- Network Intrusion Detection, Third Edition
- Table of Contents
- Copyright
- About the Authors
- About the Technical Reviewers
- Acknowledgments
- Tell Us What You Think
- Introduction
- Chapter 1. IP Concepts
  - Layers
  - Data Flow
  - Packaging (Beyond Paper or Plastic)
  - Bits, Bytes, and Packets
  - Encapsulation Revisited
  - Interpretation of the Layers
  - Addresses
  - Physical Addresses, Media Access Controller Addresses
  - Logical Addresses, IP Addresses
  - Subnet Masks
  - Service Ports
  - IP Protocols
  - Domain Name System
  - Routing: How You Get There from Here
  - Summary
- Chapter 2. Introduction to TCPdump and TCP
  - TCPdump
  - TCPdump Behavior
  - Filters
  - Binary Collection
  - TCPdump Output
  - Absolute and Relative Sequence Numbers
  - Dumping in Hexadecimal
  - Introduction to TCP
  - Establishing a TCP Connection
  - Server and Client Ports
  - Connection Termination
  - The Graceful Method
  - The Abrupt Method
  - Data Transfer
  - What's the Bottom Line?
  - TCP Gone Awry
  - An ACK Scan
  - A Telnet Scan?
  - TCP Session Hijacking
  - Summary
- Chapter 3. Fragmentation
  - Theory of Fragmentation
  - All Aboard the Fragment Train
  - The Fragment Dining Car
  - The Fragment Caboose
  - Viewing Fragmentation Using TCPdump
  - Fragmentation and Packet-Filtering Devices
  - The Don't Fragment Flag
  - Malicious Fragmentation
  - TCP Header Fragments
  - Teardrop
  - Summary
- Chapter 4. ICMP
  - ICMP Theory
  - Why Do You Need ICMP?
  - Where Does ICMP Fit In?
  - Understanding ICMP
  - Summary of ICMP Theory
  - Mapping Techniques
  - Tireless Mapper
  - Efficient Mapper
  - Clever Mapper
  - Cerebral Mapper
  - Summary of Mapping
  - Normal ICMP Activity
  - Host Unreachable
  - Port Unreachable
  - Admin Prohibited
  - Need to Frag
  - Time Exceeded In-Transit
  - Embedded Information in ICMP Error Messages
  - Summary of Normal ICMP
  - Malicious ICMP Activity
  - Smurf Attack
  - Tribe Flood Network
  - WinFreeze
  - Loki
  - Unsolicited ICMP Echo Replies
  - Theory 1: Spoofing
  - Theory 2: TFN
  - Theory 3: Loki
  - Summary of Malicious ICMP Traffic
  - To Block or Not to Block
  - Unrequited ICMP Echo Requests
  - Kiss traceroute Goodbye
  - Silence of the LANs
  - Broken Path MTU Discovery
  - Summary
- Chapter 5. Stimulus and Response
  - The Expected
  - Request for Comments
  - TCP Stimulus-Response
  - Destination Host Listens on Requested Port
  - Destination Host Not Listening on Requested Port
  - Destination Host Doesn't Exist
  - Destination Port Blocked
  - Destination Port Blocked, Router Doesn't Respond
  - UDP Stimulus-Response
  - Destination Host Listening on Requested Port
  - Destination Host Not Listening on Requested Port
  - Windows tracert
  - TCPdump of tracert
  - Protocol Benders
  - Active FTP
  - Passive FTP
  - UNIX Traceroute
  - Summary of Expected Behavior and Protocol Benders
  - Abnormal Stimuli
  - Evasion Stimulus, Lack of Response
  - Evil Stimulus, Fatal Response
  - No Stimulus, All Response
  - Unconventional Stimulus, Operating System Identifying Response
  - Bogus "Reserved" TCP Flags
  - Anomalous TCP Flag Combinations
  - No TCP Flags
  - Summary of Abnormal Stimuli
  - Summary
- Chapter 6. DNS
  - Back to Basics: DNS Theory
  - The Structure of DNS
  - Steppin' Out on the Internet
  - DNS Resolution Process
  - TCPdump Output of Resolution
  - Strange TCPdump Notation
  - Caching: Been There, Done That
  - Reverse Lookups
  - Master and Slave Name Servers
  - Zone Transfers
  - Summary of DNS Theory
  - Using DNS for Reconnaissance
  - The nslookup Command
  - Name That Name Server
  - HINFO: Snooping for Details
  - List Zone Map Information
  - Tainting DNS Responses
  - A Weak Link
  - Cache Poisoning
  - Summary
- Part II: Traffic Analysis
- Chapter 7. Packet Dissection Using TCPdump
  - Why Learn to Do Packet Dissection?
  - Sidestep DNS Queries
  - Normal Query
  - Evasive Query
  - Introduction to Packet Dissection Using TCPdump
  - Where Does the IP Stop and the Embedded Protocol Begin?
  - Other Length Fields
  - The IP Datagram Length
  - Increasing the Snaplen
  - Dissecting the Whole Packet
  - Freeware Tools for Packet Dissection
  - Ethereal
  - tcpshow
  - Summary
- Chapter 8. Examining IP Header Fields
  - Insertion and Evasion Attacks
  - Insertion Attacks
  - Evasion Attacks
  - IP Header Fields
  - IP Version Number
  - Protocol Number
  - The Don't Fragment (DF) Flag
  - The More Fragments (MF) Flag
  - Mapping Using Incomplete Fragments
  - IP Numbers
  - IP Identification Number
  - Time to Live (TTL)
  - Looking at the IP ID and TTL Values Together to Discover Spoofing
  - IP Checksums
  - Summary
- Chapter 9. Examining Embedded Protocol Header Fields
  - Ports
  - TCP Checksums
  - TCP Sequence Numbers
  - Acknowledgement Numbers
  - TCP Flags
  - TCP Corruption
  - ECN Flag Bits
  - Operating System Fingerprinting
  - Retransmissions
  - Using Retransmissions Against a Hostile Host: LaBrea Tarpit Version 1
  - TCP Window Size
  - LaBrea Version 2
  - Ports
  - UDP Port Scanning
  - UDP Length Field
  - ICMP
  - Type and Code
  - Identification and Sequence Numbers
  - Misuse of ICMP Identification and Sequence Numbers
  - Summary
- Chapter 10. Real-World Analysis
  - You've Been Hacked!
  - Netbus Scan
  - How Slow Can You Go?
  - RingZero Worm
  - Summary
- Chapter 11. Mystery Traffic
  - The Event in a Nutshell
  - The Traffic
  - DDoS or Scan
  - Source Hosts
  - Destination Hosts
  - Scanning Rates
  - Fingerprinting Participant Hosts
  - Arriving TTL Values
  - TCP Window Size
  - TCP Options
  - TCP Retries
  - Summary
- Part III: Filters/Rules for Network Monitoring
- Chapter 12. Writing TCPdump Filters
  - The Mechanics of Writing TCPdump Filters
  - Bit Masking
  - Preserving and Discarding Individual Bits
  - Creating the Mask
  - Putting It All Together
  - TCPdump IP Filters
  - Detecting Traffic to the Broadcast Addresses
  - Detecting Fragmentation
  - TCPdump UDP Filters
  - TCPdump TCP Filters
  - Filters for Examining TCP Flags
  - Detecting Data on SYN Connections
  - Summary
- Chapter 13. Introduction to Snort and Snort Rules
  - An Overview of Running Snort
  - Snort Rules
  - Snort Rule Anatomy
  - Rule Header Fields
  - The Action Field
  - The Protocol Field
  - The Source and Destination IP Address Fields
  - The Source and Destination Port Field
  - Direction Indicator
  - Summary
- Chapter 14. Snort Rules - Part II
  - Format of Snort Options
  - Rule Options
  - Msg Option
  - Logto Option
  - Ttl Option
  - Id Option
  - Dsize Option
  - Sequence Option
  - Acknowledgement Option
  - Itype and Icode Options
  - Flags Option
  - Content Option
  - Offset Option
  - Depth Option
  - Nocase Option
  - Regex Option
  - Session Option
  - Resp Option
  - Tag Option
  - Putting It All Together
  - Summary
- Part IV: Intrusion Infrastructure
- Chapter 15. Mitnick Attack
  - Exploiting TCP
  - IP Weaknesses
  - SYN Flooding
  - Covering His Tracks
  - Identifying Trust Relationships
  - Examining Network Traces
  - Setting Up the System Compromise?
  - Detecting the Mitnick Attack
  - Trust Relationship
  - Port Scan
  - Host Scan
  - Connections to Dangerous Ports
  - TCP Wrappers
  - Tripwire
  - Preventing the Mitnick Attack
  - Summary
- Chapter 16. Architectural Issues
  - Events of Interest
  - Limits to Observation
  - Human Factors Limit Detects
  - Limitations Caused by the Analyst
  - Limitations Caused by the CIRTs
  - Severity
  - Criticality
  - Lethality
  - Countermeasures
  - Calculating Severity
  - Scanning for Trojans
  - Analysis
  - Severity
  - Host Scan Against FTP
  - Analysis
  - Severity
  - Sensor Placement
  - Outside Firewall
  - Sensors Inside Firewall
  - Both Inside and Outside Firewall
  - Analyst Console
  - Faster Console
  - False Positive Management
  - Display Filters
  - Mark as Analyzed
  - Drill Down
  - Correlation
  - Better Reporting
  - Event-Detection Reports
  - Weekly/Monthly Summary Reports
  - Summary
- Chapter 17. Organizational Issues
  - Organizational Security Model
  - Security Policy
  - Industry Practice for Due Care
  - Security Infrastructure
  - Implementing Priority Countermeasures
  - Periodic Reviews
  - Implementing Incident Handling
  - Defining Risk
  - Risk
  - Accepting the Risk
  - Trojan Version
  - Malicious Connections
  - Mitigating or Reducing the Risk
  - Network Attack
  - Snatch and Run
  - Transferring the Risk
  - Defining the Threat
  - Recognition of Uncertainty
  - Risk Management Is Dollar Driven
  - How Risky Is a Risk?
  - Quantitative Risk Assessment
  - Qualitative Risk Assessments
  - Why They Don't Work
  - Summary
- Chapter 18. Automated and Manual Response
  - Automated Response
  - Architectural Issues
  - Response at the Internet Connection
  - Internal Firewalls
  - Host-Based Defenses
  - Throttling
  - Drop Connection
  - Shun
  - Proactive Shunning
  - Islanding
  - Reset
  - Honeypot
  - Proxy System
  - Empty System
  - Honeypot Summary
  - Manual Response
  - Containment
  - Freeze the Scene
  - Sample Fax Form
  - On-Site Containment
  - Site Survey
  - System Containment
  - Hot Search
  - Eradication
  - Recovery
  - Lessons Learned
  - Summary
- Chapter 19. Business Case for Intrusion Detection
  - Part One: Management Issues
  - Bang for the Buck
  - The Expenditure Is Finite
  - Technology Used to Destabilize
  - Network Impacts
  - IDS Behavioral Modification
  - The Policy
  - Part of a Larger Strategy
  - Part Two: Threats and Vulnerabilities
  - Threat Assessment and Analysis
  - Threat Vectors
  - Threat Determination
  - Asset Identification
  - Valuation
  - Vulnerability Analysis
  - Risk Evaluation
  - Part Three: Tradeoffs and Recommended Solution
  - Identify What Is in Place
  - Identify Your Recommendations
  - Identify Options for Countermeasures
  - Cost-Benefit Analysis
  - Follow-On Steps
  - Repeat the Executive Summary
  - Summary
- Chapter 20. Future Directions
  - Increasing Threat
  - Improved Targeting
  - How the Threat Will Be Manifested
  - Defending Against the Threat
  - Skills Versus Tools
  - Analysts Skill Set
  - Improved Tools
  - Defense in Depth
  - Emerging Techniques
  - Virus Industry Revisited
  - Smart Auditors
  - Summary
- Part V: Appendixes
- Appendix A. Exploits and Scans to Apply Exploits
  - False Positives
  - All Response, No Stimulus
  - Scan or Response?
  - SYN Floods
  - Valid SYN Flood
  - False Positive SYN Flood
  - Back Orifice?
  - IMAP Exploits
  - 10143 Signature Source Port IMAP
  - 111 Signature IMAP
  - Source Port 0, SYN and FIN Set
  - Source Port 65535 and SYN FIN Set
  - DNS Zone Followed by 0, SYN FIN Targeting NFS
  - Scans to Apply Exploits
  - mscan
  - Son of mscan
  - Access Builder?
  - Single Exploit, Portmap
  - rexec
  - Targeting SGI Systems?
  - Discard
  - Weird Web Scans
  - IP-Proto-191
  - Summary
- Appendix B. Denial of Service
  - Brute-Force Denial-of-Service Traces
  - Smurf
  - Directed Broadcast
  - Echo-Chargen
  - Elegant Kills
  - Teardrop
  - Land Attack
  - We're Doomed
  - nmap
  - Distributed Denial-of-Service Attacks
  - Intro to DDoS
  - DDoS Software
  - Trinoo
  - Stacheldraht
  - Summary
- Appendix C. Detection of Intelligence Gathering
  - Network and Host Mapping
  - Host Scan Using UDP Echo Requests
  - Netmask-Based Broadcasts
  - Port Scan
  - Scanning for a Particular Port
  - Complex Script, Possible Compromise
  - "Random" Port Scan
  - Database Correlation Report
  - SNMP/ICMP
  - FTP Bounce
  - NetBIOS-Specific Traces
  - A Visit from a Web Server
  - Null Session
  - Stealth Attacks
  - Explicit Stealth Mapping Techniques
  - FIN Scan
  - Inverse Mapping
  - Answers to Domain Queries
  - Answers to Domain Queries, Part 2
  - Fragments, Just Fragments
  - Measuring Response Time
  - Echo Requests
  - Actual DNS Queries
  - Probe on UDP Port 33434
  - 3DNS to TCP Port 53
  - Worms as Information Gatherers
  - Pretty Park Worm
  - RingZero
  - Summary
Now that you have counted your way to the Protocol field, what is it and what does it do? The value in this field tells you what protocol is found in the embedded data. Suppose that the value you find in this byte is 17. You might find the protocol value expressed in hexadecimal. A hexadecimal 11 is the same as a decimal 17. This means that a UDP packet is embedded after the IP header. A value of 6 means that the embedded packet is TCP, and a value of 1 means that it is Internet Control Message Protocol (ICMP).
Base 16, Hexadecimal
Okay, so you have learned that binary is base 2 and is made up of 0s and 1s. This is the numbering system used by computers to represent data. So, why complicate the matter with another entirely new numbering system, base 16 (or hexadecimal)? The real dilemma is that it takes a lot of bits to represent any sizable number and, therefore, binary becomes very unwieldy very soon. Hexadecimal assists in referencing binary numbers in a more abbreviated notation. You can replace 4 binary bits with 1 hexadecimal character (2^4 = 16).
Consider, for example, the IP header protocol field; it is 8 bits. That can be converted into 2 hex characters. A decimal 17 in the protocol field, as mentioned earlier, means that the embedded protocol is UDP. How do you go from a decimal 17 to a hexadecimal 11?
| 2^7 | 2^6 | 2^5 | 2^4 | 2^3 | 2^2 | 2^1 | 2^0 |
| 0 | 0 | 0 | 1 | 0 | 0 | 0 | 1 |
The binary powers of the 8 bits are shown. To arrive at 17, you need to have the bit corresponding to 16 (or 2^4) set to 1, and the bit corresponding to 1 (2^0) set to 1; that is, 16 + 1 = 17. These have been grouped as two hex digits, two 4-bit clumps. The 4 bits (or hex character) that are leftmost (also known as high-order or most significant bits) have a value of 0001. Likewise, the 4 bits that are rightmost (also known as low-order or least significant bits) have a value of 0001. Each hex character represents values of 0 through 15. Each of these clumps has only its low-order bit (2^0) set, and so we arrive at the value of 11 hexadecimal (also written 0x11, in which the 0x distinguishes this as hex, not decimal).
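To make the "counting your way to the Protocol field" exercise concrete, here is an added example (not code from the book) that builds a minimal IPv4 header, pulls out the Protocol byte at offset 9, and shows the same value as decimal, hex, and the two 4-bit clumps the sidebar describes. The header values (source and destination addresses, IP ID, TTL, a zero checksum) are constructed sample data, and the hex dump mimics the four-hex-digit groups tcpdump prints with -x so you can spot the byte by eye.

```python
import struct

# Protocol numbers named in the text: 1 = ICMP, 6 = TCP, 17 = UDP.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_ipv4_header(protocol, src="192.168.5.5", dst="192.168.5.1"):
    """Build a minimal 20-byte IPv4 header (constructed sample; checksum left as 0).

    Field order, in network byte order: version/IHL, TOS, total length, ID,
    flags+fragment offset, TTL, protocol, checksum, source, destination.
    """
    def ip_to_bytes(address):
        return bytes(int(octet) for octet in address.split("."))

    version_ihl = (4 << 4) | 5              # version 4, header length 5 x 32-bit words
    return struct.pack("!BBHHHBBH4s4s",
                       version_ihl, 0, 20, 0x1234, 0, 64, protocol, 0,
                       ip_to_bytes(src), ip_to_bytes(dst))


def hex_dump(packet):
    """Render bytes as tcpdump -x style groups of two bytes (four hex digits)."""
    digits = packet.hex()
    return " ".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def protocol_field(header):
    """The Protocol field is the tenth byte of the IP header, i.e. offset 9 from 0."""
    return header[9]


def describe_protocol(value):
    """Show one 8-bit value as decimal, hex, and its high/low 4-bit clumps."""
    bits = format(value, "08b")
    return {
        "decimal": value,
        "hex": f"0x{value:02x}",
        "high_nibble": bits[:4],           # most significant 4 bits
        "low_nibble": bits[4:],            # least significant 4 bits
        "name": PROTOCOL_NAMES.get(value, "other"),
    }


if __name__ == "__main__":
    header = build_ipv4_header(17)
    print(hex_dump(header))                # the "11" in the fifth group is the Protocol byte
    print(describe_protocol(protocol_field(header)))
```

Run it and compare the fifth four-digit group of the dump (`4011`) with the output of describe_protocol: the `40` is the TTL of 64 and the `11` is the UDP protocol number, 0001 0001 in binary.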
Addresses
Most likely, you have heard the term IP address. But, what does it really represent and what does it really do? And, exactly how do hosts address each other? These are some of the topics covered in this section.
Physical Addresses, Media Access Controller Addresses
You can scour the headers of IP packets looking for physical layer MAC addresses until you turn blue, and you will not find them. MAC addresses do not mean anything to IP, which uses logical addresses; they are not part of the protocol. For all intents and purposes, they may as well not exist.
By the same token, physical MAC addresses are how the Ethernet card interfaces with the network. The Ethernet card does not know a single thing about IP, IP headers, or logical IP addresses. So, you are faced with the signature line of Cool Hand Luke: "What we have here is a failure to communicate." Clearly, if things are going to work, a process is required that maps logical IP addresses to physical MAC addresses and back.
Do you know the IP address of your desktop computer? If you don't, you are not really one down at all; it is absolutely normal not to know it. It is normal for several reasons, one being that these days most of you don't own, or even get to keep, the same IP address. IP address space is a precious commodity. When you connect to the network, many of you are loaned an address for that session, or possibly longer, by an Internet service provider (ISP) or network service provider via a protocol such as Dynamic Host Configuration Protocol (DHCP).
Leasing an IP Number: Dynamic Host Configuration Protocol
DHCP is a protocol that permits dynamic assignment of IP numbers. This replaces the labor-intensive process of IP address management, in which every host is configured with a static IP number assigned to it. DHCP allows the centralization and automation of the IP assignment process. Hosts are leased an IP number for a given amount of time, and this makes the process of managing and administering large networks more efficient. This is good for the network administrator, but makes the security administrator's job more complicated (for example, when some IP number and associated temporary owner have to be chased down for questionable activity).
Exactly how many possible IP numbers are there? The exact number is 2^32 (because the address is composed of 32 bits), which is a number higher than 4 billion. But, every single IP number is not available; reserved ranges decrease the possible numbers. With the explosive growth of the Internet worldwide, the sad realization has dawned that the IP addresses are being rapidly depleted. What are some remedies for the address depletion?
First, a particular site can use DHCP and assign IP numbers temporarily for the duration of their use. This means that not all hosts will be active at any given time and a smaller pool of possible IP numbers is required. The other remedy is something known as reserved private addresses. The governing body of the Internet, the Internet Assigned Numbers Authority (IANA), has set aside blocks of IP addresses to be used for internal addresses only. For instance, the 192.168 and 172.16 subnets are to be used for hosts talking within a particular network. This traffic should not leave the site's gateway. This allows a site with an insufficient number of IP addresses to use these Class B network addresses for internal purposes and to save the assigned IP addresses for other purposes.
Okay, go ahead and smirk now; some of you did know your IP address. That is good. However, do you know your host's MAC address by heart? The answer would most likely be "no," because almost no one knows his MAC address. There are several reasons for this, but the primary one is that a 48-bit address with no provisions for human memorization is hard to lock into the brain.
The Address Resolution Protocol (ARP) resolves a logical IP address to the corresponding physical MAC address. ARP is not an IP protocol per se; it is the process of sending an Ethernet frame to all systems on the same network segment. This is known as a broadcast. If a message is a broadcast message, it is sent to all the machines on part of or the entire network. A point worth emphasizing is that ARP is for locally attached hosts only on the same network; this cannot be done between hosts on different networks.
The source host broadcasts the ARP request, and then presumably the destination host picks it up and replies with its MAC address. During this transaction, both the source and destination host, and any listening hosts on the network, cache (or save) what they have learned about the other host, thereby storing the IP and MAC addresses. This storage cuts down on the number of new ARP requests required. Ultimately, on the same network segment, the communications will occur between MAC addresses and not IP addresses. They might begin as a TCP/IP transaction with two hosts communicating between the same layers of TCP/IP, but when the actual delivery occurs, communication is between two hosts' MAC addresses.
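The request/reply exchange and the caching that every listening host performs, as an added example that is not code from the book. It builds the two Ethernet frames (ARP request to the broadcast MAC, ARP reply back to the asker), parses them, and tracks what three hosts remember afterwards: A, which asked; B, which answered; and C, which only listened. All MAC and IP addresses are constructed sample values, and the scenario assumes C can see the unicast reply, which holds on a shared segment or for an interface in promiscuous mode, such as an IDS sensor.

```python
import struct

# Ethernet/IPv4 ARP layout per RFC 826. Addresses below are constructed samples.
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
UNKNOWN_MAC = "00:00:00:00:00:00"       # placeholder target MAC in a request
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP packet. A request is sent to the broadcast
    MAC so every host on the segment sees it; a reply goes straight to the asker."""
    dst_mac = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    ethernet = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype 1 = Ethernet, ptype 0x0800 = IPv4, hlen 6, plen 4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return ethernet + arp


def parse_arp_frame(frame):
    """Pull the fields back out of a raw frame, checking that it really is ARP."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    body = frame[22:42]
    return {
        "dst_mac": bytes_to_mac(frame[0:6]),
        "op": op,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": bytes_to_ip(body[16:20]),
    }


class ArpCache:
    """What a host remembers after seeing ARP traffic: sender IP -> sender MAC.
    Both requests and replies carry a valid sender pair, so any host that sees
    the frame can cache it and skip a fresh ARP request later."""

    def __init__(self):
        self.entries = {}

    def learn(self, frame):
        fields = parse_arp_frame(frame)
        self.entries[fields["sender_ip"]] = fields["sender_mac"]
        return fields


def simulate_exchange():
    """Constructed scenario: host A asks for host B's MAC while host C listens."""
    a_mac, a_ip = "00:11:22:33:44:55", "192.168.5.5"
    b_mac, b_ip = "66:77:88:99:aa:bb", "192.168.5.1"
    a_cache, b_cache, c_cache = ArpCache(), ArpCache(), ArpCache()

    request = build_arp_frame(ARP_REQUEST, a_mac, a_ip, UNKNOWN_MAC, b_ip)
    for cache in (b_cache, c_cache):        # broadcast: every other host processes it
        cache.learn(request)

    reply = build_arp_frame(ARP_REPLY, b_mac, b_ip, a_mac, a_ip)
    for cache in (a_cache, c_cache):        # unicast to A; C sees it as a listener
        cache.learn(reply)

    return {"request": request, "reply": reply,
            "A": a_cache.entries, "B": b_cache.entries, "C": c_cache.entries}


if __name__ == "__main__":
    result = simulate_exchange()
    print(parse_arp_frame(result["request"]))
    print(parse_arp_frame(result["reply"]))
    for host in "ABC":
        print(host, result[host])
```

After the exchange, A knows B's MAC, B knows A's, and the listener C knows both without ever sending a frame, which is exactly why the actual delivery on the segment can proceed MAC to MAC.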
Why are MAC addresses so huge? After all, 48 bits is a lot of address space. The idea was that they would be unique for all time and space! That sounds good if you say it real fast, but future plans are to expand this value to 128 bits to accommodate its current limitations in allowing each NIC manufacturer to have a unique vendor code embedded in the MAC address.
Logical Addresses, IP Addresses
An IP address has 32 allocated bits to identify a host. This 32-bit number is expressed as four decimal numbers separated by periods (for example, 192.168.5.5). These are not just random or sequential assignments. The initial portion of the IP number tells something about the size of the network on which the host resides. The remainder of the IP number distinguishes hosts on that network. Addresses are categorized by class; classes tell how many hosts are in a given network or how many bits in the IP address are assigned for the unique hosts in a network (see Table 1.1). A grouping known as Class A addresses assigns the initial 8 bits for a network portion of the address, for example, and the final 24 bits for the host portion of the address. Because 24 bits have been allocated for the hosts, more than 16 million (2^24 - 1) hosts can possibly be in the network. An example of a Class A network is the 18.0.0.0 through 18.255.255.255 IP space assigned to the Massachusetts Institute of Technology.
Table 1.1. 32 Bits for IP Address Space
| Class | Network Bits | Host Bits | Number of Hosts |
| A | 8 | 24 | 16 million+ |
| B | 16 | 16 | 65,000+ |
| C | 24 | 8 | 255 |
The IP address classes range from Class A addresses to Class E. Classes A, B, and C are unicast addresses; when you send a packet to them, presumably you are addressing a single machine. Class D is known as a multicast address used to communicate with a designated set of hosts. Class E is reserved for experimental use. Table 1.2 shows the address range associated with each class.
Table 1.2. Address Classes and IP Ranges
| Class | Beginning IP | Ending IP |
| A | 0.0.0.0 | 127.255.255.255 |
| B | 128.0.0.0 | 191.255.255.255 |
| C | 192.0.0.0 | 223.255.255.255 |
| D | 224.0.0.0 | 239.255.255.255 |
| E | 240.0.0.0 | 247.255.255.255 |
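As an added example (not the book's code), the following Python puts Tables 1.1 and 1.2 and the reserved private ranges from the DHCP sidebar to work: it reads the class from the leading bits of the first octet (0 for A, 10 for B, 110 for C, 1110 for D, 1111 for E), splits a unicast address into its classful network and host portions, and flags the internal-only blocks. It assumes the 172.16 block is the RFC 1918 range 172.16.0.0/12 and also lists 10.0.0.0/8, the third RFC 1918 block, which the text does not mention; the test addresses are constructed samples apart from MIT's 18.0.0.0 space named in the text.

```python
import ipaddress

# Network-portion widths from Table 1.1; D (multicast) and E (experimental)
# are not split into network and host portions.
CLASS_NETWORK_BITS = {"A": 8, "B": 16, "C": 24}

# Internal-only blocks: 192.168 and 172.16 as named in the text, plus 10/8,
# the third RFC 1918 block (added here, not listed on the page).
PRIVATE_BLOCKS = [ipaddress.ip_network(block)
                  for block in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


def address_class(ip):
    """Classify by the leading bits of the first octet, which is how the
    ranges in Table 1.2 come about."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet & 0b10000000 == 0:
        return "A"                     # 0xxxxxxx: 0 - 127
    if first_octet & 0b11000000 == 0b10000000:
        return "B"                     # 10xxxxxx: 128 - 191
    if first_octet & 0b11100000 == 0b11000000:
        return "C"                     # 110xxxxx: 192 - 223
    if first_octet & 0b11110000 == 0b11100000:
        return "D"                     # 1110xxxx: 224 - 239, multicast
    return "E"                         # 1111xxxx: 240 and up, experimental


def classful_split(ip):
    """Split a unicast address into classful network and host portions."""
    cls = address_class(ip)
    if cls not in CLASS_NETWORK_BITS:
        return {"class": cls, "unicast": False}
    network_bits = CLASS_NETWORK_BITS[cls]
    host_bits = 32 - network_bits
    value = int(ipaddress.IPv4Address(ip))
    network_mask = ((1 << network_bits) - 1) << host_bits
    return {
        "class": cls,
        "unicast": True,
        "network_bits": network_bits,
        "host_bits": host_bits,
        "network": str(ipaddress.IPv4Address(value & network_mask)),
        "host_number": value & ~network_mask & 0xFFFFFFFF,
        # raw number of host-portion values, the "16 million+" column
        "host_count": 1 << host_bits,
    }


def is_reserved_private(ip):
    """True if the address should never leave the site's gateway."""
    address = ipaddress.ip_address(ip)
    return any(address in block for block in PRIVATE_BLOCKS)


if __name__ == "__main__":
    for sample in ("18.7.22.69", "130.207.1.1", "192.168.5.5", "224.0.0.1", "240.0.0.1"):
        print(sample, classful_split(sample), "private" if is_reserved_private(sample) else "")
```

A sensor that sees a packet arriving from the Internet with a 192.168 or 172.16 source address has, by the rule in the text, seen something that should have been dropped at a gateway, so is_reserved_private is the kind of check an ingress filter or an IDS rule performs.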