
60 Days of Basic Naughtiness



Presentation Transcript


  1. 60 Days of Basic Naughtiness
     Probes and Attacks Endured by an Active Web Site
     16 March 2001
     Rob Thomas robt@cymru.com http://www.cymru.com/~robt

  2. 60 Days of Basic Naughtiness
     • Statistical analysis of log and IDS files.
     • Statistical analysis of a two-day DDoS attack.
     • Methods of mitigation.
     • Questions.

  3. About the Site
     • Production site for several (> 4) years.
     • Largely static content.
     • No e-commerce.
     • Layers of defense – more on that later!

  4. About the Data
     • Data from router logs.
     • Data from IDS logs.
     • Snapshot taken from 60 days of combined data.
     • Data processed by several home-brew tools (mostly Perl and awk).

  5. Definition of “Naughty”
     • Any traffic that is logged by a specific “deny” ACL.
     • Any traffic that presents a pattern detected by the IDS software.
     • The two log sources are not necessarily synchronized.

  6. Daily Probes and Attacks
     • TCP and UDP probes and attacks – ICMP not counted.
     • Average – 529.00
     • Standard deviation – 644.10!
     • 60-day low – 83.00
     • 60-day high – 4355.00

  7. Daily Probes and Attacks (chart)

  8. Weekly Probes and Attacks
     • There is no steady state.
     • Attacks come in waves, generally on the heels of a new exploit and scan.
     • Certain types of scans (e.g. NetBIOS) tend to run 24x7x365.
     • Proactive monitoring, based on underground and public alerts, will result in significant data capture.

  9. Weekly Probes and Attacks: Trend Analysis (chart)

  10. Hourly Probes and Attacks
     • Myth: “Most attacks occur at night.”
     • An attacker’s evening may be a victim’s day – the nature of a global network.
     • Truth: Don’t plan based on the clock.

  11. Hourly Probes and Attacks: Trend Analysis (chart)

  12. UDP Probes and Attacks: Top Five Destination Ports
     • First – 137 NETBIOS
     • Second – 53 DNS
     • Third – 27960
     • Fourth – 500 ISAKMP
     • Fifth – 33480 (likely UNIX traceroute)

  13. UDP Probes and Attacks: Trend Analysis (chart)

  14. TCP Probes and Attacks: Top Five Destination Ports
     • First – 3663 (DDoS attack)
     • Second – 0 Reserved (DDoS attack)
     • Third – 6667 IRC (DDoS attack)
     • Fourth – 81 (DDoS attack)
     • Fifth – 21 FTP-control

  15. TCP Probes and Attacks: Trend Analysis (chart)

  16. Source Address of Probes and Attacks (chart)

  17. Source Address of Probes and Attacks (chart)

  18. Source Address of Probes and Attacks
     • Bogon source attacks still common.
     • Of all source addresses, 53.39% were in the Class D and Class E space.
     • Percentage of bogons, all classes – 66.85%!
     • This is good news – prefix-list, ACL defense, and uRPF will block 66.85% of these nasties!
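As an added example (not code from the presentation or from Rob Thomas), the bogon classification behind slide 18 applied to a few constructed Cisco IOS-style ACL deny log lines: each denied source address is assigned to the class it falls in, and the report gives the Class D/E share and the all-classes share, the two figures the deck quotes. The log format, the prefix list and the sample lines are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of router "deny" ACL log lines in Cisco IOS syslog style;
# these are not lines from the presentation's data set.
SAMPLE_LOG = """\
Mar 10 03:12:01 border %SEC-6-IPACCESSLOGP: list 110 denied udp 10.4.7.9(1027) -> 192.0.2.10(137), 1 packet
Mar 10 03:12:05 border %SEC-6-IPACCESSLOGP: list 110 denied tcp 224.1.2.3(4444) -> 192.0.2.10(81), 1 packet
Mar 10 03:14:40 border %SEC-6-IPACCESSLOGP: list 110 denied tcp 250.9.9.9(5555) -> 192.0.2.10(0), 1 packet
Mar 11 14:02:10 border %SEC-6-IPACCESSLOGP: list 110 denied udp 198.51.100.7(53) -> 192.0.2.10(53), 1 packet
Mar 11 14:02:11 border %SEC-6-IPACCESSLOGP: list 110 denied tcp 0.0.0.0(1) -> 192.0.2.10(21), 1 packet
Mar 12 22:30:00 border %SEC-6-IPACCESSLOGP: list 110 denied udp 240.0.0.1(2) -> 192.0.2.10(27960), 1 packet
"""

# Source ranges that should never arrive from the Internet. 224/4 and 240/4 are
# the "Class D and Class E" split; the rest make up the deck's "all classes".
BOGON_PREFIXES = [
    ("class D (multicast)", ipaddress.ip_network("224.0.0.0/4")),
    ("class E (reserved)", ipaddress.ip_network("240.0.0.0/4")),
    ("RFC 1918", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918", ipaddress.ip_network("192.168.0.0/16")),
    ("this-network (0/8)", ipaddress.ip_network("0.0.0.0/8")),
    ("loopback (127/8)", ipaddress.ip_network("127.0.0.0/8")),
]

# Pull the source address out of a "denied <proto> <src>(<port>) -> ..." line.
DENY_RE = re.compile(r"denied \w+ (\d+\.\d+\.\d+\.\d+)\(\d+\) -> ")

def classify_source(ip):
    """Return the bogon class of a source address, or None if it is routable."""
    addr = ipaddress.ip_address(ip)
    for label, net in BOGON_PREFIXES:
        if addr in net:
            return label
    return None

def bogon_report(log_text):
    """Count denied hits per source class and the two percentages the deck quotes."""
    classes = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            classes[classify_source(m.group(1)) or "routable"] += 1
    total = max(sum(classes.values()), 1)          # avoid dividing by zero on an empty log
    d_e = classes["class D (multicast)"] + classes["class E (reserved)"]
    bogons = total - classes["routable"]
    return {"total": total, "classes": dict(classes),
            "pct_class_d_e": round(100.0 * d_e / total, 2),
            "pct_all_bogons": round(100.0 * bogons / total, 2)}
```

The same classifier run over a full 60-day deny log gives the share of hits that a uRPF check or an anti-bogon ACL would have dropped before the IDS ever saw them.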

  19. Source Region of the Naughty (a dangerously misleading slide) (chart)

  20. Intrusion (attempt) Detection
     • IDS is not foolproof!
     • Incorrect fingerprinting does occur.
     • You cannot identify that which you cannot see.

  21. Top Five IDS Detected Probes (chart)

  22. Top Five Detected IDS Probes (chart)

  23. Top Five IDS Detected Attacks (chart)

  24. Top Five IDS Detected Sources (chart)

  25. Top Five IDS Detected Sources (chart)

  26. Match a Source with a Scan (chart)

  27. Two Days of DDoS
     • Attack that resulted in 10295 hits on day one and 77466 hits on day two.
     • Attack lasted 25 hours, 25 minutes, and 44 seconds.
     • Quasi-random UDP high ports (source and destination), small packets.

  28. Two Days of DDoS
     • Perhaps as many as 2000 hosts used by the attackers.
     • 23 unique organizations.
     • 9 different nations located in the Americas, Europe, and Asia.
     • Source netblocks all legitimate.

  29. Two Days of DDoS (chart)

  30. Two Days of DDoS (chart)
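An added example, not from the deck, of how the two-day attack in slides 27 and 28 could be profiled from border-router flow records: it counts UDP hits per calendar day, measures duration and distinct sources, and tests for the quasi-random high-port, small-packet signature. The record layout and the generated sample traffic are assumptions; the sample deliberately uses ordinary routable source addresses, since slide 28 notes the real sources were legitimate netblocks that no bogon filter would catch.

```python
import random
import statistics
from collections import Counter
from datetime import datetime, timedelta

# Constructed flow records (time, proto, src, sport, dst, dport, bytes), in the
# spirit of the NetFlow export the deck lists among border-router defenses.
# The traffic is generated here and is not the presentation's data.
def make_sample(n_attack=400, n_normal=40, seed=7):
    rng = random.Random(seed)
    t0 = datetime(2001, 3, 1, 22, 0, 0)
    recs = []
    for i in range(n_normal):            # ordinary web hits to the site
        recs.append((t0 + timedelta(minutes=i), "tcp", "198.51.100.%d" % (i % 5 + 1),
                     40000 + i, "192.0.2.10", 80, 1200))
    for i in range(n_attack):            # flood: random high ports, small packets
        recs.append((t0 + timedelta(seconds=228 * i), "udp",
                     "203.0.113.%d" % rng.randint(1, 200), rng.randint(1024, 65535),
                     "192.0.2.10", rng.randint(1024, 65535), rng.randint(28, 64)))
    return recs

def characterize(recs, min_hits=100):
    """Profile UDP hits per day and test for the random-high-port, small-packet pattern."""
    udp = [r for r in recs if r[1] == "udp"]
    if len(udp) < min_hits:               # too little UDP to call anything
        return {"udp_hits": len(udp), "ddos_pattern": False}
    per_day = Counter(r[0].date().isoformat() for r in udp)
    duration = max(r[0] for r in udp) - min(r[0] for r in udp)
    # Fraction of distinct (sport, dport) pairs: near 1.0 means the ports are random.
    distinct_pairs = len({(r[3], r[5]) for r in udp}) / len(udp)
    high_ports = sum(1 for r in udp if r[3] >= 1024 and r[5] >= 1024) / len(udp)
    median_bytes = statistics.median(r[6] for r in udp)
    pattern = distinct_pairs > 0.9 and high_ports > 0.9 and median_bytes < 100
    return {"udp_hits": len(udp), "per_day": dict(per_day),
            "unique_sources": len({r[2] for r in udp}),
            "duration": str(duration), "ddos_pattern": pattern}
```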

  31. Site Defense and Attack Mitigation
     • While you cannot prevent an attack, you can choose how to react to an attack.
     • Layers of defense that use multiple tools.
     • Layers of monitoring and alert mechanisms.
     • Know how to respond before the attack begins.

  32. Site Defense and Attack Mitigation
     • Border router
       – Protocol shaping and filtering.
       – Anti-bogon and anti-spoofing defense (uRPF), ingress and egress filtering.
       – NetFlow.
     • IDS device(s)
       – Attack and probe signatures.
       – Alerts.

  33. Site Defense and Attack Mitigation
     • Border firewall
       – Port filtering.
       – Logging.
       – Some IDS capability.
     • End systems
       – Tuned kernel.
       – TCP wrappers, disable services, etc.
     • Crunchy through and through!

  34. Site Defense and Attack Mitigation
     • Don’t panic!
     • Collect data!
     • The good news – you can survive!

  35. References and shameless self-advertisements
     • RFC 2267 – http://rfc.net/rfc2267.html
     • Secure IOS Template – http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html
     • Secure BGP Template – http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html
     • UNIX IP Stack Tuning Guide – http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html

  36. Any questions?

  37. Thank you for your time!
     • Thanks to Jan, Luuk, and Jacques for inviting me to speak with you today.
     • Thanks to Surfnet/CERT-NL for picking up the travel.
     • Thanks for all of the coffee!
