
5. What are some typical signatures of well-known programs?

 

5.1 traceroute

The program "traceroute" is based upon a very intelligent hack by Van Jacobson (also famous for other nifty kludges). Every IP packet has a time-to-live (TTL) field that indicates how many hops the packet can travel before being dropped. This field is needed because routers sometimes get misconfigured and will forward packets in a continuous loop: i.e. Alice forwards the packet to Bob who forwards it to Charlene who mistakenly forwards it back to Alice.

Therefore, each router decrements (subtracts 1 from) the TTL field. When it reaches zero, the router that currently has the packet will simply "drop" it (not forward it on). When a router drops a packet, it sends a message back to the sender informing it of this. This message is called an ICMP "TTL Exceeded in Transit".

The nifty thing about this is that the router uses its own IP address as the source address of the ICMP message. Therefore, if you send a packet to a target but with a TTL of only 1, the first router will receive the packet, decrement the field to 0, drop it, then send back the ICMP notification. This informs you of the first router along the route (which you probably knew anyway).

The same goes for an initial TTL of 2. The first router gets it, decrements to 1, then forwards to the second router along the route. This router then decrements to 0, drops the packet, and sends back an error ICMP message.

By continuing this process, you eventually end up with the list of routers between yourself and the target.

Versions of traceroute

There are various versions of the traceroute program. In particular, the Windows program "tracert.exe" uses pings as the packet it sends to the target. Therefore, you might see ICMP Echoes on your firewall.

The most popular "traceroute" program for UNIX systems sends UDP datagrams to port 33434 for the first packet sent, then increases this port number by one for each successive packet. This means that you will never see port 33434 on your firewall, but you will start to see successive ones starting at higher port numbers. Traceroute programs typically send 3 packets for each hop (in case some get dropped). Therefore, if somebody is 10 hops away, the first port you will see is 33434 + 3*10 = 33464.

Symptoms

Firewall administrators should learn the symptoms of traceroute activity.

port scans in 33434-33600
A brief sequential "port scan" in this range usually indicates a traceroute from a UNIX machine, as explained in this section.
incoming TTL exceeded
If someone inside the network is attempting a traceroute, then you'll see these incoming packets. Many admins allow these through the firewall.
outgoing TTL exceeded
This indicates that somebody is tracerouting you. This doesn't necessarily indicate hostile activity, but somebody is scanning you. These should be blocked by the firewall.
outgoing ICMP port unreachable
When a traceroute successfully hits a target, it will generate back-to-back "ICMP port unreachable" messages (probably 3 in a row).
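The four symptoms above can be recognised mechanically. The following is an added example, not code from the original FAQ: it classifies a handful of constructed firewall records (layout "src dst sport dport proto [icmp_type icmp_code]", with our own network assumed to be 192.0.2.0/24) into the four traceroute symptoms, and estimates hop distance from the lowest probe port using the FAQ's own rule of thumb, first port seen = 33434 + 3*hops.

```python
# Added example (not part of the FAQ): classify firewall log records for the
# four traceroute symptoms. Constructed record layout:
#   "src dst sport dport proto [icmp_type icmp_code]"   (proto 1 = ICMP, 17 = UDP)
from collections import defaultdict

TRACEROUTE_BASE = 33434      # first UDP port used by the UNIX traceroute
TRACEROUTE_HIGH = 33600      # upper end of the range the FAQ watches
PROBES_PER_HOP = 3           # traceroute sends 3 probes per hop
INSIDE_PREFIX = "192.0.2."   # assumption: our own network is 192.0.2.0/24

ICMP, UDP = 1, 17
ICMP_TIME_EXCEEDED = 11                  # "TTL exceeded in transit" is type 11
ICMP_DEST_UNREACH, PORT_UNREACH = 3, 3   # port unreachable is type 3, code 3


def parse(line):
    f = line.split()
    rec = {"src": f[0], "dst": f[1], "sport": int(f[2]), "dport": int(f[3]),
           "proto": int(f[4]), "type": None, "code": None}
    if rec["proto"] == ICMP:
        rec["type"], rec["code"] = int(f[5]), int(f[6])
    return rec


def inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def estimate_hops(lowest_port):
    """Hop distance from the FAQ's rule of thumb: first port seen = 33434 + 3*hops."""
    return (lowest_port - TRACEROUTE_BASE) // PROBES_PER_HOP


def classify(lines):
    recs = [parse(l) for l in lines]
    out = defaultdict(list)

    # Symptom 1: a brief sequential UDP sweep in 33434-33600 from one source.
    sweep = defaultdict(set)
    for r in recs:
        if r["proto"] == UDP and TRACEROUTE_BASE <= r["dport"] <= TRACEROUTE_HIGH:
            sweep[r["src"]].add(r["dport"])
    for src, ports in sweep.items():
        p = sorted(ports)
        # at least one hop's worth of probes, and every port consecutive
        if len(p) >= PROBES_PER_HOP and p[-1] - p[0] == len(p) - 1:
            out["unix_traceroute"].append((src, estimate_hops(p[0])))

    # Symptoms 2 and 3: the direction of ICMP Time Exceeded says who traces whom.
    for r in recs:
        if r["proto"] == ICMP and r["type"] == ICMP_TIME_EXCEEDED:
            key = "outgoing_ttl_exceeded" if inside(r["src"]) else "incoming_ttl_exceeded"
            out[key].append((r["src"], r["dst"]))

    # Symptom 4: back-to-back outgoing port unreachables -> a traceroute reached
    # one of our hosts.
    unreach = defaultdict(int)
    for r in recs:
        if (r["proto"] == ICMP and r["type"] == ICMP_DEST_UNREACH
                and r["code"] == PORT_UNREACH and inside(r["src"])):
            unreach[(r["src"], r["dst"])] += 1
    for (src, dst), n in unreach.items():
        if n >= PROBES_PER_HOP:
            out["traceroute_hit_target"].append((src, dst, n))
    return dict(out)


# Constructed sample: an outside host 10 hops away traces 192.0.2.10 (three
# probes, then three port unreachables back), our border router 192.0.2.1
# expires a stranger's probe, and an inside host runs its own traceroute out.
SAMPLE = [
    "203.0.113.5 192.0.2.10 40000 33464 17",
    "203.0.113.5 192.0.2.10 40001 33465 17",
    "203.0.113.5 192.0.2.10 40002 33466 17",
    "192.0.2.10 203.0.113.5 0 0 1 3 3",
    "192.0.2.10 203.0.113.5 0 0 1 3 3",
    "192.0.2.10 203.0.113.5 0 0 1 3 3",
    "192.0.2.1 198.51.100.9 0 0 1 11 0",
    "198.51.100.1 192.0.2.20 0 0 1 11 0",
]

if __name__ == "__main__":
    for kind, hits in classify(SAMPLE).items():
        print(kind, hits)
```

The sequential-port test is deliberately strict (every port in the run consecutive); a real log will interleave unrelated traffic, so in practice the records are first grouped by source and a short time window before the check is applied.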

Other

Some traceroutes are designed to bypass firewalls. See http://www.packetfactory.net/Projects/Firewalk/firewalk-final.html for more information.

5.2 sscan

The 'sscan' tool has become a popular scanning tool on the Internet. It not only "port scans" but attempts to discover some common vulnerabilities. There are several versions of sscan, and it is very configurable, so matching an exact signature to this program may be difficult. The 'sscan' program is derived from the older 'mscan' tool.

An sscan goes through several phases:

TCP ACK pings
The program will attempt to see if the host is reachable by scanning for the most common services, namely ports 23/telnet, 25/smtp, 110/pop3, 143/imap4, 80/http. This phase is easily detected because both the source and destination port are the same.
connection attempts
Connection attempts are made to several services in order to see if they are available. This is highly configurable. Typically configured probes are those above, as well as 111/rpc, 6000/x-windows, 79/finger, 53/dns, 31337/elite, 139/netbios (SMB), 21/ftp, 1114/msql, 1/tcpmux.
OS fingerprint
sscan contains a basic OS fingerprinting technique, easily detected because it uses source ports 1-5. The fingerprinting is not as complete as the techniques used by Queso or nmap.
vulnerability assessment
It then looks at the ports that are open and checks the banners that might indicate a vulnerable version of one of the services. It also scans for a range of known vulnerable CGI scripts.
script execution
Depending upon what it finds, it can further launch configured scripts against the system.

Example

The following is a record pulled from an intrusion detection system.

ports=1 22 23 25 53 79 110 111 143 1114 2766 6000 31337

Unfortunately, the system consolidates alerts, discards duplicates, and keeps the port numbers in sort order. In a real scan, several of the ports would have duplicate connection attempts, and port 1/tcpmux would be one of the last probes, not one of the first.
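The three phases that leave a distinctive mark on a firewall (ACK pings with identical source and destination ports, a connection sweep across the usual service list, and fingerprint packets from source ports 1-5) can be picked out per source address. This is an added example, not the FAQ's or sscan's own code; it works on constructed TCP records in the layout "src dst sport dport flags" and assumes a threshold of five distinct probed ports before a plain connection sweep counts as a scan.

```python
# Added example (not part of the FAQ): spot the sscan phases in firewall records.
# Constructed layout for TCP records: "src dst sport dport flags", where flags is
# a string such as "S" (SYN) or "A" (ACK only).
from collections import defaultdict

ACK_PING_PORTS = {23, 25, 110, 143, 80}   # ports sscan "pings" with bare ACKs
FINGERPRINT_SPORTS = set(range(1, 6))     # the OS fingerprint uses source ports 1-5
# services the FAQ lists as typical sscan connection probes
SSCAN_PROBE_PORTS = {1, 21, 23, 25, 53, 79, 80, 110, 111, 139, 143, 1114, 6000, 31337}
MIN_PROBED_PORTS = 5   # assumption: fewer distinct probes is treated as ordinary traffic


def parse(line):
    src, dst, sport, dport, flags = line.split()
    return {"src": src, "dst": dst, "sport": int(sport), "dport": int(dport), "flags": flags}


def phases_by_source(lines):
    """Per source: {"ack_ping": ports, "connect": ports, "fingerprint": source ports}."""
    seen = defaultdict(lambda: {"ack_ping": set(), "connect": set(), "fingerprint": set()})
    for r in map(parse, lines):
        s = seen[r["src"]]
        # Phase 1: ACK-only packet with identical source and destination port
        if r["flags"] == "A" and r["sport"] == r["dport"] and r["dport"] in ACK_PING_PORTS:
            s["ack_ping"].add(r["dport"])
        # Phase 3: anything sent from source port 1..5 (checked before the SYN
        # rule, because fingerprint probes may carry a SYN flag too)
        elif r["sport"] in FINGERPRINT_SPORTS:
            s["fingerprint"].add(r["sport"])
        # Phase 2: plain connection attempts (SYN) to the usual probe list
        elif r["flags"] == "S" and r["dport"] in SSCAN_PROBE_PORTS:
            s["connect"].add(r["dport"])
    return seen


def sscan_sources(lines):
    """Sources showing the ACK-ping phase plus a broad connect sweep or fingerprint probes."""
    hits = []
    for src, s in phases_by_source(lines).items():
        if s["ack_ping"] and (len(s["connect"]) >= MIN_PROBED_PORTS or s["fingerprint"]):
            hits.append(src)
    return hits


# Constructed sample: one scanner working through all three phases against
# 192.0.2.10, plus an ordinary web client that must not be flagged.
SCANNER, TARGET = "203.0.113.9", "192.0.2.10"
SAMPLE = (
    [f"{SCANNER} {TARGET} {p} {p} A" for p in (23, 25, 110, 143, 80)]
    + [f"{SCANNER} {TARGET} {1025 + i} {p} S"
       for i, p in enumerate((21, 23, 25, 53, 79, 110, 111, 143, 6000, 31337, 1))]
    + [f"{SCANNER} {TARGET} {sp} 23 S" for sp in range(1, 6)]
    + ["198.51.100.4 192.0.2.10 2000 80 S"]
)

if __name__ == "__main__":
    print(sscan_sources(SAMPLE))
```

Because sscan is configurable, the connect-phase port list above is only the FAQ's "typical" set; the ACK-ping and source-port-1-5 rules are the parts of the signature that survive reconfiguration and are worth alerting on by themselves.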

More info

[IN-99-01]

5.3 Proxy scanners

One of the most common scans on the Internet looks for HTTP proxy servers. Normally, the hackers aren't looking to compromise systems; they simply want the ability to "anonymize" their connections. For example, most anonymous e-mail services (HotMail, Yahoo mail, etc.) will store the IP address in the e-mail headers, making them not so anonymous (many people have been caught this way). By bouncing HTTP traffic through a proxy server, the hacker can completely erase his/her tracks.

In late summer of 1999, probes for ports 80/8080/3128 were particularly noticed. These came from all over the Internet and were fairly disjoint. They came from a Trojan Horse called "Ring0" (RingZero). It would infect PCs, then scan random IP addresses for proxy servers. The SANS Institute (a security training/conference organization) coordinated an effort to track down exactly what was happening from reports from many of their customers. A common symptom of this Trojan is 3 probes spaced within a minute from the same IP address. More information can be found at: http://www.sans.org/newlook/resources/ringzero.htm. A news article by CMP can be found at: http://www.techweb.com/wire/story/TWB19991013S0018

A list of open proxies can be found at: http://freebooks.hypermart.net/proxy/proxies.htm

Ports with variations of the "80" theme (81, 88, 8000, 8080, 8888, etc.) are most commonly used for proxies. In addition, a popular free proxy server called "squid" runs at port 3128.
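The RingZero symptom (probes to 80, 8080 and 3128 from one address within a minute) is a time-window rule rather than a single-packet match. The following added example, not part of the FAQ, implements it over constructed SYN records in the layout "epoch_seconds src dst dport", and also reports any source that touches two or more of the "80-theme" proxy ports listed above, which catches slower, hand-driven proxy hunting as well.

```python
# Added example (not part of the FAQ): proxy-scanner signatures.
# Constructed record layout (TCP SYNs only): "epoch_seconds src dst dport"
from collections import defaultdict

RINGZERO_PORTS = {80, 8080, 3128}      # the three ports the Trojan probed
WINDOW_SECONDS = 60                     # "3 probes spaced within a minute"
# the "80 theme" ports plus squid, per the FAQ
PROXY_LIKE_PORTS = {80, 81, 88, 8000, 8080, 8888, 3128}


def parse(line):
    t, src, dst, dport = line.split()
    return int(t), src, dst, int(dport)


def ringzero_sources(lines):
    """Sources that hit all three RingZero ports inside some 60-second window."""
    by_src = defaultdict(list)
    for t, src, _dst, dport in map(parse, lines):
        if dport in RINGZERO_PORTS:
            by_src[src].append((t, dport))
    hits = []
    for src, probes in by_src.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):
            # every probe within 60 s of probe i; do they cover all three ports?
            window = {p for t, p in probes[i:] if t - t0 <= WINDOW_SECONDS}
            if RINGZERO_PORTS <= window:
                hits.append(src)
                break
    return hits


def proxy_sweeps(lines):
    """Sources touching two or more distinct proxy-like ports, with the ports seen."""
    ports = defaultdict(set)
    for _t, src, _dst, dport in map(parse, lines):
        if dport in PROXY_LIKE_PORTS:
            ports[src].add(dport)
    return {src: p for src, p in ports.items() if len(p) >= 2}


# Constructed sample: one RingZero-style burst, one slow sweep of the same
# three ports spread over many minutes, and an ordinary client making
# repeated port-80 connections.
SAMPLE = [
    "1000 203.0.113.7 192.0.2.5 80",
    "1020 203.0.113.7 192.0.2.5 8080",
    "1045 203.0.113.7 192.0.2.5 3128",
    "1000 198.51.100.8 192.0.2.5 80",
    "1300 198.51.100.8 192.0.2.5 3128",
    "2000 198.51.100.8 192.0.2.5 8080",
    "1010 203.0.113.44 192.0.2.5 80",
    "1015 203.0.113.44 192.0.2.5 80",
    "1030 203.0.113.44 192.0.2.5 80",
]

if __name__ == "__main__":
    print(ringzero_sources(SAMPLE))
    print(proxy_sweeps(SAMPLE))
```

Requiring all three distinct ports inside the window is what keeps a busy but legitimate web client (three port-80 connections in a minute) from tripping the rule.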

5.4 smurf/fraggle

Smurf/fraggle programs send packets to broadcast addresses with a spoofed source address of the victim. Everybody on that subnet then sends responses back to that address, flooding it.

A smurf is a ping (ICMP Echo Request) whereas a fraggle is a UDP port 7/echo. These are named after the programs/scripts that first implemented them.

These packets are sent to broadcast addresses. In IP, a directed broadcast has all the "host" bits set to either one or zero. This means an address that looks something like 192.0.2.0 or 192.0.2.255 is likely a broadcast. The key thing to remember is that such addresses are only broadcasts if the router on that subnet chooses to interpret it as a broadcast. If that router has this configured as a broadcast in its routing tables, it will forward the single IP packet as broadcast on that (Ethernet) segment, causing all systems on that (Ethernet) segment to receive the packet.

Therefore, there are two configuration problems:

  • Routers forwarding directed broadcasts.
  • Systems responding to broadcasts.

Both can be fixed.

5.4.1 fraggle signature

Somebody saw the following incident with millions of incoming packets. Below are some examples of these packets:
source         destination   sport  dport  protocol
212.187.65.86  192.0.3.63    7744   7      17
212.187.65.86  192.0.2.128   6537   7      17
212.187.65.86  192.0.2.63    29432  7      17
212.187.65.86  192.0.2.128   15793  7      17
212.187.65.86  192.0.2.191   17367  7      17
212.187.65.86  192.0.3.63    29210  7      17
212.187.65.86  192.0.3.127   351    7      17
212.187.65.86  192.0.2.127   17330  7      17

Some questions that have been asked about this are:

Q: Why are these only aimed at strategic points like broadcast addresses?
A: Because if a single packet is sent to a broadcast, then it generates lots of responses to the spoofed address of the victim.

Q: I monitor multiple networks. Why is only this network being attacked this way?
A: Your network isn't being attacked; instead it is the third party in a fraggle attack. Your network is being used to attack somebody else (the source address of the packets, which is spoofed). Either your other networks aren't nearly as effective as fraggle amplifiers, or they haven't been registered in smurf/fraggle registries yet. Hackers rarely look for their own amplifiers, but instead simply look up good amplifiers in such directories. If you get registered, then multiple hackers will use/abuse your network.

Q: Why port UDP 7 only?
A: There are a number of reasons. The first is that script-kiddies aren't too bright. If the only scripts available use port 7, then that is all they can use. Secondly, the service has to respond to broadcast requests. Therefore, you cannot use TCP (which will only respond to directed queries). Many other UDP services only respond to directed queries. Finally, when fraggle was first developed, many firewalls allowed Echos to pass through (because they were used for performance monitoring). More dangerous protocols like NetBIOS (port 137) are already blocked by firewalls.
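The fraggle packets in the table above share three properties: protocol 17 (UDP), destination port 7, and a destination whose host bits are all ones or all zeros. The following added example, not part of the FAQ, applies those three tests to the eight table rows plus one constructed control packet and reports the spoofed source, which is the real victim. Since the amplifier's subnet layout is not known from the outside, it treats an address as a directed broadcast if it is the network or broadcast address for any prefix length from /24 to /28 (an assumption; the table's .63/.127/.191 addresses fit /25 and /26 subnets).

```python
# Added example (not part of the FAQ): recognise fraggle amplification traffic in
# records shaped like the table above ("source destination sport dport protocol").
import ipaddress
from collections import defaultdict

UDP, ECHO_PORT = 17, 7
# Assumption: the amplifier's subnetting is unknown, so test every prefix
# length from /24 to /28 for the all-zeros / all-ones host address.
PREFIX_RANGE = range(24, 29)


def is_directed_broadcast(ip):
    """True if ip is the network or broadcast address of some /24../28 subnet."""
    addr = ipaddress.ip_address(ip)
    for plen in PREFIX_RANGE:
        net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        if addr in (net.network_address, net.broadcast_address):
            return True
    return False


def fraggle_victims(lines):
    """Map spoofed source (the real victim) -> count of broadcast echo packets carrying it."""
    victims = defaultdict(int)
    for line in lines:
        src, dst, _sport, dport, proto = line.split()
        if int(proto) == UDP and int(dport) == ECHO_PORT and is_directed_broadcast(dst):
            victims[src] += 1
    return dict(victims)


# Sample: the eight packets from the FAQ's table, plus one constructed control
# line: an echo request to an ordinary host, which is not amplification.
SAMPLE = [
    "212.187.65.86 192.0.3.63 7744 7 17",
    "212.187.65.86 192.0.2.128 6537 7 17",
    "212.187.65.86 192.0.2.63 29432 7 17",
    "212.187.65.86 192.0.2.128 15793 7 17",
    "212.187.65.86 192.0.2.191 17367 7 17",
    "212.187.65.86 192.0.3.63 29210 7 17",
    "212.187.65.86 192.0.3.127 351 7 17",
    "212.187.65.86 192.0.2.127 17330 7 17",
    "198.51.100.3 192.0.2.77 5000 7 17",
]

if __name__ == "__main__":
    for victim, count in fraggle_victims(SAMPLE).items():
        print(f"{victim} is being fraggled via {count} broadcast echo packets")
```

The two fixes the FAQ names map to concrete settings: on Cisco IOS the per-interface command `no ip directed-broadcast` stops the router forwarding such packets (it is the default in IOS 12.0 and later), and on the hosts the UDP echo service should be disabled in inetd, while for the smurf (ICMP) variant Linux hosts can set `net.ipv4.icmp_echo_ignore_broadcasts = 1`.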

More

   
[an error occurred while processing this directive]
Click Here!