- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
●DNS servers can provide a lot of reconnaissance information about hosts in preparation for launching an attack of a targeted network.
●DNS is used to resolve host names and IP addresses; so if a hacker can dupe a DNS server or actually seize control of a DNS server, she can manipulate name or address translations for malicious purposes. Often, weak methods of authentication rely on a host having a particular host name or IP address. If normal translations can be subverted, authentications can be corrupted.
●DNS servers are accessible and information sharing entities. The port commonly associated with DNS traffic, UDP port 53, is often left open on packet-filtering devices so that internal name servers can function.
This chapter covers these topics along with DNS theory and practical applications. You learn how DNS queries are answered, how DNS servers interact with other DNS servers, how DNS can be used to discover information about a site, and ways that DNS can be used for exploit purposes. In short, this information will aid you in applying network security and analyzing the nature of DNS traffic seen on the network.
Back to Basics: DNS Theory
Again, TCPdump is enlisted to help explain and visualize what occurs with different types of DNS transactions. Specifically, this section examines how a DNS query is issued and answered. DNS differs from a normal client/server application, such as telnet, where the client requests a connection to a desired server and the interaction is between those two hosts. For DNS, however, when a client issues a DNS query, a DNS server accepts the query, perhaps interacts with one or more additional DNS servers, and then returns the response to the client.
This section looks at the structure of DNS as a distributed system, and it examines host name to IP address resolution. It also discusses the role of master (formerly known as primary) and slave (formerly known as secondary) name servers and discusses the interaction between them. You learn that unlike other services, DNS can switch between UDP and TCP protocols,
depending on the kind of DNS activity.
The Structure of DNS
DNS is a globally distributed system that depends on the cooperative interaction of many DNS servers to store records about "domains" and to communicate with each other. A domain is a subset of DNS records associated with a logical grouping. For instance, sans.org is a collection of records containing IP addresses, host names, name servers, and more associated with the sans.org domain. Figure 6.1 depicts the hierarchical nature of DNS.
Figure 6.1. DNS, the pyramid scheme.
Logically, the top node of the DNS tree is known as root—designated by the period (.). Functionally, this is represented by root servers that can act as the starting point for DNS resolutions. These servers just point to other DNS servers that might have dominion over the DNS records being sought. You are probably familiar with the top-level domains, those falling directly under the root servers (the long-established .edu, .org, .com, .net, .mil, and .gov; and the recently established .aero, .biz, .coop, .info, .museum, .name, and .pro, to name the domestic domains). There are additional top-level domains for foreign countries, such as .jp
for Japan.
Steppin' Out on the Internet
Suppose that you want to visit www.sans.org, which is the home page for the System Administration, Networking, and Security (SANS) Institute. You enter www.sans.org in your browser, and seconds later you see the www.sans.org page.
Now, remember that IP datagrams use IP addresses for all source and destination addresses. IP knows nothing about host names. The human mind is more likely to remember that the capital of Florida is Tallahassee, than it is to remember the value of pi to 10 fractional digits is 3.1415926536, even though both take 11 characters (excluding the decimal) to represent. Names have more order and less randomness than numbers, so you tend to remember them better. This is why you speak in host names rather than IP addresses. It is apparent that some kind of translation mechanism is required between the way you reference hosts (via host
names) and the way TCP/IP must reference hosts (via IP addresses).
So, how did this translation from www.sans.org to an IP address mysteriously occur behind the scenes? Before you could even send out a request to www.sans.org, your host had to
know an IP address. Your host needs this IP address to insert into the datagram when it sends the connection request to www.sans.org out on the network. The following section unveils
this somewhat transparent process.
Recursive Versus Iterative Queries
DNS queries come in two different varieties: recursive and iterative. A recursive query requires a name server to find the answer to the query itself. In other words, it might query name servers, such as root name servers that do not know the answer to the query but know references of name servers that possibly have the answer to the query. The name server must follow all the references until it finds a name server that has the answer. The bottom line is that a recursive query asks the queried DNS server to be the workhorse and finds an answer while the querying DNS server waits for the answer or performs unrelated queries.
An iterative query asks a name server to fetch the answer to a query. If the name server doesn't have the answer, it returns to the querying name server a reference of another name server that possibly has the answer to the query. The queried name server does not pursue finding the answer; the querying name server must pursue finding the answer to the query itself.
DNS Resolution Process
Figure 6.2 shows the beginning of the process of resolution from host name www.sans.org to IP
address.
Figure 6.2. Client resolver, the handoff.
You see your browser is on host.my.com and it attempts resolution of www.sans.org.
Assuming that your host is not a name server, it is mostly passive throughout the resolution
process. It just fires off the request for the translation and resumes the process of connecting to the www.sans.org page after it receives a resolution of the IP address. The workhorse
behind the resolution process is the DNS server that is queried (in this case, dns.my.com). Generally, a default name server is chosen at the time the operating system is installed on a given client machine. On UNIX machines, the information is stored in the file /etc/resolv.conf. The DNS server is set as a TCP/IP property in the Network portion of the Control Panel for Windows hosts. This default DNS server typically is managed locally and is located somewhere on your organization's intranet. dns.my.com is this site's DNS server.
On the client host, the TCP/IP applications, such as telnet, FTP, Netscape, or Internet Explorer, call "resolver" library routines to obtain DNS resolution. When you requested www.sans.org,
application software issued a call to resolve the host name to an IP address. In this case, a
gethostbyname call is sent from host.my.com to the DNS server. This requests host name translation of www.sans.org to an IP address. The DNS server receives this request,
processes it, and returns it to host.my.com.
Figure 6.3 shows the second part of the resolution journey after leaving host.my.com. You see dns.my.com assumes the actual task of finding the answer of the IP of www.sans.org. For
simplicity of theory (although this might be perceived as adding complexity to the actual resolution process), assume that dns.my.com knows nothing about www.sans.org or any
other host in the .org domain. dns.my.com begins its search with a DNS root server to find the resolution.
Figure 6.3. DNS server resolution, the cry for help.
If a DNS server has to resolve an unknown external host name and it has no knowledge of the host's associated domains, it must contact a root name server. Root name servers are more than just a starting point—they maintain a mapping between domain names (sans.org) and the authoritative name servers—DNS servers that maintain DNS records for those domains.
When the local name server, dns.my.com, asks a root name server for the IP address of www.sans.org, it gets back a referral to the name servers for sans.org. You might ask how
dns.my.com knows the names and IP addresses of the root servers to contact. Obviously, the local name server must be preconfigured with a list of known root name servers. This information is maintained by the InterNIC and may be downloaded from
ftp://ftp.rs.internic.net/domain/named.ca.
Continuing the resolution adventure, the root server lets dns.my.com know where to continue
its search. The root server has returned a referral to the name server server1.sans.org as an authoritative name server for www.sans.org. Figure 6.4 depicts dns.my.com querying
server1.sans.org and receiving an authoritative answer, the IP address of 12.33.247.6.
Figure 6.4. DNS server resolution, from the horse's mouth