Packet Capture on AWS
Download as PPTX, PDF9 likes11,029 views
The document discusses packet capture on AWS, detailing what packet capture is, its importance for network analysis, and methods for implementing it. It highlights typical packet capture techniques, including using NAT instances and proxy architectures, as well as challenges faced when capturing packets on AWS. Additionally, it suggests leveraging existing tools like tcpdump and Wireshark and provides a proof of concept using AWS Lambda for packet capture.
Packet Capture on AWS
- 1. Packet Capture on AWS Teri Radichel | @teriradichel https://www.sans.org/reading-room/whitepapers/detection/packet-capture-aws-37905 (A SANS Gold Paper)
- 2. Largest Security Training Organization in World… SANS.org
- 3. What’s a packet? • Data is split into packets or small pieces to send over the network • Follows a protocol – the devices on both ends must understand • Packets are reassembled at the destination, if protocol requires • Some protocols resend failed packets (TCP) others do not (UDP) Source DestinationNetwork
- 4. What Is Packet Capture? • Capture the details about packets as they traverse the network. • For example, if you have tcpdump installed can run this on mac/linux: sudo tcpdump –x -n • You’ll get a number of packets rolling by on your screen like this: 23:56:50.183837 ARP, Reply 192.168.1.95 is-at f4:5c:89:b6:7b:7f, length 28 0x0000: 1491 829a 0b62 f45c 89b6 7b7f 0806 0001 0x0010: 0800 0604 0002 f45c 89b6 7b7f c0a8 015f 0x0020: 1491 829a 0b62 c0a8 0101 • That’s a packet displayed in hex format (-x), and with IPs instead of domain names (-n) • http://www.tcpdump.org/tcpdump_man.html
- 5. Network Layers and Headers • OSI or TCP model – network layers • Different headers for each layer • Example – IPv4 header • Devices at source wrap the packet in a headers • Devices at the destination unwrap the headers http://websitenotebook.blogspot.com/2014/05/decoding-ip-header-example.html
- 6. Decoding Packets • Packets are sent over the network in hex • Decoding a packet header: http://websitenotebook.blogspot.com/2014/05/decoding-ip-header- example.html • Hex to Binary Cheat Sheet: • http://websitenotebook.blogspot.com/2014/05/hexadecimal-to- binary-to-decimal-cheat.html • Note that on AWS there are some AWS specific headers you don’t see • https://www.youtube.com/watch?v=St3SE4LWhKo
- 7. Why do we care about packets? • VPC Flow Logs only capture source, destination, protocol, timestamp and a few other things; Web traffic logs only capture certain details pertaining to web requests. • A full packet has much more data that a other types of network logs • Sometimes the full packet is required to resolve network issues • Attackers obfuscate packet data to pass through security appliances undetected – some of these attacks are only visible at packet level • Data hidden in unused packet fields can exfiltrate data on channels in undetected manner only visible when looking at raw packets
- 8. Captured packets can be stored and analyzed • Many programs store packets in a format call “pcap” files • Programs such as Wireshark can read these files and help security professionals analyze the data • An IDS/IPS can alert on or block packets that match nefarious patterns (Snort, Bro, Suricata) • Yara files can be used to match packet capture patterns and alert or block malicious traffic • Some devices like a WatchGuard Firebox with security services provide this service so you don’t have to do it yourself
- 9. Typical Way to Capture Packets • Span port on switch “mirrors” the data • Send packets to IDS/IPS and/or logs • So…how do we do this on AWS? • Can’t plug into the switch… https://wiki.wireshark.org/CaptureSetup/Ethernet
- 10. Tcpdump on every machine < instances bucket
- 11. A better way… • Route All the Packets Through Packet Capture Host(s) • Capture host(s) must be able to receive the traffic, log it, and forward the traffic to the destination • Network configuration must force all packets through the capture host(s) • Any extraneous routes let packets bypass capture host(s)
- 12. AWS NAT Example http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html Note that the web server traffic would not pass through the NAT instance and this is typically only for outbound traffic. We want to capture all traffic…
- 13. NAT Architecture Security groups and route tables can force all traffic through the NAT. NAT instance can be modified to handle all traffic, in and out.
- 14. Proxy Architecture with Load Balancing This shows architecture for Squid proxy. Squid proxy would only handle layer 7 traffic but we could modify these instances to capture all traffic. Load balancing provides scaling. Would need to handle inbound and outbound. https://aws.amazon.com/articles/6463473546098546
- 15. Proxy Architecture – Peered VPCs Instances can only talk to other instances in a directly peered VPC. A proxy will allow traffic to pass through one VPC to another. This can be used for nefarious purposes but in our case we can leverage this to capture as it crosses network boundaries, which could be useful. More on that in an upcoming slide.
- 16. Packet Capture Via Security Appliance A security appliance designed to capture and pass through network traffic after analyzing it might be a good way to capture packets as they traverse network boundaries. Noticed the network design which separates the packet capture functionality and storage from the rest of the network.
- 17. Transit VPC We could use a transit VPC to capture all traffic coming into and leaving AWS, or traversing the network from one account to another. This is a very interesting idea because not only does it make managing connections between different networks easier, it provides a way to ensure all packets must pass through our packet capture architecture. https://aws.amazon.com/blogs/aws/aws-solution-transit-vpc/
- 18. POC – Capture Packets in Lambda Function https://github.com/tradichel/PacketCaptureAWS Here’s the POC using WatchGuard Firebox Cloud’s CLI command to capture packets. Clone the code, execute the run file and it will ask a couple questions. You will get this… Note the protection of the key in S3 with stringent bucket policy. Could make it even more stringent by creating the key on the fly in AWS with no access to it outside the AWS network.
- 19. Packets! Please read the paper for details. Must have packets flowing when you run the lambda to capture.
- 20. What Next? Suggestions? • This was a POC Only! • Lambda is short lived – would want a source that stays online • Need to test performance over time of this solution and others • Scalability • Storage • Potentially set up an open source IDS/IPS to analyze packets • Store as PCAP • Or store to CloudWatch and use some other type of parser to pull the data out into PCAP or desired format