HIJACKING LABEL SWITCHED NETWORKS IN THE CLOUD. BSides Asheville 2014




HIJACKING LABEL SWITCHED NETWORKS IN THE CLOUD
BSides Asheville 2014
Paul Coggin, Internetwork Consulting Solutions Architect
@paulcoggin
www.dynetics.com

BGP Hijacking in the News
- 2008: Pakistan Telecom accidentally hijacks
- 2011: Chinanet accidentally hijacks
- In 2010 China Telecom accidentally hijacked 50,000 blocks of IP addresses for 20 minutes
- Renesys reported a major BGP hijacking in 2013: Belarus and Iceland; ISPs possibly compromised; a software bug blamed
http://www.wired.com/2013/12/bgp-hijacking-belarus-iceland/
http://www.blyon.com/hey-att-customers-your-facebook-data-went-to-china-and-korea-this-morning/
http://www.renesys.com/2008/02/pakistan-hijacks-youtube-1/

BGP IP Prefix and AS Hijacking (diagram)
- AS 1 through AS 7 interconnected by eBGP and iBGP sessions (with route reflectors) and an L2 cross connect
- AS 5 hijacks an IP subnet /24
- AS 4 and its IP subnet /24 are hijacked
- The longest IP prefix wins


Virtual Private Networks (taxonomy)
- Virtual Networks
  - Virtual Private Networks
    - Overlay VPN
      - Layer-2 VPN: X.25, F/R, ATM
      - Layer-3 VPN: GRE, IPSec
    - Peer-to-Peer VPN
      - Access lists (shared router)
      - Split routing (dedicated router)
      - MPLS/VPN
  - Virtual Dialup Networks
  - Virtual LANs
- MPLS VPN is not encrypted unless encrypted separately

MPLS and the OSI and TCP/IP Model
OSI Model         MPLS Label Stack                    TCP/IP Model
7 Application                                         Application
6 Presentation
5 Session
4 Transport                                           Transport
3 Network                                             Internet
OSI 2.5           VPN Label / LDP Label / TE Label
2 Data Link       Frame Header                        Network Interface
1 Physical
Annotation on the label stack: "Own the Label Transport"

MPLS Label PCAP
32-bit MPLS label format:
- Label: 20-bit
- EXP: 3-bit
- Bottom-of-Stack: 1-bit
- TTL: 8-bit
Source: http://www.netoptics.com/blog/01-07-2011/sample-pcap-files
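To make the 32-bit label format concrete, here is an added Python decoder (not code from the talk) that walks a label stack entry by entry until the Bottom-of-Stack bit is set and names the reserved label values from RFC 3032; the sample bytes are constructed here, not taken from the slide's pcap.

```python
import struct

# Reserved label values defined in RFC 3032; 4..15 are reserved/unassigned.
RESERVED_LABELS = {0: "IPv4 Explicit NULL", 1: "Router Alert",
                   2: "IPv6 Explicit NULL", 3: "Implicit NULL"}

def encode_label(label, exp=0, bos=0, ttl=255):
    """Pack one 32-bit label stack entry: Label(20) | EXP(3) | BoS(1) | TTL(8)."""
    if not (0 <= label < (1 << 20) and 0 <= exp < 8 and bos in (0, 1) and 0 <= ttl < 256):
        raise ValueError("label stack field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)

def parse_label_stack(data):
    """Decode label entries until Bottom-of-Stack is set.

    Returns (entries, offset_of_payload). Raises ValueError if the data runs
    out before a BoS entry, which is how a truncated or malformed stack shows up.
    """
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("label stack truncated before Bottom-of-Stack")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = {
            "label": word >> 12,          # top 20 bits
            "exp": (word >> 9) & 0x7,     # 3 experimental / traffic class bits
            "bos": (word >> 8) & 0x1,     # bottom-of-stack flag
            "ttl": word & 0xFF,           # 8-bit time to live
        }
        entry["name"] = RESERVED_LABELS.get(entry["label"])
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, offset

# Constructed sample (not a capture from the talk): transport label 16 (BoS=0)
# over VPN label 100 (BoS=1), followed by the first byte of an IPv4 header.
SAMPLE = (encode_label(16, exp=0, bos=0, ttl=255)
          + encode_label(100, exp=5, bos=1, ttl=64)
          + b"\x45")

if __name__ == "__main__":
    stack, payload_at = parse_label_stack(SAMPLE)
    for e in stack:
        print(e)
    print("payload starts at byte", payload_at, "first byte", hex(SAMPLE[payload_at]))
```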

MPLS Architecture Overview
Diagram: VPN_A sites 10.2.0.0, 11.6.0.0, 11.5.0.0 and 10.1.0.0; VPN_B sites 10.2.0.0, 10.1.0.0 and 10.3.0.0 (overlapping customer address space); iBGP sessions between the PE routers.
- P routers (LSRs) are in the core of the MPLS cloud
- PE routers (Edge LSRs or LERs) use MPLS with the core and plain IP with the customer routers
- PE and P routers use the same IGP routing protocol
- PE routers are MP-iBGP fully meshed
- Service provider may accidentally or intentionally misconfigure VPNs
- Utilize IPSEC VPN over MPLS VPN to ensure security

CLI - VRF configuration

  ip vrf cust_a
   rd 200:1
   route-target export 200:1
   route-target import 200:1
  ip vrf cust_b
   rd 200:2
   route-target export 200:2
   route-target import 200:2
  interface Serial2/0
   ip vrf forwarding cust_a
  interface Serial2/1
   ip vrf forwarding cust_b

Diagram annotations:
- 1: MP-BGP; OSPF / ISIS and LDP (provider core)
- 2: Static, BGP, OSPF, EIGRP, RIP (PE-CE routing)
- Cust-1 and Cust-2 sites attached on each side
- MPLS Trust Relationship: Customer trusts service providers
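The following Python check is an added example (not configuration or code from the talk) for the misconfiguration risk noted on the architecture slide: it parses IOS-style ip vrf blocks like the ones above and reports route-target imports that pull in another VRF's exports, plus interfaces bound to a VRF that is never defined; the configuration text is constructed.

```python
# Constructed IOS-style VRF configuration (not the slide's): cust_b has been given
# "route-target import 200:1", which pulls cust_a's routes into cust_b, and
# Serial2/2 is bound to a VRF that is never defined.
CONFIG = """\
ip vrf cust_a
 rd 200:1
 route-target export 200:1
 route-target import 200:1
ip vrf cust_b
 rd 200:2
 route-target both 200:2
 route-target import 200:1
interface Serial2/1
 ip vrf forwarding cust_b
interface Serial2/2
 ip vrf forwarding cust_c
"""

def parse_vrfs(config):
    """Return ({vrf: {"export": set, "import": set}}, {interface: vrf})."""
    vrfs, bindings, block = {}, {}, []
    for raw in config.splitlines():
        if not raw.startswith(" "):                 # start of a top-level block
            block = raw.split()
            if block[:2] == ["ip", "vrf"]:
                vrfs[block[2]] = {"export": set(), "import": set()}
            continue
        line = raw.split()
        if not line:
            continue
        if block[:2] == ["ip", "vrf"] and line[0] == "route-target":
            # "route-target both" is shorthand for export plus import
            kinds = ("export", "import") if line[1] == "both" else (line[1],)
            for kind in kinds:
                vrfs[block[2]][kind].add(line[2])
        elif block[:1] == ["interface"] and line[:3] == ["ip", "vrf", "forwarding"]:
            bindings[block[1]] = line[3]
    return vrfs, bindings

def find_leaks(vrfs, bindings):
    """List imports matching another VRF's exports, and bindings to undefined VRFs."""
    findings = []
    for name, vrf in vrfs.items():
        for other, o in vrfs.items():
            if other != name:
                for rt in sorted(vrf["import"] & o["export"]):
                    findings.append(f"{name} imports RT {rt} exported by {other}")
    for intf, bound in bindings.items():
        if bound not in vrfs:
            findings.append(f"{intf} bound to undefined VRF {bound}")
    return findings
```

Extranet and hub-and-spoke designs share route targets on purpose, so the output is a review list for the operator, not a verdict.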

MPLS Routing Table
- Global Routing Table
- Cust_A MPLS VPN Routing Table
- Cust_B MPLS VPN Routing Table
3 routing tables on 1 router, separated by MPLS VRF

MPLS MP-BGP VPN (diagram)

MPLS Network Attack Vectors

Attack Tree: Network Infrastructure Attack Vectors
- Transport: transport network (RF, Fiber, Copper)
- Network Infrastructure
- Network and System Architecture: centralized, distributed, redundant; physical and logical
- Network Protocols: routing, switching, redundancy
- Apps, Client/Server: HW, SW, Apps, RDBMS; open source; commercial
- Trust Relationships: Internet, BSS, OSS, NMS, Net; network management and network devices; billing, middleware, provisioning; vendor remote access (VT); tech staff remote access; self provisioning; physical access; trusted insider; cross connect; in-band management; physical access to configuration settings

Attack paths shown in the tree:
- SNMP community string dictionary attack with spoofing -> download router/switch configuration -> build new router configuration file to enable further privilege escalation -> upload new configuration file using compromised SNMP RW string -> own network infrastructure
- Telnet/SSH dictionary attack against routers/switches/NetMgt server -> build new router configuration file to enable further privilege escalation -> own network infrastructure
- Exploit ACL trust relationship -> attack SNMP/Telnet/SSH
- UNIX NetMgt server running NIS v1: ypcat -d <domain> <server IP> passwd -> grab shadow file hashes -> crack passwords -> access server directly -> discover backup HW configs -> crack passwords -> own network infrastructure; find NetMgt passwords and SNMP config files
- MITM ARP poisoning / sniffing -> capture SNMP community strings and unencrypted login/passwords, protocol passwords -> inject new routes or bogus protocol packets -> configure device for further privilege escalation -> own network infrastructure
- Network Mgt application: attempt to login using default login/password -> reconfigure router or switch -> own network infrastructure
- HP OpenView server: enumerate Oracle TNS listener to identify default SIDs -> further enumerate Oracle SIDs to identify default DBA system level accts/passwords -> login to Oracle DB with discovered DBA privilege account -> run Oracle SQL CMDs -> execute OS CMDs from Oracle PL/SQL -> attack network from DB; find NetMgt passwords, SNMP info, OS password files -> crack passwords -> own network infrastructure
- HP OpenView server (user accounts): further enumerate Oracle SIDs to identify user accts -> perform dictionary attack -> run Oracle SQL CMDs -> execute OS CMDs -> add new privileged OS account -> use new privileged OS account to escalate privileged access to network

Service Provider MPLS Network
Diagram: Global Internet reached through a Central Office/POP; PE routers carrying Internet & MPLS VPN traffic (Label, IP) and MPLS VPN traffic (VPN Label, Data); Static and BGP routing toward customers; the provider cloud labelled "Evil Cloud".
Insider Threat:
- Add VPN router
- Layer 2 attacks
- L2TPv3
- ERSPAN
- Lawful Intercept
- GRE tunnel
- Co-location cross connect

Network Management Architecture for a Service Provider
Diagram: Remote VPN NetMgt user / vendor; AAA; NOC; reports database; OSS provisioning (SQL); OSS; Internet; SNMP agent sending alarms, traps, reports and backup IP; DWDM; MPLS core; NMS, EMS and MOM servers; TL1 gateway (TL1 to/from SNMP) for TL1 configuration, provisioning, control and software download; Cust-1 and Cust-2 sites.
Network Operations - Target:
- Leverage intel from exploited ...
- Exploit trust relationship to NOC
- Pivot from NOC to ..., VPNs
- Pivot to Internal, IPTV, VoIP, Internet/BGP, Vendors, Transport
Physical Access:
- In-band Mgt
- Password recovery
- Trust Relationships: SNMP, ACLs, Accts
- Protocols
- AAA, NetMgt IPs

Transit Between MPLS-VPN Backbones
Attack opportunities at the transit point:
- Packet capture
- Inject routes into VPN
- Denial of Service
- Join VPN
- MITM
- Cross-connect
- Inject labeled packets
- Traffic Engineering
- Disable IP TTL
Diagram: Carrier Backbone 1, 2 and 3, each running an IGP (OSPF or ISIS) and LDP; PE-1 and PE-2 at the edges; PE-ASBR1 and PE-ASBR2 meeting at an L2 IX; MP-iBGP for VPN-IPv4 within each backbone and MP-eBGP for VPN-IPv4 between backbones; packets carry Label, IP and Data; MPLS label/prefix recon via ERSPAN or Lawful Intercept feeding the attacker's network monitoring infrastructure.
If BGP is being hijacked, why not MPLS? BGP transport path redirected using MPLS TE?

BGP Route Monitoring
- Monitor your IP prefixes
- Monitor your business partner IP prefixes
- Monitor industry peers for intel to predict future attacks

MPLS Security Recommendations
- Monitor for new, unexpected route advertisements
- Know your network!
- Utilize encryption over MPLS VPN links (IPSEC)
- Whitelist the network trust relationships, including routing protocols
- Whitelist trusted information flows in monitoring
- Utilize a separate VRF for in-band management
- Dedicated out-of-band network management with un-attributable Internet IP for VPN
- AAA with separation of roles and responsibilities for operations and security monitoring
- Configuration management and monitoring: log all changes!!
- 2 factor authentication!
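As an added example (not from the talk) of the prefix monitoring recommended here and on the BGP Route Monitoring slide, this Python check compares constructed BGP announcements against a watch list of owned and partner prefixes with their expected origin AS, flagging announcements with a wrong origin and the more-specific announcements that win by longest prefix match (the "longest IP prefix wins" case from the hijacking diagram). All prefixes and AS numbers are constructed documentation values.

```python
import ipaddress

# Constructed watch list (not from the talk): prefixes we own or care about
# (a partner's block, say), each mapped to the origin AS expected to announce it.
WATCHLIST = {
    "203.0.113.0/24": {64500},    # our block
    "198.51.100.0/23": {64501},   # business partner's block
}

# Constructed announcements as (prefix, AS path); the origin AS is the last hop.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64510, 64500]),   # legitimate announcement
    ("203.0.113.0/25", [64520, 64999]),   # more-specific from a foreign origin
    ("198.51.100.0/23", [64510, 64666]),  # same prefix, wrong origin AS
    ("198.51.100.0/24", [64510, 64501]),  # more-specific, but from the expected origin
    ("192.0.2.0/24", [64510, 64700]),     # unrelated prefix, ignored
]

def check_announcement(prefix, as_path, watchlist=WATCHLIST):
    """Return a finding for a suspicious announcement, or None if it is expected."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for watched, origins in watchlist.items():
        wnet = ipaddress.ip_network(watched)
        # Only announcements inside (or equal to) a watched prefix can hijack it
        if net.version != wnet.version or not net.subnet_of(wnet):
            continue
        more_specific = net.prefixlen > wnet.prefixlen
        if origin not in origins:
            kind = "more-specific hijack" if more_specific else "origin hijack"
            return (f"{kind}: {prefix} from AS{origin} via {as_path}, "
                    f"expected origin {sorted(origins)} for {watched}")
        if more_specific:
            # Expected origin, but longer than the prefix we announce: worth a look
            return f"deaggregation by expected origin: {prefix} AS{origin} under {watched}"
    return None

def monitor(announcements, watchlist=WATCHLIST):
    """Run every announcement through the check and keep the findings, in order."""
    findings = []
    for prefix, as_path in announcements:
        finding = check_announcement(prefix, as_path, watchlist)
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in monitor(ANNOUNCEMENTS):
        print(f)
```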

References
- Internet Routing Architectures, Halabi, Cisco Press
- MPLS VPN Security, Michael H. Behringer, Monique J. Morrow, Cisco Press
- ISP Essentials, Barry Raveendran Greene, Philip Smith, Cisco Press
- Router Security Strategies: Securing IP Network Traffic Planes, Gregg Schudel, David J. Smith, Cisco Press
- MPLS and VPN Architectures, Jim Guichard, Ivan Pepelnjak, Cisco Press
- MPLS Configuration on Cisco IOS Software, Lancy Lobo, Umesh Lakshman, Cisco Press
- Traffic Engineering with MPLS, Eric Osborne, Ajay Simha, Cisco Press
- LAN Switch Security: What Hackers Know About Your Switches, Eric Vyncke, Christopher Paggen, Cisco Press
- RFC 2547, RFC 2547bis, RFC 2917, RFC 4364
- Attack Trees, Bruce Schneier, https://www.schneier.com/paper-attacktrees-ddj-ft.html
- http://www.nrl.navy.mil/itd/ncs/products/core
- http://www.cisco.com/go/mpls
- http://www.wired.com/2013/12/bgp-hijacking-belarus-iceland/
- http://www.blyon.com/hey-att-customers-your-facebook-data-went-to-china-and-korea-this-morning/
- http://www.renesys.com/2008/02/pakistan-hijacks-youtube-1/
- http://www.netoptics.com/blog/01-07-2011/sample-pcap-files

Questions?
paul.coggin@dynetics.com
@paulcoggin