LTRSEC-2004
@ciscoliveeurope, #CLEUR
Housekeeping
- We value your feedback: don't forget to complete your online session evaluations after each session and the Overall Conference Evaluation, which will be available online from Thursday
- Visit the World of Solutions and Meet the Engineer
- Visit the Cisco Store to purchase your recommended readings
- Please switch off your mobile phones
- After the event, don't forget to visit Cisco Live Virtual: www.ciscolivevirtual.com
- Follow us on Twitter for real-time updates of the event: @ciscoliveeurope, #CLEUR
Cisco Public
Agenda
- State of Network Security
- Threat Models for IP Networks
- Six-Phase Methodology
- Telemetry Data: NetFlow, Flexible NetFlow, and DNS
- Identifying and Reacting to Attacks with Cisco Firewalls
- Remotely-Triggered Black Hole (RTBH) Filtering
- Policy, operations, and design are more important than any single device
- Network security system: a collection of network-connected devices, technologies, and best practices that work in complementary ways to provide security to information assets
The clear distinction between human error and a malicious attack is intent. Protection against both malicious and unintentional attacks must be considered.
- An outage is an outage
Threat categories (threat: description)
- Attacks against IP control-plane services: affect network availability and operations
- Unauthorized access attacks: attempts to gain unauthorized access to restricted systems and networks
- Software vulnerabilities: a software defect that may compromise the confidentiality, integrity, or availability of the device and of data-plane traffic
- Malicious network reconnaissance: gathering information about a target device, network, or organization; enables the attacker to identify specific security weaknesses that may be exploited in a future attack
- Attacks against DHCP, DNS, and NTP
Spoofing Attacks
Miscreants Spoof Packets to Cause Havoc in the Network
Which parts of the packet can be spoofed?

IP Header
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

TCP Header
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    16-bit src port number     |    16-bit dst port number     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    32-bit sequence number                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 32-bit acknowledgement number                 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  THL  |   Rsrvd   |U A P R S F|      16-bit window size       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      16-bit TCP Checksum      |     16-bit Urgent Pointer     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

L7: HTTP GET URL CGI ... www.victim.com

Spoofable fields:
- Source IP address (bypass ACLs)
- TCP flags (SYN, RST, etc.) and TCP port numbers (consume host resources, reset sessions, etc.)
- Fragmentation parameters
- Spoofing most often happens in combinations (several fields at once)
Rogue devices
- Rogue devices will be as easy to insert into an IPv6 network as in IPv4
Flooding
- Flooding attacks are identical between IPv4 and IPv6
Collateral Damage
- Attacks may have additional consequences beyond the intended target
- A DoS attack against one remote network may adversely affect other networks, resulting in collateral damage and a wider impact
- Collateral damage must also be considered when evaluating the risk and impact of potential attacks
Six-Phase Methodology (Preparation, Identification, Classification, Traceback, Reaction, Post-mortem)

Identification: How do you know about the attack? What tools can you use? What is your process for communication?
Classification: Where and how is it affecting the network?
Traceback: Where is the attack coming from?
Reaction: What options do you have to remedy? Which option is the best under the circumstances?
Develop security policies that can take advantage of this uniform addressing
- Control Plane Policing can allow iBGP from all peers with a single ACE
- ACLs can identify traffic from guest, wireless, or otherwise untrusted subnets more easily
2012 Cisco and/or its affiliates. All rights reserved.
Non-contiguous wildcard masks can be used in ACL rules to apply one rule consistently across subnets
- 10.0.1.0/24, 10.1.1.0/24, 10.2.1.0/24, 10.3.1.0/24, etc., can be matched with a single ACE using 10.0.1.0 0.255.0.255
- Possible but not always recommended: the wildcard ignores the whole second octet, so the ACE also matches 10.4.1.0/24 through 10.255.1.0/24, and such rules are hard to audit
Figure: 2ndcase.com example network zones: Internal, External, WAN Servers, External Servers, Employees, Labs
Production
- Considerable safeguards between corporate and public zones
- Protect data transiting steep trust gradients
- Communication security: confidentiality, integrity, authentication
Figure: example enterprise topology with zones DNS, Finance, ISP, Internet Access, DMZ, Corporate Core, Dev, Web Apps, Ops (shown again with the Internet as the external zone)
Figure: Internet (AS1, AS2, AS3) with transit links, service provider core network, and enterprise network with internal assets and servers, e-mail and web servers, and remote access systems; X marks at the edge, core, and transit links.

Device-hardening techniques applied at the edge and core:
- Receive ACLs
- Control Plane Policing (CoPP)
- ICMP techniques
- QoS techniques
- Routing techniques
- Disable unused services
- Protocol-specific filters
- Password security
- SNMP security
- Remote terminal access security
- System banners
- AAA
- Network telemetry
- Secure file systems
Lab Overview
All equipment is located at a Cisco location. There are 10 student pods, each with:
- Two 2811 routers
- One ASA 5510 with embedded IPS (AIP)
Lab Infrastructure
- Attackers
- Victim servers
- Switches and routers
We are here to teach and you are here to learn, please do not hesitate to ask for help! We are very friendly, I promise!!! ;-)
What is NetFlow
Packet capture is like a wiretap; NetFlow is like a phone bill. This level of granularity allows NetFlow to scale to very large amounts of traffic.
- We can learn a lot from studying the phone bill: who is talking to whom, over what protocols and ports, for how long, at what speed, and so on
- NetFlow is a form of telemetry pushed from routers and switches; each one can be a sensor
NetFlow Versions
Version 1: Original
Version 5: Standard and most common
Version 7: Specific to Cisco Catalyst 6500 and 7600 Series Switches; similar to version 5, but does not include AS, interface, TCP flag, and TOS information
Version 8: Choice of 11 aggregation schemes; reduces resource usage
Version 9: Flexible, extensible export format to enable easier support of additional fields and technologies; coming out now are MPLS, multicast, and BGP next-hop
1. Inspect a packet's seven key fields and identify the values
2. If the set of key field values is unique, create a flow record or cache entry
3. When the flow terminates, export the flow to the collector
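The three steps above, worked through in code. This is an added example, not code from the Cisco deck: packets are reduced to the seven NetFlow key fields, a new key creates a cache entry, a known key updates the counters, and an entry is exported when the flow terminates (TCP FIN/RST) or goes idle past an inactive timeout. The exported records are then read the way an analyst reads a phone bill: one source producing many one-packet, SYN-only flows toward many ports is the signature of a scan or SYN flood. All packets below are constructed sample data; the timeout value and the 80% threshold are assumptions.

```python
"""Minimal NetFlow-style flow cache plus a phone-bill style classification."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits as carried in NetFlow v5


@dataclass
class FlowRecord:
    key: Tuple            # (src, dst, sport, dport, proto, tos, input ifindex)
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0    # OR of every flag seen, as NetFlow v5 reports it


class FlowCache:
    def __init__(self, inactive_timeout: float = 15.0):   # assumed timeout
        self.inactive_timeout = inactive_timeout
        self.cache: Dict[Tuple, FlowRecord] = {}
        self.exported: List[FlowRecord] = []

    def observe(self, pkt) -> None:
        """Step 1: read the key fields; step 2: create or update the cache entry."""
        ts, src, dst, proto, sport, dport, tos, ifindex, flags, size = pkt
        self._expire_idle(ts)
        key = (src, dst, sport, dport, proto, tos, ifindex)   # the seven key fields
        rec = self.cache.get(key)
        if rec is None:                                       # unique key -> new record
            rec = FlowRecord(key=key, first=ts, last=ts)
            self.cache[key] = rec
        rec.last = ts
        rec.packets += 1
        rec.octets += size
        rec.tcp_flags |= flags
        if proto == 6 and flags & (FIN | RST):                # step 3: terminated -> export
            self._export(key)

    def _expire_idle(self, now: float) -> None:
        idle = [k for k, r in self.cache.items() if now - r.last > self.inactive_timeout]
        for key in idle:
            self._export(key)

    def _export(self, key) -> None:
        self.exported.append(self.cache.pop(key))

    def flush(self) -> List[FlowRecord]:
        """Export everything still cached (active timeout or exporter shutdown)."""
        for key in list(self.cache):
            self._export(key)
        return self.exported


def classify_scanners(records: List[FlowRecord], min_flows: int = 5) -> List[str]:
    """Sources whose TCP flows are at least 80% one-packet, SYN-only flows."""
    per_src: Dict[str, Tuple[int, int]] = {}
    for r in records:
        src, proto = r.key[0], r.key[4]
        if proto != 6:
            continue
        total, suspicious = per_src.get(src, (0, 0))
        syn_only = r.packets == 1 and r.tcp_flags == SYN
        per_src[src] = (total + 1, suspicious + int(syn_only))
    return sorted(s for s, (t, sus) in per_src.items() if t >= min_flows and sus / t >= 0.8)


def sample_packets():
    """Constructed traffic: one normal HTTP session, one DNS query, one SYN scan."""
    c, s = "10.1.1.10", "192.0.2.80"
    pkts = [
        (0.00, c, s, 6, 54321, 80, 0, 1, SYN, 60),
        (0.05, s, c, 6, 80, 54321, 0, 2, SYN | ACK, 60),
        (0.10, c, s, 6, 54321, 80, 0, 1, ACK, 52),
        (0.20, c, s, 6, 54321, 80, 0, 1, ACK, 500),       # GET
        (0.30, s, c, 6, 80, 54321, 0, 2, ACK, 1500),      # response
        (0.40, c, s, 6, 54321, 80, 0, 1, FIN | ACK, 52),
        (0.45, s, c, 6, 80, 54321, 0, 2, FIN | ACK, 52),
        (2.00, c, "192.0.2.53", 17, 5353, 53, 0, 1, 0, 80),
    ]
    for i, port in enumerate((21, 22, 23, 25, 80, 443, 3389)):   # scan from outside
        pkts.append((1.0 + i * 0.01, "198.51.100.7", s, 6, 40000 + i, port, 0, 2, SYN, 44))
    return sorted(pkts, key=lambda p: p[0])


def run_demo():
    cache = FlowCache()
    for pkt in sample_packets():
        cache.observe(pkt)
    records = cache.flush()
    return records, classify_scanners(records)


if __name__ == "__main__":
    recs, scanners = run_demo()
    print(f"{len(recs)} flows exported; suspected scanners: {scanners}")
```

The classifier only looks at what the export carries (packet count and the OR of TCP flags), which is exactly why NetFlow scales: the collector never needs payload to tell a scan from a session.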
NetFlow: Internal Threat Information Resource

router(config-if)# ip flow ingress
router(config)# ip flow-export destination 172.17.246.225 9996

- NetFlow is available on routers and switches
- Provides syslog-like information without having to buy a firewall
- One NetFlow export packet carries information about multiple flows: a header (version number, record count, sequence number) followed by a series of flow records
NetFlow Performance
http://www.cisco.com/en/US/products/ps6601/products_white_paper0900aecd802a0eb9.shtml
NetFlow v9 export packet layout

Packet Header: version, number of records, sequence number, source ID
Template FlowSet (FlowSet ID 0):
  Template Record, Template ID #1 (specific field types and lengths)
  Template Record, Template ID #2 (specific field types and lengths)
Data FlowSet, FlowSet ID #1: Data Record (field values), Data Record (field values)
Data FlowSet, FlowSet ID #2: Data Record (field values)
Option Data FlowSet, FlowSet ID: Option Data Record (field values), Option Data Record (field values)

- Matching ID numbers is the way to associate a template with its data records: a Data FlowSet's ID is the Template ID that describes it
- The header follows the same format as prior NetFlow versions, so collectors can be backward compatible
- Each data record represents one flow
- If exported flows have the same fields, they can be described by the same template record; for example, unicast traffic can be combined with multicast records
- If exported flows have different fields, they cannot be described by the same template record; for example, BGP next-hop cannot be combined with MPLS-aware NetFlow records
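The template-to-data association described above, as an added example that is not part of the Cisco deck. It builds a constructed v9 export packet (header, one Template FlowSet carrying template ID 256, one Data FlowSet with FlowSet ID 256), decodes it by looking the FlowSet ID up in the template table keyed by source ID, tracks the header sequence number to detect lost export packets, and shows the collector-side caveat this layout implies: a Data FlowSet whose template has not been seen yet cannot be decoded and must be counted or buffered, never guessed. Field type numbers are the standard v9 ones; the uptime, timestamp and source ID values are arbitrary.

```python
"""NetFlow v9 decoding: templates first, then data flowsets keyed by template ID."""
import socket
import struct
from typing import Dict, List, Tuple

FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 6: "TCP_FLAGS",
               7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
Template = List[Tuple[int, int]]    # (field type, field length) pairs


def decode_field(ftype: int, raw: bytes):
    return socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")


class V9Collector:
    def __init__(self):
        self.templates: Dict[Tuple[int, int], Template] = {}   # (source_id, template_id) -> fields
        self.last_seq: Dict[int, int] = {}
        self.lost_packets = 0

    def feed(self, packet: bytes):
        """Decode one export packet; returns (flow records, undecodable data flowsets)."""
        version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9: version {version}")
        prev = self.last_seq.get(source_id)
        if prev is not None and seq > prev + 1:       # v9 sequence counts export packets
            self.lost_packets += seq - prev - 1
        self.last_seq[source_id] = seq

        records, unknown, offset = [], 0, 20
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
            if fs_len < 4 or offset + fs_len > len(packet):
                raise ValueError("bad FlowSet length")
            body = packet[offset + 4:offset + fs_len]
            if fs_id == 0:                            # Template FlowSet
                self._parse_templates(source_id, body)
            elif fs_id == 1:                          # Options Template FlowSet: not handled here
                pass
            else:                                     # Data FlowSet: ID is the template ID (>= 256)
                tmpl = self.templates.get((source_id, fs_id))
                if tmpl is None:
                    unknown += 1                      # template not seen yet: cannot decode
                else:
                    records.extend(self._parse_data(tmpl, body))
            offset += fs_len
        return records, unknown

    def _parse_templates(self, source_id: int, body: bytes) -> None:
        pos = 0
        while pos + 4 <= len(body):
            tid, fcount = struct.unpack("!HH", body[pos:pos + 4])
            fields = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(fcount)]
            self.templates[(source_id, tid)] = fields
            pos += 4 + 4 * fcount

    @staticmethod
    def _parse_data(tmpl: Template, body: bytes) -> List[dict]:
        reclen = sum(length for _, length in tmpl)
        records = []
        for start in range(0, len(body) - reclen + 1, reclen):   # trailing bytes are padding
            rec, pos = {}, start
            for ftype, length in tmpl:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + length])
                pos += length
            records.append(rec)
        return records


# --- constructed sample export packets ---------------------------------------
TEMPLATE_256: Template = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (2, 4), (1, 4)]


def build_packet(seq: int, source_id: int, record_count: int, flowsets: List[Tuple[int, bytes]]) -> bytes:
    body = b"".join(struct.pack("!HH", fs_id, 4 + len(data)) + data for fs_id, data in flowsets)
    return struct.pack("!HHIIII", 9, record_count, 123456, 1330000000, seq, source_id) + body


def flow_bytes(src, dst, sport, dport, proto, flags, pkts, octets) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHBBII", sport, dport, proto, flags, pkts, octets)


def sample_packets() -> List[bytes]:
    template_fs = struct.pack("!HH", 256, len(TEMPLATE_256)) + b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_256)
    data_fs = (flow_bytes("198.51.100.7", "192.0.2.80", 40000, 22, 6, 0x02, 1, 44)
               + flow_bytes("10.1.1.10", "192.0.2.80", 54321, 80, 6, 0x1b, 12, 5400))
    first = build_packet(1, 7, 3, [(0, template_fs), (256, data_fs)])
    # Second packet: sequence jumped from 1 to 5 (three exports lost in transit) and it
    # carries data for template 257, which this collector has never received.
    orphan = flow_bytes("10.1.1.11", "192.0.2.53", 5353, 53, 17, 0, 1, 80) + b"\x00\x00"   # padded to 4 bytes
    second = build_packet(5, 7, 1, [(257, orphan)])
    return [first, second]


def run_demo():
    collector = V9Collector()
    results = [collector.feed(p) for p in sample_packets()]
    return collector, results


if __name__ == "__main__":
    coll, res = run_demo()
    print(res, "lost export packets:", coll.lost_packets)
```

Two practical consequences fall out of the code: templates are scoped per (source ID, template ID), so two exporters may legitimately reuse ID 256 with different layouts, and a collector restarted mid-stream decodes nothing until the exporter's next template refresh.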
Flexible NetFlow
- Offers new export protocols (UDP, SCTP)
- New cache concept (normal, permanent, no-cache)
- Flexible NetFlow is available in Release 12.4(9)T
FNF Components
The flow monitor is a flow cache with flow records
- Applied to an interface
- Flow monitors can be ingress or egress
- Packet sampling is possible per flow monitor
FNF: Multiple Monitors with Unique Key Fields
Traffic is fed to Flow monitor 1 and Flow monitor 2, each with its own set of key fields.
Key fields: Source IP, Destination IP, Source port, Destination port, Layer 3 protocol, TOS byte, Input interface
Example cache entry: Source IP 3.3.3.3, Dest. IP 2.2.2.2, Protocol 6, Input I/F E1, Dest. I/F E1, Sec 101, Pkts 11000
Figure: NetFlow monitors placed at the ISP edge, data center, WAN, and campus switches. Example monitors:
- IP flows
- Multicast flows: protocol, ports, IP subnets, packet replication
- Security flows: protocol, ports, IP addresses, TCP flags, packet section
NFDump Output
http://nfdump.sourceforge.net/
IP Precedence Breakdown
NetFlow collectors and reporting tools (slide table; tool names not recovered). Primary uses: traffic analysis, collector device, reporting front end for FlowTools, security monitoring. Comments: one tool is no longer supported; one scalable collector supports V9, IPv4, IPv6, MPLS, SCTP; the others support V5 and V9. OS: UNIX.
nfdump output excerpt: TCP (protocol 6) flows with a single packet each, the pattern of a scan or SYN flood.
DNS
Query Type   count       %
A?               9    23.7
NS?              1     2.6
SOA?             1     2.6
PTR?            15    39.5
MX?             10    26.3
TXT?             2     5.3
Source: http://dns.measurement-factory.com/tools/dnstop/
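The query-type breakdown above, produced from raw DNS messages. This is an added example, not part of the Cisco deck or of dnstop: it parses the DNS header and the question section of wire-format messages, ignores responses (QR bit set) so that only client queries are counted, skips malformed data instead of crashing the sensor, and returns the per-QTYPE count and percentage. The sample queries are constructed to reproduce the slide's distribution (9 A, 1 NS, 1 SOA, 15 PTR, 10 MX, 2 TXT); the names are documentation-space examples.

```python
"""dnstop-style QTYPE breakdown from wire-format DNS messages."""
import struct
from collections import Counter
from typing import Dict, List, Tuple

QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}
QTYPES = {v: k for k, v in QTYPE_NAMES.items()}


def build_query(name: str, qtype: int, qid: int = 0x1234, response: bool = False) -> bytes:
    """Constructed wire-format message: 12-byte header + one question, no compression."""
    flags = 0x8180 if response else 0x0100            # QR|RD|RA for an answer, RD for a query
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes) -> Tuple[str, int, bool]:
    """Return (qname, qtype, is_query) for the first question in a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:                              # compression pointer: not valid in a question
            raise ValueError("compressed QNAME in question")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels) + ".", qtype, not (flags & 0x8000)


def qtype_breakdown(messages: List[bytes]) -> Dict[str, Tuple[int, float]]:
    """Count queries per QTYPE; maps type name -> (count, percent of all queries)."""
    counts: Counter = Counter()
    for msg in messages:
        try:
            _, qtype, is_query = parse_question(msg)
        except ValueError:
            continue                                    # malformed: skip it, keep counting
        if is_query:
            counts[QTYPE_NAMES.get(qtype, f"TYPE{qtype}")] += 1
    total = sum(counts.values()) or 1
    return {name: (n, round(100.0 * n / total, 1)) for name, n in counts.most_common()}


def sample_messages() -> List[bytes]:
    """Constructed capture reproducing the slide's distribution, plus noise."""
    msgs = [build_query(f"host{i}.example.com", QTYPES["A"]) for i in range(9)]
    msgs += [build_query("example.com", QTYPES["NS"]), build_query("example.com", QTYPES["SOA"])]
    msgs += [build_query(f"{i}.2.0.192.in-addr.arpa", QTYPES["PTR"]) for i in range(1, 16)]
    msgs += [build_query(f"mail{i}.example.com", QTYPES["MX"]) for i in range(10)]
    msgs += [build_query("example.com", QTYPES["TXT"]) for _ in range(2)]
    msgs.append(build_query("host0.example.com", QTYPES["A"], response=True))   # an answer: not counted
    msgs.append(b"\x00\x01")                                                       # garbage: skipped
    return msgs


if __name__ == "__main__":
    print(f"{'Query Type':<12}{'count':>6}{'%':>8}")
    for name, (n, pct) in qtype_breakdown(sample_messages()).items():
        print(f"{name + '?':<12}{n:>6}{pct:>8}")
```

A sudden shift in this table (PTR or ANY dominating where A normally does) is the kind of deviation the DNS telemetry in this section is meant to surface.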
Source: http://oss.oetiker.ch/rrdtool/
Researchers at Kumamoto University (Japan) have published several very good papers on DNS correlation; see http://dua.cc.kumamoto-u.ac.jp/~musashi/
Source: www.honeynet.org
Use the packet capture functionality in the Cisco ASA firewall to capture and classify attack packets
- Use the local packet display, or save as pcap and view on your workstation using Wireshark
- A different attack is transiting the firewall
Cisco firewall platforms
- Adaptive Security Appliance Services Module (ASA-SM) and Firewall Services Module (FWSM): line cards in the Catalyst 6500 that provide firewall services; no physical interfaces, VLANs are used as virtual interfaces
- IOS device running a firewall feature set in software (IOS-FW): configuration is in IOS (not covered in this session)
- IOS device doing stateless filtering using access lists
- Cisco's firewall has been around for over 15 years; PIX is the legacy platform
Packet Conformance
Several attacks use fuzzed or irregular packet fields to identify hosts, exploit vulnerabilities, or evade detection:
- Fragmentation: overwrite, overlap, short, long (teardrop, jolt, evasion)
- Nmap passive OS identification scanning
- Source routing to evade access control or cause other vulnerabilities
- Abnormal TCP flags, values, overwrites
- TTL abnormalities
SYN Cookies
- SYN arrives; the server replies with a SYN-ACK whose sequence number is a cookie created via a hash from the SYN data; no resources are used
- The client completes the handshake with an ACK carrying cookie + 1; the server validates the cookie instead of looking up stored state
- Nothing needs to be spoofed: with SYN cookies the server/network device doesn't need to allocate memory for half-open connections, hence the higher resilience to SYN-flood DoS
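The exchange above in code, as an added example that is not part of the Cisco deck. The server's initial sequence number is a keyed hash over the connection 4-tuple, the client's ISN and a coarse time counter, so the SYN-ACK costs no memory. When the ACK arrives, the server recovers the cookie as (ACK number - 1), checks that the embedded time slot is recent, recomputes the hash and compares it in constant time. The secret, the 64-second slot size and the 5-bit/27-bit split are assumptions chosen for illustration; a real stack rotates the key and also encodes the negotiated MSS.

```python
"""SYN cookies: answer a SYN, validate the ACK, store nothing in between."""
import hashlib
import hmac
import socket
import struct

SECRET = b"example-secret-rotate-me"   # assumption: stand-in for a per-boot random key
SLOT_SECONDS = 64                      # time granularity encoded in the top 5 bits
MAX_SLOT_AGE = 1                       # accept cookies from the current or previous slot


def _material(src, dst, sport, dport, client_isn, slot) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHIB", sport, dport, client_isn, slot)


def make_cookie(src, dst, sport, dport, client_isn, now, secret=SECRET) -> int:
    """Server ISN for the SYN-ACK: 5 bits of time slot, 27 bits of truncated HMAC."""
    slot = (now // SLOT_SECONDS) & 0x1F
    mac = hmac.new(secret, _material(src, dst, sport, dport, client_isn, slot), hashlib.sha256).digest()
    return (slot << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)


def check_ack(src, dst, sport, dport, client_isn, ack_num, now, secret=SECRET) -> bool:
    """Validate the third handshake packet purely from its contents; no stored state."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    slot = cookie >> 27
    age = ((now // SLOT_SECONDS) - slot) & 0x1F
    if age > MAX_SLOT_AGE:
        return False                                    # stale, or a guessed ACK with a bad slot
    expected = make_cookie(src, dst, sport, dport, client_isn, now - age * SLOT_SECONDS, secret)
    return hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big"))


def run_demo(now: int = 1_000_000):
    """Constructed handshake between a client and a server (no sockets involved)."""
    src, dst, sport, dport = "198.51.100.7", "192.0.2.80", 40000, 80
    client_isn = 0x11223344                              # from the client's SYN
    cookie = make_cookie(src, dst, sport, dport, client_isn, now)   # SYN-ACK seq; nothing stored
    results = {
        "valid_ack": check_ack(src, dst, sport, dport, client_isn, cookie + 1, now),
        "valid_ack_next_slot": check_ack(src, dst, sport, dport, client_isn, cookie + 1, now + SLOT_SECONDS),
        "stale_ack": check_ack(src, dst, sport, dport, client_isn, cookie + 1, now + 3 * SLOT_SECONDS),
        "guessed_ack": check_ack(src, dst, sport, dport, client_isn, 0xDEADBEEF, now),
        "wrong_client_isn": check_ack(src, dst, sport, dport, client_isn ^ 1, cookie + 1, now),
    }
    return cookie, results


if __name__ == "__main__":
    c, r = run_demo()
    print(hex(c), r)
```

The cost of the trick is visible in the code too: the server learns the client's ISN and the 4-tuple only from the ACK, so anything not encoded in the cookie (TCP options, window scaling) is lost for that connection, which is why real stacks only switch to cookies under backlog pressure.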
TCP Intercept

Using MPF
!-- Using Modular Policy Framework (MPF),
!-- which is available on ASA and PIX
access-list management permit tcp any 192.168.131.0 255.255.255.0
!
class-map connection-limit
 match access-list management
!
policy-map spoof-protect
 class connection-limit
  !-- Setting the limit to one forces all connections after
  !-- the first to be validated
  set connection embryonic-conn-max 1
!
service-policy spoof-protect interface outside

Using static NAT
!
!-- Static NAT: this maps the inside IP address
!-- 192.168.111.111 to the outside IP address 192.168.222.222
!-- and creates an embryonic connection limit of 1
static (inside,outside) 192.168.222.222 192.168.111.111 tcp 0 1
!
!-- Static identity NAT, i.e. no address translation
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 tcp 0 1
!
Regex Example
Requirement: match any HTTP GET or POST message:

asa(config)# regex test_get get
asa(config)# regex test_post post

This would only match GET and POST written in lower case. A better regex matches any mix of case:

asa(config)# regex test_get [Gg][Ee][Tt]
asa(config)# regex test_post [Pp][Oo][Ss][Tt]

Use either the CLI command test regex <regexp> or the Cisco ASDM Regex Wizard to validate regex syntax
Application Layer Protocol Inspection (ALPI)
- Feature on ASA and FWSM security devices
- Stateful deep packet inspection
  - Good for protocols that open secondary ports and use embedded IP addresses
  - Potential DoS vector due to performance implications
- User-defined policies
- Response actions for undesirable traffic
- Default inspection policy shown below

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
HTTP Inspection
Inspects traffic on TCP ports 80, 3128, 8000, 8010, 8080, 8888, and 24326
- Default ports for the Cisco IPS #WEBPORTS variable
Implemented using inspect class maps and inspect policy maps
Caution: a regex matches text strings at any location in the body of the HTML response
Caution: ALPI will decrease firewall performance
MPF: Class-Maps
Class-maps are the building blocks of a service policy. They set the match criteria for a given policy and commonly match a value using a regex.

!-- Configure regexes for ActiveX Class ID "D27CDB6E-AE6D-11cf-96B8-444553540000" and ProgID
!-- "ShockwaveFlash.ShockwaveFlash.", and for the combination of the .wbcat file extension and
!-- the malicious library file fveapi.dll
!
regex CLSID_activeX "[dD]27[cC][dD][bB]6[eE][-][aA][eE]6[dD][-]11[cC][fF][-]96[bB]8[-]444553540000"
regex ProgID_activeX "ShockwaveFlash\.ShockwaveFlash\."
regex MS11-001_1 ".+\x2e[Ww][Bb][Cc][Aa][Tt].*[Ff][Vv][Ee][Aa][Pp][Ii]\x2e[Dd][Ll][Ll]"
regex MS11-001_2 "[Ff][Vv][Ee][Aa][Pp][Ii]\x2e[Dd][Ll][Ll].*.+\x2e[Ww][Bb][Cc][Aa][Tt]"
!
!-- Configure regex classes to match on the regular
!-- expressions configured above
!
class-map type regex match-any vulnerable_activeX_class
 match regex CLSID_activeX
 match regex ProgID_activeX
class-map type regex match-any MS11-001_regex_class
 match regex MS11-001_1
 match regex MS11-001_2
MPF: Policy-Maps
Policy-maps contain the response action. They can contain multiple class-maps and typically set a connection limit, traffic shaping, priority queuing, or an inspection policy.

!-- HTTP application inspection policy map that drops connections matching the regexes
!-- configured on the previous slide
!
policy-map type inspect http http-Policy
 parameters
  !-- body-match-maximum is the maximum number of characters in the body of an HTTP message
  !-- that is searched in a body match. The default value is 200 bytes. A large number may
  !-- have an impact on system performance.
  body-match-maximum 1380
 match response body regex class vulnerable_activeX_class
  drop-connection log
 match response body regex class MS11-001_regex_class
  drop-connection log
!
policy-map global_policy
 class Webports-Class
  inspect http http-Policy
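What the class-map and policy-map above do to a response, modelled in code. This is an added example, not code from the Cisco deck, and it uses Python's re engine rather than the ASA's: the regexes and class membership are copied from the slides, a response body is searched only up to body_match_maximum bytes (the ASA default is 200; the slide sets 1380), and the verdict is drop-connection or pass. The last sample shows the caveat the window implies: content pushed past it is never seen. All HTTP responses are constructed; the Flash CLSID is the public one the slide's regex targets.

```python
"""HTTP body inspection with regex classes and a body-match window."""
import re
from typing import Optional, Tuple

REGEXES = {   # from the slide; Python regex syntax is compatible for these patterns
    "CLSID_activeX": r"[dD]27[cC][dD][bB]6[eE][-][aA][eE]6[dD][-]11[cC][fF][-]96[bB]8[-]444553540000",
    "ProgID_activeX": r"ShockwaveFlash\.ShockwaveFlash\.",
    "MS11-001_1": r".+\x2e[Ww][Bb][Cc][Aa][Tt].*[Ff][Vv][Ee][Aa][Pp][Ii]\x2e[Dd][Ll][Ll]",
    "MS11-001_2": r"[Ff][Vv][Ee][Aa][Pp][Ii]\x2e[Dd][Ll][Ll].*.+\x2e[Ww][Bb][Cc][Aa][Tt]",
}
CLASSES = {   # class-map type regex match-any
    "vulnerable_activeX_class": ["CLSID_activeX", "ProgID_activeX"],
    "MS11-001_regex_class": ["MS11-001_1", "MS11-001_2"],
}
COMPILED = {name: re.compile(pat.encode("latin-1")) for name, pat in REGEXES.items()}


def inspect_http_response(raw: bytes, body_match_maximum: int = 1380) -> Tuple[str, Optional[str]]:
    """Return ("drop-connection", class name) on a match, else ("pass", None)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "pass", None                       # headers only: nothing to body-match
    window = body[:body_match_maximum]            # only this many body bytes are searched
    for cls, members in CLASSES.items():          # match-any: first member hit classifies
        if any(COMPILED[m].search(window) for m in members):
            return "drop-connection", cls
    return "pass", None


def build_response(body: bytes) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(body) + body)


FLASH_OBJECT = b'<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"></object>'
SAMPLES = {   # constructed response bodies
    "clean": build_response(b"<html><body>Hello</body></html>"),
    "activex": build_response(b"<html><body>" + FLASH_OBJECT + b"</body></html>"),
    "ms11_001": build_response(b"<html>open backup.wbcat to load fveapi.dll</html>"),
    # Same ActiveX object, but 1400 bytes of filler push it past a 1380-byte window.
    "activex_padded": build_response(b"<html>" + b" " * 1400 + FLASH_OBJECT + b"</html>"),
}


def run_demo(body_match_maximum: int = 1380):
    return {name: inspect_http_response(resp, body_match_maximum) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:15} {verdict}")
```

Raising body_match_maximum closes the padding gap in the last sample but costs CPU on every inspected response, which is the trade-off the slide's comment about performance is pointing at.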
http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
[user@linux ~]$ dig www.google.com

; <<>> DiG 9.5.0b3 <<>> www.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13951
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 7, ADDITIONAL: 7

;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com.         118837  IN      CNAME   www.l.google.com.
www.l.google.com.       37      IN      A
www.l.google.com.       37      IN      A
www.l.google.com.       37      IN      A
www.l.google.com.       37      IN      A
(A record addresses not recovered from the slide)

[user@linux ~]$ dig www.google.com

; <<>> DiG 9.5.0b3 <<>> www.google.com
;; global options:  printcmd
;; connection timed out; no servers could be reached
[user@linux ~]$
A Bad PDF
PDFiD 0.0.10_PL z5r.pdf
 PDF Header: %PDF-1.3
 obj                   14
 endobj                14
 stream                 2
 endstream              2
 xref                   1
 trailer                1
 startxref              1
 /Page                  1
 /Encrypt               0
 /ObjStm                0
 /JS                    2
 /JavaScript            3
 /AA                    0
 /OpenAction            1
 %%EOF
 After last %%EOF       0
 Total entropy:           7.396393 (      4301 bytes)
 Entropy inside streams:  7.922360 (      2671 bytes)
 Entropy outside streams: 5.004960 (      1630 bytes)

Hex dump of the start of the file (ASCII column):
 %PDF-1.3..%.....
 .1 0 obj..<</Ope
 nAction <</JS (t
 his.qwer.(.))../
 S /JavaScript..>
PDF files contain objects and elements, some of which can be used maliciously
- Hint: /JavaScript, /JS, and /AA; see slides 92 - 94
Configure an Application Layer Protocol Inspection policy to detect and drop the malicious PDF file
- Hint: see slides 84 - 91 on how to configure an ALPI inspection policy
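A PDFiD-style triage of the names in the hint above, as an added example that is neither part of the Cisco deck nor Didier Stevens' PDFiD. It tokenizes the file for PDF names and structural keywords, decodes #xx hex escapes inside names (so /J#53 is counted as /JS, a common way to dodge naive string matching such as a plain regex on "/JS"), reports the Shannon entropy PDFiD also prints, and flags the file when /JS, /JavaScript, /AA or /OpenAction appears. Both sample files are constructed; the bad one mirrors the /OpenAction <</JS ...>> object visible in the hex dump above.

```python
"""Count risky PDF names, including hex-escaped ones, and flag the file."""
import math
import re
from collections import Counter
from typing import Dict

KEYWORDS = ["obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref"]
NAMES = ["/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA", "/OpenAction"]
RISKY = {"/JS", "/JavaScript", "/AA", "/OpenAction"}

_NAME_RE = re.compile(rb"/([^\s/<>\[\]()%]*)")     # a name runs until a PDF delimiter
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")          # #xx escape inside a name


def _normalize(name: bytes) -> bytes:
    return _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), name)


def pdf_counts(data: bytes) -> Dict[str, int]:
    counts = {k: 0 for k in KEYWORDS + NAMES}
    for kw in KEYWORDS:   # whole words only: "endobj" must not also count as "obj"
        counts[kw] = len(re.findall(rb"(?<![A-Za-z])" + kw.encode() + rb"(?![A-Za-z])", data))
    for m in _NAME_RE.finditer(data):
        name = "/" + _normalize(m.group(1)).decode("latin-1")
        if name in counts:
            counts[name] += 1
    return counts


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    freq = Counter(data)
    return -sum(n / len(data) * math.log2(n / len(data)) for n in freq.values())


def is_suspicious(counts: Dict[str, int]) -> bool:
    return any(counts[n] > 0 for n in RISKY)


CLEAN_PDF = (b"%PDF-1.3\n1 0 obj\n<</Type /Catalog /Pages 2 0 R>>\nendobj\n"
             b"2 0 obj\n<</Type /Pages /Kids [3 0 R] /Count 1>>\nendobj\n"
             b"3 0 obj\n<</Type /Page /Parent 2 0 R>>\nendobj\n"
             b"trailer\n<</Root 1 0 R>>\n%%EOF\n")

BAD_PDF = (b"%PDF-1.3\n1 0 obj\n<</Type /Catalog /Pages 2 0 R "
           b"/OpenAction <</JS (this.qwer) /S /JavaScript>>>>\nendobj\n"
           b"2 0 obj\n<</Type /Pages /Kids [3 0 R] /Count 1>>\nendobj\n"
           b"3 0 obj\n<</Type /Page /Parent 2 0 R /AA <</O 4 0 R>>>>\nendobj\n"
           b"4 0 obj\n<</S /J#61vaScript /J#53 (app.alert(1))>>\nendobj\n"   # hex-escaped names
           b"trailer\n<</Root 1 0 R>>\n%%EOF\n")


def triage(data: bytes):
    """Return (keyword counts, total entropy, suspicious?) for one PDF."""
    counts = pdf_counts(data)
    return counts, round(shannon_entropy(data), 6), is_suspicious(counts)


if __name__ == "__main__":
    for label, pdf in (("clean", CLEAN_PDF), ("bad", BAD_PDF)):
        counts, entropy, bad = triage(pdf)
        print(label, "suspicious" if bad else "ok", entropy, {k: v for k, v in counts.items() if v})
```

The hex-escape handling is the point to carry over to the firewall policy: an ALPI regex that matches only the literal string "/JS" misses "/J#53", so the lab's inspection policy needs patterns for both spellings.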
Threat Detection
When a threat is detected, the ASA generates syslog events 733100 - 733103. Two options: Basic and Advanced
- Basic is enabled by default and has no performance impact
- Advanced provides more granular object tracking, including ports, protocols and individual hosts; it can significantly impact CPU
ASA 8.3 introduces memory optimization of threat detection; use show threat-detection memory to see the TD memory footprint
The ASA monitors dropped packets and security events, attempting to identify threats, and generates syslog messages 733100 - 733103 when a threat is detected.

Basic threat-detection rate thresholds from the slide table (burst rate given as drops/sec over the last 10 sec and over the last 60 sec; event categories only partly recovered):
- Denied by ACL: 400 / 320
- (category not recovered): 10 / 8
- (category not recovered): 200 / 160
- (category not recovered): 800 / 640
- Interface overload: 8000 / 6400
Cisco Security Appliance 8.2 Configuration Guide: Preventing Network Attacks http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide /conns_threat.html
Use Threat Detection on the ASA to identify and block an ongoing attack
- This is not the same attack as seen in other scenarios
Use Threat Detection logs to identify the attack
Use access control lists on the ASA to block the attacker
- Correctly update the existing ACL if one exists
Blackhole Filtering
Blackhole filtering, or blackhole routing, forwards a packet to a device's bit bucket
- Also known as a route to Null0
Works only on destination addresses because it is really part of the forwarding logic
Forwarding ASICs are designed to work with routes to Null0, dropping the packet with minimal to no performance impact
Used for years as a way to blackhole unwanted packets
Figure: service provider topology with Peer A, Peer B, Upstream A-D, IXP-W, IXP-E, POPs and the NOC; the Target sits behind a POP. Caption: Customer is DoSed: before, with collateral damage to the other customers on the same POP.
Configure a static route with a /32 mask for an address from one of the TEST-NET allocations (192.0.2.0/24 is TEST-NET-1, RFC 5737), set the next hop to the Null0 interface, and add this static route to every edge router/switch on the network:

ip route 192.0.2.1 255.255.255.255 Null0
Figure: the same topology with a sinkhole network attached; the target 10.68.19.0/24 sits behind the POP (172.19.61.1).
Trigger router configuration: a static route tagged 66 is redistributed into BGP with its next hop set to the trigger address 192.0.2.1

router bgp 65535
 ...
 redistribute static route-map static-to-bgp
 ...
!
route-map static-to-bgp permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set community no-export
 set origin igp
The BGP advertisement goes out to all BGP-speaking routers. Each router receives the update and glues it to the existing static route: the advertised next hop 192.0.2.1 recursively resolves to the static route for 192.0.2.1/32, so the effective next hop is Null0.
Figure: on each router the BGP route's next hop 192.0.2.1 resolves in the RIB (alongside the OSPF routes) to the static 192.0.2.1/32 = Null0, and the FIB installs the victim prefix with Null0 as its adjacency (unless multipath).
Activating RTBH
Figure: Customer is DoSed: after. Packet drops are pushed to the edge routers facing Peer A, Peer B, Upstream A-D and the IXPs, so attack traffic for the Target never reaches the POP.
Sinkhole Routers/Networks
- Sinkholes are a topological security feature; think network honeypot
- A router or workstation built to draw in traffic and assist in analyzing attacks (the original use)
- Redirect attacks away from the customer, working the attack on a router built to withstand it
- Used to monitor attack noise, scans, data from misconfiguration and other activity (via the advertisement of default or unused IP space)
- Traffic is typically diverted via BGP route advertisements and policies
- Leverage instrumentation in a controlled environment: pull the traffic past analyzers and analysis tools
Figure sequence: customers and the 192.168.20.0/24 target network before, during, and after the attack traffic is diverted to the sinkhole.
Sinkhole Architecture
Figure: sinkhole router with two links to the backbone, an Ethernet switch, the target router, and analysis tools.
- Expand the sinkhole with a dedicated router into a variety of tools
- Pull the DDoS attack to the sinkhole and forward data toward the target router
- A static ARP entry for the target router keeps the sinkhole operational: the target router can crash under the attack, and the static ARP entry keeps the gateway forwarding traffic to the Ethernet switch rather than generating lots of ICMP error messages
- Observe trends and deviations; reserve packet detail for research and specific analysis
Figure: sinkhole network receiving traffic from a Conficker-infected customer. NetFlow data from the edge routers may also be used for this purpose.
Collect data about the traffic and realize the benefits of sinkholes
Why Sinkholes?
- They work. Providers, enterprise operators, and researchers use them for data collection and analysis
- More uses are being found through experience and individual innovation
- Deploying sinkholes correctly takes preparation
- Team Cymru Darknet Project: http://www.teamcymru.org/Services/darknets.html
Anycast Sinkholes
Figure: sinkholes deployed at every edge of the provider topology (IXP-W, IXP-E, Peer B, Upstream A-D, the POP serving customer 192.168.19.0/24 via 192.168.19.1, the services network and the core).
Distribute sinkholes as appropriate for the traffic engineering and routing architecture. Some key locations:
- Inside the Internet connection
- Server farm
- WAN
All BGP-speaking routers receive the update
A complex design can use multiple route-maps and next hops to build very flexible drop policies
May require BGP on all routers
Safety Precautions
Do not allow advertisements to leak
- BGP no-export, no-advertise, additive communities
- Explicit egress prefix policies (community, prefix, etc.)
Classify the attack using NetFlow
Use RTBH to remove the attack traffic from the network
- Configure podX-rtr2 as the trigger router
Use NetFlow on podX-rtr1 to verify that attack packets are being dropped
Source-Based RTBH
Source-based Remotely Triggered Blackhole Filtering, aka SRTBH
Dropping on destination is important
- Dropping on source is often what we really need
Configuring SRTBH
Uses the same architecture as destination-based blackhole filtering plus Unicast RPF
- Edge routers must have the static route to Null0 in place
- They also require Unicast RPF (loose mode)
- The BGP trigger sets the next hop; in this case the attacker's source address is the prefix we want to drop
SRTBH
What do we have?
- Blackhole filtering: if the destination address resolves to Null0, we drop the packet
- Remote triggering: a prefix is made to resolve to Null0 on routers across the network at iBGP speed
- Unicast RPF loose check: if the source address resolves to Null0, we drop the packet
Put them together and we have a tool to trigger a drop for any packet entering the network whose source or destination resolves to Null0
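The recursion in the RTBH section (the BGP route whose next hop 192.0.2.1 resolves to the static Null0 route) and the uRPF loose check above, shown together on one model FIB. This is an added example, not code from the Cisco deck, and a deliberately small router model: longest-prefix match and recursive next-hop resolution, with no ECMP or administrative distance. A BGP /32 for the victim resolves, through the static route every edge router carries, to a drop; the same advertisement for the attacker's source, combined with loose-mode uRPF, drops packets *from* that address at the edge. The prefix 10.68.19.0/24 is the deck's target network, the other addresses are RFC 5737 documentation space, and the interface names and the default-route handling (IOS uRPF ignores 0/0 unless allow-default is configured) are modelling assumptions.

```python
"""Model FIB: recursive next hops, RTBH drop on destination, uRPF loose drop on source."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str, str]    # (prefix, next hop or interface, protocol)


class Fib:
    def __init__(self):
        self.routes: List[Route] = []

    def add(self, prefix: str, next_hop: str, proto: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop, proto))

    def lookup(self, addr: str) -> Optional[Route]:
        """Longest-prefix match."""
        ip = ipaddress.ip_address(addr)
        matches = [r for r in self.routes if ip in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def resolve(self, addr: str, allow_default: bool = True, depth: int = 0) -> Optional[str]:
        """Follow next hops until an interface (or Null0) is reached; None if unroutable."""
        route = self.lookup(addr)
        if route is None or depth > 8:
            return None
        net, next_hop, _ = route
        if net.prefixlen == 0 and not allow_default:
            return None                               # uRPF ignores 0/0 unless allow-default
        try:
            ipaddress.ip_address(next_hop)
        except ValueError:
            return next_hop                           # an interface name: Null0, Gi0/1, ...
        return self.resolve(next_hop, allow_default, depth + 1)   # recursive next hop


def forward(fib: Fib, src: str, dst: str, urpf_loose: bool = True) -> str:
    """Decide the fate of one packet arriving at an edge router."""
    if urpf_loose:
        src_out = fib.resolve(src, allow_default=False)
        if src_out is None:
            return "drop: uRPF loose, no route to source"
        if src_out == "Null0":
            return "drop: uRPF loose, source routes to Null0 (SRTBH)"
    dst_out = fib.resolve(dst)
    if dst_out is None:
        return "drop: no route"
    if dst_out == "Null0":
        return "drop: destination routes to Null0 (RTBH)"
    return f"forward via {dst_out}"


def edge_router() -> Fib:
    """Steady-state FIB of one edge router before any trigger (interface names assumed)."""
    fib = Fib()
    fib.add("0.0.0.0/0", "Gi0/0", "static")            # upstream
    fib.add("10.0.0.0/30", "Gi0/1", "connected")        # link toward the customer POP
    fib.add("10.1.1.0/24", "Gi0/2", "connected")        # a local subnet
    fib.add("10.68.19.0/24", "10.0.0.2", "ospf")        # customer prefix, recursive via the POP link
    fib.add("192.0.2.1/32", "Null0", "static")          # preinstalled drop route, on every edge router
    return fib


def run_demo():
    fib = edge_router()
    victim, attacker, client = "10.68.19.5", "198.51.100.7", "10.1.1.10"
    before = forward(fib, client, victim)
    # The trigger router advertises the victim /32 with next hop 192.0.2.1 over iBGP.
    fib.add(victim + "/32", "192.0.2.1", "bgp")
    rtbh = forward(fib, client, victim)
    # Source-based trigger: advertise the attacker's address the same way; uRPF does the rest.
    fib.add(attacker + "/32", "192.0.2.1", "bgp")
    srtbh = forward(fib, attacker, "10.68.19.6")
    legit = forward(fib, client, "10.68.19.6")
    bogon = forward(fib, "203.0.113.9", "10.68.19.6")   # only the default route covers this source
    return {"before": before, "rtbh": rtbh, "srtbh": srtbh, "legit": legit, "bogon": bogon}


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:8} {verdict}")
```

The last case is the operational caveat of loose-mode uRPF: with allow-default off, any source not covered by a more specific route is dropped, which is the desired bogon filter at a transit edge but a surprise on a router that only carries a default.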
Figure: edge routers facing Peer A, Peer B, Upstream A-D and IXP-E drop incoming packets based on their source address; the Target behind the POP is protected.
BGP has a unique property among routing protocols: arbitrary next hops can be administratively defined. There is no need to actually carry routes in BGP.
- Deploy an iBGP mesh internally and do not use it for routing
- Under normal conditions, BGP holds zero routes
- When used for drops, only the blackholed addresses are in the table
If BGP is used for inter-region routing, drop boundaries can be both local within a campus and global
- Use communities to scope the drops
For example, traffic from 10.1.1.1 will be discarded. This can be deployed in reaction to attacks; it is a start, but it won't be fast and it doesn't scale.
Use any available technique to see if attack packets are correctly being dropped
Keeping Up to Date
Dynamic Content
www.cisco.com/security
- Security Alerts
- CVSS Scores
- IPS Signatures
- PSIRT Security Advisories
- Applied Mitigation Bulletins
Cisco PSIRT
Monitor Cisco Security Advisories
For a network to be secure, the network devices within it must run secure software. Security bugs in Cisco products are disclosed using Security Advisories and Responses
- http://www.cisco.com/go/psirt
By monitoring these documents, an administrator is better able to learn about security vulnerabilities that may affect their network
- Available as RSS feeds
- Subscribe to cust-security-announce@cisco.com
Intelligence at a Glance
Cisco IntelliShield Event Response: summary information, threat analysis, and mitigation techniques that feature Cisco products
- Microsoft Security Bulletin ID
- Cisco IntelliShield Alert ID
- CVE ID
- Cisco Mitigations
- CVSS Base Score
- Impact on Cisco Products
- Related Information
Intelligence Services
Cisco IntelliShield Alert Manager: threat and vulnerability intelligence alerting service; receive vital intelligence that is relevant and targeted to your environment
- Tactical, operational, and strategic intelligence
- Vendor neutral
- Lifecycle reporting
- Vulnerability workflow management system
- Comprehensive searchable alert database
Cisco IOS Software Checker
- Allows querying one or more Cisco IOS Software versions against previously published Security Advisories
- Simplifies identification of affected software versions
- A long-requested feature by Cisco customers
- Cisco IOS Software only for now, but more to come
Global security intelligence
- Insight: visibility across different devices, services, and network layers
- Control: consistent policy across offices and for remote users
- Peace of mind: actionable remediation and governance controls
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press, and add to your security library; check the Recommended Reading flyer for suggested books.
References
Security Research
Public Security Mailing Lists
BugTraq
- http://www.securityfocus.com/archive/1/description
Full Disclosure
- http://lists.grok.org.uk/full-disclosure-charter.html
VoipSec
- http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
Security Research
Public Security Websites
- http://www.securityfocus.com/
- http://voipsa.org/
- http://www.owasp.org/
- http://www.voipshield.com/
- http://www.cymru.com
References
DoS detection:
- Inferring Internet Denial-of-Service Activity: David Moore et al., May 2001 - http://www.caida.org/outreach/papers/2001/BackScatter/usenixsecurity01.pdf
- The Spread of the Code Red Worm: David Moore, CAIDA, July 2001 - http://www.caida.org/research/security/code-red/
DoS tracing:
- Tracing Spoofed IP Addresses: Rob Thomas, Feb 2001 (good technical description of using NetFlow to trace back a flow) - http://www.cymru.com/Documents/tracking-spoofed.html
- Cisco Security Intelligence Operations - http://www.cisco.com/security/
- Cisco Applied Mitigation Bulletins - http://tools.cisco.com/security/center/searchAIR.x
NetFlow
Cisco NetFlow home
- http://www.cisco.com/en/US/tech/tk812/tsd_technology_support_protocol_home.html
SNMP
Cisco SNMP object tracker
- http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en
SNMPLink
- http://www.snmplink.org/
RMON
IETF RMON WG
- http://www.ietf.org/proceedings/99mar/44th-99mar-ietf77.html
Packet Capture
tcpdump/libpcap home
- http://www.tcpdump.org/
Wireshark
- http://www.wireshark.org/
Syslog
Syslog.org
- http://www.syslog.org/
Identifying Incidents Using Firewall and Cisco IOS Router Syslog Events
- http://www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html
BGP
Cisco BGP home
- http://www.cisco.com/en/US/tech/tk365/tk80/tsd_technology_support_sub-protocol_home.html
Slammer/BGP analysis
- https://wiki.netsec.colostate.edu/images/8/88/Netsec_iwdc03.pdf
Sinkholes
Worm Mitigation Technical Details
- http://www.cisco.com/web/about/security/intelligence/worm-mitigation-whitepaper.html
References
Ciscos product vulnerabilities
- http://www.cisco.com/en/US/products/products_security_advisories_listing.html
ISP essentials: Technical tips for ISPs every ISP should know
- ftp://ftp-eng.cisco.com/cons/isp/
References
The show processes command
- http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_tech_note09186a00800a65d0.shtml
Mailing list:
- cust-security-announce@cisco.com - all customers should be on this list
References
Security Intelligence Operations Best Practices
- http://tools.cisco.com/security/center/intelliPapers.x?i=55
References
Cisco Guide to Harden Cisco IOS XR Devices
- http://cisco.com/web/about/security/intelligence/CiscoIOSXR.html
Recommended Reading for LTRSEC-2004: http://m.cisco.com/mat/cleu12/
Thank you.