Hacking from a network: SYN flood and TCP Sequence number prediction attacks



1 IDIC – SANS GIAC LevelTwo ©2000, 2001

Slide 1: Hacking from a network. SYN flood and TCP Sequence number prediction attacks

Greetings. This is the oldie-but-goody section of the course. It is important for a number of reasons. If you think about it, attacks occur in stages. In general the attacker has to perform reconnaissance to home in on the target and find the weaknesses. Then there is an initial attack, often minimal; in the book Network Intrusion Detection we referred to this as the "grappling hook". Finally, the attacker completes the kill. The attack described here shows each of these stages. It took 16 seconds to complete. When we discussed automated response, we used 16 seconds as a measuring rod. How fast can you run? How fast can you type? Finally, you really can't run around in intrusion detection circles if you are not familiar with the so-called Mitnick attack.

Slide 2: What we will cover
• TCP SYN
  – Review of TCP
  – Theory of attack
  – Implementation
• IP SPOOF
  – Theory of attack
  – Implementation details
  – Tsutomu Shimomura example

The information on the Mitnick attack is drawn primarily from Shimomura's post on the subject. The initial header of the news posting is shown below.

Source: tsutomu@ariel.sdsc.edu (Tsutomu Shimomura), comp.security.misc
Date: 25 Jan 1995
**************************************************************************
There seems to be a lot of confusion about the IP address spoofing and connection hijacking attacks described by John Markoff's 1/23/95 NYT article, and CERT advisory CA-95:01. Here are some technical details from my presentation on 1/11/95 at CMAD 3 in Sonoma, California.

Slide 3: It's a SYN! SYN attacks, theory and implementation

We want to introduce the notion of an "elegant" SYN flood.
The basic approach is to take advantage of an engineering decision to allocate a fixed amount of a resource, to use more of that resource than the designers expected, and/or to take advantage of what happens when the resource runs out.

During this section of the course we make several references to layering. Please consider this refresher from your TCP section, in the trace shown below, starting with the IP header:

    4500 0030 dddf 0000 3406 b94c a63e 5cd7 C0A8 0101
    12e8 0438 0387 1f33 0000 0000 7002 2000 3d45 0000
    0204 0218 0101 0402

As you know the IP header is 20 bytes. The second nibble of the first byte, the 5 in 0x45, is the header length in 32-bit words, so 5 × 4 = 20 bytes and no IP options are set. The IP header:

    4500 0030 dddf 0000 3406 b94c a63e 5cd7 C0A8 0101

has no idea how to interpret the higher layer, the TCP header. It doesn't know that the destination port is 1080 (SOCKS or WinGate), as shown by 0x0438. If something goes wrong at this layer, at most the IP layer will encapsulate part of the message in an ICMP packet and return it.

Slide 4: TCP Header - SYN Flag

[Slide diagram: frame header, IP datagram header, TCP header, data. The 20-byte TCP header carries Source Port, Destination Port, Sequence No., ACK No., HDR Length, the flags URG, ACK, PSH, RST, SYN and FIN, Window Size, Checksum, Urgent Offset and Options.]

We may also refer to a SYN packet as an active open. As you know the SYN flag is in byte 13 of the TCP header (counting from byte 0); the pattern we see for byte 13 in our sample trace is the 0x02 in the block 0x7002. The 7 in that same block is the TCP header length in 32-bit words, 28 bytes, because this SYN carries options (an MSS of 536, two NOPs and SACK-permitted in the last eight bytes).

    4500 0030 dddf 0000 3406 b94c a63e 5cd7 C0A8 0101
    12e8 0438 0387 1f33 0000 0000 7002 2000 3d45 0000
    0204 0218 0101 0402

Again, as we move forward in this section, it is important to establish that the IP header will never care that a higher-level protocol is sending a SYN. TCP cares in a big way and, as you know, responds with a SYN/ACK if the port is open and it is willing to talk on that port.
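The layer-by-layer decode described above, written out as an added example (this is not course code): the script parses the slide's own hex dump, first the 20-byte IP header, then only if the protocol field says TCP the TCP header it carries, and applies the same SYN test a tcpdump filter on byte 13 would. The only input is the byte string from the slide.

```python
import struct
from typing import Any, Dict

# The 48-byte SYN from the slide (20-byte IP header + 28-byte TCP header), copied as printed.
TRACE_HEX = (
    "4500 0030 dddf 0000 3406 b94c a63e 5cd7 C0A8 0101 "
    "12e8 0438 0387 1f33 0000 0000 7002 2000 3d45 0000 "
    "0204 0218 0101 0402"
)

# Bits 0..5 of TCP byte 13 (bits 6 and 7 are ECE/CWR, which the slide does not show).
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def parse_ip(pkt: bytes) -> Dict[str, Any]:
    """Everything IP knows. The payload is opaque bytes: IP does not look for a SYN."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4           # the '5' in 0x45, times 4 bytes
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "payload": pkt[ihl:total_len],
    }


def parse_tcp_options(opts: bytes) -> Dict[str, Any]:
    out: Dict[str, Any] = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # end of option list
            break
        if kind == 1:                    # NOP padding: one byte, no length field
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2:
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == 4:
            out["sack_permitted"] = True
        else:
            out["kind%d" % kind] = body.hex()
        i += length
    return out


def parse_tcp(seg: bytes) -> Dict[str, Any]:
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    doff = (off_res >> 4) * 4            # the '7' in 0x7002: 28 bytes, so options follow the fixed header
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "doff": doff, "window": window,
        "flags": {name: bool(flags & (1 << bit)) for bit, name in enumerate(TCP_FLAGS)},
        "options": parse_tcp_options(seg[20:doff]),
    }


def decode_trace(hex_dump: str = TRACE_HEX) -> Dict[str, Any]:
    """Decode strictly by layer: IP first, then hand the payload to TCP only if proto says so."""
    pkt = bytes.fromhex(hex_dump.replace(" ", ""))
    ip = parse_ip(pkt)
    if ip["proto"] != 6:
        raise ValueError("payload is not TCP; nothing above IP to decode here")
    return {"ip": ip, "tcp": parse_tcp(ip["payload"])}


def is_syn_only(hex_dump: str = TRACE_HEX) -> bool:
    """Same test as the tcpdump filter 'tcp[13] & 0x3f == 0x02': byte 13 of TCP, SYN and nothing else."""
    pkt = bytes.fromhex(hex_dump.replace(" ", ""))
    ihl = (pkt[0] & 0x0F) * 4
    return (pkt[ihl + 13] & 0x3F) == 0x02


if __name__ == "__main__":
    decoded = decode_trace()
    print(decoded["ip"]["src"], "->", decoded["ip"]["dst"], "port", decoded["tcp"]["dport"],
          "SYN only:", is_syn_only())
```

Running it on the slide's bytes reports 166.62.92.215 talking to 192.168.1.1 on port 1080 with SYN set and nothing else, a TTL of 52 and a 28-byte TCP header whose options decode to MSS 536 plus SACK-permitted.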
Once the server sends the SYN/ACK it has committed memory to the connection: the connection is now half open (SYN_RECEIVED in the state diagram), and it is only considered established when the client's final ACK arrives.

Slide 5: Server Memory
• TCP is stateful, so the server must keep track of all these various condition states and sequence numbers, in BSD:
  – Socket stuff (program interface to networking)
  – IP stuff
  – TCP stuff

For the server to commit to the connection it has to allocate memory, since this is a stateful connection. When was TCP invented? How much memory could you buy on a system in 1982? The protocol designers felt they had to set limits.

/* Optional Sidebar, http://www.ie.cuhk.edu.hk/~shlam/cstdi/history.html

"The Internet is an outgrowth of a project from the 1970's by the US Department of Defense Advanced Research Projects Agency (ARPA). The ARPANET, as it was then called, was designed to be a non-reliable network service for computer communications on over wide area. In 1973 and 1974, a standard networking protocol, a communications protocol for exchanging data between computers on a network, emerged from the various research and educational efforts involved in this project. This became known as TCP/IP or the IP suite of protocols. The TCP/IP protocols enabled ARPANET computers to communicate irrespective of their computer operating system or their computer hardware."
*/

Slide 6: Structure

```c
/* struct ip as declared in <netinet/ip.h>; the order of the two 4-bit
 * fields depends on the machine's byte order, not on the vendor. */
struct ip {
#if BYTE_ORDER == LITTLE_ENDIAN
    u_char  ip_hl:4,                /* header length */
            ip_v:4;                 /* version */
#endif
#if BYTE_ORDER == BIG_ENDIAN
    u_char  ip_v:4,                 /* version */
            ip_hl:4;                /* header length */
#endif
    u_char  ip_tos;                 /* type of service */
    u_short ip_len;                 /* total length */
    u_short ip_id;                  /* identification */
    u_short ip_off;                 /* fragment offset field */
#define IP_RF      0x8000           /* reserved fragment flag */
#define IP_DF      0x4000           /* dont fragment flag */
#define IP_MF      0x2000           /* more fragments flag */
#define IP_OFFMASK 0x1fff           /* mask for fragmenting bits */
    u_char  ip_ttl;                 /* time to live */
    u_char  ip_p;                   /* protocol */
    u_short ip_sum;                 /* checksum */
    struct in_addr ip_src, ip_dst;  /* source and dest address */
};
```

All it takes is memory (and plenty of it). If you aren't a C programmer, don't worry. A struct, in this case struct ip, can be thought of as a database record and the items inside as fields of that record. The flag values are the ones in netinet/ip.h: IP_DF is 0x4000 and IP_MF is 0x2000, and the low 13 bits of ip_off are the fragment offset. Every time a new connection is processed, structs like this have to be created for the socket, for IP and for the other protocol information. That takes memory. Since memory is finite, and was particularly limited in the early days of IP network implementation, limits had to be set. The SYN flood attack exploits the limit on the number of connections that are waiting to be established.

Slide 7: Resources are finite
• Either the system continues to allocate memory each time a TCP connection is started (a SYN packet is received), OR
• it supports a finite number of concurrent connections, with a waiting queue for the ones still in the three-way handshake (not yet established). This queue is fairly small (5 - 10).

The designers of TCP protocol stacks had a decision to make, and they chose to allow only a small number of connections waiting to happen. I wanted to remind you of the three-way handshake in hopes of getting you to think about all the things that have to happen. If you consider the struct on the previous slide and think about the resources required, there are 12 fields in an IP header alone.
The TCP header in our trace has options set, so it has more than the minimum of 15 fields (ten fixed fields, six of them the one-bit flags). All of that state costs memory, which is one reason a server never treats a connection as established simply because it receives a SYN! Back then, believe it or not, the Internet was not 100% reliable as it is today ☺, and the designers decided to prioritize established connections over connections waiting to be established. That was perfectly reasonable.

Slide 8: More on state

    Active Internet connections (including servers)
    Proto Recv-Q Send-Q  Local Address   Foreign Address         (state)
    tcp        0      0  gumby.3064      nntp.nntp               ESTABLISHED
    tcp        0      0  gumby.3049      192.215.107.72.http     CLOSE_WAIT
    tcp        0      0  gumby.3047      192.215.107.72.http     CLOSE_WAIT
    tcp        0      0  gumby.1019      joatmon.login           ESTABLISHED
    tcp       56      0  gumby.3386      128.10.17.72.ftp        CLOSE_WAIT
    tcp        0      0  gumby.1022      mmm.login               ESTABLISHED
    tcp        0      0  gumby.1423      el98.telnet             ESTABLISHED
    tcp        0      0  gumby.1023      vicegrep.login          ESTABLISHED
    tcp        0      0  *.6000          *.*                     LISTEN
    tcp        0      0  *.2000          *.*                     LISTEN
    tcp        0      0  *.domain        *.*                     LISTEN
    tcp        0      0  *.time          *.*                     LISTEN
    tcp        0      0  *.login         *.*                     LISTEN
    tcp        0      0  *.shell         *.*                     LISTEN
    tcp        0      0  *.telnet        *.*                     LISTEN
    tcp        0      0  *.ftp           *.*                     LISTEN
    tcp        0      0  *.730           *.*                     LISTEN
    tcp        0      0  *.sunrpc        *.*                     LISTEN

NOTE: queues, state, think memory.

As we continue to set the stage we see a system with connections in a variety of states. See the CLOSE_WAIT? The remote end has sent its FIN and we have acknowledged it, but the local application has not yet closed its side, so the state is still held. The LISTENs are active ports, services waiting for an incoming packet. This is the output of netstat -a on a Unix system; you can type the same command on Windows, and we recommend you try it from time to time, it can be very educational. The point is that a connected system may have multiple active connections at one time, each requiring memory.

NOTE: some security professionals do not fully trust the output of the Windows netstat. There is a replacement netstat on securify.packetstorm.com that you might want to evaluate.
Slide 9: Getting down to it

[Slide diagram: a SYN arrives at the listening service; socket{}, ip{} and tcp{} structures are allocated; a SYN/ACK goes back and the entry is held until timeout.]

When an attacker sets up a SYN flood, he has no intention of completing the three-way handshake and actually establishing the connection. Rather, the goal is to exceed the limit on the number of connections waiting to be established. This leaves the system under attack unable to accept any additional connections on that port until the number of waiting connections drops below the threshold. Until the limit is reached, each SYN packet gets a SYN/ACK and leaves a half-open entry in the queue, which generally holds between five and ten connections waiting to be established. Each entry has a timer, a limit on how long the system will wait for the connection to be established. The hourglass on your slide represents that timer, usually set for about a minute (75 seconds in 4.4BSD). When the time limit is exceeded, the memory holding the state for that connection is released and the queue is decremented by one. So once the limit has been reached, the queue can be kept full, and the system prevented from establishing new connections on that port, with about ten packets per minute.

Slide 10: Basics of the SYN attack
• SYN, but do not complete the 3-way handshake
• Make the server believe a non-existent host is the client (host unreachable) by IP spoofing, so the SYN/ACKs go nowhere. The spoofed source really must be unreachable: a live host that never sent the SYN would answer the unsolicited SYN/ACK with a RST, and that RST frees the queue entry.
• It only takes a few (5 - 10) SYNs to seal off a service for the period of the timer, 60 - 100 seconds

Now we are down to the close: the attacker is taking advantage of the engineering trade-off of limiting the number of entries in the listen queue. Older operating systems react very poorly to this condition and are rendered unable to communicate. Yup, that is right: if their queue filled up because of incoming packets, they were unable to process outgoing packets on that service. This particular problem is fixed on most modern operating systems.
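An added example (not from the course) that models the engineering trade-off just described: a fixed listen queue with a reaper timer, a spoofed flood against it from an unreachable and then from a live source, the SYN rate needed to hold the queue full, and the same half-open accounting done from the network side as a detector. The queue size (8) and timer (75 seconds) are assumptions in the range the text gives; the addresses and the packet list are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

BACKLOG = 8          # assumption: fixed number of not-yet-established connections the stack keeps
SYN_TIMEOUT = 75.0   # assumption: seconds a half-open entry lives before its memory is released

Key = Tuple[str, int]   # (peer address, peer port) as claimed by the SYN


@dataclass
class ListenQueue:
    """The victim's queue of half-open connections for one listening port."""
    backlog: int = BACKLOG
    timeout: float = SYN_TIMEOUT
    half_open: Dict[Key, float] = field(default_factory=dict)  # peer -> time its SYN arrived
    established: int = 0
    dropped: int = 0

    def reap(self, now: float) -> None:
        for key, t0 in list(self.half_open.items()):
            if now - t0 >= self.timeout:
                del self.half_open[key]      # timer expired: state freed, queue decremented by one

    def on_syn(self, now: float, peer: Key) -> str:
        self.reap(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return "dropped"                 # no socket{}/ip{}/tcp{} allocated, no SYN/ACK sent
        self.half_open[peer] = now
        return "syn_ack"                     # state allocated; SYN/ACK goes to `peer`, reachable or not

    def on_ack(self, now: float, peer: Key) -> str:
        if self.half_open.pop(peer, None) is None:
            return "no_state"
        self.established += 1
        return "established"

    def on_rst(self, now: float, peer: Key) -> None:
        self.half_open.pop(peer, None)       # a live host that never sent the SYN answers the SYN/ACK with RST


def flood(spoofed_source_is_live: bool, n_syns: int = 10) -> Tuple[str, ListenQueue]:
    """n_syns spoofed SYNs at t=0, then a legitimate client at t=1. Addresses are constructed."""
    q = ListenQueue()
    for i in range(n_syns):
        q.on_syn(0.0, ("10.0.0.200", 40000 + i))
        if spoofed_source_is_live:
            q.on_rst(0.1, ("10.0.0.200", 40000 + i))
    result = q.on_syn(1.0, ("10.0.0.5", 1025))
    if result == "syn_ack":
        result = q.on_ack(1.1, ("10.0.0.5", 1025))
    return result, q


def syns_per_minute_to_hold(backlog: int = BACKLOG, timeout: float = SYN_TIMEOUT) -> float:
    """Rate needed to keep the queue permanently full: one SYN per slot per timer period."""
    return backlog * 60.0 / timeout


# Detector side: the same accounting done from packets seen on the wire, per (dst, dport).
Packet = Tuple[float, str, int, str, int, str]   # (ts, src, sport, dst, dport, flags)

SAMPLE_PACKETS: List[Packet] = (
    [(0.1 * i, "10.0.0.200", 40000 + i, "10.0.0.1", 513, "S") for i in range(10)]   # constructed flood on login
    + [(2.0, "10.0.0.5", 1025, "10.0.0.1", 23, "S"),                                # constructed normal telnet
       (2.1, "10.0.0.5", 1025, "10.0.0.1", 23, "A")]
)


def half_open_alerts(packets: List[Packet], threshold: int = BACKLOG, window: float = SYN_TIMEOUT) -> Set[str]:
    """Flag dst:port where more than `threshold` SYNs are unanswered within `window` seconds.
    A SYN opens an entry; the client's ACK completes it; a RST from the client address clears it."""
    pending: Dict[Tuple[str, int, str, int], float] = {}
    alerts: Set[str] = set()
    for ts, src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = ts
        elif flags in ("A", "R"):
            pending.pop(key, None)
        counts: Dict[Tuple[str, int], int] = {}
        for (_, _, d, dp), t0 in pending.items():
            if ts - t0 < window:
                counts[(d, dp)] = counts.get((d, dp), 0) + 1
        alerts.update("%s:%d" % (d, dp) for (d, dp), n in counts.items() if n > threshold)
    return alerts


if __name__ == "__main__":
    print("unreachable spoofed source:", flood(False)[0])
    print("live spoofed source:", flood(True)[0])
    print("SYNs per minute to hold the queue:", syns_per_minute_to_hold())
    print("alerts:", half_open_alerts(SAMPLE_PACKETS))
```

Ten spoofed SYNs from an unreachable address leave the legitimate client dropped; the same ten from a live address are undone by its RSTs and the client connects. With these constants, 6.4 SYNs per minute keep the queue full, which is the "about ten packets per minute" of the text with a little margin, and the detector flags only the flooded login port, not the ordinary telnet session.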
[...]

Slide 11: Duration of attack
• 6 - 10 SYNs every minute or so will disable a service until the attacker decides to go away and SYN no more.

This was an elegant attack: for a small number of packets an attacker could freeze a particular service on a host computer.

Slide 11: IP Spoof Handwaving
• How do we spoof the target so that the sender appears to be an unreachable host? [...]

Slide 24

The cartoon view on this page summarizes what we have developed so far.
• The attacker shown below has determined the trust relationship between A and B.
• B is now out of the picture; it cannot speak on the port it was SYN flooded on, login (TCP 513).
• The attacker has stimulated A with SYN packets on a live port. When A replied with a SYN/ACK, the attacker assessed A's Initial Sequence Numbers and determined [...] there is a pattern.
• The attacker now knows that if he stimulates A again, A will respond with an ISN 128K higher than the last one in the SYN/ACK. This means the attacker can complete the 3-way handshake by acknowledging A's SYN/ACK even if he never sees it.

Slide 24: It's Very Simplex, Really
[Slide diagram, A and B with the attacker: 1. Attacker is opening a connection to A [...]; 2. A SYN/ACKs B with SEQ# ++128,000; B sees the ACK, wants [...]]

[...] Initial Sequence Number. This is the information we are looking for if we are attacking. Finally a RST after each probe, so that the probes themselves do not SYN flood the system. [Narrator, please pause for a minute to allow the student to evaluate the slide.]

Slide 23: Ready for the kill
[Slide diagram, A, B and the attacker: the attacker can now predict the sequence number A will expect (add 128,000). The SYN attack on B has rendered B unable to reply to A.]

[...] rshell packet
[Slide diagram: 3. Attacker sends the expected ACK with a fake source IP address to establish rshell. Attacker, A, B.]

Because calculating the sequence numbers for both sides of a connection is going to get really complicated really fast, the attacker sends a very simple attack. In essence, he directs his target to lower his shields, and does it in a single command [...]
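The three stages sketched in the fragments above (probe A's ISNs and RST each probe, silence B, then complete the handshake blind) as an added simulation that is not the course's or Shimomura's code. The 128,000 increment and the rlogin port are from the text; host A's toy ISN generator, the addresses and the exact message sequence are assumptions. The same attack is run against a host whose ISN is randomised, and against a B that has not been silenced, to show where the prediction fails.

```python
import random
from typing import Dict, List, Optional, Tuple

ISN_STEP = 128_000   # per-connection ISN increment Shimomura observed on the target (from the text)
MASK32 = 0xFFFF_FFFF
Client = Tuple[str, int]


class HostA:
    """Toy TCP server. predictable=True: ISN = previous ISN + ISN_STEP. predictable=False: random ISN."""

    def __init__(self, predictable: bool, seed: int = 1):
        self.predictable = predictable
        self.rng = random.Random(seed)
        self.last_isn = 0x1000_0000
        self.half_open: Dict[Client, int] = {}   # client -> ISN carried in our SYN/ACK
        self.established: List[Client] = []

    def next_isn(self) -> int:
        if self.predictable:
            self.last_isn = (self.last_isn + ISN_STEP) & MASK32
        else:
            self.last_isn = self.rng.getrandbits(32)  # stand-in for a randomised ISN generator
        return self.last_isn

    def on_syn(self, client: Client) -> int:
        """SYN from `client` as claimed by the IP source. Returns the ISN in the SYN/ACK, which is
        delivered to `client`'s address, whoever really sent the SYN."""
        isn = self.next_isn()
        self.half_open[client] = isn
        return isn

    def on_rst(self, client: Client) -> None:
        self.half_open.pop(client, None)      # RST from the claimed client tears the half-open state down

    def on_ack(self, client: Client, ack_seq: int) -> bool:
        isn = self.half_open.get(client)
        if isn is None or ack_seq != (isn + 1) & MASK32:
            return False                      # a real stack answers a bad or unexpected ACK with RST
        del self.half_open[client]
        self.established.append(client)
        return True


def infer_step(observed: List[int]) -> Optional[int]:
    """Stage 1 analysis: a constant difference between successive ISNs means they are predictable."""
    deltas = {(b - a) & MASK32 for a, b in zip(observed, observed[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def mitnick_attack(a: HostA, b_silenced: bool = True, probes: int = 4) -> bool:
    attacker_ip = "10.1.1.99"                 # assumption
    b: Client = ("10.1.1.2", 1023)            # trusted host B with a privileged source port (assumption)
    # Stage 1: probe A from the attacker's real address; these SYN/ACKs do come back to us.
    observed = []
    for i in range(probes):
        probe: Client = (attacker_ip, 4000 + i)
        observed.append(a.on_syn(probe))
        a.on_rst(probe)                       # RST each probe so we do not SYN flood A ourselves
    step = infer_step(observed)
    if step is None:
        return False                          # no pattern, nothing to predict
    predicted = (observed[-1] + step) & MASK32
    # Stage 2: SYN with B's address as source. A's SYN/ACK goes to B, not to us.
    a.on_syn(b)
    if not b_silenced:
        a.on_rst(b)                           # a live B rejects the unexpected SYN/ACK and A frees the state
    # Stage 3: blind ACK of a SYN/ACK we never saw.
    return a.on_ack(b, (predicted + 1) & MASK32)


if __name__ == "__main__":
    print("predictable ISN, B silenced:", mitnick_attack(HostA(predictable=True)))
    print("predictable ISN, B alive:", mitnick_attack(HostA(predictable=True), b_silenced=False))
    print("random ISN, B silenced:", mitnick_attack(HostA(predictable=False)))
```

Only the first run establishes a connection as B. With B left alive, its RST to the SYN/ACK it never asked for removes A's half-open state before the blind ACK arrives, which is exactly why the SYN flood on B's login port comes first; with a randomised ISN, the probe deltas show no pattern and there is nothing to predict.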
[...] IP address. This is often called spoofing. The characteristics of this IP address are that it is valid, routable, and not active or reachable. Many sites have a large number of unused IP addresses and do not employ network address translation; they tend to be the stars of this particular show.

Slide 12: Build the packet

```c
/* Packet assembly begins here */
/* Fill in all the TCP header information */
packet.tcp.source=sport;
/* [...] */
```

[...] packets that are assembled for the purpose of attacking and probing can be called crafted packets. Quite often the authors of packet-crafting software make a small error at some point, or take a shortcut, and this gives the packet a unique signature. We have shown two of them in this code, the sequence number and the IPID. We can use these signatures in intrusion detection so that if such a crafted packet [...]

Slide 17: There is a protocol to match a MAC address to an IP address

    0               16              31
    +---------------+---------------+
    | HARDWARE TYPE | PROTOCOL TYPE |
    +-------+-------+---------------+
    | HLEN  | PLEN  | OPERATION     |
    +-------+-------+---------------+
    | SOURCE MAC (octets 0-3)       |
    +---------------+---------------+
    | SOURCE MAC    | SOURCE IP     |
    | (octets 4-5)  | (octets 0-1)  |
    +---------------+---------------+
    | SOURCE IP     | TARGET MAC    |
    | (octets 2-3)  | (octets 0-1)  |
    +---------------+---------------+
    | TARGET MAC (octets 2-5)       |
    +-------------------------------+
    | TARGET IP                     |
    +-------------------------------+

As we consider how we will employ a denial of service as part of a larger attack, we need to rethink layers. If you think IP and [...]
[...] shouldn't have to be bothered with these lower-level issues. Now, there are cases when the layers do have information about each other. One example is IP and TCP. A TCP connection is (usually) an ephemeral port talking to a well-known port, and while that connection exists the same pair of ports is not reused between the same pair of IP addresses: the four-tuple of addresses and ports is what identifies the connection. So we have an example where layers are communicating. However, in general they don't, and this opens a potential window [...]

Slide 12: Build the packet (TCP portion). The field names are those of the Linux struct tcphdr; sport is assumed to be in network byte order already, since only dport is converted with htons().

```c
/* Packet assembly begins here */
/* Fill in all the TCP header information */
packet.tcp.source=sport;             /* 16-bit Source port number */
packet.tcp.dest=htons(dport);        /* 16-bit Destination port */
packet.tcp.seq=49358353+getpid();    /* 32-bit Sequence Number: a constant plus the pid, not random */
packet.tcp.ack_seq=0;                /* 32-bit Acknowledgement Number */
packet.tcp.doff=5;                   /* Data offset: 5 words, no options */
packet.tcp.res1=0;                   /* reserved */
packet.tcp.res2=0;                   /* reserved */
packet.tcp.urg=0;                    /* Urgent offset valid flag */
packet.tcp.ack=0;                    /* Acknowledgement field valid flag */
packet.tcp.psh=0;                    /* Push flag */
packet.tcp.rst=0;                    /* Reset flag */
packet.tcp.syn=1;                    /* Synchronize sequence numbers flag */
packet.tcp.fin=0;                    /* Finish sending flag */
packet.tcp.window=htons(242);        /* 16-bit Window size */
packet.tcp.check=0;                  /* 16-bit checksum, computed later over the pseudo-header and segment */
packet.tcp.urg_ptr=0;                /* 16-bit urgent offset */
```
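An added Python counterpart to the slide's assembly code (not course code) that builds the same SYN with correct IP and TCP checksums, reproduces the seq = 49358353 + pid shortcut, and turns that shortcut into the detection rule the text alludes to. The IPID signature the text mentions is not visible in the fragment on this page, so the rule keys only on the sequence-number band; the fixed window of 242 as a second condition and the addresses are my own assumptions.

```python
import os
import socket
import struct
from typing import Optional

SEQ_BASE = 49358353    # the slide's packet.tcp.seq = 49358353 + getpid()
TOOL_WINDOW = 242      # the slide's packet.tcp.window = htons(242)
PID_BAND = 32768       # assumption: classic 15-bit pid range, so seq falls in [SEQ_BASE, SEQ_BASE + PID_BAND)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; used for both the IP and the TCP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int, ipid: int,
              window: int = TOOL_WINDOW, ttl: int = 64) -> bytes:
    """20-byte IP header + 20-byte TCP SYN (doff = 5, no options), both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, window, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ipid, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def build_like_the_slide(src: str, dst: str, sport: int, dport: int, pid: Optional[int] = None) -> bytes:
    """The slide's shortcut: the ISN is a constant plus the process id instead of a random value."""
    pid = os.getpid() if pid is None else pid
    return build_syn(src, dst, sport, dport, seq=SEQ_BASE + pid, ipid=pid & 0xFFFF)


def verify_checksums(pkt: bytes) -> bool:
    """A header carrying a correct checksum sums (one's complement) to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def crafted_packet_signature(pkt: bytes) -> bool:
    """Detection rule: a bare SYN whose ISN lies in the 49358353 + pid band and carries the tool's window."""
    ihl = (pkt[0] & 0x0F) * 4
    seq, = struct.unpack("!I", pkt[ihl + 4:ihl + 8])
    flags = pkt[ihl + 13]
    window, = struct.unpack("!H", pkt[ihl + 14:ihl + 16])
    return (flags & 0x3F) == 0x02 and SEQ_BASE <= seq < SEQ_BASE + PID_BAND and window == TOOL_WINDOW


if __name__ == "__main__":
    crafted = build_like_the_slide("10.0.0.9", "10.0.0.1", 4840, 1080)
    print("checksums ok:", verify_checksums(crafted), "signature hit:", crafted_packet_signature(crafted))
```

The packet is assembled the way the slide does it, and the signature rule fires on it while a SYN with an arbitrary ISN and window passes; in a real sensor the band would be tightened to the pid range of the tool's platform and paired with the IPID tell once that part of the code is known.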
