Presentation is loading. Please wait.

Presentation is loading. Please wait.

Black Hat Briefings 2000: Strategies for Defeating Distributed Attacks Simple Nomad Hacker Nomad Mobile Research Centre Occam Theorist RAZOR Security Team,

Published byKoby Masterman Modified over 10 years ago

Similar presentations

Presentation on theme: "Black Hat Briefings 2000: Strategies for Defeating Distributed Attacks Simple Nomad Hacker Nomad Mobile Research Centre Occam Theorist RAZOR Security Team,"— Presentation transcript:

1 Black Hat Briefings 2000: Strategies for Defeating Distributed Attacks Simple Nomad Hacker Nomad Mobile Research Centre Occam Theorist RAZOR Security Team, BindView Corporation

2 About Myself  http://www.nmrc.org/ http://www.nmrc.org/  Currently Sr. Security Analyst for BindView’s RAZOR Team, http://razor.bindview.com/ http://razor.bindview.com/

3 About This Presentation  Assume basics –Understand IP addressing –Understand basic system administration  Tools –Where to find them –Basic usage  Terminology  A “Network” point of view

4 Background  Originally developed during 1999  Concepts first discussed last October  Many concepts can be found in DDOS software today

5 Attack Recognition Basics  Pattern Recognition –Examples: Byte sequence in RAM Packet content in a network transmission Half opens against a server within a certain time frame –Considered “real-time”

6 Attack Recognition Basics Cont.  Effect Recognition –Examples Unscheduled server restart in logs Unexplainable CPU utilization System binaries altered –Considered “non” real-time

7 Attack Recognition Problems  Blended “pattern” and “effect” attacks  Sniffing attacks  Decoys and false identification of attack source

8 Attack Recognition Problems Cont.  Current solutions are usually “pattern” or “effect”, no real-time global solutions  Existing large scale solutions can easily be defeated

9 Common Thwarting Techniques  Rule-based systems can be tricked  Log watchers can be deceived  Time-based rules can be bypassed

10 What is Needed  The “Overall Behavior Network/Host Monitoring Tool” (which doesn’t exist)

11 What Do We Do?  “Trickle Down Security” –Solutions for distributed attacks will introduce good security overall  Off-the-shelf is not enough  Learn about attack types  Defensive techniques

12 Changing Attack Patterns  More large-scale attacks  Better enumeration and assessment of the target by the attacker

13 Two Basic Distributed Attack Models  Attacks that do not require direct observation of the results  Attacks that require the attacker to directly observe the results

14 Basic Model ServerAgent Client Issue commands Processes commands to agents Carries out commands

15 More Advanced Model TargetAttacker Forged ICMP Timestamp Requests ICMP Timestamp Replies Sniffed Replies

16 Even More Advanced Model Target FirewallFirewall

17 Even More Advanced Model Target FirewallFirewall Upstream Host

18 Even More Advanced Model Target Attack Node FirewallFirewall Upstream Host Master Node

19 Even More Advanced Model Target Attack Node FirewallFirewall Upstream Host Attacks or Probes Master Node

20 Even More Advanced Model Target Attack Node FirewallFirewall Upstream Host Attacks or Probes Replies Master Node

21 Even More Advanced Model Target Attack Node Sniffed Replies Attack Node FirewallFirewall Upstream Host Attacks or Probes Replies Master Node

22 Even More Advanced Model Target Attack Node Sniffed Replies Attack Node FirewallFirewall Upstream Host Attacks or Probes Replies Master Node

23 ICMP  Sweeping a network with Echo  Typical alternates to ping –Timestamp –Info Request

24 Fun with ICMP  Advanced ICMP enumeration

25 Host Enumeration #./icmpenum -i 2 -c xxx.xx.218.0 xxx.xx.218.23 is up xxx.xx.218.26 is up xxx.xx.218.52 is up xxx.xx.218.53 is up xxx.xx.218.58 is up xxx.xx.218.63 is up xxx.xx.218.82 is up xxx.xx.218.90 is up xxx.xx.218.92 is up xxx.xx.218.96 is up xxx.xx.218.118 is up xxx.xx.218.123 is up xxx.xx.218.126 is up xxx.xx.218.130 is up xxx.xx.218.187 is up xxx.xx.218.189 is up xxx.xx.218.215 is up xxx.xx.218.253 is up

26 Nmap  Ping sweeps  Port scanning  TCP fingerprinting

27 Fun with Nmap  Additional features

28 Addition Probes  Possible security devices  Sweep for promiscuous devices

29 Network Mapping  Determine network layout  Traceroute

30 Network Mapping cw swb Internet Routers

31 Network Mapping cw swb Internet Routers

32 Network Mapping Firewall DMZ cw swb VPN Internet Routers

33 Network Mapping Firewall DMZ www ftp cw swb VPN Internet Routers

34 Network Mapping Firewall DMZ www ftp cw swb VPN Internet Routers

35 Network Mapping Sun Linux Firewall NT Hosts InsideDMZ www ftp cw swb VPN Internet Routers

36 Network Mapping Sun Linux Firewall NT Hosts InsideDMZ www ftp cw swb VPN Internet Routers Linux 2.0.38 xxx.xx.48.2 AIX 4.2.1 xxx.xx.48.1 Checkpoint Firewall-1 Solaris 2.7 xxx.xx.49.17 Checkpoint Firewall-1 Nortel Extranet xxx.xx.22. 7 Cisco 7206 204.70.xxx.xxx Nortel CVX1800 151.164.x.xxx IDS?

37 Defensive Techniques  Good security policy  Split DNS –All public systems in one DNS server located in DMZ –All internal systems using private addresses with separate DNS server internally  Drop/reject packets with a TTL of 1 or 0

38 Defensive Techniques Cont.  Minimal ports open  Stateful inspection firewalls  Modified kernels/IDS to look for fingerprint packets

39 Defensive Techniques Cont.  Limit ICMP inbound to host/destination unreachable  Limit outbound ICMP

40 DMZ Server Recommendations  Split services between servers  Current patches  Use trusted paths, anti-buffer overflow settings and kernel patches  Use any built-in firewalling software  Make use of built-in state tables

41 Firewall Rules  Limit inbound to only necessary services  Limit outbound via proxies to help control access  Block all outbound to only necessary traffic

42 Intrusion Detection Systems  Use only IDS’s that can be customized  IDS should be capable of handling fragmented packet reassembly  IDS should handle high speeds

43 Spoofed Packet Defenses  Get TTL of suspected spoofed packet  Probe the source address in the packet  Compare the probe reply’s TTL to the suspected spoofed packet

44 Questions, etc.  For followup: –http://razor.bindview.com/http://razor.bindview.com/ –thegnome@razor.bindview.comthegnome@razor.bindview.com  References: –David Dittrich’s web site http://staff.washington.edu/dittrich/http://staff.washington.edu/dittrich/ –"Network Cat and Mouse", SANS Network Security '99, New Orleans; security presentation, http://www.sans.org http://www.sans.org –"The Paranoid Network", SANS 2000, Orlando; security presentation, http://www.sans.orghttp://www.sans.org –NMap, http://www.insecure.org/nmap/http://www.insecure.org/nmap/ –Icmpenum, http://razor.bindview.com/tools/http://razor.bindview.com/tools/ –Martin Roesch’s web site http://www.clark.net/~roesch/security.htmlhttp://www.clark.net/~roesch/security.html –“Strategies for Defeating Distributed Attacks”, http://razor.bindview.com/publish/papers/strategies.html http://razor.bindview.com/publish/papers/strategies.html –“Distributed Denial of Service Defense Tactics”, http://razor.bindview.com/publish/papers/DDSA_Defense.html http://razor.bindview.com/publish/papers/DDSA_Defense.html

45 Late Breaking News  HackerShield RapidFire Update 208 –With SANS Top Ten checks, including comprehensive CGI scanner –http://www.bindview.com/products/hackershield/index.html  VLAD the Scanner –Freeware open-source security scanner, including same CGI checks as HackerShield –Focuses only on SANS Top Ten –http://razor.bindview.com/tools/index.shtml  Despoof –Detects possible spoofed packets through active queries against suspected spoofed IP address –http://razor.bindview.com/tools/index.shtml

Download ppt "Black Hat Briefings 2000: Strategies for Defeating Distributed Attacks Simple Nomad Hacker Nomad Mobile Research Centre Occam Theorist RAZOR Security Team,"

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
ARP Caching Christopher Avilla. What is ARP all about? Background Packet Structure Probe Announcement Inverse and Reverse Proxy Tools Poisoning MAC Flooding.

ARP Caching Christopher Avilla. What is ARP all about? Background Packet Structure Probe Announcement Inverse and Reverse Proxy Tools Poisoning MAC Flooding.
Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Net security - budi rahardjo Overview of Network Security Budi Rahardjo CISCO seminar 13 March 2002.

Net security - budi rahardjo Overview of Network Security Budi Rahardjo CISCO seminar 13 March 2002.
DefCon: Network Mapping Techniques Simple Nomad Nomad Mobile Research Centre BindView Corporation.

DefCon: Network Mapping Techniques Simple Nomad Nomad Mobile Research Centre BindView Corporation.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Stealth Network Strategies: Offensive and Defensive Mark Loveless RAZOR Security BindView Corporation.

Stealth Network Strategies: Offensive and Defensive Mark Loveless RAZOR Security BindView Corporation.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Similar presentations

Ads by Google