Anatomy of Internet and Network Attacks Who

Anatomy of Internet and Network Attacks

Who Is Who?

Where Do I Want to Go?

Qtip -u -s NT-Server

XXX-XX 41 XXX-XX 42 XXX-XX 43 XXX-XX 44 Phone Modem Phone

Net. Recon Scans the specified network looking for vulnerabilities

Backdoor - Back Orifice 2000

Backdoor – Sub. Seven

Backdoor – Sub. Seven Connect to remote system

Backdoor – Sub. Seven Antivirus detects install

Backdoor – Sub. Seven Net. Recon detects backdoor Start scan Lets look at the details Fond Sub. Seven

Now, where can I go?

Hub Laptop System A Computer System B Server System C

Switch Laptop System A Computer System B Server System C

What Else Can We Do…?

Resources

Resources

Resources No More Resources

Attacker sends a ICMP ping to the broadcast address of a router The source IP address is set (spoofed) to that of Server D

The router broadcasts the ping to its network

Each system returns a ping reply to the source (System D)

XYZ DNS Server Internet Web Surfer XYZ Web Server Attackers Web Server

XYZ DNS Server Internet Web Surfer XYZ Web Server Attackers Web Server

XYZ DNS Server Internet Web Surfer XYZ Web Server Attackers Web Server

The Ping is stopped at the firewall

Distributed Attack

Remote System Web Server

Remote System Remote System Web Server

Flood Traffic is limited by router

DDo. S Attack Router Limits the Attack DDo. S Target

The system power turns off!

Search Random IP addresses for vulnerable systems

Verify that the target is running on an English (US) Windows NT/2000 system

Compromise server using IIS Index Server ISAPI Extension buffer overflow and install worm code

Alter local web page

This altered page will be available for 10 hours and then disappear forever or until the system is re-infected

Begin searching Random IP addresses for vulnerable systems

At 0: 00 UTC begin searching Random IP addresses again

Where to Look for More Information

Where to Look for More Information

Conclusions