must have duct tape lots of duct tape
play

Must have duct tape...lots of duct tape. - MacGyver or Building - PowerPoint PPT Presentation

Mar 24, 2023 •326 likes •602 views

Must have duct tape...lots of duct tape. - MacGyver or Building a walled garden on a shoestring Scott A. McIntyre XS4ALL Internet, KPN-CERT, FIRST Summary History of how we did abuse handling Problems with initial approach

  1. Must have duct tape...lots of duct tape. - MacGyver or Building a walled garden on a shoestring Scott A. McIntyre XS4ALL Internet, KPN-CERT, FIRST

  2. Summary • History of how we did abuse handling • Problems with initial approach • Enhanced abuse handling • And some problems • The Walled Garden • Next steps • Constantly evaluating and improving

  3. XS4ALL • Security & Abuse incident management • Router tricks & bulk handling of huge number of events. Automated warning, walled garden, free home AV, Abuse Centre, free email scanning for spam/malware • 6 customer facing ACers, 4 in SOC/System Admin dept • We do more than most, we cost more than most. • These costs you save on helpdesk calls • € 5/call on average • It’s all about the time & money we save • Inaction is a threat to our business, and our customers. • We choose how we want to spend our time (and money), we prefer not to let the surprises choose for us!

  4. That was then...

  5. The early days • Most customers were on dialup • Kicking offline was a matter of setting login shell to xsh and clearing their session on the terminal server • Attitude of sysadmins • “We only care about abuse from customers, not to.” • Only 100Mbit to all of DSL • Easy to do IPS and control traffic • Setting IOS ACLs controlled problems • But I hate IOS ACLs

  6. DSL increases... • 100M > 200M -> 400M > 1G -> 2G -> .. • Created firewall statements in JunOS • Referenced Prefix Lists. • Login to router, add someone to list, kick ‘em off. term evil-discard { from { source-prefix-list { EVIL; } A very binary solution... } then { count evil; discard; } }

  7. Problems • Full shut off of customer no panacea • Less modems out there, no dialup way in • Customers were annoyed • Helpdesk was annoyed • Regulatory headaches • VoIP, 112, etc.

  8. So we built a better mousetrap.

  9. Overall procedure Find Notify Filter Resolve Sometimes we shorten this a bit...

  10. Find A daily nfdump is healthy. /usr/local/bin/nfdump -R /nfdump/$DATE1 -o "fmt:%ts %sa %sp %da %dp %pr %flg" '(dst port 42 or dst port 1433) and flags S and not flags A and not flags F and not flags R a nd not flags P and not flags U and (src AS xxxx or src AS yyyy) and src port > 1024' nfdump for evil ports which are likely to indicate a problem.

  11. Find Daily EvilFlow Date flow start Src IP Addr Src Pt Dst IP Addr Dst Pt Proto Flags 2008-01-20 23:59:18.405 194.109.163.13 38332 194.19.5.18 139 TCP ....S. 2008-01-20 23:59:41.451 194.109.163.13 36275 192.168.127.33 445 TCP ....S. 2008-01-20 23:59:50.425 194.109.163.13 38441 194.19.5.163 445 TCP ....S. 2008-01-21 00:00:03.697 194.109.163.13 38474 192.168.40.181 139 TCP ....S. 2008-01-20 23:59:52.635 82.92.28.58 25484 194.109.152.38 139 TCP ....S. 2008-01-20 23:59:22.414 194.109.152.134 1670 194.109.154.48 1433 TCP ....S. 2008-01-21 00:00:08.320 212.83.240.227 1537 194.109.35.13 1433 TCP ....S. 2008-01-21 00:00:39.242 82.92.215.82 19282 161.89.56.69 139 TCP ....S. 2008-01-21 00:01:01.186 194.109.163.13 38161 194.19.6.155 1433 TCP ....S. 2008-01-21 00:01:03.610 194.109.163.13 40113 194.19.6.209 135 TCP ....S. 2008-01-21 00:00:20.237 80.127.172.42 4593 43.124.63.170 139 TCP ....S. 2008-01-21 00:00:42.178 83.68.73.47 51037 83.68.27.225 445 TCP ....S. 2008-01-21 00:00:40.814 80.88.172.114 1126 80.127.231.96 135 TCP ....S. 2008-01-21 00:01:04.814 80.88.172.114 1154 80.127.240.98 135 TCP ....S. 2008-01-21 00:00:48.814 80.88.172.114 1122 80.127.234.99 135 TCP ....S. 2008-01-21 00:00:35.814 80.88.172.114 2179 80.127.229.105 135 TCP ....S. 2008-01-21 00:00:32.814 80.88.172.114 4404 80.127.227.244 135 TCP ....S. 2008-01-21 00:00:52.193 82.67.136.175 1364 82.94.228.155 445 TCP ....S. 2008-01-21 00:00:44.949 212.238.206.170 7280 213.222.13.134 139 TCP ....S. 2008-01-21 00:00:51.883 82.93.182.198 64617 82.0.0.78 139 TCP ....S. 2008-01-21 00:01:04.305 82.229.159.227 2010 82.94.197.10 445 TCP ....S. 2008-01-21 00:01:31.216 194.109.163.13 40466 192.168.88.112 445 TCP ....S. 2008-01-21 00:02:16.113 194.109.163.13 38910 194.19.7.189 139 TCP ....S. 2008-01-21 00:02:07.942 194.109.163.13 36555 192.168.79.249 445 TCP ....S. 2008-01-21 00:01:28.630 80.126.6.24 35232 192.168.16.2 135 TCP ....S. 2008-01-21 00:01:41.509 82.92.37.47 55790 192.168.200.6 445 TCP ....S. 2008-01-21 00:01:31.269 83.68.73.55 4801 83.68.30.72 139 TCP ....S. 2008-01-21 00:01:22.209 194.109.34.76 1309 194.109.34.4 1433 TCP ....S. 2008-01-21 00:02:15.449 82.93.182.198 64764 82.0.0.234 139 TCP ....S. 2008-01-21 00:01:31.173 212.83.240.227 3080 194.109.35.13 1433 TCP ....S. 2008-01-21 00:02:05.755 213.84.26.228 34953 172.29.1.43 135 TCP ....S. 2008-01-21 00:03:03.073 194.109.163.13 38891 192.168.54.150 1433 TCP ....S. 2008-01-21 00:02:14.416 80.127.90.79 38106 81.4.95.90 1433 TCP ....S.

  12. Filter Walking on xshs • From unix shell • Used to block slip/ppp auth by changing valid shell • NSA development • Our provisioning system inherited the use of xshs • Hierarchy led to xsh as attachment • Any component can have the xsh • Regular exports of data affect service delivery with xshs • Functional impact important • So is political! • Customers must fix problems before starting new ones

  13. SUIsite is painless • Sales/User Interface • Graphical overview of customer • All packages and mutations • Billing information, links to payment information • Respects our authorisation matrix • Can’t see or access what your role doesn’t permit • Displays minimal information for XSHd • Enough to direct customer to the right department

  14. Still not ideal... • Difficult to maintain “whitelist” of IPs • Known good IP addresses for customers to talk to • Confusing with stuff like Akamai • Router can’t handle DNS (good thing, really) • Still tough to get fixes • Dialup gone, CD’s slow, ... • We needed a technical solution which also made customers happier • And the helpdesk. • Advising on setting proxy settings became quite time consuming

  15. Resolve Walled Garden t e n r e t n I e h T A bit of what you need with reasonable structure

  16. Resolve Our walled garden • JunOS prefix lists • Uploaded from the abuse tools hourly • JunOS firewall statements • Refer to the lists; no need to change firewall often • Policy based routing • Routing Instances in Juniperese • Linux boxes with iptables & squid • There are commercial options out there • This was cheaper, and probably better

  17. JunOS config term walled-garden { from { destination-address { 194.109.6.92/32 except; 0.0.0.0/0; } source-prefix-list { DSL-WORM; } protocol tcp; destination-port 80; } then { count garden; routing-instance garden; } } garden { instance-type forwarding; routing-options { static { route 0.0.0.0/0 next-hop 1.2.3.4; } } }

  18. Other firewall changes • At the same time we added the WG, we made other changes: • Permit SIP to/from us • SSL • Authenticated SMTP • Various other communication enhancing things. • But: Blocked everything else.

  19. Linux iptables Chain PREROUTING (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128 And of course all the normal filtering you’d do on a Linux box. This is just the NAT table.

  20. Squid conf emulate_httpd_log off acl all src 0.0.0.0/0.0.0.0 acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl CONNECT method CONNECT acl allowed-URLs dstdomain "/etc/allowed-URLs.conf" http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow allowed-URLs http_access deny all http_reply_access allow all httpd_accel_host virtual httpd_accel_with_proxy on httpd_accel_uses_host_header on deny_info error.html all

  21. #general OSes .ms.akadns.net Allowed URLs .microsoft.com .microsoft.nsatc.net .windowsupdate.com .apple.nl .apple.com .verisign.com #info URLs for lusers www.waarschuwingsdienst.nl www.govcert.nl www.virusalert.nl www.sans.org www.sysinternals.com #anti-virus and anti-spyware vendors .mcafee.com .symantec.com .clamav.net .avast.com .trendmicro.com .sophos.com Just a snippet, many more .viruslist.com .zonelabs.com listed and we review regularly .nod32.com .swatit.org # useful .mozilla.org ftp-mozilla.netscape.com

  22. Walled Garden costs. • Hardware: € 3000 • Software development: € 0 • Operating system license: € 0 • Network technology: € 0 • Value to business:

  23. An oz of prevention is worth a £ of cure.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Makerspaces YSS - April 2014 Maker spaces : stop with the duct tape wallets already

Makerspaces YSS - April 2014 Maker spaces : stop with the duct tape wallets already

Making Library Makerspaces YSS - April 2014 Maker spaces : stop with the duct tape wallets already @doseofsnark cshoemaker@ryelibrary.o rg Libraries and Maker Spaces The Idea Box 4th Floor Maker Space Fab Lab HYPE Detroit, MI Tea

723 views • 31 slides
ANGRY MODULE EXCAVATION LET'S PLAY WITH DUCT TAPE. Stanislas 'P1kachu' Lejay LSE Week - July

ANGRY MODULE EXCAVATION LET'S PLAY WITH DUCT TAPE. Stanislas 'P1kachu' Lejay LSE Week - July

ANGRY MODULE EXCAVATION LET'S PLAY WITH DUCT TAPE. Stanislas 'P1kachu' Lejay LSE Week - July 14, 2016 1 MODULE EXCAVATION ? Use concolic analysis to explore kernel modules and get informations about their IOCTLs 2 WHAT IS AN IOCTL ? long

798 views • 52 slides
DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!) DIY

DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!) DIY

DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!) DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Security by obscurity (because sucker punches work, even though nobody wants to admit

1.11k views • 78 slides
LOCAL RECOVERY MAPS AS DUCT TAPE FOR MANY BODY SYSTEMS Michael J. Kastoryano November 14 2016,

LOCAL RECOVERY MAPS AS DUCT TAPE FOR MANY BODY SYSTEMS Michael J. Kastoryano November 14 2016,

LOCAL RECOVERY MAPS AS DUCT TAPE FOR MANY BODY SYSTEMS Michael J. Kastoryano November 14 2016, QuSoft Amsterdam Tuesday, November 15, 16 CONTENTS Local recovery maps Exact recovery and approximate recovery Local recovery for many body

758 views • 39 slides
Understanding Data Motion in the Modern HPC Data Center Glenn K. Lockwood Shane Snyder Suren

Understanding Data Motion in the Modern HPC Data Center Glenn K. Lockwood Shane Snyder Suren

Understanding Data Motion in the Modern HPC Data Center Glenn K. Lockwood Shane Snyder Suren Byna Philip Carns Nicholas J. Wright - 1 - Scientific computing is more than compute! Tape Tape Tape Tape Tape Tape Tape Tape GW Tape

360 views • 23 slides
The heart of the European tape network Who we are Afera is the European Adhesive Tape

The heart of the European tape network Who we are Afera is the European Adhesive Tape

The heart of the European tape network Who we are Afera is the European Adhesive Tape Association, a not-for-profit trade organisation representing the interests of the best-in-class businesses within the adhesive tape value chain. Who we are

426 views • 27 slides
From Red Tape to Green Tape: Improving Grievance Procedures in Local Government Organizations

From Red Tape to Green Tape: Improving Grievance Procedures in Local Government Organizations

From Red Tape to Green Tape: Improving Grievance Procedures in Local Government Organizations Leisha DeHart-Davis, Associate Professor, UNC-Chapel Hill William Horne, City Manager, Clearwater, FL Reina Schwartz, Director of General Services,

571 views • 34 slides
Certifying the Performance of Manufactured Stormwater Treatment Devices: A Review of the TAPE

Certifying the Performance of Manufactured Stormwater Treatment Devices: A Review of the TAPE

Certifying the Performance of Manufactured Stormwater Treatment Devices: A Review of the TAPE Process and Testing Centers 1 Dylan Ahearn, PhD TAPE expert for 10+ years Had a hand in >90% of TAPE approvals Helped draft the 2011

632 views • 47 slides
Function of Salivary Glands Salivary Gland and Duct Anatomy Parotid Gland and Stensens

Function of Salivary Glands Salivary Gland and Duct Anatomy Parotid Gland and Stensens

11/6/2014 Andrew H. Murr, MD Professor and Chairman Roger Boles, MD Endowed Chair in Otolaryngology Education Department of Otolaryngology- Head and Neck Surgery Salivary Gland and Duct Anatomy UCSF Sialendoscopy/Salivary Duct Surgery Course

263 views • 10 slides
Kinesiology Taping Certification Myra M Meekins PT, DPT, OCS, FAAOMPT myrameekins@gmail.com 1

Kinesiology Taping Certification Myra M Meekins PT, DPT, OCS, FAAOMPT myrameekins@gmail.com 1

Kinesiology Taping Certification Myra M Meekins PT, DPT, OCS, FAAOMPT myrameekins@gmail.com 1 History of Elastic Tape Been in practice for years Most poplar: Kinesio Tape Other well know tapes: Rock tape, KT tape, SpiderTech 2

1.13k views • 67 slides
FOR (ultr FOR (ultra)R a)RUNN UNNERS ERS T184 2014 ITS MORE THAN JUST TAPE ON THE APE

FOR (ultr FOR (ultra)R a)RUNN UNNERS ERS T184 2014 ITS MORE THAN JUST TAPE ON THE APE

FOR (ultr FOR (ultra)R a)RUNN UNNERS ERS T184 2014 ITS MORE THAN JUST TAPE ON THE APE ON THE SKIN SKIN WHY TAPE? 1. REDUCE PAIN. 2. DELAY FATIGUE. 3. ALTER POSTURE. WHY T WHY TAPE? APE? NEUROSENSORY STIMULATION Increase/alter

1.12k views • 43 slides
Ia Iatr trogenic ogenic bile duct bile duct injur injury Eduard Jonas Surgical

Ia Iatr trogenic ogenic bile duct bile duct injur injury Eduard Jonas Surgical

Ia Iatr trogenic ogenic bile duct bile duct injur injury Eduard Jonas Surgical Gastroenterology Unit University of Cape Town and Groote Schuur Hospital Cape Town, South Africa Conflict of Interest I declare I have no conflict of interest

961 views • 36 slides
Mainframe Virtual Tape: Improve Operational Efficiencies and Mitigate Risk in the Data Center

Mainframe Virtual Tape: Improve Operational Efficiencies and Mitigate Risk in the Data Center

Mainframe Virtual Tape: Improve Operational Efficiencies and Mitigate Risk in the Data Center Ralph Armstrong EMC Backup Recovery Systems August 11, 2011 Session # 10135 Agenda Mainframe Tape Use Cases Traditional Mainframe Tape

647 views • 16 slides
Agenda Red Tape Red Carpet Process Red Tape Red Carpet Update Burlington Economic

Agenda Red Tape Red Carpet Process Red Tape Red Carpet Update Burlington Economic

CM-24-19 File #155-03-01 Agenda Red Tape Red Carpet Process Red Tape Red Carpet Update Burlington Economic Development Update Council Review Business Engagement Task Force Implementation Economic Development Overview & Key

701 views • 27 slides
Multitape Turing Machines CSC 540 Christopher Siu 1 / 8 Multitape Turing Machines Defjnition A

Multitape Turing Machines CSC 540 Christopher Siu 1 / 8 Multitape Turing Machines Defjnition A

Multitape Turing Machines CSC 540 Christopher Siu 1 / 8 Multitape Turing Machines Defjnition A k -tape machine has k tapes and k independent tape heads. The machine reads the tapes simultaneously, but has only one state. Tape 3 Tape 2 Tape

572 views • 8 slides
SQL Database Systems: The Complete Book Ch 2.3, 6.1-6.4 1 Project Outline ??? Parser &

SQL Database Systems: The Complete Book Ch 2.3, 6.1-6.4 1 Project Outline ??? Parser &

SQL Database Systems: The Complete Book Ch 2.3, 6.1-6.4 1 Project Outline ??? Parser & SQL Query Relational Algebra Translator .sql JSqlParser Optimizer ??? Statistics Hope and Duct Tape? Query Evaluation Execution Plan Result

637 views • 40 slides
Istio SRE Hybrid Specialist: Shawn Ho shawnho@google.com 1 What is

Istio SRE Hybrid Specialist: Shawn Ho shawnho@google.com 1 What is

Istio SRE Hybrid Specialist: Shawn Ho shawnho@google.com 1 What is SRE? Product Lifecycle Concept Business Development Operations Market Agile DevOps solves this solves this Dev & Ops KPIs aren't

880 views • 28 slides
Monitoring 7000+ hosts in Zabbix Automate all the things Today were talking about

Monitoring 7000+ hosts in Zabbix Automate all the things Today were talking about

Monitoring 7000+ hosts in Zabbix Automate all the things Today were talking about Zabbix Deployment Automation Commercial in Confidence | 3 About me Kinetic IT are a Managed Service Provider in Australia

540 views • 22 slides
/me: Andrea Cardaci Application Security Specialist @ SecureFlag cardaci.xyz Blog and

/me: Andrea Cardaci Application Security Specialist @ SecureFlag cardaci.xyz Blog and

/me: Andrea Cardaci Application Security Specialist @ SecureFlag cardaci.xyz Blog and vulnerability research github.com/cyrus-and GTFOBins gdb-dashboard mysql-unsha1 fracker ... Walkthrough PwnLab: init

551 views • 36 slides
One-Slide Summary Objectifying and Programming Real databases, unlike PS5, have many with

One-Slide Summary Objectifying and Programming Real databases, unlike PS5, have many with

One-Slide Summary Objectifying and Programming Real databases, unlike PS5, have many with Objects concerns, such as scalability and atomic transactions. An object packages state and procedures. A procedure on an object is called a

229 views • 8 slides
Controlling Aq for A1n Caryn Palatchi 7/24/2019 Goal Aq<200ppm What ch changes the Aq Aq?

Controlling Aq for A1n Caryn Palatchi 7/24/2019 Goal Aq<200ppm What ch changes the Aq Aq?

Controlling Aq for A1n Caryn Palatchi 7/24/2019 Goal Aq<200ppm What ch changes the Aq Aq? IA cell setting *** (this is what well use for control of Aq) IHWP insertion/removal RHWP rotation Cathode Spot Move Clipping

559 views • 26 slides
FlexiVoice Low-fi Prototyping & Pilot Usability Testing Esther Goldstein, Rachel Jorgensen,

FlexiVoice Low-fi Prototyping & Pilot Usability Testing Esther Goldstein, Rachel Jorgensen,

FlexiVoice Low-fi Prototyping & Pilot Usability Testing Esther Goldstein, Rachel Jorgensen, Ron Tep Overview of Talk 1. Mission and Interface 2. Prototype and Task Flows 3. Testing and Results 4. Suggested Changes and Summary

546 views • 27 slides
X-ray Laser Wakefield Acceleration in Nanotubes Sahel Hakimi 1 , Xioamei Zhang 2 , Deano Farinella

X-ray Laser Wakefield Acceleration in Nanotubes Sahel Hakimi 1 , Xioamei Zhang 2 , Deano Farinella

X-ray Laser Wakefield Acceleration in Nanotubes Sahel Hakimi 1 , Xioamei Zhang 2 , Deano Farinella 1 , Calvin Lau 1 , Youngmin Shin 3 , Jonathan Wheeler 4 , Peter Taborek 1 , Gerard Mourou 4 , Franklin Dollar 1 , Toshiki Tajima 1 1 University of

671 views • 29 slides
Learning Driving Styles for Autonomous Vehicles for Demonstration Markus Kuderer, Shilpa

Learning Driving Styles for Autonomous Vehicles for Demonstration Markus Kuderer, Shilpa

Learning Driving Styles for Autonomous Vehicles for Demonstration Markus Kuderer, Shilpa Gulati, Wolfram Burgard Presented by: Marko Ilievski Agenda 1. Problem definition 2. Background a. Important vocabulary b. Driving style 3.

217 views • 20 slides

More recommend