Security Laboratory: Methods of Attack Series
These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.
Traffic Analysis
May 16th, 2007
By Stephen Northcutt
Traffic analysis is a special type of inference attack technique that looks at communication patterns between entities in a system. "Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence or counter-intelligence, and is a concern in computer security."[1] Knowing who's talking to whom, when, and for how long, can sometimes clue an attacker in to information of which you'd rather she not be aware.
The size of packets being exchanged between two hosts can also be
valuable information for an attacker, even if they aren't able to view
the contents of the traffic (being encrypted or otherwise unavailable).
Seeing a short flurry of single-byte payload packets with consistent
pauses between each packet might indicate an interactive session
between two hosts, where each packet indicates a single keystroke.
Large packets sustained over time tend to indicate file transfers
between hosts, also indicating which host is sending and which host is
receiving the file. By itself, this information might not be terribly
damaging to the security of the network, but a creative attacker will
be able to combine this information with other information to bypass
intended security mechanisms.
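The inference described above can be reduced to a few lines of code, which is worth seeing from the defender's side: if a classifier this simple can separate keystrokes from file transfers using only sizes and timing, padding and timing jitter are the mitigations to look for in a protocol. The following is an added example, not code from the article; the `Packet` layout, the thresholds and the two sample flows are all constructed for illustration.

```python
"""Classify a flow as interactive or bulk transfer from packet sizes and
timing alone, ignoring payload contents.

Added example (not code from the original article). Thresholds are
assumptions chosen for illustration; tune them for your own network."""
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds since capture start
    src: str           # sending host
    payload_len: int   # bytes of application payload (0 for a bare ACK)


# Assumed thresholds (not from the article).
INTERACTIVE_MAX_PAYLOAD = 4       # keystroke-sized segments
INTERACTIVE_MAX_GAP_JITTER = 0.5  # seconds; "consistent pauses"
BULK_MIN_PAYLOAD = 1000           # near-MSS segments
BULK_MIN_PACKETS = 5


def classify_flow(packets):
    """Return (kind, top_sender) where kind is 'interactive',
    'bulk-transfer' or 'unknown' and top_sender is the host that
    pushed the most payload bytes (the file sender, for a transfer)."""
    data = sorted((p for p in packets if p.payload_len > 0), key=lambda p: p.ts)
    if len(data) < 2:
        return "unknown", None
    sizes = [p.payload_len for p in data]
    gaps = [b.ts - a.ts for a, b in zip(data, data[1:])]
    bytes_by_src = {}
    for p in data:
        bytes_by_src[p.src] = bytes_by_src.get(p.src, 0) + p.payload_len
    top_sender = max(bytes_by_src, key=bytes_by_src.get)

    small = sum(1 for s in sizes if s <= INTERACTIVE_MAX_PAYLOAD)
    large = sum(1 for s in sizes if s >= BULK_MIN_PAYLOAD)
    # Mostly tiny segments with steady pauses: someone is typing.
    if small / len(sizes) >= 0.8 and pstdev(gaps) <= INTERACTIVE_MAX_GAP_JITTER:
        return "interactive", top_sender
    # A run of near-full segments: a file is moving, from top_sender.
    if large >= BULK_MIN_PACKETS and large / len(sizes) >= 0.6:
        return "bulk-transfer", top_sender
    return "unknown", top_sender


# Constructed sample flows (not real captures).
KEYSTROKE_FLOW = [
    Packet(t, "10.0.0.5", 1)
    for t in (0.00, 0.21, 0.39, 0.62, 0.80, 1.03, 1.19, 1.41)
] + [Packet(t + 0.03, "10.0.0.6", 1) for t in (0.00, 0.21, 0.39, 0.62)]  # server echoes

TRANSFER_FLOW = [Packet(i * 0.01, "10.0.0.7", 1460) for i in range(8)] + [
    Packet(i * 0.01 + 0.005, "10.0.0.8", 0) for i in range(8)  # bare ACKs, ignored
]

if __name__ == "__main__":
    print(classify_flow(KEYSTROKE_FLOW))   # ('interactive', '10.0.0.5')
    print(classify_flow(TRANSFER_FLOW))    # ('bulk-transfer', '10.0.0.7')
```

Bare ACKs are dropped before classifying because they carry no information about what the application is doing. Note that the classifier never looks at a byte of payload: a protocol that pads every segment to a fixed size and randomises inter-packet delay would leave it with nothing to work on, which is exactly the property an encrypted interactive protocol should be evaluated for.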
SecurityFocus ran an article on a "method based on traffic behavior that helps
identify P2P users, and even helps to distinguish what type of P2P
applications are being used."[2] In this case the focus was on the
default port numbers these tools use, though there are more sophisticated
methods using flows.[3]
TCP/IP lends itself to traffic analysis to the point that it is possible to "fingerprint" systems (determine the host operating system by looking at packets on the network). Fyodor's NMAP site has a tutorial[4] that explains this in detail; NMAP's fingerprinting is active, in that it works by sending packets to stimulate the host. It is also possible to fingerprint passively; commercial tools that do so include SourceFire's RNA[5] and Tenable's Passive Vulnerability Scanner.[6] A powerful free tool called p0f[7] is also available. According to the Honeynet project, the following fields are crucial in OS fingerprinting.[8]
- TTL - The value the operating system sets for Time To Live on outbound packets.
- Window Size - The value the operating system sets for the TCP Window Size.
- DF - Whether the operating system sets the Don't Fragment bit.
- TOS - Whether the operating system sets the Type of Service field, and if so, to what value.
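To make the four fields concrete, here is a small passive matcher that reads them from a one-line SYN summary and looks them up in a signature table. It is an added example and is not code from the article, from p0f or from either commercial product; the summary-line format and the signature table are constructed for illustration (a real fingerprint database has hundreds of entries and also uses TCP options). The one detail that is not an assumption is the TTL handling: the value on the wire has been decremented once per hop, so the matcher first rounds it up to the nearest common starting value before comparing.

```python
"""Passive OS guess from the four header fields the Honeynet list names
(TTL, window size, DF, TOS), read from a SYN without sending anything.

Added example, not code from the article, p0f or any commercial tool.
The signature table is constructed for illustration and is not a real
fingerprint database; real tools also use TCP options and many more entries."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class SynFields:
    ttl: int      # IP TTL as observed on the wire
    window: int   # TCP window size advertised in the SYN
    df: bool      # IP Don't Fragment flag set?
    tos: int      # IP Type of Service byte


# Constructed signature table (assumption): (initial TTL, window, DF, TOS) -> label.
SIGNATURES = {
    (64, 65535, True, 0x00): "unix-like-A (constructed)",
    (128, 8192, True, 0x00): "windows-like-B (constructed)",
    (255, 4128, False, 0x00): "router-like-C (constructed)",
}

# Common starting TTL values; the observed TTL is decremented once per hop.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed one-line summary format, e.g. "ttl=57 win=65535 df=1 tos=0x00".
_LINE = re.compile(r"ttl=(\d+)\s+win=(\d+)\s+df=([01])\s+tos=(0x[0-9a-fA-F]{2})")


def parse_line(line):
    """Parse one summary line into SynFields; raise ValueError if malformed."""
    m = _LINE.search(line)
    if not m:
        raise ValueError(f"unparseable summary line: {line!r}")
    return SynFields(int(m[1]), int(m[2]), m[3] == "1", int(m[4], 16))


def guess_initial_ttl(observed):
    """Smallest common starting TTL that is >= the observed value."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t
    return observed


def fingerprint(fields):
    """Return (label, estimated_hops); label is 'unknown' when no signature matches."""
    initial = guess_initial_ttl(fields.ttl)
    hops = initial - fields.ttl
    label = SIGNATURES.get((initial, fields.window, fields.df, fields.tos), "unknown")
    return label, hops


# Constructed sample lines (not from a real capture).
SAMPLE_LINES = [
    "ttl=57 win=65535 df=1 tos=0x00",   # 7 hops from a TTL-64 host
    "ttl=119 win=8192 df=1 tos=0x00",   # 9 hops from a TTL-128 host
    "ttl=60 win=5840 df=1 tos=0x00",    # no matching signature
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line, "->", fingerprint(parse_line(line)))
```

The hop estimate that falls out of the TTL normalisation is useful on its own: a host whose guessed OS or hop count suddenly changes while its address stays the same is worth a look, since it may be a rebuilt machine, a new device on a reused address, or something answering on a host's behalf.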
Fortunately, traffic analysis can also be used as a defensive technique by identifying anomalies in traffic patterns. Using traffic analysis, administrators can baseline the traffic to and from hosts on the network over time, in a graphical format (line charts or other graphs). As a daily routine, the administrator can review these charts and see patterns in network activity to and from hosts and networks, including packet quantity, packet sizes, bandwidth utilization, connections per hour, etc. After becoming familiar with the baseline utilization of the network, an administrator will be able to quickly spot anomalies in connections between hosts and networks such as port-scans, DoS attacks, significant increases in bandwidth utilization, and other factors that might indicate hosts that are under attack or have become compromised.
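The defensive use of the same data, baselining and then spotting departures from the baseline, is shown in the following added example (not code from the article). It works from constructed flow records laid out as (hour, source, destination, destination port), which is an assumed format, and uses a median-based baseline so that one large spike does not pull the baseline up with it; the thresholds are likewise assumptions.

```python
"""Baseline per-host connection counts by hour and flag anomalies;
separately flag port-scan-like fan-out. Added example, not code from the
article. The flow record layout (hour, src, dst, dst_port) and the
thresholds are assumptions; flows below are constructed, not real."""
from collections import defaultdict
from statistics import median


def hourly_counts(flows):
    """Map (src, hour) -> number of connections started in that hour."""
    counts = defaultdict(int)
    for hour, src, _dst, _dport in flows:
        counts[(src, hour)] += 1
    return counts


def anomalous_hours(flows, host, k=3.0):
    """Hours in which `host` opened far more connections than its usual level.

    Baseline is the median and median absolute deviation (MAD) of the hourly
    counts, which a single spike does not drag upward the way a mean would.
    The floor of 1.0 on the scale keeps a perfectly flat baseline from
    flagging trivial changes (assumption)."""
    counts = hourly_counts(flows)
    series = {h: c for (s, h), c in counts.items() if s == host}
    if not series:
        return []
    values = list(series.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    threshold = med + k * max(1.4826 * mad, 1.0)   # 1.4826 scales MAD to a std-dev
    return sorted(h for h, c in series.items() if c > threshold)


def port_scan_sources(flows, min_ports=20):
    """Sources that touched >= min_ports distinct ports on one destination."""
    ports = defaultdict(set)
    for _hour, src, dst, dport in flows:
        ports[(src, dst)].add(dport)
    return {src for (src, _dst), ps in ports.items() if len(ps) >= min_ports}


# Constructed flow records: (hour_of_day, src, dst, dst_port).
FLOWS = []
for hour in range(24):                      # normal day: 9-11 connections/hour
    FLOWS += [(hour, "10.0.0.5", "10.0.0.20", 443)] * (9 + hour % 3)
FLOWS += [(14, "10.0.0.5", "203.0.113.9", 8080)] * 189   # burst at 14:00
FLOWS += [(3, "10.0.0.99", "10.0.0.7", port) for port in range(1, 41)]  # scan

if __name__ == "__main__":
    print("anomalous hours for 10.0.0.5:", anomalous_hours(FLOWS, "10.0.0.5"))  # [14]
    print("port-scan sources:", port_scan_sources(FLOWS))  # {'10.0.0.99'}
```

In practice the baseline would be built over days or weeks of flow records rather than one day, and the same two functions apply unchanged to bytes per hour or packets per hour, which catches the bandwidth jumps the paragraph mentions.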
These days there are a number of freeware and commercial tools that can perform passive operating system fingerprinting. Not only can they identify the OS, but they are often able to track the versions of operating systems.
===
1. http://en.wikipedia.org/wiki/Traffic_analysis
2. http://www.securityfocus.com/infocus/1843
3. http://www.cert.org/flocon/2005/presentations/Wagner-HeavyHitters-FloCon2005.pdf
4. http://insecure.org/nmap/osdetect/
5. https://www.sourcefire.com/products/3D/rna
6. http://www.tenablesecurity.com/products/pvs.shtml
7. http://lcamtuf.coredump.cx/p0f.shtml
8. http://www.honeynet.org/papers/finger/
9. http://www.cip.umd.edu/reports/ISOO_report_final.pdf


