60 Days of Basic Naughtiness

Presentation transcript:

60 Days of Basic Naughtiness
Probes and Attacks Endured by an Active Web Site
16 March 2001
This is part of a larger project – to analyze and track attack and probe methods and sources:
A holistic view of site probes and attacks.
To create an early warning and verification/validation system/site for others to use.
To track particularly popular source netblocks and assist the netblock owners with proper defense and mitigation.
Rob Thomas robt@cymru.com http://www.cymru.com/~robt

60 Days of Basic Naughtiness
Statistical analysis of log and IDS files.
Statistical analysis of a two-day DDoS attack.
Methods of mitigation.
Questions.
The analysis was performed using copious amounts of Perl, sed, awk, and coffee. The methods are still being honed – they are far from perfect.
Started with a series of simple questions raised by a manager:
“When did this attack start?”
“Did it slowly gain speed? Should we have seen it coming?”
“When will it end? Can we predict the end of the attack?”

About the Site
Production site for several (> 4) years.
Largely static content. No e-commerce.
Layers of defense – more on that later!
Agreed to keep the site name and related data confidential.
I am always looking for more log files! Please feel free to share anything you have. Send it to my e-mail address.

About the Data
Data from router logs.
Data from IDS logs.
Snapshot taken from 60 days of combined data.
Data processed by several home-brew tools (mostly Perl and awk).
The router and IDS logs are not in sync, unfortunately.
This is the first significant effort with copious amounts (942MB) of log data. Previous efforts utilized a significantly smaller sample size.

Definition of “Naughty”
Any traffic that is logged by a specific “deny” ACL.
Any traffic that presents a pattern detected by the IDS software.
The two log sources are not necessarily synchronized.
ACLs – deny and log RPC, bogon source addresses, etc.
IDS – detect SYN floods, Backorifice probes, etc.
The data files do not overlap perfectly. Perfect overlap would be ideal for a completely holistic view of site probes and attacks.
Remember – NTP is your friend!

Daily Probes and Attacks
TCP and UDP probes and attacks – ICMP not counted.
Average – 529.00
Standard deviation – 644.10!
60 day low – 83.00
60 day high – 4355.00
The standard deviation is higher than the mean! In other words, the ebb and flow of probes and attacks is of a greatly variable nature, and therefore difficult to model.
Note the 60 day low figure of 83.00. This means that there is never a completely “safe” day!

Daily Probes and Attacks
Note that never a day goes by without at least 83 probes and/or attacks! The miscreants hit the site 24 x 7 x 365.
Why so many? Because the miscreants do NOT share data! Elucidate this point (IRC wars).

Weekly Probes and Attacks
There is no steady-state. Attacks come in waves, generally on the heels of a new exploit and scan.
Certain types of scans (e.g. Netbios) tend to run 24x7x365.
Proactive monitoring, based on underground and public alerts, will result in significant data capture.
There is no “steady-state,” and there is no “normal” week or day.
The vulnerability du jour (e.g. BIND hole, sendmail hole) tends to wane over a two to three month period.
When an alert comes out – particularly one that lists a port or ports – fire up an ACL and watch the log entries grow.

Weekly Probes and Attacks Trend Analysis

Hourly Probes and Attacks
Myth: “Most attacks occur at night.” An attacker’s evening may be a victim’s day – the nature of a global network.
Truth: Don’t plan based on the clock. We are now part of a global network – a network that NEVER sleeps.
The average DDoS attack lasts between 24 and 72 hours – the zombies don’t need a break.
Take a guess – what hour of the day will be the most utilized by the miscreants to hit this site?

Hourly Probes and Attacks Trend Analysis

UDP Probes and Attacks
Top Five Destination Ports
First – 137 NETBIOS
Second – 53 DNS
Third – 27960
Fourth – 500 ISAKMP
Fifth – 33480 (likely UNIX traceroute)

UDP Probes and Attacks Trend Analysis

TCP Probes and Attacks
Top Five Destination Ports
First – 3663 (DDoS Attack)
Second – 0 Reserved (DDoS Attack)
Third – 6667 IRC (DDoS Attack)
Fourth – 81 (DDoS Attack)
Fifth – 21 FTP-control
With the exception of TCP 21, all other listed ports were part of a DDoS attack attempt.

TCP Probes and Attacks Trend Analysis
TCP port zero remains very popular with those who target this site.
TCP port 21 (FTP) probes have been supplanted by other probes, such as DNS.
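The per-day statistics (mean, standard deviation, 60-day low and high) and the top-five destination port tables on the preceding slides came from the author's Perl/awk tooling, which is not on the page. As an added example (not the author's code), the following Python performs both computations over constructed Cisco IOS-style "deny ... log" lines; the exact log format, the hostname `gw`, list number 101 and the sample addresses are assumptions.

```python
import re
import statistics
from collections import Counter

# Matches a Cisco IOS-style "deny ... log" entry for TCP/UDP. ICMP entries use a
# different message (IPACCESSLOGDP, no ports) and deliberately do not match,
# mirroring the slide's "ICMP not counted".
LOG_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d .*?"
    r"%SEC-6-IPACCESSLOGP: list \S+ denied (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)

def _mk(day, proto, src, dport):
    """Build one constructed log line in the (assumed) format above."""
    return (f"Mar {day:2d} 12:00:00 gw 101: %SEC-6-IPACCESSLOGP: list 101 denied "
            f"{proto} {src}(1045) -> 192.0.2.10({dport}), 1 packet")

# Constructed three-day sample: a quiet day, a burst aimed at TCP port 0, a quiet day.
SAMPLE_LOG = (
    [_mk(1, "udp", "203.0.113.7", 137)]
    + [_mk(2, "tcp", "192.0.2.77", 0) for _ in range(6)]
    + [_mk(2, "udp", "203.0.113.8", 137), _mk(2, "udp", "203.0.113.8", 53),
       _mk(2, "tcp", "192.0.2.77", 6667), _mk(2, "tcp", "198.51.100.9", 21)]
    + [_mk(3, "tcp", "198.51.100.9", 21),
       "Mar  3 09:00:00 gw 102: %SEC-6-IPACCESSLOGDP: list 101 denied icmp "
       "198.51.100.2 -> 192.0.2.10 (8/0), 1 packet"]   # ICMP: not counted
)

def daily_counts(lines):
    """Number of TCP/UDP deny-log entries per (month, day)."""
    counts = Counter()
    for line in lines:
        m = LOG_LINE.search(line)
        if m:
            counts[(m["mon"], int(m["day"]))] += 1
    return counts

def summarize(counts):
    """Mean, population std dev, low and high of the daily totals, plus the slide's
    key check: a std dev above the mean means the traffic is too bursty to model
    as a steady rate."""
    vals = sorted(counts.values())
    mean, sd = statistics.mean(vals), statistics.pstdev(vals)
    return {"mean": mean, "stdev": sd, "low": vals[0], "high": vals[-1],
            "burstier_than_mean": sd > mean}

def top_ports(lines, proto, n=5):
    """Top-n destination ports for one protocol, as on the Top Five slides."""
    ports = Counter(int(m["dport"]) for m in map(LOG_LINE.search, lines)
                    if m and m["proto"] == proto)
    return ports.most_common(n)

if __name__ == "__main__":
    print(summarize(daily_counts(SAMPLE_LOG)))
    print("TCP:", top_ports(SAMPLE_LOG, "tcp"), "UDP:", top_ports(SAMPLE_LOG, "udp"))
```

On real data, feed the router's syslog file to `daily_counts` and `top_ports` line by line; the one-day gap in the sample shows why the low figure matters even when a burst dominates the mean.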

Source Address of Probes and Attacks
Note that Multicast and experimental source address packets account for 53% of the naughty packets.
Thus 53% of the nasty packets are blocked at our border!
What about the other classes? Are the sources therein all legitimate?

Source Address of Probes and Attacks
Class A bogon source percentage – 48.08%!
Class B bogon source percentage – 20.80%.
Class C bogon source percentage – 11.87%.
Class D and E bogon source percentage – 100.00%.

Source Address of Probes and Attacks
Bogon source attacks still common.
Of all source addresses, 53.39% were in the Class D and Class E space.
Percentage of bogons, all classes – 66.85%!
This is good news – prefix-list, ACL defense, and uRPF will block 66.85% of these nasties!
Block bogons, both inbound and outbound, at your border!
Add anti-spoofing at your egress points so that only source addresses within your allocated netblocks may pass.
Three attack types:
Spoof the source using bogon addresses.
Spoof the source using legitimate addresses.
No spoofing.
If all networks performed these basic steps, how successful would spoof attacks be?
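An added example (not from the talk) of the classification behind the per-class bogon percentages, together with the two checks the slides recommend: a border bogon filter and an egress anti-spoofing rule. The bogon prefix set is a minimal assumed stand-in for a full bogon list, and the sample addresses and the 198.51.100.0/24 "allocation" are constructed.

```python
import ipaddress
from collections import Counter

# Stand-in for a bogon list (assumption: the talk's own list is not on the page).
# Only space that has never been routable on the public Internet is listed, which is
# why every Class D and Class E source comes out as a bogon, as the slide reports.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

def ip_class(source):
    """Classful letter from the first octet (A < 128, B < 192, C < 224, D < 240, else E)."""
    first = int(ipaddress.ip_address(source)) >> 24
    for letter, limit in (("A", 128), ("B", 192), ("C", 224), ("D", 240)):
        if first < limit:
            return letter
    return "E"

def is_bogon(source):
    """True when a border prefix-list/ACL (or uRPF, for unrouted space) drops it."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in BOGON_PREFIXES)

def egress_permitted(source, allocated):
    """Egress anti-spoofing: only sources inside our own allocated netblocks may leave.
    This is the check that stops attack type 2 (spoofing a legitimate address)."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in allocated)

def bogon_stats(sources):
    """Per-class and overall percentage of sources the bogon filter would block."""
    total, bogon = Counter(), Counter()
    for s in sources:
        cls = ip_class(s)
        total[cls] += 1
        bogon[cls] += is_bogon(s)
    per_class = {c: 100.0 * bogon[c] / total[c] for c in sorted(total)}
    overall = 100.0 * sum(bogon.values()) / sum(total.values())
    return per_class, overall

# Constructed sample of source addresses as they would appear in deny-ACL log entries.
SAMPLE_SOURCES = [
    "10.1.2.3", "127.0.0.2", "45.33.1.1", "8.8.4.4",                     # Class A: 2 of 4 bogon
    "172.16.5.5", "150.1.1.1", "172.31.0.9", "128.1.1.1", "160.1.1.1",  # Class B: 2 of 5
    "192.168.1.1", "203.0.113.9", "198.51.100.4", "192.0.2.1",          # Class C: 1 of 4
    "224.0.0.5", "239.1.1.1",                                           # Class D: all bogon
    "240.1.2.3", "255.255.255.255",                                     # Class E: all bogon
]
OUR_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed allocation

if __name__ == "__main__":
    per_class, overall = bogon_stats(SAMPLE_SOURCES)
    for cls, pct in per_class.items():
        print(f"Class {cls} bogon source percentage - {pct:.2f}%")
    print(f"Percentage of bogons, all classes - {overall:.2f}%")
```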

Source Region of the Naughty
A dangerously misleading slide
The location of the miscreant is difficult to determine because of:
Spoof attacks.
Zombies.
Legacy netblock assignments.
Key point – the RIR or netblock does not necessarily indicate the location of the miscreant(s)!
Statistics can be misleading. Proper analysis requires a certain degree of “clue.”
Latest groups are from Brasil and Romania.

Intrusion (attempt) Detection
IDS is not foolproof! Incorrect fingerprinting does occur.
You cannot identify that which you cannot see.
IDS is really a misnomer – it should be Intrusion Attempt Detection System, or IADS.
Intrusion Detection is easy – you will know your hull has been breached when your web page reads “Hackers love Ramen!”
IDS can be overwhelmed. Stick is nothing new – we have likely all seen it before.
Keep your IDS database current!
Place your IDS tool where it will provide the best detection and analysis.

Top Five IDS Detected Probes
NetBus – TCP 12345
Backorifice – UDP 31337
TFTP – UDP 70
IDENT – TCP 113
Deep Throat – TCP/UDP 2140

Top Five Detected IDS Probes
Notice how the probes converge around day 13 and particularly days 26 and 27. This is not likely to be a coincidence!

Top Five IDS Detected Attacks

Top Five IDS Detected Sources
Azerbaijan – ISP
USA 01 – Consulting Company
South Korea – ISP
USA 02 – ISP dialup pool
Canada – Cable modem

Top Five IDS Detected Sources
Notice how netblock B (USA 01) trends sharply upward around days 24 through 25.
In the raw data spreadsheet, the sudden appearance of netblock B coincides with the sharp increase in probe activity as seen in the Top Five Probes slide.

Match a Source with a Scan

Two Days of DDoS
Attack that resulted in 10295 hits on day one and 77466 hits on day two.
Attack lasted 25 hours, 25 minutes, and 44 seconds.
Quasi-random UDP high ports (source and destination), small packets.
This was a relatively mild attack, and this makes for simple analysis. However, the analysis steps are the same regardless of attack intensity.

Two Days of DDoS
Perhaps as many as 2000 hosts used by the attackers.
23 unique organizations.
9 different nations located in the Americas, Europe, and Asia.
Source netblocks all legitimate. The use of legitimate source addresses makes defense that much more difficult.
This was an extremely mild DDoS – perhaps a test of things to come.

Two Days of DDoS
As with all DDoS attacks, the ramp up time was quite fast – on the order of several seconds.
The end came just as suddenly.

Two Days of DDoS
Note the rise and fall of myriad sources. This is not uncommon during even the most intense DDoS attacks, and can be due to several factors, such as:
Congestion at the attacker site(s)
Reactionary filtering (local and intermediate) during the attacks
Zombie control issues
Insert the IRC “out of control zombie story” here.

Site Defense and Attack Mitigation
While you cannot prevent an attack, you can choose how to react to an attack.
Layers of defense that use multiple tools.
Layers of monitoring and alert mechanisms.
Know how to respond before the attack begins.
Each layer should protect the layer beyond.
Each layer should integrate with the layers on either side.
Each layer should be untrusted by the next site-facing layer.
Funnel the traffic, filtering at an ever more granular level of detail.

Site Defense and Attack Mitigation
Border router
Protocol shaping and filtering.
Anti-bogon and anti-spoofing defense (uRPF), ingress and egress filtering.
NetFlow.
IDS device(s)
Attack and probe signatures.
Alerts.
Block bogons and prevent spoofing!
The presence of an IDS device does not obviate the need to have the other filtering devices logging (ACL logs, rule base logs, NetFlow, etc.). Compare log entries often – remember, NTP is your friend.

Site Defense and Attack Mitigation
Border firewall
Port filtering.
Logging.
Some IDS capability.
End systems
Tuned kernel.
TCP wrappers, disable services, etc.
Crunchy through and through!

Site Defense and Attack Mitigation
Don’t panic!
Collect data!
The good news - you can survive!

References and shameless self advertisements
RFC 2267 – http://rfc.net/rfc2267.html
Secure IOS Template – http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html
Secure BGP Template – http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html
UNIX IP Stack Tuning Guide – http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html

Any questions?

Thank you for your time!
Thanks to Jan, Luuk, and Jacques for inviting me to speak with you today.
Thanks to Surfnet/CERT-NL for picking up the travel.
Thanks for all of the coffee!