Strategies for Defeating Distributed Attacks
Download
Report
Transcript Strategies for Defeating Distributed Attacks
Black Hat Briefings 2000:
Strategies for Defeating
Distributed Attacks
Simple Nomad
Hacker
Nomad Mobile Research Centre
Occam Theorist
RAZOR Security Team, BindView Corporation
About Myself
http://www.nmrc.org/
Currently Sr. Security Analyst for
BindView’s RAZOR Team,
http://razor.bindview.com/
About This Presentation
Assume basics
– Understand IP addressing
– Understand basic system administration
Tools
– Where to find them
– Basic usage
Terminology
A “Network” point of view
Background
Originally developed during 1999
Concepts first discussed last October
Many concepts can be found in DDOS
software today
Attack Recognition Basics
Pattern Recognition
– Examples:
• Byte sequence in RAM
• Packet content in a network transmission
• Half opens against a server within a certain time
frame
– Considered “real-time”
Attack Recognition Basics Cont.
Effect Recognition
– Examples
• Unscheduled server restart in logs
• Unexplainable CPU utilization
• System binaries altered
– Considered “non” real-time
Attack Recognition Problems
Blended “pattern” and “effect” attacks
Sniffing attacks
Decoys and false identification of attack
source
Attack Recognition Problems
Cont.
Current solutions are usually “pattern” or
“effect”, no real-time global solutions
Existing large scale solutions can easily be
defeated
Common Thwarting Techniques
Rule-based systems can be tricked
Log watchers can be deceived
Time-based rules can be bypassed
What is Needed
The “Overall Behavior Network/Host
Monitoring Tool” (which doesn’t exist)
What Do We Do?
“Trickle Down Security”
– Solutions for distributed attacks will introduce
good security overall
Off-the-shelf is not enough
Learn about attack types
Defensive techniques
Changing Attack Patterns
More large-scale attacks
Better enumeration and assessment of the
target by the attacker
Two Basic Distributed Attack
Models
Attacks that do not require direct
observation of the results
Attacks that require the attacker to directly
observe the results
Basic Model
Client
Server
Agent
Issue
commands
Processes
commands
to agents
Carries
out
commands
More Advanced Model
Attacker
Sniffed
Replies
Forged ICMP
Timestamp Requests
ICMP Timestamp
Replies
Target
Even More Advanced Model
F
i
r
e
w
a
l
l
Target
Even More Advanced Model
F
i
r
e
w
a
l
l
Upstream
Host
Target
Even More Advanced Model
Attack Node
Attack Node
Master Node
Attack Node
Upstream
Host
F
i
r
e
w
a
l
l
Target
Even More Advanced Model
Attack Node
Attack Node
Master Node
Attacks
or
Probes
Attack Node
Upstream
Host
F
i
r
e
w
a
l
l
Target
Even More Advanced Model
Attack Node
Attack Node
Master Node
Replies
Attacks
or
Probes
Attack Node
Upstream
Host
F
i
r
e
w
a
l
l
Target
Even More Advanced Model
Attack Node
Attack Node
Master Node
Attacks
or
Probes
Attack Node
Sniffed
Replies
Replies
Upstream
Host
F
i
r
e
w
a
l
l
Target
Even More Advanced Model
Attack Node
Attack Node
Master Node
Attacks
or
Probes
Attack Node
Sniffed
Replies
Replies
Upstream
Host
F
i
r
e
w
a
l
l
Target
ICMP
Sweeping a network with Echo
Typical alternates to ping
– Timestamp
– Info Request
Fun with ICMP
Advanced ICMP enumeration
Host Enumeration
# ./icmpenum -i 2 -c xxx.xx.218.0
xxx.xx.218.23 is up
xxx.xx.218.26 is up
xxx.xx.218.52 is up
xxx.xx.218.53 is up
xxx.xx.218.58 is up
xxx.xx.218.63 is up
xxx.xx.218.82 is up
xxx.xx.218.90 is up
xxx.xx.218.92 is up
xxx.xx.218.96 is up
xxx.xx.218.118 is up
xxx.xx.218.123 is up
xxx.xx.218.126 is up
xxx.xx.218.130 is up
xxx.xx.218.187 is up
xxx.xx.218.189 is up
xxx.xx.218.215 is up
xxx.xx.218.253 is up
Nmap
Ping sweeps
Port scanning
TCP fingerprinting
Fun with Nmap
Additional features
Addition Probes
Possible security devices
Sweep for promiscuous devices
Network Mapping
Determine network layout
Traceroute
Network Mapping
cw
swb
Internet Routers
Network Mapping
cw
swb
Internet Routers
Network Mapping
VPN
cw
Firewall
swb
DMZ
Internet Routers
Network Mapping
VPN
cw
Firewall
www
swb
ftp
DMZ
Internet Routers
Network Mapping
VPN
cw
Firewall
www
swb
ftp
DMZ
Internet Routers
Network Mapping
VPN
NT
cw
Firewall
Linux
www
Sun
swb
ftp
Hosts Inside
DMZ
Internet Routers
Network Mapping
VPN
Checkpoint Firewall-1
Nortel Extranet
xxx.xx.22. 7
NT
cw
Nortel CVX1800
151.164.x.xxx
Firewall
Linux
www
Sun
Checkpoint Firewall-1
Solaris 2.7
xxx.xx.49.17
AIX 4.2.1
xxx.xx.48.1
IDS?
swb
Cisco 7206
204.70.xxx.xxx
ftp
Linux 2.0.38
xxx.xx.48.2
Hosts Inside
DMZ
Internet Routers
Defensive Techniques
Good security policy
Split DNS
– All public systems in one DNS server located
in DMZ
– All internal systems using private addresses
with separate DNS server internally
Drop/reject packets with a TTL of 1 or 0
Defensive Techniques Cont.
Minimal ports open
Stateful inspection firewalls
Modified kernels/IDS to look for fingerprint
packets
Defensive Techniques Cont.
Limit ICMP inbound to host/destination
unreachable
Limit outbound ICMP
DMZ Server Recommendations
Split services between servers
Current patches
Use trusted paths, anti-buffer overflow
settings and kernel patches
Use any built-in firewalling software
Make use of built-in state tables
Firewall Rules
Limit inbound to only necessary services
Limit outbound via proxies to help control
access
Block all outbound to only necessary traffic
Intrusion Detection Systems
Use only IDS’s that can be customized
IDS should be capable of handling
fragmented packet reassembly
IDS should handle high speeds
Spoofed Packet Defenses
Get TTL of suspected spoofed packet
Probe the source address in the packet
Compare the probe reply’s TTL to the
suspected spoofed packet
Questions, etc.
For followup:
– http://razor.bindview.com/
– [email protected]
References:
–
–
–
–
–
–
–
–
David Dittrich’s web site http://staff.washington.edu/dittrich/
"Network Cat and Mouse", SANS Network Security '99, New Orleans; security presentation,
http://www.sans.org
"The Paranoid Network", SANS 2000, Orlando; security presentation, http://www.sans.org
NMap, http://www.insecure.org/nmap/
Icmpenum, http://razor.bindview.com/tools/
Martin Roesch’s web site http://www.clark.net/~roesch/security.html
“Strategies for Defeating Distributed Attacks”,
http://razor.bindview.com/publish/papers/strategies.html
“Distributed Denial of Service Defense Tactics”,
http://razor.bindview.com/publish/papers/DDSA_Defense.html
Late Breaking News
HackerShield RapidFire Update 208
– With SANS Top Ten checks, including comprehensive CGI scanner
– http://www.bindview.com/products/hackershield/index.html
VLAD the Scanner
– Freeware open-source security scanner, including same CGI checks as
HackerShield
– Focuses only on SANS Top Ten
– http://razor.bindview.com/tools/index.shtml
Despoof
– Detects possible spoofed packets through active queries against suspected
spoofed IP address
– http://razor.bindview.com/tools/index.shtml