Distributed Port-Scan Attack in Cloud Environment Prachi Deshpandel, Aditi Aggarwall, S. C. Sharma1, P. Sateesh Kumarl 1 Indian Institute of Technology Roorkee, Roorkee-lndia-247 667 {deprachi3, aditil 27, scs60fpt, prof. sateesh} gmail. com AJith Abraham 2 3 Machine Intelligence Research Labs (MIR Labs), WA, USA. IT41nnovations – Center of Excellence, VSB – Technical University of Ostrava, Czech Republic. Abstract??” Cloud Computing is becoming a promising technology for processing a huge chunk of data.
Hence, its security aspect has drawn the attentions of researchers and academician. The security of the cloud environment must be reliable as well as scalable. The cloud environment is vulnerable to many security attacks. Attacks can be launched individually or in tandem. In this article, the overview of port-scan attack and the response of IDS are studied. The experimentation is carried out using virtual-box and SNORT, the open-source IDS. Keywords- Cloud computing; Firewall; Distributed attacks; Intrusion Detection System; Port-scan; Security.
INTRODUCTION According to National Institute of Standards and Technology (NIST), Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access o a shared pool of confgurable computing resources (e. g. , networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [1]. Cloud computing refers to a collection of computing and users. It is considered as internet based computing service provided by various infrastructure providers on an ondemand basis.
It provides high performance computing for many data intensive and scientific applications with easy scalability. Deshpande et al [2] illustrated a collection of various errors and the possible solution to set up a private cloud. Security in cloud computing is key aspect which is most desired by a cloud user. Data privacy and security concerns are discussed in [3] with provision of trusted third party as a solution for providing security solutions. Intrusion detection system (IDS) based approaches was proposed for cloud security in [4].
Most general security attacks in the cloud environment includes flooding, Denial of service, root-kits, port-scan, malwares [5-6]. An evolutionary design is proposed in [7] for intrusion detection. Further, in this regard, an IDS using hybrid intelligence is proposed in [8], which is helpful under variety of conditions. Further the approach in [8] is extended for the mobile computing environment in [9] by Alvaro et. al. To improve the 978-1-4799-1409-8/13/$31. 00 2013 IEEE 27 performance of public cloud monitoring, a lightweight monitoring framework was proposed in [10].
The article discussed various performance related issues in cloud computing and its security. Different type of intrusion detection systems in cloud with their limitations is nicely categorized in [11]. The Criminal psychology starts with the finding the loopholes in the system. First step toward launching the attack is to get the information about the system by portscanning. With the aid of port-scanning, attacker can get information like open ports, supported network services, and protocols used by the host. The attacks can be launched in various stages, of which the first stage is to get maximum information about the target.
Scanning with stealth scanner is preferred by intelligent attacker to retrieve information of the target. On the basis of collected information, attacker tries to gain access of the target. After successful access of the target, the attacker tries to get the enhanced privileges to achieve its goal. Malicious code is inserted by attacker after aining the required privileges. In this article, port-scan attack is evaluated. Basic information about the user can be easily extracted by using it. The port-scan attack is classified as Horizontal port-scan, Vertical port-scan and block scan [12].
The Brute force port-scan and stealth scan attacks are also used for port-scanning. ‘Brute force’ scanners scan the port in a sequential manner one after another for the range specified by the user. These scanners can easily get detected. Stealth scanner technique is more sophisticated one in which attackers send a single packet with a specified flag. When attacker gets eply for this packet, ports are determined [12]. Providing security and privacy to cloud user is essential as the attackers’ can be outsider as well as an insider i. e. a virtual machine exploiting vulnerabilities of the system to launch the attack.
To provide security, use of intrusion detection system is suggested along with the analysis of placement of intrusion detection system inside cloud [4]. Nowadays various techniques are used to evade the intrusion detection system. A careful scan at a rate lower than the threshold can easily go undetected [12]. ‘Decoys’ are the hosts which are up and idle. These systems can be sed to launch port-scanning attack along with the actual attacker. They help in hiding the IP of the attacker. IPs of the attacker and the IPs of all the ‘Decoys’ are mixed. Victim may not be able to decide the IP of the attacker.
Combining ‘Decoys’ and stealth port-scanning techniques, port-scanning attack can be launched on target machines by the attacking virtual machines (VM). One of the major challenges for the attacker is to find out the ‘Decoys’ available on the network. Fig. l shows the proposed model with different VM acting as an attacker. Port Scan Attack SNORT system scan is achieved by transmitting packets at slow ace. After sending the first packet, ‘Nmap’ waits for some time and then sends the second packet. Between the successive transmissions of every two packets ‘Nmap’ waits for specified time delay.
Most of the IDS work on the principal of ‘X’ number of probes in Y time units. By launching stealthy scan, criterion of IDS is not satisfied and it may not be able to detect the attack. RESULTS AND DISCUSSIONS During analysis, firstly, using ‘Nmap’ tool two VM are scanning the target IPs i. e. 172. 17. 4. 246. The IPs scanning the target using ‘Nmap’ utility are 192. 168. 42. 1 192. 168. 42. 2 and 192. 168. 42. 254. Ubuntu 12. 10 VM and Ubuntu 12. 04 VM are used for scanning the target. Fig. 2 shows the scanning results of Ubuntu 12. 04 VM. Base OS Figure 1. Port-scanning attack by VM.
Once some of the ‘Decoys’ are found, those can be used persistently to launch the attack on the victim. In ‘decoy scanning many ‘Decoys’ launch the attack on the victim. Similarly, in distributed port-scanning, multiple virtual machines launch the attack on a host in the cloud infrastructure. In ‘decoy scanning idle hosts are used by a single machine for launching the attack while in distributed scanning multiple machines launch attack ith their own resolve. They are not being directed by any single virtual machine. In this analysis, the base operating system is Windows 2007.
Virtual-box software is installed on windows operating system for creation of VM. Two Ubuntu VM are created with the help of virtual-box. SNORT is used as deployed on the base operating system to identify the effects of intrusion on base operating system and VM. Various open source tools such as ‘Nmap’, ‘Metasploit’, and ‘Scapy are used for scanning the target machine information The primary goal of this analysis is to launch portscanning attack such that it should ot be detected by an intrusion detection system. ‘Nmap-6. 25’ (Network Mapper) is used to launch port-scanning attack from one virtual machine to another.
Various options are available with Nmap for this purpose. Apart from ‘Nmap’, ‘Metasploit’ and Scapy are also used to verify the performance. A graphical user interface called ‘Zenmap’ is provided by Nmap suite so as to provide user friendliness to all the users. ‘Zenmap’ provides all the 28 Figure 2. Scanning environment target using Ubuntu 12. 04 VM The ‘Nmap’ tool uses Ubuntu as the launch pad for portscanning purpose. The ‘Nmap’ cans the target IP and provides the information about the available services and ports. This is helpful for the attacker to gain the privileged access of the target.
Fig. 3 shows the log entries of IDS response for the port-scan attack using ‘Nmap’ Figure 3. Log entries of IDS response SNORT has different priority levels for detection of attacks. These priorities indicate the bad responses against the possible attacks. Higher priority count indicates more number of bad responses. Further, the attacks are launched 2013 Fifth International Conference on Computational Aspects of Social Networks (CASON) y using ‘Metasploit’ tool. It is used to launch TCP scan on the target virtual machine using the ‘Msfconsole’ interface provided by Metasploit. Msfconsole’ provides different option to the user for launching exploits. Fig. 4 shows the ‘Metasploit’ environment to launch TCP scan on the target machine. TCP port-scanning is launched by writing the command for it in the first line. The command ‘show options’ is to check available module options. It provides the name of the option along with its description and the current settings. The values of the options can be modified according to the need. In this analysis, ‘RHOSTS’ option is used to shown in the Fig. 4.
It shows that the TCP ports 135, 139, 445, 903, 913, 1026, 1025, 1029, 1027, 1028, 3790 and 5357 are open on the target host. Port number is appended after the IP address of the target followed by a colon. A large variety of port-scanning attacks can be launched using ‘Msfconsole’ such as ‘ack firewall scan’, ftp bounce port-scan’, ‘syn portscan’, tcp port-scan’ and ‘xmas port-scan’. ‘Ping scan’ and ‘NAT-PMP external port-scanning are also available. packets are received from the target. In total, five answers are received. It indicates hat the status of five ports is known to the attacking virtual machine.
Port protocol 135 tcp dcerpc Name 138 445 smb 1025 1026 Endpoint Mapper (151) services Windows 7 Home Basic (Build 7601) (language: Unknown) (name: WINDOWS) (domain: workgroup) D95afe70-a6d5-4259-822 e-2c84da lddbOd vl . 0 b25a52bf-e5dd-4f4a-aea 6 8G7272aoe86 VI . 0keylso Figure 5. Scanning results using ‘Metasploit’ tool Figure 6. Log entry of Snort with ‘Metasploit’ Figure 4. ‘Metasploit’ environment for TCP scan Fig. 5. shows scanning results using ‘Metasploit’ tool. At port 445, the information about the operating system on the arget machine is revealed. It also exposes the various services available at each port of the target machine.
This information is very much important for the attacker to gain the privileged access of the target. The log entry of SNORT when ‘Metasploit’ is used is shown in Fig. 6. It also shows that with ‘O’ priority level, “Decoys” are detected. Fig. 7 shows the usage of ‘Scapy to launch SYN scan. Scapy is launched using Scapy command from the terminal. The destination of packets is specified using the ‘dst’ command. Ports which are to be scanned on target are listed using ‘dport’. SYN flag is set by making flags equal to ‘S’. Any other flags can also be specified. In this analysis, six packets are sent to the target as six ports are specified.
In turn, 134 After TCP SYN scan is being launched by the attacker, the status of the ports within the square brackets is analyzed. ‘SA’ and ‘RA’ indicates the ‘port is open’ and ‘port is closed’, respectively. Fig. 7 shows that ports 1025 and 1029 are open while port 5358 is closed. Instead of specifying individual ports, a range of ports can also be specified. To specify a range of ports parenthesis is used instead of square brackets. The range of ports to be scanned is specified in the Parenthesis. Fig. 8 shows launching of ‘SYN scan’ using ‘Scapy to a range of ports on the target virtual machine. canned, 1024 packets are being sent to the target virtual machine by the attacker. 370 packets are received in response from the victim target machine and 162 answers are obtained. 29 Figure 9. Log entries for ‘ScapV scan. Figure 7. Use of ‘Scapy to launch SYN scan The summary of the result is obtained by using the ‘summary 0’ command. The ports shown in Fig. 8 are closed because TCP flag is RA. SNORT is run in IDS mode on the victim to see whether it can detect the scan launched by ‘Scapy or not. In this analysis, more than one VM is launching the attack.
The situation become worst when the all the attacking VM shares the scan information with each other. To cope with such condition, script of IDS has to be modified. FRONT-END ONED DRIVERS IMAGES SSH IDS HYPERVISOR VM3 HOST MACHINE Figure 8. SYN scan using ‘Scapy on a range of ports The Fig. 9 shows the report maintained by the SNORT. The log entry shows the IP address of the attacker and victim. The type of attack being launched is also specified. Priority count is kept zero. Higher the priority count more dangerous is the scan. For attacker, lower priority count is desired so that the victim assumes that the log entry to be a false positive.
By analyzing the different tools for port-scanning, it can be concluded that with high priority, the attacks can be detected by SNORT. This priority level information can be used to enhance the prevention mechanism. Further, ‘Metasploit’ and ‘Scapy is the best option for launching the attacks. With port-scan attack, various information of the target is identified by the attacker. By using it, further attacks can be launched by the attacker to get the privileged access of the target machine/system. Fig. 10 shows a private cloud implemented by [2]. Table I gives the analysis of the capabilities of different tools used for port-scan attack.
TABLE l. ANALYSIS OF PORT SCANNING TOOLS Parameters Tools Used Scanning Method Packet Crafting by User Specification Priority Count With Varied Sense Level Not allowed O or 20 Not Specific Metasploit -rcp Possible or 10 Scapy UDP Easy to perform Table I shows that with varying sense level, SNORT can detect any type of port- scan attack. CONCLUSIONS The port-scan attack is verified using SNORT IDS and VMs. This attack can be used by the intruders to gain the rivileged access of the target system as it provides information like open ports, operating system, protocols used and network services of target machine.
In this analysis, ‘Nmap’, ‘Metasploit’ and ‘Scapy tools are used for launching the attacks. It has been found that ‘Metasploit’ and ‘Scapy are providing more detailed information about the target machine and its environment. Services information of target OS is given by ‘Metasploit’. Using this information the exploits can be built such as privilege escalations. With the help of ‘Scapy different packets can be crafted utilizing the information gathered by port scanning.
