SANS Internet Storm Center - FIRST


SANS Internet Storm Center
Johannes Ullrich, Ph.D.
Chief Research Officer, SANS Institute
SANS Institute 2004
http://isc.sans.org

Outline
- Internet Storm Center and DShield
- Global Collaborative Incident Handling: DNS Poisoning
- Outlook / Future Threats
- Q&A

Internet Storm Center & DShield
- Large global firewall log database.
- Used to disseminate results and collect individual reports.
- Automated data collection and reporting.
- Tool to detect long-term trends as well as fast-moving outbreaks.
- Analysis of reports (from ISC readers as well as DShield) performed by 40 volunteer "handlers".

DShield.org
- Sensors worldwide covering about 500,000 routable IP addresses.
- Data load approaching 1 billion reports / month.
- We only collect simple header information (source/target IP and port, time stamp, flags).
- System designed for fast detection of new trends and used as an aid to focus handlers' attention on new traffic patterns.

Information Flow (diagram)

DShield Reports Demo
- Public page: http://www.dshield.org
- Reports for submitters: https://secure.dshield.org
  e-mail: demo@dshield.org, userid: 11111

Sign Up!
http://www.dshield.org/howto.php
Supported firewalls and log formats:
- 8Signs Firewall; Agnitum Outpost; AnalogX PortBlocker; Asante FriendlyNET, D-Link, U.S. Robotics, and SMC Barricade routers using RouterLog; BlackIce Defender; eSoft Instagate Firewall; Kerio (formerly Tiny) Personal Firewall; Kerio (formerly Tiny) Software WinRoute Pro; Asante FriendlyNet VR2004AC, VR2004C; Billion; Bintec; Buffalo; Checkpoint VPN-1 Edge; Cisco ACL (IOS); Cisco PIX; Clavister Firewall; D-Link; Fortigate; Gentek; IPChains; IPTables; Level One; Linksys Router; m0n0wall Firewall; Netgear Router; Netscreen; Netopia; SMC; Smoothwall; Sonicwall; WatchGuard; Zyxel Zywall; Linksys Etherfast Cable / DSL router; Microsoft ISA; McAfee Firewall; Norton Personal Firewall; Snort; Sygate Personal Firewall; Symantec VelociRaptor Firewall; Tiny Personal Firewall 4.0 and 5.0; Vicom Internet Gateway; Trend Micro PC-Cillin; VisNetic (formerly Ambra) Firewall; Wingate Proxy Server; Windows XP Internet Connection Firewall (ICF); ZoneAlarm
- Cisco PIX Firewall; DIDSyslog; SonicWall Syslog Daemon; Link Logger (Linksys, Prestige/Netgear, and ZyXel ZyWall routers); US Robotics 8000 router; VisualZone Report Utility for ZoneAlarm (ZoneAlarm); Wallwatcher (2Wire, Cisco PIX, D-Link DFL-80, DI-804HV, IPTables, Linksys, Netgear FR114P, Netscreen 5GT, Zyxel P334 routers); Watchguard Firebox; ZoneLog (for ZoneAlarm)
- Firewalls that send logs by email: SonicWall (but see DIDSyslog, above); Dlink DI614
- Kernel packet logs as generated by Linux 2.2.x and ipchains; Kernel packet logs as generated by Linux 2.4.x and iptables; Checkpoint Firewall-1 User Alerts; Checkpoint Firewall-1 Version 4.1; Cisco ACL; Cisco PIX; DLink DI-640; Freesco; Foundry Networks ServerIron; Kerio (formerly Tiny) Firewall Syslog; Gauntlet firewall; Gnatbox firewall; Linux Etherfast Cable / DSL router; OpenBSD ipf logs; OpenBSD Packet Filter logs; Psionic Portsentry logs; Snort and Snort Portscan logs; Zyxel Prestige 650, 310/314 and Netgear RT310/314
- User contributed Linux and UNIX clients: ipchains and iptables client written in Python; IPCop Firewall; LaBrea; Compatible Systems Microrouter; Netscreen Firewalls; Nexland Router; FreeBSD ipf(4) and ipmon(8) logs; IPFW logs; Solaris ipf logs; Symantec Firewall/VPN Appliance; ulogd; Watchguard Firebox

Port Info
http://isc.sans.org/port_details.php?port=445
- Customizable graph of past activity.
- Respective data in numeric form.
- Common uses for each port.
- User comments.

Internet Storm Center
- 40 "Handlers": each day, a particular handler volunteers as "handler of the day".
- The handler of the day coordinates the response.
- Handlers are selected to represent different industries and geographic areas.
- Information is disseminated expeditiously to not only provide the earliest possible warning, but also to obtain more detailed information from readers.

Incident handling process
(diagram: ISC Reports <-> DShield Data)
Reports from ISC readers are used to explain features found in DShield data. If unexplained features are found, the diary is used to solicit observations from readers.

ISC Features
- Diary
- Top Ports / IPs List
- IP / Port Info
- Some ASN-based reports
- Trends
- Contact Form

Diary
- Written by the "Handler of the Day" (HOD).
- Updated at least once a day, more frequently if required.
- Summarizes events reported to ISC.
- NOT a news summary.
- Reflects priorities / opinions of the HOD.
- Usually written with input from other handlers.
- GOAL: When reading the diary, you should recognize an event you dealt with that day (or will deal with).

Global Incident Handling
Sample Event: DNS Poisoning.
Basic event handling flow chart:
Initial Report -> Sanity Check -> Diary Entry -> More Reports -> Mitigation / Resolution

DNS Poisoning
"We are beginning to see a widespread browser hijacking within our corporate enterprise. It has all the looks of a DNS poisoning, but we can't find anything on our INTERNAL network which indicates we have an internal problem. There is no commonality in sites (other than being well known sites), and there is no indication of an internal worm. But the hijack has infected a number of different workstations who didn't access any of the same sites. One example was: get www.weather.com, followed by the get "download" html to the same ip address, then a GET to what appears to be the REAL www.weather.com. Some of the hijacked sites are: www.7sir7.com, www.abx4.com, etc. This looks like a regular spyware thing, but the problem is that it's propagated within our enterprise like a worm."
Gary (March 3rd 2005)

Initial Screening
- "hosts" file? (Gary: no)
- Are non-browser DNS lookups (e.g. nslookup) affected? (Gary: nslookup provides bad results)
- Preliminary conclusion: This could be DNS poisoning.
- Action: Add note to diary.

Reaction to Diary
Various other reports. Sample:
"Hi SANS! Had an issue today where it appears our DNS cache was poisoned somehow. A lot of sites were being redirected to www.123xxl.com/index2.php. The IP addresses that this was being resolved to were 217.160.169.87, 216.127.88.131, 207.44.240.79. This site then tried to download an Active-X control of some kind. I did not allow it to download, but I was hoping one of you could check it out in a lab to see what it does. I'll continue to research, and let you know if I find out anything."
John (3/3/2005)

Refined response
- Ask users to check DNS cache content.
- Offer help by publishing command lines to dump the cache.
- Offer advice about how to flush the cache.
- Request blocking of access to target web servers.
- Users report that the problem goes away after the cache is cleared.
- IP address keeps changing.
- Malware-distributing site associated with 7sir7.com and abx4.com.

Symantec Gateway Products
March 4th:
- A number of affected users report that they are using Symantec firewall appliances, which provide DNS caching.
- Possibly related to vulnerability/patch from June 2004.
March 6th:
- Symantec releases a hotfix for its Gateway Security and Enterprise Firewall products.

Additional Reports come in
March 13th:
- 7sir7 exploit is planted on a large number of sites using exploited "web site motels".
- More reports about cache poisoning from sites not using Symantec products.
March 30th:
- Reports of cache poisoning pick up again.

Sample 'dig' output

; <<>> DiG 9.2.4 <<>> www.cnn.com @218.38.13.108
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59667
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.cnn.com.                   IN      A

;; ANSWER SECTION:
5.162.201.11217.16.26.148

;; AUTHORITY SECTION:
com.                    99999   IN      NS      besthost.co.kr.

;; ADDITIONAL SECTION:

;; Query time: 236 msec
;; SERVER: 218.38.13.108#53(218.38.13.108)
;; WHEN: Thu Mar 31 16:01:07 2005
;; MSG SIZE  rcvd: 105

DNS poisoning stats
From a web server that hosted the malware site on March 3rd, we received logs showing the following "success numbers" for this attack:
- 1,304 different domain names got redirected to the site.
- 8 million HTTP GET attempts.
- 966 unique IP addresses.
- 75 thousand incoming e-mail messages.
- 7,500 failed ftp login attempts.
- 7,700 failed imap login attempts.
- 2,000 logins to 82 different webmail systems.

Moving to Yellow
April 4th:
- One month after initial reports, the problem still persists. We raise the infocon level to "Yellow" to solicit more information.
April 5th:
- Information that some MSFT products may be vulnerable.

MSFT – BIND Interaction
(diagram) LAN -> MSFT DNS Server (configured to forward queries) -> BIND 8 DNS Server -> Internet

MSFT – BIND Part 2
- MSFT DNS server configured to forward queries to a trusted external DNS server.
  - Isolates internal DNS server from attacks.
  - May increase performance.
  - Simplifies firewall setup.
- BIND 8 will not clean responses it passes to the internal (MSFT) DNS server.
- The MSFT DNS server will now trust the responses it receives, even though they still include the malicious content.

DNS Poisoning – Resolution
Solution: Upgrade to BIND 9.
Further analysis: One of our handlers did manage to get hold of the DNS server which was the origin of the poisoning. The poisoning was achieved using a standard configuration of BIND:
- Configure a .com zone, and make the DNS server authoritative.
- Set up wildcard records for the .com zone.
Based on old zone files / comments we see that at each time, two IP addresses were used. These were changed frequently.
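An added example (my code, not from the presentation or from ISC/DShield): a minimal parser for DNS wire-format replies plus the sanity checks that distinguish the poisoned reply in the dig output above (aa set, NS for all of "com.") from a legitimate forwarder answer, the kind of cleaning the slides say BIND 8 did not do before passing replies to the internal MSFT server. It assumes the server being checked is a recursive forwarder that is never authoritative; ns.example.net and the TEST-NET addresses are made up.

```python
import struct
def _read_name(msg, off):  # decode a (possibly compressed) DNS name; return (name, end offset)
    labels, end = [], None
    while (ln := msg[off]) != 0:
        if ln & 0xC0 == 0xC0:                        # pointer: remember where we left off
            end = off + 2 if end is None else end
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def parse_response(msg):
    """Parse header flags, the question name and the three resource-record sections."""
    _id, flags, _qd, an, ns, ar = struct.unpack_from("!6H", msg)
    qname, off = _read_name(msg, 12)                 # one question assumed
    out, off = {"qname": qname, "aa": bool(flags & 0x0400)}, off + 4   # skip QTYPE/QCLASS
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        out[key] = []
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            rdata = msg[off + 10:off + 10 + rdlen]   # raw unless decoded below
            if rtype == 1:                           # A record: dotted quad
                rdata = ".".join(str(b) for b in rdata)
            elif rtype in (2, 5):                    # NS / CNAME: a domain name
                rdata = _read_name(msg, off + 10)[0]
            off += 10 + rdlen
            out[key].append((name, rtype, ttl, rdata))
    return out

def poisoning_indicators(resp):
    """Why a reply from a recursive forwarder looks poisoned; an empty list means clean."""
    q, reasons = resp["qname"], []
    if resp["aa"]:
        reasons.append("aa set, but a forwarder is never authoritative for " + q)
    for name, rtype, _ttl, rdata in resp["authority"] + resp["additional"]:
        if rtype == 2 and name.count(".") <= 1:      # NS for the root or a whole TLD
            reasons.append("delegation for root/TLD zone %s -> %s" % (name, rdata))
        elif name not in (".", q) and not q.endswith("." + name):
            reasons.append("out-of-bailiwick record %s in a reply for %s" % (name, q))
    return reasons

# Constructed sample (TEST-NET addresses, made-up ns.example.net): aa set plus NS and glue for all of "com."
_Q, _NS = b"\x03www\x03cnn\x03com\x00", b"\x02ns\x07example\x03net\x00"
SAMPLE = (struct.pack("!6H", 0x1234, 0x8580, 1, 1, 1, 1)             # flags: qr aa rd ra
          + _Q + b"\x00\x01\x00\x01"                                   # question: A, IN
          + _Q + struct.pack("!HHIH", 1, 1, 300, 4) + b"\xc0\x00\x02\x0a"
          + b"\x03com\x00" + struct.pack("!HHIH", 2, 1, 99999, len(_NS)) + _NS
          + _NS + struct.pack("!HHIH", 1, 1, 99999, 4) + b"\xc0\x00\x02\x14")
```

`poisoning_indicators(parse_response(SAMPLE))` returns three reasons for the constructed reply; a reply with no aa flag and no foreign authority/additional data returns an empty list.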

Future Outlook / Trends
- Client exploits.
  - Cognitive exploits (phishing).
  - Web browser exploits (malware spiders, "honey monkey").
  - Commercialization.
- Secondary server application exploits.
  - PHPBB.
  - awstats (collecting web logs).
- AV is dead. There is no new malware, just new packers (malware analysis effort, automated pattern matching for packers).

Q&A
URLs of interest:
- Internet Storm Center: http://isc.sans.org
- DShield: http://www.dshield.org
- How to send logs: http://www.dshield.org/howto.php
- SANS Webcasts: http://www.sans.org/webcasts.php
THANKS! ¡GRACIAS!

