Routing Security: DDoS and Route Hijacks. Merike Kaeo, CEO, Double Shot Security


Routing Security: DDoS and Route Hijacks
Merike Kaeo, CEO, Double Shot Security, merike@doubleshotsecurity.com

DISCUSSION POINTS
- Understanding The Growing Complexity
- DDoS Attack Trends
- Packet Filters and RTBH
- Admitting We Need to Take More Action
- Our Collective Responsibility

HOW DO ANY ATTACKS START?
- Protocols have flaws
- Implementations have bugs
- Implementations have poor default settings
- Home users are IoT operators but not network engineers
- If someone floods traffic, how do you NOT cause collateral damage to legitimate traffic?

DDoS AND ROUTING INFRASTRUCTURES
- Distributed and mostly coordinated attacks
  - Increasing in rate and sophistication
  - Hundreds of Gbps is not uncommon in extreme cases
- Infrastructure availability at risk
  - Coordinated attack against infrastructure
  - Attacks against multiple infrastructure components
- Overwhelming amounts of data
  - Huge effort required to analyze
  - Lots of uninteresting events

AUTOMATED DDoS ATTACKS (diagram: Attacker on one side, Victim on the other)
1. Initiate port scan
2. Vulnerable hosts are compromised and attack tools installed
3. Further scanning for compromises
4. Massive DDoS attack launched

HISTORICAL VIEW: DoS
Single machine and relatively unsophisticated
- Ping of Death (1996): Attacker sends ping packet larger than 65,536 bytes
- Land.c (1997): Attacker sends TCP SYN spoofed packet where source and destination IPs and ports are identical
- Smurf (1999): Large number of ICMP messages sent using target spoofed source IP address and destination IP broadcast address
- Fraggle: Variation of Smurf attack using UDP port 7 (echo) and port 23 (chargen) instead of ICMP

HISTORICAL VIEW: DDoS
Multiple machines used to orchestrate attack: distributed and automated
- Trinoo (1999)
  - The attacker(s) control one or more "master" servers, each of which can control many "daemons". The daemons are all instructed to coordinate a packet-based attack against one or more victim systems.
  - Specific ports are used in communications
  - Utilizes UDP and ICMP Port Unreachable messages

HISTORICAL VIEW: DDoS
- TFN (Tribal Flood Network) (1999)
  - More sophisticated tool that can cause ICMP flood, SYN flood, UDP flood and Smurf-style attacks
  - Communications between attack infrastructures use ICMP echo and echo-reply packets
  - IP Identification and payload of ICMP echo-reply identify type of attack
  - IP address can be spoofed
- TFN2K (1999/2000): Newer variant of TFN that doesn't use specific ports
- Stacheldraht (2000): Combines features of Trinoo and original TFN tool; it can encrypt communications

OTHER WELL KNOWN ATTACKS
- YouTube [Blackhole Traffic]: Pakistan Telecom was ordered to block YouTube; YouTube's traffic was temporarily rerouted to Pakistan
- Turk Telekom [DNS Cache Poisoning]: Turkish president ordered censorship of Twitter; Turk Telekom's DNS servers were configured to return false IPs; Turk Telekom hijacked Google's IP addresses to disable using 8.8.8.8
- Mirai: Up to 1.2Gbps DDoS targeting Dyn
- Many, many more (many not in mainstream media): www.digitalattackmap.com

CURRENT DDoS TRENDS (chart) Source: Verisign DDoS Trends Report, Volume 5, Issue 1, 1st Quarter 2018

GAME CHANGERS: Peak Size, Duration, Complexity (chart) Source: Verisign DDoS Trends Report, Volume 5, Issue 1, 1st Quarter 2018

RECENT DNS ATTACK VIA ROUTE HIJACK
- Amazon route prefixes were hijacked
- Amazon's Route53 DNS traffic was re-routed towards a malicious DNS server
- The malicious DNS authoritative server had a legitimate IP address
- These malicious DNS authoritative servers sent DNS answers back to DNS resolvers that pointed to malicious sites (i.e. cache poisoning)
- Any query to DNS resolvers for names handled by Route53 would route traffic to malicious sites.

BGP ROUTE HIJACK (diagram callouts; speakers inferred from the diagram layout)
- Amazon Route53: "I usually announce 205.251.192.0/23, 205.251.194.0/23, 205.251.196.0/23, 205.251.198.0/23"
- Attacker: "I hijack the Amazon Route53 routes by sending more specific prefixes"
- Internet transit networks: "I don't prefix filter and propagate the BAD routes"; "I accept the Amazon Route53 ranges with more specific route prefixes (/24s) and send them on."
- Victim's recursive DNS servers: "I hear and believe the hijacked routes to Route53"
- Victim client sits behind the recursive DNS servers

DNS CACHE POISONING (diagram callouts; speakers inferred from the diagram layout)
- Victim client: "How do I get to the Ethereum site?"
- Victim's recursive DNS servers: "There is no entry in cache so let me go ask the authoritative DNS server"
- Internet: "I route the request to get to Route53 authoritative servers, which are now the malicious authoritative DNS servers"
- Malicious "authoritative Route53" DNS servers: "I send a fake answer for the Ethereum site to cache poison the recursive DNS servers"

ATTACK MITIGATION TECHNIQUES
- Route hijack would not have been possible if there had been effective BGP prefix filtering
  - Most environments do NOT filter comprehensively
  - ISPs should be filtering customers' prefixes
  - ISPs should be filtering prefixes going out of their network
- Route hijack would not have been possible if RPKI were used
- Recursive DNS server cache poisoning would not have been possible if DNSSEC had been deployed
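Added example (not from the slides): a Python model of why the hijacker's /24 more-specifics win the longest-prefix match against the legitimate /23s above, and how an RPKI/ROA-style maxLength check (or an equivalent prefix filter) rejects them before they reach the routing table. The /23 prefixes are the ones from the diagram; the /24 hijack prefixes, the covering ROA and the ASNs (RFC 5398 documentation values) are constructed assumptions.

```python
from ipaddress import ip_network, ip_address

# Constructed example. The /23s are the Route53 prefixes from the slide; the
# /24 more-specifics and the ASNs (RFC 5398 documentation values) are assumed.
LEGIT_ORIGIN, HIJACKER = 64500, 64511
LEGIT = [(p, LEGIT_ORIGIN) for p in ("205.251.192.0/23", "205.251.194.0/23",
                                     "205.251.196.0/23", "205.251.198.0/23")]
HIJACK = [("205.251.192.0/24", HIJACKER), ("205.251.193.0/24", HIJACKER)]

# ROA-style policy: (prefix, maxLength, authorised origin ASN). maxLength 23
# means nothing more specific than a /23 may be originated from this block.
ROAS = [("205.251.192.0/21", 23, LEGIT_ORIGIN)]

def validate(prefix, origin):
    """RPKI route origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ip_network(prefix)
    covering = [r for r in ROAS if net.subnet_of(ip_network(r[0]))]
    if not covering:
        return "notfound"          # no ROA covers it; policy usually accepts
    if any(net.prefixlen <= max_len and asn == origin
           for _, max_len, asn in covering):
        return "valid"
    return "invalid"               # too specific or wrong origin: reject

def best_origin(rib, dst):
    """Longest-prefix match, as a router's FIB lookup does."""
    addr = ip_address(dst)
    matches = [(ip_network(p), o) for p, o in rib if addr in ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def origin_reached(dst, announcements, filter_invalid):
    """Which origin AS receives traffic for dst, with or without filtering."""
    rib = [(p, o) for p, o in announcements
           if not (filter_invalid and validate(p, o) == "invalid")]
    return best_origin(rib, dst)

if __name__ == "__main__":
    print(origin_reached("205.251.192.10", LEGIT + HIJACK, False))  # 64511
    print(origin_reached("205.251.192.10", LEGIT + HIJACK, True))   # 64500
```

Without the filter the /24 wins and Route53 traffic lands at the hijacker; with it, the legitimate /23 is the only covering route left.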

WHY NETWORK HYGIENE MATTERS
- Best practices for network infrastructure security risk mitigation techniques have existed for decades
- Without deploying appropriate mitigation techniques we leave ourselves at risk for attackers to succeed with more sophisticated attacks.
- BGP and DNS have inter-dependencies which recently caused a successful attack.
- How many more attacks of this nature are in our immediate future?

DDoS AND ROUTER CPU OVERLOAD
- Attacks on applications affect CPU performance and lead to BGP instability
- Increasing numbers of infected hosts still use forged source IP addresses
- Small packet processing is taxing on many routers, even high-end architectures
- Filtering is useful but also has a CPU hit

DEFENDING AGAINST DDoS
- Packet filters at customer site
  - Must consider that packets have already traversed the link
  - Link could already be swamped
- Filters at ISP side could help
  - Requires human intervention
  - Requires serious CPU power on the ISP access router doing the filtering
- Using all the ISP's routers to help
  - Manually null route all traffic to the IP address under attack
  - Automated solution via Remotely Triggered Blackhole Filtering (RTBH)

REMOTELY TRIGGERED BLACKHOLE ROUTING
- BGP used to trigger network wide response
- Exploits router's forwarding logic to drop packets
  - Packets are forwarded to a Null interface (aka Discard Interface)
- Effective against spoofed and valid source IP addresses
- Fast response times
  - Triggers network wide black holes as fast as iBGP can update the network
- Operational Deployments/Standardization
  - Operationally used since the early 2000s
  - RFC3882 Configuring BGP to Block Denial-of-Service Attacks (2004)
  - RFC5635 Remotely Triggered Black Hole Filtering with uRPF (2009)
  - RFC7999 Blackhole Community (2016)

COMPONENTS OF RTBH (diagram): Trigger Router; iBGP sessions carrying the BGP Update to the Provider Edge Routers; eBGP sessions on which the Attack Traffic enters; TARGET

DESTINATION BASED RTBH
Steps: 1. Preparation, 2. Trigger, 3. Withdrawal
Trigger Router (TR):
1. TR configured to redistribute static into every iBGP peer
2. Add static route which sets next hop for the target destination to 192.0.2.6
3. Manually remove static route, which causes BGP route withdrawal
Provider Edge (PE):
1. PE configured with static route to unused space set to Null0 (192.0.2.6/32 set to Null0)
2. Receives iBGP update which states next hop for target is 192.0.2.6/32
3. Installs new (valid) route to target
NOTE: All traffic to the target is dropped, even legitimate traffic

UNICAST REVERSE PATH FORWARDING
- Originally created to scale BCP38 ingress filtering
- Check router's FIB for matching source IP address
- Strict vs Loose Mode
- Loose mode uRPF provided ISPs with the means to trigger a network wide, source based black hole filter

BLACKHOLE FILTER CPU ADVANTAGES (diagram: packets arrive; the FIB lookup forwards them to Null0/Discard, the "bit bucket", before the ingress packet filter and egress interface are ever consulted)
Blackhole Filtering Saves on CPU and ACL processing

SOURCE BASED RTBH
Steps: 1. Preparation, 2. Trigger, 3. Withdrawal
Trigger Router (TR):
1. TR configured to redistribute static into every iBGP peer
2. Add static route which sets next hop for the target destination to 192.0.2.6
3. Manually remove static route, which causes BGP route withdrawal
Provider Edge (PE):
1. PE configured with static route to unused space set to Null0 (192.0.2.6/32 set to Null0) and loose mode uRPF on external interfaces
2. Receives iBGP update which states next hop for target is 192.0.2.6/32. All traffic from the source IP will fail the loose uRPF check.
3. Installs new (valid) route to target
NOTE: Only traffic from the attack sources gets dropped
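Added example (not the presenter's code): a Python model of the PE router's FIB behaviour behind both RTBH variants above. The discard prefix 192.0.2.6/32 pointed at Null0 is from the slides; the customer, upstream and attack-source addresses (RFC 5737 ranges) and the "directly connected" 10.0.0.x next hops are constructed assumptions. For the source-based case the triggered static route covers the attack source rather than the target, so that loose uRPF rejects only packets from that source.

```python
from ipaddress import ip_network, ip_address

NULL0 = "Null0"

def build_fib():
    """Constructed PE FIB: prefix -> next hop. 192.0.2.6/32 -> Null0 is the
    RTBH preparation step from the slides; the other entries are assumed."""
    return {
        "192.0.2.6/32": NULL0,           # unused space statically discarded
        "198.51.100.0/24": "10.0.0.1",   # customer prefix; the TARGET lives here
        "203.0.113.0/24": "10.0.0.254",  # Internet prefix learned from upstream
        "0.0.0.0/0": "10.0.0.254",       # default route towards upstream
    }

def lookup(fib, addr, ignore_default=False):
    """Longest-prefix match; returns the next hop string or None."""
    a = ip_address(addr)
    cands = [ip_network(p) for p in fib if a in ip_network(p)
             and not (ignore_default and ip_network(p).prefixlen == 0)]
    return fib[str(max(cands, key=lambda n: n.prefixlen))] if cands else None

def resolve(fib, addr, ignore_default=False):
    """Recursive next-hop resolution: a next hop of 192.0.2.6 resolves to Null0."""
    hop = lookup(fib, addr, ignore_default)
    if hop in (None, NULL0) or hop.startswith("10."):
        return hop                       # 10.x next hops are assumed connected
    return lookup(fib, hop)              # one level of recursion is enough here

def trigger(fib, prefix):
    """TR adds a static route with next hop 192.0.2.6; iBGP carries it to the PE."""
    fib[prefix] = "192.0.2.6"

def withdraw(fib, prefix):
    """TR removes the static route; the BGP withdrawal removes it from the PE."""
    fib.pop(prefix, None)

def forward(fib, src, dst, loose_urpf=False):
    """Decision for one packet: 'drop-urpf', 'drop-dst' or 'forward'."""
    # Loose uRPF: the source must resolve to a real route on any interface.
    # The default route does not satisfy the check (no allow-default here),
    # and a route resolving to Null0 fails it, which is what source-based
    # RTBH relies on.
    if loose_urpf and resolve(fib, src, ignore_default=True) in (None, NULL0):
        return "drop-urpf"
    if resolve(fib, dst) in (None, NULL0):   # destination-based RTBH drop
        return "drop-dst"
    return "forward"
```

Triggering 198.51.100.7/32 drops every packet to the target, legitimate or not; triggering the attack source 203.0.113.9/32 with loose uRPF enabled drops only that source while 203.0.113.10 still reaches the target.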

COMBINE PACKET FILTERS AND RTBH
- Packet Filter Strengths
  - Detailed filtering (ports, protocols, ranges, fragments, etc.)
  - Enlist support of upstream ISP
- Packet Filter Weaknesses
  - Operationally challenging with frequent changes
  - Difficult to deploy simultaneously on a multitude of devices
- Utilize Both Packet Filters and RTBH to Address Strengths
  - Packet filters handle the strict static policies
  - uRPF remote-triggered black hole handles the dynamic source-based drops

ADDED CONSIDERATIONS
- Deploy Ingress Filtering [IETF - BCP 38]
- Segment Areas for Route Distribution
- Design Networks to Avoid Fate Sharing
  - Outages don't affect entire network but only portions of it
- Control Router Access
  - Watch against internal attacks [physical and/or virtual]
  - Use different credentials for router root ("enable") access
  - Use cryptographically protected protocols for device access and management (SSH, NTP, SNMP, SCP, etc.)
- Monitor for Configuration Changes
- Scanning Craze for all Kinds of Ports and Vulnerabilities Will Be a Never Ending Battle

ASSUMING RESPONSIBILITY
"A smart man learns from his own mistakes, a wise man learns from the mistakes of others, and a fool never learns."