Reducing the Impact of Amplification DDoS Attack


Hello! I am Tommy Ngo. I am here to present my reading: Reducing the Impact of Amplification DDoS Attacks.

1. Background

Let's start with what an amplification DDoS attack is.

Amplification DDoS Attack
- Attackers abuse UDP-based network protocols to launch DDoS attacks that exceed hundreds of Gbps in traffic volume.
- This is achieved via a reflective attack: attackers choose reflectors that send back responses significantly larger than the requests, leading to an increased (amplified) attack volume.
- Such a reflector is called an amplifier.

2. Motivation

Let's talk about the motivation behind reducing the impact of amplification DDoS attacks.

Motivation
- Limited knowledge of the problem. This paper addresses it by:
  - Understanding the nature of amplifiers and determining which kinds of systems are vulnerable.
  - Reducing the number of vulnerable systems on the Internet.
  - Analysing potential attack vectors that adversaries could abuse in the future.
  - Analysing the root cause behind amplification attacks.

3. Nature of Amplifiers & Vulnerable Systems

Let's see who the target amplifiers are and what the target systems are.

Nature of Amplifiers & Vulnerable Systems
- Typically connectionless protocols in which the attacker can send relatively small requests that result in significantly larger responses.
- The authors developed an efficient scanner.
- Vulnerable protocols: DNS, SNMP, SSDP, CharGen, QOTD, NTP, and NetBIOS.
- For each protocol, they sent a request that can be used to amplify traffic, for example:
  - NTP version requests
  - SNMP v2 GetBulk requests
  - DNS A lookups
  - NetBIOS default name lookups
- The amplification vulnerabilities of these seven protocols can be abused by attackers to launch severe amplification attacks.

Nature of Amplifiers & Vulnerable Systems (cont.)

Amplifier Classification
- Generated device fingerprints by inspecting the replies from the amplifiers during the UDP scan.
- Analysed the responses of each host and protocol to classify systems along three dimensions:
  - The underlying hardware
  - The system architecture
  - The operating system

Amplifier Classification

Amplifier Churn

4. Case Studies: NTP and TCP Amplification

NTP Amplification
- NTP is a promising amplification vector for an attacker for three reasons:
  - NTP server implementations allow for amplification factors of up to 4,670.
  - NTP servers have minimal IP address churn.
  - NTP offers even further amplification vectors.
- NTP servers can be configured such that monlist requests are disabled for unauthorized users.
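The slides talk about amplification factors and about amplifiers that send large replies from well-known service ports. The block below is an added example, not code from the talk or from the paper it summarises: it computes the bandwidth amplification factor (response payload bytes divided by request payload bytes) and runs a simple reflection check over constructed flow records, flagging a destination that receives large responses from several distinct hosts on an amplifiable service port. The port numbers are standard IANA assignments; the flow records, the per-packet size threshold and the minimum number of sources are constructed assumptions for illustration.

```python
"""Added example: estimating bandwidth amplification factors and flagging flows
that look like reflected amplification responses. All flow records, sizes and
thresholds below are constructed sample data, not measurements from the paper."""
from collections import defaultdict
from dataclasses import dataclass

# Well-known UDP ports of the seven protocols the slides name. These are
# standard IANA port numbers; the protocol set itself comes from the slides.
AMPLIFIER_PORTS = {123: "NTP", 53: "DNS", 161: "SNMP", 1900: "SSDP",
                   19: "CharGen", 17: "QOTD", 137: "NetBIOS"}


def bandwidth_amplification_factor(request_payload_bytes, response_payload_bytes):
    """BAF: UDP payload bytes the amplifier sends back per payload byte of the
    triggering request. A BAF of 1 means no amplification at all."""
    if request_payload_bytes <= 0:
        raise ValueError("request payload must be positive")
    return response_payload_bytes / request_payload_bytes


@dataclass
class Flow:
    """One aggregated UDP flow, e.g. as exported by a flow collector."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    payload_bytes: int


def suspected_reflection_victims(flows, min_sources=3, min_bytes_per_packet=400):
    """Group inbound flows by destination. A destination that receives large
    packets from the source port of an amplifiable service, sent by at least
    `min_sources` distinct hosts, is reported as a likely reflection victim.
    Returns {victim_ip: {protocol: number_of_distinct_amplifiers}}."""
    per_victim = defaultdict(lambda: defaultdict(set))
    for f in flows:
        proto = AMPLIFIER_PORTS.get(f.src_port)
        if proto is None or f.packets == 0:
            continue  # not from an amplifiable service port, or empty flow
        if f.payload_bytes / f.packets < min_bytes_per_packet:
            continue  # small replies: ordinary use of the service
        per_victim[f.dst_ip][proto].add(f.src_ip)
    result = {}
    for victim, protos in per_victim.items():
        hits = {p: len(srcs) for p, srcs in protos.items() if len(srcs) >= min_sources}
        if hits:
            result[victim] = hits
    return result


# Constructed sample flow records (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("198.51.100.10", 123, "203.0.113.5", 44123, 12, 5400),   # large NTP replies
    Flow("198.51.100.11", 123, "203.0.113.5", 44123, 10, 4800),   # from three
    Flow("198.51.100.12", 123, "203.0.113.5", 44123, 15, 6750),   # distinct hosts
    Flow("198.51.100.20", 53, "203.0.113.5", 44123, 4, 1600),     # one DNS host only
    Flow("198.51.100.30", 123, "203.0.113.9", 50000, 2, 96),      # normal NTP reply
    Flow("192.0.2.7", 8080, "203.0.113.5", 44123, 100, 90000),    # not a service port
]

if __name__ == "__main__":
    # A 428-byte reply to an 8-byte request (constructed sizes) has BAF 53.5.
    print(bandwidth_amplification_factor(8, 428))
    print(suspected_reflection_victims(SAMPLE_FLOWS))
```

The check is deliberately coarse: it keys on the service port, the average reply size and the number of distinct reflectors, which are the three properties that distinguish amplified traffic from a normal NTP or DNS exchange in the slides' description. In a real deployment the thresholds would be tuned against the baseline of the monitored network.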

NTP Amplifier Notification
- Datasets:
  - NTPver: all NTP servers that reply to a version request.
  - NTPmon: a subset of NTPver, containing the NTP servers that also support the monlist request.
- Campaign:
  - Collaborated with security organisations such as CERT-CC, MITRE and Cisco's PSIRT to create technical advisories.
  - Distributed lists of the IP addresses of the systems in NTPmon among trusted institutions.

Result

TCP-based Amplification Attacks
- TCP is a connection-oriented protocol in which, early on (i.e., during the handshake), the IP addresses of both communication parties are implicitly verified via initially random TCP sequence numbers.
- From the attacker's point of view, abusing TCP brings multiple benefits:
  - Providers cannot easily block or filter TCP traffic related to well-known protocols.
  - It is hard to distinguish attacks from normal traffic in a stream of TCP control segments.
  - There are millions of potential TCP amplifiers out there, and fixing them seems like an infeasible operation.

TCP Amplification Background

5. Spoofer Identification

Spoofer Identification
- IP address spoofing is the root cause of amplification attacks.
- Spoofed traffic should be blocked at the network edge. However, spoofing is still possible.
- Scanned the Internet to see whether Autonomous Systems allow spoofing.
- More than 2000 networks allow spoofing.
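The slide says spoofed traffic should be blocked at the network edge, and the criticisms later mention ASes that do not use egress filtering. The block below is an added example, not code from the talk or the paper: it models the BCP38-style egress rule that makes a network unusable as a source of spoofed amplification requests, namely "only forward packets whose source address belongs to one of our own prefixes", and audits a batch of outbound packets against it. The prefixes and packets are constructed sample data from the documentation address ranges.

```python
"""Added example: a BCP38-style egress filter check. A network that drops
outbound packets carrying a source address outside its own prefixes cannot be
used to send spoofed requests to amplifiers. Prefixes and packets below are
constructed sample data."""
import ipaddress


def build_egress_filter(own_prefixes):
    """Return a decision function for packets leaving the network:
    "forward" if the source lies in one of our prefixes, otherwise "drop"."""
    nets = [ipaddress.ip_network(p, strict=False) for p in own_prefixes]

    def decide(src_ip):
        addr = ipaddress.ip_address(src_ip)
        return "forward" if any(addr in n for n in nets) else "drop"

    return decide


def audit_outbound(own_prefixes, packets):
    """Count how many outbound (src, dst) packets the egress filter would drop
    and list the foreign source addresses they carried. A non-empty list on a
    network that believes it filters egress is the signal to investigate."""
    decide = build_egress_filter(own_prefixes)
    dropped = [src for src, _dst in packets if decide(src) == "drop"]
    return {
        "total": len(packets),
        "dropped": len(dropped),
        "spoofed_sources": sorted(set(dropped)),
    }


# Constructed prefixes "owned" by the example network (IPv4 and IPv6).
OWN_PREFIXES = ["203.0.113.0/24", "2001:db8:1::/48"]

# Constructed outbound packets as (source, destination). The ones marked as
# spoofed carry a source address the network does not own.
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.1"),
    ("203.0.113.200", "198.51.100.2"),
    ("192.0.2.44", "198.51.100.3"),        # spoofed source
    ("2001:db8:1::5", "2001:db8:2::1"),
    ("2001:db8:9::5", "2001:db8:2::1"),    # spoofed source
    ("192.0.2.44", "198.51.100.4"),        # spoofed again
]

if __name__ == "__main__":
    print(audit_outbound(OWN_PREFIXES, SAMPLE_PACKETS))
```

On real routers this rule is expressed as an access list on the customer-facing or upstream interface, or with unicast reverse-path forwarding, rather than in host code; the point of the example is only to make the decision rule concrete and to show that auditing it is a matter of comparing every outbound source address against the set of prefixes the network legitimately originates.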

6. Criticisms

Criticisms
- Only the IPv4 address space was scanned.
- Only NTPmon was addressed.
- Of the 41.9% decrease after 13 weeks, many systems presumably disappeared because of the authors' NTP amplifier notification campaign and not because of IP churn.
- Only a limited number of protocols were scanned and analysed.
- No solution was given for ASes that do not use egress filtering.

Thanks! Any questions?

Measuring TCP Amplification

Credits: Presentation template by SlidesCarnival. Photographs by Unsplash.
