Network Security. Chapter 18 Attack Detection and Prevention. Dr.-Ing. Falko Dressler

Transcription

1 Network Security Chapter 18 Attack Detection and Prevention Dr.-Ing. Falko Dressler Computer Networks and Communication Systems Department of Computer Sciences University of Erlangen-Nürnberg Network Security, WS 2004/

2 Network Security Chapter 18 Attack Detection and Prevention Attack Overview, Taxonomy, and Examples Attack Detection Principles of Intrusion Detection Systems Knowledge-based Anomaly detection Distributed attack detection Attack Prevention Network Security, WS 2004/

3 Introduction Definition: Intrusion An Intrusion is unauthorized access to and/or activity in an information system. Definition: Intrusion Detection The process of identifying that an intrusion has been attempted, is occurring or has occurred. National Security Telecommunications Advisory Committee (NSTAC) Intrusion Detection Subgroup Network Security, WS 2004/

4 Introduction (2) Intrusion Detection Attack- / Invasion detection: Tries to detect unauthorized access by outsiders Misuse Detection: Tries to detect misuse by insiders, e.g. users that try to access services on the internet by bypassing security directives Anomaly Detection: Tries to detect abnormal states within a network, e.g. sudden appearance of never used protocols, big amount of unsuccessful login attempts Intrusion Prevention An IPS adds further functionality to an IDS. After detecting a possible attack the IPS tries to prevent the ongoing attack, e.g. by closing network connections or reconfiguring firewalls Network Security, WS 2004/

5 Introduction (3) Why Intrusion Detection? Common question: Why do I need Intrusion Detection? I've got a great firewall! Firewall blocks all unwanted network traffic, but allows traffic to services offered A firewall does usually not detect any attacks on offered services A firewall does not detect any attacks from the inside Firewalls can be bypassed by opening connections that are made from a Notebook infected by a Trojan or a BotNet-Client. => Can be detected by Intrusion Detection Systems Network Security, WS 2004/

6 Introduction (4) Attack Sophistication vs. Intruder Knowledge Network Security, WS 2004/

7 Attack Overview What makes DDoS attacks possible? End-to-end paradigm Best-effort packet forwarding service Resources are limited; intelligence and resources are not collocated Accountability is not enforced Control is distributed How are DDoS attacks performed? Recruit/exploit/infect strategy Why do people perpetrate DDoS attacks? To inflict damage on the victim Personal reasons, prestige, political reasons, sabotage/espionage Network Security, WS 2004/

8 Attack Taxonomy Source: [Mircovic2004] Network Security, WS 2004/

9 Attack Strategy Scan for vulnerabilities Detection of vulnerable hosts and applications Compromising hosts Manual hacking Viruses, Trojans, Worms Distributed denial-of-service attack Bandwidth depletion Resource depletion Network Security, WS 2004/

10 Port Scan Background Identification of vulnerable systems / applications Automated distribution of worms Scan types Vertical scan: sequential or random scan of multiple (5 or more) ports of a single IP address from the same source during a one hour period Horizontal scan: scan of several machines (5 or more) in a subnet at the same target port from the same source during a one hour period Coordinated scan: scans from multiple sources (5 or more) aimed at a particular port of destinations in the same /24 subnet within a one hour window; also called distributed scan Stealth scan: horizontal or vertical scans initiated with a very low frequency to avoid detection Network Security, WS 2004/

11 Port Scan (2) Scan characteristics Port distribution Source distribution Scan rates for top 10 destination port categories between May-July, Distribution of coordinated, horizontal and vertical scans for the month of June, 2002 Source: [Yegneswaran2003] Network Security, WS 2004/

12 Distributed Denial-of-Service Attacks Bandwidth depletion Resource depletion Flood UDP flood ICMP flood Amplification (i.e. using a reflector network) Smurf (ICMP echo request) Fraggle (UDP echo, e.g. chargen) Protocol exploit TCP SYN PUSH+ACK (to unload TCP buffer + ACK to overflow a receiver) Malformed packet attacks Usage of incorrect formatted IP packets to crash the victim system Sleep deprivation Rendering a pervasive computing device inoperable by draining the battery Network Security, WS 2004/

13 Distributed Denial-of-Service Attacks (2) mostly ICMP traffic Source: [Moore2001] Network Security, WS 2004/

14 History of Intrusion Detection 1980 James Anderson: Computer Security Threat Monitoring and Surveillance 1983 Dorothy Denning (SRI-International): Analysis of audit trails from government mainframe computers 1984 Dorothy Denning: Intrusion Detection Expert System (IDES) 1988 Lawrence Liverpool Laboratories: Haystack Projekt 1990 Heberlein: A Network Security Monitor (NSM) 1994 Wheel Group: First commercial NIDS (NetRanger) 1997 ISS: Real Secure... Boom of Intrusion Detection System Network Security, WS 2004/

15 Intrusion Detection Data collection issues Reliable and complete data Collection is expensive, collecting the right information is important Detection techniques Misuse detection (or signature-based or knowledge-based) Anomaly detection Response Counteracting an attack Evaluation System effectiveness, performance, network-wide analysis False-positive rate False-negative rate Network Security, WS 2004/

16 Classification of Attack Detection Four dimensions Host based Knowledge based Anomaly detection Network based Network Security, WS 2004/

17 Classification of Attack Detection (2) Host Intrusion Detection Systems (HIDS) Works on information available on a system, e.g. OS-Logs, application-logs, timestamps Can easily detect attacks by insiders, as modification of files, illegal access to files, installation of Trojans or rootkits Problems: has to be installed on every System, produces lots of information, often no realtime-analysis but predefined time intervals, hard to manage a huge number of systems Network Intrusion Detection System (NIDS) Works on information provided by the network, mainly packets sniffed from the network layer. Uses signature detection (stateful), protocol decoding, statistical anomaly analysis, heuristical analysis Detects: DoS with buffer overflow attacks, invalid packets, attacks on application layer, DDoS, spoofing attacks, port scans Often used on network hubs, to monitor a segment of the network Network Security, WS 2004/

18 Placement of a Network Intrusion Detection System Monitors all incoming traffic High load High rate of false alarms Internet Monitors all traffic to and from systems in the DMZ Reduced amount of Data Can only detect Intrusions on these Computers Monitors all traffic within the corporate LAN Possible detection of misuse by insiders Possible detection of intrusion via mobile machines (notebooks...) DMZ LAN Network Security, WS 2004/

19 Knowledge-based Detection Based on signatures or patterns of well-known attacks Working principles Scan for attacks using well known vulnerabilities, e.g. patterns to attack IIS web server or MSSQL databases Scan for pre-defined numbers of ICMP, TCP SYN, etc. packets Patterns can be specified at each protocol level Network protocol (e.g. IP, ICMP) Transport protocol (e.g. TCP, UDP) Application protocol (e.g. HTTP, SMTP) Pros Fast, requires few state information, low false-positive rate Cons Recognizes only known attacks Examples Snort, Bro Network Security, WS 2004/

20 Snort OpenSource Support for Windows, UNIX, Linux,... Rule Based Intrusion Detection Ruleset can be edited individually Huge number of predefined rules Daily community rules update Reporting into: Logfiles, LogServer, Database Different formats for captured data supported: libpcap,... Supports packet de-fragmentation, protocol decoding, state inspection Possible reactions: TCP reset, ICMP unreachable, configuration of firewalls, alerting via , pager, SMS (plugins) Graphical tools for administration and analysis are available Network Security, WS 2004/

21 Snort (2) Mainly signature based, each intrusion needs a predefined rule alert tcp $HOME_NET any -> any 9996 \ (msg:"sasser ftp script to transfer up.exe"; \ content:" 5F75702E "; depth:250; flags:a+; classtype: misc-activity; \ sid: ; rev:3) Three step processing of captured information (capturing is done by libpcap): Preprocessing (normalized and reassembled packets) Detection Engine works on the data and decides what action should be taken Action is taken (log, alert, pass) Modular structure allows to change many parts as Preprocessor, Detection, Action Modules Network Security, WS 2004/

22 Snort (3) Snort-Inline, Snort as IPS IPTables inserts packets into a queue Snort receives packets from queue. If packets are not received the are dropped Preprocessing of data (normalization, reassembly, ) Scan engine performs string detection upon the data delivered by the preprocessor Possible algorithms Wu Manber Boyer More Aho-Corasick After detecting an intrusion the correspondent action is taken Snort-Inline has the capability to make the packet filter to drop packets, close connections... Also reconfigures (commercial) firewalls Network Security, WS 2004/

23 Bro OpenSource Available for Unix and Linux Signature based intrusion detection (can work with Snort rules) Signatures can be edited individually Huge number of predefined signatures Reporting: into Logfiles, Log-Hosts, via Saves captured data into libpcap compatible files Supports packet de-fragmentation, protocol decoding, state inspection Reaction possibilities: connection reset, reconfiguration of firewalls No graphical administration or analysis tools available Network Security, WS 2004/

24 Bro (2) Bro uses several steps to process data The amount of data is reduced by every step The less data has to be processed the more sophisticated actions can be done Lipcab is used the capture data from network A packet filter removes all packets that are not examined Event engine does some first examinations passes events to the next level Event is created if: header check failed,... Packet de-fragmentation is done on this level Signature Engine is used to define reoccurring events Policy engine analyses the network traffic, processes all events created by event engine Network Security, WS 2004/

25 Bro (3) Event layer only knows that something has happened, not what Bro signatures make use of regular expressions to also detect variations of a certain intrusion Example of a bro signature to detect variations of the formmail shell command exploit: signature formmail-cve { ip-proto == tcp dst-ip == /16 dst-port = 80 http /.*formmail.*\?.*recipient=[ˆ&]*[; ]/ event "formmail shell command } Bro uses a scripting language specially designed to facilitate network traffic analysis and to detect anomalies due to its high flexibility (implicit typing,...) it is very powerful Network Security, WS 2004/

26 Anomaly Detection Based on the analysis of long-term and short-term traffic behavior Working principles Scan for anomalies in Traffic behavior Protocol behavior Application behavior Pros Recognizes unknown attacks as well Cons False-positive rate might be high Examples PHAD/ALAD, Emerald Network Security, WS 2004/

27 Anomaly Detection (2) Generic anomaly detection system Source: [Estevez-Tapiador2004] Network Security, WS 2004/

28 Anomaly Detection (3) Source: [Estevez-Tapiador2004] Network Security, WS 2004/

29 Anomaly Detection (4) Classification criteria Source: [Estevez-Tapiador2004] Network Security, WS 2004/

30 PHAD Packet Header Anomaly Detection (PHAD) [Mahoney2001] Protocol analysis learns normal ranges of values for each header field (link, network, transport layer) score field = t n/r t time since previous anomaly n number of observations r number of distinct values Learning phase + detection phase Network Security, WS 2004/

31 ALAD Application Layer Anomaly Detection (ALAD) [Mahoney2002] Extension to PHAD Five models: 1. P(src IP dest IP) Learns normal set of clients for each host, i.e. the set of clients allowed on a restricted service 2. P(src IP dest IP, dest port) Like (1), but one model for each server on each host 3. P(dest IP, dest port) Learns the set of local servers which normally receive requests 4. P(TCP flags dest port) Learns the set of TCP flags for all packets of a particular connection 5. P(keyword dest port) Examines the text in the incoming request (first 1000 bytes) Network Security, WS 2004/

32 EMERALD Event Monitoring Enabling Responses to Anomalous Live Disturbances [Porras1997] Network Security, WS 2004/

33 CATS Cooperating Autonomous Detection Systems (CATS) [Dressler2004] P : Monitoring probe CATS CATS : Autonomous detection system monitoring data exchange of monitoring data and alert information CATS P P P Attackers P P Victim CATS Network Security, WS 2004/

34 CATS (2) Concept and benefits of CATS Separation of monitoring and detection Utilization of a distributed monitoring environment Deployment of multiple independently working autonomous detection systems Self-X properties of the detection systems Improved detection performance through cooperation between multiple detection systems Combination of knowledge-based and anomaly detection techniques using both local and global context information Export of packet data and flow statistics utilizing standardized protocols, e.g. IPFIX and PSAMP Network Security, WS 2004/

35 CATS (3) PSAMP Data IPFIX Data Events & Characterization Events & Characterization Anomaly detection looking for unusual behavior without any precognition - comparing long-time behavior to short-time behavior - maintaining different profiles (per destination, aggregate,...) Potential Techniques: - statistical tests, neural networks, Bayes networks Knowledge-based detection looking for known signatures and misbehavior Potential Tools: - Snort & Plugins -Bro Statistical measures - bit rate, packet rate, # of connections,... - gathered per aggregate or single flow Packet monitoring & sampling Raw Packet Data PSAMP Data IPFIX Data Network Security, WS 2004/

36 Defense Taxonomy Source: [Mircovic2004] Network Security, WS 2004/

37 Defense Challenges Need for a distributed response at many points on the Internet Coordinated response is necessary for successful countermeasures Economic and social factors Deployment of response systems at parties that do not suffer direct damage from the DDoS attack Lack of detailed information Thorough understanding of attacks is required Lack of defense system benchmarks Difficulty of large-scale testing Network Security, WS 2004/

38 Attack Prevention / Counteracting Anti-Spoof Mechanisms Filtering of forged packets Cryptographic authentication Traceback Counteracting DDoS attacks Counteracting TCP SYN flood Distributed Firewalling Congestion control Network Security, WS 2004/

39 Anti-Spoof Mechanisms Filtering of forged packets Ingress filtering: implementation of anti-spoof ACLs based on (static/dynamic) knowledge about own IP address range RPF: reverse path forwarding, known from multicast routing, fails for dynamic load-balancing SAVE: source address validity enforcement protocol [Li2002] Associates interfaces with valid source address ranges Also useful for RPF check, e.g. for multicast routing Cryptographic authentication IPSec authentication, problem: key management Traceback Real-time / Forensic methods Most promising solution! Network Security, WS 2004/

40 TCP-SYN flood >90% of DDoS attacks use TCP [Moore2001] Several defense mechanisms SYN cache, SYN cookies, SynDefender, SYN proxying, stateful, have to be installed at victims FW, rely on traceback Flooding detection system (FDS) [Wang2002] Stateless, low computation overhead Relies on SYN-FIN/RST pairs Uses CUSUM (cumulative sum) algorithm Automated model approach [Tupakula2004] Controller-agent model #SYN - #ACK > limit? Agent sends an alarm to the controller Central controller verifies alarm signatures and issues countermeasures Basic idea: detection, source identification, firewall configuration Network Security, WS 2004/

41 DDoS Defense Secure Collective Defense System (SCOLD) [Chow2004] Key idea is to provide clients with alternate routes via proxies Main techniques: indirect route and secure DNS updates Network Security, WS 2004/

42 Congestion Control Handling congestion leads to indirect detection and recovery from DDoS attacks Push-forward mechanism [Krishnamoorthy2004] Once an access router identifies potential attack traffic, it alerts the downstream router using a push-forward message On-path-mechanism Architecture Collection module Statistics module Drop module Push-forward message generation module Network Security, WS 2004/

43 References [Dressler2004] F. Dressler, G. Münz, and G. Carle, "CATS - Cooperating Autonomous Detection Systems," Proceedings of 1st IFIP TC6 WG6.6 International Workshop on Autonomic Communication (WAC 2004), Berlin, Germany, October [Estevez-Tapiador2004] J. M. Estevez-Tapiador, P. Garcia-Teodoro, and J. E. Diaz-Verdejo, "Anomaly detection methods in wired networks: a survey and taxonomy," Computer Communications, vol. 27, July 2004, pp [Hussain2003] A. Hussain, J. Heidemann, and C. Papadopoulos, "A Framework for Classifying Denial of Service Attacks," Proceedings of ACM SIGCOMM Conference, Karlsruhe, Germany, August 2003, pp [Kemmerer2002] R. Kemmerer and G. Vigna, "Intrusion Detection: A Brief History and Overview," IEEE Computer - Special Issue on Security and Privacy, April 2002, pp [Krishnamoorthy2004] S. Krishnamoorthy and P. Dasgupta, "Tackling Congestion to Address Distributed Denial of Service: A Push-Forward Mechanism," Proceedings of IEEE Globecom 2004, Dallas, TX, USA, December [Lee2004] R. B. Lee, "Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures," Princeton University, Technical Report, [Li2002] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, "SAVE: Source Address Validity Enforcement Protocol," Proceedings of IEEE Infocom 2002, New York, USA, June [Mahoney2001] M. V. Mahoney and P. K. Chan, "PHAD: Packet Header Anomaly Detection for Identifying Hostile Network Traffic," Florida Tech., Technical Report CS , [Mahoney2002] M. V. Mahoney and P. K. Chan, "Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks," Proceedings of 8th ACM International Conference on Knowledge Discovery and Data Mining, 2002, pp [Mahoney2003] M. V. Mahoney, "A Machine Learning Approach to Detecting Attacks by Identifying Anomalies in Network Traffic," Ph.D. Thesis, Florida Tech., Network Security, WS 2004/

44 References (2) [Martin2004] T. Martin, M. Hsiao, D. Ha, and J. Krishnaswami, "Denial-of-Service Attacks on Batterypowered Mobile Computers," Proceedings of Second IEEE International Conference on Pervasive Computing and Communications (PerCom'04), Orlando, Florida, March [Mirkovic2004] J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM SIGCOMM Computer Communication Review, vol. 34, April 2004, pp [Moore2001] D. Moore, G. M. Voelker, and S. Savage, "Inferring Internet Denial-of-Service Activity," Proceedings of USENIX Security Symposium, Washington, DC, August [Paxson1999] V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," Computer Networks, vol. 31, December 1999, pp [Porras1997] P. A. Porras and P. G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances," Proceedings of National Information Systems Security Conference, October [Roesch1999] M. Roesch, "Snort: Lightweight Intrusion Detection for Networks," Proceedings of 13th USENIX Conference on System Administration, 1999, pp [Tupakula2004] U. K. Tupakula, V. Varadharajan, and A. K. Gajam, "Counteracting TCP SYN DDoS Attacks using Automated Model," Proceedings of IEEE Globecom 2004, Dallas, TX, USA, December [Wang2002] H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN Flooding Attacks," Proceedings of IEEE INFOCOM 2002, [Yegneswaran2003] V. Yegneswaran, P. Barford, and J. Ullrich, "Internet Intrusions: Global Characteristics and Prevalence," Proceedings of ACM SIGMETRICS, June Network Security, WS 2004/