Date:      Mon, 4 Dec 1995 19:43:51 +0200 (EET)
From:      "Andrew V. Stesin" <stesin@elvisti.kiev.ua>
To:        security@freebsd.org
Subject:   Stealth Scanning - Bypassing Firewalls/SATAN Detectors (fwd)
Message-ID:  <199512041743.TAA14123@office.elvisti.kiev.ua>

Forwarded message:
>From <@relay1.carrier.kiev.ua:kiae!demos!kremvax.demos.su!GreatCircle.COM!firewalls-owner> Mon Dec  4 11:22:54 1995
X-Sender: vin@shore.net
Message-Id: <v02130500ace83efd1f3a@[198.115.179.219]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 4 Dec 1995 01:21:11 -0500
To: firewalls@GreatCircle.COM
From: Christopher Klaus <cklaus@iss.net> (by way of vin@shore.net (Vin McLellan))
Subject: Stealth Scanning - Bypassing Firewalls/SATAN Detectors
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

An interesting warning issued Friday to subscribers of Chris Klaus' new
"Alert" mailing list. -vbm

        Stealth Scanning - Bypassing Firewalls and SATAN Detectors
        ----------------------------------------------------------


Administrators need tools to find out what is going on in their network.
Maybe an internal employee has installed an unauthorized web server and
put proprietary information online, allowing anyone to access it; how
does an administrator find out that there is even a web server running on
their network?  Many administrators use tools called TCP Port scanners.
These programs which try to connect to all possible ports on a machine
find which services are running.  This information gives a network
administrator better ability to understand and be aware of how his or her
network is configured.  Unfortunately, this technology is a double-edged
sword because intruders can scan other networks and be able to gather
information that helps better mount an attack.  The intruder now knows
which machines are running and what services are available.  TCP port
scanning is built into shareware auditing tools, such as
ISS (Internet Security Scanner) and SATAN.  These tools were intended
to help administrators correct security risks in their network, but
unfortunately they are just as useful to the bad guys.

Because TCP port scanning is like knocking on the door of many services,
people have written tools like SATAN detectors which notify administrators
when outside people are knocking on their network.  This has made the
administrator feel like they are getting a good alarm notice if a hacker
decides to attack their network.

Here is a problem that we want to educate people about and possibly
come up with some better solutions to addressing this problem.

Most of the TCP port scanning technology relies on making an established
connection with a port to determine if it is active or not.  Many
of the SATAN/Port Scanning Detectors rely on this fact.  They record
the connections and if a connection happens to a wrong port or the
number of connections within a certain time reaches a threshold, an alarm
goes off.  TCP_wrappers will also keep a record of any established
connection which helps administrators find where an intruder came from.

One problem which exists is that intruders can scan without establishing a
connection.  There is a technique for doing a half-open scan.  The intruder
can send a SYN packet that starts a connection, and if the port is active,
it will respond with a SYN|ACK and the intruder records these packets,
determining which ports were active now.  In a typical established
connection, the host responds to the SYN|ACK to finish completing the
connection.  The intruder can now send a reset packet removing from the
kernel that a connection was half open.

Here's the interesting information.  ----  We do not even need to use
a SYN packet to scan.  Many firewalls block outside networks from
sending in a SYN packet and that stops initiating a connection.
So even the half-open scan won't work past a firewall.  But we have
tried other TCP flags and found many other packets will do the trick
just as well, if not better.

Here's a table of the packets and response types to determine active ports.


Flag            Active Port Response    Non-active Port Response
SYN             SYN|ACK                 Reset or Nothing
SYN|FIN         ACK or SYN|ACK*         Reset
ACK             Nothing                 Reset
0 flag          Nothing                 Reset

* Depends on the TCP implementation.  Windows 95 returned SYN|ACK while most
Unix platforms return an ACK.

We have picked the most interesting flags.  You can also add URG and PUSH
flags to any of the above flags and get the same response.  The SYN|FIN
is an illegal combination of flags that contradict each other, but a few router based
firewalls that were blocking the other types of packets allow this one through.
The 0 flag packets are packets that designate the packet type as 0, which
some packet filter based firewalls may allow through.

Some firewalls allow ACK packets through as well. Using these types
of packets, we called this a "stealth scan" because typically most
TCP port scan detectors do not catch this type of activity and the scan
enables you to bypass a firewall and see what services are running on
the inside machines.

Denial of Service Attacks
-------------------------

In coming up with developing this code, we are able to do 2 types of
denial of service attacks that people should be aware of and at some
point, we need to have vendors fix the problems.

1) By scanning with all these different types of packets, we were able
to crash a few popular types of routers that could not handle these packets.
We reported the problem back to the vendors.

2) By scanning with half-opens and not sending a RESET, the kernel's
cache of half-open connections gets full and will no longer accept any more
connections.  This would be a quick and easy way to cause a high connection
rate machine to no longer provide any more connections, denying anyone
from access to a machine, including a Web server.


Solutions
---------

Do not rely completely on SATAN detectors.  Most of them are designed
to only signal alarms if a full established connection is made.
Courtney.pl is the only SATAN detector that we found that actually looked
at the packets themselves looking for SYN packets. To detect a stealth
scan, we need to come up with some heuristics for detecting an anomaly
of the number of reset packets generated as well.

For denial of service attacks, if a device can't handle the packets
it will be up to the vendor to provide a patch to fix this.

Vendors need to look at potential solutions for half open attacks
such as increasing in the kernel the number of half open connections
possible, decreasing the time that the cached half opens stay in the memory,
possibly logging when a particular host has filled up the half open
cache and ignoring further half open packets from the offending host.

Firewalls
---------

The more secure setup of firewalls tends to be a combination of both
packet filter / proxy server type firewalls that would prevent
scanning past the firewall if configured properly.


/--------------------------------------------------------------------------------------------\
To get on mailing list, Alert, send a message to alert-request@iss.net
and within the message, type: subscribe alert
\--------------------------------------------------------------------------------------------/

Copyright

This paper is Copyright (c) 1994, 1995
   by Christopher Klaus of Internet Security Systems, Inc.

Permission is hereby granted to give away free copies electronically. You may
distribute, transfer, or spread this paper electronically. You may not pretend
that you wrote it. This copyright notice must be maintained in any copy made.
If you wish to reprint the whole or any part of this paper in any other medium
excluding electronic medium, please ask the author for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no event shall the author be
liable for any damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the user's own
risk.

Address of Author

Please send suggestions, updates, and comments to:
Christopher Klaus <cklaus@iss.net>
        of Internet Security Systems, Inc.  <iss@iss.net>

Internet Security Systems, Inc.

Internet Security Systems, Inc, located in Atlanta, Ga., specializes in the
development of security scanning software tools. Its flagship product,
Internet Scanner, is software that learns an organization's network and probes
every device on that network for security holes. It is the most comprehensive
"attack simulator" available, checking for over 100 security vulnerabilities.

--
Christopher William Klaus            Voice: (770)441-2531. Fax: (770)441-2431
Internet Security Systems, Inc.            "Internet Scanner lets you find
2000 Miller Court West, Norcross, GA 30071   your network security holes
Web: http://iss.net/  Email: cklaus@iss.net   before the hackers do."



-- 

	With best regards -- Andrew Stesin.

	+380 (44) 2760188	+380 (44) 2713457	+380 (44) 2713560

	An undocumented feature is a coding error.
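
The probe table and the detection ideas from the Solutions section of the forwarded advisory, worked through as an added example that is not part of the advisory and not code from ISS: a toy monitor, in Python, that classifies packets by the table's flag combinations, keeps a half-open table with an age-out and a per-host limit (the vendor mitigations Klaus lists), and raises an alert on a burst of resets toward one outside host (the reset-count heuristic he asks for). The Packet record, the 10.0.0.0/24 inside network, the example addresses, the packet trace and all thresholds are constructed for the demonstration.

```python
"""Added example, not from the advisory: a toy monitor for the probe types in
the table above, plus the reset-rate and half-open heuristics the Solutions
section calls for.  Addresses and thresholds are constructed for the demo."""
from collections import defaultdict
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP header bits


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def classify_probe(flags: int) -> str:
    """Name a packet by the advisory's table; URG/PSH are masked off first
    because they do not change the response and must not hide a probe."""
    core = flags & ~(URG | PSH)
    if core & SYN and core & FIN:
        return "syn-fin"   # contradictory flags, never legitimate
    if core == 0:
        return "null"      # no flags at all, never legitimate
    if core == SYN:
        return "syn"       # normal open; a problem only in volume
    if core == ACK:
        return "ack"       # a problem only when no connection exists
    return "other"


class StealthScanDetector:
    """State kept by a monitor that sees traffic inside the firewall."""

    def __init__(self, internal_prefix, window=10.0, rst_threshold=4,
                 halfopen_limit=8, halfopen_ttl=30.0):
        self.prefix, self.window, self.rst_threshold = internal_prefix, window, rst_threshold
        self.halfopen_limit, self.halfopen_ttl = halfopen_limit, halfopen_ttl
        self.halfopen = {}                 # (src, sport, dst, dport) -> time of SYN
        self.established = set()           # 4-tuples that completed the handshake
        self.rst_to = defaultdict(list)    # external host -> times of resets seen
        self.blocked = set()               # hosts that filled a half-open table
        self.alerts = []                   # (ts, host, message)

    def observe(self, p: Packet) -> None:
        # Age out stale half-opens: the "shorter cache time" mitigation.
        self.halfopen = {k: t for k, t in self.halfopen.items() if p.ts - t <= self.halfopen_ttl}
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        peer = p.dst if p.src.startswith(self.prefix) else p.src
        kind = classify_probe(p.flags)
        if kind in ("syn-fin", "null"):
            self.alerts.append((p.ts, p.src, f"{kind} probe to {p.dst}:{p.dport}"))
        elif kind == "syn":
            if p.src in self.blocked:      # ignore further half-opens from an offender
                return
            self.halfopen[fwd] = p.ts
            if sum(k[2] == p.dst for k in self.halfopen) > self.halfopen_limit:
                self.blocked.add(p.src)
                self.alerts.append((p.ts, p.src, f"half-open table for {p.dst} full"))
        elif kind == "ack":
            if fwd in self.halfopen:       # third step of a genuine handshake
                self.established.add(fwd)
                del self.halfopen[fwd]
            elif fwd not in self.established and rev not in self.established:
                self.alerts.append((p.ts, p.src, f"ack probe to {p.dst}:{p.dport} with no connection"))
        elif p.flags & RST:
            self.halfopen.pop(fwd, None)   # a reset also abandons a half-open
            self.halfopen.pop(rev, None)
            times = self.rst_to[peer]
            times.append(p.ts)
            times[:] = [t for t in times if p.ts - t <= self.window]
            if len(times) == self.rst_threshold:
                self.alerts.append((p.ts, peer, f"{len(times)} resets within {self.window:g}s"))


# Constructed trace: one genuine HTTP session from 10.0.0.5, the probe types
# from the table sent by 192.0.2.10, then a SYN flood from 203.0.113.7.
WEB = "10.0.0.80"
TRACE = [
    Packet(0.0, "10.0.0.5", WEB, 40000, 80, SYN),
    Packet(0.1, WEB, "10.0.0.5", 80, 40000, SYN | ACK),
    Packet(0.2, "10.0.0.5", WEB, 40000, 80, ACK),
    Packet(0.3, WEB, "10.0.0.5", 80, 40000, PSH | ACK),
    Packet(1.0, "192.0.2.10", WEB, 5000, 25, SYN | FIN),
    Packet(1.1, WEB, "192.0.2.10", 25, 5000, RST | ACK),
    Packet(1.2, "192.0.2.10", WEB, 5001, 23, ACK),
    Packet(1.3, WEB, "192.0.2.10", 23, 5001, RST),
    Packet(1.4, "192.0.2.10", WEB, 5002, 21, 0),
    Packet(1.5, WEB, "192.0.2.10", 21, 5002, RST),
    Packet(1.6, "192.0.2.10", WEB, 5003, 79, URG | PSH),   # "0 flag" dressed up with URG/PSH
    Packet(1.7, WEB, "192.0.2.10", 79, 5003, RST),
] + [Packet(20 + i / 100, "203.0.113.7", WEB, 6000 + i, 80, SYN) for i in range(12)]


def run(trace):
    """Feed a trace through a fresh detector and return its alerts."""
    det = StealthScanDetector(internal_prefix="10.0.0.")
    for p in trace:
        det.observe(p)
    return det.alerts


if __name__ == "__main__":
    for ts, host, msg in run(TRACE):
        print(f"{ts:6.2f}  {host:<12}  {msg}")
```

Run it directly to print the alerts the constructed trace produces. The SYN|FIN and null packets are flagged on sight, the bare ACK only because no matching connection exists on either side, and the URG|PSH packet is still caught because the classifier masks those bits off, as the advisory says they do not change the response. The legitimate session from 10.0.0.5 raises nothing. The reset threshold has to be tuned per site: one reset from a closed port is ordinary, and only the rate toward a single peer is the anomaly.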


