Method and apparatus for detecting and identifying security vulnerabilities in an open network computer communication system

US 5,892,903 A
Filed: 09/12/1996
Issued: 04/06/1999
Est. Priority Date: 09/12/1996
Status: Expired due to Term

First Claim

Patent Images

1. A system for detecting a security vulnerability in open network communications comprising:

an internet protocol (IP) spoofing attack generator for generating an IP spoofing attack on a target computer coupled to an open network to determine whether said target computer is vulnerable to an IP spoofing attack which emulates communication from another computer on said open network;

a service command message generator for generating a service command to be executed by a service coupled to a port on said target computer; and

said IP spoofing attack generator transmitting said service command to said target computer to generate a response in said target computer that provides a compromise indication without altering system operational parameters of said target computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method is disclosed for detecting security vulnerabilities in a computer network. The system includes an IP spoofing attack detector, a stealth port service map generator, a source port verifier, source routing verifier, an RPC service detector and a Socks configuration verifier. Each of these verifiers may be operated separately or as a group to detect security vulnerabilities on a network. Each verifier may be programmed to exhaustively test all ports of all computers on a network to detect susceptibility to IP spoofing attacks, access to services with little or no authorization checks or misconfigured routers or Socks servers. The detected vulnerabilities or the location of services having little or no authorization checks may be stored in a table for reference by a network administrator. The service map generated by the stealth service map generator may be used to identify all service ports on a network to facilitate the operation of the other verifiers which send service command messages to service ports to detect their accessibility. A graphic user interface (GUI) may be used to provide input and control by a user to the security verifiers and to present options and display information to the user.

756 Citations

41 Claims

1. A system for detecting a security vulnerability in open network communications comprising:
- an internet protocol (IP) spoofing attack generator for generating an IP spoofing attack on a target computer coupled to an open network to determine whether said target computer is vulnerable to an IP spoofing attack which emulates communication from another computer on said open network;
  
  a service command message generator for generating a service command to be executed by a service coupled to a port on said target computer; and
  
  said IP spoofing attack generator transmitting said service command to said target computer to generate a response in said target computer that provides a compromise indication without altering system operational parameters of said target computer.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein said generated service command is for one of an rsh and an rlogin service to determine whether authorization checks for said service exist.
  - 3. The system of claim 2, wherein said generated service command causes said target computer to generate an electronic mail message indicative that said target computer has been compromised.
  - 4. The system of claim 3, wherein said generated service command causes said target computer to initiate a Telnet session with a computer which logs said Telnet session to indicate said target computer has been compromised.
  - 5. The system of claim 1, further comprising:
    - a source/destination address generator which generates source and destination addresses for messages corresponding to an open network protocol used to communicate on said open network, said destination address corresponding to said target computer and said source address corresponding to said computer being emulated for said attack.
  - 6. The system of claim 5, wherein said source/destination address generator generates source and destination address combinations which are used by said IP spoofing attack generator to test vulnerability of each computer in said open network to an IP spoofing attack which emulates communication from each of said other computers on said open network.

7. A system for generating a service topology map for each computer on an open network without completing a communication connection with any computer on the open network comprising:
- a communication initiation message generator for generating communication initiation messages, said communication initiation messages being transmitted to ports on a computer on an open network; and
  
  a response message evaluator for determining from response messages received from said ports receiving said communication initiation messages whether services exist on said ports receiving said communication initiation messages, said response messages not completing communication connections with said ports so that services coupled to said ports may be detected without completing communication connection with said ports.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system of claim 7, further comprising:
    - a table for storing service indicators indicative of which ports responding to said communication initiation messages are coupled to services.
  - 9. The system of claim 8, wherein said communication initiation message generator generates a communication initiation message for each port address on a computer on said open network.
  - 10. The system of claim 9, wherein a source/destination address generator generates a destination address for each computer on an open network so that each port on each computer on said open network receives a communication initiation message and said table contains service indicators for each port of each computer on said open network which responds to said communication initiation messages.
  - 11. The system of claim 7, wherein said communication initiation message generator generates sync messages for a TCP/IP protocol.
  - 12. The system of claim 11, wherein said response message evaluator determines a service is coupled to a port receiving a communication initiation message in response to detecting a sync/ack message.
  - 13. The system of claim 7, wherein said communication initiation message is the first message for a three handshake protocol to establish a communication connection.

14. A system for detecting vulnerability of ports coupled to remote procedure call (RPC) services on a computer of an open network comprising:
- a remote procedure call (RPC) message generator for generating and sending RPC service commands to ports on a computer on an open network; and
  
  a response message evaluator for evaluating response messages from said ports of said computer receiving said RPC service commands, said response messages indicating whether said RPC service commands were executed by an RPC service coupled to said ports of said computer receiving said RPC service commands without establishing a communication connection with said ports.
- View Dependent Claims (15)
- - 15. The system of claim 14, further comprising:
    - a table for storing port addresses and service indicators that indicate which particular RPC services are coupled to ports receiving said service commands.

16. A system for detecting vulnerabilities in routers comprising:
- a communication message generator for generating and sending service commands from a computer external to an open network to ports on computers coupled to said open network through a router; and
  
  a response message evaluator for evaluating response messages received from said ports on computers of said open network in response to said service commands sent from said communication message generator external to said open network whereby access to said computers on said open network through said router may be determined without referencing configuration files of said router.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 17. The system of claim 16, wherein said communication message generator includes a source routing verifier for generating source routed messages with a destination address of a computer on said open network and an intermediate source address on said open network;
    - andsaid response message evaluator evaluating response messages received from said ports on computers of said open network in response to said service commands sent from said communication message generator external to said open network to detect a vulnerability in said router of permitting source routed messages to bypass rules configured for filtering inbound messages on said router.
  - 18. The system of claim 17, wherein each source address for each computer on said open network is used as said intermediate source address with each destination address for each computer on said open network to test each possible intermediate source/destination address combination for source routed messages on said open network.
  - 19. The system of claim 18, further comprising:
    - a table for storing indicators for each intermediate source address/destination address combination that is detected as being vulnerable to receiving source routed messages.
  - 20. The system of claim 16, wherein said communication message generator includes a source porting verifier for generating service command messages with a source port address having a predetermined value;
    - andsaid response message evaluator evaluating response messages received from said ports on computers of said open network in response to said service command messages having said predetermined source port address values sent from said source porting verifier external to said open network to detect said router passing messages having said predetermined source port address values to ports coupled to services on said open network.
  - 21. The system of claim 20, wherein service command messages having said predetermined source port address value are sent to each computer on said open network.
  - 22. The system of claim 21, further comprising:
    - a table for storing service indicators for each computer address that is detected as being vulnerable to receiving source ported messages.
  - 23. The system of claim 22, wherein said predetermined value corresponds to a default source port address for a file transfer protocol (FTP) message of a TCP/IP protocol.
  - 24. The system of claim 16, further comprising:
    - a Socks configuration verifier for establishing a communication connection with a Socks server and for sending service command messages to computers on said open network coupled to said Socks server; and
      
      said response message evaluator evaluating said messages received in response to said service command messages to determine whether said service command message was passed by said Socks server to one of said computers on said open network.
  - 25. The system of claim 24 said response message evaluator determining whether said service command message was executed by said one computer on said open network.
  - 26. The system of claim 25 said response message evaluator storing service indicators indicative of said services which executed said service command messages received at said port addresses.

27. A method for detecting a security vulnerability in an open network comprised of the steps of:
- attempting an Internet Protocol (IP) spoofing attack against a target computer and open network;
  
  generating a service command message; and
  
  sending said service command message to said target computer following said IP spoofing attack to determine whether said target computer has been compromised, said service command message generating an indicator of the success of the IP spoofing attack without altering the operational parameters of the target computer.
- View Dependent Claims (28, 29, 30, 31)
- - 28. The method of claim 27, wherein said generating service command message step generates one of an rsh and rlogin command.
  - 29. The method of claim 28, wherein said generating step:
    - generates an electronic mail message indicative of the success of the IP spoofing attack in response to said service command message.
  - 30. The method of claim 27, further comprising the step of:
    - initiating a Telnet session between said target computer and another computer to indicate the success of said IP spoofing attack in response to said service command message.
  - 31. The method of claim 27, further comprising the steps of:
    - generating source addresses and destination addresses for said IP spoofing attack; and
      
      attempting said IP spoofing attack against each said generated destination address by emulating communication from each of said source addresses.

32. A method for generating a service topology map of an open network comprising the steps of:
- generating a communication command initiation message;
  
  sending said communication command initiation message to a port on a computer on an open network;
  
  receiving a message from said port in response to said communication initiation message being received at said port; and
  
  evaluating said message received from said port to determine whether a service is coupled to said port without establishing a communication connection with said port.
- View Dependent Claims (33)
- - 33. The method of claim 32, further comprising the step of:
    - storing a service indicator to provide a reference that said port has a service coupled thereto which may be accessed from another computer.

34. A method for detecting availability of a service on a port of a computer on an open network comprising the steps of:
- generating a service command message;
  
  sending said generated service command message to a port of a computer on said open network;
  
  receiving a message from said port in response to said port receiving said generated service command message; and
  
  evaluating said message received from said port to determine whether a service coupled to said port executed said service command message, without establishing a communication connection with said ports.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41)
- - 35. The method of claim 34, further comprising the step of:
    - storing a service indicator indicative that said service coupled to said port executed said service command message.
  - 36. The method of claim 35, wherein said generating step generates service command messages for different services;
    - andsaid evaluating step determines the type of service coupled to said port which executed said service command message.
  - 37. The method of claim 36, wherein said generating step generates said service command messages for each port of a computer of said open network.
  - 38. The method of claim 34, further comprising the steps of:
    - establishing a communication connection with a Socks server;
      
      requesting said Socks server establish a communication connection with a computer on said open network; and
      
      said evaluating step determining whether said Socks server is configured to stop said service command message from being sent to said port of said computer of said open network.
  - 39. The method of claim 34, wherein said generating step generates remote procedure call (RPC) service command messages.
  - 40. The method of claim 34, wherein said generating step generates service command messages having predetermined source port addresses.
  - 41. The method of claim 34, wherein said generating step generates source routed service command messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Internet Security Systems Incorporated (International Business Machines Corporation)
Inventors
Klaus, Christopher W.
Primary Examiner(s)
Decady, Albert
Assistant Examiner(s)
BADERMAN, SCOTT T

Application Number

US08/710,162
Time in Patent Office

936 Days
Field of Search

395/187.01, 395/186, 395/188.01, 395/200.59, 395/200.57, 395/183.04, 395/200.67, 395/200.68
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

H04L 63/1466   Active attacks involving in...

Method and apparatus for detecting and identifying security vulnerabilities in an open network computer communication system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

756 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting and identifying security vulnerabilities in an open network computer communication system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

756 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links