SysSec 9: Network Security

Aurélien Francillon, [email protected]

Source: syssec 06 network, EURECOM, s3.eurecom.fr/~aurel/syssec/syssec_06_network.pdf


News of the week


Overview

• Reconnaissance: discovering topology and servers
  • Using network tools
  • Fingerprinting
• Offensive
  • Man In The Middle attacks, bugs, attacks on routing
  • Bypassing network restrictions
  • Denial of service


Network Reconnaissance


Reconnaissance

• Network reconnaissance is always a first step

• Discovering machines

• Understanding what services are running (open/filtered ports)

• Identify weak/vulnerable point(s) in target network

• “Collect intelligence”


Reconnaissance

• Network reconnaissance is always a first step
• nmap, hping2, netcat
• Public databases are always a good start
  • Domain WHOIS → whois iseclab.org
  • DNS queries → dig iseclab.org
  • DNS zone transfers* (if very lucky) → dig axfr ZoneTransfer.me @ns16.zoneedit.com.
  • IP WHOIS (IRR) → whois 128.130.60.29

* See http://www.digininja.org/projects/zonetransferme.php


Reconnaissance

• robtex.com → the Internet Swiss-army knife
• GeoIP: approximate physical location of an IP address
  • More accurate solutions exist
• Finger: a directory service that provides information about users
  • Almost never used anymore


Scanning

• Basics: send a TCP SYN packet
  • Closed port: reply with a RST
  • Open port: reply with SYN/ACK
  • Filtered port: nothing back, or an ICMP error packet
• nmap -A -T4 scanme.nmap.org
• Smarter techniques:
  • OS detection
  • Idle scan


Scanning for vulnerabilities directly

• Nessus / OpenVAS

• Has a list of tests for discovering daemon type, version, kind of service, options set, etc

• Has a list of vulnerabilities associated

• Will check that automatically and generate reports

• Client/server side can be programmed to run regularly

• Useful for

• Network administrators to check for vulnerabilities on the network

• Lazy attackers to find an attack point!


Routing

• Internet is split into smaller networks called Autonomous Systems (AS)

• e.g. Renater, France Telecom, Proxad (Free)

• They are interconnected by links between their routers

• BGP is the protocol that is used to know on which links to send packets depending on their destination (routing)

• Some of the BGP/AS information is publicly available

• IP WHOIS records (Internet Routing Registries, IRRs)

• Looking glass

• Live BGP data feeds (RIPE RIS, RouteViews)


Internet-connected device search engines

• Examples: shodan.io, censys.io

• Powered by fast “Internet-scale” scanners

• masscan, zmap

• Aggregates a lot of information about millions of hosts and networks


Web searches, social media, …

• Instead of performing reconnaissance on the network directly…

• An attacker can search for another vulnerable point of entry: people

• By running simple web searches

• By checking for social media accounts

• By building profiles of individuals (e.g., employees of the target company)

• This intelligence can then be used to mount targeted attacks, e.g., via social engineering, spear phishing emails, etc.


Network Attacks


Denial-of-Service Attack (DoS)

• DoS is an attack that aims at disrupting a service such that none of the customers can enjoy the service
• The consequence of flooding or vulnerability attacks
  • Flooding: an attack that consumes the application resources at such a rate that the service becomes unresponsive
  • In a vulnerability attack, a vulnerability causes the application to crash or enter an infinite loop
• How common is DoS? Answer: very common
  • Research showed ~4,000 reported attacks in a week (and most attacks go unreported)
• How likely are you to be a victim of DoS?
  • A report showed 25% of large companies suffer DoS attacks at some point


Denial-of-Service Attack (DoS)

• DDoS → Distributed Denial-of-Service
• Attacking machines are called daemons, slaves, zombies or agents
  • Zombies are usually poorly secured machines that have been exploited
• Machines that control and command the zombies are called masters or handlers
• The attacker hides behind machines called stepping stones → covers their tracks


Denial-of-Service Attack (DoS)

• A DoS attacker may look for
  • Network reflectors
    • To hide the source of the attack
    • To prevent blocking it, e.g. an ICMP reply sent to a forged source address
  • Network “amplifiers”
    • To perform an efficient DoS: (1) find a service that replies with N packets when 1 packet is sent with a forged source address, which (2) amplifies the DoS
  • Vulnerable/exploitable devices, e.g., to build a DDoS botnet


Denial-of-Service Attack (DoS): Examples

• SYN flood
  • with forged source address
• “Smurf” attack
  • E.g. send a ping packet to a broadcast address (x.x.x.255)
• DNS can generate many requests when the server is asked about a record not in cache
  • DNSSEC packets are much larger


Example: the MIRAI Botnet Architecture

[Figure: Mirai operation. Components: Attacker, Command & Control, Report Server, Loader, Infrastructure, Devices/Bots, Victim, DDoS Target. Flows: Scan, Report, Dispatch, Load, Relay, Send command, Attack.]

Figure 2: Mirai Operation. Mirai bots scan the IPv4 address space for devices that run telnet or SSH, and attempt to log in using a hardcoded dictionary of IoT credentials. Once successful, the bot sends the victim IP address and associated credentials to a report server, which asynchronously triggers a loader to infect the device. Infected hosts scan for additional victims and accept DDoS commands from a command and control (C2) server.

listened for attack commands from the command and control server (C2) while simultaneously scanning for new victims.

Malware phylogeny: While not directly related to our study, the Mirai family represents an evolution of BASHLITE (otherwise known as LizardStresser, Torlus, Gafgyt), a DDoS malware family that infected Linux devices by brute forcing default credentials [86]. BASHLITE relied on six generic usernames and 14 generic passwords, while the released Mirai code used a dictionary of 62 username/password pairs that largely subsumed BASHLITE's set and added credentials specific to consumer routers and IoT devices. In contrast to BASHLITE, Mirai additionally employed a fast, stateless scanning module that allowed it to more efficiently identify vulnerable devices.

3 Methodology

Our study of Mirai leverages a variety of network vantage points: a large, passive network telescope, Internet-wide scanning, active Telnet honeypots, logs of C2 attack commands, passive DNS traffic, and logs from DDoS attack targets. In this section, we discuss our data sources and the role they play in our analysis. We provide a high-level summary in Table 1.

3.1 Network Telescope

Mirai's indiscriminate, rapid scanning strategy lends itself to tracking the botnet's propagation to new hosts. We monitored all network requests to a network telescope [9] composed of 4.7 million IP addresses operated by Merit Network over a seven month period from July 18, 2016 to February 28, 2017. On average, the network telescope received 1.1 million packets from 269,000 IP addresses per minute during this period. To distinguish Mirai traffic from background radiation [94] and other scanning activity, we uniquely fingerprinted Mirai probes based on an artifact of Mirai's stateless scanning whereby every probe has a TCP sequence number (normally a random 32-bit integer) equal to the destination IP address. The likelihood of this occurring incidentally is 1/2^32, and we would expect to see roughly 86 packets demonstrating this pattern in our entire dataset. In stark contrast, we observed 116.2 billion Mirai probes from 55.4 million IP addresses. Prior to the emergence of Mirai, we observed only three IPs that perform scans with this fingerprint. Two of the IP addresses generated five packets; two on TCP/80 and three on TCP/1002. The third IP address belongs to Team Cymru [1], who conducts regular TCP/443 scans.

We caution that the raw count of IP addresses seen scanning over time is a poor metric of botnet size due to DHCP churn [87]. To account for this, we tracked the size of the botnet by considering the number of hosts actively "scanning" at the start of every hour. We detected scans using the methodology presented by Durumeric et al. [23], in which we group packets from a single IP address in a temporal window into logical scans. We specifically identified scans that targeted the IPv4 address space at an estimated rate of at least five packets per second, expiring inactive scans after 20 minutes. We geolocated IPs using MaxMind [61].

3.2 Active Scanning

While Mirai is widely considered an IoT botnet, there has been little comprehensive analysis of infected devices over the botnet's entire lifetime. In order to determine the manufacturer and model of devices infected with Mirai, we leveraged Censys [22], which actively scans the IPv4 space and aggregates application layer data about hosts on the Internet. We focused our analysis on scans of HTTPS, FTP, SSH, Telnet, and CWMP between July 19, 2016 and February 28, 2017.

A number of challenges make accurate device labeling difficult. First, Mirai immediately disables common outward facing services (e.g., HTTP) upon infection, which prevents infected devices from being scanned. Second, Censys scans often take more than 24 hours to complete,


1. Bots scan for vulnerable IoT devices
2. Bots report vulnerable IoT devices
3. Report server instructs the loader to exploit the devices
4. Loader exploits devices
5. Attacker sends commands
6. C&C server relays attack commands
7. DDoS attacks are launched

Credits: Manos Antonakakis et al., Understanding the Mirai Botnet, USENIX Security, 2017
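As an added example (not code from the slides or from the Antonakakis et al. paper), the telescope fingerprint quoted above, a SYN whose TCP sequence number equals the destination address, applied to constructed flow records, together with the per-hour distinct-source count the paper uses to sidestep DHCP churn. The record layout and the sample values are this example's own.

```python
import ipaddress
from collections import defaultdict


def ip_to_int(ip: str) -> int:
    """IPv4 dotted-quad -> 32-bit integer (the value Mirai copied into the TCP sequence number)."""
    return int(ipaddress.IPv4Address(ip))


def is_mirai_probe(pkt: dict) -> bool:
    """The telescope fingerprint from the paper: a SYN whose TCP sequence number equals
    the destination IP address. A random 32-bit ISN matches only with probability 1/2^32."""
    return pkt["flags"] == "S" and pkt["seq"] == ip_to_int(pkt["dst"])


def expected_incidental_matches(total_packets: int) -> float:
    """How many matches random ISNs alone would produce in a capture of this size
    (the reasoning behind the paper's 'roughly 86 packets' baseline)."""
    return total_packets / 2 ** 32


def mirai_sources_per_hour(records) -> dict:
    """hour index -> set of source IPs that sent at least one fingerprinted probe in that hour.
    Counting distinct sources per hour rather than over the whole capture limits the effect
    of DHCP churn, which the paper warns inflates raw IP counts."""
    hours = defaultdict(set)
    for pkt in records:
        if is_mirai_probe(pkt):
            hours[pkt["ts"] // 3600].add(pkt["src"])
    return dict(hours)


# Constructed sample records (not real telescope data); ts is seconds since capture start.
SAMPLE = [
    {"ts": 0,    "src": "203.0.113.7",  "dst": "198.51.100.5", "seq": ip_to_int("198.51.100.5"), "dport": 23,   "flags": "S"},
    {"ts": 1,    "src": "203.0.113.7",  "dst": "198.51.100.6", "seq": ip_to_int("198.51.100.6"), "dport": 2323, "flags": "S"},
    {"ts": 5,    "src": "192.0.2.44",   "dst": "198.51.100.9", "seq": 0x1A2B3C4D,                 "dport": 80,   "flags": "S"},  # ordinary scanner, random ISN
    {"ts": 3700, "src": "203.0.113.7",  "dst": "198.51.100.8", "seq": ip_to_int("198.51.100.8"), "dport": 23,   "flags": "S"},
    {"ts": 3800, "src": "198.51.100.1", "dst": "198.51.100.2", "seq": ip_to_int("198.51.100.2"), "dport": 443,  "flags": "A"},  # coincidence on a non-SYN
]

if __name__ == "__main__":
    print(mirai_sources_per_hour(SAMPLE))  # {0: {'203.0.113.7'}, 1: {'203.0.113.7'}}
```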


Example: the MIRAI Botnet DDoS Attack Workflow

1. Bot Master or DDoS for Hire User chooses DDoS target and triggers the attack

2. Attack command is passed onto the Command & Control server

3. Attack command is relayed to the Botnet Nodes

4. Botnet Nodes generate DIRECT DDoS traffic towards the DDoS victim

Credits: https://www.incapsula.com/blog/how-to-identify-a-mirai-style-ddos-attack.html, Imperva Incapsula


Denial-of-Service Attacks

• Web applications are particularly susceptible to denial of service attacks
  • A web application can’t easily tell the difference between an attack and ordinary traffic
  • Because there is no reliable way to tell where an HTTP request is coming from, it is very difficult to filter out malicious traffic
  • “Slashdot” effect
• Most web servers can handle several hundred concurrent users under normal use, but a single attacker can still generate enough traffic from a single host to swamp many applications
• Defending against denial of service attacks is difficult and only a small number of “limited” solutions exist


Who Are the Attackers?

• Research has shown that the majority of attacks are launched by script-kiddies
  • Such attacks are “easier” to detect and defend against
  • Kids use readily available tools to attack
    • E.g., the LOIC tool, booters/IP stressers (DDoSaaS)
• Some (D)DoS attacks, however, are highly sophisticated and very difficult to defend against
  • Small-scale (targeted) or large-scale (massive)
  • Hacktivism
  • Financial gain
  • Nation-state cyber attacks


Denial of Service Attacks: Defenses at the IP Layer

• Firewall
  • Rate limiting, broadcast packets...
• Drop IP connections from a list of IP addresses
  • Put in the list those that send too many SYNs
• Use BGP to reroute attack traffic to a provider with a lot of bandwidth; e.g. the Spamhaus event:
  • http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
  • http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet


Denial of Service Attacks: Defenses at the HTTP Layer

• Change the DNS to point to a CDN (Content Distribution Network)
  • With a lot of bandwidth
  • Caches HTTP requests
  • Applies filtering rules (OWASP)
  • e.g., Akamai: http://www.akamai.com/html/solutions/site_defender.html
• Limit complex requests
  • in complexity
  • per IP


Denial of Service Attacks: Other Defenses

• Use a CAPTCHA if a human is expected to interact
  • But they are annoying and not that hard to solve by machines after all …
• Use a cryptographic puzzle:
  • Some challenges are slow to compute for the client but fast to verify for the server
  • Sent by the server to the client before handling any further request
  • Not very efficient against DDoS
• Make sure your hosts are patched against DoS vulnerabilities
• Anomaly detection and behavioral models
• Ingress filtering
• Firewall: rate limiting, broadcast packets
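An added example of the cryptographic puzzle defense above (this is not code from the slides): a hash-preimage client puzzle whose challenge is bound to the client with an HMAC so the server keeps no per-client state, with a difficulty that rises with load. SERVER_SECRET, the load thresholds and the 8-byte nonce encoding are assumptions of this example; the asymmetry it shows (2^difficulty hashes to solve, one to verify) is why the per-client cost helps against a single flooding host but not against a botnet whose bots each pay it.

```python
import hashlib
import hmac
import os

# Assumed per-process secret: lets the server verify a challenge it handed out without
# storing it (the same idea as SYN cookies).
SERVER_SECRET = os.urandom(32)


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _h(challenge: bytes, nonce: int) -> bytes:
    return hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()


def solve_puzzle(challenge: bytes, difficulty: int) -> int:
    """Client side: brute-force a nonce such that SHA-256(challenge || nonce) starts with
    `difficulty` zero bits. Expected cost 2^difficulty hashes; there is no shortcut."""
    nonce = 0
    while leading_zero_bits(_h(challenge, nonce)) < difficulty:
        nonce += 1
    return nonce


def verify_puzzle(challenge: bytes, difficulty: int, nonce: int) -> bool:
    """Server side: a single hash, whatever the difficulty."""
    return leading_zero_bits(_h(challenge, nonce)) >= difficulty


def difficulty_for_load(pending_requests: int, capacity: int) -> int:
    """Puzzles cost legitimate clients CPU too, so demand them only under pressure and
    raise the price as the server approaches capacity (thresholds are constructed)."""
    load = pending_requests / capacity
    if load < 0.5:
        return 0
    if load < 0.8:
        return 8
    if load < 1.0:
        return 12
    return 16


def issue_challenge(client_ip: str, now: int, difficulty: int, ttl: int = 30):
    """Bind the challenge to the client address, an expiry and the difficulty with an HMAC,
    so a solution cannot be replayed from another address, after expiry, or at a lower difficulty."""
    expiry = now + ttl
    msg = f"{client_ip}|{expiry}|{difficulty}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:16]
    return tag, expiry, difficulty


def verify_solution(client_ip: str, now: int, expiry: int, difficulty: int,
                    tag: bytes, nonce: int) -> bool:
    """Recompute the tag from what the client echoes back; only then check the puzzle."""
    if now > expiry:
        return False
    msg = f"{client_ip}|{expiry}|{difficulty}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        return False
    return verify_puzzle(tag, difficulty, nonce)
```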


TCP Connection Hijacking

• A bit “old-school”
  • Was used by Kevin Mitnick in 1995 …
  • Attack on RSH to gain access to a server
  • With control of a computer on the network
• Principle of the attack:
  • Impersonate a computer with IP spoofing
  • TCP sequence number guessing to send packets while ignoring responses
  • DoS the spoofed machine so that it cannot reset the connection


TCP Connection Hijacking: RSH

• Remote Shell
  • “Ancestor” of SSH
• Can be configured to allow/deny connections based on
  • Remote username
  • IP address
• No crypto in place... but hijacking an IP address is not easy


TCP Connection Hijacking: TCP

TCP Connection Hijacking: TCP 3-way Handshake

Source: http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentSequenceNumberSynchroniz-2.htm

TCP Connection Hijacking: TCP SYN flooding

[Figure: Client → Server: SYN; Server → Client: SYN/ACK]

• Server keeps a state for each opening connection in a buffer
• This buffer has a limited size


TCP Connection Hijacking: IP Spoofing

• Sending packets with a spoofed IP address is as simple as forging the source IP in a crafted packet
  • Usually requires root (raw socket)
  • MAC/IP address forging
• May be blocked by the switch / ISP
  • Called “Ingress filtering”
• Packets with a forged IP address
  • Easy to send
  • But no response received… → is it still possible to exploit it?


IP Address Spoofing

• Can be used directly to exploit stateless protocols, e.g., those based only on UDP
• But in TCP, how do we perform the 3-way handshake?
  • We don't receive the response packets
  • As we don't control the return path...
• How to guess the SEQ# and prevent the spoofed host from responding?


Mitnick Attack

• DoS the server
• Send packets to the target guessing sequence numbers
  • If the guess is correct, packets are accepted
  • Replies will go to the server
    • Not seen by the attacker
    • The DoS’ed server will not send an error message
• Used to send a command over RSH
  • echo + + >>/.rhosts
• Access to the target gained!


ARP Poisoning

• ARP is a protocol to map MAC addresses to IP addresses on Ethernet:
  • Who has <IP>?
  • <IP> is at <mac>
• Needed to know where to send IP packets over Ethernet
• This can be abused to inject a wrong MAC address <=> IP address association
  • Perform a Man in the Middle on a switched Ethernet network
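An added example of detecting the poisoning described above (not code from the slides, and not arpwatch's code either): a passive ARP monitor run over a constructed frame trace that flags replies nobody asked for, known addresses that suddenly move to another MAC, and one MAC claiming several addresses including the gateway. The frame model, the alert names and the first-binding-wins policy are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpFrame:
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_ip: str


class ArpWatch:
    """Passive detector. It learns IP->MAC bindings from replies and alerts when a reply was
    not solicited by a request seen on the wire, when a known IP moves to another MAC, or when
    one MAC claims a protected address (gateway, servers) plus other addresses. The first learnt
    binding is kept; a real deployment would seed the gateway binding from configuration."""

    def __init__(self, protected_ips=()):
        self.table = {}            # ip -> mac, first binding wins
        self.pending = set()       # target IPs of requests seen but not yet answered
        self.protected = set(protected_ips)
        self.claims = {}           # mac -> set of IPs it has claimed

    def observe(self, f: ArpFrame):
        alerts = []
        if f.op == "request":
            self.pending.add(f.target_ip)
            return alerts
        # Gratuitous ARP is legitimate on boot or failover, but an unsolicited reply is also
        # exactly how a poisoner pushes a binding into victims' caches, so it is flagged.
        if f.sender_ip in self.pending:
            self.pending.discard(f.sender_ip)
        else:
            alerts.append(("unsolicited-reply", f.sender_ip, f.sender_mac))
        known = self.table.get(f.sender_ip)
        if known is None:
            self.table[f.sender_ip] = f.sender_mac
        elif known != f.sender_mac:
            alerts.append(("mac-change", f.sender_ip, f.sender_mac))
        ips = self.claims.setdefault(f.sender_mac, set())
        ips.add(f.sender_ip)
        # A router has one IP per interface on the segment; a MAC answering for the gateway
        # and for hosts at the same time is the man-in-the-middle position.
        if ips & self.protected and len(ips) > 1:
            alerts.append(("mac-claims-multiple", f.sender_mac, tuple(sorted(ips))))
        return alerts


# Constructed trace: a host resolves the gateway 10.0.0.1, then a third MAC claims it.
FRAMES = [
    ArpFrame("request", "00:11:22:33:44:aa", "10.0.0.20", "10.0.0.1"),
    ArpFrame("reply",   "00:11:22:33:44:01", "10.0.0.1",  "10.0.0.20"),
    ArpFrame("reply",   "de:ad:be:ef:00:01", "10.0.0.1",  "10.0.0.20"),  # poisoning attempt
    ArpFrame("reply",   "de:ad:be:ef:00:01", "10.0.0.20", "10.0.0.1"),   # same MAC now claims the host too
]

if __name__ == "__main__":
    watch = ArpWatch(protected_ips={"10.0.0.1"})
    for frame in FRAMES:
        for alert in watch.observe(frame):
            print(alert)
```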


ARP Poisoning


Source Routing

• The route taken by TCP/IP packets is determined by the routers' routing tables
• Source routing allows bypassing this
  • Specify the path that packets should take
• E.g., an authorized host can specify the path
  • Auth host → A → C → D → Server
  • Auth host → A → B → D → Server


Source Routing

• This allows an attacker to
  • Discover the network
  • Have its packets go through a specific network path
  • Bypass IP address rules (TCP wrappers, …), firewalls
  • Access computers behind a NAT/private address space
• Solution: always disallow source routing → it works :)


DNS

• Domain Name Service
  • Map host names to IP addresses on the Internet
  • Makes the Internet more “user friendly”
• A distributed system
  • Root servers are at fixed IPs
    • The “hints” file → http://www.internic.net/zones/named.root
    • They provide IP addresses of TLD servers
  • Top Level Domain (.com, .net, .org, …) DNS servers provide IP addresses for domains
  • Etc…
• Two query modes: (i) recursive and (ii) iterative


DNS

• Its security is very important
  • Integrity of DNS responses
    • www.bank.com
    • SSL certificates certify hostnames, not IP addresses
  • Availability
    • No DNS → no Internet :(
  • Scalability
    • Extensive caching


Recursive DNS Request


Recursive DNS Requests

• Record obtained from the DNS architecture the first time

• Will remain in cache until TTL timeout

• This record must not be corrupted


Kaminsky Attack I

• 2007: Dan Kaminsky found a serious issue
• Almost all DNS server implementations were vulnerable to cache poisoning
  • Allows inserting malicious information in a cache server
• Attacker takes control over “glue records”
  • Allows impersonating the authoritative DNS server for a domain in the cache


Cache Poisoning Attacks

• How do we know the response received is actually a reply to our query?
  • Rely on the transaction serial number
  • Can it be predicted by the attacker?


Normal DNS Request

http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html


Basic Poisoning Attack Overview

http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html


DNS Cache Poisoning

• The Query ID can be guessed... Solution?
  • So they should be random?
  • … with good random number generators!
• Randomize the Query ID
  • 16-bit field → 64k possibilities
  • An attacker is likely to fail
  • When it fails, the targeted record is loaded into the cache


Glue Records

• There is a chicken-and-egg problem in the DNS system, for instance:
  Q: Who is the NS for domain.com?
  R: ns.domain.com
• We need a glue record: glue records are used when the name server is a host of that domain, and provide its IP address
  Q: Who is the NS for domain.com?
  R: ns.domain.com and it is at a.b.c.d


Kaminsky Attack

• Glue records are cached as well
• What if we poison a glue record?
  • Completely owns the domain, can forge any subdomain/hostname of that domain
• Query ID randomization?
  • A failed attempt is not a problem, so we can try many times!

Kaminsky Attack Wrap-up

http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html


DNS Cache Poisoning

• Very damaging attacks
• Mitigations:
  • Cache servers should not face the Internet, e.g. not be at the same time a cache server and an authoritative server for a domain
  • Randomize: query ID, source port, host name capitalization
  • DNSSEC: authenticated DNS records
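An added example for the mitigations above (not code from the slides): the resolver-side acceptance checks that the three randomization items amount to, run against a constructed Kaminsky-style forged reply carrying a poisoned glue record, plus the blind-spoofing success probability for 16 bits (query ID only) versus 32 bits (query ID and source port). The Pending record, the response dict layout and the bailiwick rule are assumptions of this example.

```python
import math
from dataclasses import dataclass


def spoof_success_probability(entropy_bits: int, forged_per_query: int, queries: int) -> float:
    """Probability that a blind spoofer wins at least once when it can trigger `queries`
    lookups and, for each, send `forged_per_query` guesses before the real answer arrives."""
    p_one = min(1.0, forged_per_query / 2 ** entropy_bits)
    return 1 - (1 - p_one) ** queries


def queries_needed(entropy_bits: int, forged_per_query: int, target_prob: float = 0.5) -> int:
    """Lookups the attacker must trigger to reach `target_prob`. With Kaminsky's trick each
    lookup asks for a fresh random name, so a failure leaves no TTL to wait out."""
    p_one = min(1.0, forged_per_query / 2 ** entropy_bits)
    if p_one >= 1.0:
        return 1
    return math.ceil(math.log(1 - target_prob) / math.log(1 - p_one))


@dataclass
class Pending:
    qname: str   # question exactly as sent, with 0x20 case randomization applied
    qid: int     # 16-bit transaction ID
    sport: int   # randomized UDP source port
    zone: str    # zone the queried server is authoritative for (its bailiwick)


def in_bailiwick(name: str, zone: str) -> bool:
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_response(pending: Pending, resp: dict):
    """Resolver-side checks. Returns (accepted, records safe to cache).
    A spoofer must match transaction ID and destination port (32 bits of entropy together)
    and echo the question byte-for-byte, capitalization included; even an accepted response
    only gets to cache records inside the queried server's bailiwick."""
    if resp["qid"] != pending.qid or resp["dport"] != pending.sport:
        return False, []
    if resp["qname"] != pending.qname:   # exact, case-sensitive comparison (0x20 check)
        return False, []
    records = resp["answer"] + resp["authority"] + resp["additional"]
    return True, [rr for rr in records if in_bailiwick(rr[0], pending.zone)]


# Constructed scenario: the resolver asked bank.com's server about a random name (a
# Kaminsky-style lookup) and receives forged replies carrying a poisoned glue record.
PENDING = Pending("rAnDoM123.BaNk.CoM", 0x3F21, 41207, "bank.com")
POISON = {
    "answer": [],
    "authority": [("bank.com", "NS", "ns.bank.com")],
    "additional": [("ns.bank.com", "A", "203.0.113.66"),        # in bailiwick: would be cached
                   ("www.example.net", "A", "203.0.113.77")],   # out of bailiwick: dropped
}
FORGED_WRONG_CASE = dict(POISON, qid=0x3F21, dport=41207, qname="random123.bank.com")
FORGED_EXACT = dict(POISON, qid=0x3F21, dport=41207, qname="rAnDoM123.BaNk.CoM")

if __name__ == "__main__":
    print(queries_needed(16, 100), queries_needed(32, 100))
    print(accept_response(PENDING, FORGED_WRONG_CASE))
    print(accept_response(PENDING, FORGED_EXACT))
```

The accepted forged reply is the point of the exercise: once ID, port and case all match, bailiwick rules do not save a glue record for the very zone being queried, so the entropy is the whole defense short of DNSSEC.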

The Border Gateway Protocol: The Art of Building the Internet

[Figure: five Autonomous Systems, AS1 to AS5]

• The Internet is divided into thousands of smaller networks called Autonomous Systems (ASes) administered by a single entity (e.g., an Internet Service Provider, a company, a university)

[Figure: address blocks assigned to the ASes: 5.0.0.0/8, 45.54.0.0/16, 45.55.0.0/16, 15.1.2.0/24, 2.2.0.0/16, 1.1.0.0/16, 1.2.0.0/16]

• Each AS “owns” or is responsible for managing a set of network IP addresses (e.g., AS3 is responsible for the IP address block 2.2.0.0/16)

[Figure: the ASes interconnected; legend: physical link, BGP message]

• The Border Gateway Protocol (BGP) allows ASes to interconnect with each other by exchanging network IP address block reachability information

• BGP glues ASes together to form the Internet


AS3 to AS1,AS4: “I am AS3 and I am responsible for 2.2.0.0/16!”

• The Border Gateway Protocol (BGP) allows ASes to interconnect with each other by exchanging network IP address block reachability information

• BGP glues ASes together to form the Internet

66

The Border Gateway Protocol: The Art of Building the Internet

[Figure, step 2: AS1 to AS2: “AS3 told me he is responsible for 2.2.0.0/16!”; AS4 to AS2 and AS5: “AS3 told me he is responsible for 2.2.0.0/16!”]

67

The Border Gateway Protocol: The Art of Building the Internet

[Figure, step 3: every AS now knows how to reach 2.2.0.0/16]

All networks on the Internet can eventually talk to each other!

68

The Border Gateway Protocol: The Art of Building the Internet

[Figure: AS35289 (Symantec Ltd) announces 192.92.94.0/24 to AS5466 (Eircom Ltd) and AS702 (Verizon); each of them forwards the announcement to the Internet with its own AS number prepended to the path]

AS35289 to AS5466 and AS702: Network: 192.92.94.0/24, AS path: AS35289

AS5466 to the Internet: Network: 192.92.94.0/24, AS path: AS5466, AS35289

AS702 to the Internet: Network: 192.92.94.0/24, AS path: AS702, AS35289

• BGP messages record the path of ASes they go through to avoid routing loops

69

The Border Gateway Protocol: The Art of Building the Internet

[Figure: AS35289 (Symantec Ltd) is the customer of its (upstream) transit providers AS5466 (Eircom Ltd) and AS702 (Verizon), which connect 192.92.94.0/24 to the Internet]

• Inter-AS links reflect the business relationships between their respective owners (e.g., some provide transit connectivity to the Internet to their customers)

70

BGP Hijacking: The Art of Breaking the Internet

• CAUSES

• The injection of erroneous network reachability information into BGP

• Trust-based exchange of network reachability information

• No widely deployed security mechanism yet

• EFFECTS (on the victim network)

• Blackhole (e.g., Youtube hijack by Pakistan Telecom)

• Impersonation (e.g., Spamhaus hijack)

• MITM (e.g., BGP MITM [1])

• EXPLANATIONS

• Router misconfiguration, operational fault (e.g., AS7007 incident [2])

• Malicious intent?

[1] Stealing The Internet: An Internet-Scale Man In The Middle Attack (Defcon 2008)

[2] http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html

71

BGP Hijacks in the News

[Figure: news headlines]

• Renesys: 1,500 MITM (traffic interception) hijacks in 2013

• ISC: several banks targeted by BGP hijacks

• BGPmon.net: BGP hijack attack against anti-spam company “Spamhaus”

75

BGP Hijacks in the News

[Figure: the same headlines, with the question: benign or malicious?]

76

BGP Hijacks: Challenges

• Identifying BGP hijacks is challenging

• BGP hijacks look similar to some legitimate BGP engineering practices

• Lack of ground truth information: only the owner of a network can precisely diagnose routing events related to its network

77

Case I: BGP Blackhole

[Figure: ASX (iSpam Inc) announces to the Internet the two more specific prefixes 192.92.94.0/25 and 192.92.94.128/25 with AS path: ASX, AS35289; AS5466 (Eircom Ltd) and AS702 (Verizon) still carry Symantec's 192.92.94.0/24; the Symantec network is blackholed]

• DoS of the victim network

• Similar to the Youtube hijack

• Here is an example
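The AS path propagation of slide 68 and the more-specific-prefix blackhole of slide 77, as an added example that is not code from the course: a small Python simulation of BGP flooding with loop avoidance, followed by longest-prefix forwarding. The topology is constructed; AS64500 (standing in for the rest of the Internet) and AS64501 (the hijacker ASX) are assumptions.

```python
import ipaddress
from collections import deque

# Constructed topology (illustrative, not the slides' real peering): ASN -> neighbours.
# AS35289 (Symantec) is a customer of AS5466 (Eircom) and AS702 (Verizon); AS64500 stands
# in for "the Internet"; AS64501 is the hypothetical hijacker "ASX" of slide 77.
LINKS = {35289: [5466, 702], 5466: [35289, 702, 64500], 702: [35289, 5466, 64500],
         64500: [5466, 702, 64501], 64501: [64500]}

def propagate(links, origin):
    """Flood one prefix announcement through the AS graph, BGP-style: each AS prepends
    its number to the AS_PATH before re-advertising, keeps the shortest AS_PATH it
    hears, and discards any update whose AS_PATH already contains its own number (the
    loop-avoidance rule of slide 68).  Returns {asn: as_path}; the origin's is empty."""
    rib = {origin: []}
    queue = deque([origin])
    while queue:
        sender = queue.popleft()
        advertised = [sender] + rib[sender]          # AS_PATH carried in the update
        for neighbour in links[sender]:
            if neighbour in advertised:               # loop detected: drop the update
                continue
            if neighbour not in rib or len(advertised) < len(rib[neighbour]):
                rib[neighbour] = advertised
                queue.append(neighbour)
    return rib

def chosen_origin(tables, asn, ip):
    """Origin AS towards which `asn` forwards traffic for `ip`: longest-prefix match over
    `tables`, a dict prefix-string -> RIB from propagate(). None if nothing covers ip."""
    addr = ipaddress.ip_address(ip)
    candidates = [(ipaddress.ip_network(p), rib[asn]) for p, rib in tables.items()
                  if addr in ipaddress.ip_network(p) and asn in rib]
    if not candidates:
        return None
    _, path = max(candidates, key=lambda c: c[0].prefixlen)  # most specific prefix wins
    return path[-1] if path else asn                          # rightmost AS = origin

# Legitimate state: Symantec originates its /24 (slide 68).
LEGIT = {"192.92.94.0/24": propagate(LINKS, 35289)}
# Slide 77 (Case I): ASX additionally announces the two more specific /25s.
HIJACKED = dict(LEGIT)
for sub in ("192.92.94.0/25", "192.92.94.128/25"):
    HIJACKED[sub] = propagate(LINKS, 64501)

if __name__ == "__main__":
    for asn in (64500, 5466, 702):   # even Symantec's own upstreams now prefer the /25s
        print(asn, chosen_origin(LEGIT, asn, "192.92.94.10"), "->",
              chosen_origin(HIJACKED, asn, "192.92.94.10"))
```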

78

Case II: BGP Impersonation: Fly-by Spammers

• CONJECTURE

• Spammers would use BGP hijacking to send spam from the stolen IP space and evade spam sender blacklists

• “BGP spectrum agility”: short-lived (<1 day) spam networks*

• POTENTIAL EFFECTS

• Attacks launched from hijacked networks are misattributed to the legitimate owner, since the hijacker steals its IP identity

• Spam filters heavily rely on IP reputation as a first layer of defense

* Understanding the Network-level Behavior of Spammers (SIGCOMM 2006)

79

Fly-by Spammers: Hijack Signature

• Hijacked networks

• are dormant IP address blocks, i.e., by the time the networks are hijacked they have been left unadvertised by their owner

• advertised for a rather short period of time

• AS hijack: prefix is advertised in BGP from an apparently legitimate origin AS but via a presumably illegitimate upstream provider AS

• Prefix hijack: prefix is advertised in BGP from an apparently rogue origin AS but via a presumably legitimate upstream provider AS

80

Fly-by Spammers: AS Hijack Illustration

[Figure: ASY, the legitimate owner of A.B.C.0/24, appears as the origin AS; ASX (iSpam Inc) acts as an illegitimate (upstream) transit provider AS and announces to the Internet: Network: A.B.C.D/E, AS path: ASX, ASY; spam is then sent from A.B.C.1…A.B.C.255]

81

Fly-by Spammers: Case Study

• IP prefixes are only announced when spam is received!

• Few blacklisted spam sources at the time of the BGP announcements!

82

Case III: BGP Man-In-The-Middle

• Step 1: discover path between AS_Mallory (attacker) and AS_Alice (victim)

• AS_Mallory → AS_D → AS_A → AS_Alice

• Step 2: advertise more specific prefix 66.102.0.0/24 and secure backup route (P)

• Step 3: adjust TTLs (ultimate stealth!)

Stealing The Internet: An Internet-Scale Man In The Middle Attack (Defcon 2008)

83

Securing BGP?

• Security extensions to BGP

• e.g., RPKI, BGPsec, ROVER

• Similar to DNSSEC for DNS

• Deployment is expensive

• BGP monitoring

• Analyze BGP updates and trigger an alarm upon an abnormal routing change, e.g., a BGP hijack

• e.g., BGPmon.net, Renesys (Dyn/Oracle), UCLA Cyclops

• BGP “best current practices”

• e.g., Customer routes filtering

• Seldom followed by network operators
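The hijack signatures of slide 79 (prefix hijack vs. AS hijack) and the monitoring approach of slide 83, as an added example that is neither the course's code nor that of any monitoring service: a Python classifier run over a constructed update stream. The ownership table stands in for RPKI/IRR data, and the transit relationships and the AS numbers 64496, 64497, 64500 and 64501 are assumptions.

```python
import ipaddress

# Constructed reference data standing in for RPKI ROAs / IRR objects (not real registry
# data): registered prefix -> set of ASes authorised to originate it.
OWNERS = {
    "192.92.94.0/24": {35289},   # Symantec, as on slide 68
    "203.0.113.0/24": {64496},   # hypothetical "ASY" of slide 80 on a documentation prefix
}
# Constructed transit relationships: upstream AS -> customer ASes it provides transit to.
PROVIDERS = {
    5466: {35289}, 702: {35289},   # Eircom and Verizon carry Symantec (slide 69)
    64497: {64496},                # hypothetical legitimate upstream of ASY
}

def classify(prefix, as_path, owners=OWNERS, providers=PROVIDERS):
    """Hijack signatures of slide 79.  as_path is ordered as in a BGP update: as_path[-1]
    is the origin, as_path[-2] the upstream that re-advertised it.  Returns 'ok',
    'prefix-hijack' (origin not authorised for the covering registered prefix), 'as-hijack'
    (authorised origin via an upstream that is not its provider) or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    covering = [p for p in owners if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "unknown"
    registered = max(covering, key=lambda p: ipaddress.ip_network(p).prefixlen)
    origin = as_path[-1]
    if origin not in owners[registered]:
        return "prefix-hijack"          # e.g. the /25s of slide 77 originated by ASX
    if len(as_path) >= 2 and origin not in providers.get(as_path[-2], set()):
        return "as-hijack"              # slide 80: real origin, illegitimate upstream
    return "ok"

def alarms(updates):
    """Monitor pass (slide 83): return every update that deserves an alert."""
    verdicts = [(p, path, classify(p, path)) for p, path in updates]
    return [v for v in verdicts if v[2] != "ok"]

# Constructed update stream as a route collector would see it (collector's neighbour first).
UPDATES = [
    ("192.92.94.0/24", [702, 35289]),             # legitimate Symantec route via Verizon
    ("192.92.94.0/25", [64500, 64501]),           # slide 77: ASX (64501) originates a /25
    ("203.0.113.0/24", [64500, 64501, 64496]),    # slide 80: origin ASY via upstream ASX
    ("203.0.113.0/24", [64500, 64497, 64496]),    # ASY via its real provider
    ("198.51.100.0/24", [64500, 64501]),          # no registration: cannot be judged
]

if __name__ == "__main__":
    for prefix, path, verdict in alarms(UPDATES):
        print(f"ALERT {verdict}: {prefix} via {path}")
```

A legitimate route learned through a peer that is absent from the relationship table is also reported as an AS hijack, which is the ground-truth problem of slide 76 in miniature.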

84

Conclusion

• Myriad of network attacks and defenses

• Can be surprisingly easy to mount attacks

• Many countermeasures are known already

• And many are in place on most networks

• Still some very difficult attacks to solve and countermeasures to deploy

• DoS

• DNSsec