![Page 1: Black Hat Briefings 2000: Strategies for Defeating Distributed Attacks Simple Nomad Hacker Nomad Mobile Research Centre Occam Theorist RAZOR Security Team,](https://reader036.vdocuments.site/reader036/viewer/2022070308/551b8a4b550346d6338b5b88/html5/thumbnails/1.jpg)
Black Hat Briefings 2000:Strategies for Defeating Distributed Attacks
Simple Nomad
Hacker
Nomad Mobile Research Centre
Occam Theorist
RAZOR Security Team, BindView Corporation
About Myself
- http://www.nmrc.org/
- Currently Sr. Security Analyst for BindView’s RAZOR Team, http://razor.bindview.com/

About This Presentation
- Assume basics
  - Understand IP addressing
  - Understand basic system administration
- Tools
  - Where to find them
  - Basic usage
- Terminology
- A “Network” point of view

Background
- Originally developed during 1999
- Concepts first discussed last October
- Many concepts can be found in DDoS software today

Attack Recognition Basics
- Pattern Recognition
  - Examples:
    - Byte sequence in RAM
    - Packet content in a network transmission
    - Half opens against a server within a certain time frame
  - Considered “real-time”

Attack Recognition Basics Cont.
- Effect Recognition
  - Examples:
    - Unscheduled server restart in logs
    - Unexplainable CPU utilization
    - System binaries altered
  - Considered non-real-time

Attack Recognition Problems
- Blended “pattern” and “effect” attacks
- Sniffing attacks
- Decoys and false identification of the attack source

Attack Recognition Problems Cont.
- Current solutions are usually “pattern” or “effect”; no real-time global solutions
- Existing large-scale solutions can easily be defeated

Common Thwarting Techniques
- Rule-based systems can be tricked
- Log watchers can be deceived
- Time-based rules can be bypassed

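The “half opens within a certain time frame” pattern from the attack-recognition slide, and the “time-based rules can be bypassed” point above, worked through as an added example (this code is not from the presentation or from any RAZOR tool). It runs a sliding-window half-open detector over constructed client-side flow events of the form (time_seconds, src, dst, flag); the threshold, window and grace period are this example’s own choices, and the three traffic generators are constructed input.

```python
"""Sliding-window detection of TCP half-opens (a SYN never followed by the
client's handshake ACK) and the rate-shaping bypass of such a rule.

Added example, not from the original presentation. Events are constructed
tuples (time_seconds, src, dst, flag); flag is "SYN" for a connection
request and "ACK" for the client's completing ACK. Threshold, window and
grace values are this example's own assumptions.
"""
from collections import defaultdict, deque


def half_opens(events, grace=3.0):
    """Yield (time, dst) for each SYN that no ACK from the same (src, dst)
    pair completes within `grace` seconds."""
    ack_times = defaultdict(list)
    for t, src, dst, flag in events:
        if flag == "ACK":
            ack_times[(src, dst)].append(t)
    for t, src, dst, flag in events:
        if flag == "SYN" and not any(t <= a <= t + grace for a in ack_times[(src, dst)]):
            yield t, dst


def half_open_alerts(events, threshold=20, window=10.0, grace=3.0):
    """Time-based rule: alert on a destination once more than `threshold`
    half-opens hit it inside any `window`-second span.
    Returns {dst: time_of_first_alert}."""
    recent = defaultdict(deque)
    alerts = {}
    for t, dst in sorted(half_opens(events, grace)):
        q = recent[dst]
        q.append(t)
        while q[0] < t - window:  # expire entries that fell out of the window
            q.popleft()
        if len(q) > threshold and dst not in alerts:
            alerts[dst] = t
    return alerts


# --- constructed traffic (not captured data) ---------------------------------

def burst_flood(dst="10.0.0.5", count=50, start=0.0):
    """50 SYNs from changing sources inside one second, none completed."""
    return [(start + i * 0.02, f"192.0.2.{i % 254 + 1}", dst, "SYN") for i in range(count)]


def slow_flood(dst="10.0.0.5", count=50, start=0.0, spacing=0.6):
    """The same 50 half-opens, paced so at most 17 land in any 10 s window:
    the time-based rule never fires although the host is still being hit."""
    return [(start + i * spacing, f"192.0.2.{i % 254 + 1}", dst, "SYN") for i in range(count)]


def normal_traffic(dst="10.0.0.5", count=30):
    """Legitimate clients: every SYN is followed by that client's ACK."""
    events = []
    for i in range(count):
        t, src = i * 0.5, f"198.51.100.{i + 1}"
        events += [(t, src, dst, "SYN"), (t + 0.3, src, dst, "ACK")]
    return events


if __name__ == "__main__":
    print("burst:", half_open_alerts(burst_flood()))                   # alert at t=0.4
    print("slow :", half_open_alerts(normal_traffic() + slow_flood()))  # no alert
```

The burst trips the rule on the 21st half-open; the paced flood delivers every one of the same 50 half-opens and is never seen, which is exactly why a per-window count on its own is not an “overall behavior” monitor: the slow run only shows up if something also tracks the cumulative count per destination over a much longer horizon.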
What is Needed
The “Overall Behavior Network/Host Monitoring Tool” (which doesn’t exist)
What Do We Do?
- “Trickle Down Security”
  - Solutions for distributed attacks will introduce good security overall
- Off-the-shelf is not enough
- Learn about attack types
- Defensive techniques

Changing Attack Patterns
- More large-scale attacks
- Better enumeration and assessment of the target by the attacker

Two Basic Distributed Attack Models
- Attacks that do not require direct observation of the results
- Attacks that require the attacker to directly observe the results

Basic Model

Diagram: a chain of three roles.
- Client: issues commands
- Server: processes commands to agents
- Agent: carries out commands

More Advanced Model

Diagram: Attacker and Target.
- Attacker sends Forged ICMP Timestamp Requests to the Target
- Target sends ICMP Timestamp Replies (to the forged source)
- Attacker collects the Sniffed Replies

Even More Advanced Model

Diagram, built up over seven slides. Elements: Target; Firewall; Upstream Host; Master Node; three Attack Nodes; Attacks or Probes; Replies; Sniffed Replies. The slides add, in order:
- the Firewall in front of the Target
- an Upstream Host beyond the Firewall
- a Master Node and three Attack Nodes
- Attacks or Probes from the Attack Nodes toward the Target
- Replies from the Target
- Sniffed Replies: the replies are picked up by an Attack Node rather than by the address they were sent to

![Page 23: Black Hat Briefings 2000: Strategies for Defeating Distributed Attacks Simple Nomad Hacker Nomad Mobile Research Centre Occam Theorist RAZOR Security Team,](https://reader036.vdocuments.site/reader036/viewer/2022070308/551b8a4b550346d6338b5b88/html5/thumbnails/23.jpg)
ICMP
- Sweeping a network with Echo
- Typical alternates to ping
  - Timestamp
  - Info Request

Fun with ICMP
Advanced ICMP enumeration
Host Enumeration

```text
# ./icmpenum -i 2 -c xxx.xx.218.0
xxx.xx.218.23 is up
xxx.xx.218.26 is up
xxx.xx.218.52 is up
xxx.xx.218.53 is up
xxx.xx.218.58 is up
xxx.xx.218.63 is up
xxx.xx.218.82 is up
xxx.xx.218.90 is up
xxx.xx.218.92 is up
xxx.xx.218.96 is up
xxx.xx.218.118 is up
xxx.xx.218.123 is up
xxx.xx.218.126 is up
xxx.xx.218.130 is up
xxx.xx.218.187 is up
xxx.xx.218.189 is up
xxx.xx.218.215 is up
xxx.xx.218.253 is up
```

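The two ICMP alternates to Echo listed on the ICMP slide (Timestamp, type 13/14, and Information Request, type 15/16), and the “is up” decision behind output like the icmpenum listing above, as an added example. This is not icmpenum’s code and not from the presentation; it builds the requests, checksum-verifies and decodes replies, and applies the sweep rule (reply of the matching type echoing the request’s id/seq). The id/seq values, the simulated responder and the `send_probe` helper are this example’s own assumptions; sending a live probe needs a raw socket, so the walkthrough in `demo()` runs on constructed bytes only.

```python
"""ICMP Timestamp (13/14) and Information (15/16) probes: build, send,
verify, decode. Added example; not icmpenum's code. Offline except for
send_probe(), which needs a raw socket (root)."""
import datetime
import socket
import struct

ICMP_TS_REQ, ICMP_TS_REPLY = 13, 14
ICMP_INFO_REQ, ICMP_INFO_REPLY = 15, 16
REPLY_FOR = {ICMP_TS_REQ: ICMP_TS_REPLY, ICMP_INFO_REQ: ICMP_INFO_REPLY}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ms_since_midnight_utc(now: datetime.datetime) -> int:
    """ICMP timestamps are milliseconds since midnight UTC (RFC 792)."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return int((now - midnight).total_seconds() * 1000)


def build_icmp(icmp_type: int, ident: int, seq: int, body: bytes = b"") -> bytes:
    """8-byte header (type, code, checksum, id, seq) plus body, checksum filled in."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, icmp_checksum(hdr + body), ident, seq) + body


def timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    # originate / receive / transmit; the target fills in the last two
    return build_icmp(ICMP_TS_REQ, ident, seq, struct.pack("!III", originate_ms, 0, 0))


def info_request(ident: int, seq: int) -> bytes:
    return build_icmp(ICMP_INFO_REQ, ident, seq)  # header only, no body


def parse_icmp(pkt: bytes) -> dict:
    """Checksum-verify and decode an ICMP message (IP header already removed)."""
    if len(pkt) < 8:
        raise ValueError("short ICMP message")
    if icmp_checksum(pkt) != 0:  # a valid message sums to all-ones, complement 0
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    msg = {"type": icmp_type, "code": code, "id": ident, "seq": seq}
    if icmp_type in (ICMP_TS_REQ, ICMP_TS_REPLY):
        if len(pkt) < 20:
            raise ValueError("short timestamp message")
        msg["originate"], msg["receive"], msg["transmit"] = struct.unpack("!III", pkt[8:20])
    return msg


def host_is_up(request: bytes, reply: bytes) -> bool:
    """Sweep rule: reply type matches the request and id/seq are echoed back."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return rep["type"] == REPLY_FOR.get(req["type"]) and (rep["id"], rep["seq"]) == (req["id"], req["seq"])


def simulated_reply(request: bytes, receive_ms: int, transmit_ms: int) -> bytes:
    """Constructed stand-in for a real host's reply (or for a reply sniffed on
    its way to a forged source): same id/seq, originate copied, rest filled."""
    req = parse_icmp(request)
    body = struct.pack("!III", req["originate"], receive_ms, transmit_ms) if req["type"] == ICMP_TS_REQ else b""
    return build_icmp(REPLY_FOR[req["type"]], req["id"], req["seq"], body)


def send_probe(dst: str, request: bytes, timeout: float = 2.0):
    """Live probe (root only). Returns the ICMP part of the first reply, or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(request, (dst, 0))
        try:
            data, _ = s.recvfrom(1500)
        except socket.timeout:
            return None
    return data[(data[0] & 0x0F) * 4:]  # strip the IPv4 header (IHL * 4 bytes)


def demo() -> dict:
    """Offline walkthrough on constructed values (assumed id 0x1234, 01:00 UTC)."""
    t0 = ms_since_midnight_utc(datetime.datetime(2000, 7, 26, 1, 0, 0, tzinfo=datetime.timezone.utc))
    ts_req = timestamp_request(0x1234, 1, t0)
    ts_rep = simulated_reply(ts_req, t0 + 40, t0 + 41)
    inf_req = info_request(0x1234, 2)
    inf_rep = simulated_reply(inf_req, 0, 0)
    corrupted = ts_rep[:9] + bytes([ts_rep[9] ^ 0x01]) + ts_rep[10:]  # one bit flipped
    try:
        parse_icmp(corrupted)
        corrupt_rejected = False
    except ValueError:
        corrupt_rejected = True
    return {"originate_ms": t0, "ts_request_len": len(ts_req), "info_request_len": len(inf_req),
            "ts_reply": parse_icmp(ts_rep), "ts_up": host_is_up(ts_req, ts_rep),
            "info_up": host_is_up(inf_req, inf_rep), "mismatched_up": host_is_up(ts_req, inf_rep),
            "corrupt_rejected": corrupt_rejected}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things the code makes concrete for the defender: a host that answers Timestamp or Information Requests is enumerable even where Echo is filtered, which is why the later “Limit ICMP inbound” slide matters; and the reply carries nothing but id/seq to tie it to a request, so replies to a forged source are just as usable to whoever can sniff them.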
Nmap
- Ping sweeps
- Port scanning
- TCP fingerprinting

Fun with Nmap
Additional features
Additional Probes
- Possible security devices
- Sweep for promiscuous devices

Network Mapping
- Determine network layout
- Traceroute

Network Mapping

Diagram, built up over eight slides: the Internet Routers (cw, swb) first; then the Firewall, DMZ and VPN; then the DMZ servers www and ftp; then the hosts inside the DMZ (Sun, NT, a Linux Firewall); and finally the fingerprint results attached to each mapped device:
- xxx.xx.48.2: Linux 2.0.38
- xxx.xx.48.1: AIX 4.2.1
- xxx.xx.49.17: Checkpoint Firewall-1, Solaris 2.7
- xxx.xx.22.7: Checkpoint Firewall-1, Nortel Extranet
- 204.70.xxx.xxx: Cisco 7206
- 151.164.x.xxx: Nortel CVX1800
- IDS? (a possible intrusion detection sensor)

Defensive Techniques
- Good security policy
- Split DNS
  - All public systems in one DNS server located in the DMZ
  - All internal systems using private addresses, with a separate DNS server internally
- Drop/reject packets with a TTL of 1 or 0 (traceroute maps a network by letting packets expire one hop at a time; discarding them at the perimeter denies the attacker that map)

Defensive Techniques Cont.
- Minimal ports open
- Stateful inspection firewalls
- Modified kernels/IDS to look for fingerprint packets

Defensive Techniques Cont.
- Limit inbound ICMP to host/destination unreachable
- Limit outbound ICMP

DMZ Server Recommendations
- Split services between servers
- Current patches
- Use trusted paths, anti-buffer-overflow settings and kernel patches
- Use any built-in firewalling software
- Make use of built-in state tables

Firewall Rules
- Limit inbound to only the necessary services
- Limit outbound via proxies to help control access
- Block all outbound traffic except what is necessary

Intrusion Detection Systems
- Use only IDSs that can be customized
- The IDS should be capable of fragmented packet reassembly
- The IDS should handle high speeds

Spoofed Packet Defenses
- Get the TTL of the suspected spoofed packet
- Probe the source address in the packet
- Compare the probe reply’s TTL to the suspected spoofed packet’s TTL

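The three-step TTL comparison above, carried through as an added example (this is not Despoof’s code and not from the presentation). The packet does not record how many hops it travelled, but senders almost always start from one of a few initial TTLs (32, 64, 128, 255), so hops can be inferred as initial minus observed; the same inference on the probe reply from the claimed source gives a second hop count to compare against. The tolerance, the initial-TTL set, the `ping`-based probe helper and the sample packets are this example’s own assumptions; `triage()` runs on constructed values only.

```python
"""TTL comparison for a suspected spoofed source (the approach on the
"Spoofed Packet Defenses" slide). Added example, not Despoof's code.
Sample TTLs below are constructed, not captured."""
import re
import subprocess

COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # assumption: typical OS defaults


def infer_hops(observed_ttl: int):
    """Return (hops, assumed_initial_ttl), taking the smallest common initial
    TTL not below the observed value. Ambiguous for distant hosts: TTL 30
    reads as 2 hops from 32, but could be 34 hops from 64."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL out of range")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl, initial
    raise AssertionError("unreachable: 255 is the largest initial TTL")


def spoof_verdict(suspect_ttl: int, probe_reply_ttl: int, tolerance: int = 2) -> dict:
    """Step 3 of the slide: compare the hop estimate for the suspect packet
    with the one for the probe reply from the address it claims. A gap beyond
    `tolerance` (slack for asymmetric routes and route changes) marks it."""
    suspect_hops, suspect_init = infer_hops(suspect_ttl)
    probe_hops, probe_init = infer_hops(probe_reply_ttl)
    delta = abs(suspect_hops - probe_hops)
    return {"suspect_hops": suspect_hops, "suspect_initial": suspect_init,
            "probe_hops": probe_hops, "probe_initial": probe_init,
            "delta": delta, "likely_spoofed": delta > tolerance}


def probe_ttl(host: str):
    """Step 2, live: ping the claimed source once and pull the TTL from the
    reply line (POSIX ping prints ttl=NN). None when it does not answer,
    which is itself worth noting. Not called by triage()."""
    try:
        out = subprocess.run(["ping", "-c", "1", host], capture_output=True,
                             text=True, timeout=5).stdout
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return None
    m = re.search(r"ttl=(\d+)", out, re.IGNORECASE)
    return int(m.group(1)) if m else None


# Constructed samples: (claimed source, TTL on the suspect packet, TTL of the
# probe reply as if taken from probe_ttl()).
SAMPLE_SUSPECTS = [
    ("203.0.113.7", 243, 108),   # 12 hops from 255 vs. real host 20 hops from 128
    ("198.51.100.9", 110, 111),  # 18 vs. 17 hops from 128: consistent
    ("192.0.2.44", 52, None),    # claimed source never answers the probe
]


def triage(samples=SAMPLE_SUSPECTS, tolerance: int = 2) -> dict:
    """Apply the comparison to a batch; a silent claimed source gets no verdict."""
    results = {}
    for src, suspect_ttl, reply_ttl in samples:
        if reply_ttl is None:
            results[src] = {"likely_spoofed": None, "reason": "no probe reply"}
        else:
            results[src] = spoof_verdict(suspect_ttl, reply_ttl, tolerance)
    return results


if __name__ == "__main__":
    for src, verdict in triage().items():
        print(src, verdict)
```

Two caveats a practitioner should keep in mind. The check is a heuristic: an attacker who knows the distance between the victim and the address being forged can set the forged packet’s TTL so the hop counts agree, and the initial-TTL guess itself is ambiguous once a host is more than 32 hops away. And the probe is an active query against a third party’s address, so it generates traffic toward whoever is being impersonated; the slide’s point is to use it to triage suspects, not as a sole basis for blocking.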
Questions, etc.
For followup:
- http://razor.bindview.com/
- [email protected]

References:
- David Dittrich’s web site, http://staff.washington.edu/dittrich/
- "Network Cat and Mouse", SANS Network Security '99, New Orleans; security presentation, http://www.sans.org
- "The Paranoid Network", SANS 2000, Orlando; security presentation, http://www.sans.org
- Nmap, http://www.insecure.org/nmap/
- Icmpenum, http://razor.bindview.com/tools/
- Martin Roesch’s web site, http://www.clark.net/~roesch/security.html
- “Strategies for Defeating Distributed Attacks”, http://razor.bindview.com/publish/papers/strategies.html
- “Distributed Denial of Service Defense Tactics”, http://razor.bindview.com/publish/papers/DDSA_Defense.html

Late Breaking News
- HackerShield RapidFire Update 208
  - With SANS Top Ten checks, including a comprehensive CGI scanner
  - http://www.bindview.com/products/hackershield/index.html
- VLAD the Scanner
  - Freeware open-source security scanner, including the same CGI checks as HackerShield
  - Focuses only on the SANS Top Ten
  - http://razor.bindview.com/tools/index.shtml
- Despoof
  - Detects possible spoofed packets through active queries against the suspected spoofed IP address
  - http://razor.bindview.com/tools/index.shtml