Portscans
Jonathon Giffin
[email protected]
April 25, 2001
In This Talk...

- Why scan?
- Anatomy of a portscan
- Methods
- Classical detection methods
- Statistical packet anomaly detection
- Responding to a portscan
- Q&[maybe]A
Why Portscan: Black Hats

- Locate exploitable machines. Say, FTP servers:

    cecil.cs.wisc.edu (128.105.175.17): open
    bobby.cs.wisc.edu (128.105.175.18): closed
    ross.cs.wisc.edu  (128.105.175.19): closed
    joyce.cs.wisc.edu (128.105.175.20): open

- Fingerprint operating systems
Administrators

- Monitor services running on own networks
- Test security policies
Anatomy of a Portscan

- Scan footprint
  - Set of IPs and ports scanned
  - Defines the attacker’s information gathering requirements
- Horizontal scan
  - Scan the same port across multiple machines
  - Idea: the attacker has an exploit for this particular service
Scan Footprint

- Vertical scan
  - Scan multiple ports on a single machine
  - Idea: looking for vulnerable services on a specific machine

    e3-16.foundry2.cs.wisc.edu (128.105.100.247):
    23/tcp    open      telnet
    25/tcp    filtered  smtp
    111/tcp   filtered  sunrpc
    515/tcp   filtered  printer
Scan Footprint

- Block scan

    Host         21 telnet   22 ssh   23 ftp
    cygnet       open        open     open
    cilantro     open        open     open
    xena         open        open     open
    bodik-soho   closed      closed   closed
    salsa        open        open     open
    bobby        closed      closed   closed
Anatomy of a Portscan

- Scan script
  - Method of carrying out the scan
  - Defines how a given footprint will be scanned
- Footprint and script together compose a portscan
Methods

- Scan tools available
  - Nmap
    - http://www.insecure.org/nmap/
    - Portscans, OS fingerprinting
  - QueSO
    - http://apostols.org/projectz/queso/
    - OS fingerprinting
Ping Scan

- Reveals network topology

    Host krishna.cs.wisc.edu (128.105.175.45) appears to be up.
    Host ursula.cs.wisc.edu (128.105.175.51) appears to be up.
    Host antipholus.cs.wisc.edu (128.105.175.111) appears to be up.
    Host ferdinand.cs.wisc.edu (128.105.175.112) appears to be up.
    Host wonderwoman.cs.wisc.edu (128.105.175.113) appears to be up.
    Host thugbert.cs.wisc.edu (128.105.175.114) appears to be up.
    Host paneer.cs.wisc.edu (128.105.175.115) appears to be up.
    Host coral.cs.wisc.edu (128.105.175.116) appears to be up.
    Host crow.cs.wisc.edu (128.105.175.118) appears to be up.
    Host chef.cs.wisc.edu (128.105.175.120) appears to be up.
UDP Scan

- Send any data to a UDP port
- Receive ICMP port unreachable: port closed
- No response: port open or blocked
Vanilla SYN Scan

    Client                                  Server
    socket()                                socket()
    connect()   ------- SYN ------->        bind()
                                            listen()
                                            accept()
                <----- SYN/ACK -----
    connect() returns
    close()     ------- ACK ------->        accept() returns
                ------- FIN ------->
Vanilla SYN Scan

    crash10.cs.wisc.edu.42977 > malakai.cs.wisc.edu.telnet: S
    malakai.cs.wisc.edu.telnet > crash10.cs.wisc.edu.42977: S ack
    crash10.cs.wisc.edu.42977 > malakai.cs.wisc.edu.telnet: . ack
    crash10.cs.wisc.edu.42977 > malakai.cs.wisc.edu.41212: F

- Defense
  - Log completed connections that are immediately closed
Half-Open SYN Scan

    Client                                       Server
    raw socket, bind()                           socket()
    constructed packet  ------- SYN ------->     bind()
                                                 listen()
                                                 accept()
                        <----- SYN/ACK -----
    constructed packet  ------- RST ------->
Half-Open SYN Scan

    crash10.cs.wisc.edu.42977 > malakai.cs.wisc.edu.telnet: S
    malakai.cs.wisc.edu.telnet > crash10.cs.wisc.edu.42977: S ack
    crash10.cs.wisc.edu.42977 > malakai.cs.wisc.edu.telnet: R

- Defense
  - Log all SYN packets received
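As an added illustration (not from the slides, and not Giffin's code), the two defenses above, logging connections that are completed and immediately closed, and logging every SYN received, can be implemented over tcpdump-style lines in the format the slides quote. The capture below is constructed, and its leading timestamp column is an assumption, since the slides show none.

```python
import re
from collections import Counter

# Constructed capture in the tcpdump style quoted on the slides; the leading
# timestamp column is our addition (the slides show none).
CAPTURE = """\
0.000 crash10.cs.wisc.edu.42977 > malakai.cs.wisc.edu.telnet: S
0.001 malakai.cs.wisc.edu.telnet > crash10.cs.wisc.edu.42977: S ack
0.002 crash10.cs.wisc.edu.42977 > malakai.cs.wisc.edu.telnet: . ack
0.003 crash10.cs.wisc.edu.42977 > malakai.cs.wisc.edu.telnet: F
0.010 crash10.cs.wisc.edu.42978 > malakai.cs.wisc.edu.smtp: S
0.011 malakai.cs.wisc.edu.smtp > crash10.cs.wisc.edu.42978: S ack
0.012 crash10.cs.wisc.edu.42978 > malakai.cs.wisc.edu.smtp: R
5.000 ursula.cs.wisc.edu.1234 > malakai.cs.wisc.edu.ssh: S
5.001 malakai.cs.wisc.edu.ssh > ursula.cs.wisc.edu.1234: S ack
5.002 ursula.cs.wisc.edu.1234 > malakai.cs.wisc.edu.ssh: . ack
9.500 ursula.cs.wisc.edu.1234 > malakai.cs.wisc.edu.ssh: F
"""
LINE = re.compile(r"^(\S+) (\S+)\.(\S+) > (\S+)\.(\S+): (.+)$")

def parse(capture):
    """(time, src, sport, dst, dport, flags) for every line that matches."""
    rows = (LINE.match(line) for line in capture.splitlines())
    return [(float(m[1]), m[2], m[3], m[4], m[5], m[6]) for m in rows if m]

def classify_flows(capture, quick=1.0):
    """Verdict per client flow: 'half-open' (SYN, SYN/ACK, client RST; accept()
    never returns), 'connect-probe' (handshake, then FIN within `quick` s) or 'normal'."""
    flows = {}
    for t, src, sport, dst, dport, flags in parse(capture):
        key = (src, sport, dst, dport)
        if flags == "S":                            # a bare SYN opens a flow
            flows[key] = {"syn": t, "acked": False, "end": None}
        elif key in flows and flags == ". ack":     # third handshake step
            flows[key]["acked"] = True
        elif key in flows and flags in ("R", "F"):  # client tears it down
            flows[key]["end"] = (flags, t)
    verdicts = {}
    for key, st in flows.items():
        end, t = st["end"] or (None, None)
        if end == "R" and not st["acked"]:
            verdicts[key] = "half-open"
        elif end == "F" and st["acked"] and t - st["syn"] <= quick:
            verdicts[key] = "connect-probe"
        else:
            verdicts[key] = "normal"
    return verdicts

def syns_per_source(capture):   # the 'log all SYN packets received' defense
    return Counter(row[1] for row in parse(capture) if row[5] == "S")
```

The half-open flow never reaches accept(), so only the SYN log sees it; the connect probe does reach accept() and is caught by the immediate-close rule.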
Stealth Scans

- Attempt to avoid server logging
- Send invalid TCP packets
  - SYNFIN scan
  - XMAS scan
  - FIN scan
    - Windows avoids this scan because its stack is broken (surprise)
  - Null scan
FTP Bounce Scan

- RFC 959 defines an FTP proxy
- Run the portscan via an FTP proxy
Other Possibilities

- RFC 1413 defines the ident protocol
  - Find services running as root

    crash10.cs.wisc.edu:
    Port      State   Service   Owner
    23/tcp    open    telnet    root
    25/tcp    open    smtp      root
    79/tcp    open    finger    root
    80/tcp    open    http      apache
    111/tcp   open    sunrpc    rpc
    113/tcp   open    auth      nobody
Other Possibilities

- Insert decoy scans

    microsoft.com.54177 > malakai.cs.wisc.edu.352: S
    malakai.cs.wisc.edu.660 > crash10.cs.wisc.edu.54177: R
    crash10.cs.wisc.edu.54177 > malakai.cs.wisc.edu.128: S
OS Fingerprinting

- Identification of the operating system running on a remote machine
- Different kernels perform differently
  - TCP options
  - Initial sequence number
  - ICMP error messages
  - IP fragment overlap
OS Fingerprinting

    Machine          Operating System
    www              Solaris 2.6-2.7, Solaris 7
    pub-nt2          WinNT4 / Win95 / Win98
    malakai          Linux 2.1.122 - 2.2.14
    e3-16.foundry2   No OS Match
    dns              Solaris 2.6-2.7, Solaris 7
    crash8           Linux 2.1.122 - 2.2.14
    crash10          Linux 2.1.122 - 2.2.14
    crash12          No OS Match
    openbsd.org      Solaris 2.6
Classical Detection

- N events in time M
  - Typically measure hits on closed ports
  - Slow the scan down to avoid detection
- Heuristics
  - Hits on empty IP addresses
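An added example (not part of the talk) of the N-events-in-time-M rule over a constructed event log. The window slides per source, so the second source, which spaces its closed-port hits further apart than M, is exactly the slowed-down scan that such a rule misses until the window is widened.

```python
from collections import defaultdict, deque

# Constructed event log: (time in seconds, source address, destination port,
# port state). A "closed" hit is a probe that reached a port with no listener.
EVENTS = [
    (0.0, "10.0.0.5", 21, "closed"), (0.2, "10.0.0.5", 22, "open"),
    (0.4, "10.0.0.5", 23, "closed"), (0.6, "10.0.0.5", 25, "closed"),
    (0.8, "10.0.0.5", 79, "closed"), (1.0, "10.0.0.5", 80, "closed"),
    # second source probes one closed port every 40 s (a slowed-down scan)
    (0.0, "10.0.0.9", 21, "closed"), (40.0, "10.0.0.9", 23, "closed"),
    (80.0, "10.0.0.9", 25, "closed"), (120.0, "10.0.0.9", 79, "closed"),
    (160.0, "10.0.0.9", 111, "closed"),
]

def classical_detect(events, n=4, m=60.0):
    """Raise an alarm the first time a source hits n or more closed ports
    within any m-second window. Returns {source: time of alarm}. Each source
    keeps a deque of hit times; hits older than m are expired, so probes
    spaced more than m apart never accumulate to n."""
    window = defaultdict(deque)
    alarms = {}
    for t, src, port, state in sorted(events):
        if state != "closed" or src in alarms:
            continue
        q = window[src]
        q.append(t)
        while t - q[0] > m:            # drop hits that left the window
            q.popleft()
        if len(q) >= n:
            alarms[src] = t
    return alarms

if __name__ == "__main__":
    print("window 60 s: ", classical_detect(EVENTS))           # fast scanner only
    print("window 200 s:", classical_detect(EVENTS, m=200.0))  # slow one as well
```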
Statistical Packet Anomaly Detection

- Stuart Staniford, James Hoagland, and Joseph McAlerny of Silicon Defense
- “Practical Automated Detection of Stealthy Portscans”
- Conjecture
  - Traffic patterns characteristic of portscans have low rates of occurrence
Statistical Packet Anomaly Detection

    Layer 2   Anomaly correlation engine
    Layer 1   Anomaly detection engine
    Layer 0   Packet collection; probability table construction
Layer 0

- Build a characteristic of expected traffic
- Packet collection
  - Filtering
- Probability table construction
  - Using header features, store the probability of any given packet entering the network
  - Adapt probabilities to changing network use
Layer 1

- Anomaly detection
  - Rate the anomalousness of each incoming packet
  - Pass any packet with anomalousness above an anomaly threshold to the correlator
Layer 2

- Anomaly correlation
  - Reconstruct portscans from anomalous traffic
  - Find clusters of similar packets
Data Flows

    Incoming packets -> Packet collection -> Prob table construction
        -> Anomaly detection engine -> Anomaly correlation engine -> Alarms
Implementation

- Packet collection
  - Restricting to SYN packets
- Probability tables
  - Relevant header fields
  - Joint probabilities
  - Bayes’ Net
Mutual Entropy

4.9 million SYN packets incoming to CS networks

    H( DestAddr ):                       6.927819
    H( DestAddr | SrcAddr ):             2.091069
    H( DestAddr | DestPort ):            4.064494
    H( DestAddr | SrcAddr, DestPort ):   1.274497
    H( DestAddr | SrcPort ):             4.631317
    H( DestAddr | SrcAddr, SrcPort ):    1.075178
    H( DestAddr | DestPort, SrcPort ):   2.580522
    H( DestAddr | Time ):                5.348499
    H( DestAddr | SrcAddr, Time ):       0.862256
    H( DestAddr | DestPort, Time ):      1.540623
    H( DestAddr | SrcPort, Time ):       1.508940
Bayes’ Net

    Nodes: DestPort, SrcPort, Timestamp, SrcIP, DestIP
Anomaly Detection Engine

- Staniford’s model: packets in isolation
- Experiment: a window of N packets $p_1, \ldots, p_N$

  Given packets $p_i$, $i \in [1, N]$:

  $$\mathrm{Anomaly}(\text{window}) = -\sum_{i=1}^{N} \log \mathrm{prob}(p_i)$$
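An added example (constructed here; not Giffin's or Staniford's code) that serves both the conditional-entropy table above and the window score: a small synthetic set of SYN header records stands in for the 4.9 million real ones, the probability table is keyed on the assumed field choice (src_addr, dest_addr, dest_port), and an unseen combination is given a small assumed floor probability so its log stays finite.

```python
import math
from collections import Counter

# Constructed SYN header records (src_addr, src_port, dest_addr, dest_port):
# a stand-in for the 4.9 million real SYNs behind the entropy table above.
SRC_ADDR, SRC_PORT, DEST_ADDR, DEST_PORT = range(4)
NORMAL = [("10.1.0.%d" % (i % 5), 30000 + i, "128.105.175.%d" % (17 + i % 3), 80)
          for i in range(60)]
NORMAL += [("10.1.0.7", 40000 + i, "128.105.175.45", 22) for i in range(20)]
# A vertical scan: one source walking many ports on a single destination.
SCAN = [("10.9.9.9", 3776 + i, "128.105.175.20", p)
        for i, p in enumerate((224, 662, 768, 789, 2016, 194, 6009))]

def cond_entropy(records, target, given=()):
    """H(target | given) in bits from observed frequencies; given=() gives
    the plain entropy H(target)."""
    joint = Counter((tuple(r[g] for g in given), r[target]) for r in records)
    cond = Counter(k[0] for k in joint.elements())    # count per condition
    n = len(records)
    return -sum(c / n * math.log2(c / cond[k[0]]) for k, c in joint.items())

def prob_table(records, fields):
    """Layer 0: probability of each observed combination of header fields."""
    counts = Counter(tuple(r[f] for f in fields) for r in records)
    return {k: c / len(records) for k, c in counts.items()}

def anomaly(window, table, fields, floor):
    """Layer 1: Anomaly(window) = -sum_i log2 prob(p_i). A field combination
    never seen while training gets the small probability `floor`, not zero."""
    return -sum(math.log2(table.get(tuple(p[f] for f in fields), floor))
                for p in window)

if __name__ == "__main__":
    fields = (SRC_ADDR, DEST_ADDR, DEST_PORT)
    table = prob_table(NORMAL, fields)
    print("H(DestAddr)           =", cond_entropy(NORMAL, DEST_ADDR))
    print("H(DestAddr | SrcAddr) =", cond_entropy(NORMAL, DEST_ADDR, (SRC_ADDR,)))
    print("normal window:", anomaly(NORMAL[:7], table, fields, 1 / 160))
    print("scan window:  ", anomaly(SCAN, table, fields, 1 / 160))
```

Conditioning on SrcAddr lowers the entropy of DestAddr, as in the slide's table, and the scan window scores far higher than a same-length window of expected traffic.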
Anomaly Correlation Engine

- Staniford’s algorithm: bond graph
  - ad hoc clustering method

  $$s(p_1, p_2) = c_1 h_1(p_1, p_2) + \sum_{j \ge 2} c_j h_j(p_1, p_2)$$

- Experiment: use established clustering algorithms
Field Relationships in a Vertical Scan Example

    128.105.175.29:3776 > 146.151.62.116:224,TCP
    128.105.175.29:3777 > 146.151.62.116:662,TCP
    128.105.175.29:3778 > 146.151.62.116:768,TCP
    128.105.175.29:3779 > 146.151.62.116:789,TCP
    128.105.175.29:3780 > 146.151.62.116:2016,TCP
    128.105.175.29:3781 > 146.151.62.116:194,TCP
    128.105.175.29:3782 > 146.151.62.116:6009,TCP
    128.105.175.29:3783 > 146.151.62.116:570,TCP
    128.105.175.29:3784 > 146.151.62.116:493,TCP
    128.105.175.29:3785 > 146.151.62.116:1393,TCP
    128.105.175.29:3786 > 146.151.62.116:1007,TCP
Open Questions

- Data set size necessary to establish traffic characteristic
- Relevant header fields
- Manner of measuring probability
- Threshold values
- Malleability of traffic characteristic
- Packet types captured
Advantages of Statistical Packet Anomaly Detection

- Adaptive to changing network topology
- Encompasses classical detection methods
- Useful beyond port scans
Disadvantages

- Learning curve may be slow
- Anomalous packets skew expected traffic characteristic
- Does not evaluate payload
- Few relevant header fields
- Correlator must handle many false positives
Responding to a Port Scan

- What is appropriate action?
  - No legal recourse
  - Block at firewall? Set up for DoS:

        microsoft.com > malakai.cs.wisc.edu: icmp: echo request

  - Log for later legal purposes?
  - Tighten network security?
Recap

- Purposes
  - Exploration of remote services
  - OS fingerprinting
- Port scans have evolved to counter detection methods
- Classical detection methods inadequate
- Statistical packet anomaly detection offers an adaptive scan identifier
Questions?

- Maybe I’ll know the answer
- But hey, I do know slides are posted at http://www.cs.wisc.edu/~giffin
References

- Fyodor. “The Art of Port Scanning.” Phrack 51, volume 7. September 1, 1997.
- Fyodor. “Remote OS detection via TCP/IP Stack Fingerprinting.” Phrack 54, volume 8. December 25, 1998.
- Maimon, Uriel. “Port Scanning Without the SYN Flag.” Phrack 49, volume 7.
- Man pages, nmap.
- Solar Designer. “Designing and Attacking Port Scan Detection Tools.” Phrack 53, volume 8. July 8, 1998.
- Staniford, Stuart, James A. Hoagland, Joseph M. McAlerny. “Practical Automated Detection of Stealthy Portscans.”