ECE8843 - PowerPoint PPT Presentation

Slides: 27
Provided by: JohnCo66

Transcript and Presenter's Notes

Slide 1

ECE-8843 http://www.csc.gatech.edu/copeland/jac/8843/
Prof. John A. Copeland john.copeland_at_ece.gatech.edu
404 894-5177 fax 404 894-0035
Office GCATT Bldg 579 (email or call for office visit, or call Kathy Cheek, 404 894-5696)

Chapter 9 - Network Intrusion

Slide 2

Network Intruders

Masquerader: A person who is not authorized to use a computer, but gains access appearing to be someone with authorization (steals services, violates the right to privacy, destroys data, ...).

Misfeasor: A person who has limited authorization to use a computer, but misuses that authorization (steals services, violates the right to privacy, destroys data, ...).

Clandestine User: A person who seizes supervisory control of a computer and proceeds to evade auditing and access controls.

Hacker: generic term for someone who does unauthorized things with other people's computers (also a poor golfer, tennis player, or programmer good at quick and dirty code).

Slide 3

Access Control

Today almost all systems are protected only by a simple password that is typed in, or sent over a network in the clear.

Techniques for guessing passwords:
1. Try default passwords.
2. Try all short words, 1 to 3 characters long.
3. Try all the words in an electronic dictionary (60,000).
4. Collect information about the user's hobbies, family names, birthday, etc.
5. Try the user's phone number, social security number, street address, etc.
6. Try all license plate numbers (123XYZ).

Prevention: Enforce good password selection (c0p31an6 - not great, wduSR-wmHb365 - better).

Slide 4

Password Gathering

Look under the keyboard, telephone, etc.
Look in the Rolodex under X and Z.
Call up pretending to be from micro-support, and ask for it.
Snoop a network and watch the plaintext passwords go by.
Tap a phone line - but this requires a very special modem.
Use a Trojan Horse program to record keystrokes.

Slide 5

UNIX Passwords

(Diagram of how a UNIX password entry is formed.)
User's password (should be required to have 8 characters, some non-letters)
+ Random 12-bit number (salt)
-> DES encrypted to 11 viewable characters

In the traditional crypt(3) scheme the password is used as the DES key, the 12-bit salt perturbs the DES expansion permutation, and the result is encoded as 11 printable characters. The salt itself is stored in the clear as two printable characters in front of those 11, which is why the field in the password file is 13 characters long.

Slide 6

Storing UNIX Passwords

Until a few years ago, UNIX password hashes were kept in a publicly readable file, /etc/passwd. Now they are kept in a shadow file (/etc/shadow) readable only by root. This helps prevent a reverse-lookup dictionary attack, because the attacker must first obtain the hashes before candidate passwords can be tested against them.

Salt:
prevents duplicate passwords from being easily seen as such (two users with the same password get different hashes).
prevents use of standard reverse-lookup dictionaries (a different dictionary would have to be generated for each value of the salt, 4096 of them for a 12-bit salt).
does not effectively increase the length of the password (the salt is stored in the clear next to the hash, so guessing any one account costs the same per candidate as it would without salt).

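The guessing order of slide 3 and the three salt properties of slides 5 and 6, worked through as an added example (this is not code from the slides; the `hash_password` layout imitates crypt(3) with a 12-bit salt stored in the clear, but SHA-256 stands in for DES, and the default-password list and dictionary are constructed stand-ins for the real lists):

```python
import hashlib
import itertools
import secrets
import string

SALT_BITS = 12                 # crypt(3) salt size, as on slide 5
SALT_SPACE = 1 << SALT_BITS    # 4096 possible salt values

# Constructed stand-ins for the guessing sources on slide 3; a real run would use a
# vendor default-password list and a 60,000-word electronic dictionary.
DEFAULT_PASSWORDS = ["", "admin", "root", "guest", "password"]
DICTIONARY = ["apple", "dragon", "letmein", "copeland", "atlanta", "secret"]


def hash_password(password: str, salt: int) -> str:
    """Salted hash stored in the crypt(3) layout: salt in the clear, then the digest.

    Assumption: SHA-256 stands in for the DES-based crypt(3). The example depends
    only on the salt being mixed in before hashing and stored beside the result.
    """
    if not 0 <= salt < SALT_SPACE:
        raise ValueError("salt must fit in 12 bits")
    digest = hashlib.sha256(f"{salt:04d}${password}".encode()).hexdigest()
    return f"{salt:04d}${digest}"


def new_salt() -> int:
    """Random 12-bit salt for a new password entry."""
    return secrets.randbelow(SALT_SPACE)


def guess_sequence(user_info=()):
    """Candidates in the order slide 3 lists them: defaults, all 1-3 letter strings
    (lowercase only here), the dictionary, then the user's personal details."""
    yield from DEFAULT_PASSWORDS
    for n in range(1, 4):
        for letters in itertools.product(string.ascii_lowercase, repeat=n):
            yield "".join(letters)
    yield from DICTIONARY
    yield from user_info


def build_reverse_table(words, salt: int) -> dict:
    """Precomputed hash -> password table. It is valid for ONE salt value only, so
    an attacker needs 4096 such tables to cover a 12-bit salt."""
    return {hash_password(w, salt): w for w in words}


def reverse_lookup(stored: str, table: dict):
    """Instant lookup of a stolen hash; None unless the table used the same salt."""
    return table.get(stored)


def online_guess(stored: str, user_info=()):
    """Guess one account once its hash is in hand (as from a world-readable /etc/passwd).

    The salt is read from the stored entry, so it adds no work per candidate: this
    is why slide 6 says salt does not effectively lengthen the password.
    Returns (password or None, number of candidates hashed).
    """
    salt = int(stored.split("$", 1)[0])
    tried = 0
    for candidate in guess_sequence(user_info):
        tried += 1
        if hash_password(candidate, salt) == stored:
            return candidate, tried
    return None, tried
```

A reverse table built for one salt finds a password instantly, the same table built for another salt finds nothing, and `online_guess` needs exactly as many hashes whatever the salt is: salt defeats precomputation, not per-account guessing. That is the argument for shadowing the hashes as well as salting them.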
Slide 7

The Stages of a Network Intrusion

1. Scan the network to locate which IP addresses are in use, what operating system is in use, and what TCP or UDP ports are open (being listened to by servers).
2. Run exploit scripts against open ports.
3. Get access to a shell program which is suid (has root privileges).
4. Download from a hacker web site special versions of system files (a rootkit) that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast.

Slide 8

nmap -sS -P0 -vv -p 21,22,25,110,443 209.162.185.100

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host jacsw (209.162.185.100) appears to be up ... good.
Initiating SYN Stealth Scan against victim (209.162.185.100)
Adding open port 22/tcp
Adding open port 443/tcp
The SYN Stealth Scan took 4 seconds to scan 5 ports.
Interesting ports on jacsw (209.162.185.100):
Port     State     Service
21/tcp   filtered  ftp       (response blocked by firewall)
22/tcp   open      ssh       (tcp port 22 open)
25/tcp   filtered  smtp
110/tcp  filtered  pop-3
443/tcp  open      https
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

telnet 209.162.185.100 22       (telnet can connect to any port; here we specified port 22)
Trying 209.162.185.101...
Connected to 209.162.185.100.
SSH-2.0-OpenSSH_3.1p1           (response shows SSH version)

Notes: -sS is a half-open SYN scan and needs raw-socket privileges; -P0 skips the ping sweep (spelled -Pn in current nmap); -vv is very verbose. Two of nmap's port states appear here: open (SYN/ACK came back) and filtered (no reply at all, so something dropped the probe). The third, closed, means a RST came back and is not shown.

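The two steps on this slide, probing ports and then reading the service banner, as an added example that is not from the slides or from nmap. It uses a full TCP connect (nmap's -sT) rather than the half-open -sS, because that needs no raw sockets, and it talks to a constructed loopback stand-in for 209.162.185.100 that sends the same SSH identification string, so it runs offline:

```python
import socket
import threading

SSH_BANNER = b"SSH-2.0-OpenSSH_3.1p1\r\n"   # constructed, copied from the slide's telnet output


def start_fake_ssh_server(banner: bytes = SSH_BANNER):
    """Constructed stand-in for the scanned host: a loopback listener that sends an
    SSH identification string to every client, as sshd does before authenticating.
    Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:           # server socket closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host: str, port: int, timeout: float = 1.0):
    """Full TCP connect probe of one port, reporting the states nmap shows on slide 8:
      open     - handshake completed; any greeting the service sends is returned
      closed   - a RST came back, nothing is listening
      filtered - no answer within the timeout, so a firewall dropped the SYN
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", b""
    except OSError:                   # timeout or unreachable
        s.close()
        return "filtered", b""
    try:
        banner = s.recv(256)          # the "telnet host 22" step: read the greeting
    except OSError:
        banner = b""
    finally:
        s.close()
    return "open", banner


def scan(host: str, ports) -> dict:
    """Probe several ports; maps port -> (state, banner)."""
    return {p: probe(host, p) for p in ports}


def closed_loopback_port() -> int:
    """Constructed helper: a loopback port with nothing listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, ssh_port = start_fake_ssh_server()
    for port, (state, banner) in scan("127.0.0.1", [ssh_port, closed_loopback_port()]).items():
        print(f"{port}/tcp {state} {banner.decode(errors='replace').strip()}")
    srv.close()
```

The banner is the interesting part: sshd identifies its exact version before any authentication, which is what lets the cracker pick an exploit script for stage 2 of slide 7. A "filtered" result cannot be produced on loopback, so it is not exercised here; on a real network it is the firewall's silent drop.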
Slide 9

less /var/log/secure

Oct 15 13:45:30 lc1 sshd[12538]: Could not reverse map address 199.77.146.103.
Oct 15 13:46:26 lc1 sshd[12538]: Accepted password for root from 199.77.146.103 port 52388 ssh2
Oct 15 15:05:44 lc1 sshd[12591]: Could not reverse map address 199.77.146.103.
Oct 15 15:05:48 lc1 sshd[12591]: Accepted password for root from 199.77.146.103 port 52438 ssh2
Oct 17 07:34:10 lc1 sshd[13409]: Accepted password for root from 130.207.226.152 port 52613 ssh2
Oct 17 07:49:33 lc1 sshd[13460]: Accepted password for root from 130.207.226.152 port 52615 ssh2
Oct 17 08:02:37 lc1 sshd[13503]: Accepted password for root from 130.207.237.139 port 52616 ssh2
Oct 17 08:10:40 lc1 sshd[13542]: Accepted password for root from 130.207.237.148 port 52617 ssh2
Oct 17 08:26:16 lc1 sshd[13584]: Accepted password for root from 130.207.237.158 port 52618 ssh2
Oct 17 11:52:18 lc1 sshd[13640]: Could not reverse map address 199.77.146.103.
Oct 17 11:52:27 lc1 sshd[13640]: Accepted password for root from 199.77.146.103 port 52639 ssh2

Slide 10

Protection from a Network Intrusion

1. Use a firewall between the local area network and the world-wide Internet to limit access (Chapter 10).
2. Use an IDS (Intrusion Detection System) to detect the cracker during the scanning stage (lock out the IP address, or monitor and prosecute).
3. Use a program like Tripwire on each host to detect when system files are altered, and email an alert to the sys admin.
4. On Microsoft PCs, a program like BlackIce or Zone Alarm is easier to install (and more fun) than learning how to reset all of the Windows default parameters to make the system safe.

Slide 11

(No Transcript)

Slide 12

Anomaly-Based Intrusion Detection

High statistical variation in most measurable network behavior parameters results in a high false-alarm rate.

(Figure: the distributions of a measured parameter for normal and for intrusive traffic overlap, and a Detection Threshold is drawn through the overlap. Normal traffic above the threshold is labelled False Alarms; intrusive traffic below it is labelled Undetected Intrusions. Moving the threshold reduces one only by increasing the other.)

Slide 13

Base-Rate Fallacy

Suppose the accuracy of an IDS is 99%. This means that for every 100 normal events, there will be 1 false positive. Also, for every 100 intrusion events, there will be 99 detects (true positives) and 1 missed detection (false negative). If there are 300,000 normal connections a day, there will be 3000 false alarms. If there is one intrusion per week, there will be a 99% chance of detecting it (if the IDS is still turned on). For detailed math, see Appendix 9A of the textbook (edition 2).

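The slide's numbers carried through Bayes' rule, as an added worked derivation that is not part of the original slides (the weekly totals are the slide's daily figure times seven; $I$ is "this connection is an intrusion" and $A$ is "the IDS alarms"):

\[
P(A \mid I) = 0.99, \qquad P(A \mid \neg I) = 0.01, \qquad
N_{\neg I} = 7 \times 300{,}000 = 2{,}100{,}000 \text{ normal connections per week}, \qquad N_I = 1
\]

Expected alarms per week:

\[
\text{false alarms} = 0.01 \times 2{,}100{,}000 = 21{,}000, \qquad
\text{true alarms} = 0.99 \times 1 = 0.99
\]

Probability that a given alarm is a real intrusion:

\[
P(I \mid A) = \frac{P(A \mid I)\,P(I)}{P(A \mid I)\,P(I) + P(A \mid \neg I)\,P(\neg I)}
= \frac{0.99 \cdot 1}{0.99 \cdot 1 + 0.01 \cdot 2{,}100{,}000}
= \frac{0.99}{21{,}000.99} \approx 4.7 \times 10^{-5}
\]

So about one alarm in 21,000 is real. For half of the alarms to be real the false-positive rate would have to satisfy $P(A \mid \neg I)\,N_{\neg I} = P(A \mid I)\,N_I$, i.e. $P(A \mid \neg I) \approx 0.99 / 2{,}100{,}000 \approx 4.7 \times 10^{-7}$, roughly one false alarm per two million normal connections. The "99% accuracy" figure says almost nothing on its own; the base rate of intrusions sets the requirement.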
Slide 14

Distributed Host-Based IDS

Highly recommended for critical servers.
Modules must be installed and configured on hosts.
Examples: Okena (Cisco), ISS Desktop Proventia

Slide 15

Signature-Based IDS

Data packets are compared to a growing library of known attack signatures. These include port numbers or sequence numbers that are fixed in the exploit application, and sequences of characters that appear in the data stream. Packet streams must be reassembled and searched, which reduces the maximum possible data rate on the link being observed.

Slide 16

Six Signatures from the Snort Database
www.snort.org

alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"IDS411 - RealAudio-DoS"; flags:AP; content:"|fff4 fffd 06|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS362 - MISC - Shellcode X86 NOPS-UDP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS359 - OVERFLOW-NOOP-HP-TCP2"; flags:PA; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS345 - OVERFLOW-NOOP-Sparc-TCP"; flags:PA; content:"|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS355 - OVERFLOW-NOOP-Sparc-UDP2"; content:"|a61c c013 a61c c013 a61c c013 a61c c013|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS291 - MISC - Shellcode x86 stealth NOP"; content:"|eb 02 eb 02 eb 02|";)

Other systems: Dragon, ISS RealSecure, Arbor

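A minimal matcher for the rule fields these six signatures use (protocol, $HOME_NET/$EXTERNAL_NET, ports, flags, content), as an added example that is neither the slides' code nor Snort's. Assumptions: $HOME_NET is taken to be 209.162.185.0/24, the network of the host scanned on slide 8; `flags:` without a modifier is treated as an exact flag set; and the packets are constructed to show one hit per rule family plus the near-misses a signature engine does not catch:

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The six rules from slide 16 in Snort 1.x syntax.
RULES_TEXT = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"IDS411 - RealAudio-DoS"; flags:AP; content:"|fff4 fffd 06|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS362 - MISC - Shellcode X86 NOPS-UDP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS359 - OVERFLOW-NOOP-HP-TCP2"; flags:PA; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS345 - OVERFLOW-NOOP-Sparc-TCP"; flags:PA; content:"|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS355 - OVERFLOW-NOOP-Sparc-UDP2"; content:"|a61c c013 a61c c013 a61c c013 a61c c013|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS291 - MISC - Shellcode x86 stealth NOP"; content:"|eb 02 eb 02 eb 02|";)
"""

HOME_NET = ipaddress.ip_network("209.162.185.0/24")   # assumption: the slide 8 host's network

RULE_RE = re.compile(
    r"^alert (?P<proto>tcp|udp) (?P<src>\S+) (?P<sport>\S+) -> "
    r"(?P<dst>\S+) (?P<dport>\S+) \((?P<opts>.*)\)$")
OPT_RE = re.compile(r'(\w+):\s*"?([^";]*)"?;')


@dataclass
class Rule:
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    content: bytes
    flags: Optional[str]


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    flags: str = ""


def parse_content(raw: str) -> bytes:
    """Snort content syntax: text outside |...| is literal, inside is hex bytes."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rules(text: str):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line}")
        fields = m.groupdict()
        opts = dict(OPT_RE.findall(fields.pop("opts")))
        rules.append(Rule(**fields, msg=opts["msg"], flags=opts.get("flags"),
                          content=parse_content(opts.get("content", ""))))
    return rules


def addr_matches(spec: str, ip: str) -> bool:
    inside = ipaddress.ip_address(ip) in HOME_NET
    if spec == "$HOME_NET":
        return inside
    if spec == "$EXTERNAL_NET":
        return not inside
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if not (port_matches(rule.sport, pkt.sport) and port_matches(rule.dport, pkt.dport)):
        return False
    if rule.flags is not None and set(rule.flags) != set(pkt.flags):   # exact set, no +/* modifier
        return False
    return rule.content in pkt.payload      # b"" is in everything, so content-less rules pass


def alerts(rules, pkt: Packet):
    return [r.msg for r in rules if rule_matches(r, pkt)]


HOME_HOST, EXT = "209.162.185.100", "199.77.146.103"
SAMPLE_PACKETS = [                                                  # constructed
    Packet("tcp", EXT, 4000, HOME_HOST, 7070, b"\xff\xf4\xff\xfd\x06", "AP"),       # RealAudio DoS bytes
    Packet("udp", EXT, 5000, HOME_HOST, 2049, b"\x90" * 25 + b"\xcc"),            # 25-byte NOP sled
    Packet("udp", EXT, 5000, HOME_HOST, 2049, b"\x90" * 10 + b"\xcc"),            # shorter sled: no rule
    Packet("tcp", EXT, 4001, HOME_HOST, 23, b"\xeb\x02" * 3 + b"\x90"),           # x86 stealth NOPs
    Packet("tcp", EXT, 4002, HOME_HOST, 23, bytes.fromhex("13c01ca6") * 4, "A"),  # SPARC NOPs, ACK only
    Packet("tcp", HOME_HOST, 4003, "209.162.185.7", 7070, b"\xff\xf4\xff\xfd\x06", "AP"),  # internal src
]
```

The last three packets are the point of slides 15 and 17: a 10-byte NOP sled, the right bytes with the wrong TCP flags, or an attack from inside $HOME_NET all pass silently, because each rule matches one fixed byte string under fixed header conditions and nothing else.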
Slide 17

Signature-Based Intrusion Detection Systems May Not Detect New Types of Attack

(Figure: a region labelled "Attacks with Names", containing Back Orifice, Land Attack, Win Nuke, IP Blob and Trino, marked "Alarm on Activities in these areas", and a separate region labelled "Attacks without Names (not analyzed yet)" that the signature IDS does not cover.)

Slide 18

Flow-Based Technology - An approach that recognizes normal traffic can detect new types of intrusions.

(Figure: the same diagram with a third region, "Normal Network Activities", containing FTP, Web, NetBIOS and Email. The flow-based system learns that region and alarms on activities outside it, so both "Attacks with Names" (Back Orifice, Land Attack, Win Nuke, IP Blob, Trino) and "Attacks without Names (not analyzed yet)" fall in the area marked "Alarm on Activities in these areas".)

Example: Lancope's StealthWatch

Slide 19

Flow-based Statistical Analysis

A Flow is the stream of packets from one host to another related to the same service (e.g., Web, email, telnet, ...). Data in packet headers is used to build up counts (leads to high speed). After the flow is over, the counters are analyzed and a value is derived for the probability that the flow was crafted, perhaps for probing the network for vulnerabilities or for denial of service.

Flow-Statistics Counters:
Number of Packets
Number of Total Bytes
Number of Data Bytes
Start Time of Flow
Stop Time of Flow
Duration of Flow
Flag-Bit True-False Combo
Fragmentation Bits
ICMP Packet Responses to UDP Packets

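The counters on this slide built from packet headers alone, then scored after the flow ends, as an added example (not the slides' code and not StealthWatch's algorithm; the three scoring rules are an illustrative assumption). The packets are constructed: a normal web exchange, a single SYN answered by a reset, and a one-byte UDP probe of the kind described on slide 23 answered by ICMP port-unreachable; 24.88.48.47 is used as the home address because it appears on that slide.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Packet:
    """One packet-header record: no payload is kept, only what the counters need."""
    t: float                      # capture time in seconds
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    length: int                   # bytes on the wire
    data: int = 0                 # payload bytes after the headers
    flags: str = ""               # TCP flag letters, e.g. "S", "SA", "PA", "RA"
    frag: bool = False            # MF bit set or non-zero fragment offset
    # for ICMP errors: (proto, src, sport, dst, dport) of the packet being answered
    quoted: Optional[Tuple[str, str, int, str, int]] = None


@dataclass
class Flow:
    """The slide's flow-statistics counters for one conversation."""
    key: tuple
    packets: int = 0
    total_bytes: int = 0
    data_bytes: int = 0
    start: float = 0.0
    stop: float = 0.0
    flag_combos: Counter = field(default_factory=Counter)   # flag-bit true/false combinations seen
    fragments: int = 0
    icmp_unreachable: int = 0                               # ICMP responses to this flow's UDP packets

    @property
    def duration(self) -> float:
        return self.stop - self.start


def flow_key(proto, a, ap, b, bp):
    """Direction-independent key so both halves of a conversation land in one flow."""
    lo, hi = sorted([(a, ap), (b, bp)])
    return (proto, lo[0], lo[1], hi[0], hi[1])


def build_flows(packets):
    flows = {}
    for p in sorted(packets, key=lambda p: p.t):
        if p.proto == "icmp" and p.quoted:
            key = flow_key(*p.quoted)          # credit the ICMP error to the flow it answers
            f = flows.setdefault(key, Flow(key, start=p.t, stop=p.t))
            f.icmp_unreachable += 1
            f.stop = max(f.stop, p.t)
            continue
        key = flow_key(p.proto, p.src, p.sport, p.dst, p.dport)
        f = flows.setdefault(key, Flow(key, start=p.t, stop=p.t))
        f.packets += 1
        f.total_bytes += p.length
        f.data_bytes += p.data
        f.stop = max(f.stop, p.t)
        f.fragments += int(p.frag)
        if p.proto == "tcp":
            f.flag_combos[p.flags] += 1
    return flows


def crafted_score(f: Flow) -> float:
    """Heuristic 0..1 score that the flow was crafted (assumption: illustrative rules only)."""
    score = 0.0
    combos = set(f.flag_combos)
    if f.key[0] == "tcp" and "S" in combos and not combos & {"A", "PA", "FA"}:
        score += 0.5          # SYNs that never became a handshake: a port scan
    if f.key[0] == "udp" and f.data_bytes <= 2 and f.icmp_unreachable:
        score += 0.5          # tiny UDP packet that only drew port-unreachable: a probe
    if f.fragments:
        score += 0.2          # fragmentation in an ordinary service flow is unusual
    return min(score, 1.0)


def rank_flows(packets):
    """All flows as (score, key), most suspicious first."""
    return sorted(((crafted_score(f), f.key) for f in build_flows(packets).values()), reverse=True)


HOME = "24.88.48.47"


def _tcp(t, src, sport, dst, dport, flags, length, data=0):
    return Packet(t, "tcp", src, sport, dst, dport, length, data, flags)


SAMPLE_PACKETS = [                                                           # constructed
    _tcp(0.00, "130.207.7.1", 4321, HOME, 80, "S", 60),                      # (a) normal web flow
    _tcp(0.01, HOME, 80, "130.207.7.1", 4321, "SA", 60),
    _tcp(0.02, "130.207.7.1", 4321, HOME, 80, "A", 52),
    _tcp(0.03, "130.207.7.1", 4321, HOME, 80, "PA", 352, 300),
    _tcp(0.10, HOME, 80, "130.207.7.1", 4321, "PA", 1252, 1200),
    _tcp(0.11, "130.207.7.1", 4321, HOME, 80, "FA", 52),
    _tcp(0.12, HOME, 80, "130.207.7.1", 4321, "FA", 52),
    _tcp(0.13, "130.207.7.1", 4321, HOME, 80, "A", 52),
    _tcp(1.000, "209.162.185.200", 40000, HOME, 22, "S", 44),                # (b) SYN probe of port 22
    _tcp(1.001, HOME, 22, "209.162.185.200", 40000, "RA", 40),
    Packet(2.000, "udp", "151.21.82.251", 31790, HOME, 31789, 29, data=1),   # (c) one-byte UDP probe
    Packet(2.001, "icmp", HOME, 0, "151.21.82.251", 0, 58,
           quoted=("udp", "151.21.82.251", 31790, HOME, 31789)),
]
```

Nothing in the scoring looks at payload bytes, which is why this runs at line rate and why it catches the probe and the scan without a signature for either; the price, as slide 12 says, is that any threshold on a statistic will also fire on unusual but legitimate flows.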
Slide 20

Zone Protection

Slide 21

IDS Types Should be Combined

Host-Based: Can detect misuse of OS access and file permissions.
Signature-Based: Can detect attacks embedded in network data, if the signature is known.
Anomaly-Based: On host or network. Can detect new types, but high false alarm rate.
Flow-Based: Can detect new types of attacks by network activity. Should be used with Host-Based and/or Signature-Based.

Slide 22

The Stages of a Network Intrusion (the slide 7 list, annotated with the detection techniques that apply at each stage)

1. Scan the network to locate which IP addresses are in use, what operating system is in use, and what TCP or UDP ports are open (being listened to by servers).
2. Run exploit scripts against open ports.
3. Get access to a shell program which is suid (has root privileges).
4. Download from a hacker web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast.

(Figure annotations beside the stages, in the order they appear: Flow-based "CI", signature-based?; Vulnerability Scan; Signature?, Flow-Based Port Profile; Host-based; Signature?, "Port-Profile", Forbidden Zones, Host-based; Signature?, "Port-Profile", Forbidden Zones, Host-based; StealthWatch.)

Slide 23

Detection of the Mac Attack DDoS Plan

Type "A" Probes (detected by John Copeland in Dec. 1999). The first three UDP probes, which started my investigation, had a single character in the data field, an 'A'. The UDP port numbers were identical, 31790-31789. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination-Unreachable-Port packets. The Echo-Request is never answered.

Date        Time (EST)  Source IP (Place)               Destination (Place)
1999-12-28  18:40       151.21.82.251 (Italy)           24.88.48.47 (Atlanta, GA)
1999-12-10  18:28       152.169.145.206 (AOL)           24.88.48.47 (Atlanta, GA)
1999-12-16  03:34       212.24.231.131 (Saudi Arabia)   24.88.48.47 (Atlanta, GA)

UDP packets with an empty data field, like those generated by the "nmap" scan program, do not stimulate the 1500-byte ICMP packets from a Mac OS 9 Macintosh.

Slide 24

2nd Generation, Mac Attack Scanning

"Double-zero" Probes (James Bond, "00" - "license to kill"), detected in Dec. 1999. I have now seen 3 UDP type "00" probes, and had another "00" probe reported from Kansas. These probes use a single UDP packet, two bytes of data (ascii zeroes) and identical UDP port numbers, 60000-2140. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination-Unreachable-Port packets. The Echo-Request is never answered.

Date        Time   Source IP (Place)                    Destination (Place)               DNS name
1999-12-20  07:04  195.229.024.212 (Arab Emirates)      24.88.48.47 (Atlanta, GA)
1999-12-21  08:04  195.229.024.213 (Arab Emirates)      24.88.48.47 (Atlanta, GA)         cwa129.emirates.net.ae
1999-12-25  09:39  212.174.198.29 (Turkey)              24.94.xxx.xxx (Wichita, Kansas)   none
1999-12-31  05:35  195.99.56.179 (Manchester, UK)       14.88.xx.xx (Atlanta, GA)         manchester_nas11.ida.bt.net
2000-01-04  05:08  24.94.80.152 (Road Runner, Hawaii)   24.94.xxx.xxx (Wichita, Kansas)   a24b94n80client152.hawaii.rr.com
2000-01-06  04:48  195.44.201.41 (cwnet, NJ)            24.88.xx.xxx (Atlanta, GA)        ad11-s16-201-41.cwci.net

Slide 25

Drawing from Atlanta Journal-Constitution article, Dec. 1999. Full details at www.csc.gatech.edu/macattack/

Slide 26

Traceroute to find location of IP Address

Start 11/21/99 11:07:40 PM
Find route from 24.88.48.47 to www.orbicom.com. (196.28.160.129), Max 30 hops, 40 byte packets
Host Names truncated to 32 bytes

 1  24.88.48.1 (24.88.48.1)                             17ms   17ms   16ms
 2  24.88.3.21 (24.88.3.21)                             18ms   19ms   18ms
 3  24.93.64.69 (24.93.64.69)                           17ms   18ms   17ms
 4  24.93.64.61 (24.93.64.61)                           19ms   17ms   18ms
 5  24.93.64.57 (24.93.64.57)                           25ms   25ms   23ms
 6  sgarden-sa-gsr.carolina.rr.com. (24.93.64.30)       26ms   27ms   27ms
 7  roc-gsr-greensboro-gsr.carolina. (24.93.64.17)      28ms   28ms   30ms
 8  roc-asbr-roc-gsr.carolina.rr.com (24.93.64.6)       30ms   32ms   30ms
 9  12.127.173.205 (12.127.173.205)                     40ms   39ms   39ms
10  gbr2-a30s1.wswdc.ip.att.net. (12.127.1.30)          38ms   40ms   39ms
11  gr2-p3110.wswdc.ip.att.net. (12.123.8.246)         278ms   40ms   39ms
12  att-gw.washdc.teleglobe.net. (192.205.32.94)        41ms   43ms   42ms
13  if-7-2.core1.newyork.teleglobe.n (207.45.222.145)   45ms   46ms   45ms
14  if-0-0-0.bb3.newyork.teleglobe.n (207.45.221.69)    45ms   47ms   49ms
15  ix-1-1-1.bb3.newyork.teleglobe.n (207.45.199.202)   50ms   46ms   50ms
16  196.30.121.243 (196.30.121.243)                     44ms   48ms   45ms
17  fe0-0.cr3.ndf.iafrica.net. (196.31.17.26)          635ms  632ms  633ms
18  atm6-0sub300.cr1.vic.iafrica.net (196.30.121.81)   641ms  640ms  644ms
19  196.30.200.6 (196.30.200.6)                        643ms  640ms  643ms
20  196.4.162.86 (196.4.162.86)                        662ms  659ms  664ms
21  www.orbicom.com. (196.28.160.129)                  663ms  658ms  664ms

Trace completed 11/21/99 11:08:25 PM
