
Radware’s Behavioral Server Cracking Protection

A DefensePro Whitepaper

By Renaud Bidou
Senior Security Specialist, Radware

October 2007

www.radware.com
Behavioral Server Cracking Protection
Date: October 2007
Page - 2 -

Table of Contents

Abstract ................................................. 3
Information Gathering .................................... 4
  Scanners & Crackers .................................... 4
  Scanner and Cracker Tools .............................. 4
Radware DefensePro ....................................... 7
  Server Cracking Protections ............................ 7
  Behavioral Server Cracking Technology .................. 8
Summary ................................................. 10

Abstract

The rapid development of Internet applications has brought new challenges with it. Organizations constantly pursue technologies that replace manual processes with automated ones, and this migration from manual to automated processes often introduces vulnerabilities that hackers and cybercriminals can exploit. Their goal is to leverage these automated processes to mount widespread attacks. Over time, attackers have developed tools whose traffic blends in with legitimate forms of communication, which makes network attacks increasingly difficult to detect and prevent. Recent attacks have exploited legitimate Internet applications in order to generate hostile events; these sophisticated attacks take cover in the complexity of today’s Internet environment.

In practice there are several methodologies for penetrating and attacking computer networks, but they generally share the same three phases of operation: intelligence, attack planning and attack execution.

1. Intelligence (Information Gathering) – A typical intrusion into a computer network begins with pre-attack probe scanning, which gives the attacker valuable knowledge about the target network. Knowing which application software and versions are deployed and which security patches have been installed exposes infrastructure and system vulnerabilities. Scanning methods have become more sophisticated over the past few years: current techniques continuously vary their scanning rate and send decoy traffic during the scan, which makes them hard to detect.

2. Attack Planning – Using the knowledge gained during the intelligence phase, the attacker decides which attack type will be most effective in harming the target network. The objective is an attack that can be executed in the most effective and efficient manner, i.e., aimed directly at the vulnerable network resource (router, server, application, etc.) without performing unnecessary operations. Unnecessary operations arouse suspicion and lower the success rate of the attack.

3. Attack Execution – Most network and application attacks can be executed with readily available attack tools that are easily downloaded from the Internet. With rudimentary programming skills, these tools can be modified to perpetrate the pre-meditated attack.

This paper describes the methods developed over the last few years to carry out the first phase, information gathering. It specifies the threat this activity poses, the challenge in detecting it, and the technology used by Radware’s Intrusion Prevention System, DefensePro, to detect and mitigate the threat.

Information Gathering

Scanners & Crackers

Scanners and crackers are the main tools used to automate security testing. In the hands of security experts they speed up the security audits that are usually carried out by the organization’s security manager. When the organization lacks expert security resources, or for regulatory reasons, the automated testing is done by a third-party security audit company.

These scanner and cracker tools generate network-based pre-attack probes such as ping sweeps and port scans, or application-level pre-attack probes such as username/password cracking and application vulnerability scans, all of them automatically rather than through a manual audit that can take months to conduct.

While most of these tools were developed with good intentions, individuals with malicious intent can take advantage of the same “legitimate” tools to quickly and efficiently find vulnerabilities in target systems and then use them to attack the network. Moreover, worms usually propagate through automated scanning and infection, imitating (or simply copying) the technology used in scanners and crackers to identify potentially vulnerable hosts that they can infect without human intervention.

Being able to block such tools therefore becomes mandatory: it would eliminate most large-scale hacking attempts, block worms and considerably slow down targeted cracking operations.

Scanner and Cracker Tools

Many tools are used to automate security tests. To simplify their description we can map them into two main categories: network layer and application layer tools.

This paper focuses on the more challenging task of detecting and preventing the scanners and crackers that fall into the application layer category1.

Application layer tools fit into two main categories of threat:

Cracking Attacks - Cracking attacks, whether brute force or dictionary attacks, try to break into an application by guessing user names and passwords from known lists. The risk associated with these attacks is clear: once a valid username and password pair is obtained, the attacker has free access to a service or to information, and may even obtain administrative permissions on the server itself. An additional risk is denial of service, caused either by triggering the application’s built-in protections (locking out legitimate users) or by consuming system resources during the authentication attempts.

1 As mentioned earlier, over time hackers have developed attack tools that integrate well with legitimate forms of communication. Application layer scanning and cracking tools are part of this family of tools.

Brute force attack tools usually rely on a technique called a mass generator, which is designed to launch a massive number of similar operations at high speed. In the case of a brute force attack the repeated operation is a login attempt, each time with different credentials.

A common type of brute force tool is the generic brute forcer. These tools can target multiple applications and test more than 20 different authentication types, from the usual ones such as HTTP and FTP to quite exotic ones such as CVS and pcAnywhere. They exercise authentication methods that are defined in standards, such as HTTP Basic authentication, so every attempt is a well-formed request that the server itself is designed to answer.

Application Vulnerability Scanning - These scanners perform thousands of tests and provide a list of potential vulnerabilities that may be exploited. Typically a scanner does not send an exploit to the server but a more legitimate request that only reveals the existence of the vulnerability, and as such it does not trigger signature-based protection systems.

These scanners can be classified into three families:
• Generic scanners: These tools perform thousands of tests against many different products and provide a list of potential vulnerabilities that may be exploited;
• Dedicated scanners: These tools also test for multiple vulnerabilities, but only those that affect one specific operating system or application;
• Exploitation tools: These tools launch a sequence of real attacks on the targeted systems. As mentioned before, this method is less common because it is easy to detect.

Application scanners generate thousands of application requests to the server and analyze the differences in its responses. From the responses the tool identifies the exact target application information (type, version etc.). Based on that information it typically looks up a vulnerability database, selects the set of application requests that fit the application type and version, and sends them to the probed application. In this way the tool automatically identifies which vulnerabilities exist in the application.

The following figures show a typical HTTP vulnerability scan:

Attacker                                      Public Web Server
  GET /cgi-bin/info2www HTTP/1.0     ------>
                                     <------  Response code
  GET /cgi-bin/files.pl HTTP/1.0     ------>
                                     <------  Response code
  GET /cgi-bin/finger HTTP/1.0       ------>
                                     <------  Response code
  GET /cgi HTTP/1.0                  ------>
                                     <------  Response code
  GET /cgi/websendmail HTTP/1.0      ------>
                                     <------  Response code
  GET /cgi/textcounter HTTP/1.0 ...  ------>
                                     <------  Response code

Figure 1a – HTTP Vulnerability Scan Activities (1st phase)

After the 1st scanning phase the attacker has achieved the following:
• The server application type and version have been discovered.
• During the scan the server’s resources (CPU and memory) have been consumed by the probes, which can in itself result in service disruption.
• Known potential application vulnerabilities have been detected.
• As shown in Figure 1b below, a direct exploitation attempt against one of those vulnerabilities can now be launched in the 2nd phase with a high probability of success.

Attacker   ---- Exploitation ---->   Public Web Server

Figure 1b – Exploitation (2nd phase)

The application pre-attack probes described above cloak themselves as legitimate traffic by definition: they usually neither violate protocol rules nor match pre-defined attack signatures, because those signatures represent exploitation attempts of known application vulnerabilities and a probe is not an exploit. Network Intrusion Prevention Systems (NIPS) that support only signature-based detection are therefore ineffective against these threats. Only a behavior-based product that can evaluate changing application traffic patterns will be able to effectively defeat these pre-attack probes.
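The exchange of Figure 1a, as an added example that is not part of the original paper: a small Python scanner sends the probe list as plain GET requests and keeps only what a scanner needs for the 2nd phase, the response code and the server banner. The target is a toy HTTP server started in-process; its paths, their response codes and the “Apache/1.3.27” banner are constructed for the demonstration and are not real products or results. Every request is a valid HTTP GET, which is exactly why a signature-only IPS sees nothing to match.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed toy target: two of the probed CGI paths "exist", everything else
# is 404. Codes and banner are made up for the demo.
KNOWN_PATHS = {"/cgi-bin/info2www": 200, "/cgi-bin/finger": 403}
FAKE_BANNER = "Apache/1.3.27 (Unix)"

# The probe list mirrors Figure 1a; a real scanner carries thousands of paths.
PROBES = ["/cgi-bin/info2www", "/cgi-bin/files.pl", "/cgi-bin/finger",
          "/cgi", "/cgi/websendmail", "/cgi/textcounter"]


class ToyCgiServer(BaseHTTPRequestHandler):
    def version_string(self):           # what goes into the Server: header
        return FAKE_BANNER

    def do_GET(self):
        self.send_response(KNOWN_PATHS.get(self.path, 404))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


def start_toy_server():
    """Bind the toy target on an ephemeral loopback port and serve in a thread."""
    srv = HTTPServer(("127.0.0.1", 0), ToyCgiServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(host, port, paths):
    """One plain GET per path; record only response code and Server banner."""
    results = {}
    for path in paths:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        results[path] = (resp.status, resp.getheader("Server"))
        conn.close()
    return results


def interesting(results):
    """The scanner's output: paths whose code differs from 'not found'."""
    return sorted(p for p, (code, _) in results.items() if code != 404)


if __name__ == "__main__":
    srv = start_toy_server()
    found = probe("127.0.0.1", srv.server_port, PROBES)
    for p, (code, banner) in found.items():
        print(f"GET {p} -> {code}  ({banner})")
    print("candidates for phase 2:", interesting(found))
    srv.shutdown()
```

A 403 is as useful to the attacker as a 200: it confirms the script is installed, which is what the vulnerability database is keyed on. This is why the classification has to be done on the pattern of the responses per source rather than on any single request.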

Radware DefensePro

Radware’s Server Cracking Protection is a behavioral, server-based technology that detects and prevents both known and unknown application scans and brute-force attacks.

This behavioral protection is part of Radware’s DefensePro Full Spectrum Protection Technology. The technology includes an adaptive behavioral network-based protection that mitigates network DoS and DDoS attacks, adaptive behavioral user-based protections that mitigate network pre-attack probes and zero-day worm propagation, and stateful signature-based protections against exploitation attempts of known application vulnerabilities.

Figure 2 illustrates the layered defense architecture implemented inside the DefensePro system. The server cracking protection belongs to the 2nd layer, the server-based behavioral technology shown in the figure:

[Figure 2: four protection layers and the threats each one covers]
  Proactive Network-Based Behavioral Analysis  <-  Network & DoS/DDoS flood attacks
  Proactive Server-Based Behavioral Analysis   <-  Server-based intrusion activities
  Proactive User-Based Behavioral Analysis     <-  Zero-day worm propagation, clean environment
  Stateful Signature-Based Protections         <-  Server attacks (exploitation of known vulnerabilities)

Figure 2 – DefensePro Multi-layered Protections

Server Cracking Protections

The Server Cracking behavioral protection detects and prevents the following known and unknown (zero-day) threats:
• Web authentication brute-force & dictionary attacks
• HTTP vulnerability scans
• SMTP (mail) brute-force & dictionary attacks
• FTP brute-force & dictionary attacks
• POP3 (mail) brute-force & dictionary attacks
• MySQL brute-force & dictionary attacks
• MSSQL brute-force & dictionary attacks
• SIP brute-force & dictionary attacks
• SIP scans

About SIP Scanning & Brute-force Attacks

SIP Scanning - In SIP scanning the attacker’s aim is slightly different from the usual application vulnerability scanning goal. While it is possible to find vulnerable SIP implementations, the actual gain from SIP scanning is a list of SIP subscribers to whom SIP spam, also known as SPIT (Spam over IP Telephony), can be sent. The attacker uses scripts to send messages to a list of guessed subscriber names and notes the ones that reply. SPIT annoys subscribers and can disrupt service if done in high volume.

SIP Brute Force - A REGISTER brute force is an attempt to gain access to a user account and, through it, to the service, allowing the attacker to use the service without paying for it. This in turn causes revenue loss, reputation loss and an increase in bill verification activities.

For more detailed information about Radware’s DefensePro VoIP protections, refer to Radware’s Multi-layered VoIP Security white paper at:
http://www.radware.com/content/document.asp?_v=about&document=7490

Behavioral Server Cracking Technology

Radware’s behavioral server cracking mechanism uses an advanced statistical engine and an adaptive fuzzy logic decision engine to detect users that try to scan or brute force server applications. The engine classifies the application response messages generated by the protected servers and extracts the user identifier (the source) from them. The statistical engine then computes statistical characteristics such as frequency, quantity and distribution parameters of the response messages corresponding to each user. The fuzzy logic decision engine assigns an anomaly weight to each characteristic parameter, correlates these weights through expert rules, and generates a degree of anomaly for each user.

One of the challenges every system administrator faces with protection systems is defining the time-out interval during which the system monitors a user’s activities until a decision can be made (e.g., until a certain threshold is breached). Wrong time-out settings lead directly to false positive or false negative decisions: a monitoring interval that is too long increases the chance of a false positive decision, while an interval that is too short increases the risk that the system will not detect the scan or brute force attack at all.

To solve this problem, Radware’s server cracking decision engine automatically adjusts the user monitoring interval according to the user’s degree of anomaly. This dynamic monitoring interval determines for how long the system considers the user a suspect and keeps analyzing his activities until a decision can be made. This adaptation increases the accuracy of the system’s decisions and dramatically reduces the configuration and maintenance work required from the system administrator.

Once a user has been identified as an attacker he is blocked, meaning that no more connections from this source to the attacked server are accepted. DefensePro inserts the source IP into a dynamic block list, or extends the blocking duration if the source IP address had already been blocked earlier in the same attack lifecycle.

Server Cracking Closed-Feedback Mechanism

Besides the dynamic user monitoring interval, DefensePro’s closed-feedback module is responsible for further minimizing false positive decisions. The closed-feedback method is characterized by a dynamic blocking period. When the system discovers attacker activity it first applies a very short blocking period to the source. During this period the system keeps tracing the blocked user and checks whether his abnormal activity is consistent. If the activity turns out to be a one-time event, the system immediately reduces the blocking duration to zero and releases the user; if the abnormal activity is consistent, the blocking duration is automatically increased. Figure 3 illustrates the server cracking decision making process:

  User Classification
          |
          v
  Statistics Collection  <--- Adaptive user monitoring interval
          |
          v
  Fuzzy Logic Decision Engine
          |
          v
  Dynamic Blocking  <--- Dynamic blocking closed-feedback

Figure 3 - Server Cracking Decision Making Process
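The decision process of Figure 3 and the two preceding sections (per-user statistics, a fuzzy degree of anomaly, an adaptive monitoring interval, and a short first block that is either cut to zero or doubled) as an added example, not DefensePro’s code. The paper does not publish Radware’s features, ramps or thresholds, so the three statistics (response rate, share of error responses, number of distinct resources), the membership ramps, the expert rule and all constants below are assumptions chosen for the demonstration. The input is the server’s responses keyed by source, as the text describes; the sample “log” of three sources is constructed, not captured traffic.

```python
from collections import defaultdict, deque

# Illustrative assumptions, not DefensePro parameters.
ANOMALY_BLOCK = 0.8     # degree of anomaly at which a source is blocked
ANOMALY_RELEASE = 0.3   # below this a blocked source is released at once
BASE_WINDOW = 10.0      # monitoring interval (s) for a source with no anomaly
INITIAL_BLOCK = 5.0     # first, deliberately short blocking period (s)
MAX_BLOCK = 600.0       # cap on the doubling blocking period (s)
ERROR_CODES = {401, 403, 404}


def ramp(x, lo, hi):
    """Fuzzy membership: 0 at or below lo, 1 at or above hi, linear between."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


class SourceState:
    def __init__(self):
        self.events = deque()      # (time, status, path) inside the window
        self.degree = 0.0          # last computed degree of anomaly
        self.blocked_until = None  # None when the source is not blocked
        self.block_len = 0.0       # current blocking period (s)


class ServerCrackingDetector:
    """Per-source behavioral classifier driven by the server's responses."""

    def __init__(self):
        self.sources = defaultdict(SourceState)

    def window_for(self, st):
        # Adaptive monitoring interval: a suspicious source is watched longer.
        return BASE_WINDOW * (1.0 + 2.0 * st.degree)

    def degree_of_anomaly(self, st, now):
        if not st.events:
            return 0.0
        n = len(st.events)
        span = max(now - st.events[0][0], 1.0)
        errors = sum(1 for _, s, _ in st.events if s in ERROR_CODES)
        paths = len({p for _, _, p in st.events})
        w_rate = ramp(n / span, 0.5, 5.0)     # responses per second
        w_err = ramp(errors / n, 0.3, 0.9)    # share of error responses
        w_paths = ramp(paths, 5, 30)          # distinct resources touched
        # Expert rule: crackers and scanners get mostly error replies AND are
        # either fast (brute force) or touch many resources (vulnerability scan).
        return w_err * max(w_rate, w_paths)

    def observe(self, now, src, status, path):
        """Feed one server response sent to src; return the decision for src."""
        st = self.sources[src]
        st.events.append((now, status, path))
        cutoff = now - self.window_for(st)
        while st.events and st.events[0][0] < cutoff:
            st.events.popleft()
        st.degree = self.degree_of_anomaly(st, now)
        if st.blocked_until is not None:
            if st.degree < ANOMALY_RELEASE:
                # Closed feedback: a one-off anomaly, cut the block to zero.
                st.blocked_until, st.block_len = None, 0.0
                return "released"
            if now >= st.blocked_until:
                # Still abnormal at expiry: same attack lifecycle, extend.
                st.block_len = min(st.block_len * 2.0, MAX_BLOCK)
                st.blocked_until = now + st.block_len
                return "extended"
            return "blocked"
        if st.degree >= ANOMALY_BLOCK:
            st.block_len = INITIAL_BLOCK
            st.blocked_until = now + st.block_len
            return "blocked"
        return "allowed"

    def is_blocked(self, src, now):
        st = self.sources.get(src)
        return st is not None and st.blocked_until is not None and now < st.blocked_until


# Constructed responses as (time_s, source_ip, status, path); not real traffic.
# 203.0.113.7 scans CGI paths four times a second, 198.51.100.5 is an ordinary
# visitor, 192.0.2.9 hits one dead link in a burst and then behaves normally.
SAMPLE_EVENTS = [
    (0.25 * i, "203.0.113.7", 200 if i in (10, 25) else 404, f"/cgi-bin/probe{i}")
    for i in range(40)
] + [
    (0.5, "198.51.100.5", 200, "/index.html"),
    (3.0, "198.51.100.5", 200, "/about.html"),
    (3.1, "198.51.100.5", 404, "/favicon.ico"),
    (6.0, "198.51.100.5", 200, "/products.html"),
    (9.5, "198.51.100.5", 200, "/contact.html"),
    (9.6, "198.51.100.5", 404, "/favicon.ico"),
] + [(2.0 + 0.1 * k, "192.0.2.9", 404, "/old-link") for k in range(5)] + [
    (6.0, "192.0.2.9", 200, "/index.html"),
]


def run(events, detector=None):
    """Replay events in time order; return the detector and per-source decisions."""
    detector = detector or ServerCrackingDetector()
    decisions = defaultdict(list)
    for t, src, status, path in sorted(events, key=lambda e: e[0]):
        decisions[src].append(detector.observe(t, src, status, path))
    return detector, dict(decisions)


if __name__ == "__main__":
    det, dec = run(SAMPLE_EVENTS)
    for src, d in dec.items():
        print(f"{src:14} {' '.join(d)}")
```

With the constructed sample the scanner is blocked on its fifth probe (one second in), its 5 s block is extended to 10 s when it is still scanning at expiry, and the ordinary visitor is never touched. The burst source is blocked after five identical 404s, but its next normal request drops the degree of anomaly below the release level and the block is cut to zero before it would have expired, which is the closed-feedback behaviour the text describes. Because the detector keeps a blocked source’s events for a longer window, the decision to extend is made on the whole attack lifecycle and not on the last few packets.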



Summary

Radware’s DefensePro integrates multiple layers of defense, including signature-based protection and adaptive behavioral network-based protection that covers threats such as zero-day worm propagation and DoS/DDoS network flood attacks, together with bandwidth management. Looking at the next level of attacks, the server cracking feature set complements the IPS offering with adaptive behavioral server-based protection technology.

Understanding today’s threats and security challenges leads to the conclusion that effective protection should include the following key capabilities:
• Wide Security Coverage – Application protection should be built from multiple layers of defense technology covering the network, transport and application layers. Both known and unknown attacks should be confronted through proactive behavioral-based and signature-based security technologies.
• Scalability – The security product should work in a high-speed environment with minimal impact on traffic latency. This capability should be supported by an advanced hardware architecture accompanied by advanced security technologies.
• Low TCO – Keeping the total cost of ownership low forces systems to be more independent of the human factor (“hands-off” systems). Relying less on people means that operations that used to be conducted by a security expert must now be performed automatically by the systems themselves.
• Accuracy – The accuracy of the product’s detection and prevention technologies, especially in real-time environments, is paramount. Even a low percentage of false positive detections or false preventions (i.e., packets that are dropped unnecessarily) renders a security product useless.

Radware’s behavioral server cracking protection accurately prevents application pre-attack probes such as application vulnerability scans and brute force attacks, and the resulting misuse of application server resources, all in real time. The behavioral protection relies on statistical algorithms that characterize the pattern of an ongoing attack and then filter that attack accordingly, without any human intervention. Thus, Radware’s DefensePro introduces a Network Intrusion Prevention System that was designed to fulfil all the aforementioned key capabilities.

To read more about Radware’s DefensePro, please refer to:


http://www.radware.com/content/document.asp?_v=about&document=7156
