Hacking 101.6 - Intrusion Detection Systems
from the June 2001 Actrix Newsletter

by Dean Moor

I am again grateful to Dean Moor for this next article in his series on hacking and security. To many it is a fascinating topic. It really would be a good idea for those interested but new to computers or the net to read over Dean's articles in previous newsletters. -Editor

Hi Folks. Well, last month we started to discuss what you can do to keep the "Bad Guys" of the Internet out of your machine; this month we will continue with this theme.

Last time I explained a few basics about how firewalls work. I also mentioned that several ports must remain open for your traffic to get through. The fact is that, with a simple port scan, anyone can get a list of which ports are open on your machine, and then figure out how to exploit them. So, what can we do?

Let's go back to my analogy of a house for just a moment. Your house has doors and windows (ports), and all traffic enters and exits your home this way. The firewall is like deadbolts and bars, locking most doors and windows. But just like any house, the "Bad Guys" can still break in through the doors or windows that aren't protected. Now, just like any homeowner concerned about this, you would install a home security system. This is exactly what we will describe.

An Intrusion Detection System, or IDS, is exactly the same as your house alarm. Should anyone break into your house, they will be detected by the motion sensors and the alarm will sound. With computers, however, this is a much more complicated process. For starters, each packet must first be allowed through by your firewall. Once through your firewall, it must be scrutinised by your Intrusion Detection System. Now, each packet can be broken down into smaller parts, and your IDS will examine each part against a set of rules. Let's first of all cover briefly what each part of the packet is and why it is there.

[Image: packetdetails.gif, a diagram of the fields in a packet]

Everything above the Source Address in the diagram describes what type of packet this is (e.g. TCP or UDP, fragmented or not, etc.).

Source and Destination Addresses obviously contain the source and destination of the packet, and the same for the Source and Destination Ports.

And lastly we have the time the packet was created, sequence number (see the demonstration in last month's article) and a couple of extra pieces of information for your machine.

Now, your IDS will examine the packet along the same lines, part by part.

Firstly, do the checksums add up? In other words, does the packet contain the information the headers suggest, has it been corrupted along the way, and does its size match what it should be?

Secondly, has the source address been blocked by you or your security server? And is the destination address actually yours?

Are the ports used acceptable for the type of information sent or received? (e.g. if it is an e-mail packet, are you receiving it from port 110?)

Do the sequence numbers match up with other packets that you have already received?

Does the time stamp look right?

And lastly, what exactly is the data?

You see, most good IDSs act in a similar way to a virus scanner. They have a database of known attack signatures, and if the incoming packet matches one of the signatures, it will be flagged as a known attack. Assuming that all checks pass, the packet will be allowed through to your computer and put back together by the application, or program, that is the intended recipient of the data.

However, should one or more of the checks fail (e.g. the IP address is blocked, the packet has been altered after it was sent, etc.), the packet is flagged as a danger and, depending on the IDS you have installed, you will hear an alarm, see an icon flash, or receive a warning pop-up on your screen. What most IDSs do now is use the information provided in the packet to begin tracing the origin of the attack. For example, one product that I use will get the attacker's IP address, and attempt to connect to the attacker's machine to gain further information. It will then log as much as possible for further follow-up. As a final measure my IDS blacklists all packets from the attacker's IP address for 48 hours (effectively locking the attacker out of my machines) or until I allow them to communicate with me again.
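To make the checks above concrete, here is an added Python example; it is not code from the newsletter or from any product the author uses. It first breaks a raw IPv4/TCP packet into the parts described earlier (packet type, addresses, ports, sequence number, data), then runs a small inspector that applies each check in turn and, as the author's product does, puts a failing source on a 48-hour blocklist. The addresses (from the documentation ranges), the "POP3 replies come from port 110" rule and the signature pattern are constructed for the demonstration; a real IDS carries a large signature database and many more protocol rules.

```python
import struct
import ipaddress

# Constructed stand-in for a signature database; a real IDS carries thousands of patterns.
SIGNATURES = {b"CONSTRUCTED-ATTACK-PATTERN": "matches known attack signature (constructed example)"}

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; checksum field must be zeroed first."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_packet(raw: bytes) -> dict:
    """Break a raw IPv4 packet into the parts the article lists: type, addresses, ports, data."""
    if len(raw) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto,
     hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    zeroed = raw[:10] + b"\x00\x00" + raw[12:ihl]          # header with checksum field cleared
    pkt = {
        "version": ver_ihl >> 4,
        "fragmented": bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0,
        "protocol": proto,                                  # 6 = TCP, 17 = UDP
        "header_length": total_len,                         # what the header claims
        "actual_length": len(raw),                          # what actually arrived
        "checksum_ok": ipv4_checksum(zeroed) == hdr_csum,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": b"",
    }
    if proto == 6 and len(raw) >= ihl + 20:
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
        pkt.update(sport=sport, dport=dport, seq=seq, payload=raw[ihl + (off_flags >> 12) * 4:])
    return pkt

class ToyIDS:
    """Runs the article's checks in order; a failing packet is reported and its
    source blocklisted for 48 hours, like the product the author describes."""

    def __init__(self, my_address: str, block_seconds: int = 48 * 3600):
        self.my_address = my_address
        self.block_seconds = block_seconds
        self.blocklist = {}                                 # source address -> expiry time

    def inspect(self, raw: bytes, now: float) -> list:
        pkt = parse_packet(raw)
        alerts = []
        if not pkt["checksum_ok"]:
            alerts.append("header checksum mismatch: altered or corrupted in transit")
        if pkt["header_length"] != pkt["actual_length"]:
            alerts.append("size %d does not match header length %d"
                          % (pkt["actual_length"], pkt["header_length"]))
        if now < self.blocklist.get(pkt["src"], 0):        # still inside the 48-hour block
            return ["source %s is blocklisted" % pkt["src"]]
        if pkt["dst"] != self.my_address:
            alerts.append("destination %s is not this host" % pkt["dst"])
        # Port check from the article: a POP3 mail reply should come from server port 110
        if pkt["payload"].startswith(b"+OK") and pkt.get("sport") != 110:
            alerts.append("POP3 reply from unexpected port %s" % pkt.get("sport"))
        for pattern, name in SIGNATURES.items():           # virus-scanner style matching
            if pattern in pkt["payload"]:
                alerts.append(name)
        if alerts:
            self.blocklist[pkt["src"]] = now + self.block_seconds
        return alerts

def build_packet(src, dst, sport, dport, payload, corrupt=False) -> bytes:
    """Construct a minimal IPv4/TCP packet as sample input (not a real capture)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    fields = [0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    if corrupt:                                              # flip the TTL after checksumming
        header = header[:8] + bytes([header[8] ^ 0xFF]) + header[9:]
    return header + tcp

def demo(now: float = 1000.0) -> dict:
    """Five constructed packets aimed at our host 192.0.2.10 (documentation address range)."""
    ids = ToyIDS("192.0.2.10")
    attacker = "203.0.113.5"
    return {
        "clean": ids.inspect(build_packet("192.0.2.1", "192.0.2.10", 110, 49152, b"+OK POP3 ready"), now),
        "wrong_port": ids.inspect(build_packet("198.51.100.7", "192.0.2.10", 8080, 49152, b"+OK POP3 ready"), now),
        "signature": ids.inspect(build_packet(attacker, "192.0.2.10", 4444, 80, b"CONSTRUCTED-ATTACK-PATTERN", corrupt=True), now),
        "repeat": ids.inspect(build_packet(attacker, "192.0.2.10", 4444, 80, b"hello"), now + 3600),
        "expired": ids.inspect(build_packet(attacker, "192.0.2.10", 4444, 80, b"hello"), now + 48 * 3600 + 1),
    }

if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, "->", alerts or "passed all checks")
```

Running it shows the clean mail packet passing every check, the packet with a mail reply from the wrong port being flagged, the altered packet failing both the checksum and the signature check, the attacker's next packet an hour later being refused because it is blocklisted, and the same packet a little over 48 hours later passing again because the block has expired.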

Once you have some details about the hacker (his or her IP address, time of attack, etc.), it is recommended that you send your log file to the ISP that the hacker is using, including as much information as possible so that they may deal with the intrusion. Almost all ISPs have an e-mail address for this sort of thing; it will be abuse@whateverisp.com. Responses will vary according to the policies of the ISP and whether, or how much, they care. Most ISPs have a similar policy to Actrix, where customers will be warned for small breaches and have their account closed if they persist. Serious breaches may result in instant closure and reporting to the police. Actrix also has an abuse officer (abuse@actrix.co.nz) who can help you decipher and deal with the information your IDS gives you. However, please understand that due to time constraints these complaints cannot always be followed up immediately. Please also remember that if you are being hacked, it is primarily your own responsibility to deal with it. Actrix will help where they can, but they have no more power in dealing with another ISP than you do.

So, hopefully you see that a firewall is not a complete security package. Even though you may have one installed, there are still various ways of bypassing firewalls and utilising holes to gain access to your machine, and your IDS will catch most of what your firewall misses.

Next month I will cover the next line of defense in our battle against the Cyber Attacker, and follow up with a recap, and a bit more detail after that. Please understand that there is just so much to explain, and I may lose some of you from time to time, but if you bear with me, you will get the general idea, and hopefully avoid becoming a victim of the next Cyber Punk surfing past you on the Internet.

Until Next time,
Safe Browsing and Good Luck. Most of all Have Fun.

Dean Moor