Page 1: Zombie Scan

Power Projection Systems Department

Zombie Scan

Judy Novak

Vern Stark

David Heinbuch

June 12, 2002

Page 2: Zombie Scan

SubSeven Incident

• June 29, 2001 ~ 12:00 Shadow reveals massive scan

• Hundreds of hosts concurrently scan SubSeven port of Class B network

• Flood, DDoS, scan?

• Similar scan on July 2, 2001 ~ 16:00

• June 26, 2001 SANS reports of W32.leave.worm

– Windows hosts

– Spread via hosts listening on port 27374

– Zombies used in DDoS attacks

– Scans @Home and Earthlink for port 27374

Page 3: Zombie Scan

Sample tcpdump Output

12:16:31.150575 ool-18bd69bb.dyn.optonline.net.4333 > 192.168.112.44.27374: S 542724472:542724472(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13444)

12:16:31.160575 ool-18bd69bb.dyn.optonline.net.4334 > 192.168.112.45.27374: S 542768141:542768141(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13445)

12:16:31.170575 24.3.50.252.1757 > 192.168.19.178.27374: S 681372183:681372183(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54912)

12:16:31.170575 24-240-136-48.hsacorp.net.4939 >192.168.11.19.27374: S 3019773591:3019773591(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 39621)

12:16:31.170575 ool-18bd69bb.dyn.optonline.net.4335 > 192.168.112.46.27374: S 542804226:542804226(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13446)

12:16:31.170575 cc18270-a.essx1.md.home.com.4658 > 192.168.5.88.27374: S 55455482:55455482(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 8953)

12:16:31.170575 24.3.50.252.1759 > 192.168.19.180.27374: S 681485650:681485650(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54914)

12:16:31.170575 cc18270-a.essx1.md.home.com.4659 > 192.168.5.89.27374: S 55455483:55455483(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 9209)

12:16:31.170575 24.3.50.252.1760 > 192.168.19.181.27374: S 681550782:681550782(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 54915)

12:16:31.170575 cc18270-a.essx1.md.home.com.4660 > 192.168.5.90.27374: S 55455484:55455484(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 9465)


Page 4: Zombie Scan

Source Hosts

Date      Total Packets   Unique Source Hosts   DNS Registered
June 29   132,706         314                   297**
July 2    157,842         295                   271**

**Not spoofed source IPs

Page 5: Zombie Scan

Scanning Host Networks

[Bar chart: Top Five Scanning Networks; y-axis Percentage Traffic (0 to 25), series June 29 and July 02; networks shown: home.com, sympatico.ca, rr.com, videotron.ca, aol.com]

Cable/dial-in modem providers

Page 6: Zombie Scan

Destination Hosts

• Target network Class B: 65,535 possible IP addresses

– June 29: 32,367 unique destination IPs scanned

– July 2: 36,638 unique destination IPs scanned

• Prior reconnaissance of live destination hosts?

– Missing Class C subnets

• Different for both scans

– Many IP numbers not live hosts

• Zombies not active or responsive during scan

Page 7: Zombie Scan

Number of Unique Scanning Hosts per Destination Host

[Bar chart: Unique Scanning Source Hosts per Destination Host; x-axis Number of Scanning Source Hosts (1 to 4), y-axis Number of Destination Hosts (0 to 30000), series June 29 and July 02. Bar values as read from the chart, paired with the x-axis in decreasing order; each column sums to the unique destination count on page 6:]

Scanning source hosts   June 29   July 02
1                       23,962    26,503
2                        7,194     8,777
3                        1,152     1,334
4                           59        24

Page 8: Zombie Scan

Scanning Rates

• Sustained activity for 5 or 6 minutes

• Peak activity for 2 minutes

• June 29 scan: 7.2 Mbps maximum

• July 02 scan: 8.6 Mbps maximum

• Maximum volume not enough for DoS on our network

Page 9: Zombie Scan

Packets Per Minute

[Line chart: June 29, 2001 Packets per Minute; x-axis Time of Day (hh:mm) 12:16 to 12:21, y-axis Packets (0 to 100000)]

[Line chart: July 02, 2001 Packets per Minute; x-axis Time of Day (hh:mm) 16:43 to 16:47, y-axis Packets (0 to 100000)]

Page 10: Zombie Scan

Temporal Variability of Zombie Scan

Page 11: Zombie Scan

Initial Wave of TCP Packets

Page 12: Zombie Scan

Initial SYN Packets

Page 13: Zombie Scan

Initial SYNs and Retries

Page 14: Zombie Scan

Scanning Conclusions

• Scanning hosts carefully synchronized

• Waves of initial SYNs and TCP retries result in highly variable bandwidth consumption

• SYNs sent in waves 11.5 seconds apart

• “Thoughtful” scan

– Each source host assigned a range of destination hosts

– Assigned time frame and frequency to scan

Page 15: Zombie Scan

Scanning Hosts Operating Systems

• Examine “passive” fingerprints

– Arriving Time to Live (TTL) values

– Scanning host TCP window size

– Scanning host TCP options

Page 16: Zombie Scan

Fingerprint Values by OS (courtesy Honeynet Project)

OS              VERSION   PLATFORM      TTL   WINDOW
Windows 9x/NT             Intel          32   5000-9000
AIX             4.3.x     IBM/RS6000     60   16000-16100
AIX             4.2.x     IBM/RS6000     60   16000-16100
Cisco           11.2      7507           60   65535
IRIX            6.x       SGI            60   61320
Linux           2.2.x     Intel          64   32120
OpenBSD         2.x       Intel          64   17520
Solaris         8         Intel/Sparc    64   24820
Windows 9x/NT             Intel         128   5000-9000
Windows 2000              Intel         128   17000-18000
Cisco           12.0      2514          255   3800-5000
Solaris         2.x       Intel/Sparc   255   8760
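As an added example, not code from the original deck: a Python parser for the page-3 tcpdump SYN lines that infers each scanner's initial TTL and hop count, maps TTL and window size onto a subset of the page-16 table (the passive fingerprint of page 15), and builds the page-7 unique-scanners-per-destination histogram. The 32/64/128/255 initial-TTL set and the table subset are assumptions taken from the slides; the two input lines are copied from page 3.

```python
import re
from collections import Counter, defaultdict

# Two lines from the deck's page-3 tcpdump sample, used here as input.
SAMPLE = """\
12:16:31.150575 ool-18bd69bb.dyn.optonline.net.4333 > 192.168.112.44.27374: S 542724472:542724472(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 13444)
12:16:31.170575 cc18270-a.essx1.md.home.com.4658 > 192.168.5.88.27374: S 55455482:55455482(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 117, id 8953)
"""

# Host and port are split on the last dot; win, mss and ttl come from the options and trailer.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+)\s*>\s*(?P<dst>\S+)\.(?P<dport>\d+): S "
    r".*?win (?P<win>\d+) <mss (?P<mss>\d+)[^>]*>.*?\(ttl (?P<ttl>\d+),"
)

# Subset of the page-16 table: (OS, initial TTL, window range).
FINGERPRINTS = [
    ("Windows 9x/NT", 32, (5000, 9000)),
    ("Windows 9x/NT", 128, (5000, 9000)),
    ("Windows 2000", 128, (17000, 18000)),
    ("Linux 2.2.x", 64, (32120, 32120)),
    ("Solaris 2.x", 255, (8760, 8760)),
]

def parse_line(line):
    """Fields of one tcpdump SYN line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}

def initial_ttl(arriving):
    """Smallest common initial TTL (32/64/128/255) the arriving value could have decayed from."""
    return next(t for t in (32, 64, 128, 255) if t >= arriving)

def guess_os(arriving_ttl, window):
    """Passive guess per page 15: match the inferred initial TTL and window against the table."""
    init = initial_ttl(arriving_ttl)
    for name, ttl, (lo, hi) in FINGERPRINTS:
        if ttl == init and lo <= window <= hi:
            return name
    return "Unknown"

def scanners_per_destination(text):
    """Page-7 style histogram: {unique sources seen per destination: number of destinations}."""
    seen = defaultdict(set)
    for line in text.splitlines():
        p = parse_line(line)
        if p and p["dport"] == 27374:
            seen[p["dst"]].add(p["src"])
    return dict(Counter(len(s) for s in seen.values()))
```

The 16384 window of the first sample line matches no page-16 range and comes back as Unknown; page 19 labels that size as Windows 2K, so a working table needs wider ranges than the published one.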

Page 17: Zombie Scan

June 29 Arriving TTL Values

[Histogram: June 29, 2001 Arriving TTL Values; x-axis Arriving TTL Values, y-axis Packets (0 to 20000). Chart annotations, with hop ranges paired to the TTL groups in chart order:]

Initial TTL 32 (Windows)    2.66%    10 – 22 hops
Initial TTL 64 (Unix)       5.2%     8 – 25 hops
Initial TTL 128 (Windows)   92.13%   8 – 22 hops

Page 18: Zombie Scan

July 2 Arriving TTL Values

[Histogram: July 2, 2001 Arriving TTL Values; x-axis Arriving TTL Values, y-axis Packets (0 to 20000). Chart annotations, with hop ranges paired to the TTL groups in chart order:]

Initial TTL 32 (Windows)    2.36%    12 – 22 hops
Initial TTL 64 (Unix)       5.35%    12 – 21 hops
Initial TTL 128 (Windows)   92.29%   8 – 27 hops

Page 19: Zombie Scan

Scanning Host TCP Window Size

[Bar chart: TCP Window Size; x-axis Window Size (8192, 16384, 65535, 8760, Other), y-axis Percentage of Source Hosts (0 to 60), series June 29 and July 02. OS annotation per window size: 8192 Windows 9X/NT, 16384 Windows 2K, 65535 Unknown, 8760 Solaris]

Page 20: Zombie Scan

Scanning Host Maximum Segment Size

[Bar chart: TCP Maximum Segment Size; x-axis MSS (1460, 536, 1414, Other), y-axis Percentage of Source Hosts (0 to 100), series June 29 and July 02. Link-type annotation per MSS: 1460 Ethernet, 536 PPP/ISDN, 1414 PPPOE(DSL)]

Page 21: Zombie Scan

SubSeven Scan Conclusions

• Very efficient scan

• Conducted by zombie hosts

– Most are Windows

– Other operating systems involved

– Representative of normal distribution on Internet?

• Thoughtful scan

– Redundant scanners

– Timing parameters

– Ranges of destination hosts