- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
TCPdump Output of Resolution
You can examine the traffic that this DNS request generated by observing the TCPdump output
that follows:
host.my.com.1716 > dns.my.com.53: 1+ (35) dns.my.com.53 > h.root-servers.net.53: 12420 (30) (DF)
h.root-servers.net.53 > dns.my.com.53: 12420- 0/3/3 (153) (DF) dns.my.com.53 > server1.sans.org.53: 12421+ (30) (DF)
server1.sans.org.53 > dns.my.com.53: 12421* 1/3/3 (172) dns.my.com.53 > host.my.com.1716: 1* 1/3/3
(197) (DF)
First, host.my.com (the client exchanges from host.my.com are in bold) issues the request to resolve www.sans.org to dns.my.com. TCPdump analyzes DNS at the application level, which
is why you don't see the word udp embedded in the output even though this is UDP. UDP is
the protocol selected for the transmission of the majority of DNS traffic because the queries and responses are often short and the application itself can tolerate lost data. When anticipated data is not received, the DNS query is reissued.
Next, dns.my.com attempts a connection to h.root-servers.net on port 53. Notice that both source and destination ports are 53. h.root-servers.net responds back to dns.my.com using source and destination ports 53 as well. A discussion of the numbers and notations found at the end of each TCPdump record is found in the next section, "Strange TCPdump Notation." h.rootservers.net does not have the answer to the query. It has a reference of another DNS server
that either has the answer or has a reference of who might have the answer. Querying name servers for the IP of www.sans.org is an iterative process that yields a reference of another
DNS server that might have the answer. This process repeats until contacting a name server that has the IP address answer.
Because h.root-servers referred dns.my.com to another DNS server, in the third line of the
preceding output, you see dns.my.com query this server, server1.sans.org, for the IP for www.sans.org. server1.sans.org happens to "own" the DNS record for www.sans.org and
can return the IP address associated with www.sans.org to dns.my.com. At long last,
dns.my.com delivers the response to host.my.com.
TCPdump has a unique format that contains necessary insight into what is happening between DNS connections. Look at the next section to help you decipher the TCPdump output.
Strange TCPdump Notation
Look at the exchange between dns.my.com and h.root-servers.net that follows: dns.my.com.53 > h.root-servers.net.53: 12420 (30) (DF)
h.root-servers.net.53 > dns.my.com.53: 12420- 0/3/3 (153) (DF)
The first line of TCPdump output is the query from dns.my.com to the root server. The first field that you have not seen before in conventional TCPdump output is the number 12420, following the colon after destination port 53. This is the DNS identification number. It is a unique identifying number that a DNS server or client uses to match a query and response. dns.my.com issues the request to the root server with the number 12420, and when it receives a response, it can pair it to the request. You have to be aware that a busy dns.my.com is probably doing a lot of other queries while it is doing yours, so it has to be able to match multiple queries with responses. The length of the UDP payload (not including the IP or UDP headers) is 30 bytes. And, the Don't Fragment (DF) flag is set so that this datagram won't be fragmented.
The response to query 12420 follows. A dash after 12420 signifies that recursion was not desired. This means that dns.my.com told the root server that it wanted a response that referenced where the next DNS server is—it did not want the root server to pursue finding the response itself.
Root servers are very busy computers, processing many initial DNS requests, and they cannot process queries in a recursive fashion like dns.my.com can. Root servers are only expected to give whatever knowledge they have about a good reference in pursuit of the answer. If you were hopelessly lost in a city somewhere and came across a policeman directing traffic at a busy intersection, you would know better than to ask him directions to Aunt Sadie's place. If you had the poor sense to ask, the best you could hope for is a general hasty reference to a gas station that could give you better directions.
In the response from the root server, you see some strange output in the format of 0/3/3. This says that there were zero answer records, meaning no IP address was found, but three authority records were found and three additional records were found. An authoritative server is one that "owns" and maintains records for a given domain. You don't see this in the TCPdump output, but the three authoritative servers (server1.sans.org, ns.BSDI.COM, and ns.DELOS.com) and the three additional records are shown with the pairing of the authoritative DNS servers with their IP addresses.
AUTHORITY RECORDS
sans.org |
nameserver = server1.sans.org |
sans.org |
nameserver = ns.BSDI.COM |
sans.org |
nameserver = ns.DELOS.COM |
ADDITIONAL RECORDS |
|
server1.sans.org |
Internet address = 167.216.198.40 |
ns.BSDI.COM |
Internet address = 206.196.44.241 |
ns.DELOS.COM |
Internet address = 65.102.83.117 |
The section, "Using DNS for Reconnaissance," shows you how to use the nslookup command to discover this information. By sending the IP addresses in additional records, when using the returned authoritative name servers, subsequent resolutions are unnecessary to translate those returned host names to IP addresses. Any one of those DNS servers has authority for the sans.org domain and can answer the query. As you saw, dns.my.com selects the first one, server1.sans.org, to use for the final resolution.
Finally, examine the remainder of the TCPdump output from the resolution process: dns.my.com.53 > server1.sans.org.53: 12421+ (30) (DF)
server1.sans.org.53 > dns.my.com.53: 12421* 1/3/3 (172) dns.my.com.53 > host.my.com.1716: 1* 1/3/3
(197) (DF)
dns.my.com has been informed that there are several authoritative servers, and it selects the first one, server1.sans.org, for resolution. It issues a new query 12421 and asks for recursion, noted by the plus sign. Essentially, dns.my.com has tasked server1.sans.org to find the IP
address. In this case, server1.sans.org is an authoritative name server for www.sans.org, so
it can answer the query itself. If it were not the authoritative name server, however, it would be asked to find the IP address by recursively issuing queries to other name servers until an IP address was found. Not all DNS servers are configured to perform recursive queries; so even though recursion might be desired, it is not necessarily done.
server1.sans.org responds to the query. The asterisk means that this is an authoritative response. This says that the record for www.sans.org is in the DNS database that
server1.sans.org maintains. One answer is returned—in this case, the IP address of www.sans.org, 12.33.247.6. You do not see the IP in the TCPdump output, but that is what
is in the payload of the UDP datagram. The three authority records and three additional records that were previously discussed are returned here too. Lastly, after dns.my.com has the
IP address, it returns it to host.my.com, the original querier.
Caching: Been There, Done That
This section briefly explains what happens to received responses. DNS servers cache or save responses that they receive. This makes the resolution process more efficient if the same DNS queries do not have to be repeated over and over again. This also potentially reduces the number of hits that other DNS servers take responding to queries. Chances are pretty good that the same host name to IP resolution that was requested once may be requested again soon thereafter. But, as you will soon see in the section, "Cache Poisoning," these savings, gained by caching responses, will open up some security risks if cached responses are not authentic
and valid.
If you were to ask for the www.sans.org web page again soon after the first request, the
resolution process would differ a little. Your host still issues a gethostbyname call to resolve the IP address for www.sans.org. When dns.my.com receives this request, however, it
checks its cache as usual before trying to resolve it. If everything is working correctly, dns.my.com finds the record residing in cache and returns the IP address to host.my.com. How long do cached records stay around on the DNS server? Well, it depends. Each cached record might have a different life span. It turns out that each response of a DNS resource record has a DNS time-to-live (TTL) value. Don't confuse this TTL value with the IP header TTL. They represent two very different and distinct functions. The DNS TTL value is set by the responding DNS server and cached by the receiving name server for the TTL time value. DNS servers that update records often are more likely to have lower TTL values than relatively static servers have.
Berkeley Internet Name Daemon
Berkeley Internet Name Daemon (BIND) is the de facto standard DNS implementation in use on the Internet today. Older versions of BIND are 4.x.x, whereas the more current versions are 8.x.x and 9.x.x. When you observe DNS servers that communicate with both source and destination ports of 53, it is usually indicative of the default behavior of BIND 4.x.x. By default, BIND versions 8 and later assign an ephemeral source port greater than 1023 in a querying DNS server datagram, similar to the behavior that you witnessed with other client applications, such as telnet.
However, BIND versions 8 and later can be configured to mimic version 4 behavior by using a default source port of 53. This is done using the query-source address * port 53 configuration file substatement. Some sites find that this configuration better suits existing firewall/router access rules.
Reverse Lookups
Occasionally, you will be given an IP address and want to see whether it resolves to a host name. This is done via a gethostbyaddr call by the client resolver.
Remember, DNS is a distributed hierarchy of responsibility, and resolution begins at the root
node and continues down in the DNS tree.You saw top-level domain nodes, such as .org, .mil,
.edu, and so forth. A special domain has been reserved for resolution of IP addresses to host names. At the top-level domain, this is the arpa suffix. A second-level domain follows, known
as in-addr. The tree expands outward beneath this for the legal first octets in the IP address, as you see in Figure 6.5. In the case of the IP for www.sans.org, for instance, the first octet is
12. Beneath this follows a subtree with the next node of 33, the second octet of the www.sans.org IP address. Continuing with this logic, the 247 and 6 nodes for the final two
octets fall below. Only this subtree is examined in this example, but this subtree spans all the possible IP addresses just as the other top-level domains begin the expansion of all the host names.
Figure 6.5. Reverse lookups, IP address to host name.
Resolutions of IP to host name are known as reverse lookups. When DNS attempts a reverse lookup for 12.33.247.6, the application software reformats this as a query to 6.247.33.12.in-
addr.arpa. The order of the octets is reversed to conform to the host name notation. For name www.sans.org, the name is formulated by starting at the bottom of the DNS tree with node
www, moving up to node sans, and topping out at node org. Similarly, with the IP address,
you must move from the most specific to the most general.
Master and Slave Name Servers
Each domain must have a master server, upon which database records of names and IP addresses are maintained. Then, for redundancy sake, one or more slave servers are often created in case the master server ever goes down. If there is no redundancy built in and the only DNS server for a particular domain were to go down, no queries could be answered for hosts in that domain. Unless entries were cached at other DNS sites, resolution of hosts in the domain whose DNS server was down could not be accomplished. Slave servers can share the load of responding to queries with a fully functioning master name server.
DNS information is maintained on the master server in flat text files. The slave name servers periodically contact the master name server to see whether any updates have been made for a particular domain. If so, the slave servers with older versions of BIND download all information for that domain, even if only one record has been modified. Newer versions of BIND will allow incremental updates that will download only changed records.