New User Special Price Expires in

Let's log you in.

Sign in with Facebook


Don't have a StudySoup account? Create one here!


Create a StudySoup account

Be part of our community, it's free to join!

Sign up with Facebook


Create your account
By creating an account you agree to StudySoup's terms and conditions and privacy policy

Already have a StudySoup account? Login here

Network Security

by: Theodora Daniel I

Network Security CSE 5636

Theodora Daniel I
Florida Tech
GPA 3.9

Gerald Marin

Almost Ready


These notes were just uploaded, and will be ready to view shortly.

Purchase these notes here, or revisit this page.

Either way, we'll remind you when they're ready :)

Preview These Notes for FREE

Get a free preview of these Notes, just enter your email below.

Unlock Preview
Unlock Preview

Preview these materials now for free

Why put in your email? Get access to more of this material and other relevant free materials for your school

View Preview

About this Document

Gerald Marin
Class Notes
25 ?




Popular in Course

Popular in ComputerScienence

This 122 page Class Notes was uploaded by Theodora Daniel I on Monday October 12, 2015. The Class Notes belongs to CSE 5636 at Florida Institute of Technology taught by Gerald Marin in Fall. Since its upload, it has received 45 views. For similar materials see /class/221679/cse-5636-florida-institute-of-technology in ComputerScienence at Florida Institute of Technology.

Similar to CSE 5636 at Florida Tech

Popular in ComputerScienence


Reviews for Network Security


Report this Material


What is Karma?


Karma is the currency of StudySoup.

You can buy or earn more Karma at anytime and redeem it for class notes, study guides, flashcards, and more!

Date Created: 10/12/15
Traffic Analysis Dr39 G A Mar39in Traffic Analysis 31 Packe r Dissec rion wi rh TCPDUMP CI TCPDUMP gives mos r informa rion and thereal also buf somefimes you wanf To look of The Hex dafa direcfly 0 Example in Chap rer 7 sides rep program CI Basics 0 Need righ r forma rs IP TCP ICMP e rc 0 Use rcpdump X To ob rain Hex or E rhereal 0 E rherne r header usually appears as firs r 14 by res in E rhereal Ou rpu r 0 E rherne r header mus r be reques red from rcpdump wi rh e flag Traffic Analysis 32 39 Two bytes 00 00quot have 3 biTs for frag One by re 80quot 128 TTL 39 One by re 01quot 39 Two by res 5d d8quot for checksum 39 32 bi rs co a8 00 64quot 1921680100 for source address 39 32 bi rs 84 aa 6c 8cquot 132170108140 for desTinaTion address 39 Then ICMP Type 8 and Code p READ TEXT CHAPTER 7 FOR OTHER EXAMPLES AND S Em Capluve Display Tunis on so 15 06 9c Fe on 02 2a 4a 3 27 as 00 4s 00 00 3c 2a as on on so 01 5a as O as 00 e4 54 aa 02 on 61 a2 a a4 65 as 1 67 7o 71 72 7 74 75 76 g as 69 wabcde 6c ac as no 45 5c a 39 39 39 39 39 67 as 69 ea 6b 6c 6d 62 77 e1 a2 a 64 as ea 67 Eli 55352355 Fg m 39 FirsT six by res afTer line number are desTinaTion mac 39 Nex r six bytes are source mac 39 The 15 byTe begins IP header 45 Type 4 and header length 20 by res 39 IP header described in rfc 791 39 Nex r byTe 00quot is ToS 39 Nex r Two by res 003c is Total length 60 39 Two by res 2a a6quot 10918 for packet ID flags and 13 biTs for offset ICMP for proTocol 0 implies echo requesT ing UGGESTIONS A R2521 Appiylme ltcapluvegt Dvups n NIDS Inser rion A r rack El Idea Inser39f an extra packe r NIDS receives bu r far39ge r does no r ro confuse pa r rer39nma rching algor39i rhms on The IDS 0 Do if in such a way Tha r The Tar ge r hos r won39f see The ex rr39a packe rs El Good example in rex r Suppose hacker39 has es rablished a backdoor accoun r REWT on far ge r machine IDS sys rem knows To look for39 affemp red login ro REWT on por39f 23 relne r El Bu r hacker39 sends R in cor39r39ec rly for39ma r red packe r followed by O wi rh invalid TCP checksum This accep red b IDS and no r by far ge r hos r Hacker39 rhen follows wi rh EWT which IDS does no r defec r because ROEWT is ok Bu r hos r sees a connec rion r ro REWT Traffic Analysis 34 NIDS Evasion A r rack CI Same idea bu r inser r an ex rra packe r Tha r Targe r hos r sees bu r NIDS does no r CI For example if is possible To include da ra in The opening SYN packe r Nids migh r no r be programmed To accept i r Des rina rion hos r does CI In This case send R in SYN and EWT in firs r da ra packe r Traffic Analysis 35 InTerpreTing IP Header Fields CI Version number should be 4 or 6 CI PackeT should be silenle discardedquot RFC 1121 if invalid O Hacker won39T learn anyThing by sending anoTher value unless rouTer NIDS or TargeT does noT comply wiTh RFC 0 If one can deTermine ThaT NIDS forwards These To desTinaTion Then inserTion aTTack can use This Technique Traffic Analysis 36 Pro rocol Number CI Lis r available a r CI La rer39 we will cover39 use of nmap sO op rion CI No re Tha r nmap assumes pr39o rocol is lis rening if if does no r receive an ICMP pr39o rocol unreachable O Fir39ewall may block This Traffic Analysis 37 DF Flag El We39ve covered The funcTion El You may see parTicular TCPIP sTacks sending quotdiscoveryquot frames wiTh DF flag seT To new desTinaTion To Try To deTermine MTU along paTh El Some sTacks seT DF on parTicular packeTs and nmap uses This as a Technique for idenTifying operaTing sysTems El If packeT arrives aT a NIDS from a neTwork wiTh a larger MTU Then DF flag may prevenT NIDS from forwarding To TargeT hosT This Technique can be used for an inserTion aTTack Traffic Analysis 38 MFFMg CI We39ve covered the function CI One fingerprinting Technique is to send an incomplete fragmentation to a listening port CI Receipt of first fragment sets a timer Will eventually time out if no final packet is received CI Timeout response may characterize the stack Traffic Analysis 39 IP Address Considerations El An internal address entering your network from an external interface is probably spoofed Firewall should block El Should not see packets with private addresses arriving from outside the network CI The Internet Assigned Numbers Authority IANA has reserved the following three blocks of the IP address space for private internets 10000 10255255255 108 prefix 1721600 172312552551721612 prefix 19216800 192168255255 19216816 prefix We will refer to the first block as quot24bit blockquot the second as quot20bit blockquot and to the third as quot16 bitquot block Note that in preCIDR notation the first block is nothing but a single class A network number while the second block is a set of 16 contiguous class B network numbers and third block is a set of 256 contiguous class C network numbers Traffic Ana39YsiS 310 IP ID Number CI New number is genera red for each da ragram sen r 0 Usually i ncremen red by 1 bu r may be 254 0 Should wrap a r 65535 El If one observes packe rs from seemingly unrela red sources fha r are following a s randard incremen r procedure across The differen r sources This may be a sign of spoofing CI A s rring of packe rs wi rh iden rical ID also sugges rs an affack Traffic Analysis 311 Time To Live CI IniTial values depend on The TCPIP sTack used Values given in Tebeook CI InTeresTing To esTimaTe wheTher a suspicious looking packeT seems To be coming from righT disTance 0 EsTimaTe sTarTing value wiTh Table 81 and Then geT your own esTimaTe of hops wiTh TracerouTe CI Many differenT sources arriving wiTh same TTL value may be a sign of an aTTack CI Some Tools randomize TTL CI NOTE Read The TTLampIP ID case sTudy Traffic Analysis 312 Embedded Profocol Headers TCP CI Por rs 0 Two 16bi r fields ranging 165535 CI In a scan The source por r may incremen r regularly like by 1 Desfinafion por r may be randomized irregular 0 If see many SYNs wi rh cons ran r source por r This is also likely To be a scan nmap CI No re Tha r scans To por r O are immedia rely suspicious and likely To be looking for rese rs To defermine if hos r alive a r Traffic Analysis 313 TCP and UDP Checksums CI Compu red including The pseudoheader Tcp or UDP header plus da ra 0 No re pseudoheader in Figure 91 Source and desTinaTion IP 1 byTe zero pad 1 byTe proTocol field 2 byTes TCP lengTh TCP header plus daTa 0 Uses same 1s complemen r ari rhme ric as IP header on 16bit fields and includes pseudo header May caTch an IP desTinaTion address corrup rion ThaT occurs wiThin a rouTer Traffic Analysis 314 TCP Sequence Numbers CI Repr39esen r The fir39s r by re of da ra in a TCP segmen r excep r when zer39o by res wi rh ini rial sequence number39 CI Nmap a r remp rs To use for39 OS finger39pr39in ring s rar39Ting number39s incr39emen rs e rc 0 Newer39 05 versions rend To use random numbers 0 Recall Tha r guessing seq no needed for39 session hijacking Traffic Analysis 315 Acknowledgemen r numbers CI Have covered The func rion CI Value of zero wi rh flag se r is ex rremely unlikely 0 Ack flag se r and zero number may imply an nmap scan CI Ack flag se r may genera re a rese r from The hos r indica ring hos r is alive 0 Ge rs pas r rou rer fil rering because if looks like Traffic from ongoing TCP connec rion Traffic Analysis 316 TCP Flags CI We39ve covered The func rion CI Various mu ran r combina rions are used for fingerprin ring opera ring sys rems CI Packe rs some rimes ge r corrup red so an ou r of spec packe r does no r NECESSARILY imply an a r rack 0 Vern Paxson labels as crud The innocuous implementation errorsquot Tha r crea re Traffic pa r rern pa rhologies similar To genuine a r racks Traffic Analysis 317 TCP Conges rion Con rr39ol CI endend con rr39ol no neTwork assis rance CI Transmission raTe limiTed by congesTion window size Congwin over39 segmenTs sendbase nexfseqnum already usablelnof i i ack ed ye r serif lllllllllll li illi lasagna Congwin 5 El w segmen rs each wi rh MSS by res sen r in one RTT w M55 Throughpu r RT T By ressec Traffic Analysis 318 TCP congesTion conTrol El probing for usable bandwidTh o ideally TransmiT as fasT as possible Congwin as large as possible wiThouT loss 0 increase Congwin unTil loss congesTion 0 loss decrease Congwin Then begin probing increasing again El Two phases 0 slow sTarT exponenTial increase 0 congesTion avoidance hnearincrease On TimeouT Threshold seT To half congwin and congwin seT To 1 M55 imporTanT variables 0 Congwin 0 threshold defines Threshold beTween Two slow sTarT phases Traffic Analysis 319 TCP Slowstart 39Slowstart algorithm initialize Congwin 1 for each segment ACKed Congwin until loss event OR CongWin gt threshold fourse ments CI exponential increase per RTT in window size not so slow time CI loss event timeout Tahoe TCP andor or three duplicate ACKs Reno TCP Traffic Analysis 320 TCP Congestion Avoidance Congestion avoidance slowstart is over Congwin gt threshold Until loss event every w segments ACKed Congwin threshold Congwin2 Congwin 1 perform slowstart1 1 TCP Reno skips slowstart fast recovery after three duplicate ACKs Congestion window in segments 13 t p AN ll 10 HNwlhuwmm threshold threshold l ll 01234567 891011121314 Number of transmissions Traffic Analysis 321 ECN Flag Bi rs El Top rwo bi rs of TCP flag by re have been reserved bu r RFC 3168 defines Them for use in suppor ring ECN 0 Use is es rablished in 3way handshake El If a rou rer along The pa rh se rs ECN bi rs low order in T05 field of IP header rhen receiver se rs ECNecho bi r in TCP flag by re El Sender no res rhe ECNecho bi r se r and halves i rs curren r window size plus se rs Conges rion Window Reduced bi r El Danger rha r exis ring NIDs will begin To alarm on This new use of ECN header bi rs Traffic Analysis 3 22 TCP segmen r s rruc rure URG urgenT daTa generally noT used 32 biTs source por r I des r por r counTing ACK ACK sequence number by byTes of daTa valid angwledgemen r number noT segments PSH push daTa now generally noT used head no r sed P RS F Receive window sum Urg daTa pnTer byTes rcvr willing C RST st FINz op connecTion esTab W variable lengTh To accepT seTup Teardown commands InTerneT checksum as in UDP applica rion daTa variable lengTh Traffic Analysis 323 IP datagram format IP prOTOCOI Jami 32 biTS total datagram header length Type of length bytes bY63 er service lenglh for Type of dam 16bit identifier flgsl fragmem fragmentation max number Time To upper Imem reassembly remaining hops Iive layer Checksum decremented at each router 32 bit source IP address upper layer protocol 32 bit destination IP address to deliver payload to Options if any Eg timestamp or UDP data variable length typically a TCP segment record route taken specify list of routers to visit Traffic Analysis 324 OS Fingerprinting Example CI Ver39bo47322gtwin98ne rbiosssn SFP 861966446861066446O win 3072 urg O ltwscale 10nopmss 265 rimes ramp 1061109567Tcpgt CI win98neTbiosssngt Ver39bo47322 S 4990415049904150O ack 861966447 win 8215 ltmss 1460gt DF 0 Windows 98 responds wi rh Syn Ack even Though Syn reques r packe r was mu ran r CI Other examples in Tex r Traffic Analysis 325 Hos rile Re rr39ansmissions 171418726864111162555 gt19216844633128 s 20583734205837340 win 8192 ltmss 1380gt DF TTI 17 id 15697 171421z781140 111162555 gt19216844633128 s 2058373420583734O win 8192 ltmss 1380gt DF TTI 17 id 33873 171427776662 111162555 gt19216844633128 s 20583734205837340 win 8192 ltmss 1380gt DF TTI 17 id 46113 171439z775929 111162555 gt19216844633128 s 2058373420583734O win 8192 ltmss 1380gt DF TTI 17 id 54353 Looks like mulTiple aTTemst To connecT To a desTinaTion hosT SYNs Id39s seem To change appr39opr39iaTely for39 normal r39eTr39y ls rZnd aTTempT separ39aTed by 3 seconds 2nd 3rd aTTempT separ39aTed by 6 seconds 3rd 4 rh aTTempT separ39aTed by 12 seconds Looks ok Sour39ce por39T sTays The same TCP sequence number39 does noT change THIS IS NORMAL behavior for39 r39eTr39ies when desTinaTion does noT r39espond Traffic Analysis 326 Nif ry Defense LaBrea Tar Pi r El LaBrea is ins ralled on a local hos r and lis rens for for ARP reques rs from a rou rer fha r may have been hi r by a scan for ac rive IP addresses El If no hos r genera res an ARP response wi rhi n seconds LaBrea hos r fakes a response ARP reply El If a SYN follows LaBrea hos r fakes a SYNACK response 0 Scanning hosf now complefes handshake and begins sending dafa o LaBrea hosf never responds wifh an ACK To senf dafa 0 Scanning hosf is sfuck in The far pifquot unfil if Times OUT of all refransmission affempfs El Can be cri rical in delaying worm propaga rion El Code a r wwwhackbus rersne r Traffic Analysis 327 RFC 1122 section 41 The User Datagram Protocol offers only a minimal transport service nonguaranteed datagram delivery and gives applications direct access to the datagram service of the 1P layer UDP is used by applications that do not require the level of service of TCP or that wish to use communications services eg multicast or broadcast delivery not available from TCP UDP is almost a null protocol the only services it provides over IP are checksumming of data and multiplexing by port number Therefore an application program running over UDP must deal directly with endto end communication problems that a connectionoriented protocol would have handled eg retransmission for reliable delivery packetization and reassembly ow control congestion avoidance etc when these are required The fairly complex coupling betweean and TCP will be mirrored in the coupling between UDP and many applications using UDP Traffic Analysis 328 UDP Forma r Frame MAC header UDP header Data eader UDP header Source port 16 biTs Destination port 16 biTs Length 16 biTs Includes header daTa Header 8 byTes Checksum 16 biTs Traffic Analysis 329 Use of UDP Por rs CI Normal use does no r include por r 0 CI Valid range is 1To 65535 El Source hos r ini ria res wi rh a por r grea rer Than 1023 El Unlike TCP UDP does no r respond To ini rial connec rion 0 If hos r is alive however UDP will respond wi rh ICMP por r unreachable if por r is no r lis rening 0 Absence of por r unreachablequot means lis rening Traffic Analysis 330 Analyze This whatsupnet24997 gt dnsmyp1acecomsunrpc S 236871886123687188610 win 512 ltmss 1460gt whatsupnet25002 gt dnsmyplacecom139 S 4ee730257o406730257e0 win 512 ltmss 1460gt whatsupnet2575 gt dnsmyplacecomftp S 13687142891368714289 win 512 ltmss 1460gt dnsmyplacecomftp gt whatsupnet2575 R 000 ack 1368714290 win 0 OF whatsupnet25177 gt dnsmyp1acecom1114 S 323117548732311754870 win 512 ltmss 1460gt whatsupnet25189 gt dnsmyplacecomtcpmux S 3681463563681463560 win 512 ltmss 1460gt whatsupnet25118 gt dnsmyplacecom22 S 203582435620358243560 win 512 ltmss 1460gt Traffic Analysis 331 Resul rs CI Syn connec rion a r remp rs To various por rs on dnsmyplacecom CI Rese r from f rp only Perhaps o rher responses blocked by a firewall CI ther Than rese r no response from The firewall 0 Does no r appear DNS server was compromised Traffic Analysis 332 Ne rbus Trojan CI Looks for windows hos rs isTening on por r 12345 El Trojan aows remo re access and con rrol of a Windows hos r Through por r 12345 El Nex r page shows an excerp r of ac rual scan CI Scan hi r 65000 addresses in a class B ne rwork CI Only one hos r responded Turned ou r no r To be infec red Traffic Analysis 333 Ne rbus Scan bigscannet1737 gt 192168 ltmss 138sack0Ktimestamp bigscannet1739 gt 192168 ltmss 138sack0Ktimestamp bigscannet1741 gt 192168 ltmss 13803ack0Ktimestamp bigscannet1743 gt 192168 ltmss 1380sack0Ktimestamp bigscannet1745 gt 192168 ltmss 1380sack0Ktimestamp bigscannet1747 gt 192168 ltmss 138sack0Ktimestamp bigscannet1749 gt 192168 ltmss 1380sack0Ktimestamp 7 012345 5 229979433222997948320 win 32120 120377100tcpgt DF 72 12345 s 2299202490z229920249010 win 32120 120377100tcpgt DF 7412345 S 229316375022931637500 win 32120 120377100tcpgt DF 7612345 S 229852465122985246510 win 32120 120377100tcpgt DF 7812345 s 229713191722971319170 win 32120 120377100tcpgt DF 71012345 S 229175074322917507430 win 32120 120377100tcpgt DF 71212345 3 2287868521 22878685210 win 32120 120377100tcp1gt DF Traffic Analysis 334 Useful Linux Commands El netstat show network status SYNOPSIS netstat Aan f addressfam39M M core N system netstat bdghimnrs f addressfam39M M core N system netstat bdn inteface M core N system w wail netstat p protoco M core N system DESCRIPTION The netstat command symbolically displays the contents of various networkrelated data structures There are a number of output formats de pending on the options for the information presented The first form of the command displays a list of active sockets for each protocol The second form presents the contents of one of the other network data structures according to the option selected Using the third form with a waitinterval specified netstat will continuously display the informa tion regarding packet traffic on the configured network interfaces The fourth form displays statistics about the pgmeglysis HS protocol Fuser porttcp NAME fuser identify processes using a file or file structure SYNOPSIS fuserltclflkqu 763 H61 flkqu 763 DESCRIPTION fuseroutputs the process IDs of the processes that are using the fYes specified as arguments Each process ID is followed by one of these letter codes which identify how the process is using the file If Me has the form por proz ocolor hosz namep0r pr02 000 and names no file or directory fuserlists all processes using sockets bound or connected to the specified port This provides a process number that can be resolved with p5 command Traffic Analysis 336 For windows CI NeTsTaT usually works CI fporT reporTs all open TCPIP and UDP porTs and maps Them To The owning applicaTion wwwsecuriTyfocuscom This is The same informaTion you would see using The 39neTsTaT an39 command buT iT also maps Those porTs To running processes wiTh The PID process name and paTh FporT can be used To quickly idenTify unknown open porTs and Their associaTed applicaTions Usage CgtfporT FPorT v20 TCPIP Process To PorT Mapper CopyrighT 2000 by FoundsTone Inc hTTpwwwfoundsTonecom Traffic Analysis 337 Pid Process 392 svchost 8 System 8 System 508 MSTask 392 svchost 8 System 8 System 8 System 224 Isass 212 services Port Proto Path gt 135 TCP CWINNTsystem32svchostexe gt 139 TCP gt 445 TCP gt 1025 TCP CWINNTsystem32MSTaskexe gt 135 UDP CWINNTsystem32svchostexe gt 137 UDP gt 138 UDP gt 445 UDP gt 500 UDP CWINNTsystem32lsassexe gt 1026 UDP CWINNTsystem32servicesexe The program contains five 5 switches The switches may be utilized using either a 3939 or a 3939 preceding the switch The switches are Usage usage help p sort by port a sort by application i sort by pid ap sort by application path Traffic Analysis 338 Analyze 120112150572 doscom gt 1921681330z frag 5405014804440 120117560572 doscom gt 19216813302 frag 54051480296 120117570572 doscom gt 1921681330 frag 5405014804440 120122200572 doscom gt 1921681330 frag 5405014801480 120122210572 doscom gt 192168133 frag 5465014802960 120122220572 doscom gt 1921681330 frag 54514804440 120122230572 doscom gt 1921681330 frag 5405014805920 120127240572 doscom gt 1921681330 frag 540514802960 120127250572 doscom gt 1921681330z frag 5405014805920 120137230572 doscom gt 1921681330z frag 5405014801480 120137240572 doscom gt 1921681330z frag 54650148296 1213724572 doscom gt 192168133 frag 540501480444 120137250572 doscom gt 192168133 frag 5405014805920 120142300572 doscom gt 1921681330 frag 5405014801480 Traffic Analysis 339 Results CI Fragments closely spaced in time excerpt from large dataset CI No beginning fragment seen none was found so a firewall probably blocked initial fragment CI Repeated fragments for fragments in same fragment train CI No final fragment CI DoS attack against the router at 1921681330 Traffic Analysis 340 Analyze 122948230000 43211649 gt 17216541713128 s 977969797796978 win 8192 ltmss 1468gt DF ttl 19 id 9872 122958878668 43211849 gt 17216541713128 s 977969797796978 win 8192 ltmss 1468gt DF ttl 19 id 29552 12 38 18968888 43211649 gt 17216541713128 s 97796979779697o win 8192 ltmss 1460gt DF ttl 19 id 39792 124454966986 12343243 gt 172161872123128 s 3563383498563383498 win 8192 ltmss 1468gt DF 111 19 id 962 124457938888 12 343243 gt 172 16187 2123128 3 3563383493563383498 win 8192 ltmss 1468gt 0F ttl 19 id 11714 124593930686 12343243 gt 172161872123128 s 3563303493563303490 win 8192 ltmss 1468gt DF ttl 19 id 22466 12 4515930000 12343249 gt 172161872123128 s 3563303493563303490 win 8192 ltmss 1460gt DF ttl 19 id 33218 124613070000 11112262 gt17216991103128 S 20315949203159490 win 8192 ltmss 146nopnopsack0Kgt DF ttl 116 id 35676 12461608a000 11112262 gt 17216991103128 S 2031594920315949 win 8192 ltmss 1460nopnopsack0Kgt DF ttl 116 id 46428 124622070000 11112262 gt 17216991103128 S 2e31594923159490 win 8192 ltmss 146nopnopsack0Kgt DF ttl 116 id 57180 12463408000011112262 gt17216991103128 S 2031594920315949 win 8192 ltmss 1460nopnopsack0Kgt DF ttl 116 id 2397 Traffic Analysis 341 Resul rs wi rh vv El Thr39ee differ39en r source Ip39s affemp rin connec rions To Three differ39en r infer39na des rina rion IP39s El Source por39fs and seq number39s don39f change implies r39e rr39ies o Desfinafion is squid web proxy server 3128 El Spoofed o Can39f fell from IP ID incr39emen rs Too far39 apar39f in Time 0 Refries on differ39en r infer39vals o TCP op rions no r iden rical o Probably no r spoofed o TTL analysis showed mosf had Tr39acer39ou re hop counf cr39edibly close To indicafed hop coun r El Traffic fr39om Trojan called RingZer39o Traffic Analysis 342 Wri ring TCPdump Fil rers El General forma r o ltproTocol headergtoffseTlengTh ltrelaTiongt ltvaluegt El Example rcpdump ip9 139 will selec r all IP packe rs Tha r have pro rocol number 1 ICMP a r by re 9 of IP header Begin coun ring wi rh by re O 0 Single quoTe keeps UNIX shell from Trying To inTerpreT The filTer El You can also crea re a file such as rmpfil rer and pu r ip9 1 in if 0 Then enTer Tcpdump F TmpfilTer El No re Tha r ip124 specifies ip source address 0 DefaulT lengTh is 1 by re so ip1221 is ip12 Traffic Analysis 343 IP datagram format IP prOTOCOI Jami 32 biTS total datagram header length Type of length bytes bY63 er service lenglh for Type of dam 16bit identifier flgsl fragmem fragmentation max number Time To upper Imem reassembly remaining hops Iive layer Checksum decremented at each router 32 bit source IP address upper layer protocol 32 bit destination IP address to deliver payload to Options if any Eg timestamp or UDP data variable length typically a TCP segment record route taken specify list of routers to visit Traffic Analysis 3 44 TCP segmen r s rruc rure URG urgenT daTa generally noT used 32 biTs source por r I des r por r counTing ACK ACK sequence number by byTes of daTa valid angwledgemen r number noT segments PSH push daTa now generally noT used head no r sed P RS F Receive window sum Urg daTa pnTer byTes rcvr willing C RST st FINz op connecTion esTab W variable lengTh To accepT seTup Teardown commands InTerneT checksum as in UDP applica rion daTa variable lengTh Traffic Analysis 345 BiT Mask CI If you need To obTain values for fewer Than 8 biTs byTe you can amp wiTh biT mask 0 Example ipO amp OxOf will zero ouT The firsT 4 biTs of byTe O The IP version and yield The IP headerlengTh 0 Thus ipO amp OxOf 539 will selecT all daTagrams in which header lengTh is 5 32biT words or 20 byTes O ipO Sl OxOf gt 539 will selecT all daTagrams having IP opTions Traffic Analysis 3 46 Fil rer Examples CI Ca rch all packe rs T0 br39oadcas r address of 0 or 255 0 ip19 0x00 or39 ip19 Oxff39 0 Al rer39na rively ip19 O or39 ip19 25539 decimal 1 NOT sr39c ne r 192168 and ip19 0x00 0r39 ip19 Oxff will ca rch all br39oadcas r packe rs excep r Those fr39om 19216800 ne rwor39k 0 NOT is nega rion operator 0 Sr39c is a macro indica ring rr39affic fr39om specified source 0 Ne r is a macro indica ring subne r Traffic Analysis 347 Fil rer Examples confinued CI To specify Tha r more flagquot is se r so fragmen ra rion used wr39i re ei rher39 39Ip6 amp 0x20 l 039 or39 ip6 amp 0x20 3239 because ByTe 6 00mf00000 and mask will be 00100000 Cl Also 39udp and ds r por39f 31337 will r39e rr39ieve UDP packe rs wi rh des rina rion por39f 31337 0 has pointers on which por rs To examine CI If you need a range of values you mus r use The offse r no ra rion 0 udp22 gt 3300 and udp22 lt 34000 will find UDP packe rs for39 which des rina rion por r is in The specified range Traffic Analysis 348 Try These CI Defec r echo r39eply CI Defec r The r39ou rer39 r39eply des rina rion por39T unreachablequot 0 Use nex r slide Traffic Analysis 349 ICMP Internet Control Messaqe Protocol CI Note ICMP is often used for mapping used by hosts routers gatewa s to communication networ eve information 0 error reporting unreachable host network port protocol 0 echo reques r reply used by ping networklayer quotabovequot IP 0 ICMP msgs carried in IP datagrams More at wwwianaorgassignme ntsicmpparame rers Type Code description LOOOOOOOOOOOOO OVCDWM OO 00000 echo reply ping dest network unreachable dest host unreachable dest protocol unreachable dest port unreachable dest network unknown dest host unknown source quench congestion control not used echo request ping route advertisement router discovery TTL expired bad lP header Traffic Analysis 350 Answers CI An echo reply is ICMP Type 0 code 0 o icmp0 O and icmp1 0 CI Des rino rion por39T unreachable is Type 3 code 3 o icmp0 3 and icmp1 3 Traffic Analysis 351 TCP examples 13 rh byTe offset Resved ur39g ack psh r39sT syn fin CI Only SYN flag is se r Traffic Analysis 352 TCP examples 13 rh byTe offset Resved ur39g ack psh r39sT syn fin CI Only SYN flag is se r rcp13 amp Oxff 2 Or39 rcp13 2 because exac r numeric value Traffic Analysis 353 TCP examples 13 rh byTe offset Resved ur39g ack psh r39sT syn fin CI Bo rh SYN and FIN flags se r Traffic Analysis 354 TCP examples 13 rh byTe offset Resved ur39g ack psh r39sT syn fin CI Bo rh SYN and FIN flags se r Tcp13 3 NoTe you musT be cer39Tain ThaT The reserved biTs ar39e noT being used WhaT if you are noT Tcp13 amp Ox3f 3 Traffic Analysis 355 TCP examples 13 rh byTe offset Resved ur39g ack psh r39sT syn fin CI Ack flag se r bu r ack field is zero Traffic Analysis 356 TCP examples 13 rh byTe offseT Resved ur39g ack psh r39sT syn f i n CI Ack flag se r bu r ack field is zero Tcp13 amp Ox1016 and Tcp84 0 NoTe This cafches cer39Tain NMAP fingerprinfing scans Traffic Analysis 357 Look for39 legi rima re syn packe rs car39r39yinq da ra CI Firs r syn flag alone is se r rcp13 2 El Second ro ral leng rh of ip da ragr39am in by res ip22 El Third ip header leng rh in by res ip0amp0x0f4 Mul riply ro conver r from 4by re words To by res El Four rh TCP header leng rh in by res rcp12amp0xf04 mus r be divided by 16 because 4 bi rs are in upper39 nibble and Then mul riplied by 4 To conver r from words To bi rs ne r is divide by 4 El ReSul r rcp13 2 and ip22 ip0amp0x0f4 rcp12amp0xf04 I 0 Traffic Analysis 358 SNORT CI Mar39fy Roesch Sour39cefir39e developed SNORT 1998 To be a NIDS fha r 0 Works on mul riple opera ring sys rems 0 Includes a hex dump 0 Displays all ne rwor39k packe rs in same for39ma r 0 Includes flexible fil rer39 r39ules CI Now includes 75000 lines of code CI Suppor39fs Linux Fr39eeBSD Ne rBSD OpenBSD Windows Spar39c Solar39is Traffic Analysis 359 Snor r Archi rec rure El Packe r Sniffer El Preprocessor o IdenTifies packeT Types does iniTial screening 0 Preprocessor plugins can be added and deleTed El De rec rion Engine 0 Takes da ra from preprocessor and checks agains r rule seT 0 Rules updaTed frequenle by communi ry aT large and can be downloaded 0 Grouped Trojans Buffer Overflows Applica rion specific El Aler ring and Logging 0 Log files Transmi r red Windows Popups Da rabases Traffic Analysis 360 Output Description Viewer URL SnortSnarf wwwsilicondefensecom softwaresnortsnarf Snortplotphp www5nortorgdlcontrib dataianalysissnortplotpi Swatch httpswatchsourceforgehet AClD httpacidlabsourceforgenet Demarc wwwdemarccom Razorback wwwintersectalliancecom projectsRazorBackindexhtml Incidentpl Loghog httpsourceforgehet projectsloghog wwwcsefaueduvaankar incident A Snort analyzer by Silicon Defense used for diagnostics The output is in HTML A Perl script that will graphically plot your attacks A real time syslog monitor that also provides real time alerts via eema39 The Analysis Console for Intrusion Databases Provides logging analysis for Snort Requires PHP Apache and the Snort database plugain Since this information is usur ally sensitive it is strongly recommended that you encrypt this information by using modissl with Apache or ApacheSSL A commercial application that provides an interface similar to ACID39s It also requires Perl and it is also strongly recom mended that you encrypt the Demarc sessions as well A GNOMEXHbased real time log analysis program for In A Perl script used for creating incident reports from a Snort log ile A proactive Snort log analyzer that takes the output and can email alerts or block traffic by configuring IPTables rules Some of the available addons Traffic Analysis 361 Em mew Favantes feats Hep ark 9 g a aseareh grammes Mema 15 a a E 1 ma Lu m vglev Ln agsearehWeh er searehsre t 04 omens x We cume Lug In t create an Accnun t we r eeheeknneraaasu 39 pmaueeabsske El manEY ehh ma Snort 20 Intrusion Detection yMyCamDutev H t 2 0 110139 Intrusitm I39lclecliun v awommem onwde customer We e susmrt rasreercehtehts Samg echagtev Qur P ce 4995 523 Page features make rt ahe af the fastest gmwmg IDS wrthm earparate IT departments the th t m A Whtte by a member DfSnDrt arg Readers Wm reeewe vamahte msrght ta the Dude base af Smart and rheuepth tutahats nfcnmmex mstaHatmn Enn guratmn aha trauhteshaatmg seehahas Explure Snurt39s Features Master the three eare features that make Smart sa pawerfm packet smf ng packet Dggmg aha mtmsmn detecter m tamer Image t to theme Basic SNORT Sniffing Snor r dev v pu r snor r in packe r sniffing mode d include IP TCP UDP ICMP headers e include dafa link layer headers Formaf of ou rpu r similar To Tcpdump date time sourcehw address gt dest hw address type length sourceipaddressport gt destination ip addressport protocol TTL TOS ID IPlength datagram length payload length hex dump ASCII dump Traffic Analysis 363 Add Logging and aler rs CI SnorT dev loggingdirec rory h home subne rinslash no ra rion CI Ex snorT dev varadmsnorTlogs h 10101024 CI To collecT in binary mode fasTer snorT b L logfile 0 Can read wiTh SnorT or wiTh TCPDUMP or wiTh EThereal 0 Can filTer with any of These CI For example To ignore all Traffic coming from hosT 1010115 on por r 21 O SnorT vd r file noT hosT 1010115 and src porT 22 CI To creaTe a NIDS one adds rules in a configuraTion file 0 SnorT dev varadmsnorTlogs h 10101024 c varadmsnorTrulesconf Traffic Analysis 364 Posi rioning SNORT Internal Network HP Applicu un Server Server Server Traffic Analysis 365 SNORT Concerns El Snor r may miss packe rs El Snor r may genera re false posi rives or false nega rives El May be painful ro upgrade changes in forma r of rulese rs for example El Snor r may be The farge r of affacks o Sys rem on which Snor r resides may be vulnerable because of o rher applica rions like SSH HTTP HTTPS MySQLwhich are useful wiTh Snor r 0 Need good sys rem adminisTraTion El Snor r core code is rela rively secure Traffic Analysis 366 SnorT Rules CI AlerT Tcp l1011024 any gt 1011024 any flagsSF mSg SYNFIN scanquot39 0 Rule header followed by rule opTions o This rule Triggers when Tcp Traffic is noT from The 1011 neT any src porT and is desTined To 1011 neT any desT porT and has The SYN and FIN flags seT 0 If a maTch generaTes The message CI AlerT represenTs The acTion field OpTions include alerT log pass acTivaTe dynamic Traffic Analysis 367 Acfion Field El Aler f i ns rr39ucfs Snor39f ro cr39eafe an en rr39y in The aler39f file and cr39ea re enfr39y in The log file El Log insfr39uc rs Snor39f only To make a log enfr39y El Pass i ns rr39ucfs Snor39f fo dr39op any ma rching packef El Acfivafe ins rr39uc rs Snor39f ro aler39f on a ma rch and To Turn on dynamic r39ules El Dynamic i ns rr39ucfs Snor39f fha r rule is dor39manf unlessunfil Turned on by an acfiva re El If is also possible To define your39 own rules wwwsnorquotror39g Traffic Analysis 368 Pr39o rocol Field CI Snor39T cur39r39en rly suppor rs four39 pr39o rocols 0 IP V4 0 TCP 0 UDP 0 ICMP CI ARP RARP GRE OSPF RIP IPX being considered Traffic Analysis 369 SourceDestina rion IP Address CI May specify one or39 mul riple hos rs or39 subne rs CI Use CIDR no ra rion xyzwnn CI For39ma r addr39essne rmask or39 any or39 addr39essne rmaskaddr39essne rmask 0 No re leave no spaces in lis r CI Variables can be defined and cer39fain key variables exis r such as HOMENET used in exis ring Snor39f r39ules Traffic Analysis 370 Source lt8 des rina rion por rs CI Specific number39 range of numbers or39 keyword any CI Examples 0 S ra ric port 111 o All por39fs any 0 Range 3300034000 0 Nega rion 80 0 Less Than or39 equal 1023 O Grea rer39 or39 equal 1024 El Quir39k Mus r specify a por39f wi rh ICMP usually any Traffic Analysis 371 DirecTion IndicaTion CI gt MusT be Traveling from source To desTinaTion in order To Trigger on rule CI ltgt May be Traveling in eiTher direcTion To Trigger on rule Traffic Analysis 372 SelecTed rule opTions CI Msg assign an appropriaTe message To The ouTcome of a Triggered rule CI LogTo specify a fiename To which To log The acTiva 0 AlerT udp any any gt 1921685024 31335 mSg Trinoo porTquot logTo DDOS If The above rule is Triggered The oquuT on a Typical UNIX hosT will go To varogsnorTDDOS Traffic Analysis 373 Rule Op rions S rudy chap r 14 El T rl examines The fimeToIive field for a specific value El Id examines The identification field for a specific value El Dsize looks for da ra equalTo lessThan or greaterThan specified value El Sequence checks value of TCP sequence number for specific value El Ack checks value of ack number for specific value El Flags can check for specified flags CI Confen r look for specific payload confen r 0 Be careful because of performance implicaTions Traffic Analysis 374 TCPDump and WinDump Sec rion 2 of SWE59OO This ma rer39ial is in rended for39 s ruden rs of This course only No fur rher39 r39epr39oduc rion or39 distribution is au rhor39ized Ne rwor39k Securi ry 11 TCPDump CI UNIX Tool Tha r collec rs ne rwor39k da ra and displays if in specified for39ma r CI IT may be run live on a specified in rer39face bu r only if au rhor39ized CI IT may read da ra from a file Tha r has previously been saved using TCPDump CI IT offers a number of fil rer39ing capabili ries CI MUST be downloaded wi rh libcap or39 The windows equivalen r Do This by nex r class Ne rwor39k Securi ry 12 Mon Page CI If not on unix system go to CI NAME tcpdump dump traffic on a network SYNOPSIS tcpdump ade nNOpqStvx c count F file i interface r Me 3 snapen T type w 7e express0n DESCRIPTION Tcpo ump prints out the headers of packets on a network interface that match the boolean express0n Network Security 13 TCPDump Traffic Cap rur39e 88 80 88 88 88 88 88 88 88 88 88 88 DD 88 88 DU 88 88 881 NNNNNNNNN mmmmmmmmm NNNNNN 00000011703100 JNNNNN 0000001310000 28 24573652 16311823125319 gt hlackwidowse 245736T6 blackmidnwsefitedu33h gt 163118 24573796 hlackwidum33fitedu33h 3 163118 2453918 blackwidowsefitedu33h gt 163118 24573912 16311823125319 gt blackwi33333 2454U32 hlackmidow33fitedu33h gt 163118 2454143 163118231253193 gt blackwidow3e 24574166 hlackwidnw33fitedu33h gt 163118 2454276 blackmidnwsefitedu35h 3 163118 2457435 blackwiduw33fitedu33h gt 163118 2454392 16311823125319 gt blackwidowse 24574513 blackwidow33fitedu33h 3 163118 24574634 hlackwidnw33fitedu33h gt 163118 2454629 163118231253193 gt blackmidowse 24574758 blackwidowsefitedu33h gt 163118 28 2455888 blackwidow33fitedu33h 163118 2455099 hlackwid3333fitedu33h 163118 24575234 blackwidow5efitedu33h 3 163118 2457534D blackwiduw33fitedu33h gt 163118 24554D blackmidowsefitedu33h gt 163118 24575581 16311823125319 gt blackwi33333 24575713 hlackwidow33fitedu33h gt 163118 24573542 blackwidnwsefitedu33h 163118 24534868 16311823125319 3 hlackwiduwse 231253197 fitedu33h 231253197 253197 253191 edu33h 23125319T fitedu33h 253197 253191 253197 edu33h 23125319 253197 edussh 253197 edu53h 231253197 253197 25319 253197 253191 edu33h 231253197 P Huh quotU39TJ39 391 1 Fururuicl39u P 533734533912123 ask 7373 win 19372 ask 535912 win 53375 35 533912537372133 ask 7373 win 19372 537372537232153 ask 7373 win 19372 537232537392153 ask 7373 win 19372 ask 537232 win 33353 33 537392537523123 ask 7373 win 19372 ask 537523 win 34243 35 537523537533153 ask 7373 win 19372 537333537343153 ask 7373 win 19372 537343537933123 ask 7373 win 19372 ask 537343 win 53923 35 537933533123133 ask 7373 win 19372 533123533233153 ask 7373 win 19372 ask 533123 win 33532 35 533233533413123 ask 7373 win 19372 ask 533415 win 53344 37 533575533735133 ask 7373 win 19372 533735533354123 ask 7373 win 19372 533354539324153 ask 7373 win 19372 539324539134153 ask 7373 win 19372 539134539312123 ask 7373 win 19372 ask 539312 win 33952 33 539472539333123 ask 7373 win 19372 DFJ DFI D171 DFI DFI DF 35 DFI DFI DFI EDFI DFI DF DFJ EDFI DFI DH 333 t33 E33 C33 r I C33 E33 t33 533 33 t33 33 t33 33 33 t33 33 33 IVCI VVUI39I JCLUI39I I y 3313 3313 3313 3313 3313 3313 3313 3313 3313 3313 8318 3313 3313 3313 3313 3313 3313 4 1 Type of Service Field Bits 02 Precedence Bit 3 O Normal Delay 1 Low Delay Bit 4 O Normal Throughput 1 High Throughput Bit 5 O Normal Relibility 1 High Relibility Bits 67 Reserved for Future Use 0 1 2 3 4 5 6 7 Network Security 15 TCPDump Traffic CapTur39e conTm 00228224573542 blackwidowsefiTedussh gt163118231253197 P 536784536912128 ack 7073 win 19872 DF Tos 0x10 00000000 0 002824573542 Time packeT was received blackwidowsefiTedussh sour ce hosT and por T In This case The por T is SSH or 22 gt dir ecTion of The Traffic 163118231253197 desTinaTion IP and por T P flag seT in This case is P for push Pushes daTa from The sending hosT To The receiving hosT 536784536912 beginning and ending sequence numbers This is used To order The daTa ThaT is received 128 byTes in The packeT ack 7073 TCP flag ACK r epr esenTs The acknowledgemenT of daTa received The 7073 is The acknowledgemenT number Win 18872 This is The windows size This means ThaT The clienT has a window size or incoming buffer of 18872 byTes DF don39T fr agmenT This flag is used if and when The size of The daTagr am To be senT exceeds The maximum amounT allowed by The r ouTe Tos 0x10 Type of service This This case is 10 which sTands for minimize delay NeTwor39k SecuriTy 16 IP datagram format IP prOTOCOI Jami 32 biTS total datagram header length Type of length bytes bY63 er service lenglh for Type of dam 16bit identifier lgsl fragmem fragmentation max number Time To upper Imem reassembly remaining hops Iive layer Checksum decremented at each router 32 bit source IP address upper layer protocol 32 bit destination IP address to deliver payload to Options if any Eg timestamp or UDP data variable length typically a TCP segment record route taken specify list of routers to visit Network Security 17 TCP segment structure URG urgent data generally not used 32 bits source port I dest port counting ACK ACK sequence number by bytes of data valid c m gwledgement number not segments PSH push data now generally not used head not sed PRSF Receive window Urg data pnter bytes rcvr willing RST st FINz connection estab c OP W varia ble length to accept setup teardown commands Internet checksum as in UDP application data variable length Network Security 18 WELL KNOWN PORT NUMBERS The Well Known Ports are assigned by the IANA and on most systems can only be used by system or root processes or by programs executed by privileged users Ports are used in the TCP RFC793 to name the ends of logical connections which carry long term conversations For the purpose of providing services to unknown callers a service contact port is defined This list specifies the port used by the server process as its contact port The contact port is sometimes called the quotwellknown portquot To the extent possible these same port assignments are used with the UDP RFC768 The range for assigned ports managed by the IANA is 01 Network Security 19 Port Examples chargen 19th Character Generator chargen 19udp Character Generator ftpdata 20th File Transfer Default Data ftpdata 20udp File Transfer Default Data ftp 21th File Transfer Control ftp 21udp File Transfer Control ssh 22th SSH Remote Login Protocol ssh 22udp SSH Remote Login Protocol telnet 23th Telnet telnet 23udp Telnet 24th any private mail system 24udp any private mail system smtp 25tcp Simple Mail Transfer smtp 25udp Simple Mail Transfer 26tcp Unassigned 26udp Unassigned Network Security 110 Absolu re and Rela rive Seq Nos El Consider The following o clien rcom38060 gt Telnetcomfrelnet S 377495799037749579900 win 8760 ltmss 1460gt DF 0 Telnetcomfrelne r gt clienTcom38060 S 200960000020096000000 ack 3774957991 win 1024 ltmss 1460gt o clienTcom38060 gt Telne rcom rene r ack 1 win 8760 DF 0 clienTcom38060 gt TelneTcomTeneT P 122827 ack 1 win 8760 DF El No re use of rela rive sequence numbers beginning wi rh 3Pd packe r Ne rwork Securi ry 111 E rher39eal Traffic Cap rur39e 5 elp Eng Edit Eapture Eisplay Iouls Prulucal Info No 2 Source rJ 1 11 1 1 1 r 1 a c r r 2 2047481 16311823125 163u81341 mus Standard query PTR 11341181631nvaddrarpa 3 2049967 1631181341 16311823125 DNS Standard query r DrISE PTR redw39idnwse1139tedu 4 35 703787 16311813410 63118 231 25 NBSS NESS Continuation Message 5 35703850 16311823125 16311813410 TC 3 5 gt microsuft ds VACKT Seu2515682704 Ack3197936079 Win65394 Len l I Ecrame 1 60 ytes on w1r e 60 bytes captur ed Ar iv 1 me Oct 21 2003 011924324793000 Time de1ta from previous packet 0000000000 seconds e In first packet 0000000000 SECDn 60 bytes h 60 bytes 1cm 0 d a 2b53a Gigs Byt 02b53a 39 002052923100 FoundryN923100 IF oxosoo 5 ar 00000000000000000000 EIIntEr net Pr39DtDCD I r c Addr 16311813411 16311813411 Dst Addr 16311823125 16311823125 Ers1nn Header 1engt es EIDifferentiated Services quotve ld 0x00 DSCP 0x00 Defau lt ECN 0x00 0000 00 f arent iated Serviltas codepm nt Dafau lt 0x00 Ecwcapab le Transport EcT o ECN CE 0 Tota l Length 36 Identifiaaticm 0x3726 34598 39 0x0 126 Prntntn l um 0x11 0x0191 Curract tination 16311823125 16311823125 Sr lt Port 49015 49015 DSt F39Ur t 3023 3023 Destination part 3023 3023 Length 16 checksum Qxbasd currect Data 8 bytes 0000 45 00 0010 00 24 87 26 00 00 72 1 01 91 33 76 6 0b a3 76 amp 0020 E7 19 b1 77 0b Cf 00 10 ha 8d 50 28 b1 02 Ch Ad W 0030 19 77 00 00 00 00 00 00 00 00 00 00 W I A M Apply IElharne em 14 bytes lJ E rher39eal Traffic Cap rur39e 3 Ar a e o 21 2003 01192452679 00 Time de lta from previous packet 0000000000 seconds Time re39lative to First packet 0000000000 SECDndS Frame Number Packet Length 60 bytes pture Length 60 bytes ElEther net II src 00e052923100 Dst QOOd6102b53a Destination 0 d 2b533 GigarByt1ozzb5z3c l Source ooeo52 FoundryN1923Loo Type IP oxosoo quotIer oooooooocoaooooooooo src A r 16311813411 16311813411 Dst Addr version 4 163115 231 25 153118 231 25 ytes es Fie ld 0x00 DSCP 0x00 Defau1t ECN 0x00 D1 Fer entiated Services Cudepuint Defau lt 0x00 EcN capab le Transport EU 0 ECN CE O 0 Tuta39l Length 36 Identification 0x8725 34598 Er rags 0x00 Don t Fragment Not set 0 More fragments Not set Fragment offset Time to 1ive 1 E a Header heeksum 0x0191 urreCt Source 16311813411 16311813 1 Destination 16311823125 163118 23125 Eluser Datagram Frotocu l src Port 49015 49015 Dst Port 3023 3023 Source pDr t 49015 C 9015 Destination port 3023 3023 00 0d 61 02 b5 3a 00 e0 52 92 31 00 OS 00 45 00 01 91 a3 76 86 0b 33 76 28 b1 02 b 44 0030 f9 77 00 00 00 00 00 00 00 DO 00 00 Ne rwor39k Securi ry 113 TCP 3 way Handshake CI Tclien rne r39904 gt Telne rcom23 S 733381829733381829O win 8760 ltmss 1460gt DF CI Telne rcom23 gt Tclien rne r39904 S 11929306391192930639O ack 733381830 win 1024 ltmss 1460gt DF CI Tclien rne r39904 gt Telne rcom23 Ack 1 win 8760 DP Ne rwor39k Securi ry 114 TCP Takedown CI Tclien rne r39904 gt Telne rcom23 F 1414O ack 186 win 8760 DP CI Telne rcom23 gt Tclien rne r39904 ack 15 win 1024 DP CI Server nex r ini ria res a FIN and clien r acks To finally close The connec rion CI Abrup r version uses rese r 0 rclien rne r39904 gt relne rcom23 R 28280 ack 1 8760 DP Ne rwork Securi ry 115 Rudimentary Analysis CI Was The rhr39ee woy handshake comple red be rween rwo hos rs CI Wer39e do ro rr39onsmi r red CIWho began andor39 ended The connec rion CIRecoII Syn Flood Nep rune A r rock Ne rwor39k Securi ry 116 SYN Flood Nep rune CI Leverages TCP 3way Handshake CI A l racker sends opening SYN CI Targe r responds wi rh SYNACKquot and builds a record in a da ra s rruc rure To hold connecTion informa rion CI The a r rack consis rs of many SYN packe rs being sen r from unreachable sources non exis ren r so Tha r handshake is no r comple red and da ra s rruc rure overflows Ne rwork Securi ry 117 Observa rions CI No sure way To fil rer a r single packe r level CI Charac reris rics 0 Unusually large number of TCP SYNs direc red a r a single des rina rion address 0 Unusually large number of des rina rion unreachable responses ro SYNACKs 0 Unusual source address pa r rerns Ne rwork Securi ry 118 Ack Scan page 39 of NID CI Attacker sends lone ack to probe specific ports 0 Live hosts respond with reset to unexpected ack 0 May be used by hacker to determine location of live hosts CI Note that lone ack should be found as follows 0 Final transmission of 3way handshake 0 Acknowledgement of received data or data in progress 0 Acknowledgement of received FIN 0 Do you see evidence of any such normal use Network Security 119 TCP Session Hijacking CI Objective is to intercept on established TCP session and capture impersonate one end of the connection CI Nontriviol effort that must maintain 0 IP number 0 Established port numbers 0 Proper sequence number increments 0 Proper ock increments Network Security 120 Fragmentation CI Fragmentation allows an IPV4 datagram to cross a network that has an MTU smaller than the IP datagram 0 Recall that MTU is the max payload of the link layer frame 0 Fragment ID 0 Offset number 13 bits 0 Fragment Length 0 More Fragments Flag Network Security 121 IP datagram format IP prOTOCOI Jami 32 biTS total datagram header length Type of length bytes bY63 er service lenglh for Type of dam 16bit identifier lgsl fragmem fragmentation max number Time To upper Imem reassembly remaining hops Iive layer Checksum decremented at each router 32 bit source IP address upper layer protocol 32 bit destination IP address to deliver payload to Options if any Eg timestamp or UDP data variable length typically a TCP segment record route taken specify list of routers to visit Network Security 122 IP Fragmen ra rion amp Reassembly CI neTwork links have MTU maxTransfer size largesT possible linklevel frame 0 different link Types differenT MTUs l fragmenTaTion in one large daTagram CI large IP daTagram divided g 0 3 smaller dalagr ams fragmented wiThin neT X 0 one daTagram becomes several daTagrams O reassembled only aT final desTinaTion 0 IP header biTs used To idenTify order relaTed fragmenTs reassembly Ne rwork Securi ry 123 IP Fragmen ra rion and Reassembly l lengTh ID fragflag offseT 4ooo x 0 0 One large daTagram becomes several smaller daTagrams l lengTh ID fragflag offseT 1500 X 1 O l lengTh ID fragflag offseT 185 1500 x 1 1480 l lengTh ID fragflag offseT 1040 X 0 2960 ll II lH Ne rwork Securi ry 124 View Fragmen ra rion TCPDUMP CI Pingcom gt myhosmom icmp echo reques r frag 148O9 Dafa w no IP header incl CI Pingcom gt myhosTcom frag Does incl 8 byte ICMP hdr 21223148O1480MF1 CI Pingcom gt myhos rcom frag 21223110482960 MF0 Shows fragmenTaTion of an ICMP echo requesT seen in 1er fragmem only wiTh packeT ID 21223 and lengTh of original IP packeT equal To 1480148010484008 byTes daTa 20 byTes header Ne rwork Securi ry 125 Fraqmen ra rion amp Packe r Fil rerinq Devices CI If fil rering device is se r To rejec r ICMP echo reques rs if will rejec r firs r fragmen r 0 No ICMP header info in following fragmen rs CI Many devices do no r mai n rai n s ra re and so will no r know Tha r any fragmen rs wi rh ID21223 same sourcedes r should also be rejec red CI Same Thing may occur wi rh TCP or UDP packefs CI No re recall fha r if one fragmen r does no r arrive a r des rina rion all are resen r Ne rwork Securi ry 126 Don39T Fragmen r Flag DF CI Appears as DF in TCPDUMP ou rpu r CI If packe r wi rh This flag se r reaches a rou rer Tha r needs To fragmen r rou rer discards packe r and re rurns ICMP unreachable need To fragquot error message To sending hos r 0 Some rimes used by hos rs To discover The pa rh MTUquot and avoid fragmen ra rion 0 Can be used maliciously Ne rwork Securi ry 127 Ping O39 Dea rh CI ICMP Echo reques r is sen r wi rh an illegally long payload gr39ea rer39 Than 64k by res CI Older39 a r rack Tha r could cause oper39a ring sys rems To lock or39 reboot 0 Similar in effec r ro LAND a r rack CI Obser39va rion Look closely of any ICMP packe r Tha r has been fragmen red Ne rwor39k Securi ry 128 Analysis CI Malcom139 gt Targe rne r139 udp 28 frag 24236O CI Malcom139 gt Targe rne r139 frag 242424 NoTice 36 daTa byTes in firsT fragmenT beginning a1 0 NexT are 4 byTes beginning a1 24 Illegal overlap known as Teardrop aTTack Ne rwork Securi ry 129 Teardrog CI IPV4 packets support fragmentation but fragments not permitted to overlap CI In this attack packets are created with illegal overlap of fragments CI Older operating systems may crash upon receipt of such fragments CI Observation Can check all arriving packets for illegal fragmentation O Requires some state be maintained previous termination point for this srcdestID Network Security 130 Inferne r Confrol Message Pro rocol ICMP Ne rwor39k Securi ry 131 RFC 792 CI Occasionally a ga reway or des rina rion hos r will communica re wi rh a source hos r for example To repor r an error in da ragram processing For such purposes This pro rocol The Inferne r Con rrol Message Pro rocol ICMP is used ICMP uses The basic suppor r of IP as if if were a higher level pro rocol however ICMP is ac rually an in regral par r of IP and mus r be implemen red by every IP module Ne rwork Securi ry 132 RCF792 ConTinued El ICMP messages are senT in several siTuaTions for example when a daTagram cannoT reach iTs desTinaTion when The gaTeway does noT have The buffering capaciTy To forward a daTagram and when The gaTeway can direcT The hosT To send Traffic on a shorTer rouTe CI The ICMP messages Typically reporT errors in The processing of daTagrams To avoid The i nfiniTe regress of messages abouT messages eTc no ICMP messages are senT abouT ICMP messages Also ICMP messages are only senT abouT errors in handling fragmenT zero of fragemenTed daTagrams NeTwork SecuriTy 133 Typical ICMP Message Format IP Header with Protocol Number 1 8bit typeI8bit codeI16bit checksum Depending on type may include information such as the original IP header 64 bits of original datagram data Network Security 134 ICMP Internet Control Messoqe Protocol CI Note ICMP is often used for mapping used by hosts routers gotewo s to communication networ eve information 0 error reporting unreachable host network port protocol 0 echo reques r reply used by ping networklayer quotabovequot IP 0 ICMP msgs carried in IP dotogroms More at wwwionoorgossignme ntsicmpporome rers Type Code description LOOOOOOOOOOOOO OVCDWM OO 00000 echo reply ping dest network unreachable dest host unreachable dest protocol unreachable dest port unreachable dest network unknown dest host unknown source quench congestion control not used echo request ping route advertisement router discovery TTL expired bad lP header Network Security 135 Overview of Normal ICMP M595 CI Hos r Unreachable o RouTer gt sendinghosT icmp hosT Targe rhos r unreachable El Por r Unreachable o Targe rhos r gt sendinghos r icmp Targe rhos r udp por r nTp unreachable DF El Admin Prohibi red o RouTer gt sendinghosT icmp hosT Targe rhos r unreachable admin prohibiTed El Need To frag o RouTer gt sendinghosTneT icmp Targe rhos r unreachable need To frag mTu 1500 El O rhers Ne rwork Securi ry 136 Stealthy Trojan horse attempts to gather data on Web sites October 22 1999 Web posted at 1117 am EDT 1517 GMT by Sean M Dugan IDG In a scenario not unlike a story line from a Tom Clancy novel the Systems Administration Networking amp Security SANS Institute is reporting What appears to be a Widespread attempt to gather information on proxy servers and send that information to a Russian Web site Network Security 137 RingZer39o Trojan CNN online On Oct 7 SANS Institute members started to try to piece together what was happening They found what appears to be a Trojan horse application dubbed RingZero which systematically searches out and probes proxy servers from an infected machine and sends that information to a central Web server The RingZero Trojan horse which gets its name from a component called Ring0vxd first discovered at Vanderbilt University appears to be divided into two distinct parts both of which arrive on a system as compressed archives One component pstexe probes for proxy servers and has the proxy servers send port information and IP numbers to the Web site rusftpsearchcom The pstexe component apparently scans ports 80 8080 and 3128 and other 8000 series ports Network Security 138 SMURF A r rock CI A r rocker39 spoofs i rs IP address To be Tho r of Target CI Sends ICMP echo r39eques r To xy255255 CI Po ren riolly Thousands of machines in The xy des rino rion ne rwor39k may respond wi rh ICMP echo r39eplies CI Responses will all go To spoofed address of Target Ne rwor39k Securi ry 139 Observa rions CI No way To observe a r rack based on a single packeT CI Tar39ge r may suddenly observe all bandwid rh being consumed a r i rs ne rwor39k in rer39face CI Ne rwor39k moni ror39ing may observe an unusually large number39 of ICMP echo r39esponse packe rs especially dir39ec red of one Tar39ge r CI Some sys rems now block all ICMP packe rs or39 block all packe rs des rined To 255 address Ne rwor39k Securi ry 140 Distributed Denial Df Service Aget sf nml 39m Ne rwor39k Securi ry 141 Mus r Reading Distributed Reflection Denial of Service Description and analysis of a potent increasingly prevalent and worrisome Internet attack By Steve Gibson of GRC h r rpwwwgr39ccomdosdr39dosh rm Network Security 142 Distributed Denial of Service At 200 AM January 11th 2002 the GRCCOM site was blasted off the Internet by a new for us distributed denial of service attack Perhaps the most startling aspect of this attack was that the apparent source was hundreds of the Internet39s quotcore routersquot web servers belonging to yahoocom and even a machine with an IP resolving to quotgary7nsagovquot We appeared to be under attack by hundreds of very powerful and wellconnected machines Once we determined how to block this attack and returned to the Internet 1072519399 blocked packets were counted before the attack ended Ne rwork Security 143 Tribal Flood Ne rwork A r rack CI Requires mas rer39 and daemon hos rs To be es rablished CI Mas rer39 i ns rr39uc rs daemons by sending commands in ICMP echo replies 0 The ICMP iden rifica rion number39 field in The ICMP header39 of The ICMP echo reply is used To dir39ec r daemons wi rh ar39gs provided in ICMP da ra por rion Ne rwor39k Securi ry 144 WinFreeze A r rack El Takes advan rage of ICMP r39edir39ec r message which informs a sending hos r Tha r if has Tried To use a nonop rimal router and directs The adding of a more op rimal r39ou rer39 ro hos r39s rable El Rou rer gt vic rimcom icmp r39edir39ec r 2431481661 To hos r vic rimcom El Rou rer gt vic rimcom icmp r39edir39ec r 110161152156 To hos r vic rimcom El Rou rer39 gt vic rimcom icmp r39edir39ec r 24521187115 To hos r vic rimcom El Rou rer39 gt vic rimcom icmp r39edir39ec r 4913023315 To hos r vic rimcom CI hos r a r racks i rsehc Ne rwor39k Securi ry 145 Loki CI Prior To Loki ICMP used for Dos o r rocks and ne rwork mopping CI Loki uses ICMP as a Tunneling pro rocol for a cover r channel 0 Loki server mus r be i ns rolled in a compromised hosT 0 ICMP carries cover r messages To The Loki server CI More informo rion of issue 49 or ricle 6 Ne rwork Securi ry 146 Loki conTinued El Loki uses ICMP echorequesT and echoreply for communicaTion wiTh server El ICMP echorequesT o 20 byTes of IP header 0 8 byTes of ICMP header 0 arbiTrary amounT of daTa usually Timing informaTion for use by ping o No checks El Loki creaTes coverT channel by Tunneling informaTion inside The daTa porTions of ICMP echorequesT and echoreply packeTs El Can pass commands ThaT server can execuTe on compromised sysTem El ObservaTion and prevenTion NeTwork SecuriTy 147


Buy Material

Are you sure you want to buy this material for

25 Karma

Buy Material

BOOM! Enjoy Your Free Notes!

We've added these Notes to your profile, click here to view them now.


You're already Subscribed!

Looks like you've already subscribed to StudySoup, you won't need to purchase another subscription to get this material. To access this material simply click 'View Full Document'

Why people love StudySoup

Steve Martinelli UC Los Angeles

"There's no way I would have passed my Organic Chemistry class this semester without the notes and study guides I got from StudySoup."

Amaris Trozzo George Washington University

"I made $350 in just two days after posting my first study guide."

Bentley McCaw University of Florida

"I was shooting for a perfect 4.0 GPA this semester. Having StudySoup as a study aid was critical to helping me achieve my goal...and I nailed it!"

Parker Thompson 500 Startups

"It's a great way for students to improve their educational experience and it seemed like a product that everybody wants, so all the people participating are winning."

Become an Elite Notetaker and start selling your notes online!

Refund Policy


All subscriptions to StudySoup are paid in full at the time of subscribing. To change your credit card information or to cancel your subscription, go to "Edit Settings". All credit card information will be available there. If you should decide to cancel your subscription, it will continue to be valid until the next payment period, as all payments for the current period were made in advance. For special circumstances, please email


StudySoup has more than 1 million course-specific study resources to help students study smarter. If you’re having trouble finding what you’re looking for, our customer support team can help you find what you need! Feel free to contact them here:

Recurring Subscriptions: If you have canceled your recurring subscription on the day of renewal and have not downloaded any documents, you may request a refund by submitting an email to

Satisfaction Guarantee: If you’re not satisfied with your subscription, you can contact us for further help. Contact must be made within 3 business days of your subscription purchase and your refund request will be subject for review.

Please Note: Refunds can never be provided more than 30 days after the initial purchase date regardless of your activity on the site.