310 likes | 333 Views
This presentation explores the nature of attacks on internet infrastructure and covers topics such as DNS spoofing, DDoS attacks, route hijacks, and more. Learn about DNSSEC and how it can help secure the internet. Discover mitigation techniques for amplification attacks and source address filtering. Get insights into the latest news on internet routing security and the importance of RPKI.
E N D
Infrastructure Attack Vectors and Mitigation Benno Overeinder NLnet Labs
What Is Internet Infrastructure? • What makes the network of networks eventually the Internet • IP (v4/v6): protocol to exchange data between end-points • DNS: resolving human readable names to IP addresses • routing: inter-domain routing between networks, making IP addresses globally reachable • Thus presentation not about end-points • nothing about trojans, botnets, viruses, etc • it is about the network between the end-points
The Nature of Attacks on the Internet Infrastructure • DNS spoofing • redirect to websites that are “evil twins” • stealing personal information or money • DDoS amplification reflection attacks • knock-out competitor: business or in gaming • blackmailing: receive money to stop DDoS • Route hijacks • knock-out competitor or inspecting traffic • intention (malicious or mistake) difficult to assess
DNS Spoofing and DNSSEC • DNS Spoofing by cache poisoning • attacker flood a DNS resolver with phony information with bogus DNS results • by the law of large numbers, these attacks get a match and plant a bogus result into the cache • Man-in-the-middle attacks • redirect to wrong Internet sites • email to non-authorized email server
What is DNSSEC? the one slide version • Digital signatures are added to responses by authoritativeservers for a zone • Validating resolver can use signature to verify that response is not tampered with • Trust anchor is the key used to sign the DNS root • Signature validation creates a chain of overlapping signatures from trust anchor to signature of response credits Geoff Huston
DNSSEC and Validation in a single picture . DS record .nl. + signature 4 A record www.nlnetlabs.nl. + signature .nl. DS record .nlnetlabs.nl. + signature DNSKEY record .nl. + signature 1 3 validating resolver .nlnetlabs.nl. DNSKEY record .nlnetlabs.nl. + signature local root key (preloaded) 2 5
DNSSEC Deployment • Open source authoritative DNS name servers supporting DNSSEC • e.g., NSD, BIND 9, and Knot • Open source DNSSEC validating resolvers • e.g., Unbound, BIND 9 • Google Public DNS – DNSSEC validation • 8.8.8.8 and 8.8.4.4 • 2001:4860:4860::8888 and 2001:4860:4860::8844
DNSSEC and Community RIPE IETF DNSOP Working Group at IETF meetings DNSOP Working Group mailing list dnsop@ietf.org RFC on operational practiceshttp://tools.ietf.org/html/rfc6781 • DNS Working Group at RIPE meetings • DNS Working Group mailing list dns-wg@ripe.net • DNSSEC training course http://www.ripe.net/lir-services/training/courses
Other References to DNSSEC • ISOC Deploy360 • http://www.internetsociety.org/deploy360/dnssec/ • information on basics, deployment, training, etc. • DNSSEC Deployment Initiative • https://www.dnssec-deployment.org • mailing list dnssec-deployment@dnssec-deployment.org • OpenDNSSEC • open-source turn-key solution for DNSSEC • www.opendnssec.org
Spoofed Source Address Attacks query www.example.com source address 9.8.7.6 victim 9.8.7.6 attacker 1.2.3.4 20-50 bytes A record [+ signature] destination address 9.8.7.6 avg. around 600 bytes DNS server auth/resolver
Recent DDoS Attacks with Spoofed Traffic • The new normal: 200-400 GbpsDDoS Attacks • March 2013: 300 GbpsDDoS attack • victim Spamhaus • DNS amplication attack • [offender arrested by Spanish police and handed over to Dutch police] • Februari 2014: 400 GbpsDDoS attack • victim customers of CloudFlare • NTP amplification
Mitigation to Amplification Attacks • DNS amplification attacks • response rate limiting (RRL) • RRL available in NSD, BIND 9, and Knot • NTP • secure NTP template from Team Cymru http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
… or BCP38 and Filter Spoofed Traffic • BCP 38 (and related BCP 84) • Filter your customers • strict filter traffic from your customers • strict unicast reverse path forwarding (uRPF) • don’t be part of the problem • Filter your transit • difficult to strict filter your transit • feasible or loose uRPF • feasible not well supported by hardware vendors
Address Spoofing and Community RIPE IETF and others BCP 38 and BCP 84 IETF SAVI WG Open Resolver Project openresolverproject.org Open NTP Project openntpproject.org • RIPE meetings in plenary and working groups • RIPE document 431 and 432 • http://www.ripe.net/ripe/docs/ripe-431 • http://www.ripe.net/ripe/docs/ripe-432 • RIPE training course http://www.ripe.net/lir-services/training/courses
Recent News on Internet Routing Security • April 2, 2014: “Indonesia Hijacks the World” • Indosat leaked over 320,000 routes (out of 500,000) of the global routing table multiple times over a two-hour period • claimed that it “owned” many of the world’s networks • few hundred were widely accepted • 0.2% low impact (5-25% of routes) • 0.06% medium impact (25-50% of routes) • 0.03% high impact (more than 50% of routes) • for details see http://www.renesys.com/2014/04/indonesia-hijacks-world/
Less Recent News on Internet Routing Security • April 8, 2010: “China Hijacks 15% of the Internet” • 50,000 of 340,000 IP address blocks makes 15% • for roughly 15 minutes • Hijacking 15% of the routes, does not imply 15% of Internet traffic • More realistic guesses • order of 1% to 2% traffic actually diverted • much less in Europe and US • order of 0.015% based on 80 ATLAS ISP observations • but still an estimation
Even Less Recent News on Internet Routing Security • February 2008: Pakistan’s attempt to block YouTube access within their country takes down YouTube globally • mistakenly the YouTube block was also sent to a network outside of Pakistan, and propagated • August 2008: Kapela & Pilosov showed effective man-in-the-middle attack • already known to the community, but never tested in real
Old News on Internet Routing Security • January 2006: Con-Edison hijacks a chunk of the Internet • December 24, 2004: TTNet in Turkey hijacks the Internet (aka Christmas Turkey hijack) • May 2004: Malaysian ISP blocks Yahoo Santa Clara data center • May 2003: Northrop Grumman hit by spammers • April 1997: The "AS 7007 incident”, maybe the earliest notable example?
Today’s Routing Infrastructure is Insecure • The Border Gateway Protocol (BGP) is the sole inter-domain routing protocol used • BGP is based on informal trust models • routing by rumor • business agreements between networks • Routing auditing is a low value activity • and not always done with sufficient thoroughness
IP Hijacking Explained D A 213.154/16: A 213.154/16: C, A C 213.154/16: A 213.154/16: E 213.154/16: E 213.154/16: C, A B E
Typical Threats • Derivation of traffic (man-in-the-middle) • third party inspection, denial of service, subversion • Dropping traffic • denial of service, compound attacks • Adding false addresses • support for compound attacks • Isolating/removing routers from the network
Current Methods to Secure Routing Infrastructure • Filtering, filtering, filtering, … • IP prefix filtering • AS path filtering • max prefix filtering • Monitoring IP prefix / AS path • detect changes in route origin announcement • services provided by e.g. RIPE NCC, open source projects, and commercial partners • However, there is no trusted and authoritative data repository
Secure Inter-Domain Routing • Focus of the IETF Secure Inter-Domain Routing (SIDR) working group • Create trusted and authoritative resource data infrastructure • IP addresses and AS networks • Improve on IP prefix filtering and AS path filtering • who holds the “right-of-usage” of a resource
Resource PKI: First Step to Improve Security • Regional Internet Registries (RIPE, APNIC, etc.) issue resource certificates • proof of ownership of resources (IP addresses) • … and recursively repeated by NIR/LIR/… • owner of IP addresses publishes signed route origin attestations • private key signed ROA states right of use of addresses by a network (the route origin) • ISPs can validate BGP routing announcements • validate ownership of route origin by checking signature in ROA with public key in resource certificate
Routing with RPKI Explained D A ✔ 213.154/16: A 213.154/16: C, A ✗ C ✔ ✗ 213.154/16: A 213.154/16: E 213.154/16: E 213.154/16: C, A B ✔ E ✔
Routing Security and Community RIPE IETF and others IETF SIDR WG for RPKI and BGPSEC protocol standardization IETF GROW WG on operational problems ISOC Deploy360 Programme http://www.internetsociety.org/deploy360/securing-bgp/tools/ • Enable RPKI in RIPE LIR portal for your resources • RPKI origin validation in Cisco, Juniper, Alcatel-Lucent, … and open source software Quagga and BIRD • RIPE meetings in plenary and Routing WG routing-wg@ripe.net
Summary • Internet a dangerous place? • yes/no, not different from the real world • We have a shared responsibility in securing our infrastructure (the Internet is you!) • deploy DNSSEC • BCP 38and BCP 84 • route filtering and RPKI • Excellent training courses by RIPE NCC • Contact me or staff of RIPE NCC for questions