Abuse of CPE Devices and Recommended Fixes



Similar documents
Moving Target Reference Implementation

Exploring the Interactions Between Network Data Analysis and Security Information/Event Management

2012 CyberSecurity Watch Survey

Contracting Officer s Representative (COR) Interactive SharePoint Wiki

VoIP in Flow A Beginning

Cyber Intelligence Workforce

How To Use Elasticsearch

Applying Software Quality Models to Software Security

Penetration Testing Tools

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division

Supply-Chain Risk Management Framework

Building Resilient Systems: The Secure Software Development Lifecycle

Extending AADL for Security Design Assurance of the Internet of Things

Overview. CMU/SEI Cyber Innovation Center. Dynamic On-Demand High-Performance Computing System. KVM and Hypervisor Security.

Monitoring Trends in Network Flow for Situational Awareness

Network Monitoring for Cyber Security

$100 SiLK Network Flow Sensor

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

Network Analysis with isilk

A Systematic Method for Big Data Technology Selection

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

Risk Management Framework

Buyer Beware: How To Be a Better Consumer of Security Maturity Models

Software Security Engineering: A Guide for Project Managers

DNS Best Practices. Mike Jager Network Startup Resource Center

SOA for Healthcare: Promises and Pitfalls

emontage: An Architecture for Rapid Integration of Situational Awareness Data at the Edge

The Key to Successful Monitoring for Detection of Insider Attacks

SSDP REFLECTION DDOS ATTACKS

Port Blocking A BROADBAND INTERNET TECHNICAL ADVISORY GROUP TECHNICAL WORKING GROUP REPORT. A Uniform Agreement Report

XROADS NETWORKS WHITE PAPER

Data Management Maturity (DMM) Model Update

CRR Supplemental Resource Guide. Volume 5. Incident Management. Version 1.1

Department of Homeland Security Cyber Resilience Review (Case Study) Matthew Butkovic Technical Manager - Cybersecurity Assurance, CERT Division

Software Assurance Competency Model

Azure Multi-Factor Authentication. KEMP LoadMaster and Azure Multi- Factor Authentication. Technical Note

F5 Silverline DDoS Protection Onboarding: Technical Note

CERT Virtual Flow Collection and Analysis

How to launch and defend against a DDoS

Agile Development and Software Architecture: Understanding Scale and Risk

Assurance Cases for Design Analysis of Complex System of Systems Software

Deriving Software Security Measures from Information Security Standards of Practice

Apache: Analyze Logs for Malicious Activities & Monitor Server Performance

DNS amplification attacks

Operationally Critical Threat, Asset, and Vulnerability Evaluation SM (OCTAVE SM ) Framework, Version 1.0

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl 28 Feb 2013 Stichting NLnet Labs

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

Identifying Patterns in DNS Traffic

How To Ensure Security In A System

Open Source Used In Cisco Instant Connect for ios Devices 4.9(1)

A Layperson s Guide To DoS Attacks

RSA Two Factor Authentication

Linking 2 Sites Together Using VPN How To

Incident Management Capability Metrics Version 0.1

SIP Trunking with Microsoft Office Communication Server 2007 R2

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA

Configuring and Monitoring SharePoint Servers

How To Mitigate A Ddos Attack

A Study of Systems Engineering Effectiveness. Building a Business Case for Systems Engineering

Getting Started with Service- Oriented Architecture (SOA) Terminology

GEO Sticky DNS. GEO Sticky DNS. Feature Description

Architectural Implications of Cloud Computing

Using Web Security Services to Protect Portable Devices

AI Engine Rules June 2014

Penetration Testing Walkthrough

Network Security Equipment The Ever Changing Curveball

POTTAWATOMIE TELEPHONE COMPANY BROADBAND INTERNET SERVICE DISCLOSURES. Updated November 19, 2011

Contents Firewall Monitor Overview Getting Started Setting Up Firewall Monitor Attack Alerts Viewing Firewall Monitor Attack Alerts

Internet Service Provider Agreement

CERT Resilience Management Model (RMM) v1.1: Code of Practice Crosswalk Commercial Version 1.1

Trouble Shooting SiteManager to GateManager access via a corporate Intranet

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

RSA Two Factor Authentication. Feature Description

Penetration Testing of Industrial Control Systems

Microsoft Windows Server System White Paper

DDoS Attack and Its Defense

Internet and Intranet Calling with Polycom PVX 8.0.1

Transcription:

Abuse of CPE Devices and Recommended Fixes Dr. Paul Vixie (Farsight Security, Inc.) Chris Hallenbeck (US-CERT, DHS) Jonathan Spring (CERT/CC, Carnegie Mellon) August 7, 2014 Black Hat USA 2014 2014 Carnegie Mellon University

Copyright 2014 Carnegie Mellon University This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense. References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon, CERT and CERT Coordination Center are registered marks of Carnegie Mellon University. DM-0001511 2

Based on a CERT whitepaper Abuse of Customer Premise Equipment and Recommended Actions Goals: 1. Make sure everyone is on the same page 2. Measure what we ve all assumed 3. What we need to do about the problem 3

What is CPE? Customer Premise Equipment Home router PBX Phones i.e. what interfaces with the telco provider PBX image source: Wikipedia user Adamantios (Photo: Jörg Kantel, CC 2.0 license) 4

Threats that abuse CPE (I) The home router is a network proxy for most things on your home network So own that and you control even well-defended devices on the home network DNS changer botnet Attempted to reconfigure home router DNS server to only use adversary s DNS server See FBI s Operation Ghost Click 5

Threats that abuse CPE (II) DDoS DNS reflection and amplification Home routers run a recursive DNS server If it is misconfigured to be open Anyone can ask it anything Spoof UDP packets with target in source IP Reflection Anonymizes attacker, makes hard to block Amplification Responses are 20 times larger than requests (up to 50 times if DNSSEC is used) 6

Millions How many open resolvers? 30 Total Open Resolvers 25 20 15 10 5 There is something of an organic drop, which is mildly encouraging 0 Data source: OpenResolverProject 7

Where are they? It s hard to say exactly what device is the open resolver. But the link speed of the connection gives a good clue as to if it is a home or small-business user as compared to an enterprise Enterprises usually lease lines, or are high-speed Small users tend to be on DSL, cable, etc. 8

Where are they? Internet connection and speed baseline unknown-high unknown-medium isdn-medium framerelay-high consumer satellite-medium ocx-high fixed wireless-medium dialup-low cable-medium mobile wireless-low dsl-medium tx-high Unassigned speed_unknown Internet-wide IP Address Usage 4/4/2013 1/1/2014 5/9/2014 Connection type and speed data source: Neustar 0% 5% 10% 15% 20% 25% 30% 35% 40% 9

Millions Where are they? Open resolver link speed 14 DSL 12 10 8 6 4 2 0 speed unknown tx cable mobile wireless dialup fixed wireless ocx 10

Where are they? They re on DSL links 11% of the Internet 50% of open resolvers They re not on enterprise links Thus it seems the open resolver issue is disproportionately a CPE issue. 11

What do we do? Device manufacturers need a path for continuous upgrades Implement source address validation Reconfigure each device so it can't be leveraged quite so effectively Responsibility to manufacturers and providers 12

Continuous upgrades Current regime is fire-and-forget There is little to no user interface Updates, such as they are, are very manual Home routers may not be replaced until they break They re not shiny or forced into obsolescence like phones There s no path for continuous upgrades And there are plenty of vulnerabilities to exploit 1 1 CVE-2014-0356, CVE-2014-0354, CVE-2014-0353, CVE-2014-1982, CVE-2014-2925, CVE-2014-3792, CVE-2013-4772, CVE-2014-2719, CVE-2013-5948, CVE-2014-0337, CVE-2014-1599, CVE-2013-3365, CVE-2013-3098, CVE-2014-0329, CVE-2013-3090, CVE-2013-3087, CVE-2013-3084, CVE-2013-6343, CVE-2014-0659, CVE-2013-7282, CVE-2013-7043, CVE-2013-6918, CVE-2013-3095, CVE-2013-2271, CVE-2013-5703, CVE-2013-6027, CVE-2013-6026 13

Source address validation Prevent forged packets from being sent in the first place http://tools.ietf.org/html/bcp38 (also BCP 84) www.icann.org/en/committees/security/sac004.txt This has been well documented for a while now No seriously, please. @ customer-facing edge @ data centers 14

Responsibility Who is responsible for the data emitted or forwarded as the result of misconfigurations and errors? Manufacturers Providers who manage configs The incentives must be arranged so that those responsible can and will fix the issues. 15

Responsibility proper incentives Short-term individual costs are trumping long-term community gains This is predicted by game theory. Well, predicted for irrational agents under certain conditions These public Internet health risks are treated as externalities and not my problem These risks need to be internalized and shared evenly somehow 16

Thanks for Listening! Questions? Comments? 2014 Carnegie Mellon University

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information