1 DRDoS Attacks: Latest Threats and Countermeasures
Larry J. Blunk
Spring 2014 MJTS
4/1/2014

2 Outline
Evolution and history of DDoS attacks
Overview of DRDoS attacks
Ongoing DNS based attacks
Recent NTP monlist based attacks
BCP 38 and the importance of source address filtering
Are your hosts acting as reflectors?

3 Origins of DDoS attacks
Attacker uses a set of compromised hosts (zombies) to attack a particular target
Compromised hosts address attack traffic directly towards the target's destination IP address
Source address could be the real IP of the compromised host or a spoofed IP address
Spoofed addresses are more difficult to track/block
Enables certain classes of attacks (TCP SYN attack)
Early attacks generally targeted specific services rather than flooding bandwidth

4 A traditional DDoS attack
[Diagram: Attacker -> Zombies -> Target]
1:1 traffic ratio from zombies to target
Scaling requires adding more zombies

5 Earliest Large DDoS
PANIX, one of the Internet's earliest ISPs, was hit with a TCP SYN flood attack in early Sept, 1996
TCP SYN packets with random source addresses sent to a service (http, smtp, etc.) quickly fill the TCP connection table slots
"The hacker has been sending up to 150 requests a second to Panix's computers, seeking to establish a connection... the requests, presumably generated by a malicious computer program, contain fake Internet addresses, which the computer must sort out before they can discard them. The computers have choked under the deluge."

6 DRDoS Attacks
Distributed Reflective Denial of Service
A particular variant of DDoS attacks
Attacker does not address packets directly towards the target
Spoofs the target's address as the source and sends to third-party ICMP/UDP services, which reflect responses back towards the actual target
Depending on the service, this form of attack can greatly amplify the zombies' attack traffic
Does not target any particular service on the target - works by flooding available bandwidth

7 DRDoS Attack Diagram
[Diagram: Attacker -> Zombies -> Reflectors -> Target]
Zombies spoof the target's address as their source IP
Reflectors amplify traffic (larger/multiple packets) towards the target
Scaling can be accomplished by adding more reflectors

8 Early DRDoS attacks
Examples of ICMP/UDP services which may be leveraged for DRDoS attacks include ICMP Echo, DNS, SNMP, NTP, and certain UDP simple services (Chargen, Echo, and QotD)
One of the earliest examples was the Smurf attack, which utilized ICMP Echo Requests/Responses
Originated in 1997, named for the smurf.c program
Sent ICMP Echo messages to subnet broadcast addresses with the spoofed source address of the target
All hosts on the subnet would see the broadcast and send Echo Responses towards the target

9 Early DRDoS cont'd
Amplification factor varied with the number of hosts on the subnet
A variant of the Smurf attack was the Fraggle attack
Like the Smurf attack, it used directed subnet broadcast addresses, aimed at the UDP echo (7) and chargen (19) ports
These forms of attacks were largely addressed by disabling directed broadcasts and disabling simple services on Unix hosts and routers
Router(config-if)# no ip directed-broadcast
Router(config)# no service udp-small-servers

10 Open DNS resolvers
Attackers began leveraging open DNS resolvers for DRDoS around 2005
Initially, attackers used TXT records (up to 4000 bytes) created on a compromised DNS server
Compromised zombie hosts then queried for the TXT record using the spoofed source address of the target
A 60 byte query can yield a 4000 byte response, for a roughly 70:1 amplification effect

11 Open DNS resolvers (cont'd)
As DNSSEC deployment began recently, attackers began leveraging DNSSEC signed zones
DNSSEC uses relatively large DNSKEY, NSEC, and RRSIG record types to secure zones
Early adopters began signing zones in 2008; isc.org and ripe.net are two early examples
Attackers can simply query for type ANY on DNSSEC signed zones to generate large responses
Difficult to block as they are legitimate records
The root zone was recently signed and can now also be used to generate large responses

12 Example query/response
$ dig +edns=0 . any
;; ANSWER SECTION:
IN RRSIG NSEC htmogfei1ecx4zkfzjhhrzg6s1qtfjnlbjvq+oapx+2fnacqpz7i1qbv XGeBsv9LhalkqSW/rBNOVW2O+5lEk2FuOl4bvoBRwYy7oUac4I1Yscf0 AH2zePNYBhDN0FHjbHl/hMVcv4UwAdlNotRWyh2NA7yJA5V6otNjN9b3 Ia8=
..
;; Query time: 17 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Mar 31 23:11:
;; MSG SIZE rcvd: 1603

13 Evolution of DNS attacks
There have been ongoing efforts over recent years to get operators to close open recursive resolvers
Resolvers only need to respond to queries from local network clients, and there has been some success in getting operators to restrict access
Authoritative DNS servers, however, must be open to queries from the entire Internet
More restrictive than resolvers, as they will only answer queries for zones that they are authoritative for
Recent attacks are exploiting authoritative servers
Response Rate Limiting (RRL) is being deployed on servers to limit the effectiveness of amplification
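The slide names RRL as the authoritative-server countermeasure but does not show how it works. The following is an added example, not code from the talk or from BIND, NSD or Knot; it models the core behaviour those servers implement: identical responses to the same client prefix are capped per second, and the excess is either dropped or, every slip-th time, replaced by a small truncated (TC=1) reply so that a genuine client retries over TCP while a spoofed victim receives almost nothing. The prefix lengths, rates, addresses and query stream are constructed.

```python
"""Simplified DNS Response Rate Limiting (RRL) for an authoritative server.

Added example, not code from the talk or from BIND/NSD/Knot. Rates, prefix
lengths and the traffic in run_simulation() are constructed.
"""
from collections import Counter, defaultdict
import ipaddress


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2, v4_prefix=24, v6_prefix=56):
        self.rps = responses_per_second
        self.slip = slip
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        # (whole second, client prefix, qname, qtype) -> responses counted so far
        self._counts = defaultdict(int)

    def client_prefix(self, src_ip):
        """Aggregate clients by prefix: a flood that spoofs many addresses in
        the victim's /24 shares one bucket, which is what makes RRL bite."""
        addr = ipaddress.ip_address(src_ip)
        plen = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return str(ipaddress.ip_interface(f"{addr}/{plen}").network)

    def decide(self, src_ip, qname, qtype, now):
        """Return 'answer', 'slip' (send a TC=1 header-only reply) or 'drop'."""
        key = (int(now), self.client_prefix(src_ip),
               qname.lower().rstrip("."), qtype.upper())
        self._counts[key] += 1
        seen = self._counts[key]
        if seen <= self.rps:
            return "answer"
        excess = seen - self.rps
        if self.slip and excess % self.slip == 0:
            return "slip"
        return "drop"


def run_simulation(seconds=3):
    """Constructed traffic: one real client asking 2 qps for an A record and a
    spoofed flood of 100 qps for '<zone> ANY' from addresses across one /24."""
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    outcome = {"legit": Counter(), "flood": Counter()}
    for second in range(seconds):
        for i in range(2):
            verdict = rrl.decide("198.51.100.10", "www.example.com", "A", second + i / 2)
            outcome["legit"][verdict] += 1
        for i in range(100):
            src = f"203.0.113.{i % 254 + 1}"          # spoofed victim addresses
            verdict = rrl.decide(src, "example.com", "ANY", second + i / 100)
            outcome["flood"][verdict] += 1
    return outcome


if __name__ == "__main__":
    for who, counts in run_simulation().items():
        print(who, dict(counts))
```

In the simulation the legitimate client is never limited, while each second of the flood produces five full answers and 47 header-sized TC replies instead of 100 large ANY responses, which is the amplification reduction the slide refers to. Production RRL implementations add a credit window and separate rates for error and NXDOMAIN responses; the per-prefix bucket and the slip mechanism shown here are the part that defeats reflection.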

14 Protocols other than DNS
Researchers have been studying whether there are other UDP protocols which can be used for amplification
They have also been looking for any evidence of new attacks in the wild
A recent paper examined various protocols and their potential amplification ratio
The researchers noted that a particular NTP command yields a very high amplification ratio
However, at the time of their analysis (mid 2013), they had yet to notice any attacks employing NTP

15 Amplification factors

Protocol     Amplification   Details
========     =============   =======
DNS          28 to 54        Domain name
NTP                          NTP Monlist
SNMPv2       6.3             GetBulk request
NetBIOS      3.8             Name resolution
SSDP         30.8            SEARCH request
CharGEN                      Character generation
QOTD                         Quote request
BitTorrent   3.8             File search
Kad          16.3            Peer list exchange
Quake        63.9            Server info exchange
Steam        5.5             Server info exchange

16 NTP Monlist details
Part of the ntp.org implementation (used widely)
Provides statistics from the last N connections, where N is often 100
DRDoS attack potential first noted in
byte NTP query == bytes ea.
Monlist removed in NTP version in 2011
However, many distributions and devices are still based on version or earlier: Linux distros (RedHat/CentOS/Ubuntu/etc.), FreeBSD, JunOS, SuperMicro IPMI controller, etc.
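To answer the deck's closing question ("are your hosts acting as reflectors?") for NTP, a defender needs to recognise monlist traffic in captured UDP/123 payloads. The following is an added example, not code from the talk or from ntp.org. It parses the ntpd mode 7 (private) header as laid out in ntp_request.h, where request code 42 is REQ_MON_GETLIST_1 (20 is the older REQ_MON_GETLIST) and each monitor entry returned for code 42 is 72 bytes, so a reply carrying six entries is 440 bytes. The payloads, addresses and flow records below are constructed; the request padding length is an assumption made for the sample.

```python
"""Classify NTP payloads and flag mode 7 'monlist' requests and responses.

Added example, not code from the talk or from ntp.org. Header layout follows
ntp_request.h; sample packets and flow records are constructed.
"""
import ipaddress
import struct

MONLIST_CODES = {20: "REQ_MON_GETLIST", 42: "REQ_MON_GETLIST_1"}
IMPL_XNTPD = 3  # implementation number ntpd answers for


def parse_mode7(payload):
    """Return the mode 7 header fields, or None if the packet is not mode 7."""
    if len(payload) < 8:
        return None
    b0, b1, impl, req, err_count, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != 7:
        return None
    return {
        "response": bool(b0 & 0x80),   # R bit: set on replies
        "more": bool(b0 & 0x40),       # M bit: further reply packets follow
        "version": (b0 >> 3) & 0x07,
        "sequence": b1 & 0x7F,
        "implementation": impl,
        "request_code": req,
        "error": err_count >> 12,
        "count": err_count & 0x0FFF,   # data items carried in this packet
        "item_size": mbz_size & 0x0FFF,
    }


def classify(payload):
    hdr = parse_mode7(payload)
    if hdr is None:
        mode = payload[0] & 0x07 if payload else 0
        return "ntp-time" if mode in (1, 2, 3, 4, 5) else "other"
    if hdr["request_code"] in MONLIST_CODES:
        return "monlist-response" if hdr["response"] else "monlist-request"
    return "mode7-other"


def audit(records, our_prefix):
    """Flag monlist requests reaching our hosts and monlist replies leaving
    them. In a reflection attack the request's source is the spoofed victim,
    so the peer reported in both findings is the real target, not the attacker."""
    ours = ipaddress.ip_network(our_prefix)
    findings = []
    for rec in records:
        kind = classify(rec["payload"])
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if kind == "monlist-request" and dst in ours and rec["dport"] == 123:
            findings.append(("monlist_request_received", rec["dst"], rec["src"], len(rec["payload"])))
        elif kind == "monlist-response" and src in ours and rec["sport"] == 123:
            findings.append(("monlist_response_sent", rec["src"], rec["dst"], len(rec["payload"])))
    return findings


# Constructed payloads: zero-filled data areas (real entries hold addresses
# and counters); the 184-byte request padding is an assumption for the sample.
MONLIST_REQUEST = bytes([0x17, 0x00, IMPL_XNTPD, 42]) + struct.pack("!HH", 0, 0) + b"\x00" * 184
MONLIST_RESPONSE = bytes([0xD7, 0x00, IMPL_XNTPD, 42]) + struct.pack("!HH", 6, 72) + b"\x00" * (6 * 72)
NTP_CLIENT = bytes([0x23]) + b"\x00" * 47   # VN=4, mode 3
NTP_SERVER = bytes([0x24]) + b"\x00" * 47   # VN=4, mode 4

SAMPLE_RECORDS = [
    # spoofed request: source is the victim, destination is our NTP server
    {"src": "198.51.100.200", "sport": 40000, "dst": "192.0.2.53", "dport": 123, "payload": MONLIST_REQUEST},
    # the 440-byte reply our server sends back towards the victim
    {"src": "192.0.2.53", "sport": 123, "dst": "198.51.100.200", "dport": 40000, "payload": MONLIST_RESPONSE},
    # ordinary time synchronisation, not flagged
    {"src": "192.0.2.10", "sport": 123, "dst": "192.0.2.53", "dport": 123, "payload": NTP_CLIENT},
    {"src": "192.0.2.53", "sport": 123, "dst": "192.0.2.10", "dport": 123, "payload": NTP_SERVER},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS, "192.0.2.0/24"):
        print(finding)
```

Any `monlist_response_sent` finding means the host is already acting as a reflector; the M bit and the count field show that a full list comes back as a train of packets, which is where the amplification lives. On ntpd itself the fix is to deny mode 6/7 queries with `restrict default ... noquery` (or `disable monitor`) in ntp.conf, or to upgrade to a version without monlist.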

17 NTP Monlist attack activity
Initial large scale attacks began in December 2013
On Feb 10, 2014, hosting provider CloudFlare experienced a 400 GBps attack
Attacker employed 4529 unique NTP servers on 1298 different networks
Average flow per NTP server was 87Mbps
For comparison, Spamhaus experienced a 300 GBps attack in 2013 that involved 30,956 DNS resolvers
The good news is that the attacks may have peaked in February, as open NTP servers have been closed in recent weeks

18 NTP recent traffic trends
[Graph: aggregate NTP traffic as seen from Arbor Networks' ATLAS system over recent months]
Source:

19 Example monlist output
>ntpdc -n -c monlist
remote address          port  local address    count
==============          ====  ===============  =====

20 NTP amplification example
[Traffic graph for February 2014: host (FreeBSD) being used as amplifier with the NTP monlist command -- Peak = 6 Mbps]

21 BCP 38
IETF BCP 38 was published in 2000 in response to DDoS attacks and recommends that networks perform filtering to prevent address spoofing
If such filtering were implemented pervasively, it would block the ongoing DRDoS attacks
Several sources publish recommended configurations to prevent source address spoofing
For example, the Team Cymru templates at
Merit has deployed anti-spoofing filters in its core routers
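The slide says what BCP 38 asks for but not what the check on each packet actually is. The following is an added example, not code from the talk, from BCP 38 or from the Team Cymru templates. It models the decision a router makes on a customer-facing interface: forward a packet only if the route back to its source address points out the interface it arrived on (strict unicast reverse-path forwarding, which is how routers implement BCP 38 without a hand-written ACL per customer), and never if the source is a martian address. The route table, interface names and sample packets are constructed.

```python
"""BCP 38 style ingress source-address validation (strict uRPF model).

Added example, not code from the talk or from any router vendor. Routes,
interface names and packets are constructed.
"""
import ipaddress

# Sources that are never valid on the wire, whatever the interface.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "ff00::/8",
)]


class IngressFilter:
    def __init__(self, routes):
        # (prefix, egress interface); longest prefix wins on lookup
        self.routes = [(ipaddress.ip_network(p), ifname) for p, ifname in routes]

    def route_for(self, addr):
        matches = [(net, ifname) for net, ifname in self.routes if addr in net]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None

    def check(self, src_ip, in_iface):
        """Return ('permit' | 'drop', reason) for a packet from src_ip on in_iface."""
        addr = ipaddress.ip_address(src_ip)
        if any(addr in m for m in MARTIANS):
            return "drop", "martian source address"
        route = self.route_for(addr)
        if route is None:
            return "drop", "no route back to source"
        net, via = route
        if via != in_iface:
            # the source belongs somewhere else: this is a spoofed packet
            return "drop", f"source {net} is reached via {via}, not {in_iface}"
        return "permit", f"source {net} is reachable via the ingress interface"


# Constructed edge router: two customer prefixes plus a default route upstream.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", "Gi0/1"),      # customer A
    ("198.51.100.0/24", "Gi0/2"),   # customer B
    ("2001:db8:a::/48", "Gi0/1"),   # customer A, IPv6
    ("0.0.0.0/0", "Gi0/0"),         # upstream transit
    ("::/0", "Gi0/0"),
]

SAMPLE_PACKETS = [
    ("192.0.2.77", "Gi0/1"),        # customer A using its own address
    ("203.0.113.5", "Gi0/1"),       # customer A spoofing an unrelated source
    ("198.51.100.9", "Gi0/1"),      # customer A spoofing customer B
    ("192.0.2.77", "Gi0/0"),        # our own prefix arriving from upstream
    ("127.0.0.1", "Gi0/1"),         # martian
    ("2001:db8:a::10", "Gi0/1"),    # customer A IPv6, legitimate
]


def run_samples():
    flt = IngressFilter(SAMPLE_ROUTES)
    return [flt.check(src, iface)[0] for src, iface in SAMPLE_PACKETS]


if __name__ == "__main__":
    flt = IngressFilter(SAMPLE_ROUTES)
    for src, iface in SAMPLE_PACKETS:
        print(src, iface, *flt.check(src, iface))
```

The fourth sample shows the same rule protecting the network from the outside: a packet carrying one of our own prefixes but arriving on the transit interface is dropped. Strict mode belongs on customer and access interfaces where routing is symmetric; on peering or upstream links, where the return path may differ from the ingress interface, strict checking drops legitimate traffic and loose mode (the source merely has to be routable) or no uRPF is used instead. On Cisco IOS the strict check corresponds to `ip verify unicast source reachable-via rx` on the interface, and `reachable-via any` to loose mode.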

22 Testing for BCP 38
The Spoofer Project maintains software to test whether or not your network blocks spoofing
Unfortunately, recent stats indicate roughly 25% of Autonomous Systems still do not filter

23 Do you have open hosts?
openresolverproject.org was established in the wake of the open DNS resolver based attacks
Regularly scans for open recursive DNS resolvers
You can enter your network blocks to see if you have any open servers on your network
A parallel project has been started to check for open NTP servers at openntpproject.org
A recent check of networks behind Merit's AS237 yielded the following numbers:
200 open DNS resolvers (down from 400+ last year)
1600 open NTP servers (monlist disabled on most)

24 Conclusions
DRDoS attacks will likely be an ongoing issue for many years
There have been some successes in closing down open DNS resolvers, NTP servers, SNMP agents, etc., but there are still significant numbers open
Unfortunately, not much improvement in getting networks to implement BCP 38 over the years; some discussions in recent operator meetings about improving outreach and education efforts
Please do your part and regularly check for open UDP services and close/restrict them if possible


What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services Firewalls What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services only authorized traffic is allowed Auditing and

More information

TDC s perspective on DDoS threats

TDC s perspective on DDoS threats TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)

More information

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer 2012 Infrastructure Security Report 8th Annual Edition Kleber Carriello Consulting Engineer Key Findings in the Survey* Advanced Persistent Threats (APT) a top concern for service providers and enterprises

More information

Introducing FortiDDoS. Mar, 2013

Introducing FortiDDoS. Mar, 2013 Introducing FortiDDoS Mar, 2013 Introducing FortiDDoS Hardware Accelerated DDoS Defense Intent Based Protection Uses the newest member of the FortiASIC family, FortiASIC-TP TM Rate Based Detection Inline

More information

Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS

Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS Classification: TLP-GREEN RISK LEVEL: MEDIUM Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS Release Date: 6.1.16 1.0 / OVERVIEW / Akamai SIRT is investigating a new DDoS reflection

More information

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends 3. The Environment Surrounding DNS DNS is used in many applications, serving as an important Internet service. Here we discuss name collision issues that have arisen with recent TLD additions, and examine

More information

Denial of Service (DoS)

Denial of Service (DoS) Intrusion Detection, Denial of Service (DoS) Prepared By:Murad M. Ali Supervised By: Dr. Lo'ai Tawalbeh New York Institute of Technology (NYIT), Amman s campus-2006 Denial of Service (DoS) What is DoS

More information

Network Bandwidth Denial of Service (DoS)

Network Bandwidth Denial of Service (DoS) Network Bandwidth Denial of Service (DoS) Angelos D. Keromytis Department of Computer Science Columbia University Synonyms Network flooding attack, packet flooding attack, network DoS Related Concepts

More information

1. Firewall Configuration

1. Firewall Configuration 1. Firewall Configuration A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets

More information

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment Keyur Chauhan 1,Vivek Prasad 2 1 Student, Institute of Technology, Nirma University (India) 2 Assistant Professor,

More information

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015) s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware

More information

General Network Security

General Network Security 4 CHAPTER FOUR General Network Security Objectives This chapter covers the following Cisco-specific objectives for the Identify security threats to a network and describe general methods to mitigate those

More information

First Line of Defense

First Line of Defense First Line of Defense SecureWatch ANALYTICS FIRST LINE OF DEFENSE OVERVIEW KEY BENEFITS Comprehensive Visibility Powerful web-based security analytics portal with easy-to-read security dashboards Proactive

More information

DDoS Attack Trends and Countermeasures A Information Theoretical Metric Based Approach

DDoS Attack Trends and Countermeasures A Information Theoretical Metric Based Approach DDoS Attack Trends and Countermeasures A Information Theoretical Metric Based Approach Anurag Kochar 1 1 Computer Science Engineering Department, LNCT, Bhopal, Madhya Pradesh, India, anuragkochar99@gmail.com

More information

SURE 5 Zone DDoS PROTECTION SERVICE

SURE 5 Zone DDoS PROTECTION SERVICE SURE 5 Zone DDoS PROTECTION SERVICE Sure 5 Zone DDoS Protection ( the Service ) provides a solution to protect our customer s sites against Distributed Denial of Service (DDoS) attacks by analysing incoming

More information

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015 Network Security Dr. Ihsan Ullah Department of Computer Science & IT University of Balochistan, Quetta Pakistan April 23, 2015 1 / 24 Secure networks Before the advent of modern telecommunication network,

More information

DDOS ATTACKS: PREPARATION-DETECTION-MITIGATION. Mohammad Fakrul Alam. bdhub. SANOG 21 January 27 - Feb 4, 2013 Cox's Bazar, Bangladesh

DDOS ATTACKS: PREPARATION-DETECTION-MITIGATION. Mohammad Fakrul Alam. bdhub. SANOG 21 January 27 - Feb 4, 2013 Cox's Bazar, Bangladesh DDOS ATTACKS: PREPARATION-DETECTION-MITIGATION SANOG 21 January 27 - Feb 4, 2013 Cox's Bazar, Bangladesh Mohammad Fakrul Alam bdhub fakrul [at] bdhub [dot] com AGENDA 1. Overview of (D)DoS 2. How to (D)DoS

More information

[state of the internet] / DDoS Reflection Vectors. Threat Advisory: NetBIOS name server, RPC portmap and Sentinel reflection DDoS

[state of the internet] / DDoS Reflection Vectors. Threat Advisory: NetBIOS name server, RPC portmap and Sentinel reflection DDoS TLP: GREEN Issue Date: 2015.10.28 Risk Factor- Medium Threat Advisory: NetBIOS name server, RPC portmap and Sentinel reflection DDoS 1.0 / OVERVIEW / In the third quarter of 2015, Akamai mitigated and

More information

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series Cisco IOS Firewall Feature Set Feature Summary The Cisco IOS Firewall feature set is available in Cisco IOS Release 12.0. This document includes information that is new in Cisco IOS Release 12.0(1)T, including

More information

Denial of Service Attacks, What They are and How to Combat Them

Denial of Service Attacks, What They are and How to Combat Them Denial of Service Attacks, What They are and How to Combat Them John P. Pironti, CISSP Genuity, Inc. Principal Enterprise Solutions Architect Principal Security Consultant Version 1.0 November 12, 2001

More information

Technical Series. A Prolexic White Paper. Firewalls: Limitations When Applied to DDoS Protection

Technical Series. A Prolexic White Paper. Firewalls: Limitations When Applied to DDoS Protection A Prolexic White Paper Firewalls: Limitations When Applied to DDoS Protection Introduction Firewalls are often used to restrict certain protocols during normal network situations and when Distributed Denial

More information

DDoS Protection Technology White Paper

DDoS Protection Technology White Paper DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of

More information

shortcut Tap into learning NOW! Visit www.informit.com/shortcuts for a complete list of Short Cuts. Your Short Cut to Knowledge

shortcut Tap into learning NOW! Visit www.informit.com/shortcuts for a complete list of Short Cuts. Your Short Cut to Knowledge shortcut Your Short Cut to Knowledge The following is an excerpt from a Short Cut published by one of the Pearson Education imprints. Short Cuts are short, concise, PDF documents designed specifically

More information

Real Life DoS/DDOS Threats and Benefits of Deep DDOS Inspection. Oğuz YILMAZ CTO Labris Networks

Real Life DoS/DDOS Threats and Benefits of Deep DDOS Inspection. Oğuz YILMAZ CTO Labris Networks Real Life DoS/DDOS Threats and Benefits of Deep DDOS Inspection Oğuz YILMAZ CTO Labris Networks 1 Today Labris Networks L7 Attacks L7 HTTP DDoS Detection Problems Case Study: Deep DDOS Inspection (DDI

More information

DDOS ATTACKS: PREPARATION-DETECTION-MITIGATION

DDOS ATTACKS: PREPARATION-DETECTION-MITIGATION DDOS ATTACKS: PREPARATION-DETECTION-MITIGATION Mohammad Fakrul Alam bdhub fakrul [at] bdhub [dot] com AGENDA 1. Overview of (D)DoS 2. How to (D)DoS 3. Motivation 4. Attack Type 5. Detection 6. Preparation

More information

DDoS Basics. internet: unique numbers that identify areas and unique machines on the network.

DDoS Basics. internet: unique numbers that identify areas and unique machines on the network. DDoS Basics Introduction Distributed Denial of Service (DDoS) attacks are designed to prevent or degrade services provided by a computer at a given Internet Protocol 1 (IP) address. This paper will explain,

More information

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks Enabling Precise Defense against New DDoS Attacks 1 Key Points: DDoS attacks are more prone to targeting the application layer. Traditional attack detection and defensive measures fail to defend against

More information