Information System Security (信息系统安全) -...

Department of Information Security Engineering, Sichuan University, 方勇 (Fang Yong). Information System Security

Transcript of Information System Security (信息系统安全) -...

Page 1: Information System Security - ccftp.scu.edu.cn:8090/Download/uploadfile/20121212184520213.pdf

Information System Security (信息系统安全)

Page 2:

Chapter 7: IDS

Page 3:

AGENDA

Introduction
Threats
IDS

Page 4:

What Is An Intrusion?

An intrusion can be defined as: any set of actions that attempts to compromise the integrity, confidentiality or availability of a resource.

All intrusions are defined relative to a security policy. A security policy defines what is permitted and what is denied on the system. Without a defined set of normal behavior, there is no way to catch intrusions.

Page 5:

What is Intrusion Detection?

“Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.”
– Edward Amoroso

“An environment for anomaly and misuse detection and subsequent analysis of the behavior of systems and networks.”

Page 6:

Intrusions over the decades

Page 7:

Attacks vs. Attackers

Page 8:

AGENDA

Introduction
Threats
IDS

Page 9:

Threat Analysis

Page 10:

Types of Attacks

Location of attacks: layer 2 - 7

The slide's matrix classifies attacks by who acts and what they obtain:
• Authorised user, gets no access: DoS
• Unauthorised user, gets access: Intrusion

Page 11:

Layer 2: ARP Spoofing

(Figure from CCIE’99 Vienna, © 1999, Cisco Systems, Inc.)

Hosts: A (IP a, MAC A), B (IP b, MAC B), C (IP c, MAC C).

• C is sending a faked gratuitous ARP reply to A: C->A, ARP, b=C
• A now sends its traffic for b to C: A->C, IP, a->b
• C passes it on to B and so sees the traffic from IP a to IP b: C->B, IP, a->b
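A passive monitor for the exchange on this slide, as an added example that is not code from the lecture: it learns IP-to-MAC bindings from ARP traffic and alerts when a reply answers no outstanding request or moves a known IP to a new MAC. The ARP messages are constructed dicts rather than parsed frames, and the addresses are made up.

```python
"""Passive ARP monitor for the layer-2 scenario on this slide: C sends A an
unsolicited ("gratuitous") ARP reply claiming that IP b is at MAC C. Added
example for this lecture, not code from the slides; the ARP messages are
constructed dicts rather than parsed frames, and the addresses are made up."""
from collections import defaultdict

# Constructed addresses for the slide's hosts A, B and C.
IP_A, IP_B, IP_C = "10.0.0.1", "10.0.0.2", "10.0.0.3"
MAC_A, MAC_B, MAC_C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"


class ArpWatcher:
    """Learns IP->MAC bindings from ARP traffic and alerts on two signs of
    cache poisoning: a reply that answers no outstanding request, and a reply
    that moves a known IP to a different MAC."""

    def __init__(self):
        self.table = {}                  # IP -> MAC as currently advertised
        self.pending = defaultdict(int)  # IP queried -> requests not yet answered
        self.alerts = []

    def observe(self, msg):
        if msg["op"] == "request":
            self.pending[msg["target_ip"]] += 1
            return
        ip, mac = msg["sender_ip"], msg["sender_mac"]   # reply: "ip is-at mac"
        if self.pending[ip] > 0:
            self.pending[ip] -= 1            # answers a request we saw
        else:
            self.alerts.append(f"unsolicited ARP reply: {ip} is-at {mac}")
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"binding change for {ip}: {old} -> {mac}")
        self.table[ip] = mac


def run_slide_trace():
    """Replay the slide: a legitimate request/reply between A and B, then
    C's forged 'b is at C' reply to A. Returns the watcher for inspection."""
    w = ArpWatcher()
    trace = [
        {"op": "request", "sender_ip": IP_A, "sender_mac": MAC_A, "target_ip": IP_B},
        {"op": "reply", "sender_ip": IP_B, "sender_mac": MAC_B, "target_ip": IP_A},
        # C->A, ARP, b=C: the faked gratuitous reply from the slide
        {"op": "reply", "sender_ip": IP_B, "sender_mac": MAC_C, "target_ip": IP_A},
    ]
    for msg in trace:
        w.observe(msg)
    return w


if __name__ == "__main__":
    for alert in run_slide_trace().alerts:
        print(alert)
```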

Page 12:

Layer 3: IP Spoofing

Hosts A, B, C and routers Ra, Rb, Rc. Policy at A: “B is a friend, allow access”.

• C sends to A claiming to be B, using a source route: B->A via C, Rc, Ra
• Back traffic uses the same source route: A->B via Ra, Rc, C, so it passes through C on its way back

Page 13:

Layer 3: Smurf Attack...

Figure labels: Attacker; innocent/unprotected relays/amplifiers; Victim; host A; network B with local broadcast address B.*

A-> B.*: ping
B.1-> A: pong
B.2-> A: pong
B.3-> A: pong
...
B.n-> A: pong

Dated 1998

Page 14:

Layer 4: SYN attack

C (masquerading as B) -> A: flags=SYN, seq=(Sb,?)
A -> B: flags=SYN+ACK, seq=(Sa,Sb)

A allocates a kernel resource for handling the starting connection.
No answer from B… 120 sec timeout, then free the resource.
Kernel resources exhausted: Denial of Service.

Page 15:

DNS spoofing

Figure: HOST; DNS server X.localdomain.it (10.1.1.50); MITM (10.1.1.1).

If the attacker is able to sniff the ID of the DNS request, he/she can reply before the real DNS server.

Page 16:

DoS: The Procedure

Figure: Hacker -> “Zombies” or “Bots” (innocent user PCs) -> ISP -> CPE -> Target

1. Cracking 2. Signalling 3. Flooding

Page 17:

Distributed Denial of Service: DDoS

DDoS attacks originate from a large number of systems. Trinoo, Tribal Flood Network, Mstream, and Stacheldraht are some of the new DDoS attack tools. A hacker talks to a master or server that has been placed on a compromised system. The master talks to the slave or client processes that have been placed on other compromised systems. The slaves, also called zombies, perform the actual attack against the target system.

Page 18:

The architecture of DDoS attacks.

Page 19:

Code Red

Infects Microsoft IIS web servers. Spread: using real source, random destination. Attack: accessing a specific server.

HTTP GET, fill buffer, Unicode encoded assembler code. Infected host (real IP!):

217.33.138.14- - [07/Aug/2001:01:17:32 +0100] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 328

Page 20:

Buffer Overflows

    #include <stdio.h>
    #include <string.h>

    void foo(char *s) {
        char buf[10];                    /* fixed 10-byte buffer on the stack */
        strcpy(buf, s);                  /* no length check: longer input overflows buf */
        printf("buf is %s\n", s);
    }
    …
    foo("thisstringistolongforfoo");     /* 24 bytes plus NUL copied into 10 bytes */

Page 21:

stack

Page 22:

Intrusion

Page 23:

AGENDA

Introduction
Threats
IDS

Page 24:

But I’ve got a Firewall….!!!

Firewalls = Access Control

Provides perimeter security that:
• Blocks specific unwanted protocols
• Blocks communication over specific ports

Cannot provide security for:
• Malicious attacks contained within “permitted” traffic
• Threats including cgi-bin attacks, buffer overflows, fragmented, or Unicode attacks

Attack scenario (figure: Internet -> firewall with policy “permit HTTP, permit FTP, permit SMTP” -> DMZ with e-commerce servers):
Step 1: Penetrate perimeter. Exploit “permitted” conduits.
Step 2: Decommission or compromise device. Launch buffer overflow attack to plant Trojan horse.
Step 3: Escalate privileges. Use compromised system to access internal network.

Page 25:

…And IPSec-VPN….!!!

VPN = Privacy

Provides data privacy by:
• Encrypting contents of traffic
• Ensuring basic authentication of user

Cannot provide security for:
• Insider threat: 80% of attacks come from “trusted” sources
• Malicious content embedded in encrypted traffic
• Site-to-Site VPNs do not authenticate users or traffic

Attack scenario:
Step 1: Compromise extranet. Attack “weak-link” in extranet chain to gain back door access to corporate network.
Step 2: Compromise remote access. Exploit weakness in remote access or dial-up devices to gain “trusted” access.

Page 26:

Terminology

False positives: the system mistakenly reports certain benign activity as malicious.
False negatives: the system does not detect and report actual malicious activity.

Page 27:

Detection Techniques

• Pattern matching
• Stateful pattern matching
• Protocol decode-based analysis
• Heuristic-based analysis
• Anomaly-based analysis

Signature-based IDS != pattern matching

Page 28:

Bottom Line Analysis

To do its job right, a good IDS must implement various analysis technologies. The number of attacks detected is much more relevant than the number of signatures supported or used. IDS challenges are:
• Minimizing false positives
• Minimizing false negatives
• Keeping up with performance
• Handling the large amount of data generated

Page 29:

Typical Network IDS Architecture

Management console: real-time event display, event database, sensor configuration.
IDS sensor (on the production network segment): packet signature analysis, generate alarms, response/countermeasures.
Component communications run between the management console and the IDS sensor.

Page 30:

Monitoring Traffic

• Must see all of the monitored traffic
• Must be able to keep up with the monitored traffic (current technology is about a few 100 Mbps)

Page 31:

Sensors on Outside or Inside?

(Figure: Attacker on the Internet, firewall, DMZ, Inside network.)

Sensor on outside:
• Sees everything, including traffic blocked by the firewall
• Can’t tell what is denied or permitted by the firewall
• Tools like Stick can generate lots of “noise”
• Monitors both DMZ and inside traffic

Sensors on inside:
• Sees only traffic permitted by the firewall
• You know you need to respond
• Need a sensor on each internal leg off the firewall

Page 32:

Typical Response Actions

• TCP resets: disconnecting the attacker (be careful in switched environments)
• IP session logging
• “Shunning/blocking”

Page 33:

Blocking/Shunning with a Router

(Figure: attacker 172.29.29.2 on the Internet, router, sensor, inside network.)

1. Detect the attack: detect the attack on the sniffing interface.
2. Write the ACL: configure the ACL on the management interface.
3. The router now denies 172.29.29.2.

Page 34:

Confusing IDS

Page 35:

Network IDS Evasion techniques

1. Obfuscating the attack: sending fragmented packets (IP), using unusual encoding, sending packets out of order (TCP)
2. Overwhelming the IDS: sending 1000’s of spoofed attacks (tools like snot, stick)
   • so IDS sensors cannot follow and will miss an attack
   • so monitoring systems cannot follow as well
   • most human beings will not locate the attack among all the false alarms…

Page 36:

Confusing Traditional IDS Systems

IDS evasion techniques:
• Fragmented IP datagrams (Fragrouter)
• Overlapping and/or reordered TCP streams (Fragroute)
• Unicode obfuscated characters (Whisker)

IDS overrun tools:
• Stick: simulate a large volume of false alarms

Fragmented Attack Example (figure): two fragments P1 and P2 travel to the end host. Plain case: P1 carries “cmd.” and P2 carries “exe”, and the end host reassembles “cmd.exe”. Evasion case: P1 carries “cmd.junk” and P2, sent with an equal fragment offset so that it overlaps the “junk” bytes, carries “exe”; the end host again reassembles “cmd.exe”.

More info >> http://online.securityfocus.com/infocus/1577 (Tracking an Evolving Target)

Page 37:

Evasion techniques: de-obfuscation

• Multiple character representations, e.g. Unicode
• Whisker attacks
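A normalizer of the kind a sensor needs before matching, as an added example that is not code from the lecture: it collapses the multiple character representations named on this slide and the previous one (percent escapes, IIS-style %u escapes, overlong UTF-8, letter case, “.” and “..” segments) into one canonical path and then applies the signature. Every sample path is constructed, and the lenient UTF-8 decoder is an assumption about how a tolerant server interprets malformed sequences, not the behaviour of any named product.

```python
"""Normalize a request path before signature matching, so the 'multiple
character representations' of slides 36/37 (percent escapes, IIS-style %u
escapes, overlong UTF-8, letter case, '.' and '..' segments) collapse to one
canonical form. Added example for this lecture, not code from the slides;
every sample path is constructed, and the lenient decoder is an assumption
about how a tolerant server interprets bad UTF-8, not a specific product."""
import re

HEX2 = re.compile(r"[0-9a-fA-F]{2}")
HEX4 = re.compile(r"[0-9a-fA-F]{4}")
SIGNATURES = ("cmd.exe",)   # the string the slide-36 fragmentation example hides


def percent_decode(path):
    """One pass of %XX and %uXXXX decoding, returning raw bytes: %XX is one
    byte, %uXXXX is the UTF-8 encoding of that code point."""
    out, i = bytearray(), 0
    while i < len(path):
        if (path[i] == "%" and path[i + 1:i + 2] in ("u", "U")
                and HEX4.fullmatch(path[i + 2:i + 6])):
            out += chr(int(path[i + 2:i + 6], 16)).encode("utf-8", "surrogatepass")
            i += 6
        elif path[i] == "%" and HEX2.fullmatch(path[i + 1:i + 3]):
            out.append(int(path[i + 1:i + 3], 16))
            i += 3
        else:
            out += path[i].encode("utf-8")
            i += 1
    return bytes(out)


def lenient_utf8(raw):
    """Decode UTF-8 as a tolerant server might: 2- and 3-byte sequences are
    accepted even when overlong (so %c1%a3 yields 'c', like %63), and any
    other byte >= 0x80 becomes U+FFFD instead of raising."""
    out, i, n = [], 0, len(raw)
    while i < n:
        c = raw[i]
        if c < 0x80:
            out.append(chr(c))
            i += 1
        elif 0xC0 <= c < 0xE0 and i + 1 < n and 0x80 <= raw[i + 1] < 0xC0:
            out.append(chr(((c & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        elif 0xE0 <= c < 0xF0 and i + 2 < n and all(0x80 <= b < 0xC0 for b in raw[i + 1:i + 3]):
            out.append(chr(((c & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F)))
            i += 3
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def normalize(path, max_passes=2):
    """Canonical form used for matching: drop the query string, decode up to
    max_passes times (catches double encoding such as %2563), fold case, and
    resolve '.', '..' and repeated slashes. Decoding twice also changes a
    literal '%25' that was meant to stay encoded; the monitor accepts that."""
    p = path.split("?", 1)[0]
    for _ in range(max_passes):
        if "%" not in p:
            break
        p = lenient_utf8(percent_decode(p))
    stack = []
    for seg in p.replace("\\", "/").lower().split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack)


def matches(path, signatures=SIGNATURES):
    """Signatures found in the normalized path (empty list if none)."""
    norm = normalize(path)
    return [s for s in signatures if s in norm]
```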

Page 38:

Reconstructing Flows

Let’s say you want to search for the text “USER root”. Is it enough to just search the data portion of TCP segments you see?

Application: USER root
TCP:         HDR USER | HDR root
IP:          HDR US | HDR ER | HDR HDR ro | HDR ot

(Uh oh… we have to reassemble frags and resequence segs.)

Page 39:

Fun with Fragments

Imagine an attacker sends:
1. HDR US
2. HDR ER
3. 1,000,000 unrelated fragments
4. HDR HDR ro
5. HDR ot

Page 40:

Fragmented IP datagrams

Imagine an attacker sends (figure plots sequence number against time):
1. HDR US
2. HDR ER
3a. HDR HDR ro
3b. HDR HDR fo (at the same sequence number as 3a)
4. HDR ot

Should we consider 3a part of the data stream, “USER root”? Or is 3b part of the data stream? “USER foot”!
-- If the OS makes a different decision than the monitor: bad.
-- Even worse: different OS’s have different protocol interpretations.
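A reassembler that makes the point of slides 38 to 40 concrete, as an added example that is not code from the lecture: per-fragment matching never sees “USER root”, reassembly does, and with the overlapping 3a/3b fragments the verdict depends on whether the monitor keeps the older or the newer data, which is exactly the choice that must agree with the target OS. The fragments are constructed (datagram id, offset, payload, more-fragments) tuples, and the bounded table addresses slide 39’s flood of unrelated fragments.

```python
"""Flow reconstruction for the 'USER root' search on slides 38 to 40. Added
example for this lecture, not the instructor's code: fragments are constructed
(id, offset, payload, more_fragments) tuples, and the two overlap policies
model the 'favor older data' / 'favor newer data' choices that the slides say
differ between operating systems."""
from collections import OrderedDict

SIGNATURE = b"USER root"


class Reassembler:
    """Bounded IP-fragment reassembly table for a passive monitor. Fragments
    may arrive in any order and may overlap; 'first' keeps the bytes that
    arrived first (older data wins), 'last' lets later fragments overwrite."""

    def __init__(self, policy="first", max_pending=1000):
        if policy not in ("first", "last"):
            raise ValueError("policy must be 'first' or 'last'")
        self.policy = policy
        self.max_pending = max_pending   # slide 39: bound the memory a flood of
        self.pending = OrderedDict()     # unrelated fragments can tie up
        self.evicted = 0                 # datagrams dropped because of that bound

    def add(self, frag_id, offset, data, more=True):
        """Feed one fragment in arrival order. Returns the full payload once
        every byte up to the end marked by the last fragment is known,
        otherwise None."""
        if frag_id not in self.pending:
            if len(self.pending) >= self.max_pending:
                self.pending.popitem(last=False)   # evict the oldest datagram
                self.evicted += 1
            self.pending[frag_id] = [{}, None]
        buf, end = self.pending[frag_id]
        for i, byte in enumerate(data):
            pos = offset + i
            if self.policy == "last" or pos not in buf:
                buf[pos] = byte
        if not more:
            end = offset + len(data)
            self.pending[frag_id][1] = end
        if end is None or any(pos not in buf for pos in range(end)):
            return None                   # still has holes, keep waiting
        del self.pending[frag_id]
        return bytes(buf[pos] for pos in range(end))


def naive_match(fragments):
    """Slide 38: searching each fragment's own payload never finds the text."""
    return any(SIGNATURE in data for _, _, data, _ in fragments)


def stream_match(fragments, policy):
    """Reassemble first, then search; the verdict depends on the policy."""
    table = Reassembler(policy)
    for frag_id, offset, data, more in fragments:
        payload = table.add(frag_id, offset, data, more)
        if payload is not None and SIGNATURE in payload:
            return True
    return False


# Constructed traces as (datagram id, offset, payload, more fragments).
# Slides 38/39: the pieces of 'USER root' arrive out of order.
SLIDE_38 = [(7, 4, b" ro", True), (7, 0, b"US", True),
            (7, 7, b"ot", False), (7, 2, b"ER", True)]
# Slide 40: 3a (' ro') and 3b (' fo') claim the same offset; 3a arrives first,
# so a 'first' host reads 'USER root' and a 'last' host reads 'USER foot'.
SLIDE_40 = [(7, 0, b"US", True), (7, 2, b"ER", True), (7, 4, b" ro", True),
            (7, 4, b" fo", True), (7, 7, b"ot", False)]
```

The same routine applies to TCP segments keyed by relative sequence number, which is what fragroute's tcp_seg overlaps on the later slide exploit.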

Page 41:

Fragmented IP datagrams - Solaris-NT

Page 42:

Fragmented IP datagrams - Linux

Page 43:

TCP fragmentation evasion techniques

• TTL expiration
• URG pointer use in TCP
• RST or FIN out of order
• Sending packets out of order
• Vary the window size to desynchronize the IDS
• Checksum
• Data in the three-way handshake

Overlaps in a TCP stream could occur but are extremely rare. Overwrites in a TCP session should never occur, and if one does, then someone is intentionally attempting to hide from an IDS.

Page 44:

Fragroute is not your friend!!

Fragment all traffic to a Windows host into forward-overlapping 8-byte fragments (favoring older data), reorder randomly, and print to standard output:

    ip_frag 8 old
    order random
    print

Segment all TCP data to a host into forward-overlapping 4-byte segments (favoring newer data), interleave with overwriting, random chaff segments bearing older timestamp options for PAWS elimination, reorder randomly, and print to standard output:

    tcp_seg 4 new
    tcp_chaff paws
    order random
    print

http://www.monkey.org/~dugsong/fragroute/

Page 45:

References - Papers

Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
http://secinf.net/info/ids/idspaper/idspaper.html

Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics
http://www.icir.org/vern/papers/norm-usenix-sec-01-html/

IDS Evasion Techniques and Tactics (SANS)
http://online.securityfocus.com/infocus/1577

Dug Song – Fragroute
http://www.monkey.org/~dugsong/talks/csw02/index.html