Reducing the Impact of Amplification DDoS Attack

Transcription

1 Reducing the Impact of Amplification DDoS Attack

2 hello! I am Tommy Ngo I am here to present my reading: reducing the impact of amplification DDoS attack 2

3 1. Background Let s start with what amplification DDoS attack is 3

4 Amplification DDoS Attack Attackers abused UDP-based network protocols to launch DDoS attacks that exceed hundreds of Gbps in traffic volume. Achieved via reflective attack. Attackers choose reflectors that send back responses that are significantly larger than the requests, leading to an increased (amplified) attack volume. Called amplifier. 4

5 2. Motivation Let s talk about the motivation behind reducing the impact of amplification DDoS attack 5

6 Motivation Limited knowledge This paper will address this problem by: Understand the nature of amplifiers and determine which kinds of systems are vulnerable. reduce the number of vulnerable systems on the Internet. An analysis of potential attack vectors that adversaries could abuse in the future. Analysed the root cause behind amplification attacks 6

7 3. Nature of Amplifier & Vulnerable Systems Let s see who the target amplifiers and what the target systems are 7

8 Nature of Amplifier & Vulnerable Systems Typically, connectionless protocols in which she can send relatively small requests that result in significantly larger responses. Developed an efficient scanner Vulnerable protocols: DNS, SNMP, SSDP, CharGen, QOTD, NTP, and NetBIOS. Each protocol, sent request that can be used to amplify traffic. NTP version requests SNMP v2 GetBulk requests DNS A lookups NetBIOS default name lookup The amplification vulnerabilities of these seven protocols can be abused by attackers to launch severe amplification attacks. 8

9 Nature of Amplifier & Vulnerable Systems (cont) 9

10 Amplifier Classification Generated device fingerprints by inspecting the replies from the amplifiers during UDP scan Analyse the responses of each host and protocol to classify system in three categories: The underlying hardware The system architecture The operating system 10

11 Amplifier Classification 11

12 Amplifier Churn 12

13 4. Case Studies NTP and TCP Amplification 13

14 NTP Amplification NTP is a promising amplification vector for an attacker for three reasons NTP server implementations allow for amplification factors of up to 4,670 NTP servers have minimal IP address churn NTP offers even further amplification vectors NTP servers can be configured such that the monlist requests are disabled for unauthorized users 14

15 NTP Amplifier Notification Datasets: NTPver: all NTP servers reply to version request NTPmon: a subset of NTPver, contains NTP servers that also support the monlist request Campaign: Collaborated with security organisation to create technical advisories such as CERT-CC, MITRE and Cisco s PSIRT Distributed lists of IP addresses of the systems in the NTPmon among trusted institutions. 15

16 Result 16

17 TCP-based Amplification Attacks TCP is a connection-oriented protocol in early on (i.e., during the handshake) the IP addresses of both communication parties are implicitly verified via initially-random TCP sequence numbers Abusing TCP bring multiple benefits: providers cannot easily block or filter TCP traffic related to well-known protocols It is hard to distinguish attacks from normal traffic in a stream of TCP control segments there are millions of potential TCP amplifiers out there and fixing them seems like an infeasible operation. 17

18 TCP Amplification Background 18

19 5. Spoofer Identification 19

20 Spoofer Identification IP address spoofing is the root cause for amplification attacks. Spoofed traffic should be blocked at the network edge However, spoofing still possible. Scanned the internet to see if Autonomous Systems allows spoofing More than 2000 networks allow spoofing. 20

21 6. Criticisms 21

22 Criticisms Only scan IPv4 address space. Only NTPmon was addressed. Of the 41.9% decrease after 13 weeks, many systems presumable disappeared because of our NTP amplifier notification campaign and not because of IP churn. Only limited number of protocols were scanned and analysed. Did not give a solution for ASes that do not use egress filtering. 22

23 thanks! Any questions? 23

24 Measuring TCP Amplification 24

25 Credits Special thanks to all the people who made and released these awesome resources for free: Presentation template by SlidesCarnival Photographs by Unsplash 25

26 SlidesCarnival icons are editable shapes. This means that you can: Resize them without losing quality. Change fill color and opacity. Isn t that nice? :) Examples: 26

27 Extra graphics 27