- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
209.67.78.200.3411 > mydns.com.33434: udp 36 [ttl 1] 209.67.78.200.3412 > mydns.com.33434: udp 36 (ttl 2)
This output is much like you might see with a UNIX traceroute. Traceroute has the signature of attempting a UDP connection to a high-numbered port in the 33000+ range, such as seen here. This is slightly different because the standard implementation of traceroute uses incrementing destination ports. These are to static UDP destination port of 33434. The anticipated response will be a port unreachable error, in which case response time can be computed when the 3DNS software receives the response. The incrementing TTL values can also be a signature of
Traceroute, if the DNS server is inside the sensor that captured this activity.
3DNS to TCP Port 53
A final attempt to establish a connection to TCP port 53 is made if all others fail. This attempt differs from most SYN connections because you will see that 64 bytes have been included in the payload. Normal traffic has no payload until after the three-way handshake has been completed. The 64 data bytes are sent to approximate a reasonable-sized payload, one that is neither too small nor too large. The anticipated response will be either a SYN/ACK from a
listening server or a RST/ACK from one that is not listening:
209.67.78.202.2202 > mydns.com.53: S 997788921:997788985(64) win 2048 209.67.78.202.2200 > mydns.com.53: S 869896644:869896708(64) win 2048 209.67.78.202.2201 > mydns.com.53: S 1386586413:1386586477(64) win 2048 216.32.68.11.3102 > mydns.com.53: S 765045139:765045203(64) win 2048 216.32.68.11.3100 > mydns.com.53: S 865977968:865978032(64) win 2048 216.32.68.11.3101 > mydns.com.53: S 565178644:565178708(64) win 2048
This approach seems destined to fail for many sites, especially if this is the final attempt when all others have failed because of blocked access to the other methods. The problem is that most security-conscious sites block access to TCP destination port 53 because that can be used to download the DNS maps that contain all registered hosts and their IP numbers. Therefore, if traffic is blocked, perhaps they could do the measurements from an ICMP unreachable received from the router blocking the access. What if the block was done by a router that has been silenced from delivering host unreachable errors? This is just as fruitless as the other failed attempts.
Worms as Information Gatherers
If all users at your site share a common mail server, and it is configured to examine mail for viruses that have been identified, many might be eliminated before they can infect the target host. But, users might not all use the same mail server; they might not run virus eradication software; and if they do, they might not update it frequently. This increases the risk of infection.
Viruses and worms have not been viewed conventionally as information gatherers. We are starting to see a new class of worm that acts as some kind of agent to harvest or seek information. This might involve attempting connections to other hosts after a host has been infected. If this is the case, and there is some kind of IDS at an egress point of the infected host, we can observe the activity. Two such worms are examined here: Pretty Park and RingZero.
Pretty Park Worm
I was reviewing an alert about outbound blocked activity at one of our sites and discovered that an internal host was attempting to connect to an Internet Relay Chat (IRC) port 6667 on many different destination IPs. This site had blocked outbound activity to many of the conventionally used IRC ports just because the site was hard pressed to find redeeming quality in many. I'm sure it can be argued that there are many reputable and upstanding chat rooms, but often times users gravitate to ones that aren't work related. And, every summer when the new crop of cyber-connected summer students arrived, this site usually saw a couple of them try to engage in IRC activity and fail.
It was late February, a Friday afternoon to be exact, and I was seeing this activity. I reported it to the appropriate contact, and he said that he had informed the owning administrator of the detected activity. I also dumped logs of the rejected outbound activity, but didn't give them much scrutiny. Had I been more thorough, I would have discovered that the host was attempting connections to IRC sites about five times a minute. This either reflects an obsessivecompulsive desire to connect or an automated program.
On the following Monday, I received another alert about outbound IRC activity—no big deal. I just thought it was the same host I had already identified trying once again. But, I searched the logs again and found four more hosts engaged in similar activity. The scary part was that they were all going to the same destination hosts, many of them in foreign countries. And, so the inevitable thought of horror arose in my paranoid analyst's brain: We had suffered multiple compromises using a common vulnerability, and the intruder was trying to contact her home base to report the triumph. Another, more comforting (compared to a compromise) thought occurred that maybe there was some kind of worm infection.
Sure enough, when my Windows-savvy coworker examined one of the infected hosts, he located some strange programs running (FILES32.VXD and PRETTY PARK.EXE) and identified this as the Pretty Park worm. Using netstat, he discovered that the host had sent a TCP SYN to destination port 6667. Apparently, Pretty Park is a worm that arrives via an email attachment and one of the duties of the worm is to go to these IRC sites in hopes of sending back information about the hosts—things such as passwords and details about the infected host. You can get a more thorough description of Pretty Park at http://vil.nai.com/vil/wm98500.asp.
Here is an excerpt of the activity captured by TCPdump. The destination port is 6667, and the destination hosts change:
09:30:34.470000 infected.com.1218 > ircnet.grolier.net.6667: S 662405:662405(0) Âwin 8192 (DF)
09:30:37.370000 infected.com.1218 > ircnet.grolier.net.6667: S 662405:662405(0) Âwin 8192 (DF)
09:30:43.370000 infected.com.1218 > ircnet.grolier.net.6667: S 662405:662405(0) Âwin 8192 (DF)
09:30:55.370000 infected.com.1218 > ircnet.grolier.net.6667: S 662405:662405(0) Âwin 8192 (DF)
09:31:04.050000 infected.com.1220 > irc.ncal.verio.net.6667: S 691990:691990(0) Âwin 8192 (DF)
09:31:06.970000 infected.com.1220 > irc.ncal.verio.net.6667: S 691990:691990(0) Âwin 8192 (DF)
09:31:12.970000 infected.com.1220 > irc.ncal.verio.net.6667: S 691990:691990(0) Âwin 8192 (DF)
09:31:24.970000 infected.com.1220 > irc.ncal.verio.net.6667: S 691990:691990(0) Âwin 8192 (DF)
09:32:34.130000 infected.com.1222 > mist.cifnet.com.6667: F 722101:722101(0) ack 1426589426 win 8680 (DF)
09:32:43.070000 infected.com.1224 > krameria.skybel.net.6667: S 782083:782083(0) Âwin 8192 (DF)
09:32:55.070000 infected.com.1224 > krameria.skybel.net.6667: S 782083:782083(0) Âwin 8192 (DF)
09:33:04.170000 infected.com.1226 > zafira.eurecom.fr.6667: S 812112:812112(0) Âwin 8192 (DF)
The lesson here is that the theory of fusing host-based and network-based software yields the best results.
On the host-based side, we would like to believe that worm-eradication software prevents infection, but this doesn't work for all hosts. Detection was network-based in this case because logging the denied traffic was what identified a possible problem.
RingZero
Another worm, a Trojan horse known as RingZero, that sent out network traffic was discovered in September 1999. The first identified traffic pattern associated with RingZero was a Shadow detect of a scan of many different hosts for TCP port 3128, the squid proxy server port. Here is a sample of the captured activity seen by Shadow:
12:29:48.230000 4.3.2.1.1049 > |
172.16.54.171.3128: S |
9779697:9779697(0) win |
8192 Â<mss 1460> (DF) (ttl 19, |
id 9072) |
9779697:9779697(0) win |
12:29:58.070000 4.3.2.1.1049 > |
172.16.54.171.3128: S |
|
8192 Â<mss 1460> (DF) (ttl 19, |
id 29552) |
9779697:9779697(0) win |
12:30:10.960000 4.3.2.1.1049 > |
172.16.54.171.3128: S |
|
8192 Â<mss 1460> (DF) (ttl 19, |
id 39792) |
356330349:356330349(0) |
12:44:54.9600001.2.3.4.3243 > 172.16.187.212.3128: S |
||
win Â8192 <mss 1460> (DF) (ttl |
242, id 962) |
|
12:44:57.930000 1.2.3.4.3243 > |
172.16.187.212.3128: S 356330349:356330349(0) |
|
win Â8192 <mss 1460> (DF) (ttl |
242, id 11714) |
|
12:45:03.930000 1.2.3.4.3243 > |
172.16.187.212.3128: S 356330349:356330349(0) |
|
win Â8192 <mss 1460> (DF) (ttl |
242, id 22466) |
|
12:45:15.930000 1.2.3.4.3243 > |
172.16.187.212.3128: S 356330349:356330349(0) |
|
win Â8192 <mss 1460> (DF) (ttl |
242, id 33218) |
20315949:20315949(0) win |
12:46:13.070000 1.1.1.1.2262 > |
172.16.99.110.3128: S |
|
Â8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 116, id 35676) |
||
12:46:16.080000 1.1.1.1.2262 > |
172.16.99.110.3128: S |
20315949:20315949(0) win |
Â8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 116, id 46428) |
||
12:46:22.070000 1.1.1.1.2262 > |
172.16.99.110.3128: S |
20315949:20315949(0) win |
Â8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 116, id 57180) |
||
12:46:34.080000 1.1.1.1.2262 > |
172.16.99.110.3128: S |
20315949:20315949(0) win |
Â8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 116, id 2397)
Three hostile hosts (1.1.1.1, 1.2.3.4, and 4.3.2.1) scanned different internal 172.16 hosts for port 3128. When an additional investigation was performed, it was discovered that the scanning host also attempted connections to destination ports 80 (HTTP) and 8080 (alternate HTTP). Shadow filters don't look for those destination ports because they are likely to trigger a lot of false positives. A lot of sites saw similar activity, and it appeared to be coming from many different source hosts from all over the world with as many as a half dozen different scans per hour. Most of these scans hit destination addresses that didn't exist, indicating that no prior