ECE-8843 Prof. John A. Copeland 404 894-5177 fax 404 894-0035 Office: GCATT Bldg.

Presentation transcript:

1 Chapter 9 - Network Intrusion

2 Network Intruders
Masquerader: A person who is not authorized to use a computer, but gains access appearing to be someone with authorization (steals services, violates the right to privacy, destroys data, ...).
Misfeasor: A person who has limited authorization to use a computer, but misuses that authorization (steals services, violates the right to privacy, destroys data, ...).
Clandestine User: A person who seizes supervisory control of a computer and proceeds to evade auditing and access controls.
Hacker: generic term for someone who does unauthorized things with other people's computers (also a poor golfer, tennis player, or programmer good at quick and dirty code).

3 Access Control
Today almost all systems are protected only by a simple password that is typed in, or sent over a network in the clear.
Techniques for guessing passwords:
1. Try default passwords.
2. Try all short words, 1 to 3 characters long.
3. Try all the words in an electronic dictionary (60,000).
4. Collect information about the user's hobbies, family names, birthday, etc.
5. Try the user's phone number, social security number, street address, etc.
6. Try all license plate numbers (123XYZ).
Prevention: Enforce good password selection ("c0p31an6" - not great, "wduSR-wmHb365" - better).

4 Password Gathering
Look under the keyboard, telephone, etc.
Look in the Rolodex under "X" and "Z".
Call up pretending to be from "micro-support," and ask for it.
"Snoop" a network and watch the plaintext passwords go by.
Tap a phone line - but this requires a very special modem.
Use a "Trojan Horse" program to record keystrokes.

5 UNIX Passwords
User's password (should be required to have 8 characters, some non-letters) + random 12-bit number (Salt) -> DES encrypted to 11 viewable characters.
Stored record per user: User ID | Salt Value | Hash (the figure shows this record repeated for each user).

6 Storing UNIX Passwords
Until a few years ago, UNIX password hashes were kept in a publicly readable file, /etc/passwd. Now they are kept in a "shadow" file readable only by "root". This helps prevent a "reverse-lookup dictionary" attack.
"Salt":
- prevents duplicate passwords from being easily seen as such.
- prevents use of standard reverse-lookup dictionaries (a different dictionary would have to be generated for each value of Salt).
- does not "effectively increase the length of the password."
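To make the three Salt properties concrete, here is an added Python example (not from the slides or the textbook); it keeps the classic 12-bit salt but stands in for DES crypt(3) with SHA-256, which is an assumption made for brevity.

```python
import hashlib
import hmac
import secrets

SALT_BITS = 12          # classic crypt(3): 4096 possible salt values

def make_salt():
    """Random 12-bit salt, chosen when the password is set."""
    return secrets.randbelow(1 << SALT_BITS)

def hash_password(password, salt):
    # Stand-in for DES-based crypt(3): the salt is mixed in before hashing,
    # so the same password gives a different hash for each salt value.
    data = salt.to_bytes(2, "big") + password.encode()
    return hashlib.sha256(data).hexdigest()

def store(password):
    """What goes into the shadow file: (salt, hash). The salt is not secret."""
    salt = make_salt()
    return salt, hash_password(password, salt)

def verify(password, salt, stored_hash):
    """Login check: re-hash with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt), stored_hash)

def build_reverse_lookup(dictionary, salt):
    """Precomputed hash -> word table. It is only valid for ONE salt value."""
    return {hash_password(word, salt): word for word in dictionary}

def reverse_lookup_entries(dictionary_size, salt_bits=SALT_BITS):
    """Table size an attacker would need to cover every salt (slide: 60,000 words)."""
    return dictionary_size * (1 << salt_bits)

# Property 3 from the slide: the salt does NOT lengthen the password. An attacker
# who has the shadow file already knows each user's salt, so a targeted guess of
# one account still costs one hash per dictionary word.
def targeted_guesses(dictionary, salt, stored_hash):
    """Number of hashes needed to find the password of one account, or None."""
    for n, word in enumerate(dictionary, 1):
        if hash_password(word, salt) == stored_hash:
            return n
    return None
```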

7 The Stages of a Network Intrusion
1. Scan the network to locate which IP addresses are in use, what operating system is in use, and what TCP or UDP ports are "open" (being listened to by servers).
2. Run "Exploit" scripts against open ports.
3. Get access to a Shell program which is "suid" (has "root" privileges).
4. Download from a Hacker Web site special versions of system files that will let the Cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast.

8
# nmap -sS -P0 -vv -p 21,22,25,110,
Starting nmap V ( )
Host jacsw ( ) appears to be up... good.
Initiating SYN Stealth Scan against victim ( )
Adding open port 22/tcp
Adding open port 443/tcp
The SYN Stealth Scan took 4 seconds to scan 5 ports.
Interesting ports on jacsw ( ):
Port State Service
21/tcp filtered ftp [response blocked by firewall]
22/tcp open ssh [tcp port 22 open]
25/tcp filtered smtp
110/tcp filtered pop-3
443/tcp open https
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
# telnet [telnet can connect to any port]
Trying [here we specified port 22]
Connected to
SSH-2.0-OpenSSH_3.1p1 [response shows SSH version]

9
# less /var/log/secure
Oct 15 13:45:30 lc1 sshd[12538]: Could not reverse map address
Oct 15 13:46:26 lc1 sshd[12538]: Accepted password for root from port ssh2
Oct 15 15:05:44 lc1 sshd[12591]: Could not reverse map address
Oct 15 15:05:48 lc1 sshd[12591]: Accepted password for root from port ssh2
Oct 17 07:34:10 lc1 sshd[13409]: Accepted password for root from port ssh2
Oct 17 07:49:33 lc1 sshd[13460]: Accepted password for root from port ssh2
Oct 17 08:02:37 lc1 sshd[13503]: Accepted password for root from port ssh2
Oct 17 08:10:40 lc1 sshd[13542]: Accepted password for root from port ssh2
Oct 17 08:26:16 lc1 sshd[13584]: Accepted password for root from port ssh2
Oct 17 11:52:18 lc1 sshd[13640]: Could not reverse map address
Oct 17 11:52:27 lc1 sshd[13640]: Accepted password for root from port ssh2
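The log above is the kind of evidence an administrator should be looking for. As an added example (not part of the lecture), here is a small Python parser for sshd lines in /var/log/secure that flags every root login by password and notes whether the source address failed reverse DNS in the same session; the sample lines and their 192.0.2.x / 203.0.113.x addresses are constructed, since the slide's addresses were lost in transcription.

```python
import re
from collections import Counter

# syslog-style line as sshd writes it to /var/log/secure
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(
    r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
NOREV_RE = re.compile(r"^Could not reverse map address (?P<ip>\S+)")

# Constructed sample in the slide's format (addresses are documentation ranges).
SAMPLE_LOG = """\
Oct 15 13:45:30 lc1 sshd[12538]: Could not reverse map address 192.0.2.10
Oct 15 13:46:26 lc1 sshd[12538]: Accepted password for root from 192.0.2.10 port 4010 ssh2
Oct 17 07:34:10 lc1 sshd[13409]: Accepted password for root from 192.0.2.10 port 4011 ssh2
Oct 17 07:49:33 lc1 sshd[13460]: Accepted publickey for alice from 198.51.100.7 port 50234 ssh2
Oct 17 11:52:18 lc1 sshd[13640]: Could not reverse map address 203.0.113.5
Oct 17 11:52:27 lc1 sshd[13640]: Accepted password for root from 203.0.113.5 port 4012 ssh2
""".splitlines()

def parse_secure_log(lines):
    """Yield (timestamp, pid, message) for every line that looks like an sshd entry."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("pid"), m.group("msg")

def root_password_logins(lines):
    """Return (timestamp, ip, had_reverse_dns) for each root login by password.

    sshd logs the reverse-map failure and the accept under the same pid, so the
    pid ties the two lines together."""
    unresolved = {}   # pid -> address that failed reverse DNS
    hits = []
    for ts, pid, msg in parse_secure_log(lines):
        nr = NOREV_RE.match(msg)
        if nr:
            unresolved[pid] = nr.group("ip")
            continue
        acc = ACCEPT_RE.match(msg)
        if acc and acc.group("user") == "root" and acc.group("method") == "password":
            ip = acc.group("ip")
            hits.append((ts, ip, unresolved.get(pid) != ip))
    return hits

def logins_per_source(hits):
    """How many root password logins came from each address (repeat offenders)."""
    return Counter(ip for _, ip, _ in hits)

if __name__ == "__main__":
    for ts, ip, has_rdns in root_password_logins(SAMPLE_LOG):
        print(ts, "root password login from", ip, "" if has_rdns else "(no reverse DNS)")
```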

10 Protection from a Network Intrusion
1. Use a "Firewall" between the local area network and the world-wide Internet to limit access (Chapter 10).
2. Use an IDS (Intrusion Detection System) to detect the Cracker during the scanning stage (lock out the IP address, or monitor and prosecute).
3. Use a program like TripWire on each host to detect when system files are altered, and send an alert to the Sys Admin.
4. On Microsoft PCs, a program like BlackIce or Zone Alarm is easier to install (and more fun) than learning how to reset all of the Windows default parameters to make the system safe.

12 Anomaly-Based Intrusion Detection
High statistical variation in most measurable network behavior parameters results in a high false-alarm rate.
(Figure: distribution of a measured parameter with a Detection Threshold drawn across it; the regions on either side are labelled Undetected Intrusions and False Alarms.)

13 “Base-Rate” Fallacy Suppose the accuracy of an IDS is 99%. This means that for every 100 normal events, there will be 1 false positive. Also for every 100 intrusion events, there will be 99 detects (true positives) and 1 missed detection (false negative). If there are 300,000 normal connections a day, there will be 3000 false alarms. If there is one intrusion per week, there will be a 99% chance of detecting it (if the IDS is still turned on). For detailed math, see Appendix 9A of the textbook (edition 2).
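The slide's numbers carried through Bayes' rule (an added derivation, not from the slides or Appendix 9A), with $I$ = intrusion and $A$ = alarm, on a per-day basis:

$$P(A \mid \neg I) = 0.01, \qquad P(A \mid I) = 0.99, \qquad N_{\text{normal}} = 300{,}000 \text{ per day}, \qquad N_{I} = \tfrac{1}{7} \text{ per day}$$

Expected alarms per day:

$$\text{false alarms} = 0.01 \times 300{,}000 = 3000, \qquad \text{true alarms} = 0.99 \times \tfrac{1}{7} \approx 0.141$$

So the fraction of alarms that are real intrusions is

$$P(I \mid A) = \frac{0.141}{0.141 + 3000} \approx 4.7 \times 10^{-5},$$

that is, roughly one alarm in 21,000 is genuine even though the IDS is "99% accurate"; the 1% false-positive rate, not the 99% detection rate, governs how useful the alarms are.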

14 Distributed Host-Based IDS
Modules must be installed and configured on hosts. Highly recommended for critical servers.
Examples: Okena (Cisco), ISS Desktop Proventia.

15 Signature-Based IDS
Data packets are compared to a growing library of known attack signatures. These include port numbers or sequence numbers that are fixed in the exploit application, and sequences of characters that appear in the data stream. Packet streams must be assembled and searched, which reduces the maximum possible data rate on the link being observed.

16 Six "Signatures" from the Snort Database
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg: "IDS411 - RealAudio-DoS"; flags: AP; content: "|fff4 fffd 06|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS362 - MISC - Shellcode X86 NOPS-UDP"; content: "| |";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS359 - OVERFLOW-NOOP-HP-TCP2";flags:PA; content:"|0b b b b |";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS345 - OVERFLOW-NOOP-Sparc-TCP";flags:PA; content:"|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS355 - OVERFLOW-NOOP-Sparc-UDP2"; content:"|a61c c013 a61c c013 a61c c013 a61c c013|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS291 - MISC - Shellcode x86 stealth NOP"; content: "|eb 02 eb 02 eb 02|";)
Other systems: "Dragon", ISS RealSecure, Arbor
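To show what the "assemble and search" step of a signature-based IDS actually does with rules like these, here is an added Python example (not Snort's code and not from the lecture) that parses the subset of Snort rule syntax on the slide, decodes the |hex| content strings to bytes, and checks a packet's protocol, destination port, TCP flags and payload against the two rules whose hex survived transcription intact.

```python
import re

RULE_RE = re.compile(
    r"^alert (?P<proto>tcp|udp) \S+ \S+ -> \S+ (?P<dport>\S+) \((?P<opts>.*)\)\s*$"
)

def parse_content(spec):
    """Decode a Snort content string: text outside |...| is literal, text
    inside the pipes is hex bytes (spaces between tokens are ignored)."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            hexdigits = part.replace(" ", "")
            if len(hexdigits) % 2:
                raise ValueError("odd hex digit count in content: " + spec)
            out += bytes.fromhex(hexdigits)
    return bytes(out)

def parse_rule(text):
    """Parse the rule header plus the msg/flags/content options used on the slide."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unsupported rule: " + text)
    opts = {}
    for opt in m.group("opts").split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    return {
        "proto": m.group("proto"),
        "dport": m.group("dport"),          # "any" or a port number
        "msg": opts.get("msg", ""),
        "flags": opts.get("flags", ""),     # e.g. "AP": ACK and PSH must both be set
        "content": parse_content(opts["content"]),
    }

def rule_matches(rule, proto, dport, flags, payload):
    """True when the header fields satisfy the rule and the signature bytes
    occur anywhere in the (reassembled) payload."""
    if proto != rule["proto"]:
        return False
    if rule["dport"] != "any" and str(dport) != rule["dport"]:
        return False
    if any(flag not in flags for flag in rule["flags"]):
        return False
    return rule["content"] in payload

# The two rules from the slide whose hex content is complete.
RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg: "IDS411 - RealAudio-DoS"; flags: AP; content: "|fff4 fffd 06|";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS291 - MISC - Shellcode x86 stealth NOP"; content: "|eb 02 eb 02 eb 02|";)',
)]

def scan_packet(proto, dport, flags, payload, rules=RULES):
    """Return the msg of every rule this packet trips (constructed packets in the test)."""
    return [r["msg"] for r in rules if rule_matches(r, proto, dport, flags, payload)]
```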

17 Signature-Based Intrusion Detection Systems May Not Detect New Types of Attack
(Figure: named attacks such as Back Orifice, Win Nuke, Trino, IP Blob and Land Attack fall in the "Attacks with Names" region, where the IDS alarms on activity; "Attacks without Names (not analyzed yet)" lie outside it and raise no alarm.)

18 Flow-Based Technology
An approach that recognizes normal traffic can detect new types of intrusions.
(Figure: "Normal Network Activities" such as FTP, NetBIOS and Web are separated from both "Attacks with Names" (Back Orifice, Win Nuke, Trino, IP Blob, Land Attack) and "Attacks without Names (not analyzed yet)"; the IDS alarms on activities in these two areas.)
Example: Lancope's "StealthWatch"

19 Flow-based Statistical Analysis
A "Flow" is the stream of packets from one host to another related to the same service (e.g., Web, telnet, ...). Data in packet headers is used to build up counts (leads to high speed). After the flow is over, the counters are analyzed and a value is derived for the probability that the flow was crafted, perhaps for probing the network for vulnerabilities or for denial of service.
Flow-Statistics Counters:
- Number of Packets
- Number of Total Bytes
- Number of Data Bytes
- Start Time of Flow
- Stop Time of Flow
- Duration of Flow
- Flag-Bit True-False Combo
- Fragmentation Bits
- ICMP Packet Responses to UDP Packets
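As an added example (not StealthWatch's code and not from the lecture), here is a Python aggregator that builds exactly these per-flow counters from packet headers; the "crafted" score at the end is a constructed four-indicator heuristic of my own, since the slide does not say how the probability is derived, and the packet records are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Flow:
    """The counters listed on the slide, kept per (src, dst, proto, dport)."""
    packets: int = 0
    total_bytes: int = 0
    data_bytes: int = 0
    start: float = 0.0
    stop: float = 0.0
    flag_combos: set = field(default_factory=set)   # distinct TCP flag combinations seen
    fragmented: int = 0                              # packets with fragmentation bits set
    icmp_unreach: int = 0                            # ICMP port-unreachable replies to a UDP flow

    @property
    def duration(self):
        return self.stop - self.start

def build_flows(packets):
    """Aggregate header records into flows; no payload is inspected (hence the speed)."""
    flows = {}
    for p in packets:
        if p["proto"] == "icmp-unreach":          # reply is credited to the UDP flow it answers
            if p["orig"] in flows:
                flows[p["orig"]].icmp_unreach += 1
            continue
        key = (p["src"], p["dst"], p["proto"], p["dport"])
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(start=p["t"], stop=p["t"])
        f.packets += 1
        f.total_bytes += p["len"]
        f.data_bytes += p["data"]
        f.start, f.stop = min(f.start, p["t"]), max(f.stop, p["t"])
        f.flag_combos.add(p.get("flags", ""))
        f.fragmented += int(p.get("frag", False))
    return flows

def crafted_score(f):
    """Constructed heuristic (assumption, not the product's method): fraction of
    four probe-like indicators present, 0.0 = looks like a normal flow."""
    hits = 0
    hits += f.data_bytes <= 2 and f.packets <= 3        # tiny or empty payload, few packets
    hits += f.icmp_unreach > 0                          # port-unreachable came back
    hits += bool(f.flag_combos) and f.flag_combos <= {"S"}   # SYNs that never completed
    hits += f.fragmented > 0
    return hits / 4.0

# Constructed packet header records: a normal web fetch, a one-byte UDP probe
# that draws an ICMP port-unreachable, and a half-open SYN probe.
SAMPLE_PACKETS = [
    {"t": 0.00, "src": "10.0.0.5", "dst": "10.0.0.80", "proto": "tcp", "dport": 80, "len": 60, "data": 0, "flags": "S"},
    {"t": 0.01, "src": "10.0.0.5", "dst": "10.0.0.80", "proto": "tcp", "dport": 80, "len": 52, "data": 0, "flags": "A"},
    {"t": 0.02, "src": "10.0.0.5", "dst": "10.0.0.80", "proto": "tcp", "dport": 80, "len": 300, "data": 248, "flags": "PA"},
    {"t": 5.00, "src": "198.51.100.9", "dst": "10.0.0.80", "proto": "udp", "dport": 2141, "len": 43, "data": 1, "flags": ""},
    {"t": 5.01, "src": "10.0.0.80", "dst": "198.51.100.9", "proto": "icmp-unreach", "orig": ("198.51.100.9", "10.0.0.80", "udp", 2141)},
    {"t": 9.00, "src": "198.51.100.9", "dst": "10.0.0.80", "proto": "tcp", "dport": 22, "len": 44, "data": 0, "flags": "S"},
]
```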

20 Zone Protection

21 IDS Types Should be Combined
Host-Based: Can detect misuse of OS access and file permissions.
Signature-Based: Can detect attacks embedded in network data - if the signature is known.
Anomaly-Based: On host or network. Can detect new types, but high false alarm rate.
Flow-Based: Can detect new types of attacks by network activity. Should be used with Host-Based and/or Signature-Based.

22 The Stages of a Network Intrusion (with the IDS type annotated on the slide for each stage)
1. Scan the network to locate which IP addresses are in use, what operating system is in use, and what TCP or UDP ports are "open" (being listened to by servers). [Flow-based* "CI", signature-based?]
2. Run "Exploit" scripts against open ports. [Signature?, Flow-Based Port Profile*]
3. Get access to a Shell program which is "suid" (has "root" privileges). [Signature?, "Port-Profile*", Forbidden Zones*]
4. Download from a Hacker Web site special versions of system files that will let the Cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs. [Host-based]
5. Use IRC (Internet Relay Chat) to invite friends to the feast. [Host-based Vulnerability Scan]
* StealthWatch

23 Detection of the "Mac Attack" DDoS Plan
Type "A" Probes (detected by John Copeland in Dec. 1999)
The first three UDP probes, which started my investigation, had a single character in the data field, an 'A'. The UDP port numbers were identical, > . They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port packets. The Echo-Request is never answered.
Date Time EST Source IP (Place) Destination (Place)
: (Italy) to (Atlanta, GA)
: (AOL) to (Atlanta, GA)
: (Saudi Arabia) to (Atlanta, GA)
UDP packets with an empty data field, like those generated by the "nmap" scan program, do not stimulate the 1500-byte ICMP packets from an OS-9 Macintosh.

24 2nd Generation, "Mac Attack" Scanning
"Double-zero" Probes (James Bond, "00" -> "license to kill"), detected in Dec.
I have now seen 3 UDP type "00" probes, and had another "00" probe reported from Kansas. These probes use a single UDP packet, two bytes of data (ascii zeroes) and identical UDP port numbers, >2140. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port packets. The Echo-Request is never answered.
: (Arab Emirates*) to (Atlanta, GA)
: (Arab Emirates*) to (Atlanta, GA) *DNS name: cwa129.emirates.net.ae
: (Turkey) to xxx.xxx (Wichita, Kansas) *DNS: none
: (Manchester, UK*) to xx.xx (Atlanta, GA) *DNS name: manchester_nas11.ida.bt.net
: (Road Runner, Hawaii) to xxx.xxx (Wichita, Kansas) *DNS name: a24b94n80client152.hawaii.rr.com
: (cwnet, NJ) to xx.xxx (Atlanta, GA) *DNS name: ad11-s cwci.net

25 Drawing from Atlanta Journal-Constitution article, Dec. Full details at /macattack/

26 Traceroute to find location of IP Address
Start: 11/21/99 11:07:40 PM
Find route from: to: ( ), Max 30 hops, 40 byte packets
Host Names truncated to 32 bytes
1 ( ): 17ms 17ms 16ms
2 ( ): 18ms 19ms 18ms
3 ( ): 17ms 18ms 17ms
4 ( ): 19ms 17ms 18ms
5 ( ): 25ms 25ms 23ms
6 sgarden-sa-gsr.carolina.rr.com. ( ): 26ms 27ms 27ms
7 roc-gsr-greensboro-gsr.carolina. ( ): 28ms 28ms 30ms
8 roc-asbr-roc-gsr.carolina.rr.com ( ): 30ms 32ms 30ms
9 ( ): 40ms 39ms 39ms
10 gbr2-a30s1.wswdc.ip.att.net. ( ): 38ms 40ms 39ms
11 gr2-p3110.wswdc.ip.att.net. ( ): 278ms 40ms 39ms
12 att-gw.washdc.teleglobe.net. ( ): 41ms 43ms 42ms
13 if-7-2.core1.newyork.teleglobe.n ( ): 45ms 46ms 45ms
14 if bb3.newyork.teleglobe.n ( ): 45ms 47ms 49ms
15 ix bb3.newyork.teleglobe.n ( ): 50ms 46ms 50ms
16 ( ): 44ms 48ms 45ms
17 fe0-0.cr3.ndf.iafrica.net. ( ): 635ms 632ms 633ms
18 atm6-0sub300.cr1.vic.iafrica.net ( ): 641ms 640ms 644ms
19 ( ): 643ms 640ms 643ms
20 ( ): 662ms 659ms 664ms
21 ( ): 663ms 658ms 664ms
Trace completed 11/21/99 11:08:25 PM