Attacks - PowerPoint PPT Presentation

Title: Attacks

Description: Penetration. Control. Embedding. Data extraction/modification. Attack relay. CS765B. 3 ... Penetration. Penetrate systems taking the help of clueless newbies ...

Slides: 37
Provided by: farooq9

Transcript and Presenter's Notes

1
Attacks
  • Spring 2002

2
Attack
  • Phases of an attack
  • Reconnaissance
  • Vulnerability identification
  • Penetration
  • Control
  • Embedding
  • Data extraction/modification
  • Attack relay

3
Reconnaissance
  • Get to know the network topology in the region
    surrounding the target and the parties it
    corresponds with
  • nmap program (port scanning)
  • queso program (TCP/IP stack fingerprinting to
    guess the remote OS)
  • Tools
  • Coordinated multi-site scanners
  • Probe packets sent from many sites to the target
  • So low rate of packets from any one site
  • Sniffer detectors
  • Overwhelm sniffers with traffic
  • Take advantage of the promiscuous mode that
    sniffers use (e.g. a host in promiscuous mode
    answers ARP requests sent to a MAC address that is
    not its own)
  • Infrastructure
  • Capture DNS servers to determine who the target
    talks to
  • Then attack a less secure target that the target
    talks to and attack the target from there

4
Reconnaissance
  • DHCP servers
  • Take advantage of periodic renewals needed with
    DHCP servers
  • Subnet attacks
  • Take over a host on same subnet and use ARP/DHCP
    attacks
  • SNMP systems
  • SNMP is simple and is information rich
  • Routers
  • Seems quite difficult

5
Vulnerability identification
  • Find externally accessible traffic paths into the
    system
  • Classic vulnerabilities
  • FTP server exploits. Especially vulnerable are
    servers with anonymous write access
  • NFS and SMB share vulnerabilities.
  • Holes in POP and IMAP mail delivery servers.
  • Vulnerabilities in the "bind" name daemon
    software.
  • Web server CGI exploits (Apache, MS IIS).
  • Installed control daemons such as Back Orifice.
  • Best targets
  • Widely known, very much used, difficult to take
    off-line or relocate

6
Penetration
  • Penetrate systems with the help of clueless
    newbies, whose hosts serve as stepping stones
  • Span geographical and political boundaries to
    hide your trail
  • Never use a system with your name or org to
    attack
  • Attack tools
  • Firewall tunnels
  • Tunnel your traffic through firewall and IDS
    systems to make it look like innocuous transfers
    from your captured systems
  • Identify sites visited by the target, then taint
    the DNS database so that the next time the target
    contacts one of those sites it is directed to your
    system
  • Use unused padding in regular data packets
  • Buffer overflow attacks

7
More steps
  • Control
  • Attempt to control the host
  • A small piece of code (the exploit payload) is
    first delivered to the target, and the
    vulnerability is used to execute it
  • That code can contact one of the attack relay
    systems and download further code and
    instructions
  • Embedding
  • To ensure that you retain control even if actions
    are discovered
  • Encrypt and spread binary over many files
  • Store the bootstrap sequence on the network card
    (has small amount of memory)

8
More steps
  • Data extraction/modification
  • Embed encrypted information deep in, say, HTTP
    packets
  • Many IDS systems only capture the initial
    portions of packets
  • Try to send data without violating the traffic
    pattern from the host
  • Attack relay
  • To build a large fleet of attack stations
  • Some principles
  • Avoid using the same attack station twice in a
    short period
  • A good IDS may ignore an occasional strange packet
    but not repeated strange packets

9
Security So Far
  • The past
  • Emphasis on prevention and detection
  • The future
  • Layered Protection

[Diagram: layered protection; attacks are met by prevention, then detection, then tolerance]
10
Intrusion detection
11
Intrusion detection
  • Process of monitoring events occurring in a
    computer system and analyzing them for signs of
    intrusion
  • IDS systems
  • Software or hardware products that automate this
    monitoring and analysis process
  • Advantages
  • Acts as a deterrent for attackers
  • Detects problems that bypass other security
    measures
  • Detect attack preambles
  • Quality control for security design and
    administration
  • Provide information about actual intrusions

12
ID process
  • Three components
  • Information sources
  • Network, hosts, applications
  • Analysis
  • Misuse detection, anomaly detection
  • Response
  • Passive, Active
  • Architecture
  • Host-target co-location
  • Host-target separation

13
ID systems
  • Objectives
  • Accountability
  • Difficult in systems with weak identification and
    authentication mechanisms (e.g. IP spoofing in
    TCP/IP systems)
  • Response
  • Capability to recognize and respond to an attack
  • Control strategies
  • Centralized
  • All monitoring, detection and reporting
    controlled from a central location
  • Partially distributed
  • Reporting to one or more locations
  • Fully distributed
  • Monitoring, detection and response are all
    controlled locally

14
ID systems
  • Timing
  • Elapsed time between capture and analysis of
    events
  • Interval based (batch mode)
  • Information flow from capture points to analysis
    engines is done in batches
  • Precluded from performing active responses
  • Real-time (continuous)
  • Actions affecting an ongoing attack can be
    executed
  • Sources
  • Network-based IDS
  • Host-based IDS
  • Application-based IDS

15
Network based IDS
  • Detects attacks by monitoring packets over a
    network
  • Can protect multiple hosts
  • Consists of a set of single-purpose sensors or
    hosts
  • Sensors can be more easily secured against
    attacks since
  • They run only minimal applications, run in
    stealth mode
  • Advantages
  • Few sensors can monitor a large network
  • Easy to retrofit existing networks with minimal
    effort
  • Can be made secure against attack and also
    invisible to attackers
  • Disadvantages
  • Difficulty keeping up with high-bandwidth networks
  • May not be useful in switch-based networks
  • Cannot analyze encrypted information
  • Might not be able to detect the effectiveness of
    an attack
  • Fragmented packets can cause IDSs to become
    unstable and crash

16
Host based IDS
  • Monitors an individual computer system
  • Can determine precisely the processes involved in
    an attack
  • Utilize
  • Operating system audit trails
  • System logs
  • Advantages
  • Can detect attacks missed by network-based IDS
  • Can operate with encrypted information
  • Unaffected by switched networks
  • Disadvantages
  • Harder to manage
  • Easier to attack the IDS and disable it
  • Not suited for detecting some attacks like
    network scans
  • Can be disabled by certain DoS attacks
  • Use the computing resources of the hosts being
    monitored

17
Application based IDS
  • Subset of host based IDS
  • Analyze the events within a software application
  • Use application transaction log files
  • Interfaces with the application directly taking
    advantage of domain or application-specific
    knowledge
  • Advantages
  • Can monitor the interaction between user and
    application
  • Can work in environments encrypting data
  • Disadvantages
  • More vulnerable to attacks than host-based IDSs,
    since application logs might not be as
    well-protected as OS audit trails
  • Might not be able to detect software tampering
    attacks

18
Analysis
  • Misuse detection
  • Look for events or a set of events that match a
    predefined pattern
  • Hence also called signature-based detection
  • Sophisticated approaches leverage a single
    signature to detect a whole group of related
    attacks
  • State-based analysis techniques exist but are not
    yet used in commercial systems
  • Misuse detection is the most widely used method
  • Advantages
  • Effective at detecting attacks without too many
    false alarms
  • Can reliably diagnose the use of a specific
    attack tool or technique
  • Disadvantages
  • Can only detect attacks whose signatures are
    known

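The following is an added example, not code from the slides: a minimal misuse (signature-based) detector run over constructed web-server access-log lines. The signatures are illustrative, keyed to the classic CGI and traversal attacks listed on the vulnerability slide, and the log lines, addresses and rule names are constructed assumptions rather than any vendor's ruleset.

```python
# Added example (not from the slides): signature-based misuse detection
# over constructed web-server access-log lines.
from __future__ import annotations

import re
from urllib.parse import unquote

# Illustrative signatures, not a vendor ruleset. Each is applied to both the
# raw request path and its URL-decoded form, so an encoding that hides a
# pattern in one representation still matches in the other.
SIGNATURES = [
    ("cgi-phf", re.compile(r"/cgi-bin/phf\b")),
    ("dir-traversal", re.compile(r"(\.\./){2,}")),
    ("iis-unicode-traversal", re.compile(r"%c0%af|%c1%9c", re.I)),
    ("shell-cmd-in-query", re.compile(r"[?&].*(;|\||%0a|\n)\s*(cat|sh|id)\b", re.I)),
]

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (illustrative addresses and requests).
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2002:10:01:02 -0500] "GET /index.html HTTP/1.0" 200 1234',
    '192.0.2.7 - - [12/Mar/2002:10:01:09 -0500] "GET /cgi-bin/phf?Qalias=x%0Acat%20/etc/passwd HTTP/1.0" 200 98',
    '192.0.2.7 - - [12/Mar/2002:10:01:15 -0500] "GET /scripts/..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0',
    '198.51.100.3 - - [12/Mar/2002:10:02:00 -0500] "GET /docs/../../../../etc/passwd HTTP/1.0" 403 0',
    '10.0.0.9 - - [12/Mar/2002:10:02:31 -0500] "POST /login HTTP/1.0" 302 0',
]


def match_signatures(path: str) -> list[str]:
    """Return the names of all signatures matching a request path."""
    decoded = unquote(path)
    return [name for name, pat in SIGNATURES
            if pat.search(path) or pat.search(decoded)]


def scan_lines(lines) -> list[tuple[str, str, str]]:
    """Parse each line and run the signatures; return (src, path, signature) alerts."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparsable line; a production sensor should count these
        for sig in match_signatures(m["path"]):
            alerts.append((m["src"], m["path"], sig))
    return alerts


def alerts_by_source(lines) -> dict[str, list[str]]:
    """Group fired signatures per source address (the 'attack group' view)."""
    grouped: dict[str, list[str]] = {}
    for src, _, sig in scan_lines(lines):
        grouped.setdefault(src, []).append(sig)
    return grouped


if __name__ == "__main__":
    for src, path, sig in scan_lines(LOG_LINES):
        print(f"ALERT {sig:24} src={src} path={path}")
```

Matching on both the raw and decoded path is the cheap answer to the encoding tricks that signature detectors are otherwise blind to; the grouping by source is the simplest form of the "one signature, one attack group" view.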
19
Analysis
  • Anomaly detection
  • Identify abnormal (unusual) behavior on a
    host/network
  • Make use of profiles of normal behavior of users
  • Techniques used
  • Threshold detection
  • Statistical measures
  • Patterns specified as distributions
  • Rule based measures
  • Patterns specified as rules
  • Other measures
  • Neural networks, genetic algorithms, immune
    system models
  • Used in a limited form in current commercial IDSs
  • Normally used to detect network or port scanning
  • An active area of research

20
Analysis
  • Anomaly detection
  • Advantages
  • Detect unusual behavior and hence can be used to
    detect new attacks
  • Can in turn be used to define signatures for
    misuse detectors
  • Disadvantages
  • Produce a large number of false alarms
  • Require extensive training sets of system
    events

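The following is an added example, not code from the slides, of the threshold and statistical measures described in the anomaly-detection slides, run over constructed connection-attempt records. It also shows why the coordinated multi-site scanning described on the reconnaissance slide defeats a per-source threshold: every source stays under the limit, and only aggregation by target reveals the scan. The addresses, thresholds and the "training" baseline are constructed assumptions.

```python
# Added example (not from the slides): anomaly detection with threshold and
# statistical measures over constructed connection-attempt records.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed SYN attempts: (time_s, src, dst, dst_port). Illustrative.
EVENTS = []
# An ordinary host touching a few service ports on one server.
EVENTS += [(t, "10.0.0.5", "10.0.0.1", p)
           for t, p in zip(range(0, 40, 10), (80, 443, 8080, 80))]
# A single noisy scanner sweeping 15 ports on the same server.
EVENTS += [(10 + i, "192.0.2.7", "10.0.0.1", 21 + i) for i in range(15)]
# A coordinated scan: five sources, three ports each, against a second server.
for i in range(5):
    EVENTS += [(20 + i, f"198.51.100.{i + 1}", "10.0.0.2", 21 + 3 * i + j)
               for j in range(3)]

# Constructed "training set": connections per ordinary host per minute,
# recorded while the network was believed clean. Anomaly detectors need
# such a profile before they can score anything.
BASELINE_COUNTS = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]


def connections_per_source(events):
    counts = defaultdict(int)
    for _, src, _, _ in events:
        counts[src] += 1
    return dict(counts)


def per_source_scan_alerts(events, threshold=10):
    """Threshold measure: a source probing >= threshold distinct ports on one host."""
    ports = defaultdict(set)
    for _, src, dst, port in events:
        ports[(src, dst)].add(port)
    return sorted({src for (src, _), p in ports.items() if len(p) >= threshold})


def per_target_scan_alerts(events, threshold=10):
    """Aggregate by target instead; this is what catches a distributed scan.
    Returns dst -> (distinct ports probed, distinct sources involved)."""
    ports, sources = defaultdict(set), defaultdict(set)
    for _, src, dst, port in events:
        ports[dst].add(port)
        sources[dst].add(src)
    return {dst: (len(ports[dst]), len(sources[dst]))
            for dst in ports if len(ports[dst]) >= threshold}


def statistical_outliers(events, baseline=BASELINE_COUNTS, k=3.0):
    """Statistical measure: sources whose connection count lies more than
    k standard deviations above the profile mean."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        return []  # degenerate profile; deviations cannot be scored
    return sorted(src for src, c in connections_per_source(events).items()
                  if (c - mu) / sigma > k)


if __name__ == "__main__":
    print("per-source threshold:", per_source_scan_alerts(EVENTS))
    print("statistical outliers:", statistical_outliers(EVENTS))
    print("per-target aggregation:", per_target_scan_alerts(EVENTS))
```

With these inputs the loud scanner trips both the per-source threshold and the statistical measure, while each of the five coordinated sources makes only three connections and is invisible to both; the per-target aggregation is the only view in which 10.0.0.2 shows up as swept.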
21
Response
  • Active response
  • Automated actions taken when certain types of
    intrusions are detected
  • Categories
  • Collect additional information
  • To help confirm the detection, support the
    investigation, and apprehend the attacker
  • Change the environment
  • Halt an attack in progress and then block
    subsequent access by the attacker
  • Injecting TCP reset packets
  • Reconfiguring routers and firewalls
  • Striking back at the attacker
  • Raises legal issues
  • Whom to attack? The apparent source may be a
    spoofed address or an innocent relay host

22
Response
  • Passive response
  • Provide information to system users
  • Rely on humans to take subsequent actions
  • Approach used by many commercial IDSs
  • Alarms and notifications
  • Onscreen alert or popup window
  • Considerations for responses
  • Provide silent, reliable monitoring of attackers
  • So need encrypted tunnels or other cryptographic
    measures to hide and authenticate IDS
    communications

23
Tools to complement IDS
  • Vulnerability analysis systems
  • Test to determine if a network or host is
    vulnerable to attacks
  • Batch mode misuse detectors
  • Types
  • Host based vulnerability analysis
  • Credential based passive vulnerability assessment
  • Network based vulnerability analysis
  • Non-credential based active vulnerability
    assessment
  • Testing by exploit
  • Systems reenact an actual attack
  • Inference methods
  • Looks for artifacts of successful attacks

24
Tools to complement IDS
  • File integrity checkers
  • Utilize crypto techniques to determine when files
    have been modified
  • Can also be used to check if patches have been
    applied to binaries
  • Tripwire
  • Honey pots
  • Decoy systems designed to lure an attacker away
    from critical systems
  • Also collect information about the attackers
    activity

25
Selecting IDS
  • Technical and policy considerations
  • System environment
  • Technical specifications
  • Technical specifications of current security
    protection
  • Goals of the enterprise
  • Security goals of the enterprise
  • Insider attacks
  • Outsider attacks
  • Product features and quality
  • Scalability
  • Previous performance
  • Level of expertise needed by the product
  • Commitments for product support

26
Deploying IDS
  • Need to have proper security plans, policies and
    procedures
  • Staged deployment
  • Network based IDS
  • Behind firewalls
  • Outside firewalls
  • On major backbones or subnets
  • Host based IDS
  • Go from few critical hosts to a majority of hosts
  • Alarm strategies

27
Strengths and limitations of IDS
  • Strengths
  • Monitoring and analysis of system events and user
    behaviors
  • Recognizing system event patterns corresponding
    to known attacks
  • Alerts in case of known attacks or abnormal
    behavior
  • Can be operated by non-security experts
  • Limitations
  • Will not compensate for missing or weak security
    mechanisms
  • Detecting new attack types
  • Cannot deal with heavy network loads, switched
    networks etc.

28
IDS
  • Like anti-virus software
  • IDS capabilities will become core capabilities of
    network infrastructure like routers, bridges,
    APs, switches etc.

29
Attacking an IDS
  • Problems with Network ID systems
  • Insufficiency of information on the wire
  • Network IDS work by predicting the behavior of
    networked machines based on the packets seen
  • Different OS and network driver implementations
  • Time-lag between NIDS and targets
  • Target systems suffer from out-of-memory, CPU
    exhaustion etc
  • Vulnerability to denial of service
  • Ping of death, teardrop

30
Attacks on an IDS
  • Objective
  • To thwart protocol analysis using signature based
    ID
  • Cause the NIDS to be unavailable
  • Types
  • Insertion
  • Involves an attacker stuffing the IDS with packets
    that the end system will reject
  • End system sees less than the IDS
  • Evasion
  • Involves exploiting inconsistencies between IDS
    and end system so that packets the end system
    accepts are missed by the IDS
  • End system sees more than the IDS
  • Resource Exhaustion

31
Ambiguities
  • Insertion, Evasion and Resource Exhaustion
    attacks
  • IP TTL field may (or may not) be large enough
  • Packet size too large for a downstream link to
    handle without fragmentation, while the DF bit is
    set (the IDS sees the packet, the host never does)
  • Destination may be configured to drop
    source-routed packets
  • Destination may reassemble overlapping fragments
    differently based on its OS
  • Spoofing MAC addresses when the NIDS is on the
    same subnet
  • Fragmented out of order packets
  • Manipulation of SYN, SYN/ACK, RST
  • Three way handshake
  • State maintenance
  • IDS
  • Exhausting CPU resources, exhausting memory,
    exhausting network bandwidth

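The following is an added example, not code from the slides, of two of the ambiguities listed above: a TTL that is large enough to reach the NIDS but not the end host (insertion), and overlapping segments that the NIDS and the host resolve with different policies. Hop counts, the two reassembly policies and the request bytes are illustrative assumptions; real stacks differ in which overlap policy they use, and the point is only that the IDS and the host need not agree. A check that flags inconsistent overlaps, which is what a defender can actually do about this, is included.

```python
# Added example (not from the slides): insertion and evasion through the
# ambiguity between the NIDS's view of a stream and the end host's.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int       # byte offset of this data in the stream
    data: bytes
    ttl: int = 64  # IP TTL of the packet that carried it


def reassemble(segments, policy: str, hops: int) -> bytes:
    """Rebuild the stream as seen by an observer `hops` routers from the sender.

    policy: "first" keeps the first data received for an overlapping byte,
            "last" lets later data overwrite it.
    A packet whose TTL is <= hops expires before it reaches this observer.
    """
    buf = {}
    for s in segments:                      # arrival order matters
        if s.ttl <= hops:
            continue
        for i, b in enumerate(s.data):
            off = s.seq + i
            if policy == "first" and off in buf:
                continue
            buf[off] = b
    out, k = bytearray(), 0
    while k in buf:                         # stop at the first hole
        out.append(buf[k])
        k += 1
    return bytes(out)


def has_inconsistent_overlap(segments) -> bool:
    """Defensive check: do two segments carry different bytes for one offset?
    A normalizing IDS should alert on or drop such traffic rather than guess."""
    seen = {}
    for s in segments:
        for i, b in enumerate(s.data):
            if seen.setdefault(s.seq + i, b) != b:
                return True
    return False


SIGNATURE = b"/cgi-bin/phf"   # what the signature-based NIDS is looking for


def insertion_attack(ids_hops=2, host_hops=5):
    """Chaff segment whose TTL reaches the IDS but dies before the host."""
    segs = [Segment(0, b"GET /cgi-bin/"),
            Segment(13, b"xyz", ttl=ids_hops + 1),   # IDS accepts, host never sees
            Segment(13, b"phf")]
    return reassemble(segs, "first", ids_hops), reassemble(segs, "first", host_hops)


def overlap_policy_attack():
    """Identical packets; IDS resolves overlaps 'last', host resolves 'first'."""
    segs = [Segment(0, b"GET /cgi-bin/"), Segment(13, b"phf"), Segment(13, b"xyz")]
    return reassemble(segs, "last", 0), reassemble(segs, "first", 0)


if __name__ == "__main__":
    for name, fn in (("insertion", insertion_attack),
                     ("overlap policy", overlap_policy_attack)):
        ids_view, host_view = fn()
        print(f"{name}: IDS sees {ids_view!r} (alert={SIGNATURE in ids_view}), "
              f"host sees {host_view!r} (alert={SIGNATURE in host_view})")
```

In both scenarios the IDS reconstructs a harmless request while the host executes the real one. The IDS cannot know the host's hop count or overlap policy from the wire, which is why the practical defence is to treat inconsistent overlapping data as an alert in its own right.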
32
CIDF (Common Intrusion Detection Framework, a DARPA-sponsored effort; the IETF counterpart was the IDWG)
  • Defines a set of components that make up an IDS
  • Event generators
  • Analysis engines
  • Storage mechanisms
  • Countermeasures

33
Intrusion Tolerance Techniques
34
Intrusion Tolerance Overview
  • An intrusion tolerant system
  • one that continues to function correctly and
    provide the intended user services in a timely
    manner even in the face of an information attack
  • Intrusion tolerant systems must be able to
    (under information attacks)
  • maintain the integrity of application data and
    programs
  • assure high availability
  • Distinct from intrusion detection and intrusion
    prevention

From DARPA BAA00-15 PIP
35
Intrusion Tolerance techniques
  • Fragmentation-Redundancy-Scattering technique
  • Cryptography
  • Dynamic Secret sharing
  • Threshold Cryptography
  • Masking, Adaptation etc.

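The following is an added example, not code from the slides, of one of the listed techniques: threshold secret sharing (Shamir's scheme) as a concrete fragmentation-redundancy-scattering mechanism, with a proactive refresh that shows what "dynamic" sharing adds. A secret split into n shares held on n servers survives the loss of up to n-k servers (availability) and reveals nothing to an attacker who compromises fewer than k of them (confidentiality). The field prime, share counts and the sample secret are illustrative assumptions.

```python
# Added example (not from the slides): Shamir threshold secret sharing with
# proactive refresh, as an intrusion-tolerance building block.
import secrets

P = 2**127 - 1  # prime field; secrets must be integers below P


def _eval(poly, x):
    """Evaluate a polynomial (coefficients low to high) at x, mod P."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % P
    return acc


def split(secret: int, k: int, n: int):
    """n shares of which any k reconstruct `secret`; fewer than k reveal nothing."""
    if not 0 <= secret < P or not 1 <= k <= n:
        raise ValueError("secret out of range or bad threshold")
    poly = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval(poly, x)) for x in range(1, n + 1)]


def reconstruct(shares) -> int:
    """Lagrange interpolation at x = 0 over the given shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def refresh(shares, k: int):
    """Proactive refresh: add shares of a random polynomial with zero constant
    term. The secret is unchanged, but old and new shares cannot be combined,
    so an attacker must compromise k servers within one refresh period."""
    zero_poly = [0] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, (y + _eval(zero_poly, x)) % P) for x, y in shares]


def demo():
    """Returns (any 3 of 5 recover, 2 of 5 recover, refreshed 3 recover, mixed old/new recover)."""
    secret = int.from_bytes(b"constructed-key!", "big")   # constructed 16-byte secret
    shares = split(secret, k=3, n=5)                      # scattered across 5 servers
    ok_any3 = reconstruct([shares[0], shares[2], shares[4]]) == secret  # 2 servers lost
    ok_2 = reconstruct(shares[:2]) == secret                            # 2 servers compromised
    new = refresh(shares, 3)
    ok_new = reconstruct(new[1:4]) == secret
    ok_mixed = reconstruct([new[0], shares[1], shares[2]]) == secret    # stale + fresh shares
    return ok_any3, ok_2, ok_new, ok_mixed


if __name__ == "__main__":
    print(demo())
```

The `refresh` step is the "dynamic" part: the servers periodically re-randomise their shares without ever assembling the secret, which turns the attacker's problem from "compromise any k servers, ever" into "compromise k servers within one period".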
36
[Diagram: FRS applied persistently to application data, and non-persistently to messages between sender and receiver]