Slide 1: Hijacking Label Switched Networks in the Cloud
BSides Asheville 2014
Paul Coggin, Internetwork Consulting Solutions Architect, @PaulCoggin, www.dynetics.com
UNCLASSIFIED. V## Goes Here V100230_Faint 0000-00-yymm UNCLASSIFIED 11 Information Engineering Solutions

Slide 2: BGP Hijacking in the News
- 2008: Pakistan Telecom accidentally hijacks YouTube's prefix (http://www.renesys.com/2008/02/pakistan-hijacks-youtube-1/)
- 2011: Chinanet accidentally hijacks (http://www.blyon.com/hey-att-customers-your-facebook-data-went-to-china-and-korea-this-morning/)
- 2010: China Telecom accidentally hijacked 50,000 blocks of IP addresses for 20 minutes
- 2013: Renesys reported a major BGP hijacking; Belarus and Iceland ISPs possibly compromised; a software bug was blamed (http://www.wired.com/2013/12/bgp-hijacking-belarus-iceland/)

Slide 3: BGP: IP Prefix and AS Hijacking
Diagram: AS 1 through AS 7. AS 1 runs iBGP with two route reflectors and has eBGP sessions to its neighbours; there is an L2 cross connect between two of the ASes. AS 5 hijacks an IP subnet /24; AS 2 hijacks AS 4 and an IP subnet /24. The longest IP prefix wins.

Slide 4: BGP Hijacking in the News (repeat of slide 2)

Slide 5: Virtual Private Networks
Virtual networks: virtual private networks, virtual dialup networks, virtual LANs.
Virtual private networks:
- Overlay VPN
  - Layer-2 VPN: X.25, Frame Relay, ATM
  - Layer-3 VPN: GRE, IPsec
- Peer-to-peer VPN
  - Access lists (shared router)
  - Split routing (dedicated router)
  - MPLS/VPN
MPLS VPN is not encrypted unless encrypted separately.

Slide 6: MPLS and the OSI and TCP/IP Model
OSI model: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical. TCP/IP model: Application, Transport, Internet, Network Interface. The MPLS label stack sits at "OSI layer 2.5", between the data link and network layers: Frame header | TE label | LDP label | VPN label | IP packet. Own the label.

Slide 7: MPLS Label PCAP
32-bit MPLS label format:
- Label: 20 bits
- EXP: 3 bits
- Bottom-of-Stack: 1 bit
- TTL: 8 bits
Source: http://www.netoptics.com/blog/01-07-2011/sample-pcap-files

Slide 8: MPLS Architecture Overview
Diagram: CE routers for VPN_A and VPN_B (address blocks 10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0 and 11.6.0.0) attached to PE routers; P routers in the core; iBGP sessions between the PEs.
- P routers (LSRs) are in the core of the MPLS cloud
- PE routers (edge LSRs, or LERs) use MPLS toward the core and plain IP with the CE routers
- P and PE routers use the same IGP routing protocol
- PE routers are MP-iBGP fully meshed
- The service provider may accidentally or intentionally misconfigure VPNs
- Utilize IPsec VPN over MPLS VPN to ensure security

Slide 9: CLI - VRF configuration
PE1 configuration (the interface statement for cust_B makes clear that "cust_2" on the slide is the cust_B VRF):

    ip vrf cust_A
     rd 200:1
     route-target export 200:1
     route-target import 200:1
    ip vrf cust_B
     rd 200:2
     route-target export 200:2
     route-target import 200:2
    interface Serial2/0
     ip vrf forwarding cust_A
    interface Serial2/1
     ip vrf forwarding cust_B

MP-BGP between the PEs.
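The route-target mechanics behind this configuration, written out as an added example (this is not code from the slides or from Cisco). It models two PEs that both carry the cust_A and cust_B VRFs from the slide, with constructed customer prefixes, and shows what changes when an operator adds a single extra `route-target import 200:1` line under cust_B, the kind of accidental or intentional misconfiguration the previous slide warns about. The two-PE topology, the prefixes and the interface names beyond Serial2/0 and Serial2/1 are assumptions for the demonstration; no BGP best-path selection is modelled.

```python
"""Model of how a PE builds per-VRF routing tables from MP-BGP VPNv4 routes.

Added example, not from the original slides. VRF names, RDs and route
targets follow the slide's configuration; the PE names, prefixes and the
"leaky" import set are constructed for this demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str                       # "rd 200:1" on the slide
    export_rt: frozenset          # "route-target export ..."
    import_rt: frozenset          # "route-target import ..."
    local: dict = field(default_factory=dict)   # PE-CE routes: prefix -> attached interface


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    pe: str            # advertising PE (BGP next hop)
    rts: frozenset     # route-target extended communities carried with the route


def export_vpnv4(pe: str, vrf: Vrf) -> list:
    """What one VRF contributes to MP-iBGP: RD:prefix carrying the VRF's export RTs."""
    return [Vpnv4Route(vrf.rd, prefix, pe, vrf.export_rt) for prefix in vrf.local]


def import_vpnv4(pe: str, vrf: Vrf, vpnv4: list) -> dict:
    """One VRF table on one PE. Each value is (next hop, RD of the originating VRF).
    The RD only keeps overlapping customer prefixes distinct inside BGP;
    the import RT set alone decides which customer's routes land in this table."""
    table = {prefix: (iface, vrf.rd) for prefix, iface in vrf.local.items()}
    for r in vpnv4:
        if r.pe != pe and r.rts & vrf.import_rt:
            table.setdefault(r.prefix, (r.pe, r.rd))   # first path wins; no best-path selection here
    return table


def pe_tables(pes: dict) -> dict:
    """pes: {PE name: [VRFs on that PE]} -> {(PE, VRF name): routing table}."""
    vpnv4 = [r for pe, vrfs in pes.items() for v in vrfs for r in export_vpnv4(pe, v)]
    return {(pe, v.name): import_vpnv4(pe, v, vpnv4) for pe, vrfs in pes.items() for v in vrfs}


def topology(cust_b_import: frozenset) -> dict:
    """Two PEs with cust_A and cust_B attached, as on the slide (constructed topology).
    cust_b_import is the route-target import set configured under cust_B on PE1;
    frozenset({"200:2"}) is the correct value."""
    rt_a, rt_b = frozenset({"200:1"}), frozenset({"200:2"})
    return {
        "PE1": [
            Vrf("cust_A", "200:1", rt_a, rt_a, {"10.1.0.0/16": "Serial2/0"}),
            Vrf("cust_B", "200:2", rt_b, cust_b_import, {"10.3.0.0/16": "Serial2/1"}),
        ],
        "PE2": [
            Vrf("cust_A", "200:1", rt_a, rt_a, {"10.2.0.0/16": "Serial2/0"}),
            # cust_B reuses 10.1.0.0/16: legal, because RD 200:2 keeps it distinct from cust_A's copy
            Vrf("cust_B", "200:2", rt_b, rt_b, {"10.1.0.0/16": "Serial2/1"}),
        ],
    }


def leaked_into(tables: dict, pe: str, vrf_name: str, foreign_rd: str) -> list:
    """Prefixes in a VRF table that originated from a VRF with another RD."""
    return sorted(p for p, (_, rd) in tables[(pe, vrf_name)].items() if rd == foreign_rd)


if __name__ == "__main__":
    cases = (("correct config", {"200:2"}),
             ("after 'route-target import 200:1' under cust_B", {"200:2", "200:1"}))
    for label, imp in cases:
        tables = pe_tables(topology(frozenset(imp)))
        print(f"{label}: cust_B on PE1 now holds cust_A routes {leaked_into(tables, 'PE1', 'cust_B', '200:1')}")
```

With the correct configuration cust_B on PE1 sees only cust_B routes; with the one extra import line it also holds cust_A's 10.2.0.0/16, reachable through PE2, while cust_A remains unaware because cust_B's export RT did not change. The leak is one-way and shows up in no customer-facing alarm, which is why the deck recommends that customers run their own IPsec over the provider's MPLS VPN.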
Diagram: P routers between PE1 and PE2 run OSPF or IS-IS with LDP; PE2 carries the same VRF configuration as PE1; PE-CE routing toward the Cust-1 and Cust-2 sites is static, BGP, OSPF, EIGRP or RIP. MPLS trust relationship: the customer trusts the service provider.

Slide 10: MPLS PE Routing Table
- Global routing table
- Cust_A MPLS VPN routing table
- Cust_B MPLS VPN routing table
Three routing tables on one router, separated by MPLS VRF.

Slide 11: MPLS PE MP-BGP VPN (diagram only)

Slide 12: MPLS Network Attack Vectors
Transport network infrastructure attack tree.
Network and system architecture:
- Centralized, distributed, redundant
- Physical and logical transport network (RF, fiber, copper)
Network infrastructure attack vectors:
- Network protocols: routing, switching, redundancy
- Apps, client/server: HW, SW, apps, RDBMS (open source, commercial)
- Trust relationships: Internet, BSS, OSS, NMS, network
- Network management and network devices
- Billing, middleware, provisioning
- Vendor remote access (VPT)
- Tech staff remote access
- Self provisioning
- Physical access
- Trusted insider
- Cross connect
- CE in-band management
- Physical access to CE configuration settings
Attack tree paths (each ends in "own network infrastructure"):
- SNMP community string dictionary attack with spoofing -> download router/switch configuration -> build new router configuration file to enable further privilege escalation
- Telnet/SSH dictionary attack against routers, switches and the NetMgt server -> build new router configuration file to enable further privilege escalation
- UNIX NetMgt server running NIS v1 -> ypcat -d <domain> -h <server IP> passwd -> grab shadow file hashes -> crack passwords
- ... -> upload new configuration file using the compromised SNMP RW string -> own network infrastructure
- MITM / ARP poisoning / sniffing -> capture SNMP community strings, unencrypted logins and passwords, routing protocol passwords -> inject new routes or bogus protocol packets; configure device for further privilege escalation; access server directly -> own network infrastructure
- Discover backup HW configs -> exploit ACL trust relationship -> attack SNMP/Telnet/SSH -> find NetMgt passwords and SNMP config files -> own network infrastructure
- HP OpenView server -> enumerate Oracle TNS listener to identify default SIDs -> network management application: attempt to log in using default login/password -> reconfigure router or switch
- Further enumerate Oracle SIDs to identify default DBA system-level accounts and passwords -> own network infrastructure
- Further enumerate Oracle SIDs to identify user accounts -> perform dictionary attack -> log in to the Oracle DB with the discovered DBA-privilege account -> execute OS commands from Oracle PL/SQL -> run Oracle SQL commands, execute OS commands, attack the network from the DB, find NetMgt passwords, SNMP info and OS password files -> add new privileged OS account -> crack passwords -> use the new privileged OS account to escalate privileged access to the network -> own network infrastructure

Slide 13: Service Provider MPLS Network
Diagram: global Internet; central office/POP sites; PE and P routers; inside the core a packet is PE label | VPN label | IP | Data, on the PE-CE links it is IP | Data; Internet and MPLS VPN data share the same PEs; MPLS VPN CEs using static routing or BGP; labelled "Evil Cloud".
Insider threat:
- Add VPN router
- Layer 2 attacks
- L2TPv3
- ERSPAN
- Lawful Intercept
- GRE tunnel
- Co-location cross connect

Slide 14: Network Management Architecture for a Service Provider
Diagram: remote VPN NetMgt user/vendor; NOC with AAA, OSS, reports and database; Internet; OSS provisioning (SQL); NMS, EMS and MOM servers; OSS TL1 and TL1 gateway; SNMP agent carrying alarms, traps, reports, backup (TL1 to/from SNMP), IP configuration, provisioning, control and software download; Cust-1 and Cust-2 CEs; PEs; P routers; DWDM; MPLS core.
Network operations target:
- Leverage intel from exploited CE
- Exploit trust relationship to NOC
- Pivot NOC to P, PE, CE, VPNs
- Pivot to internal, IPTV, VoIP, Internet/BGP, vendors, transport
Physical access:
- In-band management
- Password recovery
- Trust relationships: SNMP, ACLs, accounts, protocols, AAA, NetMgt IPs

Slide 15: Transit Between MPLS-VPN backbones
- Packet capture
- Inject routes into VPN
- Denial of service
- Join VPN
- MITM
- Cross-connect
- Inject labeled packets
- Traffic engineering
- Disable IP TTL
Diagram: CE-1 -> PE-1 -> P1 -> PE-ASBR1 -> L2 IXP -> PE-ASBR2 -> P2 -> PE-2 -> CE-2 across carrier backbones 1, 2 and 3, each running its own IGP (OSPF or IS-IS) and LDP; MP-iBGP for VPN-IPv4 inside each backbone, MP-eBGP for VPN-IPv4 between the ASBRs at the L2 IXPs. Packets are IP | Data on the CE side and Label | Label | IP | Data inside the backbones. Also shown: an attacker, the network monitoring infrastructure, MPLS label/prefix recon, ERSPAN, lawful intercept.
If BGP is being hijacked, why not MPLS? BGP transport path redirected using MPLS TE?

Slide 16: BGP Route Monitoring
- Monitor your IP prefixes
- Monitor your business partners' IP prefixes
- Monitor industry peers for intel to predict future attacks

Slide 17: MPLS Security Recommendations
- Monitor for new, unexpected route advertisements: know your network!
- Utilize encryption over MPLS VPN links; SP PE-PE IPsec
- Whitelist the network trust relationships, including routing protocols
- Whitelist trusted information flows in monitoring
- Utilize a separate VRF for in-band management
- Dedicated out-of-band network management with an un-attributable Internet IP for the VPN
- AAA with separation of roles and responsibilities for operations and security monitoring
- Configuration management and monitoring: log all changes!
- Two-factor authentication!

Slide 18: References
- Internet Routing Architectures, Halabi, Cisco Press
- MPLS VPN Security, Michael H. Behringer, Monique J. Morrow, Cisco Press
- ISP Essentials, Barry Raveendran Greene, Philip Smith, Cisco Press
- Router Security Strategies: Securing IP Network Traffic Planes, Gregg Schudel, David J. Smith, Cisco Press
- MPLS and VPN Architectures, Jim Guichard, Ivan Pepelnjak, Cisco Press
- MPLS Configuration on Cisco IOS Software, Lancy Lobo, Umesh Lakshman, Cisco Press
- Traffic Engineering with MPLS, Eric Osborne, Ajay Simha, Cisco Press
- LAN Switch Security: What Hackers Know About Your Switches, Eric Vyncke, Christopher Paggen, Cisco Press
- RFC 2547, RFC 2547bis, RFC 2917, RFC 4364
- Attack Trees, Bruce Schneier, https://www.schneier.com/paper-attacktrees-ddj-ft.html
- http://www.nrl.navy.mil/itd/ncs/products/core
- http://www.cisco.com/go/mpls
- http://www.wired.com/2013/12/bgp-hijacking-belarus-iceland/
- http://www.blyon.com/hey-att-customers-your-facebook-data-went-to-china-and-korea-this-morning/
- http://www.renesys.com/2008/02/pakistan-hijacks-youtube-1/
- http://www.netoptics.com/blog/01-07-2011/sample-pcap-files

Slide 19: Questions?
[email protected], @PaulCoggin
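Worked example for the 32-bit label format on slide 7 and for the "inject labeled packets" and "join VPN" items on slide 15. This is an added example, not code from the slides or from the netoptics capture they cite: it parses the label stack out of an Ethernet frame exactly as a P or PE router would read it, then shows that the only thing selecting the customer VRF at the egress PE is the inner label value. The sample frame, the label values 17/24/25 and the label-to-VRF table are constructed for the demonstration.

```python
"""MPLS label stack parser plus an egress-PE label lookup.

Added example, not from the original slides. Frame contents, label numbers
and the VPN label table below are constructed for the demonstration.
"""
import struct

ETHERTYPE_MPLS = {0x8847: "MPLS unicast", 0x8848: "MPLS multicast"}
# Labels 0-15 are reserved; the four everyone meets in captures:
RESERVED_LABELS = {0: "IPv4 explicit null", 1: "router alert", 2: "IPv6 explicit null", 3: "implicit null"}


def decode_label_entry(word: int) -> dict:
    """Split one 32-bit stack entry: Label 20 bits | EXP 3 bits | S 1 bit | TTL 8 bits."""
    return {
        "label": word >> 12,
        "exp": (word >> 9) & 0x7,
        "bos": (word >> 8) & 0x1,
        "ttl": word & 0xFF,
    }


def encode_label_entry(label: int, exp: int = 0, bos: int = 0, ttl: int = 64) -> bytes:
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | ((exp & 0x7) << 9) | ((bos & 0x1) << 8) | (ttl & 0xFF))


def parse_label_stack(data: bytes):
    """Walk entries until the bottom-of-stack bit is set; return (entries, payload)."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack (no bottom-of-stack entry)")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = decode_label_entry(word)
        if entry["label"] < 16:
            entry["reserved"] = RESERVED_LABELS.get(entry["label"], "reserved")
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, data[offset:]


def payload_type(payload: bytes) -> str:
    """MPLS carries no protocol field, so the first nibble of the payload is the usual guess."""
    if not payload:
        return "empty"
    return {4: "IPv4", 6: "IPv6"}.get(payload[0] >> 4, "non-IP (e.g. Ethernet pseudowire)")


def parse_frame(frame: bytes) -> dict:
    """Ethernet II frame carrying MPLS -> transport label, VPN label and payload type."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet header plus one label")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype not in ETHERTYPE_MPLS:
        raise ValueError(f"ethertype 0x{ethertype:04x} is not MPLS")
    stack, payload = parse_label_stack(frame[14:])
    return {
        "stack": stack,
        "transport_label": stack[0]["label"],                      # what P routers switch on
        "vpn_label": stack[-1]["label"] if len(stack) > 1 else None,  # what the egress PE maps to a VRF
        "payload_type": payload_type(payload),
    }


def egress_vrf(frame: bytes, vpn_label_table: dict):
    """What the egress PE does with the bottom label: it selects the VRF, with no check
    of who pushed the label. vpn_label_table is {label: VRF name} (constructed here)."""
    return vpn_label_table.get(parse_frame(frame)["vpn_label"])


def build_frame(labels, payload: bytes) -> bytes:
    """labels: list of (label, ttl); the last entry gets the bottom-of-stack bit.
    The MAC addresses are locally administered placeholders."""
    eth = bytes.fromhex("0200000000010200000000028847")   # dst, src, ethertype 0x8847
    stack = b"".join(
        encode_label_entry(lbl, bos=int(i == len(labels) - 1), ttl=ttl)
        for i, (lbl, ttl) in enumerate(labels)
    )
    return eth + stack + payload


# Constructed sample: LDP transport label 17, VPN label 24, then a bare 20-byte IPv4 header.
SAMPLE_IPV4 = bytes.fromhex("45000014000100004001000ac0a80101c0a80102")
SAMPLE_FRAME = build_frame([(17, 255), (24, 64)], SAMPLE_IPV4)
VPN_LABEL_TABLE = {24: "cust_A", 25: "cust_B"}   # constructed PE label bindings

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
    print("delivered into VRF:", egress_vrf(SAMPLE_FRAME, VPN_LABEL_TABLE))
    forged = build_frame([(17, 255), (25, 64)], SAMPLE_IPV4)
    print("same packet, inner label 25 ->", egress_vrf(forged, VPN_LABEL_TABLE))
```

The second call shows the attack surface in one line: anyone able to get a labeled frame onto a core link (cross connect, compromised P router, L2 IXP) chooses the destination VRF by picking the inner label, and VPN labels are easily enumerated from `show` output or LDP/MP-BGP captures once the core is reached. Nothing in the stack authenticates the label, which is the concrete reason behind the deck's PE-PE and customer-side IPsec recommendations.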
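Detection logic for the "longest IP prefix wins" point on slide 3 and the monitoring advice on slides 16 and 17, as an added example that is not part of the original deck. It checks a feed of observed BGP announcements against the prefixes and origin ASNs we expect for ourselves and for a business partner, and raises the three findings a route monitor should distinguish: a more-specific prefix from a foreign origin, our exact prefix with a wrong origin, and our own origin ASN appearing behind an upstream we do not buy transit from (a forged-origin hijack). The prefixes, ASNs and the sample feed are constructed from documentation ranges and private ASNs.

```python
"""Route-monitoring checks for our own and partner prefixes.

Added example, not from the original slides. EXPECTED and SAMPLE_FEED are
constructed (documentation prefixes, private ASNs); a real deployment would
feed route-collector data into monitor().
"""
import ipaddress

# What we, and the business partners we watch, legitimately announce (constructed).
EXPECTED = {
    "203.0.113.0/24": {"origin": 64500, "upstreams": {64501, 64502}},   # our prefix, our transit providers
    "192.0.2.0/24":   {"origin": 64600, "upstreams": {64601}},          # business partner
}


def covering_prefix(prefix: str, expected: dict = EXPECTED):
    """Return the monitored prefix that equals or contains `prefix`, else None."""
    net = ipaddress.ip_network(prefix, strict=False)
    for monitored in expected:
        m = ipaddress.ip_network(monitored)
        if net.version == m.version and net.subnet_of(m):
            return monitored
    return None


def _strip_prepends(as_path):
    """Collapse consecutive repeats so AS-path prepending does not hide the true neighbour."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


def classify(prefix: str, as_path, expected: dict = EXPECTED) -> list:
    """Finding kinds for one announcement (empty list = nothing to report)."""
    monitored = covering_prefix(prefix, expected)
    if monitored is None:
        return []
    more_specific = ipaddress.ip_network(prefix, strict=False) != ipaddress.ip_network(monitored)
    path = _strip_prepends(as_path)
    origin = path[-1]
    exp = expected[monitored]
    if origin != exp["origin"]:
        # Foreign origin: a more-specific wins everywhere (slide 3), an exact match wins by tie-break
        return ["more_specific_hijack" if more_specific else "origin_hijack"]
    findings = []
    if len(path) >= 2 and path[-2] not in exp["upstreams"]:
        # Our ASN at the end of the path, but reached through an AS we never peer with
        findings.append("unexpected_upstream")
    if more_specific:
        findings.append("more_specific_same_origin")   # maybe our own TE; still worth a ticket
    return findings


def monitor(announcements, expected: dict = EXPECTED) -> list:
    """announcements: iterable of (prefix, as_path). Returns (kind, prefix, as_path) tuples."""
    findings = []
    for prefix, as_path in announcements:
        for kind in classify(prefix, as_path, expected):
            findings.append((kind, prefix, tuple(as_path)))
    return findings


# Constructed feed, as a collector behind AS 64510 might see it.
SAMPLE_FEED = [
    ("203.0.113.0/24", (64510, 64501, 64500)),          # normal
    ("203.0.113.0/24", (64510, 64502, 64502, 64500)),   # prepending by our own upstream: normal
    ("203.0.113.0/25", (64510, 64520)),                 # more-specific from a foreign origin
    ("203.0.113.0/24", (64510, 64530)),                 # exact prefix, wrong origin
    ("203.0.113.0/24", (64510, 64540, 64500)),          # our origin forged behind an unknown upstream
    ("192.0.2.128/25", (64510, 64601, 64600)),          # partner's own more-specific
    ("198.51.100.0/24", (64510, 64550)),                # not monitored
]

if __name__ == "__main__":
    for kind, prefix, path in monitor(SAMPLE_FEED):
        print(f"{kind:28} {prefix:18} path {' '.join(map(str, path))}")
```

The "unexpected_upstream" case is the one naive origin-only monitors miss: an attacker who appends the victim's ASN to the path keeps the origin looking right, so the check has to know which neighbours are allowed to sit next to that origin. Feed this the prefixes of business partners too, as slide 16 suggests; a hijack of a partner's block diverts traffic you send them just as effectively as one of your own.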