Educause Security Discussion mailing list archives
Re: Domain Controller Attacks
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Fri, 14 Oct 2005 15:12:18 -0400
Wayne Bullock wrote:
I'm trying to catch this thing in a bottle and maybe develop some type of signature we can feed into an IPS. Does anybody already have such a signature?
Not for this specific ratware [yet], but you may be able to find infected hosts with some traffic analysis. If it's "attacking" your DC by usual means (139/445), just key on that by thresholding SYNs on those ports. Snort[1], with the Bleedingsnort[2] sids 2001569 and 2001579, does this, though you may wish to tailor the threshold values it comes with by default.

If the attack is crossing subnets, and there's a Cisco switch/router in between with CEF/flow switching turned on, you can find sources of 135/137/139/445 scanners by doing remote commands from a linux/unix box, bearing in mind you need hex values of those ports, similar to:

rsh myrouter -l netadmin "show ip cache flow | incl 0087"|sort -k2|uniq -c -f1 -w40
rsh myrouter -l netadmin "show ip cache flow | incl 0089"|sort -k2|uniq -c -f1 -w40
rsh myrouter -l netadmin "show ip cache flow | incl 008b"|sort -k2|uniq -c -f1 -w40
rsh myrouter -l netadmin "show ip cache flow | incl 01bd"|sort -k2|uniq -c -f1 -w40

This will spit out something similar to:

1 Gi3/2 10.xx.xx.18   Null  192.239.44.12  11 0089 0089    3
1 Vl488 172.xx.xx.250 Null  172.xx.xx.255  11 0089 0089    3
1 Vl605 199.xx.xx.104 Null  199.xx.xx.255  11 0089 0089 1070

The relevant lines of interest from the "show" command are listed, followed by a connection count in the last column for the associated source IP. There we see 199.xx.xx.104 "blasting away" udp/137 broadcasts (not a good sign).

This won't help find the brute-force attacks on a single host, but will find those "spraying" away in the usual worm-ish manner. It also doesn't help finding the newer bots, which insert varying delays between their scans and can evade the flow cache timeouts.

Jeff

[1] http://www.snort.org
[2] http://www.bleedingsnort.com/
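The flow-cache triage above, as an added example that is not part of Jeff's post or the archive: a small Python script that parses raw "show ip cache flow" output (the SrcIf/SrcIP/DstIf/DstIP/Pr/SrcP/DstP/Pkts columns, ports and protocol in hex) and, going one step beyond the sort|uniq pipeline, reports per source IP how many distinct destinations it touched on 135/137/139/445 and how many packets it sent there. The sample flows, the thresholds (min_targets, min_pkts) and the function names are assumptions made for the example; the fan-out count is the worm-style "spraying" signal, and the packet count catches the udp/137 broadcast case from the post.

```python
from collections import defaultdict

# Ports hit by the SMB/NetBIOS scanners discussed in the thread (decimal;
# the flow cache prints them in hex: 0087 0089 008b 01bd).
SCAN_PORTS = {135, 137, 139, 445}

# Constructed sample in the column layout of 'show ip cache flow' (not real traffic):
# SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi3/2         10.0.0.18       Null          192.0.2.12      11 0089 0089     3
Vl488         172.16.5.250    Null          172.16.5.255    11 0089 0089     3
Vl605         198.51.100.104  Null          198.51.100.255  11 0089 0089  1070
Vl605         198.51.100.104  Vl610         10.9.1.1        06 0E4C 01BD     1
Vl605         198.51.100.104  Vl610         10.9.1.2        06 0E4D 01BD     1
Vl605         198.51.100.104  Vl610         10.9.1.3        06 0E4E 01BD     1
Vl605         198.51.100.104  Vl610         10.9.1.4        06 0E4F 01BD     1
Vl12          10.7.0.5        Vl610         10.9.1.1        06 0C3A 01BD    40
Vl12          10.7.0.5        Vl610         10.9.1.1        06 0C3B 0050   120
"""


def parse_flows(text):
    """Yield one dict per flow line; the header row and malformed lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        try:
            yield {
                "src": f[1], "dst": f[3],
                "proto": int(f[4], 16),          # 06 = tcp, 11 = udp
                "sport": int(f[5], 16), "dport": int(f[6], 16),
                "pkts": int(f[7]),
            }
        except ValueError:                      # header row ("Pr", "SrcP", ...)
            continue


def summarize_scan_sources(text, ports=SCAN_PORTS):
    """Per source IP: (distinct destinations hit on a scan port, packets sent there)."""
    targets = defaultdict(set)
    pkts = defaultdict(int)
    for fl in parse_flows(text):
        if fl["dport"] in ports:
            targets[fl["src"]].add(fl["dst"])
            pkts[fl["src"]] += fl["pkts"]
    return {src: (len(targets[src]), pkts[src]) for src in targets}


def find_sprayers(text, min_targets=4, min_pkts=500, ports=SCAN_PORTS):
    """Sources that fan out to many hosts (scanner) or hammer one scan port (broadcast storm).

    Thresholds are assumed starting points; tune them to your own cache size and timeouts.
    Returns (src, distinct_targets, pkts) sorted by fan-out, then by volume.
    """
    hits = [(src, n, p) for src, (n, p) in summarize_scan_sources(text, ports).items()
            if n >= min_targets or p >= min_pkts]
    return sorted(hits, key=lambda h: (-h[1], -h[2]))


if __name__ == "__main__":
    for src, n, p in find_sprayers(SAMPLE_FLOWS):
        print(f"{src:16} {n:4} targets {p:6} pkts on 135/137/139/445")
```

Feed it the raw "show ip cache flow" text (for example, the output of the rsh command without the sort|uniq stage). A host talking to a single DC over 445 stays below the fan-out threshold, which matches the post's caveat that this finds sprayers, not single-host brute forcing, and anything that waits longer than the cache's inactive timeout between probes will never accumulate in one snapshot.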
Current thread:
- Domain Controller Attacks Wayne Bullock (Oct 14)
- <Possible follow-ups>
- Re: Domain Controller Attacks Dave Monnier, IT Security Office, Indiana University (Oct 14)
- Re: Domain Controller Attacks Hoffman, Michael (Oct 14)
- Re: Domain Controller Attacks Beechey, Jim (Oct 14)
- Re: Domain Controller Attacks H. Morrow Long (Oct 14)
- Re: Domain Controller Attacks Wayne J. Hauber (Oct 14)
- Re: Domain Controller Attacks David Taylor (Oct 14)
- Re: Domain Controller Attacks Wayne Bullock (Oct 14)
- Re: Domain Controller Attacks Bowden, Zeb (Oct 14)
- Re: Domain Controller Attacks Wayne Bullock (Oct 14)
- Re: Domain Controller Attacks Jeff Kell (Oct 14)
- Re: Domain Controller Attacks Wayne Bullock (Oct 14)