IP Spoofing - DEFCON

Transcript

1. IP Spoofing (what is it, how it allows largest attacks

   and how to fix it) Marek Majkowski

2. What is it? 2

3. 3 IP Spoofing (source: DaPuglet)

4. 4 IP Spoofing 8.8.8.8 5.6.7.8

5. 5 Enables impersonation Real 8.8.8.8 Destination 5.6.7.8 Spoofed 8.8.8.8

6. 6

7. IP Spoofing is still a problem • 1995 - Mitnick

   pwned Shimomura with TCP seq • 1996 - SYN flooding • 1998 - idle scanning (ipid) • 1998 - BGP connection reset - RFC 2385 • 2008 - Dan Kaminsky's DNS bug • 2013+ - Multiple amplification DDoS 7

8. IP Spoofing fight • 1998 - Reverse Path Forwarding RFC2267

   • 2000 - BCP38 / RFC2827 • 2004 - BCP84 / RFC3704 / Unicast RPF • 2009 - IETF SAVI https://tools.ietf.org/wg/savi/ • 2014 - MANRS https://routingmanifesto.org/manrs/ • 2015 - http://spoofer.caida.org 8

9. 9 Inconsistent 15.8% Spoofable 27.8% UnSpoofable 56.4% Measured Autonomic Systems

   spoofer.caida.org

10. bulletproof hostig 10

11. IP Spoofing enables largest attacks 11

12. 12

13. 13 Global network

14. 14 Daily attacks Daily Attacks

15. 15 Some are super large

16. Two types 1. Direct 2. Amplification 16

17. 1. Direct attacks a) keep us online b) identify the

    source 17

18. 18 Direct: “Winter of attacks” Target Server Attacker 400 Gbps

19. 19 Direct: SYN Flood "winter of attacks"

20. 20 Direct attacks

21. 1. Direct attacks a) keep us online b) identify the

    source 21

22. 22 Tcpdump $ tcpdump -ni eth0 -c 100 IP 94.242.250.109.47330

    > 1.2.3.4:80: Flags [S], seq 1444613291, win 63243 IP 188.138.1.240.61454 > 1.2.3.4:80: Flags [S], seq 1995637287, win 60551 IP 207.244.90.205.17572 > 1.2.3.4:80: Flags [S], seq 1523683071, win 61607 IP 94.242.250.224.65127 > 1.2.3.4:80: Flags [S], seq 928944042, win 61778 IP 207.244.90.205.43074 > 1.2.3.4:80: Flags [S], seq 137074667, win 63891 IP 64.22.81.44.23865 > 1.2.3.4:80: Flags [S], seq 838596928, win 63808 IP 188.138.1.137.23373 > 1.2.3.4:80: Flags [S], seq 593106072, win 60272 IP 207.244.90.205.39653 > 1.2.3.4:80: Flags [S], seq 47289666, win 63210 IP 208.66.78.204.64197 > 1.2.3.4:80: Flags [S], seq 1850809890, win 62714 IP 207.244.90.205.33108 > 1.2.3.4:80: Flags [S], seq 319707959, win 63351 IP 207.244.90.205.6937 > 1.2.3.4:80: Flags [S], seq 1591500126, win 63902 IP 213.152.180.151.60560 > 1.2.3.4:80: Flags [S], seq 1902119375, win 62511 IP 64.22.79.127.11061 > 1.2.3.4:80: Flags [S], seq 1456438676, win 62148

23. Blocked with BPF 23 iptables -A INPUT \ --dst 1.2.3.4

    \ -p tcp --dport 80 \ --syn \ -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \ -j DROP

24. 24 ldx 4*([14]&0xf) ld #34 add x tax lb_0: ldb

    [x + 0] add x add #1 tax ld [x + 0] jneq #0x07657861, lb_1 ld [x + 4] jneq #0x6d706c65, lb_1 ld [x + 8] jneq #0x03636f6d, lb_1 ldb [x + 12] jneq #0x00, lb_1 ret #1 lb_1: ret #0 BPF bytecode

25. 25

26. Extreme Data Path - XDP • Feature of kernels 4.9+

    • Super fast • Tomorrow, Saturday 2pm, Packet Hacking Village! 26

27. 1. Direct attacks a) keep us online b) identify the

    source 27

28. 28 Which router iface is it from? Router Server

29. 29 Identifying interface Attacks

30. 30 Identifying the interface

31. 31 Other side of the cable Internet Carrier Direct Peering

    Router Local Internet Exchange Server

32. 32 1. Direct Peering Router Direct Peering

33. 33

34. 2. Internet Exchange 3. Internet Carrier 34 Internet Carrier Local

    Internet Exchange Router Router

35. 35 2. Internet Exchanges

36. 36 2. Internet Exchanges L3 Router Internet Exchange L2 SWITCH

    Local ISP #1 Local ISP #2 Local ISP #3

37. 37 3. Internet Carriers Router Internet Carrier

38. 38 3. Internet Carriers Router Internet Carrier Customer #1 Customer

    #2 Customer #3

39. Tracing back is impossible

40. 40 Direct: SYN Flood "winter of attacks" “Winter of attacks”

41. 41 “Winter of attacks” src IP= Hurricane Electric LAX router

    Internet Carrier

42. 42 “Winter of attacks” LAX router Internet Carrier Hurricane Electric

    ??? Hurricane Electric ???

43. Other examples

44. 44

45. 45

46. 46

47. 47

48. 48

49. 49

50. 50

51. 2. Amplification attacks a) keep us online b) identify the

    source 51 51

52. 52 SSDP: Amplification

53. UDP request-response 53 UDP Server UDP Client request response

54. Amplification 54 Attacker Target UDP Server request response

55. Amplification factor 55 Attacker Target UDP Server request response 10

    bytes 100 bytes

56. Scale up! 56 Attacker Target UDP Servers requests responses

57. June 2017: SSDP 57 112 Gbps of traffic 5 Gbps

    of spoofing 940k exposed SSDP Devices

58. 2. Amplification attacks a) keep us online b) identify the

    source 58

59. 59 Dispersed geographically

60. 1.2.3.0/24 Internet Los Angeles 1.2.3.0/24 London 1.2.3.0/24 Amsterdam 1.2.3.0/24 Moscow

    1.2.3.0/24 San Jose 1.2.3.0/24 New York

61. 61 Trivial to block iptables -A INPUT \ --dst 1.2.3.4

    \ -p udp --sport 1900 \ -j DROP

62. 2. Amplification attacks a) keep us online b) identify the

    source 62

63. 63 Tracing back is impossible Router Reflector #1 Reflector #2

    Reflector #3 Attacker

64. Other amplifications 64 Count Proto Src port 3774 udp 123

    NTP 1692 udp 1900 SSDP 438 udp 0 IP fragmentation (*) 253 udp 53 DNS 42 udp 27015 SRCDS 20 udp 19 Chargen 19 udp 20800 Call Of Duty 16 udp 161 SNMP 12 udp 389 CLDAP 11 udp 111 Sunrpc 10 udp 137 Netbios 6 tcp 80 HTTP 5 udp 27005 SRCDS 2 udp 520 RIP

65. Amplification sizes 65 $ cat all-gbps |cut -d " "

    -f 1|~/bin/mmhistogram Gbps min:0.04 avg:7.07 max:78.03 dev:9.06 count:6353 Gbps: value |-------------------------------------------------- count 0 | **************** 658 1 | ************************* 1012 2 |************************************************** 1947 4 | ****************************** 1176 8 | **************** 641 16 | ******************* 748 32 | **** 157 64 | 14

66. • IP spoofing is bad • You need network capacity

    • Tracing back is impossible 66

67. How to fix it? 67

68. • IP spoofing is bad • You need network capacity

    • Tracing back is impossible 68

69. 69 IP spoofing is the root of all evil

70. 70 Promote BCP38

71. • From spoofer.caida.org 71 Report IP spoofing

72. Vendor defaults 72

73. 73 Filtering is hard Internet Carrier A Source Destination ISP

    1 Internet Carrier B X

74. We're left with the incompetent 74

75. • IP spoofing is bad • You need network capacity

    • Tracing back is impossible 75

76. 76 BGP Flowspec for the rescue!

77. 77 Router under attack Flowspec Flowspec Flowspec BGP Flowspec

78. 78

79. • https://conference.apnic.net/data/41/apricot-ddos- mitigation-using-flowspec_1456208439.pdf 79

80. 80 Adoption = nil

81. BGP Flowspec success story • RASCOM AS20764 • https://www.slideshare.net/pavel_odintsov/ implementing-bgp-flowspec-at-ip-transit-network

    81

82. • IP spoofing is bad • You need network capacity

    • Tracing back is impossible 82

83. 83 Netflow / IP FIX!

84. 84 How?

85. 85 Netflow within one AS Netflow collector Netflow samples Netflow

    samples Netflow samples

86. 86 Router Internet Carrier Customer #1 Customer #2 Customer #3

    Internet Carriers

87. 87

88. 88 Netflow (netops)# nfdump -M db/waw01:lhr01 -R . -n2 -t

    -300 -s dstip/packets "in if 731" Top 2 Dst IP Addr ordered by packets: Dst IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp 173.245.58.40 1.0 M(77.0) 17.6 G(75.8) 1.1 T(22.6) 59.0 M 30.7 G 65 173.245.59.15 54962( 4.0) 910.3 M( 3.9) 75.5 G( 1.5) 3.1 M 2.0 G 82 Summary: total flows: 1361108, total bytes: 5087980650496, total packets: 23271079936, avg bps: 135599480319, avg pps: 77524526, avg bpp: 218 Total flows processed: 2457140, Blocks skipped: 0, Bytes read: 177251772 Sys: 0.210s flows/second: 11700666.7 Wall: 0.210s flows/second: 11654603.2

89. • Open source toolchain is great • Scales well •

    Set high sampling rate - 1/64k flows • Rotate logs every 72h 89 Netflow

90. 90 Internet exchanges

91. 91 L3 Router Internet Exchange L2 SWITCH Local ISP #1

    Local ISP #2 Local ISP #3 Internet Exchanges

92. Internet Exchanges • SFlow • IX charts • mac-accounting •

    IP FIX support for mac addresses 92

93. Recap • Prevent IP spoofing - BCP38 • The root

    of all evil, unfixable in short time • BGP flowspec firewall • A stop gap for capacity • Netflow/IP FIX sampling • Gives visibility into your network. Solves attack attribution. 93

94. • https://blog.cloudflare.com • https://github.com/cloudflare 94 marek@cloudflare.com @majek04 DDoS is fixable!

95. 95

96. Mirai was different 96

97. 97

98. Why IP Filtering must be on the edge 98

99. 99 Filtering is hard Internet Carrier A Destination 5.6.7.8

100. 100 Filtering is hard Internet Carrier A Source 1.2.3.4 Destination

     5.6.7.8 ISP 1 1.2.3.0/24

101. 101 Filtering is hard Internet Carrier A Source 1.2.3.4 Destination

     5.6.7.8 ISP 1 Internet Carrier B 1.2.3.0/24 1.2.3.0/24

102. 102 Internet Carrier A Source 1.2.3.4 Destination 5.6.7.8 ISP 1

     Filtering is hard Internet Carrier B ISP 2 Source 4.3.2.1 1.2.3.0/24 4.3.2.0/24

103. 103 Internet is asymmetric Internet Carrier A Source 1.2.3.4 Destination

     5.6.7.8 ISP 1 Internet Carrier B

104. 104 Filter close to the source Internet Carrier A Source

     Destination ISP 1 Internet Carrier B X