Educause Security Discussion mailing list archives
[REN-ISAC] Storm Worm DDoS Threat to the EDU Sector
From: "Pearson, Douglas D" <dodpears () INDIANA EDU>
Date: Thu, 9 Aug 2007 10:41:50 -0400
Regarding: Storm Worm DDoS Threat to the EDU Sector
August 09, 2007

ISSUE:

Scanning certain Storm Worm[1]-infected machines with a security vulnerability scanner can result in a DDoS[2] against the scanning machine. This behavior is encountered with Storm-infected machines operating as "distribution nodes" in the botnet hierarchy. During the past month we've observed and notified involved parties regarding numerous such Storm-related DDoS attacks. The attacks have been ICMP, can last more than a day, involve a large number of sources scattered globally, and can yield very significant attack traffic. With the impending return of students for fall classes, the DDoS-the-scanner-when-scanned behavior represents a significant risk for the EDU sector.

PREVENTION:

(1) If possible, move security vulnerability scanners to RFC1918 (private) address space - make the scanner IP address unroutable from attacker networks. Make sure the scanner IP doesn't get NATed to a public source address when reaching out to scanned hosts. If the scanner must be reachable from external networks, such as for vendor updates, consider dual network interfaces - a public management interface and a private scanning interface.

(2) Although opinions differ regarding the practice of blocking ports at network borders, we note that - at least for now - dropping inbound TCP/80 to residential networks will forestall the elevation of Storm-infected residential machines to distribution node status, and therefore their sensitivity as attack triggers. This should NOT be interpreted as a recommendation by REN-ISAC to block residential inbound TCP/80 - each site must evaluate that locally.

MITIGATION:

(1) Respond quickly to notifications of infected hosts on your network. Infected machines can become distribution nodes, which may become attack triggers.

(2) Monitor inbound network utilization. Identify suspicious increases, and take action to determine their causes.

(3) Have an emergency plan in place for contacting your Internet service provider - by phone - for assistance when being DDoS'd. Many commercial ISPs accept null route advertisements tagged with a BGP community value. Contact your ISP IN ADVANCE to learn what your options and procedures are for DDoS mitigation.

(4) Similarly, if you're connected to the Internet2 Network, have an emergency plan to leverage Internet2 null route mitigation. See: http://abilene.internet2.edu/security/ddos-attacks.html

(5) Have a plan to contact the REN-ISAC 24x7 Watch Desk (ren-isac () ren-isac net, +1(317)278-6630) for assistance, and to share your experience if attacked. REN-ISAC is monitoring and analyzing attacks within the sector. Sharing your experience is critical to the evolution of security in the EDU sector.

WE RECOMMEND THAT YOU DON'T:

(1) Don't block all ICMP at your network border. That breaks certain network functions such as path MTU discovery and network problem diagnostics, and it doesn't protect the DDoS chokepoint between your network and your ISP. For ICMP rate limiting and filtering recommendations see the Team Cymru ICMP Packet Filtering guide: http://www.cymru.com/Documents/icmp-messages.html

(2) Don't count on firewalls to protect you during a DDoS. As in #1, the chokepoint between you and your network provider is still vulnerable.

If you have questions or concerns, please contact us.

On behalf of the REN-ISAC staff and Technical Advisory Group,

Doug Pearson
Technical Director, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630

REN-ISAC membership: http://www.ren-isac.net/membership.html

References:

[1] Storm Worm aka Peacomm, Zhelatin, references:
http://www.symantec.com/enterprise/security_response/weblog/2007/01/trojanpeacomm_building_a_peert.html
http://www.secureworks.com/research/threats/view.html?threat=storm-worm
http://vil.nai.com/vil/Content/v_142621.htm
http://msmvps.com/blogs/harrywaldron/archive/2007/08/04/storm-worm-botnet-of-1-7m-could-create-large-ddos-attack.aspx
http://www.networkworld.com/news/2007/080207-black-hat-storm-worms-virulence.html

[2] Distributed Denial of Service Attacks
http://www.uoregon.edu/~joe/ddos-exec/ddos-exec.ppt

-o0o-
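The monitoring step in MITIGATION (2), worked as an added example that is not part of the advisory and is not REN-ISAC tooling. It assumes border flow records (NetFlow/sFlow) already parsed into dicts with a one-second bucket "t", "src", "dst", "proto" and "packets"; the records it runs on are constructed to mimic the attack described in the ISSUE section: ICMP from many globally scattered sources aimed at one public scanner address. The scanner address (192.0.2.10, RFC 5737 documentation space), the thresholds and the window length are assumptions to tune locally.

```python
"""Flag a many-source ICMP flood against a campus host from border flow records.

Added example, not REN-ISAC code. Flow records are assumed to be dicts with
keys t (one-second bucket), src, dst, proto and packets; the sample records
below are constructed to resemble a Storm-style scanner flood.
"""
from collections import defaultdict
import random

# Thresholds are assumptions for illustration; tune to the local border link.
MIN_PPS = 5000        # sustained ICMP packets/sec toward one destination
MIN_SOURCES = 200     # distinct sources in the window (a single-source flood is a different problem)
WINDOW_SECONDS = 10   # observation window, in one-second buckets

# Assumed public scanner address (RFC 5737 documentation range).
SCANNER = "192.0.2.10"


def build_sample_flows(seed=7):
    """Constructed sample input: ordinary background traffic to assorted campus
    hosts, plus an ICMP flood from 800 distinct sources aimed at SCANNER."""
    rng = random.Random(seed)
    flows = []
    # Background: a few TCP/ICMP flows per second to hosts other than the scanner.
    for t in range(WINDOW_SECONDS):
        for _ in range(20):
            flows.append({"t": t,
                          "src": f"203.0.113.{rng.randint(1, 254)}",
                          "dst": f"192.0.2.{rng.randint(20, 200)}",
                          "proto": rng.choice(("tcp", "icmp")),
                          "packets": rng.randint(1, 50)})
    # Flood: 800 distinct, scattered sources, each sending a burst of ICMP every second.
    sources = set()
    while len(sources) < 800:
        sources.add("%d.%d.%d.%d" % (rng.randint(1, 223), rng.randint(0, 255),
                                     rng.randint(0, 255), rng.randint(1, 254)))
    for t in range(WINDOW_SECONDS):
        for src in sorted(sources):
            flows.append({"t": t, "src": src, "dst": SCANNER,
                          "proto": "icmp", "packets": rng.randint(50, 150)})
    return flows


def detect_icmp_floods(flows, min_pps=MIN_PPS, min_sources=MIN_SOURCES,
                       window_seconds=WINDOW_SECONDS):
    """Return {dst: summary} for every destination whose inbound ICMP exceeds
    both the packet-rate and the distinct-source thresholds over the window.
    Requiring many sources separates a botnet flood from a single noisy host."""
    pkts_by_dst = defaultdict(int)
    pkts_by_dst_src = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["proto"] != "icmp":
            continue
        pkts_by_dst[f["dst"]] += f["packets"]
        pkts_by_dst_src[f["dst"]][f["src"]] += f["packets"]

    alerts = {}
    for dst, total in pkts_by_dst.items():
        pps = total / window_seconds
        srcs = pkts_by_dst_src[dst]
        if pps >= min_pps and len(srcs) >= min_sources:
            top = sorted(srcs.items(), key=lambda kv: kv[1], reverse=True)[:5]
            alerts[dst] = {
                "pps": pps,
                "sources": len(srcs),
                "top_sources": [s for s, _ in top],
                # The victim /32 you would ask the ISP or Internet2 to null-route;
                # the attack traffic has to be dropped upstream of the border link.
                "blackhole_prefix": f"{dst}/32",
            }
    return alerts


if __name__ == "__main__":
    for dst, info in detect_icmp_floods(build_sample_flows()).items():
        print(f"ICMP flood toward {dst}: {info['pps']:.0f} pps from "
              f"{info['sources']} sources; request null route for {info['blackhole_prefix']}")
```

The alert carries the victim /32 rather than the source list because that is what a destination-based null route accepts: the ISP drops everything for that prefix, which sacrifices the scanner but keeps the attack off the chokepoint between your network and your provider. Filtering the sources at your own border, as the advisory notes, does nothing for that link. A scanner that lives on RFC1918 space per PREVENTION (1) has no public address to flood in the first place.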