60 Days of Basic Naughtiness
Probes and Attacks Endured by an
Active Web Site
16 March 2001
Rob Thomas robt@cymru.com
http://www.cymru.com/~robt
60 Days of Basic Naughtiness
• Statistical analysis of log and IDS files.
• Statistical analysis of a two-day DDoS
attack.
• Methods of mitigation.
• Questions.
About the Site
• Production site for several (> 4) years.
• Largely static content.
• No e-commerce.
• Layers of defense – more on that later!
About the Data
• Data from router logs.
• Data from IDS logs.
• Snapshot taken from 60 days of combined
data.
• Data processed by several home-brew tools
(mostly Perl and awk).
Definition of “Naughty”
• Any traffic that is logged by a specific
“deny” ACL.
• Any traffic that presents a pattern detected
by the IDS software.
• The two log sources are not necessarily
synchronized.
Daily Probes and Attacks
• TCP and UDP probes and attacks – ICMP not counted.
• Average – 529.00
• Standard deviation – 644.10! (larger than the average: a few burst days dominate the count, so the "typical" day is well below the mean)
• 60 Day Low – 83.00
• 60 Day High – 4355.00
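The home-brew Perl and awk tools behind these numbers are not shown in the talk. The following Python script is an added example, not the author's code, of the same pipeline: it parses "deny" ACL log lines modelled on the Cisco IOS %SEC-6-IPACCESSLOGP / IPACCESSLOGDP message format, drops ICMP as the talk does, sums the logged packet counts per day, and reports the average, standard deviation, low and high plus the top destination ports per protocol. The log lines are constructed, and two choices are assumptions: a "hit" is one logged packet, and the standard deviation is the population form.

```python
"""Count "naughty" hits from router deny-ACL logs, per day and per port."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample, modelled on Cisco IOS %SEC-6-IPACCESSLOGP (TCP/UDP)
# and %SEC-6-IPACCESSLOGDP (ICMP) messages; not log lines from the talk.
SAMPLE_LOG = """\
Nov 17 2000 03:12:44: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(4321) -> 203.0.113.5(21), 1 packet
Nov 17 2000 03:12:51: %SEC-6-IPACCESSLOGP: list 110 denied udp 198.51.100.9(137) -> 203.0.113.5(137), 3 packets
Nov 17 2000 09:40:02: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 198.51.100.9 -> 203.0.113.5 (8/0), 1 packet
Nov 18 2000 00:01:10: %SEC-6-IPACCESSLOGP: list 110 denied udp 192.0.2.44(1029) -> 203.0.113.5(137), 1 packet
Nov 18 2000 00:01:12: %SEC-6-IPACCESSLOGP: list 110 denied udp 192.0.2.44(1030) -> 203.0.113.5(53), 1 packet
Nov 18 2000 14:22:30: %SEC-6-IPACCESSLOGP: list 110 denied tcp 240.1.2.3(6000) -> 203.0.113.5(21), 1 packet
Nov 19 2000 11:05:17: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.0.0.5(1234) -> 203.0.113.5(137), 1 packet
"""

# Ports are optional: ICMP deny lines carry "type/code" instead of "(port)".
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<year>\d{4}) [\d:]+: "
    r"%SEC-6-IPACCESSLOG\w+: list \S+ denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?.*?, (?P<count>\d+) packets?$"
)


def parse(log_text):
    """Yield one record per deny line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def daily_hits(log_text, protocols=("tcp", "udp")):
    """{day: Counter(proto -> hits)}; a hit is one logged packet (assumed)."""
    per_day = defaultdict(Counter)
    for r in parse(log_text):
        if r["proto"] in protocols:          # ICMP excluded by default
            day = f'{r["year"]}-{r["mon"]}-{int(r["day"]):02d}'
            per_day[day][r["proto"]] += int(r["count"])
    return dict(per_day)


def daily_stats(log_text):
    """Average, population std dev, low and high of daily TCP+UDP hits."""
    totals = [sum(c.values()) for c in daily_hits(log_text).values()]
    return {
        "average": statistics.mean(totals),
        "stdev": statistics.pstdev(totals),
        "low": min(totals),
        "high": max(totals),
    }


def top_ports(log_text, proto, n=5):
    """Top-n destination ports for one protocol as (port, hits) pairs."""
    hits = Counter()
    for r in parse(log_text):
        if r["proto"] == proto and r["dport"] is not None:
            hits[int(r["dport"])] += int(r["count"])
    return hits.most_common(n)


if __name__ == "__main__":
    print(daily_stats(SAMPLE_LOG))
    print("udp:", top_ports(SAMPLE_LOG, "udp"))
    print("tcp:", top_ports(SAMPLE_LOG, "tcp"))
```

Feed it the real router syslog instead of SAMPLE_LOG and the per-day Counter is the input for the daily and weekly charts that follow; the IDS log needs its own pattern, which is why the talk notes the two sources are not synchronized.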
Daily Probes and Attacks
[Chart: "Daily Probes and Attacks". X axis: Day (ticks every five days, 11/17/00 through 1/11/01). Y axis: Hits, 0 to 5000. Series: TCP, UDP.]
Weekly Probes and Attacks
• There is no steady-state.
• Attacks come in waves, generally on the
heels of a new exploit and scan.
• Certain types of scans (e.g. Netbios) tend to
run 24x7x365.
• Proactive monitoring, based on
underground and public alerts, will result in
significant data capture.
Weekly Probes and Attacks
Trend Analysis
[Chart: "Weekly Probes and Attacks". X axis: Week (11/12-11/18, 11/19-11/25, 11/26-12/02, 12/03-12/09, 12/10-12/16, 12/17-12/23, 12/24-12/30, 12/31-01/06, 01/07-01/13, 01/14-01/20). Y axis: Hits, 0 to 8000.]
Hourly Probes and Attacks
• Myth: “Most attacks occur at night.”
• An attacker’s evening may be a victim’s day
– the nature of a global network.
• Truth: Don’t plan based on the clock.
Hourly Probes and Attacks
Trend Analysis
[Chart: "Hourly Probes and Attacks". X axis: 24 Hour Clock (hours 1 to 24). Y axis: Hits, 0 to 10000.]
UDP Probes and Attacks
Top Five Destination Ports
• First – 137 NETBIOS
• Second – 53 DNS
• Third – 27960 (Quake III Arena game traffic)
• Fourth – 500 ISAKMP
• Fifth – 33480 (likely UNIX traceroute, which probes UDP ports upward from 33434)
UDP Probes and Attacks
Trend Analysis
[Chart: "UDP Probes and Attacks". X axis: Day (weekly ticks, 11/17/00 through 1/12/01). Y axis: Number of Hits, 0 to 350. Series: Port 137 Hits, Port 53 Hits.]
TCP Probes and Attacks
Top Five Destination Ports
• First – 3663 (DDoS Attack)
• Second – 0 Reserved (DDoS Attack)
• Third – 6667 IRC (DDoS Attack)
• Fourth – 81 (DDoS Attack)
• Fifth – 21 FTP-control
TCP Probes and Attacks
Trend Analysis
[Chart: "TCP Probes and Attacks". X axis: Date (weekly ticks, 11/17/00 through 1/12/01). Y axis: Hits, 0 to 120. Series: Port 0 Hits, Port 21 Hits.]
Source Address of Probes and Attacks
[Two charts. Pie chart "Source Address Class Percentage": slices A, B, C, D, E with labels 20%, 27%, 7%, 20%, 26% (which label belongs to which class is not recoverable from the extraction). Bar chart "Number of Unique IP Addresses Seen": X axis IP Netblock Class (A, B, C, D, E), Y axis 0 to 3500.]
Source Address of Probes and Attacks
[Bar chart "Bogon Source Percentages": X axis IP Netblock Class (A, B, C), Y axis Unique IP Addresses, 0 to 4000. Series: Bogon Addresses, Total Addresses. Data labels visible on the bars: 1128, 270, 2346, 2275, 167, 803 (pairing of labels with bars not recoverable from the extraction).]
Source Address of Probes and Attacks
• Bogon source attacks are still common.
• Of all source addresses, 53.39% were in the Class D and Class E space.
• Percentage of bogons, all classes – 66.85%!
• This is good news – a bogon prefix-list, ACL defense, and uRPF will block 66.85% of these nasties at the border, before they reach the IDS, the firewall, or the end systems!
• Caveat – the bogon list changes as IANA allocates new space, so keep the prefix-list current; uRPF (strict mode) only drops a packet when the router has no route back to the source via the ingress interface, so it catches spoofed and unrouted sources, not attacks from legitimately routed netblocks.
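The classful and bogon breakdown above is the kind of pass the home-brew tools make over the unique source addresses. The following Python script is an added example, not the author's code, that groups unique sources by classful block (first octet) and flags those inside an assumed bogon list. The list here is illustrative (RFC 1918, "this" network, loopback, link-local, TEST-NET, and all of Class D and Class E); the list used in the talk also carried the /8s IANA had not yet allocated in early 2001, which is exactly the part that goes stale. The sample addresses are constructed.

```python
"""Classify probe source addresses by classful block and bogon status."""
import ipaddress
from collections import Counter

# Assumed bogon list for this example. A production prefix-list also needs
# the currently unallocated /8s, and those change as IANA allocates space,
# so it must be refreshed rather than copied once from a slide.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample of source addresses (one duplicate on purpose);
# not data from the talk.
SAMPLE_SOURCES = [
    "198.51.100.7", "10.0.0.5", "240.1.2.3", "224.0.0.9",
    "192.0.2.44", "172.20.1.1", "150.1.1.1", "198.51.100.7",
]


def ip_class(addr):
    """Classful block (A-E) from the first octet, as the talk groups sources."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def is_bogon(addr):
    """True if the address falls inside any BOGONS prefix."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in BOGONS)


def summarize(sources):
    """Per class (total, bogon) counts of unique sources and overall bogon %."""
    totals, bogons = Counter(), Counter()
    for addr in set(sources):            # unique addresses, as on the slides
        cls = ip_class(addr)
        totals[cls] += 1
        if is_bogon(addr):
            bogons[cls] += 1
    n = sum(totals.values())
    pct = round(100.0 * sum(bogons.values()) / n, 2) if n else 0.0
    return {c: (totals[c], bogons[c]) for c in "ABCDE"}, pct


if __name__ == "__main__":
    per_class, pct = summarize(SAMPLE_SOURCES)
    for cls, (total, bogon) in per_class.items():
        print(f"Class {cls}: {total} unique sources, {bogon} bogon")
    print(f"Bogon share of all unique sources: {pct}%")
```

The percentage this returns is the figure that justifies the border filter: every address it flags is one that a bogon ACL or uRPF would have dropped before it was ever logged by the IDS.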
Source Region of the Naughty
A dangerously misleading slide
[Pie chart "RIR for Source Addresses": slices ARIN, RIPE, APNIC with labels 58%, 37%, 5% (which label belongs to which RIR is not recoverable from the extraction).]
• Misleading because an RIR allocation says where a netblock was registered, not where the attacker sits, and the spoofed and bogon sources seen above have no meaningful registrant at all.
Intrusion (attempt) Detection
• IDS is not foolproof!
• Incorrect fingerprinting does occur.
• You can not identify that which you can not
see.
Top Five IDS Detected Probes
[Bar chart "IDS Detected Probes": X axis Type (NetBus, Backorifice, TFTP, IDENT, Deep Throat), Y axis Hits, 0 to 1400.]
Top Five IDS Detected Probes
[Chart "IDS Detected Probes - Trend Analysis": X axis Date (days 1 to 52), Y axis Hits, 0 to 180. Series: NetBus, Backorifice, TFTP, IDENT, Deep Throat.]
Top Five IDS Detected Attacks
[Bar chart "IDS Detected Attacks": X axis Type (TCP Port 0, FIN flood, Fragments, ICMP flood, RST flood), Y axis Number of Hits, 0 to 500.]
Top Five IDS Detected Sources
[Bar chart "IDS Detected Source Netblocks": X axis Netblock Location (Azerbaijan, USA 01, South Korea, USA 02, Canada), Y axis Hit Count, 0 to 200.]
Top Five IDS Detected Sources
[Chart "IDS Detected Attacks - Trend Analysis": X axis Day (1 to 49), Y axis Hits, 0 to 160. Series: A, B, C, D, E.]
Match a Source with a Scan
[Chart "Source to Hit Matching" for source B: X axis Day (1 to 7), Y axis Hits, 0 to 160. Series: NetBus, Backorifice, TFTP, IDENT, Deep Throat.]
Two Days of DDoS
• Attack that resulted in 10295 hits on day
one and 77466 hits on day two.
• Attack lasted 25 hours, 25 minutes, and 44
seconds.
• Quasi-random UDP high ports (source and
destination), small packets.
Two Days of DDoS
• Perhaps as many as 2000 hosts used by the
attackers.
• 23 unique organizations.
• 9 different nations located in the Americas,
Europe, and Asia.
• Source netblocks all legitimate.
Two Days of DDoS
Packets per minute
[Chart: X axis DATE:HOUR:MINUTE, from 24:21:13 through 25:22:29 (day 24 at 21:13 to day 25 at 22:29). Y axis: Packets, 0 to 70.]
Two Days of DDoS
DDoS Sources
[Chart "DDoS Sources": X axis Hour (1 to 26), Y axis Packets, 0 to 4000.]
Site Defense and Attack Mitigation
• While you can not prevent an attack, you
can choose how to react to an attack.
• Layers of defense that use multiple tools.
• Layers of monitoring and alert mechanisms.
• Know how to respond before the attack
begins.
Site Defense and Attack Mitigation
• Border router
– Protocol shaping and filtering.
– Anti-bogon and anti-spoofing defense (uRPF),
ingress and egress filtering.
– NetFlow.
• IDS device(s)
– Attack and probe signatures.
– Alerts.
Site Defense and Attack Mitigation
• Border firewall
– Port filtering.
– Logging.
– Some IDS capability.
• End systems
– Tuned kernel.
– TCP wrappers, disable services, etc.
– Crunchy through and through!
Site Defense and Attack Mitigation
• Don’t panic!
• Collect data!
• The good news - you can survive!
References and shameless self advertisements
• RFC 2267 – http://rfc.net/rfc2267.html (ingress filtering; since obsoleted by RFC 2827, BCP 38)
• Secure IOS Template – http://www.cymru.com/~robt/Docs/Articles/secure-iostemplate.html
• Secure BGP Template – http://www.cymru.com/~robt/Docs/Articles/secure-bgptemplate.html
• UNIX IP Stack Tuning Guide – http://www.cymru.com/~robt/Docs/Articles/ip-stacktuning.html
Any questions?
Thank you for your time!
• Thanks to Jan, Luuk, and Jacques for
inviting me to speak with you today.
• Thanks to Surfnet/CERT-NL for picking up
the travel.
• Thanks for all of the coffee!