The document discusses things the author wishes they had known about IPv6 before starting to implement it for their small provider network. It covers IPv6 justification in terms of IPv4 address scarcity and rising costs, advice on IPv6 addressing plans and transition technologies, and gotchas like IPv6 neighbor discovery exhaustion issues. The author advocates for embracing IPv6 to avoid expensive IPv4 solutions and make the most of the large IPv6 allocations provided.
Slides I presented at PyCon 2019 (Surabaya, 23/11/2019)
Red teaming is a simulation of real-world hacking against an organization. It has little to no limit on time, location or attack method; only results matter. This talk gives insight into how a “hacker” works and how Python can be used for a sophisticated series of attacks.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
Carlos García - Pentesting Active Directory Forests [rooted2019] (RootedCON)
The document discusses penetration testing of Active Directory forests and trusts. It begins with an introduction to forests, domains, and trust types. It then covers authentication protocols like NTLM and Kerberos across trusts. Next, it discusses techniques for enumerating trusts and mapping the trust relationships. The document outlines common attacks when domain admin privileges are available, such as using Golden Tickets and SID history exploitation. For situations without domain admin, it recommends reconnaissance of trusts and objects to map a path to privileged accounts.
IPv6 Security with Mikrotik RouterOS by Wardner Maia
This document provides an overview and introduction to IPv6 security presented by Wardner Maia. Some key points:
- Wardner Maia is a Brazilian engineer and IPv6 security expert who will discuss new threats introduced by IPv6 features and protocols.
- IPv6 adoption is important due to the depletion of IPv4 addresses but it introduces new security challenges due to its new features and protocols.
- The presentation will cover reconnaissance techniques that remain practical despite IPv6's large address space, vulnerabilities in address autoconfiguration and neighbor discovery, and countermeasures using Mikrotik RouterOS firewall rules.
- Live demonstrations will show how threats like man-in-the-middle attacks can be carried out using IPv6 neighbor
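As an added example (not code from Maia's slides, and not RouterOS configuration), the Python below applies the Neighbor Discovery validity checks of RFC 4861 that a host or router firewall should enforce (hop limit 255, ICMP code 0, link-local Router Advertisement source, a sane Neighbor Solicitation target) and counts the distinct solicited targets per /64 to spot the Neighbor Solicitation burst that a neighbor cache exhaustion attack produces. The packets are constructed inside the block; the ICMPv6 checksum is assumed to have been verified by the capture layer and is left at zero.

```python
import struct
import ipaddress
from collections import defaultdict

# Added example (not code from the presentation): a minimal ICMPv6 Neighbor
# Discovery validator applying the RFC 4861 receive checks a router or host
# must perform, plus a counter for the burst of Neighbor Solicitations that a
# neighbor cache exhaustion attack on a /64 produces. Packets are built here
# from scratch; the ICMPv6 checksum is left at zero on the assumption that
# the capture layer already verified it.

ICMPV6 = 58
RS, RA, NS, NA = 133, 134, 135, 136
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def build_packet(src, dst, hop_limit, icmp_type, body):
    """Raw IPv6 header (40 bytes) followed by an ICMPv6 message with code 0."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + body
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp


def build_ns(src, target, hop_limit=255):
    tgt = ipaddress.IPv6Address(target)
    # A Neighbor Solicitation goes to the target's solicited-node multicast address
    dst = ipaddress.IPv6Address(int(SOLICITED_NODE.network_address) | (int(tgt) & 0xFFFFFF))
    return build_packet(src, str(dst), hop_limit, NS, b"\x00" * 4 + tgt.packed)


def build_ra(src, hop_limit=255):
    # cur hop limit, flags, router lifetime, reachable time, retrans timer; no options
    body = struct.pack("!BBHII", 64, 0, 1800, 0, 0)
    return build_packet(src, "ff02::1", hop_limit, RA, body)


def validate_nd(pkt):
    """Return (accepted, reason) for one IPv6 packet, per RFC 4861 sections 6.1 and 7.1."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6:
        return False, "not IPv6"
    next_header, hop_limit = pkt[6], pkt[7]
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    if next_header != ICMPV6:
        return False, "not ICMPv6"  # extension headers before an ND message are not allowed
    icmp_type, code = pkt[40], pkt[41]
    if icmp_type not in (RS, RA, NS, NA):
        return False, "not an ND message"
    if hop_limit != 255:
        # Anything forwarded by a router arrives with a lower hop limit: off-link or spoofed
        return False, "hop limit %d != 255" % hop_limit
    if code != 0:
        return False, "ICMP code must be 0"
    if icmp_type == RA:
        if not src.is_link_local:
            return False, "RA source is not link-local"
        if len(pkt) - 40 < 16:
            return False, "RA too short"
    if icmp_type == NS:
        if len(pkt) - 40 < 24:
            return False, "NS too short"
        target = ipaddress.IPv6Address(pkt[48:64])
        if target.is_multicast:
            return False, "NS target is multicast"
        if src == ipaddress.IPv6Address("::") and dst not in SOLICITED_NODE:
            return False, "DAD NS must be sent to solicited-node multicast"
    return True, "ok"


def nd_exhaustion_suspects(packets, threshold):
    """/64 prefixes in which at least `threshold` distinct NS targets were solicited.

    A remote attacker sweeping unused addresses in an on-link /64 makes the router
    emit one NS per address and park an INCOMPLETE cache entry for each; many
    distinct targets in one prefix is the signature of that exhaustion."""
    targets = defaultdict(set)
    for pkt in packets:
        accepted, _ = validate_nd(pkt)
        if accepted and pkt[40] == NS:
            target = ipaddress.IPv6Address(pkt[48:64])
            prefix = ipaddress.IPv6Network((int(target) >> 64 << 64, 64))
            targets[prefix].add(target)
    return {str(p): len(t) for p, t in targets.items() if len(t) >= threshold}
```

The hop-limit and link-local checks are exactly the conditions a RouterOS input-chain filter can match on; the per-prefix target count is the signal on which you would cap the neighbor table or rate-limit solicitations for unknown addresses.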
The document summarizes a presentation on optimizing Linux, Windows, and Firebird for heavy workloads. It describes two customer implementations using Firebird - a medical company with 17 departments and over 700 daily users, and a repair services company with over 500 daily users. It discusses tuning the operating system, hardware, CPU, RAM, I/O, network, and Firebird configuration to improve performance under heavy loads. Specific recommendations are provided for Linux and Windows configuration.
Building Active Directory Monitoring with Telegraf, InfluxDB, and Grafana (Boni Yeamin)
Building Active Directory Monitoring with Telegraf, InfluxDB, and Grafana: A Brief Overview
Active Directory (AD) Monitoring is essential for maintaining network security, performance, and compliance. One powerful approach to achieve this is by utilizing the combination of Telegraf, InfluxDB, and Grafana.
Telegraf: Data Collection
Telegraf acts as a versatile data collector, capable of retrieving various metrics from your AD environment. It offers a range of plugins to monitor AD-related parameters, including event logs, replication status, user activity, and more. Telegraf gathers these metrics and prepares them for further processing.
InfluxDB: Data Storage
InfluxDB serves as a robust time-series database, designed to handle high-frequency data updates. It's an ideal choice for storing the metrics collected by Telegraf. The schemaless architecture accommodates evolving data requirements. Metrics are stored with timestamps, making historical analysis and trend identification seamless.
Grafana: Data Visualization
Grafana excels in turning data into meaningful insights. It connects to InfluxDB and transforms raw metrics into interactive, visually appealing dashboards. You can design custom visualizations, such as line charts for monitoring replication status, gauges for real-time user login activity, and tables for critical event logs. Alerts can also be set up to notify administrators of anomalies.
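An added example (not from Boni Yeamin's presentation, and not Telegraf's own code) showing two concrete steps of the pipeline: serialising a Windows Security event as InfluxDB line protocol, as a Telegraf input plugin would emit it, and the sliding-window count of failed logons (Event ID 4625) that a Grafana alert rule would evaluate against InfluxDB. The measurement name win_eventlog and the tag and field names are assumptions loosely modelled on Telegraf's Windows event log plugin; the event records are constructed.

```python
import re
from collections import defaultdict

# Added example, not code from the presentation. Two concrete pieces of the
# Telegraf -> InfluxDB -> Grafana pipeline for AD: encoding Windows Security
# events as InfluxDB line protocol (what a Telegraf input plugin emits), and
# the computation a Grafana alert on failed logons would run over those points.
# Measurement and tag names loosely mirror Telegraf's win_eventlog plugin
# (an assumption); the event records are constructed for the example.


def _escape_tag(value):
    # Line protocol: commas, equals signs and spaces in keys and tag values are backslash-escaped
    return re.sub(r"([,= ])", r"\\\1", str(value))


def _escape_field(value):
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return "%di" % value  # integer fields carry an "i" suffix
    if isinstance(value, float):
        return repr(value)
    return '"%s"' % str(value).replace("\\", "\\\\").replace('"', '\\"')


def to_line_protocol(measurement, tags, fields, timestamp_ns):
    """Render one point; tags and fields are sorted so identical points give identical lines."""
    tag_part = "".join(",%s=%s" % (_escape_tag(k), _escape_tag(v)) for k, v in sorted(tags.items()))
    field_part = ",".join("%s=%s" % (_escape_tag(k), _escape_field(v)) for k, v in sorted(fields.items()))
    return "%s%s %s %d" % (_escape_tag(measurement), tag_part, field_part, timestamp_ns)


def security_event_to_line(event, host):
    """Map a Security log record to a point: low-cardinality values become tags, the rest fields."""
    tags = {"host": host, "EventID": event["EventID"], "Source": "Microsoft-Windows-Security-Auditing"}
    fields = {
        "TargetUserName": event["TargetUserName"],
        "IpAddress": event.get("IpAddress", "-"),
        "LogonType": event.get("LogonType", 0),
    }
    return to_line_protocol("win_eventlog", tags, fields, event["ts_ns"])


def failed_logon_alert(events, window_s, threshold):
    """Accounts whose 4625 (failed logon) count within any window_s-second window reaches threshold.

    This is the sliding-window count a Grafana alert rule would evaluate against InfluxDB."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_user[e["TargetUserName"]].append(e["ts_ns"] // 1_000_000_000)
    alerts = {}
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[user] = peak
    return alerts


# Constructed sample: one successful network logon, a burst of failures against a
# service account every 2 seconds, and a single stray failure for another user.
BASE_NS = 1_700_000_000_000_000_000
SAMPLE_EVENTS = (
    [{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 3, "ts_ns": BASE_NS}]
    + [{"EventID": 4625, "TargetUserName": "svc-backup", "IpAddress": "10.0.0.99", "LogonType": 3,
        "ts_ns": BASE_NS + i * 2_000_000_000} for i in range(8)]
    + [{"EventID": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.7", "LogonType": 2,
        "ts_ns": BASE_NS + 60_000_000_000}]
)
```

Keeping the account name in a field rather than a tag is deliberate: every distinct tag value creates a new series in InfluxDB, and per-user tags on a busy domain controller blow up series cardinality.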
This complete deck covers various topics and highlights important concepts. It has PPT slides which cater to your business needs. This complete deck presentation emphasizes Vulnerability Management Whitepaper PowerPoint Presentation Slides and has templates with professional background images and relevant content. This deck consists of forty-six slides in total. Our designers have created customizable templates, keeping your convenience in mind. You can edit the colour, text and font size with ease. Not just this, you can also add or delete the content if needed. Get access to this fully editable complete presentation by clicking the download button below. https://bit.ly/3d4HfFm
This document discusses managing transactions across multiple transactional resources like databases and message queues using Apache Camel. It presents different approaches for handling transactions, including using multiple transaction managers, a single transaction manager with policies, and an XA-capable transaction manager with Atomikos wrappers. An error handler route is also demonstrated to handle exceptions.
This document discusses Corosync and Pacemaker, which are open source cluster management and resource management tools. Corosync provides messaging, membership, and quorum services, while Pacemaker acts as a cluster resource manager that can monitor resources and move them between nodes as needed. Resources can be configured as clones, which have multiple instances across nodes, or as master-slave, where one node is active and others are backups. Pacemaker uses resource agents to monitor specific services and resources. The document provides examples of configuring and clustering an Apache web server and IP address.
Hunting for APT in network logs workshop presentation (OlehLevytskyi1)
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources for hunting adversaries, but building good analytics capabilities requires a deep understanding of both benign activity and attacker behaviour. This training focuses on detecting real-case attacks, tools and scenarios from the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial compromise
- Empire PowerShell and Cobalt Strike, or what to expect after initial loader execution
- Empire PowerShell initial connection
- Beaconing (RITA)
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PsExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
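An added example, not part of the workshop material: a RITA-style beaconing check over Zeek conn.log in Python. The conn.log lines are constructed in Zeek's TSV layout with a reduced field list, and the thresholds (at least 10 connections per pair, coefficient of variation of the gaps at most 0.2) are assumptions to tune against your own baseline.

```python
import statistics
from collections import defaultdict

# Added example, not material from the workshop. A RITA-style beaconing check over
# Zeek conn.log: group connections by (originator, responder, port), take the gaps
# between successive connections, and flag pairs that are both frequent and
# unusually regular (low coefficient of variation of the gaps). The conn.log
# below is constructed in Zeek's TSV layout with a reduced field list.

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
          "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]


def parse_conn_log(text):
    """Parse Zeek TSV lines into dicts, skipping the #separator/#fields/#types header lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rows.append(dict(zip(FIELDS, line.split("\t"))))
    return rows


def beacon_scores(rows, min_connections=10):
    """{(orig, resp, port): (connections, median_gap_s, cv)} for pairs seen often enough."""
    times = defaultdict(list)
    for r in rows:
        times[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    scores = {}
    for key, ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0  # jitter relative to the sleep
        scores[key] = (len(ts), statistics.median(gaps), round(cv, 3))
    return scores


def likely_beacons(rows, max_cv=0.2, min_connections=10):
    """Pairs whose gaps vary by at most max_cv of the mean: human traffic rarely does."""
    return {k: v for k, v in beacon_scores(rows, min_connections).items() if v[2] <= max_cv}


def _row(ts, uid, orig, resp, port, service):
    return "\t".join(["%.6f" % ts, uid, orig, "50000", resp, str(port), "tcp", service,
                      "0.5", "300", "200", "SF"])


def constructed_conn_log():
    """12 implant check-ins (60 s sleep, a few percent jitter) and 12 browsing connections with human gaps."""
    lines = ["#separator \\x09", "#fields\t" + "\t".join(FIELDS)]
    t = 1_700_000_000.0
    lines.append(_row(t, "C0", "10.0.0.23", "203.0.113.10", 443, "ssl"))
    for i, gap in enumerate([60, 61, 59, 62, 60, 58, 60, 61, 59, 60, 62]):
        t += gap
        lines.append(_row(t, "C%d" % (i + 1), "10.0.0.23", "203.0.113.10", 443, "ssl"))
    t = 1_700_000_000.0
    lines.append(_row(t, "H0", "10.0.0.23", "198.51.100.5", 80, "http"))
    for i, gap in enumerate([5, 120, 33, 410, 8, 250, 60, 590, 15, 300, 45]):
        t += gap
        lines.append(_row(t, "H%d" % (i + 1), "10.0.0.23", "198.51.100.5", 80, "http"))
    return "\n".join(lines)
```

Real implants add jitter on purpose, so the coefficient of variation alone is not decisive; RITA also scores the size of each connection, which for a sleeping beacon is nearly constant, and that is the next column to add to the score tuple.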
A shell is a user interface for accessing an operating system's services, through either a command-line interface or a graphical user interface. A bind shell opens a listening port on the target machine and waits for an incoming connection from the attacker. A reverse shell is when the target machine connects back to the attacking machine. Netcat and PowerShell can be used to create bind and reverse shells for command execution on remote systems. Examples show how netcat can be used to establish each type of shell connection between an attacker and a victim machine.
This document provides a summary of the Aruba Instant 6.4.0.2-4.1 User Guide, including:
- An overview of Aruba Instant and supported devices.
- Details on new features in version 6.4.0.2-4.1 such as wireless network profiles and captive portal configurations.
- Instructions for initial configuration tasks like modifying the IAP name and location details.
- Sections on monitoring the network, configuring wireless and wired profiles, and authentication methods.
The user guide contains information to help users set up, configure, and manage an Instant network and IAP devices.
The document provides an overview of a course on secure programming. It discusses topics like resource management, denial of service attacks, and resource exhaustion vulnerabilities. Specific issues covered include CPU exhaustion, generous protocols, memory management problems, and human resource exhaustion attacks.
IBM DataPower Gateway V7.1 is a consolidated, modular gateway platform that provides security, integration, control and optimization for mobile, API, web, SOA, and cloud workloads. It combines the functionality of previous IBM gateway products onto a single hardware and software platform. The new release features an improved hardware platform for increased performance, deployment flexibility through physical and virtual options, and additional modules for capabilities like B2B integration and access control through IBM Security Access Manager.
The document discusses advanced cryptographic techniques for securing cloud computing. It introduces fully homomorphic encryption and functional encryption. Fully homomorphic encryption allows computations to be performed on encrypted data and obtain encrypted results, providing privacy for cloud data and computations. Functional encryption allows decryption of ciphertexts using secret keys to reveal specific functions of the plaintext without other information. The document proposes constructing an efficient fully homomorphic encryption scheme based on learning with errors to enable encrypted computations in cloud computing.
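An added toy example, not the scheme proposed in the document: a symmetric LWE encryption of single bits in Python that exhibits the additive homomorphism lattice-based FHE constructions build on. Adding two ciphertexts gives an encryption of the XOR of the two bits, and the error term grows with every addition, which is why real schemes need bootstrapping (absent here) to stay decryptable and a multiplication to become fully homomorphic. The parameters are assumptions chosen for readability, not security.

```python
import random

# Added example, not the paper's construction. A toy symmetric LWE encryption of
# single bits carrying the additive homomorphism lattice-based FHE builds on:
# adding ciphertexts yields an encryption of the XOR of the bits while the error
# term grows with every operation. Real schemes add a multiplication and a
# bootstrapping step (absent here) to become fully homomorphic; the parameters
# below are chosen for readability, not security.

N = 32          # dimension of the secret and of each ciphertext vector a
Q = 2 ** 16     # modulus
ERR = 8         # |e| <= ERR per fresh ciphertext; decryption works while total noise < Q/4


def keygen(rnd):
    return [rnd.randrange(Q) for _ in range(N)]


def _inner(a, s):
    return sum(ai * si for ai, si in zip(a, s))


def encrypt(s, bit, rnd):
    """(a, b) with b = <a, s> + e + bit * Q/2 (mod Q); the message rides on the top bit."""
    a = [rnd.randrange(Q) for _ in range(N)]
    e = rnd.randint(-ERR, ERR)
    b = (_inner(a, s) + e + bit * (Q // 2)) % Q
    return a, b


def decrypt(s, ct):
    a, b = ct
    v = (b - _inner(a, s)) % Q       # v = e (bit 0) or Q/2 + e (bit 1), modulo Q
    return 1 if Q // 4 <= v < 3 * Q // 4 else 0


def add(ct1, ct2):
    """Homomorphic addition: decrypts to bit1 XOR bit2, with error e1 + e2."""
    (a1, b1), (a2, b2) = ct1, ct2
    return [(x + y) % Q for x, y in zip(a1, a2)], (b1 + b2) % Q


def noise(s, ct):
    """Centered error left after stripping the message; used to watch noise growth."""
    a, b = ct
    v = (b - _inner(a, s)) % Q
    if Q // 4 <= v < 3 * Q // 4:     # message bit was 1: remove Q/2
        v -= Q // 2
    return v - Q if v >= 3 * Q // 4 else v


def homomorphic_xor(bits, seed=1):
    """Encrypt each bit, add all ciphertexts, decrypt once. Returns (decrypted, expected, |noise|)."""
    rnd = random.Random(seed)
    s = keygen(rnd)
    acc = None
    for bit in bits:
        ct = encrypt(s, bit, rnd)
        acc = ct if acc is None else add(acc, ct)
    expected = 0
    for bit in bits:
        expected ^= bit
    return decrypt(s, acc), expected, abs(noise(s, acc))
```

The noise bound is the whole story: with ERR = 8 and Q/4 = 16384 this toy survives about two thousand additions in the worst case, and a single naive multiplication would square the error rather than add it, which is the problem bootstrapping and the paper's efficiency work address.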
Seven years ago at LCA, Van Jacobson introduced the concept of net channels, but since then user mode networking has not hit the mainstream. There are several different user mode networking environments: Intel DPDK, BSD netmap, and Solarflare OpenOnload. Each of these provides higher performance than standard Linux kernel networking, but also creates new problems. This talk will explore the issues created by user space networking, including performance, internal architecture, security and licensing.
VMware Cloud on AWS provides a VMware software-defined data center delivered as a service on AWS infrastructure. It allows customers to run applications using VMware technologies like vSphere, vSAN and NSX in AWS without having to manage underlying hardware. Key features include dynamic capacity, software-defined data center capabilities, and integration with AWS services. The document discusses the architecture, account structure, connectivity options, use cases and resources for VMware Cloud on AWS.
Perf is a Linux profiler tool that uses performance monitoring hardware to count various events like CPU cycles, instructions, and cache misses. It can count events for a single thread, entire process, specific CPUs, or system-wide. Perf stat is used to count events during process execution, while perf record collects profiling data in a file for later analysis with perf report.
The document discusses how replacing certain Windows accessibility tool binaries, like sethc.exe, with cmd.exe allows gaining command prompt access on Windows systems. The authors developed a tool called Sticky Key Slayer that scans networks for systems vulnerable to this issue by automating the process of connecting via RDP, triggering the accessibility tools, and checking for command prompts. When tested on a large network, over 500 vulnerable systems were found. The document recommends remediation steps and warns that this technique is a sign of potential compromise.
C2 Matrix: A Comparison of Command and Control Frameworks (Jorge Orchilles)
Command and Control is one of the most important tactics in the MITRE ATT&CK matrix as it allows the attacker to interact with the target system and realize their objectives.
Organizations leverage Cyber Threat Intelligence to understand their threat model and adversaries that have the intent, opportunity, and capability to attack. Red Team, Blue Team, and virtual Purple Teams work together to understand the adversary Tactics, Techniques, and Procedures to perform adversary emulations and improve detective and preventive controls.
The C2 Matrix was created to aggregate all the Command and Control frameworks publicly available (open-source and commercial) in a single resource to assist teams in testing their own controls through adversary emulations (Red Team or Purple Team exercises). Phase 1 lists all the Command and Control features such as the coding language used, channels (HTTP, TCP, DNS, SMB, etc.), agents, key exchange, and other operational security features and capabilities. This allows more efficient decision making when called upon to emulate an adversary's TTPs.
It is the golden age of Command and Control (C2) frameworks. Learn how these C2 frameworks work and start testing against your organization to improve detective and preventive controls.
The C2 Matrix currently has 35 command and control frameworks documented in a Google Sheet, web site, and questionnaire format.
Google Sheet (Golden Source):
https://docs.google.com/spreadsheets/d/1b4mUxa6cDQuTV2BPC6aA-GR4zGZi0ooPYtBe4IgPsSc/edit#gid=0
Website:
https://www.thec2matrix.com/matrix
https://ask.thec2matrix.com/
Follow on Twitter for updates:
https://twitter.com/c2_matrix
Cyber attacks are a real and growing threat to businesses, and an increasing number of attacks take place at the application layer. The best defence against them is to develop applications where security is incorporated as part of the software development lifecycle.
The OWASP Top 10 Proactive Controls project is designed to integrate security in the software development lifecycle. In this special presentation for PHPNW, based on v2.0 released this year, you will learn how to incorporate security into your software projects.
Recommended to all developers who want to learn the security techniques that can help them build more secure applications.
Promgen is a Prometheus management tool that allows web-based management of server configurations and alerting rules. It addresses the need for an easier way to manage Prometheus server configurations than manually editing YAML files. Promgen stores configuration data in a MySQL database and generates YAML files from the stored configurations. It aims to provide a simple interface for configuring Prometheus exporters, ports, alerts and other settings across multiple servers and projects.
This document provides an overview of fuzz testing and fuzzing tools. It discusses what fuzzing is, the history and evolution of fuzzing, popular fuzzing tools like Peach Fuzz and Sulley, and fuzzing methods like generation-based, mutation-based, and byte flipping fuzzing. The document also covers the phases of fuzzing like identifying targets and inputs, generating fuzzed data, executing it, and monitoring for exceptions. Key fuzzing frameworks and tools from organizations like CERT and their capabilities are described as well.
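An added Python example, not from the document: a mutation-based fuzzer that walks the phases the overview lists (a target and a seed input, fuzzed-data generation by byte flipping, execution, and monitoring for exceptions). The target is a deliberately fragile parser for a made-up length-prefixed record format, written here so the fuzzer has something to find; the crash it triggers is part of this example and not a real vulnerability.

```python
import random

# Added example, not from the document: a small mutation-based fuzzer that walks
# the phases the overview lists (target + seed input, fuzzed-data generation by
# byte flipping, execution, exception monitoring). The target is a deliberately
# fragile parser for a made-up length-prefixed record format so the fuzzer has
# something to find; the crash it triggers is ours, not a real CVE.


def parse_records(data):
    """Parse: count (1 byte), then count records of [length (1 byte) + payload].

    Deliberately fragile: it trusts count and length without checking them
    against the buffer, so a bad length raises ValueError and a bad count
    walks off the end and raises IndexError."""
    count = data[0]
    pos, out = 1, []
    for _ in range(count):
        length = data[pos]
        payload = data[pos + 1: pos + 1 + length]
        if len(payload) != length:
            raise ValueError("truncated record at offset %d" % pos)
        out.append(payload)
        pos += 1 + length
    return out


def mutate(seed, rnd, max_flips=4):
    """Byte-flipping mutator: flip a few random bits, sometimes set a byte to a boundary value."""
    buf = bytearray(seed)
    for _ in range(rnd.randint(1, max_flips)):
        i = rnd.randrange(len(buf))
        if rnd.random() < 0.3:
            buf[i] = rnd.choice([0x00, 0x7F, 0x80, 0xFF])  # interesting boundary values
        else:
            buf[i] ^= 1 << rnd.randrange(8)
    return bytes(buf)


def fuzz(target, seed, iterations, rnd_seed=0):
    """Run the target on mutated inputs; return unique crashes keyed by exception class and message,
    each mapped to the first input that reproduced it."""
    rnd = random.Random(rnd_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rnd)
        try:
            target(case)
        except Exception as exc:  # monitoring phase: any exception is a finding
            key = (type(exc).__name__, str(exc))
            crashes.setdefault(key, case)
    return crashes


# Constructed valid seed: two records, "abc" and "xy"
SEED = bytes([2, 3]) + b"abc" + bytes([2]) + b"xy"
```

Keeping the first reproducing input per crash key is what turns a fuzzing run into a triage list; with a native target the monitoring step is a debugger or sanitizer watching for signals rather than a Python except clause, but the loop is the same.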
This document is a collage, cut and pasted from the original SCSM document published by Microsoft. I only took what was needed for the document to be complete. As I was developing a System Center Service Manager sizing on hardware and software, the actual BOM is listed at the bottom of the document with design guidelines.
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the Unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the Unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.
From KubeCon to ContainerDays, eBPF is trendy in the Cloud Native world. What is eBPF, why is it revolutionary, and what can it bring to you specifically?
Through concrete examples applied to observability, networking, and security, this talk will explain the principles of eBPF and its concrete advantages to connect and secure Cloud Native applications.
This talk will explain what eBPF is and why it is revolutionary in several fields, give examples of tools using eBPF and what they gain from it, and open up to the future of that technology.
The document outlines an agenda for a 3HOWs event discussing IPv6 and MPLS technology. The morning sessions will cover how to deal with IPv6, including why it is important now due to limited IPv4 addresses, IPv6 addressing details, and how to connect to IPv6. The afternoon will discuss how to connect with MPLS technology, the benefits it provides for interconnecting offices, and actual customer case studies. Questions from attendees will conclude the event.
The document outlines an agenda for a 3HOWs event discussing IPv6 and MPLS technology. The morning sessions will cover how to deal with IPv6, including why it is important now due to limited IPv4 addresses, IPv6 addressing details, and how to connect to IPv6. The afternoon will discuss how to connect with MPLS technology, the benefits it provides for interconnecting offices, and actual customer case studies. Questions from attendees will conclude the event.
Hypes? Fanfares? Fads? Wading through the muddy IPv6 puddleAPNIC
Hypes? Fanfares? Fads? Wading through the muddy IPv6 puddle, by Sunny Yeung.
A presentation given at the APNIC 40 "Hypes? Fanfares? Fads? Wading through the muddy IPv6 puddle" session on Wed, 9 Sep 2015.
IPv6 adoption is accelerating due to growing challenges with IPv4 addresses and the increasing number of internet devices. Carrier grade NAT (CGN) solutions are being used to share public IPv4 addresses but negatively impact user experience. IPv6 deployment avoids these issues by providing each user with a unique IP address and allows the "full spectrum" internet. Global IPv6 deployment is now doubling every 9 months with some networks seeing 10-15% of users on IPv6. Full deployment is forecast within the next 5 years and will be required to support continued internet growth.
The document discusses Marco d'Itri's thoughts on the transition to IPv6. It describes the transition as ongoing, with no flag days, as IPv6 adoption grows. It notes that while IPv4 NAT is easy for access networks, it is difficult for servers. Many large content providers already use IPv6. The transition involves steps before IPv4 addresses ran out, the current transition period, and after the transition when IPv4 will be optional. IPv6 adoption is growing in several countries like Belgium and the US. Eventually IPv4-only islands will need to make themselves accessible over IPv6. The document provides advice on starting an IPv6 transition and offers a simple IPv6 addressing plan.
The document discusses challenges and realities of IPv6 deployment based on presentations from a security conference. Key points include:
- IPv6 deployments are growing but not yet widespread, with challenges around remote discovery, dual-stack systems, and outdated tools/firewalls.
- IPv6 support is required by PCI standards but reduces implementation risks if using new IPv6-prepared infrastructure.
- Cloud providers are starting to support IPv6 but full native support will take time and resources to implement across all network devices.
- When assessing IPv6 environments, tools need to discover addresses via various methods and monitor related IPv4 and IPv6 addresses/names.
- Organizations should evaluate their IPv6 capabilities and prepare a security
IPv6 is the most recent version of the Internet Protocol (IP), and was developed by IETF to overcome the inevitable exhaustion of IPv4 addresses. In order to simplify the transition towards IPv6, the protocol iterated very little on how IPv4 operates other than offering more address space. This inadvertently produced the exact opposite of the intended effect: with no compelling new features for anyone outside of network engineering, IPv6 deployment has been hampered for decades, as developers find increasingly creative ways of efficiently using IPv4 address space rather than bearing the cost of transition.
In this talk, Fastly Network Engineer João Taveira discusses these protocol design failures and instead explain how Fastly re-architected its infrastructure around IPv6. By addressing IPv6 in a clean-slate manner, Fastly avoided perpetuating many of the mistakes of IPv4, and the resulting network architecture has the potential to significantly affect the performance, resilience, and economics of content delivery.
The document discusses the 6NET project, which built and operated an IPv6 network across Europe to test IPv6 applications. It provides an overview of the 6NET network topology and details several applications that were tested over the network, including video conferencing using GnomeMeeting and OpenMCU, SIP voice calls using SIP Express Router, and IPv6 streaming demonstrations. The goal of the project was to gain experience with IPv6 and help drive further deployment through testing interoperability and applications.
This document summarizes Academia Sinica Computing Centre's experience transitioning their network to support IPv6. It discusses upgrading their backbone routers to support IPv6, developing an IPv6 addressing plan and allocating address space. It also covers transitioning customer networks, managing and monitoring IPv6 traffic and services, and security considerations. It provides an overview of Academia Sinica's IPv6 network status, including their participation in the 6bone test network and running a multicast testbed.
While IPv6 has been a defined standard since 1998, the end-user adoption of this standard is minimal. Less than 1% of Internet peers utilize IPv6 in the course of normal operation. However, IPv6 support within operating systems and network routers is becoming commonplace. While IT personnel continue to be focused on IPv4, IPv6 capabilities may already be active by default on many Internet connected systems within an IT professional's environment. These IPv6 interfaces generate traffic which can bypass traditional controls based on IPv4 technology. Although IPv6 is likely to eclipse IPv4 as the dominant Internet protocol, the path to this state is disorganized and unclear. This state indicates that as IPv6 gains inertia as a legitimate Internet protocol, IT administrators need to be aware of and manage IPv6 traffic on their network with as much vigilance as they would apply to the more commonplace IPv4.
Kevin D. Wilkins, CISSP, Senior Network Engineer, iSecure LLC
After coursework at the Rochester Institute of Technology, Kevin’s professional experience includes ISP and VOIP operations. Kevin has 10 years of industry experience in system and network engineering and platform management. In the last few years, a focus on information security has brought his experiences together into a consolidated viewpoint of enterprise-wide security policy and implementation.
Peter Rounds, Senior Network Engineer, Syracuse University
Peter has been a Sr. Network Engineer at Syracuse University for 11 years. He is responsible for maintaining core network infrastructure consisting of Internet edge traffic identification/management, Internet BGP routing and security profile management, campus OSPF and security profile management, and data center network and security profile management. He is responsible for numerous security technologies for the University.
This document discusses the security of IPv6 and addresses some common myths. It provides a brief comparison of IPv4 and IPv6, noting areas of both similarity and difference. While IPv6 introduces some new capabilities like larger addresses and mandatory IPsec support, it also brings new potential security issues from features like stateless autoconfiguration. Proper implementation and ongoing evaluation work is needed to understand IPv6 security as attack surfaces continue to be explored. Transition technologies also introduce new vectors that require consideration. Overall, IPv6 differs little from IPv4 at the network layer, and securing applications and higher layers remains paramount.
This document discusses the security of IPv6 and addresses some common myths. It provides a brief comparison of IPv4 and IPv6, noting areas of both similarity and difference. While IPv6 introduces some new capabilities like larger addresses and mandatory IPsec support, it also brings new potential security issues like those related to auto-configuration. Proper implementation and ongoing evaluation work is needed to help secure both protocols. Overall, IPv6 provides capabilities but does not inherently improve security without diligent configuration and management.
1) IPv4 addresses are running out as the number of internet devices grows exponentially. IPv6 is needed to support continued growth.
2) IPv6 is already deployed on large networks like Google and Verizon Wireless and works well, with over 50% of traffic delivered via IPv6 to some sites.
3) IPv6-only networks can support all applications, including those requiring IPv4 like Skype, through technologies like NAT64 and 464XLAT address translation which allow IPv6-only devices to access IPv4 internet resources.
IPv6 IAB/IETF Activities Report as presented by Cathy Aronson at ARIN's Public Policy and Members Meeting in April 2014. All ARIN 33 presentations are posted online at: https://www.arin.net/ARIN33_materials
The document discusses IPv6 and transitioning from IPv4 to IPv6. Some key points include:
- IPv6 addresses larger address space and other improvements over IPv4 like more efficient routing and built-in security.
- Transition technologies like IPv6 over IPv4 tunneling can help transition from IPv4 to IPv6 networks.
- There are some valid concerns about transitioning like needing larger packet headers but overall the benefits of IPv6 outweigh these issues. Proper hardware support can alleviate performance concerns.
APNIC Internet Resource Analyst Pubudu Jayasinghe presents on the status of IPv6 deployment at npNOG 5 in Kathmandu, Nepal, from from 8 to 13 December 2019.
Similar to Things I wish I had known about IPv6 before I started (20)
Our presentation to UKNOF in September 2020
In two very long nights of maintenance we acheived:
- Full table BGP on VyOS converge time in seconds
- Routing on MikroTiks converges near-instantly
- BCP38 (customers cannot spoof source address)
- IRR filtering* (only accept where route/route6 object)
- RPKI (will not accept invalid routes from P/T)
- Templated configuration (repeatable, automated) Single source of truth (the docs become the config)
Full table BGP on VyOS converge time in seconds
Routing on MikroTiks converges near-instantly
BCP38 (customers cannot spoof source address)
IRR filtering (only accept where route/route6 object)
RPKI (will not accept invalid routes from P/T)
Templated configuration (repeatable, automated)
Single source of truth (the docs become the config)
VyOS SaltStack YAML Netbox BGP OSPF FRR RPKI IRR XDP
bgpq3 UTRS RTBH NetFlow
RIPE NCC Update 2019-10-02
How we found a firewall vendor bug using Teleport as a bastion jump hostFaelix Ltd
Teleport is an SSH system which we’ve fallen in love with. There are some great security features, of course:
- two factor authentication right out of the box
- acts as ssh certificate authority issuing short-lived credentials
- commercial options for role-based access control
But the features which we find most compelling are the ones you can’t get as easily with the likes of OpenSSH:
- session recording which can be used for audit or to refer back to from troubleshooting tickets
- session sharing so that our customers or junior staff can learn-by-doing, just like having dual controls on a car
- NAT-piercing to help manage devices within customer networks that do not have direct Internet connectivity
We have been using Teleport on a number of projects and with several customers:
- a remote probe deployment to debug a strange, intermittent connectivity problem (given as a talk at UKNOF 40 in conjunction with David Farrar of Exa Networks)
- training sessions with customers’ technical staff to show them a slightly unusual systems administration request — and the resulting session recording is an excellent reference for next time their staff encounter a similar request for changes
- paralleling pair programming we have been able to “observe” or “navigate” while junior staff “drive” the console to perform systems or network adminstration for the first time
I’ve evangelised Teleport because I feel its use fits with our philosophy of openness. Teleport could complement the knowledge sharing that goes on within network operations teams, and help senior staff work out the playbooks and improve operational procedures for their junior staff. At least one service provider was inspired by my longer Teleport presentation at NetMcr and set their junior staff the background task of moving all out-of-band access to their POP infrastructure to Teleport. I hope that their use of this tool empowers their junior engineers to take on more work, while satisfying any regulatory or audit requirements that security staff worry about.
The Story of CVE-2018-19299 - finding and reporting bugs in Mikrotik RouterOS v6Faelix Ltd
During some research which found CVE-2018-19298 (MikroTik IPv6 Neighbor Discovery Protocol exhaustion), I uncovered a larger problem with MikroTik RouterOS’s handling of IPv6 packets. This led to CVE-2018-19299 vulnerability in RouterOS which allowed for remote, unauthenticated denial of service.
Keeping your rack cool with one "/IP route rule"Faelix Ltd
This document discusses how Faelix, an ISP, uses MikroTik hardware and RouterOS at their provider edge to route over 600k IPv4 routes and 30k IPv6 routes. They initially migrated from Quagga and BIRD on Linux servers to MikroTik due to its energy efficiency and affordable hardware. While there were some bugs experienced, MikroTik has proven reliable overall. The document then explains how Faelix is able to firewall traffic with zero filter rules using a single "/ip route rule" to mark and route traffic to a separate routing table based on address lists from fail2ban and AMQP. This allows blocking of attacking traffic at the provider edge across multiple data centers in a
Marek Isalski, Faelix.net Ltd, describes the MikroTik range of routers and their applications, gives a pros and cons summary, and recommendations for budget provider edge deployment.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
Things I wish I had known about IPv6 before I started
1. THINGS I WISH I HAD KNOWN ABOUT IPv6 BEFORE I STARTED
MAREK ISALSKI — FAELIX — UKWISPA MEMBERS' MEETING 2019-06-13
https://faelix.link/ukwispa201906
2. THINGS I WISH I HAD KNOWN ABOUT IPv6 BEFORE I STARTED
WARNING: MIGHT CONTAIN A BIT OF VENDOR BASHING
https://faelix.link/ukwispa201906
3. About Marek
Stuff I do:
CTO @FAELIX – https://faelix.net/
PC @uknof – https://uknof.uk/
PC @net_mcr – https://www.netmcr.uk/
Trail of SSIDs in my wake: "AS41495 Faelix Limited"
Me — @maznu – @NetworkMoose – @IPv6HULK
8. Problem Statement
Small provider network (100-10000 customers)
Mixed B2B and B2C
With its own AS, /22 IPv4, /29-/32 IPv6 (i.e. an LIR)
Even where incumbents cannot provide access, customer expectations of price/performance remain
14. “Grant me the optimism of this lorry, attempting to slowly advance beneath a low bridge, but the wisdom to know when it's time to reverse.”
– @lunarsynthesis
15. IPv4 Market Group, UKNOF33, January 2016
IPv4 Life Cycle
• Events
– ARIN Runout
– RIPE Inter-RIR Transfers
– /8s come to market
– IPv6 Adoption
21. “…a plateau before $20 seems unlikely because demand is currently greater than supply, and there are not as many sellers coming to market…”
– IPv4 Market Group
per-customer capex
22. Trade-Off
Engineering time vs capital expenditure
Training, tooling, support
Existing backhaul/infrastructure
Backfilling existing customers
Transition technology costs vs legacy costs
23. End-to-end connectivity
IPv4 + NAT is not security
NAT gives you stateful firewalling
CG-NAT puts that state in the core of the network
IPv6 has stateful firewalling too!
But now the state is in each customer's router
24. Where is the state?
[diagram: customer routers -> CGNAT router -> transit router]
25. Where is the state?
[diagram: customer router -> transit router]
26. Why I think WISPs should embrace IPv6
"Small" networks
"Local" networks
Exist to fill gaps in competitive market
No "triple-play" offer (but increasingly irrelevant?)
Does 5G feel like a threat?
27. Why I think WISPs should embrace IPv6
IPv4 CG-NAT is stateful and therefore expensive
More IPv4 addresses are also expensive
IPv6 already deployed on the big content networks
And plenty of eyeball devices support IPv6
Your IPv6 allocation is mindbogglingly big
"Less bullshit, more engineering"
33. Resi IPv6 Address Plan
/29
is 8 /32s
each of which is 16777216 /56s
each of which is 256 /64s
who has this many connected homes?
34. Resi IPv6 Address Plan
/29
is 8 /32s
each of which is 16777216 /56s
each of which is 256 /64s
who has a residential customer with this many subnets?
36. Biz IPv6 Address Plan
/29
is 8 /32s
each of which is 65536 /48s
each of which is 65536 /64s
who has this many business customers?
37. Biz IPv6 Address Plan
/29
is 8 /32s
each of which is 65536 /48s
each of which is 65536 /64s
please find me the "IT Network Manager" hero who configured this many subnets
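As an added example (not from the slides), the address-plan arithmetic above carried out with Python's ipaddress module. 2001:db8::/29 is a stand-in allocation built around the documentation prefix; the nth customer prefix is found by shifting bits rather than iterating, which matters when a pool holds 2^24 /56s.

```python
import ipaddress

# The plan from the slides: an LIR /29 splits into 8 /32 pools; a /32 holds 16777216 /56s
# (residential, 256 /64s each) or 65536 /48s (business, 65536 /64s each).
# 2001:db8::/29 is a constructed stand-in allocation around the documentation prefix.

def capacity(allocation: str, customer_prefixlen: int) -> int:
    """Number of customer prefixes of the given length that fit in the allocation."""
    net = ipaddress.IPv6Network(allocation, strict=True)
    if not net.prefixlen <= customer_prefixlen <= 128:
        raise ValueError("customer prefix must fit inside the allocation")
    return 1 << (customer_prefixlen - net.prefixlen)

def subnets_per_customer(customer_prefixlen: int) -> int:
    """Number of /64s (the SLAAC subnet size, RFC7421) inside one customer prefix."""
    if customer_prefixlen > 64:
        raise ValueError("customer prefix must be /64 or shorter to hold /64 subnets")
    return 1 << (64 - customer_prefixlen)

def customer_prefix(allocation: str, index: int, customer_prefixlen: int) -> ipaddress.IPv6Network:
    """The index-th customer prefix inside the allocation, in numbering order.

    Computed by shifting the index into the network bits: IPv6Network.subnets() is a
    generator, and walking 2^24 /56s to reach customer number 16777215 is impractical."""
    net = ipaddress.IPv6Network(allocation, strict=True)
    if not 0 <= index < capacity(allocation, customer_prefixlen):
        raise IndexError("customer index outside the allocation")
    offset = index << (128 - customer_prefixlen)
    return ipaddress.IPv6Network((int(net.network_address) + offset, customer_prefixlen))

def fits(allocation: str, customers: int, customer_prefixlen: int) -> bool:
    """Sanity check for the "who has this many customers?" question on the slides."""
    return customers <= capacity(allocation, customer_prefixlen)

if __name__ == "__main__":
    lir = "2001:db8::/29"
    for pool_index, (label, plen) in enumerate([("residential", 56), ("business", 48)]):
        pool = customer_prefix(lir, pool_index, 32)   # one /32 pool per customer class
        print(f"{label}: pool {pool} holds {capacity(str(pool), plen)} /{plen}s, "
              f"each with {subnets_per_customer(plen)} /64s; "
              f"customer 0 gets {customer_prefix(str(pool), 0, plen)}")
```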
53. Transition Technologies
End customer doesn't have a static IPv4
Can't do port forwarding, DMZ, etc
CCTV/etc might be a challenge
Some protocols signal IPv4 address literals within the packet payloads
ALGs for SIP
Skype, others
60. "We've blocked your /48 from our network because the IPv6 scanning you are performing against 2a01:9e00::/32 is aggressive."
– email to cesr-scanning@eecs.berkeley.edu, 2018-03-31
62. Actions
Emailed abuse and project contact in WHOIS
Blocked their scanner
Went back to sleep
…got an email back from them!
63. Discussed with Berkeley
AM: "smart scanning techniques […] measurement research […] probe a large set of hosts on the Internet"
MI: "slipshod IPv6 implementations"
AM: "based on RFC7707 and RFC6583 we have decided to add a module to our scanner that will rate control probes sent to each /64 in addition to each routed prefix"
80. CVE-2018-19298 Timeline
2018-04-08 — reported to vendor
2018-06-29 — "not yet fixed"
2018-11-15 — CVE assigned
2019-01-15 — "can not give you any ETA for the fix"
2019-02-14 — discussion at NetMcr
2019-03-31 — lots of stuff happens
2019-04-09 — wider disclosure
82. Nothing to See Here
CVE-2018-19298 is not that new, fundamentally
Most vendors have fixes for NDP exhaustion
Could just not use /64 subnets
…except for Android not having DHCPv6
…so you rely on IPv6 RA
…and so you probably have /64 subnets (RFC7421)
But at least not having /64 linknets would save core routers from short-lived loss of adjacency (RFC6164)
another vendor "gotcha"
83. “simplistic implementations of [ND] can be vulnerable to deliberate or accidental [DoS], whereby they attempt to perform address resolution for large numbers of unassigned […]”
– RFC6583, Operational Neighbor Discovery Problems, 2012
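As an added example (mine, not the author's or any vendor's code), a check for the RFC6583 symptom the slides describe: unresolved neighbor cache entries piling up in one /64 because the router is resolving addresses nobody holds. The sample table is constructed in the shape of Linux `ip -6 neigh show` output (RouterOS is Linux underneath, per slide 85, but its own CLI output differs and is not reproduced); interface names and addresses are made up.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on Linux `ip -6 neigh show` output. The four entries for
# never-assigned 2001:db8:0:100:dead:beef::/96 addresses stuck in INCOMPLETE/FAILED are
# what an NDP-exhaustion attempt (or an aggressive scanner, slide 60) looks like from
# the router's side.
SAMPLE_NEIGH = """\
2001:db8:0:100::1 dev ether2 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:0:100::2 dev ether2 lladdr 00:11:22:33:44:56 STALE
2001:db8:0:100:dead:beef:0:1 dev ether2 INCOMPLETE
2001:db8:0:100:dead:beef:0:2 dev ether2 INCOMPLETE
2001:db8:0:100:dead:beef:0:3 dev ether2 FAILED
2001:db8:0:100:dead:beef:0:4 dev ether2 INCOMPLETE
2001:db8:0:200::1 dev ether3 lladdr 00:11:22:33:44:57 REACHABLE
2001:db8:0:200::9 dev ether3 INCOMPLETE
fe80::1 dev ether2 lladdr 00:11:22:33:44:55 router REACHABLE
"""

# "<addr> dev <if> [lladdr <mac>] [router] <STATE>"
LINE_RE = re.compile(
    r"^(?P<addr>\S+) dev (?P<dev>\S+)(?: lladdr (?P<lladdr>\S+))?(?: router)? (?P<state>[A-Z]+)$"
)
UNRESOLVED = {"INCOMPLETE", "FAILED"}   # resolution attempted, no neighbor answered

def parse_neigh(text):
    """Return (address, interface, state) for every line that matches the layout."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((ipaddress.IPv6Address(m["addr"]), m["dev"], m["state"]))
    return entries

def unresolved_per_subnet(entries, prefixlen=64):
    """Count unresolved entries per on-link subnet (default /64, the RFC7421 size)."""
    counts = Counter()
    for addr, dev, state in entries:
        if state in UNRESOLVED and not addr.is_link_local:
            subnet = ipaddress.IPv6Network((addr, prefixlen), strict=False)
            counts[(dev, subnet)] += 1
    return counts

def exhaustion_suspects(text, threshold=3, prefixlen=64):
    """Subnets whose unresolved-entry count reaches the threshold: the /64s where a
    per-/64 rate limit on address resolution (the fix Berkeley adopted, slide 63) or a
    neighbor cache cap is doing, or should be doing, its job."""
    counts = unresolved_per_subnet(parse_neigh(text), prefixlen)
    return sorted((dev, str(net), n) for (dev, net), n in counts.items() if n >= threshold)
```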
85. Conclusion
IPv6 support in RouterOS needs some love:
>6 year old ops-experience RFCs unaddressed
MikroTik RouterOS v6 is (very patched) Linux 3.3.5
96. CVE-2018-19299 Timeline
2018-04-16 — reported to vendor
2018-04-17 — [this is ND exhaustion]
2018-04-17 — no, it isn't
2018-04-17 — [yes it is]
2018-04-17 — no, it isn't
2018-04-17 — [it is! you used an NDP exhaust tool!]
2018-04-17 — …no! I'm begging you! It isn't NDP!
2018-04-19 — "ipv6 traffic eats all the memory"
2018-04-19 — "not a security vulnerability"
2018-06-29 — "not yet fixed"
2018-10-10 — "we accept this as a bug, but we
would not call it a vulnerability"
2018-11-15 — "with our development team"
2019-01-15 — "can not give you any ETA for the fix"
107. CVE-2018-19299 Timeline
2018-04-19 — "ipv6 traffic eats all the memory"
2018-04-19 — "not a security vulnerability"
2018-06-29 — "not yet fixed"
2018-10-10 — "we accept this as a bug, but we would not call it a vulnerability"
2018-11-15 — "with our development team"
2019-01-15 — "can not give you any ETA for the fix"
NetMcr discuss
108. NetMcr 2019-02-14
Explained IPv6 NDP exhaustion
Spoke about how this is CVE-2018-19298
Presented initial version of first half of this talk
Did not give details of exploit of CVE-2018-19299
Asked the audience, "What next?"
Continue to aggro the vendor?
Publish full details in MITRE?
Make noise in the technology press?
109. NetMcr 2019-02-14
Decided plan for way forward:
Notify vendor of publication date (2019-04-09)
Get word out (notify NCSC, CISP, CERTs, etc)
Prepare for move to full disclosure
110. I shall be discussing IPv6 neighbor discovery exhaustion, and also how RouterOS will crash when routing IPv6 packets, i.e. both vulnerabilities I have disclosed to MikroTik in April 2018, currently unpublished as CVE-2018-19298 and CVE-2018-19299. Do you think that MikroTik will have an update about these vulnerabilities that I can include in my presentation on April 9th?
– email to MikroTik support, 2019-03-04
111. "At the moment there is no news, but I will definitely let you know as soon as there will be an update regarding this matter."
– email from MikroTik support, 2019-03-11
112. CVE-2018-19299 Timeline
2018-04-19 — "ipv6 traffic eats all the memory"
2018-04-19 — "not a security vulnerability"
2018-06-29 — "not yet fixed"
2018-10-10 — "we accept this as a bug, but we would not call it a vulnerability"
2018-11-15 — "with our development team"
2019-01-15 — "can not give you any ETA for the fix"
2019-03-11 — "there is no news"
114. CVE-2018-19299 in Wild?
mar/09/2019 06:58:04 system,error,critical router was rebooted without proper shutdown, probably kernel failure
mar/09/2019 06:58:04 system,error,critical kernel failure in previous boot
mar/09/2019 06:58:04 system,error,critical out of memory condition was detected
mar/10/2019 16:56:18 system,error,critical router was rebooted without proper shutdown, probably kernel failure
mar/10/2019 16:56:18 system,error,critical kernel failure in previous boot
mar/10/2019 16:56:18 system,error,critical out of memory condition was detected
115. [graph: free memory vs time on the production MikroTik router at the AS41495 edge, first two weeks of March 2019, scraped every 30 seconds by API into Prometheus]
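An added detection example (mine, not from the slides or MikroTik): it parses the RouterOS log lines quoted on slide 114, treats each unclean-reboot timestamp as one incident, flags those that coincided with an out-of-memory report, and measures the gap between incidents so a one-off can be told from the recurring pattern of slide 115. The trailing `system,info` line is constructed as a non-incident.

```python
import re
from datetime import datetime

# The /log lines quoted on slide 114, plus one constructed benign reboot line at the end.
SAMPLE_LOG = """\
mar/09/2019 06:58:04 system,error,critical router was rebooted without proper shutdown, probably kernel failure
mar/09/2019 06:58:04 system,error,critical kernel failure in previous boot
mar/09/2019 06:58:04 system,error,critical out of memory condition was detected
mar/10/2019 16:56:18 system,error,critical router was rebooted without proper shutdown, probably kernel failure
mar/10/2019 16:56:18 system,error,critical kernel failure in previous boot
mar/10/2019 16:56:18 system,error,critical out of memory condition was detected
mar/11/2019 09:00:00 system,info router rebooted
"""

# "<mon>/<dd>/<yyyy> <hh:mm:ss> <topic,topic,...> <message>"
LOG_RE = re.compile(r"^(?P<ts>[a-z]{3}/\d\d/\d{4} \d\d:\d\d:\d\d) (?P<topics>\S+) (?P<msg>.+)$")
MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}

UNCLEAN_REBOOT = "router was rebooted without proper shutdown"
OOM = "out of memory condition was detected"

def parse_ts(ts):
    """RouterOS timestamp -> datetime, without depending on locale month names."""
    date, clock = ts.split(" ")
    mon, day, year = date.split("/")
    hour, minute, second = clock.split(":")
    return datetime(int(year), MONTHS[mon], int(day), int(hour), int(minute), int(second))

def parse_log(text):
    """Yield (timestamp, set of topics, message) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["ts"], set(m["topics"].split(",")), m["msg"]

def crash_incidents(text):
    """Group critical lines by timestamp (RouterOS logs the previous boot's failure as a
    burst with one timestamp). Each unclean-reboot timestamp is an incident; oom=True
    when the same burst also reported memory exhaustion. Returns [(timestamp, oom)]."""
    by_ts, order = {}, []
    for ts, topics, msg in parse_log(text):
        if "critical" not in topics:
            continue
        if ts not in by_ts:
            by_ts[ts] = set()
            order.append(ts)
        by_ts[ts].add(msg)
    return [(ts, OOM in by_ts[ts]) for ts in order
            if any(m.startswith(UNCLEAN_REBOOT) for m in by_ts[ts])]

def seconds_between_incidents(text):
    """Gaps between consecutive unclean reboots, to spot a recurring crash cycle."""
    stamps = [parse_ts(ts) for ts, _ in crash_incidents(text)]
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
```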
122. “Yes, it is highly possible, however, we would prefer to not jump to conclusions without seeing an actual file.”
– email from MikroTik support, 2019-03-21
123. “Sadly, I will not be able to provide any supouts showing IPv6 crashes - we are removing MikroTik from our IPv6 transit network entirely, because you have not taken this bug seriously.”
– email to MikroTik support, 2019-03-21
126. One Mitigation We Adopted
[diagram: upstream -> Ubiquiti (IPv6) / MikroTik (IPv4) -> destination]
127. How EdgeOS Fared
Some MikroTik/Ubiquiti interop issues (OSPFv3)
Does it have fastpath?
[cannot] enable IPv6 offloading for PPPoE and VLANs simultaneously.
Some self-made gotchas involving IPv6 RA
IPv6 firewall maybe not as efficient for BCP38
Doesn't suffer some of RouterOS' IPv6 routing bugs
On the whole: pretty good!
130. CVE-2018-19299 Timeline
2018-04-16 — reported to vendor
2018-04-19 — acknowledged by vendor as "not a security vulnerability"
2018-06-29 — "not yet fixed"
2018-10-10 — "not […] a vulnerability"
2018-11-15 — CVE assigned; "with our development team"
2019-01-15 — "can not give you any ETA for the fix"
2019-02-14 — V-Day 0-day discussion @net_mcr
2019-03-11 — "there is no news"
2019-03-14 — last ditch scrabble around for CERTs/etc
2019-04-09 — full disclosure @uknof
then things got busy
131. CVE-2018-19299 Timeline
2019-03-27 14:08 — "UKNOF 43 CVE" topic starts to MikroTik forum
2019-03-28 11:37 — TechRepublic starts coverage
2019-03-28 11:57 — another thread starts on forum; multiple Reddits
2019-03-28 11:50 — MikroTik: "we are aware […] working on it"
2019-03-29 07:56 — MikroTik: "we aim to fix before [UKNOF]"
2019-03-29 08:02 — MI: "contact me privately" (via forum)
2019-03-29 11:00 — @mikrotik_build: "version 6.45beta22" claims fix
2019-03-29 11:23 — @maznu: "not fixed"
2019-03-29 11:35 — MI: "not fixed" (via forum)
2019-03-29 12:17 — MikroTik: "please clarify" (via forum)
then things got weird
132. “It’s MikroTik’s fault that this was filed as yet another ipv6 bug […] The issue is now fixed, the memory exhaustion is also fixed, build is coming Monday.”
– @normis on Twitter, 2019-03-30 12:36
134. Condensed Timeline
2019-03-29 11:00 — 6.45beta22 (not a fix)
2019-03-29 14:46 — workaround for other issues
2019-03-29 14:09 — "next beta version"
2019-03-30 12:36 — "build is coming Monday"
2019-04-01 ??:?? — release fix for CVE-2018-19299
what goes here?
135. “RouterOS IPv6 route cache max size by default is 1 million. […] If you have device that does not have such resources, it will reboot itself.”
– forum post by MikroTik, 2019-03-31 13:28
140. Changelog
v6.44.2 — v6.45beta23 — v6.43.14
ipv6 - fixed soft lockup when forwarding IPv6 packets
ipv6 - fixed soft lockup when processing large IPv6 Neighbor table
ipv6 - adjust IPv6 route cache max size based on total RAM memory
142. MikroTik Security
"Responsible disclosure of discovered vulnerabilities"
"If you have found such a security flaw, we would like to hear more about it to be able to correct the problem as soon as possible."
"We promise you that: […]"
When contacting MikroTik about vulnerabilities, please use the e-mail address security@mikrotik.com
148. IPv6 is in production
Sky IPv6 Roll-Out, I. Dickinson, UKNOF33
EE IPv6 Only, N. Heatley, UKNOF36
Virgin Media, L. Olopade, UK IPv6 Council (Dec 2018)
Psychology of IPv6, V. McKillop, UKNOF43
149. CHAT OVER A BREW?
E: marek @ faelix . net
T: @maznu
T: @faelix
W: https://faelix.net/
https://faelix.link/ukwispa201906