Intrusion Detection

Published on February 2017

1 Abstract

An Intrusion Detection System (IDS), as the name implies, detects intrusions in a network, whether they originate inside or outside the network. IDS have become a vital component of the security toolbox.

2 Introduction

An Intrusion Detection System is any hardware, software, or combination of both that monitors a system or network of systems for malicious activity. It is mainly used for detecting break-ins or misuse of the network. In short, the IDS is the "burglar alarm" for the network: much like a burglar alarm, it detects the presence of an attack in the network and raises an alert. An IDS provides three functions: monitoring, detecting and generating an alert. IDS are often considered part of the functionality of a firewall, but there is a thin line of difference between them. A firewall must be regarded as a fence that protects the information flow and prevents intrusions, whereas an IDS detects whether the network is under attack or whether the security enforced by the firewall has been breached. Together, firewall and IDS enhance the security of the network. An Intrusion Detection System uses a security policy (or rules) to detect unusual activity. These rules are defined by the administrator based on the needs of the organization. Any activity that violates this security policy is considered a security threat and is reported to the administrator via email, pager or SNMP trap. These policies must be updated regularly to keep up with evolving threats and needs.

3 Types of IDS

There are three main types of Intrusion Detection Systems:
- Host Based
- Network Based
- Stack Based

3.1 Host Based IDS

A host-based IDS (HIDS) is installed on a host in the network. HIDS collects and analyzes the traffic that originates from or is destined for that host. HIDS leverage their privileged access to monitor specific components of a host that are not readily accessible to other systems. Specific components of the operating system, such as the passwd file in UNIX and the Registry in Windows, can be watched for misuse; making such components available to a NIDS to monitor would carry great risk. Although HIDS is far better than NIDS at detecting malicious activity against a particular host, it has a limited view of the overall network topology and cannot detect an attack targeted at a host on which no HIDS is installed.

3.2 Network Based IDS

Network-based IDSs (NIDS) are placed at key points of the network infrastructure and monitor traffic as it flows to other hosts. Unlike HIDS, NIDS can monitor the whole network and detect malicious activity aimed at that network. The monitoring criteria for a specific host in the network can be tightened or relaxed with relative ease. A NIDS must be able to withstand a large volume of network traffic to remain effective: as network traffic grows exponentially, the NIDS must capture all of it and analyze it in a timely manner.

3.3 Stack Based IDS

Stack-based IDS is the latest technology. It works by integrating closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI layers. Watching packets in this way allows the IDS to pull a packet from the stack before the OS or application has a chance to process it.

4 IDS Techniques

4.1 Signature Detection

In this technique, known representations of intrusions (signatures) are stored in the IDS and compared against system activity. When activity matches a known signature, an alert is raised. Signatures must be created to match exactly the characteristics (protocols or contents of the traffic) of a specific intrusion and no other activity, in order to avoid false positives. This technique is the most accurate for detecting known attacks, e.g. a DoS attack.

4.2 Anomaly Detection

Anomaly detection detects misuse by measuring the norm over time and then generating an alert when a pattern differs from that norm. In this technique, a set of data is gathered from the system activity of the user and this data set is baselined. If the flow of traffic deviates from the baselined pattern, an alarm is raised.

4.3 Target Monitoring

Target monitoring works by generating a cryptographic hash for every file on the system and periodically comparing that hash to the file's original hash to ensure that no change has occurred. This type of system is the easiest to implement, because it does not require constant monitoring by the administrator. Integrity checksum hashes can be computed at whatever interval we wish, on either all files or just the critical files.
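As an added example (not code from the paper), a minimal target-monitoring check in Python: it baselines SHA-256 hashes of a constructed set of watched files in a temporary directory, then reports files that are later modified or removed. The file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed stand-ins for "critical files" (relative paths -> contents).
SAMPLE_FILES = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "etc/hosts": b"127.0.0.1 localhost\n",
}


def file_hash(path: str, algorithm: str = "sha256") -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str, paths: List[str]) -> Dict[str, str]:
    """Record the current hash of every watched file under root."""
    return {p: file_hash(os.path.join(root, p)) for p in paths}


def check_integrity(root: str, baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Re-hash each baselined file; return (path, finding) for anything that changed."""
    findings = []
    for rel, expected in baseline.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings.append((rel, "missing"))
        elif file_hash(full) != expected:
            findings.append((rel, "modified"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Create the sample tree, baseline it, then simulate misuse and re-check."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        baseline = build_baseline(root, list(SAMPLE_FILES))
        clean = check_integrity(root, baseline)        # expected: no findings
        # Simulated misuse: a UID-0 account appended to passwd, hosts deleted.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"eve:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc/hosts"))
        return clean + check_integrity(root, baseline)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:9} {path}")
```

The baseline itself must be kept where an intruder on the host cannot rewrite it (read-only media or another system), otherwise the comparison proves nothing.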

4.4 Stealth Probes

The stealth probe technique attempts to detect attackers who choose to carry out their mission over a prolonged period of time. Attackers, for example, may check for system vulnerabilities and open ports over a two-month period, then wait another two months before actually launching the attack. This technique collects a wide variety of data throughout the system, checking for methodical attacks over a long period of time. It takes a wide-area sampling and attempts to discover any correlated attacks.

5 Common ID Framework

The Common ID Framework defines a set of components that are widely used by existing ID systems.

- Event Generator (E-Box): The function of the E-box is to provide information about events to the rest of the IDS. It grabs the event in raw form and makes it available to the IDS for further operations on that event.
- Event Analyzer (A-Box): It analyzes the events it receives from the generator and looks for any potential intrusion activity.
- Event Database (D-Box): It defines the means for storing data for further analysis. The amount of data generated by E-boxes and A-boxes can be immense, and the data may be needed in future for further analysis.
- Response Box (R-Box): The R-box enables the ID system to take appropriate countermeasures against a detected intrusion, such as killing a process or resetting the connection.

6 Issues with IDS

Although IDS is not a new idea, it is not yet a fully mature and researched technology. It has some limitations, which include:

- Generating too many "false positive" alerts. An administrator may dismiss a real attack as another false alarm, in effect negating the function of the IDS.
- IDS output a large amount of audit data that must be analyzed and examined by human operators to detect intrusions and misuse.
- In IDS it is difficult to constantly configure and update security rules.
- Network-based IDS is unreliable on high-speed and switched networks.

Port Scanning

Introduction

There are various port scanners that use a simple method of scanning. These applications work at the application level and are quite slow. This scanner is faster than a normal scanner: it is based on the TCP Half Open Scanning (TCP SYN scanning) technique, which is less detectable than the simple port scanner.

Packet Sniffing

Introduction

A packet sniffer, or network analyzer, is a wire-tap device that plugs into computer networks and eavesdrops on the network traffic. Capturing the information going over the network is called sniffing. A sniffer is a program that lets someone listen in on computer conversations. However, computer conversations consist of apparently random binary data. Therefore, network wiretap programs also come with a feature known as "protocol analysis", which allows them to "decode" the computer traffic and make sense of it.

These tools, known as network sniffers, are named after a product called the Sniffer Network Analyzer. Introduced in 1988 by Network General Corp. (now Network Associates Inc.), the Sniffer was one of the first devices that let managers sit at their desks and take the pulse of the larger network. The original sniffers read the message headers of data packets on the network, giving administrators details about the addresses of senders and receivers, file sizes and other low-level information about those packets, in addition to verifying transmission. Using graphs and text-based descriptions, sniffers helped network managers evaluate and diagnose performance problems with servers, the network wire, hubs and applications. They help keep networks humming, but they can also be used by hackers to uncover user names and passwords from data packets traveling across public or private WANs. Encrypting the headers of data packets (using the Secure Sockets Layer standard in browser-based environments, for example) thwarts sniffer-assisted password theft.

Sniffing also has one advantage over telephone wiretaps: many networks use "shared media". Sharing means that computers can receive information that was intended for other machines. This means that you don't need to break into a wiring closet to install your wiretap; you can do it from almost any network connection to eavesdrop on your neighbors. However, this "shared" technology is moving quickly toward "switched" technology, where this will no longer be possible, which means you will have to actually tap into the wire.

A sniffer being used on a network to snoop passwords and anything else is considered a passive attack. A passive attack is one that doesn't directly intrude onto a foreign network or computer. On the other hand, an active attack directly interfaces with a remote machine. Remote buffer overflows, network floods and other similar attacks fall under the category of active attacks. By nature, passive attacks are not meant to be discovered by the person(s) being attacked: at no point should they have any indication of your activity. This makes sniffers just as serious as any active attack.

Types of Sniffers

Today, sniffers exist in two broad varieties:
- The first is a stand-alone product incorporated into a portable computer that consultants can carry to customer sites and plug into the network to gather diagnostic data.
- The second is part of a larger package of network-monitoring hardware and software for helping organizations keep tabs on their LANs, WANs and Web services.

Thus commercial packet sniffers are used to help maintain networks. Underground packet sniffers are used to break into computers.

Functions of sniffers

- They provide administrators a centralized view of networks to monitor high-level activity, such as which applications are running, which users are logged on to the network and who is the source of unusually large files or high volumes of traffic.
- Rather than merely identifying low-level characteristics such as packet source and destination, current sniffers can decode data from all seven layers of the Open Systems Interconnection network stack and can often recommend fixes for problems. If application-level analysis fails to provide a solution, sniffers can drill into low-level activities.
- Conversion of data to human-readable formats so that people can read the traffic.
- Used along with network intrusion detection in order to discover hackers/crackers.
- Modern sniffers typically incorporate remote monitoring standards (RMON and RMON 2) that define a standard way for systems to automatically collect key performance data points such as resource utilization. RMON-savvy sniffers can take constant readings on the health of network components and compare those readings against historical trends. If necessary, they can trigger alarms when traffic loads or performance delays surpass limits set by network administrators.

Capturing of Packets by Sniffers

A sniffer captures the data coming in and going out of the network interface card or modem and displays that information in a table.

The analysis of a captured frame

The following is a captured frame that is actually an HTTP GET request issued from my PC to another host. This frame was captured using the Windows NT Server (4.0) Network Monitor.

3C 2E AC 00 01 01 00 01 D0 E1 66 80 08 00 45 00 01 F7 E8 80 40 00 80 06 39 40 C2 7E 57 A5 D1 01 EC 1A
A Captured Frame

Each box represents a byte of the frame. The number in each box is a hexadecimal number. This frame can be broken down into different parts:

The Ethernet header - Bytes 1 to 14
The IP header - Bytes 15 to 35
The TCP header - Bytes 36 to 56
The actual data, i.e. the HTTP GET request.

The Ethernet Header

3C 2E AC 00 01 01 00 01 D0 E1 66 80 08 00

The Ethernet header is 14 bytes long. Ethernet operates at the Network Access layer and is a type of datalink protocol. Other datalink protocols include Token Ring, ATM and Frame Relay. Each of these has a standard set of rules to which it must comply, defining such things as media access control, the maximum transmission unit size and what we are looking at here: the header length and makeup.

Every network interface card has a unique address known as a MAC (Media Access Control) address. This is a physical address, not a logical one such as an IP address. The first 6 bytes represent the source MAC address and the next 6 bytes denote the destination MAC address. Communication between hosts at the datalink level uses this MAC address. When a message is propagated throughout a network segment, each receiving NIC will look at the destination hardware address in the frame and either A) ignore it or B) pick it up. It will only do B in these circumstances: if the destination address is the address of the receiving computer, or if the broadcast MAC address (FFFFFF) is set as the destination address.

This leads to the question: what happens if you don't know the MAC address of the machine you are trying to communicate with? A protocol called the Address Resolution Protocol (ARP) does this for you. ARP sends out a message using the broadcast MAC address, requesting that the machine using IP address xxx.xxx.xxx.xxx respond with its MAC address. Every machine on the network segment receives this message and checks its IP address. If it finds it does have that IP address, it responds accordingly; if not, it goes on about its business.

The next two bytes represent which protocol the Ethernet header is framing. Here we can see the value is 08 00. Hex 08 00 represents IPv4. Below are some other common protocols:
08 06 - ARP
08 08 - Frame Relay ARP
86 DD - IP Next Generation (IPv6)
08 05 - X.25 level 3

The IP Header

45 00 01 F7 E8 80 40 00 80 06 39 40 C2 7E 57 A5 D1 01 EC 1A

Each box represents an 8-bit byte (commonly known as an octet). The figure in each box is a hexadecimal number. A normal IP header breaks down like this:

Byte 1: The first byte (45) is divided into two 4-bit halves. The leading 4 bits (the number 4) denote which version of IP the datagram is using; as we can see, it is using IPv4. In an IPv6 header this 4 would become a 6. However, the IPv6 header is somewhat different from the IPv4 header, and as this tutorial is about v4 we won't go into that now. The remaining 4 bits of the first byte show how long the IP header is. The value is counted in units of 4 bytes, so we know that the IP header is 20 bytes long (5 x 4 bytes = 20). In binary the first byte is represented as 0100 0101.

Byte 2: The second byte provides information to the gateways (or routers) as the datagram travels along the network path from the source to the destination host. This byte is commonly known as the Type of Service (TOS) byte and is also divided like the first byte, but not so equally. The first 3 bits denote how important this IP datagram is, i.e. its Precedence. Usually all the bits are set to 0 (000). This is the standard and marks the IP datagram as "Routine". The more important the data is, the higher these three bits are set: (001) for Priority, (010) for Immediate, (011) for Flash and so on. A router will drop everything else to pass through a Flash datagram. Note how close this information is to the beginning of the header: this way a router learns almost immediately the priority of a datagram and can base its following actions on that.

The next 4 bits represent delay, throughput, reliability and cost.
Delay: if this bit is set to 1, the datagram requests that the router send it via a path that offers the least delay (propagation delay).
Throughput: if this bit is set to 1, it asks the router to send the datagram through the path that has the most bandwidth, i.e. the amount of data that can be pushed through a pipe in a given moment.
Reliability: while data travels over the lines, too much noise (whether crosstalk or electromagnetic interference (EMI)) can corrupt or lose it. If this bit is set to 1, the datagram requests a path with the least chance of data loss.
Cost: some network paths can be more expensive to use than others, e.g. a microwave link is more expensive than a frame relay route. This bit allows you to request a path whether it is the more expensive one or not.
The last bit of the second byte is reserved, as per the RFC, for future use.

Bytes 3 and 4: The next two bytes (01 F7) represent the total IP datagram length. In this case it's 503 bytes (01 F7 hex = 503 decimal). Because the total length field is limited to two bytes, the maximum possible size for an IP datagram is 65535 bytes (FF FF hex). Remember, though, that the datalink protocol being used may have a maximum transmission unit (MTU) smaller than 65535 bytes. In this case the datalink protocol is Ethernet, which has an MTU of 1500 bytes.

Bytes 5 and 6: When an IP datagram is fragmented, i.e. chopped up into more manageable chunks, there has to be a way for the receiving host to reassemble it. The next two bytes (E8 80) denote the datagram ID number. Each fragment of the IP datagram will have the same ID number. The next two bytes are linked to this.

Bytes 7 and 8: These bytes represent the fragment area. When IP has a datagram to send, it contacts the protocol operating at the datalink level to ascertain how much data it can handle at any one time, i.e. the MTU. IP then divides its data into chunks that the datalink protocol can handle. If fragmentation is necessary, IP uses these two bytes to keep track of each fragment.

Byte 9: This byte (80) represents the Time To Live (TTL). The TTL is a timing method used by routers to kill off any datagrams that are not delivered for whatever reason. The TTL byte here is set to hex 80 (128 decimal), so this datagram has 128 "seconds" to live. If it doesn't reach the destination by then, it will be discarded. When the datagram comes to the first router in its journey, the router reduces this number, and every router along the way reduces it further, so when it reaches the host at the receiving end this number will have a lower value.

Byte 10: This byte denotes which higher-level protocol the IP datagram is carrying. In this case it's (06), i.e. the Transmission Control Protocol (TCP). Others are:
(01) ICMP (Internet Control Message Protocol)
(08) EGP
(11) UDP (User Datagram Protocol)
(59) OSPF (Open Shortest Path First)
(58) IGRP

Bytes 11 and 12: These two bytes (39 40) make up the header checksum. This is as much as IP will do for data integrity; it is a connectionless protocol, after all. IP assumes that most of the error checking will be done by higher-level protocols such as TCP.

Bytes 14 to 20: The first four make up the source IP address and the last 4 bytes make up the destination IP address:
C2 7E 57 A5 > 194.126.87.165
D1 01 EC 1A > 209.1.236.26
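As an added example (not code from the paper), the Python parser below decodes the captured frame quoted above field by field, as the text walks through it, and recomputes the IP header checksum to verify the 39 40 value. One caveat a practitioner should know: the IEEE 802.3 layout (and the Ethernet frame figure later on this page) places the destination MAC first and the source MAC second, and the parser follows that order.

```python
import struct
from typing import Any, Dict

# The captured frame quoted in the text: 14-byte Ethernet header + 20-byte IPv4 header.
CAPTURED_HEX = (
    "3C 2E AC 00 01 01 00 01 D0 E1 66 80 08 00 "
    "45 00 01 F7 E8 80 40 00 80 06 39 40 C2 7E 57 A5 D1 01 EC 1A"
)

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x0808: "Frame Relay ARP", 0x86DD: "IPv6"}
IP_PROTOCOLS = {0x01: "ICMP", 0x06: "TCP", 0x08: "EGP", 0x11: "UDP", 0x59: "OSPF", 0x58: "IGRP"}


def ip_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words, then complemented.
    Run over a header that already contains its checksum, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> Dict[str, Any]:
    """Decode the Ethernet header and, for EtherType 0x0800, the IPv4 header."""
    # IEEE 802.3 order: destination MAC, source MAC, EtherType.
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {
        "dst_mac": dst.hex(":"),
        "src_mac": src.hex(":"),
        "ethertype": ETHERTYPES.get(ethertype, "0x%04x" % ethertype),
    }
    if ethertype != 0x0800:
        return out
    ip = frame[14:]
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum) = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4               # header length is counted in 4-byte units
    out.update({
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "precedence": tos >> 5,              # top 3 bits of the TOS byte
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "protocol": IP_PROTOCOLS.get(proto, str(proto)),
        "checksum": csum,
        "checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
    })
    return out


def parse_captured() -> Dict[str, Any]:
    """Parse the frame from the text (bytes.fromhex ignores the spaces)."""
    return parse_frame(bytes.fromhex(CAPTURED_HEX))


def with_ttl(frame: bytes, ttl: int) -> bytes:
    """Copy of the frame with the IP TTL byte rewritten and the checksum left as is,
    which is what a corrupted or tampered header looks like to a sniffer."""
    buf = bytearray(frame)
    buf[14 + 8] = ttl
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_captured().items():
        print(f"{key:14} {value}")
```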

[Figure: An Ethernet Setup. Alice and Bob are connected across the Internet through a router; a sniffer sits on the network.]

Alice has IP address 10.0.0.23. Bob has IP address 192.168.100.54. In order to talk to Bob, Alice needs to create an IP packet of the form:

10.0.0.23 -> 192.168.100.54

As the packet traverses the Internet, it will be passed from router to router. Therefore, Alice must first hand off the packet to the first router. Each router along the way will examine the destination IP address (192.168.100.54) and decide the correct path it should take. In the diagram, we draw the Internet as a "cloud". All Alice knows about is the local connection to the first router and Bob's eventual IP address. Alice knows nothing about the structure of the Internet or the route the packet will take. Alice must talk to the router in order to send the packet. She uses the Ethernet to do so. An Ethernet frame looks like the following:

Destination MAC | Source MAC | 08 00 | IP packet ... | CRC
Fig. An Ethernet Frame

What this means is that the TCP/IP stack in Alice's machine might create a packet that is 100 bytes long (let's say 20 bytes for the IP info, 20 bytes for the TCP info, and 60 bytes of data). The TCP/IP stack then sends it to the Ethernet module, which puts 14 bytes on the front for the destination MAC address, source MAC address, and the ethertype 0x0800 to indicate that the other end's TCP/IP stack should process the frame. It also attaches 4 bytes on the end with a checksum/CRC (a validator to see whether the frame gets corrupted as it goes across the wire).

What Is Half Open Scanning?

When any two hosts want to communicate, a connection must be established between them. In the case of TCP, a three-way handshake takes place before any communication begins. This is called a full connection and the process is described below.

1. Host A sends the SYN packet (TCP packet with SYN flag set) to host B.

2. If the port is open, host B responds by sending a SYN+ACK packet. Otherwise, it sends an RST+ACK packet to host A.
3. Host A sends the ACK packet to host B (if the SYN+ACK packet is received).

Once the connection is established, both machines can transmit data packets until one of them ends the connection by sending a FIN packet. Some of the simple port scanners use this technique. It can be implemented by creating a socket and calling a Connect method on each port. This is simple to implement but quite slow, and moreover it can easily be detected. Half-open scanning is faster and more efficient than the full scanning technique. The half-open connection is explained below.

1. Host A sends the SYN packet (TCP packet with SYN flag set) to host B.
2. If the port is open, host B responds by sending a SYN+ACK packet. Otherwise, it sends an RST+ACK packet to host A.

Because host A does not send any further ACK packet, this is called a half-open connection. Now host A can easily find out whether the target port is open or closed: if it receives a TCP packet with the SYN+ACK flags set, the target port is open; if it receives an RST+ACK packet, the target port is closed. In this method a full handshake does not take place; therefore it is much faster than the full scanning method. Because the implementation has to be done at the protocol level, knowledge of the TCP/IP protocol suite is essential.

Implementation

The core part of the implementation is sending the TCP packet and the ARP packet. This involves building the raw packet by filling in all headers. For this, we must know the MAC address of the source and destination machines. A MAC address, also called an Ethernet address, is the address associated with an Ethernet adapter.

Find source MAC address

There are various methods for obtaining the source MAC address. This method is simple:

    #include <winsock2.h>
    #include <iphlpapi.h>   /* GetAdaptersInfo; link with iphlpapi.lib */
    IP_ADAPTER_INFO adapter[5];
    DWORD buflen = sizeof(adapter);
    DWORD status = GetAdaptersInfo(adapter, &buflen);
    /* on ERROR_SUCCESS, adapter[0].Address holds the MAC (adapter[0].AddressLength bytes) */

Now the adapter structure contains the source MAC address.

Find destination MAC address

This is done by sending an ARP packet. An ARP packet is used to determine a host's MAC address when its IP address is known. First, an ARP request packet is sent by specifying the source MAC address, source IP address and destination IP address. The ARP reply packet contains the destination MAC address. This method also prevents the target host from sending an ARP packet to the source host when the source host sends the first SYN packet during the scanning process, because from the ARP request packet we have sent, the target host already knows the MAC address of the source host.

Scanning process

The scanning process involves building a TCP packet. For this, one has to prepare the Ethernet header, IP header and TCP header. The header file packet.h contains the format details for each of these headers. You can refer to the RFCs for details regarding these formats. During scanning, a TCP SYN packet is sent each time with a different port number. Then the corresponding reply packet is checked for the flags RST+ACK or SYN+ACK. Based upon these flags, the target port status is determined.

Requirements

You need WinPcap (the Windows version of libpcap) to run this application. It can be downloaded from this location. It contains the setup file along with good documentation that explains capturing and sending packets in detail. I advise you to go through the WinPcap documentation before going through the source code.

Diagram

[Figure: IDS Structure]

Future Enhancement

1. Port scan detection.
2. Signature-based intrusion detection.
3. Hardware-based firewall.
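Port scan detection, the first enhancement listed above, as an added example (not code from the paper): a Python detector that takes constructed packet records (standing in for the E-box), tracks which SYNs never complete the handshake described under "What Is Half Open Scanning?" (the A-box), and raises one alert per source when enough distinct ports are probed within a time window. The hosts, capture and thresholds are constructed for the demo; a long window is what catches the slow probes described under Stealth Probes.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Packet(NamedTuple):
    ts: float        # seconds since capture start
    src: str
    dst: str
    sport: int
    dport: int
    flags: str       # "S" = SYN, "SA" = SYN+ACK, "A" = ACK, "RA" = RST+ACK


# Constructed hosts for the demo (the addresses from the text's Alice/Bob diagram).
SCANNER, TARGET, CLIENT = "10.0.0.23", "192.168.100.54", "10.0.0.5"
OPEN_PORTS = {22, 80}


def synthetic_capture(gap: float) -> List[Packet]:
    """E-box stand-in: one client completing a handshake, then a half-open probe of
    eight ports from SCANNER with `gap` seconds between probes (no third ACK is sent)."""
    pkts = [
        Packet(0.0, CLIENT, TARGET, 40000, 80, "S"),
        Packet(0.1, TARGET, CLIENT, 80, 40000, "SA"),
        Packet(0.2, CLIENT, TARGET, 40000, 80, "A"),
    ]
    t = 1.0
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443]):
        sport = 50000 + i
        pkts.append(Packet(t, SCANNER, TARGET, sport, port, "S"))
        reply = "SA" if port in OPEN_PORTS else "RA"
        pkts.append(Packet(t + 0.01, TARGET, SCANNER, port, sport, reply))
        t += gap
    return sorted(pkts, key=lambda p: p.ts)


def detect_syn_scans(packets: List[Packet], window: float, threshold: int) -> Dict[str, dict]:
    """A-box: per (src, dst) pair, record each SYN and what became of it; alert on a
    source that probes `threshold` or more distinct ports inside `window` seconds
    without completing the handshake. Returns {source: {"target", "open", "closed"}}."""
    probes = defaultdict(dict)   # (src, dst) -> {dport: [ts, state]}
    for p in packets:
        if p.flags == "S":
            probes[(p.src, p.dst)][p.dport] = [p.ts, "syn"]
            continue
        back = probes.get((p.dst, p.src), {})     # replies travel target -> prober
        fwd = probes.get((p.src, p.dst), {})
        if p.flags == "SA" and p.sport in back:
            back[p.sport][1] = "open"
        elif p.flags == "RA" and p.sport in back:
            back[p.sport][1] = "closed"
        elif "A" in p.flags and p.dport in fwd:   # prober's ACK finishes the handshake
            fwd[p.dport][1] = "completed"
    alerts = {}
    for (src, dst), ports in probes.items():
        pending = sorted((ts, port, st) for port, (ts, st) in ports.items() if st != "completed")
        for i, (t0, _, _) in enumerate(pending):     # sliding window over probe times
            burst = [x for x in pending[i:] if x[0] <= t0 + window]
            if len(burst) >= threshold:
                alerts[src] = {
                    "target": dst,
                    "open": {port for _, port, st in burst if st == "open"},
                    "closed": {port for _, port, st in burst if st == "closed"},
                }
                break
    return alerts


if __name__ == "__main__":
    print("fast scan:", detect_syn_scans(synthetic_capture(gap=0.5), window=10, threshold=5))
    print("slow scan, 60 s window:", detect_syn_scans(synthetic_capture(gap=3600), window=60, threshold=5))
    print("slow scan, 1 day window:", detect_syn_scans(synthetic_capture(gap=3600), window=86400, threshold=5))
```

The alert also lists which probed ports answered SYN+ACK, which is exactly what the scanner learned and therefore what the responder should assume is now known.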
