Network Security CS 192

Transcription

1 Network Security CS 192 Network Scanning (Idlescan) Department of Computer Science George Washington University Jonathan Stanton 1

2 Today s topics Discussion of new DNS flaws Network Scanning (Idlescan) OS-Fingerprinting Jonathan Stanton 2

3 Additional Resources Reference: Idlescan DNS IDN: OS Fingerprinting Jonathan Stanton 3

4 DNS IDN Vulnerability Internationalized Domain Names 1990 s talked about 2002 detailed proposals 2002 The Homograph Attack by Evgeniy Gabrilovich and Alex Gontmakher. Communications of the ACM, 45(2):128, February IDN services built into browsers (Jan/Feb) Advisory and proof of concept. Basic problem: Multiple languages and character sets have characters that look identical but are different (a in roman alphabet and a in cyrillic) Internationalized domain names (in native alphabets) also have roman equivelent form for backwards compatibility. Jonathan Stanton 4

5 DNS IDN What solutions can be proposed? CAs? (SSL certificate issuers) Stronger checking? Refuse obviously bad registrations? Browsers? Do not show roman names? Highlight non-roman characters in domain names? Give warning dialog box when domain name with mixed characters is loaded (roman and non-roman)? Jonathan Stanton 5

6 Network Scanning Purpose is to gather information about a network remotely. Types of information: Hosts that are on Ports/services that are running on those hosts Version of services running Type of operating system running (including version and firmware for network hardware) Jonathan Stanton 6

7 Types of Host Scans Most common is a Ping Send ICMP echo request packet Receive ICMP echo reply packet if host is up Receive ICMP host not reachable packet if host is not routable/reachable Receive nothing if host down Also can do DNS query (forward or reverse) to find hosts. Traceroute can find router hosts and gateways Jonathan Stanton 7

8 Types of Service Scans Direct scans: (Attacker - Target) Standard/Vanilla/Open Scan (TCP Connect) Stealth Null, Syn, XMAS, Fin, Indirect Scans: Idlescan DNS registries Jonathan Stanton 8

9 Idle Scan Indirect scan where attacker never sends packets to target which appear to come from attackers IP address. Builds on key TCP/IP properties: TCP responds to SYN with SYN ACK TCP responds with RST packet to unsolicited SYN ACK TCP ignores unsolicited RST packets. IP ID field increases with every packet sent (including RST packets) Jonathan Stanton 9

10 Idlescan Jonathan Stanton 10

11 Benefits: Idle scan Stealth: No packets appear to be sent by attacker Bypass Firewalls and router rules: Since packets appear to be from 3rd party host, that host can be chosen to bypass rules. It can be already inside the firewall It can be a trusted host outside (Exec s home machine) Jonathan Stanton 11

12 Defenses: Idle Scan Defenses Filter to deny bogus source IP addresses at network border (internal addresses, reserved, localhost) Use stateful firewall rules. Run OS s with unpredictable IPID sequences (prevents them from becoming zombies) Egress filtering of spoofed addresses prevents you from being the source of attacks. OS: Use per-connection IPID sequences. Use randomized IPID sequences (tricky to get right). Jonathan Stanton 12

13 Traffic Analysis: Sniffing Host IDS Network IDS Host Analysis Detecting Scans Log file analysis Service IDS (watch for rare commands that reveal information) Honeynets monitor only networks that are not actually used by the organization but look real so attackers will probe and attack them. Jonathan Stanton 13

14 Firewall Preventing Scans Some types of ICMP can be blocked TCP connection monitoring Blocking ports not used Host service deception: Hosts can pretend to have services they don t really use. Knock codes required to open ports Jonathan Stanton 14

15 Information Slide Homework exercise 2 assigned today. Due next Tuesday. Lecture slides, course updates, and assignments can be obtained at the course web page Jonathan Stanton 15