2025-03-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains how to analyze a DDoS reflection attack based on the IPMI protocol. The content is fairly detailed; interested readers can refer to it, and I hope it is helpful.
0x00 Preface
IPMI (Intelligent Platform Management Interface) is an industry standard originally adopted for the peripherals of enterprise systems based on the Intel architecture. IPMI is also an open, royalty-free standard that users can adopt without paying an extra fee.
IPMI works across different operating systems, firmware and hardware platforms, and can monitor, control and automatically report the health of large numbers of servers, reducing server operating costs. IPMI is transported over UDP, and the remote management and control service built on this protocol is bound to port 623 by default.
0x01 attack analysis
The attack lasted 15 minutes and peaked at over 2Gbps. There were 54828 attack source IPs, the attack source port was 623, the protocol was IPMI, and the packet length was 72 bytes. Detailed analysis of the packet contents showed that almost all of the attack packets were IPMI protocol ping response packets, as shown in the figure:
At first we suspected that the attacker had spoofed source IPs to carry out a flood attack, but verification showed that port 623 was alive on more than 98% of the 54828 attack source IPs, which clearly indicates a reflection attack. Analyzing the geographic location of the reflection sources, the global distribution is shown as follows:
Among the top 30 countries, the United States accounts for nearly 40%. The ranking is as follows:
0x02 Associated risk Analysis
The IPMI ping packet used in this attack is similar to a conventional ping, except that a conventional ping is transmitted over ICMP.
The IPMI protocol is widely used in the board management systems of Supermicro, Dell, HP and IBM servers. These ship with default passwords, and some even have long-standing Web vulnerabilities that expose passwords directly. After authentication, far more than a ping can be performed, such as retrieving monitoring data, at which point the number of bytes returned is much larger than the request.
Device distribution:
A total of 133000 IPMI devices are exposed on the public Internet. Among them, HP iLO, Supermicro IPMI and Dell iDRAC account for more than 75% of the total, so the security problems exposed previously also basically revolve around these devices.
IPMI device attack surface:
1. Web management interface
Usually HTTP on port 80 or 443. Known vulnerabilities: default account/password login, Web server interface overflows and others. Details are as follows:
CVE-2013-4782 Supermicro arbitrary IPMI command execution
CVE-2013-3623 Supermicro cgi/close_window.cgi buffer overflow arbitrary command execution
CVE-2013-3622 Supermicro logout.cgi buffer overflow arbitrary command execution
CVE-2013-3609 Supermicro privilege Bypass vulnerability
CVE-2013-3607 Supermicro arbitrary code execution
CVE-2013-4037 IBM IPMI plaintext voucher disclosed
CVE-2014-0860 IBM BladeCenter Advanced Management Module IPMI plaintext credential leakage
2. KVM console interface
Usually TCP port 5900. Known vulnerability: weak passwords.
3. IPMI communication interface
Usually UDP port 623. Known vulnerabilities: default account/password login and protocol vulnerabilities. Details are as follows:
CVE-2014-8272 IPMI 1.5 session ID is not random enough
CVE-2013-4786 IPMI 2.0 offline password brute-force vulnerability
CVE-2013-4037 IPMI password hash disclosure vulnerability
CVE-2013-4031 IPMI user default account login vulnerability
CVE-2013-4782 Supermicro authentication bypass results in arbitrary code execution
CVE-2013-4783 Dell iDRAC6 authentication bypass results in arbitrary code execution
CVE-2013-4784 HP iLO arbitrary password bypass
4. SMASH interface
Usually TCP port 22. Known vulnerability: weak passwords.
Vulnerability statistics:
Counting only the vulnerabilities rated as high-risk, a total of 24500 IPs have high-risk vulnerabilities, an overall proportion of 18.5%.
1. IPMI 2.0 Cipher Zero Authentication Bypass. Remote attackers can exploit this vulnerability to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) with an arbitrary password. When IPMI 2.0 has the cipher zero suite enabled, an attacker only needs to know a valid user name to take over IPMI's functionality. Most devices have default accounts and passwords.
Device       Default account   Default password
DELL         root              calvin
HP           Administrator     (random password)
IBM          USERID            PASSW0RD
SUPERMICRO   ADMIN             ADMIN
ORACLE       root              changeme
ASUS         admin             admin
FUJITSU      admin             admin
Huawei       root              Huawei12#$
Network-wide scan results:
17716 IPs have the Cipher Zero Authentication Bypass vulnerability.
2. IPMI v1.5 session ID is not random enough.
IPMI v1.5 uses a Session-ID for authentication, and the value range of the Session-ID is 2^32. In the implementation of some remote control cards, the Session-ID has the format 0x0200XXYY, where XX is directly predictable, so an attacker can forge the YY value and use the new session to execute arbitrary commands with low privileges or without authentication.
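A defender's first check for item 1 is whether cipher suite 0 is still enabled on a BMC's LAN channel. The following audit script is an added example, not code from the article or from any vendor; it parses text laid out like ipmitool's `lan print` output (the sample excerpts below are constructed, and the assumption is that the "Cipher Suite Priv Max" string lists the maximum privilege for cipher suites 0 through 14 in order, with "X" meaning the suite is unused), and shows the weak setting beside the corrected one.

```python
"""Check an IPMI LAN channel configuration for an enabled cipher suite 0 ("cipher zero")."""
import re

# Constructed excerpt mimicking the layout of `ipmitool lan print` (assumption about the format;
# not real device output). Cipher suite 0 is enabled at ADMIN privilege here.
WEAK_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.0.2.20
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

# Same device after cipher suite 0 has been disabled (first character set to X).
HARDENED_LAN_PRINT = WEAK_LAN_PRINT.replace("aaaaXXaaaXXaaXX", "XaaaXXaaaXXaaXX")

PRIV_NAMES = {"X": "unused", "c": "CALLBACK", "u": "USER", "o": "OPERATOR", "a": "ADMIN", "O": "OEM"}
CIPHER_ZERO = 0


def parse_lan_print(text):
    """Return {key: value} for 'Key : Value' lines; continuation lines (leading spaces) are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*?)\s*:\s*(.*?)\s*$", line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2)
    return fields


def advertised_cipher_suites(text):
    """Cipher suite IDs the channel advertises, from the 'RMCP+ Cipher Suites' line."""
    value = parse_lan_print(text).get("RMCP+ Cipher Suites", "")
    return {int(x) for x in value.split(",") if x.strip().isdigit()}


def cipher_suite_privileges(text):
    """Map cipher suite ID -> max privilege character from 'Cipher Suite Priv Max'."""
    privs = parse_lan_print(text).get("Cipher Suite Priv Max", "")
    return {suite_id: ch for suite_id, ch in enumerate(privs)}


def cipher_zero_enabled(text):
    """True when suite 0 is advertised and has any privilege other than 'unused'."""
    privs = cipher_suite_privileges(text)
    return CIPHER_ZERO in advertised_cipher_suites(text) and privs.get(CIPHER_ZERO, "X") != "X"


def audit_cipher_zero(text):
    """List human-readable findings; empty list means the channel passes this check."""
    findings = []
    if cipher_zero_enabled(text):
        priv = cipher_suite_privileges(text)[CIPHER_ZERO]
        findings.append(
            "cipher suite 0 (no authentication, integrity or confidentiality) is enabled "
            f"with max privilege {PRIV_NAMES.get(priv, priv)}; any valid user name logs in "
            "with an arbitrary password"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_LAN_PRINT), ("hardened", HARDENED_LAN_PRINT)):
        print(label, audit_cipher_zero(cfg) or ["ok"])
```

The fix corresponding to the hardened sample is to set the first character of the per-suite privilege string to X on the LAN channel (ipmitool exposes this through `lan set <channel> cipher_privs`), then re-run the check against the new `lan print` output; a BMC that still advertises suite 0 with any privilege should be treated as unauthenticated.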
Network-wide scan results:
2918 IPs have the insufficient session ID randomness vulnerability.
3. Anonymous account login allowed or plaintext password disclosed
Older versions of Supermicro firmware placed a plaintext password file on port 49152. By requesting the /PSBlock file on port 49152 of the server, an attacker can obtain the password for the Web management interface on port 80, which is stored in the PSBlock file.
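Item 2 can be verified from the defender's side by collecting the session IDs a BMC hands out over several consecutive logins and measuring how much of the 32-bit space actually varies. The script below is an added example, not from the article; the two sample ID lists are constructed (the weak one follows the 0x0200XXYY shape the article describes, the other is random-looking), and the 16-bit threshold for "predictable" is my own heuristic, not a standard.

```python
"""Audit observed IPMI v1.5 session IDs for low entropy and sequential allocation."""

MASK32 = 0xFFFFFFFF

# Constructed samples (not captured from a real device).
SAMPLE_WEAK_IDS = [0x02001301, 0x02001302, 0x02001303, 0x02001304]   # 0x0200XXYY shape, YY counting up
SAMPLE_RANDOM_IDS = [0x9F3A27C1, 0x0C71E4B8, 0xE5D20F36, 0x4B8C9A7D]  # what a CSPRNG-backed BMC should look like


def _or_and(ids):
    """Bitwise OR and AND over all observed IDs: a bit is constant iff it is the same in both."""
    all_or, all_and = 0, MASK32
    for sid in ids:
        all_or |= sid
        all_and &= sid
    return all_or, all_and


def varying_bit_count(ids):
    """Number of bit positions that took both values across the sample (upper bound on entropy)."""
    all_or, all_and = _or_and(ids)
    return bin(all_or & ~all_and & MASK32).count("1")


def id_pattern(ids):
    """Render the fixed nibbles and mark varying nibbles with '?', e.g. 0x0200130?."""
    all_or, all_and = _or_and(ids)
    varying = all_or & ~all_and & MASK32
    out = []
    for nibble in range(7, -1, -1):
        shift = 4 * nibble
        if (varying >> shift) & 0xF:
            out.append("?")
        else:
            out.append(f"{(all_and >> shift) & 0xF:X}")
    return "0x" + "".join(out)


def is_sequential(ids):
    """True when every consecutive pair differs by the same constant (e.g. a counter)."""
    deltas = {(b - a) & MASK32 for a, b in zip(ids, ids[1:])}
    return len(deltas) == 1


def audit_session_ids(ids, min_varying_bits=16):
    """Summarize the sample; 'predictable' is a heuristic: too few varying bits or a counter."""
    bits = varying_bit_count(ids)
    seq = is_sequential(ids)
    return {
        "varying_bits": bits,
        "pattern": id_pattern(ids),
        "sequential": seq,
        "predictable": bits < min_varying_bits or seq,
    }


if __name__ == "__main__":
    print("weak  :", audit_session_ids(SAMPLE_WEAK_IDS))
    print("random:", audit_session_ids(SAMPLE_RANDOM_IDS))
```

With the weak sample only the low nibble changes and the IDs form a counter, so the audit reports a 0x0200130? pattern with 3 varying bits; a BMC showing that behaviour should be kept off untrusted networks and updated, since the session ID is the only thing standing between a spoofed packet and an established session.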
Network-wide scan results:
Plaintext passwords were disclosed on 390 IPs, and anonymous account login was allowed on 3776 IPs.
Geographical distribution of vulnerabilities:
Board management systems often pay little attention to Web security, and updating them requires a firmware upgrade, which many companies neglect. As a result many vulnerable platforms are exposed on the public Internet and easily become targets for hackers.
Scanning and analyzing the DDoS attack sources, nearly half of the IPs belong to the Supermicro IPMI management platform. Many vulnerabilities have been exposed in the Supermicro IPMI management platform, among which the "plaintext password file PSBlock" vulnerability has the greatest impact. Machines with such vulnerabilities are hijacked by hackers and often used as zombie hosts ("broilers") for DDoS attacks. According to security researchers, in August 2014 attackers hijacked as many as 100000 such zombies and launched a mixed DDoS attack against ComputerworldUK.com, which peaked at 300Gbps and lasted for more than a day.
0x03 Reflection attack trend analysis
The IPMI ping packet used in this attack
The IPMI ping exchange is as follows:
The request is 65 bytes and the response is 72 bytes, an amplification factor of about 1.1.
In terms of amplification, therefore, the IPMI ping packet is not a good reflection amplification protocol.
However, because the attack packets are small and the sources are widely distributed, IPMI ping may penetrate some traditional defense devices.
Judging from recent reflection attacks, some mid-sized UDP services are gradually being used by hackers, including the earlier Memcached reflection, whose amplification factor reaches 50000 times, which is astonishing: even though only a little over 100,000 instances are publicly exposed on the Internet, it can still generate traffic attacks greater than 1T.
Uncommon UDP services without authentication logic, or with weak authentication logic (including default passwords), have gradually become the first choice for hackers launching attacks.
This concludes the analysis of how to understand DDoS reflection attacks based on the IPMI protocol. I hope the above content is of some help. If you find the article useful, please share it so more people can see it.
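The traffic signature the article describes (UDP, source port 623, 72-byte IPMI ping responses, tens of thousands of distinct live sources converging on one destination) is easy to pick out of flow data, and the 65-to-72-byte sizes give the amplification factor directly. The detector below is an added example, not part of the article; the flow records are constructed, and the minimum-distinct-source threshold is an assumption chosen to separate a real reflection event from a single BMC legitimately answering its own management station.

```python
"""Flag IPMI ping reflection traffic in flow records and compute the amplification factor."""
from collections import defaultdict

IPMI_UDP_PORT = 623   # the reflector's service port appears as the *source* port of reflected packets
PONG_LEN = 72         # response length observed in the attack described above
PING_LEN = 65         # request length observed in the attack described above

# Constructed flow records (not captured data):
# (src_ip, src_port, dst_ip, dst_port, proto, pkt_len, pkt_count)
SAMPLE_FLOWS = [
    ("198.51.100.11", 623, "203.0.113.10", 42011, "UDP", 72, 4000),
    ("198.51.100.12", 623, "203.0.113.10", 42011, "UDP", 72, 3900),
    ("198.51.100.13", 623, "203.0.113.10", 42011, "UDP", 72, 4100),
    ("198.51.100.14", 623, "203.0.113.10", 42011, "UDP", 72, 3800),
    ("198.51.100.15", 623, "203.0.113.10", 42011, "UDP", 72, 4050),
    # one internal BMC answering its own management station: same packet shape, single source
    ("10.0.0.5", 623, "10.0.0.100", 51000, "UDP", 72, 3),
    # unrelated traffic that must not match
    ("192.0.2.53", 53, "203.0.113.10", 40000, "UDP", 120, 10),
    ("198.51.100.11", 443, "203.0.113.10", 40001, "TCP", 72, 50),
]


def is_ipmi_pong(rec):
    """Packet-shape test: UDP from port 623 with the 72-byte response length."""
    _src, src_port, _dst, _dport, proto, pkt_len, _pkts = rec
    return proto == "UDP" and src_port == IPMI_UDP_PORT and pkt_len == PONG_LEN


def amplification_factor(request_len=PING_LEN, response_len=PONG_LEN):
    """Bytes returned per byte sent; 72/65 is roughly 1.1, so IPMI ping amplifies very little."""
    return response_len / request_len


def find_reflection_victims(records, min_sources=3):
    """Group pong-shaped flows by destination. A destination receiving them from many
    distinct source IPs (each a live reflector) is the victim of a reflection attack;
    a spoofed flood would instead show one target and sources whose port 623 is not alive."""
    per_dst = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for rec in records:
        if not is_ipmi_pong(rec):
            continue
        src_ip, _, dst_ip, _, _, pkt_len, pkts = rec
        entry = per_dst[dst_ip]
        entry["sources"].add(src_ip)
        entry["packets"] += pkts
        entry["bytes"] += pkt_len * pkts
    return {
        dst: {"distinct_sources": len(e["sources"]), "packets": e["packets"], "bytes": e["bytes"]}
        for dst, e in per_dst.items()
        if len(e["sources"]) >= min_sources
    }


if __name__ == "__main__":
    print("amplification factor: %.2f" % amplification_factor())
    for victim, stats in find_reflection_victims(SAMPLE_FLOWS).items():
        print(victim, stats)
```

On the constructed sample only 203.0.113.10 is reported (five reflectors, 19850 packets), while the lone internal BMC conversation is ignored. The same grouping, fed from real flow export, also yields the reflector list that a network owner needs for notifying the operators of the exposed BMCs; the lasting fix is on the reflector side, keeping UDP 623 off the public Internet.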