Security Incidents mailing list archives

Re: ddos


From: TMiller () NCIINC COM (Miller, Toby)
Date: Thu, 17 Feb 2000 14:46:33 -0500


I agree completely with your statements. There is no one solution to this problem (ddos attacks). Until companies and organizations realize this we will always be faced with ddos and many other attacks. I am working on a linux hardening script as well. The only problem with that is there are so many different flavors of linux and no two are the same. Right now my script is geared for Open Linux 2.3. What I want to work on is a script that goes out to a vendor's website, scans for the latest patch, downloads it for you and then installs it for you. There might be a product already out there similar to this and I am not aware of it. This script would ensure that everyone could update the patches.

I also believe that we (security professionals) have to become more creative in our security solutions. Last week's attacks are proof that there are a lot of admins out there who do not apply patches or take security seriously. Because of this we need to try and make these steps more automated (I sound like microsoft... please forgive me). Scripts like the solaris hardening scripts are great but we need to take it a step further. If anyone has any ideas on different scripts please let me know. I would be interested in hearing what's going on.

Thanks,

-----Original Message-----
From: David Brumley
To: Miller, Toby
Cc: INCIDENTS () SECURITYFOCUS COM
Sent: 2/17/00 12:22 PM
Subject: Re: ddos

Right,

In the short run, use the IDS and remote detectors to make sure your systems are clean. In the medium run, implement a security policy. In the long run, implement an effective plan that makes security easy so everyone buys in.

We did this w/ SULINUX at stanford, and though it only addresses one platform, the number of incidents we've had went significantly down. I've started porting the work to something less "stanford-ized" and will be releasing it on theorygroup.com/Software. (I think I even have a beta up there now...too much work, not enough time to update "outside" projects).

I'm also working on a solaris hardening script. One thing I think we can all do to help security in the long run is badger the various vendors not just to fix holes, but to provide ways to automatically distribute fixes. Right now LINUX leads the pack, since it offers remote FTP install, you can set things up right from the get-go. Solaris requires you to be on the same net (since its automagic install requires bootp, methinks).

Anywho, system security is the only way to assure a protected environment. The way I see it, a firewall mitigates risk for the short term, but for the long term it's not a good plan. Instead, firewalls should be put in place to buy time to implement good host security. (i.e. don't just rely on the moat in front of your castle, have locks on the doors inside too).

-david

On Wed, 16 Feb 2000, Miller, Toby wrote:

All,

IDS signatures are fine IF the attacker uses default settings on tools like TFN and Trinoo. With all of these tools being open source, an attacker can change any or all ports he/she wants. This will ensure communications with the compromised systems will not be detected by IDS. Therefore, we really can not always trust our IDS systems when it comes to attacks such as these. In my opinion there is really no easy answer on how to detect and protect. Knowing and reviewing your systems (including logs and binaries) along with commercial products like firewalls, IDS systems along with a solid security policy will be the one true way of protecting ourselves against attacks like tfn or trinoo.

-----Original Message-----
From:       Ron Gula [SMTP:rgula () SECURITYWIZARDS COM]
Sent:       Tuesday, February 15, 2000 7:26 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject:    Re: ddos

At 10:50 PM 2/14/00 -0000, you wrote:
I wrote tests to detect trinoo, strat., and tfn about 2 months ago. They were going to be released with our security analyzer for the next build, but in light of the problems as of late we have them available for download.

As long as people are talking about detecting these ddos attacks, it may be useful to tell you what we have been seeing with Dragon. We've been running signatures since Thanksgiving which look for tfn, trinoo, tfn2k and a few other ddos attacks. We have seen a lot of people use the free tools which "discover" platforms that may have been compromised. Here is an example:

bash-2.03# sum_event -n | grep TRINOO
[TRINOO:CMD]              6553
bash-2.03# mklog -l -e TRINOO:CMD | more
** Make Logs Tool - Copyright 1999 Network Security Wizards
** http://www.securitywizards.com
** Printing 'dragon.log' style data
** Printing events of type [TRINOO:CMD
** Date: Thursday February 10 2000
17:26:36  [I]  105.152.72.114  105.152.72.1    [TRINOO:CMD] (udp,dp=27444,sp=2209) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.2    [TRINOO:CMD] (udp,dp=27444,sp=2210) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.3    [TRINOO:CMD] (udp,dp=27444,sp=2211) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.5    [TRINOO:CMD] (udp,dp=27444,sp=2213) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.8    [TRINOO:CMD] (udp,dp=27444,sp=2216) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.10   [TRINOO:CMD] (udp,dp=27444,sp=2218) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.11   [TRINOO:CMD] (udp,dp=27444,sp=2219) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.12   [TRINOO:CMD] (udp,dp=27444,sp=2220) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.13   [TRINOO:CMD] (udp,dp=27444,sp=2221) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.23   [TRINOO:CMD] (udp,dp=27444,sp=2231) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.31   [TRINOO:CMD] (udp,dp=27444,sp=2239) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.32   [TRINOO:CMD] (udp,dp=27444,sp=2240) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.33   [TRINOO:CMD] (udp,dp=27444,sp=2241) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.34   [TRINOO:CMD] (udp,dp=27444,sp=2242) (bass.gula.net)
17:26:36  [I]  105.152.72.114  105.152.72.35   [TRINOO:CMD] (udp,dp=27444,sp=2243) (bass.gula.net)

The sweep goes on for several Class C addresses.

For TFN2K, several signatures have been deployed to look for TFN2K traffic on TCP, UDP and ICMP. Strangely enough, the game Halflife tends to false positive the UDP signature somewhat.

Ron Gula, CTO
Network Security Wizards, Inc.
http://www.securitywizards.com


--
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley () Stanford EDU
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp () sunset Stanford EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......
            "I have opinions, my employer does not."
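The Dragon output Ron Gula quotes above shows the pattern a defender can key on: one source hitting many destinations with the same TRINOO:CMD event inside a second or two, with the source port incrementing. The following parser and sweep detector are an added example written for this archive page, not code from Dragon or from any poster; the sensor name, the 192.0.2.0/24 addresses and the log text are constructed. It goes slightly beyond the post by flagging the fan-out itself rather than the port, which is the part of the signal that survives an attacker changing the default port Toby Miller warns about.

```python
import re
from collections import defaultdict

# Matches the dragon.log style lines quoted in the post, e.g.
# 17:26:36  [I]  192.0.2.7  192.0.2.1   [TRINOO:CMD] (udp,dp=27444,sp=2209) (sensor1)
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+\[(?P<dir>\w)\]\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"\[(?P<event>[^\]]+)\]\s+\((?P<proto>\w+),dp=(?P<dp>\d+),sp=(?P<sp>\d+)\)"
    r"\s+\((?P<sensor>\S+)\)"
)

# Constructed sample (not real traffic): a five-host sweep from one source,
# one header line as printed by the mklog tool, and an unrelated single event.
SAMPLE_LOG = """\
** Date: Thursday February 10 2000
17:26:36  [I]  192.0.2.7   192.0.2.1   [TRINOO:CMD] (udp,dp=27444,sp=2209) (sensor1)
17:26:36  [I]  192.0.2.7   192.0.2.2   [TRINOO:CMD] (udp,dp=27444,sp=2210) (sensor1)
17:26:36  [I]  192.0.2.7   192.0.2.3   [TRINOO:CMD] (udp,dp=27444,sp=2211) (sensor1)
17:26:36  [I]  192.0.2.7   192.0.2.5   [TRINOO:CMD] (udp,dp=27444,sp=2213) (sensor1)
17:26:37  [I]  192.0.2.7   192.0.2.8   [TRINOO:CMD] (udp,dp=27444,sp=2216) (sensor1)
17:30:01  [I]  192.0.2.50  192.0.2.9   [TRINOO:CMD] (udp,dp=27444,sp=4000) (sensor1)
"""


def parse_line(line):
    """Return a dict for one dragon.log style event line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dp"], rec["sp"] = int(rec["dp"]), int(rec["sp"])
    h, mi, s = (int(x) for x in rec["time"].split(":"))
    rec["secs"] = h * 3600 + mi * 60 + s  # seconds since midnight, for windowing
    return rec


def find_sweeps(log_text, min_targets=5, window=60):
    """Report each (source, event type) that reaches >= min_targets distinct
    destinations within `window` seconds. The destination port is parsed but
    not relied on, so the fan-out is still visible on a non-default port."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_key[(rec["src"], rec["event"])].append(rec)
    sweeps = []
    for (src, event), recs in by_key.items():
        recs.sort(key=lambda r: r["secs"])
        start = 0
        for end in range(len(recs)):  # sliding window over the sorted events
            while recs[end]["secs"] - recs[start]["secs"] > window:
                start += 1
            targets = {r["dst"] for r in recs[start:end + 1]}
            if len(targets) >= min_targets:
                sweeps.append({"src": src, "event": event, "targets": sorted(targets),
                               "first": recs[start]["time"], "last": recs[end]["time"]})
                break  # report each (src, event) pair once
    return sweeps
```

Running `find_sweeps(SAMPLE_LOG)` reports the 192.0.2.7 sweep and ignores the lone event from 192.0.2.50; lower `min_targets` or widen `window` to tune sensitivity against your own baseline.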
