Security Incidents mailing list archives
Re: ddos
From: dbrumley () RTFM STANFORD EDU (David Brumley)
Date: Thu, 17 Feb 2000 09:22:44 -0800
Right. In the short run, use the IDS and remote detectors to make sure your systems are clean. In the medium run, implement a security policy. In the long run, implement an effective plan that makes security easy so everyone buys in. We did this w/ SULINUX at Stanford, and though it only addresses one platform, the number of incidents we've had went significantly down. I've started porting the work to something less "stanford-ized" and will be releasing it on theorygroup.com/Software. (I think I even have a beta up there now... too much work, not enough time to update "outside" projects). I'm also working on a Solaris hardening script.

One thing I think we can all do to help security in the long run is badger the various vendors not just to fix holes, but to provide ways to automatically distribute fixes. Right now LINUX leads the pack, since it offers remote FTP install; you can set things up right from the get-go. Solaris requires you to be on the same net (since its automagic install requires bootp, methinks).

Anywho, system security is the only way to assure a protected environment. The way I see it, a firewall mitigates risk for the short term, but for the long term it's not a good plan. Instead, firewalls should be put in place to buy time to implement good host security. (i.e. don't just rely on the moat in front of your castle, have locks on the doors inside too).

-david

On Wed, 16 Feb 2000, Miller, Toby wrote:
All, IDS signatures are fine IF the attacker uses default settings on tools like TFN and Trinoo. With all of these tools being open source, an attacker can change any or all ports he/she wants. This will ensure communications with the compromised systems will not be detected by IDS. Therefore, we really can not always trust our IDS systems when it comes to attacks such as these. In my opinion there is really no easy answer on how to detect and protect. Knowing and reviewing your systems (including logs and binaries) along with commercial products like firewalls, IDS systems along with a solid security policy will be the one true way of protecting ourselves against attacks like tfn or trinoo.

-----Original Message-----
From: Ron Gula [SMTP:rgula () SECURITYWIZARDS COM]
Sent: Tuesday, February 15, 2000 7:26 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: ddos

At 10:50 PM 2/14/00 -0000, you wrote:
> I wrote tests to detect trinoo, strat., and tfn about 2 months ago. They were going to be released with our security analyzer for the next build, but in light of the problems as of late we have them available for download.

As long as people are talking about detecting these ddos attacks, it may be useful to tell you what we have been seeing with Dragon. We've been running signatures since Thanksgiving which look for tfn, trinoo, tfn2k and a few other ddos attacks. We have seen a lot of people use the free tools which "discover" platforms that may have been compromised.
Here is an example:

bash-2.03# sum_event -n | grep TRINOO
[TRINOO:CMD] 6553
bash-2.03# mklog -l -e TRINOO:CMD | more
** Make Logs Tool - Copyright 1999 Network Security Wizards
** http://www.securitywizards.com
** Printing 'dragon.log' style data
** Printing events of type [TRINOO:CMD
** Date: Thursday February 10 2000
17:26:36 [I] 105.152.72.114 105.152.72.1 [TRINOO:CMD] (udp,dp=27444,sp=2209) (bass.gula.net)
17:26:36 [I] 105.152.72.114 105.152.72.2 [TRINOO:CMD] (udp,dp=27444,sp=2210) (bass.gula.net)
17:26:36 [I] 105.152.72.114 105.152.72.3 [TRINOO:CMD] (udp,dp=27444,sp=2211) (bass.gula.net)
17:26:36 [I] 105.152.72.114 105.152.72.5 [TRINOO:CMD] (udp,dp=27444,sp=2213) (bass.gula.net)
17:26:36 [I] 105.152.72.114 105.152.72.8 [TRINOO:CMD] (udp,dp=27444,sp=2216) (bass.gula.net)
17:26:36 [I] 105.152.72.114 105.152.72.10 [TRINOO:CMD] (udp,dp=27444,sp=2218) (bass.gula.net)
17:26:36 [I] 105.152.72.114 105.152.72.11 [TRINOO:CMD] (udp,dp=27444,sp=2219) (bass.gula.net)
17:26:36 [I] 105.152.72.114 105.152.72.12 [TRINOO:CMD] (udp,dp=27444,sp=2220) (bass.gula.net)
17:26:36 [I] 105.152.72.114 105.152.72.13 [TRINOO:CMD] (udp,dp=27444,sp=2221) (bass.gula.net)
17:26:36 [I] 105.152.72.114 105.152.72.23 [TRINOO:CMD] (udp,dp=27444,sp=2231) (bass.gula.net)
17:26:36 [I] 105.152.72.114 105.152.72.31 [TRINOO:CMD] (udp,dp=27444,sp=2239) (bass.gula.net)
17:26:36 [I] 105.152.72.114 105.152.72.32 [TRINOO:CMD] (udp,dp=27444,sp=2240) (bass.gula.net)
17:26:36 [I] 105.152.72.114 105.152.72.33 [TRINOO:CMD] (udp,dp=27444,sp=2241) (bass.gula.net)
17:26:36 [I] 105.152.72.114 105.152.72.34 [TRINOO:CMD] (udp,dp=27444,sp=2242) (bass.gula.net)
17:26:36 [I] 105.152.72.114 105.152.72.35 [TRINOO:CMD] (udp,dp=27444,sp=2243) (bass.gula.net)

The sweep goes on for several Class C addresses. For TFN2K, several signatures have been deployed to look for TFN2K traffic on TCP, UDP and ICMP. Strangely enough, the game Halflife tends to false positive the UDP signature somewhat.
Ron Gula, CTO
Network Security Wizards, Inc.
http://www.securitywizards.com
--
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley () Stanford EDU
Phone: +1-650-723-2445   WWW: http://www.stanford.edu/~dbrumley
Fax: +1-650-725-9121     PGP: finger dbrumley-pgp () sunset Stanford EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
Securing NT. Insert Linux boot disk to continue......
"I have opinions, my employer does not."
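As an added example (not part of this thread, and not Dragon's or anyone's product code), here is a small Python detector that reads dragon.log-style lines like those in Ron Gula's excerpt and keys on the destination port it actually observes, so the one-source-to-many-hosts sweep is still reported when the control port has been changed from the default, which is the gap Toby Miller points out. The sample lines, the 192.0.2.9 source, port 27445 and the event name UDP:GENERIC are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed dragon.log-style sample (same layout as Ron Gula's excerpt).
# First source reuses addresses from the quoted log; the second source
# (TEST-NET 192.0.2.0/24), its port 27445 and the event name UDP:GENERIC
# are made up to show a sweep that a fixed-port signature would not name.
SAMPLE_LOG = """\
17:26:36 [I] 105.152.72.114 105.152.72.1 [TRINOO:CMD] (udp,dp=27444,sp=2209) (bass.gula.net)
17:26:36 [I] 105.152.72.114 105.152.72.2 [TRINOO:CMD] (udp,dp=27444,sp=2210) (bass.gula.net)
17:26:36 [I] 105.152.72.114 105.152.72.3 [TRINOO:CMD] (udp,dp=27444,sp=2211) (bass.gula.net)
17:31:02 [I] 192.0.2.9 192.0.2.40 [UDP:GENERIC] (udp,dp=27445,sp=5100) (bass.gula.net)
17:31:02 [I] 192.0.2.9 192.0.2.41 [UDP:GENERIC] (udp,dp=27445,sp=5101) (bass.gula.net)
17:31:03 [I] 192.0.2.9 192.0.2.42 [UDP:GENERIC] (udp,dp=27445,sp=5102) (bass.gula.net)
17:45:10 [I] 192.0.2.9 192.0.2.53 [UDP:GENERIC] (udp,dp=53,sp=5200) (bass.gula.net)
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) \[\w\] (?P<src>\S+) (?P<dst>\S+) "
    r"\[(?P<event>[^\]]+)\] \((?P<proto>\w+),dp=(?P<dp>\d+),sp=\d+\)")

def parse(lines):
    """Yield one dict per log line that matches the layout; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        h, mi, s = (int(x) for x in e.pop("time").split(":"))
        e["secs"], e["dp"] = h * 3600 + mi * 60 + s, int(e["dp"])
        yield e

def find_sweeps(lines, min_targets=3, window=60):
    """Report each (src, proto, dp) that reached >= min_targets distinct hosts
    within `window` seconds. Keying on the observed port rather than 27444
    means a sweep on a changed port is still flagged; the IDS event names
    seen for the group are returned so tagged and untagged sweeps differ."""
    groups = defaultdict(lambda: {"dst": set(), "t": [], "ev": set()})
    for e in parse(lines):
        g = groups[(e["src"], e["proto"], e["dp"])]
        g["dst"].add(e["dst"]); g["t"].append(e["secs"]); g["ev"].add(e["event"])
    findings = []
    for (src, proto, dp), g in sorted(groups.items()):
        span = max(g["t"]) - min(g["t"])
        if len(g["dst"]) >= min_targets and span <= window:
            findings.append({"src": src, "proto": proto, "dp": dp,
                             "targets": len(g["dst"]), "span": span,
                             "ids_events": sorted(g["ev"])})
    return findings
```

The single dp=53 event from 192.0.2.9 is not reported, since fan-out to one host is ordinary traffic; tune min_targets and window to the site.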