Jan 11, 2016

Page 1

“As news of data security breaches at high-profile companies keeps coming, so too does the need for security planning and management skills. IT security is one of the top 10 skills that will become "newly important" to companies in the next five years.” -- Kate Kaiser, Associate Professor at Marquette University, quoted in “Hot Skills, Cold Skills”, ComputerWorld, July 17, 2006

Page 2

“Companies employ 1.4 million IT security professionals worldwide. By 2010, that number will reach 2 million, an increase of almost 30%. U.S. companies will also increase spending on information security training by 16.4% annually through 2009.”

-- from a study by IDC on Security Workforce Trends, quoted in “Hot Skills, Cold Skills”, ComputerWorld, July 17, 2006

Page 3

Certifications .... 1

International Information Systems Security Certification Consortium, Inc. [(ISC)²]; https://www.isc2.org/: Certified Information Systems Security Professional (CISSP)

Information Systems Audit and Control Association (ISACA); http://www.isaca.org/: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM)

Page 4

Certifications .... 2

Computing Technology Industry Association (CompTIA); http://www.comptia.org/: CompTIA Security+ Certification, CompTIA Network+ Certification, CompTIA A+ Certification

SysAdmin, Audit, Network, Security (SANS) Institute; http://www.sans.org/: Global Information Assurance Certification (GIAC)

Page 5

Example 1: Telnet connection: TCP stimulus-response

Page 6

TCP stimulus-response: example of tcpdump data for a telnet (port 23) application.

Type 1: Normal system

Stimulus:
abc.com.25020 > cde.com.telnet: S 2538567:2538567(0) win 4096 <mss 1480> (DF)

Response:
cde.com.telnet > abc.com.25020: S 38849799:38849799(0) ack 2538568 win 4096 <mss 1480>

Page 7

Anomalous cases: TCP-telnet example

Type 2: Destination not listening on the telnet port. For the same stimulus, the response will be a Reset/Ack:
cde.com.telnet > abc.com.25020: R 0:0(0) ack 2538568 win 0

Type 3: Destination host not available: Though the destination host has a registered DNS IP address, the host may currently be down, or it may have been misconfigured so that it cannot respond.

The response would come from the router (assume its address is xxx.1) to which the network of the destination host is directly connected.

Page 8

Anomalous cases: TCP-telnet example (continued)

xxx.1 > abc.com: icmp: host cde.com unreachable

Type 4: Destination port blocked:
xxx.1 > abc.com: icmp: host cde.com unreachable – admin prohibited filter

Type 5: Destination port blocked, router silenced. Some routers can be silenced by putting a statement like ‘no IP unreachable’ in the access control list. The stimulus then gets no response; it is sent repeatedly until the maximum number of permitted attempts is reached.
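The five cases above can be told apart mechanically from the tcpdump text. This is an added example, not code from the slides: it parses a SYN stimulus and classifies whichever line answers it, insisting that a TCP reply acknowledge our ISN + 1 before it counts as a response. The sample lines are constructed in the slides' format (the "filtered" line uses a plain hyphen).

```python
import re

# Constructed sample lines in the slides' tcpdump format: one SYN stimulus
# and the four possible responses (the fifth case is no response at all).
STIMULUS = ("abc.com.25020 > cde.com.telnet: S 2538567:2538567(0) "
            "win 4096 <mss 1480> (DF)")
SAMPLES = {
    "normal": "cde.com.telnet > abc.com.25020: S 38849799:38849799(0) "
              "ack 2538568 win 4096 <mss 1480>",
    "not_listening": "cde.com.telnet > abc.com.25020: R 0:0(0) ack 2538568 win 0",
    "host_down": "xxx.1 > abc.com: icmp: host cde.com unreachable",
    "filtered": "xxx.1 > abc.com: icmp: host cde.com unreachable - admin prohibited filter",
}

# tcpdump prints "host.port > host.port: FLAGS seq:seq(len) ack N ..." for TCP
# and "router > host: icmp: host X unreachable ..." for ICMP errors.
TCP_SYN = re.compile(r"^(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
                     r"S (?P<isn>\d+):\d+\(0\)")
TCP_RESP = re.compile(r"^(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
                      r"(?P<flags>[SRPF.]+) .*?ack (?P<ack>\d+)")
ICMP_ERR = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): icmp: host (?P<host>\S+) "
                      r"unreachable(?P<detail>.*)$")


def parse_stimulus(line):
    """Pick the endpoints and initial sequence number out of a SYN line."""
    m = TCP_SYN.match(line)
    if not m:
        raise ValueError("not a SYN stimulus: %r" % line)
    return {"src": m["src"], "sport": m["sport"], "dst": m["dst"],
            "dport": m["dport"], "isn": int(m["isn"])}


def classify_response(stim, line):
    """Return (type number from the slides, explanation) for one candidate line.

    Type 0 means the line is not a response to this stimulus at all.
    """
    if line is None:
        return 5, "no response: port blocked and the router silenced"
    m = TCP_RESP.match(line)
    if (m and m["src"] == stim["dst"] and m["dst"] == stim["src"]
            and m["dport"] == stim["sport"] and int(m["ack"]) == stim["isn"] + 1):
        # Only a reply acknowledging our ISN + 1 belongs to this handshake.
        if "S" in m["flags"]:
            return 1, "SYN/ACK: host up and service listening"
        if "R" in m["flags"]:
            return 2, "RST/ACK: host up but nothing listening on the port"
    m = ICMP_ERR.match(line)
    if m and m["dst"] == stim["src"] and m["host"] == stim["dst"]:
        if "admin prohibited" in m["detail"]:
            return 4, "ICMP host unreachable (admin prohibited) from %s: filtered" % m["src"]
        return 3, "ICMP host unreachable from %s: host down or misconfigured" % m["src"]
    return 0, "not a response to this stimulus"


def analyse(stimulus_line, capture_lines):
    """Scan a capture for the first line that answers the stimulus."""
    stim = parse_stimulus(stimulus_line)
    for line in capture_lines:
        kind, why = classify_response(stim, line)
        if kind:
            return kind, why
    return classify_response(stim, None)


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print("%-14s type %d: %s" % (name, *analyse(STIMULUS, [line])))
    print("%-14s type %d: %s" % ("silenced", *analyse(STIMULUS, [])))
```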

Page 9

Example 2: Windows tracert: ICMP echo request-response

Page 10

Windows tracert: consists of ICMP echo requests and ICMP echo replies. Example: for a final destination two hops away, the tcpdump output seen from the FIRST router, one hop from the source, is:

Stimulus:
abc.com > cde.com: icmp: echo request [ttl = 1]

Response:
router1 > abc.com: icmp: time exceeded in transit

tracert sends the same stimulus three times (i.e., twice more) to get the response from the same destination.

Page 11

Windows tracert (continued): Thereafter it sends an echo request with TTL = 2.

abc.com > cde.com: icmp: echo request
cde.com > abc.com: icmp: echo reply

abc.com would note the RTT. The same message is sent two more times and the RTT is noted in each case.

tracert then gives an output:
Over a maximum of 30 hops:
1  129 ms  126 ms  130 ms  router1
2  229 ms  124 ms  118 ms  cde.com
Trace complete.

Page 12

Example 3: UNIX traceroute: UDP-ICMP port unreachable

Page 13

UNIX traceroute: The default behavior of tcpdump is to print the TTL only when it has a value of 1, to warn of an impending problem.

UNIX traceroute sends a UDP message with increasing values of TTL, beginning with TTL = 1, to trace the route. For the destination, a port in the range 33000 to 33999 is usually used. Such a port is normally not listening, so an ICMP port unreachable message is returned.

Page 14

tcpdump output of traceroute:

For ttl = 1:
abc.com.27822 > cde.com.33888: udp 12 (DF) [ttl=1]
router1 > abc.com: icmp: time exceeded in transit

For ttl = 2:
abc.com.27822 > cde.com.33889: udp 12 (DF)
cde.com.33889 > abc.com.27822: icmp: cde.com udp port 33889 unreachable (DF)

Three similar messages are sent in each case.

Page 15

Example 4: FTP procedure: TCP

Page 16

FTP Procedure:

Active FTP (21: command port; 20: data port)

Step 1: The FTP client initiates the establishment of a connection with the FTP server at port 21.
Step 2: The client requests transfer of a directory listing or any other file from the server to the client.
Step 3: The server initiates the connection from port 20 to an ephemeral port of the client.
Step 4: After the connection is established, the transfer of data is completed on the new connection. For any additional exchange of data a new connection with a new ephemeral port is made.

Page 17

FTP: tcpdump output

Step 1: Establishment of connection:
abc.com.38235 > cde.com.21: S 2537895:2537895(0)
cde.com.21 > abc.com.38235: S 12337887:12337887(0) ack 2537896
abc.com.38235 > cde.com.21: . ack 1

Step 2: Exchange of packets for authentication: asking for the user name and, later, the password, etc. As an example, ONLY THE FIRST TWO packets are shown below:
cde.com.21 > abc.com.38235: P 1:24(23) ack 1
abc.com.38235 > cde.com.21: . ack 24
P indicates the Push flag.

Page 18

FTP: tcpdump output (continued):

Step 3: The directory command is issued by abc.com to get the list of directories available at the server (not shown). This leads to the establishment of a second TCP connection between port 20 of the server and an ephemeral port of the client:
cde.com.20 > abc.com.38236: S 23376656:23376656(0)
abc.com.38236 > cde.com.20: S 3535736:3535736(0) ack 23376657
cde.com.20 > abc.com.38236: . ack 1

Now cde.com would send the list of directories to abc.com on the new connection.
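The security-relevant point of active FTP is that the data channel is a connection initiated from outside, which a packet filter cannot tell from any other inbound SYN unless it remembers the control session. The following is an added example, not from the slides, that tracks SYNs in the slides' tcpdump format and accepts a port-20 SYN only when it comes from a server the local client opened a port-21 session with; the capture is constructed and the final line (a documentation address) is an unsolicited SYN added for contrast.

```python
import re

# One SYN per handshake direction; the "ack" in the server's SYN/ACK tells
# the two apart. Lines are constructed to match the slides' format.
SYN = re.compile(r"^(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
                 r"S \d+:\d+\(0\)(?P<rest>.*)$")

CAPTURE = [
    "abc.com.38235 > cde.com.21: S 2537895:2537895(0)",
    "cde.com.21 > abc.com.38235: S 12337887:12337887(0) ack 2537896",
    "abc.com.38235 > cde.com.21: . ack 1",
    "cde.com.21 > abc.com.38235: P 1:24(23) ack 1",
    "abc.com.38235 > cde.com.21: . ack 24",
    "cde.com.20 > abc.com.38236: S 23376656:23376656(0)",
    "abc.com.38236 > cde.com.20: S 3535736:3535736(0) ack 23376657",
    "cde.com.20 > abc.com.38236: . ack 1",
    # Constructed: a SYN from port 20 of a host that has no control session with us.
    "203.0.113.9.20 > abc.com.38237: S 777:777(0)",
]


def track_ftp(lines, local_hosts):
    """Classify every connection initiation seen in the capture.

    Returns (kind, initiator, responder) tuples where kind is
      'control'      a local client opening port 21 on a server,
      'active-data'  that server coming back from port 20 (expected), or
      'unsolicited'  any other inbound SYN to a local host.
    """
    control = set()   # (client, server) pairs with a control channel open
    events = []
    for line in lines:
        m = SYN.match(line)
        if not m or "ack" in m["rest"]:
            continue          # skip non-SYN lines and the SYN/ACK half of a handshake
        src, dst = m["src"], m["dst"]
        if m["dport"] == "21" and src in local_hosts:
            control.add((src, dst))
            events.append(("control", src, dst))
        elif dst in local_hosts:
            if m["sport"] == "20" and (dst, src) in control:
                events.append(("active-data", src, dst))
            else:
                events.append(("unsolicited", src, dst))
    return events


if __name__ == "__main__":
    for kind, src, dst in track_ftp(CAPTURE, {"abc.com"}):
        print("%-12s %s -> %s" % (kind, src, dst))
```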

Page 19

Example 5: Not all erroneous packets are malicious.

Page 20

No stimulus, all response: Consider the following tcpdump output:

router1 > 182.122.150.72: icmp: time exceeded in transit (or any other error message)
router1 > 182.122.130.52: icmp: time exceeded in transit
router1 > 182.122.110.32: icmp: time exceeded in transit

Explanation: A large number of such messages arrived for hosts on the 182.122 net. Host addresses of that net had been spoofed for sending traffic to a foreign host.

Note: Such ICMP messages cannot be probing messages, since an ICMP error message cannot get a response. No danger to 182.122.
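Telling this backscatter apart from errors that answer our own traffic needs the capture's earlier stimuli. Added example, not from the slides: it remembers every outbound packet from the local net and counts inbound ICMP errors as "answered" only when the targeted host sent something first. The capture is constructed: one error answering a real SYN to a documentation address, then the slide's three unsolicited errors.

```python
import re
from collections import Counter

LOCAL_NET = "182.122."   # the slide's net, written as an address prefix

PKT = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): (?P<body>.*)$")

# Constructed capture: one ICMP error that answers our own SYN, then three
# errors from the slide that answer nothing we sent.
CAPTURE = [
    "182.122.150.10.40012 > 203.0.113.7.80: S 100:100(0) win 4096",
    "router1 > 182.122.150.10: icmp: host 203.0.113.7 unreachable",
    "router1 > 182.122.150.72: icmp: time exceeded in transit",
    "router1 > 182.122.130.52: icmp: time exceeded in transit",
    "router1 > 182.122.110.32: icmp: time exceeded in transit",
]


def host_of(addr):
    """Strip the port that tcpdump appends to an IPv4 address (a.b.c.d.port)."""
    parts = addr.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts):
        return ".".join(parts[:4])
    return addr


def is_icmp_error(body):
    return body.startswith("icmp:") and ("time exceeded" in body or "unreachable" in body)


def split_icmp_errors(lines, local_net=LOCAL_NET):
    """Return (answered, backscatter): per-host counts of inbound ICMP errors.

    An error is 'answered' when the local host it targets sent a stimulus
    earlier in the capture, and 'backscatter' otherwise.
    """
    stimulated = set()
    answered, backscatter = Counter(), Counter()
    for line in lines:
        m = PKT.match(line)
        if not m:
            continue
        src, dst, body = host_of(m["src"]), host_of(m["dst"]), m["body"]
        if src.startswith(local_net) and not body.startswith("icmp:"):
            stimulated.add(src)              # we sent something; a reply is legitimate
        elif dst.startswith(local_net) and is_icmp_error(body):
            (answered if dst in stimulated else backscatter)[dst] += 1
    return answered, backscatter


def verdict(backscatter, min_hosts=3):
    """The slide's reading: many unsolicited errors spread over the net means
    someone is spoofing our addresses elsewhere, not probing us."""
    if len(backscatter) >= min_hosts:
        return "backscatter: local addresses spoofed elsewhere; no danger to the net"
    return "too few unsolicited ICMP errors to call it backscatter"


if __name__ == "__main__":
    answered, backscatter = split_icmp_errors(CAPTURE)
    print("answered:", dict(answered), "backscatter:", dict(backscatter))
    print(verdict(backscatter))
```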

Page 21

Example 6: DNS messages: UDP stimulus-response

Page 22

UDP stimulus-response: example of tcpdump data for DNS messages (port 53):

Type 1: Normal

Stimulus:
abc.com.25020 > cde.com.domain: 21000+ (31) (DF)

+ means that the domain server is asked to work recursively to obtain the resolution. 31 is the payload of the UDP packet, not including the UDP and IP headers.

Response:
cde.com.domain > abc.com.25020: 21000 1/0/0 (193) (DF)

Page 23

UDP stimulus-response: Anomalous cases

1/0/0 is the tcpdump DNS report format: 1 = one answer resource record; 0 = no authority record; 0 = no additional record.

Type 2: Destination not listening at port 53: For the same stimulus, the response is:
cde.com.domain > abc.com: icmp: cde.com udp port domain unreachable

Page 24

DNS Background ....1

Page 25

DNS (UDP port 53): [figure: the DNS name hierarchy]
Root servers
Top-level domains: com edu net org biz info name pro gov mil ...
2-character country-specific domains: ca jp uk ...
arpa (for reverse look-up)

Page 26

DNS System:

Every domain name server has many slaves, which take over in case there is a failure.

The slaves keep themselves synchronized by using the BIND protocol.

Transfers between the primary DNS server and the slaves are done through a zone transfer, which should be allowed between authorized servers only.

These transfers are done by using TCP in the interest of reliability.

Page 27

DNS response: X/Y/Z

X: the number of answers (usually 1 or 0), i.e. the resolved IP address
Y: Authoritative records: the names of the authoritative DNS servers
Z: Additional records: the IP addresses of the authoritative DNS servers

Page 28

Example 7: DNS messages: UDP stimulus-response

Page 29

DNS: tcpdump output

abc.com.2222 > dns.cde.com.53: 1+ (35)

abc.com issues a ‘gethostbyname’ call to resolve the IP address of some host in the SANS organization. The + sign means the request is recursive, in that it asks the local DNS server to find and give the final answer.

The local DNS server has no information about the SANS organization, so it goes to the root server.

dns.cde.com.53 > h.root-servers.net.53: 12420- (30) (DF)

Root servers are busy, so only an iterative request is issued, as indicated by the hyphen after 12420.

Reference: The example is taken from Northcutt and Novak, Ch 6

Page 30

DNS: Authoritative records: 12420 is the ID number for the request.

h.root-servers.net.53 > dns.cde.com.53: 12420- 0/3/3 (153) (DF)

The root server says that it is sending 0/3/3: no answer records / 3 authoritative records / 3 additional records.

Authoritative records: of the 3 servers which own and maintain the records for the SANS domain.

Additional records: provide the resolution of the above three authoritative DNS servers to their IP addresses.

Page 31

DNS: Authoritative & Additional records:

Authoritative records:
sans.org name server = server1.sans.org
sans.org name server = ns.BSD1.COM
sans.org name server = ns.DELOS.COM

Additional records:
server1.sans.org Internet address = 167.216.133.33
ns.BSD.COM Internet address = 205.230.225.16
ns.DELOS.COM Internet address = 192.65.171.1

Page 32

DNS: tcpdump output (continued): The local DNS server now asks the first authoritative DNS server to resolve the IP address:

dns.cde.com.53 > server1.sans.org.53: 12421+ (30) (DF)
server1.sans.org.53 > dns.cde.com.53: 12421* 1/3/3 (172)

* means the IP address being given is authoritative. 3/3 are the same authority records and additional records mentioned in the previous slide.

Page 33

DNS Background ....2

Page 34

DNS Cache: The local DNS server caches the IP address(es) obtained as shown in the previous four slides for a period called the TTL, as specified by the authoritative domain server.

As long as the record is in the cache, a request to resolve that domain name is met by responding with the IP address from the cache. The server marks such an answer as non-authoritative.

Page 35

DNS: Reverse lookup

Given: an IP address. To find: the host name, by using gethostbyaddr. Method: to reverse look up the address 167.216.233.33, the query is as follows: 33.233.216.167.in-addr.arpa.

Limited size of UDP data: Maximum allowable size of a UDP DNS response = 512 bytes. Out of this:
IP header = 20 bytes
UDP header = 8 bytes

Page 36

Limited size of UDP data:

Therefore the data part of a UDP DNS message is 484 bytes.

If the data to be returned would be more than 484 bytes, it is truncated and a new TCP request for DNS will be issued.

Example:
abc.com.2727 > dns.cde.com.53: 12122 (43) (DF)
dns.cde.com.53 > abc.com.2727: 12122| 7/0/0 (494)

The vertical line after 12122 indicates that the data has been truncated.
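The flag characters and the X/Y/Z field read on slides 22 to 32 and above can be parsed from the tcpdump summary, and pairing responses with the query carrying the same ID and endpoints also exposes responses that answer nothing. This is an added example, not code from the slides; the capture is the slides' own exchanges (root server name spelled h.root-servers.net) plus one constructed unsolicited response with ID 31337.

```python
import re

UDP_DNS_DATA_MAX = 512 - 20 - 8   # the slides' budget: 484 bytes of DNS data

# tcpdump DNS summary: "src > dst: ID[flags] [an/ns/ar] (len)". Flags used on the
# slides: '+' recursion desired, '-' iterative, '*' authoritative, '|' truncated.
DNS = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)(?P<flags>[+*|-]*)\s*"
                 r"(?:(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+))?\s*\((?P<len>\d+)\)")
ICMP_UNREACH = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): icmp: \S+ udp port \S+ unreachable")

# The exchanges from the slides plus one constructed response (ID 31337) that
# answers no query in the capture.
CAPTURE = [
    "abc.com.25020 > cde.com.domain: 21000+ (31) (DF)",
    "cde.com.domain > abc.com.25020: 21000 1/0/0 (193) (DF)",
    "dns.cde.com.53 > h.root-servers.net.53: 12420- (30) (DF)",
    "h.root-servers.net.53 > dns.cde.com.53: 12420- 0/3/3 (153) (DF)",
    "dns.cde.com.53 > server1.sans.org.53: 12421+ (30) (DF)",
    "server1.sans.org.53 > dns.cde.com.53: 12421* 1/3/3 (172)",
    "abc.com.2727 > dns.cde.com.53: 12122 (43) (DF)",
    "dns.cde.com.53 > abc.com.2727: 12122| 7/0/0 (494)",
    "dns.cde.com.53 > abc.com.2727: 31337 1/0/0 (60)",
    "cde.com > abc.com: icmp: cde.com udp port domain unreachable",
]


def parse_dns_line(line):
    """Turn one tcpdump DNS line into a dict, or None if it is not one."""
    m = DNS.match(line)
    if not m:
        return None
    counts = (int(m["an"]), int(m["ns"]), int(m["ar"])) if m["an"] is not None else None
    return {"src": m["src"], "dst": m["dst"], "id": int(m["id"]),
            "recursive": "+" in m["flags"], "iterative": "-" in m["flags"],
            "authoritative": "*" in m["flags"], "truncated": "|" in m["flags"],
            "is_response": counts is not None, "counts": counts, "length": int(m["len"])}


def pair_exchanges(lines):
    """Match responses to queries by (ID, endpoints); return
    (exchanges, unsolicited responses, 'port unreachable' lines)."""
    pending, exchanges, unsolicited, unreachable = {}, [], [], []
    for line in lines:
        if ICMP_UNREACH.match(line):
            unreachable.append(line)       # destination not listening on port 53
            continue
        rec = parse_dns_line(line)
        if rec is None:
            continue
        if not rec["is_response"]:
            pending[(rec["id"], rec["src"], rec["dst"])] = rec
            continue
        key = (rec["id"], rec["dst"], rec["src"])   # the query's (id, src, dst)
        if key in pending:
            exchanges.append((pending.pop(key), rec))
        else:
            unsolicited.append(rec)        # no stimulus with that ID: suspect
    return exchanges, unsolicited, unreachable


def describe(query, resp):
    """Explain a response the way the slides read the flags and X/Y/Z."""
    an, ns, ar = resp["counts"]
    parts = ["%d answer" % an, "%d authority" % ns, "%d additional" % ar]
    if query["recursive"]:
        parts.append("recursive query")
    if resp["iterative"]:
        parts.append("iterative (referral)")
    if resp["authoritative"]:
        parts.append("authoritative answer")
    if resp["truncated"]:
        parts.append("truncated: %d bytes exceed the %d-byte UDP budget, retry over TCP"
                     % (resp["length"], UDP_DNS_DATA_MAX))
    return ", ".join(parts)


if __name__ == "__main__":
    ex, un, unr = pair_exchanges(CAPTURE)
    for q, r in ex:
        print("%s id %d: %s" % (r["src"], r["id"], describe(q, r)))
    print("unsolicited:", [r["id"] for r in un], "unreachable:", len(unr))
```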

Page 37

DNS on TCP: The size of the data that should have been sent was 494 bytes (larger than the 484 bytes allowed with UDP).

The request can be reissued with TCP. But a TCP connection to port 53 is usually not allowed, except for zone transfers. In such a case, larger data of the type asked for above cannot be obtained.

Alternatively, TCP connections to port 53 may be allowed if an earlier UDP connection exist(ed). But this would require storing the state of UDP connections.

Page 38

Weaknesses in DNS: Probing attacks:

a) At any machine, on giving the command
% nslookup
the name of the default domain name server and its IP address are provided.

Example W1:
> nslookup
Default Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3

Page 39

Weaknesses in DNS: Example W2: on sending a ‘gethostbyname’ call to resolve the IP address of www.msn.com:
Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
Non-authoritative answer:
Name: www.msn.com
Addresses: 207.68.173.254, 207.68.171.244, 207.68.171.245, 207.68.172.234, 207.68.173.244

A non-authoritative answer is one that the local domain name server supplies from its cache.

Page 40

To find your name server: b) On using the commands
> set type=ns
> domainname
the system responds with your name server.

Ex W3:
> set type=ns
> uwindsor.ca
Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
.................. next slide

Page 41

Ex W3 (continued):
Non-authoritative answer:
uwindsor.ca nameserver = dns.uwindsor.ca
uwindsor.ca nameserver = ns1.uwo.ca
dns.uwindsor.ca internet address = 137.207.232.1
ns1.uwo.ca internet address = 129.100.2.12

There are two name servers. Names and IP addresses of both are provided.

Page 42

Weaknesses in DNS: Example W4:
> set type=ns
> msn.com
Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
Non-authoritative answer:
msn.com nameserver = dns1.cp.msft.net
msn.com nameserver = dns1.dc.msft.net
msn.com nameserver = dns1.sj.msft.net
msn.com nameserver = dns1.tk.msft.net

Page 43

Weaknesses in DNS: Example W4 (continued)
msn.com nameserver = dns3.jp.msft.net
msn.com nameserver = dns3.uk.msft.net
dns1.cp.msft.net internet address = 207.46.138.20
dns1.dc.msft.net internet address = 64.4.25.30
dns1.sj.msft.net internet address = 65.54.248.222
dns1.tk.msft.net internet address = 207.46.245.230
dns3.jp.msft.net internet address = 207.46.72.123
dns3.uk.msft.net internet address = 213.199.144.151

Page 44

Weaknesses in DNS (continued): c) Many domain name servers store host information like the name of the machine and details of its hardware and operating system. Example: the commands
> set type=hinfo
> host49
will get the hardware and OS information of host49, if available.

It is wise not to store such information in a DNS server, since the DNS protocol provides a means for anyone (including a hacker) to access the information easily.

Page 45

Host Information: Example W5
> set type=hinfo
> davinci.newcs.uwindsor.ca
Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
newcs.uwindsor.ca
  primary name server = davinci.newcs.uwindsor.ca
  responsible mail addr = walid.uwindsor.ca
  serial = 2003112403
  refresh = 10800 (3 hours)
  retry = 3600 (1 hour)
  expire = 604800 (7 days)
  default TTL = 86400 (1 day)

Page 46

Host Information: Definitions: Master/Secondary servers ..1

Serial: the serial number at the beginning of the Start Of Authority (SOA) data, updated every time the DNS database is updated. A secondary DNS server updates its data only if the serial number of the master is higher than its own serial number. The serial thus defines when the DNS data was updated.

Refresh: the time interval (in seconds) between two successive updates of the database of a secondary name server.

Retry: If the secondary is not able to reach the master after a Refresh interval, it starts trying to reach the master every Retry interval.

Retry interval < Refresh interval

Page 47

Host Information: Definitions: Master/Secondary servers ..2

Expire: If the secondary is not able to reach the master for an Expire interval, it stops responding to domain name resolution queries, i.e. it expires its data.

Default TTL: The TTL for every record of the name server’s database is supplied by the authoritative name server in its response to the query. The default value is used if no such value is supplied in the response.

Page 48

Host Information: Example W6
> set type=hinfo
> nismail.uwindsor.ca
Server: davinci.newcs.uwindsor.ca
Address: 137.207.76.3
uwindsor.ca
  primary name server = dns.uwindsor.ca
  responsible mail addr = clw.uwindsor.ca
  serial = 2004020400
  refresh = 14400 (4 hours)
  retry = 3600 (1 hour)
  expire = 604800 (7 days)
  default TTL = 129600 (1 day 12 hours)

Page 49

Weaknesses in DNS (continued): d) The command
> ls -d abc.com
may list the entire DNS server record of the domain abc.com.

Example W7:
> ls -d newcs.uwindsor.ca
[davinci.newcs.uwindsor.ca]
newcs.uwindsor.ca.  SOA (Start of Authority)  davinci.newcs.uwindsor.ca walid.uwindsor.ca. (2003020700 10800 3600 604800 86400)
newcs.uwindsor.ca.  NS  uwindsor.ca
newcs.uwindsor.ca.  NS  davinci.newcs.uwindsor.ca
.................. next slide

Page 50

Weaknesses in DNS: Example W7 (continued) ....2
newcs.uwindsor.ca.  NS  naps.uwindsor.ca
router-nt  A  137.207.76.2
Symmetra ups  A  137.207.76.15
xylan ATM machine  A  137.207.76.54
cs-ssr-6th router at 6thfl  A  137.207.76.250
davinci  MX  5 davinci.newcs.uwindsor.ca
davinci  MX  10 nismail.uwindsor.ca
cs-ssr-main main router  A  137.207.76.254
davinci.newcs.uwindsor.ca walid.uwindsor.ca. (2003020700 10800 3600 604800 86400)

Notes: A: Authoritative record; MX: Mail exchange

Page 51

Weaknesses in DNS: Example W7 (continued) ....3

Ex. W7: For the domain, there are two mail exchangers available, with priority values of 5 and 10. Allowed priority values: 0 to 65,535. The highest priority is 0 and the lowest priority is 65,535. A mail server would try to deliver the mail first to the mail exchanger with the highest priority. In case that mail exchanger is down, it would deliver the mail to the mail exchanger with the next lower priority. This method avoids looping in a large system.
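The definitions on slides 46 and 47 and the listing in Example W7 can be turned into a small zone audit: the SOA timer rule (retry < refresh), the secondary's serial comparison, the MX delivery order, and a warning for any HINFO record of the kind slide 44 advises against publishing. Added example, not from the slides; the records are transcribed from the W7 listing, and the HINFO record with placeholder hardware/OS strings is constructed.

```python
# Records transcribed from the slides' 'ls -d newcs.uwindsor.ca' listing, as
# (owner, type, data) tuples, plus one constructed HINFO record.
ZONE = [
    ("newcs.uwindsor.ca.", "SOA", {"mname": "davinci.newcs.uwindsor.ca",
                                   "rname": "walid.uwindsor.ca.", "serial": 2003020700,
                                   "refresh": 10800, "retry": 3600,
                                   "expire": 604800, "minimum": 86400}),
    ("newcs.uwindsor.ca.", "NS", "uwindsor.ca"),
    ("newcs.uwindsor.ca.", "NS", "davinci.newcs.uwindsor.ca"),
    ("newcs.uwindsor.ca.", "NS", "naps.uwindsor.ca"),
    ("router-nt", "A", "137.207.76.2"),
    ("davinci", "MX", (5, "davinci.newcs.uwindsor.ca")),
    ("davinci", "MX", (10, "nismail.uwindsor.ca")),
    ("cs-ssr-main", "A", "137.207.76.254"),
    ("router-nt", "HINFO", ("EXAMPLE-HARDWARE", "EXAMPLE-OS")),   # constructed
]


def check_soa(soa):
    """Apply the timer rules from the slides; return a list of findings."""
    findings = []
    if not soa["retry"] < soa["refresh"]:
        findings.append("retry (%d) should be smaller than refresh (%d)"
                        % (soa["retry"], soa["refresh"]))
    # A secondary that cannot reach the master expires its data after
    # 'expire' seconds, so expire must outlast at least one refresh cycle.
    if not soa["expire"] > soa["refresh"]:
        findings.append("expire (%d) should be larger than refresh (%d)"
                        % (soa["expire"], soa["refresh"]))
    return findings


def secondary_should_transfer(master_serial, own_serial):
    """The slides' rule: transfer only when the master's serial is higher."""
    return master_serial > own_serial


def mx_delivery_order(zone, owner):
    """Mail exchangers for 'owner', highest priority (lowest value) first."""
    mx = [data for name, rtype, data in zone if name == owner and rtype == "MX"]
    return [host for _pref, host in sorted(mx)]


def audit_zone(zone):
    """Combine the checks: SOA timers, and HINFO records the slides advise against."""
    findings = []
    for name, rtype, data in zone:
        if rtype == "SOA":
            findings += ["SOA for %s: %s" % (name, f) for f in check_soa(data)]
        elif rtype == "HINFO":
            findings.append("HINFO for %s exposes hardware/OS (%s, %s): remove it"
                            % (name, data[0], data[1]))
    return findings


if __name__ == "__main__":
    for f in audit_zone(ZONE):
        print("finding:", f)
    print("MX order for davinci:", mx_delivery_order(ZONE, "davinci"))
```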

Page 52

Weaknesses in DNS (continued)

e) A tool called ‘Domain Internet Groper’ (DIG) is supplied with some implementations of BIND. It can provide the version number of BIND (versions in use: 4.8.3 and 4.9.4).

f) Sneaky traceroute: Since port 53 is usually kept open and firewalls allow port 53 messages, UDP messages to port 53 with increasing values of TTL can tell whether the host is alive.

This method (to find whether a host is alive) may be used if ICMP echo requests are blocked.

Page 53

Sneaky traceroute

Generate UDP messages for the destination host (which should not be a name server) with progressively increasing values of TTL.

Intermediate routers would respond with a time exceeded ICMP message.

If the destination host is alive, it would respond with a port unreachable ICMP message.

If the destination host is not alive, the last router would respond with a host unreachable ICMP message.
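Both the UNIX traceroute capture of Example 3 and the port-53 variant above leave the same three-way signature in tcpdump output, so one piece of logic recovers the hops and the verdict from either and lets an analyst spot the port-53 form. Added example, not from the slides: since tcpdump annotates only [ttl=1], hops are recovered from the order of probes and replies (three probes per TTL). Both captures are constructed in the slides' format.

```python
import re

PROBE = re.compile(r"^(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\w+): udp \d+")
REPLY = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): icmp: (?P<msg>.*)$")

# Constructed captures in the slides' format. tcpdump only annotates [ttl=1],
# so hops are recovered from the order of probes and replies, three per TTL.
UNIX_TRACEROUTE = [
    "abc.com.27822 > cde.com.33888: udp 12 (DF) [ttl=1]",
    "router1 > abc.com: icmp: time exceeded in transit",
    "abc.com.27822 > cde.com.33889: udp 12 (DF) [ttl=1]",
    "router1 > abc.com: icmp: time exceeded in transit",
    "abc.com.27822 > cde.com.33890: udp 12 (DF) [ttl=1]",
    "router1 > abc.com: icmp: time exceeded in transit",
    "abc.com.27822 > cde.com.33891: udp 12 (DF)",
    "cde.com.33891 > abc.com.27822: icmp: cde.com udp port 33891 unreachable (DF)",
]
PORT53_SWEEP = [
    "abc.com.27822 > cde.com.53: udp 12 (DF) [ttl=1]",
    "router1 > abc.com: icmp: time exceeded in transit",
    "abc.com.27822 > cde.com.53: udp 12 (DF)",
    "router2 > abc.com: icmp: host cde.com unreachable",
]


def host_of(addr):
    """Drop a trailing port label unless the address is a bare dotted quad."""
    parts = addr.split(".")
    if parts[-1].isdigit() and not (len(parts) == 4 and all(p.isdigit() for p in parts)):
        return ".".join(parts[:-1])
    return addr


def reconstruct(lines):
    """Pair probes with replies; return the hop list, a verdict, and whether
    the probes went to port 53 (the 'sneaky traceroute' variant)."""
    prober = target = None
    ports, replies, pending = set(), [], 0
    for line in lines:
        p = PROBE.match(line)
        if p:
            prober, target = p["src"], p["dst"]
            ports.add(p["dport"])
            pending += 1
            continue
        r = REPLY.match(line)
        if r and pending and host_of(r["dst"]) == prober:
            replies.append((host_of(r["src"]), r["msg"]))
            pending -= 1
    hops, verdict = [], "incomplete: no final reply seen"
    for host, msg in replies:
        if "time exceeded" in msg:
            if not hops or hops[-1] != host:
                hops.append(host)          # three probes per TTL collapse to one hop
        elif "port" in msg and "unreachable" in msg and host == target:
            hops.append(host)
            verdict = "target alive: it answered port unreachable"
            break
        elif "host" in msg and "unreachable" in msg:
            verdict = "target not alive: %s answered host unreachable" % host
            break
    return {"prober": prober, "target": target, "hops": hops, "verdict": verdict,
            "dns_port_probe": bool(ports) and ports <= {"53", "domain"}}


if __name__ == "__main__":
    for cap in (UNIX_TRACEROUTE, PORT53_SWEEP):
        print(reconstruct(cap))
```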

Page 54

Weaknesses in DNS: Cache poisoning attack:

g) Since the DNS message format for a query and the message format for the response are the same, a query may contain a poisoned IP address.

The domain name server would cache it for later use.

This can misdirect other users to the wrong site.
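The defence against the case above is for the resolver to cache nothing it did not ask for: only responses, only those whose transaction ID matches an outstanding query, and only records inside the zone that query concerned (a bailiwick check). Added example, not from the slides: a naive cache beside a checked one, driven by constructed message dicts rather than real DNS packets; the poisoned pair uses a documentation address.

```python
def in_bailiwick(name, zone):
    """True when 'name' is the zone apex or lies below it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


class NaiveCache:
    """Caches every name/address pair in any message, query or response."""
    def __init__(self):
        self.records = {}

    def absorb(self, msg):
        for name, ip in msg["records"]:
            self.records[name] = ip
        return list(msg["records"])


class CheckedCache:
    """Caches only records from a response that matches an outstanding query,
    and only those within the zone that query concerned."""
    def __init__(self):
        self.records = {}
        self.outstanding = {}      # transaction id -> zone being asked about

    def send_query(self, txid, zone):
        self.outstanding[txid] = zone

    def absorb(self, msg):
        """Return the records accepted into the cache."""
        if msg["kind"] != "response":
            return []                      # a query never populates the cache
        zone = self.outstanding.pop(msg["id"], None)
        if zone is None:
            return []                      # no stimulus with this id: unsolicited
        accepted = [(n, ip) for n, ip in msg["records"] if in_bailiwick(n, zone)]
        self.records.update(accepted)
        return accepted


# Constructed messages. The poisoned pair uses a documentation address.
POISON = ("www.bank.example", "203.0.113.9")
QUERY_WITH_RECORD = {"kind": "query", "id": 555, "records": [POISON]}
GOOD_RESPONSE = {"kind": "response", "id": 12421,
                 "records": [("server1.sans.org", "167.216.133.33"), POISON]}
UNSOLICITED = {"kind": "response", "id": 31337, "records": [POISON]}


def demo():
    """Feed the same messages to both caches; return their final contents."""
    naive, checked = NaiveCache(), CheckedCache()
    naive.absorb(QUERY_WITH_RECORD)         # the slide's case: cached from a query
    checked.absorb(QUERY_WITH_RECORD)       # rejected: not a response
    checked.send_query(12421, "sans.org")
    checked.absorb(GOOD_RESPONSE)           # sans.org record kept, poison dropped
    checked.absorb(UNSOLICITED)             # rejected: no matching query id
    return naive.records, checked.records


if __name__ == "__main__":
    print(demo())
```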

Page 55

References for the Mitnick attack:

1. http://www.totse.com/en/hack/hack_attack/hacker03.html

2. http://www.shado.info/blog/archives/000112.html (home page of the blog: http://www.shado.info/)

Page 56

Two news items and two stories (p. 103-105 and Ch 7 of the text book on Intrusion Detection)

Page 57

WHY DID AL-JAZEERA WEB-SITES GO DOWN?

“At this point we're not able to triangulate to a particular reason.... It could just be an overall traffic increase that adds to the load or it could be an increase in the rate at which users are coming to the site. Or it could be some external event like a DoS or a virus that's propagating.

Al-Jazeera put this site together in a hurry.... You have to do at least some basic load testing.”

Roopak Patel, Senior Internet Data Analyst, Keynote Systems Inc., a performance management and testing company, San Mateo, Calif., March 25, 2003

Page 58

Dangerous times

The recent rash of Internet worms has produced an army of hundreds of thousands of compromised machines that could ultimately be used to launch a massive DDoS attack at any time.

CERT is monitoring .. five large networks of compromised machines installed with bots. The bots connect compromised PCs or servers to Internet Relay Chat servers, which attackers commonly use to execute commands on the remote systems. At least one of these networks has more than 140,000 machines.

Officials at the CERT Coordination Center, Carnegie Mellon University, 17 March 2003