Download presentation
Presentation is loading. Please wait.
1
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by the U.S. Department of Defense © 1998 by Carnegie Mellon University
2
Changes in Intrusion Profile 1988 –exploiting passwords –exploiting known vulnerabilities Today –exploiting passwords –exploiting known vulnerabilities –exploiting protocol flaws –examining source files for new security flaws –abusing anonymous FTP, web servers, email –installing sniffer programs –IP source address spoofing –denial of service attacks –widespread, automated scanning of the Internet The definition of “vulnerability” on the Internet is approaching that of the DoD in trusted systems
3
Scanning for Victims Today: Wide scale scanners collect information on 100,000s of hosts around the Internet Sniffers now use the same technology as intrusion detection tools Number and complexity of trust relationships in real systems make victim selection easier
4
Scanning for Victims Tomorrow: Use of data reduction tools and more query-oriented search capability will allow reuse of scan data Inexpensive disk and computation time will encourage the use of cryptography and persistent storage of scan data Scan data becomes a commodity like marketing information
5
Probe Definition A single attempt to collect information, or to compromise a resource. Usually refers to one or more packets that traverse a computer network. Usually inferred to be malicious, but might be used for packets where the intent is unknown or not clear.
6
Scan Definition A scan is a collection of probes, usually with some pattern across a range of systems, services or both.
7
Attractive Targets What information is available to the public? –DNS servers –hosts mentioned in whois records –public service machines (Web, ftp, mail) Intruders may also identify targets with –traceroutes –DNS zone transfers –other advanced scanning techniques
8
Packet Types TCP: Transmission Control Protocol –reliable, connection oriented –3-way handshake establishes connection –telnet, SMTP, SSH, ftp UDP: User Datagram Protocol –Unreliable, connectionless –DNS, bootp, tftp, NFS, SNMP ICMP: Internet Control Message Protocol –error and control information –ping, traceroute
9
Establishing a TCP Connection Send SYN Receive SYN + ACK Send ACK Site A Receive SYN Send SYN + ACK Receive ACK Site B Network Messages
10
Closing a TCP Connection Send FIN + ACK Receive ACK Receive FIN + ACK Send ACK Inform Application Site A Receive FIN + ACK Send ACK Inform application Send FIN + ACK Receive ACK Site B Network Messages
11
TCP Connect Probes The intruder uses the connect() system call to send the probe. These probes open (and perhaps close) a TCP connection as described earlier. Privileged access on the origin host is not needed. This type of probe is the most common and the easiest to detect.
12
TCP SYN Probes The intruder sends a SYN packet. A SYN-ACK response means the port is open. A RST response means the port is closed. These probes are harder to detect because the connection is never fully completed.
13
TCP FIN Probes The intruder sends a FIN packet. Some systems respond with: –RST packets for closed ports –nothing for open ports Like SYN probes, FIN probes are hard to detect because the connection is never completed.
14
ICMP Host Unreachable Probes The intruder sends a packet to a host. If an intermediate router knows that this host does not exist, it may respond with an “ICMP host unreachable” packet. This technique identifies which hosts don’t exist, and by inference, which ones do. More information is available in IN-98.04.
15
Reverse Ident Probes The intruder first connects to an open port. Then they send an ident request to the probed host to determine which userid owns the port. Protect against these scans by using the privacy options in ident. These probes can be used to identify Web servers running as root, etc.
16
FTP Bounce Probes The intruder connects to an FTP server. Then they attempt to transfer files between the FTP server and the target host. Based on the error messages, the intruder can tell if the port is open. FTP bounce probes are often used to probe systems behind a firewall. More information is available in CA-97.27.
17
Decoy Probes The intruder sends several spoofed probes at the same time the real probe is sent. The real origin is hard to determine. This reduces the chance that the probe will be reported and responded to correctly. It can also lead system administrators to doubt the legitimacy of probes reported to them.
18
Spoofed Origin Probes The intruder sends probes with a spoofed source address. Then they use an ethernet sniffer to capture the probe results on a host “near” the spoofed origin of the probes. More information is available in IN-98-05.
19
Fragmented Probes The intruder fragments the header of the probe packet into tiny pieces. Some systems (including firewalls) do not properly filter these packets. Other types of probes can be used with the “fragmented header” technique.
20
Architecture Mapping The intruder sends probes that produce specific responses based on the operating system. The intruder can use this information to identify –operating system –hardware architecture –OS version number More information is available in IN-98.04.
21
Coordinated Scans Coordinated scans are probes that –come from multiple hosts –collectively produce a complete scan The results are collected by a single intruder or shared among cooperating intruders. It looks like there are multiple intruders, but there’s no way to know for sure.
22
Slow Scans The probes in a scan can occur slowly, over days or even weeks. This avoids thresholds in some firewalls. It’s harder to detect than a normal scan. It’s also harder to detect on the originating host. More information is available in IN-98.04.
23
The Future of Probes We’re very likely to see more: –widespread brute-force scanning with little regard for being detected –stealthy probes like SYN and FIN that require packet logging to detect –attempts to hide the origin of the probes through spoofing and decoys –automated vulnerability exploits that probe and compromise in a single step
24
Typical Intruder Attack Intruder scans remote sites to identify targets, then attacks vulnerable or misconfigured hosts Internet Yesterday
25
Distributed Coordinated Attack Intruder scans remote sites to identify targets, then attacks vulnerable or misconfigured hosts Internet Today
26
Distributed Coordinated Attack Uses 100s to 1000s of clients (10,000s) Is triggered by a “victim” and “time” command Will simultaneously attack the victim from all clients Currently does not use random source addresses Today used in DoS attacks only
27
Issues for Responding to DoS Attacks Filtering/detecting this attack is problematic! The intruder’s intent is not always clear in denial of service attacks. The intruder might be –using the DoS attack to hide a real attack –misusing resources to attack someone else –attempting to frame someone else for the attack –disabling a trusted host as part of an intrusion Attacks also frequently involve –IRC abuse –intruders attacking each other –retaliation for securing systems
28
The Future is Automation Put these together and what do you get? –tools to scan for multiple vulnerabilities –architecture identification tools –widely available exploits –pre-packaged Trojan horse backdoor programs –delivery and recon through active content Bad news! Together, these publicly available tools could be modified to launch wide-spread scans and compromise systems automatically.
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.