Slide 1: EMEA Security Deployment Forum
Denial of Service Update
Peter Provart, Consulting SE, pprovart@cisco.com

Slide 2: Agenda
- Threat Update
- IOS Essentials
- HA!! HA!!

Slide 3: Threat Update: A Review

Slide 4: Threat Update
- Trojan distribution
- Gatslag: Trojans using valid ports for the return path
- Denial-of-service attacks directed at CPEs

Slide 5: Recent Activity
- Port 445 scans currently on the increase
- Deloader worm: scanning for default passwords
- Low risk (assuming proper password management!!)
- Seeding Trojans to launch DoS attacks

Slide 6: Internet Storm Centre, http://isc.sans.org

Slide 7: Internet Storm Centre, 4 hrs later

Slide 8: Today

Slide 9: DoS Attack Uses IP Protocol 0. What does this mean?

Slide 10: Hacker Steps
- Distribute Trojan
- Collect bots
- Botnet
- Launch attack

Slide 11: Distribute Trojan

Slide 12: Trojan Server Programs
- Pest: MSN Instant Messenger control program

Slide 13: BOTs
- !fLOOD;<size of packets>;<seconds to flood>;<IP to flood> (ICMP flood)
- !sPIKE;<size of packets>;<seconds to flood>;<IP to flood>;<port on IP> (ICMP + IGMP flood)
- !wEBGET <URL>

Slide 14: Hacker's Army
- Get user to execute code
- Small program to GET larger Trojan and install
- Installs Trojan server
- Kill antivirus, kill firewalls
- Backdoor to PC
- Control PC
- Download/upload files and execute
- Reboot PCs, control lots of stuff (CD drive)
- Trojan downloads BOTs
- Hybrid server + BOT
- Register to IRC, MSN channels

Slide 15: Botnets: Serious Damage
- Several botnets around
- 140,000 bots: CERT
- 1 Gbps/sec

Slide 16: DDoS: The Master Console
- Login to BOT to control it
- Encrypted key ensures only one hacker use
- Launch Pepsi attack
- Launch Packet attack
- Launch UDP flood

Slide 17: DDoS Reflective
[Diagram: reflective DDoS with a spoofed IP. Step 3: the boss sends Trojan commands through an IRC server on the Internet to a Windows PC (zombie, BOT) at Customer C. The bot sends low-volume SYNs to multiple ports on a defined list of public IP addresses (www.cnn.com, www.ebay.com, news/email/web servers behind SP1, SP2, SP3, a branch office, a corporate intranet, remote users on cable/DSL/ISDN and VPN) with the source spoofed as the target, www.foo.com. Those hosts reflect SYN-ACKs or resets back at the target.]

Slide 18: Denial-of-service Attacks Directed at Customers' CPE Routers

Slide 19: DoS the CPE: Risk Increases with Density
[Diagram: POP border routers on OC48/OC12 links, a "Big Aggregation Box" with nine ChOC12, and numbered customer routers 1 to 15.]
- Lots of aggregation routers with 10s to 100s of customers per router.
- Few aggregation routers with 100s to 1000s of customers per router.
- It is all about the number of customers per RU.

Slide 20: IOS Essentials in 15 Minutes

Slide 21: Terminology: Three-Plane Conceptual Model
- Data plane: packets going through the router.
- Control plane: the routing protocols gluing the network together.
- Management plane: the tools and protocols used to manage the device.

Slide 22: ISP Security Incident Response
An ISP operations team's response to a security incident can typically be broken down into six phases:
1. Preparation
2. Identification
3. Classification
4. Traceback
5. Reaction
6. Post Mortem

Slide 23: Preparation
- Prepare the planes: management, control, data
- Incident response team / CERT
- Wargame
- Analysis tools: ACLs, black hole routing, sink holes, backscatter

Slide 24: Identification Tools
- Customer phone call
- CPU load on router
- SNMP: watching the baseline and tracking variations/surges. Also looking for specific triggers (CPU and input buffer drops are the top two).
- SYSLOG: watching the baseline. Looking for specific triggers (SNMP authentication failure). Watching the ACL logs.
- Netflow: anomaly detection tools. Triggers on flow table overloads.
- Sink holes: look for backscatter.
Slide 25: Identifying an Attack through CPU Load
router> sh proc cpu
CPU utilization for five seconds: A%/B%; one minute: C%; five minutes: D%
- A: total CPU load
- B: CPU at interrupt level (note: B <= A)
- A-B: process switched traffic, CPU processes
(See: http://www.cisco.com/warp/public/63/highcpu.html)
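The slide gives the three numbers an operator reads off the first line of "show proc cpu" (total A, interrupt-level B, and A-B for process-switched load) and the SNMP slide before it says to watch them against a baseline. The script below is an added example, not part of the Cisco deck: it parses that summary line in the format the slide shows, derives A-B, and turns a sample into the verdict the slide implies (interrupt-level surge versus process-level surge) relative to a baseline the operator supplies. The thresholds and the three captures are constructed for illustration.

```python
import re

# First line of IOS "show processes cpu", in the A%/B%; C%; D% form shown on the slide.
CPU_LINE_RE = re.compile(
    r"CPU utilization for five seconds:\s*(?P<a>\d+)%/(?P<b>\d+)%;\s*"
    r"one minute:\s*(?P<c>\d+)%;\s*five minutes:\s*(?P<d>\d+)%"
)


def parse_cpu_line(text):
    """Extract A, B, C, D from 'show proc cpu' output and derive A-B.

    Returns None when the summary line is not present in the text.
    """
    m = CPU_LINE_RE.search(text)
    if m is None:
        return None
    a, b, c, d = (int(m.group(k)) for k in ("a", "b", "c", "d"))
    if b > a:
        # The slide's invariant: interrupt-level load is a part of the total load.
        raise ValueError("interrupt load B=%d exceeds total load A=%d" % (b, a))
    return {
        "total": a,          # A: total CPU load over the last five seconds
        "interrupt": b,      # B: CPU spent at interrupt level (packet switching)
        "process": a - b,    # A-B: process-switched traffic and IOS processes
        "one_min": c,
        "five_min": d,
    }


def classify_cpu(sample, baseline_total, surge=30, busy=80):
    """Turn a parsed sample into a verdict.

    baseline_total: the router's usual five-second total (what SNMP polling
                    has established as normal for this box).
    surge:          points above baseline that count as a surge (constructed threshold).
    busy:           absolute total that counts as busy whatever the baseline (constructed).
    """
    above_baseline = sample["total"] - baseline_total
    if sample["total"] < busy and above_baseline < surge:
        return "normal"
    if sample["interrupt"] >= sample["process"]:
        return "surge: interrupt level, packets being switched through the router"
    return "surge: process level, process-switched traffic or CPU processes"


def check_router(output, baseline_total):
    """Parse a whole 'show proc cpu' capture and classify it (None if unparsable)."""
    sample = parse_cpu_line(output)
    if sample is None:
        return None
    return classify_cpu(sample, baseline_total)


# Constructed captures, not taken from any real router.
QUIET = "CPU utilization for five seconds: 12%/8%; one minute: 11%; five minutes: 10%\n"
FLOOD = "CPU utilization for five seconds: 97%/91%; one minute: 88%; five minutes: 60%\n"
PUNTED = "CPU utilization for five seconds: 85%/10%; one minute: 80%; five minutes: 42%\n"

if __name__ == "__main__":
    for name, capture in (("quiet", QUIET), ("flood", FLOOD), ("punted", PUNTED)):
        sample = parse_cpu_line(capture)
        print(name, "A-B =", sample["process"], "->", check_router(capture, baseline_total=10))
```

The split matters for the reaction step: a surge that sits almost entirely at interrupt level is traffic being switched through the box, so rate limiting or filtering at the edge is the lever, whereas a large A-B points at packets being punted to the process path or at IOS processes themselves, which the highcpu document referenced on the slide walks through.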
Slide 26: Classification Technique
- Netflow
- ACL with logging
- Sink hole with analysis
- Show buffers: dumps input queue, a.k.a. the attack

Slide 27: Traceback
- Routing table, Internet Routing Registry
- Netflow: includes source and destination interfaces
- ACL with log-input: shows source interface
- ICMP: backscatter technique (unreachables)
- Hop-by-hop basis from source: IP source tracker

Slide 28: Reaction
- Do nothing.
- Pull plug on server
- Rate limit: CAR
- Drop at edge: uRPF + route -> Null0 + BGP trigger
- Must be FAST!!

Slide 29: Post Mortem
- Analyse the event: learn what happened, how you reacted, how to defend again.
- Evidence: prepare upfront. How to do capture, analysis, reporting and testifying.

Slide 30: Putting It All Together

Slide 31: Putting It All Together!!!: Preparation
[Diagram: routers A to G, with Peer A and Peer B at IXP-W, Upstream A, Upstream B, IXP-E, the Target behind router F, POP G and the NOC. Annotations: ACLs: RFC 2827; ACL: deny access to core; uRPF: loose; DSCP re-colouring; route Null0; rate limiting; RFC 2827 strict uRPF.]
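The preparation and reaction slides lean on three source-address checks at the edge: an RFC 2827 ingress ACL, loose uRPF, and strict uRPF, with "route -> Null0" as the trigger that makes uRPF drop a source. The model below is an added example, not part of the Cisco deck or IOS itself: it simulates those three checks against a small constructed FIB so the difference between them is visible on concrete packets. The interface names, the documentation prefixes and the rule that the default route is ignored unless allow-default is set (as on IOS) are the assumptions it makes.

```python
import ipaddress


class Fib:
    """Minimal forwarding table: longest-prefix match to an egress interface.

    An interface of 'Null0' models the 'route -> Null0' reaction on the slides.
    """

    def __init__(self, routes):
        self.routes = sorted(
            ((ipaddress.ip_network(prefix), iface) for prefix, iface in routes),
            key=lambda r: r[0].prefixlen,
            reverse=True,
        )

    def lookup(self, src):
        ip = ipaddress.ip_address(src)
        for net, iface in self.routes:
            if ip in net:
                return net, iface
        return None


def rfc2827_permits(src, customer_prefixes):
    """RFC 2827 ingress filter: the customer may only source its own addresses."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in customer_prefixes)


def _reverse_path(src, fib, allow_default):
    """Shared uRPF lookup; the default route only counts with allow-default."""
    hit = fib.lookup(src)
    if hit is None:
        return None
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return None
    return iface


def urpf_loose_permits(src, fib, allow_default=False):
    """Loose uRPF: any route back to the source passes, except a route to Null0."""
    iface = _reverse_path(src, fib, allow_default)
    return iface is not None and iface != "Null0"


def urpf_strict_permits(src, ingress_iface, fib, allow_default=False):
    """Strict uRPF: the best route back to the source must leave via the ingress interface."""
    return _reverse_path(src, fib, allow_default) == ingress_iface


def evaluate_source(src, ingress_iface, fib, customer_prefixes):
    """Apply all three checks to one packet's source address."""
    return {
        "rfc2827": rfc2827_permits(src, customer_prefixes),
        "urpf_loose": urpf_loose_permits(src, fib),
        "urpf_strict": urpf_strict_permits(src, ingress_iface, fib),
    }


# Constructed FIB and customer allocation (documentation prefixes, not real addresses).
FIB = Fib([
    ("0.0.0.0/0", "Upstream-A"),       # default route towards the upstream
    ("192.0.2.0/24", "Customer-C"),    # the customer behind the edge interface
    ("198.51.100.0/24", "Peer-B"),     # a prefix learnt from a peer
    ("203.0.113.0/24", "Null0"),       # a prefix black-holed as a reaction
])
CUSTOMER_C = ["192.0.2.0/24"]

if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "10.9.9.9"):
        print(src, evaluate_source(src, "Customer-C", FIB, CUSTOMER_C))
```

Running it shows why the slides place strict uRPF or an RFC 2827 ACL at the customer edge and loose uRPF further in: a customer spoofing a peer's address passes loose uRPF (the peer's prefix is in the FIB) but fails both edge checks, while a Null0 route for a prefix makes loose uRPF drop anything sourced from it without touching an ACL.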
Slide 32: Putting It All Together!!!: Analysis
[Same diagram: Peer A and Peer B at IXP-W, Upstream A, Upstream B, IXP-E, routers A to G, the Target behind router F, POP G, NOC. Annotations: triggered shunt to analysis box; classification: ACL, Netflow, show buffer; sink hole router: backscatter; BGP trigger router.]

Slide 33: Putting It All Together!!!: Reaction
[Same diagram. Annotations: black hole: destination; uRPF: source; rate limit: CAR; ACL to block incoming traffic; BGP trigger router.]

Slide 34: Summary
- Defence in depth: achieved through comprehensive use of ALL BCPs in a layered approach.
- Work together
- Trust
- Traceback
- Post mortem

U_ZSE305719_07_2002_c1 © 2002, Cisco Systems, Inc. All rights reserved.