a first joint look at dos attacks and bgp blackholing in
play

A First Joint Look at DoS Attacks and BGP Blackholing in the Wild - PowerPoint PPT Presentation

Apr 20, 2023 •411 likes •750 views

A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras (UTwente) Alberto Dainotti (CAIDA / UC San Diego) Anna Sperotto (UTwente) Denial-of-Service attacks A conceptually simple, yet effective class of

  1. A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras (UTwente) Alberto Dainotti (CAIDA / UC San Diego) Anna Sperotto (UTwente)

  2. Denial-of-Service attacks A conceptually simple, yet effective class of attacks ● … that have gained a lot in popularity over the last years … are also offered “as-a-Service” (Booters) Some well-known incidents stipulate threat/risks ● – e.g., attacks on Dyn & GitHub (memcached) DoS has become one of the biggest threats to Internet ● stability & reliability A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  3. BGP blackholing Is a technique that can be used to mitigate DoS attacks ● Leverages the BGP control plane to drop network traffic ● BGP communities are used to signal blackholing requests ● – by “tagging” prefix announcements with <asn: value > – 666 is is a common value for blackholing Is very “coarse-grained”, meaning all network traffic destined ● to a prefix is indiscriminately dropped A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  4. A missing piece of the puzzle Given its coarse-grained nature, we wonder if blackholing is used only in extreme cases A clear understanding of how blackholing is used in practice when DoS attacks occur is missing We use large-scale, longitudinal (3y) data sets on DoS attacks and blackholing to get more insights into operational practices A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  5. Part 1: Blackholed Attacks A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  6. UCSD Network Telescope [data set 1/3] A large, /8 network telescope operated by UC San Diego ● Captures backscatter from DoS activity in which source IP ● addreses are randomly and uniformly spoofed We use the classification methodology by Moore et al. to infer ● DoS attacks [1] [1] Moore et al.,“Inferring Internet Denial-of-service Activity”, in ACM TOCS 2006 A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  7. Amplification Honeypots [data set 2/3] Honeypots ● ... mimick reflectors abused in reflection attacks (e.g., NTP) … try to be appealing to attackers by offering large amplification … capture attempts at reflection We use logs from 24 honeypot instances that are geographically & ● logically distributed – From the AmpPot project (Christian Rossow, CISPA) [1] [1] Krämer al.,“AmpPot: Monitoring and Defending Against Amplification DDoS Attacks”, in RAID 2015 A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  8. Inferred blackholing events [data set 3/3] Scan BGP collector data for blackholing activity, using public ● BGP data: RIPE RIS and UO Route Views Use BGPStream framework for BGP data analysis [1] ● Match BGP updates against dictionary of known BH ● communities [2] [1] Orsini et al., "BGPStream: A Software Framework for Live and Historical BGP Data Analysis", in IMC 2016 [2] Giotsas et al., “Inferring BGP blackholing activity in the internet”, in IMC 2017 A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  9. Measurement systems placement provider AS Attacking host(s) victim AS (e.g., botnet) Interconnecting link Victim IP: victim-addr A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  10. Measurement systems placement SYN provider AS Attacking host(s) victim AS RANDOML Y Src: 123.4.5.6 (e.g., botnet) Interconnecting SPOOFED Dst: victim-addr link Victim IP: victim-addr SYN | ACK Src: victim-addr Dst: 123.4.5.6 UCSD-NT 123.0.0.0/8 Network Telescope A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  11. Measurement systems placement provider AS Attacking host(s) victim AS (e.g., botnet) Interconnecting link Victim IP: victim-addr DNS query Src: victim-addr Dst: reflector-addr DNS answer Src: reflector-addr Dst: victim-addr REFLECTION & AMPLIFICATION Abused amplifiers AmpPot A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  12. Measurement systems placement SYN provider AS Attacking host(s) victim AS RANDOMLY Src: 123.4.5.6 (e.g., botnet) Interconnecting SPOOFED Dst: victim-addr link Victim IP: victim-addr DNS query Src: victim-addr Dst: reflector-addr SYN | ACK DNS answer Src: victim-addr Src: reflector-addr Dst: 123.4.5.6 Dst: victim-addr REFLECTION & AMPLIFICATION Abused amplifiers UCSD-NT 123.0.0.0/8 AmpPot Network Telescope A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  13. Measurement systems placement SYN provider AS Attacking host(s) victim AS RANDOML Y Src: 123.4.5.6 (e.g., botnet) Interconnecting SPOOFED Dst: victim-addr link Blackholing request Victim IP: victim-addr prefix: victim-addr/32 DNS query Src: victim-addr Dst: reflector-addr SYN | ACK DNS answer Src: victim-addr Src: reflector-addr Dst: 123.4.5.6 Dst: victim-addr BGP collector REFLECTION & AMPLIFICATION Abused amplifiers UCSD-NT 123.0.0.0/8 AmpPot Network Telescope A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  14. Attacks are mitigated within minutes More than half of attacks mitigated within minutes ● – 84.2% within ten minutes – takes longer than six hours for only 0.02% Suggest use of automated, rapid detection and mitigation ● A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  15. Blackholing endures after attacks end Deactivated within three hours following 74.8% of BH’d attacks ● For 3.9% it takes more than 24 hours ● – Suggests lack of automation in recovery Side effects of coarse-grained technique extend well beyond ● duration of attack A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  16. Less intense attacks are also BH’d ~2/3rd of BH’d attacks (against ~9/10th of all attacks) have an ● intensity of up to ~300Mbps (100pps), 13.1% see at most 3Mbps (1pps), showing that operators take ● drastic measures for less intense attacks Similar findings for reflection attacks (see paper) ● Results confirm Moore et al. methodology at scale (USENIX ‘01) ● Corroborates our previous finding of ~30k attacks/day (IMC ‘17) [1] ● [1] Jonker et al., “Millions of Targets Under Attack: a Macroscopic Characterization of the DoS Ecosystem”, in IMC 2017 A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  17. Attacks we do not see Match blackholing events with preceding attacks ● source #BH events #BH’d prefixes 45.2k / 146.2k UCSD-NT ⋃ AmpPot 363.0k / 1.3M (27.8%) (30.9%) We match 27.8% of BH events with DoS attacks ● Results do not allow us to infer the fraction of other types of ● attacks (e.g., direct and unspoofed) However, highlights that reflection and randomly spoofed ● DoS represent a significant share of DoS that operators had to deal with A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  18. Part 2: Service Collateral A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  19. DNS Measurements [data set 1/2] Large dataset of active DNS measurements ● Provides mappings from IPv4 to: ● Websites (www. → A RR) – Mail exchangers (MX → A) – Authoritative nameservers (NS → A) – We use .com, .net & .org (~50% of global namespace) ● #names associated type #prefixes overall no-alt ratio Web 13.7k (9.3%) 782k 670k 0.86 Mail 2247 (1.5%) 180k 177k 0.98 NS 1176 (0.8%) 10k 10k 0.99 A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  20. Reactive measurements [data set 2/2] Reactively measure blackholed /32s ● Upon BH activation (i.e., announcement) and deactivation – (i.e., withdrawal/re-announcement) Subject to various heuristics (max 4 in /24, spacing, ...) – Use RIPE Atlas to send traceroutes ● From probes in peer , customer & provider networks – Scan a handful of IANA-assigned ports ● For Web, mail and DNS – From a single VP – A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  21. Inferring blackhole (in)efficacy Port probes Exclusively open state on deactivation → infer efficacy ● Open on activation → infer inefficacy ● Other cases → inconclusive ● Traceroutes Exclusively last_hop_is_destination on deactivation → infer efficacy ● last_hop_is_destination on activation → infer inefficacy ● A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  22. Port probe inferences #service response Web Mail DNS a ⋃ d 2886 464 528 a ⋂ d 6.98% 8.41% 11.36% a \ d 0.38% 0.43% 0.76% d \ a 92.64% 91.16% 87.88% Jointly, we infer efficacy in 95.25% of “coverable” cases ● The a \ d category is near-zero, which supports the chosen methodology ● A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

  23. Trace route inferences inferrence Probe #groups network Efficacy Inefficacy ⋂ 5.0k peer 29% 8% 1.0% provider 5.4k 29% 6% 0.8% 2.0k customer 17% 8% 2.1% Jointly, we infer efficacy significantly more often than inefficacy ● But our “coverage” is limited (i.e., last hops never respond) ● A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

Recommend

A Taxonomy of Attacks Using BGP Blackholing Loc Miller and Cristel Pelsser September 23, 2019

A Taxonomy of Attacks Using BGP Blackholing Loc Miller and Cristel Pelsser September 23, 2019

A Taxonomy of Attacks Using BGP Blackholing Loc Miller and Cristel Pelsser September 23, 2019 University of Strasbourg AS 20 AS 10 AS 30 P: 192.0.2.0/24 BGP Blackholing Blackholing is a DDoS mitigation technique signaled via BGP 1 . 1

1.19k views • 93 slides
Next Gen Blackholing to Counter DDoS NANOG75, San Francisco Christoph Dietzel *, Matthias

Next Gen Blackholing to Counter DDoS NANOG75, San Francisco Christoph Dietzel *, Matthias

Next Gen Blackholing to Counter DDoS NANOG75, San Francisco Christoph Dietzel *, Matthias Wichtlhuber*, Georgios Smaragdakis , Anja Feldmann TU Berlin, *DE-CIX, MPI Volumetric DDoS Attacks ? Tbps 1.7 Tbps 1 Tbps 200 Gbps 15

571 views • 22 slides
Inferring BGP Blackholing in the Internet Vasileios Giotsas, Georgios Smaragdakis, Christoph

Inferring BGP Blackholing in the Internet Vasileios Giotsas, Georgios Smaragdakis, Christoph

Inferring BGP Blackholing in the Internet Vasileios Giotsas, Georgios Smaragdakis, Christoph Dietzel, Philipp Richter, Anja Feldmann, and Arthur Berger TU Berlin CAIDA MIT DE-CIX Akamai DDoS A&amp;acks are a Serious Threat 2 AS1

956 views • 54 slides
Down the Black Hole: Dismantling Operational Practices of BGP Blackholing at IXPs Marcin

Down the Black Hole: Dismantling Operational Practices of BGP Blackholing at IXPs Marcin

Down the Black Hole: Dismantling Operational Practices of BGP Blackholing at IXPs Marcin Nawrocki, Jeremias Blendin, Christoph Dietzel, Thomas C. Schmidt, Matthias Whlisch Christmas is near!

1.15k views • 80 slides
Blackholing the Internet: A Live Demo Adam Rapley me@adamrapley.com @admrply

Blackholing the Internet: A Live Demo Adam Rapley me@adamrapley.com @admrply

Blackholing the Internet: A Live Demo Adam Rapley me@adamrapley.com @admrply keybase.io/admrply Who am I? 3nd year Ethical Hacking student at Abertay. Does web things. Artist/Musician. Building and Breaking IoT. What is BGP

334 views • 29 slides
Foreshadow: speculative attacks on SGX and beyond Mark Silberstein Joint work with Jo Van Bulck,

Foreshadow: speculative attacks on SGX and beyond Mark Silberstein Joint work with Jo Van Bulck,

Foreshadow: speculative attacks on SGX and beyond Mark Silberstein Joint work with Jo Van Bulck, Marina Minkin , Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Thomas F. Wenisch, Yuval Yarom, and Raoul Strackx March 2019 Mark

1.07k views • 70 slides
Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks Chetan

Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks Chetan

Adversary for Social Good: Protecting Familial Privacy through Joint Adversarial Attacks Chetan Kumar, Riazat Ryan, Ming Shao Department of Computer and Information Science, University of Massachusetts, Dartmouth Data Leakage: Limited time

294 views • 27 slides
Website fingerprinting on Tor: attacks and defenses Claudia Diaz KU Leuven Joint work with: Marc

Website fingerprinting on Tor: attacks and defenses Claudia Diaz KU Leuven Joint work with: Marc

Website fingerprinting on Tor: attacks and defenses Claudia Diaz KU Leuven Joint work with: Marc Juarez , Sadia Afroz, Gunes Acar, Rachel Greenstadt, Mohsen Imani, Mike Perry, Matthew Wright Post-Snowden Cryptography Workshop Brussels, December

754 views • 52 slides
Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work

Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work

Stronger and Faster Wasserstein Adversarial Attacks Kaiwen Wu kaiwen.wu@uwaterloo.ca Joint work with Allen Wang and Yaoliang Yu K.Wu, A.Wang and Y.Yu Wasserstein Adversarial Attacks July 29, 2020 1 / 18 Adversarial Examples Adversarial

1.04k views • 38 slides
Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with

Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with

Masking against Side-Channel Attacks: a Formal Security Proof Matthieu Rivain Joint work with Emmanuel Prouff EUROCRYPT 2013 May 27th Outline 1 Introduction and Previous Works 2 Our Contribution 3 Model of Leaking Computation 4

526 views • 36 slides
On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic

On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic

On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg University; California Institute

511 views • 24 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Non-Malleable Secret Sharing against Bounded Joint-Tampering Attacks in the Plain Model Antonio

Non-Malleable Secret Sharing against Bounded Joint-Tampering Attacks in the Plain Model Antonio

Non-Malleable Secret Sharing against Bounded Joint-Tampering Attacks in the Plain Model Antonio Faonio Gianluca Brian Maciej Obremski IMDEA Software Institute Sapienza University of Rome National University of Singapore Madrid, Spain Rome,

1.02k views • 74 slides
Boomerang attacks on BLAKE-32 Arnab Roy (joint work with Alex Biryukov and Ivica Nikoli c)

Boomerang attacks on BLAKE-32 Arnab Roy (joint work with Alex Biryukov and Ivica Nikoli c)

Boomerang attacks on BLAKE-32 Arnab Roy (joint work with Alex Biryukov and Ivica Nikoli c) University of Luxembourg, Luxembourg February 15, 2011 Arnab Roy (joint work with Alex Biryukov and Ivica Nikoli c) Boomerang attacks on BLAKE-32

396 views • 27 slides
Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks joint work with Pierre-Alain

Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks joint work with Pierre-Alain

Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks joint work with Pierre-Alain Fouque Asiacrypt 01 Gold Coast - Australia December 2001 David Pointcheval Dpartement dInformatique ENS - CNRS David.Pointcheval@ens.fr

436 views • 9 slides
Attacks on Ring Learning with Errors Kristin E. Lauter ** joint work with Yara Elias, Ekin

Attacks on Ring Learning with Errors Kristin E. Lauter ** joint work with Yara Elias, Ekin

Attacks on Ring Learning with Errors Kristin E. Lauter ** joint work with Yara Elias, Ekin Ozman, and Katherine Stange UC Irvine, August 31, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork: public-key crypto based

500 views • 27 slides
Cache Attacks on the Cloud Thomas Eisenbarth Joint work with Gorka Irazoqui, Mehmet Sinan Inci,

Cache Attacks on the Cloud Thomas Eisenbarth Joint work with Gorka Irazoqui, Mehmet Sinan Inci,

Cache Attacks on the Cloud Thomas Eisenbarth Joint work with Gorka Irazoqui, Mehmet Sinan Inci, Berk Gulmezoglu and Berk Sunar Real World Cryptography 1/8/2016 Outline Cloud Computing and Isolation Extracting Information from Co-located

640 views • 24 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Key-Recovery Attacks on Keccak-Based Constructions Ling Song Joint work with Jian Guo, Danping

Key-Recovery Attacks on Keccak-Based Constructions Ling Song Joint work with Jian Guo, Danping

Key-Recovery Attacks on Keccak-Based Constructions Ling Song Joint work with Jian Guo, Danping Shi and San Ling 10 October, 2018 @ Milano, Italy Ling Song Key-Recovery Attacks on Keccak-Based Constructions Milano, Italy 1 / 41 Outlines 1

603 views • 59 slides
Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems (ICCPS 2019) Nicola Paoletti Royal Holloway, University of London Joint work with: Scott A Smolka, Shan Lin,

599 views • 46 slides
Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka Savola Introduction Describes a view of ISP backbone network attacks Lots of folks in IETF and elsewhere had quite different ideas whats out

529 views • 9 slides
15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico Kolter (this lecture) and Ariel Procaccia Carnegie Mellon University Spring 2018 Portions base upon joint work with Eric Wong 1 Outline Adverarial

710 views • 39 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides

More recommend