Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by the U.S. Department of Defense © 1998 by Carnegie Mellon University

Changes in Intrusion Profile
1988:
– exploiting passwords
– exploiting known vulnerabilities
Today:
– exploiting passwords
– exploiting known vulnerabilities
– exploiting protocol flaws
– examining source files for new security flaws
– abusing anonymous FTP, web servers, …
– installing sniffer programs
– IP source address spoofing
– denial of service attacks
– widespread, automated scanning of the Internet
The definition of “vulnerability” on the Internet is approaching that of the DoD in trusted systems.

Scanning for Victims: Today
– Wide-scale scanners collect information on 100,000s of hosts around the Internet.
– Sniffers now use the same technology as intrusion detection tools.
– The number and complexity of trust relationships in real systems make victim selection easier.

Scanning for Victims: Tomorrow
– Use of data reduction tools and more query-oriented search capability will allow reuse of scan data.
– Inexpensive disk and computation time will encourage the use of cryptography and persistent storage of scan data.
– Scan data becomes a commodity, like marketing information.

Probe Definition
A single attempt to collect information, or to compromise a resource. Usually refers to one or more packets that traverse a computer network. Usually inferred to be malicious, but might be used for packets where the intent is unknown or not clear.

Scan Definition
A scan is a collection of probes, usually with some pattern across a range of systems, services, or both.

Attractive Targets
What information is available to the public?
– DNS servers
– hosts mentioned in whois records
– public service machines (Web, FTP, mail)
Intruders may also identify targets with:
– traceroutes
– DNS zone transfers
– other advanced scanning techniques

Packet Types
TCP: Transmission Control Protocol
– reliable, connection-oriented
– 3-way handshake establishes the connection
– telnet, SMTP, SSH, FTP
UDP: User Datagram Protocol
– unreliable, connectionless
– DNS, bootp, tftp, NFS, SNMP
ICMP: Internet Control Message Protocol
– error and control information
– ping, traceroute

Establishing a TCP Connection
Site A                 Network Messages       Site B
Send SYN               -- SYN -->             Receive SYN
Receive SYN + ACK      <-- SYN + ACK --       Send SYN + ACK
Send ACK               -- ACK -->             Receive ACK

Closing a TCP Connection
Site A                         Network Messages       Site B
Send FIN + ACK                 -- FIN + ACK -->       Receive FIN + ACK
Receive ACK                    <-- ACK --             Send ACK; inform application
Receive FIN + ACK              <-- FIN + ACK --       Send FIN + ACK
Send ACK; inform application   -- ACK -->             Receive ACK

TCP Connect Probes
The intruder uses the connect() system call to send the probe. These probes open (and perhaps close) a TCP connection as described earlier. Privileged access on the origin host is not needed. This type of probe is the most common and the easiest to detect.

TCP SYN Probes
The intruder sends a SYN packet. A SYN-ACK response means the port is open. A RST response means the port is closed. These probes are harder to detect because the connection is never fully completed.

TCP FIN Probes
The intruder sends a FIN packet. Some systems respond with:
– RST packets for closed ports
– nothing for open ports
Like SYN probes, FIN probes are hard to detect because the connection is never completed.
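The connect, SYN and FIN probe slides above describe three probe shapes that look different on the wire: a completed handshake, a half-open connection reset before the final ACK, and a bare FIN with no connection at all. The following Python is an added example, not code from the original presentation: it classifies constructed packet records (not real captures) into those three shapes and infers the port state from the target's reply. The record layout, the flag strings and the function names are assumptions made for the example.

```python
"""Classify TCP probes from a packet log: connect(), SYN (half-open) and FIN probes.

Added example, not from the slides. Each record is
(timestamp, src, dst, service_port, flags); service_port is the probed port in
both directions, and flags is the TCP flag combination as a string. The sample
packets below are constructed, not captured.
"""
from collections import defaultdict

SAMPLE_PACKETS = [
    # connect() probe from 10.0.0.5: full three-way handshake, then a normal close
    (1.00, "10.0.0.5", "192.0.2.10", 22, "SYN"),
    (1.01, "192.0.2.10", "10.0.0.5", 22, "SYN-ACK"),
    (1.02, "10.0.0.5", "192.0.2.10", 22, "ACK"),
    (1.03, "10.0.0.5", "192.0.2.10", 22, "FIN-ACK"),
    # SYN probe from 10.0.0.6 against an open port: SYN-ACK answered with RST, never ACK
    (2.00, "10.0.0.6", "192.0.2.10", 25, "SYN"),
    (2.01, "192.0.2.10", "10.0.0.6", 25, "SYN-ACK"),
    (2.02, "10.0.0.6", "192.0.2.10", 25, "RST"),
    # SYN against a closed port: the target answers RST
    (2.10, "10.0.0.6", "192.0.2.10", 23, "SYN"),
    (2.11, "192.0.2.10", "10.0.0.6", 23, "RST"),
    # FIN probe from 10.0.0.7: bare FIN with no connection; a closed port answers RST
    (3.00, "10.0.0.7", "192.0.2.10", 80, "FIN"),
    (3.01, "192.0.2.10", "10.0.0.7", 80, "RST"),
    # FIN probe against an open port: silence
    (3.10, "10.0.0.7", "192.0.2.10", 22, "FIN"),
]


def group_flows(packets):
    """Group packets into flows keyed by (client, server, port).

    The client is whichever side sent the first packet of the flow; replies
    from the server are matched by swapping the addresses.
    """
    flows = {}
    for _ts, src, dst, port, flags in packets:
        if (src, dst, port) in flows:
            key, direction = (src, dst, port), "client"
        elif (dst, src, port) in flows:
            key, direction = (dst, src, port), "server"
        else:
            key, direction = (src, dst, port), "client"
            flows[key] = []
        flows[key].append((direction, flags))
    return flows


def classify_flow(events):
    """Return (probe_type, inferred_port_state) for one flow's (direction, flags) list."""
    sent = [f for d, f in events if d == "client"]
    got = [f for d, f in events if d == "server"]
    if "SYN" not in sent:
        # No SYN at all: a bare FIN is a stealth probe. RST means closed;
        # silence means open or filtered, which is all a FIN probe can tell.
        return "fin_probe", ("closed" if "RST" in got else "open_or_filtered")
    if "SYN-ACK" in got:
        # The port is open; whether the client completed the handshake tells
        # a connect() probe apart from a half-open SYN probe.
        return ("connect_probe", "open") if "ACK" in sent else ("syn_probe", "open")
    if "RST" in got:
        return "syn_to_closed_port", "closed"
    return "syn_unanswered", "filtered"


def classify(packets):
    """Map every flow in the log to its probe type and inferred port state."""
    return {key: classify_flow(ev) for key, ev in group_flows(packets).items()}


def stealth_sources(packets, threshold=1):
    """Sources with at least `threshold` half-open or FIN probes: the probes the
    slides say need packet-level logging to detect, since no connection is ever
    completed for the application or the connection log to see."""
    counts = defaultdict(int)
    for (client, _server, _port), (kind, _state) in classify(packets).items():
        if kind in ("syn_probe", "fin_probe"):
            counts[client] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for flow, verdict in classify(SAMPLE_PACKETS).items():
        print(flow, "->", verdict)
    print("stealth probe sources:", stealth_sources(SAMPLE_PACKETS))
```

The point of `stealth_sources` is the one the slides make: a connect() probe shows up in ordinary connection logs, but a SYN or FIN probe only exists at the packet level, so the detector has to work from packet records rather than from completed connections.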

ICMP Host Unreachable Probes
The intruder sends a packet to a host. If an intermediate router knows that this host does not exist, it may respond with an “ICMP host unreachable” packet. This technique identifies which hosts don’t exist, and by inference, which ones do. More information is available in IN

Reverse Ident Probes
The intruder first connects to an open port. Then they send an ident request to the probed host to determine which userid owns the port. Protect against these scans by using the privacy options in ident. These probes can be used to identify Web servers running as root, etc.

FTP Bounce Probes
The intruder connects to an FTP server. Then they attempt to transfer files between the FTP server and the target host. Based on the error messages, the intruder can tell if the port is open. FTP bounce probes are often used to probe systems behind a firewall. More information is available in CA

Decoy Probes
The intruder sends several spoofed probes at the same time the real probe is sent. The real origin is hard to determine. This reduces the chance that the probe will be reported and responded to correctly. It can also lead system administrators to doubt the legitimacy of probes reported to them.

Spoofed Origin Probes
The intruder sends probes with a spoofed source address. Then they use an ethernet sniffer to capture the probe results on a host “near” the spoofed origin of the probes. More information is available in IN

Fragmented Probes
The intruder fragments the header of the probe packet into tiny pieces. Some systems (including firewalls) do not properly filter these packets. Other types of probes can be used with the “fragmented header” technique.
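The filtering failure the slide describes is that a packet filter which decides on TCP flags never sees those flags when the first fragment is too short to contain them, or when a later fragment overlays them. RFC 1858 recommends two checks for exactly this: drop a first fragment whose transport data is shorter than the fields the filter needs, and drop any TCP fragment at offset 1 (8 bytes into the header). The following Python is an added example, not code from the original presentation or from any firewall; it builds constructed IPv4 packets with `struct` and applies both checks. The minimum length constant, the function names and the sample packets are assumptions for the example.

```python
"""Tiny-fragment checks for a packet filter (after RFC 1858). Added example, not from the slides.

A filter that decides on TCP flags can be bypassed if the first fragment is too
short to contain the flags field, or if a second fragment at offset 1 (8 bytes)
overwrites the flags of the reassembled header. RFC 1858 recommends dropping both.
The packets below are constructed with struct, not captured.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
TCP_FLAGS_END = 14  # the TCP flags byte sits at offset 13, so 14 bytes cover it (assumed tmin)


def build_ipv4(proto, more_fragments, frag_offset, payload,
               src=b"\x0a\x00\x00\x05", dst=b"\xc0\x00\x02\x0a"):
    """Build a minimal IPv4 packet (20-byte header, no options, zero checksum)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0, src, dst)
    return header + payload


def parse_ipv4(packet):
    """Extract the header fields the fragment checks need."""
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum, _s, _d = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "proto": proto,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,   # in 8-byte units
        "transport_len": total_len - ihl,     # bytes of transport data in this fragment
    }


def fragment_verdict(packet, tmin=TCP_FLAGS_END):
    """Return ("drop", reason) or ("pass", reason) for one IPv4 packet.

    Only TCP is checked here; the same idea applies to any protocol whose
    header fields the filter inspects.
    """
    h = parse_ipv4(packet)
    if h["proto"] != IPPROTO_TCP:
        return "pass", "not TCP"
    if h["frag_offset"] == 0 and h["more_fragments"] and h["transport_len"] < tmin:
        return "drop", "first fragment too short to carry the TCP flags"
    if h["frag_offset"] == 1:
        return "drop", "offset-1 fragment would overwrite TCP header fields"
    return "pass", "fragment carries enough header to filter on"


# Constructed sample packets (payloads are zero-filled; only the sizes matter here).
UNFRAGMENTED = build_ipv4(IPPROTO_TCP, False, 0, bytes(20))  # whole TCP header present
TINY_FIRST = build_ipv4(IPPROTO_TCP, True, 0, bytes(8))      # ports + seq only, flags missing
OFFSET_ONE = build_ipv4(IPPROTO_TCP, False, 1, bytes(12))    # overlays bytes 8..19 of the header
OK_FIRST = build_ipv4(IPPROTO_TCP, True, 0, bytes(24))       # first fragment with full header
UDP_TINY = build_ipv4(IPPROTO_UDP, True, 0, bytes(8))        # a complete 8-byte UDP header

if __name__ == "__main__":
    for name, pkt in [("unfragmented", UNFRAGMENTED), ("tiny first", TINY_FIRST),
                      ("offset one", OFFSET_ONE), ("ok first", OK_FIRST),
                      ("udp tiny", UDP_TINY)]:
        print(name, fragment_verdict(pkt))
```

The offset-1 rule is the one that is easy to forget: a first fragment can carry a complete, innocuous-looking header and still be followed by an 8-byte-offset fragment that rewrites the flags during reassembly on the destination host, so the filter has to reject that second fragment on its offset alone.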

Architecture Mapping
The intruder sends probes that produce specific responses based on the operating system. The intruder can use this information to identify:
– operating system
– hardware architecture
– OS version number
More information is available in IN

Coordinated Scans
Coordinated scans are probes that:
– come from multiple hosts
– collectively produce a complete scan
The results are collected by a single intruder or shared among cooperating intruders. It looks like there are multiple intruders, but there’s no way to know for sure.

Slow Scans
The probes in a scan can occur slowly, over days or even weeks. This avoids thresholds in some firewalls. It’s harder to detect than a normal scan. It’s also harder to detect on the originating host. More information is available in IN
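The Coordinated Scans and Slow Scans slides describe two ways a scan stays under a per-source threshold: spread the probes over days, or spread them over several sources. Both defeat a detector that only counts probes from one address inside a short window. The following Python is an added example, not code from the original presentation: over constructed probe records (not real logs) it shows that the slow scan is missed at a 60-second window and caught at a 30-day window, and it finds groups of sources that each stay below the threshold against one destination while together covering a full port range. Thresholds, windows and names are assumptions for the example.

```python
"""Scan detection over long windows and across cooperating sources.

Added example, not from the slides. Probe records are (timestamp, src, dst, port)
as a firewall or IDS might log them; the sample below is constructed to contain
a burst scan, a slow scan (one probe a day) and a coordinated scan split across
three sources. Thresholds and names are assumptions for the example.
"""
from collections import defaultdict

DAY = 86400


def _probes(src, dst, ports, start, step):
    """Build probe records from src to dst, one port every `step` seconds."""
    return [(start + i * step, src, dst, p) for i, p in enumerate(ports)]


SAMPLE_PROBES = sorted(
    _probes("10.0.0.5", "192.0.2.10", range(21, 31), 1000, 0.5)      # burst: 10 ports in 5 s
    + _probes("10.0.0.8", "192.0.2.10", range(21, 31), 2000, DAY)    # slow: 10 ports over 10 days
    + _probes("10.0.0.21", "192.0.2.20", [21, 22, 23, 25], 5000, 1)  # coordinated: 3 sources,
    + _probes("10.0.0.22", "192.0.2.20", [53, 80, 110], 5010, 1)     # each below threshold,
    + _probes("10.0.0.23", "192.0.2.20", [111, 139, 143], 5020, 1)   # 10 ports together
)


def scanning_sources(probes, window, min_targets):
    """Sources that hit at least `min_targets` distinct (dst, port) targets
    within any `window` seconds. A short window is the firewall threshold a
    slow scan is designed to slip under; a long window catches it."""
    by_src = defaultdict(list)
    for ts, src, dst, port in probes:
        by_src[src].append((ts, (dst, port)))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {tgt for ts, tgt in events[i:] if ts <= t0 + window}
            if len(targets) >= min_targets:
                flagged.add(src)
                break
    return sorted(flagged)


def coordinated_groups(probes, window, min_targets):
    """Groups of sources that individually stay below `min_targets` ports on one
    destination within `window` seconds but together reach it. Returns a sorted
    list of (dst, (src, ...)) tuples."""
    by_dst = defaultdict(list)
    for ts, src, dst, port in probes:
        by_dst[dst].append((ts, src, port))
    groups = set()
    for dst, events in by_dst.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_window = [(s, p) for ts, s, p in events[i:] if ts <= t0 + window]
            ports_by_src = defaultdict(set)
            for s, p in in_window:
                ports_by_src[s].add(p)
            if len(ports_by_src) < 2:
                continue
            if max(len(p) for p in ports_by_src.values()) >= min_targets:
                continue  # a single source already trips the per-source rule
            if len({p for _, p in in_window}) >= min_targets:
                groups.add((dst, tuple(sorted(ports_by_src))))
    return sorted(groups)


if __name__ == "__main__":
    print("60 s window:", scanning_sources(SAMPLE_PROBES, 60, 8))
    print("30 day window:", scanning_sources(SAMPLE_PROBES, 30 * DAY, 8))
    print("coordinated:", coordinated_groups(SAMPLE_PROBES, 60, 8))
```

The cost of the long window is state: the detector has to keep a month of per-source target sets rather than a counter that resets every minute, which is why the slide notes that slow scans defeat thresholds in firewalls. Grouping by destination rather than by source is what makes the coordinated case visible, at the price that the group it reports may contain unrelated sources that happened to probe the same host in the same window.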

The Future of Probes
We’re very likely to see more:
– widespread brute-force scanning with little regard for being detected
– stealthy probes like SYN and FIN that require packet logging to detect
– attempts to hide the origin of the probes through spoofing and decoys
– automated vulnerability exploits that probe and compromise in a single step

Typical Intruder Attack (Yesterday)
[Diagram] Intruder scans remote sites across the Internet to identify targets, then attacks vulnerable or misconfigured hosts.

Distributed Coordinated Attack (Today)
[Diagram] Intruder scans remote sites across the Internet to identify targets, then attacks vulnerable or misconfigured hosts.

Distributed Coordinated Attack
– Uses 100s to 1000s of clients (10,000s)
– Is triggered by a “victim” and “time” command
– Will simultaneously attack the victim from all clients
– Currently does not use random source addresses
– Today used in DoS attacks only

Issues for Responding to DoS Attacks
Filtering/detecting this attack is problematic! The intruder’s intent is not always clear in denial of service attacks. The intruder might be:
– using the DoS attack to hide a real attack
– misusing resources to attack someone else
– attempting to frame someone else for the attack
– disabling a trusted host as part of an intrusion
Attacks also frequently involve:
– IRC abuse
– intruders attacking each other
– retaliation for securing systems

The Future is Automation
Put these together and what do you get?
– tools to scan for multiple vulnerabilities
– architecture identification tools
– widely available exploits
– pre-packaged Trojan horse backdoor programs
– delivery and recon through active content
Bad news! Together, these publicly available tools could be modified to launch widespread scans and compromise systems automatically.