Last week I wrote a blog post about my experiences at the Black Hat 2013 conference. The conference ended on Thursday, and DefCon started on Thursday night and went through Sunday. Like I said in my previous post, if Black Hat and DefCon were brothers, Black Hat would be the elder son that played by the rules, went to grad school, and got a nice corporate job. DefCon would be the punk younger brother that's smart, creative, but had a few run-ins with the law, and is mending his ways.
DefCon is, of course, a lot more fun to party with. Imagine, if you will...
The scene: the dance floor at DefCon. Loud music, flashy lights, smoke machine, packed dance floor. The DJ: "You are my kind of people! If you have ever spent time sniffing packets, put your hands in the air!" The crowd: puts hands in air, goes wild.
DefCon encompasses a much more diverse set of people and skill sets. It's cheap - $180 cash on the barrelhead - so you get real people from all over, not just security professionals sent by their company. It's not just about computer hacking, either - there's a "Lockpick Village" and a "Tamper Evident Village". The booths reflect all of this: there are T-Shirt vendors, lockpick vendors, "unix surplus", the EFF and ACLU, etc. There are contests - capture the flag (CTF), where teams compete to break into each other's machines. "Capture the packet" where you try to find certain traffic in a hostile environment. And there is of course the "Wall of Sheep", which captures passwords from insecure protocols over the free range wifi - and puts them up on a wall.
All this makes for a con with a lot more than just sessions. The sessions themselves are generally along the same lines as Black Hat, and there is overlap between the two. The best generalization is that they are more irreverent. Case in point:
Matthew Prince, CEO of CrowdStrike, gave a presentation on the DDOS attack on Spamhaus. It was the largest known attack so far, topping out at 300GBps of sustained traffic. It was done through an "Open DNS Resolver" attack. The basic idea is that there are a LOT (28 million right now) of DNS servers on the open internet that are mis-configured to respond to queries outside of their domain. Anyone right now can send a 64-byte query to any of these DNS servers and receive about 3,300 bytes of data - 50x what was put in. Since DNS is a UDP protocol, there is no three-way handshake of TCP, and so the source is pretty easy to spoof. Now normally, networks are configured to not allow packets out of their network with source addresses that aren't inside the network... but it turns out at about 23% of networks are misconfigured to allow this.
So... let's say you want to attack spamhaus.org. You make a UDP packet that's a DNS query, and you put spamhaus's ip address as the source. You then send this packet to any open dns resolver from a network that allows spoofed source ip addresses out. You've just sent a 64-byte packet. Then your recipient, the open DNS resolver, processes your 64-byte request and sends the 3,300-byte reply to... spamhaus.org. You just leveraged someone else's server to send 50x more data than you sent to it. That's pretty cool. The spamhaus attackers used: 1 control laptop, 6-7 rather beefy attack servers, and used 30,000+ open DNS resolvers in their attack. The result: the biggest attack that the internet has seen to date.
What's scary here is actually the smallness of the attack. There are 28 million open dns resolvers out there, this attack used only 33K of them. There are a lot more open networks out there that allow spoofed IP source addresses - this attack used 7. Scale up this attack, and you break the internet.
The presenter then said: "This is what I presented at Black Hat. The recommendations were pretty weak: use our services, work with your provider, blah, blah, blah. But here at DefCon, let's make it interesting. While the attack was going on, one of my employees said 'I think I know how to stop this attack'. His solution? 'What if we had the open DNS resolvers attack each other?' The code for doing this... 50 lines of C code. My lawyers didn't want me to post the code, but (code scrolls by screen really fast, disappears) there it is."
And now you know how to break the internet.
That wasn't the only thing that got broken. IPv6, automobiles, networks, humans, you name it. My award for "best demo" has to go to David Kennedy from Trustedsec. The premise of the demo was that all the latest fancy security technology - NextGen firewalls, whitelisting, blacklisting, DLP - doesn't really stop a motivated hacker. He had flair: a guy in a chicken suit came on stage with a sign saying "Let's pop a box!" He called up the CEO of a "large Fortune 500 company" (one owning all of said products) and asked permission to break in. Since it was all prearranged, the CEO agreed. Then he called Kevin Mitnick (!) onstage to help him with social engineering. They called some poor unsuspecting employee of this company, and live on stage Kevin Mitnick convinced him to click on a popup that he shouldn't have clicked on. It was masterful. On the big screen above him, a metasploit window churned away, and presto! Administrator access to his machine.
The lesson: fancy new security technology won't save you - there are lots of ways to fool even the best security products out there. This was a metaphor for the entire week: a determined hacker can break into nearly anything, given time and patience.