In a survey of IT decision makers, 63% had experienced some form of attack in the past year. One way to mitigate these forms of attacks is to use some form of stateful inspection firewall. Three of the most common Web application vulnerabilities and attacks are DoS, Distributed DoS, and many of the different types of DDoS.
Web Server Application Attacks

Abstract

In today's business world, most companies have some form of Internet presence to interact with customers. It is increasingly hard to anticipate attacks and malicious activity. In a Verisign survey of IT decision makers, 63% had experienced some form of attack in the past year, 67% said any downtime affected their customers, and 51% reported lost revenue from the downtime. From an IT security perspective, the survey shows the importance of keeping systems updated and monitored at all times. One way to mitigate these forms of attacks is to use some form of stateful inspection firewall. One such product that uses stateful inspection by default on all application traffic is Sophos, which is available as an appliance or a virtual machine. In this paper, we first discuss three common Web application vulnerabilities and attacks, with recommendations on how to mitigate them. Second, we discuss the risks facing U.S. government websites and why those risks were not always dealt with once they were identified. Last, we give recommendations on how best to mitigate a Domain Name System Security Extensions attack.

Examine three (3) common Web application vulnerabilities and attacks, and recommend corresponding mitigation strategies for each. Provide a rationale for your response.

Three of the most common Web application vulnerabilities and attacks are Denial of Service (DoS), Distributed DoS (DDoS), and many of the different types of DDoS. First, DoS involves four different forms of attack: jamming networks, flooding service ports, misconfiguring routers, and flooding mail servers. When defending against an attack, it is best to have a plan in place. The plan should include contact information for both internal and external resources such as ISPs, hosting providers, and security vendors.
A very basic approach is to maintain a black list of IPs and domains of known bad actors; however, the list must be kept up to date, because attackers are able to migrate to new IPs and domains, and you could inflict a DoS on yourself when legitimate traffic is blocked. In the Sophos firewall appliance, this is configurable through the Intrusion Prevention System (see Figure 1, IPS configuration DoS). Next, DDoS is similar to a DoS attack, but instead of coming from a single IP address this type of attack comes from multiple IPs and ISPs. There are several types of attacks associated with DDoS, such as FTP Bounce, Port Scanning, Ping Flooding, Smurf, SYN flooding, IP Fragmentation, IP Sequence Prediction, DNS Cache Poisoning, SNMP, and Sendmail. An agent (Windows systems) or daemon (Linux systems) is installed on multiple clients, with a master controlling them all. This form of agent or daemon is called a zombie. The master sends a command to the zombies to begin the attack against a destination until the destination no longer responds.

To avoid an FTP Bounce attack, the administrator needs to ensure the FTP daemon is up to date on a Linux system, as well as the FTP services on a Windows system. In addition, continuous monitoring of the FTP service will help determine whether or not an attack is occurring. Patching operating systems, as well as network-enabled printers and routers, can mitigate a Ping Flood attack against a network. Furthermore, enabling encryption of sessions on a router helps to reduce Ping Flood attacks. Encryption ensures that a trusted host that originates outside of the known network can securely communicate with the internal network. A Smurf attack is a modified Ping Flooding of a network, except that it is intended for a specific target. Routers configured to deny ICMP packets broadcast from an outside source stop them at the router. However, this feature should be configured on all network routers to be effective.
TCP communications use a three-way handshake between devices. The initial connection is made with a SYN (synchronize) packet, the responding system sends a SYN ACK (synchronize acknowledge) in return, and the client responds with an ACK (acknowledge). A SYN flooding attack begins at the response to the first SYN, while the target is awaiting the SYN ACK packet to return. By default, Windows uses a Time to Live (TTL) of 255 hops, while Linux systems are configured with a TTL of 64 hops. A decrease in the TTL can help to mitigate a SYN flooding attack, as the wait time for a response is shortened. In addition, applying service packs and upgrading older systems will help against a SYN attack. The next two types of attacks are against the Internet Protocol (IP) of the TCP/IP suite. The first type of attack is an IP Fragmentation/Overlapping Fragment attack. An attacker can change the size of the IP packet, making it smaller in transit to the target. Because of the smaller packet size, routers will allow the traffic through, and when the packet is reassembled at the other end the system becomes overloaded putting the original packet back together. One way to mitigate this type of attack is the use of ACL packet rules on all routers. With TCP/IP communications and the fragmentation of IP packets, there is a sequence number assigned to each packet. An attacker can establish a connection with a machine, find the next sequence number of a packet stream, and in turn respond with the next packet in the sequence, tricking the machine into thinking it is talking to a different target. The attacker can then request different services from the machine to do its bidding. Most new operating systems randomize their sequence numbers to reduce the possibility of this attack, so it is best practice to keep your systems up to date with the latest patches and the latest operating systems.
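The paper's SYN-flood mitigations are TTL tuning and patching. As an added example (not code from the paper), here is the host-side check a defender would pair with them: counting half-open SYN-RECV sockets per peer from `ss -tan` output. The sample output and the thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed sample in the layout of `ss -tan` output (not captured from a real host):
# a few completed handshakes and a burst of half-open SYN-RECV sockets on port 443.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN    0      128    0.0.0.0:443        0.0.0.0:*
ESTAB     0      0      10.0.0.5:443       198.51.100.7:51234
ESTAB     0      0      10.0.0.5:443       198.51.100.8:51901
SYN-RECV  0      0      10.0.0.5:443       203.0.113.9:40001
SYN-RECV  0      0      10.0.0.5:443       203.0.113.9:40002
SYN-RECV  0      0      10.0.0.5:443       203.0.113.9:40003
SYN-RECV  0      0      10.0.0.5:443       203.0.113.10:40004
SYN-RECV  0      0      10.0.0.5:443       203.0.113.11:40005
"""


def parse_ss(text):
    """Return (state, local, peer_ip) tuples, skipping the header and malformed lines."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        peer_ip = peer.rsplit(":", 1)[0]  # strip the port; IPv6 peers keep their brackets
        rows.append((state, local, peer_ip))
    return rows


def half_open_report(text, total_threshold=100, per_source_threshold=20):
    """Summarise half-open connections; thresholds are hypothetical and must be tuned per host."""
    rows = parse_ss(text)
    half_open = [peer for state, _, peer in rows if state == "SYN-RECV"]
    established = sum(1 for state, _, _ in rows if state == "ESTAB")
    per_source = Counter(half_open)
    noisy = sorted(ip for ip, n in per_source.items() if n >= per_source_threshold)
    return {
        "half_open": len(half_open),
        "established": established,
        "per_source": dict(per_source),
        "noisy_sources": noisy,
        # A flood shows as many half-open sockets relative to completed handshakes,
        # or as one peer holding an outsized share of them.
        "flooding": len(half_open) >= total_threshold or bool(noisy),
    }


if __name__ == "__main__":
    print(half_open_report(SAMPLE_SS_OUTPUT, total_threshold=5, per_source_threshold=3))
```

On a live host, feed the function the output of `ss -tan` on a schedule and alert when `flooding` flips to true.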
In addition, using Intrusion Detection Systems (IDS) can mitigate the IP Sequence Prediction attack. DNS Cache Poisoning uses a DNS server's cached information to redirect a website call to another network connection. The Domain Name Service (DNS) converts a Fully Qualified Domain Name (FQDN) to a usable IP address. A DNS server will cache a lookup of an FQDN to IP so that future calls for the site do not require another query. One way to defend against these types of attacks is to ensure the latest DNS software is running. As discussed in the publication DNS security: poisoning, attacks and mitigation, patched Windows servers use a 2,500-port range for source port randomization. According to the documentation, it would take up to 3.8 days for an attacker to be successful in this type of attack when port randomization is in place. Management of network devices such as routers and switches from a management system uses SNMP (Simple Network Management Protocol). The default settings, which go unchanged in many situations, are "public" for read-only access and "private" for read-write access to the device. The connection information is sent in clear text. The best ways to mitigate this are to shut off SNMP services if you are not going to manage your devices using SNMP, to switch to SNMPv3, which requires an encrypted connection using credentials, or simply to change the default settings from public/private to some other community string.

Using Microsoft Visio or an open source alternative such as Dia, outline an architectural design geared toward protecting Web servers from a commonly known Denial of Service (DOS) attack.

In an attempt to protect Web servers from potential threats, the following recommendation is presented (Figure 2, Architectural design for protecting web servers).
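To make the cache-poisoning numbers above concrete, here is an added example (not from the paper) of the resolver-side check that a forged reply has to defeat, together with the guess space it implies. The 500 forged replies per second rate is my assumption, chosen because it reproduces the paper's 3.8-day figure for a 2,500-port range.

```python
import math

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field


def accept_response(pending, resp):
    """Resolver-side check: cache a reply only if it matches an outstanding query.

    pending maps (txid, source_port) -> question name; a forged reply has to hit
    both values and carry the same question, otherwise it is discarded.
    """
    return pending.get((resp["txid"], resp["port"])) == resp["qname"]


def guess_space(port_range):
    """Combinations a forger must cover: usable source ports times 2^16 transaction IDs."""
    return port_range * (1 << TXID_BITS)


def entropy_bits(port_range):
    """Unpredictable bits a forger must guess per query."""
    return math.log2(guess_space(port_range))


def worst_case_days(port_range, spoofed_per_second):
    """Time to exhaust the whole space at a fixed forging rate (the rate is an assumption)."""
    return guess_space(port_range) / spoofed_per_second / 86400


if __name__ == "__main__":
    pending = {(0x1F2E, 54321): "www.example.com."}  # constructed outstanding query
    good = {"txid": 0x1F2E, "port": 54321, "qname": "www.example.com."}
    bad = {"txid": 0x1F2E, "port": 54322, "qname": "www.example.com."}
    print("matching reply accepted:", accept_response(pending, good))
    print("wrong port accepted:", accept_response(pending, bad))
    # Fixed source port (1) versus the 2,500-port range the paper cites.
    for ports in (1, 2500):
        print(f"{ports:5d} ports: {entropy_bits(ports):.1f} bits, "
              f"{worst_case_days(ports, 500):.2f} days at 500 forged replies/s")
```

With a fixed source port the same forging rate covers the space in about two minutes, which is why the port range matters far more than the transaction ID alone.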
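The SNMP recommendations above (disable, move to SNMPv3, or at least replace the default community strings) can be checked mechanically. This added example, not from the paper, audits net-snmp style snmpd.conf directives; both configuration fragments are constructed.

```python
# Constructed net-snmp style snmpd.conf fragments (not from the paper or any real host).
WEAK_SNMPD_CONF = """\
# default community strings, SNMPv1/v2c, sent in clear text
rocommunity public
rwcommunity private 10.0.0.0/24
"""

HARDENED_SNMPD_CONF = """\
# SNMPv3 only: authentication and encryption required (users are created with createUser)
rouser netmon priv
rwuser netadmin priv
"""

DEFAULT_COMMUNITIES = {"public", "private"}
V2_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6", "com2sec"}
V3_DIRECTIVES = {"rouser", "rwuser"}


def audit_snmpd_conf(text):
    """Return (severity, line_no, message) findings for community and user directives."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        directive = parts[0].lower()
        if directive in V2_DIRECTIVES:
            # com2sec NAME SOURCE COMMUNITY; the others put the community second
            community = parts[-1] if directive == "com2sec" else parts[1]
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("critical", no, f"default community '{community}' on {directive}"))
            else:
                findings.append(("high", no, f"{directive} enables clear-text SNMPv1/v2c access"))
        elif directive in V3_DIRECTIVES:
            level = parts[2].lower() if len(parts) > 2 else "auth"  # net-snmp default level is auth
            if level != "priv":
                findings.append(("medium", no, f"{directive} {parts[1]} allows level '{level}', not priv"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SNMPD_CONF), ("hardened", HARDENED_SNMPD_CONF)):
        print(name, audit_snmpd_conf(conf) or "no findings")
```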
To start with, a firewall using both IPS/IDS stateful packet inspection is configured and regularly updated on all routers in the DMZ area between firewalls. All routers, switches, and operating systems that require SNMP management must only run SNMPv3 or have the service disabled. All operating systems are updated with the latest security patches on a monthly schedule. Furthermore, a quarterly baseline security test is run against target systems to ensure they are up to date.

Based on your research from the Network World article, examine the potential reasons why the security risks facing U.S. government Websites were not always dealt with once they were identified and recognized as such.

All governments are known for espionage and trickery, so why not on their own networks? Many companies will configure the proverbial honeypot network for attackers to cause confusion, report low false positives and high success rates, and help train security teams. In 2014, the latest numbers indicate that 57% of federal sites are now using DNSSEC on their websites, which is up from the study conducted in 2013. This delay in adoption can also be a great way for government security agencies to discover who the real attackers are and begin to build legal cases against those same attackers. Another possible reason for the delay is the complexity of using DNSSEC, which requires all Certificate Authorities (CA) and Intermediate Authorities (IA) to validate the signature of the DNS server supplying the specific address. As there are many CAs and IAs that are not controlled by the government, this can take time. In addition, not all sites work well with DNSSEC, so a reconfiguration of the website may also need to be done.

Suggest what you believe to be the best mitigation or defense mechanisms that would help to combat the Domain Name System Security Extensions (DNSSEC) concerns to which the article refers. Propose a plan that the U.S. government could use in order to ensure that such mitigation takes place. The plan should include, at a minimum, two (2) mitigation or defense mechanisms.

Regardless of which solution is selected, an evaluation of the network is conducted to find out whether it is going to run in a mixed environment, and application testing will need to be conducted prior to rollout. In a Microsoft Windows-based DNS system, two items must be done before DNSSEC can begin. The first is understanding that DNSSEC requires Windows Server 2008 R2, which is available for 64-bit processors only. Second, all Active Directory (AD) Domain Controllers must be upgraded to support DNSSEC. Hardware considerations are evaluated during the discovery phase: signed DNS zones use three to five times the memory of an unsigned zone, and DNS server responses will increase the network traffic to and from the server. When performing validations, server CPU usage will increase as it validates DNSSEC data. Lastly, depending on the size of the DNS zones, there will be an increase in the size of the AD database file. The next step is to configure and distribute trust anchors. In order for this to work, all servers must be Windows 2008 R2 to support the DNSKEY resource record. After completion, a configuration of the IPsec policy that will be applied to all servers has to be created and tested. Once IPsec is completed, configuration settings must be tested and pushed out to all DNSSEC-aware Windows clients and any non-DNSSEC-aware clients. All of these processes will take time and coordination, as the service desk will need to be a part of these changes, as well as the business units. Another option is to forgo any internal changes at all and outsource the project to an external vendor such as F5's Global Traffic Manager, which delivers a complete, real-time DNSSEC solution to protect the system.
Outsourcing can be leveraged so that the internal systems are updated over time, finally replacing the outsourced solution with the internal one.

References

What is a DDoS Attack and DDoS Mitigation Services - Verisign. (n.d.). Retrieved from https://www.verisigninc.com/en_US/website-availability/ddos-protection/what-is-a-ddos-attack/index.xhtml

Best Practice: Firewall settings guide. (2014, May 01). Retrieved from http://www.sophos.com/en-us/support/knowledgebase/57757.aspx

Jackson, W. (2013, January 23). How to mitigate and defend against DOS attacks -- GCN. Retrieved from http://gcn.com/articles/2013/01/23/how-to-mitigate-defend-against-dos-attacks.aspx

Hassell, J. (2006, June 8). The top five ways to prevent IP spoofing. Retrieved from http://www.computerworld.com/s/article/9001021/The_top_five_ways_to_prevent_IP_spoofing

Access Control Lists and IP Fragments. (2005, August 10). Retrieved from http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/8014-acl-wp.html

Agar, R., & Paterson, K. (2010). DNS security best practices to prevent DNS poisoning attacks. Retrieved from http://www.computerweekly.com/feature/DNS-security-best-practices-to-prevent-DNS-poisoning-attacks

Romanski, J. (2000, August 12). Intrusion Detection FAQ: Using SNMP for Reconnaissance. Retrieved from http://www.sans.org/security-resources/idfaq/snmp.php

Marsan, C. D. (2012, May 15). 40% of U.S. government Web sites fail security test. Retrieved from http://www.networkworld.com/article/2186860/data-center/40--of-u-s--government-web-sites-fail-security-test.html

Lemos, R. (2013, October 1). 5 Reasons Every Company Should Have A Honeypot. Retrieved from http://www.darkreading.com/vulnerabilities---threats/5-reasons-every-company-should-have-a-honeypot/d/d-id/1140595

Eland, H. (2009, October 07). CircleID. Retrieved from http://www.circleid.com/posts/securing_a_domain_ssl_vs_dnssec/

Ayoub, R. (n.d.). How Internet Service Providers Can Use DNSSEC to Provide Security for Customers, 1-13. Retrieved July 12, 2014, from https://www.verisigninc.com/en_US/resource-center/index.xhtml

DNSSEC Deployment Planning. (2009, October 07). Retrieved from http://technet.microsoft.com/en-us/library/ee649173(v=ws.10).aspx
Figures

Figure 1. IPS configuration DoS

Figure 2. Architectural design for protecting web servers