Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Asynchronous Transfer Mode wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Zero-configuration networking wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Computer network wikipedia , lookup
Distributed firewall wikipedia , lookup
Deep packet inspection wikipedia , lookup
List of wireless community networks by region wikipedia , lookup
Airborne Networking wikipedia , lookup
Guide to Network Defense and Countermeasures Second Edition Chapter 4 Network Traffic Signatures Objectives • • • • Describe the concepts of signature analysis Detect normal and suspicious traffic signatures Identify suspicious events Explain the Common Vulnerabilities and Exposures (CVE) standard Guide to Network Defense and Countermeasures, Second Edition 2 Understanding Signature Analysis • Signature – set of characteristics used to define a type of network activity • Intrusion detection devices – Some devices assemble databases of “normal” traffic signatures • Deviations from normal signatures trigger an alarm – Other devices refer to a database of well-known attack signatures • Traffic that matches stored signatures triggers an alarm – They deal with false positives and false negatives Guide to Network Defense and Countermeasures, Second Edition 3 Understanding Signature Analysis (continued) • Signature analysis – Analyzes and understands TCP/IP communications – Determines whether they are legitimate or suspicious • Bad header information – Common way in which packets are altered – Suspicious signatures can include malformed • • • • Source and destination IP address Source and destination port number IP options, protocol and checksums IP fragmentation flags, offset, or identification Guide to Network Defense and Countermeasures, Second Edition 4 Understanding Signature Analysis (continued) • Bad header information – Checksum • Simple error-checking procedure • Determines whether a message has been damaged or tampered with while in transit • Uses a mathematical formula • Suspicious data payload – Payload • Actual data sent from an application on one computer to an application on another – Some IDSs check for specific strings in the payload Guide to Network Defense and Countermeasures, Second Edition 5 Understanding Signature Analysis (continued) • Suspicious data payload – Known attacks • Hack’a’Tack Trojan program • Flaw in the UNIX Sendmail program • Single-Packet Attacks – Also called “atomic attacks” – Completed by sending a single network packet from client to host – Does not need a connection to be established – Changes to IP option settings can cause a server to freeze up Guide to Network Defense and Countermeasures, Second Edition 6 Guide to Network Defense and Countermeasures, Second Edition 7 Understanding Signature Analysis (continued) • Multiple-Packet Attacks – Also called “composite attacks” – Require a series of packets to be received and executed for the attack to be completed – Especially difficult to detect – Denial-of-service (DoS) attacks are obvious examples • ICMP flood Guide to Network Defense and Countermeasures, Second Edition 8 Capturing Packets • Packet sniffer – Software or hardware that monitors traffic going into or out of a network device – Captures information about each TCP/IP packet it detects – Capturing packets and studying them can help you better understand what makes up a signature Guide to Network Defense and Countermeasures, Second Edition 9 Guide to Network Defense and Countermeasures, Second Edition 10 Guide to Network Defense and Countermeasures, Second Edition 11 Guide to Network Defense and Countermeasures, Second Edition 12 Capturing Packets (continued) • Packet sniffer – Examples • Snort • Ethereal • Tcpdump Guide to Network Defense and Countermeasures, Second Edition 13 Guide to Network Defense and Countermeasures, Second Edition 14 Detecting Traffic Signatures • Need to detect whether traffic is normal or suspicious • Network baselining – Process of determining what is normal for your network before you can identify anomalies Guide to Network Defense and Countermeasures, Second Edition 15 Normal Traffic Signatures • TCP flags – – – – – – – SYN (0x2) ACK (0x10) PSH (0x8) URG (0x20) RST (0x4) FIN (0x1) Numbers 1 and 2 • Placement and use of these flags are definite – Deviations from normal use mean that the communication is suspicious Guide to Network Defense and Countermeasures, Second Edition 16 Normal Traffic Signatures (continued) • Ping signatures – The sequence of packets is shown in the next slides Guide to Network Defense and Countermeasures, Second Edition 17 Guide to Network Defense and Countermeasures, Second Edition 18 Guide to Network Defense and Countermeasures, Second Edition 19 Normal Traffic Signatures (continued) • FTP signatures – The sequence of packets is shown in the next slides – Normal connection signature includes a three-way handshake Guide to Network Defense and Countermeasures, Second Edition 20 Guide to Network Defense and Countermeasures, Second Edition 21 Guide to Network Defense and Countermeasures, Second Edition 22 Normal Traffic Signatures (continued) • Web signatures – Most of the signatures in log files are Web related – Normal communication consists of a sequence of packets distinguished by their TCP flags Guide to Network Defense and Countermeasures, Second Edition 23 Guide to Network Defense and Countermeasures, Second Edition 24 Suspicious traffic signatures • Categories – Informational • Traffic might not be malicious – Reconnaissance • Attacker’s attempt to gain information – Unauthorized access • Traffic caused by someone who has gained unauthorized access – Denial of service • Traffic might be part of a more complex attack Guide to Network Defense and Countermeasures, Second Edition 25 Suspicious traffic signatures (continued) • Ping sweeps – Also called an ICMP sweep – Used by attackers to determine the location of a host – Attacker sends a series of ICMP echo request packets in a range of IP addresses – Ping sweep alone does not cause harm Guide to Network Defense and Countermeasures, Second Edition 26 Guide to Network Defense and Countermeasures, Second Edition 27 Suspicious traffic signatures (continued) • Port scans – Attempt to connect to a computer’s ports to see whether any are active and listening – Signature typically includes a SYN packet sent to each port Guide to Network Defense and Countermeasures, Second Edition 28 Guide to Network Defense and Countermeasures, Second Edition 29 Suspicious traffic signatures (continued) • Random back door scan – Probes a computer to see if any ports are open and listening that are used by well-known Trojan programs – Trojan programs • Applications that seem to be harmless but can cause harm to a computer or its files Guide to Network Defense and Countermeasures, Second Edition 30 Guide to Network Defense and Countermeasures, Second Edition 31 Guide to Network Defense and Countermeasures, Second Edition 32 Suspicious traffic signatures (continued) • Specific Trojan scans – Port scans can be performed in several ways – Vanilla scan • Probes all ports from 0 to 65,535 – Strobe scan • Probes only ports commonly used by specific programs • Can be used to detect whether a Trojan program is already installed and running Guide to Network Defense and Countermeasures, Second Edition 33 Guide to Network Defense and Countermeasures, Second Edition 34 Suspicious traffic signatures (continued) • Nmap scans – Network mapper (Nmap) • Popular software tool for scanning networks – Nmap scans can circumvent IDSs monitoring – Examples of Nmap scans • • • • SYN scan FIN scan ACK scan Null scan Guide to Network Defense and Countermeasures, Second Edition 35 Guide to Network Defense and Countermeasures, Second Edition 36 Identifying Suspicious Events • Attackers avoid launching well-known attacks – Use waiting intervals to fool detection systems • Reviewing log files manually can be overwhelming – Must check them and identify potential attacks • You can use IDSs to help you with this task – IDSs depend on extensive databases of attack signatures Guide to Network Defense and Countermeasures, Second Edition 37 Packet Header Discrepancies • Falsified IP address – Attacker can insert a false address into the IP header • Make the packet more difficult to trace back – Also known as IP spoofing • Falsified port number or protocol – Protocol numbers can also be altered • Illegal TCP flags – Look at the TCP flags for violations of normal usage – Examples of SYN and FIN flags misuse • SYN/FIN • SYN/FIN/PSH,SYN/FIN/RST,SYN/FIN/RST/PSH Guide to Network Defense and Countermeasures, Second Edition 38 Packet Header Discrepancies (continued) • TCP or IP options – TCP options can alert you of an attack • Only one MSS option should appear in a packet • MSS, NOP, and SackOK should appear only in packets that have the SYN and/or ACK flag set • TCP packets have two “reserved bits” – IP options • Originally intended as ways to insert special handling instructions into packets • Attackers mostly use IP options now for attack attempts Guide to Network Defense and Countermeasures, Second Edition 39 Packet Header Discrepancies (continued) • Fragmentation abuses – Maximum transmit unit (MTU) • Maximum packet size that can be transmitted over a network – Packets larger than the MTU must be fragmented • Broken into multiple segments small enough for the network to handle – Fragmentation abuses • Overlapping fragments • Fragments that are too long or too small • Fragments overwriting data Guide to Network Defense and Countermeasures, Second Edition 40 Advanced Attacks • Advanced IDS evasion techniques – Polymorphic buffer overflow attack • Uses a tool called ADMutate • Alter an attack’s shell code to differ from the known signature many IDSs use • Once packets reach the target, they reassemble into original form – Path obfuscation • Directory path in payload is obfuscated by using multiple forward slashes • Alternatively, it can use the Unicode equivalent of a forward slash, %co%af Guide to Network Defense and Countermeasures, Second Edition 41 Advanced Attacks (continued) • Advanced IDS evasion techniques – Common Gateway Interface (CGI) scripts • Scripts used to process data submitted over the Internet • Examples – Count.cgi – FormMail – AnyForm – Php.cgi – TextCounter – GuestBook Guide to Network Defense and Countermeasures, Second Edition 42 Remote Procedure Calls • Remote Procedure Call (RPC) – Standard set of communication rules – Allows one computer to request a service from another computer on a network • Portmapper – Maintains a record of each remotely accessible program and the port it uses – Converts RPC program numbers into TCP/IP port numbers Guide to Network Defense and Countermeasures, Second Edition 43 Remote Procedure Calls (continued) • RPC-related security events – RPC dump • Targeted host receives an RPC dump request – RPC set spoof • Targeted host receives an RPC set request from a source IP address of 127.x.x.x – RPC NFS sweep • Targeted host receives series of requests for the Network File System (NFS) on different ports Guide to Network Defense and Countermeasures, Second Edition 44 Using the Common Vulnerabilities and Exposures (CVE) Standard • Make sure your security devices share information and coordinate with one another – Each devices uses its own “language” • Common Vulnerabilities and Exposures (CVE) – Enables devices to share information using the same standard Guide to Network Defense and Countermeasures, Second Edition 45 How the CVE Works • CVE enables hardware and devices to draw from the same database of vulnerabilities • Benefits – Stronger security – Better performance Guide to Network Defense and Countermeasures, Second Edition 46 Guide to Network Defense and Countermeasures, Second Edition 47 Scanning CVE Vulnerabilities Descriptions • Can view current CVE vulnerabilities online – And even download the list • The CVE list is not a vulnerability database that can be used with an IDS • Information in a CVE reference – Name of the vulnerability – Short description – References to the event in other databases • Such as BUGTRAQ Guide to Network Defense and Countermeasures, Second Edition 48 Guide to Network Defense and Countermeasures, Second Edition 49 Summary • Interpreting network traffic signatures – Can help prevent network intrusions • Analysis of traffic signatures – Integral aspect of intrusion prevention • Possible intrusions are marked by invalid settings • Packet sniffers – Capture packets • Learn what normal traffic signatures look like – Help identify signatures of suspicious connection attempts Guide to Network Defense and Countermeasures, Second Edition 50 Summary (continued) • Suspicious network events – – – – – “Orphaned” packets Land attacks Localhost source spoof Falsified protocol numbers Illegal combinations of TCP flags • Advanced attacks – Difficult to detect without a database of intrusion signatures or user behaviors Guide to Network Defense and Countermeasures, Second Edition 51 Summary (continued) • Advanced attack methods include – Exploiting CGI vulnerabilities – Misusing Remote Procedure Calls • Common Vulnerabilities and Exposures (CVE) – Enables security devices to share attack signatures and information about network vulnerabilities Guide to Network Defense and Countermeasures, Second Edition 52