Rob Thomas, robt@cymru.com, http://www.cymru.com/~robt

60 Days of Basic Naughtiness

Probes and Attacks Endured by an Active Web Site

16 March 2001


60 Days of Basic Naughtiness

• Statistical analysis of log and IDS files.

• Statistical analysis of a two-day DDoS attack.

• Methods of mitigation.

• Questions.


About the Site

• Production site for several (> 4) years.

• Largely static content.

• No e-commerce.

• Layers of defense – more on that later!


About the Data

• Data from router logs.

• Data from IDS logs.

• Snapshot taken from 60 days of combined data.

• Data processed by several home-brew tools (mostly Perl and awk).


Definition of “Naughty”

• Any traffic that is logged by a specific “deny” ACL.

• Any traffic that presents a pattern detected by the IDS software.

• The two log sources are not necessarily synchronized.


Daily Probes and Attacks

• TCP and UDP Probes and Attacks – ICMP not counted.

• Average – 529.00

• Standard deviation – 644.10!

• 60 Day Low – 83.00

• 60 Day High – 4355.00
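The per-day statistics on this slide, as an added example that is not the author's own tooling (the talk's tools were Perl and awk): the Python below counts one hit per router ACL "deny" log line, splits TCP from UDP and skips ICMP, then reports the average, standard deviation, low and high. The log format and the sample lines are constructed, modelled on Cisco IOS %SEC-6-IPACCESSLOGP syslog messages.

```python
import re
import statistics
from collections import Counter

# Constructed sample of router ACL "deny" log lines in the style of Cisco IOS
# %SEC-6-IPACCESSLOGP syslog messages (hypothetical data, not from the talk).
ACL_LOG = """\
Nov 17 03:12:01 gw 2345: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(1026) -> 192.0.2.10(137), 1 packet
Nov 17 03:12:09 gw 2346: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4021) -> 192.0.2.10(21), 1 packet
Nov 17 14:40:52 gw 2350: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.5 -> 192.0.2.10 (8/0), 1 packet
Nov 18 09:01:13 gw 2401: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(53) -> 192.0.2.10(53), 1 packet
Nov 19 22:15:44 gw 2477: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.4(1234) -> 192.0.2.10(0), 4 packets
Nov 19 22:15:45 gw 2478: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.5(1235) -> 192.0.2.10(0), 1 packet
"""

# Pull the syslog month/day and the denied protocol out of each line.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) \S+ \S+ \S+ %SEC-6-IPACCESSLOG\w*: "
    r"list \S+ denied (?P<proto>\w+) ")

def parse_hits(log_text):
    """Hits per day split by protocol (one hit per logged deny line); ICMP not counted."""
    per_day = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("proto").lower() not in ("tcp", "udp"):
            continue
        day = f"{m.group('mon')} {int(m.group('day')):02d}"
        per_day.setdefault(day, Counter())[m.group("proto").lower()] += 1
    return per_day

def daily_stats(per_day):
    """Average, sample standard deviation, low and high of total hits per day."""
    totals = [sum(c.values()) for c in per_day.values()]
    return {"average": round(statistics.mean(totals), 2),
            "stdev": round(statistics.stdev(totals), 2),
            "low": min(totals), "high": max(totals)}

if __name__ == "__main__":
    hits = parse_hits(ACL_LOG)
    for day, counts in hits.items():          # the TCP/UDP series of the daily chart
        print(day, dict(counts))
    print(daily_stats(hits))
```

Days with no logged hits do not appear in the result, so on a quiet network the low should be taken from the full calendar rather than from the days present in the log.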


Daily Probes and Attacks

[Chart: Daily Probes and Attacks, 11/17/00 to 1/11/01; x-axis Day, y-axis Hits (0 to 5000); series TCP and UDP.]


Weekly Probes and Attacks

• There is no steady-state.

• Attacks come in waves, generally on the heels of a new exploit and scan.

• Certain types of scans (e.g. Netbios) tend to run 24x7x365.

• Proactive monitoring, based on underground and public alerts, will result in significant data capture.


Weekly Probes and Attacks – Trend Analysis

[Chart: Weekly Probes and Attacks, weeks 11/12–11/18 through 01/14–01/20; x-axis Week, y-axis Hits (0 to 8000).]


Hourly Probes and Attacks

• Myth: “Most attacks occur at night.”

• An attacker’s evening may be a victim’s day – the nature of a global network.

• Truth: Don’t plan based on the clock.


Hourly Probes and Attacks – Trend Analysis

[Chart: Hourly Probes and Attacks; x-axis 24 Hour Clock (1 to 24), y-axis Hits (0 to 10000).]


UDP Probes and Attacks – Top Five Destination Ports

• First – 137 NETBIOS

• Second – 53 DNS

• Third – 27960

• Fourth – 500 ISAKMP

• Fifth – 33480 (likely UNIX traceroute)


UDP Probes and Attacks – Trend Analysis

[Chart: UDP Probes and Attacks, 11/17/00 to 1/12/01; x-axis Day, y-axis Number of Hits (0 to 350); series Port 137 Hits and Port 53 Hits.]


TCP Probes and Attacks – Top Five Destination Ports

• First – 3663 (DDoS Attack)

• Second – 0 Reserved (DDoS Attack)

• Third – 6667 IRC (DDoS Attack)

• Fourth – 81 (DDoS Attack)

• Fifth – 21 FTP-control


TCP Probes and Attacks – Trend Analysis

[Chart: TCP Probes and Attacks, 11/17/00 to 1/12/01; x-axis Date, y-axis Hits (0 to 120); series Port 0 Hits and Port 21 Hits.]


Source Address of Probes and Attacks

[Chart: Classful Sources of Probes and Attacks; x-axis IP Netblock Class (A to E), y-axis Number of Unique IP Addresses Seen (0 to 3500).]

[Pie chart: Source Address Class Percentage – A 20%, B 7%, C 20%, D 26%, E 27%.]


Source Address of Probes and Attacks – Bogon Source Percentages

[Chart: Unique IP Addresses by IP Netblock Class (A to C), y-axis 0 to 4000; series Bogon Addresses and Total Addresses. Data labels: A 1128 bogon of 2346 total, B 167 of 803, C 270 of 2275.]


Source Address of Probes and Attacks

• Bogon source attacks still common.

• Of all source addresses, 53.39% were in the Class D and Class E space.

• Percentage of bogons, all classes – 66.85%!

• This is good news – prefix-list, ACL defense, and uRPF will block 66.85% of these nasties!
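An added example (not code from the talk) of the classful and bogon breakdown behind the two percentages above: it classifies logged source addresses by first octet, flags bogons, computes the class D/E share and the overall bogon share for a constructed sample, and emits the matching IOS-style deny entries a prefix-list or ACL defense would carry. The bogon prefix list and the sample addresses are assumptions made for this example.

```python
import ipaddress
from collections import Counter

# Bogon prefixes assumed for this example: RFC 1918 private space, loopback,
# link-local, 0/8 and TEST-NET, plus all of class D (multicast) and class E.
# A real filter should track a maintained bogon list; this one is illustrative.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed source addresses, as they might be pulled from deny-ACL logs
# (duplicates included, since the chart counts unique addresses).
SOURCES = ["11.22.33.44", "10.1.2.3", "127.0.0.1", "10.1.2.3", "172.16.5.5",
           "130.37.0.1", "198.51.100.7", "192.168.1.4", "224.0.0.9",
           "239.255.255.250", "250.1.1.1"]

def ip_class(addr):
    """Classful letter from the first octet: A <128, B <192, C <224, D <240, else E."""
    first = int(addr) >> 24
    for letter, limit in (("A", 128), ("B", 192), ("C", 224), ("D", 240)):
        if first < limit:
            return letter
    return "E"

def is_bogon(addr):
    return any(addr in net for net in BOGONS)

def summarize(sources):
    """Unique sources per class, bogons per class, and the two shares quoted above."""
    uniq = {ipaddress.ip_address(s) for s in sources}
    total = Counter(ip_class(a) for a in uniq)
    bogon = Counter(ip_class(a) for a in uniq if is_bogon(a))
    n = len(uniq)
    return {"unique": n,
            "by_class": {c: total[c] for c in "ABCDE"},
            "bogon_by_class": {c: bogon[c] for c in "ABCDE"},
            "pct_class_d_e": round(100 * (total["D"] + total["E"]) / n, 2),
            "pct_bogon": round(100 * sum(bogon.values()) / n, 2)}

def bogon_acl_lines():
    """IOS-style extended ACL entries (wildcard masks) that drop bogon sources."""
    return [f"deny ip {net.network_address} {net.hostmask} any" for net in BOGONS]

if __name__ == "__main__":
    print(summarize(SOURCES))
    print("\n".join(bogon_acl_lines()))
```

The ACL lines cover spoofed bogon sources only; the DDoS described later in the talk came from legitimate netblocks, which is why uRPF and ingress filtering are layered with monitoring rather than relied on alone.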


Source Region of the Naughty – A dangerously misleading slide

[Pie chart: RIR for Source Addresses – ARIN 58%, RIPE 37%, APNIC 5%.]


Intrusion (attempt) Detection

• IDS is not foolproof!

• Incorrect fingerprinting does occur.

• You cannot identify that which you cannot see.


Top Five IDS Detected Probes

[Chart: IDS Detected Probes; x-axis Type – NetBus, Backorifice, TFTP, IDENT, Deep Throat; y-axis Hits (0 to 1400).]


Top Five Detected IDS Probes – Trend Analysis

[Chart: IDS Detected Probes - Trend Analysis; x-axis Date (day 1 to 52), y-axis Hits (0 to 180); series NetBus, Backorifice, TFTP, IDENT, Deep Throat.]


Top Five IDS Detected Attacks

[Chart: IDS Detected Attacks; x-axis Type – TCP Port 0, FIN flood, Fragments, ICMP flood, RST flood; y-axis Hits (0 to 500).]


Top Five IDS Detected Sources

[Chart: IDS Detected Source Netblocks; x-axis Netblock Location – Azerbaijan, USA 01, South Korea, USA 02, Canada; y-axis Hits (0 to 200).]


Top Five IDS Detected Sources – Trend Analysis

[Chart: IDS Detected Attacks - Trend Analysis; x-axis Day (1 to 49), y-axis Hits (0 to 160); series labelled A to E.]


Match a Source with a Scan – Source to Hit Matching

[Chart: x-axis Day (1 to 7), y-axis Hits (0 to 160); series B, NetBus, Backorifice, TFTP, IDENT, Deep Throat.]


Two Days of DDoS

• Attack that resulted in 10295 hits on day one and 77466 hits on day two.

• Attack lasted 25 hours, 25 minutes, and 44 seconds.

• Quasi-random UDP high ports (source and destination), small packets.


Two Days of DDoS

• Perhaps as many as 2000 hosts used by the attackers.

• 23 unique organizations.

• 9 different nations located in the Americas, Europe, and Asia.

• Source netblocks all legitimate.


Two Days of DDoS – Packets per minute

[Chart: Packets per minute; x-axis DATE:HOUR:MINUTE from 24:21:13 to 25:22:29, y-axis Packets (0 to 70).]


Two Days of DDoS – DDoS Sources

[Chart: DDoS Sources; x-axis Hour (1 to 26), y-axis Packets (0 to 4000).]


Site Defense and Attack Mitigation

• While you cannot prevent an attack, you can choose how to react to an attack.

• Layers of defense that use multiple tools.

• Layers of monitoring and alert mechanisms.

• Know how to respond before the attack begins.


Site Defense and Attack Mitigation

• Border router

– Protocol shaping and filtering.

– Anti-bogon and anti-spoofing defense (uRPF), ingress and egress filtering.

– NetFlow.

• IDS device(s)

– Attack and probe signatures.

– Alerts.


Site Defense and Attack Mitigation

• Border firewall

– Port filtering.

– Logging.

– Some IDS capability.

• End systems

– Tuned kernel.

– TCP wrappers, disable services, etc.

– Crunchy through and through!


Site Defense and Attack Mitigation

• Don’t panic!

• Collect data!

• The good news - you can survive!


References and shameless self advertisements

• RFC 2267 – http://rfc.net/rfc2267.html

• Secure IOS Template – http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html

• Secure BGP Template – http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html

• UNIX IP Stack Tuning Guide – http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html


Any questions?


Thank you for your time!

• Thanks to Jan, Luuk, and Jacques for inviting me to speak with you today.

• Thanks to Surfnet/CERT-NL for picking up the travel.

• Thanks for all of the coffee!