Infrastructure Security
Securing the device (Hardening)
Think of ALL devices
• 21 Sept 2016 – 600Gbps+ attack on Brian Krebs' site (hosted by Akamai)
  – https://krebsonsecurity.com
• 30 Sept 2016 – Mirai source code released to https://hackforums.net
  – More (smarter and competing) variants
• 21 Oct 2016 – ~1Tbps attack on Dyn
• 26 Nov 2016 – 900K+ Deutsche Telekom subscribers offline
• Feb 2018 – 1.35Tbps attack on GitHub
  – Memcache (UDP 11211) with spoofed source addresses
  – 10000x!
What caused all these?
• "Internet of STUPID Things (IoT)" – Geoff Huston
  – CPEs, IP cameras/webcams, DVRs, etc.
• The issue?
  – Admin password exposed via web interface
  – Factory (OEM) default admin credentials
  – WAN management allowed (this means anyone on the Internet)
  – TR-069 (CWMP)
And the techniques?
• Attack techniques were common (and not so common ones too)
  – SYN floods
  – Low-bandwidth HTTP floods
  – DNS water torture (query floods reported since 2014)
  – GRE floods*
[Screenshots: device web interface with the admin password visible, and the "Allow remote access" option enabled]
How difficult is it to find one?
Source: https://www.flickr.com/photos/kylaborg/12887906353/
Mirai brute force – OEM default usernames and passwords
Source: https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
root xc3511 root vizxv root admin admin admin root 888888 root xmhdipc root default root juantech root 123456 root 54321 support support root (none) admin password root root root 12345 user user admin (none) root pass admin admin1234 root 1111 admin smcadmin admin 1111 root 666666 root password root 1234 root klv123 Administrator admin service service supervisor supervisor guest guest guest 12345 guest 12345 admin1 password administrator 1234 666666 666666 888888 888888 ubnt ubnt root klv1234 root Zte521 root hi3518 root jvbzd root anko root zlxx. root 7ujMko0vizxv root 7ujMko0admin root system root ikwb root dreambox root user root realtek root 00000000 admin 1111111 admin 1234 admin 12345 admin 54321 admin 123456 admin 7ujMko0admin admin 1234 admin pass admin meinsm tech tech
What was/is the scale?
• Geo-locations of Mirai-infected devices as of Oct 2016
  Source: https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
• As many as 20 million devices vulnerable to CWMP exploits (Oct 2017)
  Source: https://maps.shodan.io
Current status?
• Only 15 devices worldwide (yesterday night)
  Source: https://maps.shodan.io
Could device hardening have made a difference?
Turn OFF unused services
Feature            Description                                                               Command
CDP                Proprietary layer 2 discovery protocol                                    no cdp enable
TCP small servers  Standard TCP network services: echo, chargen, etc. (ports 19 and lower)   no service tcp-small-servers
UDP small servers  Standard UDP network services: echo, discard, etc. (ports 19 and lower)   no service udp-small-servers
Finger             Unix user lookup service; allows remote listing of logged-in users        no service finger
HTTP server        Some Cisco IOS devices offer web-based configuration                      no ip http server
                                                                                             no ip http secure-server
Bootp server       Service to allow other routers to boot from this one                      no ip bootp server
Turn OFF unused services (continued)

Feature                Description                                                                    Command
Unreachables           Router will send ICMP unreachable messages for unknown destinations (Null0)    no ip unreachables
                                                                                                      no ipv6 unreachables
IP source routing      Feature that allows a packet to specify its own route                          no ip source-route
                                                                                                      no ipv6 source-route
Proxy ARP              Router will act as a proxy for layer 2 address resolution                      no ip proxy-arp
IP directed broadcast  Router will direct packets to broadcast addresses of subnets attached to it    no ip directed-broadcast
Configuration example

! Per-interface
interface <interface-ID>
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
interface Null0
 no ip unreachables
 no ipv6 unreachables
!
! Globally
no ip domain-lookup
no cdp run
no ip http server
no ip http secure-server
no ip source-route
no ipv6 source-route
no service finger
no ip bootp server
no service udp-small-servers
no service tcp-small-servers
Route Filtering

Route Filters – inbound
• Transit provider:
  – Block bogus routes and accept everything else
• Peer:
  – Only accept their prefixes (and their downstreams')

router bgp 17821
 neighbor x6:x6::x6 remote-as <transit|peer>
 neighbor x6:x6::x6 description v6 peering with upstream|peer
 neighbor x4.x4.x4.x4 remote-as <transit|peer>
 neighbor x4.x4.x4.x4 description v4 peering with upstream|peer
 !
 address-family ipv4
  neighbor x4.x4.x4.x4 prefix-list <prefix-filter> in
 !
 address-family ipv6
  neighbor x6:x6::x6 prefix-list <prefix-filter> in
IPv4 transit - inbound

no ip prefix-list in-filter
ip prefix-list in-filter deny 0.0.0.0/0 ! Default
ip prefix-list in-filter deny 0.0.0.0/8 le 32 ! Network Zero
ip prefix-list in-filter deny 10.0.0.0/8 le 32 ! RFC1918
ip prefix-list in-filter deny 100.64.0.0/10 le 32 ! RFC6598 shared address
ip prefix-list in-filter deny <your prefix>/X le 32 ! Your address space
ip prefix-list in-filter deny 127.0.0.0/8 le 32 ! Loopback
ip prefix-list in-filter deny 169.254.0.0/16 le 32 ! APIPA
ip prefix-list in-filter deny 172.16.0.0/12 le 32 ! RFC1918
ip prefix-list in-filter deny 192.0.0.0/24 le 32 ! IETF Protocol
ip prefix-list in-filter deny 192.0.2.0/24 le 32 ! TEST1
ip prefix-list in-filter deny 192.168.0.0/16 le 32 ! RFC1918
ip prefix-list in-filter deny 198.18.0.0/15 le 32 ! Benchmarking
ip prefix-list in-filter deny 198.51.100.0/24 le 32 ! TEST2
ip prefix-list in-filter deny 203.0.113.0/24 le 32 ! TEST3
ip prefix-list in-filter deny 224.0.0.0/4 le 32 ! Multicast
ip prefix-list in-filter deny 240.0.0.0/4 le 32 ! Future Use
ip prefix-list in-filter deny 0.0.0.0/0 ge 25 ! Prefixes >/24
ip prefix-list in-filter permit 0.0.0.0/0 le 32
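Before pushing a prefix-list like the one above to a router it is worth checking how IOS will evaluate it: entries are tried in order, `ge`/`le` bound the prefix length of the route being checked (no keyword means an exact-length match), and anything unmatched hits the implicit deny. The Python below is an added example, not part of the slides; it implements those matching rules and runs a subset of the transit in-filter against constructed test prefixes.

```python
import ipaddress
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    action: str                 # "permit" or "deny"
    net: ipaddress.IPv4Network  # the A.B.C.D/L part of the entry
    ge: Optional[int]           # minimum prefix length (ge keyword), if present
    le: Optional[int]           # maximum prefix length (le keyword), if present
    note: str                   # trailing '! comment' from the slide, kept for reporting

def parse_prefix_list(text):
    """Parse 'ip prefix-list NAME permit|deny A.B.C.D/L [ge N] [le N] ! note' lines."""
    entries = []
    for raw in text.splitlines():
        cmd, _, note = raw.partition("!")
        tok = cmd.split()
        if tok[:2] != ["ip", "prefix-list"] or len(tok) < 5:
            continue            # skips blank lines and 'no ip prefix-list ...'
        opts = dict(zip(tok[5::2], map(int, tok[6::2])))   # e.g. {'le': 32}
        entries.append(Entry(tok[3], ipaddress.IPv4Network(tok[4], strict=False),
                             opts.get("ge"), opts.get("le"), note.strip()))
    return entries

def entry_matches(e, p):
    """IOS semantics: p lies inside e.net and its length falls in the ge/le window
    (exactly e.net's own length when neither keyword is present)."""
    if not p.subnet_of(e.net):
        return False
    lo = e.ge if e.ge is not None else e.net.prefixlen
    hi = e.le if e.le is not None else (32 if e.ge is not None else e.net.prefixlen)
    return lo <= p.prefixlen <= hi

def evaluate(entries, prefix):
    """Return (action, note) of the first matching entry; implicit deny otherwise."""
    p = ipaddress.IPv4Network(prefix, strict=False)
    for e in entries:
        if entry_matches(e, p):
            return e.action, e.note
    return "deny", "implicit deny at end of list"

# Subset of the slide's transit in-filter, in IOS syntax.
IN_FILTER = parse_prefix_list("""
no ip prefix-list in-filter
ip prefix-list in-filter deny 0.0.0.0/0 ! Default
ip prefix-list in-filter deny 10.0.0.0/8 le 32 ! RFC1918
ip prefix-list in-filter deny 192.168.0.0/16 le 32 ! RFC1918
ip prefix-list in-filter deny 224.0.0.0/4 le 32 ! Multicast
ip prefix-list in-filter deny 0.0.0.0/0 ge 25 ! Prefixes >/24
ip prefix-list in-filter permit 0.0.0.0/0 le 32
""")
```

Calling `evaluate(IN_FILTER, "11.22.33.0/25")` (a constructed prefix) returns a deny with the "Prefixes >/24" note, while the covering /16 is permitted; a default route is denied by the first entry because it has no `le`, so only an exact /0 matches it.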
IPv6 transit - inbound

no ipv6 prefix-list v6in-filter
ipv6 prefix-list v6in-filter deny 2001::/32 le 128 ! Teredo subnets
ipv6 prefix-list v6in-filter deny 2001:db8::/32 le 128 ! Documentation
ipv6 prefix-list v6in-filter deny 2002::/16 le 128 ! 6to4 subnets
ipv6 prefix-list v6in-filter deny <your::/32> le 128 ! Your prefix
ipv6 prefix-list v6in-filter deny 3ffe::/16 le 128 ! Old 6bone
ipv6 prefix-list v6in-filter deny fc00::/7 le 128 ! ULA
ipv6 prefix-list v6in-filter deny fe00::/9 le 128 ! Reserved IETF
ipv6 prefix-list v6in-filter deny fe80::/10 le 128 ! Link-local
ipv6 prefix-list v6in-filter deny fec0::/10 le 128 ! Site-local (deprecated)
ipv6 prefix-list v6in-filter deny ff00::/8 le 128 ! Multicast
ipv6 prefix-list v6in-filter permit 2000::/3 le 48 ! Global Unicast
ipv6 prefix-list v6in-filter deny ::/0 le 128
IPv4/v6 peer - inbound

no ip prefix-list peer-in-filter
ip prefix-list peer-in-filter permit A.A.A.A/18 le 24 ! Peer's prefix
ip prefix-list peer-in-filter permit B.B.B.B/19 le 24 ! Peer's prefix
ip prefix-list peer-in-filter deny 0.0.0.0/0 le 32 ! Deny everything else
!
no ipv6 prefix-list peerv6-in-filter
ipv6 prefix-list peerv6-in-filter permit 2002:A::/32 le 48 ! Peer's prefix
ipv6 prefix-list peerv6-in-filter deny ::/0 le 128 ! Deny everything else
Outbound routes
• Transit/Peer:
  – Only advertise your prefixes (and your downstreams')

router bgp 17821
 neighbor x6:x6::x6 remote-as <transit|peer>
 neighbor x6:x6::x6 description v6 peering with upstream|peer
 neighbor x4.x4.x4.x4 remote-as <transit|peer>
 neighbor x4.x4.x4.x4 description v4 peering with upstream|peer
 !
 address-family ipv4
  neighbor x4.x4.x4.x4 prefix-list out-filter out
 !
 address-family ipv6
  neighbor x6:x6::x6 prefix-list outv6-filter out
!
no ip prefix-list out-filter
ip prefix-list out-filter permit M.M.M.M/19 le 24 ! Your prefix
ip prefix-list out-filter permit N.N.N.N/19 le 24 ! Your prefix
ip prefix-list out-filter deny 0.0.0.0/0 le 32 ! Deny everything else
!
no ipv6 prefix-list outv6-filter
ipv6 prefix-list outv6-filter permit 2002:M::/32 le 48 ! Your prefix
ipv6 prefix-list outv6-filter deny ::/0 le 128 ! Deny everything else
Bogons
• Not all IP addresses (v4 and v6) are allocated by IANA
• Addresses that should not be seen on the Internet are called "Bogons" (also called "Martians")
  – RFC1918 space + reserved space
• IANA publishes the list of number resources that have been allocated/assigned to RIRs/end-users
  – https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml
  – https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

Bogons
• Commonly found as source addresses of DDoS packets
• We should have ingress and egress filters for bogon routes
  – Should not route them nor accept them from peers
• We could manually craft prefix filters based on the bogon list from IANA
  – But the bogon list is dynamic
  – New allocations are made out of reserved blocks frequently
Bogon Route Server Project
• In comes the Bogon Route Server project by Team Cymru
• Provides dynamic bogon information using eBGP multihop sessions
  – Traditional bogons (AS65333)
    • Martians plus prefixes not allocated by IANA
  – Full-bogons (AS65332)
    • The above plus prefixes allocated to RIRs but not yet assigned to ISPs/end-users by the RIRs
• For details:
  – http://www.team-cymru.org/bogon-reference-bgp.html

Peering – Bogon Route Servers
• To peer with the bogon route servers
  – Write to [email protected]
• You should provide:
  – Your ASN
  – Which bogons you wish to receive
  – Your peering addresses
  – MD5 for BGP?
  – PGP public key (optional)
• It is recommended to have at least 2 (two) peering sessions for redundancy
Bogon Config

router bgp 17821
 neighbor cymru-bogons peer-group
 neighbor cymru-bogons remote-as 65332
 neighbor cymru-bogons description Peering with Cymru Bogon RS
 neighbor cymru-bogons ebgp-multihop 255
 neighbor cymru-bogons password <md5-pw>
 neighbor cymru-bogons update-source Loopback0
 !
 neighbor cymru-v6bogons peer-group
 neighbor cymru-v6bogons remote-as 65332
 neighbor cymru-v6bogons description Peering with Cymru IPv6 Bogon RS
 neighbor cymru-v6bogons ebgp-multihop 255
 neighbor cymru-v6bogons password <md5-pw>
 neighbor cymru-v6bogons update-source Loopback0
 !
 neighbor 2620:0:6B0:XXXX::20 peer-group cymru-v6bogons
 neighbor 38.XXX.XXX.20 peer-group cymru-bogons
 !
 address-family ipv4
  neighbor cymru-bogons prefix-list DENY-ALL out
  neighbor cymru-bogons route-map CYMRU-BOGONS in
  neighbor cymru-bogons maximum-prefix 10000 90
  neighbor 38.XXX.XXX.20 activate
 !
 address-family ipv6
  neighbor cymru-v6bogons prefix-list DENYv6-ALL out
  neighbor cymru-v6bogons route-map CYMRU-v6BOGONS in
  neighbor cymru-v6bogons maximum-prefix 100000 90
  neighbor 2620:0:6B0:XXXX::20 activate
!
! Do not announce anything to the Bogon RS
ip prefix-list DENY-ALL seq 5 deny 0.0.0.0/0 le 32
ipv6 prefix-list DENYv6-ALL seq 5 deny ::/0 le 128
!
! Define communities for bogons
! Cymru full-bogons are tagged with the community 65332:888
ip bgp-community new-format
ip community-list 10 permit 65332:888
ip community-list 11 permit 17821:888 ! our own bogon tag for iBGP peers
!
! Define route-maps to set the next-hop address for the bogons (null routed)
! Set local (no-export) community to propagate bogons to partial iBGP peers
route-map CYMRU-BOGONS permit 10
 match community 10
 set local-preference 1000
 set community 17821:888 no-export
 set ip next-hop 192.0.2.1
!
route-map CYMRU-v6BOGONS permit 10
 match community 10
 set local-preference 1000
 set community 17821:888 no-export
 set ipv6 next-hop 2001:db8::1
!
! Null route the bogon next hops (this is also needed on all iBGP peers)
ip route 192.0.2.1 255.255.255.255 null0
ipv6 route 2001:db8::1/128 null0
!
! Define route-maps to propagate the bogons to partial iBGP peers
route-map iBGP-BOGONS permit 10
 description allow our bogons
 match community 11
!
route-map v6-iBGP-BOGONS permit 10
 description allow our bogons
 match community 11
!
Packet Filtering

Firewalls in the Network?
• Run a dirty but fast network – Maz (IIJ)
  – FWs in front of your services/applications
• Firewall in modern networks (Randy Bush – IIJ):

iACL – IPv4 (equivalent for v6!)

ip access-list extended TRAFFIC-IN
 deny udp any any eq 19 ! Chargen
 deny tcp any any eq 19 ! Chargen
 deny udp any any range 135 139 ! netbios stuff
 deny tcp any any range 135 139 ! netbios stuff
 deny udp any any eq 123 ! no one should use our NTP
 deny tcp any any eq 445 ! Blaster/SMB worm
 deny tcp any any eq 1025 ! uSoft RPC exploit
 deny tcp any any eq 1337 ! Redshell backdoor
 deny tcp any any eq 1433 ! MS SQL worm
 deny udp any any eq 1434 ! MS SQL worm
 deny udp any any eq 2049 ! Sun NFS
 deny tcp any any eq 2745 ! Blaster worm
 deny tcp any any eq 3001 ! NessusD backdoor
 deny tcp any any eq 3127 ! MyDoom worm
 deny tcp any any eq 3128 ! MyDoom worm
 deny tcp any any eq 5000 ! WindowsXP UPnP port
 deny tcp any any eq 6129 ! Dameware backdoor
 deny udp any any eq 11211 ! Memcached exploit
 deny tcp any any eq 11211 ! Memcached exploit
 deny tcp any any eq 11768 ! Dipnet/Oddbob worm
 deny tcp any any eq 15118 ! Dipnet/Oddbob worm
 deny icmp any any fragments ! Block ICMP fragments
 permit icmp any any
 deny ip <your-address> <wildcard> any
 permit ip any any
Source IP spoofing – Defense
• BCP38 (RFC2827)
  – Since 1998!
  – https://tools.ietf.org/html/bcp38
• Only allow traffic with valid source addresses to
  – Leave your network
    • Only packets with source addresses from your own address space
  – Enter/transit your network
    • Only source addresses from downstream customer address space

uRPF – Unicast Reverse Path
• Unicast Reverse Path Forwarding (uRPF)
  – Router verifies that the source address of any packet received is in the FIB (routing table) and reachable
    • Drop if not!
  – Recommended on customer-facing interfaces

(config-if)#ipv6 verify unicast source reachable-via {rx | any}
• Modes of operation:
  – Strict: verifies both the source address and the incoming interface against FIB entries
  – Loose: verifies only the existence of a route to the source address

[Figure: a router with interfaces pos0/0, ge0/0 and fa0/0; FIB: 2406:6400:100::/48 via ge0/0, 2406:6400:200::/48 via fa0/0; packets with Src = 2406:6400:100::1 and Src = 2406:6400:200::1 arriving on pos0/0 and ge0/0]
Image source: "Cisco ISP Essentials", Barry Greene & Philip Smith, 2002
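To make the strict/loose distinction concrete, here is an added Python model of the uRPF decision (not from the slides or from Cisco) run against a constructed FIB that follows the figure above. The 3ffe::/16 entry pointing at Null0 is an added assumption: it shows how a null-routed bogon, like those learned from the Cymru route servers earlier, is dropped even in loose mode, since IOS treats a Null0 route as unreachable.

```python
import ipaddress

# Constructed FIB modelled on the slide's figure: prefix -> egress interface.
# A route whose egress is Null0 (e.g. a null-routed bogon) counts as unreachable.
FIB = {
    ipaddress.IPv6Network("2406:6400:100::/48"): "ge0/0",
    ipaddress.IPv6Network("2406:6400:200::/48"): "fa0/0",
    ipaddress.IPv6Network("3ffe::/16"): "Null0",   # constructed: old 6bone bogon
}

def fib_lookup(fib, addr):
    """Longest-prefix match; returns the egress interface or None when no route exists."""
    best = None
    for net, ifname in fib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def urpf_passes(fib, src, in_if, mode):
    """uRPF decision for a packet with source 'src' arriving on interface 'in_if'.
    'loose'  (reachable-via any): a usable route to the source must exist.
    'strict' (reachable-via rx) : that route must also point back out in_if."""
    egress = fib_lookup(fib, ipaddress.ip_address(src))
    if egress is None or egress == "Null0":
        return False                     # no route, or route to Null0: drop
    if mode == "loose":
        return True
    if mode == "strict":
        return egress == in_if
    raise ValueError(f"unknown uRPF mode {mode!r}")

if __name__ == "__main__":
    # Constructed packets: same source seen on the expected and on a wrong interface.
    for src, in_if in (("2406:6400:100::1", "ge0/0"), ("2406:6400:100::1", "pos0/0"),
                       ("2001:db8::1", "ge0/0"), ("3ffe::1", "pos0/0")):
        print(src, in_if, "strict:", urpf_passes(FIB, src, in_if, "strict"),
              "loose:", urpf_passes(FIB, src, in_if, "loose"))
```

The source 2406:6400:100::1 arriving on pos0/0 passes loose mode (a route exists) but fails strict mode (the route points out ge0/0), which is why strict mode belongs on single-homed customer interfaces and loose mode on links where asymmetric routing is expected.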
Example

access-list 121 permit ip <my-subnet> <wild-card> any
access-list 121 deny ip any any log
!
access-list 200 permit ip <cust-subnet> <wild-card> any
access-list 200 deny ip any any log
!
interface Te0/0/0
 description Link to Upstream
 ip access-group 121 out
!
interface Gig0/0
 description link to downstream customer-A
 ip access-group 200 in
Configuration backup / archiving

Configuration Files
• Be careful sending config files - people can snoop the wire
  – MD5 validation
  – SCP to copy files/images
    • Avoid TFTP and FTP!
• Use tools like 'rancid' or 'oxidized' to periodically collect configurations and detect modified configuration files

scp <file|image> user@router-ip:bootflash:<file-image>
!
scp user@router-ip:bootflash:<file-image> .

#verify /md5 nvram:startup-config
.Done!
verify /md5 (nvram:startup-config) = 7b9e589178bd133fecb975195701447d
OOB Management
• OOB device management should be used - DoS attacks do not hinder access to critical devices
• Reverse Telnet is a good tool in emergencies! (AUX <-> Console)

telnet <your-IP>:<2000+TTY#>
sh line