Network Intrusion Detection, Third Edition
Repeat the Executive Summary
You know the drill. Tell them what you are going to tell them, tell it to them, and then tell them what you told them. This is an excellent time to repeat your Executive Summary points.
Summary
I hope this chapter and this book have been helpful to you. This chapter was tailored for security professionals who don't have an intrusion-detection capability, want to upgrade their capability, or have these job positions under scrutiny. In much of the book, we try to give you a bit of insight into the enemy. In this chapter, we have tried to give you insight into management and business processes.
The most important thing to keep in mind, both for yourself and when you brief management, is that intrusion detection should be an integral part of your organization's information-assurance strategy. In fact, intrusion detection should be a part of every nation's information-assurance strategy. The events of this coming year, with massive IRC-bot-driven distributed denial-of-service attacks, SNMP/ASN.1 exploits, and polymorphic attacks, will prove this to be true. You don't need an IDS to detect a DDoS attack, but it will help you find the compromised hosts before they can be used to hurt someone. Now, let us take some time to discuss the future of intrusion detection in the final chapter of this book.
Chapter 20. Future Directions
Prognostication is dangerous. Have you seen the studies on the accuracy of newspaper and tabloid predictions? How will we do better? It is time to discuss the leading edge, the emerging tools and trends in intrusion detection. I am asked to speak on the future of various information-assurance topics a couple of times a year and try to stay abreast of trends, hold focus groups, and so forth. None of that ensures that I will be right about anything, so consider what you read in this chapter with care. With that, here is my read on the future of intrusion detection.
In terms of broad trends, we will discuss the emerging threat, cyber-terrorism, the ease by which attackers are able to install and run malicious code on our systems, the improvements in reconnaissance and targeting, skills versus tools, defense in depth, and large-scale intrusion detection. Finally, we'll close with some short takes on emerging trends.
Increasing Threat
One of the drivers that fuels the continued interest in intrusion detection is the increasing threat. The progress in attacker tools over the past year has been incredible. I am not talking about Code Red so much as Leaves and the IRC bot (robot program) nets that reached a significant level of sophistication in mid-2001. Attackers have the firepower to knock almost any site off the Internet. They can coordinate a fast scan, blowing through half of a class B in about five minutes from 2,500 or so discrete source hosts. They can also scan very slowly, modulating the technique to be almost undetectable. Many of these attackers are also security practitioners by day, a disturbing fact, and they are not planning to stop writing attack code.
Cyber-Terrorism
"Have you seen any evidence of increasing attacks, anything significant?" No fewer than five of my friends who work for the government had asked me that question by noon on 9/11/2001. Suddenly, we started hearing about cyber-terrorism and, with Executive Order 13231 filed after the attack, we see the US Government preparing defensive mechanisms against cyber-terrorism. Although we have tried to detail the increasing threat, and to be sure there is a lot of firepower out there, I do not see any evidence that cyber-based terrorism is a near-term threat. There are hints and glimmerings of it, but the emphasis of terrorism seems to remain fixed on bombs and guns. Is cyber-terrorism a credible threat? In some sense, it has to be. Much of the infrastructure is computer controlled, and the computers are certainly vulnerable. The main thing holding cyber-based terrorism back seems to be the attackers' apparent lack of skill and motivation. In other words, the committed terrorists still seem to prefer bombs and guns to laptops for now.
With that said, we do need to consider the implications of the large attack networks that have been formed in the past year. One reason we have not seen more damage is that many of the people involved in creating these attack networks are not really malevolent.
An interesting trend that is as true today as it was when I first learned about it in 1997 is that a main theme of all this advanced denial of service is Internet Relay Chat (IRC). Groups of hackers fighting for control of IRC chatrooms developed the denial-of-service tools. As long as people were content to clobber IRC servers, who cared? Now the genie is out of the bottle and it cannot be put back. It is interesting that the latest attack networks are IRC bots, but they are certainly not constrained to IRC targets. If a group bent on terrorism were to gain control of one of these networks, it could certainly do significant damage, especially financially. If you could keep the top ten Internet businesses offline for a week, what would the potential financial damage be? It is more than just the lost revenue; it would include the weakened state of the companies and potentially a serious effect on the stock market, especially the technology-rich NASDAQ exchange.
The bottom line on terrorism, cyber or not, is that your organization should have a contingency plan. Right after 9/11, there was a bit of concern about creating and updating business continuity plans, but it seemed to pass quickly, even while the site of the World Trade Center was still smoking. The main thing is to make sure you have an alternative way of doing business in case the net infrastructure gets severely perturbed at some point.
Large-Scale Compromise
Trojan horses, logic bombs, and software vulnerabilities are incredibly rampant. The bad news is that it is essentially impossible to secure modern operating systems. One of the reasons for this is their complexity. Take a look at your active processes, ps -ax or ps -ef on UNIX and Ctrl+Alt+Del on Windows. Ask yourself whether you would recognize it if something changed in anything that is shown. These are high-level listings, not the function calls and .dlls themselves. If someone were able to plant a malicious routine on one of your systems, you would probably not be able to find it except with a tool like anti-virus software. So how do these backdoors and such get planted on your systems?
A huge vector for Windows systems in the past two years has been browser-related problems. A number of vulnerabilities in Microsoft's Internet Explorer have been reported that allow attackers to run arbitrary programs on systems when the browser downloads web pages with specially formatted strings. This is on top of the previous trend of creating attacks based on vulnerabilities in the Outlook mail program. Granted, these attacks are at the bottom of the food chain in some sense—PCs—many of which are on dial-up connections and cannot do that much damage; but just as many are inside government facilities, corporations, educational institutions, and homes with broadband connectivity. On UNIX systems, a variety of buffer overflows have been found and exploited that allow attackers to accomplish the same thing. In addition to the techniques that attackers use to break into systems, they are also becoming more adept at finding systems to break into.
Improved Targeting
In this book, you have learned a lot about the various reconnaissance techniques attackers use. Multiple organizations are involved in Internet mapping efforts. Some of the aspects of advanced targeting include the following:
• Techniques to maximize results using broadcast packets when possible. If a site allows broadcast packets to enter its network from the Internet, this allows the attackers to get significant results with a fairly low number of stimulus packets. Scanning is actually fairly slow going; this is the reason nmap and other tools default to an echo request first. If they get a reply, they invest in scanning for open ports and protocols.
• Avoidance of dangerous IP address ranges, based on lists of honeypots and sites that are known to be alert and active in reporting to CIRTs and law enforcement.
• Sharing reconnaissance data between scanning organizations minimizes the footprint. If two groups have different techniques and they share the results, it is harder to detect them in action, especially if they both use distributed scanning.
Because the reconnaissance has been going on for a long time, we are now seeing the results of long-term mapping efforts. When you see a few probes, they might be validating that the site map the attackers hold is still fairly up-to-date. As new vulnerabilities are found, the attackers will have the capability to launch precision attacks.
How the Threat Will Be Manifested
The fact that systems are vulnerable and attackers are perfecting their techniques for finding vulnerable systems is not news. What changed in late 2001 and early 2002 was the scale. Large-scale, successful attacks such as the Leaves SubSeven scans, Code Red and Nimda against IIS, and the SNMP/ASN.1 and Apache PHP attacks in early 2002 left attackers with networks of thousands and thousands of compromised zombie systems, and they had primitive but workable command-and-control systems to manage these networks.