Solved

Track down attacks

Posted on 2014-04-07
8
611 Views
Last Modified: 2014-04-09
Hi,

Can anyone point us in the direction of expertise to help us track down sources of recent syn flood attacks.  We seem to be unusual in that we are getting persistent attacks and we need to understand whether this is one source or several.

Any advice would be most welcome

Many thanks
Chris
0
Comment
Question by:Chris_Ryan
8 Comments
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39983151
hardware based firewall, it is probably being logged. I suggest reviewing those logs. I also suggest having those logs sent to a system admin by email as the log fills up so they can be reviewed anytime. Without sending those logs, the old logged events get overwritten as new logs are created.

We use a Sonicwall firewall for this. It works very well. Cisco and other brands should work well also.

You might also try contacting your ISP, although most of the time, adding a firewall is the best first step.

Hope this helps.
0
 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 39983684
Next time it happens, run tcpdump and filter out certain ports (22 etc.) that are not being attacked. Save the .pcap file and examine it for the offending IPs and report them.
0
 
LVL 63

Accepted Solution

by:
btan earned 300 total points
ID: 39986164
A couple of means: if you have a FW at the perimeter, it should already have recorded the IP addresses, and you can simply do a robtex or Domain Dossier lookup, entering the IP for the whois - the registered owner of the origin.

But do not be surprised that those IPs may lead to an ISP fronting them, or even some open proxy or anonymiser; that is their intent, to deter you from blacklisting, as it can create false positives by blocking the "ISP". Making the situation worse, the IPs can be spoofed and come in multiples, making the effort to attribute tougher.

If need be, you may also check the IP for TOR exit or open relay; then it is possibly worth blocking it as a blacklist. You can easily google the IP as well for its "reputation" online.

Nonetheless, going via IP will not be foolproof for attribution or even blacklisting, but it can help to establish a backup option if rate limiting of that IP source does not stop the impact, or you can even try to sinkhole that particular source. We can then block it, given the situation did not fare better.

There are Cisco FW and Juniper FW sharing their fair share of source identification to limit the damage or even prevent it.

Filtering: The most basic network-level defense is application of the filtering techniques described in RFC 2827 [7]. Using ingress filtering, an ISP refuses to further route packets coming from an end site with IP source addresses that do not belong to that end site. Ingress filtering would be highly effective at preventing SYN flooding attacks that rely on spoofed IP packets. However, it is not currently reliable because ingress filtering policies are not universally deployed. Ingress filtering is also wholly ineffective against SYN flooding attacks that use a distributed army of controlled hosts that each directly attack. Ingress filtering is also a mechanism that an end site wishing to defend itself most often has no control over, because it has no influence upon the policies employed by ISPs around the world.

Source Threshold: This option allows you to specify the number of SYN segments received per second from a single source IP address—regardless of the destination IP address and port number—before JUNOS Software begins dropping connection requests from that source.

user@host# set security screen zone-syn-flood tcp syn-flood source-threshold <number>

user@host# set security zones security-zone zone screen zone-syn-flood
Tracking a SYN flood by source address uses different detection parameters from tracking a SYN flood by destination address and destination port number. When you set a SYN attack threshold and a source threshold, you put both the basic SYN flood protection mechanism and the source-based SYN flood tracking mechanism in effect.

Another minor pointer: you may also want to monitor at the server end, in the case of an internal IP source coming with DoS symptoms and without a FW fronting it (somehow). Maybe consider using netstat to sieve out some details about the origin of your attacker by outputting the source IPs with the most connections. I saw in the open sharing some command such as below:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Also, if you find that there is a massive amount of different IP addresses in the list, it's possible that you are experiencing not a DoS but a DDoS attack on your dedicated server. Assuming a web server, which is a likely candidate due to public access and exposure, you can try to identify the target IP address on your dedicated server using the following command.

netstat -nt | grep SYN_RECV | grep ':80'

This basically just looks at all TCP traffic in the SYN_RECV state that’s going to port 80, which is the webserver port.
0
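The two netstat one-liners above are hand-checked; as an added example (not code from this thread or from any of the posters), here is a small Python script that applies the same two heuristics to `netstat -nt` output: count SYN_RECV entries per remote host (also handling IPv6 addresses, which the `cut -d:` trick mishandles) and distinguish a few heavy sources from a large number of distinct sources. The sample netstat text, the threshold values and the function names are constructed assumptions.

```python
from collections import Counter

# Constructed sample of `netstat -nt` output (documentation addresses, not real traffic).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51012      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51013      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51014      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.9:55220         ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:40200     SYN_RECV
"""


def split_host_port(addr):
    """Split 'host:port' on the LAST colon so IPv6 hosts such as 2001:db8:1::5 stay intact."""
    host, _, port = addr.rpartition(":")
    return host, port


def syn_recv_by_source(netstat_text, local_port=None):
    """Count half-open (SYN_RECV) connections per remote host, optionally for one local port only."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip headers and anything that is not a TCP socket in SYN_RECV state.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "SYN_RECV":
            continue
        _, lport = split_host_port(fields[3])
        src, _ = split_host_port(fields[4])
        if local_port is None or lport == str(local_port):
            counts[src] += 1
    return counts


def classify(counts, source_threshold=3, distinct_limit=50):
    """Apply the thread's two heuristics (assumed thresholds): a few heavy sources suggest a
    single origin worth rate limiting; many distinct sources suggest a DDoS or spoofed SYNs."""
    heavy = sorted((s for s, n in counts.items() if n >= source_threshold),
                   key=lambda s: -counts[s])
    if len(counts) > distinct_limit:
        return "distributed_or_spoofed", heavy
    return ("single_source" if heavy else "no_flood"), heavy


if __name__ == "__main__":
    per_source = syn_recv_by_source(SAMPLE_NETSTAT, local_port=80)
    verdict, heavy_sources = classify(per_source)
    print(verdict, heavy_sources, dict(per_source))
```

On a live host, replace SAMPLE_NETSTAT with the output of `netstat -nt` (or `ss -tn`), which uses the same column order for the local and foreign address fields.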
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 125 total points
ID: 39987208
If you know it's a SYN flood, you probably know the IPs it's coming from; you can GeoIP them to see where. Again, like in the last question, you will probably have to work with your ISP, or pay some extra fee if you want DDoS protection from an attack; most large ISPs offer this service for a charge. Here is Cisco's take on it:
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html
If you can't narrow it down to a few dozen IPs then it's probably spoofed, and it doesn't matter where the attacker is. Even if you do ID them, it often falls on deaf ears:
http://arstechnica.com/security/2012/10/meet-the-network-operators-helping-fuel-the-spike-in-big-ddos-attacks/
DJB proposed syn-cookies: http://cr.yp.to/syncookies.html
The hope is we can avoid a lot of these items in IPv6, but some are already there :(
-rich
0
 
LVL 25

Assisted Solution

by:Tony Giangreco
Tony Giangreco earned 75 total points
ID: 39987366
Chances are you will not be able to track an attack down to a site that you can do much about except have your ISP block for you. A good firewall will detect that traffic and drop the traffic so it doesn't hit your network. I have received notifications from our firewall of that traffic being detected and dropped with no human interaction needed. That's probably your best bet.
0
 
LVL 63

Expert Comment

by:btan
ID: 39987574
Further to add, those network security devices deployed at the perimeter likely have access to some (need to subscribe, or open) online intelligence on reputation services; you may even want to subscribe (from the providers themselves) to help in the attribution, but as (all say), it is tough to accurately pinpoint the source, and it can be just another infected bot host that (probably) is not even aware it has been doing wrong stuff.

Also, a website can be waterholed, causing redirected calls to the victim itself, such as the pingback case in WordPress or possibly other CMSes. In this case it is more of a SYN flood, so it should be easily handled by the network perimeter devices already; the focus is, during that period of flooding, any other anomalies detected or sensed in the traffic and at any other egress or ingress points.
0
 

Author Comment

by:Chris_Ryan
ID: 39988391
Thank you for all your comments and postings

The SYN flood attack was from a whole bunch of IP addresses so we have no realistic chance of chasing them down.

We have moved to CloudFlare for the time being, but are investigating other options.

It has been a real eye opener for us after almost 20 years of running without any problems.

Once again many thanks
0
 
LVL 63

Expert Comment

by:btan
ID: 39988499
Just a note: a managed service for such an incident should also actively surface and attribute the rate threshold customised to your asset, and ensure comms to your asset only allow CloudFlare (in this case) forwarding the "clean" traffic to the actual origin server (your server). This is to limit the bypass, as an attacker can still direct via IP (though it is very deterring, as most of the time DNS is more the way to go, but that will already be fronted by CloudFlare). Likewise, do note the source IP addresses can come from fast-flux types that keep on changing, also to make sure the attempt at source trace-back is fruitless.
0
