Articulus Detecting IP Hijacking Through Server Fingerprinting - - PowerPoint PPT Presentation



SLIDE 1

Articulus

Detecting IP Hijacking Through Server Fingerprinting

SLIDE 2

Research Question

How can we detect BGP IP hijacking by probing the at-risk subnets for suspect changes to hosts and subnets?

Intro – Fingerprinting – Avoiding Detection – Technical Details – Demo – Questions

SLIDE 3

(Slightly) related work

- BGPmon
- Cyclops by UCLA
- Uptrends SSL monitoring
- Unnamed Eric & Mick tool

SLIDE 4

The problem

SLIDE 5

What are the possibilities

- Man-in-the-middle attacks
- Downgrade attacks
- False information

SLIDE 6

Articulus

SLIDE 7

Terminology

- Sentinel
  - Globally spread out
  - Executes fingers
- Node
  - At-risk host in need of protection
- Server
  - Command & control server
  - Result comparison
- Fingers
  - Commands executed on Sentinels

SLIDE 8

Our solution

SLIDE 9

Fingerprinting

- Identifying software used
- Identifying software version used
- Identifying specific host characteristics

SLIDE 10

Fingerprinting - DNS

- Response only
- DNS censorship/hijacking detection

SLIDE 11

Fingerprinting - Mail services

- SMTP / IMAP / POP
- STARTTLS

SLIDE 12

Fingerprinting – Secure Shell

- RSA fingerprint
- OpenSSH version
- Distribution

SLIDE 13

Fingerprinting - Webservices

- WordPress 3.8
- Apache 2.2.16
- jQuery 1.10.2

SLIDE 14

Fingerprinting – Secure Webservices

- Nginx 1.4.4
- SHA-1 of certificate

SLIDE 15

Fingerprinting - Traceroute

- ICMP / UDP / TCP port 80

SLIDE 16

Fingerprinting – TCP/IP

- Uptime guess
- TCP characteristics
- TCP sequence difficulty

SLIDE 17

Reporting

- Three levels
  - Paranoid
  - System administrator
  - User
- Alerts
  - Email
  - SMS

SLIDE 18

Fingerprinting – Avoiding detection

SLIDE 19

Comparing Fingerprints

- All output saved
- RegEx fingerprint
- Compare result to previous result
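The comparison step on this slide, as an added Python example (not the Articulus code): saved raw probe output from several sentinels is reduced to fingerprints by regex and compared with the stored baseline, then filtered by the deck's three reporting levels. The finger names and patterns, the per-level alert policy, the sentinel names and all sample output (keys, hashes, versions) are this example's own assumptions.

```python
import re

# Regex "fingers": each reduces a sentinel's saved raw probe output to the part
# that should stay stable for a node. Patterns are this example's own; the deck
# only states that raw output is saved and a RegEx fingerprint is compared.
FINGERS = {
    "ssh_banner": re.compile(r"^(SSH-2\.0-OpenSSH_[\w.]+(?: [\w~+.-]+)?)", re.M),
    "ssh_hostkey": re.compile(r"RSA host key: ([0-9a-f]{2}(?::[0-9a-f]{2}){15})"),
    "https_cert": re.compile(r"SHA1 Fingerprint=([0-9A-F]{2}(?::[0-9A-F]{2}){19})"),
    "http_server": re.compile(r"^Server:\s*(\S+)", re.M | re.I),
}
# Assumed policy for the deck's three reporting levels (the deck does not
# define them): the set of changed fingers each level alerts on.
LEVELS = {
    "paranoid": set(FINGERS),                                # any change
    "sysadmin": {"ssh_hostkey", "https_cert", "ssh_banner"},
    "user": {"ssh_hostkey", "https_cert"},                   # key material only
}

def fingerprint(raw_output):
    """Extract every finger from one saved raw output (None if not found)."""
    result = {}
    for name, pat in FINGERS.items():
        m = pat.search(raw_output)
        result[name] = m.group(1) if m else None
    return result

def evaluate(baseline_raw, sentinel_raw, level):
    """Per-sentinel list of fingers that changed vs. the stored baseline, filtered
    by reporting level. A hijack is usually regional: only some sentinels differ."""
    baseline = fingerprint(baseline_raw)
    alerts = {}
    for sentinel, raw in sentinel_raw.items():
        current = fingerprint(raw)
        diff = sorted(f for f in LEVELS[level] if baseline[f] != current[f])
        if diff:
            alerts[sentinel] = diff
    return alerts

# Constructed sample output (fake hosts, keys and hashes): the stored baseline
# and three sentinels, one of which now reaches an impostor host for the node.
BASELINE = ("SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2\n"
            "RSA host key: 3f:6b:0c:9a:12:34:56:78:9a:bc:de:f0:11:22:33:44\n"
            "Server: nginx/1.4.4\n"
            "SHA1 Fingerprint=AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD\n")
IMPOSTOR = ("SSH-2.0-OpenSSH_5.3\n"
            "RSA host key: de:ad:be:ef:00:11:22:33:44:55:66:77:88:99:aa:bb\n"
            "Server: Apache/2.2.16\n"
            "SHA1 Fingerprint=01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67\n")
SENTINELS = {"amsterdam": BASELINE, "tokyo": BASELINE, "saopaulo": IMPOSTOR}
```

Running `evaluate(BASELINE, SENTINELS, "user")` flags only the sentinel whose view of the node changed, which is the signature of a regional hijack rather than a legitimate host upgrade seen from everywhere.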

SLIDE 20

Technical details

- Command and Control server
  - Python API
  - Only works for approved UUIDs
  - HTTPS webserver with Python support (Apache, Nginx, …)
  - MySQL database (MariaDB should work as well)
- Sentinels
  - Python
  - Hardcoded server and certificate (pinning)
  - POST requests to C&C API
  - Generates UUID
  - Parallel command execution

SLIDE 21

Technical details

- Secure
- Lightweight
- Scalable

SLIDE 22

Modular setup

- Add commands for execution on the fly
  - Sentinel needs commands to be installed though
- Add nodes dynamically
- IPv4 and IPv6 support

SLIDE 23

DEMO

http://sne.pretwolk.nl:81

SLIDE 24

Thank you for your attention

Are there any questions?
