MYSTERY TRAFFIC - PowerPoint PPT Presentation
Provided by: MW895
1
MYSTERY TRAFFIC
2
Objective
  • To analyze strange traffic that is directed to a
    certain part of a network

3
What is mystery traffic?
  • Unexplained, unusual traffic that catches the
    attention of a security analyst
  • The author explains an example from a site where
    unexplained activity was directed at TCP
    destination port 27374.

4
  • The sheer volume of the traffic alone made it
    worth investigating
  • The Shadow sensor (an intrusion detection system)
    was used to analyze the individual packet fields
  • The question was whether the traffic was harmful
    or not

5
More on the event
  • The Shadow sensor detected a large number of
    source hosts scanning the site's class B address
    space for TCP destination port 27374.
  • TCP destination port 27374 is normally associated
    with the SubSeven Trojan, which gives an attacker
    full remote access to the infected system.

6
  • The author describes the activity and traffic in
    the next slide.
  • The graphic shows source and destination hosts.
    Oddly, the timestamps advance in 10 ms steps
    instead of in microseconds.

7
(Graphic of the source and destination hosts; no transcript)
8
DDoS? Scan?
  • At first glance it was unclear whether this was a
    DDoS or a scan.
  • The individual fields were studied after the
    second scan.
  • Additional information was used to determine the
    nature of the attack.

9
Source hosts
  • Examine the source hosts to determine the nature
    of the attack
  • In the author's case:
  • 1st scan
  • 132706 packets - 314 unique source hosts
  • of the 314, 17 had no DNS registered host names

10
  • 2nd scan
  • 157842 packets - 295 unique source hosts, 24 had
    no DNS registered host names
  • What does this mean?
  • Source IP addresses either do or do not reflect
    the real sender
  • If they are the actual sender, no subterfuge
    (deception) was used in sending the packet
  • Otherwise, a spoofed IP address was placed in the
    packet.
  • However, for this case:
  • It appears that the sources are REAL, since it is
    unlikely that randomly generated IP numbers would
    resolve to host names 91.9-94.6% of the time.

11
Destination Hosts
  • Provide more evidence of a scan
  • The scanned network is class B, with 65535 IP
    numbers to scan; the first scan hit 32367 unique
    destination hosts and the second scan 36638
    unique destination hosts.
  • The more plausible explanation for the missing
    destination subnets and destination hosts is that
    the zombies assigned to scan those subnets were
    somehow not active or responsive during the
    scanning.
  • One unique source host scanned most destination
    hosts.
  • The scanner appears to have some redundancy of
    scanned hosts to ensure a response.

12
Scanning Rates
  • The scanning rate of the source hosts is an
    indication of a scan versus a flood.
  • The scans sustained activity for 5-6 minutes; the
    ramp-up time was fast and there was a burst of
    activity during the first two minutes.
  • Bandwidth consumption was computed on the basis
    that each packet was a SYN packet with TCP
    options and no payload.

13
continued
  • Most packets had a length of 48 bytes; a few had
    more and a few had 4 bytes less, depending on the
    number and types of TCP options used.
  • A standard packet has a 20-byte IP header with no
    IP options.
  • Since the majority of packets had a length of 48
    bytes, that was used as the packet length for the
    computation of bandwidth consumption.
  • Bandwidth is measured in bps, so the packet length
    used was 384 (48 × 8) bits.

14
  • The peak activity indicated some kind of
    coordination by the commander, who allocated
    scanning assignments and rates to the zombies.
  • A peak might be due to more scanning hosts being
    active during that second, or to an increase in
    the number of packets sent per host.
  • Further scrutiny of the data revealed that the
    peaks and valleys correlated with an increased
    number of scanning hosts.

15
21 Second Mystery
  • A 21-second peak was examined in the SubSeven
    traffic.
  • It preceded the peak activity of the two scans and
    later a third; because it occurred three times it
    was unlikely to be a mere coincidence.
  • The way to resolve the mystery was to combine the
    backoff times for retries and then plot the
    traffic separately for initial SYNs and retries.
  • This revealed that the 21-second peak rate was an
    overlap of retries from different initial waves
    of SYN activity.

16
Fingerprinting Participant Hosts
  • Assuming that the zombie hosts have been infected
    with some malware, is there a specific OS that it
    exploits to turn a host into a zombie?
  • Passive fingerprinting categorizes the OS by
    looking at unique field values
  • Other fields such as Type of Service and the
    Don't Fragment bit can also be examined.

17
TTL Values
  • Used to identify the scanning host's operating
    system.
  • Arriving TTL values are helpful in estimating the
    initial TTL values.
  • For instance, if an arriving TTL is 50, it is
    assumed to have an initial TTL value of 64 and
    not 128, although strictly either initial TTL
    value would be valid.

18
TCP Window size
  • A given operating system has a default value for
    the TCP window size, and the window size can
    change dynamically as data is received and
    processed.
  • The initial window size can be used to
    fingerprint the operating system.
  • The user or administrator can customize this but
    commonly the default is used.

19
TCP Options
  • Maximum Segment Size (MSS) represents the maximum
    amount of payload that a TCP segment can carry.
  • The Maximum Transmission Unit (MTU) is used to
    determine the media on which the sending host
    resides.
  • The MSS might reflect the path MTU rather than the
    local MTU.

20
Sender
The sender might send a discovery packet that
looks for the smallest MTU from source to
destination by setting the DF flag on the packet.
  • IF ICMP error messages "unreachable - need to
    frag (MTU)" are returned: they contain the MTU
    size of the link that is smaller than the size
    of the local MTU. The sender can decrease the
    size of the packets to avoid fragmentation.
  • IF no ICMP error messages are returned: the size
    of the local MTU for packaging packets will not
    cause fragmentation.
The point is that it is possible that the MSS
might not reflect the local MTU.
21
  • The figure above reveals that the greatest
    percentage of scanning hosts resided on a link
    with an MTU of 1500.
  • Although an MSS of 536 is associated with PPP and
    dial-up modems, it is supposed that most of those
    hosts reside on ISDN, which uses the same MSS.
  • The scenario is that these are all zombie hosts
    that are directed to perform some type of
    activity at a given time.
  • If a zombie is associated with a dial-up
    connection, this might not be a sustained
    connection unless there is some kind of
    dedicated phone line for the traffic.
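The passive fingerprinting fields from slides 16-21 (initial TTL estimate, hop count, window size, MSS-derived MTU and link type) worked through in code. This is an added example, not code from the presentation or its author; the initial TTL set, the MSS-to-link table and the OS guesses are assumptions for illustration, and the MTU derived from the MSS may be a path MTU rather than the local MTU, as slide 20 cautions.

```python
from collections import Counter

# Common initial TTL values used by TCP/IP stacks (assumption in this example).
INITIAL_TTLS = (32, 64, 128, 255)

# Illustrative (initial TTL, default window) pairs; not an exhaustive fingerprint database.
OS_GUESS = {(128, 8192): "Windows (illustrative)", (64, 5840): "Linux (illustrative)"}

# MSS values to the link types the slides discuss (assumed mapping).
LINK_BY_MSS = {1460: "Ethernet (MTU 1500)", 536: "PPP dial-up or ISDN (MTU 576)"}

def estimate_initial_ttl(arriving_ttl):
    """Smallest common initial TTL that is >= the arriving TTL:
    an arriving TTL of 50 is assumed to have started at 64, not 128."""
    for candidate in INITIAL_TTLS:
        if arriving_ttl <= candidate:
            return candidate
    raise ValueError("TTL outside the 8-bit range")

def hop_count(arriving_ttl):
    """Hops traversed, given the estimated initial TTL."""
    return estimate_initial_ttl(arriving_ttl) - arriving_ttl

def mtu_from_mss(mss, ip_header=20, tcp_header=20):
    """MSS plus minimal IP and TCP headers (no options) gives the MTU the
    MSS was derived from; it may be the path MTU rather than the local MTU."""
    return mss + ip_header + tcp_header

def fingerprint(ttl, window, mss):
    """Summarise the passive fingerprinting fields of one SYN packet."""
    initial = estimate_initial_ttl(ttl)
    return {
        "initial_ttl": initial,
        "hops": hop_count(ttl),
        "os": OS_GUESS.get((initial, window), "unknown"),
        "mtu": mtu_from_mss(mss),
        "link": LINK_BY_MSS.get(mss, "unknown"),
    }

def link_distribution(syns):
    """Percentage of scanning hosts per inferred link type (slide 21's figure)."""
    counts = Counter(fingerprint(*s)["link"] for s in syns)
    total = sum(counts.values())
    return {link: round(100 * n / total, 1) for link, n in counts.items()}

# Constructed sample of (arriving TTL, window size, MSS) values from SYN packets.
SAMPLE_SYNS = [(114, 8192, 1460), (116, 8192, 1460), (50, 5840, 1460), (120, 8192, 536)]
```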

22
  • Many dial-up connections are at the mercy of DHCP,
    with an IP number leased for a certain period of
    time.
  • How would the commander direct a zombie with a
    changing IP number to launch activity?
  • Zombies report home to the commander periodically.
    Therefore, only the ones that are active and
    online just before the attack are directed to
    participate in the attack.

23
TCP Retries
  • When a source host attempts a TCP connection to a
    destination host and is unsuccessful, yet gets no
    indication of the failure, it attempts one or
    more retries.
  • A source host is not notified of a failure if the
    connection packet never gets to the destination
    or the destination host's response doesn't get
    back to the source.

(Diagram: the source host attempts a TCP connection
to the destination host; a retry carries the same
source and destination hosts, ports, and TCP
sequence number as the initial attempt.)
24
  • The number of successive retries and the backoff
    time between retries is TCP/IP stack dependent.
  • Retries are generated by code that uses socket
    connections. The socket uses the TCP and IP
    layers to form the appropriate headers and the
    values in those headers.
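The analysis from slides 13, 15 and 23-24 carried through on constructed data: retries are recognised by a repeated (source, destination, ports, sequence number) key, initial SYNs and retries are counted per second separately, and bandwidth is computed at 48 bytes (384 bits) per SYN. This is an added example, not code from the presentation or its author; the sample records and the 3 s / 6 s backoff spacing are assumptions.

```python
from collections import Counter

# Constructed sample SYN records: (timestamp in seconds, src, dst, sport, dport, seq).
# A retry repeats the hosts, ports and sequence number of the initial attempt;
# the backoff spacing used here (3 s, then 6 s) is an assumption.
SYN_RECORDS = [
    (0.0, "10.0.0.1", "192.0.2.10", 1025, 27374, 1000),
    (0.1, "10.0.0.2", "192.0.2.11", 1026, 27374, 2000),
    (3.0, "10.0.0.1", "192.0.2.10", 1025, 27374, 1000),   # retry
    (3.1, "10.0.0.2", "192.0.2.11", 1026, 27374, 2000),   # retry
    (3.2, "10.0.0.3", "192.0.2.12", 1027, 27374, 3000),   # new initial SYN
    (9.0, "10.0.0.1", "192.0.2.10", 1025, 27374, 1000),   # second retry
    (9.1, "10.0.0.3", "192.0.2.12", 1027, 27374, 3000),   # retry
]

# 20-byte IP header + 20-byte TCP header + 8 bytes of TCP options, no payload.
SYN_PACKET_BYTES = 48

def split_initial_and_retries(records):
    """Label each SYN as initial or retry: a retry repeats the
    (src, dst, sport, dport, seq) key of an earlier SYN."""
    seen = set()
    initial, retries = [], []
    for rec in sorted(records, key=lambda r: r[0]):
        key = rec[1:]
        if key in seen:
            retries.append(rec)
        else:
            seen.add(key)
            initial.append(rec)
    return initial, retries

def per_second_rates(records):
    """Packet count per one-second bucket, keyed by int(timestamp)."""
    return Counter(int(r[0]) for r in records)

def bits_per_second(rate_table, packet_bytes=SYN_PACKET_BYTES):
    """Bandwidth per bucket in bps: packet count x packet length x 8 bits."""
    return {sec: n * packet_bytes * 8 for sec, n in rate_table.items()}

def peak_second(records):
    """The busiest second, its total SYN count, and how many of those were retries.
    A peak dominated by retries is an overlap of earlier SYN waves, not a new wave."""
    total = per_second_rates(records)
    _, retries = split_initial_and_retries(records)
    sec, count = max(total.items(), key=lambda kv: kv[1])
    return sec, count, per_second_rates(retries)[sec]
```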

25
Summary
  • A very efficient scan
  • The scan was conducted by zombie hosts, mostly
    Windows hosts
  • Perhaps the scan was meant to find other zombie
    hosts
  • An efficient way to maximize a scan
  • Shows the number of vulnerable hosts that can be
    taken over for malicious purposes