Chapter 16 Attack Detection and Prevention - CCS Labs
Uploaded Jun 04, 2018 by buithuy
Page 1: Chapter 16 Attack Detection and Prevention - CCS Labs · Chapter 16 Attack Detection and Prevention ... (2) Host Intrusion ... Application Layer Anomaly Detection (ALAD) [Mahoney2002]

[NetSec], WS 2006/2007 16.1

Chapter 16: Attack Detection and Prevention

Attack Overview, Taxonomy, and Examples
Attack Detection
Principles of Intrusion Detection Systems
Distributed attack detection

Attack Prevention

[NetSec], WS 2006/2007 16.2

Introduction

Definition: Intrusion
“An Intrusion is unauthorized access to and/or activity in an information system.”

Definition: Intrusion Detection
“The process of identifying that an intrusion has been attempted, is occurring or has occurred.”

National Security Telecommunications Advisory Committee (NSTAC) Intrusion Detection Subgroup

[NetSec], WS 2006/2007 16.3

Introduction

Intrusion Detection
  Attack / invasion detection: tries to detect unauthorized access by outsiders
  Misuse detection: tries to detect misuse by insiders, e.g. users that try to access services on the Internet by bypassing security directives
  Anomaly detection: tries to detect abnormal states within a network, e.g. the sudden appearance of never-used protocols or a large number of unsuccessful login attempts

Intrusion Prevention
  An IPS adds further functionality to an IDS: after detecting a possible attack, the IPS tries to stop the ongoing attack, e.g. by closing network connections or reconfiguring firewalls

[NetSec], WS 2006/2007 16.4

Introduction

[NetSec], WS 2006/2007 16.5

Categorizing Attacks

Who / which device is attacking?
  Normal user device located outside the infrastructure
    Examples: PC, PDA, mobile phone, ...
    Either commanded by a normal user not aware of what he is doing, or hacked and commanded by a malicious attacker
  Device located inside the infrastructure
    Examples: router, management workstation, ...
    Either deliberately placed inside the infrastructure by an attacker, or part of the genuine infrastructure but hacked and commanded by a malicious attacker

Which layer(s) is the attack aiming at?
  Physical, MAC / Data Link, Network, Transport, Application

Which kind of attack is performed?
  Attacking user data PDUs: eavesdropping, replay, modification, ...
  Resource depletion: TCP-SYN flood, SMURF attack, ...

[NetSec], WS 2006/2007 16.6

Availability: The Key Challenge for the Next Years

Security of transmitted information in the sense of confidentiality, authenticity, etc. is well researched and many network security protocols have been developed & standardized during the past decade

Examples: PPP/PPTP, L2TP, IPSec, SSL/TLS, SSH, GSM/GPRS/UMTS security protocols, ....

In “infrastructure networks” (like the Internet), routing threats can be effectively countered by deploying PKI-based approaches like S-BGP

However, ensuring availability of our IT- and communication infrastructure requires more than can be realized by standard network security protocols, and thus turns out to be the major challenge for the next years of security research!

[NetSec], WS 2006/2007 16.7

Denial of Service

What is Denial of Service?
  Denial of Service (DoS) attacks aim at denying or degrading legitimate users’ access to a service or network resource, or at bringing down the servers offering such services

Motivations for launching DoS attacks:
  Hacking (just for fun, by “script kiddies”, ...)
  Gaining an information lead (→ 1997 attack on the Bureau of Labor Statistics server; possibly launched because unemployment information has implications for the stock market)
  Discrediting an organization operating a system (e.g. a web server)
  Revenge (personal, against a company, ...)
  Political reasons (“information warfare”)
  ...

[NetSec], WS 2006/2007 16.8

Denial of Service Attacking Techniques

Resource destruction (disabling services):
  Hacking into systems
  Making use of implementation weaknesses such as buffer overruns
  Deviation from proper protocol execution

Resource depletion by causing:
  Storage of (useless) state information
  High traffic load (requires high overall bandwidth from the attacker)
  Expensive computations (“expensive cryptography”!)
  Resource reservations that are never used (e.g. bandwidth)

Origin of malicious traffic:
  Genuineness of source addresses: either genuine or forged
  Number of sources: single source, or multiple sources (Distributed DoS, DDoS)

[NetSec], WS 2006/2007 16.9

Examples: Resource Destruction

Hacking:
  Exploiting weaknesses that are caused by careless operation of a system
  Examples: default accounts and passwords not disabled, badly chosen passwords, social engineering (incl. email worms), etc.

Deviation from proper protocol execution:
  Example: exploiting IP’s fragmentation & reassembly
    Send IP fragments to broadcast address 192.168.133.0
    Operating systems with origins in BSD often respond to this address as a broadcast address
    In order to respond, the packets have to be reassembled first
    If an attacker sends a lot of fragments without ever sending a first / last fragment, the buffer of the reassembling system gets overloaded
    As some routers use BSD-based TCP/IP stacks, even the network infrastructure can be attacked this way!

[NetSec], WS 2006/2007 16.10

Countering Attacks: Three Principle Classes of Action

Prevention:
  All measures taken in order to avert that an attacker succeeds in realizing a threat
  Examples:
    Cryptographic measures: encryption, computation of modification detection codes, running authentication protocols, etc.
    Firewall techniques: packet filtering, service proxying, etc.
  Preventive measures are by definition taken before an attack takes place
  Attention: it is generally impossible to prevent every potential attack!

Detection:
  All measures taken to recognize an attack while or after it occurred
  Examples:
    Recording and analysis of audit trails
    On-the-fly traffic monitoring and intrusion detection

Reaction:
  All measures taken in order to react to ongoing or past attacks

[NetSec], WS 2006/2007 16.11

Attack Strategy

Scan for vulnerabilities
  Detection of vulnerable hosts and applications

Compromising hosts
  Manual hacking
  Viruses, Trojans, Worms

Distributed denial-of-service attack
  Bandwidth depletion
  Resource depletion

[NetSec], WS 2006/2007 16.12

Port Scan

Background
  Identification of vulnerable systems / applications
  Automated distribution of worms

Scan types
  Vertical scan: sequential or random scan of multiple (5 or more) ports of a single IP address from the same source during a one-hour period
  Horizontal scan: scan of several machines (5 or more) in a subnet at the same target port from the same source during a one-hour period
  Coordinated scan: scans from multiple sources (5 or more) aimed at a particular port of destinations in the same /24 subnet within a one-hour window; also called distributed scan
  Stealth scan: horizontal or vertical scans initiated with a very low frequency to avoid detection
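The scan definitions above translate directly into detection logic: group connection records by source, destination, /24 and port, and count distinct ports, hosts or sources inside a one-hour window. The following is an added example (not from the lecture or [Yegneswaran2003]) that applies the three definitions to constructed connection records; the record layout and the addresses are assumptions. It also shows why the stealth scan on the slide evades this kind of detector: its five probes never fall into one window.

```python
"""Port-scan classifier over connection records, using the scan definitions from
the slide: vertical (5 or more ports on one host from one source), horizontal
(5 or more hosts in a /24 on one port from one source) and coordinated (5 or more
sources at one port in one /24), each within a one-hour window. Added example;
the records are constructed, not measurement data."""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                 # "5 or more" in every definition on the slide
WINDOW = timedelta(hours=1)   # "during a one hour period"

# Constructed records: (timestamp, source IP, destination IP, destination port)
RECORDS = [
    # vertical: one source probes five ports of one host within minutes
    ("2006-11-01 10:00:00", "198.51.100.7", "192.0.2.10", 21),
    ("2006-11-01 10:01:00", "198.51.100.7", "192.0.2.10", 22),
    ("2006-11-01 10:02:00", "198.51.100.7", "192.0.2.10", 23),
    ("2006-11-01 10:03:00", "198.51.100.7", "192.0.2.10", 25),
    ("2006-11-01 10:04:00", "198.51.100.7", "192.0.2.10", 80),
    # horizontal: one source sweeps port 445 across five hosts of 192.0.2.0/24
    ("2006-11-01 11:00:00", "203.0.113.9", "192.0.2.1", 445),
    ("2006-11-01 11:00:05", "203.0.113.9", "192.0.2.2", 445),
    ("2006-11-01 11:00:10", "203.0.113.9", "192.0.2.3", 445),
    ("2006-11-01 11:00:15", "203.0.113.9", "192.0.2.4", 445),
    ("2006-11-01 11:00:20", "203.0.113.9", "192.0.2.5", 445),
    # coordinated: five sources target port 1433 in the same /24
    ("2006-11-01 12:00:00", "203.0.113.21", "192.0.2.20", 1433),
    ("2006-11-01 12:01:00", "203.0.113.22", "192.0.2.21", 1433),
    ("2006-11-01 12:02:00", "203.0.113.23", "192.0.2.22", 1433),
    ("2006-11-01 12:03:00", "203.0.113.24", "192.0.2.23", 1433),
    ("2006-11-01 12:04:00", "203.0.113.25", "192.0.2.24", 1433),
    # stealth: five ports of one host, but spread over five days -> under the threshold
    ("2006-11-01 09:00:00", "198.51.100.50", "192.0.2.30", 21),
    ("2006-11-02 09:00:00", "198.51.100.50", "192.0.2.30", 22),
    ("2006-11-03 09:00:00", "198.51.100.50", "192.0.2.30", 23),
    ("2006-11-04 09:00:00", "198.51.100.50", "192.0.2.30", 25),
    ("2006-11-05 09:00:00", "198.51.100.50", "192.0.2.30", 80),
]


def subnet24(ip):
    """The /24 a dotted-quad address belongs to, e.g. 192.0.2.7 -> 192.0.2.0/24."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def max_distinct_in_window(events):
    """events: (time, key) pairs. Largest number of distinct keys that fall into
    any window of length WINDOW starting at one of the event times."""
    events = sorted(events)
    best = 0
    for t0, _ in events:
        keys = {k for t, k in events if t0 <= t <= t0 + WINDOW}
        best = max(best, len(keys))
    return best


def classify_scans(records):
    """Returns sorted (scan type, who, what) triples for every group that reaches
    THRESHOLD distinct ports/hosts/sources inside one window."""
    vertical = defaultdict(list)      # (src, dst)         -> [(t, dport)]
    horizontal = defaultdict(list)    # (src, /24, dport)  -> [(t, dst)]
    coordinated = defaultdict(list)   # (/24, dport)       -> [(t, src)]
    for ts, src, dst, port in records:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        vertical[(src, dst)].append((t, port))
        horizontal[(src, subnet24(dst), port)].append((t, dst))
        coordinated[(subnet24(dst), port)].append((t, src))
    alerts = []
    for (src, dst), ev in vertical.items():
        if max_distinct_in_window(ev) >= THRESHOLD:
            alerts.append(("vertical", src, dst))
    for (src, net, port), ev in horizontal.items():
        if max_distinct_in_window(ev) >= THRESHOLD:
            alerts.append(("horizontal", src, f"{net}:{port}"))
    for (net, port), ev in coordinated.items():
        if max_distinct_in_window(ev) >= THRESHOLD:
            alerts.append(("coordinated", net, str(port)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in classify_scans(RECORDS):
        print(alert)
```

Run as a script it reports one vertical, one horizontal and one coordinated scan; the slow scanner on 192.0.2.30 never reaches five distinct ports within an hour and stays invisible, which is exactly the trade-off the window-based definition makes between sensitivity and false alarms.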

[NetSec], WS 2006/2007 16.13

Port Scan (2)

Scan characteristics
  Port distribution
  Source distribution

Figure: scan rates for the top 10 destination port categories between May and July 2002

Figure: distribution of coordinated, horizontal and vertical scans for the month of June 2002

Source: [Yegneswaran2003]

[NetSec], WS 2006/2007 16.14

Distributed Denial-of-Service Attacks

Bandwidth depletion
  Flood
    UDP flood
    ICMP flood
  Amplification (i.e. using a reflector network)
    Smurf (ICMP echo request)
    Fraggle (UDP echo, e.g. chargen)

Resource depletion
  Protocol exploit
    TCP SYN
    PUSH+ACK (PUSH to unload the TCP buffer + ACK to overflow a receiver)
  Malformed packet attacks
    Usage of incorrectly formatted IP packets to crash the victim system
  Sleep deprivation
    Rendering a pervasive computing device inoperable by draining its battery

[NetSec], WS 2006/2007 16.15

TCP-SYN flood

>90% of DDoS attacks use TCP [Moore2001]

Several defense mechanisms
  SYN cache, SYN cookies, SynDefender, SYN proxying, ...
  ... stateful, have to be installed at the victim's firewall, rely on traceback

Flooding detection system (FDS) [Wang2002]
  Stateless, low computation overhead
  Relies on SYN-FIN/RST pairs
  Uses the CUSUM (cumulative sum) algorithm

Automated model approach [Tupakula2004]
  Controller-agent model
  #SYN - #ACK > limit? Agent sends an alarm to the controller
  Central controller verifies alarm signatures and issues countermeasures

Basic idea: detection, source identification, firewall configuration
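The FDS idea is that in normal traffic every SYN is eventually paired with a FIN or RST, so the per-interval difference stays near zero, while a flood makes it grow without bound; a CUSUM statistic accumulates that excess and alarms once it crosses a threshold, which is stateless because only counters per interval are kept. The block below is an added example of that detector (it is not the code of [Wang2002]; the drift, threshold and EWMA parameters are assumptions), run on constructed interval counts.

```python
"""Stateless SYN-flood detection in the style of the FDS of [Wang2002]: per
observation interval the number of SYNs is compared with the number of FIN/RST
segments, the difference is normalized by a moving average of the FIN/RST count,
and a non-parametric CUSUM accumulates the excess until it crosses a threshold.
Added example with constructed interval counts; parameter values are assumptions."""


def cusum_syn_detector(intervals, a=1.0, threshold=3.0, alpha=0.8):
    """intervals: (syn_count, fin_rst_count) per observation interval.
    a        : drift subtracted each step; chosen above the normal mean of the
               normalized difference so the statistic stays at zero in normal traffic
    threshold: alarm when the cumulative sum exceeds this value
    alpha    : weight of the EWMA that tracks the normal FIN/RST level
    Returns (list of CUSUM values per interval, index of the first alarm or None)."""
    fbar = max(intervals[0][1], 1)   # bootstrap the FIN/RST average from the first interval
    y = 0.0
    trace, alarm_at = [], None
    for i, (syn, fin_rst) in enumerate(intervals):
        x = (syn - fin_rst) / max(fbar, 1)   # normalized SYN minus FIN/RST difference
        y = max(0.0, y + x - a)               # CUSUM: only positive drift accumulates
        trace.append(round(y, 3))
        if alarm_at is None and y > threshold:
            alarm_at = i
        fbar = alpha * fbar + (1 - alpha) * fin_rst   # update the normal FIN/RST level
    return trace, alarm_at


# Constructed counts: five normal intervals (SYNs roughly balanced by FIN/RST),
# then a flood in which SYNs grow while completed or aborted connections do not.
NORMAL = [(100, 98), (105, 103), (98, 100), (110, 107), (102, 101)]
FLOOD = NORMAL + [(500, 100), (800, 100), (1200, 100)]


if __name__ == "__main__":
    trace, alarm = cusum_syn_detector(FLOOD)
    print("CUSUM trace:", trace)
    print("first alarm in interval:", alarm)
```

With these parameters the statistic stays at zero through the five normal intervals, rises to about 2.97 in the first flood interval (still below the threshold, so a single burst does not alarm) and crosses it in the second; the delay of one interval is the price paid for the low false-alarm rate, and the threshold and drift are tuned per link from attack-free measurements.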

[NetSec], WS 2006/2007 16.16

SYN Flood Protection: TCP SYN cookies

SYN cookies as a reaction to an attack
  SYN cookies are a particular choice of the initial sequence number.
  The server generates the initial sequence number α as:

    α = h(S_SYN, D_SYN, K)

    S_SYN: source address of the SYN packet
    D_SYN: address of the server
    K: a secret key
    h: a cryptographic hash function

  On arrival of the ACK message, the server calculates α again. Then it verifies whether the ack number is correct. If yes, it assumes that the client has sent a SYN message recently (considered normal behavior), and allocates TCB memory.

Message exchange (figure):
  client → server: SYN, seq = x
  server → client: SYN, seq = α, ACK x+1   (no resources are allocated here)
  client → server: ACK α+1
  connection established
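The handshake on this slide, carried out end to end as an added example (not code from the lecture): the server answers a SYN with seq = α without storing anything, and only the ACK that carries α+1 causes a connection record to be allocated. The slide says only that h is a cryptographic hash; the choice of HMAC-SHA256 truncated to 32 bits, the key and the addresses are assumptions of this example.

```python
"""SYN cookie handshake as described on the slide: the server's initial sequence
number α = h(S_SYN, D_SYN, K) replaces per-connection state; the connection is
only accepted (and a TCB allocated) once the client's ACK carries α+1.
Added example; h is instantiated as HMAC-SHA256 truncated to 32 bits (an
assumption, the slide only says 'cryptographic hash') and the key is constructed."""
import hashlib
import hmac

MOD32 = 1 << 32
SERVER_KEY = b"constructed-demo-key-K"   # K: secret known only to the server


def syn_cookie(src_addr, dst_addr, key=SERVER_KEY):
    """α = h(S_SYN, D_SYN, K): keyed hash of the two addresses as a 32-bit sequence number."""
    msg = f"{src_addr}|{dst_addr}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def server_on_syn(src_addr, dst_addr, client_seq):
    """Server reply to SYN: seq=α, ack=x+1. Nothing is stored for this client."""
    return {"seq": syn_cookie(src_addr, dst_addr), "ack": (client_seq + 1) % MOD32}


def server_on_ack(src_addr, dst_addr, ack_number):
    """Server on ACK: recompute α and accept only if ack == α+1. Returns the
    connection state to allocate (the TCB) or None if the ACK is not valid."""
    alpha = syn_cookie(src_addr, dst_addr)
    if (ack_number - 1) % MOD32 != alpha:
        return None
    return {"peer": src_addr, "server_seq": alpha, "state": "ESTABLISHED"}


def handshake(src_addr, dst_addr, client_seq, forge_ack=False):
    """Runs the three-way handshake end to end; forge_ack=True models a host that
    never saw the SYN-ACK and guesses the acknowledgement number. Returns True
    if the server ends up allocating a connection."""
    synack = server_on_syn(src_addr, dst_addr, client_seq)   # client receives seq=α
    ack = (synack["seq"] + 1) % MOD32                        # honest client acks α+1
    if forge_ack:
        ack = (ack + 0x12345678) % MOD32                      # arbitrary wrong guess
    return server_on_ack(src_addr, dst_addr, ack) is not None


if __name__ == "__main__":
    print("honest client:", handshake("198.51.100.7", "192.0.2.10", 1000))
    print("forged ACK   :", handshake("198.51.100.7", "192.0.2.10", 1000, forge_ack=True))
```

Because α here depends only on the two addresses, the cookie for a given client never changes and never expires, so a SYN-ACK observed once could be replayed; deployed implementations (Bernstein's design, the Linux syncookies) additionally fold a slowly changing time counter and the client's MSS into the cookie for that reason.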

[NetSec], WS 2006/2007 16.17

Intrusion Detection

Data collection issues
  Reliable and complete data
  Collection is expensive, collecting the right information is important

Detection techniques
  Misuse detection (or signature-based or knowledge-based)
  Anomaly detection

Response
  Counteracting an attack

Evaluation
  System effectiveness, performance, network-wide analysis
  False-positive rate
  False-negative rate

[NetSec], WS 2006/2007 16.18

Classification of Attack Detection

Four dimensions (figure): host-based, network-based, knowledge-based, anomaly detection

[NetSec], WS 2006/2007 16.19

Classification of Attack Detection (2)

Host Intrusion Detection Systems (HIDS)
  Works on information available on a system, e.g. OS logs, application logs, timestamps
  Can easily detect attacks by insiders, such as modification of files, illegal access to files, installation of Trojans or rootkits
  Problems: has to be installed on every system, produces lots of information, often no real-time analysis but predefined time intervals, hard to manage a huge number of systems

Network Intrusion Detection Systems (NIDS)
  Works on information provided by the network, mainly packets sniffed from the network layer
  Uses signature detection (stateful), protocol decoding, statistical anomaly analysis, heuristic analysis
  Detects: DoS with buffer overflow attacks, invalid packets, attacks on the application layer, DDoS, spoofing attacks, port scans
  Often used on network hubs to monitor a segment of the network

[NetSec], WS 2006/2007 16.20

Placement of a Network Intrusion Detection System

Figure: sensor placement relative to the Internet, the DMZ and the corporate LAN

Sensor facing the Internet: monitors all incoming traffic
  • High load
  • High rate of false alarms

Sensor at the DMZ: monitors all traffic to and from systems in the DMZ
  • Reduced amount of data
  • Can only detect intrusions on these computers

Sensor in the LAN: monitors all traffic within the corporate LAN
  • Possible detection of misuse by insiders
  • Possible detection of intrusion via mobile machines (notebooks, ...)

[NetSec], WS 2006/2007 16.21

Knowledge-based Detection

Based on signatures or patterns of well-known attacks

Working principles
  Scan for attacks using well-known vulnerabilities, e.g. patterns to attack IIS web servers or MSSQL databases
  Scan for pre-defined numbers of ICMP, TCP SYN, etc. packets
  Patterns can be specified at each protocol level
    Network protocol (e.g. IP, ICMP)
    Transport protocol (e.g. TCP, UDP)
    Application protocol (e.g. HTTP, SMTP)

Pros
  Fast, requires little state information, low false-positive rate

Cons
  Recognizes only known attacks

Examples
  Snort, Bro

[NetSec], WS 2006/2007 16.22

Snort

Open source
Support for Windows, UNIX, Linux, ...
Rule-based intrusion detection
  Ruleset can be edited individually
  Huge number of predefined rules
  Daily community rules update
Reporting into: log files, log server, database
Different formats for captured data supported: libpcap, ...
Supports packet de-fragmentation, protocol decoding, state inspection
Possible reactions: TCP reset, ICMP unreachable, configuration of firewalls, alerting via email, pager, SMS (plugins)
Graphical tools for administration and analysis are available

[NetSec], WS 2006/2007 16.23

Snort (2)

Mainly signature based, each intrusion needs a predefined rule:

alert tcp $HOME_NET any -> any 9996 (msg:"Sasser ftp script to transfer up.exe"; \
    content:"|5F75702E657865|"; depth:250; flags:A+; classtype:misc-activity; \
    sid:1000000; rev:3;)

Three-step processing of captured information (capturing is done by libpcap):
  Preprocessing (normalized and reassembled packets)
  Detection engine works on the data and decides what action should be taken
  Action is taken (log, alert, pass)

Modular structure allows many parts to be exchanged: preprocessor, detection and action modules
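To make the rule above concrete, here is an added example (not Snort's engine, and not code from the lecture) of a small evaluator for exactly the header fields and options the rule uses: the `|hex|` content syntax, `depth`, the `flags:A+` modifier and the `$HOME_NET` variable. It is run as a detection-engine step over constructed packets; the packet representation and the value of $HOME_NET are assumptions.

```python
"""Minimal evaluator for the rule options used on the slide (content with |hex|,
depth, flags with the '+' modifier, ports and $HOME_NET), applied to constructed
packets. Added example to show what the rule actually matches; it is not Snort's
own engine, and the packet representation is an assumption."""

HOME_NET = ("192.168.1.",)    # constructed $HOME_NET: prefix match on 192.168.1.0/24


def parse_content(spec):
    """Snort content syntax: text between |...| is hex bytes, the rest is literal."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 == 1 else part.encode()
    return out


def flags_match(spec, pkt_flags):
    """flags:A+  -> ACK must be set, any other flag may be set too
       flags:A*  -> any of the listed flags set
       flags:A   -> exactly ACK and nothing else"""
    wanted = set(spec.rstrip("+*"))
    if spec.endswith("+"):
        return wanted <= pkt_flags
    if spec.endswith("*"):
        return bool(wanted & pkt_flags)
    return wanted == pkt_flags


def in_home_net(ip):
    return any(ip.startswith(prefix) for prefix in HOME_NET)


# The slide's rule, decomposed into header and options
RULE = {
    "proto": "tcp",
    "src": "$HOME_NET", "src_port": "any",
    "dst": "any", "dst_port": 9996,
    "msg": "Sasser ftp script to transfer up.exe",
    "content": parse_content("|5F75702E657865|"),   # -> b"_up.exe"
    "depth": 250,
    "flags": "A+",
    "sid": 1000000, "rev": 3,
}


def matches(rule, pkt):
    """True if the packet satisfies every header field and option of the rule."""
    if pkt["proto"] != rule["proto"]:
        return False
    if rule["src"] == "$HOME_NET" and not in_home_net(pkt["src"]):
        return False
    if rule["dst_port"] != "any" and pkt["dport"] != rule["dst_port"]:
        return False
    if not flags_match(rule["flags"], pkt["flags"]):
        return False
    # depth: the content must be found entirely within the first `depth` payload bytes
    return rule["content"] in pkt["payload"][: rule["depth"]]


def detect(rule, packets):
    """Detection-engine step: (index, sid, msg) for every packet that alerts."""
    return [(i, rule["sid"], rule["msg"]) for i, p in enumerate(packets) if matches(rule, p)]


# Constructed packets (flags as a set of Snort flag letters)
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.20", "dport": 9996, "flags": {"A", "P"},
     "payload": b"get _up.exe\r\n"},                    # alerts
    {"proto": "tcp", "src": "192.168.1.20", "dport": 9996, "flags": {"S"},
     "payload": b""},                                   # SYN only: flags A+ not satisfied
    {"proto": "tcp", "src": "10.9.9.9", "dport": 9996, "flags": {"A"},
     "payload": b"get _up.exe\r\n"},                    # not from $HOME_NET
    {"proto": "tcp", "src": "192.168.1.21", "dport": 9996, "flags": {"A"},
     "payload": b"x" * 300 + b"_up.exe"},               # content only beyond depth:250
]

if __name__ == "__main__":
    for hit in detect(RULE, PACKETS):
        print(hit)
```

Only the first packet alerts. The other three show what each option contributes: `flags:A+` restricts the rule to established-connection segments, `$HOME_NET` limits it to an infected internal host as the source, and `depth:250` bounds how far into the payload the engine searches, which is what keeps signature matching cheap.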

[NetSec], WS 2006/2007 16.24

Anomaly Detection

Based on the analysis of long-term and short-term traffic behavior

Working principles
  Scan for anomalies in
    Traffic behavior
    Protocol behavior
    Application behavior

Pros
  Recognizes unknown attacks as well

Cons
  False-positive rate might be high

Examples
  PHAD/ALAD, Emerald

[NetSec], WS 2006/2007 16.25

Anomaly Detection (2)

Generic anomaly detection system

Source: [Estevez-Tapiador2004]

[NetSec], WS 2006/2007 16.26

Anomaly Detection (3)

Source: [Estevez-Tapiador2004]

[NetSec], WS 2006/2007 16.27

Anomaly Detection (4)

Source: [Estevez-Tapiador2004]

Classification criteria

[NetSec], WS 2006/2007 16.28

ALAD

Application Layer Anomaly Detection (ALAD) [Mahoney2002]

Extension to PHAD

Five models:
  1. P(src IP | dest IP)
     Learns the normal set of clients for each host, i.e. the set of clients allowed on a restricted service
  2. P(src IP | dest IP, dest port)
     Like (1), but one model for each server on each host
  3. P(dest IP, dest port)
     Learns the set of local servers which normally receive requests
  4. P(TCP flags | dest port)
     Learns the set of TCP flags for all packets of a particular connection
  5. P(keyword | dest port)
     Examines the text in the incoming request (first 1000 bytes)
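Each of the five models is the same data structure conditioned on a different key: the set of values seen under a condition during attack-free training. The added example below (not the ALAD implementation of [Mahoney2002]) builds all five from constructed packet records and scores a test packet with the t·n/r rule that PHAD/ALAD use for a value never seen under its condition (n observations of the condition, r distinct values, t observations since the last novel value). The records, the simplification of "keyword" to the first token of the request, and freezing the models during the test phase are assumptions of this example.

```python
"""ALAD-style anomaly models built from the five conditional models on the slide.
Each model learns, per condition, the set of values seen in attack-free training
traffic; at test time a value never seen under its condition is scored
t*n/r (n = observations under that condition, r = distinct values seen,
t = observations since the last novel value), the rule PHAD/ALAD use. Added
example; the packet records are constructed and the test phase is simplified:
models are frozen during testing and the keyword is the first token of the request."""
from collections import defaultdict


class ConditionalModel:
    """Nonstationary set model for P(value | condition)."""

    def __init__(self, name):
        self.name = name
        self.seen = defaultdict(set)        # condition -> values observed
        self.n = defaultdict(int)           # condition -> number of observations
        self.last_novel = defaultdict(int)  # condition -> clock of the last new value
        self.clock = 0

    def train(self, cond, value):
        self.clock += 1
        self.n[cond] += 1
        if value not in self.seen[cond]:
            self.seen[cond].add(value)
            self.last_novel[cond] = self.clock

    def score(self, cond, value):
        """0 for a known value (or a condition never trained), else t*n/r."""
        r = len(self.seen[cond])
        if r == 0 or value in self.seen[cond]:
            return 0.0
        t = self.clock + 1 - self.last_novel[cond]   # the test packet is observation clock+1
        return t * self.n[cond] / r


def keyword(payload):
    """ALAD examines the request text; here: first token of the first 1000 bytes."""
    tokens = payload[:1000].split()
    return tokens[0] if tokens else ""


# The five models: name -> (condition, value) extracted from a packet record
MODELS = {
    "P(src|dst)":       lambda p: (p["dst"], p["src"]),
    "P(src|dst,dport)": lambda p: ((p["dst"], p["dport"]), p["src"]),
    "P(dst,dport)":     lambda p: ("*", (p["dst"], p["dport"])),   # unconditional set
    "P(flags|dport)":   lambda p: (p["dport"], p["flags"]),
    "P(keyword|dport)": lambda p: (p["dport"], keyword(p["payload"])),
}


def train_alad(packets):
    models = {name: ConditionalModel(name) for name in MODELS}
    for p in packets:
        for name, extract in MODELS.items():
            models[name].train(*extract(p))
    return models


def score_packet(models, p):
    """Per-model scores plus their sum, which ALAD compares against an alert threshold."""
    scores = {name: models[name].score(*MODELS[name](p)) for name in MODELS}
    scores["total"] = sum(scores.values())
    return scores


def pkt(src, dst, dport, flags, payload):
    return {"src": src, "dst": dst, "dport": dport, "flags": flags, "payload": payload}


# Constructed attack-free training traffic: three web clients, two mail clients
TRAINING = [
    pkt("10.0.0.1", "192.0.2.10", 80, "A", "GET /index.html HTTP/1.0"),
    pkt("10.0.0.2", "192.0.2.10", 80, "A", "GET /a.png HTTP/1.0"),
    pkt("10.0.0.1", "192.0.2.10", 80, "A", "GET /b.png HTTP/1.0"),
    pkt("10.0.0.3", "192.0.2.10", 80, "A", "GET /c.css HTTP/1.0"),
    pkt("10.0.0.2", "192.0.2.10", 80, "A", "GET /index.html HTTP/1.0"),
    pkt("10.0.0.1", "192.0.2.10", 80, "A", "GET /d.js HTTP/1.0"),
    pkt("10.0.0.4", "192.0.2.20", 25, "A", "HELO mail.example"),
    pkt("10.0.0.4", "192.0.2.20", 25, "A", "HELO mail.example"),
    pkt("10.0.0.5", "192.0.2.20", 25, "A", "HELO relay.example"),
    pkt("10.0.0.4", "192.0.2.20", 25, "A", "HELO mail.example"),
]
NORMAL_TEST = pkt("10.0.0.2", "192.0.2.10", 80, "A", "GET /index.html HTTP/1.0")
ODD_TEST = pkt("172.16.0.9", "192.0.2.10", 80, "A", "PROPFIND / HTTP/1.1")  # new client, new verb

if __name__ == "__main__":
    models = train_alad(TRAINING)
    print("normal:", score_packet(models, NORMAL_TEST)["total"])
    print("odd   :", score_packet(models, ODD_TEST))
```

The odd packet scores 14 on models 1 and 2 (a fourth client for a host that had three, last new client six observations ago) and 60 on model 5 (port 80 had seen only one request verb in six observations), while models 3 and 4 stay silent because the server and the flags are familiar; the keyword model dominates precisely because its value set was small and stable, which is the intuition behind weighting by n/r.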

[NetSec], WS 2006/2007 16.29

Defense Challenges

Need for a distributed response at many points on the Internet
  Coordinated response is necessary for successful countermeasures

Economic and social factors
  Deployment of response systems at parties that do not suffer direct damage from the DDoS attack

Lack of detailed information
  Thorough understanding of attacks is required

Lack of defense system benchmarks

Difficulty of large-scale testing

[NetSec], WS 2006/2007 16.30

Attack Prevention / Counteracting

Anti-spoof mechanisms
  Filtering of forged packets
  Cryptographic authentication
  Traceback

Counteracting DDoS attacks
  Counteracting TCP SYN flood
  Distributed firewalling
  Congestion control

[NetSec], WS 2006/2007 16.31

Address Spoofing

The spoofing problem:
  Packet routing in IP networks is based on destination address information only; the correctness of the source address is not verified
  Most (D)DoS attacks consist of packets with spoofed or faked source addresses in order to disguise the identity of the attacking systems
  Identification of the attacking systems is needed for installing efficient defense mechanisms
  Some detection mechanisms also require valid information about the attack sources
  Further issues: legal prosecution of attackers and prevention of new attacks

[NetSec], WS 2006/2007 16.32

Anti-Spoof Mechanisms

Filtering of forged packets
  Ingress filtering: implementation of “anti-spoof” ACLs based on (static/dynamic) knowledge about the “own” IP address range
  RPF: reverse path forwarding, known from multicast routing; fails for dynamic load-balancing
  SAVE: source address validity enforcement protocol [Li2002]
    Associates interfaces with valid source address ranges
    Also useful for the RPF check, e.g. for multicast routing

Cryptographic authentication
  IPSec authentication; problem: key management

Traceback
  Real-time / forensic methods
  Most promising solution!
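The three filtering approaches differ only in where the "valid source" knowledge comes from: an ingress ACL knows the site's own range, strict RPF consults the routing table, and SAVE keeps a per-interface table of valid source ranges. The added example below (not the SAVE protocol of [Li2002], and not code from the lecture) implements each check against a constructed router configuration and shows the load-balancing case in which strict RPF rejects a packet that may well be legitimate; all addresses, interfaces and routes are assumptions.

```python
"""Source-address validation at a border router, combining the three filtering
ideas on the slide: an ingress ACL built from knowledge of the 'own' address
range, a strict reverse-path-forwarding check against the routing table, and a
SAVE-like table that associates each interface with its valid source ranges.
Added example; the address ranges, interfaces and routes are constructed."""
import ipaddress

OWN_RANGES = [ipaddress.ip_network("192.0.2.0/24")]        # the site's own addresses
BOGONS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                             "192.168.0.0/16", "127.0.0.0/8")]

# Routing table: prefix -> outgoing interface(s); two interfaces for one prefix
# model load balancing over two upstream links
ROUTES = {
    "192.0.2.0/24": ["customer0"],
    "203.0.113.0/24": ["upstream0", "upstream1"],
    "0.0.0.0/0": ["upstream0"],
}

# SAVE-style incoming table: interface -> source prefixes that may arrive on it
INCOMING = {
    "customer0": ["192.0.2.0/24"],
    "upstream0": ["0.0.0.0/0"],
    "upstream1": ["0.0.0.0/0"],
}
EXTERNAL = {"upstream0", "upstream1"}


def ingress_acl(interface, src):
    """Anti-spoof ACL from the 'own range' alone: only our addresses may enter on an
    internal interface, our addresses must never arrive from outside, bogons never."""
    addr = ipaddress.ip_address(src)
    if any(addr in b for b in BOGONS):
        return False
    is_own = any(addr in n for n in OWN_RANGES)
    if interface in EXTERNAL:
        return not is_own
    return is_own


def best_route(src):
    """Longest-prefix match in the routing table: the interface(s) leading back to src."""
    addr = ipaddress.ip_address(src)
    matching = [(ipaddress.ip_network(p), ifs) for p, ifs in ROUTES.items()
                if addr in ipaddress.ip_network(p)]
    _, ifs = max(matching, key=lambda entry: entry[0].prefixlen)
    return ifs


def rpf_check(interface, src):
    """Strict RPF: accept only if the route back to src leaves via the arrival interface.
    A source reached through the default route is rejected on the second upstream link
    even if the neighbour legitimately sends it there (the load-balancing failure)."""
    return interface in best_route(src)


def save_check(interface, src):
    """SAVE-style: is src inside one of the ranges associated with this interface?"""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in INCOMING[interface])


def validate(interface, src):
    """Verdict of each check for one packet; a router would forward only if all agree."""
    return {"acl": ingress_acl(interface, src), "rpf": rpf_check(interface, src),
            "save": save_check(interface, src)}


if __name__ == "__main__":
    for iface, src in [("customer0", "192.0.2.5"), ("customer0", "203.0.113.7"),
                       ("upstream0", "192.0.2.5"), ("upstream1", "203.0.113.7"),
                       ("upstream1", "198.51.100.9"), ("upstream0", "10.1.1.1")]:
        print(iface, src, validate(iface, src))
```

The ACL alone already stops the two classic spoofing cases (an internal host claiming an outside address, and an outside packet claiming an internal address); strict RPF adds coverage for any source with a known route, at the cost of rejecting 198.51.100.9 on upstream1 because the table only lists upstream0 for it, which is the asymmetry the slide warns about.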

[NetSec], WS 2006/2007 16.33

Traceback (1)

Goal:
  Identify the source address (or at least the ingress point) and the attack path of a packet without relying on the source address information

Challenges:
  Short path reconstruction time
  Processing and storage requirements
  Scalability
  Compatibility with existing protocols

[NetSec], WS 2006/2007 16.34

Traceback (2)

Taxonomy of traceback mechanisms (figure): traceback mechanisms are divided into active and passive ones; the leaves of the taxonomy are packet insertion, packet marking, packet logging, flow logging, network reconfiguration, link testing and backscatter analysis

[NetSec], WS 2006/2007 16.35

Packet Insertion

ICMP traceback (ITrace) [Bellovin2000]:
  For 1 out of 20,000 packets, routers send an ITrace message with the router ID and information about the original packet to the same destination
  If a flow contains enough packets, the destination is likely to receive ITrace messages from every router on the path.

Limitations:
  Router infrastructure has to be modified
  Requires a large number of packets per flow → long traceback time for distributed low-rate attacks
  Destination has to store original packets for later comparison with the ITrace message
  ITrace messages need to be authenticated, e.g. using a PKI
  Inserted ICMP packets may influence network behavior
  ICMP traffic is often rate-limited by routers and preferentially dropped during congestion

Figure: packet P traverses routers R1 and R2; R1 additionally emits ITrace(R1, P) towards the same destination
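The "large number of packets per flow" limitation can be quantified from the sampling rate on the slide: with each router independently reporting a packet with probability p = 1/20000, the probability that all k routers on the path have reported after n packets is (1 − (1 − p)^n)^k. The block below is an added example (not from [Bellovin2000] or the lecture) that computes the number of packets needed for a given confidence and turns it into a traceback time for attack flows of different rates, plus the receiver-side matching of ITrace messages against stored packets; path length, rates and confidence level are assumptions.

```python
"""How many packets an ITrace-style scheme needs before the destination has heard
from every router on the path. Each router independently emits an ITrace message
for a packet with probability p = 1/20000 (the sampling rate on the slide), so
the chance that all k routers have reported after n packets is (1-(1-p)^n)^k.
Added example that quantifies the 'requires a large number of packets per flow'
limitation; path lengths, attack rates and the confidence level are assumptions."""
import math

P_SAMPLE = 1 / 20000   # "1 out of 20,000 packets" on the slide


def prob_full_path(n_packets, path_len, p=P_SAMPLE):
    """P(every one of path_len routers sent >= 1 ITrace message within n packets)."""
    return (1 - (1 - p) ** n_packets) ** path_len


def packets_needed(path_len, confidence=0.95, p=P_SAMPLE):
    """Smallest n with prob_full_path(n) >= confidence (closed form, then ceil).
    Each router must individually be heard from with probability confidence^(1/k)."""
    per_router = confidence ** (1 / path_len)
    return math.ceil(math.log(1 - per_router) / math.log(1 - p))


def traceback_time_seconds(rate_pps, path_len, confidence=0.95, p=P_SAMPLE):
    """Time until the path is (probably) known for an attack flow of rate_pps packets/s.
    A low-rate source, as in a distributed attack, takes proportionally longer."""
    return packets_needed(path_len, confidence, p) / rate_pps


def reconstruct_routers(stored_packets, itrace_messages):
    """Receiver side: the destination keeps the attack packets and matches each
    ITrace(router, packet) message against them; the matched router IDs are the
    (unordered) set of routers on the attack path. Unmatched messages are ignored,
    which is why the original packets have to be stored."""
    stored = set(stored_packets)
    return sorted({router for router, packet in itrace_messages if packet in stored})


# Constructed receiver data: packet identifiers the destination stored, and the
# ITrace messages that arrived (one refers to a packet that was not stored)
STORED = ["P1", "P2", "P3", "P4"]
ITRACE_MSGS = [("R1", "P2"), ("R2", "P4"), ("R3", "P9"), ("R1", "P3")]


if __name__ == "__main__":
    k = 10   # assumed path length in routers
    n = packets_needed(k)
    print(f"{k} routers, 95% confidence: {n} packets")
    for rate in (10_000, 100, 1):
        print(f"  at {rate} pkt/s: {traceback_time_seconds(rate, k) / 60:.1f} minutes")
    print("routers on path:", reconstruct_routers(STORED, ITRACE_MSGS))
```

For a ten-router path the 95% figure comes out at roughly 10^5 packets: seconds for a bandwidth-scale flood, about a quarter of an hour at 100 packets per second, and more than a day for a single low-rate source in a distributed attack, which is the "long traceback time" limitation in numbers. The receiver example also makes the storage limitation visible: the message for P9 is useless because the destination no longer has that packet to compare against.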

[NetSec], WS 2006/2007 16.36

References

[Estevez2004] J. M. Estevez-Tapiador, P. Garcia-Teodoro, and J. E. Diaz-Verdejo, "Anomaly detection methods in wired networks: a survey and taxonomy," Computer Communications, vol. 27, July 2004, pp. 1569-1584.

[Kemmerer2002] R. Kemmerer and G. Vigna, "Intrusion Detection: A Brief History and Overview," IEEE Computer - Special Issue on Security and Privacy, April 2002, pp. 27-30.

[Lee2004] R. B. Lee, "Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures," Princeton University, Technical Report, 2004.

[Li2002] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, "SAVE: Source Address Validity Enforcement Protocol," Proceedings of IEEE Infocom 2002, New York, USA, June 2002.

[Mirkovic2004] J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM SIGCOMM Computer Communication Review, vol. 34, April 2004, pp. 39-53.

[Paxson1999] V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," Computer Networks, vol. 31, December 1999, pp. 2435-2463.

[Porras1997] P. A. Porras and P. G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances," Proceedings of National Information Systems Security Conference, October 1997.

[Roesch1999] M. Roesch, "Snort: Lightweight Intrusion Detection for Networks," Proceedings of 13th USENIX Conference on System Administration, 1999, pp. 229-238.

[Tupakula2004] U. K. Tupakula, V. Varadharajan, and A. K. Gajam, "Counteracting TCP SYN DDoS Attacks using Automated Model," Proceedings of IEEE Globecom 2004, Dallas, TX, USA, December 2004.

[Wang2002] H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN Flooding Attacks," Proceedings of IEEE INFOCOM 2002, 2002.

[Yegneswaran2003] V. Yegneswaran, P. Barford, and J. Ullrich, "Internet Intrusions: Global Characteristics and Prevalence," Proceedings of ACM SIGMETRICS, June 2003.