Basic Elements of Attacks and Their Detection

Contents
• Elements of TCP/IP addressing
• Layers in Internet communication
• Phases of an attack

Elements of TCP/IP addressing
• IP address
  – IPv4: a 32-bit number usually presented as 4 dotted fields: field1.field2.field3.field4
    • Example: 194.147.191.31
  – IPv6: a 128-bit number arranged as 8 groups of 16 bits each, separated by colons.
    • Example: 00DC:BA02:5644:A201:1FAB:BA5C:7000:001D
    • A run of zero groups can be replaced by a double colon (::)
    • All IPv4 addresses fit in the rightmost 8 hex digits (32 bits) of an IPv6 address, e.g. IPv6 ::C293:BF1F is IPv4 194.147.191.31 (C2 hex = 194 decimal, etc.)
• Encapsulation is extensively used in packet data transmission
  – A lower-level protocol is seen as data at the immediately higher level
  – These levels are called layers.

Layers in Internet communication
• Layers relevant for Internet packet communication
  – Hardware (link) layer
  – IP layer
  – Protocol (transport) layer
  – Application layer
• Hardware (link) layer
  – Interfaces with the network hardware (e.g. Ethernet, IEEE 802.11, etc.)
  – Packets are physically sent/received here
  – Handles specific information about the local hardware (e.g. MAC address).
• IP layer
  – Implements the IP protocol
  – Reads IP addresses
  – IP is unreliable: no guarantee whatsoever that a packet will arrive
  – Packets may be broken into fragments if necessary; this layer handles the fragmentation.
• IP header (figure)
• IP header fields
  – Version (4 bits): IP version number (4 or 6).
  – Length (4 bits): number of 4-byte words in the header (maximum 60 bytes).
  – Type of service (1 byte): routing preference:
    • Minimize delay
    • Maximize throughput
    • Maximize reliability
    • Minimize monetary cost.
• IP header fields (cont.)
  – Total Packet Length (2 bytes): total number of bytes of the IP datagram.
  – Identification (2 bytes): unique identifier for the packet.
  – Flags (3 bits): flags indicating fragmentation status.
  – Fragment Offset (13 bits): offset of the fragment within the original packet.
• IP header fields (cont.)
  – Time to Live (1 byte): how many routers the packet is allowed to traverse.
  – Protocol (1 byte): code indicating which protocol is used in the protocol (transport) header.
  – Header Checksum (2 bytes): error-checking code to ensure the packet is not corrupted in transit.
• IP header fields (cont.)
  – Source IP Address (4 bytes): address of the source host.
  – Destination IP Address (4 bytes): address of the destination host.
  – Options: rarely used nowadays and often not implemented at all.
• Protocol (transport) layer
  – Reliability of communication is implemented here.
  – TCP, UDP or ICMP may be implemented at this level, unlike the IP layer, where only IP packets may exist.
• TCP protocol
  – Provides a reliable mode of communication between applications
  – Implements "ports"
  – Two-way communication
  – Implements a communication "channel" with mechanisms to ensure packets arrive or are resent as needed.
  – Web, FTP, telnet, SSH and e-mail use TCP.
• TCP header (figure)
• TCP header fields
  – Source Port (2 bytes): communications port number
  – Destination Port (2 bytes): communications port number for the destination application
  – Sequence Number (4 bytes): unique number for the packet (they are sequential in the session)
• TCP header fields (cont.)
  – Acknowledgement Number (4 bytes): like the sequence number.
  – Length (4 bits): length of the header in 4-byte words.
  – Reserved (6 bits): reserved bits.
  – Flags (6 bits): flags controlling the communications session.
• TCP header fields (cont.)
  – Window Size (2 bytes): number of bytes in the transfer buffer.
  – Checksum (2 bytes): checksum for the TCP header.
  – Urgent Pointer (2 bytes): control for emergency aborts.
  – Options: various options.
• UDP protocol
  – Provides a mode of communication between applications
  – Each packet has a "port" number that indicates the application
  – Does not implement any guarantees of service.
  – One-way communication
  – Applications must implement the necessary checks.
• UDP header (figure)
• UDP header fields
  – Source Port (2 bytes): communications port number; 65,536 possible values
  – Destination Port (2 bytes): communications port number for the destination application; usually fixed for a given application (80 – Web)
  – Length (2 bytes): total length of the UDP datagram in bytes
  – Checksum (2 bytes): checksum for the UDP header.
• ICMP protocol
  – The control and error message mechanism for the Internet
  – Each packet has a type/code indicator telling what kind of information is in the packet
  – Different types of ICMP packets have slightly different headers/data
  – Automatically generated (almost always).
• ICMP header – ordinary (figure)
• ICMP header – echo request/reply (figure)
• ICMP header fields
  – Type (1 byte): type of control message the packet represents (0 – echo reply, 8 – echo request, 3 – destination unreachable, etc.)
  – Code (1 byte): indicator of which sub-type of message the packet contains
  – Checksum (2 bytes): checksum for the ICMP header.
• Application layer
  – Applications run at this level, i.e. application protocols are implemented here
  – Common applications:
    • Web
    • ftp
    • E-mail
    • telnet
    • SSH
    • ...
• Protocol headers give information about:
  – source and destination
  – protocol details
  – application
• The data give information about:
  – login and password information
  – commands attempted
  – files accessed.

Phases of an attack
• Four phases in the attacking process:
  – Planning phase
  – Reconnaissance phase
  – Attack phase
  – Post-attack phase.
• The attack process is in general cyclic
  – After completing an attack, another attack is planned, an extension of the previous one.
• Phases of an attack (figure)
• Planning phase
  – Can take many different forms.
  – The attacker often makes use of the system in its intended manner before making the attack.
  – Example: the attacker may sign up for an account on an online e-commerce system or log onto a public server.
  – This type of publicly available legitimate access helps the attacker define the scope and goals of the attack.
• Planning phase (cont.)
  – After the initial preparation is complete, the attacker decides on the scope of the attack.
  – The attacker may have various goals:
    • Denial of service
    • Escalation of legitimate privileges
    • Unauthorized access
    • Data manipulation
  – The motivation behind an attack often dictates which of these goals are chosen.
• Reconnaissance phase
  – The attacker next gathers information about, or performs reconnaissance on, the targeted network.
  – The attacker carries out a variety of different inquiries with the goal of pinpointing a specific method of attack (port scanning, etc.)
  – The goal of the attacker in this phase is to narrow down the field of thousands of possible exploits to a small number of vulnerabilities that are specific to the targeted host/network.
• Reconnaissance phase (cont.)
  – The attacker attempts to make this reconnaissance as hard to notice as possible.
  – Even so, there are many different means of reconnaissance, and some of them can be detected by an intrusion detection system.
  – Sources of information for the attacker:
    • Legitimate public data (forums, public databases, public monitoring tools, etc.)
    • Vulnerability scanning (ping, TCP connect, OS and version scanning, etc.)
• Attack phase
  – The traffic generated by attacks can take many different forms.
  – Types of attacks:
    • Denial of service
    • Remote exploits
    • Trojans and backdoor programs
    • Misuse of legitimate access
• Attack phase (cont.)
  – Denial of service (DoS)
    • Any attack that disrupts the function of a system so that legitimate users can no longer access it.
    • Possible on most network equipment: routers, servers, firewalls, remote access machines, etc.
    • Can be specific to a service (e.g. an FTP attack) or to an entire machine.
    • Categories of DoS:
      – Resource depletion
      – Malicious packet attacks.
• Attack phase (cont.)
  – Denial of service (DoS) (cont.)
    • Resource depletion DoS attacks
      – Function by flooding a service with so much normal traffic that legitimate users cannot access the service.
      – An attacker inundating a service with normal traffic can exhaust finite resources such as bandwidth, memory and processor cycles.
      – Examples: SYN flood, Smurf, etc.
• Attack phase (cont.)
  – Denial of service (DoS) (cont.)
    • Malicious packet DoS attacks
      – Function by sending abnormal traffic to a host to cause the service or the host itself to crash.
      – Occur when software is not properly coded to handle abnormal or unusual traffic.
      – Such traffic can cause software to react unexpectedly and crash.
      – Attackers can use these attacks to bring down even an IDS.
      – Examples: Microsoft FTP DoS, SNORT ICMP DoS, etc.
• Attack phase (cont.)
  – Denial of service (DoS) (cont.)
    • Malicious packet DoS attacks (cont.)
      – In addition to unusual traffic, malicious packets can contain payloads that cause a system to crash.
      – A packet's payload is taken as input by a service.
      – If this input is not properly checked, the application can be brought down.
• Attack phase (cont.)
  – Denial of service (DoS) (cont.)
    • DoS attacks commonly use spoofed IP addresses because the attack is successful even if the response is misdirected.
    • The attacker requires no response and, in cases like the Smurf attack, wants at all costs to avoid a response.
    • This can make DoS attacks difficult to defend against, and even more difficult to detect.
• Attack phase (cont.)
  – Remote exploits
    • Attacks designed to take advantage of improperly coded software to compromise and take control of a vulnerable host.
    • Can function in the same manner as the malicious-payload DoS attacks.
    • Take advantage of improperly checked input or configuration errors.
    • Examples: buffer overflow, Unicode exploit, cookie poisoning, SQL injection, etc.
• Attack phase (cont.)
  – Trojans and backdoor programs
    • By installing a backdoor program or a Trojan, an attacker can bypass normal security controls and gain privileged unauthorized access to a host.
    • A backdoor program can be deployed on a system in a variety of different ways, e.g. a malicious software engineer can add a backdoor into legitimate software code.
    • Backdoor programs might be added for legitimate maintenance reasons during the software development life cycle, but later forgotten.
• Attack phase (cont.)
  – Trojans and backdoor programs (cont.)
    • A Trojan is defined as software that is disguised as a benign application.
    • Remote control Trojans typically listen on a port like a genuine application.
    • Through this open port, an attacker controls them remotely.
    • Trojans can be used to perform any number of functions on the host.
• Attack phase (cont.)
  – Trojans and backdoor programs (cont.)
    • Some Trojans include port-scanning and DoS features.
    • Others can take screen and webcam captures and send them back to the attacker.
    • Trojans and backdoor programs have traditionally listened on a TCP or UDP port, making it easy to detect them and undertake countermeasures.
• Attack phase (cont.)
  – Trojans and backdoor programs (cont.)
    • Because of that, Trojans have evolved so that they no longer need to listen on a TCP or UDP port.
    • Instead, they listen for a specific sequence of events before processing commands.
    • It may be a combination of predetermined source addresses, TCP header information, or false destination ports that do not match a listening service.
• Attack phase (cont.)
  – Misuse of legitimate access
    • Attackers often attempt to gain unauthorized use of legitimate accounts by obtaining authentication information.
    • This can be performed by means of technical and/or social engineering methods.
    • IDSs, especially anomaly-detection ones, may be used to detect such activities.
• Post-attack phase
  – After an attacker has successfully penetrated a host on the targeted network, the further actions he will take are in general unpredictable.
  – In this phase, the attacker carries out his plan and makes use of information resources as he considers appropriate.
• Post-attack phase (cont.)
  – Possible post-attack activities:
    • Covering tracks
    • Penetrating deeper into the network infrastructure
    • Using the host to attack other networks
    • Gathering, manipulating, or destroying data
    • Handing over the host to a friend or a hacker group
    • Walking or running away without doing anything.
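As an added example (not part of the lecture slides), the following Python code parses the IPv4 header fields listed in the "Layers in Internet communication" section from raw bytes and rejects headers whose length or checksum fields are inconsistent, i.e. it performs the input checking that the malicious-packet DoS slides say crashing software lacks. The sample addresses, packet bytes and the function names are constructed for this example.

```python
import struct

# Added example: IPv4 header parser with validation (not the slides' code).
# Field layout follows the "IP header fields" slides: version/IHL, TOS, total
# length, identification, flags+fragment offset, TTL, protocol, checksum, src, dst.

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (the IP header checksum).
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(data: bytes) -> dict:
    """Return the header fields as a dict; raise ValueError on malformed input."""
    if len(data) < 20:
        raise ValueError("truncated: fewer than 20 bytes")
    vi, tos, tot_len, ident, frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = vi >> 4, vi & 0x0F       # IHL = header length in 4-byte words
    if version != 4:
        raise ValueError("not an IPv4 header: version %d" % version)
    if ihl < 5 or ihl * 4 > len(data):       # at least 20 bytes, never past the buffer
        raise ValueError("bad header length: %d words" % ihl)
    if tot_len < ihl * 4 or tot_len > len(data):
        raise ValueError("bad total length: %d" % tot_len)
    if ipv4_checksum(data[:ihl * 4]) != 0:
        raise ValueError("header checksum mismatch")
    return {"version": version, "ihl": ihl, "tos": tos, "total_length": tot_len,
            "id": ident, "flags": frag >> 13, "fragment_offset": frag & 0x1FFF,
            "ttl": ttl, "protocol": proto, "checksum": csum,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def is_malformed(data: bytes) -> bool:
    try:
        parse_ipv4(data)
        return False
    except ValueError:
        return True

def build_sample(ihl: int = 5, total_length: int = 40) -> bytes:
    """Constructed 40-byte packet: 20-byte header + 20 zero payload bytes, 194.147.191.31 -> 10.0.0.5
    (sample addresses), DF set, TTL 64, protocol 6 (TCP); non-default args give inconsistent lengths."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_length, 0x1234,
                      0x4000, 64, 6, 0, bytes([194, 147, 191, 31]), bytes([10, 0, 0, 5]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # fill in checksum
    return hdr + b"\x00" * 20
```

Calling parse_ipv4(build_sample()) returns the decoded fields, while build_sample(ihl=3) and build_sample(total_length=60) are rejected rather than letting a bogus length drive later processing.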