IP Spoofing - DEFCON

IP Spooﬁng
(what is it, how it allows largest attacks and how to ﬁx it)
Marek Majkowski

View Slide

What is it?
2

View Slide

3
IP Spooﬁng
(source: DaPuglet)

View Slide

4
IP Spooﬁng
8.8.8.8
5.6.7.8

View Slide

5
Enables impersonation
Real
8.8.8.8 Destination
5.6.7.8
Spoofed
8.8.8.8

View Slide

6

View Slide

IP Spoofing is still a problem
• 1995 - Mitnick pwned Shimomura with TCP seq
• 1996 - SYN flooding
• 1998 - idle scanning (ipid)
• 1998 - BGP connection reset - RFC 2385
• 2008 - Dan Kaminsky's DNS bug
• 2013+ - Multiple amplification DDoS
7

View Slide

IP Spooﬁng ﬁght
• 1998 - Reverse Path Forwarding RFC2267
• 2000 - BCP38 / RFC2827
• 2004 - BCP84 / RFC3704 / Unicast RPF
• 2009 - IETF SAVI https://tools.ietf.org/wg/savi/
• 2014 - MANRS https://routingmanifesto.org/manrs/
• 2015 - http://spoofer.caida.org
8

View Slide

9
Inconsistent
15.8%
Spoofable
27.8%
UnSpoofable
56.4%
Measured Autonomic Systems
spoofer.caida.org

View Slide

bulletproof hostig
10

View Slide

IP Spooﬁng enables
largest attacks
11

View Slide

12

View Slide

13
Global network

View Slide

14
Daily attacks
Daily Attacks

View Slide

15
Some are super large

View Slide

Two types
1. Direct
2. Ampliﬁcation
16

View Slide

1. Direct attacks
a) keep us online
b) identify the source
17

View Slide

18
Direct: “Winter of attacks”
Target
Server
Attacker
400 Gbps

View Slide

19
Direct: SYN Flood "winter of attacks"

View Slide

20
Direct attacks

View Slide

1. Direct attacks
a) keep us online
21

View Slide

22
Tcpdump
$ tcpdump -ni eth0 -c 100
IP 94.242.250.109.47330 > 1.2.3.4:80: Flags [S], seq 1444613291, win 63243
IP 188.138.1.240.61454 > 1.2.3.4:80: Flags [S], seq 1995637287, win 60551
IP 207.244.90.205.17572 > 1.2.3.4:80: Flags [S], seq 1523683071, win 61607
IP 94.242.250.224.65127 > 1.2.3.4:80: Flags [S], seq 928944042, win 61778
IP 207.244.90.205.43074 > 1.2.3.4:80: Flags [S], seq 137074667, win 63891
IP 64.22.81.44.23865 > 1.2.3.4:80: Flags [S], seq 838596928, win 63808
IP 188.138.1.137.23373 > 1.2.3.4:80: Flags [S], seq 593106072, win 60272
IP 207.244.90.205.39653 > 1.2.3.4:80: Flags [S], seq 47289666, win 63210
IP 208.66.78.204.64197 > 1.2.3.4:80: Flags [S], seq 1850809890, win 62714
IP 207.244.90.205.33108 > 1.2.3.4:80: Flags [S], seq 319707959, win 63351
IP 207.244.90.205.6937 > 1.2.3.4:80: Flags [S], seq 1591500126, win 63902
IP 213.152.180.151.60560 > 1.2.3.4:80: Flags [S], seq 1902119375, win 62511
IP 64.22.79.127.11061 > 1.2.3.4:80: Flags [S], seq 1456438676, win 62148

View Slide

Blocked with BPF
23
iptables -A INPUT \
--dst 1.2.3.4 \
-p tcp --dport 80 \
--syn \
-m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7
0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5
1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1
0,6 0 0 1,6 0 0 0" \
-j DROP

View Slide

24
ldx 4*([14]&0xf)
ld #34
add x
tax
lb_0:
ldb [x + 0]
add x
add #1
tax
ld [x + 0]
jneq #0x07657861, lb_1
ld [x + 4]
jneq #0x6d706c65, lb_1
ld [x + 8]
jneq #0x03636f6d, lb_1
ldb [x + 12]
jneq #0x00, lb_1
ret #1
lb_1:
ret #0
BPF bytecode

View Slide

25

View Slide

Extreme Data Path - XDP
• Feature of kernels 4.9+
• Super fast
• Tomorrow, Saturday 2pm, Packet Hacking Village!
26

View Slide

1. Direct attacks
a) keep us online
27

View Slide

28
Which router iface is it from?
Router Server

View Slide

29
Identifying interface
Attacks

View Slide

30
Identifying the interface

View Slide

31
Other side of the cable
Internet
Carrier
Direct Peering
Router
Local
Internet Exchange
Server

View Slide

32
1. Direct Peering
Router
Direct Peering

View Slide

33

View Slide

2. Internet Exchange
3. Internet Carrier
34
Internet
Carrier
Local
Internet Exchange
Router
Router

View Slide

35
2. Internet Exchanges

View Slide

36
2. Internet Exchanges
L3 Router
Internet Exchange
L2 SWITCH
Local ISP #1
Local ISP #2
Local ISP #3

View Slide

37
3. Internet Carriers
Router
Internet
Carrier

View Slide

38
3. Internet Carriers
Router
Internet
Carrier
Customer #1
Customer #2
Customer #3

View Slide

Tracing back is impossible

View Slide

40
Direct: SYN Flood "winter of attacks"
“Winter of attacks”

View Slide

41
src IP=
Hurricane
Electric
LAX router
Internet
Carrier

View Slide

42
LAX router
Internet
Carrier
Hurricane
Electric
???
Hurricane
Electric
???

View Slide

Other examples

View Slide

44

View Slide

45

View Slide

46

View Slide

47

View Slide

48

View Slide

49

View Slide

50

View Slide

2. Ampliﬁcation attacks
a) keep us online
51
51

View Slide

52
SSDP: Ampliﬁcation

View Slide

UDP request-response
53
UDP Server
UDP Client
request response

View Slide

Ampliﬁcation
54
Attacker
Target
UDP Server
request
response

View Slide

Ampliﬁcation factor
55
Attacker
Target
UDP Server
request
response
10 bytes
100 bytes

View Slide

Scale up!
56
Attacker
Target
UDP Servers
requests
responses

View Slide

June 2017: SSDP
57
112 Gbps of traﬃc
5 Gbps of spooﬁng
940k exposed
SSDP Devices

View Slide

a) keep us online
58

View Slide

59
Dispersed geographically

View Slide

1.2.3.0/24
Internet
Los Angeles
1.2.3.0/24
London
1.2.3.0/24
Amsterdam
1.2.3.0/24
Moscow
1.2.3.0/24
San Jose
1.2.3.0/24
New York

View Slide

61
Trivial to block
iptables -A INPUT \
--dst 1.2.3.4 \
-p udp --sport 1900 \
-j DROP

View Slide

a) keep us online
62

View Slide

63
Tracing back is impossible
Router
Reflector #1
Reflector #2
Reflector #3
Attacker

View Slide

Other ampliﬁcations
64
Count Proto Src port
3774 udp 123 NTP
1692 udp 1900 SSDP
438 udp 0 IP fragmentation (*)
253 udp 53 DNS
42 udp 27015 SRCDS
20 udp 19 Chargen
19 udp 20800 Call Of Duty
16 udp 161 SNMP
12 udp 389 CLDAP
11 udp 111 Sunrpc
10 udp 137 Netbios
6 tcp 80 HTTP
5 udp 27005 SRCDS
2 udp 520 RIP

View Slide

Ampliﬁcation sizes
65
$ cat all-gbps |cut -d " " -f 1|~/bin/mmhistogram
Gbps min:0.04 avg:7.07 max:78.03 dev:9.06 count:6353
Gbps:
value |-------------------------------------------------- count
0 | **************** 658
1 | ************************* 1012
2 |************************************************** 1947
4 | ****************************** 1176
8 | **************** 641
16 | ******************* 748
32 | **** 157
64 | 14

View Slide

• IP spooﬁng is bad
• You need network capacity
• Tracing back is impossible
66

View Slide

How to ﬁx it?
67

View Slide

68

View Slide

69
IP spooﬁng is the root of all evil

View Slide

70
Promote BCP38

View Slide

• From spoofer.caida.org
71
Report IP spooﬁng

View Slide

Vendor defaults
72

View Slide

73
Filtering is hard
Internet
Carrier A
Source Destination
ISP 1
Internet
Carrier B
X

View Slide

We're left with the incompetent
74

View Slide

75

View Slide

76
BGP Flowspec for the rescue!

View Slide

77
Router
under attack
Flowspec
Flowspec
Flowspec
BGP Flowspec

View Slide

78

View Slide

• https://conference.apnic.net/data/41/apricot-ddos-
mitigation-using-ﬂowspec_1456208439.pdf
79

View Slide

80
Adoption = nil

View Slide

BGP Flowspec success story
• RASCOM AS20764
• https://www.slideshare.net/pavel_odintsov/
implementing-bgp-ﬂowspec-at-ip-transit-network
81

View Slide

82

View Slide

83
Netﬂow / IP FIX!

View Slide

84
How?

View Slide

85
Netflow within one AS
Netflow
collector
Netflow samples
Netflow samples
Netflow samples

View Slide

86
Router
Internet
Carrier
Customer #1
Customer #2
Customer #3
Internet Carriers

View Slide

87

View Slide

88
Netﬂow
(netops)# nfdump -M db/waw01:lhr01 -R . -n2 -t -300 -s dstip/packets "in if 731"
Top 2 Dst IP Addr ordered by packets:
Dst IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp
173.245.58.40 1.0 M(77.0) 17.6 G(75.8) 1.1 T(22.6) 59.0 M 30.7 G 65
173.245.59.15 54962( 4.0) 910.3 M( 3.9) 75.5 G( 1.5) 3.1 M 2.0 G 82
Summary: total flows: 1361108, total bytes: 5087980650496, total packets:
23271079936, avg bps: 135599480319, avg pps: 77524526, avg bpp: 218
Total flows processed: 2457140, Blocks skipped: 0, Bytes read: 177251772
Sys: 0.210s flows/second: 11700666.7 Wall: 0.210s flows/second: 11654603.2

View Slide

• Open source toolchain is great
• Scales well
• Set high sampling rate - 1/64k ﬂows
• Rotate logs every 72h
89
Netﬂow

View Slide

90
Internet exchanges

View Slide

91
L3 Router
Internet Exchange
L2 SWITCH
Local ISP #1
Local ISP #2
Local ISP #3
Internet Exchanges

View Slide

Internet Exchanges
• SFlow
• IX charts
• mac-accounting
• IP FIX support for mac addresses
92

View Slide

Recap
• Prevent IP spoofing - BCP38
• The root of all evil, unfixable in short time
• BGP flowspec firewall
• A stop gap for capacity
• Netflow/IP FIX sampling
• Gives visibility into your network. Solves attack attribution.
93

View Slide

• https://blog.cloudflare.com
• https://github.com/cloudflare
94
[email protected]flare.com
@majek04
DDoS is fixable!

View Slide

95

View Slide

Mirai was diﬀerent
96

View Slide

97

View Slide

Why IP Filtering must be on
the edge
98

View Slide

99
Filtering is hard
Internet
Carrier A
Destination
5.6.7.8

View Slide

100
Filtering is hard
Internet
Carrier A
Source
1.2.3.4
Destination
5.6.7.8
ISP 1
1.2.3.0/24

View Slide

101
Filtering is hard
Internet
Carrier A
Source
1.2.3.4
Destination
5.6.7.8
ISP 1
Internet
Carrier B
1.2.3.0/24
1.2.3.0/24

View Slide

102
Internet
Carrier A
Source
1.2.3.4
Destination
5.6.7.8
ISP 1
Filtering is hard
Internet
Carrier B
ISP 2
Source
4.3.2.1
1.2.3.0/24
4.3.2.0/24

View Slide

103
Internet is asymmetric
Internet
Carrier A
Source
1.2.3.4
Destination
5.6.7.8
ISP 1
Internet
Carrier B

View Slide

104
Filter close to the source
Internet
Carrier A
Source Destination
ISP 1
Internet
Carrier B
X

View Slide

IP Spoofing - DEFCON

IP Spoofing - DEFCON

majek04

More Decks by majek04

Other Decks in Programming

Featured

Transcript