VERSION .01
COMPILED BY Harsh Puri
For my college project, I am designing an Intrusion Detection System. There are many sources available on the Net, but there are few which tell how to code an IDS. I am developing this link so that it may help some other people to develop an IDS, and in an attempt that we can share knowledge.
This doc is far from complete. It just gives an introduction to what an IDS is and what is needed to develop an IDS. At present I am just planning, but as soon as I begin coding, I will definitely keep updating it.
Before going into the details of IDS I just want to say: “An IDS is not tough to design but the question remains will it be effective or not.”
So, starting with IDS, here are the different types of IDS available and the various design issues which must be considered:

1. Types of IDS available:

a) Network intrusion detection systems (NIDS)
It monitors packets on the network and attempts to discover an intruder by matching the attack pattern to a database of known attack patterns. For example, it may go looking for a large number of TCP connection requests (SYN) to many different ports on a target machine, thus discovering if someone is attempting a TCP port scan.
b) Host based intrusion detection systems (HIDS)
It goes on monitoring security event logs or checking for changes to the system, for example changes to critical system files or to the system's registry. It can be of the following types:
System integrity checkers: monitor system files and the system registry for changes made by intruders.
Log file monitors: monitor log files generated by computer systems. Windows NT/2000 and XP systems generate security events about critical security issues happening on the machine.
c) Deception systems: often known as Honey Pots, these contain pseudo-services whose goal is to emulate well-known holes in order to trap hackers.
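One way to build the "system integrity checker" kind of HIDS described above, as an added example (this is not the author's code and not part of the original doc): a baseline of SHA-256 digests is taken over a directory tree, and a later pass reports files that were modified, added or removed. The directory and its contents are constructed inside a temporary folder so the script runs offline; the file names (etc/passwd, etc/hosts, etc/rc.local) are stand-ins chosen for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """Return the SHA-256 hex digest of one file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record {relative posix path: digest} for every regular file."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare_to_baseline(root, baseline):
    """Re-hash `root` and report files that changed, appeared, or disappeared
    since `baseline` was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo():
    """Constructed scenario: baseline a scratch directory, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        # Simulated changes an integrity checker should catch:
        # an account line appended, a new startup script, a deleted file
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nguest2:x:1001:1001::/home/guest2:/bin/sh\n"
        )
        (root / "etc" / "rc.local").write_text("#!/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline must be stored somewhere the intruder cannot rewrite (read-only media or a remote host), otherwise the attacker simply re-baselines after tampering.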
2. How to detect intrusions:

a) Anomaly detection
The idea behind this approach is to measure a "baseline" of statistics such as CPU utilization, disk activity, user logins, file activity, and so forth. Then the system can trigger a warning when there is a deviation from this baseline.
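A minimal anomaly detector of the kind just described, added here as an example (not the author's code): the baseline is the mean and standard deviation of each metric over a quiet period, and a new snapshot raises an alert for any metric that lies more than a chosen number of standard deviations away. The metric names and the sample values are constructed; a real system would feed them from performance counters or the security log.

```python
import statistics

# Constructed history of three metrics sampled hourly during a quiet period.
HISTORY = {
    "cpu_pct": [12, 15, 11, 14, 13, 16, 12, 14],
    "failed_logins": [3, 5, 4, 6, 2, 5, 4, 3],
    "disk_io_mb": [40, 45, 38, 50, 42, 47, 41, 44],
}


def build_baseline(history):
    """Summarise each metric's normal behaviour as (mean, population std dev)."""
    return {
        name: (statistics.fmean(samples), statistics.pstdev(samples))
        for name, samples in history.items()
    }


def z_score(value, mean, stdev):
    """Distance of a new observation from the baseline, in standard deviations."""
    if stdev == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev


def check_snapshot(snapshot, baseline, threshold=3.0):
    """Compare one snapshot {metric: value} against the baseline and return
    (metric, value, z) for every metric whose deviation exceeds `threshold`."""
    alerts = []
    for name, value in snapshot.items():
        if name not in baseline:
            continue  # unknown metric: nothing to compare against
        mean, stdev = baseline[name]
        z = z_score(value, mean, stdev)
        if abs(z) > threshold:
            alerts.append((name, value, round(z, 1)))
    return alerts


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Constructed snapshots: a normal hour, then an hour with a burst of failed logins
    print(check_snapshot({"cpu_pct": 14, "failed_logins": 5, "disk_io_mb": 45}, base))
    print(check_snapshot({"cpu_pct": 14, "failed_logins": 40, "disk_io_mb": 45}, base))
```

The threshold is the tuning knob: too low and every backup job becomes an alert, too high and a slow, patient intruder stays under it. Metrics with a daily rhythm (logins, CPU) are better baselined per hour of day than with one global mean.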
b) Signature recognition
This can be as simple as a pattern match. The classic example is to examine every packet on the wire for the pattern "/cgi-bin/phf?", which might indicate somebody attempting to access this vulnerable CGI script on a web server.
3. Matching signatures with incoming traffic:

a) Protocol stack verification: a number of intrusions use violations of the underlying IP, TCP, UDP, and ICMP protocols in order to attack the machine. A simple verification system can flag invalid packets.
b) Application protocol verification: a number of intrusions use invalid protocol behavior, such as DNS cache poisoning, which has a valid but unusual signature. A NIDS must re-implement a wide variety of application-layer protocols in order to detect suspicious or invalid behavior.
c) Creating new loggable events: a NIDS can be used to extend the auditing capabilities of your network management software. For example, a NIDS can simply log all the application layer protocols used on a machine.
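The following added example (not the author's or Snort's code) puts the signature recognition from section 2b and points 3a and 3c above into one small inspection loop. Packets are represented as dicts, as a capture-parsing layer would hand them over; the five packets are constructed, the signature database holds only the "/cgi-bin/phf?" pattern the text mentions, and the port-to-protocol table is an assumption used to produce the "which application protocols were seen" log of 3c.

```python
import re
from collections import Counter

# Signature database: compiled pattern -> description (section 2b).
SIGNATURES = {
    re.compile(rb"/cgi-bin/phf\?"): "attempt to access vulnerable phf CGI script",
}

# Assumed port -> application protocol table for the 3c event log.
APP_PROTOCOLS = {22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 110: "POP3", 143: "IMAP", 443: "HTTPS"}

# Constructed packet records (decoded IP/TCP/UDP fields plus payload bytes).
PACKETS = [
    {"proto": "TCP", "src": "10.0.0.5", "dst": "10.0.0.80", "sport": 40000, "dport": 80,
     "flags": {"ACK", "PSH"}, "ttl": 64, "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
    {"proto": "TCP", "src": "10.0.0.6", "dst": "10.0.0.80", "sport": 40001, "dport": 80,
     "flags": {"ACK", "PSH"}, "ttl": 64, "payload": b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"},
    {"proto": "TCP", "src": "10.0.0.7", "dst": "10.0.0.80", "sport": 40002, "dport": 22,
     "flags": {"SYN", "FIN"}, "ttl": 64, "payload": b""},   # contradictory flags
    {"proto": "TCP", "src": "10.0.0.8", "dst": "10.0.0.80", "sport": 0, "dport": 25,
     "flags": {"SYN"}, "ttl": 64, "payload": b""},          # reserved port 0
    {"proto": "UDP", "src": "10.0.0.9", "dst": "10.0.0.53", "sport": 5353, "dport": 53,
     "flags": set(), "ttl": 0, "payload": b"\x12\x34\x01\x00"},  # TTL 0 on arrival
]


def verify_protocol_stack(pkt):
    """Section 3a: return a list of basic IP/TCP/UDP rule violations in this packet."""
    problems = []
    if pkt["ttl"] <= 0:
        problems.append("invalid TTL")
    if pkt["sport"] == 0 or pkt["dport"] == 0:
        problems.append("reserved port 0")
    if pkt["proto"] == "TCP":
        f = pkt["flags"]
        if "SYN" in f and "FIN" in f:
            problems.append("SYN and FIN set together")
        if "SYN" in f and "RST" in f:
            problems.append("SYN and RST set together")
        if not f:
            problems.append("null TCP flags")
    return problems


def match_signatures(pkt):
    """Section 2b: descriptions of every signature found in the payload."""
    return [desc for pat, desc in SIGNATURES.items() if pat.search(pkt["payload"])]


def app_protocol(pkt):
    """Section 3c: name the application protocol by destination port (assumed table)."""
    return APP_PROTOCOLS.get(pkt["dport"], "unknown")


def inspect(packets):
    """Run every packet through both checks; return (alerts, protocols_seen)."""
    alerts = []
    seen = Counter()
    for pkt in packets:
        seen[app_protocol(pkt)] += 1
        for problem in verify_protocol_stack(pkt):
            alerts.append((pkt["src"], "protocol", problem))
        for sig in match_signatures(pkt):
            alerts.append((pkt["src"], "signature", sig))
    return alerts, seen


if __name__ == "__main__":
    found, protocols = inspect(PACKETS)
    for a in found:
        print("ALERT", *a)
    print("protocols seen:", dict(protocols))
```

Two caveats the paragraph hides: a payload match only works on traffic the sensor can read (not inside TLS), and an attacker can split "/cgi-bin/phf?" across TCP segments, so a real NIDS reassembles the stream before matching rather than checking packets one at a time.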
4. SNORT
Snort is an open source network intrusion detection system. It has become one of the most effective network based intrusion detection systems around. However, Snort requires a fair amount of networking knowledge. http://www.snort.org/
After specifying the basics of IDS I would love to summarize the different types of attacks.

Types of Attacks:

1. DDoS (Distributed Denial of Service) attack:
A Distributed Denial of Service attack consists of launching a Denial of Service attack from a good number of sites against a single host. Such an attack is generally more effective at bringing down huge corporate sites than a DoS attack.
Types of DDoS attack:

a) Smurf / Fraggle (most devastating DoS attacks)
It uses bandwidth consumption to disable a system's network resources. It accomplishes this using amplification of the attacker's bandwidth. Three actors participate in the DoS attack: the attacker, the victim, and the amplifying network. The attacker sends a ping request to the amplifying network with the victim's address as the return address. If the amplifying network has 100 systems, the signal can be amplified 100 times.
b) SYN Flood
During a normal TCP handshake, (1) a client sends a SYN request to the server, (2) the server responds with a SYN/ACK to the client, and (3) the client sends a final ACK back to the server. In a SYN flood attack, the attacker sends multiple SYN requests to the victim with spoofed source addresses for the return address. The spoofed addresses are for nonexistent networks. If the attacker sends SYN requests often enough, the victim's available resources for setting up a connection will be consumed waiting for these bogus ACKs.
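How a NIDS would notice the two SYN-based patterns this doc mentions, the TCP port scan from section 1a and the SYN flood just described, as one added example (not the author's code): the tracker reads one-line connection events, keeps a table of handshakes that have not yet received the client's final ACK (half-open), and counts the distinct destination ports each source has sent SYNs to. The line format, the thresholds and all the traffic are constructed; the spoofed-looking sources use the 203.0.113.0/24 documentation range.

```python
import re
from collections import defaultdict

# Assumed event format: "TCP <src>:<sport> -> <dst>:<dport> <FLAG|FLAG>"
LINE_RE = re.compile(
    r"TCP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z|]+)$"
)


def parse(line):
    """Turn one event line into a dict, or None if it does not match the format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    ev["flags"] = set(ev["flags"].split("|"))
    return ev


class SynTracker:
    def __init__(self, scan_ports=8, flood_half_open=100):
        self.scan_ports = scan_ports            # distinct ports from one src to one dst
        self.flood_half_open = flood_half_open  # half-open handshakes pending on one dst
        self.half_open = {}                     # (src, sport, dst, dport) -> dst
        self.ports_probed = defaultdict(set)    # (src, dst) -> {dport, ...}

    def feed(self, line):
        ev = parse(line)
        if ev is None:
            return
        key = (ev["src"], ev["sport"], ev["dst"], ev["dport"])
        if ev["flags"] == {"SYN"}:
            self.half_open[key] = ev["dst"]     # step (1): handshake opened
            self.ports_probed[(ev["src"], ev["dst"])].add(ev["dport"])
        elif ev["flags"] == {"ACK"} and key in self.half_open:
            del self.half_open[key]             # step (3): client completed it

    def half_open_per_host(self):
        counts = defaultdict(int)
        for dst in self.half_open.values():
            counts[dst] += 1
        return dict(counts)

    def alerts(self):
        out = []
        for (src, dst), ports in self.ports_probed.items():
            if len(ports) >= self.scan_ports:
                out.append(("port_scan", src, dst, len(ports)))
        for dst, n in self.half_open_per_host().items():
            if n >= self.flood_half_open:
                out.append(("syn_flood", dst, n))
        return out


def constructed_traffic():
    """Constructed event lines: normal clients, one port scanner, one SYN flood."""
    lines = []
    for i, client in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
        sport = 50000 + i                       # three complete handshakes to the web server
        lines.append(f"TCP {client}:{sport} -> 192.168.1.20:80 SYN")
        lines.append(f"TCP 192.168.1.20:80 -> {client}:{sport} SYN|ACK")
        lines.append(f"TCP {client}:{sport} -> 192.168.1.20:80 ACK")
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080]):
        lines.append(f"TCP 10.0.0.5:{41000 + i} -> 192.168.1.10:{port} SYN")   # scanner
    for i in range(150):                        # SYNs from sources that never answer
        lines.append(f"TCP 203.0.113.{i % 250 + 1}:{42000 + i} -> 192.168.1.20:80 SYN")
    return lines


def run_demo():
    tracker = SynTracker()
    for line in constructed_traffic():
        tracker.feed(line)
    return tracker.alerts()


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

A production tracker also expires half-open entries after a timeout and counts per time window, otherwise a slow scanner or a busy but healthy server eventually trips the same thresholds.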
2. Information gathering:
Network mapping - ping sweeps
DNS zone transfers
E-mail recons
TCP or UDP port scans - enumeration of services
Indexing of public web servers to find web server and CGI holes
OS fingerprinting
3. Exploits:
Attackers make use of vulnerabilities in target servers or misconfiguration on the system/network. Some exploits are:
CGI scripts: attacks that make use of CGI scripts include cross-site scripting, SQL command injection, and path traversal.
Web server attacks: both Apache on UNIX and IIS on Windows NT have their share of root or SYSTEM vulnerabilities.
Web browser attacks: typical software vulnerabilities like format string and buffer overflow attacks are also found in HTTP clients (such as Internet Explorer and Netscape). Active content such as JavaScript, Java, ActiveX and HTML itself can also pose a security risk.
POP3 and IMAP: POP3 and IMAP servers are known to contain exploits just like any other software. Apart from that, an attacker can launch an attack in order to guess the password of a specific email address.
IP spoofing: SMURF attack; TCP sequence number prediction; DNS poisoning through sequence prediction.
Buffer overflows: buffer overruns in major web servers. DNS overflow: present in older DNS servers (BIND).
DNS attacks: DNS servers are usually trusted by services and users, meaning that compromising a DNS server can lead to further attacks on end users and other services.
DNS cache poisoning: in simple terms it works by sending a question to resolve a given domain
Final Word
This is just a small part; there is a long way to go.
If there is a mistake or you have any suggestion, please feel free to contact me.
If you are interested in the development of IDS and want to keep yourself updated regarding development, you can join the group:
REFERENCES
http://www.robertgraham.com/pubs/network-intrusion-detection.html

Further reading:
http://nsl.cs.columbia.edu/projects/projects/index.html
1. SOS: Secure Overlay Services. Angelos D. Keromytis, Vishal Misra, Dan Rubenstein. Department of Computer Science, Department of Electrical Engineering.
2. FlowOS. Network Security Lab at