MYSTERY TRAFFIC
Objective • To analyze strange traffic that is directed to a certain part of a network
What is mystery traffic? • Unexplained, odd-looking traffic that catches the attention of a security analyst • The author's example comes from a site where unexplained activity was directed at TCP destination port 27374.
• The sheer volume of the traffic was interesting enough to warrant a closer look • Shadow (a network intrusion detection system) was used to analyze the individual header fields • The question was whether the traffic was harmful or not
More on the event: • The Shadow sensor detected a large number of source hosts scanning the site's class B address space for TCP destination port 27374. • TCP destination port 27374 is normally associated with the SubSeven Trojan, which gives an attacker full remote access to an infected system; a scan for that port is, in effect, a search for hosts on which SubSeven is already listening.
• The author describes the activity and traffic in the next slide. • The graphic (not reproduced here) showed the source and destination hosts. Oddly, the timestamps advanced in 10 ms steps rather than with microsecond resolution.
DDoS? Scan? • At first glance it was unclear whether this was a DDoS flood or a scan. • The individual header fields were studied after a second scan occurred. • Additional information (source hosts, destination hosts, scanning rates) was used to determine the nature of the activity.
Source hosts • Examine the source hosts to characterize the activity • In the author's case: 1st scan: 132,706 packets from 314 unique source hosts; 17 of the 314 had no DNS-registered host name
2nd scan: 157,842 packets from 295 unique source hosts; 24 had no DNS-registered host name What does this mean? • The source addresses either reflect the real sender or they do not • If they are real, no subterfuge (spoofing) was used in sending the packets • Otherwise, a spoofed IP address was placed in each packet • For this case the sources appear to be REAL: randomly generated IP addresses are unlikely to resolve to host names 91.9% to 94.6% of the time, as these did ((314 - 17) / 314 = 94.6% and (295 - 24) / 295 = 91.9%).
Destination Hosts • The destination hosts provide more evidence of a scan • The scanned network is a class B with 65,536 addresses to cover; first scan: 32,367 unique destination hosts; second scan: 36,638 unique destination hosts. • The more plausible explanation for the missing destination subnets and hosts is that the zombies assigned to scan those subnets were not active or responsive during the scan. • Most destination hosts were scanned by exactly one source host; the work was divided among the sources rather than repeated by each. • The scanner appears to have built in some redundancy, with some destination hosts scanned by more than one source, to ensure a response.
Scanning Rates • The scanning rate of the source hosts is an indication of a scan rather than a flood. • The scans sustained activity for 5-6 minutes; ramp-up was fast and there was a burst of activity for the first two minutes. • Bandwidth consumption was estimated from the packets themselves: each was a SYN packet with TCP options and no payload.
continued • Most packets were 48 bytes long; a few were longer and a few 4 bytes shorter, depending on the number and type of TCP options used. • Each packet carried a standard 20-byte IP header with no IP options, so a 48-byte packet is 20 bytes of IP header plus 28 bytes of TCP header (20 bytes fixed plus 8 bytes of options). • Because the majority were 48 bytes, 48 bytes was used as the packet length for computing bandwidth consumption. • Bandwidth is measured in bits per second, so the packet length was taken as 48 × 8 = 384 bits.
• The peak activity indicated some kind of coordination by the "commander" who allocated scanning assignments and rates to the zombies. • A peak could be due either to more scanning hosts being active during that second or to each host sending more packets. • Further scrutiny of the data revealed that the peaks and valleys correlated with the number of scanning hosts active at the time.
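The scan-versus-flood triage that the source-host, destination-host and scanning-rate slides describe, as an added example (not the slides' or Shadow's own code). It builds a constructed SYN trace with the properties the slides mention (many sources, one destination port, a class B target, a ramp-up, some redundant coverage, a few subnets never scanned) and computes the same fields: unique sources and destinations, class B coverage, redundantly scanned hosts, peak packets per second and bits per second at 384 bits per SYN, and how well the per-second rate tracks the number of distinct sources active in that second. Every address, zombie count and per-host rate in it is an assumption.

```python
"""Scan-vs-flood triage over a constructed SYN trace (added example).

Records are (t_seconds, src_ip, dst_ip, dst_port). The trace is synthetic:
300 zombies, each assigned one /24 of a constructed 172.16.0.0/16 target,
with a ramp-up, some redundant coverage and a few /24s never scanned.
"""
from collections import defaultdict

TARGET_PORT = 27374           # SubSeven's default port (from the slides)
TARGET_NET = "172.16"         # constructed class B target, not the book's site
CLASS_B_SIZE = 65536
SYN_BYTES = 48                # 20-byte IP + 28-byte TCP (20 fixed + 8 bytes of options)
SYN_BITS = SYN_BYTES * 8      # 384 bits, as on the bandwidth slide
SUBNETS_COVERED = 240         # zombies for 16 of the 256 /24s are offline (assumed)


def build_trace(zombies=300):
    """Construct the sample: zombie i scans hosts .1-.254 of one /24."""
    trace = []
    for i in range(zombies):
        src = f"10.{i // 256}.{i % 256}.7"    # constructed zombie address
        subnet = i % SUBNETS_COVERED          # 60 /24s get a second, redundant scanner
        start = i // 3                        # ramp-up: three new zombies per second
        rate = 1 + i % 3                      # 1-3 SYNs per second, varies by host
        for k in range(254):
            trace.append((start + k / rate, src, f"{TARGET_NET}.{subnet}.{k + 1}", TARGET_PORT))
    return trace


def pearson(xs, ys):
    """Correlation coefficient, written out to avoid a numpy dependency."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def summarize(trace, port=TARGET_PORT):
    """The fields the slides use to decide scan vs. flood."""
    pps = defaultdict(int)             # packets per second
    active = defaultdict(set)          # distinct sources seen in each second
    sources, dst_sources = set(), defaultdict(set)
    for t, src, dst, dport in trace:
        if dport != port:              # a real sensor trace holds other traffic too
            continue
        sec = int(t)
        pps[sec] += 1
        active[sec].add(src)
        sources.add(src)
        dst_sources[dst].add(src)
    secs = sorted(pps)
    peak = max(secs, key=pps.get)
    return {
        "packets": sum(pps.values()),
        "unique_sources": len(sources),
        "unique_destinations": len(dst_sources),
        "class_b_coverage": len(dst_sources) / CLASS_B_SIZE,
        # hosts hit by more than one source: the scanner's built-in redundancy
        "redundantly_scanned": sum(1 for s in dst_sources.values() if len(s) > 1),
        "duration_s": secs[-1] - secs[0] + 1,
        "peak_second": peak,
        "peak_pps": pps[peak],
        "peak_bps": pps[peak] * SYN_BITS,
        "peak_active_sources": len(active[peak]),
        # do the peaks and valleys track how many hosts are scanning?
        "rate_vs_sources_corr": pearson([pps[s] for s in secs],
                                        [len(active[s]) for s in secs]),
    }


if __name__ == "__main__":
    for name, value in summarize(build_trace()).items():
        print(f"{name:>22}: {value}")
```

A high correlation between packets per second and active sources per second is the signature the slides describe: the rate rises and falls with the number of zombies participating, not with individual hosts speeding up. A flood aimed at a few hosts would instead show a small destination set, little coverage of the class B, and a rate that is independent of the source count.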
21-Second Mystery • A 21-second peak rate was observed while examining the SubSeven traffic. • It preceded the peak activity in both scans, and later in a third; because it occurred three times it was not a mere coincidence. • The way to resolve the mystery was to account for the combined backoff times of TCP retries, plotting the traffic separately for initial SYNs and for retries. • This showed that the 21-second peak rate was an overlap of retries from different initial waves of SYN activity.
Fingerprinting Participant Hosts • Assuming the zombie hosts were infected with some malware, is there a specific OS that it exploits to turn a host into a zombie? • Passive fingerprinting categorizes the operating system by looking at header field values that differ between TCP/IP stacks (TTL, TCP window size, TCP options). • Other fields such as Type of Service and the Don't Fragment bit can also be examined.
TTL Values • Used to identify the scanning host's operating system. • Arriving TTL values are used to estimate the initial TTL set by the sender, since different stacks use different defaults (commonly 32, 64, 128 or 255). • For instance, an arriving TTL of 50 is assumed to have started at 64 (14 hops away) rather than 128 (78 hops away); either initial value is possible in principle, but 78 hops is implausible.
TCP Window size • A given operating system has a default value for the initial TCP window size; the window changes dynamically as data is received and processed, so only the value in the SYN is useful here. • The initial window size can be used to fingerprint the operating system. • A user or administrator can customize it, but the default is commonly used.
TCP Options • Maximum Segment Size (MSS) is the maximum amount of payload a TCP segment can carry. • The Maximum Transmission Unit (MTU) of the sender's link can be inferred from the MSS (for IPv4 with no options, MSS = MTU - 40) and suggests the media on which the sending host resides. • However, the MSS might reflect the path MTU rather than the local MTU.
Path MTU discovery (diagram flattened to steps) • The sender may send a "discovery" packet with the DF (Don't Fragment) flag set to find the smallest MTU on the path from source to destination. • If a link on the path has a smaller MTU than the packet, a router returns an ICMP "destination unreachable, fragmentation needed" error (type 3, code 4) containing the MTU of that smaller link; the sender then decreases its packet size to avoid fragmentation. • If no ICMP error is returned, the local MTU can be used for packaging packets without causing fragmentation. • The point is that the MSS a host advertises might therefore reflect the path MTU rather than the local MTU.
• The figure (not reproduced here) showed that the greatest percentage of scanning hosts resided on a link with an MTU of 1500 (MSS 1460). • An MSS of 536 (MTU 576) is usually associated with PPP dial-up modem links, but it is supposed that most of these hosts instead reside on ISDN, which uses the same MSS. • The scenario is that these are all zombie hosts directed to perform some type of activity at a given time. • A zombie on a dial-up connection might not have a sustained connection unless it is on some kind of dedicated phone line.
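The passive fingerprinting procedure of the TTL, window-size and TCP-options slides, as an added example (not the slides' own code). It estimates the initial TTL and hop count from an observed TTL, infers the MTU from the MSS, computes the SYN length implied by the option layout (so 48-byte versus 44-byte SYNs can be explained), and tallies guesses across a set of constructed SYNs. The signature table and the sample packets are assumptions for illustration, not a vetted fingerprint database; real work would use p0f-style signatures.

```python
"""Passive fingerprinting of SYN packets from scanning hosts (added example).

Not code from the slides. The signature table is illustrative and assumed.
Only fields visible in a payload-less SYN are used: TTL, window, DF and the
TCP options in wire order.
"""
from collections import Counter

INITIAL_TTLS = (32, 64, 128, 255)               # common stack defaults
OPTION_LEN = {"mss": 4, "nop": 1, "sackok": 2, "timestamp": 10, "wscale": 3}

# Illustrative signatures keyed on initial TTL and option layout (assumed values).
SIGNATURES = (
    {"os": "Windows 98/2000-style", "initial_ttl": 128, "options": ("mss", "nop", "nop", "sackok")},
    {"os": "Windows NT4/95-style",  "initial_ttl": 128, "options": ("mss",)},
    {"os": "Linux 2.4-style",       "initial_ttl": 64,  "options": ("mss", "sackok", "timestamp", "nop", "wscale")},
)


def estimate_initial_ttl(observed_ttl):
    """Nearest common default at or above the observed TTL, plus hop count.
    A TTL of 50 is read as 64 minus 14 hops rather than 128 minus 78 hops."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError(f"impossible TTL {observed_ttl}")


def mtu_from_mss(mss):
    """IPv4 MSS = MTU - 40 (20-byte IP + 20-byte TCP header, no options).
    Caveat from the slides: a host that has done path MTU discovery may
    advertise a path MTU here rather than its local link MTU."""
    return mss + 40


def syn_length(options):
    """Total IP packet length of a payload-less SYN carrying these options."""
    opt_bytes = sum(OPTION_LEN[o] for o in options)
    opt_bytes += (-opt_bytes) % 4            # options are padded to 4-byte words
    return 20 + 20 + opt_bytes


def fingerprint(pkt):
    """pkt: dict with ttl, window, df, options (tuple in wire order), mss (or None)."""
    initial, hops = estimate_initial_ttl(pkt["ttl"])
    os_guess = next((s["os"] for s in SIGNATURES
                     if s["initial_ttl"] == initial and s["options"] == pkt["options"]),
                    "unknown")
    return {
        "initial_ttl": initial,
        "hops": hops,
        "window": pkt["window"],
        "df": pkt["df"],
        "syn_len": syn_length(pkt["options"]),
        "mtu_guess": mtu_from_mss(pkt["mss"]) if pkt.get("mss") else None,
        "os_guess": os_guess,
    }


def tally(pkts):
    """Distribution of OS and MTU guesses over many scanning hosts' SYNs."""
    fps = [fingerprint(p) for p in pkts]
    return Counter(f["os_guess"] for f in fps), Counter(f["mtu_guess"] for f in fps)


# Constructed SYNs, one per scanning host (not captured data).
SAMPLE = [
    {"ttl": 115, "window": 8192, "df": True,  "options": ("mss", "nop", "nop", "sackok"), "mss": 1460},
    {"ttl": 120, "window": 8192, "df": True,  "options": ("mss", "nop", "nop", "sackok"), "mss": 536},
    {"ttl": 113, "window": 8760, "df": False, "options": ("mss",), "mss": 1460},
    {"ttl": 50,  "window": 5840, "df": True,
     "options": ("mss", "sackok", "timestamp", "nop", "wscale"), "mss": 1460},
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(fingerprint(p))
    print(tally(SAMPLE))
```

The tally is what the slides' MSS figure summarizes: count how many hosts advertise MSS 1460 (MTU 1500) versus 536 (MTU 576), keeping in mind that the 576 group may be ISDN rather than modem users, and that a path MTU learned earlier can make a host look as if it sits on a smaller link than it does.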
• Many dial-up connections are at the mercy of DHCP (or the ISP's address pool), with an IP address leased only for a certain period of time. • How would the "commander" direct a zombie with a changing IP address to launch activity? • Zombies report home to the commander periodically, so only the ones that are active and online just before the attack are directed to participate.
TCP Retries • When a source host attempts a TCP connection to a destination host, is unsuccessful, and gets no indication of the failure, it attempts one or more retries. • A source host is not notified of a failure if the connection packet never reaches the destination or the destination host's response never gets back to the source. • (Diagram) The source host attempts a TCP connection to the destination; each retry carries the same source and destination hosts, ports, and TCP sequence number as the initial attempt.
• The number of successive retries and the backoff time between retries depend on the TCP/IP stack. • Retries are generated by the stack, not by the application: code that uses socket connections hands the connection attempt to the socket layer, which uses the TCP and IP layers to form the headers, fill in their field values, and schedule the retries.
Summary • A very efficient scan • Conducted by zombie hosts, mostly Windows hosts • Perhaps the scan was meant to find other zombie (SubSeven-infected) hosts • An efficient way to maximize a scan's coverage • Shows the number of vulnerable hosts that can be taken over for malicious purposes
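The retry analysis behind the 21-second mystery slide and the TCP retries slides, as one added example (not the slides' own code). It separates initial SYNs from retries using the rule the slides give (a retry repeats the source and destination hosts, ports and sequence number of an earlier SYN), recovers each connection's retry offsets and inter-attempt gaps, and then shows how the busiest second of the combined trace can consist entirely of retries from two different initial waves. The retry schedule used to build the sample (3 s, then 6 s, then 12 s between attempts, which sums to 21 s) is an assumption chosen to reproduce the effect; the addresses, ports and wave timings are likewise constructed.

```python
"""Separating initial SYNs from retries, and the 21-second peak (added example).

Not code from the slides. The retry schedule is an assumption used to build
the sample: a second attempt 3 s after the first, then 6 s later, then 12 s
later (other stacks differ). Records are (t_seconds, src, sport, dst, dport, seq).
"""
from collections import Counter, defaultdict

BACKOFF = (3, 6, 12)              # assumed seconds between successive attempts
TARGET = ("172.16.0.9", 27374)    # constructed victim and the SubSeven port


def build_sample(wave_starts=(0, 5, 12), hosts_per_wave=50):
    """Three waves of zombies; every SYN goes unanswered, so each host retries."""
    pkts = []
    for w, start in enumerate(wave_starts):
        for h in range(hosts_per_wave):
            src, sport, seq = f"10.{w}.{h}.1", 1025 + h, 1000 * (w + 1) + h   # constructed
            t = start
            pkts.append((t, src, sport, *TARGET, seq))
            for gap in BACKOFF:
                t += gap
                pkts.append((t, src, sport, *TARGET, seq))   # identical header fields
    return sorted(pkts)


def split_retries(pkts):
    """A retry repeats the src, sport, dst, dport and seq of an earlier SYN
    (a fresh attempt from the same host would carry a new sequence number).
    Returns initial SYNs, retries, per-connection offsets from the first SYN,
    and the time of each connection's first SYN."""
    first_seen = {}
    initial, retries = [], []
    offsets = defaultdict(list)
    for p in sorted(pkts):
        t, key = p[0], p[1:]
        if key not in first_seen:
            first_seen[key] = t
            initial.append(p)
        else:
            retries.append(p)
            offsets[key].append(t - first_seen[key])
    return initial, retries, offsets, first_seen


def retry_gaps(offsets):
    """Distinct inter-attempt schedules seen; count and spacing are stack dependent."""
    schedules = set()
    for offs in offsets.values():
        prev, gaps = 0, []
        for o in offs:
            gaps.append(o - prev)
            prev = o
        schedules.add(tuple(gaps))
    return sorted(schedules)


def per_second(pkts):
    return Counter(int(p[0]) for p in pkts)


def explain_peak(pkts):
    """Plot-free version of the slides' method: find the busiest second of the
    combined trace, then see how much of it is initial SYNs versus retries
    and which initial waves those retries came from."""
    initial, retries, offsets, first_seen = split_retries(pkts)
    combined = per_second(pkts)
    peak = max(sorted(combined), key=combined.get)
    init_ps, retry_ps = per_second(initial), per_second(retries)
    waves = sorted({first_seen[p[1:]] for p in retries if int(p[0]) == peak})
    return {
        "peak_second": peak,
        "peak_total": combined[peak],
        "initial_at_peak": init_ps.get(peak, 0),
        "retries_at_peak": retry_ps.get(peak, 0),
        "waves_overlapping_at_peak": waves,
        "observed_retry_offsets": sorted({tuple(v) for v in offsets.values()}),
        "observed_retry_gaps": retry_gaps(offsets),
    }


if __name__ == "__main__":
    for name, value in explain_peak(build_sample()).items():
        print(f"{name:>26}: {value}")
```

With waves starting at 0, 5 and 12 seconds, the third retry of the first wave (at 3 + 6 + 12 = 21 s) lands in the same second as the second retry of the third wave (12 + 3 + 6 = 21 s), so the combined trace peaks at 21 seconds even though no initial SYNs are sent then. Plotting initial SYNs and retries separately, as the slides describe, makes that overlap visible; the recovered gap schedule is also a fingerprinting clue, since stacks differ in how many times they retry and how long they wait.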