SlideShare uma empresa Scribd logo

Botnets Attacks.pptx

Transferir como PPTX, PDF
M
MuhammadRehan856177

DDoS, Malware, Botnets attacks and mitigations

Engenharia
1 de 38
Lecture 6 DDoS, Malware, Botnets attacks and mitigations Author: Muhammad Rehan
Objective • OS security • Malware, Botnet, Computer Virus, Rootkit, Morris Worm • Network attacks such as distributed denial of service (DDOS) • DDoS attacks and mitigation • What Is Botnet? Definition, Methods, Attack Examples, and Prevention Best Practices for 2022
Operating system security Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions.
Important functions of OS • Security • Control over system performance • Job accounting • Error detecting aids • Coordination between other software and users • Memory Management • Processor Management • Device Management
Malware Features & Types • Infectious: • Viruses, worms • Concealment: • Trojan horses, logic bombs, rootkits • Malware for stealing information: • Spyware, keyloggers, screen scrapers • Malware for profit: • Dialers, scarewares, ransomware • Malware as platform for other attacks • Botnets, backdoors (trapdoors) • Many malwares have characteristics of multiple types
Trojan Horse Example: Attacker: Place the following file cp /bin/sh /tmp/.xxsh chmod u+s,o+x /tmp/.xxsh rm ./ls ls $* as /homes/victim/ls • Victim ls • Software that appears to perform a desirable function for the user prior to run or install, but (perhaps in addition to the expected function) steals information or harms the system. • User tricked into executing Trojan horse – Expects (and sees) overt and expected behavior – Covertly perform malicious acts with user’s authorization
Trapdoor or Backdoor • Secret entry point into a system • Specific user identifier or password that circumvents normal security procedures. • Commonly used by developers • Could be included in a compiler.
Logic Bomb • Embedded in legitimate programs • Activated when specified conditions met • E.g., presence/absence of some file; Particular date/time or particular user • When triggered, typically damages system • Modify/delete files/disks
Example of Logic Bomb • In 1982, the Trans-Siberian Pipeline incident occurred. A KGB operative was to steal the plans for a sophisticated control system and its software from a Canadian firm, for use on their Siberian pipeline. The CIA was tipped off by documents in the Farewell Dossier and had the company insert a logic bomb in the program for sabotage purposes. This eventually resulted in "the most monumental non- nuclear explosion and fire ever seen from space“.
Spyware • Malware that collects little bits of information at a time about users without their knowledge • Keyloggers: stealthly tracking and logging key strokes • Screen scrapers: stealthly reading data from a computer display • May also tracking browsing habit • May also re-direct browsing and display ads
Scareware • Malware that scares victims into take actions that ultimately end up compromising our own security. • E.g., paying for and installing fake anti-virus products
Ransomware • Holds a computer system, or the data it contains, hostage against its user by demanding a ransom. • Disable an essential system service or lock the display at system startup • Encrypt some of the user's personal files, originally referred to as cryptoviruses, cryptotrojans or cryptoworms • Victim user has to • enter a code obtainable only after wiring payment to the attacker or sending an SMS message • buy a decryption or removal tool
Virus • Attach itself to a host (often a program) and replicate itself • Self-replicating code • Self-replicating Trojan horses • Alters normal code with “infected” version • Operates when infected code executed If spread condition then For target files if not infected then alter to include virus Perform malicious action Execute normal program
Worm • Self-replicating malware that does not require a host program • Propagates a fully working version of itself to other machines • Carries a payload performing hidden tasks • Backdoors, spam relays, DDoS agents; … • Phases • Probing  Exploitation  Replication  Payload
General Worm Trends • Speed of spreading • Slow to fast to stealthy • Vector of infection • Single to varied • Exploiting software vulnerabilities to exploiting human vulnerabilities • Payloads • From “no malicious payloads beyond spreading” to botnets, spywares, and physical systems
Morris Worm (November 1988) • First major worm • Written by Robert Morris • Son of former chief scientist of NSA’s National Computer Security Center What comes next: 1 11 21 1211 111221?
Morris Worm Description • Two parts • Main program to spread worm • look for other machines that could be infected • try to find ways of infiltrating these machines • Vector program (99 lines of C) • compiled and run on the infected machines • transferred main program to continue attack
Vector 1: Debug feature of sendmail • Sendmail • Listens on port 25 (SMTP port) • Some systems back then compiled it with DEBUG option on • Debug feature gives • The ability to send a shell script and execute on the host
Vector 2: Exploiting fingerd • What does finger do? • Finger output arthur.cs.purdue.edu% finger ninghui Login name: ninghui In real life: Ninghui Li Directory: /homes/ninghui Shell: /bin/csh Since Sep 28 14:36:12 on pts/15 from csdhcp-120-173 (9 seconds idle) New mail received Tue Sep 28 14:36:04 2020; unread since Tue Sep 28 14:36:05 2020 No Plan.
Vector 2: Exploiting fingerd • Fingerd • Listen on port 79 • It uses the function gets • Fingerd expects an input string • Worm writes long string to internal 512-byte buffer • Overrides return address to jump to shell code
Vector 3: Exploiting Trust in Remote Login • Remote login on UNIX • rlogin, rsh • Trusting mechanism • Trusted machines have the same user accounts • Users from trusted machines • /etc/host.equiv – system wide trusted hosts file • /.rhosts and ~/.rhosts – users’ trusted hosts file Host aaa.xyz.com /etc/host.equiv bbb.xyz.com Host bbb.xyz.com User alice rlogin
Other Features of The Worm • Self-hiding • Program is shown as 'sh' when ps • Files didn’t show up in ls • Find targets using several mechanisms: • 'netstat -r -n‘, /etc/hosts, … • Compromise multiple hosts in parallel • When worm successfully connects, forks a child to continue the infection while the parent keeps trying new hosts • Worm has no malicious payload • Where does the damage come from?
Damage • One host may be repeatedly compromised • Supposedly designed to gauge the size of the Internet • The following bug made it more damaging. • Asks a host whether it is compromised; however, even if it answers yes, still compromise it with probability 1/8. CS526 Topic 10: Malware 23
Zombie & Botnet • Secretly takes over another networked computer by exploiting software flows • Builds the compromised computers into a zombie network or botnet • a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. • Uses it to indirectly launch attacks • E.g., DDoS, phishing, spamming, cracking
Rootkit • A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. • Emphasis is on hiding information from administrators’ view, so that malware is not detected • E.g., hiding processes, files, opened network connections, etc • Example: Sony BMG copy protection rootkit scandal • In 2005, Sony BMG included Extended Copy Protection on music CDs, which are automatically installed on Windows on CDs are played.
Types of Rootkits • User-level rootkits • Replace utilities such as ps, ls, ifconfig, etc • Replace key libraries • Detectable by utilities like tripwire • Kernel-level rootkits • Replace or hook key kernel functions • Through, e.g., loadable kernel modules or direct kernel memory access • A common detection strategy: compare the view obtained by enumerating kernel data structures with that obtained by the API interface • Can be defended by kernel-driver signing (required by 64-bit windows)
How does a computer get infected with malware or being intruded? • Executes malicious code via user actions (email attachment, download and execute trojan horses, or inserting USB drives) • Buggy programs accept malicious input • daemon programs that receive network traffic • client programs (e.g., web browser, mail client) that receive input data from network • Programs Read malicious files with buggy file reader program • Configuration errors (e.g., weak passwords, guest accounts, DEBUG options, etc) • Physical access to computer
Background Information: Denial of Service Attacks • Denial of Service Attack: an attack on a computer or network that prevents legitimate use of its resources. • DoS Attacks Affect: • Software Systems • Network Routers/Equipment/Servers • Servers and End-User PCs
Classification of DoS Attacks Attack Affected Area Example Description Network Level Device Routers, IP Switches, Firewalls Ascend Kill II, “Christmas Tree Packets” Attack attempts to exhaust hardware resources using multiple duplicate packets or a software bug. OS Level Equipment Vendor OS, End- User Equipment. Ping of Death, ICMP Echo Attacks, Teardrop Attack takes advantage of the way operating systems implement protocols. Application Level Attacks Finger Bomb Finger Bomb, Windows NT RealServer G2 6.0 Attack a service or machine by using an application attack to exhaust resources. Data Flood (Amplification, Oscillation, Simple Flooding) Host computer or network Smurf Attack (amplifier attack) UDP Echo (oscillation attack) Attack in which massive quantities of data are sent to a target with the intention of using up bandwidth/processing resources. Protocol Feature Attacks Servers, Client PC, DNS Servers SYN (connection depletion) Attack in which “bugs” in protocol are utilized to take down network resources. Methods of attack include: IP address spoofing, and corrupting DNS server cache.
Countermeasures of DoS attacks Attack Countermeasure Options Example Description Network Level Device Software patches, packet filtering Ingress and Egress Filtering Software upgrades can fix known bugs and packet filtering can prevent attacking traffic from entering a network. OS Level SYN Cookies, drop backlog connections, shorten timeout time SYN Cookies Shortening the backlog time and dropping backlog connections will free up resources. SYN cookies proactively prevent attacks. Application Level Attacks Intrusion Detection System GuardDog, other vendors. Software used to detect illicit activity. Data Flood (Amplification, Oscillation, Simple Flooding) Replication and Load Balancing Akami/Digital Island provide content distribution. Extend the volume of content under attack makes it more complicated and harder for attackers to identify services to attack and accomplish complete attacks. Protocol Feature Attacks Extend protocols to support security. ITEF standard for itrace, DNSSEC Trace source/destination packets by a means other than the IP address (blocks against IP address spoofing). DNSSEC would provide authorization and authentication on DNS information.
Distributed Denial Of Service Attack What is a Distributed Denial of Service Attack? As Defined by the World Wide Web Security FAQ: A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the Denial of Service significantly by harnessing the resources of multiple unwitting accomplice computers which serve as attack platforms. Typically a DDoS master program is installed on one computer using a stolen account. The master program, at a designated time, then communicates to any number of "agent" programs, installed on computers anywhere on the internet. The agents, when they receive the command, initiate the attack. Using client/server technology, the master program can initiate hundreds or even thousands of agent programs within seconds.
Widely used DDoS Programs • Trinoo (TCP connectivity between master and hosts) • Tribe Flood Network (Allows for UDP flooding, TCP SYN, ICMP flood, smurf attacks and can pass through firewalls) • TFN2K (Provides no authentication, so that only one packet captured will identify the source.) • stacheldraht (Provides ICMP, UDP, and TCP SYN attack options)
Common DDoS Countermeasures • Prevent Initial Hack • Use of Firewalls and Demilitarized Zone • Check Ingress/Egress Packets • Use a server farm and load balancer to offset the effects of a DDoS attack • Prevent SYN flood attacks by discarding the first SYN packet (causes delay for legitimate users) • Change IP address of attacked system (problem for updating legitimate users of new system IP address)
What Is Botnet? Definition, Methods, Attack Examples, and Prevention Best Practices for 2022 What Is a Botnet? A botnet is defined as a cyberattack that uses multiple networked devices to run one or more bots on each device and then uses this swarm of infected devices to attack a server, company website, or other devices or individuals.
Botnets Attacks.pptx
Botnets Attacks.pptx
Botnets Attacks.pptx
Botnets Attacks.pptx

Recomendados

Information about malwares and Attacks.pptx
Information about malwares and Attacks.pptxInformation about malwares and Attacks.pptx
Information about malwares and Attacks.pptx
malikmuzammil2326
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdf
RohitGautam261127
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomware
Sophos Benelux
 
Protection from hacking attacks
Protection from hacking attacksProtection from hacking attacks
Protection from hacking attacks
Sugirtha Jasmine M
 
Virus and its CounterMeasures -- Pruthvi Monarch
Virus and its CounterMeasures -- Pruthvi Monarch Virus and its CounterMeasures -- Pruthvi Monarch
Virus and its CounterMeasures -- Pruthvi Monarch
Pruthvi Monarch
 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software
rajakhurram
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
G Prachi
 
list of Deception as well as detection techniques for maleware
list of Deception as well as detection techniques for malewarelist of Deception as well as detection techniques for maleware
list of Deception as well as detection techniques for maleware
AJAY VISHKARMA
 

Recomendados

Information about malwares and Attacks.pptx
Information about malwares and Attacks.pptxInformation about malwares and Attacks.pptx
Information about malwares and Attacks.pptx
malikmuzammil2326
 
unit 2 confinement techniques.pdf
unit 2 confinement techniques.pdfunit 2 confinement techniques.pdf
unit 2 confinement techniques.pdf
RohitGautam261127
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomware
Sophos Benelux
 
Protection from hacking attacks
Protection from hacking attacksProtection from hacking attacks
Protection from hacking attacks
Sugirtha Jasmine M
 
Virus and its CounterMeasures -- Pruthvi Monarch
Virus and its CounterMeasures -- Pruthvi Monarch Virus and its CounterMeasures -- Pruthvi Monarch
Virus and its CounterMeasures -- Pruthvi Monarch
Pruthvi Monarch
 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software
rajakhurram
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
G Prachi
 
list of Deception as well as detection techniques for maleware
list of Deception as well as detection techniques for malewarelist of Deception as well as detection techniques for maleware
list of Deception as well as detection techniques for maleware
AJAY VISHKARMA
 
ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKING
Sweta Leena Panda
 
Computer security: hackers and Viruses
Computer security: hackers and VirusesComputer security: hackers and Viruses
Computer security: hackers and Viruses
Wasif Ali Syed
 
Tools and methods used in cybercrime
Tools and methods used in cybercrimeTools and methods used in cybercrime
Tools and methods used in cybercrime
patelripal99
 
Inetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationInetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentation
Joshua Prince
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber security
Geevarghese Titus
 
Ch14 security
Ch14 securityCh14 security
Ch14 security
Welly Dian Astika
 
6unit1 virus and their types
6unit1 virus and their types6unit1 virus and their types
6unit1 virus and their types
Neha Kurale
 
Ransomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataRansomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your Data
Inderjeet Singh
 
Malware part 2
Malware part 2Malware part 2
Malware part 2
ShouaQureshi
 
Computer Security and Ethics
Computer Security and EthicsComputer Security and Ethics
Computer Security and Ethics
Mohsin Riaz
 
Virus vs worms vs trojans
Virus vs worms vs trojansVirus vs worms vs trojans
Virus vs worms vs trojans
Sreekanth Narendran
 
Cyber security:Tools used in cyber crime
Cyber security:Tools used in cyber crimeCyber security:Tools used in cyber crime
Cyber security:Tools used in cyber crime
nidhidgowda185
 
Network security and firewalls
Network security and firewallsNetwork security and firewalls
Network security and firewalls
Murali Mohan
 
Isys20261 lecture 05
Isys20261 lecture 05Isys20261 lecture 05
Isys20261 lecture 05
Wiliam Ferraciolli
 
Cryptography and Network security # Lecture 3
Cryptography and Network security # Lecture 3Cryptography and Network security # Lecture 3
Cryptography and Network security # Lecture 3
Kabul Education University
 
Computer security
Computer securityComputer security
Computer security
Mahesh Singh Madai
 
Session Slide
Session SlideSession Slide
Session Slide
Muralidharan Radhakrishnan
 
Computer Virus
Computer VirusComputer Virus
Computer Virus
diarfirstdiarfirst
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
Rishabha Garg
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Eric Vanderburg
 
Lecture 10.pptx
Lecture 10.pptxLecture 10.pptx
Lecture 10.pptx
MuhammadRehan856177
 
Event Programming JavaScript
Event Programming JavaScriptEvent Programming JavaScript
Event Programming JavaScript
MuhammadRehan856177
 

Mais conteúdo relacionado

Semelhante a Botnets Attacks.pptx

Ransomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataRansomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your Data
Inderjeet Singh
 
Cyber security:Tools used in cyber crime
Cyber security:Tools used in cyber crimeCyber security:Tools used in cyber crime
Cyber security:Tools used in cyber crime
nidhidgowda185
 

Semelhante a Botnets Attacks.pptx (20)

ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKING
 
Computer security: hackers and Viruses
Computer security: hackers and VirusesComputer security: hackers and Viruses
Computer security: hackers and Viruses
 
Tools and methods used in cybercrime
Tools and methods used in cybercrimeTools and methods used in cybercrime
Tools and methods used in cybercrime
 
Inetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationInetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentation
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber security
 
Ch14 security
Ch14 securityCh14 security
Ch14 security
 
6unit1 virus and their types
6unit1 virus and their types6unit1 virus and their types
6unit1 virus and their types
 
Ransomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataRansomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your Data
 
Malware part 2
Malware part 2Malware part 2
Malware part 2
 
Computer Security and Ethics
Computer Security and EthicsComputer Security and Ethics
Computer Security and Ethics
 
Virus vs worms vs trojans
Virus vs worms vs trojansVirus vs worms vs trojans
Virus vs worms vs trojans
 
Cyber security:Tools used in cyber crime
Cyber security:Tools used in cyber crimeCyber security:Tools used in cyber crime
Cyber security:Tools used in cyber crime
 
Network security and firewalls
Network security and firewallsNetwork security and firewalls
Network security and firewalls
 
Isys20261 lecture 05
Isys20261 lecture 05Isys20261 lecture 05
Isys20261 lecture 05
 
Cryptography and Network security # Lecture 3
Cryptography and Network security # Lecture 3Cryptography and Network security # Lecture 3
Cryptography and Network security # Lecture 3
 
Computer security
Computer securityComputer security
Computer security
 
Session Slide
Session SlideSession Slide
Session Slide
 
Computer Virus
Computer VirusComputer Virus
Computer Virus
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
 

Mais de MuhammadRehan856177

Mais de MuhammadRehan856177 (10)

Lecture 10.pptx
Lecture 10.pptxLecture 10.pptx
Lecture 10.pptx
 
Event Programming JavaScript
Event Programming JavaScriptEvent Programming JavaScript
Event Programming JavaScript
 
Intrusion .ppt
Intrusion .pptIntrusion .ppt
Intrusion .ppt
 
Lecture 2.pptx
Lecture 2.pptxLecture 2.pptx
Lecture 2.pptx
 
Lecture 3.pptx
Lecture 3.pptxLecture 3.pptx
Lecture 3.pptx
 
Lecture 2.pptx
Lecture 2.pptxLecture 2.pptx
Lecture 2.pptx
 
Lecture 2.ppt
Lecture 2.pptLecture 2.ppt
Lecture 2.ppt
 
Introduction to JavaScript (1).ppt
Introduction to JavaScript (1).pptIntroduction to JavaScript (1).ppt
Introduction to JavaScript (1).ppt
 
3. HTML Forms.ppt
3. HTML Forms.ppt3. HTML Forms.ppt
3. HTML Forms.ppt
 
2. HTML Tables.ppt
2. HTML Tables.ppt2. HTML Tables.ppt
2. HTML Tables.ppt
 

Último

Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
Epec Engineered Technologies
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ssuser89054b
 
+97470301568>> buy weed in qatar,buy thc oil qatar,buy weed and vape oil in d...
+97470301568>> buy weed in qatar,buy thc oil qatar,buy weed and vape oil in d...+97470301568>> buy weed in qatar,buy thc oil qatar,buy weed and vape oil in d...
+97470301568>> buy weed in qatar,buy thc oil qatar,buy weed and vape oil in d...
Health
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
MsecMca
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
Neometrix_Engineering_Pvt_Ltd
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Call Girls Mumbai
 

Último (20)

Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 
Block diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.pptBlock diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.ppt
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
Air Compressor reciprocating single stage
Air Compressor reciprocating single stageAir Compressor reciprocating single stage
Air Compressor reciprocating single stage
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdf
 
Learn the concepts of Thermodynamics on Magic Marks
Learn the concepts of Thermodynamics on Magic MarksLearn the concepts of Thermodynamics on Magic Marks
Learn the concepts of Thermodynamics on Magic Marks
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdf
 
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARHAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
 
+97470301568>> buy weed in qatar,buy thc oil qatar,buy weed and vape oil in d...
+97470301568>> buy weed in qatar,buy thc oil qatar,buy weed and vape oil in d...+97470301568>> buy weed in qatar,buy thc oil qatar,buy weed and vape oil in d...
+97470301568>> buy weed in qatar,buy thc oil qatar,buy weed and vape oil in d...
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
 
kiln thermal load.pptx kiln tgermal load
kiln thermal load.pptx kiln tgermal loadkiln thermal load.pptx kiln tgermal load
kiln thermal load.pptx kiln tgermal load
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
 
A Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityA Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna Municipality
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equation
 
Computer Networks Basics of Network Devices
Computer Networks Basics of Network DevicesComputer Networks Basics of Network Devices
Computer Networks Basics of Network Devices
 
AIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsAIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech students
 

Botnets Attacks.pptx

  • 1. Lecture 6 DDoS, Malware, Botnets attacks and mitigations Author: Muhammad Rehan
  • 2. Objective • OS security • Malware, Botnet, Computer Virus, Rootkit, Morris Worm • Network attacks such as distributed denial of service (DDOS) • DDoS attacks and mitigation • What Is Botnet? Definition, Methods, Attack Examples, and Prevention Best Practices for 2022
  • 3. Operating system security Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions.
  • 4. Important functions of OS • Security • Control over system performance • Job accounting • Error detecting aids • Coordination between other software and users • Memory Management • Processor Management • Device Management
  • 5. Malware Features & Types • Infectious: • Viruses, worms • Concealment: • Trojan horses, logic bombs, rootkits • Malware for stealing information: • Spyware, keyloggers, screen scrapers • Malware for profit: • Dialers, scarewares, ransomware • Malware as platform for other attacks • Botnets, backdoors (trapdoors) • Many malwares have characteristics of multiple types
  • 6. Trojan Horse Example: Attacker: Place the following file cp /bin/sh /tmp/.xxsh chmod u+s,o+x /tmp/.xxsh rm ./ls ls $* as /homes/victim/ls • Victim ls • Software that appears to perform a desirable function for the user prior to run or install, but (perhaps in addition to the expected function) steals information or harms the system. • User tricked into executing Trojan horse – Expects (and sees) overt and expected behavior – Covertly perform malicious acts with user’s authorization
  • 7. Trapdoor or Backdoor • Secret entry point into a system • Specific user identifier or password that circumvents normal security procedures. • Commonly used by developers • Could be included in a compiler.
  • 8. Logic Bomb • Embedded in legitimate programs • Activated when specified conditions met • E.g., presence/absence of some file; Particular date/time or particular user • When triggered, typically damages system • Modify/delete files/disks
  • 9. Example of Logic Bomb • In 1982, the Trans-Siberian Pipeline incident occurred. A KGB operative was to steal the plans for a sophisticated control system and its software from a Canadian firm, for use on their Siberian pipeline. The CIA was tipped off by documents in the Farewell Dossier and had the company insert a logic bomb in the program for sabotage purposes. This eventually resulted in "the most monumental non- nuclear explosion and fire ever seen from space“.
  • 10. Spyware • Malware that collects little bits of information at a time about users without their knowledge • Keyloggers: stealthly tracking and logging key strokes • Screen scrapers: stealthly reading data from a computer display • May also tracking browsing habit • May also re-direct browsing and display ads
  • 11. Scareware • Malware that scares victims into take actions that ultimately end up compromising our own security. • E.g., paying for and installing fake anti-virus products
  • 12. Ransomware • Holds a computer system, or the data it contains, hostage against its user by demanding a ransom. • Disable an essential system service or lock the display at system startup • Encrypt some of the user's personal files, originally referred to as cryptoviruses, cryptotrojans or cryptoworms • Victim user has to • enter a code obtainable only after wiring payment to the attacker or sending an SMS message • buy a decryption or removal tool
  • 13. Virus • Attach itself to a host (often a program) and replicate itself • Self-replicating code • Self-replicating Trojan horses • Alters normal code with “infected” version • Operates when infected code executed If spread condition then For target files if not infected then alter to include virus Perform malicious action Execute normal program
  • 14. Worm • Self-replicating malware that does not require a host program • Propagates a fully working version of itself to other machines • Carries a payload performing hidden tasks • Backdoors, spam relays, DDoS agents; … • Phases • Probing  Exploitation  Replication  Payload
  • 15. General Worm Trends • Speed of spreading • Slow to fast to stealthy • Vector of infection • Single to varied • Exploiting software vulnerabilities to exploiting human vulnerabilities • Payloads • From “no malicious payloads beyond spreading” to botnets, spywares, and physical systems
  • 16. Morris Worm (November 1988) • First major worm • Written by Robert Morris • Son of former chief scientist of NSA’s National Computer Security Center What comes next: 1 11 21 1211 111221?
  • 17. Morris Worm Description • Two parts • Main program to spread worm • look for other machines that could be infected • try to find ways of infiltrating these machines • Vector program (99 lines of C) • compiled and run on the infected machines • transferred main program to continue attack
  • 18. Vector 1: Debug feature of sendmail • Sendmail • Listens on port 25 (SMTP port) • Some systems back then compiled it with DEBUG option on • Debug feature gives • The ability to send a shell script and execute on the host
  • 19. Vector 2: Exploiting fingerd • What does finger do? • Finger output arthur.cs.purdue.edu% finger ninghui Login name: ninghui In real life: Ninghui Li Directory: /homes/ninghui Shell: /bin/csh Since Sep 28 14:36:12 on pts/15 from csdhcp-120-173 (9 seconds idle) New mail received Tue Sep 28 14:36:04 2020; unread since Tue Sep 28 14:36:05 2020 No Plan.
  • 20. Vector 2: Exploiting fingerd • Fingerd • Listen on port 79 • It uses the function gets • Fingerd expects an input string • Worm writes long string to internal 512-byte buffer • Overrides return address to jump to shell code
  • 21. Vector 3: Exploiting Trust in Remote Login • Remote login on UNIX • rlogin, rsh • Trusting mechanism • Trusted machines have the same user accounts • Users from trusted machines • /etc/host.equiv – system wide trusted hosts file • /.rhosts and ~/.rhosts – users’ trusted hosts file Host aaa.xyz.com /etc/host.equiv bbb.xyz.com Host bbb.xyz.com User alice rlogin
  • 22. Other Features of The Worm • Self-hiding • Program is shown as 'sh' when ps • Files didn’t show up in ls • Find targets using several mechanisms: • 'netstat -r -n‘, /etc/hosts, … • Compromise multiple hosts in parallel • When worm successfully connects, forks a child to continue the infection while the parent keeps trying new hosts • Worm has no malicious payload • Where does the damage come from?
  • 23. Damage • One host may be repeatedly compromised • Supposedly designed to gauge the size of the Internet • The following bug made it more damaging. • Asks a host whether it is compromised; however, even if it answers yes, still compromise it with probability 1/8. CS526 Topic 10: Malware 23
  • 24. Zombie & Botnet • Secretly takes over another networked computer by exploiting software flows • Builds the compromised computers into a zombie network or botnet • a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. • Uses it to indirectly launch attacks • E.g., DDoS, phishing, spamming, cracking
  • 25. Rootkit • A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. • Emphasis is on hiding information from administrators’ view, so that malware is not detected • E.g., hiding processes, files, opened network connections, etc • Example: Sony BMG copy protection rootkit scandal • In 2005, Sony BMG included Extended Copy Protection on music CDs, which are automatically installed on Windows on CDs are played.
  • 26. Types of Rootkits • User-level rootkits • Replace utilities such as ps, ls, ifconfig, etc • Replace key libraries • Detectable by utilities like tripwire • Kernel-level rootkits • Replace or hook key kernel functions • Through, e.g., loadable kernel modules or direct kernel memory access • A common detection strategy: compare the view obtained by enumerating kernel data structures with that obtained by the API interface • Can be defended by kernel-driver signing (required by 64-bit windows)
  • 27. How does a computer get infected with malware or being intruded? • Executes malicious code via user actions (email attachment, download and execute trojan horses, or inserting USB drives) • Buggy programs accept malicious input • daemon programs that receive network traffic • client programs (e.g., web browser, mail client) that receive input data from network • Programs Read malicious files with buggy file reader program • Configuration errors (e.g., weak passwords, guest accounts, DEBUG options, etc) • Physical access to computer
  • 28. Background Information: Denial of Service Attacks • Denial of Service Attack: an attack on a computer or network that prevents legitimate use of its resources. • DoS Attacks Affect: • Software Systems • Network Routers/Equipment/Servers • Servers and End-User PCs
  • 29. Classification of DoS Attacks Attack Affected Area Example Description Network Level Device Routers, IP Switches, Firewalls Ascend Kill II, “Christmas Tree Packets” Attack attempts to exhaust hardware resources using multiple duplicate packets or a software bug. OS Level Equipment Vendor OS, End- User Equipment. Ping of Death, ICMP Echo Attacks, Teardrop Attack takes advantage of the way operating systems implement protocols. Application Level Attacks Finger Bomb Finger Bomb, Windows NT RealServer G2 6.0 Attack a service or machine by using an application attack to exhaust resources. Data Flood (Amplification, Oscillation, Simple Flooding) Host computer or network Smurf Attack (amplifier attack) UDP Echo (oscillation attack) Attack in which massive quantities of data are sent to a target with the intention of using up bandwidth/processing resources. Protocol Feature Attacks Servers, Client PC, DNS Servers SYN (connection depletion) Attack in which “bugs” in protocol are utilized to take down network resources. Methods of attack include: IP address spoofing, and corrupting DNS server cache.
  • 30. Countermeasures of DoS attacks Attack Countermeasure Options Example Description Network Level Device Software patches, packet filtering Ingress and Egress Filtering Software upgrades can fix known bugs and packet filtering can prevent attacking traffic from entering a network. OS Level SYN Cookies, drop backlog connections, shorten timeout time SYN Cookies Shortening the backlog time and dropping backlog connections will free up resources. SYN cookies proactively prevent attacks. Application Level Attacks Intrusion Detection System GuardDog, other vendors. Software used to detect illicit activity. Data Flood (Amplification, Oscillation, Simple Flooding) Replication and Load Balancing Akami/Digital Island provide content distribution. Extend the volume of content under attack makes it more complicated and harder for attackers to identify services to attack and accomplish complete attacks. Protocol Feature Attacks Extend protocols to support security. ITEF standard for itrace, DNSSEC Trace source/destination packets by a means other than the IP address (blocks against IP address spoofing). DNSSEC would provide authorization and authentication on DNS information.
  • 31. Distributed Denial Of Service Attack What is a Distributed Denial of Service Attack? As Defined by the World Wide Web Security FAQ: A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the Denial of Service significantly by harnessing the resources of multiple unwitting accomplice computers which serve as attack platforms. Typically a DDoS master program is installed on one computer using a stolen account. The master program, at a designated time, then communicates to any number of "agent" programs, installed on computers anywhere on the internet. The agents, when they receive the command, initiate the attack. Using client/server technology, the master program can initiate hundreds or even thousands of agent programs within seconds.
  • 32. Widely used DDoS Programs • Trinoo (TCP connectivity between master and hosts) • Tribe Flood Network (Allows for UDP flooding, TCP SYN, ICMP flood, smurf attacks and can pass through firewalls) • TFN2K (Provides no authentication, so that only one packet captured will identify the source.) • stacheldraht (Provides ICMP, UDP, and TCP SYN attack options)
  • 33. Common DDoS Countermeasures • Prevent Initial Hack • Use of Firewalls and Demilitarized Zone • Check Ingress/Egress Packets • Use a server farm and load balancer to offset the effects of a DDoS attack • Prevent SYN flood attacks by discarding the first SYN packet (causes delay for legitimate users) • Change IP address of attacked system (problem for updating legitimate users of new system IP address)
  • 34. What Is Botnet? Definition, Methods, Attack Examples, and Prevention Best Practices for 2022 What Is a Botnet? A botnet is defined as a cyberattack that uses multiple networked devices to run one or more bots on each device and then uses this swarm of infected devices to attack a server, company website, or other devices or individuals.