Agenda. Review: DNS Security Intrusion Detection and Prevention Systems 1/21

Transcription

1 Agenda Review: DNS Security Intrusion Detection and Prevention Systems 1/21

2 The DNS system is organized in a structure. A. bitmap B. tree C. matrix D. array E. doubly linked list F. queue 2/21

3 The FactCheck.org and FactCheck.com Story In the 2004 presidential debate between John Edward and the vice president Dick Cheney, Cheney said the following: Well, the reason they keep mentioning Halliburton is because they re trying to throw up a smokescreen. They know the charges are false. They know that if you go, for example, to FactCheck.com, an independent Web site sponsored by the University of Pennsylvania, you can get the specific details with respect to Halliburton. ( in the 41st min.) Unfortunately, Cheney got the FactCheck.org domain name wrong-calling it "FactCheck.com". The debate was broadcasted live on TV. Within a few minutes, a lot of people attemped to access FactCheck.com, however, what they saw was a website owned by George Soros, where the top item was an article by Soros entitled "Why We Must Not Re-Elect President Bush". 3/21

4 In this story, which of the following statements is true? A. The mapping between FactCheck.com and its IP address was stored in those DNS root servers. B. The mapping between FactCheck.com and its IP address was stored in every user s computer. C. In the DNS system, FactCheck.com and FactCheck.org were mapped to the same IP address. D. In the above incident, the traffic to FactCheck.org was redirected to a website owned by Soros. E. In the above incident, the traffic to FactCheck.com was redirected to a website owned by Soros. 4/21

5 The attack of making a DNS server cache false information is called? A. DNS spoofing B. DNS cache poisoning C. DNS ID hacking D. DNS pharming E. DNS amplification 5/21

6 Which of the following is NOT a key factor that makes DNS amplification attack possible? A. Forgeability of source addresses of DNS messages. B. Availability of open DNS resolvers. C. Various DNS software do not conform to the DNS protocol. D. Asymmetry of DNS requests and responses. 6/21

7 Intrusion Detection and Prevention Systems 7/21

8 Detection In order to respond to an event, we need to detect it. Test your awareness: Do the test 8/21

9 Detection In order to respond to an event, we need to detect it. Test your awareness: Do the test The point is, data is complicated, network traffic is complicated, among the huge volume of traffic, you need to know what you are looking for and what you want to detect. 8/21

10 Terminology True positive False positive True negative False negative Which are the worst in terms of detection? 9/21

11 Intrusion Detection Systems An intrusion detection system (IDS) monitors activity and produce reports and alerts. Network-based IDS does so by watching network traffic (thereby monitoring multiple computers) Host-based IDS monitors system activity, such as system calls, logs, file metadata. 10/21

12 Intrusion Prevention Systems An intrusion prevention system (IPS), is an IDS that proactively reacts to prevent attacks. e.g., resetting a TCP connection when it looks like an attack is taking place. IDS systems may only monitor traffic, but with sufficient processing power it is possible to do something about it (IPS). Also known as an intrusion detection and prevention system (IDPS). 11/21

13 Intrusion Detection System and Intrusion Prevention Systems An IPS is typically placed in-line, so that it can actively respond to the connection. An IDS may be placed anywhere on the network, or simply have traffic forwarded to it for it to analyze. 12/21

14 Intrusion Detection System and Intrusion Prevention Systems 13/21

15 Common Detection Methodologies Anomaly Detection Systems Signature Detection Systems 14/21

16 Anomaly Detection System An anomaly detection system makes use of profiles that describe the services and resources each authorized user or group normally accesses on the network. (network baselines) The system can monitor users and groups for suspicious activity (anomalies) that does not fit the profiles. e.g., users accessing a database that they never used before (statistical anomaly), something on port 80 that is not HTTP (protocol anomaly). Use anomaly detection if you are especially concerned about network misuse within the organization or you want to monitor all traffic, Web usage, and FTP servers. For a large-scale network, you might not want to create profiles by yourself, you can create baselines during a "training period" - let the IDPS monitors network traffic to observe what constitutes normal network behavior. 15/21

17 Signature Detection System A signature detection system triggers alarms based on characteristic signatures of known external attacks. e.g., an SQL injection attack, or a known buffer overflow exploit, may contain certain strings or patterns, or steps that can be identified. Good for organizations that want a basic IDPS and are mostly concerned with known attacks from intruders trying to access internal hosts from the Internet. Network engineers research well-known attacks and record rules associated with each signature into a database. Signatures should be updated regularly. 16/21

18 Anomaly-based vs Signature-based Anomaly Advantage: Because an anomaly detection system is based on profiles an administrator creates, an attacker cannot test the IDPS beforehand and anticipate what will trigger an alarm. Advantage: Because an anomaly detection system does not rely on published signatures, it can detect new attacks. Disadvantage: Updating IDPS profiles can be time consuming, normal changes in activity can cause false positive. Signature Advantage: Can begin working immediately after installation, easy to understand and less difficult to configure Disadvantage: Novel unknown (zero-day) attacks or new types of attacks might not be included in the database. 17/21

19 Well-known IDS/IPS Vendors Sourcefire Cisco Juniper Networks IBM McAfee TippingPoint 18/21

20 An anomaly-based IDPS can be circumvented in which of the following ways? A. new attacks B. changes in user habits C. changes in published signatures D. minor changes in attack methods that do not match known signatures 19/21

21 A signature-based IDPS can be circumvented in which of the following ways? A. changes in attack methods B. a stolen user account C. making traffic appear normal D. attacks made during the IDPS training period 20/21

22 References A large portion of the material is adapted from: Intrusion Detection and Prevention Systems (IDS/IPS): Computer Security Lectures - by Z. Cliffe Schreuders Guide to Network Defense and Countermeasures - Randy Weaver, Dawn Weaver, Dean Farwood 21/21