2025-03-09 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
In addition to DNS, there are other basic network protocols that can also become weapons for attackers. How to protect them?
When attacks involving basic Internet protocols make the news, attention tends to focus on the Web, with HTTP or DNS as the undisputed protagonist. But history shows that other protocols can also serve as weapons, and as entry points, against vulnerable companies.
For example, BGP (Border Gateway Protocol), NTP (Network Time Protocol) and FTP (File Transfer Protocol) are powerful weapons that attackers use to disrupt operations or steal data assets. The recent wave of cryptocurrency wallet hijackings shows how effective BGP hijacking is as a link in the attack chain. For most users, the mystery surrounding BGP stems from its complexity; most companies only consider running BGP once their networks have grown very large, which adds to the company's risk.
NTP is often seen as a protocol that merely provides a timing convenience, sparing users from keeping time themselves and entering it into systems by hand. In fact, operations ranging from data encryption to file transfer rely on NTP to obtain authoritative time from standard servers. As a result, NTP is ubiquitous, and valuable to attackers.
In addition, although users prefer HTTP for moving files between systems, many applications and systems still use FTP as their basic file transfer mechanism. Because it is often used to transfer large files, FTP is a powerful weapon for cyber criminals wherever it can be turned against a target.
For most companies, "stop using these protocols" is not realistic: too many applications and users depend on them to give any of them up in the near term, and BGP and NTP have no real alternatives at all. Companies therefore need to find ways to protect these protocols so that they remain tools for the company rather than weapons for attackers.
Of course, there are many ways to protect basic network protocols, and some of them also prompt thinking that advances a broader defense strategy. Here are several effective ways to protect the basic network protocols, for our readers.
1. BGP: protect the speaker
BGP is the protocol by which routers tell each other where they are; groups of routers also use it to work out the best path for forwarding packets. While it runs, the router must keep confirming that it is still connected to the Internet: the speaker sends a keepalive over TCP port 179 every 60 seconds to maintain the session with its neighbors. If the speaker is taken down, the router not only goes offline but also opens the door for a rogue router to take its place.
Clearly, a critical network link that talks on a well-known port at a predictable interval is fragile, and the network owner needs to take special precautions to protect it. Experts from the Internet Engineering Task Force (IETF) suggest using access control lists (ACLs) to block traffic that does not come from neighboring router nodes.
In addition, the network administrator should impose rate limits on the control and data planes to prevent packet floods from crowding out the speaker. This is not only about flood attacks: an excess of legitimate traffic can also push the router off the Internet, so a preset rate limit is a sound precaution.
2. BGP: TTL security
ACLs are the primary way to protect BGP; the next is a broader network-protection mechanism: time to live (TTL).
TTL security is described in IETF RFC 5082, the Generalized TTL Security Mechanism (GTSM). The idea is that packets that have travelled too far cannot have come from a neighboring node, and packets that are not from a neighboring node can be discarded.
The basic operation of TTL security is to set the TTL to 255 (the maximum) and to require that packets arrive with that value, which means they must come from a directly connected device. Because every layer-3 device that forwards a packet decrements its TTL, a packet that has taken a detour cannot meet the TTL requirement.
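The three speaker protections above (neighbor ACL, GTSM TTL check, control-plane rate limit) can be modelled as one inbound filter. The following is an added example written for this article, not code from the article or from any router vendor; the packet and neighbor structures, the addresses and the token-bucket numbers are all constructed. It generalizes the directly connected case in the text to the multi-hop rule of RFC 5082, where a peer N hops away must arrive with TTL at least 255 - (N - 1).

```python
import ipaddress
import time
from dataclasses import dataclass

BGP_PORT = 179
MAX_TTL = 255


@dataclass
class Packet:
    """Constructed view of an inbound IP/TCP packet: source address, TCP dst port, IP TTL."""
    src: str
    dst_port: int
    ttl: int


@dataclass
class Neighbor:
    """A configured BGP peer; hops=1 means directly connected (the usual eBGP case)."""
    address: str
    hops: int = 1


class TokenBucket:
    """Control-plane rate limiter: refill `rate` tokens per second, hold at most `burst`."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.clock = clock
        self.last = clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SpeakerGuard:
    """Filters packets destined for the local BGP speaker: ACL, then GTSM, then rate limit."""

    def __init__(self, neighbors, rate=100, burst=200, clock=time.monotonic):
        self.neighbors = {ipaddress.ip_address(n.address): n for n in neighbors}
        self.bucket = TokenBucket(rate, burst, clock)

    def check(self, pkt):
        if pkt.dst_port != BGP_PORT:
            return "ignore"  # not BGP traffic; outside this guard's scope
        neighbor = self.neighbors.get(ipaddress.ip_address(pkt.src))
        if neighbor is None:
            return "drop: source is not a configured neighbor (ACL)"
        # GTSM (RFC 5082): peers send with TTL 255, so a peer N hops away must arrive
        # with TTL >= 255 - (N - 1); for a directly connected peer that is exactly 255.
        if pkt.ttl < MAX_TTL - (neighbor.hops - 1):
            return "drop: TTL too low for the neighbor's distance (GTSM)"
        if not self.bucket.allow():
            return "drop: control-plane rate limit exceeded"
        return "accept"


if __name__ == "__main__":
    guard = SpeakerGuard([Neighbor("192.0.2.1"), Neighbor("198.51.100.9", hops=3)])
    for pkt in (Packet("192.0.2.1", 179, 255), Packet("203.0.113.5", 179, 255),
                Packet("192.0.2.1", 179, 254), Packet("198.51.100.9", 179, 253)):
        print(pkt, "->", guard.check(pkt))
```

The order of the checks matters: the ACL and TTL tests are cheap and run first, so a flood of spoofed packets never consumes the rate-limit budget that legitimate neighbors need.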
3. BGP: prefix filter
To protect BGP and its role in the network, you must ensure that a router advertising a specific route actually has permission to advertise it. For example, if a router announces that "AWS is reached through a router in a small chainsaw repair shop", that router is surely malicious and should be barred from advertising routes. One way to prevent malicious route advertisements is prefix filtering: somewhat complex, with some real-world limitations, but very effective.
Prefix filtering determines whether a router is entitled to advertise a route. The basic method is to filter prefixes using the information held in the Internet Routing Registry (IRR). Because IRR data is not always updated promptly, however, applying this method in practice is a little complicated.
Prefix filtering should allow the router to accept routes only from legitimate neighbors and to send only legitimate routes to downstream neighbors. Although very effective, it requires network administrators to maintain and update the list of legitimate nodes constantly. When the network (or a customer network) has many redundant internal and external routes, the administrator's work becomes quite complex. Where security matters, though, it is worth the effort.
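A prefix filter of the kind described here, as an added example that is not part of the article: it accepts an announcement only if it was learned from a configured neighbor, is not unreasonably specific, and is covered by an IRR-derived route object for the announcing origin AS. The route objects, AS numbers and addresses below are constructed, and the "max length" field is an assumption modelled on how operators limit more-specific announcements.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteObject:
    """One allow-list entry derived from IRR data (constructed): origin AS may announce
    `prefix` and any more-specific prefix no longer than `max_length`."""
    origin_as: int
    prefix: str
    max_length: int


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_as: int
    neighbor: str  # address of the peer the route was learned from


class PrefixFilter:
    def __init__(self, allowed_neighbors, route_objects):
        self.allowed_neighbors = set(allowed_neighbors)
        self.by_origin = {}
        for ro in route_objects:
            net = ipaddress.ip_network(ro.prefix)
            self.by_origin.setdefault(ro.origin_as, []).append((net, ro.max_length))

    def evaluate(self, ann):
        if ann.neighbor not in self.allowed_neighbors:
            return "reject: learned from a neighbor that is not configured"
        net = ipaddress.ip_network(ann.prefix)
        # Common hygiene: refuse prefixes more specific than /24 (IPv4) or /48 (IPv6)
        limit = 24 if net.version == 4 else 48
        if net.prefixlen > limit:
            return "reject: prefix more specific than /%d" % limit
        covering = [(auth, maxlen) for auth, maxlen in self.by_origin.get(ann.origin_as, [])
                    if auth.version == net.version and net.subnet_of(auth)]
        if not covering:
            return "reject: origin AS%d is not authorized for %s" % (ann.origin_as, ann.prefix)
        if all(net.prefixlen > maxlen for _, maxlen in covering):
            return "reject: more specific than the route object's max length"
        return "accept"


if __name__ == "__main__":
    pf = PrefixFilter(
        allowed_neighbors={"10.0.0.1"},
        route_objects=[RouteObject(64500, "192.0.2.0/24", 24),
                       RouteObject(64500, "2001:db8::/32", 40),
                       RouteObject(64501, "198.51.100.0/23", 24)],
    )
    for ann in (Announcement("192.0.2.0/24", 64500, "10.0.0.1"),
                Announcement("192.0.2.0/24", 64511, "10.0.0.1"),   # hijack attempt
                Announcement("2001:db8:1::/48", 64500, "10.0.0.1")):
        print(ann, "->", pf.evaluate(ann))
```

The stale-IRR problem the text mentions shows up here as a false reject: a legitimate new prefix is refused until the registry, and therefore the allow list, is updated, which is why the list needs the constant maintenance the text describes.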
4. BGP: protect the session
Because BGP runs over TCP, protecting BGP sessions also means protecting TCP sessions, and many of the mechanisms used to protect TCP in general also apply to BGP sessions. The recommendations in RFC 2827 and RFC 3704 can be used to block obviously spoofed packets at the network boundary.
On top of packet filtering, the TCP MD5 signature option or the TCP Authentication Option (TCP-AO) provides effective protection for the session.
These session protections raise deployment and maintenance costs. Individual network owners need to weigh the security benefit against the cost. Taken together, though, these four steps make BGP safer and more robust.
5. NTP: NTPsec
Protecting NTP is important, and the obvious first step is to replace "classic" NTP with NTPsec. NTPsec is a more secure NTP that is directly compatible with the classic code, so users should not notice any change; it simply makes the basic service harder for attackers to abuse. With NTPsec, it is difficult to use NTP for DDoS amplification attacks. NTPsec is also widely credited with cleaning up the code base and adding basic management and reporting functions.
It must be pointed out that both NTP and NTPsec are open source projects with many volunteers and supporters. It is not hard to find people online who support NTPsec and people who oppose it, but on balance its core functionality deserves serious consideration.
6. NTP: updates are important
As an attack weapon, NTP's main value is that the data returned by a particular query can be many times larger than the data sent by the originating attack system. One of the problems with NTP is that it is often never updated after it is deployed, leaving many older servers exposed to attack.
Every version of the NTP server software ntpd prior to 4.2.7 can be used by attackers to launch such attacks. Newer versions may also have vulnerabilities, but they are generally robust as long as the default configuration is left unchanged. To strengthen security, make sure ntpd is running the latest version.
7. NTP: pay attention to the Monlist instruction
The monlist command, which returns details of the 600 clients that most recently connected to the NTP server, is the root cause of ntpd's usefulness as a powerful amplification attack weapon.
To keep NTP from being weaponized, you must restrict execution of the monlist command. Versions of ntpd from 4.2.7 onwards restrict monlist by default; if you must run an earlier version, you can add the restriction explicitly to its configuration file, ntp.conf.
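An audit helper for sections 6 and 7 together, added here as an example and not taken from the article or the NTP project: it parses an ntpd version string, compares it with the 4.2.7 threshold the text gives, and checks whether ntp.conf carries one of the two real ntpd directives that shut monlist off on older builds (`disable monitor`, or `noquery`/`ignore` on the `restrict default` line). The version banners and configuration snippets are constructed, and treating a single `restrict default` line as covering both IPv4 and IPv6 is a simplification.

```python
import re

MIN_SAFE_VERSION = (4, 2, 7)  # per the text, ntpd older than this answers monlist by default


def parse_ntpd_version(banner):
    """Return (major, minor, patch) from an ntpd version string such as 'ntpd 4.2.6p5@1.2349-o'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no ntpd version found in %r" % banner)
    return tuple(int(x) for x in m.groups())


def monlist_mitigated(ntp_conf):
    """True if ntp.conf disables the monitor list or denies mode-7 queries by default."""
    for raw in ntp_conf.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tokens:
            continue
        if tokens[:2] == ["disable", "monitor"]:
            return True
        if tokens[0] == "restrict":
            rest = tokens[1:]
            if rest and rest[0] in ("-4", "-6"):  # address-family qualified form
                rest = rest[1:]
            if rest and rest[0] == "default" and ({"noquery", "ignore"} & set(rest[1:])):
                return True
    return False


def audit_ntp(banner, ntp_conf):
    """Return finding codes; an empty list means no monlist exposure was found."""
    findings = []
    version = parse_ntpd_version(banner)
    if version < MIN_SAFE_VERSION:
        findings.append("OUTDATED_NTPD")
        if not monlist_mitigated(ntp_conf):
            findings.append("MONLIST_UNRESTRICTED")
    return findings


if __name__ == "__main__":
    # Constructed sample: an old ntpd with a bare config, then the same ntpd hardened.
    bare_conf = "server ntp.example.com\ndriftfile /var/lib/ntp/drift\n"
    hardened_conf = bare_conf + "restrict -4 default kod nomodify notrap nopeer noquery\ndisable monitor\n"
    for conf in (bare_conf, hardened_conf):
        print(audit_ntp("ntpd 4.2.6p5@1.2349-o", conf))
```

Running this against each time server in an inventory gives a quick list of hosts that need either an upgrade or the explicit `ntp.conf` restriction the text recommends.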
8. FTP: don't use the standard version
FTP is useful, but its basic form is old-fashioned and rigid. The protocol's most fundamental problem is that nothing, from authentication to the file transfer itself, is encrypted. If an application or workflow needs file transfer, an alternative version of FTP provides the same function more securely.
The two most common alternatives are FTPS and SFTP. Both do the same thing: transfer files (and the credentials exchanged before the transfer) through an encrypted tunnel. Their implementations, however, are different.
SFTP is file transfer over SSH; FTPS is FTP with SSL added. In terms of security there is no difference between the two. Which one to implement depends on the security requirements for how files are presented and transferred, or, as many teams choose, both can be implemented.
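For the FTPS side, an added example (not from the article) using Python's standard library `ftplib.FTP_TLS`: the point it makes is that an FTPS client protects credentials and file contents only if certificate verification is on and the data channel is explicitly switched to encrypted mode with PROT P. Host, user, password and file names in `upload_encrypted` are placeholders supplied by the caller.

```python
import ftplib
import ssl


def make_ftps_client(timeout=30):
    """Explicit-FTPS client with its TLS policy fixed before any connection is made."""
    ctx = ssl.create_default_context()  # verifies the server certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy TLS versions
    return ftplib.FTP_TLS(context=ctx, timeout=timeout)


def tls_policy_ok(client):
    """Pre-flight check: verification on, certificate required, no legacy TLS."""
    ctx = client.context
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def upload_encrypted(client, host, user, password, local_path, remote_name, port=21):
    """Upload over explicit FTPS with BOTH channels encrypted (host and credentials are caller-supplied)."""
    client.connect(host, port)
    client.auth()      # AUTH TLS: encrypt the control channel before credentials are sent
    client.login(user, password)
    client.prot_p()    # PROT P: encrypt the data channel; without it file content crosses in cleartext
    with open(local_path, "rb") as fh:
        return client.storbinary("STOR " + remote_name, fh)


if __name__ == "__main__":
    client = make_ftps_client()
    print("TLS policy acceptable:", tls_policy_ok(client))
```

The `prot_p()` call is the step most often forgotten: after a successful TLS login the data connections still default to clear (PROT C), so a transfer can look encrypted in the logs while the file itself is not.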
9. FTP: behind the correct gateway
In many cases an FTP deployment needs to let partners, suppliers or customers transfer files to and from the company. That means the FTP server has to face the Internet, usually from the demilitarized zone (DMZ) of the network.
Internet-facing servers are generally more exposed than servers on isolated networks. So if FTP must be kept, an FTP gateway should be set up in front of the FTP server. In most cases the gateway is a form of reverse proxy: the external client opens a session with the gateway, and the gateway then establishes a secure tunnel between the server and the external client.
FTP gateways come in a wide range of options: AWS, IBM, Barracuda and Ipswitch are among the companies offering various implementations, and many others provide the feature as well.
10. FTP: directory and file security
In the early days of the Internet, when trust was the norm, companies sometimes set up subdirectories dedicated to sending and receiving files over FTP. Anonymous FTP users could send and receive files in such a subdirectory with full read and write access, and files might sit there for a long time.
A series of measures should protect the FTP server and the files it sends and receives: restrict read and write permissions on the subdirectory, restrict read and write permissions on the files inside it, and limit the subdirectory's contents to files that have just been uploaded or need to be downloaded right away.
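The three measures above translate directly into an audit that can run against an FTP document root. This is an added example, not code from the article: it flags world-writable directories and files, world-readable files, and files older than a retention window. The sample tree it builds in a temporary directory (a sloppy "pub" drop box and a tightened "incoming" one) is constructed, and the seven-day retention window is an assumption.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

MAX_AGE_SECONDS = 7 * 24 * 3600  # retention window assumed for this example


def audit_ftp_tree(root, now=None, max_age=MAX_AGE_SECONDS):
    """Walk an FTP directory tree and return (relative path, issue) pairs."""
    now = time.time() if now is None else now
    root = Path(root)
    findings = []
    for path in sorted([root, *root.rglob("*")]):
        st = path.lstat()
        rel = str(path.relative_to(root))
        if st.st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        if stat.S_ISREG(st.st_mode):
            if st.st_mode & stat.S_IROTH:
                findings.append((rel, "world-readable"))
            if now - st.st_mtime > max_age:
                findings.append((rel, "stale: older than retention window"))
    return findings


def build_sample_tree():
    """Constructed layout: 'pub' as the old-style open drop box, 'incoming' locked down."""
    root = Path(tempfile.mkdtemp(prefix="ftp-audit-"))
    now = time.time()
    pub = root / "pub"
    pub.mkdir()
    os.chmod(pub, 0o777)
    old = pub / "report-2019.csv"
    old.write_text("constructed sample content\n")
    os.chmod(old, 0o666)
    month_ago = now - 30 * 86400
    os.utime(old, (month_ago, month_ago))
    incoming = root / "incoming"
    incoming.mkdir()
    os.chmod(incoming, 0o770)
    fresh = incoming / "invoice.pdf"
    fresh.write_text("constructed sample content\n")
    os.chmod(fresh, 0o640)
    os.chmod(root, 0o750)
    return root, now


def demo():
    """Build the constructed tree and audit it; returns the findings list."""
    root, now = build_sample_tree()
    return audit_ftp_tree(root, now=now)


if __name__ == "__main__":
    for rel, issue in demo():
        print("%-25s %s" % (rel, issue))
```

On a real server the same function is pointed at the FTP root, and the stale-file finding doubles as a to-do list for the clean-up the text calls for: anything past the window should have been downloaded and removed already.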
Any activity on the public network carries risk. But with the right technology and strategy, companies can make many online activities more secure.