
Intrusion Detection Systems
Chapters 14 and 15 of Malik
Source: http://sce.uhcl.edu/yang/teaching/.../IDS.ppt

Slide titles: Intrusion Detection Systems; Outline; What is intrusion detection?; Why do we need intrusion detection?; Types of Network Attacks?; Network Attacks; Examples of Network Attacks; DoS via Syn Flood; Slide 9; Distributed DoS attacks; Slide 11; TFN Attack; Slide 13; Slide 14; Slide 15; Systems vulnerable to Land Attack; Slide 17; Slide 18; The Process of Intrusion Detection; Classification of signatures; Case study; Cisco Secure Intrusion Detection; Basic principles of placing sensors and management consoles; Types of Sensors; Notes; What sensor device to use? (p.448)

Slide 2: Outline
• Introduction
• Types of network attacks
• How intrusion detection works
• Case study

Slide 3: What is intrusion detection?
• Intrusion detection is the process of detecting & defeating attempts to gain unauthorized access to a network or to create network degradation.
• Basic procedure of countering network attacks
  1. Detecting & stopping the intrusion
     a) Understand how network attacks occur.
     b) Stop the attacks:
        - Make sure that general patterns of malicious activity are detected
        - Ensure that specific events that don't fall into common categories of attacks are dealt with swiftly
  2. Tracking the intruder to the source
     Usually spoofed IPs are used!
  3. Prosecute the intruder
     A significant law enforcement effort!

Slide 4: Why do we need intrusion detection?
1. Information carried over networks is more valuable.
2. The WWW has become a common delivery medium.
3. Launching attacks has become readily easy! (Fig. 14-1)
4. Anonymous attackers
5. Easy access to network (esp. internal attackers)
6. Large amount of traffic, making visual examination of the logs ineffective!

Slide 5: Types of Network Attacks?
• By different attackers:
                            a. Trusted (internal) users   b. Untrusted (external) users
  1. Inexperienced hackers  a1 inexperienced trusted      b1 inexperienced untrusted
  2. Experienced hackers    a2 experienced trusted        b2 experienced untrusted
• By different attack goals:
  – DoS attacks: to disrupt the service(s), e.g., TCP SYN attack
  – Network access attacks: to gain access to resources
    • Data access, e.g., eavesdropping, privilege escalation
    • System access, e.g., password guessing/cracking, Trojan horse attacks, …

Slide 6: Network Attacks
• Network attacks are usually preceded by reconnaissance attacks.
  – Automated tools are available to collect information, and to find vulnerabilities
  – May be carried out manually
  – Usually involves a series of steps

Slide 7: Examples of Network Attacks
A. DoS Attacks (pp.405-415)
  1. Resource exhaustion attacks
     Available resources (CPU, bandwidth, etc.) are consumed by the attack, causing disruption of services to legitimate users.
  2. Cessation (or disruption) attacks at OS or a protocol
     Vulnerabilities in the OS or a protocol are exploited by the attacker, causing cessation of normal OS operations.
B. Network Access Attacks (pp.415-418)

Slide 8: DoS via Syn Flood
• A: the initiator; B: the destination
• The three-way TCP handshake:
  – A: SYN to initiate
  – B: SYN+ACK to respond
  – A: ACK gets agreement

Slide 9: Examples of Network Attacks
A1. Resource exhaustion DoS attacks
  a) Simple DoS attacks, e.g., TCP SYN floods: Fig. 14-3
     Solution? Most network-based IDSs can detect SYN floods by looking for patterns of activity that give away SYN flooding.
  b) Distributed DoS attacks (DDoS)
     Coordinated large-scale attacks at the victim machines, by a large number of attacking machines
     e.g., the February 7-11, 2000 attacks: a combination of 4 DDoS attacks (Trinoo, TFN, TFN2K, and Stacheldraht)

Slide 10: Distributed DoS attacks
• Trinoo
  – A network of master/slave programs that coordinate with each other to launch a UDP DoS flood against a victim machine
  – Figure 14-4
  – 4 steps to set up a Trinoo network attack:
    1. Using a compromised account, compile a list of machines that can be compromised.
    2. Run scripts to compromise the machines in the list, and convert them to Trinoo masters or daemons. (A Trinoo master controls several daemons; the masters are controlled by the compromised host in Step 1.)
    3. Launch the DDoS attack!
    4. Each daemon launches a UDP DoS attack against the targeted victim, by sending UDP packets to random destination ports.

Slide 11: Distributed DoS attacks
• TFN (Tribal Flood Network) and TFN2K
  – A network of master/slave (clients/daemons) programs that coordinate with each other to launch an attack against a victim machine
  – Fig. 14-5 (next slide)
  – Variety of attacks: SYN flood, ICMP flood, smurf attacks (Fig. 21-3)
  – c.f.:
      Trinoo   UDP flood
      TFN      SYN flood, ICMP flood, Smurf
• Stacheldraht
  – Enhancements over Trinoo and TFN

Slide 12: TFN Attack (figure, Fig. 14-5)

Slide 13: Distributed DoS attacks
• How can IDS prevent DDoS attacks?
  – DDoS attacks are not easy to prevent.
  – May be detected by using known IDS signatures, e.g., (p.413)
    Cisco IDS signatures 6505 and 6506 are used to detect Trinoo networks
    Cisco IDS signatures 6503 and 6504 are for Stacheldraht networks …

Slide 14: Examples of Network Attacks
A2. Cessation-of-operations attacks at OS
  These attacks try to exploit a bug or oversight in the code of an OS, and may cause the OS to stop functioning normally.
  a) Ping of death attack
     - Exploits the maximum length of an IP packet (65,535 bytes)
     - When a vulnerable machine receives a packet larger than the maximum, its buffer may overflow, causing the OS to hang or crash.
     - Usually carried out by sending an ICMP packet encapsulated in an IP packet.
     Solution?
  b) Land.c attack

Slide 15: A2. Cessation-of-operations attacks at OS
  b) Land.c attack
     - A DoS attack in which an attacker sends a host a TCP SYN packet with the source and destination IP address set to the host's IP address.
     - The source and the destination port number are the same as well.
     - The OS eventually becomes trapped in an endless loop of sending and acknowledging SYN packets.
     Solution? The IDS may look for the impossible IP packets (with the same source and destination addresses).
     A passive IDS (in sniffing-only mode) cannot thwart such an attack (even after having detected it).
     An active IDS
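The two "Solution?" answers above (spotting the pattern of a SYN flood, and spotting the "impossible" Land.c packet) written out as signature checks over a constructed packet trace. This is an added example, not code from the slides or from Malik; the Pkt record, the half-open threshold of 50 and the sample addresses are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:  # constructed packet summary, standing in for sniffer output
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S" (SYN), "SA" (SYN+ACK), "A" (ACK)

def is_land(p: Pkt) -> bool:
    # Land.c: a SYN whose source and destination address *and* port are identical,
    # an "impossible" packet that no legitimate host emits
    return "S" in p.flags and p.src == p.dst and p.sport == p.dport

def half_open_per_dst(pkts) -> Counter:
    # Handshakes per destination that saw a SYN but never the client's final ACK
    pending = set()
    for p in pkts:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            pending.add(key)
        elif p.flags == "A" and key in pending:
            pending.discard(key)  # third handshake step completed this one
    return Counter(dst for (_, _, dst, _) in pending)

def syn_flood_victims(pkts, threshold: int = 50) -> dict:
    # threshold is an assumed tuning value, not one taken from the slides
    return {dst: n for dst, n in half_open_per_dst(pkts).items() if n >= threshold}

def scan(pkts, threshold: int = 50) -> list:
    # Run both signature checks; returns (alert_type, detail) tuples
    alerts = [("land", p) for p in pkts if is_land(p)]
    alerts += [("syn-flood", (dst, n)) for dst, n in syn_flood_victims(pkts, threshold).items()]
    return alerts

def build_sample() -> list:
    # Constructed trace: one completed handshake, 60 spoofed half-open SYNs
    # (the simple flood on the slide) and one land packet aimed at a second host
    pkts = [Pkt("10.0.0.5", 40000, "192.0.2.10", 80, "S"),
            Pkt("192.0.2.10", 80, "10.0.0.5", 40000, "SA"),
            Pkt("10.0.0.5", 40000, "192.0.2.10", 80, "A")]
    pkts += [Pkt(f"198.51.100.{i + 1}", 1024 + i, "192.0.2.10", 80, "S") for i in range(60)]
    pkts.append(Pkt("192.0.2.20", 139, "192.0.2.20", 139, "S"))
    return pkts

SAMPLE = build_sample()
```

The completed handshake is cleared from the half-open set by its final ACK, so only the spoofed SYNs count toward the flood; a passive sensor running this logic can raise the alert but, as the slide notes, cannot by itself stop either attack.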


UHCL CSCI 5235 - Intrusion Detection Systems