60 Days of Basic Naughtiness



Usage rights: © All Rights Reserved

  • This is part of a larger project – to analyze and track attack and probe methods and sources. A holistic view of site probes and attacks. To create an early warning and verification/validation system/site for others to use. To track particularly popular source netblocks and assist the netblock owners with proper defense and mitigation.

Presentation Transcript

  • 60 Days of Basic Naughtiness: Probes and Attacks Endured by an Active Web Site. 16 March 2001.
  • 60 Days of Basic Naughtiness
    • Statistical analysis of log and IDS files.
    • Statistical analysis of a two-day DDoS attack.
    • Methods of mitigation.
    • Questions.
  • About the Site
    • Production site for several (> 4) years.
    • Largely static content.
    • No e-commerce.
    • Layers of defense – more on that later!
  • About the Data
    • Data from router logs.
    • Data from IDS logs.
    • Snapshot taken from 60 days of combined data.
    • Data processed by several home-brew tools (mostly Perl and awk).
  • Definition of “Naughty”
    • Any traffic that is logged by a specific “deny” ACL.
    • Any traffic that presents a pattern detected by the IDS software.
    • The two log sources are not necessarily synchronized.
  • Daily Probes and Attacks
    • TCP and UDP Probes and Attacks – ICMP not counted.
    • Average – 529.00
    • Standard deviation – 644.10!
    • 60 Day Low – 83.00
    • 60 Day High – 4355.00
  • Daily Probes and Attacks
  • Weekly Probes and Attacks
    • There is no steady-state.
    • Attacks come in waves, generally on the heels of a new exploit and scan.
    • Certain types of scans (e.g. Netbios) tend to run 24x7x365.
    • Proactive monitoring, based on underground and public alerts, will result in significant data capture.
  • Weekly Probes and Attacks Trend Analysis
  • Hourly Probes and Attacks
    • Myth: “Most attacks occur at night.”
    • An attacker’s evening may be a victim’s day – the nature of a global network.
    • Truth: Don’t plan based on the clock.
  • Hourly Probes and Attacks Trend Analysis
  • UDP Probes and Attacks Top Five Destination Ports
    • First – 137 NETBIOS
    • Second – 53 DNS
    • Third – 27960
    • Fourth – 500 ISAKMP
    • Fifth – 33480 (likely UNIX traceroute)
  • UDP Probes and Attacks Trend Analysis
  • TCP Probes and Attacks Top Five Destination Ports
    • First – 3663 (DDoS Attack)
    • Second – 0 Reserved (DDoS Attack)
    • Third – 6667 IRC (DDoS Attack)
    • Fourth – 81 (DDoS Attack)
    • Fifth – 21 FTP-control
  • TCP Probes and Attacks Trend Analysis
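
The daily, hourly and per-port figures on the slides above came out of home-brew Perl and awk run over the router and IDS logs. The following is an added example, not the talk's own tooling: the same pipeline in Python over a handful of constructed Cisco IOS ACL deny-log lines (the %SEC-6-IPACCESSLOGP / -LOGDP format a logged "deny" entry produces; ACL number 101 and every address, port and packet count are invented). It gives per-day totals with average, standard deviation, low and high, an hour-of-day histogram for the "attacks happen at night" question, and the top destination ports per protocol, with ICMP excluded as the talk excludes it.

```python
import re
import statistics
from collections import Counter

# Constructed sample log in the Cisco IOS %SEC-6-IPACCESSLOGP / -LOGDP format that a
# logged "deny" ACL entry produces. Addresses, ports and packet counts are invented.
SAMPLE_LOG = """\
Mar 01 02:11:40 %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.7(1025) -> 198.51.100.5(137), 1 packet
Mar 01 03:40:12 %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(53) -> 198.51.100.5(53), 3 packets
Mar 01 14:02:01 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.44(4321) -> 198.51.100.5(21), 1 packet
Mar 01 23:59:59 %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.50 -> 198.51.100.5 (8/0), 1 packet
Mar 02 00:00:03 %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.7(1026) -> 198.51.100.5(137), 3 packets
Mar 02 12:13:14 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.45(1111) -> 198.51.100.5(3663), 40 packets
Mar 03 05:05:05 %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.8(27960) -> 198.51.100.5(27960), 1 packet
Mar 03 06:06:06 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.46(2222) -> 198.51.100.5(6667), 5 packets
"""

# ICMP entries carry no ports and a trailing "(type/code)", so the port groups are optional.
LINE_RE = re.compile(
    r"^(?P<day>\w{3} \d{2}) (?P<hour>\d{2}):\d{2}:\d{2} "
    r"%SEC-6-IPACCESSLOG\w*: list \S+ denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?.*?, (?P<pkts>\d+) packets?$"
)


def parse(log_text):
    """Turn deny-log lines into dicts. Lines that do not match are skipped, not guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "day": d["day"], "hour": int(d["hour"]), "proto": d["proto"],
            "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]) if d["dport"] else None,
            "pkts": int(d["pkts"]),
        })
    return events


def naughty(events):
    """The talk counts TCP and UDP only; ICMP is logged but left out of the totals."""
    return [e for e in events if e["proto"] in ("tcp", "udp")]


def daily_counts(events):
    """Packets denied per day, keyed by the log's 'Mon DD' date."""
    counts = Counter()
    for e in naughty(events):
        counts[e["day"]] += e["pkts"]
    return dict(counts)


def daily_stats(counts):
    """Average, population standard deviation, low and high over the days present."""
    values = list(counts.values())
    return {
        "average": statistics.mean(values),
        "stdev": statistics.pstdev(values),  # population; the talk does not say which it used
        "low": min(values),
        "high": max(values),
    }


def hourly_counts(events):
    """Packets per hour of day (0-23), the data behind the 'attacks happen at night' myth."""
    counts = Counter()
    for e in naughty(events):
        counts[e["hour"]] += e["pkts"]
    return dict(counts)


def top_ports(events, proto, n=5):
    """Top n destination ports for one protocol, as (port, packets) pairs."""
    counts = Counter()
    for e in naughty(events):
        if e["proto"] == proto and e["dport"] is not None:
            counts[e["dport"]] += e["pkts"]
    return counts.most_common(n)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(daily_stats(daily_counts(evs)))
    print("udp", top_ports(evs, "udp"), "tcp", top_ports(evs, "tcp"))
```

Whether the talk's 644.10 is a sample or a population standard deviation is not stated; pstdev is used here and the choice barely matters over 60 days. The point of the slide survives either way: with a standard deviation larger than the mean, a single fixed threshold on daily volume either pages constantly or misses the waves, which is why the talk leans on trend analysis and on external alerts rather than on a static alarm level.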
  • Source Address of Probes and Attacks
    • Bogon source attacks still common.
    • Of all source addresses, 53.39% were in the Class D and Class E space.
    • Percentage of bogons, all classes – 66.85%!
    • This is good news – prefix-list, ACL defense, and uRPF will block 66.85% of these nasties!
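
To see how the 53.39% and 66.85% figures are produced, and what the prefix-list/ACL defense the slide mentions looks like, here is an added example in Python; it is not the talk's code. The bogon list is an illustrative subset (RFC 1918 space, 0/8, loopback, link-local and the whole Class D/E range), the source addresses are constructed with one entry per logged hit, the RFC 5737 documentation ranges stand in for routable sources and are deliberately left out of the list, and the site prefix 198.51.100.0/24 is assumed. The last function turns the list into a Cisco IOS extended ACL, computing the wildcard mask from each prefix.

```python
import ipaddress

# Illustrative bogon list in the sense the talk uses: source addresses that should never
# arrive from the Internet. A production list (e.g. Team Cymru's) is longer and changes.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4",   # Class D, multicast
    "240.0.0.0/4",   # Class E, reserved
)]
CLASS_DE = ipaddress.ip_network("224.0.0.0/3")   # Class D and Class E together

# Constructed source addresses, one entry per logged hit. The RFC 5737 documentation
# ranges stand in for routable sources and are deliberately not in BOGONS above;
# a real deployment would filter them as well.
SAMPLE_SOURCES = [
    "224.0.0.9", "224.1.2.3", "230.10.10.10", "239.255.255.250", "239.1.2.3",
    "240.0.0.1", "244.5.6.7", "250.1.1.1", "254.254.254.254", "255.255.255.255",
    "10.1.2.3", "127.0.0.1", "192.168.5.5",
    "203.0.113.7", "203.0.113.9", "203.0.113.200", "203.0.113.50",
    "192.0.2.44", "192.0.2.45", "192.0.2.46",
]


def is_class_de(addr):
    return ipaddress.ip_address(addr) in CLASS_DE


def is_bogon(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in BOGONS)


def bogon_report(sources):
    """Share of hits from Class D/E space and from any bogon prefix, as percentages."""
    total = len(sources)
    class_de = sum(1 for s in sources if is_class_de(s))
    bogon = sum(1 for s in sources if is_bogon(s))
    return {
        "total": total,
        "class_de_pct": round(100.0 * class_de / total, 2),
        "bogon_pct": round(100.0 * bogon / total, 2),
    }


def bogon_acl(acl_number, own_prefix=None, prefixes=BOGONS):
    """Emit a Cisco IOS extended ACL (deny + log per bogon, then permit any) for the
    inbound side of the external interface. own_prefix, if given, is the site's own
    netblock: a packet arriving from outside with that source is spoofed (RFC 2267)."""
    nets = list(prefixes)
    if own_prefix:
        nets.append(ipaddress.ip_network(own_prefix))   # assumed site prefix
    lines = [f"access-list {acl_number} deny ip {n.network_address} {n.hostmask} any log"
             for n in nets]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    print(bogon_report(SAMPLE_SOURCES))
    print("\n".join(bogon_acl(101, own_prefix="198.51.100.0/24")))
```

The `log` keyword on each deny is what feeds the router-log analysis earlier in the talk; during a flood it also means the router spends cycles logging, so rate-limit ACL logging rather than logging unconditionally. Strict uRPF on a single-homed edge (`ip verify unicast reverse-path` in IOS of that era) drops the same spoofed sources without a maintained list, and the two are complementary: the ACL catches what uRPF cannot reason about, uRPF catches bogons the list has not caught up with.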
  • Source Region of the Naughty (a dangerously misleading slide)
  • Intrusion (attempt) Detection
    • IDS is not foolproof!
    • Incorrect fingerprinting does occur.
    • You cannot identify that which you cannot see.
  • Top Five IDS Detected Probes
  • Top Five IDS Detected Attacks
  • Top Five IDS Detected Sources
  • Match a Source with a Scan
  • Two Days of DDoS
    • Attack that resulted in 10295 hits on day one and 77466 hits on day two.
    • Attack lasted 25 hours, 25 minutes, and 44 seconds.
    • Quasi-random UDP high ports (source and destination), small packets.
  • Two Days of DDoS
    • Perhaps as many as 2000 hosts used by the attackers.
    • 23 unique organizations.
    • 9 different nations located in the Americas, Europe, and Asia.
    • Source netblocks all legitimate.
  • Two Days of DDoS
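
The attack profile on these slides (quasi-random UDP high ports at both ends, small packets, many legitimate source netblocks) is something NetFlow from the border router, which the talk lists among its tools, lets you pick out and measure. The following is an added example in Python, not the talk's code: it filters constructed NetFlow-style records down to flows matching that profile and reports hit counts per day, unique sources, the attack duration in the talk's format and how random the destination ports were. The 64-byte-per-packet cut-off and the minimum of 50 packets per flow are assumed thresholds; grouping sources by /24 is a crude stand-in for the whois-based organization count the talk gives, and the timestamps are invented to span the talk's 25 hours, 25 minutes and 44 seconds.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed NetFlow-style records: (start time, source, protocol, sport, dport, packets, bytes).
FLOWS = [
    ("2001-02-10T09:00:00", "203.0.113.10", "udp", 40001, 51233, 120, 4800),
    ("2001-02-10T09:00:05", "203.0.113.11", "udp", 38877, 60012, 90, 3600),
    ("2001-02-10T09:00:09", "192.0.2.8", "udp", 42111, 33001, 200, 8000),
    ("2001-02-10T09:30:00", "203.0.113.77", "udp", 53, 53, 10, 1200),        # DNS: low ports, not the attack
    ("2001-02-10T10:00:00", "203.0.113.80", "tcp", 4444, 80, 30, 21000),     # web: TCP, not the attack
    ("2001-02-10T22:15:00", "203.0.113.12", "udp", 50555, 49999, 300, 12000),
    ("2001-02-11T08:00:00", "192.0.2.5", "udp", 33434, 33480, 3, 120),       # traceroute: same shape, tiny volume
    ("2001-02-11T10:25:44", "192.0.2.9", "udp", 47000, 52000, 150, 6000),
]


def attack_flows(flows, max_bytes_per_pkt=64, min_pkts=50):
    """Flows matching the talk's DDoS profile: UDP, both ports above 1023, small packets.
    min_pkts keeps a lone UNIX traceroute (same ports, same packet size) out of the match;
    both thresholds are assumed values, not figures from the talk."""
    out = []
    for ts, src, proto, sport, dport, pkts, nbytes in flows:
        if proto != "udp" or sport <= 1023 or dport <= 1023:
            continue
        if pkts < min_pkts or nbytes / pkts > max_bytes_per_pkt:
            continue
        out.append((ts, src, proto, sport, dport, pkts, nbytes))
    return out


def fmt_duration(seconds):
    h, rem = divmod(int(seconds), 3600)
    m, s = divmod(rem, 60)
    return f"{h} hours, {m} minutes, and {s} seconds"


def summarize(flows):
    """Describe the matching flows the way the talk's DDoS slides do."""
    hits = attack_flows(flows)
    if not hits:
        return None
    times = [datetime.fromisoformat(f[0]) for f in hits]
    srcs = {f[1] for f in hits}
    per_day = Counter()
    for f in hits:
        per_day[f[0][:10]] += f[5]
    # /24 grouping is a crude stand-in for the whois lookup behind "23 unique organizations".
    blocks = {ipaddress.ip_network(f"{s}/24", strict=False) for s in srcs}
    return {
        "flows": len(hits),
        "packets": sum(f[5] for f in hits),
        "per_day": dict(per_day),
        "unique_sources": len(srcs),
        "source_slash24s": len(blocks),
        "distinct_dports": len({f[4] for f in hits}),   # equal to flows => ports look random
        "start": min(times).isoformat(),
        "duration": fmt_duration((max(times) - min(times)).total_seconds()),
    }


if __name__ == "__main__":
    print(summarize(FLOWS))
```

The traceroute record is the edge case worth keeping: packet by packet it is indistinguishable from the flood (UDP, high ports, ~40 bytes), and only volume separates them, so a per-packet signature on the IDS will fire on every traceroute while a flow-level filter will not. The same reasoning is why the talk's mitigation is at the border router rather than at the hosts.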
  • Site Defense and Attack Mitigation
    • While you cannot prevent an attack, you can choose how to react to it.
    • Layers of defense that use multiple tools.
    • Layers of monitoring and alert mechanisms.
    • Know how to respond before the attack begins.
  • Site Defense and Attack Mitigation
    • Border router
      • Protocol shaping and filtering.
      • Anti-bogon and anti-spoofing defense (uRPF), ingress and egress filtering.
      • NetFlow.
    • IDS device(s)
      • Attack and probe signatures.
      • Alerts.
  • Site Defense and Attack Mitigation
    • Border firewall
      • Port filtering.
      • Logging.
      • Some IDS capability.
    • End systems
      • Tuned kernel.
      • TCP wrappers, disable services, etc.
      • Crunchy through and through!
  • Site Defense and Attack Mitigation
    • Don’t panic!
    • Collect data!
    • The good news - you can survive!
  • References and shameless self-advertisements
    • RFC 2267, Network Ingress Filtering (Ferguson and Senie; since superseded by RFC 2827) – http://rfc.net/rfc2267.html
    • Secure IOS Template – http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html
    • Secure BGP Template – http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html
    • UNIX IP Stack Tuning Guide – http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html
  • Any questions?
  • Thank you for your time!
    • Thanks to Jan, Luuk, and Jacques for inviting me to speak with you today.
    • Thanks to Surfnet/CERT-NL for picking up the travel.
    • Thanks for all of the coffee!