The Other Advanced Attacks: DNS/NTP Amplification and Careto
© TechTarget
The Other Advanced Attacks
Mike Chapple, CISSP, Ph.D.
Senior Director, IT Service Delivery, University of Notre Dame
@mchapple [email protected]
Agenda
• The Threat is Changing
• DNS Threats
• NTP DDoS Amplification
• Unmasking Careto
The Threat is Changing
Script Kiddies Are So Nineties
The New Threats
• Governments
• Terrorist Organizations
• Organized Crime
Cyberwarfare Is Real
The Participants Are Well-Funded
Inside an Iranian Nuclear Facility
Source: Vitaly Shmatikov
And The Targets Are High Stakes
“We're glad they are having trouble with their centrifuge machine and (we) are doing everything we can to make sure that we complicate matters for them.”
Gary Samore, Special Assistant to the President and White House Coordinator for Arms Control and WMD
Zero Day Vulnerabilities
We Must Remain Vigilant
DNS Threats
Denial of Service Attacks
• Send huge number of requests to a targeted server, seeking to overwhelm it
• Difficult to distinguish legitimate requests from attack traffic
• Several limitations for the attacker
– Requires massive bandwidth
– Easy for victims to block based upon IP
Distributed Denial of Service Attacks
• Leverage botnets to exhaust all resources on a targeted system
• Difficult to distinguish legitimate requests from attack traffic
Amplified DDoS Attacks
• Traditional DDoS still limited by bandwidth of zombie PCs
• Amplification attacks leverage the bandwidth of non-compromised intermediaries
• Requires a service that sends responses that are much larger than the queries
Amplification Factor
• Amplification factor is the degree to which the attack is increased in size
• 64 byte query resulting in a 512 byte response is an amplification factor of 8
Characteristics of an Amplification Attack
• Use botnets
• Leverage misconfigured services
• Spoof source addresses
• Require connectionless protocol
How DNS Should Work
• DNS servers should provide domain name resolution services:
1. To the systems on an organization’s network (for all addresses)
2. To the general Internet (for public names owned by the organization)
• Most DNS communications take place over UDP
• Some systems are configured as “open resolvers”, answering any question from the Internet at large
DNS Amplification Attack
Source: Microsoft
Amplification Factor of 60X
Don’t Be a Relay
• Ensure that you’re not an open resolver
• Open Resolver Project: openresolverproject.org
• DNS Inspect: dnsinspect.com
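The two checks the slides ask for (am I an open resolver, and how much amplification do I hand an attacker) can be scripted. The block below is an added example for this transcript, not code from the slides or from the Open Resolver Project: it builds an RFC 1035 query with the recursion-desired bit set, classifies the reply from its QR/RA bits and RCODE, and computes the amplification factor the way the slide defines it (response bytes divided by query bytes). The replies used to exercise it are constructed locally so the module runs offline; only probe() touches the network, and the default query name isc.org is simply a well-known zone, any name will do.

```python
"""Is this DNS server an open resolver, and how much amplification does it give?

Added example for this transcript; not code from the slides or from the Open
Resolver Project.  Packet layout follows RFC 1035.  The sample replies are
constructed locally so the module runs offline; probe() is the only function
that touches the network."""
import socket
import struct


def build_query(name, qtype=255, txid=0x1234, rd=True):
    """Build a DNS query.  qtype 255 (ANY) is what amplifiers ask for because
    it yields the largest answer; RD=1 asks the server to recurse for us."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(packet):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}


def classify(query, response):
    """'open-resolver' means the server answered a recursive query from us."""
    hdr = parse_header(response)
    if hdr["txid"] != struct.unpack("!H", query[:2])[0] or not hdr["qr"]:
        return "not-a-reply"
    if hdr["rcode"] == 5:
        return "refused"          # REFUSED: recursion denied to this client
    if hdr["ra"] and hdr["ancount"] > 0:
        return "open-resolver"
    return "closed"               # e.g. RA=0 from an authoritative-only server


def amplification_factor(query, responses):
    """Bytes returned per byte sent, measured on the DNS payload."""
    return sum(len(r) for r in responses) / len(query)


# --- constructed replies for the offline check ----------------------------
def fake_refused_reply(query):
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8105, 1, 0, 0, 0) + query[12:]


def fake_open_reply(query, n_answers):
    """Reply carrying n_answers A records (16 bytes each with name compression)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, n_answers, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + rr * n_answers


def probe(server, name="isc.org", timeout=2.0):
    """Network check.  Run it only against resolvers you are responsible for."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        r, _ = s.recvfrom(4096)
    return classify(q, r), amplification_factor(q, [r])


if __name__ == "__main__":
    q = build_query("isc.org")
    r = fake_open_reply(q, 40)
    print(classify(q, r), round(amplification_factor(q, [r]), 1))
```

Run probe() from an address outside your network: a correctly restricted resolver answers REFUSED (or not at all) to outsiders and still serves your own clients, which is the split the "How DNS Should Work" slide describes. The factor is computed on payloads; adding IP and UDP headers to both sides lowers the ratio somewhat but does not change the conclusion.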
Be a Good Internet Citizen
NTP DDoS Amplification
How Dangerous Can a Clock Be?
NTP
• Network Time Protocol used for clock synchronization
• Almost three decades of operation
• Relies upon UDP for sync traffic
MON_GETLIST
• System monitoring command
• Retrieves the list of the last 600 systems that interacted with the server
• Ideal for an amplification attack when used with forged source addresses
Exploring MON_GETLIST
Source: CloudFlare
Amplification Factor up to 206X
Be a Good Citizen
• Upgrade NTP servers to v4.2.7p26 or later
• Perform egress filtering at the firewall
• Disable MONLIST and related features (see CERT VU#348126)
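To verify the "Be a Good Citizen" steps on your own time servers, you need to recognise a monlist reply when you see one. The block below is an added example for this transcript, not code from the slides or from CloudFlare: it sends the 8-byte NTP mode-7 MON_GETLIST_1 request (implementation code 3 for XNTPD, request code 42), decodes the reply header, extracts the client list the slide says is returned (up to 600 entries, six per reply packet), and computes the amplification factor from request and reply sizes. The 72-byte entry layout and its field offsets follow the ntpd info_monitor_1 structure and are an assumption to check against your ntpd version; the reply bytes are constructed so the check runs offline.

```python
"""Recognise an NTP mode-7 MON_GETLIST_1 (monlist) reply, list what it leaks,
and measure the amplification it gives.

Added example for this transcript; not code from the slides or from CloudFlare.
The 8-byte mode-7 header and 72-byte info_monitor_1 entry layout follow the
ntpd source; the field offsets are an assumption to verify against your
version.  Reply bytes are constructed so the check runs offline."""
import ipaddress
import struct

# v2, mode 7, no auth/sequence, implementation 3 (XNTPD), request 42 (MON_GETLIST_1)
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)
MONLIST_ITEM_SIZE = 72


def parse_mode7_header(packet):
    b0, b1, impl, reqcode, b4, b5, b6, b7 = packet[:8]
    return {
        "response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 7, "mode": b0 & 7,
        "sequence": b1 & 0x7F, "implementation": impl, "reqcode": reqcode,
        "err": b4 >> 4, "nitems": ((b4 & 0x0F) << 8) | b5,
        "itemsize": ((b6 & 0x0F) << 8) | b7,
    }


def serves_monlist(packet):
    """True when the server answers monlist at all; that is the exposure.
    A patched server returns an error code; a `noquery` server stays silent,
    so treat a timeout as 'not exposed'."""
    h = parse_mode7_header(packet)
    return h["response"] and h["reqcode"] == 0x2A and h["err"] == 0 and h["nitems"] > 0


def monlist_entries(packet):
    """(client_ip, port, packet_count) for every entry in one reply packet,
    or [] when the packet is not a successful monlist reply."""
    if not serves_monlist(packet):
        return []
    h = parse_mode7_header(packet)
    entries = []
    for i in range(h["nitems"]):
        item = packet[8 + i * h["itemsize"]: 8 + (i + 1) * h["itemsize"]]
        count = struct.unpack("!I", item[12:16])[0]   # packets seen from client
        port = struct.unpack("!H", item[28:30])[0]
        if struct.unpack("!I", item[32:36])[0]:       # v6_flag set
            addr = ipaddress.IPv6Address(item[40:56])
        else:
            addr = ipaddress.IPv4Address(item[16:20])
        entries.append((str(addr), port, count))
    return entries


def amplification_factor(request, replies):
    """Bytes received per byte sent, on the UDP payload.  A full 600-entry
    list arrives as 100 packets of 440 bytes for one 8-byte request."""
    return sum(len(r) for r in replies) / len(request)


def fake_monlist_reply(clients, more=False):
    """Construct one reply packet; ntpd packs at most six entries per packet."""
    assert len(clients) <= 6
    b0 = 0x97 | (0x40 if more else 0)          # R=1, VN=2, mode=7 (+M bit)
    hdr = bytes([b0, 0, 3, 0x2A, len(clients) >> 8, len(clients) & 0xFF,
                 MONLIST_ITEM_SIZE >> 8, MONLIST_ITEM_SIZE & 0xFF])
    items = b""
    for ip, port, count in clients:
        items += struct.pack("!IIIIIIIHBBII16s16s", 0, 0, 0, count,
                             int(ipaddress.IPv4Address(ip)), 0, 0, port, 3, 4,
                             0, 0, bytes(16), bytes(16))
    return hdr + items


if __name__ == "__main__":
    reply = fake_monlist_reply([("198.51.100.7", 123, 1201), ("203.0.113.9", 123, 5)])
    print(serves_monlist(reply), monlist_entries(reply),
          amplification_factor(MONLIST_REQUEST, [reply]))
```

Two things the output makes concrete: the reply is an information leak in its own right (every recent client address and port of your time server), and the ratio of 440-byte packets to an 8-byte spoofed request is why a single misconfigured server is worth finding. After applying `disable monitor` or `restrict default noquery` per CERT VU#348126, the server should no longer answer this request at all.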
Unmasking Careto
What is Careto?
• Spanish for “The Mask”
• Not a single piece of code, but an advanced threat
• Engaged in espionage activities since at least 2007, undetected until February 2014
• Victimized over 1,000 IPs in 31 countries
• Definite Spanish flavor
Naming the Beast
Source: Kaspersky
Who is Targeted?
• Government Agencies
• Energy Companies
• Researchers
• Private Equity Firms
• Activists
Initial Infection
• Spear phishing messages direct users to a website
– linkconf.net
– redirserver.net
– swupdt.com
• Malware hosted in non-indexed folders on those sites
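Because the initial infection runs through a small set of staging domains, the three names on this slide are the indicators worth sweeping proxy and DNS logs for. The block below is an added example for this transcript, not Kaspersky's or the speaker's code: it matches each domain and its subdomains (and not superstrings such as a look-alike domain), extracts the host from both plain and CONNECT proxy lines, and handles a DNS query log as well, since a resolver log catches hosts that never reached the proxy. The log lines are constructed, and the Squid-native and BIND-style layouts are assumptions about your own log formats.

```python
"""Sweep proxy and DNS query logs for contact with the three Careto staging
domains named on the slide.

Added example for this transcript; not Kaspersky's or the speaker's code.
The log lines are constructed; the Squid-native and BIND-style layouts are
assumptions about your own log formats."""
import re
from urllib.parse import urlsplit

CARETO_DOMAINS = frozenset({"linkconf.net", "redirserver.net", "swupdt.com"})


def host_matches(host, iocs=CARETO_DOMAINS):
    """Match the domain itself or any subdomain, never a superstring
    (so 'notswupdt.com' does not match 'swupdt.com')."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in iocs)


def host_of(url):
    """Hostname from a proxy URL field; CONNECT lines carry a bare host:port."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


# Squid native access.log: time elapsed client code/status bytes method url ...
SQUID_RE = re.compile(r"^\S+\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)")
# BIND query log: ... client 10.0.0.5#5353 ...: query: host IN A ...
BIND_RE = re.compile(r"client (\S+?)#\d+.*?: query: (\S+) IN")


def scan(lines):
    """Return (source_ip, host, evidence) for every line touching an IOC domain."""
    hits = []
    for line in lines:
        m = SQUID_RE.match(line)
        if m:
            src, method, url = m.groups()
            host = host_of(url)
            if host_matches(host):
                hits.append((src, host, "%s %s" % (method, url)))
            continue
        m = BIND_RE.search(line)
        if m and host_matches(m.group(2)):
            hits.append((m.group(1), m.group(2).lower(), "dns query"))
    return hits


SAMPLE_LOG = [  # constructed lines, not real traffic
    "1392287400.123 210 10.1.2.3 TCP_MISS/200 4312 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1392287405.456 312 10.1.2.3 TCP_MISS/200 87200 GET http://swupdt.com/ - DIRECT/198.51.100.20 application/octet-stream",
    "1392287409.789 89 10.1.2.9 TCP_TUNNEL/200 2200 CONNECT cdn.linkconf.net:443 - DIRECT/198.51.100.21 -",
    "1392287410.000 50 10.1.2.9 TCP_MISS/200 700 GET http://notswupdt.com/ - DIRECT/203.0.113.5 text/html",
    "12-Feb-2014 10:30:10.001 queries: info: client 10.1.2.7#51234 (redirserver.net): query: redirserver.net IN A + (10.1.2.2)",
]

if __name__ == "__main__":
    for src, host, evidence in scan(SAMPLE_LOG):
        print(src, host, evidence)
```

A hit on the CONNECT line is the reason to match on host rather than full URL: over TLS the proxy never sees the path to the "non-indexed folder", only the domain. Treat any hit as a lead for endpoint triage of the source host, not as proof of compromise on its own.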
Malware Bears a Digital Signature
Source: Kaspersky
Variety of Targets
Diverse Objectives
• Intercept network traffic
• Perform keylogging
• Monitor Skype conversations
• Steal PGP keys
• Analyze WiFi traffic
• Perform screen captures
Stolen File Types
Source: Kaspersky
Hides from Kaspersky AV
• Exploits a 2008 vulnerability in Kaspersky
• Attempts to whitelist itself to avoid detection
• Vulnerability patched long ago; relying upon old copies with expired update subscriptions
Protecting Against APTs
• Update, update, update
• Filter at the gateway and defend at the endpoint
• Maintain a defense-in-depth approach that does not rely upon any single layer of control
• Monitor rigorously