Radware s Behavioral Server Cracking Protection

Transcription

1 Radware s Behavioral Server Cracking Protection A DefensePro Whitepaper By Renaud Bidou Senior Security Specialist,Radware October

2 Page Table of Contents Abstract...3 Information Gathering...4 Scanners & Crackers...4 Scanner and Cracker Tools...4 Radware DefensePro...7 Server Cracking Protections...7 Behavioral Server Cracking Technology...8 Summary...10

3 Page Abstract The rapid development of Internet applications has brought with it new challenges. The world is in constant pursuit of innovative technologies that will replace manual processes with automated ones. This migration from manual to automated processes often introduces vulnerabilities that can be exploited by hackers and cybercriminals. The goal of these bad guys is to leverage these automatic processes to facilitate widespread attacks. Over time, hackers have developed attack tools that integrate well with legitimate forms of communication. This means that it is becoming increasingly difficult to detect and prevent network attacks. Recent attacks have exploited legitimate internet applications in order to generate hostile events. These sophisticated attacks try to take cover amid the jungle that is the new, complex Internet environment. In practice, there are several methodologies for penetrating and attacking computer networks. However, all of these methodologies generally employ the following three phases of operation: intelligence, attack planning, and attack execution, which can be explained as follows: 1. Intelligence (Information Gathering) A typical intrusion into computer networks involves pre-attack probe scanning activities, which help the attacker gain valuable knowledge about the target networks. Knowledge about which application software and versions are deployed and what level of security patches have been installed, help expose infrastructure and system vulnerabilities. Scanning methods have become more complex over the past few years. Current techniques are capable of continuously changing their scanning rate and sending decoy information during the scan - thereby making these techniques hard to detect. 2. Attack Planning Using the knowledge gained during the intelligence phase, a cyber-assailant can decide which attack type will be most effective in harming the target network. The objective is to plan an attack that can be executed in the most effective and efficient manner, i.e., execution is aimed directly at the vulnerable network resource (router, server, application, etc.) without performing unnecessary operations. Unnecessary operations can arouse suspicion that lowers the success rate of the attack. 3. Attack Execution Most network and application attacks can be executed using readily-available attack tools. These tools can be downloaded easily over the Internet. With rudimentary programming skills, these tools can be easily modified to perpetrate the pre-meditated attack. This paper describes the methods that were developed over that last few years in order to perform the first attack operation phase information gathering activity. It specifies the threat that this operation imposes, the challenge in detecting it, and the technology used by Radware s Intrusion Prevention System, the DefensePro, in order to detect and mitigate the threat.

4 Page Information Gathering Scanners & Crackers Scanners and Crackers are the main tools used for automation of security testing. In the hands of security experts they are used to speed up security audit processes that are usually done by the organization s security manager. In case of lack of expert security resources inside the organization or for regulatory reasons, the automation of the security test is done by a 3 rd party security audit company. These Scanners and Crackers tools are used to generate network-based pre-attack probes such as ping sweeps or port scans, or are used to perform application pre-attack probes such as user/password cracking and application vulnerability scans - all are done automatically rather than manual audit that can take months to conduct. While most of these tools were developed with good intention, individuals with malicious intent can also take advantage of such legitimate tools in order to quickly and efficiently find vulnerabilities in target systems and use these in order to attack the network. Moreover, worms usually propagate via automated scanning and infection processes, imitating (or simply copying) the technology used in scanners and crackers in order to identify potentially vulnerable hosts that they can automatically infect. Therefore, being able to block such tools becomes mandatory as it would eliminate most large-scale hacking attempts, block worms and considerably slow down targeted cracking operations. Scanner and Cracker Tools There are many tools used to automate security tests. To simplify the description of these tools we can map them into two main categories: Network layer and application layer tools. This paper focuses on the more challenging task of detecting and preventing scanners and crackers which fall into the application layer tools 1 category. We can recognize two main categories of threats that the application layer tools fit into: Cracking Attacks - Cracking attacks, being brute force or dictionary attacks, try to break into an application by guessing user names and passwords from known lists. The risk associated with these types of attacks is very clear. Once a useful username and password are obtained the attacker has free access to a service, information or even can get administration permissions to the server itself. Additional risks are denial of service by triggering built-in protections in the applications, locking out users or consuming system resources during authentication attempts. 1 As mentioned earlier, over time hackers have developed attack tools that integrate well with legitimate forms of communications. Application layer scanning and cracking tools are part of this family of tools.

5 Page Brute force attack tools usually use a technique called Mass Generator. This technique is designed to launch a massive number of similar operations at high speed. In the case of a brute force attack the similar operation includes different types of login attempts. A common type of brute force tool is called the generic brute forcers. These tools support the capability to target multiple applications, including methods to test more than 20 different authentication types, from the usual ones such as HTTP and FTP, to quite exotic ones such as cvs, pc anywhere etc. These types of tools test authentication methods that are defined in standards, such as the Basic HTTP authentication. Application Vulnerability Scanning - These scanners perform thousands of tests and provide a list of potential vulnerabilities that may be exploited. Typically, these scanners do not send an exploit to the server but a more legitimate request that only shows the existence of the vulnerability, and as such will not trigger signature-based protection systems. These scanners can be classified into three families: Generic scanners : These tools perform thousands of tests and provide a list of potential vulnerabilities that may be exploited; Dedicated scanners: These tools also test for multiple vulnerabilities but only those that affect one specific type of operating system or application. Exploitation tools: These tools launch a sequence of real attacks on targeted systems. As mentioned before this method is less common as it is easy to detect. These application scanners generate thousands of application requests to the server and analyze the different behaviors of its responses. Through analysis of the application responses, the tools can identify the exact targeted application information (type, version etc.). According to the discovered application s information the tool typically searches into a vulnerabilities database and selects a specific set of application requests that fit the application type and version and sends them to the probed application. Through this scheme the tool can automatically identify which vulnerabilities exist in the application.

6 Page The following figures show a typical HTTP vulnerability scanning: Get /cgi-bin/info2www HTTP/1.0 Attacker Get /cgi-bin/files.pl HTTP/1.0 Get /cgi-bin/finger HTTP/1.0 Get /cgi HTTP/1.0 Get /cgi/websendmail HTTP/1.0 Get /cgi/textcounter HTTP/1.0 Public Web Server Figure 1a HTTP Vulnerability Scan Activities (1 st phase) After the 1 st scanning phase the following results are achieved by the hacker: Information about the server application type and version is discovered. During the scanning activities the server resources (CPU and Memory) are misused and this can result in service disruption. Known potential application vulnerabilities are detected. As shown in Figure 1b below, in the 2 nd phase a direct vulnerability exploitation attempt can be generated with a high probability of success. Exploitation Attacker Figure 1b Exploitation (2 nd phase) Public Web Server Aforementioned application pre-attack probes, by definition, cloak themselves as legitimate traffic since they usually do not violate protocol rules or match pre-defined attack signatures that represent an exploitation attempt of known application vulnerabilities. Therefore, Network Intrusion Prevention Systems [NIPS] that support only signature-based detection capabilities are ineffective against these threats. Only a behavior-based product that can evaluate changing application traffic patterns will be able to effectively defeat these pre-attack probes.

7 Page Radware DefensePro Radware s Server Cracking Protection is a behavioral server-based technology that detects and prevents both known and unknown application scans and brute-force attacks. This behavioral protection is part of Radware s DefensePro Full Spectrum Protection Technology. The technology includes an adaptive behavioral network-based protection that mitigates network DoS & DDoS attacks, adaptive behavioral user-based protections that mitigate network pre-attack probes and zero-day worm propagation activities, and stateful signature-based protections against exploitation attempts of known application vulnerabilities. Figure 2 illustrates the unique layers of defense security architecture that is implemented inside the DefensePro system. The server cracking protection is part of the 2 nd layer server-based behavioral technology shown in the figure: Network & DoS/DDoS Flood attacks Server-Based Attacks Zero-Day Worms Propagation Intrusion Activities Clean Environment Proactive Network-Based Proactive Server-Based Proactive User-Based Stateful Signature- Behavioral Analysis Behavioral Analysis Behavioral Analysis Based Protections Figure 2 DefensePro Multi-layered Protections Server Cracking Protections The Server Cracking behavioral protection detects and prevents the following known and unknown (zero-day) threats: Web Authentication brute-force & dictionary attacks HTTP vulnerability scans SMTP (Mail) brute-force & dictionary attacks FTP brute-force & dictionary attacks POP3 (Mail) brute-force & dictionary attacks MySQL brute-force & dictionary attacks

8 Page MSSQL brute-force & dictionary attacks SIP brute-force & dictionary attacks SIP scans About SIP scanning & Brute-force Attacks SIP Scanning - In SIP scanning the attacker s aim is slightly different then the usual application vulnerability scanning goal. While it is possible to find vulnerable SIP implementation, the actual gain from SIP scanning is to obtain a list of SIP subscribers and to send them SIP SPAM messages, also known as SPIT (Spam over IP Telephony). Attacker will use scripts to send the SPIT messages to a list of guessed subscriber names and will note the ones that reply. SPIT can cause annoyance to the subscribers and can disrupt service if done in high volumes. SIP Brute Force - A register brute force is an attempt to gain access to a user account and through it to the service, thus allowing the attacker to use the service without paying for it. This is turn causes revenue loss, reputation loss and an increase in bill verification activities. For more detailed information about Radware s DefensePro VoIP protections, refer to Radware s Mutli-layered VoIP Security White paper at: Behavioral Server Cracking Technology Radware s server cracking behavioral-based mechanism uses an advanced statistical engine and an adaptive fuzzy logic decision engine in order to detect users that try to scan or brute force server applications. The engine classifies plurality of application response messages that are generated by the protected servers and extracts the user identifier from them. The statistical engine then computes statistical characteristics such as frequency, quantity and distribution parameters of the plurality of response messages corresponding to each user. The Fuzzy Logic decision engine assigns an anomaly weight to each characteristic parameter, correlates between these weights through expert rules, and generates a degree of anomaly corresponding to each user. One of the challenges that every system administrator faces with protection systems is to define the time-out interval in which the system will monitor the user s activities until a decision can be made (e.g., until a certain threshold is breached). Wrong time-out settings can lead immediately to false positive or false negative decisions. Monitor interval that are too long increase the chances for false positive decisions, while intervals that are set too short increase the risk that the system will not detect the scan or brute force attack.

9 Page In order to solve this problem, Radware s server cracking decision engine automatically adjusts the user monitoring interval based upon the user s degree of anomaly. This dynamic monitoring interval determines how much time the system will consider the user suspect and continue to analyze his activities until a decision can be made. This adaptation process increases the accuracy of the system s decisions and reduces dramatically the configuration and maintenance operations that are required from the system administrator. Once a user has been identified as an attacker he is blocked, meaning no more connections from this source to the attack target server will be accepted. In case of attack, DefensePro inserts the source IP to a dynamic block list, or extends the blocking duration in case the source IP address was already blocking in the past during the same attack lifecycle. Server Cracking Closed-Feedback Mechanism Besides the dynamic user monitoring interval, Radware's DP Closed Feedback Module is responsible for further minimizing false positive decisions. The closed-feedback methodology that the system supports is characterized by a dynamic blocking period. When the system discovers attacker activities, it will use a very short first blocking period against him. During this period, the system keeps tracing the blocked user and checks for consistency in his abnormal activities. If his activities are discovered as a one time case, the system will immediately reduce the blocking duration to zero and release the user. If the user s abnormal activities are consistent, then it will automatically increase the blocking duration. Figure 3 illustrates the server cracking decision making process: Dynamic Blocking Dynamic blocking closed-feedback Fuzzy Logic Decision Engine Statistics Collection Adaptive user monitoring interval User Classification Figure 3 - Server Cracking Decision Making Process

10 Page Summary Radware s DefensePro integrates multiple layers of defense, including signature-based protection, adaptive behavioral network-based protection that covers threats such as zero-day worm propagation and DoS&DDoS network flood attacks and bandwidth management. Looking into the next level of attacks, the server cracking feature set complements the IPS offering with the adaptive behavioral server-based protection technology. Understanding today s threats and security challenges lead to the conclusion that effective protection should include the following key capabilities: Wide Security Coverage Application protection should include a multi-layer of defense technology that includes network, transport and application layer protections. Both known and unknown attacks should be confronted through both proactive behavioral-based and signature-based security technologies. Scalability The security product should be able to work in a high-speed environment with minimal impact on traffic latency. This important capability should be supported through advanced hardware architecture accompanied by advanced security technologies. Low TCO Maintaining low Total Cost of Ownership forces systems to be more independent of the human factor ( hands-off systems). Relying less on the human factor means that operations that were usually conducted by the security expert need now to be performed automatically by the systems themselves. Accuracy - The accuracy of both the detection and prevention technologies that the product has to offer, especially in real-time environments are paramount. Even low percentages of false positive detections or false preventions (i.e., packets that are dropped unnecessarily) render the security product useless. Radware's Behavioral server cracking protection system has the ability to accurately prevent application pre-attack probes such as application vulnerability scans and brute force attack and the misuse of application server resources, all in real-time. The Behavioral protection supports statistical algorithms, which characterize the pattern of ongoing attacks and then filter these attacks accordingly, without any human intervention. Thus, Radware s DefensePro introduces a Network Intrusion Prevention System that was deigned to fulfill all the aforementioned key capabilities. To read more about Radware s DefensePro, please refer to: