APPENDIX 1. DDoS RULES



Similar documents
CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Denial Of Service. Types of attacks

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

CIAC. Distributed Denial of Service Trin00, Tribe Flood Network, Tribe Flood Network 2000, And Stacheldraht CIAC Paul J.

Strategies to Protect Against Distributed Denial of Service (DD

Firewalls and Intrusion Detection

Lab exercise: Working with Wireshark and Snort for Intrusion Detection

DDos. Distributed Denial of Service Attacks. by Mark Schuchter

Detecting Attacks. Signature-based Intrusion Detection. Signature-based Detection. Signature-based Detection. Problems

Introduction to Intrusion Detection and Snort p. 1 What is Intrusion Detection? p. 5 Some Definitions p. 6 Where IDS Should be Placed in Network

Analysis of Network Packets. C DAC Bangalore Electronics City

Intrusion Detection and Prevention

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

Network Forensics (DDoS/Distributed Denial of Service Attack)

Denial of Service (DoS) Technical Primer

Denial of Service. Tom Chen SMU

Exercise 7 Network Forensics

Yahoo Attack. Is DDoS a Real Problem?

EZ Snort Rules Find the Truffles, Leave the Dirt. David J. Bianco Vorant Network Security, Inc. 2006, Vorant Network Security, Inc.

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

Gaurav Gupta CMSC 681

Distributed Denial of Service Attack Tools

Firewall Firewall August, 2003

Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Secure Software Programming and Vulnerability Analysis

Classification of DDoS Attacks and their Defense Techniques using Intrusion Prevention System

Working with Snort Rules

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

How Do I Upgrade Firmware and Save Configurations on PowerConnect Switches?

Denial of Service (DoS)

: SENIOR DESIGN PROJECT: DDOS ATTACK, DETECTION AND DEFENSE SIMULATION

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals

Deployment of Snort IDS in SIP based VoIP environments

Denial of Service (DoS) attacks and countermeasures. Pier Luigi Rotondo IT Specialist IBM Rome Tivoli Laboratory

Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures

Implementing Secure Converged Wide Area Networks (ISCW)

Distributed Denial of Service

A Senior Design Project on Network Security

SECURING APACHE : DOS & DDOS ATTACKS - II

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Modern Denial of Service Protection

JOOMLA REFLECTION DDOS-FOR-HIRE

Analysis of a DDoS Attack

Firewall Defaults and Some Basic Rules

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

Setting Up Scan to SMB on TaskALFA series MFP s.

Lesson 5: Network perimeter security

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

How To - Implement Clientless Single Sign On Authentication with Active Directory

CS 356 Lecture 16 Denial of Service. Spring 2013

Lab Conducting a Network Capture with Wireshark

Classification of Distributed Denial of Service Attacks Architecture, Taxonomy and Tools

Snort ids. Alert (file) Fig. 1 Working of Snort

Determine if the expectations/goals/strategies of the firewall have been identified and are sound.

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

[ X OR DDoS T h r e a t A d v i sory] akamai.com

Network Security -- Defense Against the DoS/DDoS Attacks on Cisco Routers

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Stop that Big Hack Attack Protecting Your Network from Hackers.

AN INFRASTRUCTURE TO DEFEND AGAINST DISTRIBUTED DENIAL OF SERVICE ATTACK. Wan, Kwok Kin Kalman

Attack Detection and Response with Linux Firewalls

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

How To Classify A Dnet Attack

IDS and Penetration Testing Lab III Snort Lab

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

Network Security, ISA 656, Angelos Stavrou. Snort Lab

Lab Objectives & Turn In

Connecting your Virtual Machine to the Internet. BT Cloud Compute. The power to build your own cloud solutions to serve your specific business needs

Appendix D Firewall Log Formats

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Seminar Computer Security

Introduction of Intrusion Detection Systems

+ iptables. packet filtering && firewall

Securing Cisco Network Devices (SND)

NB6 Series Quality of Service (QoS) Setup (NB6Plus4, NB6Plus4W Rev1)

Queuing Algorithms Performance against Buffer Size and Attack Intensities

A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS

How To Prevent DoS and DDoS Attacks using Cyberoam

Efficacy of Live DDoS Detection with Hadoop

TROUBLESHOOTING GUIDE

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

Denial of Service Attacks

Attack Lab: Attacks on TCP/IP Protocols

Configuring Snort as a Firewall on Windows 7 Environment

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

FIREWALL AND NAT Lecture 7a

Transcription:

139 APPENDIX 1 DDoS RULES 1. alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:" DDoS TFN Probe"; id: 678; itype: 8; content: "1234";reference:arachnids,443; classtype:attempted-recon; sid:221; 2. alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ddos tfn2k icmp possible communication"; itype: 0; icmp_id: 0; content: "AAAAAAAAAA"; reference:arachnids,425; classtype:attempted-dos; sid:222; 3. alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"ddos Trin00\:DaemontoMaster(PONGdetected)"; content: "PONG";reference:arachnids,187;classtype:attempted-recon; sid:223; 4. alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ddos TFN client command BE"; itype: 0; icmp_id: 456; icmp_seq: 0; reference:arachnids,184; classtype:attempted-dos; sid:228; 5. alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"ddos shaft client to handler"; flow:established; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:2;) 6. alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"ddos Trin00\:DaemontoMaster(messagedetected)"; content: "l44";reference:arachnids,186; classtype:attempted-dos; sid:231;

140 7. alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"ddostrin00\:daemontomaster(*hello*detected); content: "*HELLO*"; reference:arachnids,185; reference:url, www.sans. org/newlook/resources/idfaq/trinoo.htm; classtype:attempted-dos; sid:232; rev:2;) 8. alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"ddos Trin00\:Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference: arachnids,197; classtype:attempted-dos; sid:233; rev:2;) 9. alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"ddos Trin00 Attacker to Master default password"; flow:established,to_server; content:"gorave"; classtype:attempteddos; sid:234; rev:2;) 10. alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"ddos Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; classtype:bad-unknown; sid:235; rev:2;) 11. alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"ddostrin00\:mastertodaemon(defaultpassdetected!)"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; 12. alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ddos TFN server response"; itype:0; icmp_id:123; icmp_seq:0; content: "shell bound to port"; reference:arachnids,182; classtype:attempted-dos; sid:238; rev:4;) 13. alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"ddos shaft handler to agent"; content: "alive tijgu"; reference:arachnids,255; classtype:attempted-dos; sid:239; 14. alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"ddos shaft agent to handler"; content: "alive"; reference:arachnids,256; classtype:attempted-dos; sid:240;

141 15. alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ddos shaft synflood"; flags: S,12; seq: 674711609; reference:arachnids,253; classtype:attempted-dos; sid:241; rev:3;) 16. alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"ddos mstream agent to handler"; content: "newserver"; classtype:attempted-dos; sid:243; 17. alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"ddos mstream handler to agent"; content: "stream/"; reference:cve,can-2000-0138; classtype:attempted-dos; sid:244; 18. alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"ddos mstream handler ping to agent" ; content:"ping"; reference:cve,can-2000-0138; classtype:attempted-dos; sid:245; 19. alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"ddos mstream agent pong to handler" ; content: "pong"; classtype:attempted-dos; sid:246; 20. alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"ddos mstream client to handler"; content: ">"; flow:to_server,established; reference:cve,can-2000-0138; classtype:attempted-dos; sid:247; rev:2;) 21. alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"ddos mstream handler to client"; content: ">"; flow:to_client,established; reference:cve,can-2000-0138; classtype:attempted-dos; sid:248; rev:2;) 22. alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"ddos mstream client to handler"; flags: S,12; reference:arachnids,111; reference:cve,can-2000-0138; classtype:attempted-dos; sid:249; rev:2;) 23. alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"ddos mstream handler to client"; flow:from_server,established; content: ">"; reference:cve,can-2000-0138; classtype:attempted-dos; sid:250; rev:2;)

142 24. alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ddos - TFN client command LE"; itype: 0; icmp_id: 51201; icmp_seq: 0; reference:arachnids,183; classtype:attempted-dos; sid:251; 25. alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"ddos Stacheldraht server spoof"; itype: 0; icmp_id: 666; reference:arachnids,193; classtype:attempted-dos; sid:224; rev:2;) 26. alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ddos Stacheldraht gag server response"; content: "sicken"; itype: 0; icmp_id: 669; reference:arachnids,195; classtype:attempteddos; sid:225; rev:3;) 27. alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ddos Stacheldraht server response"; content: "ficken"; itype: 0; icmp_id: 667; reference:arachnids,191; classtype:attempted-dos; sid:226; rev:3;) 28. alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ddos Stacheldraht client spoofworks"; content: "spoofworks"; itype: 0; icmp_id: 1000; reference:arachnids,192; classtype:attempteddos; sid:227; rev:3;) 29. alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ddos Stacheldraht client check gag"; content: "gesundheit!"; itype: 0; icmp_id: 668; reference:arachnids,194; classtype:attempteddos; sid:236; rev:3;) 30. alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ddos Stacheldraht client check skillz"; content: "skillz"; itype: 0; icmp_id: 666; reference:arachnids,190; classtype:attempted-dos; sid:229; rev:2;) 31. alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"ddos Stacheldraht handler->agent (niggahbitch)"; content:"niggahbitch"; itype:0; icmp_id:9015; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:2;)

143 32. alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"ddos Stacheldraht agent->handler (skillz)"; content:"skillz"; itype:0; icmp_id:6666; reference:url,staff.washington. edu/dittrich/ misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:2;) 33. alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"ddos Stacheldraht handler->agent (ficken)"; content:"ficken"; itype:0; icmp_id:6667; reference:url,staff. washington. edu/dittrich/misc/stacheldraht.analysis; classtype: attempted- dos; sid:1856; rev:2;)

144 APPENDIX 2 STACHELDRAHT Stacheldraht is more stable and sophisticated than Trin00, TFN, TFN2K and mstream DDoS tools. It is capable of launching attacks in ICMP, UDP and TCP protocols. The attack traffic generated in the testbed is a mixture of TCP SYN flood, ICMP_ECHO flood and UDP flood packets. A.2.1 STACHELDRAHT SOURCE FILES DDoS tools can be easily located in the Internet. Each tool contains different files but the file structures are similar among DDoS tools. Users need to identify the files for client (Source attack machine), handler and agents of their chosen tools. For StacheldrahtV4, the source files are in the main folder reside directly under the Two additional folders master server client files are stored under the source files for agents while the The main files for master server client, handler and agents are executable filenames after compilation.

145 Table A 2.1 Stacheldrahtv4 Files Client Handler Agent Encryption Stacheldrahtv4 Stacheldrahtv4 Stacheldrahtv4 Stacheldrahtv4 /telnetc/ / /leaf/ / bf_tab.h telnetc bf:tab.h blowfish.c client.c bf_tab.h config.h blowfish.h makefile config.h config.h.in makefile control.h mserv.c icmp.c tubby.h makefile sysn.c td.c tubby.h udp.c Executables client mserv td A.2.2 ATTACK TRAFFIC GENERATION The Stacheldraht tool can be freely downloaded from the internet and slightly modified for testbed conditions as below: 1. The communication port between client machine (the MASTERSERVERPORT in client.c) and handler machine (MSERVERPORT in mserv.c) were set to the same port number. 2. The IP address of the handler (LOCALIP value in the mserv.c) and handler address of agent (MSERVER1 value in td.c) were set to the same IP address.

146 3. The communication port between agent and handler (COMMANPORT in both mserv.c and td.c) were set to the same value. 4. A password was encrypted using blowfish.c. The handler password (SALT in mserv.c) was set to this encrypted value and is used for the communication between the agents and handler. 5. The three executables client for attack source, mserv for handler and td for agent are created and placed in the appropriate machines. Start the client, handler and agent programs. Check if the handler is running or not. (Command : ps -e grep mserv). The handler checks the number of alive and dead agents. Launch attack against target machine using UDP flooding attack (Command :.mudp <target address>), ICMP flooding attack (Command :.micmp <target address>) and TCP SYN attack (Command :.msyn <target address>). To end attack execute stop command at all the agent machines (Command :.mstop all) and exit Stacheldraht (Command :.quit).

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information