Network Security Fundamentals - APNIC

Transcription


Network Security Fundamentals - Webinar Course (v1.0)

Speakers: Jamie Gillespie (APNIC Senior Security Specialist), Jessica Wei (APNIC Network Analyst)

Overview
- Information Security Landscape
- Definitions in Information Security
- CSIRT/CERT Introduction
- Infrastructure Security
- Cryptography
- VPN and IPsec
- DoS and DDoS

Information Security Landscape

Security (link shortened: https://goo.gl/P1279w)

Security Breaches: haveibeenpwned.com tracks accounts that have been compromised and released into the public. Figures at the time of the slide:
- 346 pwned websites
- 6,931,949,148 pwned accounts
- 90,470 pastes
- 111,609,979 paste accounts

Security Breaches: zone-h.org/archive tracks and archives website defacements.

Security Breaches: common vulnerabilities can lead to mass compromises.

Definitions in Information Security

InfoSec Definitions
Let's start with definitions so we speak a common language.

Information Security: the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.

The purpose of information security management is to ensure business continuity and reduce business damage by preventing and minimizing the impact of security incidents. This is done through Prevention, Detection, and Recovery.

Information, IT, Internet, Cyber: it's all Security.

InfoSec Definitions
Asset - what we are trying to protect
- The "information" part of "information security"
- Resources
  - Physical: servers, routers, switches
  - Virtual: CPU, memory, bandwidth, network connections

InfoSec Definitions
Threat - a circumstance or event with the potential to negatively impact an asset
- Intentional: hacking, malware, DDoS, company insiders, theft
- Accidental: malfunction, user error
- Natural: natural disaster, earthquakes, storms/floods

InfoSec Definitions
Vulnerability - weakness in an asset's design or implementation
- Software bugs: most vulnerabilities you'll hear of fall into this category (OSs, applications, services)
- Protocol "bugs" or design flaws: SYN flood, predictable sequence numbers, ASN.1, NTLM
- Misconfigurations
- Insecure authentication: weak passwords, lack of 2FA/MFA
- Unvalidated inputs: SQL injection, Cross Site Scripting (XSS)
- Poor physical security: example on next slide

InfoSec Definitions (physical security example)

"The brazen airport computer theft that has Australia's anti-terror fighters up in arms"
By Philip Cornford, September 5, 2003

On the night of Wednesday, August 27, two men dressed as computer technicians and carrying tool bags entered the cargo processing and intelligence centre at Sydney International Airport.

They presented themselves to the security desk as technicians sent by Electronic Data Systems, the outsourced customs computer services provider which regularly sends people to work on computers after normal office hours.

After supplying false names and signatures, they were given access to the top-security mainframe room. They knew the room's location and no directions were needed.

Inside, they spent two hours disconnecting two computers, which they put on trolleys and wheeled out of the room, past the security desk, into the lift and out of the building.

InfoSec Definitions
Risk - the potential for loss or damage to an asset caused by a threat exploiting a vulnerability

Sometimes shown as:
  Risk = Threat x Vulnerability

Or a more detailed view is:
  Risk = Asset (or Impact) x Threat x Vulnerability

InfoSec Definitions
Risk Matrix - used when performing risk assessments to define a level of risk. Commonly used in real-world risk assessments.

  (Risk matrix figure: LIKELIHOOD on one axis, CONSEQUENCE on the other, each graded Low / Medium / High; the cell where the two meet gives the risk level, rising from Low in the low-likelihood, low-consequence corner to High in the high-likelihood, high-consequence corner.)

Discuss: What are some recent vulnerabilities? How does that fit into the simple risk matrix?

Remember: Risk = Asset (or Impact) x Threat x Vulnerability

InfoSec Definitions
CVSS - Common Vulnerability Scoring System
- A system to translate the characteristics and impacts of a vulnerability into a numerical score (0 to 10)
- An interactive calculator is available online (link not captured in the transcript)
- The Apache Struts vulnerability in 2017 scored a perfect 10

InfoSec Definitions
Mitigate - to reduce the seriousness or severity. This is done by applying security controls.

Controls can be classified by their time of impact:
- Preventative
- Detective
- Corrective

or by the type of control:
- Legal and regulatory compliance
- Physical
- Procedural / Administrative
- Technical

InfoSec Definitions
Defence In Depth - the layering of security controls to provide redundancy in case of a failure or vulnerability
- These commonly layer controls at different times and of different types (see previous slide)
- Sometimes referred to as a Castle Approach
- Pictured on the slide: an aerial view of Caerphilly Castle (links to the castle image and a "castle traps and defenses" diagram are truncated in the transcript)

InfoSec Definitions
Defence In Depth - Discuss: imagine you had a bar of gold to protect
- What container would you put it in?
- What room would the container be in?
- What locks are on the doors?
- Where is the room located in the building?
- What cameras are watching the room and building?
- What humans are watching the cameras?
- Who will respond with force to a theft attempt?
- Bonus question: how much did all of this cost?

InfoSec Definitions
Threat actor - a person trying to cause harm to your system or network
- Commonly called an attacker or hacker, although the definition of a hacker has changed over many years
- Also known as a malicious actor
- Can be further broken down into categories such as:
  - Opportunistic
  - Hacktivists
  - Cybercriminals (organized or not)
  - Nation States / Government Sponsored
  - Insiders (intentional or accidental)

CSIRT/CERT Introduction

CSIRT / CERT
- CSIRT - Computer Security Incident Response Team
- CERT - Computer Emergency Response Team
- A CSIRT performs, coordinates, and supports the response to security incidents that involve sites within a defined constituency
- Must react to reported security incidents or threats, in ways which the specific community agrees to be in its general interest
- The "T" is for Team: an entity (unit/organization) that does IR work!

Constituency
A CSIRT serves its constituents. The constituency helps define:
- The purpose and nature of the CSIRT
- Who the CSIRT is serving
- Types of incidents the CSIRT handles
- The relationship with other CSIRTs

Examples of constituents:
- Enterprise / single organization
- Sector based
- Critical infrastructure
- Product
- National / country
- Customer

Constituents might overlap, so coordination is key; a national CSIRT is often the CSIRT of "last resort".

Different Types of CSIRTs
- Enterprise CSIRTs provide incident handling services to their parent organization. This could be a CSIRT for a bank, a manufacturing company, an ISP, a university, or a federal agency.
- National CSIRTs provide incident handling services to a country.
- Coordination Centers coordinate and facilitate the handling of incidents across various CSIRTs. Examples include the CERT Coordination Center or the United States Computer Emergency Readiness Team (US-CERT).
- Analysis Centers focus on synthesizing data from various sources to determine trends and patterns in incident activity. This information can be used to help predict future activity or to provide early warning when the activity matches a set of previously determined characteristics.
- Vendor Teams handle reports of vulnerabilities in their software or hardware products. They may work within the organization to determine if their products are vulnerable and to develop remediation and mitigation strategies. A vendor team may also be the internal CSIRT for a vendor organization.
- Incident Response Providers offer incident handling services as a for-fee service to other organizations.
(Source: US-CERT CSIRT FAQ, csirt-faq.cfm; full URL truncated in the transcript)

Why a CSIRT? Security incidents happen!
- Execute incident response plans
- Analyze incidents and provide lessons learned
- Mitigate loss or damage
- Security improvements
- Assurance to customers and stakeholders
- Best practice
- Resource allocation
- Point of contact
- Governance
- Compliance to standards: Cyber Security Framework, ISO 27001, ITIL
- Compliance with law or regulations

What a CSIRT needs: dedicated service(s); human resources and skills; specific policies and SOPs; a point of contact.

Whois Database: Incident Response Team (IRT) object

The slide shows an APNIC whois lookup; the values below are from the slide, the field labels are reconstructed from the standard APNIC object format:

  inetnum:      1.1.1.0 - 1.1.1.255
  netname:      APNIC-LABS
  descr:        Research prefix for APNIC
  admin-c:      GM85-AP
  mnt-irt:      IRT-APNICRANDNET-AU
  status:       ASSIGNED PORTABLE
  changed:      hm-changed@apnic.net 20140507
  changed:      hm-changed@apnic.net
  source:       APNIC

  irt:          IRT-APNICRANDNET-AU
  address:      PO Box 3646
  address:      South Brisbane, QLD
  admin-c:      PAR302-AP
  e-mail:       # Filtered
  mnt-by:       MAINT-AU-APNIC-GM85-AP
  changed:      hm-changed@apnic.net 20110922
  source:       APNIC

The mnt-irt reference on the inetnum is what lets a third party find the right incident response contact for an address block.

Infrastructure Security Fundamentals

Device Access Control (Physical)
- Lock up the server room; keep equipment in highly restrictive environments
- Set up surveillance
- Make sure the most vulnerable devices are in that locked room
- Keep intruders from opening the case
- Protect the portables
- Pack up the backups
- Disable the drives
- Social engineering training and awareness
- Console access: password protected, access via OOB (out-of-band) management, configure timeouts

Fundamental Device Protection (Logical)
- Secure logical access to routers with passwords and timeouts
- Never leave passwords in clear-text
- Authenticate individual users
- Restrict logical access to specified trusted hosts
- Allow remote vty access only through SSH
- Protect SNMP if used
- Shut down unused interfaces and unneeded services
- Ensure accurate timestamps for all logging
- Create appropriate banners

(The following slides walk through this checklist one item at a time, with Cisco IOS examples.)

Management Plane Filters
- Authenticate access
- Define explicit access to/from management stations for: SNMP, Syslog, TFTP, NTP, AAA protocols, SSH

Secure Access with Passwords and Logout Timers
(checklist item: secure logical access to routers with passwords and timeouts)

  line console 0
   login
   password console-pwd
   exec-timeout 1 30
  !
  line vty 0 4
   login
   password vty-pwd
   exec-timeout 5 00
  !
  enable secret enable-secret
  username test secret test-secret

Radius Authentication (AAA)

  aaa new-model
  !
  aaa authentication login default group radius local
  aaa authorization exec default group radius local
  !
  radius-server host 192.168.1.250 auth-port 1812 acct-port 1813
  radius-server key 7 0130310759262E000B69560F

The trailing "local" keyword keeps locally defined users as a fallback if the RADIUS server is unreachable.

Never Leave Passwords in Clear-Text
(checklist item: never leave passwords in clear-text)

service password-encryption command
- Will encrypt all passwords on the Cisco IOS with Cisco-defined encryption type "7"
- Use "password 7 <password>" for cut/paste operations
- Cisco proprietary encryption method

secret command
- Uses MD5 to produce a one-way hash (type "5")
- Cannot be decrypted
- Use "secret 5 <hash>" to cut/paste another "enable secret" password

Caveat: type 7 is a reversible obfuscation, not encryption; anyone who obtains the configuration can recover the plaintext in seconds. Type 5 (MD5) cannot be reversed but is fast to brute-force; where the IOS version supports it, prefer the newer type 8 (PBKDF2-SHA-256) or type 9 (scrypt) secrets.

Authenticate Individual Users
(checklist item: authenticate individual users)

  username mike secret mike-secret
  username john secret john-secret
  username chris secret chris-secret
  !
  username staff secret group-secret

One account per person gives you attribution in the logs; a shared "staff" account (last line) does not.

Restrict Access to Trusted Hosts
(checklist item: restrict logical access to specified trusted hosts)

  access-list 103 permit tcp host 192.168.200.7 192.168.1.0 0.0.0.255 eq 22 log-input
  access-list 103 permit tcp host 192.168.200.8 192.168.1.0 0.0.0.255 eq 22 log-input
  access-list 103 permit tcp host 192.168.100.6 192.168.1.0 0.0.0.255 eq 23 log-input
  access-list 103 deny ip any any log-input
  !
  line vty 0 4
   access-class 103 in
   transport input ssh

Securing SSH
(checklist item: allow remote vty access only through SSH)

  ipv6 access-list AUTHORIZED_IPV6_HOST
   permit ipv6 host 2001:db8:0:6::250 any
   deny ipv6 any any log
  !
  ip access-list extended AUTHORIZED_IPV4_HOST
   permit tcp host 192.168.75.5 any eq 22
   deny tcp any any log
  !
  line vty 0 4
   access-class AUTHORIZED_IPV4_HOST in
   ipv6 access-class AUTHORIZED_IPV6_HOST in

Note that the vty lines need both an IPv4 and an IPv6 access-class; restricting only one address family leaves the other open.

Securing SNMP
(checklist item: protect SNMP if used)

  access-list 99 permit 192.168.1.250
  access-list 99 permit 192.168.1.240
  snmp-server community N3TW0RK-manag3m3nt ro 99

The trailing ACL number restricts which hosts may use the community string. Caveat: SNMPv1/v2c community strings travel in clear-text, so a read-only string plus an ACL is the minimum; SNMPv3 with authentication and privacy (authPriv) is preferred where supported.

Turn Off Unused Services (Cisco IOS commands)

Service: CDP
- Proprietary layer 2 protocol between Cisco devices
- Default: enabled
- Command: no cdp run

Service: TCP small servers
- Standard TCP network services: echo, chargen, etc.
- Default: IOS 11.3 disabled; IOS 11.2 enabled
- This is a legacy feature, disable it explicitly
- Command: no service tcp-small-servers

Service: UDP small servers
- Standard UDP network services: echo, discard, etc.
- Default: IOS 11.3 disabled; IOS 11.2 enabled
- This is a legacy feature, disable it explicitly
- Command: no service udp-small-servers

Service: Finger
- Unix user lookup service, allows remote listing of logged in users
- Default: enabled
- Unauthorized persons don't need to know this, disable it
- Command: no service finger

Service: HTTP server
- Some Cisco IOS devices offer web based configuration
- Default: varies by device
- If not in use, explicitly disable, otherwise restrict access
- Command: no ip http server

Service: Bootp server
- Service to allow other routers to boot from this one
- Default: enabled
- This is rarely needed and may open a security hole, disable it
- Command: no ip bootp server

Turn Off Unused Services (Cisco IOS commands, continued)

Service: PAD service
- Router will support X.25 packet assembler service
- Default: enabled
- Disable if not explicitly needed
- Command: no service pad

Service: IP source routing
- Feature that allows a packet to specify its own route
- Default: enabled
- Can be helpful in attacks, disable it
- Command: no ip source-route

Service: Proxy ARP
- Router will act as a proxy for layer 2 address resolution
- Default: enabled
- Disable this service unless the router is serving as a LAN bridge
- Command (per interface): no ip proxy-arp

Service: IP directed broadcast
- Packets can identify a target LAN for broadcasts
- Default: enabled (IOS 11.3 and earlier)
- Directed broadcast can be used for attacks (e.g. smurf amplification), disable it
- Command (per interface): no ip directed-broadcast

Configuration Example: commands on Cisco IOS (screenshot on slide)

Ensure Accurate Timestamps for all Logging
(checklist item: ensure accurate timestamps for all logging)

  Router(config)# service timestamps log datetime msec localtime show-timezone year
  Router(config)# logging 192.168.0.30
  Router(config)# logging trap 3
  Router(config)# logging facility local3

Timestamps are only as accurate as the router's clock: synchronize it with NTP (from a trusted, access-controlled server, see the management plane filters) or the timestamps cannot be correlated with other systems during an investigation.

Configuration change logging

  Router# configure terminal
  Router(config)# archive
  Router(config-archive)# log config
  Router(config-archive-log-config)# logging enable
  Router(config-archive-log-config)# logging size 200
  Router(config-archive-log-config)# hidekeys
  Router(config-archive-log-config)# notify syslog

Resulting syslog messages (every configuration command is attributed to a user and source address):

  768962: Feb 1 20:59:45.081 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:fakrul logged command:!exec: enable
  768963: Feb 1 21:03:17.160 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:fakrul logged command:no ipv6 prefix-list dhakacom_AS23956_IN_IPv6 description
  768965: Feb 1 21:03:19.182 UTC: %SYS-5-CONFIG_I: Configured from console by fakrul on vty0 (2001:db8:0:6::250)

Create Appropriate Banner
(checklist item: create appropriate banners; configured with the banner login or banner motd command)

  !!!! WARNING !!!!
  You have accessed a restricted device.
  All access is being logged and any unauthorized access
  will be prosecuted to the full extent of the law.
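The hardening checklist above is easy to state and easy to drift away from. The script below is an added example (not part of the APNIC course material) that audits a Cisco IOS configuration text against the checklist items the previous slides illustrate: reversible or clear-text credentials, vty lines that still accept telnet or have no access-class, SNMP communities without an ACL, legacy services not explicitly disabled, and missing log timestamps. It also decodes Cisco "type 7" strings to make the "password 7 is not encryption" point concrete; the key string used is the well-known fixed XOR key behind that scheme. The two sample configurations are constructed for this example; the checks encode the slides' recommendations, not a complete hardening standard.

```python
"""Audit a Cisco IOS configuration against the hardening checklist.

Added example, not APNIC's code. The config texts below are constructed for
illustration; the checks encode the slides' recommendations only.
"""
import re

# Cisco "type 7" is a fixed-key XOR, not encryption: anyone holding the config
# recovers the plaintext. This is the well-known constant key string.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Legacy services the slides say to disable explicitly (defaults vary by IOS version).
REQUIRED_NO_LINES = [
    "no cdp run", "no service tcp-small-servers", "no service udp-small-servers",
    "no service finger", "no ip http server", "no ip bootp server",
    "no service pad", "no ip source-route", "no ip directed-broadcast",
]

_CRED_RE = re.compile(
    r"(enable password|username \S+ password|password|radius-server key|snmp-server community)\s+(.*)")


def type7_decode(encoded: str) -> str:
    """Reverse a type-7 string: the first two digits are the key offset."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data)).decode()


def type7_encode(plain: str, seed: int = 5) -> str:
    """Produce a type-7 string; shown only to prove the round trip is trivial."""
    enc = bytes(c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, c in enumerate(plain.encode()))
    return f"{seed:02d}{enc.hex().upper()}"


def audit_ios_config(config: str) -> list:
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]
    present = {l.strip() for l in lines}

    # 1. Credentials stored reversibly ('password' instead of 'secret', or type 7),
    #    and SNMP communities that are not tied to an ACL.
    for l in lines:
        s = l.strip()
        m = _CRED_RE.match(s)
        if not m:
            continue
        value = m.group(2).split()
        if m.group(1) == "snmp-server community":
            if len(value) < 3:           # "<community> ro|rw <acl>" is the restricted form
                findings.append(f"SNMP community not restricted by ACL: {s}")
        elif len(value) > 1 and value[0] == "7":
            findings.append(f"type-7 (reversible) credential: {s} -> plaintext '{type7_decode(value[1])}'")
        else:
            findings.append(f"clear-text credential: {s}")

    # 2. vty lines must accept SSH only and be restricted to management hosts.
    in_vty, vty_ssh, vty_acl = False, False, False
    for l in lines:
        if l.startswith("line vty"):
            in_vty = True
        elif in_vty and not l.startswith(" "):
            in_vty = False
        elif in_vty:
            s = l.strip()
            vty_ssh = vty_ssh or s == "transport input ssh"
            vty_acl = vty_acl or s.startswith(("access-class", "ipv6 access-class"))
    if not vty_ssh:
        findings.append("vty: 'transport input ssh' missing (telnet may be accepted)")
    if not vty_acl:
        findings.append("vty: no access-class restricting management hosts")

    # 3. Legacy services the checklist says to disable explicitly.
    findings += [f"not explicitly disabled: '{n}'" for n in REQUIRED_NO_LINES if n not in present]

    # 4. Logs without timestamps cannot be correlated during incident response.
    if not any(l.startswith("service timestamps log") for l in lines):
        findings.append("no 'service timestamps log ...' line")
    return findings


# Constructed sample: the weak settings the slides warn about.
WEAK_CONFIG = """\
enable password 7 094F471A1A0A
username admin password admin123
snmp-server community public RO
line vty 0 4
 password vtypass
 transport input telnet ssh
!
"""

# Constructed sample: the corrected form (hash values are placeholders).
HARDENED_CONFIG = """\
service password-encryption
service timestamps log datetime msec localtime show-timezone year
enable secret 5 $1$salt$PlaceholderHashForIllustration
username admin secret 5 $1$salt$PlaceholderHashForIllustration
no cdp run
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip http server
no ip bootp server
no service pad
no ip source-route
no ip directed-broadcast
access-list 99 permit 192.168.1.250
snmp-server community N3TW0RK-manag3m3nt ro 99
ip access-list extended MGMT_HOSTS
 permit tcp host 192.168.75.5 any eq 22
 deny tcp any any log
line vty 0 4
 access-class MGMT_HOSTS in
 transport input ssh
!
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_ios_config(cfg))} finding(s)")
        for f in audit_ios_config(cfg):
            print("  -", f)
```

Run it against a real configuration exported with `show running-config`; the type-7 decode of the weak sample's enable password prints the plaintext, which is the whole argument for `enable secret`.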

Data Plane (Packet) Filters
Most common problems:
- Poorly-constructed filters
- Ordering matters in some devices
- Scaling and maintainability issues with filters are commonplace
- Make your filters as modular and simple as possible
- Take into consideration alternate routes: backdoor paths due to network failures

Filtering Deployment Considerations
- How does the filter load into the router? Does it interrupt packet flow?
- How many filters can be supported in hardware?
- How many filters can be supported in software?
- How does filter depth impact performance?
- How do multiple concurrent features affect performance?
- Do I need a standalone firewall?

Filtering Recommendations
- Log filter port messages properly
- Allow only internal addresses to enter the router from the internal interface
- Block packets from outside (untrusted) that are obviously fake or commonly used for attacks
- Block packets that claim to have a source address of any internal (trusted) network

Filtering Recommendations
- Block incoming loopback packets and RFC 1918 networks:
  - 127.0.0.0/8
  - 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
  - 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
  - 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
- Block multicast packets (if NOT using multicast)
- Block broadcast packets (careful of DHCP and BOOTP users)
- Block incoming packets that claim to have the same destination and source address

RFC 2827 (BCP38) - Ingress Filtering
- If an ISP is aggregating routing announcements for multiple downstream networks, strict traffic filtering should be used to prohibit traffic which claims to have originated from outside of these aggregated announcements.
- The ONLY valid source IP address for packets originating from a customer network is the one assigned by the ISP (whether statically or dynamically assigned).
- An edge router could check every packet on ingress to ensure the user is not spoofing the source address on the packets which he is originating.

BCP38 (diagram)
- ISP A holds the whole IP address block 10.0.0.0/8; Enterprise B is assigned 10.2.1.0/24 from it
- At the ISP's ingress from Enterprise B:
  - Source IP 10.2.1.3: pass
  - Source IP 192.168.0.4: drop (not inside the customer's assigned block)
  - Source IP 10.2.1.20: pass

Techniques for BCP38
- Static ACLs on the edge of the network
- Unicast RPF strict mode
- IP source guard

Example of an inbound packet filter (the slide's ACL is corrected here to the network address 192.168.1.0 with wildcard 0.0.0.255, which is how IOS stores it):

  access-list 121 permit ip 192.168.1.0 0.0.0.255 any
  access-list 121 deny ip any any log
  !
  interface serial 1/1/1.3
   description Link to XYZ
   ip access-group 121 in
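The ingress decision the BCP38 diagram draws, together with the bogon and anti-spoofing rules from the filtering recommendations, as an added example that is not part of the APNIC slides. It applies the two filters in code (customer-facing ingress: only the assigned block passes; Internet-facing ingress: drop bogon sources, sources that claim to be internal, and packets whose source equals their destination) and renders the slide's static ACL for an arbitrary list of customer prefixes. The prefixes and test addresses are the ones on the slides or documentation ranges; the ACL number and interface name are assumptions.

```python
"""BCP38 ingress filtering decisions and the equivalent Cisco IOS ACL.

Added example, not from the APNIC slides. Prefixes follow the BCP38 diagram
(10.2.1.0/24 assigned to Enterprise B); ACL number and interface are assumed.
"""
import ipaddress

# Sources that must never arrive on an Internet-facing ingress interface:
# "this" network, RFC 1918, loopback, link-local and multicast.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def bcp38_decision(src: str, customer_prefixes) -> str:
    """Customer-facing ingress: pass only sources inside the assigned block(s)."""
    ip = ipaddress.ip_address(src)
    return "PASS" if any(ip in ipaddress.ip_network(p) for p in customer_prefixes) else "DROP"


def internet_edge_decision(src: str, dst: str, internal_prefixes) -> str:
    """Internet-facing ingress: drop bogons, spoofed internal sources, src == dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s == d:                                             # land-style packet
        return "DROP"
    if any(s in n for n in BOGON_SOURCES):
        return "DROP"
    if any(s in ipaddress.ip_network(p) for p in internal_prefixes):
        return "DROP"                                      # outside claiming to be inside
    return "PASS"


def bcp38_acl(customer_prefixes, acl_number: int = 121, interface: str = "serial 1/1/1.3") -> str:
    """Render the slide's inbound ACL for any list of customer prefixes."""
    lines = []
    for p in customer_prefixes:
        net = ipaddress.ip_network(p)
        # IOS standard/extended ACLs take a wildcard mask, i.e. the host mask.
        lines.append(f"access-list {acl_number} permit ip {net.network_address} {net.hostmask} any")
    lines += [f"access-list {acl_number} deny ip any any log", "!",
              f"interface {interface}", " description Link to customer",
              f" ip access-group {acl_number} in"]
    return "\n".join(lines)


if __name__ == "__main__":
    for src in ("10.2.1.3", "192.168.0.4", "10.2.1.20"):
        print(f"{src:>14} -> {bcp38_decision(src, ['10.2.1.0/24'])}")
    print(bcp38_acl(["10.2.1.0/24"]))
```

Unicast RPF strict mode achieves the same customer-side check without a hand-written ACL, by asking the FIB whether the best route back to the source points out the interface the packet arrived on; the static ACL above is what you fall back to on platforms without it or on asymmetric links where strict uRPF would drop legitimate traffic.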

Infrastructure Filters Summary
- Permit only required protocols and deny ALL others to infrastructure space
  - Filters now need to be IPv4 and IPv6!
  - Applied inbound on ingress interfaces
- Basic premise: filter traffic destined TO your core routers
- Develop a list of required protocols that are sourced from outside your AS and access core routers
  - Example: eBGP peering, GRE, IPsec, etc.
  - Use classification filters as required
- Identify core address block(s)
  - This is the protected address space
  - Summarization is critical for simpler and shorter filters

General Filtering Best Practices
- Explicitly deny all traffic and only allow what you need
- The default policy should be that if the firewall doesn't know what to do with the packet, deny/drop it
- Don't rely only on your firewall for all protection of your network
- Implement multiple layers of network protection
- Make sure all of the network traffic passes through the firewall
- Log all firewall exceptions (if possible)

Cryptography

Cryptography Terminology
- Cryptography: from Greek, "crypto" meaning hidden or secret, "graphy" meaning writing
- Cryptanalysis: from Greek, "crypto" meaning hidden or secret, "analysis" meaning to loosen or untie

(Diagram: plaintext -> encryption key -> ciphertext -> decryption key -> plaintext. In symmetric key cryptography the encryption and decryption keys are the same shared key; in asymmetric key cryptography one is the public key and the other the private key.)

Symmetric Key Algorithm
- Uses a single key to both encrypt and decrypt information
- Also known as a secret-key algorithm
- The key must be kept a "secret" to maintain security; this shared key is sometimes also called a private key (not to be confused with the private half of an asymmetric key pair)
- Examples: DES, 3DES, AES, RC4, RC6, Blowfish

(Diagram: symmetric key cryptography. Plaintext is encrypted with the shared key to ciphertext and decrypted with the same shared secret key back to plaintext.)

Asymmetric Key Algorithm
- Also called public-key cryptography
- Keep the private key private; anyone can see the public key
- Separate keys for encryption and decryption (public and private key pairs)
- Examples: RSA, DSA, Diffie-Hellman (key agreement), ElGamal (PKCS, also listed on the slide, is a family of standards that specifies how such algorithms are used rather than an algorithm itself)

How Public Key Cryptography works
Alice and Bob are using public key pairs to communicate. Which keys do they hold?

  Alice knows:            Bob knows:
  - Alice's public key    - Bob's public key
  - Alice's private key   - Bob's private key
  - Bob's public key      - Alice's public key

How to Use Public Key Cryptography
Alice and Bob are using public key pairs to communicate. Alice has a message.

  If encrypted by         Decrypt with           Who can decrypt   Function
  1 Alice's public key    Alice's private key    Alice             Alice can encrypt the file only for herself
  2 Alice's private key   Alice's public key     Everyone          Only from Alice (sign); integrity
  3 Bob's public key      Bob's private key      Bob               Confidentiality

Communication between Alice and Bob for Encryption
(Diagram: Alice encrypts to Bob with Bob's public key, Bob decrypts with Bob's private key; Bob encrypts to Alice with Alice's public key, Alice decrypts with Alice's private key.)

Use Cases
- Email
  - Encrypting: to send confidential information
  - Signing: to prove the message actually comes from you and is not modified during delivery
- File distribution
  - Signing: to prove the contents is distributed by you and not modified since signed
  - You can generate a separate signature file if needed: you then have the original file and the signature file for it

Cryptography
- Asymmetric algorithms are slower but secure, so most implementations use a combination of both (asymmetric to exchange or wrap a symmetric session key, symmetric for the bulk data) to ensure it is both fast and secure
- Common implementations: SSL/TLS, PGP / GPG
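The key-role table (who can decrypt what, and why a private-key operation acts as a signature) and the hybrid scheme just described, run end to end, as an added example that is not part of the APNIC slides. It uses textbook RSA over small primes with no padding so that every step is visible; that is deliberately insecure and is for illustration only, since real systems use a vetted library with OAEP/PSS padding or a proper KEM. The "symmetric" part is a toy keystream derived from SHA-256 in counter mode, standing in for AES; the primes, messages and key sizes are constructed for the example.

```python
"""Public-key roles and hybrid encryption with textbook RSA.

Added example, not from the APNIC slides. Small primes, no padding, toy
keystream: insecure by design, useful only to make the key roles concrete.
"""
import hashlib
import math
import os


def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def _next_prime(n: int) -> int:
    while not _is_prime(n):
        n += 1
    return n


def keygen(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    while math.gcd(e, phi) != 1:          # keep e invertible mod phi
        e += 2
    return (n, e), (n, pow(e, -1, phi))


def rsa_apply(m: int, key) -> int:
    """The single RSA primitive: m^exp mod n, with whichever half of the pair is supplied."""
    n, exp = key
    return pow(m, exp, n)


# Row 3 of the table: encrypt with the recipient's PUBLIC key; only the PRIVATE key decrypts.
def encrypt_for(recipient_public, m: int) -> int:
    return rsa_apply(m, recipient_public)


def decrypt_with(private, c: int) -> int:
    return rsa_apply(c, private)


# Row 2 of the table: "encrypt" a hash with the sender's PRIVATE key; anyone holding the
# PUBLIC key can undo it, which proves origin (only the private key could have made it)
# and integrity (the hash must match the message).
def sign(private, message: bytes) -> int:
    n, _ = private
    return rsa_apply(int.from_bytes(hashlib.sha256(message).digest(), "big") % n, private)


def verify(public, message: bytes, signature: int) -> bool:
    n, _ = public
    return rsa_apply(signature, public) == int.from_bytes(hashlib.sha256(message).digest(), "big") % n


# Hybrid scheme: asymmetric to wrap a random session key, symmetric for the bulk data.
def _keystream(key: int, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:                # toy CTR-style PRF; stands in for AES
        out += hashlib.sha256(key.to_bytes(16, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def hybrid_encrypt(recipient_public, plaintext: bytes):
    n, _ = recipient_public
    session_key = int.from_bytes(os.urandom(8), "big") % n      # fresh per message
    wrapped = encrypt_for(recipient_public, session_key)          # slow part: one small integer
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(session_key, len(plaintext))))
    return wrapped, body                                          # fast part: any length


def hybrid_decrypt(private, wrapped: int, body: bytes) -> bytes:
    session_key = decrypt_with(private, wrapped)
    return bytes(a ^ b for a, b in zip(body, _keystream(session_key, len(body))))


if __name__ == "__main__":
    alice_pub, alice_priv = keygen(_next_prime(10**6), _next_prime(10**6 + 4))
    bob_pub, bob_priv = keygen(_next_prime(2 * 10**6), _next_prime(2 * 10**6 + 4))
    c = encrypt_for(bob_pub, 123456789)
    print("Bob decrypts:", decrypt_with(bob_priv, c))
    sig = sign(alice_priv, b"hello bob")
    print("signature verifies:", verify(alice_pub, b"hello bob", sig),
          "/ tampered:", verify(alice_pub, b"hello bob!", sig))
    w, body = hybrid_encrypt(bob_pub, b"confidential payload")
    print("hybrid round trip:", hybrid_decrypt(bob_priv, w, body))
```

Note that the same primitive, `rsa_apply`, serves both rows of the table; the only difference is which half of the key pair the caller holds, which is exactly why a private key must never leave its owner.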

VPN and IPsec

Virtual Private Network
- Creates a secure tunnel over a public network
  - Client to firewall
  - Router to router
  - Firewall to firewall
- Uses the Internet as the public backbone to access a secure private network
- Remote employees can access their office network
- VPN protocols:
  - PPTP (Point-to-Point Tunneling Protocol): legacy; its MS-CHAPv2 authentication is broken and it should not be used for new deployments
  - L2TP (Layer 2 Tunneling Protocol), normally run over IPsec
  - IPsec (Internet Protocol Security)
  - TLS (Transport Layer Security)

Different Layers of Encryption
- Application layer: SSL/TLS, PGP, SSH, HTTPS
- Network layer: IPsec
- Link layer encryption

IPsec
- Provides Layer 3 security (RFC 2401, since replaced by RFC 4301)
- Transparent to applications (no need for integrated IPsec support)
- A set of protocols and algorithms used to secure IP data at the network layer
- Combines different components:
  - Security associations (SA)
  - Internet Key Exchange (IKE)
  - Authentication Header (AH)
  - Encapsulating Security Payload (ESP)
- A security context for the VPN tunnel is established via ISAKMP (Internet Security Association and Key Management Protocol)

Benefits of IPsec
- Confidentiality: by encrypting data
- Data integrity and source authentication
  - Data is "signed" by the sender and the "signature" is verified by the recipient
  - Modification of data can be detected by "signature" verification
  - Because the "signature" is based on a shared secret (a keyed MAC, not a public-key signature), it gives source authentication

"IPsec is designed to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6" (RFC 2401)

Benefits of IPsec
- Anti-replay protection: optional; the sender must provide it but the recipient may ignore it
- Authentication: signatures and certificates
- All these while still maintaining the ability to route through existing IP networks
- Key management
  - IKE: session negotiation and establishment
  - Sessions are rekeyed or deleted automatically
  - Secret keys are securely established and authenticated
  - The remote peer is authenticated through varying options

Authentication Header (AH)
- Provides source authentication and data integrity
- Protection against source spoofing and replay attacks
- Authentication is applied to the entire packet, with the mutable fields in the IP header zeroed out
- If both AH and ESP are applied to a packet, AH follows ESP (AH is the outer header)
- Operates on top of IP using protocol number 51

Encapsulating Security Payload (ESP)
- Uses IP protocol number 50
- Provides what AH offers, plus data confidentiality (uses symmetric key encryption)
- Must encrypt and/or authenticate each packet
- Encryption occurs before authentication (the integrity check value is computed over the ciphertext)
- Authentication covers the ESP header and the encapsulated payload; unlike AH, it does not cover the outer IP header
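The receiver-side logic behind the "data integrity and source authentication" and "anti-replay" bullets, as an added example that is not part of the APNIC slides. It models an inbound SA: an HMAC keyed with the SA's shared secret over the (SPI, sequence number, payload) triple, truncated to a 96-bit integrity check value as the HMAC-SHA1-96 style transforms do, plus the 64-packet sliding anti-replay window described in RFC 4303 Appendix A. Encryption is left out so the ordering is clear: the sequence number is checked against the window before the expensive ICV check, but the window is only advanced after the ICV verifies, so forged packets cannot poison it. The key, SPI and packets are constructed here.

```python
"""ESP-style integrity check with a sliding anti-replay window (receiver side).

Added example, not from the APNIC slides. HMAC-SHA256 truncated to 96 bits
stands in for the IPsec integrity transform; keys and packets are constructed.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12      # 96-bit truncated integrity check value
WINDOW = 64       # minimum anti-replay window size from RFC 4303


def build_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: ESP header (SPI, sequence number) + payload + ICV."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class InboundSA:
    def __init__(self, key: bytes, spi: int):
        self.key, self.spi = key, spi
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence number (highest - i) already seen
        self.stats = {"ok": 0, "bad_icv": 0, "replay": 0, "wrong_spi": 0}

    def _seen(self, seq: int) -> bool:
        """True if seq is a duplicate or fell off the left edge of the window."""
        if seq == 0:                              # ESP sequence numbers start at 1
            return True
        if seq > self.highest:
            return False
        if seq <= self.highest - WINDOW:
            return True                           # too old to track: reject
        return bool((self.bitmap >> (self.highest - seq)) & 1)

    def _mark(self, seq: int) -> None:
        """Advance or fill the window; only called after the ICV verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet: bytes):
        """Return the payload if the packet is accepted, else None (and count why)."""
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            self.stats["wrong_spi"] += 1
            return None
        if self._seen(seq):                       # cheap pre-check, window not touched
            self.stats["replay"] += 1
            return None
        body, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, packet[:8] + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):  # constant-time comparison
            self.stats["bad_icv"] += 1
            return None
        self._mark(seq)                           # window advances only for genuine packets
        self.stats["ok"] += 1
        return body


if __name__ == "__main__":
    key, spi = b"shared-secret-from-IKE", 0x1000
    sa = InboundSA(key, spi)
    first = build_packet(key, spi, 1, b"hello")
    print("first:", sa.receive(first), "| replayed:", sa.receive(first))
    print("out of order 5 then 4:", sa.receive(build_packet(key, spi, 5, b"five")),
          sa.receive(build_packet(key, spi, 4, b"four")))
    print("stats:", sa.stats)
```

A duplicate, a late-but-in-window packet and a packet older than the window are each handled differently, which is why the window size matters on high-throughput or heavily reordered links: too small and legitimate late packets are dropped as "replays".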

IPsec Architecture (diagram)
- Security protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload)
- IPsec security policy
- IKE (The Internet Key Exchange): establishes the tunnel, key management

Working Process of IPsec (diagram, between two IPsec peers)
1. Traffic which needs to be protected arrives
2. IKE Phase 1: a secure communication channel is established between the peers
3. IKE Phase 2: the IPsec tunnel (the IPsec SAs) is negotiated over that channel
4. Secured traffic exchange through the IPsec tunnel

IPsec Modes
- Tunnel Mode
  - The entire IP packet is encrypted and becomes the data component of a new (and larger) IP packet
  - Frequently used in an IPsec site-to-site VPN
- Transport Mode
  - The IPsec header is inserted into the IP packet; no new packet is created
  - Works well in networks where increasing a packet's size could cause an issue
  - Frequently used for remote-access VPNs

Tunnel vs. Transport Mode IPsec

  Without IPsec:    [IP Header][TCP Header][Payload]
  Transport Mode:   [IP Header][IPsec Header][TCP Header][Payload]
  Tunnel Mode:      [New IP Header][IPsec Header][IP Header][TCP Header][Payload]

Capture: Telnet (packet capture screenshot on slide: the session contents are readable in the clear)

Capture: Telnet over IPsec (packet capture screenshot on slide: only ESP packets are visible, the session contents are not)

IPsec Best Practices
- Use IPsec to provide integrity in addition to encryption: use the ESP authentication option
- Use strong encryption algorithms: 3DES and AES instead of DES
- Use a good hashing algorithm: SHA instead of MD5

Caveat: since these slides were written, 3DES and SHA-1 have themselves become legacy choices; current guidance is AES (preferably AES-GCM, which provides encryption and integrity in one transform) with SHA-2 for integrity and PRF.

DoS and DDoS

What is DoS and DDoS?
- In general, a denial of service is an attack against the availability of a service
  - A service can be a network, or a specific service such as a web site
- DoS - Denial of Service: usually from only one source
- DDoS - Distributed Denial of Service: the attack originates from multiple sources
- Either way, the denial of service is achieved through resource exhaustion (bandwidth, connection state, CPU, memory)

Impacts of a DDoS
- Users see a DDoS as an outage
- The security team sees a DDoS as a loss of availability (think back to the CIA triad)
- Business management sees a DDoS as impacting the business financially, especially if the business makes money using the Internet (ISP, credit card gateway, online casino)

DoS by Layers (colour animated slide)

  OSI Model                          TCP/IP Model     Protocols and Services      Attacks
  Application/Presentation/Session   Application      HTTP, FTP, DHCP, NTP,       Reflection and amplification (DNS, NTP, etc.),
                                                      TFTP, DNS                   Slowloris, complex DB queries
  Transport                          Transport        TCP, UDP                    SYN flood
  Network                            Internet         IP, ICMP, RIP               ICMP flood
  Data Link/Physical                 Network Access   WiFi, Ethernet, fiber,      Electrical interference,
                                                      copper                      construction equipment

Anatomy of a Plain DoS Attack (diagram)
1. The attacker sends any valid or invalid traffic to the target server (IP 10.10.1.1)

Anatomy of a Plain DDoS Attack (diagram)
1. The attacker directs the bots in a botnet to begin the attack
2. All bots send any valid or invalid traffic to the target server (IP 10.10.1.1)

Anatomy of a Reflected Amplification Attack (diagram)
1. The attacker directs the bots in a botnet to begin the attack
2. All bots send a DNS query for the TXT record in domain "evil.com" to open recursive servers, with a spoofed source address claiming "my IP is 10.10.1.1"
3. The open resolvers ask the authoritative name server for the TXT record of "evil.com"
4. evil.com's authoritative server responds with a 4000 byte TXT record
5. The open resolvers send the DNS response (4000 byte DNS TXT RR) to the target server (IP 10.10.1.1)

The small spoofed query is amplified into a large answer, and the answers come from the resolvers rather than the bots, which hides the real sources and is why source address validation (BCP38) on the bots' networks would stop step 2.
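What the attack in the diagram looks like from the victim's side, and how to spot it in flow data, as an added example that is not part of the APNIC slides. The flow records are constructed to mirror the diagram: many open resolvers returning 4000-byte TXT answers to the spoofed victim 10.10.1.1, mixed with one legitimate DNS exchange and unrelated TCP traffic. The detector groups UDP source-port-53 traffic by destination and alerts when the answers come from many distinct resolvers and are unusually large; the thresholds are assumptions to be tuned per network, and the amplification factor uses a 60-byte query as an assumed size.

```python
"""Detecting reflected DNS amplification in flow records.

Added example, not from the APNIC slides. Flow records are constructed to
match the diagram (victim 10.10.1.1, 4000-byte TXT answers); thresholds and
the 60-byte query size are assumptions.
"""
from collections import defaultdict

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("10.10.1.1", 40001, "198.51.100.5", 53, "udp", 60),      # victim's own lookup
    ("198.51.100.5", 53, "10.10.1.1", 40001, "udp", 180),     # normal-sized answer
    ("192.0.2.9", 443, "10.10.1.1", 50123, "tcp", 1500),      # unrelated HTTPS traffic
] + [
    # 30 open resolvers each returning the 4000-byte TXT record to the victim
    (f"203.0.113.{i}", 53, "10.10.1.1", 33000 + i, "udp", 4000) for i in range(1, 31)
]


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification: bytes delivered to the victim per byte the bot sent."""
    return response_bytes / request_bytes


def detect_dns_reflection(flows, min_sources: int = 10, min_avg_bytes: int = 1000) -> dict:
    """Return {victim_ip: summary} for hosts receiving large DNS answers from many resolvers."""
    per_dst = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for src, sport, dst, dport, proto, size in flows:
        if proto == "udp" and sport == 53:            # answers coming back from resolvers
            entry = per_dst[dst]
            entry["sources"].add(src)
            entry["bytes"] += size
            entry["packets"] += 1
    alerts = {}
    for victim, entry in per_dst.items():
        avg = entry["bytes"] / entry["packets"]
        # A real client talks to a handful of resolvers and gets small answers;
        # many resolvers plus large answers is the reflection signature.
        if len(entry["sources"]) >= min_sources and avg >= min_avg_bytes:
            alerts[victim] = {"resolvers": len(entry["sources"]),
                              "bytes": entry["bytes"], "avg_response": round(avg)}
    return alerts


if __name__ == "__main__":
    print("amplification factor for a 60-byte query:", round(amplification_factor(60, 4000), 1))
    for victim, summary in detect_dns_reflection(FLOWS).items():
        print(f"ALERT {victim}: {summary}")
```

The same grouping works for NTP (source port 123) and other UDP reflectors by changing the port test. On the mitigation side, the victim can only rate-limit or drop inbound UDP/53 answers it never asked for; the durable fixes sit elsewhere: BCP38 on the bots' networks so the spoofed query is dropped at step 2, and response rate limiting or closing open recursion on the resolvers.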
