<h1>How MUD could help against the Krebs Attack</h1>
<p>Posted 3 October 2016 at <a href="https://ofcourseimright.com/?p=2060">https://ofcourseimright.com/?p=2060</a>. Filed under Internet and Security; tagged krebs, malware, manufacturer usage descriptions, mud, security.</p>
<p>In the attack against <a href="https://krebsonsecurity.com">krebsonsecurity.com</a>, one of the systems that <a href="https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html">is said to have been used</a> was the “<a href="http://www.l-com.com/multimedia/manuals/M_VNC-DK4-C2404CM.PDF">H.264 Network DVR</a>”. This device accepts inbound HTTP connections, and communicates outbound using FTP and email. There may also be an undocumented protocol for a proprietary interface.</p>
<p>As I’ve previously discussed, a <a href="https://www.ofcourseimright.com/?p=1859">Manufacturer Usage Description</a> (MUD) can limit the attack surface of a device, and it can also prevent the device from being used to source an attack. The division of labour is simple: the manufacturer writes the MUD file, which refers to abstract classes such as the device’s controller rather than to specific hosts, and whoever deploys the device fills in which hosts belong to those classes. For the DVR in question, I used <a href="https://www.ofcourseimright.com/mudmaker">MudMaker</a> to create a description that a network device could use to build the appropriate network protections:</p>
<pre>{
  "ietf-mud:meta-info": {
    "lastUpdate": "2016-10-02T08:28:19+02:00",
    "systeminfo": "DVR H.264",
    "cacheValidity": 1440
  },
  "ietf-acl:access-lists": {
    "ietf-acl:access-list": [
      {
        "acl-name": "mud-65333-v4in",
        "acl-type": "ipv4-acl",
        "ietf-mud:packet-direction": "to-device",
        "access-list-entries": {
          "ace": [
            {
              "rule-name": "entout0-in",
              "matches": {
                "ietf-mud:controller": "http://dvr264.example.com/controller"
              },
              "actions": {
                "permit": [
                  null
                ]
              }
            },
            {
              "rule-name": "entin0-in",
              "matches": {
                "ietf-mud:controller": "http://dvr264.example.com/controller",
                "protocol": 6,
                "destination-port-range": {
                  "lower-port": 80,
                  "upper-port": 80
                }
              },
              "actions": {
                "permit": [
                  null
                ]
              }
            }
          ]
        }
      },
      {
        "acl-name": "mud-65333-v4out",
        "acl-type": "ipv4-acl",
        "ietf-mud:packet-direction": "from-device",
        "access-list-entries": {
          "ace": [
            {
              "rule-name": "entout0-out",
              "matches": {
                "ietf-mud:controller": "http://dvr264.example.com/controller"
              },
              "actions": {
                "permit": [
                  null
                ]
              }
            },
            {
              "rule-name": "entin0-out",
              "matches": {
                "ietf-mud:controller": "http://dvr264.example.com/controller",
                "protocol": 6,
                "source-port-range": {
                  "lower-port": 80,
                  "upper-port": 80
                }
              },
              "actions": {
                "permit": [
                  null
                ]
              }
            }
          ]
        }
      }
    ]
  }
}</pre>
<p>The <strong>to-device</strong> list admits traffic from hosts in the controller class, including connections to the DVR’s HTTP port (destination port 80); the <strong>from-device</strong> list admits the DVR’s traffic back to those hosts, including the HTTP replies (source port 80). What is left for the deploying network, or the controller that manages it, to do that is specific to this device is to define which hosts are in the class <strong>http://dvr264.example.com/controller</strong>. That might include the FTP-based logging system that this model uses, for instance, as well as those systems that are authorized to connect to the HTTP port.</p>
<p>The important part of that description is what you <strong>don’t</strong> see. You don’t see any of the attack vectors used, because with this <a href="https://en.wikipedia.org/wiki/Whitelist">whitelist</a> approach you only specify what is permitted, and everything else, apart from name service and time queries, is denied by default. This device uses a good few services, and so I haven’t specified each one in the example for brevity’s sake.</p>
<p>Had the device advertised such a description and the network enforced it, this may well have stopped the attacker from gaining access to the device in the first place, and it would have stopped the device from being able to attack the blogger, and many other attacks as well.</p>
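<p>To make the “what you don’t see” point concrete, here is an added example, not code from the original post or from MudMaker, that decides flow by flow what a MUD-aware network device would do with the DVR’s description. Everything in it is constructed for illustration: the controller class <code>http://dvr264.example.com/controller</code> is resolved to two hosts in the 192.0.2.0/24 documentation range, name service and time queries are permitted by default as the post states, anything not matched by an entry is denied, and the MUD file is reduced to the port-80 entries (the catch-all controller entries are left out so that the port matching is actually exercised).</p>

```python
# Added example, not part of the original post. Assumptions are constructed:
# controller-class membership, default-allowed services, sample traffic.
from dataclasses import dataclass

CONTROLLER = "http://dvr264.example.com/controller"
# Constructed: the FTP/mail log sink and an admin workstation (RFC 5737 space).
CONTROLLER_HOSTS = {"192.0.2.10", "192.0.2.11"}
CLASSES = {CONTROLLER: CONTROLLER_HOSTS}
# (protocol, server port) pairs allowed without an ACE: DNS over UDP/TCP, NTP.
DEFAULT_SERVICES = {(17, 53), (6, 53), (17, 123)}

# The post's MUD file, trimmed to its port-80 entries.
MUD = {
    "ietf-mud:meta-info": {"systeminfo": "DVR H.264", "cacheValidity": 1440},
    "ietf-acl:access-lists": {"ietf-acl:access-list": [
        {"acl-name": "mud-65333-v4in", "acl-type": "ipv4-acl",
         "ietf-mud:packet-direction": "to-device",
         "access-list-entries": {"ace": [
             {"rule-name": "entin0-in",
              "matches": {"ietf-mud:controller": CONTROLLER, "protocol": 6,
                          "destination-port-range": {"lower-port": 80, "upper-port": 80}},
              "actions": {"permit": [None]}}]}},
        {"acl-name": "mud-65333-v4out", "acl-type": "ipv4-acl",
         "ietf-mud:packet-direction": "from-device",
         "access-list-entries": {"ace": [
             {"rule-name": "entin0-out",
              "matches": {"ietf-mud:controller": CONTROLLER, "protocol": 6,
                          "source-port-range": {"lower-port": 80, "upper-port": 80}},
              "actions": {"permit": [None]}}]}}]}}


@dataclass(frozen=True)
class Flow:
    direction: str  # "to-device" (the DVR is the destination) or "from-device"
    peer: str       # IPv4 address of the endpoint that is not the DVR
    protocol: int   # 6 = TCP, 17 = UDP
    sport: int      # source port of the packet as seen on the wire
    dport: int      # destination port of the packet


def ace_matches(ace, flow, classes):
    """True when every match clause of the ACE holds for the flow."""
    m = ace["matches"]
    cls = m.get("ietf-mud:controller")
    if cls is not None and flow.peer not in classes.get(cls, ()):
        return False
    if "protocol" in m and m["protocol"] != flow.protocol:
        return False
    for key, port in (("source-port-range", flow.sport),
                      ("destination-port-range", flow.dport)):
        rng = m.get(key)
        if rng and not rng["lower-port"] <= port <= rng["upper-port"]:
            return False
    return True


def default_allowed(flow):
    """Name service and time queries (and their replies) need no ACE."""
    server_port = flow.dport if flow.direction == "from-device" else flow.sport
    return (flow.protocol, server_port) in DEFAULT_SERVICES


def evaluate(mud, flow, classes):
    """First matching ACE in the ACL for the flow's direction wins; else default."""
    for acl in mud["ietf-acl:access-lists"]["ietf-acl:access-list"]:
        if acl["ietf-mud:packet-direction"] != flow.direction:
            continue
        for ace in acl["access-list-entries"]["ace"]:
            if ace_matches(ace, flow, classes):
                return "permit" if "permit" in ace["actions"] else "deny"
    return "permit" if default_allowed(flow) else "deny"


# Constructed traffic; 198.51.100.7 and 203.0.113.5 stand in for arbitrary
# Internet hosts, 192.0.2.53 for the site's resolver.
SAMPLE_FLOWS = {
    "outsider-to-dvr-http": Flow("to-device", "198.51.100.7", 6, 51234, 80),
    "controller-to-dvr-http": Flow("to-device", "192.0.2.10", 6, 51234, 80),
    "controller-to-dvr-other-port": Flow("to-device", "192.0.2.10", 6, 51235, 8080),
    "dvr-http-reply-to-controller": Flow("from-device", "192.0.2.10", 6, 80, 51234),
    "dvr-http-to-outsider": Flow("from-device", "203.0.113.5", 6, 40000, 80),
    "dvr-dns-query": Flow("from-device", "192.0.2.53", 17, 40001, 53),
}


def verdicts(flows=SAMPLE_FLOWS, mud=MUD, classes=CLASSES):
    """Map each named sample flow to the network device's decision."""
    return {name: evaluate(mud, flow, classes) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:6s} {name}")
```

<p>The two flows that matter for the attack, an outsider reaching the DVR’s HTTP port and the DVR sending HTTP to an arbitrary outside host, are both denied without any rule naming them: neither endpoint is in the controller class, so no entry matches and the default applies. The only outbound traffic that escapes the whitelist is what the post exempts, name service and time.</p>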