Anyone interested Underground Research Labs
Whitepaper: 1 January 2000
A Study of Distributed Network Sniffing and Attacks, otherwise known as “Echelon.”
Status of This Memo
This is an informational memo for the Internet community, and a request for discussion and suggestions for improvements. This memo does not specify an Internet standard. Distribution of this memo is unlimited.
Abstract
Recent developments in network sniffing and strong encryption allow adept programmers to implement remote sniffers that communicate with logging daemons on outside servers. Most of these sniffers are detectable, but a few use strong encryption, secure protocols, and/or promiscuous-mode packet filtering, which make them very hard to detect. Some of these sniffers use advanced techniques to filter through your Internet traffic in search of passwords, or anything else the programmer desires. Such “echelon” sniffers are a real threat to any user who does not use encryption to secure transfers of information over the Internet. Since packet sniffing is, in essence, spying, many states have laws against sniffing; but these laws do not seem to stop the few who are sniffing today.
A Background on Ethernet and Internet Protocols
The Internet uses many different protocols to transfer information from one source to another. Examples of such protocols, or standards, are IP, ICMP, UDP, and TCP. Most of these names are acronyms: IP means (I)nternet (P)rotocol, and UDP means (U)ser (D)atagram (P)rotocol. On a local Ethernet segment, all of these protocols are carried inside Ethernet frames, so a sniffer sees an Ethernet header first, then the IP header, then the transport (TCP or UDP) header, and only then the data. Abstractions of the Ethernet, Internet, and Transmission Control Protocol headers follow.
Ethernet Protocol
+--+--+--+--+--+--+
| DEST MAC ADDRESS|   <-- 6 bytes (48 bits)
+--+--+--+--+--+--+
| SRC MAC ADDRESS |   <-- 6 bytes (48 bits)
+--+--+--+--+--+--+
|08 00|              <-- EtherType 0x0800 = IPv4; tells the receiving stack which protocol handles this frame (2 bytes, 16 bits)
+--+--+-----------+
|                 |
.    IP PACKET    .
.                 .
.                 .
|                 |
+--+--+--+--+-----+
| FRAME CHECK SEQ |   <-- 4-byte CRC over the whole frame; verified and usually stripped by the adapter before the frame reaches software
+--+--+--+--+--+--+
Internet Protocol (IP)
+--+--+--+--+
| Ver | IHL |                          <-- 4 bits each; IHL is the header length in 32-bit words (5 = 20 bytes, no options)
+--+--+--+--+--+--+--+--+
| Type of Service |                    <-- 1 byte (8 bits)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Total Length of Entire IP Packet |   <-- 2 bytes (16 bits), header plus data
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Identification |                     <-- 2 bytes (16 bits), shared by all fragments of one packet
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Flags | Fragment Offset |            <-- 3 bits (DF, MF) + 13 bits (position of this fragment)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Time to Live | Protocol |            <-- 1 byte each; Protocol: 1 = ICMP, 6 = TCP, 17 = UDP
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Header Checksum |                    <-- 2 bytes, covers the IP header only
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| IP Source Address (4 bytes) |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| IP Destination Address (4 bytes) |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Options (only if IHL > 5) |          <-- variable length, rarely present
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Transmission Control Protocol (TCP)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Source Port |                        <-- 2 bytes (16 bits)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Destination Port |                   <-- 2 bytes (16 bits)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Sequence Number (4 bytes) |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Acknowledgment Number (4 bytes) |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Data Offset | Reserved | Flags |     <-- 4 bits: header length in 32-bit words; 6 bits reserved; 6 flag bits URG ACK PSH RST SYN FIN
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Window |                             <-- 2 bytes (16 bits), receive window size
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Checksum |                           <-- 2 bytes (16 bits), covers TCP header, data and an IP pseudo-header
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Urgent Pointer |                     <-- 2 bytes (16 bits), only meaningful when URG is set
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Options (only if Data Offset > 5) |  <-- variable length (MSS, window scale, etc.)
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
An Entire Ethernet Frame from Across the Internet
Laid out by byte offset from the start of the frame, for a packet with no IP or TCP options:

Offset  Size   Layer      Field
  0     6      Ethernet   Destination MAC Address
  6     6      Ethernet   Source MAC Address
 12     2      Ethernet   EtherType (08 00 = IPv4)
 14     1      IP         Version (4 bits) / Header Length (4 bits)
 15     1      IP         Type of Service
 16     2      IP         Total Length of Entire IP Packet
 18     2      IP         Identification
 20     2      IP         Flags (3 bits) / Fragment Offset (13 bits)
 22     1      IP         Time to Live
 23     1      IP         Protocol (1 = ICMP, 6 = TCP, 17 = UDP)
 24     2      IP         Header Checksum
 26     4      IP         Source Address
 30     4      IP         Destination Address
 34     2      TCP        Source Port
 36     2      TCP        Destination Port
 38     4      TCP        Sequence Number
 42     4      TCP        Acknowledgment Number
 46     2      TCP        Data Offset (4 bits) / Reserved (6 bits) / Flags (6 bits)
 48     2      TCP        Window
 50     2      TCP        Checksum
 52     2      TCP        Urgent Pointer
 54     ...    TCP        TCP Data
 end    4      Ethernet   Frame Check Sequence (CRC), after the data

Ethernet Header: bytes 0-13
IP Header:       bytes 14-33
TCP Header:      bytes 34-53
TCP Data:        byte 54 onward
The Inner Workings of a Basic Sniffer
A basic Ethernet sniffer works at the Ethernet (link) level, not the socket level, contrary to popular belief. Normally an Ethernet adapter discards every frame whose destination MAC address is not its own (or broadcast/multicast), so the operating system only ever sees traffic addressed to it. A sniffer puts the adapter into promiscuous mode, which switches this hardware address filter off, so every frame crossing the wire (on a switched network, every frame the switch forwards to that port) is passed up to the sniffer regardless of destination. The sniffer then discards unreadable, unusable, and uninteresting data and logs the interesting packets to disk. Promiscuous mode is not invisible: the operating system records it (on Unix-like systems the interface shows a PROMISC flag in ifconfig output), and, as described under “How to Detect Sniffers”, a host whose adapter no longer filters on MAC address can be probed for from the network. This is just a VERY basic sniffer analysis; some are much more complicated and employ a myriad of very effective stealth techniques. But, since most basic sniffers log to disk, you can often discover the existence of a sniffer on your computer by watching file access and unexplained growing files. Further techniques are outlined later on.
Where Echelon Comes into Play
This is where Echelon comes into play. After the sniffer captures a frame, it strips the Ethernet header so that the IP header is at the front. It then reads the Protocol field of the IP header. If the protocol matches a list of types to filter on (TCP, for example), it records which protocol was used and strips the IP header as well. The remaining transport header and data are passed through an information filter (a search for login prompts, passwords, or whatever the programmer wants), and packets that pass are recorded and sent to the logging daemon. The most advanced of these sniffers use strong encryption: Echelon -4- Dummies, the case in point, uses 256-bit CAST encryption and base64 encoding BEFORE sending data off to the logging daemon, so the exfiltrated traffic is neither readable nor obviously binary. The host’s own TCP/IP stack handles the original packet as usual, since promiscuous capture only takes a copy, which makes the sniffer close to imperceptible to the users of the machine.
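The capture pipeline just described, as an added example that is not code from the paper or from Echelon -4- Dummies: strip the Ethernet header, check the IP Protocol field (and the IP header checksum, so forged or corrupted headers are dropped rather than logged), strip the IP header, pull out the TCP or UDP payload, and run it through a simple information filter. The keyword list, the sample frame (10.0.0.5 to 10.0.0.23 port 23, carrying a Telnet-style login) and the MAC addresses are all constructed for the example; nothing is captured from a network.

```python
"""Echelon-style capture pipeline (added example): Ethernet -> IP -> transport -> filter."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
WANTED_PROTOCOLS = {PROTO_TCP, PROTO_UDP}            # what the sniffer keeps
KEYWORDS = (b"login", b"password", b"user")          # assumed information filter


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid IP header (checksum included) sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_frame(frame: bytes):
    """Return a record for an interesting TCP/UDP packet, else None."""
    if len(frame) < 34:
        return None
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]                                   # Ethernet header stripped
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _hcsum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl or total_len < ihl:
        return None
    if inet_checksum(ip[:ihl]) != 0:                  # corrupted or forged header
        return None
    if proto not in WANTED_PROTOCOLS:
        return None
    segment = ip[ihl:total_len]                       # IP header stripped
    if proto == PROTO_TCP:
        if len(segment) < 20:
            return None
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
        data_off = (off_flags >> 12) * 4              # TCP header length incl. options
        flags = off_flags & 0x3F                      # URG ACK PSH RST SYN FIN
        payload = segment[data_off:]
    else:                                             # UDP
        if len(segment) < 8:
            return None
        sport, dport, ulen, _ = struct.unpack("!HHHH", segment[:8])
        flags = 0
        payload = segment[8:ulen]
    return {"proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "flags": flags, "payload": payload}


def passes_information_filter(record) -> bool:
    """Crude credential filter: keep packets whose data mentions a login keyword."""
    data = record["payload"].lower()
    return any(k in data for k in KEYWORDS)


def build_sample_frame(payload=b"login: alice\r\nPassword: hunter2\r\n") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame: 10.0.0.5 -> 10.0.0.23 port 23 (telnet)."""
    tcp = struct.pack("!HHIIHHHH", 40231, 23, 0x1000, 0x2000,
                      (5 << 12) | 0x18,               # data offset 5 words, PSH|ACK
                      8192, 0, 0)                     # window, checksum (not verified here), urgent
    total_len = 20 + len(tcp) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                      PROTO_TCP, 0, socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.23"))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]   # fill in header checksum
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    return eth + hdr + tcp + payload


if __name__ == "__main__":
    rec = parse_frame(build_sample_frame())
    if rec and passes_information_filter(rec):
        print("%s:%d -> %s:%d %r" % (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["payload"]))
```

The same parse_frame() would be fed frames read from a raw promiscuous socket; a real sniffer of this kind then base64-encodes and encrypts the returned record before sending it to the logging daemon, which is the step deliberately left out here.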
The Logging Daemon
When the captured and encoded packet reaches the logging daemon, it is base64 decoded, decrypted, and logged to a disk file. The logging daemon is usually very basic. However, more sophisticated programmers implement a random-protocol daemon: the daemon listens on multiple ports, known to the sniffers, speaking different protocols (TCP, UDP, and ICMP, for instance), and the sniffer picks one of them at random for each packet it sends. This keeps things very unpredictable for an administrator trying to block or watch for the exfiltration traffic, since there is no single port or protocol to filter on. The traffic still has a fixed destination, though: a host that keeps sending small encrypted payloads to the same outside address over several different protocols is itself a signature worth alerting on.
The Distributed Attack
The distributed attack is just like the above, except that the sniffers become Trojan Horses (agents) and the logging daemon becomes the administrator program (the handler). From this administrator program, the user can talk to all of the Trojan Horses at the same time. With the Trojan Horses, from the administrator program, the user can start remote DoS (Denial of Service) attacks on a target that is specified at run-time. This poses a real threat to businesses, since a user can start a 10-system (or much larger) DoS attack on a web storefront. Tribe Flood Network 2000 (TFN2K), a good example of the distributed attack, uses all of these techniques, including the ones mentioned above: encryption, random protocols, and base64 encoding. From the administrator program, the user can start remote floods. Some of these floods are the TCP SYN flood, a UDP flood, a basic ping (ICMP echo) flood, and a flood called TARGA3, which sends a mix of malformed IP packets aimed at known bugs in TCP/IP stacks rather than at bandwidth.
How to Defend your Network from Sniffing
While one can configure a network to make local sniffing very difficult, nothing stops people elsewhere on the Internet from sniffing your traffic as it passes through their networks. The best defense, in this case, is to encrypt your data. This ensures that, while they can sniff it, they cannot read it. Some techniques for encryption are: SSL, PGP and S/MIME, SSH, and VPNs (Virtual Private Networking). SSL (Secure Sockets Layer) is built into popular web browsers and servers, allowing for encrypted web browsing and other TCP services. PGP and S/MIME are techniques for securing email; both encrypt the plaintext message, making it unreadable to sniffing parties (the headers, including sender and recipient, remain visible). SSH (Secure Shell) is an encrypted replacement for Telnet and similar clear-text remote logins, so the session, including the password typed at login, cannot be read by a sniffer. VPNs provide encrypted traffic across the Internet. However, if someone compromises an end-point of a VPN connection, they can still sniff the traffic there. A typical scenario is a user who surfs the Internet normally and is compromised by a Trojan Horse that contains sniffing code. When the user establishes the VPN connection, the sniffer sees both the encrypted traffic that is visible on the Internet and the unencrypted traffic before it is passed through the stack to the VPN. Encryption protects data in transit, not data on an already compromised host.
How to Detect Sniffers
Ping Method 1
Most sniffers run on normal machines with a normal TCP/IP stack, meaning that if you send an echo-request (ping) to these machines, they will respond. The technique is to send the request to the machine’s IP address, but inside an Ethernet frame whose destination MAC address is wrong (a made-up address that belongs to no adapter on the segment). A machine running normally never sees this packet: the adapter’s hardware filter discards any frame not addressed to its own MAC address, so the IP layer never gets a chance to answer. But if a sniffer has put the adapter into promiscuous mode, the address filter is off, the frame is passed up to the IP stack, the stack finds its own IP address in it, and an echo reply comes back. A reply to a frame that should never have been delivered is the tell-tale. Caveats: the probe must be sent from the same segment, because a router rewrites the destination MAC; some operating systems and drivers do a second MAC check in software and will not answer, so a silent host is not proof that no sniffer is running; and some stacks only accept frames whose bogus MAC resembles a broadcast or multicast address, so try more than one bogus address.
Ping Method 2
Instead of ICMP, any protocol that generates a response can be used, as long as the frame is again addressed to a bogus MAC address. A TCP SYN to a closed port should draw a RST; a UDP datagram to a closed port should draw an ICMP port-unreachable error; a packet with a deliberate error in its headers draws an ICMP error as well. Sending such probes to the directed broadcast address of the subnet (10.0.0.255 for 10.0.0.0/24, for example) reaches every host at once, but the frame must still carry a bogus destination MAC rather than the broadcast MAC, or every host will legitimately answer. In every case the logic is the same as above: a host filtering on MAC address never sees the probe and stays silent; a host that answers is receiving frames not addressed to it, and probably has a sniffer on it.
ARP Method
This is just like the ping method, except with an ARP packet. An ARP request asking “who has 10.0.0.23?” is normally sent to the broadcast MAC address ff:ff:ff:ff:ff:ff. Instead, send it to a bogus unicast MAC address. A host whose adapter is filtering on MAC address never sees the request. A host in promiscuous mode receives the frame anyway, its ARP code finds its own IP address as the target, and it answers with an ARP reply. Any machine that replies to an ARP request that was never addressed to it must be in promiscuous mode, which is an indication of a running sniffer.
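The ARP probe above, as an added example that is not from the paper or from any of the detection tools it refers to. The request is built with the correct target IP but with the frame addressed to an assumed bogus unicast MAC (00:de:ad:be:ef:00) instead of the broadcast address; a reply from the target is classified as a sign of promiscuous mode. The MAC and IP addresses are constructed for the example, the sample reply is what the target would send if it were promiscuous, and the optional send_and_listen() function assumes Linux AF_PACKET raw sockets and root (the parsing and classification run offline without it).

```python
"""ARP-based promiscuous-mode probe (added example)."""
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# Assumed probe address: a unicast MAC that no real adapter on the segment uses.
BOGUS_DST_MAC = bytes.fromhex("00deadbeef00")


def mac(s: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def build_arp(op: int, dst_mac: bytes, sender_mac: bytes, sender_ip: str,
              target_mac: bytes, target_ip: str) -> bytes:
    """14-byte Ethernet header + 28-byte ARP body (RFC 826 layout)."""
    eth = struct.pack("!6s6sH", dst_mac, sender_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,                       # hardware type: Ethernet
                      0x0800,                  # protocol type: IPv4
                      6, 4, op,                # hw addr len, proto addr len, opcode
                      sender_mac, socket.inet_aton(sender_ip),
                      target_mac, socket.inet_aton(target_ip))
    return eth + arp


def build_probe(our_mac: str, our_ip: str, target_ip: str) -> bytes:
    """ARP who-has <target_ip>, deliberately NOT addressed to ff:ff:ff:ff:ff:ff."""
    return build_arp(ARP_REQUEST, BOGUS_DST_MAC, mac(our_mac), our_ip, b"\x00" * 6, target_ip)


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if not an ARP frame."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, _tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, smac, socket.inet_ntoa(sip), socket.inet_ntoa(tip)


def is_promiscuous_reply(frame: bytes, target_ip: str, our_ip: str) -> bool:
    """True when <target_ip> answered a request its adapter should have discarded."""
    parsed = parse_arp(frame)
    if parsed is None:
        return False
    op, _smac, sender_ip, tip = parsed
    return op == ARP_REPLY and sender_ip == target_ip and tip == our_ip


def send_and_listen(iface: str, our_mac: str, our_ip: str, target_ip: str, timeout=2.0) -> bool:
    """Linux only, needs root. Returns True if the target answers the bogus-MAC probe."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETHERTYPE_ARP)) as s:
        s.bind((iface, 0))
        s.settimeout(timeout)
        s.send(build_probe(our_mac, our_ip, target_ip))
        try:
            while True:
                if is_promiscuous_reply(s.recv(2048), target_ip, our_ip):
                    return True
        except socket.timeout:
            return False


# Constructed sample: the reply 10.0.0.23 would send if it were in promiscuous mode.
SAMPLE_REPLY = build_arp(ARP_REPLY, mac("00:11:22:33:44:55"), mac("66:77:88:99:aa:bb"),
                         "10.0.0.23", mac("00:11:22:33:44:55"), "10.0.0.5")

if __name__ == "__main__":
    probe = build_probe("00:11:22:33:44:55", "10.0.0.5", "10.0.0.23")
    print("probe: %d bytes, dst MAC %s" % (len(probe), probe[:6].hex(":")))
    print("sample reply flagged:", is_promiscuous_reply(SAMPLE_REPLY, "10.0.0.23", "10.0.0.5"))
```

A silent target is not a clean bill of health: stacks that re-check the MAC in software will not answer, and the probe only works from the same Ethernet segment, so run it against each subnet from a host on that subnet and treat a reply, not silence, as the signal.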
Other Methods
Many other methods are outlined online at the website http://www.robertgraham.com/pubs/sniffing-faq.html. Many programs that try to detect sniffers are available online at this site, also.
Conclusion
Many users on the Internet make use of network sniffers. This poses a major security threat to people who do not run secure connections to their ISPs/hosts. Everything that is sent over the net unencrypted can be captured and logged to an attacker’s hard disk for future use. This can be used for anything from stealing email and passwords to hijacking network connections and even ISP accounts. In conclusion, I recommend that everyone implement as much 128-bit or greater encryption as possible on their computers.