Attacks Against the Cloud: A Mitigation Strategy (Cloud Attack Mitigation & Firewall on Demand). Alex Zacharis, azaharis@admin.grnet.gr, GRNET CERT (@grnet_cert). Leonidas Poulopoulos, leopoul@noc.grnet.gr, GRNET NOC (@leopoul)
Content: Roles-Actors-Services; Security Measures; Incident Response; Statistics; Security Tools; Firewall on Demand; Live Demo
Roles-Actors-Services. Roles/actors: Security Officer, GRNET CERT, Dev. Team, NOC, Helpdesk, Users. Service: ~okeanos IaaS (create VMs, store files, create virtual networks), https://okeanos.grnet.gr
Secure Architecture
Security Measures. Admin/Dev side: password policy; log monitoring; update/patching policy; firewalling; FoD; audits (pen tests, code audits). Client side: SSL (2048-bit keys); Shibboleth; password policy; enforcing terms of use.
Incident Response: incident types handled. 1. Attacks launched on others from within the Okeanos infrastructure 2. Compromise of individual user accounts or VMs 3. Scans of university or other computer security systems 4. Spam and mail forgery that originates from, or is relayed through, Okeanos 5. Viruses, worms and trojan horses 6. Threats to individuals (only in conjunction with law enforcement) 7. Involvement in criminal activity (only in conjunction with law enforcement) 8. DoS and DDoS attacks 9. Phishing attacks 10. Hosting illegal content 11. Copyright infringement
Incident Life Cycle
Ticketing
Incident Examples: Phishing. Abuse mail received: phishing page (Visa). Incident analysis: a hosted WordPress site was identified as containing a fake Visa phishing page. The malicious URLs: http://83.212.101.1/wp-includes/css/visa.dk/ and http://83.212.101.1/wp-includes/css/dk.zip. Stolen credentials were sent to the following email address: $send2="ro.kiax@yahoo.com". Actions taken: page take-down; informing the user.
Incident Examples: Botnet
Incident Examples: Forum Spam
Statistics 2012-2013 (charts): abuses per year, 2011-2013, by category (category 1, 2, 3); abuses per month by abuse type (scan, OpenDNS, bruteforce, network-scan, commercial aim, DDoS, DoS, other).
Statistics 2014 (charts): number of abuses per month, Jan-Jun 2014, by category (category 1, 2, 3); incidents per type, 2014; open DNS resolvers that turned into DDoS attacks: pie chart split 47.73% / 52.27% between the "Open DNS Resolver" and "DDoS" slices.
Statistics 2013 vs 2014 (charts): number of abuses per month, Jan-Jun, 2013 vs 2014; incidents per category per year, 2013 vs 2014.
Mitigation Strategy: Security Checks. Audits: web scans, code audits, stress testing, release check. Tools used: Acunetix, BackTrack, Burp Suite, Agnitio.
Tool Development: Cloud Honeypot Visualizer; Cloud Policy Enforcer; Firewall on Demand
Cloud Honeypot Visualizer. Stats: 1. Source per country 2. Time analysis 3. Attacks per port 4. Top 10 attackers 5. All attackers
Cloud Policy Enforcer. Checks for: 1. Hosting of illegal services (e.g. torrent tracker) 2. Illegal content (e.g. images, phishing forms) 3. Dangerous content (e.g. virus, trojan) 4. Password policy check
Cloud Policy Enforcer (diagram): WWW capture, scan results
Firewall on Demand
DDoS Illustrated
DDoS facts: largest reported DDoS attack per year (source: Arbor Networks Inc. & Cloudflare)
Year  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014
Gbps  <1    1     3     10    17    24    40    49    100   60    60    309   400
Staying alive: ACLs and firewall filters; RTBH; BGP flowspec
BGP FlowSpec: quick recap. RFC 5575, Dissemination of Flow Specification Rules: BGP propagates an n-tuple filter consisting of flow matching criteria and actions. MATCH: source/destination prefix, source/destination port, ICMP type/code, packet size, DSCP, TCP flags, fragment type, etc. ACTIONS: accept, discard, rate-limit, sample, redirect, etc. (Slide reused from "Firewall on Demand Multidomain", Internet2 Global Summit, Apr 9 2014.)
BGP flowspec vs. RTBH vs. ACLs. Flowspec compared with ACLs: distributed across the network; closer to the source; fine-grained even on core/backbone networks; multidomain (easy propagation towards the upstream via BGP); easy automation and integration. Flowspec compared with BGP RTBH: an enhancement of RTBH; does not affect all traffic to the victim (less coarse); more actions; separate NLRI.
Firewall on Demand: need for better tools to mitigate transient attacks. GRANULARITY: per-flow level. ACTION: drop, rate-limit, redirect. SPEED: 1-2 orders of magnitude quicker. EFFICIENCY: closer to the source, multi-domain. AUTOMATION: integration with other systems. MANAGEABILITY: status tracking, web interface.
Development Framework: Python, Django (logos: Wikimedia Foundation)
FoD Architecture. Open source: https://code.grnet.gr/projects/flowspy, http://flowspy.readthedocs.org, https://fod.grnet.gr
How it works. 1. The customer's NOC logs in to the web tool (Shibboleth) and describes flows and actions. 2. The destination is validated against the customer's IP space. 3. A dedicated router is configured (NETCONF) to advertise the route via BGP flowspec. 4. Dynamic firewall filters are implemented on all routers. 5. The attack is mitigated upon entrance. 6. End of attack: removal via the tool, or auto-expire. (Diagram: Web, eBGP, NETCONF, iBGP.)
GRNET FoD usage examples: 3 years; 400 Tbytes; 120 rules; 50 users; 25 peers
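The core of the workflow above (validate the destination against the customer's IP space, then turn the accepted flow description into the flowspec route the dedicated router advertises) as an added example in Python, FoD's own language. This is illustration code, not FoD's implementation: the customer table, rule names, prefixes and the exact Junos "routing-options flow route" keywords are assumptions, and all addresses are RFC 5737 documentation ranges.

```python
"""Added example (not FoD's own code): the core of the FoD workflow as a
small Python model.  A customer's rule is accepted only if its destination
lies inside that customer's registered IP space, and an accepted rule is
rendered as the Junos 'routing-options flow route' stanza that the dedicated
router would be given over NETCONF.  The customer table, rule names, prefixes
and the exact Junos keywords are assumptions for illustration; addresses are
RFC 5737 documentation ranges."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed customer IP-space table (in FoD this comes from the peer/user database).
CUSTOMER_SPACE = {
    "example-uni": [
        ipaddress.ip_network("192.0.2.0/24"),
        ipaddress.ip_network("198.51.100.0/25"),
    ],
}

ACTIONS = {"discard", "rate-limit", "sample"}   # subset of the RFC 5575 actions


@dataclass
class FlowRule:
    name: str
    destination: str                 # victim prefix; must sit inside the customer's space
    source: Optional[str] = None     # attacker prefix, if known
    protocol: Optional[str] = None   # Junos keyword: tcp, udp, icmp ...
    destination_ports: List[int] = field(default_factory=list)
    source_ports: List[int] = field(default_factory=list)
    action: str = "discard"
    rate_limit_bps: int = 0          # only used when action == "rate-limit"


def validate_destination(customer: str, destination: str) -> bool:
    """A user may only filter traffic towards their own space: the destination
    prefix must be fully contained in one of the customer's networks."""
    dst = ipaddress.ip_network(destination, strict=True)
    return any(net.version == dst.version and dst.subnet_of(net)
               for net in CUSTOMER_SPACE.get(customer, []))


def render_junos_flow_route(rule: FlowRule) -> str:
    """Render the flowspec route in Junos configuration syntax (assumed form;
    check it against your Junos release before pushing it over NETCONF)."""
    if rule.action not in ACTIONS:
        raise ValueError(f"unsupported action {rule.action!r}")
    match = [f"destination {rule.destination};"]
    if rule.source:
        match.append(f"source {rule.source};")
    if rule.protocol:
        match.append(f"protocol {rule.protocol};")
    if rule.destination_ports:
        match.append("destination-port [ %s ];" % " ".join(map(str, rule.destination_ports)))
    if rule.source_ports:
        match.append("source-port [ %s ];" % " ".join(map(str, rule.source_ports)))
    if rule.action == "rate-limit":
        if rule.rate_limit_bps <= 0:
            raise ValueError("rate-limit needs a positive bits-per-second value")
        then = f"rate-limit {rule.rate_limit_bps};"
    else:
        then = f"{rule.action};"
    lines = ["routing-options {", "    flow {", f"        route {rule.name} {{",
             "            match {"]
    lines += [f"                {m}" for m in match]
    lines += ["            }", "            then {", f"                {then}",
              "            }", "        }", "    }", "}"]
    return "\n".join(lines)


def build_rule(customer: str, rule: FlowRule) -> str:
    """The FoD gate: refuse anything outside the customer's space, else render."""
    if not validate_destination(customer, rule.destination):
        raise PermissionError(f"{rule.destination} is not inside the IP space of {customer}")
    return render_junos_flow_route(rule)


if __name__ == "__main__":
    # NTP reflection towards one host: rate-limit UDP from source port 123 to 1 Mbps.
    ntp = FlowRule("NTP_REFLECTION", "192.0.2.10/32", protocol="udp",
                   source_ports=[123], action="rate-limit", rate_limit_bps=1_000_000)
    print(build_rule("example-uni", ntp))
```

The validation step is the security boundary of the whole service: without it a peer could black-hole someone else's prefix network-wide, since the route is propagated to every router via iBGP. In the real deployment the rendered stanza would be pushed with a NETCONF client such as ncclient and deleted again when the user removes the rule or it auto-expires.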
GÉANT Tests Click Apply 6 seconds later
FoD multidomain deployment scenarios
Current Status. GRNET: in production since end of 2011; tests: multihop BGP peering with PSNC; interest/evaluation from BELNET. GÉANT (https://fod.geant.net): BGP flowspec enabled in all core devices; successful tests between GRNET and GÉANT; multiple scenarios tested; iperf between Croatia and Greece: gone in 6 seconds; in production by April 2015.
Can I deploy/try/test it? Open source project. FoD: https://code.grnet.gr/projects/flowspy. Docs: https://flowspy.readthedocs.org. Ask for a demo account. Peer with us!
Demo time attaaaaack!
Enhancements. FoD interfaces to other tools/platforms: REST API; XMPP client/server; ØMQ extensions. Filter counters/graphs: NETCONF, Juniper Utility MIB. IPv6 support (whenever available).
Extensions: rapid anomaly detection (nfdump top-N output; ports and addresses masked)
Top 5 Dst Port ordered by packets:
Date first seen          Duration   Proto Dst Port  Flows(%)       Packets(%)      Bytes(%)        pps     bps       bpp
2014-09-28 19:27:42.480  50235.670  TCP   XX        532857(34.0)   134.4 M(19.9)   24.8 G( 5.3)    2674    3.9 M     184
2014-09-26 23:10:13.660  209673.50  UDP   XXXX         132( 0.0)    50.3 M( 7.5)   23.4 G( 5.0)     239    892851    465
2014-09-27 14:17:38.090  155240.05  TCP   XXX       123272( 7.9)    37.4 M( 5.5)   13.8 G( 2.9)     240    709019    368
2014-09-29 07:19:11.840  7515.870   UDP   XX          4057( 0.3)    19.0 M( 2.8)   14.4 G( 3.1)    2521    15.4 M    761
Top 5 Dst IP Addr ordered by packets:
Date first seen          Duration   Proto Dst IP Addr      Flows(%)      Packets(%)     Bytes(%)       pps      bps      bpp
2014-09-29 09:19:18.730  286.270    UDP   XX.YYY.XX.YY     35642( 2.3)   59.9 M( 8.9)   36.1 G( 7.7)   209192   1.0 G    602
2014-09-29 09:17:22.120  426.850    TCP   XX.X.X.XXX       58534( 3.7)   12.9 M( 1.9)    1.1 G( 0.2)    30317   21.2 M    87
2014-09-29 09:17:22.110  426.860    TCP   XXX.XX.XXX.XXX   39573( 2.5)   11.2 M( 1.7)    1.1 G( 0.2)    26336   20.5 M    97
RRD analysis, STD-based: under development.
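What the "STD-based" detection sketched on this slide could look like, as an added example in Python that is not GRNET's or FoD's code: parse nfdump-style "Top N Dst IP Addr" rows in the layout shown above, compare each destination's current packet rate with a per-destination history (the series an RRD would hold), and flag destinations whose rate exceeds mean plus k standard deviations as candidate flowspec matches for an operator to confirm. The rows, the baseline series, the threshold k and the addresses (RFC 5737 ranges in place of the masked ones) are all constructed for the example.

```python
"""Added example (not GRNET's or FoD's code): STD-based anomaly detection over
nfdump-style 'Top N Dst IP Addr' rows.  Sample rows, per-destination baselines
and the threshold are constructed; addresses are RFC 5737 documentation ranges."""
import re
import statistics
from typing import Dict, List, NamedTuple, Tuple

# Constructed rows in the nfdump top-N layout used on the slide (IPs replaced).
SAMPLE_ROWS = """
2014-09-29 09:19:18.730   286.270 UDP   192.0.2.10     35642( 2.3)   59.9 M( 8.9)   36.1 G( 7.7)   209192   1.0 G   602
2014-09-29 09:17:22.120   426.850 TCP   198.51.100.7   58534( 3.7)   12.9 M( 1.9)    1.1 G( 0.2)    30317  21.2 M    87
2014-09-29 09:17:22.110   426.860 TCP   203.0.113.45   39573( 2.5)   11.2 M( 1.7)    1.1 G( 0.2)    26336  20.5 M    97
"""

SCALE = {"": 1.0, "K": 1e3, "M": 1e6, "G": 1e9}   # nfdump unit suffixes

# date time, duration, proto, dst, flows(%), packets(%), bytes(%), pps, bps, bpp
ROW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\w+)\s+"
    r"(?P<dst>\S+)\s+(?P<flows>\d+)\(\s*[\d.]+\)\s+"
    r"(?P<pkts>[\d.]+)\s*(?P<pk_u>[KMG]?)\(\s*[\d.]+\)\s+"
    r"(?P<bytes>[\d.]+)\s*(?P<by_u>[KMG]?)\(\s*[\d.]+\)\s+"
    r"(?P<pps>\d+)\s+(?P<bps>[\d.]+)\s*(?P<bps_u>[KMG]?)\s+(?P<bpp>\d+)$"
)


class TopRow(NamedTuple):
    dst: str
    proto: str
    pps: int
    bps: float
    packets: float


def parse_top_rows(text: str) -> List[TopRow]:
    """Parse data rows; header/separator lines that do not match are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append(TopRow(m["dst"], m["proto"], int(m["pps"]),
                           float(m["bps"]) * SCALE[m["bps_u"]],
                           float(m["pkts"]) * SCALE[m["pk_u"]]))
    return rows


# Constructed per-destination pps history (one sample per interval), as an RRD would keep it.
BASELINE_PPS: Dict[str, List[int]] = {
    "192.0.2.10":   [2100, 2300, 1900, 2500, 2200, 2400, 2000, 2600, 2300, 2100, 2200, 2400],
    "198.51.100.7": [28000, 31000, 29500, 30000, 32500, 27500, 30500, 29000, 31500, 30000, 28500, 31000],
    "203.0.113.45": [25000, 27000, 26000, 24500, 28000, 26500, 25500, 27500, 26000, 25000, 27000, 26500],
}


def is_anomalous(current: int, history: List[int], k: float = 3.0, min_samples: int = 6) -> bool:
    """STD-based test: current > mean + k * std.  Too little history gives no
    verdict (False); a perfectly flat history (std == 0) would make any change an
    outlier, so fall back to 'current > k * mean' in that case."""
    if len(history) < min_samples:
        return False
    mu = statistics.mean(history)
    sigma = statistics.pstdev(history)
    if sigma == 0:
        return current > k * mu
    return current > mu + k * sigma


def detect(text: str, baselines: Dict[str, List[int]], k: float = 3.0) -> List[Tuple[str, str, int, float]]:
    """Return (dst, proto, pps, z-score) for rows that are outliers against their
    baseline: candidate flowspec match keys (destination + protocol) for an operator
    to confirm in FoD, not an automatic filter."""
    hits = []
    for row in parse_top_rows(text):
        hist = baselines.get(row.dst)
        if hist and is_anomalous(row.pps, hist, k):
            mu = statistics.mean(hist)
            sigma = statistics.pstdev(hist) or 1.0
            hits.append((row.dst, row.proto, row.pps, round((row.pps - mu) / sigma, 1)))
    return hits


if __name__ == "__main__":
    for dst, proto, pps, z in detect(SAMPLE_ROWS, BASELINE_PPS):
        print(f"ANOMALY dst={dst} proto={proto} pps={pps} z={z}")
```

Only the first row (209192 pps against a baseline around 2250 pps) is flagged; the two TCP destinations sit inside their usual range. A real deployment would keep the history per destination in the RRD, tune k per customer, and require a minimum absolute rate as well, since a z-score alone will also fire on a quiet host that merely doubles its traffic.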
Questions? 42: The Answer to the Ultimate Question of Life, The Universe, and Everything. Douglas Adams, The Hitchhiker's Guide to the Galaxy