Distributed Denial of Service Attacks

Similar documents
SSAC Advisory SAC008 DNS Distributed Denial of Service (DDoS) Attacks

A Fair Solution to DNS Amplification Attacks

How to launch and defend against a DDoS

Attack and Defense Techniques

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

DDoS Attacks Can Take Down Your Online Services

DOMAIN NAME SECURITY EXTENSIONS

The Coremelt Attack. Ahren Studer and Adrian Perrig. We ve Come to Rely on the Internet

DNS amplification attacks

CS 356 Lecture 16 Denial of Service. Spring 2013

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer

Network attack and defense

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

SECURING APACHE : DOS & DDOS ATTACKS - I

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Acquia Cloud Edge Protect Powered by CloudFlare

CS5008: Internet Computing

ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE

Denial of Service Attacks

CloudFlare advanced DDoS protection

Computer Networks: Domain Name System

Harness Your Internet Activity!

Strategies to Protect Against Distributed Denial of Service (DD

Denial of Service (DoS) Technical Primer

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

Index Terms: DDOS, Flash Crowds, Flow Correlation Coefficient, Packet Arrival Patterns, Information Distance, Probability Metrics.

Detecting DNS Amplification Attacks

DDoS attacks in CESNET2

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains

How To Protect A Dns Authority Server From A Flood Attack

Denial of Service. Tom Chen SMU

DDOS ATTACKS: PREPARATION-DETECTION-MITIGATION

Security vulnerabilities in the Internet and possible solutions

Korea s experience of massive DDoS attacks from Botnet

Surviving DDoS. SANOG X 5 September ed.lewis@neustar.biz. 5 Sep '07, SANOG X ed.lewis@neustar.biz 1

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

DoS/DDoS Attacks and Protection on VoIP/UC

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

/ Staminus Communications

Prolexic Quarterly Global DDoS Attack Report Q1 2013

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning

STATE OF DNS AVAILABILITY REPORT

[Restricted] ONLY for designated groups and individuals Check Point Software Technologies Ltd.

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

Taxonomic Modeling of Security Threats in Software Defined Networking. Jennia Hizver PhD in Computer Science

SAC 049 SSAC Report on DNS Zone Risk Assessment and Management

TLP WHITE. Denial of service attacks: what you need to know

How To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address

Overview of computer and communications security

Denial of Service (DoS)

Gaurav Gupta CMSC 681

Chapter 25 Domain Name System Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

Securing DNS Infrastructure Using DNSSEC

DDoS Overview and Incident Response Guide. July 2014

How To Mitigate A Ddos Attack

DNSSEC in stats. GC-SEC Global Cyber Security Center. Andrea Rigoni. CENTR Bruxelles, 7th October Global Cyber Security Center Director General

Kick starting science...

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

Four Steps to Defeat a DDoS Attack

Taxonomic Modeling of Security Threats in Software Defined Networking

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Distributed Denial of Service (DDoS)

Stress Testing and Distributed Denial of Service Testing of Network Infrastructures

Index Terms Denial-of-Service Attack, Intrusion Prevention System, Internet Service Provider. Fig.1.Single IPS System

LTE transport network security Jason S. Boswell Head of Security Sales, NAM Nokia Siemens Networks

SECURITY FLAWS IN INTERNET VOTING SYSTEM

DDoS Attacks & Mitigation

Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems

CSCE 465 Computer & Network Security

First Line of Defense

The server will respond to the client with a list of instances. One such attack was analyzed by an information security researcher in January 2015.

Revealing Botnets Using Network Traffic Statistics

Transcription:

Distributed Denial of Service Attacks Steve Crocker Chair, SSAC June 25, 2007 San Juan, Puerto Rico 1

Agenda Types of Attacks DDoS attacks Amplified DDoS attacks - 2006 Estonia - May 2007 What do Do 2

Types of Attacks Penetration Eavesdropping Man-in-the-Middle Flooding 3

Penetration Attacker gets inside your machine Can take over machine and do whatever he wants Achieves entry via software flaw(s), stolen passwords or insider access 4

Eavesdropping Attacker gains access to same network Listens to traffic going in and out of your machine 5

Man-in-the-Middle ( MITM ) Attacker listens to output and controls output Can substitute messages in both directions 6

Flooding Attack Attacker sends an overwhelming number of messages at your machine; great congestion The congestion may occur in the path before your machine Messages from legitimate users are crowded out Usually called a Denial of Service (DoS) attack, because that s the effect. Usually involves a large number of machines, hence Distributed Denial of Service (DDoS) attack 7

Effects of Attacks Modification of internal data, change of programs Includes defacement of web sites Destruction of data Unauthorized Disclosure Denial of Service (DoS) 8

Attacks and Effects Mod Des Disc DoS Penetration X X X X MITM X X Eavesdropping X Flooding X 9

Denial of Service Attacks A Denial of Service (DoS) attack is an orchestrated traffic jam Purpose is to shut down a site, not penetrate it. Purpose may be vandalism, extortion or social action (including terrorism) Sports betting sites often extorted Large numbers of attacks -- few visible Estonia Root servers, TLD operations 10

Distributed DoS (DDoS) Most common DoS attacks use thousands of computers Sometimes hundreds of thousands Individual computers ( zombies ) are penetrated and marshaled into common force ( bot armies ) Tools easily available Bot armies available for rent 11

Amplified DDoS Attacks New wrinkle observed last year Bots send DNS queries with false return addresses Responses are aimed at target Responses are much larger than queries 12

January - February, 2006 Authoritative TLD DNS servers attacked Variant of a well-known DDoS attack Attacks generated from 2-8 Gbps Failures occurred at multiple points Resulted in disruption of DNS services Included many TLDs without any apparent motive in most cases 13

Anatomy of the Amplification Attack Attacker (1) Attacker directs zombies to begin attack Zombies... (2) All zombies send DNS query for record foo in domain bar.<tld> to open recursive servers and set source IP=10.10.1.1 (3) Open resolvers ask bar.<tld> for record foo... Target name server at IP = 10.10.1.1 (5) Open resolvers send DNS response with (4000 byte DNS TXT RR) to target name server Open recursive servers (4) bar.<tld> responds with record foo (4000 byte DNS TXT RR) Name server bar.<tld> 14

One Attack Graph of responses to monitoring probes by the authoritative nameservers for a TLD before, during, and after an attack in February 2006. Vertical Axis shows the six TLD Server IP addresses. Red shows complete failure to answer, yellow indicates slow answers. For reference, Servers 1 and 4 show lesser impact than Servers 2, 3, 5, and 6. The horizontal axis shows actual time. This attack lasted 14 minutes. Graphs courtesy of RIPE NCC. 15

Attack Metrics (1) 51,000 open recursive servers were involved 55 byte query resulted in a 4,200 byte response, for a 1:76 amplification 8 gbps attack requires a total of 108 mbps of queries. Each recursive server saw 2,100 bytes of queries, or 38 qps, and responded with 160 kbps in answers Assuming compromised hosts have minimum 512kb DSL modem, only 200 compromised hosts were required 16

Attack Metrics (2) Source networks would see no effect Recursive servers saw minimal traffic or query increase Victim network providers had catastrophic experience Victim DNS provider was sent the equivalent of 150 million qps At best, 1 in 100 real queries were answered 17

Estonia Attack Estonia Protests & Cyber Attacks Response 18

Estonia 1.4 million people Substantial ethnic Russian minority Extensive Internet use Banking, voting, petrol purchase, etc. 60% use Internet daily Real life and Internet intermingled Only a few connections to other countries 19

Protests & Cyber Attacks Relocation of Russian statue triggered protests Outside Estonia as well as inside Defacement and DDoS Attacks were dominated by bot armies Almost all traffic came from outside 20

Response Excellent coordination inside Estonia CERT, ISPs Technical people and government institutions communicated, cooperated Help from outside External traffic to government stopped 21

References mp3 talk from Hillar Aarelaid http://www.ripe.net/ripe/meetin gs/ripe- 54/presentations/friday.html. mp3: http://www.ripe.net/ripe/meetin gs/ripe-54/podcasts/plenary- 10.mp3 (talk is at 38 minutes) 22

Comments & Possible Policy Options DDoS attacks are a serious problem Good hygiene protects against penetration No good protection against DDoS Coordinated community action required CERTs, etc. good for response Need better design and operation 23

Two Specific Actions Require address validation All packets coming into a network must have a valid return address Won t solve the full problem but will reduce a large range of attacks Label and prioritize traffic coming from protected sources Reward non-zombie sites 24

References SAC004 SAC008 Securing The Edge (17 October 2002) DNS Distributed Denial of Service (DDoS) Attacks (31 March 2006) http://www.icann.org/committees/ security/ssac-documents.htm 25

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information