Cosc 4765
NID/IDS and NIPS
Smoke and Mirrors Defenses
Network Attack: DDoS
Dec 23, 2015
IDS: Intrusion Detection System
• Also called Network Intrusion Detection (NID)
– This is a large category of software and hardware appliances
– Monitors activity to identify malicious or suspicious network events
• Alerts the admin to a possible attack
• If it is a NIPS (Network Intrusion Prevention System), then it will also initiate a defensive response
– such as terminating the connection
• by configuring the firewall to block it
Types of IDSs
• Signature-Based
– Similar to an anti-virus program.
– Has the same problems as AV software: the signatures need to be updated before new types of attacks can be detected.
• Heuristic Based
– Looks for behavior that is “out of the ordinary”.
– Normally classifies traffic as good/benign, suspicious, or unknown.
Stealth Mode
• The second target of an attacker is usually the IDS
– The first is normally the firewall.
• Stealth mode allows the IDS to be protected.
– The machine has 2 NICs.
• One that it monitors the target network on, but can’t itself be sent packets on.
– So the IDS can’t be attacked on the monitoring port
» A classic attack is a DoS on the monitor port.
• The second is for normal network traffic.
Snort
• A sophisticated open-source network intrusion detection system
– http://www.snort.org/
• Both Windows and Linux versions.
• Will send alerts and log anything it believes to be an attack.
• Has a configurable rule set for attacks, which allows you to write your own rules.
– Rules are updated on their site every so often.
Smoke and Mirrors Defenses
• Honeynet and honeypot projects
– To detect malicious behavior, NIDS require signatures of known attacks and often fail to detect compromises that were unknown at the time the NIDS was deployed. On the other hand, honeypots can detect vulnerabilities that are not yet understood.
– Hide computers in the middle of many (possibly thousands of) "fake" computers
– Because a honeypot has no production value, any attempt to contact it is suspicious. Consequently, forensic analysis of data collected from honeypots is less likely to lead to false positives than data collected by NIDS. [1]
Smoke and Mirrors Defenses (2)
• Physical honeypot
– A real machine on the network with its own IP address.
– Useful, because it is a full O/S
• Virtual honeypot
– Simulated from another machine
• Allows dozens (even hundreds) to be created and run off one computer
• The virtual machines don’t have to run the same O/S.
Virtual honeypot
• The host O/S can now monitor the virtual machines and log everything.
– The host O/S must be hardened against attacks itself, otherwise…
• 2 kinds:
– A high-interaction honeypot simulates all aspects of an operating system.
– A low-interaction honeypot simulates only some parts, for example the network stack.
Virtual honeypot projects
• Honeynet project (http://www.honeynet.org)
– Set up a honeynet gateway in front of your computers, then set up possibly 65,000 virtual computers running off possibly a single computer.
– The goal of Phase III is to develop a bootable CDROM that boots into a Honeynet gateway, or Honeywall. Once booted, all you have to do is place your target systems behind this gateway.
Honeyd
• Simpler setup than honeynet
• Uses an application set up on a machine; no firewall or gateway is necessary
– Allows scripts to be added, so more services can be emulated from the single system
– Can also emulate routers and network equipment as well.
– More info can be found at http://www.honeyd.org
Value of Honeypots
• A honeypot's primary purpose is to collect information.
– But how do we derive value from that information?
• Deception:
– How can honeynets be used to deceive threats, how can this be of value, and for whom would this be valuable?
• This research is being done by the following folks:
– Amit Lakhani at the Royal Holloway, University of London.
– Nirbhay Gupta at Edith Cowan University, Australia.
Value of Honeypots (2)
• Profiling Threats:
– How can this be of value, and for whom would this be valuable?
• Insider Threats:
– How can they be used for early indications and intelligence gathering on advanced insider threats?
• Intelligence Gathering:
– They can be used for intelligence gathering, but how can this be of value, and for whom would this be valuable?
Value of Honeypots (3)
• Legal Issues:
– What are the legal issues of honeypot technologies, and how do they apply to different organizations?
• Cyber-Warfare:
– How can they be used by the military within cyber-warfare, and how can this be of value?
• Law Enforcement:
– How can law enforcement use this to track down and prosecute criminal activity?
Value of Honeypots (4)
• Tools and Tactics:
– How can this be used to identify and learn about new tools, trends or tactics?
• This research is being led by the following people:
– Elaine Ng at the University of Copenhagen.
• Early Warning and Prediction:
– How can it be used for early warning and prediction, how can this be of value, and for whom would this be valuable?
Denial of Service Attacks
• One of the most common and simplest forms of attack.
• Instead of compromising the system,
– DoS wants to either bring down the system or prevent legitimate use of the system.
• The system is so busy that it is unable to respond to legitimate requests.
Distributed Denial of Service Attacks
• One method of creating a DDoS attack is to trick routers into attacking a target.
– Send spoofed packets to routers with the source IP of the target. The routers then attempt to talk to the target as well as other computers.
• Another method is to use compromised (zombie) systems to attack the target simultaneously.
Distributed Denial of Service Attack
[Diagram: Master controls Zombies; Zombies flood the Victim]
What Happens in DDoS
• Zombies contain a small attack daemon
• Attacker sends control traffic to each zombie directing it to attack the victim
– Typical control channels
• IRC, ICMP
• Listen for TCP SYN packets on different ports in a specific order
– Call attacker’s function
» Use header information to pass arguments
• Slaves send streams of traffic to the victim
– Source IP address is spoofed (often random)
Reflective DDoS Attack
[Diagram: Master controls Zombies; Zombies send requests to many Reflectors, whose replies go to the Victim]
What Happens in a Reflective DDoS?
• Attacker directs zombies to send requests to reflectors on the victim’s “behalf”.
– Source IP of these requests is that of the victim
– Destination IPs are those of reflectors
• Any host that will return a packet if sent a packet
– Web servers, DNS servers, routers
– Chosen from well-known networks
• Reflectors reply to these solicitations back to the victim
– Source IPs of these replies are that of the reflector
• Same as valid traffic from the well-known network
– Destination IP is that of the victim
Diffusion of the Attack from the Victim’s Viewpoint
• A high rate of repetitious traffic directed from one computer to another is suspicious.
• In a reflector attack, each reflector sends at a lower rate than the zombies would if they were attacking directly
– If there are Nr (1 million, say) reflectors and Nz (100,000, say) zombies, each with a flooding rate Fz, then the overall flooding rate from each reflector is Fr = (Nz / Nr) · Fz.
• This is because each zombie distributes its packets among some or all of the reflectors
Diffusion of the Attack from each Reflector’s Viewpoint
• In a reflected attack, the reflectors need to become aware that they are being pumped by the zombies
– If there are N reflectors then it will take a single reflector N times longer to observe the same amount of traffic from a given zombie as it would take a victim who is being directly attacked by that zombie.
– This is also due to the fact that the zombies distribute their packets across reflectors.
Reflection with TCP
• By sending TCP traffic alone, you cannot get a reflector to send an initial SYN segment to a victim.
– Some applications based on higher-level protocols may however accommodate this
• FTP bounce
• If the reflector has guessable sequence numbers
– The attacker can have a sustained one-way TCP ‘conversation’ with the reflector in which all of the reflector’s replies (ACKs) are directed at the victim.
– Or the attacker can issue a request for the download of a large image on behalf of the victim
Common Tools
• Tribal Flood Network (TFN) and TFN2K
– Not viruses, used to perform a DDoS
– Works in the following way
• UDP flood attacks, ICMP flood attacks, TCP SYN flood attacks
– Will look at the details of the attacks later on.
• A master instructs agents to attack a target
• The agents then flood the target system
• Has encrypted communications and decoy packets to make it harder to trace.
• Others
– Stacheldraht and Trinoo DDoS tools
• Add Smurf attacks and forge source addresses.
Denial of Service Attacks
• TCP SYN Flood
– The attacker opens a TCP connection
• TCP requires a 3-way handshake: init connection from client, response from server, and final message from client, so that the connection is set up.
– The attacker drops the connection and doesn’t respond to the server
• It leaves the server with a “half-open” connection and buffer memory allocated for the connection.
– The attacker then repeats hundreds of times.
– The server slows and has to clean up all the connections, finally not responding to real requests.
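As an added example (not from the slides), a Python check a defender could run over a server's handshake events to spot the half-open build-up described above. The event records, the 20-connection per-source threshold and the 5:1 half-open-to-completed ratio are constructed assumptions; the second check exists because per-source counting alone misses a flood whose SYNs all carry different spoofed addresses.

```python
from collections import defaultdict

# Constructed sample of client-side handshake events seen at one server port,
# in arrival order: (client_ip, flags). "S" is the client's SYN, "A" is the
# client's final ACK that completes the 3-way handshake (the server's SYN/ACK
# is implied and not recorded).
NORMAL_CLIENTS = [("10.0.0.5", "S"), ("10.0.0.5", "A"),
                  ("10.0.0.6", "S"), ("10.0.0.6", "A")]
ONE_SOURCE_FLOOD = [("203.0.113.9", "S")] * 40                    # never completes
SPOOFED_FLOOD = [(f"198.51.100.{i}", "S") for i in range(1, 31)]  # random sources
SAMPLE_EVENTS = NORMAL_CLIENTS + ONE_SOURCE_FLOOD + SPOOFED_FLOOD

def half_open_summary(events):
    """Return (half_open_by_source, completed_handshakes).

    half_open_by_source maps a client IP to the number of its SYNs that were
    never followed by a completing ACK, i.e. connections still half-open.
    """
    pending = defaultdict(int)
    completed = 0
    for ip, flags in events:
        if flags == "S":
            pending[ip] += 1
        elif flags == "A" and pending[ip] > 0:
            pending[ip] -= 1
            completed += 1
    return {ip: n for ip, n in pending.items() if n > 0}, completed

def syn_flood_alerts(events, per_source=20, global_ratio=5.0):
    """Two complementary checks (thresholds are assumed; tune per server):
    - per-source: one address holding many half-open connections;
    - global: far more half-open than completed handshakes, which still
      fires when every SYN carries a different spoofed source address.
    """
    half_open, completed = half_open_summary(events)
    total_half_open = sum(half_open.values())
    alerts = [f"source {ip}: {n} half-open connections"
              for ip, n in sorted(half_open.items()) if n >= per_source]
    if total_half_open >= per_source and total_half_open > global_ratio * max(completed, 1):
        alerts.append(f"global: {total_half_open} half-open vs {completed} "
                      f"completed handshakes (possible spoofed-source SYN flood)")
    return alerts

if __name__ == "__main__":
    for line in syn_flood_alerts(SAMPLE_EVENTS):
        print(line)
```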
Denial of Service Attacks (2)
• UDP Flood attack
– Send a UDP packet to a random port number.
• Normally forging the return IP address
– Since there is no application waiting for the information, the server generates an ICMP error message back to the sender
– Repeat until the system is overloaded.
• Since UDP doesn’t set limits on the amount of data, you can send huge packets and lots of them very quickly.
Denial of Service Attacks (3)
• ICMP Flood Attack
– Two types: flood and nuke
– Flood
• Like UDP attacks (actually will use UDP attacks) with a large number of pings as well.
– Nuke
• Takes advantage of vulnerabilities in ICMP handling
– Some network boxes can be put into test modes with specially crafted ICMP ping messages
– Others may crash
» Win 9X Ping of Death: send ping packets that are greater than 65,000 bytes.
Denial of Service Attacks (4)
• Teardrop Attack
– Send two fragments that overlap, so that it is impossible to reassemble them without destroying the individual headers.
• Some systems will crash
• Variants: TearDrop2, Boink, targa, Nestea, NewTear, and SYNdrop
• Land Attack
– Send a forged packet whose source IP is the destination IP. This can cause a system “to go crazy” attempting to send to itself.
• Sometimes the system’s networking will fail or the system will crash.
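As an added example (not from the slides), a Python check of the kind a reassembler or IDS applies to IPv4 fragment headers: it refuses the overlapping layout the Teardrop bullet describes rather than guessing how to reassemble it, and also reports datagrams with missing pieces. The fragment tuples are constructed sample input.

```python
# Constructed IPv4 fragment headers for one datagram, as
# (fragment_offset_units, payload_len, more_fragments). The IP header stores
# the offset in 8-byte units; payload_len is the data carried by that fragment.
NORMAL_PAIR = [(0, 1480, True), (185, 520, False)]     # 1480 + 520 = 2000 bytes
TEARDROP_PAIR = [(0, 36, True), (3, 4, False)]          # 24..28 lies inside 0..36
MISSING_TAIL = [(0, 1480, True), (370, 120, False)]     # bytes 1480..2960 never arrive

def check_fragments(frags):
    """Validate a datagram's fragments before reassembly.

    Returns ("ok", total_length) when the fragments tile the datagram exactly,
    ("overlap", (a, b)) with the positions, in offset order, of the two
    fragments whose byte ranges collide, or ("incomplete", first_missing_byte)
    when some byte range is absent or the last fragment still has MF set.
    Rejecting overlaps outright avoids the inconsistent reassembly that
    Teardrop relied on; a retransmitted exact duplicate is also reported as an
    overlap here, so a production reassembler would drop duplicates first.
    """
    spans = sorted(((off * 8, off * 8 + length, mf) for off, length, mf in frags),
                   key=lambda s: s[0])
    if not spans:
        return ("incomplete", 0)
    expected_next = 0
    for idx, (start, end, mf) in enumerate(spans):
        if start < expected_next:          # this fragment overwrites bytes already seen
            return ("overlap", (idx - 1, idx))
        if start > expected_next:          # hole before this fragment
            return ("incomplete", expected_next)
        expected_next = end
    if spans[-1][2]:                       # final fragment claims more are coming
        return ("incomplete", expected_next)
    return ("ok", expected_next)

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL_PAIR), ("teardrop", TEARDROP_PAIR),
                        ("missing tail", MISSING_TAIL)):
        print(name, "->", check_fragments(frags))
```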
Denial of Service Attacks (5)
• Echo/Chargen Attack
– The chargen service was designed as a test service. It generates random characters
– The echo service repeats the data it receives
– So the attacker creates a forged packet where the server connects to its local echo service or the chargen service.
• The server sends huge amounts of data to itself, causing it to slow down or crash.
Denial of Service Attacks (6)
• Smurf attack
– Send out an ICMP echo packet with the spoofed source address of the victim. The ICMP packet is sent as a broadcast, so all machines on the network will then send replies back to the victim
• Allowing the entire network to perform the attack
– Repeat until the system crashes or is unusable.
– Normally a virus or trojan program on compromised machine(s) makes the attack.
Amplification DDoS
• Amplification DDoS attacks use a 1:50 to 1:200+ ratio for the attack.
• The bigger the better!
– Remember these attacks are still coming from zombie systems.
DNS Amplification Attacks
• Compose a DNS request message of about 60 bytes; the response is roughly 4,000 bytes
• Or a 1:70 ratio
• Simple version
– Compromise a DNS server and add a record.
• A DNS TXT resource record of, say, 4000 bytes.
– This is the amplification record.
• Slightly harder version
– Use a compromised machine in the network (or impersonate one) to use dynamic update to add the record to the DNS server.
• Either way, now the zombie machine spoofs the target machine in the DNS request.
DNS Amplification Attacks (2)
• From Watchguard, https://www.watchguard.com/infocenter/editorial/41649.asp
NTP amplification
• Simple to use: NTP has a command, monlist (used for monitoring), that will return up to the last 600 machines the NTP server interacted with.
– A request packet of 234 bytes returns 48K
• Or 1:206
• So zombies spoof the target IP address and make requests to an NTP server as fast as possible.
Other amplification attacks
• HTTP
– A simple idea: request a web page using a spoofed IP address. But it’s a TCP protocol, so a non-trivial attack to launch
• Other UDP protocols that can be used
– SNMPv2, NetBIOS, SSDP, CharGEN, QOTD, BitTorrent, Kad, Quake Network Protocol, Steam Protocol
• Source: https://www.us-cert.gov/ncas/alerts/TA14-017A
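An added Python example (not from the slides or the sources they cite) serving both the DNS and the NTP amplification slides above: given a server operator's own UDP flow records, it computes the response-to-request byte ratio and response count per remote address, so the operator can tell when their DNS or NTP server is being used as a reflector toward a spoofed victim. The flow records, the 192.0.2.0/24 "local" prefix and the alert thresholds are constructed assumptions; the 60/4000-byte DNS and 234-byte/48K NTP sizes are the ones the slides give.

```python
from collections import defaultdict

LOCAL_PREFIX = "192.0.2."        # constructed: our UDP servers live in this block
AMPLIFIED_SERVICES = {53, 123}   # the UDP service ports discussed: DNS and NTP

# Constructed UDP flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
# One legitimate DNS lookup, then queries carrying the spoofed source
# 203.0.113.7 that our DNS server answers with 4000-byte TXT records and our
# NTP server answers with 48K monlist responses; every reply lands on the victim.
FLOWS = [("192.0.2.50", 53000, "192.0.2.10", 53, 60),
         ("192.0.2.10", 53, "192.0.2.50", 53000, 120)]
for i in range(200):
    FLOWS.append(("203.0.113.7", 40000 + i, "192.0.2.10", 53, 60))
    FLOWS.append(("192.0.2.10", 53, "203.0.113.7", 40000 + i, 4000))
for i in range(50):
    FLOWS.append(("203.0.113.7", 50000 + i, "192.0.2.11", 123, 234))
    FLOWS.append(("192.0.2.11", 123, "203.0.113.7", 50000 + i, 48000))

def reflector_stats(flows):
    """Aggregate per (local_server, service_port, remote_ip): request bytes in,
    response bytes out, number of responses, and the amplification ratio
    out/in that the remote address (spoofed or not) is receiving."""
    stats = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0, "responses": 0})
    for src, sport, dst, dport, nbytes in flows:
        if dst.startswith(LOCAL_PREFIX) and dport in AMPLIFIED_SERVICES:
            stats[(dst, dport, src)]["req_bytes"] += nbytes        # request arriving
        elif src.startswith(LOCAL_PREFIX) and sport in AMPLIFIED_SERVICES:
            s = stats[(src, sport, dst)]
            s["resp_bytes"] += nbytes                                # response leaving
            s["responses"] += 1
    for s in stats.values():
        s["ratio"] = s["resp_bytes"] / max(s["req_bytes"], 1)
    return dict(stats)

def reflection_suspects(flows, min_ratio=10.0, min_responses=20):
    """Remote addresses we are amplifying traffic towards: a high byte ratio
    and many responses to a single host. Thresholds are assumed."""
    return sorted(key for key, s in reflector_stats(flows).items()
                  if s["ratio"] >= min_ratio and s["responses"] >= min_responses)

if __name__ == "__main__":
    stats = reflector_stats(FLOWS)
    for server, port, remote in reflection_suspects(FLOWS):
        s = stats[(server, port, remote)]
        print(f"{server}:{port} -> {remote}: {s['responses']} responses, "
              f"amplification {s['ratio']:.1f}x")
```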
Real-World examples
• MyDoom
– Estimates of 500,000 to 1 million infected zombie computers performed classic DDoS attacks against the SCO website, successfully and quickly shutting down the website.
• Slammer
– While not a DDoS attack in the classic sense
– At its peak it performed millions of scans a second across infected networks, bringing down many networks.
Protections
• First, update systems and scan systems regularly
• To minimize ICMP attacks, block ICMP at firewalls.
– This can prevent many attacks at the gateway.
• Remember the goal of DoS is to prevent service. Protecting the system as far “upstream” as possible can minimize the effect of any DoS.
– A software firewall on the target system won’t protect it from any DoS attack.
• Why?
References
• Easttom, “Computer Security Fundamentals”, Prentice Hall
• Bueno, Pedro. “Defending Dynamic Web Sites: A Simple Case Study About the Use of Correlated Log Analysis in Forensics”. http://isc.sans.org
• Comer, Douglas. “Internetworking with TCP/IP”. Volume 1
• Moore, David et al. “Inferring Internet Denial-of-Service Activity”. http://www.usenix.org/publications/library/proceedings/sec01/moore/moore.pdf
• Paxson, Vern. “An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks”. http://www.icir.org/vern/papers/reflectors.CCR.01.pdf
• http://www.honeynet.org
• http://www.honeyd.org
Q&A