TCPDump and WinDump (transcription)
TCPDump and WinDump, Section 2 of SWE5900
This material is intended for students of this course only. No further reproduction or distribution is authorized.
Network Security 1-1

Slide 1-2: TCPDump
- UNIX tool that collects network data and displays it in a specified format.
- It may be run "live" on a specified interface, but only if authorized.
- It may read data from a file that has previously been saved using TCPDump.
- It offers a number of filtering capabilities.
- Must be downloaded with libpcap or the Windows equivalent. (Do this by next class!)

Slide 1-3: Man Page
If not on a UNIX system, go to http://www.rt.com/man/tcpdump.1.html

NAME
    tcpdump - dump traffic on a network
SYNOPSIS
    tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ]
            [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ]
DESCRIPTION
    Tcpdump prints out the headers of packets on a network interface that match the boolean expression.

Slide 1-4: TCPDump Traffic Capture
(screen capture)

Slide 1-5: Type of Service Field
- Bits 0-2: Precedence.
- Bit 3: 0 = Normal Delay, 1 = Low Delay.
- Bit 4: 0 = Normal Throughput, 1 = High Throughput.
- Bit 5: 0 = Normal Reliability, 1 = High Reliability.
- Bits 6-7: Reserved for Future Use.

   0     1     2     3     4     5     6     7
+-----+-----+-----+-----+-----+-----+-----+-----+
|                 |     |     |     |     |     |
|   PRECEDENCE    |  D  |  T  |  R  |  0  |  0  |
|                 |     |     |     |     |     |
+-----+-----+-----+-----+-----+-----+-----+-----+

Slide 1-6: TCPDump Traffic Capture (cont.)
00:28:24.573542 blackwidow.se.fit.edu.ssh > 163.118.231.25.3197: P 536784:536912(128) ack 7073 win 19872 (DF) [tos 0x10]

- 00:28:24.573542: time the packet was received.
- blackwidow.se.fit.edu.ssh: source host and port. In this case the port is SSH, or 22.
- >: direction of the traffic.
- 163.118.231.25.3197: destination IP and port.
- P: flag set, in this case P for push. Pushes data from the sending host to the receiving host.
- 536784:536912: beginning and ending sequence numbers. These are used to order the data that is received.
- (128): bytes of data in the packet.
- ack 7073: TCP flag; ACK represents the acknowledgement of data received. 7073 is the acknowledgement number.
- win 19872: the window size. This means that the client has a window size, or incoming buffer, of 19872 bytes.
- (DF): don't fragment. This flag is used if and when the size of the datagram to be sent exceeds the maximum amount allowed by the route.
- [tos 0x10]: type of service. In this case it is 0x10, which stands for minimize delay.

Slide 1-7: IP datagram format
(figure: the 32-bit-wide IPv4 header layout; only the field labels survive the transcription)
- ver: IP protocol version number
- head. len: header length (bytes)
- type of service: "type" of data
- length: total datagram length (bytes)
- 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
- time to live: max number of remaining hops (decremented at each router)
- upper layer: upper layer protocol to deliver payload to
- Internet checksum
- 32 bit source IP address
- 32 bit destination IP address
- Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
- data (variable length, typically a TCP or UDP segment)

Slide 1-8: TCP segment structure
(figure: the 32-bit-wide TCP header layout; only the field labels survive the transcription)
- source port #, dest port #
- sequence number, acknowledgement number: counting by bytes of data (not segments!)
- head len, not used, flag bits U A P R S F:
  - URG: urgent data (generally not used)
  - ACK: ACK # valid
  - PSH: push data now (generally not used)
  - RST, SYN, FIN: connection estab (setup, teardown commands)
- Receive window: # bytes rcvr willing to accept
- checksum: Internet checksum (as in UDP)
- Urg data pnter
- Options (variable length)
- application data (variable length)

Slide 1-9: WELL KNOWN PORT NUMBERS
The Well Known Ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users.
Ports are used in the TCP [RFC793] to name the ends of logical connections which carry long term conversations. For the purpose of providing services to unknown callers, a service contact port is defined.
This list specifies the port used by the server process as its contact port. The contact port is sometimes called the "well-known port". To the extent possible, these same port assignments are used with the UDP [RFC768]. The range for assigned ports managed by the IANA is 0-1023.

Slide 1-10: Port Examples
chargen    19/tcp    Character Generator
chargen    19/udp    Character Generator
ftp-data   20/tcp    File Transfer [Default Data]
ftp-data   20/udp    File Transfer [Default Data]
ftp        21/tcp    File Transfer [Control]
ftp        21/udp    File Transfer [Control]
ssh        22/tcp    SSH Remote Login Protocol
ssh        22/udp    SSH Remote Login Protocol
telnet     23/tcp    Telnet
telnet     23/udp    Telnet
           24/tcp    any private mail system
           24/udp    any private mail system
smtp       25/tcp    Simple Mail Transfer
smtp       25/udp    Simple Mail Transfer
           26/tcp    Unassigned
           26/udp    Unassigned

Slide 1-11: Absolute and Relative Seq Nos
Consider the following:
client.com.38060 > telnet.com.telnet: S 3774957990:3774957990(0) win 8760 <mss 1460> (DF)
telnet.com.telnet > client.com.38060: S 2009600000:2009600000(0) ack 3774957991 win 1024 <mss 1460>
client.com.38060 > telnet.com.telnet: . ack 1 win 8760 (DF)
client.com.38060 > telnet.com.telnet: P 1:28(27) ack 1 win 8760 (DF)
Note the use of relative sequence numbers beginning with the 3rd packet.

Slide 1-12: Ethereal Traffic Capture
(screen capture)

Slide 1-13: Ethereal Traffic Capture
(screen capture)

Slide 1-14: TCP 3-way Handshake
tclient.net.39904 > telnet.com.23: S 733381829:733381829(0) win 8760 <mss 1460> (DF)
telnet.com.23 > tclient.net.39904: S 1192930639:1192930639(0) ack 733381830 win 1024 <mss 1460> (DF)
tclient.net.39904 > telnet.com.23: . ack 1 win 8760 (DF)

Slide 1-15: TCP Takedown
tclient.net.39904 > telnet.com.23: F 14:14(0) ack 186 win 8760 (DF)
telnet.com.23 > tclient.net.39904: . ack 15 win 1024 (DF)
The server next initiates a FIN and the client acks to finally close the connection.
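The lines dissected on the capture, handshake and takedown slides above all follow one fixed layout, so the analysis can be scripted. The Python program below is an added example, not part of the course slides: it parses old-style tcpdump TCP lines, decodes the Type of Service byte, converts an absolute sequence or acknowledgement number to tcpdump's relative form, and tracks each conversation to answer the rudimentary-analysis questions (handshake completed? data transmitted? who closed or reset?) and to count half-open connections per destination, which is the SYN-flood observation. The trace it runs on is constructed: the slide lines, plus a constructed 13-byte data segment in the telnet session and two constructed half-open connections to a host named victim.example (an assumed name, not from the slides).

```python
import re
from collections import defaultdict

# Constructed sample trace in the old-style tcpdump TCP format used on the slides.
# Line 1 is the SSH packet dissected on the "Traffic Capture" slide; the telnet lines are the
# handshake and takedown from the slides with a constructed 13-byte data segment between them;
# the last four lines are constructed half-open connections towards a host called victim.example.
SAMPLE = """\
00:28:24.573542 blackwidow.se.fit.edu.ssh > 163.118.231.25.3197: P 536784:536912(128) ack 7073 win 19872 (DF) [tos 0x10]
00:28:25.000001 tclient.net.39904 > telnet.com.23: S 733381829:733381829(0) win 8760 <mss 1460> (DF)
00:28:25.000002 telnet.com.23 > tclient.net.39904: S 1192930639:1192930639(0) ack 733381830 win 1024 <mss 1460> (DF)
00:28:25.000003 tclient.net.39904 > telnet.com.23: . ack 1 win 8760 (DF)
00:28:25.000004 tclient.net.39904 > telnet.com.23: P 1:14(13) ack 1 win 8760 (DF)
00:28:25.000005 tclient.net.39904 > telnet.com.23: F 14:14(0) ack 186 win 8760 (DF)
00:28:25.000006 telnet.com.23 > tclient.net.39904: . ack 15 win 1024 (DF)
00:29:00.000001 10.0.0.7.40001 > victim.example.80: S 1000:1000(0) win 512
00:29:00.000002 victim.example.80 > 10.0.0.7.40001: S 5000:5000(0) ack 1001 win 1024
00:29:00.000003 10.0.0.8.40002 > victim.example.80: S 2000:2000(0) win 512
00:29:00.000004 victim.example.80 > 10.0.0.8.40002: S 6000:6000(0) ack 2001 win 1024
"""

# ts src.sport > dst.dport: FLAGS [seq:end(len)] [ack N] [win N] rest
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SFPRU.]+)"
    r"(?:\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
    r"(?P<rest>.*)$"
)


def parse_line(line):
    """Split one tcpdump TCP line into its fields (None if the line is not in this format)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("seq", "end", "len", "ack", "win"):
        d[k] = int(d[k]) if d[k] is not None else None
    d["df"] = "(DF)" in d["rest"]
    tos = re.search(r"\[tos 0x([0-9a-fA-F]+)\]", d["rest"])
    d["tos"] = int(tos.group(1), 16) if tos else None
    return d


def decode_tos(tos):
    """Split the Type of Service byte as laid out on the slide: bits 0-2 precedence, bit 3 D, bit 4 T, bit 5 R."""
    return {"precedence": tos >> 5, "low_delay": bool(tos & 0x10),
            "high_throughput": bool(tos & 0x08), "high_reliability": bool(tos & 0x04)}


def to_relative(absolute, isn):
    """tcpdump's relative numbering: subtract the initial sequence number (so ack 733381830 prints as ack 1)."""
    return (absolute - isn) & 0xFFFFFFFF


def analyze(text):
    """Track every TCP conversation in the trace: was the handshake completed, how many data bytes
    went each way, who sent FIN, who sent RST."""
    conns = {}
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        c = conns.setdefault(tuple(sorted((a, b))), {
            "initiator": None, "responder": None, "isn": {}, "synack_rel_ack": None,
            "synack_seen": False, "handshake_complete": False,
            "bytes": defaultdict(int), "closed_by": [], "reset_by": None})
        f = p["flags"]
        if "S" in f and p["ack"] is None:            # opening SYN: a is the initiator
            c["initiator"], c["responder"] = a, b
            c["isn"][a] = p["seq"]
        elif "S" in f:                                # SYN/ACK from the responder
            c["isn"][a] = p["seq"]
            c["synack_seen"] = True
            if b in c["isn"]:                         # what tcpdump will print as "ack 1"
                c["synack_rel_ack"] = to_relative(p["ack"], c["isn"][b])
        elif c["synack_seen"] and a == c["initiator"] and "R" not in f:
            c["handshake_complete"] = True            # third packet of the handshake
        if p["len"]:
            c["bytes"][a] += p["len"]
        if "F" in f:
            c["closed_by"].append(a)
        if "R" in f and c["reset_by"] is None:
            c["reset_by"] = a
    return conns


def syn_flood_indicator(conns):
    """Per destination host, the number of conversations that opened with a SYN but never completed
    the handshake: the 'unusually large number of SYNs at a single destination' observation."""
    half_open = defaultdict(int)
    for c in conns.values():
        if c["initiator"] is not None and not c["handshake_complete"]:
            half_open[c["responder"][0]] += 1
    return dict(half_open)


if __name__ == "__main__":
    conns = analyze(SAMPLE)
    for key, c in conns.items():
        print(key, "handshake:", c["handshake_complete"], "bytes:", dict(c["bytes"]),
              "closed by:", c["closed_by"], "reset by:", c["reset_by"])
    print("half-open per destination:", syn_flood_indicator(conns))
```

The SSH packet on the first line is seen mid-stream, so no SYN is ever recorded for it and it is not counted as half-open; only conversations whose opening SYN appears in the trace contribute to the per-destination count.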
The abrupt version uses a reset:
tclient.net.39904 > telnet.com.23: R 28:28(0) ack 1 win 8760 (DF)

Slide 1-16: Rudimentary Analysis
- Was the three-way handshake completed between two hosts?
- Were data transmitted?
- Who began and/or ended the connection?
- Recall the SYN Flood (Neptune) attack.

Slide 1-17: SYN Flood (Neptune)
- Leverages the TCP 3-way handshake.
- Attacker sends an opening "SYN".
- Target responds with "SYN/ACK" and builds a record in a data structure to hold connection information.
- The attack consists of many SYN packets being sent from unreachable (nonexistent) sources so that the handshake is never completed and the data structure overflows.

Slide 1-18: Observations
- No sure way to filter at the single-packet level.
- Characteristics:
  - Unusually large number of TCP SYNs directed at a single destination address
  - Unusually large number of destination unreachable responses to SYN/ACKs
  - Unusual source address patterns

Slide 1-19: Ack Scan (page 39 of NID)
- Attacker sends a lone ack to probe specific ports.
- Live hosts respond with a reset to the unexpected ack.
- May be used by a hacker to determine the location of live hosts.
- Note that a lone ack should normally be found only as:
  - the final transmission of the 3-way handshake
  - an acknowledgement of received data or data in progress
  - an acknowledgement of a received FIN
- Do you see evidence of any such normal use?

Slide 1-20: TCP Session Hijacking
- Objective is to intercept an established TCP session and capture (impersonate) one end of the connection.
- Nontrivial effort that must maintain:
  - IP number
  - Established port numbers
  - Proper sequence number increments
  - Proper ack increments.

Slide 1-21: Fragmentation
- Fragmentation allows an IPv4 datagram to cross a network that has an MTU smaller than the IP datagram.
- Recall that the MTU is the max payload of the link layer frame.
- Fragment ID
- Offset number (13 bits)
- Fragment Length
- More Fragments Flag

Slide 1-22: IP datagram format
(figure: the same IPv4 header layout as on the earlier IP datagram format slide: ver, head. len, type of service, length, 16-bit identifier, flgs, fragment offset, time to live, upper layer, Internet checksum, 32 bit source IP address, 32 bit destination IP address, Options (if any), data)

Slide 1-23: IP Fragmentation & Reassembly
- Network links have an MTU (max. transfer size), the largest possible link-level frame.
  - Different link types, different MTUs.
- A large IP datagram is divided ("fragmented") within the net:
  - one datagram becomes several datagrams
  - "reassembled" only at the final destination
  - IP header bits are used to identify and order related fragments
(figure: fragmentation, in: one large datagram, out: 3 smaller datagrams; reassembly)

Slide 1-24: IP Fragmentation and Reassembly
One large datagram becomes several smaller datagrams:

length=4000  ID=x  fragflag=0  offset=0

length=1500  ID=x  fragflag=1  offset=0
length=1500  ID=x  fragflag=1  offset=1480  ("185", the offset in 8-byte units)
length=1040  ID=x  fragflag=0  offset=2960  ("370", the offset in 8-byte units)

Slide 1-25: View Fragmentation: TCPDUMP
Ping.com > myhost.com: icmp: echo request (frag 21223:1480@0+)
Ping.com > myhost.com: (frag 21223:1480@1480+)
Ping.com > myhost.com: (frag 21223:1048@2960)
- The fragment length counts data with no IP header included; it does include the 8-byte ICMP header.
- The trailing "+" marks MF=1; the last fragment has MF=0.
- Shows fragmentation of an ICMP echo request (seen in the 1st fragment only) with packet ID = 21223 and length of the original IP packet equal to 1480+1480+1048 = 4008 bytes of data + 20 bytes of header.

Slide 1-26: Fragmentation & Packet Filtering Devices
- If the filtering device is set to reject ICMP echo requests, it will reject the first fragment.
- There is no ICMP header info in the following fragments.
- Many devices do not maintain "state" and so will not know that any fragments with ID=21223 (same source/dest) should also be rejected.
- The same thing may occur with TCP or UDP packets.
- Note: recall that if one fragment does not arrive at the destination, all are resent.

Slide 1-27: Don't Fragment Flag (DF)
- Appears as (DF) in TCPDUMP output.
- If a packet with this flag set reaches a router that needs to fragment, the router discards the packet and returns an "ICMP unreachable - need to frag" error message to the sending host.
- Sometimes used by hosts to discover the "path MTU" and avoid fragmentation.
- Can be used maliciously.

Slide 1-28: Ping O' Death
- An ICMP Echo request is sent with an illegally long payload (greater than 64k bytes).
- Older attack that could cause operating systems to lock or reboot.
- Similar in effect to the LAND attack.
- Observation: Look closely at any ICMP packet that has been fragmented.

Slide 1-29: Analysis
Mal.com.139 > target.net.139: udp 28 (frag 242:36@0+)
Mal.com.139 > target.net.139: (frag 242:4@24)
Notice 36 data bytes in the first fragment beginning at 0. Next are 4 bytes beginning at 24. This illegal overlap is known as the Teardrop attack.

Slide 1-30: Teardrop
- IPv4 packets support fragmentation, but fragments are not permitted to overlap.
- In this attack packets are created with an illegal overlap of fragments.
- Older operating systems may crash upon receipt of such fragments.
- Observation: Can check all arriving packets for illegal fragmentation. Requires that some state be maintained (previous termination point for this src, dest, ID).

Slide 1-31: Internet Control Message Protocol - ICMP

Slide 1-32: RFC 792
Occasionally a gateway or destination host will communicate with a source host, for example, to report an error in datagram processing. For such purposes this protocol, the Internet Control Message Protocol (ICMP), is used.
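The overlap check the Teardrop slide asks for, and the size check behind Ping O' Death, both need per-datagram state keyed by source, destination and IP ID. The Python below is an added example, not part of the slides: it parses tcpdump's (frag ID:len@offset+) notation, keeps that state, flags overlapping fragments, fragments that would reassemble past 65535 bytes, and the same non-zero-offset fragment arriving repeatedly (the Jolt2 pattern shown later in the deck), and computes the reassembled datagram size (data plus a 20-byte header, as on the echo-request slide) once all fragments are present. The sample traces are the slides' own lines; the Jolt2 line is repeated three times as that slide's "..." implies.

```python
import re
from collections import defaultdict

MAX_DATAGRAM = 65535   # largest IPv4 datagram (16-bit total length field)
IP_HEADER = 20         # header size assumed when adding up a reassembled datagram

# tcpdump's fragment notation: (frag ID:len@offset[+]) where "+" means More Fragments is set
FRAG_RE = re.compile(
    r"^(?P<src>\S+?)\s*>\s*(?P<dst>\S+?):.*\(frag\s+(?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<mf>\+?)\)")


def parse_frag(line):
    """Fields of one fragment line, or None if the line carries no (frag ...) marker."""
    m = FRAG_RE.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "id": int(m["id"]),
            "len": int(m["len"]), "off": int(m["off"]), "mf": m["mf"] == "+"}


def check_fragments(lines):
    """Apply the slides' fragment checks to a trace. State is kept per (src, dst, ID), the state a
    stateless filter lacks. Returns (findings, groups): findings is a list of (kind, key, detail) with
    kind in {"overlap", "oversize", "duplicate"}; groups maps each key to its [(offset, length, mf)]."""
    groups = defaultdict(list)
    findings = []
    for line in lines:
        f = parse_frag(line)
        if f is None:
            continue
        key = (f["src"], f["dst"], f["id"])
        end = f["off"] + f["len"]
        # the same non-zero-offset fragment arriving again and again (the Jolt2 pattern)
        if f["off"] != 0 and (f["off"], f["len"], f["mf"]) in groups[key]:
            findings.append(("duplicate", key, f"{f['len']}@{f['off']} repeated"))
        # data that overlaps a fragment already received for this datagram (the Teardrop pattern)
        for off, ln, _ in groups[key]:
            if f["off"] < off + ln and off < end and (f["off"], f["len"]) != (off, ln):
                findings.append(("overlap", key, f"{f['len']}@{f['off']} overlaps {ln}@{off}"))
                break
        # a fragment that would push the reassembled datagram past 65535 bytes (the Ping O' Death pattern)
        if end + IP_HEADER > MAX_DATAGRAM:
            findings.append(("oversize", key, f"reassembles to {end + IP_HEADER} bytes"))
        groups[key].append((f["off"], f["len"], f["mf"]))
    return findings, dict(groups)


def reassembled_size(frags):
    """Size of the reassembled IP datagram (data plus a 20-byte header) once every fragment is present;
    None while a gap remains or the final (MF=0) fragment has not arrived."""
    frags = sorted(frags)
    expected = 0
    for off, ln, _ in frags:
        if off != expected:
            return None
        expected = off + ln
    if not frags or frags[-1][2]:
        return None
    return expected + IP_HEADER


# Traces taken from the slides (echo request, teardrop, jolt2); the jolt2 line is repeated as its slide implies.
ECHO = ["Ping.com > myhost.com: icmp: echo request (frag 21223:1480@0+)",
        "Ping.com > myhost.com: (frag 21223:1480@1480+)",
        "Ping.com > myhost.com: (frag 21223:1048@2960)"]
TEARDROP = ["Mal.com.139 > target.net.139: udp 28 (frag 242:36@0+)",
            "Mal.com.139 > target.net.139: (frag 242:4@24)"]
JOLT2 = ["verbo.com>win98.com: (frag 1109:9@65520)"] * 3

if __name__ == "__main__":
    for name, trace in (("echo", ECHO), ("teardrop", TEARDROP), ("jolt2", JOLT2)):
        findings, groups = check_fragments(trace)
        print(name, findings, {k: reassembled_size(v) for k, v in groups.items()})
```

The Jolt2 fragment (9 bytes at offset 65520) trips the oversize check on its own, since 65520 + 9 + 20 exceeds 65535, and every repeat additionally trips the duplicate check; the echo-request trace passes cleanly and reassembles to 4008 + 20 bytes.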
ICMP uses the basic support of IP as if it were a higher level protocol; however, ICMP is actually an integral part of IP, and must be implemented by every IP module.

Slide 1-33: RFC 792 Continued
ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route.
The ICMP messages typically report errors in the processing of datagrams. To avoid the infinite regress of messages about messages etc., no ICMP messages are sent about ICMP messages. Also ICMP messages are only sent about errors in handling fragment zero of fragmented datagrams.

Slide 1-34: Typical ICMP Message Format
IP Header with Protocol Number = 1
8-bit type | 8-bit code | 16-bit checksum
Depending on the type, may include information such as the original IP header + 64 bits of original datagram data.

Slide 1-35: ICMP: Internet Control Message Protocol
- Used by hosts, routers, gateways to communicate network-level information
  - error reporting: unreachable host, network, port, protocol
  - echo request/reply (used by ping)
- Network-layer "above" IP: ICMP msgs carried in IP datagrams
- More at www.iana.org/assignments/icmp-parameters

Type  Code  Description
0     0     echo reply (ping)
3     0     dest. network unreachable
3     1     dest host unreachable
3     2     dest protocol unreachable
3     3     dest port unreachable
3     6     dest network unknown
3     7     dest host unknown
4     0     source quench (congestion control - not used)
8     0     echo request (ping)
9     0     route advertisement
10    0     router discovery
11    0     TTL expired
12    0     bad IP header

Note: ICMP is often used for "mapping."

Slide 1-36: Overview of Normal ICMP Msgs
- Host Unreachable:
  Router > sending.host: icmp: host target.host unreachable
- Port Unreachable:
  Target.host > sending.host: icmp: target.host udp port ntp unreachable (DF)
- Admin Prohibited:
  Router > sending.host: icmp: host target.host unreachable - admin prohibited
- Need to frag:
  Router > sending.host.net: icmp: target.host unreachable - need to frag (mtu 1500)
- Others...

Slide 1-37: Stealthy Trojan horse attempts to gather data on Web sites
October 22, 1999. Web posted at: 11:17 a.m. EDT (1517 GMT). By Sean M. Dugan.
(IDG) -- In a scenario not unlike a story line from a Tom Clancy novel, the Systems Administration Networking & Security (SANS) Institute is reporting what appears to be a widespread attempt to gather information on proxy servers and send that information to a Russian Web site. From...

Slide 1-38: RingZero Trojan (CNN online)
"On Oct. 7, SANS Institute members started to try to piece together what was happening. They found what appears to be a Trojan horse application, dubbed RingZero, which systematically searches out and probes proxy servers from an infected machine and sends that information to a central Web server. The RingZero Trojan horse, which gets its name from a component called Ring0.vxd first discovered at Vanderbilt University, appears to be divided into two distinct parts, both of which arrive on a system as compressed archives. One component, pst.exe, probes for proxy servers and has the proxy servers send port information and IP numbers to the Web site rusftpsearch.com.
The pst.exe component apparently scans ports 80, 8080 and 3128, and other 8000 series ports."

Slide 1-39: SMURF Attack
- Attacker spoofs its IP address to be that of the target.
- Sends an ICMP echo request to x.y.255.255.
- Potentially thousands of machines in the x.y destination network may respond with ICMP echo replies.
- Responses will all go to the spoofed address of the target.

Slide 1-40: Observations
- No way to observe the attack based on a single packet.
- Target may suddenly observe all bandwidth being consumed at its network interface.
- Network monitoring may observe an unusually large number of ICMP echo response packets (especially directed at one target).
- Some systems now block all ICMP packets or block all packets destined to a ...255 address.

Slide 1-42: Must Reading
Distributed Reflection Denial of Service: Description and analysis of a potent, increasingly prevalent, and worrisome Internet attack. By Steve Gibson of GRC.
http://www.grc.com/dos/drdos.htm

Slide 1-43: Distributed Denial of Service
At 2:00 AM, January 11th, 2002, the GRC.COM site was blasted off the Internet by a new (for us) distributed denial of service attack. Perhaps the most startling aspect of this attack was that the apparent source was hundreds of the Internet's "core routers", web servers belonging to yahoo.com, and even a machine with an IP resolving to "gary7.nsa.gov". We appeared to be under attack by hundreds of very powerful and well-connected machines. Once we determined how to block this attack and returned to the Internet, 1,072,519,399 blocked packets were counted before the attack ended.

Slide 1-44: Tribal Flood Network Attack
- Requires master and daemon hosts to be established.
- The master instructs daemons by sending commands in ICMP echo replies.
- The ICMP identification number field in the ICMP header of the ICMP echo reply is used to direct the daemons, with args provided in the ICMP data portion.
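The Smurf observation (many echo replies converging on one host) and the unreachable and time-exceeded messages on the normal-ICMP slide share one test: did the host that receives the message actually send anything that could have provoked it? The Python below is an added example, not part of the slides: it reads tcpdump lines, records which peers each host sent packets to, and then counts response-type ICMP messages (echo reply, unreachable, time exceeded) that arrive at hosts under a given prefix from peers they never contacted. Run on the "Analyze this" lines that appear later in the deck it reports the backscatter pattern discussed there; the Smurf trace is constructed, with victim.example, Router and the 10.x addresses as assumed names.

```python
import re
from collections import defaultdict

# "src > dst: rest" in tcpdump's host-oriented format; ICMP lines carry no port suffix
LINE_RE = re.compile(r"^(?P<src>\S+?)\s*>\s*(?P<dst>\S+?):\s+(?P<rest>.*)$")
# the original destination named inside an unreachable message, when tcpdump prints one
UNREACH_RE = re.compile(r"host\s+(\S+)\s+unreachable|(\S+)\s+(?:udp|tcp)\s+port\s+\S+\s+unreachable")
RESPONSE_KINDS = ("echo-reply", "time-exceeded", "unreachable")


def classify(rest):
    """Map the text after 'icmp:' to the message kinds the slides discuss."""
    msg = rest[len("icmp:"):].strip()
    if msg.startswith("echo reply"):
        return "echo-reply"
    if msg.startswith("echo request"):
        return "echo-request"
    if "time exceeded" in msg:
        return "time-exceeded"
    if "unreachable" in msg:
        return "unreachable"
    return "other"


def host_of(endpoint, is_icmp):
    """Strip the trailing .port that tcpdump appends to TCP and UDP endpoints (ICMP lines have none)."""
    return endpoint if is_icmp else endpoint.rsplit(".", 1)[0]


def solicited(kind, msg, sender, target, talked):
    """Did `target` send anything in this trace that could legitimately have produced this message?"""
    if kind == "echo-reply":                       # a reply is only expected from a host we pinged
        return sender in talked[target]
    if kind == "unreachable":                      # expected only if we sent something to the named destination
        m = UNREACH_RE.search(msg)
        original = next((g for g in m.groups() if g), None) if m else None
        return original in talked[target] if original else bool(talked[target])
    return bool(talked[target])                    # time exceeded: tcpdump's short form names no destination


def unsolicited_responses(lines, local_prefix):
    """Count response-type ICMP messages arriving at hosts under `local_prefix` from peers those hosts never
    contacted in the trace. Returns {target: {kind: count}}. Many echo replies converging on one target is
    the Smurf signature; many time-exceeded or unreachable messages for hosts that sent nothing is backscatter."""
    talked = defaultdict(set)                      # host -> every peer it sent a packet to
    inbound = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        is_icmp = m["rest"].startswith("icmp:")
        src, dst = host_of(m["src"], is_icmp), host_of(m["dst"], is_icmp)
        talked[src].add(dst)
        if is_icmp and dst.startswith(local_prefix):
            kind = classify(m["rest"])
            if kind in RESPONSE_KINDS:
                inbound.append((src, dst, kind, m["rest"]))
    report = defaultdict(lambda: defaultdict(int))
    for src, dst, kind, rest in inbound:           # judged after the whole trace, so arrival order does not matter
        if not solicited(kind, rest, src, dst, talked):
            report[dst][kind] += 1
    return {t: dict(k) for t, k in report.items()}


# Constructed trace: victim.example opens one TCP connection and pings one host (both answered legitimately),
# then receives echo replies from three hosts it never contacted.
SMURF_TRACE = [
    "victim.example.40000 > 10.8.8.8.80: S 1:1(0) win 512",
    "Router > victim.example: icmp: host 10.8.8.8 unreachable - admin prohibited",
    "victim.example > 10.9.9.9: icmp: echo request",
    "10.9.9.9 > victim.example: icmp: echo reply",
    "10.1.1.5 > victim.example: icmp: echo reply",
    "10.1.1.6 > victim.example: icmp: echo reply",
    "10.1.1.7 > victim.example: icmp: echo reply",
]
# The "Analyze this" lines from the slides: time-exceeded messages for a network that sent nothing.
BACKSCATTER_TRACE = [
    "Router.com>1.2.10.72: icmp: time exceeded in-transit",
    "Router.com>1.2.18.13: icmp: time exceeded in-transit",
    "Router.com>1.2.11.67: icmp: time exceeded in-transit",
    "Router.com>1.2.16.13: icmp: time exceeded in-transit",
]

if __name__ == "__main__":
    print(unsolicited_responses(SMURF_TRACE, "victim.example"))
    print(unsolicited_responses(BACKSCATTER_TRACE, "1.2."))
```

The admin-prohibited message in the constructed trace is judged legitimate because victim.example did send a SYN to the destination it names, which is exactly the distinction a single-packet view cannot make.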
Slide 1-45: WinFreeze Attack
Takes advantage of the ICMP redirect message, which informs a sending host that it has tried to use a non-optimal router and directs the adding of a more optimal router to the host's table.
Router > victim.com: icmp: redirect 243.148.16.61 to host victim.com
Router > victim.com: icmp: redirect 110.161.152.156 to host victim.com
Router > victim.com: icmp: redirect 245.211.87.115 to host victim.com
Router > victim.com: icmp: redirect 49.130.233.15 to host victim.com
...the host attacks itself.

Slide 1-46: Loki
- Prior to Loki, ICMP was used for DoS attacks and network mapping.
- Loki uses ICMP as a tunneling protocol for a covert channel.
- The Loki server must be installed in a compromised host.
- ICMP carries covert messages to the Loki server.
- More information at www.phrack.com issue 49 article 6.

Slide 1-47: Loki continued
- Loki uses ICMP echo-request and echo-reply for communication with the server.
- ICMP echo-request:
  - 20 bytes of IP header
  - 8 bytes of ICMP header
  - ...an arbitrary amount of data, usually timing information for use by ping. No checks!
- Loki creates the covert channel by tunneling information inside the data portions of ICMP echo-request and echo-reply packets.
- Can pass commands that the server can execute on the compromised system.
- Observation and prevention??

Slide 1-48: Why not block ICMP?
- You cannot then issue pings for your own diagnostic purposes.
- If you allow them outbound, then you are still vulnerable to echo-replies that are inbound.
- You cannot use the Windows trace route utility. (But UNIX uses UDP.)
- You don't get any of the info messages that routers attempt to send with ICMP.
- You can't use MTU discovery because you won't receive the "need to frag."

Slide 1-49: TCP Variants
- Destination host not listening on the port: the SYN is answered with a reset.
  Tel_client.com.38060 > myhost.com.telnet: S 3774957990:3774957990(0) win 8760 <mss 1460> (DF)
  Myhost.com.telnet > tel_client.com.38060: R 0:0(0) ack 3774957991 win 0
- Destination host does not exist:
  Router.com > tel_client.com: icmp: host myhost.com unreachable
- Destination port blocked:
  Router.com > tel_client.com: icmp: host myhost.com unreachable - admin prohibited filter
- Destination port blocked and the router does not respond: you will see multiple TCP connect requests until the max number of retries.

Slide 1-50: UDP Variants
- Destination host listening on the requested port:
  Nslookup.com.45070 > myhost.com.domain: 51007+ (31) (DF)
  Myhost.com.domain > nslookup.com.45070: 51007 1/0/0 (193) (DF)
- Destination host not listening:
  Myhost.com > nslookup.com: icmp: myhost.com udp port domain unreachable
- Note: one can send a UDP packet to a port x and receive "udp port x unreachable"; this is normal behavior. NMAP uses this to determine that a port is listening if it does NOT receive this response.

Slide 1-51: Active and Passive FTP
- TCP processes usually use two ports (client and server).
- FTP communicates using two different server ports.
- In Active FTP the server initiates a data connection to the user (in response to some FTP command from the client) from port 20.
  - Implies that firewalls must remain open to packets from any source IP/20.
- In Passive FTP the client initiates the data connection to the server.

Slide 1-52: Active FTP Example (text)
ftp.client.com.35955 > ftp.server.com.21: S 1884312222:1884312222(0)
ftp.server.com.21 > ftp.client.com.35955: S 3113925437:3113925437(0) ack 1884312223
ftp.client.com.35955 > ftp.server.com.21: . ack 1
ftp.server.com.21 > ftp.client.com.35955: P 1:24(23) ack 1
ftp.client.com.35955 > ftp.server.com.21: . ack 24
Dir command issued by the user, then:
ftp.server.com.20 > ftp.client.com.35956: S 3558632705:3558632705(0)
(the client has informed the server that it is listening on port 35956 using the PORT command)
ftp.client.com.35956 > ftp.server.com.20: S 1901007864:1901007864(0) ack 3558632706
ftp.server.com.20 > ftp.client.com.35956: . ack 1

Slide 1-53: Passive FTP Example
ftp.client.com.44890 > ftp.server2.com.21: S 4276284026:4276284026(0) win 8760 <mss 1380> DF
ftp.server2.com.21 > ftp.client.com.44890: S 1669630260:1669630260(0) ack 4276284027 win 8280 <mss 1460> DF
ftp.client.com.44890 > ftp.server2.com.21: . ack 1 win 9660 (DF)
Dir command issued by the user, and then:
ftp.client.com.44891 > ftp.server2.com.3967: S 4282611109:4282611109(0) win 8760 <mss 1380> DF
(ftp.server2.com has informed ftp.client.com that it is listening on port 3967)
ftp.server2.com.3967 > ftp.client.com.44891: S 1669768808:1669768808(0) ack 4282611110 win 8280 <mss 1460> DF
ftp.client.com.44891 > ftp.server2.com.3967: . ack 1 win 9660 (DF)

Slide 1-55: TraceRoute
- Traceroute (UNIX) or Tracert (Windows) is used to discover the path that a datagram takes from source to destination.
- Uses the TTL header and the responses to it.
- Illustrated here using NetScanPro from an FIT workstation to UCF.
- Note... UCF blocks ICMP echo responses.

Slides 1-57 and 1-58: TraceRoute output (table reconstructed from the flattened transcription; every hop that answered returned ICMP 11:0, Time Exceeded: Time To Live (TTL) Exceeded in Transit)

Hop  IP Address       Hostname                              Time (ms)
1    163.118.133.254  ?                                     4
2    163.118.143.254  ?                                     3
3    163.118.152.42   ?                                     3
4    209.114.211.97   open.airwire.net                      11
5    216.22.64.81     miamfllr1m6-ge-0-0-0-36.ip.epik.net   24
6    216.22.67.230    jcvlflnj2m6-so-4-0-0.ip.epik.net      29
7    216.22.67.254    atlngamq1m6-so-3-0-0.ip.epik.net      29
8    216.22.67.154    atlngamq2m6-so-6-0-0.ip.epik.net      36
9    205.198.2.149    ge3-13.as.sdatlga.aleron.net          33
10   205.198.2.73     ge6-0.ar.sdatlga.aleron.net           32
11   205.198.0.74     ge2-8.as.eqxashva.aleron.net          43
12   152.63.41.14     0.so-1-0-0.CL1.IAD8.ALTER.NET         47
13   152.63.41.14     0.so-1-0-0.CL1.IAD8.ALTER.NET         37
14   152.63.38.69     0.so-0-0-0.TL1.DCA6.ALTER.NET         42
15   152.63.38.62     0.so-3-0-0.TL1.ATL5.ALTER.NET         61
16   152.63.86.189    0.so-7-0-0.XL1.MIA4.ALTER.NET         82
17   152.63.84.129    0.so-6-0-0.GW8.MIA4.ALTER.NET         74
18   65.208.86.154    bs-mia-gw1.customer.alter.net         72
19   65.83.236.21     ixc01mco-5-1-1.bellsouth.net          76
20   65.83.237.49     axr01mia-0-0-0.bellsouth.net          81
21   205.152.237.21   ?                                     96
22-35  * * *  No packet received from this hop.

TraceRoute Statistics:
32 data bytes to www.ucf.edu [132.170.240.131]
Start Time: Wed, 07 Jan 2004 14:58:37
ANALYSIS: Target not reached. ICMP packets may be blocked along the route or Setup/Packet Timeout is too short.
35 packets transmitted, 21 packets received, 40% packet loss
round-trip (ms) min/avg/max = 3/43/96

Slide 1-59: Some of the Routers
- 163.118.133.254 is the LAN router at FIT.
- 163.118.152.42: campus edge router
- 209.114.211.97: airwire.net
- 216.22.67.154: epik.net
- 205.198.0.74: aleron.com
- 152.63.84.129: uunet (MCI Worldcom)
- 65.83.237.49: BellSouth.net
- 205.152.237.21: BellSouth.net. Blocked?

Slide 1-60: Moral of the story
- RFCs describe how TCP/IP is supposed to work. Available at www.ietf.org
- Hackers know that different TCP/IP implementations react differently to protocol violations.
- Hackers can also use normal responses to find out which ports are listening (services are available to exploit).

Slide 1-61: From RFC 793: TCP/IP Review
Principal state diagram: Figure 6. Then...
Reset Generation
As a general rule, reset (RST) must be sent whenever a segment arrives which apparently is not intended for the current connection. A reset must not be sent if it is not clear that this is the case.
There are three groups of states:
1. If the connection does not exist (CLOSED) then a reset is sent in response to any incoming segment except another reset. In particular, SYNs addressed to a non-existent connection are rejected by this means.
If the incoming segment has an ACK field, the reset takes its sequence number from the ACK field of the segment, otherwise the reset has sequence number zero and the ACK field is set to the sum of the sequence number and segment length of the incoming segment. The connection remains in the CLOSED state.

Slide 1-62: TCP Connection Management (cont)
(figures: TCP server lifecycle and TCP client lifecycle state diagrams)

Slide 1-63: Reset Generation (cont.)
2. If the connection is in any non-synchronized state (LISTEN, SYN-SENT, SYN-RECEIVED), and the incoming segment acknowledges something not yet sent (the segment carries an unacceptable ACK), or if an incoming segment has a security level or compartment which does not exactly match the level and compartment requested for the connection, a reset is sent.
If our SYN has not been acknowledged and the precedence level of the incoming segment is higher than the precedence level requested then either raise the local precedence level (if allowed by the user and the system) or send a reset; or if the precedence level of the incoming segment is lower than the precedence level requested then continue as if the precedence matched exactly (if the remote TCP cannot raise the precedence level to match ours this will be detected in the next segment it sends, and the connection will be terminated then). If our SYN has been acknowledged (perhaps in this incoming segment) the precedence level of the incoming segment must match the local precedence level exactly; if it does not, a reset must be sent.
If the incoming segment has an ACK field, the reset takes its sequence number from the ACK field of the segment, otherwise the reset has sequence number zero and the ACK field is set to the sum of the sequence number and segment length of the incoming segment. The connection remains in the same state.

Slide 1-64: Reset Generation (cont.)
3. If the connection is in a synchronized state (ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT), any unacceptable segment (out of window sequence number or unacceptable acknowledgment number) must elicit only an empty acknowledgment segment containing the current send-sequence number and an acknowledgment indicating the next sequence number expected to be received, and the connection remains in the same state.
If an incoming segment has a security level, or compartment, or precedence which does not exactly match the level, and compartment, and precedence requested for the connection, a reset is sent and the connection goes to the CLOSED state. The reset takes its sequence number from the ACK field of the incoming segment.

Slide 1-65: FIN Scan
RFC 793 says:
- A listening port should not respond to a FIN.
- A non-listening port should respond with RESET/ACK.
Hackers can use this to map listening ports with a FIN scan.
Sealthy.com.50141 > victim.org.5: F 0:0(0) win 4096 DF
Sealthy.com.50141 > victim.org.3: F 0:0(0) win 4096 DF
Sealthy.com.50141 > victim.org.26: F 0:0(0) win 4096 DF
Sealthy.com.50141 > victim.org.45: F 0:0(0) win 4096 DF
Sealthy.com.50141 > victim.org.17: F 0:0(0) win 4096 DF
Sealthy.com.50141 > victim.org.80: F 0:0(0) win 4096 DF
...

Slide 1-66: Jolt2 DoS
- Attack designed to consume memory in Windows boxes.
- Sends an endless stream of ICMP echo requests as fragments:
  - Same fragment ID
  - Same non-zero fragment offsets
- Ex:
  verbo.com > win98.com: (frag 1109:9@65520)
  verbo.com > win98.com: (frag 1109:9@65520)...
- The receiver keeps trying to reassemble, find the header, etc.
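The three reset-generation groups quoted above, and the FIN-scan and ACK-scan behaviour that follows from them, can be written down as one decision function and tested against the probes on the FIN Scan slide. The Python below is an added example, not part of the slides: rfc793_response returns what a conforming TCP sends for an incoming segment given its state (RST or RST/ACK from CLOSED, RST for an unacceptable ACK in LISTEN, silence for a lone FIN to a listening port, an empty ACK for an out-of-window segment in a synchronized state; security, compartment and precedence checks are not modelled), and fin_scan_candidates counts lone FIN probes per source fanning out across destination ports, the defender's view of the same scan. The trace is the slide's own probe lines plus one normal FIN from the takedown slide.

```python
import re
from collections import namedtuple, defaultdict

# A minimal view of an incoming segment: flag letters (S, A, F, R), SEG.SEQ, SEG.ACK (None when the
# segment carries no ACK) and SEG.LEN in the RFC 793 sense: data bytes plus one for SYN and one for FIN.
Segment = namedtuple("Segment", "flags seq ack length")


def rfc793_response(state, seg, snd_una=0, snd_nxt=0, rcv_nxt=0, rcv_wnd=0):
    """What a conforming TCP sends back, following the three reset-generation groups quoted above.
    Returns a Segment, or None when nothing is sent (segment dropped, or processed normally)."""
    if "R" in seg.flags:                                   # never answer a reset with a reset
        return None
    if state == "CLOSED":                                  # group 1: no connection at all
        if seg.ack is not None:
            return Segment("R", seg.ack, None, 0)          # RST with SEQ taken from the incoming ACK
        return Segment("RA", 0, seg.seq + seg.length, 0)   # RST/ACK: SEQ=0, ACK=SEG.SEQ+SEG.LEN
    if state in ("LISTEN", "SYN-SENT", "SYN-RECEIVED"):    # group 2: not yet synchronized
        if seg.ack is not None and not (snd_una < seg.ack <= snd_nxt):
            return Segment("R", seg.ack, None, 0)          # acknowledges something never sent
        if "S" in seg.flags and state == "LISTEN":
            return Segment("SA", snd_nxt, seg.seq + 1, 0)  # the normal SYN/ACK
        return None                                        # e.g. a lone FIN to an open port: dropped silently
    in_window = rcv_nxt <= seg.seq < rcv_nxt + rcv_wnd     # group 3: synchronized states
    acks_unsent = seg.ack is not None and seg.ack > snd_nxt
    if not in_window or acks_unsent:
        return Segment("A", snd_nxt, rcv_nxt, 0)           # empty ACK only; state unchanged
    return None


# src.sport > dst.dport: FLAGS [seq:end(len)] rest   (the "." flag field means no flags set)
PROBE_RE = re.compile(
    r"^(?P<src>\S+?)\.(?P<sport>\w+)\s*>\s*(?P<dst>\S+?)\.(?P<dport>\w+):\s+(?P<flags>[SFPRU.]+)\s+"
    r"(?:(?P<seq>\d+):\d+\((?P<len>\d+)\))?(?P<rest>.*)$")


def parse_tcp_line(line):
    """Turn a tcpdump TCP line into endpoints plus the Segment the receiving TCP would see."""
    m = PROBE_RE.match(line.strip())
    if not m:
        return None
    flags = m["flags"].replace(".", "")
    ack = re.search(r"\back (\d+)", m["rest"])
    ack = int(ack.group(1)) if ack else None
    seq = int(m["seq"]) if m["seq"] else 0
    data = int(m["len"]) if m["len"] else 0
    seg = Segment(flags, seq, ack, data + ("S" in flags) + ("F" in flags))
    return {"src": m["src"], "sport": m["sport"], "dst": m["dst"], "dport": m["dport"], "segment": seg}


def fin_scan_candidates(lines, min_ports=5):
    """Count lone FIN probes (FIN set, no ACK, no data) per (source host, destination host) over distinct
    destination ports. A normal FIN always carries an ACK, so lone FINs fanning out across many ports is
    the FIN-scan signature. Returns {(src, dst): ports} for pairs that reach min_ports."""
    ports = defaultdict(set)
    for line in lines:
        p = parse_tcp_line(line)
        if p is None:
            continue
        s = p["segment"]
        if "F" in s.flags and s.ack is None and s.length == 1:
            ports[(p["src"], p["dst"])].add(p["dport"])
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


# Probe lines from the FIN Scan slide plus one normal FIN (with ACK) from the TCP takedown slide.
TRACE = [
    "Sealthy.com.50141>victim.org.5: F 0:0(0) win4096 DF",
    "Sealthy.com.50141>victim.org.3: F 0:0(0) win4096 DF",
    "Sealthy.com.50141>victim.org.26: F 0:0(0) win4096 DF",
    "Sealthy.com.50141>victim.org.45: F 0:0(0) win4096 DF",
    "Sealthy.com.50141>victim.org.17: F 0:0(0) win4096 DF",
    "Sealthy.com.50141>victim.org.80: F 0:0(0) win4096 DF",
    "tclient.net.39904 > telnet.com.23: F 14:14(0) ack 186 win 8760 (DF)",
]

if __name__ == "__main__":
    probe = parse_tcp_line(TRACE[0])["segment"]
    print("closed port answers:", rfc793_response("CLOSED", probe))
    print("listening port answers:", rfc793_response("LISTEN", probe))
    print("scan candidates:", fin_scan_candidates(TRACE))
```

Feeding the same probe to both states shows why the scan works: CLOSED answers with RST/ACK (sequence 0, acknowledgement 1, since a FIN counts one byte of SEG.LEN), while LISTEN answers with nothing at all.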
Slide 1-67: Analyze this
Router.com > 1.2.10.72: icmp: time exceeded in-transit
Router.com > 1.2.18.13: icmp: time exceeded in-transit
Router.com > 1.2.11.67: icmp: time exceeded in-transit
Router.com > 1.2.16.13: icmp: time exceeded in-transit...

Slide 1-68: Ex: Unexpected Responses
Router.com > 1.2.10.72: icmp: time exceeded in-transit
Router.com > 1.2.18.13: icmp: time exceeded in-transit
Router.com > 1.2.11.67: icmp: time exceeded in-transit
Router.com > 1.2.16.13: icmp: time exceeded in-transit...
- Note all the "responses" from Router.com, but no traffic sent from the 1.2. network.
- Can't be surveillance of the 1.2 network because there are no responses to ICMP traffic.
- The most likely explanation is traffic sent to Router.com by someone spoofing the 1.2 network.
- Sometimes such traffic is called "backscatter."

Slide 1-69: READ
Ref: Inferring Internet DoS Activity. Paper by Moore, Voelker, and Savage in 2001 (www.cs.ucsd.edu/~savage/papers/UsenixSec01.pdf).
- Introduces "Backscatter Analysis" being used in a Class A network to project worldwide DoS attack numbers.
- Observed more than 12,000 attacks against more than 5,000 targets.
- Found that 90-94% of attacks are TCP based, followed by UDP and ICMP.
- Obtained many other characteristics including types, rates, durations of attacks.

Slide 1-70: DNS: Domain Name System
People: many identifiers: SSN, name, passport #
Internet hosts, routers:
- IP address (32 bit), used for addressing datagrams
- "name", e.g., gaia.cs.umass.edu, used by humans
Q: map between IP addresses and name?
Domain Name System:
- distributed database implemented in a hierarchy of many name servers
- application-layer protocol: hosts, routers, name servers communicate to resolve names (address/name translation)
  - note: core Internet function, implemented as an application-layer protocol
  - complexity at the network's "edge"

Slide 1-71: DNS name servers
Why not centralize DNS?
- single point of failure
- traffic volume
- distant centralized database
- maintenance
It doesn't scale!
- no server has all name-to-IP address mappings
- local name servers:
  - each ISP, company has a local (default) name server
  - a host's DNS query first goes to the local name server
- authoritative name server:
  - for a host: stores that host's IP address, name
  - can perform name/address translation for that host's name

Slide 1-72: DNS: Root name servers
- contacted by a local name server that can not resolve a name
- root name server:
  - contacts the authoritative name server if the name mapping is not known
  - gets the mapping
  - returns the mapping to the local name server
13 root name servers worldwide:
a NSI, Herndon, VA
b USC-ISI, Marina del Rey, CA
c PSInet, Herndon, VA
d U Maryland, College Park, MD
e NASA, Mt View, CA
f Internet Software C., Palo Alto, CA
g DISA, Vienna, VA
h ARL, Aberdeen, MD
i NORDUnet, Stockholm
j NSI (TBD), Herndon, VA
k RIPE, London
l ICANN, Marina del Rey, CA
m WIDE, Tokyo

Slide 1-73: named.cache
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
;     file                /domain/named.cache
;     on server           FTP.INTERNIC.NET
;
; last update: Nov 5, 2002
; related version of root zone: 2002110501
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
;
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
;
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
;
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
;
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
;
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
;
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33

Slide 1-74: Simple DNS example
Host surf.eurecom.fr wants the IP address of gaia.cs.umass.edu.
1. It contacts its local DNS server, dns.eurecom.fr.
2. dns.eurecom.fr contacts the root name server, if necessary.
3. The root name server contacts the authoritative name server, dns.umass.edu, if necessary.
(figure: requesting host surf.eurecom.fr, local name server dns.eurecom.fr, root name server, authoritative name server dns.umass.edu, gaia.cs.umass.edu; messages numbered 1-6)

Slide 1-75: DNS example
Root name server:
- may not know the authoritative name server
- may know an intermediate name server: whom to contact to find the authoritative name server
(figure: requesting host surf.eurecom.fr, local name server dns.eurecom.fr, root name server, intermediate name server dns.umass.edu, authoritative name server dns.cs.umass.edu, gaia.cs.umass.edu; messages numbered 1-8)

Slide 1-76: DNS: iterated queries
- recursive query:
  - puts the burden of name resolution on the contacted name server
  - heavy load?
- iterated query:
  - the contacted server replies with the name of the server to contact
  - "I don't know this name, but ask this server"
(figure: the same servers as on the previous slide, messages numbered 1-8, with the label "iterated query" attached to message 2)

Slide 1-77: DNS: caching and updating records
- once (any) name server learns a mapping, it caches the mapping
  - cache entries timeout (disappear) after some time
- update/notify mechanisms under design by IETF
  - RFC 2136
  - http://www.ietf.org/html.charters/dnsind-charter.html

Slide 1-78: DNS records
DNS: distributed db storing resource records (RR)
RR format: (name, value, type, ttl)
- Type=A: name is hostname, value is IP address
- Type=NS: name is domain (e.g. foo.com), value is IP address of authoritative name server for this domain
- Type=CNAME: name is alias name for some "canonical" (the real) name; www.ibm.com is really servereast.backup2.ibm.com; value is canonical name
- Type=MX: value is name of mailserver associated with name

Slide 1-79: DNS protocol, messages
DNS protocol: query and reply messages, both with the same message format
msg header:
- identification: 16 bit # for query; reply to query uses same #
- flags:
  - query or reply
  - recursion desired
  - recursion available
  - reply is authoritative

Slide 1-80: DNS protocol, messages (cont.)
- Name, type fields for a query
- RRs in response to query
- records for authoritative servers
- additional "helpful" info that may be used

Slide 1-81: DNS Example (lookup www.sans.org)
host.my.com.1716 > dns.my.com.53: 1+ (35)
dns.my.com.53 > h.root-servers.net.53: 12420 (30) DF
h.root-servers.net.53 > dns.my.com.53: 12420- 0/3/3 (153) (DF)
dns.my.com.53 > server1.sans.org.53: 12421+ (30) (DF)
server1.sans.org.53 > dns.my.com.53: 12421* 1/3/3 (172)
dns.my.com.53 > host.my.com.1716: 1* 1/3/3 (197) (DF)
Notes:
- You might not see all traffic depending on your network.
- No acks appear because the DNS application is using UDP.
- The + indicates a "recursive" request (find the answer).
- The - indicates no recursive request was made.
- The * indicates an authoritative response.
- The local DNS server will cache the response for a time (TTL).

Slide 1-82: Reverse Lookups
- The DNS resolver actually issues a GetHostByName request to its local server.
- The reverse is available: GetHostByNumber.
- When DNS attempts a reverse lookup for 12.33.247.6, the application software reformats it to 6.247.33.12.in-addr.arpa.
- The arpa domain server is available to handle it; in-addr is a sub-server.
- The search is done from least specific to most specific (6 ... arpa).

Slide 1-83: The SANS Practicals
Based on work done by candidates for the Intrusion Detection Professional Certification from the Global Incident Analysis Center. See www.giac.org/GCIA.php
Standard Analysis Pattern:
- Network or system log trace of the event of interest.
- Source of the detect, such as SNORT.
Probability that source address was spoofed. Description of attack Attack mechanism Correlation Evidence of active targeting. Network Security 1-83 Big-3 Falsehoods False Positives Occurs when a filter matches traffic other than the attack traffic that it was designed to detec. False Negatives Occurs when one fails to detect malicious traffic. False Interpretations Occurs when an analysis results in a mistaken impression of what really is occuring. GIAC says current practical format is designed to mitigate these problems. Network Security 1-84 Source of the detection SNORT, Shadow, Cisco PIX Firewall, … Version of the code Do you have the filter or rule set being used? Do you have the access violation or filter that triggered the detection? Analyze the log file carefully. Network Security 1-85 Probability that Source was Spoofed. Attempt to sort into one of three: Probably spoofed Probably not spoofed Third party or backscatter (someone uses your address space to attack elsewhere). Note: reconnaissance does not usually work if source is spoofed (attacker could be listening nearby, however). TCP packets are not usually spoofed if the 3-way handshake complete. Despoof is a freeware opensource utility that attempts to determine spoofing using TTL (http://razor.bindview.com/tools/). Network Security 1-86 Description of Attack Intent of this is obvious Note many, many attacks already documented and various security web sites. Favorites according to insecure.org magazine subscribers include those on next slide. 
Top 53 listed at http://seclists.org/lists/nmaphackers/2003/Oct-Dec/0003.html
Network Security 1-87

276 securityfocus.com
159 packetstormsecurity.nl
92 sans.org
86 cert.org
46 securiteam.com
38 linuxsecurity.com
37 phrack.org
30 neworder.box.sk
29 slashdot.org
24 google.com
18 securitynewsportal.com
17 infosyssec.com
15 snort.org
15 honeynet.org
15 dshield.org
15 astalavista.com
13 whitehats.com
13 incidents.org
12 microsoft.com
12 iss.net
11 cisecurity.org
10 networkintrusion.co.uk
10 isc.incidents.org
10 grc.com
10 foundstone.com
10 cve.mitre.org
10 atstake.com
10 astalavista.box.sk
9 security-forums.com
9 packetstorm.org
9 net-security.org
9 nessus.org
9 hack.co.za
9 deadly.org
9 attrition.org
8 samspade.org
7 zone-h.org
7 secureroot.com
7 packetfactory.net
7 openbsd.org
7 counterpane.com
7 2600.com
6 theregister.co.uk
6 thc.org
6 team-teso.net
6 symantec.com
6 securitytracker.com
6 phoneboy.com
6 ntbugtraq.com
6 netsys.com
6 neohapsis.com
6 heise.de
6 antionline.com
5 tlsecurity.net
5 sourceforge.net
5 icat.nist.gov
5 hackingexposed.com
5 eeye.com
5 cotse.com
Network Security 1-88

Correlations
The idea is to correlate present activity to known attack or scanning patterns.
It is rare to find anything totally new (especially with SNORT!).
If convinced it is new, you can report it to SANS ([email protected]) or elsewhere.
Network Security 1-89

Active Targeting
Are we really targeted, or just receiving packets at random?
Targeting a specific host? (Do they already have reconnaissance info?)
General scan of your network? (An attack may be next.)
Just a mis-addressed packet?
Network Security 1-90

Attack Mechanism Questions
Stimulus or response?
What service is targeted?
Does the service have known vulnerabilities or exposures?
Is this benign? An exploit? Denial of Service? Reconnaissance?
What is this?
User.somewhere.org:60000>me.at.home:2140 UDP TTL:50 TOS:0x0 ID:2320 Len: 10
Network Security 1-91

Steps to identify - varied
Here port 60000 looks unique, so check with Google and quickly find that it is associated with a trojan called “deepthroat.”
Then go, for example, to http://sh1204.sajthotellet.com/trojanhunter/portlist/ to determine that responses from the trojan usually appear on port 2140. Confirms!
Network Security 1-92

Review
Tadaaki Nagao Practical
Network Security 1-93
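The DNS Example (lookup www.sans.org) and Reverse Lookups slides above describe tcpdump's DNS notation (the query id, the +, - and * flags, the answer/authority/additional counts) and the in-addr.arpa naming rule, but only by inspection. The following is an added example, not code from the course or from tcpdump: it decodes lines in that layout, classifies each as a recursive query, iterative query, referral or (authoritative) answer, pairs replies with the queries that caused them so that a reply nobody asked for stands out, and builds the reverse-lookup name. The trace is the slide's six lines re-typed as constructed sample input; the "evil.example" line in the usage note is constructed as well.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the six lines of the "DNS Example (lookup www.sans.org)" slide,
# re-typed in tcpdump's "src.port > dst.port: id[flags] [an/ns/ar] (len)" layout.
SAMPLE_TRACE = """\
host.my.com.1716 > dns.my.com.53: 1+ (35)
dns.my.com.53 > h.root-servers.net.53: 12420 (30) (DF)
h.root-servers.net.53 > dns.my.com.53: 12420- 0/3/3 (153) (DF)
dns.my.com.53 > server1.sans.org.53: 12421+ (30) (DF)
server1.sans.org.53 > dns.my.com.53: 12421* 1/3/3 (172)
dns.my.com.53 > host.my.com.1716: 1* 1/3/3 (197) (DF)
"""

# host.port on each side, the 16-bit query id, tcpdump's flag characters
# ('+' recursion desired, '-' no recursion, '*' authoritative), an optional
# answer/authority/additional RR count triple, and the DNS payload length.
LINE_RE = re.compile(
    r"^(?P<src>\S+?)\.(?P<sport>\d+)\s*>\s*(?P<dst>\S+?)\.(?P<dport>\d+):\s*"
    r"(?P<id>\d+)(?P<flags>[+*-]*)"
    r"(?:\s+(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+))?\s+\((?P<len>\d+)\)"
)


@dataclass
class DnsLine:
    src: str
    sport: int
    dst: str
    dport: int
    ident: int
    recursion: bool       # '+' present: recursion desired
    authoritative: bool   # '*' present: authoritative answer
    counts: Optional[Tuple[int, int, int]]  # (answer, authority, additional) RRs; replies only
    length: int

    @property
    def is_reply(self) -> bool:
        return self.counts is not None

    def kind(self) -> str:
        """Classify the message the way an analyst reads the slide's trace."""
        if not self.is_reply:
            return "recursive query" if self.recursion else "iterative query"
        answers, authority, _ = self.counts
        if answers == 0 and authority > 0:
            return "referral"  # e.g. the root server's 0/3/3: "ask these name servers instead"
        return "authoritative answer" if self.authoritative else "answer"


def parse_line(line: str) -> Optional[DnsLine]:
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    counts = None
    if m["an"] is not None:
        counts = (int(m["an"]), int(m["ns"]), int(m["ar"]))
    return DnsLine(
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        ident=int(m["id"]), recursion="+" in m["flags"], authoritative="*" in m["flags"],
        counts=counts, length=int(m["len"]),
    )


def parse_trace(text: str) -> List[DnsLine]:
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


def resolution_chain(text: str) -> List[Tuple[int, str, str, str]]:
    """(id, kind, from, to) per line: the walk from local server via root to the authoritative server."""
    return [(p.ident, p.kind(), p.src, p.dst) for p in parse_trace(text)]


def unsolicited_replies(text: str) -> List[DnsLine]:
    """Replies that no earlier query in the trace accounts for.

    A matching query carries the same id, was sent to the replying server and came from
    the host/port the reply is addressed to; anything else deserves a closer look
    (forged or misdirected answers, or a stimulus captured on another segment)."""
    pending = set()
    stray: List[DnsLine] = []
    for p in parse_trace(text):
        if not p.is_reply:
            pending.add((p.ident, p.src, p.sport, p.dst))
        elif (p.ident, p.dst, p.dport, p.src) in pending:
            pending.discard((p.ident, p.dst, p.dport, p.src))
        else:
            stray.append(p)
    return stray


def reverse_name(ipv4: str) -> str:
    """Name a resolver queries for a reverse lookup: 12.33.247.6 becomes 6.247.33.12.in-addr.arpa."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 dotted quad: {ipv4!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


if __name__ == "__main__":
    for ident, kind, src, dst in resolution_chain(SAMPLE_TRACE):
        print(f"id={ident:<6} {kind:<21} {src} -> {dst}")
    print(reverse_name("12.33.247.6"))
```

Run stand-alone it prints the chain: the host's recursive query (1+), the local server's iterative query to the root (no flag), the root's referral (0 answers, 3 authority RRs), the recursive query to server1.sans.org, its authoritative answer (12421*), and the local server's answer back to the host. Appending a constructed line such as `evil.example.53 > host.my.com.1716: 1* 1/0/0 (60)` makes `unsolicited_replies` return it, since no query with id 1 was ever sent from host.my.com to evil.example.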
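The Probability that Source was Spoofed, Active Targeting and Attack Mechanism Questions slides pose the questions an analyst asks of a single alert line; the following added example (not the course's or GIAC's code) turns them into checks that run over alert lines in the Snort-style layout of the "User.somewhere.org:60000>me.at.home:2140 ..." line. It parses that layout, decides stimulus versus response against a port table, groups packets by source to separate a scan from a targeted host or a stray packet, and flags sources whose TTL varies, a passive version of the TTL idea the slide credits to Despoof. The port pair (controller 60000, listener 2140) is the one the Steps to identify slide associates with "deepthroat"; the scan threshold, the sources other than the slide's own line, and the table itself are constructed assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample in the Snort-style layout of the "Attack Mechanism" slide. The first
# line is the slide's; the rest are made up to exercise the scan, stray and TTL cases.
SAMPLE_ALERTS = """\
User.somewhere.org:60000>me.at.home:2140 UDP TTL:50 TOS:0x0 ID:2320 Len: 10
scanner.example:40000>10.0.0.1:2140 UDP TTL:50 TOS:0x0 ID:1 Len: 10
scanner.example:40000>10.0.0.2:2140 UDP TTL:50 TOS:0x0 ID:2 Len: 10
scanner.example:40000>10.0.0.3:2140 UDP TTL:50 TOS:0x0 ID:3 Len: 10
scanner.example:40000>10.0.0.4:2140 UDP TTL:50 TOS:0x0 ID:4 Len: 10
lost.example:5555>10.0.0.9:5555 UDP TTL:12 TOS:0x0 ID:77 Len: 20
forged.example:1234>10.0.0.5:53 UDP TTL:50 TOS:0x0 ID:8 Len: 30
forged.example:1234>10.0.0.5:53 UDP TTL:210 TOS:0x0 ID:9 Len: 30
"""

# (source port, destination port) pair from the slide's research step. A real deployment
# would load such a table from a maintained port list rather than hard-code one entry.
KNOWN_PAIRS = {(60000, 2140): "deepthroat (controller 60000 -> listener 2140)"}

SCAN_THRESHOLD = 3  # distinct local hosts hit on one port before we call it a scan (assumption)

ALERT_RE = re.compile(
    r"^(?P<src>[^:\s]+):(?P<sport>\d+)\s*>\s*(?P<dst>[^:\s]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+"
    r"ID:(?P<id>\d+)\s+Len:\s*(?P<len>\d+)"
)


def parse_alert(line: str) -> Optional[dict]:
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "ttl", "id", "len"):
        pkt[key] = int(pkt[key])
    return pkt


def stimulus_or_response(pkt: dict) -> str:
    """First question on the slide: a packet aimed at a known listener port is a stimulus,
    one sent from it is a response; anything else is unknown until correlated."""
    if (pkt["sport"], pkt["dport"]) in KNOWN_PAIRS:
        return "stimulus"
    if (pkt["dport"], pkt["sport"]) in KNOWN_PAIRS:
        return "response"
    return "unknown"


def _group_by_source(text: str) -> Dict[str, List[dict]]:
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for line in text.splitlines():
        pkt = parse_alert(line)
        if pkt is not None:
            by_src[pkt["src"]].append(pkt)
    return by_src


def targeting_assessment(text: str) -> Dict[str, str]:
    """Active Targeting questions per source: general scan, specific host, or a stray packet."""
    verdicts: Dict[str, str] = {}
    for src, pkts in _group_by_source(text).items():
        hosts = {p["dst"] for p in pkts}
        ports = {p["dport"] for p in pkts}
        known = [KNOWN_PAIRS[(p["sport"], p["dport"])]
                 for p in pkts if (p["sport"], p["dport"]) in KNOWN_PAIRS]
        if len(hosts) >= SCAN_THRESHOLD and len(ports) == 1:
            verdicts[src] = f"scan: {len(hosts)} hosts probed on port {ports.pop()}"
        elif known:
            verdicts[src] = f"targeted: {known[0]}"
        else:
            verdicts[src] = "unclassified: mis-addressed or unknown; correlate before concluding"
    return verdicts


def ttl_inconsistent_sources(text: str) -> List[str]:
    """Sources whose packets arrive with different TTLs. One real sender on one path leaves
    one TTL; a spread suggests several senders sharing the address, i.e. spoofing."""
    return sorted(src for src, pkts in _group_by_source(text).items()
                  if len({p["ttl"] for p in pkts}) > 1)


if __name__ == "__main__":
    for src, verdict in targeting_assessment(SAMPLE_ALERTS).items():
        print(f"{src:<20} {verdict}")
    print("TTL varies for:", ttl_inconsistent_sources(SAMPLE_ALERTS))
```

The slide's own line comes out as a stimulus toward a known listener from a single source to a single host, so it is reported as targeted; the constructed scanner hitting four hosts on port 2140 is reported as a scan; the single odd packet stays unclassified, which is the honest answer until it is correlated with other data.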