Question

Considering the TCP ACK Scan that we have seen in class, write a signature for an Intrusion Detection System (IDS) that is able to catch it.

Answer 1

TCP ACK Scan:

• TCP ACK scan used for specific kinds of attacks, such as the TCP SYN flood( " It is a part of the Distributed Denial of Service attack that exploits part of the normal TCP three-way handshaking process") .
• TCP stand for Transmission control protocol.
• It is part of the Computer network.
• TCP is used for  “three-way handshake” to connect two devices.
• First, the client requests a connection by sending a synchronize message to the server.
• Then server respond with server acknowledges by sending a synchronize-acknowledge message back.
• Finally, the client responds with an acknowledge message, and the connection will be complete.
• 
• As a result, the ports stay open while they wait for the synchronize-acknowledge message to be received, during this time the attacker sends more synchronize messages, the server’s connection overflow, and the result of this that the system will crash.

Intrusion Detection System (IDS):

• It is a kind of tool or software that works with our network to keep it secure when somebody is trying to break into our system.
• It is used to monitors a network for malicious activity or policy violations.
• Some IDS’s are capable of responding to detected intrusion upon discovery.

Signature for an Intrusion Detection System (IDS):

• Signature of an Intrusion detection system are used to detecting intrusion.
• Basically, a signature is a rule that examines a packet or series of packets for certain contents, such as matches on packet header or data payload information.
• Signature of an Intrusion detection system uses a signature database to trigger intrusion alarms.
• Signature of an Intrusion detection system is a completely new attack type may not be picked up at all by signature-based IDS because the signature doesn’t exist in the database.
• It is impossible to analyze each connection and check it against the database.
• The sensor platform monitors the network and the director platform provides a single GUI management interface for the end user.
• Signature of an Intrusion detection system searching for a specify “signature,” patterns, or identity, of an specific intrusion event.
• Signature of an Intrusion detection system are implementated by two way:

1. Context implementation: Context signatures examine only the packet header information like IP address ,IP protocol etc
2. Content Implementation: Content signatures look inside the packet headers.