Security Overview, Threat Pragmatics & Cryptography
Issue Date: Revision: Overview
• Security Overview • Goal of Security • Threat Pragmatics • Cryptography Basics
2 3 Where is the Security Layer?
Application Application Application Presentation (HTTP, DNS, FTP) Data (HTTP, DNS, FTP) Session Transport Transport Data Transport Transport Header (TCP/UDP) (TCP/UDP)
IP Transport Network Internet Data Internet (IPv4/IPv6) Header Header (IPv4/IPv6)
Data Link Frame IP Transport Network Data Network Header Header Header Access Access Physical (Ethernet, PPP) (Ethernet, PPP) 0011010100000111
https://gettys.wordpress.com/2018/04/09/mythology-about-security/
4 Why Security?
• The Internet was designed for connectivity – Trust was assumed – Security protocols added on top of the TCP/IP
• The Internet has become fundamental to our daily activities (business, work, and personal)
5 Internet Evolution
LAN connectivity Content driven Data on the Cloud (email, web, music, video)
Security (threats and challenges) change as the Internet evolves!
6 Recent Incidents
• Cisco - Ripple20 impacting the TCP/IP stack • F5 BIG-IP TMUI RCE vulnerability (7th Jul 2020) • Microsoft out of order patch (CVE-2020-1425) • ZombieVPN
https://isc.sans.edu/podcast.html
7 Recent Incidents
• Lucifer (June 2020) Cryptojacking and DDoS Campaign – dropping XMRig for cryptojacking Monero – command and control (C2) operation – self-propagation – credential brute-forcing – runs EternalBlue, EternalRomance, and DoublePulsar backdoor
https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/
8 Recent Incidents
• Ransomware – LG Electronics and Xerox allegedly hit by Maze – OSX.ThiefQuest targeting MACs – masquerading as COVID-19 contact-tracing apps – Thanos ransomware campaign targeting mid-level employees in Europe – WastedLocker being used since May 2020 – Cognizant confirms data breach after ransomware attack
https://team-cymru.com/community-services/dnb/
9 Recent Incidents
• CVE-2019-19494 – Released 2nd Dec 2019 – Buffer Overflow attack – Broadcom chipset modems – Exploit code is available
10 Recent Incidents
• Targets vulnerable middleware running on the chip • Allows a remote attacker to execute code at the kernel level via JavaScript run in a victim's browser. • Potential to intercept private messages, redirect traffic, or modems to participate in botnets
11 Recent Incidents
• WhatsApp spyware (May 2019)
– Exploited voice call feature • Caller could install spyware on the target device • Even if the call wasn’t answered! • Spy emails/messages, locations
– Versions prior to: • v2.19.134 (android) https://techcrunch.com/2019/05/13/whatsapp-exploit-let-attackers- • v2.19.51 (iOS) install-government-grade-spyware-on-phones/ • v2.18.348 (Windows)
– ~1.5 Billion users
12 Recent Incidents
• Facebook (March 2019)
– announced that it was storing user passwords (~600 million) in plain text • since 2012! • Could be read by FB employees
– April • Oops.. Wasn’t just Facebook accounts, but also some Instagram accts
https://about.fb.com/news/2019/03/keeping-passwords-secure/
13 Not-so Recent Incidents
• Slingshot (March 2018) - APT
– Active since 2012!
– Compromise MikroTik routers • not much clarity to on how they do it, but assumed to be based on the ChimayRed exploit - https://github.com/BigNerd95/Chimay-Red
– replace one of the dll in the router's file system with a malicious one (ipv4.dll) • loaded into user's computer when they run the Winbox tool
– Once infected • capture screenshots, collect network info, passwords on browsers,. key strokes etc
14 Not-so Recent Incidents
• Meltdown/Spectre (Jan 2018)
– Exploits processor vulnerabilities! • Intel, AMD, ARM
– Meltdown (CVE-2017-5754): • Breaks the isolation between programs & OS • An application could read kernel memory locations
– Spectre (CVE-2017-5753/CVE-2017-5715) • Breaks isolation between applications • An application could read other application memory
15 Not-so Recent Incidents • (Not)Petya Ransomware/Wiper (June 2017) – Exploited a backdoor in MeDoc accounting suite • Update pushed on June 22 from an update server (stolen credentials) • proxied to the attacker’s machine (176.31.182.167)
– Spread laterally across the network (June 27) • EternalBlue exploit (SMB exploit: MS17-010) • through PsExec/WMIC using clear-text passwords from memory • C:\Windows\perfc.dat hosted the post-exploit code (called by rundll32.exe)
16 Not-so Recent Incidents
• WannaCry Ransomware (May 2017) – As of 12 May, 45K attacks across 74 countries – Remote code execution in SMBv1 using EternalBlue exploit • TCP 445, or via NetBIOS (UDP/TCP 135-139) – Patch released on 14 March 2017 (MS17-010) • https://technet.microsoft.com/en-us/library/security/ms17-010.aspx – Exploit released on 14 April 2017
17 Not-so Recent Incidents
• SHA-1 is broken (Feb 23, 2017) – Hash collision: obtain same SHA-1 hash for two different pdf files (inputs) • which can be abused as a valid signature on the second PDF file. • https://shattered.io
18 Find any device • shodan.io
19 Find any device • 1st July 2020
20 haveibeenpwned.com • Have you been compromised? – Tracks compromised accounts and released into the wild • 364 pwned websites • >7 million pwned accounts • ~100K pastes
21 Acknowledgment
• Most of the content from:
Steven M.Bellovin’s “Thinking Security” https://www.cs.columbia.edu/~smb/
22 Before we start…
• What are we protecting - asset? and • From whom?
• All security system designs should be based on these questions!
23 The Incident Response Hierarchy of Needs
https://github.com/swannman/ircapabilities Attack Motivation (Who are your Enemies?)
• Nation states want SECRETS • Organized criminals want MONEY • Protesters or activists want ATTENTION • Hackers and researchers want KNOWLEDGE
http://cartoonsmix.com/cartoons/national-security-agency-cartoon.html
Source: NANOG60 keynote presentation by Jeff Moss, Feb 2014
25 Who are your Enemies?
• Script kiddies: – little real ability, but can cause damage if you’re careless
• Money makers: – Hack into machines, turn them into spam engines, etc.
• Government intelligence agencies, AKA Nation State Adversaries
26 The Threat Matrix
Opportunistic Advanced Persistent hacks Threats
Joy hacks Targeted attacks
Degree of Focus
Source: Thinking Security – Steve M. Bellovin
27 Joy Hacks
• For fun – with little skill using known exploits
• Minimal damage – especially unpatched machines
• Random targets – anyone they can hit
• Most hackers start this way – learning curve
28 Opportunistic Hacks
• Skilled (often very skilled) - also don’t care whom they hit – Know many different vulnerabilities and techniques
• Profiting is the goal - bank account thefts, botnets, ransomwares…. – WannaCry? Petya?
• Most phishers, virus writers, etc.
29 Targeted Attacks
• Have a specific target!
• Research the target and tailor attacks – physical reconnaissance
• At worst, an insider (behind all your defenses) – Not-so happy employee
• Watch for tools like “spear-phishing”
• May use 0-days
30 Advanced Persistent Threats
• Highly skilled (well funded) - specific targets – Mostly 0-days
• Sometimes (not always) working for a nation-state – Think Stuxnet (up to four 0-days were used)
• May use non-cyber means: – burglary, bribery, and blackmail
• Note: many lesser attacks blamed on APTs
31 ATT&CK Matrix for Enterprise
https://attack.mitre.org – accessed 12th Nov 2018 Are you a Target?
• Biggest risk? – assuming you are not interesting enough!
• Vendors/System Integrators and their take on security: – Either Underwhelming or Overwhelming
33 Defense Strategies
• Depends on what you’re trying to protect – Assets
• Tactics that keep out teenagers won’t keep out a well-funded agency
• But stronger defenses are often much more expensive and cause great inconvenience
34 What Are You Protecting?
• Identify your critical Assets – Both tangible and intangible (patents, methodologies) assets • Hardware, software, data, people, documents – Who would be interested?
• Place a Value on the Asset – Different assets require different level of protection – Security measures must be in proportion with asset value • How much can you afford?
• Determine Likelihood of breaches – threats and vulnerabilities?
35 Exercise
• Imagine you had a bar of gold to protect
– What container would you put it in? – What room would the container be in? – What locks are on the doors? – Where is the room located in the building? – What cameras are watching the room and building? – What humans are watching the cameras? – Who will respond with force to a theft attempt? – How much did all of these cost?
36 Threats, Vulnerability, and Risks
• Threat • Vulnerability – circumstance or – A weakness in an asset that can event with potential be exploited to cause harm to an • Software bugs asset • Design flaws/protocol bugs • Configuration mistakes • Lack of encryption • Lack of or no physical security • Risk – The likelihood that a particular vulnerability will be exploited Risk = Threat x Vulnerability Risk = Impact (Consequence) x Threat x Vulnerability
37 Risk Assessment Matrix
• Managing risks – Probability-Impact matrix to define the level of risk • Commonly used in real-world risk assessment
High Medium High High
Medium Low Medium High IMPACT Low Low Low Medium
Low Medium High LIKELIHOOD
38 Exercise
• Discuss: – Some recent vulnerabilities • https://cve.mitre.org • Cable Haunt CVE-2019-19494 – How does it fit into the risk matrix?
• Place a risk in the matrix by assigningHigh Medium High High ratings to its Medium Low Medium High – Severity/impact, and IMPACT Low Low Low Medium – Probability Low Medium High LIKELIHOOD/ PROBABILITY
39 Against Joy Hacks
• By definition, joy hackers use known exploits
• Patches exist for known exploits: – Security updates/system patches – Update antivirus database
• Ordinary enterprise-grade firewalls – Closer to users/services
40 Against Opportunistic Hacks
• Sophisticated techniques used
• You need multiple layers of defense – Firewalls near users and services – Host hardening • Apply security updates, patches, AVs – Monitoring • Intrusion detection • attention to log files
41 Against Targeted Attacks
• Targeted attacks exploit knowledge of target – Try to block or detect reconnaissance – Security policies and procedures matter a lot • How do you respond to phone callers? • What do people do with unexpected email attachments? • USB sticks in the parking lot?
• Hardest case: disgruntled employee or ex-employee – Already behind your defenses – Think Manning & Snowden
42 Against APTs
• VERY VERY hard to defend against! • Use all of the previous defenses – There are no sure answers • Pay special attention to policies and procedures • Investigate all oddities
43 Defense in Depth
• Layer your security controls – Provides redundancy in case of failure
https://commons.wikimedia.org/wiki/File:Caerphilly_aerial.jpg
44 Example of Security Controls
Category Example of Controls Purpose Make everyone aware of the Policy & Cyber Security Policy, Incident importance of security, define Procedure Handling Procedure role and responsibilities (pre and post incident), understand scope of the problem Technical Firewall, Intrusion Detection Prevent and detect potential System, AV, Logging Systems attacks, mitigate risk of breach
Physical CCTV, Locks, Biometrics, Secure Prevent physical theft of working space information assets or unauthorized physical access
45 However…
• Every machine (connected) is valuable
• They could be turned into bots – Send spam, launch DDoS, host phishing sites – Sniff your local traffic
• Defense: – watch outbound traffic from your network
46 Summary
• Use proper crypto
• Layer your defenses: – Policies, Procedures, and Awareness • Strictly follow • Revise and audit frequently – Physical security – Firewalls closer to services/users – Host hardening • Updated patches and AVs – Application Hardening – Backup important data – IDS/IPS (anomaly detection)
47 Overview
• Security Overview • Goal of Security • Threat Pragmatics • Cryptography Basics
48 Goals of Security
Confidentiality Integrity Availability
prevent safeguard the authorized users
unauthorized use accuracy and have reliable and SECURITY or disclosure of completeness of timely access to information information information
49 Access Control
• To permit or deny the use of resource(s)
• All about: – Authentication (who is the user) – Authorization (who is allowed to use what) – Accountability (what did the user do) Authentication
• Verify a user’s identity – “User” may refer to: • a person • an application or process • a machine or device
• Identification comes before authentication – Ex: username to establish user’s identity
• To prove identity, a user must present either: – What you know (passwords, passphrase, PIN) – What you have (token, smart cards, passcodes, RFID) – Who you are (biometrics such as fingerprints and iris scan, signature or voice) Strong Authentication
• An absolute requirement!
• Two-factor authentication – Passwords (something only you know) – Tokens (something only you have)
• Examples: – Passwords – Tokens – PINs – Biometrics – Certificates Two-factor Authentication • At least two authentication ‘factors’ to prove user’s identity – something you know • Username/password – something “only” you have • Token using a one-time password (OTP), or a SMS code
• OTP is generated using a device in physical possession of the user – generated each time and expires after some time – through applications on your device • Authy/Google Authenticator Authorization
• Defines the user’s rights and permissions on a system – Typically ‘if authenticated’ • Grants a user access to a resource and actions they are permitted to perform on that resource Authorisation Concepts
• Authorisation Creep – When users may possess unnecessarily high access privileges within an organisation
• Default to Zero (Zero trust) – Start with zero access and build on top of that
• Principle of least privilege – give access only to information that the user absolutely need Authorization - Single Sign On
• User logs in only once and gains access to all authorized resources within a system • Benefits: – Ease of use – Reduces logon cycle (time spent re-entering passwords for the same identity) • Common SSO technologies: – Kerberos (prevents replays – T_REQ:timestamp/lifetime) – RADIUS – OTP Token – SAML/OpenID • Disadvantage: Single point of attack – May need to mix with MFA Accounting
• What did the user do with the resource?
• Actions of an entity to be traced back uniquely to that entity – Senders cannot deny sending information – Receivers cannot deny receiving it – Users cannot deny performing a certain action
• Supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention and after-action recovery and legal action
Source: NIST Risk Management Guide for Information Technology Systems Types of Access Control
• Centralized Access Control – RADIUS • Encrypts the password – TACACS+ • Encrypts the entire message – Diameter (TCP) • Enhanced RADIUS (reliable and secure channel)
• Decentralized Access Control – User database maintained on the resource • Not scalable • No method for consistent control Overview
• Security Overview • Goal of Security • Threat Pragmatics • Cryptography Basics
59 Target
• Targets could be: – Network infrastructure – Network services – Application services – End user machines Uneven Playing Field
• The defender has to think about the entire perimeter – all the weakness
• The attacker has to find only one weakness
• This is not good news for defenders
61 Attack Surface
• Entire Perimeter you have to Defend
Firewall
SMTP Application
Web Server DNS
Power Fiber
62 Soft Gooey Inside
• But it is not just the perimeter! Firewall
SMTP Application USB Sticks Spearfishing Web Server Passwords DNS Ex-Employees SysAdmins
Fiber Power
63 Attacks on Different Layers Application Application Presentation Session Transport Transport Network Internet
Data Link Network Access Physical (Link Layer) OSI Reference Model TCP/IP Model
64 Attacks on Different Layers
Layer 7: HTTP, FTP, IMAP, LDAP, NTP, Application Radius, SSH, SMTP,Application SNMP, Telnet, DNS,DHCP Presentation
Session Layer 5: NFS, Socks Transport Transport Layer 4: TCP, UDP, SCTP
Network Layer 3: IPv4, IPv6, ICMP,Internet ICMPv6, IGMP
Data Link Layer 2: Ethernet,Network PPP, ARP, NDP, Access OSPF Physical (Link Layer) OSI Reference Model TCP/IP Model
65 Attacks on Different Layers
Layer 7: HTTP, FTP, IMAP, LDAP, NTP, Application Radius, SSH, SMTP,Application SNMP, Telnet, DNS,DHCP DNS Poisoning, Phishing, Presentation SQL injection, Spam/Scam
Session Layer 5: NFS, Socks Transport Transport Layer 4: TCP, UDP, SCTPTCP attacks, Routing attack, SYN flooding
Network Layer 3: IPv4, IPv6, ICMP,Internet ICMPv6, IGMP Ping/ICMP Flood, Sniffing Data Link Layer 2: Ethernet,Network PPP, ARP, NDP, Access OSPF ARP spoofing, MAC Physical flooding(Link Layer) OSI Reference Model TCP/IP Model
66 Layer 2 Attacks
• ARP Spoofing • MAC attacks • DHCP attacks • VLAN hopping
67 ARP Spoofing
I want to connect to Wait, I am 10.0.0.3! 10.0.0.3. I don’t know the MAC address
10.0.0.2 BB-BB-BB-BB-BB-BB ARP Request
10.0.0.3 10.0.0.1 ARP Reply CC-CC-CC-CC-CC-CC AA-AA-AA-AA-AA-AA
ARP Cache poisoned. Machine A 10.0.0.4 connects to Machine D (not C) DD-DD-DD-DD-DD-DD
I am 10.0.0.3. This is my MAC address
68 MAC Flooding
• Exploits the limitation of all switches – CAM stores mapping of individual MAC addresses to source ports – Finite memory • Attacker floods the CAM table using spoofed source MAC addresses
69 DHCP Attacks
• DHCP Starvation Attack – Broadcasting vast number of DHCP requests with spoofed MAC address simultaneously.
• DHCP Spoofing – Rogue DHCP
70 Wireless Attacks- MITM
• Creates a fake access point and have clients authenticate to it instead of a legitimate one. • Capture traffic (usernames, passwords)
71 Wireless Attacks
• WEP (wired equivalent privacy) – first go at wireless security • 104-bit WEP key: – 50% of the time broken with 45k packets – 95% of the time with 85k packets (in less than 60 seconds) Tews,Weinmann, and Pyshkin, "Breaking 104 bit WEP in less than 60 seconds", Proceedings of the 8th international conference on Information security applications, 2007
• Use WPA2 (wired protected access) – WPA – 256-bit key – WPA2 - AES
72 Link-Layer Defence
• Dynamic ARP Inspection – Protects against ARP spoofing
– uses DHCP Snooping
– forward ARP packets on Trusted interfaces without checks
– intercept all ARP packets on Untrusted ports and check against IP-to-MAC binding • Drop (and log) if no valid binding
73 Link-Layer Defence
• Port Security – Protects the MAC table
– Limit the number of MACs per port (static or sticky learning) • Forwards valid frames (valid source MACs), and drops invalid frames
– Violation could trigger: • Dropping of invalid frames and port shutdown, or • Drop frames with/without notification
74 Link-Layer Defence
• 802.1X – Identity based network access control – Protection against rogue devices (DHCP or AP) attaching to a LAN
Client Authenticator AAA Server
EAP-Request/Id
EAP-Response/Id Access-Request
EAP-Request/pw Access-Challenge
EAP-Response/pw Access-Request EAP-Success Access-Accept
Port Authorized
Image Source: www.en.wikipedia.org/wiki/IEEE_802.1X
75 Layer 3 Attacks
• ICMP Attacks – ICMP Smurf/Flood – Ping of death
• Routing (control plane) attacks
76 ICMP Flood/Smurf
Echo request Echo request Broadcast Network Address
Attacker Echo reply to actual Other forms of ICMP attack: destination -Ping of death
• Defense: – Disable directed broadcast
no ip directed-broadcast Victim
77 Routing Protocol Attacks
• Malicious route insertion – Poison routing table – To divert traffic and eavesdrop • Analyse/Modify/Drop packets
• BGP attacks – hijack prefixes – Tamper the path information
78 Defence- Routing Attacks
• Authenticate source of routing updates CA – Peer authentication X.509 Cert
• Origin Validation RFC 3779 Extension – Rolled out today as RPKI – ROA (resource certificate) signed by IP Resources the owner (Addr & ASN) • Verifies the origin AS (signed route announcement) SIA – URI (repository) for where this Publishes
• Path Validation Subject Public Key Signed by Parent’s Private Key Parent’s by Signed – Sign the full path (ASNs traversed) (algorithm and key) • In IETF process as BGPsec
79 SYN Flooding SYN
Server SYN+ACK (Victim)
Attacker ACK?
• Exploits the TCP 3-way handshake • Attacker sends a series of SYN packets • No ACK • Retains state for bogus half-open connections – Finite SYN_RECV queue size – no more resources (memory) to for new legitimate connections – drops!
80 SYN Flood - Defense
• SYN Cookies – MD5 hash (src IP, src port, dst IP, dst port, and ISN in SYN) • Sent back as ISN in its SYN-ACK
– no states for half-open connections in memory • until valid ACK: SEQ = ISN+1 • Store state after valid ACK
Enable: vi /etc/sysctl.conf net.ipv4.tcp_syncookies = 1
Verify: cat /proc/sys/net/ipv4_tcpsyncookies sysctl –n net ipv4.tcp_syncookies
81 Application Layer Attacks
• Very common: – Scripting vulnerabilities
– Buffer overflow
– Cookie poisoning • Tamper session information
– X-site scripting • Client-side code injection
– SQL injection
82 Application Layer - Defense
• User input validation – SQL injection, X-site scripting
• Pen-test or vulnerability scan by experts – Scripting vulnerabilities – Buffer overflow (bounds checking)
83 Layer 7 DDoS Attack
• Traditional DoS attacks focus on L3 and L4 • On L7, DoS attack targets applications disguised as legitimate packets – exhaust application resources (bandwidth, ports, protocol weakness) • Includes: – Slowloris – RUDY (R-U-Dead Yet) • POST request with long content length and write forms slowly – LOIC/HOIC (Low/high orbit Ion canon) • TCP/UDP/HTTP requests (H-only HTTP with scripts)
84 Layer 7 DDoS – Slowloris
• Incomplete HTTP requests – No blank line (\r\n) in request header
• Properties – Low bandwidth – Keep threads active • Only affects threaded web servers (Apache) • Doesn’t work through load balancers – Keepalives to reset timeout
85 Layer 7 DDoS – Defense
• Load balancers – Delayed binding – Perform HTTP Request header completeness check • Request not sent to server until the final \r\n (CRLF) received from client
• Non-threaded webservers – not vulnerable to slow header attacks
• ModSecurity – Open source WAF plugin for Apache – embedded or reverse proxy mode • In front of the web server
86 DNS Changer
• Anyone who controls Countries affected by your DNS controls what DNSChanger (2012): you see!
• How: – infect computers with malware – malware changes the user’s DNS settings • to attacker’s resolvers (specific Image Source: Kaspersky address blocks)
https://en.wikipedia.org/wiki/DNSChanger
87 DNS Changer - Defense
• Find out if you are infected – FBI: • forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS • 64.28.176.0/20; 67.210.0.0/20; 77.67.83.0/24; 85.255.112.0/20; 93.188.160.0/23; 213.109.64.0/20
– DNSChanger Working Group: • www.dcwg.org/fix/
• Clean up: – Run free anti-malware tools • DNSChanger WG site maintains clean-up guides and list of free tools to remove the malware – firewall rules to only allow queries to legitimate servers
88 DNS Cache Poisoning
• Resolvers caching incorrect records that did not originate from authoritative DNS servers
• Result: – redirect to sites (controlled by the attacker)
89 DNS Cache Poisoning
1 3 www.tashi.com 192.168.1.99 I want to access QID=64569 www.tashi.com (pretending to be the QID=64570 authoritative zone) QID=64571 match!
2 QID=64571 Client DNS Caching Root/GTLD Server
QID=64571 3 www.tashi.com 192.168.1.1 WebServer (192.168.1.1) ns.tashi.com
90 Cache Poisoning - Defense
• DNSSEC – DNS security extensions – Uses public-key crypto • Records (RRset) signed with private key (authenticity and integrity) • Signatures (RRSIG) published in DNS responses • Public key published (DNSKEY) to verify signatures • Child zones sign their records with their pvt key • Parent sings the hash of child’s public key - DS (chain-of-trust)
91 Cache Poisoning - Defense
Recursive Server Root Server (root’s public key) 2
Where is 3 1 www.apnic.net? www.apnic.net 4 (DO bit) 8 www.apnic.net RRSIG, DNSKEY , DS Client is at 61.45.255.100 Cache 5 (Signed referral) (stub Resolver) (Secure resolution) .net TLD 6
7 apnic.net (authoritative)
92 Amplification Attacks
• Exploits UDP protocol to return large amplified amounts of data – small request, LARGE reply
• Examples: – DNS – NTP – Memcached
93 DNS Amplification Attack
• A type of reflection attack combined with amplification – Source of attack is reflected off other machine(s) – Traffic received is bigger (amplified) than the traffic sent by the attacker
• UDP packet’s source address is spoofed
https://www.us-cert.gov/ncas/alerts/TA13-088A
94 DNS Amplification
Root/GTLD
Open DNS Resolvers Bots
Queries (ANY) with spoofed (victim’s) IP ns.example.com www.example.com 192.168.1.1 dig ANY www.example.com @8.8.8.8 +edns=0 +notcp +bufsize=4096 +dnssec
Victim Attacker
95 DNS Amplification Example
> dig ANY microsoft.com @8.8.8.8 microsoft.com. 21599 IN NS ns1.msft.net. microsoft.com. 3599 IN SOA ns1.msft.net. msnhst.microsoft.com. 2018052001 7200 600 2419200 3600 microsoft.com. 3599 IN MX 10 microsoft-com.mail.protection.outlook.com. microsoft.com. 3599 IN TXT "facebook-domain-verification=bcas5uzlvu0s3mrw139a00os3o66wr" microsoft.com. 3599 IN TXT "adobe-sign-verification=c1fea9b4cdd4df0d5778517f29e0934" microsoft.com. 3599 IN TXT "facebook-domain-verification=gx5s19fp3o8aczby6a22clfhzm03as" microsoft.com. 3599 IN TXT "v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.1.153 ip4:147.243.1.47 ip4:147.243.1.48 -all" 96 microsoft.com. 3599 IN TXT "FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVY NabdQ==" Reflection and Amplification
• What makes for good reflection? – UDP • Spoofable / forged source IP addresses • Connectionless (no 3-way handshake) • What makes for good amplification? – Small command results in a larger reply • This creates a Bandwidth Amplification Factor (BAF) • Reply Length / Request Length = BAF – Example: 3223 bytes / 64 bytes = BAF of 50.4 • Chart on next slide created with data from https://www.us-cert.gov/ncas/alerts/TA14-017A 97 Amplification Factors
Bandwidth Bandwidth Amplification Amplification Protocol Factor Protocol Factor Multicast DNS (mDNS) 2-10 LDAP 46 to 55 BitTorrent 3.8 TFTP 60 NetBIOS 3.8 Quake Network Protocol 63.9 Steam Protocol 5.5 RIPv1 131.24 SNMPv2 6.3 QOTD 140.3 Portmap (RPCbind) 7 to 28 CHARGEN 358.8
DNS 28 to 54 NTP 556.9 98 SSDP 30.8 Memcached 10,000 to 51,000 Source IP spoofing – Defense
• BCP38 (RFC2827) – Since 1998! – https://tools.ietf.org/html/bcp38
• Only allow traffic with valid source addresses to – Leave your network • Only from your own address space
– To enter/transit your network • Only from downstream customer address space
99 uRPF – Unicast Reverse Path
• Unicast Reverse Path Forwarding (uRPF) – Router verifies if the source address of any packets received is in the FIB table and reachable (routing table) • Drop if not valid! – Recommended on customer facing interfaces
100 uRPF – Unicast Reverse Path
• Modes of Operation:
Src = 2406:6400:100::1 – Strict: verifies both ge0/0 pos0/0 source address and incoming interface Src = 2406:6400:200::1 with FIB entries FIB: 2400:6400:100:/48 ge0/0 2400:6400:200:/48 fa0/0 – Loose: verifies Src = 2406:6400:100::1 existence of route to ge0/0 pos0/0 source address Src = 2406:6400:200::1
Image source: “Cisco ISP Essentials”, Barry Greene & Philip Smith 2002
101 NTP Amplification
• UDP 123 • NTP versions older than v4.2.7p26 vulnerable to “monlist” attack (CVE-2013-5211)
– made easier by Open NTP servers (time.google.com)
– Monlist fetches the MRU list of NTP (600) associations ntpdc -c -n monlist
• Several incidents in 2014 – 400Gbps attack on cloud provider
102 NTP Amplification - Defense
• BCP38 • Upgrade NTP (ntpd) server – to v4.2.7p26 or later – Removes/disables “monlist” command; replaced with “mrulist” • Requires proof that the command came from the address in the NTP packet • In older versions: – disable ntp monitor and do not answer ntpq/ntpdc queries
vi /etc/ntp.conf
disable monitor restrict default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery
103 Transport Layer Security
• SSL/TLS • Secure Shell (SSH)
104 Application Layer Security - Encryption • HTTPS – PKI/centralised trust
• PGP (Pretty Good Privacy) – Web of trust (decentralised trust)
• SMIME (Secure Multipurpose Internet Mail Extensions) – Chain of trust (centralised trust/CA)
105 106