Building a honeypot and detecting DDoS attacks


Monitoring Reflective DDoS with Honeypots

Terrence "tuna" Gareau, @kingtuna, github.com/kingtuna
&
Krassimir T. Tzvetanov

Introduction

Goals

“Reproducible data source for DDoS targets that is easy to use and share content”

Summary

Introduction, Problems to Solve, Architecture, Code

Problem

2.1 / DDoS Attack Vectors / As shown in Figure 2-1, infrastructure attacks continue to dominate, increasing 2% from last quarter and accounting for 97% of all DDoS attack activity. The large increases at the infrastructure layer further diminished the percentage of application layer attacks, which have decreased slightly over time.

https://www.akamai.com/us/en/multimedia/documents/report/q4-2015-state-of-the-internet-security-report.pdf

AS       Count  Name
6939      7034  HURRICANE - Hurricane Electric, Inc., US
4134      6663  CHINANET-BACKBONE No.31, Jin-rong Street, CN
7922      3447  COMCAST-7922 - Comcast Cable Communications, Inc., US
16276     3161  OVH OVH SAS, FR
37963     2989  CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co., Ltd., CN
200000    2272  UKRAINE-AS Hosting Ukraine LTD, UA
48347     2056  MTW-AS JSC MediaSoftEkspert, RU
4837      1950  CHINA169-BACKBONE CNCGROUP China169 Backbone, CN
58543     1940  CHINATELECOM-GUANGDONG-IDC Guangdong, CN
7018      1677  ATT-INTERNET4 - AT&T Services, Inc., US
28573     1290  CLARO S.A., BR
701       1216  UUNET - MCI Communications Services, Inc. d/b/a Verizon Business, US
23650      981  CHINANET-JS-AS-AP AS Number for CHINANET jiangsu province backbone, CN
5089       945  NTL Virgin Media Limited, GB
24940      940  HETZNER-AS Hetzner Online GmbH, DE
18881      936  Global Village Telecom, BR
20115      931  CHARTER-NET-HKY-NC - Charter Communications, US
5607       911  BSKYB-BROADBAND-AS Sky UK Limited, GB
13335      783  CLOUDFLARENET - CloudFlare, Inc., US
1221       723  ASN-TELSTRA Telstra Pty Ltd, AU

Our research has pointed something out

DoS Evolution

Reflection and amplification

[Figure: Attacker, Reflector, Victim]
The attacker sends a small request to the reflector with the victim's address as the spoofed source:
  S: 191.236.103.221  D: 3.3.3.3  Size: 64 bytes
The reflector answers the spoofed source, so the larger reply lands on the victim (8x amplification here):
  S: 3.3.3.3  D: 191.236.103.221  Size: 512 bytes

20 million open DNS resolvers, according to the Open Resolver Project (10.15.2015)

Needles are No Longer in Haystacks

There are about 3.7 billion active IPv4 addresses

How many have misconfigured services?

It takes about 8 hours to scan the Internet for a particular service on a $10 VPS

Scanners

Appear as a Victim, Become Exploited, and Log

What Services we support

Port   Service           Provided
19     CHARGEN           x
7      Echo              x
5353   MDNS              x
1434   Mssql
5351   NAT-PMP           x
111    Portmapper        x
27960  Quake
520    RIP
5093   Sentinel          x
161    SNMP              x
1900   SSDP              x
9987   TeamSpeak3        x
7778   UnrealTournament
177    XDMCP             x
500    IKE               x
69     TFTP

Architecture

Sensors -> Message Bus -> Data Store -> Visualize

[Figure: Sensor -> AMQP -> Elasticsearch. Callouts: Understand the Current State; Collaborate; EMAIL; Message Bus; Evaluate Different Risks]

Basics

• Ubuntu 14.04 LTS
• Installs via Bash script
• Runs xinetd, BIND9, NTPD, emulators
• Logs with Bro
• Ships logs with Logstash via AMQP
• Receive and index in Elasticsearch with Logstash via AMQP
• Visualize with Kibana

Simple Sketch

[Figure: Bro -> Logstash on the sensor, SSL AMQP to Logstash on the collector; labels shown: SSL AMQP, Bro, Logstash, Logstash, Bro]

Parse this Nice and Easy with this.

input {
  # Production Logs ##############
  file {
    type => "BRO_connlog"
    path => "/nsm/bro/logs/current/conn.log"
  }
}

filter {
  # BRO_connlog ##################
  if [type] == "BRO_connlog" {
    # Bro's header lines (#separator, #fields, #types, ...) are not records;
    # without this the grok below would capture them as bogus connections.
    if [message] =~ /^#/ {
      drop { }
    }
    grok {
      match => [ "message", "(?<ts>(.*?))\t(?<uid>(.*?))\t(?<id.orig_h>(.*?))\t(?<id.orig_p>(.*?))\t(?<id.resp_h>(.*?))\t(?<id.resp_p>(.*?))\t(?<proto>(.*?))\t(?<service>(.*?))\t(?<duration>(.*?))\t(?<orig_bytes>(.*?))\t(?<resp_bytes>(.*?))\t(?<conn_state>(.*?))\t(?<local_orig>(.*?))\t(?<missed_bytes>(.*?))\t(?<history>(.*?))\t(?<orig_pkts>(.*?))\t(?<orig_ip_bytes>(.*?))\t(?<resp_pkts>(.*?))\t(?<resp_ip_bytes>(.*?))\t(?<tunnel_parents>(.*?))" ]
    }
  }
}


output {
  rabbitmq {
    host          => "host_ip"
    port          => 5671
    ssl           => true
    vhost         => "/amp"
    user          => "USER"
    password      => "PASSWORD"
    exchange      => "amq.direct"
    exchange_type => "direct"
    durable       => true
    persistent    => true
  }
}
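The grok filter above turns each conn.log line into named fields. The script below is an added example, not code from the original deck: it performs the same parse straight from the file, taking the column names from Bro's own #fields header instead of a fixed pattern, and then applies the detection logic the sensor exists for. Because the honeypot never initiates traffic, the source address of a UDP request to one of its amplification services is whatever the sender wrote into the packet, which for a reflection attack is the spoofed victim, and resp_ip_bytes/orig_ip_bytes is the amplification the attacker got from this sensor. The sample log lines are constructed; 3.3.3.3 (reflector) and 191.236.103.221 (victim) are the addresses from the deck's diagram, and AMPLIFICATION_PORTS is this example's own mapping of the deck's supported services plus DNS and NTP, since the sensor runs BIND9 and NTPD.

```python
"""Parse a Bro conn.log and flag reflection/amplification abuse of the honeypot.

Added example; not code from the original deck. Field names follow Bro's
conn.log #fields header (the same names the deck's grok pattern extracts).
The sample log below is constructed; 3.3.3.3 (reflector/honeypot) and
191.236.103.221 (victim) are the addresses from the deck's reflection diagram.
"""
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List

# UDP services from the deck's "What services we support" slide, plus DNS and
# NTP because the sensor also runs BIND9 and NTPD. All can be abused as reflectors.
AMPLIFICATION_PORTS = {
    7: "echo", 19: "chargen", 53: "dns", 69: "tftp", 111: "portmapper",
    123: "ntp", 161: "snmp", 177: "xdmcp", 500: "ike", 520: "rip",
    1434: "mssql", 1900: "ssdp", 5093: "sentinel", 5351: "nat-pmp",
    5353: "mdns", 7778: "unrealtournament", 9987: "teamspeak3", 27960: "quake",
}


def parse_conn_log(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #fields header.

    Bro writes '-' for unset and '(empty)' for empty values; both become ''.
    Header and comment lines start with '#' and carry no records."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if not fields:
            raise ValueError("conn.log record seen before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield {k: ("" if v in ("-", "(empty)") else v)
               for k, v in zip(fields, values)}


def reflection_events(records: Iterable[Dict[str, str]], honeypot_ip: str) -> List[dict]:
    """Keep UDP requests to one of the honeypot's amplification services that got
    a reply larger than the request. The honeypot initiates nothing, so id.orig_h
    is whatever source the sender put in the packet: for a reflection attack that
    is the spoofed victim. resp_ip_bytes/orig_ip_bytes is the amplification the
    attacker obtained from this sensor."""
    events = []
    for r in records:
        if r["proto"] != "udp" or r["id.resp_h"] != honeypot_ip:
            continue
        port = int(r["id.resp_p"])
        if port not in AMPLIFICATION_PORTS:
            continue
        orig = int(r["orig_ip_bytes"] or 0)
        resp = int(r["resp_ip_bytes"] or 0)
        if orig == 0 or resp <= orig:
            continue  # unanswered or no gain: a scan or probe, not an attack
        events.append({
            "ts": float(r["ts"]),
            "victim": r["id.orig_h"],
            "port": port,
            "service": AMPLIFICATION_PORTS[port],
            "amplification": round(resp / orig, 1),
        })
    return events


def victims_report(events: Iterable[dict]) -> Dict[str, dict]:
    """Aggregate per victim: hit count, services abused, best amplification seen."""
    report: Dict[str, dict] = defaultdict(
        lambda: {"hits": 0, "services": set(), "max_amplification": 0.0})
    for e in events:
        v = report[e["victim"]]
        v["hits"] += 1
        v["services"].add(e["service"])
        v["max_amplification"] = max(v["max_amplification"], e["amplification"])
    return {ip: {**v, "services": sorted(v["services"])} for ip, v in report.items()}


# Constructed sample: two hits on the victim (chargen, SSDP), a DNS hit on a second
# victim, an SNMP probe whose reply was smaller than the query, a TCP SYN to 22,
# and an unanswered TFTP request.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes"
    "\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents\n"
    "1456790400.10\tC1\t191.236.103.221\t53021\t3.3.3.3\t19\tudp\t-\t0.0001\t1\t1024\tSHR\t-\t0\tDd\t1\t29\t1\t1052\t(empty)\n"
    "1456790400.20\tC2\t191.236.103.221\t53022\t3.3.3.3\t1900\tudp\t-\t0.0002\t94\t1200\tSHR\t-\t0\tDd\t1\t122\t1\t1228\t(empty)\n"
    "1456790401.00\tC3\t198.51.100.7\t40000\t3.3.3.3\t161\tudp\t-\t0.0003\t40\t36\tSF\t-\t0\tDd\t1\t68\t1\t64\t(empty)\n"
    "1456790402.00\tC4\t198.51.100.9\t40001\t3.3.3.3\t22\ttcp\t-\t0.5\t0\t0\tS0\t-\t0\tS\t1\t60\t0\t0\t(empty)\n"
    "1456790403.00\tC5\t203.0.113.4\t40002\t3.3.3.3\t69\tudp\t-\t0.001\t20\t0\tS0\t-\t0\tD\t1\t48\t0\t0\t-\n"
    "1456790404.00\tC6\t192.0.2.50\t1337\t3.3.3.3\t53\tudp\tdns\t0.0005\t45\t3000\tSF\t-\t0\tDd\t1\t73\t2\t3056\t(empty)\n"
)


def analyse(text: str, honeypot_ip: str = "3.3.3.3") -> Dict[str, dict]:
    """Run the whole pipeline over the text of a conn.log."""
    return victims_report(reflection_events(parse_conn_log(text.splitlines()), honeypot_ip))


if __name__ == "__main__":
    for ip, v in sorted(analyse(SAMPLE_CONN_LOG).items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{ip:16} hits={v['hits']} services={','.join(v['services'])} "
              f"max_amp={v['max_amplification']}x")
```

Run it against a real file with `analyse(open("/nsm/bro/logs/current/conn.log").read(), "<sensor ip>")`. The reply-larger-than-request check is what separates the victims from the scanners that also show up in the same log: a scanner's probe is answered with a small reply and a real victim's spoofed requests get the amplified one.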

Same on the Other End

On the other end of it, where Elasticsearch is being hosted, set the input as amqp and set the output to be elasticsearch. We found it best to use the node type in Logstash for inserting logs into Elasticsearch. FYI, it uses port 9300.

KOPF

Don’t forget to click all the things

Daily Cron

Every day we run a Python script to create the feed.

Recap

[Figure: Bro -> Logstash, SSL AMQP, Logstash -> Python feed data -> Make reports, APIs]

Annoyances (TLP:RED)

Hosting providers responding to abuse….

Code

Extract Data from the Store

We are extracting data out of Elasticsearch with Python. We learned that most errors are coming from Elasticsearch. For Python we like the official library from Elasticsearch the most. We also increased our timeout to 30 from the default 10.


We used Kibana to help us build our queries.
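The daily cron job described under "Daily Cron" and the Elasticsearch extraction described here are the same step: aggregate a day of conn.log records by spoofed source address and write the victim feed. The script below is an added example, not the deck's own cron script. It assumes the Logstash index pattern "logstash-*", an @timestamp field, the field names the deck's grok filter produces (id.orig_h, id.resp_h, id.resp_p, orig_ip_bytes, resp_ip_bytes) and that the two byte fields are mapped as numbers (grok captures strings, so a Logstash mutate/convert is needed before the sums work); the aggregation names, the feed layout and the sample response are this example's own. The official elasticsearch client is created with timeout=30, as the deck recommends, but it is only imported when a host is given, so the script runs offline against the constructed response.

```python
"""Build the daily victim feed from Elasticsearch.

Added example; not the deck's cron script. Assumptions: the Logstash index
pattern "logstash-*", an @timestamp field, the conn.log field names produced by
the deck's grok filter (id.orig_h, id.resp_h, id.resp_p, orig_ip_bytes,
resp_ip_bytes), and that the two byte fields are mapped as numbers (grok yields
strings; a Logstash mutate/convert is needed for the sums below to work).
The aggregation names, the feed layout and the sample response are this
example's own.
"""
import csv
import io
import sys
from datetime import datetime, timedelta, timezone
from typing import List, Optional

INDEX = "logstash-*"
HONEYPOT_IP = "3.3.3.3"  # the reflector address from the deck's diagram


def build_query(honeypot_ip: str, since_iso: str, until_iso: str, size: int = 500) -> dict:
    """Query DSL: UDP records in which the honeypot answered, bucketed by the
    (spoofed) source address, i.e. the victim, with the ports hit and the
    request/response byte totals for an amplification estimate."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"proto": "udp"}},
            {"term": {"id.resp_h": honeypot_ip}},
            {"range": {"@timestamp": {"gte": since_iso, "lt": until_iso}}},
        ]}},
        "aggs": {"victims": {
            "terms": {"field": "id.orig_h", "size": size},
            "aggs": {
                "ports": {"terms": {"field": "id.resp_p", "size": 20}},
                "orig_bytes": {"sum": {"field": "orig_ip_bytes"}},
                "resp_bytes": {"sum": {"field": "resp_ip_bytes"}},
            },
        }},
    }


def feed_from_response(resp: dict, min_amplification: float = 2.0) -> List[dict]:
    """Turn the aggregation response into feed rows. Sources whose traffic got
    less than min_amplification are dropped: those are scanners probing the
    sensor, which the honeypot also logs, not reflection victims."""
    rows = []
    for b in resp["aggregations"]["victims"]["buckets"]:
        orig = b["orig_bytes"]["value"]
        if orig <= 0:
            continue
        amp = b["resp_bytes"]["value"] / orig
        if amp < min_amplification:
            continue
        rows.append({
            "victim": b["key"],
            "hits": b["doc_count"],
            "ports": sorted(int(p["key"]) for p in b["ports"]["buckets"]),
            "amplification": round(amp, 1),
        })
    rows.sort(key=lambda r: (-r["hits"], r["victim"]))
    return rows


def to_csv(rows: List[dict]) -> str:
    """Feed as CSV: victim,hits,ports,amplification (ports joined with ';')."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["victim", "hits", "ports", "amplification"])
    for r in rows:
        w.writerow([r["victim"], r["hits"], ";".join(map(str, r["ports"])), r["amplification"]])
    return buf.getvalue()


# Constructed aggregation response in the shape Elasticsearch returns for build_query():
# a heavily hit victim, a scanner whose replies were smaller than its queries, and a
# second victim hit through DNS.
SAMPLE_RESPONSE = {"aggregations": {"victims": {"buckets": [
    {"key": "191.236.103.221", "doc_count": 1200,
     "ports": {"buckets": [{"key": "19", "doc_count": 900}, {"key": "1900", "doc_count": 300}]},
     "orig_bytes": {"value": 40000.0}, "resp_bytes": {"value": 1500000.0}},
    {"key": "198.51.100.7", "doc_count": 3,
     "ports": {"buckets": [{"key": "161", "doc_count": 3}]},
     "orig_bytes": {"value": 204.0}, "resp_bytes": {"value": 192.0}},
    {"key": "192.0.2.50", "doc_count": 40,
     "ports": {"buckets": [{"key": "53", "doc_count": 40}]},
     "orig_bytes": {"value": 3000.0}, "resp_bytes": {"value": 120000.0}},
]}}}


def run(host: Optional[str] = None) -> str:
    """Last 24 hours of victims as CSV; with no host the constructed sample is used."""
    until = datetime.now(timezone.utc)
    since = until - timedelta(days=1)
    if host is None:
        resp = SAMPLE_RESPONSE
    else:
        from elasticsearch import Elasticsearch  # the official client, as the deck uses
        es = Elasticsearch([host], timeout=30)   # raised from the default 10, per the deck
        resp = es.search(index=INDEX, body=build_query(HONEYPOT_IP, since.isoformat(), until.isoformat()))
    return to_csv(feed_from_response(resp))


if __name__ == "__main__":
    sys.stdout.write(run(sys.argv[1] if len(sys.argv) > 1 else None))
```

Invoke it from cron as `python feed.py es-host:9200 > /var/www/feed/$(date +%F).csv`. The `size: 0` keeps the hits themselves out of the response, which matters when a day holds hundreds of thousands of conn records, and the amplification threshold is applied after aggregation so a scanner that hit the sensor on many ports still ends up as one dropped bucket rather than many rows.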

What have we seen?

99,859 Attacks Observed in Q1 2016

AS       Count  Name
6939      7034  HURRICANE - Hurricane Electric, Inc., US
4134      6663  CHINANET-BACKBONE No.31, Jin-rong Street, CN
7922      3447  COMCAST-7922 - Comcast Cable Communications, Inc., US
16276     3161  OVH OVH SAS, FR
37963     2989  CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co., Ltd., CN
200000    2272  UKRAINE-AS Hosting Ukraine LTD, UA
48347     2056  MTW-AS JSC MediaSoft Ekspert, RU
4837      1950  CHINA169-BACKBONE CNCGROUP China169 Backbone, CN
58543     1940  CHINATELECOM-GUANGDONG-IDC Guangdong, CN
7018      1677  ATT-INTERNET4 - AT&T Services, Inc., US
28573     1290  CLARO S.A., BR
701       1216  UUNET - MCI Communications Services, Inc. d/b/a Verizon Business, US
23650      981  CHINANET-JS-AS-AP AS Number for CHINANET jiangsu province backbone, CN
5089       945  NTL Virgin Media Limited, GB
24940      940  HETZNER-AS Hetzner Online GmbH, DE
18881      936  Global Village Telecom, BR
20115      931  CHARTER-NET-HKY-NC - Charter Communications, US
5607       911  BSKYB-BROADBAND-AS Sky UK Limited, GB
13335      783  CLOUDFLARENET - CloudFlare, Inc., US
1221       723  ASN-TELSTRA Telstra Pty Ltd, AU


These are the best dudes in the world

Zane Witherspoon – San Francisco; Acheleas Mustakis – Athens, Greece

Science should be repeatable and open

RStudio Desktop

https://github.com/kingtuna/Hybrid-Darknet-Concept

Special thanks to A10 Networks, Nexusguard, fsi.io, and Cari.net

Collaborators: Zane Witherspoon, Acheleas Mustakis, and Krassimir

To be added to the list: tuna@nexusguard.com