Silence on the Wire. A Field Guide to Passive Reconnaissance and Indirect Attacks
by Michal Zalewski
No Starch Press 2005.
ISBN 1-59327-046-1. LoC TK105.59.Z35. 281 pages. $39.95. Index. Bibliographic references as endnotes.
Reviewed by Robert Bruen March 14, 2005
Silence on the Wire is an unusual and highly interesting security book. Though written in narrative form, unlike other security books, it does not fit into the category of Kevin Mitnick (The Art of Deception and The Art of Intrusion) and Ira Winkler (Spies Among Us). The discovery of a technical book in this style is cool. Zalewski builds on his passive OS fingerprinting work to provide us with a framework for looking at network security. It feels like we are listening in on his thoughts as he observes and analyzes the way TCP works. Most of us in the security universe have analyzed TCP packet structure, payloads, and the misuse of the format, but here we see someone watching as the traffic flows. The net is a living entity whose global behavior reflects the cumulative behaviors of local events, something akin to the sound of a highway as the individual automobiles drive by. Listening to that highway sound tells you something about the highway which is different from what just one car is doing.
When a competent thief breaks into a place, steals something, and then disappears into the darkness, there is no disturbance and no trace is left, the opposite of a gang bursting into a bank in broad daylight. Quietly gathering small bits of information which gain meaning when aggregated is the preferred method of reconnaissance. Listening for loud noises is not so hard, but knowing when those one or two unusual packets are a precursor to an attack is much more difficult.
Successful exploits require deep understanding as well as patience. It is not enough to find some bad line of code that allows a buffer overflow. There is a creative side which watches how things happen as a sea of activity gives up a hint of a weakness, followed by a careful crafting of a method to take advantage of it. This approach is not the usual attack on a victim. Instead, we encounter a watchful eye on a complex environment which seeks out the details overlooked by a noisy attacker.
"Under the radar" is an apt phrase to describe passive reconnaissance. Getting into the head of someone who knows how to do it can be a challenge unless they choose to reveal how they think and observe. This book is one of the rare opportunities to peek inside. I am not sure if we can all learn how to do this well because it is not a technique which can be mastered. It may very well be something you get at birth. In any case, understanding what it is all about is still worthwhile, especially from the author of this book. Zalewski's perspective on network attacks is unique and valuable. I recommend Silence on the Wire to anyone who wants to broaden their own view.