Advanced Security and Mobile Networks Napier University Friday 22nd April 2005

Coursework

Automated Threat Detection and Reconfiguration

Course: CO42034

Report written by:

Mr Thomas DE LAZZARI [email protected]


Table of Content
  Table of Content
  Table of Illustrations
  Introduction
  Investigation
    A - Intrusion Detection System
      1) Components of Snort
      2) Types of IDS
      3) Snort particularities
    B - Possible threats
      1) Specific port
      2) Spam
      3) Ping
      4) Port sweep
      5) Denial of Service
      6) Distributed Denial of Service
      7) Worm
    C - Cisco firewall
  Design Description
    A - System global operation
    B - Incoming connection on port 1234
    B - Incoming email with the word "Spam"
    C - Incoming ping
    C - Port sweep
    D - A possible Denial of Service
    D - Distributed Denial of Service
    E - Worm
  Implementation
  Conclusion
  References

Table of Illustrations
  Figure 1: Snort console
  Figure 2: Spam detection with Snort
  Figure 3: TCP connection
  Figure 4: Components of a DDoS attack
  Figure 5: Information flow of the system
  Figure 6: Snort dataflow
  Figure 7: Result of a ping logging
  Figure 8: NetCop Port Scanner

Thomas DE LAZZARI - 03009323

Introduction
The focus of this coursework is to produce a set of rules for an intrusion detection system (IDS) that monitors a network and finds malicious activity. The possible threats are part of the system specification. The main objective is to detect them and reprogram the firewall with the rules required to counter each threat. The system is implemented with the Snort IDS, a tool that monitors the traffic on a network interface. Snort's alerts are passed to the Cisco firewall through a reconfiguration agent, and the firewall is reprogrammed to block or reduce the identified threat: extended access lists are added through the Cisco configuration console over telnet (or an emulator if no device is available). This paper is a rationale of the choices made in refining the firewall configuration rules (ACLs) and the IDS rules. It contains a specification analysis for each agent, a description of the procedures followed during the various phases of implementation, and a discussion of the issues encountered.

Requirements
1. Detect an incoming connection to a specific host on the network on port 1234, and reprogram the firewall to block the originating address from accessing the host.
2. Detect an incoming email with the word "Spam" in the subject field, and log it to a log file.
3. Detect an incoming ping on the network, and reprogram the firewall to block the originating address from pinging the host.
4. Detect an incoming port sweep, and block the originating address from accessing anything on the network.
5. Detect a possible denial of service (DoS) on a WWW server, and reprogram the firewall to reduce the threat.
6. Detect a possible distributed DoS on a WWW server, and reprogram the firewall to reduce the threat.
7. Detect the spread of a known worm, of which the organisation only knows the source code.
The objective is to design the IDS rules and firewall ACLs for the 7 requirements listed above.


Investigation
This part is a requirements analysis of the system to be implemented. It defines the main background areas required for the report, identifies the major limits for the system design, and underlines issues that may be encountered during the implementation process.

A - Intrusion Detection System
An intrusion detection system, or IDS, is a software tool used to detect unauthorised access to a computer system or network. The access may take the form of attacks by skilled malicious hackers, or by script kiddies using automated tools (Wikipedia, 2005). The software monitors network traffic and computer usage, searching for malicious activity. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorised logins and access to sensitive files, and malware (viruses, trojan horses and worms). A network-based IDS obviously cannot inspect the payload of encrypted packets.

1) Components of Snort
The main components of Snort are:
  - A sensor: generates security events.
  - A console: controls the sensor, and monitors alerts and events.
  - A central engine: records the events logged by the sensors. Snort can log the alerts raised by security events to MySQL and Oracle databases.

Figure 1: Snort console


2) Types of IDS
An IDS is characterised by the location and the type of its sensor. The engine behaviour and the way it alerts and logs an event are also key settings to consider (Price, 2001).
  - The first type is the network intrusion detection system (NIDS), such as Snort (see below). The sensor can be placed within the network to monitor all the traffic of a company, for example (network IDS), or directly on strategic servers (host IDS).
  - Secondary types of IDS behave as a log file monitor, a system integrity verifier, or a user profiling agent that monitors the behaviour of a user. A host running an IDS can also be configured as a honeypot, with an unpatched operating system, to attract the attacker and record the intrusion method.

3) Snort particularities
Snort holds an inherent advantage over closed-source IDSs: it can be tailored and customised for each individual deployment to a degree not possible with closed-source competitors, which are for the most part rigid and uncustomisable (Koziol, 2003). Snort provides a rule language in which users write their own attack signatures (called rules), including rules that detect advanced attacks such as denial of service (DoS). Rule options such as thresholds filter out a massive flood of irrelevant alerts without discarding a potential attack that could damage the system. Snort combines three services: NIDS, packet logger and sniffer. On Windows it also requires WinPcap, a free packet capture library which is also used by the sniffer Ethereal.

B - Possible threats
According to Jen Luo, intrusions can be categorised as misuse intrusions and anomaly intrusions:
  - Misuse detection model: the IDS detects intrusions by looking for activity that corresponds to known intrusion techniques (signatures) or system vulnerabilities.
  - Anomaly detection model: the IDS detects intrusions by looking for activity that differs from a user's or system's normal behaviour.

For example, detecting an incoming ping on the network is not significant in itself, but it becomes useful in the case of a ping-flooding denial of service attack. Likewise, if no HTTP server runs on the segment where the IDS is sniffing, an HTTP flow indicates something suspicious.


For each security event specified in the introduction, an analysis is carried out to underline possible problems that might be encountered during the implementation process.

1) Specific port
One objective of this coursework is to detect an incoming connection to a specific host on the network on port 1234. According to the list recently edited by the Internet Assigned Numbers Authority (IANA, 2005), UDP and TCP port 1234 is assigned to a program called "Infoseek Search Agent". But it is also used by two recognised trojans: "Ultors" and "SubSeven Java client" (SiteRecon, n.d.). Trojans are malicious code hiding behind a legitimate program, waiting for a certain time or for a certain program to be run before releasing themselves and taking control of the machine's resources. This kind of attack is generally easy to detect and block because the network connection is made on a specific port, at least as long as the trojan keeps its default port.

2) Spam
Spam is unsolicited, unwanted, irrelevant or inappropriate messages, especially commercial advertising sent by email in mass quantities. It is time and resource consuming. One way to handle it is to have a preprocessor that rewrites the subject field of an email identified as junk by adding the word "Spam". SpamAssassin is a piece of software able to do this. Snort can then log all the emails whose subject contains "Spam". Reading the Snort manual, two problems can be identified:
  - The word "Spam" can appear anywhere in the subject field, not only at the beginning. To catch it anywhere in the field, Snort integrates the PCRE library (available at http://www.pcre.org), which provides regular expression matching.
  - An email can span many TCP packets. To log the entire email instead of only the packet containing the word "Spam", a Snort option can be used: the tag keyword allows Snort rules to log more than the single packet that triggered the rule.

Another problem is that the mail system can have two possible configurations:
  - Supposing the network has its own SMTP server and manages its own domain name. When sending an email, the user's client connects to an SMTP server on the standard port 25. The mail is then transferred to the receiver's server using the SMTP protocol (Postel, 1982). All the SMTP "hops" (see the output below) can be viewed in the mail's header.


Here is an example of the header of a mail sent from smtp4.francetelecom.fr to smtp.lanorion.net, registered at sivit.org (recipient addresses are omitted from the output). Each relay prepends its own Received line, so the header reads bottom-up: the originating host appears last.

Received: from localhost (localhost [127.0.0.1]) by maileuz.sivit.org (Postfix) with ESMTP id 1010040F5 for ; Mon, 18 Apr 2005 12:10:40 +0200 (CEST)
Received: from maileuz.sivit.org ([127.0.0.1]) by localhost (maileuz.sivit.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08263-28 for ; Mon, 18 Apr 2005 12:10:31 +0200 (CEST)
Received: from relais-inet.francetelecom.com (relais-inet.francetelecom.com [212.234.67.6]) by maileuz.sivit.org (Postfix) with ESMTP id 619C94104 for ; Mon, 18 Apr 2005 12:10:31 +0200 (CEST)
Received: from prive-Rline1.com ([192.168.1.12] [192.168.1.12]) by Rline1.francetelecom.com with ESMTP for [email protected]; Mon, 18 Apr 2005 10:26:08 +0200
Received: from smtp4.smtpft.francetelecom.fr ([193.249.141.170] [193.249.141.170]) by Rline1.francetelecom.com with ESMTP for [email protected]; Mon, 18 Apr 2005 10:26:08 +0200
Received: from FTIVC67GE2WBRX ([10.154.31.125]) by smtp4.smtpft.francetelecom.fr (Netscape Messaging Server 4.15) with SMTP id IF4VFK01.RDK for ; Mon, 18 Apr 2005 10:26:08 +0200



  - Supposing the IDS is inside the network, between a POP3 (or IMAP) server and the host receiving the mail. The Post Office Protocol version 3 uses TCP port 110; IMAP, the Internet Message Access Protocol, uses TCP port 143. Figure 2 shows the components of this set-up: the mail is transferred from the server to the client on port 110, and Snort, sniffing in between, logs any email with the word "Spam" in the subject field.

Figure 2: Spam detection with Snort (POP3 mail server - IDS Snort - mail client Thunderbird)

3) Ping
Ping is a utility that sends packets to check the quality of a link or to verify that a machine is reachable. It is useful to every network administrator. By default the ping program sends one 64-byte datagram per second. However, it can be used maliciously as a kind of denial of service (DoS) attack. A ping flood emits ICMP echo requests at the highest possible rate, possibly with oversized packets (ping of death). Processing such an amount of ICMP requests and replies can cause an extreme CPU load, and the bandwidth can also collapse (Veit, 1998). One way to contain this problem is a firewall rule limiting ping requests to one per second, for example. Here, the IDS detects an incoming ping and a firewall rule blocking the originating address is activated.


4) Port sweep
A port sweep is a transport layer attack involving a TCP port scan: one host searches for multiple TCP services on a single host. Strictly speaking, a port scan probes many ports on one host while a port sweep probes the same port across many hosts; both are detected by the same mechanism in this report. There are many kinds of port sweep; the common one sends SYNs to ports below 1024 (Ronnau, 1999). For each TCP connection, client and server exchange SYN and acknowledgements (see Figure 3).

Figure 3: TCP connection (three-way handshake)
  Client -> Server: SYN, seq = C
  Server -> Client: SYN ACK, ack = C+1, seq = S
  Client -> Server: ACK, ack = S+1, seq = C+1

However there is a weakness. When the server answers with a SYN ACK, it allocates resources for the half-open connection. Repeated rapidly, this process can easily saturate the server's memory, even if the server times out half-open connections when the client does not respond. A port sweep made of SYN packets can thus lead to a TCP/SYN flooding attack. The originating address has to be blocked rapidly, so the port scan must be detected by Snort and a firewall rule must be activated to ban the source IP address (Pillou, 2005).

5) Denial of Service
One goal of this coursework is to implement a solution that detects, via Snort, a possible denial of service (DoS) on a WWW server and reprograms the firewall to reduce the threat. Both ping flooding and TCP/SYN flooding, mentioned above, are considered denial of service attacks. DoS should not be confused with other attacks such as viruses, trojan horses, and cracking or hacking. According to Lo (2005), there are two types of DoS attacks:
  - Operating system attacks, which target bugs in a specific OS and can be fixed with patches.
  - Networking attacks, which exploit limitations of networking protocols and may require firewall protection.


Networking attacks are the subject of this coursework because a firewall rule has to be set to counter the attack. There are many kinds of network attacks, and a dos.rules file that can be retrieved from the Snort CVS contains many signatures to detect them. Here is an example of a Snort rule detecting the Teardrop attack (Roesch et al, 2004):

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; fragbits:M; id:242; \
    reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; \
    reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:270; rev:6;)

6) Distributed Denial of Service
Distributed denial of service (DDoS) attacks are more complex and difficult to identify, especially if the target is a WWW server. To understand the basics of DDoS, refer to Figure 4 and the following comments.

Figure 4: Components of a DDoS attack

The client here is the person responsible for the attack. A handler is a compromised host running a control program; each handler can take control of many agents. Attackers have been known to use the following four programs to launch DDoS attacks: Trinoo, TFN, TFN2K and Stacheldraht. The agents then send an astronomical number of TCP SYNs to a WWW server, for example. If the firewall filtering the network traffic in front of the WWW server is not able to identify the DDoS and reduce the threat, the WWW server will be down within seconds, because it opens a connection for each agent's request and saturates its memory (Cisco Systems, 2003). Also, if the SYNs are choking the bandwidth, it is impossible to differentiate between spoofed and real SYNs, as there is no bandwidth left to send back SYN cookies or perform SYN proxying in order to verify that the source addresses are real.


7) Worm
A worm is a self-replicating program that spreads from one computer to the next over a network. Once it enters a network it is very difficult to stop, and it can lead to many system failures and reduce the overall performance of the network. Worms take advantage of automatic file sending and receiving features found on many operating systems.

C – Cisco firewall
Once the IDS has detected a possible threat, the firewall may be reprogrammed. The Cisco firewall rules are contained in ACLs (using the access-list and access-group commands), and block or permit traffic. The rules specified in the next part of this report are thus extended access-lists.

The design of a reconfiguration agent which could make the link between Snort and the Firewall is not required.


Design Description
Now that the main background areas of this coursework have been defined, this part of the study covers the elaboration of the Snort rules and the Cisco firewall access-lists, according to the requirements specified in the introduction.
- Snort rules are stored in a .rules file, one line per rule.
- Firewall access-lists are entered in real time on the Cisco device via a telnet console.

A – System global operation
Figure 5 describes how the network infrastructure is designed to manage automated threat detection and reconfiguration.

Figure 5: Information flow of the system (the attack from 83.146.32.119 arrives on the firewall interface Serial0/0 in front of the network 146.176.10.0/24; the IDS Snort raises an alert and logs it; the reconfiguration agent turns the alert into new access-lists pushed to the firewall)

The first component of the network is the IDS; it acts as a sniffer and logs packets according to the alert rules. The administrator, or an automatic reconfiguration agent, wakes up when there is an alert and generates a firewall access-list to block or reduce the incoming attack. For each requirement of the coursework, the Snort rules are given first, followed by the firewall access-lists. Note that only one access-list can be applied per interface and direction on the firewall, so in a real deployment the deny lines of the following sections would be added to a single list, ahead of its final permit statement. In order to clarify the answers:
  - the network address is 146.176.10.0
  - the subnet mask is 255.255.255.0
  - the attacker address is 83.146.32.119 (except for a DDoS)

The basic format of a Snort rule header is:

ACTION PROTOCOL ADDRESS PORT DIRECTION ADDRESS PORT

B – Incoming connection on port 1234
Snort rule to detect an incoming connection on port 1234 to a specific host on the network, 146.176.10.3 for example:

alert tcp any any -> 146.176.10.3 1234 (msg:"Incoming connection on port 1234!";)

Without a flags:S option this rule fires on every packet of the connection, not only on the SYN that opens it. If the originating address of this incoming connection is 83.146.32.119, the firewall rule to block it is:

access-list 100 deny ip 83.146.32.119 0.0.0.0 146.176.10.3 0.0.0.0
access-list 100 permit ip any any

The source address 83.146.32.119 (the attacker) will not be able to reach the destination 146.176.10.3. The wildcard mask 0.0.0.0 tells the firewall to match all of the bits of the address (the keyword host 83.146.32.119 is equivalent to 83.146.32.119 0.0.0.0). The final permit line is required because every IOS access-list ends with an implicit deny: without it, applying the list would block all traffic entering the interface, not just the attacker. To apply the access-list to the incoming interface, the commands are:

interface Serial0/0
 ip access-group 100 in

As the requirement is to deny the originating address from accessing the host, port 1234 is not specified in the access-list and the protocol is ip, because all types of communication must be denied. If only the communication via port 1234 is to be denied, the deny line becomes:

access-list 100 deny tcp 83.146.32.119 0.0.0.0 146.176.10.3 0.0.0.0 eq 1234
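As an added example (not part of the original coursework), the following Python script evaluates packets against IOS-style extended access-list lines with the router's first-match semantics, wildcard masks and the implicit deny that closes every list. The addresses are the ones used in this section; the packets, the client address 10.20.30.40 and the deny line (written with ip so that every protocol from the attacker is covered) are constructed for the demonstration.

```python
import ipaddress

# Added example, not part of the original coursework: a small evaluator for the
# subset of Cisco IOS numbered extended access-lists used in this report.  It
# reproduces the router's first-match semantics, the wildcard mask and the
# implicit "deny ip any any" that terminates every IOS access-list.

NAMED_PORTS = {"www": 80, "http": 80, "smtp": 25, "telnet": 23, "ftp": 21}


def wildcard_match(addr, spec, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(spec))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (s | w)


def parse_acl_line(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]' where an address is
    'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.  Only the destination port is handled;
    trailing keywords such as 'echo' are ignored."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError("unsupported access-list line: " + line)
    action, proto = tok[2], tok[3]
    pos = 4

    def read_address():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ("any", None)
        if tok[pos] == "host":
            pos += 2
            return (tok[pos - 1], "0.0.0.0")
        pos += 2
        return (tok[pos - 2], tok[pos - 1])

    src = read_address()
    dst = read_address()
    dport = None
    if pos + 1 < len(tok) and tok[pos] == "eq":
        dport = NAMED_PORTS.get(tok[pos + 1]) or int(tok[pos + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, pkt):
    """Return 'permit' or 'deny' for pkt (dict with proto, src, dst, optional dport).
    The first matching entry wins; a packet matching no entry hits the implicit deny."""
    for entry in map(parse_acl_line, acl_lines):
        if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *entry["src"]):
            continue
        if not wildcard_match(pkt["dst"], *entry["dst"]):
            continue
        if entry["dport"] is not None and entry["dport"] != pkt.get("dport"):
            continue
        return entry["action"]
    return "deny"  # implicit deny at the end of every IOS access-list


ATTACKER, HOST = "83.146.32.119", "146.176.10.3"

# Constructed packets for the demonstration (not captured traffic).
ATTACKER_PKT = {"proto": "tcp", "src": ATTACKER, "dst": HOST, "dport": 1234}
CLIENT_PKT = {"proto": "tcp", "src": "10.20.30.40", "dst": HOST, "dport": 80}

# The deny line of this section, first alone, then with the closing permit.
ACL_DENY_ONLY = ["access-list 100 deny ip 83.146.32.119 0.0.0.0 146.176.10.3 0.0.0.0"]
ACL_WITH_PERMIT = ACL_DENY_ONLY + ["access-list 100 permit ip any any"]


def demo():
    """Show that the deny-only list also drops the legitimate client."""
    return {
        "attacker / deny-only": evaluate(ACL_DENY_ONLY, ATTACKER_PKT),
        "client / deny-only": evaluate(ACL_DENY_ONLY, CLIENT_PKT),
        "attacker / with permit": evaluate(ACL_WITH_PERMIT, ATTACKER_PKT),
        "client / with permit": evaluate(ACL_WITH_PERMIT, CLIENT_PKT),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} -> {verdict}")
```

The same evaluator shows why the protocol keyword matters for the later sections: a line written with tcp lets the attacker's ICMP through, while ip covers everything, and a 0.0.0.255 wildcard on 146.176.10.0 covers every host of the /24.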

B – Incoming email with the word "Spam"

alert tcp any any -> $SMTP_SERVER 25 (content:"spam"; nocase; pcre:"/^Subject:.*spam/im"; msg:"Spam logged!";)

$SMTP_SERVER is a Snort variable that must be defined at the top of the rules file (var SMTP_SERVER followed by the IP address of the local SMTP server). The source port is any: the client delivering the mail connects from an ephemeral port, only the destination port is 25. The rule has a content option looking for "spam", with nocase so that capitalisation does not matter; this is the longest, most unique string in the attack, and it lets Snort's set-wise pattern matching engine reject most packets quickly before the regular expression is evaluated. The pcre option then checks, ignoring case (i) and anchoring at the start of any line (m), that the word appears on the Subject: header line, wherever it is within the subject. Supposing the mail is 10 packets long, to log the entire spam the tag option has to be added to the above rule:

tag:session,10,packets;
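The decision logic of this rule, as an added Python example that is not part of the original coursework: a cheap case-insensitive substring search for "spam" (the content option) runs before the regular expression (the pcre option), which is anchored here to the Subject: header line. The SMTP session, the addresses in it and the split point are constructed for the example. It also shows two ways the rule misses a spam when it sees packets rather than the whole session: a folded Subject header, and a header that straddles a TCP segment boundary.

```python
import re

# Added example, not part of the original coursework: the decision logic of the
# spam-logging rule applied to one SMTP session, plus two failure modes of
# packet-by-packet matching (folded headers, headers split across segments).

# The session below is constructed for the example; it is the client side of an
# SMTP delivery as Snort would see it on port 25.
CLIENT_TO_SERVER = (
    b"EHLO sender.example.net\r\n"
    b"MAIL FROM:<ads@example.net>\r\n"
    b"RCPT TO:<user@example.org>\r\n"
    b"DATA\r\n"
    b"From: ads@example.net\r\n"
    b"To: user@example.org\r\n"
    b"Subject: Spam: cheap watches\r\n"
    b"\r\n"
    b"Buy now.\r\n"
    b".\r\n"
)

CONTENT_NEEDLE = b"spam"  # content:"spam"; nocase;
# pcre:"/^Subject:.*spam/im": i = ignore case, m = '^' anchors at any line start,
# '.' does not cross a newline, so only the Subject line itself is inspected.
SUBJECT_RE = re.compile(rb"^subject:.*spam", re.IGNORECASE | re.MULTILINE)


def unfold_headers(stream):
    """RFC 5322 folding: a line starting with SP or HT continues the previous header."""
    return re.sub(rb"\r\n[ \t]+", b" ", stream)


def rule_matches(stream, unfold=False):
    """True when the stream would trigger the rule.  Snort matches what it is given
    and does not unfold headers; unfold=True shows what a full mail parser would do."""
    if CONTENT_NEEDLE not in stream.lower():  # fast-pattern check first
        return False
    if unfold:
        stream = unfold_headers(stream)
    return SUBJECT_RE.search(stream) is not None


def matches_per_packet(stream, boundary):
    """Split the stream into two TCP segments at `boundary` and apply the rule to each,
    as Snort does without stream reassembly: a header straddling the cut is missed."""
    segments = (stream[:boundary], stream[boundary:])
    return any(rule_matches(seg) for seg in segments)


def demo():
    middle = CLIENT_TO_SERVER.replace(b"Subject: Spam: cheap watches", b"Subject: Re: is this spam?")
    clean = CLIENT_TO_SERVER.replace(b"Subject: Spam: cheap watches", b"Subject: Meeting notes")
    folded = CLIENT_TO_SERVER.replace(
        b"Subject: Spam: cheap watches\r\n", b"Subject: Your account\r\n\t*** SPAM ***\r\n")
    cut = CLIENT_TO_SERVER.find(b"Subject: Sp") + len(b"Subject: Sp")
    return {
        "word at start of subject": rule_matches(CLIENT_TO_SERVER),
        "word in middle of subject": rule_matches(middle),
        "clean subject": rule_matches(clean),
        "folded subject, per line": rule_matches(folded),
        "folded subject, unfolded": rule_matches(folded, unfold=True),
        "subject split across segments": matches_per_packet(CLIENT_TO_SERVER, cut),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:32s} -> {'ALERT' if hit else 'no alert'}")
```

The last two cases are the reason the tag option alone is not enough: the rule must first fire, and that depends on the Subject header arriving whole in one segment (or on Snort's stream reassembly preprocessor feeding it reassembled data).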


C – Incoming ping
A ping is sent through the network in order to know which packets are generated. They are sniffed using tcpdump:

[root@localhost etc]# tcpdump icmp -vv -X
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:27:41.472192 IP (tos 0x0, ttl 128, id 12102, offset 0, flags [none], length: 60) windows > 192.168.0.101: icmp 40: echo request seq 24300
0x0000 4500 003c 2f46 0000 8001 895e c0a8 0064 E..

The 32-byte payload of a Windows echo request is the fixed string abcdefghijklmnopqrstuvwabcdefghi, so a first rule can match on its beginning:

alert icmp any any -> any any (msg:"Ping detected!"; content:"abcdefghijklmnop"; depth:16;)

This content match only catches the Windows ping utility: the Linux ping fills its payload with a timestamp followed by incrementing bytes, and any tool can choose its own payload. The itype keyword checks a specific ICMP type value instead. An echo request is type 8, so the following rule is more general and is the one kept:

alert icmp any any -> any any (itype:8; msg:"Ping detected!";)

The firewall has to be reconfigured to block the originating address from pinging the host:

access-list 101 deny icmp host 83.146.32.119 any echo
access-list 101 permit ip any any

C – Port sweep
Port scans can be detected with the Snort preprocessor "portscan" (by Patrick Mullen). The format of the directive is specified in the manual:

preprocessor portscan: <monitored network> <number of ports> <detection period> <log file>

  - Number of ports accessed in the detection period: 5
  - Detection period, in seconds, during which the port accesses are counted: 7

preprocessor portscan: 146.176.10.0/24 5 7 log/portscan

The preprocessor raises an alert when one source touches five or more ports of the monitored network within seven seconds; a slower scan, spread over a longer period, stays under the threshold. The firewall rule to block the attacker from accessing the entire network is as follows (ip rather than tcp, so that every protocol from the attacker is denied, as the requirement states):

access-list 102 deny ip 83.146.32.119 0.0.0.0 146.176.10.0 0.0.0.255
access-list 102 permit ip any any
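The counting logic behind such a preprocessor, with the parameters chosen here (5 ports within 7 seconds), as an added Python example that is not part of the original coursework or of Snort. The connection records are constructed for the example. It goes slightly beyond the Snort directive above in that it counts distinct (host, port) targets per source, so it reports both a port scan (many ports on one host) and a port sweep (one port on many hosts), and it shows that a slow scan stays under the threshold.

```python
from collections import defaultdict, deque

# Added example, not part of the original coursework: the counting logic behind a
# portscan preprocessor (5 distinct targets within 7 seconds), run over constructed
# connection records.  A target is a (destination host, port) pair, so a vertical
# scan and a horizontal sweep are both reported.

# Constructed records, one SYN each: "HH:MM:SS source destination dport".
SAMPLE_LOG = """\
12:00:00 83.146.32.119 146.176.10.3 21
12:00:00 83.146.32.119 146.176.10.3 22
12:00:01 83.146.32.119 146.176.10.3 23
12:00:01 10.1.1.1 146.176.10.3 80
12:00:01 83.146.32.119 146.176.10.3 25
12:00:02 83.146.32.119 146.176.10.3 80
12:00:02 10.1.1.1 146.176.10.3 443
12:00:03 10.9.9.9 146.176.10.10 445
12:00:03 10.9.9.9 146.176.10.11 445
12:00:03 10.9.9.9 146.176.10.12 445
12:00:04 10.9.9.9 146.176.10.13 445
12:00:04 10.9.9.9 146.176.10.14 445
12:01:00 10.7.7.7 146.176.10.3 21
12:01:10 10.7.7.7 146.176.10.3 22
12:01:20 10.7.7.7 146.176.10.3 23
12:01:30 10.7.7.7 146.176.10.3 25
12:01:40 10.7.7.7 146.176.10.3 80
"""


def parse_log(text):
    """Yield (seconds_since_midnight, src, dst, dport) for each record, in order."""
    for line in text.splitlines():
        if not line.strip():
            continue
        clock, src, dst, dport = line.split()
        h, m, s = (int(x) for x in clock.split(":"))
        yield h * 3600 + m * 60 + s, src, dst, int(dport)


def detect_scans(events, ports=5, seconds=7):
    """Alert once per source that reaches `ports` distinct (dst, dport) targets inside
    any window of `seconds`.  Returns [(time, src, sorted targets)]."""
    recent = defaultdict(deque)  # src -> deque of (time, (dst, dport)) inside the window
    alerted, alerts = set(), []
    for t, src, dst, dport in events:
        q = recent[src]
        q.append((t, (dst, dport)))
        while q and t - q[0][0] > seconds:  # drop records older than the detection period
            q.popleft()
        targets = {target for _, target in q}
        if len(targets) >= ports and src not in alerted:
            alerts.append((t, src, sorted(targets)))
            alerted.add(src)
    return alerts


def scanners(text=SAMPLE_LOG, ports=5, seconds=7):
    """Source addresses the firewall should block, in order of detection."""
    return [src for _, src, _ in detect_scans(parse_log(text), ports, seconds)]


if __name__ == "__main__":
    for t, src, targets in detect_scans(parse_log(SAMPLE_LOG)):
        print(f"t={t}s  {src} touched {len(targets)} targets: {targets}")
    print("block:", scanners())
```

With the 7-second period, 83.146.32.119 (five ports on one host) and 10.9.9.9 (port 445 on five hosts) are reported, while 10.7.7.7, which probes one port every ten seconds, is not; widening the period to 60 seconds catches it at the cost of more state per source.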


D – A possible Denial of Service
Ping flooding is a possible denial of service. Snort must detect repetitive pings on the WWW server from the same source address. Snort allows event thresholding: with type threshold, it alerts every m times the event occurs during the time interval. It is useful here to make the distinction between a ping flood and a normal ping. For example, a limit can be set at 100 pings per second, and an alert will be generated each time the server receives that many from one source:

threshold: type threshold, track by_src, count 100, seconds 1;

The itype option used above is also necessary here, so that only echo requests are counted (the keyword can also detect invalid ICMP type values, which are sometimes used in denial of service and flooding attacks):

itype:8;

If only the WWW server is to be protected from this kind of attack, its IP address has to be specified as the destination (ICMP has no ports, so port 80 does not apply here). The final rule to detect ping flooding is:

alert icmp any any -> $WWW_SERVER any (itype:8; threshold: type threshold, track by_src, count 100, seconds 1; msg:"Ping flooding detected!";)

Once this possible denial of service is identified, the firewall must be reconfigured to block the attacker from accessing the entire network:

access-list 103 deny icmp 83.146.32.119 0.0.0.0 146.176.10.0 0.0.0.255
access-list 103 permit ip any any

In order to prevent many other DoS attempts on the WWW server, firewall rules can also be set to allow only HTTP traffic (port 80) towards it:

access-list 110 permit tcp any host $WWW_SERVER eq www
access-list 110 deny ip any any

The closing deny line drops every other flow entering the interface, so this list only fits an interface that leads solely to the WWW server.

D – Distributed Denial of Service
With a distributed DoS it is impossible to identify each attacker and to distinguish a zombie agent from a normal client. In almost all cases the sources are spoofed, so setting up an upstream firewall rule to block these sources won't help. An example of DDoS is distributed SYN flooding (explained above in the port sweep chapter of the investigation). Snort creates a log file for each port-to-port connection of each host on the network. A key element in detecting different types of traffic is the analysis of the TCP flags (UAPRSF; the first and last positions of the eight-character string below are the two reserved bits). The S flag is the synchronize sequence numbers flag (SYN). An example rule to test for the SYN flag is:

alert tcp any any -> any any (flags:S;)

04/20-21:06:01.491134 192.168.0.2:2812 -> 194.146.224.98:21
TCP TTL:128 TOS:0x0 ID:62888 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51874200 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Above is the result logged in the file TCP_2812-21.ids during an FTP session: only packets with the SYN flag have been logged. The final rule to detect a SYN flood must contain a threshold that allows logging only once the server reaches a limit, for example 50 SYNs per second:

alert tcp any any -> $WWW_SERVER 80 (flags:S; threshold: type threshold, track by_dst, count 50, seconds 1; msg:"DDoS SYN flooding detected!";)

The threshold is tracked by destination IP (the WWW server) because in a DDoS the source IPs are too many to be tracked. The limit of 50 per second is only an example; it depends on the system's performance. Snort can act as a performance monitor with a preprocessor measuring real-time and theoretical maximum performance. This directive produces a stats.snort file containing Snort's statistics such as packets dropped, packets received and, precisely what is needed here, SYN packets per second:

preprocessor perfmonitor: time 30 events flow file stats.snort max console pktcnt 10000

Now that Snort has detected a possible DDoS, the firewall must reduce the threat. It can't block the DDoS, because there can be too many zombie agents and they are almost impossible to identify among the normal clients browsing the web server at the same time. However, a rate limit for SYN packets can be configured with committed access rate (CAR) on the interface where the attack enters:

interface Serial0/0
 rate-limit input access-group 105 Y 100000 100000 conform-action transmit exceed-action drop
 rate-limit input access-group 104 X 100000 100000 conform-action transmit exceed-action drop
access-list 104 permit tcp any host $WWW_SERVER eq www
access-list 105 permit tcp any host $WWW_SERVER eq www established

Where Y is the maximum link bandwidth and X a value between 50% and 30% of the SYN flood rate. If the burst rate is set greater than 30%, many legitimate SYNs may be dropped. Access-list 105 matches the packets of established connections (ACK or RST set) and gets the full link bandwidth Y; access-list 104 then only sees the remaining packets to the web server, essentially the new SYNs, which are limited to X. CAR policies are evaluated in the order listed and the first match with a transmit or drop action is final, so the established rule must come first. The policies are applied on input because the attack arrives on Serial0/0; output policies on that interface would only limit traffic leaving towards the Internet.
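Snort's event thresholding, as an added Python example that is not part of the original coursework or of Snort: the three modes (limit, threshold, both) are re-implemented so that the ping flood rule of section D (track by_src, count 100, seconds 1) and the SYN flood rule above (track by_dst, count 50, seconds 1) can be run over constructed event streams. The WWW server address 146.176.10.80, the normal host 10.1.1.1 and the spoofed sources in 198.51.100.0/24 are assumptions of the example.

```python
# Added example, not part of the original coursework: Snort's three event
# thresholding modes re-implemented and applied to the ping flood rule (track
# by_src) and the SYN flood rule (track by_dst) of this report.  Each event is
# (time in seconds, source IP, destination IP); the streams are constructed.

WWW_SERVER = "146.176.10.80"  # address assumed for the WWW server in this example
ATTACKER = "83.146.32.119"


def apply_threshold(events, track, kind, count, seconds):
    """Return the (time, key) pairs at which an alert is raised.

    limit      alert on the first `count` events per tracked key in each interval
    threshold  alert every `count` events per key in each interval
    both       alert once per key per interval, after `count` events have been seen
    The interval starts at the first event seen for the key and is restarted after
    `seconds`, as in Snort's sfthreshold."""
    state = {}  # key -> [interval_start, events_in_interval, alerted_in_interval]
    alerts = []
    for t, src, dst in events:
        key = src if track == "by_src" else dst
        st = state.setdefault(key, [t, 0, False])
        if t - st[0] >= seconds:  # interval expired: start a new one
            st[:] = [t, 0, False]
        st[1] += 1
        if kind == "limit" and st[1] <= count:
            alerts.append((t, key))
        elif kind == "threshold" and st[1] >= count:
            alerts.append((t, key))
            st[1] = 0
        elif kind == "both" and st[1] >= count and not st[2]:
            alerts.append((t, key))
            st[2] = True
    return alerts


def ping_events():
    """Constructed: a normal host pinging once a second for 10 s, then an attacker
    sending 300 echo requests per second for 2 s."""
    normal = [(float(s), "10.1.1.1", WWW_SERVER) for s in range(10)]
    flood = [(20.0 + i / 300.0, ATTACKER, WWW_SERVER) for i in range(600)]
    return sorted(normal + flood)


def syn_events():
    """Constructed: 200 distinct (spoofed) sources, one SYN each, all inside one second."""
    return [(40.0 + i / 200.0, "198.51.100.%d" % (i + 1), WWW_SERVER) for i in range(200)]


def demo():
    return {
        "ping flood, threshold by_src 100/1s": len(apply_threshold(ping_events(), "by_src", "threshold", 100, 1)),
        "ping flood, both by_src 100/1s": len(apply_threshold(ping_events(), "by_src", "both", 100, 1)),
        "syn flood, threshold by_src 50/1s": len(apply_threshold(syn_events(), "by_src", "threshold", 50, 1)),
        "syn flood, threshold by_dst 50/1s": len(apply_threshold(syn_events(), "by_dst", "threshold", 50, 1)),
    }


if __name__ == "__main__":
    for case, n in demo().items():
        print(f"{case:36s} -> {n} alert(s)")
```

The normal host never reaches the count and produces no alert in threshold or both mode. Tracking by_src sees nothing of the spoofed SYN flood, which is why the SYN rule tracks by_dst; and type both gives one alert per interval instead of one every 100 events, which is usually what a reconfiguration agent wants to consume.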

E – Worm
The worm connects on port 9999 and propagates through the network. There is a chance to catch it if Snort looks for a relevant part of its code as a hexadecimal byte string. The conversion of the ASCII string "Hello... I'm the Worm" to hexadecimal has been done with http://nickciske.com/tools/hex.php:

alert tcp any any -> any 9999 (msg:"Here is the worm!"; content:"|48 65 6c 6c 6f 2e 2e 2e 20 49 27 6d 20 74 68 65 20 57 6f 72 6d|";)

This byte string assumes the text is sent as single-byte ASCII with the ellipsis written as three periods; a .NET string transmitted as UTF-16 would carry a zero byte after every character and would not match. As the string is only printed on the local console, the content match may never fire, and the connection to port 9999 itself remains the reliable indicator.


Implementation
As the previous part was a rationale and a presentation of the choices made, the following covers the problems encountered during implementation and its actual results. All the Snort rules above can be copied into a test.rules file (see Figure 6) and loaded by Snort with the command:

snort -i 2 -c test.rules

The option -i selects the second interface. In order to list all the interfaces available on the system, if the computer has more than one network card, the user must type (Windows build):

snort -W

Figure 6: Snort dataflow (Snort rules file test.rules - Snort - event data log)

The test for the spam detection was made on POP3 port 110, because there was no SMTP server on the network and the IDS was placed on the host receiving the mail. However, there is a problem if an email contains the word "spam" in its subject but is relevant information. In fact, Snort alone is not sufficient and must be combined with another tool such as SpamAssassin, a good spam filter developed by the Apache Software Foundation (http://www.apache.org). Snort and a firewall can't do anything to prevent spam; in this coursework Snort carries out a logging process only.

Figure 7: Result of a ping logging


To test the ping logging rule specified in the design description (paragraph C), at least two machines are necessary:
  - The first one runs a ping (echo request) against the IP address of the second machine.
  - The second machine receives the echo requests and runs Snort.
Among the 179 TCP packets and 8 ICMP packets (see Figure 7 above), Snort has logged only 4 packets. This means that the rule did not log the other 4 ICMP packets, which are the echo replies from the host: only echo requests (itype:8) are relevant in this case. The first word of the rule is the action; alert generates an alert and logs the packet, which is why Figure 7 shows 4 logged packets for 4 alerts.

The NetCop portscanner (available at http://www.cotse.com/sw/Netcop20.zip) has been used in order to test the rules and ACLs against an incoming port sweep.

Figure 8: NetCop Port Scanner

As shown in Figure 8 above, a port scan has been performed on the host 192.168.0.254. Five ports are open: 21, 23, 25, 80, 110. A port scan is usually the first step of an attack on a server: once the attacker knows which services are running on the machine, he can try to abuse them. For example, he can connect to the SMTP server with telnet and hand-type an email. The command is:

> telnet 192.168.0.254 25


A ping flood is really easy to launch from Windows; the command is:

ping $WWW_SERVER -t -l 65500

-t sends pings until manually interrupted with CTRL+C; -l 65500 sets the payload size to 65500 bytes. Sending 65500 bytes per second to a 56k modem easily saturates the bandwidth, and the modem drops the connection within a few seconds.

On the other hand, another problem during implementation was checking the DDoS detection rule, because of the lack of tools to simulate this kind of attack. Also, this rule only checks for a SYN flood attack and reduces the threat thanks to the Cisco firewall. It does not prevent a time-synchronised attack: for example, 40 thousand zombie machines requesting at the same time (using a time synchronisation server, NTP for example) an image stored on the WWW server. For information, complete rules to detect well-known DDoS tools such as Stacheldraht can be retrieved from the Snort CVS at http://cvs.snort.org/viewcvs.cgi/snort/rules/ddos.rules

The OhDear! worm cannot really be detected other than by watching port 9999. The call System.Console.WriteLine("Hello… I'm the Worm"); runs locally, and only a small snippet of the source code has been released, so there is no way to know how the program propagates over the network. The only certain point, from the following .NET code, is that it opens a TCP socket on port 9999:
ProtocolType.Tcp
m_clientSocket.Connect(ipEnd);
See http://msdn.microsoft.com for more information on the .NET framework.


Conclusion
In conclusion, designing these rules and access-lists has been a thorough study of what an IDS is, how it works, and how a reconfiguration agent could reconfigure a firewall in response to a specific alert. All the specifications of the system can be tested with Snort and either a Cisco firewall or a PIX firewall emulator (http://network-emulators.com). Snort provides useful tools to detect and analyse network traffic. Being Open Source Software, it benefits from strong community support, and signatures for newly published attacks are written by Snort developers around the world. The research undertaken for this report shows how extensive the resources on this subject are. Now that the common Snort rules have been implemented to satisfy the requirements, the next improvement would be an automatic reconfiguration agent. This is an extremely hard task that may draw on other fields, such as artificial intelligence, to configure the system correctly in every situation. The Cisco PIX firewall does offer an ip audit command to detect intrusions; however, one may ask whether, in terms of security, it is preferable to have a single machine acting as both firewall and NIDS.


References
Wikipedia (last modified 2005, Apr 14). Definition of an Intrusion-detection system. Retrieved from http://en.wikipedia.org/wiki/Intrusion-detection_system
Price, K. (2001, Sep 22). Intrusion Detection Pages. Retrieved from http://www.cerias.purdue.edu/about/history/coast_resources/idcontent/
Koziol, J. (2003). Intrusion Detection with Snort. Sams, 1st edition.
timothy (2003, May 29). Handbook on the open source Intrusion (literature review). Retrieved from http://books.slashdot.org/books/03/05/29/1546209.shtml
Luo, J. (2001, Mar 26). Network Intrusion Detection, RealSecure from Information Security System. Retrieved from http://www.cas.mcmaster.ca/~wmfarmer/SE-4C03-01/papers/Luo-RealSecure.html
IANA, Internet Assigned Numbers Authority (last modified 2005, Apr 20). Port Numbers. Retrieved from http://www.iana.org/assignments/port-numbers
SiteRecon (n.d.). Ports used by Trojans. Retrieved from http://www.siterecon.com/Trojan-Port-List.aspx
Postel, J. B. (1982, Aug). RFC 821: Simple Mail Transfer Protocol. Retrieved from http://www.faqs.org/rfcs/rfc821.html
Veit, T. (1998). Internet Security Concepts. Retrieved from http://www.imn.htwk-leipzig.de/~veit/thesis/Vulnerabilities/DoS/PING.flooding/
Ronnau, L. (1999). Securing Routers Against Hackers and Denial of Service Attacks. Retrieved from http://net-services.ufl.edu/~security/itsa/attacks-ronnau.ppt
Pillou, J.-F. (2005). Nuke. Retrieved from a French computing encyclopaedia, available at http://www.commentcamarche.net/attaques/nuke.php3
Lo, J. (partly revised 2005, Mar 12). Denial of Service or Nuke Attacks. Part of IRChelp.org's security section at http://www.irchelp.org/irchelp/security/
Roesch, M., Caswell, B., et al. (2004). dos.rules. Retrieved from http://cvs.snort.org/viewcvs.cgi/snort/rules/dos.rules
Cisco Systems (2003, Apr 29). Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. Retrieved from http://www.cisco.com/warp/public/707/newsflash.html
