Educause Security Discussion mailing list archives

Re: Domain Controller Attacks


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Fri, 14 Oct 2005 15:12:18 -0400

Wayne Bullock wrote:
> I'm trying to catch this thing in a bottle and maybe develop some type of signature we
> can feed into an IPS.
>
> Does anybody already have such a signature?

Not for this specific ratware [yet], but you may be able to find infected hosts with some traffic analysis.

If it's "attacking" your DC by usual means (139/445) just key on that by thresholding SYNs on those ports.  Snort[1], 
with the Bleedingsnort[2] sids 2001569 and 2001579 do this, though you may wish to tailor the threshold values it comes with by 
default.

If the attack is crossing subnets, and there's a Cisco switch/router in between with CEF/flow switching turned on, you 
can find sources of 135/137/139/445 scanners by doing remote commands from a linux/unix box, bearing in mind you need hex 
values of those ports, similar to:

rsh myrouter -l netadmin "show ip cache flow | incl 0087"|sort -k2|uniq -c -f1 -w40
rsh myrouter -l netadmin "show ip cache flow | incl 0089"|sort -k2|uniq -c -f1 -w40
rsh myrouter -l netadmin "show ip cache flow | incl 008b"|sort -k2|uniq -c -f1 -w40
rsh myrouter -l netadmin "show ip cache flow | incl 01bd"|sort -k2|uniq -c -f1 -w40

This will spit out something similar to:

1 Gi3/2         10.xx.xx.18     Null          192.239.44.12   11 0089 0089     3
1 Vl488         172.xx.xx.250   Null          172.xx.xx.255   11 0089 0089     3
1 Vl605         199.xx.xx.104   Null          199.xx.xx.255   11 0089 0089  1070

The relevant lines of interest from the "show" command are listed, followed by a connection count in the last column for the 
associated source IP.  There we see 199.xx.xx.104 "blasting away" udp/137 broadcasts (not a good sign).

This won't help find the brute-force attacks on a single host, but will find those "spraying" away in the usual worm-ish 
manner.  It also doesn't help find the newer bots, which insert varying delays between their scans and can evade the flow cache 
timeouts.

Jeff

[1] http://www.snort.org
[2] http://www.bleedingsnort.com/
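The flow-cache triage above, done as a small parser instead of the rsh/sort/uniq pipeline. This is an added example, not code from the list or from Jeff's post: it reads the "show ip cache flow" column layout (SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts) from a constructed sample, decodes the hex port fields the post mentions (0087, 0089, 008b, 01bd), and then goes one step further than the original pipeline by counting distinct destinations per source, which separates a host spraying a subnet from one talking repeatedly to a single server. The sample addresses, the `min_targets` threshold and all function names are assumptions.

```python
"""Aggregate Cisco 'show ip cache flow' output by source address and destination port.

Constructed example for triaging NetBIOS/SMB scanners; not the original poster's tooling.
"""
from collections import defaultdict

# Destination ports of interest, keyed by the hex value as the flow cache prints them.
WATCHED_PORTS = {
    0x0087: "135/epmap",
    0x0089: "137/netbios-ns",
    0x008B: "139/netbios-ssn",
    0x01BD: "445/microsoft-ds",
}

# Constructed sample in the 'show ip cache flow' column layout. Addresses are
# documentation ranges; the 198.51.100.104 host is made up to look like a scanner.
SAMPLE_FLOW_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi3/2         10.0.0.18       Null          192.0.2.12      11 0089 0089     3
Vl488         172.16.1.250    Null          172.16.1.255    11 0089 0089     3
Vl605         198.51.100.104  Null          198.51.100.255  11 0089 0089  1070
Vl605         198.51.100.104  Gi3/2         192.0.2.20      06 0c3e 01bd     1
Vl605         198.51.100.104  Gi3/2         192.0.2.21      06 0c3f 01bd     1
Vl605         198.51.100.104  Gi3/2         192.0.2.22      06 0c40 01bd     1
Vl605         198.51.100.104  Gi3/2         192.0.2.23      06 0c41 01bd     1
Vl605         198.51.100.104  Gi3/2         192.0.2.24      06 0c42 01bd     1
Vl488         172.16.1.7      Gi3/2         192.0.2.50      06 c1a4 01bb   412
"""


def parse_flow_cache(text):
    """Turn flow-cache lines into dicts; header, blank and malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue
        try:
            # Protocol and both ports are printed in hex; the packet count is decimal.
            proto = int(parts[4], 16)
            sport = int(parts[5], 16)
            dport = int(parts[6], 16)
            pkts = int(parts[7])
        except ValueError:
            continue
        flows.append({
            "src_if": parts[0], "src": parts[1],
            "dst_if": parts[2], "dst": parts[3],
            "proto": proto, "sport": sport, "dport": dport, "pkts": pkts,
        })
    return flows


def summarize_port(flows, dport):
    """Per source address: number of flows, distinct destinations and packets to one port.

    'flows' mirrors what the rsh | sort | uniq -c pipeline counted; 'targets' is the
    distinct-destination count that distinguishes a scanner from a chatty client.
    """
    per_src = defaultdict(lambda: {"flows": 0, "targets": set(), "pkts": 0})
    for f in flows:
        if f["dport"] != dport:
            continue
        entry = per_src[f["src"]]
        entry["flows"] += 1
        entry["targets"].add(f["dst"])
        entry["pkts"] += f["pkts"]
    return {src: {"flows": e["flows"], "targets": len(e["targets"]), "pkts": e["pkts"]}
            for src, e in per_src.items()}


def find_scanners(flows, min_targets=3):
    """Sources that touched at least min_targets distinct hosts on any watched port."""
    hits = []
    for port, label in WATCHED_PORTS.items():
        for src, stats in summarize_port(flows, port).items():
            if stats["targets"] >= min_targets:
                hits.append((src, label, stats["targets"]))
    return sorted(hits)


if __name__ == "__main__":
    parsed = parse_flow_cache(SAMPLE_FLOW_CACHE)
    for src, label, n in find_scanners(parsed):
        print(f"{src} reached {n} hosts on {label}")
```

On the constructed sample the single udp/137 broadcast with 1070 packets does not trip the distinct-destination rule (one destination), while the five tcp/445 flows from the same host to five different addresses do. Both views are worth keeping: packet volume catches the noisy broadcaster the post describes, the distinct-destination count catches the quieter host-by-host sweep, and neither helps with the slow scanners the post already notes can outlast the flow-cache timeout.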
