1
“As news of data security breaches at high-profile companies keeps coming, so too does the need for security planning and management skills. IT security is one of the top 10 skills that will become "newly important" to companies in the next five years.” -- Kate Kaiser,
Associate Professor at Marquette University, quoted in “Hot Skills, Cold Skills”, ComputerWorld, July 17, 2006
2
“Companies employ 1.4 million IT security professionals worldwide. By 2010, that number will reach 2 million, an increase of almost 30%. U.S. companies will also increase spending on information security training by 16.4% annually through 2009.”
-- from a study by IDC on Security Workforce Trends, quoted in “Hot Skills, Cold Skills”, ComputerWorld, July 17, 2006
3
Certifications …. 1
International Information Systems Security Certification Consortium, Inc. [(ISC)²]; https://www.isc2.org/:
  Certified Information Systems Security Professional (CISSP)
Information Systems Audit and Control Association (ISACA); http://www.isaca.org/:
  Certified Information Systems Auditor (CISA)
  Certified Information Security Manager (CISM)
4
Certifications …. 2
Computing Technology Industry Association (CompTIA)
SANS Institute; http://www.sans.org/:
  Global Information Assurance Certification (GIAC)
5
Example 1: Telnet connection TCP Stimulus-Response
6
TCP stimulus – response: example of tcpdump data for a telnet (port 23) connection
Type 1: Normal system (service listening)
Stimulus:  abc.com.25020 > cde.com.telnet: S 2538567:2538567(0) win 4096 <mss 1480> (DF)
Response:  cde.com.telnet > abc.com.25020: S 38849799:38849799(0) ack 2538568 win 4096 <mss 1480>
The response is a SYN/ACK: its ack number is the stimulus's sequence number plus one (2538568), and the three-way handshake proceeds.
7
Anomalous cases: tcp-telnet example
Type 2: Destination not listening on the telnet port
For the same stimulus, the response is a Reset/Ack:
cde.com.telnet > abc.com.25020: R 0:0(0) ack 2538568 win 0
Type 3: Destination host not available. Though the destination host has a registered DNS address, it may currently be down, or it may be misconfigured so that it cannot respond.
The response then comes from the router to which the destination host's network is directly connected (assume its address is xxx.1):
8
Anomalous cases: tcp-telnet example continued
xxx.1 > abc.com: icmp: host cde.com unreachable
Type 4: Destination port blocked, and the router says so:
xxx.1 > abc.com: icmp: host cde.com unreachable - admin prohibited filter
Type 5: Destination port blocked, router silenced. A router can be told not to send ICMP unreachables (on Cisco IOS this is the interface command 'no ip unreachables'); the filter then drops the SYN and nothing comes back. The stimulus gets no response at all, and the client keeps retransmitting the SYN until its maximum number of attempts is reached.
9
Example 2: Windows tracert ICMP ECHO REQUEST-RESPONSE
10
Windows tracert: consists of ICMP echo requests sent with increasing TTL and the ICMP messages they provoke (time exceeded from each intermediate router, an echo reply from the final destination). Ex: for a final destination two hops away, tcpdump output from the FIRST router, at a distance of
Now cde.com would send the list of directories to abc.com at the new connection.
19
Example 5:
Not all erroneous packets are malicious.
20
No stimulus -- all response. Consider the following tcpdump output:
router1 > 182.122.150.72: icmp: time exceeded in transit (or any other error message)
router1 > 182.122.130.52: icmp: time exceeded in transit
router1 > 182.122.110.32: icmp: time exceeded in transit
Explanation: a large number of such messages arrived for hosts on the 182.122 network, yet nothing was sent from there to provoke them. Addresses in 182.122 had been spoofed as the source of traffic aimed at a foreign host, and the error messages that traffic generated come back to the real owners of the addresses (backscatter).
Note: such ICMP messages cannot be probes, since an ICMP error message never elicits a reply, so their sender learns nothing from them. No danger to 182.122.
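The stimulus-response reasoning of Examples 1 and 5 written out as code. This is an added example, not part of the slides: a small Python classifier that reads tcpdump-style lines, treats each bare SYN as a stimulus, labels what comes back as one of the five Types above, and flags ICMP errors that answer no stimulus as backscatter. The sample trace, the extra host names (fgh.com, ijk.com, lmn.com, router1) and the retry threshold are constructed for the example.

```python
"""Classify TCP stimulus/response pairs in tcpdump output (Examples 1 and 5).

Added example, not from the slides.  A lone SYN is a stimulus; what comes
back decides the case: SYN/ACK (Type 1), RST/ACK (Type 2), ICMP host
unreachable from a router (Type 3), the same with "admin prohibited"
(Type 4), or nothing at all after repeated SYNs (Type 5).  ICMP errors
that answer no stimulus we ever sent are backscatter from traffic that
spoofed our addresses (Example 5).  All tcpdump-style lines are
constructed for this example, not captured.
"""
import re

# tcpdump TCP line:  src.sport > dst.dport: FLAGS seq:seqend(len) [ack N] win W ...
TCP_RE = re.compile(
    r"^(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<flags>[SRPFU.]+) (?P<seq>\d+)(?::\d+)?\(\d+\)(?: ack (?P<ack>\d+))? win \d+"
)
# tcpdump ICMP line:  router > dst: icmp: <message>
ICMP_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): icmp: (?P<msg>.+)$")

# How many unanswered SYNs before we call it a silent drop (an assumption;
# real stacks retransmit a SYN several times before giving up).
SYN_RETRY_LIMIT = 3


def classify(lines):
    """Return (verdicts, unsolicited).

    verdicts:    list of ((client, cport, server, sport), verdict_text)
    unsolicited: notes about ICMP errors that match no stimulus (backscatter)
    """
    pending = {}        # stimulus key -> number of SYNs seen with no answer yet
    verdicts, unsolicited = [], []
    for line in lines:
        m = ICMP_RE.match(line)
        if m:
            router, dst, msg = m.group("src", "dst", "msg")
            # An ICMP error is addressed to the client and names the server
            # host in its text; that is how we tie it back to a stimulus.
            keys = [k for k in pending if k[0] == dst and k[2] in msg]
            if not keys:
                unsolicited.append(
                    f"{router} -> {dst}: '{msg}' answers nothing we sent (backscatter?)")
                continue
            verdict = ("Type 4: port filtered, router says admin prohibited"
                       if "admin prohibited" in msg
                       else "Type 3: destination host unreachable (down or misconfigured)")
            for k in keys:
                verdicts.append((k, verdict))
                del pending[k]
            continue
        m = TCP_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        if flags == "S" and not m.group("ack"):            # bare SYN: a stimulus
            key = (src, sport, dst, dport)
            pending[key] = pending.get(key, 0) + 1
            if pending[key] >= SYN_RETRY_LIMIT:
                verdicts.append((key, "Type 5: no response at all, silently filtered"))
                del pending[key]
            continue
        key = (dst, dport, src, sport)                     # a reply: swap the ends
        if key not in pending:
            continue
        if "S" in flags and m.group("ack"):
            verdicts.append((key, "Type 1: service listening (SYN/ACK)"))
        elif "R" in flags:
            verdicts.append((key, "Type 2: port closed (RST/ACK)"))
        else:
            continue
        del pending[key]
    return verdicts, unsolicited


# Constructed sample trace, one stimulus per client port.
SAMPLE = [
    "abc.com.25020 > cde.com.telnet: S 2538567:2538567(0) win 4096 <mss 1480> (DF)",
    "cde.com.telnet > abc.com.25020: S 38849799:38849799(0) ack 2538568 win 4096 <mss 1480>",
    "abc.com.25021 > cde.com.telnet: S 2538900:2538900(0) win 4096 <mss 1480> (DF)",
    "cde.com.telnet > abc.com.25021: R 0:0(0) ack 2538901 win 0",
    "abc.com.25022 > fgh.com.telnet: S 2539000:2539000(0) win 4096 <mss 1480> (DF)",
    "xxx.1 > abc.com: icmp: host fgh.com unreachable",
    "abc.com.25023 > ijk.com.telnet: S 2539100:2539100(0) win 4096 <mss 1480> (DF)",
    "xxx.1 > abc.com: icmp: host ijk.com unreachable - admin prohibited filter",
    "abc.com.25024 > lmn.com.telnet: S 2539200:2539200(0) win 4096 <mss 1480> (DF)",
    "abc.com.25024 > lmn.com.telnet: S 2539200:2539200(0) win 4096 <mss 1480> (DF)",
    "abc.com.25024 > lmn.com.telnet: S 2539200:2539200(0) win 4096 <mss 1480> (DF)",
    "router1 > 182.122.150.72: icmp: time exceeded in transit",
    "router1 > 182.122.130.52: icmp: time exceeded in transit",
]

if __name__ == "__main__":
    found, notes = classify(SAMPLE)
    for (client, cport, server, sport), verdict in found:
        print(f"{client}:{cport} -> {server}:{sport}   {verdict}")
    for note in notes:
        print(note)
```

Run it as a script to see one verdict per stimulus and two backscatter notes. Matching an ICMP error to a stimulus by the host name in its text is a shortcut that works for tcpdump's host-unreachable wording; a real tool would match on the quoted inner IP header instead.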
21
Example 6: DNS messages, UDP stimulus-response
22
UDP stimulus – response: example of tcpdump data for DNS messages
In tcpdump's one-line DNS summary, '+' after the query id means recursion desired (the client asks the server to resolve the name recursively on its behalf). The number in parentheses, e.g. (31), is the length of the UDP payload, i.e. the DNS message itself, not including the UDP and IP headers.
'*' on the response means the answer is authoritative (the AA bit is set). The counts printed on a response are the numbers of answer, authority and additional records; the 3/3 are the Authority Records and Additional Records mentioned on the previous slide.
33
DNS Background ….2
34
DNS Cache: the local DNS server caches the IP address(es) obtained as shown in the previous four slides for a period called the TTL, which is specified by the authoritative domain server.
As long as the record is in the cache, a request to resolve that domain name is answered from the cache. The server marks such an answer as non-authoritative (the AA bit is clear), since it is not the source of the data.
35
DNS: Reverse lookup
Reverse lookup: given an IP address, find the host name (gethostbyaddr). Method: the address is written with its octets reversed under in-addr.arpa and queried for a PTR record. To reverse look up 167.216.233.33, the query name is:
33.233.216.167.in-addr.arpa.
Limited size of UDP data: RFC 1035 limits a DNS message carried over UDP to 512 bytes. The limit is on the DNS message itself (the UDP payload); the 20-byte IP header and 8-byte UDP header are not counted against it.
36
Limited size of UDP data (continued):
If the complete answer would exceed 512 bytes, the server sends as many whole records as fit, sets the TC (truncated) bit in the header, and the client is expected to repeat the query over TCP.
(494) In the tcpdump output, the vertical line after the query id 12122 indicates that the TC bit is set, i.e. the data has been truncated. 494 is the size of the truncated message that was actually sent, not of the full answer, which would not have fit.
37
DNS on TCP: the full answer did not fit in the 512 bytes allowed over UDP, so the truncated 494-byte response was returned and the request has to be reissued over TCP.
But TCP connections to port 53 are usually not allowed through firewalls, except from secondary servers for zone transfer. In that case answers larger than the UDP limit cannot be obtained.
Alternatively, TCP connections to port 53 may be allowed if an earlier UDP exchange with the same server exist(ed). But this requires the firewall to keep state about UDP exchanges.
A later extension, EDNS(0), lets a client advertise a larger UDP payload size, so the 512-byte ceiling applies only to clients and servers that do not use it.
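The tcpdump marks and the truncation rule from the DNS slides, as an added example that is not from the slides: Python that builds a query, decodes the header flags behind '+', '*' and '|', reports the payload size tcpdump prints in parentheses, decides whether to fall back to TCP, and forms the in-addr.arpa name for a reverse lookup. The two responses are constructed (a valid header and question section, zero padding in place of records) so that the 494-byte case can be shown offline; the id 12122 and the name www.msn.com are taken from the slides.

```python
"""Decode a DNS header the way tcpdump summarises it (Example 6 and the
UDP size limit slides).

Added example, not from the slides.  It builds a query for www.msn.com and
two constructed responses, decodes the header flags behind tcpdump's
'+' (recursion desired), '*' (authoritative) and '|' (truncated) marks,
and applies the client rule: a truncated UDP answer is re-asked over TCP.
It also builds the in-addr.arpa name used for a reverse (PTR) lookup.
Only the header and question are real wire format; the response bodies are
zero padding, since nothing here parses resource records.
"""
import ipaddress
import struct

UDP_DNS_LIMIT = 512   # RFC 1035: max DNS message over UDP, excluding IP/UDP headers

# Header flag bits, RFC 1035 section 4.1.1
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """'www.msn.com' -> length-prefixed labels: 3 'www' 3 'msn' 3 'com' 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1, recursion=True):
    """Standard query: header, then one question (qtype 1 = A, class 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, RD if recursion else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def constructed_response(query, extra_flags, ancount, nscount, arcount, total_len):
    """Fake a response to `query`: same id, QR set, given counts, padded to total_len."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, QR | RD | RA | extra_flags,
                         1, ancount, nscount, arcount)
    body = header + query[12:]
    return body + b"\x00" * max(0, total_len - len(body))


def decode_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "response": bool(flags & QR),
        "authoritative": bool(flags & AA),
        "truncated": bool(flags & TC),
        "recursion_desired": bool(flags & RD),
        "recursion_available": bool(flags & RA),
        "counts": (qd, an, ns, ar),
        "size": len(msg),          # what tcpdump prints in parentheses
    }


def tcpdump_summary(msg):
    """One-line summary in tcpdump's style: id, marks, an/ns/ar on responses, (size)."""
    h = decode_header(msg)
    if not h["response"]:
        return f"{h['id']}{'+' if h['recursion_desired'] else ''} ({h['size']})"
    marks = ("*" if h["authoritative"] else "") \
          + ("-" if not h["recursion_available"] else "") \
          + ("|" if h["truncated"] else "")
    _, an, ns, ar = h["counts"]
    return f"{h['id']}{marks} {an}/{ns}/{ar} ({h['size']})"


def next_transport(response):
    """Client rule from the slides: TC set means repeat the query over TCP."""
    return "tcp" if decode_header(response)["truncated"] else "done"


def reverse_name(ip):
    """'167.216.233.33' -> '33.233.216.167.in-addr.arpa.' (the PTR query name)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed exchange: one query, a full authoritative answer, and a
# truncated one of 494 bytes whose complete form would not fit in 512.
QUERY = build_query(12122, "www.msn.com")
ANSWER_OK = constructed_response(QUERY, AA, 1, 3, 3, 0)
ANSWER_TRUNCATED = constructed_response(QUERY, TC, 1, 3, 3, 494)

if __name__ == "__main__":
    for msg in (QUERY, ANSWER_OK, ANSWER_TRUNCATED):
        print(tcpdump_summary(msg))
    print("next step after truncated answer:", next_transport(ANSWER_TRUNCATED))
    print("PTR name for 167.216.233.33:", reverse_name("167.216.233.33"))
```

The summaries come out as 12122+ (29), 12122* 1/3/3 (29) and 12122| 1/3/3 (494), which is the shape of the tcpdump lines on the slides; the size in parentheses is measured on the DNS message alone, which is why the 512-byte rule is applied to it and not to the IP/UDP headers.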
38
Weaknesses in DNS: probing attacks
a) On any machine, the command
% nslookup
reports the name of the default domain name server and its IP address.
Example W1:
> nslookup
Default Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
39
Weaknesses in DNS: Example W2
> on sending a 'gethostbyname' call (typing a host name at the nslookup prompt) to resolve the IP address of www.msn.com:
Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
A non-authoritative answer is one that the local domain name server supplies from its cache rather than from a server authoritative for the zone.
40
To find your name server
b) Using the commands
> set type=ns
> domainname
the system responds with your name server(s).
Ex W3:
> set type=ns
> uwindsor.ca
Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
41
Ex W3: continued
Non-authoritative answer:
uwindsor.ca nameserver = dns.uwindsor.ca
uwindsor.ca nameserver = ns1.uwo.ca
dns.uwindsor.ca internet address = 137.207.232.1
ns1.uwo.ca internet address = 129.100.2.12
There are two name servers; names and IP addresses of both are provided.
42
Weaknesses in DNS: Example W4
> set type=ns
> msn.com
Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
Non-authoritative answer:
msn.com nameserver = dns1.cp.msft.net
msn.com nameserver = dns1.dc.msft.net
msn.com nameserver = dns1.sj.msft.net
msn.com nameserver = dns1.tk.msft.net
43
Weaknesses in DNS: Example W4 continued
msn.com nameserver = dns3.jp.msft.net
msn.com nameserver = dns3.uk.msft.net
dns1.cp.msft.net internet address = 207.46.138.20
dns1.dc.msft.net internet address = 64.4.25.30
dns1.sj.msft.net internet address = 65.54.248.222
dns1.tk.msft.net internet address = 207.46.245.230
dns3.jp.msft.net internet address = 207.46.72.123
dns3.uk.msft.net internet address = 213.199.144.151
44
Weaknesses in DNS (continued):
c) Many domain name servers store host information such as a machine's hardware and operating system (the HINFO record type). Example: the commands
> set type=hinfo
> host49
return the hardware and OS information of host49, if available.
It is wise not to store such information in a DNS server, since the DNS protocol gives anyone (including an attacker) easy access to it.
45
Host Information: Example W5
> set type=hinfo
> davinci.newcs.uwindsor.ca
Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
newcs.uwindsor.ca
  primary name server = davinci.newcs.uwindsor.ca
  responsible mail addr = walid.uwindsor.ca
  serial = 2003112403
  refresh = 10800 (3 hours)
  retry = 3600 (1 hour)
  expire = 604800 (7 days)
  default TTL = 86400 (1 day)
No HINFO record came back; what nslookup prints here is the zone's SOA (Start of Authority) record, which the server returns in the authority section of a negative answer. Its fields are defined on the next two slides.
46
Host Information: Definitions, Master/Secondary servers ..1
Serial: the serial number at the beginning of the Start Of Authority (SOA) data, incremented every time the DNS database is updated; it records when the data last changed.
A secondary DNS server reloads its copy of the zone only if the Master's serial number is higher than its own.
Refresh: the interval (in seconds) between two successive checks by a secondary name server of whether the Master's data has changed.
Retry: if the secondary cannot reach the Master at a Refresh check, it tries again every Retry interval.
Retry interval < Refresh interval.
47
Host Information: Definitions, Master/Secondary servers ..2
Expire: if the secondary has not been able to reach the Master for the whole Expire interval, it stops answering queries for the zone, i.e. its data has expired.
Default TTL: in the original specification this last SOA field was the default TTL for every record of the zone that did not carry its own. The authoritative name server supplies each record's TTL in its response; the default applies when none is given. (Since RFC 2308 this field is instead the TTL for negative caching, i.e. how long a "no such name" answer may be cached.)
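How a secondary acts on the SOA values just defined, as an added example that is not from the slides: Python for the serial comparison (RFC 1982 serial-number arithmetic, since a plain integer comparison breaks when a serial wraps past 2^32) and a clock-driven model of Refresh, Retry and Expire using the newcs.uwindsor.ca values from Example W5. The timeline of master outages is invented for the example.

```python
"""Secondary-server behaviour driven by the SOA fields shown in Examples W5/W6.

Added example, not from the slides.  Two parts: the serial comparison a
secondary makes before pulling the zone (RFC 1982 serial-number
arithmetic, which wraps modulo 2^32, so a plain '>' is not quite right),
and a clock-driven model of the Refresh / Retry / Expire timers.  Serials
and intervals are those printed in the W5 output; the timeline is made up.
"""

HALF = 1 << 31      # half the 32-bit serial space


def serial_gt(a, b):
    """RFC 1982: is serial a 'newer' than b, allowing for wrap-around?"""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    if a == b:
        return False
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def needs_transfer(master_serial, secondary_serial):
    """A secondary reloads the zone only when the master's serial is newer."""
    return serial_gt(master_serial, secondary_serial)


class Secondary:
    """Model of a secondary name server's SOA timers (all times in seconds)."""

    def __init__(self, serial, refresh, retry, expire):
        self.serial = serial
        self.refresh, self.retry, self.expire = refresh, retry, expire
        self.last_success = 0          # last time the master answered an SOA query
        self.next_check = refresh      # when the next SOA query is due
        self.expired = False           # once set, the zone is no longer served

    def tick(self, now, master_serial):
        """Advance to time `now`; master_serial is the master's current serial,
        or None if the master cannot be reached.  Returns what happened."""
        if self.expired:
            return "expired"
        if now < self.next_check:
            return "idle"
        if master_serial is None:
            # Master unreachable: keep retrying at the Retry interval, but
            # once Expire seconds have passed since the last good contact,
            # stop answering for the zone rather than serve stale data.
            if now - self.last_success >= self.expire:
                self.expired = True
                return "expired"
            self.next_check = now + self.retry
            return "retry"
        self.last_success = now
        self.next_check = now + self.refresh
        if needs_transfer(master_serial, self.serial):
            self.serial = master_serial
            return "transfer"
        return "up-to-date"


def simulate(secondary, events):
    """Run (time, master_serial_or_None) events through a Secondary in order."""
    return [secondary.tick(t, s) for t, s in events]


# Constructed timeline against the newcs.uwindsor.ca SOA values from W5:
# refresh 10800, retry 3600, expire 604800.
TIMELINE = [
    (0,      2003112403),   # too early, nothing due
    (10800,  2003112404),   # refresh: master bumped its serial -> transfer
    (21600,  None),         # refresh: master down -> retry in 3600
    (25200,  None),         # still down -> another retry
    (615600, None),         # 604800 s after last success -> expire
]

if __name__ == "__main__":
    sec = Secondary(2003112403, refresh=10800, retry=3600, expire=604800)
    for (t, s), action in zip(TIMELINE, simulate(sec, TIMELINE)):
        print(f"t={t:>7}s master={s!s:>10}  secondary: {action}")
```

The wrap-around case matters in practice for date-style serials like 2003112403: an operator who mistypes a far-too-large serial can only "go back" by stepping the serial forward through half the space, which is exactly what serial_gt models.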
48
Host Information: Example W6
> set type=hinfo
> nismail.uwindsor.ca
Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
uwindsor.ca
  primary name server = dns.uwindsor.ca
  responsible mail addr = clw.uwindsor.ca
  serial = 2004020400
  refresh = 14400 (4 hours)
  retry = 3600 (1 hour)
  expire = 604800 (7 days)
  default TTL = 129600 (1 day 12 hours)
49
Weaknesses in DNS (continued):
d) The nslookup command
> ls -d abc.com
may list the entire zone of the domain abc.com. (Behind the scenes this is a zone transfer, an AXFR request over TCP port 53; a server that accepts it from anyone hands out a complete map of the network.)
Example W7:
> ls -d newcs.uwindsor.ca
[davinci.newcs.uwindsor.ca]
newcs.uwindsor.ca.   SOA   (Start of Authority)
Weaknesses in DNS: Example W7: continued ……2
newcs.uwindsor.ca.   NS    naps.uwindsor.ca
router-nt            A     137.207.76.2      (router)
Symmetra             A     137.207.76.15     (UPS)
xylan                A     137.207.76.54     (ATM machine)
cs-ssr-6th           A     137.207.76.250    (router at 6th floor)
davinci              MX 5  davinci.newcs.uwindsor.ca
davinci              MX 10 nismail.uwindsor.ca
cs-ssr-main          A     137.207.76.254    (main router)
Weaknesses in DNS: Example W7: continued ….3
Ex. W7: For the domain there are two mail exchangers, with preference values of 5 and 10. Allowed preference values: 0 to 65,535; 0 is the highest priority and 65,535 the lowest. A sending mail server first tries the mail exchanger with the lowest preference value (highest priority). If that exchanger is down, it delivers to the exchanger with the next higher value. A server never relays to an exchanger whose preference is equal to or worse than its own, which keeps mail from looping in a large system.
52
Weaknesses in DNS (continued)
e) A tool called 'Domain Internet Groper' (dig), supplied with some implementations of BIND, can reveal the version number of BIND running on a server (versions in use at the time: 4.8.3 and 4.9.4). The query is for the TXT record version.bind in the CHAOS class, e.g. dig @server version.bind txt chaos; knowing the version tells an attacker which published bugs to try.
f) Sneaky traceroute: since port 53 is usually kept open and firewalls let port 53 traffic through, UDP messages sent to port 53 with increasing values of TTL can tell whether a host is alive.
This method of finding whether a host is alive may be used if ICMP echo requests are blocked.
53
Sneaky traceroute
Generate UDP messages to port 53 of the destination host (which should not be a name server, so that the port is closed) with progressively increasing values of TTL.
Intermediate routers respond with ICMP time exceeded messages.
If the destination host is alive, it responds with an ICMP port unreachable message.
If the destination host is not alive, the last router responds with an ICMP host unreachable message.
54
Weaknesses in DNS: Cache poisoning attack
g) Since a DNS query and a DNS response share the same message format, an attacker can send the name server a message that looks like a response and carries a poisoned IP address, for example an extra record for a name the attacker has no authority over.
A name server that does not check where the data came from would cache it and serve it to later clients for the record's TTL.
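The poisoning described in g), and the checks a resolver uses against it, as an added example that goes beyond the slide and is not part of it: a toy Python resolver cache that believes a message only if its transaction id and port match a query it actually sent, and caches only records inside the bailiwick of the zone it asked about; with the checks switched off it behaves like the trusting server of the slide. Every name (under the reserved .test TLD), id, port and address is constructed.

```python
"""Cache poisoning via "answers" nobody asked for, and the two checks
that stop it.

Added example, not from the slides, and it goes beyond them: a toy
resolver cache that (1) accepts a message as a response only if its
transaction id and destination port match a query still outstanding, and
(2) caches only records inside the bailiwick of the zone that was asked,
so an attacker's server cannot slip in an address for someone else's
name.  With the checks off it behaves like the trusting server of the
slide.  All names, ports, ids and addresses are constructed.
"""
from dataclasses import dataclass


@dataclass
class Record:
    name: str
    rtype: str
    data: str
    ttl: int


@dataclass
class Response:
    txid: int          # transaction id copied from the query
    dst_port: int      # port the answer arrived on (the query's source port)
    answers: list
    additional: list


def in_bailiwick(record_name, zone):
    """'www.example.test' is inside 'example.test'; 'www.bank.test' is not."""
    r = record_name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return r == z or r.endswith("." + z)


class ResolverCache:
    def __init__(self):
        self.cache = {}          # (name, type) -> Record
        self.outstanding = {}    # (txid, src_port) -> zone the query was sent about
        self.rejected = []       # why things were thrown away, for the log

    def send_query(self, txid, src_port, zone):
        """Remember the id/port pair so that only a matching reply is believed."""
        self.outstanding[(txid, src_port)] = zone

    def receive(self, resp, strict=True):
        """Process a message claiming to be a response.  Returns True if anything was cached."""
        key = (resp.txid, resp.dst_port)
        if key not in self.outstanding:
            # Either a forged response with a guessed id/port, or a stray
            # query dressed up as a response: same format, but we never asked.
            self.rejected.append(f"id/port {key} matches no outstanding query")
            return False
        zone = self.outstanding.pop(key)
        cached = 0
        for rr in resp.answers + resp.additional:
            if strict and not in_bailiwick(rr.name, zone):
                self.rejected.append(f"{rr.name} is outside bailiwick of {zone}")
                continue
            self.cache[(rr.name.lower(), rr.rtype)] = rr
            cached += 1
        return cached > 0

    def lookup(self, name, rtype="A"):
        rr = self.cache.get((name.lower(), rtype))
        return rr.data if rr else None


# Constructed attack: the victim resolver asks attacker.test's server about
# www.attacker.test, and the reply carries an extra record for www.bank.test.
POISON = Response(
    txid=0x1234, dst_port=40000,
    answers=[Record("www.attacker.test", "A", "192.0.2.10", 300)],
    additional=[Record("www.bank.test", "A", "192.0.2.66", 86400)],
)
# Constructed forgery: right name, but a guessed (wrong) transaction id.
FORGED = Response(
    txid=0x1235, dst_port=40000,
    answers=[Record("www.bank.test", "A", "192.0.2.66", 300)], additional=[],
)


def demo(strict):
    """Return what the resolver believes www.bank.test resolves to after the attack."""
    r = ResolverCache()
    r.send_query(0x1234, 40000, "attacker.test")
    r.receive(POISON, strict=strict)
    return r.lookup("www.bank.test")


if __name__ == "__main__":
    print("trusting server:", demo(strict=False))   # poisoned address is cached
    print("with checks:    ", demo(strict=True))    # None: the extra record was dropped
```

The id/port check only raises the cost of forging (16 bits of id plus the source port); the bailiwick rule is what removes the easy path the slide describes, where extra records ride in on a response the attacker legitimately gets to send.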
56
Two news items and two stories (pp. 103-105 and Ch. 7 of the textbook on Intrusion Detection)
57
WHY DID AL-JAZEERA WEB-SITES GO DOWN?
“At this point we're not able to triangulate to a particular reason…. It could just be an overall traffic increase that adds to the load or it could be an increase in the rate at which users are coming to the site. Or it could be some external event like a DoS or a virus that's propagating.
Al-Jazeera put this site together in a hurry…. You have to do at least some basic load testing.”
-- Roopak Patel, Senior Internet Data Analyst, Keynote Systems Inc., a performance management and testing company, San Mateo, Calif., March 25, 2003
58
Dangerous times
The recent rash of Internet worms has produced an army of hundreds of thousands of compromised machines that could ultimately be used to launch a massive DDoS attack at any time.
CERT is monitoring .. five large networks of compromised machines installed with bots. The bots connect compromised PCs or servers to Internet Relay Chat servers, which attackers commonly use to execute commands on the remote systems. At least one of these networks has more than 140,000 machines.