计算机网络攻击和防护技术计算机网络攻击和防护技术第八课第八课2OutlineDeep Packet InspectionWhatisDeepPacketInspection(DPI)?WhyDPIisimportant?Intrusion Detection System DesignMalware and Host security3What is DPI?Any non-endpoint network equipment using fields beyond layer-3 informationInspect/do action when packets pass the deviceInspectProtocolcompliancePolicycomplianceVirus,worm,spamorothermalwaresIntrusionStatisticsActEnforcepolicyTakeactionstopacketsLogProvide SecurityDataminingEavesdroppingCensorshipWidely used by enterprise, service providers, and governmentWiderangeofapplicationsIPS The Second Shield of Security5Firewall Alone Is Not EnoughFirewall is the first level of defense, but cannot look into applicationsIPS is the key to keep up with new security threats protectionTimelineVulnerabilitiesVulnerabilitiesDiscoveredDiscoveredAdvisory Advisory IssuedIssuedWorm Worm ReleasedReleasedExploits Exploits ReleasedReleasedGetting ShorterGetting ShorterLifecycle of Vulnerabilities and Threats6Benefits of Network IPSDropped from the networkBenefitsAttacks never reach their victim, eliminating impact to the networkNo need to waste time investigating the attackWorks for all traffic (IP, TCP, UDP, etc.)Drops only the offending trafficAn active, in-line system detects an attack and drops malicious traffic during the detection processUserUserUserServersMailServerWebServerFirewallHTTP TrafficCode red7Source: Infonetics 3Q08 Network Security Appliances Market Report IPS Market is GrowingWorld Wide Market ForecastSource:InfoneticsResearch,NetworkSecurityAppliancesandSoftwareQuarterlyWorldwideMarketShareandForecasts2Q09Revenue in US$ billions8Market ShareNo Significant China-Company PresenceSource: Infonetics 2008 Network Security Appliance Market Share Report2008 Worldwide Network-based Inline IDS/IPS9IPS Typical DeploymentsLarge Enterprise / Service ProvidersRegional OfficesSmall/Mid-size companiesMid-size companiesIntegrated FW/IPSIPSFW/IPSIPSIPS10IPS Product Examples Remote Office VendorJuniperTippingPoint(3Com)McAfeeIBM/ISSCisco ModelIDP250TP200I-1400GX4004IPS4240 Throughput (mbps)350200200200250 Concurrent Sessions70,0002,000,00080,0001,200,000500,000 Ports8x10/100/10004x10/100/1004x1004x10/100/10004x10/100/1000TX Integrated BypassYesNoYesYesNo Price$19,000$25,000$15,000$16,000$12,00011IPS Product Examples -Core VendorJuniperTippingPoint(3Com)McAfeeIBM/ISSSourcefire ModelIDP8200TP5500G+IPSM-8000GX61163D9800 Throughput10Gbps10Gbps10Gbps15Gbps(6Gbpsinspected)10Gbps Concurrent Sessions5,000,0004,000,0004,600,0001,000,000 PortsUpto8x10GEOrUpto16xGE(ormixthereof)DependantondeployedIPSdevices16xGE12x10GE16xSFP(1,000TX/SX/LX)4x10GE(Fiber) Integrated BypassYesNoNoNoYes Price$70,000+$60K+IPS$230K$189,000$240KIDP Technology Overview13IPS system SensorEnforcementpointDevicemanagement(interfaces,configuration,modes)Variousdetectionmechanismforinspectingpackets/streamsManagement ServerCentralizedpolicies,logsUnifiedviewofallsensorsUIPolicymanagementlogviewingEventcorrelation&forensicanalysis14Thwart Attacks at Every TurnMultiple Methods of DetectionTraffic Anomaly DetectionTraffic Anomaly DetectionNetwork HoneypotNetwork HoneypotProtocol Anomaly DetectionProtocol Anomaly DetectionStateful SignaturesStateful SignaturesSynflood ProtectorSynflood ProtectorBackdoor DetectionBackdoor DetectionIP Spoof DetectionIP Spoof DetectionLayer-2 Attack DetectionLayer-2 Attack Detection Malicious ActivitiesMalicious ActivitiesMalicious ActivitiesReconReconAttackAttackProliferationProliferation15PacketEngineIPS Sensor ArchitecturesPacket engine packetIOpacketdefragmentationflowandsessionmanagementDetector analyzes and decodes applicationsPolicy contains signatures and rules to detect attacksBoth policy and detector can be dynamically loadableLog for forensic analysisDetectorPolicyLogManagementActionNetwork Interface16IPS ArchitectureIP Fragment ReassemblyTCP ReassemblyLine-breakingApplication (HTTP) Parsing Event CorrelationLogs + PacketsFlow Lookup/ReconstructionActionsSignaturesAttack MatchingNetwork Interface17ProtectedNetworkDenial-of-Service ProtectionIPSSYNtodeathProtectionTCPProxyICMPfloodUDPfloodIPspoofingPer-sessionlimitingSYNfragmentsMalformed Packet ProtectionSYNandFINbitsetNoflagsinTCPFINwithnoACKICMPfragmentLargeICMP18Protocol Anomaly DetectionProtocols are well-definedAccuratedescriptionof“normal”usageIPS appliances can detect “abuse” or abnormal usageEnable Zero-Day Protection/CoverageSecuredfromvulnerabilitiesnotyetexploitedExample: Wide range of buffer overrun attacksExploitlackofrangecheckinginapplicationsSendingexorbitantlylongdataforparticularfieldcancrashthesystemandexecutemaliciouscode19Stateful SignaturesLook for specific pattern in trafficAnalyze in context based on type of trafficAvoid blindly scanning all trafficImproveefficiencyReducefalse-positivesExample: Code Red WormUtilizeGETrequestinHTTPprotocolforattackApplypatternmatchingtospecificsubsetofHTTPtraffic20Traffic Anomaly DetectionIdentify abnormal usage patternNo protocol anomalies or attack patterns but unusual traffic usage/volumeExample: Ping SweepReconnaissanceScannetworkstoidentifyresourcesforpossibleattackPingSweepfromexternal/suspicioussourceshouldalertadministrator21Backdoor Detection/TrojanWell known concept of Trojan HorseChallenge in identifying attack when first line of defense is compromisedAnalyze interactive trafficExample: Traffic originating from web serverWebserversusuallyrespondtorequests,notinitiatethemSignofinfectedserver/node22IPS Policyidp-policy test rulebase-ips rule 1 match from-zone trust; source-address 10.158.131.00/24; to-zone untrust; destination-address 17.158.121.00/24; application http; attacks custom-attacks http-url-idx-test ; predefined-attacks HTTP:OVERFLOW:PI3WEB-SLASH-OF HTTP:CISCO:IOS-ADMIN-ACCESS ; then action close-client; ip-action ip-block; log; notification log-attacks; 23RuleBase ActionIPSAbnormalBackdoorShell codeFirewall Close-client Close-client-and-server Close-server Drop-connection Drop-packet Ignore-connection Mark-diffserv No-action RecommendedRecommendedactionbyattackobjectsIP Action is for future traffic24Attack SignatureAttack: wget http:/13.0.1.1/index123.html :http-url-idx-test_new (http-url-idx-test_new :supercedes ( : (http-url-idx-test) ) :type (signature) :severity (5) :members ( : ( :type (signature :signature ( :context (http-url) :pattern (.*index123.*) :hidden (false) :negate (false) :flow (control) :direction (CTS) ) ) ) ) :service (appservice :appservice (http) ) )Attack: wget http:/13.0.1.1/level/18/exec/-/pwd HTTP:CISCO:IOS-ADMIN-ACCESS (HTTP:CISCO:IOS-ADMIN-ACCESS :type (signature) :attack-id (1644) :severity (5) :time-binding (disabled) :members ( : ( :type (signature :signature ( :context (http-url-parsed-param) :pattern (/level/(15-9|2-90-9)/exec/.*) :hidden (false) :negate (false) :flow (control) :direction (CTS) ) ) ) ) :service (appservice :appservice (http) ) ) 25IPS WeaknessesFalse positivesFalse negativeExpenseVolume/speedLockupsSpoofed IP addressesDOS26IPS Evasion TechniquesMalware VariantFragmentation attacksObfuscation and encodingEncrypted trafficProlonged attacks False positive attacks27IPS Success FactorsFast Packet Processing speedHighthroughputLowdelayanddelayjitterAccurate Policy Lessfalse-positiveLessfalse-negativeTimelyupdatedApplicationidentificationSelf-defenseHigh-availabilityMultiple protection mechanisms28Other DPI DevicesUnified Thread Management (UTM)Access Control and Auditing SystemMalware30What is a malware?A Malware is a set of instructions runonacomputernotapprovedbytheownerMakethecomputerdosomethingthatanattackerwants.31What the malware do?Steal personal informationSteal valuable informationCorrupt files or OSClick fraudUse computers as relay for attack or other mal-intentions32Malware ClassificationVirus(病毒病毒)CopyandinfectwithoutpermissionWorm(蠕虫蠕虫)Self-propagatingacrossnetworksTrojan(木马木马)DestructiveprogrammasqueradingasabenignapplicationBot and Botnet (僵尸和僵尸网僵尸和僵尸网)Usedfortheco-ordinationandoperationofanattackSpyware (间谍软件间谍软件)InterceptortakepartialcontroloverusersinteractionBackdoor (后门后门)CovertaccesstoacomputerDownloader Download/installmalicioussoftwareRansomware/scarewareProgramtoencryptuserusefuldataandrequestransomforrestorationAdwareDownloadadvertisingsoftwareanddisplayadvertisementswithoutuserconsentRootkit SubvertcontrolofOS33What is a Virus ?a program that can infect other programs by modifying them to include a, possibly evolved, version of itselfFred Cohen 198334Some Virus TypePolymorphic : uses a polymorphic engine to mutate while keeping the original algorithm intact (packer)Methamorpic : Change after each infection35What is a trojanA trojan describes the class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the victim computerWikipedia36What is rootkit A root kit is a component that uses stealth to maintain a persistent and undetectable presence on the machineSymantec37What is a wormA computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and do so without any user intervention.38History1981 First reported virus : Elk Cloner (Apple 2)1983 Virus get defined1986 First PC virus MS DOS1988 First worm : Morris worm1990 First polymorphic virus 1998 First Java virus1998 Back orifice 1999 Melissa virus1999 Zombie concept1999 Knark rootkit2000 love bug2001 Code Red Worm2001 Kernel Intrusion System2001 Nimda worm2003 SQL Slammer worm2008-2009 Conflicker39Number of malware signaturesSymantecreport200940Malware CompositionTrojan: 74%, Adware: 9%, spyware: 13%, Worm: 3%, Other 1%PandaQ1report200941What malwares Infect?ExecutableInterpreted fileKernelService 42Overwriting MalwareTargetedTargetedExecutableExecutableMalwareMalwareMalwareMalware43Prepending MalwareTargetedTargetedExecutableExecutableMalwareMalwareInfectedInfectedhosthostExecutableExecutableMalwareMalware44Appending MalwareTargetedTargetedExecutableExecutableMalwareMalwareInfectedInfectedhosthostExecutableExecutableMalwareMalware45Cavity malwareTargetedTargetedExecutableExecutableInfectedInfectedhosthostExecutableExecutableMalwareMalwareMalwareMalware46Multi-Cavity malwareTargetedTargetedExecutableExecutableMalwareMalwareMalwareMalwareMalwareMalwareMalwareMalware47Malware PackersMalwareMalwareInfectedhostInfectedhostExecutableExecutablePackerPackerPayloadCompress EncryptRandomize (polymorphism)Anti-debug technique (int / fake jmp)Add-junkVirtualization48Window Malware Auto StartFolder auto-start : C:DocumentsandSettingsuser_nameStartMenuProgramsStartupWin.ini : run=backdoor or load=backdoor.System.ini : shell=”myexplorer.exe”WininitConfig.sysAssign know extension (.doc) to the malwareAdd a Registry key such as HKCUSOFTWAREMicrosoftWindows CurrentVersionRunAdd a task in the task schedulerRun as service49Linux Malware Auto StartInit.d/etc/rc.local.login .xsession crontab crontab-e/etc/crontab50Macro virusUse the builtin script engineExample of call back used (word)AutoExec()AutoClose()AutoOpen()AutoNew()MS OfficeOpen OfficeAcrobat51Rootkit A software system that consists of one or more programs designed to obscure the fact that a system has been compromisedSource:Wikipediareplace vital system executablesTechniquesInstallthemselvesasdriversorkernelmodules,concealingrunningprocessesfrommonitoringprogramshidingfilesHidingsystemdataInstallbackdoorExists in Microsoft Windows, Linux, Unix, Mac OS52Rootkit typesFirmwareusesdeviceorplatformfirmwaretocreateapersistentmalwareimageHypervisormodifyingthebootsequenceofthemachinetoloadthemselvesasahypervisorundertheoriginaloperatingsystemBoot loader levelbootkitorEvilMaidAttack“usedpredominantlyagainstfulldiskencryptionsystemsKerneladdadditionalcodeand/orreplaceportionsofanoperatingsystemincludingboththekernelandassociateddevicedriversLibrarypatch,hook,orreplacesystemcallswithversionsthathideinformationabouttheattackerApplication levelplaceregularapplicationbinarieswithTrojanfakes,ormodifythebehaviorofexistingapplicationsUsinghooks,patches,injectedcode,orothermeans.53Subverting the KernelKernel tasksProcessmanagementFileaccessMemorymanagementNetworkmanagementTechniques:KernelpatchLoadableKernelModuleKernelmemorypatching(/dev/kmem)WhattohideProcessFilesNetworktraffic54Kernel rootkitPSPSKERNELKERNELHardware:Hardware:HD,keyboard,mouse,NIC,GPUHD,keyboard,mouse,NIC,GPUP1P1P2P2P3P3P3P3rootkitrootkit55Rootkit DetectionSignature or heuristics-based antivirus programsShut down the computer suspected of infection, and then check its storage by booting from an alternative trusted mediumPrograms available to detect rootkitsUnix:chkrootkit,rkhunterandOSSECWindows:avast!antivirus,SophosAnti-Rootkit,F-SecureBlacklight,andRadixCompare content of binaries present on disk with their copies in operating memory Prevention is better than cure56Rootkit RemovalDirect removal of a rootkit may be impractical Save data file, reinstall systemPrevention is better than cure5757WormA worm is self-replicating software designed to spread through the networknExploitsecurityflawsinwidelyusedservicesnExploitsocialengineeringtospreadnEmailattachmentnDrivebydownloadnCauseenormousdamagewDDOSattacks,installbotnetworkswAccesssensitiveinformationwCauseconfusionbycorruptingthesensitiveinformationWorm vs Virus vs Trojan horsenAvirusiscodeembeddedinafileorprogramnVirusesandTrojanhorsesrelyonhumaninterventionnWormsareself-containedandmayspreadautonomously5858Worm Detection and DefenseDetect via honeyfarms: collections of “honeypots” fed by a network telescope.nAnyoutboundconnectionfromhoneyfarm=worm.IntheorynDistillsignaturefrominbound/outboundtraffic.nIftelescopecoversNaddresses,expectdetectionwhenwormhasinfected1/Nofpopulation.Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hostsminutestoweekstowriteasignatureSeveralhoursormorefortesting5959monthsdayshrsminssecsProgramVirusesMacroVirusesE-mailWormsNetworkWormsFlashWormsPre-automationPost-automationContagionPeriodSignatureResponsePeriodNeed for automationCurrent threats can spread faster than defenses can reactionManual capture/analyze/signature/rollout model too slow1990Time2005ContagionPeriodSignatureResponsePeriodSlide:CareyNachenberg,Symantec6060Signature inferenceChallengenneedtoautomaticallylearnacontent“signature”foreachnewwormpotentiallyinlessthanasecond!Some proposed solutionsnSinghetal,AutomatedWormFingerprinting,OSDI04nKimetal,Autograph:TowardAutomated,DistributedWormSignatureDetection,USENIXSec046161Signature inferenceMonitor network and look for strings common to traffic with worm-like behaviornSignaturescanthenbeusedforcontentfilteringSlide:SSavage6262Content siftingAssume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow.)Two consequencesnContent Prevalence:W willbemorecommonintrafficthanotherbitstringsofthesamelengthnAddress Dispersion:thesetofpacketscontainingW willaddressadisproportionatenumberofdistinctsourcesanddestinationsContent sifting: find Ws with high content prevalence and high address dispersion and drop that trafficSlide:SSavage6363Observation:High-prevalence strings are rare(StefanSavage,UCSD*)Only0.6%ofthe40bytesubstringsrepeatmorethan3timesinaminute6464AddressDispersionTableSourcesDestinationsPrevalenceTableThe basic algorithmDetectorinnetworkABcnn.comCDE(StefanSavage,UCSD*)65651 (B)1 (A)AddressDispersionTableSourcesDestinations1PrevalenceTableDetectorinnetworkABcnn.comCDE(StefanSavage,UCSD*)66661 (A)1 (C)1 (B)1 (A)AddressDispersionTableSourcesDestinations11PrevalenceTableDetectorinnetworkABcnn.comCDE(StefanSavage,UCSD*)67671 (A)1 (C)2 (B,D)2 (A,B)AddressDispersionTableSourcesDestinations12PrevalenceTableDetectorinnetworkABcnn.comCDE(StefanSavage,UCSD*)68681 (A)1 (C)3 (B,D,E)3 (A,B,D)AddressDispersionTableSourcesDestinations13PrevalenceTableDetectorinnetworkABcnn.comCDE(StefanSavage,UCSD*)6969ChallengesComputationnTosupporta1Gbpslineratewehave12ustoprocesseachpacket,at10Gbps1.2us,at40GbpswDominatedbymemoryreferences;stateexpensivenContentsiftingrequireslookingateverybyteinapacketStatenOnafully-loaded1Gbpslinkanaveimplementationcaneasilyconsume100MB/secfortablenComputation/memoryduality:onhigh-speed(ASIC)implementation,latencyrequirementsmaylimitstatetoon-chipSRAM(StefanSavage,UCSD*)70ConclusionsSecurity is becoming a bigger problem in the cyber world.Network security is a field that has great potential BusinessResearchThank you!