Security Basics mailing list archives

RE: Traces


From: Meidinger Chris <chris.meidinger () badenit de>
Date: Mon, 5 Jan 2004 15:59:31 +0100


Correlating TTL is how the hunt for timex.0 at SANS was set up. It was
unsuccessful. There is a great writeup in Stephen Northcutt's 'Network
Intrusion Detection: An Analyst's Handbook' and I think there are (or were)
materials at www.sans.org/y2k about their attempts to triangulate TTL.

But back to the question at hand: Can I find an attacker based on TTL?
(And secondly: even assuming it could work, what would it tell me?)

Let's say you have:
1) 10 friends (like any of us have that many ;),
2) a perfect map of the internet (ok, so you can freeze time too),
3) and you all have incoming ping floods from the same guy (you know this
because the packet payloads are all the same)
4) from various spoofed IPs (like each other's IPs, so you can be sure
they are spoofed), and you also have
5) reason to believe that the original TTL was a constant (say, for the sake
of argument, one person is getting packets with a TTL of 254, even though
this would mess up the rest of the argument. We will also let this person
be one hop from hundreds of routers).

Using TTL and the perfect Internet map you can figure out a set of routers
which are n hops away from you. For each friend that is getting the same
stuff, he can map a subset of your router set that are routers n hops from
you *and* m hops from him. 

For each additional friend you get more accurate (or your set of possible
routers gets smaller). Thus: as your number of friends/co-victims approaches
infinity, the number of possible routers approaches 1. So you can
(theoretically) figure out which router he is behind.

You would then need heavy cooperation from the operators of the router or
from the ISP to which it belongs to find a person. By which point the script
kiddy's mother has probably called him to dinner, and he's logged off
anyway. This forces you to unfreeze time and let him eat dinner and come
back to his computer, then log back into a different ISP...

Given the vagaries of the internet that Shawn mentioned, any TTL-correlation
approach would likely prove absolutely impracticable. If someone else has a
suggestion how it could work, by all means post it: it would be a great
weapon against spoofing.

Cheers,

Chris

-----Original Message-----
From: Shawn Jackson [mailto:sjackson () horizonusa com]
Sent: Thursday, January 01, 2004 1:06 AM
To: Fernando Gont; Gerson Sampaio; security-basics () securityfocus com
Subject: RE: Traces



        Okdokie. Let's say I am pinging anything.org and it's 5 hops
away. Let's also say that through a status route change (a BGP peer goes
down, etc.) I'm being routed through a different backbone; now
anything.org is 8 hops away due to that change. Great, it's 8 hops away.

        Now, you have a DOS attack against two networks, your friend's
and yours. Your friend detects that the attacker is 12 hops away. You
are suffering from the same attack and detect that it is 7 hops away.
Let's also assume that we've stripped the dynamic properties of the
Internet away and you know for a FACT that 11 hops away from him and 6
hops away from you is an SBC ATM core. The last hop is unknown because
you can't garner that information without, at least, a netblock. The ATM
core can be connected to thousands of networks; using that information
you can only have a meager guess at which backbone provider the attack
is coming from.

        Now 20 hops away from me could be almost anywhere in the western
half of the world thanks to AT&T. The dynamic state of routes is what
complicates this technique. 12 hops for me can be 30 hops to you. Then
all of a sudden it's 30 hops for me and 33 hops for you. Using the above
example, say your ISP had to route through its backup Tier 1 connection
due to traffic load, which leaves the backbone network in another state;
now instead of 7 hops you're up to 9.

        TTL is not like miles; it can't be efficiently measured. Routers
can be hundreds of miles apart, or a few feet. I can reach the Eastern
half of the US in fewer hops than it takes me to get to Mexico; does that
mean it's closer? Nope. Could I take a look at a TTL and say what state
it's in? Nope.

        Can you give me an example of it in action? How would you use it
to trace the source of an attack where the originating IP address has
been faked? IMHO I still think it is useless, but that's because I can't
see it working or giving me useful information.


Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: Fernando Gont [mailto:fernando () gont com ar] 
Sent: Wednesday, December 31, 2003 1:00 PM
To: Shawn Jackson; Gerson Sampaio; security-basics () securityfocus com
Subject: RE: Traces

At 12:18 31/12/2003 -0800, Shawn Jackson wrote:

        Eh' kinda. The TTL is decremented when the packet travels over a
router. If they don't set the TTL to a random number you know, "hey he's
eight hops away", but that's it. In a confined corporate network that
might work better, but on a network as dynamic as the internet, not all
paths have the same TTL so it's almost worthless, IMHO.

What do you mean by "not all paths have the same TTL"?
If the TTL has not been intentionally set to some random value, even when
routes may change, you can still say "it's X hops away".

So the dynamic nature of routes doesn't make this technique useless.

Furthermore, if somehow you can correlate an attack to your site with any
other attack to some other sites, you will have a better idea of where the
attacker is.

Of course, this will work if and only if the TTL field is not set to a 
random value.


--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org


