Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks Using Model Checking

Roya Ensafi, Jong Chun Park, Deepak Kapur, and Jedidiah R. Crandall
University of New Mexico, Dept. of Computer Science
USENIX 2010



Page 2

Advanced Defense Lab

Outline
- Introduction
- Related Work
- Formalizing Non-interference Analysis
- Finding Idle Scan
- Experimental confirmation of counterexamples

Page 3

Introduction
- Network reconnaissance is the important first step of virtually all network attacks.
- Idle scans were introduced by Antirez in 1998, based on the non-random, sequential IPIDs of older network stacks.

Page 4

Introduction - Idle Scan

Page 5

Introduction - Idle Scan
- IPID-based idle scans have been implemented in nmap.
- But modern network stacks randomize the IPID.
- FTP bounce scans are currently the only known way to port scan a victim host or network without routing forged packets to that host or network from the attacker. This paper proposes another one.

Page 6

Related Work
- Staniford et al. use simulated annealing to detect stealthy scans.
- Leckie and Kotagiri present a probabilistic approach.
- Gates and Kang et al. consider the problem of stealth port scans based on using many distributed hosts (e.g., a botnet) to perform the scan.

Page 7

Related Work (cont.)
- Non-interference is a widely used concept of information flow security.
- Non-interference proved to be a very useful property because it can be specified with Linear Temporal Logic (LTL).

Page 8

Formalizing Non-interference Analysis
- A host is viewed to be at the end of the network, i.e., an end host.

Page 9

SYN Cache
- The SYN cache is a cache for pending SYN packets for which a SYN/ACK has been sent and the host is waiting for an ACK.
- In our model packets are only removed from the SYN cache when a TCP RST is received from the source IP address and port of the original SYN packet.

Page 10

Idle Scan model

Page 11

Non-interference Analysis Model

Page 12

Formalizing Non-interference Analysis
- Using SAL for modeling
- SAT-based bounded model checker


Page 15

Formalizing Non-interference Analysis -- Assumptions
- A major abstraction is that we consider the proper reply to SYN/ACK packets to be “drop” for open ports and RST for closed ports.
- Another major abstraction is that each of the two buffers in our split SYN cache has only a single entry.

Page 16

Port Status

Page 17

Finding Idle Scan - RST rate limit

Page 18

Finding Idle Scan - SYN cache
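The slides on the SYN cache (page 9), the model assumptions (page 15) and the two counterexamples (pages 17 and 18) describe what the bounded model checker does in the abstract: treat the victim's port status as the secret input, treat whatever the attacker can observe from the zombie as the low output, and search for an attacker action sequence whose low trace depends on the secret. The Python below is an added illustration of that search written for this page, not the authors' SAL model: the action names, the `Zombie` class, the single-buffer SYN cache (the paper uses a split cache with two single-entry buffers), the per-tick RST budget and the attacker who frees its own cache entry with a RST are all constructed assumptions. It enumerates every action sequence up to a bound, runs the model once with the victim port open and once with it closed, and returns the first pair of differing observation traces, which is exactly the kind of witness the slides call a counterexample.

```python
"""Bounded non-interference check of an abstract zombie/victim model.

Hypothetical example, not the SAL model from the paper: the victim's port
status is the high (secret) input, what the attacker can observe from the
zombie is the low output, and every attacker action sequence up to a bound is
enumerated to see whether the low trace depends on the secret. A differing pair
of traces is a counterexample, the same kind of witness a bounded model checker
reports for a violated non-interference property.
"""
from itertools import product
from typing import List, Optional

# Abstract attacker actions (constructed for this example).
SPOOF_VICTIM = "spoof_syn_to_victim"   # forged SYN to the victim, zombie as source
FORGE_ZOMBIE = "forge_syn_to_zombie"   # forged SYN to the zombie, victim as source
OWN_SYN = "own_syn_to_zombie"          # attacker's own SYN to an open zombie port
PROBE_RST = "syn_ack_to_zombie"        # attacker's SYN/ACK to a closed zombie port
TICK = "tick"                          # one time unit passes (rate-limit budget refills)
ACTIONS = (SPOOF_VICTIM, FORGE_ZOMBIE, OWN_SYN, PROBE_RST, TICK)


class Zombie:
    """Abstract end host with the two mechanisms the slides analyse: a per-tick
    RST rate limit and a SYN cache whose entries are freed only by a RST from
    the original SYN's source (one buffer here, a further simplification)."""

    def __init__(self, rst_limit: Optional[int], syn_cache_capacity: Optional[int]):
        self.rst_limit = rst_limit                    # None = no rate limiting
        self.syn_cache_capacity = syn_cache_capacity  # None = unbounded cache
        self.rsts_this_tick = 0
        self.syn_cache: List[str] = []                # pending SYNs, by source host

    def reply_rst(self) -> bool:
        """Emit a RST unless the rate limiter has exhausted this tick's budget."""
        if self.rst_limit is not None and self.rsts_this_tick >= self.rst_limit:
            return False
        self.rsts_this_tick += 1
        return True

    def on_syn_ack(self, port_open: bool) -> bool:
        """Unsolicited SYN/ACK: page 15 abstraction, drop if open, RST if closed."""
        return False if port_open else self.reply_rst()

    def on_syn(self, source: str) -> bool:
        """SYN to an open port: cache it and answer SYN/ACK, or drop when full."""
        if self.syn_cache_capacity is not None and len(self.syn_cache) >= self.syn_cache_capacity:
            return False
        self.syn_cache.append(source)
        return True

    def on_rst_from(self, source: str) -> None:
        """A RST from a SYN's source frees that pending entry (page 9 rule)."""
        if source in self.syn_cache:
            self.syn_cache.remove(source)

    def tick(self) -> None:
        self.rsts_this_tick = 0


def run(actions, victim_port_open: bool, rst_limit, syn_cache_capacity) -> List[Optional[bool]]:
    """Execute an action sequence and return the attacker's observation trace:
    True/False for a reply seen/not seen, None when nothing reaches the attacker."""
    z = Zombie(rst_limit, syn_cache_capacity)
    trace: List[Optional[bool]] = []
    for a in actions:
        if a == SPOOF_VICTIM:
            # The victim answers SYN/ACK only if its port is open; that SYN/ACK
            # lands on a closed zombie port, so the zombie spends one RST on it.
            if victim_port_open:
                z.on_syn_ack(port_open=False)
            trace.append(None)
        elif a == FORGE_ZOMBIE:
            # The zombie caches the forged SYN and SYN/ACKs the victim; a closed
            # victim port RSTs back and frees the entry, an open port stays silent.
            if z.on_syn("victim") and not victim_port_open:
                z.on_rst_from("victim")
            trace.append(None)
        elif a == OWN_SYN:
            # The attacker sees a SYN/ACK only if the cache has room, then RSTs
            # its own entry away (assumption) so it does not fill the cache itself.
            got_syn_ack = z.on_syn("attacker")
            if got_syn_ack:
                z.on_rst_from("attacker")
            trace.append(got_syn_ack)
        elif a == PROBE_RST:
            trace.append(z.on_syn_ack(port_open=False))
        else:
            z.tick()
            trace.append(None)
    return trace


def find_counterexample(rst_limit, syn_cache_capacity, bound):
    """Shortest action sequence (lexicographic within a length) whose low trace
    differs between victim port open and closed, or None if none up to bound."""
    for k in range(1, bound + 1):
        for seq in product(ACTIONS, repeat=k):
            open_trace = run(seq, True, rst_limit, syn_cache_capacity)
            closed_trace = run(seq, False, rst_limit, syn_cache_capacity)
            if open_trace != closed_trace:
                return seq, open_trace, closed_trace
    return None


if __name__ == "__main__":
    print("RST rate limit only:", find_counterexample(1, None, 3))
    print("SYN cache only:     ", find_counterexample(None, 1, 3))
    print("neither mechanism:  ", find_counterexample(None, None, 4))
```

With only the RST rate limit enabled the search stops at the two-step sequence spoof-then-probe, the page 17 channel; with only the single-entry SYN cache enabled it stops at forge-then-own-SYN, the page 18 channel; with both mechanisms switched off no sequence up to the bound separates the two runs, so the abstract stack satisfies non-interference as far as the bound reaches. That last point is the practical caveat of bounded checking: a `None` result only says nothing was found within `bound` steps, which is why the slides follow the model with experimental confirmation on real stacks.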

Page 19

Experimental confirmation of counterexamples - Setup
- VirtualBox
- TUN/TAP
- Zombie:
  ○ kernel 2.4 host (Fedora Core 1)
  ○ Windows XP host with no service packs
  ○ Linux kernel 2.6 host (CentOS 5.2)
  ○ FreeBSD 7.1.1 host

Page 20

Experimental confirmation of counterexamples - RST rate
- For a real FreeBSD system, RSTs are limited to a default of 200 per second.
- Our implementation sends 2000 each of two different types of packets, each at a rate of 180 per second, to the victim and FreeBSD zombie, respectively.

Page 21

Experimental confirmation of counterexamples - RST rate

Page 22

Experimental confirmation of counterexamples – SYN cache
- Linux kernel 2.4 uses a simple buffer for the SYN cache, with between 128 and 1024 entries depending on the memory available on the system.
- Our implementation:
  ○ 50 forged SYNs, then 50 each of forged SYNs and SYNs where the attacker uses their own return IP (1000 per second)
  ○ 200 more forged SYNs (1000 per second)
  ○ sends 200 each of forged SYNs and SYNs where the attacker uses their own return IP address (400 per second)

Page 23

Experimental confirmation of counterexamples – SYN cache
- Result between different OSes

Page 24

Experimental confirmation of counterexamples – SYN cache
- Idle port scan
  ○ 20,000 forged SYN packets (with random return ports that are closed on the zombie)
  ○ At half the rate, alternating forged SYNs with the target port on the victim as the source port and valid SYNs with the return address of the attacker

Page 25

Experimental confirmation of counterexamples – SYN cache
- Result for idle port scan