  • Security Overview, Threat Pragmatics & Cryptography

    Issue Date:

    Revision:

    Posted on 11-Feb-2021

  • Overview

    • Security Overview

    • Goal of Security

    • Threat Pragmatics

    • Cryptography Basics

  • Where is the Security Layer?

    OSI reference model layers: Application, Presentation, Session, Transport, Network, Data Link, Physical

    TCP/IP model layers: Application (HTTP, DNS, FTP), Transport (TCP/UDP), Internet (IPv4/IPv6), Network Access (Ethernet, PPP)

    Encapsulation as data moves down the stack: Data; Transport Header | Data; IP Header | Transport Header | Data; Frame Header | IP Header | Transport Header | Data; bits on the wire (0011010100000111)

  • Why Security?

    • The Internet was designed for connectivity

    – Trust was assumed

    – Security protocols were added on top of TCP/IP

    • The Internet has become fundamental to our daily activities (business, work, and personal)

  • Internet Evolution

    Security threats and challenges change as the Internet evolves!

    LAN connectivity → Content driven (email, web, music, video) → Data on the Cloud

  • Recent Incidents

    • Facebook (March 2019)

    – Announced that it was storing user passwords (~600 million) in plain text

    • Since 2012!

    • Could be read by FB employees

    – April: Oops.. Wasn't just Facebook accounts, but also some Instagram accounts

    https://about.fb.com/news/2019/03/keeping-passwords-secure/

  • Recent Incidents

    • WhatsApp spyware (May 2019)

    – Exploited the voice call feature

    • Caller could install spyware on the target device

    • Even if the call wasn't answered!

    • Spy on emails/messages, locations

    – Versions prior to:

    • v2.19.134 (Android)

    • v2.19.51 (iOS)

    • v2.18.348 (Windows)

    – ~1.5 billion users

    https://techcrunch.com/2019/05/13/whatsapp-exploit-let-attackers-install-government-grade-spyware-on-phones/

  • Not-so Recent Incidents

    • Slingshot (March 2018) - APT

    – Active since 2012!

    – Compromised MikroTik routers

    • Not much clarity on how they do it, but assumed to be based on the ChimayRed exploit - https://github.com/BigNerd95/Chimay-Red

    – Replaced one of the DLLs in the router's file system with a malicious one (ipv4.dll)

    • Loaded onto the user's computer when they run the Winbox tool

    – Once infected:

    • Capture screenshots, collect network info, passwords in browsers, keystrokes, etc.

  • Not-so Recent Incidents

    • Meltdown/Spectre (Jan 2018)

    – Exploit processor vulnerabilities!

    • Intel, AMD, ARM

    – Meltdown (CVE-2017-5754):

    • Breaks the isolation between programs & OS

    • An application could read kernel memory locations

    – Spectre (CVE-2017-5753/CVE-2017-5715):

    • Breaks isolation between applications

    • An application could read other applications' memory

  • Not-so Recent Incidents

    • (Not)Petya Ransomware/Wiper (June 2017)

    – Exploited a backdoor in the MeDoc accounting suite

    • Update pushed on June 22 from an update server (stolen credentials)

    • Proxied to the attacker's machine (176.31.182.167)

    – Spread laterally across the network (June 27)

    • EternalBlue exploit (SMB exploit: MS17-010)

    • Through PsExec/WMIC using clear-text passwords from memory

    • C:\Windows\perfc.dat hosted the post-exploit code (called by rundll32.exe)

  • Not-so Recent Incidents

    • WannaCry Ransomware (May 2017)

    – As of 12 May, 45K attacks across 74 countries

    – Remote code execution in SMBv1 using the EternalBlue exploit

    • TCP 445, or via NetBIOS (UDP/TCP 135-139)

    – Patch released on 14 March 2017 (MS17-010)

    • https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

    – Exploit released on 14 April 2017

  • Not-so Recent Incidents

    • SHA-1 is broken (Feb 23, 2017)

    – Hash collision: obtain the same SHA-1 hash for two different PDF files (inputs)

    • Which can be abused as a valid signature on the second PDF file

    • https://shattered.io

  • Find any device

    • shodan.io

  • haveibeenpwned.com

    • Have you been compromised?

    – Tracks compromised accounts released into the wild

    • 364 pwned websites

    • >7 million pwned accounts

    • ~100K pastes

  • Acknowledgment

    • Most of the content from:

    Steven M. Bellovin's "Thinking Security"

    https://www.cs.columbia.edu/~smb/

  • Before we start…

    • What are we protecting - the asset? and

    • From whom?

    • All security system designs should be based on these questions!

  • Attack Motivation (Who are your Enemies?)

    • Nation states want SECRETS

    • Organized criminals want MONEY

    • Protesters or activists want ATTENTION

    • Hackers and researchers want KNOWLEDGE

    Source: NANOG60 keynote presentation by Jeff Moss, Feb 2014

    http://cartoonsmix.com/cartoons/national-security-agency-cartoon.html

  • Who are your Enemies?

    • Script kiddies:

    – Little real ability, but can cause damage if you're careless

    • Money makers:

    – Hack into machines, turn them into spam engines, etc.

    • Government intelligence agencies, AKA Nation State Adversaries

  • The Threat Matrix

    Matrix of attacker types along the degree-of-focus axis (opportunistic to targeted): Joy hacks, Opportunistic hacks, Targeted attacks, Advanced Persistent Threats

    Source: Thinking Security – Steve M. Bellovin

  • Joy Hacks

    • For fun – with little skill, using known exploits

    • Minimal damage

    – Especially unpatched machines

    • Random targets

    – Anyone they can hit

    • Most hackers start this way

    – Learning curve

  • Opportunistic Hacks

    • Skilled (often very skilled) - also don't care whom they hit

    – Know many different vulnerabilities and techniques

    • Profiting is the goal - bank account thefts, botnets, ransomware…

    – WannaCry? Petya?

    • Most phishers, virus writers, etc.

  • Targeted Attacks

    • Have a specific target!

    • Research the target and tailor attacks

    – Physical reconnaissance

    • At worst, an insider (behind all your defenses)

    – Not-so-happy employee

    • Watch for tools like "spear-phishing"

    • May use 0-days

  • Advanced Persistent Threats

    • Highly skilled (well funded) - specific targets

    – Mostly 0-days

    • Sometimes (not always) working for a nation-state

    – Think Stuxnet (up to four 0-days were used)

    • May use non-cyber means:

    – Burglary, bribery, and blackmail

    • Note: many lesser attacks are blamed on APTs

  • Are you a Target?

    • Biggest risk?

    – Assuming you are not interesting enough!

    • Vendors/System Integrators and their take on security:

    – Either underwhelming or overwhelming

  • Defense Strategies

    • Depends on what you're trying to protect

    – Assets

    • Tactics that keep out teenagers won't keep out a well-funded agency

    • But stronger defenses are often much more expensive and cause great inconvenience

  • What Are You Protecting?

    • Identify your critical assets

    – Both tangible and intangible (patents, methodologies) assets

    • Hardware, software, data, people, documents

    – Who would be interested?

    • Place a value on the asset

    – Different assets require different levels of protection

    – Security measures must be in proportion with asset value

    • How much can you afford?

    • Determine the likelihood of breaches

    – Threats and vulnerabilities?

  • Exercise

    • Imagine you had a bar of gold to protect

    – What container would you put it in?

    – What room would the container be in?

    – What locks are on the doors?

    – Where is the room located in the building?

    – What cameras are watching the room and building?

    – What humans are watching the cameras?

    – Who will respond with force to a theft attempt?

    – How much did all of these cost?

  • Threats, Vulnerability, and Risks

    • Threat

    – Circumstance or event with potential to cause harm to an asset

    • Vulnerability

    – A weakness in an asset that can be exploited

    • Software bugs

    • Design flaws/protocol bugs

    • Configuration mistakes

    • Lack of encryption

    • Lack of or no physical security

    • Risk

    – The likelihood that a particular vulnerability will be exploited

    Risk = Threat x Vulnerability

    Risk = Impact (Consequence) x Threat x Vulnerability

  • Risk Assessment Matrix

    • Managing risks

    – Probability-Impact matrix to define the level of risk

    • Commonly used in real-world risk assessment

    Risk level by impact (rows) and likelihood (columns):

                      Likelihood: Low     Medium    High
    Impact: High                  Medium  High      High
    Impact: Medium                Low     Medium    High
    Impact: Low                   Low     Low       Medium

  • Exercise

    • Discuss:

    – Some recent vulnerabilities

    – How does each fit into the risk matrix?

    • Place a risk in the matrix by assigning ratings to its

    – Severity/impact, and

    – Probability

    (Same impact vs. likelihood/probability matrix as above)

  • Against Joy Hacks

    • By definition, joy hackers use known exploits

    • Patches exist for known exploits:

    – Security updates/system patches

    – Update antivirus database

    • Ordinary enterprise-grade firewalls

    – Closer to users/services

  • Against Opportunistic Hacks

    • Sophisticated techniques used

    • You need multiple layers of defense

    – Firewalls near users and services

    – Host hardening

    • Apply security updates, patches, AVs

    – Monitoring

    • Intrusion detection

    • Attention to log files

  • Against Targeted Attacks

    • Targeted attacks exploit knowledge of the target

    – Try to block or detect reconnaissance

    – Security policies and procedures matter a lot

    • How do you respond to phone callers?

    • What do people do with unexpected email attachments?

    • USB sticks in the parking lot?

    • Hardest case: disgruntled employee or ex-employee

    – Already behind your defenses

    – Think Manning & Snowden

  • Against APTs

    • VERY VERY hard to defend against!

    • Use all of the previous defenses

    – There are no sure answers

    • Pay special attention to policies and procedures

    • Investigate all oddities

  • Defense in Depth

    • Layer your security controls

    – Provides redundancy in case of failure

    https://commons.wikimedia.org/wiki/File:Caerphilly_aerial.jpg

  • Example of Security Controls

    Category           | Example of Controls                                       | Purpose
    Policy & Procedure | Cyber Security Policy, Incident Handling Procedure        | Make everyone aware of the importance of security, define roles and responsibilities (pre and post incident), understand the scope of the problem
    Technical          | Firewall, Intrusion Detection System, AV, Logging Systems | Prevent and detect potential attacks, mitigate risk of breach
    Physical           | CCTV, Locks, Biometrics, Secure working space             | Prevent physical theft of information assets or unauthorized physical access

  • However…

    • Every (connected) machine is valuable

    • They could be turned into bots

    – Send spam, launch DDoS, host phishing sites

    – Sniff your local traffic

    • Defense:

    – Watch outbound traffic from your network

  • Summary

    • Use proper crypto

    • Layer your defenses:

    – Policies, Procedures, and Awareness

    • Strictly follow

    • Revise and audit frequently

    – Physical security

    – Firewalls closer to services/users

    – Host hardening

    • Updated patches and AVs

    – Application hardening

    – Backup important data

    – IDS/IPS (anomaly detection)

  • Overview

    • Security Overview

    • Goal of Security

    • Threat Pragmatics

    • Cryptography Basics

  • Goals of Security

    SECURITY = Confidentiality, Integrity, Availability

    • Confidentiality: prevent unauthorized use or disclosure of information

    • Integrity: safeguard the accuracy and completeness of information

    • Availability: authorized users have reliable and timely access to information

  • Access Control

    • To permit or deny the use of resource(s)

    • All about:

    – Authentication (who is the user)

    – Authorization (who is allowed to use what)

    – Accountability (what did the user do)

  • Authentication

    • Verify a user's identity

    – "User" may refer to:

    • a person

    • an application or process

    • a machine or device

    • Identification comes before authentication

    – Ex: username to establish the user's identity

    • To prove identity, a user must present either:

    – What you know (passwords, passphrase, PIN)

    – What you have (token, smart cards, passcodes, RFID)

    – Who you are (biometrics such as fingerprints and iris scan, signature or voice)

  • Strong Authentication

    • An absolute requirement!

    • Two-factor authentication

    – Passwords (something only you know)

    – Tokens (something only you have)

    • Examples:

    – Passwords

    – Tokens

    – PINs

    – Biometrics

    – Certificates

  • Two-factor Authentication

    • At least two authentication 'factors' to prove the user's identity

    – Something you know

    • Username/password

    – Something "only" you have

    • Token using a one-time password (OTP), or an SMS code

    • The OTP is generated using a device in the physical possession of the user

    – Generated each time and expires after some time

    – Through applications on your device

    • Authy/Google Authenticator

  • Authorization

    • Defines the user's rights and permissions on a system

    – Typically 'if authenticated'

    • Grants a user access to a resource and the actions they are permitted to perform on that resource

  • Authorisation Concepts

    • Authorisation creep

    – When users possess unnecessarily high access privileges within an organisation

    • Default to zero (zero trust)

    – Start with zero access and build on top of that

    • Principle of least privilege

    – Give access only to the information that the user absolutely needs

  • Authorization - Single Sign On

    • User logs in only once and gains access to all authorized resources within a system

    • Benefits:

    – Ease of use

    – Reduces the logon cycle (time spent re-entering passwords for the same identity)

    • Common SSO technologies:

    – Kerberos (prevents replays – T_REQ: timestamp/lifetime)

    – RADIUS

    – OTP Token

    – SAML/OpenID

    • Disadvantage: single point of attack

    – May need to mix with MFA

  • Accounting

    • What did the user do with the resource?

    • Actions of an entity can be traced back uniquely to that entity

    – Senders cannot deny sending information

    – Receivers cannot deny receiving it

    – Users cannot deny performing a certain action

    • Supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action

    Source: NIST Risk Management Guide for Information Technology Systems

  • Types of Access Control

    • Centralized Access Control

    – RADIUS

    • Encrypts the password

    – TACACS+

    • Encrypts the entire message

    – Diameter (TCP)

    • Enhanced RADIUS (reliable and secure channel)

    • Decentralized Access Control

    – User database maintained on the resource

    • Not scalable

    • No method for consistent control

  • Overview

    • Security Overview

    • Goal of Security

    • Threat Pragmatics

    • Cryptography Basics

  • Target

    • Targets could be:

    – Network infrastructure

    – Network services

    – Application services

    – End user machines

  • Uneven Playing Field

    • The defender has to think about the entire perimeter

    – All the weaknesses

    • The attacker has to find only one weakness

    • This is not good news for defenders

  • Attack Surface

    • Entire perimeter you have to defend

    Diagram: Web Server, DNS, SMTP, Application, Firewall, Power, Fiber

  • Soft Gooey Inside

    • But it is not just the perimeter!

    Diagram: the same perimeter (Web Server, DNS, SMTP, Application, Firewall, Power, Fiber) plus what is inside it: USB sticks, spear-phishing, passwords, ex-employees, sysadmins

  • Attacks on Different Layers

    OSI Reference Model: Application, Presentation, Session, Transport, Network, Data Link, Physical

    TCP/IP Model: Application, Transport, Internet, Network Access (Link Layer)

    Layer 7: HTTP, FTP, IMAP, LDAP, NTP, Radius, SSH, SMTP, SNMP, Telnet, DNS, DHCP

    – DNS poisoning, phishing, SQL injection, spam/scam

    Layer 5: NFS, Socks

    Layer 4: TCP, UDP, SCTP

    Layer 3: IPv4, IPv6, ICMP, ICMPv6, IGMP

    – Layer 3/4 attacks: TCP attacks, routing attack, SYN flooding; Ping/ICMP flood, sniffing

    Layer 2: Ethernet, PPP, ARP, NDP, OSPF

    – ARP spoofing, MAC flooding

  • Layer 2 Attacks

    • ARP spoofing

    • MAC attacks

    • DHCP attacks

    • VLAN hopping

  • ARP Spoofing

    Hosts on the LAN: 10.0.0.1 (AA-AA-AA-AA-AA-AA), 10.0.0.2 (BB-BB-BB-BB-BB-BB), 10.0.0.3 (CC-CC-CC-CC-CC-CC), 10.0.0.4 (DD-DD-DD-DD-DD-DD)

    – Machine A (10.0.0.1): "I want to connect to 10.0.0.3. I don't know the MAC address" → ARP Request (broadcast)

    – Machine C (10.0.0.3): ARP Reply, "I am 10.0.0.3. This is my MAC address"

    – Machine D (10.0.0.4): "Wait, I am 10.0.0.3!" → forged ARP Reply

    – Result: ARP cache poisoned. Machine A connects to Machine D (not C)

  • MAC Flooding

    • Exploits a limitation of all switches

    – The CAM stores the mapping of individual MAC addresses to source ports

    – Finite memory

    • Attacker floods the CAM table using spoofed source MAC addresses

  • DHCP Attacks

    • DHCP starvation attack

    – Broadcasting a vast number of DHCP requests with spoofed MAC addresses simultaneously

    • DHCP spoofing

    – Rogue DHCP

  • Wireless Attacks - MITM

    • Create a fake access point and have clients authenticate to it instead of a legitimate one

    • Capture traffic (usernames, passwords)

  • Wireless Attacks

    • WEP (Wired Equivalent Privacy) – first go at wireless security

    • 104-bit WEP key:

    – 50% of the time broken with 45k packets

    – 95% of the time with 85k packets (in less than 60 seconds)

    • Use WPA2 (Wi-Fi Protected Access)

    – WPA – 256-bit key

    – WPA2 - AES

    Tews, Weinmann, and Pyshkin, "Breaking 104 bit WEP in less than 60 seconds", Proceedings of the 8th International Conference on Information Security Applications, 2007

  • Link-Layer Defence

    • Dynamic ARP Inspection

    – Protects against ARP spoofing

    – Uses DHCP snooping

    – Forwards ARP packets on trusted interfaces without checks

    – Intercepts all ARP packets on untrusted ports and checks them against the IP-to-MAC binding

    • Drop (and log) if there is no valid binding

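The following Python is an added simulation of Dynamic ARP Inspection as described above, not code from the slides: a switch model learns IP-to-MAC-to-port bindings from DHCP snooping, forwards ARP on trusted ports unchecked, and drops and logs ARP on untrusted ports that does not match a binding. The port names and the gateway host are assumed for the example; the hosts and the forged reply replay the ARP spoofing slide.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    port: str          # switch port the frame arrived on
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str


@dataclass
class DaiSwitch:
    """Switch with DHCP snooping and Dynamic ARP Inspection enabled."""
    trusted_ports: frozenset                        # uplinks / ports towards the DHCP server
    bindings: dict = field(default_factory=dict)    # ip -> (mac, port), learned by DHCP snooping
    log: list = field(default_factory=list)

    def snoop_dhcp_ack(self, ip: str, mac: str, port: str) -> None:
        """DHCP snooping: a DHCPACK from a trusted port records which MAC on
        which port was given which address."""
        self.bindings[ip] = (mac, port)

    def inspect(self, pkt: ArpPacket) -> bool:
        """Return True if the ARP packet is forwarded, False if dropped.
        Trusted ports are not checked; on untrusted ports the sender IP, MAC
        and ingress port must all match a snooped binding."""
        if pkt.port in self.trusted_ports:
            return True
        if self.bindings.get(pkt.sender_ip) == (pkt.sender_mac, pkt.port):
            return True
        self.log.append(f"DAI drop: ARP {pkt.op} claiming {pkt.sender_ip} is at "
                        f"{pkt.sender_mac}, received on {pkt.port}")
        return False


def run_scenario() -> dict:
    """Replay the slide's LAN (hosts A..D on 10.0.0.1..4; D forges a reply for
    10.0.0.3). Port names and the gateway on the uplink are assumed here."""
    sw = DaiSwitch(trusted_ports=frozenset({"Gi0/24"}))     # Gi0/24: uplink, DHCP server behind it
    leases = [("10.0.0.1", "AA-AA-AA-AA-AA-AA", "Gi0/1"),
              ("10.0.0.2", "BB-BB-BB-BB-BB-BB", "Gi0/2"),
              ("10.0.0.3", "CC-CC-CC-CC-CC-CC", "Gi0/3"),
              ("10.0.0.4", "DD-DD-DD-DD-DD-DD", "Gi0/4")]
    for ip, mac, port in leases:
        sw.snoop_dhcp_ack(ip, mac, port)

    request = ArpPacket("Gi0/1", "request", "10.0.0.1", "AA-AA-AA-AA-AA-AA")
    genuine = ArpPacket("Gi0/3", "reply", "10.0.0.3", "CC-CC-CC-CC-CC-CC")
    forged = ArpPacket("Gi0/4", "reply", "10.0.0.3", "DD-DD-DD-DD-DD-DD")     # "Wait, I am 10.0.0.3!"
    uplink = ArpPacket("Gi0/24", "reply", "10.0.0.254", "EE-EE-EE-EE-EE-EE")  # gateway, trusted port
    # A host that moves ports without renewing its lease is also dropped: hosts with
    # static addresses need an ARP ACL or a static binding, a known DAI caveat.
    moved = ArpPacket("Gi0/5", "reply", "10.0.0.2", "BB-BB-BB-BB-BB-BB")
    return {
        "request_forwarded": sw.inspect(request),
        "genuine_forwarded": sw.inspect(genuine),
        "forged_forwarded": sw.inspect(forged),
        "uplink_forwarded": sw.inspect(uplink),
        "moved_host_forwarded": sw.inspect(moved),
        "drops_logged": len(sw.log),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```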
  • Link-Layer Defence

    • Port Security

    – Protects the MAC table

    – Limit the number of MACs per port (static or sticky learning)

    • Forwards valid frames (valid source MACs) and drops invalid frames

    – A violation could trigger:

    • Dropping of invalid frames and port shutdown, or

    • Dropping frames with/without notification

  • Link-Layer Defence

    • 802.1X

    – Identity-based network access control

    – Protection against rogue devices (DHCP or AP) attaching to a LAN

    802.1X exchange (Client ↔ Authenticator ↔ AAA Server):

    – Authenticator → Client: EAP-Request/Id

    – Client → Authenticator: EAP-Response/Id; Authenticator → AAA Server: Access-Request

    – AAA Server → Authenticator: Access-Challenge; Authenticator → Client: EAP-Request/pw

    – Client → Authenticator: EAP-Response/pw; Authenticator → AAA Server: Access-Request

    – AAA Server → Authenticator: Access-Accept; Authenticator → Client: EAP-Success

    – Port Authorized

    Image Source: www.en.wikipedia.org/wiki/IEEE_802.1X

  • Layer 3 Attacks

    • ICMP attacks

    – ICMP Smurf/Flood

    – Ping of death

    • Routing (control plane) attacks

  • ICMP Flood/Smurf

    Diagram: the attacker sends echo requests to the network broadcast address with the victim's address as the source; every host on that network sends its echo reply to the actual destination, the victim

    Other forms of ICMP attack:

    – Ping of death

    • Defense:

    – Disable directed broadcast

    no ip directed-broadcast

  • Routing Protocol Attacks

    • Malicious route insertion

    – Poison the routing table

    – To divert traffic and eavesdrop

    • Analyse/modify/drop packets

    • BGP attacks

    – Hijack prefixes

    – Tamper with the path information

  • Defence - Routing Attacks

    • Authenticate the source of routing updates

    – Peer authentication

    • Origin validation

    – Rolled out today as RPKI

    – ROA (resource certificate) signed by the owner

    • Verifies the origin AS (signed route announcement)

    • Path validation

    – Sign the full path (ASNs traversed)

    • In IETF process as BGPsec

    RPKI resource certificate (diagram): an X.509 certificate with an RFC 3779 extension carrying the IP resources (addresses & ASN), a SIA URI for the repository where this CA publishes, and the Subject Public Key (algorithm and key); signed by the parent's private key

  • SYN Flooding

    • Exploits the TCP 3-way handshake

    • Attacker sends a series of SYN packets

    • No ACK

    • The server retains state for bogus half-open connections

    – Finite SYN_RECV queue size

    – No more resources (memory) for new legitimate connections, which are dropped!

    Diagram: Attacker → Server (Victim): SYN; Server → Attacker: SYN+ACK; Attacker: ACK? (never sent)

  • SYN Flood - Defense

    • SYN cookies

    – MD5 hash (src IP, src port, dst IP, dst port, and ISN in SYN)

    • Sent back as the ISN in its SYN-ACK

    – No state for half-open connections in memory

    • Until a valid ACK: SEQ = ISN+1

    • Store state after a valid ACK

    Enable (in /etc/sysctl.conf):

    net.ipv4.tcp_syncookies = 1

    Verify:

    cat /proc/sys/net/ipv4/tcp_syncookies

    sysctl -n net.ipv4.tcp_syncookies

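As an added example (not from the slides, and simplified relative to the Linux implementation, which also encodes the MSS), this Python models the SYN cookie scheme described above: the server's ISN is a keyed MD5 digest of the 4-tuple, the client's ISN from its SYN and a time slot, so no state is held until an ACK arrives that recomputes correctly. The secret, slot length and sample addresses are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Per-boot secret so cookies cannot be forged; constructed here for the example.
SECRET = os.urandom(16)
SLOT_SECONDS = 64      # cookie time slot; the current and previous slot are accepted
MASK32 = 0xFFFFFFFF


def _slot(now: float) -> int:
    return int(now) // SLOT_SECONDS


def _digest(src_ip, src_port, dst_ip, dst_port, client_isn, slot) -> int:
    """24-bit keyed MD5 over the 4-tuple, the client's ISN (from its SYN) and the slot."""
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.md5).digest()[:3], "big")


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now) -> int:
    """ISN the server sends in its SYN-ACK: top 8 bits = time slot, low 24 bits = digest.
    Nothing is queued, so a flood of SYNs costs the server only CPU."""
    slot = _slot(now)
    return ((slot & 0xFF) << 24) | _digest(src_ip, src_port, dst_ip, dst_port, client_isn, slot)


def validate_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now) -> bool:
    """Check the third handshake packet. The client acknowledges ISN+1 and sends
    its own ISN+1 as SEQ, which is everything needed to recompute the cookie.
    Connection state is allocated only after this returns True."""
    cookie = (ack - 1) & MASK32
    client_isn = (seq - 1) & MASK32
    for slot in (_slot(now), _slot(now) - 1):          # current and previous slot
        if (slot & 0xFF) != cookie >> 24:
            continue
        expected = _digest(src_ip, src_port, dst_ip, dst_port, client_isn, slot)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return True
    return False


def handshake_demo() -> dict:
    """Constructed exchange: a genuine client completes the handshake; an ACK from
    the wrong 4-tuple, a guessed ACK number and a stale ACK are all refused."""
    tup = ("198.51.100.7", 51234, "203.0.113.10", 443)   # constructed sample addresses
    client_isn = 0x1A2B3C4D
    t0 = 1_700_000_000.0
    isn = syn_cookie(*tup, client_isn, now=t0)            # value placed in the SYN-ACK
    return {
        "valid_ack": validate_ack(*tup, seq=client_isn + 1, ack=isn + 1, now=t0 + 1),
        "next_slot": validate_ack(*tup, seq=client_isn + 1, ack=isn + 1, now=t0 + SLOT_SECONDS),
        "stale_ack": validate_ack(*tup, seq=client_isn + 1, ack=isn + 1, now=t0 + 3 * SLOT_SECONDS),
        "wrong_tuple": validate_ack("198.51.100.8", 51234, *tup[2:],
                                    seq=client_isn + 1, ack=isn + 1, now=t0 + 1),
        "guessed_ack": validate_ack(*tup, seq=client_isn + 1,
                                    ack=(isn + 12345) & MASK32, now=t0 + 1),
    }


if __name__ == "__main__":
    for k, v in handshake_demo().items():
        print(f"{k}: {'accepted' if v else 'refused'}")
```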
  • Application Layer Attacks

    • Very common:

    – Scripting vulnerabilities

    – Buffer overflow

    – Cookie poisoning

    • Tamper with session information

    – Cross-site scripting

    • Client-side code injection

    – SQL injection

  • Application Layer - Defense

    • User input validation

    – SQL injection, cross-site scripting

    • Pen-test or vulnerability scan by experts

    – Scripting vulnerabilities

    – Buffer overflow (bounds checking)

  • Layer 7 DDoS Attack

    • Traditional DoS attacks focus on L3 and L4

    • On L7, the DoS attack targets applications, disguised as legitimate packets

    – Exhausts application resources (bandwidth, ports, protocol weaknesses)

    • Includes:

    – Slowloris

    – RUDY (R-U-Dead-Yet)

    • POST request with a long content length, writing the form slowly

    – LOIC/HOIC (Low/High Orbit Ion Cannon)

    • TCP/UDP/HTTP requests (HOIC: only HTTP, with scripts)

  • Layer 7 DDoS – Slowloris

    • Incomplete HTTP requests

    – No blank line (\r\n) terminating the request header

    • Properties

    – Low bandwidth

    – Keeps threads active

    • Only affects threaded web servers (Apache)

    • Doesn't work through load balancers

    – Keepalives to reset the timeout

  • Layer 7 DDoS – Defense

    • Load balancers

    – Delayed binding

    – Perform an HTTP request header completeness check

    • Request not sent to the server until the final \r\n (CRLF) is received from the client

    • Non-threaded web servers

    – Not vulnerable to slow header attacks

    • ModSecurity

    – Open source WAF plugin for Apache

    – Embedded or reverse proxy mode

    • In front of the web server

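The header completeness check a load balancer performs against Slowloris, as an added Python example (not from the slides or any product): connections are buffered in the front end and handed to a back-end worker only once the terminating blank line has arrived, and a deadline measured from the first byte closes connections that keep trickling header lines without ever finishing. The timeout value and the sample traffic are assumptions.

```python
class HeaderGate:
    """Front-end check a load balancer or reverse proxy can perform: buffer a
    client's request and hand it to a back-end worker only once the header block
    is complete, i.e. the terminating blank line (\\r\\n\\r\\n) has arrived.
    Connections that have not completed the header within `header_timeout`
    seconds of their first byte are closed, so no back-end thread is ever held."""

    def __init__(self, header_timeout: float = 10.0, max_header_bytes: int = 8192):
        self.header_timeout = header_timeout
        self.max_header_bytes = max_header_bytes
        self.pending = {}      # conn_id -> [buffer, time_of_first_byte]
        self.events = []       # (conn_id, outcome), what a real proxy would log

    def on_data(self, conn_id: str, data: bytes, now: float) -> str:
        """Feed bytes from a connection. Returns 'forward', 'pending' or 'close'."""
        entry = self.pending.setdefault(conn_id, [b"", now])
        entry[0] += data
        if b"\r\n\r\n" in entry[0]:
            del self.pending[conn_id]
            self.events.append((conn_id, "forward"))
            return "forward"
        if len(entry[0]) > self.max_header_bytes:     # endless or oversized header lines
            del self.pending[conn_id]
            self.events.append((conn_id, "close:header-too-large"))
            return "close"
        return "pending"

    def on_tick(self, now: float) -> list:
        """Periodic timer. The deadline counts from the first byte, so the extra
        header lines Slowloris sends as keepalives cannot extend it."""
        expired = [cid for cid, (_, started) in self.pending.items()
                   if now - started > self.header_timeout]
        for cid in expired:
            del self.pending[cid]
            self.events.append((cid, "close:header-timeout"))
        return expired


def simulate() -> dict:
    """Constructed traffic: one normal client and one slow client that sends a
    header line every 3 seconds and never the final CRLF."""
    gate = HeaderGate(header_timeout=10.0)
    normal = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: curl/7.88\r\n\r\n")
    outcomes = {"normal": gate.on_data("c1", normal, now=0.0)}

    gate.on_data("c2", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n", now=0.5)
    states = []
    for i in range(1, 6):
        t = 0.5 + 3 * i
        states.append(gate.on_data("c2", f"X-a: {i}\r\n".encode(), now=t))
        if gate.on_tick(now=t):
            outcomes["slow_closed_at"] = t
            break
    outcomes["slow_states"] = states
    outcomes["events"] = gate.events
    return outcomes


if __name__ == "__main__":
    print(simulate())
```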
  • DNS Changer

    • Anyone who controls your DNS controls what you see!

    • How:

    – Infect computers with malware

    – The malware changes the user's DNS settings

    • To the attacker's resolvers (specific address blocks)

    Countries affected by DNSChanger (2012): (map)

    Image Source: Kaspersky

  • DNS Changer - Defense

    • Find out if you are infected

    – FBI:

    • forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

    • 64.28.176.0/20; 67.210.0.0/20; 77.67.83.0/24; 85.255.112.0/20; 93.188.160.0/23; 213.109.64.0/20

    – DNSChanger Working Group:

    • www.dcwg.org/fix/

    • Clean up:

    – Run free anti-malware tools

    • The DNSChanger WG site maintains clean-up guides and a list of free tools to remove the malware

    – Firewall rules to only allow queries to legitimate servers

  • DNS Cache Poisoning

    • Resolvers caching incorrect records that did not originate from authoritative DNS servers

    • Result:

    – Redirect to sites (controlled by the attacker)

  • DNS Cache Poisoning

    Diagram (attacker pretending to be the authoritative zone ns.tashi.com):

    – 1: Client → DNS caching server: "I want to access www.tashi.com"

    – 2: Caching server → Root/GTLD, then → ns.tashi.com: query with QID=64571

    – 3: The attacker floods the caching server with forged replies "www.tashi.com 192.168.1.99", guessing QIDs (64569, 64570, 64571, …); QID=64571 matches! and is cached before the genuine reply "www.tashi.com 192.168.1.1" from ns.tashi.com (the web server at 192.168.1.1) arrives

  • Cache Poisoning - Defense

    • DNSSEC – DNS security extensions

    – Uses public-key crypto

    • Records (RRset) signed with the private key (authenticity and integrity)

    • Signatures (RRSIG) published in DNS responses

    • Public key published (DNSKEY) to verify signatures

    • Child zones sign their records with their private key

    • Parent signs the hash of the child's public key - DS (chain-of-trust)

  • Cache Poisoning - Defense

    DNSSEC resolution (diagram, steps 1 to 8):

    – Client (stub resolver) → Recursive server (which holds the root's public key): "Where is www.apnic.net?" (DO bit set)

    – Recursive server queries the Root server, the .net TLD and apnic.net (authoritative); each step returns a signed referral (RRSIG, DNSKEY, DS), which the recursive server validates against the chain of trust and caches

    – Recursive server → Client: www.apnic.net is at 61.45.255.100 (secure resolution)

  • Amplification Attacks

    • Exploit UDP protocols to return large, amplified amounts of data

    – Small request, LARGE reply

    • Examples:

    – DNS

    – NTP

    – Memcached

  • DNS Amplification Attack

    • A type of reflection attack combined with amplification

    – The source of the attack is reflected off other machine(s)

    – The traffic received is bigger (amplified) than the traffic sent by the attacker

    • The UDP packet's source address is spoofed

  • DNS Amplification

    Diagram: Attacker → Bots → Open DNS resolvers (which resolve www.example.com 192.168.1.1 via Root/GTLD and ns.example.com) → Victim; the bots send queries (ANY) with a spoofed (victim's) IP, so the large replies are delivered to the victim

    dig ANY www.example.com @8.8.8.8 +edns=0 +notcp +bufsize=4096 +dnssec

  • Source IP Spoofing – Defense

    • BCP38 (RFC2827)

    – Since 1998!

    – https://tools.ietf.org/html/bcp38

    • Only allow traffic with valid source addresses to

    – Leave your network

    • Only from your own address space

    – Enter/transit your network

    • Only from downstream customer address space

  • uRPF – Unicast Reverse Path

    • Unicast Reverse Path Forwarding (uRPF)

    – The router verifies that the source address of any packet received is in the FIB table and reachable (routing table)

    • Drop if not valid!

    – Recommended on customer-facing interfaces

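An added Python model (not from the slides or any router vendor) of the two ingress checks above, BCP38 address-space filtering and uRPF: a small FIB with longest-prefix match, strict uRPF that requires the source to route back out the ingress interface, loose uRPF that only requires some route, and a BCP38 egress rule. The prefixes and interface names are a constructed example network with no default route.

```python
import ipaddress


class Fib:
    """Minimal forwarding table: (prefix, outgoing interface) pairs with longest-prefix match."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr: str):
        a = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if a.version == net.version and a in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, iface)
        return best[1] if best else None


def urpf_permit(fib: Fib, src: str, in_iface: str, mode: str = "strict") -> bool:
    """Unicast RPF on an ingress interface. Strict: the FIB must route the source
    back out the interface the packet arrived on. Loose: any route to the source
    suffices (with a default route installed, loose mode passes almost anything,
    so it is mainly for multihomed edges with asymmetric paths)."""
    out_iface = fib.lookup(src)
    if out_iface is None:
        return False                    # no route back to the source: spoofed or bogon
    if mode == "loose":
        return True
    return out_iface == in_iface


def bcp38_egress_permit(src: str, own_space) -> bool:
    """BCP38 at the edge: packets may leave only with a source from our own address space."""
    a = ipaddress.ip_address(src)
    return any(a in ipaddress.ip_network(p) for p in own_space)


# Constructed example network: two customer-facing interfaces, one upstream, no default route.
FIB = Fib([
    ("198.51.100.0/24", "Gi0/1"),      # customer A
    ("198.51.100.128/25", "Gi0/2"),    # customer B, a more specific carved out of A's block
    ("203.0.113.0/24", "Gi0/0"),       # reached via the upstream
])
OWN_SPACE = ["198.51.100.0/24"]


def classify(packets, mode: str = "strict") -> dict:
    """Run uRPF over (src, in_iface) pairs; returns the decision per packet."""
    return {(src, iface): urpf_permit(FIB, src, iface, mode) for src, iface in packets}


if __name__ == "__main__":
    sample = [("198.51.100.7", "Gi0/1"), ("198.51.100.200", "Gi0/1"),
              ("198.51.100.200", "Gi0/2"), ("203.0.113.9", "Gi0/1"),
              ("192.0.2.5", "Gi0/1")]
    for (src, iface), ok in classify(sample).items():
        print(f"{src} in on {iface}: {'permit' if ok else 'drop'}")
```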
  • NTP Amplification

    • UDP 123

    • NTP versions older than v4.2.7p26 are vulnerable to the "monlist" attack (CVE-2013-5211)

    – Made easier by open NTP servers (time.google.com)

    – monlist fetches the MRU list of NTP (600) associations

    ntpdc -n -c monlist

    • Several incidents in 2014

    – 400Gbps attack on a cloud provider

  • NTP Amplification - Defense

    • BCP38

    • Upgrade the NTP (ntpd) server

    – To v4.2.7p26 or later

    – Removes/disables the "monlist" command; replaced with "mrulist"

    • Requires proof that the command came from the address in the NTP packet

    • In older versions:

    – Disable ntp monitor and do not answer ntpq/ntpdc queries

    vi /etc/ntp.conf

    disable monitor
    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery

  • Transport Layer Security

    • SSL/TLS

    • Secure Shell (SSH)

  • Application Layer Security - Encryption

    • HTTPS

    – PKI/centralised trust

    • PGP (Pretty Good Privacy)

    – Web of trust (decentralised trust)

    • S/MIME (Secure Multipurpose Internet Mail Extensions)

    – Chain of trust (centralised trust/CA)