
Network Protocol Tunneling



  1. Network Protocol Tunneling: Network Security’s Friend or Foe. Spyridon Dossis / DSV, Stockholm University

  2. Outline • Description & Concerns • Tunneling Protocols & Protocol Tunneling • Network Tunneling Tools & Setup • Demo • Conclusions

  3. Network Protocol Tunneling • A delivery network protocol encapsulates a payload network protocol • The delivery protocol usually operates at the same or a higher layer of the TCP/IP stack than the payload protocol (IP inside IP, or TCP inside HTTP), which is what lets the payload cross networks and middleboxes that would not carry it natively

  4. Protocol Tunneling & Covert Channels • Protocol Tunneling • Inverts the normal order of protocol encapsulation (a lower-layer protocol rides inside a higher-layer one) • Obfuscation rather than hiding: the carrier traffic is visible, only the payload is disguised • Practical use cases & misuse • Covert Channels • Channels not intended for information transfer • Hiding data in unused or loosely checked header fields such as IP ID, TCP sequence number, etc. • Network steganography

  5. Common Uses • Carry data over incompatible delivery networks • Provide an (encrypted) path through a public network • Monitoring vs anti-censorship • Allowing “some kind” of traffic may lead to “any kind”: a tunnel turns the one permitted protocol into a carrier for all the others

  6. Misuse of Network Tunneling • Pre-existing network-based security tools (firewalls, IDS) cannot apply their controls to traffic they see only as the carrier protocol • Evading traffic regulation • Lack of host-based security controls • Defense in depth • Ingress and egress filtering cannot be applied to the encapsulated traffic • An ‘open-ended’ tunnel (e.g. a dynamic or unrestricted port forward) may forward traffic to other internal hosts

  7. Network Tunneling – Rising Concerns • Advanced Persistent Threats (APTs): remote control & data exfiltration • Backdoors with OS command execution and file-transfer capabilities are installed on target systems • Collected files are uploaded over commonly allowed ports such as HTTP (80), HTTPS (443) and DNS (53) to evade detection • Covert channels for malware • e.g. C&C communications over DNS (Feederbot, W32.Morto)

  8. Outline • Description & Concerns • Tunneling Protocols & Protocol Tunneling • Network Tunneling Tools & Setup • Demo • Conclusions

  9. IPSec Tunnel Mode • The original IP packet is encrypted in its entirety and becomes the ESP payload (IP-in-IP) • The Next Header field of the ESP trailer identifies that payload as an IP packet • A new outer IP header is inserted whose next header (protocol) is ESP Image taken from http://www.free-it.de/archiv/talks_2005/paper-11156/paper-11156.html

  10. IPSec Tunnel Mode • Security services from gateway to gateway or from host to gateway over an insecure network • The entire original packet is encrypted, so the inner addresses and ports are hidden from the path • Internal traffic behind the gateways is not protected • Often used to implement Virtual Private Networks (IPsec VPNs) • Site-to-site • Client-to-site

  11. GRE – Generic Routing Encapsulation • “This document specifies a protocol for encapsulation of an arbitrary network layer protocol over another arbitrary network layer protocol” – RFC 2784 (extended by RFC 2890) • Point-to-point links Image taken from http://netwild.ru/pptp/

  12. GRE and IP • Ethernet over IPv4/IPv6 (e.g. OpenStack Neutron tenant networks) • Support for tunneling broadcast/multicast traffic • e.g. Delivering routing updates to multiple sites • IPv4/IPv6 over IPv4/IPv6 • No encryption or other security services of its own • Combine with IPsec (GRE over IPsec, in transport or tunnel mode) when confidentiality and integrity are required

  13. IPv6 over IPv4 Transition Mechanisms • Tunnel brokers provide a network tunneling service • 6in4 – IPv6 over IPv4 (IP protocol 41) • 4in6 – IPv4 over IPv6 • ISATAP • Teredo – IPv6 over UDP over IPv4, which also crosses NAT • …and others

  14. SSH (Secure Shell) Protocol • Secure channel over an insecure network between an SSH client and an SSH server (e.g. OpenSSH), typically listening on TCP port 22 • Public-key cryptography for server (and optionally client) authentication • Remote command execution, file transfer (SCP, SFTP), TCP port forwarding, X forwarding, tunneling

  15. SSH Local-port forwarding • Traffic arriving at a port on the SSH client is carried through the SSH connection and delivered by the SSH server to a specified host/port • The destination is resolved and reached from the SSH server’s side and is mostly unrestricted (sshd’s PermitOpen is the exception) • The listening port on the client can be bound to localhost only or exposed to other hosts (bind address / -g)

  16. SSH Remote-port forwarding • Traffic arriving at a port on the SSH server is carried back through the SSH connection and delivered by the SSH client to a specified host/port • The destination is resolved and reached from the SSH client’s side and is mostly unrestricted • The listening port on the server can be bound to localhost only or exposed to other hosts (sshd’s GatewayPorts)

  17. SSH Static Forwards Limitations • Work well for single host/port communications • Simple Web (HTTP) • Mail (SMTP, POP3, IMAP) • SSH • Fail for services that open further connections to other hosts or ports • Web with external references / general surfing • Solution: chain the forward to a web proxy • FTP (separate data connections) • Peer-to-peer

  18. SSH Dynamic-port Forwarding • The SOCKS protocol proxies TCP connections (and, in SOCKS5, forwards UDP packets) from a client to a server through a proxy • A local SOCKS proxy is created on the SSH client’s side (ssh -D) and can forward traffic to arbitrary remote hosts and ports as seen from the SSH server • OpenSSH implements only the TCP CONNECT part of SOCKS4/5, so UDP is not carried • Firewall traversal / content-filtering circumvention

  19. SSH X forwarding • Run remote X Window System based applications displayed locally • An X server is needed on Windows clients • Secures the X protocol by tunneling it over SSH • ssh -X user@host <application> • e.g. run a remote browser to visit a website that is blocked locally

  20. ICMP Tunneling • “An ICMP ECHO_REQUEST packet contains an additional 8 bytes worth of ICMP header followed by an arbitrary amount of data” – ping(8) man page • LOKI (Phrack Issue 49) utilized this to establish a covert channel between client and server • IP over ICMP • TCP over ICMP

  21. ICMP Tunneling – A Sample

  22. HTTP Tunneling • Various network protocols are encapsulated in HTTP requests and responses • HTTP is rarely blocked • Bypasses restrictions • Firewalls • Proxy servers / content filtering

  23. HTTP Tunneling – A Sample

  24. DNS Tunneling - Overview • Transport arbitrary data by encoding it into DNS messages • Wide support and availability of the global DNS infrastructure • Few networks block DNS traffic from individual clients to the Internet; even captive portals in public Wi-Fi usually let DNS through before authentication • Effective for bypassing security measures such as firewalls or ACLs • Used for two-way communication or data exfiltration

  25. DNS Tunneling - History • Around since 1998 • NSTX (Nameserver Transfer Protocol) • OzymanDNS (Dan Kaminsky) – “Tunneling Audio, Video and SSH over DNS” • Used mostly for bypassing paywalls (e.g. paid Wi-Fi hotspots)

  26. DNS Primer • Mapping between domain names and IP addresses • Record types • A, AAAA, CNAME, MX, NS, PTR, TXT, NULL • EDNS0 allows UDP payloads larger than 512 bytes • Increased bandwidth for a tunnel • Internal users can contact arbitrary external domains through the organization’s DNS servers/resolvers, even when they have no direct Internet access

  27. DNS Recursive Resolution Image taken from http://nirlog.com/2006/03/28/dns-amplification-attack/

  28. DNS Tunneling – A Sample

  29. DNS Tunneling - Limitations • Maximum 253 characters in a domain name • Maximum 63 characters per label (subdomain) • Names are case-insensitive, so upstream data is Base32-encoded • TXT responses can carry 8-bit data up to the maximum record size, so downstream data is Base64-encoded or sent raw • Bandwidth up to 110KB/s, 150ms latency (Van Leijenhorst, 2008)
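The label and name limits above decide how much a tunnel can push upstream per query. The following is an added example, not code from the presentation or from any tunnelling tool: it base32-encodes a payload, splits it into 63-character labels under a tunnel domain, refuses names over 253 characters, and reassembles the chunks on the other side. The domain t.example.net and the leading hex sequence label are assumptions of this example.

```python
"""Upstream encoding for a DNS tunnel, showing where the 63-octet label and
253-character name limits bite. Added example, not code from the presentation
or from any tunnelling tool; "t.example.net" is an assumed tunnel domain and
the hex sequence label is an assumed framing convention."""
import base64

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # 255 octets on the wire minus the root label and its length byte


def b32(data: bytes) -> str:
    # DNS names are case-insensitive and resolvers may randomise case (0x20),
    # so the client->server direction uses base32. '=' padding is not a valid
    # hostname character; it is stripped here and restored in unb32().
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def unb32(text: str) -> bytes:
    return base64.b32decode(text.upper() + "=" * ((-len(text)) % 8))


def encode_query(payload: bytes, seq: int, tunnel_domain: str) -> str:
    """One query name: <seq hex>.<b32 label>...<b32 label>.<tunnel_domain>."""
    text = b32(payload)
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    name = ".".join([format(seq, "x"), *labels, tunnel_domain])
    if len(name) > MAX_NAME:
        raise ValueError(f"query name is {len(name)} chars, limit is {MAX_NAME}")
    return name


def decode_query(name: str, tunnel_domain: str) -> tuple[int, bytes]:
    """Server side: recover (seq, payload) from a query name, any letter case."""
    suffix = "." + tunnel_domain.lower()
    if not name.lower().endswith(suffix):
        raise ValueError("not a query for the tunnel domain")
    seq_label, *labels = name[: -len(suffix)].split(".")
    return int(seq_label, 16), unb32("".join(labels))


def bytes_per_query(tunnel_domain: str, worst_seq: int = 0xFFFF) -> int:
    """Largest payload encode_query() accepts for this domain, found by search
    with a 4-hex-digit sequence label as the worst case."""
    n = 0
    while True:
        try:
            encode_query(bytes(n + 1), worst_seq, tunnel_domain)
        except ValueError:
            return n
        n += 1


def chunk_payload(data: bytes, tunnel_domain: str) -> list[str]:
    """Split data into as few query names as the name limit allows."""
    size = bytes_per_query(tunnel_domain)
    return [encode_query(data[i:i + size], seq, tunnel_domain)
            for seq, i in enumerate(range(0, len(data), size))]


def reassemble(names: list[str], tunnel_domain: str) -> bytes:
    """Reorder by sequence number (queries may arrive out of order) and join."""
    parts = sorted(decode_query(n, tunnel_domain) for n in names)
    return b"".join(payload for _, payload in parts)


if __name__ == "__main__":
    domain = "t.example.net"
    print("bytes per query for", domain, "=", bytes_per_query(domain))
    names = chunk_payload(bytes(range(256)) * 2, domain)
    print(len(names), "queries, longest", max(map(len, names)), "chars")
    print(names[0])
```

For a 13-character tunnel domain this yields 144 raw bytes per query, which is why a short tunnel domain matters to an attacker and why a defender sees long, dense, mostly unique names.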

  30. Outline • Description & Concerns • Tunneling Protocols & Protocol Tunneling • Network Tunneling Tools & Setup • Demo • Conclusions

  31. SSH Local-port forwarding

  32. SSH Remote-port forwarding

  33. UDP over SSH Static Forwards • Combined with netcat • Establish a local/remote port forward over SSH with an SSH server • Create a FIFO special file (a named pipe) on both sides • Client side: listen for UDP requests and relay them into the SSH tunnel • Server side: read from the tunnel and forward the requests as UDP, relaying the replies back • tcp_to_udp & udp_to_tcp • socat relay & UDPTunnel (UDP over TCP)
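The netcat/FIFO relay works for one request and one reply, but a TCP stream has no message boundaries, so back-to-back datagrams (several DNS queries, for instance) can be coalesced or split by the relay's reads. Tools such as UDPTunnel add a length header for that reason. The following is an added example, not code from the presentation or from udptunnel/socat: it frames each datagram with an assumed 2-byte length prefix and shows a deframer that recovers whole datagrams from arbitrary stream chunks, next to the unframed behaviour.

```python
"""Framing needed when UDP datagrams are relayed across a TCP stream (an SSH
forward, or a netcat/FIFO relay). Added example, not code from the
presentation or from udptunnel/socat; the 2-byte length prefix is an assumed
wire format."""
import struct

MAX_DGRAM = 65_535  # a UDP payload never exceeds this, so 16 bits of length suffice


def frame(datagram: bytes) -> bytes:
    """Prefix one datagram with its big-endian 16-bit length."""
    if len(datagram) > MAX_DGRAM:
        raise ValueError("datagram too large for a 16-bit length prefix")
    return struct.pack("!H", len(datagram)) + datagram


class Deframer:
    """Feed arbitrary TCP chunks in; get whole datagrams out, however the
    stream was split by the sender's writes and the relay's reads."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk: bytes) -> list[bytes]:
        self.buf.extend(chunk)
        out = []
        while len(self.buf) >= 2:
            (n,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + n:
                break                       # wait for the rest of this datagram
            out.append(bytes(self.buf[2:2 + n]))
            del self.buf[:2 + n]
        return out


def simulate_stream(datagrams: list[bytes], chunk_size: int) -> list[bytes]:
    """Concatenate framed datagrams as TCP would and deliver them in chunks of
    an unrelated size, the way a relay's read() calls would see them."""
    stream = b"".join(frame(d) for d in datagrams)
    deframer = Deframer()
    received = []
    for i in range(0, len(stream), chunk_size):
        received.extend(deframer.feed(stream[i:i + chunk_size]))
    return received


def naive_relay(datagrams: list[bytes], chunk_size: int) -> list[bytes]:
    """What an unframed relay (plain nc | nc) does: datagram boundaries become
    whatever the reads happen to be."""
    stream = b"".join(datagrams)
    return [stream[i:i + chunk_size] for i in range(0, len(stream), chunk_size)]


if __name__ == "__main__":
    # constructed sample: two DNS-sized messages, an empty datagram, a short one
    sample = [b"\x12\x34\x01\x00" + bytes(20), b"\xab\xcd\x81\x80" + bytes(300), b"", b"x" * 7]
    print("framed  :", [len(d) for d in simulate_stream(sample, 5)])
    print("unframed:", [len(d) for d in naive_relay(sample, 5)])
```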

  34. SSH Dynamic-port Forwarding

  35. SSH Dynamic-port Forwarding • In the case of HTTP browsing, DNS requests are still issued by the client • Monitoring can reveal DNS requests for common websites alongside the SSH traffic • Solution: forward DNS requests to the SSH server as well (e.g. Firefox network.proxy.socks_remote_dns) • Multi-hop setups • Client (SSH lpf) -> Host 1 (SSH dpf) -> Host 2 -> Web

  36. SSH Tunneling Detection / Mitigation • SSH traffic volume & SSH tunnel endpoints • Tunnel Hunter (Dusi et al., 2008) • Naïve Bayes classifier • Packet size & packet inter-arrival time • Detects tunneling & classifies the actual protocol (BitTorrent, POP, SMTP, HTTP) with high accuracy • Limitations with respect to multiple SSH authentication types, data compression, login failures, network protocols • SSH servers on non-standard ports (e.g. 443) • EmergingThreats Snort rules, Cisco IDS • Degrade SSH performance (tunneled TCP over TCP already suffers from nested retransmissions)

  37. ICMP Tunneling Technique Image taken from http://www.sectechno.com/2010/10/31/bypassing-firewalls-using-icmp-tunnel/

  38. SSH Tunnel over ICMP Tunnel

  39. ICMP Tunneling Tools • ICMPTX (IP over ICMP) • ICMP Tunnel (IP over ICMP) • Hans (IP over ICMP) • itun (IP over ICMP) • Ptunnel (TCP over ICMP) • Droid-VPN, Troid-VPN (Android apps, need root) • PD-Proxy, Wi-Free, Tunnel Guru

  40. ICMP Tunneling Detection / Mitigation • Detection signatures • ICMP_PingTunnel_Detected • LOKI ICMP tunneling back door • ICMP raw sockets (tunnel endpoints need raw-socket privileges to craft echo packets) • Non-standard average packet size or payload content • High ICMP traffic volume between tunnel endpoints • Disallow or rate-limit ICMP traffic
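Two of the indicators above (payload that is not what a ping client sends, and echo volume between one pair of hosts) can be checked directly on the ICMP bytes. The following is an added example, not code from the presentation or from any IDS: it builds constructed echo packets with a valid RFC 1071 checksum, parses them back, and flags endpoint pairs whose payloads do not match the filler patterns of common ping clients or whose volume is unusual. The filler patterns and the thresholds are assumptions of this example taken from my own observation of Linux iputils and Windows ping, not an exhaustive list.

```python
"""Detector for the ICMP tunnelling indicators on this slide: echo packets whose
payload is not what a normal ping sends, and endpoint pairs with unusual echo
volume. Added example, not code from the presentation or from any IDS; the
packets below are constructed and the thresholds are illustrative."""
import struct
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Assumed filler patterns of common ping clients (from my own observation):
# iputils sends 56 bytes, a 16-byte timestamp area then bytes 0x10..0x37;
# Windows ping sends 32 bytes of "abcdefghijklmnopqrstuvwabcdefghi".
IPUTILS_TAIL = bytes(range(0x10, 0x38))
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes) -> dict:
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    # a packet with a correct checksum sums to 0xFFFF, so the complement is 0
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": pkt[8:], "checksum_ok": inet_checksum(pkt) == 0}


def looks_like_ping(payload: bytes) -> bool:
    """True when the payload matches a known ping client's filler pattern."""
    if len(payload) == 56 and payload[16:] == IPUTILS_TAIL:
        return True
    return payload == WINDOWS_PAYLOAD


def analyse_flows(packets, max_pkts=50, max_bytes=20_000):
    """packets: iterable of (src, dst, raw_icmp). Returns per-pair counters,
    a flag and the reasons for it."""
    stats = defaultdict(lambda: {"pkts": 0, "bytes": 0, "odd_payload": 0, "bad_csum": 0})
    for src, dst, raw in packets:
        echo = parse_echo(raw)
        if echo["type"] not in (ECHO_REQUEST, ECHO_REPLY):
            continue
        pair = tuple(sorted((src, dst)))   # fold both directions into one key
        s = stats[pair]
        s["pkts"] += 1
        s["bytes"] += len(raw)
        s["odd_payload"] += not looks_like_ping(echo["payload"])
        s["bad_csum"] += not echo["checksum_ok"]
    for s in stats.values():
        reasons = []
        if s["odd_payload"]:
            reasons.append("non-standard payload")
        if s["pkts"] > max_pkts or s["bytes"] > max_bytes:
            reasons.append("high echo volume")
        s["flagged"] = bool(reasons)
        s["reasons"] = reasons
    return dict(stats)


def sample_capture():
    """Constructed traffic: ordinary pings plus a tunnel carrying 1 KiB blobs."""
    pkts = []
    for seq in range(3):
        linux = bytes(16) + IPUTILS_TAIL
        pkts.append(("10.0.0.5", "192.0.2.1", build_echo(ECHO_REQUEST, 0x1234, seq, linux)))
        pkts.append(("192.0.2.1", "10.0.0.5", build_echo(ECHO_REPLY, 0x1234, seq, linux)))
        pkts.append(("10.0.0.6", "192.0.2.1", build_echo(ECHO_REQUEST, 1, seq, WINDOWS_PAYLOAD)))
    blob = bytes((i * 37 + 11) % 256 for i in range(1024))
    for seq in range(30):
        pkts.append(("10.0.0.7", "203.0.113.9", build_echo(ECHO_REQUEST, 0xBEEF, seq, blob)))
    return pkts


if __name__ == "__main__":
    for pair, s in analyse_flows(sample_capture()).items():
        print(pair, s["pkts"], "pkts", s["bytes"], "bytes", s["reasons"])
```

A real deployment would feed this from a capture rather than constructed packets and would add the average-size check per pair; the payload test alone already separates a ping tunnel from ping, since a tunnel cannot both carry data and keep the standard filler.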

  41. HTTP Tunneling Technique • The tunnel client initiates an HTTP connection to the tunnel server • The client application’s requests are encapsulated in HTTP requests destined to the tunnel server • The tunnel server unwraps them and forwards them to the real destination

  42. HTTP Tunneling Tools • GNU httptunnel • htc – tunnel client component • hts – tunnel server component • Syntax • Server: hts -F remote:<remote_port> 80 • Client: htc -F <local_port> server:80 • Then on the client: ssh -p <local_port> user@localhost

  43. SSH Tunnel over HTTP Tunnel

  44. DNS Tunneling - Technique

  45. DNS Tunneling - Tools • OzymanDNS • Dns2tcp • Iodine • Heyoka (+ source IP spoofing) • DNSCat • NSTX • DNScapy • MagicTunnel, Element53, VPN-over-DNS (Android) • iodine for iOS • “VPN over DNS”

  46. DNS Tunneling – Detection / Mitigation • Increased DNS traffic (network traffic profiling) • Maximum DNS request packet size • Large number of DNS TXT requests • Number of DNS requests and of unique hostnames to a single domain • Composition of hostnames • Length, unique characters, character frequency analysis • Split DNS • Web proxies (but not clients) can resolve external domains
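The hostname-composition and per-domain counting heuristics above are easy to run over a resolver's query log. The following is an added example, not code from the presentation or from any product: it parses constructed BIND-style query-log lines, aggregates per zone the query count, unique names, average name length, label entropy and the share of TXT/NULL queries, and flags zones that exceed illustrative thresholds. The log format, the thresholds and the choice of "last two labels" as the zone are assumptions of this example (a real deployment would use the public suffix list).

```python
"""Detection heuristics from this slide applied to constructed BIND-style
query-log lines. Added example, not code from the presentation or any
product; thresholds are illustrative and the zone is approximated as the last
two labels (use the public suffix list in practice)."""
import base64
import hashlib
import math
import re
from collections import defaultdict

LOG_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")


def shannon_entropy(text: str) -> float:
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def zone_of(name: str) -> str:
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyse(log_lines, min_names=20, max_avg_len=40.0, max_entropy=3.5, max_txt_share=0.5):
    zones = defaultdict(lambda: {"queries": 0, "names": set(), "len_sum": 0,
                                 "ent_sum": 0.0, "txt_null": 0, "clients": set()})
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        client, qname, qtype = m.groups()
        qname = qname.rstrip(".").lower()
        zone = zone_of(qname)
        sub = qname[: -len(zone) - 1] if qname != zone else ""   # part below the zone
        z = zones[zone]
        z["queries"] += 1
        z["names"].add(qname)
        z["len_sum"] += len(qname)
        z["ent_sum"] += shannon_entropy(sub.replace(".", ""))
        z["txt_null"] += qtype.upper() in ("TXT", "NULL")
        z["clients"].add(client)
    report = {}
    for zone, z in zones.items():
        n = z["queries"]
        avg_len, avg_ent, txt_share = z["len_sum"] / n, z["ent_sum"] / n, z["txt_null"] / n
        reasons = []
        if len(z["names"]) >= min_names and avg_len > max_avg_len:
            reasons.append("many long unique names")
        if avg_ent > max_entropy:
            reasons.append("high-entropy labels")
        if n >= min_names and txt_share > max_txt_share:
            reasons.append("mostly TXT/NULL queries")
        report[zone] = {"queries": n, "unique_names": len(z["names"]),
                        "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                        "txt_share": round(txt_share, 2), "clients": sorted(z["clients"]),
                        "suspicious": bool(reasons), "reasons": reasons}
    return report


def sample_log():
    """Constructed log: routine lookups (including a legitimate SPF TXT query)
    plus 40 tunnel queries whose labels are base32 of sha256(i)."""
    normal = ["client 10.0.0.5#4321: query: www.example.com IN A +",
              "client 10.0.0.5#4321: query: mail.example.com IN MX +",
              "client 10.0.0.6#5100: query: example.com IN TXT +",
              "client 10.0.0.6#5100: query: www.example.com IN AAAA +"] * 5
    tunnel = []
    for i in range(40):
        blob = hashlib.sha256(str(i).encode()).digest()
        label = base64.b32encode(blob).decode("ascii").rstrip("=").lower()
        tunnel.append(f"client 10.0.0.7#6000: query: {i:x}.{label}.t.example.net IN TXT +")
    return normal + tunnel


if __name__ == "__main__":
    for zone, r in analyse(sample_log()).items():
        print(zone, r)
```

The entropy threshold is the one that produces false positives in practice: DNSBL lookups, hash-lookup services and similar legitimate zones also put dense, unique labels under one domain, so such zones need an allow list before alerting.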

  47. DNS Tunneling - Challenges • Determining which tunneling-like queries are malicious: legitimate services also encode data in query names • Real-time blackhole lists (DNSBL lookups) • 23.42.168.192.dnsbl.example.net • example.net.dnslist.example.com • NIST National Software Reference Library hash lookups • 84C0C5914FF0B825141BA2C6A9E3D6F4.md5.dshield.org • Mail servers perform DNS TXT requests (SPF)

  48. Outline • Description & Concerns • Tunneling Protocols & Protocol Tunneling • Network Tunneling Tools & Setup • Demo • Conclusions

  49. Demo Topology

  50. Outline • Description & Concerns • Tunneling Protocols & Protocol Tunneling • Network Tunneling Tools & Setup • Demo • Conclusions
