“Hey, what does this button do?” - or - What NOT To Do During a DDoS Attack
Presentation to CERT-Polska, November 2001
Rob Thomas, robt@cymru.com

Thrill as Rob babbles about...
• Rules for DDoS survival.
• A look at a recent DoS attack.
• Know, know, or NO!
• Fun with providers.
• What you can do to help!
First Rule for DDoS Survival:
• Don’t panic!
• “Shut that box down NOW, mister!”
The first idea may be the WORST idea.

Other Rules for DDoS Survival:
• Prepare your toolkit before you are DoS’d.
• Verify, verify, verify.
• Don’t finish what the miscreants started!

Other Rules for DDoS Survival: Prepare your toolkit
• Sniffer - hardware and/or software.
• Don’t forget the cables!
• IADS - Intrusion Attempt Detection System.
• WHOIS, dig, NetFlow, MRTG, BGP tables, and your peers in FIRST.
No doctor performs surgery without tools.

Other Rules for DDoS Survival: Verify, verify, verify
• “Millions of runts on every port! The sniffer says so!”
• “The entire Internet is against us!”
• “They are attacking TCP port 25!”
Proper analysis is CRITICAL.

Other Rules for DDoS Survival: Don’t finish the job the miscreants started!
• The beauty and elegance of ACL logging.
• SYN Defender - the hammer of DoS!
• (Ab)using ndd against the miscreants.
The bad guys don’t need our help!
A look at a recent DoS attack: Details
• Spoofed legitimate source addresses.
• Small packets against an unused port.
• Upwards of 195Kpps!

A look at a recent DoS attack: Goodness
• NetFlow in place to track the source provider and IP addresses.
• Sniffer in place to grab packet samples.
• Active monitoring of the logs resulted in a quick discovery of the attack.

A look at a recent DoS attack: Badness
• Upstream provider not contacted or asked to track the true source of the attack.
• Alert mechanisms were not well rehearsed.
A process is useless if no one knows how to use it.
Know, Know, or NO: Know your topology
• Have visual maps readily available, albeit secured.
• Know the code levels and feature sets of your mission critical gateways.
• Have configurations available off-line.

Know, Know, or NO: Know your technology
• What are the actual limits? Test them, document them.
• Test new features in a lab first.
A misunderstood feature is a bug-in-waiting.

Know, Know, or NO: NO understanding
• TCP send and receive spaces.
• The joy of asymmetric data flows.
• TCP Intercept, meet FireWall-1.
Education and experience count; a decrease in training raises the cost of support.

Know, Know, or NO: The key
The key is not to understand the features in a vacuum, but to understand the interactions between the features of disparate technologies.
Fun with providers
• Trust everyone, but always cut the cards.
• Routing the bogons.
• “Why do we pay you again?”
Be prepared to assume full responsibility for the defense of your site.
What you can do to help!
• Prepare a toolkit and IRT process now.
• Be a polite netizen - implement ingress and egress filters.
• Anti-bogon.
• Anti-spoofing.
• Apply for FIRST membership!
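As an added example (not code from the talk), the ingress/egress, anti-bogon and anti-spoofing filtering described above expressed as filter-decision functions, plus a NetFlow-style triage that does the “verify, verify, verify” step before anyone touches a box. The bogon list, the site prefix 198.51.100.0/24 and the flow records are constructed assumptions, not values from the presentation.

```python
import ipaddress

# Constructed bogon list for illustration: reserved/unallocated space of the
# kind 2001-era bogon ACLs dropped. Real bogon lists change; keep them current.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3",
)]
# Hypothetical site prefix (assumed, not from the talk).
SITE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def ingress_verdict(src):
    """Border ingress filter: drop bogon sources and packets claiming to come
    from our own space, which can only have been spoofed from outside."""
    if in_any(src, BOGONS):
        return "drop-bogon"
    if in_any(src, SITE_PREFIXES):
        return "drop-spoofed-internal"
    return "permit"

def egress_verdict(src):
    """Egress filter: only our own prefixes may leave, so a compromised host
    here cannot source a spoofed flood against someone else."""
    return "permit" if in_any(src, SITE_PREFIXES) else "drop-not-ours"

def triage(flows, pps_threshold):
    """Verify before acting: roll NetFlow-style records
    (src, dst, dport, packets, seconds) into per-verdict counts and the
    destination ports whose summed packet rate reaches the threshold."""
    verdicts, pps_by_port = {}, {}
    for src, dst, dport, pkts, secs in flows:
        v = ingress_verdict(src)
        verdicts[v] = verdicts.get(v, 0) + 1
        pps_by_port[dport] = pps_by_port.get(dport, 0.0) + pkts / max(secs, 1)
    hot_ports = sorted(p for p, r in pps_by_port.items() if r >= pps_threshold)
    return verdicts, hot_ports

# Constructed sample: small-packet flood at an unused port from a mix of bogon,
# spoofed-internal and legitimate-looking sources, plus normal SMTP traffic.
SAMPLE_FLOWS = [
    ("10.1.2.3", "198.51.100.10", 31337, 120000, 1),
    ("198.51.100.77", "198.51.100.10", 31337, 80000, 1),
    ("203.0.113.9", "198.51.100.10", 31337, 95000, 1),
    ("203.0.113.9", "198.51.100.10", 25, 40, 10),
]
```

Running `triage(SAMPLE_FLOWS, 100000)` shows only one port under real load and that part of the flood would already be stopped by the bogon and anti-spoofing rules, which is the sort of fact to establish before shutting anything down.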
Blatant Self Promotion ;-)
• A new addition to your bookmarks file - http://www.first.org
• Articles that will help - http://www.cymru.com/~robt/Docs/Articles/
• Tools that will help - http://www.cymru.com/~robt/Tools/
Feedback is welcome and encouraged!

Any questions?

The number one rule for DDoS survival: Don’t panic!
Thank you for your time today!