- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
If a scanner can determine a subnet mask of a network, he knows exactly how many hosts need to be scanned. Although the subnet mask of a host usually can be determined from looking at the first octet of the IP number, this request might discover the networks that don't have a "natural" subnet mask. That type of knowledge cannot be obtained from looking at the
IP number alone. In this example, the scanned routers respond with subnet masks of a hexadecimal ffffff00. This translates to a decimal 255.255.255.0 subnet mask of the
network on which they reside. This means that these hosts all belong to a Class C network. Querying for address masks is another type of ICMP activity that should be disallowed into the network, for obvious reasons.
Summary of Mapping
Let's briefly recap the discussion about mapping. Mapping can be done using the following methods:
∙Sending individual ICMP echo requests to hosts in a network
∙Sending ICMP echo requests to the broadcast addresses of a network
∙Sending ICMP echo requests to network and broadcast addresses of subdivided networks
∙Sending an ICMP address mask request to a host on the network to determine the subnet mask to better understand how to map efficiently
Normal ICMP Activity
This section examines some of the expected uses of ICMP—specifically, several different error messages that ICMP sends to inform a host of some kind of problem situation. Looking at mutant ICMP activity is more intriguing, but you've got to be able to understand what's normal before you can recognize abnormal ICMP activity.
Host Unreachable
In the following ICMP output, you can see an error message to sending.host, which is attempting to send traffic to a target host:
router > sending.host: icmp: host target.host unreachable
For some reason, the target.host is unreachable—perhaps no host resides at the requested
IP address, perhaps the host is temporarily unavailable, or perhaps the host is suffering from some kind of misconfiguration that prevents it from responding.
In a situation such as this, the host obviously cannot send an error message, so the router
that oversees the target host's network intervenes to deliver the message. In this case, the router informs the sending host that the target host is unreachable. As you can probably guess, this gives a scanner valuable information that he can use to help him map the network. If a scanner is collecting information about live hosts in a network to later scan, those that have been identified as unreachable would likely not be scanned again. This makes any subsequent scans more focused.
The valuable reconnaissance information that can be gleaned from many of the ICMP
unreachable commands can be detrimental to the security of a given network. Cisco router access control lists have a statement no ip unreachables that can silence the router
interface from issuing the ICMP unreachable messages.
Port Unreachable
The ICMP output that follows demonstrates how a target host informs a sending host that a requested UDP port is not listening. In this example, the sending host attempts to send traffic to the target host on the UDP network time protocol (ntp) port:
target.host > sending.host: icmp: target.host udp port ntp unreachable (DF)
Therefore, the protocol used to deliver the error message is ICMP. Remember that when you examined TCP, that protocol had a different way of informing a sending host that a port was not active. It returned a packet with the TCP RESET flag set to indicate that the port was not listening. UDP has no built-in mechanism to report about this error, so it enlists ICMP to assist.
Again, you can see that valuable reconnaissance can be gained from this ICMP error message—namely that scanned UDP ports that do not respond with this message could be listening ports. But, it is also possible that scanned UDP ports that do not respond might never have received that scan due to packet loss. It is also possible that outbound port unreachable messages are blocked from leaving the network. So, you can see that the absence of a port unreachable message from a scanned UDP port is not a definitive confirmation that the port is listening.
Admin Prohibited
Take a look at another possible problem situation with the following output:
router > sending.host: icmp: host target.host unreachable - admin prohibited
In this scenario, a sending host is attempting to deliver traffic to a target host. A router is at the gateway of the target host network.
The router has an access control list that prohibits certain types of traffic from entering the network. This could be a port that is blocked, a protocol that is blocked, or possibly the source IP or subnet that is denied access, or the destination IP or subnet that is protected. A router might respond to this condition with an ICMP "unreachable - admin prohibited" message. Although this ICMP message does not indicate what is being blocked (a destination port, a source IP, or an IP protocol, for instance), an astute scanner can attempt different combinations of connections and figure out what is being disallowed into the network and possibly find other avenues into the network that are not blocked.
Need to Frag
Another ICMP message warns that a desired host is unreachable because of a problem with fragmenting a datagram:
router > sending.host.net: icmp: target.host unreachable - need to frag (mtu 1500)
The DF output in TCPdump means that the Don't Fragment flag is set. As the name implies, if this flag is set, fragmentation will not be done on the datagram. If this flag is set and the datagram crosses a network in which fragmentation is required, the router discovers this, discards the datagram, and sends an ICMP error message back to the sending host.
The ICMP error message contains the maximum transmission unit (MTU) of the network that required fragmentation. Some hosts conversing in TCP intentionally send an initial datagram across the network with the DF flag set as a way to discover the smallest MTU for a particular source-to-destination path. If the ICMP error message is returned with the smallest MTU, the host then packages all datagrams bound for that destination in small enough chunks to avoid fragmentation. The intent is to eliminate the overhead and inefficiencies in packet loss associated with fragmentation.
Time Exceeded In-Transit
This ICMP message informs a sending host that a datagram has overstayed its welcome on the Internet:
routerx > sending host: icmp: time exceeded in-transit
IP needs a way to flush a lost datagram from the Internet, perhaps one that is in some kind of routing loop in which it is bouncing aimlessly between routers. The means used to prevent wayward datagram activity involves a field in the IP header known as the time-to-live (TTL) value.
Different operating systems set different initial TTL values. To examine default initial TTL
values set by operating systems, go to http://project.honeynet.org/papers/finger/traces.txt.
When a datagram traverses a router on its travel from the source to destination, each router decrements the TTL value by 1. If the value ever becomes 0, the router discards the datagram and sends an ICMP "time exceeded in-transit" message back to the sending host. Chapter 5, "Stimulus and Response," shows how traceroute uses this ICMP "time exceeded in-transit" message along with incrementing TTL values to discover and record interim routers along the path from a given source to destination.
Embedded Information in ICMP Error Messages
It is helpful to understand that when an ICMP error message is returned, there is some additional information that is supplied in the datagram. Specifically, after the actual ICMP message, you will find the IP header followed by eight bytes of protocol header and data of the original datagram that caused the error, as seen in Figure 4.2. This information allows the receiving host to associate this error with the sending process and react appropriately. An external response to an ICMP error message is not expected because RFC 1122 describes this