Network Intrusion Detection, Third Edition

00:32:50.286098 192.168.4.5 > prober: icmp:192.168.8.255 unreach

What is the origin of the ip-proto-191 notation? TCPdump tries to figure out the IP protocol by looking at the appropriate field in the IP header. TCPdump knows the common protocol translations. If it finds a 1 in this field, it labels it as ICMP in the output—6 is TCP, and 17 is UDP. If it is not a protocol that it knows about, however, it uses the ip-proto notation with the number that it discovered in the protocol field.

The preceding output also shows a response from 192.168.4.5. This response, in itself, supplies some reconnaissance about the network. Even if you do not get a protocol unreachable, you still have every chance of seeing a host unreachable.

Summary

Analysts make many common mistakes. These include misdiagnosing SYN floods and the traffic of misconfigured networks as attacks, and being too quick to match a signature. If possible, try to avoid sending false positives to your CIRT.

Some of the tricks attackers use for either stealth or better penetration, such as setting both the SYN and FIN flags, make these packets trivially detectable.

Appendix B. Denial of Service

In February 2000, denial-of-service attacks were the hot topic. With a network of more than 2,000 compromised systems, most of them compromised via a DNS buffer overflow, attackers shut down major high-profile Internet sites such as CNN and eBay. Although the end of this chapter covers these attacks, they are the exception and not the rule for denial of service. In general, denial-of-service attacks groan on and on, doing little harm besides wasting people's time and bandwidth and occasionally crashing a system. In the vast majority of these attacks, the source address is faked or "spoofed." Please be very slow to phone the owners of the address space that you think just hit you with a denial of service and read them the riot act! One day it might be your address that is spoofed. This is a short chapter divided into two sections. The first section deals with denial-of-service brute-force attacks that are widespread and regularly detected even if they are not all that well known. The second section includes additional well-known attacks, but these are more elegant; in fact, they tend to be one-packet kills—that is, a single attacker packet that can freeze or shut down a system.

Brute-Force Denial-of-Service Traces

These brute-force patterns have reached a point that they are known by almost all Internet institutions. The curious thing is that I still find sites and systems vulnerable to these attacks.

Keep in mind that one of the characteristics of many of the denial-of-service attacks is that the attacker can use one of your systems to cause harm to someone else. The fixes are well published and well understood; please implement them. Only you can prevent SYN floods, UDP floods, Smurf, and Echo-Chargen!

Smurf

The Smurf attack has no effect except to consume bandwidth. The most important thing to consider with regard to the effectiveness of Smurf is that for your site's Internet connection to run smoothly, you depend on the security policy of other people's sites. This is a very old attack, but you still see it deployed with the most current attack tools. Smurf is still deployed for exactly one reason: It still works. In the following case, spoofed.pound.me.net almost certainly did not really send the echo request to 192.168.1.255. Instead, an outside computer interjects this into the network, as shown in Figure B.1. The poor spoofed addressee will potentially get hit with a large number of ICMP echo replies. If spoofed is on a slow Internet connection, this might be harmful; and if a large number of hosts reply to the Smurf, damage can be done to fast networks.

Figure B.1. ICMP denial of service.

Cisco published the following field notice titled "Minimizing the Effects of 'Smurfing' Denial of Service Attacks." The following quotation is from that document:

A Scenario: Assume a co-location switched network with 100 hosts, and that the attacker has a T1. The attacker sends, for example, a 768 kbps stream of ICMP echo (ping) packets, with a spoofed source address of the victim, to the broadcast address of the "bounce site." These ping packets hit the bounce site's broadcast network of 100 hosts. Each of them takes the packet and responds to it, creating 100 ping replies outbound. By multiplying the bandwidth, you see that 76.8 Mbps is used outbound from the "bounce site" after the traffic is multiplied. This is then sent to the victim (the spoofed source of the originating packets).1

1. www.cisco.com/warp/public/707/5.html

I chose to reference a Cisco technical manual because Cisco routers—the most widely deployed routers in the world—are one of the primary keys to eliminating Smurf attacks. Let's examine how the attack works and then the countermeasures:

00:00:05.327 spoofed.pound.me.net > 192.168.15.255: icmp: echo request
00:00:05.342 spoofed.pound.me.net > 192.168.1.255: icmp: echo request
00:00:14.154 spoofed.pound.me.net > 192.168.15.255: icmp: echo request
00:00:14.171 spoofed.pound.me.net > 192.168.1.255: icmp: echo request
00:00:19.055 spoofed.pound.me.net > 192.168.15.255: icmp: echo request
00:00:19.073 spoofed.pound.me.net > 192.168.1.255: icmp: echo request
00:00:23.873 spoofed.pound.me.net > 192.168.15.255: icmp: echo request

All for One

Many denial-of-service attacks and network-mapping probes use broadcasts, packets addressed to all members of a network, to accomplish their purposes. RFC 919 sets several standards for broadcasts, including the rule that 255.255.255.255 must not be forwarded by a router or routing host.

How did 255.255.255.255 come to be? The local network layer can always map an IP address into a data link layer address. Think about switched networks—that is exactly how they work. So, the choice of an IP "broadcast host number" is somewhat arbitrary. Something needed to be selected, and it seemed reasonable that it should be one that was not likely to be assigned to a real host. The number whose bits are all 1s had this property. Keep the idea of all 1s in mind; we will look at patterns where the broadcast is not 255.255.255.255 due to subnet masking, but the all 1s remains true.

The address 255.255.255.255 denotes a broadcast on a local hardware network, which must not be forwarded by a router or routing host. This address might be used, for example, by hosts that do not know their network number and are asking some server for it. A common case of this is a diskless workstation; as it is booting up, it broadcasts a request for help in finding its operating system. Its server hears the request and answers, providing the next step in the boot up process and then the customized files this system needs to do its job.

Therefore, a host on net 36, for example, might do the following:

Broadcast to all of its immediate neighbors by using 255.255.255.255

Broadcast to all of net 36 by using 36.255.255.255

(Note that unless the network has been broken up into subnets, these two methods have identical effects.)

If the use of "all 1s" in an octet of an IP address means "broadcast," using "all 0s" could be viewed as meaning "unspecified." There is probably no reason for such addresses to appear anywhere but as the source address of a bootp. bootp is one of the protocols used to help diskless systems and routers load their operating systems and configuration files. Although there is a legacy ICMP Information Request datagram, these are obsolete and should not occur in normal traffic. As a notational convention, however, we refer to networks (as opposed to hosts) by using addresses with 0 fields. For example, 36.0.0.0 means "network number 36," whereas 36.255.255.255 means "all hosts on network number 36."2

2. www.library.ucg.ie/Connected/RFC/919/7.htm

Directed Broadcast

If you detect a pattern such as the following, with a destination of 255.255.255.255, the odds are that it was sent as a directed broadcast to one of your subnets and has been expanded by your router, as shown here:

1. A packet originally destined for 172.20.4.255 assumes a netmask of 255.255.255.0, the size of a Class C network. This broadcasts to all hosts of the 172.20.4 network.

2. A router, possibly in your organization, has the 172.20.4 interface. When it copies the packet from the Internet and rebuilds it on the 172.20.4 interface, it expands the broadcast, thereby referencing all hosts served by that interface. Therefore, it rewrites the broadcast as 255.255.255.255.

In the following trace, the broadcast has been expanded. The all 1s broadcast is as described earlier, and the legacy all 0s broadcast has been expanded to the network portion of the netmask. Who answers these expanded pings? Every system that hears them! Therefore, one packet coming in from a spoofed address ends up being amplified to hundreds or thousands of packets. Sites whose routers forward directed broadcasts and do not block the incoming ICMP echo requests are known as Smurf amplifiers. You can find a listing of these, including the top 10, at www.powertech.no/smurf or www.netscan.org. (In this case, it is not a great honor to be in the top 10.) Take a look at the trace:

05:20:48.261 spoofed.pound.me.net > 192.168.0.0: icmp: echo request
05:20:48.263 spoofed.pound.me.net > 255.255.255.255: icmp: echo request
05:21:35.792 spoofed.pound.me.net > 192.168.0.0: icmp: echo request
05:21:35.819 spoofed.pound.me.net > 255.255.255.255: icmp: echo request
05:22:16.909 spoofed.pound.me.net > 192.168.0.0: icmp: echo request
05:22:16.927 spoofed.pound.me.net > 255.255.255.255: icmp: echo request
05:22:58.046 spoofed.pound.me.net > 192.168.0.0: icmp: echo request
05:22:58.061 spoofed.pound.me.net > 255.255.255.255: icmp: echo request
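The following is an added example (not code from the book) that puts the RFC 919 rules from "All for One" and the router expansion described under "Directed Broadcast" into a script: it classifies a destination as a limited, directed or legacy all-0s broadcast, models the rewrite to 255.255.255.255 on the destination segment, and scans tcpdump-style lines for echo requests to those addresses, tallying them by spoofed source, since that is the real victim. The subnet inventory LOCAL_SUBNETS, the function names and the two ordinary packets at the end of SAMPLE_TRACE are assumptions; the amplification figure reproduces the Cisco scenario quoted earlier.

```python
"""Broadcast forms from RFC 919 and a Smurf scan over tcpdump-style lines.

Added example; not from the book. The subnet inventory and the last two
trace lines are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Assumed inventory: the site aggregate plus the /24s behind our router.
# A /24 and the /16 it belongs to both appear, which is why 192.168.1.0 is
# a legitimate host of the /16 and the legacy all-0s broadcast of the /24.
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "192.168.1.0/24", "192.168.15.0/24", "172.20.4.0/24")]

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def broadcast_kind(dst, subnets=LOCAL_SUBNETS):
    """Classify a destination: 'limited' (all 1s), 'directed' (host bits all 1s
    for one of our subnets), 'legacy-all-0s' (4.2BSD style), or None for unicast."""
    addr = ipaddress.ip_address(dst)
    if addr == LIMITED_BROADCAST:
        return "limited"
    for net in subnets:
        if addr == net.broadcast_address:
            return "directed"
        if addr == net.network_address:
            return "legacy-all-0s"
    return None


def router_expands(dst, interface_subnet):
    """What a router that forwards directed broadcasts puts on the wire of the
    destination segment: the subnet's directed broadcast becomes 255.255.255.255."""
    net = ipaddress.ip_network(interface_subnet)
    if ipaddress.ip_address(dst) == net.broadcast_address:
        return str(LIMITED_BROADCAST)
    return dst


def amplification_mbps(attacker_kbps, responding_hosts):
    """Cisco's scenario: every host on the bounce segment answers each echo request."""
    return attacker_kbps * responding_hosts / 1000


# "HH:MM:SS.frac src > dst: icmp: echo request" as older tcpdump prints it.
ECHO_REQ = re.compile(r"^(\S+)\s+(\S+)\s+>\s+([^\s:]+):\s+icmp:\s+echo request$")


def smurf_scan(lines, subnets=LOCAL_SUBNETS):
    """Return the echo requests aimed at a broadcast address and a per-source
    tally; the source is the spoofed victim, not the attacker."""
    hits, victims = [], Counter()
    for line in lines:
        m = ECHO_REQ.match(line.strip())
        if not m:
            continue
        ts, src, dst = m.groups()
        kind = broadcast_kind(dst, subnets)
        if kind:
            hits.append((ts, src, dst, kind))
            victims[src] += 1
    return hits, victims


# Lines modelled on the traces in this section, plus a constructed ordinary
# ping and its reply, which must not be flagged.
SAMPLE_TRACE = [
    "05:20:48.261 spoofed.pound.me.net > 192.168.0.0: icmp: echo request",
    "05:20:48.263 spoofed.pound.me.net > 255.255.255.255: icmp: echo request",
    "05:21:35.792 spoofed.pound.me.net > 192.168.1.255: icmp: echo request",
    "05:21:35.819 192.168.4.5 > 192.168.1.7: icmp: echo request",
    "05:21:36.001 192.168.1.7 > 192.168.4.5: icmp: echo reply",
]

if __name__ == "__main__":
    hits, victims = smurf_scan(SAMPLE_TRACE)
    for h in hits:
        print("%s %s > %s  [%s broadcast]" % h)
    print("likely victim(s):", dict(victims))
    print("172.20.4.255 on its /24 goes out as",
          router_expands("172.20.4.255", "172.20.4.0/24"))
    print("Cisco scenario: %.1f Mbps" % amplification_mbps(768, 100))
```

Run it and the three broadcast-bound requests come out flagged while the ordinary ping and its reply do not. The scan needs an inventory because "host bits all 1s" is only defined relative to a mask; without one you can still catch 255.255.255.255 and the .255 and .0 endings of /24s, but nothing else.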

In terms of countermeasures, you can build perimeter defenses that are denial-of-service resistant. Instead of connecting a proxy or application gateway firewall directly to your Internet connection, you might want to have a router first. After all, routers are more efficient at blocking high-bandwidth attacks simply because they are designed to operate at "wire speeds." You should also block outgoing packets that have a source address not from your network; this is known as egress filtering. You can find examples of egress filtering for a large number of routers and firewalls in the GCFW practical assignments at www.giac.org/cert.php. Many denial-of-service attacks use spoofed source addresses. If you do not let them onto the Internet, you are being a good net-neighbor. Needless to say, if one of your systems is sending out spoofed addresses, that is a clue that this box might have been compromised.
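As an added example (not from the book, the GCFW assignments or Cisco), here is the egress check in code: packets seen leaving the site whose source is not in our address space are what the filter must drop, and the same test reversed is ingress filtering. The script also prints the equivalent Cisco-style extended access list built from the prefix list. OUR_PREFIXES, the ACL number, the interface name and the three sample packets are assumptions, and the sample lines are in tcpdump -n form (numeric addresses, port appended as a final dotted component).

```python
"""Egress filtering: flag packets leaving the site whose source address is
not ours, and emit the equivalent Cisco-style access list.

Added example, not from the book or from Cisco. OUR_PREFIXES, the ACL
number, the interface name and the sample packets are assumptions.
"""
import ipaddress
import re

OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.168.0.0/16", "172.20.4.0/24")]

# "HH:MM:SS.frac src > dst: rest"
PKT = re.compile(r"^\S+\s+(\S+)\s+>\s+([^\s:]+):")


def host_of(field):
    """IPv4 address from a tcpdump 'a.b.c.d' or 'a.b.c.d.port' field, else None."""
    for cand in (field, field.rsplit(".", 1)[0]):
        try:
            return ipaddress.ip_address(cand)
        except ValueError:
            pass
    return None


def is_ours(addr):
    return any(addr in net for net in OUR_PREFIXES)


def spoofed_sources(lines, direction):
    """direction 'out': packets leaving with a source that is not ours (egress
    filtering); 'in': packets arriving that claim one of our own sources (the
    ingress counterpart). Sources that cannot be parsed are reported too."""
    bad = []
    for line in lines:
        m = PKT.match(line)
        if not m:
            continue
        src = host_of(m.group(1))
        if src is None:
            bad.append((line, "unparsable source"))
        elif direction == "out" and not is_ours(src):
            bad.append((line, "not our address space"))
        elif direction == "in" and is_ours(src):
            bad.append((line, "claims our address space"))
    return bad


def cisco_egress_acl(number=110, iface="Serial0", prefixes=OUR_PREFIXES):
    """Extended ACL permitting only our prefixes as source, applied outbound on
    the Internet-facing interface. Cisco wildcard masks are the inverse netmask,
    which ipaddress exposes as hostmask. Interface name is hypothetical."""
    lines = [f"access-list {number} permit ip {net.network_address} {net.hostmask} any"
             for net in prefixes]
    lines.append(f"access-list {number} deny ip any any log")
    lines += [f"interface {iface}", f" ip access-group {number} out"]
    return lines


# Constructed: three packets seen leaving on the outside interface.
OUTBOUND = [
    "09:01:02.100 192.168.4.5.1034 > 203.0.113.9.80: S 1:1(0) win 8192",
    "09:01:02.200 10.9.9.9 > 203.0.113.9: icmp: echo request",
    "09:01:02.300 172.20.4.17.53 > 203.0.113.9.53: udp 40",
]

if __name__ == "__main__":
    for line, why in spoofed_sources(OUTBOUND, "out"):
        print("DROP (%s): %s" % (why, line))
    print("\n".join(cisco_egress_acl()))
```

The ACL is the egress half only; the Smurf-specific fix on the same router is the interface command no ip directed-broadcast, which the Cisco notice cited above recommends and which is the default from IOS 12.0 on. A host that shows up in the DROP list is also the compromise clue the text mentions: something on it is writing raw packets with a foreign source address.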

Echo-Chargen

Echo-Chargen is another example of a classic brute-force attack that uses poorly defended sites and poorly configured systems as amplifiers. This attack mostly looks for UNIX systems as amplifiers, so it is not quite as potent as Smurf, which uses any system. You know how cartoons depict the audience at a tennis match? Everybody's head goes back and forth following the ball. This pattern is just like that, except that the heads would have to oscillate at just under the speed of light. Echo is UDP port 7; if it receives a packet, it echoes the payload back. If you send echo an "a," it replies with an "a."

Chargen (character generator) is UDP port 19. If you send Chargen any characters, it replies with a pseudorandom string of characters.

In the following trace, an outsider spoofs a number of connections to various hosts' Chargen ports. The hope is that each target will reply to the spoofed host's echo port, and a game of Echo <--> Chargen ping-pong will begin, burning bandwidth and CPU cycles at both ends.

You can still detect this in actual use, but it is becoming rarer. You can help make it rarer still. There is no reason to allow packets addressed to these ports through your organization's firewall or filtering router. These services should be commented out of your UNIX system's inetd.conf files:

08:08:16.155354 spoofed.pound.me.net.echo > 172.31.203.17.chargen: udp
08:21:48.891451 spoofed.pound.me.net.echo > 192.168.14.50.chargen: udp
08:25:12.968929 spoofed.pound.me.net.echo > 192.168.102.3.chargen: udp
08:42:22.605428 spoofed.pound.me.net.echo > 192.168.18.28.chargen: udp
08:47:21.450708 spoofed.pound.me.net.echo > 172.31.130.93.chargen: udp
08:51:27.491458 spoofed.pound.me.net.echo > 172.31.153.78.chargen: udp
08:53:13.530992 spoofed.pound.me.net.echo > 172.31.146.49.chargen: udp
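Added example, not the book's code: a scan that flags UDP packets whose source and destination ports are both small servers (echo or chargen, by name or number), which is how the loop above is started, and a helper that comments those services out of an inetd.conf. The seven trace lines are the ones shown; the bounce line, the DNS line and the inetd.conf text are constructed.

```python
"""Echo-Chargen: spot UDP packets whose two ports are both small-server
services (the setup for an echo <-> chargen loop) and comment those
services out of an inetd.conf.

Added example, not the book's code. The first seven trace lines are the
ones shown in the text; the others and the inetd.conf are constructed.
"""
import re
from collections import Counter

# UDP small servers the loop runs between; tcpdump prints them by name
# unless run with -n, so both forms are accepted.
SMALL_SERVERS = {"echo": 7, "chargen": 19}
BY_PORT = {v: k for k, v in SMALL_SERVERS.items()}

# "HH:MM:SS.frac src.sport > dst.dport: udp ..."
UDP_LINE = re.compile(r"^(\S+)\s+(\S+)\.(\w+)\s+>\s+(\S+)\.(\w+):\s+udp")


def service(port):
    """Map a tcpdump port field (name or number) to 'echo'/'chargen', else None."""
    if port.isdigit():
        return BY_PORT.get(int(port))
    return port if port in SMALL_SERVERS else None


def echo_chargen_scan(lines):
    """Return (ts, src, sport, dst, dport) for UDP packets between two small
    servers, plus a per-target tally. With a spoofed source, the target and
    the 'source' bounce packets at each other until one of them drops them."""
    hits, targets = [], Counter()
    for line in lines:
        m = UDP_LINE.match(line.strip())
        if not m:
            continue
        ts, src, sport, dst, dport = m.groups()
        if service(sport) and service(dport):
            hits.append((ts, src, service(sport), dst, service(dport)))
            targets[dst] += 1
    return hits, targets


def disable_small_servers(inetd_conf, names=tuple(SMALL_SERVERS)):
    """Comment out every active echo/chargen line (tcp and udp) in an
    inetd.conf; already-commented and unrelated lines are left alone."""
    out = []
    for line in inetd_conf.splitlines():
        fields = line.split()
        active = bool(fields) and not fields[0].startswith("#")
        out.append("#" + line if active and fields[0] in names else line)
    return "\n".join(out)


SAMPLE_TRACE = [
    "08:08:16.155354 spoofed.pound.me.net.echo > 172.31.203.17.chargen: udp",
    "08:21:48.891451 spoofed.pound.me.net.echo > 192.168.14.50.chargen: udp",
    "08:25:12.968929 spoofed.pound.me.net.echo > 192.168.102.3.chargen: udp",
    "08:42:22.605428 spoofed.pound.me.net.echo > 192.168.18.28.chargen: udp",
    "08:47:21.450708 spoofed.pound.me.net.echo > 172.31.130.93.chargen: udp",
    "08:51:27.491458 spoofed.pound.me.net.echo > 172.31.153.78.chargen: udp",
    "08:53:13.530992 spoofed.pound.me.net.echo > 172.31.146.49.chargen: udp",
    # constructed: the bounce back toward the spoofed host, numeric ports
    "08:53:13.531200 172.31.146.49.19 > spoofed.pound.me.net.7: udp 74",
    # constructed: an ordinary DNS query, must not be flagged
    "08:55:00.000001 192.168.4.5.1034 > 192.168.14.50.53: udp 40",
]

# Constructed inetd.conf excerpt in the usual "service type proto wait user server" layout.
SAMPLE_INETD_CONF = """\
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
#discard dgram  udp     wait    root    internal
chargen stream  tcp     nowait  root    internal
chargen dgram   udp     wait    root    internal
"""

if __name__ == "__main__":
    hits, targets = echo_chargen_scan(SAMPLE_TRACE)
    for ts, src, sp, dst, dp in hits:
        print(f"{ts} {src}.{sp} > {dst}.{dp}  [small-server loop]")
    print("targets:", dict(targets))
    print(disable_small_servers(SAMPLE_INETD_CONF))
```

Filter at the border as well: drop UDP to ports 7 and 19 inbound and the loop cannot be started from outside, whatever inetd happens to serve. After editing inetd.conf, send inetd a HUP signal so it rereads the file.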

I studied martial arts for many years and eventually became an instructor. Twice a year we would have a black belt test. The school's master would invite other masters to form a panel for the test. Of course, it is customary to bow to these masters, and they bow back. I have a mischievous streak, and from time to time I would bow, they would bow, I would bow again,
