IP Spoofing - DEFCON

majek04

July 26, 2017

Transcript

  1. IP Spoofing (what is it, how it allows largest attacks and how to fix it) Marek Majkowski

  2. What is it?

  3. IP Spoofing (source: DaPuglet)

  4. IP Spoofing (diagram: 8.8.8.8, 5.6.7.8)

  5. Enables impersonation (diagram: Real 8.8.8.8, Destination 5.6.7.8, Spoofed 8.8.8.8)

  7. IP Spoofing is still a problem
    • 1995 - Mitnick pwned Shimomura with TCP seq
    • 1996 - SYN flooding
    • 1998 - idle scanning (ipid)
    • 1998 - BGP connection reset - RFC 2385
    • 2008 - Dan Kaminsky's DNS bug
    • 2013+ - Multiple amplification DDoS

  8. IP Spoofing fight
    • 1998 - Reverse Path Forwarding RFC2267
    • 2000 - BCP38 / RFC2827
    • 2004 - BCP84 / RFC3704 / Unicast RPF
    • 2009 - IETF SAVI https://tools.ietf.org/wg/savi/
    • 2014 - MANRS https://routingmanifesto.org/manrs/
    • 2015 - http://spoofer.caida.org

  9. Measured Autonomous Systems (spoofer.caida.org): Inconsistent 15.8%, Spoofable 27.8%, Unspoofable 56.4%

  10. bulletproof hosting

  11. IP Spoofing enables largest attacks

  13. Global network

  14. Daily attacks

  15. Some are super large

  16. Two types: 1. Direct 2. Amplification

  17. 1. Direct attacks: a) keep us online b) identify the source

  18. Direct: “Winter of attacks” (diagram: Attacker, Target Server, 400 Gbps)

  19. Direct: SYN Flood "winter of attacks"

  20. Direct attacks

  21. 1. Direct attacks: a) keep us online b) identify the source

  22. Tcpdump
    $ tcpdump -ni eth0 -c 100
    IP 94.242.250.109.47330 > 1.2.3.4:80: Flags [S], seq 1444613291, win 63243
    IP 188.138.1.240.61454 > 1.2.3.4:80: Flags [S], seq 1995637287, win 60551
    IP 207.244.90.205.17572 > 1.2.3.4:80: Flags [S], seq 1523683071, win 61607
    IP 94.242.250.224.65127 > 1.2.3.4:80: Flags [S], seq 928944042, win 61778
    IP 207.244.90.205.43074 > 1.2.3.4:80: Flags [S], seq 137074667, win 63891
    IP 64.22.81.44.23865 > 1.2.3.4:80: Flags [S], seq 838596928, win 63808
    IP 188.138.1.137.23373 > 1.2.3.4:80: Flags [S], seq 593106072, win 60272
    IP 207.244.90.205.39653 > 1.2.3.4:80: Flags [S], seq 47289666, win 63210
    IP 208.66.78.204.64197 > 1.2.3.4:80: Flags [S], seq 1850809890, win 62714
    IP 207.244.90.205.33108 > 1.2.3.4:80: Flags [S], seq 319707959, win 63351
    IP 207.244.90.205.6937 > 1.2.3.4:80: Flags [S], seq 1591500126, win 63902
    IP 213.152.180.151.60560 > 1.2.3.4:80: Flags [S], seq 1902119375, win 62511
    IP 64.22.79.127.11061 > 1.2.3.4:80: Flags [S], seq 1456438676, win 62148

  23. Blocked with BPF
    iptables -A INPUT \
      --dst 1.2.3.4 \
      -p tcp --dport 80 \
      --syn \
      -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
      -j DROP

  24. BPF bytecode
        ldx 4*([14]&0xf)
        ld #34
        add x
        tax
    lb_0:
        ldb [x + 0]
        add x
        add #1
        tax
        ld [x + 0]
        jneq #0x07657861, lb_1
        ld [x + 4]
        jneq #0x6d706c65, lb_1
        ld [x + 8]
        jneq #0x03636f6d, lb_1
        ldb [x + 12]
        jneq #0x00, lb_1
        ret #1
    lb_1:
        ret #0

  26. Extreme Data Path - XDP
    • Feature of kernels 4.9+
    • Super fast
    • Tomorrow, Saturday 2pm, Packet Hacking Village!

  27. 1. Direct attacks: a) keep us online b) identify the source

  28. Which router iface is it from? (diagram: Router, Server)

  29. Identifying interface

  30. Identifying the interface

  31. Other side of the cable (diagram: Internet Carrier, Direct Peering, Router, Local Internet Exchange, Server)

  32. 1. Direct Peering (diagram: Router, Direct Peering)

  34. 2. Internet Exchange 3. Internet Carrier (diagram: Internet Carrier, Local Internet Exchange, Router, Router)

  35. 2. Internet Exchanges

  36. 2. Internet Exchanges (diagram: L3 Router, Internet Exchange L2 switch, Local ISP #1, Local ISP #2, Local ISP #3)

  37. 3. Internet Carriers (diagram: Router, Internet Carrier)

  38. 3. Internet Carriers (diagram: Router, Internet Carrier, Customer #1, Customer #2, Customer #3)

  39. Tracing back is impossible

  40. Direct: SYN Flood "winter of attacks"

  41. “Winter of attacks” (diagram: src IP = Hurricane Electric, LAX router, Internet Carrier)

  42. “Winter of attacks” (diagram: LAX router, Internet Carrier, Hurricane Electric ???)

  43. Other examples

  51. 2. Amplification attacks: a) keep us online b) identify the source

  52. SSDP: Amplification

  53. UDP request-response (diagram: UDP Client, request, UDP Server, response)

  54. Amplification (diagram: Attacker, request, UDP Server, response, Target)

  55. Amplification factor (diagram: Attacker, Target, UDP Server; 10 byte request, 100 byte response)

  56. Scale up! (diagram: Attacker, Target, UDP Servers, requests, responses)

  57. June 2017: SSDP. 112 Gbps of traffic, 5 Gbps of spoofing, 940k exposed SSDP devices

  58. 2. Amplification attacks: a) keep us online b) identify the source

  59. Dispersed geographically

  60. (diagram: Internet; 1.2.3.0/24 at Los Angeles, London, Amsterdam, Moscow, San Jose, New York)

  61. Trivial to block
    iptables -A INPUT \
      --dst 1.2.3.4 \
      -p udp --sport 1900 \
      -j DROP

  62. 2. Amplification attacks: a) keep us online b) identify the source

  63. Tracing back is impossible (diagram: Attacker, Reflector #1, Reflector #2, Reflector #3, Router)

  64. Other amplifications
    Count  Proto  Src port  Service
    3774   udp    123       NTP
    1692   udp    1900      SSDP
    438    udp    0         IP fragmentation (*)
    253    udp    53        DNS
    42     udp    27015     SRCDS
    20     udp    19        Chargen
    19     udp    20800     Call Of Duty
    16     udp    161       SNMP
    12     udp    389       CLDAP
    11     udp    111       Sunrpc
    10     udp    137       Netbios
    6      tcp    80        HTTP
    5      udp    27005     SRCDS
    2      udp    520       RIP

  65. Amplification sizes
    $ cat all-gbps |cut -d " " -f 1|~/bin/mmhistogram
    Gbps min:0.04 avg:7.07 max:78.03 dev:9.06 count:6353
    Gbps:
     value |-------------------------------------------------- count
         0 |****************                                   658
         1 |*************************                          1012
         2 |************************************************** 1947
         4 |******************************                     1176
         8 |****************                                   641
        16 |*******************                                748
        32 |****                                               157
        64 |                                                   14

  66. • IP spoofing is bad
    • You need network capacity
    • Tracing back is impossible

  67. How to fix it?

  68. • IP spoofing is bad
    • You need network capacity
    • Tracing back is impossible

  69. IP spoofing is the root of all evil

  70. Promote BCP38

  71. Report IP spoofing • From spoofer.caida.org

  72. Vendor defaults

  73. Filtering is hard (diagram: Internet Carrier A, Source, Destination, ISP 1, Internet Carrier B, X)

  74. We're left with the incompetent

  75. • IP spoofing is bad
    • You need network capacity
    • Tracing back is impossible

  76. BGP Flowspec to the rescue!

  77. Router under attack (diagram: Flowspec, Flowspec, Flowspec, BGP Flowspec)

  79. • https://conference.apnic.net/data/41/apricot-ddos-mitigation-using-flowspec_1456208439.pdf

  80. Adoption = nil

  81. BGP Flowspec success story • RASCOM AS20764 • https://www.slideshare.net/pavel_odintsov/implementing-bgp-flowspec-at-ip-transit-network

  82. • IP spoofing is bad
    • You need network capacity
    • Tracing back is impossible

  83. Netflow / IPFIX!

  84. How?

  85. Netflow within one AS (diagram: Netflow collector, Netflow samples, Netflow samples, Netflow samples)

  86. (diagram: Router, Internet Carrier, Customer #1, Customer #2, Customer #3, Internet Carriers)

  88. Netflow
    (netops)# nfdump -M db/waw01:lhr01 -R . -n2 -t -300 -s dstip/packets "in if 731"
    Top 2 Dst IP Addr ordered by packets:
    Dst IP Addr     Flows(%)      Packets(%)      Bytes(%)      pps      bps      bpp
    173.245.58.40   1.0 M(77.0)   17.6 G(75.8)    1.1 T(22.6)   59.0 M   30.7 G   65
    173.245.59.15   54962( 4.0)   910.3 M( 3.9)   75.5 G( 1.5)  3.1 M    2.0 G    82
    Summary: total flows: 1361108, total bytes: 5087980650496, total packets: 23271079936, avg bps: 135599480319, avg pps: 77524526, avg bpp: 218
    Total flows processed: 2457140, Blocks skipped: 0, Bytes read: 177251772
    Sys: 0.210s flows/second: 11700666.7 Wall: 0.210s flows/second: 11654603.2

  89. Netflow
    • Open source toolchain is great
    • Scales well
    • Set high sampling rate - 1/64k flows
    • Rotate logs every 72h

  90. Internet exchanges

  91. Internet Exchanges (diagram: L3 Router, Internet Exchange L2 switch, Local ISP #1, Local ISP #2, Local ISP #3)

  92. Internet Exchanges
    • SFlow
    • IX charts
    • mac-accounting
    • IPFIX support for MAC addresses

  93. Recap
    • Prevent IP spoofing - BCP38: the root of all evil, unfixable in short time
    • BGP flowspec firewall: a stop gap for capacity
    • Netflow/IPFIX sampling: gives visibility into your network, solves attack attribution

  94. DDoS is fixable! • https://blog.cloudflare.com • https://github.com/cloudflare • marek@cloudflare.com • @majek04

  96. Mirai was different

  98. Why IP Filtering must be on the edge

  99. Filtering is hard (diagram: Internet Carrier A, Destination 5.6.7.8)

  100. Filtering is hard (diagram: Internet Carrier A, Source 1.2.3.4, Destination 5.6.7.8, ISP 1, 1.2.3.0/24)

  101. Filtering is hard (diagram: Internet Carrier A, Source 1.2.3.4, Destination 5.6.7.8, ISP 1, Internet Carrier B, 1.2.3.0/24, 1.2.3.0/24)

  102. Filtering is hard (diagram: Internet Carrier A, Source 1.2.3.4, Destination 5.6.7.8, ISP 1, Internet Carrier B, ISP 2, Source 4.3.2.1, 1.2.3.0/24, 4.3.2.0/24)

  103. Internet is asymmetric (diagram: Internet Carrier A, Source 1.2.3.4, Destination 5.6.7.8, ISP 1, Internet Carrier B)

  104. Filter close to the source (diagram: Internet Carrier A, Source, Destination, ISP 1, Internet Carrier B, X)
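The `--bytecode` string in the iptables rule on slide 23 is the numeric form of the classic-BPF filter listed on slide 24. The Python decoder below is an added example (not code from the talk or from Cloudflare): it parses the `-m bpf` string back into mnemonics and recovers the DNS query name that the comparisons encode, which is how a defender can check what a rule really drops before loading it. The opcode table covers only the instructions that rule uses, and the bytecode string is a constructed copy of the one on the slide.

```python
import struct

# Constructed copy of the --bytecode argument on slide 23; the iptables -m bpf
# format is "<count>,<code> <jt> <jf> <k>,...".
BYTECODE = ("14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,"
            "64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,"
            "21 0 1 0,6 0 0 1,6 0 0 0")

# Only the classic-BPF opcodes this rule uses; %d is filled with the immediate k.
SIMPLE = {0x00: "ld #%d", 0xb1: "ldx 4*([%d]&0xf)", 0x0c: "add x", 0x07: "tax",
          0x40: "ld [x + %d]", 0x50: "ldb [x + %d]", 0x06: "ret #%d"}
JEQ_K = 0x15  # jeq #k, jt, jf

def parse_bytecode(text):
    """Split the iptables string into (code, jt, jf, k) tuples and check the count."""
    parts = text.split(",")
    insns = [tuple(int(f) for f in p.split()) for p in parts[1:]]
    if len(insns) != int(parts[0]):
        raise ValueError("declared %s instructions, found %d" % (parts[0], len(insns)))
    return insns

def disassemble(insns):
    """Render each instruction in the mnemonic style of slide 24; BPF jump
    offsets are relative to the instruction after the jump."""
    out = []
    for i, (code, jt, jf, k) in enumerate(insns):
        if code == JEQ_K:
            out.append("jeq #0x%08x, L%d, L%d" % (k, i + 1 + jt, i + 1 + jf))
        elif code in SIMPLE:
            out.append(SIMPLE[code] % k if "%d" in SIMPLE[code] else SIMPLE[code])
        else:
            raise ValueError("opcode 0x%02x not in table" % code)
    return out

def matched_qname(insns):
    """Recover the DNS name the filter compares against: every ld/ldb [x + k]
    followed by jeq contributes its big-endian immediate, and the bytes are then
    read as <len><label>... wire format up to the terminating 0x00."""
    raw = b""
    for (load, _, _, _), (cmp, _, _, k) in zip(insns, insns[1:]):
        if cmp == JEQ_K and load in (0x40, 0x50):
            raw += struct.pack(">I", k) if load == 0x40 else bytes([k])
    labels, pos = [], 0
    while pos < len(raw) and raw[pos]:
        n = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

if __name__ == "__main__":
    prog = parse_bytecode(BYTECODE)
    print("\n".join(disassemble(prog)))
    print("filter matches DNS qname:", matched_qname(prog))
```

Note that the string loads the IP header length from offset 0 and starts comparing at IP header + 20 (8 bytes UDP, 12 bytes DNS header), whereas the slide 24 listing offsets by 14 for an Ethernet header, so the two are the same match written for different packet start offsets.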