- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
of the data carried in this fragment is stored as the fragment length—in this fragment, the length is 1480. This is the 8-byte ICMP header followed by the first 1472 bytes of the ICMP data.
The Fragment Dining Car
Take a look at Figure 3.6 to focus on the next fragment in the fragment train. An IP header is cloned from the "original" header with an identical fragment identification number, and most of the other data in the IP header (such as the source and destination numbers) is replicated for the new header. Embedded after this new IP header is 1480 ICMP data bytes. As you can see, the second fragment has an offset of 1480 and a length of 1480 bytes; and because one more fragment follows, the More Fragments flag is set.
Figure 3.6. The fragment dining car.
Continuing with fragmentation in Figure 3.7, you can examine the IP datagram carrying the second fragment. As with all fragments in this fragment train, it requires a 20-byte IP header. Again, the protocol in the header indicates ICMP. The fragment identification number remains 21223. And, the More Fragments flag is turned on because another fragment follows. The offset is 1480 bytes into the data portion of the original ICMP message data. The preceding fragment occupied the first 1480 bytes. This fragment is 1480 bytes long as well, and it is composed entirely of ICMP data bytes.
Figure 3.7. The guts of the fragment dining car.
It is worth repeating that the ICMP header in the first fragment does not get cloned along with the ICMP data. This means that if you were to examine this fragment alone, you could not tell the type of the ICMP message—in this case, an ICMP echo request. This becomes an important issue with regard to packet-filtering devices (as discussed later in this chapter).
The Fragment Caboose
Examine the final fragment in the fragment train in Figure 3.8. Again, an IP header is cloned from the "original" header with an identical fragment identification number, and other fields are replicated for the new header. The final 1048 ICMP data bytes are embedded in this new IP datagram. You see the third fragment has an offset of 2960 and a length of 1048 bytes; and because no more fragments follow, the More Fragments flag is 0.
Figure 3.8. The fragment caboose.
Figure 3.9 depicts the last fragment in the fragment train. Again, 20 bytes are reserved for the IP header. The remaining ICMP data bytes are carried in the data portion of this fragment. The fragment ID is 21223, and the More Fragments flag is not set because this is the last fragment. The offset is 2960 (the sum of the two 1480-byte previous fragments). Only 1048 data bytes are carried in this fragment comprised entirely of the remaining ICMP message bytes. This fragment, like the second one, has no ICMP header and therefore no ICMP message type to reflect that this is an ICMP echo request.
Figure 3.9. The guts of the fragment caboose.
Viewing Fragmentation Using TCPdump
Take a look at the following TCPdump output. As you can see, the three different records represent the three fragments discussed earlier. This means that the host running TCPdump
has collected the ICMP echo request after the fragmentation occurred. Here are the records: ping.com > myhost.com: icmp: echo request (frag 21223:1480@0+)
ping.com > myhost.com: (frag 21223:1480@1480+) ping.com > myhost.com: (frag 21223:1048@2960
The first line shows ping.com sending an ICMP echo request to myhost.com. The reason that TCPdump can identify this as an ICMP echo request is because the first fragment contains the 8-byte ICMP header that identifies this as an ICMP echo request. Now, look at the fragmentation notation at the right side of the record. TCPdump convention for displaying fragmented output is that the word frag appears, followed by the fragment ID (21223, in this example), followed by a colon. The length of data in the current fragment follows, 1480, followed by an at (@) sign, and then you see the offset into the data (0, because this is the first fragment). The plus (+) sign indicates that the More Fragments flag is set. This fragment knows the purpose of the traffic, knows it is the first fragment, knows that more fragments follow, but doesn't know what or how many follow.
The second record differs somewhat. Notice that there is no ICMP echo request label. This is because there is no ICMP header to tell what kind of ICMP traffic this is. The IP header will still have the protocol field set to ICMP, but that is all you can tell looking at this fragment alone. You see the TCPdump output lists the fragment ID of 21223, the current data length of 1480, and the offset of 1480. The plus sign signifies that the More Fragments flag is set. This fragment has an affiliation, a follower, and a sense of placement, but is essentially clueless about its purpose—sounds like freshman year at college.
The last line is very similar to the second one in format. It shows the same fragment ID of 21223, it has a length of 1048, and a displacement of 2960. No More Fragments flag appears in the final record, however, as you would expect. This fragment has an affiliation, no sense of purpose, and no followers.
How the Fragment Offset Is Stored
Although TCPdump nicely computes the fragment offset for you, it is stored in the packet differently. Be forewarned that if you ever examine a fragment offset in a packet—perhaps from a TCPdump hex dump—you will need to do some manipulation before arriving at the actual byte offset.
The fragment offset is found in part of the sixth byte and the entire seventh byte offset of the IP header. It is a 13-bit field that can represent a maximum value of 8191 (213 – 1). Yet, theoretically, though rarely indicative of normal fragmentation, the offset can be greater than 8191 because the maximum datagram size is 65,535 (216 – 1) bytes. To represent the offset value found in the packet as bytes, multiply it by 8. For those of you who want to know the mathematical origin of this, 65,536 (216) divided by 8192 (213) is 8.
Fragmentation and Packet-Filtering Devices
This section covers fragmentation and how a packet-filtering device, such as a router or firewall, might deal with it. The problem arises when such a device attempts to block fragmented traffic.
Because only the first fragment of a fragment train will contain any kind of protocol header such as TCP, UDP, or ICMP, only this fragment is prevented from entry into the network guarded by a packet-filtering device incapable of examining state of a header field. What I mean by state is it appears obvious to you that any fragment sharing the fragment ID of the blocked one should also be blocked. But, some packet-filtering devices don't maintain this information. They myopically look at each fragment as an individual entity and don't connect it with previous or subsequent packets. Intuitively enough, this is not a particularly good architecture, so why is it used? Think about the overhead required to maintain state. It means
that each fragment must be examined and stored; this is expensive in terms of time, processing, and memory. Eventually, fragments must be allowed or rejected access and that too consumes more resources. It is far simpler to have an atomic architecture that scrutinizes on a per-packet basis.
If a particular packet doesn't match the blocking criteria, in this instance, because of the absence of a protocol header, it is allowed into the network. Fragmented TCP or UDP datagrams might contain their respective header information in the first fragment only. Blocking decisions are often based on header information, such as TCP or UDP destination ports. This means that fragmented TCP and UDP are susceptible to the same shortcomings of a stateless packet-filtering device.
One final point to remember is that IP is not a reliable protocol, and it is very possible for the first fragment that contains the protocol header information to be lost. When this occurs, the packet-filtering device has an even more difficult job of allowing or denying traffic. In fact, if
one of the fragments does not arrive at the destination, all must be resent.
The Don't Fragment Flag
In some of the TCPdump output you have looked at, you might have seen the letters DF in parentheses. This means the Don't Fragment flag is set. No sur-prises here; as the name implies, if this flag is set, fragmentation will not be done on the datagram. If this flag is set and the datagram crosses a network where fragmentation is required, the router discovers this, discards the datagram, and sends an ICMP "unreachable—need to frag" error message back to the sending host.
The ICMP error message contains the MTU of the network that required fragmentation. Some hosts intentionally send an initial datagram across the network with the DF flag set as a way to discover the path MTU for a particular source to destination host. If the ICMP error message is returned with the smaller MTU, the host then packages all datagrams bound for that destination in small enough units to avoid fragmentation. This is often used with TCP because TCP requires a lot of overhead. Fragmentation can introduce ineffi-ciency because if one fragment is lost, all must be sent again; that is one reason it is desirable to avoid fragmentation. As you can surmise, a malicious user also can use this mechanism to discover the MTU of a segment of your network to be used later for fragmentation exploits. The user could craft datagrams with different lengths and the DF flag set and observe when an ICMP error message is received. This assumes that the targeted network doesn't disable the ICMP error message from being sent. The following TCPdump output shows an ICMP message in which a router discovered that fragmentation was necessary, but the Don't Fragment flag was
set.
router.ru > mail.mysite.com: icmp: host.ru unreachable - need to frag (mtu 308) (DF)
The stimulus for this reply was that mail.mysite.com attempted to send a datagram larger than 308 bytes to host.ru with the DF flag set before this packet was sent. router.ru finds that the datagram must traverse a smaller network with an MTU of 308 bytes and fragmentation is necessary.
When router.ru examines the record, it finds that the Don't Fragment flag is set and an ICMP message is sent back to mail.mysite.com informing it of the problem. Now, mail.mysite.com either must package the datagrams to be smaller than the MTU of 308 so that fragmentation doesn't occur or it must remove the DF flag so that fragmentation can occur and then resend the datagram.