Attack / Defense Examples

  • Published on
    03-Jan-2016

DESCRIPTION

Attack / defense examples (PowerPoint PPT presentation): Spoofing (ARP Spoofing, IP Spoofing, DNS Spoofing), Sniffing, DoS/DDoS (Distributed Denial of Service), Buffer overflow.

Transcript

  • Attack / Defense Examples

  • Spoofing: ARP Spoofing, IP Spoofing, DNS Spoofing; Sniffing; DoS/DDoS (Distributed Denial of Service); Buffer overflow

  • (Spoofing) IP MAC , Spoofing

  • ARP IP 2 MAC MAC ARP Spoofing

  • 1. 10.0.0.2 MAC CC 10.0.0.3 MAC CC 2. 3. , ARP Spoofing

  • ARP Spoofing

  • IP Spoofing: TCP sequence number; IP-address-based trust (RPC, r-commands). Trust files (UNIX/Linux): /etc/hosts.equiv, $HOME/.rhost

  • IP Spoofing roles. S: the server. C: the client that S trusts. X: the attacker.

  • IP Spoofing: X first silences C (SYN flooding C, or C is down / rebooting), then impersonates C (IP spoof, impersonation):
    X -> S : SYN(ISN X), Src = C
    S -> C : SYN(ISN S), ACK(ISN X)
    (a live C would answer S with RST)

  • IP Spoofing: X knows ISN X but never sees ISN S, because S's SYN/ACK goes to C. X must guess ISN S; if X sits on C's LAN segment, a packet dump tool shows it directly.
    X -> S : ACK(ISN S), Src = C
    S now believes the TCP connection with C is established, and X sends data, e.g.
    echo + + >> .rhost   // any host, any named user can access

  • Blind Spoofing: ISN must be guessed (r-commands, NFS (Network File System)). Non-Blind Spoofing: packets can be observed ( -> RST -> : IP hijacking)

  • ISN: ISN (Initial Sequence Number), chosen by the OS when the SYN is sent

    ISN ISN = 1 128,000 TCP 64,000 IRIX 6.2 Linux 1.x SunOS 5.5 MS WindowFree BSD 64,000 HP-UXAIX 3 SunOS 5.4 ISN AIX 4 Linux 2.x

  • Guessing ISN S: first observe how S assigns ISNs with a normal SYN packet (1), then send the spoofed packet (2):
    (1) X -> S : SYN(ISN X)
        S -> X : SYN(ISN S), ACK(ISN X)
    (2) X -> S : SYN(ISN X), Src = C
        S -> C : SYN(ISN S), ACK(ISN X)
    The ISN S of (2) is estimated from the ISN S of (1) and the RTT (Round Trip Time); tcpdump can be used to capture the packets and read the ISN.

  • IP Spoofing countermeasures: r-commands; Sequence Number: SN is 32 bit, randomize bits (brute-force possible if the seed is known), ISN S (DES-ecb mode); SN (IPSec)

  • IP Spoofing libraries:
    Libnet : Packet Injection http://libnet.sourceforge.net/
    Libpcap : Packet Capture (Windows: WinPcap) http://winpcap.polito.it/
    Libnids : Network Analysis http://www.packetfactory.net/Projects/libnids/
    OpenSSL : Cryptography http://www.openssl.or.kr/news/news.html

  • DNS (Domain Name System) resolves names such as www.cwd.go.kr to IP addresses. DNS Spoofing: DNS

    DNS

  • 1. The client asks the DNS server for the IP address (DNS query). 2. The DNS server answers with the IP address. 3. The client connects to that IP address.

  • 1. The attacker watches for the client's DNS query (e.g. via ARP spoofing) and sees the DNS query before the DNS server answers.

  • 2. DNS . DNS DNS response DNS response DNS

  • 3. DNS response , . DNS DNS response DNS

  • Sniffing (Sniff: to smell): capturing packets passing on the network. Sniffing is passive; on a LAN, an interface in promiscuous mode receives all frames regardless of destination IP / MAC (Media Access Control) address, so sniffing is hard to detect.

  • Snort IDS and TCPDump are sniffers. Sniffing with TCPDump:

  • Telnet Login TCPDump : wishfree

  • Telnet Login TCPDump : qwer1234

  • Denial of Service (DoS): TCP SYN flooding. DoS against the TCP Backlog (N)

  • DoS: the backlog of N half-open connections fills up. Random source IP -> no ACK ever arrives (IP address spoofing); SYN packets -> TCP half-open connections. Firewall: answer with RST packets

  • DDoS tools: Smurf, Trinoo, Tribe Flood Network (TFN, TFN2K), Stacheldraht, Shaft, Mstream

  • Smurf IP ICMP

  • Tribe Flood Network (TFN2K)

  • DDoS (. TFN -> ) :Savage : . Bellovin:

  • Buffer overflow bugs account for about 50% of CERT advisories: 1997: 16 out of 28 CERT advisories. 1998: 9 out of 13. 1999: 6 out of 12. HOST: 2: buffer overflow

  • What is a buffer overflow? Stack Overflow: the stack is LIFO (Last In First Out), PUSH/POP, Stack Pointer: esp; overriding. Heap Overflow: malloc -> overriding

  • Buffer overflow example (deliberately vulnerable: strcpy copies without a length check):
    #include <string.h>
    void func(char *str) {
        char buf[128];
        strcpy(buf, str);
    }

    What if *str is 136 bytes long? strcpy:

  • strcpy() copies *str past the end of buf:

    the return address (ret) of func() is overwritten, and a shell is spawned!!

  • Buffer overflows URL func() 200 URL : P \0 Overflow func() buffer overflows : MIME name field MS Outlook Express 4.0x

  • overflow non-executable Linux Solaris , overflow buffer overflow 2 : P

  • Stack smashing : buffer overflow Overriding pointers : (Linux superprobe )

    buffer overflow pointer overriding; longjmp buffers: longjmp(pos) (Perl 5.003), pos buffer overflow, pos overriding

  • Locations: stack (local vars), heap (malloc'ed vars), data segment (static vars). Return-into-libc: FP / ret-addr point at libc exec of /bin/sh

  • Buffer overflows buffer overflows : $$$$$ , overflow core dump $$$$$ (eEye Retina, ISIC) Open Source

  • Buffer overflow defenses: replace strcpy(), strcat(), sprintf() with strncpy(), strncat(). Beware of strncpy() misuse: strncpy( dest, src, strlen(src)+1 ) :
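    An added example, not from the slides, putting the func() from the slide above next to a hardened replacement. safe_func and the helper names are hypothetical; the buffer size 128 and the 136-byte input come from the slide, and the bound is taken from the destination size rather than strlen(src)+1.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 128   /* same size as buf[128] in the slide's func() */

/* Hypothetical hardened replacement for the slide's func().
 * The bound comes from the DESTINATION size; strncpy(buf, str, strlen(str)+1)
 * (the misuse shown on the slide) copies the whole source and is no safer
 * than strcpy. Returns true when the input had to be truncated, i.e. when
 * the original strcpy version would have written past the buffer. */
bool safe_func(const char *str, char out[BUF_SIZE])
{
    bool truncated = strlen(str) >= BUF_SIZE;
    strncpy(out, str, BUF_SIZE - 1);   /* copies at most 127 bytes */
    out[BUF_SIZE - 1] = '\0';          /* strncpy does not always terminate */
    return truncated;
}

/* True when a len-byte string (without its NUL) would overflow buf[BUF_SIZE]
 * under strcpy; 136 bytes is the case the slide asks about. */
bool strcpy_would_overflow(size_t len)
{
    return len + 1 > BUF_SIZE;
}

/* Builds a constructed input of len 'A' bytes, runs safe_func on it and
 * returns the length actually stored (never more than 127). */
size_t stored_len_for_input(size_t len)
{
    char buf[BUF_SIZE];
    char *input = malloc(len + 1);
    if (input == NULL)
        return 0;
    memset(input, 'A', len);
    input[len] = '\0';
    safe_func(input, buf);
    free(input);
    return strlen(buf);
}

int main(void)
{
    printf("136-byte input: strcpy overflows=%d, safe_func stores %zu bytes\n",
           strcpy_would_overflow(136), stored_len_for_input(136));
    return 0;
}
```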

  • Finding buffer overflows: @stake.com (l0pht.com): SLINT (UNIX); rstcorp: its4; Berkeley: Wagner, et al.

  • : StackGuard 1: buffer C C++ 2: StackGuard (OGI) canary

  • Canary types. Random canary: a random canary value is written next to the return address and checked before returning. Terminator canary: canary = 0, newline, linefeed, EOF, the bytes at which C string functions stop copying

  • StackGuard is implemented as a GCC patch. PointGuard: a canary for function pointers and setjmp buffers. Canaries protect against stack smashing

  • References:
    Buffer overflows: attacks and defenses for the vulnerability of the decade. http://www.immunix.org/StackGuard/discex00.pdf
    A first step towards automated detection of buffer overrun vulnerabilities. http://www.cs.berkeley.edu/~daw/papers/overruns-ndss00.ps
    Smashing the stack for fun and profit. http://www.phrack.com Article p49-14. By Aleph1
    Bypassing StackGuard and StackShield. http://ww.phrack.com Article p56-6. By Bulba and Kil3r
    Distributed denial of service attacks/tools. http://staff.washington.edu/dittrich/misc/ddos

    Up till now, have been concerned with protecting message content (ie secrecy) by encrypting the message. Will now consider how to protect message integrity (ie protection from modification), as well as confirming the identity of the sender. Generically this is the problem of message authentication, and in eCommerce applications is arguably more important than secrecy.