Text sheet: Tasks
Aim Higher College system administrators have requested that you review network traffic to determine whether the institution’s intrusion detection system (IDS) and intrusion prevention system (IPS) can be used to prevent inbound attacks that are being detected. Your manager has requested that you analyze the detected attacks and create a report that describes each attack, explains the threat it presents, and if an IDS or an IPS is suited to dealing with it. Specifically, your report should include:
These are the contents of the document that is supposed to be used when answering the questions.
The following is a compiled list of odd network behaviors reported by network engineers and system administrators of Aim Higher College:
1. Network traffic analysis shows that a single host is opening hundreds of SSH sessions to a single host every minute.
This is a type of attack called a DoS, or Denial of Service attack. DoS attacks try to flood the target with requests, stopping its intended users from accessing the service. IDS/IPS can work together, with IDS detecting the source of the repeated hosts, while the IPS can then drop all packets coming from that source.
2. Network traffic shows that hundreds of hosts are constantly sending only SYN packets to a single Web server on campus.
This is a SYN flood attack. It is a type of DoS attack, where the attacker will initiate the TCP handshake with the SYN signal, but will not reply to the SYN/ACK packet sent by the server. This wastes the server's resources, waiting on half-open connections. Again, this takes up resources meant for the service's actual users. The IDS can detect a pattern of multiple ACK/SYN requests going unacknowledged and report them to the IPS, but since this is a distributed attack, with enough numbers of machines in the flood, the IPS cannot filter them all out.
3. A system administrator reports that a single host is attempting to log on to a campus SSH server using a different username and password combination thousands of times per day.
This is an SSH brute force attack. By trying numerous passwords, the attacker is trying to arrive at the right password by sheer chance. By counting the number of tries a machine makes to log in, IDS can detect a suspiciously high number of attempts coming from an IP. IPS can shut down the traffic of the suspected IP to stop this attack.
4. A new PDF-based exploit is announced that uses a malformed PDF to exploit Windows XP systems.
This is an exploit-driven attack, targeting the vulnerabilities in an application to mount a more complex attack. An IDS would have had to encounter this exploit before to recognize and stop it. An IPS can recognize the similarities between the anomalous behaviour of this attack and previous exploits, and can block the malware with the help of IDS. Updating the system and antivirus is the best way to prevent these attacks.
5. Spam e-mail is being sent to campus users claiming to be from the campus helpdesk. It asks them to send their username and password to retain access to their e-mail.
This is known as a phishing attack, which uses social engineering and our trust in known authorities. The attacker is disguising himself as a campus authority and hoping that no one notices, and replies with their username and password. An IDS cannot stop this attack, and can only warn the user on the machine about suspicious activity. An IPS can filter new messages coming in from the attacker and mark them as dangerous, rendering them ineffective.
6. A DNS changer malware package has been detected on several workstations.
This attack is a form of phishing, which relies less on social engineering or the user's lack of caution, instead relying on an altered DNS that sends the IP to a site that the attacker wants the user to visit. For instance, when a user types the URL of his bank into the browser, the altered DNS server will send them to a site which looks very much like the banking website, but is built by the attacker. The user will enter the login credentials assuming it to be the secure website, handing them to the attacker. IDS can detect the malware's attempts to change the IP and warn the user, while IPS can block the traffic from the attacker's phishing website server.
7. A JavaScript vulnerability is being used to exploit browsers via ad networks on major news sites, resulting in systems being infected with malware.
This attack is called cross-site scripting, and is an example of a client-side code injection attack. The attacker includes malicious code in the components of a completely legitimate site. When the user visits these sites, this code is downloaded onto the user's browser, allowing the attacker to execute malicious scripts in the browser. Since the IDS does not parse the content of the packet, it cannot detect this attack. The IPS on the other hand can detect anomalous data packets being sent and prevent them from being delivered, saving the user's browser.
8. A zero-day vulnerability has been announced in the primary campus backup software’s remote administration interface.
A zero-day vulnerability refers to a system flaw in a new software package that has not been fixed by the manufacturer yet. Attackers can exploit these weaknesses to gain access to the protected data in all machines running the software. The IDS can notify the user when it notices the attack happening, as it will be very anomalous. The IPS can shut down all the data coming in and out of the service, in a sense isolating the source of the infection.
9. A virus is being sent via e-mail to campus users.
This attack is very similar to a phishing attack. The attacker will disguise themselves as a known entity and attempt to make the user download the virus onto their computer. The IDS can detect this virus if it is similar to previous viruses, while the IPS can stop all the e-mails coming from the attacker's IP.
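Added example (not part of the original question or answer): the rate-based detections described for items 1 to 3 written as simple IDS-style rules over constructed connection and authentication events. The event format, addresses, windows and thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events (not from the page): (timestamp_sec, src, dst, event_type)
SAMPLE_EVENTS = (
    # item 1: one host opens 60 SSH sessions to one server within a single minute
    [(t, "10.0.0.5", "10.0.1.20", "ssh_connect") for t in range(60)]
    # a normal user opening two sessions in the same minute
    + [(t, "10.0.0.9", "10.0.1.20", "ssh_connect") for t in (0, 30)]
    # item 2: 300 distinct hosts each send a SYN to the web server and never complete the handshake
    + [(t, f"172.16.{t // 250}.{t % 250}", "10.0.1.80", "syn_only") for t in range(300)]
    # item 3: one host fails an SSH login every 3 seconds for an hour (1200 attempts)
    + [(t, "10.0.0.7", "10.0.1.20", "ssh_auth_fail") for t in range(0, 3600, 3)]
)

def flag_sources(events, event_type, window, threshold):
    """Items 1 and 3: return {src: peak_count} for sources whose count of event_type
    inside any fixed window of `window` seconds reaches `threshold`."""
    counts = Counter()
    for ts, src, _dst, ev in events:
        if ev == event_type:
            counts[(src, ts // window)] += 1
    peak = {}
    for (src, _bucket), n in counts.items():
        peak[src] = max(peak.get(src, 0), n)
    return {src: n for src, n in peak.items() if n >= threshold}

def flag_syn_flood_targets(events, min_sources):
    """Item 2: return {dst: distinct_source_count} for servers receiving SYN-only
    (never completed) handshakes from at least `min_sources` different hosts."""
    sources = defaultdict(set)
    for _ts, src, dst, ev in events:
        if ev == "syn_only":
            sources[dst].add(src)
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}

def report(events):
    """Combine the checks into alerts and record whether blocking one source is enough."""
    single = "single source: an IPS can drop traffic from this host"
    distributed = "distributed: per-source blocking does not scale, rate-limit at the server"
    alerts = []
    for src, n in flag_sources(events, "ssh_connect", 60, 50).items():
        alerts.append(("ssh_session_flood", src, n, single))
    for dst, n in flag_syn_flood_targets(events, 100).items():
        alerts.append(("syn_flood", dst, n, distributed))
    for src, n in flag_sources(events, "ssh_auth_fail", 3600, 1000).items():
        alerts.append(("ssh_brute_force", src, n, single))
    return alerts

if __name__ == "__main__":
    for alert in report(SAMPLE_EVENTS):
        print(*alert)
```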