Кгхм... Та якраз в тій ідеї і була основна передумова - підерів треба мочити всім гуртом. Тільки прослідкувавши ланцюжок атаки. А як інакше?... І, думається, що SP вже давно доросли до такої думки і надають посильну допомогу колегам.
-----Original Message----- From: owner-uanog-outgoing@uanog.kiev.ua [mailto:owner-uanog-outgoing@uanog.kiev.ua] On Behalf Of Dmitry Cherkasov Sent: Friday, January 20, 2006 11:38 AM To: uanog@uanog.kiev.ua Subject: [uanog] Re: RE: DoS SMTP
On Thu, Jan 19, 2006 at 01:17:20PM +0200, Oleh Hrynchuk wrote: OH> OH> Доброго дня. OH> OH> Не для Фрюхи, але ідея повинна бути зрозуміла. OH> Див. аттач.
Нормальна ідея, звичайно, але:
... Second, router access must be available. This can be a hurdle both technically (no access to the routers) and politically (the routers are owned by another entity). However, this can be a coordinated effort, with multiple teams handing off the tracing as each autonomous system boundary is crossed. If the trace is done completely within a single AS, however, many of the political and technical issues may not exist.
Third, the attack must be of a duration that allows for a trace. Short, bursty attacks may not allow for a full trace. While a partial trace may help to narrow the scope of the search, it will not find the culprit. ...
Якщо зловмисник десь поряд, особливих проблем немає. Та чи часто буває таке. Людина добре подумає перед тим, як шкодити своєму ІСП чи його клієнтам..
OH> OH> OH> > -----Original Message----- OH> > From: owner-uanog-outgoing@uanog.kiev.ua OH> > [mailto:owner-uanog-outgoing@uanog.kiev.ua] On Behalf Of > OH> Andrey Nikolaev > Sent: Thursday, January 19, 2006 12:16 PM > To: OH> uanog@uanog.kiev.ua > Subject: [uanog] DoS SMTP > > > Hi! OH> > OH> > тут возникла проблемка, атакуют машинку под freebsd 5.4 smtp > OH> service ... OH> > адреса атаки рассыпаются, тюнинг фри ограничился этим: OH> > net.inet.tcp.msl=7500 OH> > net.inet.tcp.blackhole=2 OH> > net.inet.udp.blackhole=1 OH> > net.inet.icmp.icmplim=100 OH> > OH> > чтото посоветуете ? OH> > как можно все таки найти источник? OH> > OH> > -- OH> > andy@cris.net AN1035-RIPE OH> > OH> =================================================================== OH> > uanog mailing list. OH> > To Unsubscribe: send mail to majordomo@uanog.kiev.ua with > OH> "unsubscribe uanog" in the body of the message
OH> Date: Thu, 24 Apr 2003 08:44:23 +0300 OH> From: яНУПЮМЕМНMicrosoftInternetExplorer5 OH> Subject: Tracking Spoofed IP Addresses Version 2.0 OH> OH> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> OH> <HTML><HEAD><TITLE>Tracking Spoofed IP Addresses Version 2.0</TITLE> OH> <META content="text/html; charset=iso-8859-1" OH> http-equiv=Content-Type> <META content="MSHTML 5.00.3504.2500" OH> name=GENERATOR></HEAD> <BODY> <CENTER> <H1>Tracking Spoofed IP OH> Addresses Version 2.0</H1></CENTER> <CENTER> <H3>By Rob Thomas, <A OH> href="mailto:robt@cymru.com">robt@cymru.com</A>, 08 FEB OH> 2001</H3></CENTER> <CENTER>[ <A OH> href="http://www.cymru.com/Documents/index.html">Documents</A> OH> ] [ <A OH> href="http://www.cymru.com/index.html">Home</A> ] <P><IMG OH> src="http://www.cymru.com/Images/divider.gif"></CENTER> OH> <H2>Introduction</H2>Tracking spoofed IP addresses back to the OH> source can be quite a difficult task. For myriad reasons, such as OH> limited router access, attacks of a short duration, and the manual OH> nature of spoofed address tracking, finding the actual generator of OH> the spoofed packets can be very difficult. For this reason, OH> attackers often use the bogon address ranges, where a bogon address range is any unassigned and likely unrouted (by BGP4 in the Internet) netblock. OH> This includes the RFC1918 addresses as well as a collection of OH> other address spaces, such as 1/8, 169.254/16, and the like. OH> <P>However, with a certain combination of features enabled on a OH> Cisco router, it is possible to determine the source of the spoofed OH> packets. Further, this can be done without the laborious and CPU OH> intensive task of adding ACLs to filter the spoofed packets. The key features are CEF and NetFlow. OH> <P><B>NOTE:</B> Please be aware that router resources are never OH> infinite. Both CEF and NetFlow require resources from the router, OH> and therefore are not entirely immune to issues. NetFlow exports, OH> in particular, may heavily load both the router and the export OH> interface. Please take the time to test your configuration prior to deploying it in production. OH> <P>While this document details a method for tracking the source of OH> a DDoS attack that utilizes spoofed IP addresses, there are several OH> other documents that detail methods of mitigating DDoS attacks. You OH> can view my <A OH> href="http://www.cymru.com/Documents/secure-ios-template.html">Secur OH> e IOS Template</A> and my <A OH> href="http://www.cymru.com/Documents/secure-bgp-template.html">Secur OH> e BGP Template</A> to enhance your router and peering security. OH> There are also several efforts currently underway to block DDoS attacks. Here are a few informative links (thanks to John Kristoff for passing these along): OH> <P>Pushback<BR><A OH> OH> href="http://www.research.att.com/~smb/talks/pushback-dodcert.pdf">h OH> ttp://www.research.att.com/~smb/talks/pushback-dodcert.pdf</A><BR><A OH> OH> href="http://www.aciri.org/floyd/talks/pushback-Nov00.pdf">http://ww OH> w.aciri.org/floyd/talks/pushback-Nov00.pdf</A><BR> OH> <P>Traceback<BR><A OH> OH> href="http://www.cs.washington.edu/homes/savage/traceback.html">http OH> ://www.cs.washington.edu/homes/savage/traceback.html</A><BR><A OH> OH> href="http://www.research.att.com/lists/ietf-itrace/">http://www.res OH> earch.att.com/lists/ietf-itrace/</A><BR> OH> <P>CenterTrack<BR><A OH> OH> href="http://www.nanog.org/mtg-9910/ppt/robert/index.htm">http://www OH> .nanog.org/mtg-9910/ppt/robert/index.htm</A><BR><A OH> OH> href="http://www.us.uu.net/gfx/projects/security/centertrack.pdf">ht OH> tp://www.us.uu.net/gfx/projects/security/centertrack.pdf</A><BR> OH> <P> OH> <H2>Router Configuration</H2>Most high-end Cisco routers on the OH> Internet run either CEF or dCEF. This is because of the large OH> performance gains to be realized with CEF, which stands for Cisco OH> Express Forwarding. CEF has many benefits over fast switching, OH> including a more reliable and sturdy method for building the OH> forwarding table. CEF also offers some security benefits, such as OH> RPF (Reverse Path Forwarding). RPF provides a means of blocking OH> packets that claim to originate from within your network, but OH> present themselves on an external interface. Keep in mind that CEF OH> can be a bit tricky to configure in an environment that has OH> asymmetric data flows. You may wish to review the <A OH> href="http://www.cisco.com/warp/public/cc/pd/iosw/iore/tech/cef_wp.h OH> tm">Cisco CEF White Paper</A>. CEF is, therefore, a wise choice for OH> reasons of performance and security. CEF is enabled on a global OH> basis with the command ip cef. To enable dCEF (Distributed CEF), OH> the global command is ip cef distributed. OH> <P>NetFlow provides a means of mapping traffic flows through a OH> router. This can be of great use for capacity planning, statistical OH> analysis of traffic patterns, and security reviews. Here is a sample of the output from NetFlow: OH> <P><TT>router1#sh ip cache flow</TT> <BR><TT>IP packet size OH> distribution (11319 total packets):</TT> <BR><TT> OH> 1-32 64 96 128 160 OH> 192 224 256 288 320 352 OH> 384 416 448 480</TT> <BR><TT> .000 OH> .016 OH> .002 .002 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 OH> .000</TT><TT></TT> <P><TT> 512 544 OH> 576 1024 1536 2048 2560 3072 3584 OH> 4096 4608</TT> <BR><TT> .000 .000 .000 .000 .976 .000 OH> .000 .000 .000 .000 .000</TT><TT></TT> <P><TT>IP Flow Switching OH> Cache, 278544 bytes</TT> <BR><TT> 1 active, 4095 inactive, 19 OH> added</TT> <BR><TT> 1909 ager polls, 0 flow alloc OH> failures</TT> <BR><TT> last clearing of statistics never</TT> OH> <BR><TT>Protocol OH> Total Flows Packets Bytes OH> Packets OH> Active(Sec) Idle(Sec)</TT> OH> <BR><TT>-------- OH> Flows /Sec OH> /Flow /Pkt OH> /Sec /Flow OH> /Flow</TT> OH> <BR><TT>TCP-Telnet &n OH> bsp; 1 OH> 0.0 OH> 204 47 OH> 0.0 OH> 71.5 OH> 1.3</TT> OH> OH> <BR><TT>UDP-other &nb OH> sp; OH> 7 OH> 0.0 3 OH> 627 OH> 0.0 OH> 8.4 15.3</TT> OH> <BR><TT>ICMP &n OH> bsp; OH> 10 OH> 0.0 OH> 5 91 OH> 0.0 OH> 4.1 15.4</TT> OH> <BR><TT>Total: OH> 18 OH> 0.0 OH> 15 103 OH> 0.0 OH> 9.5 14.6</TT><TT></TT> OH> <P><TT>SrcIf OH> SrcIPaddress OH> DstIf OH> DstIPaddress Pr SrcP DstP Pkts</TT> OH> <BR><TT>Se1 &nb OH> sp; OH> 192.168.88.5 OH> Et0 OH> 192.168.77.2 11 0013 0007 OH> 31</TT> <P>From NetFlow, we can determine our packet distribution, OH> protocol distribution, and current flows. Clearly this is valuable OH> data. Enabling NetFlow is done on a per interface basis with the command: <B>ip route-cache flow</B>. OH> <P>Once both CEF (or dCEF) and NetFlow are enabled on the router, OH> we are ready to begin hunting the source of a spoofed IP address OH> attack. It is recommended that the routers run Cisco IOS 12.0 or better. OH> <H2>Test Topology</H2>In the example scenario, a malicious user on OH> the host sweatpants, IP address 192.168.97.2/24, wishes to flood OH> the host spanky, IP address 192.168.77.2/24, with copious amounts OH> of bogus UDP traffic. To avoid being caught, the miscreant on OH> sweatpants has decided to spoof his address to be 96.170.4.8. The OH> miscreant knows that the entire 96/8 netblock is unassigned, and OH> therefore any packets destined for this network will not arrive at OH> an actual site. The spoofed packets are all destined for UDP port 7, the echo port. The source port is UDP port 19, the chargen port. OH> <P>The network topology is: OH> <P><TT> -----------------</TT> OH> <BR><TT> | spanky SPARC5 OH> |</TT> <BR><TT> | 192.168.77.2/24 OH> |</TT> <BR><TT> OH> -----------------</TT> OH> <BR><TT> OH> OH> | Ethernet</TT> OH> OH> <BR><TT> OH> | e0</TT> <BR><TT> OH> -----------------</TT> <BR><TT> | OH> 192.168.77.1/24 |</TT> <BR><TT> | OH> router1 |</TT> OH> <BR><TT> | 10.10.10.1/30 OH> |</TT> <BR><TT> OH> -----------------</TT> OH> <BR><TT> OH> OH> | s1</TT> OH> OH> <BR><TT> OH> OH> | Serial 64Kb</TT> OH> OH> <BR><TT> OH> | s1</TT> <BR><TT> OH> -----------------</TT> <BR><TT> | OH> 10.10.10.2/30 |</TT> OH> <BR><TT> | OH> router2 |</TT> OH> <BR><TT> | 172.17.50.2/30 |</TT> OH> <BR><TT> -----------------</TT> OH> <BR><TT> OH> OH> | s0</TT> OH> OH> <BR><TT> OH> OH> | Serial 64Kb</TT> OH> OH> <BR><TT> OH> OH> | OH> OH> s0 OH> OH> Ethernet</TT> <BR><TT> OH> --------------------------------- OH> -------------------------</TT> OH> <BR><TT> | OH> 172.17.50.1/30 OH> OH> | OH> OH> | & OH> nbsp; &nb OH> sp; |</TT> <BR><TT> | OH> router3 OH> 10.222.88.1/25 |---| 10.222.88.73/25 router5 |</TT> OH> <BR><TT> | OH> 10.222.88.129/25 &nbs OH> p; OH> | OH> OH> | & OH> nbsp; &nb OH> sp; |</TT> <BR><TT> OH> --------------------------------- OH> -------------------------</TT> OH> OH> <BR><TT> OH> OH> | OH> OH> e1 OH> OH> e0 e0</TT> OH> OH> <BR><TT> OH> OH> | Ethernet</TT> OH> OH> <BR><TT> OH> | e0</TT> <BR><TT> OH> ------------------</TT> <BR><TT> | OH> 10.222.88.144/25 |</TT> <BR><TT> | OH> router4 |</TT> OH> <BR><TT> | 192.168.97.1/24 OH> |</TT> <BR><TT> OH> -----------------</TT> OH> <BR><TT> OH> OH> | e1</TT> OH> OH> <BR><TT> OH> | Ethernet</TT> OH> <BR><TT> OH> ------------------</TT> <BR><TT> | OH> 192.168.97.2/24 |</TT> <BR><TT> OH> | sweatpants Linux |</TT> OH> <BR><TT> OH> ------------------</TT> OH> <P>The routing is configured thusly: OH> <P>spanky <BR> Default route, gateway OH> 192.168.77.1 (router1) OH> <BR>router1 <BR> Default route, gateway OH> 10.10.10.2 (router2) OH> <BR>router2 <BR> Static route 192.168.77.0/24, OH> gateway OH> 10.10.10.1 (router1) <BR> Static route OH> 192.168.97.0/24, gateway 172.17.50.1 (router3) <BR>router3 OH> <BR> Default route, gateway 172.17.50.2 (router2) OH> <BR> Static route 192.168.97.0/24, gateway OH> 10.222.88.144 (router4) <BR>router4 <BR> Default OH> route, gateway 10.222.88.129 (router3) OH> <BR>router5 <BR> Default route, gateway OH> 10.222.88.1 (router3) <BR>sweatpants <BR> Default OH> route, gateway 192.168.97.1 OH> (router4) OH> <P>While static routing was used for this experiment, the OH> experiment is not fundamentally changed by the use of a dynamic OH> routing protocol, such as OSPF or EIGRP. While the responses, to OH> the spoofed address, from spanky might be dropped sooner in the OH> path, the result is the same -- the spoofed packets never make it OH> back to sweatpants, the source of the malevolent data stream. It is OH> not uncommon to find the use of default routes for networks that are singly attached to the Internet. OH> <H2>The Game Begins</H2>Using a packet generator, the attack is OH> launched from sweatpants against spanky. A steady stream of spoofed OH> packets now present themselves on the network interface of spanky. OH> Due to the interrupt saturation and higher than normal CPU load, OH> the attack is detected by the system administrator. The use of the OH> snoop tool (Solaris specific packet sniffer) determines the source OH> IP of the attack, 96.170.4.8. The network and security teams are OH> alerted. Once the source IP address (96.170.4.8) and source port OH> (UDP OH> 19) are noted from the output of snoop, the first step is to login OH> to the border router, router1, and take a look. OH> <P>In this topology, it may seem quite obvious that the source of OH> the spoofed packets, from the perspective of router1, must be the OH> serial interface leading to router2. However, it is wise to OH> validate this assumption to ensure that the source of the spoofed attack is not a host within the same subnet as spanky. OH> First, the NetFlow cache is queried thusly: OH> <P><TT>router1#sh ip cache flow | include 96.170</TT> OH> <BR><TT>Se1 &nb OH> sp; 96.170.4.8 OH> Et0 OH> 192.168.77.2 11 0013 0007 159</TT> OH> <P>Here we see that the source interface of the flow, which is OH> listed in column one, is serial1. So it has been determined that OH> the source is somewhere beyond the border router. Next, CEF is OH> queried. CEF inserts all active sources, on a per interface basis, in its tables. OH> <P><TT>router1#sh ip cef se1</TT> OH> OH> <BR><TT>Prefix OH> Next OH> Hop OH> ; OH> Interface</TT> OH> OH> <BR><TT>0.0.0.0/0 &nb OH> sp; OH> 10.10.10.2 &nbs OH> p; Serial1</TT> OH> <BR><TT>10.10.10.0/30 OH> OH> attached OH> OH> Serial1</TT> OH> <P>Here it is seen that the only next hop, according to the CEF OH> cache, is 10.10.10.2. Consulting the topology above, it is noted OH> that the next hop IP address is router2. The search moves one hop further, to router2. OH> <P>The process is repeated on router2. First, a check of the NetFlow cache: OH> <P><TT>router2#sh ip cache flow | include 96.170</TT> OH> <BR><TT>Se0 &nb OH> sp; 96.170.4.8 OH> Se1 OH> 192.168.77.2 11 0013 0007 299</TT> OH> <P>The source interface of the flow is serial0. Now for a check of OH> the CEF OH> tables: OH> <P><TT>router2#sh ip cef se0</TT> OH> OH> <BR><TT>Prefix OH> Next OH> Hop OH> ; Interface</TT> OH> <BR><TT>172.17.50.0/30 OH> OH> attached OH> Serial0</TT> OH> <BR><TT>192.168.97.0/24 OH> 172.17.50.1 OH> Serial0</TT> <P>Once again, the topology is consulted and it is OH> determined that the next hop listed in the CEF tables, 172.17.50.1, is router3. OH> <P>On router3, the NetFlow tables are examined: OH> <P><TT>router3#sh ip cache flow | include 96.170</TT> OH> <BR><TT>Et1 &nb OH> sp; 96.170.4.8 OH> Se0 OH> 192.168.77.2 11 0013 0007 3235</TT> <P>Ah, OH> perhaps the end is near! The source interface for the flow is Ethernet1. OH> Is the source station directly attached to this router? A check of OH> the CEF tables reveals: OH> <P><TT>router3#sh ip cef et1</TT> OH> OH> <BR><TT>Prefix OH> Next OH> Hop OH> ; Interface</TT> <BR><TT>10.222.88.128/25 OH> OH> attached OH> Ethernet1</TT> OH> <BR><TT>10.222.88.144/32 OH> 10.222.88.144 OH> Ethernet1</TT> <BR><TT>192.168.97.0/24 OH> 10.222.88.144 OH> Ethernet1</TT> <BR><TT>10.222.88.73/32 OH> 10.222.88.73 OH> Ethernet1</TT> <P>This presents a bit of a conundrum; there are two OH> possible sources. It may be necessary to check both IP addresses. First, a check of router5, 10.222.88.73. OH> <P><TT>router5#sh ip cache flow | include 96.170</TT> OH> <BR><TT>router5#</TT> <P>This command returns nothing. After OH> verifying that the attack is still underway, it is obvious that the OH> attacker's data flow does not pass through this router. Moving on to router4 reveals: OH> <P><TT>router4#sh ip cache flow | include 96.170</TT> OH> <BR><TT>Et1 &nb OH> sp; 96.170.4.8 OH> Et0 OH> 192.168.77.2 11 0013 0007 6673</TT> <P>Ah, OH> this looks promising. A quick check of the CEF tables finds: OH> <P><TT>router4#sh ip cef et1</TT> OH> OH> <BR><TT>Prefix OH> Next OH> Hop OH> ; Interface</TT> OH> <BR><TT>192.168.97.0/24 OH> OH> attached OH> Ethernet1</TT> OH> <BR><TT>192.168.97.2/32 OH> 192.168.97.2 OH> Ethernet1</TT> <P>So the only active IP address is 192.168.97.2. OH> Since a quick check of either the MAC address (with sh arp) or OH> other means reveals that this is not a Cisco router, this IP OH> address begins to look more suspect. At this point, network OH> sniffing can be performed to verify that the source IP of the OH> attack, 96.170.4.8, is tied to the MAC address of 192.168.97.2. The source of the spoofed IP addresses has been found. OH> <H2>Limitations</H2>While this method is fast and presents very OH> little impact on the routers, it is not without certain limitations. OH> <P>First, NetFlow must be running on the interfaces. NetFlow can be OH> configured, in real-time, during an attack. The NetFlow data is the key to this method. OH> <P>Second, router access must be available. This can be a hurdle OH> both technically (no access to the routers) and politically (the OH> routers are owned by another entity). However, this can be a OH> coordinated effort, with multiple teams handing off the tracing as OH> each autonomous system boundary is crossed. If the trace is done OH> completely within a single AS, however, many of the political and technical issues may not exist. OH> <P>Third, the attack must be of a duration that allows for a trace. OH> Short, bursty attacks may not allow for a full trace. While a OH> partial trace may help to narrow the scope of the search, it will not find the culprit. OH> <P>Fourth, this method is obviously limited to the Cisco IOS OH> platform. Other platforms, such as a Check Point FireWall-1 OH> firewall, will provide similar tracing capabilities through the OH> rule base or tools such as tcpdump, snoop, and iptrace. However, some platforms may provide no trace method at all. OH> <H2>Conclusion</H2>Uncovering the source of a spoofed IP attack can OH> assure that the attacking host is removed as a threat to all OH> networks. With a few relatively simple and quick steps, the source of such an attack can be revealed. OH> <CENTER> OH> <P><IMG src="http://www.cymru.com/Images/divider.gif"> OH> <P>[ <A OH> href="http://www.cymru.com/Documents/index.html">Documents</A> OH> ] [ <A OH> href="http://www.cymru.com/index.html">Home</A> ] <P>Rob Thomas, <A OH> href="mailto:robt@cymru.com">robt@cymru.com</A>, <A OH> href="http://www.cymru.com/">http://www.cymru.com/</A></CENTER></P>< OH> /BODY></HTML>
-- ------------------------------------------------------- Dmitry Cherkasov ISP "Intercom" (380)44 251-12-88 http://www.intercom.net.ua DC1-UANIC CHD1-RIPE =================================================================== uanog mailing list. To Unsubscribe: send mail to majordomo@uanog.kiev.ua with "unsubscribe uanog" in the body of the message
=================================================================== uanog mailing list. To Unsubscribe: send mail to majordomo@uanog.kiev.ua with "unsubscribe uanog" in the body of the message