http://www.nlnetlabs.nl/
Infrastructure Attack Vectors and Mitigation
Benno Overeinder
NLnet Labs
http://www.nlnetlabs.nl/ NLnetLabs
What Is Internet Infrastructure?
• What makes the network of networks eventually the Internet
– IP (v4/v6): protocol to exchange data between end-points
– DNS: resolving human readable names to IP addresses
– routing: inter-domain routing between networks, making IP addresses globally reachable
• Thus this presentation is not about end-points
– nothing about trojans, botnets, viruses, etc.
– it is about the network between the end-points
The Nature of Attacks on the Internet Infrastructure
• DNS spoofing
– redirect to websites that are “evil twins”
– stealing personal information or money
• DDoS amplification reflection attacks
– knock-out competitor: business or in gaming
– blackmailing: receive money to stop DDoS
• Route hijacks
– knock-out competitor or inspecting traffic
– intention (malicious or mistake) difficult to assess
DNS Spoofing and DNSSEC
DNS Spoofing and DNSSEC
• DNS spoofing by cache poisoning
– attacker floods a DNS resolver with phony information: bogus DNS results
– by the law of large numbers, these attacks get a match and plant a bogus result into the cache
• Man-in-the-middle attacks
– redirect to wrong Internet sites
– email delivered to a non-authorized email server
What is DNSSEC?
• Digital signatures are added to responses by authoritative servers for a zone
• Validating resolver can use signature to verify that response is not tampered with
• Trust anchor is the key used to sign the DNS root
• Signature validation creates a chain of overlapping signatures from trust anchor to signature of response
the one slide version
credits Geoff Huston
DNSSEC and Validation (in a single picture)
[Figure: a validating resolver holding a local root key (preloaded) follows the chain in five steps: DS record .nl. + signature, DNSKEY record .nl. + signature, DS record .nlnetlabs.nl. + signature, DNSKEY record .nlnetlabs.nl. + signature, A record www.nlnetlabs.nl. + signature]
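The chain walk from the picture, as an added example that is not part of the slides: a validator starts from the preloaded root key, checks each DS record's signature against the parent key, checks that the DS digest matches the child's DNSKEY, and finally checks the signature on the response. Toy-size textbook RSA with constructed primes stands in for the real signing algorithms, and the zone names, keys and the 192.0.2.10 address are constructed.

```python
import hashlib

# Toy-size textbook RSA stands in for the DNSSEC signing algorithm; the tiny
# constructed primes give real asymmetric signatures but no security at all.
E = 65537

def keygen(p, q):                      # returns (public, private)
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))
def sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)
def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def ds_digest(zone):
    """DS content: hash over the child's owner name and its DNSKEY (public key)."""
    return hashlib.sha256(zone["name"].encode() + repr(zone["pub"]).encode()).digest()

def make_zone(name, parent, p, q):
    """One key per zone; the parent publishes the child's DS and signs it."""
    pub, priv = keygen(p, q)
    zone = {"name": name, "pub": pub, "priv": priv}
    if parent is not None:
        zone["ds"] = ds_digest(zone)
        zone["ds_sig"] = sign(parent["priv"], zone["ds"])
    return zone

def validate(trust_anchor, chain, rrset, rrsig):
    """Walk from the preloaded root key down to the signed response;
    chain lists the zones from the root to the one whose key signed rrset."""
    if chain[0]["pub"] != trust_anchor:
        return False, "root DNSKEY does not match the local trust anchor"
    parent_pub = trust_anchor
    for zone in chain[1:]:
        if not verify(parent_pub, zone["ds"], zone["ds_sig"]):
            return False, f"DS for {zone['name']} not signed by its parent"
        if zone["ds"] != ds_digest(zone):          # DS <-> DNSKEY link
            return False, f"DNSKEY of {zone['name']} does not match the DS"
        parent_pub = zone["pub"]                   # step down one level
    if not verify(parent_pub, rrset, rrsig):
        return False, "response signature invalid: tampered or spoofed"
    return True, "secure"

# Constructed zones mirroring the figure: root -> nl. -> nlnetlabs.nl.
ROOT = make_zone(".", None, 1000003, 999983)
NL = make_zone("nl.", ROOT, 104729, 104723)
NLNETLABS = make_zone("nlnetlabs.nl.", NL, 7919, 7907)
CHAIN = [ROOT, NL, NLNETLABS]
RRSET = b"www.nlnetlabs.nl. A 192.0.2.10"          # constructed address
RRSIG = sign(NLNETLABS["priv"], RRSET)
```

A poisoned A record fails at the last step, while an attacker who swaps in his own DNSKEY for nlnetlabs.nl. fails one step earlier because the parent-signed DS no longer matches it.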
DNSSEC Deployment
• Open source authoritative DNS name servers supporting DNSSEC
– e.g., NSD, BIND 9, and Knot
• Open source DNSSEC validating resolvers
– e.g., Unbound, BIND 9
• Google Public DNS – DNSSEC validation
– 8.8.8.8 and 8.8.4.4
– 2001:4860:4860::8888 and 2001:4860:4860::8844
DNSSEC and Community
RIPE
• DNS Working Group at RIPE meetings
• DNS Working Group mailing list [email protected]
• DNSSEC training course http://www.ripe.net/lir-services/training/courses
IETF
• DNSOP Working Group at IETF meetings
• DNSOP Working Group mailing list [email protected]
• RFC on operational practices http://tools.ietf.org/html/rfc6781
Other References to DNSSEC
• ISOC Deploy360
– http://www.internetsociety.org/deploy360/dnssec/
– information on basics, deployment, training, etc.
• DNSSEC Deployment Initiative
– https://www.dnssec-deployment.org
– mailing list dnssec-deployment@dnssec-deployment.org
• OpenDNSSEC
– open-source turn-key solution for DNSSEC
– www.opendnssec.org
Amplification Attacks and Source Address Filtering
Spoofed Source Address Attacks
[Figure: the attacker (1.2.3.4) sends a query for www.example.com to a DNS server (authoritative or resolver) with the victim's address 9.8.7.6 as source address; the query is 20-50 bytes, while the A record response [+ signature], on average around 600 bytes, is delivered to destination address 9.8.7.6]
DNS Amplification Attack
Recent DDoS Attacks with Spoofed Traffic
• The new normal: 200-400 Gbps DDoS attacks
• March 2013: 300 Gbps DDoS attack
– victim Spamhaus
– DNS amplification attack
– [offender arrested by Spanish police and handed over to Dutch police]
• February 2014: 400 Gbps DDoS attack
– victim customers of CloudFlare
– NTP amplification
Mitigation to Amplification Attacks
• DNS amplification attacks
– response rate limiting (RRL)
– RRL available in NSD, BIND 9, and Knot
• NTP
– secure NTP template from Team Cymru http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
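How response rate limiting blunts the reflection shown on the spoofed-source slide, as an added model that is not code from NSD, BIND 9 or Knot: responses are counted per (client /24, question) per second, and past the limit only every slip-th response goes out truncated so a real client can retry over TCP. The limit and slip values and the traffic below are constructed.

```python
from collections import defaultdict
import ipaddress

class ResponseRateLimiter:
    """Model of DNS response rate limiting (RRL): identical responses towards
    the same client /24 are counted per second; above the limit every
    `slip`-th response goes out truncated (TC) so real clients retry over
    TCP, the rest are dropped. Parameters model the idea, not any server's
    exact configuration knobs."""

    def __init__(self, limit=5, slip=2):
        self.limit, self.slip = limit, slip
        self.counts = defaultdict(int)

    def decide(self, src_ip, qname, qtype, second):
        net = ipaddress.ip_network(f"{src_ip}/24", strict=False)
        key = (net, qname, qtype, second)          # one bucket per response
        self.counts[key] += 1
        over = self.counts[key] - self.limit
        if over <= 0:
            return "answer"
        if self.slip and over % self.slip == 0:
            return "truncate"     # tiny TC reply: nothing left to amplify
        return "drop"

def simulate(queries, limit=5, slip=2):
    """queries: (src_ip, qname, qtype, second) tuples; returns action counts."""
    rrl = ResponseRateLimiter(limit, slip)
    tally = defaultdict(int)
    for q in queries:
        tally[rrl.decide(*q)] += 1
    return dict(tally)

# Constructed traffic: 50 spoofed queries carrying the victim's address
# 9.8.7.6 as source (as in the slide) and a few ordinary lookups.
SPOOFED = [("9.8.7.6", "www.example.com", "A", 0)] * 50
NORMAL = [(f"198.51.100.{i}", f"host{i}.example.com", "A", 0) for i in range(5)]
```

Of the 50 spoofed queries only 5 draw a full-size answer towards the victim; the ordinary lookups, each in its own bucket, are all answered.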
… or BCP38 and Filter Spoofed Traffic
• BCP 38 (and related BCP 84)
• Filter your customers
– strictly filter traffic from your customers
– strict unicast reverse path forwarding (uRPF)
– don’t be part of the problem
• Filter your transit
– difficult to strictly filter your transit
– feasible-path or loose uRPF instead
– feasible-path uRPF not well supported by hardware vendors
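The strict versus loose uRPF distinction from the slide, as an added example not taken from the talk: a small forwarding table, a longest-prefix lookup, and a per-port policy that applies strict uRPF on customer ports and loose uRPF on transit. The FIB, interface names and the 198.51.100.0/24 and 203.0.113.0/24 customer prefixes are constructed; 1.2.3.4 and 9.8.7.6 are the attacker and victim addresses from the slide.

```python
import ipaddress

# Constructed FIB of an access router: (prefix, outgoing interface).
# 198.51.100.0/24 is the only prefix delegated to the customer on port cust1.
FIB = [
    ("0.0.0.0/0", "transit0"),
    ("198.51.100.0/24", "cust1"),
    ("203.0.113.0/24", "cust2"),
    ("9.8.7.0/24", "transit0"),        # the victim's network lies upstream
]
ROUTES = [(ipaddress.ip_network(p), iface) for p, iface in FIB]

def lookup(addr):
    """Longest-prefix match; returns (prefix, interface) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTES:
        if a in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best

def urpf(src, ingress, mode="strict"):
    """Unicast reverse path forwarding check on a packet's source address.
    strict: the best route back to the source must leave via the ingress
    interface; loose: any route other than the default suffices."""
    hit = lookup(src)
    if hit is None or hit[0].prefixlen == 0:       # unroutable or default only
        return False
    return hit[1] == ingress if mode == "strict" else True

def bcp38_ingress(src, ingress):
    """Per-port policy from the slide: strict uRPF on customer ports (filter
    your customers), loose uRPF on transit ports where strict is impractical."""
    mode = "strict" if ingress.startswith("cust") else "loose"
    return urpf(src, ingress, mode)
```

A customer packet claiming the victim's 9.8.7.6 as source is dropped at the edge, which is exactly the point of BCP 38: the reflector never sees it.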
Address Spoofing and Community
RIPE
• RIPE meetings in plenary and working groups
• RIPE document 431 and 432
– http://www.ripe.net/ripe/docs/ripe-431
– http://www.ripe.net/ripe/docs/ripe-432
• RIPE training course http://www.ripe.net/lir-services/training/courses
IETF and others
• BCP 38 and BCP 84
• IETF SAVI WG
• Open Resolver Project openresolverproject.org
• Open NTP Project openntpproject.org
Route Hijacks and RPKI
Recent News on Internet Routing Security
• April 2, 2014: “Indonesia Hijacks the World”
– Indosat leaked over 320,000 routes (out of 500,000) of the global routing table multiple times over a two-hour period
– claimed that it “owned” many of the world’s networks
– a few hundred were widely accepted
• 0.2% low impact (5-25% of routes)
• 0.06% medium impact (25-50% of routes)
• 0.03% high impact (more than 50% of routes)
– for details see http://www.renesys.com/2014/04/indonesia-hijacks-world/
Less Recent News on Internet Routing Security
• April 8, 2010: “China Hijacks 15% of the Internet”
– 50,000 of 340,000 IP address blocks makes 15%
– for roughly 15 minutes
• Hijacking 15% of the routes does not imply 15% of Internet traffic
• More realistic guesses
– order of 1% to 2% traffic actually diverted
• much less in Europe and US
– order of 0.015% based on 80 ATLAS ISP observations
• but still an estimation
Even Less Recent News on Internet Routing Security
• February 2008: Pakistan’s attempt to block YouTube access within their country takes down YouTube globally
– mistakenly, the YouTube block was also sent to a network outside of Pakistan, and propagated
• August 2008: Kapela & Pilosov showed effective man-in-the-middle attack
– already known to the community, but never tested for real
Old News on Internet Routing Security
• January 2006: Con-Edison hijacks a chunk of the Internet
• December 24, 2004: TTNet in Turkey hijacks the Internet (aka Christmas Turkey hijack)
• May 2004: Malaysian ISP blocks Yahoo Santa Clara data center
• May 2003: Northrop Grumman hit by spammers
• April 1997: The "AS 7007 incident”, maybe the earliest notable example?
Today’s Routing Infrastructure is Insecure
• The Border Gateway Protocol (BGP) is the sole inter-domain routing protocol used
• BGP is based on informal trust models
– routing by rumor
– business agreements between networks
• Routing auditing is a low value activity
– and not always done with sufficient thoroughness
IP Hijacking Explained
[Figure: five networks A, B, C, D and E; A originates 213.154/16 (“213.154/16: A”) and its neighbours pass it on with paths such as “213.154/16: C, A”; E also announces “213.154/16: E”, so the other networks receive both the A-origin and the E-origin announcements for the same prefix]
Typical Threats
• Diversion of traffic (man-in-the-middle)
– third party inspection, denial of service, subversion
• Dropping traffic
– denial of service, compound attacks
• Adding false addresses
– support for compound attacks
• Isolating/removing routers from the network
Current Methods to Secure Routing Infrastructure
• Filtering, filtering, filtering, …
– IP prefix filtering
– AS path filtering
– max prefix filtering
• Monitoring IP prefix / AS path
– detect changes in route origin announcement
– services provided by e.g. RIPE NCC, open source projects, and commercial partners
• However, there is no trusted and authoritative data repository
Secure Inter-Domain Routing
• Focus of the IETF Secure Inter-Domain Routing (SIDR) working group
• Create trusted and authoritative resource data infrastructure
– IP addresses and AS networks
• Improve on IP prefix filtering and AS path filtering
– who holds the “right-of-usage” of a resource
Resource PKI: First Step to Improve Security
• Regional Internet Registries (RIPE, APNIC, etc.) issue resource certificates
– proof of ownership of resources (IP addresses)
– … and recursively repeated by NIR/LIR/…
• Owner of IP addresses publishes signed route origin attestations
– private key signed ROA states right of use of addresses by a network (the route origin)
• ISPs can validate BGP routing announcements
– validate ownership of route origin by checking signature in ROA with public key in resource certificate
Routing with RPKI Explained
[Figure: the same five networks and announcements as on the IP hijacking slide, now with origin validation marks: the announcements originating at A (“213.154/16: A” and “213.154/16: C, A”) are marked ✔ and the announcements originating at E (“213.154/16: E”) are marked ✗]
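The ✔/✗ decisions of the figure as route origin validation in the RFC 6811 sense, an added example that is not part of the talk: each announcement's origin AS is compared against the ROAs covering the prefix, giving Valid, Invalid or NotFound. The AS numbers (documentation range, A = 64496, E = 64500), the AS paths and the second ROA are constructed; 213.154/16 is the prefix from the figure.

```python
import ipaddress

# Constructed ROAs. The ASNs come from the documentation range (RFC 5398)
# and stand in for the lettered networks of the figure: A = 64496, E = 64500.
ROAS = [
    ("213.154.0.0/16", 16, 64496),     # A may originate exactly the /16
    ("203.0.113.0/24", 24, 64497),
]

def validate_origin(announced_prefix, origin_as, roas=ROAS):
    """RFC 6811 route origin validation: Valid, Invalid or NotFound."""
    announced = ipaddress.ip_network(announced_prefix)
    covering = []
    for p, maxlen, asn in roas:
        roa_prefix = ipaddress.ip_network(p)
        if roa_prefix.version == announced.version and announced.subnet_of(roa_prefix):
            covering.append((maxlen, asn))
    if not covering:                        # no ROA says anything about it
        return "NotFound"
    for maxlen, asn in covering:
        if asn == origin_as and announced.prefixlen <= maxlen:
            return "Valid"
    return "Invalid"                        # covered, but wrong origin or too specific

def policy(prefix, as_path):
    """Common operator policy: drop Invalid, accept Valid and NotFound.
    The origin AS is the last element of the AS path."""
    state = validate_origin(prefix, as_path[-1])
    return state, state != "Invalid"

# Announcements from the figure, with constructed AS numbers and paths.
ANNOUNCEMENTS = [
    ("213.154.0.0/16", [64496]),             # "213.154/16: A"
    ("213.154.0.0/16", [64498, 64496]),      # "213.154/16: C, A"
    ("213.154.0.0/16", [64500]),             # "213.154/16: E" (the hijack)
    ("213.154.0.0/24", [64500]),             # more-specific hijack attempt
    ("192.0.2.0/24", [64499]),               # prefix without any ROA
]

def evaluate(announcements=ANNOUNCEMENTS):
    return [policy(p, path)[0] for p, path in announcements]
```

The more-specific /24 from E is Invalid as well, because the ROA's maxLength of 16 only authorises the /16 itself; a prefix with no ROA at all stays NotFound and is still accepted under this policy.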
Routing Security and Community
RIPE
• Enable RPKI in RIPE LIR portal for your resources
• RPKI origin validation in Cisco, Juniper, Alcatel-Lucent, … and open source software Quagga and BIRD
• RIPE meetings in plenary and Routing WG [email protected]
IETF and others
• IETF SIDR WG for RPKI and BGPSEC protocol standardization
• IETF GROW WG on operational problems
• ISOC Deploy360 Programme http://www.internetsociety.org/deploy360/securing-bgp/tools/
Summary
• Internet a dangerous place?
– yes/no, not different from the real world
• We have a shared responsibility in securing our infrastructure (the Internet is you!)
– deploy DNSSEC
– BCP 38 and BCP 84
– route filtering and RPKI
• Excellent training courses by RIPE NCC
• Contact me or staff of RIPE NCC for questions