
60 Days of Basic Naughtiness

Probes and Attacks Endured by an Active Web Site

16 March 2001
Rob Thomas robt@cymru.com
http://www.cymru.com/~robt
60 Days of Basic Naughtiness
• Statistical analysis of log and IDS files.
• Statistical analysis of a two-day DDoS attack.
• Methods of mitigation.
• Questions.

About the Site
• Production site for several (> 4) years.
• Largely static content.
• No e-commerce.
• Layers of defense – more on that later!

About the Data
• Data from router logs.
• Data from IDS logs.
• Snapshot taken from 60 days of combined data.
• Data processed by several home-brew tools (mostly Perl and awk).

Definition of “Naughty”
• Any traffic that is logged by a specific “deny” ACL.
• Any traffic that presents a pattern detected by the IDS software.
• The two log sources are not necessarily synchronized: their clocks and coverage differ, so the same event may appear in one source or in both, and the two counts cannot simply be added.

Daily Probes and Attacks
• TCP and UDP probes and attacks only – ICMP not counted.
• Average – 529.00 hits per day.
• Standard deviation – 644.10 (larger than the mean!).
• 60-day low – 83.00.
• 60-day high – 4355.00.
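The home-brew Perl and awk tools are not on the page; as an added example (not the author's code), here is a Python version of the same pipeline. It parses Cisco IOS ACL deny log lines of the %SEC-6-IPACCESSLOGP kind, applies the "naughty" definition (every logged deny entry is one hit, ICMP left out), and produces the per-day mean, standard deviation, low and high, the hourly distribution, and the top destination ports per protocol. The log lines are constructed, and the timestamp layout assumes `service timestamps log datetime year` on the router.

```python
"""Parse Cisco IOS ACL deny log lines and summarise hits per day, per hour and per port.

Added example in Python, not the author's Perl/awk tooling. The log lines below are
constructed for illustration; the %SEC-6-IPACCESSLOGP / IPACCESSLOGDP message layout
follows IOS syslog with `service timestamps log datetime year`, but the addresses,
ports and counts are made up.
"""
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample covering three days (not from the original site).
SAMPLE_LOG = """\
Nov 17 2000 03:12:44: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.5(1040) -> 198.51.100.10(137), 1 packet
Nov 17 2000 03:12:45: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.5(1040) -> 198.51.100.11(137), 1 packet
Nov 17 2000 14:02:10: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(4321) -> 198.51.100.10(21), 1 packet
Nov 18 2000 09:30:01: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.9(6000) -> 198.51.100.10(0), 3 packets
Nov 18 2000 09:30:02: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.77 -> 198.51.100.10 (8/0), 1 packet
Nov 19 2000 22:45:59: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.18.4.4(33433) -> 198.51.100.10(33480), 1 packet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %SEC-6-IPACCESSLOG\w+: "
    r"list \S+ denied (?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?.*?, (?P<count>\d+) packets?$"
)


def parse_acl_log(text):
    """One record per logged deny entry; lines that do not match are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %Y %H:%M:%S")
        records.append({
            "ts": ts,
            "proto": m["proto"].lower(),
            "src": m["src"],
            "dport": int(m["dport"]) if m["dport"] else None,
            "packets": int(m["count"]),
        })
    return records


def naughty(records, count_icmp=False):
    """The slide's definition: every logged deny entry is a hit; ICMP is left out unless asked for."""
    return [r for r in records if count_icmp or r["proto"] != "icmp"]


def daily_hits(records):
    """Hits per calendar day (one hit per log entry, whatever packet count the entry reports)."""
    return Counter(r["ts"].date() for r in records)


def hourly_hits(records):
    """Hits per hour of the day, for the 'attacks happen at night' question."""
    return Counter(r["ts"].hour for r in records)


def top_ports(records, proto, n=5):
    """Most-hit destination ports for one protocol, as (port, hits) pairs."""
    ports = Counter(r["dport"] for r in records if r["proto"] == proto and r["dport"] is not None)
    return ports.most_common(n)


def summarise(daily):
    """Mean, sample standard deviation, low and high of the per-day hit counts."""
    values = list(daily.values())
    return {
        "mean": statistics.mean(values),
        "stdev": statistics.stdev(values) if len(values) > 1 else 0.0,
        "low": min(values),
        "high": max(values),
    }


if __name__ == "__main__":
    hits = naughty(parse_acl_log(SAMPLE_LOG))
    print(summarise(daily_hits(hits)))
    print("udp:", top_ports(hits, "udp"), "tcp:", top_ports(hits, "tcp"))
    print("by hour:", sorted(hourly_hits(hits).items()))
```

With sixty real days of logs the interesting output is the ratio of standard deviation to mean: a deviation larger than the mean, as on this slide, means the daily figure is driven by a few wave days and an "average day" is not a useful planning number.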

Daily Probes and Attacks
[Chart: Daily Probes and Attacks. TCP hits and UDP hits per day, 11/17/00 through 1/11/01; y-axis 0 to 5000 hits.]

Weekly Probes and Attacks
• There is no steady state.
• Attacks come in waves, generally on the heels of a new exploit and the scanning tool that follows it.
• Certain types of scans (e.g. NetBIOS) tend to run 24x7x365.
• Proactive monitoring, based on underground and public alerts, will result in significant data capture.
Weekly Probes and Attacks
Trend Analysis
[Chart: Weekly Probes and Attacks. Hits per week for the ten weeks 11/12-11/18, 11/19-11/25, 11/26-12/02, 12/03-12/09, 12/10-12/16, 12/17-12/23, 12/24-12/30, 12/31-01/06, 01/07-01/13 and 01/14-01/20; y-axis 0 to 8000 hits.]

Hourly Probes and Attacks
• Myth: “Most attacks occur at night.”
• An attacker’s evening may be a victim’s day – the nature of a global network.
• Truth: don’t plan based on the clock.

Hourly Probes and Attacks
Trend Analysis
[Chart: Hourly Probes and Attacks. Hits per hour of the day on a 24-hour clock (1 to 24); y-axis 0 to 10000 hits.]

UDP Probes and Attacks
Top Five Destination Ports
• First – 137 NETBIOS
• Second – 53 DNS
• Third – 27960
• Fourth – 500 ISAKMP
• Fifth – 33480 (likely UNIX traceroute)

UDP Probes and Attacks
Trend Analysis
[Chart: UDP Probes and Attacks. Port 137 hits and port 53 hits per day, 11/17/00 through 1/12/01; y-axis 0 to 350 hits.]

TCP Probes and Attacks
Top Five Destination Ports
• First – 3663 (DDoS Attack)
• Second – 0 Reserved (DDoS Attack)
• Third – 6667 IRC (DDoS Attack)
• Fourth – 81 (DDoS Attack)
• Fifth – 21 FTP-control

TCP Probes and Attacks
Trend Analysis
[Chart: TCP Probes and Attacks. Port 0 hits and port 21 hits per day, 11/17/00 through 1/12/01; y-axis 0 to 120 hits.]

Source Address of Probes and Attacks
[Chart: Classful Sources of Probes and Attacks. Bar chart of the number of unique source IP addresses seen per IP netblock class, A through E (y-axis 0 to 3500), beside a pie chart of the source address class percentages, whose slices read 20%, 27%, 7%, 20% and 26%; the extracted text does not preserve the slice-to-class mapping, but Class D plus Class E must be the 27% and 26% slices to match the 53.39% stated two slides on.]

Source Address of Probes and Attacks
Bogon Source Percentages (unique source IP addresses by IP netblock class, values as labelled on the chart; the bogon share column is computed from them)

Class   Bogon addresses   Total addresses   Bogon share
A       1128              2346              48%
B       270               2275              12%
C       167               803               21%

Source Address of Probes and Attacks
• Attacks from bogon source addresses are still common.
• Of all source addresses, 53.39% were in the Class D and Class E space.
• Percentage of bogons, all classes – 66.85%!
• This is good news – prefix lists, ACL defense, and uRPF will block 66.85% of these nasties! The remaining third come from legitimately allocated space and have to be handled by the other layers of defense.
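As an added example (not the author's tooling, and not his Secure IOS Template), the Python below does what the percentages on this slide need: it sorts unique source addresses into classful netblocks, flags bogons against a prefix list, computes the share a bogon filter would have dropped, and emits the IOS extended-ACL lines that deny those prefixes as sources, which is the anti-bogon filter the mitigation section later places on the border router. The bogon list and the sample addresses are assumptions for illustration; a real list must also carry whatever space is unallocated at the time, and that changes, so it has to be refreshed rather than hard-coded.

```python
"""Classify source addresses by classful netblock, flag bogons, and emit the matching
border-router ACL lines.

Added example, not the author's tooling or his Secure IOS Template. The bogon list
below is an assumption for illustration: RFC 1918 space, 0/8, 127/8, link-local,
TEST-NET and the whole Class D and Class E ranges. A real list also includes space
that is unallocated at the time; pull it from a maintained source instead.
"""
import ipaddress
from collections import Counter

BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4",   # Class D, multicast: never a valid unicast source
    "240.0.0.0/4",   # Class E, reserved
)]

# Constructed list of source addresses as a log parser would hand them over
# (duplicates included; 44.0.0.0/8, 130.1.0.0/16 and 203.0.113.0/24 stand in
# for legitimately allocated space in this example).
SAMPLE_SOURCES = [
    "10.1.2.3", "44.5.6.7", "172.16.9.9", "130.1.1.1", "192.168.0.1",
    "203.0.113.5", "224.0.0.1", "240.1.1.1", "10.1.2.3",
]


def ip_class(addr):
    """Classful letter from the first octet: A < 128, B < 192, C < 224, D < 240, else E."""
    first = int(ipaddress.ip_address(addr)) >> 24
    for letter, limit in (("A", 128), ("B", 192), ("C", 224), ("D", 240)):
        if first < limit:
            return letter
    return "E"


def is_bogon(addr):
    """True when the address falls inside any prefix of the (assumed) bogon list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_PREFIXES)


def classify_sources(addrs):
    """Unique addresses per class, and how many of them are bogons."""
    total, bogon = Counter(), Counter()
    for addr in set(addrs):
        letter = ip_class(addr)
        total[letter] += 1
        if is_bogon(addr):
            bogon[letter] += 1
    return total, bogon


def bogon_share(addrs):
    """Fraction of unique sources a bogon filter would have dropped (the slide's 66.85%)."""
    total, bogon = classify_sources(addrs)
    n = sum(total.values())
    return sum(bogon.values()) / n if n else 0.0


def bogon_acl(number=101):
    """IOS extended ACL entries denying the bogon prefixes as sources (wildcard = host mask)."""
    return [f"access-list {number} deny ip {net.network_address} {net.hostmask} any log"
            for net in BOGON_PREFIXES]


if __name__ == "__main__":
    total, bogon = classify_sources(SAMPLE_SOURCES)
    for letter in "ABCDE":
        print(f"class {letter}: {bogon[letter]} bogon of {total[letter]} unique sources")
    print(f"bogon share: {bogon_share(SAMPLE_SOURCES):.2%}")
    print("\n".join(bogon_acl()))
```

The generated lines go at the top of the inbound ACL on the outside interface; the `log` keyword is what feeds the kind of statistics on these slides, so keep it on the bogon entries even where the rest of the ACL logs nothing.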
Source Region of the Naughty
A dangerously misleading slide
[Chart: RIR for Source Addresses. Pie chart of the ARIN, RIPE and APNIC shares, 58%, 37% and 5%; the extracted text does not preserve which registry holds which share.]
Why misleading: the registry that allocated a source netblock says nothing about where the attacker sits. Two thirds of the sources are bogons that were never allocated to anyone, and the legitimate remainder (see the DDoS analysis) are largely other people's hosts used by the attackers.

Intrusion (attempt) Detection
• IDS is not foolproof!
• Incorrect fingerprinting does occur.
• You cannot identify that which you cannot see.

Top Five IDS Detected Probes
[Chart: IDS Detected Probes. Hits by type: NetBus, Backorifice, TFTP, IDENT and Deep Throat; y-axis 0 to 1400 hits.]

Top Five IDS Detected Probes
[Chart: IDS Detected Probes, trend analysis. Daily hits for NetBus, Backorifice, TFTP, IDENT and Deep Throat over days 1 to 52 of the sample; y-axis 0 to 180 hits.]

Top Five IDS Detected Attacks
[Chart: IDS Detected Attacks. Number of hits by type: TCP Port 0, FIN flood, Fragments, ICMP flood and RST flood; y-axis 0 to 500 hits.]

Top Five IDS Detected Sources
[Chart: IDS Detected Source Netblocks. Hit count by netblock location: Azerbaijan, USA 01, South Korea, USA 02 and Canada; y-axis 0 to 200 hits.]

Top Five IDS Detected Sources
[Chart: IDS Detected Attacks, trend analysis. Daily hits from the five source netblocks, labelled A through E, over days 1 to 49 of the sample; y-axis 0 to 160 hits.]

Match a Source with a Scan
[Chart: Source to Hit Matching. Daily hits from source netblock B plotted against the NetBus, Backorifice, TFTP, IDENT and Deep Throat probe counts over a seven-day window; y-axis 0 to 160 hits.]

Two Days of DDoS
• Attack that resulted in 10295 hits on day one and 77466 hits on day two.
• Attack lasted 25 hours, 25 minutes, and 44 seconds.
• Quasi-random UDP high ports (source and destination), small packets.

Two Days of DDoS
• Perhaps as many as 2000 hosts used by the attackers.
• 23 unique organizations.
• 9 different nations located in the Americas, Europe, and Asia.
• Source netblocks all legitimate, so the anti-bogon and anti-spoofing filters that stop two thirds of the everyday noise would not have touched this one.
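As an added example, not the author's analysis code or data, the following Python takes flow records (constructed here; timestamps, addresses and ports are made up, with one ordinary DNS query mixed in) and pulls out what the two slides above report about the flood: which packets match the quasi-random high-port, small-packet signature, how long it lasted, how many unique sources took part, how random the port pairs are, and the packets-per-minute series with its peak. The high-port and small-packet thresholds are assumptions.

```python
"""Characterise a UDP flood from flow records: duration, packets per minute, peak minute,
and the 'quasi-random high ports, small packets' signature.

Added example, not the author's tooling or data. The records below are constructed
(timestamp, protocol, source, source port, destination, destination port, bytes);
the DNS query in the middle shows the filter leaving normal traffic alone. The
thresholds (both ports at or above 1024, at most 64 bytes) are assumptions.
"""
from collections import Counter
from datetime import datetime

SAMPLE_FLOWS = [
    ("2001-01-24 21:13:05", "udp", "198.51.100.7", 40123, "192.0.2.10", 51001, 40),
    ("2001-01-24 21:13:07", "udp", "198.51.100.8", 41987, "192.0.2.10", 2044, 48),
    ("2001-01-24 21:13:30", "udp", "198.51.100.7", 53322, "192.0.2.10", 61445, 40),
    ("2001-01-24 21:14:01", "udp", "203.0.113.21", 1025, "192.0.2.10", 33999, 52),
    ("2001-01-24 21:14:02", "udp", "203.0.113.22", 60000, "192.0.2.10", 40001, 44),
    ("2001-01-24 21:14:03", "udp", "198.51.100.8", 45210, "192.0.2.10", 45210, 40),
    ("2001-01-24 21:14:40", "udp", "203.0.113.21", 38002, "192.0.2.10", 7788, 60),
    ("2001-01-24 21:15:12", "udp", "192.0.2.200", 1234, "192.0.2.10", 53, 80),  # ordinary DNS query
    ("2001-01-24 21:16:00", "udp", "198.51.100.9", 50500, "192.0.2.10", 50501, 40),
    ("2001-01-24 21:16:05", "udp", "198.51.100.9", 50502, "192.0.2.10", 50503, 40),
]

HIGH_PORT = 1024      # ports at or above this count as 'high' (assumption)
SMALL_PACKET = 64     # bytes; at or below this counts as 'small' (assumption)


def parse_flows(rows):
    """Turn the tuples into dicts with a real timestamp."""
    return [dict(ts=datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), proto=proto, src=src,
                 sport=sport, dst=dst, dport=dport, size=size)
            for ts, proto, src, sport, dst, dport, size in rows]


def looks_like_flood(flow):
    """The slide's signature: UDP, both ports high, small packet."""
    return (flow["proto"] == "udp" and flow["sport"] >= HIGH_PORT
            and flow["dport"] >= HIGH_PORT and flow["size"] <= SMALL_PACKET)


def packets_per_minute(flows):
    """Counter keyed by 'YYYY-MM-DD HH:MM', the series behind a packets-per-minute plot."""
    return Counter(f["ts"].strftime("%Y-%m-%d %H:%M") for f in flows)


def profile(flows):
    """Summary of the flood-like subset: count, duration, sources, port randomness, peak."""
    attack = [f for f in flows if looks_like_flood(f)]
    if not attack:
        return None
    times = [f["ts"] for f in attack]
    ppm = packets_per_minute(attack)
    peak_minute, peak_count = ppm.most_common(1)[0]
    port_pairs = {(f["sport"], f["dport"]) for f in attack}
    return {
        "packets": len(attack),
        "duration_seconds": int((max(times) - min(times)).total_seconds()),
        "unique_sources": len({f["src"] for f in attack}),
        "distinct_port_pairs": len(port_pairs) / len(attack),  # 1.0 = no (sport, dport) pair repeats
        "peak_minute": peak_minute,
        "peak_packets_per_minute": peak_count,
    }


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(profile(flows))
    for minute, count in sorted(packets_per_minute(flows).items()):
        print(minute, count)
```

A `distinct_port_pairs` value near 1.0 is what "quasi-random" looks like in numbers; it also tells you a port-based ACL will not help, and that the useful handles are the source list (for contacting the 23 organizations) and rate limiting of small UDP packets at the border.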

Two Days of DDoS
[Chart: Packets per minute during the attack. x-axis DATE:HOUR:MINUTE from 24:21:13 to about 25:22:29 (day 24 at 21:13 through day 25 at 22:29); y-axis 0 to 70 packets.]
Two Days of DDoS
[Chart: DDoS Sources. Packets per hour over hours 1 to 26 of the attack; y-axis 0 to 4000 packets.]

Site Defense and Attack Mitigation
• While you cannot prevent an attack, you can choose how to react to one.
• Layers of defense that use multiple tools.
• Layers of monitoring and alert mechanisms.
• Know how to respond before the attack begins.

Site Defense and Attack Mitigation
• Border router
– Protocol shaping and filtering.
– Anti-bogon and anti-spoofing defense (uRPF), ingress and egress filtering.
– NetFlow.
• IDS device(s)
– Attack and probe signatures.
– Alerts.

Site Defense and Attack Mitigation
• Border firewall
– Port filtering.
– Logging.
– Some IDS capability.
• End systems
– Tuned kernel.
– TCP wrappers, disable services, etc.
– Crunchy through and through!

Site Defense and Attack Mitigation
• Don’t panic!
• Collect data!
• The good news - you can survive!

References and shameless self advertisements
• RFC 2267, Network Ingress Filtering (since superseded by RFC 2827, BCP 38) – http://rfc.net/rfc2267.html
• Secure IOS Template – http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html
• Secure BGP Template – http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html
• UNIX IP Stack Tuning Guide – http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html

Any questions?

Thank you for your time!
• Thanks to Jan, Luuk, and Jacques for
inviting me to speak with you today.
• Thanks to Surfnet/CERT-NL for picking up
the travel.
• Thanks for all of the coffee!

