
Building a Honeypot and Detecting DDoS Attacks


Presenter: Terrence Gareau

The talk describes how to build a honeypot (a decoy) and run a service with continuously updated data on the DDoS bots it catches, using Kibana, Elasticsearch, Logstash and AMQP. The speaker will open-source the system for monitoring and collecting external DDoS attack statistics that he and his team have been working on for the past two years.


  1. Monitoring Reflective DDoS with Honeypots. Terrence "tuna" Gareau, @kingtuna, Github.com/kingtuna, and Krassimir T. Tzvetanov
  2. Introduction
  3. Goals: "Reproducible data source for DDoS targets that is easy to use and share content"
  4. Summary: Introduction, Problems to Solve, Architecture, Code
  5. Problem
  6. Problem
  7. Problem
  8. Problem
  9. Problem
  10. Problem. 2.1 / DDoS Attack Vectors / "As shown in Figure 2-1, infrastructure attacks continue to dominate, increasing 2% from last quarter and accounting for 97% of all DDoS attack activity. The large increases at the infrastructure layer further diminished the percentage of application layer attacks, which have decreased slightly over time." https://www.akamai.com/us/en/multimedia/documents/report/q4-2015-state-of-the-internet-security-report.pdf
  11. Our research has pointed something out.
      AS       Count   Name
      6939     7034    HURRICANE - Hurricane Electric, Inc., US
      4134     6663    CHINANET-BACKBONE No.31, Jin-rong Street, CN
      7922     3447    COMCAST-7922 - Comcast Cable Communications, Inc., US
      16276    3161    OVH OVH SAS, FR
      37963    2989    CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co., Ltd., CN
      200000   2272    UKRAINE-AS Hosting Ukraine LTD, UA
      48347    2056    MTW-AS JSC MediaSoft Ekspert, RU
      4837     1950    CHINA169-BACKBONE CNCGROUP China169 Backbone, CN
      58543    1940    CHINATELECOM-GUANGDONG-IDC Guangdong, CN
      7018     1677    ATT-INTERNET4 - AT&T Services, Inc., US
      28573    1290    CLARO S.A., BR
      701      1216    UUNET - MCI Communications Services, Inc. d/b/a Verizon Business, US
      23650    981     CHINANET-JS-AS-AP AS Number for CHINANET jiangsu province backbone, CN
      5089     945     NTL Virgin Media Limited, GB
      24940    940     HETZNER-AS Hetzner Online GmbH, DE
      18881    936     Global Village Telecom, BR
      20115    931     CHARTER-NET-HKY-NC - Charter Communications, US
      5607     911     BSKYB-BROADBAND-AS Sky UK Limited, GB
      13335    783     CLOUDFLARENET - CloudFlare, Inc., US
      1221     723     ASN-TELSTRA Telstra Pty Ltd, AU
  12. DoS Evolution
  13. Reflection and amplification (diagram). Attacker -> Reflector: S: 191.236.103.221, D: 3.3.3.3, Size: 64 bytes (the source address is spoofed to the Victim's). Reflector -> Victim: S: 3.3.3.3, D: 191.236.103.221, Size: 512 bytes.
  14. 20 Million Open DNS Resolvers, according to the Open Resolver Project (10.15.2015)
  15. Needles are No Longer in Haystacks. There are about 3.7 billion active IPv4 addresses. How many have misconfigured services? It takes about 8 hours to scan the Internet for a particular service on a $10 VPS.
  16. Scanners
  17. Appear as a Victim, Become Exploited, and Log
  18. What Services we support
      Port    Service            Provided
      19      CHARGEN            x
      7       Echo               x
      5353    MDNS               x
      1434    Mssql
      5351    NAT-PMP            x
      111     Portmapper         x
      27960   Quake
      520     RIP
      5093    Sentinel           x
      161     SNMP               x
      1900    SSDP               x
      9987    TeamSpeak3         x
      7778    UnrealTournament
      177     XDMCP              x
      500     IKE                x
      69      TFTP
  19. Architecture
  20. Sensors -> Message Bus -> Data Store -> Visualize (Sensor -> AMQP -> Elasticsearch)
  21. Understand the Current State
  22. Collaborate: EMAIL, Message Bus
  23. Evaluate Different Risks
  24. Basics
      • Ubuntu 14.04 LTS
      • Installs via Bash script
      • Runs Xinetd, Bind9, NTPD, emulators
      • Logs with Bro
      • Ships logs with Logstash via AMQP
      • Receives and indexes in Elasticsearch with Logstash via AMQP
      • Visualizes with Kibana
  25. Simple Sketch
  26. Simple Sketch: Bro -> Logstash -> AMQP over SSL -> Logstash
  27. Bro
  28. Parse this Nice and Easy with this.
  29. Parse this Nice and Easy with this.

```
input {
  # Production Logs #############################
  file {
    type => "BRO_connlog"
    path => "/nsm/bro/logs/current/conn.log"
  }
}

filter {
  # BRO_connlog ######################
  if [type] == "BRO_connlog" {
    grok {
      # conn.log columns are tab-separated; \t is the tab between the captures
      match => [ "message", "(?<ts>(.*?))\t(?<uid>(.*?))\t(?<id.orig_h>(.*?))\t(?<id.orig_p>(.*?))\t(?<id.resp_h>(.*?))\t(?<id.resp_p>(.*?))\t(?<proto>(.*?))\t(?<service>(.*?))\t(?<duration>(.*?))\t(?<orig_bytes>(.*?))\t(?<resp_bytes>(.*?))\t(?<conn_state>(.*?))\t(?<local_orig>(.*?))\t(?<missed_bytes>(.*?))\t(?<history>(.*?))\t(?<orig_pkts>(.*?))\t(?<orig_ip_bytes>(.*?))\t(?<resp_pkts>(.*?))\t(?<resp_ip_bytes>(.*?))\t(?<tunnel_parents>(.*?))" ]
    }
  }
}
```

  30. Parse this Nice and Easy with this.

```
output {
  rabbitmq {
    host => "HOST_IP"        # placeholder for the message bus address
    port => 5671
    ssl => true
    user => "USER"
    password => "PASSWORD"
    vhost => "/amp"
    exchange => "amq.direct"
    exchange_type => "direct"
    durable => true
    persistent => true
  }
}
```
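The conn.log layout the grok pattern above depends on, as an added example that is not part of the talk or the kingtuna repository: a Python parser for the same 20 tab-separated fields that turns sensor records into the per-service feed (the spoofed sources, which are the real victims, plus the observed amplification ratio). The port-to-service map is taken from the "What Services we support" slide; the log lines are constructed sample data.

```python
from collections import defaultdict

# Field order of a Bro conn.log record: the 20 fields the slide's grok pattern captures.
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
               "service", "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
               "missed_bytes", "history", "orig_pkts", "orig_ip_bytes", "resp_pkts",
               "resp_ip_bytes", "tunnel_parents"]
# UDP services the sensor emulates, from the "What Services we support" slide.
EMULATED = {19: "CHARGEN", 7: "Echo", 5353: "MDNS", 5351: "NAT-PMP", 111: "Portmapper",
            5093: "Sentinel", 161: "SNMP", 1900: "SSDP", 9987: "TeamSpeak3", 177: "XDMCP", 500: "IKE"}

def parse_conn_line(line):
    """Split one tab-separated conn.log line into a dict; None for '#' headers or malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(CONN_FIELDS):
        return None
    rec = dict(zip(CONN_FIELDS, parts))
    for key in ("id.orig_p", "id.resp_p", "orig_bytes", "resp_bytes"):
        rec[key] = int(rec[key]) if rec[key] != "-" else 0  # Bro writes '-' for unset
    return rec

def reflection_feed(lines):
    """Per emulated service: the spoofed source addresses (the real victims) and the amplification ratio."""
    per_port = defaultdict(lambda: {"victims": set(), "orig_bytes": 0, "resp_bytes": 0})
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "udp" or rec["id.resp_p"] not in EMULATED:
            continue
        s = per_port[rec["id.resp_p"]]
        s["victims"].add(rec["id.orig_h"])  # the request source is spoofed: it is who gets the reply
        s["orig_bytes"] += rec["orig_bytes"]
        s["resp_bytes"] += rec["resp_bytes"]
    feed = {}
    for port, s in per_port.items():
        ratio = s["resp_bytes"] / s["orig_bytes"] if s["orig_bytes"] else 0.0
        feed[EMULATED[port]] = {"victims": sorted(s["victims"]), "amplification": round(ratio, 1)}
    return feed

def _rec(orig_h, resp_p, proto, obytes, rbytes):
    """Helper that builds one constructed 20-field conn.log line; the reflector is 3.3.3.3 as in the slide."""
    return "\t".join(["1459468800.0", "Cuid1", orig_h, "53210", "3.3.3.3", str(resp_p), proto, "-",
                      "0.0001", str(obytes), str(rbytes), "SF", "-", "0", "Dd", "1", str(obytes + 28),
                      "1", str(rbytes + 28), "(empty)"])

# Constructed sample log (not real traffic): two CHARGEN and one SSDP reflection, one TCP line ignored.
SAMPLE_LOG = ["#fields\tts\tuid", _rec("191.236.103.221", 19, "udp", 64, 512),
              _rec("191.236.103.221", 19, "udp", 64, 512), _rec("198.51.100.7", 1900, "udp", 90, 2700),
              _rec("203.0.113.9", 22, "tcp", 300, 1200)]
```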
  31. Same on the Other End. On the other end, where Elasticsearch is hosted, set the input to amqp and the output to elasticsearch. We found it best to use the node type in Logstash for inserting logs into Elasticsearch. FYI, it uses port 9300.
  32. Same on the Other End: KOPF
  33. Same on the Other End: KOPF
  34. Same on the Other End. Don't forget to click all the things.
  35. Daily Cron. Every day we run a Python script to create the feed.
  36. Recap: Bro -> Logstash -> AMQP over SSL -> Logstash -> Python -> Feed Data
  37. Make Reports, APIs
  38. Annoyances. TLP:RED. Hosting providers responding to abuse....
  39. Code
  40. Extract Data from the Store. We extract data out of Elasticsearch with Python. We learned that most errors come from Elasticsearch. For Python we like the official library from Elasticsearch the most. We also increased our timeout to 30 from the default 10.
  41. Extract Data from the Store. We used Kibana to help us build our queries.
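An added example (not the talk's own cron script) of the daily extraction step: the Elasticsearch query body for the last 24 hours of BRO_connlog events aggregated by service port and spoofed source, the flattening of the reply into feed rows, and the client call with the timeout raised to 30 seconds. The index pattern logstash-*, the @timestamp field and the client keyword arguments (elasticsearch-py 7.x and earlier) are assumptions; the response is constructed.

```python
from datetime import datetime, timedelta, timezone

def feed_query(now, hours=24, size=500):
    """Query body: the last `hours` of BRO_connlog UDP events, counted per service port and victim."""
    since = (now - timedelta(hours=hours)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "size": 0,  # only the aggregation is needed, not the hits
        "query": {"bool": {"filter": [
            {"term": {"type": "BRO_connlog"}},          # type set by the Logstash file input
            {"term": {"proto": "udp"}},
            {"range": {"@timestamp": {"gte": since}}},  # assumed timestamp field
        ]}},
        "aggs": {"port": {"terms": {"field": "id.resp_p", "size": size},
                          "aggs": {"victim": {"terms": {"field": "id.orig_h", "size": size}}}}},
    }

def feed_rows(response):
    """Flatten the nested port -> victim aggregation into (port, victim_ip, count) rows."""
    rows = []
    for pb in response["aggregations"]["port"]["buckets"]:
        for vb in pb["victim"]["buckets"]:
            rows.append((int(pb["key"]), vb["key"], vb["doc_count"]))
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))  # busiest victims first

def run_daily_feed(hosts):
    """Run the query with the official client (assumed client kwargs; not executed offline)."""
    from elasticsearch import Elasticsearch  # the official library the talk recommends
    es = Elasticsearch(hosts, timeout=30)    # raised from the default of 10, as in the talk
    resp = es.search(index="logstash-*", body=feed_query(datetime.now(timezone.utc)))
    return feed_rows(resp)

# Constructed response shaped like an Elasticsearch terms-aggregation reply (not real data).
SAMPLE_RESPONSE = {"aggregations": {"port": {"buckets": [
    {"key": 19, "doc_count": 5, "victim": {"buckets": [
        {"key": "191.236.103.221", "doc_count": 4}, {"key": "198.51.100.7", "doc_count": 1}]}},
    {"key": 1900, "doc_count": 3, "victim": {"buckets": [
        {"key": "198.51.100.7", "doc_count": 3}]}},
]}}}
```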
  42. What have we seen? 99,859 Attacks Observed in Q1 2016
  43. What have we seen?
      AS       Count   Name
      6939     7034    HURRICANE - Hurricane Electric, Inc., US
      4134     6663    CHINANET-BACKBONE No.31, Jin-rong Street, CN
      7922     3447    COMCAST-7922 - Comcast Cable Communications, Inc., US
      16276    3161    OVH OVH SAS, FR
      37963    2989    CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co., Ltd., CN
      200000   2272    UKRAINE-AS Hosting Ukraine LTD, UA
      48347    2056    MTW-AS JSC MediaSoft Ekspert, RU
      4837     1950    CHINA169-BACKBONE CNCGROUP China169 Backbone, CN
      58543    1940    CHINATELECOM-GUANGDONG-IDC Guangdong, CN
      7018     1677    ATT-INTERNET4 - AT&T Services, Inc., US
      28573    1290    CLARO S.A., BR
      701      1216    UUNET - MCI Communications Services, Inc. d/b/a Verizon Business, US
      23650    981     CHINANET-JS-AS-AP AS Number for CHINANET jiangsu province backbone, CN
      5089     945     NTL Virgin Media Limited, GB
      24940    940     HETZNER-AS Hetzner Online GmbH, DE
      18881    936     Global Village Telecom, BR
      20115    931     CHARTER-NET-HKY-NC - Charter Communications, US
      5607     911     BSKYB-BROADBAND-AS Sky UK Limited, GB
      13335    783     CLOUDFLARENET - CloudFlare, Inc., US
      1221     723     ASN-TELSTRA Telstra Pty Ltd, AU
  44. What have we seen?
  45. What have we seen?
  46. What have we seen?
  47. What have we seen?
  48. What have we seen?
  49. What have we seen?
  50. These are the best dudes in the world: Zane Witherspoon (San Francisco), Acheleas Mustakis (Athens, Greece)
  51. Science should be repeatable and open. RStudio Desktop. https://github.com/kingtuna/Hybrid-Darknet-Concept. Special thanks to A10 Networks, Nexusguard, fsi.io, and Cari.net. Collaborators: Zane Witherspoon, Acheleas Mustakis, and Krassimir
  52. Science should be repeatable and open. https://github.com/kingtuna/Hybrid-Darknet-Concept. To be added to the list: tuna@nexusguard.com
