Computer Network Attack and Defense Techniques (lecture slides)
1、計(jì)算機(jī)網(wǎng)絡(luò)攻擊和防護(hù)技術(shù)簡(jiǎn)介網(wǎng)絡(luò)安全各項(xiàng)專題應(yīng)用軟件安全(Application security)操作系統(tǒng)安全(Operating system security)網(wǎng)絡(luò)安全(Network security)網(wǎng)頁(yè)(Web security)網(wǎng)絡(luò)攻擊基本原理 (Principals of network attacks)網(wǎng)絡(luò)攻擊防護(hù)基本原理(Intrusion detection and prevention)網(wǎng)絡(luò)安全技術(shù)要求計(jì)算機(jī)操作系統(tǒng)計(jì)算機(jī)體系結(jié)構(gòu)計(jì)算機(jī)網(wǎng)絡(luò)數(shù)據(jù)結(jié)構(gòu)計(jì)算機(jī)算法C 語(yǔ)言匯編語(yǔ)言較強(qiáng)的英語(yǔ)閱讀能力警告: 慎用網(wǎng)絡(luò)安全知識(shí)我們會(huì)討論一些 漏洞(vulnerabilities)

2、和攻擊 (attacks)大部分漏洞已經(jīng)堵了.一些攻擊還是會(huì)造成破壞 不要嘗試在非實(shí)驗(yàn)室場(chǎng)合試用目的學(xué)習(xí)如何避免和防衛(wèi)惡性攻擊學(xué)習(xí)作為軟件工程師, 如何寫(xiě)好無(wú)漏洞的軟件老一代的黑客(2000 前)Profile:計(jì)算機(jī)迷14 到34 歲不用照顧家庭不為錢Source: Raimund Genes新一代駭客高中未畢業(yè)生“most of these people I infect are so stupid they really aint got no business being on the Internet in the first place.“技能用攻擊工具少量計(jì)算機(jī)知識(shí)工作時(shí)間: 2

3、-10 分鐘管理 Botnet收入: 平均 $6,800 /月每天工作: 網(wǎng)上閑逛, 網(wǎng)上聊天 botnets 自動(dòng)掙錢控制 13,000 以上的計(jì)算機(jī), 分布在世界各地 不斷地感染新的 Bot PCs, 下載廣告軟件和惡性軟件到受感染的機(jī)器 竊取敏感數(shù)據(jù)帳號(hào), 密碼, 電郵, 社會(huì)安全號(hào),信用卡號(hào), 銀行帳號(hào)等出售服務(wù)和非法數(shù)據(jù)給各種公司TopC, GammaC, Loudcash, or 180Solutions.6Washington Post: Invasion of the Computer Snatchers網(wǎng)絡(luò)安全問(wèn)題有多大?/stats/CERT Vulnerabilities

4、 reported惡性軟件(Malware) 分類Virus(病毒)Copy and infect without permissionWorm(蠕蟲(chóng))Self-propagating across networksTrojan(木馬)Destructive program masquerading as a benign applicationBot and Botnet (僵尸和僵尸網(wǎng))Used for the co-ordination and operation of an attackSpyware (間諜軟件)Intercept or take partial control ov

5、er users interactionBackdoor (后門(mén))Covert access to a computerDownloader Download/install malicious softwareRansomwareProgram to encrypt user useful data and request ransom for restoration AdwareDownload advertising software and display advertisements without user consentRootkit Subvert control of OS常

6、見(jiàn)的網(wǎng)絡(luò)攻擊分類2006 MITRE CVE stats: 21.5 % of CVEs were XSS 14 percent SQL injection 9.5 percent php includes“ 7.9 buffer overflow2005 年前, buffer overflows 是最常見(jiàn)2005 年后, Cross-Site Scripping (XSS) 最常見(jiàn)9Vulnerability Stats: web is “winning”Source: MITRE CVE trendsMajority of vulnerabilities now found in web

7、software網(wǎng)絡(luò)攻擊實(shí)例: SilentBankerProxy intercepts request and adds fieldsBank sends login page needed to log inWhen user submits information, also sent to attackerCredit: Zulfikar Ramzan網(wǎng)絡(luò)安全黑市RankLast Goods and servicesCurrentPreviousPrices12Bank accounts22%21%$10-100021Credit cards13%22%$0.40-$2037Full

8、identity9%6%$1-154N/ROnline auction site accounts7%N/A$1-858Scams7%6%$2.50/wk - $50/wk (hosting); $25 design64Mailers6%8%$1-1075Email Addresses5%6%$0.83-$10/MB83Email Passwords5%8%$4-309N/RDrop (request or offer)5%N/A10-50% of drop amount106Proxies5%6%$1.50-$30Credit: Zulfikar Ramzan為什么有這么多安全漏洞(Secu

9、rity Vulnerabilities)Buggy software.insecure codeAwarenessSome contributing factorsFew courses in computer securityProgramming text books do not emphasize securityFew security audits C is an unsafe languageProgrammers have many other things to worry aboutLegacy software (some solutions, e.g. Sandbox

10、ing)Consumers do not care about securitySecurity is expensive and takes timeSource Of Computer and Network VulnerabilitiesOperation SystemsMicrosoft OSLinuxCommunication ProtocolsProtocol design issuesTCP syn-to-deathApplicationsHttp Word1515WormA worm is self-replicating software designed to spread

11、 through the networkexploit security flaws in widely used services and applications綠霸軟件cause enormous damage Launch DDOS attacks, install bot networks Access sensitive informationCause confusion by corrupting the sensitive informationPenetration Methods (Source S21sec)Browser Exploit (65%)Browser se

12、curity bugsEmail Attachment (13%)Spam and unsolicited emailOperating System Exploit (11%)Internet Download (9%)Other (2%)1717How do worms self-propagate?Scanning worms : Worm chooses “random” addressCoordinated scanning : Different worm instances scan different addressesFlash wormsAssemble tree of v

13、ulnerable hosts in advance, propagate along treeNot observed in the wild, yetPotential for 106 hosts in 2 sec ! StanifordMeta-server worm: Ask server for hosts to infect (e.g., Google for “powered by phpbb”)Topological worm: Use information from infected hosts (web server logs, email address books,

14、config files, SSH “known hosts”)Contagion worm : Propagate parasitically along with normally initiated communication1818Cost of worm attacksMorris worm, 1988Infected approximately 6,000 machines10% of computers connected to the Internet cost $10 million in downtime and cleanupCode Red worm, July 16

15、2001Direct descendant of Morris wormInfected more than 500,000 serversProgrammed to go into infinite sleep mode July 28 Caused $2.6 Billion in damages,Love Bug worm: $8.75 billionStatistics: Computer Economics Inc., Carlsbad, California1919Internet Worm (First major attack)Released November 1988Prog

16、ram spread through Digital, Sun workstations Exploited Unix security vulnerabilitiesVAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX codeConsequencesNo immediate damage from program itself Replication and threat of damage Load on network, systems used in attackMany sys

17、tems shut down to prevent further attack2020Some historical worms of noteWormDateDistinctionMorris11/88Used multiple vulnerabilities, propagate to “nearby” sysADM5/98Random scanning of IP address spaceRamen1/01Exploited three vulnerabilitiesLion3/01Stealthy, rootkit wormCheese6/01Vigilante worm that

18、 secured vulnerable systemsCode Red7/01First sig Windows worm; Completely memory residentWalk8/01Recompiled source code locallyNimda9/01Windows worm: client-to-server, c-to-c, s-to-s, Scalper6/0211 days after announcement of vulnerability; peer-to-peer network of compromised systemsSlammer1/03Used a

19、 single UDP packet for explosive growth2121Increasing propagation speedCode Red, July 2001Affects Microsoft Index Server 2.0, Windows 2000 Indexing service on Windows NT 4.0.Windows 2000 that run IIS 4.0 and 5.0 Web serversExploits known buffer overflow in Idq.dllVulnerable population (360,000 serve

20、rs) infected in 14 hoursSQL Slammer, January 2003Affects Microsoft SQL 2000Exploits known buffer overflow vulnerabilityServer Resolution service vulnerability reported June 2002 Patched released in July 2002 Bulletin MS02-39Vulnerable population infected in less than 10 minutes2222Code RedInitial ve

21、rsion (July 13, 2001)Sends its code as an HTTP requestHTTP request exploits buffer overflow Malicious code is not stored in a filePlaced in memory and then runWhen executed,Worm checks for the file C:NotwormIf file exists, the worm thread goes into infinite sleep stateCreates new threadsIf the date

22、is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses2323Code Red of July 13 and July 19Initial release of July 13, 20011st through 20th month: Spread via random scan of 32-bit IP addr space20th through end of each month: attack.Flood

23、ing attack against 1 ()Failure to seed random number generator linear growthRevision released July 19, 2001.White House responds to threat of flooding attack by changing the address of Causes Code Red to die for date 20th of the month.But: this time random number generator correctly seeded2424Infect

24、ion rate2525Spread of Code RedNetwork telescopes estimate of # infected hosts: 360K. (Beware DHCP & NAT)Course of infection fits classic logistic.Note: larger the vulnerable population, faster the worm spreads.That night ( 20th), worm dies except for hosts with inaccurate clocks!It just takes one of

25、 these to restart the worm on August 1st 26262727Code Red 2Released August 4, 2001.Comment in code: “Code Red 2.”But in fact completely different code base.Payload: a root backdoor, resilient to reboots.Bug: crashes NT, only works on Windows 2000.Localized scanning: prefers nearby addresses.Kills Co

26、de Red 1.Safety valve: programmed to die Oct 1, 2001.2828Striving for Greater Virulence: NimdaReleased September 18, 2001.Multi-mode spreading:attack IIS servers via infected clients email itself to address book as a virus copy itself across open network shares modifying Web pages on infected server

27、s w/ client exploit scanning for Code Red II backdoors (!) worms form an ecosystem!Leaped across firewalls.2929Code Red 2 kills off Code Red 1Code Red 2 settles into weekly patternNimda enters the ecosystemCode Red 2 dies off as programmedCR 1 returns thanksto bad clocksSlammer01/25/2003Vulnerabilit

28、y disclosed : 25 June 2002Better scanning algorithmUDP Single packet : 380bytesMuch faster than TCP based wormSlammer propagationNumber of Scan/secPacket LossServer ViewConsequencesATM systems not availablePhone network overloaded (no 911!)5 DNS root downPlanes delayedBotnetBotNetsA New Big ProblemB

29、otsLittle program installed silently without user interventionMost users are not aware of Bots in their computersCommon users are weakest linksNeed good education to common users to mitigate the Botnet Millions of computers infected 53000 infected per day (2007)BotnetsNetworks of computers on which

30、Bots are installed. Managed by command and control serverUsed for DDOS, Cyber War, Identity Theft, SPAM, SCAMBots are deployed across countries around worldChina, USA, Germany, Spain, France are the top five countries infectedHow Botnets workC & CBotBotBotBotCentralized BotnetsCentralizedDistributed

31、 BotnetsC&C centralized StatWorld Wild ProblemIntrusion Detection & PreventionAn OverviewFirewallFirewall can block unwanted serviceThe first-level of defense for network intrusion.Firewall Alone Is Not EnoughFirewall cannot look into applicationsIPS is the key to keep up with new security threats p

32、rotectionIPS can realize Qos for business critical applications over nonessential apps like P2P and IMTimelineVulnerabilitiesDiscoveredAdvisory IssuedWorm ReleasedExploits ReleasedGetting ShorterLifecycle of Vulnerabilities and ThreatsBenefits of Network IPSDropped from the networkBenefitsAttacks ne

33、ver reach their victim, eliminating impact to the networkNo need to waste time investigating the attackWorks for all traffic (IP, TCP, UDP, etc.)Drops only the offending trafficAn active, in-line system detects an attack and drops malicious traffic during the detection processUserUserUserServersMail

34、ServerWebServerFirewallHTTP TrafficCode redTypical DeploymentsLarge Enterprise / Service ProvidersRegional OfficesSmall/Mid-size BusinessesMid-size BusinessesIntegrated FW/IPSIPSIPSIPSWe have Long Way to GoKnown Threats but no known ways to protectKnown Threats with available protectionUnknown Threa

35、ts & VulnerabilitiesPacketEngineIPS Sensor ArchitecturesPacket engine packet IOpacket defragmentationflow and session managementDetector analyzes and decodes applicationsPolicy contains signatures and rules to detect attacksBoth policy and detector can be dynamically loadableLog for forensic analysi

36、sDetectorPolicyLogManagementActionNetwork InterfaceIPS ArchitectureIP Fragment ReassemblyTCP ReassemblyLine-breakingApplication (HTTP) Parsing Event CorrelationLogs + PacketsFlow Lookup/ReconstructionActionsSignaturesAttack MatchingNetwork InterfaceTraffic Anomaly DetectionIdentify abnormal usage patternNo protocol anomalies or attack patterns but unusual traffic usage/volumeExample: Ping SweepReconnaissance Scan networks to identify resources for possible attackPing Sweep from external/suspicious source should alert administratorProtocol Anoma
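The slides state that Code Red's course of infection fits the classic logistic curve and that a larger vulnerable population spreads faster. Both follow from the random constant spread model of Staniford, Paxson and Weaver for random-scanning worms: with N vulnerable hosts in the 2^32 IPv4 space and r probes per second per infected host, the infected fraction a(t) obeys da/dt = K a (1 - a) with K = r N / 2^32. The Python below is an added example, not code from the slides; the per-host scan rate of 10 probes per second is an assumed parameter, the 360,000-host population is the slides' network-telescope estimate, and the comparison population of 36,000 hosts is constructed for illustration.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random-scanning worm picks from


def infection_rate_constant(vulnerable_hosts: int, scans_per_sec: float) -> float:
    """K = r * N / 2^32: new infections per second caused by one infected host
    while nearly every probe still lands on an uninfected vulnerable machine."""
    return scans_per_sec * vulnerable_hosts / ADDRESS_SPACE


def infected_fraction(t_sec: float, k: float, a0: float) -> float:
    """Closed-form logistic solution of da/dt = K * a * (1 - a) with a(0) = a0."""
    growth = math.exp(k * t_sec)
    return a0 * growth / (1.0 - a0 + a0 * growth)


def time_to_fraction(target: float, k: float, a0: float) -> float:
    """Seconds until the infected fraction reaches `target` (logistic inverted)."""
    return math.log(target * (1.0 - a0) / (a0 * (1.0 - target))) / k


def simulate(vulnerable_hosts: int, scans_per_sec: float, dt_sec: float = 60.0,
             stop_fraction: float = 0.9, max_steps: int = 100_000):
    """Euler-step the logistic ODE starting from a single infected host.
    Returns (seconds until stop_fraction is reached, trajectory of (t, infected))."""
    k = infection_rate_constant(vulnerable_hosts, scans_per_sec)
    a = 1.0 / vulnerable_hosts  # one infected host at t = 0
    t = 0.0
    trajectory = [(t, 1)]
    for _ in range(max_steps):
        a += k * a * (1.0 - a) * dt_sec
        t += dt_sec
        trajectory.append((t, int(round(a * vulnerable_hosts))))
        if a >= stop_fraction:
            return t, trajectory
    raise RuntimeError("stop_fraction not reached within max_steps")


def compare_populations(scans_per_sec: float = 10.0) -> dict:
    """Hours until 90% infection for the slides' Code Red population (360,000)
    versus a population one tenth the size; scan rate is an assumed parameter."""
    hours = {}
    for n in (360_000, 36_000):
        k = infection_rate_constant(n, scans_per_sec)
        hours[n] = time_to_fraction(0.9, k, 1.0 / n) / 3600.0
    return hours


if __name__ == "__main__":
    for n, h in compare_populations().items():
        print(f"{n:>7} vulnerable hosts: 90% infected after {h:5.1f} h")
    t90, traj = simulate(360_000, 10.0)
    print(f"Euler simulation reaches 90% at {t90 / 3600:.1f} h in {len(traj)} steps")
```

The closed form shows why population size matters: K is proportional to N, so ten times fewer vulnerable hosts makes the worm roughly ten times slower, and the slides' remark that only one badly-clocked host is needed to restart the epidemic corresponds to a0 = 1/N, which only shifts the curve in time rather than changing its shape.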
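The traffic-anomaly example above (a ping sweep from an external or suspicious source should alert the administrator) can be implemented as a sliding-window count of distinct destination hosts per source, which is what separates a sweep from a chatty but legitimate monitoring host. The Python below is an added example, not the slides' or any product's code; the log-line format, the internal address ranges, the window length and the threshold are all assumptions, and the sample log lines are constructed for the example. It also shows the usual blind spot of a fixed window: a sweep slower than the window is missed unless the window is widened.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Address ranges treated as "inside" the organisation (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def build_sample_log() -> list:
    """Constructed flow-log lines: '<ISO time> ICMP <src> -> <dst> echo-request'.
    The format is assumed for the example, not taken from any product."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    # (1) External host probing 24 consecutive addresses in 24 seconds: a sweep.
    for i in range(24):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} ICMP 203.0.113.7 -> 10.0.0.{i + 1} echo-request")
    # (2) Internal monitor pinging the same three servers every 10 s for 5 min:
    #     many packets but only three distinct targets, so not a sweep.
    for i in range(30):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} ICMP 10.0.0.5 -> 10.0.0.{i % 3 + 1} echo-request")
    # (3) Slow external sweep: 20 hosts, one probe every two minutes.
    for i in range(20):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} ICMP 198.51.100.9 -> 10.0.1.{i + 1} echo-request")
    return lines


def parse_line(line: str):
    """Return (timestamp, src, dst) for one log line."""
    ts, _proto, src, _arrow, dst, _kind = line.split()
    return datetime.fromisoformat(ts), src, dst


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_ping_sweeps(lines, window_sec: int = 60, min_distinct_hosts: int = 16) -> list:
    """Alert when one source sends echo requests to at least `min_distinct_hosts`
    different destinations inside any `window_sec`-second sliding window."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        by_src[src].append((ts, dst))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        window = deque()              # probes currently inside the window
        in_window = defaultdict(int)  # dst -> number of probes in the window
        peak = 0
        for ts, dst in events:
            window.append((ts, dst))
            in_window[dst] += 1
            # Expire probes older than the window before counting.
            while (ts - window[0][0]).total_seconds() > window_sec:
                _old_ts, old_dst = window.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            peak = max(peak, len(in_window))
        if peak >= min_distinct_hosts:
            ext = is_external(src)
            alerts.append({"src": src, "distinct_hosts": peak, "external": ext,
                           "severity": "high" if ext else "medium"})
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    for alert in detect_ping_sweeps(log):
        print("60 s window:", alert)
    for alert in detect_ping_sweeps(log, window_sec=3600):
        print("1 h window:", alert)
```

With the default 60-second window only the fast sweep from 203.0.113.7 is reported; the internal monitor is never reported because it touches only three hosts however many packets it sends, and the two-minute-interval sweep from 198.51.100.9 is only caught once the window is widened to an hour. In practice a sensor keeps several window lengths at once for exactly this reason.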
