DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

Transcription

1 DRDoS Attacks: Latest Threats and Countermeasures Larry J. Blunk Spring 2014 MJTS 4/1/2014

2 Outline Evolution and history of DDoS attacks Overview of DRDoS attacks Ongoing DNS based attacks Recent NTP monlist based attacks BCP 38 and the importance of source address filtering Are your hosts acting as reflectors?

3 Origins of DDoS attacks Attacker uses a set of compromised hosts (zombies) to attack a particular target Compromised hosts address attack traffic directly towards target destination IP address Source address could be the real IP of compromised host or a spoofed IP address Spoofed addresses more difficult to track/block Enables certain classes of attacks (TCP SYN attack) Early attacks generally targeted specific services rather than flooding bandwidth

4 A traditional DDoS attack Zombie 1:1 Traffic ratio from Zombies to target Attacker Zombie Target Zombie Scaling requires adding more zombies

5 Earliest Large DDoS PANIX - one of the Internet s earliest ISP s was hit with TCP SYN flood attack in early Sept, 1996 TCP SYN packets with random source addresses sent to a service (http, smtp, etc) which quickly fills TCP connection table slots "The hacker has been sending up to 150 requests a second to Panix's computers, seeking to establish a connection... the requests, presumably generated by a malicious computer program, contain fake Internet addresses, which the computer must sort out before they can discard them. The computers have choked under the deluge."

6 DRDoS Attacks Distributive Reflective Denial of Service A particular variant of DDoS attacks Attacker does not address packets directly towards target Spoofs the target s address as the source and sends to third party ICMP/UDP services which reflect responses back towards the actual target Depending on the service, this form of attack can greatly amplify the zombie s attack traffic Does not target any particular service on the target - works by flooding available bandwidth

7 DRDoS Attack Diagram Zombies spoof target s address as their source IP Zombie Reflectors Reflectors amplify traffic (larger/multiple packets) towards target Attacker Target Zombie Zombie Scaling can be accomplished by adding more reflectors

8 Early DRDoS attacks Examples of ICMP/UDP services which may be leveraged for DRDoS attacks include ICMP Echo, DNS, SNMP, NTP, and certain UDP simple services (Chargen, Echo, and QotD) One of the earliest examples was the Smurf attack which utilized ICMP Echo/Responses Originated in 1997, named for smurf.c program Sent ICMP Echo messages to subnet broadcast addresses with spoofed source address of target All hosts on subnet would see the broadcast and send Echo Responses towards target

9 Early DRDoS cont d Amplification factor varied with number of hosts on subnet Variant of the Smurf attack was Fraggle attack Like the Smurf attack, it used directed subnet broadcast addresses to the UDP echo (7) and chargen (19) ports These forms of attacks were largely addressed by disabling directed broadcasts and disabling simple services on Unix hosts and routers Router(config-if)# no ip directed-broadcast Router(config-if)# no service udp-small-servers

10 Open DNS resolvers Attackers began leveraging open DNS resolvers for DRDoS around 2005 Initially, attackers used TXT records (up to 4000 bytes) created on a compromised DNS server Compromised zombie hosts then queried for TXT record using spoofed source address of target 60 byte query yields can yield a 4000 byte response for roughly 70:1 amplification effect

11 Open DNS resolvers (cont d) As DNSSEC deployment began recently, attackers begin leveraging DNSSEC signed zones DNSSEC uses relatively large DNSKEY, NSEC, and RRSIG record types to secure zones Early adopters began signing zones in 2008 isc.org and ripe.net are two early examples Attackers can simply query for type ANY for DNSSEC signed zones to generate large responses Difficult to block as they are legitimate records The root zone was recently signed can now also be used to generate large responses

12 Example query/response $ dig +edns=0. any ;; ANSWER SECTION: IN RRSIG NSEC htmogfei1ecx4zkfzjhhrzg6s1qtfjnlbjvq+oapx+2fnacqpz7i1qbv XGeBsv9LhalkqSW/rBNOVW2O+5lEk2FuOl4bvoBRwYy7oUac4I1Yscf0 AH2zePNYBhDN0FHjbHl/hMVcv4UwAdlNotRWyh2NA7yJA5V6otNjN9b3 Ia8=.. ;; Query time: 17 msec ;; SERVER: ::1#53(::1) ;; WHEN: Mon Mar 31 23:11: ;; MSG SIZE rcvd: 1603

13 Evolution of DNS attacks There have been ongoing efforts over recent year to get operators to close open recursive resolvers Resolvers only need to respond to queries from local network clients and there has been some success in getting operators to restrict access Authoritative DNS servers, however must be open to queries from the entire Internet More restrictive than resolvers as they will only answer queries for zone that they are authoritative for Recent attacks are exploiting authoritative servers Response Rate Limiting (RRL) being deployed on servers to limit effectiveness of amplification

14 Protocols other than DNS Researchers have been studying if there are other UDP protocols which can be used for amplification They have also been looking for any evidence of new attacks in the wild A recent paper examined various protocols and their potential amplification ratio The researchers noted that a particular NTP command yields a very high amplification ratio However, at the time of their analysis (mid 2013), they had yet to notice any attacks employing NTP

15 Amplification factors Protocol Amplification Details ======== ============= ======= DNS 28 to 54 Domain name NTP NTP Monlist SNMPv2 6.3 GetBulk request NetBIOS 3.8 Name resolution SSDP 30.8 SEARCH request CharGEN Character generation QOTD Quote request BitTorrent 3.8 File search Kad 16.3 Peer list exchange Quake 63.9 Server info exchange Steam 5.5 Server info exchange

16 NTP Monlist details Part of the ntp.org implementation (used widely) Provides statistics from last N connections Where N is often 100 DRDoS attack potential first noted in byte NTP query == bytes ea. Monlist removed in NTP version in 2011 However, many distributions and devices still based on version or earlier Linux distros RedHat/Centos/Ubuntu/etc., FreeBSD JunOS, SuperMicro IPMI controller, etc

17 NTP Monlist attack activity Initial large scale attacks began in December 2013 On Feb 10, 2014, hosting provider CloudFlare experienced a 400 GBps attack Attacker employed 4529 unique NTP servers on 1298 different network Average flow per NTP server was 87Mbps For comparison, Spamhaus experienced 300 GBps attack in 2013 that involved 30,956 DNS resolvers The good news is that the attacks may have peaked in February as open NTP servers have been closed in recent weeks

18 NTP recent traffic trends Aggregate NTP traffic as seen from Arbor Network s ATLAS system over recent months Source:

19 Example monlist output >ntpdc -n -c monlist remote address port local address count ============== ===== =============== =====

20 NTP amplification example Host (FreeBSD) being used as amplifier with NTP monlist command -- Peak = 6 Mbps Traffic graph for February 2014

21 BCP 38 IETF BCP 38 was published in 2000 in response to DDOS attacks and recommends networks perform filtering to prevent address spoofing If such filtering were implemented pervasively, it would block the ongoing DRDoS attacks Several sources publish recommended configurations to prevent source address spoofing For example, the Team Cymru templates at Merit has deployed anti-spoofing filters in it s core routers

22 Testing for BCP 38 The Spoofer Project maintains software to test whether or not your network blocks spoofing Unfortunately, recent stats indicate roughly 25% of Autonomous Systems still do not filter

23 Do you have open hosts? openresolverproject.org was established in the wake of the open DNS resolver based attacks Regularly scans for open recursive DNS resolvers You can enter your network blocks to see if you have any open servers on your network A parallel project has been started to check for open NTP servers at openntpproject.org A recent check of networks behind Merit s AS237 yielded the following numbers 200 open DNS resolvers (down from 400+ last year) 1600 open NTP servers (monlist disabled on most)

24 Conclusions DRDoS attacks will likely be on ongoing issue for many years There have been some successes in closing down open DNS resolvers, NTP servers, SNMP agents, etc. but there are still significant numbers open Unfortunately, not much improvement in getting networks to implement BCP 38 over the years some discussions in recent operator meetings about improving outreach and education efforts Please do your part and regularly check for open UDP services and close/restrict if possible