Sichuan University, Department of Information Security Engineering, Fang Yong
Information System Security

Chapter 7: IDS
AGENDA
Introduction
Threats
IDS
What Is An Intrusion?
An intrusion can be defined as:
• Any set of actions that attempts to compromise the integrity, confidentiality or availability of a resource
All intrusions are defined relative to a security policy
• A security policy defines what is permitted and what is denied on the system
• Without a definition of normal behavior, there is no basis for recognizing an intrusion
What is Intrusion Detection?
"Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources."
– Edward Amoroso
"An environment for anomaly and misuse detection and subsequent analysis of the behavior of systems and networks."
Intrusions over the decades
Attacks vs. Attackers
AGENDA
Introduction
Threats
IDS

Threat Analysis
Types of Attacks
Location of attacks: Layer 2 - 7

                     Gets Access    Gets no Access
Authorised User                     DoS
Unauthorised User    Intrusion
Layer 2: ARP Spoofing
(Source: CCIE'99 Vienna, © 1999 Cisco Systems, Inc.)
Hosts on one segment: A (IP a, MAC A), B (IP b, MAC B), C (IP c, MAC C)
• C is sending a faked gratuitous ARP reply to A
• C sees traffic from IP a to IP b
C->A, ARP, b=C
A->C, IP, a->b
C->B, IP, a->b
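The following is an added example, not part of the lecture slides: a small ARP-spoof monitor of the kind a sensor on the segment could run. It remembers the first IP-to-MAC binding it hears for each address and alerts when a later reply, such as C's faked gratuitous "b = C" reply, claims a different MAC for an address that is already bound. The addresses, the replies and the first-seen-wins policy are assumptions made for the example.

```python
# Added example (not part of the lecture slides): a small ARP-spoof monitor.
# It keeps the first IP -> MAC binding it sees for each IP and alerts when a
# later reply, such as C's faked gratuitous "b = C" reply, claims a different
# MAC for an address that is already bound. The replies below are constructed.
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    sender_ip: str    # the IP the reply speaks for ("b" in the slide)
    sender_mac: str   # the MAC it claims for that IP ("C" in the slide)
    gratuitous: bool  # True if no request preceded it


@dataclass
class ArpMonitor:
    table: dict = field(default_factory=dict)   # ip -> first MAC learned
    alerts: list = field(default_factory=list)

    def observe(self, r: ArpReply) -> None:
        known = self.table.get(r.sender_ip)
        if known is None:
            # First time we hear about this IP: learn it. A real deployment would
            # seed the table from DHCP leases or static assignments instead.
            self.table[r.sender_ip] = r.sender_mac
            return
        if known != r.sender_mac:
            kind = "gratuitous" if r.gratuitous else "solicited"
            self.alerts.append(
                f"ALERT: {kind} ARP reply rebinds {r.sender_ip} "
                f"from {known} to {r.sender_mac}"
            )
            # The learned binding is kept, so every further spoofed reply alerts again.


def run_demo() -> list:
    """Replay the slide's scenario with constructed addresses and return the alerts."""
    ip_a, ip_b = "10.0.0.1", "10.0.0.2"
    mac_a, mac_b, mac_c = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
    replies = [
        ArpReply(ip_a, mac_a, gratuitous=False),  # A answers a genuine request
        ArpReply(ip_b, mac_b, gratuitous=False),  # B answers a genuine request
        ArpReply(ip_b, mac_c, gratuitous=True),   # C -> A, ARP, b = C (the spoof)
        ArpReply(ip_b, mac_b, gratuitous=False),  # B answers again; matches the table
    ]
    mon = ArpMonitor()
    for r in replies:
        mon.observe(r)
    return mon.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The monitor deliberately keeps the binding it learned first rather than the latest one; a monitor that trusted the most recent reply would be re-trained by the spoof and go quiet.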
Layer 3: IP Spoofing
Hosts A, B and C, behind routers Ra, Rb and Rc
B->A via C, Rc, Ra        (source-routed packet that passes through C)
Back traffic uses the same source route:
A->B via Ra, Rc, C
A's policy: B is a friend, allow access
Layer 3: Smurf Attack...
Roles: Attacker; innocent/unprotected relays/amplifiers on network B (local broadcast address B.*); Victim A
A-> B.*: ping        (sent repeatedly by the attacker, with the victim's address A forged as the source)
B.1-> A: pong
B.2-> A: pong
B.3-> A: pong
...
B.n-> A: pong        (every host on B answers every ping, so the victim receives n replies per forged request)
Dated 1998
Layer 4: SYN attack
C (masquerading as B) -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb)
A allocates a kernel resource for handling the starting connection
No answer from B... 120 sec timeout, then A frees the resource
Repeated faster than the timeout frees them, kernel resources are exhausted: Denial of Service
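The following is an added example, not part of the lecture slides, covering both DoS patterns above: for the SYN attack it tracks half-open connections per server (SYN seen, no ACK from the client) and expires them with the 120 second timeout the slide mentions; for the Smurf attack it counts ICMP echo replies delivered to a host that never sent matching echo requests. The alert thresholds, the addresses and all packets are constructed for the example.

```python
# Added example (not part of the lecture slides): a monitor for the two DoS
# patterns on these slides. For the SYN attack it tracks half-open
# connections per server (SYN seen, no ACK from the client) with the 120 s
# timeout the slide mentions; for the Smurf attack it counts ICMP echo
# replies delivered to a host that never sent the matching echo requests.
# Thresholds and all packets below are constructed for the example.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Pkt:
    t: float          # capture time in seconds
    proto: str        # "tcp" or "icmp"
    src: str
    dst: str
    flags: str = ""   # tcp: "SYN", "SYN+ACK" or "ACK"
    icmp: str = ""    # icmp: "echo-request" or "echo-reply"
    sport: int = 0
    dport: int = 0


class DosMonitor:
    def __init__(self, half_open_limit=100, timeout=120.0, reply_limit=20):
        self.half_open_limit = half_open_limit
        self.timeout = timeout
        self.reply_limit = reply_limit
        self.half_open = {}                     # (src, sport, dst, dport) -> SYN time
        self.pending_echo = defaultdict(int)    # host -> echo requests it sent, unanswered
        self.unsolicited = defaultdict(int)     # host -> echo replies with no request
        self.alerts = []

    def _expire(self, now: float) -> None:
        # The server frees an embryonic connection after the timeout; mirror that.
        stale = [k for k, t0 in self.half_open.items() if now - t0 >= self.timeout]
        for k in stale:
            del self.half_open[k]

    def half_open_count(self, server: str) -> int:
        return sum(1 for k in self.half_open if k[2] == server)

    def observe(self, p: Pkt) -> None:
        self._expire(p.t)
        if p.proto == "tcp":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "SYN":
                self.half_open[key] = p.t
                if self.half_open_count(p.dst) == self.half_open_limit:
                    self.alerts.append(
                        f"ALERT: SYN flood suspected against {p.dst}:{p.dport}, "
                        f"{self.half_open_limit} half-open connections")
            elif p.flags == "ACK":
                self.half_open.pop(key, None)   # handshake completed
        elif p.proto == "icmp":
            if p.icmp == "echo-request":
                self.pending_echo[p.src] += 1
            elif p.icmp == "echo-reply":
                if self.pending_echo[p.dst] > 0:
                    self.pending_echo[p.dst] -= 1
                else:
                    self.unsolicited[p.dst] += 1
                    if self.unsolicited[p.dst] == self.reply_limit:
                        self.alerts.append(
                            f"ALERT: Smurf-style amplification suspected, {p.dst} "
                            f"received {self.reply_limit} unsolicited echo replies")


def run_demo() -> dict:
    """Constructed traffic: a SYN flood, one real handshake, then a burst of echo replies."""
    server, victim = "198.51.100.10", "198.51.100.20"
    mon = DosMonitor()
    # C, masquerading as many different B's, sends 150 SYNs that are never completed
    for i in range(150):
        mon.observe(Pkt(i * 0.01, "tcp", f"192.0.2.{i % 250 + 1}", server,
                        flags="SYN", sport=40000 + i, dport=80))
    # A legitimate client completes its handshake and leaves the half-open table
    mon.observe(Pkt(5.0, "tcp", "203.0.113.7", server, flags="SYN", sport=5555, dport=80))
    mon.observe(Pkt(5.1, "tcp", "203.0.113.7", server, flags="ACK", sport=5555, dport=80))
    before = mon.half_open_count(server)
    # 30 relays on network B answer a broadcast ping whose source was forged as the victim
    for n in range(1, 31):
        mon.observe(Pkt(200.0, "icmp", f"203.0.113.{100 + n}", victim, icmp="echo-reply"))
    after = mon.half_open_count(server)   # the 120 s timeout has freed them all by now
    return {"alerts": mon.alerts, "half_open_before": before, "half_open_after": after}


if __name__ == "__main__":
    print(run_demo())
```

The half-open table is keyed on the full four-tuple, so a forged source address does not help the attacker: each spoofed SYN still occupies one slot until the timeout, which is exactly the resource the slide says gets exhausted.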
DNS spoofing
HOST (10.1.1.50) queries the name X.localdomain.it; DNS server (10.1.1.1); a MITM sits on the path between them
If the attacker is able to sniff the ID of the DNS request, he/she can reply before the real DNS server
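The following is an added example, not part of the lecture slides: a passive DNS-spoofing monitor. It records each query it sees and, for every response, checks (a) that the response comes from the expected server address and (b) that no earlier response already answered the same transaction ID and name with different data. Check (b) is the race on the slide: the MITM answers first, then the real server's answer arrives and contradicts it. The addresses and messages are constructed, and the MITM here also forges the server's source address, so only check (b) catches it.

```python
# Added example (not part of the lecture slides): a passive DNS-spoofing monitor.
# Queries are remembered; each response is checked for an unexpected source
# and for a conflict with an earlier answer to the same transaction.
# Addresses and messages below are constructed for the example.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DnsMsg:
    src: str
    dst: str
    txid: int
    qname: str
    answer: Optional[str] = None   # None for a query, the returned address for a response


@dataclass
class DnsSpoofMonitor:
    server_ip: str
    pending: set = field(default_factory=set)     # (client, txid, qname) awaiting an answer
    answered: dict = field(default_factory=dict)  # same key -> first answer seen
    alerts: list = field(default_factory=list)

    def observe(self, m: DnsMsg) -> None:
        if m.answer is None:                      # a query from a client
            self.pending.add((m.src, m.txid, m.qname))
            return
        key = (m.dst, m.txid, m.qname)            # a response to a client
        if m.src != self.server_ip:
            self.alerts.append(f"ALERT: response for {m.qname} txid={m.txid:#06x} "
                               f"from unexpected source {m.src}")
        if key in self.answered:
            first = self.answered[key]
            if first != m.answer:
                self.alerts.append(f"ALERT: conflicting second answer for {m.qname} "
                                   f"txid={m.txid:#06x}: {first} then {m.answer}")
            return
        if key not in self.pending:
            self.alerts.append(f"ALERT: unsolicited response for {m.qname} "
                               f"txid={m.txid:#06x} to {m.dst}")
            return
        self.pending.discard(key)
        self.answered[key] = m.answer


def run_demo() -> list:
    """Replay the slide's race with constructed messages and return the alerts."""
    host, server = "10.1.1.50", "10.1.1.1"
    mon = DnsSpoofMonitor(server_ip=server)
    msgs = [
        DnsMsg(host, server, 0x1234, "X.localdomain.it"),                      # the query
        DnsMsg(server, host, 0x1234, "X.localdomain.it", answer="10.1.1.66"),  # MITM, forged source, wins the race
        DnsMsg(server, host, 0x1234, "X.localdomain.it", answer="10.1.1.20"),  # the real server, too late
        DnsMsg(host, server, 0x1235, "X.localdomain.it"),                      # a later, clean exchange
        DnsMsg(server, host, 0x1235, "X.localdomain.it", answer="10.1.1.20"),
    ]
    for m in msgs:
        mon.observe(m)
    return mon.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The resolver on the host accepts the first answer and discards the second, so from the client's point of view nothing is wrong; the late, contradicting answer is visible only to a sensor that keeps state across the whole transaction.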
DoS: The Procedure
Hacker -> "Zombies" or "Bots" (innocent user PCs) -> ISP -> CPE -> Target
1. Cracking   2. Signalling   3. Flooding
Distributed Denial of Service: DDoS
DDoS attacks originate from a large number of systems.
Trinoo, Tribal Flood Network, Mstream, and Stacheldraht are some of the new DDoS attack tools
A hacker talks to a master or server that has been placed on a compromised system.
The master talks to the slave or client processes that have been placed on other compromised systems. The slaves, also called zombies, perform the actual attack against the target system.

The architecture of DDoS attacks.
Code Red
Infects Microsoft IIS web servers
Spread: using its real source address, random destination
Attack: accessing a specific server
Request structure: HTTP GET | fill buffer | Unicode-encoded assembler code
Log entry left by an infected host (real IP!):
217.33.138.14 - - [07/Aug/2001:01:17:32 +0100] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 328
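The following is an added example, not part of the lecture slides: a scanner for web server access logs that reports hosts sending the request shown above. Because the worm spreads using its real source address, every hit identifies an infected machine whose owner can be notified. The log format is the common/combined format of the slide's line; the sample lines are constructed (documentation address ranges, shortened %u payload), and the "X" padding variant is an assumption beyond the slide (a later Code Red variant used it).

```python
# Added example (not part of the lecture slides): scan access-log lines for the
# Code Red request and report the (real) source addresses that sent it.
# The sample log lines are constructed; the "X" padding variant is an assumption
# beyond the slide (a later Code Red variant used it).
import re

# host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
# GET /default.ida? followed by a long run of one padding letter, then %uXXXX escapes
CODE_RED_RE = re.compile(r'^GET /default\.ida\?([NX])\1{50,}.*%u[0-9a-fA-F]{4}',
                         re.IGNORECASE)


def parse_line(line: str):
    """Split one common/combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return one record per Code Red hit: (host, time, status)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and CODE_RED_RE.match(rec["request"]):
            hits.append((rec["host"], rec["time"], int(rec["status"])))
    return hits


def sample_log():
    """Constructed lines in the format of the slide (addresses are documentation ranges)."""
    payload = "N" * 224 + "%u9090%u6858%u0000=a"
    return [
        '203.0.113.14 - - [07/Aug/2001:01:17:32 +0100] "GET /default.ida?' + payload
        + ' HTTP/1.0" 400 328',
        '198.51.100.5 - - [07/Aug/2001:01:18:02 +0100] "GET /index.html HTTP/1.0" 200 1043',
        '203.0.113.77 - - [07/Aug/2001:01:19:45 +0100] "GET /default.ida?' + "X" * 224
        + '%u9090%u6858=a HTTP/1.0" 404 87',
        'not a log line at all',
    ]


if __name__ == "__main__":
    for host, when, status in scan(sample_log()):
        print(f"{host} sent a Code Red request at {when} (server answered {status})")
```

The status code is reported alongside the host because a 400 or 404, as on the slide, means the request was rejected: the scanner finds infected senders, it does not by itself show that this server was compromised.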
Buffer Overflows
#include <stdio.h>
#include <string.h>

void foo(char *s) {
    char buf[10];
    strcpy(buf, s);              /* no length check: anything longer than 9 bytes overruns buf */
    printf("buf is %s\n", s);
}
...
int main(void) {
    foo("thisstringistolongforfoo");   /* 25 bytes with the terminator, written into a 10-byte buffer */
    return 0;
}
stack

Intrusion
AGENDA
Introduction
Threats
IDS
But I've got a Firewall...!!!
Firewalls = Access Control
Provides perimeter security that:
• Blocks specific unwanted protocols
• Blocks communication over specific ports
Policy: permit HTTP, permit FTP, permit SMTP
Cannot provide security for:
• Malicious attacks contained within "permitted" traffic
• Threats including cgi-bin attacks, buffer overflows, fragmented, or Unicode attacks
Attack Scenario (Internet -> firewall -> DMZ with e-commerce servers -> internal network):
Step 1: Penetrate Perimeter: exploit "permitted" conduits
Step 2: Decommission or Compromise Device: launch buffer overflow attack to plant Trojan horse
Step 3: Escalate Privileges: use compromised system to access internal network
...And IPSec-VPN...!!!
VPN = Privacy
Provides data privacy by:
• Encrypting contents of traffic
• Ensuring basic authentication of user
Cannot provide security for:
• Insider threat: 80% of attacks come from "trusted" sources
• Malicious content embedded in encrypted traffic
• Site-to-Site VPNs do not authenticate users or traffic
Attack Scenario:
Step 1: Compromise Extranet: attack "weak-link" in extranet chain to gain back door access to corporate network
Step 2: Compromise Remote Access: exploit weakness in remote access or dial-up devices to gain "trusted" access
Terminology
False positives: the system mistakenly reports certain benign activity as malicious
False negatives: the system does not detect and report actual malicious activity
Detection Techniques
• Pattern Matching
• Stateful Pattern Matching
• Protocol Decode-Based Analysis
• Heuristic-Based Analysis
• Anomaly-Based Analysis
signature-based IDS != pattern matching
Bottom Line Analysis
To do its job right, a good IDS must implement several analysis technologies
The number of attacks detected is much more relevant than the number of signatures supported or used
IDS challenges are:
• Minimizing false positives
• Minimizing false negatives
• Keeping up with performance
• Handling the large amount of data generated
Typical Network IDS Architecture
Management Console: real-time event display, event database, sensor configuration
IDS Sensor: packet signature analysis, generate alarms, response/countermeasures
The sensor is attached to the production network segment; component communications run between sensor and management console
Monitoring Traffic
• Must see all of the monitored traffic
• Must be able to keep up with the monitored traffic (current technology is about a few 100 Mbps)
Sensors on Outside or Inside?
(Topology: attacker on the Internet; firewall with DMZ and inside legs)
Sensor on Outside
• Sees everything, including traffic blocked by the firewall
• Can't tell what is denied or permitted by the firewall
• Tools like Stick can generate lots of "noise"
• Monitors both DMZ and inside traffic
Sensors on Inside
• See only traffic permitted by the firewall
• You know you need to respond
• Need a sensor on each internal leg off the firewall
Typical Response Actions
• TCP resets: disconnecting the attacker (be careful in switched environments)
• IP session logging
• "Shunning/blocking"
Blocking/Shunning with a Router
(Topology: attacker 172.29.29.2 on the Internet; router in front of the inside network; sensor with a sniffing interface and a management interface)
1. Detect the attack on the sniffing interface
2. Write the ACL: deny 172.29.29.2
3. Configure the ACL on the router via the management interface

Confusing IDS
Network IDS Evasion techniques
1. Obfuscating the attack: sending fragmented packets (IP), using unusual encoding, sending packets out of order (TCP)
2. Overwhelming the IDS: sending 1000's of spoofed attacks (tools like snot, stick)
   • so IDS sensors cannot follow and will miss an attack
   • so monitoring systems cannot follow as well
   • most human beings will not locate the attack among all the false alarms...
Confusing Traditional IDS Systems
IDS evasion techniques
• Fragmented IP datagrams (Fragrouter)
• Overlapping and/or reordered TCP streams (Fragroute)
• Unicode obfuscated characters (Whisker)
IDS overrun tools
• Stick: simulates a large volume of false alarms

Fragmented Attack Example
Case 1: P1 = "cmd.", P2 = "exe"  ->  End host sees "cmd.exe"
Case 2: P1 = "cmd.junk", P2 = "exe" at an equal fragment offset (P2 overlaps the "junk" bytes)  ->  End host sees "cmd.exe"
More info >> http://online.securityfocus.com/infocus/1577
Tracking an Evolving Target
Evasion techniques
De-obfuscation
• Multiple character representations, e.g. Unicode
• Whisker attacks
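The following is an added example, not part of the lecture slides: de-obfuscation of request URIs before signature matching. A sensor that matches "cmd.exe" on the raw bytes misses the same name written with %XX escapes, IIS-style %uXXXX escapes, mixed case or double encoding. The decoder is an illustration with constructed URIs: it repeats decoding up to a small bound, and it does not emulate every quirk of a particular server's decoder (overlong UTF-8 sequences, for instance), which is exactly the kind of gap a protocol-decode-based sensor has to close against the real target.

```python
# Added example (not part of the lecture slides): normalize a request URI
# before matching signatures against it. All URIs below are constructed.
import re
from urllib.parse import unquote

UNICODE_ESC = re.compile(r'%u([0-9a-fA-F]{4})')


def decode_once(uri: str) -> str:
    uri = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), uri)  # %u0063 -> 'c'
    return unquote(uri)                                              # %63 -> 'c'


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Decode until the string stops changing (bounded), then canonicalize."""
    for _ in range(max_rounds):
        decoded = decode_once(uri)
        if decoded == uri:
            break
        uri = decoded
    uri = uri.replace("\\", "/").lower()
    uri = re.sub(r'/+', '/', uri)      # collapse "//"
    uri = re.sub(r'/\./', '/', uri)    # drop "/./" segments; "/../" is left visible on purpose
    return uri


def find_signatures(uri: str, signatures=("cmd.exe",)) -> list:
    """Signatures found in the normalized form of the URI."""
    norm = normalize_uri(uri)
    return [s for s in signatures if s in norm]


def run_demo() -> dict:
    """For each constructed URI: (raw-byte match of "cmd.exe", matches after normalization)."""
    samples = [
        "/scripts/cmd.exe",          # plain
        "/scripts/%63md%2eexe",      # %XX escapes
        "/scripts/%u0063md.exe",     # %uXXXX escape
        "/scripts/CMD.EXE",          # case
        "/scripts/%2563md.exe",      # double encoded: %25 -> '%', then %63 -> 'c'
        "/scripts//./cmd.exe",       # redundant path segments
        "/index.html",               # benign
    ]
    return {s: ("cmd.exe" in s, find_signatures(s)) for s in samples}


if __name__ == "__main__":
    for raw, (raw_hit, norm_hits) in run_demo().items():
        print(f"{raw:28} raw={raw_hit!s:5} normalized={norm_hits}")
```

Bounding the number of decode rounds is itself a policy decision: a server that decodes only once will treat "%2563md.exe" as a literal, so a sensor that decodes three times can alert on something the server never executes, which is the false-positive side of the same mismatch problem.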
Reconstructing Flows
Let's say you want to search for the text "USER root". Is it enough to just search the data portion of TCP segments you see?
Application:  USER root
TCP:          HDR USER | HDR root
IP:           HDR US | HDR ER | HDR | HDR ro | HDR ot
(Uh oh... we have to reassemble frags and resequence segs)
Fun with Fragments
Imagine an attacker sends:
1. HDR US
2. HDR ER
3. 1,000,000 unrelated fragments
4. HDR ro
5. HDR ot
Fragmented IP datagrams
Imagine an attacker sends (plotted as sequence number against time):
1. HDR US
2. HDR ER
3a. HDR ro
3b. HDR fo
4. HDR ot
Should we consider 3a part of the data stream "USER root"? Or is 3b part of the data stream? "USER foot"!
-- If the OS makes a different decision than the monitor: Bad.
-- Even worse: different OS's have different protocol interpretations,
Fragmented IP datagrams - Solaris-NT

Fragmented IP datagrams - Linux
TCP fragmentation evasion techniques
• TTL expiration
• URG Pointer Use in TCP
• RST or FIN Out of Order
• Sending Packets Out of Order
• Vary the Window Size to Desynchronize the IDS
• Checksum
• Data in the Three Way Handshake
Overlaps in a TCP stream can occur but are extremely rare. Overwrites in a TCP session should never occur; if one does, someone is intentionally attempting to hide from an IDS.
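The following is an added example, not part of the lecture slides: a tiny fragment/segment reassembler that shows why per-packet pattern matching is not enough and how the overlap policy decides what the monitor "sees". It serves the "Reconstructing Flows" and "Fragmented IP datagrams" slides (the "USER root" / "USER foot" race), the "cmd.junk" / "exe" equal-offset case from the fragmented attack example, and the note above that a conflicting overwrite in a TCP stream is itself a strong sign of evasion, which the function counts and returns. The policy names "old" (keep the data received first) and "new" (let later data overwrite) mirror the fragroute keywords on the next slide; which real OS behaves which way is not modelled here, and the fragments are constructed.

```python
# Added example (not part of the lecture slides): byte-level reassembly with a
# selectable overlap policy, plus the per-packet matcher it is meant to replace.
# Fragments below are constructed from the slides' "USER root" and "cmd.exe" cases.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int
    data: bytes


def reassemble(frags, policy="old"):
    """Return (payload, conflicts): the byte stream after reassembly and the
    number of overlapping bytes whose contents disagreed between fragments.
    policy "old" keeps the first data received, "new" lets later data overwrite.
    Holes are filled with NUL so offsets stay meaningful."""
    buf = {}
    conflicts = 0
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in buf:
                if buf[pos] != b:
                    conflicts += 1          # an overwrite: per the slide, this should never happen
                    if policy == "new":
                        buf[pos] = b
            else:
                buf[pos] = b
    if not buf:
        return b"", 0
    return bytes(buf.get(i, 0) for i in range(max(buf) + 1)), conflicts


def per_packet_match(frags, pattern: bytes) -> bool:
    """What a stateless matcher does: look at each fragment on its own."""
    return any(pattern in f.data for f in frags)


def stream_match(frags, pattern: bytes, policy="old") -> bool:
    """What a stateful matcher does: reassemble first, then search."""
    payload, _ = reassemble(frags, policy)
    return pattern in payload


def run_demo() -> dict:
    # The slide's sequence 1, 2, 3a, 3b, 4 with 3a/3b overlapping at the same offset;
    # fragment 4 is fed before 3a to show that arrival order does not matter.
    user_root = [
        Fragment(0, b"US"), Fragment(2, b"ER"), Fragment(7, b"ot"),
        Fragment(4, b" ro"), Fragment(4, b" fo"),
    ]
    # The fragmented attack example: P2 overlaps P1's junk at an equal offset
    cmd = [Fragment(0, b"cmd.junk"), Fragment(4, b"exe")]
    old_payload, old_conf = reassemble(user_root, "old")
    new_payload, new_conf = reassemble(user_root, "new")
    return {
        "per_packet": per_packet_match(user_root, b"USER root"),
        "old": old_payload, "new": new_payload,
        "conflicts": old_conf,       # same count under either policy
        "cmd_old": reassemble(cmd, "old")[0],
        "cmd_new": reassemble(cmd, "new")[0],
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:12} {v!r}")
```

With "old" the monitor sees "USER root" and with "new" it sees "USER foot", so a monitor and an end host that pick different policies disagree on whether the login attempt happened at all; the non-zero conflict count is the one signal that does not depend on the policy. Byte-wise overwriting of "cmd.junk" by "exe" leaves the trailing "k" in place, so the "new" payload starts with "cmd.exe" rather than equalling it.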
Fragroute is not your friend !!
Fragment all traffic to a Windows host into forward-overlapping 8-byte fragments (favoring older data), reorder randomly, and print to standard output:
ip_frag 8 old
order random
print
Segment all TCP data to a host into forward-overlapping 4-byte segments (favoring newer data), interleave with overwriting, random chaff segments bearing older timestamp options for PAWS elimination, reorder randomly, and print to standard output:
tcp_seg 4 new
tcp_chaff paws
order random
print
http://www.monkey.org/~dugsong/fragroute/
References - Papers
Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
http://secinf.net/info/ids/idspaper/idspaper.html
Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics
http://www.icir.org/vern/papers/norm-usenix-sec-01-html/
IDS Evasion Techniques and Tactics (SANS)
http://online.securityfocus.com/infocus/1577
Dug Song – Fragroute
http://www.monkey.org/~dugsong/talks/csw02/index.html