60 Days of Basic Naughtiness


Rob Thomas, robt@cymru.com, http://www.cymru.com/~robt


Probes and Attacks Endured by an Active Web Site

16 March 2001


60 Days of Basic Naughtiness

• Statistical analysis of log and IDS files.

• Statistical analysis of a two-day DDoS attack.

• Methods of mitigation.

• Questions.


About the Site

• Production site for several (> 4) years.

• Largely static content.

• No e-commerce.

• Layers of defense – more on that later!


About the Data

• Data from router logs.

• Data from IDS logs.

• Snapshot taken from 60 days of combined data.

• Data processed by several home-brew tools (mostly Perl and awk).


Definition of “Naughty”

• Any traffic that is logged by a specific “deny” ACL.

• Any traffic that presents a pattern detected by the IDS software.

• The two log sources are not necessarily synchronized.


Daily Probes and Attacks

• TCP and UDP Probes and Attacks – ICMP not counted.

• Average – 529.00

• Standard deviation – 644.10!

• 60 Day Low – 83.00

• 60 Day High – 4355.00
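The daily figures above are the result of counting logged hits per day and then summarizing the series. As an added example (not the author's Perl and awk tooling), the following Python script parses a constructed sample of Cisco IOS ACL deny log messages, applies the talk's counting rule (TCP and UDP hits only, ICMP not counted), buckets the hits per day and, going one step beyond this slide, per hour, and reports the average, standard deviation, 60-day-style low and high; it also tallies the most-hit destination ports per protocol. The log lines, the host name `border`, ACL number 101 and all addresses are constructed; the standard deviation is the sample standard deviation, which the slide does not specify.

```python
import re
import statistics
from collections import Counter

# Constructed sample of Cisco IOS ACL "deny ... log" messages (not from the talk).
# IOS emits %SEC-6-IPACCESSLOGP for TCP/UDP and %SEC-6-IPACCESSLOGDP for ICMP.
SAMPLE_LOG = """\
Nov 17 03:12:44 border 1201: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(1027) -> 192.0.2.10(137), 1 packet
Nov 17 03:12:45 border 1202: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(1028) -> 192.0.2.10(137), 1 packet
Nov 17 14:02:10 border 1203: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4411) -> 192.0.2.10(21), 1 packet
Nov 18 01:44:09 border 1204: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4412) -> 192.0.2.10(21), 3 packets
Nov 18 09:00:00 border 1205: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.50 -> 192.0.2.10 (8/0), 1 packet
Nov 19 22:15:31 border 1206: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.5(53) -> 192.0.2.10(53), 1 packet
Nov 19 22:15:32 border 1207: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.5(53) -> 192.0.2.10(53), 1 packet
Nov 19 22:15:33 border 1208: %SEC-6-IPACCESSLOGP: list 101 denied tcp 240.1.2.3(6667) -> 192.0.2.10(0), 1 packet
Nov 19 22:16:01 border 1209: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(1029) -> 192.0.2.10(137), 1 packet
Nov 19 22:16:40 border 1210: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.77(1025) -> 192.0.2.10(6667), 1 packet
"""

# Timestamp, protocol, source, destination and (for TCP/UDP) the port in parentheses.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hh>\d\d):\d\d:\d\d .*?"
    r"denied (?P<proto>tcp|udp|icmp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
)


def parse_log(text):
    """Turn raw syslog text into hit records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "date": f"{m['mon']} {int(m['day']):02d}",
            "hour": int(m["hh"]),
            "proto": m["proto"],
            "src": m["src"],
            "dport": int(m["dport"]) if m["dport"] else None,
        })
    return records


def probe_hits(records):
    """The talk's counting rule: TCP and UDP hits only, ICMP not counted."""
    return [r for r in records if r["proto"] in ("tcp", "udp")]


def hits_per(records, key):
    """Bucket counted hits by any record field: "date" for daily, "hour" for hourly."""
    return Counter(r[key] for r in probe_hits(records))


def summarize(counts):
    """Average, sample standard deviation, low and high of a per-bucket series."""
    values = list(counts.values())
    return {
        "average": statistics.mean(values),
        "stdev": statistics.stdev(values) if len(values) > 1 else 0.0,
        "low": min(values),
        "high": max(values),
    }


def top_ports(records, proto, n=5):
    """Most-hit destination ports for one protocol, as (port, hits) pairs."""
    ports = Counter(r["dport"] for r in records
                    if r["proto"] == proto and r["dport"] is not None)
    return ports.most_common(n)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    daily = hits_per(recs, "date")
    print("daily hits:", dict(daily))
    print("summary:", summarize(daily))
    print("hourly hits:", dict(sorted(hits_per(recs, "hour").items())))
    print("top UDP ports:", top_ports(recs, "udp"))
    print("top TCP ports:", top_ports(recs, "tcp"))
```

The large standard deviation on the slide is exactly what this kind of series produces when a few days carry a scan wave or a DDoS: the mean is dominated by outliers, so the low and high are more useful for capacity and alerting thresholds than the average alone.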


Daily Probes and Attacks

[Chart: Daily Probes and Attacks. X axis: Day, 11/17/00 through 1/11/01; Y axis: Hits, 0 to 5000; series: TCP, UDP.]


Weekly Probes and Attacks

• There is no steady-state.

• Attacks come in waves, generally on the heels of a new exploit and scan.

• Certain types of scans (e.g. Netbios) tend to run 24x7x365.

• Proactive monitoring, based on underground and public alerts, will result in significant data capture.


Weekly Probes and Attacks: Trend Analysis

[Chart: Weekly Probes and Attacks. X axis: Week, 11/12–11/18 through 01/14–01/20; Y axis: Hits, 0 to 8000.]


Hourly Probes and Attacks

• Myth: “Most attacks occur at night.”

• An attacker’s evening may be a victim’s day – the nature of a global network.

• Truth: Don’t plan based on the clock.


Hourly Probes and Attacks: Trend Analysis

[Chart: Hourly Probes and Attacks. X axis: 24 Hour Clock, hours 1 through 24; Y axis: Hits, 0 to 10000.]


UDP Probes and Attacks: Top Five Destination Ports

• First – 137 NETBIOS

• Second – 53 DNS

• Third – 27960

• Fourth – 500 ISAKMP

• Fifth – 33480 (likely UNIX traceroute)


UDP Probes and Attacks: Trend Analysis

[Chart: UDP Probes and Attacks. X axis: Day, 11/17/00 through 1/12/01; Y axis: Number of Hits, 0 to 350; series: Port 137 Hits, Port 53 Hits.]


TCP Probes and Attacks: Top Five Destination Ports

• First – 3663 (DDoS Attack)

• Second – 0 Reserved (DDoS Attack)

• Third – 6667 IRC (DDoS Attack)

• Fourth – 81 (DDoS Attack)

• Fifth – 21 FTP-control


TCP Probes and Attacks: Trend Analysis

[Chart: TCP Probes and Attacks. X axis: Date, 11/17/00 through 1/12/01; Y axis: Hits, 0 to 120; series: Port 0 Hits, Port 21 Hits.]


Source Address of Probes and Attacks

[Chart: Classful Sources of Probes and Attacks. X axis: IP Netblock Class, A through E; Y axis: Number of Unique IP Addresses Seen, 0 to 3500.]

[Chart: Source Address Class Percentage (pie). Slice labels as shown: 20%, 7%, 20%, 26%, 27%; legend: A, B, C, D, E.]


Source Address of Probes and Attacks: Bogon Source Percentages

[Chart: bar chart by IP Netblock Class, A through C; Y axis: Unique IP Addresses, 0 to 4000; series: Bogon Addresses, Total Addresses. Bar labels as shown: 2346, 803, 2275, 1128, 167, 270.]


Source Address of Probes and Attacks

• Bogon source attacks still common.

• Of all source addresses, 53.39% were in the Class D and Class E space.

• Percentage of bogons, all classes – 66.85%!

• This is good news – prefix-list, ACL defense, and uRPF will block 66.85% of these nasties!
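As an added example, not code from the talk, this Python script classifies a constructed set of source addresses by classful netblock and by membership in a bogon list, producing the two percentages reported above (share of sources in Class D and E space; share of bogons over all classes), and renders the same bogon list as Cisco IOS extended ACL deny entries of the kind the "ACL defense" bullet refers to. The bogon list is an assumption for this example: RFC 1918 private space plus 0/8, 127/8, 169.254/16 and the Class D and E ranges, not the author's own list. The sample addresses are constructed; the 198.51.100.x and 203.0.113.x documentation addresses stand in for ordinary Internet hosts.

```python
import ipaddress

# Constructed bogon list for this example (an assumption, not the author's list):
# RFC 1918 private space plus reserved space and the Class D/E ranges.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample of source addresses; 198.51.100.x / 203.0.113.x documentation
# addresses stand in for ordinary Internet hosts. One duplicate shows de-duplication.
SAMPLE_SOURCES = [
    "10.0.0.5", "10.0.0.5", "127.0.0.1", "100.1.2.3",
    "172.16.4.4", "169.254.1.1", "172.32.0.1",
    "192.168.1.1", "198.51.100.7", "203.0.113.9", "203.0.113.77",
    "224.0.0.9", "239.1.1.1",
    "240.1.2.3", "255.255.255.255",
]


def classful_class(ip):
    """Classful letter A-E from the first octet, the split the talk's charts use."""
    first = int(ipaddress.ip_address(ip)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def is_bogon(ip):
    """True when the address falls inside any prefix of the bogon list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)


def source_report(addresses):
    """Per-class totals and bogon counts, plus the two headline percentages."""
    unique = set(addresses)
    per_class = {c: {"total": 0, "bogon": 0} for c in "ABCDE"}
    for ip in unique:
        c = classful_class(ip)
        per_class[c]["total"] += 1
        if is_bogon(ip):
            per_class[c]["bogon"] += 1
    total = len(unique)
    bogons = sum(v["bogon"] for v in per_class.values())
    d_and_e = per_class["D"]["total"] + per_class["E"]["total"]
    return {
        "per_class": per_class,
        "unique_sources": total,
        "bogon_pct": round(100.0 * bogons / total, 2) if total else 0.0,
        "class_d_e_pct": round(100.0 * d_and_e / total, 2) if total else 0.0,
    }


def ios_bogon_acl(acl_number=101):
    """Render the bogon list as IOS extended ACL deny lines (wildcard masks, logged).

    A real border ACL continues with site-specific rules before any permit;
    the trailing permit here only keeps the fragment self-contained."""
    lines = [f"access-list {acl_number} deny ip {n.network_address} {n.hostmask} any log"
             for n in BOGON_NETS]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    report = source_report(SAMPLE_SOURCES)
    for cls, counts in report["per_class"].items():
        print(f"class {cls}: {counts['total']} unique, {counts['bogon']} bogon")
    print(f"bogons, all classes: {report['bogon_pct']}%")
    print(f"in Class D and E space: {report['class_d_e_pct']}%")
    print("\n".join(ios_bogon_acl()))
```

The bogon percentage is also the fraction of this traffic that an anti-bogon ACL or prefix-list would have dropped at the border, which is the point the slide makes; uRPF catches the same spoofed sources dynamically, without a hand-maintained list.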


Source Region of the Naughty: A dangerously misleading slide

[Chart: RIR for Source Addresses (pie). Slice labels as shown: 58%, 37%, 5%; legend: ARIN, RIPE, APNIC.]


Intrusion (attempt) Detection

• IDS is not foolproof!

• Incorrect fingerprinting does occur.

• You cannot identify that which you cannot see.


Top Five IDS Detected Probes

[Chart: IDS Detected Probes. X axis: Type: NetBus, Backorifice, TFTP, IDENT, Deep Throat; Y axis: Hits, 0 to 1400.]


Top Five IDS Detected Probes: Trend Analysis

[Chart: IDS Detected Probes - Trend Analysis. X axis: Date, sample days 1 through 52; Y axis: Hits, 0 to 180; series: NetBus, Backorifice, TFTP, IDENT, Deep Throat.]


Top Five IDS Detected Attacks

[Chart: IDS Detected Attacks. X axis: Type: TCP Port 0, FIN flood, Fragments, ICMP flood, RST flood; Y axis: Hits, 0 to 500; series: Number.]


Top Five IDS Detected Sources

[Chart: IDS Detected Source Netblocks. X axis: Netblock Location: Azerbaijan, USA 01, South Korea, USA 02, Canada; Y axis: Hits, 0 to 200; series: Count.]


Top Five IDS Detected Sources: Trend Analysis

[Chart: IDS Detected Attacks - Trend Analysis. X axis: Day, 1 through 49; Y axis: Hits, 0 to 160; series: A, B, C, D, E.]


Match a Source with a Scan: Source to Hit Matching

[Chart: X axis: Day, 1 through 7; Y axis: Hits, 0 to 160; series: B, NetBus, Backorifice, TFTP, IDENT, Deep Throat.]


Two Days of DDoS

• Attack that resulted in 10295 hits on day one and 77466 hits on day two.

• Attack lasted 25 hours, 25 minutes, and 44 seconds.

• Quasi-random UDP high ports (source and destination), small packets.


Two Days of DDoS

• Perhaps as many as 2000 hosts used by the attackers.

• 23 unique organizations.

• 9 different nations located in the Americas, Europe, and Asia.

• Source netblocks all legitimate.
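The characterization on these two slides (hits per day, duration, quasi-random high ports, small packets, number of hosts and of source netblocks) can be computed directly from captured packet records. As an added example that is not part of the talk, this Python function profiles a constructed list of flood packets, each a (timestamp, source address, source port, destination port, length) tuple of the kind a sniffer or a NetFlow export would yield. All values are constructed; the /24 grouping is a crude stand-in for "organization", which in practice needs whois or BGP data.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of flood packets: (timestamp, source IP, source port,
# destination port, length in bytes). Documentation-range addresses; not from the talk.
SAMPLE_PACKETS = [
    ("2001-01-24 21:13:05", "198.51.100.10", 40211, 51000, 40),
    ("2001-01-24 21:13:05", "198.51.100.11", 41922, 60123, 36),
    ("2001-01-24 21:13:06", "203.0.113.20", 52001, 33001, 40),
    ("2001-01-24 21:13:07", "198.51.100.10", 40988, 44444, 40),
    ("2001-01-24 21:14:01", "203.0.113.21", 61000, 49152, 32),
    ("2001-01-24 21:14:02", "198.51.100.12", 33000, 58000, 40),
    ("2001-01-24 21:14:30", "203.0.113.20", 50500, 60001, 36),
    ("2001-01-24 21:15:10", "198.51.100.13", 45000, 45000, 40),
]


def profile_flood(packets):
    """Summarize a UDP flood the way the slides do: volume, duration, rate,
    number of sources and netblocks, port randomness and packet size."""
    if not packets:
        return {}
    times = [datetime.strptime(p[0], "%Y-%m-%d %H:%M:%S") for p in packets]
    n = len(packets)
    per_day = Counter(t.strftime("%Y-%m-%d") for t in times)
    per_minute = Counter(t.strftime("%Y-%m-%d %H:%M") for t in times)
    sources = {p[1] for p in packets}
    # /24 is only a rough proxy for an organization (see the lead-in).
    netblocks = {p[1].rsplit(".", 1)[0] + ".0/24" for p in packets}
    high_both = sum(1 for p in packets if p[2] > 1023 and p[3] > 1023)
    return {
        "packets": n,
        "duration_seconds": int((max(times) - min(times)).total_seconds()),
        "per_day": dict(per_day),
        "peak_per_minute": max(per_minute.values()),
        "unique_sources": len(sources),
        "unique_24s": len(netblocks),
        # Close to 1.0 means nearly every packet used a different destination port,
        # the "quasi-random high ports" pattern; a real probe reuses a few ports.
        "distinct_dport_ratio": len({p[3] for p in packets}) / n,
        "high_port_fraction": high_both / n,
        "mean_length": sum(p[4] for p in packets) / n,
    }


if __name__ == "__main__":
    for key, value in profile_flood(SAMPLE_PACKETS).items():
        print(f"{key}: {value}")
```

A per-minute series like the one returned here is what the "Packets per minute" chart that follows is drawn from, and the unique-source count is the input to the "as many as 2000 hosts" estimate; whether those sources are spoofed is a separate check against a bogon list or uRPF, which on this attack came back negative ("source netblocks all legitimate").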


Two Days of DDoS: Packets per minute

[Chart: X axis: DATE:HOUR:MINUTE, 24:21:13 through 25:22:29; Y axis: Packets, 0 to 70.]


Two Days of DDoS: DDoS Sources

[Chart: X axis: Hour, 1 through 26; Y axis: Packets, 0 to 4000.]


Site Defense and Attack Mitigation

• While you cannot prevent an attack, you can choose how to react to an attack.

• Layers of defense that use multiple tools.

• Layers of monitoring and alert mechanisms.

• Know how to respond before the attack begins.


Site Defense and Attack Mitigation

• Border router
  – Protocol shaping and filtering.
  – Anti-bogon and anti-spoofing defense (uRPF), ingress and egress filtering.
  – NetFlow.

• IDS device(s)
  – Attack and probe signatures.
  – Alerts.


Site Defense and Attack Mitigation

• Border firewall
  – Port filtering.
  – Logging.
  – Some IDS capability.

• End systems
  – Tuned kernel.
  – TCP wrappers, disable services, etc.
  – Crunchy through and through!


Site Defense and Attack Mitigation

• Don’t panic!

• Collect data!

• The good news – you can survive!


References and shameless self advertisements

• RFC 2267 – http://rfc.net/rfc2267.html

• Secure IOS Template – http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html

• Secure BGP Template – http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html

• UNIX IP Stack Tuning Guide – http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html


Any questions?


Thank you for your time!

• Thanks to Jan, Luuk, and Jacques for inviting me to speak with you today.

• Thanks to Surfnet/CERT-NL for picking up the travel.

• Thanks for all of the coffee!
