Guide to Network Defense and Countermeasures Second Edition


1 Guide to Network Defense and Countermeasures Second Edition
Chapter 4 Network Traffic Signatures

2 Objectives
- Describe the concepts of signature analysis
- Detect normal and suspicious traffic signatures
- Identify suspicious events
- Explain the Common Vulnerabilities and Exposures (CVE) standard
Guide to Network Defense and Countermeasures, Second Edition

3 Understanding Signature Analysis
- Signature: set of characteristics used to define a type of network activity
- Intrusion detection devices
  - Some devices assemble databases of "normal" traffic signatures; deviations from normal signatures trigger an alarm
  - Other devices refer to a database of well-known attack signatures; traffic that matches stored signatures triggers an alarm
  - Both approaches must deal with false positives and false negatives

4 Understanding Signature Analysis (continued)
- Signature analysis examines TCP/IP communications and determines whether they are legitimate or suspicious
- Bad header information is a common way in which packets are altered
- Suspicious signatures can include malformed:
  - Source and destination IP address
  - Source and destination port number
  - IP options, protocol, and checksums
  - IP fragmentation flags, offset, or identification

5 Understanding Signature Analysis (continued)
- Bad header information
  - Checksum: simple error-checking procedure that determines whether a message has been damaged or tampered with while in transit; uses a mathematical formula
- Suspicious data payload
  - Payload: actual data sent from an application on one computer to an application on another
  - Some IDSs check for specific strings in the payload
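The "mathematical formula" behind the IP header checksum, as an added example (not from the textbook): the RFC 1071 one's-complement sum, applied to a constructed 20-byte IPv4 header whose addresses and checksum value are chosen here, with a tamper helper to show that a changed header byte no longer verifies.

```python
import struct

# Constructed IPv4 header (20 bytes, no options), not a capture from the slides:
# 172.16.10.99 -> 172.16.10.12, TTL 64, protocol 6 (TCP), stored checksum 0xb1e6.
GOOD_HEADER = bytes.fromhex("4500003c1c4640004006b1e6ac100a63ac100a0c")

def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:                       # pad an odd trailing byte with zero
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def verify_ip_header(packet: bytes) -> bool:
    """Recompute the checksum over the header with its checksum field zeroed
    and compare with the value the sender stored at bytes 10-11."""
    ihl = (packet[0] & 0x0F) * 4            # header length from the IHL field
    header = packet[:ihl]
    stored = struct.unpack("!H", header[10:12])[0]
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return internet_checksum(zeroed) == stored

def tamper(packet: bytes, offset: int, value: int) -> bytes:
    """Return a copy with one header byte changed (simulated in-transit alteration)."""
    mutable = bytearray(packet)
    mutable[offset] = value
    return bytes(mutable)
```

A header that verifies also sums to zero when the stored checksum is included, which is the shortcut most receivers use.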

6 Understanding Signature Analysis (continued)
- Suspicious data payload: known attacks
  - Hack'a'Tack Trojan program
  - Flaw in the UNIX Sendmail program
- Single-packet attacks
  - Also called "atomic attacks"
  - Completed by sending a single network packet from client to host
  - Does not need a connection to be established
  - Changes to IP option settings can cause a server to freeze up

7 (figure slide, no transcript text)

8 Understanding Signature Analysis (continued)
- Multiple-packet attacks
  - Also called "composite attacks"
  - Require a series of packets to be received and executed for the attack to be completed
  - Especially difficult to detect
  - Denial-of-service (DoS) attacks are obvious examples, such as an ICMP flood

9 Capturing Packets
- Packet sniffer: software or hardware that monitors traffic going into or out of a network device
  - Captures information about each TCP/IP packet it detects
- Capturing packets and studying them can help you better understand what makes up a signature

10 (figure slide, no transcript text)

11 (figure slide, no transcript text)

12 (figure slide, no transcript text)

13 Capturing Packets (continued)
- Packet sniffer examples
  - Snort
  - Ethereal
  - Tcpdump

14 (figure slide, no transcript text)

15 Detecting Traffic Signatures
- Need to detect whether traffic is normal or suspicious
- Network baselining: process of determining what is normal for your network before you can identify anomalies

16 Normal Traffic Signatures
- TCP flags
  - SYN (0x2)
  - ACK (0x10)
  - PSH (0x8)
  - URG (0x20)
  - RST (0x4)
  - FIN (0x1)
- Numbers 1 and 2
- Placement and use of these flags are definite
  - Deviations from normal use mean that the communication is suspicious

17 Normal Traffic Signatures (continued)
- Ping signatures
  - The sequence of packets is shown in the next slides

18 (figure slide, no transcript text)

19 (figure slide, no transcript text)

20 Normal Traffic Signatures (continued)
- FTP signatures
  - The sequence of packets is shown in the next slides
  - Normal connection signature includes a three-way handshake

21 (figure slide, no transcript text)

22 (figure slide, no transcript text)

23 Normal Traffic Signatures (continued)
- Web signatures
  - Most of the signatures in log files are Web related
  - Normal communication consists of a sequence of packets distinguished by their TCP flags

24 (figure slide, no transcript text)

25 Suspicious traffic signatures
- Categories
  - Informational: traffic might not be malicious
  - Reconnaissance: attacker's attempt to gain information
  - Unauthorized access: traffic caused by someone who has gained unauthorized access
  - Denial of service: traffic might be part of a more complex attack

26 Suspicious traffic signatures (continued)
- Ping sweeps
  - Also called an ICMP sweep
  - Used by attackers to determine the location of a host
  - Attacker sends a series of ICMP echo request packets to a range of IP addresses
  - A ping sweep alone does not cause harm

27 (figure slide, no transcript text)

28 Suspicious traffic signatures (continued)
- Port scans
  - Attempt to connect to a computer's ports to see whether any are active and listening
  - Signature typically includes a SYN packet sent to each port
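The two reconnaissance signatures from slides 26 and 28 (one source pinging a range of addresses; one source sending a SYN to port after port on one host) turned into detection logic, as an added example that is not from the textbook. The packet summaries are constructed, and the thresholds of five hosts and five ports are assumptions.

```python
from collections import defaultdict

# Constructed packet summaries (src, dst, proto, dport, flags); not captured traffic.
# "S" = bare SYN, "A" = ACK; ICMP entries carry the message type instead of flags.
PACKETS = (
    # one source sends ICMP echo requests to six consecutive hosts (sweep pattern)
    [("10.0.0.5", f"192.168.1.{n}", "icmp", None, "echo-request") for n in range(1, 7)]
    # another source sends a SYN to six different ports on one host (scan pattern)
    + [("10.0.0.7", "192.168.1.20", "tcp", p, "S") for p in (21, 22, 23, 25, 80, 443)]
    # a normal single connection: SYN then ACK to one port
    + [("10.0.0.9", "192.168.1.20", "tcp", 80, "S"),
       ("10.0.0.9", "192.168.1.20", "tcp", 80, "A")]
)

def detect_scans(packets, host_threshold=5, port_threshold=5):
    """Flag ping sweeps (one source pinging many hosts) and port scans
    (one source sending bare SYNs to many ports on one host)."""
    echo_targets = defaultdict(set)   # src -> hosts that received an echo request
    syn_ports = defaultdict(set)      # (src, dst) -> ports that received a bare SYN
    for src, dst, proto, dport, flags in packets:
        if proto == "icmp" and flags == "echo-request":
            echo_targets[src].add(dst)
        elif proto == "tcp" and flags == "S":
            syn_ports[(src, dst)].add(dport)
    alerts = []
    for src, hosts in echo_targets.items():
        if len(hosts) >= host_threshold:
            alerts.append(("ping-sweep", src, len(hosts)))
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= port_threshold:
            alerts.append(("port-scan", src, dst, len(ports)))
    return alerts
```

The point slide 37 makes about waiting intervals applies here: a counter without a time window never sees a slow scan, so a production detector ages these sets out over a sliding window rather than keeping them forever.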

29 (figure slide, no transcript text)

30 Suspicious traffic signatures (continued)
- Random back door scan
  - Probes a computer to see if any ports are open and listening that are used by well-known Trojan programs
- Trojan programs
  - Applications that seem to be harmless but can cause harm to a computer or its files

31 (figure slide, no transcript text)

32 (figure slide, no transcript text)

33 Suspicious traffic signatures (continued)
- Specific Trojan scans
  - Port scans can be performed in several ways
    - Vanilla scan: probes all ports from 0 to 65,535
    - Strobe scan: probes only ports commonly used by specific programs
  - Can be used to detect whether a Trojan program is already installed and running

34 (figure slide, no transcript text)

35 Suspicious traffic signatures (continued)
- Nmap scans
  - Network Mapper (Nmap): popular software tool for scanning networks
  - Nmap scans can circumvent IDS monitoring
  - Examples of Nmap scans
    - SYN scan
    - FIN scan
    - ACK scan
    - Null scan

36 (figure slide, no transcript text)

37 Identifying Suspicious Events
- Attackers avoid launching well-known attacks
  - Use waiting intervals to fool detection systems
- Reviewing log files manually can be overwhelming
  - Must check them and identify potential attacks
  - You can use IDSs to help you with this task
  - IDSs depend on extensive databases of attack signatures

38 Packet Header Discrepancies
- Falsified IP address
  - Attacker can insert a false address into the IP header to make the packet more difficult to trace back
  - Also known as IP spoofing
- Falsified port number or protocol
  - Protocol numbers can also be altered
- Illegal TCP flags
  - Look at the TCP flags for violations of normal usage
  - Examples of SYN and FIN flag misuse: SYN/FIN, SYN/FIN/PSH, SYN/FIN/RST, SYN/FIN/RST/PSH

39 Packet Header Discrepancies (continued)
- TCP or IP options
  - TCP options can alert you to an attack
    - Only one MSS option should appear in a packet
    - MSS, NOP, and SackOK should appear only in packets that have the SYN and/or ACK flag set
    - TCP packets have two "reserved bits"
  - IP options
    - Originally intended as a way to insert special handling instructions into packets
    - Attackers now mostly use IP options for attack attempts
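The flag and option rules from slides 38 and 39 applied to a raw TCP header, as an added example (not the textbook's code): it parses the flags byte and the option list, then reports SYN/FIN combinations, a packet with no flags, non-zero reserved bits, duplicate MSS options, and MSS/NOP/SackOK outside a SYN or ACK packet. The check reads the four reserved bits of the data-offset byte rather than the two the slide mentions; that and the constructed test headers are assumptions.

```python
import struct

SYN, ACK, PSH, URG, RST, FIN = 0x02, 0x10, 0x08, 0x20, 0x04, 0x01
EOL, NOP, MSS, SACKOK = 0, 1, 2, 4        # TCP option kinds
MSS_1460 = b"\x02\x04\x05\xb4"            # MSS option: kind 2, length 4, value 1460

def parse_options(raw: bytes):
    """Return [(kind, value)] from the option bytes; stop at EOL or a bad length."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:
            break
        if kind == NOP:
            opts.append((NOP, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:   # truncated or malformed option
            break
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts

def check_tcp_header(hdr: bytes):
    """Apply the slide's header rules to one raw TCP header; return a list of findings."""
    off_res, flags = hdr[12], hdr[13]
    data_offset = (off_res >> 4) * 4
    reserved = off_res & 0x0F             # reserved bits of the data-offset byte (must be 0)
    kinds = [k for k, _ in parse_options(hdr[20:data_offset])]
    findings = []
    if flags & SYN and flags & FIN:       # covers SYN/FIN, SYN/FIN/PSH, SYN/FIN/RST, ...
        findings.append("SYN and FIN set together")
    if flags == 0:                        # no flags at all (the Nmap Null scan pattern)
        findings.append("no flags set")
    if reserved:
        findings.append("reserved bits set")
    if kinds.count(MSS) > 1:
        findings.append("more than one MSS option")
    if not flags & (SYN | ACK) and any(k in (MSS, NOP, SACKOK) for k in kinds):
        findings.append("MSS/NOP/SackOK option without SYN or ACK")
    return findings

def build_tcp(flags: int, options: bytes = b"", reserved: int = 0) -> bytes:
    """Constructed test header (ports 40000 -> 80); pads options to 32-bit words."""
    options += b"\x00" * (-len(options) % 4)
    doff = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (doff << 4) | reserved, flags, 8192, 0, 0)
    return fixed + options
```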

40 Packet Header Discrepancies (continued)
- Fragmentation abuses
  - Maximum transmission unit (MTU): maximum packet size that can be transmitted over a network
  - Packets larger than the MTU must be fragmented: broken into multiple segments small enough for the network to handle
  - Abuses include
    - Overlapping fragments
    - Fragments that are too long or too small
    - Fragments overwriting data
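The three fragmentation abuses named on the slide as checks over a datagram's fragment list, added here as an example that is not from the textbook. Each fragment is modelled as (offset field in 8-byte units, payload length, more-fragments flag); the sample fragment sets are constructed, and the 1480-byte payload assumes a 1500-byte MTU minus a 20-byte IP header.

```python
MAX_DATAGRAM = 65535     # largest IPv4 datagram the 16-bit total-length field allows

def check_fragments(fragments):
    """fragments: list of (offset_units, payload_len, more_fragments) for one datagram;
    offset is the IP fragment-offset field, in 8-byte units. Returns a list of findings."""
    findings, spans = [], []
    for offset_units, length, more in fragments:
        start = offset_units * 8
        end = start + length
        if more and (length < 8 or length % 8):
            findings.append(f"fragment at {start}: non-final fragment of {length} bytes is too small or not a multiple of 8")
        if end > MAX_DATAGRAM:
            findings.append(f"fragment at {start}: ends at {end}, past the {MAX_DATAGRAM}-byte limit (too long)")
        spans.append((start, end))
    spans.sort()
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:   # the later fragment rewrites bytes an earlier one already delivered
            findings.append(f"fragments at {s1} and {s2} overlap by {min(e1, e2) - s2} bytes")
    return findings

# Constructed fragment sets (not captures); 1480 = 1500-byte MTU minus a 20-byte IP header
NORMAL = [(0, 1480, True), (185, 1480, True), (370, 1040, False)]
OVERLAP = [(0, 1480, True), (184, 1480, False)]        # second fragment starts 8 bytes early
TOO_LONG = [(0, 1480, True), (8189, 48, False)]        # reassembles past 65535 bytes
TOO_SMALL = [(0, 4, True), (1, 1476, False)]           # 4-byte non-final first fragment
```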

41 Advanced Attacks
- Advanced IDS evasion techniques
  - Polymorphic buffer overflow attack
    - Uses a tool called ADMutate
    - Alters an attack's shellcode so that it differs from the known signature many IDSs use
    - Once packets reach the target, they reassemble into the original form
  - Path obfuscation
    - Directory path in the payload is obfuscated by using multiple forward slashes
    - Alternatively, it can use the Unicode equivalent of a forward slash, %c0%af
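The defender's answer to the path obfuscation on this slide is to canonicalize the request path before matching it against signatures, so doubled slashes and the %c0%af encoding of "/" collapse to the form the server will see. Added example, not from the textbook: the overlong-sequence decoder and the signature list are written here, and the /cgi-bin/ location of the script names from the next slide is an assumption.

```python
from urllib.parse import unquote_to_bytes

def decode_overlong(raw: bytes) -> bytes:
    """Map two-byte overlong UTF-8 sequences (lead byte 0xC0/0xC1) back to the single
    ASCII byte they encode, e.g. C0 AF -> 0x2F ('/'); every other byte passes through."""
    out, i = bytearray(), 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

def canonical_path(path: str) -> str:
    """Percent-decode, undo overlong '/' encodings, collapse repeated slashes and
    resolve '.' / '..' segments so the IDS matches the path the server will act on."""
    text = decode_overlong(unquote_to_bytes(path)).decode("latin-1")  # bytes map 1:1
    parts = []
    for seg in text.split("/"):
        if seg in ("", "."):          # empty segment = doubled slash
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)

# Constructed signature list for two of the CGI script names on the next slide
CGI_SIGNATURES = ("/cgi-bin/count.cgi", "/cgi-bin/php.cgi")

def match_cgi_signature(path: str):
    """Return the signatures the canonical, lower-cased request path starts with."""
    canon = canonical_path(path).lower()
    return [s for s in CGI_SIGNATURES if canon.startswith(s)]
```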

42 Advanced Attacks (continued)
- Advanced IDS evasion techniques
  - Common Gateway Interface (CGI) scripts
    - Scripts used to process data submitted over the Internet
    - Examples: Count.cgi, FormMail, AnyForm, Php.cgi, TextCounter, GuestBook

43 Remote Procedure Calls
- Remote Procedure Call (RPC)
  - Standard set of communication rules
  - Allows one computer to request a service from another computer on a network
- Portmapper
  - Maintains a record of each remotely accessible program and the port it uses
  - Converts RPC program numbers into TCP/IP port numbers

44 Remote Procedure Calls (continued)
- RPC-related security events
  - RPC dump: targeted host receives an RPC dump request
  - RPC set spoof: targeted host receives an RPC set request from a source IP address of 127.x.x.x
  - RPC NFS sweep: targeted host receives a series of requests for the Network File System (NFS) on different ports

45 Using the Common Vulnerabilities and Exposures (CVE) Standard
- Make sure your security devices share information and coordinate with one another
  - Each device uses its own "language"
- Common Vulnerabilities and Exposures (CVE)
  - Enables devices to share information using the same standard

46 How the CVE Works
- CVE enables hardware and devices to draw from the same database of vulnerabilities
- Benefits
  - Stronger security
  - Better performance

47 (figure slide, no transcript text)

48 Scanning CVE Vulnerability Descriptions
- You can view current CVE vulnerabilities online, and even download the list
- The CVE list is not a vulnerability database that can be used with an IDS
- Information in a CVE reference
  - Name of the vulnerability
  - Short description
  - References to the event in other databases, such as BUGTRAQ

49 (figure slide, no transcript text)

50 Summary
- Interpreting network traffic signatures can help prevent network intrusions
- Analysis of traffic signatures
  - Integral aspect of intrusion prevention
  - Possible intrusions are marked by invalid settings
- Packet sniffers
  - Capture packets
  - Learn what normal traffic signatures look like
  - Help identify signatures of suspicious connection attempts

51 Summary (continued)
- Suspicious network events
  - "Orphaned" packets
  - Land attacks
  - Localhost source spoof
  - Falsified protocol numbers
  - Illegal combinations of TCP flags
- Advanced attacks
  - Difficult to detect without a database of intrusion signatures or user behaviors

52 Summary (continued)
- Advanced attack methods include
  - Exploiting CGI vulnerabilities
  - Misusing Remote Procedure Calls
- Common Vulnerabilities and Exposures (CVE)
  - Enables security devices to share attack signatures and information about network vulnerabilities

