UNCLASSIFIED
Testing and Security Validation
Version 1.0g
DDoS agents. For more information, visit:
http://www.iss.net/securing_e-business/security_products/
SAINT gathers information about remote hosts and networks by examining network
services such as finger, NFS, NIS, ftp, tftp and the rsh commands. The initial data
collection can then be used to investigate any potential security problems. SAINT
can also be configured to examine trust and dependency relationships in the target
network; this feature exposes the real security implications inherent in network
trust and services. For more information, including a FAQ, a tutorial and the latest
version of SAINT, visit: http://www.wwdsi.com/saint/index.html
SATAN was designed to help system administrators responsible for the security
posture of their systems; it is a tool for investigating the vulnerabilities of remote
systems. SATAN systematically proceeds through a target network probing for
common networking-related weaknesses and security problems. The vulnerabilities
discovered are then reported to the user without actually exploiting them. For each
problem found, SATAN offers a tutorial that explains the problem and the potential
impact. SATAN also provides corrective actions including configuration changes,
installing vendor bugfixes, or possibly disabling services. For more information or to
download a copy of SATAN, visit the COAST file archive site:
ftp://coast.cs.purdue.edu/pub/tools/unix/satan
6.3.4. Detecting Attacks
As mentioned in section 6.3.2 above, denial of service attacks are very common on
the internet. IOS access lists can be used to characterize the different packet types
and to tentatively identify DoS attacks. Assume the following access list is applied to
interface 14.2.0.20 of router North:
access-list 102 permit icmp any any echo log-input
access-list 102 permit icmp any any echo-reply log-input
access-list 102 permit tcp any any established
access-list 102 permit tcp any any log-input
access-list 102 permit ip any any
interface serial 0
ip access-group 102 in
This access list does not filter out any traffic; every packet is permitted by one of
the five entries, but the entries separate the traffic by type, and the match counter
on each entry shows how much of each type has arrived. An analysis of the packets
arriving on the serial interface can identify the specific attack being used, a
necessary first step in countering DoS attacks. To see the number of matches for each
line in the access list, use the command show access-list 102. The counters are
cumulative, so clear them with clear access-list counters 102 before taking a
sample. The log-input keyword on the ICMP and TCP entries also records the source
address and input interface of each matching packet in the log. For more information
about access lists, consult Section 4.3.
The signature of a smurf attack where router North is the ultimate target would show
most of the packets as ICMP echo replies. If the incoming traffic consists mostly of
ICMP echo requests, the attack is probably a smurf attack where North is a reflector.
In a typical smurf attack, the source addresses in the echo reply packets fall within
a few networks; these are the addresses of the reflector sites, and the source
addresses recorded by the log-input keyword on the echo-reply entry are what
identify them.
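The analysis described above, carried out on the router's own output, as an added example that is not part of the original guide: the script parses the per-entry match counters from show access-list 102 and the %SEC-6-IPACCESSLOGDP messages that log-input produces, names the dominant traffic type, and aggregates the echo-reply sources by network to list candidate reflector sites. Both sample texts are constructed for this example (their counts and addresses are invented); the thresholds and the SYN-flood inference from the non-established TCP entry are this example's own generalization, not something the guide states.

```python
"""Classify DoS traffic from Cisco IOS access-list output (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample of `show access-list 102` output, taken after a burst
# of suspicious traffic. The numbers are invented for this example.
SHOW_ACL_SAMPLE = """\
Extended IP access list 102
    permit icmp any any echo log-input (312 matches)
    permit icmp any any echo-reply log-input (184550 matches)
    permit tcp any any established (9021 matches)
    permit tcp any any log-input (87 matches)
    permit ip any any (1204 matches)
"""

# Constructed sample of the syslog messages that log-input produces. For
# ICMP the "(type/code)" field after the destination is 0/0 for echo-reply
# and 8/0 for echo; "(Serial0 *HDLC*)" is the input interface.
SYSLOG_SAMPLE = """\
%SEC-6-IPACCESSLOGDP: list 102 permitted icmp 192.0.2.14 (Serial0 *HDLC*) -> 14.2.0.20 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list 102 permitted icmp 192.0.2.77 (Serial0 *HDLC*) -> 14.2.0.20 (0/0), 3187 packets
%SEC-6-IPACCESSLOGDP: list 102 permitted icmp 198.51.100.9 (Serial0 *HDLC*) -> 14.2.0.20 (0/0), 2901 packets
%SEC-6-IPACCESSLOGDP: list 102 permitted icmp 198.51.100.200 (Serial0 *HDLC*) -> 14.2.0.20 (0/0), 2760 packets
%SEC-6-IPACCESSLOGDP: list 102 permitted icmp 203.0.113.5 (Serial0 *HDLC*) -> 14.2.0.20 (0/0), 4012 packets
%SEC-6-IPACCESSLOGDP: list 102 permitted icmp 10.20.5.3 (Serial0 *HDLC*) -> 14.2.0.20 (8/0), 1 packet
"""

# One access-list entry: optional sequence number, protocol, optional
# qualifier (echo, echo-reply, established), optional log-input, counter.
ACL_LINE = re.compile(
    r"^\s*(?:\d+\s+)?permit\s+(?P<proto>\w+)\s+any\s+any"
    r"(?:\s+(?P<qual>(?!log-input)[\w-]+))?(?:\s+log-input)?"
    r"(?:\s+\((?P<n>\d+) matches?\))?"
)

# One log-input message for an ICMP packet.
LOG_LINE = re.compile(
    r"list (?P<acl>\d+) (?P<action>permitted|denied) icmp "
    r"(?P<src>[\d.]+) \((?P<iface>\S+) [^)]*\) -> (?P<dst>[\d.]+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<n>\d+) packets?"
)


def parse_counters(show_output):
    """Map each entry ('icmp echo', 'tcp established', 'tcp', 'ip') to its match count."""
    counts = {}
    for line in show_output.splitlines():
        m = ACL_LINE.match(line)
        if not m:
            continue
        key = m.group("proto")
        if m.group("qual"):
            key += " " + m.group("qual")
        counts[key] = int(m.group("n") or 0)   # IOS omits the counter when it is zero
    return counts


def classify(counts):
    """Return (verdict, share): which traffic type dominates and its fraction."""
    total = sum(counts.values())
    if total == 0:
        return ("no traffic", 0.0)
    dominant, n = max(counts.items(), key=lambda kv: kv[1])
    share = n / total
    if share < 0.5:                             # threshold chosen for this example
        return ("mixed traffic, no single dominant type", share)
    verdict = {
        "icmp echo-reply": "smurf attack: this router/network is the target",
        "icmp echo": "echo-request flood: possible smurf reflector use or ping flood",
        "tcp": "non-established TCP dominates: possible SYN flood",
        "tcp established": "normal: established TCP sessions dominate",
    }.get(dominant, "dominant entry %r, examine further" % dominant)
    return (verdict, share)


def parse_icmp_log(syslog_text):
    """Extract (src, dst, iface, icmp type, packet count) from log-input messages."""
    records = []
    for line in syslog_text.splitlines():
        m = LOG_LINE.search(line)
        if m:
            records.append({"src": m.group("src"), "dst": m.group("dst"),
                            "iface": m.group("iface"), "type": int(m.group("type")),
                            "packets": int(m.group("n"))})
    return records


def reflector_networks(records, prefix_len=24):
    """Aggregate echo-reply sources by network; in a smurf attack a few networks
    carry nearly all the replies, and those networks are the reflector sites."""
    per_net = Counter()
    for r in records:
        if r["type"] != 0:                      # only echo replies identify reflectors
            continue
        net = ipaddress.ip_network("%s/%d" % (r["src"], prefix_len), strict=False)
        per_net[str(net)] += r["packets"]
    return per_net


if __name__ == "__main__":
    counts = parse_counters(SHOW_ACL_SAMPLE)
    verdict, share = classify(counts)
    print("per-entry matches:", counts)
    print("verdict: %s (%.0f%% of packets)" % (verdict, share * 100))
    for net, pkts in reflector_networks(parse_icmp_log(SYSLOG_SAMPLE)).most_common():
        print("reflector candidate %-18s %6d echo replies" % (net, pkts))
```

Run against counters captured a few minutes apart (after clear access-list counters 102) rather than against the cumulative totals, so that the verdict reflects the current traffic mix rather than everything the interface has seen since boot.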