Date post: 18-Dec-2015

Stealth Network Strategies: Offensive and Defensive

Mark Loveless

RAZOR Security

BindView Corporation

About Me

– AKA Simple Nomad, http://www.nmrc.org/
– Currently Sr. Security Analyst for BindView’s RAZOR Team, http://razor.bindview.com/

About This Presentation

Assume basics
– Understand IP addressing
– Understand basic system administration

Tools
– Where to find them
– Basic usage

A “Network” point of view

Network Mapping

– Active
– Passive

Active Mapping

Techniques
– ICMP Sweeps
– Firewalk
– Nmap

Defenses
– Tight firewall rules
– Block most ICMP
– Block packets with TTL of 0 or 1
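The three defenses above can be checked from the border device's own packet log. What follows is an added example, not code from the talk: a small detector over constructed packet records that flags an ICMP sweep (one source echo-requesting many hosts in a short window), packets that arrive with a TTL of 0 or 1 (they would expire on the hop behind the gateway, which is the Time Exceeded message firewalk waits for), and a hop-by-hop TTL ramp aimed at one destination. The record layout, the sample packets, the addresses and the thresholds are all assumptions made for the illustration.

```python
"""Detecting active-mapping traffic at the border: ICMP sweeps and
firewalk-style TTL probes.

Added example, not part of the talk. The record layout, the sample
packets and the thresholds below are constructed for illustration.
"""
from collections import defaultdict

# Constructed packet records as a border sensor might log them:
# (timestamp_s, src, dst, proto, icmp_type, ttl_on_arrival)
SAMPLE_PACKETS = (
    # 10.0.0.5 echo-requests ten hosts of 192.0.2.0/24 within one second
    [(0.1 * i, "10.0.0.5", f"192.0.2.{i + 1}", "icmp", 8, 64) for i in range(10)]
    # 198.51.100.9 walks TTL 1, 2, 3 at one destination, firewalk style
    + [(5.0 + 0.1 * t, "198.51.100.9", "192.0.2.20", "udp", None, t) for t in (1, 2, 3)]
    # one ordinary ping from a remote host
    + [(7.0, "203.0.113.7", "192.0.2.1", "icmp", 8, 120)]
)


def detect_icmp_sweeps(packets, min_hosts=8, window_s=10.0):
    """Sources whose echo requests reached >= min_hosts distinct targets
    inside any window_s-second window. Returns {src: max_distinct_targets}."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, icmp_type, _ttl in packets:
        if proto == "icmp" and icmp_type == 8:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best, left = 0, 0
        for right in range(len(events)):
            # slide the window so it never spans more than window_s seconds
            while events[right][0] - events[left][0] > window_s:
                left += 1
            best = max(best, len({dst for _, dst in events[left:right + 1]}))
        if best >= min_hosts:
            flagged[src] = best
    return flagged


def detect_low_ttl(packets, max_ttl=1):
    """Packets that arrive with TTL <= max_ttl would expire on the hop behind
    the border device; firewalk relies on the Time Exceeded that hop sends.
    Dropping them at the border is the defense on the slide."""
    return [(src, dst, ttl) for _, src, dst, _, _, ttl in packets if ttl <= max_ttl]


def detect_ttl_ramps(packets, min_run=3):
    """(src, dst) pairs that received a run of >= min_run packets with
    consecutively increasing TTLs, the signature of a hop-by-hop walk."""
    by_pair = defaultdict(list)
    for ts, src, dst, _proto, _itype, ttl in packets:
        by_pair[(src, dst)].append((ts, ttl))
    flagged = {}
    for pair, seq in by_pair.items():
        ttls = [ttl for _, ttl in sorted(seq)]
        run = longest = 1
        for prev, cur in zip(ttls, ttls[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[pair] = longest
    return flagged


if __name__ == "__main__":
    print("sweeps:", detect_icmp_sweeps(SAMPLE_PACKETS))
    print("low ttl:", detect_low_ttl(SAMPLE_PACKETS))
    print("ttl ramps:", detect_ttl_ramps(SAMPLE_PACKETS))
```

The sweep rule keys on distinct targets rather than packet count, so a host that pings one server repeatedly is not flagged; the TTL rules are the interesting ones for firewalk, because a scanner can always slow a sweep down but cannot hide the expiring TTL that the technique depends on.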

Passive Mapping

Techniques
– Manual via public sources
– Automated via Siphon

Defenses
– Strong policy regarding publishing/posting
– Egress filtering and a decent ISP

Distributed Tools and Stealth Techniques

– Attack Models
– Good Guy Usage

Basic Distributed Attack Models

– Attacks that do not require direct observation of the results
– Attacks that require the attacker to directly observe the results

Basic Model

(Diagram) Client, Server, Agent: the client issues commands, the server processes the commands to the agents, and the agents carry out the commands.

More Advanced Model

(Diagram) Attacker and Target: the attacker sends forged ICMP timestamp requests to the target; the target's ICMP timestamp replies go to the forged source address, where the attacker sniffs them.

Even More Advanced Model

(Diagram, built up over several slides) Master Node, Attack Nodes, Firewall, Upstream Host, Target: the master node drives several attack nodes; the attack nodes send attacks or probes through the firewall to the target; the target's replies go to the upstream host; an attack node positioned to sniff that segment collects the sniffed replies.
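The exchange at the heart of both the More Advanced and the Even More Advanced models is the same: a probe whose source address belongs to a host the attacker can sniff, so the reply never travels toward the attacker's real address. Below is an added example, not code from the talk, that builds that exchange as raw bytes: the forged ICMP timestamp request, the target's reply, and the sniffer filter the attacker runs on the upstream segment. It does not model the master/attack-node layering, only the forged-request/sniffed-reply part, and it opens no socket (sending such a packet needs a raw socket and privileges). The addresses come from the documentation ranges and are assumptions; the attacker's address never appears in any packet.

```python
"""The forged-request exchange from the distributed model, as raw packets.

Added example, not from the talk: it builds the forged ICMP timestamp
request, the target's reply and the attacker's sniffing filter as byte
strings, offline (no socket is opened). Addresses are constructed from the
documentation ranges; the attacker's real address never appears on the wire.
"""
import socket
import struct

ATTACKER = "203.0.113.50"   # where the attacker actually sits
UPSTREAM = "198.51.100.2"   # host on a segment the attacker can sniff; forged source
TARGET = "192.0.2.10"

ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
ICMP_TS_FMT = "!BBHHHIII"   # type, code, checksum, id, seq, originate, receive, transmit


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Over a buffer whose checksum field
    is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_timestamp(msg_type, ident, seq, originate, receive, transmit) -> bytes:
    msg = struct.pack(ICMP_TS_FMT, msg_type, 0, 0, ident, seq, originate, receive, transmit)
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) carrying an ICMP payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, socket.IPPROTO_ICMP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_packet(packet: bytes):
    """Check both checksums and return the IP/ICMP timestamp fields, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 20 or packet[9] != socket.IPPROTO_ICMP:
        return None
    if inet_checksum(packet[:ihl]) != 0:
        return None
    if inet_checksum(packet[ihl:]) != 0:
        return None
    icmp = packet[ihl:ihl + 20]
    msg_type, _code, _csum, ident, seq, orig, recv, xmit = struct.unpack(ICMP_TS_FMT, icmp)
    if msg_type not in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        return None
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "type": msg_type, "ident": ident, "seq": seq,
            "originate": orig, "receive": recv, "transmit": xmit}


def forge_request(originate_ms: int, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Attacker's probe: source forged as UPSTREAM, so the reply goes there."""
    icmp = build_icmp_timestamp(ICMP_TIMESTAMP_REQUEST, ident, seq, originate_ms, 0, 0)
    return build_ipv4(UPSTREAM, TARGET, icmp)


def target_reply(request: bytes, receive_ms: int, transmit_ms: int) -> bytes:
    """What the target's stack does: swap addresses, type 14, echo id/seq/originate."""
    req = parse_packet(request)
    if req is None or req["type"] != ICMP_TIMESTAMP_REQUEST:
        return b""
    icmp = build_icmp_timestamp(ICMP_TIMESTAMP_REPLY, req["ident"], req["seq"],
                                req["originate"], receive_ms, transmit_ms)
    return build_ipv4(req["dst"], req["src"], icmp)


def sniffed_reply(packet: bytes):
    """Attacker's sniffer on the upstream segment: keep only timestamp replies
    addressed to the forged source; everything else is noise."""
    info = parse_packet(packet)
    if info and info["type"] == ICMP_TIMESTAMP_REPLY and info["dst"] == UPSTREAM:
        return info
    return None


if __name__ == "__main__":
    req = forge_request(originate_ms=1000)
    rep = target_reply(req, receive_ms=2000, transmit_ms=2001)
    print(sniffed_reply(rep))
```

Two things to notice when reading the reply on the upstream segment: the id/seq pair is the only correlation handle the attacker has, since the source address is not theirs, and a reply arriving at all tells the attacker that the firewall passed ICMP type 13 even if it blocks echo. Egress filtering at the attacker's own provider, covered later under defenses, stops the forged request before it ever leaves.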

Good Guy Usage

– VPN technology
– Remote managed networks

The Hype of DDoS

– What is DDoS?
– Stealth Techniques Used within DDoS

Defenses Against Distributed Attacks

– Ingress and Egress filtering
– Usage of IDS inside and out
– Analysis of network traffic and logs
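Ingress and egress filtering is the one defense on this slide that removes the forged-source trick outright: a packet may only leave a network if its source address belongs to that network, and a packet arriving from outside may not claim an inside or reserved address. The following is an added example, not from the talk, of both rules applied at a border over constructed traffic (the site prefix, the bogon list and the sample packets are assumptions). The third outbound packet is exactly the forged timestamp request from the distributed model, seen from the attacker's own provider's side.

```python
"""Ingress/egress anti-spoofing filter (the RFC 2827 idea) over constructed traffic.

Added example, not from the talk. The site prefix, bogon list and sample
packets are assumptions chosen for illustration.
"""
import ipaddress

SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]       # what this site owns
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed packets as seen at the border: (direction, src, dst)
SAMPLE_PACKETS = [
    ("out", "192.0.2.15", "203.0.113.1"),      # normal outbound
    ("out", "10.0.0.5", "203.0.113.1"),        # private source leaking out
    ("out", "198.51.100.2", "203.0.113.1"),    # forged source: someone else's address
    ("in", "203.0.113.1", "192.0.2.15"),       # normal inbound
    ("in", "192.0.2.99", "192.0.2.15"),        # our own prefix arriving from outside
    ("in", "10.1.2.3", "192.0.2.15"),          # bogon source from outside
]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def egress_verdict(src: str) -> str:
    """Outbound: only packets sourced from our prefixes may leave. A compromised
    host behind this filter cannot emit forged-source probes or floods."""
    if not _in_any(ipaddress.ip_address(src), SITE_PREFIXES):
        return "drop: source not ours"
    return "permit"


def ingress_verdict(src: str) -> str:
    """Inbound: a packet claiming one of our addresses, or a bogon, is forged."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, SITE_PREFIXES):
        return "drop: our prefix from outside"
    if _in_any(addr, BOGON_PREFIXES):
        return "drop: bogon source"
    return "permit"


def filter_packets(packets):
    """Apply the rule for each direction; returns (direction, src, dst, verdict)."""
    verdicts = []
    for direction, src, dst in packets:
        rule = egress_verdict if direction == "out" else ingress_verdict
        verdicts.append((direction, src, dst, rule(src)))
    return verdicts


def drop_count(packets) -> int:
    return sum(1 for *_, verdict in filter_packets(packets) if verdict.startswith("drop"))


if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print(*row)
```

The egress rule is the one that protects other people (it stops your hosts from being useful attack nodes); the ingress rule protects you. Both should be logged, not just dropped, since a burst of egress drops from one internal host is the earliest sign that it has been recruited.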

Protocol Fun

– Traffic Pattern Masking
– Network Steganography

Traffic Pattern Masking

Techniques
– SMTP patterns
– DNS patterns
– Web traffic

Defenses
– Egress filtering
– Logging
– Study of logs and network dumps
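DNS is the pattern most worth understanding here, because a resolver is usually the one service every host is allowed to talk to. The following is an added example, not from the talk: an encoder that carries a payload inside query names, the matching decoder, and the log study the defense bullet calls for, run over a constructed resolver log. The encoding (base32 in the labels), the domain c2.example.net, the log format and the detector's thresholds are all assumptions.

```python
"""Hiding a channel in DNS query patterns, and spotting it in the logs.

Added example, not from the talk. The encoding (base32 in the query name),
the domain c2.example.net, the log format and the detector thresholds are
all assumptions; the log lines are constructed.
"""
import base64
import math
from collections import Counter

C2_DOMAIN = "c2.example.net"
MESSAGES = [b"id=1;cmd=whoami", b"id=2;out=root", b"id=3;cmd=ls /etc"]


def encode_query(payload: bytes, domain: str) -> str:
    """Payload -> query name: base32, lower-cased, cut into <=63-byte labels."""
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [b32[i:i + 63] for i in range(0, len(b32), 63)]
    return ".".join(labels + [domain])


def decode_query(qname: str, domain: str) -> bytes:
    """Inverse of encode_query, restoring the base32 padding."""
    if not qname.endswith("." + domain):
        raise ValueError("not a tunnel name")
    b32 = qname[: -len(domain) - 1].replace(".", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


# Constructed resolver log: "<epoch> <client> <qname>"
SAMPLE_LOG = [
    "1000 192.0.2.15 www.example.com",
    "1001 192.0.2.15 mail.example.com",
    "1002 192.0.2.15 api-v2-prod.example.com",
    "1003 192.0.2.15 cdn1.static.example.org",
] + [f"{1010 + i} 192.0.2.31 {encode_query(m, C2_DOMAIN)}" for i, m in enumerate(MESSAGES)]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def subdomain_of(qname: str) -> str:
    """Everything left of the last two labels, dots removed (a crude cut at the
    registered domain; a real tool would use the public suffix list)."""
    return "".join(qname.rstrip(".").split(".")[:-2])


def is_tunnel_like(qname: str, min_len: int = 20, min_entropy: float = 3.0) -> bool:
    """Long, high-entropy hostnames are what an encoded payload looks like."""
    sub = subdomain_of(qname)
    return len(sub) >= min_len and shannon_entropy(sub) >= min_entropy


def scan_log(lines):
    """Return (client, qname) for every tunnel-like query."""
    hits = []
    for line in lines:
        _ts, client, qname = line.split()
        if is_tunnel_like(qname):
            hits.append((client, qname))
    return hits


def suspicious_clients(lines, min_hits: int = 2) -> dict:
    """Clients with at least min_hits tunnel-like queries: one odd name is often
    a CDN hash, a run of them from one host is the pattern to chase."""
    counts = Counter(client for client, _ in scan_log(lines))
    return {c: n for c, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line)
    print(suspicious_clients(SAMPLE_LOG))
```

The per-query test will fire on legitimate content-hash hostnames, which is why the second function counts per client: the masking technique depends on volume and regularity, and those are what the logs give away even when each individual query looks plausible.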

Network Steganography

Techniques
– HTTP
– SMTP
– Packet combinations

Defenses
– Egress filtering
– More logging, etc.
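"Packet combinations" is the case where the data is not in any payload at all but in header fields of otherwise ordinary packets. The following is an added example, not from the talk, of one such channel and of a detector for it: each packet carries one payload byte in the high byte of its IPv4 Identification field (the scheme used by covert_tcp), and the detector compares a flow's ID sequence against what a stack's incrementing counter would produce. The encoding, the "counter-like" heuristic, its threshold and the sample flows are assumptions.

```python
"""A covert channel in the IPv4 Identification field, and a detector for it.

Added example, not from the talk. The encoding (one payload byte per packet,
carried in the high byte of the ID, in the style of covert_tcp) and the
detector's counter-likeness heuristic and threshold are assumptions; the
flows are constructed.
"""


def encode_ids(payload: bytes):
    """One packet per payload byte; the byte rides in the high 8 bits of the ID."""
    return [b << 8 for b in payload]


def decode_ids(ids) -> bytes:
    return bytes(i >> 8 for i in ids)


# Constructed flows: {(src, dst): [ip_id, ...] in arrival order}
SAMPLE_FLOWS = {
    ("192.0.2.20", "203.0.113.1"): [40000 + i for i in range(8)],     # stack counter
    ("192.0.2.21", "203.0.113.1"): [65533, 65534, 65535, 0, 1, 2],    # counter wrapping
    ("192.0.2.15", "203.0.113.9"): encode_ids(b"whoami\n"),           # covert channel
}


def counter_likeness(ids, max_step: int = 8) -> float:
    """Fraction of consecutive ID deltas (mod 2^16) that look like a stack
    incrementing its counter. A channel carrying arbitrary bytes jumps
    around instead of stepping."""
    if len(ids) < 2:
        return 1.0
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    return sum(1 for s in steps if 1 <= s <= max_step) / len(steps)


def flag_flows(flows, threshold: float = 0.5, min_packets: int = 4):
    """Flows whose ID sequence is mostly non-counter-like, sorted for stable output."""
    return sorted(key for key, ids in flows.items()
                  if len(ids) >= min_packets and counter_likeness(ids) < threshold)


if __name__ == "__main__":
    for key, ids in SAMPLE_FLOWS.items():
        print(key, ids, round(counter_likeness(ids), 2))
    print("flagged:", flag_flows(SAMPLE_FLOWS))
```

The heuristic assumes a stack that increments its ID per packet, which was the common behaviour at the time of the talk; a stack that randomises IDs will score as badly as the channel, so the detector has to be baselined per host or OS. The more robust defense is the one on the slide: an egress device that rewrites or normalises header fields it has no reason to pass through unchanged removes the channel rather than detecting it.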

Questions…

For followup:
– Work: http://razor.bindview.com/, [email protected]
– Play: http://www.nmrc.org/, [email protected]
