Analyzing Intrusion Detection System Evasions Through Honeynets

Transcription

1 Analyzing Intrusion Detection System Evasions Through Honeynets J.S Bhatia 1, Rakesh Sehgal 2, Simardeep Kaur 3, Siddharth Popli 4 and Nishant Taneja 5 1 Centre for Development of Advanced Computing 2, 3, 4 Centre for Development of Advanced Computing 5 Chandigarh College of Engineering and Technology Abstract Intrusion detection systems have developed a lot after their inception. They are now used prominently in the various security solutions provided by different vendors. However certain anomalies and limitations still exist. These have enabled the attackers to bypass IDS and carry out various attacks. These attacks can be generated with ease and can be used to compromise the security of a system. Through this paper we identify such IDS evasions and generate a triggering mechanism that can evade the IDS. We also provide validation architecture for detecting such an evasion using Honeynet technology and generate an effective script to detect such an attack. This paper aims to provide sufficient information for analyzing IDS evasions with the help of Honeynets INTRODUCTION. Intrusion detection is a security technology that attempts to identify and isolate `ìntrusions'' against computer systems. Different ID systems have differing classifications of `ìntrusion''; a system attempting to detect attacks against web servers might consider only malicious HTTP requests, while a system intended to monitor dynamic routing protocols might only consider RIP spoofing. Regardless, all ID systems share a general definition of `ìntrusion'' as an unauthorized usage of or misuse of a computer system. Intrusion detection is an important component of a security system, and it complements other security technologies. By providing information to site administration, ID allows not only for the detection of attacks explicitly addressed by other security components (such as firewalls and service wrappers), but also attempts to provide notification of attacks unforeseen by other components. Intrusion detection systems also provide forensic information that potentially allows organizations to discover the origins of an attack. In this manner, ID systems attempt to make attackers more accountable for their actions, and, to some extent, act as a deterrent to future attacks. Intrusion detection systems can be broadly classified as Network based Intrusion Detection Systems and Host Based Intrusion Systems. A NIDS passively monitors network traffic on a link looking for suspicious activity as defined by its protocol analyzers. NIDS works by analyzing the network traffic and determines an effective way to prevent intrusions. However the ability of the NIDS rests on its ability to perform a complete simulation of the network which can not always be complete or precise as the NIDS has to overcome ambiguous conditions that are characteristic of any network. Such a condition can easily be used by an attacker to his advantage, NIDS can be obfuscated into believing that no intrusion has occurred even though an intrusion my have been carried out. Host based IDS are based on a completely different logic than NIDS. HIDS software works at a different level. However attempts have been successfully carried out to evade HIDS as well. Most of these attacks rely on the ability to evade Signature based HIDS products. Another problem with HIDS is that they tend to alarm too late to be of much use. During this interval an attacker can easily gain access to sensitive areas of the system. Researchers have long since been engaged in Detecting IDS Evasions. Several Limitations of IDS have enabled full scale evasion of the same. Most of such attacks exploit weaknesses within IDS. Basic String Matching weaknesses can easily be exploited and evasion techniques are easy to implement. Signature-based IDS devices rely almost entirely on string matching and breaking the string match of a poorly written signature is trivial. Not all IDS devices are signature-based; however, most have a strong dependency on string matching. Snort Signatures have been used to demonstrate the weaknesses of IDS. Another prevalent evasion technique is Polymorphic Shell Code [1]. Polymorphic shell code is a more dangerous, recently developed evasion tactic that IDS devices cannot so easily defend against. Polymorphic shell code was devolved by K2 and is based on virus evasion techniques. This technique is limited to buffer overflows, and is much more effective against signature-based systems than anomaly or protocol analysis-based systems. Yet another evasion technique is based on Fragmentation Attacks. Until recently, many devices didn t properly reassemble fragments before comparing them to the string. There are still several ways to evade an IDS through fragmentation. The problem with fragmentation reassembly is the IDS needs to keep the packet in memory and fully reassemble the packet before comparison to the string. The IDS also needs to understand how the packet will be reassembled by the destination host. In [2] the author details several network based fragmentation evasion methods as well as other network-based evasion techniques. Some of the possible evasion attacks based on fragmentation are fragmentation overlap, fragmentation overwrite, fragmentation timeouts and fragmentation techniques using network topology. However

2 Pg 9-2 the most common IDS evasion technique has been launching Denial of Service Attacks. The denial of service can be either against the device or the personnel managing the device. Tools such a s Stick, Snot and several testing tools can be used to create a vast amount of alarms that can: consume the devices processing power and allow attacks to sneak by; fill up disk space causing attacks to not be logged; cause more alarms than can be handled by management systems (such as databases, ticketing systems, correlation engines, or alerting facilities); cause personnel to not be able to investigate all the alarms; and, cause the device to lock up However launching Denial of Service Attack requires seasoned Hackers. In this paper we present a technique for bypassing IDS. We then show how this new attack which completely evades IDS can be captured by Honeynets. Furthermore the flowchart for the detection script has been elaborated which could be useful against such an attack. Finally we examine the scope of our research and demonstrate how such a technique would help in minimizes IDS Evasions. Scenario for bypassing IDS In this section we present a ubiquitous technique to evade Intrusion Detection Systems. Test Bed consisted of a 3 Ghz Pentium 4 Processor, 1 GB of RAM and Ethernet of speed of 10 Mbps. The Operating System used was Linux The IDS tested was Snort Version Snort is widely regarded as the best IDS among Open Source Tools today. The underlying concept behind this technique is that when a port scanner is sending packets to different ports of a system, either sequentially or in a random manner,, it first PINGs the system to check whether the remote host is up or not and then, start with port scanning [3], However in our scenario, we tried to exploit the limitation of IDS utilizing the concept that its Time Window is very small (usually, a few seconds). Time Window may be described as the time delay between related packets stored in the buffer of IDS. During this time delay, the IDS cannot correlate the relationship between similar nature packets stored in the buffer.we then start by sending packets after longer intervals for two ports on a system and remove the initial PING test [4]. This technique is basically an implementation of a slow scan that is possibly undetectable by the IDS. A SYN scan was carried out using a custom made script where interval between two successive packets was kept variable. The following algorithm illustrates the task that was carried out: //This algorithm finds open and closed ports between P s and P e for the specified IP address I p where T d is the variable time delay between two probes where 31sec< T d <2 min//(p s - Starting port Number, P e - Ending port Number) 1. Set i= P s. 2. Repeat step 3 to 5 while i< P e 3. Connect to i on I p 4. [Wait for T d ] Delay next probe by the specified time T d 5. [Increase counter] Set i=i+1; [End of loop] 6. Exit We found that the above algorithm successfully executed and was undetectable by IDS (Snort). It can be inferred from above that IDS is extremely vulnerable to such kind of Triggering Mechanisms. Snort Time window is usually of the order of 30 seconds. This represented a major anomaly of Snort IDS. The above algorithm was tested by using both a Shell Script and C code. In both the cases it was able to successfully able to trigger the anomaly present within Snort. At the same time we also found that if Honeynet was installed in conjunction with the IDS, it was able to log such an evasion. Using Honeynets we were able to generate a script for detecting such an evasion, the details of which have been illustrated later. In the case of Honeynets with total network data captured present, the theoretical Time Window can be raised to infinite so that it is still able to detect the events happening over a large period of time. This is illustrated in the next section.

3 Pg 9-3 HONEYNET IMPLEMENTATION: Honeynets are architecture which creates a highly controlled network, one that we can control and monitor all activity that happens within it [5]. We then place the target systems, honeypots, within that architecture. The goal of a honeynet is to create an environment where the tools and behavior of threats can be captured and analyzed. Based on this information, we can gain intelligence on threats faced by the Internet community. Honeynet captures all the traffic interacting with it. Total network data is captured parallel to the IDS using a Sniffer and the following Honeynet architecture was implemented to detect the above mentioned attack. The architecture implemented takes attack from its source and feeds it in a parallel manner to both, a Honeynet and an IDS. The corresponding attack is analyzed both by the IDS and the Honeynet and the corresponding results are compared. If any difference of information is obtained, we can assert that IDS has been evaded. When the above mentioned attack was carried out over this architecture, we found that IDS was not generating any Alerts however the corresponding attack was logged by the Honeynet and was subsequently analyzed. Figure 1. Honeynet Architecture to capture IDS Attacks. Attack detection by using IDS is subject to some significant limitations. IDS are per definition passive systems. Their task is primarily alarm generation. Typically IDS are not designed to cope with realtime requirements. Although NIDS continuously monitor network traffic, alarms are typically gathered in log files which have to be evaluated manually by the administrator, thus limiting the capabilities for realtime response. Our measurements have shown that the commonly used NIDS Snort needs up to 40 seconds to report an attack signature under heavy network load conditions. Snort IDS does not correlate isolated incidents they have detected. As a consequence, every single signature or modification is logged separately resulting in huge log files. Detection of multi-phase attacks is not supported by these tools. Furthermore, they provide no means to isolate suspicious systems even if they can be identified. Hence, again human intervention is required to reinstate network integrity. The role of Honeynet becomes extremely crucial. A Honeynet is an artificial network including Honeypots but typically no production systems. Data traffic in the Honeynet is tightly monitored by NIDS sensors. In addition, all network traffic is logged on packet level. Since no production systems have to be protected and no (disturbing) production traffic is present in a Honeynet, successful attacks can be allowed in a controlled fashion and a medium to long term observation of attacker activities is possible. Even detailed offline forensic analysis is possible due to the comprehensive traffic logging. Thus, a Honeynet allows far more detailed and flexible attack observations than IDS in production networks, where immediate countermeasures are required. Using Honeynets we are able to analyze and correlate information regarding the above mentioned attack. During the analysis process, we ran our own custom made script which detected the attack. The script was successfully able to help us to analyze such an attack. The script was able to not only detect the attack but also filter it out from the rest of the received data. The flow chart governing the logic for the above script is shown in Figure 2.The first step in generating any detection script is to check for available memory. The designated TCPDump data is loaded into the memory. We determined the total number of unique IPs present in the data. We then counted the total combinations based upon the sessions present in the data. These combinations were generated on the basis of the interaction between a particular IP-Port pair on one system to that of our Honeypot. The next step was to filter out the TCPDump data based on the network flow for each session or Port-IP combination pair present. Tethereal was used to filter out the aforementioned data.

4 Pg 9-4 Tethereal is a network protocol analyzer. It allows us to capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. Tethereal's native capture file format is libpcap format, which is also the format used by tcpdump and various other tools [6]. Tethereal is able to detect, read and write the same capture files that are supported by Ethereal. Using the combinations generated by Tethereal we checked for the packets coming to our different ports of our Honeypot from the system. If a one to many relationship was detected, we inferred it to be the triggering mechanism sent earlier [7]. Additionally we also checked for specific signature patterns that could have been present. The results showed that the attack sent earlier was being successfully detected by the Honeynet. This was primarily due to the script written to detect the attack. This can be seen in a snapshot of the TCPdump data generated using ethereal (refer to Figure 3).As described in the paper the main limitation of IDS was lack of data to correlate due to small time window taken into account by IDS. However in case of Honeynets, as all the data is available and there are more system events to correlate with Network Data therefore the time available and applicable for Honeynets is infinite and hence it is useful for overcoming the basic limitation of IDS. Referring to the flowchart of the script implemented by us in the Honeynet, as it is searching for the occurrence of port scan attack in the total data available with the Honeynet, it is able to identify and detect the attacker ranging over long period of times.this is one of the benefits of using the script written by us as it is able to search for and identify such kind of triggering mechanisms which exploit this very limitation of both Signature based IDS and Anomaly based Intrusion Detection Systems.

5 Pg 9-5 Figure 2. Flowchart to represent the Detection Script for the Attack

6 Pg 9-6 Figure 3. Snapshot of the TCPdump generated using Ethereal. CONCLUSION Intrusion Detection Systems have been in vogue for a long period of time. They have been traditionally used to detect attacks as and when they occur. However latest studies have shown that it is not a foolproof system. Simple Logical attacks can be generated at random and can be used to successfully evade them.through this paper we analyzed the futility of IDS using our own customized attack. This attack was successful in evading Snort, considered to be one of the best among the entire open source IDS. We also showed using a Flowchart that it is possible to generate a script using Honeynets that is capable of detecting such kind of attacks triggered externally. Therefore we conclude that Honeynets should be used in association with Intrusion Detection systems. Although this would not guarantee all round security but at least would also enable us to provide a robust Security Solution applicable across all kinds of Network Attacks. REFERENCES [1] Ptacek, Newsham Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, January 1998 [2] Cohen, Fred 50 Ways to defeat your Intrusion Detection, May 2003 [3] Ron Gula Bypassing Intrusion Detection System, Network Security Wizards [4] L.Deri and S.Suin Improving Network Security using Ntop, Proc, Third International Workshop on recent Advances in Intrusion Detection (RAID2000), 2000 [5] Know Your Enemy: Honeynets, [6]Christina Abad, Jed Taylor, Cigdem Sengul, William Yurcik, Yuanyuan Zhou and Ken Rowe. Log Correlation for Intrusion Detection: A proof of concept. Proc. of 19 Annual Computer Security Applications Conference (ACSAC2003)pp ,Las Vegas Nevada, USA, December , ACSA Computer Society

7 Pg 9-7 [7] M. Handley,V.Paxson,C.Kreibrich, Network Intrusion Detection: Evasion, Traffic Normalization, and end to end protocol Semantics. Proc. Of the 10 th USENIX Security Symposium, 2001