SysSec 7 Network Security. Aurélien Francillon

Academic year: 2021


Overview

• Reconnaissance: discovering topology and servers
  • Using network tools
• Fingerprinting
• Offensive
  • Man In The Middle attacks, bugs, attacks on routing
  • Bypassing network restrictions

Network Reconnaissance

Reconnaissance

• Network reconnaissance is always a first step
• Nmap, Hping2, Netcat
• Understanding open/filtered ports
• What services are running

Reconnaissance

• Network reconnaissance is always a first step
• Public databases are always a good start
  • whois iseclab.org
  • dig iseclab.org
  • whois 128.130.60.29
• Zone transfers? If very lucky:
  dig axfr ZoneTransfer.me @ns16.zoneedit.com.

Reconnaissance

• Robtex: the Internet Swiss army knife
• GeoIP: approximate physical location of an IP address
  • More accurate solutions exist
• Finger: directory service providing information about users
  • Almost not used anymore

Scanning

• Basics: send a TCP SYN packet
  • Closed port: replies with a RST
  • Open port: replies with SYN/ACK
  • Filtered port: nothing comes back, or an ICMP error packet
  nmap -A -T4 scanme.nmap.org
• Smarter techniques:
  • OS detection
  • Idle scan

Idle Scan

• 2 main purposes: stealth, and reconnaissance
  • A port may be blocked for you on the server
  • Maybe not for the zombie?

Scanning for vulnerabilities directly

• Nessus / OpenVAS
  • Has a list of tests for discovering daemon type, version, kind of service, options set, etc.
  • Has a list of associated vulnerabilities
  • Will check them automatically and generate reports
  • The client/server side can be programmed to run regularly
• Useful for
  • Network administrators, to check for vulnerabilities on the network

Routing, AS, etc.

• The Internet is a set of Autonomous Systems (AS)
  • e.g. Renater, France Telecom, Proxad (Free)
• They are interconnected by links between their routers
• BGP is the protocol used to know on which links to send packets, depending on their destination
• Some of the BGP/AS information is publicly available
  • Whois records
  • Looking glass

Network Attacks

Denial of Service Attacks

DoS is an attack that aims at disrupting a service such that none of the customers can enjoy the service.
It is the consequence of flooding or vulnerability attacks:
• Flooding: an attack that consumes the application's resources at such a rate that the service becomes unresponsive
• Vulnerability attack: a vulnerability causes the application to crash or go into an infinite loop

How common is DoS? Answer: very common.
Research showed ~4,000 reported attacks in a week (and most attacks go unreported).

How likely are you to be a victim of DoS?
A report showed 25% of large companies suffer DoS attacks at some

Denial of Service Attacks

DDoS: Distributed Denial of Service
• Attacking machines are called daemons, slaves, zombies or agents.
• Zombies are usually poorly secured machines that have been exploited.
• Machines that control and command the zombies are called masters or handlers.
• The attacker would like to hide his trace: he hides himself

Denial of Service Amplification

A DoS attacker may look for:
• Network reflectors: to hide the source of the attack, and to prevent blocking it
  • e.g. ICMP reply to a forged source address
• Network "amplifiers": to perform efficient DoS
  • Find a service that replies with N packets when 1 packet is sent with a forged source

Denial of Service Amplification

Examples:
• SYN flood with forged source address
• "Smurf" attack: e.g. send a ping packet to a broadcast address (x.x.x.255)
• DNS can generate many requests when the server is asked about a record not in cache; DNSSEC packets are much larger

Web applications are particularly susceptible to denial of service attacks

• A web application can't easily tell the difference between an attack and ordinary traffic
• Because there is no reliable way to tell whom an HTTP request is coming from, it is very difficult to filter out malicious traffic
  • "Slashdotted" effect
• Most web servers can handle several hundred concurrent users under normal use, but a single attacker can still generate enough traffic from a single host to swamp many applications
• Defending against denial of service attacks is difficult and only a small number of "limited" solutions exist

Research has shown that the majority of attacks are launched by script-kiddies

• Such attacks are "easier" to detect and defend against
• Kids use readily available tools to attack, e.g. the LOIC tool
• Some DoS attacks, however, are highly sophisticated and very difficult to defend against

Denial of Service Attacks:
Defenses, IP layer

• Drop IP connections from a list of IP addresses; put in the list those that send too many SYNs
• Firewall: rate limiting, broadcast packets...
• Reroute BGP to a provider with lots of bandwidth; e.g. the Spamhaus event:
  http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho

Denial of Service Attacks:
Defenses, HTTP layer

• Change the DNS to a CDN (Content Distribution Network)
  • With a lot of bandwidth
  • Caches HTTP requests
  • Applies filtering rules (OWASP); e.g., Akamai:
    http://www.akamai.com/html/solutions/site_defender.html
• Limit complex requests in complexity

Denial of Service Attacks:
Other Defenses

• Use a CAPTCHA if a human is expected to interact
  • But they are annoying, and not that hard to guess by machines after all...
• Use a cryptographic puzzle:
  • Some challenges are slow to compute by the client but fast to verify by the server
  • Sent by the server to the client before handling any further request
  • Not very efficient against DDoS
• Make sure your hosts are patched against DoS vulnerabilities
• Anomaly detection and behavioral models
• Ingress filtering
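An added example of the cryptographic puzzle described above (this is my own construction, not code from the slides): a hash-inversion puzzle where the client has to try roughly 2^difficulty hashes while the server verifies a solution with a single hash. The nonce handling and the PuzzleServer class, including the one-time use of each nonce, are assumptions of this example.

```python
import hashlib
import os


def _digest(nonce, counter):
    return hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()


def solve(nonce, difficulty_bits, limit=1 << 24):
    """Client side: search for a counter such that SHA-256(nonce || counter)
    has difficulty_bits leading zero bits. Expected cost ~2**difficulty_bits
    hashes. Returns (counter, hashes_computed)."""
    target = 1 << (256 - difficulty_bits)
    for counter in range(limit):
        if int.from_bytes(_digest(nonce, counter), "big") < target:
            return counter, counter + 1
    raise RuntimeError("no solution within limit")


class PuzzleServer:
    """Server side: hands out puzzles and checks solutions with one hash each."""

    def __init__(self, difficulty_bits):
        self.difficulty_bits = difficulty_bits
        self.outstanding = set()   # nonces issued but not yet solved

    def challenge(self, nonce=None):
        # A caller may pass a fixed nonce for reproducible tests; normally it is random.
        nonce = nonce or os.urandom(16)
        self.outstanding.add(nonce)
        return nonce, self.difficulty_bits

    def accept(self, nonce, counter):
        """True only for a nonce we issued that is still unsolved and a counter
        that meets the target. The nonce is consumed, so a solution cannot be replayed."""
        if nonce not in self.outstanding:
            return False
        target = 1 << (256 - self.difficulty_bits)
        if int.from_bytes(_digest(nonce, counter), "big") >= target:
            return False
        self.outstanding.discard(nonce)
        return True


if __name__ == "__main__":
    server = PuzzleServer(difficulty_bits=12)
    nonce, bits = server.challenge()
    counter, work = solve(nonce, bits)
    print(f"client computed {work} hashes; server verified with 1:", server.accept(nonce, counter))
```

Raising difficulty_bits by one doubles the client's expected work while the server's cost stays at one hash, which is the asymmetry the slide relies on; against a DDoS the cost is spread over many zombies, which is why the slide calls it not very efficient there.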

TCP connection-hijacking

• A bit "old-school"
  • Was used by Kevin Mitnick in 1995...
  • Attack on RSH to gain access on a server
  • With control of a computer on the network
• Principle of the attack:
  • Impersonate a computer with IP spoofing
  • TCP sequence number guessing, to send packets while ignoring responses
  • DoS the spoofed machine

TCP connection-hijacking: RSH

• Remote Shell
  • "Ancestor" of SSH
• Can be configured to allow/deny connections based on:
  • Remote username
  • IP address
• No crypto in place... but hijacking an IP address is not easy.

TCP connection-hijacking:
TCP 3-way handshake

TCP connection-hijacking:
TCP SYN-flooding

• The server keeps a state for each opening connection in a buffer
• This buffer has a limited size

(Figure: SYN, SYN/ACK exchange)
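As an added illustration (not code from the slides), the following Python simulation replays a constructed packet trace against a server whose half-open buffer has a fixed size, first without and then with the "blocklist sources that send too many SYNs" rule from the IP-layer defenses slide. The addresses, the buffer size and the threshold are made up for the demo.

```python
from collections import Counter

# Constructed packet trace of (source IP, TCP flag) pairs as seen by the server.
# 10.0.0.5 and 10.0.0.6 are legitimate clients that complete the handshake;
# 198.51.100.7 only ever sends SYNs, as a SYN flooder (or a forged source) would.
TRACE = [
    ("10.0.0.5", "SYN"), ("10.0.0.5", "ACK"),
    ("198.51.100.7", "SYN"), ("198.51.100.7", "SYN"), ("198.51.100.7", "SYN"),
    ("198.51.100.7", "SYN"), ("198.51.100.7", "SYN"),
    ("10.0.0.6", "SYN"), ("10.0.0.6", "ACK"),
]


def simulate(trace, backlog=4, syn_threshold=3):
    """Replay the trace against a server with a bounded half-open buffer.

    backlog:       how many half-open entries (SYN received, final ACK pending)
                   the server can hold; a SYN arriving when it is full is dropped.
    syn_threshold: a source that sends more than this many SYNs without
                   completing a handshake is blocklisted and its entries freed.
                   None disables the blocklist so the flood can be observed.
    """
    half_open = []                  # one entry per pending handshake
    syns = Counter()                # SYNs per source since its last completed handshake
    blocklist = set()
    stats = {"established": 0, "dropped_full": 0, "dropped_blocked": 0}
    for src, flag in trace:
        if src in blocklist:
            stats["dropped_blocked"] += 1
            continue
        if flag == "SYN":
            syns[src] += 1
            if syn_threshold is not None and syns[src] > syn_threshold:
                blocklist.add(src)
                half_open = [s for s in half_open if s != src]  # free the flooder's slots
                stats["dropped_blocked"] += 1
            elif len(half_open) >= backlog:
                stats["dropped_full"] += 1  # buffer exhausted: this is the denial of service
            else:
                half_open.append(src)
        elif flag == "ACK" and src in half_open:
            half_open.remove(src)       # handshake completed, slot released
            syns[src] = 0
            stats["established"] += 1
    stats["blocklist"] = blocklist
    return stats


if __name__ == "__main__":
    print("no blocklist:  ", simulate(TRACE, syn_threshold=None))
    print("with blocklist:", simulate(TRACE))
```

Without the blocklist the flooder fills all four slots and the second legitimate client's SYN is dropped; with it the flooder is cut off after its fourth SYN and both clients connect. When the SYNs carry forged or distributed sources, per-source counting never triggers and only the buffer limit remains, which is why the defenses slide also lists firewall rate limiting.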

TCP connection-hijacking:
IP Spoofing

• Sending packets with a spoofed IP address is as simple as forging the source IP in a crafted packet
  • Usually requires root (raw socket)
  • MAC / IP address forging
• May be blocked by the switch / ISP
  • Called "ingress filtering"
• Packets with a forged IP address
  • Easy to send
  • But no response received...

IP address spoofing

• Can be used directly to exploit stateless protocols
  • e.g., based only on UDP
• But on TCP, how do we perform the 3-way handshake?
  • We don't receive the response packets
  • As we don't control the return path...
• How to guess the seq nr / prevent the spoofed host to

Mitnick attack

• DoS the server
• Send packets to the target, guessing sequence numbers
  • If the guess is OK, packets are accepted
  • Replies will go to the server
    • Not seen by the attacker
    • The DoS'ed server will not send an error msg
• Used to send a command over RSH
  • echo + + >>/.rhosts
ARP Poisoning

• ARP is a protocol to map MAC addresses to IP addresses on Ethernet:
  • Who has <IP>?
  • <IP> is at <mac>
• Needed to know where to send IP packets over Ethernet
• This can be abused to inject a wrong MAC address <=> IP address association
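An added arpwatch-style example (not part of the slides) that tracks the IP to MAC bindings announced in ARP replies and flags the symptoms of the wrong-association injection described above: a pinned address claimed by another MAC, a binding that changes, and one MAC claiming several IPs. The addresses, the pinned table and the reply sequence are constructed.

```python
# Bindings the administrator has pinned as trusted (constructed for the demo).
STATIC = {"192.168.1.1": "aa:bb:cc:00:00:01"}   # the gateway

# Constructed sequence of ARP replies ("<IP> is at <MAC>") observed on the LAN.
REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway answers normally
    ("192.168.1.20", "aa:bb:cc:00:00:20"),   # a workstation
    ("192.168.1.1", "de:ad:be:ef:00:99"),    # another MAC now claims the gateway's IP
    ("192.168.1.20", "de:ad:be:ef:00:99"),   # ...and the workstation's IP too
    ("192.168.1.1", "aa:bb:cc:00:00:01"),    # the real gateway answers again: the binding flaps
]


def watch(replies, static=STATIC):
    """Track IP -> MAC bindings from ARP replies and return (table, alerts)."""
    table = {}          # current binding per IP, as a host's ARP cache would hold it
    ips_by_mac = {}     # every IP each MAC has claimed so far
    alerts = []
    for ip, mac in replies:
        if ip in static and static[ip] != mac:
            alerts.append(f"pinned {ip} claimed by {mac} (expected {static[ip]})")
        known = table.get(ip)
        if known is not None and known != mac:
            alerts.append(f"{ip} changed from {known} to {mac}")
        table[ip] = mac
        ips_by_mac.setdefault(mac, set()).add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(f"{mac} claims several IPs: {sorted(ips_by_mac[mac])}")
    return table, alerts


if __name__ == "__main__":
    final_table, found = watch(REPLIES)
    for line in found:
        print("ALERT:", line)
```

A binding that flaps between two MACs is the classic sign of a poisoner racing the real host; a single MAC answering for both the gateway and a workstation is what a man-in-the-middle on the LAN looks like in the ARP traffic.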

Source routing

• The route taken by TCP/IP packets is determined by the routers' routing tables
• Source routing allows to bypass this
  • Specify the path that packets should take
  • E.g., an authorized host can specify the path
    • Auth host → A → C → D → Server
    • Auth host → A → B → D → Server

Source routing

• This allows an attacker to
  • Discover the network
  • Have its packets go through a specific network path
  • Bypass IP address rules (TCP wrappers...)
  • Access computers behind a NAT / private address space

DNS

• Domain Name Service
  • Maps host names to IP addresses on the Internet
  • Makes the Internet more "user friendly"
• A distributed system
  • Root servers are at fixed IPs
    • The "hints" file: http://www.internic.net/zones/named.root
  • They provide the IP addresses of TLD servers
  • Top Level Domain (.com, .net, .org...) DNS servers provide IP addresses for domains

DNS

• Their security is very important
  • Integrity of DNS responses
    • www.bank.com
    • SSL certificates certify hostnames, not IP addresses
  • Availability
    • No DNS, no Internet :(
  • Scalability

Recursive DNS Requests

• The record is obtained from the DNS architecture the first time
• It will remain in cache until the TTL timeout

Kaminsky Attack I

• In 2007 Dan Kaminsky found a serious issue
• Almost all DNS server implementations were vulnerable to cache poisoning
  • Allows to insert malicious information in a cache server
  • Attacker-controlled "glue records"

Cache poisoning attacks

• How do we know the response received is actually a reply to our query?
  • Rely on the transaction serial number

Normal DNS Request
DNS Cache poisoning

• The Query ID can be guessed... Solution?
  • So they should be random?
  • ... with good random number generators!
• Randomize the Query ID
  • 16-bit field: 64k possibilities
  • An attacker has large chances to fail

Glue records

• There is a chicken-and-egg problem in the DNS system, e.g.:
  Q: Who is the NS for domain.com? R: ns.domain.com
• We need a glue record
  • Glue records are used when the name server is a host of that domain, and provide its IP address

Kaminsky Attack

• Glue records are cached as well
  • What if we poison a glue record?
  • Completely owns the domain, can forge any hostname of that domain.
• Query ID randomization?
  • A failed attempt is not a problem, so we can try many
DNS cache poisoning

• Very damaging attacks. Mitigations:
  • Cache servers should not face the Internet
    • e.g. not be at the same time a cache server and an authoritative server for a domain
  • Randomize:
    • Query ID
    • Source port
    • Host name capitalization
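An added example (not from the slides) that puts numbers on the three randomizations listed above and shows the resolver-side check they enable, covering both the 16-bit Query ID slide and the Kaminsky "failed attempts are free" slide. The case-flipping helper, the entropy accounting and the success-probability formulas are my own construction; the 16 bits assumed for the source port is an approximation, since a resolver cannot use every port.

```python
import random


def randomize_case(qname, rng=random):
    """Host name capitalization (0x20 encoding): flip the case of each letter at
    random. DNS matching is case-insensitive, so the real server answers anyway,
    but its answer echoes the question exactly as spelled, which a forger who
    never saw the query cannot copy."""
    return "".join(c.upper() if c.isalpha() and rng.random() < 0.5 else c.lower()
                   for c in qname)


def entropy_bits(qname, random_qid=True, random_port=True):
    """Bits a blind forger must guess per reply: 16 for the Query ID, about 16
    for the source port (the slide's 64k possibilities each), plus one per letter."""
    bits = 16 if random_qid else 0
    bits += 16 if random_port else 0
    return bits + sum(c.isalpha() for c in qname)


def race_success(bits, forged_replies):
    """Chance that one of forged_replies guesses matches before the real answer arrives."""
    return 1 - (1 - 2.0 ** -bits) ** forged_replies


def kaminsky_success(bits, forged_replies, races):
    """Kaminsky's twist: a lost race costs nothing, so repeat it for a fresh random
    subdomain; one won race poisons the glue record and hence the whole domain."""
    return 1 - (1 - race_success(bits, forged_replies)) ** races


def accept_reply(query, reply):
    """Resolver check: accept a reply only if the transaction ID, the port and
    the case-preserved question name all match the outstanding query."""
    return (query["qid"] == reply["qid"]
            and query["sport"] == reply["dport"]
            and query["qname"] == reply["qname"])   # case-sensitive on purpose


if __name__ == "__main__":
    for flags in [(True, False), (True, True)]:
        b = entropy_bits("www.example.com", *flags)
        print(f"qid={flags[0]} port={flags[1]}: {b} bits,",
              f"P(win one race with 65536 forged replies)={race_success(b, 65536):.3g}")
    print("Kaminsky, QID only, 1000 forgeries x 500 races:",
          round(kaminsky_success(16, 1000, 500), 4))
```

With only the Query ID randomized, 500 repeated races of a thousand forged replies each succeed almost surely; adding the source port alone pushes the same effort down to a negligible probability, which is why the mitigation slide lists all three sources of randomness.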

The Border Gateway Protocol ::
The art of building the Internet

The Internet is divided into thousands of smaller networks called Autonomous Systems (ASes), each administered by a single entity (e.g., an Internet Service Provider, a company, a university).

(Figure: AS1, AS2, AS3, AS5)

The Border Gateway Protocol ::
The art of building the Internet

Each AS "owns" or is responsible for managing a set of network IP addresses (e.g., AS3 is responsible for the IP address block 2.2.0.0/16).

(Figure: AS1 to AS5 with their address blocks 5.0.0.0/8, 45.54.0.0/16, 45.55.0.0/16, 15.1.2.0/24, 2.2.0.0/16, 1.1.0.0/16 and 1.2.0.0/16.)

The Border Gateway Protocol ::
The art of building the Internet

The Border Gateway Protocol (BGP) allows ASes to interconnect with each other by exchanging network IP address block reachability information. BGP glues ASes together to form the Internet.

(Figure: AS1 to AS5, with address blocks 5.0.0.0/8, 2.2.0.0/16, 45.54.0.0/16, 45.55.0.0/16, 15.1.2.0/24, 1.1.0.0/16 and 1.2.0.0/16, connected by physical links.)

AS3 to AS1, AS4: "I am AS3 and I am responsible for 2.2.0.0/16!"
AS1 to AS2: "AS3 told me he is responsible for 2.2.0.0/16!"
AS4 to AS2, AS5: "AS3 told me he is responsible for 2.2.0.0/16!"

The Border Gateway Protocol ::
The art of building the Internet

BGP messages record the path of ASes they go through, to avoid routing loops.

(Figure: AS35289 Symantec Ltd sends the BGP message "Network: 192.92.94.0/24, AS path: AS35289" to its providers AS5466 Eircom Ltd and AS702 Verizon, which announce it to the Internet as "Network: 192.92.94.0/24, AS path: AS5466,AS35289" and "Network: 192.92.94.0/24, AS path: AS702,AS35289".)

The Border Gateway Protocol ::
The art of building the Internet

Inter-AS links reflect the business relationships between their respective owners (e.g., some provide transit connectivity to the Internet to their customers).

(Figure: AS5466 Eircom Ltd and AS702 Verizon are the (upstream) transit providers; AS35289 Symantec Ltd is their customer.)

BGP hijacking ::
The art of breaking the Internet

CAUSES
• The injection of erroneous network reachability information into BGP
• Trust-based exchange of network reachability information
• No widely deployed security mechanism yet

EFFECTS
• Blackhole (e.g., Youtube hijack by Pakistan Telecom)
• Impersonation (e.g., Spamhaus hijack)
• MITM (e.g., BGP MITM [1])
of the victim network

EXPLANATIONS
• Router misconfiguration, operational fault (e.g., AS7007 incident [2])
• Malicious intent?
BGP hijack incidents that made the headlines

• ISC: "Several banks targeted by BGP hijacks"
• BGPmon.net: "BGP hijack attack against anti-spam company 'Spamhaus'"
• Renesys: "1,500 MITM (traffic interception) hijacks in 2013"

?
BENIGN!

BGP hijacks ::
Separate the wheat from the chaff

Identifying BGP hijacks is challenging:
• BGP hijacks look similar to some legitimate BGP engineering practices
• Lack of ground truth information: only the owner of a network can precisely diagnose routing events related to his network

Case I :: BGP blackhole

(Figure: ASX iSpam Inc announces the two halves of Symantec's prefix, "Network: 192.92.94.0/25" and "Network: 192.92.94.128/25", with "AS path: ASX,AS35289" to the Internet, while AS5466 Eircom Ltd and AS702 Verizon still carry 192.92.94.0/24 from AS35289 Symantec Ltd. The Symantec network is blackholed.)

• DoS of the victim network
• Similar to the Youtube hijack

Case II :: BGP impersonation
Fly-by spammers

CONJECTURE
• Spammers would use BGP hijacking to send spam from the stolen IP space and evade spam sender blacklists
• "BGP spectrum agility": short-lived (< 1 day) spam networks [3]

POTENTIAL EFFECTS
• Misattribution of attacks launched from hijacked networks, due to hijackers stealing the IP identity
• Spam filters heavily rely on IP reputation as a first layer of defense

Fly-by spammers :: Hijack signature

Hijacked networks:
• are dormant IP address blocks, i.e., by the time the networks are hijacked they have been left unadvertised by their owner
• are advertised for a rather short period of time

• AS hijack: the prefix is advertised in BGP from an apparently legitimate AS, but via a presumably illegitimate upstream provider AS
• Prefix hijack: the prefix is advertised in BGP from an apparently rogue AS but via a presumably

Fly-by spammers :: AS hijack illustration

(Figure: ASX iSpam Inc, acting as an illegitimate (upstream) transit provider AS, announces "Network: A.B.C.D/E, AS path: ASX,ASY" to the Internet on behalf of ASY, the legitimate AS and owner of A.B.C.0/24, and sends spam from A.B.C.1...A.B.C.255.)

Fly-by spammers :: case study

• IP prefixes are only announced when spam is received!
• Few blacklisted spam sources at the time of the BGP

Case III :: BGP Man-In-The-Middle

Step 1: discover the path between AS_Mallory (attacker) and AS_Alice (victim)

(Figure: AS_Mallory, AS_D, AS_A, AS_Alice)

Step 2: advertise the more specific prefix 66.102.0.0/24 and secure a backup route (P)

Securing BGP?

• Security extensions to BGP
  • e.g., RPKI, ROVER
  • Similar to DNSSEC for DNS
  • Deployment is expensive
• BGP monitoring
  • Analyze BGP updates and trigger an alarm upon an abnormal routing change, e.g., a BGP hijack
  • e.g., BGPmon.net, Renesys (Dyn), UCLA Cyclops
• BGP "best current practices"
  • e.g., customer route filtering
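An added example of the BGP monitoring approach listed above (my own construction, not code from the slides or from any of the named monitoring services): a small checker that applies the AS-path loop rule, the more-specific and rogue-origin patterns of Case I, and the AS hijack / prefix hijack signatures from the fly-by spammer slides to constructed BGP updates for Symantec's 192.92.94.0/24. The expected-origin and known-upstream tables are assumptions built from the slides' figures, and the updates are constructed.

```python
import ipaddress

# Monitoring policy built from the slides' figures: Symantec's prefix and the
# two transit providers it is shown buying from (assumed, constructed for the demo).
EXPECTED_ORIGIN = {"192.92.94.0/24": "AS35289"}
KNOWN_UPSTREAMS = {"AS35289": {"AS5466", "AS702"}}

# Constructed BGP UPDATEs as (prefix, AS path). As in the slides, the origin AS
# is last; each AS prepends itself as the announcement propagates.
UPDATES = [
    ("192.92.94.0/24", ["AS5466", "AS35289"]),                     # legitimate
    ("192.92.94.0/24", ["AS702", "AS35289"]),                      # legitimate, other upstream
    ("192.92.94.0/25", ["ASX", "AS35289"]),                        # Case I: more specifics via ASX
    ("192.92.94.128/25", ["ASX", "AS35289"]),
    ("192.92.94.0/24", ["ASX"]),                                   # rogue origin (prefix hijack)
    ("192.92.94.0/24", ["AS5466", "AS702", "AS5466", "AS35289"]),  # path loop, must be discarded
]


def check_update(prefix, path, expected=EXPECTED_ORIGIN, upstreams=KNOWN_UPSTREAMS):
    """Return the list of alarms a monitor would raise for one announcement."""
    alarms = []
    if len(set(path)) != len(path):
        alarms.append("AS path loop")       # an AS already on the path is receiving it again
    net = ipaddress.ip_network(prefix)
    origin = path[-1]
    for monitored, legit_origin in expected.items():
        mon = ipaddress.ip_network(monitored)
        if not net.subnet_of(mon):
            continue                        # not about a prefix we watch
        if origin != legit_origin:
            alarms.append(f"prefix hijack: {prefix} originated by {origin}, expected {legit_origin}")
            continue
        if net != mon:
            alarms.append(f"more-specific {prefix} of {monitored} announced")
        if len(path) > 1 and path[-2] not in upstreams.get(origin, set()):
            alarms.append(f"AS hijack: {origin} seen behind unknown upstream {path[-2]}")
    return alarms


def triage(updates):
    """Map each update to its alarms; an empty list means it looked like normal routing."""
    return {(prefix, ",".join(path)): check_update(prefix, path) for prefix, path in updates}


if __name__ == "__main__":
    for key, alarms in triage(UPDATES).items():
        print(key, "->", alarms or "ok")
```

The checker only sees what the slides call the hijack signature; as the "wheat from the chaff" slide warns, a more-specific announcement via a new upstream can also be legitimate traffic engineering, so these alarms are leads for the prefix owner to confirm, not verdicts.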

Conclusion

• Network attack and defense
  • Can be surprisingly easy
  • Many countermeasures known already
    • And many are in place on most networks
  • Still some very difficult attacks to solve and countermeasures to deploy
    • DoS
