
Next Generation Solutions for Modern Network Attacks

BSides Charlotte · 2023 · 21:19 · Published 2023-09
Tags: Talk
About this talk
Network attacks are becoming increasingly sophisticated and costly, but there is hope. In this talk, we will explore cutting-edge network attacks and how researchers are proposing cost-effective methods for defense. We will also discuss the direction of next-generation software that can help to protect our networks from future threats.
Transcript [en]

Okay, good afternoon. My name is Siobhan and I'll be giving my presentation on Next Generation Solutions for Modern Network Attacks. So who am I? I'm a graduate student at UNC Charlotte, I'm a security enthusiast, and I'm also a member of the 49th Security Division. Because I'm a graduate student, a lot of my presentation is going to be a little bit forward-thinking and research-based, so I think it should be interesting for you guys.

So when we think about attacks, common attacks, there's the mixture of thinking about how attacks happen, and then the entry points of attacks, what the effects are, the artifacts. A good way to think about network attacks is: you can think about malware as it's propagating through a computer network; you can think about ransomware as it's also propagating and locking computers; you can think about phishing, phishing emails, targeted attacks that are basically the first step of some type of initial presence of an attacker inside of a network; and then you can also think about DoS, denial of service attacks.

So what are the current approaches to mitigating these types of attacks, or what is the common knowledge for mitigating them? Conventional wisdom on Twitter says to just use Linux. I really thought this tweet was funny so I wanted to include it, but it's not really serious; you can't just use Linux and avoid network attacks. But what you can do with conventional wisdom is deploy some type of endpoint software on your laptops: think about antivirus, think about endpoint protection systems that are correlating these events happening on your system and then propagating them to some security information management system, and then that's changing policy based upon what it sees happening in the network. That, depending on the maturity of the enterprise or business, leads to either a robust edge security system with next generation firewalls, which is kind of marketing for including packet filters that are able to do deep packet inspection on the packets that are flying into the network and filtering out zero days as they come into your network.

There's also the basic general wisdom of the field, following best practices, to be able to stop these attacks: you don't necessarily have every port open, you only have the ports open that you need, your network is segmented, you're leveraging authenticated access, and zero trust. Zero trust, I think, is a current approach and is also one of those approaches that's still being defined and outlined and improved. You can also educate your users. These years I think there's a big discussion, or maybe it's not a big discussion, in security where it's like, oh, we should be able to protect enterprise networks without user education, or we need the users to stop making mistakes. User education is important; how important, I think, depends on the person, but it is also part of a way that you can mitigate attacks.

More forward-looking, what are the trends we see security software going towards or trying to include, in terms of marketing or in terms of specific technology? We see the introduction of machine learning and artificial intelligence, specifically for deception, trying to deceive attackers with assets in environments that are not actually there, but then also using machine learning for advanced measures of detection, being able to find patterns and anomalies in network traffic to be able to stop those specific attacks. We also see advancements in automation. VMware acquired SaltStack like three years ago, so automation is important to these industry providers, and how they're integrating it into their stack, how they're allowing you to automate the provisioning and reprovisioning of your assets based upon what's affected and what's not affected, is very much an active area of development and research. Like I said earlier, zero trust architectures are still being well defined and improved, so that's a big area the security field is trending towards. Then there's also the diversity of solutions: the NSA put out a best practices guideline for networks, and essentially it was use a bunch of different firewalls, use a bunch of different switches, don't use the same thing, because if it is the same thing it gets hacked in your home environment basically and gets hacked pretty easily. And then the other trend is move everything to the cloud. I'm not going to have much comment on that, but that's what it seems to be: people are offloading security responsibility to cloud service providers and realizing that cloud service providers also have to have best practices when it comes to security, and you have to make sure that you tune your access controls correctly so that you aren't on the other end of a data breach.

Okay, so there are some shortcomings, and I think this is a generally true shortcoming for the field of security: you take a non-security person, you say these are all the great things that you can do to protect yourself, and it's just like, oh, this security function, this antivirus slowed down my computer; this next generation firewall slowed down my network; I've got a gig network and it's forcing me to have hundred-megabit speeds; there's no reason for me to pay for fiber if I'm only getting 100 megabit speeds, so I just disabled it because I wanted the usability. In some ways that's generally true for where we are in security. So how can we improve the trade-off math of network security solutions? This is the meat and potatoes of my talk, and that requires us to think about what the base-level improvements are, what the base-level places are where we have room for improvement, and that's really the network stack. How we deploy, how we think about the network is changing in terms of network design, and it's slowly propagating over to security.

The idea is that software-defined networking is being leveraged by a lot of security researchers. To take a step back and think about software-defined networking: software-defined networking is this idea that you can decouple the control and data plane. Traditionally, before you have SDN control introduced into the environment, you're using routers; these routers are communicating to each other, saying hey, this computer is over here, to this router, so that the packets can flow within the network, and routers are also connected to firewalls. In the software-defined network architecture you have the controller, the network controller, having this global view of the control plane, where it doesn't necessarily have to communicate to other controllers unless you're maintaining an internet-wide network, which allows you, as the controller, to communicate to switches directly, not to other routers, that you want to move this packet here, or that there's a better path that has less congestion, essentially.

What this basically enables is the introduction of data plane programs. A good way to think about data plane programs is to think about eBPF, the extended Berkeley Packet Filter that we see in Linux, which basically allows you to write programs that go into the kernel, kernel drivers, and they're really fast programs that do this inline processing of data coming in, providing observability, but then you also see eBPF used in packet filters like iptables, etc. So in-network security on switches has the potential to handle the expensive part of parsing or implementing functions on packets that are in flight within your network. It's important to think about in-network security as the ability to take this idea of eBPF hooking, not necessarily hooking, but having a program within the pipeline of a switch, to be able to do some parsing, some checking of packets as they're propagating through your network. So, some examples, because there's a lot of information and only three bullets; talk to me, okay.

So there are some helpful patterns to understand when it comes to implementing in-network security. One: the protocols are very important, and one of the protocols that we see leveraged the most in terms of research is DNS. Why DNS? Because since the beginning of the internet, when they realized that a phone book for the internet, for websites, was important, one of the implementing requirements of DNS is that it has to be clear text, it has to be fast, and it has to work. Because DNS is clear text, it's fast, and it has to work, that means that everything can see DNS records: you can have switches see DNS records. There is no TLS to protect it; I mean, of course there's DNSSEC, but there is no encryption for DNS. DNS also has a lot of attack vectors; we see a lot of DDoS attacks that leverage DNS, and we also see DNS cache poisoning attacks. Interestingly enough, those attacks are very bad in terms of networks; I guess now we're in the security department.

So to understand the opportunities for implementing network security functions, you have to understand what the contents of your packets are. Can your switch even see the packet? If you have a TCP packet and it's TLS encrypted, there's no way that you're going to be able to do any cool jazz on your switch for those specific TCP packets. But if you are trying to solve DNS attacks, yes, you have a great opportunity there. To understand some DNS attacks: I'm sure everyone is familiar, but if you're not, there was a really big DoS attack using a botnet, Mirai, I think I'm saying it right, that basically leveraged this protocol to take things down. To take a step back to better understand DNS attacks, there are DNS reflection attacks and there are DNS amplification attacks. Basically both of these are leveraging behavior within the protocol. Specifically, for the DNS amplification attacks, you're leveraging sending packets to a DNS server and then getting a larger response from the server, redirecting that to another machine, and now you have thousands of multiplicative packets going to that endpoint machine compared to what you sent. There are also these non-volumetric and volumetric types of DNS attacks in this similar vein. Non-volumetric means that it's abusing behaviors within a protocol, similar to the amplification attack, and volumetric is literally just spamming a user, and once the user's resources cannot continue to expand to handle that traffic, it basically just keels over and can no longer do anything; it can't even provide usability to users.

Okay, another type of attack is cache poisoning. There's this really advanced paper that was published at USENIX outlining how you can abuse cache poisoning on conditional DNS servers, which basically are forwarders and resolvers. But the basic idea to know about DNS cache poisoning is, in the cache poisoning attack you're essentially trying to get the forwarder to think that google.com actually points to whatever malicious domain you have access to. What this enables is an attacker redirecting users to malicious sites that they probably shouldn't have been redirected to, and it also provides the ability to disrupt services that you probably don't want to have disrupted. So there are a lot of different examples of how these attacks are able to be implemented; there's a lot of discussion about how most of the major DNS service providers, and even Unbound and BIND servers that could be implemented in-house, were all vulnerable to this type of attack, which is abusing the DNS protocol.

Going back to those helpful patterns: DNS is an open protocol; it is abused by attackers every day, honestly, for exfiltrating but also for setting up persistence inside of environments. There are a lot of different attacks; the main attacks that I covered were DoS and DNS cache poisoning attacks. And the opportunities for parsing these packets for security rely specifically on the openness of the DNS protocol.

So when it comes to implementing in-network security, there are a couple of things that you have to know. One, you have to be able to do some type of data plane programming, and to do data plane programming, in my research I have been looking into P4. P4 is a language that allows you to write how you want your switch to process packets. So you can say, hey, you see this DNS packet, I want you to handle this DNS packet this specific way; you see this Modbus packet, I want you to handle this Modbus packet in a specific way; TCP, UDP, I don't really have the ability to do that so I'm not going to do that. You can define all of those actions within P4 and then deploy it to a switch, and you can communicate between your switches and P4 using P4Runtime. It's all really cool, and there's a foundation behind it, the Open Networking Foundation, that's continuing to develop on top of this platform. So once again, it allows this inline packet processing of whatever predefined functions you deploy, and it also provides this opportunity to bring balance to middleware. You don't have to forward packets to this appliance, have it do all this cool jazz within the appliance, and then forward them to the end host; for example Snort, sending all your packets to Snort so that Snort can do deep packet inspection, do some signature analysis. You don't necessarily have to send it all to the middleware appliance; you can now think about how to balance what middleware does and what you can do with this low-level functionality within switches on the device.

So what are the performance differences? Why is in-network security important? This is the meat and potatoes, right. This is from a paper called P4DPI, so it's P4 DNS deep packet inspection, and what they're essentially doing in their paper is taking this idea that hey, we can use P4 to extract all the domains from records in DNS records as they're passing through the switch, because we can see them, and then we can forward them to this access control list. We use access control lists every day in firewalls: is this URL part of this access control list, yes or no? If it is, we can drop this packet; if not, we can allow it to propagate through the network. This is comparing its ability to stop a DNS cache poisoning attack versus PSNS; PSNS is representing the send-everything-through-one-machine approach. What we see is that in terms of packet delay, as you increase the packets sent into the network, with PSNS, of course, as you're increasing the amount of network traffic sent through it that it has to process, eventually there's going to be delay that's incurred, but with this program on switches you aren't seeing this rapid growth in delay; there is no delay with the growing amount of packets, which is a really good feature to have. In terms of packet loss, people commonly don't like, for example, using VPNs, because sometimes when you use a VPN you have this weird jitter, and if you're watching a video the video starts buffering, and then it's just like, what happened to the video, do I have to disable this VPN or not? Similarly, PSNS, when doing DNS record resolving, trying to parse and filter out these records, starts to lose packets over time the more packets it has to process, but with this program in switches there is literally no packet loss. So that means that you can essentially implement these kinds of rudimentary access controls within switches and have the same performance as you would if you didn't have these security functions enabled; users will not necessarily notice that there's a security function enabled.

So, looking forward to what the future of in-network security is: there are a lot of great opportunities, there's a lot of great potential, but it requires an understanding of these underlying protocols. How can we leverage this type of thinking in network security to offload a lot of packet parsing, without doing all the packet parsing on the switch? That's where I'm at from a research standpoint: how can we make more generalized solutions that take trade-offs, right; we're using the switch for more processing of the packets, and then sending these already-processed packets to some appliance, a middleware appliance, to do the rest of the processing, to reduce latency, to reduce packet loss, but then also to increase the robustness of network security. It also requires this deep understanding of how to compartmentalize functions. You wouldn't necessarily want to try to extract every DNS record from these DNS packets, because as the paper shows, there's a limitation on how long a domain you can extract. So in this cat and mouse game of security, people are going to eventually realize that, hey, you can just create a domain that's 64 characters long, send it into a system, and we still have the same cache poisoning attack; it doesn't stop the attacker. But with a good balance you can introduce the ability to extract and decouple these packets and then send them to an appliance, to be able to get the benefit of a trade-off of speed without the packet loss. So those are the things that I want you to take away from this talk.

In conclusion, you can find me online. I post my research: I have a personal blog where I sometimes post my research and security talks, and then I have a more academic blog where I post papers, teaching stuff. I'm on Mastodon, I'm on Twitter, not really on anything else, but I have an email. And that's my talk. Thank you.
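Added example (not part of the talk, and not the speaker's or the P4DPI authors' code): a Python emulation of the two ideas the talk pairs at the end, the switch-side DNS question-name extraction plus ACL check, and the long-domain limitation that follows from a data-plane parser having a fixed number of label-extraction states. `MAX_LABELS = 4` is an assumed unroll depth standing in for whatever limit the real hardware has; the blocklist entries and the DNS queries are constructed test data. The point it shows is the "balance" the talk argues for: a name the switch could only partially parse is punted to the middlebox rather than silently matched on its prefix.

```python
"""Emulation of in-network DNS filtering with a bounded (P4-style) name parser.

A P4 parser cannot loop, so each DNS label it extracts costs one parser state;
names with more labels than there are states can only be partially recovered.
This script shows why a switch must punt such names to a middlebox instead of
matching the recovered prefix against its ACL.  Added example, not the talk's
or the P4DPI paper's code; all packets and ACL entries below are constructed.
"""

import struct

MAX_LABELS = 4        # assumed parser unroll depth (stand-in for the paper's limit)
MAX_LABEL_LEN = 63    # RFC 1035 label length limit
BLOCKLIST = {"evil.example", "malware.example.net"}   # constructed ACL entries


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed test input: a minimal DNS query (RD set, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    body = bytearray()
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL_LEN:
            raise ValueError(f"bad label {label!r}")
        body.append(len(raw))
        body += raw
    body.append(0)                          # root label terminates the name
    body += struct.pack("!HH", qtype, 1)    # QTYPE, QCLASS=IN
    return header + bytes(body)


def parse_qname_bounded(pkt: bytes, max_labels: int = MAX_LABELS):
    """Extract the first question name using at most `max_labels` parse states.

    Returns (qname, complete).  `complete` is False when the name has more
    labels than the parser can walk, i.e. only a prefix was recovered.
    Returns (None, False) when there is no parsable question at all.
    """
    if len(pkt) < 12 or struct.unpack_from("!H", pkt, 4)[0] == 0:   # QDCOUNT at offset 4
        return None, False
    off, labels = 12, []
    for _ in range(max_labels):
        if off >= len(pkt):
            return None, False
        length = pkt[off]
        if length == 0:                     # reached the root: whole name seen
            return ".".join(labels), True
        if length & 0xC0:                   # compression pointer: not expected in a query
            return None, False
        off += 1
        labels.append(pkt[off:off + length].decode("ascii", "replace"))
        off += length
    # Out of parser states.  One final peek distinguishes "stopped exactly at
    # the root" (complete) from "stopped mid-name" (prefix only).
    complete = off < len(pkt) and pkt[off] == 0
    return ".".join(labels), complete


def acl_verdict(pkt: bytes, blocklist=BLOCKLIST) -> str:
    """Switch-side decision: 'drop', 'forward', or 'punt' to the middlebox.

    Punting partial names is the switch/appliance balance the talk describes;
    a switch that matched only the recovered prefix would let
    a.b.c.d.evil.example through because "a.b.c.d" is not on the list.
    """
    qname, complete = parse_qname_bounded(pkt)
    if qname is None:
        return "forward"     # not a question we understand; ordinary L3/L4 policy applies
    if not complete:
        return "punt"
    return "drop" if qname in blocklist else "forward"


def naive_verdict(pkt: bytes, blocklist=BLOCKLIST) -> str:
    """The bypassable variant: treats whatever prefix was parsed as the full name."""
    qname, _ = parse_qname_bounded(pkt)
    return "drop" if qname in blocklist else "forward"


if __name__ == "__main__":
    for name in ("evil.example", "www.example.com",
                 "mail.corp.example.com", "a.b.c.d.evil.example"):
        pkt = build_dns_query(name)
        print(f"{name:24} bounded={acl_verdict(pkt):8} naive={naive_verdict(pkt)}")
```

Raising `MAX_LABELS` buys more coverage at the cost of more parser states, which is exactly the trade-off the talk leaves open; what the example makes concrete is that whatever the depth, the correct action for an over-long name is "punt", never "forward".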