Attack / Defense Examples. Contents: Spoofing attacks and countermeasures (ARP Spoofing, IP Spoofing, DNS Spoofing); Sniffing attacks and countermeasures; DoS/DDoS (Distributed Denial of Service) attacks and countermeasures; Buffer overflow attacks and countermeasures. Spoofing attacks: spoofing means 'to deceive'; what gets spoofed is an IP address, a host name or a MAC address - PowerPoint PPT Presentation
Attack / Defense Examples
Contents: Spoofing (ARP Spoofing, IP Spoofing, DNS Spoofing), Sniffing, DoS/DDoS (Distributed Denial of Service), Buffer overflow
Spoofing means 'to deceive'; the spoofed identifier can be an IP address, a host name or a MAC address. Kinds of spoofing attack:
ARP Spoofing: ARP resolves an IP address into a layer-2 (MAC) address. In ARP spoofing the attacker answers with a forged MAC address, so frames meant for the real host are delivered to the attacker's MAC address.
1. Host 10.0.0.2 is told that the MAC address of 10.0.0.3 is CC, and host 10.0.0.3 is told that the MAC address of 10.0.0.2 is CC (CC being the attacker's MAC address). 2. 3. (steps 2 and 3 of the ARP Spoofing diagram: text missing)
ARP Spoofing
IP Spoofing: forging the source IP address of TCP packets, which requires predicting the TCP Sequence Number. Classic targets: RPC and the r-commands (rlogin, rsh), which trust hosts by IP address alone via /etc/hosts.equiv and $HOME/.rhosts (UNIX/Linux).
IP Spoofing scenario. S: the server (target). C: a client that S trusts. X: the attacker, who will impersonate C.
IP Spoofing, step 1: take C out of the picture so it cannot answer S (SYN flooding C, or waiting until C is down or rebooting). Step 2: impersonate C (Impersonation). X -> S : SYN(ISN X), Src = C. S -> C : SYN(ISN S), ACK(ISN X). If C were reachable it would answer this unexpected SYN/ACK with a RST and the spoofed connection would be torn down.
IP Spoofing, step 3: X knows ISN X, but S's SYN/ACK carrying ISN S went to C, not to X. If X is on the same LAN segment as C or S it can read ISN S with a packet dump tool; otherwise ISN S has to be predicted. X -> S : ACK(ISN S), Src = C. S now considers the TCP connection with C established and X sends data as C, e.g. echo "+ +" >> .rhosts // any host, any named user can access
Blind spoofing: X cannot see the replies and must predict ISN S; used against the r-commands and NFS (Network File System). Non-blind spoofing: X can capture the packets of an existing session, sends a RST to one party and takes the session over: IP hijacking.
ISN (Initial Sequence Number): the sequence number an OS chooses for each SYN it sends; how predictable it is depends on the OS.
ISN generation. The classic scheme increments the ISN by 128,000 every second and by 64,000 for each new TCP connection, which makes it predictable. The slide groups operating systems by their generator: IRIX 6.2, Linux 1.x, SunOS 5.5, MS Windows, FreeBSD (64,000 increment per connection); HP-UX, AIX 3, SunOS 5.4; AIX 4, Linux 2.x (randomized ISN).
Predicting ISN S. Packet (1): X first opens a normal connection to S. X -> S : SYN(ISN X). S -> X : SYN(ISN S), ACK(ISN X). X now knows the current ISN S. Packet (2): X sends the spoofed SYN. X -> S : SYN(ISN X), Src = C. S -> C : SYN(ISN S), ACK(ISN X). The ISN S of (2) is estimated from the ISN S observed in (1) plus the per-connection increment, using the RTT (Round Trip Time) between the two packets as measured with tcpdump.
IP Spoofing countermeasures: do not rely on the r-commands. Randomize the Sequence Number (SN): the SN is 32 bits, and randomizing only some of the bits still leaves brute-force guessing possible, so derive ISN S from a random seed with encryption (DES in ECB mode). Authenticate and encrypt the packets themselves (IPSec).
IP Spoofing tools and libraries:
Libnet : Packet Injection http://libnet.sourceforge.net/
Libpcap : Packet Capture (Windows: WinPcap) http://winpcap.polito.it/
Libnids : Network Analysis http://www.packetfactory.net/Projects/libnids/
OpenSSL : Cryptography http://www.openssl.or.kr/news/news.html
DNS (Domain Name System) translates a host name such as www.cwd.go.kr into its IP address. DNS spoofing: the attacker supplies a forged DNS answer so that the victim resolves the name to an address of the attacker's choosing. Normal name resolution:
DNS
1. The client sends a DNS query for the host name to its DNS server. 2. The DNS server returns the IP address. 3. The client connects to the returned IP address.
DNS spoofing, step 1: the attacker observes the client's DNS query (on a switched LAN, ARP spoofing is used first so that the query passes by the attacker).
2. The attacker sends a forged DNS response to the client before the real DNS server's response arrives.
3. The client accepts the first DNS response, i.e. the forged one, and discards the real DNS response that arrives later.
Sniffing. 'Sniff' means to smell out; sniffing is eavesdropping on network traffic. It is passive, so it is hard to detect. On a LAN, a network card in promiscuous mode receives every frame on the segment regardless of its destination IP or MAC (Media Access Control) address; sniffing tools rely on this mode.
Sniffing tools: Snort (IDS), TCPDump. Sniffing with TCPDump:
Telnet login captured with TCPDump, user name: wishfree
Telnet login captured with TCPDump, password: qwer1234
Denial of Service (DoS): TCP SYN flooding. A TCP server keeps at most N half-open connections in its backlog (backlog size N).
SYN flooding: the attacker sends SYN packets with random spoofed source IP addresses (IP address spoofing). The server answers SYN/ACK and waits for an ACK that never comes, so N half-open connections fill the backlog and legitimate clients are refused. Countermeasure: a firewall sends RST packets for the half-open connections to free the backlog.
DDoS tools: Smurf, Trinoo, Tribe Flood Network (TFN, TFN2K), Stacheldraht, Shaft, Mstream
Smurf: ICMP echo requests sent with the victim's IP address as the spoofed source, so that the replies flood the victim.
Tribal Flood Network (TFN2K)
DDoS countermeasures (e.g. against TFN): traceback proposals by Savage et al. and by Bellovin.
Buffer overflow bugs account for about 50% of CERT advisories: 1997: 16 out of 28 CERT advisories. 1998: 9 out of 13. 1999: 6 out of 12. Host attacks, part 2: buffer overflow
What is a buffer overflow? Stack overflow: the stack is LIFO (Last In First Out), accessed with PUSH/POP and addressed through the stack pointer (esp); writing past a stack buffer overrides what lies above it (saved registers, return address). Heap overflow: writing past a malloc'ed block overrides the adjacent heap data.
What is a buffer overflow? Example: suppose a web server contains the function

    #include <string.h>

    void func(char *str) {
        char buf[128];
        strcpy(buf, str);   /* no bounds check: a str of 128 bytes or more writes past the end of buf */
    }

When func() is invoked, its stack frame holds buf followed by the saved frame pointer and the return address:
What if *str is 136 bytes long? After strcpy:
Problem: strcpy() does no range checking, so the bytes of *str beyond the end of buf overwrite the saved frame pointer and the return address:
When func() returns, execution continues at the overwritten return address (ret), which points into the attacker's data: the attacker gets a shell!!
Exploiting buffer overflows: suppose the web server calls func() with the requested URL. A 200-byte URL then overflows buf. Complications: the injected program P must not contain the '\0' character, and the overflow must not crash the program before func() returns. A real buffer overflow of this type: the MIME name field in MS Outlook Express 4.0x.
Countermeasure: marking the stack non-executable (supported on Linux and Solaris) stops the basic stack overflow attack, but not every buffer overflow exploit. Two limitations: heap overflows are unaffected, and not every exploit needs to run an injected program P from the stack.
Other control hijacking opportunities besides stack smashing: a buffer overflow that overrides pointers, e.g. a function pointer stored next to the buffer (example: Linux superprobe).
Buffer overflow with pointer overriding: longjmp buffers. longjmp(pos) jumps to the position saved in pos (example: Perl 5.003); if a buffer next to pos overflows, pos is overridden and longjmp jumps to an address of the attacker's choosing.
Buffers can be overflowed wherever they live: on the stack (local vars), on the heap (malloc'ed vars), or in the data segment (static vars). Attacks without code on the stack: overwrite the saved FP and the return address so that the function returns into libc's exec with the argument /bin/sh.
Finding buffer overflows: send requests with long inputs that end in '$$$$$'; if the program crashes, search the core dump for '$$$$$' to locate the overflow. Automated tools exist (eEye Retina, ISIC); for Open Source software the source code can be reviewed directly.
Preventing buffer overflows: the main problem is that strcpy(), strcat() and sprintf() do no range checking. The 'safe' versions strncpy() and strncat() are misleading: strncpy() writes no terminator when the source does not fit, and strncpy( dest, src, strlen(src)+1 ) bounds the copy by the source length instead of the destination size, so it is no safer than strcpy():
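The following C program is an added example, not code from the original slides. It puts the two misleading strncpy() idioms named above next to a copy that is bounded by the destination size and always NUL-terminates; DEST_SIZE, the function names and the two input strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example for the point above; it is not code from the original
 * slides. It contrasts the two misleading strncpy() idioms with a copy
 * that is bounded by the DESTINATION size and always NUL-terminates.
 * DEST_SIZE and all function names are this example's own choices. */

#define DEST_SIZE 8

/* strncpy(dest, src, strlen(src)+1) sizes the copy by the source, so it
 * writes exactly as many bytes as strcpy() would. Returns 1 when that
 * length exceeds dest_size, i.e. when the call would overflow dest. The
 * write itself is deliberately not performed. */
int source_len_exceeds_dest(const char *src, size_t dest_size) {
    return strlen(src) + 1 > dest_size;
}

/* The other trap: strncpy(dest, src, dest_size) with strlen(src) >=
 * dest_size copies dest_size bytes and writes no terminator at all, so a
 * later strlen()/printf() on dest reads past the buffer. Returns 1 when
 * dest ends up unterminated, 0 when terminated, -1 if dest_size is too
 * large for this demo's buffer. */
int strncpy_leaves_unterminated(const char *src, size_t dest_size) {
    char dest[DEST_SIZE];
    if (dest_size > sizeof dest) return -1;
    strncpy(dest, src, dest_size);
    return memchr(dest, '\0', dest_size) == NULL;
}

/* Copy bounded by the destination: never writes past dest and always
 * leaves it NUL-terminated. Returns 0 when src fit, -1 when it was
 * truncated, so the caller can reject or log oversized input. */
int copy_bounded(char *dest, size_t dest_size, const char *src) {
    size_t len = strlen(src);
    if (dest_size == 0) return -1;
    if (len >= dest_size) {
        memcpy(dest, src, dest_size - 1);
        dest[dest_size - 1] = '\0';
        return -1;
    }
    memcpy(dest, src, len + 1);
    return 0;
}

/* Runs copy_bounded() into a DEST_SIZE buffer; returns its result code. */
int copy_bounded_result(const char *src) {
    char dest[DEST_SIZE];
    return copy_bounded(dest, sizeof dest, src);
}

/* Runs copy_bounded() into a DEST_SIZE buffer and returns 1 when the
 * result is NUL-terminated inside the buffer, whatever the input length. */
int copy_bounded_terminated(const char *src) {
    char dest[DEST_SIZE];
    copy_bounded(dest, sizeof dest, src);
    return memchr(dest, '\0', sizeof dest) != NULL;
}

int main(void) {
    /* Constructed inputs: one that fits, one longer than the buffer. */
    const char *ok  = "hello";
    const char *big = "0123456789ABCDEF";

    printf("strlen(src)+1 bound overflows dest: ok=%d big=%d\n",
           source_len_exceeds_dest(ok, DEST_SIZE),
           source_len_exceeds_dest(big, DEST_SIZE));
    printf("strncpy(dest, src, sizeof dest) unterminated: ok=%d big=%d\n",
           strncpy_leaves_unterminated(ok, DEST_SIZE),
           strncpy_leaves_unterminated(big, DEST_SIZE));
    printf("copy_bounded result: ok=%d big=%d (terminated: %d %d)\n",
           copy_bounded_result(ok), copy_bounded_result(big),
           copy_bounded_terminated(ok), copy_bounded_terminated(big));
    return 0;
}
```

The design point is that the bound passed to the copy must come from the destination, and that truncation is reported to the caller rather than silently producing an unterminated buffer.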
How can buffer overflows be found in source code? Static analysis tools: @stake.com (l0pht.com): SLINT (for UNIX); rstcorp: its4 (based on lexical analysis); Berkeley: Wagner et al. (range analysis of buffer sizes and indices).
Run-time checking: StackGuard. Solution 1: add range checking for buffers to C/C++ (compiler or library support). Solution 2: StackGuard (OGI): embed a canary in every stack frame and verify it before the function returns.
Canary types. Random canary: a random value chosen at program start is placed in every stack frame and checked before return; to corrupt the stack undetected the attacker has to know the current random canary. Terminator canary: canary = 0, newline, linefeed, EOF; C string functions stop copying at these terminator characters, so an overflow through a string function cannot reproduce the canary.
StackGuard (cont.): implemented as a GCC patch, so programs must be recompiled. Heap protection: PointGuard extends canary-style protection to function pointers and setjmp buffers. Note: canaries are not foolproof; some stack smashing attacks leave the canaries untouched.
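To make the canary check concrete, here is an added C illustration; it is not StackGuard's code and not part of the original slides. It models a stack frame as a struct (local buffer, then canary, then a stand-in for the saved return address, in memory order) and shows a raw overflow being caught, a string overflow being caught, and why a strcpy()-style copy cannot reproduce a terminator canary. Frame, TERMINATOR_CANARY, DEMO_RET_ADDR and the function names are this example's own; the overflow payloads are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the canary idea from the slides above; it is not
 * StackGuard's code and not part of the original presentation. A stack
 * frame is modelled as a struct: the local buffer, then the canary word,
 * then a stand-in for the saved return address, in the order they sit in
 * memory. Frame, TERMINATOR_CANARY, DEMO_RET_ADDR and the function names
 * are this example's own. */

/* Terminator canary: the slide's "0, newline, linefeed, EOF", taken here as
 * the bytes NUL, LF, CR, 0xff. A C string copy stops at the NUL. */
static const unsigned char TERMINATOR_CANARY[4] = { 0x00, 0x0a, 0x0d, 0xff };

/* Constructed placeholder for the saved return address. */
#define DEMO_RET_ADDR 0x08048000u

typedef struct {
    char          buf[16];    /* the overflowable local buffer            */
    unsigned char canary[4];  /* guard word placed right after the buffer */
    uint32_t      saved_ret;  /* stands in for the saved return address   */
} Frame;

void frame_init(Frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    memcpy(f->canary, TERMINATOR_CANARY, sizeof f->canary);
    f->saved_ret = DEMO_RET_ADDR;
}

/* The check StackGuard inserts in the function epilogue: 1 = intact,
 * 0 = the frame was smashed and the program must abort instead of
 * returning through saved_ret. */
int canary_intact(const Frame *f) {
    return memcmp(f->canary, TERMINATOR_CANARY, sizeof f->canary) == 0;
}

/* Models an unchecked binary copy of n bytes into the frame starting at
 * buf (a read()/memcpy() overflow). The write is clamped to the struct so
 * this model never touches memory outside the object. Returns the canary
 * check result after the write. */
int frame_write_raw(Frame *f, const unsigned char *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, src, n);
    return canary_intact(f);
}

/* Models a strcpy()-style copy into buf: bytes are copied up to and
 * including the first NUL of src, clamped to the struct as above. */
int frame_write_string(Frame *f, const char *src) {
    size_t n = strlen(src) + 1;           /* strcpy copies the terminator */
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, src, n);
    return canary_intact(f);
}

/* Scenario 1: 24 raw bytes reach saved_ret; the canary check catches it.
 * Returns 1 when the overflow was detected. */
int scenario_raw_overflow_detected(void) {
    Frame f;
    unsigned char payload[24];
    memset(payload, 'A', sizeof payload);  /* constructed overflow data */
    frame_init(&f);
    return frame_write_raw(&f, payload, sizeof payload) == 0;
}

/* Scenario 2: a 24-character string also reaches saved_ret and also
 * trips the canary. Returns 1 when detected. */
int scenario_string_overflow_detected(void) {
    Frame f;
    frame_init(&f);
    return frame_write_string(&f, "AAAAAAAAAAAAAAAAAAAAAAAA") == 0;
}

/* Scenario 3: the only way past the check is to write the canary bytes
 * themselves, but the first of them is NUL, which ends a C string: the
 * copy stops there and saved_ret is never reached. Returns 1 when the
 * canary is intact AND saved_ret is unchanged. */
int scenario_terminator_stops_string_copy(void) {
    Frame f;
    frame_init(&f);
    frame_write_string(&f, "AAAAAAAAAAAAAAAA\x00\x0a\x0d\xff\x11\x22\x33\x44");
    return canary_intact(&f) && f.saved_ret == DEMO_RET_ADDR;
}

int main(void) {
    printf("raw 24-byte overflow detected   : %d\n", scenario_raw_overflow_detected());
    printf("24-char string overflow detected: %d\n", scenario_string_overflow_detected());
    printf("string copy halted by terminator: %d\n", scenario_terminator_stops_string_copy());
    return 0;
}
```

In a real StackGuard build the check in canary_intact() is emitted by the compiler in every function epilogue and a failure aborts the process; the model writes into the struct's own bytes only, so it is a demonstration of the detection logic, not of an actual stack smash.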
References:
Buffer overflows: attacks and defenses for the vulnerability of the decade. http://www.immunix.org/StackGuard/discex00.pdf
A first step towards automated detection of buffer overrun vulnerabilities. http://www.cs.berkeley.edu/~daw/papers/overruns-ndss00.ps
Smashing the stack for fun and profit. http://www.phrack.com, article p49-14, by Aleph1
Bypassing StackGuard and StackShield. http://www.phrack.com, article p56-6, by Bulba and Kil3r
Distributed denial of service attacks/tools. http://staff.washington.edu/dittrich/misc/ddos
Up till now, have been concerned with protecting message content (ie secrecy) by encrypting the message. Will now consider how to protect message integrity (ie protection from modification), as well as confirming the identity of the sender. Generically this is the problem of message authentication, and in eCommerce applications is arguably more important than secrecy.