Hijacking Label Switched Networks in the Cloud

UNCLASSIFIED
HIJACKING LABEL SWITCHED NETWORKS IN THE CLOUD
BSides Asheville
2014
Paul Coggin
Internetwork Consulting Solutions Architect
@PaulCoggin
www.dynetics.com
V100230_Faint
0000-00-yymm
UNCLASSIFIED
11
Information Engineering Solutions

BGP Hijacking in the News
-  2008 Pakistan Telecom accidentally hijacks
-  2011 Chinanet accidentally hijacks
-  In 2010 China Telecom accidentally hijacked 50,000 blocks of IP addresses for 20 minutes
-  Renesys reported a major BGP hijacking in 2013
   -  Belarus and Iceland ISPs possibly compromised
   -  A software bug blamed
http://www.wired.com/2013/12/bgp-hijacking-belarus-iceland/
http://www.blyon.com/hey-att-customers-your-facebook-data-went-to-china-and-korea-this-morning/
http://www.renesys.com/2008/02/pakistan-hijacks-youtube-1/

BGP: IP Prefix and AS Hijacking
[Diagram: a BGP topology of AS 1 through AS 7 joined by EBGP links, with IBGP route reflectors inside one AS and an L2 cross connect between two of them. AS 5 hijacks an IP /24 subnet; AS 2 hijacks AS 4 and its IP /24 subnet.]
The Longest IP Prefix Wins

Virtual Private Networks
[Taxonomy diagram, reconstructed as a tree:]
Virtual Networks
  Virtual Private Networks
    Overlay VPN
      Layer-2 VPN: X.25, F/R, ATM
      Layer-3 VPN: GRE, IPSec
    Peer-to-Peer VPN
      Access lists (Shared router)
      Split routing (Dedicated router)
      MPLS/VPN
  Virtual Dialup Networks
  Virtual LANs
MPLS VPN is not encrypted unless encrypted separately

MPLS and the OSI and TCP/IP Model
[Diagram: the MPLS label stack sits between OSI layer 2 and layer 3 ("OSI 2.5"). In frame order the stack is Frame Header | TE Label | LDP Label | VPN Label | IP packet. "Own the Label".]

OSI Model           TCP/IP Model        MPLS Label Stack
7   Application     Application
6   Presentation    Application
5   Session         Application
4   Transport       Transport
3   Network         Internet
2.5                                     VPN Label, LDP Label, TE Label
2   Data Link       Network Interface   Frame Header
1   Physical        Network Interface
MPLS Label PCAP
32-bit MPLS Label Format
•  Label : 20-bit
•  EXP : 3-bit
•  Bottom-of-Stack : 1-bit
•  TTL : 8-bit
Source: http://www.netoptics.com/blog/01-07-2011/sample-pcap-files
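
The 32-bit label entry layout above, as an added example that is not part of the deck: a small Python parser that walks a label stack until the bottom-of-stack bit is set and then guesses the payload type from its first nibble, since MPLS carries no protocol-type field after the stack. The sample bytes are constructed.

```python
import struct
from dataclasses import dataclass

# Reserved label values (RFC 3032); anything else is a regular label.
RESERVED_LABELS = {0: "IPv4 Explicit NULL", 1: "Router Alert",
                   2: "IPv6 Explicit NULL", 3: "Implicit NULL"}

@dataclass
class LabelEntry:
    label: int   # 20-bit label
    exp: int     # 3-bit EXP (traffic class)
    bos: bool    # 1-bit bottom-of-stack flag
    ttl: int     # 8-bit TTL

def parse_label_stack(data: bytes):
    """Walk 32-bit label entries until the bottom-of-stack bit is set.

    Returns (entries, payload). Raises ValueError if the data runs out
    before any entry carries the bottom-of-stack bit (truncated capture)."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("label stack truncated: no bottom-of-stack entry")
        (word,) = struct.unpack("!I", data[offset:offset + 4])
        entry = LabelEntry(label=word >> 12, exp=(word >> 9) & 0x7,
                           bos=bool((word >> 8) & 0x1), ttl=word & 0xFF)
        entries.append(entry)
        offset += 4
        if entry.bos:
            return entries, data[offset:]

def payload_version(payload: bytes) -> str:
    """No type field follows the stack, so peek at the IP version nibble."""
    if not payload:
        return "empty"
    return {4: "IPv4", 6: "IPv6"}.get(payload[0] >> 4, "unknown")

# Constructed sample: LDP transport label 16 (TTL 64) over VPN label 24
# (bottom of stack, TTL 64), followed by the start of an IPv4 header.
SAMPLE = bytes.fromhex("00010040" "00018140") + bytes.fromhex("4500001c")

if __name__ == "__main__":
    stack, rest = parse_label_stack(SAMPLE)
    for e in stack:
        print(e, RESERVED_LABELS.get(e.label, "regular"))
    print("payload:", payload_version(rest))
```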

MPLS Architecture Overview
[Diagram: P routers in the core of the MPLS cloud, PE routers at its edge linked by iBGP sessions, and CE routers for VPN_A and VPN_B attached to the PEs. Site prefixes shown are 10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0 and 11.6.0.0; the same 10.1.0.0 and 10.2.0.0 prefixes appear in both VPN_A and VPN_B.]
•  P Routers (LSRs) are in the Core of the MPLS Cloud
•  PE Routers (Edge LSRs or LERs) Use MPLS with the Core and Plain IP with CE Routers
•  P and PE Routers Use the Same IGP Routing Protocol
•  PE Routers are MP-iBGP Fully-meshed
Service provider may accidentally or intentionally misconfigure VPNs
Utilize IPSEC VPN over MPLS VPN to ensure security

CLI - VRF configuration
[Diagram: PE1 and PE2 on either side of a P core running OSPF \ ISIS and LDP, exchanging VPN routes over MP-BGP. Cust-1 and Cust-2 CE routers attach to each PE using Static, BGP, OSPF, EIGRP or RIP.]

PE1:
ip vrf cust_A
 rd 200:1
 route-target export 200:1
 route-target import 200:1
ip vrf cust_B
 rd 200:2
 route-target export 200:2
 route-target import 200:2
interface Serial2/0
 ip vrf forwarding cust_A
interface Serial2/1
 ip vrf forwarding cust_B

PE2:
ip vrf cust_A
 rd 200:1
 route-target export 200:1
 route-target import 200:1
ip vrf cust_B
 rd 200:2
 route-target export 200:2
 route-target import 200:2
interface Serial2/0
 ip vrf forwarding cust_A
interface Serial2/1
 ip vrf forwarding cust_B

MPLS Trust Relationship
Customer Trusts Service Providers
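
The VRF configuration above is where a provider's accidental or intentional misconfiguration shows up: an extra route-target import is all it takes for one customer's VRF to receive another customer's routes. As an added example that is not part of the deck or of any vendor tool, this Python audit parses IOS-style "ip vrf" blocks and interface bindings and flags cross-VRF route-target imports and interfaces bound to undefined VRFs; the sample config is constructed with two such defects.

```python
import re
from collections import defaultdict
# Constructed sample based on the slide's PE config, with two defects added on purpose:
# cust_A also imports cust_B's route target, and Serial2/1 names a VRF never defined.
SAMPLE_CONFIG = """ip vrf cust_A
 rd 200:1
 route-target export 200:1
 route-target import 200:1
 route-target import 200:2
ip vrf cust_B
 rd 200:2
 route-target export 200:2
 route-target import 200:2
interface Serial2/0
 ip vrf forwarding cust_A
interface Serial2/1
 ip vrf forwarding cust_2
"""

def parse_vrfs(config: str):
    """Collect each 'ip vrf' block's export/import RTs and interface-to-VRF bindings."""
    vrfs = defaultdict(lambda: {"export": set(), "import": set()})
    bindings = {}            # interface name -> VRF it forwards in
    current = kind = None    # block we are inside ("vrf" or "intf") and its name
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip vrf (\S+)$", line):
            current, kind = m.group(1), "vrf"
            _ = vrfs[current]                   # register the VRF even if it has no RTs
        elif m := re.match(r"interface (\S+)$", line, re.I):
            current, kind = m.group(1), "intf"
        elif kind == "vrf" and (m := re.match(r"route-target (export|import) (\S+)$", line)):
            vrfs[current][m.group(1)].add(m.group(2))
        elif kind == "intf" and (m := re.match(r"ip vrf forwarding (\S+)$", line)):
            bindings[current] = m.group(1)
    return dict(vrfs), bindings

def audit(config: str, allowed_shared=frozenset()):
    """Flag imports of another VRF's exports (a leak between customers) and undefined VRFs."""
    vrfs, bindings = parse_vrfs(config)
    findings = []
    for name, vrf in vrfs.items():
        for other, o in vrfs.items():
            if other != name:
                # allowed_shared holds RTs that are shared on purpose (extranet, hub-and-spoke)
                for rt in sorted((vrf["import"] & o["export"]) - allowed_shared):
                    findings.append(f"{name} imports RT {rt} exported by {other}")
    for intf, vrf in bindings.items():
        if vrf not in vrfs:
            findings.append(f"{intf} bound to undefined VRF {vrf}")
    return findings
```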
MPLS PE Routing Table
Global Routing Table
Cust_A MPLS VPN Routing Table
Cust_B MPLS VPN Routing Table
3 Routing Tables on 1 Router
Separated by MPLS VRF
MPLS PE MP-BGP VPN

MPLS Network Attack Vectors
Transport Network Infrastructure Attack Tree
Network and System Architecture
-  Centralized, Distributed, Redundant
-  Physical and Logical Transport Network (RF, Fiber, Copper)
-  Network Infrastructure
Attack Vectors
-  Network Protocols: Routing, Switching, Redundancy
-  Apps, Client/Server: HW, SW, Apps, RDBMS; Open Source, Commercial
-  Trust Relationships – Internet, BSS, OSS, NMS, Network Management and Network Devices, Billing, Middleware, Provisioning
-  Vendor remote access (VPT)
-  Tech staff remote access
-  Self Provisioning
-  Physical access, Trusted Insider
-  Cross connect
-  CE in-band management
-  Physical access to CE configuration settings
[Attack tree diagram; node labels as recoverable from the slide, in order of appearance, with every branch terminating in "Own Network Infrastructure":]
-  SNMP Community String Dictionary Attack with Spoofing to Download Router\Switch Configuration
-  Telnet\SSH Dictionary Attack against Router\Switches\NetMgt Server
-  Build New Router Configuration File to enable further privilege escalation
-  UNIX NetMgt Server Running NIS v1: Ypcat -d <domain> <server IP> passwd, Grab shadow file hashes, Crack Passwords
-  Upload New Configuration File Using Compromised SNMP RW String
-  MITM: ARP Poisoning, Sniffing; Capture SNMP Community Strings and Unencrypted Login\Passwords, Protocol Passwords; Inject New Routes Or Bogus Protocol Packets
-  Configure Device for Further Privilege Escalation
-  Access Server Directly
-  Discover Backup HW Configs; Exploit ACL Trust Relationship; Attack SNMP\Telnet\SSH; Find NetMgt passwords and SNMP config files
-  HP OpenView Server / Network Mgt Application: Enumerate Oracle TNS Listener to Identify Default SIDs; Attempt to Login Using Default Login\Password
-  Reconfigure Router or Switch
-  Further Enumerate Oracle SIDs to Identify Default DBA System Level Accts\Passwords
-  Further Enumerate Oracle SIDs to Identify User Accts; Perform Dictionary Attack
-  Login to Oracle DB with Discovered DBA Privilege Account; Execute OS CMDs from Oracle PL/SQL; Run Oracle SQL CMDs; Execute OS CMDs
-  Attack Network from DB: Find NetMgt Passwords, SNMP info, OS password files; Crack Passwords
-  Add New Privileged OS Account; Use New Privileged OS account to Escalate Privileged Access to Network
-  Own Network Infrastructure

Service Provider MPLS Network
[Diagram: the Global Internet reaches two Central Office/POP sites, each with PE routers around a P core. Customer CE routers attach to the PEs carrying Internet & MPLS VPN traffic (MPLS VPN toward the CE over Static or BGP). Inside the core a packet is Label | VPN Label | IP | Data; on the CE side it is plain IP | Data. An "Evil Cloud" sits inside the provider network.]
Insider Threat
-  Add VPN router
-  Layer 2 attacks
-  L2TPv3
-  ERSPAN
-  Lawful Intercept
-  GRE tunnel
-  Co-location cross connect

Network Management Architecture for a Service Provider
[Diagram: a NOC with AAA, OSS, Reports and Database systems, reached by NetMgt users and vendors over Remote VPN from the Internet. OSS Provisioning talks SQL to NMS, EMS and MOM servers; a TL1 Gateway (TL1 to/from SNMP) passes Alarms, Traps, Reports and Backup between the OSS and the SNMP Agents on the devices. Configuration Provisioning, Control and Software Download flow over IP into the MPLS CORE of P and PE routers over DWDM, and on to the Cust-1 and Cust-2 CE routers.]
Network Operations - Target
-  Leverage Intel from exploited CE
-  Exploit trust relationship to NOC
-  Pivot NOC to P, PE, CE, VPNs
-  Pivot to Internal, IPTV, VoIP, Internet\BGP, Vendors, Transport
Physical Access - In-band Mgt
-  Password recovery
-  Trust Relationships
-  SNMP, ACLs, Accts
-  Protocols
-  AAA, NetMgt IPs

Transit Between MPLS-VPN backbones
[Diagram: Carrier Backbone 1, 2 and 3, each running an IGP (OSPF or ISIS) and LDP, joined through L2 IXPs between PE-ASBR1 and PE-ASBR2. CE-1 attaches to PE-1 and CE-2 to PE-2, with P1 and P2 in the cores. VPN-IPv4 routes travel over MP-iBGP inside each backbone and MP-eBGP between backbones; packets cross the cores as Label | Label | IP | Data and reach the CEs as IP | Data. An Attacker Network Monitoring Infrastructure sits on the transit path.]
Packet Capture
Inject routes into VPN
Denial of Service
Join VPN
MITM
Cross-connect
Inject labeled packets
Traffic Engineering
Disable IP TTL
MPLS Label\Prefix Recon
-  ERSPAN
-  Lawful Intercept
If BGP is being hijacked why not MPLS?
BGP Transport Path Redirected Using MPLS TE?

BGP Route Monitoring
-  Monitor Your IP Prefixes
-  Monitor Your Business Partner IP Prefixes
-  Monitor Industry Peers for Intel to Predict Future Attack

MPLS Security Recommendations
-  Monitor for New Unexpected Route Advertisements – Know Your Network!
-  Utilize Encryption over MPLS VPN Links; SP PE-PE IPSEC
-  Whitelist the Network Trust Relationships including Routing Protocols
-  Whitelist Trusted Information Flows in Monitoring
-  Utilize a Separate VRF for In-band Management
-  Dedicated Out-of-band Network Management with Unattributable Internet IP for VPN
-  AAA with separation of roles and responsibilities for operations and security monitoring
-  Configuration Management and Monitoring – Log all changes!!
-  Two-Factor Authentication!
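
Monitoring your own and your partners' prefixes (the BGP Route Monitoring slide) and watching for unexpected route advertisements (the first recommendation) come down to the same check, and the "longest IP prefix wins" point from the hijacking slide is what makes a more-specific announcement the case to alert on. As an added example that is not part of the deck, this Python monitor compares a batch of observed announcements against an expected prefix/origin table; the table and the update stream are constructed from documentation address ranges and private ASNs.

```python
import ipaddress

# Constructed expected-announcement table: prefix -> origin AS allowed to announce it.
# Documentation address ranges and private ASNs, not real operators.
EXPECTED = {
    "203.0.113.0/24": 64500,    # our own block
    "198.51.100.0/22": 64501,   # a business partner's block
}

def classify(prefix: str, origin_as: int, expected=EXPECTED):
    """Compare one observed announcement against the expected table.

    Returns (verdict, covering_expected_prefix). A more specific announced by
    someone else is the dangerous case: longest match wins in every router's
    FIB, so it draws traffic even though the legitimate route still exists."""
    net = ipaddress.ip_network(prefix)
    for exp_prefix, exp_as in expected.items():
        exp_net = ipaddress.ip_network(exp_prefix)
        if net == exp_net:
            return ("ok" if origin_as == exp_as else "origin-hijack"), exp_prefix
        if net.version == exp_net.version and net.subnet_of(exp_net):
            return ("own-more-specific" if origin_as == exp_as
                    else "more-specific-hijack"), exp_prefix
    return "unmonitored", None

def monitor(updates, expected=EXPECTED):
    """Run a batch of (prefix, origin_as, as_path) updates and return the alerts."""
    alerts = []
    for prefix, origin_as, as_path in updates:
        verdict, covering = classify(prefix, origin_as, expected)
        if verdict.endswith("hijack"):
            alerts.append({"verdict": verdict, "prefix": prefix, "origin": origin_as,
                           "covers": covering, "as_path": as_path})
    return alerts

# Constructed update stream, shaped like what a route collector feed delivers.
SAMPLE_UPDATES = [
    ("203.0.113.0/24", 64500, [64510, 64500]),   # normal announcement
    ("203.0.113.0/25", 64999, [64510, 64999]),   # more specific from a stranger
    ("198.51.100.0/22", 64999, [64510, 64999]),  # same prefix, wrong origin
    ("198.51.100.0/24", 64501, [64510, 64501]),  # partner splitting its own block
    ("192.0.2.0/24", 64502, [64502]),            # not ours, not monitored
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_UPDATES):
        print(alert)
```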

References
Internet Routing Architectures, Halabi, Cisco Press
MPLS VPN Security, Michael H. Behringer, Monique J. Morrow, Cisco Press
ISP Essentials, Barry Raveendran Greene, Philip Smith, Cisco Press
Router Security Strategies – Securing IP Network Traffic Planes, Gregg Schudel, David J. Smith, Cisco Press
MPLS and VPN Architectures, Jim Guichard, Ivan Pepelnjak, Cisco Press
MPLS Configuration on Cisco IOS Software, Lancy Lobo, Umesh Lakshman, Cisco Press
Traffic Engineering with MPLS, Eric Osborne, Ajay Simha, Cisco Press
LAN Switch Security – What Hackers Know About Your Switches, Eric Vyncke, Christopher Paggen, Cisco Press
RFC 2547
RFC 2547bis
RFC 2917
RFC 4364
Attack Trees, Bruce Schneier, https://www.schneier.com/paper-attacktrees-ddj-ft.html
http://www.nrl.navy.mil/itd/ncs/products/core
http://www.cisco.com/go/mpls
http://www.wired.com/2013/12/bgp-hijacking-belarus-iceland/
http://www.blyon.com/hey-att-customers-your-facebook-data-went-to-china-and-korea-this-morning/
http://www.renesys.com/2008/02/pakistan-hijacks-youtube-1/
http://www.netoptics.com/blog/01-07-2011/sample-pcap-files

Questions? [email protected] @PaulCoggin