
25/11/2010

Introduction: Security Attacks


Gail Hopkins

Outline:
- Computer security: confidentiality, integrity, availability
- Authentication
- Types of security attacks

Computer Security - Introduction
Three main aspects of computer security (from Dieter Gollmann, Computer Security):
- Confidentiality
- Integrity
- Availability

Confidentiality
Keeping information secret from people who should not know it, e.g. passwords, credit card details.
Encompasses:
- Privacy
- Secrecy
Detecting breaches in confidentiality can be difficult: a copy of the data can be taken without altering or removing the original, so nothing on the system need look different afterwards.

Integrity
Ensuring things are not altered without permission. Similar in spirit to setting file permissions to read-only.
Can be compromised in many ways:
- Someone changes the way something operates
- Someone intercepts and changes emails between people
- Someone breaks into a site and changes the web pages
- Accidental damage

Integrity (2)
Not always compromised by deliberate malicious actions: accident or equipment failure also count.
Detecting when integrity has been compromised is difficult.
Not all compromises involve breaking into a software system, e.g. data corrupted at source.


Integrity (3)
In general, integrity requires that only authorised users perform authorised actions on resources they are authorised to use. It is therefore important to be able to verify the identity of the user: digital signatures, passwords.

Availability
Ensuring that legitimate users of a system have reasonable and reliable access to their systems, i.e. preventing denial of service. The ISO 7498-2 standard defines this as:
Denial of service: the prevention of authorised access to resources or the delaying of time-critical operations.
Can be perpetrated by a flooding attack.

Authentication
Verifying the identity of someone. Two reasons for authenticating users:
- Access control: users want to access files and programs, therefore they have to be distinguished by an identity
- Accountability: attaching actions to users for recording in logs

Password login
Once the login has succeeded, all activities of the user occur within the scope of an identifier: on UNIX the username is converted to a user id (UID), on Windows to a security identifier (SID). A UID is only unique on the local host; the same number on another machine may belong to a different user.

All authentication is based on comparing unique attributes of individuals with a database, e.g. a password or an encryption key.

Identification requires an initial introduction based on trust (enrolment); authentication is the subsequent confirmation of a previously trusted identity.

This type of login is called unilateral authentication: it identifies the user to the computer, but not the computer to the user, so the user cannot tell a genuine login prompt from a fake one.
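The difference between unilateral and mutual authentication is easiest to see in a challenge-response login. The Python below is an added example, not part of these slides: it models two parties sharing a key, with the classic one-sided login (only the server checks) beside the mutual form (both sides challenge, server proves itself first). The key, party names, HMAC construction and the fact that the impostor "server" lacks the key are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example key; a real deployment would provision this out of band.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def _mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so 'ab'+'c' and 'a'+'bc' differ."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class Party:
    """A principal holding what it believes is the shared key."""

    def __init__(self, name, key):
        self.name = name.encode()
        self.key = key
        self.nonce = None

    def challenge(self):
        """Fresh random challenge: a replayed old response will not verify."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def respond(self, peer_nonce):
        """Prove knowledge of the key, bound to our own name and the peer's nonce.
        Binding our name stops a reflection attack (echoing a challenge back)."""
        return _mac(self.key, b"auth-response", self.name, peer_nonce)

    def verify(self, peer_name, response):
        if self.nonce is None:          # never issued a challenge
            return False
        expected = _mac(self.key, b"auth-response", peer_name, self.nonce)
        return hmac.compare_digest(expected, response)


def unilateral_login(client, server):
    """Only the server checks (the classic password login). Returns
    (server_accepts, client_accepts); the client has nothing to verify,
    so it accepts whatever answered, impostor or not."""
    n_s = server.challenge()
    server_accepts = server.verify(client.name, client.respond(n_s))
    return server_accepts, True


def mutual_login(client, server):
    """Both sides challenge. The server proves itself first, so the client
    never hands a key proof to a server it has not authenticated."""
    n_c = client.challenge()
    n_s = server.challenge()
    client_accepts = client.verify(server.name, server.respond(n_c))
    if not client_accepts:
        return False, False
    server_accepts = server.verify(client.name, client.respond(n_s))
    return server_accepts, client_accepts


if __name__ == "__main__":
    alice = Party("alice", SHARED_KEY)
    real = Party("server", SHARED_KEY)
    fake = Party("server", b"impostor-without-the-key")
    print("unilateral, real server:", unilateral_login(alice, real))
    print("unilateral, impostor   :", unilateral_login(alice, fake))
    print("mutual, real server    :", mutual_login(alice, real))
    print("mutual, impostor       :", mutual_login(alice, fake))
```

Against the impostor, the unilateral flow still reports the client as "accepting", because a client that only ever answers challenges has no evidence about who is asking; the mutual flow rejects before the client's own response is sent.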

Types of Authentication
The OSI security architecture (ISO 7498-2) defines:
- Entity authentication: checking the identity of an individual or entity
- (Data) origin authentication: checking where received data came from, i.e. that its claimed source is genuine, rather than who is at the other end of a live connection
- Unilateral authentication: verifying the entity to the authenticator
- Mutual authentication: verifying both parties to one another

Types of Security Attack
- Viruses
- Worms
- Macro viruses
- Trojan horses
- Denial of service (DoS)
- Hacking


Viruses
Computer programs which attach to or overwrite other programs in order to replicate themselves.
Can be sent as email attachments, often disguised as audio/video files, games, etc.

Viruses (2)
Spread through sharing infected files:
- Email attachments
- Documents or files transferred between users
Famous viruses: ILOVEYOU, May 2000. Cost billions of dollars; reached around 45 million users in one day!
Can cause a great deal of damage: corrupt files, overwrite hard drives.
Can be relatively harmless, but not usually!

Worms
Like viruses but don't need to be attached to another program to spread.
Can spread across the network and infect hosts on their own, typically by exploiting a vulnerability in a network service.
Famous worms: CodeRed, 2001; Blaster worm, August 2003.

Well-known Targeted Attacks
- Ping attacks
- Denial of service attacks
- TCP/IP spoofing
- SYN flooding
- TCP sequence guessing
- IP/UDP fragmentation (Teardrop)
- ICMP flooding (Smurf)
- DNS cache poisoning

Ping Attacks
An IPv4 datagram cannot exceed 65,535 bytes: the total-length field in RFC 791 is 16 bits.
But some implementations of IP can send larger datagrams, e.g.
ping -s 65510 destinationHost
(65,510 bytes of payload plus 8 bytes of ICMP header and 20 bytes of IP header is 65,538 bytes; it leaves the sender as fragments and only exceeds the limit when reassembled.) Not all implementations can receive them: it is possible to crash some older network stacks by sending a ping request with a very large packet size (the "ping of death").

Denial of Service (DoS) Attacks
Cause a particular resource to be taken up to the extent that other legitimate users are denied that resource, i.e. overload a system with so many service requests that it can't cope. This compromises its availability.

E.g. mail spamming:
- Attacker sends very large numbers of repetitive email messages
- Fills up the server's disk
- Causes the sendmail daemon to spawn new processes rapidly
- System comes to a standstill


TCP/IP Spoofing
Forging datagrams so that they appear to come from a third-party host.
[Figure, after Burgess, 2004: the attacker at host A creates a packet with destination address host B and source address host C, so B's reply is sent to C.]

Why do TCP/IP Spoofing?
- Attacker might want to appear to be host C to gain access to a special resource that host C has privileged access to
- To attack host C (perhaps as part of a more elaborate attack), since B's replies are directed at C

SYN Flooding
Also a type of IP spoofing, used to create a denial of service attack.
Host A chooses an address for host C that is not in use, so it can't reply with a reset (RST), and repeatedly sends SYN packets (for new connections) on the same port and on other ports.
The listen queue of half-open connections fills up quickly and can't be emptied, because the connections can't be completed (the third packet of the handshake never arrives). Therefore services are cut off: legitimate SYNs are dropped.

TCP Sequence Guessing
A form of IP spoofing. Allows an attacker to make a TCP connection to a host by guessing the initial TCP sequence number (ISN) used by the remote host. Used to impersonate other hosts for trusted access, e.g. address-based trust such as rlogin/rsh. It only works when the remote host's ISNs are predictable; modern stacks randomise them.
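SYN flooding and sequence guessing are the two ingredients of a blind spoofed connection: one silences the host being impersonated, the other lets the attacker complete a handshake whose SYN-ACK it never sees. The Python below is an added example, not code from these slides or from Burgess: it models a listen socket with a bounded half-open queue, the flood that fills it, SYN cookies as the stateless fix, and an ISN predictor run against an old-style fixed-increment ISN generator and against a random one. The backlog size, the 64000 increment, the addresses and the HMAC-based cookie are assumptions; host C's RST behaviour and real timeouts are not modelled.

```python
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF

def legacy_isn_source(start=1, step=64000):
    """Old BSD-style ISN generator: a fixed increment per new connection."""
    isn = start
    while True:
        yield isn
        isn = (isn + step) & MASK32

def random_isn_source():
    """Unpredictable ISNs, roughly what modern stacks do."""
    while True:
        yield secrets.randbits(32)

class Listener:
    """Model of one TCP listen socket: a bounded half-open (SYN-RECEIVED)
    queue, optionally replaced by SYN cookies. Timeouts and retransmits
    are left out; nothing here touches a real network."""

    def __init__(self, isn_source, backlog=64, syn_cookies=False):
        self.isn_source = isn_source
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.half_open = {}          # src -> ISN we sent in the SYN-ACK
        self.established = set()
        self.dropped_syns = 0
        self._secret = secrets.token_bytes(16)

    def _cookie(self, src):
        """SYN cookie: the SYN-ACK sequence number is a keyed hash of the
        connection tuple, so no state is kept until the final ACK arrives."""
        tag = hmac.new(self._secret, repr(src).encode(), hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")

    def on_syn(self, src):
        """Return the sequence number sent in the SYN-ACK, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(src)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1   # queue full: this SYN is lost
            return None
        isn = next(self.isn_source)
        self.half_open[src] = isn
        return isn

    def on_ack(self, src, ack):
        """Third handshake packet: accept only if ack == our ISN + 1."""
        if self.syn_cookies:
            ok = ack == (self._cookie(src) + 1) & MASK32
        else:
            isn = self.half_open.pop(src, None)
            ok = isn is not None and ack == (isn + 1) & MASK32
        if ok:
            self.established.add(src)
        return ok

def syn_flood(listener, count):
    """Host A sends SYNs from unused source addresses (constructed range);
    nobody ever ACKs, so each entry sits in the half-open queue."""
    for i in range(count):
        listener.on_syn(("203.0.113.%d" % (i % 250 + 1), 40000 + i))

def legit_connect(listener, src):
    """Normal three-way handshake from a host that sees the SYN-ACK."""
    isn = listener.on_syn(src)
    return isn is not None and listener.on_ack(src, (isn + 1) & MASK32)

def predict_next_isn(observed):
    """Sequence guessing: from two observed ISNs infer the increment."""
    step = (observed[-1] - observed[-2]) & MASK32
    return (observed[-1] + step) & MASK32

def blind_spoof(target, victim_src):
    """Attacker at A impersonates C to B: open two real connections to learn
    B's ISN pattern, then SYN as C and ACK with the predicted ISN + 1 without
    ever seeing B's SYN-ACK. C must be unable to answer that SYN-ACK with a
    RST (unused address, or C itself SYN-flooded); that part is not modelled."""
    observed = []
    for i in range(2):
        probe = ("198.51.100.9", 50000 + i)   # attacker's own address (constructed)
        isn = target.on_syn(probe)
        observed.append(isn)
        target.on_ack(probe, (isn + 1) & MASK32)
    guess = predict_next_isn(observed)
    target.on_syn(victim_src)                 # the SYN-ACK goes to C, not to A
    return target.on_ack(victim_src, (guess + 1) & MASK32)
```

With a backlog of 64, 200 spoofed SYNs leave a legitimate client unable to connect until entries time out; with SYN cookies the half-open dictionary stays empty and the legitimate handshake still completes (Linux enables this with net.ipv4.tcp_syncookies). The blind spoof succeeds only against the fixed-increment ISN source.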

IP/UDP Fragmentation (Teardrop)
In normal internet datagram delivery, individual networks have a maximum packet size they can deliver. Packets are therefore fragmented at routers when they are too big for the next network, and always reassembled at the end host.

[Figure, after Burgess, 2004. a) Normal UDP fragmentation: fragment #1 covers offsets 0 to 100 (size 100 - 0); fragment #2 covers 100 to 200 (size 200 - 100). b) Spoofed UDP fragmentation: fragment #1 covers 0 to 120 (size 120 - 0); fragment #2 ends at 90, inside fragment #1, so the size computed as 90 - 120 is negative.]

In a Teardrop attack:
- Attacker forges two UDP datagrams so that they appear to be fragments of a larger packet
- But they are given data offsets which overlap

IP/UDP Fragmentation (Teardrop) (2)
At the end host:
- Kernel needs to allocate memory for the fragments
- Kernel calculates the size of a fragment as the difference between the end of that fragment and the offset where it was expected to start
- Normal assumption: the next fragment follows on from the previous one
- In a Teardrop attack, this leads to a negative number for the fragment size!
- The kernel passes that negative size to its memory allocation/copy routine, where it is interpreted as an enormous unsigned length
- Kernel panics, system crashes!
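Both the ping of death above and Teardrop are failures of fragment reassembly: one lets the reassembled datagram exceed the 16-bit length limit, the other feeds an overlapping fragment into a size calculation that assumes fragments tile the datagram. The Python below is an added example, not code from these slides or from any kernel: it shows the naive size arithmetic from the figure (and what -30 becomes as an unsigned length), beside a strict reassembler that rejects overlap, gaps and oversized datagrams. The fragment payloads are constructed to match the figure's offsets and the 65,538-byte ping; offsets are in bytes here, whereas on the wire IPv4 stores them in 8-byte units.

```python
MAX_DATAGRAM = 65535   # RFC 791: the IP total-length field is 16 bits


def naive_fragment_size(prev_end, frag_end):
    """The calculation the slides describe: the kernel assumes this fragment
    starts where the previous one ended, so size = this end - previous end.
    An overlapping fragment makes this negative."""
    return frag_end - prev_end


def as_size_t(n, bits=32):
    """What a negative size becomes once used as an unsigned length."""
    return n & ((1 << bits) - 1)


def reassemble(fragments):
    """Strict reassembly: fragments must tile the datagram exactly.
    Each fragment is a dict with 'offset' (bytes) and 'data'. Raises ValueError
    on overlap (Teardrop), a gap, or an oversized datagram (ping of death)."""
    expected_end = 0
    buf = bytearray()
    for f in sorted(fragments, key=lambda f: f["offset"]):
        start, end = f["offset"], f["offset"] + len(f["data"])
        if end > MAX_DATAGRAM:
            raise ValueError("oversized datagram: ends at %d > %d" % (end, MAX_DATAGRAM))
        if start < expected_end:
            raise ValueError("overlapping fragment at offset %d (previous end %d)"
                             % (start, expected_end))
        if start > expected_end:
            raise ValueError("gap before offset %d" % start)
        buf += f["data"]
        expected_end = end
    return bytes(buf)


def classify(fragments):
    """'ok', or the first word of the reassembly error:
    'overlapping', 'gap' or 'oversized'."""
    try:
        reassemble(fragments)
        return "ok"
    except ValueError as e:
        return str(e).split()[0]


# Constructed fragments matching the slide's figure and the ping example.
NORMAL = [{"offset": 0, "data": b"A" * 100},
          {"offset": 100, "data": b"B" * 100}]
TEARDROP = [{"offset": 0, "data": b"A" * 120},
            {"offset": 60, "data": b"B" * 30}]          # ends at 90, inside #1
PING_OF_DEATH = [{"offset": 0, "data": b"A" * 65496},
                 {"offset": 65496, "data": b"B" * 42}]  # ends at 65538

if __name__ == "__main__":
    print("naive size for the figure's fragment #2:", naive_fragment_size(120, 90))
    print("same value as an unsigned 32-bit length:", as_size_t(naive_fragment_size(120, 90)))
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH)]:
        print(name, "->", classify(frags))
```

The unsigned value is the point: a copy or allocation of about four gigabytes from a kernel buffer is what actually takes the machine down, not the negative number itself. Whether a real stack should drop overlapping fragments or trim them is a policy choice, but it must never let the arithmetic go negative.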

ICMP Flooding (Smurf)
A denial of service attack. ICMP is normally used to transmit error messages and control information between hosts; it is what ping uses (echo request / echo reply). Normally all hosts respond to echo requests without question, including requests sent to the network's broadcast address.

ICMP Flooding (Smurf) (2)
In an ICMP flooding attack, the attacker sends a spoofed ICMP echo request to the broadcast address of a large network. The packet is given a forged source address: that of the host the attacker wishes to attack. All hosts on the network reply to that source address at the same time, so the victim is flooded with echo replies (one attacker packet is amplified into one reply per host), and the replies consume all of its system resources.
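The amplification comes from two things the intermediate network can each switch off: its border router forwarding packets addressed to the subnet broadcast address, and its hosts answering broadcast echo requests. The Python below is an added example, not code from these slides or from Burgess: it models what an echo request produces under each setting and gives a border-side detection rule for the spoofed probe. The /24 amplifier network, the victim address and the packet fields are constructed; the Cisco and Linux knobs named in the comments are real settings, but the model only approximates their effect.

```python
import ipaddress


def is_directed_broadcast(dst, network):
    """True if dst is the broadcast address of the given subnet."""
    net = ipaddress.ip_network(network, strict=False)
    return ipaddress.ip_address(dst) == net.broadcast_address


def echo_replies(pkt, network, hosts, directed_broadcast=True,
                 ignore_broadcast_echo=False):
    """Return the (reply_src, reply_dst) pairs one ICMP echo request produces.
    directed_broadcast models the border router forwarding to the broadcast
    address (Cisco 'ip directed-broadcast', off by default on modern IOS);
    ignore_broadcast_echo models hosts refusing broadcast pings
    (Linux net.ipv4.icmp_echo_ignore_broadcasts=1)."""
    if pkt["type"] != "echo-request":
        return []
    dst = pkt["dst"]
    if is_directed_broadcast(dst, network):
        if not directed_broadcast or ignore_broadcast_echo:
            return []
        return [(h, pkt["src"]) for h in hosts]   # every host answers the victim
    return [(dst, pkt["src"])] if dst in hosts else []


def is_smurf_probe(pkt, network):
    """Border detection rule: an echo request to our broadcast address whose
    claimed source is not on our network can only be forged."""
    net = ipaddress.ip_network(network, strict=False)
    return (pkt["type"] == "echo-request"
            and is_directed_broadcast(pkt["dst"], network)
            and ipaddress.ip_address(pkt["src"]) not in net)


# Constructed amplifier network and attacker packet (source forged as the victim).
NETWORK = "192.0.2.0/24"
HOSTS = [str(ip) for ip in ipaddress.ip_network(NETWORK).hosts()]
SMURF_PKT = {"type": "echo-request", "src": "203.0.113.5", "dst": "192.0.2.255"}

if __name__ == "__main__":
    print("replies to victim, defaults    :", len(echo_replies(SMURF_PKT, NETWORK, HOSTS)))
    print("replies, no directed broadcast :",
          len(echo_replies(SMURF_PKT, NETWORK, HOSTS, directed_broadcast=False)))
    print("replies, hosts ignore broadcast:",
          len(echo_replies(SMURF_PKT, NETWORK, HOSTS, ignore_broadcast_echo=True)))
    print("flagged as smurf probe         :", is_smurf_probe(SMURF_PKT, NETWORK))
```

Either fix on the amplifier network brings the reply count to zero; the detection rule is a complement, not a substitute, since the victim itself cannot filter replies that arrive from hundreds of legitimate addresses.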

Summary
An introduction to security considerations, and the mechanisms whereby attacks on systems are made.

Reference
Mark Burgess, Principles of Network and System Administration, Wiley, 2004.
