Unit 3 - DNS Attacks PDF

Summary

This document provides an overview of DNS attacks, including local and remote attacks. It explains the process of DNS poisoning and cache poisoning, the timing of spoofing and the cache effect, and discusses the breakthrough solution by Dan Kaminsky to address the caching effect. It includes details about the Kaminsky attack and important points.

Full Transcript

Local DNS Attack
DNS poisoning or DNS cache poisoning
DNS cache is manipulated to redirect traffic from a legitimate website to a
malicious one
Local DNS attack is carried out within a local network
Steps of execution
1. Compromise - Attacker gains access to local DNS servers
2. Cache Poisoning - attacker injects false DNS records into cache
3. Redirection - users legitimate request triggers a DNS request which
gets intercepted by the compromised server
4. Traffic Diversion - user receives malicious websites IP and the
traffic is redirected to compromised website
5. Attack Execution - The user is redirected to malicious website
which can get data and use it for various attacks like phishing, data
theft, malware distribution, etc.

Remote DNS Attack
While the end goal of this is similar to Local DNS attack, the process involved
is very different. The attacker is not part of the internal network but rather tries
to manipulate the DNS servers from outside the local network.
This kind of attack is much more harder than a local DNS attack owing to the
simple fact that the DNS queries or any other traffic packets cannot be sniffed
by the attacker hence making it very hard to get any details.

Challenges

For attackers not on the same network as the local DNS server, spoofing
DNS replies becomes more complex.
 Why?
They cannot see the DNS queries directly.
They must guess two key values:
1. Source Port Number (16-bit random number).
2. Transaction ID (16-bit random number).

Probability of Success:

The chance of guessing both values correctly is 1 in 232 for each attempt.
Example: If 1000 spoofed packets are sent per second:
A single attacker needs ~50 days to exhaust all combinations.
Using a botnet with 1000 hosts reduces the time to ~1.2 hours.

Key Obstacles

1. Timing of Spoofing:
The attacker needs to know when the DNS server sends out the
query.
Hard to find this DNS query time when attacker is not in the same
network
Solution: Instead of waiting for the DNS query to be sent, the
attacker triggers the query themselves to initiate the attack.
2. Cache Effect:
If the spoofing fails, the legitimate response is cached.
The attacker must wait for the cache to expire before retrying.
Waiting periods can range from hours to days, making attacks
impractical.
Solution
Negate the cache effect → this was an open problem which
was addressed by Dan Kaminsky
Breakthrough Solution by Dan Kaminsky (2008)

Kaminsky introduced a method to bypass the cache effect.
This allowed attackers to conduct continuous spoofing attacks without
waiting for cache expiration.

Kaminsky Attack
Kaminsky solved the caching effect problem by a simple solution. Never
trigger the DNS server to send out query for the hostname. The reason for this
is that if it failed the cache would store the answer for that hostname and
attacker has to wait for timeout.

The alternate to this was the following

Look away from the answer section → this meant that instead of querying
for the hostname directly and getting the answer section we could try
using the other sections mainly authoritative section
The authority section of example.com will provide it's name server details,
this means that any sub-domain within that will query the name server
provided in this section.
Instead of spoofing the reply through the answer section, we can spoof
the authority section of example.com to point to malicious DNS server
Once the attack is successful and the cache stores the malicious name
server, any query within that domain will go to the attacker and the
attacker can manipulate the answers through the dns response

Important Points

The query that is sent should be within the target domain and should not
be the actual hostname that is to be compromised
 The DNS server must be triggered continuously to send out DNS queries,
this is to ensure at some point the random values chosen by attacker
matches the source port and transaction ID of the query → only if it is
matched will the response be cached
The answer part of the response does not matter, only the name server
pointed in the authority section is used

Steps Involved

1. Trigger the DNS server to send out DNS query
The attacker triggers the local DNS server (e.g., "Apollo") to send out
a DNS query.
This involves querying for random, non-cached hostnames under the
target domain (e.g., random.example.com ).
2. Spoof the reply
The attacker floods the DNS server with spoofed responses
containing forged transaction IDs and source port numbers.
The goal is to make the server cache fake information.
3. Negate cache effect
Instead of directly targeting the IP address, the attacker focuses on
the authority section of the response:
Provides nameserver details for the target domain (e.g.,
ns.attacker32.com ).

If successful, the DNS server caches the attacker-controlled
nameserver information.

DNS Query Process
 1. Attacker queries the victim DNS server for the IP of a domain
2. Since the Server does not have the information it queries the Root server
which iteratively continues to the.com server and example.com server to
finally get the IP
3. The IP is sent back to attacker and cached on the target DNS server

DNS Query Process if Attack is Successful
 Attacker triggers DNS query for twysw.example.com
DNS server queries example.com's name server for the above hostname
and gets the IP if it is valid or else gets that it is not valid
In the meantime the attacker spoofs the reply and sends
ns.dnslabattacker.net in the replies authority section

If the transaction id and source port matches the query, this spoofed reply
caches example.com's name server as the attacker DNS , hence all sub-
domains in example.com will query from this name server when the attack
is successful

Protection Against DNS Cache Poisoning
Cryptography Basics

Key Objectives

1. Confidentiality:
Prevent unauthorized access to data.
 2. Integrity:
Detect and prevent unauthorized modifications.
3. Authentication:
Verify the identities of communicating parties.
4. Non-Repudiation:
Ensure that a sender cannot deny sending data.

Types of Cryptography

1. Symmetric Key Cryptography:
A single key is used for encryption and decryption.
Examples: AES, DES.
2. Asymmetric Key Cryptography:
Uses a public/private key pair.
Examples: RSA, DSA.

Hash Function

One way mathematical function (arbitrary length input → fixed length
output)
Output may be referred as digest or hash value
Hashing algorithms - MD5, SHA-128, SHA-256, NTLM (New Technology
LAN Manager), LANMAN

Digital Signatures

A digital signature is created by:
1. Hashing the data to produce a digest.
2. Encrypting the digest with the sender’s private key.

It ensures:
Authenticity: The signature verifies the sender.
 Integrity: Any alteration invalidates the signature.
Non-repudiation: The sender cannot deny creating the signature.
Electronic, encrypted stamp of authentication
signature that confirms the message's origin and integrity
DS uses asymmetric cryptography and assures authenticity, integrity and
non-repudiation

The document is the data to be shared
Hash value of the document is found (digest)
Arnold's private key is used to encrypt the digest (digital signature)
→ this value is shared to Jamie along with original document
Jamie finds the digest by hashing the document
Simultaneously Jamie decrypts the digital signature using Arnold's
public key to get a value
Both these values are compared to ensure the document is tamper
proof and Arnold is indeed the sender
DNSSEC (Domain Name System Security Extensions)

A set of extensions to DNS that:
1. Strengthens authentication.
2. Ensures data integrity using digital signatures based on public key
cryptography.

How DNSSEC Works

1. Digital Signatures:
DNS data is signed by the data owner.
All DNSSEC-protected zones return digitally signed answers.
2. Chain of Trust:
Validates DNS responses through a hierarchy of trusted zones.
Each zone verifies the signatures of its child zones.

Example:

If example.com is DNSSEC-enabled:
The resolver retrieves the zone’s public key.
It verifies the signature over DNS data.
If valid, the resolver considers the response authentic.

Benefits

Prevents DNS cache poisoning by rejecting forged data that fails
signature validation.
Protects against attackers attempting to inject false records.

TLS/SSL

Ensures secure communication between a client and a server.
Prevents DNS spoofing by requiring proof of identity from the server.
Process

1. The client requests a public-key certificate from the server.

2. The server provides its certificate, signed by a trusted Certificate Authority
(CA).
3. The client verifies the certificate and establishes an encrypted session.

Advantages

Encrypts data in transit.
Ensures that the server is legitimate and prevents man-in-the-middle
attacks.

DNSSEC
Trust Model

The root zone’s public key acts as the trust anchor.
Recursive resolvers use the root’s public key to validate signatures
throughout the DNS hierarchy.

DNSSEC Query Process

1. A DNS resolver queries a domain (e.g., www.example.com ).
2. The query traverses the DNS hierarchy (root → TLD → authoritative
nameserver).
3. Along the way:
Each zone provides digital signatures for its DNS data.
Public keys are fetched to validate these signatures.
4. If all signatures validate successfully:
The DNS resolver deems the response authentic and sends the
requested data to the user.
5. If any signature fails validation:
 The DNS resolver discards the response and returns an error,
preventing the user from accessing potentially malicious data.

Example

1. A resolver queries for www.example.net.
2. It receives signed records from:
The root zone.
The.net zone.
The example.net zone.
3. Each signature is validated using the public key of the parent zone.

Key Components

1. Zone Signing Key (ZSK):
Signs individual DNS records.
2. Key Signing Key (KSK):
Signs the ZSK.
3. Resource Records (RRs):
Include DNSKEY, RRSIG, DS, and NSEC records.

Key Pairs

Public and Private Keys:
The zone owner uses a private key to sign DNS records.
The public key is published for DNS resolvers to verify signatures.

Resource Record (RR) Types

DNSSEC introduces several new types of resource records for security
RR Type Purpose

DNSKEY Contains public keys used for
signing and validation.
RRSIG Holds the digital signature for a
specific DNS resource record.
NSEC/NSEC3 Indicates the next secure name in a
zone, preventing enumeration
attacks.
DS (Delegation Signer) Contains the hash of the child
zone's public key, used for trust
delegation.

DNSSEC Operations

Signing Zones

The zone owner signs DNS records using a Zone Signing Key (ZSK).
A Key Signing Key (KSK) is used to sign the ZSK itself.
This layered approach ensures flexibility in key management.

Verification by Resolvers

1. The resolver retrieves DNS records along with their corresponding digital
signatures (RRSIG).
2. It fetches the zone's public key (DNSKEY) to validate the signature.

3. The chain of trust ensures that every record and key can be traced back
to a trusted source (e.g., the root zone).

Chain of Trust

Trust Hierarchy

Root Zone:
The root zone is the starting point and provides the "trust anchor."
 Its public key is pre-configured in DNS resolvers.
Top-Level Domains (TLDs):
Each TLD (e.g.,.com ,.org ) has its public key signed by the root
zone.
Child Zones:
Public keys of child zones (e.g., example.com ) are signed by their
parent zones (e.g.,.com ).

Chain Validation

A query for www.example.net
Resolver queries the root zone, which provides the public key for.net.

Resolver queries the.net zone, which provides the public key for
example.net.

Resolver queries the example.net zone, which provides the signed
record for www.example.net.
The resolver validates
Root zone's signature using its pre-configured public key..net zone's signature using the root zone's public key.

example.net zone's signature using.net 's public key.

TLS/SSL
HTTP vs HTTPS

HTTP (Hypertext Transfer Protocol):
Protocol for viewing web pages.
Transmits data in plain text, vulnerable to eavesdropping and
attacks.
HTTPS (Secure HTTP):
 Combines HTTP with TLS/SSL for security.
Key Features:
Encryption: Protects data during transmission.
Authentication: Verifies server identity.

TLS/SSL Overview

SSL (Secure Sockets Layer):
Uses public key encryption for secure communication.
Handshake Process:
1. Client requests server identification.

2. Server provides an SSL certificate (contains public key).
3. Certificate is validated by the client.
4. Secure session is established, and encrypted communication
begins.

TLS (Transport Layer Security):
Successor to SSL; provides stronger encryption and performance.

Encryption in TLS/SSL

Asymmetric Encryption:
Uses public-private key pairs for secure key exchange during the
handshake.
Symmetric Encryption:
A shared session key is used for faster, real-time encrypted
communication after the handshake.

Public Key Infrastructure (PKI)

Definition: System to create, manage, and validate digital certificates.
Components:
 1. Certificate Authority (CA):
Issues and verifies certificates.
2. Digital Certificates:
Contain server public keys and identity details.

Protection Using TLS/SSL

Defends Against DNS Cache Poisoning:
1. The client resolves a domain name using DNS.
2. Server provides a CA-signed certificate to prove domain
ownership.
3. Server demonstrates knowledge of its private key.
4. HTTPS ensures security: Even if DNS is spoofed, attackers cannot
present a valid certificate, and connections fail.

Benefits of TLS/SSL

1. Prevents Cache Poisoning: Verifies server authenticity.

2. Encrypts Data: Secures sensitive information.
3. Authentication: Validates server identity through trusted CAs.
4. Prevents MITM Attacks: Secures communication channels.

DNSSEC vs TLS/SSL

Aspect DNSSEC TLS/SSL

Purpose Authenticates DNS Encrypts communication
data. between client and
server.
Chain of Trust Relies on DNS zone Uses Public Key
hierarchy. Infrastructure (PKI) with
Certificate Authorities
(CAs).
 Aspect DNSSEC TLS/SSL

Focus Protects DNS Secures data in transit
responses from being (e.g., HTTPS traffic).
forged.

Firewall
A firewall is a security system that monitors incoming and outgoing network
traffic and decides whether to allow or block specific traffic based on a defined
set of security rules.
It acts as a barrier between a trusted network and an untrusted network, such
as the internet.

Firewall Decision

Firewalls make decisions about network traffic based on a set of rules, often
referred to as a firewall policy or ruleset.
These rules are configured to specify:

Source IP Address: The IP address of the device/interface sending the
traffic.
Destination IP Address: The IP address of the device/interface receiving
the traffic.
Source Port: The port number used by the source device.
Destination Port: The port number used by the destination device.
Protocol: The network protocol used (e.g., TCP, UDP, ICMP).

A firewall rule-sets follow the organization policy and a firewall is only as
good as its rule-set

Based on these criteria, the firewall can take various actions

Actions
There are three main types of actions

Accept/Allow - allow the packets to enter the firewall
Deny/Dropped - packets are not allowed to enter the firewall and will be
dropped
Rejected - similar to Deny but additionally the source will be informed of
the decision through a ICMP packet

Ingress filtering can be used to inspect traffic incoming at a interface and
protect the internal network from outside attacks

Egress filtering can be sued to inspect traffic outgoing from an interface and
can prevent exposing internal sensitive data to outside world, or accessing
specific websites in the outside network.

Firewall Location
Network Zone is a collection of systems that requires the same access control
policy. For a secure network, it is divided into various network zones
(segmented network)
The split can be based on the users that access it, the type of data contained
in the zone and the access controls needed in it.

External/boundary firewall → placed at edge of the local or enterprise
network where it connects to the internet or WAN
Internal firewalls protect the internal organization network and helps in
segmentation

Host-based

Software based firewall that inspects traffic before it interacts with any
application on the host
The capabilities are built in on the OS
Network-based

These are devices that are placed in-path on the network along the route
that the packets flow through
These provide protection for more than one device
Independent of devices
They are standalone devices that are almost always hardware with
multiple network interfaces
It can also be implemented as a software module in the router or switch

Demilitarized Zone

DMZ → service network
It is a small, isolated network that is positioned between the internet and
the private network
Resources that are used as a service can be placed in this zone
Web servers
Mail servers
FTP servers
Since the contents of the DMZ are not as secure as the internal network,
the machines in the DMZ have limited connectivity
They are not as secure as the internal network nor insecure like the
external internet

Single Firewall

Only one firewall is placed between the Internet, LAN and DMZ
Needs atleast three interfaces
Single point of failure and must handle all traffic going to the DMZ and
also the internal network

Dual Firewall
 First firewall (frontend)
configured to allow traffic only destined for DMZ
Second firewall (backend)
only allows traffic from internal network to DMZ

More secure as two devices need to be compromised

These firewall serve two purpose - Protect internal network from attacks
launched by DMZ and also protect DMZ from internal attacks

Advantages

Offers three levels of protection
outside firewall router
bastion host (proxy)
inside firewall router
With the help of DMZ, internet needs to access only DMZ zone machines
and the rest of the internal network is invisible to outside network
Similarly the internal machines also have access to only DMZ hence
protecting it from outside machines
Internal hosts don't have a direct route to the internet and needs the
help of a proxy service that resides on the bastion host
DMZ and internal network are of different subnets, NAT installed on
bastion host so as to eliminate renumbering and re subnet

Bastion Host
What is a Bastion Host?
A bastion host is a dedicated server that acts as a secure gateway between a
public network (like the internet) and a private network. It's designed to provide
controlled access to internal resources.

Key Functions:
 Authentication: Verifies the identity of users attempting to access
internal resources.
Proxy: Acts as an intermediary, forwarding traffic between the external
network and internal systems.

Placement:

Outside the Firewall: This placement exposes the bastion host to
potential attacks, but it can provide a clear separation between the public
and private networks.
Within a DMZ: This placement offers additional security by isolating the
bastion host from the internal network.

Distributed Firewall

What is a Distributed Firewall?
A distributed firewall configuration involves a combination of stand-alone
firewalls and host-based firewalls, all managed under a centralized control
system. This approach offers a layered security strategy, enhancing protection
against both internal and external threats.

Key Components:

1. Stand-alone Firewalls:
External Firewall: Protects the entire network from external threats.
Internal Firewalls: Segment the internal network into smaller, more
secure zones.
DMZ Firewall: Protects the DMZ, a buffer zone for public-facing
servers.
2. Host-Based Firewalls:
Reside on individual devices (servers, workstations, etc.).
 Provide granular protection tailored to specific machines and
applications.
Protect against internal threats and unauthorized access.

Benefits of a Distributed Firewall:

Enhanced Security: Multiple layers of defense against a variety of
threats.
Granular Control: Fine-grained control over network traffic at both the
network and host levels.
Flexibility: Adaptable to changing network requirements and security
needs.
Improved Performance: Distributed firewalls can offload some
processing tasks to host-based firewalls, improving overall network
performance.

Firewall Design
Firewall Policy

A firewall policy is a critical component of a network security strategy. It outlines
the rules and guidelines for how a firewall should handle network traffic.

Key Considerations for Firewall Policy Design:

1. Risk Assessment:
Identify potential threats and vulnerabilities.
Assess the impact of a successful attack.
Determine the level of security required for different network
segments.
2. Traffic Analysis:
Analyze the organization's network traffic patterns.
 Identify essential traffic that must be allowed.
Determine the level of scrutiny required for different types of traffic.
3. Rule Creation:
Allow Rules: Define specific rules for allowed traffic, including
source and destination IP addresses, ports, and protocols.
Deny Rules: Create default deny rules to block all unauthorized
traffic.
Logging Rules: Configure logging rules to record specific types of
traffic for analysis.
4. Security Best Practices:
Principle of Least Privilege: Grant only the necessary permissions
to users and devices.
Input Validation: Validate and sanitize user input to prevent injection
attacks.
Regular Updates: Keep firewall software and rules up-to-date.
Monitoring and Logging: Monitor network traffic and logs for
suspicious activity.

Zero Trust Architecture

Zero Trust is a security model that challenges the traditional network security
paradigm of "trust but verify." Instead, it adopts a "never trust, always verify"
approach, where every user, device, and application is considered a potential
threat until explicitly verified.

Key Principles of Zero Trust:

1. Continuous Verification: Every user, device, and application must be
continuously authenticated and authorized before accessing resources.
2. Least Privilege Access: Grant users and devices only the minimum level
of access required to perform their tasks.
 3. Micro-Segmentation: Divide the network into smaller segments, limiting
lateral movement and minimizing the impact of a security breach.

Monitoring Outgoing Traffic

While it's essential to protect against external threats, internal threats can be
equally damaging. Monitoring outgoing traffic helps organizations identify and
mitigate risks associated with

Data Exfiltration: Employees may unintentionally or maliciously transfer
sensitive data outside the organization.
Malware Outbreaks: Infected systems can spread malware to other
devices on the network or external systems.
Unauthorized Access: Employees may attempt to access unauthorized
resources or systems.

Types
Packet Filter Firewall

Stateless firewall
How Packet Filter Firewalls Work:
Packet Inspection: Examines each packet of network traffic based on
specific criteria. Parameters such as IP, port, packet type
Decision Making: Compares packet information against a set of rules
(Access Control Lists or ACLs).
Action: Allows or denies the packet based on the rule match.

Key Characteristics:

Stateless: Examines each packet independently, without considering the
context of previous packets.
Fast and Efficient: Can process large volumes of traffic quickly.
 Low-Cost: Relatively inexpensive to implement and maintain.

Advantages:

Simplicity: Easy to configure and manage.
Performance: Minimal impact on network performance.
Cost-Effective: Affordable for small and medium-sized organizations.

Disadvantages:

Limited Security: Relies solely on packet header information, making it
vulnerable to spoofing attacks.
Lack of Context: Cannot analyze the content of packets, limiting its
ability to detect sophisticated attacks.
Complexity: ACLs can become complex to manage as the network
grows.

Use Cases:

Low cost firewall
Small or budget constrained organizations
Larger enterprises for part of layered defense

Stateful Firewall

Stateful firewalls track the state of network connections, analyzing each packet
in the context of its associated connection. By maintaining a state table, the
firewall can

Identify Established Connections: Allow packets that belong to
established connections.
Block New Connections: Prevent unauthorized connections from being
initiated.
 Detect Anomalies: Flag suspicious traffic patterns that may indicate
attacks.

Key Advantages:

Enhanced Security: More effective in blocking attacks that exploit
connection state, such as SYN flooding.
Simplified Rules: Less complex rule sets due to implicit rules.
Improved Performance: Optimized performance by avoiding
unnecessary packet inspection.

Application/Proxy Firewall

An application-level firewall, also known as a proxy firewall, is a type of firewall
that operates at the application layer of the OSI model. It inspects not only the
packet headers but also the application data within the packets.

How it Works:

1. Client Connection: A client connects to the application-level firewall.

2. Proxy Connection: The firewall establishes a separate connection to the
destination server.
3. Data Inspection: The firewall inspects the application data for malicious
content, viruses, or unauthorized access attempts.
4. Traffic Filtering: If the data is deemed safe, the firewall forwards it to the
destination server. Otherwise, it blocks the traffic.

Key Advantages:

Deep Packet Inspection (DPI): Analyzes the content of packets to
identify and block malicious traffic.
Protection Against Application-Layer Attacks: Protects against attacks
 like SQL injection, cross-site scripting (XSS), and buffer overflows.
Content Filtering: Can filter specific content, such as pornography or
malicious websites.
User Authentication and Authorization: Enforces strong authentication
and authorization policies.

Disadvantages:

Performance Overhead: Can significantly impact network performance
due to the additional processing required for packet inspection.
Complexity: More complex to configure and manage than simpler
firewalls.
Cost: Can be more expensive to implement and maintain.

Use Cases:

Web Application Firewalls (WAFs): Protect web applications from
attacks like SQL injection and XSS.
Intranet Security: Protect internal networks from external threats.
Remote Access: Secure remote access to internal resources.

Next-generation Firewall

A Next-Generation Firewall (NGFW) is a network security device that provides
a comprehensive security solution beyond traditional firewalls. It combines
multiple security features into a single device, offering advanced protection
against a wide range of threats.

Key Features of NGFWs:

Deep Packet Inspection (DPI): Analyzes the content of network traffic to
identify malicious payloads and suspicious activity.
 Application Awareness: Identifies and controls specific applications,
allowing for granular security policies.
Intrusion Prevention System (IPS): Detects and prevents attacks by
analyzing network traffic for malicious patterns.
VPN Functionality: Enables secure remote access to the network.
URL Filtering: Blocks access to malicious websites and unwanted
content.

Benefits of NGFWs:

Enhanced Security: Provides comprehensive protection against a wide
range of threats, including malware, viruses, and hacking attempts.
Improved Visibility: Offers detailed insights into network traffic, enabling
proactive threat detection and response.
Simplified Management: Consolidates multiple security functions into a
single device, reducing complexity.
Increased Performance: Optimizes network performance by offloading
security tasks to specialized hardware.

How NGFWs Work:

1. Packet Inspection: The NGFW inspects each packet of network traffic,
analyzing the packet header and payload.
2. Threat Detection: The NGFW uses various techniques, such as
signature-based detection and anomaly detection, to identify malicious
traffic.
3. Policy Enforcement: Based on the security policies, the NGFW takes
appropriate actions, such as blocking traffic, generating alerts, or applying
security measures.

NAT
 Network Address Translation

What is NAT?
Network Address Translation (NAT) is a technique used to map one IP address
space into another. It's primarily used to conserve public IP addresses by
allowing multiple devices on a private network to share a single public IP
address.

Why Use NAT?

IP Address Conservation: Reduces the need for globally unique IP
addresses.
Security: Hides internal IP addresses from external networks, providing a
layer of security.

Types of NAT:

1. Basic NAT:
Maps one-to-one between private and public IP addresses.
Less common due to its limited address conservation benefits.
2. Network Address Port Translation (NAPT):
Maps multiple private IP addresses to a single public IP address
using different port numbers.
More efficient and widely used.

NAT Address Pool

A NAT device often has a pool of public IP addresses available for use. This
pool of addresses is known as the NAT address pool. When a device behind
the NAT initiates a connection, the NAT device selects a public IP address from
this pool to use for the connection.

Address Pairing
Address pairing is a technique where a NAT device assigns the same public
IP address to multiple connections initiated by the same internal host. This can
be beneficial for certain applications, especially those that rely on stateful
connections, as it can help to avoid issues with connection tracking and state
management.

Why Address Pairing is Important:

Consistent Connection: If a remote host receives packets from different
public IP addresses, it may think it's communicating with multiple hosts,
leading to unexpected behavior or connection failures.
Stateful Protocols: Protocols like TCP rely on connection state. If the
source IP address changes, the remote host may not be able to maintain
the connection.

When Address Pairing is Not Necessary:

Stateless Protocols: Protocols like UDP are stateless, so address
pairing is not strictly necessary.
Single Public IP Address: If the NAT device only has a single public IP
address, address pairing is implicit.

Nat With Protocols
NAT And TCP

A wireless client at 10.0.0.126 (internal network) initiates a TCP
connection with a web server at www.pes.edu (212.110.167.157).
Client Initiation:
The client sends a packet with source IP 10.0.0.126 and port 9200,
destination IP 212.110.167.157 and port 80 (HTTP).
NAT Processing:
 The NAT recognizes a new connection (TCP SYN flag is set).
It translates the source IP address to the public IP of the NAT router
(e.g., 63.204.134.177).
The NAT creates a session entry with the client's internal IP and port
(10.0.0.126, 9200).
The modified packet becomes (63.204.134.177:9200;
212.110.167.157:80).
Server Response:
The server replies to the external NAT address
(63.204.134.177:9200) on port 9200 (port preservation).
NAT Translation:
The NAT recognizes the reply based on the destination port (9200)
matching a NAT session.
It translates the destination IP address back to the client's internal IP
(10.0.0.126) and port (9200).
The modified response becomes (212.110.167.157:80;
10.0.0.126:9200).
Client Receives Response:
The client receives the translated response and the connection is
established.
Session Termination:
The NAT removes the session entry when both sides exchange FIN
(connection termination) packets.

Key Points for TCP with NAT:

Port preservation is often used to simplify communication.
NAT maintains session state to map traffic between internal and external
addresses.
 Timeouts are used to clear stale session entries.

NAT And UDP

Connectionless Nature of UDP: UDP is a connectionless protocol,
meaning each packet is independent and doesn't require a long-lived
connection.
NAT's Handling of UDP:
NAT devices handle each UDP packet individually.
They translate source IP addresses and port numbers to public IP
addresses and unique port numbers.
When a response arrives, the NAT device uses the destination port
number to identify the original internal host.
NAT Timers for UDP:
To manage UDP connections efficiently, NAT devices use timers.
These timers clear stale NAT mappings to prevent resource
exhaustion.
The "recently" threshold for clearing mappings can vary, but RFC
4787 recommends a minimum of 2 minutes and suggests 5 minutes.
Timers are refreshed when packets are sent from the internal
network to the external network.

NAT And ICMP

ICMP (Internet Control Message Protocol) is a network protocol used for error
reporting and diagnostic messages. When ICMP packets traverse a NAT
device, the NAT device needs to handle them carefully to ensure correct
delivery and interpretation.

Key Points:

ICMP Error Messages:
 When an ICMP error message is received from the internet, the NAT
device needs to rewrite the IP addresses in the included "offending
datagram" to match the original internal IP addresses. This process
is known as ICMP fix-up.
ICMP Requests:
For ICMP requests like ping requests, the NAT device translates the
source IP address to its public IP address.
When the response arrives, the NAT device translates the
destination IP address back to the original internal IP address.
NAT Timers:
NAT devices may use timers to track ICMP requests and expected
responses.
This helps in handling situations where ICMP responses are delayed
or lost.

Security

IP Address Masking:
Hides the internal IP addresses of devices, making it more difficult
for external attackers to target specific systems.
Reduced Attack Surface:
Limits the number of public IP addresses exposed to the internet,
reducing the potential attack surface.
Blocking Incoming Connections:
By default, NAT can be configured to block incoming connections,
preventing unsolicited traffic from reaching internal systems. This
helps mitigate probing attacks and reduces the risk of unauthorized
access.
Topology Hiding:
 NAT can mask the number and configuration of internal devices,
making it harder for attackers to understand the network topology
and identify potential vulnerabilities.

Port Forwarding

Challenges of Providing Services Behind NAT:

1. IP Address Reachability: Devices behind a NAT have private IP
addresses that are not routable on the public internet.
2. NAT's Role as a Router: The NAT device acts as a router, deciding
which packets to forward. It must be configured to forward traffic destined
for the internal server.

Port Forwarding: A Solution
Port forwarding is a technique used to route incoming traffic to a specific
internal server. Here's how it works:

1. Configuration: The NAT device is configured with a rule that specifies:
The public IP address of the NAT device.
The public port number (e.g., 80 for HTTP).
The internal IP address of the server.
The internal port number (e.g., 80 for HTTP).
2. Incoming Traffic: When a packet arrives at the NAT device with the
public IP address and port number specified in the rule, the NAT device:
Translates the destination IP address to the internal IP address of
the server.
Translates the destination port number to the internal port number.
Forwards the packet to the internal server.
3. Outgoing Traffic: Any traffic originating from the internal server is
translated by the NAT device to use the public IP address and port
 number.

Limitations of Port Forwarding:

Single Public IP Address: If the NAT device has only one public IP
address, it can only forward a single port of a specific protocol to one
internal server.
Static Configuration: The NAT device must be manually configured for
each service, which can be time-consuming and error-prone.
Security Risks: Port forwarding can expose internal services to the
internet, increasing the risk of attacks.

Firewall Implementation
Simple Packet Firewall

Packet Filtering Basics:
Only possible inside the kernel.
Linux supports two primary mechanisms:
1. Netfilter:
Provides hooks at critical packet traversal points in the
kernel.
Hooks allow custom logic (e.g., packet filtering) to be
added dynamically.
2. Loadable Kernel Modules (LKMs):
Dynamically load/unload modules without recompiling the
kernel.

Loadable Kernel Modules (LKMs)

Definition:
 LKMs are independent pieces of code that can be added to the
kernel at runtime.
Requirements:
Root privileges or CAP_SYS_MODULE capability to add/remove
modules.
Structure:
Two Entry Points:
module_init() : Initialization function when the module is
loaded ( insmod ).
module_exit() : Cleanup function when the module is removed
( rmmod ).

Implementation:
Use the printk() function to log messages to the kernel buffer.
Kernel logs can be viewed using dmesg.
Use case
Support a new hardware
**All containers share the same kernel, kernel modules are global. Which
container is used does not matter

Netfilter

Overview:

A packet processing and filtering framework in the Linux kernel.
Allows developers to register callback functions at specific hooks.

Hooks for IPv4

NF_INET_PRE_ROUTING: Before routing decisions.
NF_INET_LOCAL_IN: Packets destined for the local machine.
 NF_INET_FORWARD: Packets forwarded to another machine.
NF_INET_LOCAL_OUT: Outgoing packets from the local machine.
NF_INET_POST_ROUTING: Outgoing packets after routing.

Netfilter Return Values:

NF_ACCEPT : Packet is allowed.

NF_DROP : Packet is discarded.

NF_QUEUE : Packet sent to user space for further processing.

NF_STOLEN : Packet is taken for additional processing by the module.

NF_REPEAT : Retry processing by the same hook.

Priority Management:

Multiple functions can hook into the same Netfilter hook.
Priority is a signed integer, with lower numbers indicating higher priority.

Simple Packet Filtering with LKMs and Netfilter

Goal: Block specific traffic based on rules (e.g., block Telnet traffic on port
23).
Implementation:
1. Create a callback function ( telnetFilter ) to analyze packets.
2. Inspect protocol headers using Linux header files:
IP Header: struct iphdr *iph = ip_hdr(skb)
TCP Header: struct tcphdr *tcph = tcp_hdr(skb)
3. Logic:
Drop packets with destination port 23.
Log the action using printk().

Filtering can be ingress or egress depending on the hook used
IPtables
Overview

User-space program to manage firewall rules.
Works with the Netfilter framework.

Structure

Tables: define the category or purpose of rules
filter : Packet filtering rules.

nat : Network Address Translation rules.

mangle : Rules for modifying packet headers.

Chains: Within each table, chains represent the stages of packet
processing
PREROUTING : Process packets before routing decisions.

INPUT : Process packets destined for the local machine.

FORWARD : Process packets being routed to another machine.

OUTPUT : Process outgoing packets from the local machine.

POSTROUTING : Process packets after routing decisions.

Rules: Within each chain, rules define the specific criteria for matching
packets
Matching: Criteria for packets (e.g., source/destination IP, protocol,
port).
Target: Action for matching packets (e.g., ACCEPT, DROP,
RETURN).

Common iptables Commands

Syntax: iptables -t -A -j
Common Options:
-A : Append rule to the chain.
 -I : Insert rule at a specific position.

-D : Delete a specific rule.

-F : Flush all rules in a chain.

Examples:
Block incoming traffic: iptables -A INPUT -j DROP.
Allow SSH traffic: iptables -A INPUT -p tcp --dport 22 -j ACCEPT.
Increase TTL: iptables -t mangle -A OUTPUT -j TTL --ttl-inc 10.

Stateful Firewalls and Connection Tracking

Why Connection Tracking?

Packets are often part of larger connections, and analyzing them
individually can miss the bigger picture.
Example Scenario:
Servers inside an organization might have open ports (e.g., 22, 80,
443) for public network services.
Open ports allow external users to establish connections to internal
servers.
Basic Protection:
A firewall can restrict access to only these open ports.
However, outgoing traffic must also be allowed to ensure users can
receive responses from these servers.
Challenges:
Allowing all outgoing TCP traffic is too broad.
Creating rules for specific ports can become cumbersome with a
large number of ports or complex protocols (e.g., FTP uses multiple
ports).

Solution
 Instead of adding individual rules, a single rule can be used to allow traffic
as part of an existing TCP connection.
Approach:
1. Restrict which ports can accept incoming connections.
2. Allow only packets that belong to established connections to exit.

Mechanism for Connection Tracking

The Linux kernel uses a connection tracking module (built on top of
Netfilter) to:
Track connections.
Identify whether a packet belongs to an existing connection.
Record connections (using attributes like port numbers).
Tools:
Netfilter: The base framework for packet filtering.
Xtables: The kernel component used by iptables for enforcing rules.
iptables: A user-space application to define firewall rules, which can
leverage connection tracking.

Connection Tracking Framework in Linux

nf_conntrack :

A connection tracking framework in the Linux kernel, built on
Netfilter.
Marks each packet with a connection state:
NEW: Indicates a new connection starting with a valid packet
sequence.
ESTABLISHED: A two-way communication is active.
RELATED: Links related connections (e.g., FTP control and
data traffic).
 INVALID: Packets that do not match expected connection
behavior.

Stateful firewalls can use nf_conntrack to create rules based on these
states.

Stateful Firewall using Connection Tracking

Definition: Monitors packets over time, recording attributes like IP
addresses, ports, and sequence numbers (collectively called connection
states).
Connection-Oriented and Connectionless Protocols:
Applies to TCP (naturally connection-oriented), UDP, and ICMP.
For UDP (connectionless), heuristics based on port numbers and
traffic direction are used.
For ICMP, request-reply pairs are tracked as a single connection.
Timeouts:
Connections have expiration times to avoid resource overload.
Once a connection expires, it is no longer considered valid.

Application Firewall
Application/Proxy Firewall

Definition: Controls input, output, and access to/from an application.
Functionality: Inspects network traffic up to the application layer.
Typical Implementation: Often implemented as a proxy (application
proxy).

Web Proxy

Purpose: Controls what web browsers can access (e.g., Squid ).
Setup:
 1. Redirect Web Traffic:
Configure each host computer to send web traffic to the proxy.
Achieved via browser network settings or using iptables.
2. Network Bridge:
Place web proxies on a network bridge that connects internal
and external networks to capture all traffic.

Proxies and Firewall Evasion

Egress Filtering Evasion:
If a firewall filters packets based on destination address, a proxy can
bypass this by altering the destination address to the proxy
server’s address.
This defeats the packet filtering rules of the firewall.

Anonymizing Proxy

Purpose: Hides the origin of a network request.
How it Works:
The source IP address visible to the destination server is the proxy
server's IP, not the original user's.
This anonymizes the actual origin of the request, improving privacy
and evading tracking.

Intrusion Detection System (IDS)
Introduction to Intrusion Detection

Intrusion: An unauthorized attempt to access, manipulate, or misuse
systems, networks, or data, potentially rendering them unreliable or
unusable.
Examples:
 System intrusions: Unused logins, unauthorized account creation,
deleted logs, and unexpected system behavior.
Network intrusions: Repeated login attempts, packet sniffers, and
excessive bandwidth usage.
File intrusions: Unknown files, file permission changes, and missing
files.
Other examples: Password cracking, copying sensitive data, web
server defacement, and pirated software distribution.

Need for IDS

Limitations of Firewalls:
Effective only for configured rules.
Cannot protect against social engineering or authorized applications
with vulnerabilities.
Do not monitor internal network traffic or detect tunneling attempts.
Purpose of IDS:
Monitors and analyzes system/network events. (internal network)
Provides real-time or near real-time warnings of suspicious activity.
Analogy:
Firewall: Acts as a gatekeeper.
IDS: Acts like CCTV surveillance for monitoring internal and external
activity.

IDS vs IPS

Intrusion Detection System (IDS):
Passively detects unauthorized access and generates alerts.
Intrusion Prevention System (IPS):
Actively blocks unauthorized access by filtering network traffic.
 Both are complementary; IDS detects, and IPS prevents.

IDS Requirements

Operate continuously with minimal human intervention.
Adapt to system/user changes and scale to large networks.
Be fault-tolerant, resist subversion, and impose minimal overhead.
Detect a substantial percentage of intrusions while minimizing false
alarms.
Configured according to system security policies
Provide graceful degradation of service
Allow dynamic reconfiguration

Classes of Intruders
Based on Origin

1. Masquerader:
An intruder who pretends to be an authorized user.
Usually an external attacker who gains access by falsifying
credentials or exploiting vulnerabilities.
2. Misfeasor:
An authorized user who improperly or maliciously abuses their
access to the system.
Often internal users who use their legitimate privileges for
unauthorized purposes.
3. Clandestine User:
An intruder who has privileged access but uses it covertly and
without authorization.
They typically try to cover their tracks and hide their activities from
administrators.
Based on Motive

1. Cybercriminal:
An individual or group motivated by financial gain or other illegal
activities.
They might engage in data theft, fraud, or spreading malware for
profit.
2. Activists:
Intruders driven by social, political, or ideological causes.
Known for acts like hacking to expose wrongdoing, disrupt services,
or promote a cause (e.g., hacktivism).
3. State-Sponsored:
Government-backed attackers engaging in espionage, sabotage, or
cyber warfare.
Their motives can include intelligence gathering, compromising
national security, or damaging rival nations.
4. Others:
This category includes various intruders whose motives may vary
widely.
Examples might include boredom-driven hackers, researchers
testing security, or revenge-driven individuals.

Based on Skill Level

1. Apprentice:
A beginner with limited technical knowledge.
Relies heavily on automated tools or scripts to perform attacks.
2. Journeyman:
An intermediate-level intruder with a solid understanding of systems
and security techniques.
 Can manually exploit vulnerabilities and potentially craft custom
attacks.
3. Master:
Highly skilled and experienced attackers who understand systems at
an advanced level.
Capable of sophisticated attacks, often undetectable, and able to
exploit complex vulnerabilities.

Intruder Behavior and Common Attack Methodology
Steps in Common Attack Methodology

1. Target Acquisition and Information Gathering
Identify the target using publicly available information.
Use network exploration tools to map target resources.
Examples:
Explore the target website for details.
Use dig , host , or other DNS lookup tools to gather network
information.
Map the network for accessible services using tools like Nmap.
Send a query to customer care and observe information on the
server, OS used, and the response.
Identify vulnerable services or third-party apps used by the
target.
2. Initial Access
Exploit remote network vulnerabilities to gain access.
Example: Guess weak authentication credentials used by
remote services.
Social engineering to install malware on the system.
 Example: Send spear-phishing emails to trick users into
installing malicious software.

3. Privilege Escalation
Exploit any vulnerable application to gain elevated privileges (e.g.,
from a regular user to admin).
Install sniffers to capture admin passwords.
Use captured passwords to access privileged information.
4. Information Gathering or System Exploit
Scan files for desired information.
Modify information or resources on the system.
Target other servers on the network for further compromise.
Data exfiltration: Steal sensitive data from the system or network.
5. Maintaining Access
Enable continued access after the initial attack by:
Installing backdoors or other malicious software.
Modify or disable antivirus/IDS programs running on the system to
avoid detection.
6. Covering Tracks
Remove evidence of the attack activity to avoid detection.
Edit or disable audit logs.
Use rootkits (a type of malware) to hide installed files or
malicious code.

Intrusion Detection Techniques

Intrusion Detection Systems - Logical Components

1. Sensors
Responsibility: Collects data.
Inputs to a sensor include:
 Network packets
Log files
System call traces
Forwards the collected information to the Analyzer.
2. Analyzers
Receives input from one or more sensors or other analyzers.
Determines if an intrusion has occurred.
May include evidence supporting the conclusion.
May provide guidance on actions to be taken in response to the
intrusion.
Sensor input may be stored in a database for future analysis and
review.
3. User Interface
Used to view output or control system behavior.

An IDS may use a single sensor and analyzer, such as:
Classic HIDS on a host.
NIDS in a firewall device.
More sophisticated IDS systems can use multiple sensors across
various host and network devices, sending information to a centralized
analyzer.

Intrusion Detection Systems - Types (Environment)

1. Host-based IDS (HIDS)
Monitors the characteristics of a single host for suspicious activity.
Focuses on the host's system logs, file integrity, and behavior to
detect any unusual or malicious behavior.
2. Network-based IDS (NIDS)
 Monitors network traffic for specific network segments.
Analyzes network, transport, and application protocols to identify
suspicious activity.
Focuses on detecting attacks like DoS, DDoS, or other malicious
activity within the network.
3. Distributed or Hybrid IDS
Combines information from multiple sensors, which can be both
host-based and network-based.
Uses a centralized analyzer to better identify and respond to
intrusion activity.
Provides a more comprehensive view of the network and host
security.

Host-Based IDS (HIDS)

Definition: Monitors system activity and logs suspicious events on a
single host.
Data Sources:
System call traces.
Log files and file integrity checksums.
Registry access (Windows-specific).
Audit Records:
Native audit records: Built-in OS logs.
Detection-specific audit records: Custom logs tailored for IDS.
Example:
Tracks user operations like file copying or failed permissions.

Network-Based IDS (NIDS)
 Definition: Monitors network traffic to detect anomalous or unauthorized
activity.
Components:
Sensors: Deployed at aggregation points to capture traffic.
Analyzers: Process captured data to detect anomalies or signatures.
Management Consoles: Provide human interface for alert
monitoring.
Types of Sensors:
Inline Sensors: Traffic passes through the sensor, enabling intrusion
prevention.
Passive Sensors: Traffic is copied and analyzed without delay.
Deployment Locations:
Behind external firewalls to monitor external attacks.
Within internal networks to detect insider threats or unauthorized
activity.

Hybrid/Distributed IDS

Combines HIDS and NIDS to provide comprehensive coverage.
Challenges:
Interoperability between different IDS technologies.
Coordination and data exchange in distributed systems.

IDS Analysis Approaches

1. Anomaly (Behavior) Detection
Data Collection: Involves collecting data on the behavior of
legitimate users over a period of time.
Analysis: The current behavior is analyzed to determine whether it
aligns with legitimate user behavior or if it indicates the presence
 of an intruder.
Detection of Unknown Attacks: Capable of detecting unknown or
zero-day attacks since it compares behavior rather than known
attack signatures.
Goal: The aim is to define what constitutes normal or expected
behavior to identify malicious or unauthorized behavior.
2. Signature (Data Patterns) / Heuristic (Attack Rules) Detection
Data Patterns: Uses a set of known malicious data patterns or
attack rules to compare against current behavior.
Also known as misuse detection.
Limitation: Can only identify known attacks for which it has
predefined patterns or rules.
Goal: Directly defines what constitutes malicious or unauthorized
behavior based on predefined patterns or rules.

Anomaly-Based IDS

Requires Understanding of Normal Behavior: It needs a clear definition
of what is considered "normal" behavior for the system or network.
Performance Baseline: Establishes a baseline of normal traffic and
activity, which is used for comparison.
Identification of Unexpected Conditions: Conditions that deviate from
the baseline are flagged as suspicious or potentially malicious.
Learning Systems: Anomaly-based IDS are "learning" systems because
they continuously create and update norms or profiles of normal activities
over time.
Comparison to Normal Profiles: The system compares observed
activity against the learned normal usage profiles to identify potential
anomalies.
Detection of Intrusions: Anomalies detected can indicate intrusions or
malicious activities that are different from what is considered normal
behavior.
Approaches:
Threshold detection: Tracks excessive events over time.
Checks excessive event occurrences over time to identify
anomalies.
Thresholds and Time Intervals: Requires setting both
threshold values (e.g., how many times an event can occur)
and the time intervals within which the events should be
counted.
Challenges:
▪ Due to variability across users, threshold detection is
prone to false positives (too many alerts) or false
negatives (missed detections).
Threshold detection can be used alongside more
sophisticated techniques for better accuracy and fewer
errors.
Profile-based detection: Develops user or system profiles using audit
records.
Profiles can be developed for different entities such as:
▪ Users
▪ Groups of users
▪ Applications
▪ System resource usage (CPU, memory, etc.)

Foundation: This approach is based on the analysis of audit
records (logs and historical activity) to create profiles that
define what normal behavior looks like for each entity.

Metrics:
 Counters (e.g., login attempts).
Gauges (e.g., current resource usage).
Resource utilization (e.g., pages printed during a session).
Statistical Test
Mean and Standard Deviation
Reflects average behavior and variability.
Applied to counters, timers, and resource usage.
Multivariate
Considers correlations between multiple variables (e.g.,
processor time and resource usage).
Markov Process
Analyzes state transitions (e.g., transitions between
commands).
Time Series
Focuses on event timing (too rapid or slow sequences).
Operational
Based on fixed limits; intrusion suspected if an observation is
outside these limits.

Anomaly-based IDS Classification Approaches

1. Statistical Approaches
Pros: Simple, low computational cost, no assumptions.
Cons: Difficulty in selecting metrics for balancing false
positives/negatives; not all behaviors can be modeled.
2. Knowledge-based Approaches
Pros: Robust and flexible.
Cons: Time-consuming, requires human experts, and hard to
develop high-quality knowledge from data.
 3. Machine Learning Approaches
Pros: Efficient once the model is trained.
Cons: Requires significant time and resources for training.
Examples: Bayesian networks, Markov models, Neural networks,
Fuzzy logic, Genetic algorithms, Clustering, Outlier detection.

Signature-Based IDS

How It Works:
Matches observed data with known malicious patterns (signatures)
or heuristic rules.
Examples:
Signature-based: Detects exact attack patterns (e.g., malware
signatures).
Rule-based heuristic: Uses rules to identify suspicious behavior even
within normal bounds.
Applications:
Anti-virus software, network traffic monitoring (e.g., SNORT).

Common Attacks Detected by IDS

Signature-Based:
Application-layer attacks (e.g., HTTP, SMTP).
Transport-layer attacks (e.g., SYN floods).
Network-layer attacks (e.g., spoofed IPs).
Anomaly-Based:
Denial-of-Service (DoS) attacks.
Scanning attacks (e.g., port scans).
Worm propagation.

Logging and Alerting
 Logged Information:
Timestamp, session ID, event type, priority/severity,
source/destination IPs and ports, and payload data.
Uses:
Refining detection algorithms.
Evidence collection for legal proceedings.

Challenges in IDS

High rate of false alarms.
Managing large volumes of alerts.
Analyzing encrypted traffic.
Ensuring scalability and effective deployment.

Response to Intrusions

Incident Response Team (IRT):
Handles intrusion reports, assesses damage, and coordinates
recovery.
Responsibilities include updating security measures and maintaining
logs.
IDS Logs:
Serve as evidence for legal actions.
Require user consent policies for monitoring internal networks.

Implementing an IDS

An effective IDS should be supported by other systems for better security.
These include:

1. Operating Systems
 A good operating system should have logging and auditing
features.
Modern operating systems (e.g., Windows, Unix, and other Unix
variants) include these features.
These features help in monitoring security-critical resources.
2. Auditing Features
All applications on servers (e.g., Web servers, email servers,
databases) should include logging and auditing features to track
activities.
3. Firewalls
A good firewall should have network intrusion detection
capabilities to help prevent unauthorized access.
4. Network Management Platform
Use network management services (e.g., OpenView) to set up
alerts for suspicious activities.

Intrusion Prevention System (IPS)
An Intrusion Prevention System (IPS) is a proactive network security
technology that identifies, blocks, and prevents malicious activity in real
time.

Key Features

1. Continuous Monitoring: Monitors the network around the clock for signs
of intrusion.
2. Automated Responses: Blocks malicious activity immediately without
waiting for manual action.
3. Real-Time Threat Mitigation: Reduces the effectiveness of attacks by
identifying and preventing them.
 4. Modern Technology: More advanced than traditional IDS (Intrusion
Detection Systems), offering preventive capabilities.

Advantages of IPS:

Prevents downtime caused by security incidents.
Helps maintain the integrity of sensitive data.
Enables compliance with regulatory standards.

4. IDS vs. IPS

Feature IDS (Intrusion Detection System) IPS (Intrusion Prevention System)

Description Detects and alerts for Detects and prevents
suspicious activities. malicious activities in
real time.
Placement Out-of-band (passive); Inline (active); affects
does not affect traffic network performance.
flow.
Response Generates alerts but Automatically blocks
requires manual threats and can take
intervention to respond. remedial actions.
Impact of False False positives are False positives can
Positives harmless and do not disrupt legitimate
affect operations. activities.
Performance Impact Minimal, as it does not Inline placement may
analyze live traffic. cause latency in traffic
flow.

Host-Based Intrusion Prevention System (HIPS)

HIPS is installed on individual hosts (devices) and protects them by
identifying and mitigating malicious activity at the system level.

Detection Techniques
 1. Signature-Based Detection:
Matches activity patterns to a database of known malicious
behaviors.
Effective for detecting known threats.
2. Anomaly-Based Detection:
Detects deviations from normal behavior (e.g., unusual file
modifications or privilege escalations).

Features

Provides protection for
1. System Calls: Monitors and controls the functions called by
programs.
2. File System Access: Tracks unauthorized changes to files or
directories.
3. Registry Settings: Prevents malicious modifications to the registry.
4. Host Input/Output: Ensures safe communication between devices.

Malicious Activities Prevented by HIPS:
Buffer overflow exploits.
Unauthorized access to email contact lists.
Privilege escalation attacks.

Network-Based Intrusion Prevention System (NIPS)

Deployed at the network level to monitor, analyze, and block malicious
data packets.

Techniques for Malicious Packet Identification

1. Pattern Matching: Compares packets to predefined malicious patterns.
 2. Stateful Matching: Tracks the state of connections to identify abnormal
behavior.
3. Protocol Anomaly Detection: Flags deviations from protocol standards
(e.g., non-compliant HTTP requests).
4. Traffic Anomaly Detection: Monitors traffic volumes and patterns to
detect unusual spikes.
5. Statistical Anomaly Detection: Uses statistical methods to identify
abnormal activity trends.

Special Features of NIPS

Can reassemble fragmented packets to detect hidden threats.
Modifies or discards suspicious packets in real time.

Distributed or Hybrid Intrusion Prevention Systems

Combines host-based and network-based detection methods for broader
and more effective security coverage.

Architecture

Utilizes multiple sensors across hosts and networks.
Relays collected data to a central system for analysis.
Updates signatures and behavior patterns dynamically.

Example

IBM's Digital Immune System: Developed to detect and neutralize
internet-based malware.
Motivation: Rising threats from rapidly propagating malware.
Objective: Provides immediate response upon malware detection.

Honeypots
Decoy systems designed to attract attackers, gather intelligence about their
activities, and distract them from real targets.

Key Characteristics

1. Mimics real systems to deceive attackers.
2. Contains fabricated data to keep attackers engaged.
3. Provides a safe environment to study attack methods.

Types of Honeypots

1. Host Trap: Simulates vulnerable computers with real or emulated
services.
2. Network Trap: Gives the illusion of a compromised network.
3. Email/Spam Trap: Identifies and blocks spam sources.
4. Malware Honeypot: Simulates software or APIs to attract and analyze
malware.

Classification

1. Low-Interaction Honeypots:
Simulates basic functions of a system or service.
Less realistic but easier to maintain.
2. High-Interaction Honeypots:
Fully functional systems that provide detailed insights.
Resource-intensive but more effective in engaging attackers.

Benefits

Identifies threat sources.
Exposes vulnerabilities in the organization.
Helps slow down attack progression.
Deployment
Core Components:

Honeypots: These are decoy systems that mimic real systems, such as
servers, network devices, or applications. They are designed to lure
attackers into interacting with them.
Firewall: A firewall is a security device that monitors and controls
incoming and outgoing network traffic. In this deployment, the firewall
protects the internal network and the honeypots from unauthorized
access.
Internal Network: This represents the organization's internal network,
which houses critical servers and systems.

Deployment Scenarios:

1. Internet-Facing Honeypot:
A honeypot is directly exposed to the internet, making it a prime
target for attackers.
This setup allows for early detection of new attack techniques and
zero-day vulnerabilities.
2. Internal Honeypot:
A honeypot is deployed within the internal network to monitor for
insider threats or lateral movement of attackers.
This helps identify potential security weaknesses and vulnerabilities
within the network.
3. Multiple Honeypots:
Deploying multiple honeypots with different configurations and levels
of sophistication can provide a more comprehensive security
solution.
 This can help to attract a wider range of attackers and gather
valuable intelligence.

Snort: An Open-Source IDS/IPS
Snort is a powerful and lightweight IDS/IPS capable of packet sniffing, logging,
and real-time intrusion detection.

Uses

1. Packet Sniffer

2. Packet Logger
3. IDS/IPS (Detects and prevents intrusions)

Key Features

1. Open-source and community-supported.
2. Highly scalable and customizable.
3. Continuously updated to include new rules.

Capturing Network Traffic

Sniffing Interface:
Libpcap-based for traffic capture.
Deployment Methods:
1. Close to Choke Point:
Position Snort where all traffic flows in/out (e.g., after the
firewall).
2. In-line Device:
Place Snort behind or after the firewall/router.
3. Span/Mirror Port:
Use a span/mirror port on the switch to send traffic to Snort.
 Caution:
Avoid overloading switch ports when using mirror ports.

Snort Rules

File Format:
Snort rules are plain text files.
Adding Rules:
Simply drop new rule files into /etc/snort/rules/.
Loading Rules:
Groups of rules can be loaded using the “include” statement in
snort.conf.
Types of Rules:
Community Ruleset (free)
Snort Subscriber Ruleset (paid)
Rule Matching:
Technical: Web attacks, buffer overflow, port scanning, etc.
Policy/User-Oriented: URL filtering, keyword blocking, forbidden
apps, etc.

Categories

Meta-data:
Provides additional information about the rule (e.g., rule description,
priority)
Does not affect detection.
Payload:
Looks for specific data inside the packet payload.
Can be interrelated with other parts of the packet.
Non-payload:
 Focuses on non-payload data (e.g., header fields, packet flags).
Post-detection:
Triggered after the rule matches a packet, such as logging or alerting
actions.

Operations

Modes Snort Can Run In:

1. Packet Sniffer
2. Packet Logger
3. IDS/IPS

Packet Sniffer:
snort -dev

Packet Logger:
snort -dev -l /var/log/snortdump -L snort.output

IDS Mode:
snort -c /etc/snort/snort.conf

IPS Mode:
snort -Q -i br0 -c /etc/snort/snort.conf

Tuning Strategies

Enable Only Necessary Rules:
Only activate rules that are relevant to your environment to avoid
unnecessary alerts.
Configure Preprocessors:
Adjust preprocessor settings for your specific environment to reduce
false alerts caused by default configurations.
Tune snort.conf Variables:
 Fine-tune variables in snort.conf to optimize Snort’s performance
and detection capabilities.
Care with Custom Rules:
Writing custom rules requires caution:
Performance Impact: Poorly written rules can slow down
Snort.
False Positives: Incorrect rules can lead to unnecessary alerts.
False Negatives: Bad rules might miss detecting actual threats.

Evading Firewall
What is Firewall Evasion?

Firewall Evasion refers to methods used to bypass or circumvent
firewalls, enabling access to restricted resources.
Reasons for Firewall Evasion:
1. For Attack: Malicious actors use these techniques to bypass
defenses and gain unauthorized access.
2. For Convenience: Legitimate users may evade firewalls to
overcome restrictions or access blocked resources.

Evasion Techniques

SSH Tunneling
Dynamic Port Forwarding
Virtual Private Network

SSH Tunneling

SSH (Secure Shell) Tunneling is a technique used to securely forward data
through an encrypted connection, bypassing firewalls.
Scenario 1: Ingress Filtering

Problem: A company firewall blocks incoming Telnet traffic from "home" to
"work."
Solution:
Establish an SSH tunnel from "home" to an intermediate machine
"apollo" within the company.
The tunnel forwards traffic from "home" → "apollo" → "work."
Since SSH traffic is encrypted, the firewall cannot detect the Telnet
connection.

Steps for Implementation:

1. Establish a tunnel between "home" and "apollo."
Use the following SSH command for Local Port Forwarding:
ssh -L 8000:work:23 apollo

2. Telnet to localhost:8000. The traffic is forwarded through the tunnel to
the machine "work."

Scenario 2: Egress Filtering

Problem: A company firewall prevents access to websites like Facebook
from "work."
Solution:
Establish an SSH tunnel from "work" to an external machine "home."
Forward HTTP traffic through the tunnel to bypass the firewall.

Steps for Implementation:

1. Establish a tunnel from "work" to "home."
Use the following SSH command:
ssh -L 8000:home:80 home
 2. In the browser, type localhost:8000. The tunnel forwards requests to the
destination site via "home."

Local Port Forwarding

Command:
ssh -L 8000:192.168.60.5:80 10.0.2.7

Explanation:
-L : Local port forwarding.

8000 : Local port used for forwarding.

192.168.60.5:80 : Target destination (IP and port).

10.0.2.7 : SSH server acting as the middleman.

Remote Port Forwarding

Command:
ssh -R 8000:work:23 home

Explanation:
-R : Remote port forwarding.

Traffic from "home" will be forwarded to port 23 on "work."

Dynamic Port Forwarding

Dynamic Port Forwarding is an advanced SSH tunneling technique where a
SOCKS proxy is used to route traffic.

Key Features

Unlike static port forwarding, dynamic port forwarding does not specify
the destination upfront.
Instead, the client determines the final destination at runtime.

Implementation
 1. Set up a SOCKS proxy on the localhost using SSH:
ssh -D 9000 home

2. Configure the browser to route traffic through the SOCKS proxy at
localhost:9000.

3. Enter any blocked site URL in the browser. The SSH tunnel forwards the
traffic to "home," which communicates with the blocked site.

VPN

A Virtual Private Network (VPN) can also be used to bypass firewalls.

How It Works

A VPN establishes a secure tunnel between a computer inside the
network and another outside.
Encrypted traffic passes through the tunnel, making it invisible to the
firewall.
Example: A company employee uses a VPN to access blocked websites.

Advantages

VPNs allow unrestricted internet access.
The firewall cannot filter or analyze the encrypted traffic within the VPN
tunnel.

Firewall Limitations
Bypassing via Alternate Connections:
Dial-up connections, VPNs, and extranets can bypass the firewall.
Internal Threats:
Firewalls are ineffective against malicious activities initiated by
trusted insiders.
Application Layer Attacks:
 Threats targeting application layers (e.g., HTTP or HTTPS) may
sneak through.
Improperly Secured Wireless LANs:
Attackers can access the network from outside the organization.
Portable Devices:
Laptops, PDAs, or USB drives infected outside the network can
compromise internal systems.