Firewall buyers-guide
Die SlideShare-Präsentation wird heruntergeladen.
×
Hier ansehen
Empfohlen
Weitere Verwandte Inhalte
Diashows für Sie (20)
Andere mochten auch (20)
Ähnlich wie The Other Advanced Attacks: DNS/NTP Amplification and Careto (20)
Aktuellste (20)
The Other Advanced Attacks: DNS/NTP Amplification and Careto
- 1. The Other Advanced Attacks Mike Chapple, CISSP, Ph.D. Senior Director, IT Service Delivery University of Notre Dame © TechTarget @mchapple mchapple@nd.edu
- 2. Agenda 2© TechTarget • The Threat is Changing • DNS Threats • NTP DDoS Amplification • Unmasking Careto
- 3. 3© TechTarget The Threat is Changing
- 4. 4 Script Kiddies Are So Nineties
- 5. The New Threats • Governments • Terrorist Organizations • Organized Crime 5© TechTarget
- 6. 6 Cyberwarfare Is Real
- 7. The Participants Are Well-Funded
- 8. Inside an Iranian Nuclear Facility 8 Source: Vitaly Shmatikov And The Targets Are High Stakes
- 9. 9
- 10. 10 “We're glad they are having trouble with their centrifuge machine and (we) are doing everything we can to make sure that we complicate matters for them.” Gary Samore Special Assistant to the President and White House Coordinator for Arms Control and WMD
- 11. Zero Day Vulnerabilities 11© TechTarget
- 12. NEED VIGILANCE 12© TechTarget We Must Remain Vigilant
- 13. 13© TechTarget DNS Threats
- 14. Denial of Service Attacks • Send huge number of requests to a targeted server, seeking to overwhelm it • Difficult to distinguish legitimate requests from attack traffic • Several limitations for the attacker – Requires massive bandwidth – Easy for victims to block based upon IP 14© TechTarget
- 15. Distributed Denial of Service Attacks • Leverage botnets to exhaust all resources on a targeted system • Difficult to distinguish legitimate requests from attack traffic 15© TechTarget
- 16. Amplified DDoS Attacks • Traditional DDoS still limited by bandwidth of zombie PCs • Amplification attacks leverage the bandwidth of non-compromised intermediaries • Requires a service that sends responses that are much larger than the queries 16© TechTarget
- 17. Amplification Factor • Amplification factor is the degree to which the attack is increased in size • 64 byte query resulting in a 512 byte response is an amplification factor of 8 17© TechTarget
- 18. Characteristics of an Amplification Attack • Use botnets • Leverage misconfigured services • Spoof source addresses • Require connectionless protocol 18© TechTarget
- 19. How DNS Should Work • DNS servers should provide domain name resolution services: 1. To the systems on an organization’s network (for all addresses) 2. To the general Internet (for public names owned by the organization) • Most DNS communications take place over UDP • Some systems are configured as “open resolvers”, answering any question from the Internet at large 19© TechTarget
- 20. DNS Amplification Attack 20© TechTarget Source: Microsoft Amplification Factor of 60X
- 21. Don’t Be a Relay • Ensure that you’re not an open resolver • Open Resolver Project openresolverproject.org • DNS Inspect dnsinspect.com 21© TechTarget
- 22. Be a Good Internet Citizen 22© TechTarget
- 23. 23© TechTarget NTP DDoS Amplification
- 24. 24© TechTarget How Dangerous Can a Clock Be?
- 25. NTP • Network Time Protocol used for clock synchronization • Almost three decades of operation • Relies upon UDP for sync traffic 25© TechTarget
- 26. MON_GETLIST • System monitoring command • Retrieves the list of the last 600 systems that interacted with the server • Ideal for an amplification attack when used with forged source addresses 26© TechTarget
- 27. Exploring MON_GETLIST 27© TechTarget Source: CloudFlare Amplification Factor up to 206X
- 28. Be a Good Citizen • Upgrade NTP servers to v4.2.7p26 or later • Perform egress filtering at the firewall • Disable MONLIST and related features (see CERT VU#348126) 28© TechTarget
- 29. 29© TechTarget Unmasking Careto
- 30. What is Careto? • Spanish for “The Mask” • Not a single piece of code, but an advanced threat • Engaged in espionage activities since at least 2007, undetected until February 2014 • Victimized over 1,000 IPs in 31 countries • Definite Spanish flavor 30© TechTarget
- 31. Naming the Beast 31© TechTarget Source: Kaspersky
- 32. Who is Targeted? • Government Agencies • Energy Companies • Researchers • Private Equity Firms • Activists 32© TechTarget
- 33. Initial Infection • Spear phishing messages direct users to a website – linkconf.net – redirserver.net – swupdt.com • Malware hosted in non-indexed folders on those sites 33© TechTarget
- 34. Malware Bears a Digital Signature 34© TechTarget Source: Kaspersky
- 35. Variety of Targets 35© TechTarget
- 36. Diverse Objectives • Intercept network traffic • Perform keylogging • Monitor Skype conversations • Steal PGP keys • Analyze WiFi traffic • Perform screen captures 36© TechTarget
- 37. Stolen File Types 37© TechTarget Source: Kaspersky
- 38. Hides from Kaspersky AV • Exploits a 2008 vulnerability in Kaspersky • Attempts to whitelist itself to avoid detection • Vulnerability patched long ago; relying upon old copies with expired update subscriptions 38© TechTarget
- 39. Protecting Against APTs • Update, update, update • Filter at the gateway and defend at the endpoint • Maintain a defense-in-depth approach that does not rely upon any single layer of control • Monitor rigorously 39© TechTarget
- 40. 40 Questions? © TechTarget mchapple@nd.edu @mchapple
