X.25 network tracing for Internet users

Dennis Jackson
JANET-CERT Coordinator
UKERNA, Atlas Centre, Chilton, Didcot, Oxfordshire OX11 0QS, UK
Tel: +44 235 445375   Fax: +44 235 445125
D.Jackson@ukerna.ac.uk

Abstract

Hackers use X.25 networks to attack computer systems around the world. In The Cuckoo's Egg Clifford Stoll describes many difficulties in tracing attackers coming across the public X.25 network. There are techniques a system administrator can use to identify the origin of the attacks and follow the actions of the intruders. This paper describes some of these techniques - techniques that have been used to trace and apprehend computer criminals.

Introduction

Many Internet users seem to view X.25 networks as mysterious: an alien invention used only by telecommunications carriers to achieve international connectivity. It is true that X.25 technology has been used to construct the most pervasive data network. The global public data network formed by the PTTs connects at least 95 different countries.

Internet administrators may assume that tracing attackers across an X.25 network is almost impossible. The descriptions given in Clifford Stoll's book The Cuckoo's Egg reinforce this impression. In chapter 29 he describes the process of contacting Ron Vivier at Telenet, who then contacts Steve White, and so on back to Hannover in Germany. In reality, tracing attacks across an X.25 network is as easy (or as difficult) as on a TCP/IP network.

It should be remembered that it is not just the global public data network that uses X.25. There are many private and corporate networks that also use X.25. Some of the techniques described here are equally applicable to private networks.

Dealing with attacks that take place across an X.25 network needs the ability to
- monitor the traffic
- check the system logs
- identify the origin and target of calls

The Hidden Origin

Public X.25 network addresses are treated as "ex-directory". That is, there is no published list of subscribers and their corresponding network numbers. This creates the problem that the origin or target of attacks cannot be readily identified. The network provider can translate numbers to names but will not divulge this information to an ordinary system administrator - especially a system administrator in another country. Law enforcement officers can usually obtain such information for connections in their own area. But a single intrusion can yield dozens of numbers that may need identifying, and translating international numbers can be almost impossible.

It is known that hackers maintain lists of names and network addresses. They use these to choose new victims. Anything that can be done to simplify the translation of numbers to names will speed the work of someone investigating an attack.

Technical Background

Both TCP/IP and X.25 networks use packet switching techniques to transmit data between end systems. The major difference between these systems is architectural. TCP/IP networks are usually described as connectionless, while X.25 networks provide a connection-mode service. Connectionless communication can be likened to the postal service, where each packet is independent of all others.[1] Connection-mode networks are similar to the telephone system, where an initial dialogue (with the network) establishes a connection to the remote party.

This difference has important consequences for the carriage of addressing information within the network. Every IP packet carries the source and destination address. In contrast, in X.25 only the initial packet carries the addressing information.[2] Subsequent X.25 packets carry a channel number assigned at the start of the connection. This logical channel number (LCN) is similar to the port number chosen by the user's end and carried in the TCP header.

Another difference between X.25 and TCP/IP is that every X.25 data packet carries a sequence number. The X.25 sequence numbers are used to ensure that the remote system receives the packets in the same order that they were sent.

Channel Numbers

The logical channel number assigned at the start of the connection is local to each link in the network. Thus the channel number used between the originating system and the network will be different from the LCN used between the network and the target computer. As an example, Figure 1 shows the logical channel numbers used on each link in a typical situation.

[Figure 1: logical channel numbers on each link of a call]

One benefit of channel numbers is that it is relatively easy to identify all the packets that make up a particular session. Once the call has connected and the logical channel number has been assigned, all subsequent packets in that call will have the same channel number. Use of the channel number and packet sequence number together ensures that a complete transcript of a session can be extracted from the X.25 data stream.

Monitoring

The use of channel numbers rather than addresses presents an obvious problem. Simply tapping the wires and monitoring the session of the hacker will identify neither the victim nor the origin of the perpetrator: the individual packets passing back and forth contain only the logical channel number. It is necessary to monitor the call being established to obtain the two network addresses.

Many devices are available that can monitor, record and display data from a line carrying X.25 traffic. Some of these protocol analysers are dedicated devices, while others are add-on boards and software for personal computers. These devices exist to aid the analysis and resolution of faults. As a result some are not suited to the extraction of a session transcript from the data stream. An example of the basic output from a protocol analyser is shown in Appendix C.

Computer systems often have the potential for recording a transcript of every packet sent or received on the network interface. Obviously, recording all packets like this will collect huge amounts of data. Such techniques must be used with care to ensure that the filestore is not exhausted.

Digital VAX/VMS

VMS includes extensive facilities for recording and analysing packets sent and received on the network connections. The command

    $ TRACE /PSI

starts collection of a trace of the data on a link to an X.25 network.[3] To avoid the tracing being made too obvious, the process name should be set with the /PROCESS_NAME option. Similarly, the name of the output file should be changed with /OUTPUT. Collection of the trace data is terminated by the command

    $ TRACE STOP

Display of the trace data is performed by the command

    $ TRACE ANALYSE

This command expands the data into individual packets and decodes their contents. An example of the output from this command is given in Appendix D.

SunOS

The X.25 software from Sun Microsystems can record all packets sent and received on the network interface. The command to start collection of this log[4] is

    % /usr/sunlink/x25/x25trace

The trace is stopped by interrupting the command or killing the process. When monitoring a hacker the name and path of the command should be changed so that the trace process is not obvious in the output of ps(1).

DG/UX

On Data General systems the command

    % /usr/bin/x25trace

obtains the raw trace data. Although the information is readable it is not decoded and is just produced as hexadecimal text. The command

    % /usr/bin/x25decode

can be used to translate the hexadecimal trace data into individual packet types.

Network Records

The network equipment has the potential for recording details of all calls across the network. For a public data network, records will be kept to enable bills to be produced and customers charged for their usage. However, the information gathered for billing purposes is not needed in real time. Not all equipment has the potential for displaying details of active calls. Thus it may be necessary to tap the wires and use a line monitor to gather real time information.

The target computer also has the potential for recording details of all calls it sends and receives. However, in common with other records, computers are often installed with this logging disabled.

Digital VAX/VMS

As an example, the software for VMS to connect it to an X.25 network is PSI (Packetnet System Interface). The PSI log records details of all activity on the link to the X.25 network - incoming and outgoing, bulk and interactive. By default, the log of PSI activity is switched off. The command

    $ @SYS$MANAGER:PSIACCOUNTING ON

needs to be issued by the system manager to activate collection of this log. Once collected, the details are displayed by the command[5]

    $ ACCOUNTING /PSI

An example of the output from this command is shown in Appendix E. Like other VMS logs the PSI records are held in a structured file and the information stored as binary data. The command ACCOUNTING /PSI can also act as a filter and thereby select only the records of interest.

SunOS

Sun Microsystems' X.25 software records the different types of activity in separate logs.[6] Records of incoming interactive calls are held in /var/adm/x29serverlog. If the system is used as a staging point and outgoing interactive calls are made, then the details are recorded in /usr/tmp/x29userlog. Both x29serverlog and x29userlog are simple text files. The data can be browsed, edited, and printed using standard utilities. Examples of these logs are given in Appendix E & F.

Network Addresses

A common task when investigating attacks on an X.25 network is identifying the source and target of the activity. IP networks use a 32-bit field to carry addressing information. This field is treated as four binary octets, and written as four decimal numbers separated by periods. X.25 packets have an address field that can hold a maximum of 15 decimal digits.[7] In the packet each digit is binary encoded and held in a semi-octet.
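The following is an added example, not code from the paper, of what the session-extraction step described in the Channel Numbers and Monitoring sections involves when done on a raw packet trace: it reads the 12-bit logical channel number from every packet, takes the calling and called addresses (semi-octet encoded, as just described) only from the Call Request, groups data packets by channel, and counts P(S) discontinuities as packets missing from the capture. The trace is constructed here; the two addresses reuse Stoll's Datex-P number and the JANET gateway number quoted in Appendix B, and the channel whose call set-up was not captured ends up with no addresses at all, which is exactly the problem the Monitoring section warns about.

```python
"""Added example: pull addresses and a session transcript out of a raw X.25 trace."""
from dataclasses import dataclass, field

CALL_REQUEST = 0x0B   # packet type identifier: Call Request / Incoming Call
GFI_MOD8 = 0x10       # general format identifier, modulo-8 sequence numbering

def bcd_digits(block: bytes, count: int, first: int = 0) -> str:
    """Read `count` decimal digits held one per semi-octet, high nibble first."""
    nibbles = [n for octet in block for n in (octet >> 4, octet & 0x0F)]
    return "".join(str(n) for n in nibbles[first:first + count])

def parse_packet(pkt: bytes) -> dict:
    """Decode the 3-octet header; only the Call Request carries the address block."""
    lcn = ((pkt[0] & 0x0F) << 8) | pkt[1]   # logical channel group + number (12 bits)
    ptype = pkt[2]
    if ptype & 0x01 == 0:                    # bit 1 clear: DATA packet
        return {"lcn": lcn, "kind": "data", "payload": pkt[3:],
                "ps": (ptype >> 1) & 0x07,   # send sequence number P(S)
                "pr": (ptype >> 5) & 0x07}   # receive sequence number P(R)
    if ptype == CALL_REQUEST:
        calling_len, called_len = pkt[3] >> 4, pkt[3] & 0x0F
        called = bcd_digits(pkt[4:], called_len)        # called address is packed first
        calling = bcd_digits(pkt[4:], calling_len, first=called_len)
        return {"lcn": lcn, "kind": "call_request", "called": called, "calling": calling}
    return {"lcn": lcn, "kind": "control"}   # call accepted, clear, RR/RNR, ...

@dataclass
class Session:
    called: str = ""   # stays empty when the call set-up was not in the capture
    calling: str = ""
    data: bytearray = field(default_factory=bytearray)
    gaps: int = 0      # P(S) discontinuities: packets missing from the trace
    next_ps: int = 0

def extract_sessions(trace) -> dict:
    """Group one direction of a trace by LCN and rebuild each channel's transcript."""
    sessions = {}
    for raw in trace:
        p = parse_packet(raw)
        s = sessions.setdefault(p["lcn"], Session())
        if p["kind"] == "call_request":
            s.called, s.calling = p["called"], p["calling"]
        elif p["kind"] == "data":
            s.gaps += p["ps"] != s.next_ps
            s.next_ps = (p["ps"] + 1) % 8
            s.data += p["payload"]
    return sessions

def build_call_request(lcn: int, called: str, calling: str) -> bytes:
    """Encode a Call Request: header, address-length octet, packed digits, no facilities."""
    digits = called + calling + ("0" if (len(called) + len(calling)) % 2 else "")
    packed = bytes(int(digits[i]) << 4 | int(digits[i + 1]) for i in range(0, len(digits), 2))
    head = bytes([GFI_MOD8 | lcn >> 8, lcn & 0xFF, CALL_REQUEST, len(calling) << 4 | len(called)])
    return head + packed + b"\x00"

def build_data(lcn: int, ps: int, pr: int, payload: bytes) -> bytes:
    return bytes([GFI_MOD8 | lcn >> 8, lcn & 0xFF, (pr << 5) | (ps << 1)]) + payload

# Constructed trace, caller's direction only (the reverse direction has its own P(S)).
# LCN 0x012: Stoll's Datex-P number calling the JANET gateway number from Appendix B,
# with P(S)=3 deliberately absent.  LCN 0x077: a channel whose set-up was not captured.
TRACE = [
    build_call_request(0x012, "234219200100", "2624542104214"),
    build_data(0x012, 0, 0, b"hunter\r"),
    build_data(0x077, 0, 0, b"unrelated traffic"),
    build_data(0x012, 1, 1, b"ls -l\r"),
    build_data(0x012, 2, 2, b"who\r"),
    build_data(0x012, 4, 3, b"logout\r"),
]
```

A real line tap sees both directions on the same LCN, each with its own P(S) sequence, so a production tool keeps one Session per (LCN, direction) pair.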
International Numbers

The X.25 standard places no limitation on how many of the address digits are used or how they are allocated. However, for public data networks the CCITT Recommendation X.121 provides some definitions. X.25 addresses on the public networks are limited to a maximum of 14 digits. X.121 also defines the first four digits as the Data Network Identification Code (DNIC). Of these four digits, the first three identify the country while the fourth digit distinguishes a specific network within the country. The use of any subsequent digits is left to the discretion of the network administration in each country. Details of all country codes and known DNICs are given in Appendix A.

In Clifford Stoll's case the calls were coming in from the address 2624542104214.[8] The first four digits, 2624, indicate the Datex-P network in Germany. However, the contact in Telenet International was unable to translate the rest of the digits and identify the town as Hannover.

National Numbers

Although not necessary, most networks define a fixed number of digits to identify each connection point. It would be possible to use a variable number of digits, with large organisations identified by a small number of digits and vice versa, and any additional digits up to the maximum being dealt with by the attached equipment. This arrangement would be similar to the Class A, B, and C networks on the Internet. Fortunately, most public X.25 networks use a fixed number of digits to identify customer connections. For example, in the USA Telenet uses 12, in Germany Datex-P uses 13, Datapac in Canada 12, etc. Where known, the length of network addresses is detailed in Appendix B.

Area Codes

Each network will need a mechanism for assigning X.25 addresses to subscribers. They could allocate 000001 to the first customer, 000002 to the second, and so on. However, this will cause technical problems - each switch in the network will need to know how to route calls for every number.

Most networks around the world have chosen to allocate numbers on a regional basis. That is, some portion of the number identifies a physical area. Customers in the same geographical region will have similar numbers. This is the same technique as that used to assign telephone numbers. If details of these area codes are known then it enables network addresses to be narrowed down to individual towns. Experience has shown that many X.25 network providers have chosen to use exactly the same area codes as the telephone network. Details of the area codes (including real examples) are listed in Appendix B.

As an example, Clifford Stoll's number 2624542104214 can be translated as

    262     Germany (formerly known as Federal Republic of Germany or West Germany)
    4       Datex-P (operated by Bundespost)
    5       Permanent connection (in contrast to a dial-up account)
    42      Hannover area code
    104214  subscriber number

Bibliography

Recommendation X.121, International Numbering Plan for Public Data Networks, CCITT, 1988.
Clifford Stoll, The Cuckoo's Egg, Doubleday, 1989, ISBN 0-370-31433-6.
VAX PSI Volume 1 Problem Solving Guide, Digital Equipment Corporation.

Appendix A

The list of country codes is taken from the latest (1988) revision of CCITT Recommendation X.121; political events around the world will probably result in changes during the 1992 study period.
Non-zoned systems

    1111  Atlantic Ocean (INMARSAT Mobile satellite data transmission system)
    1112  Pacific Ocean (INMARSAT Mobile satellite data transmission system)
    1113  Indian Ocean (INMARSAT Mobile satellite data transmission system)

Country or geographical areas (country code and country, followed by DNIC and network)

    202  Greece: 2022 Helpac; 2023 -
    204  Netherlands: 2041 Datanet 1; 2043 Euronet (ceased)
    206  Belgium: 2062 DCS; 2063 Euronet (ceased)
    208  France: 2080 Transpac; 2080 Dompac (French Antilles); 2080 Dompac (French Guiana); 2080 Transpac (Reunion)
    212  Monaco: 2120 -
    214  Spain: 2141 TIDA; 2145 Iberpac
    216  Hungarian People's Republic: 2160 Datex-L; 2161 -
    218  German Democratic Republic
    220  Yugoslavia: 2201 Yupac
    222  Italy: 2222 Itapac; 2223 Euronet (ceased); 2227 Italcable
    226  Romania
    228  Switzerland: 2283 Euronet (ceased); 2284 Telepac; 2289 Data-Link
    230  Czechoslovak Socialist Republic
    232  Austria: 2322 Datex-P; 2329 Radio Austria
    234  United Kingdom of Great Britain and Northern Ireland: 2341 -; 2342 PSS (British Telecom); 2343 Euronet (ceased); 2348 gateway to BT's telex network
    235  United Kingdom of Great Britain and Northern Ireland: 2350; 2351 MDNS (Mercury); 2352 (Hull Telephone Company)
    236  United Kingdom
    237  United Kingdom
    238  Denmark: 2382 Datapak; 2383 Datapak
    240  Sweden: 2402 Datapak; 2403 -; 2405 Telepak
    242  Norway: 2422 Datapak
    244  Finland: 2442 Datapak; 2443 Digipak
    250  Union of Soviet Socialist Republics: 2502 Iasnet
    260  Poland
    262  Germany: 2623 Euronet (ceased); 2624 Datex-P
    266  Gibraltar
    268  Portugal: 2680 Telepac
    270  Luxembourg: 2703 Euronet (ceased); 2704 Luxpac
    272  Ireland: 2723 Euronet (ceased); 2724 Eirpac
    274  Iceland: 2740 Icepac
    276  Albania
    278  Malta: 2782 Maltapac
    280  Cyprus: 2802 Cytapac
    284  Bulgaria: 2841 -
    286  Turkey: 2862 -; 2863 Turpac
    288  Faroe Islands: 2882 Faroepac
    290  Greenland
    292  San Marino: 2922 X-Net SMR
    302  Canada: 3020 Datapac; 3025 Globedat; 3028 Infoswitch
    308  St. Pierre and Miquelon
    310  United States of America: 3100 -; 3101 WUTCO; 3103 ITT-UDTS; 3104 MCII-Impacs; 3106 Tymnet; 3107 ITT-UDTS
    311  United States of America: 3110 Telenet; 3113 RCA-LSDS; 3119 TRT-Datapak
    312  United States of America: 3124 FTCC; 3125 Telenet; 3126 Autonet
    313  United States of America: 3132 Compuserve; 3134 Accunet; 3135 Alaskanet; 3136 Marknet
    314  United States of America: 3140 SNET; 3141 PDN (Bell Atlantic); 3142 Pulselink (Bellsouth); 3143 PSN (Ameritech); 3144 Infopath (Nynex); 3145 PPS (Pacific Telesis); 3146 Microlink II (Southwestern Bell); 3147 Digipac (USWest); 3148 Pulsenet (Cincinnati Bell); 3149 Wangpac
    315  United States of America: 3150 Globenet; 3152 Hawaii
    316  United States of America
    330  Puerto Rico: 3300 -
    332  Virgin Islands
    334  Mexico: 3340 Telepac
    338  Jamaica: - -
    340  French Antilles: 3400 Dompac
    342  Barbados: 3420 -
    344  Antigua and Barbuda: - -
    346  Cayman Islands: - C and W
    348  British Virgin Islands
    350  Bermuda: 3503 Bermudanet
    352  Grenada
    354  Montserrat
    356  St. Kitts
    358  St. Lucia
    360  St. Vincent and the Grenadines
    362  Netherlands Antilles
    364  Bahamas: - IDAS
    366  Dominica
    368  Cuba: - -
    370  Dominican Republic: 3701 -
    372  Haiti
    374  Trinidad and Tobago: 3740 Datanett; 3745 Texdat
    376  Turks and Caicos Islands
    404  India: 4042 GPSS
    410  Pakistan
    412  Afghanistan
    413  Sri Lanka
    414  Burma
    415  Lebanon
    416  Jordan
    417  Syrian Arab Republic
    418  Iraq
    419  Kuwait: - -
    420  Saudi Arabia: 4201 Alwaseet
    421  Yemen Arab Republic
    422  Oman: - -
    423  Yemen
    424  United Arab Emirates: 4243 Emdan
    425  Israel: 4251 Isranet
    426  Bahrain: 4263 Bahnet
    427  Qatar: - Dohpak
    428  Mongolian People's Republic
    429  Nepal
    430  United Arab Emirates (Abu Dhabi)
    431  United Arab Emirates (Dubai): 4310 -
    432  Iran
    440  Japan: 4400 Global VAN; 4401 DDX-P; 4403 ENS; 4406 Network Info Service; 4408 Venus-P
    441  Japan: 4410 NI+C International; 4411 K-Net
    450  Korea: 4501 Dacom-Net
    452  Viet Nam
    454  Hong Kong: 4542 IDAS; 4545 Datapak
    455  Macao
    456  Democratic Kampuchea
    457  Lao People's Democratic Republic
    460  China: - -
    467  Democratic People's Republic of Korea
    470  Bangladesh
    472  Maldives
    487  Taiwan: 4872 Pacnet; 4877 UDAS
    502  Malaysia: 5021 Maypac
    505  Australia: 5052 Austpac; 5053 Data Access
    510  Indonesia: 5101 SKDP
    515  Philippines: 5151 Capwire; 5156 ETPI; - GMCR; - Philcom
    520  Thailand: - IDARC
    525  Singapore: 5252 Telepac
    528  Brunei Darussalam
    530  New Zealand: 5301 Pacnet
    535  Guam: -
    536  Nauru
    537  Papua: - PNGpac
    539  Tonga
    540  Solomon Islands
    541  Vanuatu: 5410 ViaPac
    542  Fiji
    543  Wallis and Futuna Islands
    544  American Samoa
    545  Kiribati
    546  New Caledonia and Dependencies: 5460 Tompac
    547  French Polynesia: 5470 Tompac
    548  Cook Islands
    549  Western Samoa
    602  Egypt: - Arento
    603  Algeria
    604  Morocco
    605  Tunisia: 6050 Red25
    606  Libya
    607  Gambia
    608  Senegal: 6081 Senpac
    609  Mauritania
    610  Mali
    611  Guinea
    612  Cote d'Ivoire: 6122 Sytranpac
    613  Burkina Faso
    614  Niger: 6142 Nigerpac
    615  Togolese Republic: 6152 Togopac
    616  Benin
    617  Mauritius: 6170 Mauridata; 6171 Mauridata
    618  Liberia
    619  Sierra Leone
    620  Ghana
    621  Nigeria
    622  Chad
    623  Central African Republic
    624  Cameroon
    625  Cape Verde
    626  Sao Tome and Principe
    627  Equatorial Guinea
    628  Gabonese Republic: 6282 Gabonpac
    629  Congo
    630  Zaire
    631  Angola
    632  Guinea-Bissau
    633  Seychelles
    634  Sudan
    635  Rwandese
    636  Ethiopia
    637  Somali Democratic Republic
    638  Djibouti: 6382 Djipac
    639  Kenya
    640  Tanzania
    641  Uganda
    642  Burundi
    643  Mozambique
    645  Zambia
    646  Madagascar
    647  Reunion
    648  Zimbabwe: 6482 Zimnet
    649  Namibia: 6490 Swanet
    650  Malawi
    651  Lesotho
    652  Botswana
    653  Swaziland
    654  Comoros
    655  South Africa: 6550 Saponet
    702  Belize
    704  Guatemala: - Guatel
    706  El Salvador
    708  Honduras: - -
    710  Nicaragua
    712  Costa Rica: - Radiografica
    714  Panama: - Intelpaq
    716  Peru: 7160 Perunet
    722  Argentine Republic: 7222 Arpac
    724  Brazil: 7240 Interdata; 7241 Renpac
    730  Chile: 7302 Entel; 7303 Chilepac; 7305 Tomnet
    732  Colombia: - Dapaq
    734  Venezuela
    736  Bolivia
    738  Guyana
    740  Ecuador
    742  Guiana
    744  Paraguay
    746  Suriname
    748  Uruguay: 7482 Urupac
    933  France: 9330 Transpac; 9339 Transpac

Appendix B

These details of area codes within X.121 numbers are based on empirical evidence: the numbers allocated to real users and organisations.

Netherlands, Datanet-1, 11 digits
    2041a......      a = telephone area code
    20412900433      2 Amsterdam

Belgium, DCS, 10 digits
    2062a.....       a = telephone area code
    2062221012       2 Brussels

France, Transpac, 12 digits
    2080nn......     nn = administrative department code
    208034020258     34 Montpellier

Yugoslavia, Yupak, 12 digits
    2201aa......     aa = telephone area code
    220161140001     61 Ljubljana

Switzerland, Telepac, 11 digits
    2284.......

United Kingdom, PSS, 12 digits
    2342aaa.....     aaa = telephone area code
    234219200100     1920 London, Waterloo
    234231300102     31 Edinburgh
    234253300124     533 Leicester

USSR, Iasnet, 10 digits
    2502......

Federal Republic of Germany, Datex-P, 13 digits
    26244........    dial-up connection
    26245aaa.....    aaa = telephone area code
    26245221040006   221 Cologne
    26245300040023   30 Berlin

Portugal, Telepac, 12 digits
    2680........

Luxembourg, Luxpac, 11 digits
    2704.......

Irish Republic, Eirpac, 12 digits
    2724........
Canada, Datapac, 12 digits
    3020........

United States of America, Telenet, 12 digits
    3110aaa.....     aaa = telephone area code
    311041200670     412 Pittsburgh (Pa)

United States of America, Uninet
    3125aaa          aaa = telephone area code
    312530300007     303 Boulder (Colo)

United States of America, Accunet, 12 digits
    3134........

United States of America, Hawaii
    3152aaa          aaa = telephone area code

Japan, DDX-P, 11 digits
    4401.......

Japan, Venus-P, 12 digits
    4408........

Australia, Austpac, 12 digits
    5052a.......     a = telephone area code
    505233422000     3 Melbourne

New Zealand, Pacnet, 12 digits
    5301........

South Africa, Saponet, 12 digits
    6550........

United Kingdom, PSS, in more detail: 2342aaaabbbbxx
    aaaa   the area code; uses the same numbers as telephone dialling codes (without the leading zero)
    bbbb   allocated according to the type of service provided to the customer:
           <400   a fixed line to a computer
                  234219200100     Gateway to JANET at ULCC
                  234253200103     VAX 6310 at Maxwell Institute
           >=400  an account used for dial-up access
                  23421890042200   ICL General Information Systems dial-up account
    xx     optional sub-address digits; for an account used for dial-up access xx is always set to 00

Subscribers of fixed lines to PSS soon after the service started were allocated numbers with repeated or easily remembered sequences of digits:
    234223519191     Gateway to JANET at Rutherford Laboratory
    234246240240     ICL at Letchworth

Recently allocated accounts for dial-up access do not have an area code; the fifth digit is set to zero.

Notes

[1] TCP provides some connection-mode functions. The TCP header includes a sequence number and a field for acknowledging previous packets. Higher level functions such as telnet and ftp provide true connection-mode services.

[2] Strictly speaking, other control packet types can carry the same addressing information, but in practice many implementations leave out these optional fields. The full list of packet types that have address fields is: call request, incoming call, call accepted, call connected, clear request, clear indication, clear confirmation, registration request, registration confirmation.

[3] Details of the TRACE /PSI command are in the VMS help system under the entry TRACE. The TRACE function is described in the manual VAX PSI Volume 1 Problem Solving Guide, chapter 4 - the TRACE utility.

[4] Details of the x25trace command are in SunNet X.25 System Administration Manual, chapter 9.

[5] Details of the ACCOUNTING/PSI command are in the VMS help system under the entry P.S.I.

[6] Details of the log file are in the manual SunNet X.25 Application Guide, The PAD (User) and X.29 (Server) Programs, chapter 2.

[7] The 1988 revision of the X.25 standard increased the address field to a maximum of 17 decimal digits.

[8] The Cuckoo's Egg, chapter 30.
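As an added worked example (not part of the paper), the following code carries out the translation that the Area Codes section does by hand for Stoll's number: it splits an X.121 address into country code and DNIC, looks the network up, checks the fixed national length from the National Numbers section, reads the Datex-P access digit, and then matches the longest telephone area code known for that network, since area codes vary in length. The NETWORKS table is my own excerpt of Appendix A and Appendix B, limited to the Datex-P, Telenet, PSS and Austpac examples the appendices actually give; it is not a complete numbering plan.

```python
"""Added example: translate an X.121 address the way the Area Codes section does by hand."""

# Excerpt of Appendices A and B (constructed from the paper's examples, not complete):
# fixed national length, whether the fifth digit is an access type (Datex-P only),
# and the telephone area codes for which Appendix B gives a real example.
NETWORKS = {
    "2624": {"country": "Germany", "network": "Datex-P", "length": 13, "access_digit": True,
             "areas": {"30": "Berlin", "42": "Hannover", "221": "Cologne"}},
    "3110": {"country": "United States of America", "network": "Telenet", "length": 12,
             "access_digit": False, "areas": {"412": "Pittsburgh (Pa)"}},
    "2342": {"country": "United Kingdom", "network": "PSS (British Telecom)", "length": 12,
             "access_digit": False, "areas": {"31": "Edinburgh", "533": "Leicester"}},
    "5052": {"country": "Australia", "network": "Austpac", "length": 12,
             "access_digit": False, "areas": {"3": "Melbourne"}},
}
ACCESS = {"4": "dial-up connection", "5": "permanent connection"}   # Datex-P fifth digit


def translate(address: str) -> dict:
    """Break an X.121 address into DNIC, country, network, access type, area and subscriber."""
    if not address.isdigit() or not 4 <= len(address) <= 14:
        raise ValueError("X.121 addresses are 4 to 14 decimal digits")
    dnic = address[:4]
    result = {"dnic": dnic, "country_code": address[:3], "network_digit": address[3]}
    net = NETWORKS.get(dnic)
    if net is None:
        result["note"] = "DNIC not in this excerpt; look it up in Appendix A"
        return result
    result["country"], result["network"] = net["country"], net["network"]
    if len(address) != net["length"]:
        result["note"] = f"{net['network']} numbers are {net['length']} digits, got {len(address)}"
        return result
    national = address[4:]
    if net["access_digit"]:
        result["access"] = ACCESS.get(national[0], "unknown access type")
        national = national[1:]
    # Area codes vary in length, so match the longest known prefix, as with dialling codes.
    for width in (3, 2, 1):
        if national[:width] in net["areas"]:
            result["area_code"], result["area"] = national[:width], net["areas"][national[:width]]
            result["subscriber"] = national[width:]
            return result
    result["subscriber"] = national   # no area example known for this prefix
    return result
```

Extending the excerpt to a full network is a matter of loading the operator's area-code list into NETWORKS; the matching logic does not change.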