370 likes | 492 Views
60 Days of Basic Naughtiness. Probes and Attacks Endured by an Active Web Site 16 March 2001. 60 Days of Basic Naughtiness. Statistical analysis of log and IDS files. Statistical analysis of a two-day DDoS attack. Methods of mitigation. Questions. About the Site.
E N D
60 Days of Basic Naughtiness Probes and Attacks Endured by an Active Web Site 16 March 2001 Rob Thomas robt@cymru.com http://www.cymru.com/~robt
60 Days of Basic Naughtiness • Statistical analysis of log and IDS files. • Statistical analysis of a two-day DDoS attack. • Methods of mitigation. • Questions. Rob Thomas robt@cymru.com http://www.cymru.com/~robt
About the Site • Production site for several (> 4) years. • Largely static content. • No e-commerce. • Layers of defense – more on that later! Rob Thomas robt@cymru.com http://www.cymru.com/~robt
About the Data • Data from router logs. • Data from IDS logs. • Snapshot taken from 60 days of combined data. • Data processed by several home-brew tools (mostly Perl and awk). Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Definition of “Naughty” • Any traffic that is logged by a specific “deny” ACL. • Any traffic that presents a pattern detected by the IDS software. • The two log sources are not necessarily synchronized. Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Daily Probes and Attacks • TCP and UDP Probes and Attacks – ICMP not counted. • Average – 529.00 • Standard deviation – 644.10! • 60 Day Low – 83.00 • 60 Day High – 4355.00 Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Daily Probes and Attacks Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Weekly Probes and Attacks • There is no steady-state. • Attacks come in waves, generally on the heels of a new exploit and scan. • Certain types of scans (e.g. Netbios) tend to run 24x7x365. • Proactive monitoring, based on underground and public alerts, will result in significant data capture. Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Weekly Probes and AttacksTrend Analysis Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Hourly Probes and Attacks • Myth: “Most attacks occur at night.” • An attacker’s evening may be a victim’s day – the nature of a global network. • Truth: Don’t plan based on the clock. Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Hourly Probes and AttacksTrend Analysis Rob Thomas robt@cymru.com http://www.cymru.com/~robt
UDP Probes and AttacksTop Five Destination Ports • First – 137 NETBIOS • Second – 53 DNS • Third – 27960 • Fourth – 500 ISAKMP • Fifth – 33480 (likely UNIX traceroute) Rob Thomas robt@cymru.com http://www.cymru.com/~robt
UDP Probes and AttacksTrend Analysis Rob Thomas robt@cymru.com http://www.cymru.com/~robt
TCP Probes and AttacksTop Five Destination Ports • First – 3663 (DDoS Attack) • Second – 0 Reserved (DDoS Attack) • Third – 6667 IRC (DDoS Attack) • Fourth – 81 (DDoS Attack) • Fifth – 21 FTP-control Rob Thomas robt@cymru.com http://www.cymru.com/~robt
TCP Probes and AttacksTrend Analysis Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Source Address of Probes and Attacks Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Source Address of Probes and Attacks Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Source Address of Probes and Attacks • Bogon source attacks still common. • Of all source addresses, 53.39% were in the Class D and Class E space. • Percentage of bogons, all classes – 66.85%! • This is good news – prefix-list, ACL defense, and uRPF will block 66.85% of these nasties! Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Source Region of the NaughtyA dangerously misleading slide Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Intrusion (attempt) Detection • IDS is not foolproof! • Incorrect fingerprinting does occur. • You can not identify that which you can not see. Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Top Five IDS Detected Probes Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Top Five Detected IDS Probes Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Top Five IDS Detected Attacks Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Top Five IDS Detected Sources Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Top Five IDS Detected Sources Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Match a Source with a Scan Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Two Days of DDoS • Attack that resulted in 10295 hits on day one and 77466 hits on day two. • Attack lasted 25 hours, 25 minutes, and 44 seconds. • Quasi-random UDP high ports (source and destination), small packets. Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Two Days of DDoS • Perhaps as many as 2000 hosts used by the attackers. • 23 unique organizations. • 9 different nations located in the Americas, Europe, and Asia. • Source netblocks all legitimate. Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Two Days of DDoS Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Two Days of DDoS Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Site Defense and Attack Mitigation • While you can not prevent an attack, you can choose how to react to an attack. • Layers of defense that use multiple tools. • Layers of monitoring and alert mechanisms. • Know how to respond before the attack begins. Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Site Defense and Attack Mitigation • Border router • Protocol shaping and filtering. • Anti-bogon and anti-spoofing defense (uRPF), ingress and egress filtering. • NetFlow. • IDS device(s) • Attack and probe signatures. • Alerts. Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Site Defense and Attack Mitigation • Border firewall • Port filtering. • Logging. • Some IDS capability. • End systems • Tuned kernel. • TCP wrappers, disable services, etc. • Crunchy through and through! Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Site Defense and Attack Mitigation • Don’t panic! • Collect data! • The good news - you can survive! Rob Thomas robt@cymru.com http://www.cymru.com/~robt
References and shameless self advertisements • RFC 2267 - http://rfc.net/rfc2267.html • Secure IOS Template – http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html • Secure BGP Template – http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html • UNIX IP Stack Tuning Guide – http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Any questions? Rob Thomas robt@cymru.com http://www.cymru.com/~robt
Thank you for your time! • Thanks to Jan, Luuk, and Jacques for inviting me to speak with you today. • Thanks to Surfnet/CERT-NL for picking up the travel. • Thanks for all of the coffee! Rob Thomas robt@cymru.com http://www.cymru.com/~robt