Upload
shareef-ghouse
View
230
Download
0
Embed Size (px)
Citation preview
8/3/2019 Car Nbar Layer2 Block
1/34
8/3/2019 Car Nbar Layer2 Block
2/34
222222SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Network Attack & Threat MitigationTim Ryan
Systems Engineer Cisco SystemsSoutheast Coastal Operation
8/3/2019 Car Nbar Layer2 Block
3/34
333333SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
PolicyThe Security Foundation
Enterprise-widesecurity policy
Who can seewhat information?
Who can change it?
From where?
How protected is it?What are the assets ?
What is the cost ?
UNIVERSALPASSPORT
USA
8/3/2019 Car Nbar Layer2 Block
4/34
444444SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
The Security E-Co System
Security Functions atseveral layers.
Client / Server
Software Firewalls
Intrusion Detection
URL filtering
Virus Checking
Encryption
User Authentication
ApplicationsServers
Network Access& User Access
Intrusion DetectionFirewalls
Authentication
Logging
Physical Access
8/3/2019 Car Nbar Layer2 Block
5/34
555555SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Security Agenda
Denial of Service Attack Limiting
Code Red/Nimda Threat Mitigation
Intrusion Detection Considerations
Ethernet Switch Attacks Layer 2
8/3/2019 Car Nbar Layer2 Block
6/34
666666SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Rate Limiting as a Security Tool
Why would anyone want to send over 45
Mbps of ICMP Traffic?If they did, how would you stop it?
Answer - Rate Limit the badtraffic
Committed Access Rate (CAR)
8/3/2019 Car Nbar Layer2 Block
7/34777777SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Committed Access Rate to MinimizeDDOS/DOS attacks
The Internet Customers
Layer-3CAR Filter
Layer-3 Input and Output Rate Limits specifically Input RateLimits
Security Filters use the Input Rate Limit to drop packets beforethere are forwarded through the network.
Aggregate and Granular Limits
Port, MAC address, IP address, application, precedence
Excess Burst Policies
8/3/2019 Car Nbar Layer2 Block
8/34888888SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Rate Limiting as a Security Tool
Limit all ICMP echo and echo-reply traffic received at the borders to256 Kbps with a small amount of burst:
! traffic we want to limit
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
! interface configurations for borders
interface Serial3/0/0
rate-limit input access-group 102 256000 8000
8000 conform-action transmit exceed-action drop Multiple rate-limit commands can be added to an interface in order
to control other kinds of traffic as well.From:
http://www.cisco.com/warp/public/707/newsflash.html
8/3/2019 Car Nbar Layer2 Block
9/34999999SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Rate Limiting as a Security Tool
Use CAR to limit TCP SYN floods to particular hosts --without impeding existing connections. Someattackers have started using very high streams of TCPSYN packets in order to harm systems.
This example limits TCP SYN packets directed at host 10.0.0.1 to 8 kbps or
so:! We don't want to limit established TCP sessions -- non-SYN packets
access-list 103 deny tcp any host 10.0.0.1 established
! We do want to limit the rest of TCP (this really only
includes SYNs)access-list 103 permit tcp any host 10.0.0.1
! interface configurations for network borders
interface Serial3/0/0
rate-limit input access-group 103 8000 8000 8000
conform-action transmit exceed-action drop
8/3/2019 Car Nbar Layer2 Block
10/34101010101010SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
ISP and Enterprise Security
Strategies to protect against DDOS attacks..
http://www.cisco.com/warp/public/707
White papers here contain information to help you:
understand how DDoS attacks are orchestrated
recognize programs used to facilitate DDoS attacks
apply measures to prevent the attacks
gather forensic information if you suspect an attack
learn more about host security
8/3/2019 Car Nbar Layer2 Block
11/34111111111111SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Code Red / Nimda Detection and Control
Host IDS will stop thisperiod.
Patched Microsoft Servers will stop this per Microsoft
Intrusion Detection Sensors will alarmon this and can then block attacks
NBAR- Configured on a Cisco Routerwill stop most attacks
8/3/2019 Car Nbar Layer2 Block
12/34121212121212SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
NBARNetwork Based Application Recognition
Tag Data coming into your Network
policy-map police-inbound-http-hacksclass http-hacksset ip dscp 1
Int ethernet 0/0service-policy input mark-inbound-http-hackclass-map match-any http-hacks
match protocol http url "*default.ida*"match protocol http url "*x.ida*"match protocol http url "*.ida*"match protocol http url "*cmd.exe*"match protocol http url "*root.exe*"match protocol http url "*readme.exe*"
match protocol http url "*readme.eml*"
ISPNetwork Customer
Network
Egress from the Internet
Drop Data before it enters networkpolicy-map drop-http-hacks
class http-hackspolice 8000 8000 8000 conform-ac
drop exceed-action drop
interface Eth 0/0service-policy input drop-inbound-
http://www.cisco.com/warp/public/63
/
8/3/2019 Car Nbar Layer2 Block
13/34131313131313SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Intrusion Detection Systems
Host and network
both have their place
False positives
Placement
Alarm or enforce?
SiSi
Attacker
Public Services
Internal Services
Internal Users
8/3/2019 Car Nbar Layer2 Block
14/3414
SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Layer 2 Insecurity
Fun with Dsniff
8/3/2019 Car Nbar Layer2 Block
15/34151515151515
SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Switches vs. Hubs
Hubs
-Single broadcast domain
-All ports see all traffic
-Sniffers work everywhere
Switches
-Multiple broadcast domains, VLANs, etc
-All ports see all broadcasts and trafficdestined for their MAC
-Sniffers work only on SPAN/mirror ports?
8/3/2019 Car Nbar Layer2 Block
16/34161616161616
SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
ARP Refresher
An ARP request messageshould be placed in a hardwareframe and broadcast to allcomputers on the network.
Each computer receives therequest and examines the IPaddress.
The computer mentioned in therequest sends a response; all
other computers process anddiscard the request withoutsending a response.
8/3/2019 Car Nbar Layer2 Block
17/34171717171717
SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Gratuitous ARP
HOST W: Hey everyone Im host W and my IP Address is 1.2.3.4and my MAC address is 12:34:56:78:9A:BC
Gratuitous ARP is used by hosts to "announce" their IP address to thelocal network and avoid duplicate IP addresses on the network.Routers and other network hardware may use cache informationgained from gratuitous ARPs.
Gratuitous ARP is a broadcast packet (like an ARP request)
8/3/2019 Car Nbar Layer2 Block
18/34181818181818
SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Hey Tim!. Why do I care?
ARP has no security or ownership of IP or MAC addresses
What if we did the following?
Host W: Hey everyone Im the router and my IP Address is1.2.3.1 and my MAC address is 12:34:56:78:9A:BC
(wait 5 seconds)
Host W: Hey everyone Im the router and my IP Address is
1.2.3.1 and my MAC address is 12:34:56:78:9A:BC
1.2.3.0/24
Host W
.4
.1
Host Y
.2
Host X
.3
8/3/2019 Car Nbar Layer2 Block
19/34191919191919
SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Test
Host X and Y will likely ignore the message unless theycurrently have an ARP table entry for 1.2.3.1
When host Y requests the MAC of 1.2.3.1 the real router willreply and communications will work until the timer on the
gratuitous ARP (GARP?) kicks off Host Y then receives the GARP and updates his ARP table and
starts sending all traffic destined for 1.2.3.1 to host W.
Even a static ARP entry for 1.2.3.1 on Y will get overwritten bythe GARP on some OSs (NT4 for sure)
1.2.3.0/24
Host W
.4
.1
Host Y
.2
Host X
.3
8/3/2019 Car Nbar Layer2 Block
20/34
202020202020SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Dug Song, Author of dsniff
Dsniff Is Not Your Friend
ARP spoofing
MAC flooding
Selective sniffing
SSH / SSL Interception
www.monkey.org/~dugsong/dsniff
8/3/2019 Car Nbar Layer2 Block
21/34
212121212121SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Arpspoof in Action
C:\>test
C:\>arp -d 15.1.1.1
C:\>ping -n 1 15.1.1.1
Pinging 15.1.1.1 with 32 bytes of data:
Reply from 15.1.1.1: bytes=32 timearp -a
Interface: 15.1.1.26 on Interface 2
Internet Address Physical Address Type
15.1.1.1 00-04-4e-f2-d8-01 dynamic15.1.1.25 00-10-83-34-29-72 dynamic
C:\>arp -a
Interface: 15.1.1.26 on Interface 2
Internet Address Physical Address Type
15.1.1.1 00-10-83-34-29-72 dynamic
15.1.1.25 00-10-83-34-29-72 dynamic
[root@sconvery-lnx dsniff-2.3]# ./arpspoof 15.1.1.1
0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply
15.1.1.1 is-at 0:4:4e:f2:d8:1
0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply
15.1.1.1 is-at 0:4:4e:f2:d8:1
0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply
15.1.1.1 is-at 0:4:4e:f2:d8:1
0:4:43:f2:d8:1 ff:ff:ff:ff:ff:ff 0806 42: arp reply
15.1.1.1 is-at 0:4:4e:f2:d8:1
8/3/2019 Car Nbar Layer2 Block
22/34
222222222222SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
More on Arpspoof
All Traffic now flows through machine runningdsniff in a half-duplex manner
Not quite a sniffer but fairly close Port security doesnt help
Note that attack could be generated in theopposite direction by spoofing the destination
host when the router sends its ARP request(more difficult because of race condition)
8/3/2019 Car Nbar Layer2 Block
23/34
232323232323SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Promiscuous
Port
Promiscuous
Port
CommunityA
CommunityB
IsolatedPorts
Primary VLAN
Community VLAN
Community VLAN
Isolated VLAN
Only One Subnet!
x x x x
ARP Spoof Mitigation: Private VLANs
Consider Local Proxy ARP as an option for host to host communication withoutbroadcasts
8/3/2019 Car Nbar Layer2 Block
24/34
242424242424SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Catalyst CAM Tables
Catalyst switches use hash to place MAC in CAM table
A B C
D E F G
H
I
J K
L M N O P Q R S
1
2
3
.
.
.
16,00063 bits of source (MAC, VLAN, misc) creates a 17 bit hash value.
-if the value is the same there are 8 columns to place CAM entries, if all 8 are
filled the packet is flooded
TFlooded!
8/3/2019 Car Nbar Layer2 Block
25/34
252525252525SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
MAC Flooding switches with Dsniff
[root@sconvery-lnx dsniff-2.3]# ./macof
101.59.29.36 -> 60.171.137.91 TCP D=55934 S=322 Syn Seq=1210303300 Len=0 Win=512
145.123.46.9 -> 57.11.96.103 TCP D=44686 S=42409 Syn Seq=1106243396 Len=0 Win=52
109.40.136.24 -> 51.158.227.98 TCP D=59038 S=21289 Syn Seq=2039821840 Len=0 Win2
126.121.183.80 -> 151.241.231.59 TCP D=7519 S=34044 Syn Seq=310542747 Len=0 Win2
211.28.168.72 -> 91.247.223.23 TCP D=62807 S=53618 Syn Seq=2084851907 Len=0 Win2
183.159.196.56 -> 133.10.138.87 TCP D=23929 S=51034 Syn Seq=1263121444 Len=0 Wi2
19.113.88.77 -> 16.189.146.61 TCP D=1478 S=56820 Syn Seq=609596358 Len=0 Win=512
237.162.172.114 -> 51.32.8.36 TCP D=38433 S=31784 Syn Seq=410116516 Len=0 Win2
118.34.90.6 -> 61.169.58.50 TCP D=42232 S=31424 Syn Seq=1070019027 Len=0 Win=52
46.205.246.13 -> 72.165.185.7 TCP D=56224 S=34492 Syn Seq=937536798 Len=0 Win=52
105.109.246.116 -> 252.233.209.72 TCP D=23840 S=45783 Syn Seq=1072699351 Len=0 2
60.244.56.84 -> 142.93.179.59 TCP D=3453 S=4112 Syn Seq=1964543236 Len=0 Win=512
151.126.212.86 -> 106.205.161.66 TCP D=12959 S=42911 Syn Seq=1028677526 Len=0 W2
9.121.248.84 -> 199.35.30.115 TCP D=33377 S=31735 Syn Seq=1395858847 Len=0 Win=2
226.216.132.20 -> 189.89.89.110 TCP D=26975 S=57485 Syn Seq=1783586857 Len=0 Wi2124.54.134.104 -> 235.83.143.109 TCP D=23135 S=55908 Syn Seq=852982595 Len=0 Wi2
27.54.72.62 -> 207.73.65.108 TCP D=54512 S=25534 Syn Seq=1571701185 Len=0 Win=2
246.109.199.72 -> 1.131.122.89 TCP D=61311 S=43891 Syn Seq=1443011876 Len=0 Win2
251.49.6.89 -> 18.168.34.97 TCP D=25959 S=956 Syn Seq=6153014 Len=0 Win=512
51.105.154.55 -> 225.89.20.119 TCP D=33931 S=1893 Syn Seq=116924142 Len=0 Win=52
82.2.236.125 -> 210.40.246.122 TCP D=43954 S=49355 Syn Seq=1263650806 Len=0 Win2
21.221.14.15 -> 9.240.58.59 TCP D=61408 S=26921 Syn Seq=464123137 Len=0 Win=512
70.63.102.43 -> 69.88.108.26 TCP D=61968 S=53055 Syn Seq=682544782 Len=0 Win=512
8/3/2019 Car Nbar Layer2 Block
26/34
262626262626SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
CAM Table Full!
Dsniff (macof) can generate 155,000 MAC entrieson a switch per minute
Assuming a perfect hash function the CAM tablewill total out at 128,000 (16,000 x 8) 131,052 to beexact
-Since hash isnt perfect it actually takes 70 seconds tofill the cam table
Once table is full, traffic without a CAM entryfloods on the VLAN
CAT6506 (enable) sho cam count dynamic
Total Matching CAM Entries = 131052
10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.1, 10.1.1.1 ?
10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.19, 10.1.1.19 ?
15.1.1.26 -> 15.1.1.25 ICMP Echo request (ID: 256 Sequence number: 7424) OOPS15.1.1.25 -> 15.1.1.26 ICMP Echo reply (ID: 256 Sequence number: 7424) OOPS
Snoop output on non-SPAN port
8/3/2019 Car Nbar Layer2 Block
27/34
272727272727SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Port SecurityBeware management and performance hit
Lots of options besides just ON/OFF
1025 MAC entries into table + 1 per port
Restrict option will fail under dsniff load and disablethe port
MAC flooding mitigation
set port security 3/21 enable age 10 maximum 5 violation
restrict
2001 Jul 03 15:40:32 %SECURITY-1-PORTSHUTDOWN:Port 3/21 shutdown due to no space
8/3/2019 Car Nbar Layer2 Block
28/34
282828282828SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
Selective Sniffing
Once traffic is flooded through either ofthe previous two methods Dsniff obtainspasswords
[root@sconvery-lnx dsniff-2.3]# ./dsniff -c
dsniff: listening on eth0
-----------------07/17/01 10:09:48 tcp 15.1.1.26.1126 -> wwwin-apps.cisco.com.80
(http)
GET /SERVICE/Paging/page/ HTTP/1.1
Host: wwwin-apps.cisco.com
Authorization: Basic c2Nvdlgh39UNMRH4lejDmaA== [sconvery:mypassword]
Supports more than 30 standardized / proprietary protocols: FTP, Telnet, SMTP,HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL,Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB,Oracle SQL*Net, Sybase et Microsoft SQL.
8/3/2019 Car Nbar Layer2 Block
29/34
292929292929SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
SSL / SSH Interception
Using dnsspoof all web sites can resolve to thedsniff host IP address:
C:\>ping www.amazon.com
Pinging www.amazon.com [15.1.1.25] with 32 bytes of data:
Reply from 15.1.1.25: bytes=32 time
8/3/2019 Car Nbar Layer2 Block
30/34
303030303030SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
SSL / SSH Interception
Using dsniff (webmitm) most SSL sessions can beintercepted and bogus certificate credentials can bepresented
8/3/2019 Car Nbar Layer2 Block
31/34
313131313131SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
SSL / SSH Interception
Upon inspection
they will lookinvalid but theywould likely fool
most users
8/3/2019 Car Nbar Layer2 Block
32/34
323232323232SEC-2123084_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved.
New R & D
Two New ARP features being researched
Secure ARP Discovery (SAD) EDCS-129119(reverse dsniff mitigation)
ARP inspection and filtering through ARPredirection on a switch (dsniff mitigation)
Contact Marco Foschiano[[email protected]] with comments /questions
8/3/2019 Car Nbar Layer2 Block
33/34
8/3/2019 Car Nbar Layer2 Block
34/34
SEC 212