MonitoringReflectiveDDoSwithHoneypots

Terrence"tuna"Gareau@kingtuna

Github.com/kingtuna&

Krassimir T.Tzvetanov

Introduction

Goals

“ReproducibledatasourceforDDoS targetsthatiseasytouseandsharecontent”

Summary

IntroductionProblemstoSolveArchitectureCode

Problem

Problem

Problem

Problem

Problem

Problem

2.1 / DDoS Attack Vectors / As shown in Figure 2-1, infrastructure attacks continue to dominate, increasing 2% from last quarter and accounting for 97% of all DDoS attack activity. The large increases at the infrastructure layer further diminished the percentage of application layer attacks, which have decreased slightly over time.

https://www.akamai.com/us/en/multimedia/documents/report/q4-2015-state-of-the-internet-security-report.pdf

• (AS) (Count)• 6939 7034 HURRICANE - Hurricane Electric, Inc.,US• 4134 6663 CHINANET-BACKBONE No.31,Jin-rong Street,CN• 7922 3447 COMCAST-7922 - Comcast Cable Communications, Inc.,US• 16276 3161 OVH OVH SAS,FR• 37963 2989 CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd.,CN• 200000 2272 UKRAINE-AS Hosting Ukraine LTD,UA• 48347 2056 MTW-AS JSC MediaSoftEkspert,RU• 4837 1950 CHINA169-BACKBONE CNCGROUP China169 Backbone,CN• 58543 1940 CHINATELECOM-GUANGDONG-IDC Guangdong,CN• 7018 1677 ATT-INTERNET4 - AT&T Services, Inc.,US• 28573 1290 CLARO S.A.,BR• 701 1216 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business,US• 23650 981 CHINANET-JS-AS-AP AS Number for CHINANET jiangsu province backbone,CN• 5089 945 NTL Virgin Media Limited,GB• 24940 940 HETZNER-AS Hetzner Online GmbH,DE• 18881 936 Global Village Telecom,BR• 20115 931 CHARTER-NET-HKY-NC - Charter Communications,US• 5607 911 BSKYB-BROADBAND-AS Sky UK Limited,GB• 13335 783 CLOUDFLARENET - CloudFlare, Inc.,US• 1221 723 ASN-TELSTRA Telstra Pty Ltd,AU

Ourresearchhaspointedsomethingout

DoSEvolution

Reflectionandamplification

S:191.236.103.221D:3.3.3.3Size:64bytes

S:3.3.3.3D:191.236.103.221Size:512bytes

Attacker

Victim

Victim

Attacker

Reflector

Reflector

20MillionOpen DNS Resolvers According to Open Resolver Project (10.15.2015)

NeedlesareNoLongerinHaystacks

Thereisabout3.7BillionActiveIPv4Addresses

Howmanyhavemisconfiguredservices?

Ittakesabout8hourstoscantheInternetforaparticularserviceona$10VPS

Scanners

AppearasaVictim,BecomeExploited,andLog

WhatServiceswesupport

PORT Service Provide19 CHARGEN x7 Echo x5353 MDNS x1434 Mssql5351 NAT-PMP x111 Portmapper x27960 Quake520 RIP5093 Sentinal x161 SNMP x1900 SSDP x

9987 TeamSpeak3, x

7778 UnrealTournament177 XDMCP x500 IKE x69 TFTP

Architecture

Sensors->MessageBus->DataStore->Visualize

Sensor AMQP Elasticsearch

UnderstandtheCurrentState

Collaborate

EMAIL

MessageBus

EvaluateDifferentRisks

Basics

• Ubuntu14.04LTS• InstallsviaBashScript• RunsXinetd,Bind9,NTPD,Emulators• LogswithBRO• Shipslogswithlogstash viaAMQP• Receiveandindexinelasticsearch withLogstash viaAMQP• VisualizewithKibana

SimpleSketch

SimpleSketch

SSL AMQP

Bro

Logstash

Logstash

Bro

ParsethisNiceandEasywiththis.

ParsethisNiceandEasywiththis.

input{

#ProductionLogs#############################file{type=>"BRO_connlog"path=>"/nsm/bro/logs/current/conn.log"}

#BRO_connlog######################if[type]=="BRO_connlog"{grok{

match=>["message","(?<ts>(.*?))\t(?<uid>(.*?))\t(?<id.orig_h>(.*?))\t(?<id.orig_p>(.*?))\t(?<id.resp_h>(.*?))\t(?<id.resp_p>(.*?))\t(?<proto>(.*?))\t(?<service>(.*?))\t(?<duration>(.*?))\t(?<orig_bytes>(.*?))\t(?<resp_bytes>(.*?))\t(?<conn_state>(.*?))\t(?<local_orig>(.*?))\t(?<missed_bytes>(.*?))\t(?<history>(.*?))\t(?<orig_pkts>(.*?))\t(?<orig_ip_bytes>(.*?))\t(?<resp_pkts>(.*?))\t(?<resp_ip_bytes>(.*?))\t(?<tunnel_parents>(.*?))" ]}}

ParsethisNiceandEasywiththis.

output {rabbitmq {

user => "USER"exchange_type => "direct"password => "PASSWORD"exchange => "amq.direct"vhost => "/amp"durable => truessl => trueport => 5671persistent => truehost => "hose_ip"

}}

SameontheOtherEnd

Ontheotherendofit,whereelasticsearch isbeinghosted, set the inputasamqpandsettheoutput tobeelasticsearch.Wefounditbesttouse thenodetypein logstash forinserting logs intoelasticsearch.FYIituses port9300.

SameontheOtherEnd

KOPF

SameontheOtherEnd

KOPF

SameontheOtherEnd

Don’t forget to click all the things

DailyCron

Everyday werunapythonscripttocreatethefeed.

Recap

SSL AMQP

Bro

Logstash

Logstash

Python Feed Data

MakeReports

API’s

AnnoyancesTLP:RED

Hosting Providers responding to abuse….

Code

ExtractDatafromtheStore

WeareextractingdataoutofElasticsearchwithPython.WelearnedthatmosterrorsarecomingfromElasticsearch.Forpythonweliketheofficiallibraryfromelasticsearchthemost.Wealsoincreasedourtimeoutto30fromthedefault10.

ExtractDatafromtheStore

Weusedkibanatohelpusbuildourqueries

Whathaveweseen?

99,859 Attacks Observed in

Q1 2016

Whathaveweseen?

(AS) (Count)6939 7034 HURRICANE - Hurricane Electric, Inc.,US4134 6663 CHINANET-BACKBONE No.31,Jin-rong Street,CN7922 3447 COMCAST-7922 - Comcast Cable Communications, 16276 3161 OVH OVH SAS,FR37963 2989 CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba200000 2272 UKRAINE-AS Hosting Ukraine LTD,UA48347 2056 MTW-AS JSC MediaSoft Ekspert,RU4837 1950 CHINA169-BACKBONE CNCGROUP China169 58543 1940 CHINATELECOM-GUANGDONG-IDC Guangdong,CN7018 1677 ATT-INTERNET4 - AT&T Services, Inc.,US28573 1290 CLARO S.A.,BR701 1216 UUNET - MCI Communications Services, Inc23650 981 CHINANET-JS-AS-AP AS Number for CHINANET backbone,CN5089 945 NTL Virgin Media Limited,GB24940 940 HETZNER-AS Hetzner Online GmbH,DE18881 936 Global Village Telecom,BR20115 931 CHARTER-NET-HKY-NC - Charter Communications,US5607 911 BSKYB-BROADBAND-AS Sky UK Limited,GB13335 783 CLOUDFLARENET - CloudFlare, Inc.,US1221 723 ASN-TELSTRA Telstra PtyLtd,AU

Whathaveweseen?

Whathaveweseen?

Whathaveweseen?

Whathaveweseen?

Whathaveweseen?

Whathaveweseen?

Thesearethebestdudesintheworld

ZaneWitherspoon – SanFrancisco Acheleas Mustakis – Athens,Greece

Scienceshouldberepeatableandopen

RStudio Desktop

https://github.com/kingtuna/Hybrid-Darknet-ConceptSpecial thanksto- A10Networks,Nexusguard, fsi.io,andCari.net

Collaborators: ZaneWitherspoon,Acheleas Mustakis,andKrassimir

Scienceshouldberepeatableandopen

https://github.com/kingtuna/Hybrid-Darknet-ConceptTobeaddedtothelisttuna@nexusguard.com