Intrusion Detection Systems mailing list archives

Re: Determining when something is NOT random (Dragon's mkicmp tool)
From: Ron Gula <rgula () network-defense com>
Date: Tue, 25 Jul 2000 07:32:18 -0400

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------

Are there any tools/techniques to determine when something
is NOT random?

For example, I have a system that was hit with ICMP_ECHO 
packets from 47 systems within two hours.  Based on the
packets, I can determine that the same tool was used
to generate them.  What I want to determine is if the 47
source systems were randomly generated by the tool (as 
often done by Syn Flooding tools) or if the 47 systems 
involved were not randomly generated.  If the 47 Src systems 
were NOT randomly generated, this may indicate that all 47
systems are actual systems used in the 'attack'.

If you can determine that the packets were from the same tool,
then you are probably dealing with spoofed packets which may
have random payloads, but are definitely not random. 

We have a utility with the Dragon Sensor which looks at all 
collected ICMP traffic and lists it based on its payload. Here
is an example output:

01:09:18  199.129.36.1    199.156.49.17      8   0 RPT BIN [E]x32 
01:09:18  199.156.49.17   199.129.36.1       0   0 RPT BIN [E]x32 
01:21:00  166.3.72.1      199.128.159.70     8   0 RPT BIN [00]x49 
01:24:55  199.131.126.33  199.128.159.70     8   0 RPT BIN [00]x49 
01:33:33  166.2.214.10    199.128.159.70     8   0 RPT BIN [00]x49 
01:33:33  166.2.214.10    199.128.159.70     8   0 RPT BIN [00]x49 
01:35:24  199.129.36.1    199.156.49.27      8   0 RPT BIN [E]x32 
01:35:25  199.156.49.27   199.129.36.1       0   0 RPT BIN [E]x32 
01:39:58  199.131.126.33  199.128.159.70     8   0 RPT BIN [00]x49 
01:51:20  166.3.72.1      199.128.159.70     8   0 RPT BIN [00]x49 
01:54:33  199.129.209.201 206.239.164.14     8   0 INC BIN "ASCII-PATTERN"
01:54:36  199.129.209.201 206.239.164.14     8   0 INC BIN "ASCII-PATTERN"
01:54:38  199.129.209.201 206.239.164.14     8   0 INC BIN "ASCII-PATTERN"
01:56:50  199.128.156.53  204.71.200.75      8   0 INC ASC "NUMBERS"
01:57:20  199.128.156.53  204.71.200.75      8   0 INC ASC "NUMBERS"
01:57:50  199.128.156.53  204.71.200.75      8   0 INC ASC "NUMBERS"
01:58:20  199.128.156.53  204.71.200.75      8   0 INC ASC "NUMBERS"
01:59:20  199.128.156.53  204.71.200.75      8   0 INC ASC "NUMBERS"
01:59:50  199.128.156.53  204.71.200.75      8   0 INC ASC "NUMBERS"
02:04:44  199.147.28.252  141.232.1.11       8   0 RPT BIN [CD]x52 
02:04:47  199.147.28.252  141.232.1.11       8   0 RPT BIN [CD]x52 
02:04:51  199.147.28.252  141.232.1.11       8   0 RPT BIN [CD]x52 
02:04:54  199.147.28.252  141.232.1.11       8   0 RPT BIN [CD]x52 
02:04:57  199.147.28.252  141.232.1.11       8   0 RPT BIN [CD]x52 

The first five fields are time, source IP, dest IP, icmp type and icmp
code. The next field evaluates the payload. If the data is incrementing
or decrementing (like 'ABCDEFGHI' or '987654321') it gets a 'DEC' or
'INC' tag. If the data is repeating, then it gets a 'RPT' tag and 
finally, if the data has a certain level of randomness, then it gets
a 'RND' tag. The next field tags if the data is all ASCII or has any
binary data. The last field prints out the repeating value or whether the
payload matches that of a known ICMP payload pattern. 

We wrote this tool because the Dragon Sensor has a lot of statistical
profiling of ICMP traffic which looks for backdoors, i.e. ping conversations
where the sequence number never changes and imbalanced icmp ping request
and ping reply counts per IP. There are lots of false positives with 
these types of tests, and the mkicmp tool helps to quickly analyze the 
events that are recorded. 

If you have read this far then you may be interested to know that at
NSW, we have run into lots of ICMP backdoors besides Loki, BO2K and
TFN stuff. There are many simple ICMP backdoors available and it is
trivial to write your own. There are tools available that can encrypt
traffic in an ICMP 'channel'. We've even seen SSH v1 ported to use
ICMP as a transport layer. 

Ron Gula
Network Security Wizards
http://www.securitywizards.com
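As an added example (not the Dragon Sensor's mkicmp code), the following Python script applies the INC/DEC/RPT/RND and ASC/BIN tagging described in the message above to ICMP payloads and prints rows in the same column layout. The entropy threshold used for RND, the format of the detail field and the sample packets are assumptions made here.

```python
# Added example (not mkicmp itself): tag ICMP payloads INC/DEC/RPT/RND and ASC/BIN.
from collections import Counter
from math import log2

def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for a constant payload."""
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())

def smallest_period(data: bytes) -> int:
    """Shortest unit that repeats to form data; len(data) if nothing repeats."""
    for p in range(1, len(data) // 2 + 1):
        if all(data[i] == data[i % p] for i in range(len(data))):
            return p
    return len(data)

def classify_payload(data: bytes, rnd_threshold: float = 3.5) -> tuple:
    """Return (pattern_tag, charset_tag, detail); detail is the text for ASC, leading hex for BIN."""
    if not data:
        return "---", "ASC", '""'
    charset = "ASC" if all(32 <= b < 127 for b in data) else "BIN"
    detail = f'"{data.decode("latin-1")}"' if charset == "ASC" else data[:8].hex(" ")
    period = smallest_period(data)
    if period < len(data):                       # RPT: one unit repeats across the payload
        unit = " ".join(f"{b:02X}" for b in data[:period])
        return "RPT", charset, f"[{unit}]x{len(data) // period}"
    steps = {(b - a) % 256 for a, b in zip(data, data[1:])}
    if steps == {1}:                             # INC: +1 per byte, e.g. ABCDEFGHI
        return "INC", charset, detail
    if steps == {255}:                           # DEC: -1 per byte, e.g. 987654321
        return "DEC", charset, detail
    if byte_entropy(data) >= rnd_threshold:      # RND: entropy above the (assumed) threshold
        return "RND", charset, f"H={byte_entropy(data):.2f}"
    return "---", charset, detail                # structured, but none of the above

def format_line(ts: str, src: str, dst: str, itype: int, code: int, payload: bytes) -> str:
    """One listing row in the column order of the mkicmp output above."""
    pattern, charset, detail = classify_payload(payload)
    return f"{ts:<9} {src:<15} {dst:<15} {itype:>3} {code:>3} {pattern} {charset} {detail}"

# Constructed sample packets (time, src, dst, type, code, payload), not from the listing.
SAMPLE = [("01:21:00", "10.0.0.1", "10.0.0.9", 8, 0, b"\x00" * 49),
          ("01:54:33", "10.0.0.2", "10.0.0.9", 8, 0, b"ABCDEFGHI"),
          ("02:10:02", "10.0.0.3", "10.0.0.9", 8, 0, b"987654321"),
          ("02:11:40", "10.0.0.4", "10.0.0.9", 8, 0, b"\xde\xad\xbe\xef" * 8),
          ("02:12:00", "10.0.0.5", "10.0.0.9", 8, 0, bytes.fromhex("8f1ac3075ed239ab64f02c91b748e513"))]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(format_line(*pkt))
```

Byte entropy alone only says a payload looks random; as the thread's question points out, a structured generator can still produce high-entropy data, so the RND tag is a prompt for closer inspection rather than a verdict.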