Rob Thomas [email protected] http://www.cymru.com/~robt
60 Days of Basic Naughtiness
Probes and Attacks Endured by an Active Web Site
16 March 2001
60 Days of Basic Naughtiness
• Statistical analysis of log and IDS files.
• Statistical analysis of a two-day DDoS attack.
• Methods of mitigation.
• Questions.
About the Site
• Production site for several (> 4) years.
• Largely static content.
• No e-commerce.
• Layers of defense – more on that later!
About the Data
• Data from router logs.
• Data from IDS logs.
• Snapshot taken from 60 days of combined data.
• Data processed by several home-brew tools (mostly Perl and awk).
Definition of “Naughty”
• Any traffic that is logged by a specific “deny” ACL.
• Any traffic that presents a pattern detected by the IDS software.
• The two log sources are not necessarily synchronized.
Daily Probes and Attacks
• TCP and UDP Probes and Attacks – ICMP not counted.
• Average – 529.00
• Standard deviation – 644.10!
• 60 Day Low – 83.00
• 60 Day High – 4355.00
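The deck's daily figures (average, standard deviation, 60-day low and high, top destination ports) come from home-brew Perl and awk tools; as an added example that is not the author's code, here is the same analysis in Python over a few constructed Cisco-IOS-style ACL deny lines. The log format, the one-hit-per-deny-entry rule and the use of the population standard deviation are assumptions.

```python
"""Daily probe/attack statistics from router ACL-deny lines (added example,
not the deck's Perl/awk tools). Log format is an assumed Cisco-IOS-style
IPACCESSLOGP deny line; one deny entry = one hit; ICMP skipped as in the deck."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample log (three days); real logs run to thousands of lines.
ROUTER_LOG = """\
Nov 17 03:12:44: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.5(1234) -> 192.0.2.10(137), 1 packet
Nov 17 14:02:01: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4000) -> 192.0.2.10(21), 1 packet
Nov 17 14:02:05: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(4001) -> 192.0.2.10(137), 1 packet
Nov 18 22:40:09: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(53) -> 192.0.2.10(53), 1 packet
Nov 18 22:41:00: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.9 -> 192.0.2.10 (8/0), 1 packet
Nov 19 09:00:00: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.5(1235) -> 192.0.2.10(137), 1 packet
Nov 19 09:00:07: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(1236) -> 192.0.2.10(0), 1 packet
"""

DENY_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2} +\d+) .*denied (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)")

def parse_denies(text):
    """One dict per TCP/UDP deny line; ICMP and unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            events.append({k: (int(v) if k in ("sport", "dport") else v)
                           for k, v in m.groupdict().items()})
    return events

def daily_hits(events):
    """Hits per day split by protocol, e.g. {"Nov 17": {"tcp": 1, "udp": 2}}."""
    per_day = defaultdict(Counter)
    for e in events:
        per_day[e["day"]][e["proto"]] += 1
    return per_day

def summarize(per_day):
    """Average, population standard deviation (assumption), low and high of daily totals."""
    totals = [sum(c.values()) for c in per_day.values()]
    return {"average": statistics.mean(totals), "stdev": statistics.pstdev(totals),
            "low": min(totals), "high": max(totals)}

def top_ports(events, proto, n=5):
    """Most-hit destination ports for one protocol, as (port, hits) pairs."""
    return Counter(e["dport"] for e in events if e["proto"] == proto).most_common(n)
```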
Daily Probes and Attacks
[Chart: Daily Probes and Attacks – hits per day, TCP and UDP series, 11/17/00 to 1/11/01; y-axis 0 to 5000 hits]
Weekly Probes and Attacks
• There is no steady-state.
• Attacks come in waves, generally on the heels of a new exploit and scan.
• Certain types of scans (e.g. Netbios) tend to run 24x7x365.
• Proactive monitoring, based on underground and public alerts, will result in significant data capture.
Weekly Probes and Attacks
Trend Analysis
[Chart: Weekly Probes and Attacks – hits per week, weeks 11/12-11/18 through 01/14-01/20; y-axis 0 to 8000 hits]
Hourly Probes and Attacks
• Myth: “Most attacks occur at night.”
• An attacker’s evening may be a victim’s day – the nature of a global network.
• Truth: Don’t plan based on the clock.
Hourly Probes and Attacks
Trend Analysis
[Chart: Hourly Probes and Attacks – hits per hour of the 24-hour clock; y-axis 0 to 10000 hits]
UDP Probes and Attacks
Top Five Destination Ports
• First – 137 NETBIOS
• Second – 53 DNS
• Third – 27960
• Fourth – 500 ISAKMP
• Fifth – 33480 (likely UNIX traceroute)
UDP Probes and Attacks
Trend Analysis
[Chart: UDP Probes and Attacks – daily hits on port 137 and port 53, 11/17/00 to 1/12/01; y-axis 0 to 350 hits]
TCP Probes and Attacks
Top Five Destination Ports
• First – 3663 (DDoS Attack)
• Second – 0 Reserved (DDoS Attack)
• Third – 6667 IRC (DDoS Attack)
• Fourth – 81 (DDoS Attack)
• Fifth – 21 FTP-control
TCP Probes and Attacks
Trend Analysis
[Chart: TCP Probes and Attacks – daily hits on port 0 and port 21, 11/17/00 to 1/12/01; y-axis 0 to 120 hits]
Source Address of Probes and Attacks
[Chart: Classful Sources of Probes and Attacks – number of unique IP addresses seen per IP netblock class (A to E); y-axis 0 to 3500]
[Pie chart: Source Address Class Percentage – A 20%, B 7%, C 20%, D 26%, E 27%]
Source Address of Probes and Attacks
Bogon Source Percentages
[Chart: unique IP addresses per netblock class, total addresses versus bogon addresses; y-axis 0 to 4000. Series values as read from the chart: Class A 2346 total, 1128 bogon; Class B 803 total, 167 bogon; Class C 2275 total, 270 bogon]
Source Address of Probes and Attacks
• Bogon source attacks still common.
• Of all source addresses, 53.39% were in the Class D and Class E space.
• Percentage of bogons, all classes – 66.85%!
• This is good news – prefix-list, ACL defense, and uRPF will block 66.85% of these nasties!
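As an added example (not the author's tooling), the classful and bogon breakdown behind the 66.85% figure, computed over a constructed set of source addresses. The bogon prefix list is an assumed, minimal one (private, loopback, link-local, 0/8, multicast and Class E), not the full unallocated-space list a border ACL would carry.

```python
"""Classify probe sources by IP class and bogon status (added example, not
the deck's tooling). The bogon set is a small, assumed one; a production
list would also track currently unallocated space."""
import ipaddress
from collections import Counter

# Assumed bogon prefixes: "this network", private, loopback, link-local,
# plus all of Class D (multicast) and Class E (reserved) space.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def ip_class(addr):
    """Classful letter from the first octet (A 0-127, B 128-191, C 192-223, D 224-239, E 240-255)."""
    first = int(addr.split(".")[0])
    return "A" if first < 128 else "B" if first < 192 else "C" if first < 224 else "D" if first < 240 else "E"

def is_bogon(addr):
    """True when the address falls inside any assumed bogon prefix."""
    return any(ipaddress.ip_address(addr) in net for net in BOGONS)

def bogon_report(sources):
    """Per-class totals and bogon counts, plus the share an anti-bogon ACL/prefix-list would drop."""
    uniq = set(sources)                      # the deck counts unique addresses
    total, bogon = Counter(), Counter()
    for a in uniq:
        c = ip_class(a)
        total[c] += 1
        if is_bogon(a):
            bogon[c] += 1
    blocked = sum(bogon.values()) / len(uniq) if uniq else 0.0
    return {"total": dict(total), "bogon": dict(bogon), "blocked_pct": round(100 * blocked, 2)}

# Constructed sample of source addresses seen in deny logs (one duplicate on purpose).
SAMPLE_SOURCES = ["10.0.0.5", "198.51.100.7", "203.0.113.9", "224.0.1.1", "240.1.2.3",
                  "172.16.4.4", "192.168.1.1", "8.8.8.8", "130.1.1.1", "10.0.0.5"]
```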
Source Region of the Naughty
A dangerously misleading slide
[Pie chart: RIR for Source Addresses – ARIN 58%, RIPE 37%, APNIC 5%]
Intrusion (attempt) Detection
• IDS is not foolproof!
• Incorrect fingerprinting does occur.
• You cannot identify that which you cannot see.
Top Five IDS Detected Probes
[Chart: IDS Detected Probes – hits by type: NetBus, Backorifice, TFTP, IDENT, Deep Throat; y-axis 0 to 1400 hits]
Top Five Detected IDS Probes
[Chart: IDS Detected Probes – trend analysis, daily hits over days 1 to 52 for NetBus, Backorifice, TFTP, IDENT and Deep Throat; y-axis 0 to 180 hits]
Top Five IDS Detected Attacks
[Chart: IDS Detected Attacks – hits by type: TCP Port 0, FIN flood, Fragments, ICMP flood, RST flood; y-axis 0 to 500 hits]
Top Five IDS Detected Sources
[Chart: IDS Detected Source Netblocks – hit count by netblock location: Azerbaijan, USA 01, South Korea, USA 02, Canada; y-axis 0 to 200 hits]
Top Five IDS Detected Sources
[Chart: IDS Detected Attacks – trend analysis, daily hits over days 1 to 49 for source netblocks A to E; y-axis 0 to 160 hits]
Match a Source with a Scan
[Chart: Source to Hit Matching – hits per day over days 1 to 7 for source B against NetBus, Backorifice, TFTP, IDENT and Deep Throat; y-axis 0 to 160 hits]
Two Days of DDoS
• Attack that resulted in 10295 hits on day one and 77466 hits on day two.
• Attack lasted 25 hours, 25 minutes, and 44 seconds.
• Quasi-random UDP high ports (source and destination), small packets.
Two Days of DDoS
• Perhaps as many as 2000 hosts used by the attackers.
• 23 unique organizations.
• 9 different nations located in the Americas, Europe, and Asia.
• Source netblocks all legitimate.
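An added example, not from the deck: bucketing constructed NetFlow-style records per minute and flagging the pattern described above (UDP, quasi-random high ports on both ends, small packets), so the packets-per-minute and distinct-source counts can be produced from a site's own flow data. The record layout, the port floor and the byte ceiling are assumptions.

```python
"""Per-minute view of a small-packet UDP flood from constructed flow records
(added example, not the deck's tooling). Records are assumed NetFlow-like
tuples; the "high port, small packet" test mirrors the deck's description."""
from collections import defaultdict

# Constructed records: (date:hour:minute, src, sport, dst, dport, proto, bytes).
FLOWS = [
    ("24:21:13", "198.51.100.7", 40123, "192.0.2.10", 53, "udp", 80),     # ordinary DNS query
    ("24:22:03", "203.0.113.9", 51234, "192.0.2.10", 38123, "udp", 40),
    ("24:22:03", "203.0.113.10", 60001, "192.0.2.10", 41911, "udp", 40),
    ("24:22:03", "203.0.113.11", 33333, "192.0.2.10", 50007, "udp", 40),
    ("24:22:03", "198.51.100.7", 40124, "192.0.2.10", 80, "tcp", 600),    # web hit, not flood
    ("25:00:36", "203.0.113.12", 44444, "192.0.2.10", 39999, "udp", 40),
]

def flood_like(rec, min_port=1024, max_bytes=64):
    """True for the deck's pattern: UDP, high source and destination port, small packet."""
    _, _, sport, _, dport, proto, size = rec
    return proto == "udp" and sport >= min_port and dport >= min_port and size <= max_bytes

def per_minute(flows):
    """Flood-like packets and distinct sources per minute, keyed by date:hour:minute."""
    table = defaultdict(lambda: {"packets": 0, "sources": set()})
    for rec in flows:
        if flood_like(rec):
            bucket = table[rec[0]]
            bucket["packets"] += 1
            bucket["sources"].add(rec[1])
    return {k: {"packets": v["packets"], "sources": len(v["sources"])} for k, v in table.items()}

def flag_minutes(flows, threshold=3):
    """Minutes whose flood-like packet count reaches the threshold (assumed; tune per site)."""
    return sorted(k for k, v in per_minute(flows).items() if v["packets"] >= threshold)

def unique_attack_sources(flows):
    """How many distinct hosts sent flood-like packets (the deck's 'hosts used' figure)."""
    return len({rec[1] for rec in flows if flood_like(rec)})
```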
Two Days of DDoS
Packets per minute
[Chart: packets per minute, DATE:HOUR:MINUTE from 24:21:13 to 25:22:29; y-axis 0 to 70 packets]
Two Days of DDoS
DDoS Sources
[Chart: packets per hour over hours 1 to 26; y-axis 0 to 4000 packets]
Site Defense and Attack Mitigation
• While you cannot prevent an attack, you can choose how to react to an attack.
• Layers of defense that use multiple tools.
• Layers of monitoring and alert mechanisms.
• Know how to respond before the attack begins.
Site Defense and Attack Mitigation
• Border router
– Protocol shaping and filtering.
– Anti-bogon and anti-spoofing defense (uRPF), ingress and egress filtering.
– NetFlow.
• IDS device(s)
– Attack and probe signatures.
– Alerts.
Site Defense and Attack Mitigation
• Border firewall
– Port filtering.
– Logging.
– Some IDS capability.
• End systems
– Tuned kernel.
– TCP wrappers, disable services, etc.
– Crunchy through and through!
Site Defense and Attack Mitigation
• Don’t panic!
• Collect data!
• The good news - you can survive!
References and shameless self advertisements
• RFC 2267 – http://rfc.net/rfc2267.html
• Secure IOS Template – http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html
• Secure BGP Template – http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html
• UNIX IP Stack Tuning Guide – http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html
Any questions?
Thank you for your time!
• Thanks to Jan, Luuk, and Jacques for inviting me to speak with you today.
• Thanks to Surfnet/CERT-NL for picking up the travel.
• Thanks for all of the coffee!