Embed Size (px)
Citation preview
Network Protocol Tunneling
Network Security’s Friend or Foe
Spyridon Dosis
Description & Concerns
Tunneling Protocols & Protocol Tunneling
Network Tunneling Tools & Setup
Demo
Conclusions
Outline
A delivery network protocol encapsulates a payload network protocol
The delivery protocol usually operates at the same or higher level (e.g. in the TCP/IP stack) than the payload protocol
Network Protocol Tunneling
Protocol Tunneling◦ Order in Protocol Encapsulation◦ Obfuscation rather than hiding◦ Practical use cases & misuse
Covert Channels◦ Channels not intended for information
transfer◦ Hiding in unused protocol fields, utilizing
fields such as IP ID, TCP Sequence number etc.
◦ Network Steganography
Protocol Tunneling & Covert Channels
Carry data over incompatible delivery-networks
Provide a (encrypted) path through a public network◦ Monitoring vs Anti-Censorship
Allowing “some kind” of traffic may lead to “any kind”
Common Uses
Pre-existing network-based security tools (firewalls, IDS) may not be able to apply the controls to the tunneled traffic◦ Evading traffic regulation
Lack of host-based security controls◦ Defense in depth
Inability for ingress and egress filtering
‘Open-ended’ tunnel may forward traffic to other internal hosts
Misuse of Network Tunneling
Advanced Persistent Threats (APTs) - Remote Control & Data exfiltration◦ Backdoors with OS commands, file
transfer capabilities are installed in target systems.
◦ Upload collected files using common ports such as HTTP (80), HTTPS (443) and DNS (53) bypassing detection.
Covert channels for malware◦ e.g. C&C communications over
DNS (i.e. Feederbot, W32.Morto )
Network Tunneling – Rising Concerns
Description & Concerns
Tunneling Protocols & Protocol Tunneling
Network Tunneling Tools & Setup
Demo
Conclusions
Outline
The original IP packet is encrypted The ESP header indicates that the entire
packet is the payload (IP-in-IP) Inserts a new IP header (next header is ESP)
IPSec Tunnel Mode
Image taken from http://www.free-it.de/archiv/talks_2005/paper-11156/paper-11156.html
Security services from gateway to gateway or from host to gateway over an insecure network
The entire original packet is encrypted◦ Internal traffic behind the gateways is not
protected Often used to implement Virtual Private
Networks (IPsec VPNs)◦ Site-to-site◦ Client-to-site
IPSec Tunnel Mode
“GRE (Generic Routing Encapsulation) specifies a protocol for encapsulation of an arbitrary protocol over another arbitrary network layer protocol” – RFC 2784 and 2890
Point-to-point links
GRE – Generic Routing Encapsulation
Image taken from http://netwild.ru/pptp/
Ethernet over IPv4/IPv6 (e.g. Openstack Neutron)
Support for tunneling broadcasting/multicasting◦ e.g. Delivering routing updates to multiple sites
IPv4/IPv6 over IPv4/IPv6 No default encryption/security services
◦ IPSec Tunnel/Transport over GRE
GRE and IP
Tunnel Brokers provide a network tunneling service
6in4 – IPv6 over IPv4
4in6 – IPv4 over IPv6 ISATAP Teredo – IPv6 over UDP over IPv4 …and others
IPv6 over IPv4 Transition Mechanisms
Secure channel over an insecure network between an SSH client and an SSH server (e.g. OpenSSH) typically listening at TCP port 22
Public-key cryptography for server (and client) authentication
Remote command execution, file transfer (SCP, SFTP), TCP port and X forwarding, tunneling
SSH (Secure Shell) Protocol
Local-port forwarding when traffic coming to a local port is forwarded to a specified remote host/port
Destination is relative to the SSH server’s location and mostly unrestricted
SSH client can be configured to act either as a local-only service or public to other hosts
SSH Local-port forwarding
Remote-port forwarding when traffic coming to a remote port is forwarded to a specified local host/port
Destination is relative to the SSH client’s location and mostly unrestricted
SSH server can be configured to act either as a local-only service or public to other hosts
SSH Remote-port forwarding
Performs successfully for single-host/port communications◦ Simple Web (HTTP)◦ Mail (SMTP, POP3, IMAP)◦ SSH
Fails for more complex network services◦ Web with External References / Surfing
Solution: Chain to a Web Proxy◦ FTP◦ Peer-to-Peer
SSH Static Forwards Limitations
The SOCKS protocol proxies TCP connections/forwards UDP packets from client to server through a proxy
A local SOCKS proxy is created on the SSH client’s side and can forward traffic to arbitrary remote hosts and ports
Firewall Traversal / Content-filtering circumvention
SSH Dynamic-port Forwarding
Run remote X Window System based applications but displayed locally
Need for X server for Windows
Secure the X protocol by tunneling it over SSH
ssh –X user@host <application>◦ Run a remote browser visiting a blocked website
SSH X forwarding
“An ICMP ECHO_REQUEST packet contains an additional 8 bytes worth of ICMP header followed by an arbitrary-amount of data” – ping(8) man page
LOKI (Phrack Issue 49) utilized it to establish a covert channel between client/server
IP over ICMP TCP over ICMP
ICMP Tunneling
ICMP Tunneling – A Sample
Various network protocols are encapsulated using the HTTP protocol
HTTP is rarely blocked
Bypass restrictions◦ Firewalls◦ Proxy server / Content-filtering
HTTP Tunneling
HTTP Tunneling – A Sample
Transport arbitrary data by encoding them into DNS messages
Wide support and availability of the global DNS infrastructure
Few organizations block DNS traffic from individual clients to the Internet (e.g. captive portals in public Wi-Fi)
Effective for bypassing security measures such as firewalls or ACLs
Used for two-way communication or data exfiltration
DNS Tunneling - Overview
Around since 1998
NSTX (Nameserver Transfer Protocol)
OzymanDNS (Dan Kaminsky) – “Tunneling Audio, Video and SSH over DNS”
Used mostly for bypassing paywalls
DNS Tunneling - History
Mapping domain names and IP addresses
Record types◦ A, AAAA, CNAME, MX, NS, PTR, TXT, NULL
EDNS for UDP payloads larger than 512 bytes◦ Increased bandwidth
Internal users can contact arbitrary external domains through the organization’s DNS servers/resolvers
DNS Primer
DNS Recursive Resolution
Image taken from http://nirlog.com/2006/03/28/dns-amplification-attack/
DNS Tunneling – A Sample
Maximum 253 characters in domain Maximum 63 characters per subdomain Case-insensitive (Base32 encoding) TXT requests allow for maximum characters
in response + Base64 encoding
Bandwidth up to 110KB/s, 150ms latency (Van Leijenhorst, 2008)
DNS Tunneling - Limitations
Description & Concerns
Tunneling Protocols & Protocol Tunneling
Network Tunneling Tools & Setup
Demo
Conclusions
Outline
SSH Local-port forwarding
SSH Remote-port forwarding
Combined with NetCat◦ Establish a local/remote port forward over SSH
with an SSH server◦ Create a FIFO special file (a named pipe) on both
sides◦ Listen for UDP requests / Relay through the SSH
tunnel◦ Forward UDP requests / Relay through the SSH
tunnel tcp_to_udp & udp_to_tcp socat Relay & UDPTunnel (UDP over TCP)
UDP over SSH Static Forwards
SSH Dynamic-port Forwarding
In the case of HTTP browsing, DNS requests are still submitted by the client
Monitoring can reveal DNS requests for common websites along SSH traffic.
Solution: forward DNS requests also to the SSH server. ◦ (e.g. Firefox network.proxy.socks_remote_dns)
Multi-hop setups◦ Client (SSH lpf) -> Host 1 (SSH dpf) -> Host 2 -> Web
SSH Dynamic-port Forwarding
SSH Traffic Volume & SSH Tunnel Endpoints Tunnel Hunter (Dusi et al., 2008)
◦ Naïve Bayes Classifier◦ Packet size & Packet inter-arrival time◦ Detect Tunneling & Classify the actual protocol
(BitTorrent, POP, SMTP, HTTP) with high accuracy◦ Limitations with respect to multiple SSH
authentication types, data compression, login failures, network protocols
SSH server in non-standard ports (e.g. 443)◦ EmergingThreats Snort Rules, Cisco IDS
Degrade SSH performance (TCP over TCP )
SSH Tunneling Detection / Mitigation
ICMP Tunneling Technique
Image taken from http://www.sectechno.com/2010/10/31/bypassing-firewalls-using-icmp-tunnel/
SSH Tunnel over ICMP Tunnel
ICMPTX (IP over ICMP) ICMP Tunnel (IP over ICMP) Hans (IP over ICMP) itun (IP over ICMP) Ptunnel (TCP over ICMP)
Droid-VPN , Troid-VPN (Android Apps, need root) PD-Proxy, Wi-Free, Tunnel Guru
+++++++++++++++++++++++++++++++++++++++++++++++
ICMP Tunneling Tools
Detection Signatures◦ ICMP_PingTunnel_Detected◦ LOKI ICMP tunneling back door◦ ICMP Raw Sockets
Non-standard average packet size High ICMP traffic volume between tunnel
endpoints
Disallow ICMP traffic
ICMP Tunneling Detection / Mitigation
The Tunnel Client initiates an HTTP connection to the Tunnel Server
The application encapsulates the application requests in HTTP requests destined to the Tunnel Server
The Tunnel Server unwraps and forwards
HTTP Tunneling Technique
GNU httptunnel◦ htc – Tunnel Client component◦ hts – Tunnel Server component
Syntax◦ Server: hts –F remote:<remote_port> 80◦ Client: htc –F <local_port> server:80
ssh –p <local_port> user@localhost
HTTP Tunneling Tools
SSH Tunnel over HTTP Tunnel
DNS Tunneling - Technique
OzymanDNS Dns2tcp
Iodine Heyoka (+ source IP spoofing) DNSCat NSTX DNScapy
MagicTunnel, Element53, VPN-over-DNS (Android) iodine for iOS
“VPN over DNS”
DNS Tunneling - Tools
Increased DNS traffic (network traffic profiling)
Maximum DNS request packet size
Large number of DNS TXT requests
Number of DNS requests, unique hostnames to a single domain
Composition of hostnames◦ Length, unique characters, character frequency analysis
Split DNS◦ Web proxies (but not clients) can resolve external domains
DNS Tunneling – Detection / Mitigation
Determining which tunneling messages are malicious
◦ Real-time Blackhole Lists (DNSBL lookups) 23.42.168.192.dnsbl.example.net example.net.dnslist.example.com
◦ NIST National Software Reference Library 84C0C5914FF0B825141BA2C6A9E3D6F4.md5.dshield.org
Mail server performs DNS TXT requests (SPF)
DNS Tunneling - Challenges
Description & Concerns
Tunneling Protocols & Protocol Tunneling
Network Tunneling Tools & Setup
Demo
Conclusions
Outline
Demo Topology
Description & Concerns
Tunneling Protocols & Protocol Tunneling
Network Tunneling Tools & Setup
Demo
Conclusions
Outline
Using existing core network protocols in innovative ways
Ability to bypass filtering controls and make monitoring difficult (SSH encrypted tunnels)
Need for improved tunneling detection (both delivery and payload protocols) methods and even forensic capabilities
Conclusions
Questions
