CS162 Operating Systems and Systems Programming
Lecture 27: Cybersecurity Attacks
May 8, 2006
Prof. Anthony D. Joseph
http://inst.eecs.berkeley.edu/~cs162

Review: Internet Viruses
• Self-replicating code and data
• Typically requires human interaction before exploiting an application vulnerability
  – Running an e-mail attachment
  – Clicking on a link in an e-mail
  – Inserting/connecting “infected” media to a PC
• Then searches for files to infect or sends out e-mail with an infected file
• FBI survey of 269 companies in 2004 found that viruses caused ~$55 million in damages
• DIY toolkits proliferate on Internet

5/8/06

Joseph CS162 ©UCB Spring 2006

Lec 27.2

Review: Internet Worms
• Self-replicating, self-propagating code and data
• Use network to find potential victims
• Typically exploit vulnerabilities in an application running on a machine or the machine’s operating system to gain a foothold
• Then search the network for new victims
• 80% of worms/viruses in 2004 used e-mail as one of their propagation mechanisms

Goals for Today
• Hidden Software Attacks
• Malicious Hackers
• Critical Cyber Infrastructure Protection
• Worms and Viruses
• Want to learn more about security?
  – Take CS 161 this fall

Note: Some slides and/or pictures in the following are adapted from slides ©2005 Silberschatz, Galvin, and Gagne. Many slides generated from my lecture notes by Kubiatowicz.

Shrink Wrap Software Woes
• Can I trust software installed by the computer manufacturer?
  – Not really, most major computer manufacturers have shipped computers with viruses
  – How?
    » Forget to update virus scanner on “gold” master machine
• Software companies, PR firms, and others routinely release software that contains viruses
• Linux hackers say “Start with the source”
  – Does that work?

Ken Thompson’s self-replicating program
• Bury Trojan horse in binaries, so no evidence in source
  – Replicates itself to every UNIX system in the world and even to new UNIX’s on new platforms. No visible sign.
  – Gave Ken Thompson ability to log into any UNIX system
• Two steps: Make it possible (easy); Hide it (tricky)
• Step 1: Modify login.c
    A: if (name == “ken”) don’t check password, log in as root
  – Easy to do but pretty blatant! Anyone looking will see.
• Step 2: Modify C compiler
  – Instead of putting code in login.c, put in compiler:
    B: if see trigger1, insert A into input stream
  – Whenever compiler sees trigger1 (say /*gobbledygook*/), puts A into input stream of compiler
  – Now, don’t need A in login.c, just need trigger1

Self Replicating Program Continued
• Step 3: Modify compiler source code:
    C: if see trigger2, insert B+C into input stream
  – Now compile this new C compiler to produce binary
• Step 4: Self-replicating code!
  – Simply remove statement C in compiler source code and place “trigger2” into source instead
    » As long as existing C compiler is used to recompile the C compiler, the code will stay in the C compiler and will compile back door into login.c
    » But no one can see this from source code!
• When porting to new machine/architecture, use existing C compiler to generate cross-compiler
  – Code will migrate to new architecture!
• Lesson: never underestimate the cleverness of computer hackers for hiding things!
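The slides end with "no one can see this from source code", which raises the defender's question: if source review cannot find the trojan, what can? The following is an added Python example, not part of the lecture. It models the two-trigger compiler trojan as string manipulation (a "binary" is a string; run_compiler() turns a compiler binary into a callable) and then applies a check the slides do not mention, David A. Wheeler's diverse double-compiling: compile the compiler's own source with a second, independently produced compiler, use that result to compile the source again, and compare the outcome with the suspect binary. The trojan survives only when it is the compiler doing the compiling, so the detour through the trusted compiler strips it and the comparison fails. In this toy the "trusted" compiler is simply an honest build of the same source; in practice it must be a compiler the suspect one could not have influenced. All source strings, trigger texts and names are constructed for the example.

```python
"""Toy model of the two-trigger compiler trojan from the slides, plus the
check that exposes it: diverse double-compiling (D. A. Wheeler). 'Binaries'
are plain strings and a compiler binary is turned into a callable with
run_compiler(); everything here is constructed for the example."""

# Clean sources. Neither contains a backdoor, which is the point of steps 2-4:
# reading these finds nothing.
LOGIN_SRC = "login.c: check_password(name, pw); grant_shell(name)"
CC_SRC = "cc.c: translate(source) -> binary"

# What the trojaned compiler splices into its output (A and B+C on the slides).
BACKDOOR = " [A: if name == 'ken' skip password check, log in as root]"
TROJAN = " [B+C: on login.c insert A; on cc.c re-insert B+C]"


def run_compiler(cc_binary: str):
    """Return a callable that behaves like the given compiler binary."""
    trojaned = TROJAN in cc_binary          # the hidden code lives only in the binary

    def compile_(src: str) -> str:
        out = f"BIN({src})"                 # honest translation of whatever it is given
        if trojaned and src.startswith("login.c:"):
            out += BACKDOOR                 # trigger1: back door into login
        if trojaned and src.startswith("cc.c:"):
            out += TROJAN                   # trigger2: self-reproduction
        return out

    return compile_


# A compiler binary built honestly from CC_SRC, and the one step 4 leaves behind:
# same source, but the binary carries the trojan.
HONEST_CC = f"BIN({CC_SRC})"
SUSPECT_CC = HONEST_CC + TROJAN


def source_mentions_backdoor(src: str) -> bool:
    """Source review: does the text contain the hard-coded user name at all?"""
    return "ken" in src


def ddc_check(suspect_cc: str, trusted_cc: str, cc_src: str = CC_SRC):
    """Diverse double-compiling.

    stage1 = cc_src compiled by an independent, trusted compiler
    stage2 = cc_src compiled by stage1
    If suspect_cc really is what cc_src compiles to, stage2 must equal it
    byte for byte. A self-reproducing trojan in suspect_cc cannot survive
    the detour through the trusted compiler, so the comparison fails.
    Returns (matches, stage2).
    """
    stage1 = run_compiler(trusted_cc)(cc_src)
    stage2 = run_compiler(stage1)(cc_src)
    return stage2 == suspect_cc, stage2


if __name__ == "__main__":
    print("source review finds backdoor:",
          source_mentions_backdoor(LOGIN_SRC) or source_mentions_backdoor(CC_SRC))
    print("login built by suspect cc has backdoor:",
          BACKDOOR in run_compiler(SUSPECT_CC)(LOGIN_SRC))
    print("rebuilding cc from clean source with suspect cc keeps trojan:",
          TROJAN in run_compiler(SUSPECT_CC)(CC_SRC))
    print("DDC says suspect cc matches its source:", ddc_check(SUSPECT_CC, HONEST_CC)[0])
```

Running it shows the three facts from the slides (source is clean, login built by the suspect compiler is backdoored, recompiling the clean compiler source keeps the trojan alive) and then the check that breaks the cycle: ddc_check() returns False for the suspect binary and True for the honest one.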

Cracker Profile
• Cracker = malicious hacker
• FBI Profiles (circa 1999)
  – Nerd, teen whiz kid, anti-social underachiever, social guru
• Later survey
  – Avg age 16 – 19, 90% male, 70% live in US
  – Spend avg 57 hrs/week online, 98% believe won’t be caught
• Most motivated by prestige
  – Finding bugs, mass infections, …

Evolution
• 1990’s: Internet spreads around the world
  – Crackers proliferate in Eastern Europe
• Early 2000’s: Do-It-Yourself toolkits
  – Select propagation, infection, and payload on website for customized virus/worm
• 2001–: Crackers proliferate everywhere
  – Profit motivation: very lucrative incentive!

Evolution (Circa 2001-)
• Cracking for profit, including organized crime
  – But, 50% of viruses still contain the names of crackers or the groups that are supposedly behind viruses
• Goal: create massive botnets of 10-100,000+ machines
  – Aggregate bandwidth (gigabits – terabits)
  – Each machine sets up encrypted, authenticated connection to central point (IRC server) and waits for commands
• Rented for pennies per machine per hour/campaign for:
  – Overloading/attacking websites, pay-per-click scams, distributed password cracking, sending spam/phishing email, or hosting phishing websites…
  – Also, Distributed Denial of Service (DDoS) attacks
    » Overwhelm server and/or network links
    » Political msgs, fame/bragging
    » Extortion (“pay or your site and business die”)

Network Environments
• Single host
• Subnet/corporate network
• ISP-level, Internet-scale
• Critical Cyber Infrastructure Protection
  – Supervisory Control And Data Acquisition (SCADA)
  – Power plants, chemical factories, refineries, water/sewage plants, port/rail facilities, …
  – Real risk is “boomable” industries/facilities

Example True SCADA Incidental Attack Scenarios
• Port of Houston, 20 Sept 2001
  – >1 billion containers (2000), 6,400 ships (2002), $11 billion revenue (2002)
  – $15 billion petrochemical complex: largest in nation, second in the world
  – 19 year old UK teenage member of a group called Allied Haxor Elite trying to get back at a girl he met in a chatroom (Found not guilty)
• Ohio's Davis-Besse nuclear power plant, offline, Jan 2003
  – Slammer worm penetrated a private computer network and disabled control and safety monitoring systems for ~5 hours
  – Penetrated unsecured network of an unnamed Davis-Besse contractor, then squirmed through a T1 line bridging that network and Davis-Besse's corporate network
• Northeast power outage, 50 million people, August 2003
  – MSBlaster worm crippled key detection systems and delayed response during a critical time: “significantly worsened the effect of the outage”

SCADA Vulnerabilities
• Control Systems Are Adopting Standardized Technologies with Known Vulnerabilities
  – Migration to COTS technology (WindowsXP and WinXP embedded)
• Control Systems Are Connected to Other Networks
  – Want real-time view of process “values” from business side
• Insecure Connections Exacerbate Vulnerabilities
  – Insecure dial-in, wireless backhaul, …
• Information about Infrastructures and Control Systems Is Publicly Available
  – Easy to purchase equipment for analysis
  – Regulatory filings reveal lots of info
  – Toolkits easily available
• Social threats
  – Insider threat (Queensland sewage treatment plant intrusion)
  – Lack of operator console password protection

Source: GAO-04-354, “Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems,” March 2004

Insufficient Network Isolation
(Labels from the slide's SCADA network diagram)
• No firewall between RTUs and SCADA LAN
• No sanity checking of data or controls
• No firewall between corporate and SCADA LANs
• No firewall for Data Historian
• No sanity checking of entered values

Source: Jonathan Pollet, PlantData Technologies

Survey of ~50 water supply providers (Ezell 1997)
• Insecure network connections
  – Operators can access email from admin LAN (75%)
  – Admin LAN is remote accessible (75%)
• Vulnerable to corruption of information
• Sensitive to Denial of Service attacks
  – Flooding of wireless/wired link
  – DoS against controller or RTUs
• Limited or no authentication in protocols
  – Slow/old CPUs in field equipment
  – High upgrade cost per field device (+ more BW/mem/config)
• My observation:
  – Hard to model effects of incremental retrofit/deployment

Other COTS Implications
• RTUs interconnected by leased lines, public Internet, or wireless
  – A power company's SCADA traffic was blocked by leased line failures at a telco that fell prey to Slammer worm
• Vulnerability and Risk Assessment Team and a power utility…
  – Drove to a remote substation; while sitting in their vehicle, they noticed a wireless network antenna
  – Fired up notebooks and connected to network
  – 10 minutes later, they’d mapped entire substation’s equipment
  – 15 mins later, they’d mapped the entire operational control network
  – 20 mins later, they’d accessed the business network and downloaded several business reports
  – Never even left the vehicle…

Source: Alan S. Brown, “SCADA vs. the hackers,” Mechanical Engineering, December 2002

Administrivia
• Last day of sections is tomorrow
• Final Exam:
  – May 18th 12:30-3:30pm, Bechtel Auditorium

Zotob Virus (August 2005)
• Infect machines and set IE security to low (enables pop-up website ads)
• Revenue from ads that now appear
• User may remove virus, but IE settings will likely remain set to low
• Continued revenue from ads…
• More than 100 companies, including Financial Times, ABCNews and CNN, were hit by the Zotob Windows 2000 worm in August 2005
• Two men arrested (will be charged and prosecuted in their respective homelands):
  – Moroccan 18-year-old Farid Essebar
  – Turkish 21-year-old Atilla Ekici

Internet Worms: Zero-Day Exploits
• Morris worm infected a small number of hosts in a few days (several thousand?)
  – But, Internet only had ~60,000 computers!
• What about today? ~360M computers
• Theoretical “zero-day” exploit worm
  – Rapidly propagating worm that exploits a common Windows vulnerability on the day it is exposed
  – Propagates faster than human intervention, infecting all vulnerable machines in minutes

Before Sapphire (AKA Slammer) Worm – 01/25/03
• Fastest computer worm in history
  – Used MS SQL Server buffer overflow vulnerability
  – Caused network outages, canceled airline flights, election problems, interrupted E911 service, and caused ATM failures

After Sapphire
• Doubled in size every 8.5 seconds, 55M scans/sec
  – Infected >90% of vulnerable hosts within 10 mins
  – Infected at least 75,000 hosts
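The two Sapphire slides give a doubling time, a population and a time to 90% infection; the standard random-constant-spread (logistic) model of a scanning worm ties those together and shows why "faster than human intervention" is the right summary. The Python below is an added example, not from the lecture: it takes the slide's 8.5 s doubling time and 75,000-host vulnerable population, assumes a single initially infected host, and computes how long the model needs to reach 90% infection. The model itself is the one introduced by Staniford, Paxson and Weaver for Code Red; its use here on the Sapphire figures is this example's own.

```python
"""Random-constant-spread (logistic) model of a scanning worm, used here to
check the Sapphire numbers on the slide: doubling every 8.5 s, >90% of
vulnerable hosts in under 10 minutes, at least 75,000 hosts.
The model, the single-seed assumption and this code are an added
illustration, not from the lecture."""
import math


def spread_rate(doubling_time_s: float) -> float:
    """K such that the early (uncontended) infection count grows as 2^(t/T)."""
    return math.log(2) / doubling_time_s


def infected_at(t_s, doubling_time_s, vulnerable, initial=1):
    """I(t) = N / (1 + (N/I0 - 1) * e^(-K t)).

    Early on this is exponential (every infected host's scans find fresh
    victims); as the vulnerable pool empties, most scans land on hosts that
    are already infected or not vulnerable, and growth flattens out."""
    k = spread_rate(doubling_time_s)
    return vulnerable / (1 + (vulnerable / initial - 1) * math.exp(-k * t_s))


def time_to_fraction(frac, doubling_time_s, vulnerable, initial=1):
    """Solve I(t)/N = frac for t: t = [ln(frac/(1-frac)) + ln(N/I0 - 1)] / K."""
    if not 0 < frac < 1:
        raise ValueError("frac must be strictly between 0 and 1")
    k = spread_rate(doubling_time_s)
    return (math.log(frac / (1 - frac)) + math.log(vulnerable / initial - 1)) / k


def sapphire_projection():
    """Time to 90% infection under the slide's 8.5 s doubling time and a
    75,000-host vulnerable population, starting from one infected host."""
    return time_to_fraction(0.9, 8.5, 75_000)


if __name__ == "__main__":
    t90 = sapphire_projection()
    print(f"model: 90% of 75,000 hosts infected after {t90:.0f} s ({t90 / 60:.1f} min)")
    for t in (30, 60, 120, 180, 300, 600):
        print(f"  t={t:4d}s  infected={infected_at(t, 8.5, 75_000):8.0f}")
```

The projection comes out at roughly 165 seconds, comfortably inside the "within 10 mins" the slide reports, and the table shows the whole population saturated long before a human could read an alert, which is the operational meaning of a zero-day worm on the previous slide.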

DDoS Attacks
• Overwhelm server and/or network links
  – Purpose: Extortion, revenge, “kill” competition
  – Typical target is web server(s)
  – Try to consume all resources (BW, disk space, CPU)
• Simple: same req. for large images/complex action
  – Might be able to create packet filter to block
  – Might also be able to block source subnets
  – Have to put filters into the network (at upstream ISPs)
• Complex: Vary requests, rate, zombie set
  – Harder to create packet filter (esp. if requests look “real”)
  – Rotating set makes source subnet blocks hard
  – Only choice may be to add more and more HW and BW
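The slide contrasts a "simple" flood (one identical request for a large object, repeated) with a "complex" one (varied requests from a rotating zombie set) and says the first can be filtered while the second mostly cannot. The Python below is an added example, not from the lecture, that makes that contrast concrete on the defender's side: it parses Common Log Format access-log lines, flags sources that repeat the same large request, and collapses them into the subnet filters the slide says must be handed to upstream ISPs. The log lines are constructed for the example and use RFC 5737 documentation addresses; the thresholds (5 repeats, 1 MB) are this example's assumptions, not values from the slide.

```python
"""Triage of web-server access logs for the two DDoS shapes on the slide:
the 'simple' flood (the same request for a large object, over and over,
from a fixed set of zombies) and the 'complex' one (varied requests from a
rotating set). Log lines are constructed for the example, using RFC 5737
documentation addresses."""
import ipaddress
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# Apache/NCSA Common Log Format
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


class Record(NamedTuple):
    src: str
    ts: str
    method: str
    path: str
    status: int
    size: int


def parse_log(text: str):
    """Parse CLF lines; lines that do not match are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        records.append(Record(m["src"], m["ts"], m["method"], m["path"],
                              int(m["status"]), size))
    return records


def simple_flood_sources(records, min_repeats=5, min_bytes=1_000_000):
    """Sources repeating one identical request for a large object.
    Returns {src: (path, count)} for the most-repeated large request per source."""
    per_src = defaultdict(Counter)
    for r in records:
        if r.size >= min_bytes:
            per_src[r.src][(r.method, r.path)] += 1
    flagged = {}
    for src, reqs in per_src.items():
        (_method, path), count = reqs.most_common(1)[0]
        if count >= min_repeats:
            flagged[src] = (path, count)
    return flagged


def subnet_blocks(sources, prefixlen=24):
    """Collapse flagged sources into subnets an upstream ISP could filter on."""
    nets = {str(ipaddress.ip_network(f"{s}/{prefixlen}", strict=False)) for s in sources}
    return sorted(nets)


def _line(src, sec, path, size):
    return f'{src} - - [08/May/2006:10:00:{sec:02d} -0700] "GET {path} HTTP/1.0" 200 {size}'


# Constructed sample: one normal visitor, two zombies hammering a 2 MB image,
# and five rotating zombies each fetching something different.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", 0, "/", 5120),
     _line("10.0.0.5", 4, "/about.html", 3072),
     _line("10.0.0.5", 9, "/images/big.jpg", 2_048_000)]
    + [_line("198.51.100.7", s, "/images/big.jpg", 2_048_000) for s in range(1, 7)]
    + [_line("198.51.100.9", s, "/images/big.jpg", 2_048_000) for s in range(2, 7)]
    + [_line(f"203.0.113.{10 + i}", 3 + i, f"/search?q={q}", 2_048_000)
       for i, q in enumerate("abcde")]
)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    flagged = simple_flood_sources(recs)
    print("simple-flood sources:", flagged)
    print("candidate subnet blocks:", subnet_blocks(flagged))
    rotating = [r for r in recs if r.src.startswith("203.0.113.")]
    print("rotating/varied zombies caught:", simple_flood_sources(rotating))
```

The two fixed zombies are caught and fold into a single /24 to filter; the normal visitor who fetched the same image once is not. The five rotating sources, each sending one plausible-looking search, produce an empty result, which is the slide's point: once requests vary and the zombie set rotates, per-source repetition counting stops working and the remaining options are capacity.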

Toxbot Trojan (Oct 10, 2005)
• Three Dutch crackers (19, 22, and 27)
• Used Toxbot Trojan (aka Codbot) to infect machines
  – Installed adware and spyware on users’ machines
  – Conducted DDoS attack against a US company for extortion (pay or crash your site)
  – Conducted phishing attacks to hijack PayPal and eBay accounts, then bought goods with accounts
• Estimated network size of 100K
• Investigators later discovered true size (>1.5M!)

Honeypots
• Distributed Intrusion Detection Systems
• Closely monitored network decoys
  – Simulates one or more network services (or machines) on one or more machines
  – Causes an attacker to think you're running vulnerable services
• Uses:
  – May distract adversaries from more valuable machines on a network
  – May provide early warning about new attack and exploitation trends (use to create new firewall rules)
  – May enable in-depth examination of adversaries during and after exploitation (log everything!)

Microsoft Decoy Zombie
• Intentionally infected a machine with zombie code
• Within 20 days:
  – PC received > 5 million connections!
  – Tried to send 18 million spam e-mails containing ads for 13,000 unique domains!
• October 27, 2005: filed 13 “John Doe” lawsuits against spammers
  – Enables them to subpoena ISPs and domain registrars for identities

Tarpits
• A very, very sticky honeypot…
  – Network decoy: lets connections in, delays them
  – Slow down scanning tools/worms to kill their performance/propagation because they rely on quick turnarounds
  – Might also give us time to protect real hosts
• Example Implementation:
  – Accept any incoming TCP connection
  – When data transfer begins to occur, set TCP window size to zero, so no data can be transferred within the session
  – Hold the connection open, and ignore any requests by remote side to close session
  – Attacker must wait for the connection to timeout in order to disconnect
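The "Example Implementation" steps above describe what a kernel-level tarpit such as LaBrea does with forged segments. The Python below is an added example, not from the lecture, that gets the same effect from ordinary sockets: it accepts every connection, never reads from it and never closes it, so the accepted socket's (deliberately small) receive buffer fills with whatever the scanner sends and the kernel advertises a zero window from then on; the peer is left in persist-timer limbo until its own timeout. The probe() function plays the scanner's side so the behaviour can be observed on the loopback interface. The buffer size, port and request bytes are this example's assumptions, and note that the kernel enforces its own minimum receive buffer, so the first few bytes always get through before the window closes.

```python
"""Userspace approximation of the tarpit on the slide. A real tarpit (e.g.
LaBrea) forges the TCP handshake and advertises a zero window from the first
data segment, which needs raw-packet access; here we lean on the kernel
instead: accept every connection, never read from it and never close it.
The connection's small receive buffer fills with whatever the peer sends,
the kernel then advertises a zero window, and the peer sits in persist-timer
limbo until its own timeout. Added example, not from the lecture."""
import socket
import threading
import time


def start_tarpit(host="127.0.0.1", port=0, rcvbuf=1024):
    """Listen on (host, port); return (listening_socket, held_connections).
    port=0 lets the OS pick a free port (read it back with getsockname())."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # Set on the listener so accepted sockets inherit it and start with a
    # small advertised window (the kernel clamps this to its own minimum).
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf)
    srv.bind((host, port))
    srv.listen(128)

    held = []  # accepted connections we deliberately never read or close

    def accept_loop():
        while True:
            try:
                conn, _peer = srv.accept()
            except OSError:       # listener closed: shut down quietly
                return
            # No recv(), no send(), no close(): the peer's FIN, if it gives
            # up, is never answered with our own close either.
            held.append(conn)

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, held


def probe(port, host="127.0.0.1", timeout=0.5):
    """What a scanner sees: connect, send a request, wait for an answer.
    Returns a dict describing the outcome."""
    result = {"connected": False, "reply": None, "closed_by_server": False}
    with socket.create_connection((host, port), timeout=timeout) as c:
        result["connected"] = True
        c.sendall(b"GET / HTTP/1.0\r\n\r\n")   # constructed request bytes
        try:
            data = c.recv(1024)
            if data == b"":
                result["closed_by_server"] = True
            else:
                result["reply"] = data
        except socket.timeout:
            pass                  # held open, nothing came back: the tarpit worked
    return result


def wait_for_held(held, n, timeout=2.0):
    """Wait until the tarpit has accepted n connections (for the demo)."""
    deadline = time.monotonic() + timeout
    while len(held) < n and time.monotonic() < deadline:
        time.sleep(0.01)
    return len(held) >= n


if __name__ == "__main__":
    srv, held = start_tarpit()
    p = srv.getsockname()[1]
    print("probe result:", probe(p))
    wait_for_held(held, 1)
    print("connections held open by tarpit:", len(held))
    srv.close()
```

A scanner or worm that expects a quick banner or error gets neither: the connect succeeds, the request is accepted, and then nothing happens until the scanner's own timer expires, which is exactly the "quick turnaround" the slide says such tools depend on.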

Witty Worm (Mar 04): Attacking the IDS
• Targeted a buffer overflow vulnerability in several of a vendor’s IDS products
  – Deletes randomly chosen sectors of hard drives over time, killing system
  – Payload contained: “(^.^) insert witty message here (^.^)”
• Infected ~12,000 systems within 45 minutes
• Witty’s Many Firsts
  – First widely propagated Internet worm with a destructive payload
  – First worm with order of magnitude larger hit list than any previous worm
  – Shortest known interval between vulnerability disclosure and worm release – 1 day
  – First to spread through nodes doing something proactive to secure their computers / networks
  – Spread through a population almost an order of magnitude smaller than that of previous worms

Conclusions
• Worms/Viruses are a critical threat
  – Threat is zero-day attacks
• Cracker motivation has shifted from prestige to profit
  – Creation and rental of massive botnets
• Many Cyber Critical Infrastructure vulnerabilities
  – May take a decade to fix
• Can use Honeypots/Tarpits for distributed detection and attack prevention
• Even IDS and IPS systems are vulnerable
• Let’s thank the TAs and the camera operator!
