
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
The CERT Coordination Center is part of the Software Engineering
Institute. The Software Engineering Institute is sponsored by the
U.S. Department of Defense.
© 2001 by Carnegie Mellon University
some images copyright www.arttoday.com
Trends in Denial of Service Attack Technology
Kevin J. Houle
NANOG23, October 2001
Background: Pre-1999
DoS Tools:
- Single-source, single target tools
- IP source address spoofing
- Packet amplification (e.g., smurf)
Deployment:
- Widespread scanning and exploitation via scripted tools
- Hand-installed tools and toolkits on compromised hosts (unix)
Use:
- Hand executed on source host
Background: 1999
DoS Tools:
- Multiple-source, single target tools
- Distributed attack networks (handler/agent)
- DDoS attacks
Deployment:
- Hand-selected, hard-coded handlers
- Scripted agent installation (unix)
Use:
- Custom, obfuscated control channels
(figure: intruder -> handlers -> agents)
Background: 2000
02-2000 : Infamous DDoS attacks
04-2000 : DNS amplification attacks, mstream DDoS tool
05-2000 : VBS/Loveletter, t0rnkit
07-2000 : Hybris
08-2000 : Trinity IRC-based DDoS tool (unix)
11-2000 : Multiple IRC-based DDoS tools (Windows)
Background: 2001
01-2001 : Ramen worm
02-2001 : VBS/OnTheFly (Anna Kournikova), erkms worm, 1i0n worm
04-2001 : Adore/Red worm, carko DDoS tool
05-2001 : cheese worm, w0rmkit worm, sadmind/IIS worm
06-2001 : Maniac worm, Code Red worm
07-2001 : W32/Sircam, Leaves, Code Red II, various telnetd worms, various IRC-based DDoS tools (knight, kaiten)
09-2001 : Nimda worm
Trends - Deployment
Greater degree of automation
- Self-propagating worms
  - Central source propagation
  - Back channel propagation
  - Autonomous propagation
Central Source Propagation
(figure: central-source; attacker -> victims -> next-victims)
1 - exploit
2 - copy code
3 - repeat
Example: 1i0n worm
Back Channel Propagation
(figure: attacker -> victims -> next-victims)
1 - exploit
2 - copy code
3 - repeat
Example: Ramen worm
Autonomous Propagation
(figure: attacker -> victims -> next-victims)
1 - exploit & copy code
2 - repeat
Examples: Code Red, Code Red II
Trends - Deployment (cont.)
Targeting Systems: Blind vs. Selective Targeting

Degree of                   Blind Targeting   Selective Targeting
Automation                  Very high         Low-high
Vulnerability-specificity   Very high         Low-high
Other criteria              Low               Very high
Blind Targeting
- Social Engineering
  - W32/Sircam
- Specific vulnerabilities
  - sadmind/IIS worm: unix/Microsoft IIS
  - Code Red, Code Red II: Microsoft IIS
  - Nimda: Windows/IIS
  - Various telnetd worms: unix
Activity tends to follow vulnerability lifecycles
Selective Targeting
- Windows end-users increasingly targeted
  - less technically sophisticated
  - less protected
  - difficult to contact en masse
  - slow response to security alerts/events
  - well-known netblocks
  - widespread broadband connectivity
  - increase in home networking
  - exploit technology base is maturing
CERT Tech Tip - Home Network Security
http://www.cert.org/tech_tips/home_networks.html
Selective Targeting (3)
- Routers increasingly targeted
  - source for recon/scanning
  - proxy to IRC networks
  - source for packet flooding attacks
- Compromise via weak/default passwords
- Routers sometimes reconfigured
  - public guides are available
- Increased threat of routing protocol attacks
  - discussions at DefCon and Black Hat Briefings
Trends: Use
Control Infrastructure - The classic DDoS model
(figure: intruder -> handler, handler -> agent x8 -> victim)
Control Infrastructure
- Increased use of IRC networks and protocols
  - IRC server replaces the handler
  - common, 'legit' service ports (e.g., 6667/tcp)
  - commands are buried in 'legit' traffic
  - no agent listeners; outbound connections only
- More 'survivable' infrastructure
  - reduction in address lists maintained
  - disposable, easy to obtain agents
  - makes use of public IRC networks
  - private servers are also used
Control Infrastructure (2)
- Increased use of IRC networks and protocols (cont.)
  - Agent redirection / update is easier
    - everyone change to a new channel
    - everyone change to a new IRC server
    - everyone download this updated module
  - "floating" domains used to direct agents
    - bogus WHOIS data, stolen credit cards
    - 'A' record modification redirects hard-wired agents
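An added example (not from the slides or the CERT paper) of the defensive footprint this model leaves: agents run no listeners and only connect outbound, so a site can search its own flow records for many internal hosts rendezvousing at the same external IRC server, and for that whole group moving to a new server together. The flow record layout, the 10.0.0.0/8 internal range and the threshold of three hosts are assumptions for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port proto".
# Hosts .11-.14 rendezvous at one server and later all move to a second one;
# .40 is a single ordinary IRC user and .50 is plain web traffic.
SAMPLE_FLOWS = """\
1001 10.1.0.11 40211 198.51.100.5 6667 tcp
1002 10.1.0.12 40899 198.51.100.5 6667 tcp
1003 10.1.0.13 41002 198.51.100.5 6667 tcp
1004 10.1.0.14 41300 198.51.100.5 6667 tcp
1005 10.1.0.40 50011 203.0.113.9 6667 tcp
1006 10.1.0.50 50100 203.0.113.80 80 tcp
2001 10.1.0.11 40300 203.0.113.70 6667 tcp
2002 10.1.0.12 40301 203.0.113.70 6667 tcp
2003 10.1.0.13 40302 203.0.113.70 6667 tcp
2004 10.1.0.14 40303 203.0.113.70 6667 tcp
"""
INTERNAL = ip_network("10.0.0.0/8")   # assumed site address space
IRC_PORTS = {6667}                     # the 'legit' service port named on the slide
MIN_AGENTS = 3                         # assumed threshold for flagging a group

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, sport, dst, dport, proto = line.split()
        flows.append((int(ts), ip_address(src), int(sport), ip_address(dst), int(dport), proto))
    return flows

def agent_connections(flows):
    """Yield (ts, src, server) for outbound TCP flows from internal hosts to an
    external IRC port: agents run no listeners, so this is their only footprint."""
    for ts, src, _sport, dst, dport, proto in flows:
        if proto == "tcp" and src in INTERNAL and dst not in INTERNAL and dport in IRC_PORTS:
            yield ts, str(src), str(dst)

def irc_rendezvous(flows, min_agents=MIN_AGENTS):
    """External IRC servers that at least min_agents distinct internal hosts contact."""
    agents = defaultdict(set)
    for _ts, src, srv in agent_connections(flows):
        agents[srv].add(src)
    return {srv: sorted(h) for srv, h in agents.items() if len(h) >= min_agents}

def agent_migration(flows, min_agents=MIN_AGENTS):
    """'Everyone change to a new IRC server': the same group of agents seen at one
    server shows up together at a server that was first contacted later."""
    hosts, first = defaultdict(set), {}
    for ts, src, srv in agent_connections(flows):
        hosts[srv].add(src)
        first[srv] = min(first.get(srv, ts), ts)
    return sorted((old, new, len(hosts[old] & hosts[new])) for old in hosts for new in hosts
                  if old != new and first[old] < first[new]
                  and len(hosts[old] & hosts[new]) >= min_agents)
```

A single user on a public IRC network (host .40 above) never reaches the threshold, so the check keys on the group behaviour rather than on the port alone.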
Trends: Use
- Less emphasis on forged packet characteristics
  - size and distribution of DDoS makes response difficult
    - overwhelming number of sources in DDoS attack
    - sources often cross multiple AS boundaries
  - high bandwidth consumption is easy; no need for fancy packets
  - increase in attacks using legitimate traffic
    - mixes with other traffic
    - harder to filter/limit
Trends: Impact
- Increase in collateral damage (e.g., blast radius)
  - backup systems impacted by sharp increases in log volumes
  - financial impact at sites with measured usage circuits
  - multiple sites impacted in shared data centers
  - arp storms impacting locally infected networks
- Highly automated deployments are themselves causing denial of service conditions
What We Are Not Seeing
Changes in fundamental conditions that enable denial of service attacks
- Consumption of limited resources
  - Processing cycles
  - Memory resources
  - Network bandwidth
- Interdependency of security on the Internet
  - The exposure to DoS attack of SiteA depends on the security of SiteB
  - There are huge numbers of SiteB's
What We Are Not Seeing (2)
Advances in DoS attack payload
- Seeing the same common packet stream types
- Known attacks work, there is little incentive to improve
  - TCP (SYN/ACK/FIN/RST) flood
  - UDP flood
  - ICMP echo request/reply flood
  - Amplification attacks
  - Source IP address spoofing
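An added example (not from the slides or the paper) that profiles a burst of packets aimed at one host in terms of the stream types listed above, and reports what the Trends: Use slide says makes response hard: the count of distinct sources and how many origin ASes they span. It also marks sources whose addresses cannot arrive from the Internet at all, which proves spoofing. The packet summaries, the prefix-to-AS table and the (deliberately partial) bogon list are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed packet summaries: "ts src dst proto detail" (detail = TCP flags,
# "udp/<dport>" or an ICMP type name). 10.9.9.9 is an impossible Internet source.
SAMPLE_PACKETS = """\
0.001 203.0.113.10 192.0.2.1 tcp SYN
0.002 203.0.113.11 192.0.2.1 tcp SYN
0.003 10.9.9.9 192.0.2.1 tcp SYN
0.004 198.51.100.7 192.0.2.1 tcp SYN
0.005 203.0.113.12 192.0.2.1 tcp SYN
0.006 203.0.113.20 192.0.2.1 icmp echo-request
0.007 203.0.113.21 192.0.2.1 icmp echo-reply
0.008 203.0.113.30 192.0.2.1 udp udp/53
"""
# Constructed prefix-to-AS table (documentation prefixes, private-use ASNs).
PREFIX_AS = {ip_network("203.0.113.0/24"): 64500, ip_network("198.51.100.0/24"): 64501}
# Source ranges that cannot legitimately arrive from the Internet; a packet
# carrying one is spoofed for certain. Partial list: RFC 1918, loopback, link-local.
BOGON = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                  "127.0.0.0/8", "169.254.0.0/16")]

def parse_packets(text):
    return [(float(ts), ip_address(s), ip_address(d), proto, detail)
            for ts, s, d, proto, detail in (line.split() for line in text.splitlines())]

def stream_type(proto, detail):
    """Name the stream type from the slide's list that this packet belongs to."""
    if proto == "tcp":
        return "TCP " + detail.replace(",", "/") + " flood"   # e.g. "TCP SYN flood"
    if proto == "udp":
        return "UDP flood"
    if proto == "icmp" and detail.startswith("echo-"):
        return "ICMP echo flood"
    return "other"

def profile_victim(packets, victim):
    """Per stream type: packet count, distinct sources, distinct origin ASes, and
    the sources proven spoofed by carrying a bogon address."""
    victim = ip_address(victim)
    prof = defaultdict(lambda: {"packets": 0, "sources": set(), "ases": set(), "spoofed": set()})
    for _ts, src, dst, proto, detail in packets:
        if dst != victim:
            continue
        p = prof[stream_type(proto, detail)]
        p["packets"] += 1
        p["sources"].add(src)
        asn = next((a for net, a in PREFIX_AS.items() if src in net), None)
        if any(src in net for net in BOGON):
            p["spoofed"].add(str(src))
        elif asn is not None:
            p["ases"].add(asn)
    return {k: {"packets": v["packets"], "sources": len(v["sources"]), "ases": len(v["ases"]),
                "spoofed": sorted(v["spoofed"])} for k, v in prof.items()}
```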
What We Are Not Seeing (3)
Reductions in launch-point availability
- Vendors are still producing insecure products
- Administrators/users are still deploying and operating systems insecurely
- Vulnerability life cycle is still lengthy (2-3 years)
Credits
- Paper: Trends in Denial of Service Attack Technology
- Authors: Kevin Houle, Neil Long, Rob Thomas, George Weaver
- http://www.cert.org/archive/pdf/DoS_trends.pdf
Contact Information
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh PA 15213
USA
Hotline: +1 412 268 7090
CERT personnel answer 8:00 a.m. - 8:00 p.m. EST(GMT-5) / EDT(GMT-4), and are on call for emergencies during other hours.
Fax: +1 412 268 6989
Web: http://www.cert.org/
Email: cert@cert.org
