Network Security
By Blank Zhang

Agenda
• 1. From Outside
  - Packet level protocol issue
  - Lower level protocols
  - Direct Attacks
• 2. User-Level Local Attacks
  - Buffer Overflow
  - ld_preload
  - Dictionary Attack
• 3. Root-Level Local Attacks
  - Rootkits & Backdoor
  - Kernel Modules

A Typical Setup of a TCP Connection

A Typical Teardown of a TCP Connection

Sequence No. & Flags
• The sequence number in a packet corresponds to the first byte of data in that packet.
• The acknowledgement number holds the value of the next expected sequence number, implicitly acknowledging all data up until that number.
• In addition to SYN and ACK, there are other flags:
  - FIN: I would like to close this connection now
  - PSH: please push all the data currently queued
  - URG: this message is urgent, please interrupt the current connection. Note that the response to this is highly implementation-dependent
  - RST: something has gone wrong, please reset this connection

Ways to exploit the TCP protocol
• Sequence No. Prediction
• IP spoofing
• SYN flooding
• Land Attack
• Sniping
• Hijacking

Sequence No. Prediction
• After a client sends a SYN packet to the server, the server responds with SYN+ACK carrying a sequence number of its choosing, which must then be ACKed by the client.
• This sequence number is predictable: the attacker connects to a service first with its own IP address, records the sequence number chosen, then opens a second connection from a forged IP address.
• The attacker doesn't see the SYN+ACK from the server, but can guess the correct responses. If the source IP address is used for authentication, then the attacker can use the one-way communication to break into the server.

IP Spoofing
• In general, an attacker can claim to be from a different IP than he actually is, by setting the packet source address to the IP address of a different (possibly non-existent) host.
• This makes it easier to convince the target of a different identity in certain trust-based attacks, and also makes it
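As an added example (not part of the original slides), the sketch below puts a counter-based sequence number generator of the kind the Sequence No. Prediction slide describes beside the keyed, per-connection construction from RFC 6528, and measures how often a value extrapolated from one's own connections matches the value issued to a different peer. The class and function names, the step size, the addresses and the use of HMAC-SHA256 as the keyed function are assumptions made for illustration; no packets are sent.

```python
import hashlib
import hmac
import os
import socket
import struct
import time

MASK32 = 0xFFFFFFFF

class CounterISN:
    """Weak (constructed): one global counter, fixed step per connection."""
    STEP = 64000  # constructed sample value

    def __init__(self):
        self.value = int.from_bytes(os.urandom(4), "big")  # random start does not help

    def next_isn(self, laddr, lport, raddr, rport):
        self.value = (self.value + self.STEP) & MASK32
        return self.value

class KeyedISN:
    """RFC 6528 shape: ISN = M + F(localip, localport, remoteip, remoteport, secretkey)."""

    def __init__(self, secret=None, clock=None):
        self.secret = secret or os.urandom(32)
        # M: a timer that ticks every 4 microseconds
        self.clock = clock or (lambda: time.monotonic_ns() // 4000)

    def next_isn(self, laddr, lport, raddr, rport):
        conn_id = (socket.inet_aton(laddr) + struct.pack("!H", lport)
                   + socket.inet_aton(raddr) + struct.pack("!H", rport))
        # F: HMAC-SHA256 truncated to 32 bits (assumption, any keyed PRF fits)
        digest = hmac.new(self.secret, conn_id, hashlib.sha256).digest()
        return (self.clock() + int.from_bytes(digest[:4], "big")) & MASK32

def extrapolation_hits(gen, rounds=50):
    """Self-test: from two ISNs handed to our own probe address, extrapolate
    the ISN handed to a different peer; return how many guesses were exact."""
    server = ("203.0.113.5", 513)  # constructed documentation addresses
    probe, other = "192.0.2.10", "198.51.100.7"
    hits = 0
    for i in range(rounds):
        a = gen.next_isn(*server, probe, 40000 + 2 * i)
        b = gen.next_isn(*server, probe, 40001 + 2 * i)
        guess = (b + (b - a)) & MASK32  # assume the observed step repeats
        if gen.next_isn(*server, other, 1023) == guess:
            hits += 1
    return hits
```

With `CounterISN` every extrapolated value is exact, which is why address-based authentication on top of such a generator fails; with `KeyedISN` the value issued to another peer is unrelated to anything observed on one's own connections.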