Intrusion Detection Systems FAQ

Updated: Feb 01, 2005
What is a honeypot? 

While not strictly sniffer-based intrusion detection systems, honeypots still process network protocols in much the same way, so I've added this section to the FAQ.
Deception systems (also known as decoys, lures, fly-traps or honeypots) contain pseudo-services that emulate well-known holes in order to trap hackers. See The Deception ToolKit http://www.all.net/dtk/ for an example. Simpler tricks also work, such as renaming the "administrator" account on NT and then setting up a dummy account of that name with no rights and extensive auditing turned on. There is more on "deception" later in this document. Also see http://www.enteract.com/~lspitz/honeypot.html
A honeypot is a system designed to look like something that an intruder can hack. Examples can be:

  • Installing a machine on the network with no particular purpose other than to log all attempted access.
  • Installing an older unpatched operating system on a machine. For example, the default installation of WinNT 4 with IIS 4 can be hacked using several different techniques. A standard intrusion detection system can then be used to log hacks directed against the machine, and further track what the intruder attempts to do with the system once it is compromised.
  • Installing special software designed for this purpose. It has the advantage of making the intruder appear to succeed without really allowing them access.
  • Any existing system can be "honeypot-ized". For example, on WinNT, it is possible to rename the default "administrator" account, then create a dummy account called "administrator" with no password. WinNT allows extensive logging of a person's activities, so this honeypot will track users attempting to gain administrator access and exploit that access.
What are the limitations of a network based IDS? 

A network based Intrusion Detection system has two big limitations:

  • Switched networks - A network based IDS must be able to see all traffic on the network it is protecting. If the network uses a switch (most do nowadays), a sniffer will not see all of the traffic. In practice this means you deploy a network based IDS at the gateway only, i.e. on your Internet connection, which does not protect you from internal attacks.
  • High speed - Modern networks are so fast that an Intrusion Detection system has a hard time keeping up.

Why do I need IDS if I already have a firewall? 

A common misunderstanding is that firewalls recognize attacks and block them. This is not true.
A firewall is simply a device that shuts off everything, and then turns back on only a few well-chosen items. In a perfect world, systems would already be "locked down" and secure, and firewalls would be unneeded. The reason we have firewalls is precisely because security holes are left open accidentally.
Thus, the first thing a newly installed firewall does is stop ALL communication. The firewall administrator then carefully adds "rules" that allow specific types of traffic through. For example, a typical corporate firewall allowing access to the Internet would stop all UDP and ICMP datagram traffic, stop incoming TCP connections, but allow outgoing TCP connections. This stops all incoming connections from Internet hackers, but still allows internal users to connect in the outgoing direction.
A firewall is simply a fence around your network, with a couple of well-chosen gates. A fence has no capability of detecting somebody trying to break in (such as digging a hole underneath it), nor does a fence know whether somebody coming through the gate is allowed in. It simply restricts access to the designated points.
In summary, a firewall is not the dynamic defensive system that users imagine it to be. In contrast, an IDS is much more of that dynamic system. An IDS does recognize attacks against the network that firewalls are unable to see.
For example, in April of 1999, many sites were hacked via a bug in ColdFusion. These sites all had firewalls that restricted access only to the web server at port 80. However, it was the web server that was hacked. Thus, the firewall provided no defense. On the other hand, an intrusion detection system would have discovered the attack, because it matched the signature configured in the system.
Another problem with firewalls is that they are only at the boundary to your network. Roughly 80% of all financial losses due to hacking come from inside the network. A firewall at the perimeter of the network sees nothing going on inside; it only sees that traffic which passes between the internal network and the Internet.
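To make the "fence with a few gates" concrete, here is an added example, written for this page and not taken from the FAQ or any firewall product: a toy default-deny packet filter that applies the policy just described (drop UDP/ICMP, drop unsolicited inbound TCP, allow outbound TCP and its replies) plus one explicitly opened gate for a web server. All addresses, ports and the request payload are constructed, and the rule logic is a simplified model rather than any real firewall's syntax.

```python
"""Added example (not from the FAQ): a toy default-deny packet filter that models
the firewall policy described above. Addresses, ports and the payload are
constructed; this is not any real firewall's rule syntax."""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."          # constructed internal network


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool     # True when arriving from the Internet side
    payload: bytes = b""


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class Firewall:
    """Everything is dropped unless a rule turns it back on."""

    def __init__(self, allow_inbound=()):
        # (server_ip, port) pairs the administrator chose to open, e.g. the web server
        self.allow_inbound = set(allow_inbound)
        # outbound TCP connections seen so far, so their replies can come back
        self.established = set()

    def decide(self, p: Packet) -> str:
        if p.proto != "tcp":
            return "DROP"                     # policy: no UDP or ICMP in either direction
        if not p.inbound:
            if is_internal(p.src):
                self.established.add((p.src, p.sport, p.dst, p.dport))
                return "ACCEPT"               # internal users may connect outwards
            return "DROP"                     # nothing leaves with a non-internal source
        if (p.dst, p.dport, p.src, p.sport) in self.established:
            return "ACCEPT"                   # reply to a connection we opened
        if (p.dst, p.dport) in self.allow_inbound:
            return "ACCEPT"                   # an explicitly opened gate
        return "DROP"                         # unsolicited inbound connection attempt


def run_demo():
    """Apply the policy to a constructed packet sequence; returns the decisions."""
    fw = Firewall(allow_inbound={("10.0.0.80", 80)})
    packets = [
        Packet("tcp", "10.0.0.5", 40000, "198.51.100.7", 443, inbound=False),   # user browses out
        Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 40000, inbound=True),    # server replies
        Packet("tcp", "203.0.113.9", 5555, "10.0.0.5", 139, inbound=True),      # probe of a file share
        Packet("udp", "203.0.113.9", 5353, "10.0.0.5", 53, inbound=True),       # datagram traffic
        Packet("tcp", "203.0.113.9", 6000, "10.0.0.80", 80, inbound=True,
               payload=b"GET /cgi-bin/phf?name=probe HTTP/1.0\r\n\r\n"),       # request over the open gate
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Note that `decide` never looks at `payload`: the last packet is accepted purely because port 80 on the web server is an open gate, which is exactly the ColdFusion situation the text goes on to describe. Spotting what travels through that gate is the IDS's job, not the firewall's.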
Some reasons for adding IDS to your firewall are:

  • Double-checks misconfigured firewalls.
  • Catches attacks that firewalls legitimately allow through (such as attacks against web servers).
  • Catches attempts that fail.
  • Catches insider hacking.

"Defense in depth, and overkill paranoia, are your friends." (quote by Bennett Todd). Hackers are much more capable than you think; the more defenses you have, the better. And they still won't protect you from the determined hacker. They will, however, raise the bar on determination needed by the hackers.

What intrusion detection systems are available? 

See the separate list of Intrusion Detection Systems.

What is Snort? 

Snort is a freeware network intrusion detection system. It runs on Linux and has become one of the most effective network based intrusion detection systems around. However, Snort requires a fair amount of both Linux and networking knowledge. http://www.snort.org/

How do I collect enough evidence about the hacker? 

An interesting field of IDS is collecting enough information about the incident to identify the hacker. This can be very hard because truly elite hackers will be bouncing their attacks from another compromised system. Hackers will also often employ IP address spoofing, which may appear as if attacks are coming from machines that aren't even turned on.
As far as I can tell, the best technique is to collect as much information as you can. For example, I've put a packet sniffer on our T-1 line capturing to trace files on a 16-gigabyte disk (almost any sniffing program on almost any platform can do this). You may not think it fun, but I enjoy perusing these files. It's amazing how many TCP/UDP scans and other probes I see on a regular basis.
Likewise, you should make sure you have full auditing and logging enabled on any/all systems exposed to the Internet. These will help you figure out what happened when you were hacked.

What are the main things to do to secure a Win NT/2000/XP system? 

The following list covers items that make WinNT more secure, including detection as well as prevention. They are listed roughly in order of importance.

  1. Install the latest service packs and "hot fixes".
  2. Use NTFS instead of FAT. NTFS allows permissions to be set on a per-file/per-directory basis and allows auditing on a per-file/per-directory basis.
  3. Rename the "administrator" account. A common attack is to use a dictionary or brute force attack on the "administrator" account.
  4. Create a new account named "administrator" for detecting intrusion attempts.
  5. Disable the "guest" account. You may also want to rename this account (much like "administrator"). Once you've renamed the "guest" account, you may want to create a new account named "guest" for detecting hacking attempts.
  6. Turn on auditing for "HKEY_LOCAL_MACHINE\Security" in order to detect remote registry browsing.
  7. Enable "Password Protected" on the screensaver.
  8. Turn off automatic sharing of ADMIN$, C$, D$, etc. via the "AutoShare" parameter in the registry. This parameter is under "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters", and is "AutoShareServer" for WinNT Server or "AutoShareWks" for WinNT Workstation. This is a DWORD, with a value of '1' for enabled (default), or a value of '0' for disabled. You will have to add the value yourself because it doesn't already exist in the registry.
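The decoy accounts from items 3 to 5 (and from the honeypot section earlier) are only useful if something watches them. Below is an added example of that watching logic, written for this page and not taken from the FAQ or from Windows: it reads logon records, raises an alert on any attempt, successful or not, against a decoy account name (nobody legitimate should ever use one), and separately counts repeated failures per source against the renamed real account to catch the dictionary attack item 3 describes. The log line format, account names, addresses and the threshold of five failures are all constructed; the format is deliberately simple and is not the Windows event-log format.

```python
"""Added example (not from the FAQ): alerting on decoy-account activity and on
repeated logon failures. Log format, account names, addresses and threshold are
constructed for illustration and do not follow the Windows event-log format."""
import re
from collections import Counter, defaultdict

# Accounts that exist only to be attacked: any touch is suspicious by definition.
DECOY_ACCOUNTS = {"administrator", "guest"}
# Constructed name of the real privileged account after renaming.
REAL_ADMIN = "ops-admin-7f"
BRUTE_FORCE_THRESHOLD = 5          # failed logons per (source, account) before alerting

# Constructed line format: "<timestamp> LOGON <SUCCESS|FAILURE> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGON (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: a probe of the decoy, a short dictionary run against the
# real admin account, one user typo, one normal logon and one malformed line.
SAMPLE_LOG = """\
2005-01-31T02:00:01 LOGON FAILURE user=administrator src=203.0.113.9
2005-01-31T02:00:02 LOGON FAILURE user=administrator src=203.0.113.9
2005-01-31T02:00:03 LOGON SUCCESS user=administrator src=203.0.113.9
2005-01-31T02:05:00 LOGON FAILURE user=ops-admin-7f src=203.0.113.9
2005-01-31T02:05:01 LOGON FAILURE user=ops-admin-7f src=203.0.113.9
2005-01-31T02:05:02 LOGON FAILURE user=ops-admin-7f src=203.0.113.9
2005-01-31T02:05:03 LOGON FAILURE user=ops-admin-7f src=203.0.113.9
2005-01-31T02:05:04 LOGON FAILURE user=ops-admin-7f src=203.0.113.9
2005-01-31T08:59:50 LOGON FAILURE user=jsmith src=10.0.0.21
2005-01-31T09:00:00 LOGON SUCCESS user=jsmith src=10.0.0.21
this line is not a logon record
"""


def parse(line):
    """Return the record fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text):
    """Walk the log once; return the list of alert strings in the order raised."""
    alerts = []
    failures = defaultdict(Counter)           # src -> Counter of account names
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue                          # skip malformed input rather than crash
        user = rec["user"].lower()
        if user in DECOY_ACCOUNTS:
            # The decoy has no legitimate users, so success and failure are both alerts.
            alerts.append(f"DECOY {rec['result']} {rec['user']} from {rec['src']} at {rec['ts']}")
        if rec["result"] == "FAILURE":
            failures[rec["src"]][user] += 1
            if failures[rec["src"]][user] == BRUTE_FORCE_THRESHOLD:
                alerts.append(
                    f"BRUTE_FORCE {rec['user']} from {rec['src']} "
                    f"({BRUTE_FORCE_THRESHOLD} failures) at {rec['ts']}"
                )
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The decoy check is the cheap, high-confidence signal: it needs no threshold because there is no legitimate baseline of activity to confuse it with. The failure counter, by contrast, needs a threshold tuned to your own users' typo rate.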
How are intrusions detected? 

Anomaly detection
The most common way people approach network intrusion detection is to detect statistical anomalies. The idea behind this approach is to measure a "baseline" of such stats as CPU utilization, disk activity, user logins, file activity, and so forth. Then, the system can trigger when there is a deviation from this baseline.
The benefit of this approach is that it can detect the anomalies without having to understand the underlying cause behind the anomalies.
For example, let's say that you monitor the traffic from individual workstations. Then, the system notes that at 2am, a lot of these workstations start logging into the servers and carrying out tasks. This is something interesting to note and possibly take action on.
Signature recognition
The majority of commercial products are based upon examining the traffic looking for well-known patterns of attack. This means that for every hacker technique, the engineers code something into the system for that technique.
This can be as simple as a pattern match. The classic example is to examine every packet on the wire for the pattern "/cgi-bin/phf?", which might indicate somebody attempting to access this vulnerable CGI script on a web server. Some IDS systems are built from large databases that contain hundreds (or thousands) of such strings. They just plug into the wire and trigger on every packet they see that contains one of these strings.
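The two approaches above, as an added example written for this page (not the FAQ author's code and not any IDS product's engine): the anomaly half learns a per-hour mean and standard deviation of workstation logins from a constructed six-day history and flags an hour whose count lies more than three deviations above its baseline, which reproduces the 2am scenario; the signature half is the plain byte match for "/cgi-bin/phf?" that the text describes, run over constructed packets. The history values, the threshold of three deviations, the floor on the deviation, the packet records and the signature name are all assumptions made for the illustration.

```python
"""Added example (not from the FAQ): anomaly detection against a learned baseline
and signature recognition on packet payloads. The history, thresholds, packets
and signature names are constructed for illustration."""
import statistics

# ---- Anomaly detection --------------------------------------------------------
# Constructed history: workstation->server logins per hour of the day, one value
# per day over six days. Office hours are busy, the small hours almost silent.
HISTORY = {
    hour: ([0, 1, 0, 0, 0, 0] if hour < 7 else
           [40, 45, 38, 50, 42, 47] if 9 <= hour <= 17 else
           [5, 8, 6, 4, 7, 5])
    for hour in range(24)
}


def build_baseline(history):
    """Per-hour mean and standard deviation. The deviation is floored at 1.0 so a
    single extra login in a normally silent hour is not treated as an attack."""
    return {h: (statistics.mean(v), max(statistics.stdev(v), 1.0))
            for h, v in history.items()}


def is_anomalous(baseline, hour, observed, k=3.0):
    """Trigger when the observation exceeds mean + k standard deviations."""
    mean, sd = baseline[hour]
    return observed > mean + k * sd


def detect_anomalies(baseline, observations, k=3.0):
    """observations: {hour: login count}; returns the hours that deviate."""
    return [h for h, n in sorted(observations.items())
            if is_anomalous(baseline, h, n, k)]


# ---- Signature recognition ----------------------------------------------------
SIGNATURES = {
    "phf-cgi-probe": b"/cgi-bin/phf?",   # the classic pattern named in the text
}


def match_signatures(packets, signatures=SIGNATURES):
    """packets: (src, dst, dport, payload). Exact byte match, as the simplest
    engines do; a request written in different case or encoding is not matched,
    which is why real signature sets grow to thousands of entries."""
    hits = []
    for src, dst, dport, payload in packets:
        for name, pattern in signatures.items():
            if pattern in payload:
                hits.append((name, src, dst, dport))
    return hits


# Constructed observations: the 2am login surge from the text plus two normal
# office-hour readings, and three HTTP requests of which one carries the pattern.
OBSERVED_LOGINS = {2: 30, 11: 44, 14: 46}
PACKETS = [
    ("10.0.0.21", "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("203.0.113.9", "10.0.0.80", 80, b"GET /cgi-bin/phf?name=probe HTTP/1.0\r\n\r\n"),
    ("10.0.0.22", "10.0.0.80", 80, b"GET /cgi-bin/search?q=phf HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    model = build_baseline(HISTORY)
    print("anomalous hours:", detect_anomalies(model, OBSERVED_LOGINS))
    print("signature hits:", match_signatures(PACKETS))
```

The anomaly detector never needs to know why thirty workstations logged in at 2am; it only knows that the hour is normally silent. The signature matcher is the reverse: it knows exactly what it is looking for and nothing else, so the third request, which merely mentions "phf" in a search query, is correctly left alone.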

Where can I find some Statistics on intrusions? 

Internet Storm Center - http://ww.incidents.org/
Reports on trends on ports and services being scanned by collecting intrusion detection log entries to detect new malicious activity.
CERT Reports, Articles, and Presentations (http://www.cert.org/nav/reports.html)
CERT has a number of historical statistics on intrusions, but they aren't nearly as up-to-date as the NIPC. 

What is a DDoS (Distributed Denial of Service) attack? 

A Distributed Denial of Service consists of launching a Denial of Service attack from a good number of sites against a single host. Such an attack is generally more effective at bringing down huge corporate sites than a plain DoS attack. A typical DDoS attack consists of a master, slaves and a victim: the master being the attacker, the slaves being the compromised systems and the victim of course being the attacker's target. Once the attacker sends a specific command to the slave or zombie systems, the attack is launched.
