ANATOMY OF A CODE RED II ATTACK



Similar documents
Network Management and Monitoring Software

Network Instruments white paper

Security Toolsets for ISP Defense

THE VALUE OF NETWORK MONITORING

How To Protect Your Network From Attack From A Hacker On A University Server

Introduction of Intrusion Detection Systems

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team

Fifty Critical Alerts for Monitoring Windows Servers Best practices

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

INTRUSION DETECTION SYSTEMS and Network Security

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

Monitoring Microsoft Exchange to Improve Performance and Availability

Using Application Response to Monitor Microsoft Outlook

Second-generation (GenII) honeypots

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

Data Security Incident Response Plan. [Insert Organization Name]

5 Steps to Avoid Network Alert Overload

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

How To Prevent Hacker Attacks With Network Behavior Analysis

1. Thwart attacks on your network.

HoneyBOT User Guide A Windows based honeypot solution

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

technical brief Optimizing Performance in HP Web Jetadmin Web Jetadmin Overview Performance HP Web Jetadmin CPU Utilization utilization.

Firewalls, Tunnels, and Network Intrusion Detection

Chapter 9 Firewalls and Intrusion Prevention Systems

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

Endpoint Security Console. Version 3.0 User Guide

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

Stephen Coty Director, Threat Research

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

Network Security Policy

Firewalls Overview and Best Practices. White Paper

Taxonomy of Intrusion Detection System

THE ROLE OF IDS & ADS IN NETWORK SECURITY

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

State of Vermont. Intrusion Detection and Prevention Policy. Date: Approved by: Tom Pelham Policy Number:

PROFESSIONAL SECURITY SYSTEMS

pc resource monitoring and performance advisor

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

1. Firewall Configuration

Signal Customized Helpdesk Course

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA

10 Configuring Packet Filtering and Routing Rules

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Presenting Mongoose A New Approach to Traffic Capture (patent pending) presented by Ron McLeod and Ashraf Abu Sharekh January 2013

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

FIREWALL CLEANUP WHITE PAPER

Datasheet. Cover. Datasheet. (Enterprise Edition) Copyright 2015 Colasoft LLC. All rights reserved. 0

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Firewall Firewall August, 2003

Lab Configure IOS Firewall IDS

Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT

WHITE PAPER WHAT HAPPENED?

KERIO TECHNOLOGIES KERIO WINROUTE FIREWALL 6.4 REVIEWER S GUIDE. (Updated April 14, 2008)

Ohio Supercomputer Center

The Evolution of Information Security at Wayne State University

Presentation Title: When Anti-virus Doesn t Cut it: Catching Malware with SIEM

TNT SOFTWARE White Paper Series

Understand Troubleshooting Methodology

Sorting out SIEM strategy Five step guide to full security information visibility and controlled threat management

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.

How To Manage Your Information Systems At Aerosoft.Com

Breach Found. Did It Hurt?

SERVICE LEVEL AGREEMENT

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy

Building Your Firewall Rulebase Lance Spitzner Last Modified: January 26, 2000

Firewalls & Intrusion Detection

Banking Security using Honeypot

Zoo Atlanta installs an IBM Proventia Network Multi-Function Security system to guard against Internet threats and spam.

GFI White Paper PCI-DSS compliance and GFI Software products

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

74% 96 Action Items. Compliance

IBM. Vulnerability scanning and best practices

Cisco IPS Tuning Overview

Network- vs. Host-based Intrusion Detection

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Monitoring Web Applications with Application Response

Windows 7, Enterprise Desktop Support Technician

Secure Software Programming and Vulnerability Analysis

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01

Name. Description. Rationale

Global Partner Management Notice

Windows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led

Using a Firewall General Configuration Guide

Internet Security Protecting Your Business. Hayden Johnston & Rik Perry WYSCOM

always on meet the it department PROPHET managed services ebook Business Group Meet the Always On IT Department

Environmental Management Consolidated Business Center (EMCBC) Subject: Cyber Security Incident Response

Microsoft Software Update Services and Managed Symantec Anti-virus. Michael Satut TSS/Crown IT Support

Information Technology Services

CSCI 4250/6250 Fall 2015 Computer and Networks Security

PATROL From a Database Administrator s Perspective

TECHNICAL NOTE 10/03 DEPLOYMENT GUIDANCE FOR INTRUSION DETECTION SYSTEMS

ABB s approach concerning IS Security for Automation Systems

Transcription:

ANATOMY OF A CODE RED II ATTACK IMPROVING FIREWALL SECURITY USING PATROL FOR CHECK POINT FIREWALL-1 BILL KENNON, SENIOR SOFTWARE CONSULTANT BMC SOFTWARE, INC 1

The Surprise Attack As the NT Systems Administrator for the XYZ Widget Corporation, you ve had a typically busy week. In between the numerous phone calls, staff/status/planning meetings, assisting the DBA staff with a database upgrades, testing changes to the DNS server, installing additional user account licenses for a Sales support application, and assisting the Network Administrator with remote dialup email access to the Web site, you re still tuning the new Web-based Commerce application and server environment to handle a steady rise in widget sales. You noticed that the primary IIS Web Server is operating a little slower than usual today. However, since the new Commerce site went live, Web Server transaction volume normally peaks in the early afternoon and slower CPU and memory performance isn t unusual during this time period. You make a mental note to take a closer look after lunch, just to be sure. It s 2:50 PM and you ve finally taken a moment to eat your lunch when your phone rings again. Only this time it s the Vice President of Sales wanting to know why the new Commerce site suddenly can t be accessed for the customer demonstration that is going to take place in exactly 10 minutes! You have to put her on hold to check your beeper it s the Chief Security Officer and no sooner do you promise the Vice President that you ll get right on it than who should appear at your door but your boss wanting to know What s wrong with the Web site?. Together, you conference in the Chief Security Officer only to find that the Firewall Administrator is reporting a significant spike in log entries affecting memory and CPU consumption on the firewall node protecting the primary IIS Server. Within the past 15 minutes, the Network Administrator detected router problems including a large number of ARPs/ARP storms in the network, excessive ARP Input memory use, and high CPU utilization. An urgent call from Operations confirms that the primary IIS server is rapidly grinding to a halt, and two other IIS servers are quickly reaching critical CPU and memory saturation levels. It appears that somehow a virus is resident within your secure perimeter and your new Commerce system is under hostile attack. How could this be? XYZ Widget Corporation takes security very seriously. The latest firewall and virus detection technologies are deployed and regularly maintained. You know that attacks can t be prevented, but XYZ Widget Corporation has been able to fend off previous intrusion attempts (from script kiddies as they re known within the industry) with little to no negative impact. Is it possible that this attack may have been carried out by a professional, known within the industry as a blackhat? More importantly, how do detect and stop this attack? It s at that moment that you recall this morning s warning about a brand new Denial of Server (DoS) attack called Code Red II. In fact, your To-Do list includes a new entry to search for patches from Microsoft. A quick scan of the Code Red II warning gives you several options to prevent the attack, such as blocking all traffic to port 80, the well known WWW port, but it will take precious time to locate the infected device(s), build the access-list to deny IP packet access to port 80, and apply it inbound on the interface 1

facing the infection source. Every minute that it takes to identify and respond means another minute of downtime, unhappy customers, distressed Vice Presidents, and lost business. Regardless of your reaction time and the resultant level of impact to XYZ s bottom line, this is an event you won t soon forget. This time the attacker wins, and you ll resign yourself to learning a painful, timeconsuming, expensive lesson. But you resolve that next time you ll be ready. You realize that budget constraints and the pressure to bring critical systems back online as quickly as possible will make it tough to diagnose hacker attacks. But if you could only understand how this attack occurred and, even better, if you could track the violator s actions as they happened, you could develop the forensics to prevent this scenario in the future 2

PATROL Detecting Code Red II Code Red II represents one of the latest in a series of increasingly devious and malicious threats to systems and networks worldwide. Simply perform an Internet search for Code Red II or Nimda to view a list of various organizations that were affected by these two recent attacks despite significant investments in firewall and related security protection. In today s climate of rapid technical evolution, constant environment changes, and malicious hackers, Code Red II, Nimda, and similar threats are successful despite the most stringent measures. These measures include enterprise Security Policies, the latest firewall technology, and strictest adherence to test, upgrade, and maintenance procedures. Although attacks cannot be prevented, technology is available that provides the detection, notification, and recovery capabilities not only to reduce Code Red II (and similar) threats but to also gather knowledge about the attack that can be used to frustrate and/or trap attackers in the future. PATROL for Check Point FireWall-1 from BMC Software, Inc., provides comprehensive firewall health management, detection and notification of unusual activity and problems, as well as the ability to automatically recover from detected impacts. BMC recently released PATROL for Check Point FireWall-1 v1.3 containing enhanced Denial of Service (DoS) capabilities to notify administrators of early DoS symptoms and help administrators prevent these attacks from causing network and system problems. The following is a real-life example of BMC Software, Inc. s PATROL performance in a network environment that was threatened by Code Red II. The Setting On Friday, August 3, 2001, one or more computers inserts the Code Red II virus into the internal network of a large corporation. Kennon2.xyz.com is the NT server where the Check Point FireWall-1 v4.1 management module and PATROL for Check Point FireWall-1 v1.3 are installed. This server is a 300mhz Pentium II processor with 128mb of memory and 16gb IDE hard drive, and runs NT 4.0 service pack 6. It is triple homed, with 172.23.5.36 defined as the external / real IP address and 192.168.15.1 defined as an internal / NAT address range (SCDEMO and 2815A domains). 10.0.0.1 is the second internal / NAT address range and is largely idle. What is unique about this firewall is that it performs as a honeypot, positioned inside the network to look at the corporate network as the outside or untrusted Internet zone. The remainder of this paper presents the attack in total as witnessed and documented by PATROL. There are numerous points during the attack where unusual activity is detected, normally leading to immediate preventive action. However, the attack was allowed to complete its activities for the purpose of documenting the entire procedure. The SCDEMO domain comprises a test lab of roughly 20 servers including Web servers that is used for testing and education. It is typically never accessed by any outside/external contacts and is not published as an available resource. Normally, the 3

SCDEMO Web servers are very lightly loaded except for programmed tests, which were not taking place during the attack. The Attack Begins Based on traffic analysis, at approximately 2:30PM, the virus initiates port scans and intrusion attempts on specific networked machines. Normally kennon2.bmc.com runs at about 10% CPU utilization, 70mb memory free, and about 200 log entries (Firewall events) per minute. Refer to Chart 1 below. During normal activity the log entries appear rhythmic, with predictable peaks and valleys reflecting business activity levels and traffic patterns on the network. Most networks display a similar rhythmic activity cycle, making it possible to extrapolate the baselines needed to understand variances from normal behavior. Chart 1: Normal Activity, average of 200 log entries per minute 4

On Saturday morning August 4, the log entries spike to over 200,000 per minute in about 20 minutes. This indicator alone is enough to warn an administrator of attack. In addition, for the next several days kennon2.xyz.com continues to report unusually high levels of log activities, occasional spikes in port scan attacks, and abnormally high levels of accepted and dropped packets to port 80. Chart 2: Anomalous Log Entry Behavior begins Saturday morning 5

Chart 3. The firewall anomaly tracks with Port 80 activity Web Servers are Probed While there are web servers in the SCDEMO domain, there is no reason for Port 80 traffic to be going to those servers from the other side of the firewall (the XYZ corporate network). Clients accessing the Web servers in the SCDEMO domain normally originate within that domain, so no URLs in the domain are explicitly published for external use. During the attack, port 80 inbound activities increases from 0 to about 50 packets dropped (Refer to Chart 3). There are no firewall policy rules stating that port 80 traffic should be dropped except for traffic directed at the firewall itself. The firewall explicitly drops all traffic defined to its own IP address (172.23.5.36) except for that originating from certain management workstations, so the excessive amount of traffic directed at port 80 is highly suspect. During the same period the firewall shows several thousand port 80 packets accepted per discovery cycle. So, while it appears that the high volume of port 80 traffic directed at the firewall represents attempts to breach the firewall host itself, the accepted port 80 6

traffic indicates the same sort of scanning against the hosts inside the firewall. In Charts 5 and 6, we see the accepted port 80 packets correlating well with the log entries, and showing an activity level well above average. Again, port 80 packets are generally near zero for this network, so settings for each network should be baselined in order to detect what type of activity would be considered abnormal. Chart 4: These are port 80 packets accepted 7

Chart 5: Chart of port 80 inbound (accepted) and log entries show perfect correlation Chart 5 shows both the port 80 inbound (accepted) and log entries. The correlation in the time line is perfect and indicates that port 80 was the targeted port in this particular case. Note that log entries indicate an increase of 400% to 500% of actual port 80 traffic during peak periods probably machines scanning for servers to attack. After the ferocious period of scanning, the log entries and port 80 traffic merge (Refer to Chart 6). 8

Chart 6: Activity during worm activity merge of log entries and port 80 inbound Chart 6 shows a time slice from a period of less activity. It is possible to see the sawtooth pattern of the port activity and log activity which at this time is a perfect 1 to 1 correlation. Apparently scans have all but ceased and now infected machines are trying to insert the worm into other servers. Attempts to infect three patched machines behind the firewall fail but apparently continue for some time. This is one persistent worm. Finding the Culprits Interestingly, when the first attack hit on Saturday morning, only a few directed port scans were recorded by the firewall as such. As Chart 7 indicates, the attacks occurred in singular fashion, and were destined to specific ports inside the firewall. However, any port scan by a machine on the inside should be considered cause for alarm. Several scans are by the same machine an absolute cause for alarm. 9

Chart 7: DoS attacks for timeline (Port Scan) The annotated datapoints in Chart 8 show how PATROL traps and displays specific IP addresses that originate the port scan. If XYZ Corporation had installed PATROL on the firewall management machine, PATROL would have detected this activity, alerted on it, and issued a recovery action, such as turning off a segment on a switch that owned the attacking machine. This action alone could have thwarted or at least delayed the attack. 10

Chart 8 Chart 9 To maximize the forensic capability of PATROL, it is important to be able to analyze history of at least 4 days, so that an attack over a period of time (a weekend) can be dissected. With the use of annotation and an effective notification system, such as PATROL Event Manager, operations support staff can receive immediate detailed notification of anomalous activity during off hours. Chart 9 shows the first machine that committed a port scan, in this case a spoof attack where a machine in the external (172.x.x.x) network uses an internal (192.168.158.99) IP address to call itself. 11

Chart 10: Infected machine inside SCDEMO 192.168.15 network Chart 10 shows an infected machine behind the firewall. PATROL detection demonstrates that a machine inside the network is attempting an outbound scan. Again, this represents a point where a recovery action could shut down the attack. This is obviously an infected machine. Summary As noted previously, there is no method to prevent attacks like Code Red II. However, had the XYZ security management personnel deployed PATROL in a honeypot implementation as described in this paper, this attack could have been detected and stopped before it could run its course. When the DoS attack started, the honeypot would attract packets sent at the abnormally high level. PATROL would have satisfied critical security management requirements quickly notify and identify the attacking source, and immediately identify the location of the attack. By setting alarm thresholds to trigger notification, and utilizing annotation to trap source/location information, PATROL would have provided rapid assistance to determine the addresses and networks of the attackers. With this information in hand, administrators could isolate the internal machine/s that are sending packets, or, if they are coming from the Internet, to program the router to drop those packets from the networks where the attacks were originating. 12

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information