Attacks Against the Cloud: A Mitigation Strategy. Cloud Attack Mitigation & Firewall on Demand

Transcription

1 Attacks Against the Cloud: A Mitigation Strategy C L O U D A T T A C K M I T I G A T I O N & F I R E W A L L O N D E M A N D A l e x Z a c h a r i s a z a h a r i a d m i n. g r n e t. g r G R N E T C E R T g r n e t _ c e r t ) L e o n i d a s P o u l o p o u l o s l e o p o u n o c. g r n e t. g r G R N E T N O C l e o p o u l )

2 Content Roles-Actors-Services Security Measures Incident Response Statistics Security Tools Firewall on Demand Live Demo

3 Security Officer GRNET CERT Dev. Team NOC Helpdesk Users Service: ~okeanos IaaS Service Create VMs Store Files Create Virtual Networks Roles-Actors-Services

4 Secure Architecture

5 Security Meassures Admin/Dev Side Password Policy Log Monitoring Update/Patching Policy Firewalling FOD Audits (Pen Tests, Code Audits) Client Side SSL(2048 bits) Shibboleth Password Policy Enforcing Terms of Use

6 Incident Response Attacks launched on others from within Okeanos infrastructure. Compromise of individual user accounts or VMs Scans of University or other Computer Security Systems. Spam and mail forgery that originates from, or is relayed through Okeanos. Viruses, Worms and Trojan Horses Threats to individuals (only in conjunction with law enforcement) Involvement in Criminal Activity (only in conjunction with law enforcement) DOS & DDOS attacks Phishing Attacks Hosting Illegal content Copyright Infringement

7 Incident Life Cycle

8 Ticketing

9 Incident Examples: Phishing Phishing Page (Visa) Abuse Mail Received Incident Analysis WordPress site was identified to be hosted containing a fake phishing page of Visa. The malicious URL: Stolen Credentials were send to the following $send2="ro.kiax@yahoo.com" Actions Taken Page Take down Informing User

10 Incident Examples: Botnet

11 Incident Examples: Forum Spam

12 Statistics Abuses per year Category Category 1 Category Category 3 Abuses per month Abuse type Scan OpenDNS bruteforce network-scan Commercial aim DDOS DOS other

13 Statistics Number of abuses per month 180 category 1 category 2 category Incidents per type 0 Jan 2014 Feb 2014 Mar 2014 Apr 2014 May 2014 Jun Open DNS Resolvers that turned to DDoS attack 47.73% 52.27% Open DNS Resolver DDoS

14 Statistics 2013 vs Number of abuses per month Jan Feb Mar Apr May Jun Incidents per category per year

15 Mitigation Strategy: Security Checks Audits Web Scans Code Audits Stress Testing Release Check Tools Used: Accunetix Backtrack Burp Suite Agnito

16 Tool Development CLOUD HONEYPOT VIZUALIZER CLOUD POLICY ENFORCER FIREWALL ON DEMAND

17 Cloud Honeypot Vizualizer Stats: 1. Source per Country 2. Time analysis 3. Attacks per Port 4. Top 10 Attackers 5. All Attackers

18 Cloud Policy Enforcer Checks for: 1. Hosting of Illegal Services(ex. Torrent Tracker) 2. Illegal Content(ex. Images, Phishing forms) 3. Dangerous Content(ex. Virs Trojan) 4. Password Policy Check

19 Cloud Policy Enforcer WWW Capture SCAN RESULTS

20 Firewall on Demand

21 DDoS Illustrated

22 DDoS facts 400 Gbps 309 < Source: Arbor Networks Inc. & Cloudflare

23 Staying alive acls, firewall filters RTBH BGP flowspec

24 BGP FlowSpec Quick recap RFC 5575 Dissemination of flow specification rules with BGP BGP propagates n-tuple filter with flow matching criteria and actions MATCH source/dest prefix source/dest port ICMP type/code packet size DSCP TCP flag fragment type etc ACTIONS accept discard rate-limit sample redirect etc Firewall on Demand Multidomain 24 Internet2 Global Summit, Apr

25 BGP community flow vs. RTBH vs. ACLs ACLS Distributed across the network Closer to the source Fine-grained even on core/backbone networks Multidomain easy propagation towards the upstream via BGP Easy automation & integration BGP RTHB Flowspec: enhancement of RTBH Does not affect all traffic to victim Less coarse More actions Separate NLRI

26 Firewall on Demand NEED FOR BETTER TOOLS TO MITIGATE TRANSIENT ATTACKS GRANULARITY: Per-flow level ACTION: Drop, rate-limit, redirect SPEED: 1-2 orders of magnitude quicker EFFICIENCY: closer to the source, multi-domain AUTOMATION: integration with other systems MANAGEABILITY: status tracking, web interface

27 Development Framework Source: Wikimedia Foundation Python Django

28 FoD Architecture OPEN SOURCE

29 How it works Customer s NOC logs in web tool (shibboleth) & describes flows and actions Destination validated against customer s IP space A dedicated router is configured (NETCONF) to advertise the route via BGP flowspec Dynamic firewall filters are implemented on all routers Attack is mitigated upon entrance End of attack: Removal via the tool, or auto-expire Web ebgp NETCONF ibgp

30 GRNET FoD usage examples 3years 400Tbytes 120rules 50users 25peers

31 GÉANT Tests Click Apply 6 seconds later

32 FoD multidomain deployment scenarios

33 Current Status GRNET in production since end of 2011 Tests: Multihop BGP peering with PSNC Interest/Evaluation from BELNET GÉANT ( BGP flowspec enabled in all core devices Successful tests between GRNET and GÉANT Multiple scenarios tested Iperf between Croatia and Greece Gone in 6 seconds In production by April 2015

34 Can I deploy/try/test it? Open source project FoD : Docs: Ask for a demo account PEER WITH US!

35 Demo time attaaaaack!

36 Enhancenments FoD interfaces to other tools/platforms REST API XMPP client/server ØMQ extensions Filter counters/graphs NETCONF Juniper UtilityMIB Ipv6 support (Whenever available)

37 Extensions rapid anomaly detection Top 5 Dst Port ordered by packets: Date first seen Duration Proto Dst Port Flows(%) Packets(%) Bytes(%) pps bps bpp :27: TCP XX (34.0) M(19.9) 24.8 G( 5.3) M :10: UDP XXXX 132( 0.0) 50.3 M( 7.5) 23.4 G( 5.0) :17: TCP XXX ( 7.9) 37.4 M( 5.5) 13.8 G( 2.9) :19: UDP XX 4057( 0.3) 19.0 M( 2.8) 14.4 G( 3.1) M 761 Top 5 Dst IP Addr ordered by packets: Date first seen Duration Proto Dst IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp :19: UDP XX.YYY.XX.YY 35642( 2.3) 59.9 M( 8.9) 36.1 G( 7.7) G :17: TCP XX.X.X.XXX 58534( 3.7) 12.9 M( 1.9) 1.1 G( 0.2) M :17: TCP XXX.XX.XXX.XXX 39573( 2.5) 11.2 M( 1.7) 1.1 G( 0.2) M 97 RRD analysis STD-based Under dev

38 Questions? 42: The Answer to the Ultimate Question of Life, The Universe, and Everything. Douglas Adams, The Hitchhiker's Guide to the Galaxy