“GIAC Certified Intrusion Analyst and GIAC Certified Incident Handler—rank among the top 14 highest-paying certificates, with, respectively, 12 percent and 10 percent median salary premiums.”
---- Foote Partners, quoted in ‘Breaking the code on security certs’, Security Supersite, March 17, 2003

G.I.A.C.: Global Information Assurance Certification
TCP stimulus – response
• Example of tcpdump data for a telnet (port 23) application.
• Type 1: Normal system
  Stimulus:
    abc.com.25020 > cde.com.telnet: S 2538567:2538567(0) win 4096 <mss 1480> (DF)
  Response:
    cde.com.telnet > abc.com.25020: S 38849799:38849799(0) ack 2538568 win 4096 <mss 1480>
Anomalous cases: tcp-telnet example
• Type 2: Destination not listening on the telnet port. For the same stimulus, the response will be a Reset/Ack:
    cde.com.telnet > abc.com.25020: R 0:0(0) ack 2538568 win 0
• Type 3: Destination host not available. Though the destination host has a registered DNS IP address,
  • the host may be currently down, or
  • it may have been misconfigured, preventing it from responding.
  The response would come from the router (assume its address is xxx.1) to which the network of the destination host is directly connected.
Anomalous cases: tcp-telnet example (continued)
    xxx.1 > abc.com: icmp: host cde.com unreachable
• Type 4: Destination port blocked
    xxx.1 > abc.com: icmp: host cde.com unreachable – admin prohibited filter
• Type 5: Destination port blocked – router is silenced
  • Some routers can be silenced by putting a statement like ‘no IP unreachable’ in the access control list.
  • The stimulus will get no response.
  • The stimulus will be sent repeatedly until the maximum number of permitted attempts is reached.
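To make the five response types above mechanical, here is an added Python example (not from the slides) that parses the slides' tcpdump notation and classifies a TCP SYN stimulus together with whatever came back; the sample lines are constructed to match the examples above, with whitespace normalised.

```python
import re
from typing import Optional

# Constructed lines in the tcpdump style the slides use (whitespace normalised,
# not captured traffic). Type 5 is "router silenced": nothing comes back at all.
STIMULUS = "abc.com.25020 > cde.com.telnet: S 2538567:2538567(0) win 4096 <mss 1480> (DF)"
RESPONSES = {
    "type1": "cde.com.telnet > abc.com.25020: S 38849799:38849799(0) ack 2538568 win 4096 <mss 1480>",
    "type2": "cde.com.telnet > abc.com.25020: R 0:0(0) ack 2538568 win 0",
    "type3": "xxx.1 > abc.com: icmp: host cde.com unreachable",
    "type4": "xxx.1 > abc.com: icmp: host cde.com unreachable - admin prohibited filter",
    "type5": None,
}

# host.port > host.port: FLAGS [seq:seq(len)] [ack N] ...
TCP_RE = re.compile(
    r"^(\S+?)\.(\w+) > (\S+?)\.(\w+): ([SRPF.]+)(?: (\d+):(\d+)\((\d+)\))?(?: ack (\d+))?")
ICMP_RE = re.compile(r"^(\S+) > (\S+): icmp: (.+)$")


def classify(stimulus: str, response: Optional[str]) -> str:
    """Map a TCP SYN stimulus and what came back onto the slides' Types 1-5."""
    s = TCP_RE.match(stimulus)
    if not s or "S" not in s.group(5) or s.group(6) is None:
        raise ValueError("stimulus must be a TCP SYN line")
    src, sport, dst, dport = s.group(1, 2, 3, 4)
    isn = int(s.group(6))
    if response is None:
        return "type5: no response (port blocked, router silenced)"
    icmp = ICMP_RE.match(response)
    if icmp:
        text = icmp.group(3)
        if "admin prohibited" in text:
            return "type4: port blocked by a filter (icmp admin prohibited)"
        if "host" in text and "unreachable" in text:
            return "type3: destination host unreachable (router replied)"
        return "icmp: " + text
    r = TCP_RE.match(response)
    if not r:
        return "unknown: response is neither TCP nor ICMP"
    if r.group(1, 2, 3, 4) != (dst, dport, src, sport):
        return "unrelated: response does not mirror the stimulus 4-tuple"
    if r.group(9) is None or int(r.group(9)) != isn + 1:
        return "suspicious: ack is not stimulus ISN + 1 (possible forged reply)"
    flags = r.group(5)
    if "R" in flags:
        return "type2: destination not listening (RST/ACK)"
    if "S" in flags:
        return "type1: normal SYN/ACK"
    return "other: TCP reply with flags " + flags
```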
UDP stimulus – response
• Example of tcpdump data for DNS messages (port 53).
• Type 1: Normal
  Stimulus:
    abc.com.25020 > cde.com.domain: 21000+ (31) (DF)
  The + means that the domain server is asked to work recursively to obtain the resolution. 31 is the payload of the UDP packet, not including the UDP and IP headers.
  Response:
    cde.com.domain > abc.com.25020: 21000 1/0/0 (193) (DF)
UDP stimulus – response: anomalous cases
• 1/0/0 is the tcpdump DNS report format: 1 = one answer resource record, 0 = no authority record, 0 = no additional record.
• Type 2: Destination not listening at port 53. For the same stimulus, the response is:
    cde.com.domain > abc.com: icmp: cde.com udp port domain unreachable
Windows tracert
• Consists of ICMP echo requests and ICMP echo replies.
• Example: for a final destination two hops away, and a router one hop from the source, the tcpdump output is:
  Stimulus:
    abc.com > cde.com: icmp: echo request [ttl = 1]
  Response:
    router1 > abc.com: icmp: time exceeded in transit
  tracert sends the same stimulus three times (i.e. twice more) to get the response from the same destination.
Windows tracert (continued)
• Thereafter it sends an echo request with TTL = 2:
    abc.com > cde.com: icmp: echo request
    cde.com > abc.com: icmp: echo reply
  abc.com notes the RTT. The same message is sent two more times and the RTT is noted in each case. tracert then gives the output:
    Over a maximum of 30 hops:
      129 ms  126 ms  130 ms  router1
      229 ms  124 ms  118 ms  cde.com
    Trace complete.
UNIX traceroute
• The default behaviour of tcpdump is to print the TTL only when it has a value of 1, to warn of an impending problem.
• UNIX traceroute sends UDP messages with increasing values of TTL, beginning with TTL = 1, to trace the route.
• For the destination, a port in the range 33000 to 33999 is usually used. Such a port is normally not used for listening, so an ICMP port unreachable message is returned.
Tcpdump output of traceroute
• For ttl = 1:
    abc.com.27822 > cde.com.33888: udp 12 (DF) [ttl=1]
    router1 > abc.com: icmp: time exceeded in transit
• For ttl = 2:
    abc.com.27822 > cde.com.33889: udp 12 (DF)
    cde.com.33889 > abc.com.27822: icmp: cde.com udp port 33889 unreachable (DF)
• 3 similar messages are sent in each case.
FTP procedure: active FTP (21: command port; 20: data port)
• Step 1: The FTP client initiates the establishment of a connection with the FTP server at port 21.
• Step 2: The client requests the transfer of a directory listing or any other file from the server to the client.
• Step 3: The server initiates a connection from port 20 to an ephemeral port of the client.
• Step 4: After the connection is established, the data transfer is completed on the new connection. For each additional exchange of data a new connection with a new ephemeral port is made.
FTP: tcpdump output
• Step 1: Establishment of connection:
    abc.com.38235 > cde.com.21: S 2537895:2537895(0)
    cde.com.21 > abc.com.38235: S 12337887:12337887(0) ack 2537896
    abc.com.38235 > cde.com.21: . ack 1
• Step 2: Exchange of packets for authentication: asking for the user name and, later, the password etc. As an example, the first two packets are shown below (P indicates the Push flag):
    cde.com.21 > abc.com.38235: P 1:24(23) ack 1
    abc.com.38235 > cde.com.21: . ack 24
FTP: tcpdump output (continued)
• Step 3: The directory command is issued by abc.com to get the list of directories available at the server. This leads to the establishment of a second TCP connection between port 20 of the server and an ephemeral port of the client:
    cde.com.20 > abc.com.38236: S 23376656:23376656(0)
    abc.com.38236 > cde.com.20: S 3535736:3535736(0) ack 23376657
    cde.com.20 > abc.com.38236: . ack 1
  Now cde.com would send the list of directories to abc.com on the new connection.
No stimulus, all response
• Consider the following tcpdump output:
    router1 > 182.122.150.72: icmp: time exceeded in transit
    router1 > 182.122.130.52: icmp: time exceeded in transit
    router1 > 182.122.110.32: icmp: time exceeded in transit
• Explanation: A large number of such messages arrived for the 182.122 net. Host addresses on that net had been spoofed for sending traffic to a foreign host.
• Note: Such ICMP messages cannot be probing messages, since an ICMP error message cannot get a response. No danger to 182.122.
DNS (UDP port 53)
• Root servers
• Top-level domains: com, edu, net, org, biz, info, name, pro, gov, mil
• 2-character country-specific domains: ca, jp, uk
• arpa (for reverse look-up)
DNS system
• Every domain name server has many slaves, which take over in case there is a failure.
• The slaves keep themselves synchronized by using the BIND protocol.
• Transfers between the primary DNS server and the slaves are done through a zone transfer, which should be allowed between authorized servers only.
• These transfers are done using TCP in the interest of reliability.
DNS: tcpdump output
    abc.com.2222 > dns.cde.com.53: 1+ (35)
• abc.com issues a ‘gethostbyname’ call to resolve the IP address of some host lying in the SANS organization.
• The + sign means the request is recursive, in that it asks the local DNS server to find and give the final answer. The local DNS server has no information about the SANS organization, so it goes to the root server:
    dns.cde.com.53 > h.root.servers.net.53: 12420- (30) (DF)
• Root servers are busy, so only an iterative request is issued, as indicated by the hyphen after 12420.
• Ref: The example is taken from Northcutt and Novak, Ch. 6.
DNS: authoritative records
• 12420 is the ID number of the request.
    h.root.servers.net.53 > dns.cde.com.53: 12420- 0/3/3 (153) (DF)
• The root server says that it is sending 0/3/3: no answer records / 3 authoritative records / 3 additional records.
• Authoritative records: the 3 servers which own and maintain the records for the SANS domain.
• Additional records: provide the resolution of the above three authoritative DNS servers to their IP addresses.
DNS: authoritative & additional records
• Authoritative records:
    sans.org name server = server1.sans.org
    sans.org name server = ns.BSD1.COM
    sans.org name server = ns.DELOS.COM
• Additional records:
    server1.sans.org Internet address = 167.216.133.33
    ns.BSD.COM Internet address = 205.230.225.16
    ns.DELOS.COM Internet address = 192.65.171.1
DNS: tcpdump output (continued)
• The local DNS server now asks the first authoritative DNS server to resolve the IP address:
    dns.cde.com.53 > server1.sans.org.53: 12421+ (30) (DF)
    server1.sans.org.53 > dns.cde.com.53: 12421* 1/3/3 (172)
• * means the IP address being given is authoritative.
• 3/3 are the same authority records and additional records listed under “DNS: authoritative & additional records” above.
DNS cache
• The local DNS server caches the IP address(es) obtained as shown on the previous four slides, for a period called the TTL, as specified by the authoritative domain server. As long as the record is in the cache, a request to resolve that domain name is met by responding with the IP address from the cache. The server marks such an answer as non-authoritative.
DNS: reverse lookup
• Given: an IP address. To find: the host name, by using gethostbyaddr.
• Method: To reverse look up the address 167.216.233.33, the query is for the name 33.233.216.167.in-addr.arpa.

Limited size of UDP data
• Maximum allowable size of a UDP DNS response = 512 bytes.
• Out of this, IP header = 20 bytes, UDP header = 8 bytes.
Limited size of UDP data (continued)
• Therefore the data part of a UDP DNS message is 484 bytes.
• If the data to be returned would be more than 484 bytes, it is truncated and a new TCP request for DNS is issued.
• Example:
    abc.com.2727 > dns.cde.com.53: 12122 (43) (DF)
    dns.cde.com.53 > abc.com.2727: 12122| 7/0/0 (494)
• The vertical line after 12122 indicates that the data has been truncated.
DNS on TCP
• The size of the data that should have been sent was 494 bytes, which is larger than the 484 bytes allowed with UDP.
• The request can be reissued over TCP. But a TCP connection to port 53 is usually not allowed, except for zone transfers; in such a case, larger data of the type asked for above cannot be obtained. Alternatively, TCP connections to port 53 may be allowed if an earlier UDP connection exist(ed), but this would require storing the state of UDP connections.
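An added Python example, not from the slides, that parses the tcpdump DNS summaries used on the DNS slides above (ID, flag characters, answer/authority/additional counts, payload size) and applies the truncation rule just stated to decide when a query must be reissued over TCP; the sample lines are constructed from the slides' examples, and the 484-byte limit is the slides' own figure.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed lines in the slides' tcpdump DNS summary style (not captured traffic).
SAMPLE = [
    "abc.com.2222 > dns.cde.com.53: 1+ (35)",
    "dns.cde.com.53 > h.root.servers.net.53: 12420- (30) (DF)",
    "h.root.servers.net.53 > dns.cde.com.53: 12420- 0/3/3 (153) (DF)",
    "server1.sans.org.53 > dns.cde.com.53: 12421* 1/3/3 (172)",
    "dns.cde.com.53 > abc.com.2727: 12122| 7/0/0 (494)",
]

# tcpdump appends flag characters to the DNS ID: '+' RD set, '*' AA set,
# '-' RA not set, '|' TC (truncated) set. Responses then carry
# answer/authority/additional counts; the parenthesised number is the payload size.
LINE_RE = re.compile(
    r"^(\S+) > (\S+): (\d+)\s*([+*\-|$]*)\s*(?:(\d+)/(\d+)/(\d+))?\s*\((\d+)\)")

# The slides' arithmetic: a 512-byte UDP response minus 20-byte IP and 8-byte UDP
# headers leaves 484 bytes of DNS data. (RFC 1035 applies its 512-octet limit to
# the DNS payload itself.)
UDP_DNS_DATA_LIMIT = 484


@dataclass
class DnsSummary:
    src: str
    dst: str
    ident: int
    flags: str
    counts: Optional[Tuple[int, int, int]]  # answers/authority/additional, responses only
    size: int

    @property
    def is_response(self) -> bool:
        return self.counts is not None


def parse(line: str) -> DnsSummary:
    """Parse one summary line; raises ValueError for anything else."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a tcpdump DNS summary line: " + line)
    counts = None
    if m.group(5) is not None:
        counts = (int(m.group(5)), int(m.group(6)), int(m.group(7)))
    return DnsSummary(m.group(1), m.group(2), int(m.group(3)), m.group(4), counts, int(m.group(8)))


def needs_tcp_retry(summary: DnsSummary) -> bool:
    """True when the answer was truncated (TC flag, or payload over the UDP limit)."""
    return summary.is_response and ("|" in summary.flags or summary.size > UDP_DNS_DATA_LIMIT)
```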
“Intrusion Detection has gone from a theoretical concept to a practical solution, from a research dream to a major product area and from an idea worthy of study to a key element of the national plan for cyber defence.”
---- Dorothy Denning, quoted on the cover page of the book “The Practical Intrusion Detection Handbook” by Paul E. Proctor, Prentice Hall, 2001
Weaknesses in DNS
• Probing attacks:
  a) On any machine, giving the command
        % nslookup
     provides the name of the default domain name server and its IP address.
  Example 1:
    > nslookup
    Default Server: davinci.newcs.uwindsor.ca
    Address: 137.207.76.3
Weaknesses in DNS: Example 2
    > www.msn.com
    Server: davinci.newcs.uwindsor.ca
    Address: 137.207.76.3
    Non-authoritative answer:
    Name: www.msn.com
    Addresses: 207.68.171.244, 207.68.171.245, 207.68.171.247, 207.68.172.234, 207.68.173.244, 207.68.173.254
• A non-authoritative answer is one that the local domain name server supplies from its cache.
Weaknesses in DNS: Example 3
    > set type=ns
    > msn.com
    Server: davinci.newcs.uwindsor.ca
    Address: 137.207.76.3
    Non-authoritative answer:
    msn.com nameserver = dns1.cp.msft.net
    msn.com nameserver = dns1.tk.msft.net
    msn.com nameserver = dns3.uk.msft.net
    msn.com nameserver = dns3.jp.msft.net
    msn.com nameserver = dns1.dc.msft.net
    msn.com nameserver = dns1.sj.msft.net
    dns1.cp.msft.net   207.46.138.20
    dns1.tk.msft.net   207.46.245.230
    dns3.uk.msft.net   213.199.144.151
    dns3.jp.msft.net   207.46.72.123
    dns1.dc.msft.net   207.68.128.151
    dns1.sj.msft.net   65.54.248.222
Weaknesses in DNS (continued)
  b) Many domain name servers store host information such as the name of the machine, details of its hardware and its operating system. Example: the commands
        > set type=hinfo
        > host49
     will get the hardware and OS information of host49, if available. It is wise not to store such information in a DNS server, since the DNS protocol gives anyone (including a hacker) an easy means of accessing it.
Host information: Example 4
    > set type=hinfo
    > davinci.newcs.uwindsor.ca
    Server: davinci.newcs.uwindsor.ca
    Address: 137.207.76.3
    newcs.uwindsor.ca
        primary name server = davinci.newcs.uwindsor.ca
        responsible mail addr = walid.uwindsor.ca
        serial = 2003020700
        refresh = 10800 (3 hours)
        retry = 3600 (1 hour)
        expire = 604800 (7 days)
        default TTL = 86400 (1 day)
Host information: definitions
• Serial: the serial number at the beginning of the Start Of Authority (SOA) data, updated every time the DNS database is updated. A secondary DNS server updates its data only if the serial number of the master is higher than its own serial number.
• Refresh: the time interval between two successive updates of the database of a secondary name server.
• Retry: if the secondary is not able to reach the master after a Refresh interval, it starts trying to reach the master every Retry interval. Retry interval < Refresh interval.
Host information: definitions (continued)
• Expire: if the secondary is not able to reach the master for an Expire interval, it stops responding to domain name resolution queries, i.e. it expires its data.
• Default TTL: the TTL for every record of the name server’s database is supplied by the authoritative name server in its response to a query. The default value is used if no such value is supplied in the response.
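An added Python example (not from the slides) that encodes the Serial/Refresh/Retry/Expire rules just defined as the state of a secondary server, using the SOA values from Example 4; the state names and helper function names are my own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Soa:
    serial: int
    refresh: int   # seconds between successful checks of the master
    retry: int     # seconds between checks after a failed one
    expire: int    # seconds without contact before the zone data is dropped
    minimum: int   # default TTL for records that carry none

# SOA timer values from Example 4 on the slides (newcs.uwindsor.ca).
EXAMPLE_SOA = Soa(serial=2003020700, refresh=10800, retry=3600, expire=604800, minimum=86400)


def timers_sane(soa: Soa) -> bool:
    """The slides' rule retry < refresh, plus: a zone must outlive one refresh."""
    return 0 < soa.retry < soa.refresh < soa.expire


def secondary_state(soa: Soa, last_success: int, last_attempt: int, now: int) -> str:
    """What a secondary should be doing at `now` (all times in seconds).

    last_success: when the master was last reached and its serial compared.
    last_attempt: when the master was last contacted, successfully or not.
    """
    since_success = now - last_success
    if since_success >= soa.expire:
        return "expired"        # stop answering queries for this zone
    if since_success < soa.refresh:
        return "serving"        # data is fresh; nothing to do yet
    failed_before = last_attempt > last_success
    if failed_before and now - last_attempt < soa.retry:
        return "retry-wait"     # still serving, but inside a Retry interval
    return "check-master"       # ask the master for its current serial


def needs_transfer(local_serial: int, master_serial: int) -> bool:
    """Transfer the zone only when the master's serial is higher than our own."""
    return master_serial > local_serial
```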
Weaknesses in DNS (continued)
  c) The command
        > ls -d abc.com
     may list the entire DNS server record of the domain abc.com.
• Example 5:
    > ls -d newcs.uwindsor.ca
    [davinci.newcs.uwindsor.ca]
    newcs.uwindsor.ca.   SOA   davinci.newcs.uwindsor.ca walid.uwindsor.ca. (2003020700 10800 3600 604800 86400)
    newcs.uwindsor.ca.   NS    uwindsor.ca
    newcs.uwindsor.ca.   NS    davinci.newcs.uwindsor.ca
    newcs.uwindsor.ca.   NS    naps.uwindsor.ca
    router-nt                      A    137.207.76.2
    Symmetra  ups                  A    137.207.76.15
    xylan  ATM machine             A    137.207.76.54
    cs-ssr-6th  router at 6thfl    A    137.207.76.250
    davinci                        MX   5 davinci.newcs.uwindsor.ca
    davinci                        MX   10 nismail.uwindsor.ca
    cs-ssr-main  main router       A    137.207.76.254
    newcs.uwindsor.ca.   SOA   davinci.newcs.uwindsor.ca walid.uwindsor.ca. (2003020700 10800 3600 604800 86400)
Example 5 (continued)
• A: Authoritative record; MX: Mail exchanger.
• Ex. 5: For the domain, two mail exchangers are available, with priority values of 5 and 10. Allowed priority values: 0 to 65,535. The highest priority is 0 and the lowest priority is 65,535. A mail server tries to deliver mail first to the mail exchanger with the highest priority (lowest value). If that mail exchanger is down, it delivers the mail to the mail exchanger with the next lower priority (next higher value). This method avoids looping in a large system.
To find your name server
• On using the commands
    > set type=ns
    > domainname
  the system responds with your name server.
• Ex 6:
    > set type=ns
    > uwindsor.ca
    Server: davinci.newcs.uwindsor.ca
    Address: 137.207.76.3
    Non-authoritative answer:
    uwindsor.ca nameserver = dns.uwindsor.ca
    uwindsor.ca nameserver = ns1.uwo.ca
    dns.uwindsor.ca internet address = 137.207.232.1
    ns1.uwo.ca internet address = 129.100.2.12
• The response is from the cache of the server davinci.newcs.uwindsor.ca. There are two name servers; the names and IP addresses of both are provided.
Weaknesses in DNS (continued)
  d) A tool called ‘Domain Internet Groper’ (DIG) is supplied with some implementations of BIND. It can provide the version number of BIND (versions in use: 4.8.3 and 4.9.4).
  e) Sneaky traceroute: Since port 53 is usually kept open, UDP messages to port 53 with increasing values of TTL can tell whether a host is alive. If ICMP echo requests are blocked, this method may be used. Most firewalls would allow port 53 messages to go through.
Sneaky traceroute
• Generate UDP messages for the destination host (which should not be a name server) with progressively increasing values of TTL.
• Intermediate routers respond with ICMP time exceeded messages.
• If the destination host is alive, it responds with an ICMP port unreachable message.
• If the destination host is not alive, the last router responds with an ICMP host unreachable message.
Cache poisoning attack
• Since the DNS message format for a query and the message format for a response are the same, a query may contain a poisoned IP address.
• The domain name server would cache it for later use.
• This can misdirect other users to the wrong site.
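As an added defensive example, not from the slides: a resolver's receive-side check that ignores records arriving in a message flagged as a query, in a message whose ID, origin or question does not match an outstanding query, or for names outside the queried server's zone (its "bailiwick"). The scenario, names and documentation-range addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner name, type, rdata)


@dataclass
class DnsMessage:
    ident: int
    is_response: bool          # QR header bit; queries and responses share one format
    qname: str
    answers: List[Record] = field(default_factory=list)
    additional: List[Record] = field(default_factory=list)


@dataclass
class PendingQuery:
    ident: int
    qname: str
    server: str                # the server we sent the query to
    zone: str                  # the zone that server is authoritative for


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def cacheable_records(pending: PendingQuery, msg: DnsMessage, from_server: str) -> List[Record]:
    """Return the records a cautious resolver would cache from msg, or nothing."""
    if not msg.is_response:
        return []   # a query (QR=0) is not an answer, whatever records it carries
    if from_server != pending.server or msg.ident != pending.ident:
        return []   # not from the server we asked, or not our transaction ID
    if msg.qname.lower() != pending.qname.lower():
        return []   # answers a question we never asked
    return [r for r in msg.answers + msg.additional if in_bailiwick(r[0], pending.zone)]


# Constructed scenario: we asked server1.sans.org (zone sans.org) for www.sans.org
# with ID 12421; the reply also "helpfully" maps an unrelated name to an
# attacker-chosen address. Addresses are RFC 5737 documentation ranges.
PENDING = PendingQuery(ident=12421, qname="www.sans.org", server="server1.sans.org", zone="sans.org")
POISONED = DnsMessage(
    ident=12421, is_response=True, qname="www.sans.org",
    answers=[("www.sans.org", "A", "192.0.2.10")],
    additional=[("www.bank.example", "A", "198.51.100.7")],   # off-bailiwick: dropped
)
```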
Two news items and two stories (pp. 103–105 and Ch. 7 of the text book on intrusion detection)
WHY DID AL-JAZEERA WEB-SITES GO DOWN?
“At this point we're not able to triangulate to a particular reason…. It could just be an overall traffic increase that adds to the load or it could be an increase in the rate at which users are coming to the site. Or it could be some external event like a DoS or a virus that's propagating. Al-Jazeera put this site together in a hurry…. You have to do at least some basic load testing.”
---- Roopak Patel, Senior Internet Data Analyst, Keynote Systems Inc., a performance management and testing company, San Mateo, Calif., March 25, 2003
Dangerous times
The recent rash of Internet worms has produced an army of hundreds of thousands of compromised machines that could ultimately be used to launch a massive DDoS attack at any time. CERT is monitoring .. five large networks of compromised machines installed with bots. The bots connect compromised PCs or servers to Internet Relay Chat servers, which attackers commonly use to execute commands on the remote systems. At least one of these networks has more than 140,000 machines.
---- Officials at the CERT Coordination Center, Carnegie Mellon University, 17 March 2003