Power Projection Systems Department Zombie Scan Judy Novak Vern Stark David Heinbuch June 12, 2002.


SubSeven Incident
June 29, 2001 ~ 12:00: Shadow reveals massive scan
Hundreds of hosts concurrently scan the SubSeven port of a Class B network
Flood, DDoS, or scan?
Similar scan on July 2, 2001 ~ 16:00
June 26, 2001: SANS reports W32.leave.worm
– Windows hosts
– Spread via hosts listening on port
– Zombies used in DDoS attacks
and Earthlink for port 27374

Sample tcpdump Output
12:16: ool-18bd69bb.dyn.optonline.net.4333 > : S : (0) win (DF) (ttl 117, id 13444)
12:16: ool-18bd69bb.dyn.optonline.net.4334 > : S : (0) win (DF) (ttl 117, id 13445)
12:16: > : S : (0) win (DF) (ttl 117, id 54912)
12:16: hsacorp.net.4939 > : S : (0) win (DF) (ttl 117, id 39621)
12:16: ool-18bd69bb.dyn.optonline.net.4335 > : S : (0) win (DF) (ttl 117, id 13446)
12:16: cc18270-a.essx1.md.home.com.4658 > : S : (0) win 8192 (DF) (ttl 117, id 8953)
12:16: > : S : (0) win (DF) (ttl 117, id 54914)
12:16: cc18270-a.essx1.md.home.com.4659 > : S : (0) win 8192 (DF) (ttl 117, id 9209)
12:16: > : S : (0) win (DF) (ttl 117, id 54915)
12:16: cc18270-a.essx1.md.home.com.4660 > : S : (0) win 8192 (DF) (ttl 117, id 9465)

Source Hosts
Columns: Total Packets | Unique Source Hosts | DNS Registered
June 29: **
July 2: 157, **
** Not spoofed source IPs

Scanning Host Networks
Cable/dial-in modem providers

Destination Hosts
Target network Class B: 65,535 possible IP addresses
– June 29: 32,367 unique destination IPs scanned
– July 2: 36,638 unique destination IPs scanned
Prior reconnaissance of live destination hosts?
– Missing Class C subnets: different for both scans
– Many IP numbers not live hosts
Zombies not active or responsive during scan

Number of Unique Scanning Hosts per Destination Host

Scanning Rates
Sustained activity for 5 or 6 minutes
Peak activity for 2 minutes
June 29 scan: 7.2 Mbps maximum
July 02 scan: 8.6 Mbps maximum
Maximum volume not enough for DoS on our network

Packets Per Minute (hh:mm)

Temporal Variability of Zombie Scan

Initial Wave of TCP Packets

Initial SYN Packets

Initial SYNs and Retries

Scanning Conclusions
Scanning hosts carefully synchronized
Waves of initial SYNs and TCP retries result in highly variable bandwidth consumption
SYNs sent in waves 11.5 seconds apart
“Thoughtful” scan
– Each source host assigned a range of destination hosts
– Assigned time frame and frequency to scan
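The measurements behind the previous slides (packets per minute, unique scanning hosts per destination, and the wave spacing of the initial SYNs) can be reproduced from raw tcpdump lines in the format shown in the "Sample tcpdump Output" slide. The script below is an added example, not code from the presentation or its authors. Because the slide's own lines lost their timestamps and addresses in extraction, the sample capture here is constructed: the hostnames, addresses, sequence numbers and times are invented, and only the destination port (27374) and the 11.5 second wave spacing are taken from the slides. The burst-gap threshold of 1 second is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample capture in the tcpdump format shown on the slide.  Hosts,
# addresses, sequence numbers and times are invented; the destination port
# (27374, SubSeven) and the ~11.5 s spacing between SYN waves follow the slides.
SAMPLE_TCPDUMP = """\
12:16:00.100 zombie-a.example.net.4333 > 10.1.2.3.27374: S 1000:1000(0) win 16384 (DF) (ttl 117, id 13444)
12:16:00.230 zombie-a.example.net.4334 > 10.1.2.4.27374: S 1001:1001(0) win 16384 (DF) (ttl 117, id 13445)
12:16:00.540 zombie-b.example.net.4658 > 10.1.2.3.27374: S 2000:2000(0) win 8192 (DF) (ttl 117, id 8953)
12:16:11.600 zombie-a.example.net.4335 > 10.1.2.5.27374: S 1002:1002(0) win 16384 (DF) (ttl 117, id 13446)
12:16:11.700 zombie-b.example.net.4659 > 10.1.2.4.27374: S 2001:2001(0) win 8192 (DF) (ttl 117, id 9209)
12:16:23.100 zombie-b.example.net.4660 > 10.1.2.5.27374: S 2002:2002(0) win 8192 (DF) (ttl 117, id 9465)
12:16:23.300 zombie-c.example.net.1025 > 10.1.2.3.27374: S 3000:3000(0) win 24820 (DF) (ttl 53, id 54912)
"""

# One classic tcpdump TCP line: time src.port > dst.port: flags seq win N [(DF)] (ttl N, id N)
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<frac>\d+) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPAU.]+) \S+ win (?P<win>\d+)(?: \(DF\))? "
    r"\(ttl (?P<ttl>\d+), id (?P<id>\d+)\)"
)


def parse_tcpdump(text):
    """Parse tcpdump lines into dicts; lines that do not match the pattern are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        secs = (int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"])
                + float("0." + d["frac"]))
        records.append({
            "t": secs, "minute": f"{d['h']}:{d['m']}",
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "flags": d["flags"], "win": int(d["win"]),
            "ttl": int(d["ttl"]), "id": int(d["id"]),
        })
    return records


def packets_per_minute(records):
    """Volume per hh:mm bucket, as on the 'Packets Per Minute' slide."""
    return Counter(r["minute"] for r in records)


def scanners_per_destination(records):
    """Distinct source hosts that touched each destination (redundant scanner coverage)."""
    seen = defaultdict(set)
    for r in records:
        seen[r["dst"]].add(r["src"])
    return {dst: len(srcs) for dst, srcs in seen.items()}


def syn_waves(records, gap=1.0):
    """Group initial SYNs (flag 'S' alone) into bursts separated by more than `gap` seconds.
    Returns (burst sizes, seconds between burst starts).  A near-constant interval
    across many independent sources is the signature of a time-synchronized scan."""
    times = sorted(r["t"] for r in records if r["flags"] == "S")
    bursts = []
    for t in times:
        if bursts and t - bursts[-1][-1] <= gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    sizes = [len(b) for b in bursts]
    intervals = [round(b[0] - a[0], 3) for a, b in zip(bursts, bursts[1:])]
    return sizes, intervals


if __name__ == "__main__":
    recs = parse_tcpdump(SAMPLE_TCPDUMP)
    print("packets per minute:", dict(packets_per_minute(recs)))
    print("scanners per destination:", scanners_per_destination(recs))
    print("SYN wave sizes / intervals:", syn_waves(recs))
```

Run against a real capture, the interval list is what distinguishes a coordinated scan from uncoordinated background noise: independent hosts produce scattered intervals, while the 11.5 second spacing reported on the slide shows up as a tight cluster.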

Scanning Hosts Operating Systems
Examine “passive” fingerprints
– Arriving Time to Live (TTL) values
– Scanning host TCP window size
– Scanning host TCP options

Fingerprint Values by OS (courtesy Honeynet Project)
OS Version | Platform | TTL | Window
Windows 9x/NT | Intel | |
AIX 4.3.x | IBM/RS | |
AIX 4.2.x | IBM/RS | |
Cisco | | |
IRIX 6.x | SGI | |
Linux 2.2.x | Intel | |
OpenBSD 2.x | Intel | |
Solaris 8 | Intel/Sparc | |
Windows 9x/NT | Intel | |
Windows 2000 | Intel | |
Cisco | | |
Solaris 2.x | Intel/Sparc | |

June 29 Arriving TTL Values
10 – 22 hops | 8 – 25 hops | 8 – 22 hops

July 2 Arriving TTL Values
12 – 22 hops | 12 – 21 hops | 8 – 27 hops

Scanning Host TCP Window Size
Windows 9X/NT | Windows 2K | Unknown | Solaris

Scanning Host Maximum Segment Size
Ethernet | PPP/ISDN | PPPoE (DSL)
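The passive fingerprinting the last several slides describe (arriving TTL to hop count, TCP window size to OS family, MSS option to access-link type) is small enough to show end to end. The code below is an added example and is not from the presentation or the Honeynet Project. The TTL and window numbers of the slide's Honeynet table did not survive extraction, so the OS rules here are assumptions drawn from commonly published passive-fingerprinting values, and the MSS-to-link mapping assumes the usual MTU minus 40 bytes of IP and TCP header; both tables are labelled as such in the code and should be replaced with a current reference table before use.

```python
# Common default initial TTLs.  The arriving TTL is rounded up to the next default
# and the difference is the estimated hop count; this is the reasoning behind the
# slides' "8 – 25 hops" style ranges (a TTL of 117 implies 128 - 117 = 11 hops).
INITIAL_TTLS = (32, 64, 128, 255)

# ASSUMED rules: (initial TTL, inclusive window range, OS guess).  Illustrative
# values from common passive-fingerprinting tables, not the Honeynet table on the
# slide (whose numbers did not survive extraction).
OS_RULES = [
    (32,  (5000, 9000),   "Windows 9x/NT"),
    (128, (5000, 9000),   "Windows 9x/NT"),
    (128, (16000, 18000), "Windows 2000"),
    (64,  (16384, 16384), "OpenBSD 2.x"),
    (64,  (24820, 24820), "Solaris 8"),
    (255, (8760, 8760),   "Solaris 2.x"),
    (64,  (32120, 32120), "Linux 2.2.x"),
    (255, (4128, 4128),   "Cisco IOS"),
]

# ASSUMED MSS -> access-link guesses (MSS = link MTU - 40 bytes of IP+TCP header).
MSS_LINKS = {1460: "Ethernet", 1452: "PPPoE (DSL)", 536: "PPP dial-up"}


def estimate_hops(ttl):
    """Return (assumed initial TTL, hops travelled) for an arriving TTL."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init, init - ttl
    raise ValueError(f"TTL {ttl} is not a valid IPv4 TTL")


def hop_range(ttls):
    """Min and max estimated hops over a set of arriving TTLs (the per-OS chart on the slide)."""
    hops = [estimate_hops(t)[1] for t in ttls]
    return min(hops), max(hops)


def parse_tcp_options(opts):
    """Parse tcpdump-style option text, e.g. 'mss 1460,nop,nop,sackOK'
    -> {'mss': 1460, 'nop': 2, 'sackOK': True}."""
    parsed = {}
    for item in opts.split(","):
        parts = item.strip().split()
        if not parts:
            continue
        key = parts[0]
        if key == "nop":                      # count padding NOPs; their number is itself a hint
            parsed["nop"] = parsed.get("nop", 0) + 1
        elif len(parts) > 1 and parts[1].isdigit():
            parsed[key] = int(parts[1])
        else:
            parsed[key] = True
    return parsed


def guess_os(initial_ttl, window):
    """Match the (initial TTL, window) pair against OS_RULES; 'Unknown' when nothing fits."""
    for init, (lo, hi), name in OS_RULES:
        if init == initial_ttl and lo <= window <= hi:
            return name
    return "Unknown"


def fingerprint(ttl, window, options=""):
    """Combine the three passive signals from one SYN into a single guess."""
    init, hops = estimate_hops(ttl)
    mss = parse_tcp_options(options).get("mss")
    return {
        "initial_ttl": init,
        "hops": hops,
        "os": guess_os(init, window),
        "link": MSS_LINKS.get(mss, "Unknown"),
    }


if __name__ == "__main__":
    # A SYN like the ones on the sample slide: TTL 117, window 8192, typical Windows options.
    print(fingerprint(117, 8192, "mss 1460,nop,nop,sackOK"))
```

Passive fingerprints are only probabilistic: the initial TTL guess is wrong for hosts with non-default TTLs, window sizes are tunable, and a PPPoE MSS can be clamped by an intermediate router rather than set by the host, which is why the slides report distributions per OS family rather than a verdict per host.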

SubSeven Scan Conclusions
Very efficient scan
Conducted by zombie hosts
– Most are Windows
– Other operating systems involved
– Representative of normal distribution on Internet?
Thoughtful scan
– Redundant scanners
– Timing parameters
– Ranges of destination hosts