- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
Yet, you can see how this test can be used to distinguish Windows hosts from all others. As a new analyst, it is often difficult to distinguish between what appears to be malicious behavior and TCP/IP stacks that don't conform to the RFC specifications. It is hard to
understand the intent when a response isn't as you expect. Many times, even an experienced analyst does not know if abnormal TCP flag settings are an indication of some wayward TCP/IP stack or someone up to no good.
Retransmissions
What if an initial TCP connection is attempted, yet the host attempting the connection doesn't receive a response from the destination host? A destination host might not respond because it might not be up or might not exist. A router might attempt to deliver an ICMP message about the destination host being unreachable, but if the router has been silenced from delivering unreachable messages, the sending host will never know that there is a problem. A destination host might be sitting behind some kind of packet-filtering device that blocks the connection inbound, yet silently drops the connection without informing the sending host.
It is also possible that the destination host responds positively (SYN/ACK) or negatively (RESET/ACK), yet for some reason the sending host doesn't receive these replies.
Additional attempts or retransmissions are made to contact the host in situations like this. The number of retransmissions and the time intervals in which they are attempted varies by TCP/IP stack. Eventually, the sending host ceases the connection attempts.
How can you distinguish retransmissions or retries from separate new TCP connections to a destination host? The source ports remain the same, and the TCP sequence numbers don't change for retransmissions. This is not a fail-safe detection method. It is also possible that the sender is crafting packets that use the same source ports and TCP sequence numbers. Examine the following set of retries—specifically, look at the time and the IP identification number changes. The IP identification numbers should change on a retry as well as a set of unique connections. The sending host generates an entirely new packet for the retry so the IP
identification number should increment or wrap:
17:14:18.726864 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380>(DF) (ttl 17, id 15697)
17:14:21.781140 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 33873)
17:14:27.776662 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 46113)
17:14:39.775929 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 54353)
Now, look at the time changes between attempted retries. Between the first and second connection attempts, the wait is approximately 3 seconds. This doubles to 6 seconds between the second and third connections. And, finally, this doubles again to 12 seconds between the third and fourth attempts. This doubling of the backoff time might not always be witnessed—different TCP/IP stacks use different retry-time algorithms for the subsequent retries.
Often, analysts not familiar with the concept of retries misread what is happening here. They erroneously believe that an attacker is attempting multiple connections to the destination host. Instead, the retries are automatically generated by TCP.
Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
A very clever defender against the Code Red worm scans of web servers, Tom Liston, wrote a program that "tarpits" scanners looking for unassigned IP numbers. Typically, when you see activity to an unassigned IP address, it might mean someone is scanning hosts on your network. He named his code LaBrea after the La Brea Tar Pit.
Here is how LaBrea works. It is installed on a local host and first listens for ARP requests to unassigned IP numbers. Usually, a router generates this ARP request for the unknown IP number. When no ARP reply is generated by a real host after three seconds, the LaBrea host fakes a response to an ARP reply.
If a SYN follows from the scanning host (in this case, usually an infected Code Red host), the LaBrea host fakes a SYN/ACK response. LaBrea does not examine the destination port, so this program could be used against any TCP scan or attempted TCP connection to an unassigned IP number. The scanning host then completes the three-way handshake and attempts to send some data. The LaBrea host now deliberately fails to respond by never ACKing the data sent by the scanning host. Thus, the scanning host is tarpitted in retransmissions until it times out. This consumes resources on the scanning host and slows its capability to scan, especially if it waits for a response to proceed with further scanning.
Let's examine what happens step by step in the LaBrea tarpit:
ARP request for unassigned IP 192.168.143.236
18:34:32.757821 arp who-has 192.168.143.236 tell 192.168.143.1 18:34:35.743528 arp who-has 192.168.143.236 tell 192.168.143.1
After 3 seconds and no ARP reply, LaBrea host fakes reply
18:34:35.743591 arp reply 192.168.143.236 (0:0:f:ff:ff:ff) is-at 0:0:f:ff:ff:ff
First, LaBrea looks for ARP requests on the local network. These usually come from the local routing device. If it sees no ARP reply after three seconds (this is the default wait time, however it can be changed by a command line option), it fakes an ARP reply. In this case, we see an ARP request for host 192.168.143.236 from the local router 192.168.143.1. This is an unassigned IP number. No ARP reply is seen and another ARP request is generated three seconds after the initial one.
After three seconds, the LaBrea host fakes an ARP reply and tells 192.168.143.1 that the MAC address for 192.168.143.236 is a bogus 0:0:f:ff:ff:ff. Neither the 192.168.143.236 address nor the MAC address is real. This is a way to allow the routing device to respond to the scanner without generating an ICMP unreachable error. Now, the LaBrea host will look for any traffic destined for the bogus MAC address going across the network.
After the bogus MAC address is generated by LaBrea, the scanning host's SYN attempt is
answered by the LaBrea host simulating a listening host and port as shown.
Infected Code Red host requests SYN
18:34:35.743817 codered.victim.com.1113 > 192.168.143.236.www: S
301190748:301190748(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
LaBrea host spoofs ACK
18:34:35.743940 192.168.143.236.www > codered.victim.com.1113: S 2516582400:2516582400(0) ack 301190749 win 10
Infected Code Red host completes three-way handshake
18:34:35.744190 codered.victim.com.1113 > 192.168.143.236.www: . ack 1 win 8576 (DF)
In the previous output, you see the codered.victim.com host attempt a SYN connection to the unassigned destination IP address 192.168.143.236 destination port 80 (www). LaBrea then generates a response to this connection with a SYN/ACK from the non-existent IP address 192.168.143.236. And, as expected, the codered.victim.com host completes the three-way handshake. The connection is now "established."
Next, the codered.victim.com host attempts to send 10 bytes of data to fill the receive buffer of
the bogus web server 192.168.143.236 as can be seen in the following output:
Code Red host sends 10 bytes of data
18:34:35.745555 codered.victim.com.1113 > 192.168.143.236.www: . 1:11(10) ack
1 win 8576 (DF)
Retransmission at +6 seconds
18:34:41.746643 codered.victim.com.1113 > 192.168.143.236.www: . 1:11(10) ack
1 win 8576 (DF)
Retransmission at +12 seconds
18:34:53.743027 codered.victim.com.1113 > 192.168.143.236.www: . 1:11(10) ack
1 win 8576 (DF)
Retransmission at +24 seconds
18:35:17.735734 codered.victim.com.1113 > 192.168.143.236.www: . 1:11(10) ack
1 win 8576 (DF)
Retransmission at +48 seconds
18:36:05.741181 codered.victim.com.1113 > 192.168.143.236.www: . 1:11(10) ack
1 win 8576 (DF)
Retransmission at +96 seconds
18:37:41.911995 codered.victim.com.1113 > 192.168.143.236.www: . 1:11(10) ack 1 win 8576 (DF)
3 minutes 6 seconds later retransmissions stop
There is no PUSH flag set as you are used to seeing because the PUSH flag is only set when the sending host empties its sending buffer. But, because codered.victim.com's send buffer is greater than 10 bytes, the only flag you see is the ACK flag acknowledging receipt of the bogus initial SYN connection from 192.168.143.236.
Now, here comes the tarpit. There is no acknowledgement of the data sent by codered.victim.com. So, it must retransmit the data. The retransmission timer for this particular host has an exponential backoff where it doubles the time between retries. Of the several runs of LaBrea attempted, the first retry varied in wait time from three to twelve seconds after the initial try. Several attempts used the six-second wait as manifested in the previous output.
Five retries and three minutes and six seconds after the initial attempt to send data, the codered.victim.com host gives up. But it has expended resources and been delayed in its scanning for this duration. If the scanning host waits for the response from the LaBrea host before continuing the scan, it has been slowed down in its efforts. This is more effective if the scanning host is tarpitted over and over again for all unassigned IPs on this network. Although it appears very tempting to use LaBrea, make sure that you understand the implications of doing so. First, as currently written, the tarpit is performed for any TCP connection for which there is no real destination IP, regardless of destination port number. If a real host in the network temporarily experiences problems and is unable to respond to an ARP request, legitimate connections might be erroneously tarpitted. Also, it appears that firewalls
that maintain state tables of connections can become encumbered by the tarpitted connections. LaBrea code can be found at www.hackbusters.net.
La Brea Tar Pit
La Brea Tar Pit is located in Los Angeles's Hancock Park. It was the site of a natural accumulation of tar that formed over oil. During the Early Pleistocene time (about 2.5 million years ago), animals became tarpitted and died when attempting to drink at the site or cross the tar formation.
TCP Window Size
The TCP window size is the method employed by a receiving host to inform the sending host of the current buffer size for data sent for that connection. This is a flow control mechanism because it is dynamic. The window size becomes smaller for all data that has been received, but not yet processed by the receiving host. If the receiving buffer ever becomes full, the window size becomes 0 informing the sending host to temporarily halt transmission of any more data. After the receiving host has processed some of the data in the buffer, it sends a window size update to the sending host to inform it to resume sending data.
As you can see, flow of control for TCP sessions is mostly done by the receiving host by use of the window size. We have a tendency to assume that the sender is really the one controlling the
flow of data across the network. But, for the most part, the receiver is the director of the data flow.
Initial window sizes are used by nmap to determine the operating system. Different TCP/IP stacks select different initial window sizes, which is used to help fingerprint the operating system.
LaBrea Version 2
If you recall, the original version of LaBrea was able to slow down a scanning or attacking host for the amount of time it took the attacker's TCP connection to time out from lack of a response after the three-way handshake. Depending on the attacker's TCP/IP stack implementation of the number of retries and the backoff time between timeouts, the attacker could be delayed several minutes.
LaBrea's author, Tom Liston, improved on his own concept using another technique known as the TCP persist timer. As we just learned, if a receiving host's TCP window is filled and it cannot accept any more data from the sender, it notifies the sender to cease sending data by setting the window size to 0. Ordinarily, when the receive buffer frees up space by sending the data to TCP, a TCP segment follows with a window size greater than 0. What if this new window advertisement is lost? Both sender and receiver would be frozen waiting for the other to act. There is a mechanism to deal with this known as a window probe. After a timer expires and the sender has not received any new window advertisement from the receiver, the sender transmits a TCP window probe that carries 1 byte of payload with the exclusive purpose of soliciting a response from the receiver to discover if the window size has been increased. The sender persists in sending window probes until the window size increases or until either of the end-host applications terminates.
The new version of LaBrea uses the persist timer to tarpit the attacker for an indefinite amount of time, as you can see from the following TCPdump output. It works exactly like the previous version of LaBrea up through the three-way handshake. Instead of not responding, LaBrea reacts to the sender's data with an acknowledgement, but with a window size of 0. It doesn't increase the window size via a window update forcing the scanner to send a window probe. The LaBrea host responds to the window probe, but again advertises the window size as 0. This pattern of window probe and a response of a window size of 0 continues indefinitely. This tarpits the attacker into a persistent connection with the LaBrea host if there is no intervention. Take a
look at the output:
19:28:07.577541 codered.victim.com.2045 > 10.10.10.155.www: S 882335286:882335286(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) 19:28:07.577618 10.10.10.155.www > codered.victim.com.2045: S 998514038:998514038(0) ack 882335287 win 5
19:28:07.577879 codered.victim.com.2045 > 10.10.10.155.www: . ack 1 win 8576 (DF)
19:28:07.581366 codered.victim.com.2045 > 10.10.10.155.www: . 1:6(5) ack 1 win 8576 (DF)
19:28:07.581437 10.10.10.155.www > codered.victim.com.2045: . ack 6 win 0 19:28:09.820965 codered.victim.com.2045 > 10.10.10.155.www: . 6:7(1) ack 1 win 8576 (DF)
19:28:09.821041 10.10.10.155.www > codered.victim.com.2045: . ack 6 win 0 19:28:14.424567 codered.victim.com.2045 > 10.10.10.155.www: . 6:7(1) ack 1 win 8576(DF)
19:28:14.424646 10.10.10.155.www > codered.victim.com.2045: . ack 6 win 0 19:28:23.621770 codered.victim.com.2045 > 10.10.10.155.www: . 6:7(1) ack 1 win 8576 (DF)
19:28:23.621845 10.10.10.155.www > codered.victim.com.2045: . ack 6 win 0 19:28:42.016162 codered.victim.com.2045 > 10.10.10.155.www: . 6:7(1) ack 1 win 8576 (DF)