Managing Security Incidents In An IPv6 World - TROOPERS

Transcription

Managing Security Incidents in an IPv6 World
Troopers 15 – IPv6 Security Summit
March 16, 2015
Merike Kaeo
CISO, IID
merike@internetidentity.com

Topics For Today
- Introduction and Background
- Anatomy of a Security Incident
- How Does IPv6 Impact Incident Handling
- Let's Take a Look at Passive DNS
- Where Do We Go From Here

Introduction and Background

A Little Background – Merike Kaeo
- Work History
  - National Institute of Health (1988-1993)
  - Cisco (1993-2000)
  - Double Shot Security (2000-2012)
- Industry Recognition
  - Authored "Designing Network Security" by Cisco Press (1999 / 2003)
  - Active Contributor to IETF Standards
  - IPv6 Forum Fellow since 2007
  - Member of FCC CSRIC III (Botnet Remediation) and FCC CSRIC IV (DNS/Routing)

Anatomy of Security Incidents

Incident Response
- It is always best to have a plan in place before something bad happens
- DO NOT PANIC!
- If you set appropriate guidelines now, it will make things a lot easier when a security incident happens
- Create a checklist that can be followed when a significant security incident does occur!!

Security Incident Lifecycle
- PREPARATION: Prepare the network; Create tools; Test tools; Prepare procedures; Train team; Practice
- IDENTIFICATION: How do you know about the attack? What tools can you use? What's your process for communication?
- CONTAINMENT: What kind of attack is it?
- ERADICATION: Where is the attack coming from? Where and how is it affecting the network?
- RECOVERY: What options do you have to remedy? Which option is the best under the circumstances?
- POST MORTEM: What was done? Can anything be done to prevent it? How can it be less painful in the future?

Most Common Threats and Attacks
- Unauthorized access – insecure hosts, cracking
- Eavesdropping a transmission – access to the medium
  - Looking for passwords, credit card numbers, or business secrets
- Hijacking, or taking over a communication
  - Inspect and modify any data being transmitted
- IP spoofing, or faking network addresses
  - Impersonate to fool access control mechanisms
  - Redirect connections to a fake server
- DOS attacks
  - Interruption of service due to system destruction or using up all available system resources for the service (CPU, memory, bandwidth)

Examples of Sophisticated Attacks
- DNS Changer
  - Install malware on PCs and Macs, changes the DNS, and tries to reconfigure the home gateway's DNS.
  - Point the DNS configurations to DNS resolvers in specific address blocks and use it for their criminal enterprise.
- BroBot DDoS
  - Computers linked to high-bandwidth websites and web-hosting data centers compromised mostly thru outdated versions of Joomla, WordPress and cPanel applications.
  - Then near-invisible code is embedded onto these hosts into the extensions' HTML.
- DNS Amplification DDoS
  - Utilize forged (spoofed) traffic and unmanaged open recursive resolvers to launch large bandwidth attacks

How does IPv6 Impact Incident Handling?

Does Operations Understand IPv6?
- It *is* similar to IPv4 ... but NOT :) [Training is Important!!]
- IPv4 and IPv6 interface addressing nuances
  - Which IPv6 address is used to source traffic?
  - When is the IPv4 address used vs the IPv6 address for a dual-stacked host?
  - Where are special transition addresses used?
- More IPv6 nuances
  - Every mobile device is a /64
  - Extension headers
  - Path MTU Discovery
  - Fragmentation

Required Host IPv6 Addresses
- Each host must assign the following addresses to identify itself:
  - Its link-local address for each interface
  - Any assigned unicast addresses
  - The loopback address
  - The all-nodes multicast address
  - Solicited-node multicast address for each assigned unicast or anycast address
  - Multicast addresses for all other group memberships

Sample MacOS Interface

    Tidal-Wave:~ merike$ ifconfig
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
    stf0: flags=0<> mtu 1280
    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet 71.39.132.244 netmask 0xfffffff8 broadcast 71.39.132.247
            inet6 fe80::20d:93ff:fe2f:554c%en0 prefixlen 64 scopeid 0x4
            inet6 2001:440:1880:5001:20d:93ff:fe2f:554c prefixlen 64 autoconf
            ether 00:0d:93:2f:55:4c
            media: autoselect (10baseT/UTP <half-duplex>) status: active

Mac OSX Interface Today ...

IPv6 Reserved Addresses (RFC …)

    loopback address                  ::1/128
    IPv4-IPv6 translation address     64:ff9b::/96
    IPv4-compatible IPv6 address      ::/96
    IPv4-mapped IPv6 address          ::ffff:0:0/96
    discard-only address              …:/8
    unique-local address              fc00::/7
    multicast address                 ff00::/8
    documentation addresses           2001:db8::/32

Can You Listen to the Network using IPv4 / IPv6?
- Sources (data collection points)
- Protocols to use for data collection
- Tools used to collect data
[Diagram: ConferenceNet feeding Syslog, TFTP, AAA, DNS, SMTP and NetFlow, SNMP data to the NOC]

Fundamental Applications and Tools
- Preparation / Identification
  - SNMP
  - NetFlow / sFlow / IPFIX
  - Syslog or other application based logs
  - TACACS / RADIUS
- Investigation
  - Ping / Traceroute / DIG / WHOIS / pDNS
- Containment / Eradication
  - Route and Packet Filtering
  - Blacklists (i.e. SPAM or Domains)

SNMP
- Status of MIBs (are IPv6 MIBs implemented?)
  - IP Protocol Version Independent MIBs make IPv6-specific MIBs obsolete
  - RFC 4292 (IP Forwarding Table MIB) / RFC 4293 (MIB for the IP)
- Transport Issue (can communication use IPv6?)
  - Agent to Collector
  - Collector to Viewer
- Viewers / Tools (do they support IPv6?)

SNMP Walk Syntax
- It is different from IPv4
- For IPv4 you only use the IP address of the device
- For IPv6 you need to enter "udp6:[IPv6 Address]"
- In some cases you also need to specify the port number
- You may also need to configure transport specific variables (i.e. rocommunity6 public)
- Examples:

    snmpset -v 1 -c private "udp6:[ipv6 address here]:161" 1.3.6.1.4.1.318.1.1.26.4.4.1.4.1 i 7

    snmpwalk -v 2c -c public udp6:[fe80::10] iso.org.dod.internet.2.1.1.5.0
    SNMPv2-MIB::sysName.0 = STRING: CiscoRouter

SNMP and Addressing
- Know what IP address is being used by an SNMP server to poll
[Diagram: SNMP server polling a router (…:FE04:CCF2); the router ACL is configured to allow only the unicast address, but the server used its EUI-64 address for polling]

NetFlow
- Must use NetFlow v9 to get IPv6 information
- Does NetFlow collect both IPv4 and IPv6 traffic?
  - Might depend on the specific implementation
  - "NetFlow Analyzer by default gives priority to IPv4 information. NetFlow Analyzer does not support flow export with both IPv4 and IPv6 data exported at the same time from a source device." (…th-flexible-netflow-ipv6-and-qos)
- Do NetFlow tools correlate between IPv4 and IPv6 traffic?
  - Are separate tables created for the different transports?

What Are Transition Mechanisms?
[Diagram: dual-stack client, Happy Eyeballs, DNS64 and a DNS server – does it return IPv4 or IPv6?]

Growing Trends in DDoS
- Reflective DDoS attacks use spoofed IP addresses of legitimate users
- Combining spoofed addresses with legitimate protocol use makes mitigation extremely difficult – what do you block and where?
- Recent trends have been utilizing DNS as attack vector since it is a fundamentally used Internet technology
- Utilize resources of large hosting providers for added attack bandwidth
- Many other Internet protocols also susceptible

DNS Amplification Attacks Utilizing Forged (Spoofed) IP Addresses
[Diagram] Attacker has control of a BotNet.
1. BotNet uses the forged IP address of the intended victim to send legitimate queries to open recursive DNS servers
2. Open recursive DNS servers send legitimate queries to authoritative servers
3. Authoritative servers send back legitimate replies to recursive DNS servers
4. Open recursive DNS server legitimate responses create a massive DDoS attack to the victim's IP address
Variant: BotNet sends queries appearing to come from the victim directly to authoritative servers; authoritative servers send replies directly to the victim
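The asymmetry in the diagram above (the victim receives large DNS responses from many resolvers without ever having sent the queries) is what a defender can look for in flow data. The following is an added example, not code from the talk: a detector over flow records that works the same way for IPv4 and IPv6 flows. The `Flow` record is a stand-in for the fields a NetFlow v9 / IPFIX export carries, the records are constructed, and the thresholds are assumptions to tune per network.

```python
"""Added example (not from the talk): spot DNS amplification victims in flow records.
Works on IPv4 and IPv6 flows alike; the records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (stand-in for NetFlow v9 / IPFIX fields)."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    bytes: int


def detect_dns_amplification(flows, min_resolvers=3, min_bytes_per_packet=1000, min_ratio=10.0):
    """Return {victim: details} for destinations that receive large DNS responses
    (UDP source port 53) from several distinct resolvers while sending far fewer
    DNS query bytes themselves.  That query/response asymmetry is the signature of
    spoofed queries: the victim never asked for what it is receiving."""
    responses = defaultdict(lambda: {"resolvers": set(), "bytes": 0, "packets": 0})
    query_bytes = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == 53:                     # DNS response flowing toward f.dst
            r = responses[f.dst]
            r["resolvers"].add(f.src)
            r["bytes"] += f.bytes
            r["packets"] += f.packets
        elif f.dport == 53:                   # DNS query sent by f.src
            query_bytes[f.src] += f.bytes
    suspects = {}
    for dst, r in responses.items():
        bpp = r["bytes"] / r["packets"]
        ratio = r["bytes"] / max(query_bytes.get(dst, 0), 1)
        if (len(r["resolvers"]) >= min_resolvers
                and bpp >= min_bytes_per_packet
                and ratio >= min_ratio):
            suspects[dst] = {
                "resolvers": len(r["resolvers"]),
                "bytes_per_packet": round(bpp),
                "amplification": round(ratio, 1),
                "family": ipaddress.ip_address(dst).version,
            }
    return suspects


# Constructed flow records: one IPv6 victim, one IPv4 victim, one normal client.
SAMPLE_FLOWS = [
    # five open resolvers each sending 3000-byte responses at the IPv6 victim
    *[Flow(f"2001:db8:{i}::53", "2001:db8:a::10", "udp", 53, 40000 + i, 100, 300_000)
      for i in range(1, 6)],
    # four resolvers at an IPv4 victim that itself sent a single 60-byte query
    *[Flow(f"198.51.100.{i}", "192.0.2.10", "udp", 53, 50000 + i, 200, 800_000)
      for i in range(1, 5)],
    Flow("192.0.2.10", "198.51.100.1", "udp", 50001, 53, 1, 60),
    # a normal client: small queries, small answers, one resolver
    Flow("2001:db8:b::20", "2001:db8:53::1", "udp", 51234, 53, 10, 800),
    Flow("2001:db8:53::1", "2001:db8:b::20", "udp", 53, 51234, 10, 1_500),
]

if __name__ == "__main__":
    for victim, info in detect_dns_amplification(SAMPLE_FLOWS).items():
        print(victim, info)
```

Keying on the destination rather than on any one resolver matters here: each reflecting resolver is behaving legitimately and sends only a slice of the total, so per-source volume thresholds miss the attack while the per-victim view does not.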

Help Mitigate DDoS: Ingress/Egress Filters
Deploy anti-spoofing filters as close to the potential source as possible.

SMB Customer – ISP INGRESS (BGP prefix-list on the customer session):

    router bgp <AS#>
     neighbor <IP> remote-as <AS#>
     neighbor <IP> prefix-list customer in
    ip prefix-list customer permit <netblock>
    ip prefix-list customer deny <everything else>

Home Customer – ISP INGRESS (DSL):

    ipv6 access-list extended DSL-ipv6-Inbound
     permit ipv6 2001:DB8:AA65::/48 any
     deny ipv6 any any log
    interface atm 0/0
     ipv6 traffic-filter DSL-ipv6-Inbound in

Home Customer – EGRESS:

    ipv6 access-list extended DSL-ipv6-Outbound
     permit ipv6 2001:DB8:AA65::/48 any
     deny ipv6 any any log
    interface atm 0/0
     ipv6 traffic-filter DSL-ipv6-Outbound out

Let's Take A Look At Passive DNS

What is Passive DNS
- Passive DNS replication is a technology invented in 2004 by Florian Weimer
- Inter-server DNS messages are captured by sensors and forwarded to a collection point for analysis.
- After being processed, individual DNS records are stored in a database
- Many uses!
  - Malware, e-crime, legitimate Internet services all use the DNS

Passive DNS and Resolver
[Diagram: a resolver's iterative queries and responses for www.nsrc.org (e.g. Q2: what is the IP address of the authoritative server for .nsrc.org?; R3: IP address of the authoritative server; Q4/R4: address of www.nsrc.org) pass a Passive DNS sensor, which forwards Q3, R3, Q4, R4 to the collector]

Questions that can be answered using pDNS
- Where did this domain name point to in the past?
- What domain names are hosted by a given nameserver?
- What domain names point into a given IP network?
- What subdomains exist below a certain domain name?
- What new names are hosted in ccTLDs?
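The questions above follow directly from how the records are stored: each (name, type, rdata) triple with the window in which sensors saw it. The following is an added example, not code from the talk and not DNSDB's API: a minimal in-memory passive DNS store that answers the first four questions over a constructed sensor feed (documentation names and address ranges). The network query also matches an AAAA record that carries an IPv4-mapped address against an IPv4 network, the kind of IPv4/IPv6 correlation the later slides describe.

```python
"""Added example (not from the talk, not DNSDB's API): a minimal passive DNS store.
The observations in load_sample() are constructed."""
import ipaddress


def _norm(name):
    """Case-fold and strip the trailing dot so lookups match regardless of spelling."""
    return name.lower().rstrip(".")


class PassiveDNS:
    """Keyed by (rrname, rrtype, rdata); a repeat observation only widens the
    first_seen/last_seen window, which is what makes history queries possible."""

    def __init__(self):
        self._records = {}

    def observe(self, rrname, rrtype, rdata, seen):
        """Record one sensor observation; `seen` is an ISO date (YYYY-MM-DD)."""
        key = (_norm(rrname), rrtype.upper(), _norm(rdata))
        first, last = self._records.get(key, (seen, seen))
        self._records[key] = (min(first, seen), max(last, seen))

    def history(self, rrname):
        """Where did this name point in the past?  Oldest first."""
        name = _norm(rrname)
        rows = [(first, last, rrtype, rdata)
                for (n, rrtype, rdata), (first, last) in self._records.items()
                if n == name]
        return sorted(rows)

    def hosted_by(self, nameserver):
        """Which zones are delegated to this nameserver?"""
        ns = _norm(nameserver)
        return {n for (n, rrtype, rdata) in self._records
                if rrtype == "NS" and rdata == ns}

    def in_network(self, cidr):
        """Which names have A/AAAA records inside this network?  An AAAA holding an
        IPv4-mapped address is also matched as its embedded IPv4 address."""
        net = ipaddress.ip_network(cidr)
        hits = set()
        for (n, rrtype, rdata) in self._records:
            if rrtype not in ("A", "AAAA"):
                continue
            addr = ipaddress.ip_address(rdata)
            candidates = [addr]
            if addr.version == 6 and addr.ipv4_mapped is not None:
                candidates.append(addr.ipv4_mapped)
            if any(c.version == net.version and c in net for c in candidates):
                hits.add(n)
        return hits

    def subdomains(self, apex):
        """Which names exist below a domain?"""
        suffix = "." + _norm(apex)
        return {n for (n, _, _) in self._records if n.endswith(suffix)}


def load_sample():
    """Constructed sensor feed (documentation names and ranges), oldest first."""
    db = PassiveDNS()
    for row in [
        ("example.test",      "NS",   "ns1.hoster.test",     "2014-01-05"),
        ("www.example.test",  "A",    "192.0.2.10",          "2014-01-05"),
        ("www.example.test",  "A",    "192.0.2.10",          "2014-03-01"),  # same answer, seen again
        ("other.test",        "NS",   "ns1.hoster.test",     "2014-02-02"),
        ("shop.other.test",   "A",    "203.0.113.5",         "2014-02-03"),
        ("www.example.test",  "A",    "198.51.100.7",        "2014-06-12"),  # moved hosting
        ("www.example.test",  "AAAA", "2001:db8:aa65::7",    "2014-06-13"),
        ("mail.example.test", "A",    "198.51.100.8",        "2014-06-20"),
        ("cdn.other.test",    "AAAA", "::ffff:198.51.100.9", "2014-07-01"),  # mapped address in an AAAA
    ]:
        db.observe(*row)
    return db


if __name__ == "__main__":
    db = load_sample()
    for row in db.history("www.example.test"):
        print(row)
    print(db.hosted_by("ns1.hoster.test"))
    print(db.in_network("198.51.100.0/24"))
    print(db.subdomains("other.test"))
```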

Passive DNS – Tool to Find the Badness [https://www.dnsdb.info/]

Zeus hunting … (YET!) … more domains … more IP resources

Let's look at SPAM
Let's see what we can find from one of those domains in a pDNS Database: www.srbijadanas.com

DNSDB Results: This is interesting!!

IPv4-Mapped Addresses

    80 bits (0) | 16 bits (FFFF) | 32 bits (IPv4 Address)
    0:0:0:0:0:FFFF:192.168.100.6
    ::FFFF:C0A8:6206
    XXXX XXXX : XXXX XXXX : XXXX XXXX : XXXX XXXX
    192 = 1100 0000 = C0
    168 = 1010 1000 = A8
    100 = 0110 0010 = 62
      6 = 0000 0110 = 06

An IPv4-mapped address should not be seen on the global Internet!!
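The reserved-address table, the anti-spoofing filter and the slide above all come down to one check on an observed source: is it inside the prefix that should be sending here, and if not, is it a special-purpose address that should never appear on the wire? The following is an added example, not code from the talk: it builds the mapped form with the standard library, extracts the IPv4 address embedded in mapped, compatible and 64:ff9b::/96 translation addresses, and classifies sources against the customer prefix from the filter slide. It assumes that customer prefix (2001:DB8:AA65::/48), adds link-local (fe80::/10) to the slide's table, and the observed sources are constructed.

```python
"""Added example (not from the talk): check observed IPv6 packet sources against the
special-purpose prefixes from the reserved-address table and the customer prefix from
the anti-spoofing filter.  Sample addresses are constructed."""
import ipaddress

# Special-purpose prefixes from the reserved-address slide, most specific first so
# that ::1 is reported as loopback rather than as an IPv4-compatible address.
# Link-local is not on the slide; added here because it is a common invalid source.
SPECIAL_PREFIXES = [
    ("loopback", ipaddress.ip_network("::1/128")),
    ("unspecified", ipaddress.ip_network("::/128")),
    ("ipv4-mapped", ipaddress.ip_network("::ffff:0:0/96")),
    ("ipv4-compatible", ipaddress.ip_network("::/96")),
    ("ipv4-ipv6 translation", ipaddress.ip_network("64:ff9b::/96")),
    ("unique-local", ipaddress.ip_network("fc00::/7")),
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("multicast", ipaddress.ip_network("ff00::/8")),
    ("documentation", ipaddress.ip_network("2001:db8::/32")),
]
# In these three /96 forms the IPv4 address sits in the low 32 bits.
EMBEDS_IPV4 = {"ipv4-mapped", "ipv4-compatible", "ipv4-ipv6 translation"}


def special_prefix(addr):
    """Name of the first special-purpose prefix containing addr, or None."""
    for name, net in SPECIAL_PREFIXES:
        if addr in net:
            return name
    return None


def embedded_ipv4(addr):
    """IPv4 address carried inside a mapped/compatible/translated address, else None."""
    addr = ipaddress.IPv6Address(addr)
    if special_prefix(addr) in EMBEDS_IPV4:
        return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)
    return None


def to_ipv4_mapped(ipv4):
    """Build the ::ffff:a.b.c.d form: 80 zero bits, 16 one bits, 32 IPv4 bits."""
    return ipaddress.IPv6Address((0xFFFF << 32) | int(ipaddress.IPv4Address(ipv4)))


def classify_source(src, customer_prefix):
    """What the customer-facing ingress filter should do with a packet from src:
    permit only sources inside the customer's own prefix; deny everything else
    with a reason that separates special-purpose addresses from plain off-prefix
    (spoofed or misrouted) ones."""
    addr = ipaddress.ip_address(src)
    if addr.version != 6:
        return ("deny", "not an IPv6 source")
    if addr in ipaddress.ip_network(customer_prefix):
        return ("permit", "inside customer prefix")
    name = special_prefix(addr)
    if name is None:
        return ("deny", "outside customer prefix")
    inner = embedded_ipv4(addr)
    return ("deny", f"{name} (embeds {inner})" if inner else name)


def audit(sources, customer_prefix):
    """Classify a batch of observed sources; returns {src: (verdict, reason)}."""
    return {s: classify_source(s, customer_prefix) for s in sources}


if __name__ == "__main__":
    # Constructed sample of sources seen on a DSL customer's inbound interface.
    seen = [
        "2001:db8:aa65:1::42",        # the customer's own prefix
        "2001:db8:ffff::1",           # documentation range, but not this customer
        "::ffff:192.168.100.6",       # IPv4-mapped, should never appear on the wire
        "64:ff9b::192.0.2.33",        # NAT64 translation prefix
        "fe80::20d:93ff:fe2f:554c",   # link-local
        "fc00::1",                    # unique-local
        "2a02:1234:5678::1",          # constructed global unicast, off-prefix
    ]
    for src, (verdict, why) in audit(seen, "2001:db8:aa65::/48").items():
        print(f"{verdict:6} {src:28} {why}")
    print("192.168.100.6 mapped:", to_ipv4_mapped("192.168.100.6").exploded)
```

The reason string is what makes the deny log useful for the "configuration error or deliberate spoofing?" question: a link-local or unique-local source on an upstream link points at a misconfigured host, while a global address from an unrelated prefix is the case that warrants a closer look.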

Find Associated Domains [IPv4]:
TODAY'S TREND
- Most all malicious domains utilize A records although these could be legitimate
- Many AAAA records associated with legitimate domains

Find Associated Domains [IPv6]:

Further Investigation
- Correlate domains seen in IPv4 and in IPv6
  - IPv4 and IPv4-mapped addresses both associated with 10,000 domains
  - Not all domains are the same as seen in IPv4 and IPv6
- Investigate same domains seen in IPv4 and IPv6
- Investigate domains seen separately from IPv4 vs IPv6 address
  - Might be legitimate hosting company
Passive DNS can be used to correlate some IPv4 and IPv6 related information

Where Do We Go From Here?

Operational Observations
- Some IPv6 attacks known but not discussed
- Recent SMTP over IPv6 discussions where lack of reputation information blocks legitimate traffic that would not be blocked on IPv4
  - Many folks turn off SMTP use over IPv6 as … (…ws/M3AAWG Inbound IPv6 Policy Issues-2014-09.pdf)
- Many IPv6 invalid source addresses observed
  - https://ripe67.ripe.net/presentations/288-Jen RIPE67.pdf
  - How would you tell configuration error from deliberate spoofing?

Trust But Verify ...
- Understand what is able to be monitored for IPv4 and/or IPv6 traffic and know how the traffic patterns can be correlated
- Test dual-stack and transition technology behavior to know when DNS replies utilize A and/or AAAA records
- Tools for incident response are improving for IPv6 but there is still more improvement needed
  - Not all management functionality can utilize IPv6 transport
  - Some networks are being built for IPv6 only and are motivating vendors :)
- Correlation is important!!

QUESTIONS?
