Black Hat Europe 2000:
Strategies for Defeating
Distributed Attacks
Simple Nomad
Hacker
Nomad Mobile Research Centre
Occam Theorist
RAZOR Security Team, BindView Corporation
About Myself
 http://www.nmrc.org/
 Currently Sr. Security Analyst for
BindView’s RAZOR Team,
http://razor.bindview.com/
About This Presentation
 Assume basics
– Understand IP addressing
– Understand basic system administration
 Tools
– Where to find them
– Basic usage
 Terminology
 A “Network” point of view
Background
 Originally developed during early 1999
 Concepts first discussed October 1999
 Many concepts can be found in DDOS
software today
Attack Recognition Basics
 Pattern Recognition
– Examples:
• Byte sequence in RAM
• Packet content in a network transmission
• Half opens against a server within a certain time
frame
– Considered “real-time”
Attack Recognition Basics Cont.
 Effect Recognition
– Examples
• Unscheduled server restart in logs
• Unexplainable CPU utilization
• System binaries altered
– Considered “non” real-time
Attack Recognition Problems
 Blended “pattern” and “effect” attacks
 Sniffing attacks
 Decoys and false identification of attack
source
Attack Recognition Problems
Cont.
 Current solutions are usually “pattern” or
“effect”, no real-time global solutions
 Existing large scale solutions can easily be
defeated
Common Thwarting Techniques
 Rule-based systems can be tricked
 Log watchers can be deceived
 Time-based rules can be bypassed
What is Needed
 The “Overall Behavior Network/Host
Monitoring Tool” (which doesn’t exist)
What Do We Do?
 “Trickle Down Security”
– Solutions for distributed attacks will introduce
good security overall
 Off-the-shelf is not enough
 Learn about attack types
 Defensive techniques
Changing Attack Patterns
 More large-scale attacks
 Better enumeration and assessment of the
target by the attacker
Two Basic Distributed Attack
Models
 Attacks that do not require direct
observation of the results
 Attacks that require the attacker to directly
observe the results
Basic Model
Client
Server
Agent
Issue
commands
Processes
commands
to agents
Carries
out
commands
More Advanced Model
Attacker
Sniffed
Replies
Forged ICMP
Timestamp Requests
ICMP Timestamp
Replies
Target
Even More Advanced Model
Attack Node
Attack Node
Attacks
or
Probes
Attack Node
Sniffed
Replies
Replies
Upstream
Host
F
i
r
e
w
a
l
l
Target
ICMP
 Sweeping a network with Echo
 Typical alternates to ping
– Timestamp
– Info Request
Fun with ICMP
 Advanced ICMP enumeration
– ICMP fingerprinting
– Invalid header info to enumerate hosts
Host Enumeration
# ./icmpenum -i 2 -c xxx.xx.218.0
xxx.xx.218.23 is up
xxx.xx.218.26 is up
xxx.xx.218.52 is up
xxx.xx.218.53 is up
xxx.xx.218.58 is up
xxx.xx.218.63 is up
xxx.xx.218.82 is up
xxx.xx.218.90 is up
xxx.xx.218.92 is up
xxx.xx.218.96 is up
xxx.xx.218.118 is up
xxx.xx.218.123 is up
xxx.xx.218.126 is up
xxx.xx.218.130 is up
xxx.xx.218.187 is up
xxx.xx.218.189 is up
xxx.xx.218.215 is up
xxx.xx.218.253 is up
Nmap
 Ping sweeps
 Port scanning
 TCP fingerprinting
Fun with Nmap
 Additional features
– “Same segment” sniffing
Addition Probes
 Possible security devices
– Using “bait” to fish out security mechanisms
 Sweep for promiscuous devices
– False hosts and DNS lookups
Network Mapping
VPN
Checkpoint Firewall-1
Nortel Extranet
xxx.xx.22. 7
NT
cw
Nortel CVX1800
151.164.x.xxx
Firewall
Linux
www
Sun
Checkpoint Firewall-1
Solaris 2.7
xxx.xx.49.17
AIX 4.2.1
xxx.xx.48.1
IDS?
swb
Cisco 7206
204.70.xxx.xxx
ftp
Linux 2.0.38
xxx.xx.48.2
Hosts Inside
DMZ
Internet Routers
Defensive Techniques
 Good security policy
 Split DNS
– All public systems in one DNS server located
in DMZ
– All internal systems using private addresses
with separate DNS server internally
 Drop/reject packets with a TTL of 1 or 0
Defensive Techniques Cont.
 Minimal ports open
 Stateful inspection firewalls
 Modified kernels/IDS to look for fingerprint
packets
Defensive Techniques Cont.
 Limit ICMP inbound to host/destination
unreachable
 Limit outbound ICMP
DMZ Server Recommendations
 Split services between servers
 Current patches
 Use trusted paths, anti-buffer overflow
settings and kernel patches
 Use any built-in firewalling software
 Make use of built-in state tables
Firewall Rules
 Limit inbound to only necessary services
 Limit outbound via proxies to help control
access
 Block all outbound to only necessary traffic
Intrusion Detection Systems
 Use only IDS’s that can be customized
 IDS should be capable of handling
fragmented packet reassembly
 IDS should handle high speeds
Spoofed Packet Defenses
 Get TTL of suspected spoofed packet
 Probe the source address in the packet
 Compare the probe reply’s TTL to the
suspected spoofed packet
Questions, etc.
 For followup:
– http://razor.bindview.com/
– thegnome@razor.bindview.com
 References:
–
–
–
–
–
–
–
–
–
David Dittrich’s web site http://staff.washington.edu/dittrich/
"Network Cat and Mouse", SANS Network Security '99, New Orleans; security presentation,
http://www.sans.org
"The Paranoid Network", SANS 2000, Orlando; security presentation, http://www.sans.org
NMap, http://www.insecure.org/nmap/
Icmpenum, http://razor.bindview.com/tools/
Martin Roesch’s web site http://www.clark.net/~roesch/security.html
“Strategies for Defeating Distributed Attacks”,
http://razor.bindview.com/publish/papers/strategies.html
“Distributed Denial of Service Defense Tactics”,
http://razor.bindview.com/publish/papers/DDSA_Defense.html
Ofin Arkin, “ICMP Usage in Scanning”, http://www.syssecurity.com/archive/papers/ICMP_Scanning_v2.01.pdf