Trilight Zone

digital8 · Second Lieutenant Joined: 29 Sep 2005 Posts: 1002

It's easy to recognize a DDoS attack: slow networks and servers crashing catch the eye of every administrator (or their users!). The first step in our defense is to identify and qualify what type of traffic is bombarding the network. Most DDoS attacks send a very specific type of traffic over and over: ICMP, UDP, TCP - albeit with forged source addresses. But an unusually large quantity of a certain packet type should be an accurate starting point for characterizing the attack and useful information for crafting filters in the future. The exception to this rule, to be addressed later, would be DDoS attacks directed at specific services, such as HTTP, using valid traffic and requests.

To identify and inspect the packets, we need to analyze the network traffic. This can be accomplished using two different methods depending on where the traffic is being examined. The first method can be used on a machine located on the target network. tcpdump is a widely available sniffer that works well for our purposes. Analyzing the output in real-time is impossible on a busy network, so the first step is to use the "-w" option to write the data to a file. Next, use a tool such as David Dittrich's modified version of tcpdstat or tcptrace to summarize the findings.

The output from a sample tcpdump file parsed using tcpdstat is below:

DumpFile: test
FileSize: 0.01MB
Id: 200212270001
StartTime: Fri Dec 27 00:01:51 2002
EndTime: Fri Dec 27 00:02:15 2002
TotalTime: 23.52 seconds
TotalCapSize: 0.01MB CapLen: 96 bytes
# of packets: 147 (12.47KB)
AvgRate: 5.56Kbps stddev:5.40K PeakRate: 25.67Kbps

### IP flow (unique src/dst pair) Information ###
# of flows: 9 (avg. 16.33 pkts/flow)
Top 10 big flow size (bytes/total in %):
26.6% 16.5% 14.7% 11.6% 9.8% 7.6% 5.4% 5.4% 2.5%

### IP address Information ###
# of IPv4 addresses: 7
Top 10 bandwidth usage (bytes/total in %):
97.5% 34.1% 31.2% 21.4% 10.7% 2.5% 2.5%
### Packet Size Distribution (including MAC headers) ###
<<<<
[ 32- 63]: 79
[ 64- 127]: 53
[ 128- 255]: 8
[ 256- 511]: 6
[ 512- 1023]: 1
>>>>

### Protocol Breakdown ###
<<<<
protocol packets bytes bytes/pkt
------------------------------------------------------------------------
[0] total 147 (100.00%) 12769 (100.00%) 86.86
[1] ip 147 (100.00%) 12769 (100.00%) 86.86
[2] tcp 107 ( 72.79%) 6724 ( 52.66%) 62.84
[3] telnet 66 ( 44.90%) 3988 ( 31.23%) 60.42
[3] pop3 41 ( 27.89%) 2736 ( 21.43%) 66.73
[2] udp 26 ( 17.69%) 4673 ( 36.60%) 179.73
[3] dns 24 ( 16.33%) 4360 ( 34.15%) 181.67
[3] other 2 ( 1.36%) 313 ( 2.45%) 156.50
[2] icmp 14 ( 9.52%) 1372 ( 10.74%) 98.00
It's easy to see how these useful tools can help you quickly determine what type of traffic is most prevalent. They save a lot of time by parsing and processing the captured packets.

A router can also be used to monitor incoming traffic. Through the use of specific access lists, a router can serve as a basic packet filter. It will also be the device you are likely focused on since it's the gateway between your network and the Internet. The following example from Cisco illustrates a very simple way of using access lists to monitor incoming traffic:

access-list 169 permit icmp any any echo
access-list 169 permit icmp any any echo-reply
access-list 169 permit udp any any eq echo
access-list 169 permit udp any eq echo any
access-list 169 permit tcp any any established
access-list 169 permit tcp any any
access-list 169 permit ip any any

interface serial 0
ip access-group 169 in
Using the "show access-list" command will summarize the match count for each rule:

Extended IP access list 169
permit icmp any any echo (2 matches)
permit icmp any any echo-reply (21374 matches)
permit udp any any eq echo
permit udp any eq echo any
permit tcp any any established (150 matches)
permit tcp any any (15 matches)
permit ip any any (45 matches)
The output is simple, but effective - note the high number of ICMP echo-reply packets. More information about suspect packets can be gathered by appending the "log-input" command to the proper rule. This rule will log information about any ICMP traffic:

access-list 169 permit icmp any any echo-reply log-input
The router logs now capture more detail (view using "show log") about the matching packets. In the example below, the log shows several packets that matched a DENY ICMP rule:

%SEC-6-IPACCESSLOGDP: list 169 denied icmp 192.168.45.142 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 169 denied icmp 192.168.45.113 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 169 denied icmp 192.168.212.72 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 169 denied icmp 172.16.132.154 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 169 denied icmp 192.168.45.15 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 169 denied icmp 192.168.45.142 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 169 denied icmp 172.16.132.47 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 169 denied icmp 192.168.212.35 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 169 denied icmp 192.168.45.113 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 169 denied icmp 172.16.132.59 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 169 denied icmp 192.168.45.82 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 169 denied icmp 192.168.212.56 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 169 denied icmp 172.16.132.84 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 169 denied icmp 192.168.212.47 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 169 denied icmp 192.168.45.35 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 169 denied icmp 192.168.212.15 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 169 denied icmp 172.16.132.33 (Serial0 *HDLC*) -> 10.2.3.7 (0/0), 1 packet
Note the information contained in each entry: source and destination address, interface and the rule that it matched. This type of detailed information will help determine our defense.