1 / 45

Black Hat Briefings 2000: Strategies for Defeating Distributed Attacks

Black Hat Briefings 2000: Strategies for Defeating Distributed Attacks. Simple Nomad Hacker Nomad Mobile Research Centre Occam Theorist RAZOR Security Team, BindView Corporation. About Myself. http://www.nmrc.org/

kellsie
Download Presentation

Black Hat Briefings 2000: Strategies for Defeating Distributed Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Black Hat Briefings 2000:Strategies for Defeating Distributed Attacks Simple Nomad Hacker Nomad Mobile Research Centre Occam Theorist RAZOR Security Team, BindView Corporation

  2. About Myself • http://www.nmrc.org/ • Currently Sr. Security Analyst for BindView’s RAZOR Team, http://razor.bindview.com/

  3. About This Presentation • Assume basics • Understand IP addressing • Understand basic system administration • Tools • Where to find them • Basic usage • Terminology • A “Network” point of view

  4. Background • Originally developed during 1999 • Concepts first discussed last October • Many concepts can be found in DDOS software today

  5. Attack Recognition Basics • Pattern Recognition • Examples: • Byte sequence in RAM • Packet content in a network transmission • Half opens against a server within a certain time frame • Considered “real-time”

  6. Attack Recognition Basics Cont. • Effect Recognition • Examples • Unscheduled server restart in logs • Unexplainable CPU utilization • System binaries altered • Considered “non” real-time

  7. Attack Recognition Problems • Blended “pattern” and “effect” attacks • Sniffing attacks • Decoys and false identification of attack source

  8. Attack Recognition Problems Cont. • Current solutions are usually “pattern” or “effect”, no real-time global solutions • Existing large scale solutions can easily be defeated

  9. Common Thwarting Techniques • Rule-based systems can be tricked • Log watchers can be deceived • Time-based rules can be bypassed

  10. What is Needed • The “Overall Behavior Network/Host Monitoring Tool” (which doesn’t exist)

  11. What Do We Do? • “Trickle Down Security” • Solutions for distributed attacks will introduce good security overall • Off-the-shelf is not enough • Learn about attack types • Defensive techniques

  12. Changing Attack Patterns • More large-scale attacks • Better enumeration and assessment of the target by the attacker

  13. Two Basic Distributed Attack Models • Attacks that do not require direct observation of the results • Attacks that require the attacker to directly observe the results

  14. Basic Model Client Server Agent Issue commands Processes commands to agents Carries out commands

  15. More Advanced Model Forged ICMP Timestamp Requests Attacker Target Sniffed Replies ICMP Timestamp Replies

  16. Even More Advanced Model F i r e w a l l Target

  17. Even More Advanced Model F i r e w a l l Target Upstream Host

  18. Even More Advanced Model Attack Node F i r e w a l l Attack Node Target Master Node Attack Node Upstream Host

  19. Even More Advanced Model Attack Node F i r e w a l l Attack Node Attacks or Probes Target Master Node Attack Node Upstream Host

  20. Even More Advanced Model Attack Node F i r e w a l l Attack Node Attacks or Probes Target Master Node Attack Node Replies Upstream Host

  21. Even More Advanced Model Attack Node F i r e w a l l Attack Node Attacks or Probes Target Master Node Attack Node Sniffed Replies Replies Upstream Host

  22. Even More Advanced Model Attack Node F i r e w a l l Attack Node Attacks or Probes Target Master Node Attack Node Sniffed Replies Replies Upstream Host

  23. ICMP • Sweeping a network with Echo • Typical alternates to ping • Timestamp • Info Request

  24. Fun with ICMP • Advanced ICMP enumeration

  25. Host Enumeration # ./icmpenum -i 2 -c xxx.xx.218.0 xxx.xx.218.23 is up xxx.xx.218.26 is up xxx.xx.218.52 is up xxx.xx.218.53 is up xxx.xx.218.58 is up xxx.xx.218.63 is up xxx.xx.218.82 is up xxx.xx.218.90 is up xxx.xx.218.92 is up xxx.xx.218.96 is up xxx.xx.218.118 is up xxx.xx.218.123 is up xxx.xx.218.126 is up xxx.xx.218.130 is up xxx.xx.218.187 is up xxx.xx.218.189 is up xxx.xx.218.215 is up xxx.xx.218.253 is up

  26. Nmap • Ping sweeps • Port scanning • TCP fingerprinting

  27. Fun with Nmap • Additional features

  28. Addition Probes • Possible security devices • Sweep for promiscuous devices

  29. Network Mapping • Determine network layout • Traceroute

  30. Network Mapping cw swb Internet Routers

  31. Network Mapping cw swb Internet Routers

  32. Network Mapping VPN cw Firewall swb DMZ Internet Routers

  33. Network Mapping VPN cw Firewall www swb ftp DMZ Internet Routers

  34. Network Mapping VPN cw Firewall www swb ftp DMZ Internet Routers

  35. Network Mapping VPN NT cw Firewall Linux www Sun swb ftp Hosts Inside DMZ Internet Routers

  36. Network Mapping Checkpoint Firewall-1 Nortel Extranet xxx.xx.22. 7 VPN NT cw Nortel CVX1800 151.164.x.xxx Firewall Linux IDS? Checkpoint Firewall-1 Solaris 2.7 xxx.xx.49.17 www AIX 4.2.1 xxx.xx.48.1 Sun swb ftp Cisco 7206 204.70.xxx.xxx Linux 2.0.38 xxx.xx.48.2 Hosts Inside DMZ Internet Routers

  37. Defensive Techniques • Good security policy • Split DNS • All public systems in one DNS server located in DMZ • All internal systems using private addresses with separate DNS server internally • Drop/reject packets with a TTL of 1 or 0

  38. Defensive Techniques Cont. • Minimal ports open • Stateful inspection firewalls • Modified kernels/IDS to look for fingerprint packets

  39. Defensive Techniques Cont. • Limit ICMP inbound to host/destination unreachable • Limit outbound ICMP

  40. DMZ Server Recommendations • Split services between servers • Current patches • Use trusted paths, anti-buffer overflow settings and kernel patches • Use any built-in firewalling software • Make use of built-in state tables

  41. Firewall Rules • Limit inbound to only necessary services • Limit outbound via proxies to help control access • Block all outbound to only necessary traffic

  42. Intrusion Detection Systems • Use only IDS’s that can be customized • IDS should be capable of handling fragmented packet reassembly • IDS should handle high speeds

  43. Spoofed Packet Defenses • Get TTL of suspected spoofed packet • Probe the source address in the packet • Compare the probe reply’s TTL to the suspected spoofed packet

  44. Questions, etc. • For followup: • http://razor.bindview.com/ • thegnome@razor.bindview.com • References: • David Dittrich’s web site http://staff.washington.edu/dittrich/ • "Network Cat and Mouse", SANS Network Security '99, New Orleans; security presentation, http://www.sans.org • "The Paranoid Network", SANS 2000, Orlando; security presentation, http://www.sans.org • NMap, http://www.insecure.org/nmap/ • Icmpenum, http://razor.bindview.com/tools/ • Martin Roesch’s web site http://www.clark.net/~roesch/security.html • “Strategies for Defeating Distributed Attacks”, http://razor.bindview.com/publish/papers/strategies.html • “Distributed Denial of Service Defense Tactics”, http://razor.bindview.com/publish/papers/DDSA_Defense.html

  45. Late Breaking News • HackerShield RapidFire Update 208 • With SANS Top Ten checks, including comprehensive CGI scanner • http://www.bindview.com/products/hackershield/index.html • VLAD the Scanner • Freeware open-source security scanner, including same CGI checks as HackerShield • Focuses only on SANS Top Ten • http://razor.bindview.com/tools/index.shtml • Despoof • Detects possible spoofed packets through active queries against suspected spoofed IP address • http://razor.bindview.com/tools/index.shtml

More Related