Computer Network Attack and Defense Techniques: Lesson 8

Uploader: 夏** Document ID: 568926261 Uploaded: 2024-07-27 Format: PPT Pages: 70 Size: 7.14MB

Slide 1: Computer Network Attack and Defense Techniques, Lesson 8

Slide 2: Outline
- Deep Packet Inspection
  - What is Deep Packet Inspection (DPI)?
  - Why is DPI important?
- Intrusion Detection System Design
- Malware and Host Security

Slide 3: What is DPI?
- Any non-endpoint network equipment that uses fields beyond layer-3 information
- Inspects and takes action when packets pass the device
  - Inspect: protocol compliance, policy compliance, viruses, worms, spam or other malware, intrusions, statistics
  - Act: enforce policy, take action on packets, log
- Provides security, data mining, eavesdropping, censorship
- Widely used by enterprises, service providers and governments; a wide range of applications

Slide 4: IPS, the Second Shield of Security

Slide 5: Firewall Alone Is Not Enough
- The firewall is the first level of defense, but it cannot look into applications
- IPS is the key to keeping up with new security threats
- (Figure: lifecycle of vulnerabilities and threats. Timeline: vulnerability discovered, advisory issued, worm released, exploits released; the interval between them is getting shorter)

Slide 6: Benefits of Network IPS
- Attacks are dropped from the network
- Benefits:
  - Attacks never reach their victim, eliminating the impact on the network
  - No need to waste time investigating the attack
  - Works for all traffic (IP, TCP, UDP, etc.)
  - Drops only the offending traffic
- An active, in-line system detects an attack and drops the malicious traffic during the detection process
- (Figure: users, servers, mail server, web server and firewall; HTTP traffic carrying Code Red)

Slide 7: The IPS Market is Growing
- (Chart: worldwide market forecast, revenue in US$ billions)
- Sources: Infonetics 3Q08 Network Security Appliances Market Report; Infonetics Research, Network Security Appliances and Software Quarterly Worldwide Market Share and Forecasts 2Q09

Slide 8: Market Share
- (Chart: 2008 worldwide network-based inline IDS/IPS)
- No significant presence of Chinese companies
- Source: Infonetics 2008 Network Security Appliance Market Share Report

Slide 9: Typical IPS Deployments
- Deployment types shown: large enterprise / service providers; regional offices; small/mid-size companies; mid-size companies
- Device roles shown: integrated FW/IPS, IPS, FW/IPS, IPS, IPS

Slide 10: IPS Product Examples - Remote Office
  Vendor              | Juniper       | TippingPoint (3Com) | McAfee  | IBM/ISS       | Cisco
  Model               | IDP250        | TP200               | I-1400  | GX4004        | IPS4240
  Throughput (mbps)   | 350           | 200                 | 200     | 200           | 250
  Concurrent sessions | 70,000        | 2,000,000           | 80,000  | 1,200,000     | 500,000
  Ports               | 8x10/100/1000 | 4x10/100/100        | 4x100   | 4x10/100/1000 | 4x10/100/1000TX
  Integrated bypass   | Yes           | No                  | Yes     | Yes           | No
  Price               | $19,000       | $25,000             | $15,000 | $16,000       | $12,000

Slide 11: IPS Product Examples - Core
  Vendor              | Juniper                                       | TippingPoint (3Com)               | McAfee         | IBM/ISS                  | Sourcefire
  Model               | IDP8200                                       | TP5500G+IPS                       | M-8000         | GX6116                   | 3D9800
  Throughput          | 10Gbps                                        | 10Gbps                            | 10Gbps         | 15Gbps (6Gbps inspected) | 10Gbps
  Concurrent sessions | 5,000,000; 4,000,000; 4,600,000; 1,000,000 (only four values are given on the slide)
  Ports               | Up to 8x10GE or up to 16xGE (or a mix thereof) | Dependent on deployed IPS devices | 16xGE, 12x10GE | 16xSFP (1,000TX/SX/LX)   | 4x10GE (fiber)
  Integrated bypass   | Yes                                           | No                                | No             | No                       | Yes
  Price               | $70,000+                                      | $60K+IPS                          | $230K          | $189,000                 | $240K

Slide 12: IDP Technology Overview

Slide 13: IPS System
- Sensor
  - Enforcement point
  - Device management (interfaces, configuration, modes)
  - Various detection mechanisms for inspecting packets/streams
- Management server
  - Centralized policies and logs
  - Unified view of all sensors
- UI
  - Policy management, log viewing
  - Event correlation and forensic analysis

Slide 14: Thwart Attacks at Every Turn
- Multiple methods of detection: traffic anomaly detection, network honeypot, protocol anomaly detection, stateful signatures, SYN flood protector, backdoor detection, IP spoof detection, layer-2 attack detection
- Malicious activities covered: reconnaissance, attack, proliferation

Slide 15: IPS Sensor Architectures
- Packet engine: packet I/O, packet defragmentation, flow and session management
- The detector analyzes and decodes applications
- The policy contains the signatures and rules used to detect attacks
- Both policy and detector can be dynamically loadable
- Log for forensic analysis
- (Figure: network interface, packet engine, detector, policy, log, management, action)

Slide 16: IPS Architecture
- (Figure: processing pipeline of network interface, IP fragment reassembly, flow lookup/reconstruction, TCP reassembly, line-breaking, application (HTTP) parsing, attack matching against signatures, event correlation, actions, logs + packets)

Slide 17: Denial-of-Service Protection
- (Figure: the IPS sits in front of the protected network)
- SYN-to-death protection: TCP proxy; ICMP flood; UDP flood; IP spoofing; per-session limiting; SYN fragments
- Malformed packet protection: SYN and FIN bits set; no flags in TCP; FIN with no ACK; ICMP fragment; large ICMP

Slide 18: Protocol Anomaly Detection
- Protocols are well-defined: there is an accurate description of "normal" usage
- IPS appliances can detect "abuse" or abnormal usage
- Enables zero-day protection/coverage: secured against vulnerabilities not yet exploited
- Example: the wide range of buffer overrun attacks
  - They exploit the lack of range checking in applications
  - Sending exorbitantly long data for a particular field can crash the system and execute malicious code

Slide 19: Stateful Signatures
- Look for a specific pattern in traffic
- Analyze in context, based on the type of traffic
  - Avoid blindly scanning all traffic
  - Improve efficiency
  - Reduce false positives
- Example: the Code Red worm
  - It uses the GET request of the HTTP protocol for the attack
  - Apply pattern matching only to the relevant subset of HTTP traffic

Slide 20: Traffic Anomaly Detection
- Identify abnormal usage patterns: no protocol anomalies or attack patterns, but unusual traffic usage/volume
- Example: ping sweep
  - Reconnaissance: scanning networks to identify resources for a possible attack
  - A ping sweep from an external/suspicious source should alert the administrator

Slide 21: Backdoor Detection / Trojan
- Well-known concept of the Trojan horse
- The challenge is identifying the attack once the first line of defense is compromised
- Analyze interactive traffic
- Example: traffic originating from a web server
  - Web servers usually respond to requests, they do not initiate them
  - A sign of an infected server/node

Slide 22: IPS Policy
  idp-policy test {
      rulebase-ips {
          rule 1 {
              match {
                  from-zone trust;
                  source-address 10.158.131.00/24;
                  to-zone untrust;
                  destination-address 17.158.121.00/24;
                  application http;
                  attacks {
                      custom-attacks http-url-idx-test;
                      predefined-attacks [ HTTP:OVERFLOW:PI3WEB-SLASH-OF HTTP:CISCO:IOS-ADMIN-ACCESS ];
                  }
              }
              then {
                  action {
                      close-client;
                  }
                  ip-action {
                      ip-block;
                      log;
                  }
                  notification {
                      log-attacks;
                  }
              }
          }
      }
  }

Slide 23: Rulebase Actions
- Rulebases: IPS, Abnormal, Backdoor, Shell code, Firewall
- Actions: close-client, close-client-and-server, close-server, drop-connection, drop-packet, ignore-connection, mark-diffserv, no-action, recommended (the action recommended by the attack object)
- IP action applies to future traffic

Slide 24: Attack Signatures
- Attack: wget http://13.0.1.1/index123.html, matched by the custom attack object http-url-idx-test_new:
  (http-url-idx-test_new
    :supercedes (: (http-url-idx-test))
    :type (signature)
    :severity (5)
    :members (: (:type (signature
      :signature (
        :context (http-url)
        :pattern (.*index123.*)
        :hidden (false)
        :negate (false)
        :flow (control)
        :direction (CTS)))))
    :service (appservice :appservice (http)))
- Attack: wget http://13.0.1.1/level/18/exec/-/pwd, matched by the predefined attack object HTTP:CISCO:IOS-ADMIN-ACCESS:
  (HTTP:CISCO:IOS-ADMIN-ACCESS
    :type (signature)
    :attack-id (1644)
    :severity (5)
    :time-binding (disabled)
    :members (: (:type (signature
      :signature (
        :context (http-url-parsed-param)
        :pattern (/level/(1[5-9]|[2-9][0-9])/exec/.*)
        :hidden (false)
        :negate (false)
        :flow (control)
        :direction (CTS)))))
    :service (appservice :appservice (http)))

Slide 25: IPS Weaknesses
- False positives; false negatives; expense; volume/speed; lockups; spoofed IP addresses; DoS

Slide 26: IPS Evasion Techniques
- Malware variants; fragmentation attacks; obfuscation and encoding; encrypted traffic; prolonged attacks; false-positive attacks

Slide 27: IPS Success Factors
- Fast packet processing: high throughput; low delay and delay jitter
- Accurate policy: fewer false positives; fewer false negatives; timely updates; application identification
- Self-defense
- High availability
- Multiple protection mechanisms

Slide 28: Other DPI Devices
- Unified Threat Management (UTM)
- Access control and auditing systems

Slide 29: Malware

Slide 30: What is malware?
- Malware is a set of instructions run on a computer without the owner's approval
- It makes the computer do something that an attacker wants

Slide 31: What does malware do?
- Steals personal information; steals valuable information; corrupts files or the OS; click fraud; uses computers as relays for attacks or other malicious purposes

Slide 32: Malware Classification
- Virus: copies and infects without permission
- Worm: self-propagating across networks
- Trojan: destructive program masquerading as a benign application
- Bot and botnet: used for the coordination and operation of an attack
- Spyware: intercepts or takes partial control over the user's interaction
- Backdoor: covert access to a computer
- Downloader: downloads/installs malicious software
- Ransomware/scareware: encrypts the user's valuable data and demands a ransom for its restoration
- Adware: downloads advertising software and displays advertisements without user consent
- Rootkit: subverts control of the OS

Slide 33: What is a Virus?
- "A program that can infect other programs by modifying them to include a, possibly evolved, version of itself" (Fred Cohen, 1983)

Slide 34: Some Virus Types
- Polymorphic: uses a polymorphic engine to mutate while keeping the original algorithm intact (packer)
- Metamorphic: changes after each infection

Slide 35: What is a Trojan?
- "A trojan describes the class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the victim computer" (Wikipedia)

Slide 36: What is a Rootkit?
- "A root kit is a component that uses stealth to maintain a persistent and undetectable presence on the machine" (Symantec)

Slide 37: What is a Worm?
- A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes, and does so without any user intervention.

Slide 38: History
- 1981: first reported virus, Elk Cloner (Apple II)
- 1983: the virus gets defined
- 1986: first PC virus (MS-DOS)
- 1988: first worm, the Morris worm
- 1990: first polymorphic virus
- 1998: first Java virus
- 1998: Back Orifice
- 1999: Melissa virus
- 1999: zombie concept
- 1999: Knark rootkit
- 2000: Love Bug
- 2001: Code Red worm
- 2001: Kernel Intrusion System
- 2001: Nimda worm
- 2003: SQL Slammer worm
- 2008-2009: Conficker

Slide 39: Number of Malware Signatures
- (Chart; Symantec report, 2009)

Slide 40: Malware Composition
- Trojan: 74%, adware: 9%, spyware: 13%, worm: 3%, other: 1% (Panda Q1 report, 2009)

Slide 41: What Does Malware Infect?
- Executables; interpreted files; the kernel; services

Slide 42: Overwriting Malware
- (Figure: targeted executable, malware)

Slide 43: Prepending Malware
- (Figure: targeted executable, malware, infected host executable)

Slide 44: Appending Malware
- (Figure: targeted executable, malware, infected host executable)

Slide 45: Cavity Malware
- (Figure: targeted executable, infected host executable, malware)

Slide 46: Multi-Cavity Malware
- (Figure: targeted executable, malware in several cavities)

Slide 47: Malware Packers
- (Figure: malware, packer, payload, infected host executable)
- Compress; encrypt; randomize (polymorphism); anti-debug techniques (int / fake jmp); add junk; virtualization

Slide 48: Windows Malware Auto-Start
- Folder auto-start: C:\Documents and Settings\user_name\Start Menu\Programs\Startup
- Win.ini: run=backdoor or load=backdoor
- System.ini: shell="myexplorer.exe"
- Wininit
- Config.sys
- Assign a known extension (.doc) to the malware
- Add a registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Add a task in the task scheduler
- Run as a service

Slide 49: Linux Malware Auto-Start
- init.d
- /etc/rc.local
- .login
- .xsession
- crontab (crontab -e, /etc/crontab)

Slide 50: Macro Virus
- Uses the built-in script engine
- Example callbacks used (Word): AutoExec(), AutoClose(), AutoOpen(), AutoNew()
- MS Office, OpenOffice, Acrobat

Slide 51: Rootkit
- "A software system that consists of one or more programs designed to obscure the fact that a system has been compromised" (source: Wikipedia)
- Techniques: replace vital system executables; install themselves as drivers or kernel modules, concealing running processes from monitoring programs and hiding files; hide system data; install a backdoor
- Exists on Microsoft Windows, Linux, Unix and Mac OS

Slide 52: Rootkit Types
- Firmware: uses device or platform firmware to create a persistent malware image
- Hypervisor: modifies the boot sequence of the machine to load itself as a hypervisor underneath the original operating system
- Boot loader level: bootkit or Evil Maid attack, "used predominantly against full disk encryption systems"
- Kernel: adds code to and/or replaces portions of the operating system, including both the kernel and the associated device drivers
- Library: patches, hooks or replaces system calls with versions that hide information about the attacker
- Application level: replaces regular application binaries with Trojan fakes, or modifies the behavior of existing applications using hooks, patches, injected code or other means

Slide 53: Subverting the Kernel
- Kernel tasks: process management, file access, memory management, network management
- Techniques: kernel patch; loadable kernel module; kernel memory patching (/dev/kmem)
- What to hide: processes, files, network traffic

Slide 54: Kernel Rootkit
- (Figure: ps, kernel and rootkit; hardware: HD, keyboard, mouse, NIC, GPU; processes P1, P2, P3)

Slide 55: Rootkit Detection
- Signature- or heuristics-based antivirus programs
- Shut down the computer suspected of infection, then check its storage by booting from an alternative trusted medium
- Programs available to detect rootkits: Unix: chkrootkit, rkhunter and OSSEC; Windows: avast! antivirus, Sophos Anti-Rootkit, F-Secure BlackLight and Radix
- Compare the content of the binaries present on disk with their copies in operating memory
- Prevention is better than cure

Slide 56: Rootkit Removal
- Direct removal of a rootkit may be impractical
- Save the data files, reinstall the system
- Prevention is better than cure

Slide 57: Worm
- A worm is self-replicating software designed to spread through the network
  - Exploits security flaws in widely used services
  - Exploits social engineering to spread: email attachments, drive-by downloads
  - Causes enormous damage: DDoS attacks, installing bot networks, accessing sensitive information, causing confusion by corrupting sensitive information
- Worm vs. virus vs. Trojan horse
  - A virus is code embedded in a file or program
  - Viruses and Trojan horses rely on human intervention
  - Worms are self-contained and may spread autonomously

Slide 58: Worm Detection and Defense
- Detect via honeyfarms: collections of "honeypots" fed by a network telescope
  - Any outbound connection from the honeyfarm = worm
  - In theory: distill a signature from the inbound/outbound traffic
  - If the telescope covers N addresses, expect detection once the worm has infected 1/N of the population
- Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts
- It takes minutes to weeks to write a signature, and several hours or more for testing

Slide 59: Need for Automation (slide: Carey Nachenberg, Symantec)
- (Chart: contagion period versus signature response period, on a months/days/hrs/mins/secs scale, for program viruses, macro viruses, e-mail worms, network worms and flash worms; pre-automation and post-automation; timeline 1990 to 2005)
- Current threats can spread faster than defenses can react
- The manual capture/analyze/signature/rollout model is too slow

Slide 60: Signature Inference
- Challenge: we need to automatically learn a content "signature" for each new worm, potentially in less than a second!
- Some proposed solutions:
  - Singh et al., Automated Worm Fingerprinting, OSDI 04
  - Kim et al., Autograph: Toward Automated, Distributed Worm Signature Detection, USENIX Security 04

Slide 61: Signature Inference (slide: S. Savage)
- Monitor the network and look for strings common to traffic with worm-like behavior
- The signatures can then be used for content filtering

Slide 62: Content Sifting (slide: S. Savage)
- Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow)
- Two consequences:
  - Content prevalence: W will be more common in traffic than other bitstrings of the same length
  - Address dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinations
- Content sifting: find Ws with high content prevalence and high address dispersion, and drop that traffic

Slide 63: Observation: High-Prevalence Strings Are Rare (Stefan Savage, UCSD)
- Only 0.6% of the 40-byte substrings repeat more than 3 times in a minute

Slides 64-68: The Basic Algorithm (Stefan Savage, UCSD)
- (Figures: a detector in the network between hosts A, B, C, D and E keeps a prevalence table and an address dispersion table with a sources column and a destinations column)
- Slide 64: both tables are empty
- Slide 65: one string seen once: 1 source (B), 1 destination (A); prevalence 1
- Slide 66: a second string seen once: 1 source (A), 1 destination (C); the first string is unchanged; prevalences 1 and 1
- Slide 67: the first string now has 2 sources (B, D) and 2 destinations (A, B); prevalences 1 and 2
- Slide 68: the first string now has 3 sources (B, D, E) and 3 destinations (A, B, D); prevalences 1 and 3

Slide 69: Challenges (Stefan Savage, UCSD)
- Computation
  - To support a 1Gbps line rate we have 12us to process each packet; at 10Gbps 1.2us; at 40Gbps correspondingly less
    - Dominated by memory references; state is expensive
  - Content sifting requires looking at every byte in a packet
- State
  - On a fully loaded 1Gbps link a naive implementation can easily consume 100MB/sec for the table
  - Computation/memory duality: in a high-speed (ASIC) implementation, latency requirements may limit state to on-chip SRAM

Slide 70: Conclusions
- Security is becoming a bigger problem in the cyber world
- Network security is a field with great potential: business and research
- Thank you!
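An added worked example, not from the slides and not Juniper's code: the two attack objects of slide 24 applied the way the stateful-signature slide (19) describes, that is, only to client-to-server HTTP requests and only in the context each object names. The meaning given to the two contexts and the sample requests are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed example, not Juniper's code. Assumption: "http-url" is the raw
# request-target of the request line and "http-url-parsed-param" is the
# percent-decoded path without the query string. Both signatures carry
# :direction (CTS), so only client-to-server traffic is inspected.
SIGNATURES = [
    {"name": "http-url-idx-test_new", "context": "http-url",
     "pattern": re.compile(r".*index123.*")},
    {"name": "HTTP:CISCO:IOS-ADMIN-ACCESS", "context": "http-url-parsed-param",
     "pattern": re.compile(r"/level/(1[5-9]|[2-9][0-9])/exec/.*")},
]

REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/1\.[01]\r\n")


def extract_contexts(payload):
    """Map context name -> value for one HTTP request; empty if not a request."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return {}                      # not an HTTP request: nothing to match
    url = m.group(1).decode("latin-1")
    path = url.split("?", 1)[0]
    return {"http-url": url, "http-url-parsed-param": unquote(path)}


def match_attacks(payload, direction="CTS"):
    """Names of the attack objects whose pattern hits in its context."""
    if direction != "CTS":
        return []                      # signatures are bound to client->server
    ctx = extract_contexts(payload)
    return [s["name"] for s in SIGNATURES
            if s["context"] in ctx and s["pattern"].search(ctx[s["context"]])]


# Constructed requests: the two wget attacks from slide 24, a percent-encoded
# form of the second (caught only because the decoded context is used, which
# is the "obfuscation and encoding" evasion of slide 26), and a benign request.
SAMPLES = {
    "index":   b"GET /index123.html HTTP/1.0\r\nHost: 13.0.1.1\r\n\r\n",
    "ios":     b"GET /level/18/exec/-/pwd HTTP/1.0\r\nHost: 13.0.1.1\r\n\r\n",
    "encoded": b"GET /level/%31%38/exec/-/pwd HTTP/1.0\r\nHost: 13.0.1.1\r\n\r\n",
    "benign":  b"GET /index.html HTTP/1.1\r\nHost: 13.0.1.1\r\n\r\n",
}
```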
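An added example, not from the slides: the scan suppressor of slide 58 (block a host once it has made failed connection attempts to too many distinct hosts) together with the ping-sweep alert of slide 20, which uses the same per-source bookkeeping. The thresholds and the attempt log are assumptions made for this example.

```python
from collections import defaultdict

# Constructed example, not from the slides. Thresholds are assumptions.
FAILED_HOST_THRESHOLD = 3   # distinct hosts with a failed attempt -> block source
SWEEP_THRESHOLD = 4         # distinct hosts sent an ICMP echo -> ping-sweep alert


class ScanSuppressor:
    def __init__(self):
        self.failed_hosts = defaultdict(set)   # src -> {dst} with a failed attempt
        self.echo_targets = defaultdict(set)   # src -> {dst} sent an ICMP echo
        self.blocked = set()
        self.alerts = []

    def observe(self, src, dst, proto, outcome):
        """Handle one attempt (outcome 'ok', 'refused' or 'timeout');
        return True if it is forwarded, False if it is dropped."""
        if src in self.blocked:
            return False
        if proto == "icmp-echo":
            self.echo_targets[src].add(dst)
            if len(self.echo_targets[src]) == SWEEP_THRESHOLD:
                self.alerts.append(("ping-sweep", src))
        elif outcome != "ok":
            # Only failures count: a worm probing for a service keeps hitting
            # hosts that refuse or never answer; a normal client rarely does.
            self.failed_hosts[src].add(dst)
            if len(self.failed_hosts[src]) >= FAILED_HOST_THRESHOLD:
                self.blocked.add(src)
                self.alerts.append(("scan-blocked", src))
                return False
        return True


# Constructed log of (src, dst, proto, outcome): 10.0.0.5 probes tcp/445 on one
# host after another and fails each time; 10.0.0.7 is a normal client with one
# failure; 198.51.100.9 sends ICMP echo requests to five hosts in turn.
ATTEMPTS = [
    ("10.0.0.7", "10.0.0.20", "tcp/80", "ok"),
    ("10.0.0.5", "10.0.0.11", "tcp/445", "refused"),
    ("10.0.0.5", "10.0.0.12", "tcp/445", "timeout"),
    ("10.0.0.7", "10.0.0.21", "tcp/443", "refused"),
    ("10.0.0.5", "10.0.0.13", "tcp/445", "refused"),   # third distinct host: blocked
    ("10.0.0.5", "10.0.0.14", "tcp/445", "timeout"),   # dropped, source is blocked
] + [("198.51.100.9", f"10.0.0.{i}", "icmp-echo", "ok") for i in range(1, 6)]


def run(attempts=ATTEMPTS):
    """Replay the log; return the suppressor and how many attempts were forwarded."""
    s = ScanSuppressor()
    forwarded = sum(s.observe(*a) for a in attempts)
    return s, forwarded
```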
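An added worked example, not from the slides: the content-sifting detector of slides 62 to 68, replayed over the packet sequence those slides step through (B to A, A to C, D to B, E to D). The thresholds, host names, payloads and the invariant W are assumptions made for this example; a real sensor would sample Rabin fingerprints rather than keep raw substrings.

```python
from collections import defaultdict

# Constructed example, not from the slides. Every 40-byte substring of a
# payload is counted once per packet (content prevalence); per substring the
# distinct sources and destinations are tracked (address dispersion); a
# substring over both thresholds is reported as a candidate signature.
SUBSTRING_LEN = 40        # the 40-byte substrings measured on slide 63
PREVALENCE_THRESHOLD = 3  # assumption
DISPERSION_THRESHOLD = 3  # assumption: distinct sources and distinct destinations


class ContentSifter:
    def __init__(self):
        self.prevalence = defaultdict(int)    # substring -> packets seen in
        self.sources = defaultdict(set)       # substring -> {src}
        self.destinations = defaultdict(set)  # substring -> {dst}

    def process(self, src, dst, payload):
        """Update the tables for one packet; return substrings that now qualify."""
        hits = []
        windows = {payload[i:i + SUBSTRING_LEN]
                   for i in range(len(payload) - SUBSTRING_LEN + 1)}
        for w in windows:
            self.prevalence[w] += 1
            self.sources[w].add(src)
            self.destinations[w].add(dst)
            if (self.prevalence[w] >= PREVALENCE_THRESHOLD
                    and len(self.sources[w]) >= DISPERSION_THRESHOLD
                    and len(self.destinations[w]) >= DISPERSION_THRESHOLD):
                hits.append(w)
        return hits


# Constructed invariant W (exactly 40 bytes) standing in for a worm's payload.
W = b"CONSTRUCTED-WORM-INVARIANT-SUBSTRING-40B"
# Packets in the order of slides 65-68. Each worm packet pads W with bytes that
# differ per packet, so W is the only 40-byte substring that repeats.
PACKETS = [
    ("B", "A", b"1111" + W + b"1111"),
    ("A", "C", b"GET /index.html HTTP/1.0\r\nHost: c.example\r\n\r\n"),
    ("D", "B", b"2222" + W + b"2222"),
    ("E", "D", b"3333" + W + b"3333"),
]


def run(packets=PACKETS):
    """Replay the packets; return (sifter, signatures in order of discovery)."""
    sifter, signatures = ContentSifter(), []
    for src, dst, payload in packets:
        signatures += [w for w in sifter.process(src, dst, payload) if w not in signatures]
    return sifter, signatures
```

After the fourth packet the tables hold exactly the values of slide 68: W has prevalence 3, sources {B, D, E} and destinations {A, B, D}, while every other substring has prevalence 1.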
