nanog mailing list archives

Re: Security Guideance

From: "LaDerrick H." <nanog () lacutt com>
Date: Tue, 23 Feb 2010 14:45:05 -0600

On Tue, Feb 23, 2010 at 02:46:54PM -0500, Paul Stewart wrote:

Hi folks...



We have a strange series of events going on in the past while.... Brief
history here, looking for input from the community - especially some of
the security folks on here.



We provide web hosting services - one of our hosting boxes was found a
while back with root kits installed, un patched software and lots of
other "goodies".    With some staff changes in place (don't think I need
to elaborate on that) we are trying to clean up several issues including
this particular server.  A new server was provisioned, patched, and
deployed.  User data was moved over and now the same issue is coming
back....



The problem is that a user on this box appears to be launching high
traffic DOS attacks from it towards other sites.  These are UDP based
floods that move around from time to time - most of these attacks only
last a few minutes.


Counting outbound udp bytes and packets can help spot anomalies.
Something like this would help but may be unwieldy if you have thousands
of users on a single box:

WANIF=eth0
userlist="userA userB user..."
for i in ${userlist}
do
   iptables -N ${i}_UDP
   iptables -I OUTPUT -m owner -o ${WANIF} -p udp --uid-owner ${i} -j ${i}_UDP
done

Then look at counters with:
iptables -nvL OUTPUT | grep _UDP | sort.......

I wouldn't leave this in place full-time for thousands of accounts
though without attempting to measure the impact on network performance.




I've done tcpdumps within seconds of the attack starting and to date
been unable to find the source of this attack (we know the server,
just not sure which customer it is on the server that's been
compromised).  Several hours of scanning for php, cgi, pl type files
have been wasted and come up nowhere...



It's been suggested to dump IDS in front of this box and I know I'll
get some feedback positive and negative in that aspect.



What tools/practices do others use to resolve this issue?  It's  a
Centos 5.4 box running latest Plesk control panel.



Typically we have found it easy to track down the offending script or
program - this time hasn't been easy at all...



Thanks,



Paul












----------------------------------------------------------------------------

"The information transmitted is intended only for the person or entity
to which it is addressed and contains confidential and/or privileged
material. If you received this in error, please contact the sender
immediately and then destroy this transmission, including all
attachments, without copying, distributing or disclosing same. Thank
you."

Current thread:

Re: RE: Security Guideance, (continued)
- - - Message not available
    - Re: RE: Security Guideance Paul Bosworth (Feb 23)
    - Re: Security Guideance Michael Holstein (Feb 23)
    - Re: Security Guideance Chris Adams (Feb 23)
    - RE: Security Guideance Adam Stasiniewicz (Feb 23)
    - Re: Security Guideance Aaron L. Meehan (Feb 24)
  - Re: Security Guideance Dan White (Feb 23)
    - Re: Security Guideance acv (Feb 23)
    - Re: Security Guideance Nathan Ward (Feb 23)
    - RE: Security Guideance Joe (Feb 23)
    - Re: Security Guideance Curtis Maurand (Feb 24)
- Re: Security Guideance LaDerrick H. (Feb 23)
- Re: Security Guideance David Freedman (Feb 23)
- RE: Security Guideance Joe Conlin (Feb 23)
- Re: Security Guideance Nate Itkin (Feb 23)
  - Re: Security Guideance Valdis . Kletnieks (Feb 23)
    - Re: Security Guideance Joel Esler (Feb 23)
- RE: Security Guideance Express Web Systems (Feb 23)
- Re: Security Guideance Gadi Evron (Feb 23)
- Re: Security Guideance Laurens Vets (Feb 24)
- Re: Security Guideance Bill Stewart (Feb 24)