
Intruder Trends

Tom Longstaff

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Sponsored by the U.S. Department of Defense
© 1998 by Carnegie Mellon University

Changes in Intrusion Profile

• 1988

– exploiting passwords

– exploiting known vulnerabilities

• Today

– exploiting passwords

– exploiting known vulnerabilities

– exploiting protocol flaws

– examining source files for new security flaws

– abusing anonymous FTP, web servers, email

– installing sniffer programs

– IP source address spoofing

– denial of service attacks

– widespread, automated scanning of the Internet

The definition of “vulnerability” on the Internet is approaching that of the DoD in trusted systems

Scanning for Victims

• Today:

• Wide scale scanners collect information on 100,000s of hosts around the Internet

• Sniffers now use the same technology as intrusion detection tools

• Number and complexity of trust relationships in real systems make victim selection easier

Scanning for Victims

• Tomorrow:

• Use of data reduction tools and more query-oriented search capability will allow reuse of scan data

• Inexpensive disk and computation time will encourage the use of cryptography and persistent storage of scan data

• Scan data becomes a commodity like marketing information

Probe Definition

• A single attempt to collect information, or to compromise a resource.

• Usually refers to one or more packets that traverse a computer network.

• Usually inferred to be malicious, but might be used for packets where the intent is unknown or not clear.

Scan Definition

• A scan is a collection of probes, usually with some pattern across a range of systems, services or both.

Attractive Targets

• What information is available to the public?

– DNS servers

– hosts mentioned in whois records

– public service machines (Web, ftp, mail)

• Intruders may also identify targets with

– traceroutes

– DNS zone transfers

– other advanced scanning techniques

Packet Types

• TCP: Transmission Control Protocol

– reliable, connection oriented

– 3-way handshake establishes connection

– telnet, SMTP, SSH, ftp

• UDP: User Datagram Protocol

– unreliable, connectionless

– DNS, bootp, tftp, NFS, SNMP

• ICMP: Internet Control Message Protocol

– error and control information

– ping, traceroute

Establishing a TCP Connection

[Diagram: network messages exchanged between Site A and Site B]

Site A: Send SYN  ->  Site B: Receive SYN

Site B: Send SYN + ACK  ->  Site A: Receive SYN + ACK

Site A: Send ACK  ->  Site B: Receive ACK

Closing a TCP Connection

[Diagram: network messages exchanged between Site A and Site B]

Site A: Send FIN + ACK  ->  Site B: Receive FIN + ACK

Site B: Send ACK  ->  Site A: Receive ACK

Site B: Inform application

Site B: Send FIN + ACK  ->  Site A: Receive FIN + ACK

Site A: Send ACK  ->  Site B: Receive ACK

Site A: Inform application
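The two exchanges on the slides above, replayed as an added example (not code from the CERT presentation) through a reduced RFC 793 TCP state machine, so that each "Send" and "Receive" step can be tied to the state each endpoint is in. The endpoint names, the transition table and the trace format are this example's own; segments carry only their flag names, and sequence numbers, retransmission and simultaneous open/close are left out.

```python
# Added example (not part of the CERT slides): the three-way open and the
# four-segment close replayed through a reduced RFC 793 TCP state machine.
# Segments are modelled as their flag names only; sequence numbers,
# retransmission and the simultaneous-open/close cases are left out.

# (state, event) -> (next state, flags to send back, note for the application)
# Events are application calls ("app_...") or the flags of a received segment.
TRANSITIONS = {
    ("CLOSED", "app_listen"): ("LISTEN", None, None),
    ("CLOSED", "app_open"): ("SYN_SENT", {"SYN"}, None),
    ("LISTEN", "SYN"): ("SYN_RECEIVED", {"SYN", "ACK"}, None),
    ("SYN_SENT", "SYN+ACK"): ("ESTABLISHED", {"ACK"}, None),
    ("SYN_RECEIVED", "ACK"): ("ESTABLISHED", None, None),
    ("ESTABLISHED", "app_close"): ("FIN_WAIT_1", {"FIN", "ACK"}, None),
    ("ESTABLISHED", "FIN+ACK"): ("CLOSE_WAIT", {"ACK"}, "inform application"),
    ("FIN_WAIT_1", "ACK"): ("FIN_WAIT_2", None, None),
    ("CLOSE_WAIT", "app_close"): ("LAST_ACK", {"FIN", "ACK"}, None),
    ("FIN_WAIT_2", "FIN+ACK"): ("TIME_WAIT", {"ACK"}, "inform application"),
    ("LAST_ACK", "ACK"): ("CLOSED", None, None),
}

FLAG_ORDER = ("SYN", "FIN", "ACK", "RST")


def flags_key(flags):
    """Canonical spelling of a flag set, e.g. {'ACK', 'SYN'} -> 'SYN+ACK'."""
    return "+".join(f for f in FLAG_ORDER if f in flags)


class Endpoint:
    def __init__(self, name):
        self.name = name
        self.state = "CLOSED"
        self.log = []  # human-readable trace, one entry per step

    def event(self, ev):
        """Apply an application call or a received segment; return the reply segment, if any."""
        key = (self.state, ev)
        if key not in TRANSITIONS:
            raise ValueError(f"{self.name}: no transition for {ev!r} in state {self.state}")
        nxt, reply, note = TRANSITIONS[key]
        verb = ev if ev.startswith("app_") else f"Receive {ev}"
        self.log.append(f"{self.name}: {verb} [{self.state} -> {nxt}]")
        self.state = nxt
        if note:
            self.log.append(f"{self.name}: {note}")
        if reply:
            self.log.append(f"{self.name}: Send {flags_key(reply)}")
            return flags_key(reply)
        return None


def run_exchange(initiator, responder, app_call):
    """Let `initiator` make an application call, then carry segments back and
    forth across the network until neither side has anything left to send."""
    seg = initiator.event(app_call)
    receiver, other = responder, initiator
    while seg is not None:
        seg = receiver.event(seg)
        receiver, other = other, receiver


def three_way_handshake():
    """Site A actively opens a connection to the listening Site B."""
    a, b = Endpoint("Site A"), Endpoint("Site B")
    b.event("app_listen")
    run_exchange(a, b, "app_open")
    return a, b


def four_step_close(a, b):
    """Site A closes first; Site B acknowledges, informs its application,
    then sends its own FIN + ACK, which Site A acknowledges."""
    run_exchange(a, b, "app_close")
    run_exchange(b, a, "app_close")
    return a, b


if __name__ == "__main__":
    a, b = four_step_close(*three_way_handshake())
    for line in a.log + b.log:
        print(line)
```

The point of carrying the state names along is the next three slides: a connect() probe drives the responder all the way to ESTABLISHED, which is why the application (and its logs) see it, whereas the half-open and FIN probes described later never get there.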

TCP Connect Probes

• The intruder uses the connect() system call to send the probe.

• These probes open (and perhaps close) a TCP connection as described earlier.

• Privileged access on the origin host is not needed.

• This type of probe is the most common and the easiest to detect.

TCP SYN Probes

• The intruder sends a SYN packet.

• A SYN-ACK response means the port is open.

• A RST response means the port is closed.

• These probes are harder to detect because the connection is never fully completed.

TCP FIN Probes

• The intruder sends a FIN packet.

• Some systems respond with:

– RST packets for closed ports

– nothing for open ports

• Like SYN probes, FIN probes are hard to detect because the connection is never completed.
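The detection side of the three probe types above (connect(), SYN and FIN), as an added example that is not code from the presentation: a classifier run over a constructed packet log of one monitored host. The log format, the address 10.0.0.5 and the 192.0.2.10 source are made up for the example; the labels follow the slides, where a completed handshake is what the application layer sees and a half-open or bare-FIN exchange is visible only in a packet log.

```python
# Added example (not from the CERT slides): classify TCP flows seen at a
# monitored host as connect() probes, half-open SYN probes or FIN probes.
import re
from collections import defaultdict

MONITORED = "10.0.0.5"  # constructed address of the host whose traffic was logged

# Constructed packet log, one packet per line: time, src:port -> dst:port, flags
# (S = SYN, A = ACK, F = FIN, R = RST). Not real tcpdump output.
SAMPLE_LOG = """
t=1 192.0.2.10:40001 -> 10.0.0.5:25 S
t=2 10.0.0.5:25 -> 192.0.2.10:40001 SA
t=3 192.0.2.10:40001 -> 10.0.0.5:25 A
t=4 192.0.2.10:40001 -> 10.0.0.5:25 FA
t=5 10.0.0.5:25 -> 192.0.2.10:40001 A
t=10 192.0.2.10:40002 -> 10.0.0.5:80 S
t=11 10.0.0.5:80 -> 192.0.2.10:40002 SA
t=12 192.0.2.10:40002 -> 10.0.0.5:80 R
t=20 192.0.2.10:40003 -> 10.0.0.5:79 S
t=21 10.0.0.5:79 -> 192.0.2.10:40003 RA
t=30 192.0.2.10:40004 -> 10.0.0.5:22 F
t=40 192.0.2.10:40005 -> 10.0.0.5:23 F
t=41 10.0.0.5:23 -> 192.0.2.10:40005 RA
""".strip().splitlines()

LINE = re.compile(r"t=(\d+) (\S+):(\d+) -> (\S+):(\d+) ([SAFR]+)")


def parse(lines):
    """Turn log lines into packet dicts; lines that do not match are skipped."""
    pkts = []
    for ln in lines:
        m = LINE.match(ln.strip())
        if not m:
            continue
        t, src, sport, dst, dport, flags = m.groups()
        pkts.append({"t": int(t), "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "flags": set(flags)})
    return pkts


def flows(pkts):
    """Group packets into flows keyed by (remote host, remote port, local port);
    each packet is tagged 'in' (toward the monitored host) or 'out'."""
    by_flow = defaultdict(list)
    for p in pkts:
        if p["dst"] == MONITORED:
            key, direction = (p["src"], p["sport"], p["dport"]), "in"
        elif p["src"] == MONITORED:
            key, direction = (p["dst"], p["dport"], p["sport"]), "out"
        else:
            continue
        by_flow[key].append((direction, frozenset(p["flags"])))
    return by_flow


def classify(seq):
    """Label one flow from its ordered (direction, flags) pairs."""
    first_dir, first_flags = seq[0]
    if first_dir != "in":
        return "outbound / not a probe"
    server_synack = any(d == "out" and {"S", "A"} <= f for d, f in seq)
    server_rst = any(d == "out" and "R" in f for d, f in seq)
    if "S" in first_flags and "A" not in first_flags:
        client_ack = any(d == "in" and f == {"A"} for d, f in seq[1:])
        client_rst = any(d == "in" and "R" in f for d, f in seq[1:])
        if server_rst and not server_synack:
            return "closed port (connect() or SYN probe, indistinguishable)"
        if server_synack and client_ack:
            return "connect() probe, open port: handshake completed, application sees it"
        if server_synack and client_rst:
            return "SYN probe, open port: half-open, reset before completion"
        if server_synack:
            return "SYN probe, open port: half-open, never acknowledged"
        return "SYN seen, no reply: filtered or dropped"
    if "F" in first_flags and "S" not in first_flags:
        if server_rst:
            return "FIN probe, closed port: RST returned"
        return "FIN probe, open port inferred: no reply"
    return "other"


def classify_log(lines):
    return {key: classify(seq) for key, seq in flows(parse(lines)).items()}


def packet_log_only(labels):
    """Flows the application never sees; only packet logging reveals them."""
    return sorted(k for k, v in labels.items() if v.startswith(("SYN probe", "FIN probe")))
```

Running classify_log over SAMPLE_LOG labels the port 25 flow as a completed connect(), port 80 as a half-open SYN probe, port 79 as a closed port, and the two bare FINs as FIN probes; packet_log_only then lists the three flows that a connection log at the application layer would never record, which is the practical meaning of "harder to detect" on these slides.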

ICMP Host Unreachable Probes

• The intruder sends a packet to a host.

• If an intermediate router knows that this host does not exist, it may respond with an “ICMP host unreachable” packet.

• This technique identifies which hosts don’t exist, and by inference, which ones do.

• More information is available in IN-98.04.

Reverse Ident Probes

• The intruder first connects to an open port.

• Then they send an ident request to the probed host to determine which userid owns the port.

• Protect against these scans by using the privacy options in ident.

• These probes can be used to identify Web servers running as root, etc.

FTP Bounce Probes

• The intruder connects to an FTP server.

• Then they attempt to transfer files between the FTP server and the target host.

• Based on the error messages, the intruder can tell if the port is open.

• FTP bounce probes are often used to probe systems behind a firewall.

• More information is available in CA-97.27.

Decoy Probes

• The intruder sends several spoofed probes at the same time the real probe is sent.

• The real origin is hard to determine.

• This reduces the chance that the probe will be reported and responded to correctly.

• It can also lead system administrators to doubt the legitimacy of probes reported to them.

Spoofed Origin Probes

• The intruder sends probes with a spoofed source address.

• Then they use an ethernet sniffer to capture the probe results on a host “near” the spoofed origin of the probes.

• More information is available in IN-98-05.

Fragmented Probes

• The intruder fragments the header of the probe packet into tiny pieces.

• Some systems (including firewalls) do not properly filter these packets.

• Other types of probes can be used with the “fragmented header” technique.

Architecture Mapping

• The intruder sends probes that produce specific responses based on the operating system.

• The intruder can use this information to identify

– operating system

– hardware architecture

– OS version number

• More information is available in IN-98.04.

Coordinated Scans

• Coordinated scans are probes that

– come from multiple hosts

– collectively produce a complete scan

• The results are collected by a single intruder or shared among cooperating intruders.

• It looks like there are multiple intruders, but there’s no way to know for sure.

Slow Scans

• The probes in a scan can occur slowly, over days or even weeks.

• This avoids thresholds in some firewalls.

• It’s harder to detect than a normal scan.

• It’s also harder to detect on the originating host.

• More information is available in IN-98.04.
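The Scan Definition, Coordinated Scans and Slow Scans slides describe the same detection problem from three angles: a scan is a pattern of probes across services, and neither a per-source threshold over a short window (the firewall rule a slow scan avoids) nor per-source bookkeeping at all (which a coordinated scan defeats) sees that pattern. The following is an added example, not code from the CERT presentation, that puts the two approaches side by side over a constructed probe list; the addresses, the eight-day slow scan, the five-host coordinated scan and the window sizes are all made up for the example.

```python
# Added example (not from the CERT slides): a short-window per-source
# threshold versus a long-window, target-keyed scan detector.
from collections import defaultdict, deque

DAY = 86400

# Constructed probe records: (time in seconds, source, target host, target port).
SAMPLE_PROBES = []
# A slow scan: one port per day from a single source, eight days long.
for day, port in enumerate(range(21, 29)):
    SAMPLE_PROBES.append((day * DAY, "198.51.100.7", "10.0.0.5", port))
# A coordinated scan: five sources each cover two ports, all within three minutes.
for i in range(5):
    for j in range(2):
        SAMPLE_PROBES.append((3 * DAY + 20 * (2 * i + j), f"203.0.113.{i + 1}",
                              "10.0.0.6", 100 + 2 * i + j))
# A benign repeat visitor to the web server, to show legitimate traffic in the mix.
for k in range(6):
    SAMPLE_PROBES.append((k * DAY + 3600, "192.0.2.50", "10.0.0.5", 80))


def per_source_threshold(probes, window, min_ports):
    """Firewall-style rule: flag a source that touches at least `min_ports`
    distinct (host, port) pairs within `window` seconds. Each source in a
    coordinated scan stays under the count, and a slow scan never fills a window."""
    recent = defaultdict(deque)
    flagged = set()
    for t, src, dst, port in sorted(probes):
        q = recent[src]
        q.append((t, dst, port))
        while q and q[0][0] < t - window:
            q.popleft()
        if len({(d, p) for _, d, p in q}) >= min_ports:
            flagged.add(src)
    return flagged


def target_coverage(probes, window, min_ports):
    """Correlate by target instead of source, over a long window: the pattern
    across services is what defines a scan, whoever sent the probes and however
    slowly. Returns, per target, the distinct ports covered, the sources involved
    and the span of the activity in days."""
    recent = defaultdict(deque)
    alerts = {}
    for t, src, dst, port in sorted(probes):
        q = recent[dst]
        q.append((t, src, port))
        while q and q[0][0] < t - window:
            q.popleft()
        ports = {p for _, _, p in q}
        if len(ports) >= min_ports:
            alerts[dst] = {"ports": len(ports),
                           "sources": sorted({s for _, s, _ in q}),
                           "span_days": round((t - q[0][0]) / DAY, 1)}
    return alerts


if __name__ == "__main__":
    print("per-source, 60 s window:", per_source_threshold(SAMPLE_PROBES, 60, 5))
    for dst, info in target_coverage(SAMPLE_PROBES, 14 * DAY, 5).items():
        print(dst, info)
```

With a 60-second window and a five-port threshold the per-source rule flags nothing, while the target-keyed detector reports both hosts: 10.0.0.5 with nine distinct ports over seven days from two sources, and 10.0.0.6 with ten ports from five sources in a few minutes. Two caveats follow from the output: the benign port 80 visitor is counted into 10.0.0.5's coverage, so in practice known service traffic is excluded first, and the detector cannot say whether the five 203.0.113.x sources are one intruder or several, exactly as the Coordinated Scans slide notes.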

The Future of Probes

• We’re very likely to see more:

– widespread brute-force scanning with little regard for being detected

– stealthy probes like SYN and FIN that require packet logging to detect

– attempts to hide the origin of the probes through spoofing and decoys

– automated vulnerability exploits that probe and compromise in a single step

Typical Intruder Attack (Yesterday)

[Diagram over the Internet] Intruder scans remote sites to identify targets, then attacks vulnerable or misconfigured hosts

Distributed Coordinated Attack (Today)

[Diagram over the Internet] Intruder scans remote sites to identify targets, then attacks vulnerable or misconfigured hosts

Distributed Coordinated Attack

• Uses 100s to 1000s of clients (10,000s)

• Is triggered by a “victim” and “time” command

• Will simultaneously attack the victim from all clients

• Currently does not use random source addresses

• Today used in DoS attacks only

Issues for Responding to DoS Attacks

• Filtering/detecting this attack is problematic!

• The intruder’s intent is not always clear in denial of service attacks. The intruder might be

– using the DoS attack to hide a real attack

– misusing resources to attack someone else

– attempting to frame someone else for the attack

– disabling a trusted host as part of an intrusion

• Attacks also frequently involve

– IRC abuse

– intruders attacking each other

– retaliation for securing systems

The Future is Automation

• Put these together and what do you get?

– tools to scan for multiple vulnerabilities

– architecture identification tools

– widely available exploits

– pre-packaged Trojan horse backdoor programs

– delivery and recon through active content

• Bad news!

• Together, these publicly available tools could be modified to launch widespread scans and compromise systems automatically.