DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS




NTT is one of the largest Internet providers in the world, with a significant share of the world's Internet traffic passing through the global public NTT network. As a provider with world-wide coverage managing this much bandwidth, one of NTT's important tasks is to mitigate large distributed denial of service (DDoS) attacks. These attacks historically have focused on flooding a victim's networks with so much data or activity that legitimate services are rendered unavailable. These volume-based attacks are very different from application DDoS attacks (such as that described in the Web Application DDoS Attack case study in Section F.4 of this report), which consume application processing resources.

The distribution of DDoS attacks (by type of attack) observed by NTT in 2014 is presented in the following chart.

[Chart: DDoS by type. Categories: NTP Amplification, Multi-vector, TCP SYN, SSDP Amplification, DNS Amplification, Other. Caption: NTP amplification leads the number of attacks by type of attack.]

63 percent of all DDoS attacks observed were related to UDP-based protocols and services (NTP, SSDP and DNS). Discussions of the different DDoS attack types observed in 2014 are presented below.

NTP Amplification Attacks

With 32 percent of all DDoS attacks during 2014, the most common type of attack we observed was the Network Time Protocol (NTP) amplification attack. In this attack, an attacker changes the source address of an NTP query to the intended victim's address, then sends the maliciously spoofed query to one or more NTP servers. The NTP servers respond to the IP address of the victim (the spoofed source address). The amplification component of the attack is what makes it interesting: a very small query to an NTP server can produce a very large response if particular NTP options are used.

TCP SYN Flood Attacks

Another of the largest types of DDoS attacks, with 16 percent of the total, is also one of the oldest and most consistently observed over the years. The TCP SYN flood attack is performed by flooding the target network with a large number of TCP SYN requests, which results in the exhaustion of available resources. If mitigating controls are not put in place, a malicious attacker can use this tactic to create a large number of partially-open connections to a server. This can exhaust all available sessions, preventing users from connecting to ports which would normally be accessible for legitimate services. Attackers can further ensure the success of SYN floods by employing different techniques to exhaust resources. These may include spoofing the source IP addresses, targeting multiple ports, attacking from multiple distributed sources, and the use of botnets.
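The NTP and DNS amplification attacks described above, and the SSDP variant discussed in the next section, share one wire-level signature a defender can look for: many distinct servers on a well-known UDP service port sending large replies to a host that never queried them. The following Python script is an added example, not NTT's own tooling; it scores NetFlow-style records (constructed inline, using documentation address ranges) for that pattern. The port table, thresholds and sample values are assumptions to be tuned per network.

```python
"""Reflection/amplification flood detection over flow records.

Added example, not NTT's tooling: it scores UDP flow records (NetFlow/IPFIX
style, here constructed inline) and flags victims that receive large replies
from many distinct reflectors on the well-known ports of the services the
report names (NTP, SSDP, DNS). Thresholds are assumptions to tune per network.
"""
from collections import defaultdict
from dataclasses import dataclass

# Reflector services and their well-known UDP ports, as named in the report.
REFLECTOR_SERVICES = {123: "NTP", 1900: "SSDP", 53: "DNS"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    byte_count: int


def detect_amplification(flows, min_reflectors=10, min_bytes_per_packet=200,
                         min_total_bytes=1_000_000):
    """Return one alert per (service, victim) whose inbound reply traffic
    comes from at least `min_reflectors` distinct sources, consists of large
    packets, and exceeds `min_total_bytes` in the observed window."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTOR_SERVICES or f.packets == 0:
            continue
        # Legitimate replies to a real query are small; amplified replies are not.
        if f.byte_count / f.packets < min_bytes_per_packet:
            continue
        key = (REFLECTOR_SERVICES[f.src_port], f.dst_ip)
        agg = per_victim[key]
        agg["reflectors"].add(f.src_ip)
        agg["packets"] += f.packets
        agg["bytes"] += f.byte_count

    alerts = []
    for (service, victim), agg in per_victim.items():
        if len(agg["reflectors"]) >= min_reflectors and agg["bytes"] >= min_total_bytes:
            alerts.append({
                "service": service,
                "victim": victim,
                "reflectors": len(agg["reflectors"]),
                "packets": agg["packets"],
                "bytes": agg["bytes"],
                "avg_bytes_per_packet": agg["bytes"] // agg["packets"],
            })
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


def sample_flows():
    """Constructed flow records (documentation address ranges, not real hosts)."""
    flows = []
    # Twelve distinct NTP servers each sending 2,000 large replies to one host
    # on a high port it never queried from: the shape of a spoofed-source
    # amplification attack as described in the report.
    for i in range(1, 13):
        flows.append(Flow(f"198.51.100.{i}", 123, "203.0.113.10", 40123, "UDP", 2000, 880_000))
    # Three SSDP responders sending moderate traffic to another host: too few
    # reflectors and too little volume to cross the default thresholds.
    for i in range(1, 4):
        flows.append(Flow(f"192.0.2.{i}", 1900, "203.0.113.20", 51000, "UDP", 500, 150_000))
    # A normal NTP time reply (one small packet) and a normal DNS answer.
    flows.append(Flow("192.0.2.50", 123, "203.0.113.30", 123, "UDP", 1, 76))
    flows.append(Flow("192.0.2.53", 53, "203.0.113.30", 55555, "UDP", 1, 120))
    return flows


if __name__ == "__main__":
    for alert in detect_amplification(sample_flows()):
        print(alert)
```

With the default thresholds only the NTP flood is reported; lowering `min_reflectors` and `min_total_bytes` also surfaces the smaller SSDP case, which is the trade-off between catching the smaller attacks the recommendations mention and paging on ordinary NTP and DNS replies.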

SSDP Amplification Attacks

Another type of DDoS traffic observed in 2014 was Simple Service Discovery Protocol (SSDP) amplification, which made up 9 percent of all DDoS attacks observed. SSDP was created to help devices discover and connect to each other, and is part of the Universal Plug and Play (UPnP) protocol. The protocol was first introduced in 1999 and by default uses UDP port 1900 for communication. Similar to other attacks such as DNS and NTP amplification, attackers send specially crafted requests to an SSDP-enabled device and direct the response to the targeted system. Although the service defaults to UDP/1900, it can be directed to send responses to other ports and services. Since there is no shortage of SSDP-enabled devices, it is a good candidate for attackers to use during reflection and amplification based attacks. Several tools allow attackers to identify SSDP-enabled devices and launch attacks. Botnets capable of performing SSDP DDoS attacks may use compromised home computing, network and residential applications to conduct attacks.

Due to the wide use of SSDP, especially in residential applications such as network modem/router bundles, wireless access points, and many home entertainment appliances and gaming systems, it is likely that SSDP DDoS attacks will continue. Unfortunately, most devices which implement SSDP enable this feature by default, and it is unlikely that residential users will patch or disable these services.

Multi-Vector Attacks

In multi-vector attacks, combinations of different DDoS attack types are used during a single incident. Attackers will often initiate attacks using one method but may adapt their approach during the attack if the primary method of attack is not as effective as anticipated.

Alternatively, attackers may elect to use multiple methods of attack simultaneously to ensure their success. For example, attackers may start with NTP amplification but then use methods such as SYN flood, SSDP, application-specific or other methods to amplify the effect of the attack. Multi-vector attacks can be a powerful tactic since this increases the chances of success. These attacks are also designed to overwhelm defenses and organizational staff. It can be a challenge for organizations to respond to multi-vector attacks since different attack techniques require different mitigation and defensive approaches.

DDoS Mitigation Recommendations

DDoS attacks have been around for some time. Preventive measures have had a chance to mature, and some measures have proven to be more reliable than others. While they must be evaluated in each organization's unique environment, NTT Group offers the following recommendations:

Technical Recommendations:

- Organizations should look at implementing a layered approach to DDoS mitigation controls leveraging multiple technologies.
- Implement onsite application DoS mitigation services such as a web application firewall.
- Filter traffic at multiple points of ingress, including the upstream ISP and via content distribution networks or scrubbing services. Third-party traffic scrubbing and filtering services can be valuable because they often anticipate the need to address multiple types of DDoS attacks.
- Implement dynamic bandwidth services which can scale bandwidth as an attack unfolds. This is not optimal as a long-term solution but can help absorb some of the initial impact of an attack.

- Many network firewalls, load balancers and servers support rate limiting or session timeouts. Ensure organizational staff understand the environment and the tools which are already available.
- Understand the capabilities of the organization and its ISP to handle TCP SYN flood attacks. Many ISPs implement detection for spoofed IP addresses and filter these by default. Keep in mind that ISPs often do a great job of filtering high-volume attacks, but smaller attacks may go unnoticed and not be filtered.
- Depending on the focus of the attack, host or application-based controls can help mitigate session or connection exhaustion.
- Ensure the organization follows system and service hardening guidelines to reduce misconfiguration issues and limit the services running.

Non-technical Recommendations:

- Ensure the organization understands not only its ability to detect a DDoS attack, but also its ability to respond.
- Account for DDoS attacks in the organization's business continuity and disaster recovery plans.
- Evaluate the financial impact a DDoS attack would have on organizational operations and services.
- DDoS attacks are often used to mask other criminal activities. In the event of a DDoS attack, ensure the organization remains alert for other malicious activities which may be occurring (fraudulent wire transfers, other breaches, and data exfiltration from other network segments).
- Know who to call for support during a DDoS attack (SOC, vendors, ISPs, incident response teams).
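The TCP SYN flood description earlier in this section, together with the recommendation that firewalls, load balancers and servers apply rate limiting or session timeouts, can be made concrete with a small model. The following Python code is an added example, not NTT's or any vendor's implementation: it keeps a table of half-open connections that expire on a timeout, applies a per-source token bucket to new SYNs, and raises an alert when half-open sessions to one listener cross a threshold. The packet trace and every threshold are constructed assumptions. The trace also illustrates the report's point about spoofed sources: a fresh source address per SYN gets a fresh rate-limit bucket, so the half-open threshold and the timeout are the controls that actually contain the flood.

```python
"""Half-open TCP connection tracking with timeouts and per-source SYN rate limiting.

Added example, not NTT's or any vendor's code. It models the host/gateway
controls the recommendations call "rate limiting or session timeouts":
a table of partially-open connections whose entries expire when the peer
never finishes the handshake, a per-source token bucket on new SYNs, and an
alert when half-open sessions to one listener exceed a threshold. The packet
events are constructed; all thresholds are assumptions to tune per host.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    t: float          # arrival time in seconds
    src_ip: str
    src_port: int
    dst_port: int
    flags: str        # "S" = SYN, "A" = final ACK of the three-way handshake


class SynGuard:
    def __init__(self, handshake_timeout=3.0, syn_rate=5.0, syn_burst=10, max_half_open=100):
        self.timeout = handshake_timeout
        self.rate = syn_rate            # sustained SYNs/second allowed per source IP
        self.burst = syn_burst          # token-bucket depth per source IP
        self.max_half_open = max_half_open
        self.half_open = {}             # (src_ip, src_port, dst_port) -> SYN arrival time
        self.per_port = Counter()       # dst_port -> current half-open count
        self.buckets = {}               # src_ip -> (tokens, last_refill_time)
        self.over_threshold = set()     # dst_ports currently above max_half_open
        self.alerts = []
        self.stats = Counter()

    def _allow_syn(self, src_ip, now):
        """Token bucket per source: blunts one noisy source, but a flood that
        spoofs a fresh source address per SYN gets a fresh bucket every time,
        which is why the half-open threshold below is still needed."""
        tokens, last = self.buckets.get(src_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.buckets[src_ip] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def _expire(self, now):
        """Drop half-open entries whose handshake never completed in time."""
        stale = [k for k, t0 in self.half_open.items() if now - t0 > self.timeout]
        for key in stale:
            del self.half_open[key]
            self.per_port[key[2]] -= 1
        self.stats["expired"] += len(stale)
        for port in list(self.over_threshold):
            if self.per_port[port] <= self.max_half_open:
                self.over_threshold.discard(port)

    def process(self, pkt):
        """Return the disposition of one packet: accepted, rate_limited, completed or ignored."""
        self._expire(pkt.t)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if pkt.flags == "S":
            if not self._allow_syn(pkt.src_ip, pkt.t):
                self.stats["rate_limited"] += 1
                return "rate_limited"
            self.half_open[key] = pkt.t
            self.per_port[pkt.dst_port] += 1
            self.stats["accepted"] += 1
            n = self.per_port[pkt.dst_port]
            # Alert once when a listener crosses the threshold, not on every SYN.
            if n > self.max_half_open and pkt.dst_port not in self.over_threshold:
                self.over_threshold.add(pkt.dst_port)
                self.alerts.append({"t": pkt.t, "dst_port": pkt.dst_port, "half_open": n})
            return "accepted"
        if pkt.flags == "A" and key in self.half_open:
            del self.half_open[key]
            self.per_port[pkt.dst_port] -= 1
            self.stats["completed"] += 1
            return "completed"
        self.stats["ignored"] += 1
        return "ignored"


def sample_packets():
    """Constructed trace (documentation address ranges): one honest client, one
    source that bursts 15 SYNs, a 150-source spoofed flood, then a late honest client."""
    pkts = [Pkt(0.00, "192.0.2.10", 50000, 443, "S"), Pkt(0.05, "192.0.2.10", 50000, 443, "A")]
    pkts += [Pkt(0.10 + i * 0.005, "192.0.2.20", 51000 + i, 443, "S") for i in range(15)]
    pkts += [Pkt(1.0 + i * 0.001, f"203.0.113.{i + 1}", 40000 + i, 443, "S") for i in range(150)]
    pkts += [Pkt(5.00, "192.0.2.11", 50001, 443, "S"), Pkt(5.05, "192.0.2.11", 50001, 443, "A")]
    return pkts


def run(packets=None):
    """Feed a trace through a SynGuard with default thresholds and return it."""
    guard = SynGuard()
    for pkt in (packets if packets is not None else sample_packets()):
        guard.process(pkt)
    return guard


if __name__ == "__main__":
    g = run()
    print(dict(g.stats), g.alerts, "still half-open:", len(g.half_open))
```

Running it shows the bursting source losing 5 of its 15 SYNs to the per-source limit, the spoofed flood passing the per-source limit entirely and triggering the half-open alert on port 443, and every abandoned handshake being expired by the time the late honest client connects, so that client is still served.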