Mitigating Threats
BRKSEC-2004
14344_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
Mitigation
Access Control
Spoofing Prevention
Packet Conformance
Application Inspection
Flexible Packet Matching
State: ACLs have state (ASA) vs. use of the established keyword in ACLs (IOS)
TTL filtering: ttl-evasion-protection via MPF (ASA) vs. the ttl keyword in ACLs (IOS 12.4(2)T)
Spoofing Prevention
Figure: uRPF as a FIB lookup on the source address. Packets from Sx and Sy arrive on int 1 and int 2 carrying data for D; the router asks "sourceIP = rx int?" (forward) or "sourceIP != rx int?" (drop).
Figure: the same check with the FIB entries Dest/Path: Sx -> int 1, Sy -> int 2, Sz -> null0 (or no route, shown as ???); a packet claiming source Sz is dropped.
Figure: ISP edge with LANs 192.168.2/24 and 192.168.3/24
Block Entering Source = Own Network:
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any
or
ip verify unicast source reachable-via rx allow-default
Block Sources That Do Not Belong to Subnet:
access-list 102 permit ip 192.168.X.0 0.0.0.255 any
access-list 102 deny ip any any
or
ip verify unicast source reachable-via rx
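The FIB-lookup decision the uRPF figures describe, worked through as an added example (not Cisco's implementation): the FIB, the interface names int 1/int 2/int 3 and the prefixes are constructed, and "Null0" stands for a black-holed prefix such as the Sz entry above.

```python
"""uRPF decision modelled on the FIB-lookup figure above.  Added example,
not Cisco's implementation: the FIB, interface names and addresses are
constructed, and "Null0" stands for a black-holed (bogon or own) prefix."""
import ipaddress

# Constructed FIB entries: (prefix, egress interface).  Longest prefix wins,
# so the default route only matters when nothing more specific exists.
FIB = [
    ("0.0.0.0/0",      "int 3"),   # default route towards the ISP
    ("192.168.2.0/24", "int 1"),   # Sx lives behind int 1
    ("192.168.3.0/24", "int 2"),   # Sy lives behind int 2
    ("10.0.0.0/8",     "Null0"),   # Sz: black-holed, never a valid source
]


def fib_lookup(ip):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(src_ip, rx_iface, mode="strict", allow_default=False):
    """Return True if the packet passes uRPF, False if it must be dropped.

    strict:        the route back to the source must point out the
                   interface the packet arrived on (sourceIP = rx int?)
    loose:         any non-Null0 route to the source is enough
    allow_default: let a default-route match count as a reverse path
    """
    match = fib_lookup(src_ip)
    if match is None:
        return False                      # no route at all: drop
    net, iface = match
    if iface == "Null0":
        return False                      # black-holed prefix: drop
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route knows it
    if mode == "loose":
        return True
    return iface == rx_iface              # strict: sourceIP = rx int?


def filter_packets(packets, **opts):
    """packets: iterable of (src_ip, rx_iface); returns the dropped ones."""
    return [p for p in packets if not urpf_check(*p, **opts)]
```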
Figure: SYN cookie authentication followed by the real handshake
SYN ACK (seq=cookie; ack=x+1): generate unique cookie for IP 192.168.1.1
ACK (seq=x+1; ack=cookie+1): if cookie is valid, authenticate IP 192.168.1.1
Is IP 192.168.1.1 authenticated? YES: connection established
SYN (seq=y)
SYN ACK (seq=z; ack=y+1)
ACK (seq=y+1; ack=z+1)
DATA (seq=y+1; ack=z+1)
DATA
DATA
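The cookie exchange in the figure, written out as an added example that is not the appliance's own algorithm: the cookie is a truncated HMAC over the connection 4-tuple, the client's initial sequence number and a coarse time counter, so no state is kept for a SYN until the ACK proves the source saw the SYN ACK. The addresses, ports and the 64-second time bucket are assumptions.

```python
"""SYN-cookie handshake as in the figure above.  Added example, not the
appliance's algorithm: the cookie is a truncated HMAC over the connection
4-tuple, the client's ISN and a coarse time counter, so the device keeps no
per-SYN state until the client proves it can complete the handshake."""
import hashlib
import hmac
import os
import time

SECRET = os.urandom(16)      # per-device secret; rotate it in practice
MASK32 = 0xFFFFFFFF          # TCP sequence numbers wrap at 2**32


def time_counter(now=None):
    """Coarse clock (64 s buckets) so that old cookies stop validating."""
    return int((time.time() if now is None else now) // 64)


def make_cookie(conn, client_isn, counter, secret=SECRET):
    """conn = (client_ip, client_port, server_ip, server_port); 32-bit cookie."""
    msg = f"{conn}|{client_isn}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def syn_ack_for(conn, syn_seq, counter, secret=SECRET):
    """Answer SYN(seq=x) with SYN ACK(seq=cookie, ack=x+1); no state kept."""
    cookie = make_cookie(conn, syn_seq, counter, secret)
    return {"seq": cookie, "ack": (syn_seq + 1) & MASK32}


def ack_is_valid(conn, ack_seq, ack_ack, counter, secret=SECRET):
    """Validate ACK(seq=x+1, ack=cookie+1) purely from the packet itself.

    x is recovered as seq-1, the cookie is recomputed, and both the current
    and the previous time bucket are accepted so a bucket boundary between
    SYN ACK and ACK does not reject an honest client.
    """
    client_isn = (ack_seq - 1) & MASK32
    for c in (counter, counter - 1):
        cookie = make_cookie(conn, client_isn, c, secret)
        if (cookie + 1) & MASK32 == ack_ack:
            return True
    return False


def handshake(conn, syn_seq, forge_ack=None):
    """Simulate the exchange; True when the source is authenticated.
    forge_ack models a spoofed source that never received the SYN ACK and
    therefore cannot echo the cookie."""
    counter = time_counter()
    synack = syn_ack_for(conn, syn_seq, counter)
    ack_ack = (synack["seq"] + 1) & MASK32 if forge_ack is None else forge_ack
    return ack_is_valid(conn, synack["ack"], ack_ack, counter)
```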
Spoofing References
Understanding Unicast Reverse Path Forwarding
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
http://www.cymru.com/Documents/tracking-spoofed.html
http://www.cymru.com/Documents/bogon-dd.html
Router(config)# no ip source-route
Router(config)#
Configuration requires:
Class-map: identifies the traffic that needs a specific type of control; class-maps have specific names which bind them to a policy-map.
Policy-map: describes the actions to be taken on the traffic identified by the class-map; policy-maps have specific names which bind them to the service-policy.
Service-policy: describes where the traffic should be intercepted for control; only one service-policy can exist per interface. An additional service-policy, the "global-service-policy", is defined for general policy application and applies to traffic on all interfaces.
[user@linux ~]$ dig www.google.com
;; ANSWER SECTION:
www.google.com. 118837 IN CNAME www.l.google.com.
www.l.google.com. 37 IN A 209.85.165.147
www.l.google.com. 37 IN A 209.85.165.99
www.l.google.com. 37 IN A 209.85.165.103
www.l.google.com. 37 IN A 209.85.165.104
[user@linux ~]$
Figure: frame layout, L2 Header, L3 Header, L4 Header, then the payload fields (First…, Second…, Payload…, Payload…, Payload…)
Filter Type 1,000 pps 2,000 pps 3,000 pps 4,000 pps 5,000 pps
No Filter 13% 14% 15% 16% 17%
FPM 1st Match 38% 42% 43% 43% 43%
ACL 1st Match 30% 36% 37% 37% 37%
FPM 5th Match 42% 50% 59% 59% 59%
ACL 5th Match 32% 39% 40% 41% 41%
FPM 10th Match 42% 50% 50% 50% 50%
ACL 10th Match 32% 39% 39% 39% 39%
Monitoring and Identification
Syslog
NetFlow
Embedded Event Manager
CS-MARS
Syslog
Router# show logging | include 185
Aug 29 2007 15:58:12.181 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55618) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:14.445 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55619) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:16.389 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55620) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:24.429 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55621) -> 192.168.150.77(139), 1 packet
Aug 29 2007 15:58:27.373 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55622) -> 192.168.150.77(139), 1 packet
Aug 29 2007 15:58:29.661 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55623) -> 192.168.150.77(139), 1 packet
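Detection logic over %SEC-6-IPACCESSLOGP records of the kind shown above, as an added example that is not Cisco code: it parses each denied-packet line and flags a source that touches several ports on one host within a short window, or keeps retrying a single blocked flow. The sample lines are constructed in the slide's format and the thresholds are arbitrary assumptions.

```python
"""Detection over IOS %SEC-6-IPACCESSLOGP records like the ones above.
Added example, not Cisco code.  The sample lines are constructed in the
slide's format; the thresholds are arbitrary."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d)\.\d+ \w+: %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))? -> "   # ingress, only on some hits
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

SAMPLE = [  # constructed log lines
    "Aug 29 2007 15:58:12.181 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55618) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet",
    "Aug 29 2007 15:58:14.445 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55619) -> 192.168.150.77(1024), 1 packet",
    "Aug 29 2007 15:58:24.429 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55621) -> 192.168.150.77(139), 1 packet",
    "Aug 29 2007 15:58:27.373 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55622) -> 192.168.150.77(139), 3 packets",
    "Aug 29 2007 15:59:01.002 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.90(4000) -> 192.168.150.77(22), 1 packet",
    "Aug 29 2007 15:59:02.117 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.90(4001) -> 192.168.150.77(23), 1 packet",
    "Aug 29 2007 15:59:03.540 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.90(4002) -> 192.168.150.77(445), 1 packet",
    "Aug 29 2007 15:59:05.000 CDT: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]


def parse_line(line):
    """One record as a dict, or None for lines that are not ACL denies."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
    for k in ("sport", "dport", "count"):
        rec[k] = int(rec[k])
    return rec


def summarize(lines):
    """Aggregate denies per (src, dst): packet total, ports seen, time span."""
    stats = defaultdict(lambda: {"packets": 0, "ports": set(), "first": None, "last": None})
    for rec in filter(None, map(parse_line, lines)):
        s = stats[(rec["src"], rec["dst"])]
        s["packets"] += rec["count"]
        s["ports"].add(rec["dport"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = max(s["last"] or rec["ts"], rec["ts"])
    return stats


def findings(lines, min_ports=3, min_packets=5, window_s=60):
    """List of (src, dst, verdict, ports) for pairs that cross a threshold."""
    out = []
    for (src, dst), s in summarize(lines).items():
        if (s["last"] - s["first"]).total_seconds() > window_s:
            continue
        if len(s["ports"]) >= min_ports:
            out.append((src, dst, "port-scan", sorted(s["ports"])))
        elif s["packets"] >= min_packets:
            out.append((src, dst, "repeated-deny", sorted(s["ports"])))
    return out
```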
NetFlow: Scalability
Figure: NetFlow pipeline, key fields, NetFlow export, reporting packets
White Paper
Embedded Event Manager in a Security Context
http://www.cisco.com/web/about/security/intelligence/embedded-event-mgr.html
*Detailed information in BRKSEC-3007 Solving Security Challenges with Embedded Event Manager
EEM Example
Interface Input Queue Monitor
http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=981
CS-MARS Rules
Security Application: coverage areas (File System, Execution Space, Network, Configuration)
Distributed Firewall: ✓
Host Intrusion Detection: ✓ ✓ ✓
Spyware and Malware Prevention: ✓ ✓ ✓
Network Worm Prevention: ✓ ✓
File Integrity Assurance: ✓ ✓
Wireless Policy Controls: ✓ ✓
Traffic Marking: ✓
IPS and NAC Integration: ✓
Threat Rating
Dynamic adjustment of the event Risk Rating based on the success of the response action:
If the response action was applied, the Risk Rating is reduced (TR < RR).
If the response action was not applied, the Risk Rating remains unchanged (TR = RR).
Benefit: prioritizes alerts for operator attention; the operator can focus incident response activities on those threats that have not been mitigated.
Attack 1: no action configured; Risk Rating = 85, Threat Rating = 85.
Attack 2: action configured, attack mitigated; Risk Rating = 85, Threat Rating = 55.
Service Provider
Case Study: MS-RPC-DNS (CVE-2007-1748)
Figure: exploit lifecycle on the victim for W32/Nirbot.worm!83E1220A
2 Penetrate: download and copy malicious code to C:\U.exe
3 Persist [Exploit Dependent]: create back door access
4 Propagate [Exploit Dependent]: connect to Command and Control on TCP port 8080
5 Paralyze: exploit specific
ACLs
Mitigation at the L3 boundary where deployed; VLAN maps and Port ACLs for L2 access control if needed
If the application is required, ACLs provide no value against those who are allowed access
IPS Signatures
Understand the application/vulnerability better when the application is required or ACLs do not suffice
Provides no mitigation unless directed to do so
Mitigation: CSA
The Exploits
W32/Nirbot.worm!83E1220A
Download worm on random HTTP server port
Connect via IRC over port 8080
IRC servers include:
{blocked}.rofflewaffles.us
{blocked}.anti-viral.us
{blocked}.wayne.brady.gonna.have.to.{blocked}.us
Exploits are sort of like chasing your tail, but there are
several patterns we can catch (this time) or ways in
which these can be mitigated
References (cont…)
W32.Rinbot.BC [Symantec]
http://www.symantec.com/security_response/writeup.jsp?docid=2007-041701-3720-99&tabid=2
New Rinbot Scanning for Port 1025 DNS/RPC [SANS]
http://www.isc.sans.org/diary.html?storyid=2643
W32/Delbot-AI [Sophos]
http://www.sophos.com/security/analyses/viruses-and-spyware/w32delbotai.html
W32/Nirbot.worm!83E1220A [McAfee]
http://vil.nai.com/vil/content/v_142025.htm
Vulnerabilities
Windows Kernel TCP/IP IGMPv3 and MLDv2 Vulnerability – CVE-2007-0069
Remote Code Execution or Denial of Service utilizing crafted packets over IGMPv3/IPv4 (Windows XP, Windows Vista, Windows Server 2003) or MLDv2/IPv6 (Windows Vista)
!-- Cisco PIX security appliances, Cisco ASA adaptive security appliances, and
!-- Firewall Services Modules (FWSMs) will, by default, drop all source-routed packets received on any
!-- interface and create an informational-level (severity 6) syslog message
106012: Deny IP from 192.168.100.5 to 192.168.60.5, IP options: "Loose Src Routing"
106012: Deny IP from 192.168.100.5 to 192.168.60.5, IP options: "Strict Src Routing"
Figure: Storm lifecycle on the victim, stages 1 Probe, 2 Penetrate, 3 Persist, 4 Propagate, 5 Paralyze (each exploit dependent; 5 is exploit specific). Actions shown: download malicious software to the end host, download software, join P2P network, open up a UDP port above 1024 on the local host, spam, DDoS, update.
1. BotHerder updates malcode on webtrap
2. Initiate new spam pointing to webtrap
3. User reads the spam and clicks link
4. User machine infected
Mitigating CME711 (Figure: infected host, BotHerder, webserver)
1. Break initial exploitation vector
2. Break infection vector
3. Break joining botnet
Mitigation: ACLs
!-- Router Configuration
Router(config)#ip access-list extended tACL
!-- Deny UDP packets in Range 1024 - 65535
Router(config-ext-nacl)#deny udp 192.168.2.0 0.0.0.255 range 1024 65535 any range 1024 65535
!-- Firewall Configuration
Firewall(config)# access-list storm-udp extended deny udp 192.168.2.0 255.255.255.0 range 1024 65535 any range 1024 65535
Source: EmergingThreats.net
Schneier on Security
http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html
Antirootkit.com blog
http://www.antirootkit.com/blog/category/storm-worm/
Test Yourself
Metasploit is an exploitation framework that provides a lot of flexibility to test yourself – it's very easy to test client and service exploits; more information is at www.metasploit.com
Scapy is a powerful packet manipulation program – it requires some Python knowledge but is useful for creating specific types of network traffic; more information is at http://www.secdev.org/projects/scapy/
>>> x = fragment(IP(dst="192.168.15.60")/ICMP()/("abc"*1200),fragsize=1200)
>>> x[1].frag=145   # changed the Fragment Offset
>>> send(x)
17:52:13.113797 IP (tos 0x0, ttl 64, id 1, offset 0, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: ICMP echo request, id 0, seq 0, length 1200
17:52:13.119594 IP (tos 0x0, ttl 64, id 1, offset 1160, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: icmp
17:52:13.125617 IP (tos 0x0, ttl 64, id 1, offset 2400, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: icmp
17:52:13.131597 IP (tos 0x0, ttl 64, id 1, offset 3600, flags [none], proto ICMP (1), length 28) 192.168.2.63 > 192.168.15.60: icmp
Deceptive Defense
Darknets and illegal IP space (dark space) monitoring provide the ability to identify outbreaks more easily and aid in detecting probing that may fall under the normal radar.
Honeypots, low interaction: deployed inside the network, these help quickly identify compromised systems and miscreants; real-world studies have shown that a ratio of 1/1000 of the IP space is effective.
Honeytokens: a purposefully set piece of information that should only be accessed by illegal activity.
Figure: low interaction honey pot; Internet, hosts at 192.168.100.10, attacker at 10.10.10.100, IPS sensor
Figure: attacker blocked; low interaction honey pot, Internet, hosts at 192.168.100.10, attacker at 10.10.10.100, IPS sensor
Complementary Sessions
Recommended Reading