Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by."— Presentation transcript:

1 Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by the U.S. Department of Defense © 1998 by Carnegie Mellon University

2 Changes in Intrusion Profile 1988 –exploiting passwords –exploiting known vulnerabilities Today –exploiting passwords –exploiting known vulnerabilities –exploiting protocol flaws –examining source files for new security flaws –abusing anonymous FTP, web servers, email –installing sniffer programs –IP source address spoofing –denial of service attacks –widespread, automated scanning of the Internet The definition of “vulnerability” on the Internet is approaching that of the DoD in trusted systems

3 Scanning for Victims Today: Wide scale scanners collect information on 100,000s of hosts around the Internet Sniffers now use the same technology as intrusion detection tools Number and complexity of trust relationships in real systems make victim selection easier

4 Scanning for Victims Tomorrow: Use of data reduction tools and more query-oriented search capability will allow reuse of scan data Inexpensive disk and computation time will encourage the use of cryptography and persistent storage of scan data Scan data becomes a commodity like marketing information

5 Probe Definition A single attempt to collect information, or to compromise a resource. Usually refers to one or more packets that traverse a computer network. Usually inferred to be malicious, but might be used for packets where the intent is unknown or not clear.

6 Scan Definition A scan is a collection of probes, usually with some pattern across a range of systems, services or both.

7 Attractive Targets What information is available to the public? –DNS servers –hosts mentioned in whois records –public service machines (Web, ftp, mail) Intruders may also identify targets with –traceroutes –DNS zone transfers –other advanced scanning techniques

8 Packet Types TCP: Transmission Control Protocol –reliable, connection oriented –3-way handshake establishes connection –telnet, SMTP, SSH, ftp UDP: User Datagram Protocol –Unreliable, connectionless –DNS, bootp, tftp, NFS, SNMP ICMP: Internet Control Message Protocol –error and control information –ping, traceroute

9 Establishing a TCP Connection Send SYN Receive SYN + ACK Send ACK Site A Receive SYN Send SYN + ACK Receive ACK Site B Network Messages

10 Closing a TCP Connection Send FIN + ACK Receive ACK Receive FIN + ACK Send ACK Inform Application Site A Receive FIN + ACK Send ACK Inform application Send FIN + ACK Receive ACK Site B Network Messages

11 TCP Connect Probes The intruder uses the connect() system call to send the probe. These probes open (and perhaps close) a TCP connection as described earlier. Privileged access on the origin host is not needed. This type of probe is the most common and the easiest to detect.

12 TCP SYN Probes The intruder sends a SYN packet. A SYN-ACK response means the port is open. A RST response means the port is closed. These probes are harder to detect because the connection is never fully completed.

13 TCP FIN Probes The intruder sends a FIN packet. Some systems respond with: –RST packets for closed ports –nothing for open ports Like SYN probes, FIN probes are hard to detect because the connection is never completed.

14 ICMP Host Unreachable Probes The intruder sends a packet to a host. If an intermediate router knows that this host does not exist, it may respond with an “ICMP host unreachable” packet. This technique identifies which hosts don’t exist, and by inference, which ones do. More information is available in IN-98.04.

15 Reverse Ident Probes The intruder first connects to an open port. Then they send an ident request to the probed host to determine which userid owns the port. Protect against these scans by using the privacy options in ident. These probes can be used to identify Web servers running as root, etc.

16 FTP Bounce Probes The intruder connects to an FTP server. Then they attempt to transfer files between the FTP server and the target host. Based on the error messages, the intruder can tell if the port is open. FTP bounce probes are often used to probe systems behind a firewall. More information is available in CA-97.27.

17 Decoy Probes The intruder sends several spoofed probes at the same time the real probe is sent. The real origin is hard to determine. This reduces the chance that the probe will be reported and responded to correctly. It can also lead system administrators to doubt the legitimacy of probes reported to them.

18 Spoofed Origin Probes The intruder sends probes with a spoofed source address. Then they use an ethernet sniffer to capture the probe results on a host “near” the spoofed origin of the probes. More information is available in IN-98-05.

19 Fragmented Probes The intruder fragments the header of the probe packet into tiny pieces. Some systems (including firewalls) do not properly filter these packets. Other types of probes can be used with the “fragmented header” technique.

20 Architecture Mapping The intruder sends probes that produce specific responses based on the operating system. The intruder can use this information to identify –operating system –hardware architecture –OS version number More information is available in IN-98.04.

21 Coordinated Scans Coordinated scans are probes that –come from multiple hosts –collectively produce a complete scan The results are collected by a single intruder or shared among cooperating intruders. It looks like there are multiple intruders, but there’s no way to know for sure.

22 Slow Scans The probes in a scan can occur slowly, over days or even weeks. This avoids thresholds in some firewalls. It’s harder to detect than a normal scan. It’s also harder to detect on the originating host. More information is available in IN-98.04.

23 The Future of Probes We’re very likely to see more: –widespread brute-force scanning with little regard for being detected –stealthy probes like SYN and FIN that require packet logging to detect –attempts to hide the origin of the probes through spoofing and decoys –automated vulnerability exploits that probe and compromise in a single step

24 Typical Intruder Attack Intruder scans remote sites to identify targets, then attacks vulnerable or misconfigured hosts Internet Yesterday

25 Distributed Coordinated Attack Intruder scans remote sites to identify targets, then attacks vulnerable or misconfigured hosts Internet Today

26 Distributed Coordinated Attack Uses 100s to 1000s of clients (10,000s) Is triggered by a “victim” and “time” command Will simultaneously attack the victim from all clients Currently does not use random source addresses Today used in DoS attacks only

27 Issues for Responding to DoS Attacks Filtering/detecting this attack is problematic! The intruder’s intent is not always clear in denial of service attacks. The intruder might be –using the DoS attack to hide a real attack –misusing resources to attack someone else –attempting to frame someone else for the attack –disabling a trusted host as part of an intrusion Attacks also frequently involve –IRC abuse –intruders attacking each other –retaliation for securing systems

28 The Future is Automation Put these together and what do you get? –tools to scan for multiple vulnerabilities –architecture identification tools –widely available exploits –pre-packaged Trojan horse backdoor programs –delivery and recon through active content Bad news! Together, these publicly available tools could be modified to launch wide-spread scans and compromise systems automatically.

Download ppt "Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by."

Similar presentations

TCP/IP MODEL Maninder Kaur www.eazynotes.com.

TCP/IP MODEL Maninder Kaur
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Hacker, Cracker?! Are they the same? No!!! Hacker programmers intensely interested in the arcane and recondite workings of any computer operating system.

Hacker, Cracker?! Are they the same? No!!! Hacker programmers intensely interested in the arcane and recondite workings of any computer operating system.
Hacking Linux Based on Hacking Linux Exposed Hatch, Lee, and Kurtz ISBN 0-07-212773-2.

Hacking Linux Based on Hacking Linux Exposed Hatch, Lee, and Kurtz ISBN
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Port Scanning Yiqian Zhang CS 265 Project. What is Port Scanning? port scanning is equivalent to knocking on the walls to find all the doors and windows.

Port Scanning Yiqian Zhang CS 265 Project. What is Port Scanning? port scanning is equivalent to knocking on the walls to find all the doors and windows.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.

Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Port Scanning.

Port Scanning.

Similar presentations

Ads by Google