Trouble in the Tubes

Video in TIB AV-Portal: Trouble in the Tubes

Formal Metadata

Title: Trouble in the Tubes
Alternative Title: How Internet Routing Security Breaks Down
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date: 2018
Language: English

Content Metadata

Abstract:
We all protect our home networks, but how safe is your data once it leaves on its journey to the latest cat pictures? How does your traffic make it to its destination and what threats does it face on its way? What is BGP and why should you care? In this talk, I'll explain the basic structure of the network that is the Internet and the trust relationships on which it is built. We'll explore several types of attacks that you may have seen in the news that exploit this relationship to bring down websites, steal cryptocurrency, and monitor dissidents. Because talking about bringing down the Internet isn't as much fun as doing, I'll show how to create a mini Internet using Mininet and demonstrate the attacks without the need for a BGP router or a lawyer. Finally, because nation states shouldn't get to have all the fun, I'll use Scapy and some novel techniques to demonstrate how a compromised router can be used to prevent attribution, frame a friend, or create a covert communication channel.
All right, so it may be the last day, but we still have first-time speakers, and we have a first-time speaker here. In case you weren't aware, first-time speakers must hydrate before they speak, so he has elected for hydration, and here's to you guys. [Applause] If you sat through that autonomous talk yesterday, you should probably get a shot.

Okay, hey, thanks for coming. Today we're going to be talking about the Internet and Internet security. Over the next 45 minutes we're going to go over a little bit of fluff: who I am, why I'm here. We're going to go over some remedial networking, because there may be some network pros out here. I'm sure there's at least one person who was around at the birth of the Internet, has a staff made from transatlantic cable and will be casting spells on me if I say anything wrong, but there's a pretty wide range of people here: we've got reporters, we have security experts, we have people who specialize in networking, people who never deal with networking at all. So we're going to go over just some of the basic concepts, and then we're going to transition to the basics of how the Internet works itself. And for those of us who don't have a home Cisco lab and aren't set up to build a home network and try some of the attacks we're going over today, we're going to go over some tools you can use to build your own Internet at home, and then some tools we can use to break it. We're going to go over some of the ways the Internet is already broken, we're going to do some demos of the attacks that are out in the wild right now, and then we're going to explore some ways that we can damage the Internet a little bit more.

Now, who am I? I'm Lane Broadbent. I'm a security engineer with Vivint Inc. Vivint is a home security and home automation company; it also does cloud storage and is a wireless
Internet service provider. Some of you may know us; some of you may have had our sales guys come to your door. The demos and tools that I'll be using today you can get on GitHub. I'll be posting them after the talk as soon as I can get reliable Internet access. I'm not sure when that will be, but I'll try and get them up to date, definitely. Now, what
spawned this: here's an announcement from US-CERT talking about how nation-states are targeting Internet infrastructure devices and Internet routers. Now, mostly when we talk about routers being attacked, what we're talking about is home routers with poorly configured credentials and backdoors from firmwares that haven't been updated in a long time, but there are also the routers that make up the core infrastructure of the Internet that have to be considered, and those are what we're going to talk about today. Now, a
little bit of remedial networking. Here we have an IP address in CIDR block notation. An IP address is
a 32-bit number. I'm sorry, this slide actually didn't come out too great, but IP addresses are generally broken up into four blocks of eight called octets, and this is octet notation, and the number after the slash is your subnet mask, so the first 24 bits of our IP address signify our network address, or, as we'll be calling it from here on, our prefix. For addresses that match, that have the same network address as you, on, say, your home LAN, as a simplification, you generally can access them directly. For those that have a different network address you generally have to go through a device called a router. Routers are connected to multiple networks, and they'll take that packet, they'll look at where it's trying to go and they'll compare it to the information they have about where they can get to. Now, routers will have different routes to different networks, and there may be multiple routes that match, so those go through the most specific route, or the route with the longest match. So, for example, that first one, 10/8, doesn't match at all, so that's not a route that's going to be taken. That leaves us with two routes that do work; however, one has a /23 and the other has a /24. 24 bits is longer than 23 bits, so the router is going to choose that route and send the data that direction. Now, I keep
saying router. I know a lot of you probably cut your teeth on these; raise your hand if you have one of these lying in your closet somewhere. That's right. Now, these are generally called routers, but what they really are is
a converged device. They're a wireless access point, DHCP server, firewall; they provide the DNS server; they have an Ethernet switch, a web server for configuration, and they also act as a router, which is connecting those two networks and forwarding traffic between them. What we're going to be
talking about today generally looks more like this. This is a dedicated router, and what it does is it functions as a router, and also, if you need a nap, is an excellent space heater. So, quickly,
what is the Internet? One of our elected officials, in an earlier net neutrality debate, informed us that the Internet is a series of tubes, so let's talk about some of those tubes. Here we have a
greenie hacker; he hasn't earned his black hoodie yet, and he's trying to get to the DEF CON website. Here he has this tube, and that's kind of what it feels like: usually you type in an address, you hit enter, and the website just shows up on your screen. What's really happening is closer to this, where to get
from one side to the other you have to go through a series of intermediate networks, and these are called autonomous systems, and these autonomous systems are what actually make up the Internet. There is no one provider that gets you from point A to point B; you have these different systems, such as your ISP, which then connects to another autonomous system that it forwards the traffic to, and so on until you get to your destination. So, what is an
autonomous system? It's a group of networks under the control of a single entity. Using an example here, Vivint Wireless, the company I work for, identified by its autonomous system number, connects to and routes traffic between one or more other autonomous systems. So this autonomous system connects to Hurricane Electric and Level 3 Communications, and they announce an internal IP address space and address space learned through their peers that they can forward traffic to. This autonomous system advertises these two particular routes as well as others. Here's a graph
I pulled off of Hurricane Electric's website, which has some great BGP tools if you want to learn about BGP. Here you can see we're connecting to Level 3 and Hurricane Electric, and then those two autonomous systems connect to a large number of other autonomous systems. Now, Level 3 is what's called a tier 1 network. Tier 1 networks are the big dawgs, or, if you think about the Internet, they would be the core of the Internet. From a tier 1 network you can get to any address that's publicly available on the Internet, and they generally have thousands of miles of cables spanning countries, if not continents, and they don't pay anybody for access to their networks: either they have a no-cost agreement with other tier 1 networks, or they have other networks that pay them. Hurricane Electric would be a tier 2 network, because they pay somebody else, but then they have a large number of people who also buy their services and access to the network.
Now, all these autonomous systems communicate over the Border Gateway Protocol so they can exchange routing information. So autonomous systems will agree to interconnect as a business agreement: you pay for access to a network, or you are paid, or you have a transit-free agreement, and then your BGP routers will announce their routes to their neighbors. So you connect to another autonomous system and it says, I can reach this address space, and this is how I can reach it; that's the AS path and the prefix. And then when a packet comes in that needs to get to a destination, the most specific prefix, the most specific route, the route with the longest match, is chosen, and the data is forwarded through that next autonomous system. After that, the shortest path, and there are other attributes, and local admins can set policies to prefer certain networks as well. Now, I said BGP routers will announce
the space. So here we have three different autonomous systems, each one with its own prefix that it's going to be announcing, so we're going to look at autonomous system 3 and follow its announcement over to autonomous system 1.
Autonomous system 3 says, hey, I can route to 13/8. It tells that to autonomous system 2. Autonomous system 2 then records that and says, hey, I can get to this prefix through autonomous system 3. It then announces that to its neighbor, autonomous system 1, and autonomous system 1 now knows that you can get to 13/8 through autonomous system 2 and autonomous system 3, which is where the address space is serviced. And then that continues, and eventually every autonomous system on the Internet knows how to get to 13/8. Really quick primer on BGP announcements. It's
something to know about the Border Gateway Protocol and autonomous systems: there's no central authority that actively monitors, manages and enforces who can announce a prefix. When you're assigned a prefix through IANA and its regional registrars, the same way you'd receive an address block, there is no definite link between an autonomous system and an address block. You can have an autonomous system without an address block, and you can have a block of addresses without having an autonomous system. There's nothing that says that one person can announce a certain space, and then when you come to an agreement to peer your autonomous systems, who manages that is really between those two autonomous systems. They'll agree, hey, you can pass this information to me and I will then pass that routing information on to my neighbors. There's no central authority that says this person can announce this route, and there are some pretty good reasons for that as well. An autonomous system can connect and disconnect to its neighbors; you can always take down your link, and when you do that your route will disappear and your traffic will take a different route. You can take your IP addresses and move to a different autonomous system: if you have a provider that's announcing your address space for you and you want to upgrade, or say you're under an attack and you want to move to a different provider, then you do that. You say, announce the space for me, and they start announcing the space; they don't have to check with anyone to make sure they can do that first. And you can also announce from multiple locations; anycast traffic will use that. What it does is you'll have multiple geographic locations, so it'll announce a certain space and your traffic goes to the closest one. Google's DNS and other DNS servers do that, for example. And it's something
to note that, since the routing decision is made at every autonomous system along the way, there is no definite path that your traffic is going to take. You can take one path to the destination, and then the return traffic can always take a different route. So let's talk about some
tools that we can use to build our own Internet, see how this all works, and then destroy it. First up is Mininet. Mininet is a network emulator that you can use to stand up a realistic network on your host. You don't have to set aside a host like you would with a hypervisor, well, depending on your hypervisor. It's a simple tool you can use to create a network namespace and stand up hosts, routers, firewalls. If you want to learn about software-defined networking, it uses OpenFlow switches and you can set up controllers. Important for this discussion is that it is cheaper than going out and buying a bunch of Cisco equipment and setting up a home lab, and it's a lot more flexible, and you don't need the Cisco knowledge to do it, and it's incredibly fast. So I say it's
fast, so let's do a little demo. See how fast we can set this up: let's create this network here, nine hosts, four switches. Let's get over here. Oh yeah, we
already got it primed. All right, so
really quick, we're going to send it. Okay,
not so quick.
All right, I guess we'll do it in Windows
Media Player then. Okay, so we ran the command. It set up the network, created all of our hosts, created links between the switches. Whoa, it's getting ahead of me. Now we just did a ping test between all of them; they can all communicate with each other. We can run commands on the hosts, so we're going to tell one host to ping another host. That works. And just to show we can still run commands, let's get the IP address. All right, so now we've set up a network, we communicated with the hosts, and that was all 21 seconds to set up that network. And how do I get back in the
presentation on this? No, that wasn't it. Somebody shout out how
do I get this one? You say... phew, there we go.
Both screens, voilà. See, that's why it's a good group to have a technical problem with. All right, so another tool we're
going to use is NFQUEUE and libnetfilter_queue. NFQUEUE is an iptables target that basically, instead of accepting, dropping or rejecting a packet, allows you to throw it into a queue, and that queue is accessible from user space. You can have a program in user space examine that packet, make the routing decision and pass it back down to the kernel. You can also modify that packet before it's accepted. Really quick, to set it up, here's the iptables command: we're going to add NFQUEUE, and we're going to send traffic to destination port 23 to NFQUEUE, and from there it's accessible from user space. Now, what do we use to deal with those packets? We're going to use
Scapy. For those of you who aren't familiar, Scapy is a Python module that allows for packet manipulation and decoding. We can craft raw packets, and we can interact with the netfilter queues. Now we can craft packets, and what we have here is a quick one-liner to generate a DNS request. Without going through the different layers: we set the destination, we're saying UDP, we're going to make it a DNS packet, put a name in it, and then we send it, and that's it, one line. Okay, so let's get back to the
Internet. Now, how can we exploit the Internet? There are two things we're going to talk about today: IP spoofing and prefix hijacking. IP spoofing is
changing the source address on your packets as you're sending them out. Why you might want to do this: you want to hide your identity, impersonate somebody else to incriminate them or just annoy them, or you could be doing it for general reasons like load balancing or testing. Again, here's another one-liner for Scapy where we're going to forge the IP address of a packet and send it out. So why does this work? The routers aren't necessarily examining the source of a packet; their main concern is the destination, and they're not always configured to care where the packet came from. So it's hard to say that a certain autonomous system shouldn't carry the packet, because the routes aren't set and those IP addresses are portable. And it's also easier to trust somebody than to distrust them: you have a relationship with somebody, you trust them to be doing what they're supposed to and not making your life more difficult, so you say, okay, they must be sending me legitimate traffic. There's also the issue that some people don't care, or they haven't configured their systems correctly. An example of this is bogon routes, where an autonomous system will advertise private address spaces like 10/8, 192.168/16, various address spaces that shouldn't be used on the public Internet. If you want to see who's doing that, Hurricane Electric has a page that'll give you a report of which different people were sending out bogon routes; it's actually kind of interesting. Okay, so using IP spoofing, what can we do? We'll talk about state exhaustion attacks, specifically SYN floods, and we're going to go over that really quickly because it's kind of solved, but we're going to come back to that later, and volumetric attacks, specifically reflection attacks. Really quick, SYN floods: older attack. To form a TCP connection you have to go through a three-way handshake, where you send a SYN packet to a server, the server responds with SYN-ACK, and then you acknowledge their SYN-ACK; you're
synchronized and you now have a session with them. Initially, when doing that, the server would set aside a certain amount of memory to track that session, waiting for the SYN-ACK packet, because of course the person is going to respond correctly to it and everyone's going to be happy, they're going to communicate. You send a lot of SYN packets, it consumes a lot of resources on the server, and it's no longer able to take new connections. Mostly solved with things like SYN cookies, but we're going to show how we can do something similar to that again. And now volumetric attacks, specifically reflection attacks. We're going to have a
demo where we go through one of the more dangerous ones that are on the Internet today. Really quick, though, IP spoofing:
let's say we want to talk to a DNS server. Host A says to host B: what's the address for ilovepuppies, with a source address of host A. It responds back, looking at the source address, and says: host A, ilovepuppies is at whatever address. All right, so let's say we want to spoof. Host B, give me everything you know about ilovepuppies, sincerely, host C. We're going to throw host C's address on as the source address. It then responds to host C with all the information. Host C says, huh, I didn't ask for that. So now we can scale that up: we can have our botnet, all of our zombies, that are then sending spoofed requests to a large number of DNS servers or other UDP services, and these are going to act as reflectors, and they're all going to have a source address of whoever our target is. So our botnet is going to send a lot of traffic to our reflectors, and the reflectors are going to send an even larger amount of traffic back to our target. Our target's not going to be able to handle it, and that's the premise behind a distributed reflection denial of service attack. So one way of classifying
these is the bandwidth amplification factor. US-CERT uses that. Basically what it is is you're looking at the size of the payload in the responses and comparing that to the payload in the request. Now, certain UDP services have
different reflection bandwidth amplification factors: BitTorrent 3.8, so for every byte you send, it's going to respond with 3.8 times as much to whoever your target is; SNMPv2 6.3; DNS 28 to 54; NTP about 550; and then the latest hotness is memcached. So what memcached is is an
in-memory data store that basically allows you to put information in quickly and then quickly retrieve it. It's often used with web servers to manage web session state; 10,000-foot overview there. So let's set up this attack: let's set up a network in Mininet, use the tools that we have and perform it. So we're going to simplify it a little bit. We know the Internet is just a series of routers that make routing decisions, so we can replace that with one router; we'll call that the Internet. And then we have our attacker, our reflector, our target. So let's see how this works.
Okay, so really quick, we set up our lab. We created our three hosts, our router, and set up links between them. In the background we've got a packet capture running. Really quick, so it shows on the packet capture, we're just going to send a ping from our attacker to our reflector. Okay, and another one. All right, so let's start up our memcached service on our reflector. We're going to tell it we want to listen on all ports and on all interfaces, and that we want it to use UDP. All right, and let's quickly send our one spoofed packet. Now, there's a little bit of magic sauce behind this to get a higher amplification factor, but we don't change any of the settings in it, and then we sent our one packet using our target's
our targets IP address so let's see what happened like I said
we had a packet capture running in the background alright so here is the spoof packet that we sent highlighted there it's got about 15 bytes worth of payload one single packet and also for comparison you've got our pings so we can see what we did actually spoof the address here's the response so that's the bottom one there is packet 761 part of it that's part of the response and these are full UDP packets so what do we
have we sent one packet with 15 bytes worth of payload and our response was 753 packets with 1 million 15 1705 byte payload bytes so that gives us a bandwidth amplification factor of about 70,000 and for those of you who have been spending too much time in the wireless village here it is in decibels all right so according to US sir memcache D 10,000 to 50,000 beyond the amplification factor we just showed it can be 70,000 it seems to be some area of debate what how effective this is but as you can see no matter what it's a very effective attack earlier this year this attack wood was used to generate 1.7 terabit per second of traffic towards the service when you're dealing with that you're not actually taking down the services running on the hosts you're not necessarily taking down the hosts either what you're doing is you're taking down all the infrastructure around it when you start getting 1.7 terabytes worth of traffic you're upstream providers are going to start shutting off your ports because it's taking them down as well I provide some sample code but this the code I provide is simplified doesn't have the magic sauce it just uses the stats call so it doesn't produce 70k bandwidth amplification factor so really quick where's some defenses no your attack surface note services you're running if you're running UDP services why are you running them if you don't need them shut them off block form a good relationship with the outcome provider in case you're the you're the reflector or the target make sure that you can work with them to to filter your traffic and monitoring infrastructure you know you're for your participating so let's go on to be bgp prefix hijacks so what happens in these is as I showed earlier autonomous systems learned how to route traffic by announcing their routes to their neighbors well what happens in a prefix hijack is that a malicious autonomous system advertises a more specific route than the route that's already out there if there's a 
route first slash 23 and announces a slash 24 all that all the traffic four addresses within that slash 24 will go to them because they have the most specific route the neighbors then pass on this route to their neighbors and eventually everyone has that route and all the traffic is route is heading towards that route early example this in 1997 the a s 7,000 an incident a network disaggregated all their routes in 2/24 s and through their own autonomous system number on it and then advertised that on the internet so now that it's 2018 we can do a high-tech computer simulation of what happened the Internet traffic on that day so here that little pink dot is a s seven thousand seven I think it was in Virginia they announced her routes and all the internet traffic started going to them they also apparently turned into the Death Star yeah so what happened was bass large portions
the internet ended up black hold for several hours also the upstream provider shut them off and ended up having the reset reset large portions of their network most routes aren't slash twenty fours and the equipment in that time wasn't made to handle the entire internet a slash twenty fours so the routers would crash come back up relearn all the bad routes from their neighbors crashed and the cycle to repeat it really couldn't have been better if it had been planned so there's certain height there's certain defenses you can have here's just a list of them probably the most prominent is the as a routing registry where you register your routes say this autonomous system is going to be advertised through this and this IP prefix is gonna be advertised to this autonomous system and there's other ways to ensure that communication is secure authorized and everyone's on the same page so let's see how that how well that's worked here we have in April 2018 the my ether-wall comm attack I don't know if any of you yeah I'm sure nobody here you just cryptocurrency right yeah during the hijack it wasn't actually a hijack against the server's themselves it was a hijack against the DNS infrastructure that that's my ether wallet was using specifically AWS and militia a poisoned DNS requests were returned playing to a Russian provider now there were defenses in place not all the not all networks carried the the banned routes but enough did really all what you know you need is one person who's not configured correctly to pass along the information and all the defenses break down do these trust relationships so really quick how things are supposed to work on the left side there we have a client trying to get to theta might want calm on the right Amazon who route 50 through is providing the DNS services announces its route to the Internet so starts to propagate it throughout the client assets DNS server how to get to my youth wall comm it doesn't know has a cat has a Miss so it hits 
Amazon it says hey how do I get to this response is returned it caches passes it to the client client then connects to my you through all calm logs in okay that's how it's supposed to work what really happened was that another autonomous system likely on behalf of one of its customers began advertising a slash 24 for Amazon's DNS server space where Amazon was using slash 23 s so advertising more specific routes when those propagated up I'll request Amazon's DNS servers and went to this malicious DNS server their response was returned to the credential for a credential harvester the clients connect to the credential harvester for some reason the attackers decided not to sell certificate so they were agree people were greeted with an SSL warning and some of them decided not to heed the warning and ended up losing money so let's let's give it a try and credit where credit's do this is a modification of a lab from yeah oh but quick note DEFCON 16 there's an awesome attack against the actual IP address for the DEFCON web servers I believe trying to know exactly what it was go check it out it's good I'm not going to demo it here because that's their thing it was awesome so here we're gonna do a prefix
hijack basically we're gonna modify a demo that's already out there and on the mignonette website if you can get to it but we've changed it to be a prefix hijack instead of a path hijack so here's our three networks we looked at before yes one two and three advertising eleven eight twelve eight thirteen eight we have a web server on as3 well yeah
Am I doing okay on time? Okay, good. Not bad, not great. Okay, so
really quick, here's our environment. Top left, we're going to start up our network. Bottom left, we're going to be controlling whether or not our autonomous systems are running. And on the right, we're going to be trying to hit our web server to see what happens. So really quick, let's pull the routing table. Okay, so looking at that routing table, sorry, this is broken up. Here's the routing table that we have from autonomous system one. It can see the other autonomous systems, two and three; it can get to 13/8. All right.

All right, so back in our attack, we're now hitting a site on that web server. Over here on the bottom left we're going to start up our autonomous system 4, which is going to advertise a /9, compared to a /8, for the 13/8 web space. All right, and on the right, in a second you'll see it's switching over to the attacker web server. Okay, so pulling our routing table again, we can see that we now have another route. You probably can't see it very well, so let's pull it up. We've started autonomous system 4, and it announced a more specific route for 13/8, which caused all of our traffic to divert to our malicious web server. Now, it's not the most exciting attack, and the reason for that is that everything worked the way it's supposed to. Somebody advertised a better way to get to an IP prefix, so everyone took it. So without defenses, this is the correct operation.
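The "correct operation" just shown, reduced to its two rules: longest prefix match picks the hijacker's /9 over the legitimate /8, and an IRR-style prefix filter on the receiving side rejects that announcement before it ever enters the table. This is an added example, not the talk's Mininet lab or anyone's router code. The prefixes and AS numbers mirror the demo (AS1, AS2, AS3 originating 11/8, 12/8, 13/8; AS4 announcing 13.0.0.0/9); the web server address 13.0.0.80, the `RouteTable` and `announcement_allowed` helpers, and the route-object list with its max-length field are this example's own assumptions.

```python
"""Longest-prefix-match route selection and an IRR-style prefix filter.

Added example, not the talk's or Mininet's code.  Prefixes follow the demo;
WEB_SERVER and the IRR route objects are constructed for illustration.
"""
import ipaddress


class RouteTable:
    """Minimal FIB: every accepted announcement is a (network, origin AS) pair."""

    def __init__(self):
        self.routes = []

    def announce(self, prefix, origin_as):
        self.routes.append((ipaddress.ip_network(prefix), origin_as))

    def lookup(self, address):
        """Most specific matching prefix wins; returns (prefix, origin AS) or None."""
        addr = ipaddress.ip_address(address)
        matches = [(net, asn) for net, asn in self.routes if addr in net]
        if not matches:
            return None
        net, asn = max(matches, key=lambda m: m[0].prefixlen)
        return (str(net), asn)


def announcement_allowed(irr, prefix, origin_as):
    """Accept only if a registered route object covers the prefix, names the
    same origin AS, and permits announcements at least this specific (max length).
    The max-length rule is what stops a /9 or /24 carved out of a registered /8 or /23."""
    net = ipaddress.ip_network(prefix)
    for reg_prefix, reg_origin, max_len in irr:
        reg = ipaddress.ip_network(reg_prefix)
        if net.subnet_of(reg) and reg_origin == origin_as and net.prefixlen <= max_len:
            return True
    return False


def build_table(announcements, irr=None):
    """Install announcements in order; with an IRR, drop the ones it rejects.
    Returns (table, rejected_announcements)."""
    table = RouteTable()
    rejected = []
    for prefix, asn in announcements:
        if irr is not None and not announcement_allowed(irr, prefix, asn):
            rejected.append((prefix, asn))
            continue
        table.announce(prefix, asn)
    return table, rejected


# Constructed route objects: (prefix, origin AS, max prefix length allowed).
IRR = [("11.0.0.0/8", 1, 8), ("12.0.0.0/8", 2, 8), ("13.0.0.0/8", 3, 8)]
LEGIT = [("11.0.0.0/8", 1), ("12.0.0.0/8", 2), ("13.0.0.0/8", 3)]
HIJACK = ("13.0.0.0/9", 4)          # AS4's more-specific announcement from the demo
WEB_SERVER = "13.0.0.80"            # constructed address inside AS3's space


def demo():
    """Return (route chosen without filtering, route chosen with filtering, rejected)."""
    unfiltered, _ = build_table(LEGIT + [HIJACK])
    filtered, rejected = build_table(LEGIT + [HIJACK], IRR)
    return unfiltered.lookup(WEB_SERVER), filtered.lookup(WEB_SERVER), rejected


if __name__ == "__main__":
    before, after, dropped = demo()
    print("no filter :", before)     # traffic for the web server goes to AS4
    print("IRR filter:", after)      # stays with AS3
    print("rejected  :", dropped)
```

The same `RouteTable` reproduces the MyEtherWallet case described earlier: install a /23 from one origin and a /24 inside it from another, and every address in that /24 resolves to the second origin. Real filters also check the AS path and apply the max-prefix-length rule per peer, but the decision shown here is the one that matters: an unfiltered router has no reason to prefer the /8 once it has learned a /9.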
So defenses would be: register your routes in an IRR; establish that relationship with upstream providers so that they know what you're advertising and they're able to defend against people trying to take over your space; filter prefixes that you receive from others to avoid having your website taken over; use DNSSEC, HTTPS with HSTS; and make sure you're monitoring your infrastructure.

All right, so let's move on to a little bit more theoretical. So at the beginning we showed that alert; it says nation-states are trying to take over routers, basically. So why shouldn't states get to have all the fun? Let's do some of these attacks ourselves, let's try it. We don't know exactly what attacks are going to be done, but we can make some guesses, and one of the ways we can make some guesses is because we already know what things are going to be done, because we can see them now in certain pieces of infrastructure. Really quick, we know that if you have control of a router, as with any, you know, just think of it as your network monitoring equipment: you can monitor traffic, you can redirect traffic, which we saw, you can modify traffic as it's passing through, you can block traffic, and you can flip the switch and just take down a piece of infrastructure. Now we don't really need to imagine much, because we already see this in action; there's malicious networking equipment widely deployed. Now, malicious is relative to who's performing the operation: so intrusion detection systems and intrusion prevention systems, firewalls, Internet service providers doing service prioritization or denying access to certain services, and then you have nation-level monitoring, filtering, and enforcement, such as, you know, a country putting up a large firewall to restrict Internet access. So we can already see what can be done with this, because it's already being done; corporations are already doing it. My cell phone provider is blocking my VPN access for some reason. You know, we already see this in action. But what else can we do?

So we know that you can prevent IP spoofing by registering routes, making sure that people aren't passing bad routes. But we can also defeat that if we have control of one of the routers. So if you have a router on, say, an Internet service provider's network, it has the ability to talk for addresses on that network, and no one's going to question it, because it's supposed to be the one carrying that traffic. So by doing that, we can defeat IP prefix filtering; we can spoof any host we want on that network; it doesn't need to exist, it doesn't particularly matter otherwise. But even in this case, we can now have bi-directional communication: we can send traffic for a host and then receive the response, and we can reduce our botnets from thousands of devices to just a handful of routers. And I say we can have bi-directional communication because before, you can't really spoof TCP traffic, because you have to have that handshake and you have to be able to go through the synchronization; but since we're receiving the responses, we can now open up TCP sessions, have bi-directional communication that we wouldn't have been able to do otherwise. And this is kind of concerning, because it breaks our attribution models. A lot of you might get daily, weekly, or whatever threat feeds, and part of what they have is a list of IP addresses associated with certain activities. You throw them into your intrusion detection systems, you block them on your firewalls, and that's good. But now we can change our IP address at will, because we can access any of these other devices; we can no longer really trust the IP addresses that we have in threat feeds.

Now this is on a symmetric route, so it receives the response. Now what can we do if we still want to spoof traffic from a different network and we're not receiving the response? Like I said before, you really can't spoof a TCP connection, because you have to synchronize with the server, and this is done using a randomized sequence number. However, if we control one of the routers along the path to that spoofed host, we can still send our traffic from a different portion of the Internet and be able to maintain bi-directional communication and go through our TCP handshake. So we're going to do a quick little attack here. We're going to spoof a SYN packet; we're going to capture the response on the second router, the router on the right there; and then we're going to have that router send the information to our attacker computer, specifically the sequence number that it needs to complete the handshake; and then we're going to complete the handshake. So I simplified it a little bit for the demo: we're replacing the routers with switches and running our interceptor on the spoofed host, but same effect.

So, all right, so really quick, we're going to see what our IP address is, and we're going to request a page from a web server that's going to respond with our IP address. That matches up: 10.0.10.90. And then we're going to make it so we can no longer communicate directly with that host, just for the purposes of demonstration. So now we can no longer communicate with the web server, just so you guys believe me. And we're going to spoof a TCP connection. So here we're going to send a SYN packet that's going to be intercepted and sent back to us, and then we're going to complete the handshake and request traffic. Oh god, that went too fast. All right, all right, so here we're making our HTTP request, and here's the response that we receive back. We're able to complete our TCP handshake using spoofed traffic and then make a request and receive that response as it's being sent to the address that we're spoofing. Now to do
this we need a communication channel. We have... I've been... I had it out of full-screen mode for a while, haven't I? Somebody tell me these things.

All right, so we need a control channel to be able to do this. We need to communicate between our interceptor and the host that's doing the spoofing. How can we do this? One way is network steganography. Steganography is hiding data, and its presence, from an observer. There are numerous ways of doing this with network traffic, but some of them are pretty slow. You'll flip a flag in a header, which gives you about one bit per packet; not the quickest thing ever. But if we want to trade a degree of stealth for increased data rate, what we can do is inject our traffic into other packets as they're passing through a node, and then strip that data out before it's passed on to its final destination. And to do this, HTTPS, or other encrypted traffic, using that as our cover medium is ideal.

Really quick, here's a TCP packet. The payload can be, assuming, yeah, the payload usually can be up to 1460 bytes, but a lot of traffic either has a full payload or has no payload, as an ACK packet. There's a bimodal distribution on the Internet, and basically you'll have a lot of traffic that's being received and a lot of ACK packets for that received traffic. So these ACK packets have a lot of free space that we can use. There's nothing that says that you can't send data with an ACK packet; in fact, it's normal.
Yeah, I got a clap for that. Okay. Oh yeah, I made a meme. All right, so pretty long, how are we doing on time? Okay. No, I can't see anyone anyway. So all right, so what I'm proposing is we use excess space that's not being consumed and we inject our own traffic into it. Now we need to make sure that it can't be read as well. Well, yeah, yeah, we want to make sure that it can't be read, so we're going to encrypt everything. At the end we're going to put a counter, an encrypted counter, that says how much data we're going to put in it, so we can quickly then pull that data out, check for the flags at the beginning and the end of the data that we're sending, and know if it's actually our traffic or if it's a mistake. So three steps before we get to our data, that allows us to quickly toss out traffic that looks like our data but is not, if that makes sense. Sorry, I'm rushing to make sure I get this closed.

Why are we going to use HTTPS? Most of the Internet is HTTPS. It's expensive to monitor HTTPS traffic and there's little value in recording it. You can gather metadata about it, but if you record HTTPS traffic at large scale, what you have is a bunch of data that you can't read that's going to fill up your drives. And when properly implemented, encrypted data is pretty much statistically indistinguishable from random data, so we can take this already encrypted data, throw our encrypted data on the end, and there shouldn't be any way of determining that we've added data.

This was the demo that I was going to do, as you might be able to guess, and it ended up being kind of busy, so we're going to simplify and we're going to do a demo just between two hosts that have had their traffic blocked, basically right on this, let's say autonomous system one, autonomous system four, just to show that it works. So we're going to bypass some blocking through our covert channel. Yeah, don't let me forget to go back into full screen; that's on you guys. It's good. All right, so here we're just testing that we can reach the web server on 10.0.10.90, and then we're going to set up a listener through our tunnel on localhost 8765. Now we've just blocked access to it on port 80, so we can no longer directly access that web server on port 80. So now, and that still doesn't work. So now we're going to start our covert channel. What we're going to do is we're going to start on the other end; we've already started our listener, and then we're going to run this quickly. Running the script starts the listener on this end, that creates the channel, and then gives us a bunch of cover traffic; I'm just using watch and a curl command to generate a bunch of HTTPS traffic. There you go. Okay, so we've started it, and let's see. So now we have a channel that we can use. Here's our HTTP request; we got to the server that we couldn't access before. What we did is we hit a local listener on our box, sent that over the tunnel using HTTPS traffic as our cover medium, and then had the other side complete the connection to the web server and return that traffic back to us. So that's a means of creating a covert channel there.

And what does that look like at the packet level? And going back into full screen, yes. So here's the original packet, and then here's the packet with our data added on to it, and at the end I left the counter unencrypted so we can look at that. So what you have is traffic that looks like the traffic that we already have; they're generally indistinguishable from what should be there. Now, if you're going to monitor sessions and keep track of sequence and acknowledgment numbers, you might be able to detect that this is going on, but if this isn't on a connection that you would expect to be malicious, or you want to monitor, chances are you're not going to be doing full session monitoring, and this is going to slide by along with the other terabytes of HTTPS traffic. Okay,
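The append-and-strip step the talk describes (encrypt the covert data, tack an encrypted length counter onto the end of an already-encrypted cover packet, and run a few cheap checks so foreign packets are tossed out before anything is decrypted), written out as a worked example. This is an added example, not the talk's tool. It uses only the standard library, so the cipher is a toy: an HMAC-SHA256 counter-mode keystream plus an HMAC tag standing in for a real AEAD such as AES-GCM or ChaCha20-Poly1305. The trailer layout (`ct || tag || enc_len || nonce`), the field sizes, the key and message constants, and the cover bytes (a constructed stand-in for a TLS application-data record) are all this example's own assumptions; the talk's packet layout may differ.

```python
"""Append-and-strip covert channel inside an encrypted cover packet.

Added example, not the talk's code.  Layout appended to the cover bytes:
    ct (n bytes) || tag (16) || enc_len (2) || nonce (8)
The receiver reads the fixed-size tail first, recovers n, checks the tag,
and only then decrypts; a packet that fails any check is passed through
untouched.  Toy cipher built from HMAC-SHA256; use an AEAD in practice.
"""
import hashlib
import hmac
import os

TAG_LEN, LEN_FIELD, NONCE_LEN = 16, 2, 8
TRAILER_LEN = TAG_LEN + LEN_FIELD + NONCE_LEN      # fixed bytes after the ciphertext

# Constructed demo values (assumptions, not from the talk).
KEY = b"0123456789abcdef0123456789abcdef"
COVER = b"\x17\x03\x03\x00\x40" + bytes(range(64))  # looks like a TLS record
MESSAGE = b"GET / HTTP/1.0\r\n"


def _derive(key, label):
    """Separate sub-keys for encryption, tagging and the length field."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    """Toy CTR-mode keystream: HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def embed(key, cover, message, nonce=None):
    """Append the encrypted message and its encrypted length to the cover bytes."""
    if len(message) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length field")
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    k_enc, k_mac, k_len = _derive(key, b"enc"), _derive(key, b"mac"), _derive(key, b"len")
    ct = _xor(message, _keystream(k_enc, nonce, len(message)))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    enc_len = _xor(len(message).to_bytes(LEN_FIELD, "big"),
                   _keystream(k_len, nonce, LEN_FIELD))
    return cover + ct + tag + enc_len + nonce


def extract(key, packet):
    """Return (cover, message) if the packet carries our data, else (packet, None).

    Three checks run before the message is decrypted: the packet is long
    enough to hold a trailer, the decrypted length is plausible, and the tag
    verifies.  Anything else is someone else's traffic and passes through."""
    if len(packet) < TRAILER_LEN:
        return packet, None
    k_enc, k_mac, k_len = _derive(key, b"enc"), _derive(key, b"mac"), _derive(key, b"len")
    nonce = packet[-NONCE_LEN:]
    enc_len = packet[-NONCE_LEN - LEN_FIELD:-NONCE_LEN]
    n = int.from_bytes(_xor(enc_len, _keystream(k_len, nonce, LEN_FIELD)), "big")
    if n > len(packet) - TRAILER_LEN:
        return packet, None
    tag = packet[-TRAILER_LEN:-TRAILER_LEN + TAG_LEN]
    ct = packet[-TRAILER_LEN - n:-TRAILER_LEN]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return packet, None
    message = _xor(ct, _keystream(k_enc, nonce, n))
    return packet[:-TRAILER_LEN - n], message


if __name__ == "__main__":
    pkt = embed(KEY, COVER, MESSAGE)
    print(len(COVER), "cover bytes ->", len(pkt), "on the wire")
    print("stripped:", extract(KEY, pkt))
    print("plain cover:", extract(KEY, COVER))
```

The node that strips the data restores the cover bytes exactly, so the far end sees the original record; what it cannot restore is the IP and TCP length fields, checksums and the sequence numbering the intermediate hop saw, which is why the talk notes that a monitor doing full session tracking could still spot the growth and shrinkage.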
Thanks for listening. I appreciate you coming. [Applause]