Other Techniques That Ascertain Alive Worms


Internet service providers (ISP) use other techniques to detect an active worm that propagates in their networks. Indeed, an ISP can detect network scanning to random IP addresses.

The trick is to forward all packets to nonexisting addresses, such as nonallocated IP addresses, to a single host that can be monitored for a traffic surge. If this host receives too much traffic, this means that many packets are being sent to nonexisting hosts. This is most probably the consequence of a worm randomly scanning the network to propagate itself.

More on Nonallocated IP Addresses

In the case of an ISP, all the address space received directly from the Internet Assigned Numbers Authority (IANA) is not completely allocated to the ISP infrastructure or to ISP customers. The addresses received but not allocated are actually nonexistent and, therefore, should never receive any traffic if the network is well configured and if the traffic is normal.

In the case of an enterprise using a block of IP addresses received through its ISP, the same reasoning applies: Not all received IP addresses are allocated, and there should be no traffic destined to the nonallocated IP addresses.

In the case of an enterprise using RFC 1918 private addresses, such as network 10.0.0.0/8 or 192.168.0.0/16, not all those private addresses are actually used by the network infrastructure or are assigned to subnets. Again, all traffic destined to those nonallocated IP addresses is suspicious because there should be no traffic to nonallocated addresses in well-configured networks.


In addition to the nonallocated IP addresses, several IP addresses don’t exist in the Internet; they are called bogons. (For an updated list, see The Team Cymru Bogon List.8)

Figure 15-7 depicts how a sink hole is set up in a network. The sink-hole router announces a default route to all other routers. (It is assumed that no default route is announced in this network.)

Figure 15-7 Sink Hole Receives Worm Scans

When no worm is in the network, normal hosts (clients and servers) exchange all IP packets; therefore, all packets have a valid destination IP address (that is, one existing in the routing tables). They always reach their destination. Hence, the sink-hole router never gets any traffic.

When a worm is active on some infected hosts, it tries to propagate itself by generating random IP addresses and by trying to connect to those random addresses to infect more machines. When the worm connects to a valid address—that is, an address existing in the routers’ routing tables—the IP packets are actually forwarded to their destination. But, when the worm tries to send IP packets to a nonexistent address, those packets follow the default route announced by the sink-hole router and reach this router. If the router itself is configured with a default route to a next hop (which is a sniffer), the sniffer analyzes the incorrectly addressed packets.
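The following is an added example, not code from the book, that models the sink-hole behavior just described: the routing table holds only the prefixes that really exist, the sink-hole router supplies the default route, and the sniffer behind it counts, per source host, the packets that fell through to it. The prefixes, addresses, and the alert threshold are constructed for the illustration.

```python
# Added example (not from the book): a model of the sink-hole router. Routers
# hold only the prefixes that really exist; the sink-hole router injects a
# default route, so any packet to a nonexistent destination falls through to
# it. Counting those packets per source host is the detection signal.
import ipaddress
from collections import Counter

# Constructed routing table: the prefixes that really exist in this network.
VALID_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.1.0.0/16",    # assumed client subnets
    "10.2.0.0/16",    # assumed server subnets
    "192.0.2.0/24",   # assumed DMZ (documentation prefix, constructed)
)]
SINKHOLE = "sinkhole"   # next hop of the default route 0.0.0.0/0

def lookup(dst):
    """Longest-prefix match; the default route (sink hole) is used only when
    no real prefix covers the destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net in VALID_PREFIXES:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else SINKHOLE

def sinkhole_hits(packets):
    """Count, per source host, the packets that reached the sink hole.
    packets: iterable of (src, dst) pairs as the sniffer would see them."""
    hits = Counter()
    for src, dst in packets:
        if lookup(dst) == SINKHOLE:
            hits[src] += 1
    return hits

def suspected_scanners(packets, threshold):
    """Source hosts whose sink-hole hit count reaches the threshold."""
    return sorted(src for src, n in sinkhole_hits(packets).items() if n >= threshold)

# Constructed sample traffic: a normal client talking to real servers, and an
# infected host (10.1.0.77) probing random addresses, most of which do not exist.
SAMPLE_PACKETS = [
    ("10.1.0.5", "10.2.0.10"), ("10.1.0.5", "192.0.2.7"), ("10.1.0.5", "10.2.0.11"),
    ("10.1.0.77", "10.2.0.10"),      # one probe happens to hit a real prefix
    ("10.1.0.77", "10.57.3.9"), ("10.1.0.77", "10.200.1.1"), ("10.1.0.77", "172.31.4.4"),
    ("10.1.0.77", "10.9.9.9"), ("10.1.0.77", "198.51.100.3"),
]

if __name__ == "__main__":
    for src, n in sinkhole_hits(SAMPLE_PACKETS).items():
        print(f"{src}: {n} packets to nonexistent addresses")
    print("suspected scanners:", suspected_scanners(SAMPLE_PACKETS, threshold=3))
```

The normal client never appears in the sink-hole counts because every destination it uses exists in the routing table; the infected host shows up with five sink-holed packets out of six, which is the asymmetry the technique relies on.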

[Figure 15-7 labels: Sinkhole Network; Worm Tries to Propagate to Non-Existent IP Address; Router Advertises Default Route]

254 Chapter 15: Using Switches to Detect a Data Plane DoS

To summarize:

• No worm. The sink-hole router does not receive any packet.

• Active worm. The sink-hole router receives many packets (that is, the incorrectly addressed ones).

When the network already announces a default route (for example, a firewall connected to the Internet), it is still possible to use the sink-hole technique. Instead of announcing a default route, the sink-hole router must advertise several nonexistent prefixes:

• Prefixes not allocated by IANA or other registries. For example, 0.0.0.0/7, 2.0.0.0/8, and so on. These prefixes are called bogons.

• Prefixes of your network that are not in use. For example, if the network is using RFC 1918 private addressing with prefix 10.0.0.0/8, and if 10.254.0.0/16 and 10.255.0.0/16 are not used, the sink-hole router advertises those two prefixes.
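As an added example (not from the book), the following computes the prefix list a sink-hole router would advertise in the variant above, where a default route already exists: the bogon prefixes named in the text plus every part of the site's RFC 1918 block that no subnet uses. The in-use subnets are constructed; a real deployment would load the current bogon list rather than hard-code the two prefixes shown here.

```python
# Added example (not from the book): derive the explicit prefixes a sink-hole
# router advertises when it cannot simply announce a default route. The list is
# (a) bogon prefixes and (b) the unused remainder of the site's private block.
import ipaddress

# Bogon prefixes as given in the text; a real deployment would load the
# current Team Cymru list instead of hard-coding these two.
BOGONS = [ipaddress.ip_network(p) for p in ("0.0.0.0/7", "2.0.0.0/8")]

def unused_prefixes(block, in_use):
    """Return the prefixes of `block` not covered by any network in `in_use`.
    CIDR prefixes either nest or are disjoint, so each in-use subnet is
    carved out with address_exclude; the leftovers are collapsed afterwards."""
    remaining = [ipaddress.ip_network(block)]
    for used in (ipaddress.ip_network(n) for n in in_use):
        next_round = []
        for net in remaining:
            if net.subnet_of(used):
                continue                      # wholly in use: drop it
            if used.subnet_of(net):
                next_round.extend(net.address_exclude(used))  # carve it out
            else:
                next_round.append(net)        # disjoint: keep as is
        remaining = next_round
    return sorted(ipaddress.collapse_addresses(remaining))

def sinkhole_advertisements(block, in_use, bogons=BOGONS):
    """Full list of prefixes the sink-hole router should advertise."""
    return sorted(set(bogons) | set(unused_prefixes(block, in_use)))

def is_sinkholed(dst, advertised):
    """True if a destination falls into one of the advertised sink-hole prefixes."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in advertised)

# Constructed assignment: everything in 10.0.0.0/8 except the top two /16s is
# assigned to subnets, matching the text's example of 10.254/16 and 10.255/16 unused.
IN_USE = ["10.0.0.0/9", "10.128.0.0/10", "10.192.0.0/11", "10.224.0.0/12",
          "10.240.0.0/13", "10.248.0.0/14", "10.252.0.0/15"]

if __name__ == "__main__":
    advs = sinkhole_advertisements("10.0.0.0/8", IN_USE)
    print("advertise:", [str(n) for n in advs])
    for dst in ("10.255.1.1", "10.1.2.3", "1.2.3.4"):
        print(dst, "-> sink hole" if is_sinkholed(dst, advs) else "-> normal route")
```

Note that the two unused /16s of the text come out as the single aggregate 10.254.0.0/15, because collapse_addresses merges adjacent, aligned prefixes; advertising the aggregate is equivalent and keeps the routing table smaller. Since these advertisements are longer prefixes than the existing default route, they win the longest-prefix match on every router in the network.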

Because DoS attacks and worms increase network traffic, this traffic surge can also be detected by simple tools, such as the Multi Router Traffic Grapher9 (MRTG). MRTG collects interface statistics with the help of SNMP and presents them in nice graphs. Figure 15-8 displays the normal behavior of traffic on a low-speed link, while Figure 15-9 exhibits abnormal behavior around 9 A.M. with a peak in traffic of 80 Mbps. In both figures, time flows from right to left, and the numbers below the X axis represent the hour of the day.

Alas, MRTG has no provision to generate alerts and gives little clue about what is actually happening in the network: no information about protocol, source and destination addresses, and so on. Also, MRTG uses the amount of traffic rather than the number of new flows, and traffic volume does not clearly indicate a worm.
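The following added example (not the book's code) makes the last point concrete by computing both metrics from the same constructed flow records: a byte-volume rule of the kind an interface graph supports, and the new-flows-per-minute rule the chapter applies to exported flow data. The flow records, thresholds, and addresses are constructed for the illustration.

```python
# Added example (not from the book): why a traffic-volume view (MRTG style) is
# a poor worm indicator compared with counting new flows per minute. Both
# metrics come from the same constructed flow records; only the flow-count
# rule fires on the scanning host, and only flow records can name it.
from collections import defaultdict

# Constructed flow records: (minute, src, dst, bytes). Minute 9 holds a large
# file transfer; minute 10 holds a worm probing many hosts with tiny flows.
FLOWS = (
    [(9, "10.1.0.5", "10.2.0.10", 40_000_000)]                            # one big download
    + [(9, "10.1.0.6", "10.2.0.11", 1_000)]
    + [(10, "10.1.0.77", f"10.{i}.{i % 7}.9", 60) for i in range(1, 201)]  # 200 probes
    + [(10, "10.1.0.5", "10.2.0.10", 5_000)]
)

def per_minute(flows):
    """Aggregate flow records into {minute: (bytes, new_flows)}."""
    bytes_per_min = defaultdict(int)
    flows_per_min = defaultdict(int)
    for minute, _src, _dst, nbytes in flows:
        bytes_per_min[minute] += nbytes
        flows_per_min[minute] += 1
    return {m: (bytes_per_min[m], flows_per_min[m]) for m in bytes_per_min}

def alerts_by_volume(flows, bytes_threshold):
    """Volume rule (what an interface byte counter can support):
    alert when the bytes seen in a minute reach the threshold."""
    return sorted(m for m, (b, _f) in per_minute(flows).items() if b >= bytes_threshold)

def alerts_by_new_flows(flows, flow_threshold):
    """Flow-collector rule: alert when new flows per minute reach the threshold."""
    return sorted(m for m, (_b, f) in per_minute(flows).items() if f >= flow_threshold)

def top_flow_source(flows, minute):
    """Flow records carry source addresses, so the host opening the most
    flows in a minute can be named; a byte counter cannot tell you this."""
    count = defaultdict(int)
    for m, src, _dst, _b in flows:
        if m == minute:
            count[src] += 1
    return max(count, key=count.get)

if __name__ == "__main__":
    for m, (b, f) in sorted(per_minute(FLOWS).items()):
        print(f"minute {m}: {b} bytes, {f} new flows")
    print("volume alerts:   ", alerts_by_volume(FLOWS, 10_000_000))
    print("new-flow alerts: ", alerts_by_new_flows(FLOWS, 100))
    print("busiest source in minute 10:", top_flow_source(FLOWS, 10))
```

With these records the volume rule flags only the legitimate download in minute 9 and stays silent during the scan, whose 200 probes total a few kilobytes; the new-flows rule flags minute 10 and the flow records identify 10.1.0.77 as the source, which is the information an MRTG graph cannot provide.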

Figure 15-8 MRTG Graph for Normal Traffic

Figure 15-9 MRTG Graph for Abnormal Traffic Pattern


Summary

DoS attacks’ and worms’ behaviors are unusual: a huge number of new flows, with several flows being sent to nonexistent IP addresses. You can configure existing switches to collect data about all those flows and send them to specific applications, such as CS-MARS. Those applications can apply a simple rule to detect DoS attacks and worms: crossing a threshold of the number of new flows per minute.

NAM, which is the RMON probe for the Catalyst 6500, can even capture the actual offending packets. This gives you many clues to analyze the attack and mitigate it.

The sink-hole router approach forwards all packets addressed to an invalid IP address to a sniffer, known as the sink hole. Because worms usually try to propagate by connecting to random IP addresses, some of those probes are directed to nonexistent IP addresses; therefore, they reach the sink hole, which might trigger alerts.

In short, switches and routers are actually existing sensors that can detect a DoS attack or a propagating worm.

References

1 Cisco Systems. NetFlow Services Solutions Guide. http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/netflsol/nfwhite.htm.

2 Claise, Benoît. RFC 3954, “Cisco Systems NetFlow Services Export Version 9.” IETF, October 2004.

3 Tesch, Dale and Greg Abelar. Security Threat Mitigation and Response: Understanding Cisco Security MARS. Cisco Press, September 2006.

4 Flow-tools. http://www.splintered.net/sw/flow-tools/.

5 Cooperative Association for Internet Data Analysis. Cflowd. http://www.caida.org/tools/measurement/cflowd/.

6 Waldbusser, Steven. RFC 2021, “Remote Network Monitoring Management Information Base Version 2 Using SMIv2.” IETF, January 1997.

7 ———. RFC 2819, “Remote Network Monitoring Management Information Base.” IETF, May 2000.

8 Team Cymru. The Team Cymru Bogon List. http://www.cymru.com/Documents/bogonlist.html.

9 Oetiker, Tobi. Multi Router Traffic Grapher. http://oss.oetiker.ch/mrtg/.