IP Flooding
- simple DoS attack
- many coordinated attackers ping arbitrary machines with a spoofed IP address that belongs to victim
- all machines will send responses (acknowledgements) to the victim flooding its bandwidth
- SMURF attack is example of IP flooding where pings are sent to reserved broadcast address
TCP Attacks
- TCP packets are not secured in any way. Most headers can be guessed and forged.
- Attacker on a machine that packets are routed through can easily interfere with packets in any way.
- Can observe packets on the wire, and inject new ones, but can’t intercept the original traffic.
Denial of Service (DoS)
- asymmetry of resources is key: attacker needs to spend relatively low resources but cause high-cost damage to target
- defend using: firewalls (filtering/scrubbing), CDNs
SUID Vulnerabilities
- SUID bit inherits owner’s UID on execution
- GUID bit inherits owner’s GUID on execution
- SUID allows processes to launch with EUID > UID (more privileges than those assigned to the user)
What happens if you can modify $PATH for a SUID program?
You can make a program with higher privileges execute your own program with those high privileges. (And the program that you write can do something malicious with high privileges)
File Descriptor Vulnerabilities
Example:
1)SUID program opens a file only readable by root. 2)Program forks a user-controlled, unprivileged process. 3)Child will inherit the open file descriptor!
Close file descriptors to defend against this
Cross-Site Scripting (XSS)
- XSS allows an attacker to inject code into a vulnerable web page. Victims visiting the page will inadvertently run code from an untrusted origin.
- Injected code runs in the vulnerable site’s context. Can access all data without violating SOP!
Reflected XSS
1) Attacker includes code in malicious link.
2) Attacker tricks victim into clicking on the link.
3) Code is reflected & run on the visited page.
Stored XSS
1) Attacker submits code to server.
2) Server persists code to storage.
3) Victim accesses page that includes and runs stored code.
Cross-Site Request Forgery (CSRF)
- allows an attacker to perform actions on behalf of a legitimate, authenticated user of a web application
- via social engineering, phishing, by injecting a CSRF payload that will trigger the attack automatically.
- attacker doesn’t need to steal cookie because browser automatically includes session cookie, which authenticates and authorizes the action
- defend using a CSRF token: add a secret to the request so the attacker cannot predict the value needed to trigger a sensitive action
Confused Deputy Problem & CSRF
- Confused deputy’s are tricked into performing a malicious action that they had the permission to perform, but should not have performed!
- CSRF is an example of the confused deputy problem.
- Web browser is the deputy
- confused into misusing the user’s legit authority under the attacker’s control.
XSS vs CSRF
In XSS, client trust in the server is violated.
In CSRF, server trust in the client is violated.
Black Hats
Bad guys.
Break into systems for fun/profit
White Hats
Good guys.
Ethical Hackers
Try to protect systems, advance security
Gray Hats
“Chaotic good” guys, often good intent, but legal/ethical trouble.
Break things first, then ask questions.
Virus
- malware that infects other host files and lives inside them
- can infect boot sector on disk, data files, executable files, etc.
- trade-off b/w propagation success and detection risk
Worms
- self-propagation over the network by exploiting vulnerable services
- self-contained program, no infection
- fully automated, no need for user interaction
Trojans
- malicious software pretending to be benign
- self-contained program, no infection
- tricks users into thinking it is a benign application and interacting with it
Rootkits
- live inside the kernel, modules, drivers…
- can easily hide from anti-virus
- since TCB can no longer be trusted, throw your computer out the window
Botnets
- overlay of compromised hosts (bots, zombies)
- easy to monetize
- remote command and control
- distributed command execution
- botmaster: controls network, issues commands through C&C server(s)
Domain Generation Algorithms (DGA)
- many bots use DNS to resolve to C&C server
- if a single name is used, easy to take down the botnet by blocklisting that name
- solution: generate many names, botnet rotates b/w them
- Fast flux used to rapidly change IP addresses that DNS record map to, used to prevent IP blocklisting
Botnet Defenses
- sinkholes and blocklisting (may need to reverse engineer DGA)
- identify C&C traffic, look for periodic behavior
- identify crowd behavior, all bot-infected hosts in a network will receive and react to a command in the same way
Ransomware
- encrypt files, lock screen, ask for a ransom
- solution: backup your files
Advanced Persistent Threats (APT)
- attackers may have advanced capabilities
- persistent: covert activity over a long period of time
- threat: capability + intent
- targeted malware is a more useful term!
