Download presentation
Presentation is loading. Please wait.
Published byKarin Fletcher Modified over 9 years ago
1
Black Hat Europe 2000: Strategies for Defeating Distributed Attacks Simple Nomad Hacker Nomad Mobile Research Centre Occam Theorist RAZOR Security Team, BindView Corporation
2
About Myself http://www.nmrc.org/ http://www.nmrc.org/ Currently Sr. Security Analyst for BindView’s RAZOR Team, http://razor.bindview.com/ http://razor.bindview.com/
3
About This Presentation Assume basics –Understand IP addressing –Understand basic system administration Tools –Where to find them –Basic usage Terminology A “Network” point of view
4
Background Originally developed during early 1999 Concepts first discussed October 1999 Many concepts can be found in DDOS software today
5
Attack Recognition Basics Pattern Recognition –Examples: Byte sequence in RAM Packet content in a network transmission Half opens against a server within a certain time frame –Considered “real-time”
6
Attack Recognition Basics Cont. Effect Recognition –Examples Unscheduled server restart in logs Unexplainable CPU utilization System binaries altered –Considered “non” real-time
7
Attack Recognition Problems Blended “pattern” and “effect” attacks Sniffing attacks Decoys and false identification of attack source
8
Attack Recognition Problems Cont. Current solutions are usually “pattern” or “effect”, no real-time global solutions Existing large scale solutions can easily be defeated
9
Common Thwarting Techniques Rule-based systems can be tricked Log watchers can be deceived Time-based rules can be bypassed
10
What is Needed The “Overall Behavior Network/Host Monitoring Tool” (which doesn’t exist)
11
What Do We Do? “Trickle Down Security” –Solutions for distributed attacks will introduce good security overall Off-the-shelf is not enough Learn about attack types Defensive techniques
12
Changing Attack Patterns More large-scale attacks Better enumeration and assessment of the target by the attacker
13
Two Basic Distributed Attack Models Attacks that do not require direct observation of the results Attacks that require the attacker to directly observe the results
14
Basic Model ServerAgent Client Issue commands Processes commands to agents Carries out commands
15
More Advanced Model TargetAttacker Forged ICMP Timestamp Requests ICMP Timestamp Replies Sniffed Replies
16
Even More Advanced Model Target Attack Node Sniffed Replies Attack Node FirewallFirewall Upstream Host Attacks or Probes Replies
17
ICMP Sweeping a network with Echo Typical alternates to ping –Timestamp –Info Request
18
Fun with ICMP Advanced ICMP enumeration –ICMP fingerprinting –Invalid header info to enumerate hosts
19
Host Enumeration #./icmpenum -i 2 -c xxx.xx.218.0 xxx.xx.218.23 is up xxx.xx.218.26 is up xxx.xx.218.52 is up xxx.xx.218.53 is up xxx.xx.218.58 is up xxx.xx.218.63 is up xxx.xx.218.82 is up xxx.xx.218.90 is up xxx.xx.218.92 is up xxx.xx.218.96 is up xxx.xx.218.118 is up xxx.xx.218.123 is up xxx.xx.218.126 is up xxx.xx.218.130 is up xxx.xx.218.187 is up xxx.xx.218.189 is up xxx.xx.218.215 is up xxx.xx.218.253 is up
20
Nmap Ping sweeps Port scanning TCP fingerprinting
21
Fun with Nmap Additional features –“Same segment” sniffing
22
Addition Probes Possible security devices –Using “bait” to fish out security mechanisms Sweep for promiscuous devices –False hosts and DNS lookups
23
Network Mapping Sun Linux Firewall NT Hosts InsideDMZ www ftp cw swb VPN Internet Routers Linux 2.0.38 xxx.xx.48.2 AIX 4.2.1 xxx.xx.48.1 Checkpoint Firewall-1 Solaris 2.7 xxx.xx.49.17 Checkpoint Firewall-1 Nortel Extranet xxx.xx.22. 7 Cisco 7206 204.70.xxx.xxx Nortel CVX1800 151.164.x.xxx IDS?
24
Defensive Techniques Good security policy Split DNS –All public systems in one DNS server located in DMZ –All internal systems using private addresses with separate DNS server internally Drop/reject packets with a TTL of 1 or 0
25
Defensive Techniques Cont. Minimal ports open Stateful inspection firewalls Modified kernels/IDS to look for fingerprint packets
26
Defensive Techniques Cont. Limit ICMP inbound to host/destination unreachable Limit outbound ICMP
27
DMZ Server Recommendations Split services between servers Current patches Use trusted paths, anti-buffer overflow settings and kernel patches Use any built-in firewalling software Make use of built-in state tables
28
Firewall Rules Limit inbound to only necessary services Limit outbound via proxies to help control access Block all outbound to only necessary traffic
29
Intrusion Detection Systems Use only IDS’s that can be customized IDS should be capable of handling fragmented packet reassembly IDS should handle high speeds
30
Spoofed Packet Defenses Get TTL of suspected spoofed packet Probe the source address in the packet Compare the probe reply’s TTL to the suspected spoofed packet
31
Questions, etc. For followup: –http://razor.bindview.com/http://razor.bindview.com/ –thegnome@razor.bindview.comthegnome@razor.bindview.com References: –David Dittrich’s web site http://staff.washington.edu/dittrich/http://staff.washington.edu/dittrich/ –"Network Cat and Mouse", SANS Network Security '99, New Orleans; security presentation, http://www.sans.org http://www.sans.org –"The Paranoid Network", SANS 2000, Orlando; security presentation, http://www.sans.orghttp://www.sans.org –NMap, http://www.insecure.org/nmap/http://www.insecure.org/nmap/ –Icmpenum, http://razor.bindview.com/tools/http://razor.bindview.com/tools/ –Martin Roesch’s web site http://www.clark.net/~roesch/security.htmlhttp://www.clark.net/~roesch/security.html –“Strategies for Defeating Distributed Attacks”, http://razor.bindview.com/publish/papers/strategies.html http://razor.bindview.com/publish/papers/strategies.html –“Distributed Denial of Service Defense Tactics”, http://razor.bindview.com/publish/papers/DDSA_Defense.html http://razor.bindview.com/publish/papers/DDSA_Defense.html –Ofin Arkin, “ICMP Usage in Scanning”, http://www.sys- security.com/archive/papers/ICMP_Scanning_v2.01.pdfhttp://www.sys- security.com/archive/papers/ICMP_Scanning_v2.01.pdf
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.