- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
Part IV: Intrusion Infrastructure
15 Mitnick Attack
16 Architectural Issues
17 Organizational Issues
18 Automated and Manual Response
19 Business Case for Intrusion Detection
20 Future Directions
Chapter 15. Mitnick Attack
In the final section of the book, we will look at automated and manual responses, and architectural and organizational issues. We will use this chapter on the Mitnick attack to serve as a transition between this higher-level material and the more fundamental material that we have already covered. The Mitnick attack is one of the most famous intrusion cases to ever occur. If you are in the intrusion business, you should be aware of the techniques used by Mitnick to attack Tsutomu Shimomura's systems. In this chapter, we will also introduce many important issues, including reconnaissance and scanning for trust relationships. We will also consider perimeter and host defenses that are related to intrusion detection for our future discussions.
A primary source for this information is drawn from Shimomura's post on the Mitnick attack. If you want more information on the subject, or to get expanded versions of the quotations you see here, refer to tsutomu@ariel.sdsc.edu (Tsutomu Shimomura), comp.security.misc (date: 25 Jan 1995).
Exploiting TCP
The techniques Mr. Mitnick used were technical in nature and exploited weaknesses in TCP that were well known in academic circles, but not considered by system developers. The attack used two techniques: SYN flooding and TCP hijacking. Although SYN floods today can disable systems, the operating systems at the time of the attack, 1994, were far more susceptible to attack. The SYN flood kept one system from being able to transmit. Although it was in a mute state, the attacker assumed its apparent identity and hijacked the TCP connection. Mitnick detected a trust relationship between two computers and exploited that relationship. Surprisingly, few things have changed since then; for instance, computer systems are still set
up to be overly trusting, often as a convenience to the system administrators or users.
IP Weaknesses
A number of reconnaissance, exploit, and denial-of-service attacks take advantage of flaws in the architecture or implementation of the Internet Protocol stacks. In Chapter 4, "ICMP," we discussed the use of broadcast ICMP in both network mapping and denial of service with Smurf. In Chapter 3, "Fragmentation," we discussed penetration of perimeters with fragments as well as
malicious fragmentation with gaps and illegal offsets.
Some of these are older techniques, but new attacks based on programming flaws in IP implementations are being developed all the time. The following TCPdump trace is from the
SNMP test tool PROTOS, released in February 2002:
18:49:54.519006 10.0.0.1.59108 > 10.0.0.2.161: GetRequest(33)
.1.3.6.1.2.1.1.5.0[len3<asnlen4294967295] (DF) 0x0000 4500 004c 0000 4000 4011 269f 0a00 0001 0x0010 0a00 0002 e6e4 00a1 0038 0efc 302e 0201 0x0020 0004 0670 7562 6c69 63a0 2102 0206 9202 0x0030 0100 0201 0030 1530 1306 082b 0601 0201 0x0040 0105 0044 84ff ffff ff02 0100
When we first ran this test against a Red Hat Linux 7.0 box, two interesting things happened: The SNMP server application on the Linux box crashed, and the Ethereal network analyzer also crashed. Why did they crash? If you notice the ASN.1 length in the square brackets at the top of the trace, you will notice it is four billion some odd bytes. That is a lot of free memory to try to allocate, and attempting to do so crashed the SNMP and Ethereal applications. As we work our way into the Mitnick attack, we will see that available memory was a major issue in that attack. One simple way to exhaust memory that is used every day is intentionally not completing the three-way handshake. The weakness of TCP that Mitnick exploited comes from a design flaw in the early implementations of TCP stacks; however, this approach still does harm to some IP stacks.
TCP's Roots
When TCP was being developed, you couldn't purchase much memory for machines. If you could get 4 megabytes on a server, you were doing quite well. Therefore, the implementers of IP protocol stacks were very conservative.
The Internet is an outgrowth of a project from the 1970's by the US Department of Defense Advanced Research Projects Agency (ARPA). The ARPANET, as it was then called, was designed to be a non-reliable network service for computer communications over wide areas. In 1973 and 1974, a standard networking protocol, a communications protocol for exchanging data between computers on a network, emerged from the various research and educational efforts involved in this project. This became known as TCP/IP or the IP suite of protocols. The TCP/IP protocols enabled ARPANET computers to communicate irrespective of their computer operating system or their computer hardware.
For further information and the source of this quotation, see
www.ie.cuhk.edu.hk/~shlam/cstdi/history.html.
Let's take a closer look at this memory exhaustion problem. To an application program such as ftp or telnet, sockets are the lowest layer, a programming interface to networking hardware. IP is another layer and is above sockets. TCP sits on top of IP. Because TCP is connection oriented, it has to keep state information, including window and sequence number information. A typical Internet protocol stack contains information relating to sockets. TCP is connection oriented (or stateful), so the server must keep track of all condition states and sequence numbers.
The C code below came from my Unix workstation. It can be thought of as a database record |
|
with a number of fields. The key point is that each of these fields consumes memory. |
|
struct ip { |
|
#if defined(bsd) |
/* header length */ |
u_char ip_hl:4, |
|
ip_v:4; |
/* version */ |
#endif |
|
#if defined(powerpc) |
/* version */ |
u_char ip_v:4, |
|
ip_hl:4; |
/* header length */ |
#endif |
|
u_char |
ip_tos; |
|
/* type of service */ |
short |
ip_len; |
ip_id; |
/* total length */ |
|
u_short |
/* identification */ |
|
field */ |
short |
ip_off; |
/* fragment offset |
|
|
/* dont fragment flag */ |
|
#define IP_DF 0x3000 |
|
||
#define IP_MF 0x4000 |
ip_ttl; |
/* more fragments flag */ |
|
|
u_char |
/* time to live */ |
|
|
u_char |
ip_p; |
/* protocol */ |
|
u_short |
ip_sum; |
/* checksum */ |
*/ |
struct |
in_addr ip_src, ip_dst; /* source and dest address |
|
|
|
|
|
}; |
|
|
|
The preceding header file fragment is taken from an IP header file on a SunOS 4.1.3 system. A struct—in this case, struct ip—can be thought of as a database record and the items inside
as fields for that record. Every time a new connection is processed, these structs have to be created for socket, ip, and other protocol information. That takes memory, and lots of it. After a server replies to a SYN, it has committed memory and must keep it committed until the timer, usually set at about sixty seconds, allows the memory to be released if the connection is never established. Because memory is finite, the designers of stacks have set limits. The SYN flood attack exploits the queue size limit of the number of connections that can be simultaneously waiting to be established for a particular service. Though some modern operating systems are more resistant to these SYN flood attacks today, many are not. An unpatched Solaris 2.5 with a
GB of memory will still be DoSed after 32 SYNs.
SYN Flooding
In a modern SYN flood, the goal is simply to throw hundreds or thousands of packets per second at a server to exhaust either system resources, as we have discussed, or even network resources when the rate is high enough.
When an attacker sets up a SYN flood, he has no intention to complete the three-way handshake and establish the connection. Rather, the goal is to exceed the limits set for the number of connections waiting to be established for a given service. This caused IP stacks in the 1994 era to be unable to establish any additional connections for that service until the number of waiting connections dropped below the threshold. Until the threshold limit is met, each SYN packet generates a SYN/ACK that stays in the queue (which was generally between 5 and 10 total connections), waiting to be established. Today, queues can be much larger; ranges between 100 and 1000 are reasonable.
SYN Floods Five Years Later
SYN flooding was in the news in February 2000 with the famous DDoS attacks that were used against Yahoo! and other high-profile Internet sites. In the intervening years since the Mitnick attack, there have been some improvements in system networking stacks and perimeter defenses. The answer of the attackers has been simple: raise the number of SYNs by several orders of magnitude. The SYN flood described here is fairly elegant; the ones common to the Internet today are pure brute force.
Each connection has a timer, a limit to how long the system waits for connection establishment. The hourglass in Figure 15.1 represents the timer, which tends to be set for about a minute. After the time limit has been exceeded, the memory that holds the state for that connection is released and the service queue count is decremented by one. After the limit has been reached, the service queue can be kept full, preventing the system from establishing new connections on that port with about 10 new SYN packets per minute.
Figure 15.1. Getting down to it.
Covering His Tracks
Because the only purpose of the technique is to perform a denial-of-service attack, it doesn't make sense to use the attacker's actual Internet address. The attacker is not establishing a connection; he is flooding a queue, so there is no point in having the SYN/ACKs return to the attacker. The attacker doesn't want to make it easy for folks to track the connection back to
him. Therefore, the source address of the packet is generally spoofed. The following IP header is from actual attack code for a SYN flood. At the very bottom, notice the dadd and sadd for
destination and source address, respectively:
/* Fill in all the IP header information */
packet.ip.version=4; |
/* 4-bit Version */ |
packet.ip.ihl=5; |
/* 4-bit Header Length */ |
packet.ip.tos=0; |
/* 8-bit Type of service */ |
packet.ip.tot_len=htons(40); |
/* 16-bit Total length */ |
packet.ip.id=getpid(); |
/* 16-bit ID field */ |
packet.ip.frag_off=0; |
/* 13-bit Fragment offset */ |
packet.ip.ttl=255; |
/* 8-bit Time To Live */ |
packet.ip.protocol=IPPROTO_TCP; |
/* 8-bit Protocol */ |
packet.ip.check=0; |
/* 16-bit Header checksum (filled in |
below) */ |
/* 32-bit Source Address */ |
packet.ip.saddr=sadd; |
|
packet.ip.daddr=dadd; |
/* 32-bit Destination Address */ |
As the following code fragment shows, this technique even uses an error-checking routine to
make sure the address chosen is routable, but not active. When the attacker enters an address, the attack code pings the address (notice the slickping line in the following code fragment)
to ensure it meets these requirements. If the address is active, it sends a RESET when it receives the SYN/ACK for the system under attack. When the target system receives the RESET, it releases the memory and decrements the service queue counter, rendering the attack ineffective. From an intrusion-detection standpoint, these bogus packets assembled for the purpose of attacking and probing can be called crafted packets. Quite often, the authors of software that craft packets make a small error at some point, or take a shortcut, and this gives the packet a unique signature. You can use these signatures in intrusion detection. When you