Intrusion Detection and Prevention

Upload: sylvana-silas

Post on 30-Dec-2015


DESCRIPTION

Intrusion Detection and Prevention (PowerPoint presentation). Objectives: the purpose of IDSs, the function of IDSs in a secure network design, installing and using an IDS, and customizing the IDS signature database. What an IDS is: a dedicated hardened host with sensors that sit on the network you want to protect, acting as a network sniffer and packet pattern analyzer.

TRANSCRIPT

Page 1: Intrusion Detection and Prevention

Page 2: Objectives

● Purpose of IDSs

● Function of IDSs in a secure network design

● Install and use an IDS

● Customize the IDS signature database

Page 3: IDS: What are they?

● A dedicated, hardened host

● Sensors that sit on the network you want to protect

● A network sniffer plus a packet pattern analyzer

● Unlike a firewall, an IDS is passive: it watches traffic and alerts rather than blocking it (this is changing, with inline prevention systems)

● Sensors are often placed at each layer of a layered network

Page 4: Location of IDSs

(Network diagram.) Internet → exterior firewall → public network holding the external DNS, SMTP server, web server and an IDS sensor → interior firewall → protected network holding the internal clients, internal DNS, mail server, internal servers, an internal IDS sensor and the logging/alerting server.

Page 5: IDS: The Need

● Detection of probes and scans

● Detection of network reconnaissance activity

● A record of attempted exploits

● Locating a compromised host on your network

● Determining what information was compromised

Page 6: The Attack Plan

● Usually multiphased

● Phase 1: network scan

  ● Characterize the hosts on the network

  ● Look for particular services, e.g. DNS, HTTP

  ● Determine service versions and OS types

● Phase 2: exploit a buffer overflow in DNS and compromise the DNS host

● Phase 3: compromise other hosts on the network from there

● Without an IDS you would not know any of this had happened

Page 7: Protection Plan

● Analyze all packets continuously

● Look for patterns of known attacks: network IDS signatures

  ● The science behind IDS

  ● Like virus signatures, IDS signatures must be kept up to date

  ● Do-it-yourself signature writing is sometimes necessary

● Look for statistical anomalies

  ● Not a very well developed science as yet
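The scan phase of pages 5 and 6 and the statistical, non-signature detection mentioned on this page, as an added example that is not part of the slides: a threshold detector over connection records that flags a source which touches many distinct ports on one host (vertical scan) or one port on many hosts (horizontal scan) inside a sliding time window. The connection records, addresses and thresholds are constructed for illustration; in practice the records would come from a sensor or flow exporter.

```python
"""Threshold-based port-scan detector over connection records.

Added example, not from the slides. SAMPLE below is constructed for
illustration. A source that reaches SCAN_PORTS distinct destination ports
on one host, or SCAN_HOSTS distinct hosts on one port, within WINDOW
seconds is reported once per (source, target) pair.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float      # seconds since some epoch
    src: str
    dst: str
    dport: int


SCAN_PORTS = 10    # distinct ports on one host within the window -> vertical scan
SCAN_HOSTS = 10    # distinct hosts on one port within the window -> horizontal scan
WINDOW = 5.0       # seconds


def detect_scans(conns, window=WINDOW, port_threshold=SCAN_PORTS, host_threshold=SCAN_HOSTS):
    """Return alerts as (kind, src, target, count) tuples, in detection order.

    Per source, a sliding window of recent (ts, dst, dport) records is kept;
    records older than `window` seconds relative to the current one are
    evicted before counting, so a slow scan that stays under the threshold
    inside any one window is not reported (the trade-off page 16 describes).
    """
    alerts = []
    recent = defaultdict(list)
    fired = set()
    for c in sorted(conns, key=lambda r: r.ts):
        buf = recent[c.src]
        buf.append((c.ts, c.dst, c.dport))
        while buf and buf[0][0] < c.ts - window:
            buf.pop(0)
        ports_by_host = defaultdict(set)
        hosts_by_port = defaultdict(set)
        for _ts, dst, dport in buf:
            ports_by_host[dst].add(dport)
            hosts_by_port[dport].add(dst)
        for dst, ports in ports_by_host.items():
            key = ("vertical", c.src, dst)
            if len(ports) >= port_threshold and key not in fired:
                fired.add(key)
                alerts.append(("vertical-scan", c.src, dst, len(ports)))
        for dport, hosts in hosts_by_port.items():
            key = ("horizontal", c.src, dport)
            if len(hosts) >= host_threshold and key not in fired:
                fired.add(key)
                alerts.append(("horizontal-scan", c.src, dport, len(hosts)))
    return alerts


# Constructed sample: 10.0.0.9 sweeps ports 1..12 on 10.0.0.5, then probes
# port 53 on 10.0.0.20..31; 10.0.0.7 is an ordinary client of the same server.
SAMPLE = (
    [Conn(100.0 + i * 0.1, "10.0.0.9", "10.0.0.5", p) for i, p in enumerate(range(1, 13))]
    + [Conn(110.0 + i * 0.2, "10.0.0.9", f"10.0.0.{20 + i}", 53) for i in range(12)]
    + [Conn(100.5, "10.0.0.7", "10.0.0.5", 80), Conn(101.0, "10.0.0.7", "10.0.0.5", 443)]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE):
        print(alert)
```

The thresholds and window are the tuning knobs: lowering them catches slower and smaller probes but starts to flag busy legitimate clients, which is exactly the false-positive/false-negative tension the deck returns to later.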

Page 8: Land Attack (1997)

● Based on hand-crafted packets

● Source and destination IP address (and port) are the same

● Older systems would crash

● Windows NT and 95 depended on receiving well-formed packets

● Basically a denial of service attack

● www.kb.cert.org/vuls/id/396645

Page 9: Teardrop Attack (1997–1998)

● Improper packet sequence: the IP fragment offset is malformed

● Consecutive fragments overlap

● Newtear.c (on the course web site)

● Another DoS attack

Page 10: Teardrop cont'd

● Packet 1

  ● Total length of IP datagram: 48 bytes

  ● More-fragments flag is set

  ● Fragment offset is 0

  ● UDP length field: 48 bytes, which is incorrect; it should be the IP total length minus the 20-byte IP header, i.e. 28

Page 11: Teardrop cont'd

● Packet 2

  ● Total length of IP datagram: 24 bytes

  ● Fragment offset is 3 (in units of 8 bytes, so byte 24)

  ● More-fragments bit is cleared

  ● 24 bytes are sent (a 20-byte IP header plus 4 bytes of payload)

Page 12: Teardrop cont'd

(Figure: the two fragments and their reassembly.)

Packet 1: bytes 0-19 IP datagram header (length 48, more-fragments bit 1, offset 0); bytes 20-27 UDP segment header (src port, dest port, length 48, checksum); bytes 28-47 UDP payload. The UDP length field reads 48 but should be 28.

Packet 2: bytes 0-19 IP datagram header (length 24, more-fragments bit 0, offset 3); bytes 20-23 IP payload.

Fragment reconstruction: packet 1's payload fills the reassembled datagram from byte 0 to byte 27; the new fragment from packet 2 is placed at offset 3 × 8 = 24, inside the range packet 1 already filled, so the two fragments overlap and the second ends no later than the first.
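Packet-level checks for the Land attack (page 8) and the Teardrop fragments of pages 9 to 12, as an added example that is not part of the slides: a minimal IPv4 header parser, a Land test (identical source and destination address, and port where there is one), and a fragment tracker that reports a fragment whose byte range overlaps one already seen for the same datagram, with the teardrop-specific case of a fragment that ends inside the earlier one. The packets are built inline from the sizes on slides 10 and 11, with checksums left at zero, and the addresses, IP id and ports are constructed for illustration.

```python
"""Land and Teardrop checks over raw IPv4 packets.

Added example, not from the slides. Packets are constructed inline
(checksums zero) so the script runs offline. The UDP length field on
slide 10 is not checked here: for a fragmented datagram it describes the
whole datagram, so it cannot be validated against one fragment's size.
"""
import struct
from collections import defaultdict

# version/IHL, TOS, total length, id, flags+fragment offset, TTL, proto, checksum, src, dst
IP_HDR = "!BBHHHBBH4s4s"


def ip2b(a):
    return bytes(int(x) for x in a.split("."))


def b2ip(b):
    return ".".join(str(x) for x in b)


def build_ipv4(src, dst, ident, more_frags, frag_offset_units, proto, payload):
    """Minimal IPv4 packet: 20-byte header (checksum 0) followed by payload."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset_units & 0x1FFF)
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, ip2b(src), ip2b(dst))
    return hdr + payload


def parse_ipv4(pkt):
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": b2ip(src), "dst": b2ip(dst), "id": ident, "proto": proto,
        "mf": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,   # the field counts 8-byte units
        "payload": pkt[ihl:total_len],
    }


class FragmentTracker:
    """Remembers the byte ranges of fragments seen per (src, dst, id, proto)."""

    def __init__(self):
        self.seen = defaultdict(list)

    def check(self, p):
        if not (p["mf"] or p["offset"]):
            return []                      # not a fragment; nothing to reassemble
        key = (p["src"], p["dst"], p["id"], p["proto"])
        start, end = p["offset"], p["offset"] + len(p["payload"])
        findings = []
        for s, e in self.seen[key]:
            if start < e and end > s:      # byte ranges intersect
                findings.append(f"overlap [{start},{end}) vs [{s},{e})")
                if end <= e:               # the classic teardrop trigger
                    findings.append("new fragment ends inside earlier one (teardrop pattern)")
        self.seen[key].append((start, end))
        return findings


def inspect(pkt, tracker):
    """Return a list of alert strings for one raw IPv4 packet."""
    p = parse_ipv4(pkt)
    alerts = []
    if p["src"] == p["dst"]:
        msg = "land: src and dst IP identical"
        # TCP (6) and UDP (17) both start with source and destination port
        if p["proto"] in (6, 17) and p["offset"] == 0 and len(p["payload"]) >= 4:
            sport, dport = struct.unpack("!HH", p["payload"][:4])
            if sport == dport:
                msg += f" and port {sport} identical"
        alerts.append(msg)
    alerts.extend("teardrop: " + f for f in tracker.check(p))
    return alerts


# Constructed packets. The Teardrop pair follows slides 10 and 11: fragment 1
# is 48 bytes (UDP header claiming length 48, plus 20 data bytes) at offset 0
# with MF set; fragment 2 is 24 bytes at offset 3*8 = 24 with MF clear.
UDP_HDR_1 = struct.pack("!HHHH", 53, 53, 48, 0)
TEARDROP_1 = build_ipv4("10.0.0.1", "10.0.0.2", 242, True, 0, 17, UDP_HDR_1 + b"A" * 20)
TEARDROP_2 = build_ipv4("10.0.0.1", "10.0.0.2", 242, False, 3, 17, b"B" * 4)
# Land: a TCP SYN whose source and destination address and port are identical.
TCP_HDR = struct.pack("!HHIIBBHHH", 139, 139, 0, 0, 0x50, 0x02, 8192, 0, 0)
LAND = build_ipv4("10.0.0.2", "10.0.0.2", 1, False, 0, 6, TCP_HDR)

if __name__ == "__main__":
    tracker = FragmentTracker()
    for name, pkt in [("teardrop-1", TEARDROP_1), ("teardrop-2", TEARDROP_2), ("land", LAND)]:
        print(name, inspect(pkt, tracker))
```

The tracker only reports what it sees; a real sensor would also expire datagram state after a reassembly timeout and cap the number of fragments it remembers per key, otherwise fragment floods turn the detector itself into a memory-exhaustion target.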

Page 13: Nimda worm (2001)

● Scan phase

  ● Determine whether a web server is an unpatched MS IIS box

  ● Is it vulnerable to the Unicode-related directory traversal exploit?

● Attack phase

  ● Exploit the traversal to execute commands (cmd.exe) on the server

Page 14: Nimda worm cont'd

● An IDS can detect the scan phase of a Nimda attack

● "%c0%af../winnt/..." is contained in the URL

  ● %c0%af is an (overlong) UTF-8 encoding of the slash character

● Most web servers check for "/.." sequences that would change directory above the web root; the encoded slash slipped past that check in IIS

● Success of this attempt to change to the root directory indicates an unpatched IIS

Page 15: Nimda worm cont'd

● IDS rule: match /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir

  ● A specific text search for %c0%af

  ● The attack may change and this rule would not catch it

● Better approach

  ● Convert %c0%af to "/" and then check the validity of the resulting URL

  ● More robust
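Two Snort rules for the request on this page, added here as an example and not taken from the slides. The first is the literal text search the slide describes; the second is the "better approach", relying on Snort's http_inspect preprocessor to decode the URI (including the IIS Unicode form) and collapse the traversal before the `http_uri` match. $EXTERNAL_NET, $HOME_NET and $HTTP_PORTS are the standard snort.conf variables; the sid values are arbitrary numbers in the range reserved for local rules, and the second rule assumes http_inspect is enabled with its default IIS Unicode and directory normalization.

```snort
# Literal signature: the exact encoded string from the slide. Any other
# encoding or path ("attack may change") slips past it.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS unicode traversal %c0%af (literal)"; flow:to_server,established; content:"%c0%af../"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)

# Normalized signature: http_uri matches the URI after http_inspect has
# decoded escapes and resolved "..", so the plain, %c0%af and cmd.%65xe
# forms all reduce to the same path before the content test runs.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS cmd.exe in normalized URI"; flow:to_server,established; content:"/system32/cmd.exe"; nocase; http_uri; classtype:web-application-attack; sid:1000002; rev:1;)
```

A substring `content` match is still a text search, only on a cleaner buffer: it would fire on a path such as /system32/cmd.exe-analysis.html as well, which is the false positive the deck raises under evasion techniques.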

Page 16: False +/-

● False positives

  ● Classifying benign activity as malicious

  ● Get a lot of attention, since people see the alerts

  ● Annoying; usually the rule gets shut off entirely

● False negatives

  ● Missing a malicious activity

  ● Not seen, and so ignored

  ● Dangerous

● These are the risks in classification

Page 17: IDS Evasion Techniques

● The attacker is patient

● The attacker is clever

● The attacker has nothing else to do

● Examples

  ● cmd.exe in the URL is often bad

  ● However, cmd.exe-analysis.html may be OK

  ● cmd.%65xe decodes to the same thing (%65 is "e")

● Text searches are not always good or effective
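The normalize-then-check approach of page 15 against the evasion cases on this page, as an added example that is not part of the slides: the request path is percent-decoded, the overlong UTF-8 slash (%c0%af) is accepted the way unpatched IIS accepted it, and ".." is resolved, so the rule inspects the path the server would actually act on. Python's own UTF-8 decoder rejects overlong sequences, hence the small custom decoder. The example goes slightly beyond the slides by also handling %2e%2e and backslash separators; all request strings are constructed for illustration.

```python
"""Normalize a request path before matching, instead of text-searching the raw URL.

Added example, not from the slides. Shows the raw text search the deck
warns about next to a match on the decoded, canonicalized path.
"""
import string


def percent_decode(s):
    """Decode %XX escapes into bytes; malformed escapes are kept literally."""
    out = bytearray()
    i = 0
    while i < len(s):
        hexpair = s[i + 1:i + 3]
        if s[i] == "%" and len(hexpair) == 2 and all(h in string.hexdigits for h in hexpair):
            out.append(int(hexpair, 16))
            i += 3
        else:
            out.extend(s[i].encode("utf-8"))
            i += 1
    return bytes(out)


def lenient_utf8(b):
    """UTF-8 decode that also accepts 2-byte overlong sequences (0xC0/0xC1 leads).

    Standard decoders reject them; IIS did not, which is how %c0%af became '/'.
    """
    out = []
    i = 0
    while i < len(b):
        c = b[i]
        if c < 0x80:
            out.append(chr(c))
            i += 1
        elif c in (0xC0, 0xC1) and i + 1 < len(b) and 0x80 <= b[i + 1] < 0xC0:
            out.append(chr(((c & 0x1F) << 6) | (b[i + 1] & 0x3F)))   # overlong form
            i += 2
        else:
            n = 2 if c >> 5 == 0b110 else 3 if c >> 4 == 0b1110 else 4 if c >> 3 == 0b11110 else 1
            out.append(b[i:i + n].decode("utf-8", errors="replace"))
            i += n
    return "".join(out)


def canonical_segments(path):
    """Resolve '.', '..', backslashes and empty segments.

    Returns (segments, escaped); escaped is True if '..' climbed above the root.
    """
    stack, escaped = [], False
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
        else:
            stack.append(seg)
    return stack, escaped


def normalize_url_path(url):
    """Drop the query string, decode escapes, resolve traversal."""
    path = url.split("?", 1)[0]
    return canonical_segments(lenient_utf8(percent_decode(path)))


def naive_match(url):
    """The text search the slides warn about."""
    return "cmd.exe" in url.lower()


def normalized_match(url):
    """Alert if the path escapes the web root or names cmd.exe as a path component."""
    segments, escaped = normalize_url_path(url)
    return escaped or any(s.lower() == "cmd.exe" for s in segments)


# Constructed requests: (naive verdict, normalized verdict)
CASES = {
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir": (True, True),     # page 15 rule
    "/scripts/..%c0%af../winnt/system32/cmd.%65xe?/c+dir": (False, True),   # page 17 evasion
    "/docs/cmd.exe-analysis.html": (True, False),                           # page 17 false positive
    "/scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe": (True, True),          # beyond the slides
    "/index.html": (False, False),
}

if __name__ == "__main__":
    for url in CASES:
        print(f"{url:55} naive={naive_match(url)!s:5} normalized={normalized_match(url)}")
```

The decisive design choice is that the detector decodes the way the target decodes: an IDS that normalizes more strictly than IIS (rejecting the overlong slash) sees a harmless string where the server sees a traversal, which is a false negative of exactly the kind this page describes.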

Page 18: IDS Software

● Popular systems

  ● Snort (open source)

  ● Cisco recommends using Snort

  ● ISS RealSecure

  ● NFR Security NID

● Centralize all IDS logs

  ● Easier analysis

  ● Alerts: logs, e-mails, pagers, etc.

Page 19: Distributed IDS

● IDS logs submitted to a third party for collective analysis

● Attack Registry & Intelligence Service (ARIS): http://aris.securityfocus.com

● DShield: http://www.dshield.org

Page 20: Outsourced IDS

● Counterpane

● Trusecure

● Deloitte & Touche