IP Spoofing - DEFCON

majek04

July 26, 2017

Transcript

  1. IP Spoofing
     (what is it, how it allows the largest attacks and how to fix it)
     Marek Majkowski

  2. What is it?

  3. IP Spoofing
     (image; source: DaPuglet)

  4. IP Spoofing
     Diagram: a packet addressed to 5.6.7.8 carries the source address 8.8.8.8, although it was not sent by 8.8.8.8.

  5. Enables impersonation
     Diagram: the real 8.8.8.8 and a spoofing sender both deliver packets to destination 5.6.7.8 with source address 8.8.8.8; from the source field alone the destination cannot tell the two apart.

  6. IP Spoofing is still a problem
     • 1994 - Mitnick pwned Shimomura with TCP sequence number prediction
     • 1996 - SYN flooding
     • 1998 - idle scanning (IP ID)
     • 1998 - BGP connection reset - RFC 2385 (TCP MD5 signature option)
     • 2008 - Dan Kaminsky's DNS bug
     • 2013+ - Multiple amplification DDoS attacks

  7. IP Spoofing fight
     • 1998 - Network ingress filtering / Reverse Path Forwarding - RFC 2267
     • 2000 - BCP38 / RFC 2827
     • 2004 - BCP84 / RFC 3704 / Unicast RPF
     • 2009 - IETF SAVI https://tools.ietf.org/wg/savi/
     • 2014 - MANRS https://routingmanifesto.org/manrs/
     • 2015 - http://spoofer.caida.org

  8. Measured Autonomous Systems (spoofer.caida.org)
     UnSpoofable 56.4%, Spoofable 27.8%, Inconsistent 15.8%

  9. Bulletproof hosting

  10. IP Spoofing enables the largest attacks

  11. Global network

  12. Daily attacks

  13. Some are super large

  14. Two types
     1. Direct
     2. Amplification

  15. 1. Direct attacks
     a) keep us online
     b) identify the source

  16. Direct: "Winter of attacks"
     Diagram: Attacker -> Target server, 400 Gbps.

  17. Direct: SYN flood, "winter of attacks"

  18. Direct attacks

  19. 1. Direct attacks
     a) keep us online
     b) identify the source

  20. Tcpdump
     $ tcpdump -ni eth0 -c 100
     IP 94.242.250.109.47330 > 1.2.3.4.80: Flags [S], seq 1444613291, win 63243
     IP 188.138.1.240.61454 > 1.2.3.4.80: Flags [S], seq 1995637287, win 60551
     IP 207.244.90.205.17572 > 1.2.3.4.80: Flags [S], seq 1523683071, win 61607
     IP 94.242.250.224.65127 > 1.2.3.4.80: Flags [S], seq 928944042, win 61778
     IP 207.244.90.205.43074 > 1.2.3.4.80: Flags [S], seq 137074667, win 63891
     IP 64.22.81.44.23865 > 1.2.3.4.80: Flags [S], seq 838596928, win 63808
     IP 188.138.1.137.23373 > 1.2.3.4.80: Flags [S], seq 593106072, win 60272
     IP 207.244.90.205.39653 > 1.2.3.4.80: Flags [S], seq 47289666, win 63210
     IP 208.66.78.204.64197 > 1.2.3.4.80: Flags [S], seq 1850809890, win 62714
     IP 207.244.90.205.33108 > 1.2.3.4.80: Flags [S], seq 319707959, win 63351
     IP 207.244.90.205.6937 > 1.2.3.4.80: Flags [S], seq 1591500126, win 63902
     IP 213.152.180.151.60560 > 1.2.3.4.80: Flags [S], seq 1902119375, win 62511
     IP 64.22.79.127.11061 > 1.2.3.4.80: Flags [S], seq 1456438676, win 62148

     Every packet is a bare SYN to port 80 with a TCP window between 60272 and 63902, and a few source /24s repeat; those shared features, not the (possibly spoofed) source addresses, are what a filter can key on.

  21. Blocked with BPF
     iptables -A INPUT \
         --dst 1.2.3.4 \
         -p tcp --dport 80 \
         --syn \
         -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
         -j DROP

     The xt_bpf match runs a classic BPF program over the packet, starting at the IP header, and the rule fires only when the program returns non-zero, so a signature can be far more precise than the fixed iptables matches allow. The --bytecode string is "<instruction count>,<code> <jt> <jf> <k>,..." (the encoding tcpdump -ddd and bpf_asm print, joined with commas). Decoded, this particular program sets X to 20 plus the IP header length, reads the 13 bytes there and returns 1 only if they are 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00, i.e. the DNS question name "example.com"; it illustrates the mechanism rather than a signature for the SYN flood above, for which the program would be generated from whatever stands out in the capture (TCP window, options, TTL).
  22. BPF assembly
     ldx 4*([14]&0xf)
     ld #34
     add x
     tax
     lb_0:
     ldb [x + 0]
     add x
     add #1
     tax
     ld [x + 0]
     jneq #0x07657861, lb_1
     ld [x + 4]
     jneq #0x6d706c65, lb_1
     ld [x + 8]
     jneq #0x03636f6d, lb_1
     ldb [x + 12]
     jneq #0x00, lb_1
     ret #1
     lb_1:
     ret #0

     This is the bpf_asm-style source such bytecode is assembled from. It assumes a 14-byte Ethernet header in front of IPv4, hence offsets 14 and 34 (14 + 8 bytes of UDP header + 12 bytes of DNS header), so after the first tax X points at the DNS question name. The lb_0 block reads the first label's length byte and moves X past that label, so the comparison with "\x07example\x03com\x00" starts at the second label: the program returns 1 for a query for any single label under example.com (www.example.com) and 0 for everything else, including when a load runs past the end of the packet. The bytecode on the previous slide is the same filter without the Ethernet header and without the label skip, which is what xt_bpf needs since it sees the packet from the IP header on.

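A decoder and interpreter for this bytecode, as an added example that is not part of the deck or of any Cloudflare tool: it parses the --bytecode string from the iptables slide, prints it back in bpf_asm mnemonics, and executes it against a constructed IPv4/UDP/DNS query so you can confirm what the program matches before loading it into a firewall. Only the instruction subset packet filters use is implemented; the packet builder and its addresses are constructed for the demonstration and leave checksums at zero.

```python
import struct

# Classic BPF opcode encoding (linux/bpf_common.h): class | size | mode, or class | op | source.
LD, LDX, ALU, JMP, RET, MISC = 0x00, 0x01, 0x04, 0x05, 0x06, 0x07
W, H, B = 0x00, 0x08, 0x10
IMM, ABS, IND, LEN, MSH = 0x00, 0x20, 0x40, 0x80, 0xa0
SRC_X = 0x08
ALU_OPS = {0x00: "add", 0x10: "sub", 0x50: "and", 0x40: "or"}
JMP_OPS = {0x10: "jeq", 0x20: "jgt", 0x30: "jge", 0x40: "jset"}

# The --bytecode string from the iptables slide.
SLIDE_BYTECODE = ("14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,"
                  "64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,"
                  "21 0 1 0,6 0 0 1,6 0 0 0")


def parse_xt_bpf(text):
    """Parse "<count>,<code> <jt> <jf> <k>,..." (tcpdump -ddd / bpf_asm output, comma-joined)."""
    fields = text.split(",")
    insns = [tuple(int(v) for v in f.split()) for f in fields[1:]]
    if len(insns) != int(fields[0]) or any(len(i) != 4 for i in insns):
        raise ValueError("malformed xt_bpf bytecode")
    return insns


def disassemble(insns):
    """Render the packet-filter subset of classic BPF in bpf_asm syntax."""
    out = []
    for pc, (code, jt, jf, k) in enumerate(insns):
        cls, size, mode = code & 0x07, code & 0x18, code & 0xe0
        if cls == LD and mode == IMM:
            out.append(f"ld #{k}")
        elif cls == LD and mode in (ABS, IND):
            mn = {W: "ld", H: "ldh", B: "ldb"}[size]
            out.append(f"{mn} [{'x + ' if mode == IND else ''}{k}]")
        elif cls == LDX and mode == MSH:          # X = 4 * (pkt[k] & 0xf): IPv4 header length
            out.append(f"ldx 4*([{k}]&0xf)")
        elif cls == LDX and mode == IMM:
            out.append(f"ldx #{k}")
        elif cls == ALU:
            out.append(f"{ALU_OPS[code & 0xf0]} {'x' if code & SRC_X else '#%d' % k}")
        elif cls == JMP and (code & 0xf0) == 0x00:
            out.append(f"ja L{pc + 1 + k}")
        elif cls == JMP:                          # jt/jf are offsets from the next instruction
            out.append(f"{JMP_OPS[code & 0xf0]} #{k:#x}, L{pc + 1 + jt}, L{pc + 1 + jf}")
        elif cls == RET:
            out.append("ret a" if (code & 0x18) == 0x10 else f"ret #{k}")
        elif cls == MISC:
            out.append("tax" if (code & 0xf8) == 0x00 else "txa")
        else:
            raise ValueError(f"unsupported opcode {code:#x} at {pc}")
    return out


def run(insns, pkt):
    """Execute the program over pkt and return its verdict (0 = no match).
    A load past the end of the packet rejects the packet, as the kernel does."""
    A = X = pc = 0

    def load(off, n):
        if off < 0 or off + n > len(pkt):
            raise IndexError
        return int.from_bytes(pkt[off:off + n], "big")

    try:
        while pc < len(insns):
            code, jt, jf, k = insns[pc]
            cls, size, mode = code & 0x07, code & 0x18, code & 0xe0
            n = {W: 4, H: 2, B: 1}.get(size, 0)
            pc += 1
            if cls == LD and mode == IMM:
                A = k
            elif cls == LD and mode == ABS:
                A = load(k, n)
            elif cls == LD and mode == IND:
                A = load(X + k, n)
            elif cls == LD and mode == LEN:
                A = len(pkt)
            elif cls == LDX and mode == IMM:
                X = k
            elif cls == LDX and mode == MSH:
                X = 4 * (load(k, 1) & 0xf)
            elif cls == ALU:
                src = X if code & SRC_X else k
                A = {0x00: A + src, 0x10: A - src, 0x50: A & src, 0x40: A | src}[code & 0xf0] & 0xffffffff
            elif cls == JMP:
                op = code & 0xf0
                if op == 0x00:
                    pc += k
                else:
                    taken = {0x10: A == k, 0x20: A > k, 0x30: A >= k, 0x40: bool(A & k)}[op]
                    pc += jt if taken else jf
            elif cls == RET:
                return A if (code & 0x18) == 0x10 else k
            elif cls == MISC:
                X, A = (A, A) if (code & 0xf8) == 0x00 else (X, X)   # tax / txa
            else:
                raise ValueError(f"unsupported opcode {code:#x}")
    except IndexError:
        return 0
    return 0


def dns_query_packet(name):
    """Constructed IPv4/UDP/DNS query for name, as xt_bpf sees it (IP header first, no Ethernet)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(dns), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # checksums left zero
    return ip + udp + dns


if __name__ == "__main__":
    prog = parse_xt_bpf(SLIDE_BYTECODE)
    print("\n".join(f"L{i}: {s}" for i, s in enumerate(disassemble(prog))))
    for q in ("example.com", "www.example.com", "example.org"):
        print(q, "->", run(prog, dns_query_packet(q)))
```

Running it shows the program accepting only a query for exactly example.com; feeding it the asm variant from the previous slide would require assembling that first (bpf_asm from the kernel tree does this), and the difference in verdict for www.example.com is the label skip discussed there.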
  23. eXpress Data Path - XDP
     • Feature of Linux kernels 4.8+ (eBPF programs run in the driver's receive path, before an skb is allocated)
     • Super fast
     • Tomorrow, Saturday 2pm, Packet Hacking Village!

  24. 1. Direct attacks
     a) keep us online
     b) identify the source

  25. Which router interface is it from?
     Diagram: Router -> Server; the question is which of the router's ingress interfaces the attack traffic arrives on.

  26. Identifying the interface
     (per-interface traffic graph; the spikes are labelled "Attacks")

  27. Identifying the interface

  28. Other side of the cable
     Diagram: the router's upstream interfaces lead to an Internet carrier, a direct peering and a local Internet exchange; the server sits behind the router.

  29. 1. Direct peering
     Diagram: Router <-> direct peering partner.

  30. 2. Internet exchange, 3. Internet carrier
     Diagram: Router <-> local Internet exchange; Router <-> Internet carrier.

  31. 2. Internet exchanges

  32. 2. Internet exchanges
     Diagram: our L3 router and Local ISP #1, #2 and #3 all plug into the exchange's L2 switch, so at L3 every peer on the exchange is behind the same router interface.

  33. 3. Internet carriers
     Diagram: Router <-> Internet carrier.

  34. 3. Internet carriers
     Diagram: the Internet carrier aggregates Customer #1, #2 and #3 behind its single link to our router.

  35. Tracing back is impossible

  36. Direct: SYN flood, "winter of attacks"

  37. "Winter of attacks"
     Diagram: the flood reached the LAX router through an Internet carrier; its source IPs belonged to Hurricane Electric.

  38. "Winter of attacks"
     Diagram: behind the carrier, both candidate origins are marked "Hurricane Electric ???"; the carrier link is where the trail ends.

  39. Other examples

  40. 2. Amplification attacks
     a) keep us online
     b) identify the source

  41. SSDP: Amplification

  42. UDP request-response
     Diagram: UDP client -> request -> UDP server -> response -> UDP client.

  43. Amplification
     Diagram: Attacker -> request with the source address spoofed to the target -> UDP server -> response -> Target.

  44. Amplification factor
     Diagram: as above; a 10-byte request elicits a 100-byte response, an amplification factor of 10.

  45. Scale up!
     Diagram: Attacker -> requests -> many UDP servers -> responses -> Target.

  46. June 2017: SSDP
     • 112 Gbps of traffic at the target
     • 5 Gbps of spoofed requests (about 22x amplification)
     • 940k exposed SSDP devices

  47. 2. Amplification attacks
     a) keep us online
     b) identify the source

  48. Dispersed geographically

  49. Diagram: the same prefix 1.2.3.0/24 is announced (anycast) from Los Angeles, London, Amsterdam, Moscow, San Jose and New York, so each reflector's responses land at the location nearest to it and the flood is spread out.

  50. Trivial to block
     iptables -A INPUT \
         --dst 1.2.3.4 \
         -p udp --sport 1900 \
         -j DROP

     Reflected responses keep the reflector's service port as their source port (1900 for SSDP), which is why a source-port match is enough.

  51. 2. Amplification attacks
     a) keep us online
     b) identify the source

  52. Tracing back is impossible
     Diagram: Attacker -> Reflector #1, #2, #3 -> Router; the router only ever sees the reflectors' addresses.

  53. Other amplifications
     Count  Proto  Src port  Vector
      3774  udp        123   NTP
      1692  udp       1900   SSDP
       438  udp          0   IP fragmentation (*)
       253  udp         53   DNS
        42  udp      27015   SRCDS
        20  udp         19   Chargen
        19  udp      20800   Call of Duty
        16  udp        161   SNMP
        12  udp        389   CLDAP
        11  udp        111   Sunrpc
        10  udp        137   NetBIOS
         6  tcp         80   HTTP
         5  udp      27005   SRCDS
         2  udp        520   RIP
     (*) non-initial fragments carry no UDP header, so flow records show their source port as 0.

  54. Amplification sizes
     $ cat all-gbps | cut -d " " -f 1 | ~/bin/mmhistogram
     Gbps min:0.04 avg:7.07 max:78.03 dev:9.06 count:6353
     Gbps:
     value |-------------------------------------------------- count
         0 |****************                                   658
         1 |*************************                          1012
         2 |************************************************** 1947
         4 |******************************                     1176
         8 |****************                                   641
        16 |*******************                                748
        32 |****                                               157
        64 |                                                   14
     (buckets are powers of two: 0-1, 1-2, 2-4, ... Gbps)

  55. • IP spoofing is bad
     • You need network capacity
     • Tracing back is impossible

  56. How to fix it?

  57. • IP spoofing is bad
     • You need network capacity
     • Tracing back is impossible

  58. IP spoofing is the root of all evil

  59. Promote BCP38

  60. Report IP spoofing
     • From spoofer.caida.org

  61. Vendor defaults

  62. Filtering is hard
     Diagram: Source -> ISP 1 -> Internet Carrier A -> Internet Carrier B -> Destination; the X marks the filter at ISP 1, the network closest to the source.

  63. We're left with the incompetent

  64. • IP spoofing is bad
     • You need network capacity
     • Tracing back is impossible

  65. BGP Flowspec to the rescue!

  66. BGP Flowspec
     Diagram: the router under attack distributes Flowspec rules over BGP to the upstream routers, which apply the filter before the traffic reaches the congested link.

  67. • https://conference.apnic.net/data/41/apricot-ddos-mitigation-using-flowspec_1456208439.pdf

  68. Adoption = nil

  69. BGP Flowspec success story
     • RASCOM AS20764
     • https://www.slideshare.net/pavel_odintsov/implementing-bgp-flowspec-at-ip-transit-network

  70. • IP spoofing is bad
     • You need network capacity
     • Tracing back is impossible

  71. NetFlow / IPFIX!

  72. NetFlow within one AS
     Diagram: every router exports NetFlow samples to one central NetFlow collector.

  73. Internet carriers
     Diagram: Router <-> Internet carrier, which aggregates Customer #1, #2 and #3.

  74. NetFlow
     (netops)# nfdump -M db/waw01:lhr01 -R . -n2 -t -300 -s dstip/packets "in if 731"
     Top 2 Dst IP Addr ordered by packets:
     Dst IP Addr      Flows(%)        Packets(%)       Bytes(%)       pps      bps      bpp
     173.245.58.40    1.0 M(77.0)     17.6 G(75.8)     1.1 T(22.6)    59.0 M   30.7 G   65
     173.245.59.15    54962( 4.0)     910.3 M( 3.9)    75.5 G( 1.5)   3.1 M    2.0 G    82
     Summary: total flows: 1361108, total bytes: 5087980650496, total packets: 23271079936, avg bps: 135599480319, avg pps: 77524526, avg bpp: 218
     Total flows processed: 2457140, Blocks skipped: 0, Bytes read: 177251772
     Sys: 0.210s flows/second: 11700666.7 Wall: 0.210s flows/second: 11654603.2

     -M db/waw01:lhr01 reads the records of two exporters, and the filter "in if 731" keeps only flows that entered on SNMP ifIndex 731, i.e. one upstream link. Repeating the query per input interface says which link a flood came in on; a carrier doing the same on its side sees which customer injected it, which is the attribution the earlier slides said was impossible from the router alone.

  75. NetFlow
     • Open source toolchain is great
     • Scales well
     • Aggressive sampling (1 in 64k) is enough
     • Rotate logs every 72h

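The attribution and vector breakdown the two NetFlow slides describe, as an added example that is not part of the deck: given sampled flow records it scales packet counts back up by the sampling rate, ranks the victim's ingress (exporter, interface) pairs by estimated pps and share of the attack, and classifies the traffic by reflection vector using the source-port table from the "Other amplifications" slide. The flow records are constructed; the exporter names and ifIndex 731 are borrowed from the nfdump slide, the packet counts are made up.

```python
from collections import defaultdict

SAMPLING = 65536      # 1 in 64k, as on the slide: each sampled packet stands for ~65536 real ones
WINDOW_S = 300        # the five-minute window the nfdump query on the slide looked at

# Constructed sampled flow records: (exporter, input ifIndex, proto, src port, dst addr, packets).
FLOWS = [
    ("lhr01", 731, "udp", 123,  "173.245.58.40", 9),
    ("lhr01", 731, "udp", 123,  "173.245.58.40", 6),
    ("lhr01", 731, "udp", 1900, "173.245.58.40", 3),
    ("lhr01", 731, "udp", 0,    "173.245.58.40", 2),   # non-initial fragments: no UDP header, port 0
    ("lhr01", 12,  "udp", 123,  "173.245.58.40", 1),
    ("lhr01", 12,  "tcp", 443,  "173.245.58.40", 2),   # ordinary web traffic to the same address
    ("waw01", 5,   "udp", 123,  "173.245.58.40", 2),
    ("waw01", 5,   "udp", 53,   "173.245.59.15", 1),   # different destination, ignored below
]

# UDP source port -> reflection vector, from the "Other amplifications" slide.
VECTORS = {123: "NTP", 1900: "SSDP", 0: "IP fragmentation", 53: "DNS", 27015: "SRCDS",
           19: "Chargen", 20800: "Call of Duty", 161: "SNMP", 389: "CLDAP", 111: "Sunrpc",
           137: "Netbios", 27005: "SRCDS", 520: "RIP"}


def attribute(flows, victim, sampling=SAMPLING, window_s=WINDOW_S):
    """Per (exporter, input interface): estimated pps towards victim and share of the total, largest first.
    With 1:64k sampling one sampled packet already represents ~218 pps over five minutes, so the
    method only resolves big floods, which is all it needs to do."""
    pkts = defaultdict(int)
    for exporter, ifidx, _, _, dst, packets in flows:
        if dst == victim:
            pkts[(exporter, ifidx)] += packets * sampling
    total = sum(pkts.values())
    ranked = sorted(pkts.items(), key=lambda kv: -kv[1])
    return [(key, est / window_s, est / total) for key, est in ranked]


def classify(flows, victim, sampling=SAMPLING):
    """Estimated packets towards victim per reflection vector (UDP source port), largest first."""
    out = defaultdict(int)
    for _, _, proto, sport, dst, packets in flows:
        if dst == victim:
            name = VECTORS.get(sport, f"udp/{sport}") if proto == "udp" else f"{proto}/{sport}"
            out[name] += packets * sampling
    return dict(sorted(out.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    victim = "173.245.58.40"
    for (exporter, ifidx), pps, share in attribute(FLOWS, victim):
        print(f"{exporter} ifIndex {ifidx:4}  ~{pps:10.0f} pps  {share:5.1%}")
    for vector, est in classify(FLOWS, victim).items():
        print(f"{vector:18} ~{est:>10} packets")
```

The output points at lhr01 ifIndex 731 carrying 80% of the flood and at NTP as the dominant vector, which is the two facts you need before asking the carrier behind that interface to look at its own records.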
  76. Internet exchanges

  77. Internet exchanges
     Diagram: L3 router -> Internet exchange L2 switch <- Local ISP #1, #2, #3.

  78. Internet exchanges
     • sFlow
     • IX charts
     • mac-accounting
     • IPFIX support for MAC addresses

     On an exchange every peer sits behind the same router interface, so attribution has to come from the source MAC address: sFlow samples or IPFIX records that carry it, per-MAC accounting on the router, or the exchange's own per-port charts.

  79. Recap
     • Prevent IP spoofing - BCP38
       The root of all evil, not fixable in the short term
     • BGP Flowspec firewall
       A stop-gap for capacity
     • NetFlow/IPFIX sampling
       Gives visibility into your network; solves attack attribution

  80. • https://blog.cloudflare.com
     • https://github.com/cloudflare
     marek@cloudflare.com
     @majek04
     DDoS is fixable!

  81. Mirai was different

  82. Why IP filtering must be on the edge

  83. Filtering is hard
     Diagram: Internet Carrier A delivers to Destination 5.6.7.8.

  84. Filtering is hard
     Diagram: Source 1.2.3.4 sits in ISP 1, which announces 1.2.3.0/24 to Internet Carrier A; Carrier A delivers to Destination 5.6.7.8.

  85. Filtering is hard
     Diagram: ISP 1 also connects to Internet Carrier B and announces 1.2.3.0/24 there too, so Carrier A can reach 1.2.3.0/24 both directly and via Carrier B.

  86. Filtering is hard
     Diagram: ISP 2 (4.3.2.0/24, Source 4.3.2.1) sits behind Internet Carrier B; Carrier A now sees packets sourced from both 1.2.3.0/24 and 4.3.2.0/24 arriving on its Carrier B link, and a route-based check on that link cannot say which of them are legitimate.

  87. Internet is asymmetric
     Diagram: packets from Source 1.2.3.4 to Destination 5.6.7.8 may enter Carrier A via Carrier B even though Carrier A's route back to 1.2.3.0/24 points at ISP 1; a strict reverse-path check on a carrier-to-carrier link therefore drops legitimate traffic.

  88. Filter close to the source
     Diagram: the X marks the filter at ISP 1's customer edge, where the only legitimate source addresses are 1.2.3.0/24 and the check is exact.
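The argument of these slides run as code, as an added example that is not part of the deck: a toy longest-prefix-match table stands in for Carrier A's routing table, and the same packets are put through BCP84 strict uRPF, loose uRPF and a BCP38 customer-edge filter. The topology follows the diagrams (ISP 1 with 1.2.3.0/24 multihomed to Carriers A and B, ISP 2 with 4.3.2.0/24 behind Carrier B); the interface names and the default route are assumptions.

```python
import ipaddress


class Fib:
    """Longest-prefix-match forwarding table: prefix -> egress interface (constructed, not a real router)."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def strict_urpf(fib, src, in_iface):
    """BCP84 strict mode: accept only if the best route back to src leaves via the ingress interface."""
    route = fib.lookup(src)
    return route is not None and route[1] == in_iface


def loose_urpf(fib, src):
    """BCP84 loose mode: accept if some route more specific than the default covers src."""
    route = fib.lookup(src)
    return route is not None and route[0].prefixlen > 0


def bcp38_edge(customer_prefixes, src):
    """BCP38 on a customer-facing port: only the customer's own prefixes are valid sources."""
    a = ipaddress.ip_address(src)
    return any(a in ipaddress.ip_network(p) for p in customer_prefixes)


# Carrier A as drawn on the slides. Its best route to 1.2.3.0/24 is the direct link to ISP 1,
# but ISP 1 is also reachable through Carrier B, which is where ISP 2 lives as well.
CARRIER_A = Fib([
    ("1.2.3.0/24", "to_isp1"),
    ("4.3.2.0/24", "to_carrier_b"),
    ("5.6.7.0/24", "to_customer"),
    ("0.0.0.0/0", "to_carrier_b"),
])


def evaluate():
    """Same packets, different filter placements; True means the packet is accepted."""
    return {
        # Real 1.2.3.4 over the direct link: strict uRPF is happy.
        "strict@A 1.2.3.4 via isp1": strict_urpf(CARRIER_A, "1.2.3.4", "to_isp1"),
        # Real 1.2.3.4 whose packets enter via Carrier B (asymmetric path): strict uRPF drops it.
        "strict@A 1.2.3.4 via carrier_b": strict_urpf(CARRIER_A, "1.2.3.4", "to_carrier_b"),
        # A host in ISP 2 spoofing 1.2.3.4 arrives on that same interface and is indistinguishable.
        "strict@A spoofed 1.2.3.4 via carrier_b": strict_urpf(CARRIER_A, "1.2.3.4", "to_carrier_b"),
        # Loose mode passes both, since some route to 1.2.3.0/24 exists.
        "loose@A spoofed 1.2.3.4": loose_urpf(CARRIER_A, "1.2.3.4"),
        # At the customer edges the answer is exact.
        "bcp38@ISP1 1.2.3.4": bcp38_edge(["1.2.3.0/24"], "1.2.3.4"),
        "bcp38@ISP1 spoofed 8.8.8.8": bcp38_edge(["1.2.3.0/24"], "8.8.8.8"),
        "bcp38@ISP2 spoofed 1.2.3.4": bcp38_edge(["4.3.2.0/24"], "1.2.3.4"),
        "bcp38@ISP2 4.3.2.1": bcp38_edge(["4.3.2.0/24"], "4.3.2.1"),
    }


if __name__ == "__main__":
    for case, accepted in evaluate().items():
        print(f"{'accept' if accepted else 'drop  '}  {case}")
```

Strict mode at the carrier either drops legitimate asymmetric traffic or, if relaxed to loose mode, lets the spoofed packet through; the two packets are byte-for-byte identical at that point. Only the network that handed out 4.3.2.0/24 knows that 1.2.3.4 cannot legitimately come from that port, which is the whole case for filtering at the edge.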