exit from hell
play

Exit from Hell? Reducing the Impact of Amplifjcation DDoS Attacks - PowerPoint PPT Presentation

Nov 25, 2022 •295 likes •660 views

Exit from Hell? Reducing the Impact of Amplifjcation DDoS Attacks Marc Khrer, Thomas Hupperich, Christian Rossow, and Thorsten Holz Presented By : Richie Noble Distributed Denial-of-Service (DDoS) Attacks Known problem for many

  1. Exit from Hell? Reducing the Impact of Amplifjcation DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz Presented By : Richie Noble

  2. Distributed Denial-of-Service (DDoS) Attacks Known problem for many ● years – Diffjcult to distinguish between an attack and simple overloading (“Slashdot efgect”) – Many solutions proposed ● Simple DDoS attacks like SYN fmooding are well-understood http://upload.wikimedia.org/wikip edia/commons/3/3f/Stachledraht_ DDos_Attack.svg

  3. Evolving DDoS Attacks ● Many DDoS attacks now employ amplifjcation attacks – Abuse of UDP-based network protocols via refmection – Attacker sends spoofed packets to a large number of refmectors who send responses to the intended victim – Responses are often much larger than the requests, https://www.cert.be/fjles/dnsbad- leading to amplifjcation large.png

  4. Understanding the Problem ● As this type of attack is relatively new, the authors wish to learn more about it – Performed Internet-wide scans to identify potential amplifjers – Fingerprinted and categorized these systems – Peformed a global security notifjcation campaign – Analyzed potential for TCP amplifjcation attacks – Deploy remote scanning technique for identifying systems that allow IP spoofjng

  5. Outline ● Introduction ● Threat Model and Scanning ● NTP Case Study ● TCP-based Amplifjcation ● IP Address Spoofjng

  6. Threat Model ● Prior work has identifjed 14 vulnerable UDP- based protocols – Ofger severe amplifjcation rates, up to a factor of 4,670 ● Authors performed Internet-wide scan for systems using seven of these protocols – DNS, SNMP, SSDP, CharGen, QOTD, NTP, and NetBIOS – All run server-side, implying better connectivity and with less IP address churn

  7. Scanning Setup ● Authors developed an effjcient scanner to identify amplifjers, following practices suggested by Durumeric et al. ● Scans run on a weekly basis from Nov. 22, 2013 – Feb. 21, 2014 – Scans spread out over 48 hour periods to avoid being blacklisted ● Set up a reverse DNS record of the scanner pointing to a web server presenting the project and opt-out information

  8. Scanning Setup ● Sent a request for each protocol that can be used to amplify traffjc – NTP version , SSDP search , DNS A lookups, etc. ● During course of scans, received 90 emails from administrators – Excluded 91 IP prefjxes and 30 individual IP addresses (~3.7 million total) – Such addresses excluded from analysis, even if they were not blacklisted in the beginning ● Discovered nearly 46 million potential amplifjers

  9. Scanning Results

  10. Amplifjer Classifjcation

  11. Amplifjer Churn

  12. Amplifjer Churn

  13. Outline ● Introduction ● Threat Model and Scanning ● NTP Case Study ● TCP-based Amplifjcation ● IP Address Spoofjng

  14. NTP Case Study ● NTP promising for amplifjcation attack – monlist feature can be amplifjed by a factor of 4,670 – Very minimal IP address churn – Multiple amplifjcation vectors ● version feature can be amplifjed by a factor of 24 – Attackers have already used NTP ● A French hosting provider sufgered a 400 Gbps amplifjcation attack in February, 2014

  15. NTP Notifjcation Campaign ● Defjned two datasets of NTP amplifjers – NTP ver and NTP mon representing NTP servers vulnerable to version and monlist requests, respectively ● Collaborated with many security organizations – T echnical advisories from CERT-CC, MITRE, Cisco's PSIRT ● Describe how to disable monlist and version ● Distributed lists of IP addresses in NTP mon dataset among trusted institutions

  16. Analyzing Campaign Success ● At end of weekly scanning in February, 2014 – NTP ver dropped from 7,364,792 to 4,802,212 (33.9%) – NTP mon dropped from 1,651,199 to 126,080 (92.4%) ● Another scan performed in June, 2014 showed a further decrease in NTP mon by ~40,000

  17. Analyzing Campain Success

  18. Geographic Distribution

  19. Lessons Learned ● Such security notifjcation campaigns can be very efgective – Could potentially be applied to other security- critical issues (e.g., heartbleed ) ● CERT s not as well connected as they need to be

  20. Outline ● Introduction ● Threat Model and Scanning ● NTP Case Study ● TCP-based Amplifjcation ● IP Address Spoofjng

  21. TCP-based Amplifjcation Attacks ● Authors have shown it is potentially possible to stop UDP-based amplifjcation attacks ● Attackers have shown they are capable of evolving their attacks as this occurs ● Can TCP-based protocols be abused similarly? – UDP works well due to its connectionless nature – TCP is connection-oriented, making it less intuitively susceptible

  22. TCP Three-way-handshake ● General Process – Client sends SYN packet to server – Server responds with SYN/ACK packet – Client completes setup with fjnal ACK packet ● Does not seem to allow for amplifjcation – At most, one SYN/ACK packet will be sent to victim ● Traffjc not amplifjed

  23. Handshake Problems ● TCP will retransmit segments that are not acknowledged – Many popular TCP stacks will retransmit SYN/ACK packets until : (i) an ACK is received (ii) the connection times out (iii) The connection is closed via a RST packet

  24. Handshake Problems ● Victims may not be able to send a RST packet – Could be overloaded – Attacker could target an unassigned IP Address within a network

  25. TCP Scanning ● Performed two Internet-wide SYN scans – First without RST s and the second with RST s – Performed for HTTP, T elnet, and CUPS ● Reached 66,785,451 HTTP hosts, 23,519,493 T elnet hosts, and 1,845,346 CUPS hosts.

  26. TCP Results

  27. TCP Results

  28. Outline ● Introduction ● Threat Model and Scanning ● NTP Case Study ● TCP-based Amplifjcation ● IP Address Spoofjng

  29. IP Address Spoofjng ● IP address spoofjng is the root cause for amplifjcation attacks ● Up to now, only way to check if a system allows IP address spoofjng is for an admin to test it themselves ● Authors work to deploy a scanner that works remotely – Enables them to identify thousands of systems that support IP address spoofjng

  30. IP Spoofjng Scanner

  31. IP Spoofjng Scanner

  32. Finding Spoofjng-Enabled Networks ● Authors found 581,777 DNS proxies which had mismatched source IP addresses – Even with extremely conservative estimates, this implies there are thousands of systems out there that allow for spoofed IP addresses

  33. Finding Spoofjng-Enabled Networks ● Authors found 581,777 DNS proxies which had mismatched source IP addresses – Even with extremely conservative estimates, this implies there are thousands of systems out there that allow for spoofed IP addresses ● Only tells us which networks allow spoofjng, not if they actually are – Left as future work

  34. Conclusion ● Identifjed and organized UDP-based protocols that can be used for amplifjcation DDoS attacks ● Performed a successful campaign notifying the public of vulnerabilities within NTP ● Identifjed potential amplifjcation attacks from TCP-based protocols ● Deployed a scanner capable of identifying IP address spoofjng-enabled networks

  35. Questions?

Recommend

Hell Defeated The Harrowing of Hell Figure: The harrowing of hell, s. xv (cc0: source) Biblical

Hell Defeated The Harrowing of Hell Figure: The harrowing of hell, s. xv (cc0: source) Biblical

Hell Defeated The Harrowing of Hell Figure: The harrowing of hell, s. xv (cc0: source) Biblical Basis signs, which God did by him, in the midst of you, as you also 2) hell, as it was impossible that he should be holden by it. (Acts have

824 views • 7 slides
THE REALITY OF HELL How We Sometimes See Hell As Something Not Real The Unbelieving and

THE REALITY OF HELL How We Sometimes See Hell As Something Not Real The Unbelieving and

THE REALITY OF HELL How We Sometimes See Hell As Something Not Real The Unbelieving and the Doubting sins are just natural human traits punishing unbelievers is unbelievable cruelty eternal punishment cannot be

217 views • 20 slides
I-293 EXIT 6 & 7 (PART B) Technical Advisory Committee (TAC) July 11, 2017 ITS DECISION

I-293 EXIT 6 & 7 (PART B) Technical Advisory Committee (TAC) July 11, 2017 ITS DECISION

I-293 EXIT 6 & 7 (PART B) Technical Advisory Committee (TAC) July 11, 2017 ITS DECISION TIME! WE NEED TO SETTLE ON A PROPOSED ACTION Follow-up from June 7 th Public Informational Meeting EXIT 7 Exit 7 Relocated Interchange EXIT 6

253 views • 23 slides
Exit of Business Need for Exit: Entrepreneurs make a lots of efforts to create a business and

Exit of Business Need for Exit: Entrepreneurs make a lots of efforts to create a business and

Exit of Business Need for Exit: Entrepreneurs make a lots of efforts to create a business and make it grow. But they often neglect the need for Exit Planning in their Business. In absence of Exit Strategy, they often forget that the decisions

247 views • 11 slides
Spreadsheet from hell preadsheet from hell What I learned in 18 months of tracking my health

Spreadsheet from hell preadsheet from hell What I learned in 18 months of tracking my health

Spreadsheet from hell preadsheet from hell What I learned in 18 months of tracking my health Katie McCurdy @katiemccurdy Ive got some autoimmune stuff Ive got some autoimmune stuff leading to symptom soup leading to

519 views • 30 slides
How can a loving god send people to hell? Let me say at the outset that I consider the concept

How can a loving god send people to hell? Let me say at the outset that I consider the concept

How can a loving god send people to hell? Let me say at the outset that I consider the concept of hell as endless torment in body and mind an outrageous doctrine, a theological and moral enormity, a bad doctrine of the tradition which needs to

258 views • 23 slides
Story Agenda Exit Planning Collaboration Financial Planners & TR Moore &

Story Agenda Exit Planning Collaboration Financial Planners & TR Moore &

The Exit Planning Executive Briefing Presented by Geoffrey S. Gallo, ChFC, CExP TR Moore & Company, PC Member of Business Enterprise Institutes Network Of Exit Planning Professionals Story Agenda Exit Planning Collaboration

590 views • 37 slides
Exit Hardware 376 Series - Push Bar Exit Hardware 376 Series - Push Bar Exit Hardware In distinct

Exit Hardware 376 Series - Push Bar Exit Hardware 376 Series - Push Bar Exit Hardware In distinct

Exit Hardware 376 Series - Push Bar Exit Hardware 376 Series - Push Bar Exit Hardware In distinct contrast to the modular nature of the Briton 560 - 570 Series, the Features & Benefits long established Briton 376 Series is supplied as a

182 views • 7 slides
Valuation Acceleration and Exit Planning January 23, 2020 The Value of Your Business Increases

Valuation Acceleration and Exit Planning January 23, 2020 The Value of Your Business Increases

Valuation Acceleration and Exit Planning January 23, 2020 The Value of Your Business Increases today! What is an Exit Plan? Exit Planning is business strategy. Exit Planning builds, harvests and Personal Goals preserves wealth while

598 views • 36 slides
J tIN i fJy I l f 1 x C r Green Springs Interchange Exit 14 North Ashland Interchange Exit 19

J tIN i fJy I l f 1 x C r Green Springs Interchange Exit 14 North Ashland Interchange Exit 19

f17 d b lJ t fJ fr u 9 J9r @ J J tIN i fJy I l f 1 x C r Green Springs Interchange Exit 14 North Ashland Interchange Exit 19 INTERCHANGE AREA MANAGEMENT PLANS lAMP ODors Mission Provide a safe efficient transportation system that

422 views • 10 slides
Senior Exit Project Senior Exit Project The written portion of the Senior Project will be a

Senior Exit Project Senior Exit Project The written portion of the Senior Project will be a

Senior Exit Project Senior Exit Project The written portion of the Senior Project will be a one-day writing event for seniors. The first round of writing events will occur during the winter Keystone testing period. Senior Exit Project

500 views • 12 slides
Background: Web Proxies HTTP/HTTPS /SOCKS Exit nodes Exit nodes Exit nodes are constrained

Background: Web Proxies HTTP/HTTPS /SOCKS Exit nodes Exit nodes Exit nodes are constrained

Resident Evil: Understanding Residential IP Proxy as a Dark Service Xianghang Mi , Xuan Feng, Xiaojing Liao Baojun Liu, XiaoFeng Wang, Feng Qian Zhou Li, Sumayah Alrwais, Limin Sun , Ying Liu Background: Web Proxies HTTP/HTTPS /SOCKS Exit nodes

629 views • 34 slides
From exit to set-does> A Story of Gforth Re-Implementation M. Anton Ertl, TU Wien Bernd

From exit to set-does> A Story of Gforth Re-Implementation M. Anton Ertl, TU Wien Bernd

From exit to set-does> A Story of Gforth Re-Implementation M. Anton Ertl, TU Wien Bernd Paysan, net2o [] exit execute Exit not tickable in Gforth 0.7 Standard-conforming, but Several complaints over the years Traditionally

594 views • 14 slides
EU Exit & Chemicals Regulation 5 December 2018 Preparations for EU Exit Joint Defra/HSE

EU Exit & Chemicals Regulation 5 December 2018 Preparations for EU Exit Joint Defra/HSE

EU Exit & Chemicals Regulation 5 December 2018 Preparations for EU Exit Joint Defra/HSE EU Exit Chemicals Programme Defra policy lead REACH, PPP, MRLs, Detergents, POPs, Mercury HSE policy lead CLP, PIC, BPR HSE is

629 views • 21 slides
Optimizing Portfolio Companies for Exit - A VC/PE Lifecycle Viewpoint - Copenhagen, Denmark 29

Optimizing Portfolio Companies for Exit - A VC/PE Lifecycle Viewpoint - Copenhagen, Denmark 29

Optimizing Portfolio Companies for Exit - A VC/PE Lifecycle Viewpoint - Copenhagen, Denmark 29 September, 2011 Issues When Optimizing for Exit A Lifecycle Approach 1. When investing - with a view to exit 2. When carrying and managing in

569 views • 28 slides
Maze exit finder (cont.) Maze exit finder (cont.) Solution must lead to smaller problems

Maze exit finder (cont.) Maze exit finder (cont.) Solution must lead to smaller problems

Maze exit finder (cont.) Maze exit finder (cont.) Solution must lead to smaller problems boolean find_exit(int x, int y) /* 2 nd try */ { if ( we have been here before ) return false; /* dont try same spot again */ if ( x,y is an exit )

611 views • 17 slides
Hashimotos Go To Hell-Part II Diving Deeper Into The Underlying Cause Keri Topouzian,

Hashimotos Go To Hell-Part II Diving Deeper Into The Underlying Cause Keri Topouzian,

Hashimotos Go To Hell-Part II Diving Deeper Into The Underlying Cause Keri Topouzian, D.O., FACOEP, FAAAM In Part I you learned: How you can reverse Hashimotos & Graves Disease and tell them to go to Hell. What Hashimotos &

765 views • 29 slides
Microservices and the art of taming the Dependency Hell Monster Michael Bryzek Cofounder &

Microservices and the art of taming the Dependency Hell Monster Michael Bryzek Cofounder &

Microservices and the art of taming the Dependency Hell Monster Michael Bryzek Cofounder & ex-CTO Gilt @mbryzek mbryzek@alum.mit.edu Dependency Hell What is it and how does it happen? How do we mitigate? API design must be

972 views • 47 slides
Fluoreszenz-Mikroskopie Stefan W. Hell MPI Biophys. Chemie, Gttingen, Germany NP Chemie 2014

Fluoreszenz-Mikroskopie Stefan W. Hell MPI Biophys. Chemie, Gttingen, Germany NP Chemie 2014

Fluoreszenz-Mikroskopie Stefan W. Hell MPI Biophys. Chemie, Gttingen, Germany NP Chemie 2014 mit E. Betzig und W. Moerner Pictures/Movies of the S. W. Hell group: www.nanoscopy.de

531 views • 14 slides
So what the hell is an enzyme anyway? Whats an enzyme Where do they come from

So what the hell is an enzyme anyway? Whats an enzyme Where do they come from

So what the hell is an enzyme anyway? Whats an enzyme Where do they come from How do they work Adrian Dinsdale PhD National Olive Conference, 2017 What is an enzyme? Enzymes are biological catalysts They make

102 views • 6 slides
EU Exit Business Readiness Forum: Information for businesses on a no deal exit from the EU

EU Exit Business Readiness Forum: Information for businesses on a no deal exit from the EU

EU Exit Business Readiness Forum: Information for businesses on a no deal exit from the EU Thursday 11th April 2019 These slides reflect government policy as of 11th April 2019 Objectives for these forums Share the key information businesses

459 views • 21 slides
the subject of hell a concept that comes from the same source as all the other lies about

the subject of hell a concept that comes from the same source as all the other lies about

Pathway of Responsibility We are going to continue to look at the subject of hell a concept that comes from the same source as all the other lies about God from the deceiver who originally fooled Adam We will find that the

1.01k views • 78 slides
Entry and exit: Firms decisions 1 Firms are price-takers (Perfect competition) Fixed firms

Entry and exit: Firms decisions 1 Firms are price-takers (Perfect competition) Fixed firms

P1 SepOct 2012 Timothy Van Zandt Prices & Markets Page 1 Session 4 & 5 Entry/Exit Entry and exit: Firms decisions 1 Firms are price-takers (Perfect competition) Fixed firms Entry in market & exit Firms

599 views • 12 slides
Manufacturing in China, what the hell! The problem is we dont understand the problem

Manufacturing in China, what the hell! The problem is we dont understand the problem

Introduction My experience And despite that! Credits Manufacturing in China, what the hell! The problem is we dont understand the problem Yoann Sculo ParisEmbedded Jan 07, 2014 Yoann Sculo Manufacturing in China, what the hell! 1

576 views • 21 slides

More recommend