60 Days of Basic Naughtiness
This is part of a larger project: to analyze and track attack and probe methods and sources, to build a holistic view of site probes and attacks, to create an early-warning and verification/validation system/site for others to use, and to track particularly popular source netblocks and assist the netblock owners with proper defense and mitigation.

Presentation Transcript

  • 60 Days of Basic Naughtiness – Probes and Attacks Endured by an Active Web Site – 16 March 2001
  • 60 Days of Basic Naughtiness
    • Statistical analysis of log and IDS files.
    • Statistical analysis of a two-day DDoS attack.
    • Methods of mitigation.
    • Questions.
  • About the Site
    • Production site for several (> 4) years.
    • Largely static content.
    • No e-commerce.
    • Layers of defense – more on that later!
  • About the Data
    • Data from router logs.
    • Data from IDS logs.
    • Snapshot taken from 60 days of combined data.
    • Data processed by several home-brew tools (mostly Perl and awk).
  • Definition of “Naughty”
    • Any traffic that is logged by a specific “deny” ACL.
    • Any traffic that presents a pattern detected by the IDS software.
    • The two log sources are not necessarily synchronized.
  • Daily Probes and Attacks
    • TCP and UDP Probes and Attacks – ICMP not counted.
    • Average – 529.00
    • Standard deviation – 644.10!
    • 60 Day Low – 83.00
    • 60 Day High – 4355.00
  • Daily Probes and Attacks
  • Weekly Probes and Attacks
    • There is no steady-state.
    • Attacks come in waves, generally on the heels of a new exploit and scan.
    • Certain types of scans (e.g. Netbios) tend to run 24x7x365.
    • Proactive monitoring, based on underground and public alerts, will result in significant data capture.
  • Weekly Probes and Attacks Trend Analysis
  • Hourly Probes and Attacks
    • Myth: “Most attacks occur at night.”
    • An attacker’s evening may be a victim’s day – the nature of a global network.
    • Truth: Don’t plan based on the clock.
  • Hourly Probes and Attacks Trend Analysis
  • UDP Probes and Attacks Top Five Destination Ports
    • First – 137 NETBIOS
    • Second – 53 DNS
    • Third – 27960
    • Fourth – 500 ISAKMP
    • Fifth – 33480 (likely UNIX traceroute)
  • UDP Probes and Attacks Trend Analysis
  • TCP Probes and Attacks Top Five Destination Ports
    • First – 3663 (DDoS Attack)
    • Second – 0 Reserved (DDoS Attack)
    • Third – 6667 IRC (DDoS Attack)
    • Fourth – 81 (DDoS Attack)
    • Fifth – 21 FTP-control
  • TCP Probes and Attacks Trend Analysis
  • Source Address of Probes and Attacks
  • Source Address of Probes and Attacks
  • Source Address of Probes and Attacks
    • Bogon source attacks still common.
    • Of all source addresses, 53.39% were in the Class D and Class E space.
    • Percentage of bogons, all classes – 66.85%!
    • This is good news – prefix-list, ACL defense, and uRPF will block 66.85% of these nasties!
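The slides describe the data as router "deny" ACL logs crunched by home-brew Perl and awk tools into daily counts (average, standard deviation, low, high), top-five destination ports per protocol, and a bogon percentage for source addresses. The script below is an added example in that spirit, not one of the author's tools: it parses constructed log lines whose format is modelled on Cisco IOS `%SEC-6-IPACCESSLOGP` deny messages, and its bogon table covers the Class D and Class E space the slide singles out plus the private, loopback, link-local and 0/8 ranges an anti-bogon prefix-list would also drop (a fixed subset of a full bogon list, not the list the site used). All addresses are documentation or reserved ranges chosen for the example.

```python
"""Log crunching in the spirit of the presentation's home-brew Perl/awk tools.

Added example, not one of the author's tools. The log format mimics Cisco IOS
"%SEC-6-IPACCESSLOGP" deny messages and every address below is constructed
(documentation or reserved space) to exercise the bogon check.
"""
import ipaddress
import re
import statistics
from collections import Counter

# Constructed router "deny" ACL log lines (the slide's first definition of "naughty").
SAMPLE_LOG = """\
Mar 01 02:14:07 border 1234: %SEC-6-IPACCESSLOGP: list 110 denied udp 224.0.1.9(1045) -> 198.51.100.10(137), 1 packet
Mar 01 03:22:19 border 1235: %SEC-6-IPACCESSLOGP: list 110 denied tcp 240.10.20.30(2211) -> 198.51.100.10(21), 1 packet
Mar 01 11:40:00 border 1236: %SEC-6-IPACCESSLOGP: list 110 denied udp 203.0.113.77(53) -> 198.51.100.10(53), 1 packet
Mar 02 00:01:55 border 1237: %SEC-6-IPACCESSLOGP: list 110 denied udp 10.1.2.3(33480) -> 198.51.100.10(33480), 1 packet
Mar 02 09:30:12 border 1238: %SEC-6-IPACCESSLOGP: list 110 denied tcp 0.0.0.0(0) -> 198.51.100.10(0), 1 packet
Mar 02 13:05:41 border 1239: %SEC-6-IPACCESSLOGP: list 110 denied udp 192.0.2.200(27960) -> 198.51.100.10(27960), 1 packet
Mar 02 21:17:09 border 1240: %SEC-6-IPACCESSLOGP: list 110 denied udp 172.16.5.5(3120) -> 198.51.100.10(137), 1 packet
Mar 03 18:47:03 border 1241: %SEC-6-IPACCESSLOGP: list 110 denied tcp 127.0.0.1(6667) -> 198.51.100.10(6667), 1 packet
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) .*?"
    r"denied (?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Bogon classes used by this example: Class D/E as on the slide, plus reserved and
# private ranges that an anti-bogon prefix-list / uRPF setup would also drop.
# This is a fixed subset of a full bogon list, not the list the site actually used.
BOGON_CLASSES = [
    ("Class D (multicast)", ipaddress.ip_network("224.0.0.0/4")),
    ("Class E (reserved)", ipaddress.ip_network("240.0.0.0/4")),
    ("RFC 1918 private", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918 private", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918 private", ipaddress.ip_network("192.168.0.0/16")),
    ("0.0.0.0/8 'this network'", ipaddress.ip_network("0.0.0.0/8")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
]


def parse_log(text):
    """Return one dict per matching TCP/UDP deny line; ICMP and unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["day_key"] = f"{ev['mon']} {ev['day']}"  # syslog carries no year
        ev["hour"] = int(ev["time"][:2])
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def daily_stats(events):
    """Per-day hit counts summarised as mean, sample standard deviation, low and high."""
    counts = list(Counter(ev["day_key"] for ev in events).values())
    if not counts:
        return {"days": 0, "mean": 0.0, "stdev": 0.0, "low": 0, "high": 0}
    return {
        "days": len(counts),
        "mean": statistics.mean(counts),
        "stdev": statistics.stdev(counts) if len(counts) > 1 else 0.0,
        "low": min(counts),
        "high": max(counts),
    }


def classify_source(addr):
    """Name the bogon class an address falls in, or None if it is outside the table."""
    ip = ipaddress.ip_address(addr)
    for name, net in BOGON_CLASSES:
        if ip in net:
            return name
    return None


def bogon_report(events):
    """Share of deny entries whose source is a bogon, overall and for Class D/E only."""
    by_class = Counter(classify_source(ev["src"]) or "routable" for ev in events)
    total = len(events)
    bogon = total - by_class["routable"]
    class_d_e = by_class["Class D (multicast)"] + by_class["Class E (reserved)"]
    return {
        "by_class": dict(by_class),
        "pct_bogon": round(100.0 * bogon / total, 2) if total else 0.0,
        "pct_class_d_e": round(100.0 * class_d_e / total, 2) if total else 0.0,
    }


def top_ports(events, proto, n=5):
    """Top-N destination ports for one protocol, like the slide's top-five lists."""
    return Counter(ev["dport"] for ev in events if ev["proto"] == proto).most_common(n)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("daily:", daily_stats(evs))
    print("bogons:", bogon_report(evs))
    for proto in ("udp", "tcp"):
        print(f"top {proto} dst ports:", top_ports(evs, proto))
```

On the constructed sample, six of the eight denied entries come from bogon space (75%), two of them from Class D/E (25%), which is the same shape of result as the slide's 66.85% and 53.39%; the practical point is that whatever share the bogon column shows is traffic a prefix-list, ACL or uRPF check at the border would have dropped before it reached the IDS or the hosts. Note that two of the sample sources (192.0.2.0/24 and 203.0.113.0/24) are documentation ranges standing in for ordinary routable sources; a current bogon list would flag them too.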
  • Source Region of the Naughty – A dangerously misleading slide
  • Intrusion (attempt) Detection
    • IDS is not foolproof!
    • Incorrect fingerprinting does occur.
    • You cannot identify that which you cannot see.
  • Top Five IDS Detected Probes
  • Top Five Detected IDS Probes
  • Top Five IDS Detected Attacks
  • Top Five IDS Detected Sources
  • Top Five IDS Detected Sources
  • Match a Source with a Scan
  • Two Days of DDoS
    • Attack that resulted in 10295 hits on day one and 77466 hits on day two.
    • Attack lasted 25 hours, 25 minutes, and 44 seconds.
    • Quasi-random UDP high ports (source and destination), small packets.
  • Two Days of DDoS
    • Perhaps as many as 2000 hosts used by the attackers.
    • 23 unique organizations.
    • 9 different nations located in the Americas, Europe, and Asia.
    • Source netblocks all legitimate.
  • Two Days of DDoS
  • Two Days of DDoS
  • Site Defense and Attack Mitigation
    • While you cannot prevent an attack, you can choose how to react to an attack.
    • Layers of defense that use multiple tools.
    • Layers of monitoring and alert mechanisms.
    • Know how to respond before the attack begins.
  • Site Defense and Attack Mitigation
    • Border router
      • Protocol shaping and filtering.
      • Anti-bogon and anti-spoofing defense (uRPF), ingress and egress filtering.
      • NetFlow.
    • IDS device(s)
      • Attack and probe signatures.
      • Alerts.
  • Site Defense and Attack Mitigation
    • Border firewall
      • Port filtering.
      • Logging.
      • Some IDS capability.
    • End systems
      • Tuned kernel.
      • TCP wrappers, disable services, etc.
      • Crunchy through and through!
  • Site Defense and Attack Mitigation
    • Don’t panic!
    • Collect data!
    • The good news – you can survive!
  • References and shameless self-advertisements
    • RFC 2267 – http://rfc.net/rfc2267.html
    • Secure IOS Template – http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html
    • Secure BGP Template – http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html
    • UNIX IP Stack Tuning Guide – http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html
  • Any questions?
  • Thank you for your time!
    • Thanks to Jan, Luuk, and Jacques for inviting me to speak with you today.
    • Thanks to Surfnet/CERT-NL for picking up the travel.
    • Thanks for all of the coffee!