Chapter 17
Attack Detection and Prevention
Attack Overview, Taxonomy, and Examples
Attack Detection
Principles of Intrusion Detection Systems
Knowledge-based
Introduction
Definition: Intrusion
“An Intrusion is unauthorized access to and/or activity in an information system.”
Definition: Intrusion Detection
“The process of identifying that an intrusion has been attempted, is occurring or has occurred.”
Introduction
Intrusion Detection
Attack- / Invasion detection: Tries to detect unauthorized access by outsiders
Misuse Detection: Tries to detect misuse by insiders, e.g. users that try to access services on the internet by bypassing security directives
Anomaly Detection: Tries to detect abnormal states within a network, e.g. sudden appearance of never used protocols, big amount of unsuccessful login attempts
Intrusion Prevention
An IPS adds further functionality to an IDS. After detecting a possible attack the IPS tries to prevent the ongoing attack, e.g. by closing network
Introduction
Categorizing Attacks
Who / which device is attacking?
Normal user device located outside the infrastructure:
Examples: PC, PDA, mobile phone, ...
Commanded by a normal user not aware of what he is doing, or Hacked and commanded by a malicious attacker
Device located inside the infrastructure:
Examples: router, management workstation, ...
Either deliberately placed by an attacker inside the infrastructure, or Being part of the genuine infrastructure but hacked and commanded
by a malicious attacker
Which layer(s) is the attack aiming at?
Physical, MAC / Data Link, Network, Transport, Application
Which kind of attack is performed?
Ensuring Availability: The Key Challenge for the Next Years
Security of transmitted information in the sense of confidentiality,
authenticity, etc. is well researched and many network security
protocols have been developed & standardized during the past decade
Examples: PPP/PPTP, L2TP, IPSec, SSL/TLS, SSH, GSM/GPRS/UMTS security protocols, ....
In “infrastructure networks” (like the Internet), routing threats can be
effectively countered by deploying PKI-based approaches like S-BGP
However, ensuring availability
of our IT- and communication
infrastructure requires more than can be realized by standard network
security protocols, and thus turns out to be the major challenge
for
the next years of security research!
Denial of Service
What is Denial of Service?
Denial of Service (DoS) attacks aim at denying or degrading legitimate users’ access to a service or network resource, or at bringing down the servers offering such services
Motivations for launching DoS attacks:
Hacking (just for fun, by “script kiddies”, ...)
Gaining information leap (→ 1997 attack on bureau of labor statistics server; was possibly launched as unemployment information has implications to the stock market)
Discrediting an organization operating a system (i.e. web server)
Revenge (personal, against a company, ...)
Political reasons (“information warfare”)
Denial of Service Attacking Techniques
Resource destruction
(disabling services):
Hacking into systems
Making use of implementation weaknesses as buffer overrun
Deviation from proper protocol execution
Resource depletion
by causing:
Storage of (useless) state information
High traffic load (requires high overall bandwidth from attacker)
Expensive computations (“expensive cryptography”!)
Resource reservations that are never used (e.g. bandwidth)
Origin of malicious traffic:
Genuineness of source addresses: either genuine or forged
Number of sources:
single source, or
Examples: Resource Destruction
Hacking:
Exploiting weaknesses that are caused by careless operation of a system
Examples: default accounts and passwords not disabled, badly chosen passwords, social engineering (incl. email worms), etc.
Making use of implementation weaknesses:
See later slides on security aware system design & implementation
Deviation from proper protocol execution:
Example: exploit IP’s fragmentation & reassembly
Send IP fragments to broadcast address 192.168.133.0
Operating systems with origins in BSD often respond to this address
as a broadcast address
In order to respond, the packets have to be reassembled first
If an attacker sends a lot of fragments without ever sending a first /
Countering Attacks: Three Principle Classes of Action
Prevention:
All measures taken in order to avert that an attacker succeeds in realizing a threat
Examples:
Cryptographic measures: encryption, computation of modification
detection codes, running authentication protocols, etc.
Firewall techniques: packet filtering, service proxying, etc.
Preventive measures are by definition taken before an attack takes place
Attention: it is generally impossible to prevent every potential attack!
Detection:
All measures taken to recognize an attack while or after it occurred
Examples:
Recording and analysis of audit trails
On-the-fly traffic monitoring and intrusion detection
Reaction:
Attack Taxonomy
Attack Strategy
Scan for vulnerabilities
Detection of vulnerable hosts and applications
Compromising hosts
Manual hacking
Viruses, Trojans, Worms
Distributed denial-of-service attack
Bandwidth depletion
Port Scan
Background
Identification of vulnerable systems / applications
Automated distribution of worms
Scan types
Vertical scan: sequential or random scan of multiple (5 or more) ports of a single IP address from the same source during a one hour period
Horizontal scan: scan of several machines (5 or more) in a subnet at the same target port from the same source during a one hour period
Coordinated scan: scans from multiple sources (5 or more) aimed at a particular port of destinations in the same /24 subnet within a one hour window; also called distributed scan
Stealth scan: horizontal or vertical scans initiated with a very low frequency to avoid detection
Port Scan (2)
Scan characteristics
Port distribution
Source distribution
Scan rates for top 10
destination port categories between May-July, 2002.
Distribution of coordinated, horizontal and vertical
scans for the month of June, 2002
Distributed Denial-of-Service Attacks
Bandwidth depletion
Flood
UDP flood
ICMP flood
Amplification (i.e. using a
reflector network)
Smurf (ICMP echo request)
Fraggle (UDP echo, e.g. chargen)
Resource depletion
Protocol exploit
TCP SYN
PUSH+ACK (to unload TCP buffer + ACK to overflow a receiver)
Malformed packet attacks
Usage of incorrect formatted IP packets to crash the victim
system
Sleep deprivation
Rendering a pervasive
Distributed Denial-of-Service Attacks (2)
Source: [Moore2001]
mostly ICMP traffic
History of Intrusion Detection
1980 – James Anderson: Computer Security Threat Monitoring and Surveillance
1983 – Dorothy Denning (SRI-International): Analysis of audit trails from government mainframe computers
1984 – Dorothy Denning: Intrusion Detection Expert System (IDES)
1988 – Lawrence Liverpool Laboratories: Haystack Projekt
1990 – Heberlein: A Network Security Monitor (NSM)
1994 – Wheel Group: First commercial NIDS (NetRanger)
1997 – ISS: Real Secure
Intrusion Detection
Data collection issues
Reliable and complete data
Collection is expensive, collecting the right information is important
Detection techniques
Misuse detection (or signature-based or knowledge-based)
Anomaly detection
Response
Counteracting an attack
Evaluation
System effectiveness, performance, network-wide analysis
False-positive rate
Classification of Attack Detection
Four dimensions
Host
based
Knowledge
based
Anomaly
detection
Classification of Attack Detection (2)
Host Intrusion Detection Systems (HIDS)
Works on information available on a system, e.g. OS-Logs, application-logs, timestamps
Can easily detect attacks by insiders, as modification of files, illegal access to files, installation of Trojans or rootkits
Problems: has to be installed on every System, produces lots of information, often no realtime-analysis but predefined time intervals, hard to manage a huge number of systems
Network Intrusion Detection System (NIDS)
Works on information provided by the network, mainly packets sniffed from the network layer. Uses signature detection (stateful), protocol decoding, statistical anomaly analysis, heuristical analysis
Detects: DoS with buffer overflow attacks, invalid packets, attacks on application layer, DDoS, spoofing attacks, port scans
Placement of a Network Intrusion Detection System
Internet
DMZ
Monitors all incoming traffic •High load
•High rate of false alarms
Monitors all traffic to and from systems in the DMZ •Reduced amount of Data •Can only detect Intrusions on these Computers
Monitors all traffic within the corporate LAN
•Possible detection of misuse by insiders •Possible detection of intrusion via mobile machines (notebooks...)
Knowledge-based Detection
Based on signatures or patterns of well-known attacks
Working principles
Scan for attacks using well known vulnerabilities, e.g. patterns to attack IIS web server or MSSQL databases
Scan for pre-defined numbers of ICMP, TCP SYN, etc. packets
Patterns can be specified at each protocol level Network protocol (e.g. IP, ICMP)
Transport protocol (e.g. TCP, UDP) Application protocol (e.g. HTTP, SMTP)
Pros
Fast, requires few state information, low false-positive rate
Cons
Recognizes only known attacks
Examples
Snort
OpenSource
Support for Windows, UNIX, Linux,...
Rule Based Intrusion Detection
Ruleset can be edited individually
Huge number of predefined rules
Daily community rules update
Reporting into: Logfiles, LogServer, Database
Different formats for captured data supported: libpcap, ...
Supports packet de-fragmentation, protocol decoding, state inspection
Possible reactions: TCP reset, ICMP unreachable, configuration of
firewalls, alerting via email, pager, SMS (plugins)
Snort (2)
Mainly signature based, each intrusion needs a predefined rule
alert tcp $HOME_NET any -> any 9996 \(msg:"Sasser ftp script to transfer up.exe"; \
content:"|5F75702E657865|"; depth:250; flags:A+; classtype: misc-activity; \ sid:1000000; rev:3)
Three step processing of captured information (capturing is done by
libpcap):
Preprocessing (normalized and reassembled packets)
Detection Engine works on the data and decides what action should be taken
Action is taken (log, alert, pass)
Modular structure allows to change many parts as
Anomaly Detection
Based on the analysis of long-term and short-term traffic behavior
Working principles
Scan for anomalies in
Traffic behavior Protocol behavior Application behavior
Pros
Recognizes unknown attacks as well
Cons
False-positive rate might be high
Anomaly Detection (2)
Generic anomaly detection system
Anomaly Detection (4)
Source: [Estevez-Tapiador2004]
ALAD
Application Layer Anomaly Detection (ALAD) [Mahoney2002]
Extension to PHAD
Five models:
1. P(src IP | dest IP)
Learns normal set of clients for each host, i.e. the set of clients allowed on a restricted service
2. P(src IP | dest IP, dest port)
Like (1), but one model for each server on each host
3. P(dest IP, dest port)
Learns the set of local servers which normally receive requests
4. P(TCP flags | dest port)
Defense Taxonomy
Defense Challenges
Need for a distributed response at many points on the Internet
Coordinated response is necessary for successful countermeasures
Economic and social factors
Deployment of response systems at parties that do not suffer direct damage from the DDoS attack
Lack of detailed information
Thorough understanding of attacks is required
Lack of defense system benchmarks
Attack Prevention / Counteracting
Anti-Spoof Mechanisms
Filtering of forged packets
Cryptographic authentication
Traceback
Counteracting DDoS attacks
Counteracting TCP SYN flood
Distributed Firewalling
Address Spoofing
The Spoofing Problem:
Packet routing in IP networks is based on destination address information only, correctness of source address is not verified
Most (D)DoS attacks consist of packets with spoofed or faked source addresses in order to disguise the identity of the attacking systems
Identification of the attacking systems is needed for installing efficient defense mechanisms
Some detection mechanisms also require valid information about the attack sources
Further issues: legal prosecution of attackers and prevention of new attacks
Anti-Spoof Mechanisms
Filtering of forged packets
Ingress filtering: implementation of “anti-spoof” ACLs based on (static/dynamic) knowledge about “own” IP address range
RPF: reverse path forwarding, known from multicast routing, fails for dynamic load-balancing
SAVE: source address validity enforcement protocol [Li2002]
Associates interfaces with valid source address ranges Also useful for RPF check, e.g. for multicast routing
Cryptographic authentication
IPSec authentication, problem: key management
Traceback
Real-time / Forensic methods
Traceback (1)
Goal:
Identify the source address (or at least the ingress point) and the attack path of a packet without relying on the source address information
Challenges:
Short path reconstruction time
Processing and storage requirements
Scalability
Traceback (2)
Taxonomy of traceback mechanisms
active passive Traceback packet insertion packet marking packet logging flow logging network reconfig. link testing backscatter analysis
Packet Insertion
ICMP traceback (ITrace) [Bellovin2000]:
For 1 out of 20.000 packets, routers send an ITrace message with router ID and information about original packet to the same destination
If a flow contains enough packets, the destination is likely to receive ITrace messages from every router on the path.
Limitations:
Router infrastructure has to be modified
Requires large number of packets/flow Î long t.b. time for distributed low-rate attacks
Destination has to store original packets for later comparison with ITrace message
ITrace messages need to be authenticated, e.g. using PKI packet P
ITrace(R1, P)
TCP-SYN flood
>90% of DDoS attacks use TCP [Moore2001]
Several defense mechanisms
SYN cache, SYN cookies, SynDefender, SYN proxying, …
… stateful, have to be installed at victims FW, rely on traceback
Flooding detection system (FDS) [Wang2002] Stateless, low computation overhead Relies on SYN-FIN/RST pairs
Uses CUSUM (cumulative sum) algorithm
Automated model approach [Tupakula2004] Controller-agent model
#SYN - #ACK > limit? Agent sends an alarm to the controller
Central controller verifies alarm signatures and issues countermeasures
SYN Flood Protection (3)
Reminder: Regular TCP 3-Way Handshake
The client sends a ‘TCP SYN’ message seq number = x (chosen by the client) ACK flag = 0
SYN flag = 1
The server allocates a memory for the Transmission Control Block (TCB)
The server sends a ‘TCP SYN ACK’
seq number = y (chosen by the server) ack number = x + 1
ACK flag = 1 SYN flag = 1
The client sends a ‘CONNECT ACK’ seq number = x + 1 ack number = y + 1 ACK flag = 1 SYN flag = 0 client server SYN seq=x
SYN seq=y, ACK x+1
ACK y+1
connection established
SYN Flood Protection: TCP SYN cookies (1)
SYN cookies as a reaction to an attack
SYN cookies are a particular choice of the initial seq number.
The server generates the initial sequence number α such as:
α = h(SSYN, DSYN , K)
SSYN: src addr of the SYN packet
DSYN: addr of the server
K: a secret key
h is a cryptographic hash function.
At arrival of the ACK message, the server calculates α again.
Then, it verifies if the ack number is correct.
If yes, it assumes that the client has sent a SYN message recently (considered as normal behavior), and allocates TCB memory.
client server SYN seq=x
SYN seq= α , ACK x+1
ACK α +1
connection established
References
[Estevez-Tapiador2004] J. M. Estevez-Tapiador, P. Garcia-Teodoro, and J. E. Diaz-Verdejo, "Anomaly detection methods in wired networks: a survey and taxonomy," Computer Communications, vol. 27, July 2004, pp. 1569-1584.
[Kemmerer2002] R. Kemmerer and G. Vigna, "Intrusion Detection: A Brief History and Overview," IEEE
Computer - Special Issue on Security and Privacy, April 2002, pp. 27-30.
[Lee2004] R. B. Lee, "Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures," Princeton University, Technical Report, 2004.
[Li2002] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, "SAVE: Source Address Validity Enforcement Protocol," Proceedings of IEEE Infocom 2002, New York, USA, June 2002. [Mirkovic2004] J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense
Mechanisms," ACM SIGCOMM Computer Communication Review, vol. 34, April 2004, pp. 39-53. [Paxson1999] V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," Computer
Networks, vol. 31, December 1999, pp. 2435-2463.
[Porras1997] P. A. Porras and P. G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances," Proceedings of National Information Systems Security Conference, October 1997.
[Roesch1999] M. Roesch, "Snort: Lightweight Intrusion Detection for Networks," Proceedings of 13th USENIX Conference on System Administration, 1999, pp. 229-238.
[Tupakula2004] U. K. Tupakula, V. Varadharajan, and A. K. Gajam, "Counteracting TCP SYN DDoS
Attacks using Automated Model," Proceedings of IEEE Globecom 2004, Dallas, TX, USA, December 2004.
[Wang2002] H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN Flooding Attacks," Proceedings of IEEE INFOCOM 2002, 2002.
