normal use conditions
7.2 DESCRIPTION OF ATTACKS AND NORMAL USE ACTIVITIES
Table 7.2 gives a list of eleven attacks and two normal use activities which are executed on a computer to collect the Windows performance objects data from this computer under each attack and normal use condition. Table 7.2 also lists the software used for each activity with the reference. These attack and normal use activities are briefly described below.
7.2.1 Apache Resource DoS
The Apache Resource DoS attack exploits a vulnerability [2] in an Apache web server which is implemented using Apache 2.0.52. By opening a few connections with a long header to the Apache server, an attacker can force the server to allocate more and more memory space to these connections, resulting in either degraded performance or crash of the server and thus DoS. The attack ends when it completes its attacking procedure.
7.2.2 ARP Poison
In the ARP (Address Resolution Protocol) Poison attack, the attacker first builds a list of MAC addresses of computers on the local network of the attacking computer by using Ettercap 0.7.2 to send out a series of ARP requests asking for MAC addresses of computers on the network of the attacking computer. These ARP requests consist of one request going out to every IP address on the network. The list of MAC addresses is used to set up traffic forwarding on the attacking computer. The Ettercap software is then instructed to send out unsolicited ARP replies to computers on the network about every ten seconds to keep these computers' ARP tables poisoned. These ARP replies contain information which falsely maps the IP address of each computer on the network to the MAC address of the attacking computer. Upon receiving a spoofed ARP reply, an active computer updates its ARP table with the false information. As a result, all network traffic on the network is directed to the attacking computer rather than to its intended destination. In the execution of this attack, the attacking computer alters network traffic before sending it out to its intended destination. Alternatively, the attacking computer can also pull out information such as usernames and passwords, or even drop network traffic. After the attack has lasted about ten minutes, the attacker stops the attack by sending out ARP replies with the original MAC addresses of computers on the network.

Table 7.2 Attacks and normal use activities executed for data collection

| Type of activity | Name of activity (name abbreviation) | Software used | Reference |
|---|---|---|---|
| Attack | Apache Resource DoS (Apache) | Apache 2.0.52 | http://www.apache.org/ ; http://seclists.org/lists/fulldisclosure/2004/Nov/0022.html |
| Attack | ARP Poison (ARP) | Ettercap 0.7.2 | http://ettercap.sourceforge.net |
| Attack | Distributed DoS (Distributed) | Trinoo | http://packetstormsecurity.org/distributed/trinoo.tgz |
| Attack | Fork Bomb (Fork) | Winfb.pl | http://www.iamaphex.cjb.net |
| Attack | FTP Buffer Overflow (FTP) | Warftpd 1.65 | http://metasploit.com/projects/Framework/exploits.html#warftpd_165_user |
| Attack | Hardware Keylogger (Hardware) | Keykatcher 64K mini | http://www.keykatcher.com |
| Attack | Remote Dictionary (Remote) | Tscrack 2.1 | http://www.archive.org |
| Attack | Rootkit (Rootkit) | AFX Rootkit 2005 | http://www.iamaphex.cjb.net |
| Attack | Security Audit (Security) | Nessus 2.2.5 | http://www.nessus.org |
| Attack | Software Keylogger (Software) | Windows Keylogger 5.0 | http://www.littlesister.de |
| Attack | Vulnerability Scan (Vulnerability) | NMAP 3.81 | http://www.insecure.org/nmap |
| Normal Use | Text Editing | Microsoft Word 2002 | http://www.microsoft.com |
| Normal Use | Web Browsing | Internet Explorer 6.0 | http://www.microsoft.com |
7.2.3 Distributed DoS
Trinoo is used to execute the Distributed DoS attack through the Trinoo master which controls a Trinoo client to send massive amounts of network traffic to the victim computer. Both the Trinoo master and the Trinoo client run on the attacking computer. As a result, the network bandwidth of the victim is used up by such malicious network traffic, and some other computer resources such as the processor are also taken up to their full capacities. The attack is stopped by the attacker after about ten minutes.
7.2.4 Fork Bomb
The Fork Bomb attack involves a process with a loop of creating a new process in each iteration. These processes fill up the process table with many new entries, and consume other computer resources with the consequences of degraded service or denial of service. Winfb.pl is used to execute the Fork Bomb attack which spawns about 101 processes of the Windows calculator, producing a significant load on the victim computer. The attack ends when it completes its attacking procedure.
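Since the chapter's data set is built from Windows performance objects, the Fork Bomb above is the attack whose signature is most directly visible in those counters: the total process count jumps within seconds, and a process snapshot shows one parent with a crowd of identical children. The following added example (not code from the book or from Winfb.pl) shows both checks. The counter samples and the process snapshot are constructed; the parent image name perl.exe and the 5-second sampling interval are assumptions, and only the figure of about 101 calculator processes comes from the text.

```python
from collections import Counter

# Constructed samples of the Windows "System \ Processes" counter (total number
# of processes on the machine), one every 5 seconds: a steady baseline, then the
# rise a fork bomb produces. These are not measurements from the book's data set.
PROCESS_COUNT_SAMPLES = [
    (0, 44), (5, 45), (10, 44), (15, 45),
    (20, 80), (25, 120), (30, 146), (35, 146),
]

# Constructed process snapshot: (pid, parent pid, image name). The spawning
# process is a hypothetical perl.exe with 101 calc.exe children, the count the
# text gives for Winfb.pl.
SAMPLE_SNAPSHOT = [(4, 0, "System"), (700, 4, "explorer.exe"), (900, 700, "perl.exe")]
SAMPLE_SNAPSHOT += [(1000 + i, 900, "calc.exe") for i in range(101)]


def process_count_spikes(samples, window=15, min_increase=50):
    """Return (t, increase) for each moment the process count is found to have
    risen by at least min_increase over the trailing `window` seconds.
    Only the transition into a spike is reported, not every sample inside it."""
    alerts = []
    in_spike = False
    for i, (t, n) in enumerate(samples):
        # oldest earlier sample that still lies inside the trailing window
        earlier = [(t0, n0) for t0, n0 in samples[:i] if t - t0 <= window]
        if not earlier:
            continue
        increase = n - earlier[0][1]
        if increase >= min_increase and not in_spike:
            alerts.append((t, increase))
            in_spike = True
        elif increase < min_increase:
            in_spike = False
    return alerts


def crowded_parents(snapshot, min_children=50):
    """Return {parent_pid: (child_count, most common child image)} for every
    parent process with at least min_children direct children."""
    by_parent = {}
    for pid, ppid, image in snapshot:
        by_parent.setdefault(ppid, Counter())[image] += 1
    result = {}
    for ppid, images in by_parent.items():
        total = sum(images.values())
        if total >= min_children:
            result[ppid] = (total, images.most_common(1)[0][0])
    return result


if __name__ == "__main__":
    print("process count spikes:", process_count_spikes(PROCESS_COUNT_SAMPLES))
    print("crowded parents:", crowded_parents(SAMPLE_SNAPSHOT))
```

The counter check fires on rate of change rather than on an absolute count, so it does not need to know the machine's normal process count in advance; the snapshot check is the follow-up that tells an analyst which process to stop.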
7.2.5 FTP Buffer Overflow
The FTP server is implemented using Warftpd 1.65, which has a buffer overflow vulnerability associated with the FTP command USER. In the FTP Buffer Overflow attack, the attacker uses Metasploit 2.4 on the attacking computer to overflow the input buffer of the USER command on the victim computer and open a shell environment which allows the attacker to remotely control the victim computer. The attack ends when it completes its attacking procedure.
7.2.6 Hardware Keylogger
In the Hardware Keylogger attack, a keykatcher mini device with an internal memory of 64KB to store keystrokes is plugged between the keyboard and the keyboard port on the victim computer to intercept all keystrokes. With the 64K memory, the keykatcher can record over 65,000 keystrokes. Since only the victim computer is involved in this attack, the attacking computer is turned off during this attack. About ten minutes after the keykatcher is plugged in, the attack is stopped by unplugging the keykatcher from between the keyboard and the keyboard port on the victim computer.
7.2.7 Remote Dictionary
In the Remote Dictionary attack, Tscrack 2.1 running on Windows 2000 of the attacking computer attempts to remotely log in to the administrator account on the victim computer using passwords taken from a dictionary of passwords. On Windows, the administrator account is never locked out even if there are multiple (e.g., three) incorrect login attempts. The victim computer is set up with a password for the administrator account. The password is located approximately in the middle of the dictionary file, and is reached, allowing a successful login, after about ten minutes of failed login attempts. This is when the attack ends.
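Because the built-in administrator account is never locked out, the defence against the Remote Dictionary attack of Section 7.2.7 has to come from monitoring rather than from account policy. The following added example (not code from the book or from Tscrack) watches a stream of logon events for one account and source, flags a burst of failures, and, more importantly, flags a success that arrives while such a burst is in progress, which is the moment the dictionary reached the right password. The events are a constructed sample; the hostnames, the one-guess-per-second rate and the thresholds are assumptions.

```python
from collections import defaultdict, deque

# Security-log event IDs on Windows 2000/XP: 529 = logon failure, 528 = successful
# logon (Vista and later use 4625 and 4624). Any feed works as long as it yields
# the same four fields used below.
LOGON_FAILURE, LOGON_SUCCESS = 529, 528

# Constructed events: (seconds, event id, account, source host). One guess per
# second against Administrator for 30 s, then the guess that works, plus one
# unrelated failure from another host.
SAMPLE_EVENTS = (
    [(s, LOGON_FAILURE, "Administrator", "10.0.0.3") for s in range(30)]
    + [(30, LOGON_SUCCESS, "Administrator", "10.0.0.3"),
       (31, LOGON_FAILURE, "alice", "10.0.0.8")]
)


def detect_password_guessing(events, window=60, threshold=10):
    """Return alerts as (kind, t, account, source, failures_in_window).

    "guessing": `threshold` or more failures for one (account, source) pair
        inside the trailing `window` seconds; raised once per burst.
    "success_after_guessing": a successful logon for a pair that is still in
        a burst, i.e. the dictionary probably contained the password. For an
        account that cannot be locked out this is the signal that matters.
    """
    failures = defaultdict(deque)   # (account, source) -> failure timestamps
    in_burst = set()
    alerts = []
    for t, event_id, account, source in events:
        key = (account, source)
        q = failures[key]
        while q and t - q[0] > window:      # drop failures outside the window
            q.popleft()
        if not q:                           # burst has aged out without a success
            in_burst.discard(key)
        if event_id == LOGON_FAILURE:
            q.append(t)
            if len(q) >= threshold and key not in in_burst:
                in_burst.add(key)
                alerts.append(("guessing", t, account, source, len(q)))
        elif event_id == LOGON_SUCCESS:
            if key in in_burst:
                alerts.append(("success_after_guessing", t, account, source, len(q)))
                in_burst.discard(key)
            q.clear()                         # a success ends the failure run
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_EVENTS):
        print(alert)
```

Keying on the (account, source) pair keeps an ordinary user's mistyped password from being counted against an unrelated guessing run; keying on the account alone would catch a dictionary attack distributed over several sources at the cost of more false positives, and which to use depends on the environment.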
7.2.8 Rootkit
Rootkit is a collection of tools which can be used to gain administrator-level access to computer resources and also hide the presence of Rootkit processes running on a victim computer. An attacker can use a password cracking, buffer overflow, or another form of attack to gain initial access to a victim computer. With the initial access, the attacker uploads and installs Rootkit on the victim computer. Rootkit can also get installed on a victim computer through a user downloading Trojan software, executing a file attached to an email, and so on. After the installation, Rootkit can be used to set up a network backdoor, install a keylogger, or carry out other harmful activities using the tools in Rootkit. To execute this attack, AFX Rootkit 2005 is installed to run on the victim computer and alter binaries, files or system utilities to hide Rootkit processes from the list of running processes in the Windows task manager, the system tray icons, network sockets, and files/folders. The attack lasts about ten minutes.
7.2.9 Security Audit
In the Security Audit attack, Nessus 2.2.5, which is an automated security auditor, is used to test and discover certain security vulnerabilities of the victim computer. Nessus first uses NMAP (see Section 7.2.11) to scan vulnerabilities on the victim computer, matches the scan results with known vulnerabilities stored in a database, and attempts to exploit a number of known vulnerabilities. The attack ends when Nessus completes its auditing procedure.
7.2.10 Software Keylogger
Windows Keylogger 5.0 is installed on the victim computer to execute the Software Keylogger attack. The attack begins by using the software to trap and record system calls which are related to keyboard events on the victim computer. The attack lasts about ten minutes. The keystroke events are recorded to a log file. In the real world, keylogger software can be installed on a victim computer through, for example, a virus or Trojan program in a file attached to an email.
7.2.11 Vulnerability Scan
NMAP 3.81, which is used in the Vulnerability Scan attack, probes each port on the victim computer to find open ports, and then examines each open port to determine the type and version of software providing service at each port as well as the type and version of the operating system through, for example, inspecting the reply packets for sequence numbers, response messages, and so on. The attack ends when NMAP completes its scanning procedure.
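Both the Security Audit of Section 7.2.9 and the Vulnerability Scan of Section 7.2.11 begin with the same NMAP port sweep: many distinct destination ports on one victim touched by one source in a short time, whereas a normal client keeps returning to a handful of service ports. The following added example (not code from the book, NMAP or Nessus) detects that sweep from connection-attempt records with a per-source sliding window. The records are a constructed sample; the hostnames, the 30-second window and the 20-port threshold are assumptions.

```python
from collections import defaultdict, deque

# Constructed connection-attempt records: (seconds, source host, destination port).
# One source walks ports 1-100 in ten seconds (a scan); another only ever
# touches 80 and 443 (ordinary browsing of one web server).
SAMPLE_CONNECTIONS = (
    [(p / 10, "10.0.0.3", p) for p in range(1, 101)]
    + [(2.0, "10.0.0.8", 80), (2.5, "10.0.0.8", 443), (9.0, "10.0.0.8", 80)]
)


def detect_port_scans(connections, window=30, min_ports=20):
    """Return {source: (t_first_flagged, max_distinct_ports_seen)} for sources
    that touched at least min_ports distinct destination ports within the
    trailing `window` seconds. The alert is raised once per source, at the
    moment the threshold is crossed; the port count keeps being raised while
    the sweep continues so the analyst can see how far it went."""
    recent = defaultdict(deque)    # source -> (t, port) records inside the window
    flagged = {}
    for t, src, port in connections:
        q = recent[src]
        q.append((t, port))
        while q and t - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_ports:
            if src not in flagged:
                flagged[src] = (t, len(distinct))
            else:
                first_t, best = flagged[src]
                flagged[src] = (first_t, max(best, len(distinct)))
    return flagged


if __name__ == "__main__":
    print("port scans:", detect_port_scans(SAMPLE_CONNECTIONS))
```

Counting distinct ports rather than raw connections is what separates the sweep from a busy but legitimate client; the service-version probing that follows the sweep in NMAP, and the exploit attempts that follow it in Nessus, are a separate stage that this check does not try to identify.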
7.2.12 Text Editing
In the text editing activity, the user is asked to open a Microsoft Word file and type the text from a piece of paper given to the user for ten or more minutes.
7.2.13 Web Browsing
In the web browsing activity, the user is asked to use Windows Internet Explorer to search the Google web site, www.google.com, for a topic (e.g., 'intrusion detection') and keep visiting the related sites for ten or more minutes.
Figure 7.1 Computer network setup for data collection. [Figure: components shown are a NetGear Router with a link to the outside network, a DLink DSS-16 Switch, Dell PC #1 with Linux (Attacker), Dell PC #2 with Windows XP (Attacker), Dell PC #3 with Windows 2000 (Attacker), and Dell PC #4 with Windows XP (Normal User), connected by Ethernet links.]