
Network Security & Attacks – Part II
COMP90073 Security Analytics
Dr. , CIS Semester 2, 2021
COMP90073 Security Analytics © University of Melbourne 2021

Outline
• More Network Attacks
• Network Security Systems
• Case Study – Network Attack Traffic Analysis

More Network Attacks
• Spoofing Attacks & BGP Hijacking Attack
• Password Attacks
• Wireless Attacks
• Key Patterns for Well-Known Attacks

Spoofing Attacks & BGP Hijacking Attack
• Spoofing attack: an attacker impersonates another device to execute an attack
– IP address spoofing attack: The attacker sends IP packets from a fake source address in order to disguise itself. DDoS attacks typically use IP spoofing to make the packets appear to be from legitimate source IP addresses
– ARP spoofing attack: The attacker sends spoofed ARP packets across the Layer 2 network in order to link the attacker’s MAC address with the IP address of a legitimate host
– DNS server spoofing attack: The attacker modifies the DNS server in order to reroute a specific domain name to a different IP address. DNS server spoofing attacks are typically used to spread malware
• BGP hijacking attack: a common router manipulation attack; it can be launched by an attacker configuring or compromising an edge router to announce prefixes that have not been assigned to his or her organization, rerouting the victim’s traffic to the attacker

Spoofing Attacks & BGP Hijacking Attack
ARP spoofing
https://www.imperva.com/learn/wp-content/uploads/sites/13/2020/03/thumbnail_he-ARP-spoofing-attacker-pretends-to-be-both-sides-of-a-network-communication-channel.jpg.webp

Spoofing Attacks & BGP Hijacking Attack
• BGP Hijacking
https://labs.bishopfox.com/tech-blog/2015/08/an-overview-of-bgp-hijacking

Password Attacks
• Password-guessing attack: This is the most common type of password attack, but some of these techniques may be very inefficient. Threat actors can guess passwords locally or remotely using either a manual or automated approach
• Password-resetting attack: In many cases, it is easier to reset passwords than to use tools to guess them. Several cracking tools just attempt to reset passwords. In most cases, the attacker boots from a USB or CD-ROM to get around the typical Windows protections

Password Attacks
• Password cracking: These attacks work by taking a password hash and converting it to its original plaintext. In this case, the attacker needs tools such as extractors for hash guessing, rainbow tables for looking up plaintext passwords, and password sniffers to extract authentication information
• Password sniffing: The threat actor just sniffs authentication packets between a client and server and extracts password hashes or enough authentication information to begin the cracking process
• Password capturing: This is typically done by using key loggers or Trojan horses

Wireless Attacks
• Installing a rogue access point: The attacker basically installs an access point and can create a backdoor and obtain access to the network and its systems
• Jamming wireless signals and causing interference: The purpose of this attack is to cause a full or partial denial-of-service condition in the wireless network
• Evil twin attack: This is done when the attacker is trying to create rogue access points so as to gain access to the network or steal information, e.g.,
– the attacker purchases a wireless access point, plugs it into the network, and configures it exactly the same as the existing network

Wireless Attacks
• War driving: This is a methodology used by attackers to find wireless access points wherever they may be. The term war driving is used because the attacker can simply drive around and gather a huge amount of information over a very short period of time
• Bluejacking: The attacker sends unsolicited messages to another device via Bluetooth
• IV attack: The attacker can cause some modification on the Initialization Vector (IV) of a wireless packet that is encrypted during transmission. The goal of the attacker is to obtain a lot of information about the plaintext of a single packet and generate another encryption key that then can be used to decrypt other packets using the same IV
• WEP/WPA attack: WEP and several versions of WPA are susceptible to different vulnerabilities and are considered weak
• WPS attack: This attack is carried out with WPS password-guessing tools to obtain the WPS passwords and use them to gain access to the network and its data

Wireless Attacks (Jamming)
• RTS/CTS
• Jamming attacks [3]:
– Constant jamming
– Reactive jamming
– Random and periodic jamming
Figures: RTS/CTS handshake; Reactive jamming

Key Patterns for Well-Known Attacks
Patterns and their corresponding attack activities (Source: [2])

Key Patterns for Well-Known Attacks
• Pattern 1 consists of a single feature: source IP address (srcIP). In most large-scale scan scenarios, a common source IP address can be observed across different network domains, since attackers try to map the whole network at once
• Pattern 2 consists of the combination of source IP address and source port (srcIP + srcPrt). For example, during a flash crowd (a huge number of hosts create excessive connections that unintentionally overwhelm a server) on a web server, a large number of responses from this web server will be sent out in reply to the flash-crowd requests. Consequently, many HTTP (srcPrt = 80) traffic flows from this web server (srcIP) can be observed
• Pattern 3 consists of the combination of source IP address and destination port (srcIP + dstPrt). For example, this pattern can be observed when a master controller instructs its daemons or slave hosts (on destination port 27444) to launch a denial-of-service attack against a target system

Key Patterns for Well-Known Attacks
• Pattern 4 consists of the combination of source IP address and protocol (srcIP + protocol). In most worm attacks, when an infected system tries to spread itself to others, this pattern can be observed across different subnetworks
• Pattern 5 consists of the combination of source IP address, source port, and destination port (srcIP + srcPrt + dstPrt). For example, this pattern can be observed during a distributed reflector DoS attack
• Pattern 6 consists of the combination of source IP address, source port and protocol (srcIP + srcPrt + protocol). For example, if a target is undergoing a large-scale SYN flood attack, there will be a large number of SYN-ACK packets sent by the target in reply to the attack sources. From the perspective of the subnetworks that contain the attack sources, they will see many SYN-ACK packets (protocol = TCP) arriving where there is no ongoing transaction, sent by a target system (srcIP) on a certain port (srcPrt)

Key Patterns for Well-Known Attacks
• Pattern 7 consists of the combination of source IP address, destination port and protocol (srcIP + dstPrt + protocol). For example, this pattern was observed during the W32/Blaster worm outbreak
• Pattern 8 consists of the combination of source IP address, source port, destination port and protocol (srcIP + srcPrt + dstPrt + protocol). For example, this pattern can be observed across different network domains when an infected system tries to spread itself to others during the SQL Slammer worm outbreak
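The eight patterns above are feature projections of flow records; which combination aggregates an attacker's activity into one large key depends on which fields the attacker varies. The following added example (not from the lecture or from [2]) implements the patterns as aggregation keys over constructed sample flows; the addresses, ports and threshold are assumptions.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Pattern number -> flow fields forming the aggregation key (slides' Patterns 1-8)
PATTERNS: Dict[int, Tuple[str, ...]] = {
    1: ("srcIP",),
    2: ("srcIP", "srcPrt"),
    3: ("srcIP", "dstPrt"),
    4: ("srcIP", "protocol"),
    5: ("srcIP", "srcPrt", "dstPrt"),
    6: ("srcIP", "srcPrt", "protocol"),
    7: ("srcIP", "dstPrt", "protocol"),
    8: ("srcIP", "srcPrt", "dstPrt", "protocol"),
}

Flow = Dict[str, object]


def pattern_key(flow: Flow, pattern: int) -> Tuple:
    """Project one flow record onto the fields that make up the given pattern."""
    return tuple(flow[field] for field in PATTERNS[pattern])


def dominant_keys(flows: List[Flow], pattern: int, threshold: int) -> Dict[Tuple, int]:
    """Keys shared by at least `threshold` flows: candidate attack activity for that pattern."""
    counts = Counter(pattern_key(f, pattern) for f in flows)
    return {key: n for key, n in counts.items() if n >= threshold}


def matching_patterns(flows: List[Flow], threshold: int) -> List[int]:
    """Which of the eight patterns produce a dominant key for this flow set."""
    return [p for p in PATTERNS if dominant_keys(flows, p, threshold)]


# Constructed sample (not a real capture): one external source, 203.0.113.7 (a
# documentation address), probes 20 internal hosts on TCP/445 from a different
# ephemeral source port each time, mixed with two ordinary HTTPS flows.
SAMPLE_FLOWS: List[Flow] = [
    {"srcIP": "203.0.113.7", "srcPrt": 40000 + i, "dstIP": f"10.0.0.{i}",
     "dstPrt": 445, "protocol": "TCP"}
    for i in range(1, 21)
] + [
    {"srcIP": "10.0.0.5", "srcPrt": 51000, "dstIP": "10.0.0.9", "dstPrt": 443, "protocol": "TCP"},
    {"srcIP": "10.0.0.6", "srcPrt": 51001, "dstIP": "10.0.0.9", "dstPrt": 443, "protocol": "TCP"},
]

if __name__ == "__main__":
    # Patterns that include srcPrt (2, 5, 6, 8) split the scanner's flows into 20
    # singletons and miss it; Patterns 1, 3, 4 and 7 aggregate them into one key.
    for p in PATTERNS:
        print(p, dominant_keys(SAMPLE_FLOWS, p, threshold=10))
```

With this sample, only Patterns 1, 3, 4 and 7 surface the scanner, which is why the slides pair each pattern with the attack whose invariant fields it captures.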

Network Security Systems
• Traditional and next-generation firewalls
• Intrusion detection systems (IDSs) & intrusion prevention systems (IPSs)

Traditional & Next-Generation Firewalls
• Firewalls: devices placed between a trusted and an untrusted network
• Network-based firewalls
– Provide key features used for perimeter security
– Primary task is to deny or permit traffic that attempts to enter or leave the network based on explicit preconfigured policies and rules

Traditional & Next-Generation Firewalls
• Demilitarized zones (DMZ): provide security to the systems that reside within them with different security levels and policies between them, e.g.,
DMZ (Source: [1])

Traditional & Next-Generation Firewalls
• Firewalls provide network segmentation while enforcing policy between those segments, e.g.,
Network segmentations (Source: [1])

Traditional & Next-Generation Firewalls
• How do firewalls allow or block traffic:
– Packet-filtering techniques
– Application proxies
– Network address translation (NAT)
– Stateful inspection firewalls
– Next-generation context-aware firewalls

Packet-filtering Techniques
• Purpose: to control access to specific network segments by defining which traffic can pass through them
• ACL (Access Control List): a set of predetermined rules
– Configured in firewalls, routers, switches, wireless access controllers, etc.
– ACE (Access Control Entry): each entry of an ACL; an ACE inspects OSI Layer 2 – 4 headers:
• Layer 2 protocol information such as EtherTypes
• Layer 3 protocol information such as ICMP, TCP, or UDP
• Layer 3 header information such as source and destination IP addresses
• Layer 4 header information such as source and destination TCP or UDP ports

Packet-filtering Techniques
– ACL common practices
• When a new ACE is added to an existing ACL, it is appended to the end of the ACL
• When a packet enters the firewall, the ACEs are evaluated in sequential order. Hence, the order of the ACEs is critical
• Implicit deny at the end of all ACLs
• Return traffic for TCP/UDP is automatically allowed since the connections are considered established and bidirectional
• Return traffic for other protocols such as ICMP is automatically denied since the connections are considered unidirectional

Packet-filtering Techniques
– ACL configuration example on Cisco ASA
• The first two ACEs allow HTTP traffic destined for 10.10.202.131 and 209.165.202.131 from the two client machines
• The last two ACEs allow SMTP access to 10.10.20.112 from both machines
ACL configuration example (Source: [1])
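The ACL practices above (append to the end, first match wins, implicit deny) are easy to get wrong in a real policy. This added example (not from the lecture or the Cisco source, and not ASA syntax) models them in a small evaluator loaded with a policy shaped like the slide's: the two client addresses 10.10.10.10 and 10.10.10.11 are assumptions, the server addresses are the slide's.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class ACE:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                         # source network in CIDR notation
    dst: str                         # destination network in CIDR notation
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, proto: str, src: str, dst: str, dst_port: Optional[int]) -> bool:
        return (
            (self.proto == "ip" or self.proto == proto)
            and ip_address(src) in ip_network(self.src)
            and ip_address(dst) in ip_network(self.dst)
            and (self.dst_port is None or self.dst_port == dst_port)
        )


class ACL:
    def __init__(self) -> None:
        self.aces: List[ACE] = []

    def add(self, ace: ACE) -> None:
        self.aces.append(ace)        # a new ACE always goes to the end of the ACL

    def evaluate(self, proto: str, src: str, dst: str, dst_port: Optional[int] = None) -> str:
        for ace in self.aces:        # evaluated in order: the first match decides
            if ace.matches(proto, src, dst, dst_port):
                return ace.action
        return "deny"                # implicit deny at the end of every ACL


# Constructed policy mirroring the slide; the two client addresses are assumed.
CLIENTS = ("10.10.10.10/32", "10.10.10.11/32")


def build_example_acl() -> ACL:
    acl = ACL()
    for client in CLIENTS:
        acl.add(ACE("permit", "tcp", client, "10.10.202.131/32", 80))
        acl.add(ACE("permit", "tcp", client, "209.165.202.131/32", 80))
    for client in CLIENTS:
        acl.add(ACE("permit", "tcp", client, "10.10.20.112/32", 25))
    return acl


def order_demo(deny_first: bool) -> str:
    """Same two ACEs, different order: the verdict for one HTTP packet flips."""
    specific_deny = ACE("deny", "tcp", "10.10.10.10/32", "10.10.202.131/32", 80)
    subnet_permit = ACE("permit", "tcp", "10.10.10.0/24", "10.10.202.131/32", 80)
    acl = ACL()
    for ace in ((specific_deny, subnet_permit) if deny_first else (subnet_permit, specific_deny)):
        acl.add(ace)
    return acl.evaluate("tcp", "10.10.10.10", "10.10.202.131", 80)
```

Anything the four permit entries do not cover, such as HTTP to the mail server or ICMP to either web server, falls through to the implicit deny; `order_demo` shows the host-specific deny only taking effect when it precedes the broader permit.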

Application Proxies
• Operate as intermediary agents on behalf of clients that are on a private or protected network
• Clients on the protected network send connection requests to the application proxy to transfer data to the unprotected network or the Internet
• Application proxy (or web proxy) sends the request on behalf of the internal client
• Work at OSI Layer 7
• Most proxy firewalls can cache information to accelerate their transactions

Network Address Translation (NAT)
• NAT: translate the internal host’s private (or real) IP addresses to a publicly routable (or mapped) address, e.g.,
RFC 1918 Private Address Ranges (Source: [1])

Network Address Translation (NAT)
• Port Address Translation (PAT): a subset of NAT that allows many devices on the internal protected network to share one IP address by inspecting the Layer 4 information in the packet, e.g.,
PAT (Source: [1])

Stateful Inspection Firewalls
• Track every packet passing through their interfaces, ensuring that each belongs to a valid, established connection
• Examine not only the packet header contents but also the application layer information within the payload
• Different rules can be created on the firewall to permit or deny traffic based on specific payload patterns
• State table: database of the state of the connection detailing whether such a connection has been established, closed, reset, or is being negotiated

Next-Generation Firewalls
• Context-aware firewalls: be aware of not only the applications and users accessing the infrastructure but also the device in use, the location of the user, and the time of day
• Provide granular control of applications, comprehensive user identification, and location-based control


IDSs & IPSs
• IDSs: Devices that detect attempts from an attacker to gain unauthorized access to a network or a host, to create performance degradation, or to steal information, e.g.,
IDS (Source: [1])

IDSs & IPSs
• IPSs: Devices that are capable of not only detecting all security threats, but also dropping malicious packets inline, e.g.,
IPS (Source: [1])

IDSs & IPSs
• Detection methodologies
– Pattern matching and stateful pattern-matching recognition
– Protocol analysis
– Anomaly-based analysis

Pattern Matching
• Search for a fixed sequence of bytes within the packets traversing the network
• Uses the concept of a signature: a set of conditions that point out some type of intrusion occurrence, e.g.,
– “TCP packet has a destination port of 1234 and its payload contains the string ff11ff22”
• Pros:
– Direct correlation of an exploit
– Trigger alerts on the pattern specified
– Can be applied across different services and protocols
• Cons:
– High false positives
– High false negatives if attack pattern alters

Stateful Pattern-Matching Recognition
• Dictates that systems performing this type of signature analysis must consider the chronological order of packets in a TCP stream, i.e., judge and maintain a stateful inspection of such packets and flows
• Pros:
– The capability to directly correlate a specific exploit within a given pattern
– Supports all non-encrypted IP protocols
• Cons:
– Uncertain rate of false positives
– Possibility of some false negatives
– Resource intensive (Memory & CPU)
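To make the difference between the two preceding slides concrete, this added example (not from the lecture) checks the earlier slide's signature ("TCP packet with destination port 1234 whose payload contains ff11ff22") per packet and again over a reassembled stream; the segments are constructed sample traffic, and per-stream reassembly is what costs the memory the slide's cons list mentions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SIG_DST_PORT = 1234          # the slide's signature: destination port 1234 ...
SIG_PATTERN = b"ff11ff22"    # ... and a payload containing the string ff11ff22

StreamKey = Tuple[str, int, str, int]   # (src IP, src port, dst IP, dst port)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


def packet_matcher(segments: List[Segment]) -> bool:
    """Stateless: fires only if a single segment carries the whole pattern."""
    return any(s.dport == SIG_DST_PORT and SIG_PATTERN in s.payload for s in segments)


def reassemble(segments: List[Segment]) -> Dict[StreamKey, bytes]:
    """Group segments by stream and join payloads in sequence-number order."""
    streams: Dict[StreamKey, List[Segment]] = {}
    for s in segments:
        streams.setdefault((s.src, s.sport, s.dst, s.dport), []).append(s)
    return {key: b"".join(s.payload for s in sorted(segs, key=lambda s: s.seq))
            for key, segs in streams.items()}


def stateful_matcher(segments: List[Segment]) -> bool:
    """Stateful: matches the signature against each reassembled stream (one buffer per stream)."""
    return any(key[3] == SIG_DST_PORT and SIG_PATTERN in data
               for key, data in reassemble(segments).items())


# Constructed traffic (not a real capture): the pattern straddles two segments
# of one stream, and the second segment arrives before the first.
SPLIT_ATTACK: List[Segment] = [
    Segment("198.51.100.9", 40001, "10.0.0.8", 1234, seq=1007, payload=b"ff22 END"),
    Segment("198.51.100.9", 40001, "10.0.0.8", 1234, seq=1000, payload=b"GO ff11"),
]
# Same bytes, but to a port the signature does not cover.
WRONG_PORT: List[Segment] = [
    Segment("198.51.100.9", 40002, "10.0.0.8", 80, seq=1, payload=b"ff11ff22"),
]
```

The per-packet matcher misses the split stream (a false negative of the kind the pattern-matching slide lists), while the stateful matcher finds it after reordering and joining the two segments.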

Protocol Analysis
• Decode all protocol or client-server conversations, identify the elements of the protocol and analyse them while looking for an infringement
• Look at explicit protocol fields within the inspected packets, or use more sophisticated techniques such as examination of the length of a field within the protocol or the number of arguments, e.g.,
– Examine specific commands and fields in the SMTP protocol such as HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT
• Pros:
– Low false positives if the protocol being analysed is properly defined and enforced
• Cons:
– High false positives if the protocol definition is ambiguous or tolerates flexibility in its implementation

Anomaly-Based Analysis
• Keep track of network traffic that diverges from “normal” behavioural patterns
• Limitation: what is considered to be normal must be defined
• Challenges: to classify a specific behaviour as normal or abnormal based on different factors below:
– Negotiated protocols and ports
– Specific application changes
– Changes in the architecture of the network

Case Study – Network Attack Traffic Analysis
• LAN segment data:
– LAN segment range: 172.16.4.0/24
– Domain: mind-hammer.net
– Domain controller: 172.16.4.4 (Mind-Hammer-DC)
– LAN segment gateway: 172.16.4.1
– LAN segment broadcast address: 172.16.4.255
• IDS alerts triggered:
Source: www.malware-traffic-analysis.net

Case Study – Network Attack Traffic Analysis
• Q: What is the IP address, MAC address, and host name of the infected Windows host?
• A: 172.16.4.205, 00:59:07:b0:63:a4, ROTTERDAM-PC

Case Study – Network Attack Traffic Analysis
• Q: Based on the alerts what is the name of the campaign that delivered the malware?
• A: SocGholish also known as FakeUpdates

Case Study – Network Attack Traffic Analysis
• Q: Based on the alerts, what is the final malware that infected the Windows host?
• A: NetSupport Manager RAT. The alerts say “NetSupport Remote Admin Checkin” and “NetSupport Remote Admin Response”

Summary
• More Network Attacks
– Compare different types of attacks
– Understand how network attacks work
– Describe examples of different types of attacks
– Select key patterns to detect well-known attacks
• Network Security Systems
– Traditional and next-generation firewalls
• Explain DMZ and network segmentation
• Describe ACL and its common practices
• Explain NAT & PAT process
• Understand stateful inspection firewalls
– IDSs & IPSs
• Compare the difference between IDS and IPS
• Understand different detection methodologies
• Case Study
– Understand the network attack traffic analysis process
– Apply the analysis process to other network attacks

Reference
• [1] , et al., 2017, CCNA Cyber Ops SECFND #210-250 Official Cert Guide (Certification Guide), Cisco Press
• [2] C.V.Zhou, et al., 2009, Decentralized multi-dimensional alert correlation for collaborative intrusion detection, Journal of Network and Computer Applications
• [3] , . Jamming Attacks and Anti-Jamming Strategies in Wireless Networks: A Comprehensive Survey. Available from: https://arxiv.org/pdf/2101.00292.pdf