Basic Elements of Attacks and Their Detection

1. Basic Elements of Attacks and Their Detection

2. Contents • Elements of TCP/IP addressing • Layers in Internet communication • Phases of an attack

3. Elements of TCP/IP addressing • IP address • IPv4: a 32 bit number usually presented as 4 dotted fields – field1.field2.field3.field4 • Example: 194.147.191.31 • IPv6: a 128 bit number arranged as 8 groups of 16 bits each separated by colons. • Example: 00DC:BA02:5644:A201:1FAB:BA5C:7000:001D • Multiple 0s can be replaced by double colon • All IPv4 addresses fit in the rightmost 8 digits of an IPv6 address, e.g. IPv6 ::C293:BF1F is IPv4 194.147.191.31 (C2hex=19410 etc.)

4. Elements of TCP/IP addressing • Encapsulation is extensively used in packet data transmission • A lower level protocol is seen as data at the immediately higher level • These levels are called layers.

5. Layers in Internet communication • Layers relevant for Internet packet communication • Hardware (link) layer • IP layer • Protocol (transport) layer • Application layer

6. Layers in Internet communication • Hardware (link) layer • Interfaces with the network hardware (e.g. Ethernet, IEEE 802.11 etc.) • Packets physically sent/received • Handles specific information about the local hardware (e.g. MAC address).

7. Layers in Internet communication • IP layer • Implements the IP protocol • Reads IP addresses • IP is unreliable: no guarantee whatsoever that a packet will arrive • Packets may be broken into fragments if necessary and this layer handles the fragmentation.

8. Layers in Internet communication • IP header

9. Layers in Internet communication • IP header fields • Version (4 bits): IP version number (4 or 6). • Length (4 bits): number of 4-byte words in the header (maximum 60 bytes). • Type of service (1 byte): routing preference: • Minimize delay • Maximize throughput • Maximize reliability • Minimize monetary cost.

10. Layers in Internet communication • IP header fields (cont.) • Total Packet Length (2 bytes): total number of bytes of the IP datagram. • Identification (2 bytes): unique identifier for the packet. • Flags (3 bits): flags indicating fragmentation status. • Fragment Offset (13 bits): offset of fragmented packet.

11. Layers in Internet communication • IP header fields (cont.) • Time to Live (1 byte): how many routers to allow the packet to traverse. • Protocol (1 byte): code indicating what protocol is used in the protocol header. • Header Checksum (2 bytes): error checking code to ensure the packet is not corrupted in transit.

12. Layers in Internet communication • IP header fields (cont.) • Source IP Address (4 bytes): address of the source host. • Destination IP Address (4 bytes): address of the destination host. • Options: rarely used nowadays and often not implemented at all.

13. Layers in Internet communication • Protocol (transport) layer • Reliability of communication is implemented here. • TCP, UDP or ICMP may be implemented at this level, unlike the IP layer where only IP packets may exist.

14. Layers in Internet communication • TCP protocol • Provides a reliable mode of communication between applications • Implements “ports” • Two-way communication • Implements a communication “channel” with mechanisms to ensure packets arrive or are resent as needed. • Web, ftp, telnet, SSH, E-mail use TCP.

15. Layers in Internet communication • TCP header

16. Layers in Internet communication • TCP header fields • Source Port (2 bytes): communications port number • Destination Port (2 bytes): communications port number for the destination application • Sequence Number (4 bytes): unique number for the packet (they are sequential in the session)

17. Layers in Internet communication • TCP header fields (cont.) • Acknowledgement Number (4 bytes): like the sequence number. • Length (4 bits): length of the header in 4 byte words. • Reserved (6 bits): reserved bits. • Flags (6 bits): flags controlling the communications session.

18. Layers in Internet communication • TCP header fields (cont.) • Window Size (2 bytes): number of bytes in the transfer buffer. • Checksum (2 bytes): checksum for the TCP header. • Urgent Pointer (2 bytes): control for emergency aborts. • Options: various options.

19. Layers in Internet communication • UDP protocol • Provides a mode of communication between applications • Each packet has a “port” number that indicates the application • Does not implement any guarantees of service. • One way communication • Applications must implement necessary checks.

20. Layers in Internet communication • UDP header

21. Layers in Internet communication • UDP header fields • Source Port (2 bytes): communications port number; 65,536 possible values • Destination Port (2 bytes): communications port number for the destination application; usually fixed for given applications (80 - Web) • Length (2 bytes): total length of the UDP datagram in bytes • Checksum (2 bytes): checksum for the UDP header.

22. Layers in Internet communication • ICMP protocol • The control and error message mechanism for the Internet • Each packet has a type/code indicator telling what kind of information is in the packet • Different types of ICMP packets have slightly different headers/data • Automatically generated (almost always).

23. Layers in Internet communication • ICMP header – ordinary • ICMP header – echo request/reply

24. Layers in Internet communication • ICMP header fields • Type (1 byte): type of control message the packet represents (0 – echo reply, 8 – echo request, 3 – destination unreachable etc.) • Code (1 byte): indicator of what sub-type of message the packet contains • Checksum (2 bytes): checksum for the ICMP header.

25. Layers in Internet communication • Application layer • Applications run at this level, i.e. application protocols are implemented here • Common applications: • Web • ftp • E-mail • telnet • SSH • ...

26. Layers in Internet communication • Protocol headers give information about: • source and destination • protocol details • application • The data give information about: • login, password information • commands attempted • files accessed.

27. Phases of an attack • Four phases in the attacking process: • Planning phase • Reconnaissance phase • Attack phase • Post attack phase. • The attack process is in general cyclic • After completing an attack, another attack is planned – an extension of the previous one.

28. Phases of an attack

29. Phases of an attack • Planning phase • Can take many different forms. • The attacker often makes use of the system in its intended manner before making the attack. • Example: the attacker may sign up for an account on an online e-commerce system or log onto a public server. • This type of publicly available legitimate access helps the attacker define the scope and goals of the attack.

30. Phases of an attack • Planning phase (cont.) • After the initial preparation is complete, the attacker decides on the scope of the attack. • The attacker may have various goals: • Denial of service • Escalation of legitimate privileges • Unauthorized access • Data manipulation • The motivation behind an attack often dictates which of these goals are chosen.

31. Phases of an attack • Reconnaissance phase • The attacker next gathers information or performs reconnaissance on the targeted network. • The attacker carries out a variety of different inquiries with the goal of pinpointing a specific method of attack (port scanning etc.) • The goal of the attacker in this phase is to narrow down the field of thousands of possible exploits to a small number of vulnerabilities that are specific to the targeted host/network.

32. Phases of an attack • Reconnaissance phase (cont.) • The attacker attempts to make this reconnaissance as hard to notice as possible. • Even so, there are many different means of reconnaissance and some of them can be detected by an intrusion detection system. • Sources of information for the attacker: • Legitimate public data (forums, public databases, public monitoring tools, etc.) • Vulnerability scanning (ping, TCP connect, OS and version scanning, etc.)

33. Phases of an attack • Attack phase • The traffic generated from attacks can take many different forms. • Types of attacks: • Denial of service • Remote exploits • Trojans and backdoor programs • Misuse of legitimate access

34. Phases of an attack • Attack phase (cont.) • Denial of service (DoS) • Any attack that disrupts the function of a system so that legitimate users can no longer access it. • Possible on most network equipment: routers, servers, firewalls, remote access machines, etc. • Can be specific to a service (e.g. FTP attack), or an entire machine. • Categories of DoS • Resource depletion • Malicious packet attacks.

35. Phases of an attack • Attack phase (cont.) • Denial of service (DoS) (cont.) • Resource depletion DoS attack • Functions by flooding a service with so much normal traffic that legitimate users cannot access the service. • An attacker inundating a service with normal traffic can exhaust finite resources such as bandwidth, memory and processor cycles. • Examples: SYN flood, Smurf, etc.

36. Phases of an attack • Attack phase (cont.) • Denial of service (DoS) (cont.) • Malicious packet DoS attacks • Function by sending abnormal traffic to a host to cause the service or the host itself to crash. • Occur when software is not properly coded to handle abnormal or unusual traffic. • Such traffic can cause software to react unexpectedly and crash. • Attackers can use these attacks to bring down even IDS. • Examples: Microsoft FTP DoS, SNORT ICMP DoS, etc.

37. Phases of an attack • Attack phase (cont.) • Denial of service (DoS) (cont.) • Malicious packet DoS attacks (cont.) • In addition to unusual traffic, malicious packets can contain payloads that cause a system to crash. • A packet's payload is taken as input into a service. • If this input is not properly checked, the application can be brought down.

38. Phases of an attack • Attack phase (cont.) • Denial of service (DoS) (cont.) • DoS attacks commonly utilize spoofed IP addresses because the attack is successful even if the response is misdirected. • The attacker requires no response, and in cases like the Smurf attack, wants at all costs to avoid a response. • This can make DoS attacks difficult to defend from, and even more difficult to detect.

39. Phases of an attack • Attack phase (cont.) • Remote exploits • Attacks designed to take advantage of improperly coded software to compromise and take control of a vulnerable host. • Can function in the same manner as the malicious payload traffic DoS attacks. • Take advantage of improperly checked input or configuration errors. • Examples: buffer overflow, Unicode exploit, Cookie poisoning, SQL injection, etc.

40. Phases of an attack • Attack phase (cont.) • Trojans and Backdoor programs • By installing a backdoor program or a Trojan, an attacker can bypass normal security controls and gain privileged unauthorized access to a host. • A backdoor program can be deployed on a system in a variety of different ways. E.g. a malicious software engineer can add a backdoor program into legitimate software code. • Backdoor programs might be added for legitimate maintenance reasons in the software development life cycle, but later forgotten.

41. Phases of an attack • Attack phase (cont.) • Trojans and Backdoor programs (cont.) • A Trojan is defined as software that is disguised as a benign application. • Remote control Trojans typically listen on a port like a genuine application. • Through this open port, an attacker controls them remotely. • Trojans can be used to perform any number of functions on the host.

42. Phases of an attack • Attack phase (cont.) • Trojans and Backdoor programs (cont.) • Some Trojans include portscanning and DoS features. • Others can take screen and Webcam captures and send them back to the attacker. • Trojans and backdoor programs have traditionally listened on a TCP or UDP port, making it easy to detect them and undertake countermeasures.

43. Phases of an attack • Attacks phase (cont.) • Trojans and Backdoor programs (cont.) • Because of that, Trojans have evolved so they no longer need to listen on a TCP or UDP port. • Instead, they listen for a specific sequence of events before processing commands. • It may be a combination of predetermined source addresses, TCP header information, or false destination ports that do not match to a listening service.

44. Phases of an attack • Attack phase (cont.) • Misuse of Legitimate Access • Attackers often attempt to gain unauthorized use of legitimate accounts by getting authentication information. • This can be performed by means of technical and/or social engineering methods. • IDS, especially the anomaly detection ones, may be used to detect such activities.

45. Phases of an attack • Post-attack phase • After an attacker has successfully penetrated into a host on the targeted network, further actions he will take are in general unpredictable. • In this phase, the attacker carries out his plan and makes use of information resources as he considers appropriate.

46. Phases of an attack • Post-attack phase • Possible post-attack activities: • Covering tracks • Penetrating deeper into network infrastructure • Using the host to attack other networks • Gathering, manipulating, or destroying data • Handing over the host to a friend or a hacker group • Walking or running away without doing anything.