anti IP spoofing technique

Transcription

1 anti IP spoofing technique MATSUZAKI maz Yoshinobu Copyright (C) 2006 Internet Initiative Japan Inc. 1

2 ip spoofing creation of IP packets with source addresses other than those assigned to that host Copyright (C) 2006 Internet Initiative Japan Inc. 2

3 Malicious uses with IP spoofing impersonation session hijack or reset hiding flooding attack reflection ip reflected attack Copyright (C) 2006 Internet Initiative Japan Inc. 3

4 src: partner dst: victim impersonation sender ip spoofed packet partner Oh, my partner sent me a packet. I ll process this. victim Copyright (C) 2006 Internet Initiative Japan Inc. 4

5 hiding sender ip spoofed packet src: random dst: victim Oops, many packets are coming. But, who is the real source? victim Copyright (C) 2006 Internet Initiative Japan Inc. 5

6 reflection sender ip spoofed packet src: victim dst: reflector reflector reply packet src: reflector dst: victim Oops, a lot of replies without any request victim Copyright (C) 2006 Internet Initiative Japan Inc. 6

7 ip reflected attacks smurf attacks icmp echo (ping) ip spoofing (reflection) directed-broadcast amplification dns amplification attacks dns query ip spoofing (reflection) DNS amplification Copyright (C) 2006 Internet Initiative Japan Inc. 7

8 amplification 1. multiple replies Sender 2. bigger reply Sender Copyright (C) 2006 Internet Initiative Japan Inc. 8

9 directed-broadcast amplification Sender icmp echo request icmp echo replies Copyright (C) 2006 Internet Initiative Japan Inc. 9

10 DNS amplification ANY?xxx.example.com Sender DNS xxx.example.com IN TXT XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX Copyright (C) 2006 Internet Initiative Japan Inc. 10

11 ip reflected attacks attacker ip spoofed packets open amplifier replies victim Copyright (C) 2006 Internet Initiative Japan Inc. 11

12 smurf attack ip spoofed ping Attacker ICMP echo replies victim Copyright (C) 2006 Internet Initiative Japan Inc. 12

13 dns amplification attack Attacker ip spoofed DNS queries DNS DNS DNS DNS DNS replies victim Copyright (C) 2006 Internet Initiative Japan Inc. 13

14 relations dns amp attack DNS root-servers Command&Control stub-resolvers DNS full-resolvers DNS DNS IP spoofed DNS queries tld-servers DNS example-servers botnet victim Copyright (C) 2006 Internet Initiative Japan Inc. 14

15 solutions for ip reflected attacks attacker ip spoofed packets open amplifier prevent ip spoofing replies disable open amplifiers victim Copyright (C) 2006 Internet Initiative Japan Inc. 15

16 two solutions disable open amplifier disable directed-broadcast disable open recursive DNS server contents DNS server should accept queries from everyone, but service of resolver (cache) DNS server should be restricted to its customer only. prevent ip spoofing!! source address validation BCP38 & BCP84 Copyright (C) 2006 Internet Initiative Japan Inc. 16

17 Source Address Validation Check the source ip address of ip packets filter invalid source ip address filter close to the packets origin as possible filter precisely as possible If no networks allow ip spoofing, we can eliminate these kinds of attacks Copyright (C) 2006 Internet Initiative Japan Inc. 17

18 our assumption ISP/network administrator assign ip address for their users. dynamic or static DHCP, connectivity service Users should use these assigned ip address as their source ip address. Copyright (C) 2006 Internet Initiative Japan Inc. 18

19 close to the origin You are spoofing! RT.a srcip: You are spoofing! srcip: RT.b You are spoofing! srcip: /23 Hmm, this looks ok...but.. srcip: srcip: You are spoofing! You are spoofing! /24 srcip: Copyright (C) 2006 Internet Initiative Japan Inc. 19

20 how to configure the checking ACL packet filter permit valid-source, then drop any urpf check check incoming packets using routing table look-up the return path for the source ip address loose mode can t stop ip reflected attacks use strict mode or feasible mode Copyright (C) 2006 Internet Initiative Japan Inc. 20

21 cisco ACL example ISP Edge Router point-to-point /30 ip access-list extended fromcustmer permit ip any permit ip any deny ip any any! interface Gigabitethernet0/0 ip access-group fromcustomer in! customer network /24 Copyright (C) 2006 Internet Initiative Japan Inc. 21

22 juniper ACL example point-to-point /30 ISP Edge Router customer network /24 firewall family inet { filter fromcustomer { term CUSTOMER { from source-address { /16; /30; } then accept; } term Default { then discard; } } } [edit interface ge-0/0/0 unit 0 family inet] filter { input fromcustomer; } Copyright (C) 2006 Internet Initiative Japan Inc. 22

23 cisco urpf example ISP Edge Router point-to-point /30 urpf interface Gigabitethernet0/0 ip verify unicast source reachable-via rx customer network /24 Copyright (C) 2006 Internet Initiative Japan Inc. 23

24 juniper urpf example ISP Edge Router point-to-point /30 urpf [edit interface ge-0/0/0 unit 0 family inet] rpf-check; customer network /24 Copyright (C) 2006 Internet Initiative Japan Inc. 24

25 multistage verification ISP Edge Router urpf customers know their network. good for precise filter Customer Edge Router urpf We can filter spoofed traffic at earliy stage. Customer Router urpf Copyright (C) 2006 Internet Initiative Japan Inc. 25

26 urpf - failures common failures unused space private space wrong address asymmetric routing failures multi-connected network transit LAN special failures private/non-routed backbone network Copyright (C) 2006 Internet Initiative Japan Inc. 26

27 unused space ISP Edge Router /16 default urpf customer network /24 dst: src: if there is no filter, these packets keep looping until ttl expired... fix the routing! add null routes on the customer router Copyright (C) 2006 Internet Initiative Japan Inc. 27

28 private space NAT didn t work ISP Edge Router urpf NAT Router home network (private address) usual case bad implementation of NAT mis-configuration router/firewall network Copyright (C) 2006 Internet Initiative Japan Inc. 28

29 wrong IP address ISP Edge Router urpf ip: mobile PC trying their old IP mis-configuration typo just spoofing customer network /24 Copyright (C) 2006 Internet Initiative Japan Inc. 29

30 multi-connected network ISP A ISP B urpf urpf ip address from ISP A /24 src: ip address from ISP B /24 PBR can fix this. Copyright (C) 2006 Internet Initiative Japan Inc. 30

31 transit LAN dst: RT.2 interface src: external RT.1 RT.2 urpf urpf packets to the router interface may filter Copyright (C) 2006 Internet Initiative Japan Inc. 31

32 private/non-routed backbone ISP A backbone using private address urpf ISP B backbone hiding technique... but icmp error messages will be filtered. traceroute can t show the ISP1 s network this also breaks PMTUD Copyright (C) 2006 Internet Initiative Japan Inc. 32

33 IIJ s case discussion router capability policy problems Copyright (C) 2006 Internet Initiative Japan Inc. 33

34 internal discussion Do we need anti-spoofing in our network? We heard a rumor that attackers don t use ip spoofing anymore in these days. Answer is YES. ip spoofing is still used for attacks. dns amplification attacks preparation for new attacks using ip-spoofing Copyright (C) 2006 Internet Initiative Japan Inc. 34

35 kubo graph #1 Copyright (C) 2006 Internet Initiative Japan Inc. 35

36 kubo graph #2 Copyright (C) 2006 Internet Initiative Japan Inc. 36

37 router urpf capability #1 Cisco urpf loose/strict mode Cisco 72xx, 75xx software processing... Cisco sup2, sup720 hardware support for urpf/acl one urpf mode per box Copyright (C) 2006 Internet Initiative Japan Inc. 37

38 router urpf capability #2 Cisco 12xxx GSR depends on engine type of line card E0,E1: software processing E2: per physical interface, exclusion ACL E3: loose mode only microcode reload... Copyright (C) 2006 Internet Initiative Japan Inc. 38

39 router urpf capability #3 Juniper T/M works fine feasible means set of same length prefixes routing table prefix pref / / feasible routing table prefix / /30 non-feasible Copyright (C) 2006 Internet Initiative Japan Inc. 39

40 router urpf capability Cisco depends on box/linecard urpf strict/loose mode are supported some boxes use software processing additional 5~20% cpu load Juniper works fine need some hack to export cflowd data of discarded traffic Copyright (C) 2006 Internet Initiative Japan Inc. 40

41 our initial choice single homed user simple urpf strict mode or ACL multihomed user bgp customer(isps) enterprise (need for redundancy) urpf loose mode something is better than nothing Copyright (C) 2006 Internet Initiative Japan Inc. 41

42 IIJ s policy peer ISP upstream ISP IIJ/AS2497 customer ISP single homed static customer multi homed static customer urpf strict mode urpf loose mode Copyright (C) 2006 Internet Initiative Japan Inc. 42

43 ACL and urpf ACL deterministic statically configured maintenance of access-list urpf easy to configure care about asymmetric routing strict mode is working well only for symmetric routing loose mode can t stop the ip reflected attack there are few venders support of feasible mode Copyright (C) 2006 Internet Initiative Japan Inc. 43

44 problems urpf/acl works fine in most case. bug, device capability, performance... less confidence for urpf operations know urpf, but never use it. test it! unaware of Source Address Validation why do we need this? Copyright (C) 2006 Internet Initiative Japan Inc. 44

45 Why do we need? Source Address Validation do NOT protect your users from DoS/Attacks/Etc. directly. This reduce malicious activity. sending ip spoofed packets from your network. If no networks allow ip spoofing, we can eliminate these kinds of attacks. Copyright (C) 2006 Internet Initiative Japan Inc. 45

46 bogon traffic 1.8Mbps 150Mbps 6Kpps 36Kpps Copyright (C) 2006 Internet Initiative Japan Inc. 46

47 please consider Source Address Validation in your network Copyright (C) 2006 Internet Initiative Japan Inc. 47

48 END Copyright (C) 2006 Internet Initiative Japan Inc. 48