Tuesday, 14 April 2015

Denial of Service and Intrusion Detection


What is a DoS attack and how can it be initiated? Which one is most common?

In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users.
A DoS attack generally consists of efforts to temporarily or indefinitely interrupt or suspend the services of a host connected to the Internet. The distinction between the two is the number of sources: a DoS attack is launched from a single host, whereas a DDoS attack is launched from many hosts at once, usually compromised machines (bots) under one attacker's control. As of 2014, the frequency of recognized DDoS attacks had reached an average rate of 28 per hour. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.
A denial of service (DoS) attack is an attack on the availability of network resources. DoS attacks can be initiated in many ways, including:


  • Transmission failure
  • Traffic redirection
  • DNS attacks
  • Connection flooding



Which types of connection flooding attacks do you know?

A connection flooding attack seeks to negatively affect the availability of a network resource by exhausting or overwhelming the capacity of a communications channel or of the host's connection-handling resources. Types:


  • Echo chargen
  • Ping of death
  • Smurf attack
  • SYN flood
  • Teardrop




What is an echo chargen attack?

This attack is a form of UDP flood that abuses two old diagnostic services: echo (UDP port 7), which returns whatever it receives, and chargen (UDP port 19), which answers any datagram with a block of characters. The attacker sends a single forged UDP datagram to the chargen port of one host, with the source address and port spoofed to be the echo port of the target. Chargen answers the target's echo service with a block of random characters, the echo service sends that block straight back to chargen, and the two services keep bouncing traffic between each other with no further involvement of the attacker. The bandwidth of both hosts is consumed quickly. The defence is to disable the echo and chargen services, which have no legitimate production use, and to drop packets with spoofed source addresses at the network edge.


Source: http://image.slidesharecdn.com/12-tcp-dns-140326164729-phpapp01/95/12-tcpdns-14-638.jpg?cb=1395870536



What is the speciality of a ping of death attack?

A correctly formed ping message typically carries 56 bytes of data, or 84 bytes when the ICMP and Internet Protocol (IP) headers are counted. Historically, many computer systems could not properly handle a ping packet larger than the maximum IPv4 packet size of 65,535 bytes; larger packets could crash the target computer. In early implementations of TCP/IP this bug was easy to exploit, and it affected a wide variety of systems, including Unix, Linux, Mac, Windows, printers, and routers. Sending a 65,536-byte ping packet violates the Internet Protocol as documented in RFC 791, because the total-length field is only 16 bits wide, but such a packet can still be delivered in fragments: each fragment is legal on its own, and only when the target reassembles them does the sum of fragment offset and length exceed the maximum. Reassembly code that allocated a fixed 65,535-byte buffer then wrote past its end, causing a buffer overflow and often a system crash. The fix, present in all current stacks, is to check each fragment's offset plus length against the maximum datagram size before copying it into the buffer.



Describe smurf attacks and their impacts?

The smurf attack is an attack in which a system is flooded with replies to ping messages that were sent with its address as the spoofed source. This creates high traffic on the victim's network, which often renders it unresponsive.
Smurfing takes advantage of two well-known facts about the Internet Protocol and the Internet Control Message Protocol (ICMP). ICMP is used by network administrators to exchange information about network state, and an ICMP echo request (ping) is used to determine whether another node is up; and a packet sent to a network's directed-broadcast address is delivered to every host on that network. The smurf program sends an ICMP echo request to the broadcast address of an intermediary network, with the source address spoofed to the victim's IP address. Every host on that network answers, and all of the echo replies are directed toward the victim. One forged request thus becomes as many replies as there are responding hosts, an amplification that can make the victim's network unusable for real traffic. The standard countermeasure is for routers to refuse to forward directed broadcasts (on Cisco IOS the command is no ip directed-broadcast, the default since IOS 12.0), so that no network can be used as an amplifier; the victim itself can do little except filter echo replies upstream.
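
Detection logic for the two spoofed-source amplification patterns above (echo-chargen and smurf), as an added example that is not part of the original post. The packet records are constructed for the example; a real tool would fill them from a pcap parser, and the monitored network 192.0.2.0/24 is an assumption.

```python
# Added example (not part of the original post): flag the two spoofed
# UDP/ICMP amplification patterns described above, echo-chargen and smurf,
# in a list of captured packets. The packet records below are constructed
# for this example; a real tool would fill them from a pcap parser.
import ipaddress
from collections import Counter

ECHO_PORT, CHARGEN_PORT = 7, 19


def is_directed_broadcast(dst, network):
    """True if dst is the broadcast address of `network` (e.g. 192.0.2.255 for 192.0.2.0/24)."""
    return ipaddress.ip_address(dst) == ipaddress.ip_network(network).broadcast_address


def detect_echo_chargen(packets):
    """Echo/chargen loop: any UDP datagram between port 7 and port 19, in either
    direction. No legitimate application chains these two services, so a single
    such datagram is enough to raise an alert; return the (src, dst) pairs seen."""
    hits = []
    for p in packets:
        if p["proto"] == "udp" and {p["sport"], p["dport"]} == {ECHO_PORT, CHARGEN_PORT}:
            hits.append((p["src"], p["dst"]))
    return hits


def detect_smurf(packets, local_network):
    """Smurf origination: ICMP echo requests addressed to our directed-broadcast
    address. The (spoofed) source is the intended victim, so the result is a list
    of (victim, request_count), most frequent first."""
    victims = Counter()
    for p in packets:
        if (p["proto"] == "icmp" and p.get("type") == "echo-request"
                and is_directed_broadcast(p["dst"], local_network)):
            victims[p["src"]] += 1
    return victims.most_common()


# Constructed capture: one echo<->chargen exchange, one normal DNS query,
# two smurf requests aimed at 203.0.113.7 via our 192.0.2.0/24 broadcast,
# and one ordinary unicast ping.
SAMPLE_PACKETS = [
    {"proto": "udp", "src": "203.0.113.7", "dst": "198.51.100.2", "sport": 7, "dport": 19},
    {"proto": "udp", "src": "198.51.100.2", "dst": "203.0.113.7", "sport": 19, "dport": 7},
    {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.53", "sport": 40001, "dport": 53},
    {"proto": "icmp", "type": "echo-request", "src": "203.0.113.7", "dst": "192.0.2.255"},
    {"proto": "icmp", "type": "echo-request", "src": "203.0.113.7", "dst": "192.0.2.255"},
    {"proto": "icmp", "type": "echo-request", "src": "192.0.2.10", "dst": "192.0.2.20"},
]
LOCAL_NETWORK = "192.0.2.0/24"  # assumed address of the monitored LAN

if __name__ == "__main__":
    print("echo-chargen:", detect_echo_chargen(SAMPLE_PACKETS))
    print("smurf victims:", detect_smurf(SAMPLE_PACKETS, LOCAL_NETWORK))
```

Both detectors key on the protocol fact that makes the attack work (the port pair, the broadcast destination) rather than on volume, so they fire on the first forged packet instead of after the flood has built up. The unicast ping and the DNS query in the sample are ignored, which is the false-positive check a practitioner would want.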



Show in an example how a teardrop attack is carried out.

In the teardrop attack, the attacker sends IP fragments whose offset and length fields do not fit together: the second fragment claims an offset that lies inside the range already covered by the first, so the two overlap. When the receiving device attempts to reassemble them, reassembly code that trusted the offsets computed a negative fragment length or wrote outside its buffer. Older operating systems simply crashed when this occurred; Windows NT, Windows 95, and Linux versions prior to 2.1.63 are vulnerable to the teardrop attack. Patching or upgrading the operating system and network devices is the way to stay secure from these types of attacks, since current stacks validate fragment offsets and lengths before copying any data.
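
A fragment reassembler with the two bounds checks whose absence made ping of death and teardrop work, as an added example that is not part of the original post; it serves both the ping-of-death question above and the teardrop example requested here. Fragments are modelled as (offset in bytes, payload, more-fragments flag); the fragment sets at the bottom are constructed for the example.

```python
# Added example (not part of the original post): an IP fragment reassembler
# with the bounds checks whose absence made ping of death and teardrop work.
# Fragments are modelled as (offset_in_bytes, payload, more_fragments_flag);
# the samples at the bottom are constructed for this example.
MAX_DATAGRAM = 65535          # IPv4 total-length field is 16 bits (RFC 791)
IP_HEADER = 20                # minimal header; payload may be at most 65515 bytes
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER


class BadFragment(ValueError):
    """Raised for a malformed fragment set; .kind names the defect."""
    def __init__(self, kind, detail):
        super().__init__(f"{kind}: {detail}")
        self.kind = kind


def reassemble(fragments):
    """Return the reassembled payload, or raise BadFragment.

    Two checks matter here. The oversize check stops ping of death: each
    fragment is individually legal, only offset + length reveals that the
    whole datagram would exceed 65535 bytes. The overlap check stops
    teardrop: a fragment whose offset lies inside an already accepted one."""
    buf = bytearray()
    accepted = []              # (start, end) byte ranges already copied
    total = None               # end of the fragment with MF=0, once seen
    for offset, data, more in sorted(fragments, key=lambda f: f[0]):
        end = offset + len(data)
        if offset % 8:
            raise BadFragment("alignment", f"offset {offset} is not a multiple of 8")
        if end > MAX_PAYLOAD:
            raise BadFragment("oversize", f"fragment ends at byte {end} > {MAX_PAYLOAD} (ping of death)")
        for start, stop in accepted:
            if offset < stop and start < end:
                raise BadFragment("overlap", f"[{offset},{end}) overlaps [{start},{stop}) (teardrop)")
        if not more:
            if total is not None:
                raise BadFragment("duplicate-last", "two fragments have MF=0")
            total = end
        if len(buf) < end:
            buf.extend(bytes(end - len(buf)))
        buf[offset:end] = data
        accepted.append((offset, end))
    if total is None or sum(stop - start for start, stop in accepted) != total:
        raise BadFragment("incomplete", "missing last fragment or holes in the data")
    return bytes(buf)


def classify(fragments):
    """'ok' for a sound fragment set, otherwise the defect kind."""
    try:
        reassemble(fragments)
        return "ok"
    except BadFragment as e:
        return e.kind


# Constructed fragment sets.
NORMAL = [(16, b"C" * 4, False), (0, b"A" * 8, True), (8, b"B" * 8, True)]   # arrives out of order
PING_OF_DEATH = [(0, b"A" * 8, True), (65512, b"X" * 8, False)]               # ends at 65520 > 65515
TEARDROP = [(0, b"A" * 24, True), (16, b"B" * 8, False)]                      # second sits inside first

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("ping of death", PING_OF_DEATH), ("teardrop", TEARDROP)]:
        print(f"{name}: {classify(frags)}")
```

The vulnerable historical code differed from this in exactly the two lines that raise "oversize" and "overlap": it copied first and checked afterwards, if at all. Note that the out-of-order arrival in NORMAL is perfectly legitimate and reassembles fine; ordering was never the problem, the overlapping offsets were.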



Why are DDoS attacks more efficient than DoS attacks?

In a distributed denial of service attack, an attacker first uses any convenient method to distribute a Trojan horse (the bot agent) to as many machines as possible. After choosing a victim, the attacker transmits a signal to each zombie machine to initiate the attack, and the agent on each zombie then launches a denial of service attack on the target. This is more effective than a single-source DoS for three reasons: the aggregate bandwidth of thousands of zombies exceeds what any one attacker's link could generate, the traffic arrives from many different source addresses and so cannot be stopped by blocking a single address, and the attacker is hidden behind the zombies, which makes tracing the attack back to its origin much harder.



How does an Intrusion Detection System work? What is the difference to an Intrusion Prevention System? Which goals do they have?

An intrusion detection system (IDS) is a device or program that monitors system and network activities with a view toward detecting malicious or suspicious events.

IDS attempt to detect:


  • Outsiders breaking into a system
  • Insiders attempting to perform inappropriate actions



Goals of IDS:

  • Detect a wide variety of intrusions
    • Previously known and unknown attacks
    • Suggests the need to learn/adapt to new attacks or changes in behavior
  • Detect intrusions in a timely fashion
    • May need to be real-time, especially when the system responds to the intrusion
    • May suffice to report that an intrusion occurred a few minutes or hours ago
  • Present analysis in simple, easy-to-understand format
    • Ideally a binary indicator
    • Usually more complex, allowing analyst to examine suspected attack
    • User interface critical, especially when monitoring many systems
  • Be accurate
    • Minimize false positives, false negatives
    • Minimize time spent verifying attacks, looking for them





Name the differences between host-based and network-based IDSs.

Host-based:

  • IDS runs on a host
  • IDS monitors activities on this host only


Network-based:

  • The IDS is a stand-alone device
  • The IDS monitors the entire network or sub-network




Name the different modes of operation of an IDS. Which one is most efficient for detecting an attack?

Signature-based:


  • The IDS looks for known attacks
  • To detect an attack, current activities are matched against a database of known attack signatures (for example a byte pattern in a packet or a string in a request)
  • Advantage: precise, with few false positives for the attacks it knows
  • Problem: unable to detect new attacks (unknown signatures); the signature database must be kept up to date


Anomaly-based:


  • The IDS starts from models of acceptable user and system activity
  • Raises an alarm upon detection of a deviation from the modelled behavior
  • Can catch attacks that have no signature yet, at the price of more false positives whenever legitimate behavior changes


Hybrid:


  • The IDS is a combination of anomaly, signature, and/or heuristic-based approaches
  • Most deployed systems are hybrids: signatures for fast, precise detection of known attacks, anomaly or heuristic detection for everything the signatures miss


Heuristic-based:


  • The IDS automatically constructs a model of "normal" system behavior from observed activity (a learning phase)
  • Current activities are compared to what is considered normal in order to identify unacceptable system activities
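
The signature and anomaly modes side by side, as an added example that is not part of the original post. It runs over constructed web-server access records of the form (client IP, request path): the signatures, the baseline counts and the log entries are all assumptions made for the example.

```python
# Added example (not part of the original post): the two detection modes
# side by side, run over constructed web-server access records of the form
# (client_ip, request_path). Signature matching catches the known attack
# strings; the anomaly detector, trained on a baseline of per-client request
# counts, catches the client that behaves abnormally without matching any
# signature. Both the signatures and the log lines are assumptions made for
# this example.
import re
import statistics
from collections import Counter

SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)union\s+select|'\s*or\s+1\s*=\s*1"),
}


def signature_alerts(entries):
    """Return (client, signature_name) for every request matching a known pattern."""
    alerts = []
    for client, path in entries:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((client, name))
    return alerts


def anomaly_alerts(entries, baseline_counts, z=3.0):
    """Return (client, request_count) for clients whose volume in this window
    exceeds the baseline mean by more than z standard deviations.
    baseline_counts: per-client request counts from a clean training window."""
    mean = statistics.mean(baseline_counts)
    sd = statistics.pstdev(baseline_counts)
    threshold = mean + z * sd
    counts = Counter(client for client, _ in entries)
    return [(client, n) for client, n in counts.items() if n > threshold]


def hybrid_alerts(entries, baseline_counts):
    """Union of both modes, keyed by client, as a hybrid IDS would report it."""
    report = {}
    for client, name in signature_alerts(entries):
        report.setdefault(client, set()).add(name)
    for client, n in anomaly_alerts(entries, baseline_counts):
        report.setdefault(client, set()).add(f"volume-anomaly({n})")
    return report


# Constructed training window: typical clients make 4-6 requests each.
BASELINE = [4, 5, 6, 5, 4, 6, 5, 5]          # mean 5.0, population std dev ~0.71

# Constructed detection window.
LOG = [
    ("10.0.0.2", "/index.html"),
    ("10.0.0.2", "/about"),
    ("203.0.113.5", "/login"),
    ("203.0.113.5", "/static/../../etc/passwd"),          # known pattern, low volume
    ("198.51.100.8", "/search?q=' OR 1=1 --"),              # known pattern, low volume
] + [("10.0.0.9", "/api/items")] * 40                       # no pattern, abnormal volume

if __name__ == "__main__":
    for client, findings in hybrid_alerts(LOG, BASELINE).items():
        print(client, sorted(findings))
```

The sample is built so that each mode misses what the other catches: the signature matcher says nothing about 10.0.0.9, which sends no suspicious string, and the volume detector says nothing about the two clients that send one attack request each. The z threshold is the tuning knob for false positives; a legitimate crawler would trip it just as the flood does, which is why anomaly alerts normally go to an analyst rather than to an automatic block.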




What can be done with the responses of an IDS?


  • Protect systems and reduce exposure
  • Alert a human
  • Monitor the attack and collect data



Sources:

http://en.wikipedia.org/wiki/Intrusion_detection_system
http://www.geniusguard.com/AboutDDoS.php
http://en.wikipedia.org/wiki/Denial-of-service_attack
https://www.youtube.com/watch?v=0_59AocrBVo
http://beyondcgpa.com/tag/hacking-website-attack/
http://www.techopedia.com/definition/17294/smurf-attack

Firewalls and Network Security

A video about Firewalls and Network Security you can find at:
https://www.youtube.com/watch?v=XEqnE_sDzSk



Which characteristics make a network vulnerable to attacks?

Several characteristics make networks vulnerable to attack, including:


  • System complexity
  • Many points of attack
  • Unknown boundary
  • Resource and workload sharing
  • Anonymity



What is a port scanner? How does a network admin use this tool?

A port scanner is a software application designed to probe a server or host for open ports. It is used by administrators to verify the security policies of their networks and by attackers to identify the services running on a host with a view to compromising it. A network administrator or security analyst can use a port scanner to evaluate the strengths and weaknesses of a network, for instance to confirm that only the intended services are reachable from outside a firewall.

A port scan sends client requests to a range of server port addresses on a host with the goal of finding an active port. While not a nefarious process in and of itself, it is one used by attackers to probe a target machine's services with the aim of exploiting a known vulnerability of one of those services. The majority of port scans, however, are not attacks but simple probes to determine which services are available on a remote machine.
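
A TCP connect() scanner of the kind an administrator runs against their own hosts, as an added example that is not part of the original post. It needs no privileges because it completes a normal three-way handshake on each port; that also makes it the noisiest scan type, since every probe shows up in the target's connection logs. The demo() function opens a listener on the loopback interface so the example runs offline; the port window it scans is an assumption.

```python
# Added example (not part of the original post): a TCP connect() port scanner
# of the kind an administrator runs against their own hosts to see which
# services are listening. demo() runs it against a listener opened on the
# loopback interface so the example works offline.
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_scan(host, ports, timeout=0.5, workers=32):
    """Return the sorted list of ports on `host` that accepted a TCP connection."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising, so a refused
            # or filtered port simply yields a non-zero errno.
            return port if s.connect_ex((host, port)) == 0 else None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def demo():
    """Open one listening socket on an ephemeral loopback port, then scan a
    small window around it. Returns (listening_port, ports_found_open)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)
    port = listener.getsockname()[1]
    try:
        found = tcp_connect_scan("127.0.0.1", range(port - 3, port + 4))
    finally:
        listener.close()
    return port, found


def self_check():
    """True if the scan of the loopback window reports the listening port as open."""
    port, found = demo()
    return port in found


if __name__ == "__main__":
    port, found = demo()
    print(f"listening on {port}; scan reported open: {found}")
```

Only scan hosts you are authorised to test. The thread pool is what makes a full 1-65535 sweep practical, but it also makes the scan obvious to any IDS that counts connection attempts per source (the anomaly mode described later on this page).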



What is a firewall? Which tasks can be fulfilled by a firewall?

A firewall is software or hardware that checks information coming from the Internet or a network, and then either blocks it or allows it to pass through to your computer, depending on your firewall settings.
A firewall can help prevent hackers or malicious software (such as worms) from gaining access to your computer through a network or the Internet. A firewall can also help stop your computer from sending malicious software to other computers.

Source: http://res2.windows.microsoft.com/resbox/en/windows%207/main/a253fe23-4fb7-48d2-b52f-f52cb0e82734_57.jpg


Just as a brick wall can create a physical barrier, a firewall creates a barrier between the Internet and your computer.
A firewall isn't the same thing as an antivirus program. To help protect your computer, you need both a firewall and an antivirus and anti-malware program.



What is a firewall security policy? Name some examples!

A firewall security policy is a set of rules that a firewall relies upon to determine which traffic should be allowed to pass through a network boundary.


Examples of firewall security policy rules:

  • Block all access from the outside, allow all access to the outside
  • Allow access from outside
    • Only for certain activities
    • Only for certain sub-networks, hosts, applications, or users


Firewalls may have a default security policy:

  • Default permit
    • Anything that is not expressly prohibited is allowed
  • Default deny
    • Anything that is not expressly allowed is denied



What can be done by stateful inspection firewall?

A dynamic or "stateful" packet inspection firewall maintains a table of active TCP sessions and UDP "pseudo" sessions. Each entry records the session's source and destination IP addresses and port numbers and, for TCP, the current sequence number. Entries are created only for those TCP connections or UDP streams whose initiating packet satisfies a defined security policy. Packets associated with these sessions are permitted to pass through the firewall. Sessions that do not match any policy are denied, as is any packet that does not match an existing table entry.

Stateful inspection is more secure than plain packet filtering because it only allows packets that belong to an allowed session. For example, instead of permitting any host or program to send any kind of TCP traffic on port 80, a stateful inspection firewall ensures that each packet belongs to a session that was opened in accordance with the policy; a stray ACK, or a packet with a forged source port of 80 that a stateless filter would wave through, is dropped because no session exists for it. Firewalls that add application-layer inspection on top of the state table can go further: they can authenticate the user when the session is established, determine whether the packets really carry HTTP, and enforce constraints at the application layer (e.g., filtering URLs to deny access to black-listed sites).
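
A minimal stateful packet filter with a default-deny policy, as an added example that is not part of the original post; it illustrates both the firewall security policy question and the stateful inspection described here. Rules name which sessions may be initiated and in which direction; every other packet must belong to a session already in the table. The inside network, the rule set and the packet trace are assumptions constructed for the example.

```python
# Added example (not part of the original post): a minimal stateful packet
# filter with a default-deny policy. Rules name which sessions may be
# *initiated* and in which direction; every other packet must belong to a
# session already in the table. The inside network, rule set and packet
# trace are assumptions constructed for this example.
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/24")

# (direction of the initiating packet, protocol, destination port)
RULES = {
    ("out", "tcp", 80),
    ("out", "tcp", 443),
    ("out", "udp", 53),
    ("in", "tcp", 22),       # the one service reachable from the Internet
}


class StatefulFirewall:
    def __init__(self, rules, inside):
        self.rules = rules
        self.inside = inside
        self.sessions = set()   # (proto, src, sport, dst, dport) of the initiating packet

    def _direction(self, src):
        return "out" if ipaddress.ip_address(src) in self.inside else "in"

    def filter(self, pkt):
        """Return 'allow' or 'deny' for one packet dict and update the session table."""
        proto = pkt["proto"]
        forward = (proto, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (proto, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if forward in self.sessions or reverse in self.sessions:
            if proto == "tcp" and "RST" in pkt.get("flags", ()):
                self.sessions.discard(forward)   # connection torn down: forget it
                self.sessions.discard(reverse)
            return "allow"
        # Not part of a known session: only a session-opening packet can create one.
        opens_session = proto != "tcp" or pkt.get("flags") == ("SYN",)
        if opens_session and (self._direction(pkt["src"]), proto, pkt["dport"]) in self.rules:
            self.sessions.add(forward)
            return "allow"
        return "deny"    # default deny


# Constructed trace. A stateless "allow tcp port 443" rule would pass packet 4.
TRACE = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "93.184.216.34", "dport": 443, "flags": ("SYN",)},
    {"proto": "tcp", "src": "93.184.216.34", "sport": 443, "dst": "10.0.0.5", "dport": 51000, "flags": ("SYN", "ACK")},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "93.184.216.34", "dport": 443, "flags": ("ACK",)},
    {"proto": "tcp", "src": "198.51.100.9", "sport": 443, "dst": "10.0.0.5", "dport": 51001, "flags": ("ACK",)},
    {"proto": "tcp", "src": "198.51.100.9", "sport": 40000, "dst": "10.0.0.5", "dport": 445, "flags": ("SYN",)},
    {"proto": "tcp", "src": "198.51.100.9", "sport": 40001, "dst": "10.0.0.5", "dport": 22, "flags": ("SYN",)},
    {"proto": "udp", "src": "10.0.0.5", "sport": 40002, "dst": "192.0.2.53", "dport": 53},
    {"proto": "udp", "src": "192.0.2.53", "sport": 53, "dst": "10.0.0.5", "dport": 40002},
]


def run(trace, rules=RULES, inside=INSIDE):
    """Filter a whole trace with a fresh firewall and return the verdict per packet."""
    fw = StatefulFirewall(rules, inside)
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run(TRACE)):
        print(verdict, pkt)
```

Packet 4 is the case the prose makes: an unsolicited ACK from outside with source port 443, which only the session table can reject. Packet 5 is a plain default-deny decision (nothing on the inside is published on 445), and packets 7 and 8 show the UDP "pseudo session": the DNS reply is admitted only because the query created an entry. A production filter would also expire entries on FIN and after an idle timeout, which is omitted here.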



What is an application proxy gateway? How does it increase security?

Also known as an application proxy or application-level proxy, an application gateway is an application program that runs on a firewall system between two networks. When a client program wants to reach a destination service, it does not connect to the service directly but to the application gateway, or proxy, which then opens a separate connection to the destination on the client's behalf. Security increases because no packet ever passes straight through the firewall: the proxy understands the application protocol (for example HTTP or FTP), so it can check that the traffic really is that protocol, reject malformed or prohibited requests, log the exchange at the application level, and hide the internal hosts from the outside. The cost is that a separate proxy is needed for every protocol to be supported, and the extra processing reduces throughput.



What is a circuit-level-gateway?

A circuit-level gateway is a firewall that provides security for User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) connections and works between the transport and application layers of the Open Systems Interconnection (OSI) model, at the session layer. Unlike application gateways, circuit-level gateways do not inspect the contents of the data packets: they monitor the TCP handshake and verify that the session setup complies with the firewall's rules and policies, and once a session is accepted its packets are relayed without further examination.

A proxy server is a security barrier between internal and external computers, while a circuit-level gateway is a virtual circuit between the proxy server and the internal client.

For example, when a user's Web page access request passes through the circuit gateway, basic internal user information, such as the IP address, is exchanged so that replies can be matched to the client. Then the proxy server forwards the request to the Web server. Upon receiving the request, the external server sees the proxy server's IP address but does not receive any information about the internal user. The Web server sends its response to the proxy server, which forwards it to the client via the circuit-level gateway.



What are guard firewalls? Which advantages do they have over application proxy gateways?

Whereas a firewall is designed to limit traffic to certain services, a guard aims to control the information exchange that the network communication is supporting at the business level. Further, unlike a firewall, a guard provides assurance that it is effective in providing this control even under attack and failure conditions.

A guard will typically sit between a protected network and an external network, and ensure the protected network is safe from threats posed by the external network and from leaks of sensitive information to the external network.

A guard is usually dual-homed, though guards can connect more than two networks, and acts as a full application layer proxy, engaging in separate communications on each interface. A guard will pass only the business information carried by the protocols from one network to another, and then only if the information passes configured checks which provide the required protection.



Where is a personal firewall implemented? Can it replace a hardware firewall?

A personal firewall differs from a conventional firewall in terms of scale. A personal firewall will usually protect only the computer on which it is installed, as compared to a conventional firewall which is normally installed on a designated interface between two or more networks, such as a router or proxy server. Hence, personal firewalls allow a security policy to be defined for individual computers, whereas a conventional firewall controls the policy between the networks that it connects.

The per-computer scope of personal firewalls is useful to protect machines that are moved across different networks. For example, a laptop computer may be used on a trusted intranet at a workplace where minimal protection is needed because a conventional firewall is already in place, and services that require open ports such as file and printer sharing are useful. The same laptop could be used at public Wi-Fi hotspots, where strict security is required to protect from malicious activity. Most personal firewalls will prompt the user when a new network is connected for the first time to decide the level of trust, and can set individual security policies for each network. A personal firewall therefore complements rather than replaces a network firewall: it cannot protect other hosts, and because it runs on the machine it protects, malware that gains administrative rights there can disable it.



Name the six truths about firewalls!


  • Exert only narrow control over the content that they allow to cross the network boundary
  • Protect an environment only if they control the entire perimeter
  • Systems should not contain any tools that could help an attacker who penetrates the firewall in subsequent exploits
  • Do not protect data outside of the perimeter
  • Must be properly configured, and their configuration settings must be periodically evaluated and updated
  • From the outside, firewalls are the most visible component of a network, and are hence attractive targets for attack




Does NAT really increase the network security?

NAT does not add any real security to a network, while it breaks almost every good concept of structured network design.
If the network is kept secure by other means, it is no security leak that the network is not hidden from the Internet by a NAT device. The protection commonly attributed to NAT actually comes from the stateful filtering that a NAT device has to do anyway: unsolicited inbound packets are dropped because there is no translation entry for them, and a stateful firewall provides exactly the same effect without rewriting addresses. It is rather cumbersome that NAT breaks the end-to-end communication model and disrupts certain Internet protocols.
The usage of NAT has several disadvantages, mainly because it breaks the end-to-end communication model which is essential for proper IP connections. For example, IPsec host-to-host tunnels cannot be used through NAT, the FTP protocol (active mode) does not work, VoIP (SIP) has trouble, and other peer-to-peer protocols do not work out of the box if they need to establish connections to each other independently. To overcome these disadvantages, changes to the protocols just mentioned have been proposed so that they can also be used through NAT devices, collectively called NAT traversal.




Sources:

http://en.wikipedia.org/wiki/Port_scanner
http://windows.microsoft.com/en-us/windows/what-is-firewall#1TC=windows-7
http://windows.microsoft.com/en-us/windows/understanding-firewall-settings#1TC=windows-7
https://www.netcetera.co.uk/Products/DedicatedServers/Additions/Firewall/
http://www.eircomictdirect.ie/docs/juniper/wp_firewall.pdf
http://en.wikipedia.org/wiki/Guard_(information_security)
http://www.wikiwand.com/en/Personal_firewall
http://www.slideshare.net/hiwashooter/personal-or-software-firewall
http://en.wikipedia.org/wiki/Network_address_translation
http://www.techopedia.com/definition/24780/circuit-level-gateway

Computer and Network Security - Types of Security Attacks and Services

This video is about security attacks and services:
 https://www.youtube.com/watch?v=LkzWHgX_GDU



What is the difference between trojans, viruses and worms?

Viruses
A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels. Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing denial-of-service (DoS) conditions. Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program. When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after it is infected by the virus. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected e-mail attachments.

Worms
Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them. A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided.

Trojans
A Trojan is another type of malware named after the wooden horse the Greeks used to infiltrate Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojans are also known to create back doors to give malicious users access to the system. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Trojans must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet.



What is the difference between an active and a passive attack?

Passive Attack
A passive attack monitors unencrypted traffic and looks for clear-text passwords and sensitive information that can be used in other types of attacks. Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting weakly encrypted traffic, and capturing authentication information such as passwords. Passive interception of network operations enables adversaries to see upcoming actions. Passive attacks result in the disclosure of information or data files to an attacker without the consent or knowledge of the user.

Active Attack
In an active attack, the attacker tries to bypass or break into secured systems. This can be done through stealth, viruses, worms, or Trojan horses. Active attacks include attempts to circumvent or break protection features, to introduce malicious code, and to steal or modify information. These attacks are mounted against a network backbone, exploit information in transit, electronically penetrate an enclave, or attack an authorized remote user during an attempt to connect to an enclave. Active attacks result in the disclosure or dissemination of data files, DoS, or modification of data.



How can a passive attack be detected?

Passive attacks are very difficult to detect because they do not involve any alteration of the data. When the messages are exchanged neither the sender nor the receiver is aware that a third party has read the messages. This can be prevented by encryption of data.




Which types of active attacks are typically used?

  • In a masquerade attack, the intruder pretends to be a particular user of a system to gain access or to gain greater privileges than they are authorized for. A masquerade may be attempted through the use of stolen login IDs and passwords, through finding security gaps in programs or through bypassing the authentication mechanism.
  • In a session replay attack, an attacker steals an authorized user's session identifier (for example a session cookie) and reuses it to appear as that user. The intruder gains access and the ability to do anything the authorized user can do on the website.
  • In a message modification attack, an intruder alters packet header addresses to direct a message to a different destination or modify the data on a target machine.
  • In a denial of service (DoS) attack, users are deprived of access to a network or web resource. This is generally accomplished by overwhelming the target with more traffic than it can handle.
  • In a distributed denial-of-service (DDoS) exploit, large numbers of compromised systems (sometimes called a botnet or zombie army) attack a single target.


What is X.800? Which services are included?

X.800 is an extension of Recommendation X.200, which describes the reference model for Open Systems Interconnection (OSI). It establishes a framework for coordinating the development of existing and future recommendations for the security of systems interconnection. The objective of OSI is to permit the interconnection of heterogeneous computer systems so that communication between application processes may be achieved. At various times, security controls must be built in to protect the information exchanged between application processes; such controls should make the cost and time of obtaining or modifying the data greater than the potential value of the information.

The OSI security architecture provides a useful overview of many concepts, focusing on security attacks, mechanisms and services, which can be described as follows:


  • Security attack: any action that compromises the security of information owned by an organization or person, including unauthorized reading of a message or file and traffic analysis.
  • Security mechanism: any process (or device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.
  • Security service: a processing or communication service that enhances the security of the data processing systems and the information transfers of an organization; the services defined in X.800 are authentication, access control, data confidentiality, data integrity, and non-repudiation.




How does the ILOVEYOU-worm work?

The ILOVEYOU worm arrives in an e-mail with "I LOVE YOU" in the subject line and carries an attachment (a VBScript file) that, when opened, re-sends the message to everyone in the recipient's Microsoft Outlook address book and, perhaps more seriously, causes the loss of every JPEG, MP3, and certain other files on the recipient's hard disk. Because Microsoft Outlook is widely installed as the e-mail handler in corporate networks, the ILOVEYOU worm could spread rapidly from user to user within a corporation. On 4 May 2000 the worm spread so quickly that e-mail had to be shut down in a number of major enterprises such as the Ford Motor Company. It reached an estimated 45 million users in a single day.



What is a VANET? Which security measures need to be considered in those networks?

A VANET (vehicular ad hoc network) turns every participating car into a wireless router or node, allowing cars within approximately 100 to 300 metres of each other to connect and, in turn, create a network with a wide range. As cars fall out of signal range and drop out of the network, other cars can join in, connecting vehicles to one another so that a mobile Internet is created.



Source: http://adrianlatorre.com/projects/pfc/img/vanet_full.jpg




Which security measures are necessary in WMNs? Which security attacks can happen in WMNs?

A wireless mesh network (WMN) is a mesh network created through the connection of wireless access points installed at each network user's locale. Each network user is also a provider, forwarding data to the next node. The networking infrastructure is decentralized and simplified because each node need only transmit as far as the next node. Wireless mesh networking could allow people living in remote areas and small businesses operating in rural neighborhoods to connect their networks together for affordable Internet connections.




What is the "Byzantine General Problem"?

Reliable computer systems must handle malfunctioning components that give conflicting information to different parts of the system. This situation can be expressed abstractly in terms of a group of generals of the Byzantine army camped with their troops around an enemy city. Communicating only by messenger, the generals must agree upon a common battle plan. However, one or more of them may be traitors who will try to confuse the others. The problem is to find an algorithm to ensure that the loyal generals will reach agreement. It is shown that, using only oral messages, this problem is solvable if and only if more than two-thirds of the generals are loyal; so a single traitor can confound two loyal generals. With unforgeable written messages, the problem is solvable for any number of generals and possible traitors.
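
A simulation of the oral-message algorithm OM(m) from Lamport, Shostak and Pease, as an added example that is not part of the original post, showing the two cases the paragraph states: with four generals and one traitor the loyal generals agree, with three generals and one traitor they can be confounded. The traitor's strategy (tell even-numbered generals "attack" and odd-numbered ones "retreat") is one fixed choice made for the example; the original problem allows any behaviour.

```python
# Added example (not part of the original post): Lamport, Shostak and Pease's
# oral-message algorithm OM(m), simulated for the two cases the text describes.
# Traitor behaviour here is one fixed strategy chosen for the example (a traitor
# tells even-numbered generals "attack" and odd-numbered ones "retreat").
ATTACK, RETREAT = "attack", "retreat"


def majority(values):
    """Majority vote with RETREAT as the default on a tie."""
    return ATTACK if values.count(ATTACK) > values.count(RETREAT) else RETREAT


def send(sender, receiver, value, traitors):
    """A loyal general relays `value` faithfully; a traitor lies inconsistently."""
    if sender in traitors:
        return ATTACK if receiver % 2 == 0 else RETREAT
    return value


def om(m, commander, lieutenants, value, traitors):
    """Oral Messages algorithm. Returns {lieutenant: value it finally adopts}.

    OM(0): the commander sends its value to every lieutenant, who adopts it.
    OM(m): as OM(0), then every lieutenant acts as commander in OM(m-1) to
    relay what it received to the others; each lieutenant finally takes the
    majority of its own value and the relayed values it got from the rest."""
    received = {lt: send(commander, lt, value, traitors) for lt in lieutenants}
    if m == 0:
        return received
    relayed = {}     # relayed[j][i] = what lieutenant i learned from lieutenant j's sub-round
    for j in lieutenants:
        others = [lt for lt in lieutenants if lt != j]
        relayed[j] = om(m - 1, j, others, received[j], traitors)
    decision = {}
    for i in lieutenants:
        votes = [received[i]] + [relayed[j][i] for j in lieutenants if j != i]
        decision[i] = majority(votes)
    return decision


def loyal_decisions(n, traitors, order=ATTACK):
    """General 0 commands generals 1..n-1; returns the decisions of loyal lieutenants only."""
    lieutenants = list(range(1, n))
    result = om(len(traitors), 0, lieutenants, order, traitors)
    return {lt: v for lt, v in result.items() if lt not in traitors}


if __name__ == "__main__":
    print("4 generals, traitor lieutenant:", loyal_decisions(4, {3}))   # both loyal ones obey: attack
    print("4 generals, traitor commander:", loyal_decisions(4, {0}))    # all three agree with each other
    print("3 generals, traitor lieutenant:", loyal_decisions(3, {2}))   # loyal lieutenant 1 is misled
```

The two conditions being checked are the paper's interactive-consistency conditions: all loyal lieutenants decide on the same value (holds in the traitor-commander run), and if the commander is loyal they decide on his value (holds with four generals, fails with three, where lieutenant 1 ends up with a 1-1 tie and falls back to the default). Note that the traitor commander case does not need the traitor to lie cleverly for consistency to hold; the relay round is what equalises what the loyal generals see.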


Sources:

http://whatis.techtarget.com/definition/active-attack
http://computernetworkingnotes.com/network-security-access-lists-standards-and-extended/types-of-attack.html
http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html