Slide 1

IP Spoofing (what is it, how it allows largest attacks and how to fix it)
Marek Majkowski

Slide 2

What is it?

Slide 3

IP Spoofing (image source: DaPuglet)

Slide 4

IP Spoofing [diagram: 8.8.8.8, 5.6.7.8]

Slide 5

Enables impersonation [diagram: Real 8.8.8.8, Spoofed 8.8.8.8, Destination 5.6.7.8]

Slide 6


Slide 7

IP Spoofing is still a problem
• 1995 - Mitnick pwned Shimomura with TCP seq
• 1996 - SYN flooding
• 1998 - idle scanning (ipid)
• 1998 - BGP connection reset - RFC 2385
• 2008 - Dan Kaminsky's DNS bug
• 2013+ - Multiple amplification DDoS

Slide 8

IP Spoofing fight
• 1998 - Reverse Path Forwarding RFC2267
• 2000 - BCP38 / RFC2827
• 2004 - BCP84 / RFC3704 / Unicast RPF
• 2009 - IETF SAVI https://tools.ietf.org/wg/savi/
• 2014 - MANRS https://routingmanifesto.org/manrs/
• 2015 - http://spoofer.caida.org

Slide 9

Measured Autonomous Systems (spoofer.caida.org): Spoofable 27.8%, Unspoofable 56.4%, Inconsistent 15.8%

Slide 10

bulletproof hosting

Slide 11

IP Spoofing enables largest attacks

Slide 12


Slide 13

Global network

Slide 14

Daily attacks [chart: Daily Attacks]

Slide 15

Some are super large

Slide 16

Two types
1. Direct
2. Amplification

Slide 17

1. Direct attacks
a) keep us online
b) identify the source

Slide 18

Direct: “Winter of attacks” [diagram: Attacker → Target Server, 400 Gbps]

Slide 19

Direct: SYN Flood, "winter of attacks"

Slide 20

Direct attacks

Slide 21

1. Direct attacks
a) keep us online
b) identify the source

Slide 22

Tcpdump
$ tcpdump -ni eth0 -c 100
IP 94.242.250.109.47330 > 1.2.3.4:80: Flags [S], seq 1444613291, win 63243
IP 188.138.1.240.61454 > 1.2.3.4:80: Flags [S], seq 1995637287, win 60551
IP 207.244.90.205.17572 > 1.2.3.4:80: Flags [S], seq 1523683071, win 61607
IP 94.242.250.224.65127 > 1.2.3.4:80: Flags [S], seq 928944042, win 61778
IP 207.244.90.205.43074 > 1.2.3.4:80: Flags [S], seq 137074667, win 63891
IP 64.22.81.44.23865 > 1.2.3.4:80: Flags [S], seq 838596928, win 63808
IP 188.138.1.137.23373 > 1.2.3.4:80: Flags [S], seq 593106072, win 60272
IP 207.244.90.205.39653 > 1.2.3.4:80: Flags [S], seq 47289666, win 63210
IP 208.66.78.204.64197 > 1.2.3.4:80: Flags [S], seq 1850809890, win 62714
IP 207.244.90.205.33108 > 1.2.3.4:80: Flags [S], seq 319707959, win 63351
IP 207.244.90.205.6937 > 1.2.3.4:80: Flags [S], seq 1591500126, win 63902
IP 213.152.180.151.60560 > 1.2.3.4:80: Flags [S], seq 1902119375, win 62511
IP 64.22.79.127.11061 > 1.2.3.4:80: Flags [S], seq 1456438676, win 62148

Slide 23

Blocked with BPF
iptables -A INPUT \
  --dst 1.2.3.4 \
  -p tcp --dport 80 \
  --syn \
  -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
  -j DROP

Slide 24

BPF bytecode
    ldx 4*([14]&0xf)
    ld #34
    add x
    tax
lb_0:
    ldb [x + 0]
    add x
    add #1
    tax
    ld [x + 0]
    jneq #0x07657861, lb_1
    ld [x + 4]
    jneq #0x6d706c65, lb_1
    ld [x + 8]
    jneq #0x03636f6d, lb_1
    ldb [x + 12]
    jneq #0x00, lb_1
    ret #1
lb_1:
    ret #0
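Added example (mine, not from the talk): a small classic-BPF interpreter that runs the exact bytecode string from the iptables rule on slide 23 against constructed IPv4/UDP/DNS packets, so you can see what the filter matches before deploying it: a DNS question for example.com, located by adding the IP header length to a fixed offset the way the listing on slide 24 does. The packet builder, the Python names and the IP-options case are assumptions of this example.

```python
import struct

# Bytecode exactly as passed to `iptables -m bpf --bytecode` on the slide ("<count>,<code jt jf k>,...").
# xt_bpf runs the filter on a packet that starts at the IP header, hence `[0]` for the IHL load.
SLIDE_BYTECODE = ("14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,"
                  "21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,"
                  "21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0")

def parse_bytecode(text):
    """Split the iptables bytecode string into (code, jt, jf, k) tuples; first field is the count."""
    count, *insns = text.split(",")
    prog = [tuple(int(f) for f in insn.split()) for insn in insns]
    assert len(prog) == int(count)
    return prog

def run_cbpf(prog, pkt):
    """Interpret the classic-BPF subset this filter uses; returns the program's ret value."""
    a = x = pc = 0
    while True:
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == 0x00:                     # ld #k
            a = k
        elif code == 0xB1:                   # ldx 4*([k]&0xf): IPv4 header length in bytes
            x = 4 * (pkt[k] & 0x0F)
        elif code == 0x0C:                   # add x
            a = (a + x) & 0xFFFFFFFF
        elif code == 0x07:                   # tax
            x = a
        elif code in (0x40, 0x50):           # ld [x+k] (32-bit) / ldb [x+k] (8-bit)
            width = 4 if code == 0x40 else 1
            if x + k + width > len(pkt):     # load past the end: kernel returns 0 (no match)
                return 0
            a = struct.unpack_from("!I" if width == 4 else "B", pkt, x + k)[0]
        elif code == 0x15:                   # jeq #k, jt, jf (offsets relative to next insn)
            pc += jt if a == k else jf
        elif code == 0x06:                   # ret #k
            return k
        else:
            raise ValueError(f"opcode {code:#x} not handled by this toy interpreter")

def dns_query_packet(name, ip_options=b""):
    """Constructed sample: IPv4 header (+optional options) + UDP header + DNS header + question."""
    ihl = 5 + len(ip_options) // 4
    ip = bytes([0x40 | ihl]) + bytes(19) + ip_options   # only the IHL nibble is inspected
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return ip + bytes(8) + bytes(12) + qname + b"\x00\x01\x00\x01"   # UDP, DNS hdr, QTYPE/QCLASS

def filter_matches(name, ip_options=b""):   # 1 = the rule would DROP this query, 0 = pass
    return run_cbpf(parse_bytecode(SLIDE_BYTECODE), dns_query_packet(name, ip_options))
```

Because the qname offset is computed from the IHL field, a packet carrying IP options is still matched; a name that differs in any of the four compared words falls through to `ret #0`.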

Slide 25


Slide 26

eXpress Data Path - XDP
• Feature of kernels 4.9+
• Super fast
• Tomorrow, Saturday 2pm, Packet Hacking Village!

Slide 27

1. Direct attacks
a) keep us online
b) identify the source

Slide 28

Which router interface is it from? [diagram: Router, Server]

Slide 29

Identifying interface [chart: Attacks]

Slide 30

Identifying the interface

Slide 31

Other side of the cable [diagram: Server, Router; links to Internet Carrier, Direct Peering, Local Internet Exchange]

Slide 32

1. Direct Peering [diagram: Router, Direct Peering]

Slide 33


Slide 34

2. Internet Exchange
3. Internet Carrier
[diagram: Router, Local Internet Exchange; Router, Internet Carrier]

Slide 35

2. Internet Exchanges

Slide 36

2. Internet Exchanges [diagram: L3 Router, Internet Exchange L2 switch, Local ISP #1, Local ISP #2, Local ISP #3]

Slide 37

3. Internet Carriers [diagram: Router, Internet Carrier]

Slide 38

3. Internet Carriers [diagram: Router, Internet Carrier, Customer #1, Customer #2, Customer #3]

Slide 39

Tracing back is impossible

Slide 40

Direct: SYN Flood, “Winter of attacks”

Slide 41

“Winter of attacks” [diagram: src IP = Hurricane Electric, LAX router, Internet Carrier]

Slide 42

“Winter of attacks” [diagram: LAX router, Internet Carrier, Hurricane Electric ???]

Slide 43

Other examples

Slide 44


Slide 45


Slide 46


Slide 47


Slide 48


Slide 49


Slide 50


Slide 51

2. Amplification attacks
a) keep us online
b) identify the source

Slide 52

SSDP: Amplification

Slide 53

UDP request-response [diagram: UDP Client sends request to UDP Server, UDP Server returns response]

Slide 54

Amplification [diagram: Attacker sends request to UDP Server, response goes to Target]

Slide 55

Amplification factor [diagram: Attacker sends 10-byte request to UDP Server, 100-byte response goes to Target]

Slide 56

Scale up! [diagram: Attacker sends requests to many UDP Servers, responses go to Target]

Slide 57

June 2017: SSDP
112 Gbps of traffic
5 Gbps of spoofing
940k exposed SSDP devices

Slide 58

2. Amplification attacks
a) keep us online
b) identify the source

Slide 59

Dispersed geographically

Slide 60

[diagram: 1.2.3.0/24 announced from Los Angeles, London, Amsterdam, Moscow, San Jose and New York]

Slide 61

Trivial to block
iptables -A INPUT \
  --dst 1.2.3.4 \
  -p udp --sport 1900 \
  -j DROP

Slide 62

2. Amplification attacks
a) keep us online
b) identify the source

Slide 63

Tracing back is impossible [diagram: Attacker, Reflector #1, Reflector #2, Reflector #3, Router]

Slide 64

Other amplifications
Count  Proto  Src port  Service
 3774  udp         123  NTP
 1692  udp        1900  SSDP
  438  udp           0  IP fragmentation (*)
  253  udp          53  DNS
   42  udp       27015  SRCDS
   20  udp          19  Chargen
   19  udp       20800  Call Of Duty
   16  udp         161  SNMP
   12  udp         389  CLDAP
   11  udp         111  Sunrpc
   10  udp         137  Netbios
    6  tcp          80  HTTP
    5  udp       27005  SRCDS
    2  udp         520  RIP

Slide 65

Amplification sizes
$ cat all-gbps |cut -d " " -f 1|~/bin/mmhistogram
Gbps min:0.04 avg:7.07 max:78.03 dev:9.06 count:6353
Gbps:
 value |-------------------------------------------------- count
     0 |****************                                     658
     1 |*************************                           1012
     2 |************************************************** 1947
     4 |******************************                      1176
     8 |****************                                     641
    16 |*******************                                  748
    32 |****                                                 157
    64 |                                                      14

Slide 66

• IP spoofing is bad
• You need network capacity
• Tracing back is impossible

Slide 67

How to fix it?

Slide 68

• IP spoofing is bad
• You need network capacity
• Tracing back is impossible

Slide 69

IP spoofing is the root of all evil

Slide 70

Promote BCP38

Slide 71

Report IP spoofing
• From spoofer.caida.org

Slide 72

Vendor defaults

Slide 73

Filtering is hard [diagram: Source, ISP 1, Internet Carrier A, Internet Carrier B, Destination; filter X]

Slide 74

We're left with the incompetent

Slide 75

• IP spoofing is bad
• You need network capacity
• Tracing back is impossible

Slide 76

BGP Flowspec to the rescue!

Slide 77

BGP Flowspec [diagram: Router under attack; Flowspec, Flowspec, Flowspec]

Slide 78


Slide 79

• https://conference.apnic.net/data/41/apricot-ddos-mitigation-using-flowspec_1456208439.pdf

Slide 80

Adoption = nil

Slide 81

BGP Flowspec success story
• RASCOM AS20764
• https://www.slideshare.net/pavel_odintsov/implementing-bgp-flowspec-at-ip-transit-network

Slide 82

• IP spoofing is bad
• You need network capacity
• Tracing back is impossible

Slide 83

Netflow / IPFIX!

Slide 84

How?

Slide 85

Netflow within one AS [diagram: Netflow collector; Netflow samples from each router]

Slide 86

Internet Carriers [diagram: Router, Internet Carrier, Customer #1, Customer #2, Customer #3]

Slide 87


Slide 88

Netflow
(netops)# nfdump -M db/waw01:lhr01 -R . -n2 -t -300 -s dstip/packets "in if 731"
Top 2 Dst IP Addr ordered by packets:
Dst IP Addr     Flows(%)       Packets(%)     Bytes(%)      pps      bps     bpp
173.245.58.40   1.0 M(77.0)    17.6 G(75.8)   1.1 T(22.6)   59.0 M   30.7 G   65
173.245.59.15   54962( 4.0)    910.3 M( 3.9)  75.5 G( 1.5)  3.1 M    2.0 G    82

Summary: total flows: 1361108, total bytes: 5087980650496, total packets: 23271079936, avg bps: 135599480319, avg pps: 77524526, avg bpp: 218
Total flows processed: 2457140, Blocks skipped: 0, Bytes read: 177251772
Sys: 0.210s flows/second: 11700666.7 Wall: 0.210s flows/second: 11654603.2

Slide 89

Netflow
• Open source toolchain is great
• Scales well
• Set high sampling rate - 1/64k flows
• Rotate logs every 72h

Slide 90

Internet exchanges

Slide 91

Internet Exchanges [diagram: L3 Router, Internet Exchange L2 switch, Local ISP #1, Local ISP #2, Local ISP #3]

Slide 92

Internet Exchanges
• sFlow
• IX charts
• mac-accounting
• IPFIX support for MAC addresses

Slide 93

Recap
• Prevent IP spoofing - BCP38
  • The root of all evil, unfixable in short time
• BGP flowspec firewall
  • A stop gap for capacity
• Netflow/IPFIX sampling
  • Gives visibility into your network. Solves attack attribution.

Slide 94

DDoS is fixable!
• https://blog.cloudflare.com
• https://github.com/cloudflare
marek@cloudflare.com @majek04

Slide 95


Slide 96

Mirai was different

Slide 97


Slide 98

Why IP Filtering must be on the edge

Slide 99

Filtering is hard [diagram: Internet Carrier A, Destination 5.6.7.8]

Slide 100

Filtering is hard [diagram: Source 1.2.3.4, ISP 1 (1.2.3.0/24), Internet Carrier A, Destination 5.6.7.8]

Slide 101

Filtering is hard [diagram: Source 1.2.3.4, ISP 1, Internet Carrier A, Internet Carrier B, Destination 5.6.7.8; 1.2.3.0/24 labelled on both carriers]

Slide 102

Filtering is hard [diagram: Source 1.2.3.4, ISP 1 (1.2.3.0/24), Source 4.3.2.1, ISP 2 (4.3.2.0/24), Internet Carrier A, Internet Carrier B, Destination 5.6.7.8]

Slide 103

Internet is asymmetric [diagram: Source 1.2.3.4, ISP 1, Internet Carrier A, Internet Carrier B, Destination 5.6.7.8]

Slide 104

Filter close to the source [diagram: Source, ISP 1, Internet Carrier A, Internet Carrier B, Destination; filter X]
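To make slides 99 to 104 concrete, here is an added example (mine, not from the talk) that models the routers from those diagrams with Python's ipaddress module and runs a strict and a loose uRPF source check at ISP 1's customer port and at Internet Carrier B's link from ISP 1. The interface names and the asymmetric route on Carrier B are assumptions built from the addresses on the slides.

```python
import ipaddress

class Router:
    """Toy router: longest-prefix-match table mapping prefixes to egress interfaces."""
    def __init__(self, name, routes):
        self.name = name
        self.routes = {ipaddress.ip_network(p): iface for p, iface in routes.items()}

    def egress_for(self, addr):
        addr = ipaddress.ip_address(addr)
        best = max((n for n in self.routes if addr in n), key=lambda n: n.prefixlen, default=None)
        return self.routes[best] if best is not None else None

    def urpf(self, src, arrived_on, mode="strict"):
        """Ingress source check. strict (BCP38/BCP84 uRPF): the best route back to src must
        point out the interface the packet arrived on. loose: any route to src will do."""
        egress = self.egress_for(src)
        if egress is None:
            return "drop: unroutable source"
        if mode == "strict" and egress != arrived_on:
            return f"drop: route to {src} points to {egress}, not {arrived_on}"
        return "accept"

# Constructed topology after the slides: ISP 1 owns 1.2.3.0/24 and is multihomed to Internet
# Carrier A and B; ISP 2 owns 4.3.2.0/24 and sits behind Carrier B; the target is 5.6.7.8.
isp1 = Router("ISP 1", {"1.2.3.0/24": "cust1", "0.0.0.0/0": "carrierA"})
# Assumed asymmetry (slide 103): Carrier B learned 1.2.3.0/24 only through Carrier A, yet
# ISP 1 sends its outbound packets over its direct link to Carrier B.
carrier_b = Router("Carrier B", {"1.2.3.0/24": "peerA", "4.3.2.0/24": "isp2",
                                 "5.6.7.0/24": "carrierA"})

def bcp38_at_edge():
    """At ISP 1's customer port only 1.2.3.0/24 is legitimate, so strict uRPF is exact."""
    return {src: isp1.urpf(src, "cust1") for src in ("1.2.3.4", "4.3.2.1", "8.8.8.8")}

def urpf_at_carrier(mode):
    """The same check on Carrier B's link from ISP 1: legitimate 1.2.3.4 vs spoofed 4.3.2.1."""
    return {src: carrier_b.urpf(src, "isp1", mode) for src in ("1.2.3.4", "4.3.2.1")}
```

At the edge the spoofed sources are dropped and the real one passes; at the carrier, strict mode drops the legitimate asymmetric traffic while loose mode lets the spoofed but routable 4.3.2.1 through, which is why the filter belongs close to the source.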