Строим ханипот и выявляем DDoS-атаки
3 likes2,599 views
The document discusses the use of honeypots to monitor DDoS attack vectors, highlighting the predominance of infrastructure attacks in recent data. It presents an architecture for tracking and visualizing attack data using various technologies, including Elasticsearch and Logstash, and outlines the methodology for collecting and analyzing data from DDoS attacks. The authors emphasize the importance of reproducible research and collaboration in understanding DDoS threats.
![Parse this Nice and Easy with this.
input {
#Production Logs#############################
file {
type => "BRO_connlog"
path => "/nsm/bro/logs/current/conn.log"
}
# BRO_connlog ######################
if [type] == "BRO_connlog" {
grok {
match => [ "message",
"(?<ts>(.*?))t(?<uid>(.*?))t(?<id.orig_h>(.*?))t(?<id.orig_p>(.*?))t(?<id.resp_h>(.*?))t(?<id.resp_p>(.*?))t(?<proto>(.*?))t(?<service>(.
*?))t(?<duration>(.*?))t(?<orig_bytes>(.*?))t(?<resp_bytes>(.*?))t(?<conn_state>(.*?))t(?<local_orig>(.*?))t(?<missed_bytes>(.*?))t(
?<history>(.*?))t(?<orig_pkts>(.*?))t(?<orig_ip_bytes>(.*?))t(?<resp_pkts>(.*?))t(?<resp_ip_bytes>(.*?))t(?<tunnel_parents>(.*?))" ]
}
}](https://image.slidesharecdn.com/buildingdigitalthreatintelligenceprograms-ruautosaved-160531150602/85/DDoS-29-320.jpg)
Строим ханипот и выявляем DDoS-атаки
- 2. Introduction
- 5. Problem
- 6. Problem
- 7. Problem
- 8. Problem
- 9. Problem
- 10. Problem 2.1 / DDoS Attack Vectors / As shown in Figure 2-1, infrastructure attacks continue to dominate, increasing 2% from last quarter and accounting for 97% of all DDoS attack activity. The large increases at the infrastructure layer further diminished the percentage of application layer attacks, which have decreased slightly over time. https://www.akamai.com/us/en/multimedia/documents/report/q4-2015-state-of-the-internet-security-report.pdf
- 11. • (AS) (Count) • 6939 7034 HURRICANE - Hurricane Electric,Inc.,US • 4134 6663 CHINANET-BACKBONE No.31,Jin-rong Street,CN • 7922 3447 COMCAST-7922 - ComcastCable Communications,Inc.,US • 16276 3161 OVH OVH SAS,FR • 37963 2989 CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd.,CN • 200000 2272 UKRAINE-AS Hosting Ukraine LTD,UA • 48347 2056 MTW-AS JSC MediaSoftEkspert,RU • 4837 1950 CHINA169-BACKBONE CNCGROUP China169 Backbone,CN • 58543 1940 CHINATELECOM-GUANGDONG-IDC Guangdong,CN • 7018 1677 ATT-INTERNET4 - AT&T Services, Inc.,US • 28573 1290 CLAROS.A.,BR • 701 1216 UUNET - MCI Communications Services,Inc.d/b/a Verizon Business,US • 23650 981 CHINANET-JS-AS-AP AS Number for CHINANET jiangsu province backbone,CN • 5089 945 NTL Virgin Media Limited,GB • 24940 940 HETZNER-AS Hetzner Online GmbH,DE • 18881 936 Global Village Telecom,BR • 20115 931 CHARTER-NET-HKY-NC - Charter Communications,US • 5607 911 BSKYB-BROADBAND-AS Sky UK Limited,GB • 13335 783 CLOUDFLARENET- CloudFlare,Inc.,US • 1221 723 ASN-TELSTRA Telstra Pty Ltd,AU Our research has pointed something out
- 12. DoS Evolution
- 14. 20 Million Open DNS Resolvers According to Open Resolver Project (10.15.2015)
- 16. Scanners
- 18. What Services we support PORT Service Provide 19 CHARGEN x 7 Echo x 5353 MDNS x 1434 Mssql 5351 NAT-PMP x 111 Portmapper x 27960 Quake 520 RIP 5093 Sentinal x 161 SNMP x 1900 SSDP x 9987 TeamSpeak3, x 7778 UnrealTournament 177 XDMCP x 500 IKE x 69 TFTP
- 19. Architecture
- 24. Basics • Ubuntu 14.04LTS • Installs via Bash Script • Runs Xinetd, Bind9, NTPD, Emulators • Logs with BRO • Ships logs with logstash via AMQP • Receive and index in elasticsearch with Logstash via AMQP • Visualize with Kibana
- 25. Simple Sketch
- 27. Bro
- 30. Parse this Nice and Easy with this. output { rabbitmq { user => "USER" exchange_type => "direct" password => "PASSWORD" exchange => "amq.direct" vhost => "/amp" durable => true ssl => true port => 5671 persistent => true host => "hose_ip" } }
- 34. Same on the Other End Don’t forget to click all the things
- 38. Annoyances TLP:RED Hosting Providers responding to abuse….
- 39. Code
- 43. What have we seen? (AS) (Count) 6939 7034 HURRICANE - Hurricane Electric, Inc.,US 4134 6663 CHINANET-BACKBONENo.31,Jin-rong Stre 7922 3447 COMCAST-7922 - Comcast Cable Communic 16276 3161 OVH OVH SAS,FR 37963 2989 CNNIC-ALIBABA-CN-NET-APHangzhouAlib 200000 2272 UKRAINE-AS HostingUkraine LTD,UA 48347 2056 MTW-AS JSC MediaSoft Ekspert,RU 4837 1950 CHINA169-BACKBONE CNCGROUP China1 58543 1940 CHINATELECOM-GUANGDONG-IDC Guang 7018 1677 ATT-INTERNET4 - AT&T Services, Inc.,US 28573 1290 CLARO S.A.,BR 701 1216 UUNET - MCI CommunicationsServices,Inc 23650 981 CHINANET-JS-AS-AP AS Number for CHINA backbone,CN 5089 945 NTL Virgin Media Limited,GB 24940 940 HETZNER-AS Hetzner OnlineGmbH,DE 18881 936 Global Village Telecom,BR 20115 931 CHARTER-NET-HKY-NC - Charter Communi 5607 911 BSKYB-BROADBAND-AS Sky UK Limited,GB 13335 783 CLOUDFLARENET - CloudFlare, Inc.,US 1221 723 ASN-TELSTRA Telstra PtyLtd,AU
- 50. These are the best dudes in the world Zane Witherspoon – San Francisco Acheleas Mustakis – Athens, Greece
- 51. Science should be repeatable and open RStudio Desktop https://github.com/kingtuna/Hybrid-Darknet-Concept Special thanks to - A10 Networks, Nexusguard, fsi.io, and Cari.net Collaborators: Zane Witherspoon, Acheleas Mustakis, and Krassimir