1 Reading Log Files

2 Segment Format

TCP segment header, with bit offsets across the top (the slide's figure rendered as text):

 0        4          10       16                 31
 |          SrcPort           |      DstPort      |
 |                     SequenceNum                |
 |                    Acknowledgment              |
 | HdrLen |   0    |  Flags   | AdvertisedWindow  |
 |          Checksum          |      UrgPtr       |
 |               Options (variable)               |
 |                      Data                      |

http://www.networksorcery.com/enp/protocol/tcp.htm

3 Datagram Header

• Three key fields
– Source IP address
– Destination IP address
– Type (contents)

4 TCP Flags

• TCP packets have one-bit flags
• Flags are used to specify the meaning of the packet.
– SYN (Start of connection): S
– ACK (Acknowledge): ack
– FIN ("FINish" or French for "end"): F
– RESET: R
– PUSH: P
– URGENT: urg

5 Connection Establishment

Active participant (client) → Passive participant (server): SYN, SequenceNum = x
Passive participant (server) → Active participant (client): SYN+ACK, SequenceNum = y, Acknowledgment = x+1
Active participant (client) → Passive participant (server): ACK, Acknowledgment = y+1

6 Sequence of Messages – TCP Flow Control

7 TCPDump

8 TCPdump – Absolute and Relative Sequence Numbers

9 TCPdump Trace

• 3-Way Handshake
• Data Transfer

10 TCPdump Trace

• Connection Termination

11 TCPdump Trace

• ACK Scan

12 Snort

13 Snort

14 Introduction to Practicals

15 Introduction to Practicals

• Network or system log trace of an event of interest on which the practical is based
• Source of the detect
– e.g., snort
• Probability that the source address was spoofed
• Description of the attack
• Attack mechanism
• Correlations
• Evidence of active targeting
• Severity
• Defensive recommendation
• Multiple-choice question

16 Introduction to Practicals

• The traffic was logged because it violated the security policy
• The network or system trace
– False positives
– False negatives
– False interpretations

17 One Trace Example

P. 21 of the textbook

18 Probability the source address was spoofed

• Probably spoofed
– DoS attacks: Smurf, ICMP broadcast, etc.
• Probably not spoofed
– TCP packets are not spoofed if the three-way handshake is completed
• Combination of both aspects
• Despoof: checking TTL to determine whether a received packet is spoofed or not
– http://packetstormsecurity.org/advisories/bindview/

19 Description of Attack

• Common Vulnerabilities and Exposures (CVE)
– http://cve.mitre.org
– One of the most important standards efforts for intrusion detection and information security in general
– For example: TCP SYN flood, ADM buffer overflow against DNS, etc.

20 SYN Flood

• Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood.
– CVE-1999-0116
– Keeping track of each half-open connection takes up resources
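As an added example that is not from the slides, the following Python tracks the three-way handshake of slide 5 over a constructed tcpdump-like trace, reports which sources completed it (slide 18's "probably not spoofed" test) and counts the half-open connections per server that the SYN flood described above leaves behind. The record format, the sample addresses and the threshold of 50 half-open connections are assumptions made for the example.

```python
from collections import defaultdict

# Constructed tcpdump-like records: (time, src, sport, dst, dport, flags, SequenceNum,
# Acknowledgment), flags written with the slide's letters. One handshake that completes,
# then 60 SYNs from distinct sources that are never followed by a final ACK.
SAMPLE_TRACE = [
    (0.00, "10.0.0.5", 40000, "192.0.2.10", 80, "S", 1000, 0),
    (0.01, "192.0.2.10", 80, "10.0.0.5", 40000, "S ack", 5000, 1001),
    (0.02, "10.0.0.5", 40000, "192.0.2.10", 80, "ack", 1001, 5001),
] + [
    (0.1 + i * 0.001, "203.0.113.%d" % (i + 1), 1024 + i, "192.0.2.10", 80, "S", 7000 + i, 0)
    for i in range(60)
]

def track_handshakes(trace):
    """Return (established, half_open): sets of (client, cport, server, sport) 4-tuples."""
    # Established only after SYN, SYN+ACK and a final ACK whose Acknowledgment == server SequenceNum + 1.
    state = {}                 # 4-tuple -> ("SYN_SENT" | "SYN_RECEIVED", server SequenceNum)
    established = set()
    for _, src, sport, dst, dport, flags, seq, ack in trace:
        f = set(flags.split())
        if f == {"S"}:                                  # client stimulus
            state[(src, sport, dst, dport)] = ("SYN_SENT", None)
        elif f == {"S", "ack"}:                         # server response
            key = (dst, dport, src, sport)
            if key in state and state[key][0] == "SYN_SENT":
                state[key] = ("SYN_RECEIVED", seq)
        elif "ack" in f:                                # client's final ACK (or later data)
            key = (src, sport, dst, dport)
            if key in state and state[key][0] == "SYN_RECEIVED" and ack == state[key][1] + 1:
                established.add(key)
                del state[key]
    return established, set(state)

def half_open_per_server(half_open):
    """Half-open connections per (server, port): the resource a SYN flood ties up."""
    counts = defaultdict(int)
    for _, _, server, port in half_open:
        counts[(server, port)] += 1
    return dict(counts)

def syn_flood_suspects(trace, threshold=50):
    """(server, port) pairs holding more than `threshold` half-open connections (assumed limit)."""
    _, half_open = track_handshakes(trace)
    return sorted(k for k, n in half_open_per_server(half_open).items() if n > threshold)

if __name__ == "__main__":
    est, half = track_handshakes(SAMPLE_TRACE)
    print("completed handshakes (source unlikely spoofed):", sorted(est))
    print("half-open per server:", half_open_per_server(half), "suspects:", syn_flood_suspects(SAMPLE_TRACE))
```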

21 Attack Mechanism

• Is this a stimulus or response?
– RFCs are the standards documents
– Unfortunately, different implementations of TCP/IP react differently to deliberate violations of RFC standards
• What service is being targeted?
• Does the service have known vulnerabilities or exposures?
• Is this benign, an exploit, DoS, or reconnaissance?

22 Expected Stimulus-Response

• Destination Host Listens on Requested Port
– Stimulus
– Response

23 Expected Stimulus-Response

• Destination Host not listening on Requested Port
– Stimulus
– Response

24 Expected Stimulus-Response

• Destination Host Does not Exist
– Stimulus
– Response

25 Expected Stimulus-Response

• Destination Port Blocked
– Stimulus
– Response

26 Expected Stimulus-Response

• Destination Port Blocked, Router Does not Respond
– Stimulus
– Response

27 Protocol Benders

• FTP
– Session Negotiations
– Dir command issued by the user

28 Abnormal Stimuli

• Evasion stimulus, Lack of Response

29 Abnormal Stimuli

• No Stimulus, All Response
– Suppose no outbound traffic