Order (or just read more about) Network Intrusion Detection (2d edition) from Amazon.com
This is NOT a general security book. It is very specifically what the title says it is: a book about detecting network activity.
The authors write in an easy to read, conversational style. Everything is explained extremely well, unlike so many technical books which presume prior knowledge. Sometimes that can be a little maddening- for example, they devote two entire pages to explaining how a logical AND is used to extract bit fields. I can't imagine anyone actually interested in this subject who wouldn't already understand that, but I suppose it is better to have too much explanation rather than too little. This is the first place I've seen a lucid explanation of the infamous "Mitnick" attack- most references assume that you will instantly comprehend the weakness of predictable sequence numbers. This book completely explains the exploit from start to finish. Smurf, Ping of Death, and Teardrop attacks are also completely explained.
The text includes numerous tcpdump examples which are fully commented and explained. Whenever some part of the dump is particularly important, that part is shown in bold. You can learn quite a bit about just tcpdump alone from these examples.
As I was reading this, I was again reminded that the security weaknesses that have caused so much trouble are all due to bad code and/or just plain dumb design. For example, many real attacks have used spoofed IP addresses. Why should a router pass a packet that cannot have legitimately originated on the interface it came in on? It shouldn't. Why should network stacks accept packets with bits set that shouldn't be set? They shouldn't. Why should code assume that unimplemented bits will be zero? It shouldn't. The authors are certainly aware of these issues, and even devote some editorializing to such things. It's therefore rather amazing that they give code examples to detect attacks where the detect is badly coded- testing a bit field with an XOR rather than masking with AND, for example. The authors note the problem- I'm just surprised that such code was even used as an example- that might be of value for illustrative purposes (don't make THIS mistake), but that's not how it was presented.
However, this is a very worthwhile read. I think I would have organized the chapters differently - you might like to start at chapter 9 and then pickup 1 through 8 after you finish the book - but I read it through twice cover to cover and I'm quite sure I'll be thumbing through it again.
Got something to add? Send me email.
More Articles by Tony Lawrence © 2011-03-08 Tony Lawrence
Anyone who puts a small gloss on a fundamental technology, calls it proprietary, and then tries to keep others from building on it, is a thief. (Tim O'Reilly)