The Other Advanced Attacks: DNS/NTP Amplification and Careto

This session gives you a list of things besides spearphishing to worry about. You may think DDoS is old hat, but there’s a new spin on how to do it every month, including (to take one example) spoofing packets sent to an amplification server. These attacks leverage misconfigured DNS and NTP services to exhaust all bandwidth available to a third party victim. We’ve also learned in the past few weeks about a threat - Careto - that has been waging cyberwar against the Internet for at least seven years. In this webcast, we explore those new threats and ways that you can better defend your organization.


  1. The Other Advanced Attacks. Mike Chapple, CISSP, Ph.D., Senior Director, IT Service Delivery, University of Notre Dame. © TechTarget. @mchapple, mchapple@nd.edu
  2. Agenda
     • The Threat is Changing
     • DNS Threats
     • NTP DDoS Amplification
     • Unmasking Careto
  3. The Threat is Changing
  4. Script Kiddies Are So Nineties
  5. The New Threats
     • Governments
     • Terrorist Organizations
     • Organized Crime
  6. Cyberwarfare Is Real
  7. The Participants Are Well-Funded
  8. And The Targets Are High Stakes: Inside an Iranian Nuclear Facility (Source: Vitaly Shmatikov)
  9. (image only)
  10. “We're glad they are having trouble with their centrifuge machine and (we) are doing everything we can to make sure that we complicate matters for them.” Gary Samore, Special Assistant to the President and White House Coordinator for Arms Control and WMD
  11. Zero Day Vulnerabilities
  12. We Must Remain Vigilant
  13. DNS Threats
  14. Denial of Service Attacks
     • Send a huge number of requests to a targeted server, seeking to overwhelm it
     • Difficult to distinguish legitimate requests from attack traffic
     • Several limitations for the attacker
       – Requires massive bandwidth
       – Easy for victims to block based upon IP
  15. Distributed Denial of Service Attacks
     • Leverage botnets to exhaust all resources on a targeted system
     • Difficult to distinguish legitimate requests from attack traffic
  16. Amplified DDoS Attacks
     • Traditional DDoS still limited by bandwidth of zombie PCs
     • Amplification attacks leverage the bandwidth of non-compromised intermediaries
     • Requires a service that sends responses that are much larger than the queries
  17. Amplification Factor
     • Amplification factor is the degree to which the attack is increased in size
     • A 64-byte query resulting in a 512-byte response is an amplification factor of 8
  18. Characteristics of an Amplification Attack
     • Use botnets
     • Leverage misconfigured services
     • Spoof source addresses
     • Require connectionless protocol
  19. How DNS Should Work
     • DNS servers should provide domain name resolution services:
       1. To the systems on an organization’s network (for all addresses)
       2. To the general Internet (for public names owned by the organization)
     • Most DNS communications take place over UDP
     • Some systems are configured as “open resolvers”, answering any question from the Internet at large
  20. DNS Amplification Attack (Source: Microsoft). Amplification Factor of 60X
  21. Don’t Be a Relay
     • Ensure that you’re not an open resolver
     • Open Resolver Project: openresolverproject.org
     • DNS Inspect: dnsinspect.com
  22. Be a Good Internet Citizen
  23. NTP DDoS Amplification
  24. How Dangerous Can a Clock Be?
  25. NTP
     • Network Time Protocol used for clock synchronization
     • Almost three decades of operation
     • Relies upon UDP for sync traffic
  26. MON_GETLIST
     • System monitoring command
     • Retrieves the list of the last 600 systems that interacted with the server
     • Ideal for an amplification attack when used with forged source addresses
  27. Exploring MON_GETLIST (Source: CloudFlare). Amplification Factor up to 206X
  28. Be a Good Citizen
     • Upgrade NTP servers to v4.2.7p26 or later
     • Perform egress filtering at the firewall
     • Disable MONLIST and related features (see CERT VU#348126)
  29. Unmasking Careto
  30. What is Careto?
     • Spanish for “The Mask”
     • Not a single piece of code, but an advanced threat
     • Engaged in espionage activities since at least 2007, undetected until February 2014
     • Victimized over 1,000 IPs in 31 countries
     • Definite Spanish flavor
  31. Naming the Beast (Source: Kaspersky)
  32. Who is Targeted?
     • Government Agencies
     • Energy Companies
     • Researchers
     • Private Equity Firms
     • Activists
  33. Initial Infection
     • Spear phishing messages direct users to a website
       – linkconf.net
       – redirserver.net
       – swupdt.com
     • Malware hosted in non-indexed folders on those sites
  34. Malware Bears a Digital Signature (Source: Kaspersky)
  35. Variety of Targets
  36. Diverse Objectives
     • Intercept network traffic
     • Perform keylogging
     • Monitor Skype conversations
     • Steal PGP keys
     • Analyze WiFi traffic
     • Perform screen captures
  37. Stolen File Types (Source: Kaspersky)
  38. Hides from Kaspersky AV
     • Exploits a 2008 vulnerability in Kaspersky
     • Attempts to whitelist itself to avoid detection
     • Vulnerability patched long ago; relying upon old copies with expired update subscriptions
  39. Protecting Against APTs
     • Update, update, update
     • Filter at the gateway and defend at the endpoint
     • Maintain a defense-in-depth approach that does not rely upon any single layer of control
     • Monitor rigorously
  40. Questions? mchapple@nd.edu @mchapple
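
The amplification-factor definition on slide 17 and the reflection pattern of slides 18 to 27, worked as an added example that is not part of the deck: it applies the deck's definition (response bytes divided by query bytes) to constructed request/response records and flags the spoofed source addresses that are receiving far more response traffic than they ever requested. The record format, thresholds and sample sizes are assumptions; the sizes are chosen so the ratios match the deck's 8X, 60X and 206X figures.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpExchange:
    """One request/response pair as seen at a reflector (constructed sample format)."""
    client: str          # source address on the request; spoofable, so this is the likely victim
    server: str          # the DNS resolver or NTP server that answered
    dport: int           # 53 = DNS, 123 = NTP
    query_bytes: int
    response_bytes: int


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Deck definition: response size divided by query size (64 -> 512 bytes is 8x)."""
    if query_bytes <= 0:
        raise ValueError("query size must be positive")
    return response_bytes / query_bytes


def flag_amplified_victims(exchanges, min_factor=5.0, min_response_bytes=4096):
    """Group exchanges by claimed client address and report the addresses that
    receive many times more response bytes than they sent in queries: the
    signature of a spoofed target rather than an ordinary client."""
    sent = defaultdict(int)
    received = defaultdict(int)
    for ex in exchanges:
        sent[ex.client] += ex.query_bytes
        received[ex.client] += ex.response_bytes
    flagged = {}
    for client in sent:
        factor = amplification_factor(sent[client], received[client])
        if factor >= min_factor and received[client] >= min_response_bytes:
            flagged[client] = round(factor, 1)
    return flagged


# Constructed sample data; sizes picked to reproduce the deck's 8X, 60X and 206X ratios.
SAMPLE = [
    UdpExchange("203.0.113.10", "198.51.100.5", 53, 64, 512),
    UdpExchange("203.0.113.10", "198.51.100.6", 53, 64, 3840),
    UdpExchange("203.0.113.10", "198.51.100.7", 123, 234, 48200),
    UdpExchange("192.0.2.20", "198.51.100.5", 53, 45, 120),  # ordinary lookup
]

if __name__ == "__main__":
    print(flag_amplified_victims(SAMPLE))  # {'203.0.113.10': 145.2}
```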

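The "Be a Good Citizen" mitigations on slide 28, as an added example that is not part of the deck: a small audit of an ntp.conf file for the two settings that close MON_GETLIST to the Internet, a `disable monitor` line or a default `restrict` line carrying `noquery`. The parsing rules are an assumption based on ntp.conf syntax, and both configuration texts are constructed samples, one weak and one hardened.

```python
def audit_ntp_conf(text: str) -> dict:
    """Report which monlist mitigations an ntp.conf applies.
    Heuristic: it does not follow includefile directives."""
    disable_monitor = False
    default_noquery = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        # "disable monitor" turns off the monitoring facility monlist reads from
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            disable_monitor = True
        # "restrict [-4|-6] default ... noquery" refuses ntpq/ntpdc queries by default
        if tokens[0] == "restrict":
            flags = [t for t in tokens[1:] if t not in ("-4", "-6")]
            if flags and flags[0] == "default" and "noquery" in flags[1:]:
                default_noquery = True
    return {
        "disable_monitor": disable_monitor,
        "default_noquery": default_noquery,
        "monlist_exposed": not (disable_monitor or default_noquery),
    }


WEAK_CONF = """\
# constructed sample: legacy configuration with no restrictions at all
server time.example.net
driftfile /var/lib/ntp/drift
"""

HARDENED_CONF = """\
# constructed sample: the mitigations described in CERT VU#348126
server time.example.net
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
disable monitor
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf))
```

Upgrading to 4.2.7p26 or later, as the slide also recommends, ships with the monitor facility disabled by default, so the audit mainly matters for older servers that still carry a permissive configuration.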