File: udp-backoff-fingerprinting-paper.txt

package info (click to toggle)
ike-scan 1.9.4-2
  • links: PTS
  • area: main
  • in suites: buster
  • size: 5,104 kB
  • sloc: ansic: 10,991; sh: 884; perl: 148; makefile: 22
file content (263 lines) | stat: -rw-r--r-- 12,374 bytes parent folder | download | duplicates (5)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
NTA MONITOR UDP BACKOFF PATTERN FINGERPRINTING WHITE PAPER

Author:	Roy Hills
Date:	17 January 2003

This paper may be freely distributed providing that the contents are not
altered in any way.  The latest version is available at:
http://www.nta-monitor.com/tools/ike-scan/

1.  ABSTRACT

This paper discusses how it is possible to determine which implementation of
a UDP service is being used from the retransmission backoff pattern.  It
uses IKE (Internet Key Exchange) as an example UDP service which can be
identified in this way, although the technique may also be applicable to
other UDP services.

The paper also describes an example program called "ike-scan" which is able
to discover and identify IPsec VPN systems running IKE.  This program is
publicly available under the GNU Public License (GPL).  See
http://www.nta-monitor.com/tools/ike-scan/ for details.

2.  OVERVIEW

Although most services on the Internet use the TCP transport, some use UDP
instead.  Because UDP is not a reliable transport, it is up to the application
to provide the reliability itself if needed.  The main technique used to
ensure reliability is retransmission with backoff which allows the application
to tolerate lost or damaged packets.

Retransmission backoff involves re-sending a packet if a response is not
received from the peer within a given time, the assumption being that
the original packet must have been lost or damaged in transit.  There are
several variables involved with the retransmission strategy, including:

a) How long to wait before re-sending the packet?

b) How should the re-send delay change for subsequent packets, e.g. should
   the delay remain constant, or should it increase with each re-send.
   If the delay is to increase, what algorithm should be used (e.g. linear
   or exponential) and what parameters should be used?

c) How many packets should be sent before giving up?

Often, the exact retransmission strategy is not specified by the relevant
standard which means that each developer will typically choose their own
scheme.  Because there are a number of variables involved, and there is no
"obviously correct" choice of strategy, this results in most implementations
having distinct backoff patterns or "fingerprints".  This distinctive
fingerprint could be used to determine which vendor's implementation is
being used.

Potentially any UDP based service which needs to implement reliable data
transfer and does not have the retransmission strategy defined by the
appropriate standard may be subject to identification through this
backoff fingerprinting method.  The specific UDP service which has been
investigated in detail is IKE.

For IKE, the use of retransmission is mandated by RFC 2408 (ISAKMP - the
protocol framework used by IKE) Section 5.1 but the exact backoff strategy is
not defined.  RFC 2408 suggests basing the retransmission times on measured
round-trip times.  However this is not practical for the first transmitted
packet because there are no previous round-trip times to use.  It is first
packets transmitted by the VPN server which are used by the "ike-scan" program
to determine the backoff fingerprint.

The retransmission and backoff strategy for various different IKE
implementations has been studied, and it has been found that:

a) Most, if not all, IPsec VPN vendor implementations have different
   IKE retransmission and backoff strategies; and

b) It is possible to reliably match these patterns to determine which
   IKE implementation a particular host is using.

Sometimes the backoff pattern changes from one version of a product to
another which provides more information and allows different versions of
a particular implementation to be distinguished from each other.

3.  ISSUES

Although just being able to discover an IPsec VPN system running IKE
and determine which IKE implementation it is using is not a vulnerability
in itself, this information can be valuable to a potential attacker.

For example, knowing that there is an XYZ brand of VPN server at a
given address could prompt an attacker to download the appropriate VPN
client and try some username/password guessing.  Alternatively, the
attacker could search for known vulnerabilities associated with the XYZ
VPN server.

Some IKE implementations don't log IKE activity if the handshake does
not complete.  Because it is not necessary to complete the IKE handshake
to discover and fingerprint the system, these systems will not log the
scanning activity and their owners will not be aware that their system has
been scanned.  "ike-scan" does not complete the IKE handshake and can therefore
be used to check if a given implementation will log this sort of scanning.

This choice not to log if the handshake doesn't complete, and particularly
if the initial cookie exchange does not complete, may be based on the
recommendation in RFC 2408 section 1.7.1 that "A 'cookie' ... is aimed at
protecting the computing resources from attack without spending excessive
CPU resources ..." i.e. nothing "expensive" should be done until the cookie
exchange completes.  Although this is normally taken to apply to the
CPU-intensive cryptographic functions, it could also be applied to logging
if log storage were considered expensive.  On the other hand, RFC 2408
section 5.1 says that "If the retry counter reaches zero (0), the event,
RETRY LIMIT REACHED, MAY be logged in the appropriate system audit file".
This would also apply when a system is scanned.  In summary, the RFC seems
to leave the choice to log or not up to the implementation.

In the course of performing many security assessments and penetration
tests for customers, we have found that VPN systems often provide full
access to the internal network which makes them tempting targets to an
attacker.  In addition, many people assume that their VPN servers are
invisible and impenetrable which is a dangerous assumption given that
the "ike-scan" program shows that IPsec VPN systems can be discovered and
identified.  When this potential for discovery and identification is combined
with the fact that several VPN vulnerabilities have been discovered in the
past few months, it would seem to be only a matter of time before hackers
start to target VPN systems.

The aim of this white paper and the associated "ike-scan" program is to
demonstrate the problem so that it is understood by the security community
and VPN vendors.  The program also allows organisations to test their own
networks to see what information a hacker could discover and close any
holes before they can be exploited.

4.  EXAMPLE PROGRAM

The program "ike-scan" demonstrates detection and identification of IPsec
VPN systems.  The backoff patterns are stored in a text file which makes
it easy to add new patterns as they are discovered.

This program is available for free download from:
http://www.nta-monitor.com/tools/ike-scan/

ike-scan sends an initial IKE main-mode packet to each of the specified
hosts and records all the responses returned.  It will display the responses
received which discovers which hosts are running IKE and will return a
response (most IKE implementations will respond in the default configuration,
but not all).  It can also record and display the retransmission backoff
pattern for each responding host and attempt to match this pattern against
a database of known patterns to "fingerprint" the IKE implementation.

The program handles retry and retransmission with backoff to cope with packet
loss.  It also limits the amount of bandwidth used by the outbound IKE packets.

The IKE packet exchange between ike-scan and a VPN server which returns a
handshake response is shown below:

Packet No.	ike-scan		VPN Server
----------	--------		----------

      1		Header, SA 	--->
      2				<---	Header, SA
      3				<---	Header, SA
      4				<---	Header, SA

In this packet exchange, the ike-scan program sends a packet containing
a Header and an SA (Security Association) to the VPN server.  The VPN server
then responds with a Header and SA.  ike-scan records the time of this
response packet for later fingerprinting, but it does not respond to it.
Because the VPN server does not receive a response from ike-scan, it assumes
that the packet must have been lost, so it re-sends the packet after a
delay.  As the VPN server never received any response from ike-scan, it keeps
resending the same packet using its retransmission strategy until it gives
up.

When the last packet has been received from the VPN server, ike-scan has
the receive times for all of the packets.  These receive times can be used
to display the retransmission strategy and also attempt to match this
strategy against known strategies.

An example run of the program is shown below:

$ ike-scan --showbackoff 172.16.2.2 10.0.1.98
Starting ike-scan v1.0 with 3 hosts (http://www.nta-monitor.com/ike-scan/)
172.16.2.2	IKE Handshake returned (1 transforms)
10.0.1.98	IKE Handshake returned (1 transforms)

IKE Backoff Patterns:

IP Address	No.	Recv time		Delta Time
172.16.2.2	1	1042797936.905288	0.000000
172.16.2.2	2	1042797938.901378	1.996090
172.16.2.2	3	1042797940.904158	2.002780
172.16.2.2	4	1042797942.906987	2.002829
172.16.2.2	5	1042797944.909644	2.002657
172.16.2.2	6	1042797946.912480	2.002836
172.16.2.2	7	1042797948.915286	2.002806
172.16.2.2	8	1042797952.920635	4.005349
172.16.2.2	9	1042797956.926155	4.005520
172.16.2.2	10	1042797960.931677	4.005522
172.16.2.2	11	1042797964.937201	4.005524
172.16.2.2	12	1042797968.942691	4.005490
172.16.2.2	Implementation guess: Firewall-1 4.1/NG

10.0.1.98	1	1042797937.070152	0.000000
10.0.1.98	2	1042797952.061102	14.990950
10.0.1.98	3	1042797967.064137	15.003035
10.0.1.98	Implementation guess: Cisco IOS / PIX

In the above example, the ike-scan program was run with the --showbackoff
option against the two hosts 172.16.2.2 and 10.0.1.98.  The program first
discovers that both hosts are running IKE and that both of them will return
an IKE handshake response as shown by the "IKE Handshake returned". lines.

The program then records and displays the retransmission backoff pattern that
the VPN servers use when re-sending its response to the IKE packet sent by
ike-scan.  The pattern responses contain the following four columns:

IP Address	The IP address of the VPN server that this pattern relates to.

No.		The number of the response packet from this host with the
		first response packet being 1.

Recv time	The time when this response packet was received.  This time
		is shown as the number of seconds and microseconds since
		midnight on Jan 1, 1970 (the Epoch used by Unix systems).

Delta Time	The difference between the time when this response packet was
		received and the time when the previous response packet was
		received.  This is always zero for the first response packet.
		The difference is shown in seconds and microseconds.

5.  CONTACT ADDRESS

Please send any questions or comments to ike-scan@nta-monitor.com
See the ike-scan homepage at: http://www.nta-monitor.com/tools/ike-scan/

6.  GLOSSARY OF TERMS

IKE	Internet Key Exchange.  The protocol used by IPsec to exchange keys
	and authenticate the users or devices at either end of the VPN.  IKE
	is defined in RFC 2409.

IPsec	Internet Protocol SECurity, security functions (authentication and
	encryption) implemented at the IP level of the protocol stack.  Most
	VPN implementations use IPsec.

TCP	Transmission Control Protocol.  The most common transport protocol in
	the TCP/IP protocol suite.  TCP is a reliable protocol.  TCP is
	defined in RFC 761.

UDP	User Datagram Protocol.  One of the transport protocols in the TCP/IP
	protocol suite.  UDP is an unreliable protocol, that is UDP does not
	guarantee data delivery.  UDP is defined in RFC 768.

VPN	Virtual Private Network.  Allows local area networks to communicate
	across public networks such as the Internet, typically over an
	encrypted channel.

RFC	Request for Comments.  The standards documents for Internet protocols.
	RFCs are available from http://www.ietf.org/rfc.
	The RFCs relating to IKE are:
	RFC 2407 - The Internet IP Security Domain of Interpretation for ISAKMP
	RFC 2408 - Internet Security Association and Key Management Protocol
	RFC 2409 - The Internet Key Exchange (IKE)

Cookie	A unique 64-bit value used by IKE to identify peers and prevent some
	Denial of service attacks.