Power Projection Systems Department
Zombie Scan
Judy Novak
Vern Stark
David Heinbuch
June 12, 2002
SubSeven Incident
• June 29, 2001 ~ 12:00: Shadow reveals a massive scan
• Hundreds of hosts concurrently scan the SubSeven port (TCP 27374) across a Class B network
• Flood, DDoS, or scan?
• Similar scan on July 2, 2001 ~ 16:00
• June 26, 2001: SANS reports W32.leave.worm
– Infects Windows hosts
– Spreads via hosts listening on port 27374
– Zombies used in DDoS attacks
– Scans @Home and Earthlink for port 27374
Sample tcpdump Output
12:16:31.150575 ool-18bd69bb.dyn.optonline.net.4333 > 192.168.112.44.27374: S 542724472:542724472(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13444)
12:16:31.160575 ool-18bd69bb.dyn.optonline.net.4334 > 192.168.112.45.27374: S 542768141:542768141(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13445)
12:16:31.170575 24.3.50.252.1757 > 192.168.19.178.27374: S 681372183:681372183(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54912)
12:16:31.170575 24-240-136-48.hsacorp.net.4939 > 192.168.11.19.27374: S 3019773591:3019773591(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 39621)
12:16:31.170575 ool-18bd69bb.dyn.optonline.net.4335 > 192.168.112.46.27374: S 542804226:542804226(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13446)
12:16:31.170575 cc18270-a.essx1.md.home.com.4658 > 192.168.5.88.27374: S 55455482:55455482(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 8953)
12:16:31.170575 24.3.50.252.1759 > 192.168.19.180.27374: S 681485650:681485650(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54914)
12:16:31.170575 cc18270-a.essx1.md.home.com.4659 > 192.168.5.89.27374: S 55455483:55455483(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 9209)
12:16:31.170575 24.3.50.252.1760 > 192.168.19.181.27374: S 681550782:681550782(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54915)
12:16:31.170575 cc18270-a.essx1.md.home.com.4660 > 192.168.5.90.27374: S 55455484:55455484(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 9465)
Source Hosts
Date      Total Packets   Unique Source Hosts   DNS Registered
June 29   132,706         314                   297**
July 2    157,842         295                   271**
**Not spoofed source IPs
Scanning Host Networks
[Chart: Top Five Scanning Networks; percentage of traffic per source network (0-25%), June 29 vs July 02; networks: home.com, sympatico.ca, rr.com, videotron.ca, aol.com]
Cable/dial-in modem providers
Destination Hosts
• Target network Class B: 65,536 possible IP addresses
– June 29: 32,367 unique destination IPs scanned
– July 2: 36,638 unique destination IPs scanned
• Prior reconnaissance of live destination hosts?
– Missing Class C subnets
• Different for both scans
– Many scanned IP addresses were not live hosts
• Zombies not active or responsive during scan
Number of Unique Scanning Hosts per Destination Host
[Chart: Unique Scanning Source Hosts per Destination Host; x-axis: Number of Scanning Source Hosts (1, 2, 3, 4); y-axis: Number of Destination Hosts (0-30,000); series: June 29, July 02]
Scanning Rates
• Sustained activity for 5 or 6 minutes
• Peak activity for 2 minutes
• June 29 scan: 7.2 Mbps maximum
• July 02 scan: 8.6 Mbps maximum
• Maximum volume not enough for DoS on our network
Packets Per Minute
[Chart: June 29, 2001 Packets per Minute; x-axis: Time of Day (hh:mm), 12:16-12:21; y-axis: Packets (0-100,000)]
[Chart: July 02, 2001 Packets per Minute; x-axis: Time of Day (hh:mm), 16:43-16:47; y-axis: Packets (0-100,000)]
Temporal Variability of Zombie Scan
[figure]
Initial Wave of TCP Packets
[figure]
Initial SYN Packets
[figure]
Initial SYNs and Retries
[figure]
Scanning Conclusions
• Scanning hosts carefully synchronized
• Waves of initial SYNs and TCP retries result in highly variable bandwidth consumption
• SYNs sent in waves 11.5 seconds apart
• “Thoughtful” scan
– Each source host assigned a range of destination hosts
– Assigned time frame and frequency to scan
Scanning Hosts Operating Systems
• Examine “passive” fingerprints
– Arriving Time to Live (TTL) values
– Scanning host TCP window size
– Scanning host TCP options
Fingerprint Values by OS (courtesy Honeynet Project)
OS VERSION       PLATFORM       TTL   WINDOW
Windows 9x/NT    Intel          32    5000-9000
AIX 4.3.x        IBM/RS6000     60    16000-16100
AIX 4.2.x        IBM/RS6000     60    16000-16100
Cisco 11.2       7507           60    65535
IRIX 6.x         SGI            60    61320
Linux 2.2.x      Intel          64    32120
OpenBSD 2.x      Intel          64    17520
Solaris 8        Intel/Sparc    64    24820
Windows 9x/NT    Intel          128   5000-9000
Windows 2000     Intel          128   17000-18000
Cisco 12.0       2514           255   3800-5000
Solaris 2.x      Intel/Sparc    255   8760
June 29 Arriving TTL Values
[Chart: June 29, 2001 Arriving TTL Values; x-axis: Arriving TTL Values; y-axis: Packets (0-20,000)]
Initial TTL 32 (Windows): 2.66% of packets, 10-22 hops
Initial TTL 64 (Unix): 5.2% of packets, 8-25 hops
Initial TTL 128 (Windows): 92.13% of packets, 8-22 hops
July 2 Arriving TTL Values
[Chart: July 2, 2001 Arriving TTL Values; x-axis: Arriving TTL Values; y-axis: Packets (0-20,000)]
Initial TTL 32 (Windows): 2.36% of packets, 12-22 hops
Initial TTL 64 (Unix): 5.35% of packets, 12-21 hops
Initial TTL 128 (Windows): 92.29% of packets, 8-27 hops
Scanning Host TCP Window Size
[Chart: TCP Window Size; percentage of source hosts (0-60%) per window size, June 29 vs July 02; window sizes: 8192, 16384, 65535, 8760, Other]
Window size to OS: 8192 = Windows 9x/NT, 16384 = Windows 2K, 65535 = Unknown, 8760 = Solaris
Scanning Host Maximum Segment Size
[Chart: TCP Maximum Segment Size; percentage of source hosts (0-100%) per MSS, June 29 vs July 02; MSS values: 1460, 536, 1414, Other]
MSS to link type: 1460 = Ethernet, 536 = PPP/ISDN, 1414 = PPPOE (DSL)
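The passive-fingerprint method the deck applies (arriving TTL rounded up to a common initial TTL, hop count, TCP window size, MSS) and the per-destination scanner count, worked on the deck's own ten tcpdump lines. This is an added example, not code from the presentation or its authors: the OS and link-type tables are transcribed from the Honeynet table and the window-size and MSS slides above, the last two lines of SAMPLE are constructed retransmissions (same source port and sequence number as an earlier SYN, new IP id) that the original slide does not contain, and the line format is assumed to be the old tcpdump 3.x style shown on the slide. Function names (parse_line, initial_ttl, guess_os, split_initial_and_retries, summarize) are this example's own.

```python
"""Passive OS fingerprinting and coverage statistics over old-style tcpdump SYN lines."""
import re
from collections import Counter, defaultdict

# Ten lines from the deck's "Sample tcpdump Output" slide, followed by two
# CONSTRUCTED retransmissions (same source port and sequence number as an
# earlier SYN, 3 s later, new IP id) so the initial-vs-retry split is exercised.
SAMPLE = """\
12:16:31.150575 ool-18bd69bb.dyn.optonline.net.4333 > 192.168.112.44.27374: S 542724472:542724472(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13444)
12:16:31.160575 ool-18bd69bb.dyn.optonline.net.4334 > 192.168.112.45.27374: S 542768141:542768141(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13445)
12:16:31.170575 24.3.50.252.1757 > 192.168.19.178.27374: S 681372183:681372183(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54912)
12:16:31.170575 24-240-136-48.hsacorp.net.4939 > 192.168.11.19.27374: S 3019773591:3019773591(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 39621)
12:16:31.170575 ool-18bd69bb.dyn.optonline.net.4335 > 192.168.112.46.27374: S 542804226:542804226(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13446)
12:16:31.170575 cc18270-a.essx1.md.home.com.4658 > 192.168.5.88.27374: S 55455482:55455482(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 8953)
12:16:31.170575 24.3.50.252.1759 > 192.168.19.180.27374: S 681485650:681485650(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54914)
12:16:31.170575 cc18270-a.essx1.md.home.com.4659 > 192.168.5.89.27374: S 55455483:55455483(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 9209)
12:16:31.170575 24.3.50.252.1760 > 192.168.19.181.27374: S 681550782:681550782(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54915)
12:16:31.170575 cc18270-a.essx1.md.home.com.4660 > 192.168.5.90.27374: S 55455484:55455484(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 9465)
12:16:34.150575 ool-18bd69bb.dyn.optonline.net.4333 > 192.168.112.44.27374: S 542724472:542724472(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13460)
12:16:34.170575 cc18270-a.essx1.md.home.com.4658 > 192.168.5.88.27374: S 55455482:55455482(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 9700)
"""

# tcpdump 3.x style: "ts src.port > dst.port: S seq:seq(0) win W <opts> (DF) (ttl T, id I)"
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): S "
    r"(?P<seq>\d+):\d+\(\d+\) win (?P<win>\d+) <(?P<opts>[^>]*)>"
    r"(?: \(DF\))? \(ttl (?P<ttl>\d+), id (?P<ipid>\d+)\)$"
)
INITIAL_TTLS = (32, 64, 128, 255)

# (initial TTL, window low, window high, OS): from the deck's Honeynet table and
# its window-size slide (which labels 16384 as Windows 2000).
OS_TABLE = [
    (32, 5000, 9000, "Windows 9x/NT"), (64, 32120, 32120, "Linux 2.2.x"),
    (64, 17520, 17520, "OpenBSD 2.x"), (64, 24820, 24820, "Solaris 8"),
    (128, 5000, 9000, "Windows 9x/NT"), (128, 16384, 18000, "Windows 2000"),
    (255, 3800, 5000, "Cisco 12.0"), (255, 8760, 8760, "Solaris 2.x"),
]
LINK_BY_MSS = {1460: "Ethernet", 536: "PPP/ISDN", 1414: "PPPoE (DSL)"}  # from the MSS slide


def parse_line(line):
    """Return a dict for one SYN line, or None if the line is not in this format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    src, sport = m["src"].rsplit(".", 1)   # hostname (or IP) and port share a dot
    dst, dport = m["dst"].rsplit(".", 1)
    mss = next((int(o[4:]) for o in m["opts"].split(",") if o.startswith("mss ")), None)
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "seq": int(m["seq"]), "win": int(m["win"]),
            "mss": mss, "ttl": int(m["ttl"]), "ipid": int(m["ipid"])}


def initial_ttl(ttl):
    """Smallest common initial TTL >= the arriving TTL; the difference is the hop count."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init, init - ttl
    raise ValueError(f"bad TTL {ttl}")


def guess_os(ttl, win):
    init, _ = initial_ttl(ttl)
    return next((name for t, lo, hi, name in OS_TABLE if t == init and lo <= win <= hi), "Unknown")


def split_initial_and_retries(recs):
    """A retransmitted SYN repeats (src, sport, dst, dport, seq); only the IP id moves on."""
    seen, initial, retries = set(), [], []
    for r in recs:
        key = (r["src"], r["sport"], r["dst"], r["dport"], r["seq"])
        (retries if key in seen else initial).append(r)
        seen.add(key)
    return initial, retries


def summarize(text):
    """Per-source fingerprints, TTL-class share of packets, and scanners-per-destination histogram."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    initial, retries = split_initial_and_retries(recs)
    sources, scanners_per_dst = {}, defaultdict(set)
    for r in initial:
        init, hops = initial_ttl(r["ttl"])
        sources.setdefault(r["src"], {"initial_ttl": init, "hops": hops, "win": r["win"],
                                      "mss": r["mss"], "os": guess_os(r["ttl"], r["win"]),
                                      "link": LINK_BY_MSS.get(r["mss"], "Other")})
        scanners_per_dst[r["dst"]].add(r["src"])
    ttl_classes = Counter(initial_ttl(r["ttl"])[0] for r in recs)
    return {"packets": len(recs), "initial_syns": len(initial), "retries": len(retries),
            "sources": sources,
            "ttl_class_pct": {k: round(100.0 * v / len(recs), 2) for k, v in ttl_classes.items()},
            "scanners_per_dst_hist": dict(Counter(len(s) for s in scanners_per_dst.values()))}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE), indent=1))
```

On the slide's lines every packet arrives with TTL 117, so all are binned as initial TTL 128 at 11 hops; the three window-16384 sources classify as Windows 2000 and the window-8192 source as Windows 9x/NT, matching the deck's window-size mapping. Two caveats a practitioner should keep in mind: the ceiling-to-initial-TTL rule misclassifies any path longer than 32 hops (a TTL-64 host 33 hops away looks like a TTL-32 host), and window and MSS can be altered by middleboxes or tuned by the administrator, so the OS labels are a population estimate, not a per-host identification.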
SubSeven Scan Conclusions
• Very efficient scan
• Conducted by zombie hosts
– Most are Windows
– Other operating systems involved
– Representative of normal distribution on Internet?
• Thoughtful scan
– Redundant scanners
– Timing parameters
– Ranges of destination hosts