[Figure: IDS alerts per day, 2001/12/6 to 12/16 (0 to 120000). Signatures plotted: ddos_ddos-shaft-synflood-incoming, INFO - Possible Squid Scan, SCAN Proxy attempt, web-misc_http-cgi-space-wildcard, netbios_netbios-name-query, rpc_tcp_traffic_contains_bin_sh, TCP ******S* scan, Concept-Nimda(root.exe), Concept-Nimda]
[Figure: SPAM per day, 2001/12/6 to 12/16 (0 to 120000), with and without RBL (Realtime Blackhole List) filtering]
Cracker: ls, ps; OS; FTP
Nimda: infects Web servers (IIS) and spreads over the Web and by mail; Personal Firewall (1/3) (2/3) (3/3)
Viruses and worms: W97.Melissa.A (Word macro virus); W32.Sircam.Worm@mm, W32.Badtrans.B@mm (mass mailers); OS; HTML mail and the PREVIEW pane: HTML with JavaScript or Java runs as soon as the message is previewed.
CPU; vendor information: http://www.trendmicro.co.jp http://www.symantec.com; OS; fmlvirus_check.pl; Windows!?
Unnecessary services (1/3) (2/3) (3/3): Redhat Linux: /sbin/chkconfig --del; FreeBSD: /etc/rc.conf; Windows NT/2000/XP; inetd: /etc/inetd.conf; check what is actually listening with netstat -na.
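The "check with netstat -na, then turn off what you do not need" step, as an added example that is not part of the original slides: parse netstat output, keep only sockets that accept connections, and flag the ones reachable from the network that are not on an allow list. The netstat output, the host addresses and the allow list are constructed for this example.

```python
import re

# Constructed `netstat -na` output in Linux format (addresses and ports are made up).
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 133.27.24.7:22          203.0.113.5:40123       ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""

# proto, recv-q, send-q, local addr:port, foreign addr:port, optional state
LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def listening_sockets(text):
    """Return [(proto, local_addr, port)] for TCP sockets in LISTEN and every bound UDP socket.

    Established connections (like the ssh session above) are not services and are skipped.
    """
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and anything we do not understand
        proto, addr, port, state = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue
        found.append((proto, addr, int(port)))
    return found


def unexpected_listeners(sockets, allowed):
    """Listeners bound to a non-loopback address whose (proto, port) is not in `allowed`.

    Loopback-only services (here sendmail on 127.0.0.1:25) cannot be reached from the
    network, so they are not reported; everything else is a candidate for chkconfig --del,
    a commented-out line in /etc/inetd.conf, or an *_enable="no" in /etc/rc.conf.
    """
    return [s for s in sockets
            if not s[1].startswith("127.") and (s[0], s[2]) not in allowed]


if __name__ == "__main__":
    socks = listening_sockets(NETSTAT_OUTPUT)
    for proto, addr, port in unexpected_listeners(socks, allowed={("tcp", 22)}):
        print(f"unexpected {proto} listener on {addr}:{port}")
```

With only ssh on the allow list the script reports ftp (21), telnet (23) and the portmapper (udp 111); the ESTABLISHED ssh connection and the loopback-only sendmail are ignored.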
(1/2) (2/2): IIS, wu-ftpd; Script kiddies; C.
Advisories: http://www.jpcert.or.jp/ http://www.cert.org/ http://www.ipa.go.jp/security/
3. Firewall: Firewall = the boundary between the Internet and the internal network; ActiveX, Java, Web; PHS / ISP (2).
Firewall (1/2): packet filtering by IP address and port; Proxy.
(2/2) NAT (Network Address Translation, RFC1631: The IP Network Address Translator): the IP addresses in the header are rewritten between the private side and the Internet.
Addresses in the slide: global 203.178.142.133; 1:1 NAT versus NAPT on 133.27.4.121; IP Masquerade on 133.4.34.39; inside hosts 192.168.0.2, 192.168.0.3, 192.168.0.4, 192.168.0.5 behind 192.168.0.1; border router 133.27.24.254.
NAPT / IP Masquerade: many private addresses share one global address by translating ports as well.
NAT breaks the End-to-End model: IM, IRC, VoIP, P2P.
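How NAPT shares one global address and why it breaks End-to-End applications, as an added example rather than anything from the slides: a minimal translator keeps a table keyed by the translated source port, rewrites outbound packets, and can only map an inbound packet back when the inside host started the flow. The public address 133.27.4.121 and the 192.168.0.x hosts are taken from the slide; the port range and the symmetric (peer-checked) behaviour are this example's assumptions.

```python
import itertools


class Napt:
    """Port-translating NAT (NAPT / IP Masquerade), simplified: one public address,
    one fresh public port per (inside host, inside port, destination) flow."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # assumed port pool, hypothetical
        self.table = {}      # public_port -> (in_ip, in_port, dst_ip, dst_port)
        self._by_flow = {}   # (in_ip, in_port, dst_ip, dst_port) -> public_port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the private network; returns the new (src_ip, src_port)."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        port = self._by_flow.get(flow)
        if port is None:                 # first packet of the flow: allocate a mapping
            port = next(self._ports)
            self._by_flow[flow] = port
            self.table[port] = flow
        return (self.public_ip, port)

    def inbound(self, src_ip, src_port, dst_port):
        """Translate a packet arriving at public_ip:dst_port.

        Returns the inside (ip, port), or None when the packet must be dropped:
        there is no mapping (nobody inside opened it), or the sender is not the peer
        the inside host talked to. This is why an outside IM/IRC/VoIP/P2P peer cannot
        reach 192.168.0.x directly.
        """
        flow = self.table.get(dst_port)
        if flow is None:
            return None
        in_ip, in_port, peer_ip, peer_port = flow
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None
        return (in_ip, in_port)


if __name__ == "__main__":
    nat = Napt("133.27.4.121")
    print(nat.outbound("192.168.0.2", 1234, "203.178.142.133", 80))   # (133.27.4.121, 40000)
    print(nat.inbound("203.178.142.133", 80, 40000))                  # (192.168.0.2, 1234)
    print(nat.inbound("198.51.100.9", 6881, 6881))                    # None: unsolicited P2P
```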
Application gateway (proxy): http, pop, smtp (http proxy, ftp proxy); Web/Mail.
Firewall types by layer: application, transport, network, data link, physical.
VPN: IPsec (IP layer), PPTP, L2F, L2TP; VPN terminated at or passed through the Firewall; TCP Wrapper; Network A and Network B joined over a VPN.
Mail (1/2): SPAM, third-party relay (CNS); POP before SMTP; SMTP AUTH.
Mail (2/2): APOP / POP over TLS; MIME.
DNS (1/2): slave servers; BIND: allow-transfer; DNSSEC.
DNS (2/2).
Web (1/2): CGI; PHP/ASP/JSP.
Web (2/2): directory Index (Apache .htaccess, Options Indexes); Cookie.
Sniffing (1/3) (2/3): Ethernet; ARP; HUB versus Switch (hosts A, B, C, D, E: on a hub every host sees the frames A sends to D).
Protocols that carry the password in clear: ftp, pop, http, telnet (the password "hogehoge" is readable on the wire). Use apop, https, ssh and ssh (scp/sftp) instead; SSH Port Forwarding; IPsec.
(3/3) (4/4): Ingress Filtering (drop packets that arrive from the Internet with one of our own source addresses); IP spoofing against the Web server and the Firewall; Directed broadcast.
IDS (Intrusion Detection System).
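Ingress filtering and the directed-broadcast rule as one packet-filter decision function. This is an added example, not a rule set from the slides: the inside network 133.27.24.0/24 (the slide's router 133.27.24.254 lives there) is assumed, the interface names "ext" and "int" are hypothetical, and the private/loopback "bogon" list is the usual RFC1918 set plus loopback. The function drops spoofed sources in both directions, which is what stops this site from being used as a smurf amplifier or as the origin of spoofed floods.

```python
import ipaddress

# Assumed site (hypothetical): our network is 133.27.24.0/24, router 133.27.24.254.
INSIDE_NET = ipaddress.ip_network("133.27.24.0/24")

# Source addresses that must never arrive from the Internet (or leave our network).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def filter_packet(iface, src, dst):
    """Decide the fate of an IP packet seen on iface ('ext' = Internet side, 'int' = inside).

    Returns 'pass' or a string starting with 'drop:' giving the reason.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)

    if any(s in net for net in BOGON_NETS):
        return "drop: private/loopback source"
    # Ingress filtering: nobody outside may claim to be one of our hosts.
    if iface == "ext" and s in INSIDE_NET:
        return "drop: ingress spoof (our address arriving from outside)"
    # Egress filtering: nothing inside may send with a foreign source address.
    if iface == "int" and s not in INSIDE_NET:
        return "drop: egress spoof (foreign address leaving our network)"
    # Directed broadcast: an outside packet to our broadcast address is a smurf probe.
    if iface == "ext" and d == INSIDE_NET.broadcast_address:
        return "drop: directed broadcast"
    return "pass"


if __name__ == "__main__":
    for pkt in (("ext", "133.27.24.5", "203.0.113.1"),      # spoofed as one of ours
                ("ext", "203.0.113.1", "133.27.24.255"),    # smurf amplifier probe
                ("int", "198.51.100.3", "203.0.113.1"),     # inside host spoofing
                ("ext", "203.0.113.1", "133.27.24.7")):     # ordinary inbound traffic
        print(pkt, "->", filter_packet(*pkt))
```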
IDS: HIDS (host-based IDS) and NIDS (network-based IDS).
Worms: Excel macro, E-mail: W32.Badtrans.B@mm, W32.Nimda.A@mm, W32.Sircam.Worm@mm; Microsoft Outlook Express and HTML mail.
Daemons running as root. Ex.> telnet and ftp in /etc/inetd.conf; /etc/rc.conf and /etc/defaults/rc.conf (FreeBSD).
/etc/rc.conf (FreeBSD):
apm_enable="yes"
hostname="hoge.sfc.wide.ad.jp"
inetd_enable="no"
kern_securelevel_enable="no"
keymap="jp.106"
linux_enable="yes"
moused_enable="yes"
sendmail_enable="no"
sshd_enable="yes"
usbd_enable="yes"
ipfilter_enable="yes"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags=""
ipmon_enable="yes"
ipmon_flags="-d /var/log/ipflag"

/etc/hosts.allow (TCP Wrappers; allow and deny rules, first match wins):
ALL : localhost 127.0.0.1 : allow
ALL : .sfc.keio.ac.jp : allow
ALL : .sfc.wide.ad.jp : allow
ALL : .ht.sfc.keio.ac.jp : allow
in.ftpd : 10.11.7.                            # FTP from 10.11.7.*
ALL : .hoge.com EXCEPT terminal.hoge.com      # all of hoge.com except terminal.hoge.com
/etc/hosts.deny: ALL : ALL (FreeBSD has no separate hosts.deny; put "ALL : ALL : deny" as the last line of /etc/hosts.allow instead).
Logs to watch on every OS: /var/log/messages, /var/log/wtmp (read with last), /var/log/maillog.
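A small evaluator for the hosts.allow rules above, added here as an example (it is not tcpd and not code from the slides) so the "first match wins" and EXCEPT semantics can be checked before a rule set goes live. It handles the pattern forms the slide uses: ALL, a leading-dot domain suffix, a trailing-dot network prefix, and an exact host name or address. The rule text is a copy of the slide's file with the .ht.sfc.keio.ac.jp line omitted; the client hosts in the usage are made up.

```python
# Rule syntax handled: daemon_list : client_list [EXCEPT client_list] [: allow|deny]
# Rules are written in hosts.allow style; a rule with no action means allow, and a
# final "ALL : ALL : deny" plays the role of /etc/hosts.deny.
HOSTS_ALLOW = """\
ALL : localhost 127.0.0.1 : allow
ALL : .sfc.keio.ac.jp : allow
ALL : .sfc.wide.ad.jp : allow
in.ftpd : 10.11.7. : allow                      # FTP from 10.11.7.*
ALL : .hoge.com EXCEPT terminal.hoge.com : allow
ALL : ALL : deny
"""


def _matches(pattern, name, ip):
    """One client pattern against the connecting host's name and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. .sfc.keio.ac.jp
        return name.endswith(pattern)
    if pattern.endswith("."):            # network prefix, e.g. 10.11.7.
        return ip.startswith(pattern)
    return pattern in (name, ip)         # exact host name or address


def _client_matches(client_field, name, ip):
    words = client_field.split()
    if "EXCEPT" in words:
        i = words.index("EXCEPT")
        included, excluded = words[:i], words[i + 1:]
    else:
        included, excluded = words, []
    return (any(_matches(p, name, ip) for p in included)
            and not any(_matches(p, name, ip) for p in excluded))


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons, clients = fields[0].split(), fields[1]
        action = fields[2].lower() if len(fields) > 2 else "allow"
        rules.append((daemons, clients, action))
    return rules


def access(rules, daemon, client_name, client_ip):
    """Return 'allow' or 'deny' for a connection to `daemon` from the given client."""
    for daemons, clients, action in rules:
        if ("ALL" in daemons or daemon in daemons) and _client_matches(clients, client_name, client_ip):
            return action
    return "allow"   # tcpd default when nothing matches: hence the explicit ALL : ALL : deny


if __name__ == "__main__":
    rules = parse_rules(HOSTS_ALLOW)
    for daemon, host, ip in (("sshd", "pc1.sfc.keio.ac.jp", "133.27.4.121"),
                             ("in.ftpd", "pc5.example.net", "10.11.7.5"),
                             ("sshd", "pc5.example.net", "10.11.7.5"),
                             ("sshd", "terminal.hoge.com", "198.51.100.7")):
        print(daemon, host, ip, "->", access(rules, daemon, host, ip))
```

Note that the 10.11.7. rule only opens ftp: an ssh connection from the same network falls through to the final deny, and terminal.hoge.com is excluded from the hoge.com rule and is therefore denied too.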
Solaris: /var/adm/messages; other OS: /var/log/syslog (System log, sendmail); /var/adm/lastlog; /var/adm/sulog (su attempts).
Mail (1/2) (2/2): Third-Party Mail Relay (SPAM); RAID; backup media: FD, CD-R, MO, DVD, etc.; the sendmail on the OS CD-R is old (sendmail 8.8.5): update sendmail and sendmail.cf.
DNSSEC / DNS: Ex.> a shared key to restrict zone transfers:
dnssec-keygen -a hmac-md5 -b 128 -n ZONE sample-k        (128-bit HMAC-MD5 key named sample-k)
The key is written to Ksample-k+157+02663.key and Ksample-k+157+02663.private.
named.conf:
key sample-k { algorithm hmac-md5; secret "..."; };
zone "hoge.com" { ... allow-transfer { key sample-k; 192.168.30.4; localhost; }; };      # ns.hoge.com 192.168.1.4
DNS (2/2): answer recursive queries only for your own networks.
named.conf: options { allow-recursion { 192.168.30.0/24; localhost; }; };
SSI (Server Side Include).
CGI: Ex.> the sample CGIs shipped with NCSA httpd (phf, test-cgi, nph-test-cgi) are well-known targets; CGI and SSI; run CGI under chroot.
Index: Ex.> http://www.sfc.keio.ac.jp/~hoge/ (~hoge is a user's directory).
httpd.conf:
<Directory />
    Options Indexes FollowSymLinks
</Directory>
Remove Indexes so that directories without an index file are not listed.
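The NIDS idea from the IDS slide and the CGI sample-script list above, put together as one added example (not code from the slides): a signature scan over web-server access-log lines that reports Nimda probes (root.exe, cmd.exe via Unicode traversal) and the classic phf / test-cgi / nph-test-cgi probes, then counts hits per source so a scanning host stands out the way it does in the alert chart at the top. The log lines are constructed for this example; the request paths are the well-known probe strings, the log format is Apache common log format, and the signature names are this example's own labels.

```python
import re
from collections import Counter

# Constructed Apache common-log lines; the clients and requests are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2001:03:14:07 +0900] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
203.0.113.5 - - [10/Dec/2001:03:14:07 +0900] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 287
203.0.113.5 - - [10/Dec/2001:03:14:08 +0900] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
198.51.100.9 - - [10/Dec/2001:04:02:11 +0900] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 280
198.51.100.9 - - [10/Dec/2001:04:02:12 +0900] "GET /cgi-bin/nph-test-cgi?* HTTP/1.0" 404 280
133.27.24.7 - - [10/Dec/2001:09:30:00 +0900] "GET /~hoge/index.html HTTP/1.1" 200 1523
"""

# (signature name, pattern over the request path); first match wins.
SIGNATURES = [
    ("Concept-Nimda(root.exe)", re.compile(r"/root\.exe", re.I)),
    ("Nimda/Unicode traversal (cmd.exe)", re.compile(r"cmd\.exe", re.I)),
    ("NCSA phf", re.compile(r"/cgi-bin/phf\b", re.I)),
    ("test-cgi / nph-test-cgi", re.compile(r"/cgi-bin/(?:nph-)?test-cgi\b", re.I)),
]

# client ip, ident, user, [timestamp], "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')


def scan_log(text):
    """Return (client_ip, signature_name, request_path) for each line hitting a signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _timestamp, path = m.groups()
        for name, rx in SIGNATURES:
            if rx.search(path):
                hits.append((ip, name, path))
                break
    return hits


def hits_per_source(hits):
    """Counter of signature hits by client address: scanners and worms cluster here."""
    return Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, name, path in found:
        print(f"{ip:15} {name:35} {path}")
    print(hits_per_source(found).most_common())
```

The 404 status on every probe line is worth noting: a NIDS or log scanner still reports the attempt, and a burst of these from one address is the pattern behind the Concept-Nimda counts in the chart.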