Packets and Protocols Chapter Seven Real World Packet Captures.


Packets and Protocols Chapter Seven Real World Packet Captures

Packets and Protocols Chapter 7
- Scanning
  - Usually done by a hacker (white hat or black hat) to find vulnerabilities
  - Can also be part of a worm or other attack
  - Attacks are often preceded by a ping

- Reference capture file: scan1.log
  - TCP Connect Scan Attack
    - Look for a large number of TCP resets using the same source port (52218)
    - Filter on tcp.flags.syn==1&&tcp.flags.ack==1 or tcp.flags==18

- Same port used over and over and over

- Reference capture file: scan1.log
  - SYN Flood Attack
    - An intruder sends a SYN packet and analyzes the response. If an RST/ACK is received, the port is closed. If a SYN/ACK is received, the port is open and listening.
    - Look for a large number of TCP resets and incrementing port numbers
    - Filter on tcp.flags == 0x14

- Does this look normal???

- Reference capture file: scan1.log
  - XMAS Scan
    - “The XMAS scan determines which ports are open by sending packets with invalid flag settings to a target device. It is considered a stealth scan because it may be able to bypass some firewalls and IDSs more easily than the SYN scans. This XMAS scan sends packets with the Finish (FIN), Push (PSH), and Urgent (URG) flags set.”
    - Harder to detect, but the key is to look for patterns
    - Works well against Windows systems

- tcp.flags == 0x29 (i.e. FIN, PSH, URG)

- Reference capture file: scan1.log
  - NULL Scan
    - “The Null scan determines which ports are open by sending packets with invalid flag settings to a target device. It is considered a stealth scan because it may be able to bypass some firewalls and IDSs more easily than the SYN scans. This Null scan sends packets with all flags turned off. Closed ports will respond with an RST/ACK, and open ports will drop the packet and not respond.”
    - Harder to detect, but the key is to look for patterns
    - Not effective against Windows systems, but works on Cisco, HP-UX, MVS, etc.

- tcp.flags == 0x0 (i.e. no TCP flags)
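The four display filters above (tcp.flags == 18, 0x14, 0x29 and 0x0) and the two reset patterns the slides point at (many RST/ACKs answering the same source port; RST/ACKs for incrementing port numbers) can be expressed as detection logic rather than eyeballed in a capture. The following Python is an added example, not code from the slides or the course: the flag constants mirror the bit values behind Wireshark's tcp.flags field, while the packet summaries, addresses, port numbers and the threshold of five are constructed for illustration.

```python
"""Scan-pattern detection over TCP packet summaries (added example, not from the slides).

Implements the patterns the slides describe for the display filters
tcp.flags == 18 (SYN/ACK), tcp.flags == 0x14 (RST/ACK), tcp.flags == 0x29 (XMAS)
and tcp.flags == 0x0 (NULL). The packet summaries below are constructed, not
taken from scan1.log.
"""
from collections import defaultdict

# TCP flag bits, in the same numeric form Wireshark's tcp.flags field uses
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

SYN_ACK = SYN | ACK        # tcp.flags == 18  (0x12)
RST_ACK = RST | ACK        # tcp.flags == 0x14
XMAS = FIN | PSH | URG     # tcp.flags == 0x29
NULL = 0x00                # tcp.flags == 0x0


def flag_names(flags):
    """Spell out a tcp.flags value, e.g. 0x29 -> 'FIN/PSH/URG'; 0 -> 'NONE'."""
    table = (("FIN", FIN), ("SYN", SYN), ("RST", RST),
             ("PSH", PSH), ("ACK", ACK), ("URG", URG))
    return "/".join(name for name, bit in table if flags & bit) or "NONE"


def detect_scans(packets, threshold=5):
    """Return (pattern, scanner, target, count) tuples for suspicious traffic.

    Each packet is a dict with keys src, sport, dst, dport, flags.  RST/ACK
    replies flow target -> scanner, so for them the packet's dst is the
    scanner and its sport is the port that was probed.
    """
    resets = defaultdict(list)     # (scanner, target) -> [(probed port, scanner port)]
    odd_flags = defaultdict(int)   # (pattern, scanner, target) -> packet count
    for p in packets:
        if p["flags"] == RST_ACK:
            resets[(p["dst"], p["src"])].append((p["sport"], p["dport"]))
        elif p["flags"] == XMAS:
            odd_flags[("xmas-flags", p["src"], p["dst"])] += 1
        elif p["flags"] == NULL:
            odd_flags[("null-flags", p["src"], p["dst"])] += 1

    findings = []
    for (scanner, target), pairs in resets.items():
        if len(pairs) < threshold:
            continue
        probed = [probed_port for probed_port, _ in pairs]
        scanner_ports = {scanner_port for _, scanner_port in pairs}
        if len(scanner_ports) == 1:
            # Many resets all answering the same client port: the "same source port" pattern
            findings.append(("same-source-port", scanner, target, len(pairs)))
        if all(b == a + 1 for a, b in zip(probed, probed[1:])):
            # Reset after reset for consecutive ports: the "incrementing port numbers" pattern
            findings.append(("incrementing-ports", scanner, target, len(pairs)))
    for (pattern, scanner, target), count in odd_flags.items():
        if count >= threshold:
            findings.append((pattern, scanner, target, count))
    return findings


def sample_packets():
    """Constructed packet summaries covering each pattern plus one benign reply."""
    pkts = []
    # Target 10.0.0.5 answers six probes with RST/ACK, always back to client port 52218
    for port in (21, 443, 3389, 8080, 23, 139):
        pkts.append(dict(src="10.0.0.5", sport=port, dst="10.0.0.9", dport=52218, flags=RST_ACK))
    # Target 10.0.0.6 answers RST/ACK for ports 1..6 in order; the client port changes each time
    for i, port in enumerate(range(1, 7)):
        pkts.append(dict(src="10.0.0.6", sport=port, dst="10.0.0.9", dport=40000 + i, flags=RST_ACK))
    # Scanner sends XMAS probes (FIN/PSH/URG) to 10.0.0.7
    for port in range(20, 26):
        pkts.append(dict(src="10.0.0.9", sport=4444, dst="10.0.0.7", dport=port, flags=XMAS))
    # A single normal SYN/ACK; should produce no finding
    pkts.append(dict(src="10.0.0.5", sport=80, dst="10.0.0.9", dport=52219, flags=SYN_ACK))
    return pkts


if __name__ == "__main__":
    for pattern, scanner, target, count in detect_scans(sample_packets()):
        print(f"{pattern:20s} scanner={scanner} target={target} packets={count}")
```

The grouping key is deliberately the (scanner, target) pair rather than a single host, so a scan spread across several targets from one source still surfaces per target; lowering the threshold trades false positives for earlier detection, which is the same judgement call the slides' "look for patterns" advice leaves to the analyst.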

- Reference capture file: scan2.log
  - Remote Access Trojan Horse Scans
    - SubSeven Legend scan
      - Very common, easy to detect, but there are many variations
      - Attacks a Windows backdoor vulnerability

- Exploits port 27374 (tcp.dstport == 27374)

- Reference capture file: netbus.log
  - Remote Access Trojan Horse Scans
    - NetBus scan
      - Very common, easy to detect, but there are many variations
      - Attacks a Windows backdoor vulnerability

- Exploits port and (tcp.dstport == 27374)

- Reference capture file: scan2.log
  - RST.b
    - Affects Linux systems
    - Look for the word “DOM” in the payload

- Search for “DOM” with the find tool

- Worms!
  - Becoming more common
  - Getting smarter
  - Multiple vulnerabilities
  - Ability to propagate faster than ever

- SQL/Slammer
  - Reference capture file: scan3.log
  - January 25
  - It exploits a vulnerability in the Resolution Service of Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000


- udp.dstport == 1434

- Reference capture files: CodeRed_Stage1 and CodeRed_Stage2
  - Code Red
    - Several variants
    - Attacks IIS web servers and causes a buffer overflow

- Look for the string “GET /default.ida?NNNNNNNN”

- Reference capture file: ramenattack.gz
  - Ramen
    - Targets Red Hat Linux 6.2 and Red Hat Linux 7.0
    - Easy to detect; makes no attempt at stealth
    - Search for the word “ramen”

- Attempts to create a /usr/scr.poop directory
- Encourages people to eat ramen noodles
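The Trojan and worm slides above each give either a port filter (tcp.dstport == 27374, udp.dstport == 1434) or a string to search for (“DOM”, “GET /default.ida?NNNNNNNN”, “ramen”). The following Python is an added example, not code from the slides or the course: a minimal IPv4/TCP/UDP header parser written with the standard library, plus a small rule list that applies those port and string indicators to parsed packets. The rule names, the builder helpers and every packet it parses are constructed for this example; the sample payloads are stand-ins that contain the slides' strings, not captured worm traffic, and checksums are left at zero because the parser does not verify them.

```python
"""Indicator matching on raw IPv4 packets (added example, not from the slides).

A minimal IPv4/TCP/UDP header parser plus the indicators the slides give as
Wireshark filters or search strings: tcp.dstport == 27374 (SubSeven),
udp.dstport == 1434 (Slammer), "GET /default.ida?NNNN" (Code Red), "DOM" (RST.b)
and "ramen" (Ramen).  Rule names and every packet below are constructed.
"""
import struct

# (rule name, transport, destination port or None for any, payload substring or None)
RULES = [
    ("subseven-port", "tcp", 27374, None),
    ("slammer-port", "udp", 1434, None),
    ("codered-default-ida", "tcp", 80, b"GET /default.ida?NNNN"),
    ("rstb-dom", "tcp", None, b"DOM"),
    ("ramen-string", "tcp", None, b"ramen"),
]


def parse_ipv4(raw):
    """Parse an IPv4 packet (no link layer) into a dict; TCP/UDP get ports and payload."""
    if raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]
    pkt = {
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "transport": {6: "tcp", 17: "udp"}.get(proto, str(proto)),
        "sport": None, "dport": None, "payload": b"",
    }
    l4 = raw[ihl:total_len]
    if proto == 6:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        pkt["flags"] = l4[13]                      # same byte Wireshark shows as tcp.flags
        pkt["payload"] = l4[(l4[12] >> 4) * 4:]    # skip the TCP header including options
    elif proto == 17:
        pkt["sport"], pkt["dport"], ulen = struct.unpack("!HHH", l4[:6])
        pkt["payload"] = l4[8:ulen]
    return pkt


def match_rules(pkt, rules=RULES):
    """Names of the rules a parsed packet satisfies; port and substring must both hold."""
    hits = []
    for name, transport, dport, needle in rules:
        if pkt["transport"] != transport:
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        if needle is not None and needle not in pkt["payload"]:
            continue
        hits.append(name)
    return hits


# Builders for constructed test packets (checksums deliberately left at zero)
def _ip(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(proto, src, dst, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return hdr + l4


def build_tcp(sport, dport, flags, payload=b""):
    # data offset 5 (20-byte header, no options), seq/ack 0, window 8192
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def sample_frames():
    """Constructed packets: one per indicator plus a benign HTTP request."""
    return {
        "subseven": build_ipv4(6, "10.0.0.9", "10.0.0.5", build_tcp(3000, 27374, 0x02)),
        "slammer": build_ipv4(17, "10.0.0.9", "10.0.0.5", build_udp(1434, 1434, b"\x04" + b"A" * 16)),
        "codered": build_ipv4(6, "10.0.0.9", "10.0.0.5",
                              build_tcp(3001, 80, 0x18, b"GET /default.ida?NNNNNNNNNNNN HTTP/1.0\r\n\r\n")),
        "benign": build_ipv4(6, "10.0.0.9", "10.0.0.5", build_tcp(3002, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n")),
    }


def scan_frames(frames):
    """Map each frame name to the rule names it triggers."""
    return {name: match_rules(parse_ipv4(raw)) for name, raw in frames.items()}


if __name__ == "__main__":
    for name, hits in scan_frames(sample_frames()).items():
        print(f"{name:9s} -> {hits or 'clean'}")
```

Port-only rules such as the 27374 and 1434 entries are the cheapest to evaluate but also the noisiest, since a port number says nothing about the payload; the string rules are tighter but only catch the variant whose text they were written for, which is the "many variations" caveat the slides attach to the Trojan scans.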

- Active responses to attacks
  - Snort and other IDS systems can stop attacks by sending a TCP FIN to the attacker and closing the TCP stream
    - It can then notify the administrator of an attack
  - Firewalls can stop the attacks by trashing the packets
    - They can then notify the administrator of an attack

- Kowalski virus mitigation theory
  - Disconnect
  - Filter at the border
  - Clean the LAN(s)
  - Reopen the border
  - Monitor, monitor, monitor

- Virus detection tips:
  - Look for patterns
    - Same port
    - Incrementing port
  - Look for unusual TCP flags
    - FIN, RST, PSH
    - No flags
  - Sniffer companies will post filters for your use so you can detect if you are infected
  - Look for unusual protocols

- Virus prevention tips
  - Most attacks can be thwarted by keeping your patches up to date
  - Some viruses have common embedded strings and are easy to detect
  - Use a firewall or IDS
  - TURN OFF OR BLOCK WHAT YOU DO NOT NEED!