Argus-2.0 Clients

Russell Fulton r.fulton at auckland.ac.nz
Thu Jul 20 22:25:32 EDT 2000


On Wed, 19 Jul 2000 08:24:07 -0400 Carter Bullard <carter at qosient.com> 
wrote:

> Hey Russell,
>    Thanks for the reply!!  Do you think that Argus
> has all the information you need, or have you run into
> situations where you really needed something more?

Firstly, I don't consider myself to be an expert in this area.  
Basically all I have done is write some scripts that do some fairly 
obvious things.  I think David, Neil and Peter all know more about 
the low level mechanics of what attackers are doing than I do so I 
would be very interested in their opinions of this matter.

What I will do over the next week or so is install the latest nmap and 
capture samples of the various scans and tcp fingerprinting packets.

The fingerprinting packets change as new systems are added to the 
database.  The key feature of these packets is that tcp does not define 
what should be done with them so different systems respond differently.

> 
>    I know that you focus on security quite a bit
> and Argus has a number of security features that are
> underused, because again, we haven't supplied clients
> to "show off" the feature.  One in particular is
> TCP takeover detection and/or spoofing.  Argus already
> provides base sequence numbers in each TCP connection
> attempt, when it runs in detail mode.  We did this,
> because TCP base sequence number prediction is a
> serious problem, and a machine's susceptibility to this
> type of attack is easily detected by a simple scan
> of these records.  I'm moving the data into non-detail
> TCP Argus records so that we can do this type of scan
> routinely.  The client that will do the scan will be
> in Argus-2.0.

That sounds great!  I am aware of the issues with spoofing and tcp 
splicing.  I was also at least vaguely aware that argus could detect 
such activity but had never pursued it.  My experience is that we are 
mostly attacked with blunt instruments not scalpels.  That said, if we 
can easily detect such activity we should certainly keep an eye out for 
it.

I am about to install a new box with lots of memory, disk and a 
fast cpu to store and process argus data that means that I can afford 
to look for much wider variety of things.

> 
>    Another example where we can improve Argus's strength
> in security would be in the area of TCP flow control
> activity reporting.  TCP flow control can be used to
> mount very subtitle, and very effective DOS attacks. This
> I believe will emerge in the next year or two.  But,
> again, we don't have any clients that really emphasize
> Argus's ability to report TCP flow control activity.
> So I'd propose a client in Argus-2.0 that could analyze
> for anomalous TCP flow control behavior.

Our traffic is now all run through 'traffic shapers' some going via 
satellite and some going on terrestrial paths.  The traffic shaper 
fiddles with the window size to try and ensure fair share on heavily 
congested links.  So, in our case, I doubt whether this would be 
useful.

That, of course does not mean that it won't be useful in general.
Maybe, one day soon there will actually be enough fiber between NZ and 
US that we won't have to indulge in such nonsense.

Cheers, Russell.
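The "simple scan" of base sequence numbers that Carter describes above, as an added example that is not part of the original thread or of the Argus code: it groups constructed records of the form (host, connection start time, TCP base sequence number) per host, takes the successive 32-bit ISN differences, and flags hosts whose increments are nearly constant, i.e. whose next ISN is guessable. The record layout and the sample values are assumptions made for the example, not real Argus output.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample records in the spirit of Argus detail-mode TCP
# records: (host, connection start time in seconds, TCP base sequence
# number the host chose for its side of the connection).
# These values are invented for the example, not captured data.
SAMPLE_RECORDS = [
    # host A: ISN grows by a fixed step per connection -> predictable
    ("10.0.0.5", 100.0, 1000000),
    ("10.0.0.5", 101.0, 1064000),
    ("10.0.0.5", 102.0, 1128000),
    ("10.0.0.5", 103.0, 1192000),
    ("10.0.0.5", 104.0, 1256000),
    # host B: ISNs look random -> not trivially predictable
    ("10.0.0.9", 100.0, 2874321981),
    ("10.0.0.9", 101.0, 418827341),
    ("10.0.0.9", 102.0, 3391002117),
    ("10.0.0.9", 103.0, 1190077702),
    ("10.0.0.9", 104.0, 2200345611),
]


def isn_deltas_by_host(records):
    """Group records per host (ordered by time) and return the successive
    differences between base sequence numbers, modulo 2**32 so that a
    wrap of the 32-bit sequence space still yields the true increment."""
    by_host = defaultdict(list)
    for host, start, isn in records:
        by_host[host].append((start, isn))
    deltas = {}
    for host, seq in by_host.items():
        seq.sort()
        isns = [isn for _, isn in seq]
        deltas[host] = [(b - a) % (1 << 32) for a, b in zip(isns, isns[1:])]
    return deltas


def predictable_isn_hosts(records, max_rel_spread=0.05, min_samples=4):
    """Return {host: mean_increment} for hosts whose ISN increments are
    nearly constant (relative standard deviation <= max_rel_spread), so
    the next ISN can be guessed from earlier connections.  Hosts with
    fewer than min_samples deltas are skipped to avoid false positives."""
    flagged = {}
    for host, d in isn_deltas_by_host(records).items():
        if len(d) < min_samples:
            continue
        mean = sum(d) / len(d)
        spread = pstdev(d) / mean if mean else 0.0  # constant ISN also flagged
        if spread <= max_rel_spread:
            flagged[host] = int(mean)
    return flagged
```

Hosts that show up here should be treated as candidates for closer inspection (stack version, ISN generator configuration), since a few records cannot prove randomness, only its absence.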
