IDIC – SANS GIAC LevelTwo ©2000, 2001

Slide 1: Traffic Analysis Techniques

Basic traffic characteristics:
– To, From, Date, Time
– Service, Type, or Class
– Sequence numbers, Sets, Patterns
– Weight or Severity
– Size

Welcome to the second half of our study of the fundamentals of traffic analysis. In the first part of this topic, we discussed some of the basic characteristics that we pay particular attention to when performing traffic analysis: To, From, Date, Time, Service, Type, Class, Sequence Numbers, Sets and Patterns. Now let's build on that foundation by adding weight, severity and size to our list of analysis dimensions.

Slide 2: Tiny Fragments

20:36:18.458174 [|tcp] (frag 44435:16@0+)
20:36:18.458793 142.165.206.93 > my.firewall.net: (frag 44435:4@16)
20:36:18.459620 [|tcp] (frag 61893:16@0+)
20:36:18.460280 142.165.206.93 > my.firewall.net: (frag 61893:4@16)

Size does matter! Key to understanding: a penetration technique that splits the TCP header across two IP fragments.

Detect and analysis by Brian Betterton, GCIA:

"History: None previously observed.
Techniques: This was a host port scan using tiny fragments.
Targeting: Absolutely! This source has targeted my firewall specifically, null scanning using tiny fragmented packets. They are attempting to go unnoticed.
Analysis: The intruder is probably using nmap, running a null scan, such as in Detect 3. The difference here is they are also using tiny fragmented packets to try to elude notice. It worked in this case, as my firewall did not log these.
Severity Level: (Critical + Lethal) – (System Countermeasures + Net Countermeasures) = Severity Level. This is a firewall (5), but the attack is unlikely to succeed (1). The firewall did not log these fragments, so I'll use an average value for network countermeasures. (5 + 1) – (5 + 3) = < 0"

When looking at fragmented traffic, some questions you should ask yourself are:
• Are the fragments too small?
• Do the fragments have the right offsets?
• Do the fragments overlap each other, or are there gaps between the fragments?
• What is the purpose of the fragmentation?

In this case, the fragments are extremely small. The first fragment of each datagram carries only 16 bytes of transport data, yet a TCP header is at least 20 bytes long; the remaining 4 bytes (the checksum and urgent pointer) arrive in a second fragment at offset 16. The [|tcp] on the first line of each pair is tcpdump reporting that it could not decode a TCP header from so short a fragment. So it appears that this fragmentation has been done deliberately in order to split the TCP header between two packets, probably to evade firewalls, packet filters or intrusion detection systems that inspect only the first fragment, or that pass fragments they cannot decode. The countermeasure, described in RFC 1858, is to drop any first fragment too short to hold the full transport header and, wherever possible, to reassemble fragments before applying filtering rules or signature matching.

Slide 3: Scan for TCPMUX

20:10:49 172.16.82.11.6221 > hosta.1: S
20:10:49 172.16.82.11.6220 > 255.255.255.255.1: S
20:10:52 172.16.82.11.6222 > hostb.1: S
20:10:53 172.16.82.11.6289 > hostc.1: S
20:10:53 172.16.82.11.7300 > hostd.1: S

Trace with complete header shown on the notes page.

Key to understanding: we tend to focus on destination ports, but here we see that source ports also have a story to tell. Indicator of a burst on the source system.

Here is another scan; all attempts are made to destination port 1, TCPMUX. What makes this scan interesting is the source ports. Look at the first three lines on the slide. According to the timestamps, they occur during a three-second period. The source ports are 6220, 6221 and 6222, three consecutive ephemeral ports, which implies that no other connections were being initiated by the source system during that time. Now look at the fourth line. It was logged only a second after the third line, yet the source port has increased from 6222 to 6289. On the fifth line, logged during the same second as the fourth, the source port has really jumped, from 6289 to 7300. This is evidence of a large burst of network activity on the source system: over 1000 ephemeral ports consumed within a second, for example by a scanner probing many other targets in parallel that our sensor did not see. Note that this reasoning assumes the source allocates ephemeral ports sequentially, which was true of most stacks at the time; a stack that randomizes ephemeral ports (RFC 6056) gives source-port deltas no such meaning.
Trace with complete header:

20:10:49 172.16.82.11.6221 > hosta.1: S 3072319638:3072319638(0) win 512
20:10:49 172.16.82.11.6220 > 255.255.255.255.1: S 2109566624:2109566624(0) win 512
20:10:52 172.16.82.11.6222 > hostb.1: S 1729073814:1729073814(0) win 32120
20:10:53 172.16.82.11.6289 > hostc.1: S 957786113:957786113(0) win 32120
20:10:53 172.16.82.11.7300 > hostd.1: S 4288288149:4288288149(0) win 32120

Slide 4: Original IMAP (TCP 143) Script

NOTE: Slow arrival and two address ranges (192.168.x and 172.31.x); this scan is probably interleaved across multiple address blocks.

14:13:54 newbie.hacker.org.10143 > 192.168.1.1.143: S
14:24:58 newbie.hacker.org.10143 > 172.31.1.1.143: S
14:35:40 newbie.hacker.org.10143 > 192.168.1.2.143: S
14:43:55 newbie.hacker.org.10143 > 192.168.2.1.143: S
14:54:58 newbie.hacker.org.10143 > 172.31.2.1.143: S
15:05:41 newbie.hacker.org.10143 > 192.168.2.2.143: S
15:13:59 newbie.hacker.org.10143 > 192.168.3.1.143: S

Your turn: what dimensions are displayed in this historic example?

This example shows a classic IMAP scan. What dimensions are shown here? Remember, the basic external traffic dimensions are:
• To, From, Date, Time
• Service, Type, or Class
• Sequence numbers, Sets, Patterns
• Weight or Severity
• Size

The static source port of 10143 introduces the notion of a signature attack. This is the source port that was used by the original IMAP exploit script reported to Bugtraq. A fixed, unusual source port like this makes it really easy to detect when the script is used, which is one reason its use is becoming rare: once a signature like this is published, an attacker can change it in a minute. Other dimensions in the example include time (the eight- to eleven-minute spacing between probes), to, from, service (TCP 143), and patterns (the alternation between the two address ranges). Note both the destination network IDs and that only SYN packets were used.

Slide 5: Negotiating Window Sizes

host.2822 > fw.53: S 37007:37007(0) win 512
fw.53 > host.2822: S 12000:12000(0) ack 37008 win 32768 (DF)
host.2822 > fw.53: . ack 1 win 16060 (DF)

Key to understanding: no attack here. Window sizes change during the TCP conversation; this was just one of the nicest examples of this I have ever seen.
Not every trace that we look at is an attack or a probe. The example on this slide shows two hosts exchanging their TCP window sizes. The window is the number of bytes the advertising side is willing to accept beyond what it has already acknowledged; it limits how much data the peer may have in flight (sent but not yet acknowledged). Strictly speaking the window is advertised rather than negotiated: each side announces its own value in every segment it sends, and the value moves as receive buffers fill and drain. Here host opens with 512, fw advertises 32768, and host's very next segment, the ACK that completes the handshake, already carries 16060. This is perfectly normal behavior; however, if you are not familiar with window sizes, this may look suspicious to you.

Slide 6: Sequential, Temporal, Service Dimensions

• Sequence numbers as patterns
• Sequence numbers as signatures
• Time data for ordering
• Time data for correlation
• Service or application

So far, we have studied traffic analysis through its external dimensions, such as To, From, and Service. Although dissecting the traffic using the external dimensions is certainly the heart of traffic analysis, there are other dimensions that can be used as well. First, there are sequential dimensions: thinking of sequence numbers as patterns or as signatures. We have already discussed this to some extent, but we will expand on this concept in the coming slides. Another way of analyzing data is by studying its temporal dimensions, using time data for ordering or for correlating events. A final way of examining the traffic is by using the service dimensions, focusing on a particular service or application.
Slide 7: NetBIOS and Echo

10:16:58.602949 scanr.1869 > 172.20.211.0.137: udp 50
10:16:58.603041 scanr.1869 > 172.20.211.0.137: udp 50
10:17:00.763690 scanr.1869 > 172.20.211.0.137: udp 50
10:17:02.175284 scanr.1750 > 172.20.211.0.echo: udp 81
10:51:57.583558 scanr.1869 > 172.20.211.0.137: udp 50
10:51:58.624647 scanr.1869 > 172.20.211.0.137: udp 50
10:52:00.175124 scanr.1869 > 172.20.211.0.137: udp 50
10:52:01.942465 scanr.1382 > 172.20.211.0.echo: udp 81
… Only echoes shown from here on
10:55:22.696118 scanr.1385 > 172.20.211.0.echo: udp 81
10:59:12.389749 scanr.1104 > 172.20.211.0.echo: udp 81
11:04:12.879154 scanr.1041 > 172.20.211.0.echo: udp 81
11:10:39.223615 scanr.1539 > 172.20.211.0.echo: udp 81

This scan is a mixture of NetBIOS name service (UDP 137) and UDP echo (UDP 7) connection attempts. The biggest anomaly here is that the scan is sent to the legacy all-zeros broadcast address, 172.20.211.0. Windows systems will not answer these broadcasts, so it is not clear what the attacker's intent is. Perhaps he or she is confused, looking for a router, or possibly looking for a Samba system. Since the source port for the NetBIOS attempts is not 137, something other than NBTSTAT is generating this traffic on the scanning computer; the Windows name service, and therefore NBTSTAT, sends its queries from port 137. The pattern is stable across many packets: three NetBIOS-NS probes and then an echo. The source port on the NetBIOS attempts is always 1869, while the source port on the echo attempts changes each time, so it appears that two separate processes are running: one holding a single socket open for the whole run, the other opening a new socket for each probe. Note that the echo source port trends downward (1750, 1382, 1385, 1104, 1041) until the final example, 1539, where it gets out of sequence. This might be the clue that allows an analyst to tie this pattern to some other piece of information, but it would be a long shot.
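Added example, not part of the IDIC course material: a small Python triage script that parses the tcpdump one-liners from slides 2, 3 and 7 and applies the checks the notes describe by hand: fragment size, offsets, gaps and overlaps (slide 2); source-port deltas between consecutive packets as a measure of activity on the source (slide 3); and which source ports are used per destination service, to separate a long-lived socket from a new socket per probe (slide 7). The regular expressions, the use of the IP ID as the reassembly key, the 50-port jump threshold and the constructed overlap sample are assumptions; the other sample lines are copied from the slides.

```python
"""Triage helpers for tcpdump one-liners of the kind shown on slides 2, 3 and 7.

Added example; the regular expressions are assumptions about the tcpdump
output format used on these slides, not part of the IDIC material.
"""
import re
from collections import defaultdict

# "(frag ID:LEN@OFFSET+)": LEN bytes of transport data at byte OFFSET,
# a trailing "+" meaning more fragments follow (tcpdump syntax).
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")

# "HH:MM:SS[.frac] src.SPORT > dst.DPORT:" with a numeric source port.
HOST_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+(\S+?)\.(\d+) > (\S+?)\.(\w+):")

TCP_HEADER_MIN = 20  # bytes; a shorter first fragment splits the TCP header


def check_fragments(lines):
    """Group fragments by IP ID and answer the slide's questions: too small?
    right offsets? gaps or overlaps? Returns {ip_id: [findings]}."""
    frags = defaultdict(list)
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            frags[int(m[1])].append((int(m[3]), int(m[2]), m[4] == "+"))
    findings = {}
    for ip_id, parts in frags.items():
        parts.sort()  # by offset
        notes = []
        first_offset, first_len, _ = parts[0]
        if first_offset != 0:
            notes.append("no first fragment seen")
        elif first_len < TCP_HEADER_MIN:
            notes.append(f"tiny first fragment: {first_len} bytes < {TCP_HEADER_MIN}")
        expected = 0  # byte offset at which the next fragment should start
        for offset, length, _ in parts:
            if offset > expected:
                notes.append(f"gap of {offset - expected} bytes before offset {offset}")
            elif offset < expected:
                notes.append(f"overlap of {expected - offset} bytes at offset {offset}")
            expected = max(expected, offset + length)
        if parts[-1][2]:
            notes.append("final fragment never seen")
        findings[ip_id] = notes
    return findings


def source_port_jumps(lines, threshold=50):
    """(time, previous, current, delta) wherever the source port jumped by more
    than threshold between consecutive packets: the source opened that many
    other sockets in between (slide 3). Only meaningful for stacks that hand
    out ephemeral ports sequentially; modern stacks randomize them (RFC 6056)."""
    jumps, prev = [], None
    for line in lines:
        m = HOST_RE.match(line)
        if not m:
            continue
        ts, sport = m[1], int(m[3])
        if prev is not None and sport - prev > threshold:
            jumps.append((ts, prev, sport, sport - prev))
        prev = sport
    return jumps


def source_port_profile(lines):
    """Source ports used per destination port (slide 7). One constant source
    port means one long-lived socket; a fresh port per packet means a new
    socket each time, most likely a different process."""
    profile = defaultdict(set)
    for line in lines:
        m = HOST_RE.match(line)
        if m:
            profile[m[5]].add(int(m[3]))
    return {dport: sorted(ports) for dport, ports in profile.items()}


# Sample lines copied from the slides.
TINY_FRAGMENTS = """\
20:36:18.458174 [|tcp] (frag 44435:16@0+)
20:36:18.458793 142.165.206.93 > my.firewall.net: (frag 44435:4@16)
20:36:18.459620 [|tcp] (frag 61893:16@0+)
20:36:18.460280 142.165.206.93 > my.firewall.net: (frag 61893:4@16)
""".splitlines()

# Constructed (simplified, not from the slides): a full-size first fragment
# followed by one that overlaps it, the shape used by overlap-based evasion.
OVERLAP = """\
00:00:01.000000 10.0.0.1 > 10.0.0.2: (frag 7:24@0+)
00:00:01.000100 10.0.0.1 > 10.0.0.2: (frag 7:8@16)
""".splitlines()

TCPMUX_SCAN = """\
20:10:49 172.16.82.11.6221 > hosta.1: S
20:10:49 172.16.82.11.6220 > 255.255.255.255.1: S
20:10:52 172.16.82.11.6222 > hostb.1: S
20:10:53 172.16.82.11.6289 > hostc.1: S
20:10:53 172.16.82.11.7300 > hostd.1: S
""".splitlines()

NETBIOS_ECHO = """\
10:16:58.602949 scanr.1869 > 172.20.211.0.137: udp 50
10:16:58.603041 scanr.1869 > 172.20.211.0.137: udp 50
10:17:00.763690 scanr.1869 > 172.20.211.0.137: udp 50
10:17:02.175284 scanr.1750 > 172.20.211.0.echo: udp 81
10:51:57.583558 scanr.1869 > 172.20.211.0.137: udp 50
10:52:01.942465 scanr.1382 > 172.20.211.0.echo: udp 81
10:55:22.696118 scanr.1385 > 172.20.211.0.echo: udp 81
10:59:12.389749 scanr.1104 > 172.20.211.0.echo: udp 81
11:04:12.879154 scanr.1041 > 172.20.211.0.echo: udp 81
11:10:39.223615 scanr.1539 > 172.20.211.0.echo: udp 81
""".splitlines()

if __name__ == "__main__":
    print(check_fragments(TINY_FRAGMENTS))   # both IP IDs: tiny first fragment
    print(check_fragments(OVERLAP))          # overlap of 8 bytes at offset 16
    print(source_port_jumps(TCPMUX_SCAN))    # jumps of 67 and 1011 ports
    print(source_port_profile(NETBIOS_ECHO)) # 137 -> [1869], echo -> six ports
```

The fragment check keys on the IP ID alone; a real reassembler also keys on source, destination and protocol, and imposes a timeout, but for triaging a handful of lines the ID is enough.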
Slide 8: Web (TCP 80) Example

15:05:15 surfer.1497 > server.http: S 28396544:28396544(0) win 8192 (DF)
15:05:16 server.http > surfer.1497: S 115698281:115698281(0) ack 28396545 win 8760 (DF)
15:05:46 server.1123 > surfer.1533: P 739781:741229(1448) ack 1823985720 win 8116 (DF)
15:06:09 surfer.http > server.1424: R 2572545643:2572545643(0) win 0
15:06:09 server.1348 > surfer.7777: SFR 3105729:3107161(1432) ack 688054539 win 8320 (DF)
15:06:29 surfer.1497 > webserver.http: F 340:340(0) ack 10221 win 8760 (DF)

More of the transaction is shown in the notes. Your turn: what is wrong with this picture?

15:05:15.880000 surfer.1497 > webserver.http: S 28396544:28396544(0) win 8192 (DF)
15:05:16.100000 webserver.http > surfer.1497: S 115698281:115698281(0) ack 28396545 win 8760 (DF)
15:05:16.13 surfer.1497 > webserver.http: P 1:340(339) ack 1 win 8760 (DF)
15:05:18.93 surfer.1496 > webserver.http: P 380:743(363) ack 73 win 8688 (DF)
15:05:19.27 surfer.1496 > webserver.http: F 743:743(0) ack 73 win 8688 (DF)
15:05:19.71 surfer.1496 > webserver.http: R 28354188:28354188(0) win 0 (DF)
15:05:22.65 surfer.1497 > webserver.http: P 1:340(339) ack 1 win 8760 (DF)
15:05:46.92 webserver.1123 > surfer.1533: P 739781:741229(1448) ack 1823985720 win 8116 (DF)
15:06:09.39 surfer.http > webserver.1424: R 2572545643:2572545643(0) win 0
15:06:09.55 webserver.1348 > surfer.7777: SFR 3105729:3107161(1432) ack 688054539 win 8320 (DF)
15:06:29.99 surfer.1497 > webserver.http: F 340:340(0) ack 10221 win 8760 (DF)
15:06:58.36 surfer.1497 > webserver.http: R 28396885:28396885(0) win 0 (DF)
15:07:45.93 surfer.1491 > webserver.http: R 27843570:27843570(0) win 0 (DF)
15:08:02.13 webserver.http > surfer.1490: F 5681:5681(0) ack 589 win 8173 (DF)

So what is wrong with this picture? It starts out innocently enough, with a user and a web server.
We see several different ports in use on the client's machine, but that is typical of HTTP traffic of this era, where each element on a web page may require its own connection. This trace gets weird in the middle, when webserver's port 1123 sends a PUSH/ACK to the user's port 1533, the user sends a RESET from their port 80 to webserver's port 1424, and webserver's port 1348 sends a SYN/FIN/RESET to the user's port 7777. None of these three packets belongs to a connection the sensor saw opened, and SYN, FIN and RESET together is a combination no conforming TCP stack emits. Although it's hard to tell exactly what's going on, it appears that the surfer may have come across a malicious web site. The web site could be probing the user's machine, by attempting to contact it on common ports (HTTP, in this case: the RESET from the user's port 80 shows that something from webserver's port 1424 reached that port) and by sending packets with odd flag combinations, such as SYN/FIN/RESET. Before attributing intent, rule out the mundane explanation that these are corrupted or mis-decoded packets: a SYN/FIN/RESET segment that also carries an ACK and 1432 bytes of data looks as much like damaged data as like a crafted probe.

Slide 9: NetBIOS (TCP 139)

06:49:55.47 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:49:58.44 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:50:04.44 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:50:16.43 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
12:57:56.94 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:57:59.91 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:58:05.92 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:58:41.96 proberE.2039 > 172.20.216.29.139: S 294212415:294212415(0) win 8192 (DF)

Your turn: the pattern continues on the notes pages. None of the hosts exist. What can we tell from this pattern? The pattern continued for weeks at multiple sites.
13:37:51.75 proberI.4186 > 172.20.215.205.139: S 22881687:22881687(0) win 8192 (DF)
13:37:54.96 proberI.4186 > 172.20.215.205.139: S 22881687:22881687(0) win 8192 (DF)
13:38:00.74 proberI.4186 > 172.20.215.205.139: S 22881687:22881687(0) win 8192 (DF)
13:38:12.89 proberI.4186 > 172.20.215.205.139: S 22881687:22881687(0) win 8192 (DF)
13:50:23.64 proberB.3293 > 172.20.53.123.139: S 355997160:355997160(0) win 8192 (DF)
13:50:26.55 proberB.3293 > 172.20.53.123.139: S 355997160:355997160(0) win 8192 (DF)
13:50:32.56 proberB.3293 > 172.20.53.123.139: S 355997160:355997160(0) win 8192 (DF)
13:50:44.54 proberB.3293 > 172.20.53.123.139: S 355997160:355997160(0) win 8192 (DF)
14:11:01.95 proberC.3491 > 172.20.245.182.139: S 57370977:57370977(0) win 8192 (DF)
14:11:04.88 proberC.3491 > 172.20.245.182.139: S 57370977:57370977(0) win 8192 (DF)
14:11:10.94 proberC.3491 > 172.20.245.182.139: S 57370977:57370977(0) win 8192 (DF)
14:11:23.06 proberC.3491 > 172.20.245.182.139: S 57370977:57370977(0) win 8192 (DF)
15:41:59.50 proberG.3278 > 172.20.252.141.139: S 266305199:266305199(0) win 8192 (DF)
15:42:02.70 proberG.3278 > 172.20.252.141.139: S 266305199:266305199(0) win 8192 (DF)
15:42:08.53 proberG.3278 > 172.20.252.141.139: S 266305199:266305199(0) win 8192 (DF)
15:42:21.09 proberG.3278 > 172.20.252.141.139: S 266305199:266305199(0) win 8192 (DF)
22:49:15.39 proberH.3658 > 172.20.124.23.139: S 14035939:14035939(0) win 8192
22:49:18.33 proberH.3658 > 172.20.124.23.139: S 14035939:14035939(0) win 8192
22:49:24.37 proberH.3658 > 172.20.124.23.139: S 14035939:14035939(0) win 8192
22:49:36.61 proberH.3658 > 172.20.124.23.139: S 14035939:14035939(0) win 8192

So what can we tell from this pattern? We can see that these are sets of 4 connection attempts. Within each set, the source and destination ports are the same, and the sequence numbers are fixed. However, among the various sets of attempts, all the source ports are different, and all the sequence numbers are different.
So the signature is sets of 4 attempts with only SYN set, to destination port 139, with the window size always 8192. These most likely appear in sets of 4 because of retries: one original SYN plus three retransmissions by the source's TCP stack after no SYN/ACK came back (remember that none of the target hosts exist). Note that there is a clear pattern in the timestamps within each set of 4: the gap between attempts is 3 seconds, then 6 seconds, then 12 seconds, the exponential backoff of a connect timer. Normally, when retries occur, the source ports and sequence numbers remain the same, as they do here. Four SYNs at 3/6/12-second intervals with a window of 8192 are consistent with the default connect behaviour of the Windows 9x/NT stacks of the time. The practical lesson: count a retry set as one probe, not four, or your event counts will be inflated fourfold.

Slide 10: TTL

• On the notes page are the Time To Live fields from the traces on the previous slide. Notice how they cluster around 120. This is not expected behavior. This was also fixed in the nmap 2.08 release, which has a decoy function so that the decoy TTLs are random.

Analysis credit to Army Research Lab.

Destination IP Address: 172.20.224.77 / TTL: 118 / Traceroute back: timeout occurred after 10/7/7 hops / Expected traceroute hops: 10
Destination IP Address: 172.20.204.154 / TTL: 120 / Traceroute back: 12/12/10 hops / Expected traceroute hops: 8
Destination IP Address: 172.20.204.154 / TTL: 120 / Traceroute back: 12/10/11 hops / Expected traceroute hops: 8
Destination IP Address: 192.168.212.123 / TTL: one connection 115, 3 connections 116 / Traceroute back: 14/13/12 hops / Expected traceroute hops: 12-13
Destination IP Address: 172.20.122.157 / TTL: 120 / Traceroute back: timeout occurred after 12/11/11 hops / Expected traceroute hops: 8

The check being made here: assume a default initial TTL (64, 128 or 255 for the common stacks), subtract the observed TTL to estimate how many hops the packet travelled, and compare that with a traceroute to the claimed source. The "expected" hop counts above are what an initial TTL of 128 implies (128 minus the observed TTL: 10, 8, 8, 12-13 and 8). When the hop count implied by the TTL disagrees with the path measured back to the claimed source, or when claimed sources at very different distances all arrive with nearly the same TTL, suspect that the addresses are decoys or otherwise spoofed rather than real hosts.

[...] [Chart residue: Microsoft Excel bar chart of source and destination port pairs for FTP sessions A to F, with the values "adjusted so they are all in A-F range"; the chart image is not recoverable, and its data table is given on the following notes pages.] Here's a Microsoft Excel bar chart [...]
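Added example, not from the course material: Python that makes the reasoning on slides 8, 9 and 10 mechanical. retry_sets groups the NetBIOS SYNs by source, ports and initial sequence number and checks whether the inter-arrival gaps double, which separates one retransmitted connection attempt from several distinct probes; illegal_flag_combos picks out the SYN/FIN/RESET packet from the web trace on slide 8; hop_estimate and ttl_matches_path do the TTL arithmetic from slide 10 against a traceroute hop count. The regular expression, the 25 percent backoff tolerance, the list of default initial TTLs (64, 128, 255) and the two-hop slack are assumptions; the sample lines are copied from the slides.

```python
"""What retries, window size and TTL say about the source (slides 8 to 10).

Added example, not part of the IDIC material. The tcpdump regular expression,
the backoff tolerance and the set of default initial TTLs are assumptions.
"""
import re
from collections import defaultdict

# "HH:MM:SS[.frac] src.SPORT > dst.DPORT: FLAGS SEQ:SEQ(LEN) [ack N] win W"
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+(?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\w+): (?P<flags>[SFRPU.]+) (?P<seq>\d+):\d+\(\d+\)"
    r"(?: ack \d+)? win (?P<win>\d+)")

DEFAULT_INITIAL_TTLS = (64, 128, 255)  # common OS defaults (assumption: 32 is ignored)


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(lines):
    """Parsed packets. ACK-only lines such as '. ack 1 win 16060' carry no
    SEQ:SEQ(LEN) field and are deliberately skipped."""
    return [m.groupdict() for m in map(PKT_RE.match, lines) if m]


def retry_sets(lines, tolerance=0.25):
    """Group packets by source, ports and ISN. Several packets in one group whose
    inter-arrival gaps double each time are the stack retransmitting one SYN
    (1 original + N retries), not N separate probes."""
    groups = defaultdict(list)
    for p in parse(lines):
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["seq"])
        groups[key].append((_seconds(p["ts"]), int(p["win"])))
    out = {}
    for key, pkts in groups.items():
        times = [t for t, _ in pkts]
        gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]
        doubling = len(gaps) >= 2 and all(
            abs(b - 2 * a) <= tolerance * 2 * a for a, b in zip(gaps, gaps[1:]))
        out[key] = {"attempts": len(pkts), "gaps": gaps, "backoff": doubling,
                    "windows": sorted({w for _, w in pkts})}
    return out


def illegal_flag_combos(lines):
    """SYN together with FIN or RST never occurs in a legitimate handshake."""
    return [(p["ts"], p["src"], p["sport"], p["dst"], p["dport"], p["flags"])
            for p in parse(lines)
            if "S" in p["flags"] and ({"F", "R"} & set(p["flags"]))]


def hop_estimate(observed_ttl):
    """Assume the nearest default initial TTL at or above the observed value;
    the difference is the hop count from the claimed source to the sensor."""
    initial = min(t for t in DEFAULT_INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl


def ttl_matches_path(observed_ttl, traceroute_hops, slack=2):
    """False when the hop count implied by the TTL disagrees with the measured
    path back to the claimed source, a sign the address may be spoofed."""
    _, hops = hop_estimate(observed_ttl)
    return abs(hops - traceroute_hops) <= slack


# Sample lines copied from slides 9 and 8.
NETBIOS_139 = """\
06:49:55.47 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:49:58.44 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:50:04.44 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:50:16.43 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
12:57:56.94 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:57:59.91 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:58:05.92 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:58:41.96 proberE.2039 > 172.20.216.29.139: S 294212415:294212415(0) win 8192 (DF)
""".splitlines()

WEB = """\
15:05:15 surfer.1497 > server.http: S 28396544:28396544(0) win 8192 (DF)
15:06:09 server.1348 > surfer.7777: SFR 3105729:3107161(1432) ack 688054539 win 8320 (DF)
""".splitlines()

if __name__ == "__main__":
    for key, info in retry_sets(NETBIOS_139).items():
        print(key[0], key[1], info)          # proberA: 4 attempts, gaps 3/6/12, backoff True
    print(illegal_flag_combos(WEB))          # the single SFR packet
    print(hop_estimate(118), hop_estimate(120), ttl_matches_path(118, 10))
```

A group that fails the doubling test, or whose window changes between attempts, is not a retransmission set and should be counted packet by packet.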
[Chart residue: a second Excel bar chart (Series 1 to 9, sessions A to F) of the same FTP port-pair data; the image is not recoverable. The data behind it, one session per line, as source port > destination port:]

A: 20 > 1031, 20 > 1032, 20 > 1033, 20 > 1034, 20 > 1035
B: 20 > 3062, 20 > 4466, 20 > 1363, 20 > 4814, 20 > 1183
C: 2051 > 21, 2051 > 21, 2051 > 21, 2051 > 21, 2055 > 21
D: 20 > 1121, 20 > 1122, 20 > 1123, 20 > 1124, 20 > 1125
E: 20 > 1025, 20 > 1026, 20 > 1027, 20 > 1028, 20 > 1029
F: 20 > 1124, 20 > 1124, 20 > 1124, 20 > 1124, 20 > 1124

B's port scan is still obvious. One [...]

[Chart residue: a third bar chart of the same table.] This is the general pattern of a file transfer; large http transfers are very similar.

[...]

[Trace fragment: ICMP echo requests from one source to 147.168.255.255 and 147.168.0.0, the all-ones and legacy all-zeros broadcast addresses of a /16; timestamps 01:53:44.049125, 01:53:44.649461 and 01:53:45.079945 survive, one does not:]
ATHM-209-218-xxx-2.Home > 147.168.255.255: icmp: echo request
ATHM-209-218-xxx-2.Home > 147.168.0.0: icmp: echo request
ATHM-209-218-xxx-2.Home > 147.168.255.255: icmp: echo request
ATHM-209-218-xxx-2.Home > 147.168.0.0: icmp: echo request
[Table fragment with columns "num dests" and "source ip": num dests 9, 5, 5, 46, 10, 27, 2, 30; source ip 256.172.1.43, 256.0.14.129, 256.41.0.21, 256.93.1.190, 256.115.155.132, 256.147.90.21, 256.115.125.201 ...]

[...] what is possible here

10/10-03:42:06.639261 MY.NET.220.142:3937 -> 207.172.3.46:119
TCP TTL:126 TOS:0x0 ID:42796 DF
**SFR**U Seq: 0x510 Ack: 0xBAB17F78 Win: 0x5010
20 20 20 20 20 00

10/10-03:48:55.649195 MY.NET.220.142:0 -> 207.172.3.46:3937
TCP TTL:126 TOS:0x0 ID:10535 DF
*1SF***U Seq: 0x770510 Ack: 0xD0B1884D Win: 0x5010
TCP Options => Opt 32 (32): 20 20 20 00 04 02 8496 82B0 0014 0000 0000 0000 0000 [...]

[Connection log fragment, session C of the FTP chart: four attempts from the same source port at the 3/6/12-second retry spacing, then a new source port:]
09/04/97 05:50:55 192.168.4.2 2051 -> smtp-ftp.swc.navy.mil 21
09/04/97 05:50:58 192.168.4.2 2051 -> smtp-ftp.swc.navy.mil 21
09/04/97 05:51:04 192.168.4.2 2051 -> smtp-ftp.swc.navy.mil 21
09/04/97 05:51:16 192.168.4.2 2051 -> smtp-ftp.swc.navy.mil 21
192.168.4.2 2055 -> smtp-ftp.swc.navy.mil 21 (four entries; dates and times not recoverable) [...]

10/10-04:33:20.634850 MY.NET.218.106:1226 -> 207.172.3.46:119
TCP TTL:126 TOS:0x0 ID:2470 DF
**SFR*A* Seq: 0x46000A Ack: 0x36D0DE63 Win: 0x5010
04 CA 00 77 00 46 00 0A 36 D0 DE 63 06 17 50 10  ...w.F..6..c..P.
22 02 3D A2 20 20 20 20 20 00                    ".=.

10/10-04:33:47.156693 MY.NET.218.106:1226 -> 207.172.3.46:119
TCP TTL:126 TOS:0x0 ID:11959 DF
*1SF*PAU Seq: 0xA Ack: 0x3813DEEC Win: 0x5010

10/10-04:34:33.532247 MY.NET.218.106:1226 [...]

[...] their analysis at http://www.sans.org/giactc.htm

10/10-04:35:00.981620 MY.NET.218.106:255 -> 207.172.3.46:1226
TCP TTL:126 TOS:0x0 ID:52704 DF
**SF*P** Seq: 0x77000A Ack: 0x3B10E031 Win: 0x5010
TCP Options => Opt 32 (32): 20 20 20 00 080A 0005 F052 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 EOL EOL EOL EOL EOL EOL EOL EOL

10/10-04:42:19.551530 MY.NET.218.106:70 -> 207.172.3.46:1226
TCP TTL:126 [...]

FTP Cases

[Chart residue: bar chart (Series 1 to 9) of the port pairs for sessions A, B and C from the table above; image not recoverable.]

This graph contains the data from the chart on the slide, which lists the source and destination port pairs from session A (successful [...]

[...] MY.NET.218.106:1226 -> 207.172.3.46:119
TCP TTL:126 TOS:0x0 ID:48081 DF
21SFRPAU Seq: 0xA39EF Ack: 0xDFBA8D48 Win: 0x5010
04 CA 00 77 00 0A 39 EF DF BA 8D 48 00 FF 50 10  ..w...9.....H..P.
22 38 B1 C4 20 20 20 20 20 00                    "8

Slide 25: Link Analysis

• One way data flow
• No ephemeral ports in use
• 1226, 119 are dominant

[Link diagram residue: nodes labelled 1226, 70, 119, 85, 255, 166.]

As we look at a second snippet of the traffic [...]