Abuse of CPE Devices and Recommended Fixes

Presented at Black Hat USA 2014, Aug. 7, 2014, 9:35 a.m. (25 minutes).

Consumer Premise Equipment (CPE) has become common, nearly ubiquitous, home and small office attire. Many homes have a router/modem device that mediates access between home devices and the ISP. Abuse of these devices is particularly problematic both because the owner has difficulty interfacing with (and fixing) the device and because the static code provided by the vendor is generally rotted (and vulnerable) by the time the consumer unpacks the device. The poor management of CPE has created an Internet-scale problem and potential for abuse. For example, the plurality of open DNS resolvers accessible on the Internet are on medium-speed DSL connections, the sorts of connections leased to home and small-business users. These devices are available for abuse in reflected and amplified DDoS attacks. The vulnerable devices themselves can also be leveraged against the consumer in middleperson attacks. In this presentation, we quantify this problem and provide recommendations for how the Internet community can address this public-health-like problem.

Presenters:

  • Paul Vixie - Farsight Security, Inc.
    Dr. Paul Vixie is the CEO of Farsight Security. He previously served as President, Chairman, and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX, and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Vixie is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC). Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He is considered the primary author and technical architect of BIND 8, and he hired many of the people who wrote BIND 9. He has authored or co-authored a dozen or so RFCs, mostly on DNS and related topics, and of Sendmail: Theory and Practice (Digital Press, 1994). He earned his PhD from Keio University for work related to the Internet Domain Name System (DNS and DNSSEC).
  • Jonathan Spring - Carnegie Mellon University
    Jonathan Spring is a member of the technical staff with the CERT Threat Analysis Group of the Software Engineering Institute, Carnegie Mellon University. He began working at CERT in 2009. He is the co-author of an information security textbook "Introduction to Information Security: A Strategic-Based Approach." He also serves as an Adjunct Professor at the University of Pittsburgh's School of Information Sciences. His research topics include monitoring cloud computing, DNS traffic analysis, and game theory. He holds a master's degree in information security and a bachelor's degree in Philosophy from the University of Pittsburgh.
  • Chris Hallenbeck - US-CERT
    In his current role, Mr. Hallenbeck provides technical leadership to personnel in Network Analysis and Digital Analysis in addition to directly overseeing the Incident Response Team's deployments. He is responsible for providing technical mentorship to a cadre of employees who monitor, analyze, evaluate, and respond to network security anomalies across the unclassified Federal Executive Branch network sensor grid and established Critical Infrastructure and Key Resource Sectors. In 2014 he has passed the 5 year mark for service at DHS. Prior to joining US-CERT, Mr. Hallenbeck worked for RSA Security and EMC as a security engineer in their then fledgling Consumer Solutions Division. Previous to RSA Mr. Hallenbeck worked for 6 years at AOL first as a systems administrator then as part of the AOL/TW global incident response team. When not chasing electrons, Mr. Hallenbeck much prefers to be someplace tropical 50-100 feet under the water.

Links:

Similar Presentations: