Cybersecurity cyberlab2

442 views

Published on

Intro to computer hacker and attacks and network security.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
442
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
13
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Cybersecurity cyberlab2

  1. 1. Network SecuritySlides by Raymond Borges
  2. 2. Outline• In the NEWS (LOIS) DDoS attacks• Passive Network Attacks• Active Network Attacks• Designing a “Secure” Network• Web 2.0• Summary 2
  3. 3. IN THE NEWS 3
  4. 4. Low Orbit Ion Cannon (LOIC)• Primary tool being used by the script kiddies• Low Orbit Ion Cannon (LOIC) is a web app performance tool• Denial of Service/testing tool• DoS operation using HTTP/TCP/UDP requests• DDoS voluntarily joining botnet Hive Mind 4
  5. 5. How does LOIC work?While IsFlooding is True{1. Create/Connect a TCP Socket to webserver2. Send standard GET request to the server3. Read the first 64 bytes returned4. Sleep for configured Delay} 5
  6. 6. Low Orbit Ion Cannon Hive 6
  7. 7. Low Orbit Ion Cannon New 7
  8. 8. Hive Mind• The automatic mode or Hive Mind, option to voluntarily join a botnet• Using mode, all parameters of attack set up remotely via IRC, including target• IRC is a network protocol designed to provide real-time group chat, often (miss)used to control botnets 8
  9. 9. LOIC trail• If an anonymization network (TOR) is not used traceable IP address records can be logged by its recipient• Logs kept by the ISP used to identify users• Many users arrested using LOIC• LOIC not anonymous 9
  10. 10. LOIC/ Wireshark Demo1. Turn on VMware WinXP machine2. Turn on Wireshark3. Turn on LOIC4. Start packet capture in Wireshark5. Start LOIC 10
  11. 11. LOIC MitigationAttack vector old as the HTTP protocol• Best approach is to use a good rule based firewall, allow for rules on connection limits per IP per secondLegitimate uses for this tool:• Performance base lines• Measuring server performance 11
  12. 12. PASSIVE NETWORK ATTACKS 12
  13. 13. FTP Password Attack Setup1. Install virtual machine or connect to network2. Install Internet Information Services (IIS) on Windows and File Transfer Protocol (FTP)3. Setup FTP with a password4. Run Wireshark while attempting FTP 13
  14. 14. FTP Password Attack1. Run Wireshark on LAN in promiscuous mode2. Wait till someone connects to host with FTP 14
  15. 15. Passive online attack0.http://www.httprecipes.com/1/2/forms.php1.Run Wireshark2.Filter http3.Find post method4.Follow TCP stream5.You have username and password in the clearif server isn’t using https SSL or other encryption 15
  16. 16. ACTIVE NETWORK ATTACKS 16
  17. 17. Replay and Man-in-the-middle• When passwords can’t be caught in plaintext Man-in-the-middle• ARP poisoning Replay attack Session hijacking 17
  18. 18. Cain and Abel (ARP poisoning)1. Install Cain and Abel2. Connect to a network3. Select sniffer tab4. Start sniffer and select network interface5. Select hosts on bottom and press then ok6. Select bottom APR tab and click top window7. Press and select target IP then hit Ok8. Hit then select passwords tab, (http) 18
  19. 19. NETWORK INFRASTRUCTURE 19
  20. 20. Policy• Network security• Company goals lead to  security policy• Network infrastructure design policy• Network design meets requirements 20
  21. 21. So how do we go from? 21
  22. 22. Data Classification• Policy develops from information flow• Who can access what?Common classifications:• Public• Secret• Confidential• Group based 22
  23. 23. User Classifications• Serves same purpose as data classification• Who can access what?Common classifications:• Outsiders• Employees• Executives• Owners 23
  24. 24. Access Control Matrix (ACM) 24
  25. 25. Network Organization• Network infrastructure design using ACM• Layered security measures• Separation of information• Fairly standard corporate network 25
  26. 26. Network Organization Public network firewall Demilitarized Zone (DMZ) Public or External Network Internal network firewallInternal Network 26
  27. 27. FirewallsFirewalls filter based on:• IP Addresses, destination• PortsFiltering firewall based on:• Packet Headers• Source addressesProxy or application level firewalls based on message content:• Virus scanner• Key terms? 27
  28. 28. Firewall Operation 28
  29. 29. Outer FirewallCan be used to:1. Restrict outside access to internal network2. Restrict internal access to internet while allowing access to DMZ based on Access Control Lists (ACL’s)3. ACL’s bind source address/port and destinations address/ports to access rights 29
  30. 30. Outer Firewall• Public needs Web server and mail server access, no other services• Firewall interface allows connections to WWW services (HTTP and HTTPS) and electronic mail (SMTP)• Internet sees addresses of Web and mail servers equal—that of the firewall, NAT 30
  31. 31. Internal Firewall• Sensitive data resides in internal network• Block all traffic except authorized traffic (fail-safe defaults principle)• Information comes only from DMZ, never directly from Internet 31
  32. 32. Ports/Services 20-21 FTP 22 SSH/SCP 23 Telnet 25 SMTP 53 DNS67-68 DHCP/BOOTP 80 HTTP 443 HTTP over SSL465 SMTP over SSL 32
  33. 33. ProxiesProxies - hosts that relay data• Hide identity and protect privacy• Can be used as firewallsThe Onion Routing network (TOR)• Proxy network made of volunteer hosts 33
  34. 34. DMZ and ServersDemilitarized Zone or DMZ - area outsideinternal firewall, some ports unblocked forinbound internet access to serversServers – hosts which serve webpages or storeand process electronic mail for usersWeb server and mail server contained in DMZ 34
  35. 35. Domain Name System (DNS) ServerKnows directory name service information for:• DMZ mail, Web, and log hosts• Internal trusted administrative host• Outer firewall• Inner firewall 35
  36. 36. DMZ Log ServerAll other servers log messages by writing them to alocal file and then to the log server• The log server also writes them to a file and then to write-once media• Confined to the DMZ• Does not initiate transfer to inner network 36
  37. 37. Internal Network• Subnets may have firewall and servers, may filter traffic as inner firewall does• Subnets may share servers• Information flow constraints  arrangement• Firewalls impose confinement at interfaces 37
  38. 38. Firewall AttacksAttackers have 3 methods of firewall entry• Web server ports (HTTP) port proxy checks for invalid or illegal HTTPrequests and rejects them• SMTP portMail proxy will detect and reject such attempts• Bypass the low-level firewall checks by exploiting firewall vulnerabilities 38
  39. 39. Defense Practices• Economy of mechanism (simple mechanisms)Making hosts or devices do only their job• Separation of privilege (divided jobs)More than one host does a certain job• Defense in depth (layered security defense)Multiple defenses to bypass 39
  40. 40. Internet AttacksDistributed Denial of Service (DDoS)SYN flood• Consumes bandwidth• Consumes memory resourcesRemedies• TCP intercept mode• Synkill software 40
  41. 41. AttacksFocus on what we are most concerned about:• Successful attacks• Failed attacks in areas where attacks ought not to be launched e.g. DMZ.Efforts into where we can obtain useful results 41
  42. 42. Summary• Security requirements  network infrastructure• Security goals security policy network form• Internal firewall limits traffic to public servers• Outer firewall blocks external traffic from internal• Public servers only provide one service• Application level firewalls check contents 42
  43. 43. RECENT RESEARCH 43
  44. 44. Quantification of Attackers Activities on Servers running Web 2.0 Applications• Attackers use search-based strategiesGoogle• Easiest ways to attack servers dominate• Password cracking attacks on SSH 44
  45. 45. Quantification of Attackers Activities on Servers running Web 2.0 Applications• Blog user accounts and vulnerability scans• Spam attacks dominate Web 2.0 applications such as Blogs and Wikis• Less activity use known vulnerabilities 45
  46. 46. Possible Questions1. Why is privilege separation so important?2. What is normally closed security?3. What security model do you think Facebook uses?4. How can DNS be used to censor websites?5. Is there another means of reaching a website other than by URL?6. What makes the internet impossible to bring down completely? (Discussion erupts…) 46
  47. 47. References• Introduction to Computer Security, Matt Bishop• Attacks by “Anonymous” WikiLeaks Proponents not Anonymous Pras et.al. Design and Analysis of Communication Systems Group University of Twente, Enschede, The Netherlands• Quantification of Attackers Activities on Servers runningWeb 2.0 Applications, Katerina Goseva-Popstojanova, Risto Pantev, Ana Dimitrijevikj, and Brandon Miller, Lane Department of CS and EE WVU• https://github.com/NewEraCracker/LOIC• http://wasntnate.com/2012/01/analysis-of-low-orbit-ion-cannon- loic-web-stress-tool/• http://www.youtube.com/watch?v=F6_9i-aGAa0&feature=related 47
  48. 48. Questions?

×