8/19/2010. Computer Forensics Network forensics. Data sources. Monitoring

Transcription

1 Computer Forensics Network forensics Thomas Mundt Data sources Assessment Monitoring Monitoring Software Logs and Log Analysis Incident Analysis External Assessment Hackers 2 Monitoring Monitoring software eases administrators tasks System overview Logging Alerting Examples Big Brother Nagios 3 1

2 Monitoring SNMP Extensible designed protocol to monitor and manage network components Components Masteragent Subagent Management station Trap mechanism used to alert 4 Incident response Incident is an anomalous event that impacts confidentiality, integrity, or availability of the infrastructure. IDS and monitoring tools detect such events. Notification options SMS Mail Call 5 Log analysis Purpose of log files is to keep information about incidents. Usually recorded information: Timestamp Network addresses Kind of incident 6 2

3 Log analysis Rules of thumb: Establish a set time each day to review logs Choose reasonable length of time to review logs Decide how deep logs must be analyzed Logs are also the basis of reports 7 Assessment Roadmap Planning Reconnaissance Background information whois DNS System enumeration Topology discovery System accessibility from the Internet 8 Assessment Service enumeration Port scans Vulnerability enumeration Look for known vulnerabilities Search security bulletins and hacker sites 9 3

4 Assessment tools Packit IPSorcery FragRoute LFT XProbe 2 Cisco DoS 10 Packet filtering Mass data requires filtering of traffic. By source or destination. By application (port). Services listen on designated ports 21 - ftp 22 - ssh 23 - telnet 25 - smtp 53 - dns 80 - http Clients usually use a port number above 1023 for outbound traffic 11 How packet filtering works Network packets are accepted or rejected according to certain parameters such as Source address / source ports (if concept known by protocol) Destination address / destination ports (if concept known by protocol) Flags Accepted packets are stored (logged) for further investigation. TCP/IP protocol suite as example 12 4

5 OSI stack and respective protocols Layer Protocol Telnet TFTP FTP SMTP SNMP DNS TCP UDP IP RARP ARP ICMP Logical Link Control & Media Access Control IEEE 802.2, Ethernet, ISDN 13 IP Header Bit 8-Bit 16-Bit Total Length (in bytes) 4-Bit Version 16-Bit Identification 8-Bit TTL Header Length Type of Service (TOS) 8-Bit Protocol 3Bit Flags 32-Bit Source IP Address 32-Bit Destination IP Address 16-Bit Header Checksum Options (Padding, Time Stamp etc.) 13-Bit Frag. Offset 20 Byt es Data (if any) 14 UDP Header Bit Source Port Number 16-Bit Destination Port Number 8 16-Bit UDP Length 16-Bit UDP Checksum Bytes Data (if any) 15 5

6 TCP Header (v.4) Bit Source Port Number 16-Bit Destination Port Number 32-Bit Sequence Number 32-Bit Acknowledgement Number 4-Bit Header reserved U A P R S F R C S S Y IN Length (6 Bits) G K H T N 16-Bit TCP checksum 16-Bit Window Size 16-Bit Urgent Pointer 20 Byt es Options (if any, eg. MSS - Maximum Segment Size) Data (if any) 16 Packet analysis Protocol Type Example ftp in active mode 20 data FTP Server 21 command 3007 command FTP Client 3008 data Port 3008 OK Data channel TCP ACK 18 6

7 Example ftp in passive mode 20 data FTP Server 21 command 3007 command FTP Client 3008 data 3012 PASV OK 3012 Data channel TCP ACK 19 Rules Rules can be applied according to flags, addresses, and ports Packet filtering can also be applied to content of packets 20 Example - iptables [root@titan etc]# iptables -A INPUT -j ULOG --ulogqthreshold 10 [root@titan etc]# iptables -A INPUT -i ppp+ -j external_in [root@titan etc]# iptables -A INPUT -i eth+ -j external_in [root@titan etc]# iptables -A external_in -p tcp -m tcp! --tcp-flags SYN,RST,ACK SYN -j RETURN [root@titan etc]# iptables -A external_in -p tcp -m tcp -- dport 22 -j RETURN [root@titan etc]# iptables -A external_in -i! ppp+ -p tcp -m tcp --dport 80 -j RETURN [root@titan etc]# iptables -A external_in -p rcp -j REJECT --reject-with icmp-port-unreachable 21 7

8 Example - iptables [root@titan etc]# iptables -L -v Chain INPUT (policy ACCEPT 190M packets, 82G bytes) pkts bytes target prot opt in out source destination 190M 82G ULOG all -- any any anywhere anywhere ULOG copy_range 0 nlgroup 1 queue_threshold 10 24M 5190M external_in all -- ppp+ any anywhere anywhere 151M 66G external_in all -- eth+ any anywhere anywhere Chain external_in (2 references) pkts bytes target prot opt in out source destination 3319K 1237M RETURN tcp -- any any anywhere anywhere tcp flags:!syn,rst,ack/syn K RETURN tcp -- any any anywhere anywhere tcp dpt:ssh K RETURN tcp --!ppp+ any anywhere anywhere tcp dpt:http 388K 49M REJECT tcp -- any any anywhere anywhere reject-with icmpport-unreachable 22 Problems with packet filtering Fragmentation Packet filters examine header information Splitting up the packet in a way that the header was split and addresses / ports could not be used for filtering Early packet filters failed with fragmented packets 23 Problems with packet filtering Holes Services need to be reachable from external networks Those ports used by these services have to be openned Limiting targets hosts Hardening the respective service on that host 24 8

9 Honeypot Anti virus software manufactorer want to learn about new viruses and variants. Research honeypots. Usually a larger distributed network of traps. Network administrators want to have information about current threats. Productive honeypots. To attract attention of well-known types of attacks. 25 Honeypots Administrators want to distract attackers from more vulnerable targets. Not an acceptable method in the view of network security. 26 Working principles Honeypots behave like real system. An attacker shall not be able to realize that he is interacting with a honeypot. Honeypots record all user / client actions. Administrator wants to follow the traces of an attacker. Later follows an analysis of attack patterns. 27 9

10 Honeynets Real systems behind a gateway that monitors all network activities. Only network activity can be monitored. Local activities such as virus attacks are not of interest. 28 Spam traps addresses are placed in highly visible places. All sent to a spam trap is considered spam, because the address is not used for real applications. Later blacklisting according to content and sender addresses. 29 Virus traps Anti virus researchers monitor all virus activities in a sand box. A wide variety of system configurations is necessary. Countermeasures have to be developed very fast usually within 6 hours

11 Tarpits Similar to honeypots, but with active function. Slow down attackers by inserting waiting periods in protocols. Reduce spreading speed of worms. Increases costs for attacks. For instance a tarpit might delay SMTP answers almost as long as the time-out value permits