CLOUD ATTACK MITIGATION & FIREWALL ON DEMAND
HiPEAC – CSW Athens, Oct. 2014
Attacks Against the Cloud: A Mitigation Strategy
Leonidas Poulopoulos
leopoul@noc.grnet.gr
GRNET NOC
(@leopoul)
Alex Zacharis
azahar [email protected] .gr
GRNET CERT
(@grnet_cert)
Content
• Roles-Actors-Services
• Security Measures
• Incident Response
• Statistics
• Security Tools
• Firewall on Demand
• Live Demo
Roles-Actors-Services
• Security Officer
• GRNET CERT
• Dev. Team
• NOC
• Helpdesk
• Users
• Service: ~okeanos – IaaS Service (https://okeanos.grnet.gr)
  • Create VMs
  • Store Files
  • Create Virtual Networks
Secure Architecture
Security Measures
• Admin/Dev Side
  • Password Policy
  • Log Monitoring
  • Update/Patching Policy
  • Firewalling – FOD
  • Audits (Pen Tests, Code Audits)
• Client Side
  • SSL (2048 bits)
  • Shibboleth
  • Password Policy
  • Enforcing Terms of Use
Incident Response
• Attacks launched on others from within Okeanos infrastructure
• Compromise of individual user accounts or VMs
• Scans of University or other Computer Security Systems
• Spam and mail forgery that originates from, or is relayed through, Okeanos
• Viruses, Worms and Trojan Horses
• Threats to individuals (only in conjunction with law enforcement)
• Involvement in Criminal Activity (only in conjunction with law enforcement)
• DOS & DDOS attacks
• Phishing Attacks
• Hosting Illegal content
• Copyright Infringement
Incident Life Cycle
Ticketing
Incident Examples: Phishing
Phishing Page (Visa)
• Abuse Mail Received
• Incident Analysis
  • A WordPress site hosted on the infrastructure was identified as containing a fake Visa phishing page.
  • The malicious URLs:
    • http://83.212.101.1/wp-includes/css/visa.dk/
    • http://83.212.101.1/wp-includes/css/dk.zip
  • Stolen credentials were sent to the following email:
    $send2="[email protected]"
• Actions Taken
  • Page Take down
  • Informing User
Incident Examples: Botnet
Incident Examples: Forum Spam
Statistics 2012 - 2013
Chart: Abuses per year, 2011–2013
Chart: Abuses per month, by category
Chart: Abuses by type – Scan, OpenDNS, bruteforce, network-scan, Commercial aim, DDOS, DOS, other
Statistics 2014
Chart: Number of abuses per month, Jan 2014 – Jun 2014
Chart: Incidents per type, 2014
Chart: Open DNS Resolvers that turned to DDoS attack (Open DNS Resolver vs. DDoS, split 52.27% / 47.73%)
Statistics 2013 vs 2014
Chart: Number of abuses per month, Jan – Jun, 2013 vs 2014
Chart: Incidents per category per year, 2013 vs 2014
Mitigation Strategy: Security Checks
• Audits
  • Web Scans
  • Code Audits
  • Stress Testing
  • Release Check
• Tools Used:
  • Acunetix
  • Backtrack
  • Burp Suite
  • Agnito
Tool Development
• CLOUD HONEYPOT VISUALIZER
• CLOUD POLICY ENFORCER
• FIREWALL ON DEMAND
Cloud Honeypot Visualizer
Stats:
1. Source per Country
2. Time analysis
3. Attacks per Port
4. Top 10 Attackers
5. All Attackers
Cloud Policy Enforcer
Checks for:
1. Hosting of Illegal Services (ex. Torrent Tracker)
2. Illegal Content (ex. Images, Phishing forms)
3. Dangerous Content (ex. Virus, Trojan)
4. Password Policy Check
Cloud Policy Enforcer
Screenshot: WWW Capture and SCAN RESULTS panels
Firewall on Demand
DDoS Illustrated
DDoS facts
Chart: reported DDoS attack size per year, 2002–2014, in Gbps: <1, 1, 3, 10, 17, 24, 40, 49, 100, 60, 60, 309, 400
Source: Arbor Networks Inc. & Cloudflare
Staying alive…
• acls, firewall filters
• RTBH
• BGP flowspec
BGP FlowSpec – Quick recap
RFC 5575 “Dissemination of flow specification rules with BGP”
BGP propagates an n-tuple filter with flow matching criteria and actions:
MATCH: source/dest prefix, source/dest port, ICMP type/code, packet size, DSCP, TCP flag, fragment type, etc.
ACTIONS: accept, discard, rate-limit, sample, redirect, etc.
BGP community flow vs. RTBH vs. ACLs
Compared with ACLs:
• Distributed across the network
• Closer to the source
• Fine-grained even on core/backbone networks
• Multidomain easy propagation towards the upstream via BGP
• Easy automation & integration
Compared with BGP RTBH:
• Flowspec: enhancement of RTBH
• Does not affect all traffic to victim
• Less coarse
• More actions
• Separate NLRI
Firewall on Demand
GRANULARITY: Per-flow level
ACTION: Drop, rate-limit, redirect
SPEED: 1-2 orders of magnitude quicker
EFFICIENCY: closer to the source, multi-domain
AUTOMATION: integration with other systems
MANAGEABILITY: status tracking, web interface
NEED FOR BETTER TOOLS TO MITIGATE TRANSIENT ATTACKS
Development Framework
Python Django
Source: Wikimedia Foundation
FoD Architecture
OPEN SOURCE
• https://code.grnet.gr/projects/flowspy
• http://flowspy.readthedocs.org
https://fod.grnet.gr
How it works
• Customer’s NOC logs in to the web tool (Shibboleth) & describes flows and actions
• Destination validated against customer’s IP space
• A dedicated router is configured (NETCONF) to advertise the route via BGP flowspec
• Dynamic firewall filters are implemented on all routers
• Attack is mitigated upon entrance
• End of attack: removal via the tool, or auto-expire
Diagram labels: Web, NETCONF, eBGP, iBGP
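The rule model behind the FlowSpec recap and the validation/advertisement steps listed above, as an added example that is not FoD's own code: it checks a requested destination against the customer's IP space, encodes the match components as an RFC 5575 IPv4 flow NLRI, and builds the traffic-rate extended community that carries the discard or rate-limit action. The customer allocation, rule values and AS number are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class FlowRule:                        # one FoD-style rule (constructed model, not FoD's class)
    dst_prefix: str                    # victim prefix, must sit inside the customer's space
    src_prefix: Optional[str] = None   # attacker prefix, None = any source
    protocol: Optional[int] = None     # IP protocol number, e.g. 17 = UDP
    dst_port: Optional[int] = None     # destination port, None = any
    rate_bytes_per_sec: float = 0.0    # 0.0 = discard (RFC 5575 traffic-rate semantics)

def validate_destination(rule: FlowRule, customer_prefixes) -> bool:
    """Step 2 of the procedure: a customer may only filter traffic towards its own space."""
    dst = ipaddress.ip_network(rule.dst_prefix)
    return any(dst.subnet_of(ipaddress.ip_network(p)) for p in customer_prefixes)

def _prefix_component(comp_type: int, prefix: str) -> bytes:
    # type 1 (destination) / type 2 (source): type, prefix length, then only as many
    # address bytes as the prefix length needs
    net = ipaddress.ip_network(prefix)
    return bytes([comp_type, net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]

def _numeric_eq(comp_type: int, value: int) -> bytes:
    # one {operator, value} pair: operator = end-of-list (0x80) | value length | eq (0x01)
    if value < 256:
        return bytes([comp_type, 0x81, value])                   # length bits 00 -> 1 byte
    return bytes([comp_type, 0x91]) + struct.pack(">H", value)    # length bits 01 -> 2 bytes

def encode_flowspec_nlri(rule: FlowRule) -> bytes:
    """RFC 5575 IPv4 flow NLRI: one-byte length, then components in ascending type order."""
    body = _prefix_component(1, rule.dst_prefix)
    if rule.src_prefix is not None:
        body += _prefix_component(2, rule.src_prefix)
    if rule.protocol is not None:
        body += _numeric_eq(3, rule.protocol)
    if rule.dst_port is not None:
        body += _numeric_eq(5, rule.dst_port)
    if len(body) >= 240:
        raise ValueError("two-byte NLRI length form not handled here")
    return bytes([len(body)]) + body

def traffic_rate_community(asn: int, rate_bytes_per_sec: float) -> bytes:
    """Traffic-rate extended community (0x8006): 2-byte AS, IEEE float bytes/sec; 0.0 = drop."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)

if __name__ == "__main__":
    customer = ["10.0.0.0/16"]                                  # constructed customer allocation
    rule = FlowRule("10.0.0.0/24", protocol=17, dst_port=53)    # drop UDP/53 towards the victim
    print(validate_destination(rule, customer), encode_flowspec_nlri(rule).hex(),
          traffic_rate_community(65535, rule.rate_bytes_per_sec).hex())
```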
GRNET FoD usage examples
3 years · 400 Tbytes · 120 rules · 50 users · 25 peers
GÉANT Tests
Click Apply
6 seconds later…
FoD multidomain deployment scenarios
Current Status
• GRNET in production since end of 2011
• Tests:
  • Multihop BGP peering with PSNC
  • Interest/Evaluation from BELNET
• GÉANT (https://fod.geant.net)
  • BGP flowspec enabled in all core devices
  • Successful tests between GRNET and GÉANT
  • Multiple scenarios tested
  • Iperf between Croatia and Greece
  • Gone in 6 seconds
  • In production by April 2015
Can I deploy/try/test it?
• Open source project
• FoD: https://code.grnet.gr/projects/flowspy
• Docs: https://flowspy.readthedocs.org
• Ask for a demo account
PEER WITH US!
Demo time…
attaaaaack!
Enhancements
• FoD interfaces to other tools/platforms
  • REST API
  • XMPP client/server
  • ØMQ extensions
• Filter counters/graphs
  • NETCONF
  • Juniper UtilityMIB
• IPv6 support (whenever available)
Extensions – rapid anomaly detection
• RRD analysis
• STD-based
• Under dev
Top 5 Dst Port ordered by packets:
Date first seen Duration Proto Dst Port Flows(%) Packets(%) Bytes(%) pps bps bpp
2014-09-28 19:27:42.480 50235.670 TCP XX 532857(34.0) 134.4 M(19.9) 24.8 G( 5.3) 2674 3.9 M 184
2014-09-26 23:10:13.660 209673.50 UDP XXXX 132( 0.0) 50.3 M( 7.5) 23.4 G( 5.0) 239 892851 465
2014-09-27 14:17:38.090 155240.05 TCP XXX 123272( 7.9) 37.4 M( 5.5) 13.8 G( 2.9) 240 709019 368
2014-09-29 07:19:11.840 7515.870 UDP XX 4057( 0.3) 19.0 M( 2.8) 14.4 G( 3.1) 2521 15.4 M 761
Top 5 Dst IP Addr ordered by packets:
Date first seen Duration Proto Dst IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp
2014-09-29 09:19:18.730 286.270 UDP XX.YYY.XX.YY 35642( 2.3) 59.9 M( 8.9) 36.1 G( 7.7) 209192 1.0 G 602
2014-09-29 09:17:22.120 426.850 TCP XX.X.X.XXX 58534( 3.7) 12.9 M( 1.9) 1.1 G( 0.2) 30317 21.2 M 87
2014-09-29 09:17:22.110 426.860 TCP XXX.XX.XXX.XXX 39573( 2.5) 11.2 M( 1.7) 1.1 G( 0.2) 26336 20.5 M 97
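A parser for the nfdump top-N layout shown above, together with the simple pps/bpp screen that picks the flood target out of it, added here as an example (it is not the presentation's detection code). The sample rows are constructed with RFC 5737 addresses, and the thresholds are assumptions.

```python
import re

# Constructed sample in the nfdump "Top N ... ordered by packets" layout shown above; the
# addresses are RFC 5737 documentation ranges, not the presentation's (masked) values.
SAMPLE = """\
Top 5 Dst IP Addr ordered by packets:
Date first seen          Duration Proto     Dst IP Addr    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
2014-09-29 09:19:18.730   286.270 UDP     198.51.100.7    35642( 2.3)   59.9 M( 8.9)   36.1 G( 7.7)   209192    1.0 G   602
2014-09-29 09:17:22.120   426.850 TCP     203.0.113.25    58534( 3.7)   12.9 M( 1.9)    1.1 G( 0.2)    30317   21.2 M    87
2014-09-29 09:17:22.110   426.860 TCP     192.0.2.130     39573( 2.5)   11.2 M( 1.7)    1.1 G( 0.2)    26336   20.5 M    97
"""

UNITS = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}
# one counter cell such as "59.9 M( 8.9)" or "35642( 2.3)": value, optional unit, percentage
CELL = r"([\d.]+)\s*([KMGT]?)\(\s*([\d.]+)\)"
ROW = re.compile(r"^(\S+ \S+)\s+([\d.]+)\s+(\w+)\s+(\S+)\s+" + CELL + r"\s+" + CELL + r"\s+" + CELL
                 + r"\s+([\d.]+)\s*([KMGT]?)\s+([\d.]+)\s*([KMGT]?)\s+(\d+)\s*$")

def _num(value: str, unit: str) -> float:
    return float(value) * UNITS[unit]

def parse_topn(text: str) -> list:
    """Parse nfdump top-N rows into dicts; the title and column-header lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        g = m.groups()
        rows.append({"first_seen": g[0], "duration_s": float(g[1]), "proto": g[2], "key": g[3],
                     "flows": _num(g[4], g[5]), "packets": _num(g[7], g[8]), "bytes": _num(g[10], g[11]),
                     "pps": _num(g[13], g[14]), "bps": _num(g[15], g[16]), "bpp": int(g[17])})
    return rows

def flood_candidates(rows: list, pps_threshold: float = 100_000, max_bpp: int = 700) -> list:
    """Keys (here: destination IPs) worth a FoD rule: a high packet rate carried by small
    packets, the profile of the UDP flood in the first row rather than the bulkier TCP rows."""
    return [r["key"] for r in rows if r["pps"] >= pps_threshold and r["bpp"] <= max_bpp]

if __name__ == "__main__":
    print(flood_candidates(parse_topn(SAMPLE)))   # constructed data -> ['198.51.100.7']
```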
Questions?
42: “The Answer to the Ultimate Question of Life, The Universe, and Everything.”
Douglas Adams, The Hitchhiker's Guide to the Galaxy