- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
Part One: Management Issues
Your goal is to show management that this is part of an overall integrated informationassurance strategy that has tangible benefits to the organization. The key to doing this is to show that your proposed solution has the following characteristics:
●Bang for the buck.
●The expenditure is finite and predictable.
●The technology will not destabilize the organization.
●This is part of a larger, documented strategy.
Bang for the Buck
You need to be realistic. Intrusion detection is fairly costly. You need two fast computers ($2.5k each). If you choose commercial intrusion-detection solutions, the software license ($10k, to start), means that it costs $15k just to say intrusion detection. The network might need to be altered and there is the __ work-year salary and overhead for the intrusion-detection analyst; you could easily be talking $100k. But wait, there is more, bandwidth is increasing, so you need six sensors and a Top Layer switch just to watch the web farm, add another $100K. You need a database to search for slow speed scans and a correlation engine with a hardware RAID to hold all this data, add another $150K easily. In an environment focused on cost reduction, you are going to have to show a significant benefit to justify this expense.
The good news is that you can do exactly that. Risk is part of the business equation. In fact, there are markets that buy and sell denominated risk every day. Did you skip over the risk chapter? What is one way an intrusion-detection system helps reduce the annualized loss expectancy (ALE)? By observing the attacks against your organization, the analyst can assist the organization in fine-tuning its firewall and other defenses to be resistant to these attacks. Is that worth $100k - $350k? If not, here is another way an intrusion-detection system helps reduce loss. To conduct business, you might find that certain applications, or situations, require that some vulnerabilities need to be left on systems. A common example is that when you apply the recommended security patches to a system, it breaks some application. The intrusion detection can be focused on that particular vulnerability. In fact, this is an ideal opportunity to use that Reset kill you have been itching to try. There is a bang for the buck using intrusiondetection systems.You can show it, and you can quantify it.
Intrusion Detection Using Firewalls
One of the incredible changes on the market has been firewalls that log full binary data. OpenBSD's IPFilter and the commercial Raptor firewall can log data in BPF format. This binary logging allows you to run Snort or TCPdump filters against this information. This is incredible! I have already mentioned hogwash and UnityOne, firewall appliances with an IDS capability built in. My personal preference is to use two devices—if one fails the other continues to run.
Also, firewalls that do not have a binary logging capability can still be used in intrusion detection. As an example, Dshield (www.dshield.org), the technology that powers incidents.org, uses firewall data for its large-scale intrusion-detection capability. Firewalls certainly can be sensors. To be sure, firewalls that do not log most of the TCP header field values, such as TCP flags, only allow for very limited analysis. If you have a firewall with the fidelity of a Linux firewall (such as IPtables, for example), however, you can do a lot of the traffic-analysis techniques you have learned in this book.
If you do not have an IDS available, you can and should begin to apply what you have learned from this book by reviewing your organization's firewall logs. Needless to say, get permission first and be slow to raise alarms!
The Expenditure Is Finite
You know the old adage about a boat being a hole in the water you throw money into. I was
reading a Sunday paper column recently titled, "Ten Tips on How to Increase Your Personal Wealth." One of the tips was don't buy a boat; if you have a boat, sell it. I am not so interested in wealth that I am ready to ditch my boats, but they do keep costing money (and they are mostly sea kayaks).
Here is one more house story that will help you understand a senior manager's concerns about containing expense. One day, I realized that everything I did was done on a small fleet of laptops and a cell phone with a trillion monthly minutes. In that moment, I realized I could live anywhere I want as long as the area has cell towers and DSL or better. My wife and I settled on Hawaii, and as luck would have it, DoD called the next day and asked me to do two weeks of consulting on an IDS visualization project on Oahu, so Kathy and I flew down to the islands. Two weeks later, we bought a dream house on Kauai on the rim of a canyon overlooking the Wailua River halfway between the rainforest and the beach. A month after we moved in, the dream house became a nightmare house as it suddenly settled into the soft earth of what had formerly been a pineapple field. A parade of insurance agents came through claiming it was not covered, followed by structural engineers saying they had never seen this before. Finally, a wise local pointed me to the best contractor on the island, Luis Soltren—truly the best contractor I have ever seen—but the house was totaled. Luis, like anyone who is the best at what he does, is not cheap. It was the money pit, (never watch that movie if you are remodeling), up close and personal. Every time they pulled a piece of sheetrock or a tile, we would find more problems. Luis would shout for one of us and we would look and shudder. I did remodeling in college, have built a house, and roofed dozens, so I know a bit about the trade, and Luis was spot on—these were all must-do repairs. The bill kept getting higher and higher. When it crossed, no joke, $200k, I was sick to my stomach, and it kept going. We are finally done, and I learned a very important lesson. The phrase total cost of ownership is very popular in information technology, and I never really considered it until I was caught in a project, my house, where it wasn't possible to calculate what the final costs were going to be; they just kept going up.
Now, let's apply what we have learned from this story to intrusion detection and your organization's senior management. Keep in mind that good managers treat every dollar as if it is their own, and uncontrollable costs make them feel the way my house made me feel.
When it comes to intrusion detection, management might well be willing to pay the $100k or whatever, but management needs to be shown why the expenses you propose in your plan are probably correct and that you aren't going to have to come back for more and more money. For instance, a classic error is to plan on using older, last-generation PCs for the intrusion system. I propose the opposite. Buy the latest-generation PCs for intrusion detection, and after six months to a year, roll them out as desktop machines.
Management will appreciate this as an honest and workable approach. It gives the organization the best possible intrusion-detection capability and the hardware upgrades are essentially free
because buying new desktops is part of the computing life cycle.
Technology Used to Destabilize
The signature line of the hymn "Amazing Grace" is "I once…was blind, but now I see." This is what an intrusion-detection system does: It helps an organization go from a blind state to a seeing state. Time and time again, students who take the intrusion-detection curriculum we teach at SANS go back and start looking at their data and they realize they really need to change the way they do business. This is a good thing! However, it is a change, and people are suspicious of and resistant to change. When you propose intrusion detection, you must be sensitive to the potential for organizational change and make every effort to show that the IDS will "fit in." Some of the potential impacts to the organization are the configuration of the network, the effects on behavior of employees, and the need for additional policy support.
Network Impacts
We have discussed the challenges of deployment on switched networks. This needs to be carefully coordinated with the network operations people before the purchase order for the IDS is cut. The best thing to do is to get the spanning port working with a protocol analyzer; most
network operations groups have one or more protocol analyzers. If the spanning port is difficult for your networks operations people to configure and maintain, network taps should be considered for the listening ports on the IDS. Many people feel that good practice for an IDS sensor is to be provisioned with multiple interface cards:
●Listening ports in promiscuous mode but without IP addresses. This makes it hard for attackers to find the sensor's listening ports.
●One interface, with an IP address, is used to communicate with the sensor.
The IDS will almost certainly require a firewall modification. Commercial vendors all seem to think that writing their own proprietary protocol for communications among their IDS consoles, sensors, and databases sets them apart from their competition. And of course, they are literally correct. Do your homework and research what ports need to be opened. If the IDS can be modified to use an existing hole in the firewall, use that. Even proxy-based firewalls often have a pass-through hole; a "suck-and-spit" proxy with no protocol knowledge already running to support some application or another. It will be great when the Intrusion Detection Working Group (IDWG) finishes its work and there is a standard transport protocol based on beep
(www.beepcore.org/beepcore/docs/profile-idxp.html) for intrusion-detection systems.
IDS Behavioral Modification
Behavioral modification is another aspect of running an IDS. You already know that I have concerns about using the IDS as big brother, even though many organizations are losing a lot of money to wasteful activities. The IDS is a data collection and analysis tool, however; so even if you aren't looking for trouble, you might still find it. You need to be prepared as an organization to deal with what you find now that you are no longer blind to network traffic. Let's use an IRC server as an example scenario.
You turn the IDS on and soon realize that a bright young kid in the computer operations department has set up one of your internal systems as an IRC server. How did you find this out if you weren't monitoring for IRC? We have discussed the fact that DNS, web, and email servers draw a lot of fire. That is nothing compared to the fire IRC servers draw! What the analysts see is a ba-zillion attacks and probes directed at a system in computer operations. When you look into it further, you find out the rest of the story. Obviously, the organization wants to turn this around and get the problem cleaned up. The wise analyst and organization will have established policy before the IDS was powered on to handle these things.
The Policy
I suggest that the organization consider an initial amnesty policy. By this, I mean the first 10 or so violations of the organization's acceptable-use computer policy be dealt with quietly and in a lenient fashion. A memo can be sent out that doesn't name anyone, but lists some of the examples and warns that in the future these activities will not be tolerated. I know of organizations that have turned on their shiny new IDS and examined their traffic for the first time. Imagine their surprise when they see things they do not approve of entering and leaving their network. They are now at an important decision point. If the organization reacts in a kneejerk fashion and walks the employee straight to the door, the IDS will always be viewed with suspicion and hatred. Be especially careful with the way you deal with systems and network administrators; they are used to doing whatever they want. If you walk someone from the computer or network operations group to the door because they broke an acceptable-use policy you just started enforcing, your IDS might break down or suffer blindness caused by loose cables a lot in the future!
Management knows all about firestorms—hate and discontent and the interactions between folks with strong personalities. Managers deal with this kind of stuff every single working day. If your implementation plan shows that you are sensitive to the other players in the organization and that the IDS is not guaranteed to produce Excedrin headache number 36, they will be far more supportive of your plan.