
ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177


Presentation Transcript


  1. ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 Office: Klaus 3362 email or call for office visit Chapter 9 - Network Intrusion

  2. Network Intruders
     Masquerader: A person who is not authorized to use a computer, but gains access appearing to be someone with authorization (steals services, violates the right to privacy, destroys data, ...).
     Misfeasor: A person who has limited authorization to use a computer, but misuses that authorization (steals services, violates the right to privacy, destroys data, ...).
     Clandestine User: A person who seizes supervisory control of a computer and proceeds to evade auditing and access controls.
     Hacker: generic term for someone who does unauthorized things with other people's computers (also a poor golfer, tennis player, or programmer good at writing quick and dirty code).

  3. Access Control
     Today many systems are protected only by a simple password that is typed in, or sent over a network in the clear.
     Techniques for guessing passwords:
     1. Try default passwords.
     2. Try all short words, 1 to 3 characters long.
     3. Try all the words in an electronic dictionary (60,000).
     4. Collect information about the user's hobbies, family names, birthday, etc.
     5. Try the user's phone number, social security number, street address, etc.
     6. Try all license plate numbers (123XYZ).
     Prevention: Enforce good password selection (“c0p31an6” - not great; “wduSR-wmHb365” - better). Two words, separated with punctuation, plus a number, e.g.: burglaR-666.Protect-ALL

  4. Password Gathering
     Look under the keyboard, telephone, etc.
     Look in the Rolodex under “X” and “Z”.
     Call up pretending to be from “micro-support,” and ask for it.
     “Snoop” a network and watch the plaintext passwords go by.
     Tap a phone line - but this requires a very special modem.
     Use a “Trojan Horse” program to record key strokes.

  5. UNIX Passwords Stored in /etc/shadow
     [Figure: table with one row per user: User ID1..3, Salt Value1..3, Hash1..3]
     User's password (should be required to have 12 characters, some non-letters)
     Random 24-bit number R64 encoded (Salt)
     SHA-512 hashed to 87 viewable R64 characters
     Example entry: copeland:$6$UqcJG1si$9MQO … usZkWkh/3PZ1:14930:0:99999:7:::
     Hash-type prefixes: :$1$ - MD5; :$2$ - Blowfish; :$5$ - SHA-256; :$6$ - SHA-512

  6. Storing UNIX Passwords
     Until a few years ago, UNIX password hashes were kept in a publicly readable file, /etc/passwd. Now they are kept in a “shadow” file only visible by “root”. This helps prevent a reverse-lookup Dictionary Attack.
     “Salt”:
     • Random number shown in clear (R64) – added to password
     • Prevents duplicate passwords from being easily seen as such.
     • Prevents use of standard reverse-lookup dictionaries (a different dictionary would have to be generated for each value of Salt).
     • Does not “effectively increase the length of the password.”
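The following is an added example, not part of the lecture, covering slides 5 and 6: it parses the fields of an /etc/shadow entry (the $id$salt$hash password field plus the aging fields) and then shows why a precomputed reverse-lookup dictionary built for one salt is useless for another. The shadow line, the salted-hash function and the word list are constructed for the example; the single-pass SHA-512 stands in for the real iterated sha512crypt.

```python
import hashlib
from datetime import date, timedelta

# $id$ prefixes listed on slide 5
SHADOW_IDS = {"1": "MD5", "2": "Blowfish", "5": "SHA-256", "6": "SHA-512"}

# Constructed sample /etc/shadow line (not a real account). The salt and the
# aging fields copy the slide's example; the 86-character hash body is filler
# drawn from the crypt R64 alphabet [./0-9A-Za-z], not a real digest.
SAMPLE_ENTRY = ("alice:$6$UqcJG1si$"
                "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "0123456789./abcdefghijklmnopqrstuv"
                ":14930:0:99999:7:::")


def parse_shadow_entry(line):
    """Split one /etc/shadow line into its nine colon-separated fields and
    decode the $id$salt$hash password field (an optional $rounds=N$ field
    between id and salt is also recognised)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 fields, got %d" % len(fields))
    user, pw, lastchg, _min, max_days, warn, _inactive, _expire, _flag = fields
    info = {"user": user, "locked": pw.startswith("!") or pw in ("*", "!!")}
    if pw.startswith("$"):
        parts = pw.split("$")[1:]          # drop the empty string before the first $
        info["algorithm"] = SHADOW_IDS.get(parts[0], "unknown id " + parts[0])
        if parts[1].startswith("rounds="):
            info["rounds"] = int(parts[1][7:])
            parts = [parts[0]] + parts[2:]
        info["salt"], info["digest"] = parts[1], parts[2]
    # third field: day of the last password change, counted from 1970-01-01
    if lastchg:
        info["last_change"] = (date(1970, 1, 1) + timedelta(days=int(lastchg))).isoformat()
    info["max_days"] = int(max_days) if max_days else None
    info["warn_days"] = int(warn) if warn else None
    return info


def salted_digest(password, salt):
    """Illustrative salted hash: one SHA-512 over salt||password. Real sha512crypt
    iterates thousands of times; a single pass is enough to show what the salt does."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


def reverse_lookup_table(wordlist, salt):
    """Precomputed digest -> word dictionary. It is only valid for the salt it
    was built with, which is the slide's point about per-salt dictionaries."""
    return {salted_digest(word, salt): word for word in wordlist}
```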

  7. The Stages of a Network Intrusion [RAERU]
     1. Scan the network to: [RECONNAISSANCE]
        • locate which IP addresses are in use,
        • what operating system is in use,
        • what TCP or UDP ports are “open” (being listened to by Servers).
     2. Run “Exploit” scripts against open ports. [ACCESS]
     3. Elevate privileges to “root” or “admin” privileges. [ELEVATE]
     4. Download from a Hacker Web site special versions of system files that will let the Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. [ROOT KIT] (or simple backdoor)
     5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the computer and its info (ID theft, Warez, Botnet). [UTILIZE]
     For current scanning activity: http://isc.sans.org/reports.html

  8. # nmap -sS -P0 -vv -p 21,22,25,110,443 209.162.185.100
     Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
     Host jacsw (209.162.185.100) appears to be up ... good.
     Initiating SYN Stealth Scan against victim (209.162.185.100)
     Adding open port 22/tcp
     Adding open port 443/tcp
     The SYN Stealth Scan took 4 seconds to scan 5 ports.
     Interesting ports on jacsw (209.162.185.100):
     Port      State     Service
     21/tcp    filtered  ftp        [response blocked by firewall]
     22/tcp    open      ssh        [tcp port 22 open]
     25/tcp    filtered  smtp
     110/tcp   filtered  pop-3
     443/tcp   open      https
     Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

     # telnet 209.162.185.100 22          [telnet can connect to any port]
     Trying 209.162.185.101...            [here we specified port 22]
     Connected to 209.162.185.100.
     SSH-2.0-OpenSSH_3.1p1                [response shows SSH version]

  9. # less /var/log/secure   [unless a root kit is installed, log files tell who has logged on]
     Oct 15 13:45:30 lc1 sshd[12538]: Could not reverse map address 199.77.146.103.
     Oct 15 13:46:26 lc1 sshd[12538]: Accepted password for root from 199.77.146.103 port 52388 ssh2
     Oct 15 15:05:44 lc1 sshd[12591]: Could not reverse map address 199.77.146.103.
     Oct 15 15:05:48 lc1 sshd[12591]: Accepted password for root from 199.77.146.103 port 52438 ssh2
     Oct 17 07:34:10 lc1 sshd[13409]: Accepted password for root from 130.207.226.152 port 52613 ssh2
     Oct 17 07:49:33 lc1 sshd[13460]: Accepted password for root from 130.207.226.152 port 52615 ssh2
     Oct 17 08:02:37 lc1 sshd[13503]: Accepted password for root from 130.207.237.139 port 52616 ssh2
     Oct 17 08:10:40 lc1 sshd[13542]: Accepted password for root from 130.207.237.148 port 52617 ssh2
     Oct 17 08:26:16 lc1 sshd[13584]: Accepted password for root from 130.207.237.158 port 52618 ssh2
     Oct 17 11:52:18 lc1 sshd[13640]: Could not reverse map address 199.77.146.103.
     Windows – use “Event Viewer”; Mac – use “Console”
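As an added example (not from the lecture), here is the review a sysadmin would automate over the /var/log/secure lines on slide 9: it pairs each "Could not reverse map address" message with the "Accepted password" line from the same sshd process and flags root password logins, sources outside an allow-list, and sources with no reverse DNS. The allow-list of expected admin addresses is an assumption passed in by the caller.

```python
import re
from collections import Counter

# Sample lines copied from the slide's /var/log/secure excerpt
SAMPLE_LOG = """\
Oct 15 13:45:30 lc1 sshd[12538]: Could not reverse map address 199.77.146.103.
Oct 15 13:46:26 lc1 sshd[12538]: Accepted password for root from 199.77.146.103 port 52388 ssh2
Oct 15 15:05:44 lc1 sshd[12591]: Could not reverse map address 199.77.146.103.
Oct 15 15:05:48 lc1 sshd[12591]: Accepted password for root from 199.77.146.103 port 52438 ssh2
Oct 17 07:34:10 lc1 sshd[13409]: Accepted password for root from 130.207.226.152 port 52613 ssh2
Oct 17 07:49:33 lc1 sshd[13460]: Accepted password for root from 130.207.226.152 port 52615 ssh2
Oct 17 08:02:37 lc1 sshd[13503]: Accepted password for root from 130.207.237.139 port 52616 ssh2
Oct 17 11:52:18 lc1 sshd[13640]: Could not reverse map address 199.77.146.103.
"""

ACCEPTED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: "
                      r"Accepted (\w+) for (\S+) from (\S+) port (\d+)")
NO_RDNS = re.compile(r"sshd\[(\d+)\]: Could not reverse map address (\d+(?:\.\d+){3})")


def review_sshd_log(text, expected_sources=frozenset()):
    """Return (logins, findings). A finding lists every reason a successful
    login deserves a look: root logged in with a password, the source is not
    on the allow-list, or the same sshd process could not reverse-map the
    source address just before accepting it."""
    logins, findings = [], []
    no_rdns = {}                      # sshd pid -> address that failed reverse lookup
    for line in text.splitlines():
        m = NO_RDNS.search(line)
        if m:
            no_rdns[m.group(1)] = m.group(2)
            continue
        m = ACCEPTED.match(line)
        if not m:
            continue
        ts, pid, method, user, src, port = m.groups()
        entry = {"time": ts, "user": user, "method": method, "src": src,
                 "port": int(port), "rdns_failed": no_rdns.get(pid) == src}
        logins.append(entry)
        reasons = []
        if user == "root" and method == "password":
            reasons.append("root login with password")
        if src not in expected_sources:
            reasons.append("source not on allow-list")
        if entry["rdns_failed"]:
            reasons.append("no reverse DNS for source")
        if reasons:
            findings.append((ts, user, src, reasons))
    return logins, findings


def logins_per_source(logins):
    """Count successful logins by source address (who keeps coming back)."""
    return Counter(entry["src"] for entry in logins)
```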

  10. Protection from a Network Intrusion
      1. Use a “Firewall” between the local area network and the world-wide Internet to limit access (Chapter 10).
      2. Use an IDS (Intrusion Detection System) to detect the Cracker during the scanning stage (lock out the IP address, or monitor and prosecute).
      3. Use a program like TripWire* on each host to detect when system files are altered, and email an alert to the Sys Admin.
      4. On Microsoft PCs with XP or Vista, use the OS firewall that limits incoming and outgoing communications by Application (program), not just port number. For Mac, buy "Little Snitch" ($25).
      * Gene Kim and Gene Spafford (PhD GT 1986), Purdue U., http://www.cerias.purdue.edu/

  11. "Little Snitch" Firewall for MacOS

  12. "Little Snitch" Firewall for MacOS - Popup


  14. Anomaly-Based Intrusion Detection
      [Figure 9.1: distributions of Normal and Bad events against a Detection Threshold; an event detected as Positive raises an Alarm]
      A Negative Event, True or False, is one that does not trigger an Alarm.
      High statistical variation in most measurable network behavior parameters results in a high false-alarm rate.
      False Alarms = False Positives (FP); Undetected Intrusions = False Negatives (FN)
      #False-Positives = #Normal Events x FP-rate
      #False-Negatives = #Bad Events x FN-rate
      #Normal Events = #True Negatives + #False Positives

  15. Trade-off by shifting threshold
      If the “behavior” is a connection ("positive" says it is malicious, "negative" says it is not):
      For Legitimate Connections (total number = LC):
        True-Negative-Rate + False-Positive-Rate = TNR + FPR = 1
        Correctly handled connections (no alarms) = TNR * LC
        Incorrectly handled connections (false alarms) = FPR * LC
      For Malicious Connections (total number = MC):
        False-Negative-Rate + True-Positive-Rate = FNR + TPR = 1
        Correctly handled connections (real alarms) = TPR * MC
        Incorrectly handled connections (no alarms) = FNR * MC
      If LC >> MC then (FPR * LC) >> (TPR * MC), hence “false alarms” are much greater than “real alarms” when FPR >> MC/LC (tiny) (TPR is 1 - FNR, or approx. 1).

  16. “Base-Rate” Fallacy
      Suppose the accuracy of an IDS is 99% (both TPR and TNR). This means that for every 100 normal events, there will be 1 false positive. Also, for every 100 intrusion events, there will be 99 detects (true positives) and 1 missed detection (false negative).
      If there are 300,000 normal connections a day, there will be 3000 false alarms (false positives). If there is one intrusion per week, there will be a 99% chance of detecting it (if the IDS is still turned on).
      For detailed math, see Appendix 9A of the textbook (editions 2, 3).

  17. Example Problems - "Base-Rate Fallacy*"
      Q. If there are 10,000,000 connections** on a network per day, and the False Positive Rate is 0.0001:
      1. How many false alarms (False Positives) will result?
         Ans. 10,000,000 x 0.0001 = 1000 false alarms per day (False Positives / day)
      2. How many good connections will not cause alarms (True Negatives)?
         Ans. 10,000,000 x (1 - 0.0001) = 9,999,000 True Negatives per day.
      ** Unless stated (as in the next problem), assume none (or a negligible number) of the connections are "bad".
      Q. If there are 100 "bad" (or "intrusion") connections per day, and the False Negative Rate is 0.1:
      1. How many will be detected (True Positives)?
         Ans. 100 x (1 - 0.1) = 90
      2. How many will be missed (False Negatives)?
         Ans. 100 x 0.1 = 10
      "Negative" means there was no Alarm; "Positive" means there was an Alarm. "True" means the decision to issue an alarm was correct; "False" means the decision was incorrect.
      * The "Fallacy" comes from ignoring the fact that there are many more "good" connections (the Base Rate) than "bad," and thus concluding that a False Positive Rate as large as, say, 0.0001 would lead to satisfactory operation.
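An added example (not from the lecture) that carries the arithmetic of slides 15 to 17 into reusable form: it computes the four outcome counts from the base rates and the FPR/FNR, reports what fraction of alarms are real, and inverts the relation to find the largest FPR an IDS may have before false alarms swamp real ones. The function names are my own.

```python
from dataclasses import dataclass


@dataclass
class Outcomes:
    true_pos: float   # bad connections that raised an alarm (real alarms)
    false_neg: float  # bad connections that raised no alarm (missed intrusions)
    false_pos: float  # good connections that raised an alarm (false alarms)
    true_neg: float   # good connections that raised no alarm

    @property
    def alarms(self):
        return self.true_pos + self.false_pos

    @property
    def precision(self):
        """Fraction of all alarms that are real intrusions (0 if there are none)."""
        return self.true_pos / self.alarms if self.alarms else 0.0


def ids_outcomes(good, bad, fpr, fnr):
    """Expected counts for one period, using the slide's identities
    TNR = 1 - FPR and TPR = 1 - FNR."""
    return Outcomes(true_pos=bad * (1 - fnr), false_neg=bad * fnr,
                    false_pos=good * fpr, true_neg=good * (1 - fpr))


def max_fpr_for_precision(good, bad, fnr, target):
    """Largest FPR at which at least `target` of all alarms are real:
    TP / (TP + FP) >= target  <=>  FP <= TP * (1 - target) / target,
    with FP = FPR * good. Shows how far below bad/good the FPR must sit."""
    true_pos = bad * (1 - fnr)
    return true_pos * (1 - target) / (target * good)
```

With the slide-17 numbers, only 90 of 1090 alarms per day are real; for half the alarms to be real the FPR would have to fall to 9e-6, roughly a tenth of the bad/good ratio.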

  18. Distributed Host-Based IDS
      Highly recommended for critical servers and PCs. Modules must be installed and configured on hosts.
      Examples: Okena (Cisco), ISS Desktop Proventia

  19. Signature-Based IDS
      Data Packets are compared to a growing library of known attack signatures. These include port numbers or sequence numbers that are fixed in the exploit application, and sequences of characters that appear in the data stream. Packet streams must be assembled and searched, which reduces the maximum possible data rate on the link being observed.

  20. Six “Signatures” from the Snort Database www.snort.org
      alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg: "IDS411 - RealAudio-DoS"; flags: AP; content: "|fff4 fffd 06|";)
      alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS362 - MISC - Shellcode X86 NOPS-UDP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|";)
      alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS359 - OVERFLOW-NOOP-HP-TCP2";flags:PA; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";)
      alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS345 - OVERFLOW-NOOP-Sparc-TCP";flags:PA; content:"|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";)
      alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS355 - OVERFLOW-NOOP-Sparc-UDP2"; content:"|a61c c013 a61c c013 a61c c013 a61c c013|";)
      alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS291 - MISC - Shellcode x86 stealth NOP"; content: "|eb 02 eb 02 eb 02|";)
      Other systems: “Dragon”, ISS RealSecure, Arbor
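To show what the signature matching of slides 19 and 20 actually does, here is an added example (not Snort's own code): a minimal parser for the rule header and options above, a decoder for the |hex| content syntax, and a matcher that tests a packet's protocol, destination port and payload against three of the six rules copied verbatim from the slide. Address variables and TCP flags are assumed to be checked elsewhere; the sample payloads are constructed.

```python
import re

# Three of the six rules shown on the slide, copied verbatim
RULES_TEXT = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg: "IDS411 - RealAudio-DoS"; flags: AP; content: "|fff4 fffd 06|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS362 - MISC - Shellcode X86 NOPS-UDP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS291 - MISC - Shellcode x86 stealth NOP"; content: "|eb 02 eb 02 eb 02|";)
'''

HEADER = re.compile(r"alert (\w+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$")


def content_to_bytes(spec):
    """Decode a Snort content string: text outside |...| is literal, text inside
    is space-separated hex bytes (the "|fff4 fffd 06|" form used on the slide)."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out


def parse_rules(text):
    """Parse the rule header (action, protocol, addresses, ports) and the
    key: value options in parentheses; 'content' is converted to bytes."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line.strip())
        if not m:
            raise ValueError("unparsed rule: " + line)
        proto, src, sport, dst, dport, opts = m.groups()
        rule = {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}
        for opt in opts.split(";"):
            if opt.strip():
                key, _, val = opt.partition(":")
                rule[key.strip()] = val.strip().strip('"')
        rule["content"] = content_to_bytes(rule["content"])
        rules.append(rule)
    return rules


def match_packet(rules, proto, dport, payload):
    """Return the msg of every rule whose protocol, destination port and content
    all match. Address variables and TCP flags are assumed to be checked
    elsewhere; this matcher only models the payload search."""
    hits = []
    for rule in rules:
        if rule["proto"] != proto:
            continue
        if rule["dport"] != "any" and int(rule["dport"]) != dport:
            continue
        if rule["content"] in payload:       # substring search of the reassembled stream
            hits.append(rule["msg"])
    return hits
```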

  21. Signature-Based Intrusion Detection Systems May Not Detect New Types of Attack
      [Figure: "Attacks with Names" (Back Orifice, Land Attack, Win Nuke, IP Blob, Trino) lie inside the area where the IDS alarms on activities; "Attacks without Names (not analyzed yet)" lie outside it]

  22. Flow-Based Technology (NBAD - Network Behavior Analysis Detection) recognizes normal traffic to detect new types of intrusions.
      [Figure: "Normal Network Activities" (FTP, Web, NetBIOS, Email) are separated from both "Attacks with Names" (Back Orifice, Land Attack, Win Nuke, IP Blob, Trino) and "Attacks without Names (not analyzed yet)"; the system alarms on activities in these latter areas]
      Example: Lancope’s “StealthWatch”

  23. Flow-based Behavioral Analysis
      A “Flow” is the stream of packets from one host to another related to the same service (e.g., Web, email, telnet, …). Data in packet headers is used to build up counts (leads to high speed). After the flow is over, the counters are analyzed and a value is derived for the probability* that the flow was crafted, perhaps for probing the network for vulnerabilities or for denial of service.
      * Based on heuristic rules, not statistical analysis.
      Flow-Statistics Counters: Number of Packets; Number of Total Bytes; Number of Data Bytes; Start Time of Flow; Stop Time of Flow; Duration of Flow; Flag-Bit True-False Combo; Fragmentation Bits; ICMP Packet Responses to UDP Packets
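An added example, not StealthWatch's or the lecture's code, of the flow-building step on slide 23: packet-header records are grouped into flows keyed by source, destination, protocol and destination port, the counters listed on the slide are accumulated, and a few heuristic rules (assumed weights, my own) score a finished flow. The packet records are constructed: a normal web exchange and a one-byte UDP probe answered by ICMP port-unreachable, modelled on the probes described on slide 28.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Flow:
    packets: int = 0
    total_bytes: int = 0
    data_bytes: int = 0
    start: float = None
    stop: float = None
    flag_combos: set = field(default_factory=set)  # distinct TCP flag combinations seen
    icmp_unreachable: int = 0  # ICMP port-unreachable replies quoting this flow's UDP packets

    @property
    def duration(self):
        return self.stop - self.start


# Constructed packet-header records (not a capture): a normal web session and a
# single one-byte UDP probe answered by ICMP port-unreachable.
SAMPLE_PACKETS = [
    {"t": 1.00, "src": "10.1.1.5", "dst": "10.1.1.9", "proto": "tcp", "dport": 80, "len": 60, "data": 0, "flags": "S"},
    {"t": 1.03, "src": "10.1.1.5", "dst": "10.1.1.9", "proto": "tcp", "dport": 80, "len": 352, "data": 300, "flags": "PA"},
    {"t": 5.00, "src": "10.9.9.9", "dst": "10.1.1.9", "proto": "udp", "dport": 31789, "len": 29, "data": 1},
    {"t": 5.01, "src": "10.1.1.9", "dst": "10.9.9.9", "proto": "icmp", "type": "port-unreach", "len": 58, "data": 0,
     "quoted": {"src": "10.9.9.9", "dst": "10.1.1.9", "dport": 31789}},
]


def build_flows(packets):
    """Group header records into flows keyed by (src, dst, proto, dst_port).
    An ICMP unreachable is credited to the UDP flow it quotes, not to a flow of its own."""
    flows = defaultdict(Flow)
    for p in packets:
        if p["proto"] == "icmp" and p.get("type") == "port-unreach":
            q = p["quoted"]  # header of the UDP packet carried in the ICMP body
            flows[(q["src"], q["dst"], "udp", q["dport"])].icmp_unreachable += 1
            continue
        f = flows[(p["src"], p["dst"], p["proto"], p.get("dport"))]
        f.packets += 1
        f.total_bytes += p["len"]
        f.data_bytes += p["data"]
        f.start = p["t"] if f.start is None else min(f.start, p["t"])
        f.stop = p["t"] if f.stop is None else max(f.stop, p["t"])
        if "flags" in p:
            f.flag_combos.add(p["flags"])
    return dict(flows)


def crafted_score(flow):
    """Heuristic 0..1 score that a finished flow was crafted rather than normal
    service traffic. Rules and weights are assumptions for this example."""
    score = 0.0
    if flow.packets == 1 and flow.data_bytes <= 2:
        score += 0.4  # a single tiny packet is a probe, not a service exchange
    if flow.icmp_unreachable:
        score += 0.3  # nothing was listening on the port it aimed at
    if flow.flag_combos & {"", "SF", "FPU"}:
        score += 0.3  # null, SYN+FIN and "Xmas" combinations never occur in real sessions
    return min(score, 1.0)
```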

  24. Zone Protection
      One of the Zones could be a Dark (Sinkhole*) Net.
      * monitored block of IP addresses with no hosts

  25. StealthWatch screen

  26. IDS Types Should be Combined
      Host-Based: Can detect misuse of OS access and file permissions.
      Signature-Based: Can detect attacks embedded in network data - if the signature is known.
      Anomaly-Based: On host or network. Can detect new types, but high false alarm rate.
      Flow-Based (NBAD): Can detect new types of attacks by network activity. Should be used with Host-Based and Signature-Based.
      One of my three rules: Multiple layers of protection are needed to optimize security, for a given cost.

  27. The Stages of a Network Intrusion [RAERU]
      1. Scan the network to: [RECONNAISSANCE]
         • locate which IP addresses are in use,
         • what operating system is in use,
         • what TCP or UDP ports are “open” (being listened to by Servers).
      2. Run “Exploit” scripts against open ports. [ACCESS]
      3. Elevate privileges to “root” privileges. [ELEVATE]
      4. Download from a Hacker Web site special versions of system files that will let the Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. [ROOT KIT]
      5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the computer and its info another way. [UTILIZE]
      Detection methods annotated beside the stages on the slide (* = StealthWatch): Flow-based* "CI", signature-based? / Vulnerability Scan, Signature?, Flow-Based Port Profile* / Host-based / Signature?, "Port-Profile*", Forbidden Zones*, Host-based / Signature?, "Port-Profile*", Forbidden Zones*, Host-based

  28. Detection of the “Mac Attack” DDoS Plan
      Type "A" Probes (detected by John Copeland in Dec. 1999)
      The first three UDP probes, which started my investigation, had a single character in the data field, an 'A'. The UDP port numbers were identical, 31790->31789. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port Packets. The Echo-Request is never answered.
      Date        Time EST  Source IP (Place)               Destination (Place)
      1999-12-28  18:40     151.21.82.251 (Italy)           24.88.48.47 (Atlanta, GA)
      1999-12-10  18:28     152.169.145.206 (AOL)           24.88.48.47 (Atlanta, GA)
      1999-12-16  03:34     212.24.231.131 (Saudi Arabia)   24.88.48.47 (Atlanta)
      UDP packets with an empty data field, like those generated by the "nmap" scan program, do not stimulate the 1500-byte ICMP packets from an OS-9 Macintosh (at least one character of data was required).
      http://users.ece.gatech.edu/~copeland/jac/macattack/index.html
      http://users.ece.gatech.edu/~copeland/jac/ajc_mac_hacker.html
      http://users.ece.gatech.edu/~copeland/jac/macattack/fox-news.mov

  29. 2nd Generation, “Mac Attack” Scanning
      "Double-zero" Probes (James Bond, "00" -> "license to kill"), detected in Dec. 1999.
      I had now seen 3 UDP type "00" probes, and had another "00" probe reported from Kansas. These probes use a single UDP packet, two bytes of data (ascii zeroes) and identical UDP port numbers, 60000->2140. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port Packets. The Echo-Request is never answered.
      1999-12-20  07:04  195.229.024.212 (Arab Emirates*)      to 24.88.48.47 (Atlanta, GA)
      1999-12-21  08:04  195.229.024.213 (Arab Emirates*)      to 24.88.48.47 (Atlanta, GA)     *DNS name: cwa129.emirates.net.ae
      1999-12-25  09:39  212.174.198.29 (Turkey)               to 24.94.xxx.xxx (Wichita, Kansas)  *DNS: none
      1999-12-31  05:35  195.99.56.179 (Manchester, UK*)       to 14.88.xx.xx (Atlanta, GA)      *DNS name: manchester_nas11.ida.bt.net
      2000-01-04  05:08  24.94.80.152 (Road Runner, Hawaii)    to 24.94.xxx.xxx (Wichita, Kansas)  *DNS name: a24b94n80client152.hawaii.rr.com
      2000-01-06  04:48  195.44.201.41 (cwnet, NJ)             to 24.88.xx.xxx (Atlanta, GA)     *DNS name: ad11-s16-201-41.cwci.net

  30. Drawing from Atlanta Journal-Constitution article, Dec. 1999. Full details at www.csc.gatech.edu/macattack/

  31. traceroute (tracert) to find location of IP Address
      Start: 11/21/99 11:07:40 PM
      Find route from: 24.88.48.47 to: www.orbicom.com. (196.28.160.129), Max 30 hops, 40 byte packets
      Host Names truncated to 32 bytes
       1  24.88.48.1 (24.88.48.1 ): 17ms 17ms 16ms
       2  24.88.3.21 (24.88.3.21 ): 18ms 19ms 18ms
       3  24.93.64.69 (24.93.64.69 ): 17ms 18ms 17ms
       4  24.93.64.61 (24.93.64.61 ): 19ms 17ms 18ms
       5  24.93.64.57 (24.93.64.57 ): 25ms 25ms 23ms
       6  sgarden-sa-gsr.carolina.rr.com. (24.93.64.30 ): 26ms 27ms 27ms
       7  roc-gsr-greensboro-gsr.carolina. (24.93.64.17 ): 28ms 28ms 30ms
       8  roc-asbr-roc-gsr.carolina.rr.com (24.93.64.6 ): 30ms 32ms 30ms
       9  12.127.173.205 (12.127.173.205 ): 40ms 39ms 39ms
      10  gbr2-a30s1.wswdc.ip.att.net. (12.127.1.30 ): 38ms 40ms 39ms
      11  gr2-p3110.wswdc.ip.att.net. (12.123.8.246 ): 278ms 40ms 39ms
      12  att-gw.washdc.teleglobe.net. (192.205.32.94 ): 41ms 43ms 42ms
      13  if-7-2.core1.newyork.teleglobe.n (207.45.222.145 ): 45ms 46ms 45ms
      14  if-0-0-0.bb3.newyork.teleglobe.n (207.45.221.69 ): 45ms 47ms 49ms
      15  ix-1-1-1.bb3.newyork.teleglobe.n (207.45.199.202 ): 50ms 46ms 50ms
      16  196.30.121.243 (196.30.121.243 ): 44ms 48ms 45ms
      17  fe0-0.cr3.ndf.iafrica.net. (196.31.17.26 ): 635ms 632ms 633ms
      18  atm6-0sub300.cr1.vic.iafrica.net (196.30.121.81 ): 641ms 640ms 644ms
      19  196.30.200.6 (196.30.200.6 ): 643ms 640ms 643ms
      20  196.4.162.86 (196.4.162.86 ): 662ms 659ms 664ms
      21  www.orbicom.com. (196.28.160.129 ): 663ms 658ms 664ms
      Trace completed 11/21/99 11:08:25 PM

  32. "host" (newer "nslookup") and "whois" utilities
      jac:/Users/copeland root# host www.orbicom.com
      www.orbicom.com has address 196.31.129.146
      jac:/Users/copeland # whois www.orbicom.com     [ERROR]
      Whois Server Version 1.3
      Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.
      No match for "WWW.ORBICOM.COM".
      jac:/Users/copeland # whois orbicom.com
      …
      Registrant:
      Multichoice Africa
      P O Box 1502, Randburg, Gauteng 2125
      ZA [Zaire]

  33. "host" and "whois" data put into email Alarm Message
      Alarm: - Port Flood Attack -
      Host: 200.56.54.65 No DNS Name
      Victim: 130.207.125.134 pat.gatech.edu
      Time: Mon Jan 3 19:27:31 EST 2005 Serial No. 300482
      Port Flood Attack : Indicates that the suspect IP has attempted to connect on an excessive number of ports on the 'victim IP'. This may be indicative of a denial of service attack or an aggressive scan by the suspect IP.
      --- whois 200.56.54.65 ---
      [Querying whois.lacnic.net]
      [whois.lacnic.net]
      By submitting a whois query, you agree to use this data only for legal purposes only.
      % 2005-01-03 22:27:32
      inetnum: 200.55.0/18
      status: allocated
      owner: Impisat Argentina
      ownerid: AR-IMAR3-LACNIC
      responsible: Christian O_Flaulant
      address: Alferez Parediso, 256,
      address: 1107 - Buenos Aires -
      country: AR
      phone: +54 11 51701234
      nslastaa: 20041230
      created: 20001121
      changed: 20010926
      nic-hdl: CHO
      person: Christian OFlaulant
      e-mail: coflaulant@IMPISAT.COM.AR
      address: Alferez Pareja, 128,
      address: 3207 - Buenos Aires -
      country: AR
      phone: +54 11 51704600

  34. Try http://www.geektools.com
