SP Infrastructure Security Survey & Attack Classification - PowerPoint PPT Presentation


  1. SP Infrastructure Security Survey & Attack Classification Danny McPherson danny@arbor.net & Ray Hunt ray.hunt@canterbury.ac.nz Apricot 2006 - Perth, Australia 1

2. Goals
• Given time constraints, focus will be given to providing details of a few popular techniques, rather than providing overly terse information on many techniques
  – full slide deck provides considerably more detail
• Nothing new or especially exciting here, just information on some techniques service providers are using to protect their customers and their own infrastructure

3. Agenda
• 3 Discrete Planes
• DDOS Traceback Techniques
• DDOS Mitigation Techniques
• Infrastructure Security Survey
• IMS Data - If time permits

4. Internet Address Spaces
• Bogon:
  – Regional Internet Registries
    • RIPE NCC, APNIC, ARIN, LACNIC, AFNIC?
  – RFC 1918/Reserved
  – Unallocated – IANA or an RIR
• Dark Address Space
  – Allocated and advertised but unused/not sub-allocated
• Active Address Space – In Use

5. Three Discrete Planes
• Management Plane – SNMP, Telnet, Out of Band Access, etc.
• Control Plane – Routing & Signaling Protocols; BGP, OSPF/IS-IS, LDP, etc.
• Data Plane – Packet forwarding functions

6. Management Plane

7. Management Plane
• Device Access & Management Functions
• Protocols include:
  – Telnet
  – SSH
  – SNMP
• Also consider console & OOBA, etc.

8. Control Plane

9. Control Plane
• Inter-domain routing in the Internet: BGP
• Interior Routing: IS-IS, OSPF, EIGRP, RIP
• MPLS: LDP & RSVP-TE
• Multicast: PIM SSM, MSDP, MP-BGP

10. Control Plane
• TCP employed for transport of BGP/LDP
  – Makes the session vulnerable to many attack vectors (e.g., SYN, RST, etc.)
  – Protection?
    • MD5 TCP Signature Option
    • IPSEC
    • Infrastructure ACLs (iACLs)
    • GTSH
  – IGPs support MD5 for many functions
    • Neighbor discovery & adjacency establishment
    • LSA/LSP/Update authentication
    • Etc.
  – Control Plane Policing
    • filter/limit who/what/how much can gain access to a router or switch control plane/route processor

11. Route Hijacking
• What is it?
  – Announcing Internet address space that belongs to someone else – without their permission
  – Typically via BGP
  – Result of misconfiguration or malicious intent, more often the latter
• Why do it?
  – Anonymous IP space for spamming
  – Launching non-spoofed (e.g., Application Layer) attacks from source addresses within the space
  – Sharing materials anonymously
  – Breaking connectivity to rightful owners of address space (i.e., Denial of Service)

12. Route Hijacking
• Why is it possible?
  – Routing on the Internet always prefers the “longest match” (most specific route) for a given destination
  – No central authoritative source for who owns what addresses, who provides transit services for address space owners, etc.
  – As such, very little inter-domain prefix filtering; mostly limited to customer/subscriber routing sessions (as opposed to ‘peer’ sessions), if employed at all!

13. Route Hijacking
• What to do about it?
  – Prefix filtering
    • Need accurate central repository for route ownership data
      – Internet Routing Registries (e.g., RADB)?
      – Regional Internet Registries (e.g., RIPE, ARIN, APNIC)?
  – Secure the routing system – hrmmm..?
    • SBGP – Secure BGP
    • soBGP – Secure Origin BGP
  – IETF:
    • SIDR WG – Secure Inter-Domain Routing IETF WG
    • RPSEC WG – Routing Protocol Security Requirements WG
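The two slides above make a mechanical point (the most specific route wins, so nothing stops a more-specific announcement from attracting traffic) and a defensive one (prefix filters need an authoritative record of who may originate what). The following Python model, added here and not part of the presentation, shows both together: a longest-match lookup over a table of announcements, with and without an origin check against a registry. The registry, the announcements, the prefixes (documentation ranges) and the AS numbers (private range) are all constructed for the example.

```python
import ipaddress

# Constructed data for this example (documentation ranges, private ASNs):
# a registry of which AS may originate each prefix, standing in for the
# IRR/RIR "route ownership" data the slide says prefix filters need.
REGISTERED_ORIGIN = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
}

# Constructed announcements as (prefix, origin AS) received from peers. The
# /25 is a more-specific of space registered to AS64500 but originated by a
# different AS: exactly the case slide 12 says wins on longest match when
# nothing filters it.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),
    ("198.51.100.0/24", 64501),
    ("203.0.113.0/25", 64510),
]


def check_announcement(prefix, origin_as, registry=REGISTERED_ORIGIN):
    """Prefix-filter decision: accept only if the most specific registered
    prefix covering this announcement lists the same origin AS.
    Returns (accepted, reason)."""
    net = ipaddress.ip_network(prefix)
    covering = [p for p in registry if net.subnet_of(p)]
    if not covering:
        return False, "no registry entry covers %s" % net
    expected = registry[max(covering, key=lambda p: p.prefixlen)]
    if origin_as != expected:
        return False, "origin AS%d does not match registered AS%d" % (origin_as, expected)
    return True, "ok"


def build_table(announcements, prefix_filter):
    """Build a {network: origin AS} table, optionally dropping announcements
    that fail check_announcement() before they are installed."""
    table = {}
    for prefix, origin in announcements:
        if prefix_filter and not check_announcement(prefix, origin)[0]:
            continue
        table[ipaddress.ip_network(prefix)] = origin
    return table


def longest_match(table, destination):
    """Forwarding lookup: the most specific (longest prefix) entry covering
    the destination wins, as slide 12 describes. Returns (network, origin)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, origin in table.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin)
    return best


if __name__ == "__main__":
    for filtered in (False, True):
        table = build_table(ANNOUNCEMENTS, prefix_filter=filtered)
        net, origin = longest_match(table, "203.0.113.10")
        print("filter=%s -> 203.0.113.10 follows %s originated by AS%d" % (filtered, net, origin))
    for prefix, origin in ANNOUNCEMENTS:
        print(prefix, origin, check_announcement(prefix, origin))
```

Without the filter, traffic for 203.0.113.10 follows the /25 from AS64510; with it, the /25 is rejected at the registry check and the /24 from the registered origin is used. The quality of the decision is only as good as the registry behind it, which is the gap the slide's question marks point at.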

14. Route Hijacking
• NANOG 36: Short-lived Prefix Hijacking on the Internet:
  – http://www.nanog.org/mtg-0602/pdf/boothe.pdf
• “Result: between 26 and 95 successful prefix hijackings occurred in December of 2005”
• Note: prefix hijackings do not include events which appear to be the result of misconfiguration

15. Slammer Data Plane Impact - A European SP’s View
• Some DDOS/worms easier to detect than others…

16. Slammer Control Plane Impact – THE BGP PICTURE

17. Data Plane

18. Infrastructure ACLs (iACLs)
• Simple concept: apply policies on the network perimeter that do not allow traffic to enter my network if it is destined for addresses allocated to network infrastructure devices (e.g., routers, switches, etc.)
• Exceptions may be required in order to permit legitimate traffic such as ICMP Echo Requests, etc. (although you may desire to rate-limit this traffic)
• Never allow packets with source addresses of your own address space to enter your network (could be used for control plane attacks, etc.)

19. Infrastructure ACLs in Action
[Diagram: an AS with peering routers PR1 and PR2, core routers CR1 and CR2 and internal routers R1–R5; an ACL “in” is applied on each external-facing interface. Example flows shown: SRC valid / DST Rx (any R); SRC 127.0.0.1 / DST any; SRC eBGP peer / DST CR1 (eBGP); SRC valid / DST external to AS (e.g. customer).]

20. Infrastructure ACL Example (Cisco)
! Deny our internal space as a source of external packets
! (our_CIDR_block is a placeholder for the aggregate's address and wildcard mask)
access-list 101 deny ip our_CIDR_block any
! Deny src addresses of 0.0.0.0 and 127/8
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
! Deny RFC1918 space from entering AS
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.0.15.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
! Remaining iACL entries (infrastructure destinations, exceptions, final permit) are not shown on the slide;
! an access list ends with an implicit deny, so these lines alone would block all traffic

21. TTL Security Hack
• Formerly known as BTSH (BGP TTL Security Hack), then GTSH (Generalized TTL Security Hack), and finally, GTSM (Generalized TTL Security Mechanism)
• Defined in RFC 3682
• Can be performed in hardware data path (in forwarding ASICs)
• Initially applied to BGP, but can be employed for any IP-based protocol
• Exploits routers’ native TTL decrement behavior

22. TTL Security Hack
• Protect peers from multi-hop attacks
• Routers are configured to transmit packets with TTL of 255 and reject received packets with TTL of < 254
• Removes possibility of injected packets affecting eBGP session
• Applied on external BGP peering sessions where iACLs could not be applied
[Diagram: routers A and B with an eBGP session between them. Labels: “Transmits all packets with TTL of 255”; “Doesn’t accept packets with TTL < 254”; “Packets generated here cannot reach router A with a TTL > 253” (pointing at a source beyond the peer).]
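The check on this slide rests on one arithmetic fact: the TTL field is 8 bits, every forwarding router decrements it, and nobody can make it arrive higher than it started. The Python model below, added here as an illustration and not part of the presentation, reproduces the slide's rule (reject below 254) over a few constructed hop-count cases and also lets you raise the threshold to 255 to see the difference for a directly connected peer. The scenarios and hop counts are constructed; the threshold default is the slide's.

```python
MAX_TTL = 255  # the IP TTL is an 8-bit field, so no sender can start higher


def ttl_on_arrival(initial_ttl, forwarding_routers):
    """TTL the receiving router sees after each intermediate router has
    decremented the field by one. Returns None if the packet expires first."""
    ttl = min(initial_ttl, MAX_TTL) - forwarding_routers
    return ttl if ttl > 0 else None


def gtsm_accept(received_ttl, min_ttl=254):
    """GTSM receive-side check: accept only if TTL >= min_ttl.
    The slide's configuration rejects anything below 254."""
    return received_ttl is not None and received_ttl >= min_ttl


def evaluate(scenarios, min_ttl=254):
    """Run each (name, initial_ttl, forwarding_routers) case through the check."""
    return {name: gtsm_accept(ttl_on_arrival(ttl, hops), min_ttl)
            for name, ttl, hops in scenarios}


# Constructed cases. "forwarding_routers" counts the routers between the
# sender and router A that forward (and so decrement) the packet.
SCENARIOS = [
    ("directly connected peer, sends TTL 255", 255, 0),
    ("sender one forwarding router away", 255, 1),
    ("sender two forwarding routers away (TTL 253 on arrival)", 255, 2),
    ("sender two routers away asking for TTL 999 (clamped to 255)", 999, 2),
]

if __name__ == "__main__":
    for threshold in (254, 255):
        print("min_ttl =", threshold)
        for name, accepted in evaluate(SCENARIOS, threshold).items():
            print("  %-60s %s" % (name, "accept" if accepted else "drop"))
```

With the slide's threshold of 254, a packet that passed through exactly one forwarding router is still accepted; requiring 255 removes that slack for a directly connected peer, at the cost of needing the expected hop count configured exactly.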

23. Ingress Filtering
• RFC 3704/BCP 84 updates RFC 2827/BCP 38 – mitigate address spoofing and packets destined to bogon space
• Employ packet filtering mechanisms such that subscribers/customers are only allowed to source packets from addresses which they’ve been allocated
  – apply filters as close to the edge as possible, filter as precisely as possible
• Extremely difficult to maintain filters for customers with large numbers of routes
• Rarely applied to “peers” on the Internet, since ACL generation is extremely difficult and hardware would be required to support hundreds of thousands of filters
• Removes the possibility of spoofing – makes tracing attacks/malicious activity back to the actual source much simpler

24. Ingress Packet Filtering
[Diagram: the Internet connects to an ISP whose customer allocation block is 96.0.0.0/19; customer subnets 96.0.18.0/24, 96.0.19.0/24, 96.0.20.0/24 and 96.0.21.0/24 hang off the ISP’s downstream aggregation and NAS routers.]
• BCP 38 Filter = Allow only source addresses from the customer’s 96.0.X.X/24
• Filter applied on downstream aggregation and NAS routers
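Slides 18–20 and 23–24 describe two filters that sit at different edges: the Internet-facing iACL (deny your own space and bogons as sources, deny traffic to infrastructure addresses with a few exceptions) and the customer-facing BCP 38 filter (permit only the customer's allocation as a source). The Python below, added here and not part of the presentation, expresses both as functions and runs constructed packets through them. The customer block 96.0.0.0/19 is the slide's; the SP aggregate, infrastructure block, eBGP peer address and all packet addresses are hypothetical stand-ins (documentation ranges where possible) and are labelled as such in the code.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto")

# Constructed addresses for this example. 96.0.0.0/19 is the customer
# allocation from slide 24; the rest are hypothetical stand-ins for the
# slide's "our_CIDR_block", the router addresses and an external peer.
OUR_CIDR_BLOCK = ipaddress.ip_network("96.0.0.0/12")        # hypothetical SP aggregate
INFRA_BLOCK = ipaddress.ip_network("96.15.255.0/24")        # hypothetical router loopbacks/links
CUSTOMER_ALLOCATION = ipaddress.ip_network("96.0.0.0/19")   # from slide 24
EBGP_PEERS = {ipaddress.ip_address("198.51.100.1")}         # hypothetical external peer

# Sources the slide 20 ACL denies outright: 0.0.0.0, 127/8 and RFC 1918.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/32", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def perimeter_iacl(pkt):
    """Inbound ACL on an Internet-facing interface (slides 18-20).
    Returns 'permit' or a string starting with 'deny' giving the reason."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src in OUR_CIDR_BLOCK:
        return "deny: our own address space as source of an external packet"
    for bogon in BOGON_SOURCES:
        if src in bogon:
            return "deny: bogon source %s" % bogon
    if dst in INFRA_BLOCK:
        # Exceptions from slides 18/19: the configured eBGP peer may reach the
        # router it peers with, and ICMP echo is allowed (rate-limit elsewhere).
        if pkt.proto == "bgp" and src in EBGP_PEERS:
            return "permit"
        if pkt.proto == "icmp-echo":
            return "permit"
        return "deny: destined to infrastructure address space"
    return "permit"


def customer_bcp38(pkt, allocation=CUSTOMER_ALLOCATION):
    """BCP 38 filter on a customer-facing (aggregation/NAS) interface:
    the customer may only source packets from its own allocation."""
    src = ipaddress.ip_address(pkt.src)
    if src in allocation:
        return "permit"
    return "deny: source %s outside customer allocation %s" % (src, allocation)


# Constructed traffic to run through both filters.
FROM_INTERNET = [
    Packet("203.0.113.5", "96.0.20.9", "tcp"),          # ordinary customer-bound traffic
    Packet("127.0.0.1", "96.0.20.9", "tcp"),            # loopback source
    Packet("96.0.20.9", "96.0.21.1", "tcp"),            # our own space arriving from outside
    Packet("203.0.113.5", "96.15.255.1", "tcp"),        # arbitrary host to a router address
    Packet("203.0.113.5", "96.15.255.1", "icmp-echo"),  # ping to a router address
    Packet("198.51.100.1", "96.15.255.1", "bgp"),       # eBGP peer to its router
]
FROM_CUSTOMER = [
    Packet("96.0.20.9", "203.0.113.5", "tcp"),          # within 96.0.0.0/19
    Packet("10.0.0.1", "203.0.113.5", "tcp"),           # private source leaking from the customer
]

if __name__ == "__main__":
    for pkt in FROM_INTERNET:
        print("iACL  ", pkt, "->", perimeter_iacl(pkt))
    for pkt in FROM_CUSTOMER:
        print("BCP38 ", pkt, "->", customer_bcp38(pkt))
```

The ordering matters in the same way it does in a real ACL: the source checks run before the destination check, so a packet from your own space never reaches the infrastructure exception, and the BCP 38 rule is evaluated only on the customer side, where the allocation is known precisely.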

25. What’s in a FIB?
• FIB == Forwarding Information Base (i.e., forwarding table)
• Correspondingly, RIB == Routing Information Base (i.e., routing table)

26. Conceptual Router Architecture (RIBs & FIBs)
[Diagram: BGP Adj-RIB-In tables pass through the Input Policy Engine and the BGP Decision Algorithm into the Loc-RIB (sh ip bgp), then through the Output Policy Engine into the Adj-RIB-Out tables; the IS-IS and OSPF LSDBs each run SPF to produce the IS-IS RIB (sh isis route) and OSPF RIB (sh ospf route); these, together with the Static RIB and Connected RIB, feed the Route Table Manager, which applies distance/weight to build the IP Routing Information Base – RIB (sh ip route), from which the IP Forwarding Information Base – FIB (sh ip cef) is derived and replicated as dFIBs.]
