Guide to Network Defense and Countermeasures, Second Edition
Chapter 4: Network Traffic Signatures
Objectives
• Describe the concepts of signature analysis
• Detect normal and suspicious traffic signatures
• Identify suspicious events
• Explain the Common Vulnerabilities and Exposures (CVE) standard
Understanding Signature Analysis
• Signature – set of characteristics used to define a
type of network activity
• Intrusion detection devices
– Some devices assemble a database of “normal” traffic signatures (anomaly-based detection)
• Deviations from the normal baseline trigger an alarm
– Other devices refer to a database of well-known attack signatures (signature-based detection)
• Traffic that matches a stored signature triggers an alarm
– Both approaches produce false positives (alarms on legitimate traffic) and false negatives (attacks that raise no alarm); tuning one down tends to push the other up
Understanding Signature Analysis (continued)
• Signature analysis
– Analyzes and understands TCP/IP communications
– Determines whether they are legitimate or suspicious
• Bad header information
– A common way in which packets are altered
– Suspicious signatures can include malformed:
• Source and destination IP address
• Source and destination port number
• IP options, protocol number and checksums
• IP fragmentation flags, offset, or identification
Understanding Signature Analysis (continued)
• Bad header information
– Checksum
• Simple error-checking procedure: a mathematical formula (a one's-complement sum of the header words) computed by the sender and recomputed by the receiver
• Detects a message damaged in transit; it does not by itself detect tampering, because anyone who rewrites a header can recompute a valid checksum
• A checksum that fails to verify therefore means corruption or a carelessly crafted packet; a checksum that verifies proves nothing about who sent it
• Suspicious data payload
– Payload
• Actual data sent from an application on one computer to an application on another
– Some IDSs check for specific strings in the payload
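The checksum procedure described above, as an added example that is not part of the textbook: an implementation of the RFC 1071 Internet checksum used by the IPv4 header (and by TCP, UDP and ICMP), with a constructed header that verifies, a copy damaged in transit that fails, and a copy whose source address an attacker rewrote and re-summed, which verifies again. Addresses and field values are made up for the example; only the checksum rule is from the protocol.

```python
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_header(src: str, dst: str, proto: int = 6, total_len: int = 40) -> bytes:
    """Constructed 20-byte IPv4 header (no options) carrying a correct checksum."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    return header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]


def header_checksum_ok(header: bytes) -> bool:
    """An intact header sums to zero when its stored checksum is included in the sum."""
    return internet_checksum(header) == 0


def corrupt_ttl(header: bytes) -> bytes:
    """Simulate a transit error: flip one bit of the TTL byte (offset 8), checksum untouched."""
    return header[:8] + bytes([header[8] ^ 0x01]) + header[9:]


def spoof_source(header: bytes, new_src: str) -> bytes:
    """What an attacker does: rewrite the source address, then recompute the checksum
    so the forged header verifies exactly like a genuine one."""
    edited = header[:10] + b"\x00\x00" + ip_to_bytes(new_src) + header[16:]
    return edited[:10] + struct.pack("!H", internet_checksum(edited)) + edited[12:]


if __name__ == "__main__":
    genuine = build_ipv4_header("192.0.2.10", "198.51.100.5")
    print("genuine verifies:", header_checksum_ok(genuine))
    print("damaged verifies:", header_checksum_ok(corrupt_ttl(genuine)))
    print("spoofed verifies:", header_checksum_ok(spoof_source(genuine, "10.0.0.1")))
```

The last call is the point of the slide's caveat: the spoofed header passes the same verification as the genuine one, so a correct checksum is a sign of an intact packet, not of an honest sender.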
Understanding Signature Analysis (continued)
• Suspicious data payload
– Known attacks
• Hack’a’Tack Trojan program
• Flaw in the UNIX Sendmail program
• Single-Packet Attacks
– Also called “atomic attacks”
– Completed by sending a single network packet from the attacker to the target host
– Does not need a connection to be established, so there is no handshake for the IDS to correlate
– Malformed IP option settings in one such packet can cause a vulnerable TCP/IP stack to freeze or crash
Understanding Signature Analysis (continued)
• Multiple-Packet Attacks
– Also called “composite attacks”
– Require a series of packets to be received and processed for the attack to be completed
– Harder to detect: the IDS must keep state across packets and flows instead of judging each packet on its own
– Denial-of-service (DoS) attacks are obvious examples
• ICMP flood
Capturing Packets
• Packet sniffer
– Software or hardware that monitors traffic going into
or out of a network device
– Captures information about each TCP/IP packet it
detects
– Capturing packets and studying them can help you
better understand what makes up a signature
Capturing Packets (continued)
• Packet sniffer
– Examples
• Snort (in sniffer mode)
• Ethereal (now called Wireshark)
• Tcpdump
Detecting Traffic Signatures
• Need to detect whether traffic is normal or
suspicious
• Network baselining
– Process of recording what is normal for your network (hosts, protocols, ports, volumes, times of day) before you can identify anomalies
Normal Traffic Signatures
• TCP flags (bit value within the flags byte)
– SYN (0x2)
– ACK (0x10)
– PSH (0x8)
– URG (0x20)
– RST (0x4)
– FIN (0x1)
– Two high-order bits (0x40 and 0x80), originally reserved and now assigned to the ECN flags ECE and CWR
• The placement and use of these flags within a connection are well defined
– Deviations from normal use mean that the communication is suspicious
Normal Traffic Signatures (continued)
• Ping signatures
– An ICMP echo request answered by an ICMP echo reply; the sequence of packets is shown in the following slides (figures not reproduced in this transcript)
Normal Traffic Signatures (continued)
• FTP signatures
– The sequence of packets is shown in the following slides (figures not reproduced in this transcript)
– Normal connection signature begins with a TCP three-way handshake (SYN, SYN/ACK, ACK)
Normal Traffic Signatures (continued)
• Web signatures
– Most of the signatures in log files are Web related
– Normal communication consists of a sequence of packets distinguished by their TCP flags: the handshake, data segments carrying PSH/ACK, then a FIN/ACK teardown
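Added example (not from the textbook): a small flow tracker that follows the TCP flag sequence of a normal web session through handshake, data and teardown, and labels as orphaned any packet belonging to a flow it never saw a SYN for (the “orphaned packets” of the chapter summary, which is also what an ACK-scan probe looks like). The packets are constructed in the code using documentation address ranges; the state names are the usual TCP ones.

```python
from dataclasses import dataclass

# TCP flag bits as listed on the slides
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def flag_names(flags: int) -> str:
    names = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]
    return "/".join(n for bit, n in names if flags & bit) or "none"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flow_key(p: Packet):
    """Direction-independent key so both halves of a conversation share one state entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)


class FlowTracker:
    """Follows each TCP flow through handshake, data and teardown and labels every packet.
    A packet for a flow with no recorded SYN is reported as orphaned."""

    def __init__(self):
        self.state = {}

    def observe(self, p: Packet) -> str:
        key = flow_key(p)
        st = self.state.get(key, "NONE")
        f = p.flags
        if st == "NONE":
            if f & SYN and not f & ACK:
                self.state[key] = "SYN_SENT"
                return "handshake: SYN"
            return "ORPHANED: %s with no prior SYN" % flag_names(f)
        if st == "SYN_SENT":
            if f & SYN and f & ACK:
                self.state[key] = "SYN_RECEIVED"
                return "handshake: SYN/ACK"
            if f & RST:
                del self.state[key]
                return "refused: RST"
            if f & SYN:
                return "handshake: SYN (retransmit)"
        if st == "SYN_RECEIVED" and f & ACK and not f & SYN:
            self.state[key] = "ESTABLISHED"
            return "handshake: ACK (established)"
        if st == "ESTABLISHED":
            if f & RST:
                del self.state[key]
                return "teardown: RST"
            if f & FIN:
                self.state[key] = "CLOSING"
                return "teardown: FIN"
            return "data: %s" % flag_names(f)
        if st == "CLOSING":
            if f & FIN:
                self.state[key] = "LAST_ACK"
                return "teardown: FIN"
            return "teardown: ACK"
        if st == "LAST_ACK":
            del self.state[key]
            return "teardown: final ACK (closed)"
        return "UNEXPECTED: %s in state %s" % (flag_names(f), st)


# Constructed sample: one normal web session, then a stray ACK probe from another host.
CLIENT, SERVER, STRANGER = "192.0.2.10", "198.51.100.5", "203.0.113.7"
SAMPLE = [
    Packet(CLIENT, 51000, SERVER, 80, SYN),
    Packet(SERVER, 80, CLIENT, 51000, SYN | ACK),
    Packet(CLIENT, 51000, SERVER, 80, ACK),
    Packet(CLIENT, 51000, SERVER, 80, PSH | ACK),    # GET request
    Packet(SERVER, 80, CLIENT, 51000, PSH | ACK),    # response
    Packet(CLIENT, 51000, SERVER, 80, FIN | ACK),
    Packet(SERVER, 80, CLIENT, 51000, ACK),
    Packet(SERVER, 80, CLIENT, 51000, FIN | ACK),
    Packet(CLIENT, 51000, SERVER, 80, ACK),
    Packet(STRANGER, 4444, SERVER, 80, ACK),         # ACK with no handshake: orphaned
]


def label_sample(packets=SAMPLE):
    tracker = FlowTracker()
    return [tracker.observe(p) for p in packets]
```

Running label_sample() shows the normal signature as a readable sequence of labels, and the final packet stands out because no SYN for that source and port was ever seen.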
Suspicious traffic signatures
• Categories
– Informational
• Traffic might not be malicious
– Reconnaissance
• Attacker’s attempt to gain information
– Unauthorized access
• Traffic caused by someone who has gained
unauthorized access
– Denial of service
• Traffic might be part of a more complex attack
Suspicious traffic signatures (continued)
• Ping sweeps
– Also called an ICMP sweep
– Used by attackers to find out which hosts in an address range are live
– Attacker sends a series of ICMP echo request packets to a range of IP addresses
– A ping sweep alone does no harm; it is reconnaissance that usually precedes a port scan
Suspicious traffic signatures (continued)
• Port scans
– Attempt to connect to a computer’s ports to see
whether any are active and listening
– Signature typically includes a SYN packet sent to
each port
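Added example covering both the ping sweep and the port scan slides (not from the textbook): the same fan-out test, counting how many distinct targets one source touches inside a time window, detects both, with the target being a host for a sweep and a port for a scan. The flow records are constructed for the example in a simple whitespace format, not real tcpdump output, and the thresholds (five hosts or five ports within ten seconds) are assumptions to be tuned against your own baseline.

```python
from collections import defaultdict

# Constructed flow records (not from a real capture):
# timestamp  protocol  source  destination  destination-port  flags
# For ICMP the port is 0 and the flags column carries the message type;
# for TCP the flags column uses tcpdump letters (S=SYN, A=ACK, P=PSH, F=FIN, R=RST).
SAMPLE_LOG = """\
1000.00 icmp 203.0.113.7 192.0.2.1 0 echo-request
1000.05 icmp 203.0.113.7 192.0.2.2 0 echo-request
1000.10 icmp 203.0.113.7 192.0.2.3 0 echo-request
1000.15 icmp 203.0.113.7 192.0.2.4 0 echo-request
1000.20 icmp 203.0.113.7 192.0.2.5 0 echo-request
1000.25 icmp 203.0.113.7 192.0.2.6 0 echo-request
1000.30 icmp 203.0.113.7 192.0.2.7 0 echo-request
1000.35 icmp 203.0.113.7 192.0.2.8 0 echo-request
1000.40 icmp 192.0.2.10 192.0.2.1 0 echo-request
1001.40 icmp 192.0.2.10 192.0.2.1 0 echo-request
1002.40 icmp 192.0.2.10 192.0.2.1 0 echo-request
1003.40 icmp 192.0.2.10 192.0.2.1 0 echo-request
1005.00 tcp 203.0.113.9 192.0.2.5 21 S
1005.01 tcp 203.0.113.9 192.0.2.5 22 S
1005.02 tcp 203.0.113.9 192.0.2.5 23 S
1005.03 tcp 203.0.113.9 192.0.2.5 25 S
1005.04 tcp 203.0.113.9 192.0.2.5 80 S
1005.05 tcp 203.0.113.9 192.0.2.5 110 S
1005.06 tcp 203.0.113.9 192.0.2.5 143 S
1005.07 tcp 203.0.113.9 192.0.2.5 443 S
1006.00 tcp 192.0.2.10 198.51.100.5 80 S
1006.01 tcp 198.51.100.5 192.0.2.10 51000 SA
1006.02 tcp 192.0.2.10 198.51.100.5 80 A
1009.00 tcp 192.0.2.10 198.51.100.5 443 S
"""


def parse_records(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport, flags = line.split()
        records.append({"ts": float(ts), "proto": proto, "src": src, "dst": dst,
                        "dport": int(dport), "flags": flags})
    return records


def fan_out_alerts(events, min_distinct, window):
    """events: (timestamp, key, value). For each key, find the largest number of distinct
    values seen inside any window of the given length and report keys reaching min_distinct.
    One test serves sweeps (key=source, value=target host) and scans (key=source+target, value=port)."""
    by_key = defaultdict(list)
    for ts, key, value in events:
        by_key[key].append((ts, value))
    alerts = {}
    for key, evs in by_key.items():
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):
            distinct = {v for ts, v in evs[i:] if ts - start <= window}
            best = max(best, len(distinct))
        if best >= min_distinct:
            alerts[key] = best
    return alerts


def detect_ping_sweeps(records, min_hosts=5, window=10.0):
    events = [(r["ts"], r["src"], r["dst"]) for r in records
              if r["proto"] == "icmp" and r["flags"] == "echo-request"]
    return fan_out_alerts(events, min_hosts, window)


def detect_port_scans(records, min_ports=5, window=10.0):
    # SYN-only segments are connection attempts; replies and established traffic carry ACK.
    events = [(r["ts"], (r["src"], r["dst"]), r["dport"]) for r in records
              if r["proto"] == "tcp" and r["flags"] == "S"]
    return fan_out_alerts(events, min_ports, window)
```

The repeated pings from 192.0.2.10 to one host and its two browsing connections stay below the thresholds, while the sweep and the eight-port scan are reported with their fan-out counts. Attackers defeat this kind of test by spreading probes out in time (the “waiting intervals” mentioned later in the chapter), which is why the window is a tunable.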
Suspicious traffic signatures (continued)
• Random back door scan
– Probes a computer to see if any ports are open and
listening that are used by well-known Trojan programs
– Trojan programs
• Applications that seem to be harmless but can cause
harm to a computer or its files
Suspicious traffic signatures (continued)
• Specific Trojan scans
– Port scans can be performed in several ways
– Vanilla scan
• Probes all ports from 0 to 65,535
– Strobe scan
• Probes only ports commonly used by specific programs
• Can be used to detect whether a Trojan program is
already installed and running
Suspicious traffic signatures (continued)
• Nmap scans
– Network mapper (Nmap)
• Popular software tool for scanning networks
– Some Nmap scan types use unusual flag combinations or timing to slip past IDS monitoring
– Examples of Nmap scans
• SYN scan (half-open: SYN, then RST after the SYN/ACK, so no connection completes)
• FIN scan (FIN with no ACK; closed ports answer RST, open ports stay silent)
• ACK scan (maps firewall rules from which probes draw an RST)
• Null scan (no flags set at all)
Identifying Suspicious Events
• Attackers avoid launching well-known attacks in their textbook form
– Slow scans with waiting intervals between packets so that threshold-based detection never fires
• Reviewing log files manually can be overwhelming
– You must still check them and identify potential attacks
• You can use IDSs to help you with this task
– IDSs depend on extensive, regularly updated databases of attack signatures
Packet Header Discrepancies
• Falsified IP address
– Attacker can insert a false source address into the IP header
• Makes the packet more difficult to trace back
– Also known as IP spoofing
• Falsified port number or protocol
– Port numbers and the IP protocol number can also be altered to values that make no sense for the traffic
• Illegal TCP flags
– Look at the TCP flags for violations of normal usage
– Examples of SYN and FIN flag misuse (a segment cannot both open and close a connection)
• SYN/FIN
• SYN/FIN/PSH, SYN/FIN/RST, SYN/FIN/RST/PSH
Packet Header Discrepancies (continued)
• TCP or IP options
– TCP options can alert you to an attack
• Only one MSS option should appear in a segment
• MSS and SackOK are negotiated during the handshake, so they should appear only in segments with the SYN flag set (SYN and SYN/ACK); NOP is padding and may appear anywhere
• TCP headers carry reserved bits that should be zero (the two high-order flag bits are now the ECN flags and are set only between ECN-capable hosts)
– IP options
• Originally intended as ways to insert special handling instructions into packets (source routing, record route, timestamps)
• Rarely used legitimately today; attackers mostly use IP options for attack attempts, so many sites drop packets that carry them
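Added example (not from the textbook) that checks a raw IPv4+TCP packet for the header discrepancies described on this and the previous slide: a spoofed loopback source, a land attack (source equals destination), illegal SYN/FIN and SYN/RST combinations, null and FIN probes, reserved bits, and TCP options that are duplicated or appear outside a SYN. The packets are constructed in the code, and the list of expected IP protocols (ICMP, TCP, UDP) is an assumption about the monitored network.

```python
import ipaddress
import struct

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
MSS, SACK_OK = 2, 4   # TCP option kinds (EOL is 0, NOP is 1)


def parse_tcp_options(raw):
    """Walk the TCP option area; returns (kind, value) pairs or a ('malformed', ...) marker."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # EOL ends the list
            break
        if kind == 1:                      # NOP is a single byte of padding
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            opts.append(("malformed", raw[i:]))
            break
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def header_anomalies(packet):
    """Return the list of header discrepancies found in one IPv4 (+TCP) packet."""
    findings = []
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    if src.is_loopback:
        findings.append("loopback source address (localhost spoof)")
    if proto not in (1, 6, 17):            # assumption: this network uses only ICMP, TCP, UDP
        findings.append("unexpected IP protocol number %d" % proto)
    if proto != 6:
        return findings
    tcp = packet[ihl:]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0xFF
    reserved = (off_flags >> 8) & 0x0F     # the bits between data offset and CWR
    if src == dst and sport == dport:
        findings.append("source equals destination (land attack)")
    if flags & SYN and flags & FIN:
        findings.append("illegal SYN/FIN combination")
    if flags & SYN and flags & RST:
        findings.append("illegal SYN/RST combination")
    if (flags & 0x3F) == 0:
        findings.append("no flags set (null scan)")
    if flags & FIN and not flags & (ACK | SYN):
        findings.append("FIN without ACK (FIN scan probe)")
    if reserved:
        findings.append("reserved TCP header bits set")
    if flags & (ECE | CWR):
        findings.append("ECE/CWR set (formerly reserved; legitimate only for ECN-capable peers)")
    kinds = [k for k, _ in parse_tcp_options(tcp[20:data_off])]
    if "malformed" in kinds:
        findings.append("malformed TCP option")
    if kinds.count(MSS) > 1:
        findings.append("more than one MSS option")
    if (MSS in kinds or SACK_OK in kinds) and not flags & SYN:
        findings.append("MSS/SackOK option in a segment without SYN")
    return findings


def build_packet(src, dst, sport, dport, flags, options=b"", proto=6):
    """Constructed IPv4+TCP packet for testing (checksums left zero; not what is checked here)."""
    options += b"\x00" * (-len(options) % 4)
    data_off = 5 + len(options) // 4
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (data_off << 12) | flags, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


# Normal SYN carrying MSS 1460, SackOK and two NOPs: all legal in a SYN
NORMAL_SYN = build_packet("192.0.2.10", "198.51.100.5", 51000, 80, SYN,
                          b"\x02\x04\x05\xb4\x04\x02\x01\x01")
SYN_FIN_PROBE = build_packet("203.0.113.7", "198.51.100.5", 4444, 80, SYN | FIN)
NULL_SCAN = build_packet("203.0.113.7", "198.51.100.5", 4444, 80, 0)
LAND_ATTACK = build_packet("198.51.100.5", "198.51.100.5", 139, 139, SYN)
MSS_IN_DATA = build_packet("203.0.113.7", "198.51.100.5", 4444, 80, PSH | ACK, b"\x02\x04\x05\xb4")
LOCALHOST_SPOOF = build_packet("127.0.0.1", "198.51.100.5", 1023, 111, SYN)
```

Each constructed packet produces exactly one finding, and the normal SYN produces none; the same function run over a capture gives a quick first pass over the discrepancies this slide lists.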
Packet Header Discrepancies (continued)
• Fragmentation abuses
– Maximum transmission unit (MTU)
• Largest packet size that can be transmitted over a network link
– Packets larger than the MTU must be fragmented
• Broken into multiple fragments small enough for the link to handle; the receiver reassembles them using the identification field, the fragment offset and the more-fragments flag
– Fragmentation abuses
• Overlapping fragments
• Fragments that are too long (the reassembled datagram would exceed 65,535 bytes) or too small (a tiny first fragment that splits the TCP header across fragments)
• Fragments overwriting data already received, so the host reassembles something different from what the IDS inspected
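Added example (not from the textbook): a reassembly check that takes the fragments of one datagram and reports the abuses listed above, returning the reassembled payload only when the set is clean. The fragment sets are constructed in the code; the 16-byte minimum for a first fragment is a local policy value, not a protocol limit.

```python
MAX_DATAGRAM = 65535


def check_fragments(frags, min_first_fragment=16):
    """frags: list of (fragment_offset_in_8_byte_units, more_fragments, payload_bytes),
    all sharing one IP identification. Returns (anomalies, reassembled_payload_or_None).
    min_first_fragment is a policy value: a first fragment smaller than this cannot carry
    a whole TCP header, which is how tiny-fragment evasion hides ports from a filter."""
    anomalies = []
    written = {}            # absolute byte position -> byte value
    last_end = None
    for off_units, more, payload in sorted(frags, key=lambda f: f[0]):
        start = off_units * 8
        end = start + len(payload)
        if more and len(payload) % 8:
            anomalies.append("non-final fragment at %d has length %d, not a multiple of 8"
                             % (start, len(payload)))
        if off_units == 0 and more and len(payload) < min_first_fragment:
            anomalies.append("tiny first fragment (%d bytes) splits the transport header" % len(payload))
        if end > MAX_DATAGRAM:
            anomalies.append("fragment at %d ends at %d, past the %d-byte IP maximum"
                             % (start, end, MAX_DATAGRAM))
        overlap = [pos for pos in range(start, end) if pos in written]
        if overlap:
            conflicting = any(written[pos] != payload[pos - start] for pos in overlap)
            anomalies.append("fragment at %d overlaps %d received bytes%s"
                             % (start, len(overlap), " with different data" if conflicting else ""))
        for i, b in enumerate(payload):
            written[start + i] = b          # last writer wins, as many stacks behave
        if not more:
            last_end = end
    if last_end is None:
        anomalies.append("no final fragment (more-fragments bit never cleared)")
        return anomalies, None
    missing = [pos for pos in range(last_end) if pos not in written]
    if missing:
        anomalies.append("datagram incomplete: %d bytes never received" % len(missing))
    if anomalies:
        return anomalies, None
    return anomalies, bytes(written[pos] for pos in range(last_end))


# Constructed fragment sets (not from a real capture)
CLEAN = [(0, True, b"A" * 16), (2, True, b"B" * 16), (4, False, b"C" * 10)]
# The second fragment rewrites bytes 8..15 of the first: the host keeps something the IDS never saw
OVERWRITE = [(0, True, b"GET /index.html "), (1, False, b"/../../etc/passwd HTTP/1.0")]
TINY_FIRST = [(0, True, b"\x00\x50\x00\x50\x00\x00\x00\x01"), (1, False, b"rest of TCP header")]
PING_OF_DEATH = [(8189, False, b"Z" * 48)]   # ends at byte 65560
```

Only the clean set reassembles; the overwrite case is the classic way to slip a request past an IDS that inspects fragments in arrival order, and the oversized case is the ping-of-death pattern, which an IDS can flag from offset and length alone without waiting for the whole datagram.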
Advanced Attacks
• Advanced IDS evasion techniques
– Polymorphic buffer overflow attack
• Uses a tool called ADMutate
• Encodes an attack’s shellcode so that it no longer matches the byte signature many IDSs look for
• A small decoder stub prepended to the payload restores the original shellcode once it runs on the target
– Path obfuscation
• Directory path in the payload is obfuscated by using multiple forward slashes or “.” and “..” segments
• Alternatively, it can use an overlong UTF-8 encoding of the forward slash, %c0%af, which some servers decoded as “/” even though it is not a valid encoding
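Added example (not from the textbook) showing why a signature must be matched against the normalised path rather than the raw request: a naive substring match misses a FormMail request hidden behind repeated slashes, percent-encoding, dot segments or the overlong %c0%af slash, while the same signature matches after canonicalisation. The signature list uses the CGI names from the next slide plus the classic traversal target; the request paths are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Request-path signatures a simple IDS might use (lower-case substrings)
SIGNATURES = ["/cgi-bin/formmail", "/cgi-bin/count.cgi", "/cgi-bin/php.cgi",
              "/winnt/system32/cmd.exe"]


def decode_lenient_utf8(data):
    """Decode UTF-8 the permissive way some old servers did: accept overlong encodings such as
    C0 AF for '/', but report that one was seen. Returns (text, saw_overlong)."""
    out, overlong, i = [], False, 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            overlong |= cp < 0x80          # a 2-byte form of an ASCII value is overlong
            out.append(chr(cp))
            i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < len(data) and all(0x80 <= c <= 0xBF for c in data[i + 1:i + 3]):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            overlong |= cp < 0x800
            out.append(chr(cp))
            i += 3
        else:
            out.append("\ufffd")           # invalid byte, keep going
            i += 1
    return "".join(out), overlong


def normalize_path(raw_path):
    """Canonicalise a request path the way the target would before matching signatures."""
    notes = []
    decoded, overlong = decode_lenient_utf8(unquote_to_bytes(raw_path))
    if overlong:
        notes.append("overlong UTF-8 escape")
    if decoded != raw_path:
        notes.append("percent-encoded characters")
    if "//" in decoded:
        notes.append("repeated slashes")
    segments = re.sub(r"/+", "/", decoded).split("/")
    if "." in segments or ".." in segments:
        notes.append("dot segments")
    parts = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                notes.append("traversal above web root")
            continue
        parts.append(seg)
    return "/" + "/".join(parts), notes


def naive_match(raw_path):
    """What a signature engine without normalisation sees."""
    return [s for s in SIGNATURES if s in raw_path.lower()]


def normalized_match(raw_path):
    """Match after canonicalisation; also returns the obfuscation notes, which are evidence in themselves."""
    path, notes = normalize_path(raw_path)
    return [s for s in SIGNATURES if s in path.lower()], notes
```

The notes list is worth alerting on by itself: legitimate clients almost never send overlong escapes or “..” above the web root, so the obfuscation is a signature even when the target script is not.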
Advanced Attacks (continued)
• Advanced IDS evasion techniques
– Common Gateway Interface (CGI) scripts
• Programs a Web server runs to process data submitted over the Internet
• Widely deployed CGI programs with known flaws are a favourite target, so requests for them (often obfuscated) are common attack signatures
• Examples
– Count.cgi
– FormMail
– AnyForm
– Php.cgi
– TextCounter
– GuestBook
Remote Procedure Calls
• Remote Procedure Call (RPC)
– Standard set of communication rules
– Allows one computer to request a service from
another computer on a network
• Portmapper
– Maintains a record of each remotely accessible RPC program and the port it uses
– Converts RPC program numbers into TCP/IP port numbers for clients; it listens on port 111, so attackers query it first to learn which RPC services are running
Remote Procedure Calls (continued)
• RPC-related security events
– RPC dump
• Targeted host receives an RPC dump request (what rpcinfo -p sends), asking the portmapper to list every registered program and port
– RPC set spoof
• Targeted host receives an RPC set request (registering a service) from a source IP address of 127.x.x.x, which could only be legitimate if it came from the host itself
– RPC NFS sweep
• Targeted host receives a series of requests for the Network File System (NFS) on different ports
Using the Common Vulnerabilities and Exposures (CVE) Standard
• Make sure your security devices share information and coordinate with one another
– Each device uses its own “language” to name the vulnerabilities it detects
• Common Vulnerabilities and Exposures (CVE)
– A standard naming scheme, one identifier per publicly known vulnerability, that lets devices and their operators refer to the same problem by the same name
How the CVE Works
• CVE gives hardware and software security devices a common set of names to draw on, so a scanner finding and an IDS alert about the same vulnerability can be matched
• Benefits
– Stronger security, because gaps between tools become visible
– Better performance when correlating events across tools, since no translation between vendor-specific names is needed
Scanning CVE Vulnerability Descriptions
• Can view current CVE entries online
– And even download the list
• The CVE list is a dictionary of identifiers, not a vulnerability database or signature set that can be loaded directly into an IDS
• Information in a CVE entry
– Name (the CVE identifier)
– Short description
– References to the same issue in other databases and advisories
• Such as BUGTRAQ
Summary
• Interpreting network traffic signatures
– Can help prevent network intrusions
• Analysis of traffic signatures
– Integral aspect of intrusion prevention
• Possible intrusions are marked by invalid header settings and flag combinations
• Packet sniffers
– Capture packets
• Learn what normal traffic signatures look like
– Help identify signatures of suspicious connection
attempts
Summary (continued)
• Suspicious network events
– “Orphaned” packets
– Land attacks
– Localhost source spoof
– Falsified protocol numbers
– Illegal combinations of TCP flags
• Advanced attacks
– Difficult to detect without a database of intrusion
signatures or user behaviors
Summary (continued)
• Advanced attack methods include
– Exploiting CGI vulnerabilities
– Misusing Remote Procedure Calls
• Common Vulnerabilities and Exposures (CVE)
– Gives security devices a common vocabulary for network vulnerabilities so that they can share and correlate information