DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014


Outline
- Evolution and history of DDoS attacks
- Overview of DRDoS attacks
- Ongoing DNS based attacks
- Recent NTP monlist based attacks
- BCP 38 and the importance of source address filtering
- Are your hosts acting as reflectors?

Origins of DDoS attacks
- Attacker uses a set of compromised hosts (zombies) to attack a particular target
- Compromised hosts address attack traffic directly towards the target's destination IP address
- Source address could be the real IP of the compromised host or a spoofed IP address
  - Spoofed addresses are more difficult to track/block
  - Enables certain classes of attacks (TCP SYN attack)
- Early attacks generally targeted specific services rather than flooding bandwidth

A traditional DDoS attack (diagram): Attacker -> Zombies -> Target. 1:1 traffic ratio from zombies to target; scaling requires adding more zombies.

Earliest Large DDoS
- PANIX, one of the Internet's earliest ISPs, was hit with a TCP SYN flood attack in early Sept, 1996
- TCP SYN packets with random source addresses were sent to a service (http, smtp, etc.), which quickly fills the TCP connection table slots
- "The hacker has been sending up to 150 requests a second to Panix's computers, seeking to establish a connection... the requests, presumably generated by a malicious computer program, contain fake Internet addresses, which the computer must sort out before they can discard them. The computers have choked under the deluge."

DRDoS Attacks
- Distributed Reflective Denial of Service
- A particular variant of DDoS attacks
- Attacker does not address packets directly towards the target
- Spoofs the target's address as the source and sends to third party ICMP/UDP services, which reflect responses back towards the actual target
- Depending on the service, this form of attack can greatly amplify the zombie's attack traffic
- Does not target any particular service on the target - works by flooding available bandwidth

DRDoS Attack Diagram: Attacker -> Zombies -> Reflectors -> Target. Zombies spoof the target's address as their source IP; reflectors amplify traffic (larger/multiple packets) towards the target. Scaling can be accomplished by adding more reflectors.

Early DRDoS attacks
- Examples of ICMP/UDP services which may be leveraged for DRDoS attacks include ICMP Echo, DNS, SNMP, NTP, and certain UDP simple services (Chargen, Echo, and QotD)
- One of the earliest examples was the Smurf attack, which utilized ICMP Echo/Responses
  - Originated in 1997, named for the smurf.c program
  - Sent ICMP Echo messages to subnet broadcast addresses with the spoofed source address of the target
  - All hosts on the subnet would see the broadcast and send Echo Responses towards the target

Early DRDoS cont'd
- Amplification factor varied with the number of hosts on the subnet
- A variant of the Smurf attack was the Fraggle attack
  - Like the Smurf attack, it used directed subnet broadcast addresses to the UDP echo (7) and chargen (19) ports
- These forms of attacks were largely addressed by disabling directed broadcasts and disabling simple services on Unix hosts and routers:
    Router(config-if)# no ip directed-broadcast
    Router(config)# no service udp-small-servers

Open DNS resolvers
- Attackers began leveraging open DNS resolvers for DRDoS around 2005
- Initially, attackers used TXT records (up to 4000 bytes) created on a compromised DNS server
- Compromised zombie hosts then queried for the TXT record using the spoofed source address of the target
- A 60 byte query can yield a 4000 byte response, for roughly a 70:1 amplification effect

Open DNS resolvers (cont'd)
- As DNSSEC deployment began in recent years, attackers began leveraging DNSSEC signed zones
- DNSSEC uses relatively large DNSKEY, NSEC, and RRSIG record types to secure zones
- Early adopters began signing zones in 2008; isc.org and ripe.net are two early examples
- Attackers can simply query for type ANY for DNSSEC signed zones to generate large responses
- Difficult to block as they are legitimate records
- The root zone was recently signed and can now also be used to generate large responses

Example query/response
    $ dig +edns=0 . any
    ;; ANSWER SECTION:
    .  63761  IN  RRSIG  NSEC 8 0 86400 20140407000000 20140330230000 33655 . htmogfei1ecx4zkfzjhhrzg6s1qtfjnlbjvq+oapx+2fnacqpz7i1qbv XGeBsv9LhalkqSW/rBNOVW2O+5lEk2FuOl4bvoBRwYy7oUac4I1Yscf0 AH2zePNYBhDN0FHjbHl/hMVcv4UwAdlNotRWyh2NA7yJA5V6otNjN9b3 Ia8=
    ..
    ;; Query time: 17 msec
    ;; SERVER: ::1#53(::1)
    ;; WHEN: Mon Mar 31 23:11:14 2014
    ;; MSG SIZE  rcvd: 1603

Evolution of DNS attacks
- There have been ongoing efforts over recent years to get operators to close open recursive resolvers
  - Resolvers only need to respond to queries from local network clients, and there has been some success in getting operators to restrict access
- Authoritative DNS servers, however, must be open to queries from the entire Internet
  - More restrictive than resolvers, as they will only answer queries for zones that they are authoritative for
- Recent attacks are exploiting authoritative servers
- Response Rate Limiting (RRL) is being deployed on servers to limit the effectiveness of amplification
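To show what the RRL bullet above means in practice, here is an added example (not from the slides, and not BIND's or any server's own code) of a simplified response rate limiter: identical answers to one client netblock are capped per second, and every second excess answer is sent truncated so a real client falls back to TCP while a spoofed victim gets only a tiny packet. The query stream, the /24 grouping and the limits are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

class ResponseRateLimiter:
    """Simplified Response Rate Limiting for an authoritative DNS server.
    Modelled loosely on the rate-limit behaviour of BIND (this is an
    illustration, not BIND's implementation): identical responses to one
    client netblock are capped per second; every `slip`-th excess response
    is sent truncated (TC=1) so a genuine client retries over TCP, while a
    spoofed victim receives a ~50-byte packet instead of a large ANY or
    DNSSEC answer. All other excess responses are dropped."""

    def __init__(self, responses_per_second=5, slip=2, v4_prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip
        self.v4_prefix_len = v4_prefix_len
        self.counts = defaultdict(int)  # (second, netblock, qname, qtype) -> sent
        self.excess = defaultdict(int)  # same key -> responses over the cap

    def decide(self, client_ip, qname, qtype, now):
        """Return 'respond', 'slip' (truncated reply) or 'drop'."""
        addr = ipaddress.ip_address(client_ip)
        plen = self.v4_prefix_len if addr.version == 4 else 56  # /56 for IPv6 is an assumption
        block = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        key = (int(now), str(block), qname.lower(), qtype)
        self.counts[key] += 1
        if self.counts[key] <= self.rps:
            return "respond"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "slip"
        return "drop"

# Constructed query stream (not from the slides): 20 ANY queries for a signed
# zone within one second, all carrying the victim's address as the source,
# plus one ordinary A query from an unrelated client.
SAMPLE_QUERIES = [("203.0.113.5", "isc.org", "ANY", i * 0.04) for i in range(20)]
SAMPLE_QUERIES.append(("198.51.100.10", "isc.org", "A", 0.5))

def tally(queries, limiter=None):
    """Run a query stream through the limiter and count each decision."""
    limiter = limiter or ResponseRateLimiter()
    counts = {"respond": 0, "slip": 0, "drop": 0}
    for client_ip, qname, qtype, ts in queries:
        counts[limiter.decide(client_ip, qname, qtype, ts)] += 1
    return counts
```

With the defaults, the 20 spoofed ANY queries yield only 5 full responses, 7 truncated ones and 8 drops, while the unrelated client is answered normally.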

Protocols other than DNS
- Researchers have been studying whether there are other UDP protocols which can be used for amplification
- They have also been looking for any evidence of new attacks in the wild
- A recent paper examined various protocols and their potential amplification ratio: http://www.internetsociety.org/doc/amplification-hellrevisiting-network-protocols-ddos-abuse
- The researchers noted that a particular NTP command yields a very high amplification ratio
- However, at the time of their analysis (mid 2013), they had yet to notice any attacks employing NTP

Amplification factors
    Protocol     Amplification   Details
    ========     =============   =======
    DNS          28 to 54        Domain name
    NTP          556.9           NTP Monlist
    SNMPv2       6.3             GetBulk request
    NetBIOS      3.8             Name resolution
    SSDP         30.8            SEARCH request
    CharGEN      358.8           Character generation
    QOTD         140.3           Quote request
    BitTorrent   3.8             File search
    Kad          16.3            Peer list exchange
    Quake        63.9            Server info exchange
    Steam        5.5             Server info exchange

NTP Monlist details
- Part of the ntp.org implementation (used widely)
- Provides statistics from the last N connections, where N is often 100
- DRDoS attack potential first noted in 2009: http://lists.ntp.org/pipermail/pool/2011-december/005616.html
- 8 byte NTP query == 100 pkts @ 440 bytes ea.
- Monlist removed in NTP version 4.2.7 in 2011
- However, many distributions and devices are still based on version 4.2.6 or earlier: Linux distros (RedHat/CentOS/Ubuntu/etc.), FreeBSD, JunOS, SuperMicro IPMI controller, etc.

NTP Monlist attack activity
- Initial large scale attacks began in December 2013
- On Feb 10, 2014, hosting provider CloudFlare experienced a 400 Gbps attack
  - Attacker employed 4529 unique NTP servers on 1298 different networks
  - Average flow per NTP server was 87 Mbps
- For comparison, Spamhaus experienced a 300 Gbps attack in 2013 that involved 30,956 DNS resolvers
- The good news is that the attacks may have peaked in February, as open NTP servers have been closed in recent weeks

NTP recent traffic trends (graph): aggregate NTP traffic as seen from Arbor Networks' ATLAS system over recent months. Source: http://www.arbornetworks.com/asert/2014/03/ntp-attacks-continue-a-quick-look-at-traffic-over-the-past-few-months/

Example monlist output
    > ntpdc -n -c monlist 141.217.152.178
    remote address   port   local address     count
    ==============   =====  ===============   =====
    198.108.62.151   43786  141.217.152.178   3
    77.221.130.41    80     141.217.152.178   335
    156.154.166.223  80     141.217.152.178   9777
    5.254.113.2      4000   141.217.152.178   6252
    198.50.241.72    2311   141.217.152.178   10427
    82.124.61.235    21     141.217.152.178   20
    85.114.135.181   13002  141.217.152.178   5530
    197.221.60.26    80     141.217.152.178   23866
    94.242.253.107   7777   141.217.152.178   408
    74.91.127.25     43594  141.217.152.178   8727
    141.101.116.111  80     141.217.152.178   9154
    ...

NTP amplification example (traffic graph for February 2014): host (FreeBSD) being used as an amplifier via the NTP monlist command -- peak = 6 Mbps

BCP 38
- IETF BCP 38 was published in 2000 in response to DDoS attacks and recommends that networks perform filtering to prevent address spoofing
- If such filtering were implemented pervasively, it would block the ongoing DRDoS attacks
- Several sources publish recommended configurations to prevent source address spoofing; for example, the Team Cymru templates at www.team-cymru.org/readingroom/templates/
- Merit has deployed anti-spoofing filters in its core routers

Testing for BCP 38
- The Spoofer Project maintains software to test whether or not your network blocks spoofing: http://spoofer.cmand.org/index.php
- Unfortunately, recent stats indicate roughly 25% of Autonomous Systems still do not filter

Do you have open hosts?
- openresolverproject.org was established in the wake of the open DNS resolver based attacks
  - Regularly scans for open recursive DNS resolvers
  - You can enter your network blocks to see if you have any open servers on your network
- A parallel project has been started to check for open NTP servers at openntpproject.org
- A recent check of networks behind Merit's AS237 yielded the following numbers:
  - 200 open DNS resolvers (down from 400+ last year)
  - 1600 open NTP servers (monlist disabled on most)
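The BCP 38 and "open hosts" slides above both come down to questions you can ask your own border flow records. As an added example (not from the slides, and not Merit's or any project's code), the following flags egress flows whose source address is not one of our prefixes (the condition BCP 38 filtering would block) and flags our own UDP services whose reply volume to a single peer dwarfs what that peer sent (a host acting as a reflector). The site prefix, the flow records and the ratio threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed site prefix for this example: the slides name Merit's AS237 but give
# no prefixes; 141.217.0.0/16 is used only because it contains the host shown
# in the monlist output above.
SITE_PREFIXES = [ipaddress.ip_network("141.217.0.0/16")]

# Constructed border-router flow records (not from the slides), all UDP:
# (src_ip, src_port, dst_ip, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.10", 123, "141.217.152.178", 123, 1, 76),       # normal NTP client query
    ("141.217.152.178", 123, "198.51.100.10", 123, 1, 76),       # normal NTP reply
    ("203.0.113.5", 54321, "141.217.152.178", 123, 1, 50),       # spoofed monlist query
    ("141.217.152.178", 123, "203.0.113.5", 54321, 100, 44000),  # 100 x 440 B reflected
    ("192.0.2.99", 40000, "198.51.100.53", 53, 1, 60),           # neither address is ours
]

def is_ours(ip, prefixes=SITE_PREFIXES):
    addr = ipaddress.ip_address(ip)
    return any(addr in p for p in prefixes)

def spoofed_egress(flows, prefixes=SITE_PREFIXES):
    """BCP 38 check for a stub (non-transit) network: a flow crossing the
    border whose source is not ours and whose destination is not ours either
    must carry a forged source address."""
    return [f for f in flows if not is_ours(f[0], prefixes) and not is_ours(f[2], prefixes)]

def reflector_candidates(flows, prefixes=SITE_PREFIXES, min_ratio=10.0):
    """Pair what each remote peer sent to one of our UDP services with what
    we sent back to that peer, and report pairs whose byte ratio looks like
    amplification (the table above gives 28-54x for DNS, 556.9x for monlist)."""
    bytes_in = defaultdict(int)   # (our_host, service_port, peer) -> bytes received
    bytes_out = defaultdict(int)  # same key -> bytes sent back
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if is_ours(dst, prefixes) and not is_ours(src, prefixes):
            bytes_in[(dst, dport, src)] += nbytes
        elif is_ours(src, prefixes) and not is_ours(dst, prefixes):
            bytes_out[(src, sport, dst)] += nbytes
    result = {}
    for key, out in bytes_out.items():
        inb = bytes_in.get(key, 0)
        ratio = out / inb if inb else float("inf")  # replies with no query at all are worst
        if ratio >= min_ratio:
            result[key] = ratio
    return result
```

On the constructed records the normal NTP exchange has a 1:1 ratio and is ignored, the monlist exchange is reported at 880x, and the flow with no local address on either side is the one BCP 38 egress filtering would have dropped.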

Conclusions
- DRDoS attacks will likely be an ongoing issue for many years
- There have been some successes in closing down open DNS resolvers, NTP servers, SNMP agents, etc., but there are still significant numbers open
- Unfortunately, there has not been much improvement in getting networks to implement BCP 38 over the years; there have been some discussions in recent operator meetings about improving outreach and education efforts
- Please do your part and regularly check for open UDP services, and close/restrict them if possible