Identifying hosts with natfilterd                         A TCP timestamp analysis based solution                         ...
Motivation        SNAT      1   makes individual host identification hard               All hosts behind the same SNAT gate...
TCP Timestamps       The TCP protocol allows for options in the header (RFC 793)       TCP timestamps are such an extensio...
TCP Timestamps       The TCP protocol allows for options in the header (RFC 793)       TCP timestamps are such an extensio...
Timestamp GenerationRFC 1323 – 3.3 The RTTM Mechanism       The timestamp value to be sent in TSval is to be obtained from...
Timestamp GenerationRFC 1323 – 3.3 The RTTM Mechanism       The timestamp value to be sent in TSval is to be obtained from...
Fingerprinting HostsFirst documented in Phrack #63 0x03-2: “TCP Timestamp To countHosts behind NAT”       Track TCP connec...
Fingerprinting HostsFirst documented in Phrack #63 0x03-2: “TCP Timestamp To countHosts behind NAT”       Track TCP connec...
Introducing “Rate Classes”                  TSval = (wallclock − boottime ) ∗         tickscale                           ...
Optimizations by “Rate Classes”                                                      x2 − x1                              ...
Optimizations by “Rate Classes”                                                      x2 − x1                              ...
Optimizations by “Rate Classes” (contd.)Algorithm for matching single packets                                O(log2 n)    ...
natfilterd DEMOWicherski (RWTH Aachen University)   natfilterd   2011-02-14   9/9
natfilterd DEMO                                     Questions?Wicherski (RWTH Aachen University)      natfilterd   2011-02...
Upcoming SlideShare
Loading in...5
×

Identifying hosts with natfilterd

2,251
-1

Published on

natfilterd identifies unique hosts behind a NAT. It monitors TCP packets
by hooking into netfilter using the netfilter_queue extension and parses
TCP headers for the TCP Timestamps extension options. TCP timestamps are
generated by the OS based on `ticks' since boot time. Collecting per
connection (timestamp, wall clock) tuples allows identifying unique
hosts sharing the same IP with some math in realtime.
This allows natfilterd to drop packets of specific hosts sharing the
same source IP. Also, a fancy webinterface is provided.

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
2,251
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
20
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Identifying hosts with natfilterd

  1. 1. Identifying hosts with natfilterd A TCP timestamp analysis based solution Georg Wicherski UMIC LuFG IT-Security, RWTH Aachen University 2011-02-14Wicherski (RWTH Aachen University) natfilterd 2011-02-14 1/9
  2. 2. Motivation SNAT 1 makes individual host identification hard All hosts behind the same SNAT gateway appear to have the same IP address In Capture-the-Flag contests2 , SNAT is used to mix other teams’ hosts and the gameserver to prevent trivial traffic filtering of opponent teams’ attacks We need to identify individual attacking hosts and drop their traffic Some people use botnet sinkholing3 to estimate the size of a threat Hosts behind SNAT are counted as a single infection if no application layer ID is available 1 Source Network Address Translation 2 http://www.cipher-ctf.org/CaptureTheFlag.php 3 e.g. http://www.cs.ucsb.edu/~kemm/courses/cs177/torpig.pdfWicherski (RWTH Aachen University) natfilterd 2011-02-14 2/9
  3. 3. TCP Timestamps The TCP protocol allows for options in the header (RFC 793) TCP timestamps are such an extension option to optimize performance (RFC 1323)Wicherski (RWTH Aachen University) natfilterd 2011-02-14 3/9
  4. 4. TCP Timestamps The TCP protocol allows for options in the header (RFC 793) TCP timestamps are such an extension option to optimize performance (RFC 1323) Support is indicated by supplying a timestamp option header with zero timestamp If both hosts support it, timestamps are exchangedWicherski (RWTH Aachen University) natfilterd 2011-02-14 3/9
  5. 5. Timestamp GenerationRFC 1323 – 3.3 The RTTM Mechanism The timestamp value to be sent in TSval is to be obtained from a (virtual) clock that we call the ”timestamp clock”. Its values must be at least approximately proportional to real time, in order to measure actual RTT.Wicherski (RWTH Aachen University) natfilterd 2011-02-14 4/9
  6. 6. Timestamp GenerationRFC 1323 – 3.3 The RTTM Mechanism The timestamp value to be sent in TSval is to be obtained from a (virtual) clock that we call the ”timestamp clock”. Its values must be at least approximately proportional to real time, in order to measure actual RTT. TSval = (wallclock − boottime ) ∗ tickscale host specific kernel specificWicherski (RWTH Aachen University) natfilterd 2011-02-14 4/9
  7. 7. Fingerprinting HostsFirst documented in Phrack #63 0x03-2: “TCP Timestamp To countHosts behind NAT” Track TCP connections: each packet belongs to the same host Approximate linear regression equation y = c0 + x ∗ c1 from set of points (wallclock, TSval) If distance to next host equation below threshold, update old equation Otherwise add new host to database Once a host is in the database, try to match new packets against it in realtimeWicherski (RWTH Aachen University) natfilterd 2011-02-14 5/9
  8. 8. Fingerprinting HostsFirst documented in Phrack #63 0x03-2: “TCP Timestamp To countHosts behind NAT” Track TCP connections: each packet belongs to the same host Approximate linear regression equation y = c0 + x ∗ c1 from set of points (wallclock, TSval) If distance to next host equation below threshold, update old equation Otherwise add new host to database Once a host is in the database, try to match new packets against it in realtime Without optimizations: O(n2 ) for adding n hosts with significant c for distance calculation O(n) for matching one packet against n host with significant cWicherski (RWTH Aachen University) natfilterd 2011-02-14 5/9
  9. 9. Introducing “Rate Classes” TSval = (wallclock − boottime ) ∗ tickscale host specific kernel specific Windows: Apparently uses kernel equivalent of GetTickCount() 1 Linux: Uses jiffies, incremented every HZ seconds Common values for HZ are 100, 250, 1000 OpenBSD, FreeBSD, NetBSD: Did not test Finite and sufficiently small set of r different values for tickscale Round value to 0.01ms granularity / resolutionWicherski (RWTH Aachen University) natfilterd 2011-02-14 6/9
  10. 10. Optimizations by “Rate Classes” x2 − x1 dist = sin (tan−1 (tickscale))Wicherski (RWTH Aachen University) natfilterd 2011-02-14 7/9
  11. 11. Optimizations by “Rate Classes” x2 − x1 dist = sin (tan−1 (tickscale))Algorithm for finding host for connection O(log2 n) min ← ∞ rateclass ← rateclasses.hashlookup(round(tickscale)) neighbours ← rateclass.btree(xnormalized ) {O(log2 n)} for all neighbour ∈ neighbours do if dist(neighbour .x, xnormalized , rateclass.rate) < min then min ← neighbour , dist end if end for return minWicherski (RWTH Aachen University) natfilterd 2011-02-14 7/9
  12. 12. Optimizations by “Rate Classes” (contd.)Algorithm for matching single packets O(log2 n) min ← ∞ for all rateclass ∈ rateclasses do neighbours ← rateclass.btree(xnormalized ) {O(log2 n)} for all neighbour ∈ neighbours do if dist(neighbour .x, xnormalized , rateclass.rate) < min then min ← neighbour , dist end if end for end for return minWicherski (RWTH Aachen University) natfilterd 2011-02-14 8/9
  13. 13. natfilterd DEMOWicherski (RWTH Aachen University) natfilterd 2011-02-14 9/9
  14. 14. natfilterd DEMO Questions?Wicherski (RWTH Aachen University) natfilterd 2011-02-14 9/9
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×