A Brute-force Technique for the Stepping Stone Self-Diagnosis of Interactive Services on Linux Servers

A brute-force technique for the stepping stone self-diagnosis of interactive services on Linux servers (Korean title)

  • Kang, Koo-Hong (Dept. of Information and Communication Engineering, Seowon University)
  • Kang Koo-Hong (Dept. of Information and Communication Engineering, Seowon University) (Korean author line)
  • Received : 2015.02.11
  • Accepted : 2015.05.06
  • Published : 2015.05.30

Abstract

In order to hide their identities, intruders on the Internet often attack targets indirectly by staging their attacks through intermediate hosts known as stepping stones. In this paper, we propose a brute-force technique to detect stepping stone behavior on a Linux server, where shell processes that were remotely logged into through interactive services attempt to connect to other hosts using the same interactive services, namely Telnet, Secure Shell, and rlogin. The proposed scheme can provide an absolute solution even for connections encrypted with SSH, because it traces the system calls of all processes concerned with the interactive service daemon and their child processes. We also implement the proposed technique on a CentOS 6.5 x86_64 environment using the ptrace system call and a simple shell script built on the strace utility. Finally, the experimental results show that the proposed scheme works perfectly under the test scenarios.

Attackers who gain malicious access through the Internet pass through intermediate hosts (so-called stepping stones) to conceal their own exposure as much as possible. This paper proposes a brute-force technique for detecting the behavior of accessing a Linux server using interactive services such as Telnet, SSH, and rlogin and then attempting a remote connection to another computer using those same interactive services. Because the proposed technique diagnoses stepping stone behavior by monitoring the system calls of the interactive service daemon processes, it can provide complete detection results even for encrypted connections such as SSH. In this paper, the proposed technique is actually implemented on a CentOS 6.5 64-bit environment using the ptrace system call and a simple shell script. Finally, the proposed brute-force technique is validated through field operation under several experimental scenarios.
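The detection step both abstracts describe, watching the system calls of the interactive-service daemon and its children and flagging any onward connection to Telnet, SSH or rlogin, as an added example that is not the paper's own shell script. It assumes the line format that `strace -f -e trace=connect` prints when attached to the daemon, the standard service ports 22/23/513, and a constructed trace excerpt embedded below; the process ids and addresses in that excerpt are made up.

```python
"""Flag stepping-stone behaviour in `strace -f -e trace=connect` output.

Added example (not the paper's code): parses connect() lines emitted by
strace for an interactive-service daemon and its children and reports every
attempt to reach another host on an interactive-service port.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Destination ports of the interactive services the paper is concerned with.
INTERACTIVE_PORTS = {22: "ssh", 23: "telnet", 513: "rlogin"}

# One connect() line as strace -f prints it. The "[pid N]" prefix is absent
# for the process strace was attached to directly.
CONNECT_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?'
    r'connect\(\d+,\s*\{(?P<addr>[^}]*)\},\s*\d+\)'
    r'\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)
PORT_RE = re.compile(r'sin6?_port=htons\((\d+)\)')
IPV4_RE = re.compile(r'sin_addr=inet_addr\("([^"]+)"\)')
IPV6_RE = re.compile(r'inet_pton\(AF_INET6,\s*"([^"]+)"')


@dataclass
class OutboundConnect:
    pid: int        # process that issued connect()
    dst_ip: str
    dst_port: int
    service: str    # ssh / telnet / rlogin
    result: str     # "ok", "in-progress" or the errno name


def classify_result(ret: str, errno: Optional[str]) -> str:
    if ret == "0":
        return "ok"
    # Non-blocking connect: the attempt is real even though it has not completed.
    if errno == "EINPROGRESS":
        return "in-progress"
    return errno or "failed"


def detect_stepping_stones(strace_text: str, traced_pid: int) -> List[OutboundConnect]:
    """Return every connect() to an interactive-service port, in trace order.

    Any hit means a process under the traced daemon (a remotely logged-in
    shell or one of its children) is trying to hop onward, which is the
    stepping stone condition. Refused or failed attempts are reported too,
    because the attempt itself is the signal.
    """
    hits = []
    for raw in strace_text.splitlines():
        m = CONNECT_RE.match(raw.strip())
        if not m:
            continue
        addr = m.group("addr")
        port_m = PORT_RE.search(addr)
        if not port_m:
            continue  # AF_UNIX and other non-IP sockets carry no port
        port = int(port_m.group(1))
        if port not in INTERACTIVE_PORTS:
            continue  # DNS, HTTPS, ... are not interactive hops
        ip_m = IPV4_RE.search(addr) or IPV6_RE.search(addr)
        hits.append(OutboundConnect(
            pid=int(m.group("pid")) if m.group("pid") else traced_pid,
            dst_ip=ip_m.group(1) if ip_m else "?",
            dst_port=port,
            service=INTERACTIVE_PORTS[port],
            result=classify_result(m.group("ret"), m.group("errno")),
        ))
    return hits


# Constructed sample of what `strace -f -e trace=connect -p <daemon pid>`
# prints while a logged-in user resolves a name, then runs ssh, telnet and
# rlogin; pids and addresses are invented for the example.
SAMPLE_TRACE = """\
[pid  4102] connect(5, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid  4102] connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0
[pid  4102] connect(3, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
[pid  4107] connect(3, {sa_family=AF_INET, sin_port=htons(23), sin_addr=inet_addr("198.51.100.7")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid  4109] connect(3, {sa_family=AF_INET6, sin6_port=htons(513), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::5", &sin6_addr), sin6_scope_id=0}, 28) = 0
connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.9")}, 16) = 0
"""

if __name__ == "__main__":
    for hit in detect_stepping_stones(SAMPLE_TRACE, traced_pid=4100):
        print(f"pid {hit.pid} -> {hit.dst_ip}:{hit.dst_port} ({hit.service}) {hit.result}")
```

On a live host the trace would come from `strace -f -e trace=connect -p <pid of sshd, telnetd or rlogind>` run as root, so that every session child the daemon forks is followed; `traced_pid` only matters for lines without a `[pid N]` prefix, which strace emits for the process it was attached to. Tracing the daemon rather than the network path is what lets this work for SSH sessions, since the connect() arguments are visible in the clear regardless of what the session carries.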
