Analysis Sample

NOTE: This report is based on the format used by GIAC, the Global Incident Analysis Center.

1.    Source of Network Trace:

These network traces come from one of our client networks with their permission.

2.    Detect was Generated by:

Cisco routers produced this network trace as a result of a catchall rule that logs denied traffic:

access-list 100 deny ip any any log

3.    Probability the source address was spoofed:

Is the source address spoofed?  It is unlikely, but we cannot prove it.  A TCP scan of this kind only yields information if the sender can see the replies, so a spoofed source would require the scanner to control an intermediary system positioned to watch the return traffic as it passes back toward the spoofed host.  For that to work, the compromised intermediary would have to sit on a network very close to 210.178.9.1.

4.    Description of Attack:

What follows is a reconnaissance scan of the DMZs behind two entry points into the company's network, paced so slowly that whoever is running it is evidently prepared to wait weeks for complete results.

Log Format:

Date | Router Hostname | Log Entry # | Action | Protocol | Source IP | (Source Port) | -> | Destination IP | (Destination Port) | # of packets

Log Information:

Data from the Dallas Cisco log:

Nov  4 20:52:59 dalroute 1127: denied tcp 210.178.9.1 (53) -> XXX.XXX.97.5 (111),1 packet

Nov  5 03:43:24 dalroute 1416: denied tcp 210.178.9.1 (53) -> XXX.XXX.97.6 (111),1 packet

Nov  5 09:11:28 dalroute 1656: denied tcp 210.178.9.1 (53) -> XXX.XXX.97.7 (111),1 packet

Nov  5 14:58:33 dalroute 1972: denied tcp 210.178.9.1 (53) -> XXX.XXX.97.8 (111),1 packet

Nov  5 21:20:51 dalroute 2224: denied tcp 210.178.9.1 (53) -> XXX.XXX.97.9 (111),1 packet

Here they are hitting Houston also:

Nov  4 03:43:12 houroute 57891: denied tcp 210.178.9.1(53) -> XXX.XXX.96.2 (111),1 packet

Nov  4 08:41:38 houroute 58277: denied tcp 210.178.9.1(53) -> XXX.XXX.96.3 (111),1 packet

Nov  4 13:54:55 houroute 58790: denied tcp 210.178.9.1(53) -> XXX.XXX.96.4 (111),1 packet

Nov  4 20:51:42 houroute 59486: denied tcp 210.178.9.1(53) -> XXX.XXX.96.5 (111),1 packet

Nov  5 03:41:50 houroute 60076: denied tcp 210.178.9.1(53) -> XXX.XXX.96.6 (111),1 packet

Nov  5 09:10:30 houroute 60562: denied tcp 210.178.9.1(53) -> XXX.XXX.96.7 (111),1 packet

Nov  5 14:57:02 houroute 61203: denied tcp 210.178.9.1(53) -> XXX.XXX.96.8 (111),1 packet

Nov  5 21:19:51 houroute 61852: denied tcp 210.178.9.1(53) -> XXX.XXX.96.9 (111),1 packet  

In this example someone has probed the Dallas and Houston DMZs for systems running the portmapper service (TCP port 111), one packet per host, walking the last octet upward one address at a time.  The probes are spaced roughly five to seven hours apart, about four packets a day per network.  At that rate a complete sweep of one class C network (254 hosts) takes about nine weeks.

Portmapper (rpcbind) is itself mostly a directory: it tells a client which port each RPC service is listening on.  Its value to an attacker is that it makes the RPC services behind it easy to find, and several of those services have had remotely exploitable vulnerabilities that give root access.  One document describing such an attack is CERT advisory CA-2000-17, on rpc.statd, available at http://www.cert.org/advisories/CA-2000-17.html.

While portmapper is the intended destination port, these packets are sent from source port 53.  The probable intent is to get past border routers that filter most traffic but allow DNS queries from other DNS servers, which typically arrive with a source port of 53.  Here the trick failed even against the designated DNS servers, because the router access rules pass traffic to the DNS servers only when both the source and the destination port are 53; a packet from port 53 to port 111 falls through to the catch-all deny and is logged.

The producers of these packets are hitting multiple network blocks at the same time from the same host.  For instance, at 09:10 on Nov 5 Houston is probed from 210.178.9.1 at a destination address ending in .7; about a minute later the Dallas DMZ receives a probe at an address with the same final octet.

While this method appears slow, what it lacks in speed against any one network is offset by the fact that several networks are being swept in parallel.
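To show how a sweep this slow can be pulled out of router logs automatically rather than by eye, here is an added Python example; it is not part of the original report.  It parses log lines in the format documented in this section, measures the interval between probes, estimates the time to cover a class C at that cadence, and pairs up probes that reached Dallas and Houston within a couple of minutes of each other.  The sample log is copied from this page with the masked XXX.XXX prefix left in place; the year 2000 is an assumption, since syslog timestamps carry none.

```python
"""Pick a slow, parallel portmapper sweep out of Cisco ACL deny logs.
Added example, not part of the original report; sample lines are the page's
own with the masked XXX.XXX prefix kept, year is assumed (syslog has none)."""
import re
from collections import defaultdict
from datetime import datetime

ASSUMED_YEAR = 2000  # assumption: syslog timestamps carry no year

# Page format: Date | Router | Entry# | denied | proto | src (sport) -> dst (dport),N packet(s).
# The Houston lines write "src(sport)" with no space, so the space is optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<router>\S+) \d+: "
    r"(?P<action>denied|permitted) (?P<proto>\w+) (?P<src>\S+?) ?\((?P<sport>\d+)\) -> "
    r"(?P<dst>\S+) \((?P<dport>\d+)\),\s*(?P<count>\d+) packets?"
)

SAMPLE_LOG = """\
Nov  4 20:52:59 dalroute 1127: denied tcp 210.178.9.1 (53) -> XXX.XXX.97.5 (111),1 packet
Nov  5 03:43:24 dalroute 1416: denied tcp 210.178.9.1 (53) -> XXX.XXX.97.6 (111),1 packet
Nov  5 09:11:28 dalroute 1656: denied tcp 210.178.9.1 (53) -> XXX.XXX.97.7 (111),1 packet
Nov  5 14:58:33 dalroute 1972: denied tcp 210.178.9.1 (53) -> XXX.XXX.97.8 (111),1 packet
Nov  5 21:20:51 dalroute 2224: denied tcp 210.178.9.1 (53) -> XXX.XXX.97.9 (111),1 packet
Nov  4 03:43:12 houroute 57891: denied tcp 210.178.9.1(53) -> XXX.XXX.96.2 (111),1 packet
Nov  4 08:41:38 houroute 58277: denied tcp 210.178.9.1(53) -> XXX.XXX.96.3 (111),1 packet
Nov  4 13:54:55 houroute 58790: denied tcp 210.178.9.1(53) -> XXX.XXX.96.4 (111),1 packet
Nov  4 20:51:42 houroute 59486: denied tcp 210.178.9.1(53) -> XXX.XXX.96.5 (111),1 packet
Nov  5 03:41:50 houroute 60076: denied tcp 210.178.9.1(53) -> XXX.XXX.96.6 (111),1 packet
Nov  5 09:10:30 houroute 60562: denied tcp 210.178.9.1(53) -> XXX.XXX.96.7 (111),1 packet
Nov  5 14:57:02 houroute 61203: denied tcp 210.178.9.1(53) -> XXX.XXX.96.8 (111),1 packet
Nov  5 21:19:51 houroute 61852: denied tcp 210.178.9.1(53) -> XXX.XXX.96.9 (111),1 packet
"""

def parse_line(line):
    """One log line -> dict, or None if it is not an ACL log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    ts = " ".join(d["ts"].split())        # collapse "Nov  4" to "Nov 4"
    net, host = d["dst"].rsplit(".", 1)    # works on the masked address too
    return {"when": datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S"),
            "router": d["router"], "action": d["action"], "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"],
            "dst_net": net, "dst_host": int(host), "dport": int(d["dport"]),
            "count": int(d["count"])}

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def group_by_scan(records):
    """(source IP, destination port, router) -> time-ordered records."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dport"], r["router"])].append(r)
    for g in groups.values():
        g.sort(key=lambda r: r["when"])
    return groups

def intervals_hours(group):
    return [(b["when"] - a["when"]).total_seconds() / 3600 for a, b in zip(group, group[1:])]

def mean_interval_hours(group):
    iv = intervals_hours(group)
    return sum(iv) / len(iv) if iv else 0.0

def is_slow_sequential_scan(group, min_hours=1.0):
    """Consecutive host octets, one packet each, never closer than min_hours apart."""
    hosts = [r["dst_host"] for r in group]
    return (len(group) >= 3
            and all(b == a + 1 for a, b in zip(hosts, hosts[1:]))
            and all(r["count"] == 1 for r in group)
            and min(intervals_hours(group)) >= min_hours)

def sweep_estimate_days(group, hosts=254):
    """Days to touch every host of a class C at the observed cadence."""
    return (hosts - 1) * mean_interval_hours(group) / 24

def cross_site_hits(records, window_seconds=120):
    """Same source and dport seen at two different routers within the window."""
    by_key, hits = defaultdict(list), []
    for r in records:
        by_key[(r["src"], r["dport"])].append(r)
    for recs in by_key.values():
        recs.sort(key=lambda r: r["when"])
        for i, a in enumerate(recs):
            for b in recs[i + 1:]:
                delta = (b["when"] - a["when"]).total_seconds()
                if delta > window_seconds:
                    break
                if a["router"] != b["router"]:
                    hits.append((a["router"], b["router"], a["dst_host"], b["dst_host"], delta))
    return hits

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, dport, router), g in sorted(group_by_scan(recs).items()):
        print(f"{router}: {src} -> port {dport}, {len(g)} probes, mean gap "
              f"{mean_interval_hours(g):.1f} h, slow sequential scan: {is_slow_sequential_scan(g)}, "
              f"class C sweep ~{sweep_estimate_days(g):.0f} days")
    for a, b, ha, hb, delta in cross_site_hits(recs):
        print(f"  {a} .{ha} and {b} .{hb} probed {delta:.0f} s apart")
```

Run against the two excerpts, the mean gap comes out just over six hours for Dallas and just under six for Houston, the class C estimate lands in the mid-sixties of days, and all five Dallas probes pair with a Houston probe to the same final octet less than two minutes earlier.  The Houston hits on .2 through .4 have no Dallas partner only because the Dallas excerpt begins at .5.  In a real deployment the same grouping should run across every router and firewall that logs denies, since a per-device view at this cadence looks like background noise.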

5.    Attack Mechanism:

Had the router not blocked it, this scan would have drawn a reply from every live host.  Hosts with portmapper listening on TCP port 111 would have answered the SYN with a SYN-ACK, the second step of the three-way handshake; hosts without it would have answered with a TCP RST, which the scanning system reports as "connection refused".  Either reply tells the scanner the host is up; only the first marks it as a candidate for the RPC attacks described above.

6.    Correlations:

Sorting the logs by source IP address led to the discovery of this network trace.  No other occurrences of this IP address, or of nearby IP addresses, appear in any of the other firewall and router logs.

So who are they?  The "whois" service at ARIN.NET points to a very large Asian network block.  Information from APNIC.NET points to a network in the Republic of Korea.  The Korean "whois" server names an elementary school.  I have sent email to the administrator at this site to try to get this system looked at.

I tried contacting the administrators of the netblocks on either side of our network in an attempt to verify that we were chosen solely by our IP address space.  Unfortunately, as of this writing I have had no response from them.  It would be nice to confirm that this scan of our address space was a random choice.

Traceroute Output:

This traceroute shows the routers involved after leaving our ISP's network.  Lake Cowichan is in British Columbia, Canada.

 9  if-0-0.core1.Chicago3.Teleglobe.net (207.45.222.213)  63.029 ms  64.492 ms  65.565 ms

10  if-1-0.core1.Denver.Teleglobe.net (207.45.222.225) 104.129 ms  103.072 ms  102.865 ms

11  if-8-3.core1.PaloAlto.Teleglobe.net (207.45.222.233)135.143 ms 135.041 ms  134.016 ms

12  if-3-0.core1.Seattle.Teleglobe.net (207.45.223.74)  156.990 ms 154.210 ms  158.584 ms

13  if-3-0.core1.Burnaby.Teleglobe.net (207.45.222.86)  158.781 ms 157.856 ms  158.583 ms

14  if-1-0.core2.LakeCowichan.Teleglobe.net (207.45.223.174) 159.780 ms 160.151 ms 158.877 ms

15  if-11-0-0.bb3.LakeCowichan.Teleglobe.net (207.45.222.110)  163.353 ms  161.269 ms  160.206 ms

16  ix-4-0-0.bb3.LakeCowichan.Teleglobe.net (207.45.211.102)  726.052 ms  726.146 ms  725.976 ms

17  202.30.90.5 (202.30.90.5)  731.884 ms  732.118 ms  738.854 ms

18  202.30.90.9 (202.30.90.9)  520.533 ms  516.447 ms  514.232 ms

19  202.30.72.130 (202.30.72.130)  513.483 ms  517.476 ms  516.072 ms

20  202.30.94.69 (202.30.94.69)  617.309 ms  516.816 ms  513.884 ms

21  210.104.13.117 (210.104.13.117)  514.713 ms 520.215 ms 517.338 ms

22  210.104.101.134 (210.104.101.134)  524.181 ms  521.531 ms  525.448 ms

23  210.104.204.45 (210.104.204.45)  518.774 ms  521.387 ms  518.914 ms

24  210.178.9.62 (210.178.9.62)  523.131 ms  521.078 ms  543.075 ms

25  210.178.9.1 (210.178.9.1)  528.208 ms  529.208 ms  536.922 ms

 

This information comes from http://www.apnic.net

 

inetnum              210.178.0.0 - 210.183.255.255
netname              KRNIC-KR-15
descr                National Computerization Agency
descr                Korea Network Information Center
country              KR
admin-c              WK1-AP
tech-c               SH3-KR
tech-c               SL40-AP
remarks              KRNIC Allocation Block
remarks              Authoritative Information regarding assignments and allocations made from within this block can also be queried at whois.nic.or.kr
mnt-by               MNT-KRNIC-AP
mnt-lower            MNT-KRNIC-AP
changed              hostmaster@apnic.net 19981124
source               APNIC

 

Checking the service at http://www.whois.nic.or.kr provides the following:

Organization ID : ORG42378

Name           : Tandae Elementary School

State          : KYONGGI

Address        : 77 Tandae-dong Sujung-gu Sungnam-si

Zip Code       : 461-140

 

7.    Evidence of Active Targeting:

This appears to be a scan aimed directly at these networks rather than a side effect of other traffic, and so can be considered evidence of active targeting.  Had portmapper been found running anywhere, the reconnaissance would probably have been followed by attacks on those individual hosts.

 

8.    Severity: (5 + 1) – (5 + 5) = -4

Criticality = 5

The systems being scanned are the main routers and firewalls.  Compromise to these systems can provide access to many more.

Lethality = 1

As a reconnaissance probe, this network trace is only a precursor to later lethal traffic.

System Countermeasures = 5

None of the systems inside the routers are running portmapper, so even a probe that reached them would have found nothing to attack.

Network Countermeasures = 5

The entire scan is blocked and logged at the router.

 

9.    Defensive Recommendation:

So what are our options?  TCP port 111 is already blocked at the router, and this reconnaissance failed to produce the intended results.  As a second line of defense, systems inside the routers should be checked for the portmapper service, and it should be removed, together with any RPC services that depend on it, wherever it is not needed.  This is a small example of "defense in depth" and good common sense.
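The source-port-53 trick from section 4 only works against a policy that trusts the source port by itself.  To make the difference concrete, here is an added Python example, not part of the original report: a toy first-match evaluator for Cisco-style extended access-list entries, used to run the logged probe and a legitimate name-server query through a loose "anything from port 53" policy and through the rule this report describes (port 53 to port 53, and only to the DNS server).  The DNS server address 192.0.2.53 and the peer name server 198.51.100.7 are assumed; only the scanner's address comes from the page.

```python
"""Why a source port of 53 gets past a sloppy ACL and not a tight one.
Added example, not part of the original report: a toy first-match evaluator
for Cisco-style extended ACL entries.  All addresses except the scanner's
210.178.9.1 are assumed."""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for any field

@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (ip matches either)
    src: Optional[str] = ANY
    sport: Optional[int] = ANY
    dst: Optional[str] = ANY
    dport: Optional[int] = ANY
    log: bool = False

    def matches(self, pkt):
        return (self.proto in ("ip", pkt["proto"])
                and self.src in (ANY, pkt["src"]) and self.sport in (ANY, pkt["sport"])
                and self.dst in (ANY, pkt["dst"]) and self.dport in (ANY, pkt["dport"]))

    def to_ios(self, number=100):
        """Render in access-list syntax so the two policies can be compared."""
        host = lambda a: "any" if a is ANY else f"host {a}"
        port = lambda p: "" if p is ANY else f" eq {p}"
        return (f"access-list {number} {self.action} {self.proto} "
                f"{host(self.src)}{port(self.sport)} {host(self.dst)}{port(self.dport)}"
                + (" log" if self.log else ""))

def evaluate(acl, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, ace
    return "deny", None

def log_line(ace, pkt, router="dalroute", seq=1127, ts="Nov  4 20:52:59"):
    """Render a logged match in the report's log format, or None if not logged."""
    if ace is None or not ace.log:
        return None
    verb = "denied" if ace.action == "deny" else "permitted"
    return (f"{ts} {router} {seq}: {verb} {pkt['proto']} {pkt['src']}({pkt['sport']}) -> "
            f"{pkt['dst']}({pkt['dport']}), 1 packet")

DNS_SERVER = "192.0.2.53"                 # assumed address of the DMZ DNS server
CATCH_ALL = Ace("deny", "ip", log=True)   # the page's: access-list 100 deny ip any any log

# Loose policy: trusts the source port alone, so any packet from port 53 gets in.
LOOSE_ACL = [Ace("permit", "udp", sport=53), Ace("permit", "tcp", sport=53), CATCH_ALL]

# Policy the report describes: DNS only to the DNS server, and only port 53 to port 53.
TIGHT_ACL = [Ace("permit", "udp", sport=53, dst=DNS_SERVER, dport=53),
             Ace("permit", "tcp", sport=53, dst=DNS_SERVER, dport=53), CATCH_ALL]

# The probe from the logs above, aimed at the (assumed) DNS server.
PROBE = {"proto": "tcp", "src": "210.178.9.1", "sport": 53, "dst": DNS_SERVER, "dport": 111}
# A legitimate server-to-server DNS exchange from an assumed remote name server.
DNS_PEER = {"proto": "tcp", "src": "198.51.100.7", "sport": 53, "dst": DNS_SERVER, "dport": 53}

if __name__ == "__main__":
    for name, acl in (("loose", LOOSE_ACL), ("tight", TIGHT_ACL)):
        print(f"--- {name} policy ---")
        for ace in acl:
            print("  " + ace.to_ios())
        for label, pkt in (("portmapper probe from sport 53", PROBE), ("DNS peer query", DNS_PEER)):
            action, ace = evaluate(acl, pkt)
            print(f"  {label}: {action}", log_line(ace, pkt) or "")
```

The loose policy passes the probe straight through to port 111; the tight policy drops it into the logged catch-all and produces exactly the kind of line this report is built on, while still permitting the peer name server.  One caveat for anyone reusing the tight rule: it keys on a source port of 53 because name servers of this period queried from port 53.  Resolvers have randomised their query source port since the 2008 cache-poisoning fixes, so a port-53-to-port-53 permit is no longer a workable way to describe legitimate DNS; a stateful firewall, or at minimum the ACL's `established` keyword for TCP return traffic, is the modern equivalent.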

 

10.    Sample test questions based on this network trace:

 

This is an example of what kind of scan:

 

a)    Search for DNS servers

b)    Search for portmapper service

c)    Search for POP3 servers

d)    None of the above

 

Or

 

What is the significance of the source port 53 on this scan?

 

a)    No significance

b)    These packets are from DNS servers

c)    These packets are sent to DNS servers

d)    Probe is trying to evade router access rules