Storming the Castle: DDoS and Active Network Defenses - 11:30 - 12:15 November 8.

Slide 3) Harlech Castle's Gatehouse
A reasonably secure router interface. Built in 1239 in Wales under Edward I. Withstood a siege during a Welsh rebellion in 1294, and fell during another in 1404 when the garrison was reduced to a mere 21 men threatened by starvation. In 1408 it fell after an eight-month siege. It was the last stronghold of the Lancastrians during the Wars of the Roses and didn't fall until 1468, withstanding a seven-year siege. During the English Civil War it was the last Royalist stronghold to fall, holding out for two years after the King himself had been caught.

Slide 4) Secure Castles, Insecure Roads
Castles began with hill forts in Neolithic times (between 8500 BC and 2500 BC) through to the Roman era. Medieval castles are evident from the Carolingian era, with construction primarily for frontiers. However, the right to fortify was almost invariably a royal privilege. They are very good at protecting! But as raiders (such as Magyars, Vikings and Saracens) found their way around frontier castles, there was greater political pressure to decentralise. The siege of a castle was primarily a war of attrition ("siege" comes from the Latin for "sitting"). The fortification cannot be easily defeated and will not surrender. The advent of gunpowder in the Middle Ages signalled a change in the purpose of a castle: from being purely a military building, it became increasingly a residential one.

Slide 5) Protect the Castle, Protect the Roads
The Southern Song Chinese held out against an enormous barrage of attacks: first the Khitans, the Tanguts, the Jurchens, and finally the Mongols. They had technological superiority in the form of gunpowder (i.e. early flamethrowers, grenades, firearms, cannons, and land mines). That's one path to protection: technological superiority. A second path is to move from an attrition warfare model to maneuver warfare.
In attrition warfare the enemy is a collection of targets to be found and destroyed. In contrast, maneuver warfare advocates strategic movement and the destruction of selected enemy targets (command and control centers, logistical bases, fire support assets, etc.) combined with isolation of enemy forces and the exploitation, by movement, of enemy weaknesses.
- Bypass enemy strongpoints (e.g., the Maginot Line).
- Use firepower for suppression or at breakthrough points rather than for destroying large numbers of the enemy.
- Use infiltration and special operations forces to cause chaos behind enemy lines.
Obey the Clausewitzian Center of Gravity (COG) concept. Is a COG the source of strength or the critical vulnerability? Leonhard summarizes maneuver warfare theory as: preempt, dislocate, and disrupt the enemy as alternatives to the destruction of enemy mass through attrition warfare.

Slide 6) 'Bots: The Enemy Is Within!
A botnet is a term used for a collection of software robots (zombies) which run autonomously on groups of computers (castles) that have been infected (breached) and are controlled remotely by crackers (evil wizards). A botnet's originator controls the group remotely (typically managed through an IRC server or a specific channel on a public IRC network). Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, remote procedure calls). Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet. It has been estimated that up to one quarter of all personal computers connected to the Internet are part of a botnet.

Dutch example, October 21, 2005: http://www.techweb.com/wire/security/172303160 The three suspects, ages 19, 22, and 27, were arrested Oct. 6 on charges of threatening a U.S. firm with denial-of-service (DoS) extortion.
25% figure: Thursday, 25 January 2007, http://news.bbc.co.uk/2/hi/business/6298641.stm "Up to a quarter of computers on the net may be used by cyber criminals in so-called botnets, said Vint Cerf. The panel of leading experts was discussing the future of the internet at the World Economic Forum in Davos."

Slide 7) Wikipedia's Informative Illustration
This example (thank you, Wikipedia) illustrates how a botnet is created and used to send email spam.
1. A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a trojan application.
2. The bot on the infected PC logs into a particular IRC server (or in some cases a web server). That server is known as the command-and-control server (C&C).
3. A spammer purchases access to the botnet from the operator.
4. The spammer sends instructions via the IRC server to the infected PCs, causing them to send out spam messages to mail servers.
Or, in the medieval-fantasy metaphor, the roads are full of zombies trying to sell you penis growth pills! Legitimate trade is disrupted, the castle is under siege and starving.

Slide 8) The Coming Storm
The Storm botnet was identified in mid-January. It exploits holes in MS-Windows operating systems, pretty much every version of Windows except Windows 2003 (cf. Kevin Spiess, Friday, September 7th, 2007, http://www.neoseeker.com/news/story/7103/). In late January spamhaus.org was attacked by the Storm Worm DDoS, although it seems to have been an unintended target (cf. http://www.secureworks.com/research/threats/storm-worm/?threat=storm-worm). The Storm botnet and its variants employ a variety of attack vectors, and an equally wide variety of defensive steps exist as well. The DDoS attack makes massed parallel network calls to target IP addresses, overloading the servers. Mail security company Postini recently said that during the most recent Storm Worm flood, it saw 120 million attack e-mails in the span of five days.
August 2, 2007, http://www.networkworld.com/news/2007/080207-black-hat-storm-worms-virulence.html (British Computer Society): At its height the virus accounted for 8% of all infections globally; over 1.2 billion virus messages have been sent, including a record 57 million on August 22 alone.

http://ieet.org/index.php/IEET/more/dvorsky20070927/, posted Sep 24, 2007 (Institute for Ethics and Emerging Technologies): On September 25th, a Microsoft update to the Windows Malicious Software Removal Tool removed Storm from approximately 274,372 infected systems out of 2.6 million scanned Windows systems.

On October 21, Brandon Enright, a network security analyst at UC San Diego, claimed the worm has been shrinking steadily and is presently a shadow (c. 10%) of its former self. (http://www.pcworld.com/article/id,138721-c,virusesworms/article.html)

But.... Around October 15, 2007 it was uncovered that portions of the Storm botnet and its variants were for sale, using unique security keys in the encryption which allow each segment, or sub-section, of the Storm botnet to communicate only with a section that has a matching security key. If Storm is broken up for the malware market, in the form of a "ready-to-use botnet-making spam kit", the world could see a sharp rise in the number of Storm-related infections and compromised computer systems. (cf. Storm Worm botnet up for sale, http://tech.blorge.com/Structure:%20/2007/10/15/researcher-storm-worm-botnet-up-for-sale/ and The balkanization of Storm Worm botnets, http://www.channelregister.co.uk/2007/10/15/storm_trojan_balkanization/)

Slide 9) Storm 'Bots Internals
Back-end servers automatically re-encode their distributed infection software twice an hour. The locations of the remote servers which control the botnet are hidden behind the "fast flux" DNS technique, making it difficult to find and stop virus hosting sites and mail servers.
In short, the names and locations of such machines are frequently changed and rotated, often on a minute-by-minute basis. The fast flux DNS technique uses an ever-changing network of compromised hosts acting as proxies. The term is also used to refer to the combination of peer-to-peer networking, distributed command and control, web-based load-balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.

Joe Stewart has detailed the process by which compromised machines join the botnet: attempts are made by launching a series of EXE files, named in a sequence from game0.exe through game5.exe, or similar. They typically perform the following:
1. game0.exe - Backdoor/downloader
2. game1.exe - SMTP relay
3. game2.exe - Email address stealer
4. game3.exe - Email virus spreader
5. game4.exe - DDoS attack tool
6. game5.exe - Updated copy of Storm Worm dropper
This code is run from %windir%\system32\wincom32.sys on a Windows system, via a kernel rootkit, and all connections back to the botnet are sent through a modified version of the eDonkey/Overnet (eMule) communications protocol. The DDoS attack receives the target IP address and attack type by downloading a configuration file from a website hard-coded in the body of the trojan. Attacks can be a port 80 TCP SYN flood, or an ICMP ping flood, or both. (cf. Stewart, Joe. "Storm Worm DDoS Attack", SecureWorks, February 2, 2007. February 8, 2007 http://www.secureworks.com/research/threats/view.html?threat=storm-worm)

Slide 10) Active Network Defenses: Sally Forth!
If a machine receives a denial-of-service attack from a botnet, few choices exist under the attrition warfare model. There is geographic dispersal, limited pattern-matching, and the sheer volume of IP addresses does not lend itself to the filtering of individual cases. So what options are available? Normal models are an attrition and defensive warfare approach from within a secure location: the castle.
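The fast-flux behaviour described for Slide 9 (short-lived names, answers that rotate through many compromised proxies) is visible from the DNS side, which is where a defender can look for it without touching the bots. The following is an added example, not code from the talk or from any of the sources it cites: a small fast-flux heuristic in Python run over constructed DNS observations. The hostnames, IP addresses, ASNs, record counts and thresholds are all assumptions, and the ASN of each IP is assumed to come from a separate IP-to-ASN lookup that the example does not perform.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class ARecord:
    """One A record from one DNS answer for a hostname.

    asn is assumed to come from a separate IP-to-ASN lookup (not part of
    this example); query_no numbers the repeated queries for the name.
    """
    name: str
    ip: str
    ttl: int
    asn: int
    query_no: int


def build_observations():
    """Constructed sample data (not real DNS data): three hostnames,
    each queried five times over the observation window."""
    recs = []
    # Flux-like host: short TTL, four new IPs in every answer, spread
    # over nine different ASNs (proxying compromised consumer hosts).
    for q in range(5):
        for i in range(4):
            n = q * 4 + i
            recs.append(ARecord("flux.example.test", "203.0.113.%d" % (n + 1),
                                180, 64600 + n % 9, q))
    # CDN-like host: short TTL too, but the same four IPs in one ASN every time.
    for q in range(5):
        for i in range(4):
            recs.append(ARecord("cdn.example.test", "192.0.2.%d" % (10 + i),
                                60, 64500, q))
    # Ordinary host: one stable IP with a long TTL.
    for q in range(5):
        recs.append(ARecord("www.example.test", "198.51.100.7", 86400, 64501, q))
    return recs


def flux_features(records):
    """Summarise the answers seen for one hostname."""
    answers = defaultdict(set)
    for r in records:
        answers[r.query_no].add(r.ip)
    ordered = [answers[k] for k in sorted(answers)]
    # Churn: average fraction of each answer's IPs absent from the previous answer.
    churn = 0.0
    if len(ordered) > 1:
        churn = sum(len(cur - prev) / len(cur)
                    for prev, cur in zip(ordered, ordered[1:])) / (len(ordered) - 1)
    return {
        "distinct_ips": len({r.ip for r in records}),
        "distinct_asns": len({r.asn for r in records}),
        "min_ttl": min(r.ttl for r in records),
        "churn": churn,
    }


def is_fast_flux(features, max_ttl=300, min_ips=8, min_asns=3, min_churn=0.5):
    """Assumed thresholds: a short TTL alone proves nothing (CDNs use them too),
    so we also require many IPs across several ASNs that keep changing."""
    return (features["min_ttl"] <= max_ttl
            and features["distinct_ips"] >= min_ips
            and features["distinct_asns"] >= min_asns
            and features["churn"] >= min_churn)


def classify(records):
    """Map each hostname in the observations to True (looks fast-flux) or False."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r.name].append(r)
    return {name: is_fast_flux(flux_features(recs)) for name, recs in by_name.items()}


if __name__ == "__main__":
    for name, verdict in classify(build_observations()).items():
        print(name, "fast-flux" if verdict else "normal")
```

The ASN spread and the churn between successive answers are what separate a flux network from a content delivery network, which also uses short TTLs but keeps returning the same pool of addresses from one or two networks. In practice the observations would come from repeated resolver queries or a passive DNS feed, and a flagged name is a candidate for null-routing or for blocking at the resolver rather than an automatic verdict.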
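Slide 9 states that the Storm DDoS tool runs a port 80 TCP SYN flood, an ICMP ping flood, or both. As an added example that is not part of the talk, the following Python detector reads tcpdump-style lines and raises one alert per destination and per second when it sees a SYN flood (many distinct sources sending bare SYNs, almost none completing the handshake) or an ICMP echo flood. The trace is constructed inline, not a real capture, and the thresholds, addresses and the one-second bucketing (which ignores handshakes that straddle a second boundary) are assumptions.

```python
import re
from collections import defaultdict

# Parsers for two tcpdump-style line shapes (tcpdump -n output for TCP and
# ICMP echo requests). The sample capture below is constructed, not a real trace.
TCP_RE = re.compile(
    r'^(\d\d):(\d\d):(\d\d\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > '
    r'(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]')
ICMP_RE = re.compile(
    r'^(\d\d):(\d\d):(\d\d\.\d+) IP (\d+\.\d+\.\d+\.\d+) > '
    r'(\d+\.\d+\.\d+\.\d+): ICMP echo request')


def _secs(h, m, s):
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a dict for a TCP or ICMP echo-request line, else None."""
    m = TCP_RE.match(line)
    if m:
        h, mi, s, src, sport, dst, dport, flags = m.groups()
        return {"t": _secs(h, mi, s), "proto": "tcp", "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport), "flags": flags}
    m = ICMP_RE.match(line)
    if m:
        h, mi, s, src, dst = m.groups()
        return {"t": _secs(h, mi, s), "proto": "icmp", "src": src, "dst": dst}
    return None


def detect_floods(lines, syn_threshold=100, icmp_threshold=100, max_completion=0.2):
    """Per destination and one-second bucket: flag a SYN flood when many distinct
    (src, sport) pairs send bare SYNs and few follow with the handshake ACK,
    and an ICMP flood when echo requests exceed the threshold."""
    syns, acks, icmps = defaultdict(set), defaultdict(set), defaultdict(int)
    for p in filter(None, map(parse_line, lines)):
        second = int(p["t"])
        if p["proto"] == "tcp":
            key = (p["dst"], p["dport"], second)
            if p["flags"] == "S":          # bare SYN (a SYN-ACK shows as "S.")
                syns[key].add((p["src"], p["sport"]))
            elif p["flags"] == ".":        # bare ACK: third step of the handshake
                acks[key].add((p["src"], p["sport"]))
        else:
            icmps[(p["dst"], second)] += 1
    alerts = []
    for key, sources in sorted(syns.items()):
        completed = len(sources & acks.get(key, set()))
        if len(sources) >= syn_threshold and completed / len(sources) <= max_completion:
            alerts.append({"type": "syn_flood", "dst": key[0], "dport": key[1],
                           "second": key[2], "syns": len(sources), "completed": completed})
    for (dst, second), n in sorted(icmps.items()):
        if n >= icmp_threshold:
            alerts.append({"type": "icmp_flood", "dst": dst, "second": second, "count": n})
    return alerts


def _tcp(t, src, sport, dst, dport, flags):
    return "12:00:%09.6f IP %s.%d > %s.%d: Flags [%s], length 0" % (t, src, sport, dst, dport, flags)


def _icmp(t, src, dst, seq):
    return "12:00:%09.6f IP %s > %s: ICMP echo request, id 1, seq %d, length 64" % (t, src, dst, seq)


def build_sample_capture():
    """Constructed trace: five normal handshakes in second 0, a 250-source
    SYN flood against port 80 in second 1, and 150 pings in second 2."""
    target = "198.51.100.7"
    lines = []
    for i in range(5):
        src, sport, t = "192.0.2.%d" % (10 + i), 50000 + i, 0.001 * i
        lines.append(_tcp(t, src, sport, target, 80, "S"))
        lines.append(_tcp(t + 0.0002, target, 80, src, sport, "S."))
        lines.append(_tcp(t + 0.0004, src, sport, target, 80, "."))
    for i in range(250):
        lines.append(_tcp(1.0 + 0.003 * i, "203.0.113.%d" % (i + 1), 40000 + i, target, 80, "S"))
    for i in range(150):
        lines.append(_icmp(2.0 + 0.005 * i, "203.0.113.%d" % (i + 1), target, i))
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_capture()):
        print(alert)
```

The completion ratio is the useful part: a busy but healthy web server also sees hundreds of SYNs a second, but nearly all of them are followed by the client's ACK, while flood sources (often spoofed) never answer the SYN-ACK. A real deployment would feed this from a packet capture or flow export and pair the alert with SYN cookies or upstream rate limiting rather than per-address filtering, which Slide 10 notes does not scale to botnet-sized source lists.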
An alternative, maneuver-based, "Active Network Defense" method is needed. An entertaining example from Enno Davids, at the AUUG 2007 Conference: tired of port scans for three known vulnerabilities in an early version of Apache, he automated a response that caused a BSOD on certain operating systems. He never received the third port scan again (example cited with permission). Such "counterattacking" is described as "irresponsible" by Neil Rowe of the US Naval Postgraduate School, who prefers deception such as honeypots. Zaki and Sobh (Journal of Network and Computer Applications, November 2004) recommended cooperative active network defenses with an Active Security Mechanism.

TCP/IP stack fingerprinting is an infiltration-style Active Network Defense which determines the exact operating system used by the remote target, thus allowing firewalls to be configured for the best possible defense. Passive OS fingerprinting can identify botnet attacks. Botnets typically use free DNS hosting services to point to an IRC server that will harbour the bots. If a botnet server structure lacks redundancy, disconnection of one server will cause the entire botnet to collapse. Host-based anti-bot techniques use heuristics to try to identify bot behavior that has bypassed conventional antivirus. Network-based approaches tend to use the techniques described above: shutting down C&C servers, null-routing (re-directing) DNS entries, or completely shutting down IRC servers.
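Slide 10 mentions passive OS fingerprinting as a way to identify botnet attacks: a flood whose sources all share one TCP/IP stack signature looks like one bot family (Storm, per Slide 8, infected only Windows) rather than an organic client population, and the label helps decide which firewall response fits. The following is an added example, not from the talk and not from p0f or any other real tool: a minimal p0f-style classifier in Python that matches the initial TTL, SYN window size, DF bit and TCP option order of captured SYNs against a small signature table. The table entries, the line format (a tcpdump-like SYN summary prefixed with the IP TTL and DF flag, which plain tcpdump output omits without -v) and the sample SYNs are all constructed for illustration.

```python
import re

# Illustrative signature table (assumed; written in the style of p0f entries,
# not copied from any real fingerprint database): initial TTL, SYN window
# size, Don't Fragment bit, and TCP option order.
SIGNATURES = [
    {"label": "Windows 2000/XP family", "ttl": 128, "win": 65535, "df": True,
     "opts": ("mss", "nop", "nop", "sackok")},
    {"label": "Linux 2.6 family", "ttl": 64, "win": 5840, "df": True,
     "opts": ("mss", "sackok", "ts", "nop", "wscale")},
    {"label": "FreeBSD family", "ttl": 64, "win": 65535, "df": True,
     "opts": ("mss", "nop", "wscale", "sackok", "ts")},
]

# Constructed line format (assumed): "ttl <n> <DF|-> " followed by a
# tcpdump-style SYN summary.
SYN_RE = re.compile(
    r'^ttl (\d+) (DF|-) IP (\S+) > (\S+): Flags \[S\], win (\d+), options \[([^\]]*)\]')

# Constructed sample SYNs: two Windows-looking sources at different hop
# distances, one Linux-looking source, and one that matches nothing.
SAMPLE_SYNS = [
    "ttl 116 DF IP 203.0.113.5.40001 > 198.51.100.7.80: Flags [S], win 65535, options [mss 1460,nop,nop,sackOK], length 0",
    "ttl 122 DF IP 203.0.113.6.40002 > 198.51.100.7.80: Flags [S], win 65535, options [mss 1380,nop,nop,sackOK], length 0",
    "ttl 54 DF IP 192.0.2.10.51000 > 198.51.100.7.80: Flags [S], win 5840, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0",
    "ttl 60 - IP 192.0.2.11.51001 > 198.51.100.7.80: Flags [S], win 8192, options [mss 1460], length 0",
]


def parse_syn(line):
    """Extract the fingerprint-relevant fields from one SYN line, or None."""
    m = SYN_RE.match(line)
    if not m:
        return None
    ttl, df, src, dst, win, opts = m.groups()
    # Keep only the option names, in order; values such as the MSS vary per link.
    names = tuple(o.strip().split()[0].lower() for o in opts.split(",") if o.strip())
    return {"ttl": int(ttl), "df": df == "DF", "src": src, "dst": dst,
            "win": int(win), "opts": names}


def initial_ttl(observed):
    """Guess the TTL the sender started with: stacks use 32, 64, 128 or 255,
    and each router hop decrements it by one."""
    return next(t for t in (32, 64, 128, 255) if observed <= t)


def fingerprint(syn):
    """Match one parsed SYN against the table; also report the hop distance."""
    ittl = initial_ttl(syn["ttl"])
    distance = ittl - syn["ttl"]
    for sig in SIGNATURES:
        if (sig["ttl"] == ittl and sig["win"] == syn["win"]
                and sig["df"] == syn["df"] and sig["opts"] == syn["opts"]):
            return {"label": sig["label"], "distance": distance}
    return {"label": "unknown", "distance": distance}


def summarize(lines):
    """Tally the stack fingerprints of the SYN sources in a set of lines."""
    counts = {}
    for line in lines:
        syn = parse_syn(line)
        if syn:
            label = fingerprint(syn)["label"]
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for label, n in summarize(SAMPLE_SYNS).items():
        print("%-24s %d" % (label, n))
```

Two caveats a practitioner would add: NAT gateways and TCP-normalising middleboxes rewrite exactly the fields this relies on, so a fingerprint identifies the nearest stack, not necessarily the infected host; and a hand-written table of three entries is only a demonstration, so a real deployment would take its signatures from a maintained database and treat the hop distance as a second signal for clustering sources.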