lecture10-NIDS-evasion

Lecture 10: NIDS Evasion, Traffic Normalization
Adrian Perrig, Sudeep Modi
18-731: Network Security, Spring 2009

Overview
- Administrative issues
  - Homework 1 due on Tuesday at the beginning of the class
  - Research project: one of the course staff will be assigned as a mentor and will contact you
- In this lecture
  - More about IDS
  - Attacks on NIDS
  - Traffic normalizer
- Upcoming lectures
  - Accountability in NGSI
  - Broadcast security

IDS Justification
- Comments on IDS
  - IDS easy to circumvent
  - Installing IDS is useless
  - Impossible to design bulletproof IDS
- Responses
  - IDS is one component of a security system: prevention, detection & recovery, redundancy, deterrence
  - Increases difficulty of successful attack: raising the bar
  - If system defends against 95% of attackers, we can concentrate on the remaining 5%

Firewall vs. NIDS
- Firewall
  - Active filtering
  - Fail-close
- Network IDS
  - Passive monitoring
  - Fail-open
- Advantages and disadvantages?
  [Diagram: Internet connected through FW; Internet monitored by NIDS]

Bro: Detecting Intruders in Real-Time
- Bro is a standalone NIDS developed by Vern Paxson
- Designed to keep LBL an open environment (to resist the need to install a firewall)
- Goals
  - High-speed monitoring, no packet drops
  - Real-time notification and ability to take action
  - Extensibility
  - Simple to use, guard against mistakes
  - Tolerate attacks on NIDS
- More powerful than Snort, but less popular. Why?

Bro System Architecture
[Diagram: Network -> libpcap -> Event Engine -> Policy Script Interpreter. Data flow: packet stream -> filtered packet stream -> event stream -> alerts/notifications. Control inputs: tcpdump filters into libpcap, event control into the Event Engine, policy script into the Policy Script Interpreter]

libpcap Layer
- Only passes relevant packets to Event Engine
- Uses BSD Packet Filter (BPF) to efficiently filter packets
- Sample filter rule:
    tcp port finger or tcp port ftp or tcp port telnet or port 111 or tcp[13] & 7 != 0
  What attacks will not be seen in this example?

Event Engine
- State for each connection, based on <SrcIP, SrcPort, DstIP, DstPort>
  - If state not present, allocate fresh state
- TCP processing
  - Update state based on SYN/FIN/RST flags
  - Process acknowledgment
  - SYN generates a timer event, if nothing happens after...
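The two slides above (libpcap filter, Event Engine state) modelled in Python as an added example, not code from the lecture or from Bro: it evaluates the slide's BPF expression over constructed packet summaries and tracks per-connection state keyed on the slide's 4-tuple, so one can see which packets never reach the engine (the blind spots the slide asks about). Port numbers, state names and the `Packet` fields are my assumptions.

```python
from dataclasses import dataclass

# Bits of the TCP flags byte at offset 13 of the TCP header, i.e. tcp[13].
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
# Well-known ports named in the slide's filter expression (assumed IANA values).
FINGER, FTP, TELNET, PORTMAP = 79, 21, 23, 111

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"  (constructed summary, not a real frame)
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0    # value of tcp[13]; unused for udp

def bpf_matches(p: Packet) -> bool:
    """Model of: tcp port finger or tcp port ftp or tcp port telnet
    or port 111 or tcp[13] & 7 != 0.  'port X' matches either endpoint."""
    ports = {p.sport, p.dport}
    if p.proto == "tcp" and ports & {FINGER, FTP, TELNET}:
        return True
    if PORTMAP in ports:            # bare 'port 111' is protocol-agnostic
        return True
    return p.proto == "tcp" and (p.flags & (FIN | SYN | RST)) != 0

class EventEngine:
    """Connection state keyed on <SrcIP, SrcPort, DstIP, DstPort> as on the slide."""
    def __init__(self):
        self.conns = {}
        self.unseen = []            # packets the libpcap layer never delivered

    def process(self, p: Packet):
        if not bpf_matches(p):
            self.unseen.append(p)   # invisible to every policy script
            return None
        key = (p.src, p.sport, p.dst, p.dport)
        state = self.conns.setdefault(key, "NEW")   # allocate fresh state
        if p.proto == "tcp":        # update on SYN/FIN/RST, as the slide says
            if p.flags & RST:
                state = "RESET"
            elif p.flags & FIN:
                state = "CLOSING"
            elif p.flags & SYN:
                state = "SYN_SEEN"
            elif state == "SYN_SEEN" and p.flags & ACK:
                state = "ESTABLISHED"
        self.conns[key] = state
        return state
```

With this filter a connection to an unlisted port (say 80) yields only its SYN, FIN and RST to the engine; every payload-carrying segment lands in `unseen`, which is exactly the traffic the slide's question is about.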