Security Operation Center - ntnu.edu.t · About me: 劉俊雄, OuTian [email protected]...
-
Arp Attack
Session Hijacking
Man In The Middle
DOS & DDOS
-
2007/2008/2009 0day
CEH (Certified Ethical Hacker)
-
-
TearDrop
Land
Ping of Death
Smurf
Fraggle
SYN Flood
//Sniffing
Man-In-The-Middle
Session Hijacking
-
Ex: MS08-001
Buffer Overflow
Format String
Race Condition
SQL Injection
Code/Command Injection
Arbitrary File Inclusion
-
MS08-001
Microsoft Windows TCP/IP IGMP MLD
Remote Code Execution Vulnerability
Microsoft Advisory
http://support.microsoft.com/kb/941644
Exploiting
http://immunityinc.com/documentation/ms08_001.html
-
Immunity CANVAS
http://immunityinc.com/products-canvas.shtml
Core Impact
http://www.coresecurity.com/content/core-impact-overview
Metasploit
http://www.metasploit.com/
-
Arp Attack
-
Man-In-The-Middle / Session Hijacking
-
// ARP: ARP Table / MAC (Ex: netcut)
// ARP / IP
Mac Flooding: Switch Mac-Address-Table
ARP Spoofing: IP Forwarding
-
Hub (Layer 1) [ HUB ]
Hosts: 192.168.1.1 (MAC: AA), 192.168.1.2 (MAC: BB), 192.168.1.3 (MAC: CC); gateway 192.168.1.254 (MAC: EE) -> Go To Internet ~
AA => FF (Broadcast): who is 192.168.1.254 ? Tell 192.168.1.1
BB, CC: Not Me ! / EE: Is Me !
EE => AA (Unicast): 192.168.1.254 in EE
AA's ARP table: 192.168.1.254 EE
-
Switch (Layer 2) [ SWITCH ]
Hosts: 192.168.1.1 (MAC: AA), 192.168.1.2 (MAC: BB), 192.168.1.3 (MAC: CC); gateway 192.168.1.254 (MAC: EE) -> Go To Internet ~
AA => FF (Broadcast): who is 192.168.1.254 ? Tell 192.168.1.1
BB, CC: Not Me ! / EE: Is Me !
EE => AA (Unicast): 192.168.1.254 in EE
AA's ARP table: 192.168.1.254 EE
Switch Mac-Address-Table: AA, EE
AA => EE: AA's traffic to the gateway is switched to EE's port only
-
Netcut [ SWITCH ]
Hosts: 192.168.1.1 (MAC: AA), 192.168.1.2 (MAC: BB), 192.168.1.3 (MAC: CC); gateway 192.168.1.254 (MAC: EE) -> Go To Internet ~
AA => FF (Broadcast): who is 192.168.1.254 ? Tell 192.168.1.1
EE: Is Me ! / EE => AA (Unicast): 192.168.1.254 in EE
?? => FF: 192.168.1.254 in XX (forged reply carrying a MAC that no host owns)
AA's ARP table: 192.168.1.254 XX
Switch Mac-Address-Table: AA, EE
AA => XX: AA's traffic to the gateway goes to a MAC nobody has, so AA is cut off from the Internet
-
Arp Spoofing [ SWITCH ]
Hosts: 192.168.1.1 (MAC: AA), 192.168.1.2 (MAC: BB), 192.168.1.3 (MAC: CC); gateway 192.168.1.254 (MAC: EE) -> Go To Internet ~
AA => FF (Broadcast): who is 192.168.1.254 ? Tell 192.168.1.1
EE: Is Me ! / EE => AA (Unicast): 192.168.1.254 in EE
BB => AA: 192.168.1.254 in BB (forged reply from the attacker)
AA's ARP table: 192.168.1.254 BB
Switch Mac-Address-Table: AA, EE, BB
AA => BB: AA's gateway traffic now goes to BB, which can pass it on to EE (IP Forwarding) and sit in the middle
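A detector for the situation the slide draws: the gateway IP (192.168.1.254) suddenly maps to a different MAC, and one MAC (BB) answers for more than one IP. This is an added example, not code from the slides; the ARP reply lines are constructed.

```python
"""Detect ARP spoofing from a stream of ARP replies (added example, not from the slides)."""
from collections import defaultdict

# Constructed ARP replies in "<ip> is-at <mac>" form, following the slide's LAN:
# AA/BB/CC are hosts, EE is the real gateway, then BB forges a reply for the gateway.
SAMPLE_ARP_REPLIES = """
192.168.1.254 is-at ee:ee:ee:ee:ee:ee
192.168.1.1 is-at aa:aa:aa:aa:aa:aa
192.168.1.254 is-at ee:ee:ee:ee:ee:ee
192.168.1.254 is-at bb:bb:bb:bb:bb:bb
192.168.1.2 is-at bb:bb:bb:bb:bb:bb
"""


def parse_reply(line):
    """Split one reply line into (ip, mac); raise on anything else."""
    ip, keyword, mac = line.split()
    if keyword != "is-at":
        raise ValueError(f"not an ARP reply: {line!r}")
    return ip, mac.lower()


def detect_arp_spoofing(lines, trusted=None):
    """Return (alerts, table). `trusted` is a static ip->mac map, e.g. the gateway,
    which a reply seen on the wire is never allowed to overwrite."""
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    claims = defaultdict(set)  # mac -> every IP it has answered for
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ip, mac = parse_reply(line)
        claims[mac].add(ip)
        known = table.get(ip)
        if known is None:
            table[ip] = mac  # first sighting: learn it
        elif known != mac:
            alerts.append(f"{ip}: MAC changed {known} -> {mac} (possible ARP spoofing)")
    for mac in sorted(claims):  # the attacker's MAC speaks for its own IP and the gateway's
        if len(claims[mac]) > 1:
            alerts.append(f"{mac} answers for several IPs: {sorted(claims[mac])}")
    return alerts, table
```

Pinning the gateway in `trusted` is the same idea as a static ARP entry on the host: the forged reply is reported but never replaces the real binding.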
-
Man In The Middle
-
(Session Hijacking)
-
Layer 2
ARP [LAN]
Layer 3
DHCP Spoofing [LAN]
DNS Spoofing [LAN][INTERNET]
DNS Cache Poisoning [LAN][INTERNET]
Layer 7
Proxy [LAN] [INTERNET]
-
Layer 2
ARP Spoofing
ARP Table
IP Forwarding / Man In The Middle
IP Smart Spoofing
-
IP Smart Spoofing
-
Layer 3
DHCP Spoofing
DHCP Request / DHCP Reply: IP / Gateway / DNS
DNS / Gateway: Man In The Middle
-
Layer 3
DNS Spoofing
DNS: DN -> IP
Man In The Middle
-
Layer 3
DNS Cache Poisoning
DNS Spoofing / DNS
PORT / Query ID: DNS Server DN -> IP Cache
DNS Server: Man In The Middle
http://www.checkpoint.com/defense/advisories/public/dnsvideo/index.html
-
Layer 7
Proxy
Proxy / Man In The Middle
Proxy Server
SSL
Transparent Proxy
In-Line Mode Transparent Proxy
Router / WCCP
Gateway IP/PORT Rewrite
SSL
-
Session Hijacking
-
root
/
Session ID
-
Layer 2
ARP [LAN]
Layer 7
Cookie & Session ID [LAN] [INTERNET]
-
Layer 2
ARP Spoofing
ARP Table
IP Forwarding / Man In The Middle
RST
-
Layer 7
Cookie Spoofing
Cookie/Session ID
Cookie / Session
Proxy
Session ID
Session ID
Session
-
Cookie
GET /test.asp HTTP/1.1
Host: www.example.com
HTTP/1.1 200 OK
Set-Cookie: name=ABC
GET /test.asp HTTP/1.1
Host: www.example.com
Cookie: name=ABC
Cookie Table
Domain Path Name Value
www.example.com / Name ABC
-
Session
POST /test.asp HTTP/1.1
Host: www.example.com
Content-Length: 8
name=XYZ
HTTP/1.1 200 OK
Set-Cookie: SESSID=bbbb
GET /test.asp HTTP/1.1
Host: www.example.com
Cookie: SESSID=bbbb
SESSID: aaaa -> name=ABC
SESSID: bbbb -> name=XYZ
Cookie Table
Domain Path Name Value
www.example.com / SESSID bbbb
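The session side of the exchange above, with the mitigation that matters for hijacking: the browser holds only an opaque SESSID, the server issues a fresh one when the POST changes the session's state, and the old one stops working. This is an added example, not code from the slides; the fixed ids aaaa/bbbb and the `id_factory` hook are constructed so the flow is reproducible.

```python
"""Server-side session store that retires a SESSID on regeneration (added example)."""
import secrets


class SessionStore:
    """Maps an opaque SESSID (the only thing the browser holds) to server-side data."""

    def __init__(self, id_factory=None):
        # id_factory lets a test supply fixed ids; production draws from secrets.
        self._new_id = id_factory or (lambda: secrets.token_urlsafe(32))
        self._sessions = {}

    def create(self, data):
        sid = self._new_id()
        self._sessions[sid] = dict(data)
        return sid

    def lookup(self, sid):
        """Return the session data, or None for an unknown or retired SESSID."""
        return self._sessions.get(sid)

    def regenerate(self, old_sid, data):
        """Issue a fresh SESSID (e.g. after the POST that replaces name=ABC with
        name=XYZ) and retire the old one, so an id copied earlier is useless."""
        if old_sid not in self._sessions:
            return None
        del self._sessions[old_sid]
        return self.create(data)


def set_cookie_header(sid):
    """Set-Cookie for SESSID: HttpOnly keeps page scripts from reading it,
    Secure keeps it off plaintext HTTP where a sniffer or proxy could copy it."""
    return f"Set-Cookie: SESSID={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def login_flow(store):
    """Replays the slide's exchange: session aaaa with name=ABC, then the POST
    yields a new session bbbb with name=XYZ."""
    anon = store.create({"name": "ABC"})               # Set-Cookie: SESSID=aaaa
    authed = store.regenerate(anon, {"name": "XYZ"})   # Set-Cookie: SESSID=bbbb
    return anon, authed
```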
-
DOS && DDOS
-
DOS/DDOS
DOS Denial Of Service
DDOS Distributed DOS
-
-
ISP
IP
-
DOS
Incoming
Outgoing
Performance
CPU
Chip
Capacity
Memory
Session Table
Disk Space
-
DOS
-
DDOS Attack
Teardrop
Land
Smurf
Fraggle
Ping of Death
-
IP Header
-
TCP/UDP Header
TCP
UDP
-
Teardrop
TCP bug -> Crash
Firewall Server
Windows 3.1 / 95 / NT
Linux kernel < 2.0.32 / 2.1.63
-
Teardrop
-
Land
Source/Destination IP TCP SYN -> Crash
Firewall Server
AIX 3
FreeBSD 2.2.5
IRIX 5.3
NetBSD 1.3
SunOS 4.1.4
Windows 95 / NT
-
Smurf
icmp echo-request -> Broadcast Address
icmp echo-reply
Firewall
Internet Router: Broadcast Address (no ip directed-broadcast)
Windows ?? ICMP Broadcast
Linux (net.ipv4.icmp_echo_ignore_broadcasts)
-
Smurf
-
Fraggle
udp Broadcast Address
port 7 (echo)
port 19 (chargen)
UDP
Firewall
Internet Router: Broadcast Address (no ip directed-broadcast)
UDP
-
Ping of Death
65535 bytes ping
router / MTU
Crash
1997-1998 OS
Firewall Server
-
Internet DDOS
Sessionless =>
SYN Flood
ACK/RST Flood
UDP/ICMP Flood
IP Fragment Attack
Full Connection
Connection Flood
Zombie Connection
SSL Flood
HTTP Flood
Application Flood
-
DDoS
IP Header
TCP/UDP Header
Application Header
Limit Connect/s
Limit Concurrent Connections
SYN Proxy
SYN Cookies
-
DDoS
Limit Request/s
JavaScript/Cookie Challenge
Challenge/Response
-
SYN Flood
SYN: Session Table SYN_RCVD
[] > [Timeout]
SYN Proxy / Server
Table
timeout
SYN Cookie
RFC 4987
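SYN cookies, the last item on this slide, worked through: the server encodes what it would otherwise keep in a SYN_RCVD table entry into the initial sequence number of its SYN/ACK, so a flood of SYNs has no table to fill. This is an added example, not code from the slides or RFC 4987; the key, the MSS table and the 5/3/24-bit layout are constructed here, modelled on the classic scheme.

```python
"""Stateless SYN cookies: encode and validate the SYN/ACK sequence number (added example)."""
import hashlib
import hmac

SECRET = b"constructed-secret-rotate-in-production"
MSS_TABLE = (536, 1300, 1440, 1460)  # encodable MSS values, 3-bit index (constructed)
COOKIE_WINDOW = 2                    # accept cookies up to 2 ticks (128 s) old


def _tick(now):
    """5-bit counter that advances every 64 seconds."""
    return (int(now) >> 6) & 0x1F


def _mac24(saddr, daddr, sport, dport, tick):
    """24-bit keyed hash over the connection 4-tuple and the tick."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, mss, now):
    """ISN for the SYN/ACK: [5 bits tick][3 bits MSS index][24 bits MAC]."""
    tick = _tick(now)
    idx = 0
    for i, m in enumerate(MSS_TABLE):  # largest table entry <= the client's MSS
        if m <= mss:
            idx = i
    return (tick << 27) | (idx << 24) | _mac24(saddr, daddr, sport, dport, tick)


def check_syn_cookie(saddr, daddr, sport, dport, cookie, now):
    """Validate (client ACK - 1) when the third packet of the handshake arrives.
    Returns the MSS to use, or None if the cookie is stale or forged; only then
    does the server allocate connection state."""
    tick = (cookie >> 27) & 0x1F
    age = (_tick(now) - tick) & 0x1F
    if age > COOKIE_WINDOW:
        return None
    if (cookie & 0xFFFFFF) != _mac24(saddr, daddr, sport, dport, tick):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]
```

The trade-off the RFC notes is visible in the code: only a few MSS values survive the round trip, and a SYN/ACK that is lost cannot be retransmitted because nothing about it was stored.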
-
SYN Flood DDOS Attack
TCP
Client Server
Session Table
Client Server
SYN Flooding
-
TCP State
-
SYN = 64 bytes
1Mbps 2000 pps SYN
100Mbps 200,000 pps SYN
500Mbps 1,000,000 pps SYN
New Session/s
-
100 Mbps
~ 200,000 pps
1000 Mbps ~ 2,000,000 pps
10Gbps !?
CPU
NIC
Linux
UNIX-based
Windows
-
On Linux 2.6 kernel
Intel chip NIC
NoteBook Thinkpad X61s
500,000 pps (in Gigabit LAN)
1 Gbps
unlimited concurrent connections (!?)
Server Dell PowerEdge R805 800,000 pps
1 ~ 10 Gbps
-
RFC 4987
TCP SYN Flooding Attacks and Common Mitigations
Filtering
Increasing Backlog
Reducing SYN-RECEIVED Timer
Recycling the Oldest Half-Open TCB
SYN Cache
SYN Cookies
Hybrid Approaches
Firewalls and Proxies
-
ACK/RST Flood
ACK/RST
Firewall / Proxy / L4: Session Table RST ( Drop )
Outbound
Stateful Firewall L4 Drop
-
SYN/ACK/RST Flood
Before WinXP sp1: hping
HGod
After WinXP sp1: WinPcap Library
Linux tfn/tfn2k
juno.c
synk4.c
netflood.cpp
d0s.pl
-
Hgod
-
UDP/ICMP Flood
UDP/ICMP
overhead / TCP
Firewall ACL
IPS
QOS / PPS
-
UDP Floods
Windows
Linux
pktgen (kernel module)
-
Fragment Packet Flood
-
Connection Flood
TCP
Firewall/IPS Connection Per Second
timeout
CPS
Proxy/L4
-
Zombie Connection
TCP
Session Table
Firewall/IPS IP
timeout
Proxy/L4
-
SSL Flood
SSL Handshake
SSL
SSL Offload
SSL Session Re-Use
SSL Accelerator
-
SSL Handshake (Client <-> Server)
Client -> Server: ClientHello (Supported SSL/TLS Version / Cipher Method / Session ID / Random Data)
Server -> Client: ServerHello (Used SSL/TLS Version / Cipher Method / Session ID / Random Data)
Server -> Client: Certificate (Chain of Certificate / Public Key)
Server -> Client: ServerHelloDone
Client -> Server: ClientKeyExchange (Send client key encrypted by server's public key)
Client -> Server: ChangeCipherSpec
Client -> Server: Finished (Verify Cipher/Key)
Server -> Client: ChangeCipherSpec
Server -> Client: Finished (Verify Cipher/Key)
-
HTTP Flood
HTTP Request
Request
Firewall/IPS IP
IP (ex: mod_evasive)
L7 (Cookie)
-
HTTP Flood
ab (Apache Benchmark): http://httpd.apache.org/
JMeter: http://jakarta.apache.org/jmeter/
Siege: http://www.joedog.org/siege/
Microsoft Web Application Stress Tool: http://www.microsoft.com/technet/archive/itsolutions/intranet/downloads/webstres.mspx
Many tools: http://www.softwareqatest.com/qatweb1.html
-
Microsoft Web Application Stress Tool
-
Firewall
IPS / IDP
Intrusion Detection&Prevention System
Application Delivery Controller
L4 Load Balancer
ADC
DDoS
-
Firewall
-
IPS
-
Application Delivery Controller