- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
securityfocus.com Incidents list."1
1Richard Bejtlich
In addition to detection, these large-scale intrusion detection networks also play a crucial role in response. As they collect data and the information passes a certain threshold, they can create automated or semi-automated reports and send them to the responsible party for an IP address. For instance, on February 28, 2002, IP address 217.128.207.17 from the abo.wanadoo.fr domain was detected sending 33,995 packets. Now, that certainly warrants sending a note, though sending a note to Wanadoo asking them to quit ftp scanning is a bit like sending a note to Bin Laden asking him to stop terrorism—at best, they don't care. However, many people do care, and the note from Dshield might be the first hint a system administrator gets to help him realize he has a problem. Below is a note from another satisfied customer: "Thank you for the notification of illicit activity coming from a computer in the University of XXXXX XXXXXX domain. This was a faculty member's computer that was found to have the "mummy" virus when the eSafe virus scanner was ran on the computer. We have attempted to disinfect this computer to prevent the unauthorized intrusions to your and other networks. Again thanks for the notification; and if there is anything else we can do, please let me know." By the way, I am a bit skeptical about the particulars in the report. The mummy virus is an MSDOS Jerusalem variant, so this sounds like an excuse to cover some mischief, but as long as the behavior changes, it is another win for these new defense systems. To date, only Aris has a business model to support what it is doing, so it is not clear that these first implementations of large-scale intrusion detection will survive long term. I certainly hope they are an emerging trend. I would like to close the chapter and the book with a quick review of the anti-virus industry, a discussion of hardware-based and program-based intrusion detection, and finally, some of the changes in auditing.
Emerging Techniques
Current intrusion-detection systems are fairly limited. Network-based systems are not well suited to detect the insider threat, mobile code, intelligence-gathering viruses, modem-based attacks, or runs along the trust model. Host-based systems can detect these attacks, but they suffer from two big problems: the cost of deployment and the system overhead "tax." There is a lot of money to be made by the company that can build and market the better mousetrap. The enterprise security consoles we have discussed are one technology poised to collect some of this money—after all, what security guy is not going to want a cockpit? Curiously, the market
sector that appears to have snatched defeat from the jaws of victory is the anti-virus arena.
Virus Industry Revisited
I have watched in amazement as NAI and Symantec, two companies in exactly the right place to take advantage of the gap between the increasing threat and existing response, have failed to take total control of the host-based intrusion detection market. Even if anti-virus makers do not want anything to do with the intrusion-detection market sector, they are already intersecting with it. These Trojans all have a network signature, SubSeven, and netbus and all the rest. Anti-virus companies can detect all of these and remove them as well! Well, maybe not. The first clue I had that anti-virus could be evaded was when one of my students realized he had accidentally downloaded a Trojan when he saw "notepad.exe" go by after having clicked on a download page. After some investigation, he determined it was QAZ. And yet, his antivirus didn't pick it up. But how is this possible with a well known Trojan? Well, it turns out that the attacker community can "pack" the Trojan with any number of tools. For more information
on this, go to http://rr.sans.org/malicious/trojan_war.php.
However, do not count out the anti-virus industry. It can detect the work of many of the more
popular packers and certainly can detect the Trojan when it becomes active on the network if you also have a personal firewall packaged with your anti-virus. Well, you can if the malicious code doesn't disable the firewall and/or anti-virus software as one of its first orders of business, but the companies are working on defending against this as well.
Symantec's Internet Security product that combines anti-virus with a personal firewall is not a bad product, but it could have been a killer application. Anti-virus companies are poised to be the 800-pound gorillas in intrusion detection. An anti-virus company could excel in this industry because of the following eight reasons:
●No security tool has better desktop penetration than anti-virus software.
●Intrusion-detection tools often have fewer than 500 signatures; virus software can detect more than 20,000.
●Virus software comes with implementations for firewalls, server systems, or the desktop.
●These tools can identify, contain, eradicate, and recover with minimal user intervention.
●Anti-virus companies have fully solved the issue of updating a user's signature table with a variety of painless options.
●Many large organizations have site licenses with these software companies and are pretty satisfied.
●Anti-virus companies are already oriented to very fast turnaround of a signature table when a new exploit is detected.
●These software companies often have companion products with security capabilities.
The match is so perfect that I cannot understand why we aren't seeing these products dominate the industry. It would be so easy to make the changes to the NAI or Symantec personal firewalls to let them serve as network intrusion detection systems, but with every software release, they seem to move further and further away from providing a tool that is industrial strength.
Next, we will discuss intrusion detection in hardware. Cisco, more than any other company, has been intentionally pursuing putting intrusion detection in the network itself, so that you have
hardware-based intrusion detection solutions.
Hardware-Based ID
There are three serious challenges to network-based intrusion detection:
●Encrypted packets that foil string matching
●Fast networks beyond the speed of the sensor
●Switched networks
We discuss intrusion detection in the switch shortly. Encryption is an interesting problem. It is good if your organization is doing it and having the key escrowed. Encryption is a bad thing if someone is using it to evade your detection system. How do you know if a bit stream is encrypted? You test for randomness, of course. This is easy to do, but expensive in terms of CPU cycles. There is an argument that this should be done in hardware. I am not sure this is valid; general-purpose computers keep getting faster and faster. With that said, there are places where applying hardware to the problem makes a lot of sense. One of the best applications is faster nets.
The perfect place for Cisco SecureIDS is on a card placed in a Cisco router or switch. This, however, is just a toaster without a power supply. The really interesting advances come by doing limited intrusion detection as a software process in the router or switch. This is a desperately needed future trend. One advantage of this is that you finally achieve real-time, or wire speed. In all other solutions (except intrusion detection in the firewall), you detect the intrusion right after the packet has flown by. In this case, you can literally stop it or divert it to a honeypot. The capability to do this seems to be at hand with the Policy Feature Card that is
available for the Catalyst 6000 switches. I am not sure why they built the card, perhaps to provide a product to compete with TopLayer, the application layer switch that well-funded intrusion detection analysts turn to when they have the need for speed. Perhaps they project advances in the QoS market that I just do not see on the horizon. However, the ability to filter, mark a packet, application switch, or failover switch inside the network fabric at the rate of 5 million packets per second at layer 3— much more at layer 2—opens a number of possibilities for detection and protection. This would include many of the auto-response capabilities such as dropping a connection, rate limiting, copying traffic to a more powerful IDS or binary logger, or switching the connection to a honeypot. Like large-scale intrusion detection systems, it will be a
while before we really know what to do with tools like this, but learning should be a lot of fun.
Program-Based ID
I just cannot get over the size of programs today. I used to own a computer called a Commodore 64. The 64 stood for the amount of RAM, 64K. The implication is that the programs had to load and run in that memory space. There is an important lesson to be learned by comparing the functionality of the Commodore 64 to my 400Mhz Pentium II with 1024MB of RAM. The applications that ran on the Commodore had about the same functionality as my Microsoft Office suite. However, these programs are huge! If we are going to tolerate bloatware, and it is clear we will, we might as well start asking for some security in the programs.
At the seminal conference for intrusion detection SANS' ID'99, I was fortunate enough to break away for an hour to have lunch with Simson Garfinkle, who is writing software designed for special-security applications. A lot of security software, especially vulnerability-testing programs, can be used for malicious purposes. He wants to protect his intellectual property from intrusion (software piracy), and he also wants to ensure the software cannot be misused without it being clear and obvious which copy of the software is the origin.
Can software prevent or detect that it is being copied or misused? For a while, this was a big issue for computer games, at least the copy-protection aspect. It doesn't seem to be such a hot topic today. None of the games my son has bought require a dongle. One of the forensics tools I use, Expert Witness, has some degree of license protection built in with a hardware dongle. Microsoft must have some scheme with its strange orange sticker on the CDs, the long pin numbers, and its techniques for phoning home and inspecting the network for license violations. Simson, however, was taking the issue a lot more seriously than any of these companies appear to be. He was proposing a series of countermeasures, including encrypting segments of the programs and chaining checksums.
Let's take this a step further. Could a critical program detect that it is under attack? Suppose sendmail or Bind had a static library of security functions. The program could then detect an unauthorized entity is trying to access it, or that the input it is receiving is actually binary code. It could then block the attack and raise an alarm. Programs could even develop profiles about their uses so that they can detect that someone "out of profile" is accessing their files and take some preprogrammed action. Still another way to do intrusion detection at the program level is to put a wrapper around the program, which is most certainly an emerging trend.
The first wrapper was Wietse Venema's TCP Wrapper program, which was a wonderful security tool for years—although perhaps xinetd with ICMP support is more appropriate today. But, the concept has been extended. You might want to check out immunix (www.immunix.org). I would expect that, for Internet facing applications, this will be an emerging theme to the point that
eventually, sound practice will be to chroot it, wrap it, or both.
Smart Auditors
This emerging trend was in the book the first go around and it didn't happen. I put it in again in the second edition and there was some progress—not enough for me to get hired by Miss Cleo—but I am sticking with this as an emerging trend! According to Alan Kay, the best way to predict the future is to invent it, and by the time this book is in your hands, SANS should be engaged in helping to establish pragmatic tools and resources for auditors. Auditors are already smart—that is why they do the auditing and you do the sweating. Auditors are starting to understand security technology and practices at a rapid rate. The days are gone and will not