Threat Pragmatics
25-29 June 2018, PacNOG 22, Honiara, Solomon Islands
Revision: 1

Target
- Many sorts of targets:
  - Network infrastructure
  - Network services
  - Application services
  - User machines
- What's at risk?
Attacks on Different Layers

OSI Reference Model: Application, Presentation, Session, Transport, Network, Data Link, Physical
TCP/IP Model (layer, protocols, attacks):
- Layer 7 Application: HTTP, FTP, IMAP, LDAP, NTP, Radius, SSH, SMTP, SNMP, Telnet, DNS, DHCP; Layer 5: NFS, Socks
  Attacks: DNS poisoning, phishing, SQL injection, spam/scam
- Layer 4 Transport: TCP, UDP, SCTP
  Attacks: TCP attacks, routing attack, SYN flooding
- Layer 3 Internet: IPv4, IPv6, ICMP, ICMPv6, IGMP
  Attacks: ping/ICMP flood, sniffing
- Layer 2 Network Access (Link Layer): Ethernet, PPP, ARP, NDP
  Attacks: ARP spoofing, MAC flooding

Layer 2 Attacks
- ARP spoofing
- MAC attacks
- DHCP attacks
- VLAN hopping
ARP Spoofing
Diagram: Machine A (10.0.0.1, AA-AA-AA-AA-AA-AA) wants to connect to 10.0.0.3 but does not know its MAC address, so it broadcasts an ARP request. Machine C (10.0.0.3, CC-CC-CC-CC-CC-CC) sends an ARP reply: "Wait, I am 10.0.0.3!" Machine D (10.0.0.4, DD-DD-DD-DD-DD-DD) also sends an ARP reply: "I am 10.0.0.3. This is my MAC address." Machine B (10.0.0.2, BB-BB-BB-BB-BB-BB) is also on the segment.
- ARP cache poisoned: Machine A connects to Machine D (not C)

MAC Flooding
- Exploits a limitation of all switches
- CAM = Content Addressable Memory: stores the mapping of individual MAC addresses to physical ports on the switch
- Attacker floods the switch interface with a very large number of Ethernet frames with different fake source MAC addresses
- CAM table in the diagram: Port 1 -> 00:01:23:45:67:A1, Port 2 -> 00:01:23:45:67:B2, Port 3 -> 00:01:23:45:67:C3, Port 4 -> 00:01:23:45:67:D4
DHCP Attacks
- DHCP starvation attack
  - Broadcasting a vast number of DHCP requests with spoofed MAC addresses simultaneously
  - DoS attack using DHCP leases: the server runs out of IP addresses to allocate to valid users
  - Diagram: the attacker sends many different DHCP requests with many spoofed addresses
- Rogue DHCP server attacks

Man in the Middle Attacks (Wireless)
- Creates a fake access point and has clients authenticate to it instead of a legitimate one
- Captures traffic to see usernames, passwords, etc. that are sent in clear text
Link-Layer Defense: Dynamic ARP Inspection
- Protects against ARP spoofing
- Uses DHCP snooping
- Forwards ARP packets on trusted interfaces without checks
- Intercepts all ARP packets on untrusted ports and checks them against the IP-to-MAC binding
- Drops (and logs) if there is no valid binding

Link-Layer Defense: Port Security
- Protects the MAC table
- Limits the number of MACs per port (static or sticky learning)
- Forwards valid frames (valid source MACs) and drops invalid frames
- A violation could trigger:
  - Dropping of invalid frames and port shutdown, or
  - Dropping frames with/without notification
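As an added example (not from the PacNOG slides), a minimal model of the Dynamic ARP Inspection logic described above: ARP packets on trusted ports are forwarded unchecked, packets on untrusted ports are checked against the DHCP-snooping IP-to-MAC binding table and dropped and logged on mismatch. The binding table mirrors the ARP spoofing slide; the port names (Gi0/x) are assumed.

```python
from dataclasses import dataclass, field

@dataclass
class ArpPacket:
    port: str        # ingress switch port
    sender_ip: str   # ARP sender protocol address (the IP being claimed)
    sender_mac: str  # ARP sender hardware address
    op: str          # "request" or "reply"

@dataclass
class DaiSwitch:
    trusted_ports: set
    bindings: dict   # DHCP snooping binding table: ip -> (mac, port)
    log: list = field(default_factory=list)

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop' for one ARP packet, as DAI would."""
        if pkt.port in self.trusted_ports:
            return "forward"             # trusted interface: no check
        binding = self.bindings.get(pkt.sender_ip)
        if binding == (pkt.sender_mac, pkt.port):
            return "forward"             # claimed IP/MAC/port match the lease
        self.log.append(f"DAI drop on {pkt.port}: ARP {pkt.op} claims {pkt.sender_ip} "
                        f"is at {pkt.sender_mac}; snooping binding={binding}")
        return "drop"

# Constructed binding table mirroring the ARP spoofing slide; port names are assumed.
BINDINGS = {
    "10.0.0.1": ("AA-AA-AA-AA-AA-AA", "Gi0/1"),
    "10.0.0.3": ("CC-CC-CC-CC-CC-CC", "Gi0/3"),
    "10.0.0.4": ("DD-DD-DD-DD-DD-DD", "Gi0/4"),
}

def run_demo():
    sw = DaiSwitch(trusted_ports={"Gi0/24"}, bindings=BINDINGS)  # Gi0/24 = uplink
    pkts = [
        ArpPacket("Gi0/3", "10.0.0.3", "CC-CC-CC-CC-CC-CC", "reply"),   # genuine reply from C
        ArpPacket("Gi0/4", "10.0.0.3", "DD-DD-DD-DD-DD-DD", "reply"),   # D claims to be 10.0.0.3
        ArpPacket("Gi0/24", "10.0.0.9", "EE-EE-EE-EE-EE-EE", "reply"),  # trusted uplink, unchecked
    ]
    return [sw.inspect(p) for p in pkts], sw.log

if __name__ == "__main__":
    verdicts, log = run_demo()
    print(verdicts)          # ['forward', 'drop', 'forward']
    print("\n".join(log))
```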
Link-Layer Defense: 802.1X
- Identity-based network access control
- Protection against rogue devices (DHCP server or AP) attaching to a LAN

Layer 3 Attacks
- ICMP ping flood
- ICMP Smurf
- Ping of death
ICMP Smurf
Diagram: the attacker sends an echo request with source IP = victim to a broadcast-enabled network; every host on that network sends its echo reply to the "actual destination", the victim.
- ICMP Smurf is one type of DDoS attack
- Other forms of ICMP attack: ping of death
- Defense: disable directed broadcast
  no ip directed-broadcast

Routing Attacks
- Malicious route insertion
- Poison the routing table
  - To divert traffic and eavesdrop
  - Analyse/modify/drop packets
- BGP attacks
  - Hijack prefixes
  - Tamper with the path information
Defense: Routing Attacks
- Authenticate the source of routing updates (peer authentication)
- Origin validation
  - Rolled out today as RPKI
  - ROA (resource certificate) signed by the owner
  - Verifies the origin AS (signed route announcement)
- Path validation
  - Sign the full path (ASNs traversed)
  - In IETF process as BGPsec

TCP Attacks
- A SYN flood occurs when an attacker sends SYN requests in succession to a target
- It causes a host to retain enough state for bogus half-connections that there are no resources left to establish new legitimate connections
TCP Attacks
- Exploits the TCP 3-way handshake
- Attacker sends a series of SYN packets without replying with the ACK packet
- Finite queue size for incomplete connections
Diagram 1 (normal handshake): client -> SYN -> server; server -> SYN+ACK -> client; client -> ACK -> server; CONNECTION ESTABLISHED.
Diagram 2 (SYN flood): attacker -> SYN -> server (victim); server -> SYN+ACK -> attacker; the ACK never comes ("ACK?"), and the server's table of OPEN CONNECTIONS fills with half-open entries.
Application Layer Attacks
- Scripting vulnerabilities
- Cookie poisoning
- Buffer overflow
- Hidden field manipulation
- Parameter tampering
- Cross-site scripting
- SQL injection

DoS
- A Denial of Service attack aims to disrupt the availability of a service such as a machine or network resource by:
  - Flooding (bandwidth, number of connections)
  - Crashing the service
- Nowadays also known as "stress tests"
Layer 7 DDoS Attack
- Traditional DoS attacks focus on Layer 3 and Layer 4
- In Layer 7, a DoS attack is targeted at the applications, disguised as legitimate packets
- The aim is to exhaust application resources (bandwidth, ports, protocol weaknesses), rendering the application unusable
- Includes: HTTP GET, HTTP POST, Slowloris, LOIC / HOIC, RUDY (R-U-Dead Yet)

Layer 7 DDoS: Slowloris
- Incomplete HTTP requests
- Properties:
  - Low bandwidth
  - Keeps sockets alive
  - Only affects certain web servers
  - Doesn't work through load balancers
  - Managed to work around accf_http
Distributed Denial of Service Attack
(diagram only)

DNS Attack Example
- On 26 January 2015, the Domain Name System (DNS) was compromised and users were redirected to a hacker website
DNS Changer
- Criminals have learned that if they can control a user's DNS servers, they can control what sites the user connects to on the Internet
- How: infect computers with malicious software (malware)
  - This malware changes the user's DNS settings to those of the attacker's DNS servers
  - Points the DNS configuration to DNS resolvers in specific address blocks and uses them for their criminal enterprise

DNS Changer - Defense
- Find out if you are infected
  - FBI: forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-dns
  - Rogue resolver address blocks: 64.28.176.0/20; 67.210.0.0/20; 77.67.83.0/24; 85.255.112.0/20; 93.188.160.0/23; 213.109.64.0/20
  - DNSChanger Working Group: www.dcwg.org/fix/
- Clean up
  - Run free anti-malware tools
  - The DNSChanger WG site maintains clean-up guides and a list of free tools to remove the malware
  - Firewall rules to only allow queries to legitimate servers
DNS Cache Poisoning
- Caching an incorrect resource record that did not originate from an authoritative DNS source
- Result: the connection (web, email, network) is redirected to another target (controlled by the attacker)

DNS Cache Poisoning (diagram)
1. Client -> DNS caching server: "I want to access www.example.com"
2. The caching server queries Root/GTLD and then ns.example.com with QID=64571
3. The attacker, pretending to be the authoritative zone, sends a stream of spoofed answers (QID=64569, QID=64570, QID=64571 ... match!) claiming www.example.com is 192.168.1.99; the genuine answer from ns.example.com says www.example.com is 192.168.1.1 (the real webserver)
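As an added example (not from the slides), the checks a caching resolver applies before accepting an answer, going beyond the QID match in the diagram to the source-port and bailiwick checks resolvers also use, which is why sequential QIDs alone no longer suffice. The resolver's source port (53217) and the address of ns.example.com (192.0.2.53) are constructed; the QIDs and rdata are those on the slide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Query:
    qid: int
    src_port: int    # resolver's UDP source port for this query
    qname: str
    server_ip: str   # authoritative server the query was sent to

@dataclass(frozen=True)
class Response:
    qid: int
    dst_port: int
    src_ip: str
    qname: str
    answers: tuple   # ((owner, rdata), ...)

def validate(pending: dict, rsp: Response) -> str:
    """Return 'accept' or the reason a response is discarded.
    pending maps (qid, port) -> Query for queries still in flight."""
    q = pending.get((rsp.qid, rsp.dst_port))
    if q is None:
        return "reject: no in-flight query with this QID and port"
    if rsp.src_ip != q.server_ip:
        return "reject: not from the server that was queried"
    if rsp.qname.lower() != q.qname.lower():
        return "reject: question section does not match"
    zone = q.qname.lower().split(".", 1)[1]           # e.g. "example.com."
    if not all(o.lower().endswith(zone) for o, _ in rsp.answers):
        return "reject: record outside the server's bailiwick"
    return "accept"

# Constructed scenario from the slide: QID 64571 is in flight to ns.example.com.
NS_IP = "192.0.2.53"                                   # assumed address of ns.example.com
PENDING = {(64571, 53217): Query(64571, 53217, "www.example.com.", NS_IP)}
GENUINE = Response(64571, 53217, NS_IP, "www.example.com.", (("www.example.com.", "192.168.1.1"),))
# Spoofed answers guess sequential QIDs but assume the resolver still listens on port 53.
SPOOFED = [Response(q, 53, NS_IP, "www.example.com.", (("www.example.com.", "192.168.1.99"),))
           for q in (64569, 64570, 64571)]
# Even with QID and port right, an extra out-of-zone record gets the whole answer refused.
INJECTED = Response(64571, 53217, NS_IP, "www.example.com.",
                    (("www.example.com.", "192.168.1.99"), ("www.bank.example.", "192.168.1.99")))

def run_demo():
    return {"genuine": validate(PENDING, GENUINE),
            "spoofed": [validate(PENDING, r) for r in SPOOFED],
            "injected": validate(PENDING, INJECTED)}
```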
Best Practices
- Preventing unauthorised changes / transfers
  - Registry lock services
  - 2-factor authentication
- DNSSEC
  - Can be used to protect the communication between authoritative servers, and between authoritative servers and cache servers

Amplification Attacks
- Distributed Reflection Denial of Service attack
- No need for a botnet, just use existing servers with UDP services
- Some services can be misused because they amplify the request: DNS, NTP, SNMP, ...
  - 1 small query in, 1 large answer out
- This misuse can be avoided by disabling specific options or implementing firewall rules
- Typical amplification factors:
  - DNS: ~50-100
  - NTP: ~500-5000
  - SNMP: ~6-12
DNS Amplification Attack
- A type of reflection attack combined with amplification
  - The source of the attack is reflected off another machine
  - The traffic received is bigger (amplified) than the traffic sent by the attacker
- The UDP packet's source address is spoofed

DNS Amplification (diagram)
The attacker directs compromised machines to send queries for www.example.com to a DNS recursive server with the source IP spoofed to the victim's address; the recursive server resolves the name via Root/GTLD and ns.example.com (www.example.com = 192.168.1.1) and delivers the large answers to the victim machine.
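As an added example (not from the slides) covering the two amplification slides above, a report a server operator could run over their own UDP flow records to spot their DNS, NTP or SNMP service being used as a reflector, using the typical amplification factors the slide quotes as per-port thresholds. The flow records and addresses are constructed.

```python
from collections import defaultdict

# Typical amplification factors quoted on the slide, per UDP service port.
TYPICAL_FACTOR = {53: (50, 100), 123: (500, 5000), 161: (6, 12)}

# Constructed flow records as a server might export them:
# (service_port, client_ip, request_bytes, response_bytes)
FLOWS = [
    (53,  "198.51.100.7", 60, 3900),   # large answers, repeated to one "client"
    (53,  "198.51.100.7", 60, 3900),
    (53,  "198.51.100.7", 60, 3900),
    (53,  "198.51.100.7", 60, 3900),
    (53,  "203.0.113.12", 58, 120),    # ordinary A-record lookup
    (123, "198.51.100.7", 8, 440),     # one big reply only; too few to flag
    (161, "203.0.113.30", 80, 700),
    (161, "203.0.113.30", 80, 700),
    (161, "203.0.113.30", 80, 700),
]

def reflector_report(flows, min_queries=3, default_factor=10):
    """Aggregate per (port, client) and flag clients that received at least
    min_queries answers with a response/request byte ratio at or above the
    low end of the typical factor for that port (default_factor for unknown
    ports). The flagged 'client' is normally the spoofed victim, so the remedy
    is rate limiting or disabling the abused feature, not blocking the client."""
    agg = defaultdict(lambda: [0, 0, 0])   # (port, client) -> [count, req_bytes, rsp_bytes]
    for port, client, req, rsp in flows:
        a = agg[(port, client)]
        a[0] += 1
        a[1] += req
        a[2] += rsp
    flagged = []
    for (port, client), (n, req, rsp) in sorted(agg.items()):
        factor = rsp / req if req else float("inf")
        lo, hi = TYPICAL_FACTOR.get(port, (default_factor, None))
        if n >= min_queries and factor >= lo:
            flagged.append({"port": port, "client": client, "queries": n,
                            "factor": round(factor, 1), "typical": (lo, hi)})
    return flagged

if __name__ == "__main__":
    for row in reflector_report(FLOWS):
        print(row)
```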
Source IP Spoofing Defense: BCP38 (RFC 2827)
- Since 1998! https://tools.ietf.org/html/bcp38
- Only allow traffic with valid source addresses:
  - To leave your network: only from your own address space
  - To enter/transit your network: only from downstream customer address space

This document is uncontrolled when printed. Before use, check the APNIC electronic master document to verify that this is the current version.

uRPF: Unicast Reverse Path Forwarding
- The router verifies whether the source address of any packet received is in the FIB table and reachable (routing table)
- Drop if not valid!
- Recommended on customer-facing interfaces
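As an added example (not from the slides), the BCP38 egress/ingress source checks and a strict- and loose-mode uRPF lookup against a small FIB, written with Python's ipaddress module. The address plan (203.0.113.0/24 as own space, 198.51.100.0/26 as the customer behind Gi0/1) and the interface names are constructed.

```python
import ipaddress

# Constructed address plan: the operator's own space and one customer behind Gi0/1.
OWN_SPACE = [ipaddress.ip_network("203.0.113.0/24")]
CUSTOMER_SPACE = {"Gi0/1": [ipaddress.ip_network("198.51.100.0/26")]}
# Constructed FIB as (prefix, egress interface); Gi0/0 carries the default route upstream.
FIB = [("203.0.113.0/24", "Vlan10"), ("198.51.100.0/26", "Gi0/1"), ("0.0.0.0/0", "Gi0/0")]

def _in_any(src, nets):
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in nets)

def bcp38_egress_ok(src):
    """Traffic leaving the network may only carry our own source addresses."""
    return _in_any(src, OWN_SPACE)

def bcp38_ingress_ok(src, iface):
    """Traffic entering on a customer port may only carry that customer's addresses."""
    return _in_any(src, CUSTOMER_SPACE.get(iface, []))

def fib_lookup(src):
    """Longest-prefix match over FIB; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_strict_ok(src, iface):
    """Strict uRPF: the best route back to the source must point out the interface
    the packet arrived on. The default route is not accepted as a reverse path here,
    which is the usual router behaviour unless a default-route allowance is configured."""
    hit = fib_lookup(src)
    return hit is not None and hit[0].prefixlen > 0 and hit[1] == iface

def urpf_loose_ok(src):
    """Loose uRPF: any non-default route to the source address suffices."""
    hit = fib_lookup(src)
    return hit is not None and hit[0].prefixlen > 0
```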
NTP Amplification
- Network Time Protocol (NTP), port 123/UDP
- Exploits NTP versions older than v4.2.7: monlist
- Several incidents in 2014: a 400 Gbps attack on a cloud provider

NTP Amplification - Defense
- BCP38
- Upgrade the NTP (ntpd) server to v4.2.7p26 or later
  - Removes/disables the monlist command; replaced with mrulist
  - Requires proof that the command came from the address in the NTP packet
- In older versions: disable ntp monitor and do not answer ntpq/ntpdc queries
Attacks on Different Layers (with defenses)

OSI Reference Model: Application, Presentation, Session, Transport, Network, Data Link, Physical
TCP/IP Model (layer, protocols, attacks, defenses):
- Layer 7 Application: HTTP, FTP, IMAP, LDAP, NTP, Radius, SSH, SMTP, SNMP, Telnet, DNS, DHCP; Layer 5: NFS, Socks
  Attacks: DNS poisoning, phishing, SQL injection, spam/scam
  Defenses: HTTPS, DNSSEC, PGP, S/MIME
- Layer 4 Transport: TCP, UDP, SCTP
  Attacks: TCP attacks, routing attack, SYN flooding
  Defenses: TLS, SSL, SSH
- Layer 3 Internet: IPv4, IPv6, ICMP, ICMPv6, IGMP
  Attacks: ping/ICMP flood, sniffing
  Defenses: IPsec
- Layer 2 Network Access (Link Layer): Ethernet, PPP, ARP, NDP, OSPF
  Attacks: ARP spoofing, MAC flooding
  Defenses: IEEE 802.1X, PPP & PPTP

Transport Layer Security
- Secure Socket Layer (SSL)
- Secure Shell Protocol
Application Layer Security
- HTTPS
- PGP (Pretty Good Privacy)
- S/MIME (Secure Multipurpose Internet Mail Extensions)
- TSIG and DNSSEC
- Wireless encryption: WEP, WPA, WPA2