TBD - To Block Connection from Suspicious IP addresses by using "DICE"

Original Title "TBD" is a kind of joke :-)

  1. TBD. Kunio Miyamoto, a.k.a. wakatono (@wakatono). Copyright by wakatono 1
  2. TBD → To Block connection from suspicious IP addresses by using “DICE”
  3. Contents: • What is DICE? • DICE for TCP deep dive • Conclusion
  4. What is DICE?
  5. What is DICE? • Abbreviation of: Deception of InterCommunication to Enemies • Gartner Security & Risk Management Summit 2016: Important!
  6. The DICE concept is described in detail at: • http://hitcon.org/2016/CMT/slide/day1-r2-d-1.pdf
  7. The DICE presentation in 2016 covered: • Details of DNS response deception • An overview of TCP deception (not in detail). Today’s topic: TCP deception in detail, and its effect.
  8. DICE for TCP deep dive
  9. How to block outbound TCP access from a suspicious (internal) IP address? • Configure a firewall rule or an ACL on the L3 switch – sometimes a too heavy process • Tell the owner of the suspicious IP address – sometimes a too heavy process • Place and operate DICE for TCP – a one-time heavy process (placing DICE for TCP)
  10. TCP 3-way handshake response: an easily deceivable protocol response • The normal TCP response to a connection initiation can be faked easily – a signed and/or encrypted packet (e.g. IPsec) is hard to fake. • Applicable to various kinds of deception – once deceived, the connection is “hijacked” ☺ – after the connection is deceived, we can fake the interaction with the enemy over the hijacked connection ☺
  11. I want to terminate a malicious connection from specific “client(s)” • An RST packet may be filtered (and the connection may still be alive) – many IPSs have a function for sending RST packets (and those may be filtered). • The ACK and SYN+ACK packets of the connection initiation state, to a proper port, must not be filtered ☺ – if every packet were filtered, that computer would turn into a useless object ☺
  12. Blocking a TCP connection • Very easy – only send a deceptive SYN+ACK packet matching the initial SYN packet • To send the deceptive SYN+ACK packet – DICE for TCP needs to know only the pair of IP addresses, the pair of port numbers, the sequence number, and the ack number
  13. TCP connection interaction: an easily deceivable protocol response. Reference: RFC 793, TRANSMISSION CONTROL PROTOCOL
  14. Blocking a TCP connection with a deceptive SYN+ACK packet. DICE for TCP is placed at an appropriate point in the network. Sequence between the Suspicious IP and the External IP: ① Suspicious IP sends a SYN packet ② DICE for TCP captures the packet of ① ③ DICE checks whether the source IP address is suspicious or not ④ DICE sends a deceptive SYN+ACK packet matching ① ⑤ External IP sends the real SYN+ACK packet ⑥ Suspicious IP sends an ACK packet matching ④ • The ACK packet for ④ is useless to the External IP • The SYN+ACK packet ⑤ is useless to the Suspicious IP → No connection can be established between the Suspicious IP and the External IP
  15. To check whether an IP address is suspicious or not • Use a function pointer table ☺ ・Read the IP and TCP headers ・Get the source IP address from the IP header ・Execute func[IP address]. func[IP address] holds a pointer to either the “deceptive SYN+ACK respond function” or a “do nothing” function. Example: pseudo-code (C-like) of the function table:
      void donothing(void) {}
      void decepted_response(void) { /* build and send the deceptive SYN+ACK */ }
      /* one entry per IPv4 address: 2^32 entries (32 GB of pointers on a 64-bit host;
         a bitmap indexed the same way needs 512 MB) */
      void (*func[1ULL << 32])(void);
      func[0] = donothing;
      …
      func[suspip] = decepted_response;
      …
      func[(1ULL << 32) - 1] = donothing;
  16. Summary of the TCP connection steps deceived by DICE for TCP • 1. The SYN packet is sent • 2. The deceptive SYN+ACK packet is sent by DICE for TCP • 3. The real SYN+ACK packet is sent. One SYN for two SYN+ACKs! (Remaining steps omitted.)
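The procedure of slides 12 to 16 in working code, as an added example that is not part of the deck: it reads the fields DICE for TCP needs from a captured SYN, runs the lookup of slide 15 (a constructed watch list of one address stands in for the func[2^32] table, and the ISN and the sample packet are constructed too), and builds the header fields of the deceptive SYN+ACK without sending anything.

```c
#include <stddef.h>
#include <stdint.h>
/* The fields DICE for TCP needs from a captured SYN (slide 12): address pair, port pair, seq, ack. */
typedef struct { uint32_t src_ip, dst_ip, seq, ack; uint16_t src_port, dst_port; uint8_t flags; } tcp_summary;
enum { TH_SYN = 0x02, TH_ACK = 0x10 };

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Step 2: read the IPv4 and TCP headers of the captured packet. Returns 0 on success, -1 if malformed. */
int parse_tcp(const uint8_t *pkt, size_t len, tcp_summary *out) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6) return -1;   /* IP protocol 6 = TCP */
    const uint8_t *tcp = pkt + ihl;
    out->src_ip = be32(pkt + 12);  out->dst_ip = be32(pkt + 16);
    out->src_port = be16(tcp);     out->dst_port = be16(tcp + 2);
    out->seq = be32(tcp + 4);      out->ack = be32(tcp + 8);
    out->flags = tcp[13];
    return 0;
}

typedef int (*handler_t)(const tcp_summary *syn, tcp_summary *reply);
static int donothing(const tcp_summary *syn, tcp_summary *reply) { (void)syn; (void)reply; return 0; }

/* Step 4: the deceptive SYN+ACK. Endpoints swapped, ACK = client ISN + 1, our own ISN constructed here. */
static int decepted_response(const tcp_summary *syn, tcp_summary *reply) {
    reply->src_ip = syn->dst_ip;      reply->dst_ip = syn->src_ip;
    reply->src_port = syn->dst_port;  reply->dst_port = syn->src_port;
    reply->seq = 0x12345678;          /* constructed ISN; a deployment picks it at random */
    reply->ack = syn->seq + 1;
    reply->flags = TH_SYN | TH_ACK;
    return 1;
}

/* Step 3: constructed watch list standing in for the slide's func[2^32] direct-index table. */
static const uint32_t suspicious[] = { 0x0a000005u /* 10.0.0.5, constructed */ };
handler_t lookup(uint32_t ip) {
    for (size_t i = 0; i < sizeof suspicious / sizeof *suspicious; i++)
        if (suspicious[i] == ip) return decepted_response;
    return donothing;
}

/* Steps 2-4 of slide 14 in one call: 1 if a deceptive SYN+ACK was built, 0 if ignored, -1 if malformed. */
int dice_handle(const uint8_t *pkt, size_t len, tcp_summary *reply) {
    tcp_summary syn;
    if (parse_tcp(pkt, len, &syn) != 0) return -1;
    if ((syn.flags & (TH_SYN | TH_ACK)) != TH_SYN) return 0;   /* only a pure SYN starts a handshake */
    return lookup(syn.src_ip)(&syn, reply);
}

/* Constructed sample: SYN from 10.0.0.5:40000 to 203.0.113.10:443, ISN 0x64, no TCP options. */
const uint8_t sample_syn[40] = { 0x45,0,0,40, 0,0,0x40,0, 64,6,0,0, 10,0,0,5, 203,0,113,10,
    0x9c,0x40, 0x01,0xbb, 0,0,0,0x64, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };
tcp_summary last_reply;   /* receives the deceptive SYN+ACK fields built for sample_syn */
```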
  17. Is the real TCP response too slow? • Slow (in most overseas cases) – e.g. Tokyo – San Francisco • Round trip: 18,000 km – Speed of light: 300,000 km/s – So at least about 60 msec is required for an IP packet round trip: traffic initiated from Tokyo to San Francisco, and the response sent from San Francisco back to the traffic initiator (in Tokyo)
  18. Conclusion
  19. Conclusion • DICE for TCP is easier than DICE (for DNS) • The IP address check can be made faster • DICE for TCP must be placed at a proper point • DICE for DNS and DICE for TCP are now in operation at a certain company ☺ • The speed of light is slow
  20. Thank you! wakatono@gmail.com, @wakatono (Twitter), https://www.facebook.com/wakatono. If possible, any questions are welcome via email or Twitter. Of course, also at the banquet or any networking time ☺ Special thanks to: my friends (illustrators in Japan)