<p><em>manta.black feed (Jekyll, generated 2023-12-04T22:54:41+00:00, <a href="https://manta.black/feed.xml">https://manta.black/feed.xml</a>): A security researcher and programmer. In this corner of the web, you find my research, notes, and scattered thoughts.</em></p>
<h1 id="dns-tunneling-deep-dive">DNS Tunneling Deep Dive</h1>
<p><em>blackmanta, 2023-11-11, <a href="https://manta.black/dns-tunneling-deep-dive">https://manta.black/dns-tunneling-deep-dive</a></em></p>
<p>If you are interested in a more formal introduction to the DNS tunneling technique and threat tracking, you may want to check out my previous <a href="https://manta.black/dns-tunneling-and-in-the-wild-attribution.html">post</a>.</p>
<h2 id="table-of-contents">Table of Contents</h2>
<ul>
<li><a href="#getting-started">Getting Started</a></li>
<li><a href="#references">References</a></li>
<li><a href="#updates">Updates</a></li>
</ul>
<h2 id="getting-started">Getting Started</h2>
<p>In this post, we do a deep dive into the requirements to establish a DNS tunnel, also referred to as a covert channel. This topic is extensively covered elsewhere. In this post I am attempting to compile my learning and knowledge to provide the technical background needed to create a framework for establishing a covert channel in a custom sample. With that in mind, our goal is to establish communication between a controlled DNS zone on an authoritative server and a program. This can later be expanded to include additional evasion techniques like DNS-over-HTTPS or DNS-over-TLS, but we will start simple. If you are interested in just leveraging a tool to accomplish this goal, I would suggest checking out <a href="https://github.com/yarrick/iodine">iodine</a>.</p>
<p>Now, since we do not care about speed, given the heuristics of this technique, we will use Python for simplicity. From a meta perspective, we will need two application processes, the server and the client. You can find this post's code base <a href="https://github.com/trvon/pit">here</a>.</p>
<h2 id="setting-up-the-environment">Setting Up the Environment</h2>
<ul>
<li>Required tools and libraries (e.g., Python, specific DNS libraries).</li>
<li>Setting up a Python virtual environment.</li>
<li>Installing necessary Python packages (e.g., <code class="language-plaintext highlighter-rouge">dnspython</code>, <code class="language-plaintext highlighter-rouge">requests</code>, <code class="language-plaintext highlighter-rouge">scapy</code>).</li>
</ul>
<h2 id="building-the-server">Building the Server</h2>
<ul>
<li>Designing the server architecture.</li>
<li>Code walkthrough for setting up the DNS server.</li>
<li>Handling DNS queries and embedding data.</li>
</ul>
<h2 id="developing-the-client">Developing the Client</h2>
<ul>
<li>Architecture of the client-side application.</li>
<li>Code for sending requests and receiving data through DNS queries.</li>
<li>Integrating the client with the server.</li>
</ul>
<h2 id="testing-the-tunnel">Testing the Tunnel</h2>
<ul>
<li>Steps to test the DNS tunnel.</li>
<li>Monitoring and debugging techniques.</li>
</ul>
<h2 id="evasion-techniques">Evasion Techniques</h2>
<ul>
<li>Introduce DNS-over-HTTPS and DNS-over-TLS.</li>
<li>Discuss how these techniques can be integrated.</li>
<li>Explain the advantages of using these techniques for evasion.</li>
</ul>
<h2 id="security-implications-and-ethical-considerations">Security Implications and Ethical Considerations</h2>
<ul>
<li>Discuss the ethical considerations of using DNS tunneling.</li>
<li>Legal implications and potential misuse.</li>
<li>How to responsibly disclose vulnerabilities.</li>
</ul>
<h2 id="references">References</h2>
<h2 id="updates">Updates</h2>
<ul>
<li>11/17/2023: Updated post readability and added scaffolding for later updates.</li>
<li>11/28/2023: Added additional content sections and scaffolding</li>
<li>12/2/2023: Updated post content and removing scaffolded content</li>
</ul>
<h1 id="using-freebsd-as-a-server">Using FreeBSD as a Server</h1>
<p><em>blackmanta, 2023-10-19, <a href="https://manta.black/using-freebsd-as-a-server">https://manta.black/using-freebsd-as-a-server</a></em></p>
<p>I have used FreeBSD as a server on and off for a couple of years. After recently corrupting a research server running Ubuntu Server, I found it imperative to migrate back to FreeBSD, set up ZFS snapshots, and segment hosted services using the system's native hypervisor to improve my system's recoverability. If you have not checked out <a href="https://github.com/jimsalterjrs/sanoid/">sanoid</a>, I would highly recommend it. This post has been developed to capture that process and point to helpful resources that I have found along the way.</p>
<p>FreeBSD, similar to Linux, has its own native hypervisor, bhyve. This allows for running virtual machines at close to native performance. For more information on bhyve and FreeBSD, you can check out <a href="https://klarasystems.com/articles/from-0-to-bhyve-on-freebsd-13-1/">3</a> and <a href="https://freebsdfoundation.org/wp-content/uploads/2022/03/CBSD-Part-1-Production.pdf">2</a>. Now, I love setting things up manually just as much as any other tech enthusiast, but I have found that the CLI tool <a href="https://www.bsdstore.ru/en/about.html">cbsd</a> saves me much time. There is a wide breadth of jail and host management utilities, but this is my current go-to. The setup process is simple and captured in the quick start tutorial provided in <a href="https://www.bsdstore.ru/en/cbsd_quickstart.html">1</a>. There is also a FreeBSD distribution, <a href="https://clonos.convectix.com/">clonos</a>, that leverages cbsd and provides a web GUI for simplified management.</p>
<p><strong><em>Note</em></strong> After setting up the cbsd tool, I have yet to figure out how to configure permissions so that an administrative user can use the tool without sudo or doas. I have a suspicion that it is related to the location where the jails are initially set up. If I figure that out, I will revisit this post and make an amendment.</p>
<h2 id="getting-started">Getting Started</h2>
<p>There are a couple of changes to make to the <em>/etc/rc.conf</em> file, but for the most part, the pkg or port package will tell you the changes that need to be made post installation. Just be sure not to install all the service-based packages you need at once unless you are using a GUI environment or redirecting the install output to a log file.</p>
<p>Helpful programs are typically installed post installation, pre-reboot. I will append any helpful commands that I find to aid the setup.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pkg install git vim tailscale doas tmux
service tailscaled enable
service tailscaled start
sudo tailscale up
sudo sysrc tailscaled_tun_dev="tailscale0"
</code></pre></div></div>
<p>The next step is the most important: the firewall setup. For that, I will currently direct you to <a href="https://docs.freebsd.org/en/books/handbook/firewalls/">4</a> while I improve my understanding of the firewall options offered and the best configuration for a home server.</p>
<h2 id="pci-passthrough">PCI Passthrough</h2>
<p>If you are an AI researcher or enjoy cracking passwords in your free time, it will save you a lot of grief to figure out how to access the device's native GPU in your newly segmented environment. Some of this guidance is still experimental, but my current working configuration requires identifying the PCI device in question with <em>pciconf -lv</em>. In my case, I am using <em>pciconf -lv | grep "nvidia" -i -C5</em> to find my NVIDIA GPU. My output is the following:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ppt0@pci0:1:0:0: class=0x030000 rev=0xa1 hdr=0x00 vendor=0x10de device=0x24b0 subvendor=0x10de subdevice=0x14ad
vendor = 'NVIDIA Corporation'
device = 'GA104GL [RTX A4000]'
class = display
subclass = VGA
</code></pre></div></div>
<p>With the PCI device bus/slot/function information, we can now mask the device to allow it to be passed to a bhyve host. More information on this can be found in <a href="https://wiki.freebsd.org/bhyve/pci_passthrough">5</a>. In my case, I will append <em>pptdevs="1/0/0"</em> to my <em>/boot/loader.conf</em> file. You will also need to append <em>hw.vmm.amdvi.enable="1"</em> to <em>/boot/loader.conf</em>. I can then use the following commands to pass the GPU device to the running, or soon to be running, bhyve host.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cbsd bhyve-ppt mode=attach ppt=1/0/0 jname=[host name]
cbsd bset bhyve_wire_memory=1 jname=[host name]
# verify the resulting configuration with
cat /usr/jails/vm/[host name]/bhyve.conf
</code></pre></div></div>
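<p>The steps above (find the device with pciconf, derive its bus/slot/function, add it to pptdevs, add the vmm setting) are easy to get slightly wrong by hand, so here is an added example, in Python, that is not part of the post or of cbsd: it parses pciconf -lv output, picks the device matching a search string like the grep above, derives the selector that pptdevs expects, and merges it into loader.conf text without producing a second pptdevs line. The sample pciconf text is a constructed copy of the output shown above plus a placeholder second device, hw.vmm.amdvi.enable is the setting the post adds, and the helper names (plan_passthrough and the others) are mine.</p>

```python
import re

# Constructed sample modelled on the pciconf -lv output shown above; the second
# device is a made-up placeholder so the search has something to reject.
SAMPLE_PCICONF = """\
ppt0@pci0:1:0:0:\tclass=0x030000 rev=0xa1 hdr=0x00 vendor=0x10de device=0x24b0 subvendor=0x10de subdevice=0x14ad
    vendor     = 'NVIDIA Corporation'
    device     = 'GA104GL [RTX A4000]'
    class      = display
    subclass   = VGA
none0@pci0:0:3:0:\tclass=0x060000 rev=0x00 hdr=0x00 vendor=0x1234 device=0x5678 subvendor=0x1234 subdevice=0x5678
    vendor     = 'Example Vendor (placeholder)'
    device     = 'Example Bridge (placeholder)'
    class      = bridge
    subclass   = HOST-PCI
"""

# "<driver>@pci<domain>:<bus>:<slot>:<function>:" opens each device record.
HEADER_RE = re.compile(r"^(?P<driver>\w+)@pci(?P<domain>\d+):(?P<bus>\d+):(?P<slot>\d+):(?P<func>\d+):")
# Indented "key = 'value'" lines carry the human-readable attributes.
ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*'?(.*?)'?\s*$")
# Existing pptdevs line; the value may or may not be quoted, and may carry a comment.
PPTDEVS_RE = re.compile(r'^\s*pptdevs\s*=\s*"?([^"#]*)')


def parse_pciconf(text):
    """Turn pciconf -lv output into a list of dicts, one per device."""
    devices = []
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.groupdict()
            devices.append(current)
            continue
        attr = ATTR_RE.match(line)
        if current is not None and attr:
            current[attr.group(1)] = attr.group(2)
    return devices


def find_devices(devices, needle):
    """Case-insensitive search over the vendor and device strings (like grep -i)."""
    needle = needle.lower()
    return [d for d in devices
            if needle in d.get("vendor", "").lower() or needle in d.get("device", "").lower()]


def ppt_selector(device):
    """bus/slot/function in the form pptdevs expects; the PCI domain is not part of it."""
    return "{bus}/{slot}/{func}".format(**device)


def merge_pptdevs(loader_conf, selectors):
    """Return loader.conf text with one pptdevs line carrying old and new selectors."""
    kept, current = [], []
    for line in loader_conf.splitlines():
        m = PPTDEVS_RE.match(line)
        if m:
            current.extend(m.group(1).split())  # collect existing entries, re-emit once below
        else:
            kept.append(line)
    for sel in selectors:
        if sel not in current:
            current.append(sel)
    if current:
        kept.append('pptdevs="%s"' % " ".join(current))
    return "\n".join(kept) + "\n"


def ensure_setting(loader_conf, key, value):
    """Append key="value" unless a line for that key already exists."""
    key_re = re.compile(r"^\s*" + re.escape(key) + r"\s*=")
    if any(key_re.match(line) for line in loader_conf.splitlines()):
        return loader_conf
    return loader_conf + '%s="%s"\n' % (key, value)


def plan_passthrough(pciconf_text, needle, loader_conf):
    """Find the device, compute its selector, and return (selectors, new loader.conf text)."""
    matches = find_devices(parse_pciconf(pciconf_text), needle)
    selectors = [ppt_selector(d) for d in matches]
    conf = merge_pptdevs(loader_conf, selectors)
    conf = ensure_setting(conf, "hw.vmm.amdvi.enable", "1")  # the setting the post adds
    return selectors, conf


if __name__ == "__main__":
    sels, conf = plan_passthrough(SAMPLE_PCICONF, "nvidia", 'kern.vty="vt"\n')
    print("pptdevs selectors:", sels)
    print(conf)
```

<p>On a real host you would feed plan_passthrough the actual pciconf -lv output and the current contents of /boot/loader.conf, review the returned text, and only then write it back (sysrc -f /boot/loader.conf, which the post already uses for rc.conf, sets one key at a time if you prefer not to rewrite the file). A search string that matches more than one function of the same card, for example a GPU with an audio function, yields several selectors; all of them end up on the single pptdevs line.</p>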
<p>A better explanation and walkthrough of GPU passthrough on bhyve was given at <a href="https://www.youtube.com/watch?v=eurBCPj65oI">EuroBSDCon 2023 by Corvin Köhne</a>.</p>
<p>Now, if you made it through this whole post and are only interested in running FreeBSD as a workstation, there are additional programs you will want to install. Checking out the forums is a good starting point; see the <a href="https://forums.freebsd.org/threads/software-recommendatios-for-a-new-bie-system.63270/">software recommendation thread</a>.</p>
<h1 id="references">References</h1>
<ul>
<li><a href="https://www.bsdstore.ru/en/cbsd_quickstart.html">CBSD Quickstart</a></li>
<li><a href="https://freebsdfoundation.org/wp-content/uploads/2022/03/CBSD-Part-1-Production.pdf">CBSD Book (freebsd foundation)</a></li>
<li><a href="https://klarasystems.com/articles/from-0-to-bhyve-on-freebsd-13-1/">From 0 to Bhyve on FreeBSD 13.1</a></li>
<li><a href="https://docs.freebsd.org/en/books/handbook/firewalls/">Freebsd Handbook Firewalls</a></li>
<li><a href="https://wiki.freebsd.org/bhyve/pci_passthru">bhyve PCI Passthrough</a></li>
</ul>
<h1 id="dns-tunneling-and-in-the-wild-attribution">DNS Tunneling and In-the-Wild Attribution</h1>
<p><em>blackmanta, 2023-09-27, <a href="https://manta.black/dns-tunneling-and-in-the-wild-attribution">https://manta.black/dns-tunneling-and-in-the-wild-attribution</a></em></p>
<p><em>Disclaimer: This post is being actively updated. Updates are tracked at the bottom of this post</em></p>
<p><em>Disclaimer: Much of the information is compiled from my learning and online sources. Please be sure to double-check claims and references if you plan to use them.</em></p>
<h2 id="table-of-contents">Table of Contents</h2>
<ul>
<li><a href="#what-is-dns-tunneling">Introduction</a></li>
<li><a href="#advanced-threats">Advanced Threats</a></li>
<li><a href="#research">Active Research</a></li>
<li><a href="#references">References</a></li>
<li><a href="#updates">Updates</a></li>
</ul>
<h2 id="what-is-dns-tunneling">What is DNS Tunneling</h2>
<p>DNS tunneling is a technique used to evade network security controls. It uses the DNS protocol to carry data the protocol was never meant for: attackers use it to hide data in DNS requests, and open-source tools use it to let users circumvent paid hotel Wi-Fi access controls. The DNS protocol, defined in <a href="https://www.ietf.org/rfc/rfc1034.txt">RFC 1034</a> and <a href="https://www.ietf.org/rfc/rfc1035.txt">RFC 1035</a>, was established to facilitate the naming of network resources and has since been used in a wide variety of applications and, more recently, protocol abuses. A deeper dive into the DNS system can be found in this <a href="https://www.cloudflare.com/learning/dns/what-is-dns">Cloudflare blog</a>.</p>
<p>The earliest documented discussion of DNS tunneling was by Oskar Pearson on the Bugtraq mailing list in April 1998. As the technology has advanced, more advanced DNS tunneling approaches leverage DoT (DNS-over-TLS) and DoH (DNS-over-HTTPS) to evade detection and prevention solutions. We will provide a deeper dive in a later blog post. The following content will provide references to how this technique is used in the wild, tool and malware sources, and researched techniques for detecting and mitigating DNS tunneling.</p>
<h2 id="advanced-threats">Advanced Threats</h2>
<p>DNS tunneling is a technique used by a wide range of APT groups, including <a href="https://attack.mitre.org/groups/G0026/">APT18</a>, <a href="https://attack.mitre.org/groups/G0049/">APT34</a>, the <a href="https://www.group-ib.com/blog/cobalt/">Cobalt Group</a>, the <a href="https://www.cybereason.com/blog/research/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware">Anchor Group</a>, <a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf">ShadowPad</a>, and <a href="https://attack.mitre.org/groups/G0050/">APT32</a>, also known as Denis. The Chinese group APT18, also known as Wekby, was found using the technique in <a href="https://threatpost.com/wekby-apt-gang-using-dns-tunneling-for-command-and-control/118303/">2016</a>. The DarkHydrus group is documented using <a href="https://www.bleepingcomputer.com/news/security/darkhydrus-apt-uses-google-drive-to-send-commands-to-roguerobin-trojan/">Google Drive for C2 communication</a>, which is both interesting and novel. There are many documented zero-day exploitation and exfiltration techniques used by this group. I also want to note that attribution tracking for this group is inconsistent across sources.</p>
<p>APT34, also known as OilRig, is documented using the technique in their 2017 <a href="https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/">BONDUPDATER</a> and 2018 <a href="https://blog.talosintelligence.com/dnspionage-campaign-targets-middle-east/">DNSpionage malware</a> campaigns. They improved their toolkit in 2020 when they leveraged the open-source tool <a href="https://github.com/Arno0x/DNSExfiltrator">DNSExfiltrator</a> to exfiltrate data. There are some very interesting write-ups on the techniques leveraged by this threat group, and I have linked them in the closing section for convenience.</p>
<h3 id="malware">Malware</h3>
<p>Malware samples that use this technique include the <a href="https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/">GodLua backdoor</a>, the <a href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/">Heyoka Backdoor</a> attributed to Aoqin Dragon and tracked by SentinelLabs, <a href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/">MoustachedBouncer</a>, FIN6's <a href="https://www.sentinelone.com/labs/fin6-frameworkpos-point-of-sale-malware-analysis-internals/">FrameworkPOS</a>, <a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf">InvisiMole</a>, <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a">Mori</a>, the <a href="https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf">Snake malware</a>, the <a href="https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor">SUNBURST</a> campaign attributed to UNC2452 and APT29, Snugy found in the <a href="https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/">xHunt campaign</a>, and <a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html">WellMess</a>.</p>
<p>Notably, the GodLua backdoor, named by the discovering researchers based on its obfuscation technique and language of choice, connects infected machines to a larger botnet capable of launching DDoS attacks. The malware campaign is documented using DNS tunneling to communicate back to a C2 server.</p>
<p>If you are interested in finding more APT and other groups using covert channels, additional references to attribution can be referenced from <a href="https://attack.mitre.org/techniques/T1572/">MITRE ATT&CK</a>. A deep dive into attacks is provided from a <a href="https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild/">UNIT 42</a> blog post. Thanks for your interest in this blog. From this point on we will journey deeper into cutting edge defensive mechanisms against DNS tunneling attacks.</p>
<h2 id="research">Research</h2>
<p>To defend against these attacks, there are a couple of strategies used in consumer products. End users can leverage access control lists (ACLs) to block known malicious domains, traffic analysis techniques to monitor internal DNS activity, or intrusion prevention systems (IPS). These techniques are not new. There are great resources and posts on the topic at <a href="https://www.daemon.be/maarten/dnstunnel.html">Maarten Van Horenbeeck's</a> blog.</p>
<p>In this section, we take a survey paper approach to summarize and reference relevant DNS Tunneling research. In order for this work to be complete and relevant, it will be updated regularly until a companion research paper is released.</p>
<h3 id="machine-learning-techniques">Machine Learning Techniques</h3>
<p>Researchers from the University of New Brunswick generated the dataset <a href="https://www.unb.ca/cic/datasets/dns-exf-2021.html">CIC-Bell-DNS-EXF-2021</a> and demonstrated how machine learning can be leveraged for detecting DNS tunneling attacks in their <a href="https://dl.acm.org/doi/pdf/10.1145/3507509.3507520">paper</a>.</p>
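<p>The traffic analysis strategy mentioned in the Research introduction above, and the kind of per-query features a machine learning detector would consume, both come down to measuring how far a query deviates from ordinary naming. As an added example (not from this post, the CIC dataset, or the paper), the following Python scores a constructed resolver log against three simple heuristics: subdomain length, Shannon entropy of the subdomain, and an uncommon record type, then flags zones that accumulate several distinct suspicious subdomains. The log lines, the thresholds, the set of "rare" record types, and the assumption that the last two labels form the zone are all constructed for this illustration.</p>

```python
import math
from collections import defaultdict

# Constructed resolver log, not real traffic: "<epoch> <client> <qname> <qtype>" per line.
# The four long hex labels under tunnel.example.net imitate an encoded payload.
SAMPLE_LOG = """\
1699660000 10.0.0.5 www.example.com A
1699660001 10.0.0.5 mail.example.com MX
1699660002 10.0.0.7 4f3a9c1b2e7d8a0f6b5c3d2e1f0a9b8c.tunnel.example.net TXT
1699660003 10.0.0.7 7b2e1f0a9b8c4f3a9c1b2e7d8a0f6b5c.tunnel.example.net TXT
1699660004 10.0.0.7 0a9b8c4f3a9c1b2e7d8a0f6b5c7b2e1f.tunnel.example.net TXT
1699660005 10.0.0.7 9c1b2e7d8a0f6b5c7b2e1f0a9b8c4f3a.tunnel.example.net TXT
1699660006 10.0.0.5 cdn.example.com A
1699660007 10.0.0.9 ntp.pool.example.org A
"""

# Thresholds are assumptions for this example; calibrate them against your own baseline.
MAX_SUBDOMAIN_LEN = 30         # ordinary hostnames are short; encoded payload chunks are not
MAX_ENTROPY_BITS = 3.5         # random-looking hex/base32 labels sit near 4 bits per character
RARE_QTYPES = {"TXT", "NULL"}  # answer-heavy record types rarely requested by ordinary clients
MIN_SUBDOMAINS_PER_ZONE = 3    # a tunnel burns through many distinct names under one zone
ZONE_LABELS = 2                # treat the last two labels as the zone (assumption; real zones vary)


def shannon_entropy(text):
    """Bits of entropy per character (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """'a.b.example.net' -> ('a.b', 'example.net'); bare zones give an empty subdomain."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= ZONE_LABELS:
        return "", ".".join(labels)
    return ".".join(labels[:-ZONE_LABELS]), ".".join(labels[-ZONE_LABELS:])


def query_reasons(qname, qtype):
    """Heuristic reasons one query looks like tunneling (empty list means clean)."""
    sub, _zone = split_name(qname)
    reasons = []
    if len(sub) > MAX_SUBDOMAIN_LEN:
        reasons.append("long-subdomain")
    if shannon_entropy(sub.replace(".", "")) > MAX_ENTROPY_BITS:
        reasons.append("high-entropy")
    if qtype.upper() in RARE_QTYPES:
        reasons.append("rare-qtype")
    return reasons


def analyze_log(log_text):
    """Return (flagged_queries, flagged_zones): per-name reasons and zones with many hits."""
    flagged_queries = {}
    subdomains_per_zone = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, _client, qname, qtype = parts
        reasons = query_reasons(qname, qtype)
        # A rare qtype on its own is weak evidence; require a name-shape signal as well.
        if reasons and reasons != ["rare-qtype"]:
            sub, zone = split_name(qname)
            flagged_queries[qname] = reasons
            subdomains_per_zone[zone].add(sub)
    flagged_zones = {zone for zone, subs in subdomains_per_zone.items()
                     if len(subs) >= MIN_SUBDOMAINS_PER_ZONE}
    return flagged_queries, flagged_zones


if __name__ == "__main__":
    queries, zones = analyze_log(SAMPLE_LOG)
    for name, why in queries.items():
        print(name, ",".join(why))
    print("zones with tunnel-like activity:", sorted(zones))
```

<p>The per-zone aggregation is the part worth keeping even if the thresholds change: a single long or high-entropy name is common (CDN hostnames, DKIM selectors, anti-spam lookups), but dozens of distinct ones under the same zone from one client in a short window is the shape a tunnel leaves in a resolver log. Fixed label lengths and near-uniform character frequencies, as in the sample above, are additional signs of an encoder rather than a human picking hostnames.</p>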
<h3 id="statistical-analysis">Statistical Analysis</h3>
<h3 id="packet-inspection">Packet Inspection</h3>
<h2 id="references">References</h2>
<p><em>Included sources were not directly linked in the blog post or are included for future reference</em></p>
<h3 id="sources">Sources</h3>
<ul>
<li><a href="https://www.zdnet.com/article/iranian-hacker-group-becomes-first-known-apt-to-weaponize-dns-over-https-doh/">Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS (DoH)</a></li>
<li><a href="https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/">An Analysis of Godlua Backdoor</a></li>
<li><a href="https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/">DNS Tunneling: how DNS can be (ab)used by malicious actors</a></li>
<li><a href="https://www.socinvestigation.com/how-the-apt34-uses-saitama-backdoor-for-dns-tunnelling/">How the APT34 uses Saitama Backdoor for DNS tunneling</a></li>
<li><a href="https://github.com/zom3y3/slides/blob/master/ICANN67%20DOH%20in%20Godlua%20Backdoor.pdf">GodLua Presentation</a></li>
<li><a href="https://www.daemon.be/maarten/dnstunnel.html">A Guide to Understanding Covert Channels</a></li>
</ul>
<h3 id="tools">Tools</h3>
<ul>
<li><a href="https://thomer.com/howtos/nstx.html">NSTX</a></li>
<li><a href="https://code.kryo.se/iodine/">iodine</a></li>
<li><a href="https://github.com/alex-sector/dns2tcp">DNS2TCP</a></li>
<li><a href="https://github.com/iagox86/dnscat2">DNScat</a></li>
<li><a href="https://github.com/lnussbaum/tuns">TUNS</a></li>
<li><a href="https://dnstunnel.de/">OzymanDNS</a>
<ul>
<li><a href="https://github.com/mubix/stuff/blob/master/stolen/ozymandns_src_0.1.tgz?raw=true">source</a></li>
</ul>
</li>
<li><a href="https://github.com/Arno0x/DNSExfiltrator">DNSExfiltrator</a></li>
</ul>
<h3 id="malware-1">Malware</h3>
<ul>
<li><a href="https://www.forcepoint.com/blog/x-labs/udpos-exfiltrating-credit-card-data-dns">UDPoS</a></li>
<li><a href="https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/">GodLua backdoor</a></li>
<li><a href="https://www.malwarebytes.com/blog/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor">Saitama Backdoor</a></li>
</ul>
<h2 id="updates">Updates</h2>
<ul>
<li>9/28/2023: Added research sources to blog</li>
<li>11/13/2023: Made correction based on updated information. Updated content layout. Added/Updated resources, malware references and APT sources</li>
<li>11/17/2023: Added additional sources, research content, and additional links to <a href="#what-is-dns-tunneling">“What is DNS”</a> section</li>
<li>12/2/2023: Added additional commentary for malware sources. Added additional literature for mitigation</li>
</ul>
<h1 id="bsides-charlotte-presentation-recap">BSides Charlotte Presentation Recap</h1>
<p><em>blackmanta, 2023-09-23, <a href="https://manta.black/BSIDES-charlotte-presentation-recap">https://manta.black/BSIDES-charlotte-presentation-recap</a></em></p>
<p><a href="https://docs.google.com/presentation/d/1UEmxMrytdUhO59EDmx8Hkv7AOp0w571cxmLK_JMEgj8/edit?usp=sharing">slides</a> - <a href="https://www.youtube.com/watch?v=kP1l9K452gU&t=17s">video presentation</a></p>
<h2 id="table-of-contents">Table of Contents</h2>
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#mitigations-and-trends">Mitigations and Trends</a></li>
<li><a href="#trends-in-security-software">Trends in Security Software</a></li>
<li><a href="#in-network-security">In-Network Security</a></li>
<li><a href="#reflections">Reflections</a></li>
</ul>
<h2 id="introduction">Introduction</h2>
<p>This presentation attempts to provide a quick and simple introduction to the next generation of technologies that will help secure the networks of tomorrow. I believe this topic is important, especially in the age of AI, because all technology stacks need to be improved with security principles in mind and not as second considerations. We are at an inflection point, with software-defined networking (SDN) technology maturing and preparing for the inclusion of more automated systems and verification technologies. If you are interested in any of those <em>briefly</em> referenced topics, please read on.</p>
<h2 id="mitigations-and-trends">Mitigations and Trends</h2>
<p><em>Why would researchers and practitioners even want to automate security provisioning?</em></p>
<p>I am sure those staying up to date with vulnerability research, disclosures, and advanced threats are very aware that most successful attacks can be attributed to slow patch cycles and misconfigurations. IT practitioners have envisioned a world of networked systems being able to defend themselves since the late 90s. If you are interested in that history, check out <a href="https://apps.dtic.mil/sti/pdfs/ADA408307.pdf">"Survivable Autonomic Response Architecture"</a> and <a href="https://www.cs.princeton.edu/courses/archive/fall06/cos561/papers/smith04.pdf">"Active Networking"</a>. These are well-thought-out research moonshots.</p>
<p>From a fundamental level, there are a few core network attacks that modern networks face:</p>
<ul>
<li>Malware and the propagation of such malware</li>
<li>Ransomware, which is essentially extortion malware</li>
<li>DNS and Distributed Denial of Service attacks</li>
</ul>
<p>I included phishing attacks in my presentation and want to note that phishing is not a network attack but an initial step attackers may take to deliver malware/ransomware before establishing access into protected networks. There is a meme for defending against the described attacks on slide 5. It explains itself, and it is purely placed there for comedic purposes.</p>
<p>Now, serious mitigations include endpoint and edge security services. Think of anything ranging from antivirus installed on work or personal PCs to network firewalls and security information and event management (SIEM) systems. Other practices include following best practices as described by the NSA, <a href="https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2949885/nsa-details-network-infrastructure-best-practices/">"NSA Details Network Infrastructure Best Practices"</a>, and user education.</p>
<h2 id="trends-in-security-software">Trends in Security Software</h2>
<p>Now, expanding past the common approaches to attack mitigation is motivated by the data that shows that, typically, people are not following best practices and zero-day attacks are steadily increasing. When searching trends, the core hypothesis is <em>"How can we leverage current cutting-edge technology to slow attackers?"</em>. From a high level, I am just going to name the trends, from my perspective, that follow trending technology and buzzwords in security tooling and research.</p>
<ul>
<li>Artificial Intelligence/Machine Learning and its application</li>
<li>Automation. Think SecOps</li>
<li><a href="https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf">Zero Trust Architectures</a></li>
<li><a href="https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF">Diversity of Firewall Solutions</a></li>
<li><em>Move everything to the cloud</em></li>
</ul>
<p>Now when it comes to security solutions, one general shortcoming comes from users. <em>“The security function slowed down my system/network, so I disabled it”</em></p>
<h2 id="in-network-security">In-Network Security</h2>
<p><em>How can we balance the trade-offs of network security solutions and the usability of networks?</em></p>
<p>A newer trend that is attempting to address this problem is research into in-network security solutions. In-network security solutions embed security functionality into the data plane of network switches to provide extremely fast security enforcement and parsing. In-network security solutions leverage the ideas of software-defined networking, which decouples the control and data planes to simplify network management and increase the ability to program network functionality.</p>
<h3 id="case-study">Case Study</h3>
<p>To understand how to effectively implement an in-network security solution, you must first consider the protocols processed on network switches and the opportunities to parse/process packet information. In the following case study, the DNS protocol is examined as it is a clear text protocol, in most cases.</p>
<p>The case study comes from recent work published in USENIX Security '23, <a href="https://www.usenix.org/conference/usenixsecurity23/presentation/li-xiang">"The Maginot Line"</a>, and mitigations in <a href="https://www.ndss-symposium.org/wp-content/uploads/madweb2022_23012_paper.pdf">"P4DDPI"</a>. The first describes a novel DNS cache poisoning attack that poisons the DNS cache of delegation servers, which leads to the hijacking of DNS zones. The second describes an approach to defending against similar attacks using an in-network security approach. The findings in the second paper show that deploying network security functionality in this way exhibits no packet loss or packet delay. This earlier work does have some shortcomings, described in its conclusion, but the early results are promising.</p>
<h2 id="reflections">Reflections</h2>
<p>In reflection, there are legitimate research and product solutions that are trending towards creating the foundations for more automated security enforcement. One such area of research is in-network security solutions. There are additional details to consider when leveraging automation in in-network security solutions. The most important is verifiability. An introduction to the vision of verifiable networks can be found <a href="https://youtube.com/watch?v=QDC7ckmioYM">here</a>.</p>
<h2 id="references">References</h2>
<p><em>Work in Progress</em></p>
<h2 id="updates">Updates</h2>
<ul>
<li>11/17/2023: Added References, additional case study content and improved document language</li>
</ul>
<h1 id="in-band-network-telemetry-for-security">In-Band Network Telemetry for Security</h1>
<p><em>blackmanta, 2023-08-08, <a href="https://manta.black/in-band-network-telemetry-for-security">https://manta.black/in-band-network-telemetry-for-security</a></em></p>
<ul>
<li>Work in progress</li>
</ul>
<h1 id="carolina-con-talk-1">Carolina Con Talk 1</h1>
<p><em>blackmanta, 2023-04-22, <a href="https://manta.black/carolina-con-talk-1">https://manta.black/carolina-con-talk-1</a></em></p>
<h1 id="deconstructing-firewalls">Deconstructing Firewalls</h1>
<p><em>Disclaimer: This post is being actively updated. Please check back for additional links</em></p>
<p><a href="https://docs.google.com/presentation/d/13K0gin8WvFkAcHtVUqJVc87cOlTI2bo4/edit?usp=sharing&ouid=116118671620888505246&rtpof=true&sd=true">slides</a> - <a href="https://www.youtube.com/watch?v=rNgpPeuP_kM">video presentation</a></p>
<h2 id="table-of-contents">Table of Contents</h2>
<ul>
<li><a href="#what-is-a-firewall">What is a firewall</a></li>
<li><a href="#firewall-architectures">Firewall Architectures</a></li>
<li><a href="#newer-technology">Newer Technology</a></li>
<li><a href="#takeaways">Takeaways</a></li>
</ul>
<p>This presentation provides a general overview of the past implementations of firewalls, a modern perspective, and a forward look at what they can become. In this blog post, I will fill in any gaps in the presentation with references and helpful commentary. If you find this post useful, feel free to reach out to me at me[@]manta.black.</p>
<h2 id="what-is-a-firewall">What is a Firewall</h2>
<blockquote>
<p>“A guardian of the digital world, standing between the chaos of the internet and the sanctity of our networks. It is a sentinel of order, enforcing the rules of access and denying entry to those who would harm.”</p>
</blockquote>
<p>Generally, firewalls work as a boundary to resources by managing network access through packet filters in dedicated network devices or software appliances. It is easy to think of a firewall as the perimeter defense structure to networks, but as discussed later, there are <a href="#firewall-architectures">well-defined architectures</a> for deploying firewalls to defend against different security models, including defense against network traversal and covert channels. The key idea of a firewall is powered by a packet filter. Now, there is not just one type or program that enables packet filtering. Some examples include <a href="https://www.kernel.org/doc/html/latest/networking/filter.html">eBPF/BPF</a>, <a href="https://netfilter.org/">netfilter</a>, and <a href="https://www.tcpdump.org/manpages/pcap-filter.7.html">libpcap</a>.</p>
<p>Packet filters are leveraged in a wide variety of firewalls that are deployed for different security use cases.</p>
<h2 id="firewall-architectures">Firewall Architectures</h2>
<p>A rudimentary packet filter is, as its name suggests, a simple packet filter that is usually found on network routers. These packet filters typically filter based on the network headers that power the TCP/IP model. The packet filters discussed later expand on this technology to enforce more advanced filtering functions. Two of those packet filters are stateful and stateless packet filters. A simple way to think about these two types of packet filters is that stateful firewalls track network connections, or "state," whereas stateless firewalls do not. In some sense, a stateless firewall is another way to describe a rudimentary firewall. A more in-depth blog post on stateful vs. stateless packet filters can be found <a href="https://www.lanner-america.com/blog/stateless-vs-stateful-packet-filtering-firewalls-better/">here</a>.</p>
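<p>To make the stateful vs. stateless distinction concrete, here is an added example (not from the talk or its slides) that replays a constructed packet sequence through a minimal stateless rule set and a minimal connection-tracking filter in Python. The topology (10.0.0.0/24 as the protected side), the single "inside hosts may browse the web" policy, and the packet contents are assumptions made for the illustration; addresses come from the documentation ranges.</p>

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a TCP connection (SYN, no ACK)


def is_inside(ip):
    """Constructed topology: 10.0.0.0/24 is the protected network (assumption)."""
    return ip.startswith("10.0.0.")


def stateless_decision(pkt):
    """Rules see one packet at a time; nothing is remembered between packets."""
    outbound = is_inside(pkt.src) and not is_inside(pkt.dst)
    inbound = is_inside(pkt.dst) and not is_inside(pkt.src)
    # Rule 1: inside hosts may talk to any web server.
    if outbound and pkt.dport == 80:
        return "ALLOW"
    # Rule 2: to let the replies back in, a stateless filter has to admit *every*
    # packet from source port 80 to an ephemeral port, solicited or not.
    if inbound and pkt.sport == 80 and pkt.dport > 1023:
        return "ALLOW"
    return "DROP"


class StatefulFilter:
    """Same policy, but inbound packets must match a connection that inside opened."""

    def __init__(self):
        self.connections = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt):
        outbound = is_inside(pkt.src) and not is_inside(pkt.dst)
        inbound = is_inside(pkt.dst) and not is_inside(pkt.src)
        if outbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and pkt.dport == 80:
                self.connections.add(key)  # remember who started this connection
                return "ALLOW"
            return "ALLOW" if key in self.connections else "DROP"
        if inbound:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # look up the reverse direction
            return "ALLOW" if key in self.connections else "DROP"
        return "DROP"


# Constructed packet sequence (documentation addresses, no real hosts).
SCENARIO = [
    ("client SYN to web server", Packet("10.0.0.5", 51000, "203.0.113.10", 80, syn=True)),
    ("web server reply", Packet("203.0.113.10", 80, "10.0.0.5", 51000)),
    ("unsolicited packet from port 80", Packet("198.51.100.7", 80, "10.0.0.5", 4444)),
    ("unsolicited packet from port 443", Packet("198.51.100.7", 443, "10.0.0.5", 4444)),
]


def run_scenario(scenario=SCENARIO):
    """Replay the packets through both filters; returns [(label, stateless, stateful), ...]."""
    stateful = StatefulFilter()
    return [(label, stateless_decision(pkt), stateful.decide(pkt)) for label, pkt in scenario]


if __name__ == "__main__":
    for label, stateless, stateful in run_scenario():
        print(f"{label:35} stateless={stateless:5} stateful={stateful}")
```

<p>The third packet is the point of the exercise: a stateless filter that wants return traffic from web servers must admit any packet from source port 80 to a high port, so the unsolicited one passes, while the stateful filter drops it because no inside host opened that connection. The connection set is also where the state-growth cost of this architecture lives: every tracked flow occupies memory until it is expired, which a real implementation does with timeouts and by watching for FIN/RST.</p>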
<p>A proxy firewall acts like a border firewall in the sense that it sits between the internet and the user. This is possible because it centralizes network activity on a central server to process the inspection of network packets. Network packets are typically forwarded from endpoint systems to an appliance to enable this functionality. An example of this type of firewall is <a href="https://balasys.github.io/zorp/about/">zorp</a>. Another novel firewall is the next-generation firewall, also known as third-generation firewall technology. These firewalls were developed specifically to address the increasing number of threats targeting large organizations and governments. They combine the technologies previously described and improve application awareness, deep packet inspection, and application filtering to arguably filter out zero-day threats. There is much to be said about next-generation firewalls, especially by firewall vendors. You can find a more in-depth introduction to the topic in the <a href="https://www.cloudflare.com/learning/security/what-is-next-generation-firewall-ngfw/">Cloudflare blog post</a>.</p>
<p>Distributed firewalls were conceived in the late ’90s. Attribution can be tracked earlier, but an informative <a href="https://www.cs.columbia.edu/~smb/papers/distfw.pdf">paper</a> from <a href="https://www.cs.columbia.edu/~smb/papers/">Steven M. Bellovin</a> embodies much of the intuition of the architecture strategy. A distributed firewall filters all ingress and egress traffic from a device placed within the network. This improves the scalability and agility of the security boundary compared to centralized or perimeter-based firewalls. There were shortcomings with this type of implementation at the time, including management complexity and state growth, but these problems are being addressed in the development of network software stacks that take advantage of software-defined networking methodologies.</p>
<h2 id="newer-technology">Newer Technology</h2>
<p>Software-defined networking is the idea of decoupling the control and data planes in computer networks. In a traditional network, each router both decides how packets are routed and forwards them. The act of managing network packet flows is the job of the control plane. By decoupling the data and control planes, a logically centralized controller can plan the placement of network flows by leveraging its global view of the network. In distributed SDN controller deployments, the global view is shared among physically dispersed controllers, but the scale that requires a distributed controller is significant. The data plane, on the other hand, is where the packets are actually forwarded. It typically consists of network switches and inherently includes extremely fast packet parsing.</p>
<p>OpenFlow, the protocol commonly associated with SDN, does not directly support programming the data plane. Proposed specifications such as <a href="https://arxiv.org/abs/1405.0060">POF</a>, also known as OpenFlow 2.0, propose expanding the standard to provide this ability. Now, why would you even want to program the data plane in the first place if you can direct network traffic using the control plane interface? Earlier, I said that the data plane includes network switches and is inherently fast. That speed comes from the switches themselves: the data plane bypasses the operating system and uses network hardware to process and forward packets without OS intervention. Network switches are designed with dedicated packet processing pipelines to accomplish this task.</p>
<p>Accordingly, research and production technologies such as eBPF have attempted to bypass the slower software stack in the operating system and deploy programs directly into the packet processing pipeline. One language that supports the creation and deployment of data plane programs on supported switches is <a href="https://p4.org/">p4</a>. This is where my area of research resides. To see why developing security functionality in the data plane matters, you can take a look at my demo. <em>Disclaimer: The demo is yet to be uploaded</em></p>
<h2 id="takeaways">Takeaways</h2>
<p>The key takeaways from this presentation are the following:</p>
<ul>
<li>Network firewalls are approachable and constantly advancing</li>
<li>No one firewall solution answers every security model</li>
<li>Data plane programming is breathing life into distributed firewall solutions, poised to improve traditional implementations</li>
</ul>
<h2 id="notable-technologies">Notable Technologies</h2>
<ul>
<li><a href="https://cilium.io/get-started/">cilium</a></li>
<li><a href="https://docs.tigera.io/calico/latest/about/">calico</a></li>
<li><a href="https://falco.org/">falco</a></li>
<li><a href="https://blog.cloudflare.com/programmable-packet-filtering-with-magic-firewall/">cloudflare magic firewall</a></li>
</ul>
<p>Summary: Deconstructing Firewalls. Author: blackmanta.</p>
<p>Wireguard in a FreeBSD Jail (blackmanta, 2020-04-24, <a href="https://manta.black/wireguard-in-freebsd-jail">https://manta.black/wireguard-in-freebsd-jail</a>)</p>
<p>I spent the better part of my Friday night reinstalling my NAS server for homelab purposes. Through this experience, I found I wanted to capture what I learned and where I found answers for archiving purposes. I found many answers online that either didn’t work for me or called for a different type of implementation. I link some notable guides and threads in the reference section below.</p>
<h1 id="setup">Setup</h1>
<p>Wireguard is pretty simple and straightforward to install on any unix system. If you have any questions or see a place where an update should be made, send me an email or contact me on keybase.</p>
<blockquote>
<ul>
<li>Create a jail
Create jail conf. More information on creating and controlling jails can be found <a href="https://www.freebsd.org/doc/handbook/jails-build.html">here</a></li>
</ul>
</blockquote>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> wireguard_jail {
vnet;
devfs_ruleset = "10";
}
</code></pre></div></div>
<blockquote>
<ul>
<li>Install Wireguard in jail</li>
</ul>
</blockquote>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> pkg install wireguard
</code></pre></div></div>
<blockquote>
<ul>
<li>Generate Keys</li>
</ul>
</blockquote>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> wg genkey | tee privatekey | wg pubkey > publickey
</code></pre></div></div>
<blockquote>
<ul>
<li>Update rc.conf</li>
</ul>
</blockquote>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> # Enable Wireguard
wireguard_enable="YES"
wireguard_interfaces="wg0"
#Enable FireWall
firewall_enable="YES"
firewall_type="open"
gateway_enable="YES"
natd_enable="YES"
natd_interface="[INTERFACE NAME]"
natd_flags="-dynamic -m"
</code></pre></div></div>
<blockquote>
<ul>
<li>Create wireguard server conf
I created my file in /usr/local/etc/wireguard</li>
</ul>
</blockquote>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> # wg0.conf
[Interface]
PrivateKey = [SERVER PRIVATE KEY]
MTU = 1500
Address = 172.16.1.1/24
ListenPort = 51820
[Peer]
PublicKey = [CLIENT PUBLIC KEY]
AllowedIPs = 172.16.1.5/32
</code></pre></div></div>
<blockquote>
<ul>
<li>Start wireguard</li>
</ul>
</blockquote>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> service wireguard start
</code></pre></div></div>
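<p>The steps above end with a hand-written wg0.conf, and the two things that most often go wrong in it are a malformed key pasted in from the wrong file and a peer AllowedIPs that does not sit inside the interface subnet. The following is an added example, not the post's own code and not part of WireGuard's tooling, that renders the same layout from Python and rejects those two mistakes before the config is ever handed to the service. The keys it uses are constructed placeholders (random 32-byte values, not a matching key pair); real ones still come from the <code>wg genkey</code> step above.</p>

```python
"""Render and sanity-check a WireGuard server config like the wg0.conf above.

Added example for this post, not the author's code or WireGuard's tooling.
The keys are constructed placeholders (random 32-byte values) so the script
runs offline; real keys come from `wg genkey | tee privatekey | wg pubkey`.
"""
import base64
import ipaddress
import os


def is_wg_key(key: str) -> bool:
    """A WireGuard key is 32 raw bytes, base64-encoded into exactly 44 characters."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False


def render_server_conf(server_priv, address, listen_port, peers, mtu=None):
    """Build wg0.conf text. peers is a list of (client_pubkey, allowed_ips).

    AllowedIPs is WireGuard's cryptokey routing table: decrypted packets from a
    peer are accepted only if their source lies inside the peer's AllowedIPs,
    and packets destined for those addresses are sent to that peer. A /32 pins
    a client to one tunnel address, and it must lie inside the server's Address
    subnet or the server will never route to it.
    """
    if not is_wg_key(server_priv):
        raise ValueError("server PrivateKey is not a 32-byte base64 key")
    iface = ipaddress.ip_interface(address)
    lines = ["[Interface]", f"PrivateKey = {server_priv}"]
    if mtu is not None:
        lines.append(f"MTU = {mtu}")
    lines += [f"Address = {address}", f"ListenPort = {int(listen_port)}"]
    seen = set()
    for pub, allowed in peers:
        if not is_wg_key(pub):
            raise ValueError(f"peer PublicKey {pub!r} is not a 32-byte base64 key")
        net = ipaddress.ip_network(allowed, strict=True)
        if not net.subnet_of(iface.network):
            raise ValueError(f"AllowedIPs {allowed} is outside {iface.network}")
        if net in seen:  # the same range on two peers is almost always a paste error
            raise ValueError(f"AllowedIPs {allowed} assigned to more than one peer")
        seen.add(net)
        lines += ["", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {allowed}"]
    return "\n".join(lines) + "\n"


# Constructed placeholder keys: random bytes, not a real matching key pair.
SERVER_PRIV = base64.b64encode(os.urandom(32)).decode()
CLIENT_PUB = base64.b64encode(os.urandom(32)).decode()


def demo() -> str:
    """Render the same layout as the post's wg0.conf with placeholder keys."""
    return render_server_conf(
        SERVER_PRIV, "172.16.1.1/24", 51820, [(CLIENT_PUB, "172.16.1.5/32")], mtu=1500
    )


def rejects_peer_outside_subnet() -> bool:
    """A client placed outside the tunnel subnet is caught before the service sees it."""
    try:
        render_server_conf(SERVER_PRIV, "172.16.1.1/24", 51820, [(CLIENT_PUB, "10.9.8.7/32")])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

<p>Run it and paste the output into <code>/usr/local/etc/wireguard/wg0.conf</code> after swapping in the real keys; the subnet check is the part worth keeping around, since a peer whose AllowedIPs falls outside the interface's Address range will handshake fine and then silently carry no traffic.</p>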
<h1 id="references">References</h1>
<ul>
<li><a href="https://www.skyforge.at/posts/an-introduction-to-jails-and-jail-networking/">An Introduction to Jails and Jail Networking</a></li>
<li><a href="https://www.freebsd.org/doc/handbook/firewalls-pf.html">FreeBSD Handbook: Firewall PF</a></li>
<li><a href="https://forums.freebsd.org/threads/nat-in-pf.22590/">FreeBSD: Nat in PF</a></li>
<li><a href="https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-quicklook/">WireGuard on FreeBSD Quick Look</a></li>
<li><a href="https://www.ixsystems.com/community/threads/wireguard-on-base-system-forward-all-internet.82102/">FreeNAS: Wireguard in Jail</a></li>
<li><a href="https://github.com/pirate/wireguard-docs">Unofficial Wireguard docs</a></li>
</ul>
<p>A Brief Recap of my BSides Charlotte Presentation (blackmanta, 2019-09-29, <a href="https://manta.black/BSides-Charlotte-Recap">https://manta.black/BSides-Charlotte-Recap</a>)</p>
<p>At the conclusion of BSides Charlotte 2019, I realized that I would need to provide a bit more information regarding the content covered in my slides, especially for those who were unable to attend. The purpose of this post is to highlight those ideas relative to the presentation and to get feedback from those interested in this area of research.</p>
<h3 id="how-can-one-give-an-overview-of-the-advancements-in-computer-systems-defense-and-what-is-the-scope-of-the-systems-that-we-are-trying-to-defend">How can one give an overview of the advancements in Computer System’s Defense and what is the scope of the systems that we are trying to defend?</h3>
<p>Initially, I thought large enterprise networks or data centers were the only areas where the composition of system and network design would require a drastic reduction in complexity by increasing autonomy, so I sought solutions fitting that scope. Realistically, an optimal systems defense should exhibit the following features:</p>
<blockquote>
<ul>
<li>Respond at the moment of detection; if automated, this allows defenders to focus on building detections for behavior that is abnormal compared to the baseline</li>
<li>Respond optimally and in a way that does not decrease the integrity of one’s environment. The response in this case is envisioned to be deployed by the system itself</li>
<li>Increase the cost of attacking the network.</li>
<li>Ensure that all the resources within the environment are receiving some means of protection from the suite of defense implementations</li>
</ul>
</blockquote>
<p>Contemporary system defense is composed of software solutions that protect network and software resources. Some of those solutions require constant maintenance or care, whereas others simply require human action when an alert is present. Current advancements in defense techniques such as robust moving target defense, active defense, or automated network management require defenders to spend hours configuring custom solutions prior to deployment while also demanding tender loving care.</p>
<h3 id="how-can-manage-these-systems-and-reduce-complexity">How can we manage these systems and reduce complexity?</h3>
<p><em>Note: I am not questioning the merit of these technologies. I am simply asking questions about our approaches to making them usable in our solutions.</em></p>
<blockquote>
<p>Should we continue to throw deep or machine learning into all of our products in hopes that it makes our products more autonomous and effective for responding?</p>
</blockquote>
<blockquote>
<p>Should we deploy everything to the cloud and hope the provider manages the security of applications and infrastructure for us?</p>
</blockquote>
<blockquote>
<p>Should we set up a proof of concept blockchain that is inevitably ready for deployment to enable the verification of files, users, or hosts in our systems?</p>
</blockquote>
<blockquote>
<p>Should we just configure everything to utilize containers or some light virtualization to enable higher levels of efficiency in automation?</p>
</blockquote>
<h3 id="or-what-if-we-put-most-if-not-all-of-those-solutions-together-intelligently">Or what if we put most if not all of those solutions together intelligently?</h3>
<p>One may consider Software Defined Networking (SDN), SecOps, Automation, or Immutable Infrastructure [the D.I.E. design strategy] to be the bleeding-edge technologies and methodologies leading the advancement of cyber defense strategies, but what if that wasn’t the entire truth?</p>
<h3 id="insert-the-idea-of-autonomic">Insert the idea of Autonomic</h3>
<p>After looking for relevant work on security architecture and design, I came across an idea presented in 2001 by IBM and a DARPA-funded project that described autonomic systems. Similarly to neural networks, the idea of autonomic systems was inspired by the autonomic nervous system. The general idea is to create an environment that is self-(x) [4], meaning self-healing, self-diagnosing, self-optimizing, self-“aware” or state aware, and able to manage itself with minimal intervention. This idea of creating an environment that is able to adapt and protect itself seemed to be what many advancements are driving towards. This can be seen in technologies ranging from <a href="https://www.splunk.com/pdfs/professional-services/2019/splunk-phantom-implementation-success.pdf">Splunk’s Phantom</a>, which is conditionally reactive, to <a href="https://www.oracle.com/database/autonomous-database.html?bcid=6086922094001">Oracle’s Autonomous Database</a>.</p>
<h3 id="creating-the-perfect-feedback-loop">Creating the perfect feedback loop</h3>
<p>The most important components of any autonomic system are its feedback loops; they drive the behavior of the system. This aspect of autonomic systems, I predict, will be nearly impossible to automate, given how creative attackers are and how effective learning algorithms are at constructing a baseline for behavior. Wisdom I gleaned from a research paper [2] specifically mentions the ineffectiveness of applying machine or deep learning to this concept without first building a framework for the learning to be built around.</p>
<h3 id="so-what-does-this-mean">So what does this mean?</h3>
<p>It means that autonomic systems are truly on the horizon and this advancement is not stopping any time soon. It is also important for security-minded individuals to know what is coming so that they are aware of the benefits of true autonomic systems, which can potentially boost the productivity and maturity of the businesses implementing them.</p>
<p>Currently, I am working on a proof of concept system that utilizes SaltStack’s reactor, SDN technologies (OpenVSwitch, RYU) and LXD containers. After speaking at the conference, I realized that there is a need in the industry to be able to test the marketed “autonomic feature x”. So I plan to use my proof of concept and any access I am given to vendor solutions to test how well these features are implemented.</p>
<h3 id="references">References</h3>
<ul>
<li>[1] <a href="https://www.slideshare.net/sounilyu/distributed-immutable-ephemeral-new-paradigms-for-the-next-era-of-security">Distributed Immutable Ephemeral</a></li>
<li>[2] <a href="https://apps.dtic.mil/dtic/tr/fulltext/u2/a408307.pdf">SARA: Survivable Autonomic Response Architecture</a></li>
<li>[3] <a href="http://dpnm.postech.ac.kr/papers/MANFI/12/96387.pdf">Autonomic Fault Management based on Cognitive Control Loops</a></li>
<li>[4] <a href="https://tools.ietf.org/html/rfc7575">Autonomic Networking: Definitions and Design Goals RFC 7575</a></li>
<li>[5] <a href="https://datatracker.ietf.org/wg/anima/about/">(ANIMA) Autonomic Networking Integrated Model and Approach</a></li>
</ul>
<p>Initd (blackmanta, 2019-01-11, <a href="https://manta.black/initd">https://manta.black/initd</a>)</p>
<p>The beginning of a journey. I hope to document findings, ideas and notes for archival purposes weekly on Friday.</p>