CSF 2022 Web attacks

Cyber Security Fundamentals (M) & (H): Web attacks
Glasgow, 24th January 2022.
, School of Computing Science, University of Glasgow, Scotland. http://www.mariaevangelopoulou.com/


Structure of Lectures
Sections that will be covered:
Cyber Security Basic background, Look into networking,
Cyber Attacks and defence,
Web applications’ vulnerabilities, Trending in Cyber,
Penetration testing & Digital Forensics. Guest lectures to be confirmed.
CSF 2022 Web attacks

Lecturer’s instructions
When you see the red sign in a slide it means that you must not use anything described in the specific slide without the necessary authorisation. The lecturer of this course will not be responsible for any misuse.
When you see the green sign in a slide it means that you can use anything described in the specific slide on your own.

➢ Some tools need special permissions in order to run them in a secure manner without violating any laws!!!
➢ Because of this we have created these signs to indicate to you which tools are ok to be used and which are not!
➢ This is one of the most important slides: if you don’t follow this rule it can have a serious impact on you, so please don’t use anything under the banner of the red (first) sign.

Web attacks; is this a real threat?
@bbc.co.uk

➢ Hackers massacred all the virtual characters in several of the online adventure game World of Warcraft’s major cities in 2012, after an exploit was discovered and used. More than 10 million subscribers played WoW at the time. In 2010 a player initiated a DDoS attack so that other players could not log in.
➢ A series of gaming servers were brought down in 2013 and 2014 by Mr. Thompson. Games like Overwatch and Battlefield became unavailable to players. The accused pleaded guilty in 2018.
➢ Read more information from articles.

@telegraph.co.uk

➢ This attack was initiated by competitors: they paid a certain amount of money to bring down their rivals. This was how Mirai, a well-known botnet, came to life.
➢ Read article for more details.

@ncsc.gov.uk

➢ All the trouble was caused by a simple misconfiguration of the app, which left sensitive details exposed because they could be accessed by hackers. The choice of the “everyone and every user” policy was the main misunderstanding that caused this issue.
➢ Read the article for more details.

@bbc.co.uk

➢ This is a type of phishing email. An email was sent, supposedly from a school admin office, informing parents that cryptocurrency was now accepted for tuition fees. It urged the parents to pay with cryptocurrency and offered them a 25% discount if they paid the remainder of their fees by the 29th of December.
➢ Read the article for extra information.

@thehackernews.com

➢ A widely used third-party NodeJS module with nearly 2 million downloads a week was compromised after it was infected with malicious code programmed to steal funds stored in Bitcoin wallet apps. The attackers made important contributions to the code so they would be seen as valuable contributors, and once given access they inserted the malicious code into the files.
➢ Stolen databases from LinkedIn, Dropbox and other high-profile services were put up for sale by Tessa 88. More than half a billion usernames and passwords were obtained and used in phishing, account takeovers and more. Another person was also involved; it is clear that they were both responsible for selling the stolen databases but not for the actual act of hacking, which still remains unsolved.
➢ TalkTalk hack: and , 21, were sentenced on Monday to 12 months and 8 months in prison respectively, after they admitted charges relating to the massive breach that cost TalkTalk £77 million in losses. More teenagers were identified as they were trying to extort money from the company.
➢ Read the articles for more details. TheHackerNews is a good source of cyber security news.

List of Web attacks for today…
➢ Phishing attacks
➢ DDOS & DOS

Phishing attacks…
➢ How do we recognise that an email might be a phishing email?
➢ What should we do?
➢ What will happen afterwards?
➢ What are the different types of phishing?
➢ Any defence mechanisms?

Notes (1/2)
1) How do we recognise that an email might be a phishing email? Grammar mistakes or odd language; unusual or unexpected requests; urging the recipient to click a link, log in or make a payment; asking for personal details; attachments that claim to be encrypted.
2) What should we do? Report the suspicious email to the information security team of our organisation. Inform other team members so they are aware of the email.
3) The information risk team analyses the email:
1) Sender domain
2) Sender IP address
3) Analyse the attachment
4) Analyse the URL
5) Block the IP, URL and sender
6) Identify how many users received it
7) Identify how many users might have clicked
8) Contact the affected users (take their machines off the network and clean them)
9) Remove the email from the users’ machines
10) Contact users to inform them of the malicious email

Notes (2/2)
4) Types of phishing: spear phishing, clone phishing, whaling, smishing.
Clone phishing is a type of phishing attack whereby a legitimate, previously delivered email containing an attachment or link has had its content and recipient address taken and used to create an almost identical, cloned email. The goal is to replace the attachment or link within the email with a malicious version and, by spoofing the IP address, make it seem that the email comes from the original sender. The malicious entity might claim this is an updated version of the email or that it was simply resent.
Spear phishing is a targeted phishing email that is so detailed that it is hard to believe the sender (the malicious entity) is not who they claim to be. It contains very specific details, such as meetings the recipient has attended, their full name, their schedule and so on.
Whaling is a type of spear phishing directed specifically at senior executives and other high-profile targets. Why is whaling dangerous? Because the target is high profile, which means that if the attack succeeds the malicious entity gains more access rights than a normal user would have (attackers always chase admin rights) plus access to more important information.
Smishing is phishing carried out through text messages.
5) Defences: an email filter (IronPort, now owned by Cisco), an email firewall that analyses incoming email attachments, and a URL filter (Blue Coat, now owned by Symantec) to block URLs.

Phishing example
@infosecinstitute.com

➢ In the above example you can see that the email address (domain) is not legitimate for Amazon, as it is @mazoncanada.ca.
➢ The greeting is quite generic. There are grammar mistakes.
➢ It urges you to click a link and reply; by hovering over the link you can notice that the link is not what it claims to be.

Phishing example
@zdnet.com

➢ In this example you can notice the amount of detail and how serious the email is; an example of spear phishing.

Phishing examination?

➢ This is an example of how you can identify the IP address of the sender. It depends on the mail provider you are using. In this example you open the email and there is a small folder (message details). By clicking you can see details of the email and can start your investigation.
➢Try it with one of your emails and see what details you can extract.
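The analysis steps in the notes (sender domain, sender IP from the Received headers, links and attachments, then the block list) and the two checks from the Amazon example (lookalike domain, link text that does not match the real destination) can be scripted. The following is an added example written for these notes, not code from the lecture: it parses a constructed sample message with Python's standard `email` library. The message, its addresses, the "display name vs. sender domain" heuristic and the urgency keyword list are all assumptions chosen to mirror the examples above.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not a real email): a lookalike "Amazon" sender, a relay
# chain with two hops, and one link whose visible text differs from its real target.
RAW_MESSAGE = b"""Received: from mail.example.net (mail.example.net [203.0.113.9])
\tby mx.ourcompany.example (Postfix) with ESMTP id ABC123
\tfor <student@ourcompany.example>; Mon, 24 Jan 2022 10:00:00 +0000
Received: from sender-host (unknown [198.51.100.77])
\tby mail.example.net with ESMTP id XYZ789
From: "Amazon Customer Service" <support@mazoncanada.ca>
To: student@ourcompany.example
Subject: Urgent: confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, your account will be suspend. Please verify imediately.</p>
<p><a href="http://198.51.100.77/login">https://www.amazon.ca/account</a></p>
<p><a href="https://www.amazon.ca/help">https://www.amazon.ca/help</a></p>
</body></html>
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
URGENCY = ("urgent", "immediately", "suspend", "verify", "confirm", "payment")  # assumed word list


def relay_ips(msg):
    """IPs from the Received headers, top (the hop closest to us) to bottom (the origin)."""
    ips = []
    for header in msg.get_all("Received", []):
        ips.extend(IPV4.findall(str(header)))
    return ips


def link_mismatches(html):
    """Links whose visible text names a different host than the href really points to."""
    mismatches = []
    for href, text in ANCHOR.findall(html):
        real_host = urlparse(href).hostname
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = urlparse(shown).hostname if shown.startswith(("http://", "https://")) else None
        if shown_host and real_host and shown_host != real_host:
            mismatches.append((shown, href))
    return mismatches


def triage(raw):
    """Extract the artefacts an investigator would pull from a suspicious email."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    name, address = sender.display_name, sender.addr_spec
    domain = address.rsplit("@", 1)[-1].lower()
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    ips = relay_ips(msg)
    mismatches = link_mismatches(body)
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    text = f"{msg['Subject']} {body}".lower()

    indicators = []
    # Heuristic: a display name that mentions a brand absent from the sender's domain.
    words = [w for w in re.findall(r"[a-z]+", name.lower()) if len(w) >= 4]
    if words and not any(w in domain for w in words):
        indicators.append(f"display name '{name}' does not match sender domain '{domain}'")
    for shown, href in mismatches:
        indicators.append(f"link text '{shown}' points to '{href}'")
    hits = [w for w in URGENCY if w in text]
    if hits:
        indicators.append("urgency/pressure wording: " + ", ".join(hits))
    if attachments:
        indicators.append("attachments to detonate in a sandbox: " + ", ".join(attachments))

    return {
        "sender_domain": domain,
        "originating_ip": ips[-1] if ips else None,   # earliest hop = the sender's IP
        "relay_ips": ips,
        "mismatched_links": mismatches,
        "attachments": attachments,
        "indicators": indicators,
        # Step 5 of the notes: what goes to the mail filter / URL filter block lists.
        "block_list": {"senders": [address], "ips": ips[-1:], "urls": [h for _, h in mismatches]},
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Only the last Received header (the earliest hop) is trusted as the origin here; headers above it were added by relays you control, and anything below the first relay you own could have been forged by the sender, which is why the tool prints the whole chain rather than a single IP.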

Useful online tools for identifying malicious actors
➢ https://urlscan.io/
➢ https://app.any.run/
➢ https://checkphish.ai/
➢ https://www.hybrid-analysis.com/

➢ The links above are free online tools that someone can use for a phishing investigation without needing their own sandbox environment to carry out the analysis. The first two tools are really detailed and give more insight than the other two.
➢ You can check both URLs and attachments contained in an email. Once submitted, they are run in the tool’s isolated environment and details of any malware or malicious background processes are reported.
➢ This is something you can explore on your own.

DDOS & DOS
➢ What is the purpose of a Denial of Service attack?
➢ What is the difference between DoS and DDoS?
➢ Most common types of attacks:
UDP Flood, ICMP (Ping) Flood, SYN Flood, NTP Amplification, Ping of Death, Smurf attack, HTTP Flood.

➢ Denial of Service attempts to degrade or halt activity on a host or network. How can this be achieved? By monopolising resources: host resources such as memory or network bandwidth, or by simply causing the host to crash.
➢ What is the difference between DDoS and DoS? A DDoS attack is launched from numerous compromised devices, often distributed globally, in what is referred to as a botnet, occasionally called a “zombie army”: a group of hijacked Internet-connected devices, each injected with malware used to control it from a remote location (C&C or C2, command-and-control servers) without the knowledge of the device’s rightful owner. Basically, computing resources that attackers (botmasters) can use for malicious purposes. One device can be compromised by several perpetrators at the same time, each of which may be using the device for a different type of attack. Bots can communicate and form a P2P network between them, which means that an attack can have multiple origins and be controlled by multiple individuals. Botnets are available for hire and can be really cheap, from $5 per hour to a monthly deal of around $40.
➢ Denial of service (DoS) attacks use a single Internet-connected device (one network connection) to flood a target with malicious traffic. This means it needs to be a powerful device with access to lots of bandwidth in order to have the desired effect.

➢ UDP packets (no size restrictions and no handshake) → the host looks for the relevant application, finds none, and sends an ICMP “Destination unreachable” message (volume-based attack).
➢ To anonymise the attack, the attacker can spoof the source IP address so that the ICMP replies never reach the attacker’s own host.
➢ Mitigation: limiting ICMP responses, firewall rules that block malicious UDP packets, deep packet inspection.

Notes (1/2)
➢ Three types of attacks depending on the goal. Volume-based attacks, like UDP floods, ICMP floods and other spoofed-packet floods, try to saturate the bandwidth of the attacked site; their magnitude is measured in bits per second (bps). Protocol attacks, such as SYN floods, fragmented-packet attacks, Ping of Death and Smurf DDoS, consume actual server resources, or those of intermediate communication equipment such as firewalls and load balancers; they are measured in packets per second (pps). Application-layer attacks, like GET/POST floods, are comprised of seemingly legitimate and innocent requests that try to crash the web server; they are measured in requests per second (rps).
➢ UDP flood (DoS) → the attacker overwhelms random ports on the targeted host with IP packets containing UDP datagrams. The receiving host checks for applications associated with these datagrams and, as there is no associated application, sends back an ICMP “Destination Unreachable” packet. As more and more UDP packets are received and answered, the system becomes overwhelmed and unresponsive to other clients. The attacker may spoof the source IP address of the packets in order to anonymise the attack. UDP Unicorn is one of the available software packages for performing a UDP flood attack.

Notes (2/2)
➢ Why is a UDP flood so easy to mount? Because UDP is a connectionless protocol which does not require any kind of handshake, unlike TCP. UDP also does not check its traffic, since the applications that use it can maintain acceptable quality despite packet loss. However, these same properties also make UDP more vulnerable to abuse. This makes UDP flood attacks highly effective and also easy to execute with relatively few resources.
➢ Mitigation? Limiting the rate of ICMP responses, but this can have an impact on legitimate traffic. Use of firewalls in order to filter out or block malicious UDP packets; however, modern high-volume attacks can simply overwhelm firewalls. This is why there are now mechanisms that balance the attack load across equipment while it undergoes deep packet inspection.

ICMP (Ping) Flood
➢ Flooding with ICMP requests. Ping requests → used to test connectivity (volume-based attack).
➢ Useful ping options (Windows ping): -n → number of requests sent, -l → amount of data within each packet, -t → keep sending until the host times out. In a DoS the attacker needs to have a lot more bandwidth than the victim.
➢ Mitigation: firewall rules that do not allow pings; limiting the size and rate of ping requests.

➢ Ping flood (ICMP flood) → DoS attack: the attacker takes down a victim’s computer by overwhelming it with ICMP echo requests, also known as pings. Ping requests are used to test the connectivity of two computers by measuring the round-trip time from when an ICMP echo request is sent to when an ICMP echo reply is received. The number of ping requests equals the number of responses. This puts a strain on the incoming and outgoing channels and consumes significant bandwidth, leading to a DoS. But the attacker must have more bandwidth than the victim, so for bigger targets a DDoS using botnets is preferable.
➢ Executing a ping flood depends on the attacker knowing the IP address of their target. Attacks can therefore be broken down into three categories, based on the target and how its IP address is resolved. There are a number of ping options that can be used to facilitate an attack, including: 1) the -n option, which specifies the number of times a request is sent; 2) the -l option, which specifies the amount of data sent with each packet; 3) the -t option, which continues pinging until the host times out.
➢ Mitigation: 1) a firewall that disallows pings will block attacks originating from outside your network but not internal ones. 2) Limiting the size of ping requests as well as the rate at which they are accepted.

SYN Flood
➢ Mitigation: RST and SYN cookies, stack settings, microblocks (protocol-based attack).
@incapsula.com

Notes (1/2)
➢ SYN flood (DDoS): exploits part of the TCP three-way handshake to consume resources on the targeted server and render it unresponsive. In general, the attacker sends TCP connection requests faster than the targeted machine can process them, causing network saturation.
➢ More specifically, the attacker sends repeated SYN packets to every port on the targeted server (possibly from a fake IP address). The server responds to each attempt with a SYN-ACK packet from each open port. The malicious client either does not send the expected ACK or never receives the SYN-ACK (spoofed IP). The server waits for the acknowledgement (reply) for some time and cannot close the connection by sending an RST packet, so the connection stays open. Before the connection can time out, another SYN packet arrives. This leaves an increasingly large number of connections half-open, which is why these attacks are also known as “half-open” attacks. Eventually, as the server’s connection table overflows, service to legitimate clients is denied and the server may even malfunction or crash.

Notes (2/2)
➢ Mitigation: 1) microblocks → only a small part of memory is allocated for every SYN request. 2) SYN cookies → the SYN-ACK response carries a sequence number computed from the client IP address, port number and possibly other unique identifying information. The client must echo this hash value in its ACK so the server can verify the host is legitimate before allocating memory for the connection. 3) RST cookies → the server intentionally sends an invalid SYN-ACK. This should result in the client generating an RST packet, which tells the server something is wrong. If this is received, the server knows the request is legitimate and accepts subsequent incoming connections from it. 4) Stack tweaking → reducing the timeout until a stack frees the memory allocated to a connection, or selectively dropping incoming connections. However, all of these measures still require the target network to be able to absorb a large-volume attack.
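The SYN-cookie idea above is easiest to see by modelling both kinds of server. The block below is an added example written for these notes, not code from the lecture or from any real TCP stack: it is a simplified model in which the server's initial sequence number is a keyed hash of the connection 4-tuple plus a slowly changing counter, and the client's ACK is checked by recomputing that hash instead of looking up stored state. The secret key, the bit layout of the cookie and the traffic are all constructed assumptions; real implementations also encode the client's MSS in the cookie.

```python
import hashlib
import hmac
import random
import struct
from collections import namedtuple

# Simplified model: top 5 bits of the 32-bit ISN hold a slow counter (real stacks
# use a timestamp), the low 27 bits hold a keyed hash of the connection 4-tuple.
Conn = namedtuple("Conn", "src_ip src_port dst_ip dst_port")
SECRET = b"constructed-server-secret"   # on a real host: random and rotated
MASK32 = 0xFFFFFFFF


def syn_cookie(conn, counter):
    """ISN the server places in its SYN-ACK. It is derived, not stored, so no memory is tied up."""
    msg = f"{conn.src_ip}:{conn.src_port}>{conn.dst_ip}:{conn.dst_port}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    h = struct.unpack(">I", digest[:4])[0] & 0x07FFFFFF
    return ((counter & 0x1F) << 27) | h


def validate_ack(conn, ack_number, now_counter, max_age=1):
    """A genuine client acknowledges ISN + 1; recompute the cookie for the current and recent windows."""
    isn = (ack_number - 1) & MASK32
    issued = isn >> 27
    for age in range(max_age + 1):
        counter = now_counter - age
        if (counter & 0x1F) == issued and syn_cookie(conn, counter) == isn:
            return True
    return False


class StatefulServer:
    """Classic handshake: a backlog entry is allocated on every SYN and lives until ACK or timeout."""
    def __init__(self):
        self.half_open = {}

    def on_syn(self, conn):
        isn = random.getrandbits(32)
        self.half_open[conn] = isn          # memory consumed before the client proves anything
        return isn

    def on_ack(self, conn, ack_number):
        isn = self.half_open.pop(conn, None)
        return isn is not None and ack_number == (isn + 1) & MASK32


class CookieServer:
    """SYN-cookie handshake: no state for half-open connections; memory is allocated only after a valid ACK."""
    def __init__(self):
        self.established = set()

    def on_syn(self, conn, counter):
        return syn_cookie(conn, counter)    # nothing stored

    def on_ack(self, conn, ack_number, counter):
        if validate_ack(conn, ack_number, counter):
            self.established.add(conn)
            return True
        return False


def simulate(n_spoofed=1000):
    """n spoofed SYNs that are never acknowledged, then one legitimate handshake and one forged ACK."""
    stateful, cookie = StatefulServer(), CookieServer()
    server = ("192.0.2.10", 80)
    for i in range(n_spoofed):              # spoofed sources: SYN-ACKs go nowhere, ACKs never arrive
        spoofed = Conn(f"198.51.100.{i % 250}", 1024 + i, *server)
        stateful.on_syn(spoofed)
        cookie.on_syn(spoofed, counter=7)
    legit = Conn("203.0.113.5", 40000, *server)
    isn_stateful = stateful.on_syn(legit)
    isn_cookie = cookie.on_syn(legit, counter=7)
    ok_stateful = stateful.on_ack(legit, (isn_stateful + 1) & MASK32)
    ok_cookie = cookie.on_ack(legit, (isn_cookie + 1) & MASK32, counter=8)   # ACK lands in the next window
    forged = cookie.on_ack(legit, 0x12345678, counter=8)                     # guessed ACK without a SYN-ACK
    return {
        "stateful_half_open": len(stateful.half_open),   # the spoofed entries are still there
        "cookie_established": len(cookie.established),
        "stateful_ok": ok_stateful,
        "cookie_ok": ok_cookie,
        "forged_ok": forged,
    }


if __name__ == "__main__":
    print(simulate())
```

The trade-off the notes mention is visible in `validate_ack`: the server only recognises cookies from the last couple of counter windows, so a legitimate client whose ACK is delayed too long is refused, and because the cookie has no room for arbitrary TCP options, anything not encoded in it is lost for that connection.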

NTP Amplification
➢ Use of the Network Time Protocol, which is responsible for clock synchronisation (protocol-based attack). Older versions also keep a traffic count and the list of the last 600 hosts that connected to the server.
➢ Amplification → the reply is considerably bigger than the request; reflection attack → the source IP address is spoofed to be the victim, so the reply is sent to the victim.
➢ Mitigation: traffic filtering and enhanced network infrastructure; disable monlist requests.

➢ NTP amplification → DDoS attack; attacker exploits Network Time Protocol (NTP) servers to overwhelm the target with User Datagram Protocol (UDP) traffic. Network Time Protocol (NTP) is one of the oldest network protocols, and is used by Internet-connected machines to synchronize their clocks. In addition to clock synchronization, older versions of NTP support a monitoring service that enables administrators to query a given NTP server for a traffic count. This command, called “monlist,” sends the requester a list of the last 600 hosts that connected to the queried server. In the most basic type of NTP amplification attack, an attacker repeatedly sends the “get monlist” request to an NTP server, while spoofing the requesting server’s IP address to that of the victim server. The NTP server responds by sending the list to the spoofed IP address. This response is considerably larger than the request, amplifying the amount of traffic directed at the target server and ultimately leading to a degradation of service for legitimate requests.
➢ NTP amplification is also a reflection attack. Reflection attacks involve eliciting a response from a server to a spoofed IP address.
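The three flood types described in the UDP, ICMP and NTP notes leave different fingerprints in traffic logs: many UDP datagrams to many different ports from one source, a burst of ICMP echo requests, and large UDP replies from port 123 that the victim never asked for. The block below is an added example written for these notes (not code from the lecture or from any product): it runs simple per-second threshold rules over a constructed set of packet summaries. The `Packet` record format, the thresholds and all addresses are assumptions; a real deployment would read NetFlow or pcap data instead.

```python
from collections import defaultdict, namedtuple

# Constructed packet summary, the kind of fields a flow exporter would give us.
Packet = namedtuple("Packet", "ts src dst proto sport dport length")
OUR_IP = "192.0.2.10"                       # the host we are defending (assumed)
UDP_PPS, UDP_DISTINCT_PORTS = 100, 50       # assumed thresholds per source per second
ICMP_PPS = 100
NTP_REPLIES = 10


def build_sample_traffic():
    """Constructed capture: normal DNS and NTP, then a UDP flood, an ICMP flood and reflected NTP."""
    pkts = []
    for i in range(20):                                      # 20 legitimate DNS queries and replies
        t = 1.0 + i * 0.04
        pkts.append(Packet(t, OUR_IP, "192.0.2.53", "udp", 50000 + i, 53, 70))
        pkts.append(Packet(t + 0.01, "192.0.2.53", OUR_IP, "udp", 53, 50000 + i, 120))
    pkts.append(Packet(1.5, OUR_IP, "192.0.2.50", "udp", 123, 123, 76))   # our own NTP request
    pkts.append(Packet(1.52, "192.0.2.50", OUR_IP, "udp", 123, 123, 76))  # and its reply
    for i in range(300):                                     # UDP flood: 300 datagrams to random ports
        pkts.append(Packet(2.0 + i / 300, "198.51.100.7", OUR_IP, "udp", 40000, 1024 + (i * 37) % 60000, 60))
    for i in range(200):                                     # ICMP echo flood
        pkts.append(Packet(2.0 + i / 200, "203.0.113.4", OUR_IP, "icmp-echo-request", 0, 0, 84))
    for i in range(50):                                      # reflected NTP replies we never requested
        pkts.append(Packet(2.0 + i / 50, "198.51.100.123", OUR_IP, "udp", 123, 123, 482))
    return sorted(pkts, key=lambda p: p.ts)


def detect(pkts, our_ip=OUR_IP):
    """Return one alert per (kind, source) found in a time-ordered list of packets."""
    udp = defaultdict(lambda: [0, set()])          # (second, src) -> [datagrams, distinct dst ports]
    icmp = defaultdict(int)                         # (second, src) -> echo requests
    ntp_servers_queried = set()                     # NTP servers we actually sent requests to
    ntp_unsolicited = defaultdict(lambda: [0, 0])   # src -> [replies, bytes]
    for p in pkts:
        sec = int(p.ts)
        if p.src == our_ip and p.proto == "udp" and p.dport == 123:
            ntp_servers_queried.add(p.dst)
        if p.dst != our_ip:
            continue
        if p.proto == "udp":
            entry = udp[(sec, p.src)]
            entry[0] += 1
            entry[1].add(p.dport)
            if p.sport == 123 and p.src not in ntp_servers_queried:   # reply without a request
                ntp_unsolicited[p.src][0] += 1
                ntp_unsolicited[p.src][1] += p.length
        elif p.proto == "icmp-echo-request":
            icmp[(sec, p.src)] += 1

    alerts = []
    for (sec, src), (count, ports) in udp.items():
        if count >= UDP_PPS and len(ports) >= UDP_DISTINCT_PORTS:
            alerts.append({"kind": "udp_flood", "src": src, "second": sec,
                           "datagrams": count, "distinct_ports": len(ports)})
    for (sec, src), count in icmp.items():
        if count >= ICMP_PPS:
            alerts.append({"kind": "icmp_flood", "src": src, "second": sec, "echo_requests": count})
    for src, (count, nbytes) in ntp_unsolicited.items():
        if count >= NTP_REPLIES:
            alerts.append({"kind": "ntp_reflection", "src": src, "replies": count, "bytes": nbytes})
    return sorted(alerts, key=lambda a: (a["kind"], a["src"]))


if __name__ == "__main__":
    for alert in detect(build_sample_traffic()):
        print(alert)
```

The reflection rule is the one worth noting: for a spoofed-source attack the "attacker" address in the alert is the abused NTP server, not the real originator, so the response is to filter port-123 replies you did not solicit and to tell that server's operator to disable monlist, not to treat the server itself as hostile.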

Ping of Death
➢ Use of malformed or oversized packets, normally sent in fragments (protocol-based attack). Works mostly on unpatched machines.
➢ Remember: a correctly formed IPv4 packet is at most 65,535 bytes, while a normal ping packet is 84 bytes.
➢ Mitigation: firewall block and blocking of fragmented ping requests.

➢ Ping of Death (PoD) → the attacker attempts to crash, destabilise or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command. This type of attack exploits legacy weaknesses but is still relevant to unpatched systems. The size of a correctly formed IPv4 packet, including the IP header, is 65,535 bytes. Since sending a ping packet larger than 65,535 bytes violates the Internet Protocol, attackers would generally send malformed packets in fragments. When the target system attempts to reassemble the fragments and ends up with an oversized packet, a memory overflow can occur and lead to various system problems, including a crash.
➢ Mitigation: 1) firewall block of ICMP messages. 2) Block fragmented pings while allowing normal ping traffic to pass through. 3) Identify and filter out all abnormally large packets, even if they are fragmented.
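Mitigation 3 above (spot an abnormally large packet even when it arrives in fragments) comes down to one arithmetic check performed before any fragment is buffered: header plus fragment offset plus fragment length must not exceed 65,535. The block below is an added example written for these notes, not code from the lecture or from any operating system: a small reassembly routine that drops a datagram as soon as one fragment would push it past the IPv4 limit. Fragment offsets are given in bytes for readability (on the wire they are counted in 8-byte units), the 20-byte header length is assumed, and all three sample datagrams are constructed.

```python
from collections import defaultdict, namedtuple

IPV4_MAX = 65535   # largest legal IPv4 datagram, header included
IP_HEADER = 20     # minimum header; a real stack would read the IHL field instead of assuming 20

# offset is in bytes (a multiple of 8, as on the wire); more=True means further fragments follow
Fragment = namedtuple("Fragment", "ident offset more payload")


def oversized(frag):
    """True when this fragment, placed at its offset, would push the datagram past IPV4_MAX."""
    return IP_HEADER + frag.offset + len(frag.payload) > IPV4_MAX


def reassemble(fragments):
    """Group fragments by datagram ID. Returns (complete datagrams, IDs dropped as oversized).
    The size test runs on each fragment before it is buffered, so an oversized datagram
    never occupies the reassembly buffer, which is exactly what Ping of Death relied on."""
    groups, dropped = defaultdict(list), set()
    for f in fragments:
        if oversized(f):
            dropped.add(f.ident)
        elif f.ident not in dropped:
            groups[f.ident].append(f)

    complete = {}
    for ident, frags in groups.items():
        if ident in dropped:            # an oversized fragment arrived after some were buffered
            continue
        frags.sort(key=lambda f: f.offset)
        buf, expected, last_seen = bytearray(), 0, False
        for f in frags:
            if f.offset != expected:    # gap (still waiting) or overlap (rejected): not complete
                break
            buf += f.payload
            expected += len(f.payload)
            last_seen = not f.more
        else:
            if last_seen:
                complete[ident] = bytes(buf)
    return complete, dropped


def sample_fragments():
    """Constructed traffic: a normal ping, a large but legal fragmented ping, and a PoD-shaped one."""
    frags = [Fragment(1, 0, False, b"\x08\x00" + b"A" * 62)]   # ordinary 64-byte echo request
    big = b"\x08\x00" + b"B" * 2998                             # 3000-byte echo, split for a 1500 MTU
    for off in range(0, len(big), 1480):
        frags.append(Fragment(2, off, off + 1480 < len(big), big[off:off + 1480]))
    # Final fragment at the maximum offset (8191 * 8 = 65528) carrying 40 bytes:
    # the reassembled datagram would be 20 + 65528 + 40 = 65,588 bytes.
    frags.append(Fragment(3, 0, True, b"C" * 1480))
    frags.append(Fragment(3, 65528, False, b"C" * 40))
    return frags


if __name__ == "__main__":
    complete, dropped = reassemble(sample_fragments())
    print({ident: len(data) for ident, data in complete.items()}, "dropped:", dropped)
```

The check is deliberately per fragment rather than per reassembled buffer: the historical bug was allocating a fixed 65,535-byte buffer and only discovering the overrun after copying, so the fix has to reject the fragment before its bytes are written.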

Smurf attack
➢Mitigation; firewall block & disable IP-directed broadcasts; req
