TCP SORCERY: A TALE OF UNINTENDED HAPPENINGS IN A HIDDEN W0RLD

Barry Irwin, Security and Networks Research Group, Department of Computer Science, Rhodes University


DESCRIPTION

Barry Irwin, ZaCon 2009, http://www.zacon.org.za/Archives/2009/slides/

TRANSCRIPT

Page 1: TCP Sorcery


Page 2: TCP Sorcery

ABOUT ME

Page 3: TCP Sorcery

ABOUT ME

Head up the “Security & Network Research Group” within the Rhodes University CS Department

Interested in:
• Packet Wrangling
• Passive Monitoring
• Collaborative Defense
• VizSec

Contacts: [email protected] @barryirwin

Page 4: TCP Sorcery

365 DAYS LATER....

Conficker burst on the world...... 21/11/2008

Page 5: TCP Sorcery

HOW WE GOT HERE

• Intro
• Network Telescope Research
• The quandary: Active vs Passive Traffic. What's the difference? Why care?

The Protocols:
• ICMP is trivial: well defined in specs
• TCP is not too difficult: brute force all combos
• UDP is a pain: needs protocol / L7 decodes

Page 6: TCP Sorcery

TCP FUNDAMENTAL

Hi, My name is TCP


Page 8: TCP Sorcery

TCP STATE TESTS

How do we determine what is active vs passive traffic? Write an empirical test.

What's most important is how things respond to combos of the TCP flags. RFC 793 and Stevens don't define all the actions.

Six Flags: • URG • ACK • PSH • RST • SYN • FIN

Page 9: TCP Sorcery

TCP FUZZING

Six flags give us 2^6 combinations == 64 options. The fuzzer iterates through these.

Tested against different targets:
• Linux 2.6 Kernel
• FreeBSD 6.4/7.1
• Windows Server 2003 + patches
• Cisco Switch (IOS 12.x)
Both open and closed ports tested.

512 responses recorded using tcpdump: 64 states * 4 targets * two ports (open/closed)

Page 10: TCP Sorcery

FUZZING RESULTS

What we found..... Of the 64 possible responses:
• Only 50% were of any interest (across the board)
• RST flags are no fun: they generate no response
• ‘X-mas tree’ packets garner no response either

Of the remainder:
• 16 combinations only produce an RST packet. This is what we expect.
• Responses the same for open and closed ports
• Some flag combos produced different responses

Page 11: TCP Sorcery

SINGLE PACKET OS CHECK

So what's your genus? We have shown it is possible to determine the remote OS family using a single packet probe.

SYN,FIN / SYN,FIN,PSH / SYN,FIN,URG / SYN,FIN,URG,PSH give the same distinctive results for open ports:
• Linux 2.6: 6 [SYN,ACK] datagrams
• FreeBSD: 4 [SYN,ACK] datagrams
• Windows 2003: 3 [SYN,ACK] datagrams
• Cisco IOS: [SYN,ACK] [RST] datagrams

Closed ports give [RST,ACK].

Page 12: TCP Sorcery

SINGLE PACKET OS CHECK

Unix family differentiation? Linux/FreeBSD can also be differentiated from other IP stack implementations using an additional single packet probe.

No flags / FIN / URG / PSH / FIN,PSH,URG give the same distinctive results for open ports:
• Open ports give no response on FreeBSD/Linux
• Windows and IOS both reply with [RST,ACK]

Closed ports give [RST,ACK].

Page 13: TCP Sorcery

MAKING MISCHIEF

Seen any tiny blue guys around? Using what we have seen we can build a little amplification attack.

Linux and some other target:
• Attacker sends a TCP packet with a SYN,FIN variation to a Linux target; the source address is forged to be the victim
• TARGET generates 6 datagrams back for every one received
• VICTIM receives 6 SYN,ACK packets
• VICTIM responds with 6 RST packets

Values vary with FreeBSD (8x) and Windows (6x). This is a VERY crude attack, mostly useful for noisemaking. Not about to be the next Smurf(ette).
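As an added example (not code from the talk or from its author), the fuzzing arithmetic, the single-packet response table and the amplification behaviour above can be turned into a small classifier that a monitoring team could run over captured flow records: it enumerates the 64 flag combinations, names the probe families the slides describe, maps an open port's [SYN,ACK] count back to an OS family, and flags a host that answered one SYN,FIN-style probe with several [SYN,ACK] toward the probe's (possibly forged) source address. The addresses, record format and sample capture are constructed for the example.

```python
from collections import defaultdict
from itertools import combinations

FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")   # the six flags the talk fuzzes
# Probe families from the single-packet OS check slides.
SYN_FIN_FAMILY = [frozenset(s) for s in (
    {"SYN", "FIN"}, {"SYN", "FIN", "PSH"}, {"SYN", "FIN", "URG"}, {"SYN", "FIN", "URG", "PSH"})]
NULL_FIN_FAMILY = [frozenset(s) for s in (set(), {"FIN"}, {"URG"}, {"PSH"}, {"FIN", "PSH", "URG"})]
# [SYN,ACK] datagrams an open port returns to one SYN,FIN-family probe (the talk's table).
SYNACK_PER_PROBE = {6: "Linux 2.6", 4: "FreeBSD", 3: "Windows 2003"}

def all_flag_combos():
    """Every subset of the six flags: the 2**6 == 64 states the fuzzer walked."""
    return [frozenset(c) for r in range(len(FLAGS) + 1) for c in combinations(FLAGS, r)]

def classify_probe(flags):
    """Name the probe family a packet's flag set belongs to."""
    f = frozenset(flags)
    if "RST" in f:
        return "rst"              # RST-bearing packets drew no response at all
    if f in SYN_FIN_FAMILY:
        return "syn-fin-family"   # open port answers with N x [SYN,ACK], N depends on the OS
    if f in NULL_FIN_FAMILY:
        return "null-fin-family"  # silent on Linux/FreeBSD, [RST,ACK] on Windows/IOS
    return "other"

def infer_os_family(synack_count):
    """Map the [SYN,ACK] count seen for one open-port probe to an OS family."""
    return SYNACK_PER_PROBE.get(synack_count, "unknown")

def find_reflection(records):
    """records: (src, dst, flags) tuples in capture order (constructed here).
    Return {(responder, claimed_source): count} for hosts that answered a
    SYN,FIN-family probe with more than one [SYN,ACK]; a normal handshake sends one."""
    probed, replies = set(), defaultdict(int)
    for src, dst, flags in records:
        f = frozenset(flags)
        if classify_probe(f) == "syn-fin-family":
            probed.add((dst, src))           # responder, and the address the probe claimed
        elif f == {"SYN", "ACK"} and (src, dst) in probed:
            replies[(src, dst)] += 1
    return {k: n for k, n in replies.items() if n > 1}

# Constructed capture: a SYN,FIN probe whose source reads as 10.0.0.9 (the "victim"),
# six [SYN,ACK] back from 10.0.0.20, six RST from 10.0.0.9, then an ordinary handshake.
SAMPLE = ([("10.0.0.9", "10.0.0.20", ("SYN", "FIN"))]
          + [("10.0.0.20", "10.0.0.9", ("SYN", "ACK"))] * 6
          + [("10.0.0.9", "10.0.0.20", ("RST",))] * 6
          + [("10.0.0.5", "10.0.0.20", ("SYN",)), ("10.0.0.20", "10.0.0.5", ("SYN", "ACK"))])
```

Running `find_reflection(SAMPLE)` reports 10.0.0.20 sending six [SYN,ACK] to 10.0.0.9, which `infer_os_family(6)` maps to the Linux 2.6 row of the table; the ordinary handshake at the end is not reported.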

Page 14: TCP Sorcery

MAKING MISCHIEF

No way did I scan that host. What we have seen is that certain flag combinations can elicit an active response from a target, which in turn can activate yet another (although passive) response.

Given access to a network choke point, switch, shared media etc., one can coerce a target into scanning a 3rd party with some level of success.

Possible uses are:
• Shifting blame
• IDS evasion
• Exploiting ‘allow friends’ firewall rules

Page 15: TCP Sorcery

CONCLUSION

So what? NMAP has been fingerprinting for a while: an active, multi-packet probe. More accurate, but noisy.

Sideband/reflective scanning can be of use:
• Covert OPS
• Reflectively scanning your own network

Obfuscation/noise generation:
• 12x traffic multiplier
• It's a packet count smokescreen
• Small probability of this being realised as bandwidth consumption

Page 16: TCP Sorcery

QUESTIONS ?

Contacts: [email protected] @barryirwin