black hat europe 2000: strategies for defeating distributed attacks simple nomad hacker nomad mobile...
Post on 23-Dec-2015
218 Views
Preview:
TRANSCRIPT
Black Hat Europe 2000:Strategies for Defeating Distributed Attacks
Simple Nomad
Hacker
Nomad Mobile Research Centre
Occam Theorist
RAZOR Security Team, BindView Corporation
About Myself
http://www.nmrc.org/ Currently Sr. Security Analyst for
BindView’s RAZOR Team, http://razor.bindview.com/
About This Presentation
Assume basics– Understand IP addressing– Understand basic system administration
Tools– Where to find them– Basic usage
Terminology A “Network” point of view
Background
Originally developed during early 1999 Concepts first discussed October 1999 Many concepts can be found in DDOS
software today
Attack Recognition Basics
Pattern Recognition– Examples:
• Byte sequence in RAM
• Packet content in a network transmission
• Half opens against a server within a certain time frame
– Considered “real-time”
Attack Recognition Basics Cont.
Effect Recognition– Examples
• Unscheduled server restart in logs
• Unexplainable CPU utilization
• System binaries altered
– Considered “non” real-time
Attack Recognition Problems
Blended “pattern” and “effect” attacks Sniffing attacks Decoys and false identification of attack
source
Attack Recognition Problems Cont. Current solutions are usually “pattern” or
“effect”, no real-time global solutions Existing large scale solutions can easily be
defeated
Common Thwarting Techniques
Rule-based systems can be tricked Log watchers can be deceived Time-based rules can be bypassed
What Do We Do?
“Trickle Down Security”– Solutions for distributed attacks will introduce
good security overall
Off-the-shelf is not enough Learn about attack types Defensive techniques
Changing Attack Patterns
More large-scale attacks Better enumeration and assessment of the
target by the attacker
Two Basic Distributed Attack Models Attacks that do not require direct
observation of the results Attacks that require the attacker to directly
observe the results
More Advanced Model
TargetAttacker
Forged ICMPTimestamp Requests
ICMP TimestampReplies
SniffedReplies
Even More Advanced Model
Target
Attack Node
SniffedReplies
Attack Node
Attack Node
Firewall
UpstreamHost
Attacksor
Probes
Replies
Fun with ICMP
Advanced ICMP enumeration– ICMP fingerprinting– Invalid header info to enumerate hosts
Host Enumeration# ./icmpenum -i 2 -c xxx.xx.218.0
xxx.xx.218.23 is up
xxx.xx.218.26 is up
xxx.xx.218.52 is up
xxx.xx.218.53 is up
xxx.xx.218.58 is up
xxx.xx.218.63 is up
xxx.xx.218.82 is up
xxx.xx.218.90 is up
xxx.xx.218.92 is up
xxx.xx.218.96 is up
xxx.xx.218.118 is up
xxx.xx.218.123 is up
xxx.xx.218.126 is up
xxx.xx.218.130 is up
xxx.xx.218.187 is up
xxx.xx.218.189 is up
xxx.xx.218.215 is up
xxx.xx.218.253 is up
Addition Probes
Possible security devices– Using “bait” to fish out security mechanisms
Sweep for promiscuous devices– False hosts and DNS lookups
Network Mapping
Sun
LinuxFirewall
NT
Hosts Inside DMZ
www
ftp
cw
swb
VPN
Internet Routers
Linux 2.0.38xxx.xx.48.2
AIX 4.2.1xxx.xx.48.1
Checkpoint Firewall-1Solaris 2.7xxx.xx.49.17
Checkpoint Firewall-1Nortel Extranetxxx.xx.22. 7
Cisco 7206204.70.xxx.xxx
Nortel CVX1800151.164.x.xxx
IDS?
Defensive Techniques
Good security policy Split DNS
– All public systems in one DNS server located in DMZ
– All internal systems using private addresses with separate DNS server internally
Drop/reject packets with a TTL of 1 or 0
Defensive Techniques Cont.
Minimal ports open Stateful inspection firewalls Modified kernels/IDS to look for fingerprint
packets
DMZ Server Recommendations
Split services between servers Current patches Use trusted paths, anti-buffer overflow
settings and kernel patches Use any built-in firewalling software Make use of built-in state tables
Firewall Rules
Limit inbound to only necessary services Limit outbound via proxies to help control
access Block all outbound to only necessary traffic
Intrusion Detection Systems
Use only IDS’s that can be customized IDS should be capable of handling
fragmented packet reassembly IDS should handle high speeds
Spoofed Packet Defenses
Get TTL of suspected spoofed packet Probe the source address in the packet Compare the probe reply’s TTL to the
suspected spoofed packet
Questions, etc.
For followup:– http://razor.bindview.com/– thegnome@razor.bindview.com
References:– David Dittrich’s web site http://staff.washington.edu/dittrich/ – "Network Cat and Mouse", SANS Network Security '99, New Orleans; security presentation,
http://www.sans.org – "The Paranoid Network", SANS 2000, Orlando; security presentation, http://www.sans.org – NMap, http://www.insecure.org/nmap/ – Icmpenum, http://razor.bindview.com/tools/ – Martin Roesch’s web site http://www.clark.net/~roesch/security.html – “Strategies for Defeating Distributed Attacks”,
http://razor.bindview.com/publish/papers/strategies.html – “Distributed Denial of Service Defense Tactics”,
http://razor.bindview.com/publish/papers/DDSA_Defense.html – Ofin Arkin, “ICMP Usage in Scanning”,
http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.01.pdf
top related