Infrastructure Attack Vectors and Mitigation
Benno Overeinder
NLnet Labs
http://www.nlnetlabs.nl/
What Is Internet Infrastructure?
• What makes the network of networks eventually the Internet
– IP (v4/v6): protocol to exchange data between endpoints
– DNS: resolving human readable names to IP addresses
– routing: inter-domain routing between networks, making IP addresses globally reachable
• Thus this presentation is not about end-points
– nothing about trojans, botnets, viruses, etc.
– it is about the network between the end-points
The Nature of Attacks on the Internet Infrastructure
• DNS spoofing
– redirect to websites that are “evil twins”
– stealing personal information or money
• DDoS amplification reflection attacks
– knock-out competitor: business or in gaming
– blackmailing: receive money to stop DDoS
• Route hijacks
– knock-out competitor or inspecting traffic
– intention (malicious or mistake) difficult to assess
DNS SPOOFING AND DNSSEC
DNS Spoofing and DNSSEC
• DNS spoofing by cache poisoning
– attacker floods a DNS resolver with forged responses carrying bogus DNS results
– by the law of large numbers, these attacks eventually get a match and plant a bogus result into the cache
• Man-in-the-middle attacks
– redirect to wrong Internet sites
– email delivered to a non-authorized email server
What is DNSSEC?
• Digital signatures are added to responses by authoritative servers for a zone
• Validating resolver can use signature to verify that response is not tampered with
• Trust anchor is the key used to sign the DNS root
• Signature validation creates a chain of overlapping signatures from trust anchor to signature of response
credits Geoff Huston
DNSSEC and Validation
[Figure: a validating resolver with a preloaded local root key walks the chain for www.nlnetlabs.nl.: (1) A record www.nlnetlabs.nl. + signature, (2) DNSKEY record .nlnetlabs.nl. + signature, (3) DS record .nlnetlabs.nl. + signature and DNSKEY record .nl. + signature, (4) DS record .nl. + signature, (5) local root key (preloaded).]
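The parent-to-child links in the figure are DS records carrying a digest of the child's key. The following added example, not code from the slides or from NLnet Labs' software, computes DS digests and key tags as RFC 4034 specifies and walks the chain from a preloaded root key down to nlnetlabs.nl. using constructed toy keys; RRSIG signature verification is left out, so it demonstrates the linkage, not the full validation.

```python
import hashlib

# Constructed toy chain (not real DNS key material): each zone has a DNSKEY
# (flags, protocol, algorithm, public key bytes) and the parent publishes a
# DS record carrying the SHA-256 digest of the child's DNSKEY (RFC 4034).

def name_to_wire(name):
    """Encode a dotted name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, flags, protocol, algorithm, pubkey):
    """DS digest type 2: SHA-256(owner name wire form | DNSKEY RDATA)."""
    data = name_to_wire(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey)
    return hashlib.sha256(data).hexdigest()

def validate_chain(trust_anchor_ds, zones):
    """zones: (owner, dnskey, ds_for_child) from root to leaf. Each zone's
    DNSKEY must hash to the DS its parent published (the root's, to the
    preloaded anchor). Returns (True, None) or (False, zone where it broke)."""
    expected = trust_anchor_ds
    for owner, dnskey, child_ds in zones:
        if expected is None or ds_digest(owner, *dnskey) != expected:
            return False, owner
        expected = child_ds
    return True, None

def build_demo_chain():
    """The chain from the figure: . -> nl. -> nlnetlabs.nl., with toy keys."""
    root_key = (257, 3, 8, b"root-ksk-demo")       # flags 257 = KSK (SEP bit)
    nl_key = (257, 3, 8, b"nl-ksk-demo")
    leaf_key = (257, 3, 8, b"nlnetlabs-ksk-demo")
    anchor = ds_digest(".", *root_key)             # local root key, preloaded
    zones = [
        (".", root_key, ds_digest("nl.", *nl_key)),               # DS for nl.
        ("nl.", nl_key, ds_digest("nlnetlabs.nl.", *leaf_key)),   # DS for nlnetlabs.nl.
        ("nlnetlabs.nl.", leaf_key, None),                        # leaf zone key
    ]
    return anchor, zones
```

Swapping the nl. key for any other key breaks the link at nl., which is how a validating resolver rejects forged DNSKEY data for a zone even when the forged data is internally consistent.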
DNSSEC Deployment
• Open source authoritative DNS name servers supporting DNSSEC
– e.g., NSD, BIND 9, and Knot
• Open source DNSSEC validating resolvers
– e.g., Unbound, BIND 9
• Google Public DNS – DNSSEC validation
– 8.8.8.8 and 8.8.4.4
– 2001:4860:4860::8888 and 2001:4860:4860::8844
DNSSEC and Community
RIPE
• DNS Working Group at RIPE meetings
• DNS Working Group mailing list [email protected]
• DNSSEC training course http://www.ripe.net/lirservices/training/courses
IETF
• DNSOP Working Group at IETF meetings
• DNSOP Working Group mailing list [email protected]
• RFC on operational practices http://tools.ietf.org/html/rfc6781
Other References to DNSSEC
• ISOC Deploy360
– http://www.internetsociety.org/deploy360/dnssec/
– information on basics, deployment, training, etc.
• DNSSEC Deployment Initiative
– https://www.dnssec-deployment.org
– mailing list [email protected]
• OpenDNSSEC
– open-source turn-key solution for DNSSEC
– www.opendnssec.org
AMPLIFICATION ATTACKS AND SOURCE ADDRESS FILTERING
Spoofed Source Address Attacks
[Figure: the attacker (1.2.3.4) sends "query www.example.com" with spoofed source address 9.8.7.6 (20-50 bytes) to a DNS server (auth/resolver); the server sends the A record [+ signature] response (avg. around 600 bytes) to destination address 9.8.7.6, the victim.]
DNS Amplification Attack
Recent DDoS Attacks with Spoofed Traffic
• The new normal: 200-400 Gbps DDoS attacks
• March 2013: 300 Gbps DDoS attack
– victim Spamhaus
– DNS amplification attack
– [offender arrested by Spanish police and handed over to Dutch police]
• February 2014: 400 Gbps DDoS attack
– victim customers of CloudFlare
– NTP amplification
Mitigation to Amplification Attacks
• DNS amplification attacks
– response rate limiting (RRL)
– RRL available in NSD, BIND 9, and Knot
• NTP
– secure NTP template from Team Cymru http://www.teamcymru.org/ReadingRoom/Templates/securentp-template.html
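As an added illustration of the RRL mechanism named above (not the actual NSD, BIND 9 or Knot code), the following Python models the per-netblock, per-response accounting and the "slip" of truncated responses that lets real clients retry over TCP; the limit, slip and netblock sizes are illustrative constants, and the query sample is constructed.

```python
from collections import defaultdict
import ipaddress

# Simplified response rate limiting (RRL) in the spirit of what NSD, BIND 9
# and Knot implement (an illustration, not their code): responses are
# counted per (client netblock, response identity) per one-second window.
# Above the limit a response is dropped, except that every SLIP-th dropped
# response goes back truncated (TC=1): a real client retries over TCP, while
# a spoofed victim receives only a tiny packet instead of a large answer.

class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2, v4_prefix=24, v6_prefix=56):
        self.limit = responses_per_second
        self.slip = slip
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.sent = defaultdict(int)     # (second, netblock, qname, qtype) -> answered
        self.dropped = defaultdict(int)  # same key -> dropped so far

    def netblock(self, client_ip):
        """Spoofed sources are aggregated per /24 (IPv4) or /56 (IPv6)."""
        ip = ipaddress.ip_address(client_ip)
        plen = self.v4_prefix if ip.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def decide(self, now, client_ip, qname, qtype):
        """Return 'ANSWER', 'TRUNCATE' or 'DROP' for one incoming query."""
        key = (int(now), self.netblock(client_ip), qname.lower(), qtype)
        if self.sent[key] < self.limit:
            self.sent[key] += 1
            return "ANSWER"
        self.dropped[key] += 1
        if self.slip and self.dropped[key] % self.slip == 0:
            return "TRUNCATE"
        return "DROP"

def simulate(queries, limit=5, slip=2):
    """Run constructed queries (time, source, qname, qtype) through RRL."""
    rrl = ResponseRateLimiter(limit, slip)
    tally = {"ANSWER": 0, "TRUNCATE": 0, "DROP": 0}
    for t, src, qname, qtype in queries:
        tally[rrl.decide(t, src, qname, qtype)] += 1
    return tally

# Constructed flood: 20 identical ANY queries within one second carrying the
# spoofed victim source 9.8.7.6 from the slides, plus one unrelated query.
FLOOD = [(i * 0.01, "9.8.7.6", "example.com", "ANY") for i in range(20)]
FLOOD.append((0.5, "198.51.100.7", "www.example.com", "A"))
```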
… or BCP38 and Filter Spoofed Traffic
• BCP 38 (and related BCP 84)
• Filter your customers
– strictly filter traffic from your customers
– strict unicast reverse path forwarding (uRPF)
– don’t be part of the problem
• Filter your transit
– difficult to strictly filter your transit
– feasible-path or loose uRPF
– feasible-path uRPF not well supported by hardware vendors
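An added worked example, not part of the slides, of the two filtering positions above: a strict check plus an explicit prefix ACL on customer ports, and a loose check on transit, against a constructed FIB that uses the attacker and victim addresses from the earlier figure. Interface names and prefixes are illustrative.

```python
import ipaddress

# Constructed router model (not a vendor implementation): a FIB of
# (prefix, outgoing interface) entries plus, per customer interface, the
# prefixes assigned to that customer for an explicit BCP 38 ingress filter.
FIB = [
    ("0.0.0.0/0", "transit0"),     # default route towards the upstream
    ("9.8.7.0/24", "transit0"),    # the victim's network (slide) is upstream
    ("1.2.3.0/24", "cust1"),       # the attacker's customer network (slide)
    ("203.0.113.0/24", "cust2"),
    ("198.51.100.0/24", "peer0"),
    ("192.0.2.0/24", "null0"),     # blackholed prefix
]
CUSTOMER_PREFIXES = {"cust1": ["1.2.3.0/24"], "cust2": ["203.0.113.0/24"]}

def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf(fib, src, ingress, mode):
    """Strict: the best route back to src must leave via the ingress
    interface (fine for single-homed customers). Loose: any route except a
    null route or the default route (what is feasible on transit links)."""
    route = lookup(fib, src)
    if route is None or route[1] == "null0" or route[0].prefixlen == 0:
        return False
    return route[1] == ingress if mode == "strict" else True

def customer_filter(src, ingress):
    """BCP 38 ingress ACL: a customer port only admits the customer's prefixes."""
    allowed = CUSTOMER_PREFIXES.get(ingress)
    if allowed is None:
        return True  # not a customer port: rely on uRPF there
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in allowed)

def admit(fib, src, ingress):
    """Forwarding decision for a packet with source src arriving on ingress."""
    mode = "strict" if ingress in CUSTOMER_PREFIXES else "loose"
    return customer_filter(src, ingress) and urpf(fib, src, ingress, mode)
```

Note that loose uRPF on transit0 still admits a packet claiming source 1.2.3.4, since a route for it exists; only the customer-side strict filter stops spoofing at its origin, which is why the slide says "don't be part of the problem".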
Address Spoofing and Community
RIPE
• RIPE meetings in plenary and working groups
• RIPE document 431 and 432
– http://www.ripe.net/ripe/docs/ripe-431
– http://www.ripe.net/ripe/docs/ripe-432
• RIPE training course http://www.ripe.net/lirservices/training/courses
IETF and others
• BCP 38 and BCP 84
• IETF SAVI WG
• Open Resolver Project openresolverproject.org
• Open NTP Project openntpproject.org
ROUTE HIJACKS AND RPKI
Recent News on Internet Routing Security
• April 2, 2014: “Indonesia Hijacks the World”
– Indosat leaked over 320,000 routes (out of 500,000) of the global routing table multiple times over a two-hour period
– claimed that it “owned” many of the world’s networks
– few hundred were widely accepted
• 0.2% low impact (5-25% of routes)
• 0.06% medium impact (25-50% of routes)
• 0.03% high impact (more than 50% of routes)
– for details see http://www.renesys.com/2014/04/indonesia-hijacksworld/
Less Recent News on Internet Routing Security
• April 8, 2010: “China Hijacks 15% of the Internet”
– 50,000 of 340,000 IP address blocks makes 15%
– for roughly 15 minutes
• Hijacking 15% of the routes does not imply 15% of Internet traffic
• More realistic guesses
– order of 1% to 2% traffic actually diverted
• much less in Europe and US
– order of 0.015% based on 80 ATLAS ISP observations
• but still an estimation
Even Less Recent News on Internet Routing Security
• February 2008: Pakistan’s attempt to block YouTube access within their country takes down YouTube globally
– mistakenly the YouTube block was also sent to a network outside of Pakistan, and propagated
• August 2008: Kapela & Pilosov showed effective man-in-the-middle attack
– already known to the community, but never before tested for real
Old News on Internet Routing Security
• January 2006: Con-Edison hijacks a chunk of the Internet
• December 24, 2004: TTNet in Turkey hijacks the Internet (aka Christmas Turkey hijack)
• May 2004: Malaysian ISP blocks Yahoo Santa Clara data center
• May 2003: Northrop Grumman hit by spammers
• April 1997: The “AS 7007 incident”, maybe the earliest notable example?
Today’s Routing Infrastructure is Insecure
• The Border Gateway Protocol (BGP) is the sole inter-domain routing protocol used
• BGP is based on informal trust models
– routing by rumor
– business agreements between networks
• Routing auditing is a low value activity
– and not always done with sufficient thoroughness
IP Hijacking Explained
[Figure: network A originates 213.154/16; B, C and D learn the legitimate paths “213.154/16: A” and “213.154/16: C, A”. E also announces “213.154/16: E”, and the networks that accept E’s announcement in place of the path via A have their traffic for 213.154/16 hijacked.]
Typical Threats
• Diversion of traffic (man-in-the-middle)
– third party inspection, denial of service, subversion
• Dropping traffic
– denial of service, compound attacks
• Adding false addresses
– support for compound attacks
• Isolating/removing routers from the network
Current Methods to Secure Routing Infrastructure
• Filtering, filtering, filtering, …
– IP prefix filtering
– AS path filtering
– max prefix filtering
• Monitoring IP prefix / AS path
– detect changes in route origin announcement
– services provided by e.g. RIPE NCC, open source projects, and commercial partners
• However, there is no trusted and authoritative data repository
Secure Inter-Domain Routing
• Focus of the IETF Secure Inter-Domain Routing (SIDR) working group
• Create trusted and authoritative resource data infrastructure
– IP addresses and AS networks
• Improve on IP prefix filtering and AS path filtering
– who holds the “right-of-usage” of a resource
Resource PKI: First Step to Improve Security
• Regional Internet Registries (RIPE, APNIC, etc.) issue resource certificates
– proof of ownership of resources (IP addresses)
– … and recursively repeated by NIR/LIR/…
• Owner of IP addresses publishes signed route origin attestations
– a ROA, signed with the owner’s private key, states the right of use of the addresses by a network (the route origin)
• ISPs can validate BGP routing announcements
– validate ownership of route origin by checking the signature in the ROA with the public key in the resource certificate
Routing with RPKI Explained
[Figure: the same topology, now with RPKI origin validation. The announcements “213.154/16: A” and “213.154/16: C, A” are marked ✔ (A is the valid origin), while E’s announcements “213.154/16: E” are marked ✗ (invalid origin) and are not accepted.]
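The validation shown in the figure, as an added example that is not from the slides or from any router vendor's implementation: RFC 6811 route origin validation over constructed ROAs, with the private-use AS numbers 64500 and 64501 standing in for networks A and E, and the figure's 213.154/16 prefix.

```python
import ipaddress

# Route Origin Validation per RFC 6811, as an added example. A ROA is
# modelled as (prefix, maxLength, origin AS). The AS numbers are constructed
# placeholders: AS64500 stands for network A and AS64501 for network E from
# the figures; 213.154/16 is the prefix used in the slides.
ROAS = [
    ("213.154.0.0/16", 16, 64500),  # only A may originate 213.154/16, and only as a /16
    ("198.51.100.0/24", 24, 0),     # AS 0 ROA: no AS may originate this prefix
]

def covering_roas(roas, prefix):
    """ROAs whose prefix equals or is less specific than the announced prefix."""
    net = ipaddress.ip_network(prefix)
    out = []
    for roa_prefix, maxlen, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append((roa_net, maxlen, asn))
    return out

def validate_origin(roas, prefix, origin_as):
    """Return 'Valid', 'Invalid' or 'NotFound' for one BGP announcement."""
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(roas, prefix)
    if not covering:
        return "NotFound"            # no ROA speaks about this address space
    for _, maxlen, asn in covering:
        if asn == origin_as and net.prefixlen <= maxlen:
            return "Valid"
    return "Invalid"                 # covered, but wrong origin or too specific

def apply_policy(roas, announcements):
    """Common operator policy: reject Invalid, accept Valid and NotFound.
    Returns (accepted, rejected) lists of (prefix, origin AS, state)."""
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        state = validate_origin(roas, prefix, origin_as)
        (rejected if state == "Invalid" else accepted).append((prefix, origin_as, state))
    return accepted, rejected

# Constructed announcements: A's legitimate route, E's hijack, a more-specific
# from A beyond the ROA's maxLength, and an unrelated prefix without a ROA.
ANNOUNCEMENTS = [
    ("213.154.0.0/16", 64500),
    ("213.154.0.0/16", 64501),
    ("213.154.224.0/24", 64500),
    ("203.0.113.0/24", 64502),
]
```

NotFound routes are accepted because most of the address space has no ROA yet; a hijack of an unsigned prefix therefore goes undetected, which is the reason the slides ask every holder to create ROAs for their resources.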
Routing Security and Community
RIPE
• Enable RPKI in RIPE LIR portal for your resources
• RPKI origin validation in Cisco, Juniper, Alcatel-Lucent, … and open source software Quagga and BIRD
• RIPE meetings in plenary and Routing WG [email protected]
IETF and others
• IETF SIDR WG for RPKI and BGPSEC protocol standardization
• IETF GROW WG on operational problems
• ISOC Deploy360 Programme http://www.internetsociety.org/deploy360/securingbgp/tools/
Summary
• Internet a dangerous place?
– yes/no, not different from the real world
• We have a shared responsibility in securing our infrastructure (the Internet is you!)
– deploy DNSSEC
– BCP 38 and BCP 84
– route filtering and RPKI
• Excellent training courses by RIPE NCC
• Contact me or staff of RIPE NCC for questions