Post on 11-Jan-2016
1
“As news of data security breaches at high-profile companies keeps coming, so too does the need for security planning and management skills. IT security is one of the top 10 skills that will become "newly important" to companies in the next five years.” -- Kate Kaiser,
Associate Professor at Marquette University, quoted in “Hot Skills, Cold Skills”, ComputerWorld, July 17, 2006
2
“Companies employ 1.4 million IT security professionals worldwide. By 2010, that number will reach 2 million, an increase of almost 30%. U.S. companies will also increase spending on information security training by 16.4% annually through 2009.”
-- from a study by IDC on Security Workforce Trends, quoted in “Hot Skills, Cold Skills”, ComputerWorld, July 17, 2006
3
Certifications … 1
International Information Systems Security Certification Consortium, Inc. [(ISC)²]; https://www.isc2.org/:
  Certified Information Systems Security Professional (CISSP)
Information Systems Audit and Control Association (ISACA); http://www.isaca.org/:
  Certified Information Systems Auditor (CISA)
  Certified Information Security Manager (CISM)
4
Certifications … 2
Computing Technology Industry Association (CompTIA); http://www.comptia.org/:
  CompTIA Security+ Certification
  CompTIA Network+ Certification
  CompTIA A+ Certification
SysAdmin, Audit, Network, Security (SANS) Institute; http://www.sans.org/:
  Global Information Assurance Certification (GIAC)
5
Example 1: Telnet connection TCP Stimulus-Response
6
TCP stimulus – response: Example of tcpdump data for a telnet (port 23) application
Type 1: Normal system
Stimulus:
  abc.com.25020 > cde.com.telnet: S 2538567:2538567(0) win 4096 <mss 1480> (DF)
Response:
  cde.com.telnet > abc.com.25020: S 38849799:38849799(0) ack 2538568 win 4096 <mss 1480>
(S = SYN flag; 2538567:2538567(0) = starting sequence number with zero payload bytes; ack 2538568 acknowledges the SYN; win = advertised window; mss = maximum segment size option; DF = don't fragment.)
7
Anomalous cases: tcp-telnet example
Type 2: Destination not listening on the telnet port
For the same stimulus, the response is a Reset/Ack:
  cde.com.telnet > abc.com.25020: R 0:0(0) ack 2538568 win 0
Type 3: Destination host not available: Though the destination host has a registered DNS IP address, the host may currently be down, or it may be misconfigured so that it does not respond.
The response then comes not from cde.com but from the router to which the destination host's network is directly connected (assume its address is xxx.1):
8
Anomalous cases: tcp-telnet example continued
  xxx.1 > abc.com: icmp: host cde.com unreachable
Type 4: Destination port blocked by a filter, and the router says so explicitly:
  xxx.1 > abc.com: icmp: host cde.com unreachable – admin prohibited filter
Type 5: Destination port blocked – router is silenced. Many routers can be told not to generate ICMP unreachables at all (on Cisco IOS the interface command is ‘no ip unreachables’; the filter itself is the access list). The stimulus then gets no response, and the client retransmits the SYN until its maximum number of permitted attempts is reached. For the analyst, silence is the hardest case: it looks the same whether the port is filtered, the host is down, or the packet was simply lost.
9
Example 2: Windows tracert ICMP ECHO REQUEST-RESPONSE
10
Windows tracert: Consists of ICMP echo requests and ICMP echo replies. Example: for a final destination two hops away, the tcpdump output at the FIRST router, one hop from the source, is:
Stimulus:
  abc.com > cde.com: icmp: echo request [ttl 1]
Response:
  router1 > abc.com: icmp: time exceeded in transit
tracert sends the same stimulus three times (i.e. twice more) and gets the same response from the same router each time.
11
Windows tracert (continued): Thereafter it sends an echo request with TTL = 2:
  abc.com > cde.com: icmp: echo request
  cde.com > abc.com: icmp: echo reply
abc.com notes the round-trip time (RTT). The same message is sent twice more and the RTT is noted each time.
tracert then prints, for a maximum of 30 hops:
  1   129 ms   126 ms   130 ms   router1
  2   229 ms   124 ms   118 ms   cde.com
  Trace complete.
12
Example 3: UNIX traceroute UDP-ICMP PORT UNREACHABLE
13
UNIX traceroute: Sends UDP datagrams with increasing values of TTL, beginning with TTL = 1, to trace the route. The destination port normally lies in the 33000 to 33999 range (the classic BSD implementation starts at 33434 and increments the port for each probe). Such a port is normally not being listened on, so the destination returns an ICMP port unreachable message; that message is what tells traceroute it has reached the end of the path.
Note on tcpdump: by default it prints the TTL only when the value is 1, to warn of an impending problem.
14
Tcpdump output of traceroute:
For ttl = 1:
  abc.com.27822 > cde.com.33888: udp 12 (DF) [ttl 1]
  router1 > abc.com: icmp: time exceeded in transit
For ttl = 2:
  abc.com.27822 > cde.com.33889: udp 12 (DF)
  cde.com > abc.com: icmp: cde.com udp port 33889 unreachable (DF)
(ICMP has no ports, so tcpdump prints the ICMP reply as host > host; the port that was closed appears inside the message.)
Three similar probes are sent for each TTL value.
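Examples 1 to 3 are instances of one analyst's decision: given the stimulus and whatever came back (or nothing), what does that say about the target? The following Python, an added example that is not part of the original slides, encodes that decision for the tcpdump summary formats shown above and walks a traceroute-style probe sequence to its end. The sample lines are constructed to match the slides (router1 and xxx.1 are the slides' placeholder names), not real captures.

```python
"""Classifying tcpdump stimulus/response pairs.

Added example, not from the original slides.  It reads the classic tcpdump
summary-line formats that Examples 1-3 use and returns the analyst's verdict:
open port, closed port, filtered, host down, intermediate hop, destination
reached, or silence.  The sample lines at the bottom are constructed to match
the slides and are not real captures.
"""
import re
from typing import List, Optional, Tuple

# "src.port > dst.port: FLAGS ..."  (flags: S=SYN, R=RST, P=PUSH, F=FIN, .=none)
TCP_RE = re.compile(
    r"^(?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): (?P<flags>[SRPF.]+)")
# "src > dst: icmp: message"  (tcpdump prints no ports on an ICMP line)
ICMP_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): icmp: (?P<msg>.+)$")

# Verdicts, worded the way the slides describe each case.
OPEN = "open: SYN/ACK"
CLOSED = "closed: RST/ACK"
HOST_UNREACHABLE = "host down or unroutable: ICMP host unreachable from router"
ADMIN_PROHIBITED = "filtered: ICMP admin prohibited from router"
SILENT = "no response: silent filter, host down, or packet loss"
HOP = "intermediate hop: ICMP time exceeded"
PORT_CLOSED = "destination alive, UDP port closed: ICMP port unreachable"
ECHO_REPLY = "destination alive: ICMP echo reply"
UNKNOWN = "unclassified"

# Verdicts after which a probe sequence cannot go any further.
TERMINAL = (PORT_CLOSED, ECHO_REPLY, HOST_UNREACHABLE, ADMIN_PROHIBITED)


def classify(stimulus: str, response: Optional[str]) -> str:
    """Return the verdict for one stimulus and the response it provoked."""
    if response is None:
        return SILENT
    icmp = ICMP_RE.match(response)
    if icmp:
        msg = icmp.group("msg")
        # Order matters: "host X unreachable - admin prohibited filter"
        # contains both phrases, and the filter is the more specific reading.
        if "admin prohibited" in msg:
            return ADMIN_PROHIBITED
        if "time exceeded" in msg:
            return HOP
        if re.search(r"port \S+ unreachable", msg):
            return PORT_CLOSED
        if "host" in msg and "unreachable" in msg:
            return HOST_UNREACHABLE
        if "echo reply" in msg:
            return ECHO_REPLY
        return UNKNOWN
    stim, resp = TCP_RE.match(stimulus), TCP_RE.match(response)
    if stim and resp and "S" in stim.group("flags"):
        if "R" in resp.group("flags"):
            return CLOSED
        if "S" in resp.group("flags") and " ack " in response:
            return OPEN
    return UNKNOWN


def responder(response: Optional[str]) -> Optional[str]:
    """Host that sent an ICMP response (None for silence or non-ICMP)."""
    m = ICMP_RE.match(response) if response else None
    return m.group("src") if m else None


def walk_trace(pairs: List[Tuple[str, Optional[str]]]):
    """Follow a traceroute/tracert probe sequence (one pair per TTL value).

    Returns (hops, reached): hops is [(responder, verdict), ...] up to and
    including the first terminal answer; reached is True only if the
    destination itself answered (port unreachable or echo reply).
    """
    hops = []
    for stimulus, response in pairs:
        verdict = classify(stimulus, response)
        hops.append((responder(response), verdict))
        if verdict in TERMINAL:
            break
    reached = bool(hops) and hops[-1][1] in (PORT_CLOSED, ECHO_REPLY)
    return hops, reached


# Constructed sample lines (modelled on the slides, not real captures).
SYN = "abc.com.25020 > cde.com.telnet: S 2538567:2538567(0) win 4096 <mss 1480> (DF)"
SYNACK = "cde.com.telnet > abc.com.25020: S 38849799:38849799(0) ack 2538568 win 4096 <mss 1480>"
RST = "cde.com.telnet > abc.com.25020: R 0:0(0) ack 2538568 win 0"
HOST_DOWN = "xxx.1 > abc.com: icmp: host cde.com unreachable"
FILTERED = "xxx.1 > abc.com: icmp: host cde.com unreachable - admin prohibited filter"

UNIX_TRACEROUTE = [
    ("abc.com.27822 > cde.com.33888: udp 12 (DF) [ttl 1]",
     "router1 > abc.com: icmp: time exceeded in transit"),
    ("abc.com.27822 > cde.com.33889: udp 12 (DF)",
     "cde.com > abc.com: icmp: cde.com udp port 33889 unreachable (DF)"),
]
WINDOWS_TRACERT = [
    ("abc.com > cde.com: icmp: echo request [ttl 1]",
     "router1 > abc.com: icmp: time exceeded in transit"),
    ("abc.com > cde.com: icmp: echo request",
     "cde.com > abc.com: icmp: echo reply"),
]

if __name__ == "__main__":
    for resp in (SYNACK, RST, HOST_DOWN, FILTERED, None):
        print(f"{str(resp)[:40]:40} -> {classify(SYN, resp)}")
    print(walk_trace(UNIX_TRACEROUTE))
    print(walk_trace(WINDOWS_TRACERT))
```

The same decision table serves for any UDP probe, which is why a later slide can use UDP to port 53 as a "sneaky traceroute": a port unreachable still means the host is up, and a host unreachable from the last router still means it is not.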
15
Example 4: FTP PROCEDURE TCP
16
FTP Procedure:
Active FTP (21: command port; 20: data port)
Step 1: The FTP client initiates a connection to the FTP server at port 21.
Step 2: The client requests the transfer of a directory listing or any other file from the server to the client.
Step 3: The server initiates a connection from its port 20 to an ephemeral port on the client.
Step 4: After this connection is established, the data transfer is completed on the new connection. For each additional transfer a new connection to a new ephemeral port is made.
Note that Step 3 reverses the usual direction: the server opens an inbound connection to the client, so a firewall in front of the client must be told which port to expect it on.
17
FTP: tcpdump output
Step 1: Establishment of connection:
  abc.com.38235 > cde.com.21: S 2537895:2537895(0)
  cde.com.21 > abc.com.38235: S 12337887:12337887(0) ack 2537896
  abc.com.38235 > cde.com.21: . ack 1
(After the handshake tcpdump switches to relative sequence numbers, so ack 1 means the next expected byte is one past the SYN.)
Step 2: Exchange of packets for authentication: asking for the user name and later the password, etc. As an example, ONLY THE FIRST TWO packets are shown:
  cde.com.21 > abc.com.38235: P 1:24(23) ack 1
  abc.com.38235 > cde.com.21: . ack 24
P indicates the Push flag.
18
FTP: tcpdump output (continued):
Step 3: The directory command is issued by abc.com to get the list of directories available at the server (not shown).
This leads to the establishment of a second TCP connection between port 20 of the server and an ephemeral port of the client (38236 here, the port after the control connection's 38235):
  cde.com.20 > abc.com.38236: S 23376656:23376656(0)
  abc.com.38236 > cde.com.20: S 3535736:3535736(0) ack 23376657
  cde.com.20 > abc.com.38236: . ack 1
cde.com now sends the directory listing to abc.com over the new connection.
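The inbound SYN in Step 3 is the part of active FTP that a packet filter cannot reason about on its own: it arrives from the server's port 20 at an ephemeral client port that was only announced in the PORT command on the control channel. The following Python, an added example and not from the original slides, models what an FTP-aware stateful firewall does with that information. The addresses and ports are constructed; the class is a toy model of the expectation mechanism, in outline what an FTP connection-tracking helper does, not any product's code.

```python
"""Active-mode FTP and a stateful firewall.

Added example, not from the original slides.  Active FTP reverses the usual
direction in Step 3: the server opens the data connection from its port 20 to
an ephemeral port on the client, so a firewall in front of the client must
learn that port from the PORT command on the control channel and open a
one-shot hole for exactly that connection.  The class below is a toy model of
that expectation mechanism; the addresses and ports are constructed.
"""
from typing import Dict, Optional, Tuple

Conn = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)
FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20


def encode_port_arg(ip: str, port: int) -> str:
    """Argument of the FTP PORT command: h1,h2,h3,h4,p1,p2 (port = p1*256+p2)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def decode_port_arg(arg: str) -> Tuple[str, int]:
    """Inverse of encode_port_arg; raises ValueError on malformed input."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


class FtpAwareFirewall:
    """Allows inbound SYNs to the client side only when a PORT command on an
    established control connection announced them."""

    def __init__(self) -> None:
        self._expected: Dict[Conn, bool] = {}   # expected data connection -> unused
        self.rejected_port_cmds = 0

    def observe_port_command(self, control: Conn, arg: str) -> Optional[Conn]:
        """control is the client->server control connection (client first).
        Returns the data connection now expected, or None if the PORT was refused."""
        client_ip, _, server_ip, server_port = control
        if server_port != FTP_CONTROL_PORT:
            return None
        try:
            data_ip, data_port = decode_port_arg(arg)
        except ValueError:
            self.rejected_port_cmds += 1
            return None
        # The announced address must be the client's own.  A PORT naming a
        # third host is the classic FTP bounce attack (RFC 2577); accepting it
        # would open the firewall hole for someone else.  The port floor is
        # local policy (ephemeral ports are above 1023), not protocol.
        if data_ip != client_ip or data_port < 1024:
            self.rejected_port_cmds += 1
            return None
        expected = (server_ip, FTP_DATA_PORT, client_ip, data_port)
        self._expected[expected] = True
        return expected

    def allow_inbound_syn(self, syn: Conn) -> bool:
        """Decide on an inbound SYN (source first).  Each expectation is one-shot."""
        if self._expected.get(syn):
            del self._expected[syn]
            return True
        return False


if __name__ == "__main__":
    fw = FtpAwareFirewall()
    control = ("10.0.0.5", 38235, "192.0.2.10", 21)      # client -> server:21
    arg = encode_port_arg("10.0.0.5", 38236)            # "PORT 10,0,0,5,149,92"
    print("expecting:", fw.observe_port_command(control, arg))
    data = ("192.0.2.10", 20, "10.0.0.5", 38236)
    print("server data SYN allowed:", fw.allow_inbound_syn(data))
    print("replayed SYN allowed:   ", fw.allow_inbound_syn(data))
    print("stranger SYN allowed:   ", fw.allow_inbound_syn(("198.51.100.7", 20) + data[2:]))
```

Without such a helper the choices are to open every port above 1023 on the client side to anyone claiming source port 20 (the old "established"-style rule, and an obvious scanning path), or to use passive FTP, where the client opens both connections.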
19
Example 5:
All erroneous packets may not be malicious.
20
No stimulus – all response: Consider the following tcpdump output:
  router1 > 182.122.150.72: icmp: time exceeded in transit   (or any other error message)
  router1 > 182.122.130.52: icmp: time exceeded in transit
  router1 > 182.122.110.32: icmp: time exceeded in transit
Explanation: A large number of such messages arrived for hosts on net 182.122. Addresses on that network had been spoofed as the source of traffic sent to a foreign host, and the ICMP errors are the backscatter returned to the forged sources.
Note: Such ICMP error messages cannot be probes, since an ICMP error message cannot elicit a response. No danger to 182.122.
21
Example 6: DNS MESSAGES UDP STIMULUS-RESPONSE
22
UDP stimulus – response: Example of tcpdump data for DNS messages (port 53)
Type 1: Normal
Stimulus:
  abc.com.25020 > cde.com.domain: 21000+ (31) (DF)
21000 is the query ID. The + means the domain server is asked to work recursively to obtain the resolution. 31 is the UDP payload length (the DNS message, not including the UDP and IP headers).
Response:
  cde.com.domain > abc.com.25020: 21000 1/0/0 (193) (DF)
23
UDP stimulus – response: Anomalous cases
1/0/0 is tcpdump's DNS response format: 1 = one answer resource record, 0 = no authority records, 0 = no additional records.
Type 2: Destination not listening at port 53: For the same stimulus, the response is an ICMP error, sent host to host:
  cde.com > abc.com: icmp: cde.com udp port domain unreachable
24
DNS Background ….1
25
DNS (UDP port 53): the name space is a tree.
Root servers
  generic top-level domains: com, edu, net, org, biz, info, name, pro, gov, mil, …
  2-character country-specific domains: ca, jp, uk, …
  arpa (for reverse look-up)
26
DNS System:
Every zone has a primary (master) name server and one or more secondary (slave) servers, which take over in case of failure.
The secondaries keep themselves synchronized with the master by zone transfer (AXFR/IXFR), the DNS mechanism implemented by BIND and other servers.
A zone transfer should be allowed between authorized servers only (in BIND the allow-transfer option restricts it), because it hands the whole zone to whoever asks.
Zone transfers are done over TCP in the interest of reliability.
27
DNS RESPONSE:
X/Y/Z
X: the number of answer records (usually 1 or 0), i.e. the resolved IP address(es)
Y: authority records: the names of the authoritative DNS servers
Z: additional records: the IP addresses of the authoritative DNS servers
28
Example 7: DNS MESSAGES UDP STIMULUS-RESPONSE (recursive resolution)
29
DNS: tcpdump output
  abc.com.2222 > dns.cde.com.53: 1+ (35)
abc.com issues a ‘gethostbyname’ call to resolve the IP address of some host in the SANS organization. The + sign means the request is recursive: it asks the local DNS server to find and give the final answer.
The local DNS server has no information about the SANS organization, so it goes to a root server:
  dns.cde.com.53 > h.root-servers.net.53: 12420- (30) (DF)
Root servers do not perform recursion for anyone, so the local server issues an iterative request, indicated by the hyphen after 12420.
Reference: The example is taken from Northcutt and Novak, Ch 6
30
DNS: Authority records: 12420 is the ID number of the request.
  h.root-servers.net.53 > dns.cde.com.53: 12420- 0/3/3 (153) (DF)
The root server replies with 0/3/3: no answer records / 3 authority records / 3 additional records. This is a referral, not an answer.
Authority records: the 3 servers that own and maintain the records for the SANS domain.
Additional records: the IP addresses of those three authoritative DNS servers (glue), so the resolver can contact them without a further lookup.
31
DNS: Authority & Additional records:
Authority records:
  sans.org  name server = server1.sans.org
  sans.org  name server = ns.BSD1.COM
  sans.org  name server = ns.DELOS.COM
Additional records:
  server1.sans.org  Internet address = 167.216.133.33
  ns.BSD.COM        Internet address = 205.230.225.16
  ns.DELOS.COM      Internet address = 192.65.171.1
32
DNS: tcpdump output (continued): The local DNS server now asks the first authoritative DNS server to resolve the IP address:
  dns.cde.com.53 > server1.sans.org.53: 12421+ (30) (DF)
  server1.sans.org.53 > dns.cde.com.53: 12421* 1/3/3 (172)
* means the answer is authoritative (the AA bit is set). The 3/3 are the same authority and additional records mentioned on the previous slide.
33
DNS Background ….2
34
DNS Cache: The local DNS server caches the IP address(es) obtained as shown on the previous four slides for a period called the TTL, which the authoritative domain server specifies on each record.
As long as the record is in the cache, a request to resolve that name is answered with the IP address from the cache. The server marks such an answer as non-authoritative.
35
DNS: Reverse lookup
Given an IP address, find the host name (gethostbyaddr). Method: to reverse look up the address 167.216.233.33, the query is for the name 33.233.216.167.in-addr.arpa (octets reversed; the answer is a PTR record).
Limited size of UDP data: The maximum size of a DNS message carried over UDP, as specified in RFC 1035, is 512 bytes. That limit applies to the DNS message itself, i.e. the UDP payload; the 20-byte IP header and the 8-byte UDP header are in addition to it.
36
Limited size of UDP data (continued):
If the answer would not fit into the 512-byte UDP limit, the server sends what fits, cut at whole-record boundaries, and sets the TC (truncated) bit; the client is expected to repeat the query over TCP.
Example:
  abc.com.2727 > dns.cde.com.53: 12122 (43) (DF)
  dns.cde.com.53 > abc.com.2727: 12122| 7/0/0 (494)
The vertical bar after 12122 indicates that the data has been truncated.
37
DNS on TCP: The full answer did not fit into one UDP message, so the 494-byte response above carries the TC bit and the request must be reissued over TCP.
TCP connections to port 53 were often blocked at the firewall except for zone transfers between known servers; where that is done, answers larger than one UDP message cannot be obtained at all. (Treat that as a misconfiguration today: RFC 7766 requires TCP support for DNS, and EDNS0 (RFC 6891) is commonly used to carry larger UDP messages and avoid truncation.)
Alternatively, a TCP connection to port 53 may be allowed only if a UDP query to the same server preceded it. But this requires the firewall to keep state for UDP exchanges.
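Reading the DNS lines in Examples 6 and 7 and in the truncation example is mostly a matter of decoding tcpdump's "id flags answers/authority/additional (length)" summary. The following Python, an added example that is not part of the original slides, parses those summaries, labels each line the way the slides do (recursive or iterative query, referral, authoritative answer, truncated answer), and pairs queries with responses by transaction ID. The flag letters follow the slides' reading; all sample lines are constructed to match slides 22, 29 to 32 and 36, not captures.

```python
"""Decoding tcpdump's one-line DNS summaries.

Added example, not from the original slides.  It parses the
"id flags an/ns/ar (len)" summaries used in Examples 6 and 7 and in the
truncation example, and pairs queries with their responses by transaction ID.
Flag letters as the slides read them: '+' recursion desired, '-' no
recursion (tcpdump prints it on a response when recursion-available is not
set), '*' authoritative answer, '|' truncated.  All sample lines are
constructed, not captures.
"""
import re
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)\s*(?P<flags>[+\-*|]*)\s*"
    r"(?:(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+))?\s*\((?P<len>\d+)\)"
)
UDP_DNS_MAX = 512  # RFC 1035 limit on a DNS message over UDP (payload only)


def parse_dns_line(line: str) -> Optional[dict]:
    """Return the fields of one tcpdump DNS summary line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = m.group("flags")
    is_response = m.group("an") is not None   # tcpdump prints counts only on replies
    rec = {
        "src": m.group("src"), "dst": m.group("dst"),
        "id": int(m.group("id")), "is_response": is_response,
        "recursion_desired": "+" in flags,
        "no_recursion": "-" in flags,
        "authoritative": "*" in flags,
        "truncated": "|" in flags,
        "length": int(m.group("len")),
        "counts": None,
    }
    if is_response:
        rec["counts"] = tuple(int(m.group(k)) for k in ("an", "ns", "ar"))
    return rec


def describe(rec: dict) -> str:
    """One-line analyst reading of a parsed record."""
    if not rec["is_response"]:
        kind = "recursive" if rec["recursion_desired"] else "iterative"
        return f"{kind} query id {rec['id']} ({rec['length']} bytes)"
    an, ns, ar = rec["counts"]
    if rec["truncated"]:
        return f"response id {rec['id']} TRUNCATED at {rec['length']} bytes: retry over TCP"
    if an == 0 and ns > 0:
        return f"referral id {rec['id']}: {ns} name servers, {ar} glue addresses"
    auth = "authoritative" if rec["authoritative"] else "non-authoritative"
    return f"{auth} answer id {rec['id']}: {an} records"


def pair_by_id(lines: List[str]) -> Dict[int, dict]:
    """Match queries with responses by ID; unanswered queries keep response None."""
    exchanges: Dict[int, dict] = {}
    for line in lines:
        rec = parse_dns_line(line)
        if rec is None:
            continue
        slot = exchanges.setdefault(rec["id"], {"query": None, "response": None})
        slot["response" if rec["is_response"] else "query"] = rec
    return exchanges


# Constructed lines, modelled on slides 22, 29-32 and 36.
SAMPLE = [
    "abc.com.2222 > dns.cde.com.53: 1+ (35)",
    "dns.cde.com.53 > h.root-servers.net.53: 12420- (30) (DF)",
    "h.root-servers.net.53 > dns.cde.com.53: 12420- 0/3/3 (153) (DF)",
    "dns.cde.com.53 > server1.sans.org.53: 12421+ (30) (DF)",
    "server1.sans.org.53 > dns.cde.com.53: 12421* 1/3/3 (172)",
    "abc.com.2727 > dns.cde.com.53: 12122 (43) (DF)",
    "dns.cde.com.53 > abc.com.2727: 12122| 7/0/0 (494)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(describe(parse_dns_line(line)))
    for qid, ex in pair_by_id(SAMPLE).items():
        print(qid, "answered" if ex["response"] else "unanswered")
```

Pairing by ID is also the first thing to check when a capture looks wrong: a response whose ID matches no recent query from that resolver is either backscatter or an attempt to slip an answer into the cache.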
38
Weaknesses in DNS: Probing attacks:
a) On any machine, the command
  % nslookup
prints the name of the default domain name server and its IP address.
Example W1:
  > nslookup
  Default Server: davinci.newcs.uwindsor.ca
  Address: 137.207.76.3
39
Weaknesses in DNS: Example W2
Example W2: on sending a ‘gethostbyname’ call to resolve the IP address of www.msn.com:
  Server:  davinci.newcs.uwindsor.ca
  Address: 137.207.76.3
  Non-authoritative answer:
  Name:    www.msn.com
  Addresses: 207.68.173.254, 207.68.171.244, 207.68.171.245, 207.68.172.234, 207.68.173.244
A non-authoritative answer is one that the local domain name server supplies from its cache.
40
To find your name server
b) On using the commands
  > set type=ns
  > domainname
the system responds with your name servers.
Example W3:
  > set type=ns
  > uwindsor.ca
  Server:  davinci.newcs.uwindsor.ca
  Address: 137.207.76.3
(continued on the next slide)
41
Example W3 (continued):
  Non-authoritative answer:
  uwindsor.ca  nameserver = dns.uwindsor.ca
  uwindsor.ca  nameserver = ns1.uwo.ca
  dns.uwindsor.ca  internet address = 137.207.232.1
  ns1.uwo.ca       internet address = 129.100.2.12
There are two name servers; the names and IP addresses of both are provided.
42
Weaknesses in DNS: Example W4
  > set type=ns
  > msn.com
  Server:  davinci.newcs.uwindsor.ca
  Address: 137.207.76.3
  Non-authoritative answer:
  msn.com  nameserver = dns1.cp.msft.net
  msn.com  nameserver = dns1.dc.msft.net
  msn.com  nameserver = dns1.sj.msft.net
  msn.com  nameserver = dns1.tk.msft.net
43
Weaknesses in DNS: Example W4 (continued)
  msn.com  nameserver = dns3.jp.msft.net
  msn.com  nameserver = dns3.uk.msft.net
  dns1.cp.msft.net  internet address = 207.46.138.20
  dns1.dc.msft.net  internet address = 64.4.25.30
  dns1.sj.msft.net  internet address = 65.54.248.222
  dns1.tk.msft.net  internet address = 207.46.245.230
  dns3.jp.msft.net  internet address = 207.46.72.123
  dns3.uk.msft.net  internet address = 213.199.144.151
44
Weaknesses in DNS (continued): c) Many domain name servers store host information (HINFO records) such as the name of the machine and details of its hardware and operating system. Example: the commands
  > set type=hinfo
  > host49
will return the hardware and OS information of host49, if available.
It is wise not to store such information in a DNS server, since the DNS protocol makes it available to anyone who asks, including an attacker doing reconnaissance.
45
Host Information: Example W5
  > set type=hinfo
  > davinci.newcs.uwindsor.ca
  Server:  davinci.newcs.uwindsor.ca
  Address: 137.207.76.3
  newcs.uwindsor.ca
        primary name server = davinci.newcs.uwindsor.ca
        responsible mail addr = walid.uwindsor.ca
        serial  = 2003112403
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)
(No HINFO record exists for this host, so nslookup shows the zone's SOA record, which the server returns in the authority section of the negative answer.)
46
Host Information: Definitions Master/Secondary servers ..1
Serial: the serial number at the beginning of the Start Of Authority (SOA) data, incremented every time the zone data is updated. It records when the DNS data was last changed.
A secondary DNS server refreshes its copy of the zone only if the master's serial number is higher than its own.
Refresh: the time interval (in seconds) after which a secondary name server checks the master's serial number to see whether a zone transfer is needed.
Retry: if the secondary cannot reach the master when a refresh is due, it tries again every Retry interval.
Retry interval < Refresh interval
47
Host Information: Definitions Master/Secondary servers ..2
Expire: if the secondary has been unable to reach the master for an Expire interval since its last successful refresh, it stops responding to queries for the zone, i.e. its data expires. Expire should be much longer than Refresh.
default TTL: the TTL of every record served is supplied by the authoritative name server in its response. The last SOA field was historically the default TTL for records that carried none; since RFC 2308 it is the negative-caching TTL (how long a "no such name" answer may be cached), and the zone's default record TTL is set with the $TTL directive.
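The SOA timers on the last two slides decide how a secondary behaves while its master is unreachable, which is exactly the situation an attacker who takes the master down (or an operator who mistypes the values) creates. The following Python, an added example that is not part of the original slides, pulls the timers out of an nslookup display like Examples W5 and W6, checks that they are ordered sensibly, and reports what a secondary will be doing at a given moment after its last successful refresh. The text block is constructed to match the slides' output format; the week-long expire check uses the RFC 1912 recommendation of two to four weeks as its yardstick.

```python
"""SOA timers as seen by a secondary server.

Added example, not from the original slides.  It pulls the SOA fields out of
an nslookup display like Examples W5/W6, checks that the timers are ordered
sensibly, and works out what a secondary that has lost contact with its
master will do at a given moment.  The text block below is constructed to
match the slides' output format.
"""
import math
import re
from typing import Dict, List

SOA_RE = re.compile(r"(serial|refresh|retry|expire|default TTL)\s*=\s*(\d+)")


def parse_nslookup_soa(text: str) -> Dict[str, int]:
    """Extract serial/refresh/retry/expire/ttl (seconds) from nslookup output."""
    fields = {k.replace("default ", "").lower(): int(v) for k, v in SOA_RE.findall(text)}
    missing = {"serial", "refresh", "retry", "expire", "ttl"} - fields.keys()
    if missing:
        raise ValueError(f"SOA fields missing: {sorted(missing)}")
    return fields


def check_timers(soa: Dict[str, int]) -> List[str]:
    """Return sanity warnings; an empty list means the timers are consistent."""
    warnings = []
    if soa["retry"] >= soa["refresh"]:
        warnings.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        warnings.append("expire must outlast at least one refresh plus one retry")
    if soa["expire"] < 7 * 86400:
        # RFC 1912 recommends 2-4 weeks; under a week leaves little time
        # to repair a dead master before the secondaries go dark too.
        warnings.append("expire under a week gives little time to fix a dead master")
    return warnings


def secondary_state(soa: Dict[str, int], since_last_refresh: int) -> str:
    """State of a secondary `since_last_refresh` seconds after its last
    successful check of the master, assuming the master has been unreachable
    ever since.  All timers count from that last success."""
    if since_last_refresh < soa["refresh"]:
        return "serving, next check not yet due"
    if since_last_refresh < soa["expire"]:
        return "serving stale data, retrying master"
    return "expired: refusing queries for the zone"


def next_attempt(soa: Dict[str, int], since_last_refresh: int) -> int:
    """Seconds after the last success at which the next contact attempt
    falls (at or after `since_last_refresh`): the refresh, then every retry."""
    if since_last_refresh < soa["refresh"]:
        return soa["refresh"]
    failed = math.ceil((since_last_refresh - soa["refresh"]) / soa["retry"])
    return soa["refresh"] + failed * soa["retry"]


# Constructed nslookup output in the format of Example W5.
W5 = """\
newcs.uwindsor.ca
        primary name server = davinci.newcs.uwindsor.ca
        responsible mail addr = walid.uwindsor.ca
        serial  = 2003112403
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)
"""

if __name__ == "__main__":
    soa = parse_nslookup_soa(W5)
    print(soa, check_timers(soa) or "timers OK")
    for t in (3600, 10800, 12000, 604800):
        print(f"t={t:>7}s  {secondary_state(soa, t):40} next attempt at {next_attempt(soa, t)}s")
```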
48
Host Information: Example W6
  > set type=hinfo
  > nismail.uwindsor.ca
  Server:  davinci.newcs.uwindsor.ca
  Address: 137.207.76.3
  uwindsor.ca
        primary name server = dns.uwindsor.ca
        responsible mail addr = clw.uwindsor.ca
        serial  = 2004020400
        refresh = 14400 (4 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 129600 (1 day 12 hours)
49
Weaknesses in DNS (continued): d) the command
  > ls -d abc.com
may list the entire zone of the domain abc.com (it asks the server for a zone transfer, which is why transfers must be restricted to authorized secondaries). Example W7:
  > ls -d newcs.uwindsor.ca
  [davinci.newcs.uwindsor.ca]
  newcs.uwindsor.ca.  SOA  davinci.newcs.uwindsor.ca walid.uwindsor.ca. (2003020700 10800 3600 604800 86400)
  newcs.uwindsor.ca.  NS   uwindsor.ca
  newcs.uwindsor.ca.  NS   davinci.newcs.uwindsor.ca
(continued on the next slide)
50
Weaknesses in DNS: Example W7 (continued ..2)
  newcs.uwindsor.ca.  NS   naps.uwindsor.ca
  router-nt                         A   137.207.76.2
  Symmetra (ups)                    A   137.207.76.15
  xylan (ATM machine)               A   137.207.76.54
  cs-ssr-6th (router at 6th fl)     A   137.207.76.250
  davinci                           MX  5  davinci.newcs.uwindsor.ca
  davinci                           MX  10 nismail.uwindsor.ca
  cs-ssr-main (main router)         A   137.207.76.254
  davinci.newcs.uwindsor.ca walid.uwindsor.ca. (2003020700 10800 3600 604800 86400)
Notes: A: address record (name to IPv4 address); MX: mail exchanger; NS: name server; SOA: start of authority. The listing hands an attacker the routers, UPS and switch by name and address in one request.
51
Weaknesses in DNS: Example W7 (continued ..3)
For the domain there are two mail exchangers, with preference values 5 and 10. Allowed preference values are 0 to 65,535; 0 is the highest priority and 65,535 the lowest. A sending mail server tries delivery first to the mail exchanger with the lowest preference value (highest priority); if that exchanger is down, it delivers to the exchanger with the next higher preference value. Because a relaying host only hands mail on to exchangers with a lower preference value than its own, this avoids mail looping in a large system.
52
Weaknesses in DNS (continued)
e) A tool called ‘Domain Internet Groper’ (dig), supplied with some implementations of BIND, can obtain the version number of BIND running on a server (versions in use at the time: 4.8.3 and 4.9.4). The server returns it for a TXT query for the name version.bind in the CHAOS class; it tells an attacker which known bugs to try, so servers should hide or falsify it (BIND's ‘version’ option).
f) Sneaky traceroute: Since port 53 is usually kept open and firewalls allow UDP messages to port 53, UDP messages to port 53 with increasing values of TTL can tell whether a host is alive.
This method of finding whether a host is alive may be used when ICMP echo requests are blocked.
53
Sneaky traceroute
Generate UDP messages to port 53 of the destination host (which should not be a name server) with progressively increasing values of TTL.
Intermediate routers respond with ICMP time exceeded messages.
If the destination host is alive, it responds with an ICMP port unreachable message (nothing listens on port 53).
If the destination host is not alive, the last router responds with an ICMP host unreachable message.
54
Weaknesses in DNS: Cache poisoning attack
g) Since the DNS message format for a query is the same as the format for a response, a message that is not a legitimate answer to anything the server asked may still carry a poisoned IP address in its answer or additional records.
A domain name server that caches such records without checking that they answer an outstanding query (matching ID, source and question) and belong to the zone it asked about will store them for later use.
This misdirects other users to the wrong site for as long as the TTL of the poisoned record.
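The two ways a cache gets poisoned, a message that is not a response at all and a genuine response padded with records for names the responding server has no authority over, are both caught by the same set of checks. The following Python, an added example that is not part of the original slides, puts the unchecked updater the slide describes next to a checked one. Messages are plain dicts carrying the fields a resolver actually looks at; the zone names, records and the pending-query table are constructed. The checked version is the minimum a resolver must do: accept only responses (QR set) to a query it sent, from the server it sent it to, for the question it asked, and keep only records inside that server's zone (the "bailiwick" rule).

```python
"""Accepting DNS answers into a cache: unchecked vs. checked.

Added example, not from the original slides.  The unchecked updater is the
vulnerable behaviour the slide describes: anything that looks like an answer
gets cached.  The checked updater requires a matching outstanding query and
drops out-of-bailiwick records.  All names, records and addresses are
constructed.
"""
from typing import Dict, Optional, Tuple

Record = Tuple[str, str, str]            # (owner name, type, rdata)
Cache = Dict[Tuple[str, str], str]       # (name, type) -> rdata


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or lies beneath it (absolute names)."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


def unchecked_cache_update(cache: Cache, msg: dict) -> int:
    """Vulnerable: caches every record in the message, no questions asked."""
    for name, rtype, rdata in msg["answer"] + msg["additional"]:
        cache[(name, rtype)] = rdata
    return len(msg["answer"]) + len(msg["additional"])


def checked_cache_update(cache: Cache, pending: Dict[int, dict],
                         msg: dict, source: Tuple[str, int]) -> Tuple[int, Optional[str]]:
    """Return (records cached, reason if the whole message was rejected)."""
    if not msg["is_response"]:
        return 0, "not a response (QR clear): queries carry no answers"
    q = pending.get(msg["id"])
    if q is None:
        return 0, "no outstanding query with this ID"
    if source != q["server"]:
        return 0, "response came from the wrong address or port"
    if msg["question"] != q["question"]:
        return 0, "response answers a different question"
    del pending[msg["id"]]               # one answer per query; the rest is noise
    stored = 0
    for name, rtype, rdata in msg["answer"] + msg["additional"]:
        if in_bailiwick(name, q["zone"]):   # out-of-bailiwick records are dropped
            cache[(name, rtype)] = rdata
            stored += 1
    return stored, None


# Constructed scenario: the resolver asked 192.0.2.53 (a server for
# example.net.) for www.example.net. A; the reply smuggles in an address for
# a bank that example.net's servers have no business answering for.
PENDING = {4242: {"question": ("www.example.net.", "A"),
                  "server": ("192.0.2.53", 53), "zone": "example.net."}}
POISONED_REPLY = {
    "id": 4242, "is_response": True,
    "question": ("www.example.net.", "A"),
    "answer": [("www.example.net.", "A", "192.0.2.80")],
    "additional": [("www.bank.example.", "A", "198.51.100.66")],
}
QUERY_WITH_ANSWER = dict(POISONED_REPLY, is_response=False)   # the slide's case g)

if __name__ == "__main__":
    naive: Cache = {}
    unchecked_cache_update(naive, POISONED_REPLY)
    print("unchecked cache:", naive)
    careful: Cache = {}
    pending = {k: dict(v) for k, v in PENDING.items()}
    print("checked:", checked_cache_update(careful, pending, POISONED_REPLY, ("192.0.2.53", 53)))
    print("checked cache:", careful)
    print("query as answer:", checked_cache_update(careful, PENDING, QUERY_WITH_ANSWER, ("192.0.2.53", 53)))
```

These checks stop the cases on this slide but not a forger who guesses the 16-bit ID and source port of a query in flight (the Kaminsky attack of 2008); that needs source-port randomization and, to close the gap fully, DNSSEC validation of the records themselves.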
55
References for the Mitnick attack (the classic TCP sequence-number prediction intrusion):
1. http://www.totse.com/en/hack/hack_attack/hacker03.html
2. http://www.shado.info/blog/archives/000112.html (home page of the blog: http://www.shado.info/)
56
Two news items and two stories (pp. 103–105 and Ch. 7 of the text book on Intrusion Detection)
57
WHY DID AL-JAZEERA WEB-SITES GO DOWN?
“At this point we're not able to triangulate to a particular reason…. It could just be an overall traffic increase that adds to the load or it could be an increase in the rate at which users are coming to the site. Or it could be some external event like a DoS or a virus that's propagating. Al-Jazeera put this site together in a hurry…. You have to do at least some basic load testing.”
Roopak Patel, Senior Internet Data Analyst, Keynote Systems Inc., a performance management and testing company, San Mateo, Calif., March 25, 2003
58
Dangerous times
“The recent rash of Internet worms has produced an army of hundreds of thousands of compromised machines that could ultimately be used to launch a massive DDoS attack at any time.
CERT is monitoring .. five large networks of compromised machines installed with bots. The bots connect compromised PCs or servers to Internet Relay Chat servers, which attackers commonly use to execute commands on the remote systems. At least one of these networks has more than 140,000 machines.”
Officials at the CERT Coordination Center, Carnegie Mellon University, 17 March 2003