changed 5 years ago
Linked with GitHub

IT Security 2 (Ch4~Ch6)

Chapter 4: Countermeasures (應對措施)

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Countermeasures

  • 應對措施的條件:
    • General: 要能對抗各種攻擊
    • Timely: 及時有效
    • Resilient: 對evasion(逃避) techniques 有彈性
    • causing minimal DoS cost: 最小化減少server的性能, 最小化operation的中斷
    • transparent: 不用對OS, 軟硬體做修改
    • Global and local coverage: 處理外部及內部網路
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    Prevention
    • 避免感染, 避免系統產生malware
    • 困難, 因為大多來自Social Engineering
    • 網路server和client需加強防禦
    • 手段:
      • Policy: 時常修改密碼
      • Vulnerability mitigation:時常更新軟體, 適當存取資料, 減少使用者可以access的檔案, pentest(滲透測試)
      • Awareness: 教育
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    Mitigation
    • 識別malware
    • 移除來自所有infected system的traces以避免擴散
    • 封鎖
    • 提醒其他人
    • take down C&C,若在同一個network裡

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Informing and Disinfecting Victims

  • victims可以被ISP (internet service provider)通知
  • 某些ISP用walled garden techniques:
    • 使得使用者的服務使用更不方便或無法使用,直到被消毒為止

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Detecting infections with (mainly known) malware

  • On the host directly
    • 檢查signature(只能偵測到已知的malware)
  • On the local network of a host
    • 檢查網路連線是否連到可疑的port或用可疑的protocol(只能偵測到已知的bots)

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Host-based Anti-Virus Technologies

  • 通常只能檢測已知的malware (不能確定一個program是不是virus)
  • scanners:
    • 檢查簽章(對已知的virus有效)
    • 檢查code是否符合virus(例如decryption loop)
    • 檢查integrity
  • 模擬(emulation):
    • 模擬CPU執行多個instructions

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Host-based Rootkit Detection

  • scan簽章
  • 找是否有隱含rootkits的特徵
    • 截取system call, key logger與keyboard drive互動
    • 難以偵測, 因為anti-virus軟體也會截取system call
  • 比較 system scan using API calls 及 actual view of storage using instructions not using API calls
    • rootkits會修改view of storage以把自己藏起來

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Host-based Behavior Blocking Software

  • 與OS整合
  • Monitor(監控) program的行為
    • 開啟檔案
    • 格式化硬碟
    • 修改executable files
    • 修改重大系統設定
    • 送email
    • 重置網路設定
  • 即使再精細的malware也需要送出request,可以被behavior blocking software偵測

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Network-based Perimeter(周長) Scanning

  • 組織的防火牆或intrusion detection system
  • Ingres(the act of entering) moniters
    • 在企業網路的邊界
    • 用異常的簽章或行為
  • Egress(the act of going out) moniters
    • 在個人網路的border
    • 試圖抓取malware的source如檢查scanning的跡象或大量通訊
    • 可能封鎖這些行動

Techniques to detect NEW malware

  • 被感染的host: 檢測不尋常的行為, integrity檢查
  • monitoring network traffic locally
    • 檢測C&C
    • 檢測bot是否在execution phase
    • 檢測DNS traffic中不尋常的NX response(DGA-based malware)
  • honeypots

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Malware collection and analysis

  • 蒐集新的sample(Honeypots, 掃描email附檔, 分析links in spam)

  • 分析malware(runtime analysis(Sandboxing), reverse engineering)

  • make the finding available(to feed Botnet Monitoring Tools, to generate signatures for A/V products)

  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    Honeypots

    • 定義: computers act like regular vulnerable system to attract malware(假裝vulnerable以吸引malware)

    • 分類:

      • Interaction type:
        • Low-interaction: 模擬system services
          Image Not Showing Possible Reasons
          • The image file may be corrupted
          • The server hosting the image is unavailable
          • The image path is incorrect
          • The image format is not supported
          Learn More →
          容易且快速執行
          Image Not Showing Possible Reasons
          • The image file may be corrupted
          • The server hosting the image is unavailable
          • The image path is incorrect
          • The image format is not supported
          Learn More →
          容易被malware偵測,因為功能不齊全
        • High-interaction: 在full OS中執行complete functionality
          Image Not Showing Possible Reasons
          • The image file may be corrupted
          • The server hosting the image is unavailable
          • The image path is incorrect
          • The image format is not supported
          Learn More →
          Image Not Showing Possible Reasons
          • The image file may be corrupted
          • The server hosting the image is unavailable
          • The image path is incorrect
          • The image format is not supported
          Learn More →
          跟Low-interaction相反

        高度討論: 是否只用low-interaction當發現一些新的malware?

      • Character:
        • Virtual: 在VM中
        • physical: 大多數的honeypots

        取決可用的硬體資源

      • type of victim:
        • Server: 模擬web, ftp, file sharing
        • Client: 模擬電腦user, 點擊link, 瀏覽drive-by download的網站

        兩者都應該被使用, 少了一方都不能提供完整的malware行為(complete picture)

    • Honeypot機器沒有productive use(生產力)

    • Server honeypots被動

    • Client honeypots主動(collect URLs

  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    Analysis

    • 擷取資訊:
      • C&C
      • Encryption keys, 密碼
    • Static (Manual): 用reverse engineering及debugging
      較花時間, 需要分析能力
    • Dynamic (automatic):Sandbox
      Image Not Showing Possible Reasons
      • The image file may be corrupted
      • The server hosting the image is unavailable
      • The image path is incorrect
      • The image format is not supported
      Learn More →
      Sandbox
      在限制的環境下動態runtime分析
      檢查behavior
      取得C&C
      malware通常會偵測sandbox
      耗費資源(malware會執行as long as possible)

Chapter 5: Mobile Malware

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Mobile的安全機制

  • Access right通常被限制
  • 為了加強access right,通常用sandbox
    Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    • seperate applications
    • Capsulates(膠囊) access to system resouce
  • 只有簽章後的程式可以執行(可以追溯malware作者)
  • Service connection(允許OS的作者可以刪除app)
  • Appstores(第三方app可以被market operator控制)
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    Android
    • sandbox, access right
      相同作者的app可以共享資料及存取權
    • Code signing
      沒有強制central certification authority for public keys
      malware作者用不同的key就不能被追蹤

      只能偵測 unauthorized updates

    • Access rights
      早期只能all-or-none
      較新的版本可以部份選取
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    iOS
    • Code signing
      • 需要向Apple註冊public key
    • Appstore
      • 只有從Apple Appstore下載的app可以執行

      因這些限制使得使用者用 Jailbreaking

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Mobile malware and Android

  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    為何Android會吸引Malware
    • 分布廣, 市占大(large market share)
    • 不管制app發行
    • Open platform
    • update困難
      • 多個製造商
      • 使用者不更新
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    感染途徑: Download and Install
    • 使用者下載malicious app(free, new update, 從第三方取得)
    • 用vulnerability取得access right
    • Drive-by-download
      • 利用瀏覽器弱點感染手機
      • 使用者點擊link

      使用者會下載unsolicited(不請自來的) APK

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Observed Malicious Functionality

  • 有利益
    • 撥打付費電話
    • app購買
    • Spam
  • Data theft
    • 竊取資料
  • Reloading malware
    • update turns harmless app into malware
    • reload新的功能
  • Bot funtionality
    • C&C
  • Adware
    • 廣告
  • Destructive malware
  • Infection of connected computers
  • Ransomware
  • Trojan banking apps
  • Mobile crypto miners

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Comparison to Desktop Malware

  • Desktop malware:
    • 破壞性
    • 取得關注
  • 2000後
    • 專業
    • 商業
  • 現今
    • underground economy
    • 需要高技術
  • Mobile malware
    • 直接從專業, 商業開始

Chapter 6: Denial of Service Attacks

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
What is denial of service attack

  • 攻擊availability
    • A Denial of service(DoS) is an action that prevents or impairs the authorized use of networks, or applications by exhausting resources such as central processing units, bandwidth, and disk space.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
攻擊的resources分類

  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    Network bandwidth
    • 攻擊network links的capacity (如ISP連線)
    • intra-ISP能力通常較ISP連到corporate LAN能力高
    • 若ISP router收到過多的traffic,會drop packets
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    System Resource
    • overloading or crashing OS的Network handling軟體
    • Type1: 傳送耗費資源的packets
      • SYN spoofing (targets table of TCP connections on a server)
    • Type2: packets啟動bug
      • reboot機器使reload軟體
      • poison packet attack
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    Application Resources
    • 特定applications(如Web server)
    • 利用多個合法的requests,使server花費資源回覆requests
    • 稱作 cyberslam
    • 其他example: trigger server的bug
    • Flooding
      • overwhelming網路連線能力
      • 產生大量traffic (example: ICMP echo requests)
      • 容易被偵測如果source address是單一的
      • 回傳的訊息仍是大量traffic (reflected back to the source)

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Source Address Spoofing

  • 製造假的IP address (在ICMP flooding時)
  • 較難偵測
  • 沒有reflection of traffic(回傳訊息的traffic) back to real source
  • 給real source IP的reply(可能找不到IP address)加到link to target(回傳給target)

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Thwarting(阻撓) Source Address Spoofing

  • block 無效的IP packets, 在egress filter

  • 越靠近attacker's subnet越好

  • 但很多ISP不採用此filter (costly且降低performance)

  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    SYN spoofing

    • 攻擊network server回應TCP connection request
    • overflow the table of 已知TCP connection
    • 合法user的request會失敗

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Types of flooding attacks

  • 使網路overloaded
  • 使routers擁擠,packet drops
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    ICMP Floods
    • 傳統administrators允許ICMP echo request/replies到server診斷
    • 現在許多組織用firewall過濾ICMP echo request
    • attackers可能轉向其他 ICMP message type
      • 必要的通知congestions的訊息
      • 帶著部分訊息使他們變得很龐大
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    UDP Floods
    • UDP packets被導向某個port
    • (早期版本) 被導向的packets(假造的source address)可能被預設能通過
    • 若有server running service則會回應original packet data內容給假的source address
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    TCP SYN Floods
    • 用假的source address傳送TCP SYN packets
    • flood network link而不是server's system resource

Application-based bandwidth attack

  • 使目標執行resource-consuming的運算
  • 攻擊者利用此 Disproportionality(不成比例的) (簡單的query可以使application做大量運算)
    • example for two application layer protocols:
      • Session initiation protocol(SIP)
      • HTTP
    • Image Not Showing Possible Reasons
      • The image file may be corrupted
      • The server hosting the image is unavailable
      • The image path is incorrect
      • The image format is not supported
      Learn More →
      Session initiation protocol(SIP)
      • 兩種訊息: requests / responses
      • SIP INVITE 訊息建立media session
      • 攻擊者利用INVITEs訊息進行flood攻擊
    • Image Not Showing Possible Reasons
      • The image file may be corrupted
      • The server hosting the image is unavailable
      • The image path is incorrect
      • The image format is not supported
      Learn More →
      HTTP
      • 用HTTP request轟炸server
      • 下載大型檔案(使用memory, processing, transmission資源)
      • recursive (recursive link)
        也較 spidering
    • Image Not Showing Possible Reasons
      • The image file may be corrupted
      • The server hosting the image is unavailable
      • The image path is incorrect
      • The image format is not supported
      Learn More →
      Slowloris
      • 通常server有許多threads回應requests
      • 攻擊者佔用這些threads,傳送無法完成的HTTP requests
        • sends incomplete request
        • sends more header lines to keep connection alive

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Principle of Reflection Attacks

  • 攻擊者傳送假的target's address
  • server稱為 Reflector (intermediate)
  • server回應此packet並送response給target
  • 過度的 responses 會overwhelm target's network link
  • 容易deploy且難偵測
  • Ideal: 一個request有大量response(eg. DNS, SNMP, ISAKMP等)
  • server通常有high-capacity with good connection
  • eg. SYN flooding attack using reflection
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    Self-contained Loop
    • 攻擊者用 echo reflector service 和 port 7
    • target若在port 7收到response,則視為echo request,並echos back
    • 如果它們沒有filter不可能的port組合,則產生self-contained loop

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Amplification Attacks

  • 產生多個response給target
  • 送廣播的request
    • 所有的host都會回覆這個request,產生大量response

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Defense against this broadcast amplification

  • 不允許從network外的broadcast
  • 但目前沒有被廣泛採用

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
DNS Amplification Attacks

  • target: DNS server
    (reflector也是 DNS server)
  • 利用DNS protocol會轉換small request成 large response
  • 越新的DNS版本效果越好
    因為允許responses超過4000bytes (需要DNSsec的public key)

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Defenses against DoS attacks

  • 減少變成target的後果
  • 避免系統成為被利用的對象
  • 很難避免
  • 有些traffic可能是意外
  • 規定network bandwidth
  • 分散server
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    Attack prevention and preemption(搶佔)
    • backup resources
    • 加強policy
    • 修改system或protocol
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    Attack detection and filtering
    • 偵測攻擊
    • 使被攻擊的影響最小
    • 偵測可疑patterns
    • 過濾packets
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    Attack source traceback and identification
    • 識別source
    • 通常不可能快(攻擊已送出)
  • Image Not Showing Possible Reasons
    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported
    Learn More →
    Attack reaction
    • 減輕影響

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Preventive mechanisms

  • 限制傳送假的source address的packet
  • 過濾packet types(eg. ICMP, UDP)
  • 對付SYN spoofing攻擊: 用修改的TCP版本
    • server不用存取connection資訊直到client回傳ACK
    • TCP connection table就不會被假的IP佔據
    • 缺點:
      • server需計算cookie
      • 不能用TCP的特定extension (cookie太小)
  • 對付SYN spoofing: 選擇性或隨機drop TCP connection table 的 incomplete connections
  • 修改table size, 修改timeout
  • 對付amplification攻擊:
    • 封鎖 IP-based broadcast的使用
  • 封鎖可疑的服務或port組合
  • 確定另一方是否為人類 (用CAPTACHAs)

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Responding to a DoS Attack

  • 組織: ISP在沒有網路連線時available
    • traffic可以被過濾
  • 發布intrusion detection system以偵測異常traffic
  • 擷取packets以分析攻擊type
  • 若系統中的bug被攻擊則修改
  • 被攻擊後用backup server
Select a repo