
Black Hat Europe 2000: Strategies for Defeating Distributed Attacks

Simple Nomad
Hacker, Nomad Mobile Research Centre
Occam Theorist, RAZOR Security Team, BindView Corporation

About Myself

http://www.nmrc.org/
Currently Sr. Security Analyst for BindView’s RAZOR Team, http://razor.bindview.com/

About This Presentation

Assume basics
– Understand IP addressing
– Understand basic system administration
Tools
– Where to find them
– Basic usage
Terminology
A “Network” point of view

Background

Originally developed during early 1999
Concepts first discussed October 1999
Many concepts can be found in DDOS software today

Attack Recognition Basics

Pattern Recognition
– Examples:
  • Byte sequence in RAM
  • Packet content in a network transmission
  • Half opens against a server within a certain time frame
– Considered “real-time”
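The third pattern above, half-open connections against one server inside a time frame, is the kind of real-time rule an IDS implements by counting. As an added illustration (not code from the talk), the Python below runs that count over constructed connection-tracking events: each SYN from a client is held as pending until the client's handshake-completing ACK retires it, and a source whose pending SYNs reach a threshold inside a sliding window is flagged. The event format, the addresses, the window length and the threshold are all assumptions.

```python
from collections import defaultdict, deque

# Constructed connection-tracking events (not real traffic, not from the talk):
# (seconds, client, server, flag) where "S" = SYN seen from the client and
# "A" = the client's final ACK, i.e. the handshake completed.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "192.0.2.10", "S"),
    (0.1, "10.0.0.5", "192.0.2.10", "A"),       # normal client: completes
    (1.0, "198.51.100.7", "192.0.2.10", "S"),   # burst of SYNs, never completed
    (1.2, "198.51.100.7", "192.0.2.10", "S"),
    (1.4, "198.51.100.7", "192.0.2.10", "S"),
    (1.6, "198.51.100.7", "192.0.2.10", "S"),
    (1.8, "198.51.100.7", "192.0.2.10", "S"),
    (2.0, "10.0.0.5", "192.0.2.10", "S"),
    (2.1, "10.0.0.5", "192.0.2.10", "A"),
    (30.0, "203.0.113.9", "192.0.2.10", "S"),   # slow prober: one SYN per 15 s
    (45.0, "203.0.113.9", "192.0.2.10", "S"),
    (60.0, "203.0.113.9", "192.0.2.10", "S"),
    (75.0, "203.0.113.9", "192.0.2.10", "S"),
    (90.0, "203.0.113.9", "192.0.2.10", "S"),
]


def detect_half_open_floods(events, window=10.0, threshold=5):
    """Count unanswered SYNs per (client, server) pair inside a sliding window.

    Returns {(client, server): peak_pending} for every pair whose number of
    outstanding half-open connections reached `threshold` within `window`
    seconds. Window length and threshold are assumptions to be tuned per site.
    """
    pending = defaultdict(deque)   # (client, server) -> timestamps of unanswered SYNs
    alerts = {}
    for ts, client, server, flag in sorted(events):
        key = (client, server)
        queue = pending[key]
        # Forget SYNs that fell out of the window; they no longer count.
        while queue and ts - queue[0] > window:
            queue.popleft()
        if flag == "S":
            queue.append(ts)
        elif flag == "A" and queue:
            queue.popleft()        # a completed handshake retires the oldest SYN
        if len(queue) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(queue))
    return alerts


if __name__ == "__main__":
    for (client, server), peak in detect_half_open_floods(SAMPLE_EVENTS).items():
        print(f"{client} -> {server}: {peak} half-open connections inside the window")
```

With the defaults only 198.51.100.7 is reported. The slow source 203.0.113.9 spaces its SYNs wider than the window and never accumulates enough pending entries, which is the weakness the talk later calls out under "Time-based rules can be bypassed": widening the window catches it, at the cost of more false positives from ordinary clients.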

Attack Recognition Basics Cont.

Effect Recognition
– Examples
  • Unscheduled server restart in logs
  • Unexplainable CPU utilization
  • System binaries altered
– Considered “non” real-time

Attack Recognition Problems

Blended “pattern” and “effect” attacks
Sniffing attacks
Decoys and false identification of attack source

Attack Recognition Problems Cont.

Current solutions are usually “pattern” or “effect”, no real-time global solutions
Existing large scale solutions can easily be defeated

Common Thwarting Techniques

Rule-based systems can be tricked
Log watchers can be deceived
Time-based rules can be bypassed

What is Needed

The “Overall Behavior Network/Host Monitoring Tool” (which doesn’t exist)

What Do We Do?

“Trickle Down Security”
– Solutions for distributed attacks will introduce good security overall
Off-the-shelf is not enough
Learn about attack types
Defensive techniques

Changing Attack Patterns

More large-scale attacks
Better enumeration and assessment of the target by the attacker

Two Basic Distributed Attack Models

Attacks that do not require direct observation of the results
Attacks that require the attacker to directly observe the results

Basic Model

[Diagram: Client → Server → Agent. The client issues commands, the server processes the commands to the agents, and the agents carry out the commands.]

More Advanced Model

[Diagram: the Attacker sends forged ICMP Timestamp Requests to the Target; the Target's ICMP Timestamp Replies go to the forged source and reach the Attacker only as sniffed replies.]

Even More Advanced Model

[Diagram: several Attack Nodes send attacks or probes at the Target, which sits behind a Firewall; the replies travel back through an Upstream Host, where they are collected as sniffed replies.]

ICMP

Sweeping a network with Echo
Typical alternates to ping
– Timestamp
– Info Request

Fun with ICMP

Advanced ICMP enumeration
– ICMP fingerprinting
– Invalid header info to enumerate hosts

Host Enumeration

# ./icmpenum -i 2 -c xxx.xx.218.0
xxx.xx.218.23 is up
xxx.xx.218.26 is up
xxx.xx.218.52 is up
xxx.xx.218.53 is up
xxx.xx.218.58 is up
xxx.xx.218.63 is up
xxx.xx.218.82 is up
xxx.xx.218.90 is up
xxx.xx.218.92 is up
xxx.xx.218.96 is up
xxx.xx.218.118 is up
xxx.xx.218.123 is up
xxx.xx.218.126 is up
xxx.xx.218.130 is up
xxx.xx.218.187 is up
xxx.xx.218.189 is up
xxx.xx.218.215 is up
xxx.xx.218.253 is up
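The enumeration output above is the prober's view. On the wire the same pass looks like one source sending a request type to many destinations in a short time, whichever of Echo, Timestamp or Info Request it chose, so a detector that only watches Echo misses the alternates the ICMP slide lists. As an added example (not part of the talk or of the icmpenum tool), the Python below flags such sweeps over constructed packet records; the record format, the addresses, the window and the host threshold are assumptions.

```python
from collections import defaultdict

# ICMP request types an enumeration sweep can use; the talk names Echo and the
# usual alternates, Timestamp and Info Request. Replies and error messages are
# ignored because they are not what a prober sends.
ICMP_REQUEST_TYPES = {8: "echo request", 13: "timestamp request", 15: "information request"}

# Constructed packet records (not real traffic): (seconds, src, dst, icmp_type)
SAMPLE_PACKETS = [
    (0.0, "198.51.100.7", "192.0.2.23", 13),    # timestamp sweep across a /24
    (0.0, "198.51.100.7", "192.0.2.26", 13),
    (0.1, "198.51.100.7", "192.0.2.52", 13),
    (0.1, "198.51.100.7", "192.0.2.53", 13),
    (0.2, "198.51.100.7", "192.0.2.58", 13),
    (0.2, "198.51.100.7", "192.0.2.63", 13),
    (5.0, "10.0.0.5", "192.0.2.10", 8),         # repeated pings to ONE host
    (5.1, "192.0.2.10", "10.0.0.5", 0),         # echo reply: not a request
    (6.0, "10.0.0.5", "192.0.2.10", 8),
    (7.0, "10.0.0.5", "192.0.2.10", 8),
    (20.0, "203.0.113.9", "192.0.2.100", 15),   # two info requests, two hosts
    (20.0, "203.0.113.9", "192.0.2.101", 15),
]


def detect_icmp_sweeps(packets, window=2.0, min_hosts=5):
    """Flag (src, icmp_type) pairs that reach at least `min_hosts` distinct
    destinations within any `window`-second span.

    Returns {(src, icmp_type): peak_distinct_hosts}. The window and threshold
    are assumptions; a single busy monitoring host can legitimately exceed them.
    """
    recent = defaultdict(list)   # (src, type) -> [(seconds, dst)] inside the window
    alerts = {}
    for ts, src, dst, itype in sorted(packets):
        if itype not in ICMP_REQUEST_TYPES:
            continue
        key = (src, itype)
        # Keep only the records still inside the window, then add this one.
        history = [(t, d) for t, d in recent[key] if ts - t <= window]
        history.append((ts, dst))
        recent[key] = history
        distinct_hosts = len({d for _, d in history})
        if distinct_hosts >= min_hosts:
            alerts[key] = max(alerts.get(key, 0), distinct_hosts)
    return alerts


def describe(alerts):
    """Render alerts as one line each, e.g. for a log watcher."""
    return [
        f"{src} swept {hosts} hosts with ICMP {ICMP_REQUEST_TYPES[itype]} (type {itype})"
        for (src, itype), hosts in sorted(alerts.items())
    ]


if __name__ == "__main__":
    for line in describe(detect_icmp_sweeps(SAMPLE_PACKETS)):
        print(line)
```

Counting distinct destinations rather than packets is what separates a sweep from a host that pings one server repeatedly; the three Echo requests from 10.0.0.5 never trip the rule however low the threshold is set. The slide's point that alternates to ping exist is handled by keying on every request type, not on Echo alone.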

Nmap

Ping sweeps
Port scanning
TCP fingerprinting

Fun with Nmap

Additional features
– “Same segment” sniffing

Additional Probes

Possible security devices
– Using “bait” to fish out security mechanisms
Sweep for promiscuous devices
– False hosts and DNS lookups

Network Mapping

[Network map diagram: Internet Routers (Cisco 7206, 204.70.xxx.xxx; Nortel CVX1800, 151.164.x.xxx); Linux 2.0.38, xxx.xx.48.2; AIX 4.2.1, xxx.xx.48.1; Checkpoint Firewall-1 on Solaris 2.7, xxx.xx.49.17; Checkpoint Firewall-1 on Nortel Extranet, xxx.xx.22.7; a Linux firewall; Sun and NT hosts; a VPN; hosts inside the DMZ (www, ftp, cw, swb); and one device marked "IDS?".]

Defensive Techniques

Good security policy
Split DNS
– All public systems in one DNS server located in DMZ
– All internal systems using private addresses with separate DNS server internally
Drop/reject packets with a TTL of 1 or 0

Defensive Techniques Cont.

Minimal ports open
Stateful inspection firewalls
Modified kernels/IDS to look for fingerprint packets

Defensive Techniques Cont.

Limit ICMP inbound to host/destination unreachable

Limit outbound ICMP

DMZ Server Recommendations

Split services between servers
Current patches
Use trusted paths, anti-buffer overflow settings and kernel patches
Use any built-in firewalling software
Make use of built-in state tables

Firewall Rules

Limit inbound to only necessary services
Limit outbound via proxies to help control access
Block all outbound except the necessary traffic

Intrusion Detection Systems

Use only IDS’s that can be customized
IDS should be capable of handling fragmented packet reassembly
IDS should handle high speeds

Spoofed Packet Defenses

Get TTL of suspected spoofed packet
Probe the source address in the packet
Compare the probe reply’s TTL to the suspected spoofed packet
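The three steps above only work if the comparison is done on hop distance, not on the raw TTL values: the suspect packet and the probe reply may come from machines with different starting TTLs (commonly 64, 128 or 255), so a raw difference means nothing. As an added example (not code from the talk), the Python below infers the likely starting TTL of each packet, turns both into hop counts and reports a mismatch beyond a small tolerance. The default-TTL table, the tolerance and the sample TTL pairs are assumptions.

```python
# Common default starting TTLs; every router on the path decrements the value
# by one. Assumption: senders keep their OS default, which is not guaranteed.
DEFAULT_INITIAL_TTLS = (64, 128, 255)


def infer_initial_ttl(observed_ttl):
    """Smallest common default the observed TTL could have started from."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 0..255")
    for initial in DEFAULT_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return DEFAULT_INITIAL_TTLS[-1]


def hop_count(observed_ttl):
    """Estimated number of routers between the sender and the observer."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def compare_ttls(suspect_ttl, probe_reply_ttl, tolerance=2):
    """The slide's procedure: hop distance implied by the suspect packet versus
    hop distance of the probe reply from the claimed source address.

    Returns (suspect_hops, probe_hops, looks_spoofed). The tolerance absorbs
    asymmetric routing, where the two directions differ by a hop or two.
    """
    suspect_hops = hop_count(suspect_ttl)
    probe_hops = hop_count(probe_reply_ttl)
    return suspect_hops, probe_hops, abs(suspect_hops - probe_hops) > tolerance


# Constructed cases (not from the page): (suspect packet TTL, probe reply TTL)
SAMPLE_CASES = {
    "consistent": (243, 52),    # 255-243 = 12 hops, 64-52 = 12 hops: plausible source
    "inconsistent": (118, 49),  # 128-118 = 10 hops, 64-49 = 15 hops: likely spoofed
}


def classify_samples(cases=SAMPLE_CASES, tolerance=2):
    """Map each case name to True when the suspect packet looks spoofed."""
    return {name: compare_ttls(s, p, tolerance)[2] for name, (s, p) in cases.items()}


if __name__ == "__main__":
    for name, (suspect, probe) in SAMPLE_CASES.items():
        print(name, compare_ttls(suspect, probe))
```

The check is a heuristic, not proof: it cannot tell a spoofer apart from the claimed source when both sit at the same hop distance, it is blind when the starting TTL has been changed from the default, and, as the deck's sniffing models show, an attacker positioned to see the probe can answer it in place of the real host. Its value is in cheaply discarding the large share of spoofed traffic that gets the distance wrong.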

Questions, etc.

For followup:
– http://razor.bindview.com/
– [email protected]

References:
– David Dittrich’s web site, http://staff.washington.edu/dittrich/
– "Network Cat and Mouse", SANS Network Security '99, New Orleans; security presentation, http://www.sans.org
– "The Paranoid Network", SANS 2000, Orlando; security presentation, http://www.sans.org
– NMap, http://www.insecure.org/nmap/
– Icmpenum, http://razor.bindview.com/tools/
– Martin Roesch’s web site, http://www.clark.net/~roesch/security.html
– “Strategies for Defeating Distributed Attacks”, http://razor.bindview.com/publish/papers/strategies.html
– “Distributed Denial of Service Defense Tactics”, http://razor.bindview.com/publish/papers/DDSA_Defense.html
– Ofir Arkin, “ICMP Usage in Scanning”, http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.01.pdf