Zombie Scan. Judy Novak, Vern Stark, David Heinbuch. Power Projection Systems Department, June 12, 2002. (Presentation transcript)

2 SubSeven Incident
June 29, 2001, ~12:00: Shadow reveals massive scan
Hundreds of hosts concurrently scan SubSeven port of Class B network
Flood, DDoS, scan?
Similar scan on July 2, 2001, ~16:00
June 26, 2001: SANS reports of W32.leave.worm
  – Windows hosts
  – Spread via hosts listening on port 27374
  – Zombies used in DDoS attacks
  – Scans @Home and Earthlink for port 27374

3 Sample tcpdump Output
12:16:31.150575 ool-18bd69bb.dyn.optonline.net.4333 > 192.168.112.44.27374: S 542724472:542724472(0) win 16384 (DF) (ttl 117, id 13444)
12:16:31.160575 ool-18bd69bb.dyn.optonline.net.4334 > 192.168.112.45.27374: S 542768141:542768141(0) win 16384 (DF) (ttl 117, id 13445)
12:16:31.170575 24.3.50.252.1757 > 192.168.19.178.27374: S 681372183:681372183(0) win 16384 (DF) (ttl 117, id 54912)
12:16:31.170575 24-240-136-48.hsacorp.net.4939 > 192.168.11.19.27374: S 3019773591:3019773591(0) win 16384 (DF) (ttl 117, id 39621)
12:16:31.170575 ool-18bd69bb.dyn.optonline.net.4335 > 192.168.112.46.27374: S 542804226:542804226(0) win 16384 (DF) (ttl 117, id 13446)
12:16:31.170575 cc18270-a.essx1.md.home.com.4658 > 192.168.5.88.27374: S 55455482:55455482(0) win 8192 (DF) (ttl 117, id 8953)
12:16:31.170575 24.3.50.252.1759 > 192.168.19.180.27374: S 681485650:681485650(0) win 16384 (DF) (ttl 117, id 54914)
12:16:31.170575 cc18270-a.essx1.md.home.com.4659 > 192.168.5.89.27374: S 55455483:55455483(0) win 8192 (DF) (ttl 117, id 9209)
12:16:31.170575 24.3.50.252.1760 > 192.168.19.181.27374: S 681550782:681550782(0) win 16384 (DF) (ttl 117, id 54915)
12:16:31.170575 cc18270-a.essx1.md.home.com.4660 > 192.168.5.90.27374: S 55455484:55455484(0) win 8192 (DF) (ttl 117, id 9465)

4 Source Hosts
Date      Total Packets   Unique Source Hosts   DNS Registered
June 29   132,706         314                   297**
July 2    157,842         295                   271**
**Not spoofed source IPs

5 Scanning Host Networks (chart): cable/dial-in modem providers

6 Destination Hosts
Target network Class B: 65,535 possible IP addresses
  – June 29: 32,367 unique destination IPs scanned
  – July 2: 36,638 unique destination IPs scanned
Prior reconnaissance of live destination hosts?
  – Missing Class C subnets: different for both scans
  – Many IP numbers not live hosts
Zombies not active or responsive during scan

7 Number of Unique Scanning Hosts per Destination Host (chart)

8 Scanning Rates
Sustained activity for 5 or 6 minutes
Peak activity for 2 minutes
June 29 scan: 7.2 Mbps maximum
July 02 scan: 8.6 Mbps maximum
Maximum volume not enough for DoS on our network

9 Packets Per Minute (hh:mm) (chart)

10 Temporal Variability of Zombie Scan (chart)

11 Initial Wave of TCP Packets (chart)

12 Initial SYN Packets (chart)

13 Initial SYNs and Retries (chart)

14 Scanning Conclusions
Scanning hosts carefully synchronized
Waves of initial SYNs and TCP retries result in highly variable bandwidth consumption
SYNs sent in waves 11.5 seconds apart
"Thoughtful" scan
  – Each source host assigned a range of destination hosts
  – Assigned time frame and frequency to scan

15 Scanning Hosts Operating Systems
Examine "passive" fingerprints
  – Arriving Time to Live (TTL) values
  – Scanning host TCP window size
  – Scanning host TCP options

16 Fingerprint Values by OS (courtesy Honeynet Project)
OS Version       Platform       TTL   Window
Windows 9x/NT    Intel          32    5000-9000
AIX 4.3.x        IBM/RS6000     60    16000-16100
AIX 4.2.x        IBM/RS6000     60    16000-16100
Cisco 11.2       7507           60    65535
IRIX 6.x         SGI            60    61320
Linux 2.2.x      Intel          64    32120
OpenBSD 2.x      Intel          64    17520
Solaris 8        Intel/Sparc    64    24820
Windows 9x/NT    Intel          128   5000-9000
Windows 2000     Intel          128   17000-18000
Cisco 12.0       2514           255   3800-5000
Solaris 2.x      Intel/Sparc    255   8760
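As an added example (not part of the presentation), the Python below parses tcpdump SYN lines in the slide 3 format and applies the slide 16 TTL/window table to estimate per-source hop count and operating system, the passive fingerprinting slide 15 describes. The 32-hop path bound and the merged AIX row are assumptions of this example.

```python
import re
from collections import defaultdict
# Sample tcpdump SYN lines copied from slide 3 of the presentation (three of ten shown).
SAMPLE = """\
12:16:31.150575 ool-18bd69bb.dyn.optonline.net.4333 > 192.168.112.44.27374: S 542724472:542724472(0) win 16384 (DF) (ttl 117, id 13444)
12:16:31.160575 ool-18bd69bb.dyn.optonline.net.4334 > 192.168.112.45.27374: S 542768141:542768141(0) win 16384 (DF) (ttl 117, id 13445)
12:16:31.170575 cc18270-a.essx1.md.home.com.4658 > 192.168.5.88.27374: S 55455482:55455482(0) win 8192 (DF) (ttl 117, id 8953)
"""
# Slide 16 table (Honeynet Project) as (OS, initial TTL, window low, window high);
# the two AIX 4.x rows are merged and the platform column is dropped (assumption).
FINGERPRINTS = [
    ("Windows 9x/NT", 32, 5000, 9000), ("AIX 4.x", 60, 16000, 16100),
    ("Cisco 11.2", 60, 65535, 65535), ("IRIX 6.x", 60, 61320, 61320),
    ("Linux 2.2.x", 64, 32120, 32120), ("OpenBSD 2.x", 64, 17520, 17520),
    ("Solaris 8", 64, 24820, 24820), ("Windows 9x/NT", 128, 5000, 9000),
    ("Windows 2000", 128, 17000, 18000), ("Cisco 12.0", 255, 3800, 5000),
    ("Solaris 2.x", 255, 8760, 8760),
]
# tcpdump 3.x layout: "ts src.sport > dst.dport: S seq:seq(0) win W (DF) (ttl T, id I)"
SYN_RE = re.compile(r"^(\S+) (\S+)\.(\d+) > (\S+)\.(\d+): S .*? win (\d+) .*\(ttl (\d+), id (\d+)\)")
def parse_syn(line):
    """Return (src_host, dst_host, dport, window, ttl) for one SYN line, else None."""
    m = SYN_RE.match(line)
    if not m:
        return None
    _, src, _, dst, dport, win, ttl, _ = m.groups()
    return src, dst, int(dport), int(win), int(ttl)

def fingerprint(ttl, win):
    """Match arriving TTL and window against the table; return (candidate OS list, hops)."""
    hits = [(os_, ittl - ttl) for os_, ittl, lo, hi in FINGERPRINTS
            if 0 <= ittl - ttl <= 32 and lo <= win <= hi]  # 32 hops: assumed path bound
    if hits:
        return sorted({h[0] for h in hits}), hits[0][1]
    # No window match (slide 19's "Unknown"): still estimate hops from nearest initial TTL.
    ittl = next(t for t in (32, 64, 128, 255) if t >= ttl)
    return ["Unknown"], ittl - ttl

def profile_scanners(text):
    """Per scanning host: SYN count, distinct targets and OS guess (SubSeven port only)."""
    out = defaultdict(lambda: {"packets": 0, "dsts": set()})
    for line in text.splitlines():
        p = parse_syn(line)
        if p is None or p[2] != 27374:
            continue
        src, dst, _, win, ttl = p
        out[src]["packets"] += 1
        out[src]["dsts"].add(dst)
        out[src]["os"], out[src]["hops"] = fingerprint(ttl, win)
    return dict(out)
```

On the slide 3 sample, the win 16384 / TTL 117 sources fall into the "Unknown" category of slide 19, while win 8192 / TTL 117 matches Windows 9x/NT about 11 hops away.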

17 June 29 Arriving TTL Values (chart): hop-count ranges 10–22 hops, 8–25 hops, 8–22 hops

18 July 2 Arriving TTL Values (chart): hop-count ranges 12–22 hops, 12–21 hops, 8–27 hops

19 Scanning Host TCP Window Size (chart): Windows 9X/NT, Windows 2K, Unknown, Solaris

20 Scanning Host Maximum Segment Size (chart): Ethernet, PPP/ISDN, PPPoE (DSL)

21 SubSeven Scan Conclusions
Very efficient scan
Conducted by zombie hosts
  – Most are Windows
  – Other operating systems involved
  – Representative of normal distribution on Internet?
Thoughtful scan
  – Redundant scanners
  – Timing parameters
  – Ranges of destination hosts

