Firewall Wizards mailing list archives

Re: How do you fight an attack in progress?


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Fri, 19 Sep 1997 12:24:44 +0000

> As the subject line suggests, I'm interested to find how do you fight an
> attack in progress. Let's say that your firewall keeps sending you
> messages about a scan in progress or something similar.

GOOD question!!

The first problem is defining an attack. Is being scanned an attack?
Is being telnetted to an attack? Is having your SMTP port telnetted
to and the DEBUG command issued an attack? Is having IP spoofing
tools run against you an attack? I think that at each level the
aggressive intent becomes clearer. At each level it is more reasonable
to say you're under attack.

These days I consider myself to be under attack when 2 things occur:
1) there is some kind of potential attack analysis (a scan of some 
        sort, or other fact-gathering)
2) a follow-up is launched based on the previous fact-gathering.

When the second occurs, that means that someone has (usually)
gone to the effort to understand my defenses and then tailor a
mission against them. A simple scan isn't quite hostile enough to
justify breaking out the desert eagle and paying the travel costs
to go talk to the responsible party.

> You have the IP
> address. You look-up the domain, call the administrator that you found
> for that domain and get just a voice mail or a "number disconnected"
> message. Worst case: there is no domain associated with that IP address.

Or you get a university lab machine, or whatever. If there's no 
domain associated with the IP address then you're DEFINITELY in
an interesting situation. :)

> The firewall keeps paging you and your adrenaline level grows
> exponentially.

This is actually a comfort signal. Think about it this way: the 
firewall is telling you "someone is hitting me with something
I know how to deal with."  That's GOOD news. The time that
you should really inhale your seat cushion is when the firewall
is silent. Which, of course, is a problem, because by definition
then you don't KNOW you're under attack at all.

> So, how do you Wizards deal with such situations?

1) Become a disciple of the dump. Do your backups
        religiously
2) Become a friend of the checksum. Identify things that
        shouldn't change on your system and set up
        things like tripwire to watch for changes
3) Install burglar alarms. Know what shouldn't happen
        on your network, set up things to look for it,
        and tell you when it happens.
4) Talk to your senior management and legal counsel
        about how much time they feel is appropriate
        for you to invest in backtracking incidents.
        Hunting an attack could eat a week of your
        time. Decide if you want to go there or not.
5) If you're under a successful attack and you want to try
        to catch the guy and prosecute, DEFINITELY talk
        to legal counsel and get guidance about what
        constitutes admissible evidence.
6) Relax, have a home-brew.

If you're getting traffic from a known site, then you can
start picking up the phone and making calls. If you're
getting traffic from a nonexistent site then there's not
much you can do unless you start calling your ISP and
seeing if they're willing to track the packets off their
backbone. If they are, then you can try to walk back up
the 'net and find the source. That's a VERY hard thing
to do unless you have major clout.

mjr.
-----
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
Personal: http://www.clark.net/pub/mjr
Work: http://www.nfr.net
New Book!!: http://www.clark.net/pub/mjr/websec
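
The two conditions Ranum gives for calling something an attack (fact-gathering, then a follow-up tailored to what it found) and his "burglar alarm" item can be written down as one correlation rule over firewall logs. What follows is an added example for this archive page, not code from the original post or from Network Flight Recorder; the log line format, the field names, the thresholds and the sample log lines are all constructed assumptions. A source that only sweeps ports is reported as "scan"; a source that sweeps, finds an open port, goes quiet, and then comes back for that port is reported as "attack".

```python
"""Two-stage 'attack' detector: a scan (fact-gathering) followed by a
follow-up from the same source aimed at what the scan found.

Added example; the log format, field names and thresholds are assumptions,
and the log lines below are constructed, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed firewall log format: <ISO timestamp> <ACCEPT|DENY> src= dst= dport=
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample: 198.51.100.7 sweeps six ports, finds 25/tcp open and
# comes back minutes later for it; 203.0.113.9 only sweeps and finds nothing;
# 192.0.2.55 is one ordinary mail connection.
SAMPLE_LOG = """\
1997-09-19T12:00:01 DENY src=198.51.100.7 dst=192.0.2.10 dport=21
1997-09-19T12:00:02 DENY src=198.51.100.7 dst=192.0.2.10 dport=23
1997-09-19T12:00:02 DENY src=198.51.100.7 dst=192.0.2.10 dport=79
1997-09-19T12:00:03 ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=25
1997-09-19T12:00:03 DENY src=198.51.100.7 dst=192.0.2.10 dport=110
1997-09-19T12:00:04 DENY src=198.51.100.7 dst=192.0.2.10 dport=111
1997-09-19T12:05:30 ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=25
1997-09-19T12:06:00 ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=25
1997-09-19T12:10:00 DENY src=203.0.113.9 dst=192.0.2.10 dport=21
1997-09-19T12:10:01 DENY src=203.0.113.9 dst=192.0.2.10 dport=23
1997-09-19T12:10:01 DENY src=203.0.113.9 dst=192.0.2.10 dport=79
1997-09-19T12:10:02 DENY src=203.0.113.9 dst=192.0.2.10 dport=110
1997-09-19T12:10:02 DENY src=203.0.113.9 dst=192.0.2.10 dport=111
1997-09-19T12:30:00 ACCEPT src=192.0.2.55 dst=192.0.2.10 dport=25
"""


def parse_log(text):
    """Turn log lines into event dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def classify(events, scan_ports=5, scan_window=timedelta(seconds=30),
             followup_gap=timedelta(seconds=60)):
    """Return {src: 'normal' | 'scan' | 'attack'}.

    scan   = one source touches >= scan_ports distinct ports within scan_window
    attack = after that scan has been quiet for followup_gap, the same source
             connects again to a port the scan found ACCEPTed
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    verdicts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        scan_end, open_ports = None, set()
        for i, first in enumerate(evs):
            # Events are sorted, so this is the run starting at evs[i].
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= scan_window]
            if len({e["dport"] for e in window}) >= scan_ports:
                scan_end = window[-1]["ts"]
                open_ports = {e["dport"] for e in window if e["action"] == "ACCEPT"}
                break
        if scan_end is None:
            verdicts[src] = "normal"
            continue
        followups = [e for e in evs
                     if e["ts"] > scan_end + followup_gap and e["dport"] in open_ports]
        verdicts[src] = "attack" if followups else "scan"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify(parse_log(SAMPLE_LOG)).items()):
        print(f"{src:15} {verdict}")
```

The "scan" verdict is the firewall paging you about something it already handled; the "attack" verdict is the case Ranum says justifies spending real time, because the source demonstrably used what it learned. The thresholds and the quiet gap are tuning knobs, and a source that spreads its probes across many addresses or over hours will slip under a fixed window, so treat this as the shape of the rule rather than a finished detector.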

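
Item 2 of the list ("become a friend of the checksum") describes what tripwire does: record what should not change, then compare. The following is an added example for this page, not tripwire and not code from the post; the directory layout, file contents and the key used in demo() are constructed, and SHA-256 with an HMAC-sealed baseline is this example's choice. The seal matters: a checksum database that an intruder can edit in place is worth nothing, so the baseline is tagged with a key that should live off the host.

```python
"""Tripwire-style integrity baseline: record hashes of files that should not
change, seal the baseline with an HMAC so it cannot be quietly edited, and
report what was added, removed or changed.

Added example, not tripwire itself; the directory layout, file contents and
the HMAC key in demo() are constructed assumptions."""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path):
    """Size, permission bits and SHA-256 of one regular file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "sha256": h.hexdigest()}


def build_baseline(root):
    """Map of relative path -> record for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and not p.is_symlink()}


def seal(baseline, key):
    """Serialise the baseline with an HMAC-SHA256 tag over its canonical JSON."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "hmac": tag}, sort_keys=True).encode()


def unseal(blob, key):
    """Verify the tag before trusting the stored baseline; raise on mismatch."""
    doc = json.loads(blob)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline tag mismatch: stored baseline altered or wrong key")
    return doc["baseline"]


def compare(baseline, current):
    """Files that appeared, vanished, or whose size/mode/hash differ."""
    old, new = set(baseline), set(current)
    return {"added": sorted(new - old),
            "removed": sorted(old - new),
            "changed": sorted(k for k in old & new if baseline[k] != current[k])}


def demo():
    """Build a baseline over a constructed tree, simulate an intrusion, report."""
    key = b"demo-key: a real key belongs on offline media"  # assumption
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF placeholder")
        sealed = seal(build_baseline(root), key)  # store this off the host

        # Simulated intrusion: trojaned binary, deleted file, new preload hook.
        (root / "bin" / "login").write_bytes(b"\x7fELF placeholder + backdoor")
        (root / "etc" / "motd").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/.x/evil.so\n")

        return compare(unseal(sealed, key), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the report names bin/login as changed, etc/motd as removed and etc/ld.so.preload as added. Running the verify pass from a known-clean boot medium is what makes it trustworthy; a hashing tool run on a compromised box with a compromised baseline will cheerfully report that nothing changed.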
