InfoSec News

While I was on Wikipedia doing some vital research (I was right: Plastic Man has no internal organs), I reminded myself that 2011 is an important anniversary for the two Apple products that made Apple what it is today—most essentially, not a subsidiary of Sony or Adobe. That’s right, folks: Mac OS X and the iPod were both released ten years ago.
We sometimes get requests from people who are undergoing Denial of Service attacks. These days that usually means a Distributed Denial of Service attack. In our role at the Internet Storm Center, we're often limited to consultation roles and can only recommend possible courses of action for the client. We don't have a canned response or top-three recommendations that will work in all cases; instead we have a process. Hopefully it can keep pace with the evolution of attacks.
Process Overview:

1. Gather information
   - Get a list of attacking IPs from the client
     - whois/geoip profiling
   - Description of the attack traffic
     - SYN only
     - complete session
     - special request or execution
   - pcaps are nice
     - allow additional fingerprinting
     - spoofed or not?
2. Attack analysis
   - identify the weakness in the target
   - identify the weakness in the attack
3. Formulate recommendations
   - remediate target weakness
   - exploit attack weakness
An Example:
In the initial report we got a sample of source IPs and a description of the type of attack (e.g. SYN only). Our initial response is to request a pcap sample of the attack. While that is underway we take a look at the IP addresses from the first report. First there's a random sampling of IPs that we put through whois or geolocate to get an initial feel. In my random choice, it was Kazakhstan. A simple country code distribution of the full list had a heavy bias toward Russia and the Ukraine.
Looking at the attack style, it was reported as SYN-only. That kind of attack is easy to spoof, so I'm not so confident that the source IP addresses are accurate. I await the pcap.
Once it arrives we take a look at it in Wireshark or an equivalent tool just to get a feel for the data. Just by eyeballing it we confirm that the SYN-only report was accurate. Next we begin a more in-depth analysis to explore any theories that we may have. In my case, I'm interested in the validity of the source IPs. My approach is to build netflow data from the pcap and use that to filter out attackers from any legitimate customers that may have got through. I rely on argus to build the flow data and use a horrible combination of ra and awk to pull out the source IPs with flows that timed out or had 0 bytes returned from the target. I can then feed that list of IPs into the geo-locator to get a distribution of the attackers. Another data source is to passively fingerprint the attacking IPs and examine that distribution. I'm still using p0f for lack of a better alternative (although I did take Satori for a spin while writing this up).

Is it uniform? Or does it have the feel of an exponential distribution? I admit that this process is far from rigorous (my apologies to all who have real statistics backgrounds). The pcap itself is only a sample, so we're just looking to see if it's too random. In this case the distribution appears to be neither uniform nor clumped, so these IP addresses may be valid. Next we perform a similar plot of OS fingerprints.

Based on these observations we can get a feel if the source IPs are accurate or obviously-spoofed. In this case it still appears that these are legitimate IP addresses.
In addition to analyzing the source IPs, we give a similar treatment to the destination addresses. In this case, the stand-out is that it's only one IP that is targeted. This will play a factor in our recommendations below.
What does the attack look like? We've noted the SYN-only behavior, but are there other factors that could be leveraged? Things like TTL and byte size? Perhaps the source port of the attacks has a pattern? In this case the source port had a uniformly random distribution. The estimated distance of the attackers ranged from 6 to 30 hops, with most between 20 and 24 hops.
Now we have enough information to begin recommendations. Given that the attack is SYN-only, there are a number of SYN-flood defenses available at the server and the ISP-level. Additionally, if there is evidence that the attack is coordinated by IP address, we can exploit this weakness in the attack by moving the service over to a new IP and seeing how the attacker reacts.
Additional intelligence may be gained by paying extra attention to the outliers identified in the fingerprinting stage (for example the lone OpenBSD system or the handful of Linux systems.) These could be the systems that are monitoring the effect of the attack.
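The flow-based triage described above (sources whose SYNs never got a byte back, source-port randomness, TTL-derived hop distance), as an added example that is not part of the ISC diary and does not use argus, ra or awk. It works on a constructed list of packet summaries standing in for a pcap; the target address and all packet values are made up for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed packet summaries standing in for a pcap (not a real capture):
# (src, dst, sport, dport, tcp_flags, ttl, payload_len)
TARGET = "203.0.113.10"   # assumed victim address (documentation range)
PACKETS = [
    ("198.51.100.7", TARGET, 40001, 80, "S", 44, 0),    # SYN-only, never answered
    ("198.51.100.7", TARGET, 40002, 80, "S", 44, 0),
    ("198.51.100.7", TARGET, 40003, 80, "S", 44, 0),
    ("192.0.2.55", TARGET, 51000, 80, "S", 110, 0),     # SYN-only, never answered
    ("192.0.2.55", TARGET, 51001, 80, "S", 110, 0),
    ("192.0.2.200", TARGET, 52344, 80, "S", 52, 0),     # legitimate client: full handshake
    (TARGET, "192.0.2.200", 80, 52344, "SA", 63, 0),
    ("192.0.2.200", TARGET, 52344, 80, "PA", 52, 300),
    (TARGET, "192.0.2.200", 80, 52344, "PA", 63, 1200),
]
IP_TCP_HEADER = 40   # bytes counted per returned packet, roughly what a flow tool reports

def build_flows(packets, target):
    """Aggregate packets into per-source records: SYNs sent, bytes the target sent back,
    source ports used, and the last TTL seen (the netflow view of the capture)."""
    flows = defaultdict(lambda: {"syn": 0, "bytes_back": 0, "sports": [], "ttl": None})
    for src, dst, sport, dport, flags, ttl, plen in packets:
        if dst == target:
            f = flows[src]
            f["syn"] += flags == "S"
            f["sports"].append(sport)
            f["ttl"] = ttl
        elif src == target:
            flows[dst]["bytes_back"] += IP_TCP_HEADER + plen
    return flows

def suspect_sources(flows):
    """Sources that sent SYNs but got 0 bytes back: half-open flows that timed out."""
    return sorted(s for s, f in flows.items() if f["syn"] and f["bytes_back"] == 0)

def hop_estimate(ttl):
    """Distance from the nearest common initial TTL (64, 128, 255) at or above the observed one."""
    return next((init - ttl for init in (64, 128, 255) if ttl <= init), None)

def source_port_entropy(ports):
    """Shannon entropy in bits; close to log2(len(ports)) means the ports look uniformly random."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())

if __name__ == "__main__":
    flows = build_flows(PACKETS, TARGET)
    for src in suspect_sources(flows):
        f = flows[src]
        print(src, "syns:", f["syn"], "hops:", hop_estimate(f["ttl"]),
              "port entropy: %.2f" % source_port_entropy(f["sports"]))
```

The suspect list is what you would feed to the geo-locator or p0f; the hop estimate is the same TTL arithmetic p0f uses and is only a rough distance, since initial TTLs vary by OS.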
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
What's your worst-case scenario? Maybe you simply can't bear the thought of your Internet access getting cut (and by extension, your 24/7 stream of on-demand cat videos). Maybe you're actually on the run, leaving a trail of disposable prepaid cell phones and encrypted communications in your wake. Or maybe you've survived a war that makes Fallout look like a walk in the park, and you're holding the last bootable laptop on Earth. Well, don't just sit there and wait for it to happen--read on and prepare accordingly.
It's hard to remember now, but there was a time when Finland was at the center of the cell phone universe. No more. And partnering with Microsoft won't save them.
