Page 1

Rob Thomas robt@cymru.com http://www.cymru.com/~robt

60 Days of Basic Naughtiness

Probes and Attacks Endured by an Active Web Site

16 March 2001

Page 2

60 Days of Basic Naughtiness

• Statistical analysis of log and IDS files.

• Statistical analysis of a two-day DDoS attack.

• Methods of mitigation.

• Questions.

Page 3

About the Site

• Production site for several (> 4) years.

• Largely static content.

• No e-commerce.

• Layers of defense – more on that later!

Page 4

About the Data

• Data from router logs.

• Data from IDS logs.

• Snapshot taken from 60 days of combined data.

• Data processed by several home-brew tools (mostly Perl and awk).

Page 5

Definition of “Naughty”

• Any traffic that is logged by a specific “deny” ACL.

• Any traffic that presents a pattern detected by the IDS software.

• The two log sources are not necessarily synchronized.

Page 6

Daily Probes and Attacks

• TCP and UDP Probes and Attacks – ICMP not counted.

• Average – 529.00

• Standard deviation – 644.10!

• 60 Day Low – 83.00

• 60 Day High – 4355.00

Page 7

Daily Probes and Attacks

[Chart: hits per day, one series each for TCP and UDP, 11/17/00 through 1/11/01.]

Page 8

Weekly Probes and Attacks

• There is no steady-state.

• Attacks come in waves, generally on the heels of a new exploit and scan.

• Certain types of scans (e.g. Netbios) tend to run 24x7x365.

• Proactive monitoring, based on underground and public alerts, will result in significant data capture.

Page 9

Weekly Probes and Attacks – Trend Analysis

[Chart: hits per week, 11/12–11/18 through 01/14–01/20.]

Page 10

Hourly Probes and Attacks

• Myth: “Most attacks occur at night.”

• An attacker’s evening may be a victim’s day – the nature of a global network.

• Truth: Don’t plan based on the clock.

Page 11

Hourly Probes and Attacks – Trend Analysis

[Chart: hits by hour of the 24-hour clock, hours 1 through 24.]

Page 12

UDP Probes and Attacks – Top Five Destination Ports

• First – 137 NETBIOS

• Second – 53 DNS

• Third – 27960

• Fourth – 500 ISAKMP

• Fifth – 33480 (likely UNIX traceroute)

Page 13

UDP Probes and Attacks – Trend Analysis

[Chart: number of hits per day for port 137 and port 53, 11/17/00 through 1/12/01.]

Page 14

TCP Probes and Attacks – Top Five Destination Ports

• First – 3663 (DDoS Attack)

• Second – 0 Reserved (DDoS Attack)

• Third – 6667 IRC (DDoS Attack)

• Fourth – 81 (DDoS Attack)

• Fifth – 21 FTP-control

Page 15

TCP Probes and Attacks – Trend Analysis

[Chart: hits per date for port 0 and port 21, 11/17/00 through 1/12/01.]

Page 16

Source Address of Probes and Attacks

[Chart: Classful Sources of Probes and Attacks – number of unique IP addresses seen per IP netblock class, A through E.]

Source Address Class Percentage:

• A – 20%

• B – 7%

• C – 20%

• D – 26%

• E – 27%

Page 17

Source Address of Probes and Attacks – Bogon Source Percentages

[Chart: unique IP addresses per IP netblock class, bogon addresses against total addresses.]

• A – 1128 bogon of 2346 total

• B – 167 bogon of 803 total

• C – 270 bogon of 2275 total

Page 18

Source Address of Probes and Attacks

• Bogon source attacks still common.

• Of all source addresses, 53.39% were in the Class D and Class E space.

• Percentage of bogons, all classes – 66.85%!

• This is good news – prefix-list, ACL defense, and uRPF will block 66.85% of these nasties!

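The bogon figures above came out of the deck's home-brew Perl and awk tooling run over the router's deny-ACL logs. The following is an added Python example, not the author's code, that performs the same classification over a few constructed Cisco-style ACL deny lines: unique TCP/UDP sources are grouped by classful range and counted as bogon when they fall in a reserved, non-routable prefix. The log line format, the prefix list (reserved space only, not the unallocated ranges a 2001 bogon list also carried) and the sample addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Reserved / non-routable prefixes counted as bogons here ("this" network, RFC 1918,
# loopback, link-local, class D multicast, class E). Assumed subset: the 2001 bogon
# lists also covered then-unallocated space, which changes and is not hard-coded here.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# TCP/UDP form of a Cisco IOS "deny ... log" ACL message (format assumed); ICMP
# lines have a different shape and stay uncounted, as in the deck's statistics.
ACL_RE = re.compile(r"list \S+ denied (?:tcp|udp) (\d+\.\d+\.\d+\.\d+)\(\d+\) -> "
                    r"\d+\.\d+\.\d+\.\d+\(\d+\), \d+ packet")

# Constructed sample log lines (not from the deck); the first source repeats.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 101 denied udp 10.1.2.3(1234) -> 192.0.2.10(137), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied udp 10.1.2.3(1235) -> 192.0.2.10(137), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4321) -> 192.0.2.10(21), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied udp 172.20.5.5(53) -> 192.0.2.10(53), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied udp 224.0.1.9(40000) -> 192.0.2.10(27960), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 250.3.3.3(6000) -> 192.0.2.10(0), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.77(2222) -> 192.0.2.10(81), 1 packet
"""

def classful(addr):
    """Classful letter A-E from the first octet, the grouping the deck's charts use."""
    first = int(ipaddress.ip_address(addr)) >> 24
    return "A" if first < 128 else "B" if first < 192 else "C" if first < 224 \
        else "D" if first < 240 else "E"

def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_PREFIXES)

def summarize(lines):
    """Per-class [bogon, total] counts of unique sources, plus the overall bogon share in %."""
    sources = {m.group(1) for m in map(ACL_RE.search, lines) if m}
    per_class = defaultdict(lambda: [0, 0])
    for src in sources:
        per_class[classful(src)][1] += 1
        if is_bogon(src):
            per_class[classful(src)][0] += 1
    bogons = sum(b for b, _ in per_class.values())
    share = 100.0 * bogons / len(sources) if sources else 0.0
    return dict(per_class), share
```

Running summarize(SAMPLE_LOG.splitlines()) on the constructed sample reports class C as 0 bogon of 2 unique sources, the other four classes as 1 of 1, and a 66.67% bogon share overall.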
Page 19

Source Region of the Naughty – A dangerously misleading slide

RIR for Source Addresses:

• ARIN – 58%

• RIPE – 37%

• APNIC – 5%

Page 20

Intrusion (attempt) Detection

• IDS is not foolproof!

• Incorrect fingerprinting does occur.

• You cannot identify that which you cannot see.

Page 21

Top Five IDS Detected Probes

[Chart: IDS Detected Probes – hits by type: NetBus, Backorifice, TFTP, IDENT, Deep Throat.]

Page 22

Top Five IDS Detected Probes – Trend Analysis

[Chart: IDS detected probes per date over the period, one series each for NetBus, Backorifice, TFTP, IDENT, and Deep Throat.]

Page 23

Top Five IDS Detected Attacks

[Chart: IDS Detected Attacks – hits by type: TCP Port 0, FIN flood, Fragments, ICMP flood, RST flood.]

Page 24

Top Five IDS Detected Sources

[Chart: IDS Detected Source Netblocks – hit count by netblock location: Azerbaijan, USA 01, South Korea, USA 02, Canada.]

Page 25

Top Five IDS Detected Sources – IDS Detected Attacks, Trend Analysis

[Chart: hits per day over the period for the five source netblocks, A through E.]

Page 26

Match a Source with a Scan – Source to Hit Matching

[Chart: hits per day (days 1 through 7) for source netblock B, broken out by probe type: NetBus, Backorifice, TFTP, IDENT, Deep Throat.]

Page 27

Two Days of DDoS

• Attack that resulted in 10295 hits on day one and 77466 hits on day two.

• Attack lasted 25 hours, 25 minutes, and 44 seconds.

• Quasi-random UDP high ports (source and destination), small packets.

Page 28

Two Days of DDoS

• Perhaps as many as 2000 hosts used by the attackers.

• 23 unique organizations.

• 9 different nations located in the Americas, Europe, and Asia.

• Source netblocks all legitimate.

Page 29

Two Days of DDoS – Packets per minute

[Chart: packets per minute against DATE:HOUR:MINUTE, from 24:21:13 through 25:22:29.]

Page 30

Two Days of DDoS – DDoS Sources

[Chart: packets per hour over the 26 hours of the attack.]

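The flood described on the preceding slides has a recognisable shape in the deny logs: a sharp rise in packets per minute, quasi-random high destination ports, and small packets. The following is an added Python example, not the author's tooling, that buckets constructed log lines by DATE:HOUR:MINUTE (the axis of the packets-per-minute chart) and flags a minute when packet count, the share of distinct high destination ports and the mean packet size all cross thresholds. The line format, the thresholds and the sample traffic are assumptions.

```python
import random
import re
from collections import defaultdict

# Assumed line format: "DAY:HH:MM:SS udp SRC:SPORT -> DST:DPORT len=BYTES".
LOG_RE = re.compile(r"^(\d+:\d+:\d+):\d+ udp \S+:\d+ -> \S+:(\d+) len=(\d+)$")

def build_sample(seed=1):
    """Constructed log: four ordinary UDP denials on day 24, then one minute
    (25:00:36, a label from the deck's chart) of a high-port, small-packet flood."""
    rng = random.Random(seed)
    lines = [f"24:21:{m}:00 udp 198.51.100.{m}:{sp} -> 192.0.2.10:{dp} len=120"
             for m, sp, dp in ((13, 1030, 137), (14, 3456, 53), (15, 1077, 137), (16, 2100, 53))]
    for sec in range(60):
        lines.append(f"25:00:36:{sec:02d} udp 203.0.113.{rng.randrange(1, 255)}:"
                     f"{rng.randrange(1024, 65536)} -> 192.0.2.10:{rng.randrange(1024, 65536)} "
                     f"len={rng.randrange(28, 60)}")
    return lines

def minute_stats(lines):
    """Per DATE:HOUR:MINUTE bucket: packet count, share of distinct destination ports,
    share of high (>= 1024) destination ports, and mean packet length."""
    buckets = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            buckets[m.group(1)].append((int(m.group(2)), int(m.group(3))))
    stats = {}
    for minute, pkts in buckets.items():
        n = len(pkts)
        stats[minute] = {
            "packets": n,
            "distinct_port_ratio": len({d for d, _ in pkts}) / n,
            "high_port_ratio": sum(d >= 1024 for d, _ in pkts) / n,
            "mean_len": sum(l for _, l in pkts) / n,
        }
    return stats

def flood_minutes(lines, min_packets=30, min_distinct=0.8, max_len=100):
    """Minutes whose traffic matches the deck's flood profile: high rate, nearly
    every packet to a different high port, and small packets."""
    return sorted(minute for minute, s in minute_stats(lines).items()
                  if s["packets"] >= min_packets and s["distinct_port_ratio"] >= min_distinct
                  and s["high_port_ratio"] >= 0.95 and s["mean_len"] <= max_len)
```

On the constructed sample only the minute 25:00:36 is flagged; the single-packet minutes on day 24 never reach the rate threshold.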
Page 31

Site Defense and Attack Mitigation

• While you cannot prevent an attack, you can choose how to react to an attack.

• Layers of defense that use multiple tools.

• Layers of monitoring and alert mechanisms.

• Know how to respond before the attack begins.

Page 32

Site Defense and Attack Mitigation

• Border router

– Protocol shaping and filtering.

– Anti-bogon and anti-spoofing defense (uRPF), ingress and egress filtering.

– NetFlow.

• IDS device(s)

– Attack and probe signatures.

– Alerts.

Page 33

Site Defense and Attack Mitigation

• Border firewall

– Port filtering.

– Logging.

– Some IDS capability.

• End systems

– Tuned kernel.

– TCP wrappers, disable services, etc.

– Crunchy through and through!

Page 34

Site Defense and Attack Mitigation

• Don’t panic!

• Collect data!

• The good news - you can survive!

Page 35

References and shameless self advertisements

• RFC 2267 – http://rfc.net/rfc2267.html

• Secure IOS Template – http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html

• Secure BGP Template – http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html

• UNIX IP Stack Tuning Guide – http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html

Page 36

Any questions?

Page 37

Thank you for your time!

• Thanks to Jan, Luuk, and Jacques for inviting me to speak with you today.

• Thanks to Surfnet/CERT-NL for picking up the travel.

• Thanks for all of the coffee!