Sink Holes, Dark IP, and HoneyNets

Transcription

1 Sink Holes, Dark IP, and HoneyNets

2 Sink Hole Routers/Networks Sink Holes are a Swiss Army Knife security tool. BGP speaking Router or Workstation that built to suck in attacks. Used to redirect attacks away from the customer working the attack on a router built to withstand the attack. Used to monitor attack noise, scans, and other activity (via the advertisement of default)

3 Why Sinkhole? Sinkhole is used to describe a technique that does more than the individual tools we ve had in the past: Blackhole Routers Technique used to exploit a routers forwarding logic in order to discard data, typically in a distributed manner, triggered by routing advertisements. Tar Pits A section of a honey net or DMZ designed to slow down TCP based attacks to enable analysis and traceback. Often used interchangeably with Sinkhole. Shunts Redirecting traffic to one of the router s connected interfaces, typically to discard traffic. Honey Net A network of one or more systems designed to analyze and capture penetrations and similar malicious activity. Honey Pot - A system designed to analyze and capture penetrations and similar malicious activity.

4 Sinkhole Routers/Networks Sinkholes are the network equivalent of a honey pot, also commonly referred to as a tar pit, sometimes referred to as a blackhole. Router or workstation built to suck in and assist in analyzing attacks. Used to redirect attacks away from the customer working the attack on a router built to withstand the attack. Used to monitor attack noise, scans, data from mis-configuration and other activity (via the advertisement of default or unused IP space) Traffic is typically diverted via BGP route advertisements and policies.

5 Sinkhole Routers/Networks Sinkhole Network Customers Customers Customers Target of Attack /24 target s network host is target

6 Sinkhole Routers/Networks Router advertises /32 Sinkhole Network Customers Customers Customers Target of Attack /24 target s network host is target

7 Sinkhole Routers/Networks Attack is pulled away from customer/aggregation router. Can now apply classification ACLs, Packet Capture, Etc Objective is to minimize the risk to the network while investigating the attack incident. Customers Target of Attack Router advertises /32 Sinkhole Network /24 target s network Customers host is target

8 Infected End Points Sink Hole advertising Bogon and Dark IP Space Sink Hole Network Customer SQL Computer starts scanning the Internet is infected

9 Sinkhole Routers/Networks Advertising default from the Sinkhole will pull down all sorts of garbage traffic: Customer Traffic when circuits flap Network Scans to unallocated address space Code Red/NIMDA/Worms Backscatter Can place tracking tools in the Sinkhole network to monitor the noise. Customers Customers Customers Router advertises default Sinkhole Network Customers

10 Scaling Sinkhole Networks Multiple Sinkholes can be deployed within a network Combination of IGP with BGP Trigger Regional deployment Major PoPs Functional deployment Peering points Data Centers Note: Reporting more complicated, need aggregation and correlation mechanism Customers Sinkhole Network /24 target s network is attacked

11 Why Sinkholes? They work! Providers and researchers use them in their network for data collection and analysis. More uses are being found through experience and individual innovation. Deploying Sinkholes correctly takes preparation.

12 The Basic Sinkhole Sinkhole Server Advertise small slices of Bogon and Dark IP space To ISP Backbone Sinks Holes do not have to be complicated. Some large providers started their Sinkhole with a spare workstation with free unix, Zebra, and TCPdump. Some GNU or MRTG graphing and you have a decent sinkhole.

13 Expanding the Sinkhole To ISP Backbone Static ARP to Target Router Sinkhole Gateway Target Router To ISP Backbone To ISP Backbone Sniffers and Analyzers Expand the Sinkhole with a dedicated router into a variety of tools. Pull the DOS/DDOS attack to the sinkhole and forwards the attack to the target router. Static ARP to the target router keeps the Sinkhole Operational Target Router can crash from the attack and the static ARP will keep the gateway forwarding traffic to the Ethernet switch.

14 What to monitor in a Sinkhole? Scans on Dark IP (allocated & announced but unassigned address space). Who is scoping out the network pre-attack planning. Scans on Bogons (unallocated). Worms, infected machines, and Bot creation Backscatter from Attacks Who is getting attacked Backscatter from Garbage traffic (RFC-1918 leaks) Which customers have misconfiguration or leaking networks.

15 Monitoring Scan Rates To ISP Backbone Sinkhole Gateway Place various /32 Infrastructure addresses here Target Router To ISP Backbone To ISP Backbone Sniffers and Analyzers Select /32 (or larger) address from different block of your address space. Advertise them out the Sinkhole Assign them to a workstation built to monitor and log scans. ( Arbor Network s Dark IP Peakflow module is one turn key commercial tool that can monitor scan rates via data collected from the network.)

16 Worm Detection & Reporting UI Operator instantly notified of Worm infection. System automatically generates a list of infected hosts for quarantine and clean-up.

17 Automate Quarantine of Infected Hosts

18 Monitoring Backscatter Advertise Bogons with To ISP no-export Backbone community Capture Backscatter Traffic Sinkhole Gateway Target Router To ISP Backbone To ISP Backbone Sniffers and Analyzers Advertise bogon blocks with NO_EXPORT community and an explicit safety community (plus prefix-based egress filtering on the edge) Static/set the BGP NEXT_HOP for the bogon to a backscatter collector workstation (as simple as TCPdump). Pulls in backscatter for that range allows monitoring.

19 Monitoring Backscatter Inferring Internet Denial-of-Service Activity

20 Monitoring Spoof Ranges Classification ACL To ISP Backbone with Source Address Sinkhole Gateway Target Router Export ACL Logs to a syslog server To ISP Backbone To ISP Backbone Sniffers and Analyzers Attackers use ranges of valid (allocated blocks) and invalid (bogon, martian, and RFC1918 blocks) spoofed IP addresses. Extremely helpful to know the spoof ranges. Set up a classification filter on source addresses.

21 Monitoring Spoof Ranges Example: Jeff Null s [jnull@truerouting.com] Test Extended IP access list 120 (Compiled) permit tcp any any established ( matches) deny ip any ( matches) deny ip any ( matches) deny ip any ( matches) deny ip any ( matches) deny ip any ( matches) deny ip any ( matches) deny ip any ( matches) deny ip any ( matches) deny ip any ( matches).. permit ip any any ( matches)

22 Monitoring Spoof Ranges To ISP Backbone Sinkhole Gateway Place various /32 Infrastructure addresses here Target Router To ISP Backbone To ISP Backbone Sniffers and Analyzers Select /32 address from different block of your address space. Advertise them out the Sinkhole Assign them to a workstation built to monitor and log scans. Home grown and commercial tools available to monitor scan rates ( Arbor Network s Dark IP Application is one turn key commercial tool that can monitor scan rates.)

23 Safety Precautions Do not allow bogons to leak: BGP NO_EXPORT community Explicit Egress Prefix Policies (community, prefix, etc.) Do not allow traffic to escape the sinkhole: Backscatter from a Sinkhole defeats the function of a Sinkhole (egress ACL on the Sinkhole router)

24 Simple Sinkholes Internet Facing BCP is to advertise the whole allocated CIDR block out to the Internet. Left over unallocated Dark IP space gets pulled into the advertising router. The advertising router becomes a Sinkhole for garbage packets. Internet Backscatter Scanners Worms Pee r Border Aggregation CPE Pulls in garbage packets. Large CIDR Block Out Customer s Allocated Block CPE Router /w Default

25 ASIC Drops at Line Rate? Forwarding/Feature ASICs will drop packets with no performance impact. Line Rate dropping will not solve the problem of garbage packets saturating the link. Internet Backscatter Scanners Worms Pee r Border Aggregation Garbage Saturates Link! Large CIDR Block Out Customer s Allocated Block CPE CPE Router /w Default

26 Backbone Router Injecting Aggregates Backscatter Scanners Worms Some ISPs use the Backbone/core routers to inject their aggregates. Multiple Backbone injection points alleviate issues of link saturation, but exposes the loopback addresses (at least the way it is done today). In a world of multiple Gig-Bots and Turbo worms, do you really want you backbone routers playing the role of garbage collectors? Internet Peer border Aggregation CPE Garbage packets are forwarded to backbone router Backbone Large CIDR Block Out Customer s Allocated Block CPE Router /w Default

27 Simple Sinkholes Customer Facing Defaults on CPE devices pull in everything. Default is the ultimate packet vacuum cleaner Danger to links during times of security duress. Internet Peer border Aggregation Pulls in garbage packets. Large CIDR Block Out Customer s Allocated Block Worms Backscatter Scanners CPE CPE Router /w Default

28 Simple Sinkholes Impact Today In the past, this issue of pulling down garbage packets has not been a big deal. GigBots and Turbo Worms change everything Even ASIC-based forwarding platforms get impacted from the RFC 1812 overhead. Backscatter Scanners Worms Internet Peer Border Aggregation Pulls in garbage packets. Large CIDR Block Out Customer s Allocated Block CPE CPE Router /w Default

29 Sinkholes Advertising Dark IP To ISP Backbone Blocks with Static To ISP Backbone Advertise CIDR Lock-ups pointing to the target router Target Router Target router receives the garbage To ISP Backbone Sinkhole Gateway Sniffers and Analyzers Move the CIDR Block Advertisements (or at least more-specifics of those advertisements) to Sinkholes. Does not impact BGP routing route origination can happen anywhere in the ibgp mesh (careful about MEDs and aggregates). Control where you drop the packet. Turns networks inherent behaviors into a security tool!

30 Anycast Sinkholes to Scale POPs Anycast allows garbage packet load management and distribution. POPs Regional Node Regional Node POPs Core Backbone POPs Regional Node Regional Node POPs POPs Regional Node Regional Node ISPs ISPs ISPs

31 Anycast Sinkholes Sinkhole IXP-W Sinkhole Peer A Peer B Sinkhole IXP-E Sinkhole Upstream A Upstream A Upstream B Sinkhole Upstream B Sinkhole /24 Customer POP Sinkhole Services Network Sinkhole employs same Anycast mechanism. Primary DNS Servers

32 Protecting the Core With Sink Holes

33 Protecting the Backbone Point to Point Addresses Do you really need to reach the Backbone router s Point to Point Address from any router other than a directly connected neighbor? BK-02-A BK-02-B

34 Protecting the Backbone Point to Point Addresses What could break? Routing protocols are either loopback (BGP or NTP) or adjacent (OSPF, IS-IS, EIGRP). NOC can Ping the Loopback. Traceroutes reply with the address in the reply. Reachability of the source is not required. BGP, NTP BGP, NTP BK-02-A BK-02-B OSPF, ISIS, EIGRP OSPF, ISIS, EIGRP

35 Protecting the Backbone Point to Point Addresses What have people done in the past: ACLs Long term ACL management problems. RFC 1918 Works against the theme of the RFC Traceroute still replies with RFC 1918 source address. Does not protect against a reflection attack. BK-02-A BK-02-B

36 Protecting the Backbone Point to Point Addresses Move the Point to Point Addresses blocks to IGP based Sink Holes. All packets to these addresses will be pulled into the Sink Hole. People who could find targets with traceroute cannot now hit the router with an attack based on that intelligence. Protects against internal and reflection based attacks. Packet P-t-P infrastructure address. Packet P-t-P infrastructure address. BK-02-A BK-02-B Sink Hole Module

37 Sinkholes - Addendum

38 Sinkhole Router Monitoring Link and Interface Sinkhole Router Analysis Segment Sniffer/Analyser Flow of Mgmt Data Target of Attack Neflow/Syslog Collector 38

39 Guidelines No IGP on Sinkhole ibgp Peering sessions via Management Interface Sinkhole is a RR client Monitoring Interface to data-plane only Routes injected into IGP by router servicing the Monitoring Link 39

40 Sample TEST-NET Allocation Address Block Purpose /32 All ibgp routers for Drop to NULL /32 All Peering Edge routers drop /32 All Customer Edge routers drop /30 Monitor Link addresses NOTE: provision these addresses in all Sinkholes ANYCAST Sinkhole Address > balance Sinkhole Diversion Addresses 40

41 Sinkhole Router - Routing Statics /32 -> /32 -> NOTE: /30 is reused at each Sinkhole Static & ibgp /32 -> NULL /32 ->NULL /32 -> <AnalysisIntf> Advertise IGP LSAs / /32 d.e.f.1/ / /30 d.e.f.3/29 d.e.f.2/29 d.e.f.4/29 Not Addressed No Routing Sniffer/Network Analyzer Advertise IGP LSA d.e.f.0/28 ibgp d.e.f.2 RRc of d.e.f.1 d.e.f.1 NH=self 41 NetFlow Collector/ Arbor System

42 BGP Triggers for Sinkholes - Addendum Configuration

43 Trigger Router s Config router bgp 100. redistribute static route-map static-to-bgp.! route-map static-to-bgp permit 10 description Std Redirect For Edge Drop description - Use Static Route with Tag of 66 match tag 66 set origin igp set next-hop set community NO-EXPORT!

44 Trigger Router s Config! route-map static-to-bgp permit 20 description Redirect For Sinkhole NULL0 Drop description - Use Static Route with Tag of 67 match tag 67 set origin igp set next-hop set community NO-EXPORT 67:67!!

45 Trigger Router s Config! route-map static-to-bgp permit 30 description Redirect For Sinkhole Analysis description - Use Static Route with Tag of 68 match tag 68 set origin igp set next-hop set community NO-EXPORT 68:68!!

46 Trigger Router s Config! route-map static-to-bgp permit 40 description Redirect For ANYCAST Sinkhole description - Use Static Route with Tag of 69 match tag 69 set origin igp set next-hop set community NO-EXPORT 69:69!!

47 Trigger Router s Config! route-map static-to-bgp permit 50 description Redirect For ANYCAST Sinkhole Analysis description - Use Static Route with Tag of 70 match tag 70 set origin igp set next-hop set community NO-EXPORT 70:70! route-map static-to-bgp permit 100

48 Sinkhole Triggers! Drop all traffic at edge of network ip route null0 tag 66!! Redirect victim traffic to Sinkhole ip route null0 tag 67!! Redirect victim traffic to Sinkhole for Analysis ip route null0 tag 68

49 ANYCAST Triggers! Redirect victim traffic to ANYCAST Sinkhole ip route null0 tag 69!! Redirect victim traffic to ANYCAST Sinkhole! for Analysis ip route null0 tag 70

50 Sinkhole Router Config router bgp 100. Neighbor peer-group INTERNAL neighbor INTERNAL route-map Redirect-to-Sinkhole in neighbor INTERNAL remote-as 100 neighbor d.e.f.1 peer-group INTERNAL! route-map Redirect-to-sinkhole permit 10 description - Send to Router's NULL0 Interface match community 67:67 set ip next-hop !

51 Sinkhole Router Config route-map Redirect-to-sinkhole permit 20 description - Send to Router's Analyzer Interface match community 68:68 set ip next-hop !

52 Sinkhole Router Config route-map Redirect-to-sinkhole permit 30 description ANYCAST drop match community 69:69 set ip next-hop !

53 Sinkhole Router Config route-map Redirect-to-sinkhole permit 40 description Anycast Analysis match community 70:70 set ip next-hop ! Route-map Redirect-to-sinkhole permit

54 Sinkhole Router Routing! For Std drop ip route null0!! For Analysis ip route interface FA0/0!! Bogus ARP for to stop ARP request ip arp c arpa!! For ANYCAST Sinkhole Services ip route <interface> 54

55 Sinkhole Router Routing No Default static route in Sinkhole. Sinkhole must not loop traffic back out Management Interface. Telnet access via router servicing the Sinkhole s Management Segment. 55

56 Sinkhole Router Sinkhole Router Redirected Traffic Analysis Segment Sniffer/Analyser Flow of Mgmt Data Neflow/Syslog Collector 56

57 Sinkhole Analysis Services Local Netflow Collector and Analyser Local Syslog Server Analyser remotely controlled I.e. VNC or Telnet 57

58 Results / Benefits Traffic pulled from Victim Control collateral damage ibgp Triggered Allows attack flow analysis 58

59 BackScatter Traceback Technique

60 Backscatter Traceback Technique Pioneered by Chris Morrow and Brian UUNET as a means of finding the entry point of a spoofed DOS/DDOS. Combines the Sink Hole router, Backscatter Effects of Spoofed DOS/DDOS attacks, and remote triggered Black Hole Filtering to create a traceback system that provides a result within ~10 minutes. 60

61 Backscatter Traceback Technique What is backscatter? ICMP Unreachable to SRC Packets Arrive SRC = DST = FIB = Null Null0 ICMP Process Packets whose destination is unreachable (even Null0) will have a ICMP Unreachable sent back. This unreachable noise is backscatter. 61

62 Backscatter Traceback Preparation 1. Sink Hole Router/Network connected to the network and ready to classify the traffic. Like before, BGP Route Reflector Client, device to analyze logs, etc. Can use one router to do both the route advertisement and logging OR break them into two separation routers one for route advertisement and the other to accept/log traffic Can be used for other Sink Hole functions while not using the traceback technique. Sink Hole Router can be a ibgp Route Reflector into the network. 62

63 Backscatter Traceback Preparation IXP-W Peer A Sink Hole Router Ready to advertise routes and accept traffic. Peer B IXP-E Upstream A Sink Hole Network Upstream A Upstream B Upstream B /24 Target POP G NOC

64 Backscatter Traceback Activation! router bgp 31337!! set the static redistribution to include a route-map so we can filter! the routes somewhat... or at least manipulate them! redistribute static route-map static-to-bgp!! add a stanza to the route-map to set our special next hop! route-map static-to-bgp permit 5 match tag 666 set ip next-hop set local-preference 50 set origin igp 64

65 Backscatter Traceback Activation # Setup the bgp protocol to export our special policy, like redistributing, NOTE: "XXX" # is the IBGP bgp group... we don't want to send this to customers do we? # set protocols bgp group XXX export BlackHoleRoutes # # Now, setup the policy option for BlackHoleRoutes, like a route-map if static route # with right tag, set local-pref low, internal, no-export can't leak these or Tony Bates # will have a fit, and set the nexthop to the magical next-hop. # set policy-statement BlackHoleRoutes term match-tag666 from protocol static tag 666 set policy-statement BlackHoleRoutes term match-tag666 then local-preference 50 set policy-statement BlackHoleRoutes term match-tag666 then origin igp set policy-statement BlackHoleRoutes term match-tag666 then community add no-export set policy-statement BlackHoleRoutes term match-tag666 then nexthop set policy-statement BlackHoleRoutes term match-tag666 then accept 65

66 Backscatter Traceback Preparation 2. All edge devices (routers, NAS, IXP Routers, etc) with a static route to Null0. The Test-Net is a safe address to use ( /24) since no one is using it. Cisco: Juniper: ip route Null0 set routing-options static route /32 reject install Routers also need to have ICMP Unreachables working. If you have ICMP Unreachables turned off (i.e. no ip unreachables on a Cisco), then make sure they are on. If ICMP Unreachable Overloads are a concern, use a ICMP Unreachable Rate Limit (i.e. ip icmp rate-limit unreachable command on a Cisco). 66

67 Backscatter Traceback Preparation Edge Router with Test-Net to Null0 IXP-W Peer A Edge Router with Test-Net to Null0 Peer B IXP-E Upstream A Sink Hole Network Upstream A Upstream B Upstream B /24 Target POP Edge Router with Test- Net to Null0 G NOC 67

68 Backscatter Traceback Preparation 3. Sink Hole Router advertising a large block of unallocated address space with the BGP no-export community and BGP Egress route filters to keep the block inside /3 is an example. Check with IANA for unallocated blocks: BGP Egress filter should keep this advertisement inside your network. Use BGP no-export community to insure it stays inside your network. 68

69 Backscatter Traceback Preparation IXP-W Peer A Sink Hole Router advertising /3 Peer B IXP-E Upstream A Sink Hole Network Upstream A Upstream B Upstream B /24 Target POP G NOC

70 Backscatter Traceback Activation Activation happens when an attack has been identified. Basic Classification should be done to see if the backscatter traceback will work: May need to adjust the advertised block. Statistically, most attacks have been spoofed using the entire Internet block. 70

71 Backscatter Traceback Activation 1.Sink Hole Router Advertises the /32 under attack into ibgp with. Advertised with a static route with the 666 tag: ip route victimip Null0 tag 666 or set routing-options static route victimip/32 discard tag 666 The static triggers the routers to advertise the customer s prefix 71

72 Backscatter Traceback Activation Edge Routers start dropping packets to the/32 IXP-W Peer A Sink Hole router advertises the /32 under attack with nexthop equal to the Test- Net Peer B Edge Routers start dropping packets to the/32 IXP-E Upstream A Sink Hole Network Upstream A Upstream B Upstream B /24 Target POP G NOC

73 Backscatter Traceback Activation 2. Black Hole Filtering is triggered by BGP through out the network. Packets to the target get dropped. ICMP Unreachable Backscatter starts heading for /3. Access list is used on the router to find which routers are dropping packets. access-list 101 permit icmp any any unreachables log access-list 101 permit ip any any 73

74 Backscatter Traceback Activation ICMP Unreachable backscatter will start sending packets to 96/3 IXP-W Peer A Sink Hole Router receive the backscatter to 96/3 with entry points of the attack Peer B ICMP Unreachable backscatter will start sending packets to 96/3 IXP-E Upstream A Sink Hole Network Upstream A Upstream B Upstream B /24 Target POP G NOC

75 Backscatter Traceback Activation SLOT 5:3w1d: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp > (3/1), 1 packet SLOT 5:3w1d: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp > (3/1), 1 packet SLOT 5:3w1d: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp > (3/1), 1 packet SLOT 5:3w1d: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp > (3/1), 1 packet SLOT 5:3w1d: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp > (3/1), 1 packet SLOT 5:3w1d: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp > (3/1), 1 packet SLOT 5:3w1d: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp > (3/1), 1 packet SLOT 5:3w1d: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp > (3/1), 1 packet 75