
User-Level Packet Capture - TCP/IP - Assignment Example

Summary
The author of this paper "User-Level Packet Capture - TCP/IP" discusses the implementation and precisely describes TCP/IP, giving the most critical inspection and investigation among the research in this field, such as Henderson (2009), Koziol (2003), Wright and Stephens (1995)…

Extract of sample "User-Level Packet Capture - TCP/IP"

Questions and Answers
A. TCP/IP
According to Wright and Stephens (1995), the problems encountered if IP reassembly is attempted in intermediate devices such as routers are as follows. When a datagram is fragmented, either by the originating device or by one or more routers transmitting the datagram, it becomes multiple fragment datagrams. The destination of the whole message must gather these fragments and then reassemble them into the original message. Reassembly uses the information carried in each fragment to put the jigsaw puzzle back together again.
Henderson (2009) argues that reassembly is the complement to fragmentation, although the two are not symmetric. The principal difference between them is that, whereas intermediate routers can fragment a single datagram or further fragment a datagram that is already a fragment, intermediate devices do not perform reassembly. Reassembly can be carried out only by the ultimate destination of the IP message. If an intermediate router on one side of a physical network with an MTU of 1,300 fragments a 3,300 byte datagram, the router on the other end of the 1,300 MTU link will not return the 3,000 byte datagram to its initial state. It will send all the 1,300 byte fragments on down the internet.
Wright and Stephens (1995) argue that the decision to implement IP reassembly this way was made to avoid certain problems. First, fragments can take different routes from the source to the destination, so any given router may not see all the fragments of a message. Secondly, requiring routers to concern themselves with reassembling fragments would increase their complexity. Lastly, message reassembly requires waiting for all fragments before sending on the reassembled message. Having routers do this would slow routing down. Since routers do not reassemble, they can immediately forward all fragments on to the ultimate recipient.
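The behaviour described above, modelled in a short Python example that is added here and is not part of the original essay: routers only ever split a datagram, and the destination alone reassembles it. The 3,300-byte datagram and the 1,300-byte MTU come from the text; the 20-byte header without options, the MTU of the second link and the `Fragment` type are assumptions of this sketch.

```python
from dataclasses import dataclass

IP_HEADER = 20  # assumption: IPv4 header without options

@dataclass(frozen=True)
class Fragment:
    ident: int    # identification value shared by all pieces of one datagram
    offset: int   # fragment offset, in 8-byte units
    more: bool    # MF ("more fragments") flag
    data: bytes

    @property
    def total_length(self) -> int:
        return IP_HEADER + len(self.data)

def forward(frag: Fragment, mtu: int) -> list:
    """Router behaviour: split a datagram that exceeds the link MTU, never merge."""
    if frag.total_length <= mtu:
        return [frag]
    step = (mtu - IP_HEADER) // 8 * 8  # payload per piece must be a multiple of 8
    if step <= 0:
        raise ValueError("MTU too small to carry any payload")
    pieces = []
    for start in range(0, len(frag.data), step):
        last = start + step >= len(frag.data)
        pieces.append(Fragment(frag.ident, frag.offset + start // 8,
                               frag.more or not last,
                               frag.data[start:start + step]))
    return pieces

def route(datagram: Fragment, link_mtus: list) -> list:
    """Pass a datagram across successive links; fragments are only ever split."""
    frags = [datagram]
    for mtu in link_mtus:
        frags = [piece for f in frags for piece in forward(f, mtu)]
    return frags

def reassemble(frags: list):
    """Destination behaviour: rebuild the payload, or None if anything is missing."""
    ordered = sorted(frags, key=lambda f: f.offset)
    if not ordered or ordered[-1].more:
        return None                     # final fragment has not arrived
    payload = bytearray()
    for f in ordered:
        if f.offset * 8 != len(payload):
            return None                 # hole or overlap: discard the message
        payload += f.data
    return bytes(payload)

def demo():
    # Constructed sample: a 3,300-byte datagram (20 header + 3,280 payload bytes).
    payload = bytes(i % 251 for i in range(3280))
    datagram = Fragment(ident=1, offset=0, more=False, data=payload)
    arrived = route(datagram, [1300, 3300])   # small link, then a large one
    sizes = [f.total_length for f in arrived]
    return sizes, reassemble(arrived[::-1]) == payload, reassemble(arrived[:2])

if __name__ == "__main__":
    print(demo())
```

The three fragments cross the larger second link unchanged, and losing any one of them leaves the destination with nothing to deliver.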
According to Henderson (2009), some of the drawbacks are as follows. First, it results in smaller fragments traveling over longer routes than if intermediate reassembly occurred. This increases the likelihood of a fragment getting lost and the entire message thus being discarded. Secondly, there is a potential inefficiency in the utilization of link layer frame capacity. For example, the 1,300-byte fragments of the 3,300 byte datagram would not be reassembled at the end of the 1,000-MTU link. If the link after that one also had an MTU of 3,300, the data would have to be sent in three frames, each encapsulating a 1,300-byte fragment, instead of a single larger frame, which is slightly slower.
B. According to Henderson (2009), Host A (the receiver) and Host B (the sender) should do the following. Window management in TCP is not tied directly to acknowledgements as it is in most data link protocols. If the sender transmits a 2048-byte segment that is correctly received, the receiver will acknowledge the segment. However, since only 2048 bytes of buffer space is available, it will advertise a window of 2048 starting at the next byte expected. Henderson (2009) states that another 2048 bytes are then transmitted, which are acknowledged, but the advertised window is 0. The sender must stop until the application process on the receiving host has removed some data from the buffer, at which time TCP can advertise a larger window.
When the window is 0, the sender may not normally send segments, with two exceptions. First, urgent data may be sent, for example, to allow the user to terminate the process running on the remote machine. Second, the sender may send a 1-byte segment to make the receiver re-announce the next byte expected and the window. The TCP standard explicitly provides this option to prevent deadlock if a window announcement ever gets lost.
Henderson (2009) argues that senders are not permitted to transmit data when it comes from the application, while receivers are limited to sending acknowledgements immediately. When the first 1 KB of data came in, it would have been perfectly acceptable for TCP, because it has a 2-KB window available, to buffer the data until another 2 KB was received, so as to transmit a segment with a 2-KB payload.
5). According to Koziol (2003), Snort groups rules by protocol (ip, tcp, udp, icmp), then by ports (ip and icmp use slightly different logic), then by those with and without content. For rules with content, a multi-pattern matcher is used to select rules that have a chance of matching based on a single content. Selecting rules for evaluation via this fast pattern matcher is found to increase performance, especially when applied to large rule groups like HTTP. The longer and more unique a content is, the less likely it is that the rule and all of its options will be evaluated unnecessarily, and it is safe to say there is more good traffic than bad (Henderson, 2009). Rules without content are evaluated according to the protocol and port group in which they reside, potentially dragging down performance. While some detection options, such as byte_test and pcre, perform detection in the payload section of the packet, they are not used by the fast pattern matching engine. If at all possible, try to have at least one content (or uricontent) rule option in your rule.
Koziol (2003) argues that the first category of suspicious connection that Bro identifies and reports is vulnerability scans directed against systems. Instead of burdening you with every vulnerability scan, however small, that occurs against your systems, it reports only scans that are at or above a specified threshold of size, such as the number of vulnerability scan attempts per second. Bro also finds and reports attacks against user accounts, such as password guessing attempts.
Bro generates a number of types of alarms, such as suspicious connection attempts directed at your systems, port scans, and attempts to gain access to user accounts; thus, in my opinion, it can do a better job of detecting ACK scans.
Session disruption is the most popular method of circumvention because it is simple to implement (Koziol, 2003). Depending on whether the established session is UDP or TCP, an IDS that is configured for session disruption can knock down or reset the established connection. This does not stop the attacker from launching additional attacks, but it does prevent the attacker from causing any further damage in conjunction with the broken session. When the session disruption method is used and an attacker launches subsequent attacks, the IDS must continually attempt to close every attack session that is initiated.
Henderson (2009) claims that, with session disruption, the IDS employs different approaches to breaking the connection depending on the traffic it sees. If an attacker uses TCP sessions, the IDS resets them by sending RST packets to one or both hosts in the session. In the case of UDP, a session can be broken by sending ICMP packets from the IDS box to the host. An IDS might send a TCP RST packet to the attacker and the victim after detecting malicious traffic such as a well-known SubSeven connection.
According to Henderson (2009), another corrective measure is filter rule manipulation. This method works by modifying the access control list on a firewall or router. Filter rule manipulation firewalls off the attacker's IP address, blocking any additional attacks. This option should be used with considerable care because an attacker can use it to DoS the network. An attacker could spoof the IP address of one of your partners. When the IDS sees the attack and responds, it would block your partner's access. According to Koziol (2003), there are a few IDS products that provide filter rule manipulation.
Check Point firewall modifies RealSecure. The Cisco Intrusion Detection System (IDS) is a hardware-based IDS that can respond to an attack by adding an access control list to a router. Snort can offer filter rule manipulation when used with IDScenter, a tool used to manage Snort, when run on Win32 systems and BlackICE Defender. IDScenter blocks attackers after an alert is triggered by modifying the firewall file's access lists used by BlackICE Defender, a personal desktop firewall that protects only the machine on which it is installed.
According to McCanne and Jacobson (1993), a lightweight intrusion detection system can easily be deployed on most nodes of a network, with little disruption to operations. A lightweight IDS should be cross-platform, have a small footprint, and be easily configured by system administrators who need to implement a specific security solution in a short time. It can be any set of software tools that can be assembled and put into action in response to evolving security situations. Lightweight IDSs can be used as permanent elements of the network security infrastructure because they are small, flexible and powerful. The detection engine, which consists of chain headers and chain options, can be used.
6. SQL injection is an attack on your database through poorly coded forms or GET or POST parameters (Henderson, 2009). It means an attacker can run SQL directly against your database, allowing them to read or write any of your records at will. Cross-site scripting, on the other hand, is a technique used to inject code into the client's web browser, allowing an attacker to intercept the data the user is sending or receiving.
7). A. Henderson (2009) states that the following Snort rule options will be applied. First, the classtype keyword is used to categorize a rule as detecting an attack that is part of a more general attack class. Snort provides a default set of attack classes that are used by the default set of rules it provides.
Defining classifications for rules provides a way to organize the event data that Snort produces. Secondly, the msg rule option tells the logging and alerting engine the message to print along with a packet dump or an alert. It is a plain text string that uses \ as an escape character to indicate a character that might otherwise confuse Snort's rules parser (such as the semicolon character ;). This will bypass other irrelevant text that is not required. According to Henderson (2009), thirdly, the reference keyword allows rules to include references to external attack identification systems. The plug-in currently supports several specific systems as well as unique URLs. This plug-in is to be used by output plug-ins to provide a link to additional information about the alert produced. The sid keyword is used to uniquely identify Snort rules. This information allows output plug-ins to identify rules easily.
Standard access lists build filters based on source addresses and are used for server-based filtering (Henderson, 2009). Address-based access lists distinguish routes on a network to be controlled by using the network address number. Address-based access lists consist of a list of addresses along with a statement of whether access to or from each address is allowed or denied. Henderson (2009) gives the example R1(config)# access-list {1-99} {permit | deny} source-address. The first value, {1-99}, specifies the standard ACL number range. The second value specifies whether to permit or deny traffic from the configured source IP address. The third value is the source IP address that must be matched. The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range. Secondly, extended access lists create filters based on source addresses, destination addresses, protocol, port number and other features, and are used for filtering packets that traverse the network.
Another portion of the rule header (Henderson, 2009) deals with the IP address and port information for a given rule. The keyword any may be used to define any address. Snort does not have a mechanism to provide host name lookup for the IP address fields in the configuration file. The addresses are formed by a straight numeric IP address and a CIDR block. The CIDR block indicates the netmask that should be applied to the rule's address and to any incoming packets that are tested against the rule. A CIDR block mask of /24 indicates a class C network, /16 a class B network, and /32 indicates a specific machine address. For example, the address/CIDR combination 192.168.1.0/24 signifies the block of addresses from 192.168.1.1 to 192.168.1.255. CIDR provides a shorthand way to designate large address spaces with just a few characters.
B.) According to Henderson (2009), ranges of port numbers can be entered, similar to ranges of IP addresses. The most common ports are 80 for the Web, 443 for the encrypted Web, and 25 for sendmail. The whole range of available ports extends from 0 to 65535. For a range of ports, a colon is simply placed between the two ports. The following rule looks for any traffic containing “eBay.com” occurring on any TCP port between 1 and 1023. Henderson (2009) argues that port ranges with only a maximum or a minimum can be specified by leaving off a number. Wildcards simplify rules, just like the “splat” asterisks that you can type in a DOS window or UNIX shell to list only certain files. In Snort, the any keyword is the most powerful wildcard, and it is all over the place. According to Henderson (2009), the wildcard can be used in both the network and port configurations: any matches everything for the group in which it is placed. In the previous section, we used the any wildcard in certain places. When the host 192.168.1.18 attempts to initiate a message on any port with any host on ports 1–1023, it is a match, and the message eBaying appears in the logs.
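One way to evaluate the address and port part of a rule header, added here as an illustration (it is not Snort's own code and not from the original essay): it handles the any wildcard, plain IP addresses, CIDR blocks and the colon port ranges described above, and leaves the rule body out. The header string is constructed from the 192.168.1.18 example in the text; `parse_header`, `matches` and the sample packets are hypothetical.

```python
import ipaddress

def parse_ports(spec: str) -> tuple:
    """'any', '80', '1:1023', ':1023' or '1024:' -> inclusive (low, high)."""
    if spec == "any":
        return (0, 65535)
    if spec in ("", ":"):
        raise ValueError(f"bad port spec: {spec!r}")
    low, sep, high = spec.partition(":")
    if not sep:
        high = low                      # a single port
    lo = int(low) if low else 0         # ':1023' leaves off the minimum
    hi = int(high) if high else 65535   # '1024:' leaves off the maximum
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return (lo, hi)

def parse_addr(spec: str):
    """'any' -> None (wildcard); plain IP or CIDR block -> ip_network."""
    if spec == "any":
        return None
    return ipaddress.ip_network(spec, strict=False)  # a bare IP becomes a /32

def parse_header(header: str) -> dict:
    """Parse 'action proto src_ip src_port -> dst_ip dst_port'."""
    fields = header.split()
    if len(fields) != 7 or fields[4] != "->":
        raise ValueError(f"unsupported rule header: {header!r}")
    action, proto, src, sport, _, dst, dport = fields
    return {"action": action, "proto": proto,
            "src": parse_addr(src), "sport": parse_ports(sport),
            "dst": parse_addr(dst), "dport": parse_ports(dport)}

def _addr_ok(net, ip: str) -> bool:
    return net is None or ipaddress.ip_address(ip) in net

def _port_ok(rng: tuple, port: int) -> bool:
    return rng[0] <= port <= rng[1]

def matches(rule: dict, proto: str, src: str, sport: int,
            dst: str, dport: int) -> bool:
    """True when the packet's protocol, addresses and ports satisfy the header."""
    return (rule["proto"] == proto
            and _addr_ok(rule["src"], src) and _port_ok(rule["sport"], sport)
            and _addr_ok(rule["dst"], dst) and _port_ok(rule["dport"], dport))

# Constructed header for the host and port range used in the text.
EBAY_HEADER = "alert tcp 192.168.1.18 any -> any 1:1023"

def demo() -> list:
    rule = parse_header(EBAY_HEADER)
    packets = [  # constructed samples: (proto, src, sport, dst, dport)
        ("tcp", "192.168.1.18", 40000, "203.0.113.10", 80),    # inside 1:1023
        ("tcp", "192.168.1.18", 40000, "203.0.113.10", 8080),  # port too high
        ("tcp", "192.168.1.19", 40000, "203.0.113.10", 80),    # different host
        ("udp", "192.168.1.18", 40000, "203.0.113.10", 53),    # different protocol
    ]
    return [matches(rule, *p) for p in packets]

if __name__ == "__main__":
    print(demo())
```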
Moreover, Henderson (2009) claims that, after traffic has been distorted by the pre-processors and whittled down by the rule's header filters, the rule's body contains a virtual cornucopia of tests for what slips through. The most powerful is the pattern-matching test, which searches for keywords, phrases, or strings of binary data. This is frequently the most critical inspection because what is being searched for is the fingerprint of the attack itself.
References
Henderson, H. (2009). Encyclopedia of Computer Science and Technology, Revised Edition. New York: Savannah Schroll Guz - Library Journal.
Koziol, J. (2003). Intrusion Detection with Snort. Chicago: Sams Publishing.
McCanne, S. and Jacobson, V. (1993). The BSD Packet Filter: A New Architecture for User-level Packet Capture. California: Lawrence Berkeley Laboratory.
Wright, R.G. and Stephens, R.W. (1995). TCP/IP Illustrated: Vol. 2: The Implementation. Washington DC: Addison-Wesley Professional.