Slide 1: Traffic Analysis Techniques

Traffic Analysis is a set of techniques for arranging and visualizing data so that patterns and relations can be identified, tagged or tracked. This course serves as a primer for taking logfiles of virtually any format, organizing the data and performing the analysis.

IDIC – SANS GIAC LevelTwo ©2000, 2001

This section of the course will concentrate on externals: the fields in the packet header rather than the content. The purpose of this section is to teach the analysis of packets based on their behavior and their header fields. I hope that you find the material in this section to be something that you can use as you analyze network traffic.

Slide 2: Common External Dimensions

• Date, time
• To, From
• Service, service port numbers
• Sequence numbers

Four W’s: Who, What, Where, When. Extra credit: Why.

When we talk about columns and typing, we are approaching the subject of highly dimensional data. Consider the date field one dimension, time another, and so forth. By highly dimensional we mean “lots of columns”. Just about any field in the headers can be used to create another dimension. Most of the time, many fields will contain normal, nondescript values and will add nothing to our focus when we are trying to analyze traffic. However, there are times when a crafted, unique value in an inherently uninteresting field may provide some kind of signature. For instance, normally generated sequence numbers are not of much interest to us as analysts. However, if we spy a static sequence number, or even a repeated acknowledgement number in what appears to be a reply to a static sequence number, we may begin to see a pattern of some sort which will ultimately assist in the analysis. The more clues you can find in the data, the more help you have in explaining why you are seeing what you are seeing.

Slide 3: From, To, Service Are Primary Events of Interest

• Where do our “hits” come from?
• Who/What are they targeting?
• Can we find evidence of crafted packets?

When we work without content we focus on “externals”. “From” turns out to be quite challenging and interesting.

In geometry, height, length, and width are the three primary dimensions. In traffic analysis, the primary dimensions are To, From, and Service. These functional dimensions are part of the Traffic Analysis discipline. There are a large number of IP-specific dimensions as well that are important to the analysis of IP traffic. These include:

• ACK numbers
• SEQ numbers
• IP identification numbers
• Arriving TTL values
• Time
• Flags

Slide 4: Primary focus – destination port

Secondary focus – source port, time

We don’t know anything about port 17434, but what do we notice about this pattern?

Many times the analyst has fragmentary data. I checked my entire databank and these ports did not show up. There are programmable Trojans, but the prober appears to be looking for a service. Are these spoofed IP addresses? Really, we can’t say with fidelity, because this firewall sensor does not record TCP flags. What we do see is the four-attempt pattern with repeated source ports; this is typical of a retry. This is NOT likely a denial of service; these source addresses do want to connect to a service.

Here’s a simple example of traffic analysis. The user report is shown below:

Twice last week and again this week my network has been getting hit with some kind of what looks like a distributed attack. The number of hits is limited (100-200), but has always employed what appears to be a number of spoofed IPs, and usually aimed at a high numbered port, only one port to an attack, one attack a day. So far they've been after ports 23702, 17434, and today 20931. I'm enclosing a portion of my firewall logs. Can you advise what I'm seeing? I don't believe I've been compromised yet, but this type of attack is highly unusual, and now coming almost every day. Sorry to bother you, but if you could help I'd sure appreciate it. Thanks in advance.

Slide 5: Collateral Damage (1)

Primary focus – source host and port

Secondary focus – acknowledgement number, TCP flags

    ircsrv.6666 > ourhost.1630: S 1234316212:1234316212(0) ack 674711610 win 4096 (DF)
    ircsrv.6666 > ourhost.1630: S 1306722499:1306722499(0) ack 674711610 win 4096 (DF)
    ircsrv.6666 > ourhost.1630: R 1:1(0) ack 1 win 4096 (DF)

Key to understanding: note IRC in the hostname. While 6666 is not the most common IRC port (6667 is), it is a fairly common IRC port. We see the packets coming from ircsrv. They think they are under attack from us, but aren’t.

This slide illustrates an important point; one of the important rules is to ask where the traffic is coming from. Odds are this is the collateral effect of a denial of service attack on the IRC server. It appears as if someone earlier spoofed the source IP of ourhost with an initial sequence number of 674711609 and sent the traffic to ircsrv destination port 6666. In the first two records, you see that ircsrv was listening and able to respond: it replied with the SYN and ACK flags set and an acknowledgement number of 674711610 (the spoofed initial sequence number plus one). We don’t have the timestamps to analyze how close in time the third record is to the first two. But it appears that ircsrv can no longer reply, or is no longer listening on port 6666, and responds with a reset. It is possible that someone is engaged in a SYN flood of ircsrv using ourhost as one among many decoy source IP numbers.
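As an added example (not part of the course material), the following Python script pivots firewall log records into the kind of dimensions listed under Common External Dimensions and then applies the test the notes to the port 17434 slide describe: repeated attempts from the same source port, with widening gaps between them, look like a client stack retrying a connect, not a one-shot spoofed flood. The log format, addresses and timestamps are constructed for the demo (the real firewall excerpt is not reproduced on the page), and the backoff check assumes a retransmit timer whose intervals grow, which varies by TCP stack.

```python
"""Pivot firewall log lines into dimensions and test for the retry signature.

Added example, not course code. The log format below is constructed for the
demo; the course's real firewall excerpt is not reproduced on the page.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: two sources retrying (same source port, widening gaps),
# one source seen once. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2000-06-14 10:21:03 deny tcp 198.51.100.7:1025 -> 192.0.2.10:17434
2000-06-14 10:21:04 deny tcp 203.0.113.42:3201 -> 192.0.2.10:17434
2000-06-14 10:21:05 deny tcp 198.51.100.99:4410 -> 192.0.2.10:17434
2000-06-14 10:21:06 deny tcp 198.51.100.7:1025 -> 192.0.2.10:17434
2000-06-14 10:21:07 deny tcp 203.0.113.42:3201 -> 192.0.2.10:17434
2000-06-14 10:21:12 deny tcp 198.51.100.7:1025 -> 192.0.2.10:17434
2000-06-14 10:21:13 deny tcp 203.0.113.42:3201 -> 192.0.2.10:17434
2000-06-14 10:21:36 deny tcp 198.51.100.7:1025 -> 192.0.2.10:17434
2000-06-14 10:21:37 deny tcp 203.0.113.42:3201 -> 192.0.2.10:17434
"""

# Regex for the constructed format: date time action proto src:sport -> dst:dport
LINE_RE = re.compile(
    r"(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log_text):
    """Each line becomes a record whose keys are the analysis dimensions."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(f"{rec['date']} {rec['time']}")
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def flows(records):
    """Group hits by the 4-tuple; a repeated source port is the retry clue."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["src"], r["sport"], r["dst"], r["dport"])].append(r["ts"])
    return {k: sorted(v) for k, v in by_flow.items()}


def looks_like_backoff(stamps):
    """True when every gap is longer than the one before it, as a retransmit
    timer produces (assumption: the exact intervals are stack-dependent)."""
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return len(gaps) >= 2 and all(later > earlier for earlier, later in zip(gaps, gaps[1:]))


def analyse_port(records, dport):
    """Verdict for one destination port: real clients retrying, or one-shot hits."""
    port_flows = {k: v for k, v in flows(records).items() if k[3] == dport}
    sources = {k[0] for k in port_flows}
    retry_sources = {k[0] for k, stamps in port_flows.items() if len(stamps) >= 2}
    backoff_sources = {k[0] for k, stamps in port_flows.items() if looks_like_backoff(stamps)}
    if not sources:
        verdict = "no data"
    elif 2 * len(retry_sources) > len(sources):
        verdict = "retry"      # most sources keep trying: they want the service
    else:
        verdict = "one-shot"   # each address seen once: more like a spoofed flood
    return {
        "dport": dport,
        "hits": sum(len(v) for v in port_flows.values()),
        "sources": len(sources),
        "retry_sources": len(retry_sources),
        "backoff_sources": len(backoff_sources),
        "verdict": verdict,
    }


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for port in sorted({r["dport"] for r in recs}):
        print(analyse_port(recs, port))
```

On the constructed sample the verdict for port 17434 is "retry": two of the three sources come back four times on the same source port with gaps of 3, 6 and 24 seconds, which is the shape of a connect that is not being answered. A sensor that logged TCP flags would let you confirm the SYN-only nature of those attempts directly; without flags, the 4-tuple grouping and timing are the evidence you have.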
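The three records on the Collateral Damage slide can be checked mechanically. This added Python example (not from the course) parses the old tcpdump TCP summary syntax shown there, flags SYN/ACKs that arrive for a connection we never opened, recovers the initial sequence number the spoofer used (acknowledgement number minus one), and notes whether the responder later sent a reset. The record text is copied from the slide; the parser covers only the fields visible in it, and the heuristic that a repeated acknowledgement number across different server ISNs means replies to a SYN we did not send is the notes' reasoning encoded as an assumption.

```python
"""Spot SYN/ACK backscatter in tcpdump-style TCP records.

Added example, not course code. The regex covers only the old tcpdump summary
fields visible on the slide; the three records are copied from the slide.
"""
import re
from collections import defaultdict

SLIDE_RECORDS = """\
ircsrv.6666 > ourhost.1630: S 1234316212:1234316212(0) ack 674711610 win 4096 (DF)
ircsrv.6666 > ourhost.1630: S 1306722499:1306722499(0) ack 674711610 win 4096 (DF)
ircsrv.6666 > ourhost.1630: R 1:1(0) ack 1 win 4096 (DF)
"""

# host.port > host.port: FLAGS [seq:seqend(len)] [ack N] win W ...
TCP_RE = re.compile(
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+) (?:(?P<seq>\d+):\d+\((?P<len>\d+)\) )?"
    r"(?:ack (?P<ack>\d+) )?win (?P<win>\d+)"
)


def parse(text):
    """Split each record into the externals: hosts, ports, flags, seq, ack, win."""
    records = []
    for line in text.splitlines():
        m = TCP_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "seq", "len", "ack", "win"):
            rec[key] = int(rec[key]) if rec[key] is not None else None
        records.append(rec)
    return records


def find_backscatter(records):
    """Report SYN/ACKs that answer a SYN we never sent.

    Assumption taken from the slide notes: a SYN/ACK acknowledges ISN + 1, so
    the SYN it answers carried seq = ack - 1. If no outbound SYN with that ISN
    is in the capture, somebody else sent it using our address; the same ack
    number coming back under different server ISNs strengthens that reading.
    """
    outbound_syns = {
        (r["src"], r["sport"], r["dst"], r["dport"], r["seq"])
        for r in records if "S" in r["flags"] and r["ack"] is None
    }
    syn_acks = defaultdict(list)   # (responder, rport, us, ourport, ack) -> server ISNs
    resets = set()
    for r in records:
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        if "S" in r["flags"] and r["ack"] is not None:
            syn_acks[key + (r["ack"],)].append(r["seq"])
        elif "R" in r["flags"]:
            resets.add(key)

    findings = []
    for (src, sport, dst, dport, ack), server_isns in syn_acks.items():
        spoofed_isn = ack - 1
        unsolicited = (dst, dport, src, sport, spoofed_isn) not in outbound_syns
        repeated = len(server_isns) >= 2 and len(set(server_isns)) == len(server_isns)
        if unsolicited or repeated:
            findings.append({
                "responder": f"{src}:{sport}",
                "victim": f"{dst}:{dport}",
                "spoofed_isn": spoofed_isn,
                "server_isns": server_isns,
                "unsolicited": unsolicited,
                "repeated_ack": repeated,
                "followed_by_reset": (src, sport, dst, dport) in resets,
            })
    return findings


if __name__ == "__main__":
    for finding in find_backscatter(parse(SLIDE_RECORDS)):
        print(finding)
```

Run against the slide's records, the script reports one finding: responder ircsrv:6666, victim ourhost:1630, spoofed ISN 674711609, two distinct server ISNs, no matching outbound SYN in the capture, and a reset afterwards, which is the chain of reasoning the notes walk through by hand. On a real capture the `unsolicited` check is only as good as the visibility you have: if the sensor does not see your own outbound SYNs, every SYN/ACK will look unsolicited, and the repeated-ack test becomes the more useful clue.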