Facilitating Firewall Filter Configuration in JUNOS using ‘apply-path’

Undoubtedly, one of the coolest features in JUNOS is the apply-path statement. Using apply-path, an operator can configure a prefix-list which comprises IP prefixes linked to a defined path within JUNOS. This facilitates tasks like configuring firewall filters to allow traffic from configured BGP neighbors, making them highly dynamic.

Continue reading “Facilitating Firewall Filter Configuration in JUNOS using ‘apply-path’”

An Overview of BGP FlowSpec

I have given this presentation a few times in the last year and was asked to make this available for public consumption. Essentially, this is a brief overview of RFC 5575, entitled “Dissemination of Flow Specification Rules”, written by Danny McPherson, Jared Mauch, and others.

This standard had somewhat of a rocky beginning as there was limited vendor support, but as of recently it appears to have picked up quite a bit of steam with Cisco announcing support for the protocol in the very near future.

The benefit of BGP Flow Spec is that it allows BGP speakers to use a new BGP NLRI defining flow filter information which can then be advertised to upsteam neighbors via BGP. The primary and immediate motivation of this protocol is to provide intra and inter provider distribution of traffic filtering rules to filter DoS and DDoS attacks, however it can be used for a wide variety of applications in which filtering information must be dynamically distributed throughout a network.

I will probably make additional modifications to these slides as the protocol gains more significant foothold throughout the vendor community and as Service Providers gain more practical deployment experience. As with my other presentations, I will eventually add a voice-over to turn this into a slide-cast.

 

Hardening DNS Against Reflection Attacks

Generally, the most prevalent types of attacks and the ones which are most likely to target a DNS infrastructure are reflection/amplification attacks (which generally use a DNS servers resources against other third-parties).  Understanding the attack-vector employed in most reflection attacks is necessary in order to understand how to harden an environment against these types of attacks.

In a typical DNS reflection attack, attackers send a large number of queries from a spoofed source address.  The address which is spoofed is typically that of the victim.  When the requests are received by the nameserver, all ensuing responses to these queries are directed back towards the spoofed IP of the victim.  The amplification factor comes into play in these types of attacks because the attacker will typically query for a record of a large size, typically that of a root record which by it’s very nature is very large in size.  By simply sending in small queries, on the order of around 90 Bytes, an attacker can typically get a multiplication factor of five times that of the original query.  This allows an attacker to use a smaller number of hosts in the botnet and cause considerably more impact than would otherwise be possible if these devices were sending traffic directly towards the victim.

Due to the fact that the purpose of this attack is to reflect packets back towards the victim, all of the source IPs of the DNS queries contain the same address.  This makes it fairly easy to spot a reflection attack utilizing your infrastructure.  A simple observation of a spike in DNS queries from a singular IP is a clear indication that this is going on.  One would think that these types of attacks can be mitigated fairly easily by implementing simple ACLs on routers to prevent the incoming queries from those spoofed IP, and in fact that is a method commonly used by network administrators to protect against these types of attacks.  However, most security experts suggest that the filtering should actually be implemented on the nameserver itself – in fact this has been considered an industry best practice for quite some time now.  The reason for this is that implementing an ACLs on a router is largely a reactive countermeasure which can only be deployed after the fact.  An administrator will still need to identify the target of the attack before filters can be put in place; furthermore these types of filters only serve to cause a legitimate Denial of Service when that particular victim actually attempts to query anything for which the nameserver is actually authoritative for.  As an alternative to ACLs, some proposed configurations below can be used to eliminate this problem in it’s entirety.

At the very onset of your investigation into the vulnerabilities of your DNS infrastructure and potential remedies one of the very first things a network administrator must determine is if the nameservers allow anyone on the outside world to query for root (.).  Using the example below, one can easily check to see if their nameserver responds with a root-referral when queried for root.  If you see something along these lines, you can be fairly certain your nameserver is responding with a root-referral:

/usr/bin/dig . NS @dns.example.com
 
; <<>> DiG 9.2.4 <<>> . NS @DNS.EXAMPLE.COM ; (2 servers found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54368 ;; flags: qr rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
 
;; QUESTION SECTION:
;. IN NS
 
;; ANSWER SECTION:
. 86400 IN NS A.ROOT-SERVERS.NET.
. 86400 IN NS B.ROOT-SERVERS.NET.
. 86400 IN NS C.ROOT-SERVERS.NET.
. 86400 IN NS D.ROOT-SERVERS.NET.
. 86400 IN NS E.ROOT-SERVERS.NET.
. 86400 IN NS F.ROOT-SERVERS.NET.
. 86400 IN NS G.ROOT-SERVERS.NET.
. 86400 IN NS H.ROOT-SERVERS.NET.
. 86400 IN NS I.ROOT-SERVERS.NET.
. 86400 IN NS J.ROOT-SERVERS.NET.
. 86400 IN NS K.ROOT-SERVERS.NET.
. 86400 IN NS L.ROOT-SERVERS.NET.
. 86400 IN NS M.ROOT-SERVERS.NET.
 
;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 86400 IN A 198.41.0.4
B.ROOT-SERVERS.NET. 86400 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 86400 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 86400 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 86400 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 86400 IN A 192.5.5.241
G.ROOT-SERVERS.NET. 86400 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 86400 IN A 128.63.2.53
I.ROOT-SERVERS.NET. 86400 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 86400 IN A 192.58.128.30
K.ROOT-SERVERS.NET. 86400 IN A 193.0.14.129
L.ROOT-SERVERS.NET. 86400 IN A 199.7.83.42
M.ROOT-SERVERS.NET. 86400 IN A 202.12.27.33
 
;; Query time: 43 msec
;; SERVER: www.example.com#53(www.example.com)
;; WHEN: Thu Nov 12 17:01:51 2009
;; MSG SIZE rcvd: 436

Normally, most Internet-facing authoritative nameservers should not respond to recursive third-party queries for root.  If an authoritative nameserver responds to queries for root with a root-referral, attackers will likely use your nameservers as an amplification vector to launch attacks.  It is better to remove the temptation altogether, by not allowing these in the first place.  Furthermore, instead of responding with the root-referral, nameservers should be configured to respond with REFUSED or SERVFAIL or another similar type of message.  The reason for this is simple – a REFUSED message is only on the order of around 50 Bytes.  If a countermeasure such as this is not employed, attackers can send in a relatively small spoofed query and will get roughly a 512 Byte response.  However, if we respond with a REFUSED message, the amplification factor is on the order of 1:1.  From an efficiency standpoint this does not provide much if any amplification, and therefore the attackers will simply look for other providers whom don’t apply such stringent security measures.

NOTE: Of course if you are in the business of providing recursive DNS service, that is an entirely different story – if that is the case, network administrators should take extra precautions by strictly enabling this function on the Recursive DNS servers (not the Authoritatives) and combining firewall-filters to limit recursive service to only IP blocks of paying customers.

While we’re on the subject, another current best practice in the industry is to apply a similar methodology to requests for records for which a given DNS Server is not authoritative for.  Some resolvers may respond to these types of requests by providing a root-referral, and in the worst cases a resolver may actually perform a recursive query on behalf of the original source.  An authoritative resolver should respond to any non-existent domain requests with either the REFUSED message or other similar type of message, rather than providing a root referral or performing a recursive query.  In fact, BCP 140 (Preventing Use of Recursive Nameservers in Reflector Attacks, RFC 5358) looked at this problem and concluded that sending REFUSED was the best general guidance that can be given.  While BCP 140 applies guidance to recursive servers, returning REFUSED to queries which are not within the namespace served by authoritative servers is entirely consistent with BCP 140.  You can generally find out if your nameservers allows for recursion or if it responds with a root-referral, by using a command such as the following:

/usr/bin/dig +recurs @yournameserver_ip www.facebook.com

If you see a response which looks like the large root-referral response above, or some other type of response other than a REFUSED or SERVFAIL, you should take steps to harden your resolver.  One can also look for an “RA” entry in the “Flags” section of the DNS response which should give you some indication as to whether the resolver allows for recursion.

In conclusion, there are several such steps which allow administrators to prevent from being used as an unwitting pawn in an attack against third-parties.  Firewall filters are effective, but are reactive in nature.  Therefore, it is recommended to follow some of the steps below in order to effectively harden your DNS infrastructure against reflection attacks.

SYNOPSIS – Steps to prevent a DNS infrastructure from being used for reflection/amplification type attacks:

  1. Disable querying for root on Authoritative resolvers, return REFUSED
  2. Filter queries to Recursives from only paying customers, via ACLs
  3. Apply BCP 140 or similar rules to cause any non-existent domain queries to respond with a REFUSED.

An excellent whitepaper entitled “Anatomy of Recent DNS Reflector Attacks from the Victim and Reflector Point of View” by Ken Silva, Frank Scalzo and Piet Barber covers this topic in more detail.

Preventing DNS Fragmentation and Large DNS Packet Attacks

Often times, attackers will attempt to perform very rudimentary attacks against DNS resolvers in an attempt to cause a Denial of Service. It is not uncommon to see attackers crafting a DoS attack composed mostly of UDP packets destined to port 53 with invalid payloads containing the ‘more-fragments’ bit set. In some cases, the packets may contain the ‘non-more-fragments’ bit set with packets of specific lengths, typically larger than the average size of a normal DNS packet.

Many flow analysis tools and IDP products have the ability to look for IP fragmentation misuse based on parameters that the operator may set; these tools are invaluable as an early warning system to alert the network administrator that their infrastructure is under attack.

Insofar as being able to mitigate these types of attacks, a few simple approaches can be utilized by a network administrator in order to filter this type of traffic using simple ACLs or firewall filters on routers or other types of equipment capable of filtering at Layers 3 and 4. Normally, is is not typical to see DNS queries which are fragmented, therefore the following Juniper firewall-filter should effectively filter the fragmented packets:

term DNS-Fragments {
  from {
     destination-prefix-list {
         dns-server-prefixes;
   }
     }
     fragment-flags more-fragments;
     destination-port 53;
  }
  then {
     count dns-fragments;
     log;
     discard;
  }
}

For packets containing the ‘non-more-fragments’ bit set, or which all packets within the attack flows share a common packet size (typically this will be large, on the order of 540 bytes or larger), a network administrator can easily filter those on the router as well. Normally we should not expect to see queries of this large size, so the following could be effectively used to filter these types of attacks as well.  In this example we are filtering UDP or TCP packets destined to port 53, with a size of either 540 bytes or 1480:

term DNS-InvalidSize {
   from {
       destination-prefix-list {
          dns-server-prefixes;
    }
       packet-length [ 540 1480 ];
       destination-port 53;
   }
   then {
       count dns-InvalidSize;
      log;        
      discard;
   }
}

NOTE: It is more than likely a network administrator would need to adjust the above packet sizes after analysis of the packet size used in the attack vector using whatever flow reporting or network visibility tools are in use, since it is unlikely an attacker would use the exact same packet sizes listed in the example above.

Book Review :: Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)

extreme_exploits

Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)
by Victor Oppelman, Oliver Friedrichs, and Brett Watson
Paperback: 448 pages
Publisher:  McGraw-Hill Osborne Media
ISBN-13: 978-0072259551

4starsGood coverage of darknets, honeynets, and triggered blackholes

First I must admit that I know and have worked with several of the authors of this book. I was given an autographed copy of the book late last year, however seeing as the book was published in 2005 I didn’t think there would be much along the lines of useable information seeing as many of the security threats and vulnerabilities have evolved quite a bit since then. However, as I started reading the book I quickly realized much of the information was still relevant today as it was several years ago. The chapters on ISP Security Practices and Securing the Domain Name System had very good coverage of many of the techniques used throughout Service Provider networks to secure their network and DNS infrastructure.

I particularly enjoyed reading the sections on using egress packet filters to restrict data leaks from within an organization – a particular problem today with the prevalance of Internet Worms and other Malware which often attempt to communicate back to their centralized Command & Control (C&C) hosts. The chapter on ‘Sinkholes and Backscatter’ has very good coverage on a wide variety of topics such as using Darknets and Honeynets to monitor malicious traffic and other nasties emanating throughout your network, as well as using techniques such as Triggered Blackhole Routing to propagate filters quickly and dynamically to drop DDoS and other malevolent traffic.

I would have to disagree with Dr. Anton Chuvakin that the chapters on Digital Forensics were disappointing. Personally, I learned quite a bit from these chapters and came away from reading them with a whole arsenal of new tools to use with which I can perform my own digital forensics on compromised systems. The coverage of Foremost, memdump, and some of the advanced digital forensic tools was top notch.

All in all, I would say this is still a good book for anyone involved in Network Security. Much of the information covered is still relevant in today’s networks. If the authors attempt to release a second edition I would suggest coverage of adapting Triggered Blackhole techniques to be used in more modern DDoS Mitigation scenarios. Additionally, discussion of new techniques used for Malware C&C and coverage of Fast-flux and Double-flux techniques used by the attackers to create more robust and reliable networks would be welcomed.

Book Review :: Configuring NetScreen Firewalls

netscreen_firewalls

Configuring NetScreen Firewalls
by Rob Cameron
Paperback: 600 pages
Publisher: Syngress
ISBN-13: 978-1932266399

2starsBetter off waiting for a Second Edition…

I read a lot of books, and while I don’t review all of them, I am often compelled to write a review when a book stands out, either for it’s clear leadership and technical distinction in the marketplace, or for it’s extreme lack thereof. In this case, I was compelled to write the review based on the latter.

Seeing as this is the only Netscreen book on the market, I had high expectations for it. When one looks at the credentials of the numerous authors, it reads like a veritable list of leaders in the Security industry. As such, I was rather excited when I picked up this book. As I began reading this book, I quickly realized that it was not going to meet my expectations. Clearly this book was rushed to market, another sign that the primary concern of many publishers is not in producing quality, but rather quantity. This book suffers from many of the same problems I see with other books on the market with multiple contributing authors, which is that the voice isn’t consistent throughout the book. Some chapters have diagrams, screen shots, or CLI commands outlining various procedural steps, whereas these details are noticeably absent in others.

In addition, this book is littered with many errors throughout, both typographical as well as technical. In some cases, as other reviewers point out, sentences simply stop abruptly mid-sentence. The text often refers to diagrams which don’t even exist. There are numerous references to find additional information in other chapters which are non-existent.

With regards to technical content, the authors certainly could have added more detail, especially considering the number of authors who contributed to this text. For example, the chapter on Routing does a good job of telling the reader how to enable BGP, but provides no details on how to actually configure a BGP neighbor. Another example is URL filtering which is discussed in the chapter on Attack Detection and Defense. While the authors do a good job of describing the various modes to support URL filtering (redirect vs. integrated), there is no explanation of how redirection actually takes place and no diagrams to provide for comprehensive understanding of the subject matter.

I can’t blame the authors entirely for the many flaws in this book, as any decent technical editor should have been able to spot many of these errors prior to publication. One wonders whether the technical editors even read the book as many of the errors are so blatant that it’s inconceivable that so many managed to slip through. I’m disappointed in Syngress for publishing a book with so many errors, and this has definitely led me to believe that Syngress does not want to maintain a leadership position of publishing technical content of the highest magnitude, but rather they are only concerned with being the first to market with a particular product.

I will give this book 2 stars in that it is indeed a noble attempt at covering a wide array of topics, as well as for being the only book in the industry which covers this subject matter. I suggest that the authors should examine the possibility of releasing a second edition which may fix these blatant errors, as well as hiring some decent technical editors.