black hat briefings 2000: strategies for defeating distributed attacks
DESCRIPTION
Black Hat Briefings 2000: Strategies for Defeating Distributed Attacks. Simple Nomad Hacker Nomad Mobile Research Centre Occam Theorist RAZOR Security Team, BindView Corporation. About Myself. http://www.nmrc.org/ - PowerPoint PPT PresentationTRANSCRIPT
Black Hat Briefings 2000:Strategies for Defeating Distributed AttacksSimple NomadHackerNomad Mobile Research Centre
Occam TheoristRAZOR Security Team, BindView Corporation
About Myself http://www.nmrc.org/ Currently Sr. Security Analyst for
BindView’s RAZOR Team, http://razor.bindview.com/
About This Presentation Assume basics
– Understand IP addressing– Understand basic system administration
Tools– Where to find them– Basic usage
Terminology A “Network” point of view
Background Originally developed during 1999 Concepts first discussed last October Many concepts can be found in DDOS
software today
Attack Recognition Basics Pattern Recognition
– Examples: • Byte sequence in RAM• Packet content in a network transmission• Half opens against a server within a certain time
frame– Considered “real-time”
Attack Recognition Basics Cont. Effect Recognition
– Examples• Unscheduled server restart in logs• Unexplainable CPU utilization• System binaries altered
– Considered “non” real-time
Attack Recognition Problems Blended “pattern” and “effect” attacks Sniffing attacks Decoys and false identification of attack
source
Attack Recognition Problems Cont. Current solutions are usually “pattern” or
“effect”, no real-time global solutions Existing large scale solutions can easily be
defeated
Common Thwarting Techniques Rule-based systems can be tricked Log watchers can be deceived Time-based rules can be bypassed
What Do We Do? “Trickle Down Security”
– Solutions for distributed attacks will introduce good security overall
Off-the-shelf is not enough Learn about attack types Defensive techniques
Changing Attack Patterns More large-scale attacks Better enumeration and assessment of the
target by the attacker
Two Basic Distributed Attack Models Attacks that do not require direct
observation of the results Attacks that require the attacker to directly
observe the results
More Advanced Model
TargetAttacker
Forged ICMPTimestamp Requests
ICMP TimestampReplies
SniffedReplies
Even More Advanced Model
Target
Attack Node
Attack Node
Attack Node
Firewall
UpstreamHost
Master Node
Even More Advanced Model
Target
Attack Node
Attack Node
Attack Node
Firewall
UpstreamHost
Attacksor
Probes
Master Node
Even More Advanced Model
Target
Attack Node
Attack Node
Attack Node
Firewall
UpstreamHost
Attacksor
Probes
Replies
Master Node
Even More Advanced Model
Target
Attack Node
SniffedReplies
Attack Node
Attack Node
Firewall
UpstreamHost
Attacksor
Probes
Replies
Master Node
Even More Advanced Model
Target
Attack Node
SniffedReplies
Attack Node
Attack Node
Firewall
UpstreamHost
Attacksor
Probes
Replies
Master Node
Host Enumeration# ./icmpenum -i 2 -c xxx.xx.218.0xxx.xx.218.23 is upxxx.xx.218.26 is upxxx.xx.218.52 is upxxx.xx.218.53 is upxxx.xx.218.58 is upxxx.xx.218.63 is upxxx.xx.218.82 is upxxx.xx.218.90 is upxxx.xx.218.92 is upxxx.xx.218.96 is upxxx.xx.218.118 is upxxx.xx.218.123 is upxxx.xx.218.126 is upxxx.xx.218.130 is upxxx.xx.218.187 is upxxx.xx.218.189 is upxxx.xx.218.215 is upxxx.xx.218.253 is up
Network Mapping
Sun
LinuxFirewall
NT
Hosts Inside DMZ
www
ftp
cw
swb
VPN
Internet Routers
Linux 2.0.38xxx.xx.48.2
AIX 4.2.1xxx.xx.48.1
Checkpoint Firewall-1Solaris 2.7xxx.xx.49.17
Checkpoint Firewall-1Nortel Extranetxxx.xx.22. 7
Cisco 7206204.70.xxx.xxx
Nortel CVX1800151.164.x.xxx
IDS?
Defensive Techniques Good security policy Split DNS
– All public systems in one DNS server located in DMZ
– All internal systems using private addresses with separate DNS server internally
Drop/reject packets with a TTL of 1 or 0
Defensive Techniques Cont. Minimal ports open Stateful inspection firewalls Modified kernels/IDS to look for fingerprint
packets
DMZ Server Recommendations Split services between servers Current patches Use trusted paths, anti-buffer overflow
settings and kernel patches Use any built-in firewalling software Make use of built-in state tables
Firewall Rules Limit inbound to only necessary services Limit outbound via proxies to help control
access Block all outbound to only necessary traffic
Intrusion Detection Systems Use only IDS’s that can be customized IDS should be capable of handling
fragmented packet reassembly IDS should handle high speeds
Spoofed Packet Defenses Get TTL of suspected spoofed packet Probe the source address in the packet Compare the probe reply’s TTL to the
suspected spoofed packet
Questions, etc. For followup:
– http://razor.bindview.com/– [email protected]
References:– David Dittrich’s web site http://staff.washington.edu/dittrich/ – "Network Cat and Mouse", SANS Network Security '99, New Orleans; security presentation,
http://www.sans.org – "The Paranoid Network", SANS 2000, Orlando; security presentation, http://www.sans.org – NMap, http://www.insecure.org/nmap/ – Icmpenum, http://razor.bindview.com/tools/ – Martin Roesch’s web site http://www.clark.net/~roesch/security.html – “Strategies for Defeating Distributed Attacks”,
http://razor.bindview.com/publish/papers/strategies.html – “Distributed Denial of Service Defense Tactics”,
http://razor.bindview.com/publish/papers/DDSA_Defense.html
Late Breaking News HackerShield RapidFire Update 208
– With SANS Top Ten checks, including comprehensive CGI scanner– http://www.bindview.com/products/hackershield/index.html
VLAD the Scanner– Freeware open-source security scanner, including same CGI checks as
HackerShield– Focuses only on SANS Top Ten– http://razor.bindview.com/tools/index.shtml
Despoof– Detects possible spoofed packets through active queries against suspected
spoofed IP address– http://razor.bindview.com/tools/index.shtml