CHAPTER 1
NETWORK ATTACK TRACEBACK
I. INTRODUCTION
Network attacks on governmental, business, academic, and critical infrastructure networks are increasing in number, sophistication, and severity, and they need immediate attention. This research treats prevention, detection, and reaction as the three pillars of network security vulnerability assessment, and it addresses several aspects of the attack process. One of them is data collection, meaning the collection of evidence from multiple operating systems. Vatis states that, "Investigators also need tools to automate the collection of data files from multiple operating systems in the victims' network or the network being attacked."
II. ATTACK TRACEBACK IN A NETWORK ATTACK
UNIX systems are more complex than Windows systems, and a digital evidence examiner must be familiar with them. UNIX hosts are often configured to print, log, and store user data (e.g. files, e-mail, password databases) on remote systems, so the evidence an examiner needs may not reside on the compromised host itself.
One option for tracing an attack back through the network is mapping the network topology. Tools that automate this produce a map of the network quickly and accurately. The victim's network is mapped during the preliminary stage of a network attack traceback in order to assess the extent of the attack.
Specific network attack data recovery tools automate the digital evidence recovery process. Capturing volatile (resident) memory data is also part of network attack traceback, as is analyzing very large storage media.
Michael A. Vatis described log analysis and reporting as automated log file analysis with graphical reporting. He defined log compilation as recognizing and importing preliminary investigation data, recognizing and importing logs from across a network, reconstructing altered or damaged logs, placing log data into an organized timeline, and organizing the output in a common, portable format. Vatis also presents IP tracing and real-time interception as critical for tracking cyber attackers. According to the report, in distributed denial of service (DDoS) attacks the origin and location of the attacker remain hidden. Non-technical issues, such as under-deployed technologies to counter attacks that use address spoofing and a lack of record keeping by Internet Service Providers (ISPs), hamper the tracing of IP addresses. Real-time interception of digital data uses specialized forensic solutions for retrieving, storing, and analyzing very large storage media compromised by network attacks.
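The log compilation steps above (importing logs from several sources, placing them on one timeline, writing a portable output) are illustrated by the following added example, which is not code from the original paper or from any of the tools it cites. The log lines, host names, and addresses are constructed for the example, and two assumptions are labeled in the code: the router's clock runs in UTC-5, and its syslog lines carry no year, so a case year is supplied.

```python
import csv
import io
import re
from datetime import datetime, timezone, timedelta

# Assumptions for this constructed case: the router's clock runs in UTC-5,
# and Cisco-style syslog lines carry no year, so the case year is supplied.
CASE_YEAR = 2005
ROUTER_TZ = timezone(timedelta(hours=-5))

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

def parse_router(line):
    """Cisco-style syslog: 'Mar 12 03:14:07 host message' in router local time."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, clock, host, msg = m.groups()
    naive = datetime.strptime(f"{CASE_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return {"ts": naive.replace(tzinfo=ROUTER_TZ).astimezone(timezone.utc),
            "source": "router", "host": host, "event": msg}

def parse_apache(line):
    """Apache access log: bracketed timestamp with an explicit UTC offset."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    client, when, request, status = m.groups()
    ts = datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"ts": ts, "source": "web", "host": "www",
            "event": f"{client} {request} -> {status}"}

def parse_windows(line):
    """Exported Windows event text: 'YYYY-MM-DD HH:MM:SS,UTC,host,id,message'."""
    parts = line.split(",", 4)
    if len(parts) != 5 or parts[1] != "UTC":
        return None
    when, _, host, event_id, msg = parts
    ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "windows", "host": host,
            "event": f"EventID {event_id}: {msg}"}

def build_timeline(sources):
    """sources: list of (parser, lines). Returns (events sorted by UTC time,
    lines no parser accepted). Damaged lines are kept for manual review
    instead of being silently dropped."""
    events, rejected = [], []
    for parser, lines in sources:
        for line in lines:
            rec = parser(line)
            if rec is None:
                rejected.append(line)
            else:
                events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events, rejected

def timeline_csv(events):
    """Common, portable output: one CSV row per event, all timestamps in UTC."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["utc_time", "source", "host", "event"])
    for r in events:
        w.writerow([r["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), r["source"], r["host"], r["event"]])
    return buf.getvalue()

# Constructed sample logs (invented hosts, RFC 5737 documentation addresses).
ROUTER_LOG = [
    "Mar 12 03:14:07 edge-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4444) -> 192.0.2.10(22), 1 packet",
    "Mar 12 03:15:22 edge-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4444) -> 192.0.2.10(23), 1 packet",
]
WEB_LOG = [
    '203.0.113.9 - - [12/Mar/2005:08:14:30 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 212',
    "\x00\x00partially overwritten record\x00",   # damaged line recovered from disk
]
WINDOWS_LOG = [
    "2005-03-12 08:16:01,UTC,FILESRV01,529,Logon Failure: bad password for admin from 203.0.113.9",
]
SOURCES = [(parse_router, ROUTER_LOG), (parse_apache, WEB_LOG), (parse_windows, WINDOWS_LOG)]

if __name__ == "__main__":
    events, rejected = build_timeline(SOURCES)
    print(timeline_csv(events))
    print("rejected for manual review:", rejected)
```

The point worth noticing is that the router's 03:14:07 entry lands before the web server's 08:14:30 entry only after both are converted to UTC; left in their native formats the same events would sort in the wrong order and the attacker's path (port probe, then web request, then logon failure) would not be visible.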
Another important point is that data must be collected from multiple operating systems, because the computers in a network run several different operating systems to perform different tasks. Collecting data from several computers is necessary to understand how a network was compromised. In practice, Windows operating systems dominated investigators' caseloads among the types of operating systems encountered in attack traceback.
UNIX and Linux operating systems were encountered less frequently. Mac OS (through version 9) and Mac OS X were seen least often during the last three years, but still on occasion by some investigators. Solutions that automate the collection of data from multiple operating systems are still needed, as are solutions that identify and report system configurations and file locations.
There is a need for tools that help analyze attack data across multiple platforms, regardless of the platform the investigator is working on. After data collection, such a tool reduces the time spent on collection and lets the investigator focus on analysis.
III. DENIAL OF SERVICE (DOS) IN THE NETWORK ATTACK
Symantec Security Response describes a denial of service (DoS) attack not as a virus but as a method attackers use to prevent or deny legitimate users access to a computer. To trace an attack back through the network, we must first understand how the attack occurred. Symantec Security Response explains that DoS attacks are executed with DoS tools that send a large number of request packets to a targeted Internet server (usually a Web, FTP, or mail server), exhausting the server's resources and making the system unusable. Any system that is connected to the Internet and runs TCP-based network services is therefore subject to attack.

Many DoS attack tools can also execute a distributed DoS (DDoS) attack; TFN, TFN2K, and Trinoo are DDoS tools. The DoS agents are secretly installed on a large number of innocent systems, which the attacker then controls centrally to launch a coordinated attack against a target. Such compromised systems are called zombie agents, or drones: their owners do not know that a DoS agent is installed. Smurf attacks use forged Internet Control Message Protocol (ICMP) echo requests, sent to a broadcast address with the victim's address as the source, so that every host that answers floods the victim. TFN and Tribe Flood Network 2000 (TFN2K) use SYN flooding, which leaves the target with many half-open connections; they can also perform UDP flood attacks (like Trinoo), ICMP flood attacks (like Smurf), and TCP SYN flood attacks. The systems affected include Linux, UNIX, Windows 2000, Windows NT, and Windows XP. The question that remains is how to prevent such an attack, or how to trace the origin of the request packets in a DoS attack, particularly when it is distributed.
It is impossible to prevent all DoS attacks, but there are simple precautions that server and network administrators can take to reduce the risk. For example, not answering ICMP echo requests sent to broadcast addresses keeps a network from being used as a Smurf amplifier; and configuring the border router to drop packets whose source address does not belong to the side they arrived from (a packet from outside claiming an internal source address, or vice versa) blocks the spoofed traffic that TFN-type floods rely on and leaves whatever traffic does pass traceable to its real network. The question here, however, is attack traceback, and the network forensics part of this review will answer some questions about DoS attacks.
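The two precautions above, and the half-open connection symptom that gives a SYN flood away, are shown in the following added example; it is not code from the paper or from Symantec, and the prefixes, packets, and handshake events are constructed (RFC 5737 documentation addresses). The filter models the decision a border router makes per packet; the second part replays a constructed capture and counts handshakes that never complete.

```python
import ipaddress
from collections import defaultdict

# Constructed border-router topology: the one prefix on the inside interface.
INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def is_inside(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_NETS)

def border_filter(pkt):
    """Decide 'permit' or 'deny' for a packet at the border router.

    pkt = {"iface": "outside" | "inside", "src": ip, "dst": ip}
    One rule per precaution in the text:
      1. ingress: a packet arriving from outside must not claim an inside
         source (anti-spoofing; also stops reflected Smurf traffic aimed at
         our hosts from pretending to be one of them);
      2. egress: a packet leaving from inside must carry an inside source, so
         our hosts cannot act as spoofed-source flood agents and anything
         that does leave is traceable to this network;
      3. no directed broadcasts from outside, so we are not a Smurf amplifier.
    """
    src_inside = is_inside(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if pkt["iface"] == "outside" and src_inside:
        return "deny"
    if pkt["iface"] == "inside" and not src_inside:
        return "deny"
    if pkt["iface"] == "outside" and any(dst == n.broadcast_address for n in INSIDE_NETS):
        return "deny"
    return "permit"

def half_open_connections(events):
    """Replay TCP handshake events and count connections still half-open per
    server. events: (src, dst, flags) with flags 'S' (SYN from client),
    'SA' (SYN-ACK from server) or 'A' (final ACK from client)."""
    pending = set()                      # (client, server) awaiting the final ACK
    for src, dst, flags in events:
        if flags == "S":
            pending.add((src, dst))
        elif flags == "A":
            pending.discard((src, dst))  # handshake completed
    per_server = defaultdict(int)
    for _, server in pending:
        per_server[server] += 1
    return dict(per_server)

def syn_flood_targets(events, threshold=10):
    """Servers whose half-open backlog reaches the threshold: the signature
    of a SYN flood, since spoofed clients never send the final ACK."""
    return {s: n for s, n in half_open_connections(events).items() if n >= threshold}

# Constructed capture: one legitimate handshake, then 20 SYNs from spoofed
# sources that never complete, all aimed at the web server 192.0.2.10.
SAMPLE_EVENTS = [
    ("198.51.100.7", "192.0.2.10", "S"),
    ("192.0.2.10", "198.51.100.7", "SA"),
    ("198.51.100.7", "192.0.2.10", "A"),
] + [(f"203.0.113.{i}", "192.0.2.10", "S") for i in range(1, 21)]

if __name__ == "__main__":
    for pkt in [{"iface": "outside", "src": "192.0.2.5", "dst": "192.0.2.10"},
                {"iface": "outside", "src": "203.0.113.9", "dst": "192.0.2.255"},
                {"iface": "inside", "src": "10.9.9.9", "dst": "203.0.113.9"},
                {"iface": "outside", "src": "203.0.113.9", "dst": "192.0.2.10"}]:
        print(border_filter(pkt), pkt)
    print("SYN flood targets:", syn_flood_targets(SAMPLE_EVENTS))
```

The egress rule is the one that matters for traceback: a flood that leaves this network with a forged source is invisible to the victim's investigators, whereas a flood that must carry a real 192.0.2.0/24 address can be followed back to the router that forwarded it.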
IV. NETWORK FORENSICS
For network forensics in the context of network attack traceback, I will limit my research to some network forensic tools and their capabilities. Marisa Mack indicates that, "Hundreds of tools and applications address forensic incident response, but there's no single solution." Earlier in this research, we saw that network attack traceback needs a complete forensic incident-response toolkit, which must include data acquisition or digital evidence recovery, text and file searching, Internet history analysis, Internet Protocol (IP) tracing and real-time interception, and proprietary analysis of mail files and data stores. Mack groups the products she reviewed into three general investigation scenarios, or stages, and argues that the second-stage products should become the primary forensic investigation tools.
The tools and their capabilities in the different stages are as follows:
• Stage 1: Network-capable initial analysis products for first responders. Guidance Software's EnCase Enterprise Edition and Technology Pathways' ProDiscover are two products that can acquire drive images remotely from a live system, and using them eliminates the need for the Stage 2 tools.
• Stage 2: Primary analysis and drive-image acquisition. This stage usually entails obtaining the hard disk of a suspect machine and investigating it in a controlled (not live) environment. AccessData's Forensic Toolkit, EnCase Forensic Edition, and the open-source Sleuth Kit fit this stage. Any one of them can be used as the primary investigative tool in environments that do not require a network-capable acquisition application. All these products can acquire a full sector-by-sector image of any hard disk under investigation; additional analysis functionality varies by application.
• Stage 3: Fine-grained keyword searches: searching through disk or partition contents, e-mail-specific searches, or Internet history analysis. NetAnalysis, Paraben's E-Mail Examiner and Network E-Mail Examiner, and dtSearch excel here. These tools operate on disk images created by any of the applications from Stages 1 or 2.
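What a sector-by-sector acquisition of the Stage 2 kind has to get right is shown in the following added example, which is not code from the paper or from any of the products named above. The "disk" is a constructed byte buffer with one sector that fails to read, standing in for a raw block device; the hashing and zero-fill behaviour are the example's own, modelled on dd's conv=noerror,sync.

```python
import hashlib
import io

SECTOR = 512

class DemoDisk:
    """Constructed stand-in for a raw block device: a byte buffer read one
    sector at a time, with a set of sector numbers that fail with an I/O
    error the way a failing drive does. Not a real device."""
    def __init__(self, data, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)

    def size(self):
        return len(self.data)

    def read_sector(self, n, sector_size=SECTOR):
        if n in self.bad:
            raise OSError(5, "Input/output error")
        return self.data[n * sector_size:(n + 1) * sector_size]

def acquire_image(disk, sector_size=SECTOR):
    """Sector-by-sector acquisition. Unreadable sectors are zero-filled and
    recorded (the behaviour of dd conv=noerror,sync) so every later sector
    keeps its true offset in the image; skipping them instead would shift
    everything after the bad spot and break file system parsing. The image
    is hashed as it is written. Returns (image_bytes, report)."""
    nsectors = (disk.size() + sector_size - 1) // sector_size
    out, digest, bad = io.BytesIO(), hashlib.sha256(), []
    for n in range(nsectors):
        try:
            chunk = disk.read_sector(n, sector_size)
        except OSError:
            bad.append(n)
            chunk = b""
        chunk = chunk.ljust(sector_size, b"\x00")   # pad unread or short sectors
        out.write(chunk)
        digest.update(chunk)
    return out.getvalue(), {"sectors": nsectors, "bad_sectors": bad,
                            "sha256": digest.hexdigest()}

def verify_image(image, report):
    """Re-hash a stored image and compare it with the acquisition-time hash;
    any later change to the image, deliberate or accidental, shows up here."""
    return hashlib.sha256(image).hexdigest() == report["sha256"]

# Constructed 8-sector disk: filler in most sectors, a recognisable string in
# sector 5, and sector 2 marked unreadable.
SECTORS = [bytes([0x41 + i]) * SECTOR for i in range(8)]
SECTORS[5] = b"evidence.txt: deleted but still present".ljust(SECTOR, b"\x00")
DEMO = DemoDisk(b"".join(SECTORS), bad_sectors={2})

if __name__ == "__main__":
    image, report = acquire_image(DEMO)
    print(report)
    print("image verifies:", verify_image(image, report))
    print("evidence string at byte offset:", image.find(b"evidence.txt"))
```

The report's bad-sector list belongs in the case notes: an examiner who later finds zeros at sector 2 needs to know whether the drive was unreadable there or the data really was empty.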
V. INTRUSION DETECTION SYSTEMS (IDS)
Intrusion detection systems (IDS) are increasingly important, as they help maintain proper network security. An IDS typically stores a database of known attack signatures and compares the patterns of activity, traffic, or behavior it sees in the logs it monitors against those signatures. When it recognizes a close match between a signature and current or recent behavior, it issues an alarm or alert and may take automatic actions, ranging from shutting down Internet links or specific servers to launching a traceback, along with other active attempts to identify attackers and collect evidence of their activities. In a nutshell, the simplest definition of an IDS is a specialized tool that reads and interprets the contents of log files from routers, firewalls, servers, and other network devices.
• DragonIDS: An IDS tool designed to meet the unique securityrequirements of the enterprise environment, the Dragon IntrusionDefense System offers comprehensive features that minimizenetwork vulnerabilities and bring improved security to theenterprise.
• RealSecure Network 10/100 software provides network intrusion detection and response capabilities that monitor 10/100 Mbps network segments within a centralized operational and management framework. RealSecure Network 10/100 installations are centrally administered and maintained through the SiteProtector management system, with tight integration with ISS's other enterprise protection products. Backed by X-Force security intelligence, ongoing X-Press Update product enhancements keep protection up to date so that customers can effectively monitor and protect their networks against both known and unknown attacks.
• RealSecure Network Gigabit software provides network intrusiondetection and response capabilities that monitor Gigabit networksegments within a centralized operational and managementframework.
• Cisco IPS 4200 Series sensors offer significant protection to thenetwork by helping to detect, classify, and stop threats, includingworms, spyware/adware, network viruses, and application abuse.
• IDS Sensor Software Version 4.x is the central element in theCisco® Intrusion Detection System (IDS) portfolio. Cisco IDS SensorSoftware Version 4.x provides unprecedented security againstknown and unknown threats targeting your network, includingworms, denial-of-service (DoS) attacks, and application attacks.
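The signature-matching loop described at the start of this section, with the correlation across "recent behavior" that single-line signatures cannot express, is shown in the following added example; it is not code from the paper or from any of the products listed, and both the log lines and the signature set are constructed for the example. The one real constant is the Trinoo master port, 27665/tcp, which is its widely documented default; every other pattern is written for the constructed log format.

```python
import re
from collections import defaultdict

# Constructed signature database: (name, pattern, severity). Patterns are
# written for the constructed log format below; 27665/tcp is the documented
# Trinoo master port.
SIGNATURES = [
    ("icmp_to_broadcast", re.compile(r"denied icmp (\S+) -> (\S+\.255)\b"), "high"),
    ("trinoo_master_port", re.compile(r"denied tcp (\S+)\(\d+\) -> \S+\(27665\)"), "high"),
    ("ssh_auth_failure", re.compile(r"sshd\[\d+\]: Failed password for \S+ from (\S+)"), "low"),
]
PORTSCAN_RE = re.compile(r"denied tcp (\S+)\(\d+\) -> \S+\((\d+)\)")
SCAN_PORTS = 5          # distinct denied destination ports from one source
BRUTE_FORCE_TRIES = 4   # ssh failures from one source

def match_signatures(line):
    """Stateless check: every signature whose pattern matches this one line."""
    hits = []
    for name, pattern, severity in SIGNATURES:
        m = pattern.search(line)
        if m:
            hits.append({"rule": name, "severity": severity, "src": m.group(1), "line": line})
    return hits

def analyze(lines):
    """Run the signature set over the lines, then correlate across lines for
    behaviour no single line reveals: a port scan (many distinct ports from
    one source) and password guessing (repeated ssh failures)."""
    alerts = []
    ports_by_src = defaultdict(set)
    failures_by_src = defaultdict(int)
    for line in lines:
        for hit in match_signatures(line):
            alerts.append(hit)
            if hit["rule"] == "ssh_auth_failure":
                failures_by_src[hit["src"]] += 1
        m = PORTSCAN_RE.search(line)
        if m:
            ports_by_src[m.group(1)].add(m.group(2))
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_PORTS:
            alerts.append({"rule": "port_scan", "severity": "medium", "src": src,
                           "line": f"{len(ports)} distinct ports"})
    for src, n in failures_by_src.items():
        if n >= BRUTE_FORCE_TRIES:
            alerts.append({"rule": "ssh_brute_force", "severity": "high", "src": src,
                           "line": f"{n} failures"})
    return alerts

def response_for(alert):
    """Map severity to the kind of automatic action the text describes."""
    return {"high": "block source at border and start traceback",
            "medium": "alert analyst and increase logging for source",
            "low": "log only"}[alert["severity"]]

# Constructed router and server log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    f"Mar 12 03:14:{7 + i:02d} edge-rtr %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    f"203.0.113.9(4444) -> 192.0.2.10({port}), 1 packet"
    for i, port in enumerate([22, 23, 25, 80, 443, 27665])
] + [
    "Mar 12 03:16:40 edge-rtr %SEC-6-IPACCESSLOGP: list 101 denied icmp 198.51.100.1 -> 192.0.2.255 (8/0), 3 packets",
] + [
    f"Mar 12 03:20:0{i} shell01 sshd[2211]: Failed password for root from 203.0.113.9 port 5123{i} ssh2"
    for i in range(4)
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert['severity']:6} {alert['rule']:20} {alert['src']:14} -> {response_for(alert)}")
```

Four low-severity ssh failures become one high-severity brute-force alert only because the analyzer keeps state across lines; a purely per-line signature engine would log four minor events and never raise the alarm the text describes.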
VI. CONCLUSION
No matter how much a network is hardened, vulnerabilities and threats remain. Network attacks on governmental, business, academic, and critical infrastructure networks are increasing in number, sophistication, and severity, and the technological impediments facing network attack investigators need immediate attention. Network attack traceback relies on tools, but the attacker uses tools as well, so the development of new tools to prevent attacks matters. As in medicine, prevention is better than treatment; network attack prevention is the main purpose of the development of firewalls, sound policy, and similar measures.
CHAPTER 2
SECURITY ARCHITECTURE AND ANALYSIS
INTRUSION DETECTION SYSTEM INTEGRATED INTO THE ROUTERUSING CISCO INTRUSION PREVENTION SYSTEM (IPS) SENSOR
I. INTRODUCTION
In 2004, ninety-four percent of firms polled by Network World magazine had experienced some security-related downtime. Firms can lose significant revenue when critical production systems such as e-commerce, supply chain and plant management, or point-of-sale go offline because of devastating attacks like Sasser, Nimda, Blaster, and SQL Slammer. The IT research and advisory firm Aberdeen Group has stated that the average cost per security incident is $2 million. According to the 269 respondents of the 2004 CSI/FBI Computer Crime and Security Survey, denial-of-service (DoS) attacks accounted for over $26 million in losses, while worm and virus attacks are among the most common security breaches of organizations today. These figures call for further examination of intrusion detection systems versus intrusion prevention systems in the network. This chapter considers using both, with the network module for Cisco access routers, so that the intrusion detection system is integrated into the router using the Cisco Intrusion Prevention System (IPS) sensor.
II. INTRUSION DETECTION SYSTEM VS. INTRUSION PREVENTION SYSTEM
Intrusion detection systems complement traditional security solutions such as firewalls and anti-virus software. They are necessary to identify, and in some cases prevent, many of the attacks that have plagued networks. An intrusion detection system serves a sentinel function, alarming and alerting responsible parties when activities of interest occur. Intrusion detection is defined as the process of monitoring the events occurring in a computer system or network and analyzing them for signs of security problems. On a grander scale, civil defense and military early-warning systems fall into the same functional category.
According to Secure Computing Magazine, in 1999 the time between a vulnerability disclosure and the availability of a network exploit was 288 days. The article further reports that in the last five years this interval has shrunk to a shocking six days or less. Last year's Witty worm, which exploited the ICQ parsing code in ISS security products, left system administrators and consumers scrambling after only two days to prepare following the vulnerability announcement. Intrusion detection systems are proving less and less effective in thwarting hybrid worm attacks such as Code Red and Nimda, and malware writers are wreaking havoc on networks all over the world. Meanwhile, intrusion prevention is an emerging network security technology that is proving to help firms counter many of these new hybrid attacks. A carefully thought-out implementation of an intrusion prevention system can reap positive results if it is deployed to solve the right problems. By helping firms block attacks rather than only alerting users to their occurrence, as an intrusion detection system (IDS) does, intrusion prevention systems (IPS) are proving to be a proactive defense mechanism.
III. NETWORK MODULE FOR CISCO ACCESS ROUTERS
The Cisco 3700 Series Application Service Router is a new family of modular routers. Deploying it accelerates the cost-reduction benefits of e-business applications and infrastructure and improves the competitive leverage of networks. The platform supports Cisco AVVID (Architecture for Voice, Video and Integrated Data), an enterprise-wide, standards-based network architecture. Complementing the existing Cisco 1700/2600/3600 modular multi-service routers, the 3700 Series is optimized to support the broadest array of connectivity options and is ideal for sites and solutions requiring the highest level of integration at the edge, such as:
• Integration of flexible routing and low density switching
• Single platform solution for branch office IP telephony and voice gateway, allowing flexible, incremental migration and service integration
• Consolidation of service infrastructure and high service density ina compact form factor
It is important to note that the two Cisco 3700 platforms, the Cisco 3725 and Cisco 3745, introduce a new, wider interface form factor. The high-density services module (HDSM) lets the NM slots integrate additional services, and the platforms offer increased default Flash and DRAM memory to accelerate and simplify future service and feature additions. The Cisco 3745 router offers additional availability features that may be required in high-density, multiple-service configurations. This allows a single, integrated platform that combines industry-leading routing and switching technologies with a high level of WAN flexibility to accommodate the dynamic remote office environment. The four-NM-slot Cisco 3745 can accept two HDSMs in place of four NMs by removing the center guides between each pair of adjacent NM slots. The two-NM-slot Cisco 3725 can accept an HDSM in one of its two NM slots and still accept an NM in the remaining slot.