
Sunday, April 8, 2018

Protect yourself from Cisco Smart Install Attack and others. ToDo list

I can see a lot of publications about the Cisco Smart Install attack on April 6, 2018. Vendor and researchers started an interesting war of words, like a rap battle. Let's try to be an independent side in this battle. I want to share my experience of how to protect your infrastructure from such attacks.

On March 28, 2018 Cisco published 2 Smart Install vulnerabilities:

But the community forgot other vulnerabilities from March 28, 2018:
The exploit is not published for free yet, but that is not a reason to ignore these vulnerabilities. One can be sure that some people have this exploit. And you must protect your devices now, because it is not too late yet.

Sunday, February 4, 2018

NZNOG18: Protect yourselves and others from DDoS

Video of my talk at the NZNOG18 conference.
The preview picture is visible in the post body, but at the rights holder's request the embedded video does not play, so you have to go to YouTube. My talk starts at the 28th minute, but the Geoff Huston presentation is also worth listening to.



Saturday, January 6, 2018

Firefox fix for Meltdown and Spectre

If you believe Firefox, "it's fast. Really fast. It's over twice as fast as Firefox from 6 months ago."
It will soon be as fast as any browser.
But the main feature is the fix for Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715):



Indeed. This post is written with Firefox 57.0.4...

Friday, September 8, 2017

IoT and Enterprise Infrastructure Cybersecurity Level with SANS TOP20 CSC

My previous note (RU) lists the IoT components that must be protected. Another one (RU) lists the action plan needed from IoT vendors. Let's try to evaluate the influence of IoT solutions on the company infrastructure after implementation. The evaluation is qualitative and it checks the enterprise for compliance with the SANS TOP20 CSC list.



Tuesday, January 3, 2017

New Year: SNMP default community quantity dynamics

In summer 2016 I provided a brief analysis of IPv4 addresses with the SNMP default community (sources of SNMP Amplification DDoS attacks) by country (Russian article). The year is new but the security holes are old.

The New Year SNMP report from Shodan, compared with the June one, shows the following dynamics for the integral TOP-10:

Country    2016      2017      Fixed, %
Brazil     1430670   1041122   27,23
USA        326735    240677    26,34
India      307155    210282    31,54
Korea      170979    173178    -1,29
China      121235    92019     24,10
Thailand   120263    61077     49,21
Colombia   104903    59178     43,59
Italy      87020     78970     9,25
Turkey     80880     50824     37,16
Iran       79506     57866     27,22

New Year: DNS open resolvers quantity dynamics

In summer 2016 I provided a brief analysis of open DNS resolvers (sources of DNS Amplification DDoS attacks) by country. Using the same Shodan, I decided to make a New Year report and to calculate the dynamics. The year is new but the security holes are old.

So the New Year report for DNS servers with open recursion, compared with the June one, shows the following dynamics for the world integral TOP-10:

Country   2016      2017      Fixed, %
China     1066365   604080    43,35
Taiwan    308033    244719    20,55
USA       254265    206442    18,81
Korea     252341    232386    7,91
Russia    172123    131060    23,86
India     160751    115616    28,08
Brazil    155392    155889    -0,32
Turkey    97970     74572     23,88
Japan     58950     49473     16,08
Italy     46168     54122     -17,23

Saturday, October 29, 2016

IPv6 Security: to NAT or not to NAT?

There was an interesting talk at the SGNOG3 conference in Singapore titled Security in an IPv6 World: Myths and Reality.

In spite of the large amount of useful information, I found one slide that pointed to NAT as a security "myth". It also states that NAT can even reduce security and that a stateful firewall is the Bruce Willis of IPv6.


It is a point for discussion.

It is clear that NAT and other technologies are not a "secure all" button. It is a tool. One can use it in the right way and another may use it in the wrong way. So it is possible both to increase and to decrease the security level using the same technology with different approaches.

Let's examine the firewall. It is a security device and it must make the network safer if used. If you swap some L3 device in a network segment for a stateful firewall, you do not become much more protected by its default functions alone. If you don't use ACLs, uRPF and other features, you may feel a false sense of safety. This state of false safety is a very harmful factor. It is the same situation as when a man buys a gun to protect himself but psychologically cannot shoot. The result may be more tragic than in the case of the gun's absence.

Thursday, October 6, 2016

Protect You and Others from DDoS. Make Your Network "Cleaner" Part 1. DNS Amplification

This article was published in the May issue of the "System Administrator" journal (Russian). The original text is also available in Russian.

If you want to make a contribution to world-wide cyberspace security and DDoS protection, it is not necessary to buy expensive equipment or services. Any admin of an Internet-facing server may take part in such a noble action with no additional money, investing only time and knowledge.

Let's analyze "amplification" DDoS attacks using DNS.

Sunday, August 21, 2016

EPICBANANA exploit for Cisco firewalls: checklist and fix

The article in the Cisco blog with the EXTRABACON description also has information about the EPICBANANA exploit, executed via the CLI.
The list of vulnerable devices is much shorter than the SNMP one and consists of the ASA 5500 series, ASA 5500-X series, PIX and FWSM.
The exploit is able to cause a denial of service condition or arbitrary code execution by invoking certain invalid commands on an affected device. But an attacker must:
  • Know an ASA interface IP address with ssh or telnet permitted.
  • Know the login and password.
  • Connect to the box from a trusted IP address.
So it is not a very hard-to-protect situation, but this bug is still a bug.

Saturday, August 20, 2016

EXTRABACON SNMP-exploit for Cisco firewalls - diagnostics, workaround and fix

There have been a lot of discussions lately about the NSA exploits published by the Shadow Brokers. But the situation became interesting when Cisco responded to the posted information with a confirmation of the exploits.
The Cisco blog contains an article about the Shadow Brokers' exploits. It provides some clarity in the context of the danger: to fear or not to fear, who must be afraid of this, what the subject of the fear is and how to fear.
Additional thanks to Maxim Zimovets (Cisco lvl80 engineer) for the emergency analysis and the vendor-side conclusion.

Friday, April 22, 2016

Does DNS use TCP or UDP? RFC says...

Usually we mean that DNS uses UDP port 53, but TCP port 53 is reserved for DNS too.
After some time, one question may become interesting for any specialist working in information technologies or information security:

When does DNS use UDP and when TCP?

The answer is provided by RFC 5966, section 4, Transport Protocol Selection, where you may find such statements:
Most DNS [RFC1034] transactions take place over UDP [RFC0768].  TCP
[RFC0793] is always used for zone transfers and is often used for
messages whose sizes exceed the DNS protocol's original 512-byte
limit.
So every request except a zone transfer (query type AXFR) or a large message (more than 512 bytes) is carried over UDP.
One can ask: "Why must AXFR and large messages use TCP?" The reason is the ability to abuse UDP-based services with large responses for DDoS attacks.
All general-purpose DNS implementations MUST support both UDP and TCP
transport.
It means that each DNS server implementation must support both transport protocols.
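As an added example (not part of the original post), the following Python sketches the client-side transport decision the RFC text describes: AXFR goes straight to TCP, other queries start on UDP and fall back to TCP when the reply has the TC (truncated) bit set, and TCP messages carry a two-byte length prefix. The query builder and the sample replies are constructed inline, so nothing touches the network.

```python
import struct
from typing import List, Optional

QTYPE_A, QTYPE_AXFR = 1, 252
FLAG_TC = 0x0200  # TC (truncated) bit in the DNS header flags word


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Encode a minimal RFC 1035 query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def is_truncated(response: bytes) -> bool:
    """The server sets TC when the answer did not fit in the UDP datagram."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_TC)


def frame_for_tcp(message: bytes) -> bytes:
    """Over TCP every DNS message is prefixed with its big-endian 2-byte length."""
    return struct.pack("!H", len(message)) + message


def transport_sequence(qtype: int, udp_response: Optional[bytes]) -> List[str]:
    """Transports a client uses, in order: TCP only for AXFR, otherwise UDP,
    then TCP again if the UDP reply came back truncated."""
    if qtype == QTYPE_AXFR:
        return ["tcp"]
    used = ["udp"]
    if udp_response is not None and is_truncated(udp_response):
        used.append("tcp")
    return used


# Constructed sample replies (header only; question/answer sections omitted):
# flags 0x8180 = QR,RD,RA; flags 0x8380 additionally has TC set.
NORMAL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com", QTYPE_A)
    print(len(q), transport_sequence(QTYPE_A, NORMAL_REPLY))  # 29 ['udp']
    print(transport_sequence(QTYPE_A, TRUNCATED_REPLY))  # ['udp', 'tcp']
    print(transport_sequence(QTYPE_AXFR, None), frame_for_tcp(q)[:2])  # ['tcp'] b'\x00\x1d'
```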

Sunday, April 3, 2016

Routing and ACL direction

Sometimes I see questions about which ACL direction is needed for traffic filtering on network equipment.

Let's suppose a case where a PC is located in the network 10.0.10.0/24 and a DNS server in 10.0.20.0/24. See the picture.

Thursday, March 31, 2016

SPAN-aggregation and packet brokers. Packets deduplication


One may ask: is it really possible to implement TAPs and brokers so carelessly that packets get duplicated? Yes, of course, and it does not indicate the architects' stupidity. E.g. we need datacenter traffic analysis. So it is necessary to mirror the datacenter uplinks (no matter whether Internet or corporate) to have incoming/outgoing traffic visibility, and also the aggregation/service layer links, according to the datacenter network design. An inbound/outbound packet has no duplicates if it goes to a segment connected via dedicated physical lines, with no router/firewall on a stick, etc.

Tuesday, March 29, 2016

IDS/IPS implementation phase 3. Open source vs proprietary

The previous part, "Throughput Metering", was described here.

According to the calculations it is possible to define which solution may be appropriate for a network segment with given bandwidth requirements. Then we must decide whether to implement a proprietary solution or use an open source one. A commercial product must satisfy the functional requirements, and its weighting also includes such parameters as the solution price and the level, conditions and cost of technical support. We also need to decide what to use: a hardware appliance, a software product or a virtual appliance. In the case of software/VM we must include additional money for the hardware resources used by the solution. In the case of hardware it is important to understand the government import/export policy and the vendor's ability to provide a replacement for a faulty device within the SLA-defined terms.

Thursday, February 25, 2016

IDS/IPS implementation. Phase 2. Throughput metering


Usually intrusion detection in corporate network traffic is provided without the ability to affect production services. This mode is named IDS (Intrusion Detection System). An IDS may also be integrated with the active network equipment to be able to block the attacker's host or network (IDS shun). Another way is to use the sensor in active protection mode, called inline IPS (Intrusion Prevention System), or with the ability to terminate TCP sessions by sending RST packets to the source and destination hosts of the malicious session. Let's analyze the IDS and IPS modes according to the network integration requirements.