Attack Detection and Prevention

Chapter 17 Attack Detection and Prevention Attack Overview, Taxonomy, and Examples Attack Detection Principles of Intrusion Detection Systems Knowledge-based Anomaly detection Distributed attack detection Attack Prevention [NetSec], WS 2005/06 17.1

Introduction Definition: Intrusion An Intrusion is unauthorized access to and/or activity in an information system. Definition: Intrusion Detection The process of identifying that an intrusion has been attempted, is occurring or has occurred. National Security Telecommunications Advisory Committee (NSTAC) Intrusion Detection Subgroup [NetSec], WS 2005/06 17.2

Introduction Intrusion Detection Attack- / Invasion detection: Tries to detect unauthorized access by outsiders Misuse Detection: Tries to detect misuse by insiders, e.g. users that try to access services on the internet by bypassing security directives Anomaly Detection: Tries to detect abnormal states within a network, e.g. sudden appearance of never used protocols, big amount of unsuccessful login attempts Intrusion Prevention An IPS adds further functionality to an IDS. After detecting a possible attack the IPS tries to prevent the ongoing attack, e.g. by closing network connections or reconfiguring firewalls [NetSec], WS 2005/06 17.3

Introduction Attack Sophistication vs. Intruder Knowledge [NetSec], WS 2005/06 17.4

Categorizing Attacks Who / which device is attacking? Normal user device located outside the infrastructure: Examples: PC, PDA, mobile phone,... Commanded by a normal user not aware of what he is doing, or Hacked and commanded by a malicious attacker Device located inside the infrastructure: Examples: router, management workstation,... Either deliberately placed by an attacker inside the infrastructure, or Being part of the genuine infrastructure but hacked and commanded by a malicious attacker Which layer(s) is the attack aiming at? Physical, MAC / Data Link, Network, Transport, Application Which kind of attack is performed? Attacking user data PDUs: eavesdropping, replay, modification,... Resource depletion: TCP-SYN flood, SMURF attack,...... [NetSec], WS 2005/06 17.5

Ensuring Availability: The Key Challenge for the Next Years Security of transmitted information in the sense of confidentiality, authenticity, etc. is well researched and many network security protocols have been developed & standardized during the past decade Examples: PPP/PPTP, L2TP, IPSec, SSL/TLS, SSH, GSM/GPRS/UMTS security protocols,... In infrastructure networks (like the Internet), routing threats can be effectively countered by deploying PKI-based approaches like S-BGP However, ensuring availability of our IT- and communication infrastructure requires more than can be realized by standard network security protocols, and thus turns out to be the major challenge for the next years of security research! [NetSec], WS 2005/06 17.6

Denial of Service What is Denial of Service? Denial of Service (DoS) attacks aim at denying or degrading legitimate users access to a service or network resource, or at bringing down the servers offering such services Motivations for launching DoS attacks: Hacking (just for fun, by script kiddies,...) Gaining information leap ( 1997 attack on bureau of labor statistics server; was possibly launched as unemployment information has implications to the stock market) Discrediting an organization operating a system (i.e. web server) Revenge (personal, against a company,...) Political reasons ( information warfare )... [NetSec], WS 2005/06 17.7

Denial of Service Attacking Techniques Resource destruction (disabling services): Hacking into systems Making use of implementation weaknesses as buffer overrun Deviation from proper protocol execution Resource depletion by causing: Storage of (useless) state information High traffic load (requires high overall bandwidth from attacker) Expensive computations ( expensive cryptography!) Resource reservations that are never used (e.g. bandwidth) Origin of malicious traffic: Genuineness of source addresses: either genuine or forged Number of sources: single source, or multiple sources (Distributed DoS, DDoS) [NetSec], WS 2005/06 17.8

Examples: Resource Destruction Hacking: Exploiting weaknesses that are caused by careless operation of a system Examples: default accounts and passwords not disabled, badly chosen passwords, social engineering (incl. email worms), etc. Making use of implementation weaknesses: See later slides on security aware system design & implementation Deviation from proper protocol execution: Example: exploit IP s fragmentation & reassembly Send IP fragments to broadcast address 192.168.133.0 Operating systems with origins in BSD often respond to this address as a broadcast address In order to respond, the packets have to be reassembled first If an attacker sends a lot of fragments without ever sending a first / last fragment, the buffer of the reassembling system gets overloaded As some routers use BSD-based TCP/IP stacks, even the network infrastructure can be attacked this way! [NetSec], WS 2005/06 17.9

Countering Attacks: Three Principle Classes of Action Prevention: All measures taken in order to avert that an attacker succeeds in realizing a threat Examples: Cryptographic measures: encryption, computation of modification detection codes, running authentication protocols, etc. Firewall techniques: packet filtering, service proxying, etc. Preventive measures are by definition taken before an attack takes place Attention: it is generally impossible to prevent every potential attack! Detection: All measures taken to recognize an attack while or after it occurred Examples: Recording and analysis of audit trails On-the-fly traffic monitoring and intrusion detection Reaction: All measures taken in order react to ongoing or past attacks [NetSec], WS 2005/06 17.10

Attack Taxonomy Source: [Mircovic2004] [NetSec], WS 2005/06 17.11

Attack Strategy Scan for vulnerabilities Detection of vulnerable hosts and applications Compromising hosts Manual hacking Viruses, Trojans, Worms Distributed denial-of-service attack Bandwidth depletion Resource depletion [NetSec], WS 2005/06 17.12

Port Scan Background Identification of vulnerable systems / applications Automated distribution of worms Scan types Vertical scan: sequential or random scan of multiple (5 or more) ports of a single IP address from the same source during a one hour period Horizontal scan: scan of several machines (5 or more) in a subnet at the same target port from the same source during a one hour period Coordinated scan: scans from multiple sources (5 or more) aimed at a particular port of destinations in the same /24 subnet within a one hour window; also called distributed scan Stealth scan: horizontal or vertical scans initiated with a very low frequency to avoid detection [NetSec], WS 2005/06 17.13

Port Scan (2) Scan characteristics Port distribution Source distribution Scan rates for top 10 destination port categories between May-July, 2002. Distribution of coordinated, horizontal and vertical scans for the month of June, 2002 Source: [Yegneswaran2003] [NetSec], WS 2005/06 17.14

Distributed Denial-of-Service Attacks Bandwidth depletion Resource depletion Flood UDP flood ICMP flood Amplification (i.e. using a reflector network) Smurf (ICMP echo request) Fraggle (UDP echo, e.g. chargen) Protocol exploit TCP SYN PUSH+ACK (to unload TCP buffer + ACK to overflow a receiver) Malformed packet attacks Usage of incorrect formatted IP packets to crash the victim system Sleep deprivation Rendering a pervasive computing device inoperable by draining the battery [NetSec], WS 2005/06 17.15

Distributed Denial-of-Service Attacks (2) mostly ICMP traffic Source: [Moore2001] [NetSec], WS 2005/06 17.16

History of Intrusion Detection 1980 James Anderson: Computer Security Threat Monitoring and Surveillance 1983 Dorothy Denning (SRI-International): Analysis of audit trails from government mainframe computers 1984 Dorothy Denning: Intrusion Detection Expert System (IDES) 1988 Lawrence Liverpool Laboratories: Haystack Projekt 1990 Heberlein: A Network Security Monitor (NSM) 1994 Wheel Group: First commercial NIDS (NetRanger) 1997 ISS: Real Secure... Boom of Intrusion Detection System http://www.securityfocus.com/infocus/1514 [NetSec], WS 2005/06 17.17

Intrusion Detection Data collection issues Reliable and complete data Collection is expensive, collecting the right information is important Detection techniques Misuse detection (or signature-based or knowledge-based) Anomaly detection Response Counteracting an attack Evaluation System effectiveness, performance, network-wide analysis False-positive rate False-negative rate [NetSec], WS 2005/06 17.18

Classification of Attack Detection Four dimensions Host based Knowledge based Anomaly detection Network based [NetSec], WS 2005/06 17.19

Classification of Attack Detection (2) Host Intrusion Detection Systems (HIDS) Works on information available on a system, e.g. OS-Logs, application-logs, timestamps Can easily detect attacks by insiders, as modification of files, illegal access to files, installation of Trojans or rootkits Problems: has to be installed on every System, produces lots of information, often no realtime-analysis but predefined time intervals, hard to manage a huge number of systems Network Intrusion Detection System (NIDS) Works on information provided by the network, mainly packets sniffed from the network layer. Uses signature detection (stateful), protocol decoding, statistical anomaly analysis, heuristical analysis Detects: DoS with buffer overflow attacks, invalid packets, attacks on application layer, DDoS, spoofing attacks, port scans Often used on network hubs, to monitor a segment of the network [NetSec], WS 2005/06 17.20

Placement of a Network Intrusion Detection System Monitors all incoming traffic High load High rate of false alarms Internet Monitors all traffic to and from systems in the DMZ Reduced amount of Data Can only detect Intrusions on these Computers Monitors all traffic within the corporate LAN Possible detection of misuse by insiders Possible detection of intrusion via mobile machines (notebooks...) DMZ LAN [NetSec], WS 2005/06 17.21

Knowledge-based Detection Based on signatures or patterns of well-known attacks Working principles Scan for attacks using well known vulnerabilities, e.g. patterns to attack IIS web server or MSSQL databases Scan for pre-defined numbers of ICMP, TCP SYN, etc. packets Patterns can be specified at each protocol level Network protocol (e.g. IP, ICMP) Transport protocol (e.g. TCP, UDP) Application protocol (e.g. HTTP, SMTP) Pros Fast, requires few state information, low false-positive rate Cons Recognizes only known attacks Examples Snort, Bro [NetSec], WS 2005/06 17.22

Snort OpenSource Support for Windows, UNIX, Linux,... Rule Based Intrusion Detection Ruleset can be edited individually Huge number of predefined rules Daily community rules update Reporting into: Logfiles, LogServer, Database Different formats for captured data supported: libpcap,... Supports packet de-fragmentation, protocol decoding, state inspection Possible reactions: TCP reset, ICMP unreachable, configuration of firewalls, alerting via email, pager, SMS (plugins) Graphical tools for administration and analysis are available [NetSec], WS 2005/06 17.23

Snort (2) Mainly signature based, each intrusion needs a predefined rule alert tcp $HOME_NET any -> any 9996 \ (msg:"sasser ftp script to transfer up.exe"; \ content:" 5F75702E657865 "; depth:250; flags:a+; classtype: misc-activity; \ sid:1000000; rev:3) Three step processing of captured information (capturing is done by libpcap): Preprocessing (normalized and reassembled packets) Detection Engine works on the data and decides what action should be taken Action is taken (log, alert, pass) Modular structure allows to change many parts as Preprocessor, Detection, Action Modules [NetSec], WS 2005/06 17.24

Anomaly Detection Based on the analysis of long-term and short-term traffic behavior Working principles Scan for anomalies in Traffic behavior Protocol behavior Application behavior Pros Recognizes unknown attacks as well Cons False-positive rate might be high Examples PHAD/ALAD, Emerald [NetSec], WS 2005/06 17.25

Anomaly Detection (2) Generic anomaly detection system Source: [Estevez-Tapiador2004] [NetSec], WS 2005/06 17.26

Anomaly Detection (3) Source: [Estevez-Tapiador2004] [NetSec], WS 2005/06 17.27

Anomaly Detection (4) Classification criteria Source: [Estevez-Tapiador2004] [NetSec], WS 2005/06 17.28

ALAD Application Layer Anomaly Detection (ALAD) [Mahoney2002] Extension to PHAD Five models: 1. P(src IP dest IP) Learns normal set of clients for each host, i.e. the set of clients allowed on a restricted service 2. P(src IP dest IP, dest port) Like (1), but one model for each server on each host 3. P(dest IP, dest port) Learns the set of local servers which normally receive requests 4. P(TCP flags dest port) Learns the set of TCP flags for all packets of a particular connection 5. P(keyword dest port) Examines the text in the incoming request (first 1000 bytes) [NetSec], WS 2005/06 17.29

Defense Taxonomy Source: [Mircovic2004] [NetSec], WS 2005/06 17.30

Defense Challenges Need for a distributed response at many points on the Internet Coordinated response is necessary for successful countermeasures Economic and social factors Deployment of response systems at parties that do not suffer direct damage from the DDoS attack Lack of detailed information Thorough understanding of attacks is required Lack of defense system benchmarks Difficulty of large-scale testing [NetSec], WS 2005/06 17.31

Attack Prevention / Counteracting Anti-Spoof Mechanisms Filtering of forged packets Cryptographic authentication Traceback Counteracting DDoS attacks Counteracting TCP SYN flood Distributed Firewalling Congestion control [NetSec], WS 2005/06 17.32

Address Spoofing The Spoofing Problem: Packet routing in IP networks is based on destination address information only, correctness of source address is not verified Most (D)DoS attacks consist of packets with spoofed or faked source addresses in order to disguise the identity of the attacking systems Identification of the attacking systems is needed for installing efficient defense mechanisms Some detection mechanisms also require valid information about the attack sources Further issues: legal prosecution of attackers and prevention of new attacks [NetSec], WS 2005/06 17.33

Anti-Spoof Mechanisms Filtering of forged packets Ingress filtering: implementation of anti-spoof ACLs based on (static/dynamic) knowledge about own IP address range RPF: reverse path forwarding, known from multicast routing, fails for dynamic load-balancing SAVE: source address validity enforcement protocol [Li2002] Associates interfaces with valid source address ranges Also useful for RPF check, e.g. for multicast routing Cryptographic authentication IPSec authentication, problem: key management Traceback Real-time / Forensic methods Most promising solution! [NetSec], WS 2005/06 17.34

Traceback (1) Goal: Identify the source address (or at least the ingress point) and the attack path of a packet without relying on the source address information Challenges: Short path reconstruction time Processing and storage requirements Scalability Compatibility with existing protocols [NetSec], WS 2005/06 17.35

Traceback (2) Taxonomy of traceback mechanisms Traceback active passive packet insertion packet marking network reconfig. packet logging flow logging link testing backscatter analysis [NetSec], WS 2005/06 17.36

Packet Insertion ICMP traceback (ITrace) [Bellovin2000]: For 1 out of 20.000 packets, routers send an ITrace message with router ID and information about original packet to the same destination packet P R1 R2 ITrace(R1, P) If a flow contains enough packets, the destination is likely to receive ITrace messages from every router on the path. Limitations: Router infrastructure has to be modified Requires large number of packets/flow long t.b. time for distributed low-rate attacks Destination has to store original packets for later comparison with ITrace message ITrace messages need to be authenticated, e.g. using PKI Inserted ICMP packets may influence network behavior ICMP traffic is often rate-limited by routers and preferentially dropped during congestion [NetSec], WS 2005/06 17.37

TCP-SYN flood >90% of DDoS attacks use TCP [Moore2001] Several defense mechanisms SYN cache, SYN cookies, SynDefender, SYN proxying, stateful, have to be installed at victims FW, rely on traceback Flooding detection system (FDS) [Wang2002] Stateless, low computation overhead Relies on SYN-FIN/RST pairs Uses CUSUM (cumulative sum) algorithm Automated model approach [Tupakula2004] Controller-agent model #SYN - #ACK > limit? Agent sends an alarm to the controller Central controller verifies alarm signatures and issues countermeasures Basic idea: detection, source identification, firewall configuration [NetSec], WS 2005/06 17.38

SYN Flood Protection (3) Reminder: Regular TCP 3-Way Handshake The client sends a TCP SYN message seq number = x (chosen by the client) client server ACK flag = 0 SYN seq=x SYN flag = 1 The server allocates a memory for the Transmission Control Block (TCB) The server sends a TCP SYN ACK SYN seq=y, ACK x+1 seq number = y (chosen by the server) ack number = x + 1 ACK flag = 1 ACK y+1 SYN flag = 1 The client sends a CONNECT ACK connection seq number = x + 1 established ack number = y + 1 ACK flag = 1 SYN flag = 0 The handshake ensures that both sides are ready to transmit data. [NetSec], WS 2005/06 17.39

SYN Flood Protection: TCP SYN cookies (1) SYN cookies as a reaction to an attack SYN cookies are a particular choice of the initial seq number. The server generates the initial sequence number α such as: α = h(s SYN, D SYN, K) S SYN : src addr of the SYN packet D SYN : addr of the server K: a secret key h is a cryptographic hash function. At arrival of the ACK message, the server calculates α again. Then, it verifies if the ack number is correct. If yes, it assumes that the client has sent a SYN message recently (considered as normal behavior), and allocates TCB memory. client SYN seq=x SYN seq= α, ACK x+1 server No resources are allocated here ACK α +1 connection established [NetSec], WS 2005/06 17.40

References [Estevez-Tapiador2004] J. M. Estevez-Tapiador, P. Garcia-Teodoro, and J. E. Diaz-Verdejo, "Anomaly detection methods in wired networks: a survey and taxonomy," Computer Communications, vol. 27, July 2004, pp. 1569-1584. [Kemmerer2002] R. Kemmerer and G. Vigna, "Intrusion Detection: A Brief History and Overview," IEEE Computer - Special Issue on Security and Privacy, April 2002, pp. 27-30. [Lee2004] R. B. Lee, "Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures," Princeton University, Technical Report, 2004. [Li2002] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, "SAVE: Source Address Validity Enforcement Protocol," Proceedings of IEEE Infocom 2002, New York, USA, June 2002. [Mirkovic2004] J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM SIGCOMM Computer Communication Review, vol. 34, April 2004, pp. 39-53. [Paxson1999] V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," Computer Networks, vol. 31, December 1999, pp. 2435-2463. [Porras1997] P. A. Porras and P. G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances," Proceedings of National Information Systems Security Conference, October 1997. [Roesch1999] M. Roesch, "Snort: Lightweight Intrusion Detection for Networks," Proceedings of 13th USENIX Conference on System Administration, 1999, pp. 229-238. [Tupakula2004] U. K. Tupakula, V. Varadharajan, and A. K. Gajam, "Counteracting TCP SYN DDoS Attacks using Automated Model," Proceedings of IEEE Globecom 2004, Dallas, TX, USA, December 2004. [Wang2002] H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN Flooding Attacks," Proceedings of IEEE INFOCOM 2002, 2002. [Yegneswaran2003] V. Yegneswaran, P. Barford, and J. Ullrich, "Internet Intrusions: Global Characteristics and Prevalence," Proceedings of ACM SIGMETRICS, June 2003. [NetSec], WS 2005/06 17.41