IP Spoofing - DEFCON

majek04

July 26, 2017

Transcript

  1. IP Spoofing (what is it, how it allows largest attacks and how to fix it)
     Marek Majkowski

  2. (image-only slide, no text)

  3. IP Spoofing is still a problem
     • 1995 - Mitnick pwned Shimomura with TCP seq
     • 1996 - SYN flooding
     • 1998 - idle scanning (ipid)
     • 1998 - BGP connection reset - RFC 2385
     • 2008 - Dan Kaminsky's DNS bug
     • 2013+ - Multiple amplification DDoS

  4. IP Spoofing fight
     • 1998 - Reverse Path Forwarding RFC2267
     • 2000 - BCP38 / RFC2827
     • 2004 - BCP84 / RFC3704 / Unicast RPF
     • 2009 - IETF SAVI https://tools.ietf.org/wg/savi/
     • 2014 - MANRS https://routingmanifesto.org/manrs/
     • 2015 - http://spoofer.caida.org

  5. (image-only slide, no text)

  6. Tcpdump
     $ tcpdump -ni eth0 -c 100
     IP 94.242.250.109.47330 > 1.2.3.4:80: Flags [S], seq 1444613291, win 63243
     IP 188.138.1.240.61454 > 1.2.3.4:80: Flags [S], seq 1995637287, win 60551
     IP 207.244.90.205.17572 > 1.2.3.4:80: Flags [S], seq 1523683071, win 61607
     IP 94.242.250.224.65127 > 1.2.3.4:80: Flags [S], seq 928944042, win 61778
     IP 207.244.90.205.43074 > 1.2.3.4:80: Flags [S], seq 137074667, win 63891
     IP 64.22.81.44.23865 > 1.2.3.4:80: Flags [S], seq 838596928, win 63808
     IP 188.138.1.137.23373 > 1.2.3.4:80: Flags [S], seq 593106072, win 60272
     IP 207.244.90.205.39653 > 1.2.3.4:80: Flags [S], seq 47289666, win 63210
     IP 208.66.78.204.64197 > 1.2.3.4:80: Flags [S], seq 1850809890, win 62714
     IP 207.244.90.205.33108 > 1.2.3.4:80: Flags [S], seq 319707959, win 63351
     IP 207.244.90.205.6937 > 1.2.3.4:80: Flags [S], seq 1591500126, win 63902
     IP 213.152.180.151.60560 > 1.2.3.4:80: Flags [S], seq 1902119375, win 62511
     IP 64.22.79.127.11061 > 1.2.3.4:80: Flags [S], seq 1456438676, win 62148

  7. Blocked with BPF
     iptables -A INPUT \
         --dst 1.2.3.4 \
         -p tcp --dport 80 \
         --syn \
         -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
         -j DROP

  8. BPF bytecode
         ldx 4*([14]&0xf)
         ld #34
         add x
         tax
     lb_0:
         ldb [x + 0]
         add x
         add #1
         tax
         ld [x + 0]
         jneq #0x07657861, lb_1
         ld [x + 4]
         jneq #0x6d706c65, lb_1
         ld [x + 8]
         jneq #0x03636f6d, lb_1
         ldb [x + 12]
         jneq #0x00, lb_1
         ret #1
     lb_1:
         ret #0
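The --bytecode string in the iptables rule and the assembly listing above do the same job: skip the IPv4 header, land on the DNS question section, and compare the wire-encoded query name one word at a time (0x07657861 is "\x07exa", 0x6d706c65 is "mple", 0x03636f6d is "\x03com", followed by the terminating zero). The Python below is an added example, not code from the deck or from Cloudflare's bpftools: it generates that classic-BPF program for any name, optionally hopping over leading wildcard labels the way the lb_0 block does, renders it in the "N,code jt jf k,..." form that iptables -m bpf accepts, and runs it through a small interpreter over a constructed DNS query so the match can be checked offline. For "example.com" with no wildcard it reproduces the slide's bytecode string exactly; link_hdr=14 gives the pcap-style offsets of the listing (ld #34). The function names, the opcode table and the constructed packets are this example's own.

```python
# Classic BPF opcodes used below (values from <linux/filter.h>); these are the
# numbers that appear in the iptables --bytecode string.
LD_IMM = 0x00    # ld #k            A = k
LD_W_IND = 0x40  # ld [x + k]       A = 32-bit word at X+k
LD_H_IND = 0x48  # ldh [x + k]      A = 16-bit half-word at X+k
LD_B_IND = 0x50  # ldb [x + k]      A = byte at X+k
LDX_MSH = 0xb1   # ldx 4*([k]&0xf)  X = IPv4 header length
ADD_X = 0x0c     # add x
ADD_K = 0x04     # add #k
TAX = 0x07       # tax              X = A
JEQ_K = 0x15     # jeq #k, jt, jf
RET_K = 0x06     # ret #k
WIDTH = {LD_W_IND: 4, LD_H_IND: 2, LD_B_IND: 1}


def encode_qname(name):
    """'example.com' -> DNS wire-format labels b'\\x07example\\x03com\\x00'."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dns_qname_filter(name, skip_labels=0, link_hdr=0):
    """cBPF program returning 1 for a DNS-over-UDP packet whose question name is
    `name`, 0 otherwise.  skip_labels hops over leading labels (one '*' each).
    link_hdr=0: offsets relative to the IP header (iptables -m bpf);
    link_hdr=14: pcap/tcpdump offsets behind an Ethernet header (ld #34)."""
    prog = [
        (LD_IMM, 0, 0, link_hdr + 8 + 12),  # A = link hdr + UDP hdr + DNS hdr
        (LDX_MSH, 0, 0, link_hdr),          # X = IPv4 header length
        (ADD_X, 0, 0, 0),                   # A = offset of the question section
        (TAX, 0, 0, 0),                     # X = that offset
    ]
    for _ in range(skip_labels):            # X += label length + 1
        prog += [(LD_B_IND, 0, 0, 0), (ADD_X, 0, 0, 0), (ADD_K, 0, 0, 1), (TAX, 0, 0, 0)]
    wire, off, compares = encode_qname(name), 0, []
    while off < len(wire):                  # compare in 4-, then 2-, then 1-byte pieces
        left = len(wire) - off
        width = 4 if left >= 4 else (2 if left >= 2 else 1)
        op = {4: LD_W_IND, 2: LD_H_IND, 1: LD_B_IND}[width]
        compares.append((op, off, int.from_bytes(wire[off:off + width], "big")))
        off += width
    reject = len(prog) + 2 * len(compares) + 1   # index of the final ret #0
    for op, off, value in compares:
        prog.append((op, 0, 0, off))
        prog.append((JEQ_K, 0, reject - len(prog) - 1, value))  # mismatch -> ret #0
    prog += [(RET_K, 0, 0, 1), (RET_K, 0, 0, 0)]
    return prog


def iptables_bytecode(prog):
    """Render as the "N,code jt jf k,..." string that iptables -m bpf accepts."""
    return f"{len(prog)}," + ",".join(f"{c} {jt} {jf} {k}" for c, jt, jf, k in prog)


def run_cbpf(prog, pkt):
    """Interpreter for the opcodes emitted above; an out-of-bounds load rejects
    the packet (returns 0), mirroring the kernel."""
    A = X = pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == LD_IMM:
            A = k
        elif code == LDX_MSH:
            if k >= len(pkt):
                return 0
            X = 4 * (pkt[k] & 0xF)
        elif code == ADD_X:
            A = (A + X) & 0xFFFFFFFF
        elif code == ADD_K:
            A = (A + k) & 0xFFFFFFFF
        elif code == TAX:
            X = A
        elif code in WIDTH:
            start, width = X + k, WIDTH[code]
            if start + width > len(pkt):
                return 0
            A = int.from_bytes(pkt[start:start + width], "big")
        elif code == JEQ_K:
            pc += jt if A == k else jf
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
    raise ValueError("program ran off the end")


def fake_dns_query(name, ihl=5):
    """Constructed IPv4/UDP/DNS query: headers zeroed apart from version/IHL,
    which is all the filter looks at (not a valid packet for the wire)."""
    ip = bytes([0x40 | ihl]) + b"\x00" * (ihl * 4 - 1)
    return ip + b"\x00" * 8 + b"\x00" * 12 + encode_qname(name) + b"\x00\x01\x00\x01"


if __name__ == "__main__":
    prog = dns_qname_filter("example.com")
    print(iptables_bytecode(prog))           # same string as in the iptables rule
    for qname in ("example.com", "www.example.com", "example.org"):
        print(qname, run_cbpf(prog, fake_dns_query(qname)))
```

The terminating zero byte is part of the comparison, so "example.com.evil" does not match, and an IHL of 6 (IP options present) still lands on the question section because the ldx 4*([0]&0xf) instruction reads the header length from the packet rather than assuming 20 bytes.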
  9. (image-only slide, no text)

  10. Extreme Data Path - XDP
      • Feature of kernels 4.9+
      • Super fast
      • Tomorrow, Saturday 2pm, Packet Hacking Village!

  11. Other side of the cable
      (diagram labels: Internet, Carrier, Direct Peering, Router, Local Internet Exchange, Server)

  12.-19. (eight image-only slides, no text)

  20. June 2017: SSDP
      112 Gbps of traffic
      5 Gbps of spoofing
      940k exposed SSDP Devices

  21. Other amplifications
      Count  Proto  Src port
       3774  udp       123  NTP
       1692  udp      1900  SSDP
        438  udp         0  IP fragmentation (*)
        253  udp        53  DNS
         42  udp     27015  SRCDS
         20  udp        19  Chargen
         19  udp     20800  Call Of Duty
         16  udp       161  SNMP
         12  udp       389  CLDAP
         11  udp       111  Sunrpc
         10  udp       137  Netbios
          6  tcp        80  HTTP
          5  udp     27005  SRCDS
          2  udp       520  RIP

  22. Amplification sizes
      $ cat all-gbps |cut -d " " -f 1|~/bin/mmhistogram
      Gbps min:0.04 avg:7.07 max:78.03 dev:9.06 count:6353
      Gbps:
       value |-------------------------------------------------- count
           0 |                 ****************                  658
           1 |             *************************             1012
           2 |************************************************** 1947
           4 |          ******************************           1176
           8 |                 ****************                  641
          16 |                ********************               748
          32 |                       ****                        157
          64 |                                                   14

  23. • IP spoofing is bad
      • You need network capacity
      • Tracing back is impossible
      (items 24, 25 and 27 of the transcript repeat these three bullets; item 26 is an image-only slide)

  28. (image-only slide, no text)

  29. Netflow
      (netops)# nfdump -M db/waw01:lhr01 -R . -n2 -t -300 -s dstip/packets "in if 731"
      Top 2 Dst IP Addr ordered by packets:
      Dst IP Addr      Flows(%)      Packets(%)      Bytes(%)       pps      bps   bpp
      173.245.58.40    1.0 M(77.0)   17.6 G(75.8)    1.1 T(22.6)    59.0 M   30.7 G  65
      173.245.59.15    54962( 4.0)   910.3 M( 3.9)   75.5 G( 1.5)   3.1 M    2.0 G   82
      Summary: total flows: 1361108, total bytes: 5087980650496, total packets: 23271079936, avg bps: 135599480319, avg pps: 77524526, avg bpp: 218
      Total flows processed: 2457140, Blocks skipped: 0, Bytes read: 177251772
      Sys: 0.210s flows/second: 11700666.7 Wall: 0.210s flows/second: 11654603.2

  30. Netflow
      • Open source toolchain is great
      • Scales well
      • Set high sampling rate - 1/64k flows
      • Rotate logs every 72h
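The nfdump listing above is what gives "visibility into your network" in the recap, but its counters are printed for humans (K/M/G/T suffixes, percentages in parentheses). The parser below is an added example, not part of the deck or of the nfdump project: it turns the top-N rows into plain numbers and flags destinations that receive a high rate of small packets, which is the shape of a SYN or amplification flood rather than bulk traffic. The sample text is constructed in the shape of the slide's output (its two data rows are the slide's own numbers); the thresholds in flood_targets are this example's assumptions, not anything nfdump defines.

```python
import re

# Constructed sample in the shape of `nfdump -s dstip/packets` output; the two
# data rows carry the numbers quoted on the slide.
SAMPLE = """\
Top 2 Dst IP Addr ordered by packets:
Dst IP Addr      Flows(%)      Packets(%)      Bytes(%)       pps      bps   bpp
173.245.58.40    1.0 M(77.0)   17.6 G(75.8)    1.1 T(22.6)    59.0 M   30.7 G  65
173.245.59.15    54962( 4.0)   910.3 M( 3.9)   75.5 G( 1.5)   3.1 M    2.0 G   82
Summary: total flows: 1361108, total bytes: 5087980650496, total packets: 23271079936, avg bps: 135599480319, avg pps: 77524526, avg bpp: 218
"""

SCALE = {None: 1, "K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}
NUM = r"(\d+(?:\.\d+)?)\s*([KMGT])?"   # "17.6 G" or a bare "54962"
PCT = r"\(\s*(\d+(?:\.\d+)?)\)"        # "(75.8)" or "( 4.0)"
ROW = re.compile(rf"^(\S+)\s+{NUM}{PCT}\s+{NUM}{PCT}\s+{NUM}{PCT}\s+{NUM}\s+{NUM}\s+(\d+)$")


def _num(value, suffix):
    return float(value) * SCALE[suffix]


def parse_topn(text):
    """Data rows of an nfdump top-N listing as dicts of plain numbers;
    header, summary and timing lines do not match ROW and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        g = m.groups()
        rows.append({
            "dst": g[0],
            "flows": _num(g[1], g[2]), "flows_pct": float(g[3]),
            "packets": _num(g[4], g[5]), "packets_pct": float(g[6]),
            "bytes": _num(g[7], g[8]), "bytes_pct": float(g[9]),
            "pps": _num(g[10], g[11]),
            "bps": _num(g[12], g[13]),
            "bpp": int(g[14]),
        })
    return rows


def flood_targets(rows, min_pps=1_000_000, max_bpp=100):
    """Destinations taking a high rate of small packets.  The thresholds are
    this example's assumptions: floods are many tiny packets, whereas bulk
    transfer shows a large average bytes-per-packet."""
    return [r["dst"] for r in rows if r["pps"] >= min_pps and r["bpp"] <= max_bpp]


if __name__ == "__main__":
    rows = parse_topn(SAMPLE)
    for r in rows:
        print(f"{r['dst']:16} {r['pps']:>12,.0f} pps  {r['bpp']:3} bpp")
    print("flood targets:", flood_targets(rows))
```

Feed it the output of the same nfdump invocation run over rotated files and the returned destinations are the ones to look at first; pair it with the "in if 731" interface filter and the listing already tells you which upstream the packets arrived on.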
  31. Internet Exchanges
      (diagram labels: L3 Router, Internet Exchange L2 SWITCH, Local ISP #1, Local ISP #2, Local ISP #3)

  32. Recap
      • Prevent IP spoofing - BCP38
        • The root of all evil, unfixable in short time
      • BGP flowspec firewall
        • A stop gap for capacity
      • Netflow/IP FIX sampling
        • Gives visibility into your network. Solves attack attribution.

  33.-34. (two image-only slides, no text)

  35. Filtering is hard
      (diagram labels: Internet, Carrier A, Carrier B, ISP 1, Source 1.2.3.4, Destination 5.6.7.8; the prefix 1.2.3.0/24 appears twice)

  36. Filtering is hard
      (diagram labels: Internet, Carrier A, Carrier B, ISP 1, ISP 2, Source 1.2.3.4, Source 4.3.2.1, Destination 5.6.7.8, prefixes 1.2.3.0/24 and 4.3.2.0/24)

  37. Filter close to the source
      (diagram labels: Internet, Carrier A, Carrier B, ISP 1, Source, Destination, with an X on the path)