NZNOG 2010 – Day 1 – Session 3

NZ Internet Task Force – Paul McKitrick

  • Out of Cyberstorm planning session – “what to do about botnets?”
  • Task Force has Steering Committee
  • Trust is essential – New members vetted – slow growth of membership
  • Protocol on how widely specific pieces of information can be shared
  • Information sharing – networking – training courses (Honeynet Project, Shadowserver Foundation, Team Cymru)
  • Focus areas – Telecommunications (telecom honeynet, Uni grads seconded to telecom, Walled Gardens) – Research (Botsearch.py, VUW honeynet, data brokerage) – Strategy (Phishing site takedowns, Nat Cyber Security Day 2010, NZ Computer Crime and Security project)
  • NZ IPs sending 110 million spams per day
  • Why – good for “.nz inc” , Opportunities for research, networking, conduit for disclosure

Bits on a Budget – Perry and Jamie

  • Challenging the belief that PCs running Linux are useful only for slow, small, unimportant routing jobs
  • Changes in the last few years mean this may need to be re-evaluated
  • What changed – PC arch, Intel stopped sucking, QuickPath Interconnect, PCIe, multicore – Substantial improvement in Linux – Multiqueue RX/TX to take advantage of multicore
  • Intel X520 10 GigE cards – Significant hardware offload – TCP segmentation, generic receive offload, checksumming, multiple input/output queues, input flow director
  • Well over 10Gb/s to hardware from CPU to I/O with PCIe
  • Server $9k – Dual intel x5570 – 6 x 4GB DDR3 – SuperMicro X8DTE with 1 io hub – Server grade redundant PSU – NIC $3k , 2x Dual port Intel x520 10GE Nic + optics – Debian Lenny – Linux 3.6.32.5 vanilla
  • created traffic generators as test setup – 45 machines
  • 1 sender 1 receiver ( 11 boxes to 11 boxes ) – 9.8Gb/s – 1.2Mpps
  • 2 senders , 2 receivers – 18Gb/s [ missed getting other stats but saturated links ]
  • 3.5Mpps before collapse , PCIe thrashing, NUMA inefficiencies , Young NIC drivers
  • Bridging instead of routing – L2 filters – performance approx same as IP routing
  • Firewalling – Stress box with lots of small TCP connections (hard to create, generator needs to hold up hundreds of thousands of sessions) – Open, receive 4k data, close – lots of tweaks to create traffic – Conntrack entry table defaults to 65k, upped to 10 mil
  • Firewalling – 150,000 connections/second reached (5Gb/s)
  • Firewalling – without conntrack – saturates 10Gb/s
  • Number of rules in FW – 10Gb bi-directional, packet loss at 128-256 rules, no tuning – double that for single-direction – test has each packet going through each rule
  • Do you need to be an expert ? – If very fast, very cheap, then yes
  • Vyatta busy making this very easy – only pay for support, software is free
  • GigE (even lots of ports) is pretty easy
  • What experts do – Results over 90GB/s ( 40 in , 40 out ) on current hardware – People investigating for commercial reasons

Secure BGP – Geoff Huston

  • Anything evil is possible on the Internet
  • If I were evil, through routing I’d attack DNS and forward to an interceptor web server. Attack NZ-based banks from overseas so it appears OK here
  • Through routing, attack – route registry system, DNS root, trust anchors for TLS, critical public servers, overwhelm the routing system
  • Large networks advertised (/8s etc) by various networks with no obvious reason why. Same with AS numbers – v6 too
  • Nobody notices or cares about bogus routes being originated
  • Today’s networking is very insecure
  • Easy to – grab traffic, drop traffic, add false addresses to the routing system, isolate or remove a router from the system. Don’t need to hack the router, just inject false routing information
  • What to do – protect your routers – standard security (ssh access, maintain filter lists, user account management, access log maintenance, snmp ACLs, etc)
  • What to do – BGP filters, MD5, passwords, prefix limits, watch out for errors causing the BGP session to reset or come down – look at Rob Thomas’ BGP config templates
  • What to do – Check validity of routes your customers ask you to route before adding them to access control
  • Alternatively – can BGP check each update to make sure it reflects the way things actually are?
  • RIRs sign who owns IPs, so routing changes for that network are in turn signed: resource certificates. Sign derivative certs for sub-delegations of that resource
  • “AS 65000 can route 192.2.200.0/24” signed by the owner of that network.
  • What about path validation (the signed AS above can just be prepended)? A bit harder – some progress, funding and test implementations
  • Solution must cope with “partial use and deployment”; some good players will not use it any time soon
  • A partially secured environment may be more operationally expensive but no more secure than what we have today
  • Trust hierarchy is a “concentration of vulnerability” – single point of attack
  • Only want to achieve useful outcomes?
  • Perhaps just anomaly detection to spot a large percentage of the problems
  • Will need key management systems and processes within companies like with website SSL certs
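Route origin validation as sketched above (RIR-signed “AS 65000 can route 192.2.200.0/24” statements, checked against each update, with partial deployment in mind) can be shown in a few lines. The following is an added example, not code from the talk or from any RPKI implementation: the ROA set, AS numbers and announcements are constructed (documentation prefixes plus the talk’s own example statement), the `max_length` field and the three outcome states follow the usual ROA semantics, and the accept/reject/log policy for the unsigned remainder is an assumed local choice.

```python
"""Route origin validation against signed "AS X can route P" statements.

Constructed example: the ROA set and the announcements below are made up
(documentation prefixes and private AS numbers), not data from the talk.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: the holder of `prefix` states that
    `origin_as` may originate it, down to `max_length` bits."""
    prefix: str
    max_length: int
    origin_as: int


def validate_origin(announced_prefix, origin_as, roas):
    """Return 'valid', 'invalid' or 'not_found' for one announcement.

    valid:     some ROA covers the prefix, names this origin AS and allows
               the announced prefix length.
    invalid:   at least one ROA covers the prefix but none matches.
    not_found: no ROA covers the prefix at all (the undeployed part of a
               partially secured routing system).
    """
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # Skip ROAs of the other address family or that do not cover this prefix.
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not_found"


# Assumed local policy for partial deployment: drop only what a signed
# statement contradicts, and accept-but-log what nobody has signed for.
POLICY = {"valid": "accept", "invalid": "reject", "not_found": "accept-and-log"}


def triage(announcements, roas):
    """Evaluate (prefix, origin_as) pairs; returns a list of
    (prefix, origin_as, state, action) tuples."""
    results = []
    for prefix, origin_as in announcements:
        state = validate_origin(prefix, origin_as, roas)
        results.append((prefix, origin_as, state, POLICY[state]))
    return results


# Constructed ROA set: the talk's example statement plus one IPv6 ROA.
SAMPLE_ROAS = [
    ROA("192.2.200.0/24", 24, 65000),   # "AS 65000 can route 192.2.200.0/24"
    ROA("2001:db8::/32", 48, 65001),    # holder lets AS 65001 announce down to /48
]

# Constructed announcements as a router might receive them.
SAMPLE_ANNOUNCEMENTS = [
    ("192.2.200.0/24", 65000),   # exactly what was signed
    ("192.2.200.0/25", 65000),   # right AS, but more specific than max_length
    ("192.2.200.0/24", 64512),   # wrong origin AS: a hijack or a config error
    ("198.51.100.0/24", 64512),  # nobody has signed anything for this prefix
    ("2001:db8:1::/48", 65001),  # IPv6 announcement within the signed range
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS):
        print("%-18s AS%-6d %-10s -> %s" % row)
```

The third entry is the case the talk cares about: the prefix is covered by a signature naming a different AS, so it is rejected without anyone having to hack a router or eyeball the table. The fourth entry shows the partial-deployment problem, since an unsigned prefix cannot be distinguished from a bogus one by this check alone, which is where the anomaly detection mentioned below has to take over.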

Trends in Cybercrime – Marcel van der Berg

  • Plenty of bots in NZ
  • Few command and control servers in NZ
  • Approx 5000 unique IPs in NZ seen each day – trending up slightly long term
  • Increase in HTTP botnets; IRC botnets more static – around 500 controllers
  • C&C servers – IRC based in US and EU – HTTP based in US, China, Russia
  • 1 million open recursive DNS servers just used in 1 attack
  • Resurgence of “pay per install” business – stable botnet platforms offer lucrative models
  • “dumps” – information on magnetic stripe cards – reseller network – from ATMs / POS / payment processors / personally / in transit / any database holding data
  • “CVV” – personal data (addresses, names, etc)
  • Make credit cards to match info from dump
  • “201” cards with chip on them harder to write/use and numbers are worth less. Perhaps $50 for the blank card
  • It’s all about the people. It’s all about the money