Chapter 02 Types of Attacks

The document discusses common network attacks like denial of service attacks, buffer overflows, IP spoofing, and session hijacking. It describes how each attack is executed and provides recommendations for configuring systems to defend against the attacks like using firewalls, antivirus software, and keeping systems patched.

Uploaded by

Muhammad Hazlami
Copyright © All Rights Reserved

ITT320

Introduction to Computer Security

CHAPTER 2 – TYPES OF ATTACKS

Mazlan Osman
Objectives
• Describe the most common network attacks
• Explain how these attacks are executed
• Identify basic defenses against those attacks
• Configure a system to prevent Denial of Service attacks
• Configure a system to defend against Trojan horse attacks
• Configure a system to defend against buffer overflow, IP spoofing and session hijacking attacks

Introduction
• There are many types of attacks that can affect computer systems.
• This chapter addresses some of the most common, including Denial of Service (DoS), virus, and Trojan horse attacks.
• In information security, “knowledge is power” is not only good advice but an axiom upon which to build an entire security outlook.

Denial of Service Attack
• Any attack that aims to deny legitimate users the use of the target system
• This attack does not attempt to obtain sensitive information
• DoS attacks rely on the fact that any device has operational limits, not just computer systems
• Exceeding any of those limits will stop the system from responding
• The ping utility can be used to execute a DoS attack

Types of Denial of Service Attacks
• Distributed Denial of Service (DDoS)
• SYN Flood
• Smurf Attack
• The Ping of Death
• Distributed Reflection Denial of Service

Distributed Denial of Service (DDoS) Attack
• A variation of a Denial of Service attack
• Launched from multiple clients
• Has now become the most common sort of DoS attack. Why?
  - It is easier to overload a target system when more than one machine is attacking
  - It allows the attacker to launch the attack from other people’s machines
  - It is more difficult to track due to the use of zombie machines

SYN Flood
• One popular version of the DoS attack
• The attacker takes advantage of the TCP handshake, the exchange of messages between client and server that starts a session
• A small buffer space in memory is allocated on the server when a session is initiated between client and server
• The session packet includes a SYN field that identifies the sequence of the message exchange
• An attacker sends a large number of connection requests to the server very rapidly and never responds to the server’s replies; the half-open sessions exhaust the server’s buffer space, and that is the SYN flood

SYN Flood (cont.)
• Can be protected against in the following manners:
  - Micro blocks: changing the way the server allocates memory for any given connection request
  - SYN cookies: the system does not immediately create a buffer space in memory for the handshaking process
  - RST cookies: the server sends a wrong SYN/ACK, and when the client sends back a packet (an RST) the server knows the client request is legitimate
  - Stack tweaking: altering the TCP stack on the server so that it takes less time to time out

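The SYN cookie defense described above, as an added example that is not part of the original slides: the server encodes the handshake into its own initial sequence number instead of allocating a buffer per SYN, and only creates connection state once a valid ACK comes back. The secret, the MSS table and the counter layout are constructed for the demo and are not any particular operating system's implementation.

```python
import hashlib
import hmac

# Constructed per-boot server secret; a real stack rotates this regularly.
SECRET = b"constructed-demo-secret"
# MSS values the 3-bit field can express (assumption; real stacks use a similar small table).
MSS_TABLE = [536, 1220, 1440, 1460]

def _mac(src, dst, sport, dport, client_isn, counter):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time counter."""
    msg = f"{src}|{dst}|{sport}|{dport}|{client_isn}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(src, dst, sport, dport, client_isn, mss, counter):
    """Server ISN for the SYN/ACK. The handshake state lives in the number itself
    (5-bit counter | 3-bit MSS index | 24-bit MAC), so no buffer is allocated
    per SYN and a flood of spoofed SYNs costs the server nothing to remember."""
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | _mac(src, dst, sport, dport, client_isn, counter)

def check_ack(src, dst, sport, dport, seq_num, ack_num, now_counter, max_age=2):
    """Validate the final ACK of the handshake. Returns the negotiated MSS if the
    ACK carries a cookie minted within max_age counter ticks, else None.
    Only at this point does the server create connection state."""
    cookie = (ack_num - 1) & 0xFFFFFFFF      # the client acknowledges our ISN + 1
    client_isn = (seq_num - 1) & 0xFFFFFFFF  # the client's seq in the ACK is its ISN + 1
    counter = cookie >> 27
    if ((now_counter & 0x1F) - counter) & 0x1F > max_age:
        return None                           # stale cookie (or a replayed ACK)
    if cookie & 0xFFFFFF != _mac(src, dst, sport, dport, client_isn, counter):
        return None                           # forged or tampered ACK
    return MSS_TABLE[(cookie >> 24) & 0x7]

def handshake_demo(spoofed_syns=10_000):
    """Constructed scenario: a burst of spoofed SYNs, then one genuine client.
    Returns (SYNs received, connection entries created, MSS of the real connection)."""
    counter, connections = 7, {}
    for i in range(spoofed_syns):             # each SYN costs one MAC, no memory
        make_syn_cookie(f"198.51.100.{i % 250}", "192.0.2.10", 40000 + i, 80, i, 1460, counter)
    isn = 123456                              # the genuine client's ISN
    cookie = make_syn_cookie("203.0.113.5", "192.0.2.10", 51515, 80, isn, 1460, counter)
    mss = check_ack("203.0.113.5", "192.0.2.10", 51515, 80, isn + 1, cookie + 1, counter + 1)
    if mss:
        connections[("203.0.113.5", 51515)] = mss   # state created only on a valid ACK
    return spoofed_syns, len(connections), mss
```
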
Smurf Attack
• A very popular type of DoS attack
• Utilizes ICMP packets to execute the attack
• An ICMP packet is sent to the broadcast address, but its return (source) address has been altered to match one of the computers on the network
• All the computers on the network then send their replies to the target computer
• The continual stream of ping replies creates the DoS condition

Ping of Death (PoD)
• The simplest and most primitive form of DoS attack
• It is based on overloading the target system
• Attacks machines that cannot handle oversized packets by sending a packet that is too large, which can shut down the target machine
• Has become less common as newer operating systems are better able to handle overly large packets
• Ensure that systems are patched and up to date

Ping of Death (PoD) cont.
• Variations of PoD:
  - UDP Flood
    - A variation of the PoD that targets open ports
    - Faster because no acknowledgements are required
    - Sends packets to random ports
    - If enough are sent, the target computer shuts down
  - ICMP Flood
    - Another name for the ping flood

Distributed Reflection Denial of Service
• A special kind of DoS
• The attacker uses routers to execute the DoS attack
• The attacker sends a stream of packets to various routers requesting a connection
• The packets have been altered so that they appear to come from the target system’s IP address
• The routers respond by initiating connections with the target system

Distributed Reflection Denial of Service cont.
• A flood of connections from multiple routers hits the same target system
• The following diagram illustrates how a DRDoS uses internet routers to execute an attack

DoS Tools
• DoS is becoming so common because there are a number of tools available for executing DoS attacks
• The tools are downloadable from the Internet
• Ease of access facilitates widespread use
• Most widely used:
  - Tribal Flood Network: used in UDP, ICMP, and TCP SYN flood attacks
  - Trin00: available for UNIX and Windows; a DDoS tool

Real World DoS Attacks – Virus
• The following are examples of real-world DoS attacks by several worms:
  - Blaster: spread via e-mail and used a buffer overflow attack
  - MyDoom: executed a DDoS attack
  - W32.Storm Worm: ran on Microsoft Web Server
  - The Slammer Worm: ran on Microsoft SQL Server

How to Defend Against DoS Attacks
• Need to understand how the attack is perpetrated
• Configure the firewall to disallow incoming protocols or all traffic
  - This may not be a practical solution
• Disable forwarding of directed IP broadcast packets on routers

How to Defend Against DoS Attacks (cont.)
• Maintain virus protection on all clients on your network and keep it updated
• Maintain operating system patches and keep them updated
• Establish policies for downloading software

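Understanding how the attack is perpetrated (the first defense above) is what makes it detectable. As an added example, not from the slides, the following runs two checks over constructed packet summaries: half-open TCP handshakes per source, the footprint of a SYN flood, and hosts receiving ICMP echo replies from many senders they never pinged, the footprint of a smurf or reflection attack. The packet list is invented for the demo; a real deployment would feed it from a capture or flow export.

```python
from collections import defaultdict

# Constructed packet summaries, not captured traffic:
# (time_s, proto, src_ip, dst_ip, info). "S" = SYN, "A" = handshake ACK.
PACKETS = [
    (0.00, "tcp", "203.0.113.9", "192.0.2.10", "S"),
    (0.05, "tcp", "203.0.113.9", "192.0.2.10", "S"),
    (0.10, "tcp", "203.0.113.9", "192.0.2.10", "S"),
    (0.15, "tcp", "203.0.113.9", "192.0.2.10", "S"),
    (0.20, "tcp", "198.51.100.7", "192.0.2.10", "S"),          # legitimate client
    (0.25, "tcp", "198.51.100.7", "192.0.2.10", "A"),          # completes its handshake
    (1.00, "icmp", "192.0.2.11", "10.0.0.2", "echo-request"),  # a normal ping
    (1.01, "icmp", "10.0.0.2", "192.0.2.11", "echo-reply"),
    (2.00, "icmp", "10.0.0.2", "192.0.2.10", "echo-reply"),    # replies the target
    (2.01, "icmp", "10.0.0.3", "192.0.2.10", "echo-reply"),    # never asked for
    (2.02, "icmp", "10.0.0.4", "192.0.2.10", "echo-reply"),
    (2.03, "icmp", "10.0.0.5", "192.0.2.10", "echo-reply"),
]

def half_open_by_source(packets):
    """Count SYNs per source that were never followed by that source's ACK
    to the same destination: the connection table a SYN flood fills up."""
    pending = defaultdict(int)
    for _, proto, src, dst, info in packets:
        if proto != "tcp":
            continue
        if info == "S":
            pending[(src, dst)] += 1
        elif info == "A" and pending[(src, dst)] > 0:
            pending[(src, dst)] -= 1
    per_src = defaultdict(int)
    for (src, _), n in pending.items():
        per_src[src] += n
    return {s: n for s, n in per_src.items() if n > 0}

def syn_flood_sources(packets, threshold=3):
    """Sources holding at least `threshold` half-open connections."""
    return sorted(s for s, n in half_open_by_source(packets).items() if n >= threshold)

def reflection_victims(packets, threshold=3):
    """Hosts receiving ICMP echo replies from many distinct senders although they
    sent those senders no echo request: the smurf / reflection signature."""
    asked = {(src, dst) for _, p, src, dst, i in packets if p == "icmp" and i == "echo-request"}
    repliers = defaultdict(set)
    for _, p, src, dst, i in packets:
        if p == "icmp" and i == "echo-reply" and (dst, src) not in asked:
            repliers[dst].add(src)
    return sorted(d for d, s in repliers.items() if len(s) >= threshold)
```
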
Defending Against Buffer Overflow Attacks
• Were more common than DoS attacks a few years ago
• Designed to put more data in the buffer than the buffer was designed to hold
• At least one worm used a buffer overflow to infect target machines
• More difficult to execute because the attacker must have good knowledge of a programming language
• The best defense is to routinely patch software

Defending Against Buffer Overflow Attacks (cont.)
• The following illustrates what happens in a buffer overflow attack

Defending Against IP Spoofing
• Session hijacking is a process whereby a hacker takes over a TCP session between two machines
• Used to gain unauthorized access to computers
• The source address of the packet is changed
• Becoming less frequent due to improved security

Defending Against IP Spoofing cont.
• Potential vulnerabilities with routers:
  - External routers connected to multiple internal networks
  - Proxy firewalls that use the source IP address for authentication
  - Routers that subnet internal networks
  - Unfiltered packets with a source IP on the local network/domain

Defending Against Session Hijacking
• The hacker takes over a TCP session
• The most common form is the “man-in-the-middle” attack
• Can also be done if the hacker gains access to the target machine
• Encryption is the only way to combat this type of attack

Blocking Virus and Trojan Horse Attacks
• Viruses
  - The most common threat to networks
  - Propagate in two ways:
    - Scanning the computer for network connections
    - Reading the e-mail address book and sending themselves to all addresses
  - Examples:
    - SoBig virus
    - Mimail, Bagle
    - Sasser

Blocking Virus and Trojan Horse Attacks cont.
• Viruses (rules to protect against them)
  - Always use virus scanner software
  - Do not open unknown attachments
  - Establish a code word with friends and colleagues
  - Do not believe security alerts sent to you

Blocking Virus and Trojan Horse Attacks cont.
• Trojan Horses
  - A program that looks benign but has malicious intent
  - They might:
    - Download harmful software
    - Install a key logger or other spyware
    - Delete files
    - Open a backdoor for a hacker to use

Trojan Horse CAUTION

Students are strongly cautioned against attempting to create any of these Trojan horse scenarios. Release of this type of application is a criminal offense and likely to result in a prison sentence and civil penalties.

Summary
• Most common network attacks:
  - Session hijacking
  - Virus and Trojan horse attacks
  - Denial of Service / Distributed Denial of Service
  - Buffer overflow
• An explanation of how these attacks take place has been outlined

Summary cont.
• Basic defenses against these types of attacks:
  - Virus protection software
  - Router configuration
  - Smart e-mail policies and procedures
  - Monitor network traffic
  - Maintain a current patch policy to keep systems up to date with security patches

Summary cont.
• Prevent Denial of Service attacks:
  - Use of proxy servers
  - Established policies on maintenance
  - Keep systems up to date with the latest patches

Summary cont.
• Defend against Trojan horse and virus attacks:
  - Have an established policy for e-mail attachments and downloading software
  - Do not open unknown attachments
  - Strictly monitor software downloads and what can be downloaded
• Defend against buffer overflow attacks:
  - Routinely update systems
  - Keep security patches up to date

