Solved

Track down attacks

Posted on 2014-04-07
8
566 Views
Last Modified: 2014-04-09
Hi,

Can anyone point us in the direction of expertise to help us track down sources of recent SYN flood attacks. We seem to be unusual in that we are getting persistent attacks and we need to understand whether this is one source or several.

Any advice would be most welcome

Many thanks
Chris
0
Comment
Question by:Chris_Ryan
8 Comments
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39983151
hardware based firewall, it is probably being logged. I suggest reviewing those logs. I also suggest having those logs sent to a system admin by email as the log fills up so they can be reviewed anytime. Without sending those logs, the old logged events get overwritten as new logs are created.

We use a Sonicwall firewall for this. It works very well. Cisco and other brands should work well also.

You might also try contacting your ISP, although most of the time, adding a firewall is the best first step.

Hope this helps.
0
 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 39983684
Next time it happens run tcpdump and filter out certain ports (22 etc.) that are not being attacked. Save the .pcap file and examine it for the offending IPs and report them.
0
 
LVL 61

Accepted Solution

by:btan
btan earned 300 total points
ID: 39986164
A couple of means: if you have a FW at the perimeter, it should already have recorded the IP addresses, and you can simply do a robtex or Domain Dossier lookup, entering the IP for the whois - registered owner of the origin.

But do not be surprised if those IPs lead to an ISP fronting them or even some open proxy or anonymiser; that is their intent, to deter you from blacklisting, as it can create false positives by blocking the "ISP". Making the situation worse, the IPs can be spoofed and come in multiples, making the effort to attribute them tougher.

If needed, you may also check the IP for a TOR exit or open relay, in which case it is possibly worth blocking it via a blacklist. You can easily google the IP as well for its "reputation" online.

Nonetheless, going via IP will not be foolproof for attribution or even blacklisting, but it can help to establish a backup option if rate limiting of that IP source does not stop the impact, or even to try to sinkhole that particular source. We can then block it, given the situation did not fare better.

There are Cisco FW and Juniper FW sharing their fair share of source identification to limit the damage or even prevent it:

Filtering: The most basic network-level defense is application of the filtering techniques described in RFC 2827 [7]. Using ingress filtering, an ISP refuses to further route packets coming from an end site with IP source addresses that do not belong to that end site. Ingress filtering would be highly effective at preventing SYN flooding attacks that rely on spoofed IP packets. However, it is not currently reliable because ingress filtering policies are not universally deployed. Ingress filtering is also wholly ineffective against SYN flooding attacks that use a distributed army of controlled hosts that each directly attack. Ingress filtering is also a mechanism that an end site wishing to defend itself most often has no control over, because it has no influence upon the policies employed by ISPs around the world.

Source Threshold: This option allows you to specify the number of SYN segments received per second from a single source IP address—regardless of the destination IP address and port number—before JUNOS Software begins dropping connection requests from that source.

user@host# set security screen zone-syn-flood tcp syn-flood source-threshold <number>

user@host# set security zones security-zone zone screen zone-syn-flood

Tracking a SYN flood by source address uses different detection parameters from tracking a SYN flood by destination address and destination port number. When you set a SYN attack threshold and a source threshold, you put both the basic SYN flood protection mechanism and the source-based SYN flood tracking mechanism in effect.

Another minor pointer is that you may also want to monitor at the server end, in the case of an internal IP source coming with DoS symptoms and no FW fronting (somehow); maybe consider using netstat to sieve out some details about the origin of your attacker by outputting the source IPs with the most connections. I saw in open sharing some commands such as below

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Also, if you find that there is a massive amount of different IP addresses in the list, it's possible that you are experiencing not a DoS but a DDoS attack on your dedicated server. Assuming a web server, which is a likely candidate due to public access and exposure, you can try to identify the target IP address on your dedicated server using the following command.

netstat -n -p TCP | grep SYN_RECV | grep :80

This basically just looks at all TCP traffic in the SYN_RECV state that's going to port 80, which is the web server port.
0
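The two netstat pipelines above, re-implemented as an added example (not from the thread or from any of the answerers): it parses constructed `netstat -ntu` output in Python, counts connections per remote address and lists half-open connections to one local port, handling the header lines and IPv6 endpoints that the shell pipelines mishandle. The NETSTAT_SAMPLE rows and addresses are constructed.

```python
"""Added example (not from the thread): summarise `netstat -ntu` output during a
suspected SYN flood the way the two pipelines in the accepted answer do, but parse
it in Python so header lines and IPv6 endpoints are handled. Sample is constructed."""
from collections import Counter

# Constructed sample of `netstat -ntu` output, using RFC 5737/3849 documentation addresses.
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        SYN_RECV
tcp        0      0 203.0.113.10:8080       192.0.2.44:40002        SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.99:55000        ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:6000      SYN_RECV
udp        0      0 203.0.113.10:53         192.0.2.99:3333
"""

def parse_netstat(text):
    """Yield (proto, local, remote, state) per connection row; skip the header lines.
    UDP rows may have no State column, so state defaults to ''."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0].startswith(("tcp", "udp")):
            yield f[0], f[3], f[4], f[5] if len(f) > 5 else ""

def split_endpoint(endpoint):
    """Split 'host:port' on the LAST colon, so IPv6 hosts are not truncated
    (the thread's `cut -d: -f1` would cut '2001:db8:1::5' down to '2001')."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)

def connections_per_source(text):
    """awk '{print $5}' | cut -d: -f1 | sort | uniq -c, as a Counter keyed by remote IP."""
    return Counter(split_endpoint(r)[0] for _, _, r, _ in parse_netstat(text))

def half_open_to_port(text, port=80):
    """grep SYN_RECV | grep :80, but matching the local port exactly (':80' would also hit :8080)."""
    return [r for p, l, r, s in parse_netstat(text)
            if p.startswith("tcp") and s == "SYN_RECV" and split_endpoint(l)[1] == port]

if __name__ == "__main__":
    for ip, n in connections_per_source(NETSTAT_SAMPLE).most_common():
        print(f"{n:6d} {ip}")  # many IPs with few connections each points to DDoS or spoofing
    print("half-open to :80 from", half_open_to_port(NETSTAT_SAMPLE))
```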
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 125 total points
ID: 39987208
If you know it's a SYN flood, you probably know the IPs it's coming from; you can GeoIP them to see where. Again, like in the last question, you will probably have to work with your ISP, or pay some extra fee if you want DDoS protection from an attack; most large ISPs offer this service for a charge. Here is Cisco's take on it:
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html
If you can't narrow it down to a few dozen IPs then it's probably spoofed, and it doesn't matter where the attacker is. Even if you do ID them, it often falls on deaf ears:
http://arstechnica.com/security/2012/10/meet-the-network-operators-helping-fuel-the-spike-in-big-ddos-attacks/
DJB proposed SYN cookies: http://cr.yp.to/syncookies.html
The hope is we can avoid a lot of these items in IPv6, but some are already there :(
-rich
0
 
LVL 25

Assisted Solution

by:Tony Giangreco
Tony Giangreco earned 75 total points
ID: 39987366
Chances are you will not be able to track an attack down to a site that you can do much about except have your ISP block for you. A good firewall will detect that traffic and drop the traffic so it doesn't hit your network. I have received notifications from our firewall of that traffic being detected and dropped with no human interaction needed. That's probably your best bet.
0
 
LVL 61

Expert Comment

by:btan
ID: 39987574
Further to add, those network security devices deployed at the perimeter likely have access to some online intelligence or reputation services (subscription or open); you may even want to subscribe (from the providers themselves) to help in the attribution, but as all say, it is tough to accurately pinpoint the source, and it can be just another infected bot host that is (probably) not even aware it has been doing wrong stuff.

Also, websites can be waterholed, causing redirected calls to the victim itself, such as the pingback case in WordPress or other CMSes possibly. In this case it is more of a SYN flood, so it should be easily handled by the network perimeter devices already; the focus is, during that period of flooding, any other anomalies detected or sensed in the traffic and at any other egress or ingress points.
0
 

Author Comment

by:Chris_Ryan
ID: 39988391
Thank you for all your comments and postings

The SYN flood attack was from a whole bunch of IP addresses so we have no realistic chance of chasing them down.

We have moved to CloudFlare for the time being, but are investigating other options.

It has been a real eye opener for us after almost 20 years of running without any problems.

Once again many thanks
0
 
LVL 61

Expert Comment

by:btan
ID: 39988499
Just a note, a managed service for such incidents should also actively surface and attribute the rate threshold, customised to your asset, and ensure comms to your asset only allow Cloudflare (in this case) forwarding the "clean" traffic to the actual origin server (your server). This is to limit the bypass, as the attacker can still direct traffic via IP (though it is very deterring, as most of the time DNS is more the way to go, but that will already be fronted by Cloudflare). Likewise do note the source IP addresses can come from fast-flux types that keep on changing, which also makes sure the attempt to trace the source back is fruitless.
0
