Discussion:
New MultiNet Packet Filtering
(too old to reply)
Dan O'Reilly
2008-02-06 19:38:19 UTC
Permalink
At Process, we're putting more work and effort into enhancing security of
our products by enhancing packet filtering capabilities that already exist
in TCPware and MultiNet. It should be noted that what we're NOT attempting
to do is to create a comprehensive firewall; rather, we intend to enhance
our products to make them more resistant to some types of Denial-of-Service
attacks and breakin attacks such as "dictionary attacks". In recent
releases, we've done a fair amount of background work on this, and now we
need to look at specifics to be implemented.

As we move onto the next phase, for a set of components, we're looking at
detecting an attack then telling the MultiNet or TCPware kernel to add a
packet filter with a limited lifetime to stem and/or completely halt the
attack. The final phase will be to incorporate kernel-level attack
detection (for example, responding to SYN flood DOS attacks). This will be
in a release sometime in the future.

When dealing with components, for example: SSH determines a
dictionary-style attack is underway, because it's identified a large number
of invalid username attempts from the same system. SSH tells the kernel to
put up a filter for, say, 3 minutes, then 10 minutes if the attacks
continue, then 2 hours if they still continue (the times are all arbitrary
to this discussion).

Why a packet filter in the kernel? It's because this is by far the most
efficient place to drop this traffic; the alternative would be to allow the
connection to SSHD_MASTER to be made, then an SSHD server is spawned, then
it finally determines the user is fake. Dropping a single (or multiple)
packets at the kernel level is MUCH more efficient.

Some of the questions we're looking at right now:

- What components? At this point, we've identified several components:
SSH, telnet, ftp, IMAP and POP.

- At what granularity do we want to set a filter? At the originating
system level (where all traffic from the offending system would be blocked)
or the destination port level (where all traffic destined, for example, the
SSH port would be blocked but all other traffic from that system would be
allowed)? Would you want this to be configurable?

- How configurable would you want a ruleset to be? For example, would you
want to be able to set a rule on a dictionary attack to be triggered
(events over a time period) differently on different systems, or even
differently on different components on a given system? Note that we don't
want to get overly complex here. At this point, I don't think we'll have
user-defined rulesets available in terms of being able to define rules
outside the standard set we will provide.

- What types of attacks are most common for each component we're looking at?

What we're looking for is your input. Please DO NOT respond with specific
security issues, that may contain company-specific or proprietary details
in them, to this general forum; rather, respond to me privately at
***@process.com.

------
+-------------------------------+----------------------------------------+
| Dan O'Reilly | "There are 10 types of people in this |
| Principal Engineer | world: those who understand binary |
| Process Software | and those who don't." |
| http://www.process.com | |
+-------------------------------+----------------------------------------+
Ken Connelly
2008-02-06 19:56:21 UTC
Permalink
Hopefully most have moved away from the plain-text apps, but this would
be very useful for SSH. In any case, once this is triggered, I would
lean towards dropping incoming traffic from the remote host aimed at the
port which is seeing the attack. For example, if 10.11.12.13 is
observed behaving badly coming to tcp/22, have the kernel filter those
tcp/22 packets from the bad boy, but still allow 10.11.12.13 to connect
to tcp/80 (or whatever).

- ken
Post by Dan O'Reilly
At Process, we're putting more work and effort into enhancing security
of our products by enhancing packet filtering capabilities that
already exist in TCPware and MultiNet. It should be noted that what
we're NOT attempting to do is to create a comprehensive firewall;
rather, we intend to enhance our products to make them more resistant
to some types of Denial-of-Service attacks and breakin attacks such as
"dictionary attacks". In recent releases, we've done a fair amount of
background work on this, and now we need to look at specifics to be
implemented.
As we move onto the next phase, for a set of components, we're looking
at detecting an attack then telling the MultiNet or TCPware kernel to
add a packet filter with a limited lifetime to stem and/or completely
halt the attack. The final phase will be to incorporate kernel-level
attack detection (for example, responding to SYN flood DOS attacks).
This will be in a release sometime in the future.
When dealing with components, for example: SSH determines a
dictionary-style attack is underway, because it's identified a large
number of invalid username attempts from the same system. SSH tells
the kernel to put up a filter for, say, 3 minutes, then 10 minutes if
the attacks continue, then 2 hours if they still continue (the times
are all arbitrary to this discussion).
Why a packet filter in the kernel? It's because this is by far the
most efficient place to drop this traffic; the alternative would be to
allow the connection to SSHD_MASTER to be made, then an SSHD server is
spawned, then it finally determines the user is fake. Dropping a
single (or multiple) packets at the kernel level is MUCH more efficient.
- What components? At this point, we've identified several
components: SSH, telnet, ftp, IMAP and POP.
- At what granularity do we want to set a filter? At the originating
system level (where all traffic from the offending system would be
blocked) or the destination port level (where all traffic destined,
for example, the SSH port would be blocked but all other traffic from
that system would be allowed)? Would you want this to be configurable?
- How configurable would you want a ruleset to be? For example, would
you want to be able to set a rule on a dictionary attack to be
triggered (events over a time period) differently on different
systems, or even differently on different components on a given
system? Note that we don't want to get overly complex here. At this
point, I don't think we'll have user-defined rulesets available in
terms of being able to define rules outside the standard set we will
provide.
- What types of attacks are most common for each component we're looking at?
What we're looking for is your input. Please DO NOT respond with
specific security issues, that may contain company-specific or
proprietary details in them, to this general forum; rather, respond to
------
+-------------------------------+----------------------------------------+
| Dan O'Reilly | "There are 10 types of people in this |
| Principal Engineer | world: those who understand binary |
| Process Software | and those who
don't." |
| http://www.process.com
| |
+-------------------------------+----------------------------------------+
--
- Ken
=================================================================
Ken Connelly Associate Director, Security and Systems
ITS Network Services University of Northern Iowa
email: ***@uni.edu p: (319) 273-5850 f: (319) 273-7373
Christoph Gartmann
2008-02-06 23:01:27 UTC
Permalink
Post by Dan O'Reilly
SSH, telnet, ftp, IMAP and POP.
Here it is SSH and FTP, the other ones are blocked via the firewall.
Post by Dan O'Reilly
- At what granularity do we want to set a filter? At the originating
system level (where all traffic from the offending system would be blocked)
or the destination port level (where all traffic destined, for example, the
SSH port would be blocked but all other traffic from that system would be
allowed)?
Currently we block the whole host completely. This is sufficient for us.
Post by Dan O'Reilly
Would you want this to be configurable?
Only in case when the complete block is not the default.
Post by Dan O'Reilly
- How configurable would you want a ruleset to be?
We don't need specific ports to be configurable. A single rule like
"5 attempts over a period of 2 minutes" where "5" and "2" are configurable
would be sufficient.
Post by Dan O'Reilly
- What types of attacks are most common for each component we're looking at?
We see mostly SSH-attacks with invalid accounts. The same with FTP. The other
ones are blocked at the firewall.

Regards,
Christoph Gartmann
--
Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452
Immunbiologie
Postfach 1169 Internet: ***@immunbio dot mpg dot de
D-79011 Freiburg, Germany
http://www.immunbio.mpg.de/home/menue.html
Patrick Mahan
2008-02-07 03:28:08 UTC
Permalink
Dan O'Reilly presented these words - circa 2/6/08 11:38 AM->
Post by Dan O'Reilly
At Process, we're putting more work and effort into enhancing security
of our products by enhancing packet filtering capabilities that already
exist in TCPware and MultiNet. It should be noted that what we're NOT
attempting to do is to create a comprehensive firewall; rather, we
intend to enhance our products to make them more resistant to some types
of Denial-of-Service attacks and breakin attacks such as "dictionary
attacks". In recent releases, we've done a fair amount of background
work on this, and now we need to look at specifics to be implemented.
As we move onto the next phase, for a set of components, we're looking
at detecting an attack then telling the MultiNet or TCPware kernel to
add a packet filter with a limited lifetime to stem and/or completely
halt the attack. The final phase will be to incorporate kernel-level
attack detection (for example, responding to SYN flood DOS attacks).
This will be in a release sometime in the future.
When dealing with components, for example: SSH determines a
dictionary-style attack is underway, because it's identified a large
number of invalid username attempts from the same system. SSH tells the
kernel to put up a filter for, say, 3 minutes, then 10 minutes if the
attacks continue, then 2 hours if they still continue (the times are all
arbitrary to this discussion).
Why a packet filter in the kernel? It's because this is by far the most
efficient place to drop this traffic; the alternative would be to allow
the connection to SSHD_MASTER to be made, then an SSHD server is
spawned, then it finally determines the user is fake. Dropping a single
(or multiple) packets at the kernel level is MUCH more efficient.
SSH, telnet, ftp, IMAP and POP.
Why not all components that are controlled through the Master server (I
forget what TCPware uses). That way the configuration UI easier to do
for all services. I forget what services outside of the NFS server were
running standalone (its been over 10 years since I last played with
MultiNet). But also provide an API for third-party apps to set filters
as well.
Post by Dan O'Reilly
- At what granularity do we want to set a filter? At the originating
system level (where all traffic from the offending system would be
blocked) or the destination port level (where all traffic destined, for
example, the SSH port would be blocked but all other traffic from that
system would be allowed)? Would you want this to be configurable?
I would recommend that you give as great a granularity as possible.
Allow for wildcards where ever possible or on omission (e.g. no port
specified means all ports are blocked). In fact I would allow the means
of specifying a <position>:<length>:<byte-string> where byte string
would be used to match against what data is there at <position> in the
IP packet for <length> bytes.
Post by Dan O'Reilly
- How configurable would you want a ruleset to be? For example, would
you want to be able to set a rule on a dictionary attack to be triggered
(events over a time period) differently on different systems, or even
differently on different components on a given system? Note that we
don't want to get overly complex here. At this point, I don't think
we'll have user-defined rulesets available in terms of being able to
define rules outside the standard set we will provide.
Give a definition of what you mean by ruleset? event trigger filter?
filter trigger filter? (by this I mean you enable other filters based
upon a filter triggering on a specific filter).
Post by Dan O'Reilly
- What types of attacks are most common for each component we're looking at?
My years at Cisco we wound up having to deal mostly with DDoS type of
attacks. In fact, IOS (given it's flat, monolithic nature) actually had
callouts a service could register (e.g. BGP) that would accept/reject
a packet. We also fixed a number of issues with TCP to tighten up the
acceptance of certain types of packets (SYN's, FIN's, etc).

This has jogged my memory somewhat . . . I seemed to recall having a
discussion with Bruce Miller back when he added BPF to the MultiNet
kernel about using it in this fashion. It might be a starting point
for you to consider.

Patrick Mahan
ex Window Washer
ex Cisco cog
Dan O'Reilly
2008-02-07 17:33:25 UTC
Permalink
Post by Patrick Mahan
Dan O'Reilly presented these words - circa 2/6/08 11:38 AM->
Post by Dan O'Reilly
At Process, we're putting more work and effort into enhancing security of
our products by enhancing packet filtering capabilities that already
exist in TCPware and MultiNet. It should be noted that what we're NOT
attempting to do is to create a comprehensive firewall; rather, we intend
to enhance our products to make them more resistant to some types of
Denial-of-Service attacks and breakin attacks such as "dictionary
attacks". In recent releases, we've done a fair amount of background
work on this, and now we need to look at specifics to be implemented.
As we move onto the next phase, for a set of components, we're looking at
detecting an attack then telling the MultiNet or TCPware kernel to add a
packet filter with a limited lifetime to stem and/or completely halt the
attack. The final phase will be to incorporate kernel-level attack
detection (for example, responding to SYN flood DOS attacks).
This will be in a release sometime in the future.
When dealing with components, for example: SSH determines a
dictionary-style attack is underway, because it's identified a large
number of invalid username attempts from the same system. SSH tells the
kernel to put up a filter for, say, 3 minutes, then 10 minutes if the
attacks continue, then 2 hours if they still continue (the times are all
arbitrary to this discussion).
Why a packet filter in the kernel? It's because this is by far the most
efficient place to drop this traffic; the alternative would be to allow
the connection to SSHD_MASTER to be made, then an SSHD server is spawned,
then it finally determines the user is fake. Dropping a single (or
multiple) packets at the kernel level is MUCH more efficient.
SSH, telnet, ftp, IMAP and POP.
Why not all components that are controlled through the Master server (I
forget what TCPware uses). That way the configuration UI easier to do
for all services. I forget what services outside of the NFS server were
running standalone (its been over 10 years since I last played with
MultiNet). But also provide an API for third-party apps to set filters
as well.
The problem with instrumenting all components is that there are very often
different rules for different components. As I mentioned, we're not trying
to create a general-purpose firewall here. OF course, the original
component list I mentioned is subject to change, but I suspect that not
many people are concerned, for example, with TIMED, DIG, TALK, FINGER, etc..

As for an API, that's under consideration, if not immediately then
later. My immediate goal is to keep the interface as simple as possible.
Post by Patrick Mahan
Post by Dan O'Reilly
- At what granularity do we want to set a filter? At the originating
system level (where all traffic from the offending system would be
blocked) or the destination port level (where all traffic destined, for
example, the SSH port would be blocked but all other traffic from that
system would be allowed)? Would you want this to be configurable?
I would recommend that you give as great a granularity as possible.
Allow for wildcards where ever possible or on omission (e.g. no port
specified means all ports are blocked). In fact I would allow the means
of specifying a <position>:<length>:<byte-string> where byte string
would be used to match against what data is there at <position> in the
IP packet for <length> bytes.
Post by Dan O'Reilly
- How configurable would you want a ruleset to be? For example, would
you want to be able to set a rule on a dictionary attack to be triggered
(events over a time period) differently on different systems, or even
differently on different components on a given system? Note that we
don't want to get overly complex here. At this point, I don't think
we'll have user-defined rulesets available in terms of being able to
define rules outside the standard set we will provide.
Give a definition of what you mean by ruleset? event trigger filter?
filter trigger filter? (by this I mean you enable other filters based
upon a filter triggering on a specific filter).
Post by Dan O'Reilly
- What types of attacks are most common for each component we're looking at?
My years at Cisco we wound up having to deal mostly with DDoS type of
attacks. In fact, IOS (given it's flat, monolithic nature) actually had
callouts a service could register (e.g. BGP) that would accept/reject
a packet. We also fixed a number of issues with TCP to tighten up the
acceptance of certain types of packets (SYN's, FIN's, etc).
This has jogged my memory somewhat . . . I seemed to recall having a
discussion with Bruce Miller back when he added BPF to the MultiNet
kernel about using it in this fashion. It might be a starting point
for you to consider.
Patrick Mahan
ex Window Washer
ex Cisco cog
------
+-------------------------------+----------------------------------------+
| Dan O'Reilly | "There are 10 types of people in this |
| Principal Engineer | world: those who understand binary |
| Process Software | and those who don't." |
| http://www.process.com | |
+-------------------------------+----------------------------------------+
Patrick Mahan
2008-02-08 06:27:43 UTC
Permalink
See inline . . .

Dan O'Reilly presented these words - circa 2/7/08 9:33 AM->
Post by Dan O'Reilly
Post by Patrick Mahan
Dan O'Reilly presented these words - circa 2/6/08 11:38 AM->
Post by Dan O'Reilly
At Process, we're putting more work and effort into enhancing
security of our products by enhancing packet filtering capabilities
that already exist in TCPware and MultiNet. It should be noted that
what we're NOT attempting to do is to create a comprehensive
firewall; rather, we intend to enhance our products to make them more
resistant to some types of Denial-of-Service attacks and breakin
attacks such as "dictionary attacks". In recent releases, we've done
a fair amount of background work on this, and now we need to look at
specifics to be implemented.
As we move onto the next phase, for a set of components, we're
looking at detecting an attack then telling the MultiNet or TCPware
kernel to add a packet filter with a limited lifetime to stem and/or
completely halt the attack. The final phase will be to incorporate
kernel-level attack detection (for example, responding to SYN flood
DOS attacks).
This will be in a release sometime in the future.
When dealing with components, for example: SSH determines a
dictionary-style attack is underway, because it's identified a large
number of invalid username attempts from the same system. SSH tells
the kernel to put up a filter for, say, 3 minutes, then 10 minutes if
the attacks continue, then 2 hours if they still continue (the times
are all arbitrary to this discussion).
Why a packet filter in the kernel? It's because this is by far the
most efficient place to drop this traffic; the alternative would be
to allow the connection to SSHD_MASTER to be made, then an SSHD
server is spawned, then it finally determines the user is fake.
Dropping a single (or multiple) packets at the kernel level is MUCH
more efficient.
- What components? At this point, we've identified several
components: SSH, telnet, ftp, IMAP and POP.
Why not all components that are controlled through the Master server (I
forget what TCPware uses). That way the configuration UI easier to do
for all services. I forget what services outside of the NFS server were
running standalone (its been over 10 years since I last played with
MultiNet). But also provide an API for third-party apps to set filters
as well.
The problem with instrumenting all components is that there are very
often different rules for different components. As I mentioned, we're
not trying to create a general-purpose firewall here. OF course, the
original component list I mentioned is subject to change, but I suspect
that not many people are concerned, for example, with TIMED, DIG, TALK,
FINGER, etc..
Well it has been my experience that in practice it is easier to add
support for this in a more generic way than trying to be "specific"
per service. You wind up with n ways of doing almost the exact same
thing. And just because the config support is there doesn't mean it
must be activated. After all, unless something has changed, the Master
server is shipped with services disabled by default. The same could
be done for filtering.
Post by Dan O'Reilly
As for an API, that's under consideration, if not immediately then
later. My immediate goal is to keep the interface as simple as possible.
I would not be surprised if by the time you work down to the details,
you would fine that the API has taken care of itself.
Post by Dan O'Reilly
Post by Patrick Mahan
Post by Dan O'Reilly
- At what granularity do we want to set a filter? At the originating
system level (where all traffic from the offending system would be
blocked) or the destination port level (where all traffic destined,
for example, the SSH port would be blocked but all other traffic from
that system would be allowed)? Would you want this to be configurable?
I would recommend that you give as great a granularity as possible.
Allow for wildcards where ever possible or on omission (e.g. no port
specified means all ports are blocked). In fact I would allow the means
of specifying a <position>:<length>:<byte-string> where byte string
would be used to match against what data is there at <position> in the
IP packet for <length> bytes.
Post by Dan O'Reilly
- How configurable would you want a ruleset to be? For example,
would you want to be able to set a rule on a dictionary attack to be
triggered (events over a time period) differently on different
systems, or even differently on different components on a given
system? Note that we don't want to get overly complex here. At
this point, I don't think we'll have user-defined rulesets available
in terms of being able to define rules outside the standard set we
will provide.
Give a definition of what you mean by ruleset? event trigger filter?
filter trigger filter? (by this I mean you enable other filters based
upon a filter triggering on a specific filter).
Also, I would recommend separating the setting of filters with the
events that trigger them. This would help keep down the amount of
kruft you would need to insert in the kernel.

Patrick
Bob Koehler
2008-02-07 13:29:06 UTC
Permalink
Post by Dan O'Reilly
SSH, telnet, ftp, IMAP and POP.
If it has a login authentication mechanism, it should be included.
Post by Dan O'Reilly
- At what granularity do we want to set a filter? At the originating
system level (where all traffic from the offending system would be blocked)
or the destination port level (where all traffic destined, for example, the
SSH port would be blocked but all other traffic from that system would be
allowed)? Would you want this to be configurable?
Both, configurable. Prefereably the default configuration would
match login evasion as implemented by VMS for an old-fashioned serial
terminal.
Post by Dan O'Reilly
- How configurable would you want a ruleset to be? For example, would you
want to be able to set a rule on a dictionary attack to be triggered
(events over a time period) differently on different systems, or even
differently on different components on a given system? Note that we don't
want to get overly complex here. At this point, I don't think we'll have
user-defined rulesets available in terms of being able to define rules
outside the standard set we will provide.
I don't need different rules for attacks on different ports. I'd
like my IP stack to defaul to the behaviour VMS provides for an old
fashioned serial terminal login, and I'd like my IP stack to examine
and honor any SYSGEN parameters or logical names that VMS uses to
control its built-in behaviour.
Post by Dan O'Reilly
- What types of attacks are most common for each component we're looking at?
All I see are password guessing attacks, but I'd like to have
protection against DoS attacks, too.
David P. Drake
2008-02-07 14:42:43 UTC
Permalink
Dan,

Adding an SMTP trap and/or email notification when an event is
detected would be highly desirable. Generally, when I notice this
type of attack on one system. It is also in progress on other
systems from the same IP. Thus, blocking that IP at the Internet
facing firewall is more efficient.


Dave.

Everyone has a photographic memory. Some don't have film.
y***@vms.huji.ac.il
2008-02-10 09:56:39 UTC
Permalink
Post by Dan O'Reilly
SSH, telnet, ftp, IMAP and POP.
If you can have a generic mechanism which looks in the VMS intursion records
then it would be the best.
Post by Dan O'Reilly
- At what granularity do we want to set a filter? At the originating
system level (where all traffic from the offending system would be blocked)
or the destination port level (where all traffic destined, for example, the
SSH port would be blocked but all other traffic from that system would be
allowed)? Would you want this to be configurable?
I wrote something similar in the past (and would like to replace it with a
better written one...). When I detect an attack I block new conections from the
attacker machine to the specified port. I block only new connections (SYN
packets) as we had problems with terminal servers that one attacker blocks all
other active connections.


Thanks! __Yehavi:
v***@chclu.chemie.uni-konstanz.de
2008-02-11 09:14:57 UTC
Permalink
In article <***@hujicc>, ***@vms.huji.ac.il writes:
|>> Some of the questions we're looking at right now:
|>>
|>> - What components? At this point, we've identified several components:
|>> SSH, telnet, ftp, IMAP and POP.
|>
|>If you can have a generic mechanism which looks in the VMS intursion records
|>then it would be the best.
|>
|>> - At what granularity do we want to set a filter? At the originating
|>> system level (where all traffic from the offending system would be blocked)
|>> or the destination port level (where all traffic destined, for example, the
|>> SSH port would be blocked but all other traffic from that system would be
|>> allowed)? Would you want this to be configurable?
|>
|>I wrote something similar in the past (and would like to replace it with a
|>better written one...). When I detect an attack I block new conections from the
|>attacker machine to the specified port. I block only new connections (SYN
|>packets) as we had problems with terminal servers that one attacker blocks all
|>other active connections.
|>
|>
|> Thanks! __Yehavi:
|>

Could you post this stuff?

regards
Eberhard
y***@vms.huji.ac.il
2008-02-11 13:58:20 UTC
Permalink
Post by v***@chclu.chemie.uni-konstanz.de
|>I wrote something similar in the past (and would like to replace it with a
|>better written one...). When I detect an attack I block new conections from the
|>attacker machine to the specified port. I block only new connections (SYN
|>packets) as we had problems with terminal servers that one attacker blocks all
|>other active connections.
|>
|>
|>
Could you post this stuff?
Yes. Please note that it relies on a Cisco router to do the filtering and it
cannot catch SSH attempts as they do not create LOGFAIL records in the
accounting file.

The code is available at ftp://vms.huji.ac.il/block_intruder.bck

__Yehavi:

Loading...