Bogdan Doinea
bogdan.doinea@gmail.com
New CCNA 307 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Agenda
Network attacks
– DoS
– MiTM
– "new" attacks
Network devices
– routers as security devices
– dedicated firewalls
– IPS/IDS
Network attacks
Old (classic)
– DoS
• at the operating system level
• at the network level
– Sniffing
– MiTM
– Brute force
– Physical
New
Denial of Service
What kind of service?
– any ...
At the network level
– ping
– complex ping: the smurf attack
Ping
Ping flood
1. DoS: computer to computer
2. DDoS: exploit
3. DDoS: no exploit
Smurf attack
[Figure: attacker and victim on the networks 192.168.1.0/24 and 192.168.2.1/24; the packet shown carries source 192.168.2.1 and destination 192.168.1.255, the directed-broadcast address of 192.168.1.0/24]
Techniques used:
– spoofing
• DHCP snooping on the switch
– ip directed-broadcast
• disabled on the router
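As an added example (not part of the slides), the two defender-side checks that the slide lists, written in Python: a flow-record scan that flags ICMP echo requests aimed at a subnet's directed-broadcast address (the amplification step of a smurf attack) together with a worst-case estimate of the replies the spoofed source would receive, and a small audit of an IOS-style configuration that reports the interfaces on which `ip directed-broadcast` is still enabled. The subnets, the packet records and the configuration text are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed: subnets behind the monitored router
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("192.168.2.0/24")]

# Constructed flow records: (source IP, destination IP, protocol, ICMP type or None)
SAMPLE_PACKETS = [
    ("192.168.2.1", "192.168.1.255", "icmp", 8),     # echo request to a directed broadcast
    ("192.168.2.1", "192.168.1.255", "icmp", 8),
    ("192.168.1.10", "192.168.1.20", "icmp", 8),     # ordinary unicast ping
    ("192.168.1.20", "192.168.1.10", "icmp", 0),     # its echo reply
    ("192.168.2.1", "192.168.1.255", "icmp", 8),
    ("10.0.0.5", "192.168.2.255", "icmp", 8),        # broadcast ping from outside
    ("192.168.1.10", "192.168.1.255", "udp", None),  # broadcast, but not an ICMP echo
]

# Constructed IOS-style running configuration for audit_directed_broadcast()
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip directed-broadcast
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 no ip directed-broadcast
!
"""


def directed_broadcast_net(dst, subnets):
    """Return the subnet whose directed-broadcast address equals dst, or None."""
    addr = ipaddress.ip_address(dst)
    for net in subnets:
        if addr == net.broadcast_address:
            return net
    return None


def find_smurf_candidates(packets, subnets):
    """Count ICMP echo requests (type 8) sent to a directed-broadcast address, keyed by
    (src, dst). The source is where the replies land, i.e. the probable spoofed victim."""
    hits = Counter()
    for src, dst, proto, icmp_type in packets:
        if proto == "icmp" and icmp_type == 8 and directed_broadcast_net(dst, subnets):
            hits[(src, dst)] += 1
    return hits


def amplification_estimate(hits, subnets):
    """Upper bound on replies per source: requests x usable hosts in the amplifier subnet."""
    est = Counter()
    for (src, dst), n in hits.items():
        net = directed_broadcast_net(dst, subnets)
        est[src] += n * (net.num_addresses - 2)   # minus network and broadcast addresses
    return est


def audit_directed_broadcast(config):
    """Return the interfaces on which 'ip directed-broadcast' is explicitly enabled.
    'no ip directed-broadcast' is compared as a whole line, so it does not match."""
    enabled, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "ip directed-broadcast" and current:
            enabled.append(current)
    return enabled


if __name__ == "__main__":
    hits = find_smurf_candidates(SAMPLE_PACKETS, LOCAL_SUBNETS)
    for (src, dst), n in hits.items():
        print(f"{n} echo request(s) {src} -> {dst} (directed broadcast)")
    for src, replies in amplification_estimate(hits, LOCAL_SUBNETS).items():
        print(f"{src} could receive up to {replies} echo replies")
    for ifname in audit_directed_broadcast(SAMPLE_CONFIG):
        print(f"{ifname}: ip directed-broadcast enabled; apply 'no ip directed-broadcast'")
```

The scan keys on (source, destination) rather than on the destination alone because, in a smurf attack, the interesting address is the spoofed source: that is the host the amplifier subnet will flood with replies.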
Teardrop attack
What is fragmentation?
Transmitting a packet from a medium with a large MTU onto a
medium with a smaller MTU
Wireless
MPLS
... actually Vista, but also 7
SMB 2.0
Full Disclosure mailing list -> 8 September 2009
"SRV2.SYS fails to handle malformed SMB headers for the
NEGOTIATE PROTOCOL REQUEST functionality. No user
action is required"
Windows Teardrop Attack Detection Software via MS
or a firewall?
TCP SYN flood
Techniques used:
– spoofing
• DHCP snooping on the switch
Preventing a TCP SYN flood
TCP Intercept
– Used on the router
– Establishes a TCP connection on behalf of the server toward the client
– Establishes a TCP connection on behalf of the client toward the server
– Sets up the end-to-end session only if it receives the ACK
[Figure: TCP Intercept on the firewall/router. Steps 1-3: SYN, SYN+ACK, ACK between the client and the firewall; steps 4-6: SYN, SYN+ACK, ACK between the firewall and the server]
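The following simulation is an added example, not code from the slides or from Cisco's implementation. It models the intercept behaviour described above: the router answers each client SYN itself (steps 1-3 of the figure), keeps the entry in a half-open table, and only opens the server-side handshake (steps 4-6) once the client's ACK has proved the source address is reachable. Entries for spoofed sources never reach the server and are aged out. The server object, the addresses, the timeout value and the deterministic ISN counter are assumptions made for the example; a real implementation randomises the ISN.

```python
import itertools


class Server:
    """Constructed stand-in for the protected server: it only ever sees proven clients."""
    def __init__(self):
        self.established = []
        self.syns_seen = 0

    def handshake(self, client):
        # Steps 4-6 of the figure: router SYN, server SYN+ACK, router ACK.
        self.syns_seen += 1
        self.established.append(client)
        return True


class TcpIntercept:
    """Toy TCP Intercept in intercept mode: the router completes the client-side
    handshake itself and opens the server-side connection only after the client's ACK."""
    def __init__(self, server, half_open_timeout=30):
        self.server = server
        self.timeout = half_open_timeout
        self.half_open = {}                 # client -> (ISN the router sent, time of the SYN)
        self.peak_half_open = 0
        self._isn = itertools.count(1000)   # deterministic for the example only
        self.log = []

    def on_client_syn(self, client, now):
        isn = next(self._isn)
        self.half_open[client] = (isn, now)
        self.peak_half_open = max(self.peak_half_open, len(self.half_open))
        self.log.append(f"step 1: {client} -> router  SYN")
        self.log.append(f"step 2: router -> {client}  SYN+ACK (ISN {isn})")  # on the server's behalf
        return isn

    def on_client_ack(self, client, ack, now):
        entry = self.half_open.get(client)
        if entry is None or ack != entry[0] + 1:
            self.log.append(f"step 3: {client} -> router  ACK {ack} rejected (no matching entry)")
            return False
        del self.half_open[client]
        self.log.append(f"step 3: {client} -> router  ACK")
        self.log.append(f"steps 4-6: router <-> server handshake on behalf of {client}")
        return self.server.handshake(client)

    def expire(self, now):
        """Age out half-open entries whose ACK never arrived (spoofed sources)."""
        stale = [c for c, (_, t) in self.half_open.items() if now - t >= self.timeout]
        for c in stale:
            del self.half_open[c]
            self.log.append(f"half-open entry for {c} aged out")
        return len(stale)


def simulate():
    """Constructed scenario: 50 SYNs from spoofed sources that never ACK, then one real client."""
    server = Server()
    router = TcpIntercept(server, half_open_timeout=30)
    for i in range(50):
        router.on_client_syn(f"203.0.113.{i + 1}:{40000 + i}", now=0)  # SYN+ACK goes nowhere
    isn = router.on_client_syn("198.51.100.9:51234", now=1)
    router.on_client_ack("198.51.100.9:51234", isn + 1, now=2)        # real client completes step 3
    aged = router.expire(now=31)
    return {
        "half_open_peak": router.peak_half_open,
        "server_syns": server.syns_seen,
        "established": list(server.established),
        "aged_out": aged,
        "half_open_left": len(router.half_open),
        "log": router.log,
    }


if __name__ == "__main__":
    result = simulate()
    print("\n".join(result["log"][-4:]))
    print({k: v for k, v in result.items() if k != "log"})
```

The point the simulation makes is where the half-open state lives: the router absorbs 50 unanswered SYN+ACKs and ages them out, while the server performs exactly one handshake, for the one client that produced a valid ACK.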
Buffer overflow
[Figure: stack layout. Top of the stack; the stack grows downward while strings grow upward; return address, local variables and the buffer holding the "bad" code]
Prevention and detection
PaX – patch for the Linux kernel
Data memory marked non-executable
Code memory marked non-writable
Stack Guard, Stack Smashing Protection, "canary value"
Physical attacks?
Disaster recovery and backups (GLB)
Cold site
Warm site
Hot site
Sniffing
!= capture
The act of capturing traffic that is not destined to you
Is it legal?
– yes
– no
– yes
– no
Man in the Middle
[Figure: Bob, Alice, Unknown, AJ]
Valid ARP request:
Dest MAC       | Source MAC | Type   | Opcode | Sender MAC | Sender IP  | Target MAC     | Target IP
FFFF:FFFF:FFFF | MAC Bob    | 0x0806 | 1      | MAC Bob    | IP Bob     | 0000:0000:0000 | IP Alice
ARP request sent by AJ (sender IP = the gateway's IP):
FFFF:FFFF:FFFF | MAC AJ     | 0x0806 | 1      | MAC AJ     | IP Gateway | 0000:0000:0000 | nonexistent IP
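As an added example (not from the slides), a Python parser for the frame layout in the table above (broadcast destination, EtherType 0x0806, opcode 1, all-zero target MAC) and a switch-side check in the style of Dynamic ARP Inspection: each ARP request's sender IP/MAC pair is compared against a DHCP snooping binding table, which is the "DHCP snooping on the switch" countermeasure the earlier slides list against spoofing. Bob's request matches its binding and is forwarded; AJ's request claims the gateway's IP with AJ's own MAC and is dropped. The MAC addresses, IP addresses and binding table are constructed for the example.

```python
import struct
import ipaddress

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_request(src_mac, sender_ip, target_ip):
    """Constructed Ethernet+ARP request laid out as in the table: broadcast destination,
    EtherType 0x0806, opcode 1, all-zero target MAC."""
    eth = BROADCAST + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)       # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(src_mac) + ipaddress.ip_address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.ip_address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Decode a 42-byte Ethernet+ARP frame into its fields; raise ValueError if malformed."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "opcode": oper,
        "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.ip_address(spa)),
        "target_mac": mac_str(tha), "target_ip": str(ipaddress.ip_address(tpa)),
    }


def inspect(frame, bindings):
    """Dynamic-ARP-Inspection-style decision: the sender IP/MAC pair must match the
    DHCP snooping binding table, and the Ethernet source must equal the ARP sender MAC."""
    try:
        arp = parse_arp(frame)
    except ValueError as e:
        return ("drop", f"malformed: {e}")
    if arp["eth_src"] != arp["sender_mac"]:
        return ("drop", "Ethernet source MAC differs from ARP sender MAC")
    expected = bindings.get(arp["sender_ip"])
    if expected is None:
        return ("drop", f"no binding for sender IP {arp['sender_ip']}")
    if expected != arp["sender_mac"]:
        return ("drop", f"sender IP {arp['sender_ip']} is bound to {expected}, not {arp['sender_mac']}")
    return ("allow", "sender binding matches")


# Constructed DHCP snooping binding table: IP -> MAC learned from DHCP on the switch
BINDINGS = {
    "192.168.1.1": "aa:bb:cc:00:00:01",    # gateway
    "192.168.1.10": "aa:bb:cc:00:00:0b",   # Bob
    "192.168.1.66": "aa:bb:cc:00:00:aa",   # AJ
}

BOB_REQUEST = build_arp_request("aa:bb:cc:00:00:0b", "192.168.1.10", "192.168.1.20")
AJ_REQUEST = build_arp_request("aa:bb:cc:00:00:aa", "192.168.1.1", "192.168.1.250")

if __name__ == "__main__":
    for name, frame in (("Bob", BOB_REQUEST), ("AJ", AJ_REQUEST)):
        verdict, reason = inspect(frame, BINDINGS)
        print(f"{name}: {verdict} ({reason})")
```

The check is only as good as the binding table: hosts with static addresses need explicit entries, otherwise their legitimate ARP traffic is dropped too.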
MiTM detection/prevention
Social engineering
– Kevin Mitnick
Side-channel attacks
– timing attacks -> "how long the computation of an operation takes"
– TEMPEST attacks -> "based on electromagnetic waves"
• Transmitted Electro-Magnetic Pulse
• Transient ElectroMagnetic Pulse Emanation Standard
• Tiny ElectroMagnetic Particles Emitting Secret Things
– acoustic attacks -> in use since the 1980s
– observation attacks -> tracking a user's eye movements
through a telescope
Agenda
Network attacks
– DoS
– MiTM
– "new" attacks
Network devices
– routers as security devices
– dedicated firewalls
– IPS/IDS
A router -> what can it do?
What is a firewall?
[Figure: firewall with Private, DMZ and Public zones and the policies between them: Private-DMZ policy, DMZ-Private policy, Public-DMZ policy, Private-Public policy]
Stateless firewall
Stateful firewall
[Figure: stateful firewall facing the Internet]
Disadvantages:
– FTP
Stateful firewall implementations
Cisco
CBAC – Cisco
– Context-Based Access Control
– programmed to inspect, at layer 7, the control messages of certain
protocols
– allows FTP
ZBF – Cisco
– Zone-Based Firewall
– Can do NBAR (Network Based Application Recognition)
– msn, bittorrent
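The FTP disadvantage of a plain stateful firewall, and the layer-7 inspection that CBAC adds to fix it, as an added Python example (not code from the slides or from Cisco). A toy stateful filter creates session state from outbound packets and admits inbound packets only when they match a known session; that alone rejects the active-mode data connection the FTP server opens toward the client on port 20. With `inspect_ftp=True` the filter parses the `PORT` command on the control channel and opens a one-shot pinhole for exactly that connection. The protected network, the addresses and the traffic are constructed for the example; the inspection covers active mode only.

```python
import ipaddress
import re

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # constructed: the protected network
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


class StatefulFirewall:
    """Toy stateful filter. Outbound packets create session state; inbound packets are
    allowed only for a known session. With inspect_ftp=True the control channel is
    parsed (CBAC-style layer-7 inspection) so the server-initiated data connection
    of active-mode FTP is expected and admitted."""
    def __init__(self, inspect_ftp=False):
        self.inspect_ftp = inspect_ftp
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port)
        self.pinholes = set()   # (outside_ip, outside_port, inside_ip, inside_port) to expect

    def filter(self, pkt):
        src, sport, dst, dport, payload = pkt
        if ipaddress.ip_address(src) in INSIDE:             # outbound
            self.sessions.add((src, sport, dst, dport))
            if self.inspect_ftp and dport == 21:
                self._inspect_port_command(src, dst, payload)
            return "allow"
        if (dst, dport, src, sport) in self.sessions:        # reply within an existing session
            return "allow"
        if (src, sport, dst, dport) in self.pinholes:        # the announced data connection
            self.pinholes.discard((src, sport, dst, dport))  # one-shot
            self.sessions.add((dst, dport, src, sport))
            return "allow"
        return "deny"

    def _inspect_port_command(self, client, server, payload):
        m = PORT_CMD.match(payload or "")
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = m.groups()
        ip = f"{h1}.{h2}.{h3}.{h4}"
        port = int(p1) * 256 + int(p2)
        if ip != client:        # a PORT naming a third host is not honoured (FTP bounce)
            return
        self.pinholes.add((server, 20, client, port))


# Constructed active-mode FTP exchange plus one unsolicited inbound packet:
# (src, sport, dst, dport, payload)
TRAFFIC = [
    ("10.0.0.5", 40001, "198.51.100.7", 21, None),                       # client opens control channel
    ("198.51.100.7", 21, "10.0.0.5", 40001, "220 ftp ready\r\n"),        # server banner (reply)
    ("10.0.0.5", 40001, "198.51.100.7", 21, "PORT 10,0,0,5,157,1\r\n"),  # data expected on 10.0.0.5:40193
    ("198.51.100.7", 20, "10.0.0.5", 40193, None),                       # server opens data connection
    ("203.0.113.9", 4444, "10.0.0.5", 22, None),                         # unrelated inbound packet
]


def run(traffic, inspect_ftp):
    """Return the verdict for each packet, in order."""
    fw = StatefulFirewall(inspect_ftp=inspect_ftp)
    return [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    print("stateful only :", run(TRAFFIC, inspect_ftp=False))
    print("with FTP inspection:", run(TRAFFIC, inspect_ftp=True))
```

Only the fourth verdict differs between the two runs: the unrelated inbound packet is denied either way, while the data connection is admitted only because the inspected control channel announced it.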
Intrusion Detection/Prevention
IDS/IPS vs. firewall?
– a firewall deals with "connections"
– an IDS/IPS can:
• block access to a URL that leads to malicious code
• block the download of an infected resource
• ping scan/port scan
• block the download of a resource containing the string "i can haz
cheeseburger"
• in general: uses a database + adaptive learning to
recognise different network attacks
Placing an IDS/IPS in the network
[Figure: switch with sensor; IDS and IPS placements; target and management console; candidate positions numbered 1-4]
IDS-initiated shunning
[Figure: sensor control interface, management console, target]
Overview
DoS attacks
– ping flood
– smurf
– teardrop, TCP SYN flood (TCP Intercept)
– side-channel & social engineering
References
www.infosyssec.com
www.sans.org
www.cisecurity.org
www.cert.org
www.isc2.org
www.first.org
www.infragard.net
www.mitre.org
www.cnss.gov