Lehrstuhl für Systemsicherheit (Chair for Systems Security)
Amplification DDoS Attacks
Marc Kührer
SPRING 9, Bochum, 31 July 2014
Outline
• Background
• UDP-based Amplification
• TCP-based Amplification
• Comparison UDP- / TCP-based Amplification
AMPLIFICATION DDOS ATTACKS | HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | BOCHUM | 31.07.2014
Background: Publications
[1] Christian Rossow. "Amplification Hell: Revisiting Network Protocols for DDoS Abuse". Network and Distributed System Security Symposium (NDSS 2014), San Diego, CA, USA.
[2] Marc Kührer, Thomas Hupperich, Christian Rossow, Thorsten Holz. "Exit from Hell? Reducing the Impact of Amplification DDoS Attacks". 23rd USENIX Security Symposium (USENIX Security '14), San Diego, CA, USA.
[3] Marc Kührer, Thomas Hupperich, Christian Rossow, Thorsten Holz. "Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks". 8th USENIX Workshop on Offensive Technologies (WOOT '14), San Diego, CA, USA.
Background: Amplification Attack
(figure: Attacker → Amplifier → Victim; the attacker sends small requests whose source address is spoofed to the victim's, and the amplifier delivers its much larger responses to the victim)
Background: Scanning in IPv4
• Internet-wide scans (4,294,967,296 IP addresses)
• No aggressive scanning: scans are distributed over time
• Linear feedback shift register (LFSR) to compute the order in which IP addresses are probed
• Reverse DNS record + web server with project information on the scanning hosts
• Explanation of how to opt out of repeated scans
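The slides only say that an LFSR fixes the probing order; the following is an added example (not the authors' scanner) of why an LFSR is the usual choice: a primitive feedback polynomial of degree 32 walks through every non-zero 32-bit value exactly once, so the register enumerates the whole address space in a scrambled order without storing a permutation. The tap lists, the Galois register form, the seed and the filtering of non-routable addresses are assumptions made here.

```python
"""Scan order from a linear feedback shift register (LFSR).

Added example; not code from the slides or from the authors' scanner. The
slides only say that an LFSR determines the order in which IPv4 addresses
are probed. The tap lists, the Galois register form, the seed and the
filtering of non-global addresses are all assumptions made here.
"""
import ipaddress
from typing import Iterator, List

# Maximal-length feedback polynomials as tap lists: [32, 22, 2, 1] stands for
# x^32 + x^22 + x^2 + x + 1. A primitive polynomial of degree n drives the
# register through every non-zero n-bit state exactly once per period, so the
# state sequence is a cheap pseudo-random permutation of 1 .. 2^n - 1.
TAPS = {8: [8, 6, 5, 4], 16: [16, 14, 13, 11], 32: [32, 22, 2, 1]}


def galois_mask(taps: List[int]) -> int:
    """Bit mask with bit (t - 1) set for every tap t (0x80200003 for 32 bits)."""
    mask = 0
    for t in taps:
        mask |= 1 << (t - 1)
    return mask


def lfsr_states(n: int, taps: List[int], seed: int = 1) -> Iterator[int]:
    """Yield the states of an n-bit Galois LFSR for exactly one period.

    Shift right; when a 1 falls out, XOR the tap mask in. Stops when the
    register returns to the seed, so the caller sees every state once.
    """
    mask = galois_mask(taps)
    state = seed & ((1 << n) - 1)
    if state == 0:
        raise ValueError("seed must be non-zero; 0 is a fixed point")
    while True:
        yield state
        lsb = state & 1
        state >>= 1
        if lsb:
            state ^= mask
        if state == seed:
            return


def period(n: int, taps: List[int]) -> int:
    """Length of the state cycle; 2^n - 1 if the polynomial is primitive."""
    return sum(1 for _ in lfsr_states(n, taps))


def scan_order(limit: int, seed: int = 0x2545F491) -> List[ipaddress.IPv4Address]:
    """First `limit` globally routable addresses in 32-bit LFSR order.

    Each register state is read as a 32-bit IPv4 address. Addresses that are
    private, loopback, multicast, reserved or otherwise not globally routable
    are skipped (a real scanner would additionally honour its opt-out list).
    The seed is an arbitrary constant chosen for this example.
    """
    out = []
    for state in lfsr_states(32, TAPS[32], seed):
        addr = ipaddress.IPv4Address(state)
        if addr.is_global:
            out.append(addr)
            if len(out) == limit:
                break
    return out


if __name__ == "__main__":
    for n in (8, 16):
        print(f"{n}-bit LFSR period: {period(n, TAPS[n])} (expect {2 ** n - 1})")
    for addr in scan_order(5):
        print(addr)
```

The full-period property is checked on the 8- and 16-bit registers because that takes milliseconds; the 32-bit register has the same property by construction (its polynomial is primitive), and `scan_order` simply reads successive states as addresses.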
UDP-based Amplification: Vulnerable Protocols
• 14 UDP-based protocols vulnerable to amplification [1]
• Highest amplification found for the NTP monlist feature: 4,670x
• Selected the five most severe protocols: DNS, NetBIOS, NTP, SNMP, and SSDP
• Performed Internet-wide scans to enumerate hosts that can be abused as amplifiers
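How such a scan decides that a host is an amplifier, using the NTP monlist feature as the example: send one small request, collect every reply fragment, and compare payload bytes received with payload bytes sent. This is an added example, not the scanner from the study; it builds the well-known NTP mode 7 MON_GETLIST_1 request and parses mode 7 replies using the classic ntpd private-packet header layout, which is stated here as an assumption. The `fake_monlist_reply` helper fabricates reply fragments so the factor computation can be exercised offline; the network probe is to be used only against servers you are allowed to test.

```python
"""NTP monlist probe and amplification-factor check.

Added example; not the scanner used in the study. It builds the well-known
NTP mode 7 MON_GETLIST_1 request and parses mode 7 replies. The header layout
follows the classic ntpd private-packet format (ntp_request.h) and is an
assumption of this example. Probe only hosts you are allowed to test.
"""
import socket
import struct
from typing import List, Tuple

# Mode 7 request: byte 0 = version 2 (bits 3-5) | mode 7 (bits 0-2) = 0x17,
# byte 1 = auth/sequence 0, byte 2 = implementation XNTPD (3),
# byte 3 = request code MON_GETLIST_1 (42), then err/nitems and mbz/itemsize = 0.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])

RESPONSE_BIT = 0x80  # set in byte 0 of every reply
MORE_BIT = 0x40      # reply is one fragment of a longer list
MONLIST_ITEM = 72    # bytes per monlist entry, at most 6 entries per fragment


def parse_mode7_response(pkt: bytes) -> Tuple[bool, int, int, int]:
    """Return (more, error, nitems, itemsize) from a mode 7 reply header.

    Bytes 4-5 carry a 4-bit error code and a 12-bit item count, bytes 6-7
    four must-be-zero bits and a 12-bit item size.
    """
    if len(pkt) < 8:
        raise ValueError("short packet")
    if not pkt[0] & RESPONSE_BIT or pkt[0] & 0x07 != 7:
        raise ValueError("not an NTP mode 7 response")
    err_nitems, mbz_itemsize = struct.unpack("!HH", pkt[4:8])
    return bool(pkt[0] & MORE_BIT), err_nitems >> 12, err_nitems & 0x0FFF, mbz_itemsize & 0x0FFF


def amplification_factor(request: bytes, replies: List[bytes]) -> float:
    """UDP payload bytes received per UDP payload byte sent (the BAF of [1])."""
    return sum(len(r) for r in replies) / len(request)


def monlist_replies(host: str, port: int = 123, timeout: float = 2.0) -> List[bytes]:
    """Send one monlist request and collect reply fragments until the last one or silence."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies: List[bytes] = []
    try:
        sock.sendto(MONLIST_REQUEST, (host, port))
        while True:
            data, _ = sock.recvfrom(2048)
            replies.append(data)
            if not parse_mode7_response(data)[0]:  # MORE bit clear: last fragment
                break
    except (socket.timeout, ValueError):
        pass
    finally:
        sock.close()
    return replies


def is_monlist_amplifier(replies: List[bytes], threshold: float = 10.0) -> bool:
    """True if the host returned monlist entries and amplifies by >= threshold.

    A patched or restricted server answers with an error code or not at all;
    a vulnerable one returns entries of MONLIST_ITEM bytes, six per fragment.
    """
    if not replies:
        return False
    _, err, nitems, _ = parse_mode7_response(replies[0])
    if err != 0 or nitems == 0:
        return False
    return amplification_factor(MONLIST_REQUEST, replies) >= threshold


def fake_monlist_reply(nitems: int, more: bool, err: int = 0) -> bytes:
    """Constructed reply fragment for offline testing; not captured traffic."""
    b0 = 0x17 | RESPONSE_BIT | (MORE_BIT if more else 0)
    header = bytes([b0, 0x00, 0x03, 0x2A]) + struct.pack("!HH", (err << 12) | nitems, MONLIST_ITEM)
    return header + bytes(MONLIST_ITEM * nitems)


if __name__ == "__main__":
    import sys
    replies = monlist_replies(sys.argv[1]) if len(sys.argv) > 1 else []
    print("fragments:", len(replies), "amplifier:", is_monlist_amplifier(replies))
```

One full fragment (8-byte header plus six 72-byte entries) already returns 440 bytes for an 8-byte request, i.e. 55x; a server with a long list of recently seen clients sends up to 100 such fragments, which is where factors in the thousands come from.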
UDP-based Amplification: Amplifier Magnitude
• Scans performed over three months
• Observed more than 5 million amplifiers for 4 of the 5 protocols
UDP-based Amplification: IP Churn (1 / 3)
• How fast does a set of amplifiers change?
• Enumerated amplifiers by IP address on Nov 22, 2013
• Checked whether those amplifiers were still reachable in the following weeks
UDP-based Amplification: IP Churn (2 / 3)
• For most protocols the churn is high (about 50% of the amplifiers are gone after a week)
• Amplifiers that disappear within a week are mostly routing devices, validated via device fingerprinting and reverse DNS (82.8% of the reverse DNS names contain "dyn", "dialup", or "pool")
• Amplifiers still reachable after 13 weeks are located in countries with longer IP-lease times (Korea, United States, Canada)
UDP-based Amplification: IP Churn (3 / 3)
• 90% of the NTP amplifiers are still reachable after four weeks
• Hosts still reachable after 13 weeks:
  • 40% run Cisco IOS
  • 53% are located in the United States, South Korea, and Japan
UDP-based Amplification: NTP monlist Campaign
• Collaborated with organizations to create technical advisories
• Published lists of hosts vulnerable to monlist amplification to security organizations (Shadowserver / NTP Pool Project)
TCP-based Amplification: Amplifier Magnitude (1 / 2)
• Send a single SYN to each target host and record all traffic it returns; the prober never completes the handshake (no ACK and no RST is sent back)
TCP-based Amplification: Amplifier Magnitude (2 / 2)
• Consider hosts that amplify a single SYN by a factor > 20x (counting Ethernet, IP, and TCP headers)
• Almost 2% of responsive FTP / Telnet hosts amplify a single SYN by a factor > 20x
• In total 4.8 million amplifiers
TCP-based Amplification: Amplification Type
• The distribution of TCP flags in the responses shows three main amplification types
• Traffic volume per type (a few RST amplifiers produce far more traffic than millions of SYN/ACK amplifiers):
  • NetBIOS
    • 8,863 SYN/ACK amplifiers: 25 MB of traffic
    • 3,087 RST amplifiers: 12 GB of traffic
  • FTP
    • 2,907,279 SYN/ACK amplifiers: 3.2 GB of traffic
    • 5,577 RST amplifiers: 15.1 GB of traffic
TCP-based Amplification: Packet Frequency
• A high number of packets reaching the target at the same time is important for a high impact
• We measured the number of packets that reach the target within 10, 30, and 60 seconds after the first response of a host
• Besides a high amplification factor, RST amplifiers also cause a high packet frequency
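The three quantities on the preceding slides (amplification factor with all headers counted, amplification type from the dominant flag combination, and packet counts in 10/30/60 s windows after the first response) can be derived from the frames recorded per host after one unanswered SYN. The following is an added example and not the measurement code from the study; the 54-byte probe size (Ethernet + IPv4 + TCP without options), the flag-to-type mapping and the sample records for four hosts are constructed assumptions.

```python
"""Classify TCP amplifiers from the frames recorded after a single SYN.

Added example, not the study's measurement code. Per host it takes the frames
that came back after one SYN that the prober never acknowledged or reset, and
derives the amplification factor (all headers counted), the amplification type
(flag combination carrying most bytes) and the packet frequency in 10, 30 and
60 second windows after the first response. Probe size and sample records are
assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

SYN_FRAME_BYTES = 54   # 14 Ethernet + 20 IPv4 + 20 TCP, no options (assumed)
WINDOWS = (10, 30, 60)  # seconds after the first response
THRESHOLD = 20.0        # slides: hosts amplifying a single SYN by > 20x


@dataclass(frozen=True)
class Frame:
    t: float        # seconds since this host's first response
    flags: str      # TCP flags set, e.g. "SA", "R", "PA"
    length: int     # bytes on the wire including Ethernet, IP and TCP headers


@dataclass
class AmplifierReport:
    host: str
    factor: float
    kind: str                  # "SYN/ACK", "RST", "PSH" or "other"
    packets: Dict[int, int]    # window length in seconds -> packets within it


def classify_flags(frames: List[Frame]) -> str:
    """Amplification type = flag combination that carried the most bytes."""
    by_kind: Counter = Counter()
    for f in frames:
        if "R" in f.flags:
            kind = "RST"
        elif "S" in f.flags and "A" in f.flags:
            kind = "SYN/ACK"
        elif "P" in f.flags:
            kind = "PSH"
        else:
            kind = "other"
        by_kind[kind] += f.length
    return by_kind.most_common(1)[0][0]


def analyse(host: str, frames: List[Frame]) -> AmplifierReport:
    total = sum(f.length for f in frames)
    packets = {w: sum(1 for f in frames if f.t <= w) for w in WINDOWS}
    return AmplifierReport(host, total / SYN_FRAME_BYTES, classify_flags(frames), packets)


def amplifiers(captures: Dict[str, List[Frame]], threshold: float = THRESHOLD) -> List[AmplifierReport]:
    """Reports for hosts above the amplification threshold, largest factor first."""
    reports = [analyse(h, fr) for h, fr in captures.items() if fr]
    return sorted((r for r in reports if r.factor > threshold), key=lambda r: -r.factor)


def sample_captures() -> Dict[str, List[Frame]]:
    """Constructed records for four probed hosts (not captured data)."""
    return {
        # well-behaved host: a handful of SYN/ACK retransmissions with backoff
        "198.51.100.1": [Frame(t, "SA", 60) for t in (0, 1, 3, 7, 15)],
        # SYN/ACK amplifier: keeps retransmitting every 2.5 s for a minute
        "198.51.100.2": [Frame(2.5 * i, "SA", 60) for i in range(25)],
        # RST amplifier: storm of resets, ten per second for 40 seconds
        "198.51.100.3": [Frame(i / 10, "R", 60) for i in range(400)],
        # PSH amplifier: pushes full-size data segments without a handshake
        "198.51.100.4": [Frame(t, "SA", 60) for t in (0, 1, 3)]
                        + [Frame(4 + i, "PA", 1514) for i in range(10)],
    }


if __name__ == "__main__":
    for r in amplifiers(sample_captures()):
        print(f"{r.host:14} {r.kind:8} {r.factor:8.1f}x  packets {r.packets}")
```

With these records the well-behaved host stays below 20x and is dropped, while the RST host ranks first on both measures: its factor exceeds 400x and more than a hundred resets arrive within the first ten seconds.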
TCP-based Amplification: Real-World Attacks
• Can TCP-based amplifiers be used in real-world attacks, in which an attacker repeatedly sends spoofed SYN packets to the amplifiers to flood the victim's network?
• We sent 1, 5, and 10 SYN packets to different types of amplifiers and measured the traffic that arrived up to 60 seconds after the last SYN segment:
  • SYN/ACK amplifiers:
    • 1x SYN: 34.2 MB
    • 5x SYN: 55.1 MB
    • 10x SYN: 76.0 MB (increase by a factor of 2.2x)
  • PSH amplifiers:
    • 1x SYN: 11.2 MB
    • 10x SYN: 110.8 MB (increase by a factor of 10x)
  • RST amplifiers:
    • 1x SYN: 89.6 MB
    • 5x SYN: 392.4 MB (increase by a factor of 4.4x)
    • 10x SYN: 789.2 MB (increase by a factor of 8.8x)
Comparison UDP-based vs. TCP-based Amplification (1 / 2)
• Amplification factor
  • UDP-based protocols:
    • 3.8x (NetBIOS)
    • 98.3x (DNS)
    • 4,670x (NTP monlist)
    • The actual bandwidth amplification is much lower (< 1,000x for NTP)
  • TCP-based protocols:
    • Allow much higher bandwidth amplification
    • Up to 80,000x for RST amplifiers
Comparison UDP-based vs. TCP-based Amplification (2 / 2)
• Number of amplifiers
  • UDP-based protocols:
    • 2.8 million (NetBIOS)
    • 30.5 million (DNS)
    • 87,463 (NTP monlist)
  • TCP-based protocols:
    • Low number of amplifiers (particularly for RST)
• DNS amplifiers can cause a higher impact (about 10x compared to an attack using FTP)
• Attackers currently stick to UDP-based attacks
• TCP attacks are presumably much harder to block, though
Questions?
Contact: Marc Kührer, marc.kuehrer@rub.de
More Information: http://syssec.rub.de
Background: Reflection Attack
(figure: Attacker → Reflector → Victim; the attacker sends requests whose source address is spoofed to the victim's, and the reflector sends its responses to the victim)
UDP-based Amplification: Intersection of Amplifiers
• Largest overlap between SNMP and DNS amplifiers
• Almost 46 million amplifiers across all scanned protocols combined
UDP-based Amplification: Device Fingerprinting
• Device fingerprinting based on 1,873 manually compiled regular expressions, applied to the returned UDP payload data (plus additional TCP scans)
• The majority of vulnerable hosts are routing devices (NTP: 40.8% Cisco IOS)
• 1,267,008 amplifiers (17.4%) running Linux on MIPS and 357,076 devices (4.9%) running Linux on PowerPC
• Smaller clusters: 695 devices running Miele Logic, 51,351 DVRs, 20,927 NAS
UDP-based Amplification: NTP monlist Campaign (2 / 2)
• On Feb 24, 2014, the number of monlist amplifiers had dropped to 126,080 (a decrease of 92.4%)
• As of Jun 2014, 87,463 amplifiers were still reachable (a decrease of almost 40,000 hosts since Feb 2014)