
Network Infrastructure Filtering at the border

Infrastructure Security

Securing the device (Hardening)

Think of ALL devices

• 21 Sept 2016
  – 600Gbps+ attack on Brian Krebs' site (hosted by Akamai)
  – https://krebsonsecurity.com
• 30 Sept 2016
  – Mirai source code released to https://hackforums.net
  – More (smarter and competing) variants
• 21 Oct 2016
  – ~1Tbps attack on Dyn
• 26 Nov 2016
  – 900K+ Deutsche Telekom subscribers offline
• Feb 2018
  – 1.35Tbps attack on GitHub
  – Memcached (UDP 11211) with spoofed source addresses
• 10000x!

What caused all these?

• "Internet of STUPID Things (IoT)" – Geoff Huston
  – CPEs, IP cameras/webcams, DVRs, etc.
• The issue?
  – Admin password exposed via web interface
  – Factory (OEM) default admin credentials
  – WAN management allowed (this means anyone on the Internet)
• TR-069 (CWMP)

And the techniques?

• Attack techniques were common (and not so common ones too)
  – SYN floods
  – Low bandwidth HTTP floods
  – DNS water torture (query floods reported since 2014)
  – GRE floods*

Password visible - Web Interface

Allow remote access

How difficult is it to find one?

Source: https://www.flickr.com/photos/kylaborg/12887906353/

Mirai brute force – OEM default usernames and passwords

https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

root xc3511 root vizxv root admin admin admin root 888888 root xmhdipc root default root juantech root 123456 root 54321 support support root (none) admin password root root root 12345 user user admin (none) root pass admin admin1234 root 1111 admin smcadmin admin 1111 root 666666 root password root 1234 root klv123 Administrator admin service service supervisor supervisor guest guest guest 12345 guest 12345 admin1 password administrator 1234 666666 666666 888888 888888 ubnt ubnt root klv1234 root Zte521 root hi3518 root jvbzd root anko root zlxx. root 7ujMko0vizxv root 7ujMko0admin root system root ikwb root dreambox root user root realtek root 00000000 admin 1111111 admin 1234 admin 12345 admin 54321 admin 123456 admin 7ujMko0admin admin 1234 admin pass admin meinsm tech tech

What was/is the scale?

• Geo-locations of Mirai-infected devices as of Oct 2016

https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

What was/is the scale?

• As many as 20 million devices vulnerable to CWMP exploits (Oct 2017)

https://maps.shodan.io

Current Status?

• Only 15 devices worldwide (yesterday night)

https://maps.shodan.io

Could device hardening have made a difference?

Agenda Item

Turn OFF unused services

Feature            Description                                                               Command
CDP                Proprietary layer 2 discovery protocol                                    no cdp enable
TCP small servers  Standard TCP network services: echo, chargen, etc. (ports 19 and lower)   no service tcp-small-servers
UDP small servers  Standard UDP network services: echo, discard, etc. (ports 19 and lower)   no service udp-small-servers
Finger             Unix user lookup service; allows remote listing of logged-in users        no service finger
HTTP server        Some Cisco IOS devices offer web-based configuration                      no ip http server
                                                                                             no ip http secure-server
Bootp server       Service to allow other routers to boot from this one                      no ip bootp server

Turn Off Unused Services

Feature                Description                                                                    Command
Unreachables           Router will send ICMP unreachable messages for unknown destinations (Null0)   no ip unreachables
                                                                                                      no ipv6 unreachables
IP source routing      Feature that allows a packet to specify its own route                         no ip source-route
                                                                                                      no ipv6 source-route
Proxy ARP              Router will act as a proxy for layer 2 address resolution                     no ip proxy-arp
IP directed broadcast  Router will direct packets to broadcast addresses of subnets attached to it   no ip directed-broadcast

Configuration example

! Per-interface
interface <interface-ID>
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
interface Null0
 no ip unreachables
 no ipv6 unreachables
!
! Globally
no ip domain-lookup
no cdp run
no ip http server
no ip http secure-server
no ip source-route
no ipv6 source-route
no service finger
no ip bootp server
no service udp-small-servers
no service tcp-small-servers
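As an added example (not from the deck), a small Python audit that checks a saved IOS configuration for the commands in the two tables and the configuration example above; the config text it runs on is constructed, and the split between global, per-interface and Null0 commands follows the slide.

```python
"""Audit a Cisco IOS config against the hardening tables above.  Added
example, not from the slides; the config text is constructed.  Feed it
'show running-config all' output so hidden defaults appear explicitly."""
import re

GLOBAL_REQUIRED = [
    "no ip domain-lookup", "no cdp run", "no ip http server",
    "no ip http secure-server", "no ip source-route", "no ipv6 source-route",
    "no service finger", "no ip bootp server",
    "no service udp-small-servers", "no service tcp-small-servers",
]
IFACE_REQUIRED = ["no ip redirects", "no ip directed-broadcast",
                  "no ip proxy-arp", "no cdp enable"]
NULL0_REQUIRED = ["no ip unreachables", "no ipv6 unreachables"]

SAMPLE_CONFIG = """\
! constructed sample, not a real device
no ip domain-lookup
no cdp run
no ip http server
no ip source-route
no service finger
no ip bootp server
no service udp-small-servers
no service tcp-small-servers
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 no ip redirects
 no ip directed-broadcast
 no cdp enable
!
"""

def parse_config(text):
    """Return (top-level commands, {interface: sub-commands})."""
    top, ifaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None            # '!' ends an interface block
            continue
        if raw.startswith(" ") and current is not None:
            ifaces[current].add(line) # indented => interface sub-command
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            ifaces.setdefault(current, set())
        else:
            current = None
            top.add(line)
    return top, ifaces

def audit(text):
    """Map each non-compliant scope ('global' or an interface) to the hardening commands it lacks."""
    top, ifaces = parse_config(text)
    findings = {}
    missing = [c for c in GLOBAL_REQUIRED if c not in top]
    if missing:
        findings["global"] = missing
    for name, cmds in ifaces.items():
        want = NULL0_REQUIRED if name == "Null0" else IFACE_REQUIRED
        missing = [c for c in want if c not in cmds]
        if missing:
            findings[name] = missing
    return findings
```

An empty result means every scope carries all of its required commands; interfaces that are not Null0 are all held to the per-interface list.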

Route Filtering

Route Filters – inbound

• Transit provider:
  – Block bogus routes and accept everything else
• Peer:
  – Only accept their prefixes (and their downstream)

router bgp 17821
 neighbor x6:x6::x6 remote-as <transit|peer>
 neighbor x6:x6::x6 description v6 peering with upstream|peer
 neighbor x4.x4.x4.x4 remote-as <transit|peer>
 neighbor x4.x4.x4.x4 description v4 peering with upstream|peer
 !
 address-family ipv4
  neighbor x4.x4.x4.x4 prefix-list <prefix-filter> in
 !
 address-family ipv6
  neighbor x6:x6::x6 prefix-list <prefix-filter> in

IPv4 transit - inbound

no ip prefix-list in-filter
ip prefix-list in-filter deny 0.0.0.0/0               ! Default
ip prefix-list in-filter deny 0.0.0.0/8 le 32         ! Network Zero
ip prefix-list in-filter deny 10.0.0.0/8 le 32        ! RFC1918
ip prefix-list in-filter deny 100.64.0.0/10 le 32     ! RFC6598 shared address
ip prefix-list in-filter deny <your prefix>/X le 32   ! Your address space
ip prefix-list in-filter deny 127.0.0.0/8 le 32       ! Loopback
ip prefix-list in-filter deny 169.254.0.0/16 le 32    ! APIPA
ip prefix-list in-filter deny 172.16.0.0/12 le 32     ! RFC1918
ip prefix-list in-filter deny 192.0.0.0/24 le 32      ! IETF Protocol
ip prefix-list in-filter deny 192.0.2.0/24 le 32      ! TEST1
ip prefix-list in-filter deny 192.168.0.0/16 le 32    ! RFC1918
ip prefix-list in-filter deny 198.18.0.0/15 le 32     ! Benchmarking
ip prefix-list in-filter deny 198.51.100.0/24 le 32   ! TEST2
ip prefix-list in-filter deny 203.0.113.0/24 le 32    ! TEST3
ip prefix-list in-filter deny 224.0.0.0/4 le 32       ! Multicast
ip prefix-list in-filter deny 240.0.0.0/4 le 32       ! Future Use
ip prefix-list in-filter deny 0.0.0.0/0 ge 25         ! Prefixes longer than /24
ip prefix-list in-filter permit 0.0.0.0/0 le 32


IPv6 transit - inbound

no ipv6 prefix-list v6in-filter
ipv6 prefix-list v6in-filter deny 2001::/32 le 128      ! Teredo subnets
ipv6 prefix-list v6in-filter deny 2001:db8::/32 le 128  ! Documentation
ipv6 prefix-list v6in-filter deny 2002::/16 le 128      ! 6to4 subnets
ipv6 prefix-list v6in-filter deny <your::/32> le 128    ! Your prefix
ipv6 prefix-list v6in-filter deny 3ffe::/16 le 128      ! Old 6bone
ipv6 prefix-list v6in-filter deny fc00::/7 le 128       ! ULA
ipv6 prefix-list v6in-filter deny fe00::/9 le 128       ! Reserved IETF
ipv6 prefix-list v6in-filter deny fe80::/10 le 128      ! Link-local
ipv6 prefix-list v6in-filter deny fec0::/10 le 128      ! Site-local (deprecated)
ipv6 prefix-list v6in-filter deny ff00::/8 le 128       ! Multicast
ipv6 prefix-list v6in-filter permit 2000::/3 le 48      ! Global Unicast
ipv6 prefix-list v6in-filter deny ::/0 le 128

IPv4/v6 peer - inbound

no ip prefix-list peer-in-filter
ip prefix-list peer-in-filter permit A.A.A.A/18 le 24        ! Peer's prefix
ip prefix-list peer-in-filter permit B.B.B.B/19 le 24        ! Peer's prefix
ip prefix-list peer-in-filter deny 0.0.0.0/0 le 32           ! Deny everything else
!
no ipv6 prefix-list peerv6-in-filter
ipv6 prefix-list peerv6-in-filter permit 2002:A::/32 le 48   ! Peer's prefix
ipv6 prefix-list peerv6-in-filter deny ::/0 le 128           ! Deny everything else

Outbound routes

• Transit/Peer:
  – Only advertise your prefixes (and your downstream)

router bgp 17821
 neighbor x6:x6::x6 remote-as <transit|peer>
 neighbor x6:x6::x6 description v6 peering with upstream|peer
 neighbor x4.x4.x4.x4 remote-as <transit|peer>
 neighbor x4.x4.x4.x4 description v4 peering with upstream|peer
 !
 address-family ipv4
  neighbor x4.x4.x4.x4 prefix-list <out-filter> out
 !
 address-family ipv6
  neighbor x6:x6::x6 prefix-list <outv6-filter> out
!
no ip prefix-list <out-filter>
ip prefix-list <out-filter> permit M.M.M.M/19 le 24          ! Your prefix
ip prefix-list <out-filter> permit N.N.N.N/19 le 24          ! Your prefix
ip prefix-list <out-filter> deny 0.0.0.0/0 le 32             ! Deny everything else
!
no ipv6 prefix-list <outv6-filter>
ipv6 prefix-list <outv6-filter> permit 2002:M::/32 le 48     ! Your prefix
ipv6 prefix-list <outv6-filter> deny ::/0 le 128             ! Deny everything else
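Evaluating these prefix-lists offline, as an added example that is not part of the deck: a Python re-implementation of the IOS prefix-list matching rules (first match wins, the ge/le length window, implicit deny at the end), run over an abridged copy of the transit inbound filters and constructed sample routes. The peer and outbound lists above evaluate the same way; placeholder lines (<your prefix>, A.A.A.A, M.M.M.M) are left out.

```python
"""Offline evaluator for the IOS prefix-lists in the transit, peer and
outbound slides.  Added example, not from the slides; it implements the
matching rules and the sample filter and routes below are constructed."""
import ipaddress
import re

RULE_RE = re.compile(r"^ipv?6? prefix-list (\S+)(?: seq \d+)? (permit|deny) "
                     r"(\S+)(?: ge (\d+))?(?: le (\d+))?$")

def parse_prefix_lists(text):
    """Return {name: [(action, network, ge, le), ...]} in config order.
    Trailing '! comment' annotations (the deck's style) are stripped."""
    lists = {}
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line or line.startswith("no "):
            continue                      # 'no ip prefix-list X' = reset
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed: {line!r}")
        name, action, prefix, ge, le = m.groups()
        lists.setdefault(name, []).append(
            (action, ipaddress.ip_network(prefix, strict=False),
             int(ge) if ge else None, int(le) if le else None))
    return lists

def entry_matches(entry, route):
    """IOS rule: the route lies inside the entry's network and its length
    is within [ge, le]; with neither keyword only the exact length matches."""
    _, net, ge, le = entry
    if route.version != net.version or not route.subnet_of(net):
        return False
    if ge is None and le is None:
        return route.prefixlen == net.prefixlen
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else route.max_prefixlen
    return lo <= route.prefixlen <= hi

def evaluate(entries, route):
    """Action for one route: first matching entry wins, else implicit deny."""
    route = ipaddress.ip_network(route, strict=False)
    for entry in entries:
        if entry_matches(entry, route):
            return entry[0]
    return "deny"

# Constructed abridgement of the deck's transit inbound filters (the
# '<your prefix>' lines are omitted because they are placeholders).
TRANSIT_IN = parse_prefix_lists("""
no ip prefix-list in-filter
ip prefix-list in-filter deny 0.0.0.0/0              ! Default
ip prefix-list in-filter deny 0.0.0.0/8 le 32        ! Network Zero
ip prefix-list in-filter deny 10.0.0.0/8 le 32       ! RFC1918
ip prefix-list in-filter deny 100.64.0.0/10 le 32    ! RFC6598
ip prefix-list in-filter deny 127.0.0.0/8 le 32      ! Loopback
ip prefix-list in-filter deny 172.16.0.0/12 le 32    ! RFC1918
ip prefix-list in-filter deny 192.0.2.0/24 le 32     ! TEST1
ip prefix-list in-filter deny 192.168.0.0/16 le 32   ! RFC1918
ip prefix-list in-filter deny 203.0.113.0/24 le 32   ! TEST3
ip prefix-list in-filter deny 224.0.0.0/4 le 32      ! Multicast
ip prefix-list in-filter deny 0.0.0.0/0 ge 25        ! longer than /24
ip prefix-list in-filter permit 0.0.0.0/0 le 32
ipv6 prefix-list v6in-filter deny 2001::/32 le 128     ! Teredo
ipv6 prefix-list v6in-filter deny 2001:db8::/32 le 128 ! Documentation
ipv6 prefix-list v6in-filter deny fc00::/7 le 128      ! ULA
ipv6 prefix-list v6in-filter permit 2000::/3 le 48     ! Global Unicast
ipv6 prefix-list v6in-filter deny ::/0 le 128
""")
```

The `0.0.0.0/0 ge 25` entry is what rejects anything more specific than a /24, and the final `permit 0.0.0.0/0 le 32` is why a transit filter accepts everything not explicitly denied, whereas a peer list with no such permit falls through to the implicit deny.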

Bogons

• Not all IP address space (v4 and v6) is allocated by IANA
• Addresses that should not be seen on the Internet are called "Bogons" (also called "Martians")
  – RFC1918 space + reserved space
• IANA publishes lists of the number resources that have been allocated/assigned to RIRs/end-users
  • https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml
  • https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

Bogons

• Commonly found as source addresses of DDoS packets
• We should have ingress and egress filters for bogon routes
  – Should not route them nor accept them from peers
• We could manually craft prefix filters based on the bogon list from IANA
  – But the bogon list is dynamic
  – New allocations are made out of reserved blocks frequently

Bogon Route Server Project

• In comes the Bogon Route Server project by Team Cymru
• Provides dynamic bogon information using eBGP multihop sessions
  – Traditional bogons (AS65333)
    • martians plus prefixes not allocated by IANA
  – Full-bogons (AS65332)
    • above plus prefixes allocated to RIRs but not yet assigned to ISPs/end-users by RIRs
• For details:
  – http://www.team-cymru.org/bogon-reference-bgp.html

Peering - Bogon Route Servers

• To peer with bogon route servers
  – Write to [email protected]
• You should provide:
  • Your ASN
  • Which bogons you wish to receive
  • Your peering addresses
  • MD5 for BGP?
  • PGP public key (optional)
• It is recommended to have at least 2 (two) peering sessions for redundancy

Bogon Config

router bgp 17821
 neighbor cymru-bogons peer-group
 neighbor cymru-bogons remote-as 65332
 neighbor cymru-bogons description Peering with Cymru Bogon RS
 neighbor cymru-bogons ebgp-multihop 255
 neighbor cymru-bogons password <md5-pw>
 neighbor cymru-bogons update-source Loopback0
 !
 neighbor cymru-v6bogons peer-group
 neighbor cymru-v6bogons remote-as 65332
 neighbor cymru-v6bogons description Peering with Cymru IPv6 Bogon RS
 neighbor cymru-v6bogons ebgp-multihop 255
 neighbor cymru-v6bogons password <md5-pw>
 neighbor cymru-v6bogons update-source Loopback0
 !
 neighbor 2620:0:6B0:XXXX::20 peer-group cymru-v6bogons
 neighbor 38.XXX.XXX.20 peer-group cymru-bogons
 !
 address-family ipv4
  neighbor cymru-bogons prefix-list DENY-ALL out
  neighbor cymru-bogons maximum-prefix 10000 90
  neighbor 38.XXX.XXX.20 activate
 !
 address-family ipv6
  neighbor cymru-v6bogons prefix-list DENYv6-ALL out
  neighbor cymru-v6bogons maximum-prefix 100000 90
  neighbor 2620:0:6B0:XXXX::20 activate

Bogon Config

! Do not announce anything to Bogon RS
ip prefix-list DENY-ALL seq 5 deny 0.0.0.0/0 le 32
ipv6 prefix-list DENYv6-ALL seq 5 deny ::/0 le 128
!
! Define communities for Bogons
! Cymru full-bogons are tagged with the community 65332:888
ip bgp-community new-format
ip community-list 10 permit 65332:888
ip community-list 11 permit 17821:888   ! our own bogon tag for iBGP peers
!
! Define route-map to set the next-hop address for the bogons (null routed)
! Set local (no-export) community to propagate bogons to partial iBGP peers
route-map CYMRU-BOGONS permit 10
 match community 10
 set local-preference 1000
 set community 17821:888 no-export
 set ip next-hop 192.0.2.1
!
route-map CYMRU-v6BOGONS permit 10
 match community 10
 set local-preference 1000
 set community 17821:888 no-export
 set ipv6 next-hop 2001:db8::1

Bogon Config

! Null route the bogon next hops (this is also needed on all iBGP peers)
ip route 192.0.2.1 255.255.255.255 Null0
ipv6 route 2001:db8::1/128 Null0
!
! Define route-map to propagate the bogons to partial iBGP peers:
route-map iBGP-BOGONS permit 10
 description allow our bogons
 match community 11
!
route-map v6-iBGP-BOGONS permit 10
 description allow our bogons
 match community 11
!

Packet Filtering

Firewalls in Network?

• Run a dirty but fast network – Maz (IIJ)
  – FWs in front of your services/applications
• Firewall in modern networks (Randy Bush – IIJ):

iACL – IPv4 (equivalent for v6!)

ip access-list extended TRAFFIC-IN
 deny udp any any eq 19                 ! Chargen
 deny tcp any any eq 19                 ! Chargen
 deny udp any any range 135 139         ! netbios stuff
 deny tcp any any range 135 139         ! netbios stuff
 deny udp any any eq 123                ! no one should use our NTP
 deny tcp any any eq 445                ! Blaster/SMB worm
 deny tcp any any eq 1025               ! uSoft RPC exploit
 deny tcp any any eq 1337               ! Redshell backdoor
 deny tcp any any eq 1433               ! MS SQL worm
 deny udp any any eq 1434               ! MS SQL worm
 deny udp any any eq 2049               ! Sun NFS
 deny tcp any any eq 2745               ! Blaster worm
 deny tcp any any eq 3001               ! NessusD backdoor
 deny tcp any any eq 3127               ! MyDoom worm
 deny tcp any any eq 3128               ! MyDoom worm
 deny tcp any any eq 5000               ! WindowsXP UPnP port
 deny tcp any any eq 6129               ! Dameware backdoor
 deny udp any any eq 11211              ! Memcached exploit
 deny tcp any any eq 11211              ! Memcached exploit
 deny tcp any any eq 11768              ! Dipnet/Oddbob worm
 deny tcp any any eq 15118              ! Dipnet/Oddbob worm
 deny icmp any any fragments            ! Block ICMP fragments
 permit icmp any any
 deny ip <your-address> <wildcard> any  ! Inbound packets claiming your own address space as source
 permit ip any any

Source IP spoofing – Defense

• BCP38 (RFC2827)
  – Since 1998!
  – https://tools.ietf.org/html/bcp38
• Only allow traffic with valid source addresses to
  – Leave your network
    • Only packets with a source address from your own address space
  – Enter/transit your network
    • Only source addresses from downstream customer address space

uRPF – Unicast Reverse Path

• Unicast Reverse Path Forwarding (uRPF)
  – Router verifies that the source address of each received packet is in the FIB table and reachable (routing table)
    • Drop if not!
  – Recommended on customer facing interfaces

(config-if)#ipv6 verify unicast source reachable-via {rx | any}

uRPF – Unicast Reverse Path

• Modes of Operation:
  – Strict: verifies both source address and incoming interface with FIB entries
  – Loose: verifies existence of route to source address

[Figure: router with interfaces pos0/0 and ge0/0 receiving packets with Src = 2406:6400:100::1 and Src = 2406:6400:200::1; FIB: 2400:6400:100::/48 via ge0/0, 2400:6400:200::/48 via fa0/0]

Image source: "Cisco ISP Essentials", Barry Greene & Philip Smith 2002
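The figure's two packets worked through in code, as an added example that is not part of the deck: the FIB is constructed to match the drawing, assuming its prefixes are 2406:6400:... like the packet sources (the slide prints 2400:6400:...), and a default route is added to show how IOS treats it in loose mode unless allow-default is configured.

```python
"""Strict vs loose uRPF decision for the figure above.  Added example,
not from the slides: the FIB and packets are constructed to match the
drawing, with a default route added to show the allow-default rule."""
import ipaddress

# Constructed FIB: destination prefix -> egress interface.
FIB = {
    ipaddress.ip_network("2406:6400:100::/48"): "ge0/0",
    ipaddress.ip_network("2406:6400:200::/48"): "fa0/0",
    ipaddress.ip_network("::/0"): "pos0/0",      # default via upstream
}

def fib_lookup(fib, addr):
    """Longest-prefix match for one address; None if nothing covers it."""
    hits = [(net, iface) for net, iface in fib.items() if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def urpf(fib, src, in_iface, mode, allow_default=False):
    """Return 'forward' or 'drop' for a packet with source 'src' received
    on 'in_iface'.  strict (reachable-via rx): the route for the source
    must point back out in_iface.  loose (reachable-via any): any route
    suffices.  As on IOS, the default route only counts as a route when
    allow-default is configured; otherwise unrouted sources are dropped."""
    hit = fib_lookup(fib, ipaddress.ip_address(src))
    if hit is None:
        return "drop"
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return "drop"                       # only the default route matched
    if mode == "strict" and iface != in_iface:
        return "drop"                       # asymmetric path or spoofed source
    return "forward"

# The two packets from the figure, both arriving on ge0/0, plus a
# constructed packet sourced from documentation space (a bogon).
PACKETS = [("2406:6400:100::1", "ge0/0"),
           ("2406:6400:200::1", "ge0/0"),
           ("2001:db8::1", "ge0/0")]

if __name__ == "__main__":
    for src, iface in PACKETS:
        print(f"{src:>20} on {iface}: strict={urpf(FIB, src, iface, 'strict')}"
              f" loose={urpf(FIB, src, iface, 'loose')}")
```

The second packet is the case the slide contrasts: strict mode drops it on ge0/0 because the FIB points the source back out fa0/0, while loose mode forwards it, which is why strict is reserved for customer-facing interfaces where paths are symmetric.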

Example

access-list 121 permit ip <my-subnet> <wild-card> any
access-list 121 deny ip any any log
!
access-list 200 permit ip <cust-subnet> <wild-card> any
access-list 200 deny ip any any log
!
interface Te0/0/0
 description Link to Upstream
 ip access-group 121 out
!
interface Gig0/0
 description link to downstream customer-A
 ip access-group 200 in

Configuration backup/ archiving

Configuration Files

• Careful sending config files - people can snoop the wire
  – MD5 validation
  – SCP to copy files/images
    • Avoid TFTP and FTP!
• Use tools like 'rancid' or 'oxidized' to periodically check them against modified configuration files

scp <file|image> user@router-ip:bootflash:<file-image>
!
scp user@router-ip:bootflash:<file-image> .

#verify /md5 nvram:startup-config
.Done!
verify /md5 (nvram:startup-config) = 7b9e589178bd133fecb975195701447d

OOB Management

• OOB device management should be used - DoS attacks do not hinder access to critical devices
• Reverse Telnet is a good tool in emergencies!
  – AUX <-> Console

telnet <your-IP>:<2000+TTY#>
sh line