Exit from Hell? Reducing the Impact of Amplification DDoS Attacks - PowerPoint PPT Presentation


1. Exit from Hell? Reducing the Impact of Amplification DDoS Attacks
Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz
Presented by: Richie Noble

2. Distributed Denial-of-Service (DDoS) Attacks
● Known problem for many years
  – Difficult to distinguish between an attack and simple overloading ("Slashdot effect")
  – Many solutions proposed
● Simple DDoS attacks like SYN flooding are well-understood
(Image: http://upload.wikimedia.org/wikipedia/commons/3/3f/Stachledraht_DDos_Attack.svg)

3. Evolving DDoS Attacks
● Many DDoS attacks now employ amplification attacks
  – Abuse of UDP-based network protocols via reflection
  – Attacker sends spoofed packets to a large number of reflectors, who send responses to the intended victim
  – Responses are often much larger than the requests, leading to amplification
(Image: https://www.cert.be/files/dnsbad-large.png)

4. Understanding the Problem
● As this type of attack is relatively new, the authors wish to learn more about it
  – Performed Internet-wide scans to identify potential amplifiers
  – Fingerprinted and categorized these systems
  – Performed a global security notification campaign
  – Analyzed the potential for TCP amplification attacks
  – Deployed a remote scanning technique for identifying systems that allow IP spoofing

5. Outline
● Introduction
● Threat Model and Scanning
● NTP Case Study
● TCP-based Amplification
● IP Address Spoofing

6. Threat Model
● Prior work has identified 14 vulnerable UDP-based protocols
  – Offer severe amplification rates, up to a factor of 4,670
● Authors performed an Internet-wide scan for systems using seven of these protocols
  – DNS, SNMP, SSDP, CharGen, QOTD, NTP, and NetBIOS
  – All run server-side, implying better connectivity and less IP address churn

7. Scanning Setup
● Authors developed an efficient scanner to identify amplifiers, following practices suggested by Durumeric et al.
● Scans run on a weekly basis from Nov. 22, 2013 – Feb. 21, 2014
  – Scans spread out over 48-hour periods to avoid being blacklisted
● Set up a reverse DNS record of the scanner pointing to a web server presenting the project and opt-out information

8. Scanning Setup
● Sent a request for each protocol that can be used to amplify traffic
  – NTP version, SSDP search, DNS A lookups, etc.
● During the course of the scans, received 90 emails from administrators
  – Excluded 91 IP prefixes and 30 individual IP addresses (~3.7 million total)
  – Such addresses were excluded from analysis, even if they were not blacklisted from the beginning
● Discovered nearly 46 million potential amplifiers

  9. Scanning Results

10. Amplifier Classification

11. Amplifier Churn

12. Amplifier Churn

13. Outline
● Introduction
● Threat Model and Scanning
● NTP Case Study
● TCP-based Amplification
● IP Address Spoofing

14. NTP Case Study
● NTP promising for amplification attacks
  – monlist feature can be amplified by a factor of 4,670
  – Very minimal IP address churn
  – Multiple amplification vectors
    ● version feature can be amplified by a factor of 24
  – Attackers have already used NTP
    ● A French hosting provider suffered a 400 Gbps amplification attack in February 2014

15. NTP Notification Campaign
● Defined two datasets of NTP amplifiers
  – NTP ver and NTP mon, representing NTP servers vulnerable to version and monlist requests, respectively
● Collaborated with many security organizations
  – Technical advisories from CERT-CC, MITRE, Cisco's PSIRT
    ● Describe how to disable monlist and version
● Distributed lists of IP addresses in the NTP mon dataset among trusted institutions

16. Analyzing Campaign Success
● At the end of weekly scanning in February 2014
  – NTP ver dropped from 7,364,792 to 4,802,212 (33.9%)
  – NTP mon dropped from 1,651,199 to 126,080 (92.4%)
● Another scan performed in June 2014 showed a further decrease in NTP mon by ~40,000

17. Analyzing Campaign Success

  18. Geographic Distribution

19. Lessons Learned
● Such security notification campaigns can be very effective
  – Could potentially be applied to other security-critical issues (e.g., Heartbleed)
● CERTs are not as well connected as they need to be

20. Outline
● Introduction
● Threat Model and Scanning
● NTP Case Study
● TCP-based Amplification
● IP Address Spoofing

21. TCP-based Amplification Attacks
● Authors have shown it is potentially possible to stop UDP-based amplification attacks
● Attackers have shown they are capable of evolving their attacks as this occurs
● Can TCP-based protocols be abused similarly?
  – UDP works well due to its connectionless nature
  – TCP is connection-oriented, making it less intuitively susceptible

22. TCP Three-way Handshake
● General process
  – Client sends a SYN packet to the server
  – Server responds with a SYN/ACK packet
  – Client completes setup with a final ACK packet
● Does not seem to allow for amplification
  – At most, one SYN/ACK packet will be sent to the victim
    ● Traffic not amplified

23. Handshake Problems
● TCP will retransmit segments that are not acknowledged
  – Many popular TCP stacks will retransmit SYN/ACK packets until:
    (i) an ACK is received
    (ii) the connection times out
    (iii) the connection is closed via a RST packet

24. Handshake Problems
● Victims may not be able to send a RST packet
  – Could be overloaded
  – Attacker could target an unassigned IP address within a network

25. TCP Scanning
● Performed two Internet-wide SYN scans
  – First without RSTs and the second with RSTs
  – Performed for HTTP, Telnet, and CUPS
● Reached 66,785,451 HTTP hosts, 23,519,493 Telnet hosts, and 1,845,346 CUPS hosts

  26. TCP Results

  27. TCP Results

28. Outline
● Introduction
● Threat Model and Scanning
● NTP Case Study
● TCP-based Amplification
● IP Address Spoofing

29. IP Address Spoofing
● IP address spoofing is the root cause of amplification attacks
● Up to now, the only way to check whether a system allows IP address spoofing has been for an admin to test it themselves
● Authors work to deploy a scanner that works remotely
  – Enables them to identify thousands of systems that support IP address spoofing

30. IP Spoofing Scanner

31. IP Spoofing Scanner

32. Finding Spoofing-Enabled Networks

33. Finding Spoofing-Enabled Networks
● Authors found 581,777 DNS proxies that had mismatched source IP addresses
  – Even with extremely conservative estimates, this implies there are thousands of systems out there that allow spoofed IP addresses
● Only tells us which networks allow spoofing, not whether they actually are being abused
  – Left as future work
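As an added example (not from the slides or the paper), this is how the mismatch signal from slide 33 can be turned into the conservative per-network count it mentions: each scan reply is reduced to (queried proxy, reply source, transaction-ID match), proxies whose valid reply came from outside their own prefix are flagged, and flagged proxies are grouped so each network counts once. The sample replies, the /24 grouping and the reading that a foreign reply source means the forwarded query left the proxy's network with our address as source are assumptions of the example.

```python
import ipaddress
from collections import defaultdict

# Constructed scan log (not real data): (queried_proxy_ip, reply_source_ip, txid_ok)
# txid_ok records whether the DNS transaction ID in the reply matched our query.
SAMPLE_REPLIES = [
    ("198.51.100.10", "198.51.100.10", True),  # normal: reply from the host we queried
    ("198.51.100.20", "203.0.113.53", True),   # mismatch: an upstream resolver answered us directly
    ("198.51.100.21", "203.0.113.53", True),   # second proxy in the same /24
    ("192.0.2.77", "203.0.113.9", True),       # mismatch in a different network
    ("192.0.2.80", "192.0.2.81", True),        # reply from the proxy's own prefix: inconclusive
    ("192.0.2.90", "203.0.113.1", False),      # stray packet with wrong transaction ID: ignore
]


def mismatched_proxies(replies, prefixlen=24):
    """Proxies whose valid reply came from an address outside their own prefix.

    Assumed reading of the slide: a reply from a different host means the proxy
    forwarded our query upstream with our address as the source, so a spoofed
    packet left its network unfiltered. Replies from inside the proxy's own
    prefix are skipped as inconclusive, since that packet may never have
    crossed the network's edge (a conservative choice made by this example).
    """
    found = []
    for queried, source, txid_ok in replies:
        if not txid_ok:
            continue
        net = ipaddress.ip_network(f"{queried}/{prefixlen}", strict=False)
        if ipaddress.ip_address(source) not in net:
            found.append(queried)
    return found


def spoofing_enabled_networks(replies, prefixlen=24):
    """Group mismatched proxies by prefix; counting each prefix once rather
    than each proxy is the kind of conservative estimate the slide refers to."""
    nets = defaultdict(set)
    for queried in mismatched_proxies(replies, prefixlen):
        net = ipaddress.ip_network(f"{queried}/{prefixlen}", strict=False)
        nets[str(net)].add(queried)
    return dict(nets)


if __name__ == "__main__":
    for net, proxies in spoofing_enabled_networks(SAMPLE_REPLIES).items():
        print(f"{net}: {len(proxies)} proxy/proxies replied from outside the prefix")
```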

34. Conclusion
● Identified and organized UDP-based protocols that can be used for amplification DDoS attacks
● Performed a successful campaign notifying the public of vulnerabilities within NTP
● Identified potential amplification attacks from TCP-based protocols
● Deployed a scanner capable of identifying IP address spoofing-enabled networks

  35. Questions?
