![Page 1: Roya Ensafi, Jong Chun Park, Deepak Kapur, and Jedidiah R. Crandall University of New Mexico, Dept. of Computer Science USENIX 2010](https://reader034.vdocuments.us/reader034/viewer/2022051619/56649e605503460f94b5b76e/html5/thumbnails/1.jpg)
IDLE PORT SCANNING AND
NON-INTERFERENCE ANALYSIS OF NETWORK PROTOCOL
STACKS USING MODEL CHECKING
Roya Ensafi, Jong Chun Park, Deepak Kapur, and Jedidiah R. Crandall
University of New Mexico, Dept. of Computer Science
USENIX 2010
Advanced Defense Lab 2
Outline
Introduction
Related Work
Formalizing Non-interference Analysis
Finding Idle Scan
Experimental confirmation of counterexamples
Introduction
Network reconnaissance is the important first step of virtually all network attacks.
Idle scans were introduced by Antirez in 1998.
Based on non-random, sequential IPIDs of older network stacks
Introduction - Idle Scan
Introduction - Idle Scan
IPID-based idle scans have been implemented in nmap
But modern network stacks randomize the IPID
FTP bounce scans are currently the only known way to port scan a victim host or network without routing forged packets to that host or network from the attacker
This paper proposes another one
Related Work
Staniford et al. use simulated annealing to detect stealthy scans.
Leckie and Kotagiri present a probabilistic approach.
Gates and Kang et al. consider the problem of stealth port scans based on using many distributed hosts (e.g., a botnet) to perform the scan.
Related Work (cont.)
Non-interference is a widely used concept of information flow security.
Non-interference proved to be a very useful property because it can be specified with Linear Temporal Logic (LTL).
Formalizing Non-interference Analysis
A host is viewed to be at the end of the network, i.e., an end host.
SYN Cache
The SYN cache is a cache for pending SYN packets for which a SYN/ACK has been sent and the host is waiting for an ACK.
In our model packets are only removed from the SYN cache when a TCP RST is received from the source IP address and port of the original SYN packet.
Idle Scan Model
Non-interference Analysis Model
Formalizing Non-interference Analysis
Using SAL for modeling
SAT-based bounded model checker
Formalizing Non-interference Analysis -- Assumptions
A major abstraction is that we consider the proper reply to SYN/ACK packets to be “drop” for open ports and RST for closed ports.
Another major abstraction is that each of the two buffers in our split SYN cache has only a single entry.
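The abstract zombie above (an entry leaves the SYN cache only on an RST from the original source; an open victim port drops the SYN/ACK, a closed one answers RST) can be checked for non-interference by bounded search, which is what the paper does with SAL. This added Python example is not the paper's SAL model: it assumes a single SYN cache buffer of capacity `cap` instead of the paper's two single-entry buffers, and that the attacker clears its own half-open entry immediately, and it searches for the shortest attacker input sequence whose observable trace depends on the victim's port state.

```python
from itertools import product

# Attacker ("low") inputs to the zombie: a SYN forged from the victim's address
# (source port = the port being probed on the victim) or a SYN from the
# attacker's own address, whose reply the attacker can observe.
FORGED, OWN = "forged_syn", "own_syn"

def zombie_step(cache, action, victim_port_open, cap):
    """One transition of the abstract zombie stack.
    cache: tuple of pending SYN-cache entries (SYN/ACK sent, ACK awaited);
    returns (new_cache, attacker_observation_or_None)."""
    if action == FORGED:
        if len(cache) >= cap:                 # cache full: the SYN is dropped
            return cache, None
        # The zombie sends SYN/ACK to the victim.  Page abstraction: an open
        # port drops it (entry stays pending), a closed port answers RST from
        # the original ip:port, which is the only thing that removes the entry.
        if victim_port_open:
            return cache + (("victim", len(cache)),), None
        return cache, None
    # Attacker's own SYN: a SYN/ACK comes back only if there is a free entry.
    # Assumption: the attacker RSTs its own half-open entry at once, so the
    # cache is unchanged after this step.
    return cache, ("no_synack" if len(cache) >= cap else "synack")

def attacker_trace(actions, victim_port_open, cap):
    """Attacker-observable outputs for one input sequence and one secret."""
    cache, trace = (), []
    for a in actions:
        cache, obs = zombie_step(cache, a, victim_port_open, cap)
        if obs is not None:
            trace.append(obs)
    return trace

def find_interference(cap, depth):
    """Bounded search for a non-interference counterexample: the shortest
    attacker input sequence (up to `depth` steps) whose observable trace
    differs between 'victim port open' and 'victim port closed'."""
    for k in range(1, depth + 1):
        for actions in product((FORGED, OWN), repeat=k):
            if attacker_trace(actions, True, cap) != attacker_trace(actions, False, cap):
                return list(actions)
    return None

if __name__ == "__main__":
    print(find_interference(cap=1, depth=4))   # single-entry buffer
```

With a single-entry buffer the search returns the two-step sequence forged SYN then own SYN, i.e. the interference that the deck's SYN cache experiments later confirm on real stacks; larger caches just need more forged SYNs first.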
Port Status
Finding Idle Scan
RST rate limit
Finding Idle Scan
SYN cache
Experimental confirmation of counterexamples
Setup
VirtualBox
TUN/TAP
Zombie
○ kernel 2.4 host (Fedora Core 1)
○ Windows XP host with no service packs
○ Linux kernel 2.6 host (CentOS 5.2)
○ FreeBSD 7.1.1 host
Experimental confirmation of counterexamples - RST rate
For a real FreeBSD system, RSTs are limited to a default of 200 per second.
Our implementation sends 2000 each of two different types of packets, each at a rate of 180 per second, to the victim and the FreeBSD zombie, respectively.
Experimental confirmation of counterexamples - RST rate
Experimental confirmation of counterexamples – SYN cache
Linux kernel 2.4 uses a simple buffer for the SYN cache, with between 128 and 1024 entries depending on the memory available on the system.
Our implementation:
○ 50 forged SYNs, then 50 each of forged SYNs and SYNs where the attacker uses their own return IP (1000 per second)
○ 200 more forged SYNs (1000 per second)
○ then sends 200 each of forged SYNs and SYNs where the attacker uses their own return IP address (400 per second)
Experimental confirmation of counterexamples – SYN cache
Result between different OSes
Experimental confirmation of counterexamples – SYN cache
Idle port scan
20,000 forged SYN packets (with random return ports that are closed on the zombie)
At half the rate, alternating forged SYNs with the target port on the victim as the source port and valid SYNs with the return address of the attacker
Experimental confirmation of counterexamples – SYN cache
Result for idle port scan