Advanced Packet Technology Remote Internet Security Analysis Suite

Page last modified: May 28, 2010 at 14:05
Developed by Steve Gibson

An Introduction to GRC's NanoProbe Technology

by Steve Gibson

Starting out simple: The no-cost 24/7 availability and extreme ease-of-use of GRC's original ShieldsUP! facility made it the most popular and influential remote security testing system on the Internet. ShieldsUP! accomplished, and continues to accomplish, its goal of providing Internet users with an easily comprehensible "wake up call" about the need for seriously considering the security and privacy of their Internet-connected personal computers.

The fact that ShieldsUP! offered extremely simple tests was exactly the point: Its goal was to motivate security-unaware users to start thinking about Internet security and privacy. Its effect would have been diminished if it were any less straightforward, any more detailed, complex or confusing. ShieldsUP! was designed to be accurate, not sophisticated. This simple formula gained its fame.

But two years later the world had changed. Personal firewalls are becoming commonplace (even included in Windows XP) and, partially due to the early influence of ShieldsUP!, users are becoming far more aware and sophisticated about Internet security.

The time had come for more.
(Much more)

ShieldsUP!  vs  NanoProbe:

The ShieldsUP! tests have always been effective for their target audience, so those tests will remain largely unchanged. There is nothing we can do to improve on their existing message. However, on October 17th, 2001, when the NanoProbe Technology was brought online, those tests received an immediate and substantial performance boost. For example, the time to test the standard 12 ShieldsUP! ports, for a user with a stealthing-technology firewall or NAT router, was reduced from nine minutes (540 seconds) to just ten seconds. This dramatically increases the convenience of the occasional re-use of those tests.

The NanoProbe tests will be oriented toward the Internet security-aware user who already understands the many risks and responsibilities associated with placing a computer upon an open global network. Whereas ShieldsUP! will always be targeted at first time users, or those wanting a quick check-up on their system's operation, the NanoProbe system will offer many unique and advanced tests oriented toward sophisticated Internet users.

Beyond this, the NanoProbe Technology is a prerequisite for the deployment of many other related GRC initiatives such as the Spoofarino end-user source IP spoofing test, and several future editions of the LeakTest personal firewall testing tool. Thus, many of our future plans depend upon this technology.

What is the NanoProbe Technology?

The enhanced ShieldsUP! and NanoProbe tests require absolute control over the creation, formulation, generation and reception of individual Internet Protocol data packets. This required the design and implementation of a fully custom and complete TCP/IP protocol stack incorporating tightly integrated web services:

The Gibson Research NanoProbe Technology

This is the system now running at   It works.

I started from scratch and wrote a complete, custom, TCP/IP protocol suite, including an integrated firewall (super-hardened TCP) and a lightweight web server. In the diagram above, the only components I did not write from scratch (in assembly language) are the two thick-outline boxes. The dark-gray box contains our web server enhancements which have been evolving steadily for several years.

I am particularly proud of the TCP protocol handler. I solved the problem of vulnerability to local resource depletion from denial of service (DoS) attack flooding by designing a "stateless connection opening" technology named "GENESIS". Unlike all traditional (and DoS vulnerable) TCP/IP stacks, GENESIS is able to accept and complete inbound connections without needing to keep any "state" information. Thus there are no resources to exhaust when gazillions of inbound connections are being spoofed and never completed, or completed but never used. A detailed explanation of the DoS problem and my GENESIS solution is available here.
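
The idea of opening connections without keeping state can be illustrated with a keyed cookie carried in the server's initial sequence number, which is the general approach behind SYN cookies. This is an added example, not GRC's GENESIS code, whose design is not described on this page; the key, time-slot length, function names and addresses are all assumptions made for the illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret"  # assumption: a real stack uses a random, rotated key
SLOT_SECONDS = 64                    # assumption: how long an issued cookie stays valid


def cookie(src, sport, dst, dport, client_isn, slot, key=SECRET):
    """32-bit keyed MAC over the connection 4-tuple, the client's ISN and a time slot."""
    msg = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
           + struct.pack("!HHIq", sport, dport, client_isn, slot))
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def on_syn(src, sport, dst, dport, client_isn, now):
    """Answer a SYN: return (seq, ack) for the SYN/ACK. Nothing is stored."""
    seq = cookie(src, sport, dst, dport, client_isn, int(now) // SLOT_SECONDS)
    return seq, (client_isn + 1) & 0xFFFFFFFF


def on_ack(src, sport, dst, dport, seq, ack, now):
    """Validate the final handshake ACK using only fields carried in that packet."""
    client_isn = (seq - 1) & 0xFFFFFFFF   # the client's SYN carried seq - 1
    echoed = (ack - 1) & 0xFFFFFFFF       # our ISN, echoed back by a genuine peer
    slot = int(now) // SLOT_SECONDS
    return any(
        hmac.compare_digest(
            echoed.to_bytes(4, "big"),
            cookie(src, sport, dst, dport, client_isn, s).to_bytes(4, "big"))
        for s in (slot, slot - 1)          # accept the current and the previous slot
    )


def demo():
    peer = ("203.0.113.5", 40000, "192.0.2.1", 80)   # constructed addresses
    seq, _ = on_syn(*peer, client_isn=1000, now=1_000_000)
    genuine = on_ack(*peer, seq=1001, ack=(seq + 1) & 0xFFFFFFFF, now=1_000_030)
    guessed = on_ack(*peer, seq=1001, ack=(seq + 2) & 0xFFFFFFFF, now=1_000_030)
    stale = on_ack(*peer, seq=1001, ack=(seq + 1) & 0xFFFFFFFF, now=1_000_200)
    return genuine, guessed, stale
```

Because `on_syn` stores nothing, a flood of spoofed SYNs costs the server one MAC computation per packet and no memory; only a peer that actually received the SYN/ACK can produce an ACK that `on_ack` accepts.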

This is our NanoProbe Technology.

It's cool.   It's running.   It works.

What can we do with our NanoProbe Technology?

Currently undergoing development, conceptually confirmed and proven, the NanoProbe Technology will demonstrate the following capabilities:

While you wait, real-time, operation.
Like our existing ShieldsUP! system, the NanoProbe Security Analyzer will use a web browser interface to immediately deliver its security vulnerability report.

We expect the analysis to be so comprehensive, and to produce so much detail, that we'll offer both "summary" and "detailed" display formats. If it turns out to be feasible, the detailed display may be able to summarize every NanoProbe packet sent and received as well as detailed NanoProbe statistics.

Continuous host-presence verification.
Internet security scanners exhibit the serious problem of "scanning blind". They cannot, and do not, verify whether the scan target is online, connected, or even receiving their packets. This results in completely invalid reports of "no vulnerability" when, in fact, the target host was simply offline, disconnected, or unavailable to the scan.

Our NanoProbe Technology does not suffer from this serious shortcoming since it continuously and affirmatively induces NanoProbe reflections from the host system (even from hosts behind full stealth firewalls!) during security analysis to continuously re-confirm the host's real-time accessibility.

Comprehensive host IP address determination (with domain resolution).
The use of our NanoProbe Technology allows us to penetrate transparent web proxy servers and NAT (Network Address Translating) routers to directly probe the host machine's complete interconnection environment. This technology allows us to resolve the pre- and post- NAT router IPs, and the pre- and post- transparent web proxy IPs.

For example: The typical @Home cable modem user, using a Linksys IP-multiplexing NAT router, has three IP addresses associated with his connection. For this user the NanoProbe Technology would reveal his machine's TRUE local private-network IP address, his current cable modem and NAT router public IP address, and his transparent web proxying IP address.

Host stealth technology detection, penetration, and appraisal.
Our NanoProbe packets are able to (benignly) penetrate a user's stealth firewall to verify the presence of the system hidden behind. Since our NanoProbe packets are able to bypass stealthing, we are able to "grade" the level and quality of the user's stealthing technology.

True firewall, versus simple packet filter, discrimination.
The term "Firewall" is becoming so popular that everyone wants to be offering one. But the truth is, significant differences exist between a true firewall and much simpler "packet filters." For example, does the product in question "proxy" half open TCP connections to protect the host machine(s) from common Denial of Service attacks, or are qualifying SYN packets simply allowed to impact the user's unprotected protocol stack?

Our NanoProbe Technology will answer those questions by deliberately exercising any "firewall" to determine exactly what protections it does, and does not, affirmatively provide to the machine(s) it is protecting.

Special "Half-Open" TCP connection "SYN" probing.
Our connection profiling NanoProbe packets establish and reset "Half-Open" TCP connections with the probe target. This is a far more economical and much cleaner means for testing connection-accepting host ports than the traditional TCP "Full-Open" and "Full-Close". It consumes less than half the network bandwidth (3 IP packets as opposed to 7) and leaves much less TCP stack residue in the tested host (no post-connection TIME_WAIT state endpoints). It is also a somewhat stealthful test, since low-technology "evil port monitors" will not sense that their monitored ports have been half-opened.

Advanced TCP non-connection "ACK" probing.
Simple, non-stateful "packet filtering" firewalls block connections by simply filtering "SYN packets". Since a SYN packet is the first and required stage of TCP connection initiation, blocking SYN's prevents connection establishment. However, unexpected "ACK" packets can be used to slip past simple "SYN" filters to probe the host machine behind non-stateful firewalls. Our NanoProbe packets slip through such firewalls to do this.
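
The difference between a SYN-only packet filter and a stateful filter can be seen by running both over the same packets. This is an added example, not code from the original page; the packet model, class names and addresses are constructed for the illustration, and flow expiry (FIN, RST, timeouts) is left out.

```python
from collections import namedtuple

SYN, ACK = 0x02, 0x10
Pkt = namedtuple("Pkt", "src sport dst dport flags inbound")


def syn_only_filter(pkt):
    """Non-stateful rule described above: drop inbound SYN-without-ACK, pass the rest."""
    if pkt.inbound and pkt.flags & SYN and not pkt.flags & ACK:
        return "drop"
    return "pass"


class StatefulFilter:
    """Pass inbound TCP only when it belongs to a connection opened from inside."""

    def __init__(self):
        self.flows = set()  # (inside ip, inside port, outside ip, outside port)

    def check(self, pkt):
        if not pkt.inbound:
            if pkt.flags & SYN and not pkt.flags & ACK:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass"
        known = (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows
        return "pass" if known else "drop"


# Constructed trace: one legitimate outbound connection, then two unsolicited packets.
TRACE = [
    Pkt("192.168.1.10", 50000, "198.51.100.7", 80, SYN, False),       # host opens a connection
    Pkt("198.51.100.7", 80, "192.168.1.10", 50000, SYN | ACK, True),  # the server's reply
    Pkt("203.0.113.9", 4444, "192.168.1.10", 139, SYN, True),         # unsolicited SYN
    Pkt("203.0.113.9", 4444, "192.168.1.10", 139, ACK, True),         # unsolicited ACK
]


def compare(trace):
    """Return (stateless verdict, stateful verdict) for each packet, in order."""
    stateful = StatefulFilter()
    return [(syn_only_filter(p), stateful.check(p)) for p in trace]
```

Only the last packet separates the two: the SYN-only rule passes the unsolicited ACK to the host, while the stateful filter drops it because no matching connection was ever opened from inside.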

Fragmented and reordered packet filtering vulnerability assessment.
Single large packets travelling across the Internet must sometimes be broken into multiple smaller packets in order to cross packet-size-limited network links. The IP protocol therefore includes provisions for "fragmenting" and "reassembling" IP packets. These provisions can be deliberately subverted to slip dangerous packets through unsuspecting firewalls one piece at a time.

Our NanoProbe packets test the fragmented packet vulnerability of host firewalls by sending a series of three minimum size packets (of 224-, 224-, and 192- bits each) in place of one packet 352-bits long. Furthermore, these are delivered both in proper sequence and in deliberate reverse sequence to test the firewall's fragment buffering capability. (It must retain the last fragment that arrives first until it receives the first fragment that arrives last!)
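
What a firewall must do to pass this test is buffer fragments until the set is complete, whatever order they arrive in, and only then apply its rule. This is an added example, not code from the original page; the blocked port, addresses and names are assumptions, and the 8-, 8- and 4-byte pieces correspond to 224-, 224- and 192-bit fragments when each carries a 20-byte IP header without options.

```python
import struct

BLOCKED_PORTS = {139}   # assumption for the demo: policy drops inbound SYNs to NetBIOS
SYN, ACK = 0x02, 0x10

class Reassembler:
    """Buffers fragments per datagram and releases the payload only when complete."""

    def __init__(self):
        self.pending = {}  # (src, dst, ip_id) -> {"parts": {byte offset: data}, "total": int}

    def add(self, src, dst, ip_id, offset_units, more_fragments, data):
        key = (src, dst, ip_id)
        entry = self.pending.setdefault(key, {"parts": {}, "total": None})
        start = offset_units * 8              # IP fragment offsets count 8-byte units
        entry["parts"][start] = data
        if not more_fragments:                # the last fragment fixes the total length
            entry["total"] = start + len(data)
        payload, pos = b"", 0
        for off in sorted(entry["parts"]):
            if off != pos:                    # hole or overlap: keep waiting, pass nothing
                return None
            payload += entry["parts"][off]
            pos += len(entry["parts"][off])
        if pos != entry["total"]:
            return None
        del self.pending[key]
        return payload

def verdict(tcp_header):
    """Apply the port/flag rule to a complete 20-byte TCP header."""
    _, dport = struct.unpack("!HH", tcp_header[:4])
    flags = tcp_header[13]
    is_syn = flags & SYN and not flags & ACK
    return "drop" if is_syn and dport in BLOCKED_PORTS else "pass"

def filter_fragments(fragments):
    """Feed (offset_units, more_fragments, data) tuples in arrival order."""
    r, result = Reassembler(), None
    for off, mf, data in fragments:
        whole = r.add("203.0.113.9", "192.0.2.1", 7, off, mf, data)  # constructed ids
        if whole is not None:
            result = verdict(whole)
    return result

# Constructed 20-byte TCP header (SYN to port 139) cut into 8-, 8- and 4-byte pieces.
HDR = struct.pack("!HHIIBBHHH", 40000, 139, 1, 0, 5 << 4, SYN, 1024, 0, 0)
FRAGS = [(0, True, HDR[:8]), (1, True, HDR[8:16]), (2, False, HDR[16:])]
```

The first piece carries the ports and the second carries the flags, so no single fragment contains enough for the rule to decide; a production reassembler also needs a timeout and a memory cap on `pending`.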

UDP/ICMP reflection response probing.
Microsoft-based hosts make extensive use of UDP/IP protocol to offer highly insecure network services. The first phase of NanoProbe deployment will use UDP NanoProbe packets to profile the probable presence of these insecurities.

The second phase will go further to implement protocol-specific client simulations in order to uncover and confirm additional vulnerabilities.

Differential source IP analysis.
Advanced stateful firewalls and NAT routers actively manage their host's connections by maintaining internal dynamic connection tables. From the standpoint of remote security analysis, this means that the source IP address of inbound packets can dramatically influence both the analysis results for, and the security of, the remote host.

Our NanoProbe Technology employs its "bit-level" hand crafted NanoProbe generation capability to launch IP packets carrying source IP addresses which are both deliberately known, and unknown, to the host's protective firewall and/or NAT router. By comparing the differential results obtained from known and unknown source IP addresses, our Technology creates much more detailed assessments of host security.

Personal Router vulnerability assessment.
The proliferation of home networking, coupled with the availability of broadband Internet access, has created an active market for "Personal NAT Routers" (such as my favorite two solutions from Linksys). These NAT (Network Address Translating) routers allow multiple host machines to transparently share a single broadband IP address.

Host machines running behind NAT routers enjoy an inherently higher degree of inbound attack security thanks to the fact that a NAT router shares many of the attributes of a high quality stateful firewall. However, though the hosts may be protected by the NAT router, the router's protocol interpreters themselves are necessarily continuously exposed to the Internet.

Since our NanoProbe Technology allows us to discriminate among and uniquely determine the user's web proxy server IP address (if any), the router's unique public IP address, and the address of the host machine behind the router, we target NanoProbe packets at the user's personal NAT router in order to independently assess its security and protocol vulnerabilities.

"Last-Hop" Router vulnerability assessment.
Corporate networks using blocks of public IP space employ non-NAT "border gateway" routers. These routers often have commonly exploitable vulnerabilities such as open Telnet access and default administration logon. They depend upon security by obscurity, which is no security at all. These router IPs generally remain unknown because they are never the direct source or destination of IP traffic. However, their security is of paramount importance.

Our NanoProbe Technology employs a number of tricks to uncover the non-published IP addresses of these corporate gateway routers — even in the presence of outbound ICMP (routing error message) suppression.

We are unsure what to do about non-host network infrastructure vulnerabilities discovered at such locations, since we have no desire to empower a corporation's employees to exploit their employer's vulnerabilities. We may add technology to automatically send eMail to the administrators of any sub-nets containing such discovered problems.

Active protocol testing.
A continuously evolving aspect of our NanoProbe security assessment facility will be the development of "client protocol simulators" to exercise and evaluate the security of "necessarily exposed" protocols. Windows platforms are host to a virtual cornucopia of frighteningly insecure protocols — with new ones being silently foisted upon unsuspecting users every day. (Do you really need Windows ME?) Our initial exposure of Windows' NetBIOS protocol vulnerability, which did so much to raise this site's visibility, is just the tip of the iceberg.

Therefore, empowered by the inherent flexibility afforded by our low-level NanoProbe Technology, as this facility evolves we will be adding tests for such things as the use of default or common and insecure logon passwords and other known exploits to which the typical Windows user may be innocently and unwittingly exposed.

Packet round trip time (RTT) profiling.
Our NanoProbe's ability to penetrate stealth firewalls allows us to affirmatively profile the total round trip time (RTT) of host-reflected data. This information will be displayed to the user in the form of an RTT distribution graph during, and at the completion of, the analysis.

Absolutely spoof proof.
Several minor (but annoying) exploits of the first ShieldsUP! system have been developed to cause a "third-party probing" of an arbitrary IP. While these exploits have been clever in their design, the simplistic nature of the current ShieldsUP! port probe technology renders such exploits more interesting than useful or dangerous.

The NanoProbe Technology, which operates by creating and maintaining an active connection to the probe target throughout the testing, renders this new system absolutely spoof proof through the use of the RSVP Agent system.

'RSVP' - An Optional Client-Side Agent:

Throughout this disclosure I have worked to avoid all use of the term "scan" because our NanoProbe Technology is not any form of "Internet Scanner". Port scanning is a wasteful consumer of Internet bandwidth and time. When nothing is known about the remote host, there is little alternative to port scanning. But when the possibility exists to create a companion client-side agent working in concert with the remote security analyzer, it becomes possible to provide all of the benefits of an exhaustive 65,535 port scan with none of the wasted bandwidth or time.

The NanoProbe "RSVP Agent" technology provides these and other benefits.

So WHEN will it be completed and online?

I do not estimate development schedules (because that's something I'm really bad at.) This project is what I am working on full-time, so it will be completed as soon as I get it done. Now you know as much as I do.

You are invited to follow along in our newsgroups and to participate in the pre-release testing which our entire community will soon be doing. Or you can wait for the official unveiling announcement of the completed system. I will certainly announce it to GRC's Corporate News Blog subscribers.

An Acknowledgement of Debt to the World's Hackers

I wish to take a moment to acknowledge the enormous contribution that has been made to my knowledge and understanding by the unselfish work of the world's hacker community. These are not the malicious 'crackers' and 'script-kiddies' who break in, thieve, deface, and despoil by abusing the knowledge they have taken from others, but rather the true hackers — in the original meaning of the term — who pursue the knowledge, understanding, and power of technology for its own sake.

I Thank Them . . . and I sincerely hope they will be as pleased and enlightened by the results of my efforts, as I have been by theirs.

Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.