Attack Trends Presented by: Dani Firman Syah
Attack Trends
- Spyware
- DoS (Denial of Service) Attacks
- Wireless Attacks
- Phishing (pronounced "fishing")
- Spam
- Web Attacks
A. Spyware
Spyware = a rogue application, installed silently, whose activity is promoting information about products/goods through banners and performing tracking.
Spyware Activity:
- Monitors browsing activity & pops up banners.
- Records keyboard activity, sometimes acting as a keylogger.
Impact:
- Performance
- Privacy
- Security Risk
Spyware Defense
- Check that the application you are installing is not on a known spyware list.
- Do not install applications of unclear origin.
- Use anti-spyware software, e.g. Ad-aware.
- RTFM (Read The FAQs & Manual): read the EULA (End User License Agreement) of the application you are about to install carefully.
- Use a firewall to detect outgoing connections whose origin is unknown.
B. DoS & DDoS
DoS (Denial of Service), DDoS (Distributed Denial of Service)
DoS = an attack with data packets over TCP/IP services (victim: network, host, application, system).
DDoS = a DoS attack carried out en masse, using many different hosts to attack a single target/victim.
DoS & DDoS Tools
- TFN (Tribal Flood Network)
- Trin00
- TFN2K (TFN with encryption, making it harder to detect. Tagra3 is a new type of DoS attack)
- Stacheldraht (combines Trin00 & TFN's technology)
TCP/IP Three-Way Handshake (Computer A <-> Computer B)
1. A -> B: SYN with ISN A
2. B -> A: ACK ISN A, with SYN ISN B
3. A -> B: ACK ISN B
Connection established (ACK, Data)
Spoofing & DoS (Computer A, Computer B, Attacker)
- Attacker -> B: SYN (A, ISN A), with the source address spoofed as A
- B -> A: ACK (A, ISN A), SYN (B, ISN B)
- A -> B: RESET!!!
SYN Flood/Smurf Attack (Spoofing Act) (Computer A, Computer B, Attacker)
- Attacker -> B: SYN (A, ISN A), spoofed
- B -> A: ACK (A, ISN A), SYN (B, ISN B)
- ACK (B, ISN B)
- B: DIE!!! (SYN FLOOD)
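The two diagrams above show why a spoofed SYN hurts the listener: Computer B stores state for every SYN and waits for an ACK of ISN B that a spoofed source will never send. The toy model below (an added example, not part of the original slides; addresses and ISNs are made up) contrasts a stateful listener with a fixed backlog against a stateless one that derives ISN B from the connection tuple with a keyed hash, the simplified idea behind SYN cookies. No packets are sent; the classes only track the handshake steps.

```python
import hashlib
import hmac
import os

# Toy model of the server side of the TCP three-way handshake (constructed for
# illustration; no packets are sent). Addresses and ISNs below are made up.

class HandshakeServer:
    """Stateful listener: remembers every SYN until the final ACK arrives."""

    def __init__(self, backlog=4):
        self.backlog = backlog
        self.half_open = {}      # (client, ISN A) -> ISN B, waiting for step 3
        self.established = set()

    def on_syn(self, client, isn_a):
        # Step 1 received: SYN with ISN A. Reply with our ISN B (step 2).
        if len(self.half_open) >= self.backlog:
            return None          # backlog full: the SYN is dropped
        isn_b = int.from_bytes(os.urandom(4), "big")
        self.half_open[(client, isn_a)] = isn_b
        return isn_b

    def on_ack(self, client, isn_a, ack_isn_b):
        # Step 3 received: ACK of ISN B. Only the host that got step 2 knows it.
        key = (client, isn_a)
        if self.half_open.get(key) == ack_isn_b:
            del self.half_open[key]
            self.established.add(client)
            return True
        return False


SECRET = os.urandom(16)          # per-process key; real stacks rotate it regularly

def syn_cookie(client, isn_a, secret=SECRET):
    """ISN B derived from the connection tuple, so it can be recomputed later
    instead of stored (the idea behind SYN cookies, simplified)."""
    mac = hmac.new(secret, f"{client}:{isn_a}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class CookieServer:
    """Stateless listener: nothing is stored until step 3 proves reachability."""

    def __init__(self):
        self.established = set()

    def on_syn(self, client, isn_a):
        return syn_cookie(client, isn_a)      # no table, so nothing to exhaust

    def on_ack(self, client, isn_a, ack_isn_b):
        if ack_isn_b == syn_cookie(client, isn_a):
            self.established.add(client)
            return True
        return False


def demo(spoofed_syns=8):
    """Feed SYNs from sources that never answer, then try a legitimate client.
    Returns (stateful_ok, stateless_ok)."""
    stateful, stateless = HandshakeServer(backlog=4), CookieServer()
    for i in range(spoofed_syns):
        src = f"10.0.0.{i + 1}"              # spoofed sources: step 3 never comes
        stateful.on_syn(src, 1000 + i)
        stateless.on_syn(src, 1000 + i)
    isn_b = stateful.on_syn("192.0.2.7", 5000)
    stateful_ok = isn_b is not None and stateful.on_ack("192.0.2.7", 5000, isn_b)
    cookie = stateless.on_syn("192.0.2.7", 5000)
    stateless_ok = stateless.on_ack("192.0.2.7", 5000, cookie)
    return stateful_ok, stateless_ok


if __name__ == "__main__":
    print(demo())   # (False, True)
```

The stateful server drops the legitimate client's SYN once eight unanswered SYNs have filled its backlog of four; the cookie server accepts it because it stores nothing until the final ACK arrives. Real SYN cookies also encode the MSS and a timestamp in the sequence number, which this sketch leaves out.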
TCP-IP Injection
DoS & DDoS Mitigation
- The simplest way is to change the IP (Internet Protocol) address that is the target of the DoS/DDoS.
- Remove the route at the gateway/router for the IP that is the target.
- Filter attack signatures with a firewall to deny abnormal data packets (zero data size, large UDP & ICMP packets).
- Firewalls: iptables, packetfilter, ipfw, Checkpoint and Cisco PIX support denying such abnormal packets.
- Allow only the first UDP & ICMP packets; after the first, ignore them (i.e. timeout).
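The exact firewall syntax for the "deny abnormal packets" rule differs between iptables, pf, ipfw and PIX, so the added example below (not from the original slides) shows the detection logic itself, run over a few constructed tcpdump-style lines with ports omitted. It flags oversized UDP/ICMP datagrams and any destination with far more handshakes started than completed, the traffic shape of the SYN flood from the earlier slide. The thresholds are assumptions for the demo.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (ports omitted for brevity); not real captures.
SAMPLE = """\
12:00:01.000 IP 203.0.113.5 > 198.51.100.10: Flags [S], length 0
12:00:01.001 IP 198.51.100.10 > 203.0.113.5: Flags [S.], length 0
12:00:01.002 IP 203.0.113.5 > 198.51.100.10: Flags [.], length 0
12:00:02.000 IP 10.0.0.1 > 198.51.100.10: Flags [S], length 0
12:00:02.001 IP 10.0.0.2 > 198.51.100.10: Flags [S], length 0
12:00:02.002 IP 10.0.0.3 > 198.51.100.10: Flags [S], length 0
12:00:02.003 IP 10.0.0.4 > 198.51.100.10: Flags [S], length 0
12:00:02.004 IP 10.0.0.5 > 198.51.100.10: Flags [S], length 0
12:00:02.005 IP 10.0.0.6 > 198.51.100.10: Flags [S], length 0
12:00:03.000 IP 192.0.2.9 > 198.51.100.10: UDP, length 60
12:00:03.100 IP 192.0.2.9 > 198.51.100.10: UDP, length 1472
12:00:04.000 IP 192.0.2.33 > 198.51.100.10: ICMP echo request, length 65000
"""

LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.+?), length (\d+)$")


def parse(line):
    """Split one line into src, dst, protocol, TCP flags and payload length."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, info, length = m.groups()
    if info.startswith("Flags ["):
        proto, flags = "TCP", info[len("Flags ["):-1]
    else:
        proto, flags = info.split()[0], ""
    return {"src": src, "dst": dst, "proto": proto, "flags": flags, "len": int(length)}


def analyze(text, max_datagram=1024, pending_limit=5):
    """Return alert strings for oversized UDP/ICMP packets and for destinations
    with more handshakes started (SYN) than completed (bare ACK)."""
    alerts = []
    syns, acks = Counter(), Counter()
    for line in text.splitlines():
        p = parse(line)
        if p is None:
            continue
        if p["proto"] in ("UDP", "ICMP") and p["len"] > max_datagram:
            alerts.append(f"large {p['proto']} packet {p['len']} bytes from {p['src']}")
        elif p["proto"] == "TCP":
            if p["flags"] == "S":          # handshake step 1
                syns[p["dst"]] += 1
            elif p["flags"] == ".":        # bare ACK: handshake step 3 (or data ACK)
                acks[p["dst"]] += 1
    for dst, n in syns.items():
        pending = n - acks[dst]
        if pending > pending_limit:
            alerts.append(f"possible SYN flood: {pending} unanswered SYNs toward {dst}")
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE):
        print(a)
```

Note that "zero data size" on its own is not a usable signature: every pure ACK and every SYN has a zero-length payload, so the check above counts SYNs against completing ACKs per destination instead of flagging empty segments. A real deployment would also window the counters by time, since the pending count only makes sense over an interval.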
C. Wireless Attack
Various wireless attacks:
a. Surveillance attack (war driving or net stumbling)
b. Rogue Access Point attack
c. Jamming (Denial of Service) attack
d. Cracking WEP (IV collisions, FMS, KoreK chopchop)
e. WPA dictionary attack
f. Wireless injection attack
Wireless Attack Tools
- Netstumbler (Windows GUI)
- Wellenreiter (Linux GUI)
- Airsnort
- Kismet
- Aircrack
- WEPcrack
- AiroPeek
- coWPAtty, etc.
Surveillance Attack
War Driving
Rogue Access Point
Jamming (Denial of Service)
Direct Sequence Spread Spectrum (DSSS) channel overlap: channels 1, 6 and 11 do not overlap.
WEP Cracking
WPA Dictionary Attack (1)
WPA Dictionary Attack (2)
WPA Dictionary Attack (3)
WPA Dictionary Attack (4)
Wireless Injection
iwlist ath0 scan
ath1 Scan completed :
 Cell 01 - Address: 00:13:10:30:32:4B
 ESSID:"linksys"
 Mode:Master
 Encryption key:off
 Frequency:2.452 GHz (Channel 9)
 Quality:43/0 Signal level:-28 dBm Noise level:-41 dBm
iwconfig ath1 mode monitor channel 9
ifconfig ath1 promisc
wifiinject -b 00:13:10:30:32:4B -i ath1 -p -o ath1
IN_IFACE: ath1
OUT_IFACE: ath1
BSSID: 00:13:10:30:32:4B
tcpdump: WARNING: ath1: no IPv4 address assigned
Interface wj0 created. Configure it and use it
ifconfig wj mtu 1400
ping
PING ( ): 56 data bytes
64 bytes from : icmp_seq=2 ttl=64 time=0.188 ms
64 bytes from : icmp_seq=3 ttl=64 time=0.206 ms
Securing the Wireless Network
a) Secure SSID, MAC filtering, WEP/WPA
b) Wireless gateway for wireless protection (captive portal: NoCat Auth, wifidog, hostapd + freeradius)
c) VPN for securing the wireless network
d) Monitoring: Fake AP, wireless honeypot, Arpwatch
Securing SSID
Replace the default SSID (Service Set Identifier) with one that is not easy to guess (a combination of letters & digits), and use the maximum number of characters allowed for the SSID.
MAC Filtering
Configure MAC (Media Access Control) address filtering on the AP (Access Point). Only wireless clients whose MAC is registered can connect to the AP. A MAC consists of 24 bits; the first 12 bits are the vendor code, the next 12 bits the serial number. Example: vendor 3Com
WEP Security
Protection with WEP (Wired Equivalent Privacy). WEP key = 64 bit, 128 bit
Wireless Gateway (1)
Wireless Gateway (2)
NoCat Auth, HOSTAPD + open-source captive portal, CHILLISPOT
Captive Portal
Securing the WLAN with VPN
Monitoring the WLAN
- Fake AP (fake access point generator)
- Wireless honeypot
- WIDS (Wireless Intrusion Detection System)
- ARPWatch
Fake AP
Black Alchemy Weapons Lab. As part of a honeypot, Fake AP runs on Linux and *BSD, using Prism2/2.5/3-based b cards with the Host AP driver for Intersil Prism2/2.5/3.
Wireless Honeypot (1)
HONEYPOT CONFIGURATION: FOR LINKSYS WRT54 ACCESS POINT
# honeyd template emulating the access point's management interface
create linksys
set linksys personality "Linux Kernel"
# port 80 is handed to a script that mimics the router's web login
add linksys tcp port 80 "/bin/sh scripts/fakelinksys.sh"
add linksys udp port 53 open
add linksys udp port 67 open
add linksys udp port 69 open
# everything else on TCP is answered with a RST, as a real device would
set linksys default tcp action reset
bind linksys
Wireless Honeypot (2)
FILE: fakelinksys.sh
#!/bin/sh
DATE=`date`
echo "== Httpd break-in attempt [$DATE] ==" >> /tmp/linksys.log
# Read and log the request headers until the blank line that ends them
while read request
do
  LINE=`echo "$request" | egrep -i "[a-z:]"`
  if [ -z "$LINE" ]
  then
    break
  fi
  echo "$request" >> /tmp/linksys.log
done
echo "==" >> /tmp/linksys.log
# Answer with a 401 so the visitor is prompted for credentials, like a real WRT54G
cat << _eof_
HTTP/ Unauthorized
Server: httpd
Date: $DATE
WWW-Authenticate: Basic realm="WRT54G"
Content-Type: text/html
Connection: close

401 Unauthorized
Authorization required.
_eof_
ARP Watch
D. Phishing
Phishing = "fishing": the victim is directed to the URL of a fake web site that appears to be the genuine site. Phishing is sent via fake/spoofed e-mail. The fake site usually contains a virus, a trojan, or harmful information. Phishing often deceives the victim with a browser bug, known as a misleading URL & HTML links (a bug in the IE browser). Examples: (misleading URL), (misleading HTML).
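A mail filter can catch the "misleading URL & HTML links" pattern before a browser ever renders it. The added example below (not from the original slides; the mail body and domains are constructed, using documentation addresses) extracts the host a browser will really contact from each link, compares it with the domain shown in the link text, and treats a user-info part before "@" in the authority as misleading outright. Function names and thresholds are this example's own.

```python
import re
from urllib.parse import urlsplit

ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def real_host(href):
    """Host the browser will actually contact. Anything before '@' in the
    authority is user info, not the host, which is what the misleading-URL
    trick relies on."""
    return (urlsplit(href).hostname or "").lower()


def shown_host(text):
    """Domain the link text appears to point at, or None for plain words."""
    m = HOST_RE.search(text.lower())
    return m.group(1) if m else None


def is_misleading(text, href):
    if "@" in urlsplit(href).netloc:
        return True                       # user info in the URL: classic spoof
    shown, target = shown_host(text), real_host(href)
    if shown is None or shown == target:
        return False
    # allow www.bank.example when the text shows bank.example, nothing else
    return not target.endswith("." + shown)


def find_misleading_links(page):
    """Return the hrefs of every anchor whose text does not match its target."""
    return [href for href, text in ANCHOR_RE.findall(page)
            if is_misleading(text, href)]


# Constructed mail body for the demo; domains are documentation names, not real sites.
SAMPLE_MAIL = """
<p>Please verify your account:</p>
<a href="http://www.bank.example@198.51.100.23/login">http://www.bank.example/login</a>
<a href="http://bank.example.evil.example/">bank.example</a>
<a href="http://www.bank.example/">bank.example</a>
<a href="http://198.51.100.23/">click here</a>
"""

if __name__ == "__main__":
    for href in find_misleading_links(SAMPLE_MAIL):
        print("suspicious link:", href)
```

The first two links are flagged: one hides the real host behind user info, the other puts the expected domain in front of an unrelated one. The "click here" link is not flagged because its text shows no domain at all, which is why such a check complements rather than replaces user training.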
Phishing Example
Phishing Defense
- Upgrade, patch and fix your IE browser with the latest hotfix from Microsoft Windows Update.
- Use a non-IE browser: Opera, Mozilla, Firefox, Konqueror, Camino (Mac).
- Disable HTML mode for e-mail; use plaintext e-mail.
E. SPAM
SPAM is e-mail that usually contains advertising, product, service and other information not wanted by the mailbox owner. SPAM spreads by exploiting address-book information available on the Internet (web pages, white pages, yellow pages, search engines, etc.). SPAM is often a source of virus spreading on the Internet. Uncontrolled SPAM can increase network traffic and cause bottlenecks in the network.
Blocking SPAM
- Install anti-spam software (SpamAssassin, Bogofilter, Razor, Pyzor, GFI MailEssentials, etc.).
- Use an anti-virus on the server (McAfee, Symantec AV, Amavis, MIMEDefang, Kaspersky AV, NormanAV?).
- Run a blacklist/blocklist facility (i.e. Exchange blocklist, spfilter). Several blacklist providers can be used to block spam:
  - relays.ordb.org
  - relays.visi.com
  - bl.spamcop.net
  - blackholes.wirehub.net
  - list.dsbl.org
- Use a frontend-backend topology (2 or more MTAs, with the frontend server as the filtering machine).
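The blacklist providers listed above are DNS-based blocklists (DNSBLs): the MTA reverses the connecting client's address, appends the list's zone, and treats an A record in 127.0.0.0/8 as "listed". The added example below (not from the original slides) builds that query name, checks a sender against all five zones, and uses a constructed in-memory resolver so it runs offline; the sender address and the answers in FAKE_ZONE_DATA are made up.

```python
import ipaddress
import socket


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: octets (or IPv6 nibbles) reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = addr.exploded.split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def check_sender(ip, zones, resolve=socket.gethostbyname):
    """Return the zones that list `ip`. NXDOMAIN means not listed; an answer
    outside 127.0.0.0/8 is treated as a broken list and ignored."""
    hits = []
    for zone in zones:
        try:
            answer = resolve(dnsbl_name(ip, zone))
        except socket.gaierror:
            continue                      # not listed in this zone
        if ipaddress.ip_address(answer) in LISTED_RANGE:
            hits.append(zone)
    return hits


def should_reject(hits, min_hits=1):
    """Policy hook: reject once at least `min_hits` zones agree."""
    return len(hits) >= min_hits


ZONES = ["relays.ordb.org", "relays.visi.com", "bl.spamcop.net",
         "blackholes.wirehub.net", "list.dsbl.org"]

# Constructed resolver standing in for DNS so the example runs offline.
FAKE_ZONE_DATA = {
    "5.113.0.203.bl.spamcop.net": "127.0.0.2",
    "5.113.0.203.list.dsbl.org": "127.0.0.2",
    "5.113.0.203.relays.ordb.org": "198.51.100.1",   # bogus answer: ignored as broken
}


def fake_resolve(name):
    try:
        return FAKE_ZONE_DATA[name]
    except KeyError:
        raise socket.gaierror("NXDOMAIN")


if __name__ == "__main__":
    hits = check_sender("203.0.113.5", ZONES, fake_resolve)
    print(hits, "reject" if should_reject(hits) else "accept")
```

Passing the real `socket.gethostbyname` as `resolve` makes the same function query live DNS. Ignoring answers outside 127.0.0.0/8 matters in practice: a list that has been shut down may stop answering (harmless, it simply contributes nothing) or start answering for every query, which would otherwise block all inbound mail.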
F. Web Attacks
- Parameter manipulation (CGI command execution, Unicode/URL decoding)
- Buffer overflow (.ida/.idq overflow, ISAPI printer overflow, WebDAV overflow / Web-based Distributed Authoring and Versioning)
- Cross Site Scripting (XSS)
- SQL Injection
- Session/cookie hijacking & manipulation
© Dani Firman Syah, Xnuxer Security,
Parameter Manipulation
SQL Injections
Cross Site Scripting
Securing the Web
- Use a secure web server.
- Install the latest patches and hotfixes.
- Install IIS Lockdown on the IIS web server.
- Secure the code (filter variables).
- Use a filtering device (deny illegal TCP/IP signatures).
- Use SSL (Secure Socket Layer) for secure data transactions.
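"Securing the code (filter variables)" is where the SQL injection and XSS items from the Web Attacks slide are actually stopped. The added example below (not from the original slides; the table and accounts are constructed) puts the vulnerable string-built query beside its parameterised form, and the unescaped HTML reflection beside the escaped one, using only the Python standard library so it runs offline.

```python
import html
import sqlite3


def make_db():
    """In-memory table with constructed sample accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def login_vulnerable(con, name, password):
    """Untrusted input is pasted into the SQL text, so a quote in the input
    ends the string literal and the rest becomes part of the query."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in con.execute(sql)]


def login_fixed(con, name, password):
    """Parameterised query: the driver sends values separately from the SQL,
    so the input can never change the statement's structure."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (name, password))]


def greeting_vulnerable(name):
    return f"<p>Welcome, {name}</p>"                 # reflects input into HTML as-is


def greeting_fixed(name):
    return f"<p>Welcome, {html.escape(name)}</p>"    # encode before output: XSS defence


def demo():
    """Compare both query styles on a normal password and on one containing a quote.
    Returns (vulnerable_result, fixed_result) for the quoted input."""
    db = make_db()
    tampered = "x' OR '1'='1"          # textbook input that breaks out of the literal
    return (sorted(login_vulnerable(db, "alice", tampered)),
            login_fixed(db, "alice", tampered))


if __name__ == "__main__":
    print(demo())                       # (['alice', 'bob'], [])
    print(greeting_fixed("<script>"))   # <p>Welcome, &lt;script&gt;</p>
```

With the quoted input the string-built query degenerates to `... AND password = 'x' OR '1'='1'`, which is true for every row, so the vulnerable version "logs in" without a valid password while the parameterised one returns nothing. Escaping on output, as in `greeting_fixed`, is the matching rule for XSS: filter or encode according to the context the data lands in (SQL, HTML, shell), not with one generic blacklist.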
Questions?