February 18

Your network is under attack? Always on Saturday morning.


It's morning, but already late. You get up and you know that today is a special day. It's Saturday, so ahead of you lies a nice day of relaxing and goofing off.

You walk to the coffee machine, but your eye falls on your mobile phone. Turn it on or leave it off? That is the dilemma. Of course I turn it on; it's Saturday and everything is perfect.

Beep, beep... beep, beep... 7 missed calls. CEO of Micso, colleague 1, colleague 2, colleague 3, client 1, client 2, client 3.

Ok, coffee is postponed, and the relaxing, lazy Saturday is delayed. I'm about to have a déjà vu. Something bad has happened at Micso.

Time to get connected and call His Holiness, the CEO of the company where I work. From the background noise I immediately sense that he is in the server farm, so the situation is not just tragic, it's worse!

In short, it seems that the firewall that manages and protects our network is locked up.

Well, let's begin. Goal of the game: understand where the problem is and get the network back up. The enemies are: time, the complexity of the network, and the fact that right now I am remote and therefore cannot access any machine, the firewall included.

Let's see how to proceed.

Step 1 - Shutdown and reboot

Like any good computer person, I know the basic rule of any game. If a computer doesn't work, some service or the kernel has probably crashed. You turn it off and on again, hoping the problem will magically resolve itself.

So I have our CEO reboot the firewall and watch with my fingers crossed.

The response is that the machine boots up, but when it gets to loading the firewall rules it seems to load them one at a time, extremely slowly.

From where the machine hangs during startup it quickly becomes clear that the problem is not software but the network. Undoubtedly, from somewhere, an abnormal amount of data is arriving, so much that the firewall cannot cope with it and collapses.

The next step is obvious.

Step 2 - Disconnect all

I have all the network cables unplugged from the firewall, which immediately catches its breath. Ok. Now the cables get plugged back in, one at a time. Very slowly.

First the cable to our own workstations. All ok. The firewall still works. Then the Internet cable. Still all ok. Now I can finally log in to the firewall.

Finally the cable to the server farm. Buummmm, crashhh, whishhhhhh. Nothing works anymore. Ok, the problem is, as expected, in the server farm.

Undoubtedly some machine inside is making a mess. This was easy to guess: if the attack came from outside, there would not be enough bandwidth to saturate and kill the firewall, and besides, the firewall would have crashed as soon as the Internet cable was plugged back in. Instead it crashed only now.

Since it is impossible to work on the firewall with the server-farm cable connected, to understand who and what is slowing everything down we have to proceed step by step.

Step 3 - Identify the service under attack

First, let's see whether one particular service is under unusually heavy use.

With iptraf running on the firewall, I start listening on the server-farm interface, plug in the network cable for ten seconds, and unplug it right after to regain control of the firewall.

The result is obvious.

[Screenshot: iptraf output on the server-farm interface]

Someone is misbehaving on port 53, that is, flooding the DNS with requests. Let's see who.

Step 4 - Identify the attackers

That is now very simple. We run tcpdump on the firewall, listening on the server-farm network interface, capturing all packets to and from port 53 and writing everything to a file.

tcpdump -i eth1 -w tcpdump_attacco.dump port 53

Plug in the server-farm cable for ten seconds, then unplug it to regain control of the firewall. Download the file to the PC at home and analyze it with Wireshark.

[Screenshot: Wireshark view of the captured DNS traffic]

Oh, we finally have an IP, and therefore the culprit.
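The same "who is flooding port 53" question can be answered without a GUI: the script below (an added example, not from the original post) parses the text summary that `tcpdump -nn port 53` prints, counts DNS queries per source IP while ignoring the answers flowing back, and reports any source above a threshold. The capture lines, addresses and names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the format of `tcpdump -nn -i eth1 port 53` text output.
# Hosts and names are made up; 192.168.10.2 plays the role of the resolver.
SAMPLE_CAPTURE = """\
10:02:01.000112 IP 192.168.10.23.41002 > 192.168.10.2.53: 18001+ A? www.example.net. (33)
10:02:01.000340 IP 192.168.10.23.41003 > 192.168.10.2.53: 18002+ A? mail.example.net. (34)
10:02:01.000571 IP 192.168.10.23.41004 > 192.168.10.2.53: 18003+ MX? example.net. (29)
10:02:01.004890 IP 192.168.10.77.53210 > 192.168.10.2.53: 40011+ A? update.example.org. (36)
10:02:01.000712 IP 192.168.10.23.41005 > 192.168.10.2.53: 18004+ A? ns1.example.net. (33)
10:02:01.102000 IP 192.168.10.2.53 > 192.168.10.77.53210: 40011 1/0/0 A 203.0.113.9 (52)
10:02:02.000900 IP 192.168.10.23.41006 > 192.168.10.2.53: 18005+ A? www.example.net. (33)
"""

# One line of tcpdump's IPv4 summary: timestamp, "IP", src.port > dst.port: payload summary
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def count_dns_queries(capture_text):
    """Count DNS queries (packets whose destination port is 53) per source IP.

    Replies from the resolver have source port 53 and are skipped, so a busy
    but legitimate DNS server does not show up as an offender.
    """
    counts = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dport") != "53":
            continue  # malformed line, or an answer going back to a client
        counts[m.group("src")] += 1
    return counts


def top_talkers(capture_text, threshold=3):
    """Return [(ip, query_count), ...] for sources at or above the threshold, busiest first.

    The default threshold only suits this tiny sample; for a real ten-second
    capture raise it to a value well above the normal per-host query rate.
    """
    counts = count_dns_queries(capture_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]
```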

You should have heard me, over the phone, yelling at the administrator: "Unplug the network cable from that machine, turn it off, burn it!!!!!!"

Now that the whole network is back to 100%, to find out whether our relaxing Saturday can begin or whether we have done only a tenth of the work, we need to understand whether the machine is ours or a client's hosted box.

If the machine is ours, it's painful, because we have to understand why it is making all this mess, and since there is only one explanation (someone managed to get in through some vulnerability on the machine, took control and has turned it into a "monster"), we have to understand how they got in, what other damage was done and how to fix the problem. Then figure out who is responsible for leaving our machine with an open vulnerability. A miserable weekend in sight.

Luckily the machine is not ours but a client's. Switched off, and it stays off. Someone will get a not-so-happy phone call from me on Monday.

Told this way it sounds as if the whole thing was resolved in ten minutes. Actually, between the first phase of panic mode, the second phase of "I don't remember where this network interface goes", and the third phase when you switch to "ignore mode = on", it took nearly an hour to deal with it.

Oh well, the important thing is that now the "real" Saturday can begin.
