Basic Elements of Attacks and Their Detection

Feb 24, 2016

Dida Damanik

Page 1: Basic Elements of Attacks and Their Detection

Page 2: Basic Elements of Attacks and Their Detection

Contents
• Elements of TCP/IP addressing
• Layers in Internet communication
• Phases of an attack

Page 3: Basic Elements of Attacks and Their Detection

Elements of TCP/IP addressing

• IP address
  – IPv4: a 32 bit number usually presented as 4 dotted fields – field1.field2.field3.field4
    • Example: 194.147.191.31
  – IPv6: a 128 bit number arranged as 8 groups of 16 bits each, separated by colons.
    • Example: 00DC:BA02:5644:A201:1FAB:BA5C:7000:001D
    • Multiple 0s can be replaced by a double colon
    • All IPv4 addresses fit in the rightmost 8 hex digits of an IPv6 address, e.g. IPv6 ::C293:BF1F is IPv4 194.147.191.31 (C2 hex = 194 decimal, etc.)
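The conversions on this slide, worked in code. This is an added example, not part of the original deck: it moves between the dotted IPv4 form, the 32-bit integer behind it, and the "::C293:BF1F" IPv6 form that carries the IPv4 value in its rightmost 32 bits, using only the standard library ipaddress module for the double-colon compression.

```python
import ipaddress

# Added example (not from the slides): move between the dotted IPv4 form,
# the 32-bit integer behind it, and the IPv6 form that carries that integer
# in its rightmost 32 bits (8 hex digits), as the slide's "::C293:BF1F" does.

def ipv4_to_int(dotted: str) -> int:
    """'194.147.191.31' -> 0xC293BF1F, checking each field is 0..255."""
    fields = dotted.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected 4 dotted fields, got {dotted!r}")
    value = 0
    for field in fields:
        n = int(field)
        if not 0 <= n <= 255:
            raise ValueError(f"field {field!r} out of range in {dotted!r}")
        value = (value << 8) | n      # each field is one byte: C2=194, 93=147, ...
    return value

def int_to_ipv4(value: int) -> str:
    """Inverse of ipv4_to_int: split the 32-bit value back into 4 bytes."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def ipv4_to_embedded_ipv6(dotted: str) -> str:
    """Place the IPv4 address in the last two 16-bit groups of an otherwise
    all-zero IPv6 address; ipaddress applies the '::' zero compression."""
    value = ipv4_to_int(dotted)
    groups = [0] * 6 + [value >> 16, value & 0xFFFF]
    full = ":".join(f"{g:04x}" for g in groups)      # 0000:0000:...:c293:bf1f
    return str(ipaddress.IPv6Address(full)).upper()   # -> '::C293:BF1F'

def embedded_ipv6_to_ipv4(addr: str) -> str:
    """Take the low 32 bits of any IPv6 address (compressed or not) and
    print them as dotted decimal."""
    return int_to_ipv4(int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFF)

def expand_ipv6(addr: str) -> str:
    """Undo '::' compression: all 8 groups, 4 hex digits each."""
    return ipaddress.IPv6Address(addr).exploded.upper()
```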

Page 4: Basic Elements of Attacks and Their Detection

Elements of TCP/IP addressing

• Encapsulation is extensively used in packet data transmission
  – A lower level protocol is seen as data at the immediately higher level
  – These levels are called layers.

Page 5: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• Layers relevant for Internet packet communication
  – Hardware (link) layer
  – IP layer
  – Protocol (transport) layer
  – Application layer

Page 6: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• Hardware (link) layer
  – Interfaces with the network hardware (e.g. Ethernet, IEEE 802.11 etc.)
  – Packets physically sent/received
  – Handles specific information about the local hardware (e.g. MAC address).

Page 7: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• IP layer
  – Implements the IP protocol
  – Reads IP addresses
  – IP is unreliable: no guarantee whatsoever that a packet will arrive
  – Packets may be broken into fragments if necessary and this layer handles the fragmentation.

Page 8: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• IP header (layout diagram)

Page 9: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• IP header fields
  – Version (4 bits): IP version number (4 or 6).
  – Length (4 bits): number of 4-byte words in the header (maximum 60 bytes).
  – Type of service (1 byte): routing preference:
    • Minimize delay
    • Maximize throughput
    • Maximize reliability
    • Minimize monetary cost.

Page 10: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• IP header fields (cont.)
  – Total Packet Length (2 bytes): total number of bytes of the IP datagram.
  – Identification (2 bytes): unique identifier for the packet.
  – Flags (3 bits): flags indicating fragmentation status.
  – Fragment Offset (13 bits): offset of fragmented packet.

Page 11: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• IP header fields (cont.)
  – Time to Live (1 byte): how many routers to allow the packet to traverse.
  – Protocol (1 byte): code indicating what protocol is used in the protocol header.
  – Header Checksum (2 bytes): error checking code to ensure the packet is not corrupted in transit.

Page 12: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• IP header fields (cont.)
  – Source IP Address (4 bytes): address of the source host.
  – Destination IP Address (4 bytes): address of the destination host.
  – Options: rarely used nowadays and often not implemented at all.
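A parser for the header described on the last four slides, as an added example that is not from the deck. It unpacks every field, decodes the 3-bit Flags and 13-bit Fragment Offset, and recomputes the Header Checksum so that a header corrupted in transit is reported as such; the builder at the end only exists to construct sample input.

```python
import struct

# Added example (not from the slides): parse the 20-byte IPv4 header the slides
# describe, decode the fragmentation fields, and verify the Header Checksum.

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd trailing byte padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    """Return the header fields as a dict; raises ValueError on a truncated header."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum 20-byte IP header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = ver_ihl & 0x0F                     # Length field: count of 4-byte words
    header_len = ihl * 4                     # 20..60 bytes
    if ihl < 5 or len(packet) < header_len:
        raise ValueError(f"bad header length {header_len}")
    return {
        "version": ver_ihl >> 4,
        "header_len": header_len,
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),   # flag bit 1 (DF)
        "more_fragments": bool(flags_frag & 0x2000),  # flag bit 2 (MF)
        "frag_offset": (flags_frag & 0x1FFF) * 8,     # 13-bit offset, in 8-byte units
        "ttl": ttl,
        "protocol": proto,                             # 1 ICMP, 6 TCP, 17 UDP
        "checksum_ok": internet_checksum(packet[:header_len]) == 0,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "options": packet[20:header_len],
    }

def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Constructed sample input: a checksummed 20-byte header with the DF flag set."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, ttl, proto, 0, src_b, dst_b)
    csum = internet_checksum(hdr)            # computed over the header with checksum = 0
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]
```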

Page 13: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• Protocol (transport) layer
  – Reliability of communication is implemented here.
  – TCP, UDP or ICMP may be implemented at this level, unlike the IP layer where only IP packets may exist.

Page 14: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• TCP protocol
  – Provides a reliable mode of communication between applications
  – Implements “ports”
  – Two-way communication
  – Implements a communication “channel” with mechanisms to ensure packets arrive or are resent as needed.
  – Web, ftp, telnet, SSH, E-mail use TCP.

Page 15: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• TCP header (layout diagram)

Page 16: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• TCP header fields
  – Source Port (2 bytes): communications port number
  – Destination Port (2 bytes): communications port number for the destination application
  – Sequence Number (4 bytes): unique number for the packet (they are sequential in the session)

Page 17: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• TCP header fields (cont.)
  – Acknowledgement Number (4 bytes): like the sequence number.
  – Length (4 bits): length of the header in 4 byte words.
  – Reserved (6 bits): reserved bits.
  – Flags (6 bits): flags controlling the communications session.

Page 18: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• TCP header fields (cont.)
  – Window Size (2 bytes): number of bytes in the transfer buffer.
  – Checksum (2 bytes): checksum for the TCP header.
  – Urgent Pointer (2 bytes): control for emergency aborts.
  – Options: various options.
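The TCP header of the last three slides, parsed in code as an added example that is not from the deck. Besides unpacking the fields it names the six flags and maps each flag combination to the step of the session it represents (handshake, data, teardown, reset, or a segment with no flags at all, which no normal stack sends). The builder is only there to construct sample segments and leaves the checksum at zero, since computing it needs the IP pseudo-header.

```python
import struct

# Added example (not from the slides): parse the TCP header the slides describe,
# name the six control flags, and classify a segment by its role in the session.

FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

def parse_tcp_header(segment: bytes) -> dict:
    """Return the TCP header fields; raises ValueError on a truncated header."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum 20-byte TCP header")
    (sport, dport, seq, ack, off_res_flags, window, csum, urg) = \
        struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_res_flags >> 12) * 4      # Length field: 4-byte words
    if data_offset < 20 or len(segment) < data_offset:
        raise ValueError(f"bad data offset {data_offset}")
    flags = off_res_flags & 0x3F                 # low 6 bits
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "header_len": data_offset,
        "reserved": (off_res_flags >> 6) & 0x3F,  # the 6 reserved bits
        "flags": {name for name, bit in FLAG_BITS.items() if flags & bit},
        "window": window, "checksum": csum, "urgent_ptr": urg,
        "options": segment[20:data_offset],
        "payload": segment[data_offset:],
    }

def classify_segment(fields: dict) -> str:
    """Map the flag combination to the step of the session it represents."""
    f = fields["flags"]
    if "RST" in f:
        return "reset"
    if "SYN" in f:
        return "handshake: SYN/ACK" if "ACK" in f else "handshake: SYN"
    if "FIN" in f:
        return "teardown: FIN"
    if fields["payload"]:
        return "data"
    return "ack only" if "ACK" in f else "no flags (abnormal)"

def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: set,
                     payload: bytes = b"") -> bytes:
    """Constructed sample segment; checksum left 0 (it needs the IP pseudo-header)."""
    bits = sum(FLAG_BITS[n] for n in flags)
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits,
                      65535, 0, 0)
    return hdr + payload
```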

Page 19: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• UDP protocol
  – Provides a mode of communication between applications
  – Each packet has a “port” number that indicates the application
  – Does not implement any guarantees of service.
  – One way communication
  – Applications must implement necessary checks.

Page 20: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• UDP header (layout diagram)

Page 21: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• UDP header fields
  – Source Port (2 bytes): communications port number; 65,536 possible values
  – Destination Port (2 bytes): communications port number for the destination application; usually fixed for given applications (80 - Web)
  – Length (2 bytes): total length of the UDP datagram in bytes
  – Checksum (2 bytes): checksum for the UDP header.

Page 22: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• ICMP protocol
  – The control and error message mechanism for the Internet
  – Each packet has a type/code indicator telling what kind of information is in the packet
  – Different types of ICMP packets have slightly different headers/data
  – Automatically generated (almost always).

Page 23: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• ICMP header – ordinary (layout diagram)

• ICMP header – echo request/reply (layout diagram)

Page 24: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• ICMP header fields
  – Type (1 byte): type of control message the packet represents (0 – echo reply, 8 – echo request, 3 – destination unreachable etc.)
  – Code (1 byte): indicator of what sub-type of message the packet contains
  – Checksum (2 bytes): checksum for the ICMP header.
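Parsers for the UDP header (slide 21) and the ICMP header (slides 23 and 24), as an added example that is not from the deck. The UDP parser checks that the Length field is consistent with the bytes actually present, and the ICMP parser handles the two header shapes the deck draws: echo request/reply (types 8 and 0) carry an identifier and sequence number after the checksum, while the ordinary messages carry four type-specific bytes there instead.

```python
import struct

# Added example (not from the slides): parse the 8-byte UDP header and the
# ICMP header, whose shape differs between echo request/reply (type 8/0) and
# "ordinary" messages such as destination unreachable (type 3).

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request",
              11: "time exceeded"}

def parse_udp(datagram: bytes) -> dict:
    """Fields plus a sanity check on the Length field (header + data, bytes)."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than the 8-byte UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError(f"UDP Length {length} inconsistent with {len(datagram)} bytes")
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": csum, "payload": datagram[8:length]}

def parse_icmp(message: bytes) -> dict:
    """Type/code/checksum for every ICMP message. Echo messages add the
    identifier and sequence number that pair a reply with its request;
    other types keep 4 type-specific bytes there, then the message body."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    mtype, code, csum = struct.unpack("!BBH", message[:4])
    fields = {"type": mtype, "code": code, "checksum": csum,
              "name": ICMP_TYPES.get(mtype, "other")}
    if mtype in (0, 8):
        fields["identifier"], fields["sequence"] = struct.unpack("!HH", message[4:8])
        fields["data"] = message[8:]
    else:
        fields["rest"] = message[4:8]      # meaning depends on the type
        fields["body"] = message[8:]       # e.g. the header of the datagram that caused the error
    return fields
```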

Page 25: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• Application layer
  – Applications run at this level, i.e. application protocols are implemented here
  – Common applications:
    • Web
    • ftp
    • E-mail
    • telnet
    • SSH
    • ...

Page 26: Basic Elements of Attacks and Their Detection

Layers in Internet communication

• Protocol headers give information about:
  – source and destination
  – protocol details
  – application

• The data give information about:
  – login, password information
  – commands attempted
  – files accessed.

Page 27: Basic Elements of Attacks and Their Detection

Phases of an attack

• Four phases in the attacking process:
  – Planning phase
  – Reconnaissance phase
  – Attack phase
  – Post attack phase.

• The attack process is in general cyclic
  – After completing an attack, another attack is planned – an extension of the previous one.

Page 28: Basic Elements of Attacks and Their Detection

Phases of an attack (diagram)

Page 29: Basic Elements of Attacks and Their Detection

Phases of an attack

• Planning phase
  – Can take many different forms.
  – The attacker often makes use of the system in its intended manner before making the attack.
  – Example: the attacker may sign up for an account on an online e-commerce system or log onto a public server.
  – This type of publicly available legitimate access helps the attacker define the scope and goals of the attack.

Page 30: Basic Elements of Attacks and Their Detection

Phases of an attack

• Planning phase (cont.)
  – After the initial preparation is complete, the attacker decides on the scope of the attack.
  – The attacker may have various goals:
    • Denial of service
    • Escalation of legitimate privileges
    • Unauthorized access
    • Data manipulation
  – The motivation behind an attack often dictates which of these goals are chosen.

Page 31: Basic Elements of Attacks and Their Detection

Phases of an attack

• Reconnaissance phase
  – The attacker next gathers information or performs reconnaissance on the targeted network.
  – The attacker carries out a variety of different inquiries with the goal of pinpointing a specific method of attack (port scanning etc.)
  – The goal of the attacker in this phase is to narrow down the field of thousands of possible exploits to a small number of vulnerabilities that are specific to the targeted host/network.

Page 32: Basic Elements of Attacks and Their Detection

Phases of an attack

• Reconnaissance phase (cont.)
  – The attacker attempts to make this reconnaissance as hard to notice as possible.
  – Even so, there are many different means of reconnaissance and some of them can be detected by an intrusion detection system.
  – Sources of information for the attacker:
    • Legitimate public data (forums, public databases, public monitoring tools, etc.)
    • Vulnerability scanning (ping, TCP connect, OS and version scanning, etc.)
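One form of the intrusion detection the slide mentions, as an added example that is not from the deck: a sliding-window port scan detector. It reads constructed connection records of the form "time src dst dport status" (not a real log) and raises one alert per source/destination pair that touches more than PORT_THRESHOLD distinct ports within WINDOW seconds, reporting how many of those attempts were refused, since connections to closed ports are what a TCP connect scan produces and normal clients rarely do.

```python
from collections import defaultdict

# Added example (not from the slides): detect the TCP connect scanning the slide
# names as a reconnaissance method. Records are constructed, not a real log:
# "time src dst dport status". Alert when one source reaches more than
# PORT_THRESHOLD distinct ports on one host within WINDOW seconds.

PORT_THRESHOLD = 5
WINDOW = 10.0          # seconds

SAMPLE_LOG = """\
0.0 10.0.0.9 10.0.0.5 80 accepted
0.5 10.0.0.9 10.0.0.5 443 accepted
1.0 203.0.113.7 10.0.0.5 21 refused
1.1 203.0.113.7 10.0.0.5 22 accepted
1.2 203.0.113.7 10.0.0.5 23 refused
1.3 203.0.113.7 10.0.0.5 25 refused
1.4 203.0.113.7 10.0.0.5 80 accepted
1.5 203.0.113.7 10.0.0.5 110 refused
1.6 203.0.113.7 10.0.0.5 143 refused
30.0 10.0.0.9 10.0.0.5 22 accepted
"""

def parse_records(text: str):
    for line in text.splitlines():
        t, src, dst, port, status = line.split()
        yield float(t), src, dst, int(port), status

def detect_port_scans(records) -> list:
    """Sliding-window count of distinct destination ports per (src, dst).
    Returns one alert per pair, raised the first time it crosses the threshold."""
    recent = defaultdict(list)          # (src, dst) -> [(time, port, status)]
    alerted, alerts = set(), []
    for t, src, dst, port, status in sorted(records):
        key = (src, dst)
        recent[key].append((t, port, status))
        recent[key] = [r for r in recent[key] if t - r[0] <= WINDOW]   # drop old entries
        ports = {p for _, p, _ in recent[key]}
        refused = sum(1 for _, _, s in recent[key] if s == "refused")
        if len(ports) > PORT_THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst, "ports": sorted(ports),
                           "refused": refused, "first": recent[key][0][0], "last": t})
    return alerts
```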

Page 33: Basic Elements of Attacks and Their Detection

Phases of an attack

• Attack phase
  – The traffic generated from attacks can take many different forms.
  – Types of attacks:
    • Denial of service
    • Remote exploits
    • Trojans and backdoor programs
    • Misuse of legitimate access

Page 34: Basic Elements of Attacks and Their Detection

Phases of an attack

• Attack phase (cont.)
  – Denial of service (DoS)
    • Any attack that disrupts the function of a system so that legitimate users can no longer access it.
    • Possible on most network equipment: routers, servers, firewalls, remote access machines, etc.
    • Can be specific to a service (e.g. FTP attack), or an entire machine.
    • Categories of DoS
      – Resource depletion
      – Malicious packet attacks.

Page 35: Basic Elements of Attacks and Their Detection

Phases of an attack

• Attack phase (cont.)
  – Denial of service (DoS) (cont.)
    • Resource depletion DoS attack
      – Functions by flooding a service with so much normal traffic that legitimate users cannot access the service.
      – An attacker inundating a service with normal traffic can exhaust finite resources such as bandwidth, memory and processor cycles.
      – Examples: SYN flood, Smurf, etc.
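A monitor for the first example on this slide, the SYN flood, written from the defender's side as an added example that is not from the deck. The finite resource a SYN flood exhausts is the server's table of half-open connections, so the code replays constructed segment records (time, client, server, flags), keeps the handshakes that have not yet been completed by the client's ACK, and alerts when one server has more than HALF_OPEN_LIMIT of them pending; entries older than TIMEOUT seconds are expired the way the server itself would expire them.

```python
from collections import defaultdict

# Added example (not from the slides): a SYN flood fills a server's half-open
# connection table. Replay constructed segment records "time, client, server,
# flags" and alert when the pending (uncompleted) handshakes for one server
# exceed HALF_OPEN_LIMIT. Records are constructed, not captured traffic.

HALF_OPEN_LIMIT = 3
TIMEOUT = 3.0          # seconds a server keeps a half-open entry

def track_half_open(records, limit=HALF_OPEN_LIMIT, timeout=TIMEOUT):
    """records: iterable of (time, src, dst, flags) with flags a set of names.
    A SYN opens a pending entry for (client, server); the client's ACK that
    follows the server's SYN/ACK closes it. Returns (alerts, pending_now)."""
    pending = {}                          # (client, server) -> time of SYN
    alerts = []
    alerted = set()
    for t, a, b, flags in sorted(records, key=lambda r: r[0]):
        if "SYN" in flags and "ACK" not in flags:
            pending[(a, b)] = t           # client -> server SYN (step 1)
        elif "ACK" in flags and "SYN" not in flags and (a, b) in pending:
            del pending[(a, b)]           # step 3 completes the handshake
        # expire entries the server would have given up on; they still held a
        # table slot for `timeout` seconds, which is exactly the depletion
        stale = [k for k, t0 in pending.items() if t - t0 > timeout]
        for k in stale:
            del pending[k]
        per_server = defaultdict(int)
        for (_, server) in pending:
            per_server[server] += 1
        for server, n in per_server.items():
            if n > limit and server not in alerted:
                alerted.add(server)
                srcs = {c for (c, s) in pending if s == server}
                alerts.append({"server": server, "half_open": n,
                               "distinct_sources": len(srcs), "time": t})
    return alerts, pending

# Constructed sample: one legitimate handshake, then a burst of SYNs from
# many (likely spoofed) sources that never send the completing ACK.
SAMPLE = [
    (0.0, "10.0.0.9", "10.0.0.5", {"SYN"}),
    (0.1, "10.0.0.5", "10.0.0.9", {"SYN", "ACK"}),
    (0.2, "10.0.0.9", "10.0.0.5", {"ACK"}),
] + [(1.0 + i * 0.01, f"198.51.100.{i}", "10.0.0.5", {"SYN"}) for i in range(1, 7)]
```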

Page 36: Basic Elements of Attacks and Their Detection

Phases of an attack

• Attack phase (cont.)
  – Denial of service (DoS) (cont.)
    • Malicious packet DoS attacks
      – Function by sending abnormal traffic to a host to cause the service or the host itself to crash.
      – Occur when software is not properly coded to handle abnormal or unusual traffic.
      – Such traffic can cause software to react unexpectedly and crash.
      – Attackers can use these attacks to bring down even IDS.
      – Examples: Microsoft FTP DoS, SNORT ICMP DoS, etc.

Page 37: Basic Elements of Attacks and Their Detection

Phases of an attack

• Attack phase (cont.)
  – Denial of service (DoS) (cont.)
    • Malicious packet DoS attacks (cont.)
      – In addition to unusual traffic, malicious packets can contain payloads that cause a system to crash.
      – A packet's payload is taken as input into a service.
      – If this input is not properly checked, the application can be brought down.

Page 38: Basic Elements of Attacks and Their Detection

Phases of an attack

• Attack phase (cont.)
  – Denial of service (DoS) (cont.)
    • DoS attacks commonly utilize spoofed IP addresses because the attack is successful even if the response is misdirected.
    • The attacker requires no response, and in cases like the Smurf attack, wants at all costs to avoid a response.
    • This can make DoS attacks difficult to defend from, and even more difficult to detect.

Page 39: Basic Elements of Attacks and Their Detection

Phases of an attack

• Attack phase (cont.)
  – Remote exploits
    • Attacks designed to take advantage of improperly coded software to compromise and take control of a vulnerable host.
    • Can function in the same manner as the malicious payload traffic DoS attacks.
    • Take advantage of improperly checked input or configuration errors.
    • Examples: buffer overflow, Unicode exploit, Cookie poisoning, SQL injection, etc.

Page 40: Basic Elements of Attacks and Their Detection

Phases of an attack

• Attack phase (cont.)
  – Trojans and Backdoor programs
    • By installing a backdoor program or a Trojan, an attacker can bypass normal security controls and gain privileged unauthorized access to a host.
    • A backdoor program can be deployed on a system in a variety of different ways. E.g. a malicious software engineer can add a backdoor program into legitimate software code.
    • Backdoor programs might be added for legitimate maintenance reasons in the software development life cycle, but later forgotten.

Page 41: Basic Elements of Attacks and Their Detection

Phases of an attack

• Attack phase (cont.)
  – Trojans and Backdoor programs (cont.)
    • A Trojan is defined as software that is disguised as a benign application.
    • Remote control Trojans typically listen on a port like a genuine application.
    • Through this open port, an attacker controls them remotely.
    • Trojans can be used to perform any number of functions on the host.

Page 42: Basic Elements of Attacks and Their Detection

Phases of an attack

• Attack phase (cont.)
  – Trojans and Backdoor programs (cont.)
    • Some Trojans include portscanning and DoS features.
    • Others can take screen and Webcam captures and send them back to the attacker.
    • Trojans and backdoor programs have traditionally listened on a TCP or UDP port, making it easy to detect them and undertake countermeasures.

Page 43: Basic Elements of Attacks and Their Detection

Phases of an attack

• Attack phase (cont.)
  – Trojans and Backdoor programs (cont.)
    • Because of that, Trojans have evolved so they no longer need to listen on a TCP or UDP port.
    • Instead, they listen for a specific sequence of events before processing commands.
    • It may be a combination of predetermined source addresses, TCP header information, or false destination ports that do not match a listening service.
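The detection the previous two slides describe for the traditional kind of Trojan, the one that listens on a TCP port, as an added example that is not from the deck. It parses lines in the Linux /proc/net/tcp format (the sample below is constructed, not a real capture; the same function can be fed the real file), keeps the sockets in LISTEN state and flags any listener absent from an expected baseline, together with the uid that owns it. It does not cover the port-less Trojans this slide describes, which need traffic or host-behaviour monitoring instead.

```python
# Added example (not from the slides): the deck notes that Trojans and backdoors
# traditionally listen on a TCP or UDP port, which makes them easy to spot.
# Parse lines in the Linux /proc/net/tcp format (constructed sample below, not a
# real capture), keep LISTEN sockets (st == 0A) and report any listener that is
# not in the expected baseline. For the real table use open("/proc/net/tcp").read().

EXPECTED_LISTENERS = {("0.0.0.0", 22), ("127.0.0.1", 25)}

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
   3: 0500000A:0016 0900000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 34567 1 0000000000000000 100 0 0 10 0
"""

def hex_to_ipv4(hex_addr: str) -> str:
    """/proc/net/tcp stores the address as little-endian hex: 0100007F -> 127.0.0.1."""
    raw = bytes.fromhex(hex_addr)
    return ".".join(str(b) for b in reversed(raw))

def parse_proc_net_tcp(text: str) -> list:
    """Return (local_ip, local_port, state, uid) for every socket line."""
    sockets = []
    for line in text.splitlines()[1:]:        # skip the column header
        cols = line.split()
        if len(cols) < 8:
            continue
        ip_hex, port_hex = cols[1].split(":")
        sockets.append((hex_to_ipv4(ip_hex), int(port_hex, 16), cols[3], int(cols[7])))
    return sockets

def unexpected_listeners(text: str, expected=EXPECTED_LISTENERS) -> list:
    """Listening sockets (state 0A) not in the baseline, with the owning uid."""
    return [(ip, port, uid) for ip, port, st, uid in parse_proc_net_tcp(text)
            if st == "0A" and (ip, port) not in expected]
```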

Page 44: Basic Elements of Attacks and Their Detection

Phases of an attack

• Attack phase (cont.)
  – Misuse of Legitimate Access
    • Attackers often attempt to gain unauthorized use of legitimate accounts by getting authentication information.
    • This can be performed by means of technical and/or social engineering methods.
    • IDS, especially the anomaly detection ones, may be used to detect such activities.

Page 45: Basic Elements of Attacks and Their Detection

Phases of an attack

• Post-attack phase
  – After an attacker has successfully penetrated into a host on the targeted network, further actions he will take are in general unpredictable.
  – In this phase, the attacker carries out his plan and makes use of information resources as he considers appropriate.

Page 46: Basic Elements of Attacks and Their Detection

Phases of an attack

• Post-attack phase
  – Possible post-attack activities:
    • Covering tracks
    • Penetrating deeper into network infrastructure
    • Using the host to attack other networks
    • Gathering, manipulating, or destroying data
    • Handing over the host to a friend or a hacker group
    • Walking or running away without doing anything.