Fun with Packets: Endeavor Systems DRAFT Endeavor@nexus.net



Similar documents
Firewalls, Tunnels, and Network Intrusion Detection

CSCI 4250/6250 Fall 2015 Computer and Networks Security

IDS / IPS. James E. Thiel S.W.A.T.

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

PROFESSIONAL SECURITY SYSTEMS

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Firewalls and Intrusion Detection

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Firewalls, IDS and IPS

Introduction of Intrusion Detection Systems

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Managing Latency in IPS Networks

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Barracuda Intrusion Detection and Prevention System

Deployment of Snort IDS in SIP based VoIP environments

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Intrusion Detection in AlienVault

Firewalls. Chapter 3

Linux Network Security

co Characterizing and Tracing Packet Floods Using Cisco R

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention

Survey on DDoS Attack Detection and Prevention in Cloud

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Firewalls & Intrusion Detection

CS 356 Lecture 16 Denial of Service. Spring 2013

TCP SYN Flood - Denial of Service Seung Jae Won University of Windsor wons@uwindsor.ca

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Intrusion Detections Systems

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Network- vs. Host-based Intrusion Detection

Networking for Caribbean Development

ACHILLES CERTIFICATION. SIS Module SLS 1508

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

The Advantages of a Firewall Over an Interafer

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

Security Toolsets for ISP Defense

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

CMPT 471 Networking II

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

How To Protect Your Network From Attack From Outside From Inside And Outside

Distributed Denial of Service (DDoS)

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Yahoo Attack. Is DDoS a Real Problem?

Chapter 15. Firewalls, IDS and IPS

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

CIT 380: Securing Computer Systems

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

Intrusion Detection Systems

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Outline. Outline. Outline

Announcements. Lab 2 now on web site

About Firewall Protection

Network Forensics: Log Analysis

Chapter 8 Security Pt 2

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Network Incident Report

Chapter 8 Network Security

Project 3, Fall 2001 Stateful Functionality in IP Layer Out: Thursday, November 1, 2001 Due: Tuesday, December 4, 2001

From Network Security To Content Filtering

Intrusion Detection Systems

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Host Discovery with nmap

Chapter 9 Firewalls and Intrusion Prevention Systems

P Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Divide and Conquer Real World Distributed Port Scanning

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Intrusion Detection Systems. Darren R. Davis Student Computing Labs

Firewall Firewall August, 2003

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Supporting Document Mandatory Technical Document. Evaluation Activities for Stateful Traffic Filter Firewalls cpp. February Version 1.

FIREWALLS & CBAC. philip.heimer@hh.se

Cisco IPS Tuning Overview

Attack and Defense Techniques

Architecture Overview

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Course Title: Penetration Testing: Security Analysis

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Denial of Service Attacks

Contents. Intrusion Detection Systems (IDS) Intrusion Detection. Why Intrusion Detection? What is Intrusion Detection?

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Web Application Level Approach against the HTTP Flood Attacks IOSEC HTTP Anti Flood/DoS Security Gateway Module

UNDERSTANDING FIREWALLS TECHNICAL NOTE 10/04

Denial Of Service. Types of attacks

Transcription:

Fun with Packets: Designing a Stick DRAFT By Coretez Giovanni This paper outlines a denial-of-service attack against not the computer network, but the human processes that support intrusion detection. This attack is a resource exhaustion attack as outlined in the previous paper Topology of denial of service. It is informally written to express my opinion by which the tool stick was written to exploit. Hopefully this tool clearly shows some IDS flaws that will soon be remedied by better IDS products. Arthur Money spoke at Blackhat 00 about quality. Too bad there must not have been any software developers there to listen. I use Stick and other self-developed tools for evaluating stress capability of IDS and firewalls. At this time I do not have comprehensive listing of IDS that are unaffected by the preceding methodology that can be implemented using the Stick code. I am not endorsing any products in this paper. This paper and tool are opinion and should be treated as such. There are two IDS that I found checked the state before payload alarm which is essential for defending against Stick, but these systems did not detected other header attacks nor were they robust enough to detect a good deal of other attacks. If my home lab ever gets big enough I might be able to give a fair unbiased opinion. Until then, you should evaluate and consider this opinion with your own opinion and testing (as you always should do). Designing of the Attack People are the essential element in intrusion detection. Automated responses are rare due to self induced denial-of-service 1. Alarms are sorted in priority and are reviewed and summarized for response. Organizations hire just enough, people as to accomplish handling a normal load of alarms. Therefore, when a high number of false alarms are produced, finding the actual attack becomes impossible due to the lack of resources to investigate actual from spoofed attacks. When a high number of false alarms occur, the shear number of alarms makes the alarm data useless in informing the decision makers of the real status of the network. This is a form of information overload. The key of course is to create a high number of alarms that will trigger the system/network intrusion logs. Create An Alarm The easiest system to create alarms on is signature based intrusion detection systems (IDS). I will refer to IDS, in particular I mean network based IDS. Signature based IDS use a predetermined criteria in order to determine bad from good. The three most common attributes in signatures are IP packet header fields, transport layer header fields and packet data payload. If the attributes to set off the criteria for these three sections are known, a trigger packet can be created. Stateless Analysis For reasons of speed and processing power, a packet is often evaluated on its own individual merit regardless of other packets on the network. This is seen in many early detectors like Shadow and exists in most commercial detectors. It is a primary concern to most IDS companies and a 1 When testing this tool against other IDS, we found that it made Black Ice Defender deny access to DNS servers, and attack chosen sections of the Internet 3/14/2001 2000 Endeavor Systems, Inc. 1

common measure of quality when evaluated by the media. A design based on speed most likely means that a trigger packet needs no precursor event or post event in order for the trigger packet to set off an alarm. Triggering an alarm purposefully is not something the designers think about much. Designers do care about false-positives (bad alarms), but false-positives are considered in the context of normal traffic, and that these alarms can be filtered out in time. Validity The first weakness that an IDS has in dealing with information overload attacks, is validity. An IDS should only care about scans because they mark a precursor to a possible attack. The scan itself causes no loss damage to the network except a decrease in obscurity. When an alarm signature is written certain assumptions are made that is not always true. In the case of Snort, it is assumed a packet is in its proper state. Meaning a data packet had a successful handshake. Therefore, producing a TCP data packet that meets all the requirements of a given signature sets off an alarm. This occurs regardless of the fact that no handshake occurred prior to the packet. The alarm is not valid. Yes, it is an anomaly. Yes, dropped packets occur and the IDS might have missed a handshake. Yes, it s a pain to manage the stack in an IDS system. The alarm has still not been validated. Managing the Alarms A small number of alarms might be forgivable, but computers due one thing better than anything else. Computer repeat simple, mind numbing tasks over and over again. Stick happens. Within two seconds there are over 450 alarms 2. The CPU of the sensor is hitting 100%. The system is too busy to listen to a control-c to turn off the sensor software. Meanwhile, the database is filled with alarms from every possible (and impossible) IP address from the Internet. The attack can last for as long as the attacker wishes. And if there was a real attack in the list of 60,000 attacks, which one is real? Did anything really happen? How many people do you have to validate all the attacks? Computer response groups act like any other emergency coordination center. They estimate the average load and manage resources just above the line with auxiliary people. False alarms are a big deal because they take away from scarce resources. If an attacker can generate a large number of false alarms, the resource planning becomes invalid. The structure fails and must fall back on handling only critical elements without the aid of the emergency system. Designing the Tool, Stick The design of the tool is centered on speed and flexibility. If the tool was based on a set number of alarm patterns, it could be removed from the noise using trivial filters. So the tool needed to be based off the current signatures of an IDS in question and to be able to be upgraded without re-write to handle new configuration files when they are produced. To ensure speed the code is generated and avoids too much depth in function calls, comparisons and jumps. To meet these objects an observation must be made. The rule structure for an IDS can be seen as a language. N-Code is a language. But so are the snort rules. I took advantage of this fact and wrote a compiler for the snort rules that would create a random packet generator. In the UNIX world there are tools for doing just this: Lex and Yacc. lex is a short for lexicon analyzer yacc is an acronym for yet another compiler compiler 2 ISS Real Secure preferred to turn itself off consistently two seconds after the start of the attack. I m not sure why it does. Your results may vary, we tried over ten times and it always died but the NT system was fine. 3/14/2001 2000 Endeavor Systems, Inc. 2

If I still had the skill I had ten years ago I would have followed through with the proper way and used yacc, but my brain is not as good as it use to be so I cheated and kept the state tables in the lex code. The result is close enough as it produces most of the code needed. This lex generated code is added to a collection of functions and a main loop to produce the resulting generator. As an after though I created a command line that assigned function pointers to randomization functions as to allow for random IP zones for targeting and spoofing. The final result is a quickly configurable packet generator. Looking at Snort Let s take a look at Snort s basic deign from an IDS point of view. It has the components that the Common Intrusion Detection Framework Outlines. So, it has a formal IDS structure. Note: Please excuse out of date material as the Snort product has been evolving. Note the language describes a signature. It really is a language. It has a structured syntax that describes in a complete fashion the entire purpose. Snort is a data driven interpreter to the Snort rules. ArachNIDS ruleset Now arachnids, maintain by www.whitehats.com, is a list of high profile signatures to be used by snort. I use these signatures to help induce the snort IDS to alarm. Note that these rules being used are stateless. alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS162/Ping Nmap 2.36BETA"; itype: 8; dsize: 0;) alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS2/mworm-ftp-retrieval"; content: "USER mw 0D0A "; flags: AP;) alert TCP $INTERNAL 5400 -> $EXTERNAL any (msg: "IDS110/trojan-activebladerunner"; flags: SA;) 3 3 This is a subset from Advanced Reference Archive of Current Heuristics for Network Intrusion Detection Systems. Please see http://whitehats.com/ids/ for signature details So, the code will only need to send these packets and not establish the handshake necessary to induce a full connection. The last packet will make the IDS inform the system administrator that there is a Trojan on the network, but routing requires that this type of packet will need to come from inside which if discovered will hint at the location of the generator. To solve this we will ignore the direction requests of the rules and treat every rule as an external IP address going to an internal one. If time permitted the outgoing rules should be removed entirely. Record Lets take a look at the recording of events in the Snort utility using arachnid. We are using arachnid because it is open source and you can go through the design to understand the flow, handling and manipulation of the IDS processes. Also, these rules are consistent with the approach commercial systems use in intrusion detection. These are good rules. The problem is not with the work done on this signature base, but the granularity of the Snort language and the defects in the Snort design. Notice that the rules do not record events that do not trigger an alarm (an attribute of granularity). This is common in IDS design. The overhead of recording all packets that are transmitted across the network are high compared to the apparent return on cost. Without certain non-alarm data, it will be impossible to determine the validity or damage of most attacks. IDS Implementation Weaknesses Attack validation This topic was covered before. To determine validity there must be marker events that are precursors events or post events (negative markers), or the lack of certain markers (positive markers). This is what data mining gains you, but to do so you must already know the makers that need to be recorded. and credits. vision@whitehats.com, Export date: Thu Jul 20 07:00:01 PDT 2000 3/14/2001 2000 Endeavor Systems, Inc. 3

Weight of an event A technique to determine responding to an event is a combination of weighted values on the alarms. These weights can be attached to the possibility of: 1. the attack being real (false-positive weight), 2. the danger of the attack (if true, then how damaging is the attack) and 3. of the event compared to the number of times the event occurs (threshold weighting most commonly seen in determining floods and scans). Weighting allows the assigning of priorities. It is important to remember that a priority is what events need to be responded too, and not what events have the greatest threat. These are not the same. Also threshold profiling, like in Spice (www.silconedefense.net) can be defeated by introducing an anomalies that are not valid. The profiling algorithm will eventually reduce like anomalous event in priority. Once the anomalous events are accepted as normal, the actual attack can occur in the statistical space created with a reduced chance of detection. Statically profiling was originally a feature in NID from Lawrence Livermore National Labs. Operators soon learned to not trust this assigned value once an intrusion began, due to the nature of the attack over time being considered normal. It can be hypothesized that spoofed attacks would have had the same effect. Lack of recording The IO time cost and the disk space cost can cause the IDS not to handle the higher speeds. Marketing people require the speed metric to compare their product favorably against the competition. Marketing of IDS is not on the quality of the IDS, but on its speed. This is a sociological flaw that will enable attackers little to fear from IDS when properly prepared. Speed does come into play for the rare organization that is using OC-3 and gigabyte Ethernet. But, techniques for handling these speeds via load balancing are no different than that of downstream monitoring. If your organization is this large you better have a good budget and control over your infrastructure. There is a large amount of data that IDS tend not to collect. One is the MAC address. This tends to make it difficult to tell if packets are spoofed entering the system or leaving it. Also, most IDS do not start recording an attack until an alarm is triggered. This means that the original flaw that allowed access will not be recorded. Some IDS buffer that data, so that the IDS will have the last X number of bytes before the alarm to see what occurred before it. Regardless, IDS do not usually record packet in great detail due to the recording requirements on IO and remote management. Mis-Categorization as a weakness Is there a danger in not categorizing an attack correctly? Often IDS quickly categorize attacks based of extremely general criteria. Port scans and network scans are the commonly mis-categorized events. BO2K scan versus port scan A pure BO2K scan would look appear as a series of SYN packets looking for a response on port 32767 as such 10.0.0.1 1055 10.0.1.1 32767 10.0.0.1 1055 10.0.1.2 32767 10.0.0.1 1055 10.0.1.3 32767 10.0.0.1 1055 10.0.1.4 32767 10.0.0.1 1055 10.0.1.5 32767 10.0.0.1 1055 10.0.1.6 32767 But is the following sequence a port scan or BO2K scan? 10.0.0.1 1055 10.0.1.1 10188 10.0.0.1 1055 10.0.1.2 32767 3/14/2001 2000 Endeavor Systems, Inc. 4

10.0.0.1 1055 10.0.1.3 32767 10.0.0.1 1055 10.0.1.3 9876 10.0.0.1 1055 10.0.1.2 14555 10.0.0.1 1055 10.0.1.1 32767 The scan is created by a BO2K scanner with a noise maker on it. A noise maker tricks an IDS system into improperly categorizing an attack. A response team may never see the actual packet data as they trust the IDS to inform them correctly. Miscategorization means that the results will not be reviewed and therefore missing the intent and possibly the existence of a BO2K Trojan. On a side note, snort can be programmed (not in current rule set) to catch the success of a scan by recording the SYN ACK and UDP responses of a scan, but the MAC address needs to be added for directional validity against insider threat. The point of mis-categorization is that response is based off the alarm received. If an IDS sees an attack as NMAP then the response will react differently than if seeing a Vetescan (which uses NMAP). Therefore, if an attacker wishes there purpose to be hidden, using a larger signature (scan) that incorporates a smaller one (BO2K scan) will hide there intent. Conclusion At one point I had I real long reason for writing stick. The best reason remains that open communication increasing the knowledge base of the community. Stick succeeds because script kiddies are operating security. People are downloading IDS and buying IDS without knowing what or why. First, an IDS must be able to validate that the alarm is correct. This means that the IDS needs to determine if the pre-cursor and post events occurred that confirm or deny that an attack is real. Second, the IDS signature language needs to be more accurate as to incorporate the accuracy of the alarms. Stateless analysis is was a flaw in firewall design, and it is also true that IDS cannot have signatures that are stateless. Finally, the IDS should be generating alarms that aid in the response. Not all scans are equal. Progress should be occuring in the methodologies in how intrusions are determined and responded to. Instead, the methodologies simular to that of Virus detection is entrenching itself as a solution. Signature based IDS in itself is flawed, but the implementation of signature based IDS is done so immaturely that common programming methodologies are ignored. The most common ignored software development idiom that is software is based off a solution and not a marketting requirement. IDS first must detect an attack acurately and lead to a response before issues of speed, user interface, and first to market are concerned. For if the objects of IDS were placed first in development, this tool would be more than likely only a testing tool to separate the wheat from the shaft. I started with Arthur Money s plea for quality software, and I end this paper with it. The information contained in this paper is for education purposes only. This paper is the property of Endeavor Systems, Inc., and is not to be replicated for commercial advertisement or gain without the written permission of Endeavor Systems, Inc. 2000 Endeavor Systems, Inc. 3/14/2001 2000 Endeavor Systems, Inc. 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information