- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
Summary
Let's summarize some of the ideas conveyed in this chapter. First, although your NIDS is a necessary tool for risk mitigation, it is not a panacea for detecting all malicious traffic. One reason for this is that insertion and evasion attacks can cause the NIDS to incorrectly scrutinize network traffic. There are many different attacks that can be used and it is simply impossible for a NIDS to know how every different target host on a network will react to a packet. A NIDS cannot know the nuances of each individual host's implementation of the TCP/IP stack. As well, the NIDS is not aware of network topology differences that can be used in some of the attacks such as packets with low TTL numbers that will never reach the target host. The use of hostbased IDS can be used to fortify the security provided by the NIDS.
A savvy analyst should be aware of the types of fields and possible values that are found in the IP header. This is valuable knowledge when examining packets for anomalous values. Recognizing mutant values might not explain the intended purpose of the packet, but it should draw your attention to the packet. From there, it might be possible to determine the nature of the traffic.
Chapter 9. Examining Embedded Protocol Header Fields
This second chapter on examining header fields discusses the fields in the headers found after the IP header, namely the TCP, UDP, and ICMP headers. As we discovered in the previous chapter, it is imperative that anyone performing traffic analysis be familiar with the purpose of the fields and expected values. This is the only way to unearth values that are not normal and might be a reflection of some kind of malicious activity.
Because this is a fairly extensive topic, the chapter addresses fields in each of the protocols individually. Hopefully, this will partition the protocols into more manageable chunks of learning.
TCP
Back in Chapter 2, "Introduction to TCPdump and TCP," we discussed that TCP is a reliable protocol. This means that TCP oversees the exchange of data and knows when there is a possible problem by using fields such as sequence and acknowledgement numbers to order and keep track of the exchanged data. There are many more fields in the TCP header than UDP and ICMP have because TCP needs to maintain state and provide optimal flow control between sender and receiver. We'll examine these fields and others in the context of normal and
abnormal use.
Ports
The port fields are two separate 16-bit fields in the TCP header, one for source (bytes 0 and 1 offset from the TCP header) and another for destination (bytes 2 and 3 offset from the TCP header) port. The valid range of values is between 1 and 65535. The use of port 0 is anomalous
and considered to be a unique "signature" of an improper port setting.
When a source host wishes to connect to a destination host, an ephemeral source port is typically selected in the range of ports greater than 1023. For each new connection that the host attempts that is not a retry, a different ephemeral port should be selected. The concept of TCP retries or retransmission will be covered later in this chapter in the section, "Retransmissions." In a scan scenario, you will likely see the source port value incrementing by 1 for each new connection.
One of the telltale signs of an nmap SYN scan to find open TCP ports is a static source port
retained over multiple new TCP connections. For example: nmap –sS sparky
09:40:43.964215 verbo.47247 > sparky.1548: S 2401927088:2401927088(0) win 2048
09:40:43.964412 verbo.47247 > sparky.24: S 2401927088:2401927088(0) win 2048 09:40:43.964465 verbo.47247 > sparky.1547: S 2401927088:2401927088(0) win 2048
09:40:43.964553 verbo.47247 > sparky.2564: S 2401927088:2401927088(0) win 2048
09:40:43.964604 verbo.47247 > sparky.1484: S 2401927088:2401927088(0) win 2048
09:40:43.964642 verbo.47247 > sparky.1460: S 2401927088:2401927088(0) win 2048
09:40:43.964695 verbo.47247 > sparky.628: S 2401927088:2401927088(0) win 2048 09:40:43.964748 verbo.47247 > sparky.1112: S 2401927088:2401927088(0) win 2048
Although we would expect the source port of scanner verbo to change for each new SYN connection to new ports of target host sparky, the source port number remains constant as 47247.
In contrast, look at the default behavior exhibited by another scanning tool known as hping2. The –S option of hping2 performs a different kind of SYN scan. It increments the source port as expected, yet it attempts to open destination port 0 of its target. The intent of this type of scan obviously is not to find a listening port. This type of scan is used to elicit a RESET response to see if a host is alive, because there should be no hosts listening at port 0. Here's the output
from hping2: hping2 –S sparky
09:44:13.882207 verbo.1788 > sparky.0: S 1553132317:1553132317(0) win 512 09:44:14.876837 verbo.1789 > sparky.0: S 1894028093:1894028093(0) win 512 09:44:15.876836 verbo.1790 > sparky.0: S 2032501562:2032501562(0) win 512 09:44:16.876832 verbo.1791 > sparky.0: S 851202745:851202745(0) win 512
TCP Checksums
As mentioned previously, the embedded protocols have checksums as well. These cover the embedded header and respective data for TCP, UDP, and ICMP. Unlike the IP checksum, these are end-to-end checksums calculated by the source and validated by the destination host-only. The TCP checksum has been chosen to represent the embedded protocol checksums. UDP does not require a checksum to be computed, unlike IP, TCP, and ICMP. However, it is highly recommended.
The embedded protocol checksums for TCP and UDP are computed using a pseudo-header in addition to the embedded protocol header and data. A pseudo-header consists of 12 bytes of data depicted in Figure 9.1: the source and destination IPs, the 8-bit protocol found in the IP header, and a repetition of the embedded protocol length (this is the protocol header length plus the number of data bytes). The zero-pad field found in the 8th byte offset is used to pad the 8-bit protocol field to 16 bits because checksums are performed on 16-bit blocks of data.
Figure 9.1. TCP checksum pseudo-header fields.
Why is the pseudo-header necessary? This is a double check that is used by the receiving host to validate that the IP layer has not accidentally accepted a datagram destined for another host or that IP has not accidentally tried to give TCP a datagram that is for another protocol. If there is some errant corruption that occurs in transit, the validation of the IP checksum may or may not discover this, but some fields from the IP header are included in the pseudo-header checksum computation to help protect against this.
Let's examine a very specific example of how the pseudo-header protects against delivering the packet to the wrong host. Figure 9.2 is offered to assist in visualizing the process. Assume that we have a host that sends a packet to destination IP 1.2.3.4. We will use TCP as the embedded protocol, but it really doesn't matter if the transport layer is TCP or UDP because both use the pseudo-header. The transport layer checksum includes the pseudo-header fields in the checksum computation. Therefore, for the destination IP, a value of 1.2.3.4 is used in the TCP checksum computation.
Figure 9.2. Pseudo-header checksum protection.
On its way from the sending host, the packet travels through a router that, as you remember,
must validate the IP checksum before forwarding it. Suppose the router validates the IP checksum, decrements the TTL, and then needs to recompute the new IP checksum. For some unforeseen reason, the IP layer of the router somehow corrupts the destination IP to be 1.2.3.5. The IP checksum is recomputed using the corrupted destination IP. The IP checksum is valid so the packet continues on towards the wrong destination, IP 1.2.3.5.
Assume that the IP 1.2.3.5 exists. The corrupted packet arrives at the wrong destination IP. The IP layer validates the checksum and it is correct because destination IP 1.2.3.5 was used in the IP checksum computation by the corrupting router. The packet is pushed up to the transport layer where TCP uses the pseudo-header fields in the checksum validation. But, the TCP checksum validation uses destination IP 1.2.3.5 in the corrupted packet IP header for validation comparison against the packet's actual TCP checksum. However, this does not match the TCP pseudo-header checksum from the sending host that used 1.2.3.4 as the destination IP in the pseudo-header checksum. Host 1.2.3.5 then discards the packet because the embedded protocol checksum does not match the computed checksum done by the destination host.
A Cry for Help
While reading literature on the purpose of the pseudo-header, it made perfect sense to me that it is used as an additional check to make sure that the packet isn't sent to the wrong host or protocol. Yet, for the life of me, I couldn't envision how this was done. I asked several colleagues, but they too shared my confusion when it came to giving an example. I ended up writing noted author and TCP/IP expert, Doug Comer, who shared the example of a router corrupting the destination IP number. I would like to extend many thanks to Mr. Comer for clearing up the confusion.
TCP Sequence Numbers
The TCP sequence numbers are used to uniquely identify the beginning byte of each TCP segment that is sent. This is a way to keep track of all the TCP data that is sent and received in a TCP stream. Most times, there is more TCP data than can be sent in one TCP segment. Or, some services such as rlogin might send a character at a time over a TCP stream requiring multiple streams per session. Because TCP is a reliable protocol, we must have a mechanism to account for data being sent and received. In part, that is done using TCP sequence numbers. These sequence numbers should not be repeated unless there is a retry of the same connection if an initial attempt fails and the sender receives no error from either the intended receiver or some kind of packet-filtering device. The initial sequence number (ISN) is the first sequence number that is used in the TCP exchange between the sending and receiving hosts. Each host in the exchange selects a unique initial sequence number when sending the initial SYN connection to the other host.
The formula that TCP/IP stacks use to select their initial sequence number is examined by nmap to help fingerprint the operating system. There is a file that comes with nmap, nmap-os- fingerprints, that has a list of many different operating systems and versions. Nmap performs a given set of tests against a target host. Nmap can categorize a particular operating system by matching the values in responses to different normal and abnormal stimuli sent by the scanning host with the expected values for a given operating system.
The first test executed by an operating system fingerprinting nmap scan is one that examines the initial sequence numbers generated by a receiving host from sent connections to a listening port. Different TCP/IP stacks use different formulas to generate the ISN. Some of the older operating systems used a predictable increment for the ISN for each new connection. But someone watching and sniffing could possibly predict and hijack a connection using this information, as was done in the infamous Mitnick attack. Other operating systems have a timedependent formula that predictably increases the ISN based on a given time change. This, too, is not considered very secure. The most secure formula for ISN generation is a random, unpredictable one. As a tidbit of information, the SYN that we refer to as the flag to start a TCP connection is actually an abbreviation for synchronize sequence numbers. The following execution of nmap using the operating system fingerprint scan option (-O) shows open ports,