This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
DDoS is an activity that impedes or shuts down a service by using many attacking hosts, either dedicated computers or computers forced into becoming zombies by injecting a DDoS Trojan into them (helper hosts). The attack can use a layered infrastructure and different platforms.
In general, a DDoS attack works as follows:
Scan the network with a DDoS tool to search for vulnerable hosts that have an internet connection.
Once a vulnerable host is found, the tool injects a Trojan, called the DDoS Trojan, that turns the vulnerable host into a zombie host that can be controlled remotely.
When the number of zombie hosts is judged sufficient, the cracker's server orders the zombie hosts to attack together so that the system hangs; if the target is a website, other users can no longer access it, because the resources provided are used up serving requests from the DDoS attackers.
The consequence of a DDoS attack is that the user's system hangs, while at the network level the entire network becomes inaccessible.
Explain the defense mechanisms that can be devised to perform preventive and reactive actions.
Preventive actions:
Know the kinds of DDoS attacks and how they work.
Based on the Prolexic report, the most used DDoS type is the SYN flood. It floods the victim with a large number of TCP SYN packets; the victim replies to each with a TCP SYN-ACK packet, the backlog queue fills up, and the system stops responding to further TCP SYN packets.
Install and update anti-virus software and a firewall.
Set up the firewall to allow or deny protocols, IP addresses, or ports. This is a simple way to protect users from small flooding attacks.
Use screening/filtering/sniffing tools.
Such a setup protects the network/server by looking for attack patterns or by identifying the content of the information. When traffic with the same pattern arrives repeatedly, the filtering tool can signal that messages with this pattern should be blocked, protecting the network/server from the attack. Examples of DDoS detection systems are:
NetFlow analyzers: collect IP traffic information
SNMP-based tools: collect information from network devices, such as switches or routers that support the SNMP protocol
Conduct regular testing to know how secure your server or network is.
Reactive actions:
Detect and respond immediately to a DDoS attack. The reactive mechanisms are:
Signature detection: observe the network traffic and compare it with known attack signatures from a database. Known attacks are easily detected, but new attacks go undetected if the database is not updated.
Anomaly detection: observe the network traffic and compare it with normal traffic. The model or categories of "normal traffic" must be kept updated and properly adjusted.
A combination of the signature and anomaly mechanisms.
If a user/server has been attacked (with characteristics such as suddenly slow network performance, inability to access any website, a sudden increase in spam email received, or unavailability of a particular website), some reactive actions may be taken:
Block the traffic
Trace back to identify the attacker
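As an added example that is not part of the original essay, the Go program below applies the two reactive mechanisms just described to one constructed capture window: a signature rule for the SYN flood pattern from the prevention section (many SYNs to one host whose handshakes never complete) and an anomaly rule against a baseline that is assumed to have been learned from quiet windows. Every address, count and threshold here is constructed for the illustration.

```go
package main

import "fmt"

// Packet is a constructed TCP packet summary (what a NetFlow exporter or a sniffer would report).
type Packet struct {
	Src, Dst string
	SYN, ACK bool
}

// Detect runs both reactive mechanisms over one capture window. Signature: at least minSYN bare SYNs
// (SYN without ACK, i.e. half-open attempts) to a host, outnumbering its other packets 4:1. Anomaly:
// bare SYNs above factor times the host's learned baseline. Returns host -> names of the rules that fired.
func Detect(pkts []Packet, baseline map[string]int, minSYN, factor int) map[string][]string {
	bare, other := map[string]int{}, map[string]int{}
	for _, p := range pkts {
		if p.SYN && !p.ACK {
			bare[p.Dst]++
		} else {
			other[p.Dst]++
		}
	}
	alerts := map[string][]string{}
	for host, n := range bare {
		if n >= minSYN && n > 4*other[host] {
			alerts[host] = append(alerts[host], "signature:syn-flood")
		}
		if b, ok := baseline[host]; ok && n > factor*b {
			alerts[host] = append(alerts[host], "anomaly:syn-rate")
		}
	}
	return alerts
}

func SampleWindow() []Packet {
	pkts := []Packet{}
	for i := 0; i < 60; i++ { // flood: 60 half-open attempts on 10.0.0.5 from 60 spoofed sources
		pkts = append(pkts, Packet{Src: fmt.Sprintf("203.0.113.%d", i), Dst: "10.0.0.5", SYN: true})
	}
	for i := 0; i < 5; i++ { // normal: five completed three-way handshakes with 10.0.0.9
		pkts = append(pkts, Packet{Src: "192.0.2.7", Dst: "10.0.0.9", SYN: true},
			Packet{Src: "10.0.0.9", Dst: "192.0.2.7", SYN: true, ACK: true},
			Packet{Src: "192.0.2.7", Dst: "10.0.0.9", ACK: true})
	}
	return pkts
}

func main() { // 8 bare SYNs per window is taken as the normal (learned) rate for both hosts
	fmt.Println(Detect(SampleWindow(), map[string]int{"10.0.0.5": 8, "10.0.0.9": 8}, 50, 3))
}
```

Only the flooded host trips both rules; the host serving real handshakes stays below the signature ratio and its baseline multiple.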
Explain how one approaches the problem of DDoS caused by a botnet.
A botnet is also called a "zombie army" in a DDoS attack. The problem caused by botnets is approached with prevention and reactive mechanisms, such as:
Personal habits to consider: be careful when downloading, avoid installing useless things, and read carefully before clicking anything.
Routines: use anti-virus/anti-Trojan utilities, update the system frequently, and do not leave your PC without locking it.
Back up all systems on a regular basis, keep all software up to date, and use a personal firewall.
Explain why DDoS is difficult to solve and describe some successful DDoS prevention mechanisms.
DDoS is difficult to solve because:
DDoS attacks the victim using packet floods.
The victim is unable to contact anyone for help, so if another network is attacked, nobody knows about it and nobody can help. It is also difficult to detect early; we only know after the attack, from a sudden increase in traffic.
Using filtering tools on the traffic flow means that valid traffic is also blocked, leaving applications waiting for a response. But without filtering, the zombies attack, the traffic floods in, and all of the bandwidth/resources are consumed.
Attack packets also carry spoofed IP addresses. Tracing them back to their source is difficult because the packets may come from thousands of IP addresses.
Software and hardware defense mechanisms must be set up properly. If the setup does not fit the system or architecture, it will not defend against attackers.
Some successful DDoS prevention mechanisms are:
Using honeypots. A honeypot is a system designed to be inspected and attacked. There are two types of honeypot:
Low-interaction honeypots emulate services and an operating system. Attackers cannot interact with the underlying operating system, only with specific services. This type cannot provide detailed information about the attackers' actions, but it can detect communication attempts toward unused IP addresses.
If the attack is not directed against the emulated service, a high-interaction honeypot, also called a honeynet, can be used. It is not a piece of software but a network architecture designed to be attacked. With this architecture every activity is recorded and attackers are trapped: the attack interacts with the honeynet system but is prevented from interacting with other systems.
Using route filtering techniques
These are used so that attackers do not know the route to critical servers and suspicious routes are not used.
Propose short-term solutions to the DDoS attack. Also propose a long-term solution to trace the botnets to their source, i.e. the C&C and hopefully the "man behind the gun."
a. Short-term solutions:
Increase user awareness, e.g.: do not open attachments from unknown senders or with unknown file extensions, keep up to date on malware, back up personal data regularly, etc.
Process aspect:
Include DDoS security in the testing scope
Conduct DDoS risk assessments regularly
Conduct security awareness and training regularly
Develop a contingency or disaster recovery plan in case of a DDoS attack
Technology aspect:
Force all internet transmission to go through TCP (Transmission Control Protocol)
Use route filtering
Deploy an IDPS (Intrusion Detection and Prevention System) to detect attacks
Use anti-virus software and firewalls to protect our systems
b. Long-term solutions:
Increase the internal campaign about DDoS attacks and the honeynet project to prevent DDoS attacks
Process aspect:
Participate in honeynet information sharing to keep up to date on honeynet projects around the world
Update the IT security policy to implement the honeynet project
Technology aspect:
Implement a honeynet architecture. With it, we can study the attackers' activities and methods and use that knowledge to improve information security.
[20 pts] Answer the following question:
How does the protocol work for authentication?
MS-CHAP v2 works as follows:
The client asks the server for a challenge.
The server sends back a 16-byte random server challenge.
The client generates the response:
a. Generate a 16-byte random client challenge.
b. Generate the challenge hash using SHA1 over (ClientChallenge || ServerChallenge || Username).
c. Generate 16 bytes from the user's password; these become the NT password hash.
d. Add 5 zero bytes to the 16-byte NT password hash, then generate the challenge response using 3 x DES (one key per 7 bytes).
e. Encrypt the first 8 bytes (the result of step b) with the 3 DES keys (step d) to produce the 24-byte ChallengeResponse.
Send the 24-byte ChallengeResponse, the 16-byte ChallengeHash, and the username to the server.
The server receives the response and decrypts it using the client's hashed password stored in the database.
If the decrypted result matches the challenge, the server sends back a 20-byte authenticator response to the client.
The client generates the same 20 bytes (with the same procedure) and compares them to the server's authenticator response. If they match, the client and the server are authenticated.
What is the vulnerability of the protocol?
The 8-byte challenge generated from the 16-byte random server challenge is transmitted in plaintext. It can be captured by any eavesdropper, so this challenge provides no security.
Derivation of the 3 DES keys from the NT password hash
The 16-byte NT password hash is padded with 5 zero bytes and then split into 3 DES keys of 7 bytes each. Because the last 5 bytes are zero, the effective key material is just the 16 bytes of the hash.
With a brute-force attack, only 65536 different DES keys need to be tried to determine 16 bits of the NT password hash, which takes no more than a few seconds.
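As an added example, written for this page rather than taken from the essay or from any MS-CHAPv2 implementation, the Go program below carries out the client's response computation described above with the standard library's SHA1 and DES: the challenge hash, the zero-padding and split into three 7-byte DES keys, and the three encryptions that form the 24-byte response. The comment on the key split marks why the third key is the weak one from the vulnerability answer. The NT hash and both challenges are constructed inputs (the MD4 step that produces the NT hash from the password is not shown).

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"fmt"
)

// ChallengeHash = first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || Username); it is the DES plaintext.
func ChallengeHash(peer, auth [16]byte, username string) (out [8]byte) {
	h := sha1.New()
	h.Write(peer[:])
	h.Write(auth[:])
	h.Write([]byte(username))
	copy(out[:], h.Sum(nil))
	return
}

// DesKey spreads 7 key bytes over 8, 7 bits per byte; the low bit of each byte is the DES parity bit, which crypto/des ignores.
func DesKey(k7 []byte) []byte {
	var acc uint64
	for _, b := range k7 {
		acc = acc<<8 | uint64(b)
	}
	k := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k[i], acc = byte(acc&0x7F)<<1, acc>>7
	}
	return k
}

// ChallengeResponse pads the 16-byte NT hash with 5 zero bytes to 21, splits them into three 7-byte
// DES keys and encrypts the challenge hash under each, giving the 24-byte response. Key 3 is hash
// bytes 14-15 plus the five zero bytes, so only 16 of its 56 bits are unknown to an eavesdropper.
func ChallengeResponse(ntHash [16]byte, chal [8]byte) (resp [24]byte) {
	padded := append(ntHash[:], make([]byte, 5)...)
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(DesKey(padded[7*i : 7*i+7]))
		c.Encrypt(resp[8*i:8*i+8], chal[:])
	}
	return
}

func main() { // constructed challenges and NT hash, not real secrets
	var peer, auth, hash [16]byte
	for i := range peer {
		peer[i], auth[i], hash[i] = byte(i), byte(0xA0+i), byte(0x10*i)
	}
	fmt.Printf("%x\n", ChallengeResponse(hash, ChallengeHash(peer, auth, "alice")))
}
```

The server-side check is the same computation from the stored NT hash, so any party holding the hash reproduces the response exactly.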
What kind of technology was used to crack this protocol? Compare it with the technology used in cracking DES and describe their differences.
ChapCrack is a tool used to crack MS-CHAPv2.
To crack DES, a tool called the EFF DES cracker, or Deep Crack, was used.
The differences are:
ChapCrack combines the use of Deep Crack and CloudCracker. ChapCrack captures network traffic that uses MS-CHAPv2 and reduces it to a single DES key. The DES key is submitted to CloudCracker (which uses an FPGA cracking box / DES cracking machine) to recover the key. ChapCrack then uses this output to decrypt the entire session.
Deep Crack is only used to crack DES key encryption.
Explain the countermeasures a corporation should take in this case.
Do not use the PPTP VPN protocol. Users can move to PEAP or another more secure VPN. Users who rely on it for WPA2 RADIUS (Wi-Fi connections) should migrate to another secure protocol.
[30 pts] Answer the following question:
Describe how SMS Internet Banking two-factor authentication works
SMS Internet banking two-factor authentication is an authentication process that adds an additional layer of security to verify an Internet banking user's identity. Users are required to present a unique one-time password (OTP) in addition to their user ID and password when logging in and when performing important transactions such as third-party funds transfers or online credit card transactions. How it works:
The user logs in to the Internet banking website with their username and password.
The user performs a transaction such as a third-party funds transfer.
The user receives an SMS at their registered mobile phone number containing a unique, temporary PIN code (the OTP). Each SMS OTP can be used only once and only for a short period of time.
The user must enter this code on the website to prove their identity.
If the PIN code is entered correctly, the transaction proceeds.
This mechanism provides an extra layer of online security for Internet banking transactions, but users must always keep their mobile phone number up to date with the bank.
Describe how the Mobile in the Middle attack of Zitmo actually works
Zitmo injects an HTML form into the victim's browser to obtain the victim's phone number and phone model.
After obtaining the phone number and model, the attackers send an SMS containing a link to a version of the malicious package compatible with that phone.
After the user downloads the malicious mobile application, it lifts SMS messages containing personal information (e.g. bank account number, password, etc.) that are sent to the user.
Zitmo then funnels them to a remote server.
This gives the attacker access to the mobile transaction authentication number, i.e. the OTP PIN code.
Describe the difference between Spitmo and Zitmo
The differences between Spitmo and Zitmo:

| Aspect | Spitmo | Zitmo (Zeus In The Mobile) |
|---|---|---|
| Type of attack | Man in the browser | Man in the Mobile |
| Required phone information | Mobile phone number and phone IMEI number | Mobile phone number and phone model |
| How to attack | Using the compromised user browser, the user is asked to certify their phone number by downloading from a link. The user is then instructed to call a specific number, which is intercepted by the malicious app. The Trojan intercepts and transfers all incoming SMS to the drop points. | Using a malicious mobile application to intercept and block all incoming SMS |
| User interface | Does not have a user interface | Has a user interface that looks like a security tool |
| How stolen information is sent | Using URLEncoder to "encode" the data in a GET request | Using a JSON object in a POST request |
| How it stays stealthy | Does not run as a background service | Runs as a background service |
Describe what code signing is and how these malware got signed and trusted by the device.
Code signing is a method that uses digital certificates and the public key infrastructure to sign program files, so that users can confirm/authorize the author of the file/software and be assured that it has not been altered.
How these malware got signed and trusted by the device:
The Spitmo Trojan was usually signed with a test key publicly available from the CyanogenMod GitHub repository. When the attackers inject into the web browser (i.e. the bank website), they ask the customer for their phone number and phone IMEI. The customer's phone IMEI is then listed in the certificate, because the device trusts an application or file whose certificate contains its IMEI number.
After the attacker receives the IMEI number, they update the certificate for all victims and create a new installer file signed with the updated certificate. When the user downloads the file/application, it is trusted by the device because the application or file carries the IMEI certificate.