SysSec 7: Network Security
Aurélien Francillon

News of the week

Overview
- Reconnaissance: discovering topology and servers
  - Using network tools
  - Fingerprinting
- Offensive
  - Man-in-the-middle attacks, bugs, attacks on routing
  - Bypassing network restrictions, denial of service
Network Reconnaissance
Reconnaissance
- Network reconnaissance is always a first step
- Nmap, Hping2, Netcat
- Understanding open/filtered ports
- What services are running
- Discovering machines

Reconnaissance
- Public databases are always a good start:
  - whois iseclab.org
  - dig iseclab.org
  - whois 128.130.60.29
- Zone transfers? If very lucky: dig axfr ZoneTransfer.me @ns16.zoneedit.com.
  See http://www.digininja.org/projects/zonetransferme.php

Reconnaissance
- Robtex: the Internet Swiss army knife
- GeoIP: approximate physical location of an IP address (more accurate solutions exist)
- Finger: directory service that provides information about users; almost never used anymore

Scanning
- Basics: send a TCP SYN packet
  - Closed port: replies with a RST
  - Open port: replies with SYN/ACK
  - Filtered port: nothing comes back, or an ICMP error packet
- nmap -A -T4 scanme.nmap.org
- Smarter techniques: OS detection, idle scan
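The three port states above are decided purely from what comes back in answer to the SYN probe. The following is an added example, not code from the lecture: it builds raw TCP headers in memory, parses the flags of a reply, and classifies the port exactly as the slide does (SYN/ACK means open, RST means closed, a timeout or an ICMP unreachable means filtered). It also checks that a SYN/ACK really acknowledges our own sequence number, which a scanner must do to avoid being fooled by stray packets. All packets are constructed; nothing is sent on the wire.

```python
# Added example (not from the lecture): interpreting the replies a TCP SYN
# probe can get. Packets are constructed in memory; nothing is sent.
import struct

# TCP flag bits in the low byte of the data-offset/flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# ICMP "destination unreachable" (type 3) codes that mean a filter answered
ICMP_UNREACH = 3
FILTERED_CODES = {1, 2, 3, 9, 10, 13}


def build_tcp_header(sport, dport, seq, ack, flags):
    """Minimal 20-byte TCP header: no options, checksum left at zero."""
    offset_flags = (5 << 12) | flags          # data offset = 5 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, 65535, 0, 0)


def parse_tcp_header(data):
    sport, dport, seq, ack, offset_flags = struct.unpack("!HHIIH", data[:14])
    return {"sport": sport, "dport": dport, "seq": seq,
            "ack": ack, "flags": offset_flags & 0x1FF}


def classify_reply(probe_seq, reply):
    """reply is None (timeout), ("icmp", type, code) or ("tcp", header_bytes)."""
    if reply is None:
        return "filtered"                       # nothing came back at all
    if reply[0] == "icmp":
        _, icmp_type, icmp_code = reply
        if icmp_type == ICMP_UNREACH and icmp_code in FILTERED_CODES:
            return "filtered"                   # an ACL answered, not the host
        return "unexpected"
    hdr = parse_tcp_header(reply[1])
    if hdr["flags"] & RST:
        return "closed"                         # host reachable, nothing listening
    if hdr["flags"] & SYN and hdr["flags"] & ACK:
        # A genuine SYN/ACK acknowledges our initial sequence number + 1
        if hdr["ack"] == (probe_seq + 1) & 0xFFFFFFFF:
            return "open"
        return "unexpected"                     # SYN/ACK that is not for our probe
    return "unexpected"


def scan_report(probe_seq, replies):
    """replies: {port: reply}. Returns {port: state}."""
    return {port: classify_reply(probe_seq, r) for port, r in replies.items()}


# Constructed replies for four probed ports, as a scanner would see them
PROBE_SEQ = 0x1234ABCD
SAMPLE_REPLIES = {
    22:  ("tcp", build_tcp_header(22, 40000, 0x99, PROBE_SEQ + 1, SYN | ACK)),
    23:  ("tcp", build_tcp_header(23, 40000, 0, PROBE_SEQ + 1, RST | ACK)),
    25:  None,
    445: ("icmp", ICMP_UNREACH, 13),
}

if __name__ == "__main__":
    for port, state in scan_report(PROBE_SEQ, SAMPLE_REPLIES).items():
        print(f"{port}/tcp {state}")
```

The ICMP code list is the set nmap treats as "filtered"; any other ICMP message is reported as unexpected rather than silently mapped to a state.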
Idle Scan
- Two main purposes:
  - Stealth
  - Reconnaissance: a port may be blocked for you on the server, but maybe not for the zombie? Idle scan lets you discover this

Scanning for vulnerabilities directly
- Nessus / OpenVAS
- Has a list of tests for discovering daemon type, version, kind of service, options set, etc.
- Has a list of associated vulnerabilities
- Checks them automatically and generates reports
- Client/server side can be programmed to run regularly
- Useful for:
  - Network administrators, to check for vulnerabilities on the network
  - Lazy attackers, to find an attack point!

Routing, ASes etc.
- The Internet is a set of Autonomous Systems (AS), e.g. Renater, France Telecom, Proxad (Free)
- They are interconnected by links between their routers
- BGP is the protocol used to know on which links to send packets depending on their destination
- Some of the BGP/AS information is publicly available: whois records, looking glasses
Network Attacks
Denial of Service Attacks
- DoS is an attack that aims at disrupting a service such that none of the customers can enjoy it
- The consequence of flooding or vulnerability attacks:
  - Flooding: an attack that consumes the application's resources at such a rate that the service becomes unresponsive
  - In a vulnerability attack, a vulnerability causes the application to crash or go into an infinite loop
- How common is DoS? Answer: very common. Research showed ~4,000 reported attacks in a week (and most attacks go unreported)
- How likely are you to be a victim of DoS? A report showed 25% of large companies suffer DoS attacks at some point

Denial of Service Attacks: DDoS
- Distributed Denial of Service
- Attacking machines are called daemons, slaves, zombies or agents. Zombies are usually poorly secured machines that have been exploited
- Machines that control and command the zombies are called masters or handlers
- The attacker would like to hide their trace: they hide behind machines called stepping stones

Denial of Service Amplification
- A DoS attacker may look for:
  - Network reflectors, to hide the source of the attack and prevent it from being blocked, e.g. an ICMP reply to a forged source address
  - Network amplifiers, to perform an efficient DoS: find a service that replies with N packets when 1 packet is sent with a forged source. This amplifies the DoS

Denial of Service Amplification: Examples
- SYN flood with forged source address
- Smurf attack: e.g. send a ping packet to a broadcast address (x.x.x.255)
- DNS can generate many requests when the server is asked about a record not in its cache
- DNSSEC packets are much larger

Denial of Service Attacks
- Web applications are particularly susceptible to denial of service attacks
- A web application can't easily tell the difference between an attack and ordinary traffic
- Because there is no reliable way to tell whom an HTTP request is coming from, it is very difficult to filter out malicious traffic
- "Slashdotted" effect
- Most web servers can handle several hundred concurrent users under normal use, but a single attacker can still generate enough traffic from a single host to swamp many applications
- Defending against denial of service attacks is difficult and only a small number of limited solutions exist

Who are the attackers?
- Research has shown that the majority of attacks are launched by script kiddies
- Such attacks are easier to detect and defend against
- Kids use readily available tools to attack, e.g. the LOIC tool
- Some DoS attacks, however, are highly sophisticated and very difficult to defend against

Denial of Service Attacks: Defenses (IP layer)
- Drop IP connections from a list of IP addresses; put in the list those that send too many SYNs
- Firewall: rate limiting, broadcast packets...
- Reroute BGP to a provider with lots of bandwidth, e.g. the Spamhaus event:
  http://blog.cloudflare.com/the-ddos-that-knockedspamhaus-offline-and-ho
  http://blog.cloudflare.com/the-ddos-that-almost-brokethe-internet

Denial of Service Attacks: Defenses (HTTP layer)
- Change the DNS to a CDN (Content Distribution Network)
  - With a lot of bandwidth
  - Caches HTTP requests
  - Applies filtering rules (OWASP), e.g., Akamai: http://www.akamai.com/html/solutions/site_defender.html
- Limit the complexity of requests per IP

Denial of Service Attacks: Other Defenses
- Use a CAPTCHA if a human is expected to interact; but they are annoying and not that hard for machines to guess after all
- Use a cryptographic puzzle: some challenges are slow to compute by the client but fast to verify by the server. Sent by the server to the client before handling any further request. Not very efficient against DDoS
- Make sure your hosts are patched against DoS vulnerabilities
- Anomaly detection and behavioral models
- Ingress filtering
- Firewall: rate limiting, broadcast packets
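The cryptographic puzzle defense above is worth seeing in full, because the interesting property is on the server side: it must not keep per-client state (otherwise the puzzle itself becomes a flooding target) and its verification must cost a constant, tiny amount of work. This is an added example, not code from the lecture. It uses a hash-preimage puzzle: the server issues a nonce, a difficulty and a timestamp sealed with an HMAC, the client searches for a counter whose SHA-256 with the nonce starts with enough zero bits, and the server recomputes one HMAC and one hash to accept it. SERVER_SECRET and PUZZLE_TTL are constructed values for the demo.

```python
# Added example (not from the lecture): a stateless hash-based client puzzle.
# SERVER_SECRET is a constructed demo key; PUZZLE_TTL is a constructed limit.
import hashlib
import hmac
import os
import struct
import time

SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
PUZZLE_TTL = 60  # seconds a puzzle stays acceptable, so it cannot be replayed forever


def leading_zero_bits(digest):
    """Count leading zero bits of a byte string."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
        else:
            n += 8 - byte.bit_length()
            break
    return n


def make_puzzle(secret, difficulty, now=None):
    """Server side: nonce + difficulty + timestamp, sealed with an HMAC.
    Nothing is stored; the tag lets the server recognise its own puzzle later."""
    issued = int(time.time() if now is None else now)
    nonce = os.urandom(16)
    body = nonce + struct.pack("!BQ", difficulty, issued)
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return {"nonce": nonce, "difficulty": difficulty, "issued": issued, "tag": tag}


def solve_puzzle(puzzle):
    """Client side: brute-force a counter until the hash has enough zero bits.
    Expected cost is about 2**difficulty hashes."""
    target = puzzle["difficulty"]
    counter = 0
    while True:
        digest = hashlib.sha256(puzzle["nonce"] + struct.pack("!Q", counter)).digest()
        if leading_zero_bits(digest) >= target:
            return counter
        counter += 1


def verify_solution(secret, puzzle, counter, now=None):
    """Server side: one HMAC and one hash, independent of the difficulty."""
    body = puzzle["nonce"] + struct.pack("!BQ", puzzle["difficulty"], puzzle["issued"])
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, puzzle["tag"]):
        return False  # forged puzzle, or the client lowered the difficulty field
    current = int(time.time() if now is None else now)
    if not (0 <= current - puzzle["issued"] <= PUZZLE_TTL):
        return False  # stale puzzle
    digest = hashlib.sha256(puzzle["nonce"] + struct.pack("!Q", counter)).digest()
    return leading_zero_bits(digest) >= puzzle["difficulty"]


if __name__ == "__main__":
    p = make_puzzle(SERVER_SECRET, difficulty=16)
    t0 = time.perf_counter()
    s = solve_puzzle(p)
    print(f"client work: {time.perf_counter() - t0:.3f}s, solution {s}")
    t0 = time.perf_counter()
    print("server accepts:", verify_solution(SERVER_SECRET, p, s))
    print(f"server work: {time.perf_counter() - t0:.6f}s")
```

Raising the difficulty by one bit doubles the client's expected work and leaves the server's cost unchanged, which is the asymmetry the slide describes. The limitation the slide also notes still holds: a botnet of many hosts can afford many puzzles, so this mostly helps against a single abusive client.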
TCP connection-hijacking
- A bit old-school: was used by Kevin Mitnick in 1995
- Attack on RSH to gain access to a server, with control of a computer on the network
- Principle of the attack:
  - Impersonate a computer with IP spoofing
  - TCP sequence number guessing, to send packets while ignoring responses
  - DoS the spoofed machine to prevent it from resetting the connection

TCP connection-hijacking: RSH
- Remote Shell, ancestor of SSH
- Can be configured to allow/deny connections based on: remote username, IP address
- No crypto in place... but hijacking an IP address is not easy.
TCP connection-hijacking: TCP
TCP connection-hijacking: TCP 3-way handshake
- Establishing a connection
- Source: http://www.tcpipguide.com/free/t_tcpconnectionestablishmentsequencenumbersynchroniz-2.htm

TCP connection-hijacking: TCP SYN flooding
- The server keeps a state for each opening connection in a buffer
- This buffer has a limited size
- (figure: the client sends SYN, the server answers SYN/ACK)

TCP connection-hijacking: IP Spoofing
- Sending packets with a spoofed IP address is as simple as forging the source IP in a crafted packet (usually requires root: raw socket)
- MAC / IP address forging may be blocked by the switch / ISP: called ingress filtering
- Packets with a forged IP address: easy to send, but no response received
- Is it still possible to exploit it?

IP address spoofing
- Can be used directly to exploit stateless protocols, e.g., based only on UDP
- But on TCP, how do we perform the 3-way handshake? We don't receive the response packets, as we don't control the return path...
- How to guess the sequence number / prevent the spoofed host from responding?

Mitnick attack
- DoS the server
- Send packets to the target, guessing sequence numbers
- If the guess is OK, the packets are accepted
- Replies go to the server and are not seen by the attacker; the DoS'ed server will not send an error message
- Used to send a command over RSH: echo + + >>/.rhosts
- Access to target gained!
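The sequence-number guessing step only works because the 1995 stacks chose initial sequence numbers (ISNs) in a predictable way. The following is an added example, not code from the lecture, written from the defender's side: legacy_isn models an old stack that adds a fixed step per connection, rfc6528_isn models the RFC 6528 scheme used by modern stacks (a 4-microsecond clock plus a keyed hash of the connection 4-tuple), and is_linearly_predictable is the trivial check a tester can run against a sequence of observed ISNs. SECRET, LEGACY_STEP and the clock values are constructed.

```python
# Added example (not from the lecture): why a guessable ISN is the weak link
# in the attack above, and what RFC 6528 does about it.
# SECRET is a constructed key; LEGACY_STEP is a constructed legacy increment.
import hashlib

SECRET = b"constructed-boot-time-secret"
LEGACY_STEP = 64000          # old-style stacks bumped the ISN by a constant per connection


def legacy_isn(connection_index):
    """Old behaviour: ISN grows by a constant, so one observation predicts the next."""
    return (connection_index * LEGACY_STEP) & 0xFFFFFFFF


def rfc6528_isn(src_ip, src_port, dst_ip, dst_port, clock_4us, secret=SECRET):
    """ISN = M + F(4-tuple, secret): M is a 4-microsecond tick counter, F a keyed hash.
    The same 4-tuple still gets a monotonic ISN (needed for TIME_WAIT reuse),
    but a different 4-tuple gets an unrelated offset an outsider cannot derive."""
    data = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode() + secret
    f = int.from_bytes(hashlib.sha256(data).digest()[:4], "big")
    return (clock_4us + f) & 0xFFFFFFFF


def is_linearly_predictable(isns):
    """True if every consecutive difference is identical, i.e. a one-line predictor works."""
    diffs = {(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])}
    return len(diffs) == 1


def observe(generator, n=5):
    """Collect the ISNs a tester would see over n successive connections."""
    return [generator(i) for i in range(n)]


if __name__ == "__main__":
    legacy = observe(legacy_isn)
    modern = observe(lambda i: rfc6528_isn("10.0.0.2", 40000 + i, "10.0.0.1", 514,
                                           clock_4us=1000 + i))
    print("legacy  :", legacy, "predictable:", is_linearly_predictable(legacy))
    print("rfc6528 :", modern, "predictable:", is_linearly_predictable(modern))
```

The hash is SHA-256 here; RFC 6528 suggests MD5 but allows any keyed function, and the point is the per-4-tuple secret offset, not the hash choice.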
ARP Poisoning
- ARP is a protocol to map MAC addresses to IP addresses on Ethernet:
  - Who has <IP>?
  - <IP> is at <mac>
- Needed to know where to send IP packets over Ethernet
- This can be abused to inject a wrong MAC address <=> IP address association
- Perform a man in the middle on a switched Ethernet network
ARP Poisoning
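Because ARP has no authentication, the practical defense on a switched LAN is to watch for the symptom: an IP address whose MAC binding suddenly changes. The following is an added example, not code from the lecture; it parses raw 28-byte Ethernet/IPv4 ARP bodies with struct and keeps an IP-to-MAC table in the style of arpwatch (written here from scratch, not arpwatch's code). The frames are constructed: a gateway answers twice with its real MAC, then a second host starts claiming the gateway's IP.

```python
# Added example (not from the lecture): parsing ARP packets and flagging a
# changed IP<->MAC binding, the observable trace of ARP poisoning.
# All frames below are constructed.
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FORMAT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """28-byte ARP body for Ethernet/IPv4 (htype 1, ptype 0x0800)."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(pkt):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


class ArpMonitor:
    """Remembers the MAC seen for each IP and alerts when it flips."""

    def __init__(self):
        self.table = {}

    def observe(self, pkt):
        arp = parse_arp(pkt)
        # Both requests and replies carry a sender binding, so both are recorded
        ip, mac = arp["spa"], arp["sha"]
        known = self.table.get(ip)
        self.table[ip] = mac
        if known is not None and known != mac:
            return f"ALERT {ip} changed from {known} to {mac} (op={arp['op']})"
        return None


# Constructed traffic: the gateway 10.0.0.1 answers host 10.0.0.5 twice,
# then a different MAC starts claiming 10.0.0.1
SAMPLE_FRAMES = [
    build_arp(ARP_REPLY, "aa:aa:aa:aa:aa:01", "10.0.0.1", "cc:cc:cc:cc:cc:05", "10.0.0.5"),
    build_arp(ARP_REPLY, "aa:aa:aa:aa:aa:01", "10.0.0.1", "cc:cc:cc:cc:cc:05", "10.0.0.5"),
    build_arp(ARP_REPLY, "bb:bb:bb:bb:bb:02", "10.0.0.1", "cc:cc:cc:cc:cc:05", "10.0.0.5"),
]


def run_monitor(frames):
    """Feed frames through one monitor and return the alerts it raised."""
    mon = ArpMonitor()
    return [a for a in (mon.observe(f) for f in frames) if a]


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_FRAMES):
        print(alert)
```

A real deployment would also whitelist legitimate changes (DHCP churn, NIC replacement), but the detection primitive is exactly this comparison.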
Source routing
- The route taken by TCP/IP packets is determined by routers' routing tables
- Source routing allows bypassing this: specify the path that packets should take
- E.g., an authorized host can specify the path:
  - Auth host -> A -> C -> D -> Server
  - Auth host -> A -> B -> D -> Server

Source routing
- This allows an attacker to:
  - Discover the network
  - Have its packets go through a specific network path
  - Bypass IP address rules (TCP wrappers)
  - Access computers behind a NAT / private address space
- Solution: always disallow source routing; it works :)
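"Always disallow source routing" means a host or filter has to recognise the IPv4 options that request it: Loose Source and Record Route (option type 131) and Strict Source and Record Route (type 137). The following is an added example, not code from the lecture: it builds an IPv4 header with an LSRR option, walks the options area correctly (single-byte EOL and NOP, length-prefixed everything else), and returns the requested hop list so a filter can drop the packet. Addresses are from the documentation ranges and constructed; checksums are left at zero.

```python
# Added example (not from the lecture): detecting IPv4 source-route options
# so a filter can drop the packet. Packets are constructed.
import ipaddress
import struct

OPT_EOL, OPT_NOP, OPT_LSRR, OPT_SSRR = 0, 1, 131, 137


def source_route_option(kind, hops):
    """Option layout: type, length, pointer (4 = first address), then hop addresses."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return struct.pack("!BBB", kind, 3 + len(body), 4) + body


def build_ipv4(src, dst, options=b"", payload=b""):
    options += b"\x00" * ((-len(options)) % 4)     # options area is padded to 32 bits
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options + payload


def find_source_route(pkt):
    """Return {'kind': 'loose'|'strict', 'hops': [...]} or None if no such option."""
    ihl = pkt[0] & 0x0F
    if ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("bad IHL")
    opts = pkt[20:ihl * 4]
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == OPT_EOL:
            break                              # end of option list
        if t == OPT_NOP:
            i += 1                             # single-byte padding option
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if t in (OPT_LSRR, OPT_SSRR):
            route = opts[i + 3:i + length]     # skip type, length, pointer
            hops = [str(ipaddress.IPv4Address(route[j:j + 4]))
                    for j in range(0, len(route) - len(route) % 4, 4)]
            return {"kind": "loose" if t == OPT_LSRR else "strict", "hops": hops}
        i += length
    return None


def should_drop(pkt):
    """Policy from the slide: any source-routed packet is rejected."""
    return find_source_route(pkt) is not None


# Constructed packets: one ordinary, one asking to be routed via two hops
PLAIN = build_ipv4("192.0.2.10", "198.51.100.7", payload=b"hello")
ROUTED = build_ipv4("192.0.2.10", "198.51.100.7",
                    options=source_route_option(OPT_LSRR, ["203.0.113.1", "203.0.113.9"]),
                    payload=b"hello")

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("routed", ROUTED)):
        print(name, find_source_route(pkt), "drop" if should_drop(pkt) else "accept")
```

Malformed option lengths raise rather than being skipped, which is the safer default for a filter: a packet whose options cannot be parsed should not be forwarded on the assumption that it is harmless.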
DNS
- Domain Name Service: maps host names to IP addresses on the Internet
- Makes the Internet more user friendly
- A distributed system
  - Root servers are at fixed IPs: the hints file http://www.internic.net/zones/named.root
  - They provide the IP addresses of TLD servers, Top Level Domains (.com, .net, .org)
  - DNS servers provide IP addresses for domains
  - Etc...

DNS
- Their security is very important:
  - Integrity of DNS responses
  - Availability: www.bank.com
  - SSL certificates certify hostnames, not IP addresses
  - No DNS, no Internet :(
- Scalability: extensive caching
Recursive DNS Request
- (figure: step-by-step walk of a recursive lookup, from the client through the cache server to the root, TLD and authoritative servers)
Recursive DNS Requests
- The record is obtained from the DNS architecture the first time
- It will remain in the cache until the TTL times out
- This record must not be corrupted

Kaminsky Attack I
- In 2007 Dan Kaminsky found a serious issue: almost all DNS server implementations were vulnerable to cache poisoning
- Allows inserting malicious information in a cache server
- Attacker-controlled glue records allow forging the DNS server for a domain in the cache

Cache poisoning attacks
- How do we know that the response received is actually a reply to our query?
- Rely on the transaction serial number
- Can it be predicted by the attacker?
Normal DNS Request
- (figure, source: http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html)

Basic Poisoning Attack Overview
- (figure, source: http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html)
DNS Cache poisoning
- The Query ID can be guessed... Solution? It should be random, with a good random number generator!
- Randomize the Query ID: a 16-bit field, 64k possibilities
- An attacker has large chances to fail, and when it fails the targeted record is loaded in the cache

Glue records
- There is a chicken-and-egg problem in the DNS system, e.g.:
  - Q: Who is the NS for domain.com?
  - R: ns.domain.com
- We need a glue record: glue records are used when the name server is a host of that domain, and provide its IP address
  - Q: Who is the NS for domain.com?
  - R: ns.domain.com, and it is at a.b.c.d

Kaminsky Attack
- Glue records are cached as well. What if we poison a glue record?
- Completely owns the domain, can forge any hostname of that domain
- Query ID randomization? A failed attempt is not a problem, so we can try many times!
Kaminsky Attack Wrap-up
- (figure, source: http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html)

DNS cache poisoning
- Very damaging attacks. Mitigations:
  - Cache servers should not face the Internet, e.g. not be at the same time a cache server and an authoritative server for a domain
  - Randomize: Query ID, source port, host name capitalization
  - DNSSEC: authenticated DNS records
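The randomization mitigations above all work the same way: they enlarge the set of values a blind spoofer must match before the resolver accepts a reply. The following is an added example, not code from the lecture: a toy resolver that only accepts a response whose query ID, destination port and exact query-name spelling (0x20 case randomization) match an outstanding query. It adds one check the slide does not list but real resolvers apply, the "bailiwick" rule, which drops additional records (such as glue) that fall outside the zone being queried; this is what blunts the glue-record trick of the Kaminsky attack. blind_guess_space counts the combinations each option adds. Names and addresses are constructed.

```python
# Added example (not from the lecture): a toy resolver applying the
# anti-spoofing checks, plus a bailiwick rule. Names and data are constructed.
import random


def randomize_case(name, rng):
    """0x20 encoding: flip the case of each letter at random; the reply must echo it."""
    return "".join(c.upper() if (c.isalpha() and rng.random() < 0.5) else c.lower()
                   for c in name)


def in_bailiwick(record_name, zone):
    """A record is only accepted if it lies in the zone the query was about."""
    record_name, zone = record_name.lower().rstrip("."), zone.lower().rstrip(".")
    return record_name == zone or record_name.endswith("." + zone)


class Resolver:
    def __init__(self, seed=1, random_port=True, case_0x20=True):
        self.rng = random.Random(seed)
        self.random_port = random_port
        self.case_0x20 = case_0x20
        self.pending = {}      # (qid, sport) -> (qname as sent, zone being queried)
        self.cache = {}        # name -> rdata

    def send_query(self, name, zone):
        qid = self.rng.getrandbits(16)
        sport = self.rng.randint(1024, 65535) if self.random_port else 53
        qname = randomize_case(name, self.rng) if self.case_0x20 else name
        self.pending[(qid, sport)] = (qname, zone)
        return {"qid": qid, "sport": sport, "qname": qname}

    def receive(self, resp):
        """resp: {'qid', 'dport', 'qname', 'answers': [(name, rdata), ...]}"""
        key = (resp["qid"], resp["dport"])
        if key not in self.pending:
            return "dropped: no matching query"
        qname, zone = self.pending[key]
        if resp["qname"] != qname:               # spelling must match exactly
            return "dropped: qname mismatch"
        del self.pending[key]
        accepted = 0
        for name, rdata in resp["answers"]:
            if not in_bailiwick(name, zone):
                continue                         # out-of-zone glue is ignored
            self.cache[name.lower()] = rdata
            accepted += 1
        return f"accepted {accepted} record(s)"


def blind_guess_space(name, random_port=True, case_0x20=True):
    """Number of (qid, port, spelling) combinations a blind spoofer must cover."""
    letters = sum(c.isalpha() for c in name)
    ports = 64512 if random_port else 1          # ephemeral range 1024..65535
    return 65536 * ports * (2 ** letters if case_0x20 else 1)


if __name__ == "__main__":
    r = Resolver(seed=7)
    q = r.send_query("www.example.test", "example.test")
    print("sent", q)
    forged = {"qid": 0, "dport": q["sport"], "qname": q["qname"],
              "answers": [("www.example.test", "203.0.113.66")]}
    print("forged reply:", r.receive(forged))
    print("guess space:", blind_guess_space("www.example.test"))
```

The guess-space numbers make the slide's point concrete: a fixed source port leaves 65,536 combinations, which is why the Kaminsky observation that failed attempts are free was so serious, while port randomization multiplies that by roughly 64,000.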
The Border Gateway Protocol :: The art of building the Internet
- The Internet is divided into thousands of smaller networks called Autonomous Systems (ASes), each administered by a single entity (e.g., an Internet Service Provider, a company, a university)
- Each AS owns or is responsible for managing a set of network IP addresses (e.g., AS3 is responsible for the IP address block 2.2.0.0/16)
- The Border Gateway Protocol (BGP) allows ASes to interconnect with each other by exchanging network IP address block reachability information; BGP glues ASes together to form the Internet
- (figure: AS1 to AS5 joined by physical links, with BGP messages exchanged over them; the address blocks shown are 1.1.0.0/16, 1.2.0.0/16, 2.2.0.0/16 (AS3), 5.0.0.0/8, 45.54.0.0/16, 45.55.0.0/16 and 15.1.2.0/24)
- The announcement propagates hop by hop:
  - AS3 to AS1, AS4: "I am AS3 and I am responsible for 2.2.0.0/16!"
  - AS1 to AS2: "AS3 told me he is responsible for 2.2.0.0/16!"
  - AS4 to AS2, AS5: "AS3 told me he is responsible for 2.2.0.0/16!"
- All networks on the Internet can eventually talk to each other!
The Border Gateway Protocol :: The art of building the Internet
- BGP messages record the path of ASes they go through, to avoid routing loops
- (figure: AS35289 Symantec Ltd originates 192.92.94.0/24)
  - AS35289 announces: Network 192.92.94.0/24, AS path: AS35289
  - AS5466 Eircom Ltd passes it on to the Internet: Network 192.92.94.0/24, AS path: AS5466,AS35289
  - AS702 Verizon passes it on to the Internet: Network 192.92.94.0/24, AS path: AS702,AS35289

The Border Gateway Protocol :: The art of building the Internet
- Inter-AS links reflect the business relationships between their respective owners (e.g., some provide transit connectivity to the Internet to their customers)
- (figure: AS5466 Eircom Ltd and AS702 Verizon are the upstream transit providers of their customer AS35289 Symantec Ltd, 192.92.94.0/24)

BGP hijacking :: The art of breaking the Internet
- Causes: the injection of erroneous network reachability information into BGP
  - Trust-based exchange of network reachability information
  - No widely deployed security mechanism yet
- Effects on the victim network:
  - Blackhole (e.g., YouTube hijack by Pakistan Telecom)
  - Impersonation (e.g., Spamhaus hijack)
  - MITM (e.g., BGP MITM [1])
- Explanations:
  - Router misconfiguration, operational fault (e.g., AS7007 incident [2])
  - Malicious intent?
[1] Stealing The Internet: An Internet-Scale Man In The Middle Attack (Defcon 2008)
[2] http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html
BGP hijack incidents that made the headlines
- Renesys: 1,500 MITM (traffic interception) hijacks in 2013
- ISC: several banks targeted by BGP hijacks
- BGPmon.net: BGP hijack attack against anti-spam company Spamhaus
- Malicious or benign?
BGP hijacks :: Separate the wheat from the chaff
- Identifying BGP hijacks is challenging:
  - BGP hijacks look similar to some legitimate BGP engineering practices
  - Lack of ground truth information: only the owner of a network can precisely diagnose routing events related to his network

Case I :: BGP blackhole
- DoS of the victim network, similar to the YouTube hijack
- Example (figure): ASX ispam Inc announces Network 192.92.94.0/25 and Network 192.92.94.128/25 with AS path ASX,AS35289; the legitimate 192.92.94.0/24 of AS35289 Symantec Ltd, reached through AS5466 Eircom Ltd and AS702 Verizon, is blackholed
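Two mechanics from the slides decide the outcome of Case I: every AS prepends its own number to AS_PATH and refuses an announcement that already contains it (the loop avoidance described earlier), and forwarding uses longest-prefix match, so two /25 announcements beat the victim's /24 everywhere, even in ASes that still hold the /24. The following is an added example, not code from the lecture; it floods announcements over a constructed topology whose AS names echo the slide, keeps the shortest AS_PATH per prefix in each AS, and looks up an address before and after the hijack.

```python
# Added example (not from the lecture): AS_PATH loop avoidance and the
# longest-prefix-match effect behind a more-specific hijack.
# Topology, prefixes and the ASX hijacker are constructed.
import ipaddress
from collections import deque

# Undirected peering links between the constructed ASes
LINKS = [("AS35289", "AS5466"), ("AS35289", "AS702"),
         ("AS5466", "INTERNET"), ("AS702", "INTERNET"), ("ASX", "INTERNET")]


def neighbours(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def propagate(links, origin, prefix, rib):
    """Flood one announcement; each AS keeps the shortest AS_PATH per prefix.
    AS_PATH is stored nearest-AS first, origin last, as on the slides."""
    adj = neighbours(links)
    net = ipaddress.ip_network(prefix)
    queue = deque([(origin, (origin,))])
    while queue:
        asn, path = queue.popleft()
        table = rib.setdefault(asn, {})
        current = table.get(net)
        if current is not None and len(current) <= len(path):
            continue                       # already holds an equal or shorter path
        table[net] = path
        for nxt in adj.get(asn, ()):
            if nxt in path:
                continue                   # loop avoidance: never re-enter an AS already on the path
            queue.append((nxt, (nxt,) + path))


def lookup(rib, asn, address):
    """Longest-prefix match in one AS's table; returns (prefix, AS_PATH) or None."""
    ip = ipaddress.ip_address(address)
    matches = [(net, path) for net, path in rib.get(asn, {}).items() if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def simulate_case_i():
    """Victim announces its /24; the hijacker then announces both halves as /25s."""
    rib = {}
    propagate(LINKS, "AS35289", "192.92.94.0/24", rib)
    before = lookup(rib, "INTERNET", "192.92.94.10")
    propagate(LINKS, "ASX", "192.92.94.0/25", rib)
    propagate(LINKS, "ASX", "192.92.94.128/25", rib)
    after = lookup(rib, "INTERNET", "192.92.94.10")
    return before, after


if __name__ == "__main__":
    before, after = simulate_case_i()
    print("before hijack:", before[0], "via", ",".join(before[1]))
    print("after hijack: ", after[0], "via", ",".join(after[1]))
```

Note that the /24 is never withdrawn: it is still in every table after the hijack, and the lookup result changes only because the more specific route wins. That is why a monitoring system has to alarm on new more-specific announcements for its prefixes rather than waiting for its own route to disappear.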
Case II :: BGP impersonation, fly-by spammers
- Conjecture: spammers would use BGP hijacking to send spam from the stolen IP space and evade spam sender blacklists
  - BGP spectrum agility: short-lived (< 1 day) spam networks [3]
- Potential effects:
  - Misattributing attacks launched from hijacked networks, due to hijackers stealing IP identity
  - Spam filters heavily rely on IP reputation as a first layer of defense
[3] Understanding the Network-level Behavior of Spammers (SIGCOMM 2006)

Fly-by spammers :: Hijack signature
- Hijacked networks are dormant IP address blocks, i.e., by the time the networks are hijacked they have been left unadvertised by their owner
- Advertised for a rather short period of time
- AS hijack: the prefix is advertised in BGP from an apparently legitimate AS, but via a presumably illegitimate upstream provider AS
- Prefix hijack: the prefix is advertised in BGP from an apparently rogue AS, but via a presumably legitimate upstream provider AS

Fly-by spammers :: AS hijack illustration
- (figure: ASY, owner of A.B.C.0/24, is the legitimate AS; ASX ispam Inc acts as an illegitimate upstream transit provider and announces Network A.B.C.D/E with AS path ASX,ASY; spam is then sent from A.B.C.1 through A.B.C.255)

Fly-by spammers :: case study
- IP prefixes are only announced when spam is received!
- Few blacklisted spam sources at the time of the BGP announcements!

Case III :: BGP Man-In-The-Middle
- Step 1: discover the path between AS_Mallory (attacker) and AS_Alice (victim): AS_Mallory, AS_D, AS_A, AS_Alice
- Step 2: advertise a more specific prefix 66.102.0.0/24 and secure a backup route (P)
- Step 3: adjust TTLs (ultimate stealth!)
- Stealing The Internet: An Internet-Scale Man In The Middle Attack (Defcon 2008)

Securing BGP?
- Security extensions to BGP, e.g., RPKI, ROVER
  - Similar to DNSSEC for DNS
  - Deployment is expensive
- BGP monitoring: analyze BGP updates and trigger an alarm upon an abnormal routing change, e.g., a BGP hijack
  - e.g., BGPmon.net, Renesys (Dyn), UCLA Cyclops
- BGP best current practices, e.g., customer route filtering
  - Seldom followed by network operators

Conclusion
- Network attack and defense can be surprisingly easy
- Many countermeasures are known already, and many are in place on most networks
- Still some very difficult attacks to solve and countermeasures to deploy: DoS, DNSSEC
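RPKI's building block is Route Origin Validation: a Route Origin Authorization (ROA) states which AS may originate a prefix and down to which length it may be de-aggregated, and a router classifies each announcement as valid, invalid or notfound (the three states of RFC 6811) before deciding whether to accept it. The following is an added example, not code from the lecture or from any RPKI implementation: a small validator and a filter, run over constructed ROAs and announcements whose prefixes echo the slides, including the Case I /25 hijack, which comes out invalid because the owner's ROA caps its prefix at /24.

```python
# Added example (not from the lecture): RFC 6811 route origin validation
# against a set of ROAs. ROAs and announcements are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str        # covered address block
    max_length: int    # longest prefix the origin may announce inside it
    origin_as: str


def validate_origin(route_prefix, origin_as, roas):
    """Return 'valid', 'invalid' or 'notfound' for one (prefix, origin) pair."""
    net = ipaddress.ip_network(route_prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "notfound"          # nobody has registered this address space
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"               # wrong origin, or more specific than allowed


def filter_routes(routes, roas, drop_invalid=True):
    """Apply ROV to (prefix, origin) announcements; notfound routes are kept,
    which is the usual deployment choice while ROA coverage is incomplete."""
    kept, dropped = [], []
    for prefix, origin in routes:
        state = validate_origin(prefix, origin, roas)
        target = dropped if (state == "invalid" and drop_invalid) else kept
        target.append((prefix, origin, state))
    return kept, dropped


# Constructed ROAs: AS35289 holds 192.92.94.0/24 and may not split it;
# AS3 holds 2.2.0.0/16 and may announce pieces down to /20
ROAS = [ROA("192.92.94.0/24", 24, "AS35289"), ROA("2.2.0.0/16", 20, "AS3")]

# Constructed announcements: legitimate ones, the Case I hijack, and a few edge cases
ROUTES = [("192.92.94.0/24", "AS35289"),
          ("192.92.94.0/25", "ASX"), ("192.92.94.128/25", "ASX"),
          ("2.2.0.0/16", "AS3"), ("2.2.16.0/20", "AS3"), ("2.2.0.0/24", "AS3"),
          ("2.2.0.0/16", "AS5"), ("5.0.0.0/8", "AS4")]

if __name__ == "__main__":
    kept, dropped = filter_routes(ROUTES, ROAS)
    for prefix, origin, state in kept + dropped:
        print(f"{prefix:18} {origin:8} {state}")
```

The maxLength field is the detail operators get wrong most often: a ROA for a /16 with maxLength 24 authorizes the origin to announce any /24 inside it, but it also means an attacker who can forge that origin AS number can announce a more specific /24 that validates, so maxLength should be as tight as the real announcements allow.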