X.25 network tracing for Internet users
Dennis Jackson
JANET-CERT Coordinator
UKERNA, Atlas Centre,
Chilton, Didcot, Oxfordshire OX11 0QS, UK
Tel: +44 235 445375 Fax: +44 235 445125
D.Jackson@ukerna.ac.uk
Abstract
Hackers use X.25 networks to attack computer systems around the world. In
The Cuckoo's Egg Clifford Stoll describes many difficulties in tracing attackers
coming across the public X.25 network. There are techniques a system
administrator can use to identify the origin of the attacks and follow the actions
of the intruders. This paper will describe some of these techniques - techniques
that have been used to trace and apprehend computer criminals.
Introduction
Many Internet users seem to regard X.25 networks as mysterious: an alien invention
used only by telecommunications carriers to achieve international connectivity. It is true
that X.25 technology has been used to construct the most pervasive data network in
existence. The global public data network formed by the PTTs connects at least 95
different countries.
Internet administrators may assume that tracing attackers across an X.25 network is
almost impossible. The descriptions given in Clifford Stoll's book The Cuckoo's Egg
reinforce this impression. In chapter 29 he describes the process of contacting Ron
Vivier at Telenet who then contacts Steve White and so on back to Hannover in
Germany.
In reality, tracing attacks across an X.25 network is as easy (or difficult) as on a
TCP/IP network.
It should be remembered that it is not just the global public data network that uses
X.25. There are many private and corporate networks that also use X.25. Some of the
techniques described here are equally applicable to private networks.
Dealing with attacks that take place across an X.25 network needs the ability to
- monitor the traffic
- check the system logs
- identify the origin and target of calls
The Hidden Origin
Public X.25 network addresses are treated as "ex-directory". That is, there is no
published list of subscribers and their corresponding network numbers. This creates the
problem that the origin or target of attacks cannot be readily identified. The network
provider can translate numbers to names but they will not divulge this information to an
ordinary system administrator - especially a system administrator in another country.
Law enforcement officers can usually obtain such information for connections in their
own area. But, a single intrusion can yield dozens of numbers that may need
identifying. Translating international numbers can be almost impossible. It is known
that hackers maintain lists of names and network addresses. They use these to choose
new victims. Anything that can be done to simplify the translation of numbers to names
will speed the work of someone investigating an attack.
Technical Background
Both TCP/IP and X.25 networks use packet switching techniques to transmit data
between end systems. The major difference between these systems is architectural.
TCP/IP networks are usually described as connectionless, while X.25 networks
provide a connection-mode service. Connectionless communication can be likened to
the postal service where each packet is independent of all others.[1] Connection-mode
networks are similar to the telephone system where an initial dialogue (with the
network) establishes a connection to the remote party.
This difference has important consequences for the carriage of addressing information
within the network. Every IP packet carries the source and destination address. In
contrast, in X.25 only the initial packet carries the addressing information.[2]
Subsequent X.25 packets carry a channel number assigned at the start of the
connection. This logical channel number (LCN) is similar to the port number chosen by
the user's end and carried in the TCP header.
Another difference between X.25 and TCP/IP is that every X.25 data packet carries a
sequence number. The X.25 sequence numbers are used to ensure that the remote
system receives the packets in the same order that they were sent.
Channel Numbers
The logical channel number assigned at the start of the connection is local to each link in
the network. Thus the channel number used between the originating system and the
network will be different from the LCN used between the network and the target
computer. As an example, in a typical situation, the logical channel numbers used on
each link are those shown in Figure 1.
Figure 1 (diagram not reproduced): logical channel numbers on each link of a typical call
One benefit of channel numbers is that it is relatively easy to identify all the packets that
make up a particular session. Once the call has connected and the logical channel
number assigned, all subsequent packets in that call will have the same channel
number. Use of the channel number and packet sequence number will ensure that a
complete transcript of a session can be extracted from the X.25 data stream.
Monitoring
The use of channel numbers rather than addresses presents an obvious problem.
Simply tapping the wires and monitoring the session of the hacker will not identify the
victim nor the origin of the perpetrator. The individual packets passing back and forth
will only contain the logical channel number. It is necessary to monitor the call being
established to obtain the two network addresses.
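The following is an added example and not part of the original paper: a small Python decoder for X.25 layer-3 packets as a line monitor on the link to the target computer would see them. It shows the two points made in the Channel Numbers and Monitoring sections above: the calling and called addresses appear only in the call set-up packet, and from then on the logical channel number together with P(S) is enough to pull a complete transcript of one session out of the stream and to drop retransmitted duplicates. The packet layout follows the modulo-8 X.25 format; the capture, the addresses and the typed text are constructed for the example, and the second channel shows what is left when the tap was started after the call had been set up.

```python
# Added example (not from the paper): X.25 layer-3 decoding and per-channel session
# reconstruction as a line monitor would do it. Modulo-8 packet format; all sample
# traffic, addresses and typed text below are constructed for illustration.

PTI_CALL_REQUEST = 0x0B   # also Incoming Call on the far side of the network
PTI_CALL_ACCEPTED = 0x0F  # also Call Connected
PTI_CLEAR_REQUEST = 0x13  # also Clear Indication
PTI_CLEAR_CONFIRM = 0x17


def encode_bcd(digits):
    """Pack decimal digits into semi-octets, padding an odd final nibble with 0."""
    nibbles = [int(d) for d in digits]
    if len(nibbles) % 2:
        nibbles.append(0)
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def decode_bcd(buf, first_nibble, count):
    """Read `count` digits from buf starting at nibble index first_nibble (0 = high nibble)."""
    return "".join(str(buf[n // 2] >> 4 if n % 2 == 0 else buf[n // 2] & 0x0F)
                   for n in range(first_nibble, first_nibble + count))


def build_call_request(lci, calling, called):
    """GFI/LCGN, LCN, PTI, address-length octet (calling<<4 | called), called address
    then calling address in BCD, then an empty facilities field."""
    header = bytes([0x10 | (lci >> 8), lci & 0xFF, PTI_CALL_REQUEST])
    addr_block = bytes([(len(calling) << 4) | len(called)]) + encode_bcd(called + calling)
    return header + addr_block + b"\x00"


def build_data(lci, ps, pr, payload, more=False):
    """Data packet: octet 3 holds P(R) (3 bits), the M bit, P(S) (3 bits) and a 0 low bit."""
    pti = (pr << 5) | (0x10 if more else 0) | (ps << 1)
    return bytes([0x10 | (lci >> 8), lci & 0xFF, pti]) + payload


def parse_packet(raw):
    """Decode one packet; addresses are present only on call set-up (optionally on clear)."""
    if len(raw) < 3:
        raise ValueError("truncated packet")
    lci, pti = ((raw[0] & 0x0F) << 8) | raw[1], raw[2]
    pkt = {"lci": lci}
    if (pti & 0x01) == 0:                      # data packet: low bit clear
        pkt.update(type="DATA", pr=pti >> 5, more=bool(pti & 0x10),
                   ps=(pti >> 1) & 0x07, data=raw[3:])
    elif pti in (PTI_CALL_REQUEST, PTI_CALL_ACCEPTED):
        pkt.update(type="CALL_REQUEST" if pti == PTI_CALL_REQUEST else "CALL_ACCEPTED",
                   calling=None, called=None)
        if len(raw) > 3:                       # address block is optional on Call Accepted
            calling_len, called_len = raw[3] >> 4, raw[3] & 0x0F
            pkt["called"] = decode_bcd(raw[4:], 0, called_len)
            pkt["calling"] = decode_bcd(raw[4:], called_len, calling_len)
    elif pti in (PTI_CLEAR_REQUEST, PTI_CLEAR_CONFIRM):
        pkt["type"] = "CLEAR"
        if pti == PTI_CLEAR_REQUEST and len(raw) >= 5:
            pkt["cause"], pkt["diagnostic"] = raw[3], raw[4]
    else:
        pkt["type"] = "OTHER"                  # RR/RNR/REJ, reset, restart, ...
    return pkt


def reconstruct_sessions(capture):
    """Group a tap by LCI, bind addresses from the Call Request, and append each
    direction's data in P(S) order, dropping retransmitted duplicates and noting gaps."""
    sessions = {}
    for direction, raw in capture:
        pkt = parse_packet(raw)
        s = sessions.setdefault(pkt["lci"], {
            "calling": None, "called": None, "anomalies": [],
            "data": {"DTE->DCE": bytearray(), "DCE->DTE": bytearray()},
            "expect_ps": {"DTE->DCE": None, "DCE->DTE": None}})
        if pkt["type"] == "CALL_REQUEST":
            s["calling"], s["called"] = pkt["calling"], pkt["called"]
        elif pkt["type"] == "DATA":
            expect = s["expect_ps"][direction]
            if expect is not None and pkt["ps"] == (expect - 1) % 8:
                s["anomalies"].append((direction, "duplicate P(S)=%d" % pkt["ps"]))
                continue                       # retransmission of the previous packet
            if expect is not None and pkt["ps"] != expect:
                s["anomalies"].append((direction, "gap before P(S)=%d" % pkt["ps"]))
            s["data"][direction] += pkt["data"]
            s["expect_ps"][direction] = (pkt["ps"] + 1) % 8
    return sessions


# Constructed tap on the victim's link; "DCE->DTE" is traffic arriving from the network.
SAMPLE_CAPTURE = [
    ("DCE->DTE", build_call_request(0x001, calling="2624542104214", called="234219200100")),
    ("DTE->DCE", bytes([0x10, 0x01, PTI_CALL_ACCEPTED])),
    ("DCE->DTE", build_data(0x001, ps=0, pr=0, payload=b"sysmgr\r")),
    ("DTE->DCE", build_data(0x001, ps=0, pr=1, payload=b"Password: ")),
    ("DCE->DTE", build_data(0x001, ps=1, pr=1, payload=b"letmein\r")),
    ("DCE->DTE", build_data(0x001, ps=1, pr=1, payload=b"letmein\r")),   # retransmitted
    ("DCE->DTE", build_data(0x001, ps=2, pr=1, payload=b"SHOW USERS\r")),
    ("DTE->DCE", bytes([0x10, 0x01, PTI_CLEAR_REQUEST, 0x00, 0x00])),
    ("DCE->DTE", build_data(0x002, ps=5, pr=3, payload=b"DIR\r")),      # set-up not seen
]

if __name__ == "__main__":
    for lci, s in sorted(reconstruct_sessions(SAMPLE_CAPTURE).items()):
        print("LCI %03X calling=%s called=%s anomalies=%s"
              % (lci, s["calling"], s["called"], s["anomalies"]))
        for direction, buf in s["data"].items():
            print("  %s %r" % (direction, bytes(buf)))
```

Run stand-alone it prints one transcript per logical channel. A channel whose call set-up was not captured has no addresses at all, which is why the tap must be running before the intruder connects, or the addresses must be taken from the PSI accounting or x29serverlog records described in the next section instead.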
Many devices are available that can monitor, record and display data from a line
carrying X.25 traffic. Some of these protocol analysers are dedicated devices, while
others are add-on boards and software for personal computers. These devices exist to
aid the analysis and resolution of faults. As a result some are not suited to the extraction
of a session transcript from the data stream. An example of the basic output from a
protocol analyser is shown in Appendix C.
Computer systems often have the potential for recording a transcript of every packet
sent or received on the network interface. Obviously, recording all packets like this will
collect huge amounts of data. Such techniques must be used with care to ensure that the
filestore is not exhausted.
Digital VAX/VMS
VMS includes extensive facilities for recording and analysing packets sent and received
on the network connections. The command
$ TRACE /PSI
starts collection of a trace of the data on a link to an X.25 network.[3] To avoid the tracing
being made too obvious the process name should be set with the /PROCESS_NAME
option. Similarly, the name of the output file should be changed with /OUTPUT.
Collection of the trace data is terminated by the command
$ TRACE STOP
Display of the trace data is performed by the command
$ TRACE ANALYSE
This command expands the data into individual packets and decodes their contents. An
example of the output from this command is given in Appendix D.
SunOS
The X.25 software from Sun Microsystems can record all packets sent and received on
the network interface. The command to start collection of this log is[4]
% /usr/sunlink/x25/x25trace
The trace is stopped by interrupting the command or killing the process.
When monitoring a hacker the name and path of the command should be changed so that
the trace process is not obvious to an intruder listing processes with ps(1).
DG/UX
On Data General systems the command
% /usr/bin/x25trace
obtains the raw trace data. Although the information is readable it is not decoded and is
just produced as hexadecimal text. The command
% /usr/bin/x25decode
can be used to translate the hexadecimal trace data into individual packet types.
Network Records
The network equipment has the potential for recording details of all calls across the
network. For a public data network, records will be kept to enable bills to be produced
and customers charged for their usage. However, the information gathered for billing
purposes is not needed in real time. Not all equipment has the potential for displaying
details of active calls. Thus it may be necessary to tap the wires and use a line monitor
to gather real time information.
The target computer also has the potential for recording details of all calls it sends and
receives. However, in common with other records, computers are often installed with
this logging disabled.
Digital VAX/VMS
As an example, the software for VMS to connect it to an X.25 network is PSI
(Packetnet System Interface). The PSI log records details of all activity on the link to
the X.25 network - incoming and outgoing, bulk and interactive. By default, the log of
PSI activity is switched off. The command
$ @SYS$MANAGER:PSIACCOUNTING ON
needs to be issued by the system manager to activate collection of this log. Once
collected the details are displayed by the command
$ ACCOUNTING /PSI5
An example of the output from this command is shown in Appendix E.
Like other VMS logs the PSI records are held in a structured file and the information
stored as binary data. The command ACCOUNTING /PSI can also act as a filter and
thereby edit out the data of interest.
SunOS
Sun Microsystems' X.25 software records the different types of activity in separate
logs.[6] Records of incoming interactive calls are held in /var/adm/x29serverlog. If the
system is used as a staging point and outgoing interactive calls are made then the details
are recorded in /usr/tmp/x29userlog.
Both x29serverlog and x29userlog are simple text files. The data can be browsed,
edited, and printed using standard utilities. Examples of these logs are given in
Appendix E & F.
Network Addresses
A common task when investigating attacks on an X.25 network is identifying the
source and target of the activity.
IP networks use a 32-bit field to carry addressing information. This field is treated as
four binary octets, and written as four decimal numbers separated by periods. X.25
packets have an address field that can hold a maximum of 15 decimal digits.[7] In the
packet each digit is binary encoded and held in a semi-octet.
International Numbers
The X.25 standard places no limitation on how many of the address digits are used or
how they are allocated. However, for public data networks the CCITT
Recommendation X.121 provides some definitions. X.25 addresses on the public
networks are limited to a maximum of 14 digits. X.121 also defines the first four digits
as the Data Network Identification Code (DNIC). Of these four digits, the first three
identify the country while the fourth digit distinguishes a specific network within the
country. The use of any subsequent digits is left to the discretion of the network
administration in each country. Details of all country codes and known DNICs are
given in Appendix A.
In Clifford Stoll's case the calls were coming in from the address 2624542104214.[8]
The first four digits, 2624, indicate the Datex-P network in Germany. However, the
contact at Telenet International was unable to translate the rest of the digits and identify
the town as Hannover.
National Numbers
Nothing in the standard requires it, but most networks use a fixed number of digits to
identify each connection point. It would be possible to use a variable number of digits,
with large organisations identified by a small number of digits and vice versa, and any
additional digits up to the maximum handled by the attached equipment. This
arrangement would be similar to the Class A, B and C networks on the Internet.
Fortunately, most public X.25 networks use a fixed number of digits to identify
customer connections. For example, Telenet in the USA uses 12, Datex-P in Germany
13, Datapac in Canada 12, etc. Where known, the length of network addresses is
detailed in Appendix B.
Area Codes
Each network will need a mechanism for assigning X.25 addresses to subscribers.
They could allocate 000001 to the first customer, 000002 to the second, and so on.
However, this will cause technical problems - each switch in the network will need to
know how to route calls for every number.
Most networks around the world have chosen to allocate numbers on a regional basis.
That is, some portion of the number identifies a physical area. Customers in the same
geographical region will have similar numbers. This is the same technique as that used
to assign telephone numbers.
If details of these area codes are known then it enables network addresses to be
narrowed down to individual towns. Experience has shown that many X.25 network
providers have chosen to use exactly the same area codes as the telephone network.
Details of the area codes (including real examples) are listed in Appendix B.
As an example, Clifford Stoll's number 2624542104214 can be translated as
262 Germany (formerly known as the Federal Republic of Germany or West Germany)
4 Datex-P (operated by the Bundespost)
5 Permanent connection (in contrast to a dial-up account)
42 Hannover area code
104214 subscriber number
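An added example, not from the paper, that mechanises the translation walked through above for Clifford Stoll's number and applies the same splitting to any address whose network layout is known. The DNIC, country-code and area-code tables are a small subset of Appendices A and B, written into the code as assumptions; anything not in them is reported as a warning rather than guessed. The length warning covers the 14-digit Datex-P examples listed in Appendix B, which carry one digit more than the 13 the network normally uses. The last address in the stand-alone run is a made-up number on an unlisted DNIC, included to show the fallback to the country code.

```python
# Added example (not from the paper): mechanised X.121 address translation using a
# partial copy of the DNIC list (Appendix A) and the observed area-code layouts
# (Appendix B). Anything not in these tables is reported, not guessed.

DNIC = {                                    # DNIC -> (country, network)
    "2041": ("Netherlands", "Datanet 1"), "2062": ("Belgium", "DCS"),
    "2080": ("France", "Transpac"),       "2342": ("United Kingdom", "PSS"),
    "2624": ("Germany", "Datex-P"),       "3020": ("Canada", "Datapac"),
    "3110": ("United States", "Telenet"), "5052": ("Australia", "Austpac"),
}
DCC = {                                     # data country code -> country (fallback)
    "204": "Netherlands", "206": "Belgium", "208": "France", "234": "United Kingdom",
    "262": "Germany", "302": "Canada", "310": "United States", "311": "United States",
}
# DNIC -> (usual length, area-code width or None for longest-prefix matching,
#          known area codes, meaning of the digit that precedes the area code, if any)
LAYOUT = {
    "2041": (11, 1, {"2": "Amsterdam"}, {}),
    "2062": (10, 1, {"2": "Brussels"}, {}),
    "2080": (12, 2, {"34": "Montpellier"}, {}),
    "2342": (12, None, {"1": "London", "31": "Edinburgh", "533": "Leicester"}, {}),
    "2624": (13, None, {"221": "Cologne", "30": "Berlin", "42": "Hannover"},
             {"4": "dial-up", "5": "permanent"}),
    "3020": (12, None, {}, {}),
    "3110": (12, 3, {"412": "Pittsburgh"}, {}),
    "5052": (12, 1, {"3": "Melbourne"}, {}),
}


def decode_x121(addr):
    """Split an X.121 address into DNIC, country, network, line type, area and subscriber."""
    if not addr.isdigit():
        raise ValueError("X.121 addresses are strings of decimal digits")
    dnic = addr[:4]
    res = {"address": addr, "dnic": dnic, "country": DCC.get(addr[:3]), "network": None,
           "line_type": None, "area": None, "area_name": None, "subscriber": addr[4:],
           "warnings": []}
    if len(addr) > 14:
        res["warnings"].append("longer than the 14 digits X.121 allows on public networks")
    if dnic not in DNIC:
        res["warnings"].append("DNIC %s not in table" % dnic)
        return res
    res["country"], res["network"] = DNIC[dnic]
    usual_len, width, areas, line_types = LAYOUT[dnic]
    if len(addr) != usual_len:
        res["warnings"].append("%d digits, %s normally uses %d (sub-address digits?)"
                               % (len(addr), res["network"], usual_len))
    rest = addr[4:]
    if line_types and rest:                  # e.g. Datex-P: 4 = dial-up, 5 = permanent
        res["line_type"] = line_types.get(rest[0], "unknown (%s)" % rest[0])
        rest = rest[1:]
    if width is None:                        # variable-length area codes: longest match wins
        area = max((c for c in areas if rest.startswith(c)), key=len, default=None)
    else:
        area = rest[:width]
    if area:
        res["area"], res["area_name"] = area, areas.get(area)
        rest = rest[len(area):]
    res["subscriber"] = rest
    return res


def summarise(addr):
    """One line per number, for working through the dozens an intrusion usually yields."""
    r = decode_x121(addr)
    parts = [r["country"] or "unknown country", r["network"] or "unknown network"]
    if r["line_type"]:
        parts.append(r["line_type"])
    if r["area"]:
        parts.append("%s (%s)" % (r["area_name"] or "area not in table", r["area"]))
    parts.append("subscriber " + r["subscriber"])
    line = "%s: %s" % (addr, ", ".join(parts))
    return line + (" [" + "; ".join(r["warnings"]) + "]" if r["warnings"] else "")


if __name__ == "__main__":
    # Stoll's number, three addresses from Appendix B, and one constructed unlisted DNIC.
    for a in ["2624542104214", "234219200100", "26245221040006", "311041200670",
              "310612345678"]:
        print(summarise(a))
```

The tables are the part an investigator extends over time; the decoding rule itself does not change, which is the practical payoff of networks having chosen fixed lengths and telephone-style area codes.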
Bibliography
Recommendation X.121 International Numbering Plan for Public Data Networks,
CCITT, 1988.
Clifford Stoll, The Cuckoo's Egg, Doubleday, 1989, ISBN 0-370-31433-6.
VAX PSI Volume 1 Problem Solving Guide, Digital Equipment Corporation.
Appendix A
The list of country codes is taken from the latest (1988) revision of CCITT
Recommendation X.121; political events around the world will probably result in
changes during the 1992 study period.
1111 Atlantic Ocean (INMARSAT Mobile satellite data transmission system)
1112 Pacific Ocean (INMARSAT Mobile satellite data transmission system)
1113 Indian Ocean (INMARSAT Mobile satellite data transmission system)
Country or geographical areas
Non-zoned systems
202 Greece
2022 Helpac
2023 -
204 Netherlands
2041 Datanet 1
2043 Euronet (ceased)
206 Belgium
2062 DCS
2063 Euronet (ceased)
208 France
2080 Transpac
2080 Dompac (French Antilles)
2080 Dompac (French Guiana)
2080 Transpac (Reunion)
212 Monaco
2120 -
214 Spain
2141 TIDA
2145 Iberpac
216 Hungarian People's Republic
2160 Datex-L
2161 -
218 German Democratic Republic
220 Yugoslavia
2201 Yupac
222 Italy
2222 Itapac
2223 Euronet (ceased)
2227 Italcable
226 Romania
228 Switzerland
2283 Euronet (ceased)
2284 Telepac
2289 Data-Link
230 Czechoslovak Socialist Republic
232 Austria
2322 Datex-P
2329 Radio Austria
234 United Kingdom of Great Britain and Northern Ireland
2341 -
2342 PSS (British Telecom)
2343 Euronet (ceased)
2348 gateway to BT's telex network
235 United Kingdom of Great Britain and Northern Ireland
2350
2351 MDNS (Mercury)
2352 (Hull Telephone Company)
236 United Kingdom
237 United Kingdom
238 Denmark
2382 Datapak
2383 Datapak
240 Sweden
2402 Datapak
2403 -
2405 Telepak
242 Norway
2422 Datapak
244 Finland
2442 Datapak
2443 Digipak
250 Union of Soviet Socialist Republics
2502 Iasnet
260 Poland
262 Germany
2623 Euronet (ceased)
2624 Datex-P
266 Gibraltar
268 Portugal
2680 Telepac
270 Luxembourg
2703 Euronet (ceased)
2704 Luxpac
272 Ireland
2723 Euronet (ceased)
2724 Eirpac
274 Iceland
2740 Icepac
276 Albania
278 Malta
2782 Maltapac
280 Cyprus
2802 Cytapac
284 Bulgaria
2841 -
286 Turkey
2862 -
2863 Turpac
288 Faroe Islands
2882 Faroepac
290 Greenland
292 San Marino
2922 X-Net SMR
302 Canada
3020 Datapac
3025 Globedat
3028 Infoswitch
308 St. Pierre and Miquelon
310 United States of America
3100 -
3101 WUTCO
3103 ITT-UDTS
3104 MCII-Impacs
3106 Tymnet
3107 ITT-UDTS
311 United States of America
3110 Telenet
3113 RCA-LSDS
3119 TRT-Datapak
312 United States of America
3124 FTCC
3125 Telenet
3126 Autonet
313 United States of America
3132 Compuserve
3134 Accunet
3135 Alaskanet
3136 Marknet
314 United States of America
3140 SNET
3141 PDN (Bell Atlantic)
3142 Pulselink (Bellsouth)
3143 PSN (Ameritech)
3144 Infopath (Nynex)
3145 PPS (Pacific Telesis)
3146 Microlink II (Southwestern Bell)
3147 Digipac (USWest)
3148 Pulsenet (Cincinnati Bell)
3149 Wangpac
315 United States of America
3150 Globenet
3152 Hawaii
316 United States of America
330 Puerto Rico
3300 -
332 Virgin Islands
334 Mexico
3340 Telepac
338 Jamaica
- -
340 French Antilles
3400 Dompac
342 Barbados
3420 -
344 Antigua and Barbuda
- -
346 Cayman Islands
- C and W
348 British Virgin Islands
350 Bermuda
3503 Bermudanet
352 Grenada
354 Montserrat
356 St. Kitts
358 St. Lucia
360 St. Vincent and the Grenadines
362 Netherlands Antilles
364 Bahamas
- IDAS
366 Dominica
368 Cuba
- -
370 Dominican Republic
3701 -
372 Haiti
374 Trinidad and Tobago
3740 Datanett
3745 Texdat
376 Turks and Caicos Islands
404 India
4042 GPSS
410 Pakistan
412 Afghanistan
413 Sri Lanka
414 Burma
415 Lebanon
416 Jordan
417 Syrian Arab Republic
418 Iraq
419 Kuwait
- -
420 Saudi Arabia
4201 Alwaseet
421 Yemen Arab Republic
422 Oman
- -
423 Yemen
424 United Arab Emirates
4243 Emdan
425 Israel
4251 Isranet
426 Bahrain
4263 Bahnet
427 Qatar
- Dohpak
428 Mongolian People's Republic
429 Nepal
430 United Arab Emirates (Abu Dhabi)
431 United Arab Emirates (Dubai)
4310 -
432 Iran
440 Japan
4400 Global VAN
4401 DDX-P
4403 ENS
4406 Network Info Service
4408 Venus-P
441 Japan
4410 NI+C International
4411 K-Net
450 Korea
4501 Dacom-Net
452 Viet Nam
454 Hong Kong
4542 IDAS
4545 Datapak
455 Macao
456 Democratic Kampuchea
457 Lao People's Democratic Republic
460 China
- -
467 Democratic People's Republic of Korea
470 Bangladesh
472 Maldives
487 Taiwan
4872 Pacnet
4877 UDAS
502 Malaysia
5021 Maypac
505 Australia
5052 Austpac
5053 Data Access
510 Indonesia
5101 SKDP
515 Philippines
5151 Capwire
5156 ETPI
- GMCR
- Philcom
520 Thailand
- IDARC
525 Singapore
5252 Telepac
528 Brunei Darussalam
530 New Zealand
5301 Pacnet
535 Guam
-
536 Nauru
537 Papua
- PNGpac
539 Tonga
540 Solomon Islands
541 Vanuatu
5410 ViaPac
542 Fiji
543 Wallis and Futuna Islands
544 American Samoa
545 Kiribati
546 New Caledonia and Dependencies
5460 Tompac
547 French Polynesia
5470 Tompac
548 Cook Islands
549 Western Samoa
602 Egypt
- Arento
603 Algeria
604 Morocco
605 Tunisia
6050 Red25
606 Libya
607 Gambia
608 Senegal
6081 Senpac
609 Mauritania
610 Mali
611 Guinea
612 Cote d�Ivoire
6122 Sytranpac
613 Burkina Faso
614 Niger
6142 Nigerpac
615 Togolese Republic
6152 Togopac
616 Benin
617 Mauritius
6170 Mauridata
6171 Mauridata
618 Liberia
619 Sierra Leone
620 Ghana
621 Nigeria
622 Chad
623 Central African Republic
624 Cameroon
625 Cape Verde
626 Sao Tome and Principe
627 Equatorial Guinea
628 Gabonese Republic
6282 Gabonpac
629 Congo
630 Zaire
631 Angola
632 Guinea-Bissau
633 Seychelles
634 Sudan
635 Rwandese
636 Ethiopia
637 Somali Democratic Republic
638 Djibouti
6382 Djipac
639 Kenya
640 Tanzania
641 Uganda
642 Burundi
643 Mozambique
645 Zambia
646 Madagascar
647 Reunion
648 Zimbabwe
6482 Zimnet
649 Namibia
6490 Swanet
650 Malawi
651 Lesotho
652 Botswana
653 Swaziland
654 Comoros
655 South Africa
6550 Saponet
702 Belize
704 Guatemala
- Guatel
706 El Salvador
708 Honduras
- -
710 Nicaragua
712 Costa Rica
- Radiografica
714 Panama
- Intelpaq
716 Peru
7160 Perunet
722 Argentine Republic
7222 Arpac
724 Brazil
7240 Interdata
7241 Renpac
730 Chile
7302 Entel
7303 Chilepac
7305 Tomnet
732 Colombia
- Dapaq
734 Venezuela
736 Bolivia
738 Guyana
740 Ecuador
742 Guiana
744 Paraguay
746 Suriname
748 Uruguay
7482 Urupac
933 France
9330 Transpac
9339 Transpac
Appendix B
These details of area codes within X.121 numbers are based on empirical evidence: the
numbers allocated to real users and organisations.
Netherlands Datanet-1 11 digits
2041a...... a = telephone area code
20412900433
2 Amsterdam
Belgium DCS 10 digits
2062a..... a = telephone area code
2062221012
2 Brussels
France Transpac 12 digits
2080nn...... nn = administrative department code
208034020258
34 Montpellier
Yugoslavia Yupak 12 digits
2201aa...... aa = telephone area code
220161140001
61 Ljubljana
Switzerland Telepac 11 digits
2284.......
United Kingdom PSS 12 digits
2342aaa..... aaa = telephone area code
234219200100
1920 London, Waterloo
234231300102
31 Edinburgh
234253300124
533 Leicester
USSR Iasnet 10 digits
2502......
Federal Republic of Germany Datex-P 13 digits
26244........ dial-up connection
26245aaa..... aaa = telephone area code
26245221040006
221 Cologne
26245300040023
30 Berlin
Portugal Telepac 12 digits
2680........
Luxembourg Luxpac 11 digits
2704.......
Irish Republic Eirpac 12 digits
2724........
Canada Datapac 12 digits
3020........
United States of America Telenet 12 digits
3110aaa..... aaa = telephone area code
311041200670
412 Pittsburgh (PA)
United States of America Uninet
3125aaa aaa = telephone area code
312530300007
303 Boulder (CO)
United States of America Accunet 12 digits
3134........
United States of America Hawaii
3152aaa aaa = telephone area code
Japan DDX-P 11 digits
4401.......
Japan Venus-P 12 digits
4408........
Australia Austpac 12 digits
5052a....... a = telephone area code
505233422000
3 Melbourne
New Zealand Pacnet 12 digits
5301........
South Africa Saponet 12 digits
6550........
United Kingdom PSS
2342aaaabbbbxx
aaaa is the area code and uses the same numbers as telephone dialling codes
(without the leading zero)
bbbb is allocated according to the type of service provided to the customer:
  <400   a fixed line to a computer
         234219200100 Gateway to JANET at ULCC
         234253200103 VAX 6310 at Maxwell Institute
  >=400  an account used for dial-up access
         23421890042200 ICL General Information Systems dial-up account
xx are optional sub-address digits; for an account used for dial-up access xx is
always set to 00
Subscribers of fixed lines to PSS soon after the service started were allocated
numbers with repeated or easily remembered sequences of digits:
         234223519191 Gateway to JANET at Rutherford Laboratory
         234246240240 ICL at Letchworth
Recently allocated accounts for dial-up access do not have an area code; the fifth
digit is set to zero.
[1] TCP provides some connection-mode functions. The TCP header includes a sequence number and a
field for acknowledging previous packets. Higher level functions such as telnet and ftp provide true
connection-mode services.
[2] Strictly speaking other control packet types can carry the same addressing information, but in practice
many implementations leave out these optional fields. The full list of packet types that have address
fields is: call request, incoming call, call accepted, call connected, clear request, clear indication, clear
confirmation, registration request, registration confirmation.
[3] Details of the TRACE /PSI command are in the VMS help system under the entry TRACE. The
TRACE function is described in the manual VAX PSI Volume 1 Problem Solving Guide, chapter 4 -
the TRACE utility.
[4] Details of the x25trace command are in SunNet X.25 System Administration Manual, chapter 9.
[5] Details of the ACCOUNTING /PSI command are in the VMS help system under the entry P.S.I.
[6] Details of the log file are in the manual SunNet X.25 Application Guide: The PAD (User) and X.29
(Server) Programs, chapter 2.
[7] The 1988 revision of the X.25 standard increased the address field to a maximum of 17 decimal digits.
[8] The Cuckoo's Egg, chapter 30.