Logging for Incident Response in the
Post-IPv4 World
Carlos Martinez Cagnazzo
LACNIC
carlos @ lacnic.net
@carlosm3011
Agenda

• The Post-IPv4 Internet
– No IPv4, CGNs, some IPv6

• Logging for incident response
• Logging and incident response in the post-IPv4 Internet
The Post-IPv4 Internet

• The Internet is at a crossroads. IPv4 exhaustion means
that there will not be enough IPv4 addresses for everyone,
much less for every device
• To an extent this is already happening, but from now on it
will be the norm
[Chart: one value per year for 1999 to 2011, y-axis 0 to 120]
The Current, Almost End-to-End, Internet

• Once upon a time there was something called the ‘End
to End Principle’
– … describing how packets should travel from origin to
destination untouched by the evil middle boxes

• The current Internet is _almost_, but not quite, end-to-end
– Proxies, home routers, firewalls, traffic shapers, all of them do
something to packets
– But packets travel mostly unharmed
The Current End-to-End Internet

• Well, almost end to end

    D_Addr | O_Addr | Payload   -->   D_Addr | O_Addr | Payload

• Packets remain (mostly) unchanged along their network
path
• A given source IP can be a marker of an individual, a
household or an employee of a certain company
What happens when there is no IPv4 for every device?

• The post-IPv4 Internet:

    [Diagram: many subscribers share a single public IP address; the web
    server sees thousands of users coming from the *same* IP]

• IPv4 will be provided, in many places, by employing
CGNs, or Carrier-Grade NAT boxes
The CGN-ized Internet

• The CGN Internet hides many users behind a small set of
IP addresses
• Our previous assumptions about what a source IP
address means are no longer valid
– Can represent thousands of users, of different households and
different companies

• Many abuse mitigation measures need to be re-examined
– Be careful of blindly filtering out a single /24; that could now
mean 10,000 users
Current practice for Incident Response

• Think for a minute about your usual IR workflow
– Phishing, Spam, DDoSing, you name it

• When your incident involves network traffic, you try to
find the following information:
– Source IP addresses
– Destination IP addresses and destination ports
– Maybe a packet dump, if available
– All of this decorated with nice timing information, preferably
with a common time zone

• You then look up the sources in WHOIS or in your friendly
CSIRT contact list and send the appropriate notifications
The Post-IPv4 Incident Response Workflow

• Well, the source IPv4 address may no longer be enough of an
identifier
– The source network will not be able to identify the actual
offender(s) based on the source IPv4 address alone

• ISPs will need source port data to actually track any
abusers
• Law enforcement also needs to realize what this means
– Judges now need to look at an additional number before jailing
a person
Jeez, what do we do now ?

• First of all, accept that your life as an incident
responder or site administrator will now be harder
– Hopefully for a short time, until the world gets its IPv6 act
together

• Additional requirements for post-IPv4 logging
– Logging of source ports
– Using the highest possible timing resolution
– Time sync on distributed logging platforms becomes critical
Example configuration, Source Port Logging in Apache

• [Ref: http://draft.scyphus.co.jp/articles/20110815.html]
– Default logging in Apache only provides basic client data
– Apache uses a printf()-like format string (LogFormat) for including
additional log fields in custom log files: %h is the client address,
%{remote}p is the client's source port. The brackets keep an IPv6
address unambiguous next to the port.
– Double quotes inside the format string must be backslash-escaped.

    #
    # The following directives define some format nicknames for use
    # with a CustomLog directive (see below).
    #
    LogFormat "[%h]:%{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "[%h]:%{remote}p %l %u %t \"%r\" %>s %b" common
Example configuration, Source Port Logging in Apache (cont.)

• Per-virtual-host example (the "combined" nickname is redefined with
the client port prepended and then used by CustomLog):

    <VirtualHost [2001:13c7:7001:4000::10]:80>
        ServerAdmin carlos@lacnic.net
        DocumentRoot /var/www/html/
        ServerName w6.labs.lacnic.net
        LogFormat "[%h]:%{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
        CustomLog logs/w6.labs.lacnic.net-access_log combined
        # LogFormat "[%h]:%{remote}p %l %u %t \"%r\" %>s %b" common
        ErrorLog logs/w6.labs.lacnic.net-error_log
    </VirtualHost>
Example configuration, Source Port Logging in Apache (cont.)

• Must enable mod_log_config if not already enabled (LogFormat and
CustomLog are provided by that module)
• Resulting log lines; the client's source port follows the bracketed
client address:

    [2001:13c7:7003:89:fcda:8bea:3e8a:cedd]:57366 - [31/Oct/2013:15:01:33 -0200] "GET /site/modules/openid/openid.js?A HTTP/1.1" 304 "http://w6.labs.lacnic.net/site/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36"
    [2001:13c7:7003:89:fcda:8bea:3e8a:cedd]:57365 - [31/Oct/2013:15:01:33 -0200] "GET /site/themes/newlabs/print.css?A HTTP/1.1" 304 "http://w6.labs.lacnic.net/site/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36"
Example configuration, Exim4 logging

• Sample configuration (Debian exim4 split-config macro style):
– [ http://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html ]

    # uncomment this for debugging
    # MAIN_LOG_SELECTOR == MAIN_LOG_SELECTOR +all -subject -arguments
    .ifdef MAIN_LOG_SELECTOR
    # +incoming_port adds the peer's source port to the H= field. Because of
    # the .ifdef, this only takes effect once MAIN_LOG_SELECTOR is defined.
    log_selector = MAIN_LOG_SELECTOR +incoming_port
    .endif

• Resulting log entries; the peer is now shown as [address]:port:

    2013-10-28 17:22:17 1VasOD-0005hG-KT <= carlos@lacnic.net H=localhost (coco) [127.0.0.1]:47264 P=esmtp S=474
    2013-10-28 17:22:17 1VasOD-0005hG-KT => marcelo <marcelo@localhost> R=local_user T=maildir_home
    2013-10-28 17:22:17 1VasOD-0005hG-KT Completed
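To show how the source-port and time-sync requirements fit together on the receiving end, here is an added example (not from the slides, and not LACNIC code) that parses the two log formats shown above (Apache with [%h]:%{remote}p prepended, Exim with +incoming_port), normalises both to UTC, and looks each (address, port, time) up in a CGN translation log to find the subscriber. The CGN log format, the subscriber IDs and every sample line are constructed for the example; real CGNs export mappings as vendor syslog or IPFIX NAT events, so only the CGN_RE pattern would change. One caveat: if Apache sits behind a reverse proxy or load balancer, %h and %{remote}p describe the proxy's connection, and X-Forwarded-For carries only the address, so the source port has to be logged at the box that terminates the client's TCP connection.

```python
# Added example (not from the slides): attribute a (public IP, source port,
# timestamp) seen in an application log to the CGN subscriber holding that
# mapping at the time. CGN_RE is a constructed stand-in for a NAT mapping
# log (assumption); real CGNs use vendor syslog or IPFIX NAT event records.
import re
from datetime import datetime, timezone

def utc(s):
    """Parse 'YYYY-mm-dd HH:MM:SS' as a UTC-aware datetime."""
    return datetime.strptime(s, '%Y-%m-%d %H:%M:%S').replace(tzinfo=timezone.utc)

# Apache "combined" with "[%h]:%{remote}p" prepended, as in the slides.
APACHE_RE = re.compile(r'^\[(?P<ip>[^\]]+)\]:(?P<port>\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<request>[^"]*)" (?P<status>\d{3})')
# Exim "<=" arrival line with log_selector +incoming_port: [addr]:port after H=.
EXIM_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= (?P<sender>\S+) '
                     r'.*?\[(?P<ip>[^\]]+)\]:(?P<port>\d+)')
# Constructed CGN mapping log: 'add' opens a mapping, 'del' closes it; UTC.
CGN_RE = re.compile(r'^(?P<ts>\S+ \S+) UTC map (?P<op>add|del) inside=(?P<inside>\S+) '
                    r'outside=(?P<oip>[^:]+):(?P<oport>\d+) proto=(?P<proto>\w+) '
                    r'subscriber=(?P<sub>\S+)$')

def parse_apache(line):
    m = APACHE_RE.match(line)
    if not m:
        return None
    # %t carries the server's UTC offset (-0200 in the slides); normalise to UTC
    # so the timestamp can be compared with the CGN's clock.
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').astimezone(timezone.utc)
    return {'ip': m['ip'], 'port': int(m['port']), 'ts': ts, 'what': m['request']}

def parse_exim(line):
    m = EXIM_RE.match(line)
    if not m:
        return None
    # Exim's default timestamp carries no zone (the log_timezone main option adds
    # one); this example assumes the mail server logs in UTC.
    return {'ip': m['ip'], 'port': int(m['port']), 'ts': utc(m['ts']),
            'what': 'mail from ' + m['sender']}

def load_mappings(text):
    """Fold add/del records into intervals keyed by (public ip, port, proto)."""
    mappings = []
    for line in text.splitlines():
        m = CGN_RE.match(line.strip())
        if not m:
            continue
        key = (m['oip'], int(m['oport']), m['proto'])
        if m['op'] == 'add':
            mappings.append({'key': key, 'start': utc(m['ts']), 'end': None,
                             'sub': m['sub'], 'inside': m['inside']})
        else:
            for e in mappings:
                if e['key'] == key and e['sub'] == m['sub'] and e['end'] is None:
                    e['end'] = utc(m['ts'])
    return mappings

def resolve(mappings, ip, port, ts, proto='tcp'):
    """Subscribers whose mapping for (ip, port) was live at ts.

    Without the port every subscriber behind ip matches; without the timestamp
    every subscriber who ever reused the port matches. More than one hit means
    the two clocks disagree or the port was recycled faster than the log
    resolution can separate: report all of them rather than guessing."""
    return [e['sub'] for e in mappings
            if e['key'] == (ip, port, proto)
            and e['start'] <= ts and (e['end'] is None or ts <= e['end'])]

def attribute(mappings, apache_lines, exim_lines):
    events = [e for e in map(parse_apache, apache_lines) if e]
    events += [e for e in map(parse_exim, exim_lines) if e]
    return [(e['what'], e['ip'], e['port'], resolve(mappings, e['ip'], e['port'], e['ts']))
            for e in events]

# Constructed sample data (documentation address 203.0.113.5). Port 57366 is
# released by sub-00417 at 17:03:05 and handed to sub-02930 at 17:04:00.
CGN_LOG = """
2013-10-31 17:01:30 UTC map add inside=10.23.4.17:51222 outside=203.0.113.5:57366 proto=tcp subscriber=sub-00417
2013-10-31 17:01:35 UTC map add inside=10.88.1.9:40010 outside=203.0.113.5:57365 proto=tcp subscriber=sub-01188
2013-10-31 17:03:05 UTC map del inside=10.23.4.17:51222 outside=203.0.113.5:57366 proto=tcp subscriber=sub-00417
2013-10-31 17:04:00 UTC map add inside=10.5.0.2:33001 outside=203.0.113.5:57366 proto=tcp subscriber=sub-02930
"""
APACHE_LINES = [
    '[203.0.113.5]:57366 - - [31/Oct/2013:15:01:33 -0200] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '[203.0.113.5]:57366 - - [31/Oct/2013:15:04:30 -0200] "POST /login HTTP/1.1" 403 0 "-" "curl/7.30"',
    '[203.0.113.5]:4000 - - [31/Oct/2013:15:10:00 -0200] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]
EXIM_LINES = [
    '2013-10-31 17:01:40 1VasOD-0005hG-KT <= bulk@example.org H=(mx) [203.0.113.5]:57365 P=esmtp S=474',
]

if __name__ == '__main__':
    for what, ip, port, subs in attribute(load_mappings(CGN_LOG), APACHE_LINES, EXIM_LINES):
        print(f'{ip}:{port} {what!r} -> {subs or "no mapping: ask the ISP for port and clock"}')
```

Port recycling is why the timestamp matters as much as the port: in the sample data port 57366 belongs to sub-00417 at 17:01:33 UTC and to sub-02930 at 17:04:30 UTC, and a one-minute clock skew between the web server and the CGN would silently name the wrong subscriber. The third Apache line (port 4000) has no mapping at all, which in practice means the report lacks the port or the clocks do not agree and the ISP has to be asked for both.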
Distributed logging

• Did I say ‘time sync’ before?
• Use NTP, Luke, you must.
– It was invented for a reason

• Look into fast data stores and mining tools
– Splunk
– ElasticSearch
– NoSQL databases (Redis, MongoDB)
Key Takeaways

• Yes, our sys/netadmin life will be harder, at least until
IPv6 is widely deployed
– Let’s embrace it with a smile

• Do not assume that an attacking source IPv4 address
uniquely identifies an attacker anymore
– Or a victim, in some cases, like phishing sites

• Start logging source ports now. If you are a CSIRT, do not
forget to reach out to your constituency and let them
know this
• Send source ports when reporting incidents. Ask for
source ports when receiving incident reports
Key Takeaways (ii)

• Log with the highest timing resolution your equipment
allows
• And repeat with me…
– I will time sync my systems
– I will time sync my systems
– I will time sync my systems
Thank you very much! Questions?

@carlosm3011

Speaker notes

1. Depletion of the IANA pool first. Now, depletion of the RIR pools.
2. Collecting this information may involve a back-and-forth exchange with the victim