North American Network Operators Group


Re: moved to

  • From: vern
  • Date: Tue Sep 12 19:06:02 2000

> Anyway, apart from the questionable practice of using these IPs for
> access-lists, this information is useful for some of us in the
> measurement community to write detectors that are less likely to get
> false hits, such as might happen when counting Napster traffic based
> solely on TCP port numbers.

You might find the following paper interesting:

	Detecting Backdoors

	Yin Zhang (Cornell) & Vern Paxson (ACIRI)

	Proc. USENIX Security Symposium, August 2000

Along with security-oriented backdoors such as Telnet & SSH, we also
developed backdoor detectors for Napster and Gnutella.  We developed
general detectors that run on reconstructed TCP streams (implemented in
the Bro intrusion detection system) and also fast-cheap-and-definite-hack
detectors that use just tcpdump filters.

The tcpdump detector for Napster is:

	   # look for "SEND" or "GET" in a
	   # packet by itself (so payload of
	   # 4 or 3 bytes, respectively);
	   # payload length = IP total length
	   # - IP header length - TCP header length
	   ((ip[2:2] - ((ip[0]&0x0f)<<2) -
	     (tcp[12]>>2)) = 4 and
	    tcp[(tcp[12]>>2):4] = 0x53454e44) or
	   ((ip[2:2] - ((ip[0]&0x0f)<<2) -
	     (tcp[12]>>2)) = 3 and
	    tcp[(tcp[12]>>2):2] = 0x4745 and
	    # third byte "T" (the post is cut off here;
	    # this last test is reconstructed from the comment)
	    tcp[2+(tcp[12]>>2)] = 0x54)

and the one for Gnutella is:

	    # look for "GNUTELLA " as first
	    # 9 characters of payload
	    tcp[(tcp[12]>>2):4] = 0x474e5554 and
	    tcp[(4+(tcp[12]>>2)):4] = 0x454c4c41
	    and tcp[8+(tcp[12]>>2)] = 0x20

Another fun one to run (a total hack) is a root backdoor detector:

	    # look for '# ' in a packet with
	    # exactly 2 bytes of payload
	    tcp[(tcp[12]>>2):2] = 0x2320 and
	    (ip[2:2] - ((ip[0]&0x0f)<<2) -
	    (tcp[12]>>2)) = 2

All of these work surprisingly well, and with kernel BPF can run at
Gbps speeds.
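The same three filters expressed over raw IPv4/TCP bytes in Python, as an added example that is not from the post or the paper: build_packet is a constructed helper that fabricates minimal packets so the checks can be run offline, and tcp_header_and_payload reproduces the filters' arithmetic (ip[2:2] minus the IP header length minus the TCP data offset).

```python
import struct

# Constructed helper (not from the post): a minimal IPv4 + TCP packet carrying
# the given payload, with optional TCP options so the data offset is non-trivial.
# Checksums are left at zero; none of the filters look at them.
def build_packet(payload, tcp_options=b""):
    ihl = 5                                  # 20-byte IP header, no IP options
    doff = 5 + len(tcp_options) // 4         # TCP header length in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                         64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp_hdr = struct.pack("!HHIIBBHHH", 1234, 6699, 0, 0, doff << 4,
                          0x18, 8192, 0, 0) + tcp_options
    return ip_hdr + tcp_hdr + payload

def tcp_header_and_payload(pkt):
    """Mirror the tcpdump filters' offset arithmetic on raw IPv4 bytes."""
    ip_hdr_len = (pkt[0] & 0x0f) << 2        # ((ip[0]&0x0f)<<2)
    tcp = pkt[ip_hdr_len:]
    tcp_hdr_len = tcp[12] >> 2               # (tcp[12]>>2); like the filters, this
                                             # assumes the low 4 bits of byte 12 are 0
    total_len = struct.unpack("!H", pkt[2:4])[0]        # ip[2:2]
    payload_len = total_len - ip_hdr_len - tcp_hdr_len  # the filters' length term
    return tcp[tcp_hdr_len:tcp_hdr_len + payload_len], payload_len

def is_napster(pkt):
    # "SEND" alone in a 4-byte payload, or "GET" alone in a 3-byte payload
    p, n = tcp_header_and_payload(pkt)
    return (n == 4 and p == b"SEND") or (n == 3 and p == b"GET")

def is_gnutella(pkt):
    # "GNUTELLA " as the first 9 payload bytes; no length condition
    p, _ = tcp_header_and_payload(pkt)
    return p[:9] == b"GNUTELLA "

def is_root_prompt(pkt):
    # '# ' as the entire 2-byte payload
    p, n = tcp_header_and_payload(pkt)
    return n == 2 and p == b"# "

def classify(pkt):
    """Return the name of the first matching detector, or None."""
    for name, detector in (("napster", is_napster), ("gnutella", is_gnutella),
                           ("root-shell", is_root_prompt)):
        if detector(pkt):
            return name
    return None
```

As with the tcpdump versions, the payload length is taken from the IP total-length field rather than from the bytes actually captured, and a packet with TCP options still matches because the data offset is read from the header.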