Exit from Hell? Reducing the Impact of Amplification DDoS Attacks
Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz
Presented by: Richie Noble
Distributed Denial-of-Service (DDoS) Attacks
● Known problem for many years
  – Difficult to distinguish between an attack and simple overloading ("Slashdot effect")
  – Many solutions proposed
● Simple DDoS attacks like SYN flooding are well-understood
Image: http://upload.wikimedia.org/wikipedia/commons/3/3f/Stachledraht_DDos_Attack.svg
Evolving DDoS Attacks
● Many DDoS attacks now employ amplification attacks
  – Abuse of UDP-based network protocols via reflection
  – Attacker sends spoofed packets to a large number of reflectors, which send their responses to the intended victim
  – Responses are often much larger than the requests, leading to amplification
Image: https://www.cert.be/files/dnsbad-large.png
Understanding the Problem
● As this type of attack is relatively new, the authors wish to learn more about it
  – Performed Internet-wide scans to identify potential amplifiers
  – Fingerprinted and categorized these systems
  – Performed a global security notification campaign
  – Analyzed the potential for TCP amplification attacks
  – Deployed a remote scanning technique for identifying systems that allow IP spoofing
Outline
● Introduction
● Threat Model and Scanning
● NTP Case Study
● TCP-based Amplification
● IP Address Spoofing
Threat Model
● Prior work has identified 14 vulnerable UDP-based protocols
  – Offer severe amplification rates, up to a factor of 4,670
● Authors performed an Internet-wide scan for systems using seven of these protocols
  – DNS, SNMP, SSDP, CharGen, QOTD, NTP, and NetBIOS
  – All run server-side, implying better connectivity and less IP address churn
Scanning Setup
● Authors developed an efficient scanner to identify amplifiers, following practices suggested by Durumeric et al.
● Scans run on a weekly basis from Nov. 22, 2013 to Feb. 21, 2014
  – Scans spread out over 48-hour periods to avoid being blacklisted
● Set up a reverse DNS record for the scanner pointing to a web server presenting the project and opt-out information
Scanning Setup
● Sent a request for each protocol that can be used to amplify traffic
  – NTP version, SSDP search, DNS A lookups, etc.
● During the course of the scans, received 90 emails from administrators
  – Excluded 91 IP prefixes and 30 individual IP addresses (~3.7 million addresses total)
  – Such addresses were excluded from the analysis, even if they were not blacklisted at the beginning
● Discovered nearly 46 million potential amplifiers
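The scans above classify a responder as a potential amplifier by comparing what it sends back with the small request that triggered it. The following is an added example (written for this summary, not code from the paper or its scanner) that computes the bandwidth amplification factor (BAF, response bytes divided by request bytes) and the packet amplification factor over constructed request/response records; the byte counts, the protocol labels and the flagging threshold of 10 are illustrative assumptions, not the paper's measurements.

```python
"""Compute amplification factors from constructed request/response records."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Exchange:
    """One request/response pair observed against a candidate amplifier."""
    protocol: str
    request_bytes: int       # UDP payload of the single request that was sent
    response_bytes: int      # sum of UDP payload over all response packets received
    response_packets: int    # number of response packets received


def bandwidth_amplification_factor(ex: Exchange) -> float:
    """BAF = bytes received back / bytes sent (payload-level ratio)."""
    if ex.request_bytes <= 0:
        raise ValueError("a request must carry at least one payload byte")
    return ex.response_bytes / ex.request_bytes


def packet_amplification_factor(ex: Exchange) -> float:
    """PAF = response packets / request packets; one request was sent per exchange."""
    return float(ex.response_packets)


def flag_amplifiers(exchanges: Iterable[Exchange], min_baf: float = 10.0) -> list[tuple[str, float]]:
    """Return (protocol, BAF) for every exchange whose BAF reaches min_baf, largest first.

    The threshold is an assumption for this example; an operator would pick it
    based on what is tolerable for their own services.
    """
    flagged = [(ex.protocol, bandwidth_amplification_factor(ex))
               for ex in exchanges
               if bandwidth_amplification_factor(ex) >= min_baf]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


# Constructed sample exchanges: illustrative byte counts, not the paper's data.
SAMPLE_EXCHANGES = [
    Exchange("NTP monlist", 8, 37360, 100),
    Exchange("NTP version", 12, 288, 1),
    Exchange("DNS A lookup", 40, 120, 1),
    Exchange("SSDP search", 90, 2700, 8),
]

if __name__ == "__main__":
    for proto, baf in flag_amplifiers(SAMPLE_EXCHANGES):
        print(f"{proto}: BAF={baf:.1f}")
```

Running the block lists the three constructed exchanges whose BAF is at least 10; the DNS A lookup (ratio 3) is not flagged, which mirrors why plain A lookups are a weaker vector than monlist.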
Scanning Results (figure slide)
Amplifier Classification (figure slide)
Amplifier Churn (figure slides)
Outline
● Introduction
● Threat Model and Scanning
● NTP Case Study
● TCP-based Amplification
● IP Address Spoofing
NTP Case Study
● NTP is promising for amplification attacks
  – monlist feature can be amplified by a factor of 4,670
  – Very minimal IP address churn
  – Multiple amplification vectors
    ● version feature can be amplified by a factor of 24
  – Attackers have already used NTP
    ● A French hosting provider suffered a 400 Gbps amplification attack in February 2014
NTP Notification Campaign
● Defined two datasets of NTP amplifiers
  – NTP_ver and NTP_mon, representing NTP servers vulnerable to version and monlist requests, respectively
● Collaborated with many security organizations
  – Technical advisories from CERT/CC, MITRE, and Cisco's PSIRT
    ● Describe how to disable monlist and version
● Distributed lists of IP addresses in the NTP_mon dataset among trusted institutions
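The advisories tell operators to stop ntpd from answering monlist (mode 7) and version queries from the Internet. As an added example (not from the paper or the advisories), the block below audits an ntp.conf text for the two directives that do this: `disable monitor` and a `restrict default ... noquery` line. It contains a constructed weak configuration next to a constructed hardened one; the server names and the exact set of restrict flags are illustrative, and the check is deliberately limited to these two directives.

```python
"""Audit an ntp.conf for the directives that stop monlist/version amplification."""

# Constructed example: a default-style config that still answers mode-6/7 queries.
WEAK_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
"""

# Constructed example: the same config with the advisory-style hardening applied.
HARDENED_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
# do not keep the monitoring list that monlist reads from
disable monitor
# refuse control/monitoring queries (version, monlist) from everyone by default
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def parse_ntp_conf(text: str) -> list[list[str]]:
    """Return each directive as a token list, ignoring comments and blank lines."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directives.append(line.split())
    return directives


def _is_default_restrict(tokens: list[str]) -> bool:
    """True for 'restrict default ...' and 'restrict -4|-6 default ...'."""
    if tokens[0] != "restrict":
        return False
    args = [t for t in tokens[1:] if t not in ("-4", "-6")]
    return bool(args) and args[0] == "default"


def audit_ntp_conf(text: str) -> list[str]:
    """Return findings; an empty list means both mitigations are in place."""
    directives = parse_ntp_conf(text)
    findings = []
    if not any(d[0] == "disable" and "monitor" in d[1:] for d in directives):
        findings.append("'disable monitor' missing: monlist responses remain possible")
    defaults = [d for d in directives if _is_default_restrict(d)]
    if not defaults:
        findings.append("no 'restrict default' line: any host may send queries")
    elif not all("noquery" in d for d in defaults):
        findings.append("'restrict default' lacks noquery: version and mode-6/7 queries are answered")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_NTP_CONF), ("hardened", HARDENED_NTP_CONF)):
        print(name, audit_ntp_conf(conf) or ["ok"])
```

A real audit would also confirm the ntpd version, since older releases ship the monitor list enabled and ignore some restrict flags; this block only reads the configuration text.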
Analyzing Campaign Success
● At the end of weekly scanning in February 2014
  – NTP_ver dropped from 7,364,792 to 4,802,212 (33.9%)
  – NTP_mon dropped from 1,651,199 to 126,080 (92.4%)
● Another scan performed in June 2014 showed a further decrease in NTP_mon by ~40,000
Analyzing Campaign Success (figure slide)
Geographic Distribution (figure slide)
Lessons Learned
● Such security notification campaigns can be very effective
  – Could potentially be applied to other security-critical issues (e.g., Heartbleed)
● CERTs are not as well connected as they need to be
Outline
● Introduction
● Threat Model and Scanning
● NTP Case Study
● TCP-based Amplification
● IP Address Spoofing
TCP-based Amplification Attacks
● Authors have shown it is potentially possible to stop UDP-based amplification attacks
● Attackers have shown they are capable of evolving their attacks as this occurs
● Can TCP-based protocols be abused similarly?
  – UDP works well due to its connectionless nature
  – TCP is connection-oriented, making it less intuitively susceptible
TCP Three-Way Handshake
● General process
  – Client sends a SYN packet to the server
  – Server responds with a SYN/ACK packet
  – Client completes setup with a final ACK packet
● Does not seem to allow for amplification
  – At most, one SYN/ACK packet will be sent to the victim
    ● Traffic not amplified
Handshake Problems
● TCP will retransmit segments that are not acknowledged
  – Many popular TCP stacks will retransmit SYN/ACK packets until:
    (i) an ACK is received,
    (ii) the connection times out, or
    (iii) the connection is closed via a RST packet
Handshake Problems
● Victims may not be able to send a RST packet
  – Could be overloaded
  – Attacker could target an unassigned IP address within a network
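The two slides above describe the failure mode that turns a TCP server into a reflector: SYN/ACKs keep being retransmitted to an address that never answers with an ACK or a RST. An added example follows (written for this summary, not the paper's measurement code) that detects that pattern from a defender's side: it parses a constructed, tcpdump-like packet log, counts SYN/ACK retransmissions per half-open flow, and flags flows whose SYN/ACKs were never answered. The log format, the addresses (documentation ranges) and the threshold of three unanswered SYN/ACKs are assumptions for this example.

```python
"""Flag half-open TCP flows whose SYN/ACKs are retransmitted without any reply."""
import re

# Simplified tcpdump-style lines: "<time> <src>:<sport> > <dst>:<dport> [<flags>]"
# where flags use tcpdump letters: S = SYN, S. = SYN/ACK, . = ACK, R = RST.
LOG_LINE = re.compile(
    r"^(?P<t>\d+\.\d+) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) \[(?P<flags>[A-Z.]+)\]$"
)

# Constructed capture (not real traffic): one normal handshake, one client that
# never answers and receives five SYN/ACKs, and one client that answers with RST.
SAMPLE_CAPTURE = """\
0.000 192.0.2.10:51000 > 198.51.100.5:80 [S]
0.001 198.51.100.5:80 > 192.0.2.10:51000 [S.]
0.002 192.0.2.10:51000 > 198.51.100.5:80 [.]
0.100 203.0.113.7:40000 > 198.51.100.5:80 [S]
0.101 198.51.100.5:80 > 203.0.113.7:40000 [S.]
1.101 198.51.100.5:80 > 203.0.113.7:40000 [S.]
3.101 198.51.100.5:80 > 203.0.113.7:40000 [S.]
7.101 198.51.100.5:80 > 203.0.113.7:40000 [S.]
15.101 198.51.100.5:80 > 203.0.113.7:40000 [S.]
0.200 192.0.2.20:52000 > 198.51.100.5:80 [S]
0.201 198.51.100.5:80 > 192.0.2.20:52000 [S.]
0.202 192.0.2.20:52000 > 198.51.100.5:80 [R]
"""

# A flow is keyed from the server's point of view: (server, sport, client, cport).
FlowKey = tuple[str, int, str, int]


def summarize_handshakes(capture_text: str) -> dict[FlowKey, dict]:
    """Count SYN/ACKs per flow and note whether the client ever sent an ACK or RST."""
    flows: dict[FlowKey, dict] = {}
    for line in capture_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        flags = m["flags"]
        if flags == "S.":
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            flows.setdefault(key, {"synacks": 0, "answered": False})["synacks"] += 1
        elif flags in (".", "R", "R."):
            # reply from the client side, so swap the endpoints to find the flow
            key = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
            flows.setdefault(key, {"synacks": 0, "answered": False})["answered"] = True
    return flows


def flag_unanswered_synacks(capture_text: str, min_synacks: int = 3) -> list[tuple[FlowKey, int]]:
    """Flows with at least min_synacks SYN/ACKs and no ACK/RST from the client."""
    return [(key, f["synacks"]) for key, f in summarize_handshakes(capture_text).items()
            if not f["answered"] and f["synacks"] >= min_synacks]


if __name__ == "__main__":
    for (server, sport, client, cport), n in flag_unanswered_synacks(SAMPLE_CAPTURE):
        print(f"{server}:{sport} sent {n} unanswered SYN/ACKs to {client}:{cport}")
```

Seen from the server being abused, many such flows toward one destination are the signature of it acting as a reflector; seen from the destination network, the same count over inbound SYN/ACKs that nobody requested is the signature of being the victim.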
TCP Scanning
● Performed two Internet-wide SYN scans
  – First without RSTs and the second with RSTs
  – Performed for HTTP, Telnet, and CUPS
● Reached 66,785,451 HTTP hosts, 23,519,493 Telnet hosts, and 1,845,346 CUPS hosts
TCP Results (figure slides)
Outline
● Introduction
● Threat Model and Scanning
● NTP Case Study
● TCP-based Amplification
● IP Address Spoofing
IP Address Spoofing
● IP address spoofing is the root cause of amplification attacks
● Until now, the only way to check whether a system allows IP address spoofing was for an admin to test it themselves
● Authors work to deploy a scanner that works remotely
  – Enables them to identify thousands of systems that support IP address spoofing
IP Spoofing Scanner (figure slides)
Finding Spoofing-Enabled Networks
● Authors found 581,777 DNS proxies which had mismatched source IP addresses
  – Even with extremely conservative estimates, this implies there are thousands of systems out there that allow for spoofed IP addresses
● Only tells us which networks allow spoofing, not whether they are actually being used for it
  – Left as future work
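The evidence on this slide is a reply whose source address is not the address that was queried. As an added example (not the paper's scanner), the block below performs the analysis step on constructed observations of (queried address, reply source): a reply from a private or otherwise unroutable source could only have reached the scanner if the responding network forwards packets with a source address that is not its own, which is direct evidence that it lacks source address validation, whereas a mismatching public source needs further checking before any conclusion. The addresses are documentation ranges, and the grouping of results by /24 and the list of unroutable ranges are assumptions of this example.

```python
"""Classify DNS-proxy replies whose source differs from the address that was queried."""
import ipaddress
from collections import defaultdict

# Source ranges that should never appear on the public Internet. Listed explicitly
# rather than using ipaddress.is_private, because that flag also covers the
# documentation ranges used for the sample below.
UNROUTABLE_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]

# Constructed observations: (address the query was sent to, source of the reply).
SAMPLE_OBSERVATIONS = [
    ("198.51.100.10", "198.51.100.10"),  # resolver answering from its own address
    ("198.51.100.11", "192.168.1.1"),    # proxy's backend replied from an RFC 1918 address
    ("203.0.113.5", "203.0.113.9"),      # reply from a different public address
    ("203.0.113.6", "10.0.0.53"),        # another private-source reply
    ("203.0.113.7", "203.0.113.7"),
]


def classify_response(probed: str, response_src: str) -> str:
    """Return 'match', 'mismatch-private' or 'mismatch-public'."""
    p = ipaddress.ip_address(probed)
    r = ipaddress.ip_address(response_src)
    if p == r:
        return "match"
    if any(r in net for net in UNROUTABLE_SOURCES):
        return "mismatch-private"   # strong evidence: no source address validation
    return "mismatch-public"        # needs e.g. an AS ownership check first


def summarize(observations) -> dict[str, int]:
    """Count observations per category."""
    counts: dict[str, int] = defaultdict(int)
    for probed, src in observations:
        counts[classify_response(probed, src)] += 1
    return dict(counts)


def spoofing_enabled_prefixes(observations, prefixlen: int = 24) -> list[str]:
    """Prefixes of probed addresses with at least one private-source reply.

    The /24 grouping is an assumption for this example; the paper's own unit of
    analysis may differ.
    """
    prefixes = set()
    for probed, src in observations:
        if classify_response(probed, src) == "mismatch-private":
            net = ipaddress.ip_network(f"{probed}/{prefixlen}", strict=False)
            prefixes.add(str(net))
    return sorted(prefixes)


if __name__ == "__main__":
    print(summarize(SAMPLE_OBSERVATIONS))
    print("candidate spoofing-enabled prefixes:", spoofing_enabled_prefixes(SAMPLE_OBSERVATIONS))
```

The mitigation for the flagged prefixes is the one the slide implies: source address validation at the network edge (BCP 38 ingress filtering), so that packets with a foreign source address never leave the network.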
Conclusion
● Identified and organized UDP-based protocols that can be used for amplification DDoS attacks
● Performed a successful campaign notifying the public of vulnerabilities within NTP
● Identified potential amplification attacks from TCP-based protocols
● Deployed a scanner capable of identifying IP address spoofing-enabled networks
Questions?