Embed Size (px)
Citation preview
Black Hat Briefings 2000:Strategies for Defeating Distributed Attacks
Simple Nomad
Hacker
Nomad Mobile Research Centre
Occam Theorist
RAZOR Security Team, BindView Corporation
About Myself
http://www.nmrc.org/ Currently Sr. Security Analyst for
BindView’s RAZOR Team, http://razor.bindview.com/
About This Presentation
Assume basics– Understand IP addressing– Understand basic system administration
Tools– Where to find them– Basic usage
Terminology A “Network” point of view
Background
Originally developed during 1999 Concepts first discussed last October Many concepts can be found in DDOS
software today
Attack Recognition Basics
Pattern Recognition– Examples:
• Byte sequence in RAM
• Packet content in a network transmission
• Half opens against a server within a certain time frame
– Considered “real-time”
Attack Recognition Basics Cont.
Effect Recognition– Examples
• Unscheduled server restart in logs
• Unexplainable CPU utilization
• System binaries altered
– Considered “non” real-time
Attack Recognition Problems
Blended “pattern” and “effect” attacks Sniffing attacks Decoys and false identification of attack
source
Attack Recognition Problems Cont. Current solutions are usually “pattern” or
“effect”, no real-time global solutions Existing large scale solutions can easily be
defeated
Common Thwarting Techniques
Rule-based systems can be tricked Log watchers can be deceived Time-based rules can be bypassed
What is Needed
The “Overall Behavior Network/Host Monitoring Tool” (which doesn’t exist)
What Do We Do?
“Trickle Down Security”– Solutions for distributed attacks will introduce
good security overall
Off-the-shelf is not enough Learn about attack types Defensive techniques
Changing Attack Patterns
More large-scale attacks Better enumeration and assessment of the
target by the attacker
Two Basic Distributed Attack Models Attacks that do not require direct
observation of the results Attacks that require the attacker to directly
observe the results
Basic Model
Server AgentClient
Issuecommands
Processescommandsto agents
Carriesout
commands
More Advanced Model
TargetAttacker
Forged ICMPTimestamp Requests
ICMP TimestampReplies
SniffedReplies
Even More Advanced Model
Target
Firewall
Even More Advanced Model
Target
Firewall
UpstreamHost
Even More Advanced Model
Target
Attack Node
Attack Node
Attack Node
Firewall
UpstreamHost
Master Node
Even More Advanced Model
Target
Attack Node
Attack Node
Attack Node
Firewall
UpstreamHost
Attacksor
Probes
Master Node
Even More Advanced Model
Target
Attack Node
Attack Node
Attack Node
Firewall
UpstreamHost
Attacksor
Probes
Replies
Master Node
Even More Advanced Model
Target
Attack Node
SniffedReplies
Attack Node
Attack Node
Firewall
UpstreamHost
Attacksor
Probes
Replies
Master Node
Even More Advanced Model
Target
Attack Node
SniffedReplies
Attack Node
Attack Node
Firewall
UpstreamHost
Attacksor
Probes
Replies
Master Node
ICMP
Sweeping a network with Echo Typical alternates to ping
– Timestamp– Info Request
Fun with ICMP
Advanced ICMP enumeration
Host Enumeration# ./icmpenum -i 2 -c xxx.xx.218.0
xxx.xx.218.23 is up
xxx.xx.218.26 is up
xxx.xx.218.52 is up
xxx.xx.218.53 is up
xxx.xx.218.58 is up
xxx.xx.218.63 is up
xxx.xx.218.82 is up
xxx.xx.218.90 is up
xxx.xx.218.92 is up
xxx.xx.218.96 is up
xxx.xx.218.118 is up
xxx.xx.218.123 is up
xxx.xx.218.126 is up
xxx.xx.218.130 is up
xxx.xx.218.187 is up
xxx.xx.218.189 is up
xxx.xx.218.215 is up
xxx.xx.218.253 is up
Nmap
Ping sweeps Port scanning TCP fingerprinting
Fun with Nmap
Additional features
Addition Probes
Possible security devices Sweep for promiscuous devices
Network Mapping
Determine network layout Traceroute
Network Mapping
cw
swb
Internet Routers
Network Mapping
cw
swb
Internet Routers
Network Mapping
Firewall
DMZ
cw
swb
VPN
Internet Routers
Network Mapping
Firewall
DMZ
www
ftp
cw
swb
VPN
Internet Routers
Network Mapping
Firewall
DMZ
www
ftp
cw
swb
VPN
Internet Routers
Network Mapping
Sun
LinuxFirewall
NT
Hosts Inside DMZ
www
ftp
cw
swb
VPN
Internet Routers
Network Mapping
Sun
LinuxFirewall
NT
Hosts Inside DMZ
www
ftp
cw
swb
VPN
Internet Routers
Linux 2.0.38xxx.xx.48.2
AIX 4.2.1xxx.xx.48.1
Checkpoint Firewall-1Solaris 2.7xxx.xx.49.17
Checkpoint Firewall-1Nortel Extranetxxx.xx.22. 7
Cisco 7206204.70.xxx.xxx
Nortel CVX1800151.164.x.xxx
IDS?
Defensive Techniques
Good security policy Split DNS
– All public systems in one DNS server located in DMZ
– All internal systems using private addresses with separate DNS server internally
Drop/reject packets with a TTL of 1 or 0
Defensive Techniques Cont.
Minimal ports open Stateful inspection firewalls Modified kernels/IDS to look for fingerprint
packets
Defensive Techniques Cont.
Limit ICMP inbound to host/destination unreachable
Limit outbound ICMP
DMZ Server Recommendations
Split services between servers Current patches Use trusted paths, anti-buffer overflow
settings and kernel patches Use any built-in firewalling software Make use of built-in state tables
Firewall Rules
Limit inbound to only necessary services Limit outbound via proxies to help control
access Block all outbound to only necessary traffic
Intrusion Detection Systems
Use only IDS’s that can be customized IDS should be capable of handling
fragmented packet reassembly IDS should handle high speeds
Spoofed Packet Defenses
Get TTL of suspected spoofed packet Probe the source address in the packet Compare the probe reply’s TTL to the
suspected spoofed packet
Questions, etc.
For followup:– http://razor.bindview.com/– [email protected]
References:– David Dittrich’s web site http://staff.washington.edu/dittrich/ – "Network Cat and Mouse", SANS Network Security '99, New Orleans; security presentation,
http://www.sans.org – "The Paranoid Network", SANS 2000, Orlando; security presentation, http://www.sans.org – NMap, http://www.insecure.org/nmap/ – Icmpenum, http://razor.bindview.com/tools/ – Martin Roesch’s web site http://www.clark.net/~roesch/security.html – “Strategies for Defeating Distributed Attacks”,
http://razor.bindview.com/publish/papers/strategies.html – “Distributed Denial of Service Defense Tactics”,
http://razor.bindview.com/publish/papers/DDSA_Defense.html
Late Breaking News
HackerShield RapidFire Update 208– With SANS Top Ten checks, including comprehensive CGI scanner– http://www.bindview.com/products/hackershield/index.html
VLAD the Scanner– Freeware open-source security scanner, including same CGI checks as
HackerShield– Focuses only on SANS Top Ten– http://razor.bindview.com/tools/index.shtml
Despoof– Detects possible spoofed packets through active queries against suspected
spoofed IP address– http://razor.bindview.com/tools/index.shtml
