Ведущий: Терренс Гаро В докладе рассказывается о том, как создать ханипот (ловушку) и организовать сервис с обновляемыми данными о попавшихся DDoS-ботах с помощью Kibana, Elasticsearch, Logstash и AMQP. Докладчик откроет исходный код системы мониторинга и сбора внешней статистики DDoS-атак, над которой он работал со своей командой последние два года.

1. Monitoring Reflective DDoS
with Honeypots
Terrence "tuna" Gareau
@kingtuna
Github.com/kingtuna
&
Krassimir T. Tzvetanov

2. Introduction

3. Goals
“Reproducible data source for
DDoS targets that is easy to
use and share content”

4. Summary
Introduction
Problems to Solve
Architecture
Code

5. Problem

6. Problem

7. Problem

8. Problem

9. Problem

10. Problem
2.1 / DDoS Attack Vectors / As shown in Figure 2-1,
infrastructure attacks continue to dominate, increasing
2% from last quarter and accounting for 97% of all
DDoS attack activity. The large increases at the
infrastructure layer further diminished the percentage
of application layer attacks, which have decreased
slightly over time.
https://www.akamai.com/us/en/multimedia/documents/report/q4-2015-state-of-the-internet-security-report.pdf

11. • (AS) (Count)
• 6939 7034 HURRICANE - Hurricane Electric,Inc.,US
• 4134 6663 CHINANET-BACKBONE No.31,Jin-rong Street,CN
• 7922 3447 COMCAST-7922 - ComcastCable Communications,Inc.,US
• 16276 3161 OVH OVH SAS,FR
• 37963 2989 CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd.,CN
• 200000 2272 UKRAINE-AS Hosting Ukraine LTD,UA
• 48347 2056 MTW-AS JSC MediaSoftEkspert,RU
• 4837 1950 CHINA169-BACKBONE CNCGROUP China169 Backbone,CN
• 58543 1940 CHINATELECOM-GUANGDONG-IDC Guangdong,CN
• 7018 1677 ATT-INTERNET4 - AT&T Services, Inc.,US
• 28573 1290 CLAROS.A.,BR
• 701 1216 UUNET - MCI Communications Services,Inc.d/b/a Verizon Business,US
• 23650 981 CHINANET-JS-AS-AP AS Number for CHINANET jiangsu province backbone,CN
• 5089 945 NTL Virgin Media Limited,GB
• 24940 940 HETZNER-AS Hetzner Online GmbH,DE
• 18881 936 Global Village Telecom,BR
• 20115 931 CHARTER-NET-HKY-NC - Charter Communications,US
• 5607 911 BSKYB-BROADBAND-AS Sky UK Limited,GB
• 13335 783 CLOUDFLARENET- CloudFlare,Inc.,US
• 1221 723 ASN-TELSTRA Telstra Pty Ltd,AU
Our research has pointed something out

12. DoS Evolution

13. Reflection and amplification
S: 191.236.103.221 D: 3.3.3.3
Size: 64 bytes
S: 3.3.3.3 D: 191.236.103.221
Size: 512 bytes
Attacker
Victim
Victim
Attacker
Reflector
Reflector

14. 20 Million
Open DNS Resolvers According to Open Resolver Project (10.15.2015)

15. Needles are No Longer in Haystacks
There is about 3.7 Billion Active IPv4
Addresses
How many have misconfigured
services?
It takes about 8 hours to scan the
Internet for a particular service on a
$10 VPS

16. Scanners

17. Appear as a Victim, Become Exploited, and Log

18. What Services we support
PORT Service Provide
19 CHARGEN x
7 Echo x
5353 MDNS x
1434 Mssql
5351 NAT-PMP x
111 Portmapper x
27960 Quake
520 RIP
5093 Sentinal x
161 SNMP x
1900 SSDP x
9987 TeamSpeak3, x
7778 UnrealTournament
177 XDMCP x
500 IKE x
69 TFTP

19. Architecture

20. Sensors -> Message Bus -> Data Store ->
Visualize
Sensor AMQP Elasticsearch

21. Understand the Current State

22. Collaborate
EMAIL
Message
Bus

23. Evaluate Different Risks

24. Basics
• Ubuntu 14.04LTS
• Installs via Bash Script
• Runs Xinetd, Bind9, NTPD, Emulators
• Logs with BRO
• Ships logs with logstash via AMQP
• Receive and index in elasticsearch with Logstash via AMQP
• Visualize with Kibana

25. Simple Sketch

26. Simple Sketch
SSL AMQP
Bro
Logstash
Logstash

27. Bro

28. Parse this Nice and Easy with this.

29. Parse this Nice and Easy with this.
input {
#Production Logs#############################
file {
type => "BRO_connlog"
path => "/nsm/bro/logs/current/conn.log"
}
# BRO_connlog ######################
if [type] == "BRO_connlog" {
grok {
match => [ "message",
"(?<ts>(.*?))t(?<uid>(.*?))t(?<id.orig_h>(.*?))t(?<id.orig_p>(.*?))t(?<id.resp_h>(.*?))t(?<id.resp_p>(.*?))t(?<proto>(.*?))t(?<service>(.
*?))t(?<duration>(.*?))t(?<orig_bytes>(.*?))t(?<resp_bytes>(.*?))t(?<conn_state>(.*?))t(?<local_orig>(.*?))t(?<missed_bytes>(.*?))t(
?<history>(.*?))t(?<orig_pkts>(.*?))t(?<orig_ip_bytes>(.*?))t(?<resp_pkts>(.*?))t(?<resp_ip_bytes>(.*?))t(?<tunnel_parents>(.*?))" ]
}
}

30. Parse this Nice and Easy with this.
output {
rabbitmq {
user => "USER"
exchange_type => "direct"
password => "PASSWORD"
exchange => "amq.direct"
vhost => "/amp"
durable => true
ssl => true
port => 5671
persistent => true
host => "hose_ip"
}
}

31. Same on the Other End
On the other end of it, where elasticsearch is being hosted, set the input as amqp and
set the output to be elasticsearch.
We found it best to use the node type in logstash for inserting logs into elasticsearch.
FYI it uses port 9300.

32. Same on the Other End
KOPF

33. Same on the Other End
KOPF

34. Same on the Other End
Don’t forget
to click all
the things

35. Daily Cron
Everyday we run a python script to create the feed.

36. Recap
SSL AMQP
Bro
Logstash
Logstash
Python Feed Data

37. Make Reports
API’s

38. Annoyances TLP:RED
Hosting Providers responding to abuse….

39. Code

40. Extract Data from the Store
We are extracting data out of Elasticsearch with Python. We
learned that most errors are coming from Elasticsearch. For
python we like the official library from elasticsearch the most.
We also increased our timeout to 30 from the default 10.

41. Extract Data from the Store
We used kibana to help us build our queries

42. What have we seen?
99,859 Attacks Observed
in
Q1 2016

43. What have we seen?
(AS) (Count)
6939 7034 HURRICANE - Hurricane Electric, Inc.,US
4134 6663 CHINANET-BACKBONENo.31,Jin-rong Stre
7922 3447 COMCAST-7922 - Comcast Cable Communic
16276 3161 OVH OVH SAS,FR
37963 2989 CNNIC-ALIBABA-CN-NET-APHangzhouAlib
200000 2272 UKRAINE-AS HostingUkraine LTD,UA
48347 2056 MTW-AS JSC MediaSoft Ekspert,RU
4837 1950 CHINA169-BACKBONE CNCGROUP China1
58543 1940 CHINATELECOM-GUANGDONG-IDC Guang
7018 1677 ATT-INTERNET4 - AT&T Services, Inc.,US
28573 1290 CLARO S.A.,BR
701 1216 UUNET - MCI CommunicationsServices,Inc
23650 981 CHINANET-JS-AS-AP AS Number for CHINA
backbone,CN
5089 945 NTL Virgin Media Limited,GB
24940 940 HETZNER-AS Hetzner OnlineGmbH,DE
18881 936 Global Village Telecom,BR
20115 931 CHARTER-NET-HKY-NC - Charter Communi
5607 911 BSKYB-BROADBAND-AS Sky UK Limited,GB
13335 783 CLOUDFLARENET - CloudFlare, Inc.,US
1221 723 ASN-TELSTRA Telstra PtyLtd,AU

44. What have we seen?

45. What have we seen?

46. What have we seen?

47. What have we seen?

48. What have we seen?

49. What have we seen?

50. These are the best dudes in the world
Zane Witherspoon – San Francisco Acheleas Mustakis – Athens, Greece

51. Science should be repeatable and open
RStudio Desktop
https://github.com/kingtuna/Hybrid-Darknet-Concept
Special thanks to - A10 Networks, Nexusguard, fsi.io, and Cari.net
Collaborators: Zane Witherspoon, Acheleas Mustakis, and Krassimir

52. Science should be repeatable and open
https://github.com/kingtuna/Hybrid-Darknet-Concept
To be added to the list
tuna@nexusguard.com