Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guide to Network Defense and Countermeasures Second Edition Chapter 4 Network Traffic Signatures.

Similar presentations


Presentation on theme: "Guide to Network Defense and Countermeasures Second Edition Chapter 4 Network Traffic Signatures."— Presentation transcript:

1 Guide to Network Defense and Countermeasures Second Edition Chapter 4 Network Traffic Signatures

2 Guide to Network Defense and Countermeasures, Second Edition2 Objectives Describe the concepts of signature analysis Detect normal and suspicious traffic signatures Identify suspicious events Explain the Common Vulnerabilities and Exposures (CVE) standard

3 Guide to Network Defense and Countermeasures, Second Edition3 Understanding Signature Analysis Signature – set of characteristics used to define a type of network activity Intrusion detection devices –Some devices assemble databases of “normal” traffic signatures Deviations from normal signatures trigger an alarm –Other devices refer to a database of well-known attack signatures Traffic that matches stored signatures triggers an alarm –They deal with false positives and false negatives

4 Guide to Network Defense and Countermeasures, Second Edition4 Understanding Signature Analysis (continued) Signature analysis –Analyzes and understands TCP/IP communications –Determines whether they are legitimate or suspicious Bad header information –Common way in which packets are altered –Suspicious signatures can include malformed Source and destination IP address Source and destination port number IP options, protocol and checksums IP fragmentation flags, offset, or identification

5 Guide to Network Defense and Countermeasures, Second Edition5 Understanding Signature Analysis (continued) Bad header information –Checksum Simple error-checking procedure Determines whether a message has been damaged or tampered with while in transit Uses a mathematical formula Suspicious data payload –Payload Actual data sent from an application on one computer to an application on another –Some IDSs check for specific strings in the payload

6 Guide to Network Defense and Countermeasures, Second Edition6 Understanding Signature Analysis (continued) Suspicious data payload –Known attacks Hack’a’Tack Trojan program Flaw in the UNIX Sendmail program Single-Packet Attacks –Also called “atomic attacks” –Completed by sending a single network packet from client to host –Does not need a connection to be established –Changes to IP option settings can cause a server to freeze up

7 Guide to Network Defense and Countermeasures, Second Edition7

8 8 Understanding Signature Analysis (continued) Multiple-Packet Attacks –Also called “composite attacks” –Require a series of packets to be received and executed for the attack to be completed –Especially difficult to detect –Denial-of-service (DoS) attacks are obvious examples ICMP flood

9 Guide to Network Defense and Countermeasures, Second Edition9 Capturing Packets Packet sniffer –Software or hardware that monitors traffic going into or out of a network device –Captures information about each TCP/IP packet it detects –Capturing packets and studying them can help you better understand what makes up a signature

10 Guide to Network Defense and Countermeasures, Second Edition10

11 Guide to Network Defense and Countermeasures, Second Edition11

12 Guide to Network Defense and Countermeasures, Second Edition12

13 Guide to Network Defense and Countermeasures, Second Edition13 Capturing Packets (continued) Packet sniffer –Examples Snort Ethereal Tcpdump

14 Guide to Network Defense and Countermeasures, Second Edition14

15 Guide to Network Defense and Countermeasures, Second Edition15 Detecting Traffic Signatures Need to detect whether traffic is normal or suspicious Network baselining –Process of determining what is normal for your network before you can identify anomalies

16 Guide to Network Defense and Countermeasures, Second Edition16 Normal Traffic Signatures TCP flags –SYN (0x2) –ACK (0x10) –PSH (0x8) –URG (0x20) –RST (0x4) –FIN (0x1) –Numbers 1 and 2 Placement and use of these flags are definite –Deviations from normal use mean that the communication is suspicious

17 Guide to Network Defense and Countermeasures, Second Edition17 Normal Traffic Signatures (continued) Ping signatures –The sequence of packets is shown in the next slides

18 Guide to Network Defense and Countermeasures, Second Edition18

19 Guide to Network Defense and Countermeasures, Second Edition19

20 Guide to Network Defense and Countermeasures, Second Edition20 Normal Traffic Signatures (continued) FTP signatures –The sequence of packets is shown in the next slides –Normal connection signature includes a three-way handshake

21 Guide to Network Defense and Countermeasures, Second Edition21

22 Guide to Network Defense and Countermeasures, Second Edition22

23 Guide to Network Defense and Countermeasures, Second Edition23 Normal Traffic Signatures (continued) Web signatures –Most of the signatures in log files are Web related –Normal communication consists of a sequence of packets distinguished by their TCP flags

24 Guide to Network Defense and Countermeasures, Second Edition24

25 Guide to Network Defense and Countermeasures, Second Edition25 Suspicious traffic signatures Categories –Informational Traffic might not be malicious –Reconnaissance Attacker’s attempt to gain information –Unauthorized access Traffic caused by someone who has gained unauthorized access –Denial of service Traffic might be part of a more complex attack

26 Guide to Network Defense and Countermeasures, Second Edition26 Suspicious traffic signatures (continued) Ping sweeps –Also called an ICMP sweep –Used by attackers to determine the location of a host –Attacker sends a series of ICMP echo request packets in a range of IP addresses –Ping sweep alone does not cause harm

27 Guide to Network Defense and Countermeasures, Second Edition27

28 Guide to Network Defense and Countermeasures, Second Edition28 Suspicious traffic signatures (continued) Port scans –Attempt to connect to a computer’s ports to see whether any are active and listening –Signature typically includes a SYN packet sent to each port

29 Guide to Network Defense and Countermeasures, Second Edition29

30 Guide to Network Defense and Countermeasures, Second Edition30 Suspicious traffic signatures (continued) Random back door scan –Probes a computer to see if any ports are open and listening that are used by well-known Trojan programs –Trojan programs Applications that seem to be harmless but can cause harm to a computer or its files

31 Guide to Network Defense and Countermeasures, Second Edition31

32 Guide to Network Defense and Countermeasures, Second Edition32

33 Guide to Network Defense and Countermeasures, Second Edition33 Suspicious traffic signatures (continued) Specific Trojan scans –Port scans can be performed in several ways –Vanilla scan Probes all ports from 0 to 65,535 –Strobe scan Probes only ports commonly used by specific programs Can be used to detect whether a Trojan program is already installed and running

34 Guide to Network Defense and Countermeasures, Second Edition34

35 Guide to Network Defense and Countermeasures, Second Edition35 Suspicious traffic signatures (continued) Nmap scans –Network mapper (Nmap) Popular software tool for scanning networks –Nmap scans can circumvent IDSs monitoring –Examples of Nmap scans SYN scan FIN scan ACK scan Null scan

36 Guide to Network Defense and Countermeasures, Second Edition36

37 Guide to Network Defense and Countermeasures, Second Edition37 Identifying Suspicious Events Attackers avoid launching well-known attacks –Use waiting intervals to fool detection systems Reviewing log files manually can be overwhelming –Must check them and identify potential attacks You can use IDSs to help you with this task –IDSs depend on extensive databases of attack signatures

38 Guide to Network Defense and Countermeasures, Second Edition38 Packet Header Discrepancies Falsified IP address –Attacker can insert a false address into the IP header Make the packet more difficult to trace back –Also known as IP spoofing Falsified port number or protocol –Protocol numbers can also be altered Illegal TCP flags –Look at the TCP flags for violations of normal usage –Examples of SYN and FIN flags misuse SYN/FIN SYN/FIN/PSH,SYN/FIN/RST,SYN/FIN/RST/PSH

39 Guide to Network Defense and Countermeasures, Second Edition39 Packet Header Discrepancies (continued) TCP or IP options –TCP options can alert you of an attack Only one MSS option should appear in a packet MSS, NOP, and SackOK should appear only in packets that have the SYN and/or ACK flag set TCP packets have two “reserved bits” –IP options Originally intended as ways to insert special handling instructions into packets Attackers mostly use IP options now for attack attempts

40 Guide to Network Defense and Countermeasures, Second Edition40 Packet Header Discrepancies (continued) Fragmentation abuses –Maximum transmit unit (MTU) Maximum packet size that can be transmitted over a network –Packets larger than the MTU must be fragmented Broken into multiple segments small enough for the network to handle –Fragmentation abuses Overlapping fragments Fragments that are too long or too small Fragments overwriting data

41 Guide to Network Defense and Countermeasures, Second Edition41 Advanced Attacks Advanced IDS evasion techniques –Polymorphic buffer overflow attack Uses a tool called ADMutate Alter an attack’s shell code to differ from the known signature many IDSs use Once packets reach the target, they reassemble into original form –Path obfuscation Directory path in payload is obfuscated by using multiple forward slashes Alternatively, it can use the Unicode equivalent of a forward slash, %co%af

42 Guide to Network Defense and Countermeasures, Second Edition42 Advanced Attacks (continued) Advanced IDS evasion techniques –Common Gateway Interface (CGI) scripts Scripts used to process data submitted over the Internet Examples –Count.cgi –FormMail –AnyForm –Php.cgi –TextCounter –GuestBook

43 Guide to Network Defense and Countermeasures, Second Edition43 Remote Procedure Calls Remote Procedure Call (RPC) –Standard set of communication rules –Allows one computer to request a service from another computer on a network Portmapper –Maintains a record of each remotely accessible program and the port it uses –Converts RPC program numbers into TCP/IP port numbers

44 Guide to Network Defense and Countermeasures, Second Edition44 Remote Procedure Calls (continued) RPC-related security events –RPC dump Targeted host receives an RPC dump request –RPC set spoof Targeted host receives an RPC set request from a source IP address of 127.x.x.x –RPC NFS sweep Targeted host receives series of requests for the Network File System (NFS) on different ports

45 Guide to Network Defense and Countermeasures, Second Edition45 Using the Common Vulnerabilities and Exposures (CVE) Standard Make sure your security devices share information and coordinate with one another –Each devices uses its own “language” Common Vulnerabilities and Exposures (CVE) –Enables devices to share information using the same standard

46 Guide to Network Defense and Countermeasures, Second Edition46 How the CVE Works CVE enables hardware and devices to draw from the same database of vulnerabilities Benefits –Stronger security –Better performance

47 Guide to Network Defense and Countermeasures, Second Edition47

48 Guide to Network Defense and Countermeasures, Second Edition48 Scanning CVE Vulnerabilities Descriptions Can view current CVE vulnerabilities online –And even download the list The CVE list is not a vulnerability database that can be used with an IDS Information in a CVE reference –Name of the vulnerability –Short description –References to the event in other databases Such as BUGTRAQ

49 Guide to Network Defense and Countermeasures, Second Edition49

50 Guide to Network Defense and Countermeasures, Second Edition50 Summary Interpreting network traffic signatures –Can help prevent network intrusions Analysis of traffic signatures –Integral aspect of intrusion prevention Possible intrusions are marked by invalid settings Packet sniffers –Capture packets Learn what normal traffic signatures look like –Help identify signatures of suspicious connection attempts

51 Guide to Network Defense and Countermeasures, Second Edition51 Summary (continued) Suspicious network events –“Orphaned” packets –Land attacks –Localhost source spoof –Falsified protocol numbers –Illegal combinations of TCP flags Advanced attacks –Difficult to detect without a database of intrusion signatures or user behaviors

52 Guide to Network Defense and Countermeasures, Second Edition52 Summary (continued) Advanced attack methods include –Exploiting CGI vulnerabilities –Misusing Remote Procedure Calls Common Vulnerabilities and Exposures (CVE) –Enables security devices to share attack signatures and information about network vulnerabilities


Download ppt "Guide to Network Defense and Countermeasures Second Edition Chapter 4 Network Traffic Signatures."

Similar presentations


Ads by Google