Computer Network Attack and Defense Technology: Lecture 7

Uploader: M****1   Document ID: 570096865   Upload date: 2024-08-01   Format: PPT   Pages: 66   Size: 3.06MB

Computer Network Attack and Defense Technology, Lecture 7

Outline
- Web security: SQL Injection; Cross-site Scripting (XSS); Cross-site Request Forgery; other
- Denial of Service attacks
- Introduction to firewalls

Web Security

Typical Web Site Architecture
[Figure: Firewall, Load Balancer, web servers WS1/WS2/WS3, App Servers, DB, Authorization and Access Management (Netegrity (CA), Oblix (Oracle)), Firewall, IPS]

Web Vulnerabilities
- SQL Injection: a code injection technique that exploits a security vulnerability in the database layer of an application. The browser/client sends malicious input to the server; bad input checking turns it into a malicious SQL query.
- XSS (Cross-site scripting): malicious attackers inject client-side script into web pages viewed by other users. A bad web site sends an innocent victim a script that steals information from an honest web site.
- CSRF (Cross-site request forgery), also known as one-click attack or session riding: a bad web site sends a request to a good web site using the credentials of an innocent victim who "visits" the bad site.
- Other problems: HTTP response splitting, site redirects, ...

SQL Injection Basics
[Figure: Attacker posts a malicious form to the Victim Server (1); the server issues an unintended query to the Victim SQL DB (2); valuable data flows back to the attacker (3)]

SQL Injection: sample PHP
    $recipient = $_POST['recipient'];
    $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
    $rs = $db->executeQuery($sql);
- Problem: what if recipient is a malicious string that changes the meaning of the query?
    $recipient = "a' OR 't'='t"
    $sql = "SELECT PersonID FROM Person WHERE Username='a' OR 't'='t'"

Cross Site Scripting (XSS)
- An XSS vulnerability is present when an attacker can inject scripting code into pages generated by a web application.
- Methods for injecting malicious code:
  - Reflected (non-persistent) XSS ("type 1"): the attack script is reflected back to the user as part of a page from the victim site. More common.
  - Stored (persistent) XSS ("type 2"): the attacker stores the malicious code in a resource managed by the web application, such as a database.
  - Others, such as Document Object Model (DOM)-based attacks.

Reflected (Non-Persistent) XSS Attack
[Figure: Attack Server, Victim Server, Victim client: (1) visit web site, (2) receive malicious page, (3) click on link, (4) victim server echoes user input, (5) valuable data sent to the compromised server]

Protecting from XSS Attacks
- Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification of what should be allowed.
- Do not attempt to identify active content and remove, filter, or sanitize it: there are too many types of active content and too many ways to encode content to bypass filters.
- Use a positive security policy that specifies what is allowed. Negative or attack-signature-based policies are difficult to maintain and likely to be incomplete.

DOM-based XSS (no server involved)
- Example page:
    <title>Welcome!</title>
    Hi
    <script>
    var pos = document.URL.indexOf("name=") + 5;
    document.write(document.URL.substring(pos, document.URL.length));
    </script>
- Works fine with this URL: http:/ ... but what about this one? http:/ ...
- Reference: Klein, "XSS of the Third Kind".

Client-side (DOM) XSS
- Emerged after Web 2.0.
- The Document Object Model (DOM) is the standard model for representing HTML or XML content: an object-oriented interface used to read and write documents. A web page in HTML is structured data, and the DOM provides a representation of this hierarchy.
- The DOM is the primary way for JavaScript programs to manipulate the state of a web page and populate it with dynamically computed data.
- Examples: a piece of JavaScript accessing and extracting data from the URL via the location.* DOM; receiving raw non-HTML data from the server via XMLHttpRequest.
- Properties: document.alinkColor, document.URL, document.forms, document.links, document.anchors. Methods: document.write(document.referrer).
- DOM XSS happens during the content processing stages delegated to the client: after data is retrieved from the server, dynamic HTML is written without proper escaping, entirely on the client side.

Client-side (DOM) XSS defenses
- Proxy-based: analyze the HTTP traffic exchanged between the user's web browser and the target web server, scanning for special HTML characters and encoding them before the page executes in the user's browser.
- Application-level firewall: analyze browsed HTML pages for hyperlinks that might lead to leakage of sensitive information; stop bad requests using a set of connection rules.
- Auditing system: monitor execution of JavaScript code, compare the operations against high-level policies, and detect malicious behavior.
- Disabling scripts: some web applications can be written to operate completely without client-side script.

Cross-Site Request Forgery (CSRF, XSRF)
- A malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Also called one-click attack or session riding.
- Exploits the trust that a site has in a user's browser. (Cross-site scripting, by contrast, exploits the trust a user has in a particular site.)
- Known since the 1990s. In 2007, eBay Korea lost the information of 18 million users because of CSRF.

Recall: session using cookies
[Figure: Browser -> Server: POST /login.cgi; Server -> Browser: Set-cookie: authenticator; Browser -> Server: GET ... Cookie: authenticator; Server -> Browser: response]

Basic picture
[Figure: Attack Server, Server Victim, User Victim: (1) establish session, (2) visit attack server, (3) receive malicious page, (4) send forged request]
- Question: how long do you stay logged on to your bank account?

Cross Site Request Forgery (XSRF): example
- User logs in to . Does not sign off. The session cookie remains in browser state.
- Then the user visits another site containing a form F that is auto-submitted with document.F.submit(), or an image tag whose source is the target URL.
- The browser sends the user's auth cookie with the request, and the transaction is fulfilled.
- Problem: cookie authentication is insufficient when side effects can occur.

Example: home router
[Figure: Bad web site, Home router, User: (1) user configures router, (2) visits bad site, (3) receives malicious page, (4) browser sends forged request to the router]

Attack on Home Router
- Fact: 50% of home users use a broadband router with a default or no password.
- Drive-by pharming attack: the user visits a malicious site; JavaScript at the site scans the home network looking for the broadband router. The same-origin policy allows "send only" messages; success is detected using onerror. Once found, the script logs in to the router and changes its DNS server.
- Problem: "send-only" access is sufficient to reprogram the router. [SRJ07]

Login CSRF

CSRF Characteristics
- Involves sites that rely on a user's identity and exploits the site's trust in that identity.
- Tricks the user's browser into sending HTTP requests to a target site.
- Involves HTTP requests that have side effects.
- At risk: web applications that perform actions based on input from trusted and authenticated users without authorizing the specific action.

How Can CSRF Succeed?
- The site does not check the Referer header, or the victim's browser allows Referer spoofing. (The referring page is the URL of the previous web page from which a link was followed.)
- The attacker must find a form submission at the target site that does something useful to the attacker: transfer money, change password, add account, etc.
- The attacker must determine the right values for all the form inputs.
- The attacker must lure the victim to a web page with malicious code while the victim is logged in to the target site.

CSRF Defenses
- Authentication in GET and POST parameters, not only in cookies.
- Limiting the lifetime of authentication cookies.
- Secret token: place a one-time token in the page/form served by the honest site; check the one-time token in the POST; confirm it is part of the ongoing session with the server. The token in the POST can be an HMAC (Hash-based Message Authentication Code) of the session ID in the cookie.
- Check the Referer (sic) header: it is provided by the browser, not by script. Unfortunately, it is often filtered for privacy reasons.
- Use custom headers via XMLHttpRequest: this requires a global change in server applications.

CSRF Recommendations
- Login CSRF: strict Referer validation. Login forms typically submit over HTTPS, where the Referer is not blocked.
- HTTPS sites, such as banking sites: use strict Referer validation to protect against CSRF.
- Other: use Ruby on Rails or another framework that implements the secret token method correctly.
- Future: an alternative to Referer with fewer privacy problems, sent only on POST and carrying only the necessary data.

More server-side problems
- HTTP response splitting
- Site redirects
- Server Side Includes
- Misuse of hidden tags

What is DoS?
- Goal: take out a large site with reasonable/practical work.
- How: different methods. Example: amplification, where a small number of packets has a big effect.
- Two types of amplification attacks: bug (a design flaw allowing one machine to disrupt a service) and flooding (commanding a botnet to generate a flood of requests).

A High-Profile DoS Example: Estonia
- Known as the Estonian Cyberwar. Started Apr 27, 2007 and lasted two weeks.
- Attacked sites: the Estonian parliament, banks, ministries, newspapers and broadcasters, and various Estonian commercial sites.
- Used botnets to perform ping floods.
- No responsible party has been identified so far (Russia is a possibility).
- Caused the world to reconsider the importance of network security to modern military doctrine.

DoS happens at any layer
- DoS at different layers: link, TCP/UDP, application, payment.
- Generic DoS solutions; network DoS solutions.
- Sad truth: DDoS attacks are a big issue for the Internet, and there is no good solution so far.

Denial of Service Attacks (DoS)
- Vulnerability-based DoS
- Capacity depletion
- DDoS, bots and botnets
- Application-layer DoS

Vulnerability-based DoS (old-school DoS)
- Program flaws lead to software or hardware failing to handle unexpected situations/conditions; the user sends unintended data to the vulnerable program.
- Examples:
  - Oversized packets: ping -l 65510 192.168.2.3
  - Fragmentation overlap: crash because of failure to handle TCP/IP fragmentation
  - Loopback floods: pointing the chargen service on Unix at the echo service creates an infinite loop; using the victim's IP address as both source and destination
  - Nukers (Windows vulnerability): send an out-of-band packet (TCP segment with the URG bit set)
  - Extreme fragmentation
  - NETBIOS/SMB (Microsoft): buffer overflow, NETBIOS name overlap
  - Combos

Capacity Depletion DoS: try to use up resources
- Infrastructure-layer DoS: SYN floods, UDP floods.
- Amplification-based DoS:
  - Smurf: the attacker sends spoofed ICMP ECHO requests to a broadcast address with the source address set to the victim; the ICMP responses flood the victim.
  - Fraggle: similar to Smurf, but uses UDP.

DDoS, bots and botnets; application-layer DoS
- Application-layer DoS requires fewer resources: find a resource on a popular site that requires little computation for the client to request but a high computation load on the server. With a fair number of client requests, the application can be taken down, and DoS/DDoS detection might not notice.
- MyDoom worm (July 2004): took down all major search engines (Google, Yahoo, ...).

Research Topic: Application-Layer DDoS Protection
- What is application-level distributed denial of service (App-DDoS)? Using botnets to launch a denial of service attack. Botnet attacks are distributed in nature and becoming more and more popular.
- Application-layer attacks look legitimate at the network (layer 3) and transport (layer 4) layers. Firewalls normally only look at layers 3 and 4, hence firewall-based DoS protection won't work.
- Targets are services that cannot be turned off on network devices, for example HTTP for web servers, DNS, SSH.

Botnets: a new big problem
- Bots: little programs installed silently without user intervention. Most users are not aware of bots on their computers; common users are the weakest link and need good education to mitigate botnets.
- Millions of computers infected; 53,000 infected per day (2007).
- Botnets: networks of computers on which bots are installed, managed by a command and control server.
- The Kraken botnet: 400,000 bots, including machines from 50+ Fortune 500 companies. Used for DDoS, cyber war, identity theft, spam and scams.
- Bots are deployed across countries around the world; China, USA, Germany, Spain and France are the top five infected countries. Botnets are a worldwide problem.

Distributed Botnets and DDoS
[Figure: bots attacking a Victim Server]
- With 400k bots, how big can the attacks be?

Application DDoS Protection: Application Analysis
- Automatic application identification: applications can run on non-standard ports; each application has signatures/patterns that can be used to identify services/applications. An application identification library must be built, and identification must be done automatically.
- Application context analysis: build a library of application contexts for all applications/services; analyze the relationships between contexts; construct a state machine for the application.

Application DDoS Protection: Classify Bot Client (1): Application Monitor
- The user configures a connection rate threshold for a specific service (such as HTTP, DNS).
- The system tracks the connection rate for each configured application. When the threshold is exceeded, it transitions to the protocol tracking stage.

Application DDoS Protection: Classify Bot Client (2): Protocol Tracking
- Configure context thresholds and optimal max-context values for each application on a specific network device.
- Performs protocol decoding and deep context inspection; maintains statistical data on service transactions; monitors the count for each processed context.
- Two types of attacks:
  - Repeat attacks: identical service transactions are performed in a fast and repeated fashion, e.g. querying a non-existing domain name again and again.
  - Random attacks: random service request data, e.g. querying a random domain name once per request.
- On exceeding thresholds, transitions to the bot client classification stage.

Application DDoS Protection: Classify Bot Client (3): Bot Client Classification
- The user configures time-binding thresholds.
- The system tracks service contexts (protocol tracking) on a per-client basis. All client requests are subjected to time-binding, and each client is classified as a bot or not.
- User-configured actions are applied: session action, future action, log.
- Result: regular clients/users are served; attackers/bots are stopped.

Challenges and To-Do List
- In-depth understanding of applications and the contexts inside them.
- Build up the application identification database.
- Self-adaptive control of normal traffic pattern recognition to minimize user intervention.
- Algorithms to identify abnormal traffic.

DoS Protection
- Use an anti-DoS product; plan capacity.
- Hardening the network edge: block ICMP and UDP; ingress filtering; egress filtering; disable directed IP broadcast; rate limiting; authenticate routing updates; implement sink holes; implement Unicast Reverse Path Forwarding (make sure the source address and interface in the routing table match the interface on which the packet was received).
- Hardening servers: keep up with patches; system-level SYN protection; system-level configuration.
- Detecting DoS: keep tabs on malware; scan for DoS bots on networks with tools such as Foundstone's DDOSPing, Zombie Zapper and Find_ddos.

Firewalls
- Keep out unwanted traffic. Can be done in the network (e.g. at the network perimeter) or at the host.
- Many mechanisms: packet filters, stateful packet filters, proxies.

What is a Firewall?
- A software/hardware barrier between the intranet (LAN) and the extranet (WAN).
- Permits/denies packets based on rules: source IP address/port, destination IP address/port, destination service, protocols, source domain, etc.
- Stateful firewall: session-based; decisions are based on session state instead of individual packets.
- Perimeter gateway: the common entry point to the LAN.
- Performance is king: current state of the art is 120 Gbps in a single box.

Basic Firewall Concept
- Separate the local area network from the Internet with a router and firewall; all packets between the LAN and the Internet are routed through the firewall.

More about networking: port numbering
- TCP connection: the server port uses a number less than 1024 (permanent assignment); the client port uses a number between 1024 and 16383.
- Ports above 1024 must be available for the client to make a connection.
- Limitation for stateless packet filtering: if the client wants port 2048, the firewall must allow incoming traffic to it.
- Better: stateful filtering knows about outgoing requests, so it only allows incoming traffic on a high port to a machine that has initiated an outgoing request to a low port.

Why is a Firewall Necessary?
- The first line of defense; very efficient in DoS/DDoS protection.
- Controls port/protocol usage: whitelists and blacklists allow or deny.
- NAT, IPv4/IPv6, encryption.
- Law compliance requires security in depth, including a firewall.
- Segmentation of the LAN: separate zones/policies to logically separate traffic; enforce corporate policies.

Packet Filtering Firewall
- Uses transport-layer information only: IP source and destination address; protocol (TCP, UDP, ICMP, etc.); TCP or UDP source and destination ports; TCP flags (SYN, ACK, FIN, RST, PSH, etc.); ICMP message type.
- No state information is saved; the decision is made on a per-packet basis.
- Example: DNS uses port 53; block incoming port 53 packets except from known trusted servers.
- Issues: stateful filtering; encapsulation (address translation, other complications); fragmentation; source/destination address forgery.

Filtering Example: Inbound SMTP
- Can block external requests to an internal server based on port number.

Filtering Example: Outbound SMTP
- Known low port out, arbitrary high port in. If the firewall blocks incoming port 1357 traffic, the connection fails.

Stateful or Dynamic Packet Filtering
- The packet decision is made in the context of a connection.
- If a packet starts a new connection, check it against the security policy.
- If a packet is part of an existing connection, match it in the state table and update the table.
- Telnet example (client port 1234, server port 23): the client opens a channel to the server and tells the server its port number ("PORT 1234"). The ACK bit is not set while establishing the connection but is set on all remaining packets; the server acknowledges ("ACK"). Stateful filtering can use this pattern to identify legitimate sessions.
- FTP example (client ports 5150/5151, server command port 21, data port 20): the client opens the command channel to the server and tells the server its second port number ("PORT 5151"); the server acknowledges ("OK"); the server opens the data channel to the client's second port; the client acknowledges (TCP ACK).

Proxy Firewalls
- A relay for connections: Client -> Proxy -> Server.
- Can be done at the application level or the circuit level.

Network Address Translation (NAT)
- Why we need NAT: extend the address space; security.
- N:M mapping; 1:1 mapping.

Encryption (VPNs)
- Allow trusted users to access sensitive information from untrusted networks; important for remote users or remote sites.
- Use IPsec.

Firewall Deployment
[Figure: enterprise network (Apps, Data, Finance, Video) with firewalls separating trust and untrust zones; workstations; web server and email server; router; branch office, partner, remote sites, wireless access, partner portals, data center, mobile, remote office/home; Internet]

Firewall Evolution
- Mega data centers (thousands), clients (billions), a global high-performance network spanning campus, branch, home and mobile.
- Company globalization; data and application consolidation; the distributed enterprise.

What a Firewall Cannot Protect
- Traffic not crossing it: routing around it, internal traffic.
- Misconfiguration.
- Application-layer attacks, e.g. an HTTP service attack against a web server.

Thank you!
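The SQL injection sample in the slides is PHP; the following is an added illustration (not from the lecture) that reproduces the same query in Python on a constructed in-memory SQLite table, showing the string-built query returning every row for the lecture's `a' OR 't'='t` input beside a parameterized query that is immune to it:

```python
import sqlite3


def make_db():
    # Constructed stand-in for the lecture's Person table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Person (PersonID INTEGER, Username TEXT)")
    db.executemany("INSERT INTO Person VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db


def lookup_unsafe(db, recipient):
    # Mirrors the PHP sample: the request value is pasted into the SQL text,
    # so quotes in the input become part of the statement.
    sql = f"SELECT PersonID FROM Person WHERE Username='{recipient}'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, recipient):
    # Parameterized query: the driver passes the value separately from the
    # statement, so it can only ever be compared as data.
    sql = "SELECT PersonID FROM Person WHERE Username=?"
    return [row[0] for row in db.execute(sql, (recipient,))]


def demo():
    db = make_db()
    payload = "a' OR 't'='t"  # the lecture's malicious recipient value
    return {
        "unsafe_normal": lookup_unsafe(db, "bob"),     # [2]
        "unsafe_payload": lookup_unsafe(db, payload),  # every PersonID
        "safe_payload": lookup_safe(db, payload),      # no such username
    }


if __name__ == "__main__":
    print(demo())
```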
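The CSRF defense slides propose a one-time token carried in the form that is an HMAC of the session ID from the cookie. This added example (not the lecture's code) implements that check for a hypothetical /transfer handler; the server key, cookie name and form fields are assumptions, and the forged request models a page that auto-submits a form, which carries the cookie but has no way to learn the token:

```python
import hashlib
import hmac
import secrets

# Server-side secret; never sent to any client (constructed per process).
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    # Token = HMAC(key, session ID). A third-party page that triggers the
    # browser into sending the cookie still cannot compute this value.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_transfer_form(session_id: str) -> str:
    # The honest site embeds the token in the form it serves.
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{csrf_token(session_id)}">'
            '<input name="to"><input name="amount"></form>')


def handle_post(cookies: dict, form: dict) -> str:
    session_id = cookies.get("authenticator")
    if not session_id:
        return "401 not logged in"
    expected = csrf_token(session_id)
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(expected, form.get("csrf", "")):
        return "403 csrf token mismatch"
    return f"200 transferred {form['amount']} to {form['to']}"


def demo():
    sid = "sess-" + secrets.token_hex(8)
    cookies = {"authenticator": sid}
    # Legitimate: submission of the form the honest site rendered.
    legit = {"to": "bob", "amount": "10", "csrf": csrf_token(sid)}
    # Forged: a cross-site page auto-submits a form; the browser attaches the
    # cookie, but the page does not know the token (or guesses one).
    forged = {"to": "attacker", "amount": "1000", "csrf": "guess"}
    return (handle_post(cookies, legit),
            handle_post(cookies, forged),
            handle_post({}, legit))


if __name__ == "__main__":
    print(demo())
```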
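The three-stage App-DDoS scheme above (application monitor, protocol tracking, bot client classification with time-binding) is described only in prose. The following is an added sketch of that pipeline for DNS (not the research system itself): the thresholds and the query log are constructed, with one normal client, one "repeat attack" client that asks for the same non-existent name, and one "random attack" client that asks for a different made-up name each time:

```python
from collections import Counter, defaultdict

# Constructed DNS query log: (second, client IP, queried name).
LOG = []
for t in range(6):
    LOG.append((t, "10.0.0.5", "mail.example.com"))            # normal user
    for i in range(40):
        LOG.append((t, "10.0.0.66", "nx.example.com"))            # repeat attack
        LOG.append((t, "10.0.0.77", f"r{t}-{i}.example.com"))     # random attack

RATE_THRESHOLD = 50   # stage 1: DNS queries per second for the whole service
CTX_THRESHOLD = 30    # stage 2: transactions per client per second worth inspecting
TIME_BINDING = 3      # stage 3: seconds a client must stay suspicious to be a bot


def per_second(log):
    buckets = defaultdict(list)
    for t, client, qname in log:
        buckets[t].append((client, qname))
    return buckets


def stage1_application_monitor(log):
    """Seconds in which the DNS connection rate exceeded the configured threshold."""
    return sorted(t for t, q in per_second(log).items() if len(q) > RATE_THRESHOLD)


def stage2_protocol_tracking(queries):
    """Deep context inspection of one second: per client, 'repeat', 'random' or unflagged."""
    by_client = defaultdict(list)
    for client, qname in queries:
        by_client[client].append(qname)
    verdicts = {}
    for client, names in by_client.items():
        if len(names) < CTX_THRESHOLD:
            continue
        top = Counter(names).most_common(1)[0][1]
        if top == len(names):                 # identical transactions, repeated fast
            verdicts[client] = "repeat"
        elif len(set(names)) == len(names):   # every request distinct
            verdicts[client] = "random"
    return verdicts


def stage3_classify_bots(log):
    """Time-binding: a client flagged in at least TIME_BINDING hot seconds is a bot."""
    buckets = per_second(log)
    strikes, kinds = Counter(), {}
    for t in stage1_application_monitor(log):
        for client, kind in stage2_protocol_tracking(buckets[t]).items():
            strikes[client] += 1
            kinds[client] = kind
    return {c: kinds[c] for c, n in strikes.items() if n >= TIME_BINDING}
```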
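The port-numbering slides argue that a stateless filter must open every high client port to inbound traffic, whereas a stateful filter admits an inbound packet to a high port only if that LAN host already opened a connection to a low server port. This added simulation (not from the lecture) runs both policies on the Telnet exchange from the slides; the address ranges and flag strings are assumptions:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # subset of "S" (SYN) and "A" (ACK)


LAN_PREFIX = "192.168.1."  # constructed: hosts with this prefix are inside


def is_inbound(p: Packet) -> bool:
    return p.dst.startswith(LAN_PREFIX) and not p.src.startswith(LAN_PREFIX)


def stateless_decide(p: Packet) -> str:
    # Per-packet rule only: clients may use any high port, so the filter has
    # to admit every inbound packet aimed at a port >= 1024.
    if is_inbound(p):
        return "ALLOW" if p.dport >= 1024 else "DENY"
    return "ALLOW"


class StatefulFilter:
    def __init__(self):
        self.state = set()  # (lan_host, lan_port, ext_host, ext_port)

    def decide(self, p: Packet) -> str:
        if not is_inbound(p):
            key = (p.src, p.sport, p.dst, p.dport)
            # Policy: a LAN client may open a connection to a low server port
            # (SYN without ACK); remember it in the state table.
            if "S" in p.flags and "A" not in p.flags and p.dport < 1024:
                self.state.add(key)
                return "ALLOW"
            return "ALLOW" if key in self.state else "DENY"
        key = (p.dst, p.dport, p.src, p.sport)
        # Inbound is accepted only as the ACK-carrying reply to a connection
        # the LAN host initiated; an unsolicited SYN to a high port is dropped.
        if key in self.state and "A" in p.flags:
            return "ALLOW"
        return "DENY"
```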
