1000 days of udp amplification ddos attacks
play

1000 days of UDP amplification DDoS attacks Daniel R. Thomas , - PowerPoint PPT Presentation

Jan 10, 2024 •240 likes •434 views

1000 days of UDP amplification DDoS attacks Daniel R. Thomas , Richard Clayton, Alastair R. Beresford Firstname.Lastname@cl.cam.ac.uk Daniel: 5017 A1EC 0B29 08E3 CF64 7CCD 5514 35D5 D749 33D9 Richard: 899A 94CE BFCE CCE2 5744 5ACE 3BBC CF52

  1. 1000 days of UDP amplification DDoS attacks Daniel R. Thomas , Richard Clayton, Alastair R. Beresford Firstname.Lastname@cl.cam.ac.uk Daniel: 5017 A1EC 0B29 08E3 CF64 7CCD 5514 35D5 D749 33D9 Richard: 899A 94CE BFCE CCE2 5744 5ACE 3BBC CF52 A8B9 ECFB Alastair: 9217 482D D647 8641 44BA 10D8 83F4 9FBF 1144 D9B3

  2. UDP scanning Refmector 8.8.8.8 big.gov IN TXT big.gov IN TXT " src: 192.168.25.4 Extremely long dst: 8.8.8.8 response.............. (2) (1) ........................... ........................... Attacker .........................." 192.168.25.4 src: 8.8.8.8 dst: 192.168.25.4 2

  3. UDP refmectjon DDoS atuacks big.gov IN TXT " Refmector Extremely long response.............. 8.8.8.8 ........................... big.gov IN TXT ........................... .........................." src: src: 8.8.8.8 dst: 8.8.8.8 dst: 172.16.6.2 Victim Attacker 172.16.6.2 192.168.25.4 3

  4. We run lots of UDP honeypots ● Median 65 nodes since 2014 ● Hopscotch emulates abused protocols – QOTD, CHARGEN, DNS, NTP, SSDP, SQLMon, Portmap, mDNS, LDAP ● Snifger records all resultjng UDP traffjc ● (try to) Only reply to black hat scanners 4

  5. Estjmatjng total atuacks using capture-recapture B=200 A=160 80 80 Estimated population: 400 ± 62 5

  6. 100000 Estimated number of attacks per day (log) CHARGEN DNS NTP SSDP 10000 1000 100 10 2014-07 2014-10 2015-01 2015-04 2015-07 2015-10 2016-01 2016-04 2016-07 2016-10 2017-01 2017-04 2017-07 6

  7. 1 90 Proportion of all attacks that we observe 80 0.8 70 60 0.6 50 40 0.4 30 20 CHARGEN 0.2 DNS 10 NTP SSDP 0 0 2 2 2 2 2 2 2 2 2 2 2 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 4 4 5 5 5 5 6 6 6 6 7 7 7 - - - - - - - - - - - - - 0 1 0 0 0 1 0 0 0 1 0 0 0 7 0 1 4 7 0 1 4 7 0 1 4 7 7

  8. 1 90 80 Number of honeypots in operation 0.8 70 60 0.6 50 40 0.4 30 20 0.2 10 # A+B # A 0 0 2 2 2 2 2 2 2 2 2 2 2 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 4 4 5 5 5 5 6 6 6 6 7 7 7 - - - - - - - - - - - - - 0 1 0 0 0 1 0 0 0 1 0 0 0 7 0 1 4 7 0 1 4 7 0 1 4 7 8

  9. 1 90 Proportion of all attacks that we observe 80 Number of honeypots in operation 0.8 70 60 0.6 50 40 0.4 30 # A+B # A 20 CHARGEN 0.2 DNS 10 NTP SSDP 0 0 2 2 2 2 2 2 2 2 2 2 2 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 4 4 5 5 5 5 6 6 6 6 7 7 7 - - - - - - - - - - - - - 0 1 0 0 0 1 0 0 0 1 0 0 0 7 0 1 4 7 0 1 4 7 0 1 4 7 9

  10. NTP 1 Frequency of attacks (millions) 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 0 60 120 Duration of attack (minutes) 10

  11. NTP P(attack ends in <5min | duration) 0.6 0.5 0.4 0.3 0.2 0.1 0 60 120 Duration of attack (minutes) 11

  12. Vdos coverage NTP 1400 Seen Missing Number of attacks 1200 1000 800 600 400 200 0 2015-09 2015-11 2016-01 2016-03 2016-05 2016-07 2016-09 12

  13. Vdos coverage SSDP 900 Seen 800 Missing Number of attacks 700 600 500 400 300 200 100 0 2 2 2 2 2 2 2 0 0 0 0 0 0 0 1 1 1 1 1 1 1 5 5 6 6 6 6 6 - - - - - - - 0 1 0 0 0 0 0 9 1 3 7 1 5 9 13

  14. This was ethical ● We reduce harm by absorbing atuack traffjc ● We don’t reply to white hat scanners (no tjmewastjng) ● We used leaked data for validatjon, this was necessary and did not increase harm. ● We have a paper under submission on the ethics of using leaked data for research. 14

  15. Running a honeypot network is cheap (but we do it for you) ● Median of 65 nodes. ● 200GB/month inbound per node. ● Hostjng costs of $170/month (+stafg costs) ● Need 10 to 100 sensors depending on protocol. ● Our collectjon is ongoing and you can use our data. You can also contribute. 15

  16. This is a solvable problem ● BCP38/SAVE ● Follow the money ● Enforce the law ● Warn customers it is illegal 16

  17. Ongoing work ● Selectjve reply (like Krupp et al. 2016) ● More cross validatjon ● Estjmate atuack volume ● Collaboratjon – What do you want to do with this data? – You can run our code. – Do you have ground truth for atuack volumes? 17

  18. Data is available through the Cambridge Cybercrime Centre https://cambridgecybercrime.uk/ Daniel R. Thomas Richard Clayton Alastair R. Beresford Firstname.Lastname@cl.cam.ac.uk Daniel: 5017 A1EC 0B29 08E3 CF64 7CCD 5514 35D5 D749 33D9 Richard: 899A 94CE BFCE CCE2 5744 5ACE 3BBC CF52 A8B9 ECFB Alastair: 9217 482D D647 8641 44BA 10D8 83F4 9FBF 1144 D9B3

Recommend

Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31.

Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31.

Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31. Juli 2014 Outline Background UDP-based Amplification TCP-based Amplification Comparison UDP- / TCP-based Amplification 2 AMPLIFICATION

731 views • 27 slides
DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Identifying Patterns in DNS Traffic Pieter Lexis System and Network Engineering Thu, Jul 4 2013

Identifying Patterns in DNS Traffic Pieter Lexis System and Network Engineering Thu, Jul 4 2013

Identifying Patterns in DNS Traffic Pieter Lexis System and Network Engineering Thu, Jul 4 2013 Reflection and Amplification Attacks DNS abused as DDoS Tool Spamhaus hit with 300 Gigabit/second DDoS Reflected Amplification Attack

429 views • 23 slides
SENSS Against Volumetric DDoS Attacks Sivaram Ramanathan 1 , Jelena Mirkovic 1 , Minlan Yu 2 and

SENSS Against Volumetric DDoS Attacks Sivaram Ramanathan 1 , Jelena Mirkovic 1 , Minlan Yu 2 and

SENSS Against Volumetric DDoS Attacks Sivaram Ramanathan 1 , Jelena Mirkovic 1 , Minlan Yu 2 and Ying Zhang 3 1 University of Southern California/Information Sciences Institute 2 Harvard University 3 Facebook 1 DDoS attacks Volumetric DDoS

604 views • 56 slides
Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent the access to a computer system to it's legitimate users. DDoS: DoS attack on the network using a lot of different source IP Why:

327 views • 16 slides
Combating DNS amplification attacks using Cookies Supervisor: Roland van Rijswijk SURFnet By:

Combating DNS amplification attacks using Cookies Supervisor: Roland van Rijswijk SURFnet By:

Combating DNS amplification attacks using Cookies Supervisor: Roland van Rijswijk SURFnet By: Sean Rijs Agenda I am going to do my presentation DNS amplification attacks 2 1 Stub resolver Recursive server Authoritative server

1.42k views • 21 slides
A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon guillaume.valadon@ssi.gouv.fr RIPE 70 - May, 11 2015 ANSSI - http://www.ssi.gouv.fr/guide-ddos &amp; https://goo.gl/UL8M1 1/12 ANSSI Created on July 7th 2009,

142 views • 12 slides
Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Introduction: Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation Attacker signals slaves to launch an attack on a specific target address (victim). Slaves then respond by Comp290: Network

275 views • 9 slides
A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin &amp; Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin &amp; Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin &amp; Peter Reiher Manu Shantharam &amp; David Hadka What is DoS? DoS A type of attack wherein access to computer resource / service is denied or

380 views • 18 slides
Exit from Hell? Reducing the Impact of Amplifjcation DDoS Attacks Marc Khrer, Thomas

Exit from Hell? Reducing the Impact of Amplifjcation DDoS Attacks Marc Khrer, Thomas

Exit from Hell? Reducing the Impact of Amplifjcation DDoS Attacks Marc Khrer, Thomas Hupperich, Christian Rossow, and Thorsten Holz Presented By : Richie Noble Distributed Denial-of-Service (DDoS) Attacks Known problem for many

660 views • 35 slides
Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback http://www.betterhostreview.com/wp-content/uploads/2013/08/ddos-attack.gif 2 DDoS Attacks http://blog.rivalhost.com/wp- http://en.wikipedia.org/wiki/Low

800 views • 36 slides
COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure

COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure

COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure Application Services CONFIDENTIAL | DO NOT DISTRIBUTE Company 1. CONFIDENTIAL | DO NOT DISTRIBUTE Attack Tools over Time - Evolved Binary

385 views • 12 slides
Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches Menghao Zhang 1 , Guanyu

Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches Menghao Zhang 1 , Guanyu

Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches Menghao Zhang 1 , Guanyu Li 1 , Shicheng Wang 1 , Chang Liu 1 , Ang Chen 2 , Hongxin Hu 3 , Guofei Gu 4 , Qi Li 1 , Mingwei Xu 1 , Jianping Wu 1 1 4 2 3 DDoS Attacks are

480 views • 23 slides
Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim fons.mijnen@os3.nl max.grim@os3.nl 2 DDoS attacks DDoS attacks are a problem internet users have faced for many years, and is still relevant today. 3 DDoS

531 views • 52 slides
Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS

Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS

Best Practices for Using CDNs Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS Protection As your principle, CDNs distribute traffic around the world to the closest pop for client, using anycast

915 views • 11 slides
A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

DD O S D ETECTION AND A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in the SURFnet network Mostly flooding attacks Customers are heavily affected and complain These attacks are cheap and

767 views • 17 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
Outline Distributed Denial of Service Introduction Attacks Characteristics of DDoS

Outline Distributed Denial of Service Introduction Attacks Characteristics of DDoS

Outline Distributed Denial of Service Introduction Attacks Characteristics of DDoS attacks CS 239 Some examples Security for Networks and Proposed prevention methods System Software May 15, 2002 Lecture 12 Lecture 12

421 views • 9 slides
DDoS attacks on electronic payment systems Sean Rijs and Joris Claassen Supervisor: Stefan

DDoS attacks on electronic payment systems Sean Rijs and Joris Claassen Supervisor: Stefan

DDoS attacks on electronic payment systems Sean Rijs and Joris Claassen Supervisor: Stefan Duse Scope High volume DDoS attacks Electronic payment systems Low bandwidth requirements: 5 from account X to account Y 2 Research

321 views • 28 slides
Visualization of Amplification Attacks in Amplifier Networks Zwischenvortrag Michael Kpferl

Visualization of Amplification Attacks in Amplifier Networks Zwischenvortrag Michael Kpferl

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Visualization of Amplification Attacks in Amplifier Networks Zwischenvortrag Michael Kpferl 08.06.2015 Agenda Motivation

296 views • 16 slides
OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam

OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam

OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam Quanza Engineering C. Dillon, M. Berkelaar OpenFlow DDoS Mitigation Introduction Distributed Denial of Service attacks Types of attacks Application

358 views • 18 slides
DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service

DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service

DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service attacks are a fact of life on the Internet Service disruption Sometimes employed as a smoke screen What this talk is and

799 views • 23 slides
Evaluation of Amplification attacks in large-scale networks to improve detection performance

Evaluation of Amplification attacks in large-scale networks to improve detection performance

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Evaluation of Amplification attacks in large-scale networks to improve detection performance Michael Kpferl Interdisciplinary Project Final

517 views • 49 slides

More recommend