Evaluating Network Security using Internet Measurements

Oliver Gasser
Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich

Tuesday 23rd May, 2017

About me

  • Scientific researcher / PhD candidate
  • Chair of Network Architectures and Services
  • Technical University of Munich (Germany)
  • Co-leader of the Global Internet Observatory project
  • Research interests
    • Security protocols (TLS, SSH, ...)
    • Amplification attacks
    • IPv6 scanning

What will this talk be about?

  • Internet-wide measurements
  • SSH
  • BACnet
  • IPv6 scanning

Internet measurements

  • Useful tool
  • Various techniques
  • Focus on empirical security measurements

SSH

  • Secure Shell protocol
  • Provides encrypted & authenticated remote shell access
  • Mostly used on servers and routers to provide administrative access
  • Security critical protocol → evaluate SSH’s security

SSH measurements

  • Internet-wide SSH scans [1]
  • Found ≈ 15 M servers
  • 42 k servers offer SSH 1 only
  • Downloaded > 25 M SSH host keys
  • Host keys identify a server similar to a certificate in TLS
  • Co-prime weak keys found (0.015 %, 2.4 % for SSH1)
  • Debian-weak keys found (0.05 %)
  • Man-in-the-Middle attack possible with weak keys

[1] Gasser et al.: “A deeper understanding of SSH: results from Internet-wide scans”, NOMS’14.

SSH: Duplicate keys

  • Same key on multiple servers
  • Similar threat of MitM attacks
  • Heavily clustered based on Autonomous Systems
    • Web-hosting providers deploy systems with pre-generated keys
    • SSH gateways

[Figure: CCDF Pr[#hosts > X] of the number of hosts per key X, X from 1 to 100,000 on a log scale, with the largest clusters labelled DE, TW1, US/JP, US and SG]

SSH: Lessons learned

  • Weak keys
  • Duplicate keys
  • Man-in-the-Middle attacks possible
  • Use public key authentication to thwart MitM
  • Take cautionary measures before conducting SSH scans

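The two host-key checks the SSH slides rely on, written out as an added example that is not code from the talk or the NOMS’14 paper: grouping hosts by identical key (duplicate keys, and the Pr[#hosts > X] curve) and the co-prime test, i.e. a GCD over pairs of RSA moduli that flags keys sharing a prime factor. The host names and the tiny primes are constructed for illustration; real host keys use 1024-bit primes, and at 25 M keys a batch-GCD product tree replaces the pairwise loop.

```python
from collections import defaultdict
from itertools import combinations
from math import gcd

# Constructed sample (not measurement data): host -> RSA modulus n = p * q.
# Toy primes stand in for the ~1024-bit primes of a real 2048-bit host key.
SAMPLE_HOSTS = {
    "host-a": 61 * 53,   # 3233
    "host-b": 71 * 67,   # 4757
    "host-c": 61 * 71,   # 4331: shares 61 with host-a and 71 with host-b
    "host-d": 61 * 53,   # 3233: same key as host-a (duplicate key)
    "host-e": 61 * 53,   # 3233: same key again, e.g. a pre-generated image
    "host-f": 83 * 89,   # 7387: unique key, no shared factor
}


def hosts_by_key(hosts):
    """Group hosts by modulus; a key seen on more than one host is a duplicate."""
    groups = defaultdict(list)
    for host, n in hosts.items():
        groups[n].append(host)
    return {n: sorted(hs) for n, hs in groups.items()}


def duplicate_keys(hosts):
    """Only the moduli that appear on more than one host."""
    return {n: hs for n, hs in hosts_by_key(hosts).items() if len(hs) > 1}


def hosts_per_key_ccdf(hosts, x):
    """Pr[#hosts > x] over all keys: the CCDF plotted on the duplicate-key slide."""
    sizes = [len(hs) for hs in hosts_by_key(hosts).values()]
    return sum(1 for s in sizes if s > x) / len(sizes)


def shared_factor_keys(hosts):
    """Pairwise GCD over the distinct moduli.

    Two moduli that are not co-prime share a prime, so both keys are weak.
    Returns [(shared_prime, (affected hosts, ...)), ...] sorted by prime.
    """
    groups = hosts_by_key(hosts)
    found = {}
    for n1, n2 in combinations(sorted(groups), 2):
        g = gcd(n1, n2)
        if g > 1:
            found.setdefault(g, set()).update(groups[n1], groups[n2])
    return [(g, tuple(sorted(hs))) for g, hs in sorted(found.items())]


if __name__ == "__main__":
    print("duplicate keys:", duplicate_keys(SAMPLE_HOSTS))
    print("Pr[#hosts > 1]:", hosts_per_key_ccdf(SAMPLE_HOSTS, 1))
    print("shared factors:", shared_factor_keys(SAMPLE_HOSTS))
```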
The Internet?

The Internet

BACnet

  • Building Automation and Control Networks
  • Used to control
    • Heating
    • Solar panels
    • Ventilation
    • ...
  • Unsolicited access can have real-world consequences
    • Presence detection → Break into home
    • Manipulate heating, water flow, ...
  • Security & safety critical protocol → evaluate BACnet’s security

BACnet measurements

  • Internet-wide BACnet scans [2]
  • UDP-based request-response protocol
  • Retrieve and set properties
  • No security built in
  • More than 16k devices found

[2] Gasser et al.: “Security Implications of Publicly Reachable Building Automation Systems”, WTMC’17.

BACnet: Deployment

→ Heavily clustered in countries and ASes

Amplification attacks

[Figure: the attacker sends small requests with a spoofed IP address to an amplifier network; the amplifiers send the large responses to the victim]

BACnet + Amplification attacks?

  • Connectionless: BACnet → UDP-based
  • No authentication: BACnet → No handshake necessary
  • Amplification: BACnet → ?

BACnet: Amplification factor

  • About 14k BACnet devices misusable as amplifier
  • Request same property multiple times within one request
  • Amplification factor similar to DNS Open Resolver
  • Operators write really detailed location information into BACnet devices
    • Hwy 57; Located in the silver box on the electrical pole in front of Grove Primary Care Clinic. Pole 123

BACnet + Amplification attacks!

  • Connectionless: BACnet → UDP-based
  • No authentication: BACnet → No handshake necessary
  • Amplification: BACnet → Freely choose combination of requested properties

BACnet: Lessons learned

  • Never attach your BACnet device to the public Internet
  • Direct threats: Information leakage, surveillance, ...
  • Indirect threats: Misused as amplifier
  • Notify affected parties via CERTs

IPv6 measurements

  • IPv6 adoption [3] ≈ 15%
  • Vast address space
  • Brute-force scanning approach infeasible
  • Smart address selection needed

[3] https://www.google.com/intl/en/ipv6/statistics.html

IPv6: Hitlist-approach

  • Collect IPv6 addresses from various sources
  • Active sources
    • DNS AAAA resolution (Alexa Top 1M, IPv4 rDNS, DNS ANY, DNS zone files)
    • CAIDA IPv6 router DNS names
  • Passive sources
    • Raw packet traces
    • Flow data (NetFlow, IPFIX)
  • Traceroute

IPv6: Scanning

  • ZMap version with IPv6 support [4]
  • Collected 150M IPv6 addresses for hitlist [5]
  • Evaluated reachability and longevity of addresses
  • Classify servers, routers, end-user devices

[4] github.com/tumi8/zmap
[5] Gasser et al.: “Scanning the IPv6 Internet: Towards a Comprehensive Hitlist”, TMA’16.

IPv6: Classifying devices

[Figure: two histograms of the number of host bits set to '1' (Scamper traceroute data and IXP data), frequency in % over 10 to 60 bits, each with the expected N(31.5, 15.75) curve overlaid]


IPv6: Lessons learned

  • Address space sparsely populated
  • Clients cycle IPv6 addresses quickly → privacy extensions
  • IP address as a metric
  • IPv6 Hitlist service [6] freely usable by researchers

[6] https://www.net.in.tum.de/projects/gino/ipv6-hitlist.html


To conclude

  • Measurements: valuable tool to better understand the Internet
  • Regular measurements uncover changes
  • Proactive scanning + notification of affected parties

Oliver Gasser <gasser@net.in.tum.de> https://www.net.in.tum.de/~gasser/


Real-world BACnet location response:

Hwy 57; Located in the silver box on the electrical pole in front of Grove Primary Care Clinic. Pole 123

Amplification factors

  • BACnet: ≈ 30x
  • DNS: ≈ 40x

Table 1: Overview of all BACnet scans.

Type of scan   Ports  Rate     Duration  Targets  Resp.   BACnet
IPv4-wide      16     25 kpps  41 h      2.4 G    32 868  16 485
IPv6 hitlist   1      5 kpps   2 min     407 k
Amplification  16     100 pps  3 min     16 k     15 598  15 429

Table 2: Top 5 BACnet vendors in results.

Pos.  Vendor ID  Vendor Name                    Count  %
1     35         Reliable Controls Corporation  3740   24.8
2     36         Tridium Inc.                   2079   13.8
3     8          Delta Controls                 2004   13.3
4     5          Johnson Controls Inc.          1328   8.8
5     24         Automated Logic Corporation    1051   7.0

Table 3: Top 5 ASes by count of BACnet devices.

Pos.  ASN    Organization                             Count  %
1     7018   AT&T Services, Inc.                      1510   9.2
2     7922   Comcast Cable Communications, Inc.       1450   8.8
3     22394  Cellco Partnership DBA Verizon Wireless  774    4.7
4     852    TELUS Communications Inc.                697    4.3
5     6327   Shaw Communications Inc.                 454    2.8

[Figure: ECDF Pr[BAF ≤ x] of the Bandwidth Amplification Factor, x from 5 to 20]

Figure 1: Distribution of BAF for our generic ReadPropertyMultiple amplification payload used in scans.

Table 4: Property BAF and payload BAF as mean over all, top 50 % and top 10 % amplifiers.

                               Property BAF          Payload BAF
Property           Amplifiers  all    50 %   10 %    all  50 %  10 %
model_name         14 072      6.2    8.3    8.5     1.5  1.7   1.7
vendor_name        14 072      9.0    13.9   14.5    1.8  2.2   2.3
firmware_revision  14 072      11.2   19.6   35.0    2.0  2.8   4.2
app_sw_version     14 071      5.9    10.3   14.0    1.5  1.9   2.2
object_name        14 039      6.8    9.1    11.0    1.6  1.8   2.0
description        13 741      5.5    10.9   13.0    1.4  1.9   2.1
location           13 360      2.5    5.1    7.5     1.1  1.4   1.6
serial_number      2316        4.9    5.6    5.0     1.4  1.4   1.4
profile_name       1958        5.0    7.0    7.0     1.5  1.8   1.8
property_list      1389        141.0  193.8  200.0   7.3  9.7   10.0

[Figure: ECDF Pr[BAF ≤ x] of the Bandwidth Amplification Factor, x from 20 to 120, for Firmware Revision × 5, Firmware Revision × 50, Property List × 5, Property List × 50, Largest response property × 5 and Largest response property × 50]

Figure 2: Payload BAF when issuing multiple requests for the same property (within a single Multi-Property packet).


IPv6 needs a different scanning paradigm than IPv4

Active security scans continue to be a valuable tool

  • Discover vulnerable devices
  • Assess severity and prevalence of security problems

History of IPv4 hit lists

  • Opportunistic log file parsing
  • Passive taps
  • Repeated scans to determine stable IPs
  • Scanning it all

Our approach

  • Create a tailored hitlist of IPv6 addresses for security scanning

Sources for IPv6 addresses

Passive

  • Large European IXP
  • MWN: uplink of Munich Scientific Network with ≈ 100k users

→ Evaluate for response rate and stability

Active

  • Alexa Top 1M
  • Rapid7 IPv4 rDNS
  • Rapid7 DNS ANY
  • DNS zone files
  • CAIDA IPv6 router DNS names

→ Evaluate for response rate

Traceroute

→ Evaluate additional IPs learned

Passive sources

Characteristic             IXP              MWN
Targets                    146,722,097      2,687,679
ASes                       6,783            7,398
AS coverage                66.61%           72.65%
ASes unique to source      821              1,436
Prefixes                   12,858           15,478
Prefix coverage            49.87%           60.04%
Prefixes unique to source  2,076            4,696
Combined AS coverage       8,219 (80.71%)
Combined prefix coverage   25,781 (68.09%)
ICMP response rate         ≈ 13%            31%

Active sources

                           Alexa Top 1M   rDNS     DNS Any    Zone Files
File size                  22MB           56GB     69GB       2.6GB
Unique addresses           43,822         462,185  1,440,987  424,748
AS coverage                14.0%          47.1%    56.1%      23.3%
ASes unique to source      1              30       685        5
Prefix coverage            6.57%          26.2%    33.0%      11.62%
Prefixes unique to source  7              65       1,379      11
ICMPv6 response rate       95.3%          68.8%    72.6%      90.6%
tcp80 response rate        94.2%          28.4%    51.6%      88.3%
tcp443 response rate       75.8%          21.2%    27.8%      58.6%
Combined AS coverage       7,331 (71.9%)
Combined prefix coverage   12,854 (49.8%)

Temporal stability of IPv6 addresses

Passive sources:

  • Trigger measurement immediately after observation
  • Repeat measurement using exponential back-off
  • Measure observed port/protocol and ICMPv6
  • zmap extended with IPv6 capabilities for high-volume scans

Active sources:

  • Scan ICMPv6
  • Scan tcp80 and tcp443

IXP response rates

MWN response rates

IXP Hamming weight indicates privacy extensions

  • Interface ID: Commonly last 64 bits in IPv6 address
  • Privacy extensions (RFC 4941): 6th bit zero, other 63 bits random
  • Central limit theorem: 63 independent single-bit distributions → normal distribution N(31.5, 15.75)

[Figure: histogram of the number of host bits set to '1' (IXP), frequency in % over 10 to 60 bits, with the N(31.5, 15.75) curve overlaid]

Traceroute Hamming weight indicates managed IP assignments

[Figure: histogram of the number of host bits set to '1' (Scamper), frequency in % over 10 to 60 bits, with the N(31.5, 15.75) curve overlaid]

Analyzing EUI-64 IPs (ff:fe) in data sets

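The interface-identifier checks that the Hamming-weight and EUI-64 slides apply to a data set, as an added Python example that is not code from the talk or the hitlist project: the weight of the low 64 bits compared against N(31.5, 15.75), the RFC 4941 u/l bit, and the ff:fe marker of EUI-64 addresses. The sample addresses are constructed from the documentation prefix, and the weight threshold of 16 (almost four standard deviations below 31.5) is an assumption of this example.

```python
import ipaddress
from collections import Counter
from math import exp, pi, sqrt

IID_MASK = (1 << 64) - 1
# Assumption: a random 63-bit IID has weight ~ N(31.5, 15.75), std ~ 3.97, so a
# weight below 16 points to a hand-assigned address (::1, ::53) rather than a
# privacy-extension one.
LOW_WEIGHT_THRESHOLD = 16

# Constructed sample addresses (documentation prefix, not measurement data).
SAMPLE_ADDRESSES = [
    "2001:db8::1",                       # managed: IID = 1
    "2001:db8:1::53",                    # managed: IID = 0x53
    "2001:db8:0:1:214:22ff:fe01:2345",   # EUI-64: ff:fe in the middle of the IID
    "2001:db8::a4f3:9c2e:7b15:d8e6",     # random-looking, u/l bit 0
]


def interface_id(addr):
    """Low 64 bits of the address: the interface identifier (IID)."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def hamming_weight(iid):
    return bin(iid).count("1")


def is_eui64(iid):
    """EUI-64 IIDs embed a MAC address with 0xfffe inserted as IID bytes 3-4."""
    return (iid >> 24) & 0xFFFF == 0xFFFE


def universal_local_bit(iid):
    """Bit 6 of the IID's first byte (the 0x02 bit); zero for RFC 4941 addresses."""
    return (iid >> 57) & 1


def classify_address(addr):
    """Return (category, hamming weight) for one address."""
    iid = interface_id(addr)
    weight = hamming_weight(iid)
    if is_eui64(iid):
        return "eui64", weight
    if weight < LOW_WEIGHT_THRESHOLD:
        return "managed", weight
    if universal_local_bit(iid) == 0:
        return "random-like", weight   # consistent with privacy extensions
    return "other", weight


def classify_dataset(addrs):
    """Category counts over a data set, as on the EUI-64 slide."""
    return Counter(classify_address(a)[0] for a in addrs)


def expected_weight_pct(k, n_bits=63):
    """Normal approximation N(n/2, n/4) of the weight of n random bits, in %.

    This is the curve overlaid on the histograms; for n = 63 it peaks at
    about 10 % at k = 31.5.
    """
    mean, var = n_bits / 2, n_bits / 4
    return 100 * exp(-((k - mean) ** 2) / (2 * var)) / sqrt(2 * pi * var)


if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(a, classify_address(a))
    print(classify_dataset(SAMPLE_ADDRESSES))
```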
Sources for an IPv6 hitlist

Characteristic             Active sources  Passive sources  Traceroutes  CAIDA
Targets                    2,699,573       148,631,234      109,554      102,580
ASes                       5,750           8,219            4,170        5,488
Announced prefixes         8,602           17,554           5,367        9,269
AS coverage                56.46%          80.71%           41.00%       53.90%
ASes unique to source      128             1,276            14           147
Prefix coverage            33.37%          68.09%           20.76%       36.00%
Prefixes unique to source  346             5,798            53           514
ICMPv6 response rate       75.5%           13.3%            n/a          42.0%
Combined unique IPs        149,619,624
Combined AS coverage       8,531 (83.77%)
Combined prefix coverage   18,502 (71.77%)

Specific approach for your scan type

  • Internet structure (finding links and nodes) → passive, CAIDA, ::1 for missing prefixes
  • Assessing security posture (many server hosts) → active sources
  • Internet routers → CAIDA, traceroute to active sources
  • Client protocols → passive tap, but be very quick!
  • Finding active prefixes → passive sources