See Also: scanner

A

amplification attack
Any type of attack that magnifies the effect of a single attacking host.
Overview
Amplification attacks work by having one packet generate multiple responses. The resulting effect is that a single attacking host appears as multiple hosts, with the goal of intensifying the effect of the attack to bring down entire networks. Distributed denial-of-service (DDoS) attacks are classic examples of amplification attacks in which intermediary compromised hosts are used to multiply the malicious intent of a single intruder. The Smurf attack is another type of amplification attack and relies on the fact that a single spoofed Internet Control Message Protocol (ICMP) echo request will cause multiple hosts on a network to generate ICMP echo replies, the amplification factor here being the number of accessible hosts on the compromised network.
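As an added illustration from the defender's side (not part of the original entry), the following Python sketch looks for the traffic pattern the Smurf description implies: a local host receiving ICMP echo replies from many distinct responders although it never sent them an echo request. All addresses and packet records are constructed sample data, and the count of distinct unsolicited responders is reported as the observed amplification factor.

```python
from collections import defaultdict

# ICMP record as seen at the victim network's border: (src, dst, icmp_type).
# Addresses and packets below are constructed sample data.
ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers

PACKETS = [
    ("10.0.0.5", "198.51.100.1", ECHO_REQUEST),   # 10.0.0.5 pings a peer ...
    ("198.51.100.1", "10.0.0.5", ECHO_REPLY),      # ... and gets one reply back
    # 10.0.0.9 sent no request, yet several hosts on 203.0.113.0/24 reply to
    # it: its address was used as the spoofed source of one echo request.
    ("203.0.113.10", "10.0.0.9", ECHO_REPLY),
    ("203.0.113.11", "10.0.0.9", ECHO_REPLY),
    ("203.0.113.12", "10.0.0.9", ECHO_REPLY),
    ("203.0.113.13", "10.0.0.9", ECHO_REPLY),
    ("203.0.113.14", "10.0.0.9", ECHO_REPLY),
]

def unsolicited_replies(packets):
    """Map each local host to the set of peers that sent it echo replies
    without that host ever having sent them an echo request."""
    requested = defaultdict(set)   # host -> peers it sent requests to
    replied = defaultdict(set)     # host -> peers that replied to it
    for src, dst, icmp_type in packets:
        if icmp_type == ECHO_REQUEST:
            requested[src].add(dst)
        elif icmp_type == ECHO_REPLY:
            replied[dst].add(src)
    return {host: peers - requested.get(host, set())
            for host, peers in replied.items()}

def amplification_alerts(packets, min_responders=3):
    """Flag hosts receiving unsolicited replies from many distinct responders.
    The number of such responders is the observed amplification factor."""
    alerts = {}
    for host, peers in unsolicited_replies(packets).items():
        if len(peers) >= min_responders:
            alerts[host] = len(peers)
    return alerts

if __name__ == "__main__":
    print(amplification_alerts(PACKETS))
```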
See Also: distributed denial of service (DDoS), Smurf attack
Annual Computer Security Applications Conference (ACSAC)
An annual conference on computer security organized and sponsored by Applied Computer Security Associates (ACSA).
Overview
Since 1985, the Annual Computer Security Applications Conference (ACSAC) has helped advance the principles and practices of computer security. Conference attendees work primarily in technical fields and include engineers, researchers, and practitioners in the field of computer security. Attendance at ACSAC averages around 250 people and is heavily weighted toward industry and government.
For More Information
For information on upcoming conference schedules and registration, see www.acsac.org.

See Also: Applied Computer Security Associates (ACSA)
anomaly-based IDS
An intrusion detection system (IDS) that uses a baseline instead of signatures to detect intrusions.
Overview
While signature-based (or rule-based) IDSs are more common, they are limited to recognizing known attacks and require their signature database to be updated regularly. An anomaly-based IDS takes a different approach and begins by capturing network traffic to form a profile or baseline of acceptable network events. Once this database has been created, an anomaly-based IDS then compares current traffic to baseline traffic and uses pattern-recognition algorithms to identify possible intrusion events by detecting traffic anomalies. To make the process more efficient, anomaly-based IDSs usually begin by filtering out known “safe” traffic such as Simple Mail Transfer Protocol (SMTP) mail or Domain Name System (DNS) lookups to reduce the amount of data they need to inspect.

Anomaly-based IDSs tend to be good at detecting the initial stage of an attack when an intruder is probing the network using port scans and sweeps. They can also detect when a new network service appears on any host on the network, indicating a possible breach of that host’s security.
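The following Python example, added here and not part of the original entry, walks through the stages just described on constructed sample flow records: filtering out SMTP and DNS as safe traffic, building a baseline of known listening services and normal per-source port counts, then flagging a port scan and a newly appeared service in current traffic. The flow tuple layout, the scan threshold and all addresses are assumptions made for this illustration.

```python
from collections import defaultdict

# Flow record: (src_ip, dst_ip, dst_port, answered); "answered" is True when the
# destination replied, i.e. a service is listening. All data below is constructed.
SAFE_PORTS = {25, 53}  # SMTP mail and DNS lookups are filtered before inspection

BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 80, True),
    ("10.0.0.5", "10.0.0.21", 443, True),
    ("10.0.0.5", "10.0.0.22", 53, True),
    ("10.0.0.6", "10.0.0.23", 25, True),
]

CURRENT_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 80, True),      # normal web traffic
    ("10.0.0.6", "10.0.0.22", 53, True),      # DNS, filtered out as safe
    ("10.0.0.99", "10.0.0.20", 21, False),    # 10.0.0.99 probes many ports
    ("10.0.0.99", "10.0.0.20", 22, False),
    ("10.0.0.99", "10.0.0.20", 23, False),
    ("10.0.0.99", "10.0.0.20", 80, True),
    ("10.0.0.99", "10.0.0.20", 445, False),
    ("10.0.0.7", "10.0.0.21", 4444, True),    # service on a port never seen before
]

def filter_safe(flows):
    return [f for f in flows if f[2] not in SAFE_PORTS]

def build_baseline(flows):
    """Profile phase: known services plus the normal number of distinct ports
    one source touches on one host."""
    services = set()
    ports_per_pair = defaultdict(set)
    for src, dst, port, answered in filter_safe(flows):
        if answered:
            services.add((dst, port))
        ports_per_pair[(src, dst)].add(port)
    max_ports = max((len(p) for p in ports_per_pair.values()), default=1)
    return {"services": services, "max_ports_per_pair": max_ports}

def detect_anomalies(baseline, flows, scan_factor=3):
    """Compare current traffic with the baseline; return sorted alert tuples."""
    alerts = set()
    ports_per_pair = defaultdict(set)
    for src, dst, port, answered in filter_safe(flows):
        ports_per_pair[(src, dst)].add(port)
        if answered and (dst, port) not in baseline["services"]:
            alerts.add(("new-service", dst, port))  # host answering on unknown port
    limit = baseline["max_ports_per_pair"] * scan_factor
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) > limit:
            alerts.add(("port-scan", src, dst))  # one source touching many ports
    return sorted(alerts)
```

Note that the scan probes to closed ports raise no new-service alert because the host did not answer; only the scan itself is reported.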
The downside of anomaly-based IDSs is that they tend to be more difficult to configure than signature-based IDSs, because it is sometimes difficult to distinguish what constitutes “normal” traffic from “abnormal” and, as a result, they tend to generate more false alerts than signature-based ones. Consequently, anomaly-based IDSs usually require a larger degree of human intervention in order to determine the status of “questionable” traffic and reconfigure the IDS to accept or reject such traffic in the future. Finally, anomaly-based IDSs usually need to be deployed in a distributed fashion across a network, close to the servers they are protecting, in order to