Trouble in the Tubes
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Alternative Title |
| |
| Title of Series | ||
| Number of Parts | 322 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/39709 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
DEF CON 26268 / 322
18
27
28
40
130
134
164
173
177
178
184
190
192
202
203
218
219
224
231
233
234
235
237
249
252
255
268
274
287
289
290
295
297
298
299
302
306
309
312
315
316
00:00
Tube (container)Control flowComputer networkInternetworkingContext awarenessInternetworkingCASE <Informatik>Staff (military)Right angleSoftwareMultiplication signBitGroup actionSharewareInformation securityControl flowInternet service providerAutonomic computingExpert systemWireless LANTraffic reportingData storage deviceRange (statistics)
03:03
InternetworkingFirmwareRouter (computing)Backdoor (computing)State of matterCore dumpMultiplication signXMLUML
03:40
Address spaceIP addressBlock (periodic table)SoftwareNumberPositional notationBitInternetworkingAddress spaceSlide rule32-bitDifferent (Kate Ryan album)Router (computing)InformationMatching (graph theory)RoutingAuditory maskingDirection (geometry)JSONComputer animation
05:21
Router (computing)Wireless LANServer (computing)Dynamic Host Configuration ProtocolFirewall (computing)Direct numerical simulationRouter (computing)Firewall (computing)Direct numerical simulationServer (computing)Wireless LANConfiguration spaceWeb 2.0SoftwarePoint (geometry)Amsterdam Ordnance DatumSpacetimeFunctional (mathematics)Computer animation
06:08
InternetworkingSeries (mathematics)Tube (container)Series (mathematics)WeightInternetworkingTube (container)Type theoryHacker (term)TouchscreenWebsiteAddress spaceComputer animation
06:43
Computer networkLocal GroupSpacetimePhysical systemWireless LANInternet service providerAutonomous system (mathematics)Point (geometry)Series (mathematics)SoftwareIn-System-ProgrammierungInternetworkingAutonomous System (Internet)Group actionPeer-to-peerIP addressAddress spaceRoutingGame controllerSpacetimeGraph (mathematics)Wireless LANLevel (video gaming)Information and communications technologyJSON
07:50
Wireless LANInternetworkingSoftwareAutonomous system (mathematics)Coefficient of determinationMultitier architectureCore dumpNumberAddress spaceGraph (mathematics)Level (video gaming)Web serviceEngineering drawing
08:51
Border Gateway ProtocolInformationCommunications protocolSystem programmingLocal ringAttribute grammarAttribute grammarAutonomous system (mathematics)Local ringRoutingSoftwareGroup actionCommunications protocolGateway (telecommunications)InformationMatching (graph theory)Router (computing)FreewareSystem administratorAddress spaceJSON
09:51
Autonomous system (mathematics)SpacetimePhysical systemMultiplication signAddress spaceRoutingRow (database)InternetworkingDiagramComputer animation
10:46
InformationComputer networkBorder Gateway ProtocolAutonomic computingDecision theoryExecution unitUniform resource locatorAuthorizationRoutingDirect numerical simulationBlock (periodic table)InformationSpacetimeAddress spaceAutonomous system (mathematics)Internet service providerGateway (telecommunications)Server (computing)Communications protocolLink (knot theory)Roundness (object)MultiplicationCasting (performing arts)Session Initiation ProtocolIP addressComputer animation
12:58
Virtuelles NetzComputer networkNamespaceEmulatorOpen setGame controllerDataflowSpecial unitary groupRouter (computing)Firewall (computing)EmulatorFirewall (computing)SoftwareGame controllerNamespaceRouter (computing)InternetworkingOpen setDataflowJSONComputer animation
13:50
Computer networkChainUser interfaceLink (knot theory)SoftwareSharewarePrime idealRight angleWindowSoftware testing2 (number)Digital mediaIP addressLink (knot theory)JSONProgram flowchartSource codeXMLComputer animation
14:52
Computer networkQueue (abstract data type)Plane (geometry)Process (computing)outputPresentation of a groupView (database)Group actionTouchscreenQueue (abstract data type)Kernel (computing)Table (information)SpacetimeComputer programSource codeComputer animation
16:07
Module (mathematics)Queue (abstract data type)Line (geometry)Direct numerical simulationCodierung <Programmierung>Module (mathematics)Queue (abstract data type)Escape characterJSONComputer animation
16:42
Physical systemSpywareAddress spaceIdentity managementSoftware testingLastteilungBlock (periodic table)State of matterReflection (mathematics)VolumeSpywareMathematicsInternetworkingOpen sourceTraffic reportingAddress spaceWeb pageConnected spaceIP addressServer (computing)Autonomous system (mathematics)Reflection (mathematics)RoutingSemiconductor memoryPhysical systemLastteilungVideo gameState of matterDifferent (Kate Ryan album)Router (computing)Software testingPhysical lawDenial-of-service attackIdentity managementDot productSineForcing (mathematics)VolumeHTTP cookieComputer animationJSON
19:27
InternetworkingState of matterVolumeReflection (mathematics)Address spaceReflektor <Informatik>UDP <Protokoll>Web service1 (number)SharewareInternetworkingDenial-of-service attackServer (computing)NumberComplex numberWeb serviceAddress spaceDirect numerical simulationOpen sourceInformationReflection (mathematics)Computer animation
20:44
DivisorDensity of statesComputer networkComputer wormDependent and independent variablesDirect numerical simulationComputer wormBand matrixDivisorDependent and independent variablesWeb servicePerturbation theoryMultiplication signDirect numerical simulationDifferent (Kate Ryan album)Reflection (mathematics)Point (geometry)Computer animation
21:23
Reflection (mathematics)SoftwareWeb 2.0InternetworkingSystem callRouter (computing)Server (computing)Digital rights managementData storage deviceInformationState of matterSeries (mathematics)BitWeightDecision theoryProgram flowchart
21:59
SharewarePell's equationMaxima and minimaDivisorSet (mathematics)Router (computing)Web serviceReflection (mathematics)Motion captureAddress spaceBitInterface (computing)Link (knot theory)IP addressSource code
23:19
Dependent and independent variablesAddress spaceGreatest elementDependent and independent variablesMotion captureMereologyComputer wormPairwise comparisonComputer animationSource code
23:56
Band matrixDivisorDependent and independent variablesDirect numerical simulationUDP <Protokoll>Web serviceInternet service providerForm (programming)SurfaceSpywareLatent heatAreaAutonomous System (Internet)StatisticsBand matrixReflection (mathematics)RoutingMultiplication signWeb serviceCodeDivisorForm (programming)Computer wormSurfaceSampling (statistics)InternetworkingSpywareInternet service providerDependent and independent variables2 (number)CASE <Informatik>Incidence algebraSoftwareAutonomous system (mathematics)Address spaceComputer simulationBlock (periodic table)Source code
27:10
InternetworkingSpywareInternet service providerBlogDirect numerical simulationSpacetimeDependent and independent variablesEmailLatent heatPC CardClient (computing)Link (knot theory)Internet service providerSoftwareSpywareRoutingDirect numerical simulationMultiplication sign4 (number)Flow separationRouter (computing)Client (computing)Dependent and independent variablesServer (computing)Computer-assisted translationCycle (graph theory)InternetworkingSpacetimeTelecommunicationWeb serviceInformationAutonomous system (mathematics)Windows RegistryElectronic mailing listPublic key certificateLoginIP addressWeb pageGoodness of fitWeb 2.0Validity (statistics)FreewareAutonomic computingProgram flowchart
30:46
SharewareEmailSpywareSoftwareWeb 2.0Server (computing)SharewareWebsiteIntegrated development environmentGoodness of fitProgram flowchartComputer animation
31:24
Integrated development environmentSoftwareAutonomous system (mathematics)Server (computing)Web 2.0Greatest elementTable (information)Physical systemJSONSource codeComputer animationProgram flowchart
32:04
Autonomous system (mathematics)Right angleTable (information)SpacetimeServer (computing)Web 2.0RoutingGreatest elementWebsiteSource codeXML
32:49
SpywareRouter (computing)Control flowBlock (periodic table)Computer networkWeb serviceFirewall (computing)Level (video gaming)RippingPhysical systemAutonomous system (mathematics)RoutingWeb 2.0Operator (mathematics)Server (computing)Intrusion detection systemInternet service providerSoftwareInternetworkingGroup actionWeb serviceLevel (video gaming)Firewall (computing)Term (mathematics)BitStreaming mediaState of matterGame controllerSpacetimeDirect numerical simulationRouter (computing)Program flowchartSource code
35:25
Router (computing)Direction (geometry)TelecommunicationEndliche ModelltheorieIP addressAddress spaceElectronic mailing listRoutingMereologyRouter (computing)Game controllerSoftwareTelecommunicationAttribute grammarSynchronizationFirewall (computing)Filter <Stochastik>Carry (arithmetic)1 (number)Internet service providerIntrusion detection systemEndliche ModelltheorieDependent and independent variablesCASE <Informatik>SurgerySinc functionProgram flowchart
37:15
In-System-ProgrammierungRouter (computing)Server (computing)RoutingNumberRouter (computing)SequenceInformationConnected spaceDependent and independent variablesNeuroinformatikBitRight angleProgram flowchart
38:26
Inclusion mapACIDTabu searchSound effectRouter (computing)BitSharewareDependent and independent variablesAddress spaceWeb 2.0Web pageIP addressServer (computing)GodConnected spaceProgram flowchartComputer animation
40:03
SharewareControl flowComputer networkSteganographyState observerTelecommunicationAsynchronous Transfer ModeTouchscreenSoftwareGame controllerSteganographyState observerInjektivitätFlagCovering spaceNumeral (linguistics)Degree (graph theory)BitEmailBit rateSource codeComputer animation
41:09
Control flowEmailComputer wormKeyboard shortcutNormal (geometry)InternetworkingBimodal distribution
41:45
Control flowSpacetimeMultiplication signFlagClosed setProgram flowchart
42:48
InternetworkingControl flowInternetworkingSharewareScaling (geometry)Metadata
43:25
SharewareAutonomous system (mathematics)Server (computing)Web 2.0Arithmetic meanSoftware testingConnected spaceLocal ringAsynchronous Transfer ModeScripting languageCuboidGoodness of fitCovering space
45:25
SharewareControl flowTouchscreenLevel (video gaming)TrailConnected spaceComputer animation
46:12
Computer animation
Transcript: English(auto-generated)
00:00
Alright, so, it may be the last day, but we still have first-time speakers, and we have a first-time speaker here. In case you weren't aware, first-time speakers must hydrate before they speak, so he is elected for hydration, and we're going to give it to him.
00:23
Here's to you guys. If you sat through that autonomous talk yesterday, you should probably get a shot.
00:56
Hey, thanks for coming. Today we're going to be talking about the internet and internet security.
01:04
Over the next 45 minutes, we're going to go over a little bit of fluff, who I am, why I'm here. We're going to go over some remedial networking, because there may be some network pros out here. I'm sure there's at least one person who's around the birth of the internet and has
01:21
the staff made from transatlantic cable, and will be casting spells on me if I say anything wrong, but there's a pretty wide range of people here. We've got reporters, we have security experts, we have people who specialize in networking, people who never deal with networking at all. So we're going to go over just some of the basic concepts, and then we're going
01:41
to transition to the basics of how the internet works itself. For those of us who don't have a home Cisco lab and aren't set up to build a home network and try some of the attacks we're going to go over today, we're going to go over some tools you can use to build your own internet at home, and then we're going to go over
02:08
some tools we can use to break it. We're going to go over some of the ways the internet is already broken, we're going to do some demos of some of the attacks that are out in the wild right now, and then we're going to explore some ways that we can damage the internet a little bit more.
02:25
Now, who am I? I'm Lane Broadbent, I'm a security engineer with Vivint Inc. Vivint is a home security home automation company, also does cloud storage, and is a wireless internet service provider. Some of you may know us, some of you may have had our sales guys come to your door.
02:47
The demos and tools that I'll be using today, you can get on GitHub. I'll be posting them after the talk, as soon as I can get reliable internet access. Not exactly sure when that will be, but I'll try and get them up today, definitely.
03:03
Now, what spawned this? Here's an announcement from USCERT mentioning, well, talking about how nation states are targeting internet infrastructure devices and internet routers. Now, mostly when we talk about routers being attacked, what we're talking about is
03:22
home routers with poorly configured credentials and backdoors from firmwares that haven't been updated in a long time. But there's also the routers that make up the core infrastructure of the internet that have to be considered, and those are what we're going to talk about today.
03:40
Now, a little bit of remedial networking. Here we have an IP address in signer block notation. An IP address is a 32-bit number. I'm sorry, this slide actually didn't come out too great, but an IP address is generally broken up into four blocks of eight called octets, and this is octet notation.
04:04
And after the slash is your subnet mask. So the first 24 bits of our IP address signify our network address, or as we'll be calling it from here on, our prefix. For addresses that have the same network address as you on, say, your homeland, as
04:24
a simplification, generally you can access them directly. For those that have a different network address, you generally have to go through a device called a router. Routers are connected to multiple networks, and they'll take that packet, they'll look at where it's trying to go, and they'll compare it to the information they have
04:42
about where they can get to. Now routers will have different routes to different networks, and there may be multiple routes that'll match. So they'll go through the most specific route, or the route with the longest match. So quick example, that first one, 10 dot slash eight, doesn't match at all.
05:01
So that's not a route that's going to be taken. That leaves us with two routes that do work. However, one is a slash 23, and the other is a slash 24. 24 bits is longer than 23 bits, so the router's going to choose that route and send the data that direction.
05:22
Now I keep saying router. I know a lot of you probably cut your teeth on these. Raise your hand if you have one of these laying in your closet somewhere. That's right. Now these are generally called routers, but what they are really is it's a converged device. They're a wireless access point, they're DHCP server, firewall, they provide NAT,
05:42
DNS server, they have an Ethernet switch, web server configuration, and they also act as a router, which is connecting those two networks and forwarding traffic between them. What we're going to be talking about today generally look more like this. This is a dedicated router, and what it does is it functions as a router, and also if
06:04
you need a nap, it's an excellent space heater. So quickly, what is the Internet? Yeah. One of our elected officials in an earlier net neutrality debate informed us that the Internet is a series of tubes.
06:24
So let's talk about some of those tubes. Here we have a greeny hacker. He hasn't earned his black hoodie yet. He's trying to get to the DEF CON website. Here he has this tube, and that's kind of what it feels like usually. You type in an address, you hit enter, and all of a sudden the website shows up on
06:41
your screen. What's really happening is closer to this, where to get from one side to the other, you have to go through a series of intermediate networks, and these are called autonomous systems. These autonomous systems are what actually make up the Internet. There is no one provider that gets you from point A to point B.
07:01
You have these different systems, such as your ISP, which then connects to another autonomous system that it forwards the traffic to and so on until you get to your destination. So what is an autonomous system? It's a network of groups of networks under control of a single entity. Here's an example here of Vivint Wireless, a company I work for, identified by
07:24
autonomous system number. It connects to and routes traffic between one or more other autonomous systems. So this autonomous system connects to a hurricane electric and level three communications, and they announce an internal IP address space, and address
07:41
space is learned through their peers that they can forward traffic to. This autonomous system advertises these two particular routes as well as others. Here's a graph I pulled off Hurricane Electric's website, which has some great BGP tools, if you want to learn about BGP. Here you can see we're connected to level three and Hurricane Electric.
08:03
And then those two autonomous systems connect to a large number of other autonomous systems. Now, level three is what's called a tier one network. Tier one networks are the big dogs. If you think about the Internet, they would be the core of the Internet. From a tier one network, you can get to any address that's publicly available
08:23
on the Internet. They generally have thousands of miles of cables spanning countries, if not continents, and they don't pay anybody for access to their networks. It's either they have a no-cost agreement with other tier one networks, or they have other networks that pay them.
08:42
Hurricane Electric happens to be a tier two network because they pay somebody else, but then they have a large number of people who also buy their services and access to their network. Now, all these autonomous systems communicate over the border gateway protocol so that they can exchange routing information.
09:01
So autonomous systems, they will agree to interconnect. There's a business agreement. You pay for access to a network, or you are paid, or you have a transit-free agreement. And then your autonomous systems, your BGP routers will then announce their routes to their neighbors.
09:21
So you connect to another autonomous system, and it says, I can reach this address space, and this is how I can reach it. That's the AS path and the prefix. And then when a packet comes in that needs to get to a destination, the most specific prefix, the most specific route, the route with the longest match is chosen, and the data is forwarded through that next autonomous system.
09:43
After that, the shortest path, and there's other attributes, and local admins can set policies to prefer certain networks as well. Now, I said BGP, they'll announce a space. So here we have three different autonomous systems, each one with its own prefix that it's going to be announcing.
10:00
So we're going to look at autonomous system three and follow its announcement over to autonomous system one. Autonomous system three says, hey, I can route to 13 slash 8. It tells that to autonomous system two. Autonomous system two then records that, says, hey, I can get to this prefix through autonomous system three. It then announces that to its neighbor, autonomous system one,
10:23
and autonomous system one now knows that it can get to 13 slash 8 through autonomous system two and autonomous system three, which is where the address space is serviced. And then that continues, and eventually every autonomous system on the Internet
10:40
knows how to get to 13 slash 8. Really quick primer on BGP announcements. Something to note about the border gateway protocol and autonomous systems. There's no central authority that actively monitors, manages, and enforces who can announce a prefix. When you're assigned a prefix through IANA and its regional registrars,
11:03
the same unit will receive an address block. Now, there's no definite link between an autonomous system and an address block. You can also have an autonomous system without an address block, and you can have a block of addresses without having an autonomous system.
11:23
There's nothing that says that one person can announce a certain space. And then when you come with an agreement to peer your autonomous systems, it's really who manages that is between those two autonomous systems,
11:41
they'll agree, hey, you can pass this information to me, and I will then pass that routing information on to the neighbors. There's no central authority that says this person can announce this route, and there's some pretty good reasons for that as well. An autonomous system can connect and disconnect to its neighbors at will. You can always take down your link, and when you do that, your route will disappear and your traffic will take a different route.
12:04
You can take your IP addresses, you can move into a different autonomous system. If you have a provider that's announcing your address space for you and you want to upgrade, or say you're under an attack and you want to move to a different provider, then you do that. You say, announce this space for me, and they start announcing the space.
12:22
They don't have to check with anyone to make sure they can do that first. And you can also announce from multiple locations. Anycast traffic will... Anycast, what it does is you'll have multiple geographic locations so it'll announce a certain space, and your traffic goes to the closest one. Google's DNS and other DNS servers do that, for example.
12:43
And something to note, since the routing decision is made at every autonomous system along the way, there's no definite path that your traffic's going to take. You can take one path to the destination, and then the return traffic can always take a different route. So, let's talk about some tools that we can use to build our own Internet,
13:02
see how this all works, and then destroy it. First up is Mininet. Mininet is a network emulator that you can use to stand up a realistic network on your host. It doesn't require the... You don't have to set aside a host like you would with a hypervisor.
13:24
Well, depending on your hypervisor. It's a simple tool that you can use to create a network namespace and stand up hosts, routers, firewalls. If you want to learn about software-defined networking, it uses OpenFlow switches, and you can set up controllers. Important for this discussion is that it is cheaper than going out
13:41
and buying a bunch of Cisco equipment and setting up a home lab. And it's a lot more flexible, and you don't need the Cisco knowledge to do it. And it's incredibly fast. So, I say it's fast, so let's do a little demo and see how fast we can set this up. Let's create this network here. Nine hosts, four switches. Let's get over here.
14:05
Primed. All right. So, really quick, we're going to set up... Okay, not so quick. I guess we'll do it in Windows Media Player then.
14:22
Okay, so we ran the command. It set up the network. It created all of our hosts, created links between the switches. Oh, it's getting ahead of me now. We just did a ping test between all of them. They can all communicate with each other. We can run commands on the hosts, so we're going to tell one host to ping another host. That works.
14:40
And just to show we can still run commands, let's get the IP address. All right. So, now we've set up a network. We communicated with the hosts, and that was all in 21 seconds to set up that network. And how do I get back into presentation on this?
15:04
No, that wasn't it. Somebody shout out. How do I get this... You say you? View. There we go.
15:20
Full screen. See, that's why. It's a good group to have a technical problem with. All right. So, another tool we're going to use is NFQ and libnetfilterq. NFQ is an iptables target that basically, instead of accepting, dropping, or rejecting a packet, it allows you to throw it into a queue.
15:40
And that queue is then accessible from userspace. You can have a program in userspace, examine that packet, make the routing decision, and pass it back down to the kernel. You can also modify that packet before it's accepted. Really quick to set it up. Here's the command iptables. We're going to add NFQ. And we're going to send traffic to destination port 23 to NFQ.
16:03
And from there, it's accessible from userspace. Now, what do we use to deal with those packets? We're going to use Scapy. For those of you who aren't familiar, Scapy is a Python module that allows for packet manipulation, decoding. We can craft raw packets. And we can interact with the NFQs.
16:23
Now, we can craft packets. And what we have here is a quick one-liner to generate a DNS request without going through the different layers. We set the destination. We're saying UDP. We're going to make it a DNS packet, put a name in it, and then we send it.
16:40
And that's it, one line. Okay, so let's get back to the internet. Now, how can we exploit the internet? There's two main things we're going to talk about today, IP spoofing and prefix hijacking. IP spoofing is changing the source address on your packets as you're sending them out.
17:00
Why you might want to do this? You want to hide your identity, impersonate somebody else to incriminate them or just annoy them. Or you could be doing it for legitimate reasons like load balancing or testing. Again, here's another one-liner for Scapy where we're going to forge the IP address of a packet and send it out. So why does this work?
17:22
The routers aren't necessarily examining the source of a packet. Their main concern is the destination. And they're not always configured to care where the packet came from. So it's hard to say that a certain autonomous system shouldn't carry the packet because the routes aren't set and those IP addresses are portable.
17:42
And it's easier to trust somebody than to distrust them. You have a relationship with somebody, you trust them to be doing what they're supposed to and not making your life more difficult. So you say, okay, they must be sending me legitimate traffic. There's also the issue that some people don't care or they haven't configured their systems correctly. An example of this is Bogon routes
18:02
where an autonomous system will advertise private address spaces like 10 dots, 192.168, various address spaces that shouldn't be used on the public Internet. If you want to see who's doing that, Hurricane Electric has another page. They'll give you a report of different people who are sending out Bogon routes.
18:21
It's actually kind of interesting. Okay. So using IP spoofing, what can we do? We're going to talk about state exhaustion attacks, specifically SYN floods, and we're going to do that really quickly because it's kind of solved, but we're going to come back to that later. And volumetric attacks, specifically reflection attacks.
18:41
Really quick SYN floods, older attack, TCP. To form a connection, you have to go through a three-way handshake where you send a SYN packet to a server. The server responds with SYNAC and then you acknowledge their SYNAC. You synchronize and you now have a session with them. Initially when doing that, the server would set aside a certain amount of memory
19:02
to track that session waiting for the SYNAC packet because of course the person is going to respond correctly to it and everyone is going to be happy and they're going to communicate. You send a lot of SYN packets. It consumes a lot of resources. The server is no longer able to take new connections. Mostly solved with things like SYN cookies, but we're going to show how we can do something similar to that again.
19:26
Now volumetric attacks, specifically reflection attacks. We're going to have a demo where we go through one of the more dangerous ones that are on the internet today. Really quick though, IP spoofing. Let's say we want to talk to a DNS server. Host A says, host B, what's the address for I love puppies
19:43
with a source address of host A. It responds back looking at the source address and says, host A, I love puppies is that whatever address. All right, so let's say we want to spoof. Host B, give me everything you know about I love puppies, sincerely host C. We're going to throw host C's address on as a source address.
20:03
It then responds to host C with all the information. Host C says, huh, I didn't ask for that. So now we can scale that up. We can have our botnet, all of our zombies that are then sending spoofed requests to a large number of DNS servers
20:21
or other UDP services. These are going to act as reflectors. And they're all going to have a source address of whoever we want to target. So our botnet's going to send a lot of traffic to our reflectors. The reflectors are going to send an even larger amount of traffic back to our target. Our target's not going to be able to handle it. And that's the premise behind a distributor reflection
20:43
denial of service attack. So one way of classifying these is a bandwidth amplification factor. US cert uses that. Basically what it is is you're looking at the size of the payload and the responses and comparing that to the payload in the request.
21:01
Now certain UDP services have different bandwidth amplification factors. BitTorrent 3.8. So for every byte you send, it's going to respond to 3.8 times as much to whoever your target is. SNMP v2 is 6.3. DNS 28 to 54. NTP 550 about. And then the latest hotness is memcache.
21:24
So what memcache is is an in-memory data store that basically allows you to put information in quickly and then quickly retrieve it. It's often used with web servers to manage web session state. 10,000 foot overview there.
21:40
So let's set up this attack. Let's set up a network in Mininet, use the tools that we have, and perform it. So we're going to simplify it a little bit. We know the Internet is just a series of routers that make routing decisions, so we can replace that with one router. We'll call that the Internet. And then we have our attacker, our reflector, and our target. So let's see how this works.
22:20
So really quick, set up our lab. We created our three hosts, our router, and set up links between them. In the background, we've got a packet capture running. Really quick, so it shows on the packet capture, we're just going to send a ping from our attacker to our reflector. Okay. And another one, yada yada.
22:47
All right, so let's start up our memcache service on our reflector. We're going to tell it we want to listen on all ports and all address interfaces and that we want it to use UDP. All right, and let's quickly send our one spoof packet.
23:08
Now there's a little bit of magic sauce behind this to get a higher amplification factor, but we don't change any of the settings in it. And then we've sent our one packet using our target's IP address.
23:24
So let's see what happened. Like I said, we had a packet capture running in the background. All right, so here is the spoof packet that we sent. Highlighted there. It's got about 15 bytes worth of payload, a single packet.
23:40
And also for comparison, you've got our pings so we can see that we did actually spoof the address. Here's the response. So the bottom one there is packet 761. That's part of the response. And these are full UDP packets. So what do we have? We sent one packet with 15 bytes worth of payload. And our response was 753 packets with 1,051,705 payload bytes.
24:09
So that gives us a bandwidth amplification factor of about 70,000. And for those of you who have been spending too much time in the wireless village, here it is in decibels.
24:22
All right, so, according to U.S. Start memcached, 10,000 to 50,000 bandwidth amplification factor, we just showed it can be 70,000. It seems to be some area of debate how effective this is, but as you can see, no matter what, it's a very effective attack. Earlier this year, this attack was used to generate 1.7 terabit per second of traffic towards the service.
24:49
When you're dealing with that, you're not actually taking down the services running on the hosts. You're not necessarily taking down the hosts either. What you're doing is you're taking down all the infrastructure around it. When you start getting 1.7 terabits worth of traffic,
25:01
your upstream providers are going to start shutting off your ports, because it's taking them down as well. I provide some sample code, but the code I provide is simplified. It doesn't have the magic sauce. It just uses the stats call, so it doesn't produce 70K bandwidth amplification factor.
25:22
So, really quick, what are some defenses? Know your attack surface. Know what services you're running. If you're running UDP services, why are you running them? If you don't need them, shut them off. Form a good relationship with the upstream provider, in case you're the reflector or the target. Make sure that you can work with them to filter your traffic
25:41
and monitor your infrastructure so you know if you're participating. So, let's go on to BGP prefix hijacks. So, what happens in these is, as I showed earlier, autonomous systems learn how to route traffic by announcing their routes to their neighbors. What happens in a prefix hijack is that a malicious autonomous system
26:04
advertises a more specific route than the route that's already out there. If there's a route for a slash 23 and announces a slash 24, all the traffic for addresses within that slash 24 will go to them, because they have the most specific route. The neighbors then pass on this route to their neighbors, and eventually everyone has that route,
26:22
and all the traffic is heading towards that route. An early example of this, in 1997, the AS-7007 incident. A network disaggregated all their routes into slash 24s through their own autonomous system number on it,
26:42
and then advertised that on the internet. So, now that it's 2018, we can do a high-tech computer simulation of what happened to internet traffic on that day. So here, that little pink dot is AS-7007, I think it was in Virginia. They announced their routes, and all the internet traffic started going to them.
27:05
They also apparently turned into the Death Star. So, what happened was, large portions of the internet ended up black-holed for several hours. Also, their upstream providers shut them off, and ended up having to reset large portions of their network.
27:26
Most routes aren't slash 24s, and the equipment in that time wasn't made to handle the entire internet as slash 24s, so the routers would crash, come back up, relearn all the bad routes from their neighbors, crash, and the cycle would repeat. It really couldn't have been better if it had been planned.
27:44
So, there's certain defenses you can have. Here's just a list of them. Probably the most prominent is the routing registry, where you register your routes. Say, this autonomous system is going to be advertised through this, and this IP free fix is going to be advertised through this autonomous system. And there's other ways to ensure that communication is secure, authorized,
28:01
and everyone's on the same page. So, let's see how well that's worked. Here we have, in April 2018, the eatmyetherwallet.com attack. I don't know if any of you... I'm sure nobody here uses cryptocurrency, right? During the hijack, it wasn't actually a hijack against the servers themselves,
28:21
it was a hijack against the DNS infrastructure that MyEtherWallet was using, specifically AWS. Poison DNS requests were returned pointing to a Russian provider. Now, there were defenses in place. Not all networks carried the bad routes, but enough did.
28:41
Really, all you need is one person who's not configured correctly to pass along the information, and all the defenses break down due to these trust relationships. So, really quick, how are things supposed to work? On the left side there, we have a client trying to get to myeatherwallet.com. On the right, Amazon, who Route 53 is providing the DNS services,
29:01
announces its route to the internet. So, it starts to propagate its route. The client asks its DNS server how to get to myeatherwallet.com. It doesn't know, has a miss, so it hits Amazon, it says, hey, how do I get to this? Response is returned. It caches, passes it to the client. Client then connects to myeatherwallet.com and logs in.
29:23
Okay, that's how it's supposed to work. What really happened was that another autonomous system, likely on behalf of one of its customers, began advertising a slash 24 for Amazon's DNS server space, where Amazon was using slash 23s.
29:41
So, advertising more specific routes, when those propagated up, all requests to Amazon's DNS servers then went to this malicious DNS server. The response was returned for a credential harvester. Clients connect to the credential harvester. For some reason, the attackers decided not to get a valid SSL certificate,
30:03
so people were greeted with an SSL warning, and some of them decided not to heed the warning and ended up losing money. So, let's give it a try.
30:22
Credit where credit's due. This is a modification of a lab. Quick note. Defcon 16, there's an awesome attack against the actual IP address for the Defcon web servers, I believe. I'm trying to remember exactly what it was.
30:40
Go check it out. It's good. I'm not going to demo it here because that's their thing. It was awesome. So, here we're going to do a prefix hijack. We're going to modify a demo that's already out there on the MiniNet website if you can get to it, but we've changed it to be a prefix hijack instead of a path hijack. So, here's our three networks. We looked at before AS 1, 2, and 3, advertising 11, 8, 12, 8, 13, 8.
31:05
We have a web server on AS 3. Well, what am I doing on time? Okay, good. Not bad. Not great.
31:24
Okay, so really quick, here's our environment. Top left, we're going to start up our network. Bottom left, we're going to be controlling whether or not
31:41
our autonomous systems are running. On the right, we're going to be trying to hit our web server to see what happens. So, really quick, let's pull the routing table. Okay, so looking at that routing table, sorry, this is broken up. Here's the routing table that we have. From autonomous system 1, it can see that through autonomous system 2
32:01
and autonomous system 3, it can get to 13 slash 8. Alright, so I'm back in our attack. We're now hitting a site on that web server. Over here on the bottom left, we're going to start up our
32:22
autonomous system 4, which is going to advertise a slash 9 compared to a slash 8 for the 13 slash 8 web space, or IP space. And on the right, in a second, you'll see it switching over to the attack on your web server.
32:40
Okay, so pulling our routing table again. We can see that we now have another route. You probably can't see very well, so let's pull it up. We started autonomous system 4, and it announced a more specific route for slash 13, which caused all of our traffic to divert to our malicious web server.
33:02
Now, it's not the most exciting attack, and the reason for that is that everything worked the way it's supposed to. Somebody advertised a better way to get to an IP prefix, so everyone took it. So, without defenses, this is the correct operation.
33:22
So, defenses would be register your routes in an IRR, establish that relationship with the upstream providers so that they know what you're advertising and they're able to defend against people trying to take over your space, filter prefixes that you receive from others. To avoid having your website taken over, use DNSSEC,
33:40
HTTPS with HSTS, and make sure you're monitoring your infrastructure. All right, so let's move on to a little bit more theoretical. So, at the beginning, it showed that alert. It says nation states are trying to take over routers, basically. So, why should nation states get to have all the fun?
34:01
Let's do some of these attacks ourselves. We don't know exactly what attacks are going to be done, but we can make some guesses. And one of the ways we can make some guesses is because we already know what things are going to be done because we can see them now in certain pieces of infrastructure really quick.
34:20
We know that if you have control of a router, as with any, you know, you just think of it as your network monitoring equipment. You can monitor traffic, you can redirect traffic, which we saw. You can modify traffic as it's passing through, you can block traffic, and you can flip the switch and just take down a chunk of infrastructure. Now, we don't really need to imagine much because we already see this in action.
34:40
There's malicious networking equipment widely deployed. Now, malicious is relative to who's performing the operation. So, intrusion detection systems and intrusion prevention systems, other firewalls, Internet service providers doing service prioritization or denying access to certain services,
35:01
and then you have nation-level monitoring and filtering enforcement such as, you know, a country putting up a large firewall to restrict Internet access. So, we can already see what can be done with this because it's already being done. Corporations are already doing it. My cell phone provider is blocking my VPN access for some reason.
35:24
You know, we already see this in action. But what else can we do? So, we know that when you have, we know that you can prevent IP spoofing by registering a route and making sure that people aren't passing bad routes. But we can also defeat that if we have control of one of the routers.
35:42
So, if you have a router on, say, an Internet service provider's network, it has the ability to talk for addresses on that network, and no one's going to question it because it's supposed to be the one carrying that traffic. So, we're doing that. We can defeat prefix filtering. We can spoof any host we want on that network.
36:02
It doesn't need to exist. It doesn't particularly otherwise, but even in this case, we can now have a bi-directional communication. We can send traffic for a host and then receive the response. And we can reduce our botnets from thousands of devices to just a handful of routers. Now, say we can have bi-directional communication.
36:22
Before, you can't really spoof TCP traffic because you have that handshake and you have to be able to go through the synchronization. But since we're receiving the responses, we can now open up TCP sessions other than bi-directional communication that we wouldn't have been able to do otherwise.
36:40
And this is kind of concerning because it breaks our attribution models. A lot of you might get daily, weekly, or whatever threat feeds. Part of what they have is a list of IP addresses associated with certain activities. You throw them into your intrusion detection systems. You block them on your firewalls and that's good.
37:02
But now, we can change our IP address at will because we can act as any of these other devices. We can no longer really trust the IP addresses that we have in our threat feeds. Now, this is on a symmetric route saying it receives a response.
37:22
Now, what can we do if we still want to spoof traffic from a different network and we're not receiving the response? Like I said before, you really can't spoof a TCP connection because you have to synchronize with the server and it's going to be using a randomized sequence number.
37:42
However, if we control one of the routers along the path to that spoofed host, we can still send our traffic from a different portion of the internet and have a full bi-directional, be able to maintain bi-directional communication and go through our TCP handshake. So, we're going to do a quick little attack here.
38:05
We're going to spoof a SYN packet. We're going to capture the response on the second router, the router on the right there, and then we're going to have that router send the information to our attacker computer, specifically the sequence number that it needs to complete the handshake,
38:24
and then we're going to complete the handshake. So, I simplified a little bit for the demo. We're replacing the routers with switches and running our interceptor on the spoofed host, but same effect.
38:54
So, really quick, we're going to see what our IP address is, and we're going to request a page from a web server that's going to respond with our IP address.
39:02
That matches up, 10.0.10.90, and then we're going to make it so we can no longer communicate directly with that host, just for the purpose of the demonstration. So, now we can no longer communicate with the web server, just so you guys believe me, and we're going to spoof a TCP connection.
39:21
So, here we're going to send a SYN packet. It's been accepted and sent back to us, and then we're going to complete the handshake and request traffic. Oh, son of a gun. That went too fast. All right.
39:45
All right. So, here we're making our HTTP request, and here's the response that we received back. We're able to complete our TCP handshake using spoofed traffic and then make a request and receive that response as it's being sent to the address that we're spoofing.
40:05
Now, to do this, we need a communication channel. I've had it out of full screen mode for a while, haven't I? Somebody tell me these things.
40:20
All right. So, we need a control channel to be able to do this. We need to be able to communicate between our interceptor and the host that's doing the spoofing. How can we do this? One way is network steganography. Steganography is hiding data and its presence from an observer. There's numerous ways of doing this with network traffic,
40:40
but some of them are pretty slow. You'll flip a flag in a header, which gives you about one bit per packet. Not the quickest thing ever. But if we want to trade a degree of stealth for increased data rate, what we can do is we can inject traffic into other packets as they're passing through a node and then strip that data out before it's passed on to its final destination.
41:03
And to do this, HTTPS, another encrypted traffic, using that as our cover medium is ideal. Really quick, here's a TCP packet. The payload usually can be up to 1,460 bytes.
41:22
But a lot of traffic either has a full payload or has no payload as an ACK packet. There's a bimodal distribution on the Internet, and basically you'll have a lot of traffic that's being received and a lot of ACK packets for that received traffic. So these ACK packets have a lot of free space that we can use.
41:42
There's nothing that says that you can't send data with an ACK packet. In fact, it's normal. I've got to clap for that. Okay. Oh, yeah. I made a meme. All right.
42:01
So, how are we doing on time? Okay. I can't see anyone anyway. All right. So what I'm proposing is we use excess space that's not being consumed and we inject our own traffic into it. Now, we need to make sure that it can't be read as well. Wait. Yeah.
42:20
We want to make sure that it can't be read, so we're going to encrypt everything. At the end, we're going to put an encrypted counter that says how much data we're going to put in it so that we can quickly then pull that data out, check for the flags at the beginning and the end of the data that we're sending and know if it's actually our traffic or if it's a mistake. So, three steps before we get to our data
42:41
that allows us to quickly toss out traffic that looks like our data but is not, if that makes sense. Sorry, I'm rushing to make sure I get this closed. Why are we going to use HTTPS? Most of the internet is HTTPS. It's expensive to monitor HTTPS traffic and there's little value in recording it. You can gather metadata about it,
43:01
but if you record HTTPS traffic at large scale, what you have is a bunch of data that you can't read that's going to fill up your drives. And when properly implemented, encrypted data is pretty much statistically indistinguishable from random data. So, we can take this already encrypted data, throw our encrypted data on the end
43:20
and there shouldn't be any way of determining that we've added data. This was the demo that I was going to do. As you might be able to guess, it ended up being kind of busy. So, we're going to simplify it and we're going to do a demo just between two hosts that have had their traffic blocked, basically. On this, let's say autonomous system one
43:41
and autonomous system four, just to show that it works. So, we're going to bypass some blocking through our covert channel. Don't let me forget to go back in full screen mode. On you guys. All right.
44:04
So, here we're just testing that we can reach the web server on 10.0, 10.90. And then we're going to set up a listener using our tunnel on local host 8765. Now, we've just blocked access to it on port 80 so we can no longer directly access
44:21
that web server on port 80. So, now, and that still doesn't work. So, now we're going to start our covert channel. What we're going to do is, we're going to start on the other end. We've already started our listener and then we're going to quickly run the script, starts the listener, on this end that creates the channel,
44:41
and then gives us a bunch of covert traffic and I'm just using watch and coral command to generate a bunch of HTTPS traffic. Okay. So, we've started it. And let's see. So, now, we have a channel that we can use.
45:03
Here's our HTTPS request we got to the server that we couldn't access before. What we did is we hit a local listener on our box, sent that over the tunnel using HTTPS traffic as our covert medium, and then had the other side complete the connection to the web server and return that traffic back to us.
45:23
So, a means of creating a covert channel there. And what does that look like at the packet level? And going back into full screen. Yes. So, here's the original packet and then here's the packet with our data added onto it. And at the end, I left the counter unencrypted
45:44
so we can look at that. So, what you have is traffic that looks like the traffic that we already have there, generally indistinguishable from what should be there. Now, if you're going to monitor sessions and keep track of acknowledgments, you might be able to detect this is going on. But if this isn't on a connection
46:01
that you would expect to be malicious or you want to monitor, chances are you're not going to be doing full session monitoring and this is going to slide by along with the other terabytes of HTTPS traffic. Okay. Thanks for listening. Appreciate you coming.