Solved

Track down attacks

Posted on 2014-04-07
Medium Priority
681 Views
Last Modified: 2014-04-09
Hi,

Can anyone point us in the direction of expertise to help us track down sources of recent SYN flood attacks. We seem to be unusual in that we are getting persistent attacks and we need to understand whether this is one source or several.

Any advice would be most welcome

Many thanks
Chris
Question by:Chris_Ryan
8 Comments
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39983151
hardware-based firewall, it is probably being logged. I suggest reviewing those logs. I also suggest having those logs sent to a system admin by email as the log fills up so they can be reviewed anytime. Without sending those logs, the old logged events get overwritten as new logs are created.

We use a Sonicwall firewall for this. It works very well. Cisco and other brands should work well also.

You might also try contacting your ISP, although most of the time, adding a firewall is the best first step.

Hope this helps.
 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 39983684
Next time it happens, run tcpdump and filter out certain ports (22 etc.) that are not being attacked. Save the .pcap file and examine it for the offending IPs and report them.
 
LVL 65

Accepted Solution

by:btan
btan earned 1200 total points
ID: 39986164
A couple of means: if you have a FW at the perimeter, it should already have recorded the IP addresses, and you can simply use Robtex or Domain Dossier, entering the IP for the whois (registered owner of the origin).

But do not be surprised if those IPs lead to an ISP fronting them, or even some open proxy or anonymiser; that is their intent, to deter you from blacklisting, as it can create false positives by blocking the "ISP". Making the situation worse, the IPs can be spoofed and come in multiples, making the effort to attribute them tougher.

If needed, you may also check whether the IP is a Tor exit or open relay; then it is possibly worth blocking it via a blacklist. You can easily Google the IP as well for its "reputation" online.

Nonetheless, going via IP will not be foolproof for attribution or even blacklisting, but it can help to establish a backup option if rate limiting of that IP source does not stop the impact, or even to try to sinkhole that particular source. We can then block it, given that the situation did not fare better.

There are Cisco FW and Juniper FW write-ups sharing their fair share of source identification to limit the damage or even prevent it:

Filtering: The most basic network-level defense is application of the filtering techniques described in RFC 2827 [7]. Using ingress filtering, an ISP refuses to further route packets coming from an end site with IP source addresses that do not belong to that end site. Ingress filtering would be highly effective at preventing SYN flooding attacks that rely on spoofed IP packets. However, it is not currently reliable because ingress filtering policies are not universally deployed. Ingress filtering is also wholly ineffective against SYN flooding attacks that use a distributed army of controlled hosts that each directly attack. Ingress filtering is also a mechanism that an end site wishing to defend itself most often has no control over, because it has no influence upon the policies employed by ISPs around the world.

Source Threshold: This option allows you to specify the number of SYN segments received per second from a single source IP address—regardless of the destination IP address and port number—before JUNOS Software begins dropping connection requests from that source.

user@host# set security screen ids-option zone-syn-flood tcp syn-flood source-threshold <number>

user@host# set security zones security-zone zone screen zone-syn-flood

Tracking a SYN flood by source address uses different detection parameters from tracking a SYN flood by destination address and destination port number. When you set a SYN attack threshold and a source threshold, you put both the basic SYN flood protection mechanism and the source-based SYN flood tracking mechanism in effect.

Another minor pointer: you may also want to monitor at the server end. In the case of an internal IP source coming with DoS symptoms and not fronted by a FW (somehow), maybe consider using netstat to sieve out some details about the origin of your attacker by outputting the source IPs with the most connections. I saw in open sharing some commands such as below:

netstat -ntu | awk 'NR > 2 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n   # skip the two header lines; column 5 is the foreign (remote) address

Also, if you find that there is a massive number of different IP addresses in the list, it's possible that you are experiencing not a DoS but a DDoS attack on your dedicated server. Assuming a web server, which is a likely candidate due to public access and exposure, you can try to identify the target IP address on your dedicated server using the following command:

netstat -nt | awk '$6 == "SYN_RECV" && $4 ~ /:80$/'   # -t selects TCP only; column 4 is the local address, column 6 the socket state

This basically just looks at all TCP sockets in the SYN_RECV state on port 80, which is the webserver port.
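The two measurements suggested in this thread (a tcpdump capture of bare SYNs, and netstat's half-open SYN_RECV sockets) both reduce to the same question the asker has: how many distinct sources, and how concentrated are they? The following is an added example, not code from this thread or any of its posters. It parses tcpdump text output and netstat output, counts SYNs per source, and gives a rough verdict. The sample lines, addresses (RFC 5737 documentation ranges) and thresholds are constructed for illustration.

```python
"""SYN-flood source triage: one source, a few, or many?

Added example for this thread, not code from the original posts. It reads
two kinds of input the answers above suggest collecting:
  - tcpdump text output, e.g. from
      tcpdump -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
  - netstat output (netstat -nt), looking for sockets stuck in SYN_RECV
and counts SYNs per source address. All sample lines below are constructed.
"""
import re
from collections import Counter

# tcpdump -nn line shape (IPv4 only, for brevity):
# 10:01:02.000001 IP 198.51.100.7.40001 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# netstat -nt line shape:
# tcp        0      0 203.0.113.10:80         198.51.100.7:40001      SYN_RECV
NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)"
)


def parse_tcpdump_syns(lines, dport=None):
    """Yield the source address of every SYN-only packet (SYN set, ACK clear).

    tcpdump prints ACK as '.', so 'S' is a bare SYN and 'S.' is a SYN-ACK.
    If dport is given, only SYNs to that destination port are counted.
    """
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        flags = m.group("flags")
        if "S" not in flags or "." in flags:
            continue
        if dport is not None and int(m.group("dport")) != dport:
            continue
        yield m.group("src")


def parse_netstat_syn_recv(lines, port=80):
    """Yield the remote address of each half-open (SYN_RECV) socket on `port`."""
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m or m.group("state") != "SYN_RECV":
            continue
        if int(m.group("local").rsplit(":", 1)[1]) != port:
            continue
        yield m.group("remote").rsplit(":", 1)[0]


def summarise(sources, top=5):
    """Count SYNs per source and give a rough verdict on attribution."""
    counts = Counter(sources)
    total = sum(counts.values())
    if total == 0:
        return {"total": 0, "distinct": 0, "top": [], "top_share": 0.0,
                "verdict": "no SYNs matched"}
    top_sources = counts.most_common(top)
    top_share = top_sources[0][1] / total   # share of the single busiest source
    if len(counts) == 1:
        verdict = "single source: rate-limit or block it; whois lookup is worthwhile"
    elif top_share >= 0.5:   # assumption: a 50% share marks a dominant source
        verdict = "few dominant sources: rate-limit them; whois/reputation lookup is worthwhile"
    else:
        verdict = ("many sources: distributed or spoofed, attribution impractical; "
                   "rely on SYN cookies and upstream filtering")
    return {"total": total, "distinct": len(counts), "top": top_sources,
            "top_share": top_share, "verdict": verdict}


# Constructed sample data (not a real capture).
SAMPLE_TCPDUMP = """\
10:01:02.000001 IP 198.51.100.7.40001 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
10:01:02.000002 IP 198.51.100.7.40002 > 203.0.113.10.80: Flags [S], seq 2, win 512, length 0
10:01:02.000003 IP 198.51.100.7.40003 > 203.0.113.10.80: Flags [S], seq 3, win 512, length 0
10:01:02.000004 IP 198.51.100.8.40004 > 203.0.113.10.80: Flags [S], seq 4, win 512, length 0
10:01:02.000005 IP 203.0.113.10.80 > 198.51.100.8.40004: Flags [S.], seq 9, ack 5, win 65535, length 0
10:01:02.000006 IP 192.0.2.44.51000 > 203.0.113.10.22: Flags [S], seq 5, win 29200, length 0
10:01:02.000007 IP 192.0.2.45.51001 > 203.0.113.10.80: Flags [P.], seq 1:10, ack 1, win 229, length 9
""".splitlines()

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:40001      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:40002      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.45:51001        ESTABLISHED
tcp        0      0 203.0.113.10:22         192.0.2.44:51000        SYN_RECV
""".splitlines()

if __name__ == "__main__":
    for label, result in (
        ("tcpdump, SYNs to port 80", summarise(parse_tcpdump_syns(SAMPLE_TCPDUMP, dport=80))),
        ("netstat, SYN_RECV on port 80", summarise(parse_netstat_syn_recv(SAMPLE_NETSTAT))),
    ):
        print(f"{label}: {result['total']} SYNs from {result['distinct']} address(es), "
              f"top {result['top'][0]} -> {result['verdict']}")
```

In practice feed it `tcpdump -nnr flood.pcap ...` output rather than a live socket, and look at `distinct` relative to `total`: a flood where almost every SYN comes from a fresh address is either spoofed or a large botnet, and in both cases the per-IP whois step the answers describe is not going to lead anywhere.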
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 39987208
If you know it's a SYN flood, you probably know the IPs it's coming from; you can GeoIP them to see where. Again, like in the last question, you will probably have to work with your ISP, or pay some extra fee if you want DDoS protection from an attack; most large ISPs offer this service for a charge. Here is Cisco's take on it:
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html
If you can't narrow it down to a few dozen IPs then it's probably spoofed, and it doesn't matter where the attacker is. Even if you do ID them, it often falls on deaf ears:
http://arstechnica.com/security/2012/10/meet-the-network-operators-helping-fuel-the-spike-in-big-ddos-attacks/
DJB proposed syn-cookies: http://cr.yp.to/syncookies.html
The hope is we can avoid a lot of these items in IPv6, but some are already there :(
-rich
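The SYN cookies mentioned in the comment above are the reason a server can survive a spoofed-source flood without tracking half-open connections at all. The following toy round trip is an added example, not code from this thread and not DJB's or the Linux kernel's implementation: the bit layout (5 bits of time counter, 3 bits of MSS index, 24 bits of MAC), the 64-second counter period, the MSS table and the use of HMAC-SHA256 are simplifying assumptions, and the addresses are constructed.

```python
"""Toy SYN-cookie round trip (added example; not the thread's code, not the
Linux or DJB implementation). Simplifying assumptions: ISN layout is
5 bits counter | 3 bits MSS index | 24 bits MAC, the counter ticks every
64 s, HMAC-SHA256 stands in for the kernel's hash, and the MSS table has
four entries. Addresses in the demo are constructed (RFC 5737).

The point: the server answers a SYN with a SYN-ACK whose initial sequence
number is a keyed function of the 4-tuple, the client's ISN and a time
counter, and stores nothing. Only a client that really received that
SYN-ACK can send an ACK carrying cookie+1, so spoofed-source SYNs cost
the server no half-open state.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: per-server secret, rotated
MSS_TABLE = (536, 1300, 1440, 1460)   # assumption: encodable MSS values
COUNTER_PERIOD = 64                   # assumption: seconds per counter tick


def _mac24(src, sport, dst, dport, client_isn, counter):
    """24-bit keyed MAC over the 4-tuple, the client's ISN and the counter."""
    msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK; no per-connection state is kept."""
    counter = now // COUNTER_PERIOD
    fits = [i for i, v in enumerate(MSS_TABLE) if v <= mss]
    mss_idx = fits[-1] if fits else 0   # largest table entry not above the client's MSS
    mac = _mac24(src, sport, dst, dport, client_isn, counter)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac


def check_cookie(src, sport, dst, dport, client_isn, cookie, now):
    """Validate the cookie carried in an ACK (ack_number - 1).

    Returns the MSS to use for the connection, or None if the cookie is
    forged or older than two counter periods (the current and previous
    counter values are both accepted).
    """
    counter = now // COUNTER_PERIOD
    for age in (0, 1):
        c = counter - age
        if (c & 0x1F) != cookie >> 27:
            continue
        if (cookie & 0xFFFFFF) == _mac24(src, sport, dst, dport, client_isn, c):
            return MSS_TABLE[(cookie >> 24) & 0x7]
    return None


def handshake(client_ip, client_port, server_ip, server_port, client_isn, mss,
              syn_time, ack_time, tamper=0):
    """Simulate SYN -> SYN-ACK(cookie) -> ACK and return the server's decision.

    `tamper` is added to the ACK number to model an attacker who never saw
    the SYN-ACK and is guessing the cookie.
    """
    # SYN arrives: the server computes its ISN and forgets the SYN.
    server_isn = make_cookie(client_ip, client_port, server_ip, server_port,
                             client_isn, mss, syn_time)
    # A genuine client echoes server_isn + 1 as its ACK number and uses
    # client_isn + 1 as its own sequence number.
    ack_number = (server_isn + 1 + tamper) & 0xFFFFFFFF
    ack_seq = client_isn + 1
    # ACK arrives: rebuild everything from the packet alone.
    return check_cookie(client_ip, client_port, server_ip, server_port,
                        ack_seq - 1, (ack_number - 1) & 0xFFFFFFFF, ack_time)


if __name__ == "__main__":
    args = ("198.51.100.7", 40001, "203.0.113.10", 80, 12345, 1452)
    print("genuine client  :", handshake(*args, syn_time=1000, ack_time=1001))
    print("guessed cookie  :", handshake(*args, syn_time=1000, ack_time=1001, tamper=1))
    print("ACK 3 min later :", handshake(*args, syn_time=1000, ack_time=1192))
```

The cost of this trick is visible in `MSS_TABLE`: with only a few bits to spare in a 32-bit sequence number, the server cannot remember the exact options the client offered, which is why real implementations only switch cookies on once the backlog is full.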
 
LVL 25

Assisted Solution

by:Tony Giangreco
Tony Giangreco earned 300 total points
ID: 39987366
Chances are you will not be able to track an attack down to a site that you can do much about except have your ISP block for you. A good firewall will detect that traffic and drop the traffic so it doesn't hit your network. I have received notifications from our firewall of that traffic being detected and dropped with no human interaction needed. That's probably your best bet.
 
LVL 65

Expert Comment

by:btan
ID: 39987574
Further to add: those network security devices deployed at the perimeter likely have access to some (subscription-based or open) online intelligence/reputation services; you may even want to subscribe (from the providers themselves) to help in the attribution. But, as all say, it is tough to accurately pinpoint the source, and it can be just another infected bot host that is (probably) not even aware it has been doing wrong stuff.

Also, a website can be watering-holed, causing redirected calls to the victim itself, such as the pingback case in WordPress or possibly other CMSs. In this case it is more of a SYN flood, so it should be easily handled by the network perimeter devices already; the focus is, during that period of flooding, on any other anomalies detected or sensed in the traffic and at any other egress or ingress points.
 

Author Comment

by:Chris_Ryan
ID: 39988391
Thank you for all your comments and postings

The SYN flood attack was from a whole bunch of IP addresses, so we have no realistic chance of chasing them down.

We have moved to CloudFlare for the time being, but are investigating other options.

It has been a real eye opener for us after almost 20 years of running without any problems.

Once again many thanks
 
LVL 65

Expert Comment

by:btan
ID: 39988499
Just a note: a managed service for such incidents should also actively surface and attribute the rate threshold, customised to your asset, and ensure comms to your asset only allow Cloudflare (in this case) to forward the "clean" traffic to the actual origin server (your server). This is to limit the bypass, as an attacker can still go direct via IP (though it is very deterring, as most of the time DNS is more the way to go, but that will already be fronted by Cloudflare). Likewise, do note the source IP addresses can come from fast-flux types that keep on changing, also to make sure the attempt to trace back the source is fruitless.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Screencast - Getting to Know the Pipeline

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question