- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
number of bytes exchanged can come in handy in assessing the severity of what might have transpired. You might not be able to see the actual data bytes or payload, but numbers can be telling. Lengthy individual exchanges and the number of exchanges in aggregate can readily indicate potential damage by an intruder.
●Who began and/or ended the connection? By determining which host initiated and terminated the connection, you get an idea of who is in control. Typically, the client requests the connection and the server responds (as you have already seen). Either host can end the conversation, so observe which one initiates the termination with a RESET or FIN.
Damage Assessment
Using TCPdump as a detective tool to analyze an attempted computer break-in is like investigating a burglary attempt or actual burglary. The first step in damage assessment is determining whether the perpetrator actually got into the computer system (or in the case of a burglary, into the house). Repeated SYN attempts to a system without a reply might be the equivalent of jimmying a door without successful entry. The completion of the three-way handshake is the equivalent of entry; it might just be through the garage door, which also requires a key to get into the house, but it is indicative of some kind of entry. The three-way handshake is the evidence equivalent of finding a previous locked door now unlocked or finding strange fingerprints inside the locked door.
The server port number can indicate the intruder's interest. The use of a conventional port, such as telnet, means that perhaps the burglar might be doing a serious raid of goods (password files, trusted host relationships, and so on), the equivalent of a thief's interest in jewelry and appliances. What about the unconventional port numbers that don't support a known service? Is that the sign of some kind of a joyride through your system just to prove it can be done—kind of like coming home to find that someone drank all the milk in the refrigerator, threw the empty carton on the floor, and did or took nothing else?
Whereas the house burglary damage might be assessed by determining what is blatantly gone (the big-screen TV, for example), what about a burglar who broke into a big, fully stocked warehouse that didn't keep good inventory records? How would you make an assessment of stolen goods? Perhaps a neighbor saw a strange vehicle in the driveway. Was it a moving van or was it a motorcycle? When you examine the number of bytes exchanged in the TCPdump output, you are in effect determining what kind of haul the burglar made off with. You are making best-guess efforts based on the little evidence that you have.
TCP Gone Awry
In subsequent chapters, you will read many examples of the malicious attacks that employ TCP. Appendix A, "Exploits and Scans to Apply Exploits," and Appendix C, "Detection of Intelligence Gathering," discuss scanning methods that use different and sometimes unexpected combinations of TCP flags to perform reconnaissance on networks and circumvent detection or bypass filtering attempts. The following sections introduce some other anomalous TCP activity, such as an ACK scan, a telnet scan, and TCP session hijacking.
An ACK Scan
Scans of ports are done for a variety of reasons, but they usually are used to discover whether a host or hosts are offering a particular service. If a host is found to be offering a service that might be exploitable, the hacker might try to break in using some vulnerability. Often, scans are blatant; the hacker makes no attempt to hide his reconnaissance of your network, except that the computer from which the scans originate might be compromised. The hacker assumes that either no one is monitoring the scanning activity or that by using the compromised host, no one can identify the hacker with the scan. Most likely there will be no attribution because no one can associate the hacker with the scan.
At times, however, the scanner attempts to be more furtive about the reconnaissance efforts in an attempt to evade notice. Examine the following activity, which is TCPdump output of many related connections. The prober can identify live hosts by those responding to the ACK
scan. The deletion of time stamps makes it more readable: ack.com.23 > 192.168.2.112.23: . ack 778483003 win 1028
ack.com.23 > 192.168.31.4.23: . ack 778483003 win 1028 ack.com.143 > 192.168.2.112.143: . ack 778483003 win 1028 ack.com.143 > 192.168.31.4.143: . ack 778483003 win 1028 ack.com.110 > 192.168.2.112.110: . ack 778483003 win 1028 ack.com.110 > 192.168.31.4.110: . ack 778483003 win 1028 ack.com.23 > 192.168.14.19.23: . ack 778483003 win 1028 ack.com.143 > 192.168.14.19.143: . ack 778483003 win 1028 ack.com.110 > 192.168.14.19.110: . ack 778483003 win 1028 ack.com.23 > 192.168.33.53.23: . ack 778483003 win 1028 ack.com.23 > 192.168.37.3.23: . ack 914633252 win 1028 ack.com.23 > 192.168.14.49.23: . ack 3631132968 win 1028
The preceding scan from ack.com sends an ACK flag to various different hosts on the internal 192.168 network. A lone ACK should be found only as the final transmission of the three-way handshake, an acknowledgement of received data, an acknowledgement of a received FIN, or data that is transmitted where the entire sending buffer has not been emptied. This is not the case in this scan because no other traffic is found from ack.com to indicate that this is a reaction to some natural catalyst.
This might be an attempt to find live hosts, somewhat akin to the function of ping. If a live host receives an ACK for either an open or closed port, it should respond with a RESET. Also, filtering routers that allow only "established" connections into the network (in other words, the ACK bit is set) will not filter this kind of scan. As sites become more security conscious and begin to block more traffic into the network, those who want to do reconnaissance have to become more clever and stealthy in the manner in which they scan, as shown in this example. Note that the source ports are the same as the destination ports. This is not the expected behavior of the client selecting an ephemeral port with a value greater than 1023. This is another signature that helps to identify this scan. With the lone ACK flag set and identical source and destination ports, we can assume that this traffic has been "crafted." Someone has written a program to execute this particular scan; it is not the result of normal TCP/IP stack traffic generation.
Reserved Private Networks
Throughout the text, you will see references of networks 192.168 and 172.16 as examples. These particular address spaces are part of what the governing body of the Internet, the Internet Address Numbers Authority (IANA), has deemed to be reserved private networks per RFC 1918. In other words, these are address spaces that should be used for internal networks and traffic should not be sent to or from these networks. These address spaces are often used so that a site will not exhaust its actual assigned addresses.
Traffic to these networks is not routable because these are private address spaces. When you see these address spaces used in examples, understand that they are being used to disguise the real address spaces that were scanned or probed. The intent is not to imply that traffic can be routed to theses networks via the Internet.
A Telnet Scan?
Look carefully at the next scan. Short of finding Waldo in the output, do you see anything
amiss?
scanner.se.45820 > 192.168.209.5.23: S 4195942931:4195942935(4) win 4096 scanner.se.45820 > 192.168.216.5.23: S 4195944723:4195944727(4) win 4096 scanner.se.52526 > 172.16.68.5.23: S 357331986:357331990(4) win 4096 scanner.se.45820 > 192.168.183.5.23: S 4196001810:4196001814(4) win 4096 scanner.se.52526 > 172.16.248.5.23: S 357312531:357312535(4) win 4096 scanner.se.45820 > 192.168.205.5.23: S 4196007442:4196007446(4) win 4096 scanner.se.52526 > 172.16.250.5.23: S 357313043:357313047(4) win 4096 scanner.se.52526 > 172.16.198.5.23: S 357365266:357365270(4) win 4096 scanner.se.52526 > 172.16.161.5.23: S 357355794:357355798(4) win 4096
To the naked eye, it is a scan from scanner.se of destination hosts on the 192.168 and 172.16 subnets—specifically to destination port 23, or telnet. You might conclude that this is an attempt to find all hosts on the destination subnets that offer telnet, and that would be mostly correct. A subtle signature might indicate potentially evasive behavior, however. A SYN request usually sends no data bytes, but this scan sends 4 bytes, as you can tell by looking at the number in the parentheses.
You might imagine that the 4 bytes of data sent before the completion of the three-way handshake would be discarded. However, this is not the case. The 4 bytes should be included in the data after the handshake has been completed as noted by RFC 793. Any payload bytes that are sent during the handshake become part of the data stream after the completion of the handshake according to the RFC. This could be a good way to circumvent detection by an intrusion-detection system (IDS) that examines data sent only after the three-way handshake. If you see 64 data bytes sent on a SYN connection to your DNS server to the DNS port 53, this might indicate a different issue altogether. Software known as 3DNS attempts to give users the quickest response time to web requests. One way that this is done is by attempting to measure the response time to your DNS server from one or more web servers that might be used to respond to the user's request. As a representative size of a typical web request, 64 bytes are used. If you see this activity, it should not be considered stealthy; perhaps you might deem it invasive or annoying, or even ineffective because many sites block inbound
activity to TCP port 53, but the intent is not malicious.
TCP Session Hijacking
Although TCP appears to be a fairly safe protocol because of all the negotiation involved in session establishment and all the protocol and precision involved in data exchange, don't get complacent. Evil sniffers can be set up on an unsuspecting host to capture TCP or other data that crosses the sniffers' path. Sniffers that are placed on networks that are not switched can snoop clear-text data such as user IDs and passwords that are not encrypted in any way. Session hijacking software, such as Hunt, uses another approach to exploit an existing TCP session. These attempt to intercept an established TCP session and hijack one end of the