The Other Advanced Attacks: DNS/NTP Amplification and Careto
DESCRIPTION
This session gives you a list of things besides spear phishing to worry about. You may think DDoS is old hat, but there is a new spin on how to do it every month, including (to take one example) sending spoofed packets to an amplification server. These attacks leverage misconfigured DNS and NTP services to exhaust all bandwidth available to a third-party victim. We have also learned in the past few weeks about a threat, Careto, that has been conducting cyber-espionage operations across the Internet for at least seven years. In this webcast, we explore those new threats and ways that you can better defend your organization.
TRANSCRIPT
© TechTarget
The Other Advanced Attacks
Mike Chapple, CISSP, Ph.D.
Senior Director, IT Service Delivery
University of Notre Dame
@mchapple [email protected]
Agenda
• The Threat is Changing
• DNS Threats
• NTP DDoS Amplification
• Unmasking Careto
The Threat is Changing
Script Kiddies Are So Nineties
The New Threats
• Governments
• Terrorist Organizations
• Organized Crime
Cyberwarfare Is Real
The Participants Are Well-Funded
Inside an Iranian Nuclear Facility (Source: Vitaly Shmatikov)
And The Targets Are High Stakes
“We're glad they are having trouble with their centrifuge machine and (we) are doing everything we can to make sure that we complicate matters for them.”
Gary Samore, Special Assistant to the President and White House Coordinator for Arms Control and WMD
Zero Day Vulnerabilities
We Must Remain Vigilant
DNS Threats
Denial of Service Attacks
• Send a huge number of requests to a targeted server, seeking to overwhelm it
• Difficult to distinguish legitimate requests from attack traffic
• Several limitations for the attacker:
– Requires massive bandwidth
– Easy for victims to block based upon source IP
Distributed Denial of Service Attacks
• Leverage botnets to exhaust all resources on a targeted system
• Difficult to distinguish legitimate requests from attack traffic
Amplified DDoS Attacks
• Traditional DDoS still limited by bandwidth of zombie PCs
• Amplification attacks leverage the bandwidth of non-compromised intermediaries
• Requires a service that sends responses that are much larger than the queries
Amplification Factor
• Amplification factor is the degree to which the attack is increased in size
• 64 byte query resulting in a 512 byte response is an amplification factor of 8
Characteristics of an Amplification Attack
• Use botnets
• Leverage misconfigured services
• Spoof source addresses
• Require connectionless protocol
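Those four characteristics are also what the traffic looks like in flow logs: reflected replies arriving from well-known UDP service ports, from several reflectors at once, for queries the "client" never sent. The following is an added example (not code from the webcast) that runs that logic over constructed NetFlow-style records, from both sides: a host being flooded with replies it did not ask for, and our own server answering one spoofed "client" with far more bytes than it received. The CSV layout, the addresses and the byte counts are all constructed for illustration.

```python
"""Flag reflection/amplification traffic in UDP flow records.
Added example, not from the webcast.  The records below are constructed in a
NetFlow-like CSV layout (an assumption); real exporters use the same fields
under other names."""
import csv
import io
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the port the
# reflected traffic comes FROM.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp", 19: "chargen"}

# Constructed sample traffic:
#  - 203.0.113.10 receives large NTP/DNS replies from three servers it barely
#    or never queried (the victim side of a spoofed-source attack)
#  - 10.0.0.4 <-> 192.0.2.53 is an ordinary client/resolver exchange
#  - our resolver 192.0.2.53 sends 198.51.100.9 ~60x more than it receives
#    (we are being used as a reflector; 198.51.100.9 is the real victim)
SAMPLE_FLOWS = """src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
192.0.2.123,123,203.0.113.10,40001,udp,448000,1000
198.51.100.5,123,203.0.113.10,40001,udp,448000,1000
198.51.100.7,53,203.0.113.10,40001,udp,3000000,1000
203.0.113.10,40001,198.51.100.7,53,udp,4000,100
10.0.0.4,53000,192.0.2.53,53,udp,6400,100
192.0.2.53,53,10.0.0.4,53000,udp,24000,100
198.51.100.9,1234,192.0.2.53,53,udp,64000,1000
192.0.2.53,53,198.51.100.9,1234,udp,3800000,1000
"""

def parse_flows(text):
    """Read CSV flow records into dicts with numeric ports and counters."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("src_port", "dst_port", "bytes", "packets"):
            row[key] = int(row[key])
        flows.append(row)
    return flows

def reflection_victims(flows, min_reflectors=2, min_ratio=10.0):
    """Victim side: hosts receiving reflector-port UDP traffic from several
    sources at a byte ratio far above what they sent those sources.  Replies
    to queries the host never made are the signature of a spoofed source."""
    inbound = defaultdict(lambda: defaultdict(int))   # host -> reflector -> bytes in
    outbound = defaultdict(lambda: defaultdict(int))  # host -> reflector -> bytes out
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["src_port"] in REFLECTOR_PORTS:
            inbound[f["dst_ip"]][f["src_ip"]] += f["bytes"]
        if f["dst_port"] in REFLECTOR_PORTS:
            outbound[f["src_ip"]][f["dst_ip"]] += f["bytes"]
    findings = {}
    for host, reflectors in inbound.items():
        bytes_in = sum(reflectors.values())
        bytes_out = sum(outbound[host].get(r, 0) for r in reflectors)
        ratio = bytes_in / max(bytes_out, 1)
        if len(reflectors) >= min_reflectors and ratio >= min_ratio:
            findings[host] = {"reflectors": sorted(reflectors), "ratio": round(ratio, 1)}
    return findings

def abused_reflectors(flows, our_servers, min_ratio=20.0):
    """Reflector side: our own servers answering one client with far more
    bytes than that client sent.  The 'client' address is most likely spoofed."""
    sent = defaultdict(int)      # (server, port, client) -> bytes out
    received = defaultdict(int)  # (server, port, client) -> bytes in
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["src_ip"] in our_servers and f["src_port"] in REFLECTOR_PORTS:
            sent[(f["src_ip"], f["src_port"], f["dst_ip"])] += f["bytes"]
        if f["dst_ip"] in our_servers and f["dst_port"] in REFLECTOR_PORTS:
            received[(f["dst_ip"], f["dst_port"], f["src_ip"])] += f["bytes"]
    findings = []
    for (server, port, client), bytes_out in sent.items():
        ratio = bytes_out / max(received.get((server, port, client), 0), 1)
        if ratio >= min_ratio:
            findings.append({"server": server, "service": REFLECTOR_PORTS[port],
                             "client": client, "ratio": round(ratio, 1)})
    return findings

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("victims:", reflection_victims(flows))
    print("abused:", abused_reflectors(flows, {"192.0.2.53"}))
```

The thresholds are assumptions to tune per site: a busy resolver legitimately answers some clients with a few times what it receives, but a byte ratio in the tens from a single "client" that sends nothing but tiny queries is the reflector-side view of a spoofed source, and that client address is the victim to notify, not to block.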
How DNS Should Work
• DNS servers should provide domain name resolution services in two distinct roles:
1. Recursive resolution for the systems on an organization’s own network (for any name)
2. Authoritative answers to the general Internet (only for public names the organization owns)
• Most DNS communications take place over UDP, so the source address of a query is not verified
• Some systems are configured as “open resolvers”, performing recursive resolution for any question from the Internet at large
DNS Amplification Attack
Source: Microsoft
Amplification Factor of 60X
Don’t Be a Relay
• Ensure that you’re not an open resolver
• Open Resolver Project: openresolverproject.org
• DNS Inspect: dnsinspect.com
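The two services above test your server from the outside. The following is an added example (not code from the webcast or from either project) of the same check done by hand against a server you operate: it builds a recursive query for a name the server should not be authoritative for, reads the RA flag and RCODE in the reply, and reports the amplification factor as the deck defines it (response bytes divided by query bytes). The probe name `example.com`, the 4096-byte EDNS0 buffer and the constructed replies in the usage are assumptions for illustration.

```python
"""Test whether a DNS server is an open resolver (answers recursive queries
for names it is not authoritative for) and measure the amplification factor
of its reply.  Added example for auditing servers you operate, not code from
the webcast.  Wire format per RFC 1035 with an EDNS0 OPT record (RFC 6891)."""
import random
import socket
import struct

# Name the server under test should NOT be authoritative for (assumption:
# example.com is nobody's internal zone).  A recursive answer for it means
# the server resolves on behalf of arbitrary Internet hosts.
PROBE_NAME = "example.com"
QTYPE_A, QTYPE_ANY = 1, 255   # attacks used ANY because it maximises the reply

def encode_name(name):
    """'www.example.com' -> DNS label wire format."""
    wire = b""
    for label in name.rstrip(".").split("."):
        wire += struct.pack("B", len(label)) + label.encode("ascii")
    return wire + b"\x00"

def build_query(name, qtype=QTYPE_A, txid=None, edns_size=4096):
    """Recursive query (RD=1) with an OPT record advertising a 4096-byte UDP
    buffer, so a reflector can return far more than the classic 512 bytes."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # flags RD; QD=1, AR=1
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack(">HHIH", 41, edns_size, 0, 0)    # root, OPT, size, TTL, RDLEN
    return header + question + opt

def parse_header(data):
    """Header fields that decide whether recursion was performed."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    return {"txid": txid,
            "qr": bool(flags & 0x8000),   # it is a response
            "tc": bool(flags & 0x0200),   # truncated to the UDP limit
            "ra": bool(flags & 0x0080),   # Recursion Available
            "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
            "answers": an}

def classify(query, response):
    """Open resolver: a response with RA set, NOERROR and at least one answer.
    Amplification factor is response bytes / query bytes (the deck's definition)."""
    h = parse_header(response)
    if h["txid"] != struct.unpack(">H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    h["open_resolver"] = h["qr"] and h["ra"] and h["rcode"] == 0 and h["answers"] > 0
    h["amplification"] = round(len(response) / len(query), 1)
    return h

def probe(server, name=PROBE_NAME, qtype=QTYPE_A, timeout=3.0):
    """Send the probe over UDP; None on timeout (filtered or no service)."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return classify(query, data)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A correctly configured authoritative server answers this probe with REFUSED (RCODE 5) and RA clear; a server that returns NOERROR with RA set and answers for a zone it does not own is an open resolver. The fix is in the server configuration, not in this script: restrict recursion to your own address ranges (in BIND, `allow-recursion` listing only internal networks) and leave the public-facing instance authoritative-only.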
Be a Good Internet Citizen
NTP DDoS Amplification
How Dangerous Can a Clock Be?
NTP
• Network Time Protocol used for clock synchronization
• Almost three decades of operation
• Relies upon UDP for sync traffic
MON_GETLIST
• System monitoring command
• Retrieves the list of the last 600 systems that interacted with the server
• Ideal for an amplification attack when used with forged source addresses
Exploring MON_GETLIST
Source: CloudFlare
Amplification Factor up to 206X
Be a Good Citizen
• Upgrade NTP servers to v4.2.7p26 or later
• Perform egress filtering at the firewall
• Disable MONLIST and related features (see CERT VU#348126)
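Before and after applying the three steps above, you want to know whether your own server still answers MON_GETLIST. The following is an added example (not code from the webcast or from CERT) that sends the 8-byte mode 7 request, decodes the 72-byte entries in the reply fragments and reports how many times the request was amplified. The packet layout follows ntpd's `ntp_request.h` (implementation 3, request code 42); the reply bytes in the test are constructed for illustration. Point it only at servers you operate.

```python
"""Ask an NTP server for its MON_GETLIST_1 ('monlist') table and measure how
much a single 8-byte request is amplified.  Added example for auditing servers
you operate, not code from the webcast or CERT.  Packet layout follows ntpd's
ntp_request.h (mode 7 private packets, 72-byte info_monitor_1 items)."""
import socket
import struct

# rm_vn_mode=0x17 (request, version 2, mode 7), auth_seq=0,
# implementation=3 (IMPL_XNTPD), request=42 (REQ_MON_GETLIST_1),
# err/nitems=0, mbz/itemsize=0
MONLIST_REQUEST = bytes.fromhex("17 00 03 2a 00 00 00 00")
HEADER_LEN = 8
REQ_MON_GETLIST_1 = 42

def parse_monlist_packet(data):
    """Decode one mode-7 reply fragment -> (more_fragments, error_code, items)."""
    if len(data) < HEADER_LEN:
        raise ValueError("short mode 7 packet")
    rm_vn_mode, _auth_seq, _impl, req, err_nitems, mbz_itemsize = struct.unpack(">BBBBHH", data[:8])
    if (rm_vn_mode & 0x07) != 7 or not (rm_vn_mode & 0x80) or req != REQ_MON_GETLIST_1:
        raise ValueError("not a MON_GETLIST_1 response")
    more = bool(rm_vn_mode & 0x40)           # further fragments follow
    err, nitems = err_nitems >> 12, err_nitems & 0x0FFF
    itemsize = mbz_itemsize & 0x0FFF
    items = []
    for i in range(nitems):
        item = data[HEADER_LEN + i * itemsize: HEADER_LEN + (i + 1) * itemsize]
        if len(item) < 20:
            break                            # fragment shorter than advertised
        avg_int, last_int, _restr, count = struct.unpack(">IIII", item[:16])
        items.append({"client": socket.inet_ntoa(item[16:20]),   # address in network order
                      "count": count, "avg_interval_s": avg_int, "last_seen_s": last_int})
    return more, err, items

def summarize(request, packets):
    """Collapse all reply fragments into a verdict and an amplification factor."""
    clients = []
    for p in packets:
        _, err, items = parse_monlist_packet(p)
        if err:                              # server answered with an error, no table
            return {"vulnerable": False, "error": err, "clients": 0, "amplification": 0.0}
        clients.extend(items)
    total = sum(len(p) for p in packets)
    return {"vulnerable": bool(clients), "error": 0, "clients": len(clients),
            "packets": len(packets), "amplification": total / len(request)}

def monlist(server, timeout=2.0):
    """Send the probe and collect every reply fragment until 'more' is clear."""
    packets = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(MONLIST_REQUEST, (server, 123))
        while True:
            try:
                data, _ = s.recvfrom(1024)
            except socket.timeout:
                break                        # patched servers simply do not answer
            packets.append(data)
            if not parse_monlist_packet(data)[0]:
                break
    return summarize(MONLIST_REQUEST, packets)

if __name__ == "__main__":
    import sys
    print(monlist(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A full table is 600 entries spread over 100 fragments of 448 bytes each, which is where the 206X figure comes from. On ntpd releases before 4.2.7p26 the shortest fix is `disable monitor` in ntp.conf, together with a default restriction that drops mode 6/7 queries from anyone who is not an administrator (`restrict default kod nomodify notrap nopeer noquery`); after that change this probe should time out rather than return entries.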
Unmasking Careto
What is Careto?
• Spanish for “The Mask”
• Not a single piece of code, but an advanced threat
• Engaged in espionage activities since at least 2007, undetected until February 2014
• Victimized over 1,000 IPs in 31 countries
• Definite Spanish flavor
Naming the Beast
Source: Kaspersky
Who is Targeted?
• Government Agencies
• Energy Companies
• Researchers
• Private Equity Firms
• Activists
Initial Infection
• Spear phishing messages direct users to a website:
– linkconf.net
– redirserver.net
– swupdt.com
• Malware hosted in non-indexed folders on those sites
Malware Bears a Digital Signature
Source: Kaspersky
Variety of Targets
Diverse Objectives
• Intercept network traffic
• Perform keylogging
• Monitor Skype conversations
• Steal PGP keys
• Analyze WiFi traffic
• Perform screen captures
Stolen File Types
Source: Kaspersky
Hides from Kaspersky AV
• Exploits a vulnerability in older Kaspersky products, patched in 2008
• Attempts to whitelist itself to avoid detection
• Only works against outdated installations with expired update subscriptions, since the fix shipped long ago
Protecting Against APTs
• Update, update, update
• Filter at the gateway and defend at the endpoint
• Maintain a defense-in-depth approach that does not rely upon any single layer of control
• Monitor rigorously