Computer Network Attack and Defense Technology (slide deck)

Introduction to Computer Network Attack and Defense Technology

Topics in network security
  • Application security
  • Operating system security
  • Network security
  • Web security
  • Principles of network attacks
  • Intrusion detection and prevention

Prerequisites for network security technology
  • Computer operating systems
  • Computer architecture
  • Computer networks
  • Data structures
  • Computer algorithms
  • C language
  • Assembly language
  • Strong English reading ability

Warning: use network security knowledge with care
  • We will discuss some vulnerabilities and attacks.
  • Most of the vulnerabilities have already been patched.
  • Some attacks can still cause damage. Do not try them outside a laboratory setting.

Purpose
  • Learn how to avoid and defend against malicious attacks.
  • Learn, as a software engineer, how to write software without vulnerabilities.

Old-generation hackers (before 2000)
  • Profile: computer enthusiast, 14 to 34 years old, no family to support, not in it for money.
  • Source: Raimund Genes

New-generation hackers
  • High-school dropout. "most of these people I infect are so stupid they really aint got no business being on the Internet in the first place."
  • Skills: uses attack tools, little computer knowledge.
  • Working hours: 2-10 minutes a day managing a Botnet.
  • Income: average $6,800 per month.
  • Daily work: browsing and chatting online; the botnets earn money automatically.
  • Controls more than 13,000 computers distributed around the world.
  • Continually infects new Bot PCs, downloading adware and malware onto the infected machines.
  • Steals sensitive data: account numbers, passwords, email, Social Security numbers, credit card numbers, bank accounts, etc.
  • Sells services and illegal data to various companies: TopC, GammaC, Loudcash, or 180Solutions.
  • Washington Post: Invasion of the Computer Snatchers

How big is the network security problem?
  • CERT vulnerabilities reported (/stats/)

Malware classification
  • Virus: copies and infects without permission
  • Worm: self-propagating across networks
  • Trojan: destructive program masquerading as a benign application
  • Bot and Botnet: used for the co-ordination and operation of an attack
  • Spyware: intercepts or takes partial control over the user's interaction
  • Backdoor: covert access to a computer
  • Downloader: downloads/installs malicious software
  • Ransomware: program that encrypts the user's useful data and requests a ransom for restoration
  • Adware: downloads advertising software and displays advertisements without user consent
  • Rootkit: subverts control of the OS

Common categories of network attacks
  • 2006 MITRE CVE stats: 21.5% of CVEs were XSS; 14 percent SQL injection; 9.5 percent PHP includes; 7.9 buffer overflow
  • Before 2005, buffer overflows were the most common.
  • After 2005, Cross-Site Scripting (XSS) is the most common.

Vulnerability stats: web is "winning"
  • Source: MITRE CVE trends
  • Majority of vulnerabilities now found in web software

Network attack example: SilentBanker
  • Proxy intercepts the request and adds fields
  • Bank sends the login page needed to log in
  • When the user submits information, it is also sent to the attacker
  • Credit: Zulfikar Ramzan

Network security black market
  Rank  Last  Goods and services            Current  Previous  Prices
  1     2     Bank accounts                 22%      21%       $10-1000
  2     1     Credit cards                  13%      22%       $0.40-$20
  3     7     Full identity                 9%       6%        $1-15
  4     N/R   Online auction site accounts  7%       N/A       $1-8
  5     8     Scams                         7%       6%        $2.50/wk - $50/wk (hosting); $25 design
  6     4     Mailers                       6%       8%        $1-10
  7     5     Email Addresses               5%       6%        $0.83-$10/MB
  8     3     Email Passwords               5%       8%        $4-30
  9     N/R   Drop (request or offer)       5%       N/A       10-50% of drop amount
  10    6     Proxies                       5%       6%        $1.50-$30
  Credit: Zulfikar Ramzan

Why are there so many security vulnerabilities?
  • Buggy software, insecure code
  • Awareness
  • Some contributing factors:
      • Few courses in computer security
      • Programming textbooks do not emphasize security
      • Few security audits
      • C is an unsafe language
      • Programmers have many other things to worry about
      • Legacy software (some solutions exist, e.g. sandboxing)
      • Consumers do not care about security
      • Security is expensive and takes time

Sources of computer and network vulnerabilities
  • Operating systems: Microsoft OS, Linux
  • Communication protocols: protocol design issues, TCP syn-to-death
  • Applications: HTTP, Word

Worm
  • A worm is self-replicating software designed to spread through the network
  • Exploits security flaws in widely used services and applications
  • 绿霸 software
  • Causes enormous damage:
      • Launches DDoS attacks, installs bot networks
      • Accesses sensitive information
      • Causes confusion by corrupting the sensitive information

Penetration methods (Source: S21sec)
  • Browser exploit (65%): browser security bugs
  • Email attachment (13%): spam and unsolicited email
  • Operating system exploit (11%)
  • Internet download (9%)
  • Other (2%)

How do worms self-propagate?
  • Scanning worms: the worm chooses a "random" address
  • Coordinated scanning: different worm instances scan different addresses
  • Flash worms: assemble a tree of vulnerable hosts in advance and propagate along the tree; not observed in the wild, yet; potential for 10^6 hosts in 2 sec! [Staniford]
  • Meta-server worm: ask a server for hosts to infect (e.g., Google for "powered by phpbb")
  • Topological worm: use information from infected hosts (web server logs, email address books, config files, SSH "known hosts")
  • Contagion worm: propagate parasitically along with normally initiated communication

Cost of worm attacks
  • Morris worm, 1988: infected approximately 6,000 machines, 10% of the computers connected to the Internet; cost $10 million in downtime and cleanup
  • Code Red worm, July 16 2001: direct descendant of the Morris worm; infected more than 500,000 servers; programmed to go into infinite sleep mode July 28; caused $2.6 Billion in damages
  • Love Bug worm: $8.75 billion
  • Statistics: Computer Economics Inc., Carlsbad, California

Internet Worm (first major attack)
  • Released November 1988
  • Program spread through Digital and Sun workstations
  • Exploited Unix security vulnerabilities: VAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code
  • Consequences: no immediate damage from the program itself; replication and threat of damage; load on the network and on systems used in the attack; many systems shut down to prevent further attack

Some historical worms of note
  Worm      Date   Distinction
  Morris    11/88  Used multiple vulnerabilities, propagated to "nearby" systems
  ADM       5/98   Random scanning of IP address space
  Ramen     1/01   Exploited three vulnerabilities
  Lion      3/01   Stealthy, rootkit worm
  Cheese    6/01   Vigilante worm that secured vulnerable systems
  Code Red  7/01   First significant Windows worm; completely memory resident
  Walk      8/01   Recompiled source code locally
  Nimda     9/01   Windows worm: client-to-server, client-to-client, server-to-server
  Scalper   6/02   11 days after announcement of the vulnerability; peer-to-peer network of compromised systems
  Slammer   1/03   Used a single UDP packet for explosive growth

Increasing propagation speed
  • Code Red, July 2001
      • Affects Microsoft Index Server 2.0, the Windows 2000 Indexing service on Windows NT 4.0, and Windows 2000 systems that run IIS 4.0 and 5.0 Web servers
      • Exploits a known buffer overflow in Idq.dll
      • Vulnerable population (360,000 servers) infected in 14 hours
  • SQL Slammer, January 2003
      • Affects Microsoft SQL 2000
      • Exploits a known buffer overflow vulnerability: Server Resolution service vulnerability reported June 2002; patch released in July 2002, Bulletin MS02-39
      • Vulnerable population infected in less than 10 minutes

Code Red
  • Initial version (July 13, 2001)
  • Sends its code as an HTTP request; the HTTP request exploits a buffer overflow
  • Malicious code is not stored in a file: it is placed in memory and then run
  • When executed, the worm checks for the file C:\Notworm; if the file exists, the worm thread goes into an infinite sleep state
  • Creates new threads: if the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses

Code Red of July 13 and July 19
  • Initial release of July 13, 2001
      • 1st through 20th of the month: spread via random scan of the 32-bit IP address space
      • 20th through end of each month: attack. Flooding attack against 1 ()
      • Failure to seed the random number generator: linear growth
  • Revision released July 19, 2001
      • The White House responds to the threat of the flooding attack by changing the address of the flooding target
      • Causes Code Red to die for dates from the 20th of the month
      • But: this time the random number generator is correctly seeded

Infection rate (chart)

Spread of Code Red
  • Network telescope estimate of the number of infected hosts: 360K (beware DHCP & NAT)
  • Course of infection fits the classic logistic curve
  • Note: the larger the vulnerable population, the faster the worm spreads
  • That night (the 20th), the worm dies except on hosts with inaccurate clocks!
  • It just takes one of these to restart the worm on August 1st
  • (charts)

Code Red 2
  • Released August 4, 2001
  • Comment in code: "Code Red 2." But in fact a completely different code base
  • Payload: a root backdoor, resilient to reboots
  • Bug: crashes NT, only works on Windows 2000
  • Localized scanning: prefers nearby addresses
  • Kills Code Red 1
  • Safety valve: programmed to die Oct 1, 2001

Striving for greater virulence: Nimda
  • Released September 18, 2001
  • Multi-mode spreading: attacks IIS servers via infected clients; emails itself to the address book as a virus; copies itself across open network shares; modifies Web pages on infected servers with a client exploit; scans for Code Red II backdoors (!): worms form an ecosystem!
  • Leaped across firewalls

Worm ecosystem timeline (chart annotations)
  • Code Red 2 kills off Code Red 1
  • Code Red 2 settles into a weekly pattern
  • Nimda enters the ecosystem
  • Code Red 2 dies off as programmed
  • CR 1 returns thanks to bad clocks

Slammer, 01/25/2003
  • Vulnerability disclosed: 25 June 2002
  • Better scanning algorithm
  • UDP single packet: 380 bytes
  • Much faster than a TCP-based worm
  • Slammer propagation (chart: number of scans/sec, packet loss, server view)
  • Consequences: ATM systems not available; phone network overloaded (no 911!); 5 DNS root servers down; planes delayed

Botnet
  • BotNets: a new big problem
  • Bots: a little program installed silently without user intervention
  • Most users are not aware of bots on their computers
  • Common users are the weakest links
  • Good education for common users is needed to mitigate the botnet problem
  • Millions of computers infected; 53,000 infected per day (2007)
  • Botnets: networks of computers on which bots are installed, managed by a command and control server
  • Used for DDoS, cyber war, identity theft, SPAM, SCAM
  • Bots are deployed across countries around the world; China, USA, Germany, Spain and France are the top five countries infected
  • How botnets work (diagram: C&C server controlling bots; centralized vs. distributed botnets)
  • C&C centralized stat (chart); a world-wide problem

Intrusion Detection & Prevention: an overview
  • Firewall: a firewall can block unwanted services; the first level of defense against network intrusion
  • Firewall alone is not enough: a firewall cannot look into applications
  • IPS is the key to keeping protection up to date with new security threats
  • IPS can realize QoS for business-critical applications over nonessential apps like P2P and IM
  • Timeline (getting shorter): vulnerabilities discovered, advisory issued, worm released, exploits released; the lifecycle of vulnerabilities and threats

Benefits of network IPS
  • Offending traffic is dropped from the network
  • Attacks never reach their victim, eliminating impact to the network
  • No need to waste time investigating the attack
  • Works for all traffic (IP, TCP, UDP, etc.)
  • Drops only the offending traffic
  • An active, in-line system detects an attack and drops malicious traffic during the detection process
  • (diagram: users, servers, mail server, web server, firewall, HTTP traffic, Code Red)

Typical deployments
  • Large enterprise / service providers
  • Regional offices
  • Small/mid-size businesses
  • Mid-size businesses
  • Deployment options: integrated FW/IPS, or standalone IPS

We have a long way to go
  • Known threats but no known ways to protect
  • Known threats with available protection
  • Unknown threats & vulnerabilities

IPS sensor architectures
  • Packet engine: packet I/O, packet defragmentation, flow and session management
  • Detector analyzes and decodes applications
  • Policy contains signatures and rules to detect attacks
  • Both policy and detector can be dynamically loadable
  • Log for forensic analysis
  • (diagram components: packet engine, detector, policy, log, management, action, network interface)

IPS architecture (diagram components)
  • IP fragment reassembly; TCP reassembly; line-breaking; application (HTTP) parsing; event correlation; logs + packets; flow lookup/reconstruction; actions; signatures; attack matching; network interface

Traffic anomaly detection
  • Identify abnormal usage patterns
  • No protocol anomalies or attack patterns, but unusual traffic usage/volume
  • Example: ping sweep. Reconnaissance: scanning networks to identify resources for a possible attack. A ping sweep from an external/suspicious source should alert the administrator.

Protocol Anoma
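The logistic spread of Code Red (360,000 hosts in 14 hours) and the much faster Slammer (under 10 minutes) can be reproduced with the random constant spread model the "classic logistic" slide refers to; this is an added example, not code from the slides, and the scan rates (4 and 4000 scans/s), the 100,000-host population and the linear model for the unseeded case are assumptions.

```python
"""Random Constant Spread (RCS) model of worm propagation: an added example for
this page, not code from the slides. Scan rates and the 100,000-host population
below are constructed parameters; only the 360,000 figure comes from the deck."""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 space a scanning worm probes at random


def contact_rate(vulnerable, scans_per_sec):
    """K: new vulnerable hosts one infected host finds per second.
    Each random scan hits a vulnerable address with probability vulnerable/2^32."""
    return scans_per_sec * vulnerable / ADDRESS_SPACE


def infected_fraction(t, vulnerable, scans_per_sec, initial=1):
    """Logistic solution of da/dt = K*a*(1-a) with `initial` infected hosts at t=0
    (properly seeded RNG, so every copy scans independent random addresses)."""
    k = contact_rate(vulnerable, scans_per_sec)
    a0 = initial / vulnerable
    return 1.0 / (1.0 + (1.0 / a0 - 1.0) * math.exp(-k * t))


def time_to_fraction(target, vulnerable, scans_per_sec, initial=1):
    """Seconds until `target` fraction of the vulnerable population is infected."""
    k = contact_rate(vulnerable, scans_per_sec)
    a0 = initial / vulnerable
    return math.log((target / (1.0 - target)) * ((1.0 - a0) / a0)) / k


def unseeded_infected(t, vulnerable, scans_per_sec):
    """Code Red v1 case from the slides: the RNG was not seeded, so every copy
    replays the same address sequence and the set of distinct addresses probed
    grows no faster than a single scanner's. Simplified linear model (assumption)."""
    return min(vulnerable, 1.0 + contact_rate(vulnerable, scans_per_sec) * t)


if __name__ == "__main__":
    # TCP scanner (a few scans/s) over the deck's 360,000-host population ...
    hours = time_to_fraction(0.9, 360_000, 4.0) / 3600
    # ... versus a single-packet UDP scanner (thousands of scans/s), Slammer-style.
    minutes = time_to_fraction(0.9, 100_000, 4000.0) / 60
    print(f"4 scans/s, 360,000 hosts: 90% infected after {hours:.1f} h")
    print(f"4000 scans/s, 100,000 hosts: 90% infected after {minutes:.1f} min")
    print(f"larger population spreads faster: "
          f"{time_to_fraction(0.9, 36_000, 4.0) / 3600:.0f} h for 36,000 hosts")
```

Shrinking the vulnerable population (patching) lowers K directly, which is the defensive reading of the "larger population spreads faster" note.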
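For the traffic-anomaly slide, here is an added ping-sweep detector run over constructed log lines (not part of the deck); the log line format, the 10.0.0.0/8 internal prefix, the 60-second window and the threshold of 8 distinct hosts are assumptions.

```python
"""Ping-sweep detector for the slides' traffic-anomaly example (added code, not
from the original deck). Log format and the internal prefix are assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) ICMP echo-request src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed site address space


def parse_line(line):
    """Return (timestamp, src, dst) for an ICMP echo-request line, else None."""
    m = LINE_RE.match(line.strip())
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"]) if m else None


def detect_ping_sweeps(lines, window=timedelta(seconds=60), threshold=8):
    """Flag external sources that ping >= threshold distinct hosts within `window`.
    Returns [(src, max_distinct_destinations, window_start_timestamp)]."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec[1]].append(rec)
    alerts = []
    for src, recs in by_src.items():
        # Slide's rule: only external/suspicious sources alert; internal monitoring is legitimate.
        if any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS):
            continue
        recs.sort()  # by timestamp; sliding window over the sorted events
        best, first, start = 0, None, 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            distinct = {r[2] for r in recs[start:end + 1]}
            if len(distinct) > best:
                best, first = len(distinct), recs[start][0]
        if best >= threshold:
            alerts.append((src, best, first))
    return alerts


# Constructed sample: external host sweeps 10.0.0.1-12 in 12 s; internal host pings 3 servers; one non-ICMP line.
SAMPLE_LOG = [f"2024-05-01T10:00:{i:02d} ICMP echo-request src=203.0.113.5 dst=10.0.0.{i + 1}"
              for i in range(12)] + [
    "2024-05-01T10:00:05 ICMP echo-request src=10.0.0.7 dst=10.0.0.1",
    "2024-05-01T10:00:06 ICMP echo-request src=10.0.0.7 dst=10.0.0.2",
    "2024-05-01T10:00:07 ICMP echo-request src=10.0.0.7 dst=10.0.0.3",
    "2024-05-01T10:00:08 TCP SYN src=198.51.100.9 dst=10.0.0.4",
]
```

Calling detect_ping_sweeps(SAMPLE_LOG) returns a single alert for 203.0.113.5 covering 12 destinations; the internal host's three pings stay below the threshold and are skipped anyway by the external-source rule.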
