Cloud Attack Mitigation & Firewall on Demand
Attacks Against the Cloud:
A Mitigation Strategy
Leonidas Poulopoulos
Alex Zacharis
Content
Roles-Actors-Services
Security Measures
Incident Response
Statistics
Security Tools
Firewall on Demand
Live Demo
Roles-Actors-Services
Security Officer
GRNET CERT
Dev. Team
NOC
Helpdesk
Users
Service: ~okeanos
IaaS Service
Create VMs
Security Measures
Admin/Dev Side
Password Policy
Log Monitoring
Update/Patching Policy
Firewalling – FOD
Audits (Pen Tests, Code Audits)
Client Side
SSL (2048-bit keys)
Shibboleth
Incident Response
Attacks launched on others from within Okeanos infrastructure.
Compromise of individual user accounts or VMs
Scans of University or other Computer Security Systems.
Spam and mail forgery that originates from, or is relayed through
Okeanos.
Viruses, Worms and Trojan Horses
Threats to individuals (only in conjunction with law enforcement)
Involvement in Criminal Activity (only in conjunction with law
enforcement)
DoS & DDoS attacks
Phishing Attacks
Hosting Illegal content
Copyright Infringement
Incident Examples: Phishing
Phishing Page (Visa)
Abuse Mail Received
Incident Analysis
A hosted WordPress site was found to contain a fake Visa phishing page.
The malicious URLs:
http://83.212.101.1/wp-includes/css/visa.dk/
http://83.212.101.1/wp-includes/css/dk.zip
Stolen credentials were sent to the following e-mail address:
$send2="[email protected]"
Actions Taken
Page take-down; user informed
Statistics 2012 - 2013
[Chart: Abuses per year: 2011: 1, 2012: 23, 2013: 140]
[Chart: Abuses per category (2011-2013): Category 1: 16, Category 2: 134, Category 3: 14]
[Chart: Abuses per month (2013)]
[Chart: Abuse type: Scan, OpenDNS, bruteforce, network-scan, Commercial aim, DDoS, DoS, other (values as extracted, in legend order: 42, 20, 19, 15, 7, 18, 7, 36)]
Statistics 2014
[Chart: Abuses per category (Jan-Jun 2014): Category 1: 46, Category 2: 180, Category 3: 10]
[Chart: Number of abuses per month, Jan 2014 - Jun 2014]
[Chart: Incidents per type; note: open DNS resolvers that turned into a DDoS attack]
Statistics 2013 vs 2014
[Chart: Number of abuses per month, Jan-Jun, 2014 vs 2013]
[Chart: Incidents per category per year, 2014 vs 2013]
Mitigation Strategy: Security Checks
Audits
Web Scans
Code Audits
Stress Testing
Release Check
Tools Used:
Acunetix
BackTrack
Tool Development
CLOUD HONEYPOT VISUALIZER
CLOUD POLICY ENFORCER
Cloud Honeypot Visualizer
Stats: [chart]
Cloud Policy Enforcer
Checks for:
1. Hosting of illegal services (e.g. torrent tracker)
2. Illegal content (e.g. images, phishing forms)
3. Dangerous content (e.g. viruses, trojans)
Cloud Policy Enforcer
WWW Capture
DDoS facts
[Chart: DDoS attack size per year in Gbps: 2002: <1, 2003: 1, 2004: 3, 2005: 10, 2006: 17, 2007: 24, 2008: 40, 2009: 49, 2010: 100, 2011: 60, 2012: 60, 2013: 309, 2014: 400]
Staying alive…
ACLs, firewall filters
BGP FlowSpec – Quick recap
RFC 5575: “Dissemination of flow specification rules with BGP”
BGP propagates an n-tuple filter with flow matching criteria and actions.
MATCH: source/dest prefix, source/dest port, ICMP type/code, packet size, DSCP, TCP flags, fragment type, etc.
ACTIONS: accept, discard, rate-limit, sample, redirect, etc.
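The match criteria and actions above travel on the wire as a FlowSpec NLRI (a length byte followed by type-ordered components) plus an extended community for the action. The following is an added example, not code from this presentation or from the flowspy project: it encodes and decodes an IPv4 FlowSpec NLRI as RFC 5575 lays it out and builds the traffic-rate community (rate 0 = discard). The victim address 10.0.0.1/32 and the rule itself are constructed placeholders.

```python
"""Encode/decode RFC 5575 IPv4 FlowSpec NLRI and the traffic-rate community.
Added example; not code from the FoD/flowspy project."""
import ipaddress
import struct

# RFC 5575 section 4 component types (IPv4)
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12

# Numeric-operator bits: eq/gt/lt, AND-with-previous-term, end-of-list
OP_EQ, OP_GT, OP_LT, OP_AND, OP_END = 0x01, 0x02, 0x04, 0x40, 0x80


def prefix_component(ctype, cidr):
    """Type 1/2 component: <type><prefix length><prefix bytes, trailing zero bytes trimmed>."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric_component(ctype, terms):
    """Type 3..12 component from [(op_flags, value), ...].

    Terms are OR'ed unless a term carries OP_AND; the last term gets the
    end-of-list bit. The value width (1/2/4/8 bytes) is encoded in bits 5-4.
    """
    out = bytearray([ctype])
    for i, (op, value) in enumerate(terms):
        width = next(w for w in (1, 2, 4, 8) if value < 1 << (8 * w))
        opbyte = (op & 0x47) | ((width.bit_length() - 1) << 4)
        if i == len(terms) - 1:
            opbyte |= OP_END
        out.append(opbyte)
        out += value.to_bytes(width, "big")
    return bytes(out)


def flowspec_nlri(components):
    """Prefix the components (sorted by type, as RFC 5575 requires) with the NLRI length."""
    body = b"".join(comp for _, comp in sorted(components, key=lambda c: c[0]))
    if len(body) < 0xF0:
        return bytes([len(body)]) + body
    return (0xF000 | len(body)).to_bytes(2, "big") + body  # extended length (< 4096)


def traffic_rate(bytes_per_second, asn=0):
    """Extended community 0x8006: 2-byte AS + IEEE float rate in bytes/s; 0 means discard."""
    return b"\x80\x06" + struct.pack(">Hf", asn, float(bytes_per_second))


def parse_nlri(data):
    """Decode one IPv4 FlowSpec NLRI into {type: value}; returns (rule, remaining bytes)."""
    if data[0] >= 0xF0:
        length, pos = ((data[0] & 0x0F) << 8) | data[1], 2
    else:
        length, pos = data[0], 1
    end, rule = pos + length, {}
    while pos < end:
        ctype = data[pos]
        pos += 1
        if ctype in (DST_PREFIX, SRC_PREFIX):
            plen = data[pos]
            nbytes = (plen + 7) // 8
            addr = data[pos + 1:pos + 1 + nbytes].ljust(4, b"\0")
            rule[ctype] = f"{ipaddress.IPv4Address(addr)}/{plen}"
            pos += 1 + nbytes
        else:
            terms = []
            while True:
                op = data[pos]
                width = 1 << ((op >> 4) & 3)
                terms.append((op & 0x47, int.from_bytes(data[pos + 1:pos + 1 + width], "big")))
                pos += 1 + width
                if op & OP_END:
                    break
            rule[ctype] = terms
    return rule, data[end:]


def discard_udp_dns_rule(victim="10.0.0.1/32"):
    """Constructed rule: drop UDP/53 towards one victim host (a DNS reflection flood).
    10.0.0.1 is a placeholder address, not taken from the presentation."""
    nlri = flowspec_nlri([
        (DST_PREFIX, prefix_component(DST_PREFIX, victim)),
        (IP_PROTO, numeric_component(IP_PROTO, [(OP_EQ, 17)])),
        (DST_PORT, numeric_component(DST_PORT, [(OP_EQ, 53)])),
    ])
    return nlri, traffic_rate(0)


if __name__ == "__main__":
    nlri, action = discard_udp_dns_rule()
    print("NLRI   :", nlri.hex())     # 0c01200a000001038111058135
    print("action :", action.hex())   # 8006000000000000 (traffic-rate 0 = discard)
    print("decoded:", parse_nlri(nlri)[0])
```

The decoder is what a monitoring or audit tool would run over received FlowSpec updates; note that a rule with no destination prefix component would match traffic to anyone, which is exactly why FoD validates the destination before advertising anything.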
BGP FlowSpec vs. RTBH vs. ACLs
vs. ACLs:
• Distributed across the network
• Closer to the source
• Fine-grained even on core/backbone networks
• Multidomain: easy propagation towards the
vs. RTBH:
• FlowSpec is an enhancement of RTBH
• Does not affect all traffic to the victim
• Less coarse
• More actions
• Separate NLRI
Firewall on Demand
GRANULARITY: per-flow level
ACTION: drop, rate-limit, redirect
SPEED: 1-2 orders of magnitude quicker
EFFICIENCY: closer to the source, multi-domain
AUTOMATION: integration with other systems
MANAGEABILITY: status tracking, web interface
NEED FOR BETTER TOOLS TO MITIGATE
FoD Architecture
• https://code.grnet.gr/projects/flowspy
• http://flowspy.readthedocs.org
OPEN SOURCE
How it works
• The customer's NOC logs in to the web tool (Shibboleth) and describes flows and actions
• The destination is validated against the customer's IP space
• A dedicated router is configured (NETCONF) to advertise the route via BGP flowspec
• Dynamic firewall filters are implemented on all routers
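The second and third steps above (validating the destination against the customer's space, then configuring a router) as an added example, not flowspy's own code: a request is checked against the customer's prefixes and, if accepted, rendered as a Junos flow route. The customer prefix 203.0.113.0/24, the request names and the rendering helper are assumptions; the NETCONF push itself (for example with ncclient) is not shown.

```python
"""Validate a Firewall-on-Demand style request and render it as a Junos flow route.
Added example; not code from the flowspy project."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed: the prefixes the customer is allowed to filter (TEST-NET-3, not a real allocation).
CUSTOMER_PREFIXES = ["203.0.113.0/24"]


@dataclass
class FlowRequest:
    name: str
    destination: str                 # must lie inside the customer's prefixes
    source: str = "0.0.0.0/0"
    protocol: Optional[int] = None   # IP protocol number
    dst_ports: List[int] = field(default_factory=list)
    src_ports: List[int] = field(default_factory=list)
    action: str = "discard"          # discard | accept | rate-limit
    rate_limit_bps: int = 0


def validate(req, customer_prefixes):
    """Return rejection reasons (empty list = accepted).

    The essential check is authorisation: a customer may only filter traffic
    destined to prefixes they own, so a destination outside that space, or a
    catch-all destination, is refused before anything reaches BGP.
    """
    errors = []
    try:
        dst = ipaddress.IPv4Network(req.destination, strict=False)
    except ValueError as e:
        return [f"bad destination: {e}"]
    owned = [ipaddress.IPv4Network(p) for p in customer_prefixes]
    if not any(dst.subnet_of(o) for o in owned):
        errors.append(f"{dst} is outside the customer's address space")
    if dst.prefixlen == 0:
        errors.append("destination must not be 0.0.0.0/0")
    if req.protocol is not None and not 0 <= req.protocol <= 255:
        errors.append("protocol must be 0..255")
    for p in req.dst_ports + req.src_ports:
        if not 0 <= p <= 65535:
            errors.append(f"port {p} out of range")
    if (req.dst_ports or req.src_ports) and req.protocol not in (6, 17):
        errors.append("ports require protocol tcp or udp")
    if req.action not in ("discard", "accept", "rate-limit"):
        errors.append(f"unknown action {req.action!r}")
    if req.action == "rate-limit" and req.rate_limit_bps <= 0:
        errors.append("rate-limit needs a positive bps value")
    return errors


def render_junos(req):
    """Render the request in Junos 'routing-options flow route' syntax (assumed form)."""
    def port_list(ports):
        return str(ports[0]) if len(ports) == 1 else "[ " + " ".join(map(str, ports)) + " ]"

    match = [f"destination {req.destination};"]
    if req.source != "0.0.0.0/0":
        match.append(f"source {req.source};")
    if req.protocol is not None:
        match.append(f"protocol {PROTO_NAMES.get(req.protocol, req.protocol)};")
    if req.dst_ports:
        match.append(f"destination-port {port_list(req.dst_ports)};")
    if req.src_ports:
        match.append(f"source-port {port_list(req.src_ports)};")
    then = req.action if req.action != "rate-limit" else f"rate-limit {req.rate_limit_bps}"
    lines = ["routing-options {", "    flow {", f"        route {req.name} {{", "            match {"]
    lines += [f"                {m}" for m in match]
    lines += ["            }", f"            then {then};", "        }", "    }", "}"]
    return "\n".join(lines)


def demo():
    """Constructed requests: one inside the customer's space, one trying to filter someone else's."""
    ok = FlowRequest("block-ntp-reflect", "203.0.113.10/32", protocol=17, src_ports=[123])
    bad = FlowRequest("not-mine", "198.51.100.0/24", protocol=17, dst_ports=[53])
    return validate(ok, CUSTOMER_PREFIXES), validate(bad, CUSTOMER_PREFIXES), render_junos(ok)


if __name__ == "__main__":
    ok_errs, bad_errs, cfg = demo()
    print("ok request :", ok_errs or "accepted")
    print("bad request:", bad_errs)
    print(cfg)
```

Only a request that passes validate() should be rendered and pushed; rejecting a destination outside the customer's prefixes is what stops one FoD user from blackholing another's traffic across the whole backbone.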
GRNET FoD usage examples
GÉANT Tests
Current Status
GRNET: in production since end of 2011
Tests:
Multihop BGP peering with PSNC
Interest/Evaluation from BELNET
GÉANT (https://fod.geant.net)
BGP flowspec enabled in all core devices
Successful tests between GRNET and GÉANT
Can I deploy/try/test it?
Open source project
FoD: https://code.grnet.gr/projects/flowspy
Docs: https://flowspy.readthedocs.org
Ask for a demo account
Demo time…
Enhancements
FoD interfaces to other tools/platforms
REST API
XMPP client/server
ØMQ extensions
Filter counters/graphs
NETCONF
Juniper UtilityMIB
Extensions – rapid anomaly detection
RRD analysis
STD-based
Under dev
Top 5 Dst Port ordered by packets:
Date first seen          Duration    Proto  Dst Port  Flows(%)       Packets(%)      Bytes(%)       pps     bps      bpp
2014-09-28 19:27:42.480  50235.670   TCP    XX        532857(34.0)   134.4 M(19.9)   24.8 G( 5.3)   2674    3.9 M    184
2014-09-26 23:10:13.660  209673.50   UDP    XXXX      132( 0.0)      50.3 M( 7.5)    23.4 G( 5.0)   239     892851   465
2014-09-27 14:17:38.090  155240.05   TCP    XXX       123272( 7.9)   37.4 M( 5.5)    13.8 G( 2.9)   240     709019   368
2014-09-29 07:19:11.840  7515.870    UDP    XX        4057( 0.3)     19.0 M( 2.8)    14.4 G( 3.1)   2521    15.4 M   761
Top 5 Dst IP Addr ordered by packets:
Date first seen          Duration    Proto  Dst IP Addr      Flows(%)      Packets(%)     Bytes(%)       pps      bps     bpp
2014-09-29 09:19:18.730  286.270     UDP    XX.YYY.XX.YY     35642( 2.3)   59.9 M( 8.9)   36.1 G( 7.7)   209192   1.0 G   602
2014-09-29 09:17:22.120  426.850     TCP    XX.X.X.XXX       58534( 3.7)   12.9 M( 1.9)   1.1 G( 0.2)    30317    21.2 M  87
2014-09-29 09:17:22.110  426.860     TCP    XXX.XX.XXX.XXX   39573( 2.5)   11.2 M( 1.7)   1.1 G( 0.2)    26336    20.5 M  97
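The tables above are nfdump top-N output. Below is an added example, not part of the FoD extensions, that parses such rows and flags destinations whose packet rate exceeds a mean + k·stddev threshold computed from that destination's recent history, which is one way to realise the "STD-based" RRD analysis the slide lists as under development. The sample rows reuse the page's masked values; the per-destination baseline histories and the multiplier k are constructed.

```python
"""Parse nfdump top-N rows and flag destinations above a mean + k*stddev baseline.
Added example; not code from the FoD project."""
import re
import statistics

# Constructed sample in the shape of the presentation's "Top 5 Dst IP Addr" output,
# with addresses masked exactly as on the slide.
NFDUMP_TOP_DST = """\
2014-09-29 09:19:18.730 286.270 UDP XX.YYY.XX.YY 35642( 2.3) 59.9 M( 8.9) 36.1 G( 7.7) 209192 1.0 G 602
2014-09-29 09:17:22.120 426.850 TCP XX.X.X.XXX 58534( 3.7) 12.9 M( 1.9) 1.1 G( 0.2) 30317 21.2 M 87
2014-09-29 09:17:22.110 426.860 TCP XXX.XX.XXX.XXX 39573( 2.5) 11.2 M( 1.7) 1.1 G( 0.2) 26336 20.5 M 97
"""

# Constructed per-interval pps history per destination (what an RRD would hold).
BASELINE_PPS = {
    "XX.YYY.XX.YY": [1800, 2100, 1950, 2300, 2050, 1900, 2200, 2000],
    "XX.X.X.XXX": [25000, 31000, 28000, 33000, 27000, 30000, 29000, 32000],
}

SCALE = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}

# One nfdump top-N row: key column, three "count( pct)" columns, then pps, bps, bpp.
ROW = re.compile(
    r"^(?P<first_seen>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<duration>[\d.]+)\s+(?P<proto>\w+)\s+(?P<key>\S+)\s+"
    r"(?P<flows>[\d.]+(?: [KMGT])?)\(\s*[\d.]+\)\s+"
    r"(?P<packets>[\d.]+(?: [KMGT])?)\(\s*[\d.]+\)\s+"
    r"(?P<bytes>[\d.]+(?: [KMGT])?)\(\s*[\d.]+\)\s+"
    r"(?P<pps>[\d.]+(?: [KMGT])?)\s+(?P<bps>[\d.]+(?: [KMGT])?)\s+(?P<bpp>\d+)$"
)


def to_number(text):
    """'59.9 M' -> 59900000.0; '209192' -> 209192.0 (nfdump's K/M/G/T suffixes)."""
    num, _, unit = text.partition(" ")
    return float(num) * SCALE[unit]


def parse_top(output):
    """Turn nfdump top-N text into a list of dicts; non-matching lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rows.append({
            "first_seen": m["first_seen"], "duration": float(m["duration"]),
            "proto": m["proto"], "key": m["key"],
            "flows": to_number(m["flows"]), "packets": to_number(m["packets"]),
            "bytes": to_number(m["bytes"]), "pps": to_number(m["pps"]),
            "bps": to_number(m["bps"]), "bpp": int(m["bpp"]),
        })
    return rows


def std_threshold(history, k=3.0):
    """mean + k * population standard deviation of the history (needs >= 2 samples)."""
    return statistics.mean(history) + k * statistics.pstdev(history)


def flag_anomalies(rows, baselines, k=3.0):
    """Return [(key, pps, threshold)] for rows whose pps exceeds their baseline threshold.

    Keys without a history are skipped rather than flagged: with no baseline
    there is no basis to call the rate anomalous.
    """
    flagged = []
    for r in rows:
        hist = baselines.get(r["key"])
        if not hist or len(hist) < 2:
            continue
        t = std_threshold(hist, k)
        if r["pps"] > t:
            flagged.append((r["key"], r["pps"], round(t, 1)))
    return flagged


if __name__ == "__main__":
    for key, pps, t in flag_anomalies(parse_top(NFDUMP_TOP_DST), BASELINE_PPS):
        print(f"ANOMALY {key}: {pps:.0f} pps > threshold {t} pps")
```

With the constructed baselines only the UDP destination at 209192 pps (about 1 Gbps at 602 bytes per packet, the profile of a reflection flood) crosses its threshold; the TCP destination at 30317 pps sits inside its normal band and the third has no history, so it is reported as nothing rather than as an alarm.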