Packet filter - Department of Computer Science

Chapter 8
Deworming
Deworming
 Deworming?
1.
2.
3.
Here, we discuss…
Defenses
Capture and containment
Automatic counter-measures
Example Network
Example Network
 Perimeter
computer
o Dedicated router or other computer
o Shuffles packets back and forth
o May also perform defensive tasks
 User
--- self-explanatory
 Internal network
o Some critical machines to protect
 Honeypot
is optional (discussed later)
Defenses
 We
consider defenses from
perspective of…
o Users
o Hosts (i.e., users’ computers)
o Perimeter
Defenses: User
 User
education
o Email worms
 User
might detect suspicious activity
o E.g., slowdown in network response
o So, users might act as a type of IDS
Defenses: Host
 Most
effective host-based defenses
are the most mundane
1. Apply patches
2. Limit available services
3. Defend against likely attack vectors
4. Anti-virus software
Patching
 Most
worms
exploit known
problems
 Patching follows
curve something
like this 
o Curve never
reaches 0
Patching
 Many
machines remain vulnerable long
after patch is available
 Some machines never patched
 Strangely, patching rate does not
increase much when highly publicized
attack occurs
Patching
 Why
so slow?
o Nobody available to install patch
o Don’t know about patch
o Some don’t want to install patch early
(Why?)
 Modern
OSs use automatic updates
o Is this a good idea?
Limit Available Services
 Why
limit services?
1. Worms often exploit technical
weaknesses in servers
2. Technical weaknesses likely to be
uniformly distributed in server code
3. Other reasons?
 Which services to shut down?
Specific Countermeasures
Canaries, ASLR, and other buffer
overflow prevention/detection
2. Anomaly detection
 These are of little/no use against new
vulnerabilities or attacks
 Might not catch worms that use social
engineering to spread
1.
Anti-Virus Software
 AV
does look for worms
 But 3 problems limit effectiveness
1. Rapidly spreading worms may not be
detected using signatures
2. Integrity check and emulation might
not work
o Worm could be injected into “clean” code
3.
Worm might reside in memory only
Memory Scanning
 Search
for malware in memory
 Once upon a time this was easy, now
complicated due to…
o Memory protection, which keeps process
memory separate
o Virtual memory, which is “extra” memory
on disk, not readily available for scanning
 Aside:
Hash check code in memory…
Memory Scanning
 How
to scan?
o Challenging due to memory protection and
virtual memory
 Use
API available for debugging?
o Avoids memory protection, but slow if
scan virtual memory
o Ideally, only scan memory that changes
o But not all processes can be debugged…
o …unless AV runs as part of kernel
Memory Scanning
 What
to do when malware found?
o Terminate infected process?
o Terminate infected thread(s)?
o Patch process as it runs?
 Scanning
cannot be continuous
o Opens a window of vulnerability
 Philosophically
speaking, is memory
scanning a good idea?
Perimeter
 Perimeter
is 1st line of defense
 Perimeter computer might include…
o Firewall and/or
o IDS
 Discuss
firewalls and IDS next
Firewalls
Firewalls
Internet


Firewall
Internal
network
Firewall decides what to let in to internal
network and/or what to let out
Access control for the network
Firewall as Secretary

A firewall is like a secretary

To meet with an executive
o First contact the secretary
o Secretary decides if meeting is important
o So, secretary filters out many requests

You want to meet chair of CS department?
o Secretary does some filtering

You want to meet the POTUS?
o Secretary does lots of filtering
Firewall Terminology
 No
standard firewall terminology
 Types
of firewalls
o Packet filter  works at network layer
o Stateful packet filter  transport layer
o Application proxy  application layer
 Other
terms often used
o E.g., “deep packet inspection”
Packet Filter
 Operates
at network layer
 Can filters based on…
o
o
o
o
o
o
Source IP address
Destination IP address
Source Port
Destination Port
Flag bits (SYN, ACK, etc.)
Egress or ingress
application
transport
network
link
physical
Packet Filter
 Advantages?
o Speed
 Disadvantages?
o No concept of state
o Cannot see TCP connections
o Blind to application data
application
transport
network
link
physical
Packet Filter

Configured via Access Control Lists (ACLs)
o Different meaning than at start of Chapter 8
Protocol
Flag
Bits
80
HTTP
Any
80
> 1023
HTTP
ACK
All
All
All
All
Action
Source
IP
Dest
IP
Source
Port
Allow
Inside
Outside
Any
Allow
Outside
Inside
Deny
All
All
Dest
Port

Q: Intention?

A: Restrict traffic to Web browsing
TCP ACK Scan

Attacker scans for open ports thru firewall
o Port scanning is first step in many attacks

Attacker sends packet with ACK bit set,
without prior 3-way handshake
o Violates TCP/IP protocol
o ACK packet pass thru packet filter firewall
o Appears to be part of an ongoing connection
o RST sent by recipient of such packet
TCP ACK Scan
ACK dest port 1207
ACK dest port 1208
ACK dest port 1209
Trudy
Packet
Filter
RST
Internal
Network
Attacker knows port 1209 open thru firewall
 A stateful packet filter can prevent this

o Since scans not part of established connections
Stateful Packet Filter
 Adds
state to packet filter
 Operates
at transport layer
 Remembers
TCP connections,
flag bits, etc.
 Can
even remember UDP
packets (e.g., DNS requests)
application
transport
network
link
physical
Stateful Packet Filter

Advantages?
application
o Can do everything a packet filter
can do plus...
o Keep track of ongoing connections
(e.g., prevents TCP ACK scan)

Disadvantages?
o Cannot see application data
o Slower than packet filtering
transport
network
link
physical
Application Proxy



A proxy is something that
acts on your behalf
Application proxy looks at
incoming application data
Verifies that data is safe
before letting it in
application
transport
network
link
physical
Application Proxy

Advantages?
o Complete view of connections
and applications data
o Filter bad data at application
layer (viruses, Word macros)

Disadvantages?
o Speed
application
transport
network
link
physical
Application Proxy




Creates a new packet before sending it
thru to internal network
Attacker must talk to proxy and convince
it to forward message
Proxy has complete view of connection
Prevents some scans stateful packet filter
cannot  next slides
Firewalk


Tool to scan for open ports thru firewall
Attacker knows IP address of firewall and
IP address of one system inside firewall
o Set TTL to 1 more than number of hops to
firewall, and set destination port to N

If firewall allows data on port N thru
firewall, get time exceeded error message
o Otherwise, no response
Firewalk and Proxy Firewall
Trudy
Router
Router
Packet
filter
Router
Dest port 12343, TTL=4
Dest port 12344, TTL=4
Dest port 12345, TTL=4
Time exceeded

This will not work thru an application proxy (why?)

The proxy creates a new packet, destroys old TTL
Deep Packet Inspection
 Many
buzzwords used for firewalls
o One example: deep packet inspection
 What
could this mean?
 Look
into packets, but don’t really
“process” the packets
o Like an application proxy, but faster
Firewalls and Defense in Depth
 Typical
network security architecture
DMZ
FTP server
Web server
DNS server
Internet
Packet
Filter
Application
Proxy
Intranet with
additional
defense
Intrusion Detection Systems
Intrusion Prevention
 Want
to keep bad guys out
 Intrusion prevention is a traditional
focus of computer security
o Authentication is to prevent intrusions
o Firewalls a form of intrusion prevention
o Virus defenses aimed at intrusion
prevention
 Like
locking the door on your car
Intrusion Detection


In spite of intrusion prevention, bad guys
will sometime be successful
Intrusion detection systems (IDS)
o Detect attacks in progress (or soon after)
o Look for unusual or suspicious activity

IDS evolved from log file analysis

IDS is currently a hot research topic

How to respond when intrusion detected?
o We don’t deal with this topic here…
Intrusion Detection Systems

Who is likely intruder?
o May be outsider who got thru firewall
o May be evil insider

What do intruders do?
o Launch well-known attacks
o Launch variations on well-known attacks
o Launch new/little-known attacks
o “Borrow” system resources
o Use compromised system to attack others. etc.
IDS

Intrusion detection approaches
o Signature-based IDS
o Anomaly-based IDS

Intrusion detection architectures
o Host-based IDS
o Network-based IDS

Any IDS can be classified as above
o In spite of marketing claims to the contrary!
Host-Based IDS
 Monitor
activities on hosts for
o Known attacks
o Suspicious behavior
 Designed
to detect attacks such as
o Buffer overflow
o Escalation of privilege, …
 Little
or no view of network activities
Network-Based IDS

Monitor activity on the network for…

Designed to detect attacks such as
o Known attacks
o Suspicious network activity
o Denial of service (DoS)
o Network probes (e.g., port scanning)
o Malformed packets, etc.
Some overlap with firewall
 Little or no view of host-base attacks
 Can have both host and network IDS

Signature Detection Example
Failed login attempts may indicate
password cracking attack
 IDS could use the rule “N failed login
attempts in M seconds” as a signature

o So, if N or more failed login attempts in M
seconds, IDS warns of attack

Note that such a warning is specific
o Admin knows what attack is suspected
o Easy to verify attack (or false alarm)
Signature Detection

Suppose IDS warns whenever N or more
failed logins in M seconds
o Set N and M so false alarms not common
o Can do this based on “normal” behavior


But, if Trudy knows signature threshold,
she can try N − 1 logins every M seconds…
Then signature detection could slow down
Trudy, but might not stop her
Signature Detection
Many techniques used to make signature
detection more robust
 Goal is to detect “almost” signatures
 For example, if “about” N login attempts in
“about” M seconds

o Warn of possible password cracking attempt
o What are reasonable values for “about”?
o Can use statistical analysis, heuristics, etc.
o Must not increase false alarm rate too much
Signature Detection

Advantages of signature detection
o Simple
o Detect known attacks
o Know which attack at time of detection
o Efficient (if reasonable number of signatures)

Disadvantages of signature detection
o Signature files must be kept up to date
o Number of signatures may become large
o Can only detect known attacks
o Variation on known attack may not be detected
Anomaly Detection


Anomaly detection systems look for unusual
or abnormal behavior
There are (at least) two challenges
o What is normal for this system?
o How “far” from normal is abnormal?

No avoiding statistics here!
o mean defines normal
o variance gives distance from normal to abnormal
How to Measure Normal?
 How
to measure normal?
o Must measure during “representative”
behavior
o Must not measure during an attack…
o …or else attack will seem normal!
o Normal is statistical mean
o Must also compute variance to have any
reasonable idea of abnormal
How to Measure Abnormal?

Abnormal is relative to some “normal”

Statistical discrimination techniques include
o Abnormal indicates possible attack
o
o
o
o

Bayesian statistics
Linear discriminant analysis (LDA)
Quadratic discriminant analysis (QDA)
Neural nets, hidden Markov models (HMMs), etc.
Fancy modeling techniques also used
o Artificial intelligence
o Artificial immune system principles
o Many, many, many others
Anomaly Detection (1)

Spse we monitor use of three commands:
open, read, close

Under normal use we observe Alice:
open, read, close, open, open, read, close, …

Of the six possible ordered pairs, we see
four pairs are normal for Alice,
(open,read), (read,close), (close,open), (open,open)

Can we use this to identify unusual activity?
Anomaly Detection (1)
We monitor use of the three commands
open, read, close
 If the ratio of abnormal to normal pairs is
“too high”, warn of possible attack
 Could improve this approach by

o Also use expected frequency of each pair
o Use more than two consecutive commands
o Include more commands/behavior in the model
o More sophisticated statistical discrimination
Anomaly Detection (2)

Over time, Alice has
accessed file Fn at
rate Hn

Recently, “Alice”
has accessed Fn at
rate An
H0
H1
H2
H3
A0
A1
A2
A3
.10
.40
.40
.10
.10
.40
.30
.20

Is recent activity normal for Alice?

We compute S = (H0A0)2+(H1A1)2+…+(H3A3)2 = .02
o We consider S < 0.1 to be normal, so this is normal

How to account for use that varies over time?
Anomaly Detection (2)



To allow “normal” to adapt to new use, we
update averages: Hn = 0.2An + 0.8Hn
In this example, Hn are updated…
H2=.2.3+.8.4=.38 and H3=.2.2+.8.1=.12
And we now have new long-term averages:
H0
H1
H2
H3
.10 .40 .38 .12
Anomaly Detection (2)

The updated long
term average is

Suppose new
observed rates…
H0
H1
H2
H3
A0
A1
A2
A3
.10
.40
.38
.12
.10
.30
.30
.30
Is this normal use?
 Compute S = (H0A0)2+…+(H3A3)2 = .0488

o Since S = .0488 < 0.1 we consider this normal

And we again update the long term averages:
Hn = 0.2An + 0.8Hn
Anomaly Detection (2)

The starting
averages were:

After 2 iterations,
averages are:
H0
H1
H2
H3
H0
H1
.10
.40
.40
.10
.10
.38
H2
H3
.364 .156
Statistics slowly evolve to match behavior
 This reduces false alarms…
 …but also opens an avenue for attack

o Suppose Trudy always wants to access F3
o Can she convince IDS this is normal for Alice?
Anomaly Detection (2)


To make this approach more robust, must
incorporate the variance
Can also combine N stats Si as, say,
T = (S1 + S2 + S3 + … + SN) / N
to obtain a more complete view of “normal”


Similar (but more sophisticated) approach
is used in an IDS known as NIDES
NIDES combines anomaly & signature IDS
Anomaly Detection Issues

Systems constantly evolve and so must IDS
o Static system would place huge burden on SAs
o But evolving IDS makes it possible for attacker to
(slowly) convince IDS that an attack is normal
o Attacker may win by simply “going slow”

What does “abnormal” really mean?
o Indicates there may be an attack
o Might not be any specific info about “attack”
o How to respond to such vague information?
o In contrast, signature detection is very specific
Anomaly Detection

Advantages?
o Chance of detecting unknown attacks

Disadvantages?
o Cannot use anomaly detection alone…
o …must be used with signature detection
o Reliability is unclear
o May be subject to attack
o Anomaly detection indicates “something unusual”,
but lacks specific info on possible attack
Anomaly Detection: The
Bottom Line
Anomaly-based IDS is active research topic
 Many people have high hopes for its ultimate
success
 Often cited as key future security technology
 Hackers are not convinced

o Title of a talk at Defcon: “Why Anomaly-based
IDS is an Attacker’s Best Friend”
Anomaly detection is difficult and tricky
 As hard as AI?

Capture and Containment
 Defense
--- keep worms out
 Capture and contain --- keep worms in
o That is, prevent further spread
o Might “sacrifice” some machines
 Early
capture is useful
o Honeypot
 Containment
measures?
o Reverse firewalls and throttling
Honeypots
 Designed
to look like a good target
 Originally aimed at human attackers
 But now, for viruses, worms, etc.
 Used by researchers and AV vendors
o AV vendor sees new attacks
o Researchers study new attacks, attack
patterns, malware development cycle,
etc.
Honeypots
 Properties
of honeypot?
o Must be complete enough to look real
o Impossible for worm to “break out”
o Easy to restore after attack
 How
is honeypot built?
o Emulation --- many of same difficulties
as in virus detection
Honeypots
 How
do you know if it’s a worm in the
honeypot?
o Perhaps honeypot does not attract any
legitimate traffic
o This won’t attract passive scanning worm
 For
random scanning worm, need lots
of honeypots
 For “smart” worm, honeypot must make
itself look attractive --- how?
Honeypots
 What
does honeypot do with worm?
o Samples for analysis
o Early warning
o Measure of worm activity
 Honeypot
might act as a “tarpit”
o Respond slowly --- slow down rapid worm
o No response --- could be devastating to
“hit list” worm
Reverse Firewalls
 Filter
outgoing traffic
o Same principles as inbound firewalls
 Host-based
reverse firewall
o Can limit activity based on application
 Worm
might still succeed…
o Use shared network directories
o Subvert previously-checked code
o Use social engineering
o Take advantage of false positives
Throttling
 Limit
rate of
connections
o For
outbound
connections
o Throttle all
applications
Throttling
 Can
be refined
o Allow more connections to those recently
connected to
o Take success into account
o “Safe” connections delayed by a little
o Lots of waiting connections is suspicious
 Load
balancing/fair share?
o Might adversely affect fast worms
Automatic Countermeasures
 How
to respond automatically?
o I.e., no human intervention required
o Why would we want to do this?
 Two
questions to consider…
 How to detect worm activity?
 What countermeasures to take?
How to Detect Worms?
 Automatic
detection, that is
 Already considered honeypots,
throttling issues, IDS, etc.
 Others?
o Lots of traffic on one port with many
different destination IPs (Why?)
o Few DNS queries relative to number of
connection attempts (Why?)
Worm Detected?
 Automatic
countermeasures?
o Isolate affected machines
o Isolate critical networks
o Shut down targeted servers
o Automatically insert filtering rules into
firewalls
o Drop traffic to affected servers
 Risks
of automatic countermeasures?