Advanced Network Inference Techniques Based on Network Protocol - - PowerPoint PPT Presentation



SLIDE 1

Advanced Network Inference Techniques Based on Network Protocol Stack Information Leaks

Roya Ensafi, October 2013

SLIDE 2

Still A Peach Attacker

SLIDE 3

Still A Peach Attacker

Diagram labels: Attacker, Zombie, Victim

SLIDE 4

What if we could?

  • Scan a firewall port or a hidden machine
  • Infer IP-based trust relationships
  • Infer communication constraints
  • Infer imposed geographical (dis)connectivity
  • Infer intentional packet drops
  • ...

Diagram labels: Attacker, Zombie, Victim

SLIDE 5

Outline

  • Background knowledge
  • Brief overview of USENIX'10 paper
    – Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks
    – SYN backlog idle scan
  • Overview of PAM'13 (submitted) paper
    – Detecting Bi-Directional Intentional Packet Drops Using Idle Scans
    – Real data examples
  • Future work

SLIDE 6

Model checking network stack

  • Is there a way to automate finding inference attacks?
  • Create a transition system of the network protocol stack
  • Check all possible scenarios for the non-interference property

SLIDE 7

Shared (limited) resources

  • Global IPID variable
    – A global counter that is incremented by one every time a packet is sent out.
    – Unique numbers used for fragmentation.
    – At any time, it reveals the number of packets the machine has sent to other destinations.
  • RST rate limiting counter
    – A machine limits the number of RST packets that it will send in a given time period.
  • SYN backlog/cache
    – A cache for holding half-open TCP connections
    – Each entry waits for the proper ACK or RST before it is dropped

SLIDE 8

Port & port scanning

Diagram: Host1 (SYN cache = 0, RST counter = 1, port is open) and Host 2 (SYN cache = 0, RST counter = 1, port is open)

SLIDE 9

Port & port scanning

Diagram: Host1 (SYN cache = 1, RST counter = 1, port is open) sends a SYN packet to Host 2 (SYN cache = 0, RST counter = 1, port is open)

SLIDE 10

Port & port scanning

Diagram: SYN packet in flight from Host1 (SYN cache = 1, RST counter = 1, port is open) to Host 2 (SYN cache = 0, RST counter = 1, port is open)

SLIDE 11

Port & port scanning

Diagram: the SYN packet reaches Host 2 (SYN cache = 0, RST counter = 1, port is open), which answers Host1 (SYN cache = 1, RST counter = 1, port is open) with a SYN/ACK packet

SLIDE 12

TCP handshake

Diagram: SYN packet, SYN/ACK packet and ACK packet exchanged between Host1 (SYN cache = 0, RST counter = 1) and Host 2 (SYN cache = 0, RST counter = 1, port is open)

SLIDE 13

Idle scanning

Diagram: Scenario 1 (port is open): Server1, Client 1, Attacker. Scenario 2 (port is closed): Server2, Client 2, Attacker.

SLIDE 14

Idle scanning

Diagram: Scenario 1 (port is open): Server1, Client 1, Attacker. Scenario 2 (port is closed): Server2, Client 2, Attacker.

SLIDE 15

IPID idle scanning

Diagram, Scenario 1 (port is open): Server1, Client 1, Attacker; SYN/ACK packet from Attacker, IPID is 3177; spoofed SYN packet; SYN/ACK packet; RST packet, IPID = 3178.
Diagram, Scenario 2 (port is closed): Server2, Client 2, Attacker; SYN/ACK packet from Attacker, IPID is 3177; spoofed SYN packet; RST packet; IPID = 3177 (unchanged).

SLIDE 16

IPID idle scanning

Diagram, Scenario 1 (port is open): Server1, Client 1, Attacker; SYN/ACK packet from Attacker; IPID is 3179.
Diagram, Scenario 2 (port is closed): Server2, Client 2, Attacker; SYN/ACK packet from Attacker; IPID is 3178.
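Slide 6 asks for a transition system of the stack that can be checked for non-interference, and slides 15 and 16 walk through the IPID idle scan with concrete IPID values. The Python model below is an added example, not code from the talk or from the papers it summarises. It encodes three hosts with the minimal TCP reactions the slides rely on (a SYN to an open port gets a SYN/ACK, a SYN to a closed port gets an RST, an unsolicited SYN/ACK gets an RST) and a global IPID counter, replays both scenarios, and checks whether the attacker's observation depends on the secret, which is the victim's port state. The `per_dest_ipid` switch is my own addition modelling a mitigation (a per-destination IP ID counter) so the same check can show the leak disappearing; host names, port 80 and the starting IPID 3176 are constructed so that the first probe observes 3177 as on slide 15.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str        # "SYN", "SYN/ACK" or "RST"
    ipid: int = 0     # IP ID the sender stamped on the packet


@dataclass
class Host:
    name: str
    ipid: int                          # global IPID counter: the shared resource that leaks
    open_ports: set
    per_dest_ipid: bool = False        # mitigation switch (assumed model): per-destination counters
    dest_counters: dict = field(default_factory=dict)

    def next_ipid(self, dst):
        """Allocate the IP ID for the next packet to dst."""
        if self.per_dest_ipid:
            self.dest_counters[dst] = self.dest_counters.get(dst, 0) + 1
            return self.dest_counters[dst]
        self.ipid += 1
        return self.ipid

    def handle(self, pkt):
        """Transition relation of the toy stack: the reply a packet triggers, or None."""
        if pkt.flags == "SYN":
            flags = "SYN/ACK" if pkt.dport in self.open_ports else "RST"
        elif pkt.flags == "SYN/ACK":
            flags = "RST"              # an unsolicited SYN/ACK is answered with RST
        else:
            return None                # an RST ends the exchange
        return Packet(self.name, pkt.src, 0, flags, self.next_ipid(pkt.src))


def run(net, pkt):
    """Deliver pkt and every reply it triggers; return the whole wire trace."""
    trace = []
    while pkt is not None:
        trace.append(pkt)
        pkt = net[pkt.dst].handle(pkt)
    return trace


def idle_scan(victim_port_open, per_dest_ipid=False):
    """One run of the scenario on slides 15-16. Returns the IPIDs the attacker
    observes before and after the spoofed SYN; only their difference matters."""
    zombie = Host("zombie", 3176, set(), per_dest_ipid)                 # Client 1 / Client 2
    victim = Host("victim", 100, {80} if victim_port_open else set())   # Server1 / Server2
    attacker = Host("attacker", 0, set())
    net = {h.name: h for h in (zombie, victim, attacker)}

    def probe():
        # attacker -> zombie SYN/ACK; the zombie's RST reply carries its current IPID
        trace = run(net, Packet("attacker", "zombie", 0, "SYN/ACK"))
        return next(p.ipid for p in trace if p.dst == "attacker")

    before = probe()                                   # 3177, as on slide 15
    run(net, Packet("zombie", "victim", 80, "SYN"))    # spoofed SYN: source claims to be the zombie
    after = probe()
    return before, after


def non_interference_holds(per_dest_ipid=False):
    """Secret: the victim's port state. Observation: the attacker's IPID delta.
    Non-interference holds iff every value of the secret yields the same observation."""
    deltas = {after - before for before, after in
              (idle_scan(secret, per_dest_ipid) for secret in (True, False))}
    return len(deltas) == 1


if __name__ == "__main__":
    print("open  :", idle_scan(True))     # (3177, 3179): the zombie's IPID jumped by 2
    print("closed:", idle_scan(False))    # (3177, 3178): the zombie's IPID jumped by 1
    print("global IPID, non-interference holds:", non_interference_holds())
    print("per-destination IPID, non-interference holds:", non_interference_holds(True))
```

The two scenarios reproduce the slide's numbers (3178 vs 3179 on the second probe), and the check fails for the global counter because the observation set has two members. With the per-destination counter the attacker's own probes are the only packets that touch the counter it can see, so both scenarios yield the same delta and the property holds; this is the shape of argument a model checker would make over the full transition system instead of these two hand-picked traces.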

SLIDE 17

Idle scanning with brick wall

First idle scan that allows an attacker to scan firewalled networks and ports and infer trust relationships without routing any packets to the victim

SLIDE 18

SYN backlog idle scanning

Diagram labels: Zombie1, Victim1, Victim2, Zombie2, Server1, Client1, Server2, Client2, Attacker; port is open / port is closed; SYN cache = 0 on both sides.

SLIDE 19

SYN backlog idle scanning

Diagram labels: Zombie1, Victim1, Victim2, Zombie2, Server1, Client1, Server2, Client2, Attacker; port is open / port is closed; SYN cache = 0 on both sides.

SLIDE 20

SYN backlog idle scanning

Diagram labels: Zombie1, Victim1, Victim2, Zombie2, Server1, Client1, Server2, Client2, Attacker; port is open / port is closed; SYN cache = 1 on both sides; spoofed SYN packet on both sides.

SLIDE 21

SYN backlog idle scanning

Diagram labels: Zombie1, Victim1, Victim2, Zombie2, Server1, Client1, Server2, Client2, Attacker; port is open / port is closed; SYN cache = 1 on both sides; spoofed SYN packet and SYN/ACK packet on both sides.

SLIDE 22

SYN backlog idle scanning

Diagram labels: Zombie1, Victim1, Victim2, Zombie2, Server1, Client1, Server2, Client2, Attacker; port is open / port is closed; SYN cache = 1 on both sides; spoofed SYN packet, SYN/ACK packet, RST packet.

SLIDE 23

SYN backlog idle scanning

Diagram labels: Zombie1, Victim1, Victim2, Zombie2, Server1, Client1, Server2, Client2, Attacker; port is open / port is closed; SYN cache = 0 (left) and SYN cache = 1 (right); spoofed SYN packet, SYN/ACK packet, RST packet.

SLIDE 24

SYN backlog idle scanning

Diagram labels: Zombie1, Victim1, Victim2, Zombie2, Server1, Client1, Server2, Client2, Attacker; port is open / port is closed; SYN cache = 0 (left) and SYN cache = 1 (right); spoofed SYN packet, SYN/ACK packet, RST packet.

SLIDE 25

SYN backlog idle scanning

Diagram labels: Zombie1, Victim1, Victim2, Zombie2, Server1, Client1, Server2, Client2, Attacker; port is open / port is closed; SYN cache = 0 (left) and SYN cache = 1 (right); SYN packet on both sides.

SLIDE 26

SYN backlog idle scanning

Diagram labels: Zombie1, Victim1, Victim2, Zombie2, Server1, Client1, Server2, Client2, Attacker; port is open / port is closed; SYN cache = 1 on both sides; SYN packet on both sides; SYN cookie packet (left), SYN/ACK packet (right).

SLIDE 27

Can we combine idle scans?

  • Is there a way that combining the IPID and SYN backlog idle scans can give us more information?
  • Can we use our idle scans to figure out intentional packet drops?
    – YES, we can.

SLIDE 28

Can we detect censorship?

SLIDE 29

Can we connect to Server?

SLIDE 30

No Direction Blocked

SLIDE 31

Server to Client Blocked

SLIDE 32

Client to Server Blocked

SLIDE 33

Simple, Effective, Unobtrusive

  • Requirements:
    1. A global IPID machine in the area of the target
    2. A server IP that has an open port and a SYN backlog
  • Based on our experience, sending 5 spoofed SYN packets over 120 seconds is more than enough to detect the different cases.
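Slides 30 to 33 name three outcomes of the combined scan (no direction blocked, server-to-client blocked, client-to-server blocked) without showing how a measurement separates them. The Python below is an added example of mine, not from the talk or the paper it previews. Its modelling assumptions, which the slides do not state, are: each spoofed SYN whose SYN/ACK reaches the zombie costs the zombie one IPID for the RST it sends back; when that RST never reaches the server, the half-open entry in the server's SYN backlog is retransmitted `SYNACK_RETRIES` times and each retransmission costs one more IPID; and when the server-to-client path is blocked no SYN/ACK arrives, so nothing beyond the probes is counted. It also corrects for the zombie's background traffic, which a global IPID counter includes (slide 7) and which is the reason slide 39 is about selecting the zombie. All IPID samples are constructed; `N_SPOOFED = 5` follows slide 33 and `SYNACK_RETRIES = 5` is an assumed value.

```python
N_SPOOFED = 5        # spoofed SYNs per measurement round (slide 33)
SYNACK_RETRIES = 5   # assumed: the server retransmits an unanswered SYN/ACK this many times

# Constructed IPID samples of the zombie, one per attacker probe. Every probe
# reply (an RST) itself consumes one IPID, so a perfectly quiet zombie would
# climb by exactly one per sample; anything more is background traffic or
# RSTs the zombie sent in reply to the server's SYN/ACKs.
BASELINE = [3177, 3178, 3180, 3181, 3182, 3184]            # quiet window: +7 = 5 probes + 2 background
ROUND_NO_BLOCK = [3200, 3202, 3205, 3207, 3209, 3212]      # +12 = 5 probes + 5 RSTs + 2 background
ROUND_S2C_BLOCKED = [3200, 3201, 3203, 3204, 3205, 3207]   # +7  = 5 probes + 0 RSTs + 2 background
ROUND_C2S_BLOCKED = [3200, 3208, 3215, 3222, 3230, 3237]   # +37 = 5 probes + 30 RSTs + 2 background


def background_rate(samples):
    """Background IPID consumption per probe interval, excluding the probe replies."""
    intervals = len(samples) - 1
    return (samples[-1] - samples[0] - intervals) / intervals


def excess_increments(baseline, measured):
    """IPIDs consumed in the measured window that neither the probes nor the
    zombie's usual background traffic explain: the increments attributable to
    RSTs the zombie sent in reply to the server's SYN/ACKs."""
    intervals = len(measured) - 1
    observed = measured[-1] - measured[0] - intervals
    return observed - background_rate(baseline) * intervals


def classify(baseline, measured, n_spoofed=N_SPOOFED, retries=SYNACK_RETRIES):
    """Map the excess increments to the nearest of the three expected signatures."""
    extra = excess_increments(baseline, measured)
    signatures = {
        "server-to-client blocked": 0,                          # no SYN/ACK ever reached the zombie
        "no direction blocked": n_spoofed,                      # one RST per spoofed SYN
        "client-to-server blocked": n_spoofed * (1 + retries),  # RSTs lost, SYN/ACKs retransmitted
    }
    return min(signatures, key=lambda case: abs(signatures[case] - extra))


if __name__ == "__main__":
    for label, window in (("no block", ROUND_NO_BLOCK),
                          ("s2c blocked", ROUND_S2C_BLOCKED),
                          ("c2s blocked", ROUND_C2S_BLOCKED)):
        print(f"{label:12s} excess={excess_increments(BASELINE, window):5.1f}"
              f" -> {classify(BASELINE, window)}")
```

The baseline window matters as much as the measurement: a zombie that sends two extra packets per 120 seconds is easy to correct for, but one whose background traffic swamps the five expected RSTs cannot separate "no direction blocked" from "server-to-client blocked" at all, which is why the selection criterion on slide 39 is a quiet host with a truly global counter. The classifier here picks the nearest signature; a real measurement would repeat rounds and also check that the excess is not negative, which would indicate that the baseline was not representative.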

SLIDE 34

Real Data

SLIDE 35

Real Data

SLIDE 36

Real Data

SLIDE 37

No Direction Blocked Then Client to Server Blocked

SLIDE 38

No Direction Blocked Then Client to Server Blocked

SLIDE 39

Global IPID Machine Selection

SLIDE 40

Future work