- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
detect evidence of a crafted packet, you know the sender is up to something. Take a look: case 3:
if(!optflags[1]){
fprintf(stderr,"Um, enter a host first\n");
usleep(MENUSLEEP);
break;
}
/* Raw ICMP socket */
if((sock2=socket(AF_INET,SOCK_RAW,IPPROTO_ICMP))<0){ perror("\nHmmm.... socket problems\n");
exit(1);
}
printf("[number of ICMP_ECHO's]-> "); fgets(tmp,MENUBUF,stdin); if(!(icmpAmt=atoi(tmp)))break; if(slickPing(icmpAmt,sock2,unreach)){
fprintf(stderr,"Host is reachable...
Pick a new one\n"); sleep(1);
Now you have a technique to use as a generic denial of service. You hit a target system with SYNs until it cannot speak (establish new connections). Systems vulnerable to this attack can be kept out of service until the attacker decides to go away and SYN no more. In the Mitnick attack, the goal was to silence one side of a TCP connection and masquerade as the silenced, trusted party.
What would attackers use today to accomplish the same thing? Any good current denial-of- service tool—for instance, an attack against Windows computers that has been pretty effective is jolt.c, based on malicious oversize ICMP messages.
Identifying Trust Relationships
So how did Mitnick identify which system to silence? How did he confirm a trust relationship existed? It turns out that many complex attacks are preceded by intelligence gathering techniques, or recon probes. Here are the recon probes detected by TCPdump, a networkmonitoring tool developed by the Department of Energy's Lawrence Livermore Lab and reported in Tsutomu's post.
"The IP spoofing attack started at about 14:09:32 PST on 12/25/94. The first probes were from
toad.com." (This information was derived from packet logs.)"
14:09:32 toad.com# finger -l @target 14:10:21 toad.com# finger -l @server 14:10:50 toad.com# finger -l root@server 14:11:07 toad.com# finger -l @x-terminal 14:11:38 toad.com# showmount -e x-terminal 14:11:49 toad.com# rpcinfo -p x-terminal 14:12:05 toad.com# finger -l root@x-terminal
Each of the commands shown—finger, showmount, and rpcinfo—can provide information
about UNIX systems. If you work in a UNIX environment and haven't experimented with these commands in a long while, it might be worthwhile to substitute some of your machine names for target, server, and x-terminal to see what you can learn. Here is the information you can glean from the following commands:
● finger tells you who is logged on to the system, when they logged on, when they last logged on, where they are logging on from, how long they have been idle, whether they
have mail, and when their birthday is (well, scratch the birthday). The analogous command for Microsoft Windows systems is NBTSTAT.
∙finger Example:
∙[root@toad /tmp]# finger @some.host.net
∙[some.host.net]
∙ |
Login |
Name |
TTY |
Idle |
When |
Where |
∙ |
chap |
Bill Chapman x1568 |
pts/6 |
3:11 Tue 17:26 |
picard |
|
∙ |
chap |
Bill Chapman x1568 |
console |
8:39 Mon 14:44 |
:0 |
[root@toad /tmp]#
● showmount -e provides information about the file systems mounted with Network File
System (NFS). Of particular interest to attackers are file systems that are mounted world readable or writable—that is, available to everyone.
∙showmount Example:
∙[root@toad /tmp]# showmount -e some.host.net
∙Export list for some.host.net:
∙/usr export-hosts
∙/usr/local export-hosts
∙/home export-hosts [root@toad /tmp]#
●rpcinfo provides information about the remote procedure call services available on a system. rpcinfo –p gives the ports where these services reside.
rpcinfo Example
[root@toad /tmp]# rpcinfo -p some.host.net
program vers proto |
port |
rpcbind |
||
100000 |
3 |
udp |
111 |
|
100000 |
2 |
udp |
111 |
rpcbind |
100003 |
2 |
udp |
2049 |
nfs |
100024 |
1 |
udp |
774 |
status |
100024 |
1 |
tcp |
776 |
status |
100021 |
1 |
tcp |
782 |
nlockmgr |
100021 |
1 |
udp |
784 |
nlockmgr |
100005 |
1 |
tcp |
1024 |
mountd |
100005 |
1 |
udp |
1025 |
mountd |
391004 |
1 |
tcp |
1025 |
|
391004 |
1 |
udp |
1026 |
rstatd |
100001 |
1 |
udp |
1027 |
|
100001 |
2 |
udp |
1027 |
rstatd |
100008 |
1 |
udp |
1028 |
walld |
100002 |
1 |
udp |
1029 |
rusersd |
100011 |
1 |
udp |
1030 |
rquotad |
100012 |
1 |
udp |
1031 |
sprayd |
100026 |
1 |
udp |
1032 |
bootparam |
These days, most sites block TCP port 79 (finger) at their firewall or filtering router, but it might be a good idea to try this from your home ISP account— get permission first! Again, hopefully
your site blocks TCP/UDP port 111 (portmapper), but this is worth testing as well. In recent years, so-called secure portmappers have become available either from vendors or as an external package developed by Wietse Venema, available from the Coast archive at
ftp://coast.cs.purdue.edu/pub.
Examining Network Traces
In the case of the Mitnick attack, however, none of these ports were blocked and toad.com acquired information that was used in the next phase of the attack. The following quotation is from Tsutomu's post:
We now see 20 connection attempts from apollo.it.luc.edu to x-terminal.shell. The purpose of these attempts is to determine the behavior of x-terminal's TCP sequence number generator. Note that the initial sequence numbers increment by one for each connection, indicating that the SYN packets are not being generated by the system's TCP implementation. This results in RSTs conveniently being generated in response to each unexpected SYN-ACK, so the connection queue on x-terminal does not fill up.
As you examine the following TCPdump trace, note how it is in sets of three packets—a SYN from apollo to x-terminal, a SYN/ACK (step two of the three-way handshake), and a RESET from apollo to x-terminal to keep from SYN flooding x-terminal.
How to Read TCPdump Traces
Timestamp |
Source host.Source Port |
> Dst host.Dst Port: TCP |
|
FLAG(s) |
|
|
> x-terminal.shell: S |
14:18:25.906002 apollo.it.luc.edu.1000 |
|||
SEQ NUM: ACK NUM |
TCP Window Size |
|
|
1382726990:1382726990(0) win 4096 |
|
The following traces begin "flooding" x-terminal. Note that the +++s have been added to
emphasize the packet triplets:
+++
14:18:25.906002 apollo.it.luc.edu.1000 > x-terminal.shell: S 1382726990:1382726990(0) win 4096
14:18:26.094731 x-terminal.shell > apollo.it.luc.edu.1000: S 2021824000:2021824000(0) ack 1382726991 win 4096
14:18:26.172394 apollo.it.luc.edu.1000 > x-terminal.shell: R 1382726991:1382726991(0) win 0
+++
+++
14:18:26.507560 apollo.it.luc.edu.999 > x-terminal.shell: S 1382726991:1382726991(0) win 4096
14:18:26.694691 x-terminal.shell > apollo.it.luc.edu.999: S 2021952000:2021952000(0) ack 1382726992 win 4096
14:18:26.775037 apollo.it.luc.edu.999 > x-terminal.shell: R 1382726992:1382726992(0) win 0
+++
Notice the bolded value in the preceding trace. This is the sequence number if we take the second set of packets and focus on the sequence number in x-ter-minal's SYN/ACK; it is 2021952000. The sequence number in the preceding set's SYN/ACK is 2021824000. If you subtract 2021824000 from 2021952000, the remainder is 128,000. Does this represent any
value? Yes, if it is repeatable. Check one more set of packets:
+++
14:18:27.014050 apollo.it.luc.edu.998 > x-terminal.shell: S
1382726992:1382726992(0) win 4096
14:18:27.174846 x-terminal.shell > apollo.it.luc.edu.998: S 2022080000:2022080000(0) ack 1382726993 win 4096
14:18:27.251840 apollo.it.luc.edu.998 > x-terminal.shell: R 1382726993:1382726993(0) win 0
14:18:27.544069 apollo.it.luc.edu.997 > x-terminal.shell: S 1382726993:1382726993(0) win 4096 "
14:18:27.714932 x-terminal.shell > apollo.it.luc.edu.997: S 2022208000:2022208000(0) ack 1382726994 win 4096
14:18:27.794456 apollo.it.luc.edu.997 > x-terminal.shell: R 1382726994:1382726994(0) win 0
Again, 2022208000 – 2022080000 = 128,000. So it is repeatable, or perhaps a better word is predictable. We know that anytime we send a SYN to x-terminal, the SYN/ACK will come back 128,000 or higher, as long as it is the next connection. With the ability to silence one side of the TCP connection and trust relationship and the ability to determine what the sequence number will be, we are almost ready to take over the trust relationship and the connection.
shows the basic approach.
Figure 15.2. Ready for the kill.
Setting Up the System Compromise?
How can this attack on a trust relationship be possible? Surely the computers would notice that the attacker has the wrong IP address. Well, the IP address is spoofed, so there would be no chance of seeing that. The time-to-live (TTL) might be a bit odd, but that is in the IP layer, and all the work is occurring at the TCP layer. The route to the system changes, so potentially it would be possible to detect something is wrong at some point in the route. However, no one is using IP options like record route, so this would never be detected. Instead, the primary focus is the sequence number. If you send a packet with the wrong sequence number, the other side sends a RESET and breaks off the connection. This is why it mattered that in the Mitnick attack, x-terminal had a predictable sequence number. So, now we can silence one party (server) and make the other party (x-terminal) believe we are that party (server). What happens next? Again, we return to Tsutomu's post:
We now see a forged SYN (connection request), allegedly from server.login to x-terminal.shell. The assumption is that x-terminal probably trusts server, so x-terminal will do whatever server (or anything masquerading as server) asks. x-terminal then replies to server with a SYN-ACK, which must be ACK'd in order for the connection to be opened. As server is ignoring packets sent to server.login, the ACK must be forged as well.
Normally, the sequence number from the SYN/ACK is required to generate a valid ACK. However, the attacker can predict the sequence number contained in the SYN/ACK based on the known behavior of x-terminal's TCP sequence number generator, and therefore can ACK the SYN/ACK without seeing it.
You can see this in the section below. In the first line x-terminal is stimu-lated by server to open the connection. Server never sees the SYN/ACK so that is why it is missing from the trace. However, he knows to add 128,000 plus 1 to the initial sequence number that x-terminal
proposed when sending the SYN/ACK. After the lone ACK, the connection is open.
14:18:36.245045 server.login > x-terminal.shell: S 1382727010:1382727010(0) win 4096
14:18:36.755522 server.login > x-terminal.shell: . ack 2024384001 win 4096
Here, Mitnick exploits the trust relationship between x-terminal and server. The SYN packet is sent with a spoofed source address. The attacker sends this packet blindly; there is no way for the attacker to see the reply (short of a snif-fer planted on x-terminal or server's network).
Because Mitnick has used a fake source address, that of server, the SYN/ACK is sent to server. Server knows that it never sent a SYN packet, a request to open a connection. The proper response for server is to send a RESET and break off the connection. However, that isn't going to happen. As shown here, 14 seconds before the main part of the attack, the server's
connection queue for the login port is filled with a SYN flood. The server cannot speak.
14:18:22.516699 130.92.6.97.600 > server.login: S 1382726960:1382726960(0) win 4096
14:18:22.566069 130.92.6.97.601 > server.login: S 1382726961:1382726961(0) win 4096
14:18:22.744477 130.92.6.97.602 > server.login: S 1382726962:1382726962(0) win 4096
14:18:22.830111 130.92.6.97.603 > server.login: S 1382726963:1382726963(0) win 4096
14:18:22.886128 130.92.6.97.604 > server.login: S 1382726964:1382726964(0) win 4096
14:18:22.943514 130.92.6.97.605 > server.login: S 1382726965:1382726965(0) win 4096
The r-Utilities
You would think that both telnet and r-utilities would have been completely replaced by a secure shell by now, but this simply is not the case. Both are still in wide use. The login service is also known as rlogin, and shell as rshell. These remote "convenience services" allow access to systems without a pesky password, which can get old if you have to enter it often. On UNIX computers, you can generally create a trust relationship for all users except root, or super user, by adding the trusted system and possibly the trusted account in a file called /etc/hosts.equiv. A root trusted relationship requires a file called /.rhosts. The r-utilities are obsolete and should not be used anymore; the secure shell service is a far wiser choice because it is harder for the attacker to exploit. In either the /hosts.equiv or the /.rhosts file, the plus sign (+) has a special meaning, that of the wildcard. For instance, a /.rhosts file with a "+ +" means to trust all computers and all users on those computers.
With the real server disabled by the SYN flood, the trusted connection is used to execute the following UNIX command with rshell: rsh x-terminal "echo + + >>/.rhosts". The result of this causes x-terminal to trust, as root, all computers and all users on these computers (as already discussed). That trace is as follows: