Rob Thomas robt@cymru.com
http://www.cymru.com/~robt

1
60 Days of Basic Naughtiness
  • Probes and Attacks Endured by an Active Web Site
  • 16 March 2001

2
60 Days of Basic Naughtiness
  • Statistical analysis of log and IDS files.
  • Statistical analysis of a two-day DDoS attack.
  • Methods of mitigation.
  • Questions.

3
About the Site
  • Production site for several (> 4) years.
  • Largely static content.
  • No e-commerce.
  • Layers of defense (more on that later!).

4
About the Data
  • Data from router logs.
  • Data from IDS logs.
  • Snapshot taken from 60 days of combined data.
  • Data processed by several home-brew tools (mostly
    Perl and awk).

5
Definition of Naughty
  • Any traffic that is logged by a specific deny
    ACL.
  • Any traffic that presents a pattern detected by
    the IDS software.
  • The two log sources are not necessarily
    synchronized.

6
Daily Probes and Attacks
  • TCP and UDP probes and attacks; ICMP not
    counted.
  • Average: 529.00
  • Standard deviation: 644.10!
  • 60-day low: 83.00
  • 60-day high: 4355.00
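Slides 4 to 6 describe the processing step but do not show it: ACL-deny log lines are folded into per-day hit counts, ICMP is dropped, and the counts are summarized. The following is an added example, not the presenter's Perl/awk tooling, that does this for Cisco IOS `%SEC-6-IPACCESSLOGP` syslog lines. The log lines are constructed sample data; the timestamp layout, and the choice to count each logged entry as one hit rather than using its packet count, are assumptions.

```python
import re
import statistics
from collections import Counter

# Constructed Cisco IOS ACL-deny syslog lines (router local time). These are
# sample data for the example, not the presentation's logs. Each line is one
# logged entry for a "deny ... log" ACE; we count entries, not packets.
SAMPLE_LOG = """\
Mar  1 00:12:41 gw 101: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.5(1028) -> 192.0.2.10(137), 1 packet
Mar  1 03:40:02 gw 102: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(3331) -> 192.0.2.10(21), 1 packet
Mar  1 09:15:55 gw 103: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.9 -> 192.0.2.10 (8/0), 4 packets
Mar  1 14:01:13 gw 104: %SEC-6-IPACCESSLOGP: list 101 denied udp 224.0.1.2(53) -> 192.0.2.10(53), 1 packet
Mar  2 01:02:03 gw 105: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.5(1029) -> 192.0.2.10(137), 1 packet
Mar  2 22:45:00 gw 106: %SEC-6-IPACCESSLOGP: list 101 denied tcp 240.1.2.3(6000) -> 192.0.2.10(6667), 1 packet
Mar  3 11:11:11 gw 107: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(27960) -> 192.0.2.10(27960), 1 packet
Mar  3 12:00:00 gw 108: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(33480) -> 192.0.2.10(33480), 1 packet
Mar  3 12:00:01 gw 109: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.8(2000) -> 192.0.2.10(81), 3 packets
Mar  3 23:59:59 gw 110: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.6(1030) -> 192.0.2.10(137), 1 packet
"""

# Month, day and time, then protocol and endpoints. The port groups are
# optional so that ICMP lines (which carry type/code, not ports) still parse.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) .*?"
    r"denied (?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
)


def parse(log_text):
    """Turn raw syslog text into event dicts, skipping lines that are not ACL hits."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            # syslog has no year; a real 60-day run must add it before sorting
            "day": f"{m['mon']} {int(m['day']):02d}",
            "hour": int(m["time"][:2]),
            "proto": m["proto"].lower(),
            "src": m["src"],
            "dport": int(m["dport"]) if m["dport"] else None,
        })
    return events


def daily_counts(events, include_icmp=False):
    """Hits per day; ICMP is left out by default, as on slide 6."""
    counts = Counter(e["day"] for e in events
                     if include_icmp or e["proto"] != "icmp")
    return dict(sorted(counts.items()))


def daily_stats(counts):
    """Average, standard deviation (population), and the low and high day."""
    values = list(counts.values())
    return {
        "average": round(statistics.mean(values), 2),
        "stddev": round(statistics.pstdev(values), 2),
        "low": min(values),
        "high": max(values),
    }


def top_dest_ports(events, proto, n=5):
    """Most-hit destination ports for one protocol (the per-protocol top-five lists)."""
    ports = Counter(e["dport"] for e in events
                    if e["proto"] == proto and e["dport"] is not None)
    return ports.most_common(n)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    counts = daily_counts(ev)
    print("daily:", counts)
    print("stats:", daily_stats(counts))
    for proto in ("udp", "tcp"):
        print(proto, "top ports:", top_dest_ports(ev, proto))
```

The large standard deviation on slide 6 falls out of exactly this computation: a handful of scan-wave days at thousands of hits against a baseline near a hundred. Keep the ICMP lines in the parse even though they are dropped from the daily count, since the traceroute and ping-sweep patterns are useful for the IDS side of the picture.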

7
Daily Probes and Attacks
8
Weekly Probes and Attacks
  • There is no steady-state.
  • Attacks come in waves, generally on the heels of
    a new exploit and scan.
  • Certain types of scans (e.g. Netbios) tend to run
    24x7x365.
  • Proactive monitoring, based on underground and
    public alerts, will result in significant data
    capture.

9
Weekly Probes and Attacks: Trend Analysis
10
Hourly Probes and Attacks
  • Myth: Most attacks occur at night.
  • An attacker's evening may be a victim's day: the
    nature of a global network.
  • Truth: Don't plan based on the clock.

11
Hourly Probes and Attacks: Trend Analysis
12
UDP Probes and Attacks: Top Five Destination Ports
  • First: 137 (NETBIOS)
  • Second: 53 (DNS)
  • Third: 27960
  • Fourth: 500 (ISAKMP)
  • Fifth: 33480 (likely UNIX traceroute)

13
UDP Probes and Attacks: Trend Analysis
14
TCP Probes and Attacks: Top Five Destination Ports
  • First: 3663 (DDoS attack)
  • Second: 0, reserved (DDoS attack)
  • Third: 6667 IRC (DDoS attack)
  • Fourth: 81 (DDoS attack)
  • Fifth: 21 FTP-control

15
TCP Probes and Attacks: Trend Analysis
16
Source Address of Probes and Attacks
17
Source Address of Probes and Attacks
18
Source Address of Probes and Attacks
  • Bogon source attacks still common.
  • Of all source addresses, 53.39% were in the Class
    D and Class E space.
  • Percentage of bogons, all classes: 66.85%!
  • This is good news: prefix-lists, ACL defense, and
    uRPF will block 66.85% of these nasties!
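Slide 18's two percentages (Class D/E share, all-bogon share) and the defense it draws from them are one piece of logic: classify each source against a bogon table, and push the same table to the border as a deny list. The following is an added example, not the presenter's tooling or the Secure IOS Template; the bogon table is a hypothetical one covering only the space that never changes (reserved, private, loopback, Class D and E; a real list also needs the currently unallocated blocks and must be refreshed as they are assigned), and the source addresses are constructed sample data.

```python
import ipaddress
from collections import Counter

# Hypothetical bogon table for the example: only the part of bogon space that
# does not move with allocations. Unallocated /8s are deliberately omitted.
BOGONS = [
    ("this-network (0/8)", ipaddress.ip_network("0.0.0.0/8")),
    ("RFC 1918 private",   ipaddress.ip_network("10.0.0.0/8")),
    ("loopback",           ipaddress.ip_network("127.0.0.0/8")),
    ("link-local",         ipaddress.ip_network("169.254.0.0/16")),
    ("RFC 1918 private",   ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918 private",   ipaddress.ip_network("192.168.0.0/16")),
    ("Class D multicast",  ipaddress.ip_network("224.0.0.0/4")),
    ("Class E reserved",   ipaddress.ip_network("240.0.0.0/4")),
]

# Constructed source addresses standing in for the attack-log sources.
SAMPLE_SOURCES = [
    "224.0.1.2", "239.255.1.1",        # Class D
    "240.1.2.3", "255.255.255.255",    # Class E
    "10.9.8.7", "0.1.2.3",             # other bogons
    "198.51.100.7", "203.0.113.9",     # routable (documentation ranges)
]


def classify(src):
    """Label of the bogon block containing src, or None for routable space."""
    addr = ipaddress.ip_address(src)
    for label, net in BOGONS:
        if addr in net:
            return label
    return None


def bogon_report(sources):
    """The two numbers slide 18 states: Class D/E share and all-bogon share."""
    labels = Counter(classify(s) for s in sources)
    total = len(sources)
    class_d_e = labels["Class D multicast"] + labels["Class E reserved"]
    bogon = total - labels[None]
    return {
        "total": total,
        "class_d_e_pct": round(100 * class_d_e / total, 2),
        "bogon_pct": round(100 * bogon / total, 2),
        "by_label": {k: v for k, v in labels.items() if k is not None},
    }


def bogon_acl(number=100):
    """Cisco IOS extended ACL that drops and logs the same space at the
    border. IOS ACLs take wildcard (inverted) masks, hence net.hostmask."""
    lines = []
    for label, net in BOGONS:
        lines.append(f"access-list {number} remark {label}")
        lines.append(f"access-list {number} deny ip "
                     f"{net.network_address} {net.hostmask} any log")
    lines.append(f"access-list {number} permit ip any any")
    return lines


if __name__ == "__main__":
    print(bogon_report(SAMPLE_SOURCES))
    print("\n".join(bogon_acl()))
```

The generated ACL is the "prefix-list, ACL defense" half of the slide; the uRPF half is the IOS interface command `ip verify unicast reverse-path`, which drops any packet whose source has no route back out the receiving interface and therefore catches the same Class D/E and unrouted sources without enumerating them. Both only help against spoofed or unrouted sources: the flood on slide 28, whose source netblocks were all legitimate, passes both checks untouched.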

19
Source Region of the Naughty: A dangerously
misleading slide
20
Intrusion (attempt) Detection
  • IDS is not foolproof!
  • Incorrect fingerprinting does occur.
  • You cannot identify that which you cannot see.

21
Top Five IDS Detected Probes
22
Top Five Detected IDS Probes
23
Top Five IDS Detected Attacks
24
Top Five IDS Detected Sources
25
Top Five IDS Detected Sources
26
Match a Source with a Scan
27
Two Days of DDoS
  • Attack that resulted in 10295 hits on day one and
    77466 hits on day two.
  • Attack lasted 25 hours, 25 minutes, and 44
    seconds.
  • Quasi-random UDP high ports (source and
    destination), small packets.

28
Two Days of DDoS
  • Perhaps as many as 2000 hosts used by the
    attackers.
  • 23 unique organizations.
  • 9 different nations located in the Americas,
    Europe, and Asia.
  • Source netblocks all legitimate.
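Slides 27 and 28 characterize the flood by a few numbers: hits per calendar day, wall-clock duration, number of sources, and the shape of the traffic (quasi-random high ports on both ends, small packets). The following is an added example, not the presenter's analysis code, that derives those numbers from per-packet records and applies a flood heuristic. The packet records are constructed sample data whose time span is chosen to equal the 25h 25m 44s of slide 27; the heuristic thresholds are assumptions, and the per-/24 grouping is a stand-in for the per-organization count, which in practice needs whois or BGP data per netblock.

```python
import ipaddress
import statistics
from collections import Counter
from datetime import datetime

# Constructed packet records (time, src, sport, dport, UDP payload bytes),
# invented for the example. Shape follows slide 27: high ports on both ends,
# small packets, many sources; the span equals the real attack's duration.
SAMPLE_PACKETS = [
    ("2001-02-10 22:30:16", "198.51.100.11", 41233, 52871, 28),
    ("2001-02-10 22:30:16", "198.51.100.12", 60122, 31090, 28),
    ("2001-02-10 23:59:59", "203.0.113.40",  50555, 49001, 32),
    ("2001-02-11 00:00:01", "203.0.113.41",  33001, 60999, 28),
    ("2001-02-11 00:00:01", "198.51.100.11", 41234, 12345, 28),
    ("2001-02-11 12:00:00", "192.0.2.77",    45000,    53, 28),  # low dport
    ("2001-02-11 23:56:00", "203.0.113.40",  50556, 49002, 30),
    ("2001-02-11 23:56:00", "198.51.100.12", 60123, 31091, 28),
]


def summarize(packets):
    """Per-attack figures: hits per calendar day, duration, distinct sources,
    and how random and how small the traffic is."""
    times = sorted(datetime.strptime(p[0], "%Y-%m-%d %H:%M:%S") for p in packets)
    hours, rem = divmod(int((times[-1] - times[0]).total_seconds()), 3600)
    minutes, seconds = divmod(rem, 60)
    high_both = sum(1 for p in packets if p[2] > 1023 and p[3] > 1023)
    per_day = Counter(t.strftime("%Y-%m-%d") for t in times)
    return {
        "hits_per_day": dict(sorted(per_day.items())),
        "duration": f"{hours}h {minutes}m {seconds}s",
        "unique_sources": len({p[1] for p in packets}),
        # share of packets with both ports above the well-known range
        "high_port_fraction": round(high_both / len(packets), 3),
        # distinct destination ports per packet: near 1.0 means no repeats
        "dport_spread": round(len({p[3] for p in packets}) / len(packets), 3),
        "median_bytes": statistics.median(p[4] for p in packets),
    }


def looks_like_udp_flood(summary, min_high=0.8, min_spread=0.5, max_bytes=64):
    """Heuristic (thresholds are assumptions): mostly high-port traffic,
    destination ports that barely repeat, and small packets."""
    return (summary["high_port_fraction"] >= min_high
            and summary["dport_spread"] >= min_spread
            and summary["median_bytes"] <= max_bytes)


def sources_by_prefix(packets, prefixlen=24):
    """Packets per source /24, a cheap stand-in for the per-organization
    breakdown; real attribution maps each netblock via whois or BGP."""
    nets = Counter(str(ipaddress.ip_network(f"{p[1]}/{prefixlen}", strict=False))
                   for p in packets)
    return dict(nets)


if __name__ == "__main__":
    s = summarize(SAMPLE_PACKETS)
    print(s)
    print("udp flood:", looks_like_udp_flood(s))
    print(sources_by_prefix(SAMPLE_PACKETS))
```

Note how a 25-hour attack shows up as two very different daily totals purely because the count is per calendar day: the day split on slide 27 says where the midnight boundary fell, not that the attack changed intensity. The randomized destination ports are also why port filtering alone buys little here; the useful border response is rate-limiting UDP toward the site and capturing flow data for the source list.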

29
Two Days of DDoS
30
Two Days of DDoS
31
Site Defense and Attack Mitigation
  • While you cannot prevent an attack, you can
    choose how to react to an attack.
  • Layers of defense that use multiple tools.
  • Layers of monitoring and alert mechanisms.
  • Know how to respond before the attack begins.

32
Site Defense and Attack Mitigation
  • Border router
      • Protocol shaping and filtering.
      • Anti-bogon and anti-spoofing defense (uRPF),
        ingress and egress filtering.
      • NetFlow.
  • IDS device(s)
      • Attack and probe signatures.
      • Alerts.

33
Site Defense and Attack Mitigation
  • Border firewall
      • Port filtering.
      • Logging.
      • Some IDS capability.
  • End systems
      • Tuned kernel.
      • TCP wrappers, disable services, etc.
      • Crunchy through and through!

34
Site Defense and Attack Mitigation
  • Don't panic!
  • Collect data!
  • The good news - you can survive!

35
References and shameless self-advertisements
  • RFC 2267 - http://rfc.net/rfc2267.html
  • Secure IOS Template: http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html
  • Secure BGP Template: http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html
  • UNIX IP Stack Tuning Guide: http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html

36
Any questions?
37
Thank you for your time!
  • Thanks to Jan, Luuk, and Jacques for inviting me
    to speak with you today.
  • Thanks to Surfnet/CERT-NL for picking up the
    travel.
  • Thanks for all of the coffee!