tcpdump and windump - florida institute of technology

Page 1

Network Security 1-1

TCPDump and WinDump

Section 2 of SWE5900. This material is intended for students of this course only. No further reproduction or distribution is authorized.

Post on 03-Feb-2022



Page 2

TCPDump

UNIX tool that collects network data and displays it in a specified format.
It may be run “live” on a specified interface, but only if authorized.
It may read data from a file that has previously been saved using TCPDump.
It offers a number of filtering capabilities.
Must be downloaded with libpcap or the Windows equivalent. (Do this by next class!)

Page 3

Man Page

If not on a UNIX system go to http://www.rt.com/man/tcpdump.1.html

NAME
tcpdump - dump traffic on a network

SYNOPSIS
tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ]

DESCRIPTION
Tcpdump prints out the headers of packets on a network interface that match the boolean expression.

Page 4

TCPDump Traffic Capture

Page 5

Type of Service Field

Bits 0-2: Precedence.
Bit 3: 0 = Normal Delay, 1 = Low Delay.
Bit 4: 0 = Normal Throughput, 1 = High Throughput.
Bit 5: 0 = Normal Reliability, 1 = High Reliability.
Bits 6-7: Reserved for Future Use.

   0     1     2     3     4     5     6     7
+-----+-----+-----+-----+-----+-----+-----+-----+
|                 |     |     |     |     |     |
|   PRECEDENCE    |  D  |  T  |  R  |  0  |  0  |
|                 |     |     |     |     |     |
+-----+-----+-----+-----+-----+-----+-----+-----+

Page 6

TCPDump Traffic Capture cont…

00:28:24.573542 blackwidow.se.fit.edu.ssh > 163.118.231.25.3197: P 536784:536912(128) ack 7073 win 19872 (DF) [tos 0x10]

00:28:24.573542 – time the packet was received.
blackwidow.se.fit.edu.ssh – source host and port. In this case the port is SSH, or 22.
> – direction of the traffic.
163.118.231.25.3197 – destination IP and port.
P – flag set; in this case P for push. Pushes data from the sending host to the receiving host.
536784:536912 – beginning and ending sequence numbers. These are used to order the data that is received.
(128) – bytes in the packet.
ack 7073 – TCP flag; ACK represents the acknowledgement of data received. 7073 is the acknowledgement number.
win 18872 – this is the window size. This means that the client has a window size, or incoming buffer, of 18872 bytes.
(DF) – don’t fragment. This flag is used if and when the size of the datagram to be sent exceeds the maximum amount allowed by the route.
[tos 0x10] – type of service. In this case it is 0x10, which stands for minimize delay.

Page 7

IP datagram format (field layout, 32 bits wide):

ver | head.len | type of service | length
16-bit identifier | flgs | fragment offset
time to live | upper layer | Internet checksum
32 bit source IP address
32 bit destination IP address
Options (if any)
data (variable length, typically a TCP or UDP segment)

Field notes:
ver – IP protocol version number
head.len – header length (bytes)
type of service – “type” of data
length – total datagram length (bytes)
16-bit identifier, flgs, fragment offset – for fragmentation/reassembly
time to live – max number remaining hops (decremented at each router)
upper layer – upper layer protocol to deliver payload to
Options – e.g. timestamp, record route taken, specify list of routers to visit.

Page 8

TCP segment structure (field layout, 32 bits wide):

source port # | dest port #
sequence number
acknowledgement number
head len | not used | U A P R S F | Receive window
checksum | Urg data pnter
Options (variable length)
application data (variable length)

Field notes:
sequence number, acknowledgement number – counting by bytes of data (not segments!)
URG: urgent data (generally not used)
ACK: ACK # valid
PSH: push data now (generally not used)
RST, SYN, FIN: connection estab (setup, teardown commands)
Receive window – # bytes rcvr willing to accept
checksum – Internet checksum (as in UDP)

Page 9

WELL KNOWN PORT NUMBERS The Well Known Ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users. Ports are used in the TCP [RFC793] to name the ends of logical connections which carry long term conversations. For the purpose of providing services to unknown callers, a service contact port is defined. This list specifies the port used by the server process as its contact port. The contact port is sometimes called the "well-known port". To the extent possible, these same port assignments are used with the UDP [RFC768]. The range for assigned ports managed by the IANA is 0-1023.

Page 10

Port Examples:

chargen    19/tcp   Character Generator
chargen    19/udp   Character Generator
ftp-data   20/tcp   File Transfer [Default Data]
ftp-data   20/udp   File Transfer [Default Data]
ftp        21/tcp   File Transfer [Control]
ftp        21/udp   File Transfer [Control]
ssh        22/tcp   SSH Remote Login Protocol
ssh        22/udp   SSH Remote Login Protocol
telnet     23/tcp   Telnet
telnet     23/udp   Telnet
           24/tcp   any private mail system
           24/udp   any private mail system
smtp       25/tcp   Simple Mail Transfer
smtp       25/udp   Simple Mail Transfer
           26/tcp   Unassigned
           26/udp   Unassigned

Page 11

Absolute and Relative Seq Nos

Consider the following:

client.com.38060 > telnet.com.telnet: S 3774957990:3774957990(0) win 8760 <mss 1460> (DF)
telnet.com.telnet > client.com.38060: S 2009600000:2009600000(0) ack 3774957991 win 1024 <mss 1460>
client.com.38060 > telnet.com.telnet: . ack 1 win 8760 (DF)
client.com.38060 > telnet.com.telnet: P 1:28(27) ack 1 win 8760 (DF)

Note use of relative sequence numbers beginning with 3rd packet.

Page 12

Ethereal Traffic Capture

Page 13

Ethereal Traffic Capture

Page 14

TCP 3-way Handshake

tclient.net.39904 > telnet.com.23: S 733381829:733381829(0) win 8760 <mss 1460> (DF)
telnet.com.23 > tclient.net.39904: S 1192930639:1192930639(0) ack 733381830 win 1024 <mss 1460> (DF)
tclient.net.39904 > telnet.com.23: . ack 1 win 8760 (DF)

Page 15

TCP Takedown

tclient.net.39904 > telnet.com.23: F 14:14(0) ack 186 win 8760 (DF)
telnet.com.23 > tclient.net.39904: . ack 15 win 1024 (DF)

Server next initiates a FIN and client acks to finally close the connection. Abrupt version uses reset:

tclient.net.39904 > telnet.com.23: R 28:28(0) ack 1 8760 (DF)

Page 16

Rudimentary Analysis

Was the three-way handshake completed between two hosts?
Were data transmitted?
Who began and/or ended the connection?
Recall SYN Flood (Neptune) Attack

Page 17

SYN Flood (Neptune)

Leverages TCP 3-way Handshake.
Attacker sends opening “SYN”.
Target responds with “SYN/ACK” and builds a record in a data structure to hold connection information.
The attack consists of many SYN packets being sent from unreachable (non-existent) sources, so that the handshake is never completed and the data structure overflows.

Page 18

Observations

No sure way to filter at single packet level. Characteristics:

Unusually large number of TCP SYNs directed at a single destination address
Unusually large number of destination unreachable responses to SYN/ACKs
Unusual source address patterns

Page 19

Ack Scan (page 39 of NID)

Attacker sends lone ack to probe specific ports.
Live hosts respond with reset to unexpected ack.
May be used by hacker to determine location of live hosts.

Note that a lone ack should normally be found only as follows:

Final transmission of 3-way handshake
Acknowledgement of received data or data in progress
Acknowledgement of received FIN

Do you see evidence of any such normal use?

Page 20

TCP Session Hijacking

Objective is to intercept an established TCP session and capture (impersonate) one end of the connection. Nontrivial effort that must maintain:

IP number
Established port numbers
Proper sequence number increments
Proper ack increments.

Page 21

Fragmentation

Fragmentation allows an IPv4 datagram to cross a network that has an MTU smaller than the IP datagram.

Recall that MTU is the max payload of the link layer frame.

Fragment ID
Offset number (13 bits)
Fragment Length
More Fragments Flag

Page 22

IP datagram format (same figure as on Page 7)

Page 23

IP Fragmentation & Reassembly

network links have MTU (max. transfer size) - largest possible link-level frame.
different link types, different MTUs
large IP datagram divided (“fragmented”) within net
one datagram becomes several datagrams
“reassembled” only at final destination
IP header bits used to identify, order related fragments

fragmentation: in: one large datagram; out: 3 smaller datagrams
reassembly

Page 24

IP Fragmentation and Reassembly

Original datagram:   ID=x  offset=0     fragflag=0  length=4000

One large datagram becomes several smaller datagrams:

Fragment 1:          ID=x  offset=0     fragflag=1  length=1500
Fragment 2:          ID=x  offset=1480  fragflag=1  length=1500
Fragment 3:          ID=x  offset=2960  fragflag=0  length=1040

(The header carries offsets in 8-byte units: 1480 bytes = “185”, 2960 bytes = “370”.)

Page 25

View Fragmentation: TCPDUMP

Ping.com > myhost.com: icmp: echo request (frag 21223:1480@0+)     MF=1
Ping.com > myhost.com: (frag 21223:1480@1480+)                     MF=1
Ping.com > myhost.com: (frag 21223:1048@2960)                      MF=0

Data length shown does not include the IP header. It does include the 8-byte ICMP header.

Shows fragmentation of an ICMP echo request (seen in 1st fragment only) with packet ID = 21223 and length of original IP packet equal to 1480+1480+1048 = 4008 bytes data + 20 bytes header.

Page 26

Fragmentation & Packet Filtering Devices

If the filtering device is set to reject ICMP echo requests, it will reject the first fragment.
No ICMP header info in following fragments.
Many devices do not maintain “state” and so will not know that any fragments with ID=21223 (same source/dest) should also be rejected.
Same thing may occur with TCP or UDP packets.
Note: recall that if one fragment does not arrive at destination, all are resent.

Page 27

Don’t Fragment Flag (DF)

Appears as (DF) in TCPDUMP output.
If a packet with this flag set reaches a router that needs to fragment, the router discards the packet and returns an “ICMP unreachable – need to frag” error message to the sending host.

Sometimes used by hosts to discover the “path MTU” and avoid fragmentation.
Can be used maliciously.

Page 28

Ping O’ Death

ICMP Echo request is sent with an illegally long payload (greater than 64k bytes).
Older attack that could cause operating systems to lock or reboot.

Similar in effect to LAND attack.

Observation: Look closely at any ICMP packet that has been fragmented.

Page 29

Analysis

Mal.com.139 > target.net.139: udp 28 (frag 242:36@0+)
Mal.com.139 > target.net.139: (frag 242:4@24)

Notice 36 data bytes in the first fragment beginning at 0. Next are 4 bytes beginning at 24. Illegal overlap known as Teardrop attack.

Page 30

Teardrop

IPv4 packets support fragmentation, but fragments are not permitted to overlap. In this attack packets are created with illegal overlap of fragments. Older operating systems may crash upon receipt of such fragments.

Observation: Can check all arriving packets for illegal fragmentation. Requires some state be maintained (previous termination point for this src, dest, ID).

Page 31

Internet Control Message Protocol - ICMP

Page 32

RFC 792

Occasionally a gateway or destination host will communicate with a source host, for example, to report an error in datagram processing. For such purposes this protocol, the Internet Control Message Protocol (ICMP), is used. ICMP, uses the basic support of IP as if it were a higher level protocol, however, ICMP is actually an integral part of IP, and must be implemented by every IP module.

Page 33

RFC 792 Continued

ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route. The ICMP messages typically report errors in the processing of datagrams. To avoid the infinite regress of messages about messages etc., no ICMP messages are sent about ICMP messages. Also ICMP messages are only sent about errors in handling fragment zero of fragmented datagrams.

Page 34

Typical ICMP Message Format

IP Header with Protocol Number = 1

8-bit type|8-bit code|16-bit checksum

Depending on type may include information such as the original IP header + 64 bits of original datagram data.

Page 35

ICMP: Internet Control Message Protocol

used by hosts, routers, gateways to communicate network-level information
error reporting: unreachable host, network, port, protocol
echo request/reply (used by ping)
network-layer “above” IP: ICMP msgs carried in IP datagrams

More at www.iana.org/assignments/icmp-parameters

Type  Code  description
0     0     echo reply (ping)
3     0     dest. network unreachable
3     1     dest host unreachable
3     2     dest protocol unreachable
3     3     dest port unreachable
3     6     dest network unknown
3     7     dest host unknown
4     0     source quench (congestion control - not used)
8     0     echo request (ping)
9     0     route advertisement
10    0     router discovery
11    0     TTL expired
12    0     bad IP header

Note: ICMP is often used for “mapping.”

Page 36

Overview of Normal ICMP Msgs

Host Unreachable
Router > sending.host: icmp: host target.host unreachable

Port Unreachable
Target.host > sending.host: icmp: target.host udp port ntp unreachable (DF)

Admin Prohibited
Router > sending.host: icmp: host target.host unreachable – admin prohibited

Need to frag
Router > sending.host.net: icmp: target.host unreachable – need to frag (mtu 1500)

Others…

Page 37

From...

Stealthy Trojan horse attempts to gather data on Web sites

October 22, 1999. Web posted at: 11:17 a.m. EDT (1517 GMT). By Sean M. Dugan

(IDG) -- In a scenario not unlike a story line from a Tom Clancy novel, the Systems Administration Networking & Security (SANS) Institute is reporting what appears to be a widespread attempt to gather information on proxy servers and send that information to a Russian Web site.

Page 38

RingZero Trojan (CNN online)

“On Oct. 7, SANS Institute members started to try to piece together what was happening. They found what appears to be a Trojan horse application, dubbed RingZero, which systematically searches out and probes proxy servers from an infected machine and sends that information to a central Web server. The RingZero Trojan horse, which gets its name from a component called Ring0.vxd first discovered at Vanderbilt University, appears to be divided into two distinct parts, both of which arrive on a system as compressed archives. One component, pst.exe, probes for proxy servers and has the proxy servers send port information and IP numbers to the Web site rusftpsearch.com. The pst.exe component apparently scans ports 80, 8080 and 3128, and other 8000 series ports.”

Page 39

SMURF Attack

Attacker spoofs its IP address to be that of the target.
Sends ICMP echo request to x.y.255.255.
Potentially thousands of machines in the x.y destination network may respond with ICMP echo replies.
Responses will all go to the spoofed address of the target.

Page 40

Observations

No way to observe attack based on a single packet.
Target may suddenly observe all bandwidth being consumed at its network interface.
Network monitoring may observe an unusually large number of ICMP echo response packets (especially directed at one target).
Some systems now block all ICMP packets or block all packets destined to a …255 address.

Page 41

Page 42

Must Reading

Distributed Reflection Denial of Service: Description and analysis of a potent, increasingly prevalent, and worrisome Internet attack
By Steve Gibson of GRC
http://www.grc.com/dos/drdos.htm

Page 43

Distributed Denial of Service

At 2:00 AM, January 11th, 2002, the GRC.COM site was blasted off the Internet by a new (for us) distributed denial of service attack.

Perhaps the most startling aspect of this attack was that the apparent source was hundreds of the Internet's "core routers", web servers belonging to yahoo.com, and even a machine with an IP resolving to "gary7.nsa.gov". We appeared to be under attack by hundreds of very powerful and well-connected machines.

Once we determined how to block this attack and returned to the Internet, 1,072,519,399 blocked packets were counted before the attack ended.

Page 44

Tribal Flood Network Attack

Requires master and daemon hosts to be established. Master instructs daemons by sending commands in ICMP echo replies.

The ICMP identification number field in the ICMP header of the ICMP echo reply is used to direct daemons with args provided in ICMP data portion.

Page 45

WinFreeze Attack

Takes advantage of the ICMP redirect message, which informs a sending host that it has tried to use a non-optimal router and directs the adding of a more optimal router to the host’s table.

Router > victim.com: icmp: redirect 243.148.16.61 to host victim.com
Router > victim.com: icmp: redirect 110.161.152.156 to host victim.com
Router > victim.com: icmp: redirect 245.211.87.115 to host victim.com
Router > victim.com: icmp: redirect 49.130.233.15 to host victim.com
…

host attacks itself

Page 46

Loki

Prior to Loki, ICMP was used for DoS attacks and network mapping.
Loki uses ICMP as a tunneling protocol for a covert channel.

Loki server must be installed in a compromised host.
ICMP carries covert messages to the Loki server.

More information at www.phrack.com issue 49 article 6.

Page 47

Loki continued

Loki uses ICMP echo-request and echo-reply for communication with the server. ICMP echo-request:

20 bytes of IP header
8 bytes of ICMP header
…arbitrary amount of data, usually timing information for use by ping. No checks!

Loki creates a covert channel by tunneling information inside the data portions of ICMP echo-request and echo-reply packets.
Can pass commands that the server can execute on the compromised system.
Observation and prevention??

Page 48

Why not block ICMP?

You cannot then issue pings for your own diagnostic purposes.
If you allow them outbound, then you are still vulnerable to echo-replies that are inbound.
You cannot use the Windows trace route utility. (But Unix uses UDP.)
Don’t get any of the info messages that routers attempt to send with ICMP.
Can’t use MTU discovery because you won’t receive the “need to frag.”

Page 49

TCP Variants

Destination host not listening:
Tel_client.com.38060 > myhost.com.telnet: S 3774957990:3774957990(0) win 8760 <mss 1460> (DF)
Myhost.com.telnet > tel_client.com.38060: R 0:0(0) ack 3774957991 win 0

Destination host does not exist:
Router.com > tel_client.com: icmp: host myhost.com unreachable

Destination port blocked:
Router.com > tel_client.com: icmp: host myhost.com unreachable – admin prohibited filter

Destination port blocked and router does not respond:
Will see multiple TCP connect requests until max no of retries.

Page 50

UDP Variants

Destination host listening on requested port:
Nslookup.com.45070 > myhost.com.domain: 51007+ (31) (DF)
Myhost.com.domain > nslookup.com.45070: 51007 1/0/0 (193) (DF)

Destination host not listening:
Myhost.com > nslookup.com: icmp: myhost.com udp port domain unreachable

Note: one can send a UDP packet to a port x and receive the "udp port x unreachable" – normal behavior. NMAP uses this to determine that a port is listening if it does NOT receive this response.

Page 51

Active and Passive FTP

TCP processes usually use two ports (client and server).
FTP communicates using two different server ports. In Active FTP the server initiates a data connection to the user (in response to some FTP command from the client) on port 20.
Implies that firewalls must remain open to packets from any source IP/20.
In Passive FTP the client initiates the data connection to the server.

Page 52

Active FTP Example (text)

ftp.client.com.35955 > ftp.server.com.21: S 1884312222:1884312222(0)
ftp.server.com.21 > ftp.client.com.35955: S 3113925437:3113925437(0) ack 1884312223
ftp.client.com.35955 > ftp.server.com.21: . ack 1
ftp.server.com.21 > ftp.client.com.35955: P 1:24(23) ack 1
ftp.client.com.35955 > ftp.server.com.21: . ack 24

Dir command issued by user, then:

ftp.server.com.20 > ftp.client.com.35956: S 3558632705:3558632705(0)
(client has informed server that it is listening on port 35956 using the PORT command)
ftp.client.com.35956 > ftp.server.com.20: S 1901007864:1901007864(0) ack 3558632706
ftp.server.com.20 > ftp.client.com.35956: . ack 1

Page 53

Passive FTP Example

ftp.client.com.44890 > ftp.server2.com.21: S 4276284026:4276284026(0) win 8760 <mss 1380> DF
ftp.server2.com.21 > ftp.client.com.44890: S 1669630260:1669630260(0) ack 4276284027 win 8280 <mss 1460> DF
ftp.client.com.44890 > ftp.server2.com.21: . ack 1 win 9660 (DF)

Dir command issued by user, and then:

ftp.client.com.44891 > ftp.server2.com.3967: S 4282611109:4282611109(0) win 8760 <mss 1380> DF
(ftp.server2.com has informed ftp.client.com that it is listening on port 3967)
ftp.server2.com.3967 > ftp.client.com.44891: S 1669768808:1669768808(0) ack 4282611110 win 8280 <mss 1460> DF
ftp.client.com.44891 > ftp.server2.com.3967: . ack 1 win 9660 (DF)

Page 54

Page 55

TraceRoute

Traceroute (UNIX) or Tracert (Windows) is used to discover path that datagram takes from source to destination. Uses TTL header and responses. Illustrated here using NetScanPro from FIT w/s to UCF. Note…UCF blocks ICMP echo responses.

Page 56

Page 57

Hop IP Address Hostname Time Status

1 163.118.133.254 ? 4 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

2 163.118.143.254 ? 3 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

3 163.118.152.42 ? 3 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

4 209.114.211.97 open.airwire.net 11 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

5 216.22.64.81 miamfllr1m6-ge-0-0-0-36.ip.epik.net 24 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

6 216.22.67.230 jcvlflnj2m6-so-4-0-0.ip.epik.net 29 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

7 216.22.67.254 atlngamq1m6-so-3-0-0.ip.epik.net 29 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

8 216.22.67.154 atlngamq2m6-so-6-0-0.ip.epik.net 36 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

9 205.198.2.149 ge3-13.as.sdatlga.aleron.net 33 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

10 205.198.2.73 ge6-0.ar.sdatlga.aleron.net 32 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

11 205.198.0.74 ge2-8.as.eqxashva.aleron.net 43 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

12 152.63.41.14 0.so-1-0-0.CL1.IAD8.ALTER.NET 47 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

13 152.63.41.14 0.so-1-0-0.CL1.IAD8.ALTER.NET 37 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

14 152.63.38.69 0.so-0-0-0.TL1.DCA6.ALTER.NET 42 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

15 152.63.38.62 0.so-3-0-0.TL1.ATL5.ALTER.NET 61 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

16 152.63.86.189 0.so-7-0-0.XL1.MIA4.ALTER.NET 82 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

17 152.63.84.129 0.so-6-0-0.GW8.MIA4.ALTER.NET 74 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

18 65.208.86.154 bs-mia-gw1.customer.alter.net 72 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

19 65.83.236.21 axr01mia-0-0-0.bellsouth.net 76 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

20 65.83.237.49 ixc01mco-5-1-1.bellsouth.net 81 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

Page 58

21 205.152.237.21 ? 96 11:0:Time Exceeded:Time To Live (TTL) Exceeded in Transit

22 * * * No packet received from this hop.

23 * * * No packet received from this hop.

24 * * * No packet received from this hop.

25 * * * No packet received from this hop.

26 * * * No packet received from this hop.

27 * * * No packet received from this hop.

28 * * * No packet received from this hop.

29 * * * No packet received from this hop.

30 * * * No packet received from this hop.

31 * * * No packet received from this hop.

32 * * * No packet received from this hop.

33 * * * No packet received from this hop.

34 * * * No packet received from this hop.

35 * * * No packet received from this hop.

TraceRoute Statistics: 32 data bytes to www.ucf.edu [132.170.240.131]

Start Time: Wed, 07 Jan 2004 14:58:37

ANALYSIS: Target not reached. ICMP packets may be blocked along the route

or Setup/Packet Timeout is too short.

35 packets transmitted, 21 packets received, 40% packet loss

round-trip (ms) min/avg/max = 3/43/96

Page 59

Some of the Routers

163.118.133.254 is LAN router at FIT.
163.118.152.42 campus edge router
209.114.211.97 airwire.net
216.22.67.154 epik.net
205.198.0.74 aleron.com
152.63.84.129 uunet (MCI Worldcom)
65.83.237.49 BellSouth.net
205.152.237.21 BellSouth.net
Blocked?

Page 60

Moral of the story

RFCs describe how TCP/IP is supposed to work.

Available at www.ietf.org
Hackers know that different TCP/IP implementations react differently to protocol violations.
Hackers can also use normal responses to find out which ports are listening (services are available to exploit).

Page 61

From RFC 793: TCP/IP

Reset Generation As a general rule, reset (RST) must be sent whenever a segment arrives which apparently is not intended for the current connection. A reset must not be sent if it is not clear that this is the case. There are three groups of states:

1. If the connection does not exist (CLOSED) then a reset is sent in response to any incoming segment except another reset. In particular, SYNs addressed to a non-existent connection are rejected by this means. If the incoming segment has an ACK field, the reset takes its sequence number from the ACK field of the segment, otherwise the reset has sequence number zero and the ACK field is set to the sum of the sequence number and segment length of the incoming segment. The connection remains in the CLOSED state.

Review principal state diagram: Figure 6.Then…

Page 62

TCP Connection Management (cont)

TCP client lifecycle / TCP server lifecycle (state diagrams; image not extracted)

Page 63

2. If the connection is in any non-synchronized state (LISTEN, SYN-SENT, SYN-RECEIVED), and the incoming segment acknowledges something not yet sent (the segment carries an unacceptable ACK), or if an incoming segment has a security level or compartment which does not exactly match the level and compartment requested for the connection, a reset is sent. If our SYN has not been acknowledged and the precedence level of the incoming segment is higher than the precedence level requested then either raise the local precedence level (if allowed by the user and the system) or send a reset; or if the precedence level of the incoming segment is lower than the precedence level requested then continue as if the precedence matched exactly (if the remote TCP cannot raise the precedence level to match ours this will bedetected in the next segment it sends, and the connection will be terminated then). If our SYN has been acknowledged (perhaps in this incoming segment) the precedence level of the incoming segment must match the local precedence level exactly, if it does not a reset must be sent. If the incoming segment has an ACK field, the reset takes its sequence number from the ACK field of the segment, otherwise the reset has sequence number zero and the ACK field is set to the sum of the sequence number and segment length of the incoming segment. The connection remains in the


Page 64: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-64

3. If the connection is in a synchronized state (ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT), any unacceptable segment (out of window sequence number or unacceptable acknowledgment number) must elicit only an empty acknowledgment segment containing the current send-sequence number and an acknowledgment indicating the next sequence number expected to be received, and the connection remains in the same state. If an incoming segment has a security level, or compartment, or precedence which does not exactly match the level, and compartment, and precedence requested for the connection, a reset is sent and connection goes to the CLOSED state. The reset takes its sequence number from the ACK field of the incoming segment.
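The three reset-generation rules above, as an added example that is not from the course slides or the RFC text: a Python decision function over a TCP state, a minimal TCB and an incoming segment. It leaves out the security/compartment and precedence checks and uses the plain receive-window test without the zero-window special cases (assumptions).

```python
# Added example (not from the course slides): RFC 793 reset-generation rules 1-3.
# Assumptions: no security/precedence checks; plain RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND
# window test. seg = {"flags", "seq", "ack" (None if no ACK), "data_len"};
# tcb = {"snd_nxt", "rcv_nxt", "rcv_wnd"}.

NON_SYNCHRONIZED = {"LISTEN", "SYN-SENT", "SYN-RECEIVED"}
SYNCHRONIZED = {"ESTABLISHED", "FIN-WAIT-1", "FIN-WAIT-2", "CLOSE-WAIT",
                "CLOSING", "LAST-ACK", "TIME-WAIT"}

def segment_len(seg):
    """SEG.LEN as RFC 793 counts it: data octets plus one each for SYN and FIN."""
    return seg["data_len"] + ("S" in seg["flags"]) + ("F" in seg["flags"])

def build_rst(seg):
    """Number the RST so the peer can match it: seq comes from the segment's ACK
    field when it has one; otherwise seq is 0 and ACK = SEG.SEQ + SEG.LEN."""
    if seg["ack"] is not None:
        return {"flags": "R", "seq": seg["ack"], "ack": None}
    return {"flags": "RA", "seq": 0, "ack": seg["seq"] + segment_len(seg)}

def respond(state, tcb, seg):
    """Return (segment to send or None, resulting state) for one incoming segment."""
    if "R" in seg["flags"]:
        return None, state                     # a reset is never answered with a reset
    if state == "CLOSED":                      # rule 1: no connection -> RST
        return build_rst(seg), "CLOSED"
    if state in NON_SYNCHRONIZED:              # rule 2: ACK for data never sent -> RST
        if seg["ack"] is not None and seg["ack"] > tcb["snd_nxt"]:
            return build_rst(seg), state
        return None, state                     # acceptable; normal processing not modelled
    if state in SYNCHRONIZED:                  # rule 3: unacceptable -> empty ACK, never RST
        in_window = tcb["rcv_nxt"] <= seg["seq"] < tcb["rcv_nxt"] + tcb["rcv_wnd"]
        ack_ok = seg["ack"] is None or seg["ack"] <= tcb["snd_nxt"]
        if not (in_window and ack_ok):
            return {"flags": "A", "seq": tcb["snd_nxt"], "ack": tcb["rcv_nxt"]}, state
        return None, state
    raise ValueError(f"unknown TCP state {state!r}")

if __name__ == "__main__":
    # Constructed sample: a SYN to a port with no listener (rule 1) and a stray
    # out-of-window segment on an established connection (rule 3).
    print(respond("CLOSED", {}, {"flags": "S", "seq": 1000, "ack": None, "data_len": 0}))
    tcb = {"snd_nxt": 101, "rcv_nxt": 500, "rcv_wnd": 1000}
    print(respond("ESTABLISHED", tcb, {"flags": "A", "seq": 9000, "ack": 101, "data_len": 10}))
```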

Page 65: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-65

FIN Scan

RFC 793 says:

Listening port should not respond to a FIN
Non-listening port should respond with RESET/ACK
Hackers can use this to map listening ports with FIN scan.

Sealthy.com.50141>victim.org.5: F 0:0(0) win4096 DF
Sealthy.com.50141>victim.org.3: F 0:0(0) win4096 DF
Sealthy.com.50141>victim.org.26: F 0:0(0) win4096 DF
Sealthy.com.50141>victim.org.45: F 0:0(0) win4096 DF
Sealthy.com.50141>victim.org.17: F 0:0(0) win4096 DF
Sealthy.com.50141>victim.org.80: F 0:0(0) win4096 DF
…
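An added example, not from the slides, that reads tcpdump TCP lines like the ones above and reports sources sending bare FIN probes (no ACK, no data) to many ports; the client.example line, the threshold and the regular expression are constructed here.

```python
import re
from collections import defaultdict

# Added example (not from the course slides): flag hosts that send bare FIN
# segments, with no ACK and no data, to many ports, the FIN-scan behaviour
# described above. The client.example line in SAMPLE is constructed.
TCP_LINE = re.compile(
    r"^(?P<src>\S+)\.(?P<sport>\d+)\s*>\s*(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPU.]+)\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)"
    r"(?:\s+ack\s+(?P<ack>\d+))?")

def parse_tcp_line(line):
    """Fields of one tcpdump TCP line (old 'F 0:0(0) win ...' style), else None."""
    m = TCP_LINE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "len"):
        d[key] = int(d[key])
    d["ack"] = int(d["ack"]) if d["ack"] is not None else None
    return d

def fin_scan_sources(lines, min_ports=5):
    """Map each source to the sorted ports it probed with a bare FIN (flag F
    only, zero payload, no ack field) and keep sources hitting at least
    min_ports distinct ports. A FIN that closes a real session rides on an
    ACK, so the ack test keeps normal connection teardown out of the count."""
    probes = defaultdict(set)
    for line in lines:
        seg = parse_tcp_line(line)
        if seg and seg["flags"] == "F" and seg["len"] == 0 and seg["ack"] is None:
            probes[seg["src"]].add(seg["dport"])
    return {src: sorted(p) for src, p in probes.items() if len(p) >= min_ports}

# Constructed sample: the slide's six probes plus a legitimate FIN/ACK that ends
# a normal HTTP session and must not be counted as a probe.
SAMPLE = """
Sealthy.com.50141>victim.org.5: F 0:0(0) win4096 DF
Sealthy.com.50141>victim.org.3: F 0:0(0) win4096 DF
Sealthy.com.50141>victim.org.26: F 0:0(0) win4096 DF
Sealthy.com.50141>victim.org.45: F 0:0(0) win4096 DF
Sealthy.com.50141>victim.org.17: F 0:0(0) win4096 DF
Sealthy.com.50141>victim.org.80: F 0:0(0) win4096 DF
client.example.1025 > victim.org.80: F 1421:1421(0) ack 88 win 8760 (DF)
""".strip().splitlines()

if __name__ == "__main__":
    print(fin_scan_sources(SAMPLE))   # {'Sealthy.com': [3, 5, 17, 26, 45, 80]}
```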

Page 66: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-66

Jolt2 DoS

Attack designed to consume memory in Windows boxes.
Sends an endless stream of ICMP echo requests as fragments:

Same fragment ID
Same non-zero fragment offsets

Ex:
verbo.com>win98.com: (frag 1109:9@65520)
verbo.com>win98.com: (frag 1109:9@65520)
…
Receiver keeps trying to reassemble, find header, etc.
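An added example, not part of the slides, that parses tcpdump fragment lines and reports a source resending the same non-zero-offset fragment over and over, as in the Jolt2 trace above; the fileserver.example lines and the threshold are constructed.

```python
import re
from collections import Counter

# Added example (not from the course slides): spot the Jolt2 pattern shown
# above in tcpdump fragment lines, i.e. one source resending the same
# (id, non-zero offset) fragment so the receiver's reassembly never finishes.
FRAG_LINE = re.compile(
    r"^(?P<src>\S+)\s*>\s*(?P<dst>\S+):\s+\(frag\s+"
    r"(?P<id>\d+):(?P<size>\d+)@(?P<off>\d+)(?P<more>\+?)\)")

def parse_frag_line(line):
    """tcpdump prints 'frag id:size@offset', with a trailing '+' while more
    fragments follow. Return the fields as a dict, or None if not a fragment."""
    m = FRAG_LINE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {"src": d["src"], "dst": d["dst"], "id": int(d["id"]),
            "size": int(d["size"]), "off": int(d["off"]), "more": d["more"] == "+"}

def jolt2_suspects(lines, threshold=3):
    """Count repeats of each non-first fragment per (src, dst, id, offset) and
    return those seen at least threshold times. Normal fragmentation emits each
    (id, offset) once, and the datagram starts with an offset-0 fragment."""
    seen = Counter()
    for line in lines:
        f = parse_frag_line(line)
        if f is not None and f["off"] != 0:
            seen[(f["src"], f["dst"], f["id"], f["off"])] += 1
    return {key: n for key, n in seen.items() if n >= threshold}

# Constructed sample: four copies of the slide's Jolt2 fragment plus one
# ordinary two-fragment datagram (first piece at offset 0, marked '+').
SAMPLE = [
    "verbo.com>win98.com: (frag 1109:9@65520)",
    "verbo.com>win98.com: (frag 1109:9@65520)",
    "verbo.com>win98.com: (frag 1109:9@65520)",
    "verbo.com>win98.com: (frag 1109:9@65520)",
    "fileserver.example>win98.com: (frag 2001:1480@0+)",
    "fileserver.example>win98.com: (frag 2001:20@1480)",
]

if __name__ == "__main__":
    print(jolt2_suspects(SAMPLE))   # {('verbo.com', 'win98.com', 1109, 65520): 4}
```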

Page 67: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-67

Analyze this

Router.com>1.2.10.72: icmp: time exceeded in-transit

Router.com>1.2.18.13: icmp: time exceeded in-transit

Router.com>1.2.11.67: icmp: time exceeded in-transit

Router.com>1.2.16.13: icmp: time exceeded in-transit…

Page 68: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-68

Ex: Unexpected Responses

Router.com>1.2.10.72: icmp: time exceeded in-transit
Router.com>1.2.18.13: icmp: time exceeded in-transit
Router.com>1.2.11.67: icmp: time exceeded in-transit
Router.com>1.2.16.13: icmp: time exceeded in-transit
…

Note all “responses” come from Router.com, but no traffic was sent from the 1.2 network. It can’t be surveillance of the 1.2 network because there are no responses to the ICMP traffic. The most likely explanation is traffic sent to Router.com by someone spoofing the 1.2 network.

Sometimes such traffic is called “backscatter.”
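The stimulus-or-response check behind this reasoning, as an added example that is not from the slides: inbound ICMP messages to our address space are flagged when the capture shows nothing ever leaving from that address. The local network 1.2.0.0/16, the host 1.2.3.4 and the far.example exchange are assumptions.

```python
import ipaddress
import re

# Added example (not from the course slides): the "stimulus or response?"
# test behind the backscatter reasoning above. An inbound ICMP message aimed
# at our address space is flagged when the capture shows no packet ever
# leaving from that address, which is what replies to spoofed traffic look like.
LINE = re.compile(r"^(?P<src>\S+)\s*>\s*(?P<dst>\S+):\s+(?P<rest>.*)$")

def parse_line(line):
    """Split a tcpdump line into source, destination and the rest, else None."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def in_net(host, net):
    """True when host is a literal IP inside net; host names count as outside."""
    try:
        return ipaddress.ip_address(host) in net
    except ValueError:
        return False

def unsolicited_icmp(lines, local_net):
    """Return inbound ICMP records whose local destination never sent anything.
    Assumes lines were captured at our border, so a genuine stimulus from a
    local host would appear as an outbound line in the same capture."""
    net = ipaddress.ip_network(local_net)
    records = [r for r in map(parse_line, lines) if r]
    talked = {r["src"] for r in records if in_net(r["src"], net)}
    return [r for r in records
            if r["rest"].startswith("icmp:") and in_net(r["dst"], net)
            and r["dst"] not in talked]

# Constructed sample: the slide's four lines plus a genuine exchange, where
# our host 1.2.3.4 sends an echo request first and then gets an ICMP error back.
SAMPLE = [
    "Router.com>1.2.10.72: icmp: time exceeded in-transit",
    "Router.com>1.2.18.13: icmp: time exceeded in-transit",
    "Router.com>1.2.11.67: icmp: time exceeded in-transit",
    "Router.com>1.2.16.13: icmp: time exceeded in-transit",
    "1.2.3.4>far.example: icmp: echo request",
    "Router.com>1.2.3.4: icmp: time exceeded in-transit",
]

if __name__ == "__main__":
    for r in unsolicited_icmp(SAMPLE, "1.2.0.0/16"):
        print("no stimulus seen for", r["dst"], "<-", r["src"], r["rest"])
```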

Page 69: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-69

READ: Ref: Inferring Internet DoS Activity
Paper by Moore, Voelker, and Savage in 2001 (www.cs.ucsd.edu/~savage/papers/UsenixSec01.pdf).

• Introduces “Backscatter Analysis”, used in a Class A network to project worldwide DoS attack numbers.
• Observed more than 12,000 attacks against more than 5,000 targets.
• Found that 90-94% of attacks are TCP based, followed by UDP and ICMP.
• Obtained many other characteristics, including types, rates, and durations of attacks.

Page 70: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-70

DNS: Domain Name System

People: many identifiers: SSN, name, passport #

Internet hosts, routers:
IP address (32 bit) - used for addressing datagrams
“name”, e.g., gaia.cs.umass.edu - used by humans

Q: map between IP addresses and name?

Domain Name System:
distributed database implemented in hierarchy of many name servers
application-layer protocol: hosts, routers, name servers communicate to resolve names (address/name translation)

note: core Internet function, implemented as application-layer protocol
complexity at network’s “edge”

Page 71: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-71

DNS name servers

no server has all name-to-IP address mappings

local name servers:
each ISP, company has local (default) name server
host DNS query first goes to local name server

authoritative name server:
for a host: stores that host’s IP address, name
can perform name/address translation for that host’s name

Why not centralize DNS?
single point of failure
traffic volume
distant centralized database
maintenance

doesn’t scale!

Page 72: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-72

DNS: Root name servers
contacted by local name server that can not resolve name
root name server:

contacts authoritative name server if name mapping not known
gets mapping
returns mapping to local name server

a NSI Herndon, VA
b USC-ISI Marina del Rey, CA
c PSInet Herndon, VA
d U Maryland College Park, MD
e NASA Mt View, CA
f Internet Software C. Palo Alto, CA
g DISA Vienna, VA
h ARL Aberdeen, MD
i NORDUnet Stockholm
j NSI (TBD) Herndon, VA
k RIPE London
l ICANN Marina del Rey, CA
m WIDE Tokyo

13 root name servers worldwide

Page 73: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-73

; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
;
; last update: Nov 5, 2002
; related version of root zone: 2002110501
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
;
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
;
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
;
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
;
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
;
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33

Page 74: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-74

Simple DNS example

host surf.eurecom.fr wants IP address of gaia.cs.umass.edu

1. contacts its local DNS server, dns.eurecom.fr

2. dns.eurecom.fr contacts root name server, if necessary

3. root name server contacts authoritative name server, dns.umass.edu, if necessary

Figure: requesting host surf.eurecom.fr asks local name server dns.eurecom.fr, which asks the root name server, which asks authoritative name server dns.umass.edu for gaia.cs.umass.edu; the answer returns along the same path (steps 1-6).

Page 75: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-75

DNS example

Root name server:
may not know authoritative name server
may know intermediate name server: whom to contact to find authoritative name server

Figure: requesting host surf.eurecom.fr, local name server dns.eurecom.fr, root name server, intermediate name server dns.umass.edu, authoritative name server dns.cs.umass.edu; resolving gaia.cs.umass.edu takes steps 1-8.

Page 76: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-76

DNS: iterated queries

recursive query:
puts burden of name resolution on contacted name server
heavy load?

iterated query:
contacted server replies with name of server to contact
“I don’t know this name, but ask this server”

Figure: same hosts as the previous example (requesting host surf.eurecom.fr, local name server dns.eurecom.fr, root name server, intermediate name server dns.umass.edu, authoritative name server dns.cs.umass.edu), steps 1-8, with the root name server answering the local name server by iterated query.

Page 77: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-77

DNS: caching and updating records

once (any) name server learns mapping, it caches mapping

cache entries timeout (disappear) after some time

update/notify mechanisms under design by IETF
RFC 2136
http://www.ietf.org/html.charters/dnsind-charter.html

Page 78: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-78

DNS records

DNS: distributed db storing resource records (RR)

RR format: (name, value, type, ttl)

Type=NS
name is domain (e.g. foo.com)
value is IP address of authoritative name server for this domain

Type=A
name is hostname
value is IP address

Type=CNAME
name is alias name for some “canonical” (the real) name
www.ibm.com is really servereast.backup2.ibm.com
value is canonical name

Type=MX
value is name of mailserver associated with name

Page 79: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-79

DNS protocol, messages

DNS protocol: query and reply messages, both with same message format

msg header
identification: 16 bit # for query, reply to query uses same #
flags:
query or reply
recursion desired
recursion available
reply is authoritative

Page 80: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-80

DNS protocol, messages

Name, type fields for a query

RRs in response to query

records for authoritative servers

additional “helpful” info that may be used

Page 81: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-81

DNS Example (lookup www.sans.org)

host.my.com.1716>dns.my.com.53: 1+ (35)
dns.my.com.53>h.root-servers.net.53: 12420 (30) DF
h.root-servers.net.53> dns.my.com.53: 12420- 0/3/3 (153) (DF)
dns.my.com.53>server1.sans.org.53: 12421+ (30) (DF)
server1.sans.org.53> dns.my.com.53: 12421* 1/3/3 (172)
dns.my.com.53> host.my.com.1716: 1* 1/3/3 (197) (DF)

Notes:
You might not see all traffic depending on your network.
No acks appear because the DNS application is using UDP.
The + indicates a “recursive” request (find the answer).
The – indicates no recursive request was made.
The * indicates an authoritative response.
Local DNS server will cache response for a time (TTL).
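An added example, not from the slides, that parses the tcpdump DNS lines above (identification number, the +/-/* marks, and the answer/authority/additional counts), pairs each reply with its query by id and host pair, and reports replies nobody asked for; the stray.example line is constructed.

```python
import re

# Added example (not from the course slides): parse the tcpdump DNS lines above
# and pair replies with queries; the stray.example line in SAMPLE is constructed.
DNS_LINE = re.compile(
    r"^(?P<src>\S+)\.(?P<sport>\d+)\s*>\s*(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<id>\d+)(?P<marks>[+*\-|]*)\s*"
    r"(?:(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)\s+)?\((?P<len>\d+)\)")

def parse_dns_line(line):
    """Fields of one tcpdump DNS line, or None. tcpdump prints the
    answer/authority/additional counts only for replies, which tells them apart."""
    m = DNS_LINE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {"src": d["src"], "dst": d["dst"], "id": int(d["id"]),
            "is_reply": d["an"] is not None,
            "recursion_desired": "+" in d["marks"],     # '+' on a query
            "recursion_unavailable": "-" in d["marks"], # '-' on a reply (RA clear)
            "authoritative": "*" in d["marks"],         # '*' on a reply
            "counts": (tuple(int(d[k]) for k in ("an", "ns", "ar"))
                       if d["an"] is not None else None)}

def match_transactions(lines):
    """Pair each reply with the query carrying the same id between the same two
    hosts. Returns (completed transactions, replies with no matching query)."""
    pending, done, unmatched = {}, [], []
    for rec in filter(None, map(parse_dns_line, lines)):
        if not rec["is_reply"]:
            pending[(rec["id"], rec["src"], rec["dst"])] = rec
            continue
        query = pending.pop((rec["id"], rec["dst"], rec["src"]), None)
        if query is None:              # nobody asked: stray, late or spoofed reply
            unmatched.append(rec)
            continue
        an, ns, _ = rec["counts"]
        done.append({"id": rec["id"], "client": query["src"], "server": query["dst"],
                     "recursive": query["recursion_desired"],
                     "authoritative": rec["authoritative"],
                     "referral": an == 0 and ns > 0,   # no answer, only NS records
                     "counts": rec["counts"]})
    return done, unmatched

# Constructed sample: the slide's six lines plus one reply nobody asked for.
SAMPLE = """
host.my.com.1716>dns.my.com.53: 1+ (35)
dns.my.com.53>h.root-servers.net.53: 12420 (30) DF
h.root-servers.net.53> dns.my.com.53: 12420- 0/3/3 (153) (DF)
dns.my.com.53>server1.sans.org.53: 12421+ (30) (DF)
server1.sans.org.53> dns.my.com.53: 12421* 1/3/3 (172)
dns.my.com.53> host.my.com.1716: 1* 1/3/3 (197) (DF)
stray.example.53 > dns.my.com.53: 777* 1/0/0 (60)
""".strip().splitlines()
```

Running `match_transactions(SAMPLE)` yields the root referral (0/3/3, not authoritative), the authoritative answer from server1.sans.org, the final answer to host.my.com, and the id 777 reply in the unmatched list.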

Page 82: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-82

Reverse Lookups

DNS resolver actually issues a GetHostByName request to its local server. Reverse is available: GetHostByNumber.
When DNS attempts a reverse lookup for 12.33.247.6, the application software reformats it to 6.247.33.12.in-addr.arpa

Arpa domain server available to handle
• In-addr is sub-server

Search done from least specific to most specific (6 ..arpa).

Page 83: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-83

The SANS Practicals
Based on work done by candidates for the Intrusion Detection Professional Certification from the Global Incident Analysis Center. See www.giac.org/GCIA.php
Standard Analysis Pattern:

Network or system log trace of event of interest.
Source of the detect – such as SNORT.
Probability that source address was spoofed.
Description of attack
Attack mechanism
Correlation
Evidence of active targeting.

Page 84: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-84

Big-3 Falsehoods

False Positives
Occurs when a filter matches traffic other than the attack traffic that it was designed to detect.

False Negatives
Occurs when one fails to detect malicious traffic.

False Interpretations
Occurs when an analysis results in a mistaken impression of what really is occurring.

GIAC says current practical format is designed to mitigate these problems.

Page 85: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-85

Source of the detection

SNORT, Shadow, Cisco PIX Firewall, …
Version of the code

Do you have the filter or rule set being used?
Do you have the access violation or filter that triggered the detection?
Analyze the log file carefully.

Page 86: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-86

Probability that Source was Spoofed.
Attempt to sort into one of three:

Probably spoofed
Probably not spoofed
Third party or backscatter (someone uses your address space to attack elsewhere).

Note: reconnaissance does not usually work if source is spoofed (attacker could be listening nearby, however).
TCP packets are not usually spoofed if the 3-way handshake completes.
Despoof is a freeware open-source utility that attempts to determine spoofing using TTL (http://razor.bindview.com/tools/).

Page 87: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-87

Description of Attack

Intent of this is obvious.
Note many, many attacks are already documented at various security web sites.
Favorites according to insecure.org magazine subscribers include those on the next slide. Top 53 listed at http://seclists.org/lists/nmap-hackers/2003/Oct-Dec/0003.html

Page 88: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-88

276 securityfocus.com 159 packetstormsecurity.nl 92 sans.org 86 cert.org 46 securiteam.com 38 linuxsecurity.com 37 phrack.org 30 neworder.box.sk 29 slashdot.org 24 google.com 18 securitynewsportal.com 17 infosyssec.com 15 snort.org 15 honeynet.org 15 dshield.org 15 astalavista.com 13 whitehats.com 13 incidents.org 12 microsoft.com 12 iss.net 11 cisecurity.org 10 networkintrusion.co.uk

10 isc.incidents.org 10 grc.com 10 foundstone.com 10 cve.mitre.org 10 atstake.com 10 astalavista.box.sk 9 security-forums.com 9 packetstorm.org 9 net-security.org 9 nessus.org 9 hack.co.za 9 deadly.org 9 attrition.org 8 samspade.org 7 zone-h.org 7 secureroot.com

7 packetfactory.net 7 openbsd.org 7 counterpane.com 7 2600.com 6 theregister.co.uk 6 thc.org 6 team-teso.net 6 symantec.com 6 securitytracker.com 6 phoneboy.com 6 ntbugtraq.com 6 netsys.com 6 neohapsis.com 6 heise.de 6 antionline.com 5 tlsecurity.net 5 sourceforge.net 5 icat.nist.gov 5 hackingexposed.com 5 eeye.com 5 cotse.com

Page 89: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-89

Correlations

Idea is to correlate present activity to known attack or scanning patterns. Rare to find anything totally new (especially with SNORT!)
If convinced it is new, you can report to SANS ([email protected]) or elsewhere.

Page 90: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-90

Active Targeting

Are we really targeted or just receiving packets at random?
Targeting a specific host? (Already have reconnaissance info?)
General scan of your network? (Attack may be next.)
Just a mis-addressed packet?

Page 91: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-91

Attack Mechanism Questions
Stimulus or response?
What service is targeted?
Does the service have known vulnerabilities or exposures?
Is this benign? An exploit? Denial of Service? Reconnaissance?
What is this? User.somewhere.org:60000>me.at.home:2140 UDP TTL:50 TOS:0x0 ID:2320 Len: 10

Page 92: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-92

Steps to identify - varied

Here port 60000 looks unique, so check with Google and quickly find it is associated with a trojan called “deepthroat.” Then go, for example, to http://sh1204.sajthotellet.com/trojanhunter/portlist/ to determine that responses from the trojan usually appear on port 2140. Confirms!

Page 93: TCPDump and WinDump - Florida Institute of Technology

Network Security 1-93

Review Tadaaki Nagao Practical