UDP-based Amplification Attacks and its Mitigations

Transcription

1 UDP-based Amplification Attacks and its Mitigations Yoshiaki Kasahara 1/21/2014 APAN 37th in Bandung, Indonesia 1

2 Summary If you have servers with global IP addresses 1. Make sure you don t have NTP servers answering monlist query 2. Make sure you don t have open DNS resolvers (If you are a network admin) consider implementing ingress/egress filter at the border router 1/21/2014 APAN 37th in Bandung, Indonesia 2

3 UDP: User Datagram Protocol Defined in RFC 768 This protocol provides a procedure for application programs to send messages to other programs with a minimum of protocol mechanism. The protocol is transaction oriented, and delivery and duplicate protection are not guaranteed. Applications requiring ordered reliable delivery of streams of data should use the Transmission Control Protocol (TCP) [2]. Very simple, light weight protocol on top of IP Basically just add port numbers 1/21/2014 APAN 37th in Bandung, Indonesia 3

4 UDP-based protocols (examples) DNS: Domain Name System NFS: Network File System NTP: Network Time Protocol SNMP: Simple Network Management Protocol DHCP: Dynamic Host Configuration Protocol TFTP: Trivial File Transfer Protocol Syslog Streaming / VoIP UDP is used for... Simplicity Less overhead (latency) Broadcast / Multicast 1/21/2014 APAN 37th in Bandung, Indonesia 4

5 What s wrong? Source Address Spoofing UDP itself doesn t validate the peer address Send packets with spoofed source address, and reply packets will go to the spoofed address Not a new problem (known before 2000) Traffic Amplification Servers may return packets larger than a client s query packet 1/21/2014 APAN 37th in Bandung, Indonesia 5

6 Normal Communication Source Dest. A B Source Dest. B A Host A Host B 1/21/2014 APAN 37th in Bandung, Indonesia 6

7 Source Address Spoofing Source Dest. C B Host A Host B Source Dest. B C Host C 1/21/2014 APAN 37th in Bandung, Indonesia 7

8 Amplification Source C Source C Dest. SourceB C Dest. SourceB C Dest. B Dest. B Query packets Host A Host B Source B Source B Dest. SourceC B Dest. SourceC B Dest. C Dest. C Reply packets (with large payloads) Host C 1/21/2014 APAN 37th in Bandung, Indonesia 8

9 Distributed DoS Botnet Spoofed queries Open UDP Servers Huge replies Host C 1/21/2014 APAN 37th in Bandung, Indonesia 9

10 Mitigations It is almost impossible to mitigate attack at the victim side DDoS packets might come from all over the world Vulnerable servers should be closed Ultimately spoofed packet should be prohibited at the source side BCP38 1/21/2014 APAN 37th in Bandung, Indonesia 10

11 Ongoing targets (AFAIK) NTP More than 1M vulnerable servers (as of Jan-2014) (report from DNS Almost 30M servers (as of Oct-2013) (report from SNMP chargen echo (reflection only) 1/21/2014 APAN 37th in Bandung, Indonesia 11

12 NTP Network Time Protocol Used to synchronize clock via the Internet NTP daemon (ntpd) can be used as both client and server Around last Christmas, amplification attack using NTP started to emerge Using monlist query against NTP servers to amplify traffic 1/21/2014 APAN 37th in Bandung, Indonesia 12

13 monlist is a remote command in older version of NTP that sends the requester a list of the last 600 hosts who have connected to that server % ntpdc -nc monlist localhost remote address port local address count m ver code avgint lstint =============================================================================== :: :: c c c c c The reply of monlist is considerably larger than its query Also it might leak intranet IP address usage 1/21/2014 APAN 37th in Bandung, Indonesia 13

14 How to fix Removed in ntpd 4.2.7p26 (development version) Not in stable version yet Some venders had released fixes independently Workaround deny queries by restrict command restrict default nomodify nopeer noquery notrap restrict # allow query from localhost 1/21/2014 APAN 37th in Bandung, Indonesia 14

15 Check your hosts Unix/Linux host might be running ntpd Even some gateway routers have the same function Send monlist command from another host and see the result % ntpdc -nc monlist xxx.xxx xxx.xxx: timed out, nothing received ***Request timed out If you see a list of IP addresses, your host can be abused You can use nmap network scanner to find if a host is running NTP service or not 1/21/2014 APAN 37th in Bandung, Indonesia 15

16 Filtering? You need to allow query packets from your network to external NTP servers, and their replies Many systems have preconfigured NTP servers such as time.windows.com and time.apple.com Filtering by simple ACL is difficult Not all the client implementation uses ephemeral ports ntpd uses port 123 for both source and destination ports Cannot distinguish if a packet is a query or reply based on its port numbers Modern (stateful) firewall should handle that properly 1/21/2014 APAN 37th in Bandung, Indonesia 16

17 DNS Domain Name System Hierarchical, distributed naming system Mainly used for mapping easily-memorable domain names to numeric IP addresses One of fundamental components of the Internet 1/21/2014 APAN 37th in Bandung, Indonesia 17

18 DNS servers DNS server actually has two meanings Authoritative or Contents server Provide information of zones ( domains) to others Recursive or Cache server (resolver) Ask information to other auth servers on behalf of stub resolver of client hosts Sometimes both function is on the same host (hybrid server) 1/21/2014 APAN 37th in Bandung, Indonesia 18

19 (Simplified) Diagram Authoritative Server of. (root server) Cache Server Authoritative Server of jp Client PC (Stub Resolver) Authoritative Server of kyushu-u.ac.jp 1/21/2014 APAN 37th in Bandung, Indonesia 19

20 Open Resolver is a cache server which replies to recursive query from everywhere Good target for DNS Amp Attackers can let it cache any data they want, to make the amplification more efficient Your cache server should serve only for your clients (inside your network) You can write acl in named.conf to limit clients IP ranges 1/21/2014 APAN 37th in Bandung, Indonesia 20

21 Filtering? You cannot blindly filter DNS packets toward your network Authoritative server must receive packets from all the Internet You need to collect a list of authoritative servers and exclude them But then you cannot filter hybrid (act as both auth and cache) servers 1/21/2014 APAN 37th in Bandung, Indonesia 21

22 Response Rate Limiting (RRL) Query toward auth server cannot be filtered Rate-limit to reduce impact of amplification Due to caching, auth server shouldn t receive repeating query from the same resolver 1/21/2014 APAN 37th in Bandung, Indonesia 22

23 Implementation BIND Officially supported from Patch available for 9.7 and 9.8 Available at This page discusses both RPZ (Response Policy Zone) and RRL Some Linux distributions independently backported patches to their packages (including RHEL6, Debian etc) NSD Supported by both NSD3 ( and later) and NSD4 1/21/2014 APAN 37th in Bandung, Indonesia 23

24 Separating servers BIND (a reference implementation of DNS) has both authoritative and cache server functionalities in one binary In old days it was fine, but If you are running one BIND instance for both authoritative and cache server (hybrid), Please consider separating them to two different IP addresses (possibly on separate hosts) Easier configuration and trouble shooting Easier filtering and rate control 1/21/2014 APAN 37th in Bandung, Indonesia 24

25 Legacy configuration Hybrid Server Client PC (Stub Resolver) Another Cache Server Authoritative Servers 1/21/2014 APAN 37th in Bandung, Indonesia 25

26 Separated configuration Cache Server Client PC (Stub Resolver) Auth. Server Authoritative Servers 1/21/2014 Another Cache Server APAN 37th in Bandung, Indonesia 26

27 Other Protocols SNMP (port 161) If you know community string, you can send a query packet and receive answer Some major implementation has the default string public for read-only community (it is enough for amplification) chargen (port 19) Fossil service emitting a large character stream echo (port 7) Return the same contents of received packets No amplification, reflection only 1/21/2014 APAN 37th in Bandung, Indonesia 27

28 Other Protocols These protocol should be filtered at the border router SNMP Don t forget to change community string chargen and echo Check /etc/inetd.conf and make sure the service is disabled #chargen dgram udp wait root internal On Windows, chargen and echo can be enabled by enabling Simple TCP/IP Services Please make sure your PC doesn t respond telnet hostname 19 Scan your host by nmap if suspicious 1/21/2014 APAN 37th in Bandung, Indonesia 28

29 In Kyushu University... Timeline Feb Sporadically seen spoofed DNS query to open resolvers Apr Started to filter DNS packets from outside except registered authoritative DNS servers Sep Massive spoofed DNS traffic toward some of these (excluded) DNS servers observed DoS protection based on simultaneous session count enabled on our firewall Jan Spoofed NTP traffic toward a switch consume 100% CPU NTP filtering installed 1/21/2014 APAN 37th in Bandung, Indonesia 29

30 Some Details Massive DNS traffic to our network in Sep Some of our hybrid DNS servers were used as reflectors The traffic itself was not huge enough to fill our uplink, but... Our (next generation) firewall collapsed by its DPI functionality Several signatures to inspect DNS traffic (to detect some malwares) consumed 100% resources Internet connection became very unstable (maybe because DNS traffic was choked) 1/21/2014 APAN 37th in Bandung, Indonesia 30

31 At that time... Cache-only DNS servers had already been filtered Authoritative servers were visible from the Internet and some of them were hyblid open resolvers... We postponed to tell them fix these servers (my bad) After the attack, we started to fix these servers, but spoofed traffic won t stop Maybe attackers didn t care much about individual targets We enabled DoS protection (limiting the number of simultaneous sessions) which causes other problems (it is another story) 1/21/2014 APAN 37th in Bandung, Indonesia 31

32 Ingress Filtering BCP38 (RFC2827): Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing First published as RFC2267 in 1998 Revised in 2000 Idea is simple Drop packets entering a network at the border router whose source address is not same as the assigned network address of the origin network 1/21/2014 APAN 37th in Bandung, Indonesia 32

33 Ingress Filtering: Example Source The Internet Kyushu University /16 Source Allow packets with valid source address only 1/21/2014 APAN 37th in Bandung, Indonesia 33

34 Caveats Conventional Mobile IP will break A mobile device will send packets with their home address (triangle routing) Need to tunnel returning packet by home agent Reverse path tunneling Multihoming Discussed in BCP84 (RFC 3704) 1/21/2014 APAN 37th in Bandung, Indonesia 34

35 Egress Filtering Similar Idea to Ingress Filtering Drop packets leaving the network at the border router which violate the security policy of the network (such as the source address is not same as the assigned network address) Bad customers won t implement Egress Filter Still useful for larger edge network with many consumers (such as universities, enterprise ) 1/21/2014 APAN 37th in Bandung, Indonesia 35

36 Egress Filtering: Example Source The Internet Kyushu University /16 Source Allow packets with valid source address only 1/21/2014 APAN 37th in Bandung, Indonesia 36

37 Summary (again) If you have servers with global IP addresses 1. Make sure you don t have NTP servers answering monlist query 2. Make sure you don t have open DNS resolvers (If you are a network admin) consider implementing ingress/egress filter at the border router 1/21/2014 APAN 37th in Bandung, Indonesia 37

38 References Please try the following URL to check your systems and read how-to NTP Scanning Project Open Resolver Project 1/21/2014 APAN 37th in Bandung, Indonesia 38

39 Thank you for your attention! Yoshiaki Kasahara 1/21/2014 APAN 37th in Bandung, Indonesia 39