Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rob Thomas 60 Days of Basic Naughtiness Probes and Attacks Endured by an Active Web Site 16 March 2001.

Similar presentations


Presentation on theme: "Rob Thomas 60 Days of Basic Naughtiness Probes and Attacks Endured by an Active Web Site 16 March 2001."— Presentation transcript:

1 Rob Thomas robt@cymru.com http://www.cymru.com/~robt 60 Days of Basic Naughtiness Probes and Attacks Endured by an Active Web Site 16 March 2001

2 Rob Thomas robt@cymru.com http://www.cymru.com/~robt 60 Days of Basic Naughtiness Statistical analysis of log and IDS files. Statistical analysis of a two-day DDoS attack. Methods of mitigation. Questions.

3 Rob Thomas robt@cymru.com http://www.cymru.com/~robt About the Site Production site for several (> 4) years. Largely static content. No e-commerce. Layers of defense – more on that later!

4 Rob Thomas robt@cymru.com http://www.cymru.com/~robt About the Data Data from router logs. Data from IDS logs. Snapshot taken from 60 days of combined data. Data processed by several home-brew tools (mostly Perl and awk).

5 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Definition of Naughty Any traffic that is logged by a specific deny ACL. Any traffic that presents a pattern detected by the IDS software. The two log sources are not necessarily synchronized.

6 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Daily Probes and Attacks TCP and UDP Probes and Attacks – ICMP not counted. Average – 529.00 Standard deviation – 644.10! 60 Day Low – 83.00 60 Day High – 4355.00

7 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Daily Probes and Attacks

8 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Weekly Probes and Attacks There is no steady-state. Attacks come in waves, generally on the heels of a new exploit and scan. Certain types of scans (e.g. Netbios) tend to run 24x7x365. Proactive monitoring, based on underground and public alerts, will result in significant data capture.

9 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Weekly Probes and Attacks Trend Analysis

10 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Hourly Probes and Attacks Myth: Most attacks occur at night. An attackers evening may be a victims day – the nature of a global network. Truth: Dont plan based on the clock.

11 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Hourly Probes and Attacks Trend Analysis

12 Rob Thomas robt@cymru.com http://www.cymru.com/~robt UDP Probes and Attacks Top Five Destination Ports First – 137 NETBIOS Second – 53 DNS Third – 27960 Fourth – 500 ISAKMP Fifth – 33480 (likely UNIX traceroute)

13 Rob Thomas robt@cymru.com http://www.cymru.com/~robt UDP Probes and Attacks Trend Analysis

14 Rob Thomas robt@cymru.com http://www.cymru.com/~robt TCP Probes and Attacks Top Five Destination Ports First – 3663 (DDoS Attack) Second – 0 Reserved (DDoS Attack) Third – 6667 IRC (DDoS Attack) Fourth – 81 (DDoS Attack) Fifth – 21 FTP-control

15 Rob Thomas robt@cymru.com http://www.cymru.com/~robt TCP Probes and Attacks Trend Analysis

16 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Source Address of Probes and Attacks

17 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Source Address of Probes and Attacks

18 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Source Address of Probes and Attacks Bogon source attacks still common. Of all source addresses, 53.39% were in the Class D and Class E space. Percentage of bogons, all classes – 66.85%! This is good news – prefix-list, ACL defense, and uRPF will block 66.85% of these nasties!

19 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Source Region of the Naughty A dangerously misleading slide

20 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Intrusion (attempt) Detection IDS is not foolproof! Incorrect fingerprinting does occur. You can not identify that which you can not see.

21 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Top Five IDS Detected Probes

22 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Top Five Detected IDS Probes

23 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Top Five IDS Detected Attacks

24 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Top Five IDS Detected Sources

25 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Top Five IDS Detected Sources

26 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Match a Source with a Scan

27 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Two Days of DDoS Attack that resulted in 10295 hits on day one and 77466 hits on day two. Attack lasted 25 hours, 25 minutes, and 44 seconds. Quasi-random UDP high ports (source and destination), small packets.

28 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Two Days of DDoS Perhaps as many as 2000 hosts used by the attackers. 23 unique organizations. 9 different nations located in the Americas, Europe, and Asia. Source netblocks all legitimate.

29 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Two Days of DDoS

30 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Two Days of DDoS

31 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Site Defense and Attack Mitigation While you can not prevent an attack, you can choose how to react to an attack. Layers of defense that use multiple tools. Layers of monitoring and alert mechanisms. Know how to respond before the attack begins.

32 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Site Defense and Attack Mitigation Border router –Protocol shaping and filtering. –Anti-bogon and anti-spoofing defense (uRPF), ingress and egress filtering. –NetFlow. IDS device(s) –Attack and probe signatures. –Alerts.

33 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Site Defense and Attack Mitigation Border firewall –Port filtering. –Logging. –Some IDS capability. End systems –Tuned kernel. –TCP wrappers, disable services, etc. –Crunchy through and through!

34 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Site Defense and Attack Mitigation Dont panic! Collect data! The good news - you can survive!

35 Rob Thomas robt@cymru.com http://www.cymru.com/~robt References and shameless self advertisements RFC 2267 - http://rfc.net/rfc2267.html Secure IOS Template – http://www.cymru.com/~robt/Docs/Articles/secure-ios- template.html Secure BGP Template – http://www.cymru.com/~robt/Docs/Articles/secure-bgp- template.html UNIX IP Stack Tuning Guide – http://www.cymru.com/~robt/Docs/Articles/ip-stack- tuning.html

36 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Any questions?

37 Rob Thomas robt@cymru.com http://www.cymru.com/~robt Thank you for your time! Thanks to Jan, Luuk, and Jacques for inviting me to speak with you today. Thanks to Surfnet/CERT-NL for picking up the travel. Thanks for all of the coffee!


Download ppt "Rob Thomas 60 Days of Basic Naughtiness Probes and Attacks Endured by an Active Web Site 16 March 2001."

Similar presentations


Ads by Google