Zombie Scan
Judy Novak, Vern Stark, David Heinbuch
June 12, 2002

SubSeven Incident
• June 29, 2001 ~ 12:00: Shadow reveals massive scan
• Hundreds of hosts concurrently scan the SubSeven port of a Class B network
• Flood, DDoS, scan?
• Similar scan on July 2, 2001 ~ 16:00
• June 26, 2001: SANS reports of W32.leave.worm
• Windows hosts
• Spread via hosts listening on port 27374
• Zombies used in DDoS attacks
• Scans @Home and Earthlink for port 27374
Sample tcpdump Output
12:16:31.150575 ool-18bd69bb.dyn.optonline.net.4333 > 192.168.112.44.27374: S 542724472:542724472(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13444)
12:16:31.160575 ool-18bd69bb.dyn.optonline.net.4334 > 192.168.112.45.27374: S 542768141:542768141(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13445)
12:16:31.170575 24.3.50.252.1757 > 192.168.19.178.27374: S 681372183:681372183(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54912)
12:16:31.170575 24-240-136-48.hsacorp.net.4939 > 192.168.11.19.27374: S 3019773591:3019773591(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 39621)
12:16:31.170575 ool-18bd69bb.dyn.optonline.net.4335 > 192.168.112.46.27374: S 542804226:542804226(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13446)
12:16:31.170575 cc18270-a.essx1.md.home.com.4658 > 192.168.5.88.27374: S 55455482:55455482(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 8953)
12:16:31.170575 24.3.50.252.1759 > 192.168.19.180.27374: S 681485650:681485650(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54914)
12:16:31.170575 cc18270-a.essx1.md.home.com.4659 > 192.168.5.89.27374: S 55455483:55455483(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 9209)
12:16:31.170575 24.3.50.252.1760 > 192.168.19.181.27374: S 681550782:681550782(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54915)
12:16:31.170575 cc18270-a.essx1.md.home.com.4660 > 192.168.5.90.27374: S 55455484:55455484(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 9465)
Source Hosts
[chart: distribution of scanning source hosts] Note: not spoofed source IPs

Scanning Host Networks
[chart: scanning hosts by network; cable/dial-in modem providers]
Destination Hosts
• Target network Class B: 65,535 possible IP addresses
• June 29: 32,367 unique destination IPs scanned
• July 2: 36,638 unique destination IPs scanned
• Prior reconnaissance of live destination hosts?
• Missing Class C subnets
• Different for both scans
• Many IP numbers not live hosts
• Zombies not active or responsive during scan

Scanning Rates
• Sustained activity for 5 or 6 minutes
• Peak activity for 2 minutes
• June 29 scan: 7.2 Mbps maximum
• July 02 scan: 8.6 Mbps maximum
• Maximum volume not enough for DoS on our network

Packets Per Minute
[chart: packets per minute vs. time (hh:mm) for both scans]

Scanning Conclusions
• Scanning hosts carefully synchronized
• Waves of initial SYNs and TCP retries result in highly variable bandwidth consumption
• SYNs sent in waves 11.5 seconds apart
• "Thoughtful" scan
• Each source host assigned a range of destination hosts
• Assigned time frame and frequency to scan

Scanning Hosts Operating Systems
• Examine "passive" fingerprints
• Arriving Time to Live (TTL) values
• Scanning host TCP window size
• Scanning host TCP options
Fingerprint Values by OS (courtesy Honeynet Project)
OS        Version   Platform      TTL   Window
Windows   9x/NT     Intel          32   5000-9000
AIX       4.3.x     IBM/RS6000     60   16000-16100
AIX       4.2.x     IBM/RS6000     60   16000-16100
Cisco     11.2      7507           60   65535
IRIX      6.x       SGI            60   61320
Linux     2.2.x     Intel          64   32120
OpenBSD   2.x       Intel          64   17520
Solaris   8         Intel/Sparc    64   24820
Windows   9x/NT     Intel         128   5000-9000
Windows   2000      Intel         128   17000-18000
Cisco     12.0      2514          255   3800-5000
Solaris   2.x       Intel/Sparc   255   8760
June 29 Arriving TTL Values
[chart: hop counts inferred from arriving TTLs; ranges 10 – 22 hops, 8 – 22 hops, 8 – 25 hops]

July 2 Arriving TTL Values
[chart: hop counts inferred from arriving TTLs; ranges 12 – 22 hops, 12 – 21 hops, 8 – 27 hops]

Scanning Host TCP Window Size
[chart: scanning hosts by window-size class: Windows 9X/NT, Windows 2K, Unknown, Solaris]

Scanning Host Maximum Segment Size
[chart: scanning hosts by MSS-inferred link type: Ethernet, PPP/ISDN, PPPoE (DSL)]
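The passive fingerprinting the deck applies (arriving TTL, TCP window size, MSS from the TCP options) can be reproduced over the tcpdump format shown earlier; the following is an added example, not the authors' analysis code. It encodes the Honeynet table from the slide, assumes standard initial TTLs of 32/64/128/255 for the hop estimate, assumes typical MSS values (1460 Ethernet, 1452 PPPoE, 536 PPP/ISDN) for the link-type guess, and runs on constructed sample lines in the same format as the capture.

```python
import re

# Constructed sample lines in the tcpdump format the slides show (not the original capture)
SAMPLE = """\
12:16:31.150575 ool-18bd69bb.dyn.optonline.net.4333 > 192.168.112.44.27374: S 542724472:542724472(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13444)
12:16:31.170575 cc18270-a.essx1.md.home.com.4658 > 192.168.5.88.27374: S 55455482:55455482(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 8953)
12:16:31.180575 24.3.50.252.1757 > 192.168.19.178.27374: S 681372183:681372183(0) win 8760 <mss 1460> (DF) (ttl 245, id 54912)
12:16:31.190575 203.0.113.9.2048 > 192.168.19.179.27374: S 1:1(0) win 17520 <mss 1452,nop,nop,sackOK> (DF) (ttl 50, id 7)
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): S "
    r".*?win (?P<win>\d+) <(?P<opts>[^>]*)>.*\(ttl (?P<ttl>\d+),")
# (initial TTL, window low, window high, OS) taken from the slide's fingerprint table
OS_TABLE = [
    (32, 5000, 9000, "Windows 9x/NT"), (60, 16000, 16100, "AIX 4.x"),
    (60, 65535, 65535, "Cisco 11.2"), (60, 61320, 61320, "IRIX 6.x"),
    (64, 32120, 32120, "Linux 2.2.x"), (64, 17520, 17520, "OpenBSD 2.x"),
    (64, 24820, 24820, "Solaris 8"), (128, 5000, 9000, "Windows 9x/NT"),
    (128, 17000, 18000, "Windows 2000"), (255, 3800, 5000, "Cisco 12.0"),
    (255, 8760, 8760, "Solaris 2.x"),
]
# Typical MSS per link type on the slide (assumed values: MTU minus 40 bytes of headers)
MSS_LINKS = {1460: "Ethernet", 1452: "PPPoE (DSL)", 536: "PPP/ISDN"}

def guess_os(ttl, win):
    """Return (os_name, hops). Pick the nearest initial TTL at or above the arriving
    value whose window range contains win; otherwise Unknown with a standard initial TTL."""
    rows = [r for r in OS_TABLE if r[0] >= ttl and r[1] <= win <= r[2]]
    if rows:
        init, _, _, name = min(rows)
        return name, init - ttl
    init = min(t for t in (32, 64, 128, 255) if t >= ttl)
    return "Unknown", init - ttl

def parse_line(line):
    """Parse one SYN line into source, destination, OS guess, hop count and link type."""
    m = LINE_RE.match(line)
    if not m:
        return None
    opts = dict(o.split(" ") for o in m["opts"].split(",") if " " in o)
    mss = int(opts.get("mss", 0))
    os_name, hops = guess_os(int(m["ttl"]), int(m["win"]))
    return {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "os": os_name, "hops": hops, "link": MSS_LINKS.get(mss, "Unknown")}

def fingerprint(text):
    # One record per parseable SYN; unparseable lines are skipped
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]
```

A window of 16384 with TTL 117 lands in the deck's "Unknown" class because the slide table has no Windows entry for that window size.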
SubSeven Scan Conclusions
• Very efficient scan
• Conducted by zombie hosts
• Most are Windows
• Other operating systems involved
• Representative of normal distribution on Internet?
• Thoughtful scan
• Redundant scanners
• Timing parameters
• Ranges of destination hosts