“As news of data security breaches at high-profile companies keeps coming, so too does the need for security planning and management skills. IT security is one of the top 10 skills that will become "newly important" to companies in the next five years.”
-- Kate Kaiser, Associate Professor at Marquette University, quoted in “Hot Skills, Cold Skills”, ComputerWorld, July 17, 2006

“Companies employ 1.4 million IT security professionals worldwide. By 2010, that number will reach 2 million, an increase of almost 30%. U.S. companies will also increase spending on information security training by 16.4% annually through 2009.”
-- from a study by IDC on Security Workforce Trends, quoted in “Hot Skills, Cold Skills”, ComputerWorld, July 17, 2006

Certifications ...1
International Information Systems Security Certification Consortium, Inc. [(ISC)²]; https://www.isc2.org/:
  Certified Information Systems Security Professional (CISSP)
Information Systems Audit and Control Association (ISACA); http://www.isaca.org/:
  Certified Information Systems Auditor (CISA)
  Certified Information Security Manager (CISM)

Certifications ...2
Computing Technology Industry Association (CompTIA); http://www.comptia.org/:
  CompTIA Security+ Certification
  CompTIA Network+ Certification
  CompTIA A+ Certification
SysAdmin, Audit, Network, Security (SANS) Institute; http://www.sans.org/:
  Global Information Assurance Certification (GIAC)

Example 1: Telnet connection -- TCP stimulus-response

TCP stimulus-response
Example of tcpdump data for a telnet (port 23) application.
Type 1: Normal system
Stimulus:
  abc.com.25020 > cde.com.telnet: S 2538567:2538567(0) win 4096 <mss 1480> (DF)
Response:
  cde.com.telnet > abc.com.25020: S 38849799:38849799(0) ack 2538568 win 4096 <mss 1480>

Anomalous cases: tcp-telnet example
Type 2: Destination not listening on the telnet port
For the same stimulus, the response will be a Reset/Ack:
  cde.com.telnet > abc.com.25020: R 0:0(0) ack 2538568 win 0
Type 3: Destination host not available
Though the destination host has a registered DNS IP address, the host may currently be down, or it may have been misconfigured so that it cannot respond. The response then comes from the router (assume its address is xxx.1) to which the network of the destination host is directly connected:
  xxx.1 > abc.com: icmp: host cde.com unreachable
Type 4: Destination port blocked
  xxx.1 > abc.com: icmp: host cde.com unreachable - admin prohibited filter
Type 5: Destination port blocked -- router is silenced
Some routers can be silenced by putting a statement like ‘no IP unreachable’ in the access control list. The stimulus then gets no response at all, and it is re-sent repeatedly until the maximum number of permitted attempts is reached.

Example 2: Windows tracert -- ICMP echo request-response

Windows tracert
Consists of ICMP echo requests and ICMP echo replies.
Example: for a final destination two hops away, the tcpdump output seen at the FIRST router, one hop from the source, is:
Stimulus:
  abc.com > cde.com: icmp: echo request [ttl = 1]
Response:
  router1 > abc.com: icmp: time exceeded in transit
tracert sends the same stimulus three times (i.e. twice more) to get the response from the same destination.

Windows tracert (continued)
Thereafter it sends an echo request with TTL = 2:
  abc.com > cde.com: icmp: echo request
  cde.com > abc.com: icmp: echo reply
abc.com notes the RTT. The same message is sent two more times and the RTT is noted in each case. tracert then gives an output like:
  Over a maximum of 30 hops:
    129ms 126ms 130ms router1
    229ms 124ms 118ms cde.com
  Trace complete.

Example 3: UNIX traceroute -- UDP / ICMP port unreachable

UNIX traceroute
The default behavior of tcpdump is to print the TTL only when it has a value of 1, to warn of an impending problem.
UNIX traceroute sends a UDP message with increasing values of TTL, beginning with TTL = 1, to trace the route. For the destination, a port in the range 33000 to 33999 is usually used. Such a port is normally not used for listening, so an ICMP port unreachable message is returned.

tcpdump output of traceroute
For ttl = 1:
  abc.com.27822 > cde.com.33888: udp 12 (DF) [ttl=1]
  router1 > abc.com: icmp: time exceeded in transit
For ttl = 2:
  abc.com.27822 > cde.com.33889: udp 12 (DF)
  cde.com.33889 > abc.com.27822: icmp: cde.com udp port 33889 unreachable (DF)
Three similar messages are sent in each case.

Example 4: FTP procedure -- TCP

FTP procedure
Active FTP (21: command port; 20: data port)
Step 1: The FTP client initiates the establishment of a connection with the FTP server at port 21.
Step 2: The client requests the transfer of a directory file or any other file from the server to the client.
Step 3: The server initiates a connection from its port 20 to an ephemeral port of the client.
Step 4: After the connection is established, the data transfer is completed on the new connection. For each additional exchange of data a new connection with a new ephemeral port is made.

FTP: tcpdump output
Step 1: Establishment of the connection:
  abc.com.38235 > cde.com.21: S 2537895:2537895(0)
  cde.com.21 > abc.com.38235: S 12337887:12337887(0) ack 2537896
  abc.com.38235 > cde.com.21: . ack 1
Step 2: Exchange of packets for authentication: asking for the user name, and later the password, etc. As an example, only the first two packets are shown below:
  cde.com.21 > abc.com.38235: P 1:24(23) ack 1
  abc.com.38235 > cde.com.21: . ack 24
P indicates the Push flag.

FTP: tcpdump output (continued)
Step 3: The directory command is issued by abc.com to get the list of directories available at the server (not shown). This leads to the establishment of a second TCP connection between port 20 of the server and an ephemeral port of the client:
  cde.com.20 > abc.com.38236: S 23376656:23376656(0)
  abc.com.38236 > cde.com.20: S 3535736:3535736(0) ack 23376657
  cde.com.20 > abc.com.38236: . ack 1
Now cde.com sends the list of directories to abc.com on the new connection.

Example 5: All erroneous packets may not be malicious

No stimulus -- all response
Consider the following tcpdump output:
  router1 > 182.122.150.72: icmp: time exceeded in transit   (or any other error message)
  router1 > 182.122.130.52: icmp: time exceeded in transit
  router1 > 182.122.110.32: icmp: time exceeded in transit
Explanation: a large number of such messages arrived for hosts on the 182.122 net. Host addresses on that net had been spoofed as the source of traffic sent to a foreign host, so the error messages come back to them.
Note: Such ICMP messages cannot be probing messages, since an ICMP error message cannot get a response.
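The pairing that the stimulus-response examples above rely on, coded as an added example (this is not code from the slides): it reads tcpdump-style lines, matches each response to the stimulus it answers, labels the telnet cases of Example 1 (types 1 to 5, numbered as on the slides) and the two DNS-over-UDP cases of Example 6 below, and lists any response that answers no stimulus at all, which is the pattern of Example 5. The sample lines are constructed in the slides' notation (hosts such as xyz.com and router1 are invented); the function names and the verdict strings are mine.

```python
import re

# Constructed tcpdump-style lines in the notation the slides use (not a real capture):
# one telnet SYN for each of types 1-4, one that is never answered (type 5), a normal DNS
# query/answer, a DNS query to a host not listening on port 53, and two ICMP errors that
# answer nothing we sent (the Example 5 pattern).
SAMPLE = """\
abc.com.25020 > cde.com.telnet: S 2538567:2538567(0) win 4096 <mss 1480> (DF)
cde.com.telnet > abc.com.25020: S 38849799:38849799(0) ack 2538568 win 4096 <mss 1480>
abc.com.25021 > cde.com.telnet: S 2538600:2538600(0) win 4096 <mss 1480> (DF)
cde.com.telnet > abc.com.25021: R 0:0(0) ack 2538601 win 0
abc.com.25022 > xyz.com.telnet: S 2538700:2538700(0) win 4096 <mss 1480> (DF)
router1 > abc.com: icmp: host xyz.com unreachable
abc.com.25023 > fgh.com.telnet: S 2538800:2538800(0) win 4096 <mss 1480> (DF)
router1 > abc.com: icmp: host fgh.com unreachable - admin prohibited filter
abc.com.25024 > ijk.com.telnet: S 2538900:2538900(0) win 4096 <mss 1480> (DF)
abc.com.25020 > cde.com.domain: 21000+ (31) (DF)
cde.com.domain > abc.com.25020: 21000 1/0/0 (193) (DF)
abc.com.25021 > ns2.cde.com.domain: 21001+ (31) (DF)
ns2.cde.com > abc.com: icmp: ns2.cde.com udp port domain unreachable
router1 > 182.122.150.72: icmp: time exceeded in transit
router1 > 182.122.130.52: icmp: time exceeded in transit
"""

LINE_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): (?P<body>.*)$")
DNS_QUERY_RE = re.compile(r"^\d+[+-]?\s*\(\d+\)")        # id, optional +/-, payload length
DNS_ANSWER_RE = re.compile(r"^\d+[*|-]?\s*\d+/\d+/\d+")   # id, flag, answers/authority/additional
HOST_UNREACH_RE = re.compile(r"host (\S+) unreachable")
PORT_UNREACH_RE = re.compile(r"(\S+) udp port (\S+) unreachable")

def split_endpoint(ep):
    """tcpdump writes host.port; the port may be a number or a service name such as telnet."""
    host, _, port = ep.rpartition(".")
    return host, port

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    icmp = m["body"].startswith("icmp:")   # ICMP lines carry bare hosts, no ports
    ends = [(h, "") if icmp else split_endpoint(h) for h in (m["src"], m["dst"])]
    return {"src": ends[0], "dst": ends[1], "body": m["body"], "icmp": icmp}

def label(src, dst):
    return f"{src[0]}.{src[1]} > {dst[0]}.{dst[1]}"

def is_stimulus(p):
    """A bare SYN or a DNS query opens an exchange; everything else must answer one."""
    b = p["body"]
    return not p["icmp"] and ((b.startswith("S ") and " ack " not in b) or bool(DNS_QUERY_RE.match(b)))

def find_stimulus(p, pending):
    """Label of the pending stimulus this packet answers, or None."""
    if not p["icmp"]:
        key = label(p["dst"], p["src"])          # a reply flows back along the reversed tuple
        return key if key in pending else None
    for key, stim in pending.items():
        if stim["src"][0] != p["dst"][0]:        # the ICMP error is addressed to the original sender
            continue
        m = HOST_UNREACH_RE.search(p["body"])
        if m and m.group(1) == stim["dst"][0]:
            return key
        m = PORT_UNREACH_RE.search(p["body"])
        if m and (m.group(1), m.group(2)) == stim["dst"]:
            return key
    return None

def classify(body):
    if body.startswith("S ") and " ack " in body:
        return "type 1: normal (SYN/ACK)"
    if body.startswith("R "):
        return "type 2: port not listening (RST/ACK)"
    if "admin prohibited" in body:
        return "type 4: port blocked (ICMP admin prohibited)"
    if HOST_UNREACH_RE.search(body):
        return "type 3: host unreachable (ICMP from router)"
    if PORT_UNREACH_RE.search(body):
        return "udp type 2: port not listening (ICMP port unreachable)"
    if DNS_ANSWER_RE.match(body):
        return "udp type 1: normal DNS answer"
    return "unclassified response"

def analyse(text):
    """Pair each response with its stimulus. Unanswered stimuli end up as type 5; responses
    with no stimulus are returned separately, the signature of spoofed-source backscatter."""
    pending, verdicts, orphans = {}, {}, []
    for p in filter(None, map(parse, text.splitlines())):
        if is_stimulus(p):
            key = label(p["src"], p["dst"])
            pending[key] = p
            verdicts[key] = "type 5: no response (silenced router or dropped)"
            continue
        key = find_stimulus(p, pending)
        if key is None:
            orphans.append(f"{p['src'][0]} > {p['dst'][0]}: {p['body']}")
            continue
        verdicts[key] = classify(p["body"])
        del pending[key]
    return verdicts, orphans

if __name__ == "__main__":
    verdicts, orphans = analyse(SAMPLE)
    for key, verdict in verdicts.items():
        print(f"{key:38} {verdict}")
    print("responses with no stimulus (check for spoofed-source traffic):")
    for line in orphans:
        print("  " + line)
```

The orphan list is what matters for the Example 5 case: a burst of ICMP errors addressed to hosts on your net that never sent the matching stimulus points at spoofing of your addresses elsewhere, not at a probe of your hosts.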
Conclusion of Example 5: no danger to 182.122.

Example 6: DNS messages -- UDP stimulus-response

UDP stimulus-response
Example of tcpdump data for DNS messages (port 53).
Type 1: Normal
Stimulus:
  abc.com.25020 > cde.com.domain: 21000+ (31) (DF)
The + means that the domain server is asked to work recursively to obtain the resolution. 31 is the payload of the UDP packet, not including the UDP and IP headers.
Response:
  cde.com.domain > abc.com.25020: 21000 1/0/0 (193) (DF)

UDP stimulus-response: anomalous cases
1/0/0 is the tcpdump DNS report format:
  1: one answer resource record
  0: no authority record
  0: no additional record
Type 2: Destination not listening at port 53
For the same stimulus, the response is:
  cde.com.domain > abc.com: icmp: cde.com udp port domain unreachable

DNS Background ...1

DNS (UDP port 53)
  Root servers
    com edu net org biz info name pro gov mil
    2-character country-specific domains: ca jp uk ...
    arpa (for reverse lookup)

DNS system
Every domain name server has many slaves, which take over in case there is a failure. The slaves keep themselves synchronized by using the BIND protocol. Transfers between the primary DNS server and the slaves are done through a zone transfer, which should be allowed between authorized servers only. These transfers use TCP in the interest of reliability.

DNS response: X/Y/Z
X: the number of answers (usually 1 or 0), i.e. the resolved IP address
Y: authoritative records: the names of the authoritative DNS servers
Z: additional records: the IP addresses of the authoritative DNS servers

Example 7: DNS messages -- UDP stimulus-response

DNS: tcpdump output
  abc.com.2222 > dns.cde.com.53: 1+ (35)
abc.com issues a ‘gethostbyname’ call to resolve the IP address of some host in the SANS organization. The + sign means the request is recursive: it asks the local DNS server to find and give the final answer. The local DNS server has no information about the SANS organization, so it goes to the root server:
  dns.cde.com.53 > h.root.servers.net.53: 12420- (30) (DF)
Root servers are busy, so only an iterative request is issued, as indicated by the hyphen after 12420.
Reference: the example is taken from Northcutt and Novak, Ch. 6.

DNS: authoritative records
12420 is the ID number for the request.
  h.root.servers.net.53 > dns.cde.com.53: 12420- 0/3/3 (153) (DF)
The root server says that it is sending 0/3/3: no answer records / 3 authoritative records / 3 additional records.
Authoritative records: the 3 servers which own and maintain the records for the SANS domain.
Additional records: the resolution of the above three authoritative DNS servers to their IP addresses.

DNS: authoritative and additional records
Authoritative records:
  sans.org name server = server1.sans.org
  sans.org name server = ns.BSD1.COM
  sans.org name server = ns.DELOS.COM
Additional records:
  server1.sans.org Internet address = 167.216.133.33
  ns.BSD.COM Internet address = 205.230.225.16
  ns.DELOS.COM Internet address = 192.65.171.1

DNS: tcpdump output (continued)
The local DNS server now asks the first authoritative DNS server to resolve the IP address:
  dns.cde.com.53 > server1.sans.org.53: 12421+ (30) (DF)
  server1.sans.org.53 > dns.cde.com.53: 12421* 1/3/3 (172)
The * means the IP address being given is authoritative. 3/3 are the same authority records and additional records mentioned in the previous slide.

DNS Background ...2

DNS cache
The local DNS server caches the IP address(es) obtained as shown in the previous four slides for a period called the TTL, as specified by the authoritative domain server. As long as the record is in the cache, a request to resolve that domain name is met by responding with the IP address from the cache; the server marks such an answer as non-authoritative.

DNS: reverse lookup
Given: an IP address. To find: the host name, by using gethostbyaddr.
Method: to reverse-look-up the address 167.216.233.33, the query is:
  33.233.216.167.in-addr.arpa.
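A decoder for the tcpdump DNS summary notation read in Examples 6 and 7 above (request id, the +, -, * and | flags, the X/Y/Z record counts and the payload length), together with the in-addr.arpa name construction of the reverse-lookup slide, written as an added example; it is not code from the slides or from Northcutt and Novak. The meanings of the flags and counts follow the slides, the 484-byte budget is the figure the next slides derive, the sample summaries are constructed, and the regex and function names are mine.

```python
import re

# tcpdump's one-line DNS summary as the slides read it:
#   <id><flag> [<answers>/<authority>/<additional>] (<payload length>)
# flag: + recursion requested, - iterative (no recursion), * authoritative answer, | truncated.
SUMMARY_RE = re.compile(
    r"^(?P<id>\d+)(?P<flag>[+\-*|])?\s*"
    r"(?:(?P<ans>\d+)/(?P<auth>\d+)/(?P<add>\d+))?\s*"
    r"\((?P<length>\d+)\)"
)
FLAGS = {
    "+": "recursion requested",
    "-": "iterative (no recursion)",
    "*": "authoritative answer",
    "|": "truncated",
}
UDP_DNS_LIMIT = 512 - 20 - 8   # 484-byte payload budget as computed on the slides

def decode_summary(text):
    """Turn '12420- 0/3/3 (153)' into a dict describing the query or response."""
    m = SUMMARY_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a tcpdump DNS summary: {text!r}")
    info = {
        "id": int(m["id"]),
        "flag": FLAGS.get(m["flag"], "none"),
        "length": int(m["length"]),
        "kind": "query" if m["ans"] is None else "response",
    }
    if m["ans"] is not None:
        info["answers"] = int(m["ans"])
        info["authority"] = int(m["auth"])
        info["additional"] = int(m["add"])
        # A referral carries no answers but names the servers to ask next (0/3/3 above).
        info["referral"] = info["answers"] == 0 and info["authority"] > 0
    # Truncation is flagged explicitly, and implied when the payload exceeds the UDP budget.
    info["truncated"] = m["flag"] == "|" or info["length"] > UDP_DNS_LIMIT
    return info

def reverse_lookup_name(ip):
    """Build the in-addr.arpa name for a dotted-quad IPv4 address (gethostbyaddr style)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

# Constructed summaries modelled on the Example 6/7 slides (not a real capture).
SAMPLES = [
    "21000+ (31)",          # recursive query from a stub resolver
    "21000 1/0/0 (193)",    # normal answer: one A record
    "12420- (30)",          # iterative query to a root server
    "12420- 0/3/3 (153)",   # referral: no answer, 3 NS, 3 glue
    "12421* 1/3/3 (172)",   # authoritative answer
    "12122| 7/0/0 (494)",   # truncated: 494 bytes exceeds the 484-byte UDP budget
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:22} -> {decode_summary(s)}")
    print(reverse_lookup_name("167.216.233.33"))
```

The "referral" field is the thing to watch when reading a capture: a chain of 0/N/N responses is the normal walk from root to authoritative server, whereas an answer with a non-zero X but no * flag is a cached, non-authoritative reply.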
Limited size of UDP data
Maximum allowable size of a UDP DNS response = 512 bytes. Out of this:
  IP header = 20 bytes
  UDP header = 8 bytes

Limited size of UDP data (continued)
Therefore the data part of a UDP DNS message is 484 bytes. If the data to be returned would be more than 484 bytes, it is truncated and a new TCP request for DNS is issued.
Example:
  abc.com.2727 > dns.cde.com.53: 12122 (43) (DF)
  dns.cde.com.53 > abc.com.2727: 12122| 7/0/0 (494)
The vertical line after 12122 indicates that the data has been truncated.

DNS on TCP
The size of the data that should have been sent was 494 bytes, which is larger than the 484 bytes allowed with UDP. The request can be reissued with TCP. But a TCP connection to port 53 is usually not allowed, except for zone transfer; in such a case, larger data of the type asked for above cannot be obtained. Alternatively, TCP connections to port 53 may be allowed if an earlier UDP exchange existed, but this would require storing the state of UDP connections.

Weaknesses in DNS: probing attacks
a) At any machine, on giving the command
  % nslookup
the name of the default domain name server and its IP address are provided.
Example W1:
  > nslookup
  Default Server: davinci.newcs.uwindsor.ca
  Address: 137.207.76.3

Weaknesses in DNS: Example W2
On sending a ‘gethostbyname’ call to resolve the IP address of www.msn.com:
  Server: davinci.newcs.uwindsor.ca
  Address: 137.207.76.3
  Non-authoritative answer:
  Name: www.msn.com
  Addresses: 207.68.173.254, 207.68.171.244, 207.68.171.245, 207.68.172.234, 207.68.173.244
A non-authoritative answer is one that the local domain name server supplies from its cache.

To find your name server
b) On using the commands
  > set type=ns
  > domainname
the system responds with your name server.
Example W3:
  > set type=ns
  > uwindsor.ca
  Server: davinci.newcs.uwindsor.ca
  Address: 137.207.76.3

Example W3 (continued)
  Non-authoritative answer:
  uwindsor.ca nameserver = dns.uwindsor.ca
  uwindsor.ca nameserver = ns1.uwo.ca
  dns.uwindsor.ca internet address = 137.207.232.1
  ns1.uwo.ca internet address = 129.100.2.12
There are two name servers. Names and IP addresses of both are provided.

Weaknesses in DNS: Example W4
  > set type=ns
  > msn.com
  Server: davinci.newcs.uwindsor.ca
  Address: 137.207.76.3
  Non-authoritative answer:
  msn.com nameserver = dns1.cp.msft.net
  msn.com nameserver = dns1.dc.msft.net
  msn.com nameserver = dns1.sj.msft.net
  msn.com nameserver = dns1.tk.msft.net

Weaknesses in DNS: Example W4 (continued)
  msn.com nameserver = dns3.jp.msft.net
  msn.com nameserver = dns3.uk.msft.net
  dns1.cp.msft.net internet address = 207.46.138.20
  dns1.dc.msft.net internet address = 64.4.25.30
  dns1.sj.msft.net internet address = 65.54.248.222
  dns1.tk.msft.net internet address = 207.46.245.230
  dns3.jp.msft.net internet address = 207.46.72.123
  dns3.uk.msft.net internet address = 213.199.144.151

Weaknesses in DNS (continued)
c) Many domain name servers store host information such as the name of the machine and details of its hardware and operating system.
Example: the commands
  > set type=hinfo
  > host49
will get the hardware and OS information of host49, if available. It is wise not to store such information in a DNS server, since the DNS protocol gives anyone (including a hacker) an easy means of accessing it.
Host information: Example W5
  > set type=hinfo
  > davinci.newcs.uwindsor.ca
  Server: davinci.newcs.uwindsor.ca
  Address: 137.207.76.3
  newcs.uwindsor.ca
    primary name server = davinci.newcs.uwindsor.ca
    responsible mail addr = walid.uwindsor.ca
    serial = 2003112403
    refresh = 10800 (3 hours)
    retry = 3600 (1 hour)
    expire = 604800 (7 days)
    default TTL = 86400 (1 day)

Host information: definitions, Master/Secondary servers ...1
Serial: the serial number at the beginning of the Start Of Authority (SOA) data, updated every time the DNS database is updated; it defines when the DNS data was last updated. A secondary DNS server updates its data only if the serial number of the Master is higher than its own serial number.
Refresh: the time interval (in seconds) between two successive updates of the database of a secondary name server.
Retry: if the secondary is not able to reach the Master after a Refresh interval, it starts trying to reach the Master every Retry interval. Retry interval < Refresh interval.

Host information: definitions, Master/Secondary servers ...2
Expire: if the secondary is not able to reach the Master for an Expire interval, it stops responding to domain name resolution queries, i.e. it expires its data.
Default TTL: the TTL for every record of the name server’s database is supplied by the authoritative name server in its response to the query. The default value is used if no such value is supplied in the response.

Host information: Example W6
  > set type=hinfo
  > nismail.uwindsor.ca
  Server: davinci.newcs.uwindsor.ca
  Address: 137.207.76.3
  uwindsor.ca
    primary name server = dns.uwindsor.ca
    responsible mail addr = clw.uwindsor.ca
    serial = 2004020400
    refresh = 14400 (4 hours)
    retry = 3600 (1 hour)
    expire = 604800 (7 days)
    default TTL = 129600 (1 day 12 hours)

Weaknesses in DNS (continued)
d) The command
  > ls -d abc.com
may list the entire DNS server record of the domain abc.com.
Example W7:
  > ls -d newcs.uwindsor.ca
  [davinci.newcs.uwindsor.ca]
  newcs.uwindsor.ca.   SOA   davinci.newcs.uwindsor.ca walid.uwindsor.ca. (2003020700 10800 3600 604800 86400)
  newcs.uwindsor.ca.   NS    uwindsor.ca
  newcs.uwindsor.ca.   NS    davinci.newcs.uwindsor.ca

Weaknesses in DNS: Example W7 (continued) ...2
  newcs.uwindsor.ca.   NS    naps.uwindsor.ca
  router-nt                     A    137.207.76.2
  Symmetra ups                  A    137.207.76.15
  xylan ATM machine             A    137.207.76.54
  cs-ssr-6th router at 6thfl    A    137.207.76.250
  davinci              MX   5    davinci.newcs.uwindsor.ca
  davinci              MX   10   nismail.uwindsor.ca
  cs-ssr-main main router       A    137.207.76.254
  newcs.uwindsor.ca.   SOA   davinci.newcs.uwindsor.ca walid.uwindsor.ca. (2003020700 10800 3600 604800 86400)
Notes: A: Authoritative record; MX: Mail exchange; SOA: Start of Authority.

Weaknesses in DNS: Example W7 (continued) ...3
For the domain there are two mail exchangers, with priority values of 5 and 10. Allowed priority values: 0 to 65,535. The highest priority is 0 and the lowest is 65,535. A mail server tries to deliver mail first to the mail exchanger of highest priority (the lowest value). If that mail exchanger is down, it delivers the mail to the mail exchanger with the next lower priority (the next higher value). This method avoids looping in a large system.

Weaknesses in DNS (continued)
e) A tool called ‘Domain Internet Groper’ (DIG) is supplied with some implementations of BIND. It can provide the version number of BIND (versions in use: 4.8.3 and 4.9.4).
f) Sneaky traceroute: since port 53 is usually kept open and firewalls allow messages to port 53, UDP messages sent to port 53 with increasing values of TTL can tell whether a host is alive. This method of finding whether a host is alive may be used if ICMP echo requests are blocked.

Sneaky traceroute
Generate UDP messages for the destination host (which should not be a name server) with progressively increasing values of TTL. Intermediate routers respond with a time exceeded ICMP message. If the destination host is alive, it responds with a port unreachable ICMP message. If the destination host is not alive, the last router responds with a host unreachable ICMP message.

Weaknesses in DNS: cache poisoning attack
g) Since the DNS message format for a query and the message format for a response are the same, a query may contain a poisoned IP address. The domain name server would cache it for later use. This can misdirect other users to the wrong site.

References for the Mitnick attack:
1. http://www.totse.com/en/hack/hack_attack/hacker03.html
2. http://www.shado.info/blog/archives/000112.html (home page of the blog: http://www.shado.info/)

Two news items and two stories (p. 103-105 and Ch. 7 of the text book on Intrusion Detection)

WHY DID AL-JAZEERA WEB-SITES GO DOWN?
“At this point we're not able to triangulate to a particular reason…. It could just be an overall traffic increase that adds to the load or it could be an increase in the rate at which users are coming to the site. Or it could be some external event like a DoS or a virus that's propagating. Al-Jazeera put this site together in a hurry…. You have to do at least some basic load testing.”
-- Roopak Patel, Senior Internet Data Analyst, Keynote Systems Inc., a performance management and testing company, San Mateo, Calif., March 25, 2003

Dangerous times
The recent rash of Internet worms has produced an army of hundreds of thousands of compromised machines that could ultimately be used to launch a massive DDoS attack at any time. CERT is monitoring .. five large networks of compromised machines installed with bots. The bots connect compromised PCs or servers to Internet Relay Chat servers, which attackers commonly use to execute commands on the remote systems. At least one of these networks has more than 140,000 machines.
-- Officials at the CERT Coordination Center, Carnegie Mellon University, 17 March 2003
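Returning to the DNS weaknesses above: the zone listing of Example W7, the SOA timer definitions of the Master/Secondary slides and the MX priority rule, worked through as an added example from the defender's side (this is not code from the slides). It parses a dump in the layout nslookup's ls -d prints, checks the SOA timers against the stated Retry < Refresh rule (plus one added sanity check, Expire > Refresh, which the slides do not state), orders the mail exchangers as a sending server would, and reports what a zone transfer exposes, including any HINFO records. The zone (example.test, 192.0.2.x) is constructed; the function names are mine.

```python
import re

# Constructed zone listing in the layout nslookup's "ls -d" prints on the W7 slide.
# Records are invented (example.test / 192.0.2.x); the HINFO line is included to show
# the kind of record the slides advise against publishing.
ZONE_DUMP = """\
[dns.example.test]
 example.test.   SOA    dns.example.test hostmaster.example.test. (2003020700 10800 3600 604800 86400)
 example.test.   NS     dns.example.test
 example.test.   NS     ns2.example.test
 example.test.   MX     10 mail2.example.test
 example.test.   MX     5  mail1.example.test
 router-nt       A      192.0.2.2
 ups             A      192.0.2.15
 ups             HINFO  "APC Symmetra" "embedded"
 dns             A      192.0.2.1
 example.test.   SOA    dns.example.test hostmaster.example.test. (2003020700 10800 3600 604800 86400)
"""

RECORD_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>[A-Z]+)\s+(?P<data>.*)$")
SOA_RE = re.compile(r"\((\d+) (\d+) (\d+) (\d+) (\d+)\)")

def parse_zone(text):
    """Return (name, type, data) triples; the bracketed server line is skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append((m["name"], m["type"], m["data"].strip()))
    return records

def parse_soa(data):
    """SOA timers in the order the slides define them: serial, refresh, retry, expire, default TTL."""
    m = SOA_RE.search(data)
    if not m:
        raise ValueError("no SOA timer block found")
    serial, refresh, retry, expire, ttl = (int(x) for x in m.groups())
    return {"serial": serial, "refresh": refresh, "retry": retry,
            "expire": expire, "default_ttl": ttl}

def soa_problems(soa):
    """Rule from the Master/Secondary slides (retry < refresh) plus one added sanity
    check: expire must outlast refresh, or secondaries discard data they could still refresh."""
    problems = []
    if not soa["retry"] < soa["refresh"]:
        problems.append("retry interval must be shorter than refresh interval")
    if not soa["expire"] > soa["refresh"]:
        problems.append("expire interval must be longer than refresh interval")
    return problems

def mx_delivery_order(records):
    """Hosts in the order a sending mail server tries them: lowest preference value first
    (0 is the highest priority, 65535 the lowest)."""
    mxs = []
    for _, rtype, data in records:
        if rtype == "MX":
            pref, host = data.split(None, 1)
            mxs.append((int(pref), host))
    return [host for _, host in sorted(mxs)]

def exposure_report(records):
    """What a zone transfer hands to anyone who can request it: the host inventory and
    any HINFO hardware/OS descriptions, which the slides say should not be stored in DNS."""
    hosts = sorted({name for name, rtype, _ in records if rtype == "A"})
    hinfo = [(name, data) for name, rtype, data in records if rtype == "HINFO"]
    return {"hosts": hosts, "hinfo": hinfo}

def audit(text):
    """Run the three checks over a dump and return one report dict."""
    records = parse_zone(text)
    soa_data = next(data for _, rtype, data in records if rtype == "SOA")
    soa = parse_soa(soa_data)
    return {"soa": soa, "soa_problems": soa_problems(soa),
            "mx_order": mx_delivery_order(records), **exposure_report(records)}

if __name__ == "__main__":
    report = audit(ZONE_DUMP)
    for key, value in report.items():
        print(f"{key:13}: {value}")
```

Run against a dump of your own zone (obtained from your own server, where zone transfer is permitted to you), a non-empty hinfo list or a populated host inventory with descriptive names is the exposure the slides describe, and the fix is on the server side: remove HINFO records and restrict zone transfers to the authorized secondaries.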