![Page 2: Slide 1 of 172 Internet Attacks: The Gory Details Bill Cheswick ches@lumeta.com](https://reader038.vdocuments.site/reader038/viewer/2022102907/56649ddd5503460f94ad60ec/html5/thumbnails/2.jpg)
Internet Attacks – The Gory Details slide 2 of 172
Internet Attacks – The Gory Details slide 14 of 172
The Internet
• Ad hoc collection of TCP/IP interconnections
• No real central authority
• No central knowledge of connections
  – maybe flows, but not yet
• No per-packet billing, in most places
• Core equipment too busy to help law enforcement
• Large perimeters are impossible to control
Internet Attacks – The Gory Details slide 15 of 172
Remote Attacks, and anonymity, are easy
• Attacks can be laundered through many hosts around the world
• brief attacks are hard to track down
• the average defender is clueless
Internet Attacks – The Gory Details slide 16 of 172
Traceback can be very hard
• clueless ISPs
• ignorant law enforcement
• treaties with foreign countries
• may not be against the local law
• attacker may cease attack before traceback is completed
Internet Attacks – The Gory Details slide 17 of 172
“Monoculture”
• Small set of target types and versions
  – Microsoft OS and applications
  – Apache
  – Samba
  – DNS
  – Cisco IOS
• Like planting Kansas with a single strain of wheat, or vineyards with a single root stock
Internet Attacks – The Gory Details slide 18 of 172
Attacking scripts are published and shared
• Loners develop attack software for the rest of us
• Hacking FAQs are common
• Software tools are easily available
  – look up “rootkit”
• “Script kiddies” are a major source of current Internet attacks
Internet Attacks – The Gory Details slide 19 of 172
Unsafe Services
• Useful
• Poorly written
• Poor auditing
• Found in most hosts
• Safer services and protocols are rare
• Vendors sell flawed software
• Users don’t fix holes
• Host-based security is usually broken
• Security requires discipline: not found in market leaders
  – And often not found in open source software either
Internet Attacks – The Gory Details slide 20 of 172
Unsafe Services: Some Typical Errors
• Unchecked user input submitted to the shell or Perl
  – wildcard and escape characters take over the process
  – CGI scripts
• Secret options, commands, or back doors
  – DEBUG and others in sendmail
• Input string length is not checked
  – string buffer overrun corrupts stack
    • strcpy, gets, sprintf
  – caller supplies assembly code, and jumps to it
  – finger (Morris worm)
  – early Netscape
  – statd (latest)
Internet Attacks – The Gory Details slide 21 of 172
Unsafe Services: Privileged programs are much too large
• Sendmail is tens of thousands of lines of complex code, running as root.
• Netscape browser/communicator is huge
• Operating systems are huge
  – Windows
  – Unix
  – Features are never retired, only added
• A short, simple program is hard to get right
Internet Attacks – The Gory Details slide 22 of 172
Unsafe Protocols
• Passwords transmitted in the clear
  – Challenge/response is better, though subject to dictionary attacks
  – EKE can hide this
  – Machine generated passwords are better, but require devices or printouts
• Address-based authentication
  – Can be OK in controlled environments
  – DNS and routing attacks can fool these
Internet Attacks – The Gory Details slide 23 of 172
Weakest Link Compromises many targets
• Vulnerabilities are common in network services
• One break-in compromises
  – the rest of the host
  – the host’s net (via sniffers)
  – trusting hosts
• “non-vital” targets may be vital
Internet Attacks – The Gory Details slide 24 of 172
How Do They Find Dangerous Ports?
• Port scanners
• Easy to write
• Half-open (SYN-only) scanners often don’t show up in logs
• Harder to scan for UDP services, but not by much
• “Firewalking” can scan through a firewall
  – Uses packets that a firewall often admits, such as ICMP or TCP SYN/ACK
slide 25 of 172
Attacks
Stack Smashing
Internet Attacks – The Gory Details slide 26 of 172
Programs don’t check their input
• Routines like gets, strcpy, and sprintf, which are inherently dangerous
• If input length is too long, it can overwrite memory in C, overwriting variables and subroutine return addresses.
• Every piece of external data must be checked before it is used.
• It doesn’t hurt to check internal stuff, too
  – assert.h
  – CPU time is cheap
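The unchecked routines named above beside checked replacements, as an added example that is not from the slides. The buffer sizes and all function names are assumptions made for illustration.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* UNSAFE, shown for contrast and never called here: strcpy() and sprintf()
 * write until the source ends, not until the destination is full. */
void greet_unsafe(char *out, const char *user)
{
    char name[16];
    strcpy(name, user);               /* overruns name[] if user is 16+ bytes */
    sprintf(out, "hello, %s", name);  /* same problem for out[] */
}

/* Length of s if a NUL is found within max bytes, otherwise max. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Checked copy: rejects input that does not fit rather than truncating it.
 * Returns 0 on success, -1 if src (with its terminator) exceeds dstsize. */
int copy_checked(char *dst, size_t dstsize, const char *src)
{
    assert(dst != NULL && src != NULL && dstsize > 0);  /* internal check */
    size_t n = bounded_len(src, dstsize);
    if (n == dstsize)
        return -1;
    memcpy(dst, src, n + 1);          /* n + 1 <= dstsize, includes the NUL */
    return 0;
}

/* Checked formatting: snprintf() reports the length it wanted to write,
 * so truncation is detected and treated as an error. */
int greet_checked(char *out, size_t outsize, const char *user)
{
    char name[16];
    assert(out != NULL && outsize > 0);
    out[0] = '\0';
    if (copy_checked(name, sizeof name, user) != 0)
        return -1;
    int n = snprintf(out, outsize, "hello, %s", name);
    if (n < 0 || (size_t)n >= outsize) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Replacement for gets(): reads one line and strips the newline.
 * Returns 1 for a line, 0 at end of input, -1 if the line was too long
 * (the rest of that line is discarded so the next call starts clean). */
int read_line_checked(FILE *in, char *buf, size_t size)
{
    assert(in != NULL && buf != NULL && size >= 2);
    if (fgets(buf, (int)size, in) == NULL)
        return 0;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    int c = fgetc(in);                /* no newline seen: look ahead */
    if (c == EOF || c == '\n')
        return 1;                     /* line filled the buffer exactly */
    while (c != '\n' && c != EOF)
        c = fgetc(in);
    buf[0] = '\0';
    return -1;
}

int main(void)
{
    char out[32];
    /* Constructed inputs: one short name, one 40-byte string. */
    printf("short name: %d\n", greet_checked(out, sizeof out, "ches"));
    printf("long name:  %d\n", greet_checked(out, sizeof out,
           "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```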
Internet Attacks – The Gory Details slide 27 of 172
A Stack: before a procedure call
[Figure: stack diagram labeled “Variables”]
Internet Attacks – The Gory Details slide 28 of 172
A Stack: while a procedure is running
[Figure: stack diagram with regions Return addr, String buffer, Local vars., Local vars, Other stuff; callout: “Where to go after the procedure is finished”]
Internet Attacks – The Gory Details slide 29 of 172
A Stack: while a procedure is running
[Figure: same stack diagram; callout: “Input line goes in here”]
Internet Attacks – The Gory Details slide 30 of 172
A Stack: while a procedure is running
[Figure: same stack diagram; callout: “Input line goes in here”]
Internet Attacks – The Gory Details slide 31 of 172
“Stack smashing” attack
[Figure: same stack diagram; callout: “New return address, points to...”]
Internet Attacks – The Gory Details slide 32 of 172
“Stack smashing” attack
[Figure: same stack diagram; callout: “…new code loaded in some space on the stack”]
The code runs with the privileges of the attacked program, usually root
Internet Attacks – The Gory Details slide 33 of 172
Some former victims of stack-smashing attacks
• Fingerd (Morris worm)
• sendmail
• syslogd
• rstatd
• early Netscape browsers
• file names in attachments to mail
• sshd
• IIS web server
slide 34 of 172
Attacks
Portable Programs
Internet Attacks – The Gory Details slide 35 of 172
Dangerous services: portable programs
• JAVA
• ActiveX^H^H^H^H^H^H^HCOMX^H^H^H^HSOAP
• Viruses:
  – PC
  – Word
  – Excel
Internet Attacks – The Gory Details slide 36 of 172
Where do Programs Run?
[Figure: boxes labeled Kernel and Program]
Internet Attacks – The Gory Details slide 37 of 172
Where do Programs Run?
[Figure: boxes labeled Kernel and Program]
This model is wrong!
Internet Attacks – The Gory Details slide 38 of 172
Applets run in an incompletely-defined environment
[Figure: boxes labeled Kernel and Program]
Internet Attacks – The Gory Details slide 39 of 172
Java’s “sandbox”
• Is incompletely defined
• Can be different for each vendor
• Often optimized for speed, not security
• Allows “native methods”, which can break the security model
• ActiveX
  – like Java, but no sandbox at all
slide 40 of 172
Attacks
Sniffing attacks (“eavesdropping”)
Internet Attacks – The Gory Details slide 41 of 172
[Figure: host with TCP services; Client, Server, and Attacker]
Internet Attacks – The Gory Details slide 42 of 172
Ethernet and Passwords
• Was never secure from eavesdropping
• “Sniffing” tools are common
  – grab host name, user name, and password
  – check any hacker collection
• Credit card numbers are easy
• Over 1,000,000 captured in 1994
• It doesn’t matter how good your password is if it can be sniffed!
• Still in wide use - even for root!
Internet Attacks – The Gory Details slide 43 of 172
Wireless passwords
Internet Attacks – The Gory Details slide 44 of 172
Wireless passwords
slide 45 of 172
Attacks
IP Spoofing a trusted host
Internet Attacks – The Gory Details slide 46 of 172
IP Spoofing
• Defeats address-based authentication
  – i.e. rlogin, rsh, tcp wrappers
• Common tools available to the hackers
  – they don’t have to be TCP/IP experts
• This was used to crack Tsutomu Shimomura’s machines in “Takedown.”
• Robert Morris Jr. wrote a paper on this in 1984
• Steve Bellovin republished it in 1989
• First known use in 1994
Internet Attacks – The Gory Details slide 47 of 172
Normal TCP connection, initial SYN packet
[Figure: Client and Server; packet labeled SYN,SEQ0]
Internet Attacks – The Gory Details slide 48 of 172
Response to Open, connection is “half open”
[Figure: Client and Server; packets labeled SYN,SEQ0 and SYN,ACK,SEQ0+1,SEQ0]
Internet Attacks – The Gory Details slide 49 of 172
Client completes handshake, TCP connection is now open
[Figure: Client and Server; packets labeled SYN,SEQ0; SYN,ACK,SEQ0+1,SEQ0; and ACK,SEQ0+1,SEQ0+1]
Internet Attacks – The Gory Details slide 50 of 172
IP Spoof of a Trusted Client: Determine Likely SEQ0
[Figure: Client, Server, and Attacker]
Internet Attacks – The Gory Details slide 51 of 172
IP Spoof of a Trusted Client: Suppress the Trusted Client
[Figure: Client, Server, and Attacker; label: “killer packet or SYN attack”]
Internet Attacks – The Gory Details slide 52 of 172
IP Spoof of a Trusted Client: Suppress the Trusted Client
[Figure: Client, Server, and Attacker]
Internet Attacks – The Gory Details slide 53 of 172
Attacker opens connection “from” trusted client
[Figure: Client, Server, and Attacker; packet labeled SYN,SEQ0]
Internet Attacks – The Gory Details slide 54 of 172
Open seems to come from trusted client
[Figure: Client, Server, and Attacker; packet labeled SYN,SEQ0]
Internet Attacks – The Gory Details slide 55 of 172
IP Spoof of a Trusted Client: Server responds to dead client
[Figure: Client, Server, and Attacker; packet labeled SYN,ACK,SEQ0+1,SEQ0]
Internet Attacks – The Gory Details slide 56 of 172
IP Spoof of a Trusted Client: Spoof final open message
[Figure: Client, Server, and Attacker; packet labeled ACK,SEQ0+1,SEQ0+1]
Internet Attacks – The Gory Details slide 57 of 172
IP Spoof of a Trusted Client: “Open” is complete
[Figure: Client, Server, and Attacker]
Internet Attacks – The Gory Details slide 58 of 172
IP Spoof of a Trusted Client: Open Server to outside access
[Figure: Client, Server, and Attacker; label: “evil trusted command”]
Internet Attacks – The Gory Details slide 59 of 172
Preventing IP spoofing
• Spoofing can be stopped at the perimeter
  – “No internal addresses accepted from the outside”
  – Helps to have a coherent address space
• A firewall can prevent access also
• Address-based authentication is a BAD IDEA.
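The perimeter rule above (“No internal addresses accepted from the outside”) written as a source-address check, as an added example that is not from the slides. It also applies the mirror-image check on the inside interface, which goes beyond the slide; the prefixes are documentation ranges chosen for illustration and all names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum iface   { IF_OUTSIDE, IF_INSIDE };
enum verdict { V_PASS, V_DROP_SPOOFED, V_DROP_BADADDR };

struct prefix { uint32_t net, mask; };   /* host byte order */

static int octets_ok(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return a <= 255 && b <= 255 && c <= 255 && d <= 255;
}

/* Parse "a.b.c.d" into a 32-bit address. Returns 0 on success. */
int parse_addr(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;
    /* The trailing %c catches garbage after the last octet. */
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4)
        return -1;
    if (!octets_ok(a, b, c, d))
        return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* Parse "a.b.c.d/len"; host bits are cleared. Returns 0 on success. */
int parse_prefix(const char *cidr, struct prefix *p)
{
    unsigned a, b, c, d, len;
    char extra;
    if (sscanf(cidr, "%u.%u.%u.%u/%u%c", &a, &b, &c, &d, &len, &extra) != 5)
        return -1;
    if (!octets_ok(a, b, c, d) || len > 32)
        return -1;
    p->mask = (len == 0) ? 0 : 0xFFFFFFFFu << (32 - len);
    p->net  = ((a << 24) | (b << 16) | (c << 8) | d) & p->mask;
    return 0;
}

static int is_internal(uint32_t addr, const struct prefix *tab, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if ((addr & tab[i].mask) == tab[i].net)
            return 1;
    return 0;
}

/* Decide on a packet from its arrival interface and claimed source.
 * A coherent address space keeps the internal[] table short. */
enum verdict filter_source(enum iface arrived_on, const char *src_text,
                           const struct prefix *internal, size_t n)
{
    uint32_t src;
    if (parse_addr(src_text, &src) != 0)
        return V_DROP_BADADDR;
    int claims_internal = is_internal(src, internal, n);
    if (arrived_on == IF_OUTSIDE && claims_internal)
        return V_DROP_SPOOFED;   /* the slide's rule */
    if (arrived_on == IF_INSIDE && !claims_internal)
        return V_DROP_SPOOFED;   /* added: our own hosts may not spoof either */
    return V_PASS;
}

int main(void)
{
    static const char *names[] = { "pass", "drop (spoofed)", "drop (bad address)" };
    struct prefix internal[2];
    /* Constructed address plan using documentation prefixes. */
    parse_prefix("192.0.2.0/24", &internal[0]);
    parse_prefix("198.51.100.0/24", &internal[1]);
    printf("outside, src 192.0.2.10:  %s\n",
           names[filter_source(IF_OUTSIDE, "192.0.2.10", internal, 2)]);
    printf("outside, src 203.0.113.7: %s\n",
           names[filter_source(IF_OUTSIDE, "203.0.113.7", internal, 2)]);
    printf("inside,  src 203.0.113.7: %s\n",
           names[filter_source(IF_INSIDE, "203.0.113.7", internal, 2)]);
    return 0;
}
```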
slide 60 of 172
Attacks
TCP hijacking
Internet Attacks – The Gory Details slide 61 of 172
Attacker is watching an existing connection, perhaps through the strong authentication stage
[Figure: Client, Server, and Attacker]
Internet Attacks – The Gory Details slide 62 of 172
Kill the client connection...
[Figure: Client, Server, and Attacker; label: “killer packet”]
Internet Attacks – The Gory Details slide 63 of 172
…and continue the connection
[Figure: Client, Server, and Attacker]
Internet Attacks – The Gory Details slide 64 of 172
TCP hijacking
• Takes over an existing, authenticated connection
• Needs access to the packet flow
• Common tools are available to the hackers now
• Cryptographic signatures of packets can defeat this
slide 65 of 172
Attacks
Denial of Service
Internet Attacks – The Gory Details slide 66 of 172
[Figure: host with TCP services; Client, Server, and Attacker]
Internet Attacks – The Gory Details slide 67 of 172
Denial-of-service Attacks
• In your face - not subtle like traditional hacking attacks
• Random packets are very hard to trace
• Can go on for weeks
• Attackers can exploit poor local software or...
• Simply flood the site’s network with incoming packets
• These attacks are always possible on a public service
slide 68 of 172
Attacks
Denial of Service: SYN packet attacks
Internet Attacks – The Gory Details slide 69 of 172
Normal TCP open
[Figure: Client and Server; packets labeled SYN,SEQ0; SYN,ACK,SEQ0+1,SEQ0; and ACK,SEQ0+1,SEQ0+1]
Internet Attacks – The Gory Details slide 70 of 172
Normal TCP open
[Figure: Client timeline; labels “half-open” and “<300ms”]
Internet Attacks – The Gory Details slide 71 of 172
SYN Attacks
• First seen at Panix.com in fall 1996
• Half-open processing was implemented poorly
  – Quadratic behavior
  – Wasn’t much call for improving it
• We’ve been expecting it
  – The only thing we left out of our firewalls book
  – Removed at the last minute
    • We knew of no good solution
    • We are sorry we left it out
• A new one appeared in fall 1997
  – SYN with same source and destination address kills some TCP/IP implementations
• There will be more attacks on TCP/IP implementations
  – lots of code involved
  – hard to test code in a kernel
slide 72 of 172
Attacks
Denial of Service
Ping flood (smurf)
Internet Attacks – The Gory Details slide 73 of 172
Identify ping generator networks
[Figure: target and six generator networks labeled G]
Internet Attacks – The Gory Details slide 74 of 172
Trigger packets with spoofed return address
[Figure: packet cannon, target, and six generator networks labeled G]
Internet Attacks – The Gory Details slide 75 of 172
Generators flood the target with packets
[Figure: packet cannon, target, and six generator networks labeled G]
Internet Attacks – The Gory Details slide 76 of 172
Traceback
• The target cannot tell where the trigger is coming from
• Attacking hosts may not know that they are being used
• Broadcast storms can generate more load
slide 77 of 172
Attacks
DNS, routing, and infrastructure attacks
Internet Attacks – The Gory Details slide 78 of 172
Routing attacks: Packet Diversion and man-in-the-middle attacks
[Figure: Client, Server, and Attacker]
Internet Attacks – The Gory Details slide 79 of 172
Routing attacks: Packet Diversion and man-in-the-middle attacks
[Figure: Client, Server, and Attacker (router)]
Internet Attacks – The Gory Details slide 80 of 172
Routing attacks: Packet Diversion and man-in-the-middle attacks
[Figure: Client, Server, and Attacker (router)]
Internet Attacks – The Gory Details slide 81 of 172
DNS attacks
• Include an extra “glue” record on a DNS query
  – short cache time-out hides the evidence
  – newest bind program checks for this
  – “DNS cache poisoning”
• Capture DNS server and return incorrect result
• DNSSEC can fix this
  – going through final comments now
Internet Attacks – The Gory Details slide 82 of 172
Infrastructure attacks
• Our tools are still weak
  – authenticated SBGP4 is coming, maybe
• Keep up with the latest name server
• Move to secure router implementations, when available
• Question: what will you do if the entire Internet is down for a week?
slide 83 of 172
Attacks
Social Engineering (a.k.a. spying)
Internet Attacks – The Gory Details slide 84 of 172
Social Engineering (cont.)
Click here to infect your computer.
Internet Attacks – The Gory Details slide 85 of 172
Another problem with strange programs
Internet Attacks – The Gory Details slide 86 of 172
Social Engineering
“Hello, this is Dennis Ritchie calling. I’m in Israel now and I have forgotten my password.”
“Hello, <admin-name>, I’ve just started work here. <Boss-name> said I should have an account on <target-host>”
slide 87 of 172
Attacks
Unsafe services
Internet Attacks – The Gory Details slide 88 of 172
[Figure: host with TCP services; Client, Server, and Attacker]
Internet Attacks – The Gory Details slide 89 of 172
[Figure: host with TCP services; Client, Server, and Attacker]
Internet Attacks – The Gory Details slide 90 of 172
Default services: SGI workstation
```
ftp      stream  tcp  nowait  root      /v/gate/ftpd
telnet   stream  tcp  nowait  root      /usr/etc/telnetd
shell    stream  tcp  nowait  root      /usr/etc/rshd
login    stream  tcp  nowait  root      /usr/etc/rlogind
exec     stream  tcp  nowait  root      /usr/etc/rexecd
finger   stream  tcp  nowait  guest     /usr/etc/fingerd
bootp    dgram   udp  wait    root      /usr/etc/bootp
tftp     dgram   udp  wait    guest     /usr/etc/tftpd
ntalk    dgram   udp  wait    root      /usr/etc/talkd
tcpmux   stream  tcp  nowait  root      internal
echo     stream  tcp  nowait  root      internal
discard  stream  tcp  nowait  root      internal
chargen  stream  tcp  nowait  root      internal
daytime  stream  tcp  nowait  root      internal
time     stream  tcp  nowait  root      internal
echo     dgram   udp  wait    root      internal
discard  dgram   udp  wait    root      internal
chargen  dgram   udp  wait    root      internal
daytime  dgram   udp  wait    root      internal
time     dgram   udp  wait    root      internal
sgi-dgl  stream  tcp  nowait  root/rcv  dgld
uucp     stream  tcp  nowait  root      /usr/lib/uucp/uucpd
```
Internet Attacks – The Gory Details slide 91 of 172
More default services
```
mountd/1            stream  rpc/tcp  wait/lc  root  rpc.mountd
mountd/1            dgram   rpc/udp  wait/lc  root  rpc.mountd
sgi_mountd/1        stream  rpc/tcp  wait/lc  root  rpc.mountd
sgi_mountd/1        dgram   rpc/udp  wait/lc  root  rpc.mountd
rstatd/1-3          dgram   rpc/udp  wait     root  rpc.rstatd
walld/1             dgram   rpc/udp  wait     root  rpc.rwalld
rusersd/1           dgram   rpc/udp  wait     root  rpc.rusersd
rquotad/1           dgram   rpc/udp  wait     root  rpc.rquotad
sprayd/1            dgram   rpc/udp  wait     root  rpc.sprayd
bootparam/1         dgram   rpc/udp  wait     root  rpc.bootparamd
sgi_videod/1        stream  rpc/tcp  wait     root  ?videod
sgi_fam/1           stream  rpc/tcp  wait     root  ?fam
sgi_snoopd/1        stream  rpc/tcp  wait     root  ?rpc.snoopd
sgi_pcsd/1          dgram   rpc/udp  wait     root  ?cvpcsd
sgi_pod/1           stream  rpc/tcp  wait     root  ?podd
tcpmux/sgi_scanner  stream  tcp      nowait   root  ?scan/net/scannerd
tcpmux/sgi_printer  stream  tcp      nowait   root  ?print/printerd
9fs                 stream  tcp      nowait   root  /v/bin/u9fs u9fs
webproxy            stream  tcp      nowait   root  /usr/local/etc/webserv
```
Internet Attacks – The Gory Details slide 92 of 172
Some Dangerous Services
• Telnet
• FTP
• NFS
• RPC
• “secure” RPC
• rlogin/rsh/rcp
• X11
• DNS
• (web servers)
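The default-service listings above can be checked mechanically against this list. The following Python code is an added example, not part of the original slides: it parses inetd.conf-style lines (a constructed subset of the SGI entries shown earlier) and flags entries that fall under the dangerous-service categories or start a program as root. The mapping in RISKY from inetd service names to the slide's categories is an assumption of the example.

```python
"""Audit inetd.conf-style entries against the slide's list of dangerous services."""

# Constructed sample: a subset of the SGI default entries listed on the slides.
SAMPLE_INETD = """\
# service   socket  proto    wait     user   server
ftp         stream  tcp      nowait   root   /v/gate/ftpd
telnet      stream  tcp      nowait   root   /usr/etc/telnetd
shell       stream  tcp      nowait   root   /usr/etc/rshd
login       stream  tcp      nowait   root   /usr/etc/rlogind
finger      stream  tcp      nowait   guest  /usr/etc/fingerd
tftp        dgram   udp      wait     guest  /usr/etc/tftpd
echo        stream  tcp      nowait   root   internal
mountd/1    dgram   rpc/udp  wait/lc  root   rpc.mountd
rstatd/1-3  dgram   rpc/udp  wait     root   rpc.rstatd
"""

# Assumption of this example: which inetd service names fall under which
# category from the "Some Dangerous Services" slide.
RISKY = {
    "telnet": "Telnet",
    "ftp": "FTP",
    "shell": "rlogin/rsh/rcp",  # rshd
    "login": "rlogin/rsh/rcp",  # rlogind
    "mountd": "NFS",
}


def parse_inetd(text):
    """Return one dict per active (non-comment, non-blank) inetd entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected 6+ fields, got {len(fields)}")
        service, socket_type, proto, wait, user, server = fields[:6]
        entries.append({
            "service": service, "socket": socket_type, "proto": proto,
            "wait": wait, "user": user, "server": server, "line": lineno,
        })
    return entries


def audit(entries):
    """Return (service, reasons) for every entry that deserves a second look."""
    findings = []
    for e in entries:
        reasons = []
        base = e["service"].split("/", 1)[0]   # "mountd/1" -> "mountd"
        if base in RISKY:
            reasons.append(RISKY[base])
        if e["proto"].startswith("rpc/"):
            reasons.append("RPC")
        # inetd's built-in ("internal") services start no external program.
        if e["user"] == "root" and e["server"] != "internal":
            reasons.append("runs as root")
        if reasons:
            findings.append((e["service"], reasons))
    return findings


if __name__ == "__main__":
    for service, reasons in audit(parse_inetd(SAMPLE_INETD)):
        print(f"{service:12} {', '.join(reasons)}")
```

Entries that the audit does not flag (finger and tftp running as guest, the internal echo service) still listen on the network; the check only ranks what to review first.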
Internet Attacks – The Gory Details slide 93 of 172
Why are they insecure? telnet
• Eavesdropping attacks sniff passwords
– >1,000,000 sniffed in 1994 from hacked ISPs
• TCP hijacking takes over authenticated connections: strong passwords aren’t enough
• Insecure accounts are subject to probes and use
• Corruption of client host compromises the session
Internet Attacks – The Gory Details slide 94 of 172
Why are they insecure? FTP
• Same as telnet, plus
• history of bugs in servers
• setup errors for anonymous FTP
– get permissions wrong
– distribute the real password file to the masses
– “why”
Internet Attacks – The Gory Details slide 95 of 172
Why are they insecure? NFS
• Root file handle can be sniffed
• Relies on RPC software
Internet Attacks – The Gory Details slide 96 of 172
Why are they insecure? RPC and secure RPC
• RPC
– address-based
– local relay feature can obscure address information from the server
• Secure RPC
– cryptographically weak
Internet Attacks – The Gory Details slide 97 of 172
Why are they insecure? Rlogin, rsh, rcp
• rlogin, rsh, rcp
– can be hijacked
– can be spoofed
• use address-based authentication
– .rhosts and /etc/hosts.equiv leak trusted host information
– .rhosts: users should not be making security policy
Internet Attacks – The Gory Details slide 98 of 172
Why are they insecure? X11
• Clear text leaks secrets
• Cookie authentication is in the clear
• Advanced authentication not widely available
• xhost configuration errors
• Historically, bugs in xdm
Internet Attacks – The Gory Details slide 99 of 172
Why are they insecure? DNS - domain name system
• Bind runs as root
– it is big, and not well understood
– runs on vital hosts
• Cache poisoning: cache wrong answers
– attack address-based auth
– spoof servers
Internet Attacks – The Gory Details slide 100 of 172
DNS lookup: A asks D for B’s IP address
[Diagram: Client, Server, Attacker; A, D (cache), B: 1.2.3.4; labels “B -> 1.2.3.4” and “B?”]
Internet Attacks – The Gory Details slide 101 of 172
DNS lookup: D asks B (or someone who knows about B)
[Diagram: Client, Server, Attacker; A, D (cache), B: 1.2.3.4; labels “B -> 1.2.3.4” and “B?”]
Internet Attacks – The Gory Details slide 102 of 172
DNS lookup: B answers, D caches the answer, and tells A
[Diagram: Client, Server, Attacker; A, D (cache), B: 1.2.3.4; label “B -> 1.2.3.4”]
Internet Attacks – The Gory Details slide 103 of 172
DNS lookup: A uses the answer
[Diagram: Client, Server, Attacker; A, D (cache), B: 1.2.3.4, X: 5.6.7.8; label “B -> 1.2.3.4”]
Internet Attacks – The Gory Details slide 104 of 172
DNS lookup: D remembers the answer for a given period
[Diagram: Client, Server, Attacker; A, D (cache), B: 1.2.3.4, X: 5.6.7.8; label “B -> 1.2.3.4”]
Internet Attacks – The Gory Details slide 105 of 172
DNS cache poisoning attack: Attacker C arranges for D to ask him a question
[Diagram: Client, Server, Attacker; A, D (cache), B: 1.2.3.4, X: 5.6.7.8; labels “B -> 1.2.3.4” and “X?”]
Internet Attacks – The Gory Details slide 106 of 172
DNS cache poisoning attack: Attacker C arranges for D to ask him a question
[Diagram: Client, Server, Attacker; A, D (cache), B: 1.2.3.4, X: 5.6.7.8; labels “B -> 1.2.3.4” and “X?”]
Internet Attacks – The Gory Details slide 107 of 172
DNS cache poisoning attack: The attacker gives an answer, plus…
[Diagram: Client, Server, Attacker; A, D (cache), B: 1.2.3.4, X: 5.6.7.8; labels “B -> 1.2.3.4”, “B -> 5.6.7.8” and “X -> 5.6.7.8”]
Internet Attacks – The Gory Details slide 108 of 172
DNS cache poisoning attack: A gets his answer, and uses it
[Diagram: Client, Server, Attacker; A, D (cache), B: 1.2.3.4, X: 5.6.7.8; labels “B -> 1.2.3.4”, “B -> 5.6.7.8” and “X -> 5.6.7.8”]
Internet Attacks – The Gory Details slide 109 of 172
DNS cache poisoning attack: The cache has an extra answer
[Diagram: Client, Server, Attacker; A, D (cache), B: 1.2.3.4, X: 5.6.7.8; labels “B -> 1.2.3.4”, “B -> 5.6.7.8” and “X -> 5.6.7.8”]
Internet Attacks – The Gory Details slide 110 of 172
DNS cache poisoning attack: Now A asks for B’s address
[Diagram: Client, Server, Attacker; A, D (cache), B: 1.2.3.4, X: 5.6.7.8; labels “B -> 1.2.3.4”, “B -> 5.6.7.8”, “X -> 5.6.7.8” and “B?”]
Internet Attacks – The Gory Details slide 111 of 172
DNS cache poisoning attack: D “knows” the answer already, and returns it
[Diagram: Client, Server, Attacker; A, D (cache), B: 1.2.3.4, X: 5.6.7.8; labels “B -> 1.2.3.4”, “B -> 5.6.7.8” and “X -> 5.6.7.8”]
Internet Attacks – The Gory Details slide 112 of 172
DNS cache poisoning attack: A uses the answer
[Diagram: Client, Server, Attacker; A, D (cache), B: 1.2.3.4, X: 5.6.7.8; labels “B -> 1.2.3.4”, “B -> 5.6.7.8” and “X -> 5.6.7.8”]
Internet Attacks – The Gory Details slide 113 of 172
DNS cache poisoning
• Gives the wrong answer on inverse lookups, foiling rsh, rlogin
• If you connect to the wrong site they can
– spoof a login, and capture passwords
– spoof a web page, and give wrong answers
– set themselves up for man-in-the-middle attacks, relaying info to the real server
Internet Attacks – The Gory Details slide 114 of 172
DNS cache poisoning
• Older versions of bind fall for this
• You can even send an answer without a query, to some implementations!
• DNS responses can be spoofed too
– what if the query gets two answers: use the first?!
• DNSSEC fixes this
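The poisoning sequence on the preceding slides comes down to which records the caching server D is willing to store. The following Python code is an added example, not part of the original slides: it models D's cache and runs the same exchange against a naive cache and a strict one that drops unsolicited replies and records that do not answer the outstanding question. The host names b.example and x.example and the exact-name acceptance rule are assumptions of the example, and the rule is simpler than what production resolvers or DNSSEC validation do.

```python
"""Toy model of caching server D: which records from a response get cached."""

B, X = "b.example", "x.example"   # constructed names for hosts B and X
ATTACKER = "5.6.7.8"              # the attacker's server, as on the slides


class Cache:
    def __init__(self, strict):
        self.strict = strict
        self.records = {}    # name -> (address, expiry time)
        self.pending = {}    # query id -> (name asked, server asked)
        self._next_id = 1

    def ask(self, name, server):
        """D sends a query to `server`; remember it so the reply can be matched."""
        qid = self._next_id
        self._next_id += 1
        self.pending[qid] = (name, server)
        return qid

    def receive(self, qid, server, records, now=0, ttl=300):
        """Handle a response; return the names that were cached from it."""
        asked = self.pending.get(qid)
        # Strict: no outstanding query, or reply from a server we did not ask.
        if self.strict and (asked is None or asked[1] != server):
            return []
        self.pending.pop(qid, None)
        cached = []
        for name, address in records:
            # Strict: keep only records that answer the question we asked.
            if self.strict and name != asked[0]:
                continue
            self.records[name] = (address, now + ttl)
            cached.append(name)
        return cached

    def lookup(self, name, now=0):
        """Answer from cache, or None if absent or expired."""
        hit = self.records.get(name)
        if hit is None or now >= hit[1]:
            return None
        return hit[0]


def poison_attempt(strict):
    """Replay the slides: D asks the attacker about X, the reply also names B."""
    d = Cache(strict)
    qid = d.ask(X, server=ATTACKER)
    d.receive(qid, ATTACKER, [(X, "5.6.7.8"), (B, "5.6.7.8")])
    return d.lookup(X), d.lookup(B)


def unsolicited_attempt(strict):
    """An answer that arrives without any query having been sent."""
    d = Cache(strict)
    d.receive(4242, ATTACKER, [(B, "5.6.7.8")])
    return d.lookup(B)


if __name__ == "__main__":
    for strict in (False, True):
        label = "strict" if strict else "naive "
        print(label, "extra record:", poison_attempt(strict),
              "unsolicited:", unsolicited_attempt(strict))
```

The naive cache ends up answering “B?” with 5.6.7.8 in both cases; the strict cache keeps only X's record and ignores the reply it never asked for.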
Internet Attacks – The Gory Details slide 115 of 172
Why are they insecure? Web servers
• Complex, and buggy
– stack smashing attacks, etc.
• CGI scripts: it is always dangerous to add programs
• Numerous configuration options
– Apache security relies on good configuration
• Needs access to internal databases
Internet Attacks – The Gory Details slide 116 of 172
Unsafe services: SMB
• Protocol uses weak authentication
• samba is big: I prefer using chroot
Internet Attacks – The Gory Details slide 117 of 172
Unsafe services: Microsoft authentication over PPTP
• Weak authentication
• Probably weak encryption implementation
– see Bruce Schneier’s paper in ACM CCS-5
Internet Attacks – The Gory Details slide 118 of 172
Other services
• POP3 and IMAP
• IRC - no!
• Realaudio
– UDP is dangerous, TCP ok
• Mbone
– hard to gate
– some UDP implementations respond to multicast packets
slide 119 of 172
Exponential attacks
Internet Attacks – The Gory Details slide 120 of 172
Viruses
• PC viruses
– there are tens of thousands of them, including variants
– defense is best made at the host, with a virus checker
  • update the database often
• Unix viruses
– Tom Duff made one
– Shell viruses are easy
– Unix viruses are rare!
Internet Attacks – The Gory Details slide 121 of 172
Viruses
• Firewalls can filter them
– It seems like the right place
– It requires a lot of work, and they can be hidden
• Macro viruses are the most alarming
• They have access to the entire PC, with a little work
Internet Attacks – The Gory Details slide 122 of 172
The Morris Worm
• November 2, 1988
• Spread using
– fingerd (stack smashing)
– sendmail (DEBUG back door)
– password guessing
• Poorly controlled exponential growth
• A team of experts fought it quickly
slide 123 of 172
Attacks: Unsafe programs
Internet Attacks – The Gory Details slide 124 of 172
find / -perm -4000 -user root -print | wc -l
Root: the gateway to privilege
Internet Attacks – The Gory Details slide 125 of 172
Setuid-root

| System | Setuid-root programs | Notes |
|---|---|---|
| AIX 4.2 | 242 | a staggering number |
| BSD/OS 3.0 | 78 | |
| FreeBSD 4.3 | 42 | someone's guard machine |
| FreeBSD 4.3 | 47 | 2 appear to be third-party |
| FreeBSD 4.5 | 43 | see text for closer analysis |
| HPUX A.09.07 | 227 | about half may be special for this host |
| Linux (Mandrake 8.1) | 39 | 3 appear to be third-party |
| Linux (Red Hat 2.4.2-2) | 39 | 2 third-party programs |
| Linux (Red Hat 2.4.7-10) | 31 | 2 third-party programs |
| Linux (Red Hat 5.0) | 59 | |
| Linux (Red Hat 6.0) | 38 | 2–4 third-party |
| Linux 2.0.36 | 26 | approved distribution for one university |
| Linux 2.2.16-3 | 47 | |
| Linux 7.2 | 42 | |
| NCR Intel 4.0v3.0 | 113 | 34 may be special to this host |
| NetBSD 1.6 | 35 | |
| SGI Irix 5.3 | 83 | |
| SGI Irix 5.3 | 102 | |
| Sinux 5.42c1002 | 60 | 2 third-party programs |
| Sun Solaris 5.4 | 52 | 6 third-party programs |
| Sun Solaris 5.6 | 74 | 11 third-party programs |
| Sun Solaris 5.8 | 70 | 6 third-party programs |
| Sun Solaris 5.8 | 82 | 6 third-party programs |
| Tru64 4.0r878 | 72 | |
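To track this count over time rather than read it once, the same search can be compared against a recorded baseline. The following Python code is an added example, not part of the original slides; the function names and the baseline format (a list of paths, one per line in a file) are assumptions of the example.

```python
"""Setuid-root inventory with a baseline diff (cf. find / -perm -4000 -user root)."""
import os
import stat
import sys


def is_setuid_owned_by(st, uid=0):
    """True for a regular file with the setuid bit set and the given owner."""
    return (stat.S_ISREG(st.st_mode)
            and bool(st.st_mode & stat.S_ISUID)
            and st.st_uid == uid)


def find_setuid(root, uid=0):
    """Walk `root` without following symlinks; return sorted matching paths."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: judge the file, not a link target
            except OSError:
                continue                 # vanished or unreadable: skip
            if is_setuid_owned_by(st, uid):
                found.append(path)
    return sorted(found)


def compare_with_baseline(found, baseline):
    """Report programs that appeared or disappeared since the baseline."""
    found, baseline = set(found), set(baseline)
    return {"new": sorted(found - baseline),
            "missing": sorted(baseline - found)}


if __name__ == "__main__":
    # Usage: script.py ROOT [BASELINE_FILE]  (baseline: one path per line)
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    current = find_setuid(root)
    print(f"{len(current)} setuid-root programs under {root}")
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            baseline = [line.strip() for line in fh if line.strip()]
        report = compare_with_baseline(current, baseline)
        for path in report["new"]:
            print("NEW     ", path)
        for path in report["missing"]:
            print("MISSING ", path)
```

A path reported as NEW is a program that gained root privilege since the baseline was taken, which is the change worth investigating first.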
Internet Attacks – The Gory Details slide 126 of 172
Insecure clients
• This is not the same as TCP hijacking
• encryption on the link won’t fix this
• any persistent connection is vulnerable
– rlogin, ftp, ssh
• Tsutomu left an rlogin session running when he went skiing
• YOU HAVE TO BE ABLE TO TRUST YOUR CLIENT
– laptop PCs vs. terminal rooms
Internet Attacks – The Gory Details slide 127 of 172
Insecure clients: attacker takes over client host
[Diagram: Client, Server, Attacker]
Internet Attacks – The Gory Details slide 128 of 172
Insecure clients: attacker takes over client host…
[Diagram: Client, Server, Attacker]
Internet Attacks – The Gory Details slide 129 of 172
…installs the TAP kernel load module…
[Diagram: Client, Server, Attacker, TAP]
Internet Attacks – The Gory Details slide 130 of 172
…user makes authenticated connection to server…
[Diagram: Client, Server, Attacker, TAP]
Internet Attacks – The Gory Details slide 131 of 172
hacker takes over terminal connection with “TAP”
[Diagram: Client, Server, Attacker, TAP]
Internet Attacks – The Gory Details slide 132 of 172
We’ve been losing ground for decades
• Bad guys are figuring out attacks that we have been waiting for over the years
– Very few surprises
• Defense has not improved much
– Ssh
– IPsec
– Better Linux and Unix systems
slide 133 of 172
How Do We Fix All This?
slide 134 of 172
How Do We Fix All This?
Hide behind a perimeter defense?
Firewalls: Perimeter defenses
Internet Attacks – The Gory Details slide 136 of 172
Firewalls: Not a panacea
• Backdoors usually diminish the effectiveness
• Commercial firewalls are probably OK
• May give community a false sense of security
• The firewall is often the only secure part of a configuration
– People go around them
– People go through the bad ones
– No protection from insiders
slide 137 of 172
Anything large enough to be called an “intranet” is probably out of control
Internet Attacks – The Gory Details slide 138 of 172
Internet Attacks – The Gory Details slide 139 of 172
This was supposed to be a VPN
Internet Attacks – The Gory Details slide 140 of 172
Some intranet statistics from Lumeta clients

| Statistic | | |
|---|---|---|
| Intranet sizes (devices) | 7,900 | 365,000 |
| Corporate address space | 81,000 | 745,000,000 |
| Address space usage efficiency | | |
| % devices in unknown address space | 0.01% | 20.86% |
| % routers responding to "public" | 0.14% | 75.50% |
| % routers responding to other | 0.00% | 52.00% |
| Outbound host leaks on network | 0 | 176,000 |
| % devices with outbound ICMP leaks | 0% | 79% |
| % devices with outbound UDP leaks | 0% | 82% |
| Inbound UDP host leaks | 0 | 5,800 |
| % devices with inbound ICMP leaks | 0% | 11% |
| % devices with inbound UDP leaks | 0% | 12% |
| % hosts running Windows | 36% | 84% |
Internet Attacks – The Gory Details slide 141 of 172
You don’t know to whom you are connected
• Modems are cheap and easy to hook up.
– Sun’s “fax” machines
• Home commuting networks may link to spouse’s company, or the Internet.
– even routing worked!
• Remote managers can make extranet connections that aren’t authorized.
– these connections can be very hard to find
– but the security threat is still there
Internet Attacks – The Gory Details slide 142 of 172
You don’t know how many hosts you have
• Most control is at the network level, not the host level.
• Name server entries are optional.
• Nobody keeps the reverse name service information up-to-date.
• Mapping takes work, and doesn’t catch hosts that are down
• Some network links are ephemeral.
Internet Attacks – The Gory Details slide 143 of 172
Lucent’s intranet, c. 1997
[Diagram: sites Allentown, Murray Hill, Columbus, Holmdel, ...; link types SLIP, PPP, ISDN, X.25, cable; “Lucent - 130,000, 266K IP addresses, 3000 nets ann.”; also labelled: Murray Hill, The Internet, ~200 business partners, thousands of telecommuters]
slide 144 of 172
None of this protects us from an insider threat, so…
slide 145 of 172
How Do We Fix All This?
Life without a firewall
“skinny dipping”
Internet Attacks – The Gory Details slide 146 of 172
Secure computing needs…
• Safe clients
• Secure communication
• Safe servers
• Strong, 2-factor authentication
– Something you have and something you know
– Emergency 1-factor authentication, something you know, used extremely rarely
Internet Attacks – The Gory Details slide 147 of 172
Safe clients and servers need:
• A trustable Trusted Computing Base
• Simple, well-specified and debugged kernel
– Check out the semantics of setuid in Unix flavors (Setuid Demystified. Chen, Wagner, and Dean; Usenix Security 2002)
– MAC controls: more permissions, use of file system permissions, and programs that know how to use them
  • (“root” is bad; see Multics!)
– Better, more routine sandboxing
  • Make chroot much better, and easier
Internet Attacks – The Gory Details slide 148 of 172
Free, new servers by Don Knuth?
• He’s busy with Volume 4
• Literate programming of key servers might be the way to go
• Other languages might be better: C and C++ still have buffer overflow problems
– Modula 3?
– Java?
Internet Attacks – The Gory Details slide 149 of 172
We need better suspenders
• We should never trust the application writers to get it right, though they should try hard
• Jails/chroot/sandboxes need to be easy and common-place
– More restrictive jails should be possible
– Unprivileged user should be able to set these up, even if he is already in a jail
  • The /etc/passwd problem
– Static builds should be easier
– Careful documentation of what a program needs to access.
Internet Attacks – The Gory Details slide 150 of 172
Improve chroot
• Already some new work in this area: FreeBSD jail
• Goal: routine jailing of everything that processes external input
– Netscape client routinely jailed
– mail readers
– SpamAssassin
– Openssl (!)
• See Plan 9 for some good ideas
– Network access through the file system?!
Internet Attacks – The Gory Details slide 151 of 172
Related chroot wishes
• Easier builds of static binaries: dynamic libraries make the TCB tougher to build
• Chroot options to all the useful network services: they should jail themselves!
– Apache (Ben Laurie is considering this)
– Samba
– Ntp
– DNS (done)
Internet Attacks – The Gory Details slide 152 of 172
Microsoft desperately needs to do this
• I am convinced that they actually are trying to get better
• They have a long way to go
• I wonder if they can wedge good sandboxing into their OS
Internet Attacks – The Gory Details slide 153 of 172
Simpler Software
• One of the underlying problems with Microsoft applications is creeping featurism
– For most uses, is Word much better than WordStar or any of the other early word processors?
– Is this version of PowerPoint that much better than the first ones (bugs aside)?
Internet Attacks – The Gory Details slide 154 of 172
Simpler Software in Unix
• Skim through the Unix V7 man pages (http://plan9.bell-labs.com)
• How many options does cat(1) need?
• How many setuid-to-root programs does your system have?
Internet Attacks – The Gory Details slide 155 of 172
New file system switch
• Revisit the DOOFUS wars of the mid 80s
• Check Plan 9 for possible uses
• Kernel file system switch that has userland file system computation
– Must be robust…hung inodes, etc.
– Does not involve the network, as NFS does
• Reimplement SFS, Samba client, etc.,
slide 156 of 172
Communications
Internet Attacks – The Gory Details slide 157 of 172
Communication encryption options
• Ssh
• IPsec
• SSL
Internet Attacks – The Gory Details slide 158 of 172
Communications solutions: ssh
• Source code is available
• Widely examined
• But: 2 protocol flaws found so far
• stack smashing scare
• Tunneling is valuable
• IPsec has better crypto, maybe
Internet Attacks – The Gory Details slide 159 of 172
IPsec
• Protocol well-vetted by expert community
• We have the CPUs, I want everyone to use it, for all communications
• Needs simpler setup
– Microsoft requires certificates, no?
– Secret key pairs are fine for small setups
• Key exchange daemons worry me
– They gotta run as root, no?
– They can use complicated crypto libraries, and are exposed network services
Internet Attacks – The Gory Details slide 160 of 172
SSL
• Well-documented and ver. 3 is probably ok
• Implemented by openssl…
• …which uses X.509…
• …which uses ASN.1…
• …which is complicated, a monoculture, and has had several bugs exposed
• Can you jail the SSL parts of your web server? (I have: sslwrap + chroot)
slide 161 of 172
Authentication
Internet Attacks – The Gory Details slide 162 of 172
Security doesn’t need to be inconvenient
• Modern hotel room keys
• Modern car keys
Internet Attacks – The Gory Details slide 163 of 172
Some solutions: Hardware tokens
Digital Pathways SNK-004
• SecurID
– time-based
• S/Key
– software or printout solution
• Many others
– usually proprietary server software
– New USB dongles are just the ticket!
Internet Attacks – The Gory Details slide 164 of 172
One-time Passwords
RISC/os (inet)
Authentication Server.
Id? ches
Enter response code for 70202: 04432234
Destination? cetus$
Internet Attacks – The Gory Details slide 165 of 172
How does it work? Server and client share a secret key
[Diagram: Client and Server, each labelled “Secret key”]
Internet Attacks – The Gory Details slide 166 of 172
How does it work? Server generates a unique challenge
[Diagram: Client and Server, each holding the secret key; challenge 70202]
![Page 156: Slide 1 of 172 Internet Attacks: The Gory Details Bill Cheswick ches@lumeta.com](https://reader038.vdocuments.site/reader038/viewer/2022102907/56649ddd5503460f94ad60ec/html5/thumbnails/156.jpg)
Internet Attacks – The Gory Details slide 167 of 172
How does it work? The client encrypts the challenge with key…
[Diagram: Client and Server, each holding the secret key; 70202]
![Page 157: Slide 1 of 172 Internet Attacks: The Gory Details Bill Cheswick ches@lumeta.com](https://reader038.vdocuments.site/reader038/viewer/2022102907/56649ddd5503460f94ad60ec/html5/thumbnails/157.jpg)
Internet Attacks – The Gory Details slide 168 of 172
How does it work? …and returns the result
[Diagram: Client and Server, each holding the secret key; 70202; 04432234]
![Page 158: Slide 1 of 172 Internet Attacks: The Gory Details Bill Cheswick ches@lumeta.com](https://reader038.vdocuments.site/reader038/viewer/2022102907/56649ddd5503460f94ad60ec/html5/thumbnails/158.jpg)
Internet Attacks – The Gory Details slide 169 of 172
How does it work? The server checks the result
[Diagram: Client and Server, each holding the secret key; 70202; 04432234; 04432234]
![Page 159: Slide 1 of 172 Internet Attacks: The Gory Details Bill Cheswick ches@lumeta.com](https://reader038.vdocuments.site/reader038/viewer/2022102907/56649ddd5503460f94ad60ec/html5/thumbnails/159.jpg)
Internet Attacks – The Gory Details slide 170 of 172
One-time passwords
• The client proves he has the key, without revealing it
• With hardware, he may not even know the key
• The keys are computer-generated
  – no weak passwords
• If the challenges don’t repeat, an eavesdropper can’t predict the answer, unless the encryption (DES) is broken
![Page 160: Slide 1 of 172 Internet Attacks: The Gory Details Bill Cheswick ches@lumeta.com](https://reader038.vdocuments.site/reader038/viewer/2022102907/56649ddd5503460f94ad60ec/html5/thumbnails/160.jpg)
Internet Attacks – The Gory Details slide 171 of 172
One-time passwords
• The key can be generated from a password, but the challenge/response pair is subject to a dictionary attack
• This extra work for the user is worth the effort:
  – very strong authentication
  – spies use this
  – needs about a page of C code
  – can be implemented in a remote authentication server
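The challenge/response exchange walked through on the preceding slides, as an added example that is not code from the talk. The slides name DES as the cipher; this sketch substitutes HMAC-SHA-256 as the keyed function, and `AuthServer`, `response_for` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import secrets


def response_for(key: bytes, challenge: str) -> str:
    # Keyed function of the challenge, cut to 8 decimal digits.
    # Assumption: HMAC-SHA-256 stands in for the DES step on the slides.
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**8:08d}"


class AuthServer:
    """Hypothetical server side: issues challenges and checks responses."""

    def __init__(self):
        self.keys = {}      # user id -> shared secret key
        self.pending = {}   # user id -> challenge awaiting a response
        self.counter = secrets.randbelow(90000) + 10000

    def enroll(self, user: str) -> bytes:
        # Computer-generated key: no weak, guessable password involved.
        self.keys[user] = secrets.token_bytes(16)
        return self.keys[user]

    def challenge(self, user: str) -> str:
        # A counter never repeats, so an old response is useless later.
        self.counter += 1
        self.pending[user] = str(self.counter)
        return self.pending[user]

    def verify(self, user: str, response: str) -> bool:
        # pop() makes each challenge single-use, even after a failure.
        chal = self.pending.pop(user, None)
        if chal is None or user not in self.keys:
            return False
        expected = response_for(self.keys[user], chal)
        return hmac.compare_digest(expected, response)


def demo():
    server = AuthServer()
    key = server.enroll("ches")                  # loaded into the token
    first = response_for(key, server.challenge("ches"))
    ok = server.verify("ches", first)            # correct response
    resubmitted = server.verify("ches", first)   # no challenge pending
    server.challenge("ches")                     # fresh challenge issued
    replayed = server.verify("ches", first)      # old answer, new challenge
    return ok, resubmitted, replayed
```

The key never crosses the wire; only the challenge and the eight-digit response do, which is why a captured response does not help against the next challenge.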
![Page 161: Slide 1 of 172 Internet Attacks: The Gory Details Bill Cheswick ches@lumeta.com](https://reader038.vdocuments.site/reader038/viewer/2022102907/56649ddd5503460f94ad60ec/html5/thumbnails/161.jpg)
Internet Attacks – The Gory Details slide 172 of 172
Human-computed one-time password: a research project
challenge: 00193 Wed Sep 11 11:22:09 2002
response: ab0dh1kd0jkfj1kye./
![Page 162: Slide 1 of 172 Internet Attacks: The Gory Details Bill Cheswick ches@lumeta.com](https://reader038.vdocuments.site/reader038/viewer/2022102907/56649ddd5503460f94ad60ec/html5/thumbnails/162.jpg)
Internet Attacks – The Gory Details slide 173 of 172
Not Gory Enough For You?
• Bugtraq mailing list
• Firewalls and Internet Security
• Chapman and Zwicky
• Keyword search in search engines for hacking tools
  – “rootkit”
![Page 163: Slide 1 of 172 Internet Attacks: The Gory Details Bill Cheswick ches@lumeta.com](https://reader038.vdocuments.site/reader038/viewer/2022102907/56649ddd5503460f94ad60ec/html5/thumbnails/163.jpg)
Internet Attacks – The Gory Details slide 174 of 172
![Page 164: Slide 1 of 172 Internet Attacks: The Gory Details Bill Cheswick ches@lumeta.com](https://reader038.vdocuments.site/reader038/viewer/2022102907/56649ddd5503460f94ad60ec/html5/thumbnails/164.jpg)
Internet Attacks – The Gory Details slide 175 of 172
Questions
• http://research.lumeta.com/ches/
• Yes, I’d love to sign your book