So this was supposed to go on at 10, and I was totally supposed to get, like, another hour to sober up. This is gonna be a really interesting Black Ops: not only is this the first Black Ops where I've done exploits, this is the first Black Ops where I have been kind of sober. Oh no, no, no, no, there's lots of people here providing booze, let me tell you.

So what are we here to do? We've got an hour from now. Who am I? You should know by now. What are we here to do? So, like, last year, you know, I had like one topic, just DNS. It was kind of fun, and, you know, left the whole ADD thing alone. Um, yeah, we're back to ADD. It's fun. We're gonna talk about a whole bunch of stuff. We're gonna kick MD5. We're gonna play with some IP fragments. We are going to mess with intrusion protection systems, which are being really, really abused. We're going to do some DNS poisoning, which again is about the most black hat thing I've ever done. And if that didn't help, we are going to send about four billion packets onto the internet. I have a new toy. It has a hundred and seventy gigabits and permission to use it. I've never actually cackled before, you know, giggled a little laugh, but... We're gonna make some pretty pictures, because I like pretty pictures. You know why I like pretty pictures? Because I can show them to non-geeks and they're like, "Holy crap, that is cool. I have no idea what it is, but it is cool." Usually it's just "I have no idea what it is"; it just ends there. And finally, you know, watch some TV.

Attacking MD5. Instead of going through all the background, here is the web page for Lockheed Martin. Fun company; some of you might have heard of it. Here's the web page for Boeing, another fun company you might have heard of. Let's see what the hashes of these two pages... I did it. Let's see what the hashes of those two pages happen to be. Do-do-do. C0F380. C0F380. Hmm, these two web pages have the exact same hash. How could that have happened?
Oh, I know you like the hash. I was wondering how you came up with that shit, man. Holy crap. Okay, I have to actually turn off my email client this time. I had people, like, using their BlackBerry on me the last time I did this talk, so that was really annoying.

So what is MD5 supposed to do? MD5 is supposed to be basically a data fingerprint. You know, you've got some file, however big it happens to be, and the end result is supposed to come down to a hundred and twenty-eight bit signature, and the whole keyword, the magic word, is "computationally infeasible" to find two files with the same hash. And we've known since about, what was it, '96, '97: bullshit. And, you know, about two thousand... two thousand four, Xiaoyun Wang over in China said, "Hell yes, bullshit. Here's two files with the same hash." And you know what the response was from a lot of people? "Yeah, there you have two hashes, but you could never use that for, you know, actual production data that had any kind of real-life meaning, you know, absolutely not."

Okay, aside: I do actually try to have some technical data, so here's what the story is. MD5, it's pretty simple. You start out with some initial state, and they use, like, magic numbers like pi and, you know, six seven eight nine one, you know, numbers decreasing, whatever. I'm too drunk to go nine eight seven six five four three two one. I've got a problem more than that: I've got a drink. Oh, the way this works at my talks: I like questions. Ask a good one and you get to drink, and if I can't answer, I have to drink. And, you know, if I'm not done drinking... unless... the drinking game.

So MD5 basically is really simple. Start with some state. You loop over all your data five hundred and twelve bits at a time, and it shuffles that state, and at the end you end up with some value. You mix in, like, the amount of data that you did, some metadata, and you end up with what's called the MD5 hash. Now the idea is, if anything's different in the input data,
it should change. A single bit should cause half the output bits in the hash to change. Half: it's a big number. What we have here is a visualization of the internals of MD5. You know, we've got 64 sub-rounds and three rounds, and half of those things are supposed to be flickering. Now, maybe you can't see the flicker; half of you see those little dots. There's supposed to be a hell of a lot more. But, you know, when we've got the Chinese girl's, so, you know, guess what? Almost none of them are different. You know, first round, second round; by the third round nothing is different. That's the big advance of this, you know, this new MD5 attack.

And what's interesting is, once you have two files with the same hash, because it operates 512 bits at a time, once you do end up at an alignment, you can add new stuff, and it's not like, you know, it goes back in time, back to earlier in the file, and says, "Hey, wait, it was different earlier in the file," because you're never supposed to have a collision, because that's what the whole point of a hash is. So in mathematical terms, if MD5 of x equals MD5 of y, then MD5 of x plus q, that's gonna equal MD5 of y plus q. So that means if we have two files with the same hash, we can append anything we want to it, including web pages.

Funny thing about web browsers. Who here has written a crappy web page? Thank you. All of you who haven't raised your hands are fucking liars. Web browsers accept everything. That was one of the big advances: you can, like, put a turd in your fucking web page, it's gonna render something. And it turns out we can even put in, like, these two files that have the same hash. But not only do they render anything: oh, there's a programming environment. We've got JavaScript. Speaking of turds. So the browsers accept everything and they are programmable, so guess what we're gonna do. By the way, graph, this is the code to use all this. It's freaking cool. So what we do is we take some file. This is x.
This is y. These are our two files with the same hash. We are going to prepend our file with one of these, and we're gonna put some extra crap on. Remember, we can put anything on; it'll have the same hash. Here's the... where'd my mouse go? Here we are. Here's the first web page, Lockheed Martin. Here's the second page, Boeing. And now we have some JavaScript. Now the idea is that MD5 is blind, because, you know, all this crap is q; x, y, all this crap is q. MD5 is blind, but we can put a program in that isn't. So the program goes back and goes, "Oh, fuck, I was put on x. Okay, Lockheed," or, "Hey, look, I just got put on y," shows Boeing, and that's your output. And so that, in a nutshell, is how Lockheed Martin and Boeing can have the same MD5 hash.

That was a lot of stuff that had nothing to do with packets. Okay, I'd better get back to this shit. So, oh no, I need to have my little segue that's all smooth and elite and whatnot, you know. We're talking about interpretation. Speaking of other things I have to do with fucked-up interpretation... God damn, I really should not be doing this drunk. You bastards, you moved my talk up. All right, yes, you put my talk at the same time it said in the schedule.

IP fragmentation. And I quote: "Fragmentation: an interesting early architectural error that shows how much experimentation was going on while IP was being designed." Quote by Paul Vixie, someone who I truly expected to kick my ass when I first met him, but it turns out he's about as fucked up as I am. Sweet.
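Before the talk moves on to fragmentation, here is the x / y / q construction from the MD5 section above in runnable form. This is an added example, not code from the talk: it takes the two 128-byte colliding messages published by Wang, Feng, Lai and Yu in 2004 as x and y, appends one shared suffix q carrying both pages plus a selector, and stands in for the browser's JavaScript with a Python render() function that checks which prefix the document starts with. The two page bodies, the comment tags and the selector logic are constructed for this example.

```python
import hashlib

# Published MD5 collision pair (Wang, Feng, Lai and Yu, 2004): two 128-byte
# messages that differ in six bytes yet produce the same MD5 digest.  They are
# exactly two 512-bit MD5 blocks, so everything appended after them is hashed
# starting from the same internal state for both messages.
X = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
Y = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Constructed stand-ins for the two web pages carried in the shared suffix q.
PAGE_A = b"<h1>Lockheed Martin</h1>"
PAGE_B = b"<h1>Boeing</h1>"

# First byte at which X and Y differ; the selector "program" keys off it.
DIFF_OFFSET = next(i for i, (a, b) in enumerate(zip(X, Y)) if a != b)


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_suffix() -> bytes:
    """q in the talk's notation: both pages plus the selector.  q is the same
    bytes for both documents, so md5(X + q) == md5(Y + q).  In a real page q is
    HTML plus JavaScript; here it is a tagged blob that render() reads."""
    return (b"<!--A-->" + PAGE_A + b"<!--/A-->"
            b"<!--B-->" + PAGE_B + b"<!--/B-->"
            b"<!--select on prefix byte " + str(DIFF_OFFSET).encode() + b"-->")


def render(document: bytes) -> bytes:
    """Stand-in for the browser running the embedded program: MD5 cannot see
    which prefix it was handed, but code inside the document can.  It reads
    the prefix byte that distinguishes X from Y and shows the matching page."""
    prefix = document[:len(X)]
    body_start = len(X)               # search only inside q, never in the binary prefix
    if prefix[DIFF_OFFSET] == X[DIFF_OFFSET]:
        start = document.index(b"<!--A-->", body_start) + 8
        return document[start:document.index(b"<!--/A-->", body_start)]
    start = document.index(b"<!--B-->", body_start) + 8
    return document[start:document.index(b"<!--/B-->", body_start)]


def make_documents():
    """Return the two colliding documents: same digest, different rendering."""
    q = build_suffix()
    return X + q, Y + q


if __name__ == "__main__":
    doc_x, doc_y = make_documents()
    print(md5hex(doc_x), render(doc_x).decode())
    print(md5hex(doc_y), render(doc_y).decode())
```

The property the talk relies on is visible in the last two lines of the test: the digests agree for X + q and Y + q whatever q is, so the only thing that distinguishes the documents is logic that inspects the prefix after the hash has been verified.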
So what is fragmentation all about? Now, IP packets can be, like, 65 kilobytes long. Okay, there is no physical network that can send a 65-kilobyte packet. Well, okay, none that's actually used in common usage. So the idea behind IP fragmentation is we can take these ginormous packets and shrink them down into little chunks: fragments. It's fairly straightforward. Why is this a problem? The whole idea with IP is that it's supposed to be stateless. You've got a packet, you send it, you move the fuck on. With fragments, hey, you know, you can send fragments and not have to worry about it, but when you receive them you have to store these things, because you get one fragment and later on you might get another and another, and maybe you will and maybe you won't, but the point is you've got to keep this stuff around in RAM. That's annoying.

Not as annoying: it's about '98, Tim Newsham and Tom Ptacek actually show, look, we can get around, like, every IDS out there by just doing strange games with our fragmentation. We have overlapping fragments. You know, this fragment says it has the same data as that one. Which one is going to be... you know, what is the correct interpretation? The RFCs are just like, "Fuck if I know." And then fragrouter comes out, and it's just like, "No, really, we can kick your ass here, watch." And so this is like '98, '99. This is old shit, right? But IP's been picked clean. There's a reason I moved on to DNS: because, like, layer three and four are done.

So I thought... In the crypto realm, you know, I did a lot of stuff with OpenSSH. You know, we've been dealing with timing attacks lately; all this crypto is all vulnerable to, like, how long things take. And I'm thinking about this, I'm going, I wonder if I can apply timing stuff to IP. And it turns out, oh yes. It turns out there's an IP fragment reassembly timer. It turns out that there's only a certain amount of time... Are you pointing at me? What are you pointing at me for? Oh, now you're the middle finger. What is this shit? I'll take this opportunity. So, speaking of pointing, there's all these shirts that have me pointing that say "scanrand, motherfucker," and it's done by the ToorCon slots, and, hey, you've got a new title. Would you rather be a goon? Should have had a better T-shirt. ToorCon is absolutely right.
I've loved that con for years, and, you know, they have these shirts for me. So, speaking of good questions: good questions get a shirt, and trashed off your ass. What, I can't be the only one?

So, okay, look. IP fragment reassembly timer. Basically these fragments come in and we can't reassemble the packet because we don't have all of them. Eventually the system gives up, right? Well, how long is it gonna wait before it gives up? Well, it turns out we can fingerprint operating systems with that value. You know, some things will wait 30 seconds, some things will wait two minutes, you know, boom, OS fingerprint. But that's easy, that's cheap. Let's go ahead and do some more hardcore stuff.

All right, what if you have an IDS? An IDS may very well have a different idea of how long a fragment can live before it just gives up on trying to reassemble it. In fact, this is actually true: Linux and FreeBSD have a 30-second timer; Snort's frag2 timer will wait 60 seconds. Now, if the timer was less, if the IDS was gonna keep fragments around for less time, well, hell, you know, we just send fragments too slow for the IDS but fast enough for the host. What if it's the other way around? What if the IDS, because it's all hardcore and, you know, it's gonna keep things around for as long as it possibly can, what if the IDS keeps fragments around longer? Ooh, we can do some stuff. The problem is it's keeping stuff around longer. How are we supposed to make the host see one thing and the IDS see another? Well, our problem is the IDS is keeping fragments around for too long. Our solution: make the IDS drop our fragments. Well, that sounds really easy. How are we gonna do that? Well, there are two ways a fragment leaves the reassembly queue: either A, it times out, or B, it's reassembled against something. I like that B.
I like the idea that it's just gonna work, but not the way it plans to. Watch this. Here's what we're gonna do, right? Look, take our payload, up to 65 kilobytes. We are gonna split it into a whole bunch of fragments. We're gonna take the even-numbered fragments. We're gonna make a copy of them. We're gonna fill those fragments' payload with noise, absolute crap, and we're gonna send this absolute crap. And you know what we're gonna do? We're gonna wait. So we send the crap, and the host has some crap and the IDS has some crap. But you know what happens after 30 seconds? The host drops the crap, but the IDS, it likes the crap. It keeps it around; it thinks it might be useful. Oh, and indeed it is useful, because we go ahead and we send the odd-numbered fragments, and the odd-numbered fragments go to the host. The host has nothing, so the host holds on to these odd-numbered fragments and says, "Well, you know, I gotta wait for some stuff in the future." IDS? No. The IDS has been holding on to some crap. So the IDS has crappy even and good odd. It reassembles. It's like, "What the hell is this?" and it drops it on the floor. But now we send the legitimate even-numbered fragments, and the IDS, well, it already dropped all that stuff from before on the floor, so the IDS now has to keep it in its new cache, has to keep it in its cache. But the host: host has legitimate even, host has legitimate odd, host reassembles just fine, and then you win.

And now my favorite line: it gets worse. Right now we're giving the IDS crap. Well, IDSes are meant to look for crap. They might alarm. They might be worried. Is there a way we can, instead of giving it crap, can we make the IDS see something completely different?
You know, like the IDS sees a GET / and the host sees a SQL injection attack. Here's what we're gonna do. Now, GET / has some headers and a SQL injection attack has some headers, and it turns out a fair amount of these headers can be exactly the same. So what we're gonna do is we're gonna split our stuff into three packets: a common header, good stuff, and you're-gonna-die. And what we do is the first thing we send is you're-gonna-die... No, no, excuse me, no, no, we're actually not; that's later. We're gonna send the good stuff first. Good stuff goes first. You know why? Because I want the IDS to see some good stuff. Okay, why don't we give it some happy, nice feelings? You know, "No problem, I would never attack you."

So here's what we're gonna do. So we send the good stuff, and we wait, and we wait long enough that the host goes, "Fuck this good stuff," and drops it. But the IDS still has it around. And we send the shared common header, and the IDS goes, "I got the header and it's nice, and I got the good stuff and it's nice," and so it, you know, assembles and, you know, says, "Hey, you know, this guy just asked for a GET /. He's cool." But the host, the host still has at this point in time... where's the host at? The stuff in its header, and then, you know, just the header packet, because it already dropped the good stuff. But it has the header, and now we give it the evil packet, and what happens when the header meets the evil packet? It reassembles a SQL injection exploit. You win. What's up? Quite a few.

So what about checksums? There's a problem. Our hosts may actually go ahead and, you know... SQL injection should not have the same checksum as GET /, right? I mean, there's 65,000 possibilities. Why would the things match up? Well, turns out there's this great book. It's called TCP/IP Lean, by this guy Jeremy Bentham. This is hardcore. Like, I ain't saying it's hardcore like... the guy debugs Ethernet with an oscilloscope. That kind of hardcore. So look, he's got this thing.
He's dealing with hardware that doesn't have enough RAM to have an entire packet in RAM at the same time. Holy crap. So he talks about how you do this stuff. He said, you know, well, you know, your checksum: you don't want to have to go and go over all your data. And how do we go ahead and stream out a packet and not have to worry about the checksums? Well, the idea is you put in the wrong checksum, but there's a funny thing about IP checksums. They're crap. They really suck. They're just the ones' complement. They're just like adding numbers, right? So it's a really funny thing: you can get to the end of your payload and be like, "Wow, I'm like 32,000 off from what my checksum should be," and so you, like, you know, add a little bit of a comment, fix by 32,000, and it works. So you just do that, and now you can have a constant checksum for different payloads.

We can actually backport this attack to all the original mechanisms used by Ptacek and Newsham and Song. It turns out what we can do, and I haven't built this one yet, because I really fucked up my arm; be happy I'm here at all. But it turns out you could actually send a series of packets such that on Linux they assemble into a Linux exploit, and on Windows they assemble into a Windows exploit, and all because there's a whole bunch of different ways that IP stacks can reorganize data. And you could actually, and I haven't built this yet, I'm fully honest, you could actually create a sequence of packets such that when they arrive on the host, the particular host being used will reassemble it into a way that is relevant for that host. And you don't even need to get any kind of feedback back. That's kind of cool.

Now, hitting the brakes. There's a couple IPS vendors out there like, "Dude, you're full of crap, because our stuff is gonna see you. It's gonna see these are overlapping fragments. We're gonna deal with you and we're gonna shut your session down." Shut my session down? That's not nice.
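Before the talk turns to what blocking a session gives away, here is the reassembly-timer trick from the last few paragraphs in runnable form: both the noise-evens / real-odds / real-evens sequence and the shared-header GET-versus-SQL-injection split, together with the ones'-complement fix-up that keeps the evil tail's checksum equal to the benign one. This is an added simulation, not code from the talk or from any IDS: it models each stack as a tiny reassembly queue with the timers quoted above (30 seconds for the host, 60 for Snort's frag2), uses byte offsets that are multiples of 8 as real IP fragments must, and checks the transport checksum on the host side only, since the checksum lives in fragment 0 and is shared. The request bytes and the timings are constructed; real stacks add overlap policies and other details this model leaves out.

```python
HOST_TIMEOUT = 30   # seconds; the Linux/FreeBSD reassembly timer cited in the talk
IDS_TIMEOUT = 60    # seconds; Snort's frag2 timer cited in the talk


class Reassembler:
    """A minimal IP fragment queue with an idle timeout.

    Offsets are byte offsets into the datagram and a fragment with more=False
    marks its end.  Once offsets 0..end are contiguous the datagram is emitted
    and the queue is cleared (the talk's way B of leaving the queue); fragments
    older than the timer are discarded (way A).
    """

    def __init__(self, name, timeout):
        self.name, self.timeout = name, timeout
        self.queue = {}   # offset -> (data, more, arrival_time)
        self.seen = []    # datagrams this stack reassembled, in order

    def receive(self, now, offset, data, more):
        self.queue = {o: v for o, v in self.queue.items() if now - v[2] < self.timeout}
        self.queue[offset] = (data, more, now)
        pos, parts = 0, []
        while pos in self.queue:
            chunk, more_flag, _ = self.queue[pos]
            parts.append(chunk)
            pos += len(chunk)
            if not more_flag:
                self.queue.clear()
                datagram = b"".join(parts)
                self.seen.append(datagram)
                return datagram
        return None


def fold(data):
    """Ones'-complement sum of 16-bit big-endian words (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data):
    return ~fold(data) & 0xFFFF


def match_checksum(prefix, payload, target):
    """Append one 16-bit fix-up word so checksum(prefix + payload') == checksum(target).

    Because the Internet checksum is plain ones'-complement addition, the gap
    between the two sums closes with a single extra word.  An odd-length
    payload gets a space first so the fix-up word stays 16-bit aligned.
    """
    if (len(prefix) + len(payload)) % 2:
        payload += b" "
    fix = (fold(target) - fold(prefix + payload)) % 0xFFFF
    return payload + fix.to_bytes(2, "big")


# Constructed request pieces.  HEADER is fragment 0 and is shared by both
# requests; the tails are the second (last) fragment.  The checksum in the
# shared header is the benign request's, so the evil tail is patched to match.
HEADER = b"GET /item.php?id"                   # 16 bytes: a legal fragment boundary
GOOD_TAIL = b"=1 HTTP/1.0\r\n\r\n"
EVIL_TAIL = match_checksum(HEADER, b"=1' OR '1'='1 HTTP/1.0\r\n\r\n", HEADER + GOOD_TAIL)
WIRE_CHECKSUM = internet_checksum(HEADER + GOOD_TAIL)


def even_odd_attack(payload, frag_size=8):
    """Noise evens at t=0, real odds at t=35, real evens at t=36."""
    frags = [payload[i:i + frag_size] for i in range(0, len(payload), frag_size)]
    last = len(frags) - 1
    host, ids = Reassembler("host", HOST_TIMEOUT), Reassembler("ids", IDS_TIMEOUT)
    for stack in (host, ids):
        for i, frag in enumerate(frags):          # t=0: even fragments, payload replaced by noise
            if i % 2 == 0:
                stack.receive(0, i * frag_size, b"\x00" * len(frag), i < last)
        for i, frag in enumerate(frags):          # t=35: host has expired the noise, IDS has not
            if i % 2 == 1:
                stack.receive(35, i * frag_size, frag, i < last)
        for i, frag in enumerate(frags):          # t=36: the real even fragments
            if i % 2 == 0:
                stack.receive(36, i * frag_size, frag, i < last)
    return host.seen, ids.seen


def shared_header_attack():
    """Good tail at t=0, shared header at t=35, evil tail at t=36."""
    host, ids = Reassembler("host", HOST_TIMEOUT), Reassembler("ids", IDS_TIMEOUT)
    for stack in (host, ids):
        stack.receive(0, len(HEADER), GOOD_TAIL, False)
        stack.receive(35, 0, HEADER, True)
        stack.receive(36, len(HEADER), EVIL_TAIL, False)
    accepted = [d for d in host.seen if internet_checksum(d) == WIRE_CHECKSUM]
    return accepted, ids.seen
```

In the second scenario the IDS reassembles and inspects only the benign request, while the host, whose copy of the good tail expired at 30 seconds, pairs the header with the evil tail and, thanks to the fix-up word, finds the checksum correct. The noise-evens scenario returns the garbage datagram the IDS reassembled next to the clean one the host got.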
And not only is it not nice, there's not a lot of people who are gonna be able to do that. That's really unique. And some jackasses, actually complete and utter fucking jackasses... All right, no, I'm kidding. They're... anyway. Look, there's a funny little thing that happens when you block a session. You send a bit of information: "I blocked you. I stopped you. I got in your way. I'm telling you I'm here and I'm getting in your way." Yo, that's a fingerprint. It turns out that any time an intrusion detection system or a firewall gets in your way, it has actually identified itself, because there's about a million different ways that these things can go ahead. You know, do they block invalid checksums? Do they block invalid options? Do they block invalid ICMP types? How about HTTP? How about SQL injection? How about SQL injection of this type? How about invalid DNS packets? How about, you know, like TippingPoint: "Oh, you sent a TCP fragment out of order. We're gonna drop you on the floor, because we don't like RFCs; they're overrated," you know. Or Check Point: "Oh, you're using DNSSEC. That's never gonna be feasible." Point is, you can go ahead and identify pretty much every firewall and every intrusion protection system based on whether, in a given session, if you do something it doesn't like, it kills your session. And it turns out you can find out the precise hop that the IDS or IPS is at by using Mike Schiffman's firewalk method, which is basically: you go ahead and you send your nastiest stuff one hop before the firewall, and then you send it one hop after. If your session dies one hop after, you know the hop where the firewall lives at. Hi, how you doing? Not that this is anything wildly new.
This is a slide from, like, 2003, and it basically shows you how you detect a PIX firewall. Not giving any details, but if anyone ever tells you it's ever impossible to remotely detect a firewall... I do. I've been doing it for, like, two years. So I can't say what that's in reference to, but you can always detect a firewall remotely. There's just too many different variations on how the protocol can be broken.

So, IP shunning. Turns out a bunch of intrusion protection systems, they're acting all hardcore: you mess with them a little too much, they're gonna block your IP entirely, because they're like, "Well, well, obviously your IP is evil." And, you know, it's not like anyone ever spoofs IP addresses, lies about who they are. Oh, nobody ever does that. Let me tell you why it's a really bad idea to block traffic that comes from random IP addresses on the internet. Anyone ever type dig? You know, that whole, like, Domain Information Groper DNS thing? Here's a couple hosts you might have heard of. They're called the root servers. If you can't talk to them, you're fucked. So, like, anyone who's running these IPSes, it's like, "Hello, internet. Here is my firewall rule set. Would you like to submit new rules? By any chance, would you like to knock my stuff down? We'll talk after." So it's like, seriously, now, you know, I'm, you know, showing this stuff. Yeah, you can knock out any of these networks by just, like, you know, "Hi, I'm 128.8.10.90. I'm trying to Slammer you." But, oh, I can't stop here. I can't stop here, because it is too large-scale, and more importantly, I thought it was all cool, but it's been whispered about for years, and, you know, I can't go ahead and take full credit for something people have been talking about. So let's do a little bit more elegant attack. Again, it gets worse. I've been investigating DNS poisoning. I've been investigating a lot. Did anyone here know... well, hang on.
We'll do that later, but I've been investigating DNS poisoning quite a bit. Four billion packets: quite a bit. Is it possible, given these networks that implement automatic network shunning, to not just, like, knock them off the network, but to poison their name servers, to go ahead and redirect traffic from their network arbitrarily? Oh yeah. Well, it's a funny thing. I showed you before: we will block you from the name servers, and that's nice. But let's do worse. Let's block them from individual name servers. Not the root, but say, hey, large ISP, you see that big bank all your customers go to? Yeah, we don't want them to do that. And how can you do that? Well, block the communication between the name server at the ISP and the name server at the bank, and there are two sides you can do the blocking from. You can cause the IP at the... the ISP, goddamn. Hmm, I think... I believe I am out. Hey, I drank everything that was there. I think you need to drink. So there are... you can block at the ISP side, you can block at the bank side, both ways. Oh no. So only if I really screw up, in which case you're having a shot with me up here.

So the general theme is to block communication between any two name servers; you can block it on either the server or the client side. All right, let's say you spoof malicious traffic from the client network to the server network. So say the big bank no longer likes Podunk ISP. All right, that means Podunk ISP is sending out requests and nothing's coming back. All right, you know, let's think about that for a second. We've got about... assuming a fixed port, we'll talk about that in a second, we've got about 65,000 possibilities for what the transaction ID is going to be. The transaction ID, of course, controls whether or not, when I spoof a packet, it actually is going to get blindly accepted. Well, kind of funny. There's usually... it's called a race condition. I would have to get my fake reply back before the real reply comes back. But you know what happens when the intrusion protection systems are in place?
Well, it's a race, but I took a bat and knocked out the other guy's kneecap, so he's not running anymore. So I've got, on average, about 32,000 packets to do, and instead of in about, like, a hundred milliseconds, I can do it in about as long as I freaking want. Moral of the story: do not automatically shun IPs.

But, you know, I can do the other side. I could also spoof malicious traffic from the server network to the client network. So, you know, you're some Podunk ISP and it's like, "Holy crap, the bank is trying to kill me. I paid my loan, man." Well, so there's a little difference here, because you think, if the ISP is no longer talking to the bank, well, you know, the ISP sends out the request and the reply comes back and the reply is blocked. But if the reply... you know, you think, "Well, when I spoof stuff, oh, it also has to be blocked, right?" Funny thing about IP: there's no affinity, and by that I mean IP addresses. You know, you can actually return a DNS... when you send out a DNS request, about 15% of the time some other guy replies and it works. That means the legitimate host can't send you back replies, but the entire internet can be spoofing replies back. They'll all work if their transaction ID is correct. Oops. Again, do not implement automated network shunning. But there are people who like it, and I'll go ahead and I'll say, okay: make sure you can talk to name servers. See if you can make it so your outbound communications override any automatic shunning. And, you know, again, do not touch name servers. But seriously, don't do this stuff. There's just 80 million ways that automatic shunning... you're giving, they're giving you guys access to the firewall table. What is wrong with these people? So don't do that.

Go to the next slide. But what about complaint emails? You know, funny thing, you know, aren't they gonna send complaint emails and negotiate and find out this stuff's going on? Well, a funny thing happens when you block someone's name server.
You can't send mail to that domain anymore. Oops. Now, what would I know about complaints? Well, when you send four billion IP packets, people can tend to notice. I've been working with these guys called Prolexic. And what's up? All right, look. So basically, none of these... like third-party spam filters, you know, they get your mail and, you know, they send you the good stuff. You know, these guys do that for IP. Like, they announce your route and they take all the crap that you guys send and are like, "You know, that's a very nice 10-gig UDP flood. I'm good to filter that." These guys have just ridiculous amounts of extra bandwidth, and they gave it to me. I've never actually been able to, like... I can't send packets faster than this network can route them. I feel like less of a man. I've been working with all sorts of cool people, and, you know, I've been doing all sorts of stuff to be all legitimate. You know, don't do this at home. Your colo will die. I tried; it was out in an hour. You will get complaints, and very scary people will be calling you personally, like, "What the hell are you doing?" So, seriously, I can't emphasize this enough: I'm doing this because there's a little problem with, you know, large-scale network attackers having better intelligence on the network than, like, I do. That's not cool. But yeah, don't do this at home. I've set up, you know, reverse lookups, and I've said in ARIN, there's "Dan Kaminsky security research." How rad is that? Like, abuse mails: "Someone has hacked in your box." "Yeah, dude, that's me." Um, so yeah, you know, oh, the best emails are like, "You know, thank you for your information. We will see you in Vegas." Like, oh crap, handcuffs.

So what do I want to do? I wanted to go ahead and find... you know, Google's taken out by some DNS poisoning attack. You know, who's actually hit by this thing?
So, you know, we scan the world, the entire world, and we find somewhere between... we find actually nine million name servers, but after the scan only about two and a half million of them would actually talk to me. Shit. I want... I need to find... because it turns out you had to have a Microsoft server talking to a Windows server... I know, excuse me, Microsoft server talking, damn it. Okay, the problem with this plan is, like, the more I drink the more mistakes I'll make. Okay, so I'm totally getting that Everclear.

So look, you have to have Windows servers who are linking to BIND 8 servers. Fairly obscure situation, right? Okay, well, how do we find that one server is linking to another? By linking, I mean, instead of going out and resolving it itself, it asks its buddy. How do we find these links? And the way that I ended up using is basically to just ask everyone: "Hey, you know, hey, you, go ahead, you know, what's your name? You know, Bob? Go ahead and look up bob.madness.net," and madness is a domain I own. If some guy named Charlie walks up to me, okay, I know Bob asked Charlie to look something up, so I know there's a link between those two domains and those name servers. That's how I did it.

What were the end results? Well, we got about two and a half million verified name servers, meaning they were still talking to me, and of those two and a half million, we used a tool called fpdns, fingerprint DNS, and we fingerprinted every single one of them. Oh, I got some emails out of that one. Okay, there are a lot of IDSes. These are like, "You tried to check version. How could you possibly do that? You know, your attack is detected, 100%. You know it, without fail." Like, seriously, people did not like it, but, you know, we're dealing with security. And, you know, we found about 230,000 hosts that are possibly broken, 13,000 that are definitely broken, and you know what?
I'm gonna be sending some emails and we're gonna get this problem dealt with. And, incidentally, the scan was done in under a day. It's good to be the author of scanrand. It sends packets fast. Fuck yeah. Oh, oh, who said that? Who said "oh"? Hell yeah. Well, maybe not. Hey, someone get him that shirt. I'm not replying.

So look, kind of reversing the thing. Normally with an exploit you're like, "I've got this box. I wonder what it's vulnerable to." Reverse: um, "I wonder if someone fucked this up. Let's ask everyone." So I'm like, you know, I wonder, you know, there's these transaction IDs, and if there's a known transaction ID you can DNS spoof on demand. I wonder, is anyone using the same transaction ID when I make a request today? You know, when they go out to the outside world, does anyone use the same thing? Because that'd be really insecure. That'd be dumb. You'd have to be, like, you know, one in a hundred thousand to be this dumb. But there's a funny thing that happens when you ask two and a half million people a question: you find the dumb ones. So there's, like... so we asked everyone with fixed, you know, transaction IDs. I had the data anyway, and we found about a hundred and ten hosts that are dumb, and of these hundred and ten hosts, it's a major IDS... a major vendor's ADSL modem. So, wow, look at all these networks I can completely own on demand. And the name server that I was using to host my own data... God damn it. In my defense, it was an old version. So, oh, fuck that... God damn it, fucking assholes. I need to do the drinking game. All right, I'm liking this. I mean, I do all my talks smashed. Hello, sir. I'm drunk.

I don't know how we never noticed this before. You know how in TCP you can scan for servers? Well, UDP is a little different. There really is no difference between a client and a server. How did we not realize until
2005 that you can scan for client ports as well? Name servers very often have fixed ports that they send all their requests from. They use a single socket, and it turns out you can scan for this client socket. You can find out who they're sending requests out to. And I'm like, well, what are these ports? I bet there's lots of servers that send out questions from a source port of 53. But you see, that's... I think the nice thing about having assloads of data is you can know. Let's look at the data. Oh, look at that: 823,000 times the source port was 32,768 on an outgoing request, and 195,000 times it was 32,769, and 54,000 times it was... Oh, you're telling me on a large portion of the internet infrastructure I can monitor load levels on remote name servers? Sweet. So, yeah, you should be running a name server that actually varies its local port.

Other stuff. There's, like, a 15-minute chunk of DNS poisoning things I can't tell you about, but holy crap, someone's up to some nasty shit. Wow. And I wasn't even looking for it. It just accidentally came back. "Hey, by the way, we're spoofing these guys." "You're what?" And it turns out there's all these, like, systems that automatically investigate what the hell you're doing when you are sending four billion packets, but when they investigate, they have no idea that the investigation comes back to you. So I've got, like, traffic from really, really dark networks. We're, like, "Hi, there's no one within the rest of my class A, but who are you? No, no, no, no. Who are you?"

So, um, as long as we're sending assloads of traffic, can we make some pretty pictures? Because, you know, people like that. And so I've actually generated a methodology that goes ahead and creates maps of all internet routes in about a couple hours. It's really, really fast. And, you know, rather than just, like, hype this, I'll show you the raw data as it's collected. And before anyone from Defcon has a heart attack, the scan is happening from the 170-gigabit pipes. So we go ahead, we go into it. "Hi, internet."
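Stepping back to the resolver findings a few paragraphs up (the hundred-odd hosts reusing one transaction ID, and the name servers sending every query from one fixed source port), here is an added example, not code from the talk, that turns those observations into a check you can run against your own resolver. It takes a list of (source port, transaction ID) pairs observed on a resolver's outgoing queries, which is what you collect when you make the resolver look up names under a domain you control, labels each field as fixed, sequential or random, and works out how many blind spoofed replies an off-path attacker needs on average. The sample observations are constructed; the "sequential" label goes slightly beyond the talk, which only mentions identical IDs, and the 16-bit port space is a simplification (real ephemeral ranges are smaller).

```python
import random
from collections import Counter

TXID_SPACE = 1 << 16          # DNS transaction IDs are 16-bit
PORT_SPACE = 1 << 16          # simplification: treat the source port as a full 16-bit unknown


def classify(values, space):
    """Label a sequence of observed ports or IDs as fixed, sequential or random."""
    if len(set(values)) == 1:
        return "fixed"
    deltas = [(b - a) % space for a, b in zip(values, values[1:])]
    top_delta, top_count = Counter(deltas).most_common(1)[0]
    if top_count >= 0.9 * len(deltas):      # one step size dominates: predictable
        return "sequential"
    return "random"


def spoof_work(queries):
    """Expected number of blind spoofed replies an off-path attacker needs.

    queries: list of (source_port, txid) pairs seen on outgoing requests from
    one resolver.  A fixed or sequential value costs the attacker nothing once
    a single query has been observed (or, for the port, scanned for, as the
    talk describes); a random 16-bit value costs half the space on average,
    which is the "about 32,000 packets" figure from the shunning discussion.
    """
    ports = [p for p, _ in queries]
    ids = [t for _, t in queries]
    port_class, id_class = classify(ports, PORT_SPACE), classify(ids, TXID_SPACE)
    port_cost = PORT_SPACE // 2 if port_class == "random" else 1
    id_cost = TXID_SPACE // 2 if id_class == "random" else 1
    return {"port": port_class, "txid": id_class, "expected_spoofs": port_cost * id_cost}


def sample_resolver(kind, n=40, seed=1):
    """Constructed observations for four resolver behaviours (not real captures)."""
    rng = random.Random(seed)
    if kind == "fixed-both":          # the ~110 hosts the talk found: same txid every time
        return [(53, 0x1234) for _ in range(n)]
    if kind == "fixed-port":          # one socket for all queries, random txid
        return [(32768, rng.randrange(TXID_SPACE)) for _ in range(n)]
    if kind == "sequential-id":       # incrementing txid, fixed port
        return [(53, (1000 + i) % TXID_SPACE) for i in range(n)]
    return [(rng.randrange(1024, PORT_SPACE), rng.randrange(TXID_SPACE)) for _ in range(n)]


if __name__ == "__main__":
    for kind in ("fixed-both", "fixed-port", "sequential-id", "random"):
        print(kind, spoof_work(sample_resolver(kind)))
```

The numbers show why the two findings matter together: a random transaction ID alone leaves about 32,768 guesses, which the talk's shunning trick turns from a hundred-millisecond race into a leisurely one, while a varying source port multiplies that work by another 32,768.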
How are you doing? We're sending out about 20,000 packets a second right now, and we're trace-routing in this massive, uncontrolled manner, and lots and lots and lots and lots and lots of hosts are talking to us. That's a mouse, right? How are we going to filter it? Well, welcome to SQL, a fun little language that lets us organize things. Once we run this stupid little query, you know, "Show me what you know," reorder this until it makes sense. Oh, look, on the way to 12.10.41.178, here's all of our hops, and here's hop one, hop two, hop three, hop four. What you were seeing before was wildly disordered, and now we have it in order. And how do we define that two things are linked? Well, if that number is three and that number is four, then, you know, this host is probably connected to this host. Mind you, we're scanning the internet over a range of, like, two hours, so this is actually kind of cool to see it in some degree of order. And what does this crap look like? Well, hang on. What does this look like when we actually get it said and done?

Finally, I get to show some pretty pictures. I know, I'm well aware: this data has been around for a while, but being able to zoom in on it is kind of new, and being able to, like, tilt it down and, you know, raise it up and, like, fly around. Everyone, you know, Hollywood really wants someone to do this, so fine, here, I'm flying around the internet. Ain't that rad? Now, the eventual goal, and this will happen sometime in the next couple of months (yeah, I really broke my arm), but the goal is that we can go ahead and we can take live data and we can go ahead and plot it. So this is all black and white, and as you actually use the net, it goes: you're going over this path, they're going over this path, here's all the constraints and all that kind of stuff. And that's the kind of data I want to be able to, you know, collect. It turns out when you do this kind of large mapping,
there's a couple things you can do extra. Whenever, you know, we have to scan up to a certain range, if we actually find someone, you know, at the, you know, the farthest away possible, we can go back, fill in the gaps. We can actually go ahead and, you know, put out senders all over the internet and have all the reception happen at the same point. So you can say here's how the net looks from China, here's how the net looks from Japan, here's how the net looks from Abu Dhabi, and all of it will come back to the same collector, and we can go ahead, we can integrate the data. And the results look pretty cool, but there is, there is a weakness. Yeah, how are you gonna make this useful? And beyond that, I don't want to have to do this big pre-processing phase. I would like to graph live data. How could I do that?

Well, there's these guys. They wrote some code in C++. It makes my nose bleed, but it's really, really cool. It's really, really cool to the level of like it will handle like two-million-node networks and be like, huh, sweet, you got more? It's really cool. It's called the Boost Graph Library. It's rad, and not only is it rad, but their developers are like, okay, we're going to support Dan. Sweet. They're getting like updates, like here is your code, here are the answers to the test. Like, struggle with this stuff like four days and then a mail: here you go.

So what kind of stuff can we do now that we have like, you know, real graph-logical stuff? Hmm, let's see here. This is a router trace on a small network. That's a little dark, isn't it? We'll set the next one to be a little lighter. This is a fairly large-scale network, and actually, this is a router trace. We're watching traffic, and it's actually animating out in front of us in real time, and we're watching basically nodes that aren't talking to anyone else. Here's a cluster right here. That's just one server talking to lots of hosts.
Here are servers that have a multi-tier relationship. This is all very early code written in the last week or two, but, whoo, it's pretty. And the idea is you can actually like stream random data in. If I had any faith in the networks at these things, I could actually do live tcpdump with all interrelationships shown on that kind of map.

And is this useful? Well, I made a discovery on it. I took all my DNS interrelationship data and put it into that graph, and what did we find? Interestingly enough, oh crap, there's a whole bunch of hosts that are all coming back to one. That I expected. What I did not expect, and it'll take actually a few seconds for it to show up on this, but you'll just have to believe me: my expectation was that you would have, you know, lots and lots of hosts that actually went to one back end that talked to me. What you actually see is a pretty complex multi-tier relationship: one name server will talk to another name server, will talk to another name server, to talk to another name server. This was something that I would not have expected. I actually don't know the layouts that create this, but having seen the data, having seen it visually, I could now build my systems around that assumption.

The goal of my adventure, of all of this, is that when I do mass internet-scale scans, every time I send a packet, I can know the route that packet is going to probably take. I can know the routers it's probably going to go over.
I can know what the bandwidth implications are. I can look at my pipe as a water hose, as a, not a hose, as a pipe of just high-pressure water, and I can go ahead and build taps on that based on what the implications are on the underlying network. So I can say here's a T1: packets through there can only go at this rate. Here's an OC-48: packets on here can only go on this rate. And most interestingly, I can put monitors on every single router that I'm sending traffic through, and the moment those monitors, I call it canaries: you send five or ten packets a second to each router you expect to go through, and as soon as these canaries stop responding, you know you killed them. So I'm gonna start killing canaries. Ain't that fun?

And now the last thing. I have no idea if I've gone over, but I hope you guys have had fun. Who here was at my talk here last year? Hey, I haven't screwed up yet. So you're wearing a Power Glove. How can I resist? Anyone got shot glasses? I'll get some shot glasses up here. What's your name? Patrick. Patrick, this is why I fucking come to Defcon, because people will get me really fucked up. Mind you, I've never had Everclear before. Hey, am I shying away from this? No, cuz I'm trashed. I am so fucked. Hey, I am drinking.

All right, we're here. You know what we're drinking to? We're drinking to ToorCon, probably my favorite small con in the world. It is just the shit. Defcon is rad. ToorCon is just, Hikari is awesome. Is Hikari even here? Dude, fucking Hikari. Dude, we have a third shot glass. Any chance? Hey, Hikari, get the fuck up here. Here, you're drinking this shit. I'm drinking Everclear. You could drink the fucking Morgan's. Just drink. All right. To a great fucking con. You guys all rule. Thank you so much for coming here. Billings was actually working. Holy hell.
I didn't think it would actually work. All right, I'm putting audio out through the PC interface. This better work, guys. I'm warning you, audio is coming any minute. Oh, so I had to put on a huge cache on this thing because the Black Hat network was broken beyond all description. It was like wireless from like 20 feet away. Darth Vader is the Lord of the Sith. Okay, Robot Chicken is the best fucking show in the world. Crystal Lake, supposedly haunted by a machete-wielding spook named Jason. Voorhees should make like hockey sticks in... Robot Chicken rocks, and that's about all I have for you fucking guys.

Just fucking come up here. I want people to hear your shit. Seriously, I really want people to come up and ask questions.

Can I fucking have your babies?

Dude, you're a guy. Seriously, someone came up with some auto-shunning question. Come on. Come here. All right. What'd you got, man?

The IPSs you're aware of, will they auto-shun their loopback interface?

I had totally not thought of that. That would, I seem to have nothing to drink. You guys are falling down on the job. I bring you here. What, you want me to drink, sir? Okay. That's a really interesting question. If the, okay, so here's the idea, and this is fucked. This is really, really impressively fucked up. The idea is that you spoof a whole bunch of traffic to some network from the address 127.0.0.1, which is of course the loopback address on a host. Will the IPS actually block localhost? Because if it does, all sorts of shit's going down. IPS vendors in this room, test, like, now, because there's like a thousand people who have the idea of testing it. Hey, you had your hand up, get the fuck up here. No, no, come up, come up. Seriously, come on up.
There's like booze and books and like good shit and like, goddamn it. Now, just a rebuttal to the earlier question: if you've got your router set up right, your edge router, 127 shouldn't get in. If your edge router's automatically already blocking 127.0.0.1, then of course, yeah, you're not going to go ahead and get nasty traffic. But, um, a lot of people have the attitude, well, I got an IPS. What do I need to put custom firewall rules in for? The internet will be giving me firewall rules. Actually, honestly, probably a lot of IPSs already have blocks against 127 and have blocks against RFC 1918 space, but I'm sure there's one that doesn't, because there's some really crappy IPSs out there.

What's up? Hang on, hang on. You have, you're trying to kick my ass, and so of course I have to give you the mic.

What happens with overlapping segments then?

What do you mean?

What happens to overlapping segments? What happens to the segments, the timeout values, when the segments are overlapping?

Ah, yes. Yes, yes, that's one of the things I pointed out. There are some very good, okay, there are some relatively good IPSs, because they're all shit, but there are some relatively good IPSs that will notice. Hey, look, they basically will go ahead and have their timing value for how long the fragment can live, but fragments have a particular IP ID associated with them, and there will be a separate timer, a much longer timer, that notes, hey, I may have flushed this from my queue, but this is a fragment on a session from an old, this is an old fragment, this is a fragment that could have been applied to an old session. In other words, someone could be trying to mess with me. Hmm, why would I try to be messing with anyone? Yeah, I guess they can bust me. Those IPSs are really easy to fingerprint, and there is a problem in this industry. There are vulnerabilities in security code itself. Really, I am so screwed in the drinking game, baby.
Hey, come up here. Well, you definitely are a girl. New comment.

With all the fragmenting stuff, does that work if they're filtering fragmented packets?

No, it doesn't, but that's a problem, because fragments are a legitimate part of the IP spec. They're actually, no, there's quite a few networks that are tunneled inside of tunnels, and they end up with much smaller, you know, in the multi-tunneling, end up with packets larger than the MTU, because there's a lot of packets that will be sent with an MTU of 1500. So fragmentation happens. It's supposed to be limited by TCP's MSS value, but sometimes it really does happen, and it does happen entirely legitimately. Now small fragments, this is very obscure, but small fragments at the beginning of a packet should not happen, and those things are legitimately dropped, and that's good.

As I've seen networks that do that, they filter out the fragmented packets. What are they missing out on, and is there anything interesting about them?

Well, there's an interesting thing. A lot of people say, hey, you know, I can drop one percent of traffic, no problem. It's just, you know, one percent. But you get, you know, this one percent, this one percent, this one percent, and suddenly the internet doesn't work very well anymore. And that happens, and that's ultimately, you know, we have this thing called like congestion collapse, when there's too much traffic that doesn't back off. There's another kind of collapse. It's firewall collapse, when there's too many overlapping rules from people who think, well, our one little variation on the IP spec is okay, and, you know, we're just going to do it, and, you know, who cares if we drop one percent of traffic. And then the internet no longer works. And TippingPoint, I'm talking to you.

I can't remember the denial-of-service attack. It's either NewTear or Teardrop, where it's based on fragmented TCP packets. How would that work against an IPS?
The fragmented packet that I dream up? Ping of Death, maybe, where you have a packet that reassembles larger than the maximum IP size. The TCP packet reassembles and it's broken, and it causes various problems. At this point, you know, it's really sad. It's 2005, right? What the hell, when did teardrop come out? Wasn't it like '97 or '98? Okay, so a very well-known vendor, NetScreen, actually goes ahead and has, like, in, you know, on their thing: we blocked this many teardrop attacks. Dude, it's the 21st century. We aren't worried about that shit anymore. It doesn't work even if it's unblocked. We're not running Windows 95. So I don't know. I mean, teardrop, I mean, it's a great brand.

Oh, incidentally, you guys know how names are done in the virus industry? It's like, you know, they're all like named by the guys who find them. So just like, you know, we're gonna call this attack teardrop, we're gonna call this attack Code Red, because, you know, hey, you know, they didn't like put a big brand or copyright on it when they attacked our network, so we're gonna name it whatever gets us the most attention possible, and that's why they all have sexy names. Of course, there was a real problem when one of them named their thing, um, Doxpara, because I do Doxpara Network, Doxpara Research, and Doxpara caused me all sorts of problems, especially when the variant happened, Doxpara.A. You bastards.

All right, other questions? What?

Hey, uh, what do you think of the recent ICMP-based attacks?

There's so much over, so it's really funny. Yes, you can kill ICMP sessions if you can figure out the four-tuple of source IP, dest IP, source port, dest port. You totally can. But I went on Deja News and I found a post from 1993 calling this shit old. Dear God. No, I mean, okay, the actual attacks are real but old. To his credit, he's right. They still work, and they shouldn't. His stuff about slowing, there's this guy, he has this stuff about slowing down networks. Why am I drinking?
I was right. Okay, his, funny guy, you should test the shit. So I went, you know, he has this whole thing: well, I can slow down communication of BGP sessions. I can reduce a session down to one packet sent per round-trip time. So BGP sessions, I don't know if you guys know, they're about three kilobytes a second. Three kilobytes a second. Okay, so, um, you reduce the session down to one packet per round-trip time on a session that has somewhere between one millisecond and a tenth of a millisecond latency. Oh no, I can only send a thousand to ten thousand packets a second on my three-kilobytes-a-second link. It's ridiculous.

Any other questions? Seriously, you don't even have to come up if I can somehow hear you. Says the guy from Prolexic. That took some balls. Here, have a book. Prolexic's been rad, by the way. I mean, seriously, they've been giving me shit-tons of bandwidth and taking calls from DOD. Rad. Oh shit, it's George. It's scanrand, motherfucker. George, hate you.

So I'm going to the T2 con out in Finland. So who here's from Europe? Dude, you're all guys. I'm coming out to you guys most. That's the plan, so T2. I didn't intend to give him props because ToorCon is the shit, but, yeah, T2 should be good. Hey, someone get these fuckers drinks. They need to be drunk so they'll shut up. All right, do we have anything else? I should probably give this shit up to Hacker Jeopardy. Okay, go ahead. You have a good question? No, dude, hang on, I want this guy to ask a question.

You said that your one-year tax is based on the difference between IDS timing and host timing. Well, in Linux and FreeBSD, isn't it possible, even in extreme situations, just to rebuild the stack, so if you know your vendor in advance, just to match your IDS timings and your host timings?

Man gets a book.
Man gets both books. That is an excellent point. Those of you who are very smart admins can go ahead, adapt your host to your shit-ass IDS and make things align perfectly. Absolutely correct. Fantastic point.

Are you advocating we break our host to match our IDS?

Hey, I'm advocating we adapt our host to agree with our IDS's fucked-up view of the universe. Thank you very much. Absolutely. What's up? And I think, unless there's any more questions, I think I am done here. You guys are fantastic. I love you guys. As a note, I talk at Black Hat as practice for you guys. You guys are awesome. I cannot even say thank you so much for all.

And oh, there's one last thing that is really important that you all know. I have an insane network pipe and I'm taking proposals for how to use it. If you have an idea for what will help secure the internet, I will take the shit of spreading it everywhere. Talk to me. Don't do it yourself. No, not porn, you sick fuck. Especially for the kind of porn you want. All right, I'm off to the drinking game, where I will puke my guts out. Thank you.
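The fixed-source-port observation earlier in the talk (hundreds of thousands of outgoing queries from 32768, then 32769) turns into a simple check a resolver operator can run over their own outbound query logs to see whether their resolver is one of the predictable ones. This is an added example, not code from the talk or from Dan's tools; the log format, the 192.0.2.x sample addresses and the classification thresholds are all constructed assumptions.

```python
"""Flag DNS resolvers whose outbound query source port is fixed or
sequential, the condition described in the talk. Added example, not
code from the talk; the record format and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample: (resolver_ip, source_port) of outbound queries as
# an authoritative server we operate would see them. Not real data.
SAMPLE_QUERIES: List[Tuple[str, int]] = (
    [("192.0.2.10", 32768)] * 6 + [("192.0.2.10", 32769)] * 2   # mostly 32768
    + [("192.0.2.20", p) for p in (32768, 32769, 32770, 32771, 32772, 32773)]
    + [("192.0.2.30", p) for p in (41233, 59870, 1029, 62011, 33710, 7781)]
    + [("192.0.2.40", 53)] * 5                                   # always port 53
)


def port_profile(queries: List[Tuple[str, int]]) -> Dict[str, List[int]]:
    """Group observed source ports by resolver, preserving the order seen."""
    by_resolver: Dict[str, List[int]] = defaultdict(list)
    for ip, port in queries:
        by_resolver[ip].append(port)
    return dict(by_resolver)


def classify_ports(ports: List[int], min_samples: int = 4) -> str:
    """Classify one resolver's source-port behaviour.

    'fixed'        every query left from the same port (e.g. always 53)
    'sequential'   each query reuses the last port or steps it by one,
                   the 32768/32769 pattern the talk points at
    'varied'       ports jump around the ephemeral range
    'insufficient' too few observations to say
    """
    if len(ports) < min_samples:
        return "insufficient"
    distinct = set(ports)
    if len(distinct) == 1:
        return "fixed"
    # Consecutive observations from a random-port resolver almost never
    # differ by exactly 0 or 1; a counter-based socket allocator does.
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if all(s in (0, 1) for s in steps):
        return "sequential"
    return "varied"


def find_predictable_resolvers(queries: List[Tuple[str, int]]) -> Dict[str, str]:
    """Return {resolver_ip: classification} for resolvers worth a warning."""
    return {
        ip: verdict
        for ip, ports in port_profile(queries).items()
        if (verdict := classify_ports(ports)) in ("fixed", "sequential")
    }


def top_source_ports(queries: List[Tuple[str, int]], n: int = 3) -> List[Tuple[int, int]]:
    """Population-wide view, like the counts quoted in the talk: most
    common (port, count) pairs across every resolver seen."""
    return Counter(port for _, port in queries).most_common(n)


if __name__ == "__main__":
    for ip, verdict in sorted(find_predictable_resolvers(SAMPLE_QUERIES).items()):
        print(f"{ip:<12} {verdict}: source port is predictable, vary it")
    print("most common source ports:", top_source_ports(SAMPLE_QUERIES))
```

Running it on the constructed sample flags 192.0.2.10 and 192.0.2.20 as sequential and 192.0.2.40 as fixed, while 192.0.2.30 passes. On a real log the same function is the check behind the talk's advice: a resolver that shows up as fixed or sequential is one whose next query port an outsider can guess, which is both a load-monitoring leak and a weaker defence against spoofed answers.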