Category Archives: Defense

A Good Lesson By Barracuda Labs

Filed under Defense, Fu (a.k.a Tips)

Barracuda Labs belongs to a vendor that puts out many popular security appliances and other defensive solutions. They recently suffered a SQL injection attack on their own site that compromised some of their email contacts. Here is their official posting and dissection of the attack.

The important lesson here is not how the attack was carried out or how it was detected. The important thing is identifying why the attack was possible at all. Many people would dismiss a single fault such as an unsanitized input field or a misconfigured WAF. On its own each of these may already be dangerous for a smaller organization; a larger organization, with more systems and more teams, tends to overlook the attack surface that such weaknesses create once they are aggregated, and an attacker only needs the combination.

Detecting Intrusions That Spoof svchost.exe

Filed under Defense, Fu (a.k.a Tips)

One of the common things an attacker does once inside your machine is to rename the process they are running as. In many cases they will imitate, or get very close to, the name of a normal system process. One of the most commonly spoofed is the svchost process.

What is svchost?

Microsoft states that “svchost.exe is a generic host process name for services that run from dynamic-link libraries”. So when a service is implemented in a DLL rather than its own executable, it runs inside an svchost.exe instance.

So what?

Well, if that is the case, then every legitimate svchost.exe process should have at least one service running under it. The following command lists each process together with the services it hosts:
C:\> tasklist /SVC

If we then notice an svchost.exe instance with nothing under it (tasklist prints N/A in the Services column), it is most likely another process that has renamed itself to look like svchost. Before acting on it, confirm with two further checks: the real svchost.exe lives in %SystemRoot%\System32 and is started by services.exe, so an “svchost.exe” with a different image path or a different parent process is a much stronger indicator than the missing services alone.
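As an added example (my own code, not part of the original post), here is a Python script that applies the check above to the output of tasklist /SVC and adds a second test for look-alike names such as svch0st.exe, measured as edit distance from svchost.exe. The tasklist output it parses is constructed for the example, not captured from a real host; on a live system you would feed it the real output (the subprocess call is shown in a comment), or narrow the listing first with tasklist /SVC /FI "IMAGENAME eq svchost.exe".

```python
import re

# Constructed sample of `tasklist /SVC` output (not captured from a real host).
# Two entries are planted as suspicious: an svchost.exe hosting no service and
# a look-alike name with a zero in place of the "o".
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       304 N/A
services.exe                   596 N/A
svchost.exe                    708 DcomLaunch,PlugPlay
svchost.exe                    812 RpcEptMapper,RpcSs
svchost.exe                    900 Dhcp,EventLog,lmhosts
svchost.exe                   1337 N/A
svch0st.exe                   1402 N/A
explorer.exe                  2344 N/A
"""

# image name (may contain spaces), PID, then the comma-separated service list or N/A
LINE_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<services>\S.*?)\s*$")


def parse_tasklist(text):
    """Return [(image, pid, [services])] from `tasklist /SVC` output.
    A process that hosts nothing shows 'N/A' in the Services column."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        svcs = [] if m["services"] == "N/A" else m["services"].split(",")
        rows.append((m["image"], int(m["pid"]), svcs))
    return rows


def levenshtein(a, b):
    """Edit distance between two strings; used to catch names imitating svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_svchost(text, target="svchost.exe", max_distance=2):
    """Flag (pid, image, reason) for svchost instances hosting no service, and for
    image names within `max_distance` edits of svchost.exe that are not the real name."""
    findings = []
    for image, pid, svcs in parse_tasklist(text):
        name = image.lower()
        if name == target and not svcs:
            findings.append((pid, image, "svchost.exe hosting no service"))
        elif name != target and levenshtein(name, target) <= max_distance:
            findings.append((pid, image, "name imitates svchost.exe"))
    return findings


if __name__ == "__main__":
    # Live host: subprocess.run(["tasklist", "/SVC"], capture_output=True, text=True).stdout
    for pid, image, reason in suspicious_svchost(SAMPLE_TASKLIST):
        print(f"PID {pid:>5} {image:<20} {reason}")
```

The edit-distance threshold of 2 is an arbitrary choice for the example; services.exe, smss.exe and the like are far enough from svchost.exe not to trip it, while one- or two-character substitutions do.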

Crippling SlowLoris

Filed under Defense, Fu (a.k.a Tips)

I received a great comment from a reader pertaining to SlowLoris. He asked why, given its effectiveness and apparent lack of countermeasures, using Slowloris is viable in a pen test. Thanks for such a great question; here is my response:

I hope I didn’t make it seem as if SlowLoris was impervious to countermeasures. To clarify, let me explain a bit more.

Layman’s Terms

To summarize SlowLoris in a few words, this is essentially how it works. It simulates numerous very slow clients that soak up the server's connection pool. Each connection completes the TCP handshake normally, sends the start of an HTTP request, and then trickles one more header line every so often, just before the server would give up on it, so the request is never finished. The web server thinks it is servicing normal users who just happen to be very slow. This is what causes the DoS condition: all worker slots are busy “communicating” with very slow, yet nonetheless legitimate-looking, “clients”, and nobody else gets served.

However, this condition depends on the server's timeout. If the server drops any connection that has not finished sending its request headers within a short window, SlowLoris has to send its keep-alive header lines (or reconnect) more often than that window. A low enough timeout therefore forces SlowLoris to reduce its own configured interval and so increase its footprint in packets, connections and log entries. This defeats one of the primary goals of SlowLoris: being stealthy.
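To make the timeout argument concrete, here is an added example (my own code, not the reader's or the original post's) that simulates the whole exchange on localhost in Python: a toy HTTP server with a four-worker pool and a per-connection header timeout, four slow clients in the SlowLoris pattern, and one legitimate client. With a generous timeout the legitimate client is starved; with a short one the slow connections are evicted and the attacker has to keep reconnecting, which is exactly the extra footprint that makes the attack visible. Pool size, intervals and timeouts are arbitrary values chosen for the demonstration.

```python
import queue
import select
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"


def serve(pool_size, header_timeout, ready, stop):
    """Toy HTTP server: a bounded worker pool (the 'connection pool') whose workers
    each read one request's headers and drop a client silent for > header_timeout."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(64)
    srv.settimeout(0.2)  # lets the accept loop notice `stop`
    ready.put(srv.getsockname()[1])  # publish the chosen port

    def handle(conn):
        conn.settimeout(header_timeout)
        buf = b""
        try:
            while b"\r\n\r\n" not in buf:  # request headers not complete yet
                chunk = conn.recv(4096)
                if not chunk:
                    return
                buf += chunk
            conn.sendall(RESPONSE)
        except OSError:
            pass  # timeout or reset: slow client evicted, worker freed
        finally:
            conn.close()

    with ThreadPoolExecutor(max_workers=pool_size) as pool:
        while not stop.is_set():
            try:
                pool.submit(handle, srv.accept()[0])  # queued while all workers are busy
            except socket.timeout:
                continue
    srv.close()


def open_slow(port):
    """Attacker connection: a request that is started but never finished."""
    s = socket.create_connection(("127.0.0.1", port))
    s.sendall(b"GET / HTTP/1.1\r\nHost: target\r\n")
    return s


def slowloris(port, count, interval, stop, reconnects):
    """Hold `count` connections open by trickling one bogus header line every
    `interval` seconds. A connection the server dropped is reopened and counted:
    every reconnect is extra traffic the defender can see."""
    socks = [open_slow(port) for _ in range(count)]
    while not stop.is_set():
        for i, s in enumerate(socks):
            try:
                # A readable socket that yields b"" means the server sent FIN;
                # a pending RST makes the peek (or the send) raise instead.
                if select.select([s], [], [], 0)[0] and s.recv(1, socket.MSG_PEEK) == b"":
                    raise ConnectionError("dropped by server")
                s.sendall(b"X-a: b\r\n")
            except OSError:
                s.close()
                socks[i] = open_slow(port)
                reconnects[0] += 1
        time.sleep(interval)
    for s in socks:
        s.close()


def legit_request(port, wait):
    """A normal client sending a whole request; True if answered within `wait`."""
    with socket.create_connection(("127.0.0.1", port), timeout=wait) as s:
        try:
            s.sendall(b"GET / HTTP/1.1\r\nHost: target\r\n\r\n")
            return s.recv(1024).startswith(b"HTTP/1.1 200")
        except OSError:
            return False


def demo(header_timeout, pool_size=4, attackers=4, interval=0.3, wait=2.0):
    """Attack a server that has `header_timeout`, then try one legitimate request.
    Returns (legit_client_served, attacker_reconnects). Sizes are demo values."""
    ready, stop, reconnects = queue.Queue(), threading.Event(), [0]
    threading.Thread(target=serve, args=(pool_size, header_timeout, ready, stop), daemon=True).start()
    port = ready.get(timeout=5)
    attacker = threading.Thread(target=slowloris, args=(port, attackers, interval, stop, reconnects), daemon=True)
    attacker.start()
    time.sleep(0.5)  # give the attacker time to occupy every worker
    served = legit_request(port, wait)
    stop.set()
    attacker.join()
    return served, reconnects[0]


if __name__ == "__main__":
    print("timeout 10s :", demo(10.0))  # (False, 0): pool held, legitimate client starved
    print("timeout 0.1s:", demo(0.1))   # (True, n > 0): slow clients evicted, attacker must churn
```

The reconnect counter is the defender's signal: with the short timeout the attacker needs a new connection every few hundred milliseconds per slot, which shows up as connection churn in the server log and in flow data long before it shows up as an outage.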

Value to Pen Testers

A Penetration Tester is trying to locate all vulnerabilities that will impact the Confidentiality, Integrity and Availability of the client. A DoS is an example of a threat to Availability. It is easy enough to configure your IDS/IPS/FW to deal with SYN floods or other DoS attacks that leave very large footprints. The danger of SlowLoris is not necessarily that it causes a DoS state (other techniques do the same), but that it's hard to detect until it's already too late. As a Pen Tester, being able to exercise that test case against a target of evaluation helps inform the client about the potential realization of a threat. A client running an e-commerce site pulling in 10,000 USD every 5 minutes can't afford even the shortest downtime. Testing for SlowLoris is therefore quite pertinent.

Countermeasures

To discuss Controls/Countermeasures against slowloris, I have found a few methods proposed by professionals:

1) Andreas at synflood.at released a patch for Apache. It works by adjusting the server's timeout according to the client load it is experiencing. A SlowLoris attack would therefore have to continuously reconfigure itself and gradually increase its footprint, which becomes quite easy to see when analyzing traffic consumption. That gives you enough time to stop the attack, or it may mitigate it completely on its own. Apache later shipped the same idea in mainline as mod_reqtimeout (the RequestReadTimeout directive, available since 2.2.15), which bounds how long a client may take to send its request headers and body.

the patch can be found here: http://synflood.at/tmp/anti-slowloris.diff [Safe according to VirusTotal]

2) Use an application-level firewall (a proxy firewall, or a reverse proxy in front of the server). It terminates the client connection itself, inspects the request before it reaches the server and may drop it if it looks suspicious; because it only hands a request on once it is complete, the slow connections pile up on the proxy, which is built to hold many idle connections cheaply, rather than in the web server's worker pool.

3) Unconfirmed by myself, but some say using SYN cookies may work. I explain how to use SYN cookies here.

Conclusion

Launching a SlowLoris attack is very easy. Its stealthiness is dangerous. Its simplicity makes it underestimated by those with little background in IT security (namely the senior management of the organization you are auditing). Including it as part of your test is therefore essential in convincing the organization to implement a control.

HoneyPorts: homegrown IPS, dynamic firewall, DoS safe

Filed under Defense, Fu (a.k.a Tips)

Sorry I have been busy for the past week or so. Hopefully things will calm down next week or the week after Thanksgiving. However, I wanted to share this quick bit of info, along with some CLI kung-fu (compliments of  John Strand).

IPS

In the world of network perimeter defense, an IPS is a desirable addition. The primary reason is that it not only detects attacks but can then STOP the attack from proceeding, for example by dynamically filtering the IP address that is launching attacks against you. I won't go into much detail about how an IPS works, but for the context of this post I will outline some of the issues with Intrusion Prevention Systems:

  1. Cost – a budget may not be available for an effective and efficient IPS that meets the needs of your system.
  2. Denial of Service – depending on the IPS, packets with a spoofed source address may cause a dynamic filter to be created for a legitimate address (a customer, a partner, your own DNS server). This lets the attacker use your defense against you and compromise your availability.

Enter HoneyPorts

This is where the idea of HoneyPorts comes in.

HoneyPorts (in this example a Windows implementation) use netcat and built-in commands. The idea is like this:

You set up a listener that simulates an attractive open service for an attacker. Upon their connection, your script executes netstat to locate the attacker's IP. The script then uses netsh to add a firewall rule blocking that IP. Pretty simple idea. Here are the benefits:

  1. Free!
  2. It only filters after a full TCP connection. To reach the listener the client must complete the three-way handshake, and a spoofed source can't do that because it never sees the server's initial sequence number in the SYN/ACK. This greatly reduces the likelihood of the DoS described above.
  3. By using a port that would only be touched by someone running a port scanner, you ensure that innocent people aren't cut off. Keep an allowlist for your own management hosts and vulnerability scanners anyway: one mistyped port range on your own scanner will otherwise lock you out.

Here is the syntax (found at PaulDotCom, which also has the full article):

.bat file:

@echo off
REM Run once: find the connection on [port] in netstat, take the foreign address
REM (netstat -nao columns: Proto, Local Address, Foreign Address, State, PID, so token 3),
REM strip the port from it, and add an inbound block rule for that remote IP.
REM The whole for ... do chain must stay on one line in the .bat file.
for /L %%i in (1,1,1) do @for /f "tokens=3" %%j in ('netstat -nao ^| find ^":[port]^"') do @for /f "tokens=1 delims=:" %%k in ("%%j") do netsh advfirewall firewall add rule name="WTF" dir=in remoteip=%%k localport=any protocol=TCP action=block

Start netcat listener (the actual port):

C:\>nc -L -p [port] -e [file].bat

That's all there is to it! Try a port scan, connect to the port, and then rescan (using nmap, of course). You will notice that prior to your connection the port is listed as ‘open’, and after your connection it is seen as ‘filtered’.

enjoy!

Security via /proc/sys/net – IP

Filed under Defense, Fu (a.k.a Tips)

Here is some more information about using /proc/sys/net to secure your Linux box. The following commands help by hardening your IP stack. Two things to keep in mind: writing to /proc/sys takes effect immediately but does not survive a reboot, so put the same settings in /etc/sysctl.conf (or a file under /etc/sysctl.d/) to make them persistent; and the conf/all/ entries apply to every existing interface, while conf/default/ applies to interfaces created later, so set both if you want the setting to stick on new interfaces.

Disabling IP Forwarding

I have already done a post about enabling and disabling IP forwarding, but I'll include it again here. Leaving IP forwarding enabled can cause you issues if someone manages to own one of your VMs or another host behind you: a box that forwards packets can be used as a pivot to route the attacker's traffic into, or back out of, networks they could not otherwise reach. Disabling forwarding helps protect against that.

echo "0" > /proc/sys/net/ipv4/ip_forward

Protect Against IP Spoofing

If you decide to keep IP forwarding enabled, you will want to protect against spoofing (this fix covers spoofing of internal addresses only). The following command sets rp_filter to strict reverse-path filtering: a packet is rejected if the route back to its source address would not leave through the interface that received it. Beware, this breaks asymmetric routing, so it will cause problems on a dual-homed host or a machine with two IPs on different networks; in that case use the value 2 (loose mode), which only requires that the source address be reachable through some interface.

echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

Protect Against SYN Flood

SYN cookies are a good last-chance fix if you're under a SYN flood and have no other choice, and most distributions now enable them by default. When the SYN queue backs up, the kernel stops storing half-open connections and instead encodes the connection state in the sequence number of its SYN/ACK; only a client that completes the handshake with the matching cookie gets a connection. Note that this only helps against floods of half-open connections: an attack that completes the handshake is unaffected.

echo "1" > /proc/sys/net/ipv4/tcp_syncookies

Disable Source Routing

Source routing allows the sender of a packet, i.e. an attacker, to choose the path their packets take through your network, overriding the routing decisions your routers would otherwise make and potentially reaching hosts that normal routing keeps away from them. This is how to disable it:

echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

Enjoy!

Security via /proc/sys/net – Secure ICMP

Filed under Defense, Fu (a.k.a Tips)

There are some pretty basic attacks that any administrator can mitigate without any special software. In fact, your Linux kernel allows direct interaction via the /proc/sys file structure. For those unfamiliar with it, /proc/ exposes information about the processes running on your machine, while /proc/sys is something different: it is the kernel's sysctl interface, a tree of files each of which reads and writes one tunable kernel parameter. In this series we will discuss certain parameters that can be toggled and configured to defend against basic attacks and information gathering. This issue we will go over ICMP security.

Note: The commands themselves are very simple. Each involves echoing on (“1”) or off (“0”) into a file within /proc/sys/net, as root. The change takes effect immediately but does not survive a reboot; put the same settings in /etc/sysctl.conf (or /etc/sysctl.d/) to make them persistent.

Prevent Ping

Pinging is the basic way to test connectivity and the state of a target machine. It does this using the ICMP protocol: the originating machine issues an ECHO REQUEST, and the target machine responds with an ECHO REPLY. If you stop sending ECHO REPLYs, an attacker sweeping for live hosts may give up, believing that your host is not even there. Bear in mind that this only hides you from the laziest sweeps; nmap, for instance, also sends TCP probes to ports 80 and 443 during host discovery, and your own monitoring will lose the ability to ping the host.

Here are the commands relating to ECHO packets. Note the polarity: writing 1 tells the kernel to ignore the requests (so the host stops replying), and writing 0 restores the normal behaviour.

//stop replying (ignore echo requests)

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

//reply again

echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all

Notice that I also ignored broadcasts. There is a reason for this. If you have been following my blog, you may recall a post I did a while ago about Smurf attacks, which rely on hosts answering echo requests sent to a broadcast address. Although it is best to defend your network from being used in a Smurf attack by using the ‘no ip directed-broadcast’ setting on your router, you can defend each host with the icmp_echo_ignore_broadcasts setting above (modern kernels already default it to 1).

ICMP Redirects

You may also want to stop accepting ICMP redirects. A redirect lets a router on your LAN tell your host to use a different gateway for a destination, so a spoofed redirect lets an attacker insert themselves into your traffic path. Unless your host genuinely relies on redirects, disabling them is a good idea; a host that is itself acting as a router should also stop sending them (the corresponding send_redirects setting).

//disable

echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

//enable

echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects

Prevent Log Attacks

In some scenarios an attacker may try to flood your logs to hinder your incident handling abilities. Some routers violate RFC 1122 by sending bogus responses to broadcast frames, and the kernel logs a warning for each one; an attacker who can provoke those responses can quickly fill up your logfile. Setting this parameter to 1 tells the kernel to ignore such bogus responses silently:

//suppress the warnings (ignore bogus responses)

echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

//log them again

echo "0" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
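The settings from this post and from the earlier “Security via /proc/sys/net – IP” post, together in one added Python helper (my own code, not from the original posts). It audits a host against the hardened values, optionally applies them, and renders the same list in sysctl.conf syntax so the settings survive a reboot. Because /proc/sys is just a file tree, the root path is a parameter, which lets the helper be exercised against a scratch directory without root. net/ipv4/conf/all/send_redirects is my addition and is not mentioned in the posts; the icmp_echo_ignore_all entry follows the post, though many administrators leave it at 0 so monitoring can still ping the host.

```python
import os

SYSCTL_ROOT = "/proc/sys"  # a parameter so the helper can be pointed at a scratch tree

# Hardened values from the two /proc/sys/net posts. Keys are paths under /proc/sys.
# send_redirects is an addition (not in the posts); icmp_echo_ignore_all follows the
# post, though many admins leave it at 0 so monitoring can still ping the host.
HARDENED = {
    "net/ipv4/ip_forward": "0",                         # don't route for others
    "net/ipv4/conf/all/rp_filter": "1",                 # strict reverse-path filtering
    "net/ipv4/tcp_syncookies": "1",                     # survive SYN floods
    "net/ipv4/conf/all/accept_source_route": "0",       # sender can't dictate the path
    "net/ipv4/conf/all/accept_redirects": "0",          # nobody rewrites our routes
    "net/ipv4/conf/all/send_redirects": "0",            # and we don't rewrite anyone's
    "net/ipv4/icmp_echo_ignore_broadcasts": "1",        # no smurf amplification
    "net/ipv4/icmp_echo_ignore_all": "1",               # no echo replies at all
    "net/ipv4/icmp_ignore_bogus_error_responses": "1",  # no log spam from broken routers
}


def read_key(key, root=SYSCTL_ROOT):
    with open(os.path.join(root, key)) as f:
        return f.read().strip()


def write_key(key, value, root=SYSCTL_ROOT):
    with open(os.path.join(root, key), "w") as f:  # needs root on a real /proc/sys
        f.write(value + "\n")


def audit(expected=HARDENED, root=SYSCTL_ROOT):
    """Return {key: (current, wanted)} for each setting that is not at its hardened
    value. A key the kernel does not expose is reported with current=None."""
    drift = {}
    for key, wanted in expected.items():
        try:
            current = read_key(key, root)
        except FileNotFoundError:
            current = None
        if current != wanted:
            drift[key] = (current, wanted)
    return drift


def apply(expected=HARDENED, root=SYSCTL_ROOT, dry_run=False):
    """Set every drifted key that exists to its hardened value; return the keys changed.
    Like echo > /proc/sys/..., this is immediate but lost at reboot."""
    changed = []
    for key, (current, wanted) in audit(expected, root).items():
        if current is None:
            continue
        if not dry_run:
            write_key(key, wanted, root)
        changed.append(key)
    return changed


def sysctl_conf(expected=HARDENED):
    """Same settings in /etc/sysctl.d syntax, the form that survives a reboot."""
    return "".join(f"{key.replace('/', '.')} = {value}\n"
                   for key, value in sorted(expected.items()))


if __name__ == "__main__":
    for key, (current, wanted) in audit().items():
        print(f"{key}: {current!r} (want {wanted})")
    print(sysctl_conf(), end="")
```

Run the audit before and after a change and diff the two; a key reported as None means the running kernel does not expose that parameter, which is worth knowing before you put it in sysctl.conf.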

I hope this is helpful! Come back to see the rest of the series!
