The Other Advanced Attacks: DNS/NTP Amplification and Careto

This session gives you a list of things besides spearphishing to worry about. You may think DDoS is old hat, but there’s a new spin on how to do it every month, including (to take one example) spoofing packets sent to an amplification server. These attacks leverage misconfigured DNS and NTP services to exhaust all bandwidth available to a third party victim. We’ve also learned in the past few weeks about a threat - Careto - that has been waging cyberwar against the Internet for at least seven years. In this webcast, we explore those new threats and ways that you can better defend your organization.

  1. The Other Advanced Attacks
     Mike Chapple, CISSP, Ph.D.
     Senior Director, IT Service Delivery, University of Notre Dame
     @mchapple, mchapple@nd.edu
  2. Agenda
     • The Threat is Changing
     • DNS Threats
     • NTP DDoS Amplification
     • Unmasking Careto
  3. The Threat is Changing
  4. Script Kiddies Are So Nineties
  5. The New Threats
     • Governments
     • Terrorist Organizations
     • Organized Crime
  6. Cyberwarfare Is Real
  7. The Participants Are Well-Funded
  8. Inside an Iranian Nuclear Facility (Source: Vitaly Shmatikov)
     And The Targets Are High Stakes
  9. (no text on slide)
  10. “We're glad they are having trouble with their centrifuge machine and (we) are doing everything we can to make sure that we complicate matters for them.”
      Gary Samore, Special Assistant to the President and White House Coordinator for Arms Control and WMD
  11. Zero Day Vulnerabilities
  12. NEED VIGILANCE: We Must Remain Vigilant
  13. DNS Threats
  14. Denial of Service Attacks
      • Send huge number of requests to a targeted server, seeking to overwhelm it
      • Difficult to distinguish legitimate requests from attack traffic
      • Several limitations for the attacker
        – Requires massive bandwidth
        – Easy for victims to block based upon IP
  15. Distributed Denial of Service Attacks
      • Leverage botnets to exhaust all resources on a targeted system
      • Difficult to distinguish legitimate requests from attack traffic
  16. Amplified DDoS Attacks
      • Traditional DDoS still limited by bandwidth of zombie PCs
      • Amplification attacks leverage the bandwidth of non-compromised intermediaries
      • Requires a service that sends responses that are much larger than the queries
  17. Amplification Factor
      • Amplification factor is the degree to which the attack is increased in size
      • 64 byte query resulting in a 512 byte response is an amplification factor of 8
  18. Characteristics of an Amplification Attack
      • Use botnets
      • Leverage misconfigured services
      • Spoof source addresses
      • Require connectionless protocol
  19. How DNS Should Work
      • DNS servers should provide domain name resolution services:
        1. To the systems on an organization’s network (for all addresses)
        2. To the general Internet (for public names owned by the organization)
      • Most DNS communications take place over UDP
      • Some systems are configured as “open resolvers”, answering any question from the Internet at large
  20. DNS Amplification Attack (Source: Microsoft)
      Amplification Factor of 60X
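Slides 17 and 20 define the amplification factor as response size over query size and put DNS at 60x. As an added example (not from the deck), the check below applies that definition to a DNS or NTP server's own traffic accounting to spot a peer that is receiving far more than it ever sent, which is what a spoofed victim looks like from the relay's side. The flow records, addresses and thresholds are constructed sample data.

```python
from collections import defaultdict

# Constructed flow summaries from a DNS resolver and an NTP server we operate
# (sample data, not from the slides): (service_port, peer_ip, bytes_in, bytes_out).
# bytes_in = request bytes received from peer_ip, bytes_out = response bytes sent to it.
FLOWS = [
    (53, "198.51.100.7", 64, 512),    # ordinary query: slide 17's factor of 8
    (53, "198.51.100.7", 64, 480),
    (53, "203.0.113.9", 64, 3840),    # large responses: slide 20's factor of 60
    (53, "203.0.113.9", 64, 3840),
    (53, "203.0.113.9", 64, 3840),
    (123, "203.0.113.9", 48, 9888),   # monlist replies: slide 27's factor of 206
    (123, "203.0.113.9", 48, 9888),
    (123, "192.0.2.44", 48, 48),      # plain time sync: factor 1
]

def amplification_factor(bytes_in, bytes_out):
    """Slide 17's definition: response size divided by query size."""
    if bytes_in == 0:
        return float("inf")   # responses with no request at all: maximally suspicious
    return bytes_out / bytes_in

def find_reflection_victims(flows, min_factor=10.0, min_out_bytes=4096):
    """Aggregate per (service, peer). A peer that receives far more than it sends,
    over a meaningful volume, is most likely a spoofed victim address and this
    server is being used as the relay. Returns flagged peers sorted by port then IP."""
    totals = defaultdict(lambda: [0, 0])
    for port, ip, b_in, b_out in flows:
        totals[(port, ip)][0] += b_in
        totals[(port, ip)][1] += b_out
    flagged = []
    for (port, ip), (b_in, b_out) in sorted(totals.items()):
        factor = amplification_factor(b_in, b_out)
        if factor >= min_factor and b_out >= min_out_bytes:
            flagged.append({"port": port, "ip": ip,
                            "factor": round(factor, 1), "bytes_out": b_out})
    return flagged

if __name__ == "__main__":
    for hit in find_reflection_victims(FLOWS):
        print(f"port {hit['port']}: {hit['ip']} received {hit['bytes_out']} bytes, "
              f"factor {hit['factor']}x")
```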
  21. Don’t Be a Relay
      • Ensure that you’re not an open resolver
      • Open Resolver Project: openresolverproject.org
      • DNS Inspect: dnsinspect.com
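Slide 21 says to make sure you are not an open resolver. The self-check below is an added example written for this page, not a tool from the Open Resolver Project or DNS Inspect: it hand-builds a recursive query and reads the RA flag and RCODE of the reply. The name example.com and the transaction id are placeholders I chose; run it from outside your network against the resolver addresses you publish.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id; adequate for a one-off self-check

def build_query(name, qtype=1):
    """Build a minimal DNS query for `name` (A record by default) with the
    Recursion Desired flag set, exactly as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_response(data):
    """Return (is_response, recursion_available, rcode, answer_count) from a reply."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != TXID:
        raise ValueError("transaction id mismatch")
    qr = bool(flags & 0x8000)     # QR bit: this is a response
    ra = bool(flags & 0x0080)     # RA bit: the server offers recursion
    rcode = flags & 0x000F        # 0 = NOERROR, 5 = REFUSED
    return qr, ra, rcode, an

def is_open_resolver(server_ip, name="example.com", timeout=3.0):
    """Ask `server_ip` to recursively resolve a name it is not authoritative for.
    An authoritative-only server should answer REFUSED or without RA; a server
    that returns NOERROR with RA set and an answer is recursing for whoever asks.
    Run from outside your network, since inside it recursion is expected."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False  # no reply: not reachable as a resolver from this vantage point
    qr, ra, rcode, an = parse_response(data)
    return qr and ra and rcode == 0 and an > 0
```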
  22. Be a Good Internet Citizen
  23. NTP DDoS Amplification
  24. How Dangerous Can a Clock Be?
  25. NTP
      • Network Time Protocol used for clock synchronization
      • Almost three decades of operation
      • Relies upon UDP for sync traffic
  26. MON_GETLIST
      • System monitoring command
      • Retrieves the list of the last 600 systems that interacted with the server
      • Ideal for an amplification attack when used with forged source addresses
  27. Exploring MON_GETLIST (Source: CloudFlare)
      Amplification Factor up to 206X
  28. Be a Good Citizen
      • Upgrade NTP servers to v4.2.7p26 or later
      • Perform egress filtering at the firewall
      • Disable MONLIST and related features (see CERT VU#348126)
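Slides 26 to 28 describe MON_GETLIST and the fix (upgrade, disable monlist). The parser below is an added example, not from the deck or from ntpd: it decodes the NTP mode 7 header as laid out in the reference implementation's ntp_request.h and tallies monlist requests per source and monlist reply bytes per destination, which is what you would alert on while the upgrade rolls out. The packet samples and addresses are constructed.

```python
import struct
from collections import Counter

# Request codes for the monlist query, from ntp_request.h in the ntpd reference implementation.
MONLIST_CODES = (20, 42)   # REQ_MON_GETLIST, REQ_MON_GETLIST_1

def parse_mode7(pkt):
    """Decode the 8-byte header of an NTP 'private' (mode 7) packet; None if not mode 7."""
    if len(pkt) < 8:
        return None
    rm_vn_mode, _auth_seq, _impl, req_code, err_nitems, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    if rm_vn_mode & 0x07 != 7:
        return None
    return {
        "response": bool(rm_vn_mode & 0x80),  # R bit: a reply rather than a request
        "more": bool(rm_vn_mode & 0x40),      # M bit: more reply packets follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "req_code": req_code,
        "nitems": err_nitems & 0x0FFF,        # low 12 bits; the high 4 bits are an error code
        "item_size": mbz_size & 0x0FFF,
    }

def is_monlist(pkt):
    hdr = parse_mode7(pkt)
    return hdr is not None and hdr["req_code"] in MONLIST_CODES

def monlist_report(records):
    """records: (src_ip, dst_ip, udp_payload). Returns monlist request counts per
    source and monlist reply bytes per destination: who is probing the server, and
    which (possibly spoofed) address is absorbing the amplified output."""
    requests, reply_bytes = Counter(), Counter()
    for src, dst, payload in records:
        if not is_monlist(payload):
            continue
        if parse_mode7(payload)["response"]:
            reply_bytes[dst] += len(payload)
        else:
            requests[src] += 1
    return dict(requests), dict(reply_bytes)

# Constructed sample traffic at our NTP server 192.0.2.10 (not a real capture): one monlist
# request from 203.0.113.9, one 440-byte reply (6 entries of 72 bytes), one normal mode 3 poll.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 42]) + struct.pack("!HH", 0, 0) + bytes(40)
MONLIST_REPLY = bytes([0x97, 0x00, 0x03, 42]) + struct.pack("!HH", 6, 72) + bytes(6 * 72)
SAMPLE = [
    ("203.0.113.9", "192.0.2.10", MONLIST_REQUEST),
    ("192.0.2.10", "203.0.113.9", MONLIST_REPLY),
    ("198.51.100.4", "192.0.2.10", bytes([0x23]) + bytes(47)),
]
```

In ntp.conf, `disable monitor` stops the monlist data collection altogether and `restrict default noquery` refuses mode 6 and mode 7 queries from hosts not explicitly allowed.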
  29. Unmasking Careto
  30. What is Careto?
      • Spanish for “The Mask”
      • Not a single piece of code, but an advanced threat
      • Engaged in espionage activities since at least 2007, undetected until February 2014
      • Victimized over 1,000 IPs in 31 countries
      • Definite Spanish flavor
  31. Naming the Beast (Source: Kaspersky)
  32. Who is Targeted?
      • Government Agencies
      • Energy Companies
      • Researchers
      • Private Equity Firms
      • Activists
  33. Initial Infection
      • Spear phishing messages direct users to a website
        – linkconf.net
        – redirserver.net
        – swupdt.com
      • Malware hosted in non-indexed folders on those sites
  34. Malware Bears a Digital Signature (Source: Kaspersky)
  35. Variety of Targets
  36. Diverse Objectives
      • Intercept network traffic
      • Perform keylogging
      • Monitor Skype conversations
      • Steal PGP keys
      • Analyze WiFi traffic
      • Perform screen captures
  37. Stolen File Types (Source: Kaspersky)
  38. Hides from Kaspersky AV
      • Exploits a 2008 vulnerability in Kaspersky
      • Attempts to whitelist itself to avoid detection
      • Vulnerability patched long ago; relying upon old copies with expired update subscriptions
  39. Protecting Against APTs
      • Update, update, update
      • Filter at the gateway and defend at the endpoint
      • Maintain a defense-in-depth approach that does not rely upon any single layer of control
      • Monitor rigorously
  40. Questions?
      mchapple@nd.edu
      @mchapple