The Other Advanced Attacks: DNS/NTP Amplification and Careto
1. The Other Advanced Attacks
Mike Chapple, CISSP, Ph.D.
Senior Director, IT Service Delivery
University of Notre Dame
© TechTarget
@mchapple mchapple@nd.edu
5. The New Threats
• Governments
• Terrorist Organizations
• Organized Crime
8. Inside an Iranian Nuclear Facility
Source: Vitaly Shmatikov
And the targets are high stakes
10.
“We're glad they are having trouble with their centrifuge machine and (we) are doing everything we can to make sure that we complicate matters for them.”
Gary Samore, Special Assistant to the President and White House Coordinator for Arms Control and WMD
14. Denial of Service Attacks
• Send a huge number of requests to a targeted server, seeking to overwhelm it
• Difficult for the victim to distinguish legitimate requests from attack traffic
• Several limitations for the attacker
– Requires massive bandwidth from a single source
– Easy for victims to block based upon the source IP
15. Distributed Denial of Service Attacks
• Leverage botnets to exhaust all resources on a targeted system
• Difficult to distinguish legitimate requests from attack traffic
16. Amplified DDoS Attacks
• Traditional DDoS is still limited by the aggregate bandwidth of the zombie PCs
• Amplification attacks leverage the bandwidth of non-compromised intermediaries (reflectors) that the attacker never has to own
• Requires a service that sends responses much larger than the queries it receives
17. Amplification Factor
• Amplification factor is the ratio of response size to query size: the degree to which the reflector increases the attack traffic
• A 64 byte query resulting in a 512 byte response is an amplification factor of 8 (512 / 64)
• The factor is per query; multiplied across a botnet sending spoofed queries, the victim receives the whole amplified volume
18. Characteristics of an Amplification Attack
• Use botnets to generate the queries
• Leverage misconfigured services (open DNS resolvers, NTP servers that answer monitoring queries)
• Spoof the victim's address as the source, so every reply is delivered to the victim rather than the attacker
• Require a connectionless protocol: UDP services answer without a handshake, so the spoofed source is never verified (a TCP three-way handshake would fail)
19. How DNS Should Work
• DNS servers should provide domain name resolution services:
1. Recursive resolution for the systems on an organization’s network (for all names)
2. Authoritative answers to the general Internet (only for the public names owned by the organization)
• Most DNS communication takes place over UDP port 53
• Some systems are configured as “open resolvers”, answering any recursive question from the Internet at large; that is exactly what an amplification attack needs
21. Don’t Be a Relay
• Ensure that you’re not an open resolver: answer recursive queries only from your own networks, and answer the Internet only for the zones you are authoritative for
• Check from outside your own network, since a resolver that looks closed from the inside may still recurse for strangers; the services below do this for you
• Open Resolver Project openresolverproject.org
• DNS Inspect dnsinspect.com
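The amplification-factor arithmetic and the open-resolver check above, as an added example that is not part of the original presentation: it builds the same kind of recursive ANY query an attacker reflects, decodes the response header (RA flag, RCODE, answer count), decides whether the answering server recursed for an outsider, and reports the response/query size ratio. The replies are constructed inline so the script runs offline; the function names and the 192.0.2.x sample addresses are this example's own.

```python
"""Open-resolver check and amplification factor for a DNS reply.

Added example; not code from the presentation. Sample responses are
constructed inline (TEST-NET addresses) so everything runs offline.
"""
import socket
import struct
import sys

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035, 4.1.1)
HEADER = struct.Struct("!HHHHHH")
QTYPE_ANY = 255
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=QTYPE_ANY, txid=0x1234):
    """Minimal query with RD=1: asks the server to recurse on our behalf."""
    flags = 0x0100  # QR=0, opcode=0 (QUERY), RD=1
    header = HEADER.pack(txid, flags, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_response(data):
    """Decode only the header fields needed for the open-resolver decision."""
    if len(data) < HEADER.size:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(data)
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "ra": bool(flags & 0x0080),   # server offers recursion
        "rcode": flags & 0x000F,
        "ancount": an,
        "size": len(data),
    }


def classify_resolver(resp):
    """'open' if the server recursed for us, 'closed' if it refused, else 'other'."""
    if resp["ra"] and resp["rcode"] == 0 and resp["ancount"] > 0:
        return "open"
    if resp["rcode"] == 5 or (not resp["ra"] and resp["ancount"] == 0):
        return "closed"
    return "other"  # e.g. SERVFAIL or NXDOMAIN: inconclusive, retry with another name


def amplification_factor(query, response):
    return len(response) / len(query)


def build_response(query, rcode=0, ra=True, answers=()):
    """Constructed reply for the example: echoes the question, appends A records."""
    txid, _, qd, *_ = HEADER.unpack_from(query)
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | rcode  # QR=1, RD copied
    body = query[HEADER.size:]  # question section, unchanged
    for ip in answers:
        # name pointer to offset 12, TYPE A, CLASS IN, TTL, RDLENGTH, RDATA
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return HEADER.pack(txid, flags, qd, len(answers), 0, 0) + body


def probe(server, name="example.com", timeout=3.0):
    """Live check: one UDP query to server:53. Use only against servers you operate."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    r = parse_response(data)
    return classify_resolver(r), amplification_factor(q, data)


def demo():
    """Offline walk-through on constructed replies."""
    q = build_query("example.com")                                   # 29 bytes
    open_reply = build_response(q, answers=["192.0.2.%d" % i for i in range(1, 9)])
    refused = build_response(q, rcode=5, ra=False)                    # REFUSED, no RA
    return {
        "open": classify_resolver(parse_response(open_reply)),
        "closed": classify_resolver(parse_response(refused)),
        "factor": amplification_factor(q, open_reply),               # 157 / 29
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(demo())
```

Run it with a server address to probe a resolver you own from a host outside your network; with no argument it runs the offline demo. Many current resolvers answer ANY with a deliberately small reply, so a measured factor understates what an attacker gets from a different record type; the open/closed decision is the part that matters.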
22. Be a Good Internet Citizen
25. NTP
• Network Time Protocol, used for clock synchronization
• Almost three decades of operation
• Relies upon UDP for sync traffic
26. MON_GETLIST
• System monitoring command (“monlist”), sent as an NTP mode 7 control packet
• Retrieves the list of the last 600 systems that interacted with the server, a few hundred bytes per packet, many packets per request
• Ideal for an amplification attack when used with forged source addresses: a request of a few bytes produces kilobytes of replies to the spoofed victim
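The monlist exchange above, as an added example that is not part of the original presentation: it builds the 8-byte mode 7 MON_GETLIST_1 request a probe sends, parses a mode 7 reply (header fields and the client addresses leaked in each 72-byte item), and computes the amplification the reply represents. The reply is constructed inline so the script runs offline; field offsets follow the req_pkt header and info_monitor_1 item layout from ntp_request.h, and the function names and 192.0.2.x / 198.51.100.x addresses are this example's own.

```python
"""NTP mode 7 monlist request/reply and its amplification factor.

Added example; not code from the presentation. The reply is constructed
(TEST-NET addresses) so the script runs with no network access.
"""
import socket
import struct

IMPL_XNTPD = 3            # implementation number the request must carry
REQ_MON_GETLIST_1 = 42    # MON_GETLIST_1 request code
MONLIST_ITEM_SIZE = 72    # sizeof(struct info_monitor_1)
MODE7_HDR = struct.Struct("!BBBBHH")  # rm_vn_mode, auth_seq, impl, req, err|nitems, mbz|itemsize


def build_monlist_request():
    """8-byte probe: rm_vn_mode=0x17 (response=0, more=0, version 2, mode 7)."""
    return MODE7_HDR.pack(0x17, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7(data):
    """Decode a mode 7 packet; for a monlist reply, also list the leaked clients."""
    if len(data) < MODE7_HDR.size:
        raise ValueError("short packet")
    rvm, auth_seq, impl, req, err_nitems, mbz_itemsize = MODE7_HDR.unpack_from(data)
    if rvm & 0x07 != 7:
        raise ValueError("not a mode 7 packet")
    info = {
        "response": bool(rvm & 0x80),
        "more": bool(rvm & 0x40),          # further reply packets follow
        "version": (rvm >> 3) & 0x07,
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "error": err_nitems >> 12,          # top 4 bits: error code
        "nitems": err_nitems & 0x0FFF,      # low 12 bits: items in this packet
        "itemsize": mbz_itemsize & 0x0FFF,
        "clients": [],
    }
    if info["response"] and info["request"] == REQ_MON_GETLIST_1 and info["error"] == 0:
        items = data[MODE7_HDR.size:]
        for i in range(info["nitems"]):
            item = items[i * info["itemsize"]:(i + 1) * info["itemsize"]]
            if len(item) < 20:
                break
            # info_monitor_1: lasttime, firsttime, restr, count, then addr (IPv4)
            info["clients"].append(socket.inet_ntoa(item[16:20]))
    return info


def build_monlist_reply(clients, more=False, seq=0):
    """Constructed reply for the example: one 72-byte item per client address."""
    rvm = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    header = MODE7_HDR.pack(rvm, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                            len(clients), MONLIST_ITEM_SIZE)
    items = b""
    for ip in clients:
        item = struct.pack("!IIII", 5, 3600, 0, 1)   # lasttime, firsttime, restr, count
        item += socket.inet_aton(ip)                  # addr at offset 16
        item += b"\x00" * (MONLIST_ITEM_SIZE - len(item))  # daddr, flags, port, v6 fields
        items += item
    return header + items


def demo():
    """Offline walk-through: 8-byte request, 3-entry reply, resulting factor."""
    req = build_monlist_request()
    reply = build_monlist_reply(["192.0.2.10", "192.0.2.11", "198.51.100.7"])
    info = parse_mode7(reply)
    return {
        "request_len": len(req),
        "reply_len": len(reply),          # 8 + 3 * 72
        "clients": info["clients"],
        "factor": len(reply) / len(req),
    }


if __name__ == "__main__":
    print(demo())
```

A real server packs six items per packet (8 + 6 * 72 = 440 bytes) and keeps the more bit set until the list, up to 600 entries, is exhausted, so the factor for a full table is far above the 28 this three-entry demo shows. The parsed client list is the second reason to disable the command: it discloses who talks to your time server.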
28. Be a Good Citizen
• Upgrade NTP servers to v4.2.7p26 or later, where monlist is gone (ntpq -c rv shows the running version)
• Perform egress filtering at the firewall so packets with spoofed source addresses never leave your network
• Disable MONLIST and related features (see CERT VU#348126): on older versions, add disable monitor to ntp.conf, or use restrict default noquery to refuse mode 7 queries from everyone, and verify from outside with ntpdc -n -c monlist
30. What is Careto?
• Spanish for “The Mask”
• Not a single piece of code, but an advanced threat: a toolkit plus the campaign behind it
• Engaged in espionage activities since at least 2007, undetected until February 2014
• Victimized over 1,000 IPs in 31 countries
• Definite Spanish flavor
32. Who is Targeted?
• Government Agencies
• Energy Companies
• Researchers
• Private Equity Firms
• Activists
33. Initial Infection
• Spear phishing messages direct users to a website
– linkconf.net
– redirserver.net
– swupdt.com
• Malware hosted in non-indexed folders on those sites
36. Diverse Objectives
• Intercept network traffic
• Perform keylogging
• Monitor Skype conversations
• Steal PGP keys
• Analyze WiFi traffic
• Perform screen captures
38. Hides from Kaspersky AV
• Exploits a 2008 vulnerability in Kaspersky products
• Attempts to whitelist itself to avoid detection
• The vulnerability was patched long ago; the attackers rely upon old copies with expired update subscriptions, which is why unpatched software is the enabler
39. Protecting Against APTs
• Update, update, update
• Filter at the gateway and defend at the endpoint
• Maintain a defense-in-depth approach that does not rely upon any single layer of control
• Monitor rigorously