計(jì)算機(jī)網(wǎng)絡(luò)攻擊和防護(hù)技術(shù):第八課_第1頁(yè)
計(jì)算機(jī)網(wǎng)絡(luò)攻擊和防護(hù)技術(shù):第八課_第2頁(yè)
計(jì)算機(jī)網(wǎng)絡(luò)攻擊和防護(hù)技術(shù):第八課_第3頁(yè)
計(jì)算機(jī)網(wǎng)絡(luò)攻擊和防護(hù)技術(shù):第八課_第4頁(yè)
計(jì)算機(jī)網(wǎng)絡(luò)攻擊和防護(hù)技術(shù):第八課_第5頁(yè)
已閱讀5頁(yè),還剩65頁(yè)未讀, 繼續(xù)免費(fèi)閱讀

下載本文檔

版權(quán)說(shuō)明:本文檔由用戶(hù)提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請(qǐng)進(jìn)行舉報(bào)或認(rèn)領(lǐng)

文檔簡(jiǎn)介

1、計(jì)算機(jī)網(wǎng)絡(luò)攻擊和防護(hù)技術(shù)第八課OutlineDeep Packet InspectionWhat is Deep Packet Inspection (DPI)?Why DPI is important?Intrusion Detection System DesignMalware and Host securityWhat is DPI?Any non-endpoint network equipment using fields beyond layer-3 informationInspect/do action when packets pass the deviceInspectP

2、rotocol compliancePolicy complianceVirus, worm, spam or other malwaresIntrusionStatisticsActEnforce policyTake actions to packetsLogProvide SecurityData miningEavesdroppingCensorshipWidely used by enterprise, service providers, and governmentWide range of applicationsIPS The Second Shield of Securit

3、yFirewall Alone Is Not EnoughFirewall is the first level of defense, but cannot look into applicationsIPS is the key to keep up with new security threats protectionTimelineVulnerabilitiesDiscoveredAdvisory IssuedWorm ReleasedExploits ReleasedGetting ShorterLifecycle of Vulnerabilities and ThreatsBen

4、efits of Network IPSDropped from the networkBenefitsAttacks never reach their victim, eliminating impact to the networkNo need to waste time investigating the attackWorks for all traffic (IP, TCP, UDP, etc.)Drops only the offending trafficAn active, in-line system detects an attack and drops malicio

5、us traffic during the detection processUserUserUserServersMailServerWebServerFirewallHTTP TrafficCode redSource: Infonetics 3Q08 Network Security Appliances Market Report IPS Market is GrowingWorld Wide Market ForecastSource: Infonetics Research, Network Security Appliances and Software Quarterly Wo

6、rldwide Market Share and Forecasts 2Q09Revenue in US$ billionsMarket ShareNo Significant China-Company PresenceSource: Infonetics 2008 Network Security Appliance Market Share Report2008 Worldwide Network-based Inline IDS/IPSIPS Typical DeploymentsLarge Enterprise / Service ProvidersRegional OfficesS

7、mall/Mid-size companiesMid-size companiesIntegrated FW/IPSIPSFW/IPSIPSIPSIPS Product Examples Remote Office VendorJuniperTippingPoint(3Com)McAfeeIBM/ISSCisco ModelIDP250TP200I-1400GX4004IPS4240 Throughput (mbps)350200200200250 Concurrent Sessions70,0002,000,00080,0001,200,000500,000 Ports8 x 10/100/

8、10004 x 10/100/1004 x 1004 x 10/100/10004 x 10/100/1000TX Integrated BypassYesNoYesYesNo Price$19,000$25,000 $15,000$16,000 $12,000 IPS Product Examples -Core VendorJuniperTippingPoint(3Com)McAfeeIBM/ISSSourcefire ModelIDP8200TP5500G + IPSM-8000GX61163D9800 Throughput10Gbps10Gbps10Gbps15Gbps (6Gbps

9、inspected)10Gbps Concurrent Sessions5,000,0004,000,0004,600,0001,000,000 PortsUp to 8 x 10GEOrUp to 16 x GE (or mix thereof)Dependant on deployed IPS devices16xGE 12x10GE 16 x SFP (1,000 TX/SX/LX)4 x 10GE (Fiber) Integrated BypassYesNoNoNoYes Price$70,000+$60K + IPS$230K$189,000 $240KIDP Technology

IDP Technology Overview
- IPS system
  - Sensor: the enforcement point; device management (interfaces, configuration, modes); various detection mechanisms for inspecting packets and streams
  - Management server: centralized policies and logs; unified view of all sensors
  - UI: policy management; log viewing; event correlation and forensic analysis

Thwart Attacks at Every Turn: Multiple Methods of Detection
- Traffic anomaly detection
- Network honeypot
- Protocol anomaly detection
- Stateful signatures
- SYN flood protector
- Backdoor detection
- IP spoof detection
- Layer-2 attack detection
(Figure: malicious activities in each phase of an attack: reconnaissance, attack, proliferation)

IPS Sensor Architecture
- Packet engine: packet I/O, packet defragmentation, flow and session management
- Detector: analyzes and decodes applications
- Policy: contains the signatures and rules used to detect attacks
- Both policy and detector can be loaded dynamically
- Log: kept for forensic analysis
(Figure: network interface, packet engine, detector, policy, log, management and action blocks of the sensor)

IPS Architecture
- Processing pipeline (figure): network interface, IP fragment reassembly, flow lookup/reconstruction, TCP reassembly, line-breaking, application (HTTP) parsing, attack matching against signatures, actions, protected network
- Event correlation over logs and packets

Denial-of-Service Protection
- "SYN to death" (SYN flood) protection: TCP proxy
- ICMP flood
- UDP flood
- IP spoofing
- Per-session limiting
- SYN fragments

Malformed Packet Protection
- SYN and FIN bits both set
- No flags set in TCP
- FIN with no ACK
- ICMP fragment
- Large ICMP

Protocol Anomaly Detection
- Protocols are well defined, which gives an accurate description of "normal" usage
- IPS appliances can therefore detect "abuse" or abnormal usage
- Enables zero-day protection/coverage: secured against vulnerabilities that have not yet been exploited
- Example: the wide range of buffer-overrun attacks, which exploit the lack of range checking in applications; sending exorbitantly long data in a particular field can crash the system and execute malicious code

Stateful Signatures
- Look for a specific pattern in traffic
- Analyze in context, based on the type of traffic: avoid blindly scanning all traffic, improve efficiency, reduce false positives
- Example: the Code Red worm uses an HTTP GET request for its attack, so pattern matching is applied only to the relevant subset of HTTP traffic

Traffic Anomaly Detection
- Identify abnormal usage patterns: no protocol anomalies or attack patterns, but unusual traffic usage or volume
- Example: ping sweep (reconnaissance): scanning networks to identify resources for a possible attack; a ping sweep from an external or suspicious source should alert the administrator
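The malformed-packet rules above are easy to get subtly wrong: a SYN+FIN packet also trips "FIN without ACK", and the TCP flags are only readable in the first fragment. The following is an added example, not code from the deck or from any IPS vendor: a small packet engine in Python that parses raw IPv4 headers and applies the slide's TCP and ICMP checks. The packets it inspects are constructed in-process, and the 1024-byte "large ICMP" threshold is an assumption.

```python
"""Malformed-packet checks from the Denial-of-Service and Malformed Packet
Protection slides. Added example, not code from the deck or an IPS vendor.
The packets are constructed below; nothing is read from the network."""
from __future__ import annotations
import struct

# Classic TCP flag bits in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_MF = 0x2000               # "more fragments" bit of the IPv4 flags/offset word
LARGE_ICMP_BYTES = 1024      # assumed threshold for the "large ICMP" rule


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 fields the checks need; payload is the layer-4 data."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    return {
        "proto": pkt[9],
        "total_len": total_len,
        "more_frags": bool(flags_frag & IP_MF),
        "frag_offset": flags_frag & 0x1FFF,
        "payload": pkt[ihl:total_len],
    }


def check_packet(pkt: bytes) -> list[str]:
    """Names of every malformed-packet rule the packet violates (empty = clean)."""
    ip = parse_ipv4(pkt)
    hits: list[str] = []
    fragmented = ip["more_frags"] or ip["frag_offset"] != 0
    if ip["proto"] == 6:
        # TCP flags live in the first fragment only; later fragments carry no header.
        if ip["frag_offset"] == 0 and len(ip["payload"]) >= 14:
            flags = ip["payload"][13] & 0x3F
            if flags & SYN and flags & FIN:
                hits.append("SYN and FIN set")
            if flags == 0:
                hits.append("no TCP flags")
            if flags & FIN and not flags & ACK:
                hits.append("FIN without ACK")
            if flags & SYN and fragmented:
                hits.append("SYN fragment")
    elif ip["proto"] == 1:
        if fragmented:
            hits.append("ICMP fragment")
        if ip["total_len"] > LARGE_ICMP_BYTES:
            hits.append("large ICMP")
    return hits


# --- constructed sample packets (checksums left at zero) ---------------------

def ipv4(proto: int, payload: bytes, more_frags: bool = False) -> bytes:
    """Minimal 20-byte IPv4 header in front of payload."""
    flags_frag = IP_MF if more_frags else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, bytes([10, 0, 0, 1]),
                      bytes([10, 0, 0, 2]))
    return hdr + payload


def tcp(flags: int) -> bytes:
    """20-byte TCP header with the given flags; ports and sequence numbers are dummies."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)


def icmp_echo(size: int) -> bytes:
    """ICMP echo request padded out to size bytes."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\x00" * (size - 8)


def demo() -> dict[str, list[str]]:
    """Run the checks over the constructed samples and return rule hits by name."""
    samples = {
        "tcp syn": ipv4(6, tcp(SYN)),
        "tcp syn+fin": ipv4(6, tcp(SYN | FIN)),
        "tcp null": ipv4(6, tcp(0)),
        "tcp fin only": ipv4(6, tcp(FIN)),
        "tcp fin+ack": ipv4(6, tcp(FIN | ACK)),
        "tcp syn, more fragments": ipv4(6, tcp(SYN), more_frags=True),
        "icmp echo 64B": ipv4(1, icmp_echo(64)),
        "icmp echo 1400B": ipv4(1, icmp_echo(1400)),
        "icmp echo fragment": ipv4(1, icmp_echo(64), more_frags=True),
    }
    return {name: check_packet(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:26s} {hits or 'ok'}")
```

A real sensor runs these checks after IP reassembly, as the architecture slide shows; doing them per fragment would let an attacker split the TCP header across fragments so that the flags are never seen together.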
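Stateful signatures and the protocol-anomaly check are best seen next to a blind byte scan. The following is an added example, not code from the deck or from Juniper: it takes the two URL patterns from the attack objects shown in this deck's IPS Policy slides (http-url-idx-test and HTTP:CISCO:IOS-ADMIN-ACCESS), applies each only within the protocol context the attack object names (the raw URL, or the percent-decoded URL for http-url-parsed-param) and only in the client-to-server direction, and adds a simple protocol-anomaly rule for over-long URLs. The HTTP requests, the naive_match comparison function and the 2048-byte URL limit are all constructed for the example.

```python
"""Context-aware (stateful) HTTP signatures versus a blind byte scan.
Added example, not code from the deck or from Juniper; the requests below are
constructed, and the URL-length limit is an assumed protocol-anomaly rule."""
from __future__ import annotations
import re
from urllib.parse import unquote

MAX_URL_LEN = 2048   # assumed; over-long fields are the buffer-overrun anomaly

# (name, context, pattern): the two URL patterns from the deck's attack objects.
SIGNATURES = [
    ("http-url-idx-test", "http-url", re.compile(r".*index123.*")),
    ("HTTP:CISCO:IOS-ADMIN-ACCESS", "http-url-parsed-param",
     re.compile(r"/level/(1[5-9]|[2-9][0-9])/exec/.*")),
]


def parse_request(raw: bytes) -> dict | None:
    """Split a client request into method, URL, percent-decoded URL and body.
    Returns None when the bytes do not start with an HTTP request line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    m = re.fullmatch(r"([A-Z]+) (\S+) HTTP/\d\.\d", request_line)
    if not m:
        return None
    return {"method": m.group(1), "url": m.group(2),
            "url_parsed": unquote(m.group(2)), "body": body}


def match_request(raw: bytes, direction: str = "CTS") -> list[str]:
    """Signatures (and anomalies) that fire, each evaluated only in its own context."""
    if direction != "CTS":          # the deck's objects are client-to-server only
        return []
    req = parse_request(raw)
    if req is None:
        return []
    contexts = {"http-url": req["url"], "http-url-parsed-param": req["url_parsed"]}
    hits = [name for name, ctx, pat in SIGNATURES if pat.search(contexts[ctx])]
    if len(req["url"]) > MAX_URL_LEN:
        hits.append("anomaly:http-url-length")
    return hits


def naive_match(raw: bytes) -> list[str]:
    """For contrast: every pattern against every byte, no context, no decoding."""
    text = raw.decode("latin-1")
    return [name for name, _, pat in SIGNATURES if pat.search(text)]


# Constructed requests: an honest hit, the slide's wget, an encoded evasion,
# the pattern inside a POST body, and an over-long URL.
SAMPLES = {
    "index123 in URL": b"GET /index123.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "ios admin url": b"GET /level/18/exec/-/pwd HTTP/1.0\r\nHost: router\r\n\r\n",
    "ios admin encoded": b"GET /level/%31%38/exec/-/pwd HTTP/1.0\r\nHost: router\r\n\r\n",
    "index123 in body": b"POST /upload HTTP/1.0\r\nContent-Length: 30\r\n\r\n"
                        b"see /index123.html for details",
    "long url": b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
}


def demo() -> dict[str, tuple[list[str], list[str]]]:
    """(contextual hits, naive hits) for every constructed request."""
    return {k: (match_request(v), naive_match(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ctx_hits, raw_hits) in demo().items():
        print(f"{name:20s} contextual={ctx_hits} naive={raw_hits}")
```

The two middle samples show why the slides insist on context: the percent-encoded request is an obfuscation-and-encoding evasion that the raw scan misses but the parsed-param context catches, and the same string in a POST body is a false positive for the raw scan that the URL-only match never sees.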

Backdoor Detection / Trojan
- Well-known concept of the Trojan horse
- Challenge: identifying the attack once the first line of defense is compromised
- Analyze interactive traffic
- Example: traffic originating from a web server. Web servers usually respond to requests rather than initiating them, so this is a sign of an infected server or node

IPS Policy (Junos IDP policy as shown on the slide)

    idp-policy test {
        rulebase-ips {
            rule 1 {
                match {
                    from-zone trust;
                    source-address 0/24;
                    to-zone untrust;
                    destination-address 0/24;
                    application http;
                    attacks {
                        custom-attacks http-url-idx-test;
                        predefined-attacks [ HTTP:OVERFLOW:PI3WEB-SLASH-OF HTTP:CISCO:IOS-ADMIN-ACCESS ];
                    }
                }
                then {
                    action {
                        close-client;
                    }
                    ip-action {
                        ip-block;
                        log;
                    }
                    notification {
                        log-attacks;
                    }
                }
            }
        }
    }

Rulebases and Actions
- Rulebases (figure): IPS, Abnormal, Backdoor, Shell code, Firewall
- Actions: close-client, close-client-and-server, close-server, drop-connection, drop-packet, ignore-connection, mark-diffserv, no-action, recommended (the action recommended by the attack object)
- The IP action applies to future traffic from the offending address

Attack Signature
- Attack triggered with: wget /index123.html
- Matched by the custom attack object http-url-idx-test_new, which supersedes http-url-idx-test:

    (http-url-idx-test_new
        :supercedes ( : (http-url-idx-test) )
        :type (signature)
        :severity (5)
        :members ( : ( :type (signature
            :signature (
                :context (http-url)
                :pattern (.*index123.*)
                :hidden (false)
                :negate (false)
                :flow (control)
                :direction (CTS) ) ) ) )
        :service (appservice :appservice (http) ) )

- Attack triggered with: wget /level/18/exec/-/pwd
- Matched by the predefined attack object HTTP:CISCO:IOS-ADMIN-ACCESS:

    (HTTP:CISCO:IOS-ADMIN-ACCESS
        :type (signature)
        :attack-id (1644)
        :severity (5)
        :time-binding (disabled)
        :members ( : ( :type (signature
            :signature (
                :context (http-url-parsed-param)
                :pattern (/level/(1[5-9]|[2-9][0-9])/exec/.*)
                :hidden (false)
                :negate (false)
                :flow (control)
                :direction (CTS) ) ) ) )
        :service (appservice :appservice (http) ) )

IPS Weaknesses
- False positives
- False negatives
- Expense
- Volume and speed
- Lockups
- Spoofed IP addresses
- Denial of service against the IPS itself

IPS Evasion Techniques
- Malware variants
- Fragmentation attacks
- Obfuscation and encoding
- Encrypted traffic
- Prolonged attacks
- Deliberately triggered false positives

IPS Success Factors
- Fast packet processing: speed, high throughput, low delay and delay jitter
- Accurate policy: fewer false positives, fewer false negatives, timely updates
- Application identification
- Self-defense
- High availability
- Multiple protection mechanisms

Other DPI Devices
- Unified Threat Management (UTM)
- Access control and auditing systems

Malware

What is malware?
- A set of instructions run on a computer without the owner's approval, making the computer do something the attacker wants

What does malware do?
- Steal personal information
- Steal valuable information
- Corrupt files or the OS
- Click fraud
- Use computers as relays for attacks or other malicious purposes

Malware Classification
- Virus: copies itself and infects without permission
- Worm: self-propagating across networks
- Trojan: destructive program masquerading as a benign application
- Bot and botnet: used for the coordination and operation of an attack
- Spyware: intercepts or takes partial control of the user's interaction
- Backdoor: covert access to a computer
- Downloader: downloads and installs malicious software
- Ransomware/scareware: encrypts the user's valuable data and demands a ransom for its restoration
- Adware: downloads advertising software and displays advertisements without user consent
- Rootkit: subverts control of the OS

What is a Virus?
- "a program that can infect other programs by modifying them to include a, possibly evolved, version of itself" (Fred Cohen, 1983)

Some Virus Types
- Polymorphic: uses a polymorphic engine to mutate while keeping the original algorithm intact (packer)
- Metamorphic: changes after each infection

What is a Trojan?
- "A trojan describes the class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the victim computer" (Wikipedia)

What is a Rootkit?
- "A root kit is a component that uses stealth to maintain a persistent and undetectable presence on the machine" (Symantec)

What is a Worm?
- "A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and does so without any user intervention."

History
- 1981 First reported virus: Elk Cloner (Apple II)
- 1983 The virus is defined
- 1986 First PC virus (MS-DOS)
- 1988 First worm: the Morris worm
- 1990 First polymorphic virus
- 1998 First Java virus
- 1998 Back Orifice
- 1999 Melissa virus
- 1999 Zombie concept
- 1999 Knark rootkit
- 2000 Love Bug
- 2001 Code Red worm
- 2001 Kernel Intrusion System
- 2001 Nimda worm
- 2003 SQL Slammer worm
- 2008-2009 Conficker

(Figure: number of malware signatures over time. Source: Symantec report 2009)

Malware Composition (Panda Q1 2009 report)
- Trojan 74%, spyware 13%, adware 9%, worm 3%, other 1%

What does malware infect?
- Executables
- Interpreted files
- The kernel
- Services

Infection Layouts
(Figures: the targeted executable and the resulting infected host executable for each technique)
- Overwriting malware
- Prepending malware
- Appending malware
- Cavity malware
- Multi-cavity malware

Malware Packers
- Infected host executable = packer + payload
- Compress
- Encrypt
- Randomize (polymorphism)
- Anti-debug techniques (int / fake jmp)
- Add junk
- Virtualization
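The infection layouts above leave measurable traces in the file itself. The following is an added example, not code from the deck: a minimal PE parser that computes where the last section's raw data ends, reports anything appended after it (the overlay an appending infector leaves) and lists the per-section slack that a cavity infector could use. Because a real binary would be too large to embed, build_pe constructs a tiny, non-loadable PE32 image in memory; the section layout, the 0x200 file alignment and the payload bytes are all constructed for the example.

```python
"""Overlay and cavity space in a PE file: where appending and cavity infectors
put their code. Added example, not code from the deck; the PE image is
constructed in memory and is not a loadable program."""
from __future__ import annotations
import struct

E_LFANEW_OFFSET = 0x3C        # DOS header field holding the PE header offset
COFF_HEADER_FMT = "<HHIIIHH"  # Machine .. SizeOfOptionalHeader, Characteristics
SECTION_HEADER_SIZE = 40


def section_table(data: bytes) -> list[dict]:
    """Parse the section headers; raises ValueError if this is not a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, n_sections, _ts, _symptr, _nsyms, opt_size, _chars = \
        struct.unpack_from(COFF_HEADER_FMT, data, pe_off + 4)
    table_off = pe_off + 4 + struct.calcsize(COFF_HEADER_FMT) + opt_size
    sections = []
    for i in range(n_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table_off + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "raw_ptr": raw_ptr})
    return sections


def analyze(data: bytes) -> dict:
    """Bytes appended after the last section (overlay) and per-section slack."""
    secs = section_table(data)
    end = max((s["raw_ptr"] + s["raw_size"] for s in secs), default=0)
    # Cavity: file bytes a section carries beyond what its virtual size uses.
    cavities = {s["name"]: s["raw_size"] - s["virtual_size"]
                for s in secs if s["raw_size"] > s["virtual_size"]}
    return {"end_of_sections": end,
            "overlay_bytes": max(0, len(data) - end),
            "cavities": cavities}


def build_pe(sections: list[tuple[bytes, int, int, bytes]],
             file_align: int = 0x200) -> bytes:
    """Construct a minimal PE32 image from (name, virtual_size, raw_size, content)."""
    opt_size = 224                                    # PE32 optional header
    dos = b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", 64)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), 0, 0, 0,
                       opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic
    hdr_len = len(dos) + 4 + len(coff) + opt_size + SECTION_HEADER_SIZE * len(sections)
    hdr_len = -(-hdr_len // file_align) * file_align        # round up
    table, body, raw_ptr = b"", b"", hdr_len
    for name, vsize, raw_size, content in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += content.ljust(raw_size, b"\0")[:raw_size]
        raw_ptr += raw_size
    return (dos + b"PE\0\0" + coff + opt + table).ljust(hdr_len, b"\0") + body


def demo() -> dict[str, dict]:
    """A clean one-section image and the same image with a payload appended."""
    clean = build_pe([(b".text", 0x1F0, 0x200, b"\x90" * 0x100)])
    infected = clean + b"PAYLOAD:" * 4          # appended "overlay", 32 bytes
    return {"clean": analyze(clean), "appended": analyze(infected)}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

An overlay is not proof of infection (installers and signed binaries carry legitimate overlays), so in practice the check is a triage signal to be combined with the entry point's location and the packer heuristics from the slide above.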

Windows Malware Auto-Start
- Startup folder: C:\Documents and Settings\user_name\Start Menu\Programs\Startup
- Win.ini: run=backdoor or load=backdoor
- System.ini: shell="myexplorer.exe"
- Wininit
- Config.sys
- Associate a known extension (.doc) with the malware
- Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Add a task in the Task Scheduler
- Run as a service

Linux Malware Auto-Start
- init.d
- /etc/rc.local
- .login, .xsession
- crontab (crontab -e, /etc/crontab)

Macro Viruses
- Use the built-in script engine
- Example callbacks used (Word): AutoExec(), AutoClose(), AutoOpen(), AutoNew()
- MS Office, OpenOffice, Acrobat

Rootkit
- "A software system that consists of one or more programs designed to obscure the fact that a system has been compromised" (Source: Wikipedia)
- Techniques: replace vital system executables; install themselves as drivers or kernel modules; conceal running processes from monitoring programs; hide files; hide system data; install backdoors
- Exist on Microsoft Windows, Linux, Unix and Mac OS

Rootkit Types
- Firmware: uses device or platform firmware to create a persistent malware image
- Hypervisor: modifies the boot sequence of the machine to load itself as a hypervisor underneath the original operating system
- Boot loader level: bootkit or Evil Maid attack, "used predominantly against full disk encryption systems"
- Kernel: adds code to and/or replaces portions of the operating system, including both the kernel and associated device drivers
- Library: patches, hooks, or replaces system calls with versions that hide information about the attacker
- Application level: replaces regular application binaries with Trojan fakes, or modifies the behavior of existing applications using hooks, patches, injected code, or other means

Subverting the Kernel
- Kernel tasks: process management, file access, memory management, network management
- Techniques: kernel patch; loadable kernel module; kernel memory patching (/dev/kmem)
- What to hide: processes, files, network traffic
(Figure: kernel rootkit. ps asks the kernel for the process list P1, P2, P3; the rootkit interposes between ps and the kernel and filters the list. Hardware beneath the kernel: HD, keyboard, mouse, NIC, GPU)

Rootkit Detection
- Signature- or heuristics-based antivirus programs
- Shut down the computer suspected of infection, then check its storage by booting from an alternative trusted medium
- Programs available to detect rootkits: Unix: chkrootkit, rkhunter and OSSEC; Windows: avast! antivirus, Sophos Anti-Rootkit, F-Secure BlackLight, and Radix
- Compare the content of binaries present on disk with their copies in operating memory
- Prevention is better than cure

Rootkit Removal
- Direct removal of a rootkit may be impractical: save the data files, reinstall the system
- Prevention is better than cure

Worm
- A worm is self-replicating software designed to spread through the network
- Exploits security flaws in widely used services
- Exploits social engineering to spread: e-mail attachments, drive-by downloads
- Causes enormous damage: DDoS attacks, installing bot networks, accessing sensitive information, causing confusion by corrupting sensitive information

Worm vs Virus vs Trojan Horse
- A virus is code embedded in a file or program
- Viruses and Trojan horses rely on human intervention
- Worms are self-contained and may spread autonomously

Worm Detection and Defense
- Detect via honeyfarms: collections of "honeypots" fed by a network telescope
  - Any outbound connection from the honeyfarm = worm (in theory)
  - Distill a signature from the inbound/outbound traffic
  - If the telescope covers N addresses, expect detection once the worm has infected 1/N of the population
- Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts
- Manual response is slow: minutes to weeks to write a signature, several hours or more for testing

Need for Automation
- Current threats can spread faster than defenses can react
- The manual capture/analyze/signature/rollout model is too slow
(Figure: contagion period versus signature response period, 1990 to 2005. Program viruses, macro viruses, e-mail worms, network worms and flash worms spread on a scale from months and days down to hours, minutes and seconds; pre-automation versus post-automation response. Slide: Carey Nachenberg, Symantec)

Signature Inference
- Challenge: need to automatically learn a content "signature" for each new worm, potentially in less than a second!
- Some proposed solutions: Singh et al., Automated Worm Fingerprinting, OSDI 04; Kim et al., Autograph: Toward Automated, Distributed Worm Signature Detection, USENIX Security 04
- Monitor the network and look for strings common to traffic with worm-like behavior; the signatures can then be used for content filtering (Slide: S. Savage)

Content Sifting
- Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow)
- Two consequences:
  - Content prevalence: W will be more common in traffic than other bitstrings of the same length
  - Address dispersion
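Both the ping-sweep example on the Traffic Anomaly Detection slide and the scan suppressor on the Worm Detection and Defense slide rest on the same measurement: how many distinct hosts one source has touched within a window. The following is an added example, not code from the deck: a fan-out tracker with two rules, an alert once a source has sent ICMP echo requests to PING_SWEEP_HOSTS distinct targets and a block once a source has made FAILED_CONN_HOSTS failed connection attempts to distinct hosts. The thresholds, the window length, the flow-record layout (time, source, destination, protocol, outcome) and the flows themselves are constructed for the example.

```python
"""Fan-out detection: ping-sweep alerting and a worm scan suppressor sharing
one distinct-destination counter. Added example, not code from the deck;
thresholds, record format and the sample flows are constructed."""
from __future__ import annotations
from collections import defaultdict, deque

PING_SWEEP_HOSTS = 5      # distinct echo targets per source before alerting
FAILED_CONN_HOSTS = 3     # distinct failed-connection targets before blocking
WINDOW_SECONDS = 10.0


class FanOutTracker:
    """Distinct destinations per source within a sliding time window."""

    def __init__(self, window: float = WINDOW_SECONDS):
        self.window = window
        self.events: dict[str, deque[tuple[float, str]]] = defaultdict(deque)

    def add(self, t: float, src: str, dst: str) -> int:
        q = self.events[src]
        q.append((t, dst))
        while q and t - q[0][0] > self.window:     # expire old observations
            q.popleft()
        return len({d for _, d in q})


class ScanSuppressor:
    """Applies the two fan-out rules to flow records and remembers blocked sources."""

    def __init__(self):
        self.echo = FanOutTracker()
        self.failed = FanOutTracker()
        self.blocked: set[str] = set()

    def process(self, t: float, src: str, dst: str, proto: str, outcome: str) -> str:
        if src in self.blocked:
            return "drop"                           # already suppressed
        if proto == "icmp" and outcome == "echo":
            if self.echo.add(t, src, dst) >= PING_SWEEP_HOSTS:
                return "alert:ping-sweep"
        elif proto == "tcp" and outcome == "syn_fail":
            # Only failures count: a worm probing random addresses fails often,
            # a client retrying one busy server does not fan out.
            if self.failed.add(t, src, dst) >= FAILED_CONN_HOSTS:
                self.blocked.add(src)
                return "block:scan"
        return "allow"


# Constructed flow records: (time, src, dst, proto, outcome).
SAMPLE_FLOWS = [
    (0.0, "10.1.1.5", "10.1.2.10", "tcp", "syn_ok"),      # normal client traffic
    (0.5, "10.1.1.5", "10.1.2.11", "tcp", "syn_ok"),
    (1.0, "203.0.113.7", "10.1.2.1", "icmp", "echo"),     # external ping sweep
    (1.1, "203.0.113.7", "10.1.2.2", "icmp", "echo"),
    (1.2, "203.0.113.7", "10.1.2.3", "icmp", "echo"),
    (1.3, "203.0.113.7", "10.1.2.4", "icmp", "echo"),
    (1.4, "203.0.113.7", "10.1.2.5", "icmp", "echo"),
    (2.0, "10.1.1.9", "10.1.3.1", "tcp", "syn_fail"),     # infected host scanning
    (2.1, "10.1.1.9", "10.1.3.2", "tcp", "syn_fail"),
    (2.2, "10.1.1.9", "10.1.3.3", "tcp", "syn_fail"),
    (2.3, "10.1.1.9", "10.1.3.4", "tcp", "syn_ok"),       # dropped: source blocked
    (3.0, "10.1.1.5", "10.1.2.10", "tcp", "syn_fail"),    # retries to one busy server
    (3.1, "10.1.1.5", "10.1.2.10", "tcp", "syn_fail"),
    (3.2, "10.1.1.5", "10.1.2.10", "tcp", "syn_fail"),
]


def run(flows=SAMPLE_FLOWS) -> list[str]:
    """Verdict for every flow record in order."""
    suppressor = ScanSuppressor()
    return [suppressor.process(*flow) for flow in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run()):
        print(f"{flow[0]:4.1f} {flow[1]:>13s} -> {flow[2]:<10s} {verdict}")
```

Counting distinct destinations rather than packets is what keeps the retrying client at the end of the sample out of the block list; a real suppressor also ages blocked entries out and whitelists scanners it owns, neither of which the deck covers.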
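The following is an added example, not code from the deck or from the Earlybird authors, of the content-sifting idea on the last slide: every k-byte substring of each payload is counted (content prevalence) and tagged with the distinct sources and destinations it was seen between (address dispersion); substrings that pass both thresholds are merged into a candidate signature. The substring length, the thresholds and the traffic sample are constructed: a worm-like payload travels between five address pairs with varying padding and at varying offsets, a popular page is fetched by many clients from one server, and one host pushes the same file to several peers.

```python
"""Content sifting: content prevalence plus address dispersion. Added example,
not code from the deck or the Earlybird authors; traffic and thresholds are
constructed for illustration."""
from __future__ import annotations
from collections import defaultdict

SUBSTRING_LEN = 16        # length k of the invariant bitstring W we look for
PREVALENCE = 3            # minimum packets carrying a substring
DISPERSION = 3            # minimum distinct sources and distinct destinations


class ContentSifter:
    def __init__(self, k: int = SUBSTRING_LEN):
        self.k = k
        self.count: dict[bytes, int] = defaultdict(int)
        self.srcs: dict[bytes, set[str]] = defaultdict(set)
        self.dsts: dict[bytes, set[str]] = defaultdict(set)

    def observe(self, src: str, dst: str, payload: bytes) -> None:
        """Account every k-byte window of one payload, once per packet."""
        seen = set()
        for i in range(len(payload) - self.k + 1):
            w = payload[i:i + self.k]
            if w in seen:
                continue
            seen.add(w)
            self.count[w] += 1
            self.srcs[w].add(src)
            self.dsts[w].add(dst)

    def candidates(self, prevalence: int = PREVALENCE,
                   dispersion: int = DISPERSION) -> list[bytes]:
        """Substrings that are both prevalent and address-dispersed."""
        return sorted(w for w, n in self.count.items()
                      if n >= prevalence
                      and len(self.srcs[w]) >= dispersion
                      and len(self.dsts[w]) >= dispersion)


def merge_windows(windows: list[bytes]) -> list[bytes]:
    """Join k-byte windows that overlap by k-1 bytes into maximal signatures."""
    remaining = set(windows)
    out = []
    while remaining:
        sig = remaining.pop()
        grown = True
        while grown:
            grown = False
            for w in list(remaining):
                if w[:-1] == sig[-(len(w) - 1):]:      # w continues sig to the right
                    sig += w[-1:]
                    remaining.remove(w)
                    grown = True
                elif w[1:] == sig[:len(w) - 1]:        # w precedes sig on the left
                    sig = w[:1] + sig
                    remaining.remove(w)
                    grown = True
        out.append(sig)
    return sorted(out)


# Constructed traffic: (src, dst, payload).
WORM = b"WORM-INVARIANT-HEADER-0xDEADBEEF"   # the invariant W; padding varies
PAGE = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
FILE = b"BLOCK-0001: the same configuration file pushed to every peer"
SAMPLE_TRAFFIC = [
    ("198.51.100.1", "10.0.0.11", WORM + b"1111"),
    ("198.51.100.2", "10.0.0.12", WORM + b"2222"),
    ("198.51.100.3", "10.0.0.13", b"junk" + WORM + b"3333"),   # different offset
    ("198.51.100.4", "10.0.0.14", WORM + b"4444"),
    ("198.51.100.5", "10.0.0.15", WORM + b"5555"),
    # popular page: prevalent, many sources, but a single destination
    ("10.0.1.1", "10.0.0.80", PAGE), ("10.0.1.2", "10.0.0.80", PAGE),
    ("10.0.1.3", "10.0.0.80", PAGE), ("10.0.1.4", "10.0.0.80", PAGE),
    # one host pushing a file: many destinations, but a single source
    ("10.0.2.9", "10.0.3.1", FILE), ("10.0.2.9", "10.0.3.2", FILE),
    ("10.0.2.9", "10.0.3.3", FILE),
]


def demo() -> list[bytes]:
    """Sift the constructed traffic and return the merged candidate signatures."""
    sifter = ContentSifter()
    for src, dst, payload in SAMPLE_TRAFFIC:
        sifter.observe(src, dst, payload)
    return merge_windows(sifter.candidates())


if __name__ == "__main__":
    for sig in demo():
        print(sig)
```

Only the worm's invariant survives: the popular page is prevalent but lands on one destination, and the file push leaves one source, which is exactly why the slide needs both consequences rather than prevalence alone. Earlybird, the Singh et al. system cited on the Signature Inference slide, makes this affordable at line rate by hashing windows incrementally with Rabin fingerprints and keeping sampled, multistage counters instead of these dictionaries.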
