"One approach to intrusions research behind a personal firewall"

In the form of an email to intrusions@incidents.org, 08/10/02


Date: Sat, 10 Aug 2002 13:35:28 -0700
From: John Sage 
To: _@_.org
Subject: One approach to intrusions research behind a personal firewall


All:

For well over a year now I have been frustrated by the fact that the
very thing which keeps my home systems safe also prevents any real
research into intrusion signatures and their evolution.

Since my Linux 2.2.14-based ipchains firewall DENY's all connection
attempts to ports that I have closed to the outside world (which is to
say, almost all of them) I see a lot of TCP:SYN packets that obviously
represent intrusion attempts, but because my firewall is doing its
job, the initial SYN is DENY'ed, and I never see anything more than
that.

What to do, what to do? How to join in on the fun?

Tom Liston's LaBrea isn't an option since at home I'm a dialup, and
there is no ARP request on a Point-to-Point link; I'm not willing to
turn my firewall into a true honeypot because I do need its integrity
uncompromised.

What I envisioned is what I'm currently calling an ACK_hole: a process
that sits on a port (or ports..) and accepts connections, silently
discarding the contents of all packets received, all the while snort
1.8.7 is logging the entire transaction.

For a brief time I hacked inetd to run the UNIX discard server on an
interesting port, and this worked, but discard is limited to listening
to one TCP and one UDP port only.

My next attempt was a lightly modified version of trafficrcvc.c, from:

http://www.psc.edu/~web100/pathprobe/

trafficrcv is billed as a "network data sink": it accepts TCP
connections, receives packets, and drops them on the floor.

trafficrcv kinda worked, but the authors *do* label the code as alpha,
and trafficrcv would leave a zombie child process running after a
socket CLOSE, and also leave the local socket open in the CLOSE_WAIT
state, forever (or until I rebooted my firewall :-/ ).

I hacked at it a little and was able to prevent the zombied children,
but after fiddling a while I still couldn't eliminate the local socket
hung in the CLOSE_WAIT state, so I decided to start all over from
scratch.

I am currently reading W. Richard Stevens' "UNIX Network Programming";
I decided to use as a starting point tcpserv04.c, p.128, modifying it
to accept a specific port on the command line, and adding a couple
other little tweaks.

I call the resulting program "ACK_hole01.c".

Selecting the top six most active TCP ports being probed recently (80
http, 1433 MS SQL, 27374 SubSeven et al, 12345 NetBus et al, 22 ssh,
17300 Kuang2), I open those six ports in the script that sets up my
ipchains-based firewall, start up six instances of ACK_hole01, one
listening on each of those ports, and sit back to wait.
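To make the idea concrete, here is an added example of the kind of data sink described above. It is not John Sage's ACK_hole01.c and not Stevens' tcpserv04.c; it was written here for illustration, and the binary name, port-argument handling and message text are assumptions. It takes one TCP port on the command line, forks a child per accepted connection, reads and throws away whatever the peer sends until the peer closes, and addresses the two problems mentioned with trafficrcv: children are reaped on SIGCHLD so no zombies accumulate, and the parent closes its copy of every accepted socket so the child's close is the last reference and the connection does not sit in CLOSE_WAIT. The ack_hole_selftest() function exercises the drain logic over a socketpair without touching the network.

```c
/* Added example, not John Sage's ACK_hole01.c or Stevens' tcpserv04.c: a
 * minimal forking TCP data sink. Listens on the port given on the command
 * line, accepts each connection in a child, discards everything the peer
 * sends until the peer's FIN, then exits the child. A SIGCHLD handler reaps
 * children (no zombies) and the parent closes its copy of each accepted
 * socket (no connection left in CLOSE_WAIT). Usage: ./ack_hole 1433 */
#define _XOPEN_SOURCE 700
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Validate the command-line port; returns -1 unless it is exactly 1..65535. */
int parse_port(const char *s)
{
    char *end;
    long v;
    if (s == NULL || *s == '\0') return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    return (errno || *end != '\0' || v < 1 || v > 65535) ? -1 : (int)v;
}

/* Read until the peer closes (read() == 0), dropping every byte; returns the
 * count discarded, or -1 on a read error other than EINTR. */
long drain_and_discard(int fd)
{
    char buf[4096];
    long total = 0;
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n > 0) total += n;             /* payload is never inspected */
        else if (n == 0) return total;
        else if (errno != EINTR) return -1;
    }
}

/* Reap every exited child so none lingers as a zombie. */
static void reap_children(int sig)
{
    int saved = errno;
    (void)sig;
    while (waitpid(-1, NULL, WNOHANG) > 0) ;
    errno = saved;
}

/* Offline self-check: a forked "prober" writes nbytes into a socketpair and
 * exits (its FIN); the sink end is drained. Returns bytes drained, -1 on error. */
long ack_hole_selftest(long nbytes)
{
    int sv[2];
    char junk[256];
    long got, left = nbytes;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                        /* prober side */
        close(sv[1]);
        memset(junk, 'A', sizeof junk);
        while (left > 0) {
            ssize_t w = write(sv[0], junk, left < 256 ? (size_t)left : 256);
            if (w <= 0) _exit(1);
            left -= w;
        }
        _exit(0);
    }
    close(sv[0]);                          /* sink side must drop the writer's end */
    got = drain_and_discard(sv[1]);
    close(sv[1]);
    waitpid(pid, NULL, 0);
    return got;
}

int main(int argc, char **argv)
{
    int port = (argc == 2) ? parse_port(argv[1]) : -1, lfd, on = 1;
    struct sigaction sa;
    struct sockaddr_in addr;
    if (port < 0) { fprintf(stderr, "usage: %s <tcp-port>\n", argv[0]); return 1; }
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = reap_children;
    sa.sa_flags = SA_RESTART;              /* accept() resumes after a reap */
    sigaction(SIGCHLD, &sa, NULL);
    lfd = socket(AF_INET, SOCK_STREAM, 0);
    setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons((unsigned short)port);
    if (bind(lfd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(lfd, 16) < 0) {
        perror("bind/listen"); return 1;
    }
    for (;;) {
        int cfd = accept(lfd, NULL, NULL);
        if (cfd < 0) { if (errno == EINTR) continue; perror("accept"); return 1; }
        if (fork() == 0) {                 /* child: serve this one probe */
            close(lfd);
            fprintf(stderr, "port %d: discarded %ld bytes\n", port, drain_and_discard(cfd));
            close(cfd);
            _exit(0);
        }
        close(cfd);   /* parent drops its reference; keeping it open is the CLOSE_WAIT leak */
    }
}
```

Run one instance per port you have opened in the firewall script, e.g. six of them for the six ports listed above, with the sniffer logging alongside. The sink never sends a byte of its own, so the only thing a prober learns from it is that the port accepts connections; the parent's close(cfd) after fork is the line that the trafficrcv-style CLOSE_WAIT hang comes down to.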

And it works.

I now get an entire exploit attempt, logged by snort 1.8.7, from the
initial SYN to the final ACK.

A recent example to TCP:1433 MS SQL:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-08:29:13.442818 211.201.134.178:4594 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:56102 IpLen:20 DgmLen:48 DF
******S* Seq: 0xA509D205  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-08:29:13.453882 12.82.142.89:1433 -> 211.201.134.178:4594
TCP TTL:64 TOS:0x0 ID:57345 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x890637D8  Ack: 0xA509D206  Win: 0x77C4  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-08:29:13.892817 211.201.134.178:4594 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:56125 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xA509D206  Ack: 0x890637D9  Win: 0x4470  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-08:29:13.902854 211.201.134.178:4594 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:56126 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xA509D206  Ack: 0x890637D9  Win: 0x4470  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-08:29:13.903606 12.82.142.89:1433 -> 211.201.134.178:4594
TCP TTL:64 TOS:0x0 ID:57357 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x890637D9  Ack: 0xA509D207  Win: 0x77C4  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-08:29:13.957772 12.82.142.89:1433 -> 211.201.134.178:4594
TCP TTL:64 TOS:0x0 ID:57365 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x890637D9  Ack: 0xA509D207  Win: 0x7D78  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-08:29:14.372930 211.201.134.178:4594 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:56153 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xA509D207  Ack: 0x890637DA  Win: 0x4470  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

So I'm probed once, and ACK_hole01 responds, so he thinks there's a
MS SQL server listening on that port.

And 45 minutes later, he comes back:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:25.614152 211.201.134.178:4147 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:58825 IpLen:20 DgmLen:48 DF
******S* Seq: 0x33E7845D  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:25.625203 12.82.142.89:1433 -> 211.201.134.178:4147
TCP TTL:64 TOS:0x0 ID:58173 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x3EB687B8  Ack: 0x33E7845E  Win: 0x77C4  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:26.074172 211.201.134.178:4147 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:58842 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x33E7845E  Ack: 0x3EB687B9  Win: 0x4470  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:26.084189 211.201.134.178:4147 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:58843 IpLen:20 DgmLen:92 DF
***AP*** Seq: 0x33E7845E  Ack: 0x3EB687B9  Win: 0x4470  TcpLen: 20
12 01 00 34 00 00 00 00 00 00 15 00 06 01 00 1B  ...4............
00 01 02 00 1C 00 0C 03 00 28 00 04 FF 08 00 01  .........(......
55 00 00 00 4D 53 53 51 4C 53 65 72 76 65 72 00  U...MSSQLServer.
80 05 00 00                                      .... 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:26.084632 12.82.142.89:1433 -> 211.201.134.178:4147
TCP TTL:64 TOS:0x0 ID:58185 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3EB687B9  Ack: 0x33E78492  Win: 0x77C4  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:26.144272 12.82.142.89:1433 -> 211.201.134.178:4147
TCP TTL:64 TOS:0x0 ID:58194 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x3EB687B9  Ack: 0x33E78492  Win: 0x7D78  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:26.564260 211.201.134.178:4147 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:58856 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x33E78492  Ack: 0x3EB687BA  Win: 0x4470  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:26.644265 211.201.134.178:4147 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:58857 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x33E78492  Ack: 0x3EB687BA  Win: 0x4470  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:26.646113 12.82.142.89:1433 -> 211.201.134.178:4147
TCP TTL:64 TOS:0x0 ID:58200 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3EB687BA  Ack: 0x33E78493  Win: 0x7D77  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

Whatever he's running reconnects from a second socket on his end:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:26.654336 211.201.134.178:4152 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:58858 IpLen:20 DgmLen:48 DF
******S* Seq: 0x33EF4E38  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:26.654748 12.82.142.89:1433 -> 211.201.134.178:4152
TCP TTL:64 TOS:0x0 ID:58202 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x3F466ED3  Ack: 0x33EF4E39  Win: 0x77C4  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:27.104238 211.201.134.178:4152 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:58871 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x33EF4E39  Ack: 0x3F466ED4  Win: 0x4470  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:27.144281 211.201.134.178:4152 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:58872 IpLen:20 DgmLen:244 DF
***AP*** Seq: 0x33EF4E39  Ack: 0x3F466ED4  Win: 0x4470  TcpLen: 20
10 01 00 CC 00 00 01 00 C4 00 00 00 01 00 00 71  ...............q
00 10 00 00 00 00 00 07 10 0B 00 00 00 00 00 00  ................
E0 03 10 00 E4 FD FF FF 12 04 00 00 56 00 03 00  ............V...
5C 00 02 00 00 00 00 00 60 00 21 00 A2 00 0C 00  \.......`.!.....
00 00 00 00 BA 00 05 00 C4 00 00 00 C4 00 00 00  ................
00 04 75 99 3E 63 00 00 00 00 C4 00 00 00 53 00  ..u.>c........S.
55 00 48 00 73 00 61 00 4D 00 69 00 63 00 72 00  U.H.s.a.M.i.c.r.
6F 00 73 00 6F 00 66 00 74 00 20 00 28 00 72 00  o.s.o.f.t. .(.r.
29 00 20 00 57 00 69 00 6E 00 64 00 6F 00 77 00  ). .W.i.n.d.o.w.
73 00 20 00 53 00 63 00 72 00 69 00 70 00 74 00  s. .S.c.r.i.p.t.
20 00 48 00 6F 00 73 00 74 00 31 00 32 00 2E 00   .H.o.s.t.1.2...
38 00 32 00 2E 00 31 00 34 00 32 00 2E 00 38 00  8.2...1.4.2...8.
39 00 4F 00 4C 00 45 00 44 00 42 00              9.O.L.E.D.B. 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:27.154563 12.82.142.89:1433 -> 211.201.134.178:4152
TCP TTL:64 TOS:0x0 ID:58220 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3F466ED4  Ack: 0x33EF4F05  Win: 0x77C4  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:27.194556 12.82.142.89:1433 -> 211.201.134.178:4152
TCP TTL:64 TOS:0x0 ID:58227 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x3F466ED4  Ack: 0x33EF4F05  Win: 0x7D78  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:27.604368 211.201.134.178:4152 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:58891 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x33EF4F05  Ack: 0x3F466ED5  Win: 0x4470  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:27.614379 211.201.134.178:4152 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:58892 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x33EF4F05  Ack: 0x3F466ED5  Win: 0x4470  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:27.614862 12.82.142.89:1433 -> 211.201.134.178:4152
TCP TTL:64 TOS:0x0 ID:58231 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3F466ED5  Ack: 0x33EF4F06  Win: 0x7D77  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:29.384472 211.201.134.178:4147 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:58932 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x33E78492  Ack: 0x3EB687BA  Win: 0x4470  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:35.005092 211.201.134.178:4147 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:59000 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x33E78492  Ack: 0x3EB687BA  Win: 0x4470  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:17:46.306257 211.201.134.178:4147 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:59207 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x33E78492  Ack: 0x3EB687BA  Win: 0x4470  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:18:08.808629 211.201.134.178:4147 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:59580 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x33E78492  Ack: 0x3EB687BA  Win: 0x4470  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

08/10-09:18:53.873345 211.201.134.178:4147 -> 12.82.142.89:1433
TCP TTL:116 TOS:0x0 ID:60345 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x33E78492  Ack: 0x3EB687BA  Win: 0x4470  TcpLen: 20 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 

Snort processed 30 packets.
Breakdown by protocol:                
Action Stats:  
    TCP: 30       (100.000%)          ALERTS: 0        
    UDP: 0          (0.000%)          LOGGED: 0        
   ICMP: 0          (0.000%)          PASSED: 0        
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================

This, of course, is as far as it goes, because there's really no
server of any kind listening on my TCP:1433 - just an ACK_hole,
swallowing anything sent to it.


Source code available, peer review of source code eagerly accepted.


- John
-- 
Most people don't type their own logfiles;  but, what do I care?

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705


This page last preened by Webmaster jsage@finchhaven.com on:
Last modified: Sat Aug 10 14:12:55 2002