Encrypted Traffic on Unexpected Ports: A Warning Sign
As a member of InfraGard — an information and news dissemination list maintained in part by the U.S. Federal Bureau of Investigation — I will periodically post on common themes seen in these infrastructure attacks. This month I will be discussing a clever malware exploit that leverages human expectations.
Most people associate encrypted traffic with port 443, the conventional port for HTTPS (encrypted web traffic). However, this is purely a convention: HTTPS can be served on any port. Additionally, HTTPS is not the only protocol that uses TLS; secure IMAP on port 993 and secure SMTP on port 465 are two examples. Monitoring for encrypted traffic is therefore not as simple as looking for HTTPS or for known protocols on their expected ports. Malicious actors exploit this expectation by hiding their activity in encrypted traffic on unexpected ports.
This month’s exploit is the Slipstream NAT bypass attack. Here is the FBI alert of November 9, 2020:
New Slipstream NAT Bypass Attacks to Be Blocked by Browsers
Excerpt: “Web browser vendors are planning to block a new attack technique that would allow attackers to bypass a victim’s NAT, firewall, or router to gain access to any TCP/UDP service hosted on their devices. The attack method, dubbed NAT Slipstreaming, was discovered by security researcher Samy Kamkar and it requires the victims to visit the threat actor’s malicious website (or a site with maliciously crafted ads). To expose hosted services, the attack abuses certain NAT devices scanning port 5060 to create port forwarding rules when detecting maliciously crafted HTTP requests camouflaged as valid SIP requests. Kamkar also provides proof-of-concept exploit code to demonstrate the validity of this newly disclosed NAT/firewall/router bypass technique. To block such attacks, web browser vendors are planning to block the 5060 and 5061 TCP ports used in this attack by adding them to the restricted list. ‘As a workaround for the “Slipstream” NAT bypass attack, we will be blocking HTTP and HTTPS connections to the SIP ports 5060 and 5061.’”
The reason many of these exploits succeed is that IT organizations build their firewall, IDS and SIEM rules around their (human) expectations rather than around unexpected approaches to exploitation. Rules keyed to expected traffic will fail to detect the same traffic on an arbitrary port.
In creating a secure environment, you cannot predict where new exploits will come from. Instead, focus on identifying unusual or unexpected activity and flagging it for your security team to examine.
So, can your Gigamon infrastructure provide you with any help in identifying unexpected encrypted attacks? Yes, absolutely. The Gigamon GigaVUE-OS has the built-in ability to detect encrypted traffic on any port, using the GigaSMART® Traffic Intelligence Engine. The Application Intelligence feature of GigaVUE-OS allows you to create a filter that identifies both encrypted datagram traffic and (SSL) TLS-over-TCP traffic on any port in the traffic stream.
For unusual traffic patterns, you can send a copy of the traffic to inspection tools for closer analysis and, where warranted, intervention. The ability to identify unexpected encrypted traffic gives your teams a substantial leg up!
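The same port-agnostic idea can be expressed in plain code. The following is an added example, not Gigamon's or GigaVUE-OS's own logic: it recognizes a TLS ClientHello from the first bytes of a TCP payload instead of from the destination port, then flags handshakes headed to ports outside an assumed allow-list (443, 465 and 993 here, taken from the discussion above). The flow records and the allow-list are constructed for illustration.

```python
"""Port-agnostic TLS ClientHello detector (added example, not Gigamon code).
A TLS record begins with content type 0x16, a 2-byte version (0x03, 0x00-0x04)
and a 2-byte length; a ClientHello handshake header then starts with 0x01."""
from dataclasses import dataclass

# Assumed allow-list of ports where TLS is normal in this environment.
EXPECTED_TLS_PORTS = {443, 465, 993}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client

def is_tls_client_hello(payload: bytes) -> bool:
    """True if the payload begins with a plausible TLS ClientHello record."""
    if len(payload) < 9:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    if content_type != 0x16 or major != 0x03 or minor > 0x04:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    handshake_type = payload[5]
    handshake_len = int.from_bytes(payload[6:9], "big")
    # The handshake message (type byte + 3-byte length + body) must fit the record.
    return handshake_type == 0x01 and handshake_len + 4 <= record_len

def unexpected_tls_flows(flows):
    """Return (flow, reason) pairs for TLS handshakes on non-allow-listed ports."""
    alerts = []
    for f in flows:
        if is_tls_client_hello(f.payload) and f.dport not in EXPECTED_TLS_PORTS:
            alerts.append((f, f"TLS ClientHello to port {f.dport}, not in allow-list"))
    return alerts

def client_hello(body_len: int = 40) -> bytes:
    """Construct a minimal, well-formed ClientHello record prefix for testing."""
    handshake = b"\x01" + body_len.to_bytes(3, "big") + b"\x03\x03" + bytes(body_len - 2)
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

# Constructed sample flows: two a port-based rule handles, two it would miss.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, client_hello()),               # expected TLS
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: x\r\n"),  # plaintext
    Flow("10.0.0.7", "198.51.100.9", 5061, client_hello()),              # TLS to a SIP port
    Flow("10.0.0.9", "198.51.100.9", 8080, client_hello()),              # TLS to HTTP-alt
]
```

Running `unexpected_tls_flows(SAMPLE_FLOWS)` reports only the 5061 and 8080 flows; the plaintext HTTP flow is ignored because it never passes the record-header check.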
Be safe!