
Intrusion Detection and Network-Based Attacks

Part of the Information Security and Cryptography book series (ISC)

Abstract

This second chapter on network security complements Chap. 10’s treatment of firewalls and tunnels. Here we discuss intrusion detection and various tools for network monitoring (packet sniffing) and vulnerability assessment, followed by denial of service and other network-based attacks that exploit standard TCP/IP network or Ethernet protocols. We consider TCP session hijacking, and two categories of address resolution attacks: DNS-based attacks, which facilitate pharming, and attacks involving Address Resolution Protocol (ARP) spoofing.

Chapter details: DOI 10.1007/978-3-030-83411-1_11; chapter length: 30 pages; eBook ISBN 978-3-030-83411-1.


References

  1. M. Abliz. Internet denial of service attacks and defense mechanisms, Mar. 2011. University of Pittsburgh Technical Report TR-11-178, pp. 1–50.

  2. W. Aiello, S. M. Bellovin, M. Blaze, J. Ioannidis, O. Reingold, R. Canetti, and A. D. Keromytis. Efficient, DoS-resistant, secure key exchange for Internet protocols. In ACM Comp. & Comm. Security (CCS), pages 48–58, 2002. Journal version: ACM TISSEC, 2004.

  3. J. P. Anderson. Computer Security Threat Monitoring and Surveillance. James P. Anderson Co., Fort Washington, PA, USA. Feb 1980, revised 15 Apr 1980. (Distinct from Anderson’s 1972 report.)

  4. C. Anley, J. Heasman, F. Lindner, and G. Richarte. The Shellcoder’s Handbook: Discovering and Exploiting Security Holes (2nd edition). Wiley, 2007.

  5. M. Antonakakis and 18 others. Understanding the Mirai botnet. In USENIX Security, 2017.

  6. R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. RFC 4033: DNS Security Introduction and Requirements, Mar. 2005. Proposed Standard. Obsoletes RFC 2535 (which obsoleted RFC 2065, Jan 1997); updated by RFC 6014, 6840.

  7. R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. RFC 4034: Resource Records for the DNS Security Extensions, Mar. 2005. Proposed Standard. Updated by RFC 4470, 6014, 6840, 6944.

  8. R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. RFC 4035: Protocol Modifications for the DNS Security Extensions, Mar. 2005. Proposed Standard. Updated by RFC 4470, 6014, 6840, 8198.

  9. D. Atkins and R. Austein. RFC 3833: Threat Analysis of the Domain Name System (DNS), Aug. 2004. Informational.

  10. S. Axelsson. The base-rate fallacy and its implications for the difficulty of intrusion detection. In ACM Comp. & Comm. Security (CCS), pages 1–7, 1999. Journal version: ACM TISSEC, 2000.

  11. R. G. Bace. Intrusion Detection. Macmillan, 2000.

  12. P. Beauchemin, G. Brassard, C. Crépeau, C. Goutier, and C. Pomerance. The generation of random numbers that are probably prime. Journal of Cryptology, 1(1):53–64, 1988.

  13. R. Bejtlich. The Tao of Network Security Monitoring: Beyond Intrusion Detection. Addison-Wesley, 2004.

  14. R. Bejtlich. Extrusion Detection: Security Monitoring for Internal Intrusions. Addison-Wesley, 2005.

  15. S. M. Bellovin. There be dragons. In Proc. Summer USENIX Technical Conf., 1992.

  16. S. M. Bellovin. Packets found on an Internet. Computer Communication Review, 23(3):26–31, 1993.

  17. S. M. Bellovin. Using the domain name system for system break-ins. In USENIX Security, 1995.

  18. S. M. Bellovin. A look back at “Security problems in the TCP/IP protocol suite”. In Annual Computer Security Applications Conf. (ACSAC), pages 229–249, 2004. Embeds commentary into the 1989 original “Security problems in the TCP/IP protocol suite”, Computer Communication Review, 19(2):32–48, Apr 1989.

  19. F. Biancuzzi. The men behind ettercapNG. On linux.com, 9 Nov 2004, https://www.linux.com/news/men-behind-ettercapng; see also https://www.ettercap-project.org/.

  20. D. Bruschi, A. Ornaghi, and E. Rosti. S-ARP: A secure address resolution protocol. In Annual Computer Security Applications Conf. (ACSAC), pages 66–74, 2003.

  21. B. Cheswick. An evening with Berferd in which a cracker is lured, endured, and studied. In Proc. Winter USENIX Technical Conf., 1992.

  22. daemon9, route, and infinity. Project Neptune. In Phrack Magazine, 1 Sept 1996, vol. 7 no. 48, file 13 of 18 (with Linux source), http://www.phrack.org.

  23. D. Dagon, M. Antonakakis, P. Vixie, T. Jinmei, and W. Lee. Increased DNS forgery resistance through 0x20-bit encoding: SecURItY viA LeET QueRieS. In ACM Comp. & Comm. Security (CCS), 2008.

  24. H. Debar, M. Dacier, and A. Wespi. A revised taxonomy for intrusion-detection systems. Annales des Télécommunications, 55(7-8):361–378, 2000.

  25. D. Denning and P. G. Neumann. Requirements and model for IDES: A real-time intrusion-detection expert system, Aug. 1985. SRI Project 6169-10, Menlo Park, CA, USA.

  26. D. E. Denning. An intrusion-detection model. In IEEE Symp. Security and Privacy, pages 118–133, 1986. Journal version: IEEE Trans. Software Eng., 1987.

  27. D. Dittrich. The DoS Project’s ‘trinoo’ distributed denial of service attack tool. 21 Oct 1999, University of Washington, https://staff.washington.edu/dittrich/misc/ddos/.

  28. Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide scanning and its security applications. In USENIX Security, pages 605–620, 2013.

  29. W. Eddy. RFC 4987: TCP SYN Flooding Attacks and Common Mitigations, Aug. 2007. Informational.

  30. D. Farmer and E. H. Spafford. The COPS security checker system. In Proc. Summer USENIX Technical Conf., pages 165–170, 1990.

  31. D. Farmer and W. Venema. Improving the security of your site by breaking into it. White paper, 1993, http://www.porcupine.org/satan/admin-guide-to-cracking.html (software tool openly available).

  32. D. Farmer and W. Venema. Forensic Discovery. Addison-Wesley, 2005.

  33. P. Ferguson and D. Senie. RFC 2827: Network Ingress Filtering: Defeating Denial of Service Attacks that employ IP Source Address Spoofing, May 2000. Best Current Practice (BCP 38). Updated by RFC 3704: Ingress Filtering for Multihomed Networks, Mar 2004.

  34. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff. A sense of self for Unix processes. In IEEE Symp. Security and Privacy, pages 120–128, 1996.

  35. Fyodor. Remote OS detection via TCP/IP stack fingerprinting. In Phrack Magazine, 25 Dec 1998, vol. 8 no. 54, article 9 of 12, http://www.phrack.org. Nmap details: https://nmap.org/book/.

  36. F. Gont. RFC 5927: ICMP Attacks Against TCP, July 2010. Informational.

  37. F. Gont and S. Bellovin. RFC 6528: Defending Against Sequence Number Attacks, Feb. 2012. Proposed Standard. Obsoletes RFC 1948. Updates RFC 793.

  38. F. Gont (on behalf of CPNI). Security assessment of the Transmission Control Protocol (TCP). Technical Note 3/2009, Centre for the Protection of National Infrastructure (CPNI), UK.

  39. M. Handley, V. Paxson, and C. Kreibich. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. In USENIX Security, 2001.

  40. A. Harper, S. Harris, J. Ness, C. Eagle, G. Lenkey, and T. Williams. Gray Hat Hacking: The Ethical Hacker’s Handbook (3rd edition). McGraw-Hill, 2011.

  41. S. A. Hofmeyr, S. Forrest, and A. Somayaji. Intrusion detection using sequences of system calls. Journal of Computer Security, 6(3):151–180, 1998.

  42. L. Joncheray. A simple active attack against TCP. In USENIX Security, 1995.

  43. J. Jung, B. Krishnamurthy, and M. Rabinovich. Flash crowds and denial of service attacks: Characterization and implications for CDNs and web sites. In WWW: Int’l Conf. on World Wide Web, 2002.

  44. J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan. Fast portscan detection using sequential hypothesis testing. In IEEE Symp. Security and Privacy, pages 211–225, 2004.

  45. C. Kaufman, R. J. Perlman, and B. Sommerfeld. DoS protection for UDP-based protocols. In ACM Comp. & Comm. Security (CCS), pages 2–7, 2003.

  46. D. Kennedy, J. O’Gorman, D. Kearns, and M. Aharoni. Metasploit: The Penetration Tester’s Guide. No Starch Press, 2011. See also: The Metasploit Project, https://www.metasploit.com.

  47. C. Ko, M. Ruschitzka, and K. N. Levitt. Execution monitoring of security-critical programs in distributed systems: A specification-based approach. In IEEE Symp. Security and Privacy, 1997.

  48. C. Kolias, G. Kambourakis, A. Stavrou, and J. M. Voas. DDoS in the IoT: Mirai and other botnets. IEEE Computer, 50(7):80–84, 2017.

  49. M. Kührer, T. Hupperich, C. Rossow, and T. Holz. Exit from hell? Reducing the impact of amplification DDoS attacks. In USENIX Security, pages 111–125, 2014.

  50. M. Larsen and F. Gont. RFC 6056: Recommendations for Transport-Protocol Port Randomization, Jan. 2011. Best Current Practice (BCP 156).

  51. J. Lemon. Resisting SYN flood DoS attacks with a SYN cache. In USENIX BSDCon, 2002.

  52. T. F. Lunt, A. Tamaru, F. Gilham, R. Jagannathan, P. G. Neumann, and C. Jalali. IDES: A progress report. In Annual Computer Security Applications Conf. (ACSAC), pages 273–285, 1990. For details of the IDES anomaly-based statistical subsystem, see H. S. Javitz and A. Valdes, “The SRI IDES statistical anomaly detector”, IEEE Symp. Security and Privacy, 1991.

  53. S. McCanne and V. Jacobson. The BSD packet filter: A new architecture for user-level packet capture. In Proc. Winter USENIX Technical Conf., pages 259–270, 1993.

  54. G. McGraw. Software Security: Building Security In. Addison-Wesley, 2006. Includes extensive annotated bibliography.

  55. B. P. Miller, G. Cooksey, and F. Moore. An empirical study of the robustness of MacOS applications using random testing. ACM Operating Sys. Review, 41(1):78–86, 2007.

  56. B. P. Miller, L. Fredriksen, and B. So. An empirical study of the reliability of UNIX utilities. Comm. ACM, 33(12):32–44, 1990. Revisited in Tech. Report CS-TR-95-1268 (Apr 1995), Univ. of Wisconsin.

  57. P. Mockapetris. RFC 1034: Domain Names: Concepts and Facilities, Nov. 1987. Internet Standard. Obsoletes RFC 882, 883, 973.

  58. P. Mockapetris. RFC 1035: Domain Names: Implementation and Specification, Nov. 1987. Internet Standard. Obsoletes RFC 882, 883, 973.

  59. D. Moore, C. Shannon, D. J. Brown, G. M. Voelker, and S. Savage. Inferring Internet denial-of-service activity. ACM Trans. Comput. Syst., 24(2):115–139, May 2006. Earlier: USENIX Security, 2001.

  60. S. Northcutt, M. Cooper, M. Fearnow, and K. Frederick. Intrusion Signatures and Analysis. New Riders Publishing, 2001.

  61. S. Northcutt, J. Novak, and D. McLachlan. Network Intrusion Detection: An Analyst’s Handbook (2nd edition). New Riders Publishing, 2000.

  62. O. Arkin and F. Yarochkin. ICMP based remote OS TCP/IP stack fingerprinting techniques. In Phrack Magazine, 11 Aug 2001, vol. 11 no. 57, file 7 of 12, http://www.phrack.org.

  63. G. Ollmann. The pharming guide: Understanding and preventing DNS-related attacks by phishers. Whitepaper, available online, July 2005.

  64. V. Paxson. Bro: A system for detecting network intruders in real-time. Computer Networks, 31(23-24):2435–2463, 1999. Earlier version: USENIX Security, 1998.

  65. V. Paxson. An analysis of using reflectors for distributed denial-of-service attacks. Computer Communication Review, 31(3):38–47, 2001. See also: Steve Gibson, “Distributed reflection denial of service”, 22 Feb 2002 (online).

  66. D. C. Plummer. RFC 826: An Ethernet Address Resolution Protocol, Nov. 1982. Internet Standard.

  67. N. Provos and T. Holz. Virtual Honeypots: From Botnet Tracking to Intrusion Detection. Addison-Wesley, 2007.

  68. T. H. Ptacek and T. N. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection. January 1998, available online.

  69. A. Ramaiah, R. Stewart, and M. Dalal. RFC 5961: Improving TCP’s Robustness to Blind In-Window Attacks, Aug. 2010. Proposed Standard.

  70. E. Ramirez-Silva and M. Dacier. Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces. In Asian Computing Sci. Conf. (ASIAN), pages 198–211, 2007. Springer LNCS 4846.

  71. M. J. Ranum, K. Landfield, M. T. Stolarchuk, M. Sienkiewicz, A. Lambeth, and E. Wall. Implementing a generalized tool for network monitoring. In Large Installation Sys. Admin. Conf. (LISA), 1997.

  72. M. Roesch. Snort: Lightweight intrusion detection for networks. In Large Installation Sys. Admin. Conf. (LISA), pages 229–238, 1999. For official documentation see https://www.snort.org.

  73. C. Rossow. Amplification hell: Revisiting network protocols for DDoS abuse. In Netw. Dist. Sys. Security (NDSS), 2014.

  74. D. Safford, D. L. Schales, and D. K. Hess. The TAMU security package: An ongoing response to Internet intruders in an academic environment. In USENIX Security, 1993.

  75. K. Scarfone and P. Mell. Guide to Intrusion Detection and Prevention Systems (IDPS). NIST Special Publication 800-94, National Inst. Standards and Tech., USA, Feb. 2007.

  76. E. Skoudis and T. Liston. Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd edition). Prentice Hall, 2006 (first edition: 2001).

  77. R. Sommer. Bro: An open source network intrusion detection system. In 17th DFN Workshop on Communication Networks, pages 273–288, 2003.

  78. R. Sommer and V. Paxson. Enhancing byte-level network intrusion detection signatures with context. In ACM Comp. & Comm. Security (CCS), pages 262–271, 2003. (Compares Bro to Snort.)

  79. S. Staniford, J. A. Hoagland, and J. M. McAlerney. Practical automated detection of stealthy portscans. Journal of Computer Security, 10(1/2):105–136, 2002.

  80. P. Uppuluri and R. Sekar. Experiences with specification-based intrusion detection. In Research in Attacks, Intrusions, Defenses (RAID), pages 172–189, 2001.

  81. J. Voas and G. McGraw. Software Fault Injection: Inoculating Programs Against Errors. Wiley, 1998.

  82. S. Weiler and D. Blacka. RFC 6840: Clarifications and Implementation Notes for DNS Security (DNSSEC), Feb. 2013. Proposed Standard.

  83. J. White, T. Fitzsimmons, J. Licata, and J. Matthews. Quantitative analysis of intrusion detection systems: Snort and Suricata. In Proc. SPIE 8757, Cyber Sensing 2013, pages 275–289, 30 Apr 2013.

  84. D. Whyte, P. C. van Oorschot, and E. Kranakis. Tracking darkports for network defense. In Annual Computer Security Applications Conf. (ACSAC), pages 161–171, 2007. Earlier version: USENIX HotSec, 2006, “Exposure maps: Removing reliance on attribution during scan detection”.

  85. M. Zalewski. Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks. No Starch Press, 2005. See also “p0f v3: passive fingerprinter”, http://lcamtuf.coredump.cx/p0f3/README.


Copyright information

© 2021 The Author(s)

About this chapter


Cite this chapter

van Oorschot, P.C. (2021). Intrusion Detection and Network-Based Attacks. In: Computer Security and the Internet. Information Security and Cryptography. Springer, Cham. https://doi.org/10.1007/978-3-030-83411-1_11

  • DOI: https://doi.org/10.1007/978-3-030-83411-1_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-83410-4

  • Online ISBN: 978-3-030-83411-1

  • eBook Packages: Computer Science (R0)