An Open Source Approach - National Chiao Tung...
72
2001/9/28 1 Modern Computer Networks An Open Source Approach Appendix B: Development Tools Appendix C: Network Experiment Tools Ming-Wei Wu
Transcript of An Open Source Approach - National Chiao Tung...
2001/9/28 1
Modern Computer NetworksAn Open Source Approach
Appendix B: Development ToolsAppendix C: Network Experiment Tools
Ming-Wei Wu
2001/9/28 2
OutlineI. Development Tools
1. Programming (vim, gcc, make)2. Debugging (gdb, ddd, kgdb)3. Maintaining (cvs, rpm)
II. Network Experiment Tools1. Name-Addressing (host, arp)2. Perimeter-Probing (ping, traceroute)3. Traffic-Monitoring (tcpdump, netstat)4. Benchmarking (ttcp, WebStone)5. Simulating/Emulating (ns, NIST Net)6. Hacking (nessus, ethereal, tfn2k)
III. Further readings
2001/9/28 3
Style of Introducing Each Tool
Roadmap (if possible)I. Overview:
1. Design goal2. and/or Features3. and/or Brief history
II. Operating concepts1. Protocol2. and/or Architecture
III. Hands-on1. How-To2. and/or screenshots3. and/or examples
Scenario (if possible)
2001/9/28 4
(I. Development Tools) Programming
? How to begin writing your first piece of code…? Text Editing, Visual Improved: vim
? Then compile that piece of code…? Compiling, GNU C Compiler: gcc
? Try to recompile several pieces of code smartly…? make/makefile
2001/9/28 5
(I. Development Tools, Programming) vim
? Visual Improved? The prevailing UNIX text editor? Friendly
? Easier than emacs? Way feature-rich than pico-related? gvim for windoze
? Extensible syntax dictionary? Powerful
? Almost nothing can’t be done by vim? Compile (e.g. jump to error line)? Macro (e.g. even a tic-tac-toe game)? File browser
2001/9/28 6
(I. Development Tools, Programming, vim) How-To
? 1. Getting Started with vim ? 1.1 Special characters:
? ESC, switch to command line mode? CR, return key? DEL, send an interrupt
? 1.2 Getting in & out:? vim xxx , to edit xxx? ZZ , to save and quit? q!CR , to quit without save? wq!CR, to quit with save
2001/9/28 7
(I. Development Tools, Programming, vim) How-To
? 2. Moving around? 2.1 Scrolling & paging
ctrl+D , scroll down; ctrl+U , scroll upctrl+F , page forward; ctrl+B , page backward
? 2.2 Searching, goto, and previous context/ , forward search; ? , backward search; n, next search* , next forward search (current focused string)# , next backward search (current focused string)1G , goto line 1 ; #G , goto line #; G , goto the end of filectrl+G , show state of current file'' , previous position
? 2.3 Moving around on the screenh,j,k,l , arrow keys^, beginning of the line; $, ending of the line
2001/9/28 8
(I. Development Tools, Programming) gcc
Linker(ld, the GNU linker)
Preprocessor(cpp, The C Preprocessor)
Compiler(gcc, GNU C Compiler)
Assembler(gas, the portable GNU assembler)
.c
.C
.cc
.s
.o
.a
a.out
2001/9/28 9
(I. Development Tools, Programming, gcc) How-To? -c, compile
? e.g. gcc –c test.c
? -o, specify object filename? e.g. gcc –o test test.o
? -g, compile for debug purpose, compiled size is larger than -c? e.g. gcc –g test.c
? -O, optimization? e.g. gcc –O test.c
2001/9/28 10
(I. Development Tools, Programming) make? Make, a utility that reads the makefile data base (and the last
modification time of each source file) to determine which piece of a large program needs to be recompile (updated) and issue corresponding commands.
? Makefile, a text-based data file that describes the relationships among files in a large program, and the states the commands for updating each file.
2001/9/28 11
(I. Development Tools, Programming, make) Kernel compiling? Kernel compiling
? Download the up-to-date kernel source code from Internet? Place it in /usr/src
? Unzip it using tar
? Rename it (default is “linux”) accordingly (e.g. linux-x.y.z, where x,y and z refer to the version number of linux kernel)
? Create an symbolic link linux for linux-x.y.z using ln? Change (cd) the current directory to linux
? Run kernel configuration (make menuconfig), then clean up the source tree and generate dependency files (make dep; make clean)
? Create a kernel image using bzip2 compression format (make bzImage)
2001/9/28 12
(I. Development Tools, Programming, make) Kernel compiling? Kernel compiling (cont.)
? Compile and install modules that have been enabled in the kernelconfiguration (make modules; make modules_install)
? Copy the image file from /usr/src/linux-x.y.z/arch/i386/boot/bzImage to /boot/linux-x.y.z
? Edit /etc/lilo.conf to add a new image? Run lilo -v to reconfigure the LILO boot manager with this new kernel
2001/9/28 13
(I. Development Tools) Debugging? Begin debugging your program…
? GNU Debugger: gdb
? Let’s debug in a GUI fashion? Data Display Debugger: ddd
? How about debug deep inside the kernel…? Remote Kernel GNU Debugger: kgdb
2001/9/28 14
(I. Development Tools, Debugging) Road Map
gdb
Linux kernel kgdb Linux kernel
gdb
DDD
Target host Local host
RS-232
DDD (See Appendix B.1.2.)
kgdb (See Appendix B.1.3.)
gdb (See Appendix B.1.1.) Development Tools:Debugging
1.3 Remote kernel
debugging
1.2 GUIedkernel
debugging
1.1 Source- level debugging
2001/9/28 15
(I. Development Tools, Debugging) gdbPrerequisite: gcc –g –o test test.cFirst…? gdb test /* Get in gdb with target program “test”*/help running? run /* Start debugged program */? next /* Step program */? continue /* Continue program being debugged */help breakpoints? break # /* Set breakpoint at line # */help stack? backtrace [full] /* Print backtrace of all stack frames (& full local
variables) */
2001/9/28 16
(I. Development Tools, Debugging) gdbhelp data? whatis EXP /* Print data type of expression EXP*At the end? quit /* Get out of gdb */
2001/9/28 17
(I. Development Tools, Debugging) ddd
Argument field
Source Window
Debugger Console
Status Line
Command Tool
Scroll Bar
2001/9/28 18
(I. Development Tools, Debugging) kgdb
? kgdb? a kernel patch for remote kernel debugging? source level debugger (with the help of gdb) for linux kernel? possible to place breakpoints in kernel code, step through it and
observe its variables. ? two machines are required, one is a development machine (where gdb
runs) and the other is a test machine (target kernel).? patch the following components to a kernel
? gdb stub, handles requests comming from gdb on the developementmachine.
? modifications to fault handlers, allow kernel developers to analyze unexpected faults.
? serial communication, offers an interface to gdb stub in the kernel to send and receive data/control from a serial line.
2001/9/28 19
(I. Development Tools, Debugging) kgdb
? Connecting to a debug patched kernel (refer kgdb project website for details about patching a new kernel)? On development machine:
? Set appropriate speed for serial line? e.g. stty ispeed 115200 ospeed 115200 < /dev/ttyS1
? Start gdb.? e.g. gdbmod your_image_label
? On test machine: ? Select kgdb kernel from lilo prompt. It will then wait for connection from
remote gdb.? E.g. LILO: linux gdb [gdbttyS=2] [gdbbaud=38400]
2001/9/28 20
(I. Development Tools, Debugging) kgdb
? Cont.? On developement machine:
? Connect to the test machine using gdb command "target" ? (gdb) target remote /dev/ttyS1
Remote debugging using /dev/ttyS1 breakpoint () at gdbstub.c:1153 1153 } (gdb)
? Now gdb is connected to the kernel. It is waiting for a command. Use the continue command to let the test kernel proceed.
? (gdb) c Continuing.
2001/9/28 21
(I. Development Tools) Maintaining
? Learn to program collaboratively…? Version Control - Concurrent Version System: cvs
? Hat your program? Packaging - Red Hat Package Manager: rpm
2001/9/28 22
(I. Development Tools, Maintaining) cvs
? Design concept: “copy-modify-merge”style of version control
? Short history? Dick Grune improves RCS to CVS (1986).? Brian Berliner rewrote it again using C.? Jim Kingdon made CVS to support networking.
2001/9/28 23
(I. Development Tools, Maintaining, cvs) An OSSD Process
Initiate a project
Look for any similar projects
No
Join that project
Use mailing list for announcement and bug tracing. Use OpenPGP
CVS Version Control
Yes
Accept patches and modifications (vote or dictatorship)
A personal itch
Do little document writingWrite documents and manuals
Vote for a license modelDecide a license model
Release official version in the foreseeable future
2001/9/28 24
(I. Development Tools, Maintaining, cvs) How-To
? Setup a repository (under sh and bash shells)? CVSROOT=/usr/local/cvs (or wherever you desire)? export
? Starting a new project? cvs import -m “log message”project_name vendor_tag release_tag? e.g cvs import -m “my first cvs project”myproject jrandom start
? Revisions? Check (co), e.g. cvs checkout myproject
? Update (up), e.g. cvs update project.c
? Commit (ci), e.g. cvs commit project.c
? Diff, e.g. cvs diff project.c
2001/9/28 25
(I. Development Tools, Maintaining, cvs) How-To
? History browsing? Status, e.g. cvs status project.c
? Log messages, e.g. cvs log project.c
? Release? Release (delete), e.g. cvs release –d myproject
? Refer cvs --help-commands for a list of commands.
2001/9/28 26
? Design concept: transparent software dependency
? One line means all? RPM style: rpm -Uvh nessus-1.1.2.src.rpm? Traditional tar-ball style:
1. tar zxvf nessus-libraries-1.0.9.tar.gz2. tar zxvf libnasl-1.0.9.tar.gz3. tar zxvf nessus-core-1.0.9.tar.gz4. tar zxvf nessus-plugins-1.0.9.tar.gz5. ./configure ; make && make install
(I. Development Tools, Maintaining) rpm
2001/9/28 27
(I. Development Tools, Maintaining, rpm) How-To
? rpm? -ivh, install and dump some information? -Uvh, update? -qa, list all installed rpms (query all)
? e.g. rpm -qa | grep bind-util
? -qf, query (which rpm does this) file (belongs)? rpm -qf /usr/bin/perl
? -qpi, query package information? rpm -qpi /mnt/cdrom/RedHat/RPMS/*.rpm | grep -A 12 nslookup
? -qpl, list queried package? rpm -qpl /mnt/cdrom/RedHat/RPMS/bind-8.2.2_P3-1.i386.rpm
2001/9/28 28
(II. Network Experiment Tools) Name-Addressing
? Internet’s who is who…? DNS Querying - host
? LAN’s who is who? Peer Querying - arp
2001/9/28 29
(II. Network Experiment Tools, Name-Addressing) host? Internet’s who is who…
? DNS Querying – host
? Query name server for the mapping of ? host-to-IP? or IP-to-host? even the zone information (zone transfer)
? e.g. host -l -v -t any eic.nctu.edu.tw
? another similar well-known tool: nslookup
2001/9/28 30
(II. Network Experiment Tools, Name-Addressing, host) How-To
? host [-l] [-v] [-w] [-r] [-d] [-t querytype] [-a] host [server]? -l, list a complete domain? -v, verbose? -w, waits forever for a response? -r, turn off recursion in the request? -d, turn on debugging? -t querytype, specify a particular querytype to be looked up? -a, all, it is equivalent to -v –t any
2001/9/28 31
(II. Network Experiment Tools, Name-Addressing) arp
? To manipulate the ARP table realizing LAN’s who is who? Peer Querying – arp
2001/9/28 32
(II. Network Experiment Tools, Name-Addressing, arp) Inside arp
? Some files used by arp command? /proc/net/arp, where the arp table is actually stored for referencing? /etc/hosts, where a listing of name-to-address mapping of current hosts
is stored.
? Use arp request/reply
2001/9/28 33
(II. Network Experiment Tools, Name-Addressing, arp) How-To
? arp [-v] [-n] [-i] [-H type] [-a hostname] [-d hostname] [-s hostname hw_addr]? -v, verbose? -n, displays contents without resolving hostnames? -a, display all information in the ARP cache? -d, deletes an arp entry? -s, enters (sets) an arp entry? -H, the hardware type being used; default is ether
2001/9/28 34
(II. Network Experiment Tools) Perimeter-Probing
? Ping for living…? Verifying availability: ping
? Find your way…? Determining the path – Trace Route: traceroute
2001/9/28 35
(II. Network Experiment Tools, Perimeter-Probing) ping
? Ping for living…? Verifying availability: ping, which is actually taken from a
scientific operation carried out to locate objects using sonar.? However, with the increased usage of firewall and other access
control lists, it doesn’t always hold true when you ping a particular host: no answer = the host is not alive.
? Uses ICMP echo request/reply
2001/9/28 36
(II. Network Experiment Tools, Perimeter-Probing, ping) How-To
? ping [-dfnqrvR] [-c count] [-i wait] [-s packetsize]? -f, sends the packets as fast as possible (flood)? -n, doesn’t resolve hostnames; just give IP addresses (numeric)? -q, outputs only summary lines (quiet)? -R, sets the Record Route option? -c count, stops pinging after count packets? -i wait, sets an interval of wait seconds between packets? -s packetsize, sets the number of data bytes sent to packetsize
2001/9/28 37
(II. Network Experiment Tools, Perimeter-Probing) traceroute
? Find your way…? Determining the path – Trace Route: traceroute
? Uses ICMP TTL(Time-to-Live) field? Originally, TTL is used to avoid infinite loop? Controls (time exceeded)? Initially, TTL=1
? For every time exceeds, increment TTL.? For destination unreachable, done.
? UDP port > 30,000
2001/9/28 38
(II. Network Experiment Tools, Perimeter-Probing, traceroute) How-To
? traceroute [-dFInrvx] [ -f first_ttl ] [-g gateway ] [-i iface ] [-m max_ttl ] [-p port ] [-q nqueries ] [-s src_addr ] [-t tos ] [-w waittime ] host [ packetlen ]? -f, sets the initial TTL? -F, sets the “don’t fragment” bit? -I, uses ICMP ECHO instead of UDP datagrams? -m, set the maximum TTL (default: 30 hops)? -n, print hop addresses numerically? -p, sets the base UDP port number used in probes (default: 33434)? -r, bypasses the normal routing tables and sends directly to a particular host
2001/9/28 39
(II. Network Experiment Tools) Traffic-Monitoring
? Dump data passing in and out of the interface…? tcpdump
? Observe data passing in and out of the host? Network Status: netstat
2001/9/28 40
(II. Network Experiment Tools, Traffic-Monitoring) tcpdump? Dump data passing in and out of the interface…
? Tcpdump
Cooperate with the packet capture system within kernel? Originally only with BPF (Berkeley Packet Filter)? Now with pcap (Packet Capture Library), which also includes BPF
? Examples? Collecting Ethernet frames? Observing TCP handshakes
2001/9/28 41
(II. Network Experiment Tools, Traffic-Monitoring, tcpdump)
Operating ConceptsUser space
Kernel space
Filter 1 Filter 2 Filter 3
Ethernet
Device driver 1
Device driver 2
BPF
ProtocolStack
Buffer Buffer Buffer
tcpdump
T i m e s t a m pT i m e s t a m p
Other processes
2001/9/28 42
(II. Network Experiment Tools, Traffic-Monitoring, tcpdump) How-To
? tcpdump [-v] [-n] [ -i ] [ -c count ] [-t] [ -s snaplen ] [ expression ]? -v, verbose output? -n, use IP addresses (numeric) instead of resolving hostnames ? -i, listen on interface? -c, exit after receiving count packets ? -t, don't print a timestamp on each dump line ? -s, snarf snaplen bytes of data from each packet rather than the default of 68
? expression, selects which packets will be dumped
2001/9/28 43
(II. Network Experiment Tools, Traffic-Monitoring) netstat
? Observe data passing in and out of the host? Network Status: netstat
? Another popular usage of netstat? Look for any suspicious port, probably a trojan or backdoor
? e.g. Two classic trojans: Port 12345(TCP) Netbus and Port 31337(UDP) Back office
2001/9/28 44
(II. Network Experiment Tools, Traffic-Monitoring, netstat) How-To
? netstat [-v] [-n] [-a] [-i] [-s] [-A family] [-r]? -v, Tell the user what is going on? -a, show both listening and non-listening sockets? -n, Show numerical addresses instead of trying to resolve? -i, Display a table of network interfaces? -s, Display summary statistics for each protocol? -A, Specifies the address families? -r, Display the kernel routing tables
2001/9/28 45
(II. Network Experiment Tools, Perimeter-Probing)
Sample Scenario
ethernet driverethernet driver
ethernet driver
3. IP
Ethernet
4. ARP request (broadcast)
4. ARP (arp)
5. ARP (arp)
5. ARP reply(unicast, corresponding
ethernet address)
Destination
1. ping clientDNS (host)
hostname
IP address
2. ICMP
ICMP request
IP datagram
7. ping server6. ICMP
routing table (route/netstat)BPF (tcpdump)
copy of in/out packets
Source
2001/9/28 46
(II. Network Experiment Tools) Benchmarking
? Host-to-Host throughput analysis? Test TCP: ttcp
? Web Server performance analysis? The Benchmark for Web Server: webstone
2001/9/28 47
(II. Network Experiment Tools, Benchmarking) ttcp
? Host-to-Host throughput analysis? Test TCP: ttcp, which tests network TCP and UDP throughput. A
separate use of this tool is to create network pipes for transferring user data. Cisco routers now incorporate a version of this tool,enabling you to easily evaluate network performance.
2001/9/28 48
(II. Network Experiment Tools, Benchmarking, ttcp) How-To? Start the receiver (router or remote server with discard port)
? ttcp -r [-options > out] //see ttcp --help for options? [benson@sgw ttcp]# ttcp -r
ttcp-r: buflen=8192, nbuf=2048, align=16384/0, port=5001 tcp
ttcp-r: socket
? Start the transmitter? ttcp -t [-options] host [ < in ]
? [benson@sgw ttcp]$ ttcp -t sgw.cis.nctu.edu.tw < test
ttcp-t: buflen=8192, nbuf=2048, align=16384/0, port=5001 tcp -> sgw.cis.nctu.w
ttcp-t: socket
ttcp-t: connect
2001/9/28 49
(II. Network Experiment Tools, Benchmarking, ttcp) How-To? Statistics output at receiver/transmitter
? Receiver side:? ttcp-r: accept from source_host
This is a ttcp test!
ttcp-r: 22 bytes in 0.00 real seconds = 13.55 KB/sec +++
ttcp-r: 2 I/O calls, msec/call = 0.81, calls/sec = 1261.83
ttcp-r: 0.0user 0.0sys 0:00real 0% 0i+0d 0maxrss 0+1pf 0+0csw
? Transmitter side:? ttcp-t: 22 bytes in 0.00 real seconds = 120.70 KB/sec +++
ttcp-t: 1 I/O calls, msec/call = 0.18, calls/sec = 5617.98
ttcp-t: 0.0user 0.0sys 0:00real 0% 0i+0d 0maxrss 0+1pf 0+0csw
? Throughput analysis
2001/9/28 50
(II. Network Experiment Tools, Benchmarking) WebStone? Web Server performance analysis
? The Benchmark for Web Server: WebStone
? Operating concepts:? How to generate large load?
? Multiple simulated Web clients (web browsers) on each client computer? Then further distributes these Web clients among Client computers.
? Who is in charge of everything?? Webmaster controls all the testing done by WebStone? Webmaster distributes the Web client software and test configuration files to the
client computers.? then starts a benchmark run and waits for the Web clients to report back the
performance they measured.? combines the performance results from all the Web clients into a single summary
report
2001/9/28 51
(II. Network Experiment Tools, Benchmarking, WebStone)
Client-Server Architecture? Several Web clients running on one client computer? Several Client computer controlled by one webmaster? Target: Web server
2001/9/28 52
(II. Network Experiment Tools, Benchmarking, WebStone) How-To? Configuration parameters? Workload configuration? Load generation? Benchmark results
? Refer on-line manual for details.
2001/9/28 53
(II. Network Experiment Tools) Simulating/Emulating? Simulating the network
? Network Simulator: ns? Pros: cheap (less real infrastructure) and quick (available modules) to
assemble, large-scale (given sufficient computing resources) and reproducible (everything is coded) test
? Cons: redo code for simulation environment, implementation and environment may considerably differ from and poorly represent the real one.
? Emulating the network? Network Emulator: NIST Net
? Pros: an intermediate solution between real one and simulated one, and any degree of network conditions in a reproducible test
? Cons: scalability would be bounded by real-time timer/computation and limited statistics for further analysis
2001/9/28 54
(II. Network Experiment Tools, Simulating) ns
? Design concept:? A collaborative simulation platform that provide common references
and test suites, which simulates packet-level, discrete events within link layer and up of both wired and wireless network conditions.
? Features:? Emulation, certain platforms (e.g. FreeBSD)? Scenario generation, generate customized simulation environment? Visualization, with aid of nam (Network Animation)? Extensibility, implemented by C++ (ns core) and OTcl (ns
configuration), a leverage between run-time and iteration time.
2001/9/28 55
(II. Network Experiment Tools, Simulating, ns) Background
? Background: ? 1989, Ns began as a variant of the REAL (Realistic and Large)
network simulator? 1995, supported by DARPA through the VINT (Virtual InterNetwork
Testbed ) project? Currently, supported by DARPA through SAMAN (Simulation
Augmented by Measurement and Analysis for Networks) and CONSER (Collaborative Simulation for Education and Research
2001/9/28 56
(II. Network Experiment Tools, Simulating, ns) Typical Steps? Build Network model
? Create (1) ns object, (2) nodes, (3) links, and then into (4) LAN (if PPP, then skip (4))
? Build traffic model? Create (1) connection: either TCP or UDP? Generate (2) traffic: e.g. FTP of TCP or CBR of UDP? (3) error model? (4) scheduler
? Tracing? Output data in nam format for analysis
2001/9/28 57
(II. Network Experiment Tools, Emulating) NIST Net? Design concept:
? A network emulator that provides simple (parameters are typed, rather than coded, by user) user entry of network parameter (e.g. delay, loss, jitter) for emulating a wide range of network typeswith a small lab setup.
? Cnistnet (Command-line interface) or Xnistnet (GUI interface)
2001/9/28 58
(II. Network Experiment Tools, Emulating) NIST Net? What does it emulate?
? Packet delay? Fixed/variable
? Packet reordering? Delay variances
? Packet loss? Packet duplication? Bandwidth limitation
2001/9/28 59
(II. Network Experiment Tools) Hacking? Searching for holes
? Exploits scanning: nessus
? Eavesdropping? Sniffing: ettercap
? Storm of lethal attacks? DDoS: TFN-style (Tribe Flood Network)
2001/9/28 60
(II. Network Experiment Tools, Hacking) nessus? Searching for holes
? Exploits (risky services/ports) scanning: nessus
? Features:? Plugin-based
? Customized security checks can be written? in C? or in NASL (Nessus’Scripting Language)
? Knowledge-based? All plugins can share their knowledge
2001/9/28 61
(II. Network Experiment Tools, Hacking, nessus)
Client-Server Architecture
? nessusd (server) is in charge of the attacks? Multi-user, with ACLs for each user
? nessus (client) is the front-end to configure the server? ciphered communication between server and client
2001/9/28 62
(II. Network Experiment Tools , Hacking) ethereal? Eavesdropping
? Sniffing, “recording”, interpret, and save for analysis all the packets being sent across the network. For example, ethereal.
2001/9/28 63
(II. Network Experiment Tools , Hacking, ethereal)
How it works?? An Ethernet-based sniffer (including tcpdump) works together with
NIC? Set NIC to a special state called promiscuous mode? Capture any packet traversing across local Ethernet segment.
? Limitation? Cannot capture packets traversing beyond routers, switches,
segmenting devices, etc.
2001/9/28 64
(II. Network Experiment Tools , Hacking, ethereal) How-To? Command-line options
? -i <interface>, sets the interface that ethereal will capture from.? -k, causes ethereal to begin capturing packets immediately upon
startup. It must be used with the xs-i option.? -s, causes ethereal to display packets as they are captured.? -c <count>, causes ethereal to capture only count packets before
stopping. It is only useful with the -k option.? -D, causes ethereal to treat the TOS field of IP as the original TOS,
not like Differentiated Services.? -f <capture filter>, allows you to set a libpcap style capture filter.
libpcap filter syntax is covered in the ngrep section of this chapter.? -n, diables name resolution, all packets will be displayed with numeric
IP addresses, TCP ports, and UDP ports.
2001/9/28 65
(II. Network Experiment Tools , Hacking, ethereal) How-To? Options (cont.)
? -r <infile>, causes ethereal to read packets in from a saved file instead of an interface. Using previous captures is covered in the section called Viewing Saved Captures.
? -R <Read Filter>, allows you to set a read filter. Read filters are discussed in the section called Filtering Packets to be Displayed.
? -t <Time Stamp Format>, changes the format of the packet timestamps. The three possible formats are:
? r relative to the first packet (the default)? a actual date and time of the packet? d relative to the previous packet
? -w <savefile>This option sets the name of the file the capture will be saved to. Working with saved captures is covered in the section called Viewing Saved Captures.
2001/9/28 66
(II. Network Experiment Tools) Hacking? DoS Attacks
? Resource starvation? TCP SYN flooding, incomplete TCP/IP handshaking, (still works)
? Lots of SYN packets (bad source IP address)? Target system queues them up until receiving ACK message (e.g. netstat -a
seeing lots of connection in a SYN_RECV state)? Eventually, uses up resources and memory
? Land attack, infinite loopback handshaking, (might works)? Similar to SYN attacks, but use the IP of the target system itself, instead of a
bad IP address
? UDP flooding, infinite non-stopping loop, (might works)? Source system uses forged packets to connect the chargen UDP service to the
echo UDP service at target system.
2001/9/28 67
(II. Network Experiment Tools) Hacking? DoS Attacks
? Bandwidth consumption? Smurf attacks, send huge number of ping requests to a system (normally
the router) with spoofed IP addresses from within the target network, (still works unless the firewall is set to deny)
? Programming flaw? Ping of death, oversized ping packet, (no longer works, will get dropped)
? e.g. ping -l 65540
? Teardrop, overlapped (incorrect offset) IP fragmentation (no longer works, new overlapping packet replaces old packet)
? refer ip_fragment.c for the countermeasure in linux
2001/9/28 68
(II. Network Experiment Tools, Hacking) TFNxK(a cocktail approach of DoS attack)
? Random protocols (from the master to the agent)? Commands are sent via TCP, UDP, ICMP, or all three at random.? Packet headers (except ICMP) are randomized
? Random attacking styles (from agent to target)? May be TCP/SYN, UDP, ICMP/PING, or BROADCAST PING (SMURF) packet flood.
? Minimum exposure (between the master and the agent)? daemon is completely silent without acknowledging any command it receives, instead
relying on the probability. (client will issue each command many times, e.g. 20)? daemon would disguise itself by altering the contents of argv[0], thereby changing the
process name on some platforms and hence masquerading as a normal process on the agent.
? The filenames of both daemon and client might be renamed as well.? False incrimination (from the master to the agent)
? The command packets may be interspersed with any number of decoy packets sent to random IP addresses.
? All packets originating from either client or daemon can be (and are, by default) spoofed.
2001/9/28 69
(II. Network Experiment Tools, Hacking) TFNxK
? Cunning communication (between the master and the agent)? Not string-based (as they are in TFN and Stacheldraht). Instead, commands are of the
form "+<id>+<data>" where <id> is a single byte denoting a particular command and <data> represents the command’s parameters.
? Commands are encrypted using a key-based CAST-256 algorithm (RFC 2612). The key is defined at compile time and is used as a password when running the TFN2K client.
? All encrypted data is Base 64 encoded before it is sent, which means the payload should be comprised entirely of ASCII printable characters, and hence the TFN2K daemon uses this fact as a sanity-test when decrypting incoming packets.
? Multiple attacks? The daemon spawns a child for each attack against a target.
2001/9/28 70
(II. Network Experiment Tools, Hacking, TFN-style)
Countermeasures? Prevention
? Use a firewall that exclusively employs application proxies.? Disallow unnecessary TCP, UDP, ICMP traffic.
? Detection? Scan for the client/daemon files by name (default is tfn and td, respectively)? Scan all executable files on a host system for particular patterns (virus scanning)? Scan the process list for the presence of suspicious daemon processes? Examine incoming traffic that contains special TFN2K signature, which is probably a bug
using the Base64 encoding that leaves a telltale fingerprint at the end of every TFN2K packet.
? Watch for a series of packets with identical payloads (since each command is issued 20 times)
2001/9/28 71
(II. Network Experiment Tools , Hacking)
Integrated Scenario? Search for holes
? Nessus scanning
? If same LAN segment, ? Ethereal sniffing
? If can’t compromised? TFN-style DDoS
2001/9/28 72
III. Further Readings1. The VIM (Vi IMproved) Home Page, http://www.vim.org/2. The GCC home page, http://gcc.gnu.org/3. GNU Make, http://www.gnu.org/software/make/make.html4. GDB, http://sources.redhat.com/gdb/5. DDD, http://www.gnu.org/manual/ddd/6. kgdb, http://kgdb.sourceforge.net/7. CVS Home, http://www.cvshome.org/8. RPM, http://www.rpm.org/9. Webstone, http://www.mindcraft.com/webstone/10. Ns-2, http://www.isi.edu/nsnam/ns/index.html11. NIST Net, http://snad.ncsl.nist.gov/itg/nistnet/usage.html12. Nessus, http://www.nessus.org/13. Ethereal, http://www.ethereal.com/14. Karl Fogel, "Open Source Development with CVS”, The Coriolis Group, 1999
