Network Intrusion Detection - PowerPoint PPT Presentation

About This Presentation
Title:

Network Intrusion Detection

Slides: 19
Provided by: CISE6

Transcript and Presenter's Notes

1
Network Intrusion Detection
  • ICMP

2
ICMP
  • Host Unreachable (type 3, code 1)
  • Port Unreachable (type 3, code 3)
  • Admin Prohibited (type 3, codes 9, 10 and 13)
  • Fragmentation Needed and DF set (type 3, code 4, "Need to Frag")

3
Tireless Mapper
  • Use ICMP echo request to scan every address of a
    subnet

4
Efficient Mapper
  • Send one ICMP echo request to the network's
    broadcast address (e.g. 192.0.2.255 for
    192.0.2.0/24). Every live host on that subnet
    that answers broadcast pings replies, so a
    single packet maps the whole segment.

5
Clever Mapper
  • Send the ICMP echo request to the directed
    broadcast address of a remote subnet. This only
    works if the routers in between forward directed
    broadcasts (RFC 2644 says they should not by
    default); a subnet that does answer is also a
    usable Smurf amplifier.

6
Cerebral Mapper
  • Send routers ICMP address mask requests to find
    the subnet masks.

7
traceroute
traceroute gaia.cs.umass.edu to www.eurecom.fr
(hop 1 shows the three delay measurements from gaia.cs.umass.edu to cs-gw.cs.umass.edu)
 1 cs-gw (128.119.240.254) 1 ms 1 ms 2 ms
 2 border1-rt-fa5-1-0.gw.umass.edu (128.119.3.145) 1 ms 1 ms 2 ms
 3 cht-vbns.gw.umass.edu (128.119.3.130) 6 ms 5 ms 5 ms
 4 jn1-at1-0-0-19.wor.vbns.net (204.147.132.129) 16 ms 11 ms 13 ms
 5 jn1-so7-0-0-0.wae.vbns.net (204.147.136.136) 21 ms 18 ms 18 ms
 6 abilene-vbns.abilene.ucaid.edu (198.32.11.9) 22 ms 18 ms 22 ms
 7 nycm-wash.abilene.ucaid.edu (198.32.8.46) 22 ms 22 ms 22 ms
 8 62.40.103.253 (62.40.103.253) 104 ms 109 ms 106 ms
 9 de2-1.de1.de.geant.net (62.40.96.129) 109 ms 102 ms 104 ms
10 de.fr1.fr.geant.net (62.40.96.50) 113 ms 121 ms 114 ms
11 renater-gw.fr1.fr.geant.net (62.40.103.54) 112 ms 114 ms 112 ms
12 nio-n2.cssi.renater.fr (193.51.206.13) 111 ms 114 ms 116 ms
13 nice.cssi.renater.fr (195.220.98.102) 123 ms 125 ms 124 ms
14 r3t2-nice.cssi.renater.fr (195.220.98.110) 126 ms 126 ms 124 ms
15 eurecom-valbonne.r3t2.ft.net (193.48.50.54) 135 ms 128 ms 133 ms
16 194.214.211.25 (194.214.211.25) 126 ms 128 ms 126 ms
17 * * *
18 * * *
19 fantasia.eurecom.fr (193.55.113.142) 132 ms 128 ms 136 ms
The jump from about 22 ms at hop 7 to over 100 ms at hop 8 is the trans-oceanic link.
* means no response (probe lost, router not replying)
8
Map of a Network
  • Traceroute for router addresses
  • Mask requests
  • ICMP echo requests to broadcast addresses
  • Port scan and application information
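The mapping techniques on slides 3 to 8 all rely on a handful of ICMP query types, and a sensor can recognise them from the ICMP header alone. The following Python example is added here and is not part of the original presentation; it builds ICMP queries with a correct RFC 1071 checksum, parses and validates them, labels a message as a sweep probe, an echo request to a subnet's broadcast address, or an address-mask request, and flags a source that has probed many distinct hosts. The addresses, subnet and threshold are constructed for the example.

```python
import ipaddress
import struct

# ICMP query types the mapping slides rely on (RFC 792 / RFC 950).
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_TIMESTAMP_REQUEST, ICMP_ADDRESS_MASK_REQUEST = 13, 17
RECON_REQUESTS = {ICMP_ECHO_REQUEST, ICMP_TIMESTAMP_REQUEST, ICMP_ADDRESS_MASK_REQUEST}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Serialise an ICMP query (echo, timestamp or address-mask request) with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def parse_icmp(raw: bytes) -> dict:
    """Decode the 8-byte ICMP header; reject short messages and bad checksums so the
    sensor is not fooled by junk that merely has a type 8 in its first byte."""
    if len(raw) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(raw) != 0:  # a valid message, checksum field included, sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": raw[8:]}


def classify_probe(dst: str, raw: bytes, local_subnets) -> list:
    """Label one inbound ICMP message with the mapper pattern it matches:
    'echo-to-broadcast:<net>' for an echo request to a local subnet's broadcast address
    (or its all-zeros form, which some old stacks also answer), 'address-mask-request',
    'timestamp-request', or a plain 'echo-request'. Other messages get an empty list."""
    msg = parse_icmp(raw)
    dst_ip = ipaddress.ip_address(dst)
    labels = []
    if msg["type"] == ICMP_ECHO_REQUEST:
        for net in local_subnets:
            if dst_ip in (net.broadcast_address, net.network_address):
                labels.append("echo-to-broadcast:%s" % net)
                break
        else:
            labels.append("echo-request")
    elif msg["type"] == ICMP_ADDRESS_MASK_REQUEST:
        labels.append("address-mask-request")
    elif msg["type"] == ICMP_TIMESTAMP_REQUEST:
        labels.append("timestamp-request")
    return labels


def detect_sweep(events, threshold: int = 8) -> list:
    """Tireless-mapper detection: sources that sent ICMP probes to at least `threshold`
    distinct destinations. `events` is an iterable of (src, dst, raw_icmp_bytes)."""
    targets = {}
    for src, dst, raw in events:
        if parse_icmp(raw)["type"] in RECON_REQUESTS:
            targets.setdefault(src, set()).add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


# Constructed sample traffic using RFC 5737 documentation addresses, not a real capture.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLE_EVENTS = [("198.51.100.7", "192.0.2.%d" % host,
                  build_icmp(ICMP_ECHO_REQUEST, 0, 0x1234, host)) for host in range(1, 11)]
SAMPLE_EVENTS.append(("198.51.100.7", "192.0.2.255", build_icmp(ICMP_ECHO_REQUEST, 0, 0x1234, 99)))
SAMPLE_EVENTS.append(("198.51.100.7", "192.0.2.1",
                      build_icmp(ICMP_ADDRESS_MASK_REQUEST, 0, 1, 1, b"\x00\x00\x00\x00")))

if __name__ == "__main__":
    for src, dst, raw in SAMPLE_EVENTS:
        labels = classify_probe(dst, raw, LOCAL_NETS)
        if labels:
            print(src, "->", dst, labels)
    print("sweep sources:", detect_sweep(SAMPLE_EVENTS))
```

The checksum check matters for a sensor: a one's-complement sum over the whole message, checksum field included, must come out to zero, so a single flipped byte is rejected instead of being counted as a probe. The sweep threshold is a tuning knob; a monitoring host that legitimately pings every server on the segment will trip it unless it is whitelisted.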

9
Smurf Attack
  • Send ICMP echo requests to a subnet's broadcast
    address with the source address spoofed to be
    the victim. Every host that answers sends its
    echo reply to the victim, so one packet from the
    attacker becomes many packets at the target
    (amplification).
10
WinFreeze
  • Send the victim a large number of ICMP redirect
    messages; the host spends its time updating its
    routing table for each one, which is a DoS.

11
Loki
  • A Loki server is installed on a compromised
    machine and listens for ICMP traffic.
  • The attacker sends ICMP echo requests to the Loki
    server, which returns its data in the payload of
    ICMP echo replies. The traffic looks like ping
    to a firewall that only checks type and code.
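Both WinFreeze (slide 10) and Loki (slide 11) misuse ICMP messages that a firewall normally lets through, so detection has to look at rate and at payload, not just at type. The Python example below is added here and is not from the original presentation. It works on already-decoded ICMP events (a sensor log with timestamp, addresses, type, identifier, sequence number and payload), flags a burst of redirects aimed at one host, and flags echo replies that either have no matching request or do not echo the request's payload verbatim as RFC 792 requires. The sample traffic, addresses, window and threshold are constructed for the example.

```python
from collections import defaultdict, deque

ICMP_ECHO_REPLY, ICMP_REDIRECT, ICMP_ECHO_REQUEST = 0, 5, 8


def make_event(ts, src, dst, icmp_type, ident=0, seq=0, payload=b""):
    """One decoded ICMP message as a sensor would log it (header already parsed)."""
    return {"ts": ts, "src": src, "dst": dst, "type": icmp_type,
            "id": ident, "seq": seq, "payload": payload}


def detect_redirect_flood(events, window=1.0, threshold=20):
    """WinFreeze pattern: a burst of ICMP redirects (type 5) aimed at one host. Keeps a
    sliding window of redirect timestamps per destination and reports the count the first
    time it reaches `threshold` within `window` seconds. Returns {victim: count}. A few
    redirects from the local gateway are normal; dozens per second are not."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != ICMP_REDIRECT:
            continue
        q = recent[ev["dst"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["dst"] not in alerts:
            alerts[ev["dst"]] = len(q)
    return alerts


def detect_covert_echo(events):
    """Loki pattern: echo replies that do not belong to a request the sensor saw, or whose
    payload is not a verbatim copy of the request's. RFC 792 requires the reply to echo the
    data; Loki returns command output instead, and a reply with no request at all is the
    shape of control traffic that rides on echo replies. Returns [(src, reason)].
    Caveat: a sensor that sees only one direction of traffic, or sits behind NAT, will
    raise 'unsolicited-echo-reply' on legitimate pings."""
    outstanding = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == ICMP_ECHO_REQUEST:
            outstanding[(ev["src"], ev["dst"], ev["id"], ev["seq"])] = ev["payload"]
        elif ev["type"] == ICMP_ECHO_REPLY:
            expected = outstanding.pop((ev["dst"], ev["src"], ev["id"], ev["seq"]), None)
            if expected is None:
                alerts.append((ev["src"], "unsolicited-echo-reply"))
            elif expected != ev["payload"]:
                alerts.append((ev["src"], "reply-payload-mismatch"))
    return alerts


def build_sample_events():
    """Constructed traffic (RFC 5737 addresses): one honest ping, one Loki exchange, one
    unsolicited echo reply, and a WinFreeze-style burst of 25 redirects in a quarter second."""
    ev = [
        make_event(1.00, "192.0.2.10", "192.0.2.20", ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh"),
        make_event(1.01, "192.0.2.20", "192.0.2.10", ICMP_ECHO_REPLY, 0x1234, 1, b"abcdefgh"),
        make_event(2.00, "198.51.100.7", "192.0.2.30", ICMP_ECHO_REQUEST, 7, 1, b"cat /etc/passwd"),
        make_event(2.05, "192.0.2.30", "198.51.100.7", ICMP_ECHO_REPLY, 7, 1,
                   b"root:x:0:0:root:/root:/bin/sh\n"),
        make_event(3.00, "203.0.113.9", "192.0.2.40", ICMP_ECHO_REPLY, 0, 0, b"killall\n"),
    ]
    for i in range(25):
        ev.append(make_event(10.0 + i * 0.01, "192.0.2.1", "192.0.2.50", ICMP_REDIRECT))
    return ev


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    print("redirect floods:", detect_redirect_flood(SAMPLE_EVENTS))
    print("covert echo:", detect_covert_echo(SAMPLE_EVENTS))
```

Pairing replies with requests by (addresses, identifier, sequence) is what turns "ping traffic" into something checkable: the honest ping in the sample passes, the Loki exchange is caught because the server answered with something other than what was sent, and the stray reply is caught because nobody asked for it.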

12
Tribe Flood Network
  • TFN, www.cert.org, Incident Note IN-99-07

13
Botnets
  • Bots: worms, Trojan horses, backdoors
  • Command and Control: IRC (Internet Relay Chat)

"As of May 2009, the top 100 IRC networks served
more than half a million users at a time, with
hundreds of thousands of channels (the vast
majority of which stand mostly vacant),
operating on a total of roughly 1,500 servers
worldwide." (Wikipedia)
14
A Case Study
  • What can it be?
  • Spoofing
  • TFN
  • Loki

15
Reconnaissance by ICMP
  • Any of the following ICMP messages tells you
    that the host which sent it is alive.
  • Protocol Unreachable
  • Port Unreachable
  • Parameter Problem
  • Echo Reply
  • Timestamp Reply
  • Address Mask Reply

16
Identifying Routers by ICMP
  • The following ICMP messages are generated by
    routers, so they let you learn the routers.
  • Fragmentation needed but don't-fragment bit set
  • Admin prohibited
  • Time exceeded in transit
  • Network unreachable
  • Host unreachable

17
Other ICMP-based Reconnaissance
  • Admin prohibited: shows what type of traffic the
    site blocks, and which device blocks it
  • Address mask reply: the subnet mask of the
    network on which the responding host resides
  • Time exceeded in transit: used by traceroute to
    discover routers and network topology
  • Port unreachable: can be used to inversely map a
    live host's UDP ports. A port that answers with
    port unreachable is closed; one that stays
    silent is open or filtered.
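The last two bullets work because an ICMP error quotes the IP header and the first eight bytes of the datagram that caused it (RFC 792), so the receiver can tell which probe each error answers. The Python example below is added here and is not from the original presentation. It builds and parses ICMP error messages with that quoted header, inversely maps a host's UDP ports from port-unreachable and admin-prohibited replies, and recovers a router list from time-exceeded replies the way traceroute does, leaving a gap for a hop that never answers. The probe ports, TTLs and addresses are constructed for the example, and the ICMP checksum is left at zero in the constructed messages because the parser here does not verify it.

```python
import ipaddress
import struct

# ICMP types and codes used below (RFC 792 / RFC 1812).
DEST_UNREACHABLE, TIME_EXCEEDED = 3, 11
PORT_UNREACHABLE, ADMIN_PROHIBITED = 3, 13
UDP = 17


def build_ipv4_header(src: str, dst: str, proto: int = UDP, ttl: int = 1) -> bytes:
    """Minimal 20-byte IPv4 header without options; header checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def build_icmp_error(icmp_type: int, code: int, orig_src: str, orig_dst: str,
                     sport: int, dport: int) -> bytes:
    """ICMP error as a router or host sends it: 8-byte ICMP header (checksum and unused
    field zero in this constructed data), then the offending datagram's IP header and the
    first 8 bytes of its UDP header."""
    quoted = build_ipv4_header(orig_src, orig_dst) + struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted


def parse_icmp_error(raw: bytes) -> dict:
    """Recover type/code and, from the quoted header, the original src, dst, protocol and ports."""
    if len(raw) < 8 + 20 + 8:
        raise ValueError("truncated ICMP error")
    icmp_type, code = raw[0], raw[1]
    ihl = (raw[8] & 0x0F) * 4
    ip_hdr = raw[8:8 + ihl]
    if len(ip_hdr) < 20 or len(raw) < 8 + ihl + 8:
        raise ValueError("truncated quoted header")
    sport, dport = struct.unpack("!HH", raw[8 + ihl:8 + ihl + 4])
    return {"type": icmp_type, "code": code, "proto": ip_hdr[9],
            "orig_src": str(ipaddress.ip_address(ip_hdr[12:16])),
            "orig_dst": str(ipaddress.ip_address(ip_hdr[16:20])),
            "sport": sport, "dport": dport}


def inverse_map_udp(probed_ports, target: str, responses) -> dict:
    """Inverse mapping of a host's UDP ports. Port unreachable from the target itself means
    closed; admin prohibited from anyone means a filter is in the way; silence means
    open|filtered (an open UDP service usually says nothing, and rate limiting can also
    swallow the error). `responses` is a list of (sender_ip, raw_icmp_bytes)."""
    closed, filtered = set(), set()
    for sender, raw in responses:
        err = parse_icmp_error(raw)
        if err["orig_dst"] != target or err["proto"] != UDP:
            continue  # an error about somebody else's traffic
        if (err["type"], err["code"]) == (DEST_UNREACHABLE, PORT_UNREACHABLE) and sender == target:
            closed.add(err["dport"])
        elif (err["type"], err["code"]) == (DEST_UNREACHABLE, ADMIN_PROHIBITED):
            filtered.add(err["dport"])
    remaining = set(probed_ports) - closed - filtered
    return {"closed": sorted(closed), "filtered": sorted(filtered),
            "open|filtered": sorted(remaining)}


def map_path(probes: dict, target: str, responses) -> dict:
    """Traceroute-style router discovery. `probes` maps each UDP destination port to the
    TTL it was sent with. A time-exceeded error identifies the router at that TTL; a port
    unreachable from the target marks the final hop. TTLs nobody answered are simply
    absent (the '*' hops in traceroute output). Returns {ttl: address}."""
    hops = {}
    for sender, raw in responses:
        err = parse_icmp_error(raw)
        if err["dport"] not in probes:
            continue
        ttl = probes[err["dport"]]
        if err["type"] == TIME_EXCEEDED:
            hops[ttl] = sender
        elif (err["type"], err["code"]) == (DEST_UNREACHABLE, PORT_UNREACHABLE) and sender == target:
            hops[ttl] = sender
    return dict(sorted(hops.items()))


# Constructed sample traffic (RFC 5737 documentation addresses), not captured data.
SCANNER, TARGET, FIREWALL = "198.51.100.7", "192.0.2.80", "192.0.2.254"
SCAN_PORTS = {53, 111, 137, 161}
SCAN_RESPONSES = [
    (TARGET, build_icmp_error(DEST_UNREACHABLE, PORT_UNREACHABLE, SCANNER, TARGET, 40000, 111)),
    (TARGET, build_icmp_error(DEST_UNREACHABLE, PORT_UNREACHABLE, SCANNER, TARGET, 40000, 137)),
    (FIREWALL, build_icmp_error(DEST_UNREACHABLE, ADMIN_PROHIBITED, SCANNER, TARGET, 40000, 161)),
]
TRACE_PROBES = {33434: 1, 33435: 2, 33436: 3, 33437: 4, 33438: 5}
TRACE_RESPONSES = [
    ("198.51.100.1", build_icmp_error(TIME_EXCEEDED, 0, SCANNER, TARGET, 40001, 33434)),
    ("203.0.113.1", build_icmp_error(TIME_EXCEEDED, 0, SCANNER, TARGET, 40001, 33435)),
    # the TTL 3 router sends nothing: a '*' hop
    ("192.0.2.1", build_icmp_error(TIME_EXCEEDED, 0, SCANNER, TARGET, 40001, 33437)),
    (TARGET, build_icmp_error(DEST_UNREACHABLE, PORT_UNREACHABLE, SCANNER, TARGET, 40001, 33438)),
]

if __name__ == "__main__":
    print(inverse_map_udp(SCAN_PORTS, TARGET, SCAN_RESPONSES))
    print(map_path(TRACE_PROBES, TARGET, TRACE_RESPONSES))
```

Two checks in the code are the ones a practitioner actually needs: the port-unreachable must come from the target itself (a firewall answering on its behalf tells you about the firewall, not the host), and the quoted destination must be the host you probed, otherwise an error about unrelated traffic is misattributed.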

18
Block or Don't Block
  • A firewall is typically configured to allow
    inbound echo replies and outbound echo requests.
  • Why does TFN use echo replies? Because that same
    rule lets them in: inbound echo replies are
    rarely blocked. A stateful firewall that only
    admits replies matching an outbound request
    closes this gap.
  • Blocking all inbound ICMP messages will prevent
    traceroute and tracert from being executed
    internally, because the time-exceeded and
    port-unreachable replies never come back.
  • Blocking all inbound ICMP messages will prevent
    TCP from automatically figuring out the path
    MTU, because the fragmentation-needed message
    is discarded.