Intrusion Detection Systems

1 Intrusion Detection Systems
Casey Wilson

2 Outline
Start reserving your topology
Learning goals
Background
Variations

3 Reserve topology
Go to: https://goo.gl/zZF5j7
Use RSPEC CyberPaths/files/IDSLabEasyRSpec.txt

4 Learning Goals
Set up an IDS and verify that it functions properly
Study and understand IDS logs
Apply concepts of intrusion detection in a real scenario
Create a custom Intrusion Detection System (IDS) rule

5 Intrusion Detection Systems and Mitigation
Goals:
Install Snort IDS on monitor machine
Duplicate all traffic to monitor
Create a custom alert for Snort IDS
Use mitigation script
Drop malicious traffic
[Diagram: SYN flood sequence between Attacker, Server and Spoofed Client: Attacker sends spoofed SYN to Server; Server sends SYN-ACK to Spoofed Client; Server resends SYN-ACK]

6 Background
Intrusion Detection and Prevention Systems
Computer Networks
Software Defined Networks
Command Line
GENI
DoS

7 Detection via Signatures
Signature checking: does packet match some signature?
Payload, e.g., shellcode
Header, e.g., SYN
Problem: not so great for zero-day attacks -- Q: WHY?

8 DDoS TCP SYN Flood
[Diagram: Attacker sends spoofed SYN to Server; Server sends SYN-ACK to Spoofed Client; Server resends SYN-ACK]
Insights:
Traffic pattern
Spoofed IPs

9 Snort
Open source IDS
Signature detection
Lots of available rulesets
Example rule:
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A |root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
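To make the two kinds of signature check from slide 7 concrete (a header match such as a bare SYN, and a payload match such as the content string in the Snort rule above), here is a small signature matcher written for this transcript. It is added example code, not Snort's engine and not part of the lab materials. It parses the rule header plus a few options (msg, content, flags, sid), decodes Snort's |..| hex notation, and runs the rules over constructed packets. The variable bindings for $EXTERNAL_NET and $SQL_SERVERS, the second (flags-only) rule, and the sample packets are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed packet model (not a real capture): only the fields the matcher needs.
@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    tcp_flags: frozenset = frozenset()   # e.g. {"S"} for a bare SYN
    payload: bytes = b""

# Assumed variable bindings; a real snort.conf defines these as ipvars.
VARIABLES = {
    "$EXTERNAL_NET": ["0.0.0.0/0"],
    "$SQL_SERVERS": ["10.0.0.0/24"],
}

# action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def parse_content(spec: str) -> bytes:
    """Decode a Snort content string: text between pipes is hex (spaces ignored),
    text outside pipes is a literal byte string."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                           # odd index = inside a |...| pair
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

def parse_rule(rule: str) -> dict:
    """Parse the header and the subset of options this matcher understands.
    Options it does not know (flow, classtype, rev) are parsed but ignored."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("rule header not understood")
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')
    return {
        "action": action, "proto": proto,
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "msg": options.get("msg", ""), "sid": options.get("sid"),
        "content": parse_content(options["content"]) if "content" in options else None,
        "flags": frozenset(options["flags"]) if "flags" in options else None,
    }

def _addr_ok(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    nets = VARIABLES.get(spec, [spec])
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port

def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Cheap header checks first, then the payload signature."""
    if rule["proto"] != pkt.proto:
        return False
    if not (_addr_ok(rule["src"], pkt.src_ip) and _port_ok(rule["sport"], pkt.src_port)):
        return False
    if not (_addr_ok(rule["dst"], pkt.dst_ip) and _port_ok(rule["dport"], pkt.dst_port)):
        return False
    if rule["flags"] is not None and pkt.tcp_flags != rule["flags"]:
        return False                        # header signature (exact flag set)
    if rule["content"] is not None and rule["content"] not in pkt.payload:
        return False                        # payload signature
    return True

def scan(rules, packets):
    """Return (sid, msg) for every packet/rule pair that matches, in packet order."""
    return [(r["sid"], r["msg"]) for p in packets for r in rules if rule_matches(r, p)]

# The rule from the slide, plus a constructed header-only rule that fires on a bare SYN.
RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; '
    'flow:to_server,established; content:"|0A |root|00|"; '
    'classtype:protocol-command-decode; sid:1775; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SYN to MySQL"; flags:S; sid:9000001;)',
]]

# Constructed sample traffic: a SYN, a data segment carrying the signature, and the
# same payload to a port the rules do not cover.
PACKETS = [
    Packet("tcp", "203.0.113.5", 40000, "10.0.0.7", 3306, frozenset({"S"})),
    Packet("tcp", "203.0.113.5", 40000, "10.0.0.7", 3306, frozenset({"A", "P"}), b"\x0aroot\x00secret"),
    Packet("tcp", "203.0.113.5", 40000, "10.0.0.7", 80, frozenset({"A", "P"}), b"\x0aroot\x00"),
]

if __name__ == "__main__":
    for sid, msg in scan(RULES, PACKETS):
        print(f"[{sid}] {msg}")
```

The third packet shows why the header part of a rule matters: the payload signature is present, but the destination port does not match, so no alert fires. The limitation from slide 7 is visible too: a login attempt that does not contain the exact byte sequence is never seen by this rule.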

10 Variations
Two levels: one uses OpenFlow and one does not
Different attacks:
Slowloris
Privilege escalation
Advanced level: use the power of SDN to detect and mitigate the port(s) from which DoS is coming

11 Questions? And one last thing… go to next slide. Let’s experiment!

12 Correlation and Mitigation
Use monitor to alert correlator
Correlator is logic that communicates with controller, gathers info about attack
Correlator decides based on controller info if there is an attack
Correlator logic is implemented in Python

13 Monitor
Listen for IDS alerts
Alert threshold = # SYN packets / sec
Send alert flag to correlator
Send IPs of selected SYN packets to correlator
Flag can be attack type

14 Monitor – real time snort alert monitoring

15 Monitor – send alert to correlator

16 Correlator

Original Flow Table      Flow Table Snapshot1      Flow Table Snapshot2
Key     Value            Key     Value             Key     Value
port1   IP1              port1   IP1               port1   IP1
port2   IP2              port2   IP12345           port2   IP6789
port3   IP3              port3   IP3               port3   IP3
portn   IPn              portn   IPn               portn   IPn

Hash table based on the original flow table of OVS switch
Query this table using the IP addresses from the monitor to look for any unknown IPs
Additional queries to a second hash table created based on the current flow table

17 Correlator – parse and process flowdump

18 Correlator – block the port of attack
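Slides 12 through 18 describe one pipeline: the monitor counts SYN alerts per second, sends a flag and the source IPs to the correlator, the correlator looks those IPs up in a hash table built from the original OVS flow table, locates unknown IPs in a snapshot of the current flow table, and blocks the port they arrive on. The code on slides 14, 15, 17 and 18 is not in this transcript, so the following is an added, self-contained example of the same procedure written for this page, not the lab's own monitor or correlator scripts. It assumes Snort's alert_fast line format, a constructed alert log, constructed flow tables keyed by switch port, and an OVS bridge named br0 for the drop rule.

```python
import re
from collections import Counter, defaultdict

# Snort alert_fast line layout:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)

def _alert_line(ts, src, usec):
    # Builds a constructed sample alert line in the format above (sid 9000001 is assumed
    # to be the custom SYN rule from the lab).
    return (f"{ts}.{usec:06d}  [**] [1:9000001:1] SYN to MySQL [**] "
            f"[Priority: 2] {{TCP}} {src}:1025 -> 10.0.0.7:3306")

# Constructed sample log: one legitimate SYN at 10:00:00, then in the next second two
# legitimate SYNs and thirty from spoofed addresses (the flood).
ALERT_LINES = [_alert_line("05/01-10:00:00", "10.0.0.50", 100)]
ALERT_LINES += [_alert_line("05/01-10:00:01", "10.0.0.50", 200 + i) for i in range(2)]
ALERT_LINES += [_alert_line("05/01-10:00:01", f"198.51.100.{i}", 1000 + i) for i in range(1, 31)]

def monitor(lines, syn_sid="9000001", threshold=20):
    """Slide 13: count SYN alerts per second; for every second over the threshold emit
    an alert flag (attack type) plus the source IPs seen in that second."""
    per_second = defaultdict(list)
    for line in lines:
        m = FAST_RE.match(line)
        if m and m["sid"] == syn_sid:
            per_second[m["ts"]].append(m["src"])
    return [{"flag": "SYN_FLOOD", "second": ts, "ips": sorted(set(srcs))}
            for ts, srcs in sorted(per_second.items()) if len(srcs) > threshold]

# Constructed flow tables: switch port -> IPs learned on that port. The snapshot taken
# during the flood shows the spoofed sources all arriving on port 2.
ORIGINAL_FLOW_TABLE = {1: {"10.0.0.50"}, 2: {"10.0.0.60"}, 3: {"10.0.0.7"}}
SNAPSHOT_FLOW_TABLE = {
    1: {"10.0.0.50"},
    2: {"10.0.0.60"} | {f"198.51.100.{i}" for i in range(1, 31)},
    3: {"10.0.0.7"},
}

def build_port_index(flow_table):
    """Invert a port -> {IPs} table into the IP -> port hash table of slide 16."""
    return {ip: port for port, ips in flow_table.items() for ip in ips}

def correlate(alert, original_table, snapshot_table):
    """Slide 16: IPs absent from the original table are unknown; the snapshot tells us
    which port they came in on. Returns None when there is nothing to act on."""
    original = build_port_index(original_table)
    snapshot = build_port_index(snapshot_table)
    unknown = [ip for ip in alert["ips"] if ip not in original]
    if not unknown:
        return None                         # only known hosts: not treated as an attack
    ports = Counter(snapshot[ip] for ip in unknown if ip in snapshot)
    if not ports:
        return None                         # unknown IPs not in any current flow
    port, count = ports.most_common(1)[0]
    return {"attack": alert["flag"], "unknown_ips": unknown, "block_port": port, "flows": count}

def mitigate(decision, bridge="br0"):
    """Slide 18: the ovs-ofctl command that drops everything entering on the attack
    port. The bridge name is an assumption of this example."""
    return f'ovs-ofctl add-flow {bridge} "priority=100,in_port={decision["block_port"]},actions=drop"'

def run(lines=ALERT_LINES):
    """Monitor -> correlator -> mitigation, returning (decision, command) pairs."""
    decisions = []
    for alert in monitor(lines):
        d = correlate(alert, ORIGINAL_FLOW_TABLE, SNAPSHOT_FLOW_TABLE)
        if d:
            decisions.append((d, mitigate(d)))
    return decisions

if __name__ == "__main__":
    for decision, cmd in run():
        print(decision["attack"], "from port", decision["block_port"], "->", cmd)
```

Two design points carry over to the real lab. The monitor only sends the IPs from the second that crossed the threshold, so the correlator never has to rescan the whole log. And the correlator blocks a port rather than a list of IPs, since spoofed sources change on every packet while the ingress port of the attacker does not; the cost, as slide 19 notes, is that legitimate traffic on that port is dropped too.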

19 Role of SDN in Implementation
Duplicate flows
Flow table information detects attacker
Drop flows to mitigate
Duplication is implemented with Mirroring
We may mitigate real traffic – flash crowd
Deep packet inspection
Second chance

20 Questions? Let’s experiment!
