Zombie Scan
Transcript of Zombie Scan
![Page 1: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/1.jpg)
Power Projection Systems Department
Zombie Scan
Judy Novak
Vern Stark
David Heinbuch
June 12, 2002
![Page 2: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/2.jpg)
SubSeven Incident
• June 29, 2001 ~ 12:00 Shadow reveals massive scan
• Hundreds of hosts concurrently scan SubSeven port of Class B network
• Flood, DDoS, scan?
• Similar scan on July 2, 2001 ~ 16:00
• June 26, 2001 SANS reports of W32.leave.worm
– Windows hosts
– Spread via hosts listening on port 27374
– Zombies used in DDoS attacks
– Scans @Home and Earthlink for port 27374
![Page 3: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/3.jpg)
Sample tcpdump Output
```
12:16:31.150575 ool-18bd69bb.dyn.optonline.net.4333 > 192.168.112.44.27374: S 542724472:542724472(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13444)
12:16:31.160575 ool-18bd69bb.dyn.optonline.net.4334 > 192.168.112.45.27374: S 542768141:542768141(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13445)
12:16:31.170575 24.3.50.252.1757 > 192.168.19.178.27374: S 681372183:681372183(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54912)
12:16:31.170575 24-240-136-48.hsacorp.net.4939 > 192.168.11.19.27374: S 3019773591:3019773591(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 39621)
12:16:31.170575 ool-18bd69bb.dyn.optonline.net.4335 > 192.168.112.46.27374: S 542804226:542804226(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13446)
12:16:31.170575 cc18270-a.essx1.md.home.com.4658 > 192.168.5.88.27374: S 55455482:55455482(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 8953)
12:16:31.170575 24.3.50.252.1759 > 192.168.19.180.27374: S 681485650:681485650(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54914)
12:16:31.170575 cc18270-a.essx1.md.home.com.4659 > 192.168.5.89.27374: S 55455483:55455483(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 9209)
12:16:31.170575 24.3.50.252.1760 > 192.168.19.181.27374: S 681550782:681550782(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54915)
12:16:31.170575 cc18270-a.essx1.md.home.com.4660 > 192.168.5.90.27374: S 55455484:55455484(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 9465)
```
![Page 4: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/4.jpg)
Source Hosts

| Scan | Total Packets | Unique Source Hosts | DNS Registered** |
|---|---|---|---|
| June 29 | 132,706 | 314 | 297 |
| July 2 | 157,842 | 295 | 271 |

** Not spoofed source IPs
![Page 5: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/5.jpg)
Scanning Host Networks
Bar chart, Top Five Scanning Networks: percentage of scan traffic by source network (y-axis 0 to 25 percent), series June 29 and July 02. Networks shown: home.com, sympatico.ca, rr.com, videotron.ca, aol.com.
All five are cable/dial-in modem providers.
![Page 6: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/6.jpg)
Destination Hosts
• Target network is a Class B (/16): 65,536 possible IP addresses
– June 29: 32,367 unique destination IPs scanned
– July 2: 36,638 unique destination IPs scanned
• Prior reconnaissance of live destination hosts?
– Missing Class C subnets
• Different for both scans
– Many IP numbers are not live hosts
• Alternative explanation: zombies assigned the missing ranges were not active or responsive during the scan
![Page 7: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/7.jpg)
Number of Unique Scanning Hosts per Destination Host
Bar chart, Unique Scanning Source Hosts per Destination Host: x-axis Number of Scanning Source Hosts (1 to 4), y-axis Number of Destination Hosts (0 to 30,000), series June 29 and July 02.
![Page 8: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/8.jpg)
Scanning Rates
• Sustained activity for 5 or 6 minutes
• Peak activity for 2 minutes
• June 29 scan: 7.2 Mbps maximum
• July 02 scan: 8.6 Mbps maximum
• Maximum volume not enough for DoS on our network
![Page 9: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/9.jpg)
Packets Per Minute
Two bar charts of packets per minute: June 29, 2001 (12:16 to 12:21) and July 02, 2001 (16:43 to 16:47). Y-axis: packets, 0 to 100,000; x-axis: time of day (hh:mm).
![Page 10: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/10.jpg)
Temporal Variability of Zombie Scan
![Page 11: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/11.jpg)
Initial Wave of TCP Packets
![Page 12: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/12.jpg)
Initial SYN Packets
![Page 13: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/13.jpg)
Initial SYNs and Retries
![Page 14: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/14.jpg)
Scanning Conclusions
• Scanning hosts carefully synchronized
• Waves of initial SYNs and TCP retries result in highly variable bandwidth consumption
• SYNs sent in waves 11.5 seconds apart
• “Thoughtful” scan
– Each source host assigned a range of destination hosts
– Assigned time frame and frequency to scan
![Page 15: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/15.jpg)
Scanning Hosts Operating Systems
• Examine “passive” fingerprints
– Arriving Time to Live (TTL) values
– Scanning host TCP window size
– Scanning host TCP options
![Page 16: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/16.jpg)
Fingerprint Values by OS (courtesy Honeynet Project)

| OS | Version | Platform | TTL | Window |
|---|---|---|---|---|
| Windows | 9x/NT | Intel | 32 | 5000-9000 |
| AIX | 4.3.x | IBM/RS6000 | 60 | 16000-16100 |
| AIX | 4.2.x | IBM/RS6000 | 60 | 16000-16100 |
| Cisco | 11.2 | 7507 | 60 | 65535 |
| IRIX | 6.x | SGI | 60 | 61320 |
| Linux | 2.2.x | Intel | 64 | 32120 |
| OpenBSD | 2.x | Intel | 64 | 17520 |
| Solaris | 8 | Intel/Sparc | 64 | 24820 |
| Windows | 9x/NT | Intel | 128 | 5000-9000 |
| Windows | 2000 | Intel | 128 | 17000-18000 |
| Cisco | 12.0 | 2514 | 255 | 3800-5000 |
| Solaris | 2.x | Intel/Sparc | 255 | 8760 |
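The passive-fingerprinting method of the previous slides (arriving TTL, window size, TCP options) and the per-source destination assignment described under Scanning Conclusions, applied to the ten SYN records from the Sample tcpdump Output slide. This is an added example, not code from the original presentation. The OS and link attributions are the ones the slides use (TTL 32 and 128 = Windows, 64 = Unix; window 8192 = Windows 9x/NT, 16384 = Windows 2000, 8760 = Solaris, 65535 = unknown; MSS 1460 = Ethernet, 536 = PPP/ISDN, 1414 = PPPoE/DSL). Two things are assumptions added here and labelled in the code: the rule that the initial TTL is the smallest common value (32, 64, 128, 255) not below the arriving TTL, and the reading of a 256-step IP ID as the little-endian counter of older Windows stacks.

```python
"""Passive fingerprinting and per-source summary of SubSeven-scan SYNs.

Added example for this page, not code from the original presentation. It
parses tcpdump lines in the format of the "Sample tcpdump Output" slide and
applies the slides' attributions for TTL, window size and MSS. The rule
"initial TTL = smallest common value >= arriving TTL" is an assumption about
how the slides' hop counts were derived.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# The ten SYN records printed on the "Sample tcpdump Output" slide.
SAMPLE_TCPDUMP = """\
12:16:31.150575 ool-18bd69bb.dyn.optonline.net.4333 > 192.168.112.44.27374: S 542724472:542724472(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13444)
12:16:31.160575 ool-18bd69bb.dyn.optonline.net.4334 > 192.168.112.45.27374: S 542768141:542768141(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13445)
12:16:31.170575 24.3.50.252.1757 > 192.168.19.178.27374: S 681372183:681372183(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54912)
12:16:31.170575 24-240-136-48.hsacorp.net.4939 > 192.168.11.19.27374: S 3019773591:3019773591(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 39621)
12:16:31.170575 ool-18bd69bb.dyn.optonline.net.4335 > 192.168.112.46.27374: S 542804226:542804226(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13446)
12:16:31.170575 cc18270-a.essx1.md.home.com.4658 > 192.168.5.88.27374: S 55455482:55455482(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 8953)
12:16:31.170575 24.3.50.252.1759 > 192.168.19.180.27374: S 681485650:681485650(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54914)
12:16:31.170575 cc18270-a.essx1.md.home.com.4659 > 192.168.5.89.27374: S 55455483:55455483(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 9209)
12:16:31.170575 24.3.50.252.1760 > 192.168.19.181.27374: S 681550782:681550782(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54915)
12:16:31.170575 cc18270-a.essx1.md.home.com.4660 > 192.168.5.90.27374: S 55455484:55455484(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 9465)
"""

# Old-style tcpdump SYN line: "ts src.sport > dst.dport: S seq:seq(0) win W <opts> (DF) (ttl T, id I)"
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > ?"
    r"(?P<dst>\S+)\.(?P<dport>\d+): S \d+:\d+\(0\) win (?P<win>\d+) "
    r"<(?P<opts>[^>]*)> \(DF\) \(ttl (?P<ttl>\d+), id (?P<ipid>\d+)\)$"
)

INITIAL_TTLS = (32, 64, 128, 255)
# Attributions from the slides; 255 is the Cisco 12.0 / Solaris 2.x row of the Honeynet table.
TTL_OS = {32: "Windows", 64: "Unix", 128: "Windows", 255: "Solaris 2.x/Cisco"}
WIN_OS = {8192: "Windows 9x/NT", 16384: "Windows 2000", 8760: "Solaris", 65535: "Unknown"}
MSS_LINK = {1460: "Ethernet", 536: "PPP/ISDN", 1414: "PPPoE (DSL)"}


def parse_syn(line: str) -> dict:
    """Split one tcpdump SYN line into its fields; raises on anything else."""
    m = SYN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    rec = m.groupdict()
    for key in ("sport", "dport", "win", "ttl", "ipid"):
        rec[key] = int(rec[key])
    mss = re.search(r"\bmss (\d+)", rec["opts"])  # e.g. "mss 1460,nop,nop,sackOK"
    rec["mss"] = int(mss.group(1)) if mss else None
    return rec


def infer_initial_ttl(arriving_ttl: int) -> int:
    """Smallest common initial TTL that is >= the arriving value (assumed rule)."""
    for initial in INITIAL_TTLS:
        if arriving_ttl <= initial:
            return initial
    raise ValueError(f"TTL out of range: {arriving_ttl}")


def fingerprint(rec: dict) -> dict:
    """Passive fingerprint of one SYN from its TTL, window size and MSS."""
    initial = infer_initial_ttl(rec["ttl"])
    return {
        "initial_ttl": initial,
        "hops": initial - rec["ttl"],
        "ttl_os": TTL_OS[initial],
        "win_os": WIN_OS.get(rec["win"], "Other"),
        "link": MSS_LINK.get(rec["mss"], "Other"),
    }


def summarise_sources(text: str) -> dict:
    """Group SYNs by source host: fingerprint plus the destination block each
    zombie walked, which is what the slides call the 'thoughtful' assignment."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_syn(line)
            by_src[rec["src"]].append(rec)
    summary = {}
    for src, recs in by_src.items():
        dsts = sorted(int(ip_address(r["dst"])) for r in recs)
        ipids = [r["ipid"] for r in recs]  # kept in arrival order
        summary[src] = {
            **fingerprint(recs[0]),
            "syns": len(recs),
            "first_dst": str(ip_address(dsts[0])),
            "last_dst": str(ip_address(dsts[-1])),
            # True when the destinations seen form one unbroken block of addresses.
            "contiguous_range": dsts == list(range(dsts[0], dsts[0] + len(dsts))),
            # IP ID step between consecutive packets: +1 is a plain counter; +256 is
            # the little-endian counter of older Windows stacks (observation added
            # here, not on the slides).
            "ipid_steps": [b - a for a, b in zip(ipids, ipids[1:])],
        }
    return summary


if __name__ == "__main__":
    for src, info in summarise_sources(SAMPLE_TCPDUMP).items():
        print(f"{src}: {info}")
```

On the sample all four sources arrive with TTL 117, so they are binned as initial TTL 128 with 11 hops. The optonline and home.com hosts each walk three consecutive destination addresses; the 24.3.50.252 host shows .178, .180 and .181 because the .179 packet is not in the excerpt, so its block is reported as non-contiguous. The home.com host (window 8192, Windows 9x/NT by the slide's attribution) steps its IP ID by 256 per packet, the optonline host (window 16384) by 1.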
![Page 17: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/17.jpg)
June 29 Arriving TTL Values
Histogram, June 29, 2001 Arriving TTL Values: x-axis arriving TTL value, y-axis packets (0 to 20,000), grouped by inferred initial TTL.

| Initial TTL | Attributed OS | Share of packets | Inferred hops |
|---|---|---|---|
| 32 | Windows | 2.66% | 10–22 |
| 64 | Unix | 5.2% | 8–25 |
| 128 | Windows | 92.13% | 8–22 |
![Page 18: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/18.jpg)
July 2 Arriving TTL Values
Histogram, July 2, 2001 Arriving TTL Values: x-axis arriving TTL value, y-axis packets (0 to 20,000), grouped by inferred initial TTL.

| Initial TTL | Attributed OS | Share of packets | Inferred hops |
|---|---|---|---|
| 32 | Windows | 2.36% | 12–22 |
| 64 | Unix | 5.35% | 12–21 |
| 128 | Windows | 92.29% | 8–27 |
![Page 19: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/19.jpg)
Scanning Host TCP Window Size
Bar chart, TCP Window Size: percentage of source hosts (y-axis 0 to 60) per window size, series June 29 and July 02.

| Window size | Attributed OS |
|---|---|
| 8192 | Windows 9x/NT |
| 16384 | Windows 2000 |
| 65535 | Unknown |
| 8760 | Solaris |
| Other | not attributed |
![Page 20: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/20.jpg)
Scanning Host Maximum Segment Size
Bar chart, TCP Maximum Segment Size: percentage of source hosts (y-axis 0 to 100) per MSS, series June 29 and July 02.

| MSS | Link type |
|---|---|
| 1460 | Ethernet |
| 536 | PPP/ISDN |
| 1414 | PPPoE (DSL) |
| Other | not attributed |
![Page 21: Zombie Scan](https://reader036.fdocuments.us/reader036/viewer/2022081505/5681592a550346895dc65383/html5/thumbnails/21.jpg)
SubSeven Scan Conclusions
• Very efficient scan
• Conducted by zombie hosts
– Most are Windows
– Other operating systems involved
– Representative of normal distribution on Internet?
• Thoughtful scan
– Redundant scanners
– Timing parameters
– Ranges of destination hosts