
Cisco: 2020 Internet Society (ISOC) Cisco NTW 2000 Network Security Report (English edition) (169 pages).pdf

ID: 19610; PDF; 169 pages; 2.09 MB; download points: VIP only

Slide 1: NTW 2000 Network Security
  ISOC NTW 2000
  © 2000, Cisco Systems, Inc. NTW 2000 (footer repeated on every slide; shown once here)

Slide 2: Introduction

Slide 3: Network Security Components

Slide 4: ISP Example
  Diagram: Customer Site; ISP Management Plane; T1; WWW, DNS1, Pub1, TFTP, DNS2, Pub2; ISP Service Plane; Foreign Site; Internet

Slide 5: Enterprise Example
  Diagram: Protected Network (Engineering, Admin, Finance); Dial-Up Access; Business Partners; DNS Server; WWW Server; Internet

Slide 6: Current Threats and Attack Methods

Slide 7: Attack Trends
  - Exploiting passwords and poor configurations
  - Software bugs
  - Trojan horses
  - Sniffers
  - IP address spoofing
  - Toolkits
  - Distributed attacks

Slide 8: Attack Trends
  Chart, 1988 to 2000, scale High/Low: attack sophistication rising while the knowledge required of the attacker falls.

Slide 9: Vulnerability Exploit Cycle
  - Advanced intruders discover vulnerability
  - Crude exploit tools distributed
  - Novice intruders use crude exploit tools
  - Automated scanning/exploit tools developed
  - Widespread use of automated scanning/exploit tools
  - Intruders begin using new types of exploits
  Source: CERT Coordination Center

Slide 10: Increasingly Serious Impacts
  - $10M transferred out of one banking system
  - Loss of intellectual property: $2M in one case, the entire company in another
  - Extensive compromise of operational systems: 15,000 hour recovery operation in one case
  - Alteration of medical diagnostic test results
  - Extortion: demanding payments to avoid operational problems

Slide 11: Evolving Dependence
  - Networked appliances/homes
  - Wireless stock transactions
  - On-line banking
  - Critical infrastructures
  - Business processes

Slide 12: The Community's Vulnerability
  - Internal exploitation: 100% vulnerable
  - External exploitation (from the Internet): 75% vulnerable
  Source: Cisco Security Posture Assessments 1996-1999

Slide 13: Unauthorized Use
  Chart: percentage of respondents answering Yes, No, or Don't Know, 1999 versus 2000 (vertical axis 0 to 80%).
  Source: 2000 CSI/FBI Computer Crime and Security Survey

Slide 14: Conclusion
  Sophisticated attacks + Dependency + Vulnerability

Slide 15: Classes of Attacks
  - Reconnaissance: unauthorized discovery and mapping of systems, services, or vulnerabilities
  - Access: unauthorized data manipulation, system access, or privilege escalation
  - Denial of Service: disable or corrupt networks, systems, or services

Slide 16: Reconnaissance Methods
  - Common commands and administrative utilities: nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl
  - Public tools: sniffers, SATAN, SAINT, NMAP, custom scripts

Slide 17: Network Sniffers
  A sniffer on the path captures the cleartext telnet login to Router5:
    telnet Router5
    User Access Verification
    Username: squiggie
    password: Sq%*jkl;T
    Router5>ena
    Password: jhervq5
    Router5#
  "Got It!"

Slide 18: ISP Example
  (same diagram as slide 4)

Slide 19: Enterprise Example
  (same diagram as slide 5)

Slide 20: nmap
  nmap (network mapper) is a utility for port scanning large networks:
  - TCP connect() scanning
  - TCP SYN (half open) scanning
  - TCP FIN, Xmas, or NULL (stealth) scanning
  - TCP ftp proxy (bounce attack) scanning
  - SYN/FIN scanning using IP fragments (bypasses some packet filters)
  - TCP ACK and Window scanning
  - UDP raw ICMP port unreachable scanning
  - ICMP scanning (ping-sweep)
  - TCP Ping scanning
  - Direct (non portmapper) RPC scanning
  - Remote OS Identification by TCP/IP Fingerprinting (nearly 500)
  - Reverse-ident scanning

Slide 21: nmap
  Usage: nmap [Scan Type(s)] [Options]
  Example:
    my-unix-host% nmap -sT my-router
    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Interesting ports on my- (10.12.192.1)
    (The 1521 ports scanned but not shown below are in state closed)
    Port     State   Service
    21/tcp   open    ftp
    22/tcp   open    ssh
    23/tcp   open    telnet
    25/tcp   open    smtp
    37/tcp   open    time
    80/tcp   open    http
    110/tcp  open    pop-3

Slide 22: Why Do You Care?
  The more information you have, the easier it will be to launch a successful attack:
  - Map the network
  - Profile the devices on the network
  - Exploit discovered vulnerabilities
  - Achieve objective

Slide 23: Access Methods
  - Exploiting passwords: brute force, cracking tools
  - Exploit poorly configured or managed services: anonymous ftp, tftp, remote registry access, nis, ...
  - Trust relationships: rlogin, rexec, IP source routing
  - File sharing: NFS, Windows File Sharing

Slide 24: Access Methods (cont'd)
  - Exploit application holes
    - Mishandled input data: access outside application domain, buffer overflows, race conditions
    - Protocol weaknesses: fragmentation, TCP session hijacking
  - Trojan horses: programs that plant a backdoor into a host

Slide 25: IP Packet
  - Internet Protocol
  - IP = connectionless network layer
  - SAP = 32 bits IP address
  - RFC 791, Sep 1981

Slide 26: IP: Packet Format

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version|  IHL  |Type of Service|          Total Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Identification        |Flags|      Fragment Offset    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Time to Live |    Protocol   |         Header Checksum       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Source Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Destination Address                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Options                    |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                        Internet Datagram Header

Slide 27: IP Spoofing
  Hosts A, B, C. The attacker (C) sends to A: "Hi, my name is B".

Slide 28: IP: Normal Routing
  Routers Ra, Rb, Rc; hosts A, B, C. A packet A - B is forwarded according to routing tables.
  Routing table entries shown on the slide: "B via Rb, C via Rc"; "A, C via Ra, B via Ethernet"; "B, C via Ra".

Slide 29: IP: Source Routing
  Same topology. Routing based on the IP datagram option: the packet carries "A - B via Ra, Rb" and is forwarded that way even where a table says "B unknown" or "C via Rc".

Slide 30: IP Unwanted Routing
  Topology: Internet, DMZ, intranet; routers R1, R2; hosts A, B, C.
  A source-routed packet "C - A via R1, R2" reaches A although the routing tables only know "A unknown, B via Internet"; "A unknown, B via R1"; "A unknown, B via DMZ"; "A via Intranet, B via DMZ"; "C unknown".

Slide 31: IP Unwanted Routing (cont.)
  Topology: Internet, dial-up PPP, intranet; B (acting as router); hosts A, C.
  A source-routed packet "C - A via B" reaches A although the tables know "A unknown, B via Internet"; "A unknown, B via PPP"; "A via Ethernet, C via PPP".

Slide 32: IP Spoofing Using Source Routing
  Routers Ra, Rb, Rc; hosts A, B, C.
  - Spoofed packet: "B - A via C, Rc, Ra"
  - Back traffic uses the same source route: "A - B via Ra, Rc, C"
  - A: "B is a friend, allow access"

Slide 33: Transport Control Protocol
  - TCP = connection oriented transport layer
  - RFC 793, Sep 1981
  - SAP = 16 bits TCP ports

Slide 34: TCP Packet Format

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Sequence Number                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Acknowledgment Number                      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Data |           |U|A|P|R|S|F|                               |
    | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
    |       |           |G|K|H|T|N|N|                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           Checksum            |         Urgent Pointer        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Options                    |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                             data                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            TCP Header Format

Slide 35: TCP connection establishment
  B initiates a connection to A:
    B -> A: flags=SYN, seq=(Sb,?)
    A -> B: flags=SYN+ACK, seq=(Sa,Sb)
    B -> A: flags=ACK, seq=(Sb,Sa)
    A -> B: flags=ACK, seq=(Sb,Sa+8), data="Username:"

Slide 36: TCP blind spoofing
  C masquerading as B:
    C (as B) -> A: flags=SYN, seq=(Sb,?)
    A -> B: flags=SYN+ACK, seq=(Sa,Sb)
    C (as B) -> A: flags=ACK, seq=(Sb,Sa)          (C guesses Sa)
    A -> B: flags=ACK, seq=(Sb,Sa+8), data="Username:"
    C (as B) -> A: flags=ACK, seq=(Sa+8,Sb+7), data="myname"
  A believes the connection comes from B and starts the application (e.g. rlogin).

Slide 37: TCP blind spoofing (cont.)
  - C masquerades as B
  - A believes the connection is coming from trusted B
  - C does not see the back traffic
  - For this to work, the real B must not be up, and C must be able to guess A's sequence number

Slide 38: TCP session hijacking
    B -> A: flags=SYN, seq=(Sb,?)
    A -> B: flags=SYN+ACK, seq=(Sa,Sb)
    B -> A: flags=ACK, seq=(Sb,Sa)
    A -> B: "Password:", seq=(Sb,Sa+9)
    B -> A: "Xyzzy", seq=(Sa+9,Sb+5)
    C (masquerading as B) -> A: "delete *", seq=(Sb+5,Sa+18)
  - B initiates a connection with A and is authenticated by the application on A
  - C guesses Sa, Sb
  - C inserts invalid data

Slide 39: It Never Ends
  Latest FTP Vulnerability:
  "Because of user input going directly into a format string for a *printf function, it is possible to overwrite important data, such as a return address, on the stack. When this is accomplished, the function can jump into shell code pointed to by the overwritten eip and execute arbitrary commands as root. While exploited in a manner similar to a buffer overflow, it is actually an input validation problem. Anonymous ftp is exploitable making it even more serious as attacks can come anonymously from anywhere on the internet."
  Source: SecurityFocus.Com, 2000

Slide 40: Denial of Service Methods
  - Resource overload: disk space, bandwidth, buffers, ...
    - Ping floods, SYN flood, UDP bombs, ...
  - Software bugs
    - Out of Band Data crash, Ping of death, fragmentation
  - Toolkits: TRINOO, Tribal Flood Net and friends
  - Distributed attacks for amplification

Slide 41: IP Normal Fragmentation
  - IP largest data is 65,535 = 2^16 - 1
  - IP fragments a large datagram into smaller datagrams to fit the MTU
  - Fragments are identified by the fragment offset field
  - The destination host reassembles the original datagram

Slide 42: IP Normal Fragmentation (cont.)
  Before fragmentation (IP header + IP data):
    TL=1300, FO=0, data length 1280
  After fragmentation (MTU = 500):
    TL=500, FO=0,   data length 480
    TL=500, FO=480, data length 480
    TL=360, FO=960, data length 340

Slide 43: IP Normal Reassembly
  Received from the network:
    TL=500, FO=0,   data length 480
    TL=500, FO=480, data length 480
    TL=360, FO=960, data length 340
  The fragments are copied into the reassembly buffer (65,535 bytes) in kernel memory at the destination host.

Slide 44: IP Reassembly Attack
  - Send an invalid IP datagram: fragment offset + fragment size > 65,535
  - Usually containing an ICMP echo request (ping)
  - Not limited to ping of death!

Slide 45: IP Reassembly Attack (cont.)
  Received from the network: 64 IP fragments with data length 1000
    TL=1020, FO=0,     data length 1000
    ...
    TL=1020, FO=65000, data length 1000
  Reassembly buffer, 65,535 bytes, in kernel memory at the destination host.
  BUG: buffer exceeded

Slide 46: SYN attack
  C masquerading as B:
    C (as B) -> A: flags=SYN, seq=(Sb,?)
    A -> B: flags=SYN+ACK, seq=(Sa,Sb)
  - A allocates a kernel resource for handling the starting connection
  - No answer from B; 120 sec timeout; free the resource
  - Denial of Service: kernel resources exhausted

Slide 47: SMURF Attack
  Directed broadcast PING:
    ICMP REQ   D=160.154.5.255  S=172.18.1.2     (sent to the 160.154.5.0 broadcast address with the victim's source)
    ICMP REPLY D=172.18.1.2     S=160.154.5.10
    ICMP REPLY D=172.18.1.2     S=160.154.5.11
    ICMP REPLY D=172.18.1.2     S=160.154.5.12
    ICMP REPLY D=172.18.1.2     S=160.154.5.13
    ICMP REPLY D=172.18.1.2     S=160.154.5.14
  Attempt to overwhelm the WAN link to the destination (172.18.1.2).

Slide 48: DDoS Step 1: Find Vulnerable Hosts
  Attacker: use reconnaissance tools to locate vulnerable hosts to be used as masters and daemons.

Slide 49: DDoS Step 2: Install Software on Masters and Agents
  Attacker; innocent masters; innocent daemon agents.
  1) Use master and agent programs on all cracked hosts
  2) create a hierarchical covert control
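The fragmentation arithmetic of slides 41 to 45 and the bounds check a reassembler needs, as an added example (not code from the Cisco deck). It keeps fragment offsets in bytes, as the slides show them (the real header stores offset/8), assumes a 20-byte header, and uses constructed fragment lists that mirror the slides.

```python
# Added example, not from the Cisco NTW 2000 deck. Offsets are in bytes as on
# the slides; the real 13-bit Fragment Offset field holds offset / 8.
IP_HEADER_LEN = 20      # bytes, header without options (IHL = 5)
MAX_DATAGRAM = 65535    # 2**16 - 1, the largest IP Total Length

def fragment(data_len, mtu):
    """Split data_len payload bytes into fragments that fit mtu.
    Returns (total_length, fragment_offset, data_length, more_fragments) tuples."""
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8  # non-final fragments carry a multiple of 8
    frags, off = [], 0
    while off < data_len:
        n = min(max_data, data_len - off)
        frags.append((IP_HEADER_LEN + n, off, n, off + n < data_len))
        off += n
    return frags

def fragment_in_bounds(total_length, fragment_offset, ihl=5):
    """The check from slide 44: offset + data length may not exceed 65,535,
    or the copy into the reassembly buffer overruns it."""
    data_len = total_length - ihl * 4
    return data_len >= 0 and fragment_offset + data_len <= MAX_DATAGRAM

def reassemble(frags):
    """Simulate the host's 65,535-byte reassembly buffer.
    Returns ('overflow', end) if a fragment would write past the buffer,
    ('complete', length) when 0..end is covered without gaps and the final
    fragment (MF=0) has arrived, else ('incomplete', bytes_covered)."""
    covered, end_of_last = [], None
    for tl, fo, n, mf in frags:
        if not fragment_in_bounds(tl, fo):
            return "overflow", fo + (tl - IP_HEADER_LEN)
        covered.append((fo, fo + n))
        if not mf:
            end_of_last = fo + n
    covered.sort()
    pos = 0
    for start, stop in covered:
        if start > pos:              # gap: a fragment is still missing
            return "incomplete", pos
        pos = max(pos, stop)
    if end_of_last is None or pos != end_of_last:
        return "incomplete", pos
    return "complete", pos

# Constructed inputs mirroring the slides.
NORMAL = fragment(1280, 500)     # slide 42: 1280 data bytes, MTU 500
ATTACK = [(1020, i * 1000, 1000, True) for i in range(63)] + [(1020, 65000, 1000, False)]
```

With the slide's numbers the last normal fragment carries the remaining 320 bytes (1280 - 960), so its total length is 340; the attack list's final fragment ends at 66000 and is rejected before anything is copied.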
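A model of the per-connection kernel resource from slide 46 (SYN attack), as an added example that is not from the Cisco deck: it shows how the 120-second timeout and the table capacity together decide whether a stream of unanswered SYNs exhausts the host, which is why shortening the timeout or enlarging the backlog are the classic mitigations. The class name and the capacity figures are constructed for the example.

```python
# Added example, not from the Cisco NTW 2000 deck: the half-open (embryonic)
# connection table host A keeps between SYN+ACK and the final ACK.
class HalfOpenTable:
    """Holds connections for which A sent SYN+ACK but has no ACK yet."""
    def __init__(self, capacity, timeout=120):   # slide 46: 120 sec timeout
        self.capacity, self.timeout = capacity, timeout
        self.entries = {}   # (src_ip, src_port) -> time the SYN arrived

    def _expire(self, now):
        # "No answer from B, 120 sec timeout, free the resource"
        for key, t0 in list(self.entries.items()):
            if now - t0 >= self.timeout:
                del self.entries[key]

    def syn(self, now, key):
        """True if A can allocate a resource for this SYN, False if exhausted."""
        self._expire(now)
        if key in self.entries:
            return True                 # retransmitted SYN reuses its entry
        if len(self.entries) >= self.capacity:
            return False                # denial of service: kernel resources exhausted
        self.entries[key] = now
        return True

    def ack(self, now, key):
        """Final handshake packet: the connection is established and leaves the table."""
        self._expire(now)
        return self.entries.pop(key, None) is not None

def time_to_exhaustion(capacity, syns_per_second, timeout=120, horizon=600):
    """Feed the table SYNs whose ACKs never come (the spoofed B never answers).
    Returns the second at which the first further SYN is refused, or None if the
    timeout frees entries fast enough that the table never fills within horizon."""
    table = HalfOpenTable(capacity, timeout)
    n = 0
    for second in range(horizon):
        for _ in range(syns_per_second):
            n += 1
            if not table.syn(second, ("spoofed", n)):
                return second
    return None
```

Steady state holds roughly syns_per_second times timeout entries, so a table of 128 slots with the slide's 120 s timeout is exhausted by two unanswered SYNs per second but not by one.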
