On Thu, Jan 19, 2006 at 01:17:20PM +0200, Oleh Hrynchuk wrote: OH> OH> Доброго дня. OH> OH> Не для Фрюхи, але ідея повинна бути зрозуміла. OH> Див. аттач. Нормальна ідея, звичайно, але: ... Second, router access must be available. This can be a hurdle both technically (no access to the routers) and politically (the routers are owned by another entity). However, this can be a coordinated effort, with multiple teams handing off the tracing as each autonomous system boundary is crossed. If the trace is done completely within a single AS, however, many of the political and technical issues may not exist. Third, the attack must be of a duration that allows for a trace. Short, bursty attacks may not allow for a full trace. While a partial trace may help to narrow the scope of the search, it will not find the culprit. ... Якщо зловмисник десь поряд, особливих проблем немає. Та чи часто буває таке. Людина добре подумає перед тим, як шкодити своєму ІСП чи його клієнтам.. OH> OH> OH> > -----Original Message----- OH> > From: owner-uanog-outgoing@uanog.kiev.ua OH> > [mailto:owner-uanog-outgoing@uanog.kiev.ua] On Behalf Of OH> > Andrey Nikolaev OH> > Sent: Thursday, January 19, 2006 12:16 PM OH> > To: uanog@uanog.kiev.ua OH> > Subject: [uanog] DoS SMTP OH> > OH> > OH> > Hi! OH> > OH> > тут возникла проблемка, атакуют машинку под freebsd 5.4 smtp OH> > service ... OH> > адреса атаки рассыпаются, тюнинг фри ограничился этим: OH> > net.inet.tcp.msl=7500 OH> > net.inet.tcp.blackhole=2 OH> > net.inet.udp.blackhole=1 OH> > net.inet.icmp.icmplim=100 OH> > OH> > чтото посоветуете ? OH> > как можно все таки найти источник? OH> > OH> > -- OH> > andy@cris.net AN1035-RIPE OH> > =================================================================== OH> > uanog mailing list. OH> > To Unsubscribe: send mail to majordomo@uanog.kiev.ua with OH> > "unsubscribe uanog" in the body of the message OH> Date: Thu, 24 Apr 2003 08:44:23 +0300 OH> From: яНУПЮМЕМНMicrosoftInternetExplorer5 OH> Subject: Tracking Spoofed IP Addresses Version 2.0 OH> OH> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> OH> <HTML><HEAD><TITLE>Tracking Spoofed IP Addresses Version 2.0</TITLE> OH> <META content="text/html; charset=iso-8859-1" http-equiv=Content-Type> OH> <META content="MSHTML 5.00.3504.2500" name=GENERATOR></HEAD> OH> <BODY> OH> <CENTER> OH> <H1>Tracking Spoofed IP Addresses Version 2.0</H1></CENTER> OH> <CENTER> OH> <H3>By Rob Thomas, <A href="mailto:robt@cymru.com">robt@cymru.com</A>, 08 FEB OH> 2001</H3></CENTER> OH> <CENTER>[ <A href="http://www.cymru.com/Documents/index.html">Documents</A> OH> ] [ <A OH> href="http://www.cymru.com/index.html">Home</A> ] OH> <P><IMG src="http://www.cymru.com/Images/divider.gif"></CENTER> OH> <H2>Introduction</H2>Tracking spoofed IP addresses back to the source can be OH> quite a difficult task. For myriad reasons, such as limited router access, OH> attacks of a short duration, and the manual nature of spoofed address tracking, OH> finding the actual generator of the spoofed packets can be very difficult. For OH> this reason, attackers often use the bogon address ranges, where a bogon address OH> range is any unassigned and likely unrouted (by BGP4 in the Internet) netblock. OH> This includes the RFC1918 addresses as well as a collection of other address OH> spaces, such as 1/8, 169.254/16, and the like. OH> <P>However, with a certain combination of features enabled on a Cisco router, it OH> is possible to determine the source of the spoofed packets. Further, this can be OH> done without the laborious and CPU intensive task of adding ACLs to filter the OH> spoofed packets. The key features are CEF and NetFlow. OH> <P><B>NOTE:</B> Please be aware that router resources are never infinite. Both OH> CEF and NetFlow require resources from the router, and therefore are not OH> entirely immune to issues. NetFlow exports, in particular, may heavily load both OH> the router and the export interface. Please take the time to test your OH> configuration prior to deploying it in production. OH> <P>While this document details a method for tracking the source of a DDoS attack OH> that utilizes spoofed IP addresses, there are several other documents that OH> detail methods of mitigating DDoS attacks. You can view my <A OH> href="http://www.cymru.com/Documents/secure-ios-template.html">Secure IOS OH> Template</A> and my <A OH> href="http://www.cymru.com/Documents/secure-bgp-template.html">Secure BGP OH> Template</A> to enhance your router and peering security. There are also several OH> efforts currently underway to block DDoS attacks. Here are a few informative OH> links (thanks to John Kristoff for passing these along): OH> <P>Pushback<BR><A OH> href="http://www.research.att.com/~smb/talks/pushback-dodcert.pdf">http://www.research.att.com/~smb/talks/pushback-dodcert.pdf</A><BR><A OH> href="http://www.aciri.org/floyd/talks/pushback-Nov00.pdf">http://www.aciri.org/floyd/talks/pushback-Nov00.pdf</A><BR> OH> <P>Traceback<BR><A OH> href="http://www.cs.washington.edu/homes/savage/traceback.html">http://www.cs.washington.edu/homes/savage/traceback.html</A><BR><A OH> href="http://www.research.att.com/lists/ietf-itrace/">http://www.research.att.com/lists/ietf-itrace/</A><BR> OH> <P>CenterTrack<BR><A OH> href="http://www.nanog.org/mtg-9910/ppt/robert/index.htm">http://www.nanog.org/mtg-9910/ppt/robert/index.htm</A><BR><A OH> href="http://www.us.uu.net/gfx/projects/security/centertrack.pdf">http://www.us.uu.net/gfx/projects/security/centertrack.pdf</A><BR> OH> <P> OH> <H2>Router Configuration</H2>Most high-end Cisco routers on the Internet run OH> either CEF or dCEF. This is because of the large performance gains to be OH> realized with CEF, which stands for Cisco Express Forwarding. CEF has many OH> benefits over fast switching, including a more reliable and sturdy method for OH> building the forwarding table. CEF also offers some security benefits, such as OH> RPF (Reverse Path Forwarding). RPF provides a means of blocking packets that OH> claim to originate from within your network, but present themselves on an OH> external interface. Keep in mind that CEF can be a bit tricky to configure in an OH> environment that has asymmetric data flows. You may wish to review the <A OH> href="http://www.cisco.com/warp/public/cc/pd/iosw/iore/tech/cef_wp.htm">Cisco OH> CEF White Paper</A>. CEF is, therefore, a wise choice for reasons of performance OH> and security. CEF is enabled on a global basis with the command ip cef. To OH> enable dCEF (Distributed CEF), the global command is ip cef distributed. OH> <P>NetFlow provides a means of mapping traffic flows through a router. This can OH> be of great use for capacity planning, statistical analysis of traffic patterns, OH> and security reviews. Here is a sample of the output from NetFlow: OH> <P><TT>router1#sh ip cache flow</TT> <BR><TT>IP packet size distribution (11319 OH> total packets):</TT> <BR><TT> 1-32 64 OH> 96 128 160 192 224 256 288 320 OH> 352 384 416 448 480</TT> <BR><TT> .000 .016 OH> .002 .002 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000</TT><TT></TT> OH> <P><TT> 512 544 576 1024 1536 2048 2560 3072 3584 OH> 4096 4608</TT> <BR><TT> .000 .000 .000 .000 .976 .000 .000 .000 .000 OH> .000 .000</TT><TT></TT> OH> <P><TT>IP Flow Switching Cache, 278544 bytes</TT> <BR><TT> 1 active, 4095 OH> inactive, 19 added</TT> <BR><TT> 1909 ager polls, 0 flow alloc OH> failures</TT> <BR><TT> last clearing of statistics never</TT> OH> <BR><TT>Protocol OH> Total Flows Packets Bytes Packets OH> Active(Sec) Idle(Sec)</TT> OH> <BR><TT>-------- OH> Flows /Sec /Flow OH> /Pkt /Sec OH> /Flow /Flow</TT> OH> <BR><TT>TCP-Telnet OH> 1 0.0 OH> 204 47 OH> 0.0 71.5 OH> 1.3</TT> OH> <BR><TT>UDP-other OH> 7 OH> 0.0 3 OH> 627 0.0 OH> 8.4 15.3</TT> OH> <BR><TT>ICMP OH> 10 OH> 0.0 5 OH> 91 0.0 OH> 4.1 15.4</TT> OH> <BR><TT>Total: OH> 18 0.0 OH> 15 103 OH> 0.0 9.5 OH> 14.6</TT><TT></TT> OH> <P><TT>SrcIf OH> SrcIPaddress OH> DstIf OH> DstIPaddress Pr SrcP DstP Pkts</TT> OH> <BR><TT>Se1 OH> 192.168.88.5 OH> Et0 OH> 192.168.77.2 11 0013 0007 31</TT> OH> <P>From NetFlow, we can determine our packet distribution, protocol OH> distribution, and current flows. Clearly this is valuable data. Enabling NetFlow OH> is done on a per interface basis with the command: <B>ip route-cache flow</B>. OH> <P>Once both CEF (or dCEF) and NetFlow are enabled on the router, we are ready OH> to begin hunting the source of a spoofed IP address attack. It is recommended OH> that the routers run Cisco IOS 12.0 or better. OH> <H2>Test Topology</H2>In the example scenario, a malicious user on the host OH> sweatpants, IP address 192.168.97.2/24, wishes to flood the host spanky, IP OH> address 192.168.77.2/24, with copious amounts of bogus UDP traffic. To avoid OH> being caught, the miscreant on sweatpants has decided to spoof his address to be OH> 96.170.4.8. The miscreant knows that the entire 96/8 netblock is unassigned, and OH> therefore any packets destined for this network will not arrive at an actual OH> site. The spoofed packets are all destined for UDP port 7, the echo port. The OH> source port is UDP port 19, the chargen port. OH> <P>The network topology is: OH> <P><TT> -----------------</TT> OH> <BR><TT> | spanky SPARC5 |</TT> OH> <BR><TT> | 192.168.77.2/24 |</TT> OH> <BR><TT> -----------------</TT> OH> <BR><TT> OH> | Ethernet</TT> OH> <BR><TT> OH> | e0</TT> <BR><TT> -----------------</TT> OH> <BR><TT> | 192.168.77.1/24 |</TT> OH> <BR><TT> | OH> router1 |</TT> OH> <BR><TT> | 10.10.10.1/30 |</TT> OH> <BR><TT> -----------------</TT> OH> <BR><TT> OH> | s1</TT> OH> <BR><TT> OH> | Serial 64Kb</TT> OH> <BR><TT> OH> | s1</TT> <BR><TT> -----------------</TT> OH> <BR><TT> | 10.10.10.2/30 |</TT> OH> <BR><TT> | OH> router2 |</TT> OH> <BR><TT> | 172.17.50.2/30 |</TT> OH> <BR><TT> -----------------</TT> OH> <BR><TT> OH> | s0</TT> OH> <BR><TT> OH> | Serial 64Kb</TT> OH> <BR><TT> OH> | OH> s0 OH> Ethernet</TT> <BR><TT> OH> --------------------------------- OH> -------------------------</TT> <BR><TT> | OH> 172.17.50.1/30 OH> | OH> | OH> |</TT> <BR><TT> | OH> router3 10.222.88.1/25 OH> |---| 10.222.88.73/25 router5 |</TT> <BR><TT> | OH> 10.222.88.129/25 OH> | OH> | OH> |</TT> <BR><TT> OH> --------------------------------- OH> -------------------------</TT> OH> <BR><TT> OH> | OH> e1 OH> e0 e0</TT> OH> <BR><TT> OH> | Ethernet</TT> OH> <BR><TT> OH> | e0</TT> <BR><TT> ------------------</TT> OH> <BR><TT> | 10.222.88.144/25 |</TT> OH> <BR><TT> | OH> router4 |</TT> OH> <BR><TT> | 192.168.97.1/24 |</TT> OH> <BR><TT> -----------------</TT> OH> <BR><TT> OH> | e1</TT> OH> <BR><TT> OH> | Ethernet</TT> <BR><TT> OH> ------------------</TT> <BR><TT> | OH> 192.168.97.2/24 |</TT> <BR><TT> | sweatpants OH> Linux |</TT> <BR><TT> OH> ------------------</TT> OH> <P>The routing is configured thusly: OH> <P>spanky <BR> Default route, gateway 192.168.77.1 (router1) OH> <BR>router1 <BR> Default route, gateway 10.10.10.2 (router2) OH> <BR>router2 <BR> Static route 192.168.77.0/24, gateway OH> 10.10.10.1 (router1) <BR> Static route 192.168.97.0/24, OH> gateway 172.17.50.1 (router3) <BR>router3 <BR> Default route, OH> gateway 172.17.50.2 (router2) <BR> Static route OH> 192.168.97.0/24, gateway 10.222.88.144 (router4) <BR>router4 OH> <BR> Default route, gateway 10.222.88.129 (router3) OH> <BR>router5 <BR> Default route, gateway 10.222.88.1 (router3) OH> <BR>sweatpants <BR> Default route, gateway 192.168.97.1 OH> (router4) OH> <P>While static routing was used for this experiment, the experiment is not OH> fundamentally changed by the use of a dynamic routing protocol, such as OSPF or OH> EIGRP. While the responses, to the spoofed address, from spanky might be dropped OH> sooner in the path, the result is the same -- the spoofed packets never make it OH> back to sweatpants, the source of the malevolent data stream. It is not uncommon OH> to find the use of default routes for networks that are singly attached to the OH> Internet. OH> <H2>The Game Begins</H2>Using a packet generator, the attack is launched from OH> sweatpants against spanky. A steady stream of spoofed packets now present OH> themselves on the network interface of spanky. Due to the interrupt saturation OH> and higher than normal CPU load, the attack is detected by the system OH> administrator. The use of the snoop tool (Solaris specific packet sniffer) OH> determines the source IP of the attack, 96.170.4.8. The network and security OH> teams are alerted. Once the source IP address (96.170.4.8) and source port (UDP OH> 19) are noted from the output of snoop, the first step is to login to the border OH> router, router1, and take a look. OH> <P>In this topology, it may seem quite obvious that the source of the spoofed OH> packets, from the perspective of router1, must be the serial interface leading OH> to router2. However, it is wise to validate this assumption to ensure that the OH> source of the spoofed attack is not a host within the same subnet as spanky. OH> First, the NetFlow cache is queried thusly: OH> <P><TT>router1#sh ip cache flow | include 96.170</TT> OH> <BR><TT>Se1 OH> 96.170.4.8 OH> Et0 OH> 192.168.77.2 11 0013 0007 159</TT> OH> <P>Here we see that the source interface of the flow, which is listed in column OH> one, is serial1. So it has been determined that the source is somewhere beyond OH> the border router. Next, CEF is queried. CEF inserts all active sources, on a OH> per interface basis, in its tables. OH> <P><TT>router1#sh ip cef se1</TT> OH> <BR><TT>Prefix OH> Next Hop OH> Interface</TT> OH> <BR><TT>0.0.0.0/0 OH> 10.10.10.2 OH> Serial1</TT> <BR><TT>10.10.10.0/30 OH> attached OH> Serial1</TT> OH> <P>Here it is seen that the only next hop, according to the CEF cache, is OH> 10.10.10.2. Consulting the topology above, it is noted that the next hop IP OH> address is router2. The search moves one hop further, to router2. OH> <P>The process is repeated on router2. First, a check of the NetFlow cache: OH> <P><TT>router2#sh ip cache flow | include 96.170</TT> OH> <BR><TT>Se0 OH> 96.170.4.8 OH> Se1 OH> 192.168.77.2 11 0013 0007 299</TT> OH> <P>The source interface of the flow is serial0. Now for a check of the CEF OH> tables: OH> <P><TT>router2#sh ip cef se0</TT> OH> <BR><TT>Prefix OH> Next Hop OH> Interface</TT> <BR><TT>172.17.50.0/30 OH> attached OH> Serial0</TT> <BR><TT>192.168.97.0/24 OH> 172.17.50.1 Serial0</TT> OH> <P>Once again, the topology is consulted and it is determined that the next hop OH> listed in the CEF tables, 172.17.50.1, is router3. OH> <P>On router3, the NetFlow tables are examined: OH> <P><TT>router3#sh ip cache flow | include 96.170</TT> OH> <BR><TT>Et1 OH> 96.170.4.8 OH> Se0 OH> 192.168.77.2 11 0013 0007 3235</TT> OH> <P>Ah, perhaps the end is near! The source interface for the flow is Ethernet1. OH> Is the source station directly attached to this router? A check of the CEF OH> tables reveals: OH> <P><TT>router3#sh ip cef et1</TT> OH> <BR><TT>Prefix OH> Next Hop OH> Interface</TT> <BR><TT>10.222.88.128/25 OH> attached OH> Ethernet1</TT> <BR><TT>10.222.88.144/32 OH> 10.222.88.144 Ethernet1</TT> OH> <BR><TT>192.168.97.0/24 OH> 10.222.88.144 Ethernet1</TT> OH> <BR><TT>10.222.88.73/32 OH> 10.222.88.73 Ethernet1</TT> OH> <P>This presents a bit of a conundrum; there are two possible sources. It may be OH> necessary to check both IP addresses. First, a check of router5, 10.222.88.73. OH> <P><TT>router5#sh ip cache flow | include 96.170</TT> <BR><TT>router5#</TT> OH> <P>This command returns nothing. After verifying that the attack is still OH> underway, it is obvious that the attacker's data flow does not pass through this OH> router. Moving on to router4 reveals: OH> <P><TT>router4#sh ip cache flow | include 96.170</TT> OH> <BR><TT>Et1 OH> 96.170.4.8 OH> Et0 OH> 192.168.77.2 11 0013 0007 6673</TT> OH> <P>Ah, this looks promising. A quick check of the CEF tables finds: OH> <P><TT>router4#sh ip cef et1</TT> OH> <BR><TT>Prefix OH> Next Hop OH> Interface</TT> <BR><TT>192.168.97.0/24 OH> attached OH> Ethernet1</TT> <BR><TT>192.168.97.2/32 OH> 192.168.97.2 Ethernet1</TT> OH> <P>So the only active IP address is 192.168.97.2. Since a quick check of either OH> the MAC address (with sh arp) or other means reveals that this is not a Cisco OH> router, this IP address begins to look more suspect. At this point, network OH> sniffing can be performed to verify that the source IP of the attack, OH> 96.170.4.8, is tied to the MAC address of 192.168.97.2. The source of the OH> spoofed IP addresses has been found. OH> <H2>Limitations</H2>While this method is fast and presents very little impact on OH> the routers, it is not without certain limitations. OH> <P>First, NetFlow must be running on the interfaces. NetFlow can be configured, OH> in real-time, during an attack. The NetFlow data is the key to this method. OH> <P>Second, router access must be available. This can be a hurdle both OH> technically (no access to the routers) and politically (the routers are owned by OH> another entity). However, this can be a coordinated effort, with multiple teams OH> handing off the tracing as each autonomous system boundary is crossed. If the OH> trace is done completely within a single AS, however, many of the political and OH> technical issues may not exist. OH> <P>Third, the attack must be of a duration that allows for a trace. Short, OH> bursty attacks may not allow for a full trace. While a partial trace may help to OH> narrow the scope of the search, it will not find the culprit. OH> <P>Fourth, this method is obviously limited to the Cisco IOS platform. Other OH> platforms, such as a Check Point FireWall-1 firewall, will provide similar OH> tracing capabilities through the rule base or tools such as tcpdump, snoop, and OH> iptrace. However, some platforms may provide no trace method at all. OH> <H2>Conclusion</H2>Uncovering the source of a spoofed IP attack can assure that OH> the attacking host is removed as a threat to all networks. With a few relatively OH> simple and quick steps, the source of such an attack can be revealed. OH> <CENTER> OH> <P><IMG src="http://www.cymru.com/Images/divider.gif"> OH> <P>[ <A href="http://www.cymru.com/Documents/index.html">Documents</A> OH> ] [ <A OH> href="http://www.cymru.com/index.html">Home</A> ] OH> <P>Rob Thomas, <A href="mailto:robt@cymru.com">robt@cymru.com</A>, <A OH> href="http://www.cymru.com/">http://www.cymru.com/</A></CENTER></P></BODY></HTML> -- ------------------------------------------------------- Dmitry Cherkasov ISP "Intercom" (380)44 251-12-88 http://www.intercom.net.ua DC1-UANIC CHD1-RIPE =================================================================== uanog mailing list. To Unsubscribe: send mail to majordomo@uanog.kiev.ua with "unsubscribe uanog" in the body of the message