Donate for the Cryptome archive of files from June 1996 to the present

23 February 2013. Add response.

22 February 2013

Blocking China and Bots


Date: Fri, 22 Feb 2013 13:31:11 +0100
From: Eugen Leitl <eugen[at]leitl.org>
To: cypherpunks[at]al-qaeda.net, info[at]postbiota.org, zs-p2p[at]googlegroups.com
Subject: Re: NYT covers China cyberthreat

----- Forwarded message from Rich Kulawiec <rsk[at]gsp.org> -----

From: Rich Kulawiec <rsk[at]gsp.org>
Date: Thu, 21 Feb 2013 11:00:24 -0500
To: nanog[at]nanog.org
Subject: Re: NYT covers China cyberthreat

On Thu, Feb 21, 2013 at 01:34:13AM +0000, Warren Bailey wrote:

> I can't help but wonder what would happen if US Corporations simply
> blocked all inbound Chinese traffic. Sure it would hurt their business,
> but imagine what the Chinese people would do in response.

Would it hurt their business? Really?

Well, if they're eBay, probably. If they're Joe's Fill Dirt and Croissants in Omaha, then probably not, because nobody, NOBODY in China is ever actually going to purchase a truckload of dirt or a tasty croissant from Joe. So would it actually matter if they couldn't get to Joe's web site or Joe's mail server or especially Joe's VPN server? Probably not.

Nobody in Peru, Egypt, or Romania is likely to be buying from Joe any time soon either.

This is why I've been using geoblocking at the network and host levels for over a decade, and it works. But it does require that you make an effort to study and understand your own traffic patterns as well as your organizational requirements. [1]

I use it on a country-by-country basis (thank you ipdeny.com) and on a service-by-service basis: a particular host might allow http from anywhere, but ssh only from the country it's in. I also deny selected networks access to selected services, e.g., Amazon's cloud doesn't get access to port 25 because of the non-stop spam and Amazon's refusal to do anything about it. Anything on the Spamhaus DROP or EDROP lists (thank you Spamhaus) is not part of my view of the Internet. And so on. Combined, all this achieves lossless compression of abusive traffic.

This is not a security fix, per se; any services that are vulnerable are still vulnerable. But it does cut down on the attack surface as measured along one axis, which in turn reduces the scope of some problems and renders them more tractable to other approaches.

An even better approach, when appropriate, is to block everything and then only enable access selectively. This is a particularly good idea when defending things like ssh. Do you *really* need to allow incoming ssh from the entire planet? Or could "the US, Canada, the UK and Germany" suffice? If so, then why aren't you enforcing that? Do you really think it's a good idea to give someone with a 15-million member global botnet 3 or 5 or 10 brute-force attempts *per bot* before fail2ban or similar kicks in? I don't. I think 0 attempts per most bots is a much better idea. Let 'em eat packet drops while they try to figure out which subset of bots can even *reach* your ssh server.

Which brings me to the NYTimes, and the alleged hacking by the Chinese. Why, given that the NYTimes apparently handed wads of cash over to various consulting firms, did none of those firms get the NYTimes to make a first-order attempt at solving this problem? Why in the world was anything in their corporate infrastructure accessible from the 2410 networks and 143,067,136 IP addresses in China? Who signed off on THAT?

(Yes, yes, I *know* that the NYTimes has staff there, some permanently and some transiently. A one-off solution crafted for this use case would suffice. I've done it. It's not hard. And I doubt that it would need to work for more than, what, a few dozen of the NYTimes' 7500 employees? Clone and customize for Rio, Paris, Moscow, and other locations. This isn't hard either. Oh, and lock it out of everything that a field reporter/editor/photographer doesn't need, e.g., there is absolutely no way someone coming in through one of those should be able to reach the subscriber database.)

Two more notes: first, blocking inbound traffic is usually not enough. Blocks should almost always be bidirectional. [2] This is especially important for things like the DROP/EDROP lists, because then spam payloads, phishes, malware, etc. won't be able to phone home quite so readily, and while your users will still be able to click on links that lead to bad things...they won't get there.

Second, this may sound complex. It's not. I handle my needs with make, rsync, a little shell, a little perl, and other similar tools, but clearly you could do the same thing with any system configuration management setup. And with proper logging, it's not hard to discover the mistakes and edge cases, to apply suitable fixes and temporary point exceptions, and so on.

---rsk

[1] 'Now, your typical IT executive, when I discuss this concept with him or her, will stand up and say something like, "That sounds great, but our enterprise network is really complicated. Knowing about all the different apps that we rely on would be impossible! What you're saying sounds reasonable until you think about it and realize how absurd it is!" To which I respond, "How can you call yourself a 'Chief Technology Officer' if you have no idea what your technology is doing?" A CTO isn't going to know detail about every application on the network, but if you haven't got a vague idea what's going on it's impossible to do capacity planning, disaster planning, security planning, or virtually any of the things in a CTO's charter.' --- Marcus Ranum

[2] "We were so concerned with getting out that we never stopped to consider what we might be letting in, until it was too late."

Let's see who recognizes that one. ;-)

----- End forwarded message -----

--

Eugen* Leitl http://leitl.org

______________________________________________________________

ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE


Date: Fri, 22 Feb 2013 13:56:53 +0100
From: Eugen Leitl <eugen[at]leitl.org>
To: cypherpunks[at]al-qaeda.net, info[at]postbiota.org, zs-p2p[at]googlegroups.com
Subject: [liberationtech] Chinese Hacking, Mandiant & Cyber War

----- Forwarded message from Yosem Companys <companys[at]stanford.edu> -----

From: Yosem Companys <companys[at]stanford.edu>
Date: Thu, 21 Feb 2013 08:27:39 -0800
To: Liberation Technologies <liberationtech[at]lists.stanford.edu>
Cc: Bruce Schneier <schneier[at]counterpane.com>, Gary McGraw <gem[at]cigital.com>, Ross Anderson <Ross.Anderson[at]cl.cam.ac.uk>
Subject: [liberationtech] Chinese Hacking, Mandiant & Cyber War

From: Gary McGraw <gem[at]cigital.com>

No doubt all of you have seen the NY Times article about the Mandiant report that pervades the news this week:

http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-
hacking-against-us.html

I believe it is important to understand the difference between cyber espionage and cyber war. Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just well be "Gandalfed" and pin the attack on the wrong enemy as explained here:

http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-
defense-prudent-alternative-to-cyberwarfare

.)

Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article published in Computerworld does an adequate job of stating my position:

http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9

Those of us who work on security engineering and software security can help educate policymakers and others so that we don't end up pursuing the folly of active defense.

gem

company http://www.cigital.com
podcast http://www.cigital.com/silverbullet
blog http://www.cigital.com/justiceleague
book http://www.swsec.com

--

Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech

----- End forwarded message -----


Date: Sat, 23 Feb 2013 12:25:43 +0100
From: Eugen Leitl <eugen@leitl.org>
To: cypherpunks@al-qaeda.net, info@postbiota.org, Liberation Technologies <liberationtech@mailman.stanford.edu>
Subject: RE: NYT covers China cyberthreat

----- Forwarded message from "Naslund, Steve" <SNaslund@medline.com> -----

From: "Naslund, Steve" <SNaslund@medline.com>
Date: Thu, 21 Feb 2013 11:47:44 -0600
To: nanog@nanog.org
Subject: RE: NYT covers China cyberthreat

> I can't help but wonder what would happen if US Corporations simply
> blocked all inbound Chinese traffic. Sure it would hurt their
> business, but imagine what the Chinese people would do in response

First thing is the Chinese government would rejoice since they don't want their citizens on our networks (except the ones they recruit for cyber warfare, they can get other address ranges for those guys).

Second thing is someone will make a ton of money bouncing Chinese traffic through somewhere else (and someone will create a SPAMHAUS like service to detect that, and so on, and so on, and so on)

Third thing is all the companies that do business in and around China would be screaming because tons of them use VPNs that are sourced from Chinese IP address space. Some people even like to travel and access things back home, you know weird stuff, like email, news, music, videos.

One of the biggest problems with geoblocking is that often the addresses do not reveal the true source of the traffic. If you block everything from China, you miss attacks sourced from China that are bouncing through bot networks with hosts worldwide. Remember Tor, it is built to defeat just that sort of security by obscuring source locations. Corporations also often have egress points to the Internet in countries other than the one the user is in. If you block everything from China, then you are locking out any of your own personnel that travel Internationally or any of your customers that travel. Who here has not surfed the web from a hotel room on business. Anyone with malicious intent has a zillion ways to bypass that sort of security. Obscuring your source address is child's play. The management of the geoblocking will not be worth the minimal protection it provides. Trying to locate someone by address is a complete PITA in my opinion. If you go to Europe you will often get sent to the wrong Google sites because they attempt to locate you instead of just letting you put in the correct URL (if you are in the UK, it is not that hard to include .co.uk in your URL. I have been in the UK and gotten Google Germany and Google Spain for no apparent reason (except that carriers in Europe have addresses from all over the place because of mergers, alliances, and all sort of other arrangements).

Blocking networks by service will also be a management nightmare since addresses often change and new blocks get assigned and companies offer different services. Who manages all of that and who is going to tell you when something changes (the answer is nobody, you will know when stuff breaks). If my network security guy had enough time to keep track of all of Amazon's address space and what services they are offering this week and all the services they host in their datacenters, I would fire him for having that much time on his hands. Can you keep track of all the stuff coming from Akamai and where all their servers are at on a continuing basis? Cloud services will make blocking by service nearly impossible since the network can reconfigure at any time.

I would love to see this implementation in a large corporate or government network. What a huge game of whack a mole that is. Seems to me that the time would be much better spent tuning up firewalls and securing hosts properly.

I think geoblocking gives you nothing but a false sense of security. I also believe that if you see an attack coming from China in particular it is because they WANT you to know it is coming from China. I would think any state sponsor conducting a very serious attack would conceal themselves better than that. I also believe that a lot of attacks that look like they are coming from China are actually coming from elsewhere. Think about this, if I am a hacker in the US, attacking a US victim, it would be a big advantage to look like I was coming from China because it almost guarantees no attempt to prosecute or track me down since everyone in this business knows that if it comes out of China you can't do anything about it. I would not be surprised to find out China is letting their capabilities be known just to remind everyone of what the implications of messing with them is. Remember Doctor Strangelove, "what good is a doomsday bomb if you don't tell anyone about it ?!?!?"

Steven Naslund