Control Plane Protection

Transcription

1 Control Plane Protection Preventing accidentally on purpose We really talking about making sure routers do what we expect. Making sure the route decision stays under our control.

2 Layer 2 Attacks ARP injections MAC address flooding

3 ARP Injection What is ARP injection? How can it be used? The only protection is to protect your communications, unless you control the switch. Perhaps add in what is arp?

4 What is ARP injection? ARP injection is where a on a shared layer 2 an attacker modifies the ARP table on one or more routers.

5 How does it work?

6 How does it work?

7 How does it work?

8 How does it work?

9 ARP injection What can it be used for? Switch flooding. Allows for traffic interception. Disrupting traffic flows.

10 Defenses? Dynamic ARP Inspection. Your whole layer two domain is on DHCP right? Other wise ARP ACL s :(

11 MAC address flooding What is it? How can it be used? Mac address limits on switch ports

12 What is MAC address flooding? Switches have a maximum number of ARP address they can store (in the tens of thousands normally) So you send more than it can handle. The switch turns into a hub and floods all traffic to all ports.

13 Network Flooding

14 Network Flooding

15 Success. Network Flooding

16 Switches STP VTP VLAN Hopping Native VLAN

17 STP What is STP? Potential attacks.

18 What is STP Allows a network of switches to automatically remove loops from a layer two network. It assists in directing traffic through the network So it could be used for intercepting traffic or disrupting traffic flow. Also sending a lot can cause STP to not converge.

19 VTP Cisco proprietary protocol for distributing vlan configuration. Never allow it to the outside world. Just disable it.

20 VLAN hopping Gaining access to a VLAN that was unintended. Harder than some people think. Potential to exploit DTP switchport nonegotiate switchport mode access

21 Native VLAN What is a native VLAN? When a port is a trunk, the native VLAN defines the behaviour of untagged packets. Don t run management or customer traffic over vlan 1. Force the native VLAN to use tagged packets, Also change it. switchport trunk native vlan tag switchport trunk native vlan 999 On unused ports change the default vlan to something else switchport access vlan 2

22 Layer 3 Protection ICMP Open Protocols

23 ICMP source-route redirects router advertisments unreachables proxy-arp gratuitous-arps mask-reply

24 Source routing Source routing allows the sender of the packet to choose the next hop. Don t allow random packets to choose their routing and ignore our policy.

25 Redirects Router won t accept them anyway, this disables sending. But don t send them as it s a leak of information.

26 Router Advertisements Used for advertising routers to a local subnet. For IPv4 abandoned, perhaps if you have a large layer two domain filter on the edges. For IPv6 it s enable automatically :( ipv6 nd ra suppress all

27 Unreachables no ip unreachables Rate limiting is now the default.

28 proxy-arp Please tell me no one is still using this!

29 ip arp gratuitous none Disable accepting ARP packets we didn t ask for. This disables the acceptance of unsolicited ARP packets. ip arp gratuitous none <- global C730F25E-343A-4C4A-9E8C-2662B09EA5C4 A9F7-1F8552D3CFED

30 mask-reply Disables replying to ICMP packets that request the subnet.

31 Echo Reply Request Don t disable it.

32 OSPF Make sure it s passive by default. Only enable it on internal networks. Always use MD5 authentication.

33 ebgp Security MD5 authentication TTL hack Prefix filters for inbound routes. Prefix filters for outbound routes.

34 MD5 Passwords Without means you trust everyone Prevents making connections without authentication. Also means corrupted packets will be dropped. But the MD5 sum needs to be verified for every packet.

35 TTL Protection Has anyone heard of this? It s pretty neat.

36 TTL Protection Most BGP connections are on directly connected routers. So the TTL should never be decremented. So if we set the TTL to one on our packets should never get back to an attacker.

37 TTL Protection But that doesn t save us from accepting those initial SYN packets. And calculating the MD5 sum for the packet :(

38 TTL Protection So instead set the TTL to 255. :) Must be hard to configure! If the TTL is less than 254, drop it.

39 TTL Protection! Configuration. bgp router AS neighbor <neighbour> ttl-security hops 1!! obviously needs to be done at both ends.! Only on ebgp!! check with show ip bgp neighbors <neighbour>! Look for;! Mininum incoming TTL 254, Outgoing TTL 255!

40 Prefix Filters They really need some thinking about before applying them. Policy needs to be thought about before creating.

41 Prefix Filters RFC 1918 address space? RFC 1122, 3927, 5736, 5737, 2544, 6333, 3068 and 6598? /8, /4 Loopback Address /8, /12, /16 Private Space /15 Network interconnection device testing /24 6to4 relay Anycast /16 Local link v /24, /24, /24 Test networks / / /24 IETF protocol assignments.

42 Prefix Filters Bogon Filtering

43 Prefix Filters Your own prefixes? For downstream customer, only accept their prefix. For upstream vendors you ll need to accept routes for customers that are multihoming.

44 Prefix Filters Customer filtering. Accept only what s assigned. Peer filtering. Get a prefix list from them, but still block bogons and your space. Provider filtering. Unlikely they would give you a prefix list, it would be too long anyway, still filter bogons and your space. Note that for peers, they may advertise other peers thus providing a limited form of transit as well. So check what your peers advertise. ftp://ftp-eng.cisco.com/cons/isp/security/ingress-prefix-filter-templates/t-ip-prefix-filter-ingress-loose-check-vcurrent.txt

45 Max Prefixes Should you accept 1,000,000 routes from everyone? Even customers? Is there one good number?

46 Communities + Route maps Settings communities on BGP routes is a great policy enforcement tool. Reduces the need to statically configure prefix lists at every peering point. Makes out bound prefix selection a breeze. If it s fast and easy it will be better maintained. Use route maps to apply policy to incoming and outgoing routes.

47 Internet Exchange Security Layer 2 issues. ARP injection MAC attacks (flooding) Layer 3 issues Non-Policy Routing. data/assets/pdf_file/0018/50706/apnic34-mike-jager-securing-ixp-connectivity_ pdf

48 Layer 2 Issues We ve talked about this already, but this is where you are most in danger of it happening. I ve never heard about anyone being attacked, so don t be too nervous.

49 Non-Policy Routing? What s that? When another organisation ignores advertised routing policy and makes up their own. Examples?

50 Free outbound transit Easy, just add a static route for a destination and send it to a router on the exchange. This isn t a how-to Of course you ll want to test it before put the route in.

51 Lay out, two AS both connected to the same exchange. Free outbound

52 AS10 notices that it s outbound traffic to it s upstream is busy. Doesn t want to pay for more bandwidth! Free outbound

53 They noticed that a lot of the traffic is going to AS30. They also notice that AS30 is connected directly to AS20. Free outbound

54 Free outbound So a less than ethical admin adds a route for /16 to send traffic via AS20 s router that is attached to the exchange.

55 Free outbound Now their traffic bound for AS30 goes via AS20 over their hopefully well provisioned exchange port. Now the link between and AS20 and AS30 is busy who pays for the upgrade?, or perhaps AS20 s exchange port gets busy, so they pay for an upgrade.

56 Free inbound transit Bit more difficult to do. Again this isn t a how to

57 Free inbound

58 Free inbound So advertise more specifics via a lower cost path. Perhaps you wouldn t want to advertise your whole address space de-aggregated.

59 Is this the only way to do it? Nope, you could just advertise subnet, or use appending ASs to your path. You could use this on peers as well. Free inbound

60 Free symmetric traffic. This is the most valuable type of stealing bandwidth. So the most specific and difficult. Still this is not a how to

61 So here we have AS10 is connected to two exchanges, along with AS20. Free symmetric transit

62 Free symmetric transit So AS10 has an expensive transit services between it s two POPs. But it s getting too busy, what to do? So an unethical admin notices that AS20 is connected to both exchanges as well.

63 Free symmetric transit So after a bit of testing adds static route for two subnets to send traffic via AS20.

64 Problem solved, for someone. Other ways to achieve that? Advertise those sub-subnets? Free symmetric transit

65 Defences? Prefixes lists. ACLs. Separate exchange router, recommended. Separate VRF.

66 The null0 route drops all the traffic for which there is no known routes. Exchange Router

67 VRF Lite Combined with urpf is a way to secure your peering interface. Creates a separate forwarding instance that allows you to select what routes are accessible from the exchange interface. Be warned it makes configurations difficult

68 Mike Jager Exchange security testing

69 v4 vs v6 Security Is there a difference in the control plane?

70 v4 vs v6 Security Actually there are some slight differences.

71 What s different? There s no ARP any more. Now there s multicast for neighbour discovery.

72 What s different? They insist on making our lives easier SLAAC via RD and RA s Source routing still available. Source routing is disabled by default in Cisco boxes, yay.

73 What s different? I can t heard wh..<bzzt> No more fragmentation on routers.

74 What s different? But that means ICMPv6 is important now. Neighbour discovery (v6 ARP) SLAAC Packet too big ICMP messages Also by the way, TTL has been renamed to Hop Limit, but also changing the function instead of being related to time spent in transit it refers to hop limit. Which everyone did anyway.

75 What s different? The max packet size allowable is now, 32**2-1 (That s over 4Gig in size) Can t wait to see what some operating systems make of that.

76 What s different? Privacy is harder to find with SLAAC But minimum allocations are /64 so the OS can use temporary addresses.

77 What s different? The addresses are HEAPS longer. Making management harder.

78 What s different? Tunneling? We got tunneling. 6to4 (automatic) Teredo (automatic) 6in4 (configured) All run over protocol 41, but can fallback to UDP. Perhaps a user installs some torrenting software, and they are now firewall free, inside your organisation.

79 What s different? Implementations are new, so there will be new bugs. Juniper was forwarding traffic to linklocal addresses?!