ECE-6612
http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland
[email protected]
404 894-5177
Office: Klaus 3362
email or call for office visit
Chapter 9 - Network Intrusion
3/4/15
Network Intruders
Masquerader: A person who is not authorized to use a computer, but gains access appearing to be someone with authorization (steals services, violates the right to privacy, destroys data, ...)
Misfeasor: A person who has limited authorization to use a computer, but misuses that authorization (steals services, violates the right to privacy, destroys data, ...)
Clandestine User: A person who seizes supervisory control of a computer and proceeds to evade auditing and access controls.
Hacker: generic term for someone who does unauthorized things with other people’s computers (also a poor golfer, tennis player, or programmer good at writing quick and dirty code).
Access Control
Today many systems are protected only by a simple password that is typed in, or sent over a network in the clear. Techniques for guessing passwords:
1. Try default passwords.
2. Try all short words, 1 to 3 characters long.
3. Try all the words in an electronic dictionary (60,000).
4. Collect information about the user’s hobbies, family names, birthday, etc.
5. Try user’s phone number, social security number, street address, etc.
6. Try all license plate numbers (123XYZ).
Prevention: Enforce good password selection (“c0p31an6” - not great, “wduSR-wmHb365” - better)
Three words, separated with punctuation, add a number: e.g. burglaR-666.Protect-ALL
Password Gathering
Look under keyboard, telephone etc.
Look in the Rolodex under “X” and “Z”
Call up pretending to be from “micro-support,” and ask for it (human engineering or social engineering).
“Snoop” a network and watch the plaintext passwords go by.
Tap a phone line - but this requires a very special modem.
Use a “Trojan Horse” program to record keystrokes. Used by most bots.
UNIX Passwords
Stored in /etc/shadow
User’s password (should be required to have 12 characters, some non-letters)
Random 24-bit number, R64 encoded (Salt)
SHA-512 hashed to 87 viewable R64 characters
[Diagram: one record per user - User ID1 : Salt Value1 : Hash1, User ID2 : Salt Value2 : Hash2, User ID3 : Salt Value3 : Hash3]
Line from /etc/shadow
copeland:$6$UqcJG1si$9MQO … Wkh/3PZ1:14930:0:99999:7:::
Hash id prefixes: $1$ - MD5, $2$ - Blowfish, $5$ - SHA-256, $6$ - SHA-512
Storing UNIX Passwords
Until a few years ago, UNIX password hashes were kept in a publicly readable file, /etc/passwd. Now they are kept in a “shadow” file only visible by “root”.
This helps prevent a reverse-lookup Dictionary Attack.
“Salt”:
• Random number shown in clear (R64) – added to password
• Prevents duplicate passwords from being easily seen as such.
• Prevents use of standard reverse-lookup dictionaries (a different dictionary would have to be generated for each value of Salt).
• Does not “effectively increase the length of the password.”
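The salt’s effect can be shown in a few lines. This is an added example, not from the slides: it parses a constructed /etc/shadow record (the user name, salt and digest are made up), reads the hash algorithm from the $id$ prefix listed above, and uses a single salted SHA-512 as a simplified stand-in for the iterated SHA-512-crypt to show why a reverse-lookup dictionary has to be rebuilt for every salt.

```python
import hashlib
import secrets

# Hash-id prefixes of the $id$salt$hash password field, as listed on the slide.
HASH_IDS = {"1": "MD5", "2": "Blowfish", "5": "SHA-256", "6": "SHA-512"}

# Constructed sample record (not a real account). The 86-character digest is a
# placeholder of the right length, not a real SHA-512-crypt output.
SAMPLE_SHADOW_LINE = "alice:$6$UqcJG1si$" + "A" * 86 + ":14930:0:99999:7:::"


def parse_shadow_line(line):
    """Split one /etc/shadow record into named fields.

    Field order: user, password, lastchg, min, max, warn, inactive, expire, flag.
    The password field is itself $id$salt$hash.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("a shadow record has 9 colon-separated fields")
    user, pw = fields[0], fields[1]
    entry = {"user": user, "lastchg_days": int(fields[2]), "max_days": int(fields[4])}
    if pw.startswith("$") and pw.count("$") >= 3:
        _, hash_id, salt, digest = pw.split("$", 3)
        entry.update(algorithm=HASH_IDS.get(hash_id, "unknown"), salt=salt, digest=digest)
    else:
        # "*", "!" or "!!" mean the account has no usable password.
        entry.update(algorithm="none/locked", salt="", digest=pw)
    return entry


def salted_hash(password, salt):
    """Simplified salt+password hash. Real systems iterate SHA-512 thousands of
    times (SHA-512-crypt); one round is enough to show what the salt does."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


def reverse_lookup_table(words, salt=""):
    """Precomputed digest -> word dictionary. Built for one salt value, it is
    useless against digests made with any other salt."""
    return {salted_hash(w, salt): w for w in words}


def stored_hashes_match(password, use_salt):
    """Two users pick the same password: do their stored hashes look identical?
    Without a salt they do, which gives the duplicate away."""
    def new_salt():
        return secrets.token_urlsafe(6) if use_salt else ""
    return salted_hash(password, new_salt()) == salted_hash(password, new_salt())
```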
The Stages of a Network Intrusion [RAERU]
1. Scan the network to: [RECONNAISSANCE]
• locate which IP addresses are in use,
• what operating system is in use,
• what TCP or UDP ports are “open” (being listened to by Servers).
2. Run “Exploit” scripts against open ports. [ACCESS]
3. Elevate privileges to “root” or “admin” privileges. [ELEVATE]
4. Download from Hacker Web site special versions of system files that will let Cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs. [ROOT KIT] (or simple backdoor)
5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the computer and its info (ID theft, Warz, Botnet). [UTILIZE]
For current scanning activity: http://isc.sans.org/reports.html
# nmap -sS -P0 -vv -p 21,22,25,110,443 209.162.185.100
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host jacsw (209.162.185.100) appears to be up ... good.
Initiating SYN Stealth Scan against victim (209.162.185.100)
Adding open port 22/tcp
Adding open port 443/tcp
The SYN Stealth Scan took 4 seconds to scan 5 ports.
Interesting ports on jacsw (209.162.185.100):
Port      State     Service
21/tcp    filtered  ftp       [response blocked by firewall]
22/tcp    open      ssh       [tcp port 22 open]
25/tcp    filtered  smtp
110/tcp   filtered  pop-3
443/tcp   open      https
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

# telnet 209.162.185.100 22       [telnet can connect to any port]
Trying 209.162.185.101...         [here we specified port 22]
Connected to 209.162.185.100.
SSH-2.0-OpenSSH_3.1p1             [response shows SSH version]
[Log files tell who has logged on]
Oct 15 13:45:30 lc1 sshd[12538]: Could not reverse map address 199.77.146.103.
Oct 15 13:46:26 lc1 sshd[12538]: Accepted password for root from 199.77.146.103 port 52388 ssh2
Oct 15 15:05:44 lc1 sshd[12591]: Could not reverse map address 199.77.146.103.
Oct 15 15:05:48 lc1 sshd[12591]: Accepted password for root from 199.77.146.103 port 52438 ssh2
Oct 17 07:34:10 lc1 sshd[13409]: Accepted password for root from 130.207.226.152 port 52613 ssh2
Oct 17 07:49:33 lc1 sshd[13460]: Accepted password for root from 130.207.226.152 port 52615 ssh2
Oct 17 08:02:37 lc1 sshd[13503]: Accepted password for root from 130.207.237.139 port 52616 ssh2
Oct 17 08:10:40 lc1 sshd[13542]: Accepted password for root from 130.207.237.148 port 52617 ssh2
Oct 17 08:26:16 lc1 sshd[13584]: Accepted password for root from 130.207.237.158 port 52618 ssh2
Oct 17 11:52:18 lc1 sshd[13640]: Could not reverse map address 199.77.146.103.
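Reading such a log by eye does not scale; here is an added example (not from the slides) that runs over the sshd lines above, counts accepted root logins per source address, and flags password-based logins from outside an assumed trusted prefix or from addresses with no reverse DNS. The trusted prefix 130.207. is an assumption made for this example.

```python
import re
from collections import Counter

# The sshd lines from the slide (host lc1), used here as sample input.
LOG_LINES = """\
Oct 15 13:45:30 lc1 sshd[12538]: Could not reverse map address 199.77.146.103.
Oct 15 13:46:26 lc1 sshd[12538]: Accepted password for root from 199.77.146.103 port 52388 ssh2
Oct 15 15:05:44 lc1 sshd[12591]: Could not reverse map address 199.77.146.103.
Oct 15 15:05:48 lc1 sshd[12591]: Accepted password for root from 199.77.146.103 port 52438 ssh2
Oct 17 07:34:10 lc1 sshd[13409]: Accepted password for root from 130.207.226.152 port 52613 ssh2
Oct 17 07:49:33 lc1 sshd[13460]: Accepted password for root from 130.207.226.152 port 52615 ssh2
Oct 17 08:02:37 lc1 sshd[13503]: Accepted password for root from 130.207.237.139 port 52616 ssh2
Oct 17 08:10:40 lc1 sshd[13542]: Accepted password for root from 130.207.237.148 port 52617 ssh2
Oct 17 08:26:16 lc1 sshd[13584]: Accepted password for root from 130.207.237.158 port 52618 ssh2
Oct 17 11:52:18 lc1 sshd[13640]: Could not reverse map address 199.77.146.103.
""".splitlines()

IPV4 = r"\d+(?:\.\d+){3}"
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
                      r"from (?P<ip>" + IPV4 + r") port (?P<port>\d+)")
NO_REVERSE = re.compile(r"Could not reverse map address (?P<ip>" + IPV4 + r")")


def summarize_logins(lines):
    """Count accepted logins per (user, auth method, source IP) and collect the
    source addresses that had no reverse DNS mapping."""
    logins, no_reverse = Counter(), set()
    for line in lines:
        if m := ACCEPTED.search(line):
            logins[(m["user"], m["method"], m["ip"])] += 1
        elif m := NO_REVERSE.search(line):
            no_reverse.add(m["ip"])
    return logins, no_reverse


def review_root_logins(lines, trusted_prefixes=("130.207.",)):
    """One finding per source IP that logged in as root. trusted_prefixes is an
    assumed list of prefixes the administrators connect from (constructed for
    this example, not taken from the slide)."""
    logins, no_reverse = summarize_logins(lines)
    findings = {}
    for (user, method, ip), count in logins.items():
        if user == "root":
            findings[ip] = {"count": count,
                            "password_auth": method == "password",
                            "outside_trusted_net": not ip.startswith(trusted_prefixes),
                            "no_reverse_dns": ip in no_reverse}
    return findings
```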
Protection from a Network Intrusion
Protection
1. Use a “Firewall” between the local area network and the worldwide Internet to limit access (Chapter 10).
2. On Microsoft PCs, with XP and later, use the OS firewall that limits incoming and outgoing communications by Application (program), not just port number. For Mac, buy "Little Snitch" ($35).
Detection
1. Use an IDS (Intrusion Detection System) to detect Cracker during the scanning stage (lock out the IP address, or remove malware from a local host).
2. Use a program like TripWire* on each host to detect when system files are altered, and email an alert to Sys Admin.
Reaction
1. Have a plan and means to implement it.
* Gene Kim and Gene Spafford (PhD GT 1986), Purdue U., http://www.cerias.purdue.edu/
"Little Snitch" Firewall for MacOS [screenshot]
"Little Snitch" Firewall for MacOS - Popup [screenshot]
Anomaly-Based Intrusion Detection
Figure 9.1 [distribution diagram; text recovered from the slide]:
A Negative Event, True or False, is one that does not trigger an Alarm.
High statistical variation in most measurable network behavior parameters results in high false-alarm rate.
Detected as Positive -> Alarm
False Alarms, False Positives (FP): #False-Positives = #Normal Events x FP-rate
Undetected Intrusions, False Negatives (FN): #False-Negatives = #Bad Events x FN-rate
# Normal Events = #TruePositives + #FalsePositives
Detection Threshold
If the “behavior” is a connection:
("positive" says it is malicious, "negative" it is not)
For Legitimate Connections (total number = LC)
True-Negative-Rate + False-Positive-Rate = TNR + FPR = 1
Correctly handled connections (no alarms) = TNR * LC
Incorrectly handled connections (false alarms) = FPR * LC
For Malicious Connections (total number = MC)
False-Negative-Rate + True-Positive-Rate = FNR + TPR = 1
Correctly handled connections (real alarms) = TPR * MC
Incorrectly handled connections (no alarms) = FNR * MC
Trade-off by shifting threshold
If LC >> MC then (FPR * LC) >> (TPR * MC)
hence “false alarms” are much greater than “real alarms”
when FPR >> MC/LC (tiny) (TPR is 1- FNR or approx. 1)
“Base-Rate” Fallacy
Suppose the accuracy of an IDS is 99% (both TPR and
TNR).
This means that for every 100 normal events, there will be 1
false positive. Also for every 100 intrusion events, there will
be 99 detects (true positives) and 1 missed detection (false
negative).
If there are 300,000 normal connections a day, there will be
3000 false alarms (false positives).
If there is one intrusion per week, there will be a 99% chance
of detecting it (if the IDS is still turned on).
For detailed math, see Appendix 9A of the textbook (editions 2, 3).
Example Problems - "Base-Rate Fallacy*"
Q. If there are 10,000,000 connections* on a network per day, and the False
Positive Rate is 0.0001:
1. How many false alarms (False Positives) will result?
Ans. 10,000,000 x 0.0001 = 1000 false alarms per day (False Positives / day)
2. How many good connections will not cause alarms (True Negatives)?
Ans. 10,000,000 x (1 - 0.0001) = 9,999,000 True Negatives per day.
*Unless stated (as in the next problem), assume none (or a negligible number) of
connections are "bad".
Q. If there are 100 "bad" (or "intrusion") connections per day, and the False
Negative Rate is 0.1:
1. How many will be detected (True Positives)? Ans. 100 x (1 - 0.1) = 90
2. How many will be missed (False Negatives)? Ans. 100 x 0.1 = 10
"Negative" means there was no Alarm, "Positive" means there was an Alarm.
"True" means the decision to issue an alarm was correct, "False" means the
decision was incorrect.
* The "Fallacy" comes from ignoring the fact that there are many more "good"
connections (the Base Rate) than "bad," and thus concluding that a False Positive
Rate as large as say 0.0001 would lead to satisfactory operation.
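The arithmetic of the two problems above, and of the 99%-accurate IDS from the previous slide, in code. This is an added example, not from the slides: it computes the four counts from the base rate and the error rates, then the fraction of alarms that are real, which is the number the fallacy ignores.

```python
import math


def confusion_counts(normal, bad, fpr, fnr):
    """Expected counts for one period.

    normal, bad : numbers of legitimate (LC) and malicious (MC) connections
    fpr, fnr    : false-positive and false-negative rates, with TNR = 1 - FPR
                  and TPR = 1 - FNR as on the slides
    """
    fp = normal * fpr
    fn = bad * fnr
    return {"true_negatives": normal - fp, "false_positives": fp,
            "true_positives": bad - fn, "false_negatives": fn}


def alarm_precision(counts):
    """Fraction of alarms that are real intrusions: TP / (TP + FP).
    A 99% accurate IDS can still have a precision near zero."""
    alarms = counts["true_positives"] + counts["false_positives"]
    return counts["true_positives"] / alarms if alarms else math.nan


def max_fpr_for_precision(normal, bad, tpr, target):
    """Largest FPR that still leaves at least `target` of all alarms real.
    From TP / (TP + FP) >= target:  FP <= TP * (1 - target) / target."""
    tp = bad * tpr
    return tp * (1 - target) / target / normal


def slide_scenario():
    """The 99%-accurate IDS from the slide: 300,000 normal connections a day
    and one intrusion a week (1/7 of an intrusion per day)."""
    counts = confusion_counts(normal=300_000, bad=1 / 7, fpr=0.01, fnr=0.01)
    return counts, alarm_precision(counts)
```

For the slide's scenario the function reports about 3000 false alarms against 0.14 true alarms per day, so well under one alarm in ten thousand is real.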
Distributed Host-Based IDS
Highly recommended for critical servers, and PCs. Modules must be installed and configured on hosts.
Examples: Okena (Cisco), ISS Desktop Proventia
Signature-Based IDS
Data Packets are compared to a growing library of known attack signatures. These include port numbers or sequence numbers that are fixed in the exploit application, and sequences of characters that appear in the data stream.
Packet streams must be assembled and searched, which reduces the maximum possible data rate on the link being observed.
Six “Signatures” from the Snort Database (www.snort.org)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg: "IDS411 - RealAudioDoS"; flags: AP; content: "|fff4 fffd 06|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS362 - MISC Shellcode X86 NOPS-UDP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS359 - OVERFLOWNOOP-HP-TCP2";flags:PA; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS345 - OVERFLOWNOOP-Sparc-TCP";flags:PA; content:"|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS355 - OVERFLOWNOOP-Sparc-UDP2"; content:"|a61c c013 a61c c013 a61c c013 a61c c013|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS291 - MISC Shellcode x86 stealth NOP"; content: "|eb 02 eb 02 eb 02|";)
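To make the content: notation concrete, here is an added example (not Snort’s code and not from the slides) that parses three of the rules above, converts the |..| hex content to bytes, and checks constructed sample payloads against them. The payloads are made up, and the source side of each rule is treated as “any”.

```python
import re

# Three of the rules listed above, copied as sample input.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg: "IDS411 - RealAudioDoS"; flags: AP; content: "|fff4 fffd 06|";)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS362 - MISC Shellcode X86 NOPS-UDP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS291 - MISC Shellcode x86 stealth NOP"; content: "|eb 02 eb 02 eb 02|";)',
]

HEADER = re.compile(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
OPTION = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*);')


def content_to_bytes(spec):
    """Snort content syntax: text outside |...| is literal, text inside is hex
    (bytes.fromhex ignores the spaces between byte pairs)."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def parse_rule(rule):
    """Split a rule into its header fields and the options it carries."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("unrecognised rule syntax")
    action, proto, src, sport, dst, dport, options = m.groups()
    opts = {k: v.strip().strip('"') for k, v in OPTION.findall(options)}
    return {"action": action, "proto": proto, "dport": dport, "msg": opts.get("msg", ""),
            "content": content_to_bytes(opts["content"]) if "content" in opts else b""}


def match_packet(rules, proto, dport, payload):
    """Return the msg of every rule whose protocol, destination port and
    content pattern all match the packet."""
    hits = []
    for r in map(parse_rule, rules):
        if r["proto"] != proto:
            continue
        if r["dport"] != "any" and int(r["dport"]) != dport:
            continue
        if r["content"] and r["content"] not in payload:
            continue
        hits.append(r["msg"])
    return hits


# Constructed sample payloads (not captured traffic).
BENIGN_HTTP = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
NOP_RUN_UDP = b"\x00" * 8 + b"\x90" * 24 + b"\x00" * 8
REALAUDIO_BYTES = b"PNA\x00" + b"\xff\xf4\xff\xfd\x06"
```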
Signature-Based Intrusion Detection Systems May Not Detect New Types of Attack
[Diagram] Attacks with Names: Back Orifice, Land Attack, Win Nuke, IP Blob, Trino. Attacks without Names (not analyzed yet). Alarm on Activities in these areas.
Flow-Based Technology (NBAD - Network Behavior Analysis Detection) recognizes normal traffic to detect new types of intrusions.
[Diagram] Attacks with Names: Back Orifice, Land Attack, Win Nuke, IP Blob, Trino. Attacks without Names (not analyzed yet). Normal Network Activities: FTP, Web, NetBIOS, Email. Alarm on Activities in these areas.
Example: Lancope’s “StealthWatch”
Flow-based Behavioral Analysis
A “Flow” is the stream of packets from one host to another related to the same service (e.g., Web, email, telnet, …). Data in packet headers is used to build up counts (leads to high speed).
After the flow is over, counters are analyzed and a value is derived for the probability* that the flow was crafted, perhaps for probing the network for vulnerabilities or for denial of service.
* Based on heuristic rules, not statistical analysis.
Flow Statistics Counters:
• Number of Packets
• Number of Total Bytes
• Number of Data Bytes
• Start Time of Flow
• Stop Time of Flow
• Duration of Flow
• Flag-Bit True-False Combo
• Fragmentation Bits
• ICMP Packet Responses to UDP Packets
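The counters above and the “Port Flood Attack” rule quoted in the alarm message later in this chapter can be put together in a small flow builder. This is an added example, not StealthWatch code and not from the slides: it aggregates constructed packet records into per-host-pair flows, keeps the packet, byte, time and ICMP-response counters, and applies two heuristic rules. The threshold of 20 ports is an assumed tuning value.

```python
from collections import defaultdict

# Constructed packet records (not captured traffic):
# (time_s, src, dst, proto, sport, dport, length). For ICMP the sport/dport
# slots hold the ICMP type/code, so (3, 3) is "destination unreachable, port".
PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.80", "tcp", 40001, 80, 600),
    (0.02, "10.0.0.80", "10.0.0.5", "tcp", 80, 40001, 1400),
    (0.03, "10.0.0.80", "10.0.0.5", "tcp", 80, 40001, 1400),
    (0.05, "10.0.0.5", "10.0.0.80", "tcp", 40001, 80, 60),
    # one-byte UDP probe to a closed port, and the ICMP reply it provokes
    (0.50, "198.51.100.7", "10.0.0.80", "udp", 31790, 31789, 29),
    (0.51, "10.0.0.80", "198.51.100.7", "icmp", 3, 3, 58),
]
# a source walking 40 TCP ports on one target within a second
PACKETS += [(1.0 + i * 0.02, "192.0.2.9", "10.0.0.80", "tcp", 50000 + i, 1 + i, 60)
            for i in range(40)]

PORT_FLOOD_THRESHOLD = 20  # assumed tuning value, not from the slides


def build_flows(packets):
    """Aggregate packets into (src, dst, proto) flows carrying the counters the
    slide lists, plus the set of destination ports touched."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "start": None, "stop": None,
                                 "dports": set(), "icmp_port_unreach": 0})
    for t, src, dst, proto, sport, dport, length in sorted(packets):
        if proto == "icmp":
            if (sport, dport) == (3, 3):   # credit the reply to the UDP flow it answers
                flows[(dst, src, "udp")]["icmp_port_unreach"] += 1
            continue
        f = flows[(src, dst, proto)]
        f["packets"] += 1
        f["bytes"] += length
        f["start"] = t if f["start"] is None else f["start"]
        f["stop"] = t
        f["dports"].add(dport)
    for f in flows.values():
        f["duration"] = f["stop"] - f["start"] if f["start"] is not None else 0.0
    return flows


def classify_flow(flow):
    """Heuristic rules (the slide's footnote: heuristics, not statistics). Returns
    the reasons a flow looks crafted; an empty list means it looks normal."""
    reasons = []
    if len(flow["dports"]) >= PORT_FLOOD_THRESHOLD:
        reasons.append("Port Flood Attack: %d ports touched" % len(flow["dports"]))
    if flow["icmp_port_unreach"] >= max(flow["packets"], 1):
        reasons.append("every UDP packet answered by ICMP port-unreachable")
    return reasons


def alarms(packets):
    """(src, dst, proto) -> reasons, for every flow that triggers at least one rule."""
    result = {}
    for key, flow in build_flows(packets).items():
        reasons = classify_flow(flow)
        if reasons:
            result[key] = reasons
    return result
```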
Zone Protection
One of the Zones could be a Dark (Sinkhole*) Net.
* monitored block of IP addresses with no hosts
StealthWatch screen [screenshot]
IDS Types Should be Combined
Host-Based: Can detect misuse of OS access and file permissions.
Signature-Based: Can detect attacks embedded in network data - if signature is known.
Anomaly-Based: On host or network. Can detect new types, but high false alarm rate.
Flow-Based (NBAD): Can detect new types of attacks by network activity. Should be used with Host-Based and Signature-Based.
One of my three rules: Multiple layers of protection are needed to optimize security, for a given cost.
The Stages of a Network Intrusion [RAERU]
1. Scan the network to: [RECONNAISSANCE]
• locate which IP addresses are in use, -> Flow-based* "CI", signature-based?
• what operating system is in use,
• what TCP or UDP ports are “open” (being listened to by Servers). -> Vulnerability Scan: Signature?, Flow-Based
2. Run “Exploit” scripts against open ports. [ACCESS] -> Port Profile*
3. Elevate privileges to “root” privileges. [ELEVATE] -> Host-based
4. Download from Hacker Web site special versions of system files that will let Cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs. [ROOT KIT] -> Signature?, "Port-Profile*", Forbidden Zones*, Host-based
5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the computer and its info another way. [UTILIZE] -> Signature?, "Port-Profile*", Forbidden Zones*, Host-based
* StealthWatch
Detection of the “Mac Attack” DDoS Plan
Type "A" Probes (detected by John Copeland in Dec. 1999)
The first three UDP probes, which started my investigation, had a single character in the data field, an 'A'. The UDP port numbers were identical, 31790->31789.
They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port Packets. The Echo-Request is never answered.
Date Time EST Source IP (Place) Destination (Place)
1999-12-28 18:40 151.21.82.251 (Italy) to 24.88.48.47 (Atlanta, GA)
1999-12-10 18:28 152.169.145.206 ( AOL ) to 24.88.48.47 (Atlanta, GA)
1999-12-16 03:34 212.24.231.131 (Saudi Arabia) to 24.88.48.47 (Atlanta)
UDP packets with an empty data field, like those generated by the "nmap" scan program, do not stimulate the 1500-byte ICMP packets from an OS-9 Macintosh (at least one character of data was required).
http://users.ece.gatech.edu/~copeland/jac/macattack/index.html
http://users.ece.gatech.edu/~copeland/jac/ajc_mac_hacker.html
http://users.ece.gatech.edu/~copeland/jac/macattack/fox-news.mov
2nd Generation, “Mac Attack” Scanning
"Double-zero" Probes (James Bond, "00" -> "license to kill"), detected in Dec. 1999.
I had now seen 3 UDP type "00" probes, and had another "00" probe reported from Kansas.
These probes use a single UDP packet, two bytes of data (ascii zeroes) and identical
UDP port numbers, 60000->2140. They stimulate the 1500-byte ICMP Echo-Request packet
and the normal 58-byte ICMP Destination_Unreachable-Port Packets. The Echo-Request is
never answered.
1999-12-20 07:04 195.229.024.212 (Arab Emirates*) to 24.88.48.47 (Atlanta, GA)
1999-12-21 08:04 195.229.024.213 (Arab Emirates*) to 24.88.48.47 (Atlanta, GA)
*DNS name: cwa129.emirates.net.ae
1999-12-25 09:39 212.174.198.29 (Turkey) to 24.94.xxx.xxx (Wichita, Kansas)
*DNS: none
1999-12-31 05:35 195.99.56.179 (Manchester, UK*) to 14.88.xx.xx (Atlanta, GA)
*DNS name: manchester_nas11.ida.bt.net
2000-01-04 05:08 24.94.80.152 (Road Runner, Hawaii) to 24.94.xxx.xxx (Wichita, Kansas)
*DNS name: a24b94n80client152.hawaii.rr.com
2000-01-06 04:48 195.44.201.41 (cwnet, NJ) to 24.88.xx.xxx (Atlanta, GA)
*DNS name: ad11-s16-201-41.cwci.net
Drawing from Atlanta Journal-Constitution article, Dec. 1999.
Full details at www.csc.gatech.edu/macattack/
Fox News – Dec. 29, 1999
http://www.csc.gatech.edu/copeland/jac/macattack/fox-news.m4v
traceroute (tracert) to find location of IP Address
Start: 11/21/99 11:07:40 PM
Find route from: 24.88.48.47 to: www.orbicom.com. (196.28.160.129), Host Names truncated to 32 bytes
 1  24.88.48.1                        (24.88.48.1):        17ms   17ms   16ms
 2  24.88.3.21                        (24.88.3.21):        18ms   19ms   18ms
 3  24.93.64.69                       (24.93.64.69):       17ms   18ms   17ms
 4  24.93.64.61                       (24.93.64.61):       19ms   17ms   18ms
 5  24.93.64.57                       (24.93.64.57):       25ms   25ms   23ms
 6  sgarden-sa-gsr.carolina.rr.com.   (24.93.64.30):       26ms   27ms   27ms
 7  roc-gsr-greensboro-gsr.carolina.  (24.93.64.17):       28ms   28ms   30ms
 8  roc-asbr-roc-gsr.carolina.rr.com  (24.93.64.6):        30ms   32ms   30ms
 9  12.127.173.205                    (12.127.173.205):    40ms   39ms   39ms
10  gbr2-a30s1.wswdc.ip.att.net.      (12.127.1.30):       38ms   40ms   39ms
11  gr2-p3110.wswdc.ip.att.net.       (12.123.8.246):     278ms   40ms   39ms
12  att-gw.washdc.teleglobe.net.      (192.205.32.94):     41ms   43ms   42ms
13  if-7-2.core1.newyork.teleglobe.n  (207.45.222.145):    45ms   46ms   45ms
14  if-0-0-0.bb3.newyork.teleglobe.n  (207.45.221.69):     45ms   47ms   49ms
15  ix-1-1-1.bb3.newyork.teleglobe.n  (207.45.199.202):    50ms   46ms   50ms
16  196.30.121.243                    (196.30.121.243):    44ms   48ms   45ms
17  fe0-0.cr3.ndf.iafrica.net.        (196.31.17.26):     635ms  632ms  633ms
18  atm6-0sub300.cr1.vic.iafrica.net  (196.30.121.81):    641ms  640ms  644ms
19  196.30.200.6                      (196.30.200.6):     643ms  640ms  643ms
20  196.4.162.86                      (196.4.162.86):     662ms  659ms  664ms
21  www.orbicom.com.                  (196.28.160.129):   663ms  658ms  664ms
• Trace completed 11/21/99 11:08:25 PM • Max 30 hops, 40 byte packets
"host" (newer "nslookup") and "whois" utilities
jac:/Users/copeland root# host www.orbicom.com
www.orbicom.com has address 196.31.129.146
jac:/Users/copeland # whois www.orbicom.com [ERROR]
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to
http://www.internic.net for detailed information.
No match for "WWW.ORBICOM.COM".
jac:/Users/copeland # whois orbicom.com
…
Registrant: Multichoice Africa
P O Box 1502, Randburg, Gauteng 2125 ZA
[Zaire]
"host" and "whois" data put into email Alarm Message
Alarm: - Port Flood Attack Host: 200.56.54.65 No DNS Name
Victim: 130.207.125.134 pat.gatech.edu
Time: Mon Jan 3 19:27:31 EST 2005
Serial No. 300482
Port Flood Attack : Indicates that the suspect IP has attempted to connect on an excessive number of ports on the 'victim IP'. This may be indicative of a denial of service attack or an aggressive scan by the suspect IP.
--- whois 200.56.54.65 ---
[Querying whois.lacnic.net]
[whois.lacnic.net]
By submitting a whois query, you agree to use this data only for legal purposes only.
% 2005-01-03 22:27:32
inetnum:     200.55.0/18
status:      allocated
owner:       Impisat Argentina
ownerid:     AR-IMAR3-LACNIC
responsible: Christian O_Flaulant
address:     Alferez Parediso, 256,
address:     1107 - Buenos Aires
country:     AR
phone:       +54 11 51701234
nslastaa:    20041230
created:     20001121
changed:     20010926
nic-hdl:     CHO
person:      Christian OFlaulant
e-mail:      [email protected]
address:     Alferez Pareja, 128,
address:     3207 - Buenos Aires
country:     AR
phone:       +54 11 51704600 []
Try http://www.geektools.com