Black Hat Briefings 2000: Strategies for Defeating Distributed Attacks
Simple Nomad, Hacker, Nomad Mobile Research Centre
Occam Theorist, RAZOR Security Team, BindView Corporation



About Myself
– http://www.nmrc.org/
– Currently Sr. Security Analyst for BindView’s RAZOR Team, http://razor.bindview.com/

About This Presentation
– Assume basics
  • Understand IP addressing
  • Understand basic system administration
– Tools
  • Where to find them
  • Basic usage

Terminology
– A “Network” point of view

Background
– Originally developed during 1999
– Concepts first discussed last October
– Many concepts can be found in DDOS software today

Attack Recognition Basics
– Pattern Recognition
  – Examples:
    • Byte sequence in RAM
    • Packet content in a network transmission
    • Half opens against a server within a certain time frame
  – Considered “real-time”

Attack Recognition Basics Cont.
– Effect Recognition
  – Examples:
    • Unscheduled server restart in logs
    • Unexplainable CPU utilization
    • System binaries altered
  – Considered “non” real-time

Attack Recognition Problems
– Blended “pattern” and “effect” attacks
– Sniffing attacks
– Decoys and false identification of attack source

Attack Recognition Problems Cont.
– Current solutions are usually “pattern” or “effect”; no real-time global solutions
– Existing large scale solutions can easily be defeated

Common Thwarting Techniques
– Rule-based systems can be tricked
– Log watchers can be deceived
– Time-based rules can be bypassed

What is Needed
– The “Overall Behavior Network/Host Monitoring Tool” (which doesn’t exist)

What Do We Do?
– “Trickle Down Security”
  – Solutions for distributed attacks will introduce good security overall
– Off-the-shelf is not enough
– Learn about attack types
– Defensive techniques

Changing Attack Patterns
– More large-scale attacks
– Better enumeration and assessment of the target by the attacker

Two Basic Distributed Attack Models
– Attacks that do not require direct observation of the results
– Attacks that require the attacker to directly observe the results

Basic Model (diagram)
– Client: issues commands
– Server: processes commands to agents
– Agent: carries out commands

More Advanced Model (diagram)
– Attacker → Target: forged ICMP Timestamp Requests
– Target: ICMP Timestamp Replies (sent to the forged source)
– Attacker: sniffed replies

Even More Advanced Model (diagram, built up over several slides)
– Elements: Target, Firewall, Upstream Host, Master Node, three Attack Nodes
– Flows labelled: Attacks or Probes (from the Attack Nodes toward the Target), Replies, Sniffed Replies

ICMP
– Sweeping a network with Echo
– Typical alternates to ping
  – Timestamp
  – Info Request

Fun with ICMP
– Advanced ICMP enumeration

Host Enumeration
# ./icmpenum -i 2 -c xxx.xx.218.0
xxx.xx.218.23 is up
xxx.xx.218.26 is up
xxx.xx.218.52 is up
xxx.xx.218.53 is up
xxx.xx.218.58 is up
xxx.xx.218.63 is up
xxx.xx.218.82 is up
xxx.xx.218.90 is up
xxx.xx.218.92 is up
xxx.xx.218.96 is up
xxx.xx.218.118 is up
xxx.xx.218.123 is up
xxx.xx.218.126 is up
xxx.xx.218.130 is up
xxx.xx.218.187 is up
xxx.xx.218.189 is up
xxx.xx.218.215 is up
xxx.xx.218.253 is up

Nmap
– Ping sweeps
– Port scanning
– TCP fingerprinting

Fun with Nmap
– Additional features

Additional Probes
– Possible security devices
– Sweep for promiscuous devices

Network Mapping
– Determine network layout
– Traceroute

Network Mapping (diagram, built up over several slides)
– Elements: Internet Routers, cw, swb, Firewall, DMZ, VPN, www, ftp
– Hosts Inside DMZ: Sun, Linux Firewall, NT
– Host annotations on the final slide:
  – Linux 2.0.38, xxx.xx.48.2
  – AIX 4.2.1, xxx.xx.48.1
  – Checkpoint Firewall-1, Solaris 2.7, xxx.xx.49.17
  – Checkpoint Firewall-1, Nortel Extranet, xxx.xx.22.7
  – Cisco 7206, 204.70.xxx.xxx
  – Nortel CVX1800, 151.164.x.xxx
  – IDS?

Defensive Techniques
– Good security policy
– Split DNS
  – All public systems in one DNS server located in DMZ
  – All internal systems using private addresses with separate DNS server internally
– Drop/reject packets with a TTL of 1 or 0

Defensive Techniques Cont.
– Minimal ports open
– Stateful inspection firewalls
– Modified kernels/IDS to look for fingerprint packets

Defensive Techniques Cont.
– Limit ICMP inbound to host/destination unreachable
– Limit outbound ICMP

DMZ Server Recommendations
– Split services between servers
– Current patches
– Use trusted paths, anti-buffer overflow settings and kernel patches
– Use any built-in firewalling software
– Make use of built-in state tables

Firewall Rules
– Limit inbound to only necessary services
– Limit outbound via proxies to help control access
– Block all outbound except necessary traffic

Intrusion Detection Systems
– Use only IDSs that can be customized
– IDS should be capable of fragmented packet reassembly
– IDS should handle high speeds

Spoofed Packet Defenses
– Get TTL of suspected spoofed packet
– Probe the source address in the packet
– Compare the probe reply’s TTL to the suspected spoofed packet

Questions, etc.
For followup:
– http://razor.bindview.com/
– [email protected]

References:
– David Dittrich’s web site, http://staff.washington.edu/dittrich/
– "Network Cat and Mouse", SANS Network Security '99, New Orleans; security presentation, http://www.sans.org
– "The Paranoid Network", SANS 2000, Orlando; security presentation, http://www.sans.org
– NMap, http://www.insecure.org/nmap/
– Icmpenum, http://razor.bindview.com/tools/
– Martin Roesch’s web site, http://www.clark.net/~roesch/security.html
– “Strategies for Defeating Distributed Attacks”, http://razor.bindview.com/publish/papers/strategies.html
– “Distributed Denial of Service Defense Tactics”, http://razor.bindview.com/publish/papers/DDSA_Defense.html

Late Breaking News
– HackerShield RapidFire Update 208
  – With SANS Top Ten checks, including comprehensive CGI scanner
  – http://www.bindview.com/products/hackershield/index.html
– VLAD the Scanner
  – Freeware open-source security scanner, including same CGI checks as HackerShield
  – Focuses only on SANS Top Ten
  – http://razor.bindview.com/tools/index.shtml
– Despoof
  – Detects possible spoofed packets through active queries against suspected spoofed IP address
  – http://razor.bindview.com/tools/index.shtml