Security Overview, Threat Pragmatics & Cryptography

Issue Date: Revision: Overview

• Security Overview • Goal of Security • Threat Pragmatics • Cryptography Basics

2 3 Where is the Security Layer?

Application Application Application Presentation (HTTP, DNS, FTP) Data (HTTP, DNS, FTP) Session Transport Transport Data Transport Transport Header (TCP/UDP) (TCP/UDP)

IP Transport Network Internet Data Internet (IPv4/IPv6) Header Header (IPv4/IPv6)

Data Link Frame IP Transport Network Data Network Header Header Header Access Access Physical (Ethernet, PPP) (Ethernet, PPP) 0011010100000111

https://gettys.wordpress.com/2018/04/09/mythology-about-security/

4 Why Security?

• The Internet was designed for connectivity – Trust was assumed – Security protocols added on top of the TCP/IP

• The Internet has become fundamental to our daily activities (business, work, and personal)

5 Internet Evolution

LAN connectivity Content driven Data on the Cloud (email, web, music, video)

Security (threats and challenges) change as the Internet evolves!

6 Recent Incidents

• Cisco - Ripple20 impacting the TCP/IP stack • F5 BIG-IP TMUI RCE vulnerability (7th Jul 2020) • Microsoft out of order patch (CVE-2020-1425) • ZombieVPN

https://isc.sans.edu/podcast.html

7 Recent Incidents

• Lucifer (June 2020) Cryptojacking and DDoS Campaign – dropping XMRig for cryptojacking Monero – command and control (C2) operation – self-propagation – credential brute-forcing – runs EternalBlue, EternalRomance, and DoublePulsar backdoor

https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-/

8 Recent Incidents

– LG Electronics and Xerox allegedly hit by Maze – OSX.ThiefQuest targeting MACs – masquerading as COVID-19 contact-tracing apps – Thanos ransomware campaign targeting mid-level employees in Europe – WastedLocker being used since May 2020 – Cognizant confirms data breach after ransomware attack

https://team-cymru.com/community-services/dnb/

9 Recent Incidents

• CVE-2019-19494 – Released 2nd Dec 2019 – Buffer Overflow attack – Broadcom chipset modems – Exploit code is available

10 Recent Incidents

• Targets vulnerable middleware running on the chip • Allows a remote attacker to execute code at the kernel level via JavaScript run in a victim's browser. • Potential to intercept private messages, redirect traffic, or modems to participate in botnets

11 Recent Incidents

• WhatsApp spyware (May 2019)

– Exploited voice call feature • Caller could install spyware on the target device • Even if the call wasn’t answered! • Spy emails/messages, locations

– Versions prior to: • v2.19.134 (android) https://techcrunch.com/2019/05/13/whatsapp-exploit-let-attackers- • v2.19.51 (iOS) install-government-grade-spyware-on-phones/ • v2.18.348 (Windows)

– ~1.5 Billion users

12 Recent Incidents

(March 2019)

– announced that it was storing user passwords (~600 million) in plain text • since 2012! • Could be read by FB employees

– April • Oops.. Wasn’t just Facebook accounts, but also some Instagram accts 

https://about.fb.com/news/2019/03/keeping-passwords-secure/

13 Not-so Recent Incidents

• Slingshot (March 2018) - APT

– Active since 2012!

– Compromise MikroTik routers • not much clarity to on how they do it, but assumed to be based on the ChimayRed exploit - https://github.com/BigNerd95/Chimay-Red

– replace one of the dll in the router's file system with a malicious one (ipv4.dll) • loaded into user's computer when they run the Winbox tool

– Once infected • capture screenshots, collect network info, passwords on browsers,. key strokes etc

14 Not-so Recent Incidents

• Meltdown/Spectre (Jan 2018)

– Exploits processor vulnerabilities! • Intel, AMD, ARM

– Meltdown (CVE-2017-5754): • Breaks the isolation between programs & OS • An application could read kernel memory locations

– Spectre (CVE-2017-5753/CVE-2017-5715) • Breaks isolation between applications • An application could read other application memory

15 Not-so Recent Incidents • (Not) Ransomware/Wiper (June 2017) – Exploited a backdoor in MeDoc accounting suite • Update pushed on June 22 from an update server (stolen credentials) • proxied to the attacker’s machine (176.31.182.167)

– Spread laterally across the network (June 27) • EternalBlue exploit (SMB exploit: MS17-010) • through PsExec/WMIC using clear-text passwords from memory • C:\Windows\perfc.dat hosted the post-exploit code (called by rundll32.exe)

16 Not-so Recent Incidents

• WannaCry Ransomware (May 2017) – As of 12 May, 45K attacks across 74 countries – Remote code execution in SMBv1 using EternalBlue exploit • TCP 445, or via NetBIOS (UDP/TCP 135-139) – Patch released on 14 March 2017 (MS17-010) • https://technet.microsoft.com/en-us/library/security/ms17-010.aspx – Exploit released on 14 April 2017

17 Not-so Recent Incidents

• SHA-1 is broken (Feb 23, 2017) – Hash collision: obtain same SHA-1 hash for two different pdf files (inputs) • which can be abused as a valid signature on the second PDF file. • https://shattered.io

18 Find any device • shodan.io

19 Find any device • 1st July 2020

20 haveibeenpwned.com • Have you been compromised? – Tracks compromised accounts and released into the wild • 364 pwned websites • >7 million pwned accounts • ~100K pastes

[email protected]

21 Acknowledgment

• Most of the content from:

Steven M.Bellovin’s “Thinking Security” https://www.cs.columbia.edu/~smb/

22 Before we start…

• What are we protecting - asset? and • From whom?

• All security system designs should be based on these questions!

23 The Incident Response Hierarchy of Needs

https://github.com/swannman/ircapabilities Attack Motivation (Who are your Enemies?)

• Nation states want SECRETS • Organized criminals want MONEY • Protesters or activists want ATTENTION • and researchers want KNOWLEDGE

http://cartoonsmix.com/cartoons/national-security-agency-cartoon.html

Source: NANOG60 keynote presentation by Jeff Moss, Feb 2014

25 Who are your Enemies?

• Script kiddies: – little real ability, but can cause damage if you’re careless

• Money makers: – Hack into machines, turn them into spam engines, etc.

• Government intelligence agencies, AKA Nation State Adversaries

26 The Threat Matrix

Opportunistic Advanced Persistent hacks Threats

Joy hacks Targeted attacks

Degree of Focus

Source: Thinking Security – Steve M. Bellovin

27 Joy Hacks

• For fun – with little skill using known exploits

• Minimal damage – especially unpatched machines

• Random targets – anyone they can hit

• Most hackers start this way – learning curve

28 Opportunistic Hacks

• Skilled (often very skilled) - also don’t care whom they hit – Know many different vulnerabilities and techniques

• Profiting is the goal - bank account thefts, botnets, ransomwares…. – WannaCry? Petya?

• Most phishers, virus writers, etc.

29 Targeted Attacks

• Have a specific target!

• Research the target and tailor attacks – physical reconnaissance

• At worst, an insider (behind all your defenses) – Not-so happy employee 

• Watch for tools like “spear-phishing”

• May use 0-days

30 Advanced Persistent Threats

• Highly skilled (well funded) - specific targets – Mostly 0-days

• Sometimes (not always) working for a nation-state – Think (up to four 0-days were used)

• May use non-cyber means: – burglary, bribery, and blackmail

• Note: many lesser attacks blamed on APTs

31 ATT&CK Matrix for Enterprise

https://attack.mitre.org – accessed 12th Nov 2018 Are you a Target?

• Biggest risk? – assuming you are not interesting enough!

• Vendors/System Integrators and their take on security: – Either Underwhelming or Overwhelming 

33 Defense Strategies

• Depends on what you’re trying to protect – Assets

• Tactics that keep out teenagers won’t keep out a well-funded agency

• But stronger defenses are often much more expensive and cause great inconvenience

34 What Are You Protecting?

• Identify your critical Assets – Both tangible and intangible (patents, methodologies) assets • Hardware, software, data, people, documents – Who would be interested?

• Place a Value on the Asset – Different assets require different level of protection – Security measures must be in proportion with asset value • How much can you afford?

• Determine Likelihood of breaches – threats and vulnerabilities?

35 Exercise

• Imagine you had a bar of gold to protect

– What container would you put it in? – What room would the container be in? – What locks are on the doors? – Where is the room located in the building? – What cameras are watching the room and building? – What humans are watching the cameras? – Who will respond with force to a theft attempt? – How much did all of these cost?

36 Threats, Vulnerability, and Risks

• Threat • Vulnerability – circumstance or – A weakness in an asset that can event with potential be exploited to cause harm to an • Software bugs asset • Design flaws/protocol bugs • Configuration mistakes • Lack of encryption • Lack of or no physical security • Risk – The likelihood that a particular vulnerability will be exploited Risk = Threat x Vulnerability Risk = Impact (Consequence) x Threat x Vulnerability

37 Risk Assessment Matrix

• Managing risks – Probability-Impact matrix to define the level of risk • Commonly used in real-world risk assessment

High Medium High High

Medium Low Medium High IMPACT Low Low Low Medium

Low Medium High LIKELIHOOD

38 Exercise

• Discuss: – Some recent vulnerabilities • https://cve.mitre.org • Cable Haunt CVE-2019-19494 – How does it fit into the risk matrix?

• Place a risk in the matrix by assigningHigh Medium High High ratings to its Medium Low Medium High – Severity/impact, and IMPACT Low Low Low Medium – Probability Low Medium High LIKELIHOOD/ PROBABILITY

39 Against Joy Hacks

• By definition, joy hackers use known exploits

• Patches exist for known exploits: – Security updates/system patches – Update antivirus database

• Ordinary enterprise-grade firewalls – Closer to users/services

40 Against Opportunistic Hacks

• Sophisticated techniques used

• You need multiple layers of defense – Firewalls near users and services – Host hardening • Apply security updates, patches, AVs – Monitoring • Intrusion detection • attention to log files

41 Against Targeted Attacks

• Targeted attacks exploit knowledge of target – Try to block or detect reconnaissance – Security policies and procedures matter a lot • How do you respond to phone callers? • What do people do with unexpected email attachments? • USB sticks in the parking lot?

• Hardest case: disgruntled employee or ex-employee – Already behind your defenses – Think Manning & Snowden

42 Against APTs

•  VERY VERY hard to defend against! • Use all of the previous defenses – There are no sure answers • Pay special attention to policies and procedures • Investigate all oddities

43 Defense in Depth

• Layer your security controls – Provides redundancy in case of failure

https://commons.wikimedia.org/wiki/File:Caerphilly_aerial.jpg

44 Example of Security Controls

Category Example of Controls Purpose Make everyone aware of the Policy & Cyber Security Policy, Incident importance of security, define Procedure Handling Procedure role and responsibilities (pre and post incident), understand scope of the problem Technical Firewall, Intrusion Detection Prevent and detect potential System, AV, Logging Systems attacks, mitigate risk of breach

Physical CCTV, Locks, Biometrics, Secure Prevent physical theft of working space information assets or unauthorized physical access

45 However…

• Every machine (connected) is valuable

• They could be turned into bots – Send spam, launch DDoS, host phishing sites – Sniff your local traffic

• Defense: – watch outbound traffic from your network

46 Summary

• Use proper crypto

• Layer your defenses: – Policies, Procedures, and Awareness • Strictly follow • Revise and audit frequently – Physical security – Firewalls closer to services/users – Host hardening • Updated patches and AVs – Application Hardening – Backup important data – IDS/IPS (anomaly detection)

47 Overview

• Security Overview • Goal of Security • Threat Pragmatics • Cryptography Basics

48 Goals of Security

Confidentiality Integrity Availability

prevent safeguard the authorized users

unauthorized use accuracy and have reliable and SECURITY or disclosure of completeness of timely access to information information information

49 Access Control

• To permit or deny the use of resource(s)

• All about: – Authentication (who is the user) – Authorization (who is allowed to use what) – Accountability (what did the user do) Authentication

• Verify a user’s identity – “User” may refer to: • a person • an application or process • a machine or device

• Identification comes before authentication – Ex: username to establish user’s identity

• To prove identity, a user must present either: – What you know (passwords, passphrase, PIN) – What you have (token, smart cards, passcodes, RFID) – Who you are (biometrics such as fingerprints and iris scan, signature or voice) Strong Authentication

• An absolute requirement!

• Two-factor authentication – Passwords (something only you know) – Tokens (something only you have)

• Examples: – Passwords – Tokens – PINs – Biometrics – Certificates Two-factor Authentication • At least two authentication ‘factors’ to prove user’s identity – something you know • Username/password – something “only” you have • Token using a one-time password (OTP), or a SMS code

• OTP is generated using a device in physical possession of the user – generated each time and expires after some time – through applications on your device • Authy/Google Authenticator Authorization

• Defines the user’s rights and permissions on a system – Typically ‘if authenticated’ • Grants a user access to a resource and actions they are permitted to perform on that resource Authorisation Concepts

• Authorisation Creep – When users may possess unnecessarily high access privileges within an organisation

• Default to Zero (Zero trust) – Start with zero access and build on top of that

• Principle of least privilege – give access only to information that the user absolutely need Authorization - Single Sign On

• User logs in only once and gains access to all authorized resources within a system • Benefits: – Ease of use – Reduces logon cycle (time spent re-entering passwords for the same identity) • Common SSO technologies: – Kerberos (prevents replays – T_REQ:timestamp/lifetime) – RADIUS – OTP Token – SAML/OpenID • Disadvantage: Single point of attack – May need to mix with MFA Accounting

• What did the user do with the resource?

• Actions of an entity to be traced back uniquely to that entity – Senders cannot deny sending information – Receivers cannot deny receiving it – Users cannot deny performing a certain action

• Supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention and after-action recovery and legal action

Source: NIST Risk Management Guide for Information Technology Systems Types of Access Control

• Centralized Access Control – RADIUS • Encrypts the password – TACACS+ • Encrypts the entire message – Diameter (TCP) • Enhanced RADIUS (reliable and secure channel)

• Decentralized Access Control – User database maintained on the resource • Not scalable • No method for consistent control Overview

• Security Overview • Goal of Security • Threat Pragmatics • Cryptography Basics

59 Target

• Targets could be: – Network infrastructure – Network services – Application services – End user machines Uneven Playing Field

• The defender has to think about the entire perimeter – all the weakness

• The attacker has to find only one weakness

• This is not good news for defenders

61 Attack Surface

• Entire Perimeter you have to Defend

Firewall

SMTP Application

Web Server DNS

Power Fiber

62 Soft Gooey Inside

• But it is not just the perimeter! Firewall

SMTP Application USB Sticks Spearfishing Web Server Passwords DNS Ex-Employees SysAdmins

Fiber Power

63 Attacks on Different Layers Application Application Presentation Session Transport Transport Network Internet

Data Link Network Access Physical (Link Layer) OSI Reference Model TCP/IP Model

64 Attacks on Different Layers

Layer 7: HTTP, FTP, IMAP, LDAP, NTP, Application Radius, SSH, SMTP,Application SNMP, Telnet, DNS,DHCP Presentation

Session Layer 5: NFS, Socks Transport Transport Layer 4: TCP, UDP, SCTP

Network Layer 3: IPv4, IPv6, ICMP,Internet ICMPv6, IGMP

Data Link Layer 2: Ethernet,Network PPP, ARP, NDP, Access OSPF Physical (Link Layer) OSI Reference Model TCP/IP Model

65 Attacks on Different Layers

Layer 7: HTTP, FTP, IMAP, LDAP, NTP, Application Radius, SSH, SMTP,Application SNMP, Telnet, DNS,DHCP DNS Poisoning, Phishing, Presentation SQL injection, Spam/Scam

Session Layer 5: NFS, Socks Transport Transport Layer 4: TCP, UDP, SCTPTCP attacks, Routing attack, SYN flooding

Network Layer 3: IPv4, IPv6, ICMP,Internet ICMPv6, IGMP Ping/ICMP Flood, Sniffing Data Link Layer 2: Ethernet,Network PPP, ARP, NDP, Access OSPF ARP spoofing, MAC Physical flooding(Link Layer) OSI Reference Model TCP/IP Model

66 Layer 2 Attacks

• ARP Spoofing • MAC attacks • DHCP attacks • VLAN hopping

67 ARP Spoofing

I want to connect to Wait, I am 10.0.0.3! 10.0.0.3. I don’t know the MAC address

10.0.0.2 BB-BB-BB-BB-BB-BB ARP Request

10.0.0.3 10.0.0.1 ARP Reply CC-CC-CC-CC-CC-CC AA-AA-AA-AA-AA-AA

ARP Cache poisoned. Machine A 10.0.0.4 connects to Machine D (not C) DD-DD-DD-DD-DD-DD

I am 10.0.0.3. This is my MAC address

68 MAC Flooding

• Exploits the limitation of all switches – CAM stores mapping of individual MAC addresses to source ports – Finite memory • Attacker floods the CAM table using spoofed source MAC addresses

69 DHCP Attacks

• DHCP Starvation Attack – Broadcasting vast number of DHCP requests with spoofed MAC address simultaneously.

• DHCP Spoofing – Rogue DHCP

70 Wireless Attacks- MITM

• Creates a fake access point and have clients authenticate to it instead of a legitimate one. • Capture traffic (usernames, passwords)

71 Wireless Attacks

• WEP (wired equivalent privacy) – first go at wireless security • 104-bit WEP key: – 50% of the time broken with 45k packets – 95% of the time with 85k packets (in less than 60 seconds) Tews,Weinmann, and Pyshkin, "Breaking 104 bit WEP in less than 60 seconds", Proceedings of the 8th international conference on Information security applications, 2007

• Use WPA2 (wired protected access) – WPA – 256-bit key – WPA2 - AES

72 Link-Layer Defence

• Dynamic ARP Inspection – Protects against ARP spoofing

– uses DHCP Snooping

– forward ARP packets on Trusted interfaces without checks

– intercept all ARP packets on Untrusted ports and check against IP-to-MAC binding • Drop (and log) if no valid binding

73 Link-Layer Defence

• Port Security – Protects the MAC table

– Limit the number of MACs per port (static or sticky learning) • Forwards valid frames (valid source MACs), and drops invalid frames

– Violation could trigger: • Dropping of invalid frames and port shutdown, or • Drop frames with/without notification

74 Link-Layer Defence

• 802.1X – Identity based network access control – Protection against rogue devices (DHCP or AP) attaching to a LAN

Client Authenticator AAA Server

EAP-Request/Id

EAP-Response/Id Access-Request

EAP-Request/pw Access-Challenge

EAP-Response/pw Access-Request EAP-Success Access-Accept

Port Authorized

Image Source: www.en.wikipedia.org/wiki/IEEE_802.1X

75 Layer 3 Attacks

• ICMP Attacks – ICMP Smurf/Flood – Ping of death

• Routing (control plane) attacks

76 ICMP Flood/Smurf

Echo request Echo request Broadcast Network Address

Attacker Echo reply to actual Other forms of ICMP attack: destination -Ping of death

• Defense: – Disable directed broadcast

no ip directed-broadcast Victim

77 Routing Protocol Attacks

• Malicious route insertion – Poison routing table – To divert traffic and eavesdrop • Analyse/Modify/Drop packets

• BGP attacks – hijack prefixes – Tamper the path information

78 Defence- Routing Attacks

• Authenticate source of routing updates CA – Peer authentication X.509 Cert

• Origin Validation RFC 3779 Extension – Rolled out today as RPKI – ROA (resource certificate) signed by IP Resources the owner (Addr & ASN) • Verifies the origin AS (signed route announcement) SIA – URI (repository) for where this Publishes

• Path Validation Subject Public Key Signed by Parent’s Private Key Parent’s by Signed – Sign the full path (ASNs traversed) (algorithm and key) • In IETF process as BGPsec

79 SYN Flooding SYN

Server SYN+ACK (Victim)

Attacker ACK?

• Exploits the TCP 3-way handshake • Attacker sends a series of SYN packets • No ACK • Retains state for bogus half-open connections – Finite SYN_RECV queue size – no more resources (memory) to for new legitimate connections – drops!

80 SYN Flood - Defense

• SYN Cookies – MD5 hash (src IP, src port, dst IP, dst port, and ISN in SYN) • Sent back as ISN in its SYN-ACK

– no states for half-open connections in memory • until valid ACK: SEQ = ISN+1 • Store state after valid ACK

Enable: vi /etc/sysctl.conf  net.ipv4.tcp_syncookies = 1

Verify:  cat /proc/sys/net/ipv4_tcpsyncookies  sysctl –n net ipv4.tcp_syncookies

81 Application Layer Attacks

• Very common: – Scripting vulnerabilities

– Buffer overflow

– Cookie poisoning • Tamper session information

– X-site scripting • Client-side code injection

– SQL injection

82 Application Layer - Defense

• User input validation – SQL injection, X-site scripting

• Pen-test or vulnerability scan by experts – Scripting vulnerabilities – Buffer overflow (bounds checking)

83 Layer 7 DDoS Attack

• Traditional DoS attacks focus on L3 and L4 • On L7, DoS attack targets applications disguised as legitimate packets – exhaust application resources (bandwidth, ports, protocol weakness) • Includes: – Slowloris – RUDY (R-U-Dead Yet) • POST request with long content length and write forms slowly – LOIC/HOIC (Low/high orbit Ion canon) • TCP/UDP/HTTP requests (H-only HTTP with scripts)

84 Layer 7 DDoS – Slowloris

• Incomplete HTTP requests – No blank line (\r\n) in request header

• Properties – Low bandwidth – Keep threads active • Only affects threaded web servers (Apache) • Doesn’t work through load balancers – Keepalives to reset timeout

85 Layer 7 DDoS – Defense

• Load balancers – Delayed binding – Perform HTTP Request header completeness check • Request not sent to server until the final \r\n (CRLF) received from client

• Non-threaded webservers – not vulnerable to slow header attacks

• ModSecurity – Open source WAF plugin for Apache – embedded or reverse proxy mode • In front of the web server

86 DNS Changer

• Anyone who controls Countries affected by your DNS controls what DNSChanger (2012): you see!

• How: – infect computers with malware – malware changes the user’s DNS settings • to attacker’s resolvers (specific Image Source: Kaspersky address blocks)

https://en.wikipedia.org/wiki/DNSChanger

87 DNS Changer - Defense

• Find out if you are infected – FBI: • forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS • 64.28.176.0/20; 67.210.0.0/20; 77.67.83.0/24; 85.255.112.0/20; 93.188.160.0/23; 213.109.64.0/20

– DNSChanger Working Group: • www.dcwg.org/fix/

• Clean up: – Run free anti-malware tools • DNSChanger WG site maintains clean-up guides and list of free tools to remove the malware – firewall rules to only allow queries to legitimate servers

88 DNS Cache Poisoning

• Resolvers caching incorrect records that did not originate from authoritative DNS servers

• Result: – redirect to sites (controlled by the attacker)

89 DNS Cache Poisoning

1 3 www.tashi.com 192.168.1.99 I want to access QID=64569 www.tashi.com (pretending to be the QID=64570 authoritative zone) QID=64571 match!

2 QID=64571 Client DNS Caching Root/GTLD Server

QID=64571 3 www.tashi.com 192.168.1.1 WebServer (192.168.1.1) ns.tashi.com

90 Cache Poisoning - Defense

• DNSSEC – DNS security extensions – Uses public-key crypto • Records (RRset) signed with private key (authenticity and integrity) • Signatures (RRSIG) published in DNS responses • Public key published (DNSKEY) to verify signatures • Child zones sign their records with their pvt key • Parent sings the hash of child’s public key - DS (chain-of-trust)

91 Cache Poisoning - Defense

Recursive Server Root Server (root’s public key) 2 

Where is 3 1 www.apnic.net? www.apnic.net 4 (DO bit) 8 www.apnic.net RRSIG, DNSKEY , DS Client is at 61.45.255.100 Cache 5 (Signed referral) (stub Resolver) (Secure resolution) .net TLD 6

7 apnic.net (authoritative)

92 Amplification Attacks

• Exploits UDP protocol to return large amplified amounts of data – small request, LARGE reply

• Examples: – DNS – NTP – Memcached

93 DNS Amplification Attack

• A type of reflection attack combined with amplification – Source of attack is reflected off other machine(s) – Traffic received is bigger (amplified) than the traffic sent by the attacker

• UDP packet’s source address is spoofed

https://www.us-cert.gov/ncas/alerts/TA13-088A

94 DNS Amplification

Root/GTLD

Open DNS Resolvers Bots

Queries (ANY) with spoofed (victim’s) IP ns.example.com www.example.com 192.168.1.1 dig ANY www.example.com @8.8.8.8 +edns=0 +notcp +bufsize=4096 +dnssec

Victim Attacker

95 DNS Amplification Example

> dig ANY microsoft.com @8.8.8.8 microsoft.com. 21599 IN NS ns1.msft.net. microsoft.com. 3599 IN SOA ns1.msft.net. msnhst.microsoft.com. 2018052001 7200 600 2419200 3600 microsoft.com. 3599 IN MX 10 microsoft-com.mail.protection.outlook.com. microsoft.com. 3599 IN TXT "facebook-domain-verification=bcas5uzlvu0s3mrw139a00os3o66wr" microsoft.com. 3599 IN TXT "adobe-sign-verification=c1fea9b4cdd4df0d5778517f29e0934" microsoft.com. 3599 IN TXT "facebook-domain-verification=gx5s19fp3o8aczby6a22clfhzm03as" microsoft.com. 3599 IN TXT "v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.1.153 ip4:147.243.1.47 ip4:147.243.1.48 -all" 96 microsoft.com. 3599 IN TXT "FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVY NabdQ==" Reflection and Amplification

• What makes for good reflection? – UDP • Spoofable / forged source IP addresses • Connectionless (no 3-way handshake) • What makes for good amplification? – Small command results in a larger reply • This creates a Bandwidth Amplification Factor (BAF) • Reply Length / Request Length = BAF – Example: 3223 bytes / 64 bytes = BAF of 50.4 • Chart on next slide created with data from https://www.us-cert.gov/ncas/alerts/TA14-017A 97 Amplification Factors

Bandwidth Bandwidth Amplification Amplification Protocol Factor Protocol Factor Multicast DNS (mDNS) 2-10 LDAP 46 to 55 BitTorrent 3.8 TFTP 60 NetBIOS 3.8 Quake Network Protocol 63.9 Steam Protocol 5.5 RIPv1 131.24 SNMPv2 6.3 QOTD 140.3 Portmap (RPCbind) 7 to 28 CHARGEN 358.8

DNS 28 to 54 NTP 556.9 98 SSDP 30.8 Memcached 10,000 to 51,000 Source IP spoofing – Defense

• BCP38 (RFC2827) – Since 1998! – https://tools.ietf.org/html/bcp38

• Only allow traffic with valid source addresses to – Leave your network • Only from your own address space

– To enter/transit your network • Only from downstream customer address space

99 uRPF – Unicast Reverse Path

• Unicast Reverse Path Forwarding (uRPF) – Router verifies if the source address of any packets received is in the FIB table and reachable (routing table) • Drop if not valid! – Recommended on customer facing interfaces

100 uRPF – Unicast Reverse Path

• Modes of Operation:

Src = 2406:6400:100::1 – Strict: verifies both ge0/0 pos0/0 source address and incoming interface Src = 2406:6400:200::1 with FIB entries FIB: 2400:6400:100:/48 ge0/0 2400:6400:200:/48 fa0/0 – Loose: verifies Src = 2406:6400:100::1 existence of route to ge0/0 pos0/0 source address Src = 2406:6400:200::1

Image source: “Cisco ISP Essentials”, Barry Greene & Philip Smith 2002

101 NTP Amplification

• UDP 123 • NTP versions older than v4.2.7p26 vulnerable to “monlist” attack (CVE-2013-5211)

– made easier by Open NTP servers (time.google.com)

– Monlist fetches the MRU list of NTP (600) associations ntpdc -c -n monlist

• Several incidents in 2014 – 400Gbps attack on cloud provider

102 NTP Amplification - Defense

• BCP38 • Upgrade NTP (ntpd) server – to v4.2.7p26 or later – Removes/disables “monlist” command; replaced with “mrulist” • Requires proof that the command came from the address in the NTP packet • In older versions: – disable ntp monitor and do not answer ntpq/ntpdc queries

vi /etc/ntp.conf

disable monitor restrict default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery

103 Transport Layer Security

• SSL/TLS • Secure Shell (SSH)

104 Application Layer Security - Encryption • HTTPS – PKI/centralised trust

• PGP (Pretty Good Privacy) – Web of trust (decentralised trust)

• SMIME (Secure Multipurpose Internet Mail Extensions) – Chain of trust (centralised trust/CA)

105 106