- Don Parker
Understand your enemy, and you'll know how to stop him. When I "discovered" the packet-crafting tool Hping, I gained real insight into precisely how the bad guys attack networks...and how to stop them cold.
Hping is a TCP/IP packet assembler/analyzer, running on most *nix versions. It supports various protocols, including TCP, UDP and ICMP. Good guys commonly use it to scan ports for holes that bad guys try to exploit. It's also useful for testing network machines by firing precompiled exploits at them.
But Hping's packet-crafting function is what really opened my eyes. As a network security analyst for a large organization, I thought I understood TCP/IP pretty well -- certainly enough to perform my day-to-day job. But actually getting under the hood and assembling packets gave me an in-depth understanding of the protocol. More importantly, I understood precisely how attackers -- the really skilled ones -- practice their craft.
This is more than just an academic exercise. Hping allows you to manipulate the various values in a TCP/IP header -- window size, time to live (TTL), packet size, etc. Once I gained intimate knowledge of the TCP/IP packet metrics for various OSes, I could recognize imperfectly forged packets. The flaws gave away the forgery, and helped me spot scanning or attacks on my network.
Consider my real-life example. When I investigate an IDS alarm, I invariably look at the packet itself. Armed with my new knowledge, I can see if a specific window size doesn't match a TTL value. This is a hacker trick used to obfuscate his OS while scanning a network. Knowing this tells me I'm dealing with a crafted packet and, therefore, an attacker who has some real talent, not some script-kiddie flinging stuff he barely understands. I'll watch this fellow pretty closely, and exclude his IP address at the border gateway to deter him.
Before using Hping, I would see these mismatched values, but couldn't be sure what they meant. Now, I can peek over the shoulder of a black hat hacker and see how he goes about his business. I can actually see just how the pinpointed scans and attacks on networks are done.
I learned, for example, how hackers do "inverse mapping" to scan for live hosts and, therefore, how to spot it. Here's how it works: The attacker crafts a packet with the reset flag set and a specified range of ports to scan. If the hacker gets no response, he can assume the host is alive. If he receives an "ICMP host unreachable" message, he knows the IP address is not in use. Now that I know how to spot these reset packets hitting my firewall and IDS, I know I'm being scanned and should brace for a possible attack.
Based on what I've learned, Hping can be an excellent tool for teaching students and junior analysts the inner workings of TCP/IP, the functions of various protocols, and what certain flag combinations signify.
For example, a rash of reset packets logged by an IDS is an indication of a scan by someone who knows the network's IP addresses or is spoofing addresses. I can use Hping to demonstrate exactly how this is done. Showing how an attack works rather than simply talking about it is a far more effective teaching method.
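One way to spot the reset sweeps described above in firewall or IDS records, shown as an added example that is not part of the original article. The record layout, the addresses and the `find_inverse_mapping` function with its `min_targets` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real traffic): (time, src, dst, proto, detail).
# For TCP, detail is the flag string; for ICMP, it is the message type.
PACKETS = [
    (1.0, "10.0.0.5", "198.51.100.7", "tcp", "S"),   # inside host opens a session
    (1.1, "198.51.100.7", "10.0.0.5", "tcp", "SA"),
    (9.0, "198.51.100.7", "10.0.0.5", "tcp", "R"),   # reset on a known flow: normal
    (20.0, "203.0.113.9", "10.0.0.1", "tcp", "R"),   # resets that match no prior flow
    (20.1, "203.0.113.9", "10.0.0.2", "tcp", "R"),
    (20.2, "203.0.113.9", "10.0.0.3", "tcp", "R"),
    (20.3, "203.0.113.9", "10.0.0.4", "tcp", "R"),
    (20.4, "10.0.0.254", "203.0.113.9", "icmp", "host-unreachable"),
    (20.5, "10.0.0.254", "203.0.113.9", "icmp", "host-unreachable"),
]

def find_inverse_mapping(packets, min_targets=3):
    """Flag sources whose unsolicited resets reach at least min_targets hosts."""
    seen_flows = set()               # address pairs that already exchanged non-RST TCP
    targets = defaultdict(set)       # source -> hosts hit by unsolicited resets
    unreachables = defaultdict(int)  # source -> ICMP host-unreachable replies sent to it
    for _ts, src, dst, proto, detail in packets:
        pair = frozenset((src, dst))
        if proto == "tcp" and "R" in detail:
            # A reset is only suspicious when no conversation preceded it.
            if pair not in seen_flows:
                targets[src].add(dst)
        elif proto == "tcp":
            seen_flows.add(pair)
        elif proto == "icmp" and detail == "host-unreachable":
            unreachables[dst] += 1
    return {
        src: {"targets": sorted(hosts), "unreachable_replies": unreachables[src]}
        for src, hosts in targets.items()
        if len(hosts) >= min_targets
    }

if __name__ == "__main__":
    for src, info in find_inverse_mapping(PACKETS).items():
        print(src, "reset sweep:", info)
```

The `unreachable_replies` count shows how many answers went back to the scanning source, which is the information the sweep is trying to collect; filtering outbound ICMP host-unreachable messages at the border removes that signal.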
About the author:
Don Parker is a network security analyst working for a large Ottawa-based organization.