
The Other Advanced Attacks: DNS/NTP Amplification and Careto


This session gives you a list of things besides spearphishing to worry about. You may think DDoS is old hat, but there is a new spin on how to do it every month, including (to take one example) sending packets with a spoofed source address to an amplification server so that the much larger replies land on the victim. These attacks leverage misconfigured DNS and NTP services to exhaust all bandwidth available to a third-party victim. We have also learned in the past few weeks about a threat, Careto, that has been waging cyber-espionage against targets across the Internet for at least seven years. In this webcast, we explore those threats and ways that you can better defend your organization.

Published in: Technology


  1. The Other Advanced Attacks. Mike Chapple, CISSP, Ph.D., Senior Director, IT Service Delivery, University of Notre Dame. © TechTarget. @mchapple, mchapple@nd.edu
  2. Agenda • The Threat is Changing • DNS Threats • NTP DDoS Amplification • Unmasking Careto
  3. The Threat is Changing
  4. Script Kiddies Are So Nineties
  5. The New Threats • Governments • Terrorist Organizations • Organized Crime
  6. Cyberwarfare Is Real
  7. The Participants Are Well-Funded
  8. And The Targets Are High Stakes. Image: Inside an Iranian Nuclear Facility (Source: Vitaly Shmatikov)
  9. (slide has no text)
  10. “We're glad they are having trouble with their centrifuge machine and (we) are doing everything we can to make sure that we complicate matters for them.” Gary Samore, Special Assistant to the President and White House Coordinator for Arms Control and WMD
  11. Zero Day Vulnerabilities
  12. We Must Remain Vigilant
  13. DNS Threats
  14. Denial of Service Attacks • Send a huge number of requests to a targeted server, seeking to overwhelm it • Difficult to distinguish legitimate requests from attack traffic • Several limitations for the attacker: – Requires massive bandwidth at the attacker's end – Easy for the victim to block based upon the source IP address
  15. Distributed Denial of Service Attacks • Leverage botnets to exhaust all resources on a targeted system • Difficult to distinguish legitimate requests from attack traffic • Traffic arrives from thousands of sources, so blocking by source IP no longer works
  16. Amplified DDoS Attacks • Traditional DDoS is still limited by the aggregate bandwidth of the zombie PCs • Amplification attacks borrow the bandwidth of non-compromised intermediaries (reflectors) • Requires a service whose responses are much larger than the queries it receives
  17. Amplification Factor • The amplification factor is the ratio of response size to query size, i.e. the bytes the victim receives per byte the attacker sends • A 64-byte query that produces a 512-byte response has an amplification factor of 8
  18. Characteristics of an Amplification Attack • Use botnets to generate the queries • Leverage misconfigured services as reflectors • Spoof the source address as the victim's, so every reply goes to the victim • Require a connectionless protocol (UDP), since no handshake verifies the source address
  19. How DNS Should Work • DNS servers should provide name resolution: 1. To the systems on the organization's network (recursive resolution for all names) 2. To the general Internet (authoritative answers only for the public names the organization owns) • Most DNS communication takes place over UDP • Some systems are configured as “open resolvers”, recursing for any client on the Internet at large; those are the reflectors
  20. DNS Amplification Attack (diagram; Source: Microsoft). Amplification factor of 60X
  21. Don't Be a Relay • Ensure that you're not an open resolver • Open Resolver Project: openresolverproject.org • DNS Inspect: dnsinspect.com
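The following is an added example, not part of the webcast. It shows the query an amplification attacker sends (an ANY query with an EDNS0 OPT record advertising a large UDP buffer), parses a DNS reply, computes the amplification factor from slide 17, and ends with a probe you can point at your own name servers to check that they do not recurse for outsiders (the check slide 21 recommends). The reply is constructed for the example; the 60X figure on slide 20 comes from real replies carrying DNSSEC records, which are far larger than this one.

```python
"""DNS amplification: attacker's query, reply parser, amplification factor,
and an open-resolver probe. Added example; the reply below is constructed."""
import socket
import struct


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=255, txid=0x1234, edns_udp_size=4096):
    """Standard recursive query (RD set). The defaults match the attacker's
    choice: QTYPE 255 (ANY) to pull every record, plus an EDNS0 OPT record
    advertising a 4096-byte UDP buffer so the server does not truncate."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS carries the UDP payload size, TTL 0, no RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def skip_name(msg, offset):
    """Return the offset just past a name, handling compression pointers (0xC0xx)."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def parse_response(msg):
    """Walk the header, question and every RR, returning flags and record types."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(msg, offset) + 4          # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        offset = skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen
        records.append(rtype)
    return {"id": txid, "rcode": flags & 0x000F, "ra": bool(flags & 0x0080),
            "records": records, "size": len(msg)}


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker sends (slide 17)."""
    return len(response) / len(query)


def _rr(rtype, rdata, ttl=3600):
    """Resource record whose owner name is a pointer to the question name at offset 12."""
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed reply to the query below: one A record, two 200-character TXT
# records and an OPT record. Header flags 0x8180 = response, RD, RA, NOERROR.
QUERY = build_query("example.com")
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 1)
    + encode_name("example.com") + struct.pack("!HH", 255, 1)
    + _rr(1, bytes([93, 184, 216, 34]))
    + _rr(16, bytes([200]) + b"v=spf1 " + b"a" * 193)
    + _rr(16, bytes([200]) + b"x" * 200)
    + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
)


def probe_open_resolver(server, name="example.com", timeout=2.0):
    """Ask a server to recurse for a name it is not authoritative for.
    An open resolver answers NOERROR with RA set and records in the reply; a
    properly restricted one answers REFUSED or stays silent. Needs the network
    (an A query is used because many servers now refuse ANY by design)."""
    query = build_query(name, qtype=1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    reply = parse_response(data)
    return reply["id"] == 0x1234 and reply["ra"] and reply["rcode"] == 0 and bool(reply["records"])


if __name__ == "__main__":
    import sys
    print("query %d bytes, reply %d bytes, amplification %.1fx"
          % (len(QUERY), len(SAMPLE_RESPONSE), amplification_factor(QUERY, SAMPLE_RESPONSE)))
    for server in sys.argv[1:]:
        print(server, "open resolver" if probe_open_resolver(server) else "not open / no answer")
```

Run it with the addresses of your own name servers as arguments and probe from outside your network; a server that answers the recursive query for a name you do not own is the relay slide 21 warns about. The probe is a practical check, not proof: a server may refuse ANY yet still recurse for other types, which is why the probe asks for an A record.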
  22. Be a Good Internet Citizen
  23. NTP DDoS Amplification
  24. How Dangerous Can a Clock Be?
  25. NTP • Network Time Protocol, used for clock synchronization • Almost three decades of operation • Relies upon UDP (port 123) for sync traffic
  26. MON_GETLIST • A system monitoring command (the ntpdc “monlist” query, an NTP mode 7 request) • Retrieves the list of up to the last 600 systems that interacted with the server • Ideal for an amplification attack when sent with forged source addresses: one small request can return up to 100 reply packets of roughly 440 bytes each
  27. Exploring MON_GETLIST (Source: CloudFlare). Amplification factor up to 206X
  28. Be a Good Citizen • Upgrade NTP servers to ntpd 4.2.7p26 or later, where monlist is disabled by default • Perform egress filtering at the firewall so that packets with spoofed source addresses cannot leave your network (the anti-spoofing goal of BCP 38) • Disable MONLIST and the related mode 7 queries on older versions with “disable monitor” and a default “restrict ... noquery” line in ntp.conf (see CERT VU#348126); noquery blocks ntpq/ntpdc queries without affecting time service
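The following is an added example serving slides 26 and 28; it is not code from the webcast. It builds the 8-byte MON_GETLIST request an attacker spoofs, decodes the mode 7 reply packets ntpd returns, computes the per-packet amplification, and checks an ntp.conf for the mitigations CERT VU#348126 recommends. The packet layout follows the ntpd request protocol (request code 42, implementation 3, 72-byte monitor entries, six entries per packet); the server reply and the two configuration files are constructed for the example.

```python
"""NTP monlist: request, mode 7 reply parser, amplification factor, and an
ntp.conf hardening check. Added example; replies and configs are constructed."""
import socket
import struct

# Mode 7 "private" request: response=0, more=0, version 2, mode 7 -> 0x17;
# auth/sequence 0; implementation 3 (XNTPD); request code 42 (MON_GETLIST_1);
# no error/items/size. These eight bytes are the whole attack packet.
MON_GETLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])

# One monlist entry (struct info_monitor_1): 72 bytes, big-endian, no padding.
MON_ITEM = struct.Struct("!IIII4s4sIHBBII16s16s")
ITEMS_PER_PACKET = 6     # ntpd packs six entries into each 440-byte reply packet


def build_monlist_reply(clients, seq=0, more=False):
    """Constructed server reply carrying up to six (ip, port, count) entries."""
    assert len(clients) <= ITEMS_PER_PACKET
    rm_vn_mode = 0x80 | (0x40 if more else 0) | 0x17          # response bit, more bit
    header = bytes([rm_vn_mode, seq & 0x7F, 0x03, 0x2A]) + struct.pack(
        "!HH", len(clients), MON_ITEM.size)                  # err=0|nitems, mbz=0|size
    body = b"".join(
        MON_ITEM.pack(60, 5, 0, count, socket.inet_aton(ip), b"\x00" * 4,
                      0, port, 3, 4, 0, 0, b"\x00" * 16, b"\x00" * 16)
        for ip, port, count in clients)
    return header + body


def parse_monlist_reply(pkt):
    """Decode one mode 7 reply; raises ValueError if it is not a MON_GETLIST reply."""
    rm_vn_mode, auth_seq, impl, req = pkt[0], pkt[1], pkt[2], pkt[3]
    err_nitems, mbz_size = struct.unpack("!HH", pkt[4:8])
    if not rm_vn_mode & 0x80 or rm_vn_mode & 0x07 != 7 or req != 0x2A:
        raise ValueError("not a MON_GETLIST response")
    err, nitems = err_nitems >> 12, err_nitems & 0x0FFF
    size = mbz_size & 0x0FFF
    if err:                                  # patched servers answer with an error code
        return {"error": err, "more": False, "clients": []}
    if size != MON_ITEM.size or len(pkt) < 8 + nitems * size:
        raise ValueError("unexpected item size or truncated packet")
    clients = []
    for i in range(nitems):
        f = MON_ITEM.unpack_from(pkt, 8 + i * size)
        clients.append({"addr": socket.inet_ntoa(f[4]), "port": f[7],
                        "count": f[3], "mode": f[8], "version": f[9]})
    return {"error": 0, "more": bool(rm_vn_mode & 0x40),
            "seq": auth_seq & 0x7F, "impl": impl, "clients": clients}


def amplification_factor(request, replies):
    """Bytes sent to the victim per byte the attacker spoofs."""
    return sum(len(r) for r in replies) / len(request)


# Constructed: a server that has seen 12 recent clients answers two full
# packets, the first flagged "more". A busy server holds up to 600 entries,
# so one 8-byte request can draw up to 100 such packets.
SAMPLE_CLIENTS = [("192.0.2.%d" % i, 123, 10 * i) for i in range(1, 13)]
SAMPLE_REPLIES = [build_monlist_reply(SAMPLE_CLIENTS[:6], seq=0, more=True),
                  build_monlist_reply(SAMPLE_CLIENTS[6:], seq=1, more=False)]

WEAK_NTP_CONF = """\
# constructed example: a typical pre-advisory default, monlist answered for anyone
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
server 1.pool.ntp.org
restrict 127.0.0.1
"""

HARDENED_NTP_CONF = """\
# constructed example: same server with the CERT VU#348126 mitigations applied
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
server 1.pool.ntp.org
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def ntp_conf_is_hardened(conf):
    """Either 'disable monitor' or a default restrict line with 'noquery' stops monlist."""
    monitor_disabled = default_noquery = False
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "disable" and "monitor" in words[1:]:
            monitor_disabled = True
        if words[0] == "restrict":
            args = words[2:] if words[1] in ("-4", "-6") else words[1:]
            if args and args[0] == "default" and "noquery" in args[1:]:
                default_noquery = True
    return {"monitor_disabled": monitor_disabled, "default_noquery": default_noquery,
            "hardened": monitor_disabled or default_noquery}
```

Two packets already give 110X for the 8-byte request; the 206X on slide 27 reflects a server with hundreds of entries. The config check looks only at the two settings the advisory names; a later, more permissive restrict line for a specific network would still expose monlist to that network, so apply both settings rather than one.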
  29. Unmasking Careto
  30. What is Careto? • Spanish slang for “mask” (Kaspersky calls it “The Mask”) • Not a single piece of code, but an advanced, multi-platform toolset • Engaged in espionage since at least 2007, undetected until February 2014 • Victimized over 1,000 IP addresses in 31 countries • Definite Spanish flavor (Spanish-language artefacts in the code)
  31. Naming the Beast (Source: Kaspersky)
  32. Who is Targeted? • Government Agencies • Energy Companies • Researchers • Private Equity Firms • Activists
  33. Initial Infection • Spear phishing messages direct users to a website: linkconf.net, redirserver.net, swupdt.com • Malware hosted in non-indexed subfolders on those sites, reached only through the links in the lure
  34. Malware Bears a Digital Signature (Source: Kaspersky)
  35. Variety of Targets
  36. Diverse Objectives • Intercept network traffic • Perform keylogging • Monitor Skype conversations • Steal PGP keys • Analyze WiFi traffic • Perform screen captures
  37. Stolen File Types (Source: Kaspersky)
  38. Hides from Kaspersky AV • Exploits a Kaspersky product vulnerability that was fixed in 2008 • Attempts to whitelist itself to avoid detection • The vulnerability was patched long ago; the attackers rely on old installations with expired update subscriptions
  39. Protecting Against APTs • Update, update, update (the OS, the applications, and the security products themselves) • Filter at the gateway and defend at the endpoint • Maintain a defense-in-depth approach that does not rely upon any single layer of control • Monitor rigorously
  40. Questions? mchapple@nd.edu @mchapple
