5. What are some typical signatures of well-known programs?
The program "traceroute" is based upon a very intelligent hack by Van Jacobson
(also famous for other nifty kludges). Every IP packet has a time-to-live (TTL)
field that indicates how many hops the packet can travel before being dropped. This field
is needed because routers sometimes get misconfigured and will forward packets in a
continuous loop: e.g. Alice forwards the packet to Bob, who forwards it to Charlene, who
mistakenly forwards it back to Alice.
Therefore, each router decrements (subtracts 1 from) the TTL field. When the TTL reaches
zero, the router that currently has the packet simply "drops" it (does not forward it on).
When a router drops a packet for this reason, it sends a message back to the sender
informing it of this. This message is an ICMP "Time Exceeded" (type 11, code 0), usually
described as "TTL Exceeded in Transit".
The nifty thing about this is that the router uses its own IP address as the source
address of the ICMP message. Therefore, if you send a packet to a target but with a TTL of
only 1, the first router will receive the packet, decrement the field to 0, drop it, then
send back the ICMP notification. This informs you of the first router along the route
(which you probably knew anyway).
The same goes for an initial TTL of 2. The first router gets it, decrements it to 1, then
forwards it to the second router along the route. This router then decrements it to 0, drops the
packet, and sends back an ICMP error message.
By continuing this process, you eventually end up with the list of routers between
yourself and the target.
Versions of traceroute
There are various versions of the traceroute program. In particular, the Windows
program "tracert.exe" uses ICMP Echo Requests (pings) as the packets it sends to the target.
Therefore, you might see ICMP Echoes on your firewall.
The most popular "traceroute" program for UNIX sends UDP datagrams to port 33434
for the first packet sent, then increases this port number by one for each successive
packet. This means that you will rarely see port 33434 on your firewall (only if you are the
very first hop), but you will see successive ports starting at higher numbers. Traceroute
programs typically send 3 packets for each hop (in case some get dropped). Therefore, if your
firewall is the 10th hop from the person tracing, the first nine hops consume 27 probes and the
first port you will see is 33434 + 3*(10-1) = 33461 (33464 if ten routers sit in between and
you are the 11th hop). The exact base port, increment, and probe count vary between traceroute
implementations, so treat a hop count derived this way as an estimate, not a fact.
Firewall administrators should learn the symptoms of traceroute activity.
- UDP "port scans" in 33434-33600
  - A brief sequential "port scan" in this range usually indicates a traceroute
  from a UNIX machine, as explained in this section.
  - If someone inside the network is attempting a traceroute, then you'll see these probes
  going out and the ICMP Time Exceeded replies coming back in. Many admins allow these
  through the firewall.
- outgoing ICMP TTL exceeded
  - This indicates that somebody is tracerouting you. This doesn't necessarily indicate
  hostile activity, but somebody is mapping the path to you. These should be blocked by the
  firewall.
- ICMP port unreachable
  - When a traceroute successfully reaches the target, the target generates back-to-back
  "ICMP port unreachable" messages (type 3, code 3; probably 3 in a row), because nothing is
  listening on those high UDP ports.
Some traceroute-style tools use the same TTL trick to probe through firewalls and discover
which ports they let pass; see http://www.packetfactory.net/Projects/Firewalk/firewalk-final.html
for more information on Firewalk.
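As an added example (not code from the FAQ), here is the firewall-side detection the section describes: group UDP probes in the 33434-33600 range by source and destination, flag pairs that walk consecutive ports, and turn the first port seen into the hop estimate from the arithmetic above. The log format and the sample lines are constructed for this illustration, and the hop estimate assumes the classic UNIX defaults (base port 33434, three probes per hop, one port per probe).

```python
"""Detect the UNIX traceroute UDP signature in firewall log lines."""
from collections import defaultdict

BASE_PORT = 33434        # first probe port of the classic UNIX traceroute
MAX_PORT = 33600         # upper end of the range the text says to watch
PROBES_PER_HOP = 3       # default number of probes per TTL value

# Constructed sample log (not from the FAQ): "<time> <proto> <src>:<sport> > <dst>:<dport>".
# 198.51.100.7 is tracing toward 203.0.113.5; our firewall is the tenth hop on that path.
LOG = """\
12:00:01 UDP 198.51.100.7:40123 > 203.0.113.5:33461
12:00:01 UDP 198.51.100.7:40123 > 203.0.113.5:33462
12:00:01 UDP 198.51.100.7:40123 > 203.0.113.5:33463
12:00:02 UDP 198.51.100.7:40123 > 203.0.113.5:33464
12:00:02 UDP 198.51.100.7:40123 > 203.0.113.5:33465
12:00:02 UDP 198.51.100.7:40123 > 203.0.113.5:33466
12:00:09 UDP 192.0.2.44:53 > 203.0.113.5:33434
12:00:30 TCP 198.51.100.9:51000 > 203.0.113.5:80
"""


def parse(line):
    """Split one log line into (time, proto, src, sport, dst, dport); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != ">":
        return None
    src, sport = parts[2].rsplit(":", 1)
    dst, dport = parts[4].rsplit(":", 1)
    return parts[0], parts[1], src, int(sport), dst, int(dport)


def estimated_hops(first_port):
    """Hop number at which a probe carrying this destination port first arrives,
    under the classic defaults (hop 1 uses 33434-33436, hop 2 uses 33437-33439, ...)."""
    return (first_port - BASE_PORT) // PROBES_PER_HOP + 1


def find_traceroutes(log, min_probes=3):
    """Report (src, dst) pairs whose UDP probes walk consecutive ports in the traceroute range.

    A single stray packet in the range (like the one from 192.0.2.44 above) is ignored:
    the signature is the sequence, not any one port.
    """
    ports = defaultdict(set)
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        _, proto, src, _, dst, dport = rec
        if proto == "UDP" and BASE_PORT <= dport <= MAX_PORT:
            ports[(src, dst)].add(dport)

    hits = []
    for (src, dst), seen in ports.items():
        seen = sorted(seen)
        consecutive = all(b - a == 1 for a, b in zip(seen, seen[1:]))
        if len(seen) >= min_probes and consecutive:
            hits.append({"src": src, "dst": dst, "first_port": seen[0],
                         "probes": len(seen), "estimated_hops": estimated_hops(seen[0])})
    return hits


if __name__ == "__main__":
    for hit in find_traceroutes(LOG):
        print(hit)
```

Because the port sequence identifies the activity, the same logic works whether the probes arrive spread over a second or over several, and the hop estimate tells you how far upstream the tracing host sits. A Windows tracert will not trigger it; that one shows up only as a burst of ICMP Echo Requests.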
The 'sscan' tool has become a popular scanning tool on the Internet. It not only
"port scans" but attempts to discover some common vulnerabilities. There are
several versions of sscan, and it is very configurable, so matching an exact signature to
this program may be difficult. The 'sscan' program is derived from the older 'mscan' tool.
An sscan run goes through several phases:
- TCP ACK pings
  - The program will attempt to see if the host is reachable by probing the most common
  services, namely ports 23/telnet, 25/smtp, 110/pop3, 143/imap4, 80/http. This phase
  is easily detected because both the source and destination port are the same.
- connection attempts
  - Connection attempts are made to several services in order to see if they are available.
  This is highly configurable. Typically configured probes are those above, as well as
  111/rpc (portmapper), 6000/X Window, 79/finger, 53/dns, 31337/elite, 139/netbios-ssn (SMB),
  21/ftp, 1114/msql, 1/tcpmux.
- OS fingerprint
  - sscan contains a basic OS fingerprinting technique, easily detected because it uses
  source ports 1-5. The fingerprinting is not as complete as the techniques used by Queso or
- vulnerability assessment
  - It then looks at the ports that are open and checks the banners that might indicate a
  vulnerable version of one of the services. It also scans for a range of known vulnerable
- script execution
  - Depending upon what it finds, it can further launch configured scripts against the
The following is a record pulled from an intrusion detection system:
ports=1 22 23 25 53 79 110 111 143 1114 2766 6000 31337
Unfortunately, the system consolidates alerts, discards duplicates, and keeps the port
numbers in sorted order. In a real scan, several of the ports would have duplicate
connection attempts, and port 1/tcpmux would be one of the last probes, not one of the
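As an added example (not code from the FAQ), here is how the three detectable sscan phases from this section can be recognised together in connection-level log data: ACK probes whose source port equals the destination port, probes with source ports 1-5, and SYNs fanned out across the default service list. The log format, the flag notation and the sample lines are constructed; the port lists are the ones the text gives. Since sscan is configurable, a source is only flagged when at least two phases are present, and absence of a phase is not proof of absence.

```python
"""Recognise sscan phases from TCP connection records."""
from collections import defaultdict

ACK_PING_PORTS = {23, 25, 80, 110, 143}                 # phase 1: ACK "pings", sport == dport
FINGERPRINT_SPORTS = range(1, 6)                        # phase 3: OS fingerprint, source ports 1-5
DEFAULT_PROBE_PORTS = {1, 21, 23, 25, 53, 79, 80, 110,  # phase 2: default connection attempts
                       111, 139, 143, 1114, 6000, 31337}

# Constructed sample log (not from the FAQ): "<time> TCP <src>:<sport> > <dst>:<dport> <flags>".
# Flags are single letters: S = SYN, A = ACK, F = FIN (so "SF" is SYN+FIN).
LOG = """\
01:00:00 TCP 198.51.100.7:23 > 203.0.113.5:23 A
01:00:00 TCP 198.51.100.7:25 > 203.0.113.5:25 A
01:00:00 TCP 198.51.100.7:80 > 203.0.113.5:80 A
01:00:01 TCP 198.51.100.7:42001 > 203.0.113.5:21 S
01:00:01 TCP 198.51.100.7:42002 > 203.0.113.5:23 S
01:00:01 TCP 198.51.100.7:42003 > 203.0.113.5:111 S
01:00:01 TCP 198.51.100.7:42004 > 203.0.113.5:31337 S
01:00:01 TCP 198.51.100.7:42005 > 203.0.113.5:6000 S
01:00:02 TCP 198.51.100.7:1 > 203.0.113.5:23 S
01:00:02 TCP 198.51.100.7:2 > 203.0.113.5:23 SF
01:00:02 TCP 198.51.100.7:3 > 203.0.113.5:23 A
01:00:03 TCP 198.51.100.7:42006 > 203.0.113.5:1 S
01:00:10 TCP 192.0.2.9:50000 > 203.0.113.5:80 S
"""


def parse(line):
    """Return (src, sport, dst, dport, flags) for one TCP record, or None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[1] != "TCP" or parts[3] != ">":
        return None
    src, sport = parts[2].rsplit(":", 1)
    dst, dport = parts[4].rsplit(":", 1)
    return src, int(sport), dst, int(dport), parts[5]


def sscan_phases(log):
    """Per source address, collect the evidence for each sscan phase seen in the log."""
    evidence = defaultdict(lambda: {"ack_pings": set(), "fingerprint": set(), "probes": set()})
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, sport, _, dport, flags = rec
        ev = evidence[src]
        if flags == "A" and sport == dport and dport in ACK_PING_PORTS:
            ev["ack_pings"].add(dport)          # bare ACK with matching ports: sscan reachability test
        if sport in FINGERPRINT_SPORTS:
            ev["fingerprint"].add(sport)        # source ports 1-5: sscan OS fingerprint packets
        if "S" in flags and dport in DEFAULT_PROBE_PORTS:
            ev["probes"].add(dport)             # SYN to one of the default service ports
    return evidence


def verdict(evidence, min_phases=2, min_probe_ports=4):
    """Flag sources that show at least `min_phases` distinct sscan phases.

    The connection-attempt phase only counts once several default ports were hit, so a
    single SYN to port 80 (like the one from 192.0.2.9) does not look like sscan.
    """
    flagged = {}
    for src, ev in evidence.items():
        phases = []
        if ev["ack_pings"]:
            phases.append("ack-ping")
        if ev["fingerprint"]:
            phases.append("os-fingerprint")
        if len(ev["probes"]) >= min_probe_ports:
            phases.append("connection-attempts")
        if len(phases) >= min_phases:
            flagged[src] = phases
    return flagged


if __name__ == "__main__":
    for src, phases in verdict(sscan_phases(LOG)).items():
        print(src, "probable sscan:", ", ".join(phases))
```

The ACK-ping and source-port tests are the cheap, high-confidence parts of the signature; the port-set test is the tunable one, and the threshold should be raised on networks where ordinary clients legitimately touch many of those services.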
5.3 Proxy scanners
One of the most common scans on the Internet looks for HTTP proxy servers. Normally, the
hackers aren't looking to compromise systems; they simply want the ability to
"anonymize" their connections. For example, most free web-mail services (HotMail, Yahoo mail,
etc.) record the sender's IP address in the e-mail headers, making them not so anonymous (many
people have been caught this way). By bouncing HTTP traffic through an open proxy server, the
hacker hides his/her originating address from the mail service (though the proxy itself may
still keep logs).
In late summer of 1999, probes for ports 80/8080/3128 were particularly noticed. These came
from all over the Internet, from many unrelated source addresses. They were traced to a
Trojan Horse called "Ring0" (RingZero), which infected PCs and then scanned random IP
addresses for proxy servers. The SANS Institute (a security training/conference organization)
coordinated an effort to track down exactly what was happening from reports from many of
their customers. A common symptom of this Trojan is 3 probes spaced within a minute from
the same source IP address. More information can be found at:
http://www.sans.org/newlook/resources/ringzero.htm.
A news article by CMP can be found at: http://www.techweb.com/wire/story/TWB19991013S0018
A list of open proxies can be found at: http://freebooks.hypermart.net/proxy/proxies.htm
Ports with variations on the "80" theme (81, 88, 8000, 8080, 8888, etc.) are
most commonly used for proxies. In addition, the popular free proxy server
"squid" listens on port 3128 by default.
Smurf/fraggle programs send packets to broadcast addresses with a spoofed source address
of the victim. Every host on that subnet then sends a response back to that address, so a
single packet in produces a flood of packets out toward the victim.
A smurf uses pings (ICMP Echo Requests), whereas a fraggle uses UDP datagrams to port 7/echo.
These are named after the programs/scripts that first implemented them.
These packets are sent to broadcast addresses. In IP, a directed broadcast has all the
"host" bits set to one (older systems also treated all-zeros as a broadcast). This means an
address that looks something like 192.0.2.255 or 192.0.2.0 on a /24 is likely a broadcast. The
key thing to remember is that such addresses are only broadcasts if the router on that subnet
chooses to interpret them as broadcasts. If that router forwards directed broadcasts to that
segment, it will send the single IP packet as a link-layer broadcast on that (Ethernet)
segment, causing all systems on that segment to receive the packet.
Therefore, there are two configuration problems:
- Routers forwarding directed broadcasts.
- Systems responding to broadcasts.
Both can be fixed: routers should not forward directed broadcasts (RFC 2644 made this the
recommended default, and Cisco IOS has defaulted to "no ip directed-broadcast" since 12.0),
and hosts should not answer echo requests sent to a broadcast address.
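As an added example (not code from the FAQ), the following script applies the two rules above to inbound traffic seen at the border of a network: a packet is an amplifier probe when its destination is the directed-broadcast (or all-zeros) address of one of our own prefixes, its source lies outside those prefixes (the spoofed victim), and it is either an ICMP Echo Request (smurf) or UDP to port 7 (fraggle). The prefixes, the log format and the sample lines are constructed for the illustration; the host count per segment is reported because it is the amplification factor the attacker is buying.

```python
"""Flag inbound smurf/fraggle amplifier abuse aimed at our own subnets."""
import ipaddress
from collections import Counter

# Assumed for this example: the prefixes this border router/firewall serves.
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("203.0.113.0/25")]

# Constructed sample log (not from the FAQ): "<time> <proto> <src> > <dst> [dport]".
LOG = """\
10:00:00 ICMP-ECHO-REQ 198.51.100.200 > 192.0.2.255
10:00:00 ICMP-ECHO-REQ 198.51.100.200 > 192.0.2.255
10:00:00 UDP 198.51.100.200 > 203.0.113.127 7
10:00:00 UDP 198.51.100.200 > 203.0.113.0 7
10:00:01 UDP 198.51.100.200 > 203.0.113.127 53
10:00:01 ICMP-ECHO-REQ 192.0.2.10 > 192.0.2.255
10:00:02 ICMP-ECHO-REQ 198.51.100.9 > 192.0.2.77
"""


def broadcast_of(addr, nets):
    """Return the prefix whose directed-broadcast or all-zeros address is `addr`, else None."""
    ip = ipaddress.ip_address(addr)
    for net in nets:
        if ip in (net.broadcast_address, net.network_address):
            return net
    return None


def is_local(addr, nets):
    """True when the address belongs to one of our own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def parse(line):
    """Return (time, proto, src, dst, dport-or-None) for one record, or None if malformed."""
    parts = line.split()
    if len(parts) not in (5, 6) or parts[3] != ">":
        return None
    dport = int(parts[5]) if len(parts) == 6 else None
    return parts[0], parts[1], parts[2], parts[4], dport


def amplifier_abuse(log, nets=OUR_NETS):
    """Count smurf/fraggle probes per (kind, spoofed victim, broadcast target).

    Broadcasts from inside our own prefixes are ignored: those are normal local traffic,
    not an outsider using us as an amplifier. UDP to ports other than 7 is ignored too.
    """
    hits = Counter()
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        _, proto, src, dst, dport = rec
        net = broadcast_of(dst, nets)
        if net is None or is_local(src, nets):
            continue
        if proto == "ICMP-ECHO-REQ":
            kind = "smurf"
        elif proto == "UDP" and dport == 7:
            kind = "fraggle"
        else:
            continue
        hits[(kind, src, dst)] += 1
    # num_addresses - 2 excludes the network and broadcast addresses themselves.
    return {(kind, victim, target): {"packets": n,
                                     "hosts_on_segment": broadcast_of(target, nets).num_addresses - 2}
            for (kind, victim, target), n in hits.items()}


if __name__ == "__main__":
    for (kind, victim, target), info in amplifier_abuse(LOG).items():
        print(f"{kind}: victim {victim} via {target}, {info['packets']} packets, "
              f"up to {info['hosts_on_segment']} responders")
```

Detection is the second line of defence; the first is the configuration fix from the text. On a Cisco router that means "no ip directed-broadcast" on each interface, and on Linux hosts net.ipv4.icmp_echo_ignore_broadcasts = 1, which stops the box answering broadcast pings at all.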
Somebody saw the following incident with millions of incoming packets. Below are some
examples of these packets:
Some questions that have been asked about this are:
Q: Why are these only aimed at strategic points like broadcast addresses?
A: Because if a single packet is sent to a broadcast, then it generates lots of
responses to the spoofed address of the victim.
Q: I monitor multiple networks. Why is only this network being attacked this
A: Your network isn't being attacked; instead it is the third party in a fraggle
attack. Your network is being used to attack somebody else (the source address of the
packets, which is spoofed). Either your other networks aren't nearly as effective as
fraggle amplifiers, or they haven't been registered in smurf/fraggle amplifier registries
yet. Hackers rarely look for their own amplifiers, but instead simply look up good amplifiers
in such directories. If you get registered, then multiple hackers will use/abuse your network.
Q: Why port UDP 7 only?
A: There are a number of reasons. The first is that script-kiddies
aren't too bright: if the only scripts available use port 7,
then that is all they can use. Secondly, the service has to respond
to broadcast requests. Therefore, you cannot use TCP (a handshake
cannot complete with a broadcast address, so TCP services only
respond to directed queries). Many other UDP services also only
respond to directed queries. Finally, when fraggle was first developed,
many firewalls allowed echo to pass through (because it was
used for performance monitoring). More dangerous protocols like
NetBIOS (port 137) were already blocked by firewalls.