Attacks Against the Cloud: A Mitigation Strategy · (@grnet_cert) Cloud Attack Mitigation & Firewall on Demand. Content Cloud Attack Mitigation & Firewall on Demand HiPEAC –CSW

CLOUD ATTACK MITIGATION & F IREWALL ON DEMAND

HiPEAC – CSW Athens, Oct. 2014

Attacks Against the Cloud: A Mitigation Strategy

Leonidas Poulopoulos

leopoul@noc .grnet .gr

GRNET NOC

(@leopoul )

Alex Zachar is

azahar [email protected] .gr

GRNET CERT

(@grnet_cert)

Cloud Attack Mitigation & Firewall on Demand

Content

HiPEAC – CSW Athens, Oct. 2014Cloud Attack Mitigation & Firewall on Demand

�Roles-Actors-Services

� Security Measures

� Incident Response

� Statistics

� Security Tools� Firewall on Demand

� Live Demo

Roles-Actors-Services

� Security Officer � GRNET CERT� Dev. Team� NOC� Helpdesk� Users

� Service: ~okeanos� IaaS Service� Create VMs� Store Files� Create Virtual Networks


https://okeanos.grnet.gr

Secure Architecture


Security Meassures

� Admin/Dev Side� Password Policy � Log Monitoring� Update/Patching Policy� Firewalling – FOD� Audits (Pen Tests, Code Audits)

� Client Side� SSL(2048 bits)� Shibboleth� Password Policy� Enforcing Terms of Use


Incident Response

� Attacks launched on others from within Okeanos infrastructure.� Compromise of individual user accounts or VMs� Scans of University or other Computer Security Systems.� Spam and mail forgery that originates from, or is relayed through Okeanos.

� Viruses, Worms and Trojan Horses� Threats to individuals (only in conjunction with law enforcement)� Involvement in Criminal Activity (only in conjunction with law enforcement)

� DOS & DDOS attacks� Phishing Attacks� Hosting Illegal content� Copyright Infringement


Incident Life Cycle


Ticketing


Incident Examples: Phishing


Phishing Page (Visa)� Abuse Mail Received

� Incident Analysis� WordPress site was identified to be hosted containing a fake phishing

page of Visa.

� The malicious URL:

� http://83.212.101.1/wp-includes/css/visa.dk/

� http://83.212.101.1/wp-includes/css/dk.zip

� Stolen Credentials were send to the following email:

$send2="[email protected]"

� Actions Taken� Page Take down

� Informing User


Incident Examples: Botnet


Incident Examples: Forum Spam


Statistics 2012 - 2013


0

50

100

150

2011 2012 2013

123

140

Abuses per year

16

134

14

CategoryCategory 1

Category 2

Category 3

0

5

10

15

20

25

30

Abuses per month

42

20

19157

18

7

36

Abuse typeScan

OpenDNS

bruteforce

network-scan

Commercial aim

DDOS

DOS

other


Statistics 2014


46

180

10

category 1

category 2

category 3

0

20

40

60

80

Jan 2014 Feb 2014 Mar 2014 Apr 2014 May 2014 Jun 2014

Number of abuses per month

0

10

20

30

40

50

60

Incidents per type

2014

52.27%47.73%

Open DNS Resolvers that turned to DDoS attack

Open DNS Resolver

DDoS


Statistics 2013 vs 2014


0

10

20

30

40

50

60

70

Jan Feb Mar Apr May Jun

Number of abuses per month

2014

2013

0

10

20

30

40

50

60

Incidents per category per year

2014

2013


Mitigation Strategy: Security Checks

� Audits� Web Scans� Code Audits� Stress Testing� Release Check

� Tools Used:� Accunetix� Backtrack� Burp Suite� Agnito


Tool Development

� CLOUD HONEYPOT VIZUALIZER

� CLOUD POLICY ENFORCER

� FIREWALL ON DEMAND


Cloud Honeypot Vizualizer


Stats:1. Source per Country2. Time analysis3. Attacks per Port4. Top 10 Attackers5. All Attackers


Cloud Policy Enforcer

Checks for:

1. Hosting of Illegal Services(ex. Torrent Tracker)

2. Illegal Content(ex. Images, Phishing forms)

3. Dangerous Content(ex. Virs Trojan)

4. Password Policy Check


Cloud Policy Enforcer


WWW Capture

SCAN RESULTS


Firewall on Demand


DDoS Illustrated


DDoS facts

<1 1 3 10 17 2440 49

100

60 60

309

0 2 0 3 0 4 0 5 0 6 0 7 0 8 0 9 1 0 1 1 1 2 1 3 1 4

400Gbps


Source: Arbor Networks Inc. & Cloudflare


Staying alive…


acls, firewall filters

RTBH

BGP flowspec


BGP FlowSpec – Quick recap

Internet2 Global Summit, Apr 9 2014 Firewall on Demand Multidomain 24

RFC 5575“Dissemination of flow specification rules with BGP”

BGP propagates n-tuple filter with flow matching criteria and actions

source/dest prefixsource/dest portICMP type/codepacket sizeDSCPTCP flagfragment typeetc

MATCH

acceptdiscardrate-limitsampleredirectetc

ACTIONS

BGP community flow vs. RTBH vs. ACLs


• Distributed across the network• Closer to the source• Fine-grained even on core/backbone networks • Multidomain easy propagation towards the upstream via BGP• Easy automation & integration

ACLS

• Flowspec: enhancement of RTBH• Does not affect all trafficto victim• Less coarse• More actions• Separate NLRI

BGP RTHB


Firewall on Demand


GRANULARITY: Per-flow level

ACTION: Drop, rate-limit, redirect

SPEED: 1-2 orders of magnitude quicker

EFFICIENCY: closer to the source, multi-domain

AUTOMATION: integration with other systems

MANAGEABILITY: status tracking, web interface

NEED FOR BETTER TOOLS TO MITIGATETRANSIENT ATTACKS


Development Framework


Source: Wikimedia Foundation

Python Django


FoD Architecture


• https://code.grnet.gr/projects/flowspy• http://flowspy.readthedocs.org

OPEN SOURCE

https://fod.grnet.gr


How it works


• Customer’s NOC logs in web tool (shibboleth) & describes flows and actions• Destination validated against customer’s IP space• A dedicated router is configured (NETCONF) to advertise the route via BGP flowspec• Dynamic firewall filters are implemented on all routers• Attack is mitigated upon entrance• End of attack: Removal via the tool, or auto-expire Web

NETCONF

eBGP

iBGP


GRNET FoD usage examples


3years 400Tbytes 120rules 50users 25peers


GÉANT Tests


Click Apply

6 seconds later…


FoD multidomain deployment scenarios


Current Status


�GRNET in production since end of 2011� Tests:

�Multihop BGP peering with PSNC� Interest/Evaluation from BELNET

�GÉANT (https://fod.geant.net)�BGP flowspec enabled in all core devices� Successful tests between GRNET and GÉANT

�Multiple scenarios tested�Iperf between Croatia and Greece�Gone in 6 seconds

� In production by April 2015


Can I deploy/try/test it?


� Open source project

� FoD : https://code.grnet.gr/projects/flowspy

�Docs: https://flowspy.readthedocs.org� Ask for a demo account

PEER WITH US!Cloud Attack Mitigation & Firewall on Demand

Demo time…


attaaaaack!


Enhancenments


�FoD interfaces to other tools/platforms�REST API

�XMPP client/server

�ØMQ extensions

� Filter counters/graphs�NETCONF

�Juniper UtilityMIB�

� Ipv6 support (Whenever available)


Extensions – rapid anomaly detection


�RRD analysis

� STD-based

�Under dev


Top 5 Dst Port ordered by packets:

Date first seen Duration Proto Dst Port Flows(%) Packets(%) Bytes(%) pps bps bpp

2014-09-28 19:27:42.480 50235.670 TCP XX 532857(34.0) 134.4 M(19.9) 24.8 G( 5.3) 2674 3.9 M 184

2014-09-26 23:10:13.660 209673.50 UDP XXXX 132( 0.0) 50.3 M( 7.5) 23.4 G( 5.0) 239 892851 465

2014-09-27 14:17:38.090 155240.05 TCP XXX 123272( 7.9) 37.4 M( 5.5) 13.8 G( 2.9) 240 709019 368

2014-09-29 07:19:11.840 7515.870 UDP XX 4057( 0.3) 19.0 M( 2.8) 14.4 G( 3.1) 2521 15.4 M 761

Top 5 Dst IP Addr ordered by packets:

Date first seen Duration Proto Dst IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp

2014-09-29 09:19:18.730 286.270 UDP XX.YYY.XX.YY 35642( 2.3) 59.9 M( 8.9) 36.1 G( 7.7) 209192 1.0 G 602

2014-09-29 09:17:22.120 426.850 TCP XX.X.X.XXX 58534( 3.7) 12.9 M( 1.9) 1.1 G( 0.2) 30317 21.2 M 87

2014-09-29 09:17:22.110 426.860 TCP XXX.XX.XXX.XXX 39573( 2.5) 11.2 M( 1.7) 1.1 G( 0.2) 26336 20.5 M 97

Questions?


42: “The Answer to the Ultimate Question of Life, The Universe, and Everything.”Douglas Adams, The Hitchhiker's Guide to the Galaxy


Documents

Attacks Against the Cloud: A Mitigation Strategy · (@grnet_cert) Cloud Attack Mitigation & Firewall on Demand. Content Cloud Attack Mitigation & Firewall on Demand HiPEAC –CSW