© Egemen K. Çetinkaya
Resilient Networks, Missouri S&T University, CPE 6510
Network Security Attacks
Egemen K. Çetinkaya
Department of Electrical & Computer Engineering
Missouri University of Science and Technology
http://web.mst.edu/~cetinkayae/teaching/CPE6510Spring2017
23 March 2017 rev. 17.0 © 2014–2017 Egemen K. Çetinkaya

Network Security Attacks: Outline
• Overview
• Security flaw taxonomy
• Denial of service attacks

Network Security Attacks: Overview

Security Overview: Definition
• Security: a property of a system, and the measures taken,
– to protect itself from unauthorized access or change
– subject to a policy

Security Overview: Relationship to Resilience Disciplines
[Figure: resilience disciplines diagram. Challenge tolerance comprises fault tolerance (few, random failures), survivability (many, targeted failures), disruption tolerance (energy, connectivity, delay, mobility, environmental challenges), and traffic tolerance (legitimate flash crowds and DDoS attacks). Trustworthiness comprises security (confidentiality, integrity, availability, nonrepudiability, and AAA: authenticity, authorisability, auditability), dependability (reliability, maintainability, safety, availability), and performability (QoS measures). Robustness and complexity are also shown.]

Security: Vulnerability
• Vulnerability: a flaw or weakness in a system
– in its design, implementation, controls, operation, or management
– that could be exploited
– to violate the security policy
[CNSS-4009-2006] [S2007]
• Note the relation to the dependability definition in terms of faults:
– a vulnerability is an internal fault that allows an external fault to cause an error [Laprie-1994], [ALR+2004]

Security: Threats
• Threat: an entity, circumstance, capability, action, or event
– with the potential to violate security and cause harm
[CNSS-4009-2006] [S2007]
– i.e. a potential challenge that might exploit a vulnerability

Security: Threat Analysis
• Threat analysis: examination of information and analysis of actions
– to identify potential threats
– and to estimate their probability of occurrence and their consequences
[CNSS-4009-2006] [S2007]

Security: Challenges
• Challenge: an adverse event or condition that might
– violate the security policy, including availability
– impact dependability
– impact performability
• Security, dependability, and performability are the three aspects of trustworthiness

Security: Attackers
• Adversary: an entity that attacks a system
• Cracker (also spelled kracker): someone who tries to break into someone else's system
• Hacker (cracker ≠ hacker): someone who works on computers and makes clever things; not a synonym for cracker
• Intruder: an entity that tries to gain unauthorized access
• Packet monkey (deprecated slang): someone who floods a system to cause a DoS condition
• Script kiddie: someone who runs existing attack scripts without understanding or innovating
[S2007]

Security: Motivation for Attackers
• Experimental curiosity, e.g. the Morris worm, 1988
• Pride and power
• Commercial advantage
• Extortion and criminal gain
• Random protest, e.g. analogous to the Unabomber in the 1980s
• Political protest, e.g. Anonymous hacktivists
• Terrorism, e.g. Al-Qaeda
• Cyber warfare, e.g. Stuxnet
[WPS+2003]

Security Flaws: Bug and Flaw
• Bug: a security flaw inadvertently introduced into a program
• Flaw: a part of a program that can cause a security violation
– can be inserted:
• intentionally
• accidentally
• Flaws correspond to faults in dependability terminology [LBM+1994]

Security Flaws: Malicious Logic
• Malicious logic: hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose
• Examples:
– trapdoor
– Trojan horse
– logic bomb
– virus
– worm
• Malware: a contraction of malicious software; RFC 4949 deprecates the term in favour of malicious logic
[S2007]

Security Flaws: Trapdoor
• Trapdoor (also known as backdoor)
– a computer system feature that provides access to resources
– usually hidden or not well known
– can be:
• an unintentional flaw
• a mechanism deliberately installed by the system's creator
• a mechanism surreptitiously installed by an intruder (sometimes called spyware)
• this spyware usage is slang and deprecated
• Maintenance hook: special instructions in software that allow easy maintenance and additional feature development
– should be removed before the system goes live
[S2007]

Security Flaws: Cryptographic Trapdoor Function
• Trapdoor function (aka trapdoor one-way function)
– easy to compute in one direction, hard to invert
– unless one holds the trapdoor information, which makes inversion easy as well
• Example 1:
– consider a padlock and its key
– locking is easy and does not require the key
– to unlock, you need the key: the trapdoor information
• Example 2:
– 133 is the product of two prime numbers. What are they?
– if the trapdoor information is 19
– the other prime number is …
[DH1976]
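The second example carried through in code, as an added illustration that is not part of the slides or of [DH1976]: multiplying two primes is the easy direction, factoring their product is the hard one, and knowing one prime is the trapdoor. The block also shows how RSA turns the same trapdoor into a cipher, using the slide's n = 133 and an assumed public exponent e = 5; a modulus this small is only for hand-checking and is of course not secure.

```python
"""Trapdoor one-way function, worked through with the slide's numbers.

Added example; not code from the slides or from [DH1976]. n = 133 = 7 * 19
is far too small to be secure and is used only so that every step can be
checked by hand. e = 5 is an assumed public exponent coprime to phi(133).
"""
from math import gcd, isqrt
from typing import Dict, Tuple


def factor_by_trial_division(n: int) -> Tuple[int, int]:
    """Hard direction without the trapdoor: search for a divisor up to sqrt(n).
    Work grows with sqrt(n); for a 2048-bit modulus this is infeasible."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factor")


def other_prime(n: int, p: int) -> int:
    """Easy direction with the trapdoor: one prime yields the other by division."""
    if n % p != 0:
        raise ValueError("trapdoor does not match n")
    return n // p


def rsa_keypair(p: int, q: int, e: int = 5) -> Tuple[Tuple[int, int], int]:
    """Derive the public key (n, e) and private exponent d from the factorization.
    Only someone who knows p and q (the trapdoor) can compute phi(n) and hence d."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), d


def rsa_encrypt(public: Tuple[int, int], m: int) -> int:
    n, e = public
    return pow(m, e, n)


def rsa_decrypt(n: int, d: int, c: int) -> int:
    return pow(c, d, n)


def demo(n: int = 133, trapdoor: int = 19, message: int = 42) -> Dict[str, object]:
    """Recover the other prime from the trapdoor, build keys, and round-trip a message."""
    p = other_prime(n, trapdoor)                 # 7
    public, d = rsa_keypair(p, trapdoor)
    c = rsa_encrypt(public, message)
    return {
        "other_prime": p,
        "private_exponent": d,
        "ciphertext": c,
        "recovered": rsa_decrypt(n, d, c),
        "brute_force": factor_by_trial_division(n),
    }


if __name__ == "__main__":
    print(demo())
```

For n = 133 the brute-force search finishes instantly, which is exactly why the example is not secure; the trapdoor property only has value when the modulus is large enough that trial division (and the far better factoring algorithms) cannot finish in useful time. Note also that textbook RSA as shown here is deterministic and unpadded; real deployments use a padding scheme such as OAEP.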

Security Flaws: Trojan Horse
• Trojan horse: a computer program that appears to have a useful function
– but also has a hidden and potentially malicious function that
– evades security mechanisms
• Almost any malicious code is a Trojan horse in this sense
– since malicious code needs to be disguised in order to get executed
[S2007]
[http://en.wikipedia.org/wiki/Trojan_Horse]

Security Flaws: Logic Bomb
• Logic bomb (or time bomb)
– malicious logic that activates when specified conditions are met
• a time or event triggers detonation
• otherwise it remains dormant
– usually intended to cause denial of service:
• crash the system
• delete files
• degrade system response time
• Some cases have resulted in imprisonment: http://en.wikipedia.org/wiki/Logic_bomb
[S2007]

Security Flaws: Virus
• RFC 4949 [S2007]
– self-replicating computer software that infects another program
• usually hidden, malicious logic
– a virus cannot run by itself
• the host program must be run to make the virus active
• Scholarly papers [QW2005]
– "A virus is a piece of code that adds itself to other programs, including operating systems. It cannot run independently—it requires that its 'host' program be run to activate it."
• Symantec [http://www.symantec.com/docs/TECH98539]
– it must execute itself
– it must replicate itself

Security Flaws: Notable Viruses
• File infector viruses
– infect executable code (e.g. .exe files); e.g. Jerusalem, Cascade
• Boot sector viruses
– infect the system area of a disk; e.g. Michelangelo, Stoned
• Master boot record viruses
– memory-resident viruses; e.g. AntiExe, Unashamed
• Multipartite viruses
– infect both boot records and program files; e.g. Anthrax, Tequila
• Macro viruses
– infect data files; e.g. W97M.Melissa, WM.NiceDay
[http://www.symantec.com/docs/TECH98539]

Security Flaws: Virus Taxonomy
• Target format
– executable viruses or document viruses
• Target component or device
– boot or device driver viruses
• note that BIOS viruses fall under boot sector (boot) viruses
• Programming language
– assembly, source code, or script viruses
• Nature of the final payload
– spy, corruption, deletion, or destruction viruses
• Operation
– combined viruses, psychological viruses (hoaxes, jokes)
[F2005]

Security Flaws: Worm
• RFC 4949 [S2007]
– a computer program that can run independently
– can propagate a complete working version of itself onto other hosts
– may consume system resources destructively
• Symantec [http://www.symantec.com/docs/TECH98539]
– worms are programs that replicate themselves
– a worm does not require a host file
• a virus, by contrast, requires the spreading of an infected host file
– worms generally exist inside other files
• often Word or Excel documents
– usually a worm releases a document that is already infected
• the entire document then travels from computer to computer

Security Flaws: Notable Worms
• E-mail worms (also utilize IRC, AOL IM, MSN, P2P)
– Christmas Tree, 1987
– Nimda, 2001
• Windows file sharing worms
– ExploreZip, 1999
• Traditional worms
– Morris, 1988
– Code Red, 2001
– Slammer, 2003
[KE2003]

Network Security Attacks: Security Flaw Taxonomy

Security Flaws: Taxonomy
• Taxonomies establish a common language
• Many taxonomies exist today
[HH2005]
[L2002]

Security Flaws: Taxonomy
• Landwehr et al. classify security flaws along three dimensions:
• Genesis
• Time of introduction
• Location
[LBM+1994]

Security Flaw Taxonomy: Genesis
• Intentional
– malicious
• e.g. Trojan horse, trapdoor, logic bomb
– non-malicious
• e.g. covert channel
• Inadvertent
– validation error
– domain error
– serialization/aliasing
– inadequate identification/authentication
– boundary condition violation
[LBM+1994]
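Two of the inadvertent classes above, a validation error and a boundary condition violation, side by side in a small parser, as an added example that is not from the slides or from [LBM+1994]. The record format (1-byte type, 1-byte length, then the value) and the record cap are assumptions made for the illustration.

```python
"""Inadvertent flaw classes from the Landwehr taxonomy in a tiny TLV parser.

Added example; not from the slides or [LBM+1994]. The record format is
assumed: 1-byte type, 1-byte length, then `length` bytes of value.
"""
from typing import Dict, List, Tuple


def parse_tlv_flawed(buf: bytes) -> List[Tuple[int, bytes]]:
    """Validation error: the declared length is trusted and never compared with
    the bytes actually present, so a truncated record yields a silently
    shortened value. A header cut to a single byte escapes as an IndexError,
    an unhandled boundary condition at the end of the buffer."""
    records, i = [], 0
    while i < len(buf):
        rtype, length = buf[i], buf[i + 1]
        records.append((rtype, buf[i + 2:i + 2 + length]))
        i += 2 + length
    return records


def parse_tlv_checked(buf: bytes, max_records: int = 64) -> List[Tuple[int, bytes]]:
    """Every length is validated against the remaining input, and the number of
    records is bounded so that a hostile message cannot drive unbounded work
    (boundary condition violations include resource exhaustion). max_records
    is an assumed limit."""
    records, i = [], 0
    while i < len(buf):
        if len(records) >= max_records:
            raise ValueError("too many records")
        if len(buf) - i < 2:
            raise ValueError("truncated header at offset %d" % i)
        rtype, length = buf[i], buf[i + 1]
        end = i + 2 + length
        if end > len(buf):
            raise ValueError("record at offset %d declares %d bytes, only %d left"
                             % (i, length, len(buf) - i - 2))
        records.append((rtype, buf[i + 2:end]))
        i = end
    return records


def compare(buf: bytes) -> Dict[str, object]:
    """Run both parsers on one input and report what each does."""
    result: Dict[str, object] = {}
    try:
        result["flawed"] = parse_tlv_flawed(buf)
    except IndexError as exc:
        result["flawed"] = "IndexError: %s" % exc
    try:
        result["checked"] = parse_tlv_checked(buf)
    except ValueError as exc:
        result["checked"] = "rejected: %s" % exc
    return result


if __name__ == "__main__":
    # constructed inputs: a well-formed message, one truncated mid-record,
    # and one truncated mid-header
    for sample in (b"\x01\x02ab\x02\x00", b"\x01\x05ab", b"\x01"):
        print(sample, compare(sample))
```

The flawed parser never crashes on the truncated record, which is what makes the validation error dangerous: downstream code receives a plausible-looking but wrong value. The checked version fails closed with a specific error, and the record cap turns a potential resource-exhaustion input into a rejected message.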

Security Flaw Taxonomy: Time of Introduction
• During development
– requirement/specification/design
– source code
– object code
• During maintenance
• During operation
[LBM+1994]

Security Flaw Taxonomy: Location
• Software
– operating system
• system initialization
• memory management
• process management/scheduling
• device management
• file management
• identification/authentication
– support
• privileged utilities
• unprivileged utilities
– application
• Hardware
[LBM+1994]

Taxonomy: Passive and Active Attacks
• Passive attacks
– attempt to learn or make use of information from the system
– but do not affect system resources
– difficult to detect, so the emphasis is on prevention
• Examples
– wiretapping (release of message contents)
• telephone conversations
• e-mails
– traffic analysis
• Encryption is the defensive mechanism
• Active attacks
– modify an existing communication, or
– insert false information into the communication
– difficult to prevent, so the emphasis is on detection and recovery
• Examples
– replay
– masquerade
– modification of messages
– denial of service
[S2014]
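Three of the active attacks listed above (replay, modification, masquerade) run against two receivers, as an added example that is not part of the slides or of [S2014]. Encryption, the passive-attack defense, is deliberately left out to make the point that confidentiality does nothing for integrity or freshness: the assumed mechanism is a pre-shared key, an HMAC-SHA256 tag on each message, and a per-sender sequence number.

```python
"""Active attacks against a message channel and the checks that stop them.

Added example; not from the slides or [S2014]. The shared key, message
format and sequence-number scheme are assumptions for the illustration.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

SHARED_KEY = b"demo-shared-key-not-for-real-use"   # assumed pre-shared key


def make_message(seq: int, payload: dict, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: body is JSON carrying a sequence number, tag is HMAC-SHA256(body)."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def _verify(msg: bytes, key: bytes) -> Optional[dict]:
    """Return the parsed body if the tag is valid, else None (constant-time compare)."""
    body, _, tag = msg.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


class MacOnlyReceiver:
    """Detects modification and masquerade (bad or missing tag) but keeps no
    state, so a captured message can be replayed and applied a second time."""

    def __init__(self, key: bytes = SHARED_KEY) -> None:
        self.key = key
        self.applied: List[dict] = []

    def accept(self, msg: bytes) -> bool:
        parsed = _verify(msg, self.key)
        if parsed is None:
            return False
        self.applied.append(parsed["payload"])
        return True


class ReplayProtectedReceiver(MacOnlyReceiver):
    """Additionally requires a strictly increasing sequence number per sender."""

    def __init__(self, key: bytes = SHARED_KEY) -> None:
        super().__init__(key)
        self.last_seq = -1

    def accept(self, msg: bytes) -> bool:
        parsed = _verify(msg, self.key)
        if parsed is None or parsed["seq"] <= self.last_seq:
            return False                       # forged, modified, or replayed
        self.last_seq = parsed["seq"]
        self.applied.append(parsed["payload"])
        return True


def demo() -> Dict[str, object]:
    """Replay, modification and masquerade against both receivers."""
    transfer = make_message(1, {"op": "transfer", "amount": 100})
    mac_only, protected = MacOnlyReceiver(), ReplayProtectedReceiver()
    out: Dict[str, object] = {}
    # replay: the attacker re-sends a captured, perfectly valid message
    out["mac_only_first"] = mac_only.accept(transfer)
    out["mac_only_replay"] = mac_only.accept(transfer)     # applied twice
    out["mac_only_total"] = sum(p["amount"] for p in mac_only.applied)
    out["protected_first"] = protected.accept(transfer)
    out["protected_replay"] = protected.accept(transfer)   # rejected
    # modification: the amount is edited in transit, so the tag no longer matches
    tampered = transfer.replace(b'"amount": 100', b'"amount": 900')
    out["modified"] = protected.accept(tampered)
    # masquerade: an attacker without the key forges a fresh-looking message
    forged = make_message(2, {"op": "transfer", "amount": 900}, key=b"attacker-guess")
    out["masquerade"] = protected.accept(forged)
    out["protected_total"] = sum(p["amount"] for p in protected.applied)
    return out


if __name__ == "__main__":
    print(demo())
```

A strictly increasing counter is the simplest freshness check and needs per-sender state on the receiver; on channels that reorder or drop messages, a sliding anti-replay window of the kind IPsec uses is the usual refinement. Denial of service, the fourth active attack on the slide, is not addressed by any of these checks, which is why it gets its own treatment below.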

Taxonomy: Origin of Attacks
• Insider attacks
– initiated by an entity inside the security perimeter
– an organization is hard to penetrate from outside, but once inside an attack is easy to launch and can be very costly
• Outsider attacks
– initiated by an entity outside the security perimeter
[S2014]

Network Security Attacks: Denial of Service Attacks

Denial of Service: Introduction
• Service: system behaviour as perceived by the system user [L1994]
• DoS (Denial of Service)
– an explicit attempt to prevent the legitimate use of a service
• DDoS (Distributed Denial of Service)
– deploys multiple attacking entities against the target

Denial of Service: Attack Types
• Two forms of DoS attack
– sending one or a few packets that exploit a vulnerability
• e.g. ping of death: a malformed ICMP echo request whose fragments reassemble to more than the 65535-byte IP maximum, crashing a vulnerable IP stack
– sending massive volumes of useless traffic to occupy resources
• e.g. ping flood: overwhelm the target with ICMP echo requests
• ICMP echo from outside is commonly filtered at the perimeter, which blunts both forms
• Volumetric attacks require far more resources from the attacker, which is what motivates distribution
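Detection logic for both forms of the ICMP example above, as an added illustration that is not code from the slides: one check flags a fragmented datagram that would reassemble past the 65535-byte IP limit (ping of death), the other flags a source sending more echo requests per second than a threshold (ping flood). The packet records and their field names, and the threshold value, are constructed assumptions; in practice the records would come from a capture or flow log.

```python
"""Detecting the two DoS forms above in a packet record stream.

Added example, not code from the slides. Packet records are constructed here
as dicts with assumed field names (ts, src, dst, ip_id, frag_offset,
payload_len, icmp_type). The flood threshold is an assumed tuning value.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

IP_HEADER_LEN = 20
MAX_IP_DATAGRAM = 65535          # limit of the 16-bit IP total-length field
FLOOD_THRESHOLD_PER_SEC = 100    # assumed: echo requests per source per second
ICMP_ECHO_REQUEST = 8


def detect_ping_of_death(packets: List[dict]) -> List[Tuple[str, str, int]]:
    """Ping of death: fragments that would reassemble to more than 65535 bytes.

    For each (src, dst, ip_id) datagram, track the highest data byte reached by
    any fragment (frag_offset is in 8-octet units, as in the IP header) and flag
    the datagram if that end plus the IP header exceeds the maximum size."""
    reassembled_end: Dict[Tuple[str, str, int], int] = defaultdict(int)
    for p in packets:
        if p["proto"] != "icmp":
            continue
        key = (p["src"], p["dst"], p["ip_id"])
        end = p["frag_offset"] * 8 + p["payload_len"]
        reassembled_end[key] = max(reassembled_end[key], end)
    return sorted(k for k, end in reassembled_end.items()
                  if end + IP_HEADER_LEN > MAX_IP_DATAGRAM)


def detect_echo_flood(packets: List[dict],
                      threshold: int = FLOOD_THRESHOLD_PER_SEC) -> List[str]:
    """Ping flood: more than `threshold` echo requests from one source within any
    one-second bucket. Only first fragments carry the ICMP header, so only
    packets with frag_offset == 0 are counted."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for p in packets:
        if (p["proto"] == "icmp" and p["frag_offset"] == 0
                and p["icmp_type"] == ICMP_ECHO_REQUEST):
            counts[(p["src"], int(p["ts"]))] += 1
    return sorted({src for (src, _), n in counts.items() if n > threshold})


def _pkt(ts: float, src: str, dst: str, ip_id: int,
         frag_offset: int, payload_len: int) -> dict:
    return {"ts": ts, "src": src, "dst": dst, "proto": "icmp", "ip_id": ip_id,
            "frag_offset": frag_offset, "payload_len": payload_len,
            "icmp_type": ICMP_ECHO_REQUEST}


def sample_packets() -> List[dict]:
    """Constructed traffic: a benign monitor, a flooding source, one oversized ping."""
    pkts = [_pkt(t, "10.0.0.5", "10.0.0.1", 1000 + t, 0, 64) for t in range(5)]
    pkts += [_pkt(2.0 + i / 150, "198.51.100.7", "10.0.0.1", 2000 + i, 0, 64)
             for i in range(150)]
    # 44 full fragments of 1480 bytes (offset step 185 * 8 = 1480) plus a tail
    # fragment: 44 * 1480 + 400 = 65520 data bytes, beyond the 65515 allowed
    pkts += [_pkt(3.0, "203.0.113.9", "10.0.0.1", 7, 185 * i, 1480) for i in range(44)]
    pkts.append(_pkt(3.0, "203.0.113.9", "10.0.0.1", 7, 185 * 44, 400))
    return pkts


if __name__ == "__main__":
    traffic = sample_packets()
    print("oversized datagrams:", detect_ping_of_death(traffic))
    print("flooding sources:", detect_echo_flood(traffic))
```

The two checks differ in the way the slide says the attacks differ: the oversized-datagram rule is a per-datagram sanity check on a single malformed input and needs no threshold, whereas the flood rule is purely statistical and its threshold has to be tuned to the site's normal traffic; a distributed flood that spreads requests across many spoofed sources would stay under a per-source threshold, which is one reason volumetric DDoS is harder to detect than the single-packet form.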

Distributed Denial of Service: Attack Stages
• A typical DDoS attack has two stages
• First stage:
– compromise vulnerable systems that are reachable
– install attack tools on these compromised systems
– also known as turning these computers into zombies or bots
• Second stage:
– through a command channel, typically protected from outsiders,
– the attacker sends an attack command to the zombies
– source IP addresses are commonly spoofed to hinder identification of the zombies
• Attacks can utilize hundreds of thousands of zombies
– the Code Red worm recruited over 300,000 hosts

Distributed Denial of Service: Attack Mechanisms
[Figure: taxonomy of DDoS attack mechanisms, from [MR2004]]

Distributed Denial of Service: Defense Mechanisms
[Figure: taxonomy of DDoS defense mechanisms, from [MR2004]]

Security Attacks: Others
• Spam: unsolicited marketing that wastes time and resources
• First commercial instance in 1994
– the Canter and Siegel "Green Card Lottery – Final One?" incident
• Mechanisms against spam
– filtering
– counterattack
– fee restructuring
[http://en.wikipedia.org/wiki/Laurence_Canter_and_Martha_Siegel]

Security Attacks: Spam Distribution
[Figure: spam distribution statistics, from http://www.symantec.com/security_response/landing/spam]

References and Further Reading
• [MR2004] Jelena Mirkovic and Peter Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM SIGCOMM Computer Communication Review, Volume 34, Issue 2, pp. 39–53, April 2004.
• [PLR2007] Tao Peng, Christopher Leckie, and Kotagiri Ramamohanarao, "Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems," ACM Computing Surveys, Volume 39, Issue 1, Article 3, April 2007.
• [LBM+1994] Carl E. Landwehr, Alan R. Bull, John P. McDermott, and William S. Choi, "A Taxonomy of Computer Program Security Flaws," ACM Computing Surveys, Volume 26, Issue 3, pp. 211–254, September 1994.
• [S2014] William Stallings, Cryptography and Network Security: Principles and Practice, 6th edition, Prentice Hall, 2014.
• [S2007] Robert W. Shirey, "Internet Security Glossary, Version 2," FYI 36, RFC 4949, August 2007.
• [DH1976] Whitfield Diffie and Martin E. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, Volume 22, No. 6, pp. 644–654, November 1976.
• [KE2003] Darrell M. Kienzle and Matthew C. Elder, "Recent worms: a survey and trends," ACM Workshop on Rapid Malcode (WORM), pp. 1–10, 2003.
• [WPS+2003] Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham, "A taxonomy of computer worms," ACM Workshop on Rapid Malcode (WORM), pp. 11–18, 2003.
• [QW2005] Sihan Qing and Weiping Wen, "A survey and trends on Internet worms," Computers & Security, Volume 24, No. 4, pp. 334–346, 2005.
• [L2002] Howard Lipson, "Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Special Report CMU/SEI-2002-SR-009, 2002.
• [HH2005] Simon Hansman and Ray Hunt, "A taxonomy of network and computer attacks," Computers & Security, Volume 24, No. 1, pp. 31–43, February 2005.
• [F2005] Eric Filiol, Computer Viruses: From Theory to Applications, Springer, 2005. (doi: 10.1007/2-287-28099-5)
• http://www.symantec.com/security_response
• http://www.symantec.com/docs/TECH98539