23 February 2013. Add response.
22 February 2013
Blocking China and Bots
Date: Fri, 22 Feb 2013 13:31:11 +0100
From: Eugen Leitl <eugen[at]leitl.org>
To: cypherpunks[at]al-qaeda.net, info[at]postbiota.org,
zs-p2p[at]googlegroups.com
Subject: Re: NYT covers China cyberthreat
----- Forwarded message from Rich Kulawiec <rsk[at]gsp.org> -----
From: Rich Kulawiec <rsk[at]gsp.org>
Date: Thu, 21 Feb 2013 11:00:24 -0500
To: nanog[at]nanog.org
Subject: Re: NYT covers China cyberthreat
On Thu, Feb 21, 2013 at 01:34:13AM +0000, Warren Bailey wrote:
> I can't help but wonder what would happen if US Corporations simply
> blocked all inbound Chinese traffic. Sure it would hurt their business,
> but imagine what the Chinese people would do in response.
Would it hurt their business? Really?
Well, if they're eBay, probably. If they're Joe's Fill Dirt and Croissants
in Omaha, then probably not, because nobody, NOBODY in China is ever actually
going to purchase a truckload of dirt or a tasty croissant from Joe. So would
it actually matter if they couldn't get to Joe's web site or Joe's mail server
or especially Joe's VPN server? Probably not.
Nobody in Peru, Egypt, or Romania is likely to be buying from Joe any time
soon either.
This is why I've been using geoblocking at the network and host levels for
over a decade, and it works. But it does require that you make an effort
to study and understand your own traffic patterns as well as your organizational
requirements. [1]
I use it on a country-by-country basis (thank you ipdeny.com) and on a
service-by-service basis: a particular host might allow http from anywhere,
but ssh only from the country it's in. I also deny selected networks access
to selected services, e.g., Amazon's cloud doesn't get access to port 25
because of the non-stop spam and Amazon's refusal to do anything about it.
Anything on the Spamhaus DROP or EDROP lists (thank you Spamhaus) is not
part of my view of the Internet. And so on. Combined, all this achieves lossless
compression of abusive traffic.
This is not a security fix, per se; any services that are vulnerable are
still vulnerable. But it does cut down on the attack surface as measured
along one axis, which in turn reduces the scope of some problems and renders
them more tractable to other approaches.
An even better approach, when appropriate, is to block everything and then
only enable access selectively. This is a particularly good idea when defending
things like ssh. Do you *really* need to allow incoming ssh from the entire
planet? Or could "the US, Canada, the UK and Germany" suffice? If so, then
why aren't you enforcing that? Do you really think it's a good idea to give
someone with a 15-million member global botnet 3 or 5 or 10 brute-force attempts
*per bot* before fail2ban or similar kicks in? I don't. I think 0 attempts
per most bots is a much better idea. Let 'em eat packet drops while they
try to figure out which subset of bots can even *reach* your ssh server.
Which brings me to the NYTimes, and the alleged hacking by the Chinese. Why,
given that the NYTimes apparently handed wads of cash over to various consulting
firms, did none of those firms get the NYTimes to make a first-order attempt
at solving this problem? Why in the world was anything in their corporate
infrastructure accessible from the 2410 networks and 143,067,136 IP addresses
in China? Who signed off on THAT?
(Yes, yes, I *know* that the NYTimes has staff there, some permanently and
some transiently. A one-off solution crafted for this use case would suffice.
I've done it. It's not hard. And I doubt that it would need to work for more
than, what, a few dozen of the NYTimes' 7500 employees? Clone and customize
for Rio, Paris, Moscow, and other locations. This isn't hard either. Oh,
and lock it out of everything that a field reporter/editor/photographer doesn't
need, e.g., there is absolutely no way someone coming in through one of those
should be able to reach the subscriber database.)
Two more notes: first, blocking inbound traffic is usually not enough. Blocks
should almost always be bidirectional. [2] This is especially
important for things like the DROP/EDROP lists, because then spam payloads,
phishes, malware, etc. won't be able to phone home quite so readily, and
while your users will still be able to click on links that lead to bad
things...they won't get there.
Second, this may sound complex. It's not. I handle my needs with make, rsync,
a little shell, a little perl, and other similar tools, but clearly you could
do the same thing with any system configuration management setup. And with
proper logging, it's not hard to discover the mistakes and edge cases, to
apply suitable fixes and temporary point exceptions, and so on.
---rsk
[1] 'Now, your typical IT executive, when I discuss this
concept with him or her, will stand up and say something like, "That sounds
great, but our enterprise network is really complicated. Knowing about all
the different apps that we rely on would be impossible! What you're saying
sounds reasonable until you think about it and realize how absurd it is!"
To which I respond, "How can you call yourself a 'Chief Technology Officer'
if you have no idea what your technology is doing?" A CTO isn't going to
know detail about every application on the network, but if you haven't got
a vague idea what's going on it's impossible to do capacity planning, disaster
planning, security planning, or virtually any of the things in a CTO's charter.'
--- Marcus Ranum
[2] "We were so concerned with getting out that we never
stopped to consider what we might be letting in, until it was too late."
Let's see who recognizes that one. ;-)
----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820
http://www.ativel.com
http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
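The policy Rich describes above (default deny, country-by-country and service-by-service allow-lists, a DROP-style list that is blocked in both directions, and selected networks denied selected services) is easy to state as data and test before it is loaded into a firewall. The following is an added example, not code from the thread or from any of the tools it mentions; every prefix in it is a constructed documentation range standing in for a real country zone file or DROP entry, and the nftables text it emits is meant to be reviewed, not loaded blindly.

```python
"""
Simulate a default-deny, per-country, per-service firewall policy of the kind
described in the post, and render the same policy as an nftables ruleset.
All prefixes below are constructed documentation ranges (RFC 5737), not real
country allocations and not real Spamhaus DROP/EDROP entries.
"""
import ipaddress

# Constructed stand-in for per-country zone files such as those ipdeny.com publishes.
COUNTRY_ZONES = {
    "us": ["203.0.113.0/24", "198.51.100.0/25"],
    "de": ["198.51.100.128/25"],
    "cn": ["192.0.2.0/24"],
}
# Constructed stand-in for a DROP/EDROP-style list; it overlaps "cn" on purpose,
# since a drop-listed range is refused regardless of country or service.
DROP_LIST = ["192.0.2.128/25"]
# Constructed stand-in for a cloud provider's ranges that must never reach port 25.
CLOUD_NO_SMTP = ["198.51.100.0/25"]

# Per-service policy: TCP port -> set of allowed country codes, or None for "anywhere".
# Ports not listed are closed; that is the default-deny part.
POLICY = {80: None, 443: None, 22: {"us", "de"}, 25: {"us"}}
SERVICE_DENY = {25: CLOUD_NO_SMTP}


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


ZONE_NETS = {cc: _nets(cidrs) for cc, cidrs in COUNTRY_ZONES.items()}
DROP_NETS = _nets(DROP_LIST)
DENY_NETS = {port: _nets(cidrs) for port, cidrs in SERVICE_DENY.items()}


def in_any(ip, nets):
    return any(ip in n for n in nets)


def country_of(ip):
    """Return the country code whose zone contains ip, or None if it is in no zone."""
    for cc, nets in ZONE_NETS.items():
        if in_any(ip, nets):
            return cc
    return None


def decide(src_ip, dport=None, direction="in"):
    """Return (verdict, reason) for one packet, evaluated in firewall order:
    drop list first (both directions), then whether the port is served at all,
    then per-service network denies, then the country allow-list for that service."""
    ip = ipaddress.ip_address(src_ip)
    if in_any(ip, DROP_NETS):
        return "drop", "drop-list"            # bidirectional: also stops phone-home
    if direction == "out":
        return "accept", "egress"
    if dport not in POLICY:
        return "drop", "closed-port"
    if in_any(ip, DENY_NETS.get(dport, [])):
        return "drop", "network-deny"
    allowed = POLICY[dport]
    if allowed is None:
        return "accept", "open-to-all"
    cc = country_of(ip)
    if cc in allowed:
        return "accept", f"geo-allow:{cc}"
    return "drop", f"geo-block:{cc or 'unknown'}"   # unlisted source: deny by default


def render_nftables():
    """Emit the same policy as nftables text (review it before `nft -f`)."""
    lines = ["table inet geo {"]

    def add_set(name, cidrs):
        lines.append(f"  set {name} {{ type ipv4_addr; flags interval; "
                     f"elements = {{ {', '.join(cidrs)} }} }}")

    add_set("drop_list", DROP_LIST)
    for cc, cidrs in sorted(COUNTRY_ZONES.items()):
        add_set(f"cc_{cc}", cidrs)
    for port, cidrs in sorted(SERVICE_DENY.items()):
        add_set(f"deny_{port}", cidrs)
    lines += ["  chain input {",
              "    type filter hook input priority 0; policy drop;",
              "    ct state established,related accept",
              "    iif lo accept",
              "    ip saddr @drop_list drop"]
    for port, allowed in sorted(POLICY.items()):
        if port in SERVICE_DENY:
            lines.append(f"    tcp dport {port} ip saddr @deny_{port} drop")
        if allowed is None:
            lines.append(f"    tcp dport {port} accept")
        else:
            for cc in sorted(allowed):
                lines.append(f"    tcp dport {port} ip saddr @cc_{cc} accept")
    lines += ["  }",
              "  chain output {",
              "    type filter hook output priority 0; policy accept;",
              "    ip daddr @drop_list drop",
              "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for pkt in [("203.0.113.10", 22), ("192.0.2.10", 22), ("192.0.2.10", 80),
                ("192.0.2.200", 80), ("198.51.100.5", 25), ("10.0.0.1", 22)]:
        print(pkt, decide(*pkt))
    print(render_nftables())
```

The `decide` function is the part worth keeping around: run it over a day's worth of logged source addresses and ports before deploying, and the "geo-block:unknown" and "network-deny" reasons will show you exactly which legitimate flows (a travelling employee's VPN, a partner's mail relay) need a point exception, which is the study-your-own-traffic step the post insists on.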
Date: Fri, 22 Feb 2013 13:56:53 +0100
From: Eugen Leitl <eugen[at]leitl.org>
To: cypherpunks[at]al-qaeda.net, info[at]postbiota.org,
zs-p2p[at]googlegroups.com
Subject: [liberationtech] Chinese Hacking, Mandiant & Cyber War
----- Forwarded message from Yosem Companys <companys[at]stanford.edu> -----
From: Yosem Companys <companys[at]stanford.edu>
Date: Thu, 21 Feb 2013 08:27:39 -0800
To: Liberation Technologies
<liberationtech[at]lists.stanford.edu>
Cc: Bruce Schneier <schneier[at]counterpane.com>, Gary McGraw
<gem[at]cigital.com>, Ross Anderson
<Ross.Anderson[at]cl.cam.ac.uk>
Subject: [liberationtech] Chinese Hacking, Mandiant & Cyber War
From: Gary McGraw <gem[at]cigital.com>
No doubt all of you have seen the NY Times article about the Mandiant report
that pervades the news this week:
http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html
I believe it is important to understand the difference between cyber espionage
and cyber war. Because espionage unfolds over months or years in realtime,
we can triangulate the origin of an exfiltration attack with some certainty.
During the fog of a real cyber war attack, which is more likely to happen
in milliseconds, the kind of forensic work that Mandiant did would not be
possible. (In fact, we might just well be "Gandalfed" and pin the attack
on the wrong enemy as explained here:
http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare
.)
Sadly, policymakers seem to think we have completely solved the attribution
problem. We have not. This article published in Computerworld does an adequate
job of stating my position:
http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9
Those of us who work on security engineering and software security can help
educate policymakers and others so that we don't end up pursuing the folly
of active defense.
gem
company http://www.cigital.com
podcast http://www.cigital.com/silverbullet
blog http://www.cigital.com/justiceleague
book http://www.swsec.com
----- End forwarded message -----
Date: Sat, 23 Feb 2013 12:25:43 +0100
From: Eugen Leitl <eugen@leitl.org>
To: cypherpunks@al-qaeda.net, info@postbiota.org, Liberation Technologies
<liberationtech@mailman.stanford.edu>
Subject: RE: NYT covers China cyberthreat
----- Forwarded message from "Naslund, Steve" <SNaslund@medline.com> -----
From: "Naslund, Steve" <SNaslund@medline.com>
Date: Thu, 21 Feb 2013 11:47:44 -0600
To: nanog@nanog.org
Subject: RE: NYT covers China cyberthreat
> I can't help but wonder what would happen if US Corporations simply
> blocked all inbound Chinese traffic. Sure it would hurt their
> business, but imagine what the Chinese people would do in response
First thing is the Chinese government would rejoice since they don't want
their citizens on our networks (except the ones they recruit for cyber warfare,
they can get other address ranges for those guys).
Second thing is someone will make a ton of money bouncing Chinese traffic
through somewhere else (and someone will create a SPAMHAUS like service to
detect that, and so on, and so on, and so on).
Third thing is all the companies that do business in and around China would
be screaming because tons of them use VPNs that are sourced from Chinese
IP address space. Some people even like to travel and access things back
home, you know weird stuff, like email, news, music, videos.
One of the biggest problems with geoblocking is that often the addresses
do not reveal the true source of the traffic. If you block everything from
China, you miss attacks sourced from China that are bouncing through bot
networks with hosts worldwide. Remember Tor; it is built to defeat just that
sort of security by obscuring source locations. Corporations also often have
egress points to the Internet in countries other than the one the user is
in. If you block everything from China, then you are locking out any of your
own personnel that travel internationally or any of your customers that travel.
Who here has not surfed the web from a hotel room on business? Anyone with
malicious intent has a zillion ways to bypass that sort of security. Obscuring
your source address is child's play. The management of the geoblocking will
not be worth the minimal protection it provides. Trying to locate someone
by address is a complete PITA in my opinion. If you go to Europe you will
often get sent to the wrong Google sites because they attempt to locate you
instead of just letting you put in the correct URL (if you are in the UK,
it is not that hard to include .co.uk in your URL). I have been in the UK
and gotten Google Germany and Google Spain for no apparent reason (except
that carriers in Europe have addresses from all over the place because of
mergers, alliances, and all sorts of other arrangements).
Blocking networks by service will also be a management nightmare since addresses
often change and new blocks get assigned and companies offer different services.
Who manages all of that and who is going to tell you when something changes
(the answer is nobody, you will know when stuff breaks). If my network security
guy had enough time to keep track of all of Amazon's address space and what
services they are offering this week and all the services they host in their
datacenters, I would fire him for having that much time on his hands. Can
you keep track of all the stuff coming from Akamai and where all their servers
are at on a continuing basis? Cloud services will make blocking by service
nearly impossible since the network can reconfigure at any time.
I would love to see this implementation in a large corporate or government
network. What a huge game of whack-a-mole that is. Seems to me that the time
would be much better spent tuning up firewalls and securing hosts properly.
I think geoblocking gives you nothing but a false sense of security. I also
believe that if you see an attack coming from China in particular it is because
they WANT you to know it is coming from China. I would think any state sponsor
conducting a very serious attack would conceal themselves better than that.
I also believe that a lot of attacks that look like they are coming from
China are actually coming from elsewhere. Think about this, if I am a hacker
in the US, attacking a US victim, it would be a big advantage to look like
I was coming from China because it almost guarantees no attempt to prosecute
or track me down since everyone in this business knows that if it comes out
of China you can't do anything about it. I would not be surprised to find
out China is letting their capabilities be known just to remind everyone
of what the implications of messing with them are. Remember Doctor Strangelove,
"what good is a doomsday bomb if you don't tell anyone about it ?!?!?"
Steven Naslund