Three generic DoS methods stand out as particularly dangerous: Smurf or Fraggle, SYN Flood, and DNS attacks.
Smurf / Fraggle
The Smurf / Fraggle attack is one of the most devastating DoS attacks. It uses bandwidth consumption to disable a system's network resources, and it does so by amplifying the attacker's bandwidth. Three actors participate in the attack: the attacker, the victim, and the amplifying network. The attacker sends a ping request to the amplifying network with the victim's address as the (spoofed) source address, so every host that answers sends its reply to the victim. If the amplifying network has 100 systems, the traffic can be amplified 100 times. It is easy to see how a Smurf attack can be launched by an attacker with relatively low bandwidth to disable a system with much higher bandwidth.
SYN Flood
The SYN flood attack was considered the most devastating DoS method before the Smurf attack was discovered. This method uses resource starvation to achieve the DoS. During a normal TCP handshake, (1) a client sends a SYN request to the server, (2) the server responds with a SYN / ACK to the client, and (3) the client sends a final ACK back to the server. In a SYN flood attack, the attacker sends multiple SYN requests to the victim with spoofed source addresses. The spoofed addresses belong to nonexistent networks. The victim's server then responds with a SYN / ACK to the nonexistent network. Because no host receives this SYN / ACK, the victim's system simply waits for the ACK from the client. The ACK never arrives, and the victim's server eventually times out the half-open connection. If the attacker sends SYN requests often enough, the victim's available resources for setting up connections will all be consumed waiting for these bogus ACKs. These resources are usually low in number, so relatively few bogus SYN requests (as few as a dozen) can create a DoS event.
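The resource-starvation mechanism described above, as an added illustration that is not part of the original text: a toy model, in C, of a server's table of half-open connections. The slot count, the timeout, and the addresses are constructed values, and the model is not any particular operating system's TCP implementation; it only shows why a finite table, spoofed sources that never ACK, and the timeout interact the way the paragraph describes.

```c
#include <stdint.h>
#include <string.h>

#define BACKLOG_SLOTS 12          /* constructed: half-open connections the server can hold */
#define SYN_TIMEOUT_TICKS 3       /* constructed: ticks a half-open entry may wait for its ACK */
#define LEGIT_CLIENT 0xC0A80102u  /* constructed legitimate client, 192.168.1.2 */

struct half_open {
    int in_use;
    uint32_t client;              /* source address claimed by the SYN (may be spoofed) */
    int age;                      /* ticks spent waiting for the final ACK */
};

struct syn_backlog {
    struct half_open slot[BACKLOG_SLOTS];
};

void backlog_init(struct syn_backlog *b) { memset(b, 0, sizeof *b); }

/* Handshake steps 1 and 2: a SYN arrives, the server answers SYN/ACK and must keep
 * state for the client until the ACK returns. Returns 1 if a slot was reserved, 0 if refused. */
int backlog_syn(struct syn_backlog *b, uint32_t client) {
    for (int i = 0; i < BACKLOG_SLOTS; i++) {
        if (!b->slot[i].in_use) {
            b->slot[i].in_use = 1;
            b->slot[i].client = client;
            b->slot[i].age = 0;
            return 1;
        }
    }
    return 0;                     /* every slot taken: the SYN is dropped */
}

/* Handshake step 3: the final ACK completes the connection and frees the slot.
 * For a spoofed, unreachable source this call never happens. */
int backlog_ack(struct syn_backlog *b, uint32_t client) {
    for (int i = 0; i < BACKLOG_SLOTS; i++) {
        if (b->slot[i].in_use && b->slot[i].client == client) {
            b->slot[i].in_use = 0;
            return 1;
        }
    }
    return 0;
}

/* One unit of time passes; entries that waited SYN_TIMEOUT_TICKS are dropped. Returns how many expired. */
int backlog_tick(struct syn_backlog *b) {
    int expired = 0;
    for (int i = 0; i < BACKLOG_SLOTS; i++) {
        if (b->slot[i].in_use && ++b->slot[i].age >= SYN_TIMEOUT_TICKS) {
            b->slot[i].in_use = 0;
            expired++;
        }
    }
    return expired;
}

int backlog_in_use(const struct syn_backlog *b) {
    int n = 0;
    for (int i = 0; i < BACKLOG_SLOTS; i++) n += b->slot[i].in_use;
    return n;
}

/* A dozen SYNs from constructed spoofed sources 10.0.0.0-10.0.0.11; no ACK will ever come back. */
static void flood(struct syn_backlog *b) {
    for (uint32_t i = 0; i < BACKLOG_SLOTS; i++)
        backlog_syn(b, 0x0A000000u + i);
}

/* Scenario A: the flood fills every slot, then a legitimate client sends a SYN.
 * Returns 1 if the legitimate SYN got a slot, 0 if it was refused. */
int scenario_flood_then_legit(void) {
    struct syn_backlog b;
    backlog_init(&b);
    flood(&b);
    return backlog_syn(&b, LEGIT_CLIENT);
}

/* Scenario B: same flood, but the sender stops and the timeout runs; the stale
 * entries expire and the legitimate SYN is accepted again. */
int scenario_flood_timeout_then_legit(void) {
    struct syn_backlog b;
    backlog_init(&b);
    flood(&b);
    for (int t = 0; t < SYN_TIMEOUT_TICKS; t++) backlog_tick(&b);
    return backlog_syn(&b, LEGIT_CLIENT);
}

/* Scenario C: a normal SYN / ACK exchange leaves no state behind. Returns slots still in use. */
int scenario_normal_handshake(void) {
    struct syn_backlog b;
    backlog_init(&b);
    backlog_syn(&b, LEGIT_CLIENT);
    backlog_ack(&b, LEGIT_CLIENT);
    return backlog_in_use(&b);
}
```

Scenario A is the DoS: twelve spoofed SYNs are enough because the table has twelve slots. Scenario B shows the defender's lever the paragraph mentions, the timeout: the shorter a half-open entry is allowed to live, the more SYNs per second an attacker needs to keep the table full.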
DNS Attacks
On earlier versions of BIND, attackers could effectively poison the cache of a DNS server that was using recursion to look up a zone not served by that nameserver. Once the cache was poisoned, a legitimate user would be directed to the attacker's network or to a nonexistent network. This problem has been corrected in later versions of BIND.
A Denial of Service (DoS) attack is an attempt to prevent legitimate users of a service from accessing that service. DoS attacks usually either exploit software bugs to crash or freeze a service, or exploit bandwidth limits by using a flood attack to saturate all available bandwidth.
Ping sweeps
Attackers will usually check which IP addresses are active by sending an ICMP ping packet and expecting a reply. Similarly, some tools make use of SNMP, TCP/IP and other protocols to "ping" a host to see if it is up.
TCP scans
Enumerating open TCP ports on a target machine is very important in an attack, since this allows hackers to find exploitable services. Attackers will most of the time make use of stealth scans to try to avoid being discovered at this early stage of the attack. Scans can be sequential, randomized, or run against a configured list of ports.
UDP scans
Due to the design of UDP, scanning this protocol is considerably slower and produces a lot of false positives. This is because UDP is a connectionless protocol, which means that when a port is open it does not have to send a confirmation that the UDP packet was received. Most UDP implementations send an ICMP destination port unreachable message when the port is closed. Firewalls should be configured not to respond with ICMP destination port unreachable; this makes traditional UDP scanning much harder for hackers. Apart from this, many machines throttle ICMP messages, which means that scanning such machines is a very slow process.
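From the defender's side, the TCP and UDP scans described in the two paragraphs above leave a recognisable trace: one source touching many different destination ports. The following C program is added here and is not part of the original text; it aggregates constructed firewall log lines (the `ACTION src=... dst=... proto=... dport=...` layout is an assumption, not any particular firewall's syntax) into a per-source set of distinct ports and flags sources that exceed a threshold.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample firewall log lines (not real data): source 10.0.0.5 probes
 * many different ports, 10.0.0.7 only ever talks to port 80, and one line is
 * unrelated noise that must not upset the parser. */
static const char *const SAMPLE_LOG[] = {
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=21",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=22",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=23",
    "ACCEPT src=10.0.0.7 dst=192.168.1.10 proto=TCP dport=80",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=25",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=UDP dport=53",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=110",
    "ACCEPT src=10.0.0.7 dst=192.168.1.10 proto=TCP dport=80",
    "kernel: link up on eth0",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=143",
    "DROP src=10.0.0.5 dst=192.168.1.10 proto=TCP dport=22",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

#define MAX_SOURCES 32
#define MAX_PORTS 128

struct source_stats {
    char src[16];
    int ports[MAX_PORTS];
    int nports;                   /* distinct destination ports seen from this source */
};

/* Parses one line in the assumed "ACTION src=A dst=B proto=P dport=N" layout.
 * Returns 1 and fills src/dport on success, 0 if the line does not match. */
int parse_log_line(const char *line, char src[16], int *dport) {
    return sscanf(line, "%*s src=%15s %*s %*s dport=%d", src, dport) == 2;
}

/* Records a port for a source unless it was already counted. */
static void note_port(struct source_stats *s, int port) {
    for (int i = 0; i < s->nports; i++)
        if (s->ports[i] == port) return;
    if (s->nports < MAX_PORTS) s->ports[s->nports++] = port;
}

/* Aggregates the sample log into per-source port sets; returns the number of sources. */
static int aggregate(struct source_stats *stats) {
    int n = 0;
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++) {
        char src[16];
        int dport, k;
        if (!parse_log_line(SAMPLE_LOG[i], src, &dport)) continue;
        for (k = 0; k < n; k++)
            if (strcmp(stats[k].src, src) == 0) break;
        if (k == n) {
            if (n >= MAX_SOURCES) continue;       /* table full: ignore further new sources */
            strcpy(stats[n].src, src);            /* src is at most 15 chars by the sscanf width */
            stats[n].nports = 0;
            n++;
        }
        note_port(&stats[k], dport);
    }
    return n;
}

/* Number of distinct destination ports a given source touched in the sample log. */
int distinct_dports(const char *src) {
    struct source_stats stats[MAX_SOURCES];
    int n = aggregate(stats);
    for (int i = 0; i < n; i++)
        if (strcmp(stats[i].src, src) == 0) return stats[i].nports;
    return 0;
}

/* Number of sources that touched at least 'threshold' distinct ports. */
int scanner_count(int threshold) {
    struct source_stats stats[MAX_SOURCES];
    int n = aggregate(stats), hits = 0;
    for (int i = 0; i < n; i++)
        if (stats[i].nports >= threshold) hits++;
    return hits;
}

int main(void) {
    printf("10.0.0.5 touched %d distinct ports\n", distinct_dports("10.0.0.5"));
    printf("sources over threshold 5: %d\n", scanner_count(5));
    return 0;
}
```

The threshold is the tuning knob: a normal client hits one or two ports, a scanner hits dozens, and a randomized or slow scan only changes the order and rate, not the number of distinct ports, so a window over time rather than a fixed sample is what a production version would add.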
OS Fingerprinting
One method to identify the target Operating System is to send illegal or ambiguous packets. Although protocol definitions (RFCs) usually define how a machine should reply to data that it is expecting, these same standards do not always take illegal packets into consideration. The result is that each Operating System responds uniquely to invalid input, and therefore hackers can guess the remote Operating System without being detected by normal system logging.
Another method to discover the Operating System of a target is Banner Grabbing, which consists of analyzing the responses of services running on the victim server.
Account scans
Tries to log on with accounts
Systems can get hacked when either of the following get compromised:
This FAQ will focus on Physical Security. System Security tries to protect against the following issues:
Software security issues
There are a large number of generic security vulnerabilities produced by "bad coding practices". While some of these loopholes are already well known and may have been fixed, others are waiting to be discovered. These software bugs can be found and exploited in server software, client applications and the operating system itself. Sometimes protocols are inherently flawed, and therefore any application making use of that specific protocol will be vulnerable.
Software bugs can be classified in the following manner:
Buffer overflows: The most traditional and probably best-known security vulnerability tends to be the Buffer Overrun or Buffer overflow.
Example of how buffer overflow holes are produced:
A programmer assumes that users of his software will never supply input longer than 256 characters as a username.
A hacker will instead try to input more than 256 characters as the username and see what happens. What happens in this case is a buffer overflow: the extra characters overwrite memory beyond the buffer, which is how they end up being executed as instructions on the remote server.
Buffer overflows are normally found in C and C++ programs, and are very rare on programs written using higher-level computer languages such as Java.
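The 256-character username scenario above, as an added C example that is not code from the original text: the unchecked copy beside a bounded version. `store_username_unsafe`, `store_username_safe` and the 300-character input are constructed for illustration.

```c
#include <string.h>

#define USERNAME_MAX 256   /* the size the programmer assumed would never be exceeded */

/* Vulnerable form: copies whatever the user sent into a fixed 256-byte stack buffer.
 * Input of 256 characters or more writes past the end of 'username' and corrupts
 * whatever the compiler placed after it (other locals, saved registers, the return
 * address). Only ever call this with short input; it exists here for comparison. */
int store_username_unsafe(const char *input) {
    char username[USERNAME_MAX];
    strcpy(username, input);            /* no bounds check at all */
    return (int)strlen(username);
}

/* Hardened form: measure first without reading past out_size, reject anything that
 * does not fit together with its terminating NUL, then copy exactly what fits.
 * Returns the stored length, or -1 if the input was rejected. */
int store_username_safe(const char *input, char *out, size_t out_size) {
    size_t n = 0;
    if (out_size == 0) return -1;
    while (n < out_size && input[n] != '\0') n++;   /* bounded length scan */
    if (n >= out_size) return -1;                    /* no room for the NUL: reject */
    memcpy(out, input, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed over-long input (300 'A's) fed to the safe version. Returns -1. */
int safe_rejects_long_input(void) {
    char attack[300 + 1];
    char stored[USERNAME_MAX];
    memset(attack, 'A', 300);
    attack[300] = '\0';
    return store_username_safe(attack, stored, sizeof stored);
}

/* A normal username is stored and its length returned. Returns 5. */
int safe_accepts_short_input(void) {
    char stored[USERNAME_MAX];
    return store_username_safe("alice", stored, sizeof stored);
}
```

The difference is not the copy routine but the decision taken before it: the safe version treats "too long" as an input to reject, where the unsafe one has no such concept. Note that `strncpy` alone would not fix the unsafe form either, since it silently truncates and may leave the buffer unterminated.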
Unexpected input: At the design stage, programmers sometimes do not think about all possible input combinations. This can create major security holes. A Path Traversal attack, usually carried out via unchecked URL input parameters, cookies and HTTP request headers, is one example of unexpected input.
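For the path traversal case mentioned above, an added C example (not code from the original text) of the check a server can apply to a user-supplied relative path before joining it to a document root. `path_stays_inside`, `safe_join` and the `/srv/www` base directory are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Both '/' and '\\' end a path segment, so "..\\..\\x" is caught as well. */
static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Lexically checks a user-supplied relative path: resolves "." and ".." segments by
 * tracking directory depth and rejects anything that would climb above the base.
 * Returns 1 if the path stays inside, 0 if it is empty, absolute, or escapes.
 * Apply it after URL-decoding; it does not follow symlinks or understand drive letters. */
int path_stays_inside(const char *user_path) {
    const char *p = user_path;
    int depth = 0;
    if (*p == '\0' || is_sep(*p)) return 0;
    while (*p) {
        const char *seg = p;
        while (*p && !is_sep(*p)) p++;
        size_t len = (size_t)(p - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0) return 0;               /* climbed above the base directory */
        } else if (len > 0 && !(len == 1 && seg[0] == '.')) {
            depth++;                                 /* ordinary directory or file name */
        }
        while (is_sep(*p)) p++;                      /* collapse repeated separators */
    }
    return 1;
}

/* Joins base and user path only after the check passes.
 * Returns 1 and fills out on success, 0 if rejected or the result would not fit. */
int safe_join(const char *base, const char *user_path, char *out, size_t out_size) {
    if (!path_stays_inside(user_path)) return 0;
    int n = snprintf(out, out_size, "%s/%s", base, user_path);
    return n >= 0 && (size_t)n < out_size;
}

/* Constructed demo: "docs/readme.txt" under "/srv/www" joins to the expected path. Returns 1. */
int demo_join(void) {
    char out[256];
    return safe_join("/srv/www", "docs/readme.txt", out, sizeof out)
        && strcmp(out, "/srv/www/docs/readme.txt") == 0;
}
```

Depth counting is what makes "docs/../../etc/passwd" fail while "docs/../docs/x" passes: the check is about where the path ends up, not about whether ".." appears at all. A lexical check is necessary but not sufficient; if the document root contains symbolic links, the opened file must still be verified after resolution.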
Unhandled input: Sometimes programmers overlook the possibility that someone may enter input that doesn't match what the program is expecting. This can result in denial of service, where some programs/services crash, as well as in privilege escalation.
Race conditions: When two or more processes/threads access a shared data item, the result depends on the order of execution. In the security world, if a privileged process can be forced to write attacker-chosen code to a certain file which is then executed by another privileged process, code execution may take place, resulting in a security vulnerability.
System configuration
System configuration bugs can be classified in the following manner:
Default configurations: On installation a system will have the most common settings. Most of the time this means easy to use and easy to abuse. In fact most Windows NT/2000 and XP systems as shipped have to be patched and configured, or else they are very easy to break into. "Script kiddies", the less sophisticated hackers, tend to search for default installations of Windows 2000 and Linux systems to break into.
Empty or common passwords: A huge number of servers on some corporate networks do not have a password set. This can be very convenient for quick installation of a huge number of systems, but it creates a very obvious hole. Sometimes administrators will also set the same obvious password on all machines on the network. This means that once an attacker guesses the password for one machine, this password will grant him access to the other machines on the network.
Mis-configuration: Most applications and server software can be configured to allow easier access, i.e. to run with no security. This can include enabling a feature, or just enabling all features within a program.
Trust relationships: Security is only as strong as the weakest link. Computers on a corporate network make use of trust relationships, so that a server allows another specific system to use a service on the server. If that specific system is compromised, the attacker also gets access to the server.
Password cracking
Most security systems are based around a username/password scheme. This scheme has various attack points:
Weak passwords: It is very common for people to use their own name as a password. Other common choices include birthdays, relatives' names, car models, nicknames and other familiar things. It is also common for people to choose "password" or something such as "letmein" as a password, or simply to set a blank password. Of course, if an attacker knows the person just a little, he can easily guess the password.
Dictionary attacks: A very common attack is to take a list of well-known passwords and run it against the login system or a stolen password file. This means trying every password in the dictionary, a task that can take just a few seconds on an NT SAM file, depending on the size of the dictionary file as well as the number of users in the database.
Brute force attacks: This kind of attack is very similar to the dictionary attack, but it tries all possible combinations of characters. The advantage is that any password can be guessed using this attack. However, this attack is of course very time consuming. Hackers choose to try only certain characters, such as lower-case letters, and limit the length of the password so that this attack is more feasible.
Sniffing unsecured traffic
Shared network: Traditional shared Ethernet allows attackers to simply set the network card to promiscuous mode and obtain all data passing through the network. The attacker would usually use a protocol analyzer (better known as a sniffer) to launch this attack. While this attack is very difficult to detect, most corporate networks have now turned to switched Ethernet, which does not allow passive attacks such as this one.
Sniffing on a switched network: Although switched networks prevent passive snooping, there are still a few attacks that can be launched:
Remote sniffing: SNMP has a facility called RMON that allows for remote monitoring of data. Various SNMP implementations contain security issues and use default public community strings.
Server sniffing: If a router is compromised, an attacker can usually still sniff network data, since a lot of packets flow through routers.
Active attacks against switched networks: ARP spoofing, MAC flooding, MAC duplicating. These attacks allow hackers to capture unencrypted passwords and data over the network.
Rogue DHCP servers: If an attacker launches a rogue DHCP server, he can effectively set up his machine as a router and force computers on the network to treat it as the legitimate router.
Design flaws
Software is often not designed with security in mind from the start. This means that security issues will sometimes emerge even when the software implementation is flawless. Such a problem will often require a full software redesign. However, many programmers and designers choose to patch existing software to hide design flaws.
Underlying protocol flaws: Most network programs are built to use TCP/IP to communicate with other services across the Internet. Although TCP/IP is robust, it was not designed with security in mind and it carries many inherent problems. Examples include IP spoofing, DNS hijacking and SYN floods. IPsec, on the other hand, has been designed to fix flaws within TCP/IP; however, it is not widely implemented yet.
Do honeypots constitute entrapment?
No. This is the most commonly asked question about honeypots, and the answer is a clear no. Entrapment has a clear legal definition whereby law enforcement officers encourage somebody to commit a crime that they were not otherwise disposed to commit. This means:
Am I aiding and abetting a crime?
Possibly. You are certainly not abetting the person breaking into your system. However, if he/she uses your system to launch attacks against other systems, you might be partially liable for their actions.
Am I liable for attacks launched from the compromised honeypot?
Very probably. This hasn't been tested in court, but if you have a lot of money and the hacker causes lots of damage, guess who the victim is going to sue? It doesn't matter what the law says, there is a good chance you will have to defend yourself in court. Note that this also applies when the hacker breaks into any of your systems.