EEC 693/793 Special Topics in Electrical Engineering: Secure and Dependable Computing
Lecture 9: Network Intrusion
Wenbing Zhao, Department of Electrical and Computer Engineering, Cleveland State University, wenbing@ieee.org
25 March 2006, EEC693/793, Wenbing Zhao

Outline
- Network intrusion
  > Reconnaissance: collection of host and network information in order to find a vulnerability to exploit
  > Act of intrusion: denial of service, TCP session hijacking
- Intrusion detection systems
  > Overview
  > Case study: Snort
- Reference: Network Intrusion Detection, 3rd Ed., by Stephen Northcutt and Judy Novak, New Riders Publishing, 2002
  > http://proquest.safaribooksonline.com/0735712654

Purpose of Network Attacks
- Reconnaissance
- Compromising systems for notoriety (10 minutes of fame)
- Gathering corporate or sensitive company information for financial compensation
- Destructive or malicious behavior

Counter Measures
- Firewalls
- Access control lists (ACLs)
- Physical security
- Limiting network access points
- Monitoring and auditing systems
- Intrusion detection systems

Background: ICMP
- ICMP provides a simple means of communicating between hosts, or between a router and a host, to alert them to some kind of problem situation.
- ICMP doesn't use ports to communicate like the transport protocols do.
- ICMP messages can get lost and not be delivered.
- ICMP can be broadcast to many hosts.
- Hosts and routers are the senders of ICMP messages.
- Hosts listen for ICMP, and most will respond unless they have deliberately been altered for silence.

Reconnaissance
- Host and network mapping: determine what hosts or services are available in a facility.
- To map a class B network:
  > Up to 65,536 hosts
  > About 50 TCP and UDP ports account for the probable services
  > So the target space is something in the range of 163 million, which could be scanned in less than four months at 18 packets per second.

Background: TCPdump
- TCPdump is a UNIX tool used to gather data from the network, decipher the bits, and display the output in a semi-coherent fashion. See http://www.tcpdump.org for more information.
- TCPdump output format:
    09:32:43.910000 nmap.edu.1173 > dns.net.21: S 62697789:62697789(0) win 512
  > 09:32:43.910000: time stamp, in the format of two digits for hours, two digits for minutes, two digits for seconds, and six digits for the fractional part of a second
  > nmap.edu: source host name. If the IP number does not resolve, or if host name resolution (the default behavior) is turned off, the IP number appears instead of the host name.
  > 1173: source port number or port service
  > >: marker to indicate a directional flow going from source to destination
  > dns.net: destination host name
  > 21: destination port number; for example, 21 might be translated as ftp
  > S: TCP flag; the S represents the SYN flag, which indicates a request to start a TCP connection
  > 62697789:62697789(0): beginning TCP sequence number : ending TCP sequence number (data bytes)
  > win 512: receiving buffer size in bytes of nmap.edu for this connection

Host Scan Using UDP Echo Requests
- In the following trace, the attacker is targeting multiple network addresses (the hour field of each time stamp is not legible in this copy; mm:ss.ffffff is shown):
    08:48.088681 slowpoke.mappem.com.3066 > 192.168.134.117.echo: udp 6
    15:04.539055 slowpoke.mappem.com.3066 > 172.31.73.1.echo: udp 6
    15:13.155988 slowpoke.mappem.com.3066 > 172.31.16.152.echo: udp 6
    22:38.573703 slowpoke.mappem.com.3066 > 192.168.91.18.echo: udp 6
    27:07.867063 slowpoke.mappem.com.3066 > 172.31.2.176.echo: udp 6
    30:38.220795 slowpoke.mappem.com.3066 > 192.168.5.103.echo: udp 6
    49:31.024008 slowpoke.mappem.com.3066 > 172.31.152.254.echo: udp 6
    49:55.547694 slowpoke.mappem.com.3066 > 192.168.219.32.echo: udp 6
- This scan is seeing whether any host will reply on the echo port. The echo port echoes back (imagine that!) any characters sent to it.
- Good system administrators should not have this port listening, and good network administrators should not allow in traffic to this port.

Host Scan Using ICMP Echo Requests
- The ping utility generates ICMP echo requests.
- If an ICMP echo request is sent to a broadcast address, all the hosts in the subnet might reply.
- In the following trace the probes go to the network and broadcast addresses of each /26 inside 172.20.64.0/24 (time stamps are not legible in this copy):
    pinger > 172.20.64.0: icmp: echo request
    pinger > 172.20.64.64: icmp: echo request
    pinger > 172.20.64.63: icmp: echo request
    pinger > 172.20.64.127: icmp: echo request
    pinger > 172.20.64.128: icmp: echo request
    pinger > 172.20.64.191: icmp: echo request
    pinger > 172.20.64.192: icmp: echo request
    pinger > 172.20.64.255: icmp: echo request

Port Scan
- After our attacker has found a host, he may want to scan it to see what services are active.
- In the following trace, a TCP SYN segment is used to probe each port (the destination port fields are not legible in this copy):
    09:52:25.349706 bad.1797 > target.mynetwork
    09:52:26.573678 bad.1800 > target.mynetwork
    09:52:26.603163 bad.1802 > target.mynetwork
    09:52:28.639922 bad.1804 > target.mynetwork
    09:52:28.668172 bad.1806 > target.mynetwork
    09:52:32.749958 bad.1808 > target.mynetwork
    09:52:32.772739 bad.1809 > target.mynetwork
    09:52:32.802331 bad.1810 > target.mynetwork
    09:52:32.824582 bad.1812 > target.mynetwork
    09:52:32.850126 bad.1814 > target.mynetwork
    09:52:32.871856 bad.???? > target.mynetwork

Stealth Scanning
- Intentionally violating the TCP three-way handshake to bypass firewalls and intrusion detectors:
  > Send a TCP segment with the FIN flag on to a host that never had such a connection.
  > Send a TCP segment with both the SYN and FIN flags on.
  > In both cases a RST segment is sent back if the host exists; an ICMP message comes back otherwise.

Inverse Mapping
- Inverse mapping techniques compile a list of networks or hosts that are not reachable, then use the converse of that map to determine where things probably are.
- Counter measure: do not allow ICMP unreachables out of your network.

Inverse Mapping Using IP Fragmentation
- Only the first fragment comes with protocol information. For later fragments, the firewalls would assume that this was just another segment of traffic that had already passed their access lists.
- On receiving a fragment for a target host that does not exist, the router sends back an unreachable message.
- The attacker can then compile a list of all the hosts that do not exist and, by taking the inverse of that list, has a list of the hosts that do exist.

UDP Flooding
- UDP is a connectionless protocol; it does not require any connection setup procedure to transfer data.
- A UDP flooding attack is possible when an attacker sends UDP packets to random ports on the victim system.
  > When the victim system receives a UDP packet, it determines what application is waiting on the destination port.
  > When it realizes that no application is waiting on the port, it generates an ICMP destination unreachable packet to the forged source address.
  > If enough UDP packets are delivered to ports on the victim, the system will go down.

Denial of Service
- A denial-of-service (DoS) attack is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services, by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.
- Techniques of DoS
  > Brute force: UDP floods, SYN floods, Smurf, Echo-Chargen
  > One packet kills: Teardrop, Land, Ping of Death

SYN Flooding
- The goal of SYN flooding is to throw hundreds or thousands of packets per second at a server to exhaust system resources, or even network resources when the rate is high enough.
  > SYN flooding was used against Yahoo and other high-profile Internet sites in February 2000.
- When an attacker sets up a SYN flood, he has no intention of completing the three-way handshake and establishing the connection. Rather, the goal is to exceed the limit set for the number of connections waiting to be established for a given service.

Smurf Attack
- The Smurf attack relies on ICMP's capability to send traffic to a broadcast address.
  > Intermediate networks are used as amplification points.

Teardrop Attack
- Teardrop: an attacker sends two fragments that cannot be reassembled properly, by manipulating the offset value of the second fragment so that it overlaps the first; mishandled reassembly reboots or halts the victim system.
    25:48.205383 wile.e.coyote.45959 > target.net.3964: udp 28 (frag 242:36@0+)
    25:48.205383 wile.e.coyote > target.net: (frag 242:4@24)
  > The second fragment starts at byte 24, inside the first fragment's bytes 0 through 35.
  [A tcpdump hex dump of an SNMP GetRequest packet also appears on this slide; it is not legible in this copy.]

Echo-Chargen Attack
- Echo uses UDP port 7: if it receives a packet, it echoes back the payload. If you send echo an "a", it replies with an "a".
- Chargen (character generator) uses UDP port 19: if you send chargen any characters, it replies with a pseudo-random string of characters.
- An attacker spoofs a number of connections to various hosts' chargen ports. If both services are enabled, a game of Echo <-> Chargen ping-pong begins, burning bandwidth and CPU cycles.

Land Attack
- Land: an attacker sends a forged packet with the same source and destination IP address. The victim system is confused and crashes or reboots.
    12/03/97 02:19:48 192.168.1.1 > 192.168.1.1 (port fields not legible in this copy)
    12/03/97 02:21:53 192.168.1.1.31337 > 192.168.1.1.512

Ping of Death Attack
- Ping of Death: an attacker sends the victim an ICMP echo request packet that is much larger than the maximum IP packet size.
  > Generally, sending a ping packet of a size such as 65,536 bytes is illegal according to the networking protocol, but a packet of that size can be sent if it is fragmented.
  > When the target computer reassembles the packet, a buffer overflow can occur, which often causes a system crash.

Mitnick Attack
- The Mitnick attack is one of the most famous intrusion cases ever to occur. The attack used two techniques:
  > SYN flooding: keep one system from being able to transmit.
  > TCP hijacking: while that system was in a mute state, the attacker assumed its apparent identity and hijacked the TCP connection.
- Mitnick detected a trust relationship between two computers and exploited that relationship.

TCP Session Hijacking
- Conventional TCP exchanges do not require any authentication or confirmation that the hosts are the actual hosts involved in a previously established connection.
- After a session has been established between two hosts, those hosts use the following to reconfirm the corresponding host:
  > IP number
  > Port numbers
  > Sequence numbers
  > Acknowledgement numbers
- If a hostile user can observe data exchanges and successfully intercept an ongoing connection with all the authentication parameters properly set, he can hijack a session.

Mitnick Attack, Step 1: recon probes
    14:09:32 toad.com# finger -l @target
    14:10:21 toad.com# finger -l @server
    14:10:50 toad.com# finger -l root@server
    14:11:07 toad.com# finger -l @x-terminal
    14:11:38 toad.com# showmount -e x-terminal
    14:11:49 toad.com# rpcinfo -p x-terminal
    14:12:05 toad.com# finger -l root@x-terminal

Mitnick Attack, Step 2: examine network traces to find how the host establishes its ISN
- x-terminal's ISNs in consecutive connections: 2021824000, then 2021952000. The increment is a constant 128,000, so the ISN of the next connection can be predicted.
    14:18:25.906002 apollo.it.luc.edu.1000 > x-terminal.shell: S 1382726990:1382726990(0) win 4096
    14:18:26.094731 x-terminal.shell > apollo.it.luc.edu.1000: S 2021824000:2021824000(0) ack 1382726991 win 4096
    14:18:26.172394 apollo.it.luc.edu.1000 > x-terminal.shell: R 1382726991:1382726991(0) win 0
    14:18:26.507560 apollo.it.luc.edu.999 > x-terminal.shell: S 1382726991:1382726991(0) win 4096
    14:18:26.694691 x-terminal.shell > apollo.it.luc.edu.999: S 2021952000:2021952000(0) ack 1382726992 win 4096
    14:18:26.775037 apollo.it.luc.edu.999 > x-terminal.shell: R 1382726992:1382726992(0) win 0

Mitnick Attack, Step 3: SYN flood the login server
    14:18:22.516699 130.92.6.97.600 > server.login: S 1382726960:1382726960(0) win 4096
    14:18:22.566069 130.92.6.97.601 > server.login: S 1382726961:1382726961(0) win 4096
    14:18:22.744477 130.92.6.97.602 > server.login: S 1382726962:1382726962(0) win 4096
    14:18:22.830111 130.92.6.97.603 > server.login: S 1382726963:1382726963(0) win 4096
    14:18:22.886128 130.92.6.97.604 > server.login: S 1382726964:1382726964(0) win 4096
    14:18:22.943514 130.92.6.97.605 > server.login: S 1382726965:1382726965(0) win 4096

Mitnick Attack, Step 4: initiate a connection and compromise the host x-terminal
- With server.login silenced by the SYN flood, the attacker sends a SYN in server's name and then acknowledges x-terminal's predicted ISN (2024384001) without ever seeing the SYN/ACK:
    14:18:36.245045 server.login > x-terminal.shell: S 1382727010:1382727010(0) win 4096
    14:18:36.755522 server.login > x-terminal.shell: . ack 2024384001 win 4096
    14:18:37.265404 server.login > x-terminal.shell: P 0:2(2) ack 1 win 4096
    14:18:37.775872 server.login > x-terminal.shell: P 2:7(5) ack 1 win 4096
    14:18:38.287404 server.login > x-terminal.shell: P 7:32(25) ack 1 win 4096
- The trusted connection is used to execute the following UNIX command with rsh:
    rsh x-terminal "echo + + >> /.rhosts"
- The result is that x-terminal trusts, as root, all computers and all users on those computers.
- Terminate the connection:
    14:18:41.347003 server.login > x-terminal.shell: . ack 2 win 4096
    14:18:42.255978 server.login > x-terminal.shell: . ack 3 win 4096
    14:18:43.165874 server.login > x-terminal.shell: F 32:32(0) ack 3 win 4096

Intrusion Detection Systems (IDS)
- IDS systems can be defined as the tools, methods, and resources that help identify, assess, and report unauthorized or unapproved network activity.
- Loosely compare IDS systems to an alarm system.
- IDSs work at the network layer: they analyze packets to find specific patterns, and if a pattern is found an alert is logged.
- Similar to antivirus software, i.e., known signatures are used to recognize traffic patterns.

IDS Types
- Host-based intrusion detection system (HIDS)
  > Requires software that resides on the system and can scan all host resources for activity.
- Network-based intrusion detection system (NIDS)
  > Analyzes network packets looking for attacks.
  > Receives all packets on a particular network segment via taps or port mirroring.
- Hybrids of the two
  > Combine a HIDS with a NIDS.

Information Flow
- Raw packet capture
  > Raw packets must be saved so they can be processed.
- Filtering
  > Filter out types of packets that are not of interest; for example, capture only TCP traffic.
  > Desirable in very high-speed networks.
- Packet decoding
  > Packets are sent to a series of decoder routines that define the packet's structure.
  > Packets that cannot be properly decoded are dropped.

Basic Process for an IDS
- Information flow: collects data, preprocesses it, and classifies it.
- Exploit detection: determines whether the information falls outside normal activity; if so, it is matched against a knowledge base.
- If a match is found, an alert is sent.

Information Flow (continued)
- Storage
  > Decoded packets are often stored in a file or in a data structure.
- Fragment reassembly
  > Critical consideration: which fragments will be retained?
  > Information needed: the packet header.
  > Retaining only the first fragment is more efficient.
- Stream reassembly
  > Important when data arrives out of order.

Exploit Detection
- Signature matching
  > A string that is part of what an attacking host sends to an intended victim and that uniquely identifies a particular attack.
- Rule-based matching
  > Based on combinations of possible indicators of attacks, aggregating them to see if a rule condition is fulfilled.
- Profile-based matching
  > When a user's actions deviate too much from the normal pattern, the profiling system flags the event and passes the information to the output routines.

Modes of Operation
- Three general operational modes:
  > Sniffer
  > Packet logger
  > NIDS (Network Intrusion Detection System)
- The run-time mode is determined by command-line switches.
- Variables for writing your own rules and filters are available.

Snort
- Functions
  > Command-line use only
  > Write your own rules
  > Set custom filters
  > Automate update of signatures
- User's Manual and Tutorial: http://www.snort.org

Sniffer Mode
- Sniff and dump packets to standard output (the screen).
- Run-time switches:
  > Verbose mode: -v
  > Dump packet payloads: -d
  > Display ARP packets: -a
  > Display link-layer data: -e
- For example: snort -dvae

How Does Snort Differ from tcpdump?
- Snort is descriptive and verbose; tcpdump output in hexadecimal is primitive and esoteric.
- Snort determines each entry's value: it identifies the individual fields and computes the corresponding values.
- It does not print out all the fields in the headers: there is no Snort output for version number or checksums.

Snort Packet Logger Mode
- Tell Snort to output packets to a log file.
- Command-line option: -l <logdir> dumps packets into <logdir>.
- Example: snort -l /var/log

What to Do with Binary Logs
- Snort binary logs are kept in tcpdump format. They can be read back through Snort using the -r command-line switch.
- Example: snort -dvr /var/log/snort/snort.log
- Readback can be used to dump the log again or to perform detection on the packets in the log file.

NIDS Mode
- Load Snort with a full set of rules, configure packet-analysis plug-ins, and allow it to monitor your network for hostile activity; this is Snort at its most complex.
  > Variety of options for packet analysis and logging
  > Runs in real-time mode
  > Generates alerts
  > Logs offending packets

NIDS Configuration
- Specify a configuration file: snort -c snort.conf
  > Automatically puts Snort in NIDS mode
- Default configuration
  > Output directory is /var/log/snort
  > Alert mode is full

Snort Rules
- Simple format with flexibility
- Define the who and what that Snort looks for
- Inspect the packet header, the payload, or both
- Standard rules alone are enough to detect attacks or interesting events
- Multi-packet events or attacks are best detected with preprocessors
- http://www.snort.org/docs/writing_rules (lots of data there, more than a few slides' worth)

Snort Rule Anatomy: Rule Headers and Options
    alert tcp 10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN scan";)
    |----------------- rule header -----------------| |--------- rule options --------|
- Each rule has two parts, the rule header and the rule options; both have a specific syntax.
- Rule header: defines who is involved.
  > Includes the action, protocol, source and destination IPs, source and destination ports, and direction of traffic.
  > The rule header is required; rule options are not.
- Rule options: define what is involved.
  > Tell Snort what packet attributes to inspect.
  > Form a signature for a specific attack or probe.
- Each rule is typically a single line; a rule may span multiple lines if the continuation character \ is used.
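Why the ping sweep on the "Host Scan Using ICMP Echo Requests" slide hits exactly .0, .63, .64, .127, .128, .191, .192 and .255: those are the network and broadcast addresses of the four /26 subnets inside 172.20.64.0/24, and a reply from any of them confirms the subnet layout and exposes a broadcast amplifier of the kind the Smurf slide describes. The following is an added example for these notes, not code from the original slides; the target list is the one on the slide, and the "detection side" function assumes the operator knows their own subnetting.

```python
"""Infer the subnetting a ping sweep is probing for, and flag echo requests
aimed at network or directed-broadcast addresses (Smurf amplification
points). Added example for these notes, not code from the original slides."""
import ipaddress

# Destinations of the eight echo requests in the slide's pinger trace.
PINGER_TARGETS = [
    "172.20.64.0", "172.20.64.64", "172.20.64.63", "172.20.64.127",
    "172.20.64.128", "172.20.64.191", "172.20.64.192", "172.20.64.255",
]


def boundary_addresses(block, prefixlen):
    """Network and broadcast address of every /prefixlen subnet inside block."""
    out = set()
    for sub in ipaddress.ip_network(block).subnets(new_prefix=prefixlen):
        out.add(str(sub.network_address))
        out.add(str(sub.broadcast_address))
    return out


def boundary_hits(targets, block="172.20.64.0/24"):
    """For each candidate prefix length, how many probed addresses are
    subnet boundaries under that layout."""
    return {plen: sum(1 for t in targets if t in boundary_addresses(block, plen))
            for plen in range(25, 31)}


def inferred_prefixlen(targets, block="172.20.64.0/24"):
    """Coarsest layout (smallest prefix length) under which every probed
    address is a network or broadcast address; None if no layout fits."""
    hits = boundary_hits(targets, block)
    fitting = [plen for plen, n in hits.items() if n == len(targets)]
    return min(fitting) if fitting else None


def flag_broadcast_echo(echo_requests, block, prefixlen):
    """Detection side: echo requests whose destination is a network or
    directed-broadcast address of the operator's known subnetting.
    echo_requests is a list of (src, dst) address strings."""
    bounds = boundary_addresses(block, prefixlen)
    return [(src, dst) for src, dst in echo_requests if dst in bounds]


if __name__ == "__main__":
    print(boundary_hits(PINGER_TARGETS))        # /25 covers 4 targets, /26 and finer cover all 8
    print(inferred_prefixlen(PINGER_TARGETS))   # 26
    sweep = [("pinger", d) for d in PINGER_TARGETS] + [("pinger", "172.20.64.10")]
    print(flag_broadcast_echo(sweep, "172.20.64.0/24", 26))   # the eight boundary probes only
```

The inference picks the coarsest layout that explains every probe; finer layouts (/27 and below) also contain all eight addresses, which is why "smallest prefix length that fits" is the right tie-break. On the defensive side, directed-broadcast echo requests from outside the network are the thing to block at the border, and the flagged pairs are what a NIDS rule for this sweep would alert on.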
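The three "one packet kills" attacks on the Denial of Service slides (Teardrop, Land, Ping of Death) each come down to one check on fields an IDS decoder already has. The following is an added example for these notes, not code from the original slides: the fragment values are the ones in the Teardrop trace, the Land addresses are the ones in the Land trace, and the Ping of Death fragments are constructed. It assumes a 20-byte IP header when judging the reassembled size.

```python
"""Checks for Teardrop (overlapping fragments), Land (source equals
destination) and Ping of Death (reassembled datagram larger than IP allows).
Added example for these notes, not code from the original slides."""
from dataclasses import dataclass

IP_MAX_TOTAL_LEN = 65535   # 16-bit total length field
IP_MIN_HEADER_LEN = 20     # assumed header size when judging reassembled size


@dataclass
class Fragment:
    ident: int    # IP identification, shared by all fragments of one datagram
    offset: int   # byte offset of this fragment's payload within the datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # More Fragments flag (tcpdump prints a trailing "+")


def parse_tcpdump_frag(token):
    """Parse tcpdump's fragment notation, e.g. "(frag 242:36@0+)"."""
    body = token.strip("()").split(None, 1)[1]       # "242:36@0+"
    ident, rest = body.split(":")
    length, offset = rest.split("@")
    return Fragment(int(ident), int(offset.rstrip("+")), int(length),
                    offset.endswith("+"))


def _group(frags):
    by_id = {}
    for f in frags:
        by_id.setdefault(f.ident, []).append(f)
    return by_id


def teardrop(frags):
    """Return (earlier, later) fragment pairs whose byte ranges overlap.
    In the slide's trace the second fragment starts at offset 24, inside the
    first fragment's bytes 0..35; reassembly code that trusted the offsets
    computed a negative copy length from exactly this condition."""
    hits = []
    for group in _group(frags).values():
        group = sorted(group, key=lambda f: f.offset)
        for a, b in zip(group, group[1:]):
            if b.offset < a.offset + a.length:
                hits.append((a, b))
    return hits


def land(src_ip, src_port, dst_ip, dst_port, syn):
    """Land: a SYN whose source address is the destination's own address.
    Ports are accepted so callers can log them; the slide's trace shows
    192.168.1.1 talking to 192.168.1.1."""
    return syn and src_ip == dst_ip


def ping_of_death(frags):
    """Datagram ids whose reassembled payload would exceed what the IP total
    length field can hold, mapped to the offending size. The end of the
    highest fragment is the reassembled payload length."""
    limit = IP_MAX_TOTAL_LEN - IP_MIN_HEADER_LEN
    result = {}
    for ident, group in _group(frags).items():
        end = max(f.offset + f.length for f in group)
        if end > limit:
            result[ident] = end
    return result


if __name__ == "__main__":
    slide_frags = [parse_tcpdump_frag("(frag 242:36@0+)"),
                   parse_tcpdump_frag("(frag 242:4@24)")]
    print(teardrop(slide_frags))                                   # one overlapping pair
    print(land("192.168.1.1", 31337, "192.168.1.1", 512, True))    # True
    # constructed: 45 fragments of 1480 bytes that reassemble to 66,600 bytes
    pod = [Fragment(7, off, 1480, off + 1480 < 66600) for off in range(0, 65520, 1480)]
    print(ping_of_death(pod))                                      # {7: 66600}
```

Note that the Ping of Death check only fires once the last fragment's offset and length are known, which is why a NIDS has to keep per-datagram fragment state (the "Fragment reassembly" point on the Information Flow slide) rather than judging each fragment alone.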
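The "Background: TCPdump" slide explains the line format field by field, and the Mitnick slides then rely on reading two things out of such lines: whether x-terminal's ISN moves by a fixed amount (step 2) and how many half-open connections server.login is holding (step 3). The following added example for these notes (not code from the original slides) parses that format and performs both checks on the trace lines from the Mitnick slides.

```python
"""Parse tcpdump TCP lines in the format the slides explain, then run the
two checks behind the Mitnick attack: ISN predictability (step 2) and the
half-open backlog a SYN flood fills (step 3). Added example for these notes,
not code from the original slides; the trace lines are the ones on the
Mitnick slides."""
import re
from collections import defaultdict

# time src.sport > dst.dport: FLAGS [seq:seq_end(len)] [ack N] [win W]
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SFRP.]+)"
    r"(?:\s+(?P<seq>\d+):(?P<seq_end>\d+)\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
)

ISN_PROBES = """\
14:18:25.906002 apollo.it.luc.edu.1000 > x-terminal.shell: S 1382726990:1382726990(0) win 4096
14:18:26.094731 x-terminal.shell > apollo.it.luc.edu.1000: S 2021824000:2021824000(0) ack 1382726991 win 4096
14:18:26.172394 apollo.it.luc.edu.1000 > x-terminal.shell: R 1382726991:1382726991(0) win 0
14:18:26.507560 apollo.it.luc.edu.999 > x-terminal.shell: S 1382726991:1382726991(0) win 4096
14:18:26.694691 x-terminal.shell > apollo.it.luc.edu.999: S 2021952000:2021952000(0) ack 1382726992 win 4096
14:18:26.775037 apollo.it.luc.edu.999 > x-terminal.shell: R 1382726992:1382726992(0) win 0
"""

SYN_FLOOD = """\
14:18:22.516699 130.92.6.97.600 > server.login: S 1382726960:1382726960(0) win 4096
14:18:22.566069 130.92.6.97.601 > server.login: S 1382726961:1382726961(0) win 4096
14:18:22.744477 130.92.6.97.602 > server.login: S 1382726962:1382726962(0) win 4096
14:18:22.830111 130.92.6.97.603 > server.login: S 1382726963:1382726963(0) win 4096
14:18:22.886128 130.92.6.97.604 > server.login: S 1382726964:1382726964(0) win 4096
14:18:22.943514 130.92.6.97.605 > server.login: S 1382726965:1382726965(0) win 4096
"""


def parse_trace(text):
    """One dict per line; numeric fields become int, absent ones None."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("not a tcpdump TCP line: %r" % line)
        p = m.groupdict()
        for k in ("seq", "seq_end", "len", "ack", "win"):
            p[k] = int(p[k]) if p[k] is not None else None
        packets.append(p)
    return packets


def isn_analysis(packets, responder):
    """ISNs chosen by `responder` in its SYN/ACKs, their successive
    differences, and the predicted next ISN when the difference is constant
    (None otherwise). A fixed 128,000 step is what made step 2 work."""
    isns = [p["seq"] for p in packets
            if p["src"] == responder and p["flags"] == "S" and p["ack"] is not None]
    deltas = [b - a for a, b in zip(isns, isns[1:])]
    predicted = None
    if deltas and len(set(deltas)) == 1:
        predicted = (isns[-1] + deltas[0]) % 2**32
    return isns, deltas, predicted


def half_open(packets):
    """Count, per (dst, dport), client SYNs whose handshake never completed.
    A SYN is retired by the client's own ACK (third step) or by a RST from
    either side; what remains is the backlog a SYN flood tries to fill."""
    pending = {}
    for p in packets:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] == "S" and p["ack"] is None:
            pending[fwd] = p
        elif p["flags"] == "." and p["ack"] is not None:
            pending.pop(fwd, None)
        elif "R" in p["flags"]:
            pending.pop(fwd, None)
            pending.pop(rev, None)
    counts = defaultdict(int)
    for (_, _, dst, dport) in pending:
        counts[(dst, dport)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(isn_analysis(parse_trace(ISN_PROBES), "x-terminal"))
    # ([2021824000, 2021952000], [128000], 2022080000)
    print(half_open(parse_trace(SYN_FLOOD)))   # {('server', 'login'): 6}
```

The step 4 trace on the slides acknowledges 2024384001, which is 2021952000 + 19 x 128000 + 1: the same increment carried forward over further connections to x-terminal (only the first two probes appear on the slides). A modern stack randomizes the ISN precisely so that isn_analysis returns None, and SYN cookies let a server keep accepting connections while half_open would otherwise report its backlog full.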
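To make the header/options split on the "Snort Rule Anatomy" slide concrete, here is an added example for these notes that evaluates rules of that shape against packets: the header decides who (protocol, addresses, ports, direction) and the options decide what (here the flags and msg keywords). It is not Snort's own code and supports only the syntax used below. The first rule is the slide's SYN-FIN rule; the FIN-only rule, which matches the first stealth-scanning probe on the "Stealth Scanning" slide, and the packets are constructed.

```python
"""Minimal evaluator for Snort-style rules with flags and msg options.
Added example for these notes, not Snort's own code."""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

RULES = [
    'alert tcp 10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN scan";)',
    'alert tcp any any -> 10.1.1.0/24 any (flags: F; msg: "FIN probe without handshake";)',
]


def parse_rule(text):
    """Split one rule into its header fields plus an option dict."""
    m = HEADER_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("unsupported rule syntax: %r" % text)
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        if item.strip():
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule


def addr_match(spec, ip):
    """'any', a CIDR block or single address, optionally negated with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_match(spec, port):
    """'any', a single port, or a range 'lo:hi' with either end open."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def flags_match(spec, flags):
    """Snort's default flags semantics: exactly the listed flags are set
    ('0' means none). The +, * and ! modifiers are not implemented."""
    want = 0 if spec == "0" else sum(FLAG_BITS[c] for c in spec)
    return flags == want


def _endpoints_match(rule, src, sport, dst, dport):
    return (addr_match(rule["src"], src) and port_match(rule["sport"], sport)
            and addr_match(rule["dst"], dst) and port_match(rule["dport"], dport))


def match(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and flags (TCP flag bits).
    Returns the alert text or None."""
    if rule["proto"] != pkt["proto"]:
        return None
    hit = _endpoints_match(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not hit and rule["dir"] == "<>":
        hit = _endpoints_match(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not hit:
        return None
    if "flags" in rule["opts"] and not flags_match(rule["opts"]["flags"], pkt["flags"]):
        return None
    return "%s: %s" % (rule["action"], rule["opts"].get("msg", ""))


def evaluate(rule_texts, pkt):
    """All alerts raised for one packet, in rule order."""
    return [a for a in (match(parse_rule(r), pkt) for r in rule_texts) if a]


if __name__ == "__main__":
    synfin = {"proto": "tcp", "src": "10.1.1.5", "sport": 40000,
              "dst": "10.1.1.9", "dport": 22, "flags": FLAG_BITS["S"] | FLAG_BITS["F"]}
    print(evaluate(RULES, synfin))                                # ['alert: SYN-FIN scan']
    print(evaluate(RULES, dict(synfin, flags=FLAG_BITS["S"])))    # []
```

Both rules are stateless, which is why they catch a SYN-FIN probe but not every stealth technique: a lone FIN to a port that does have an open connection looks identical on the wire, and separating the two cases needs the stream state that the "Stream reassembly" point on the Information Flow slide refers to, which in Snort is a preprocessor rather than a rule.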