1000 days of udp amplification ddos attacks
play

1000 days of UDP amplification DDoS attacks Daniel R. Thomas , - PowerPoint PPT Presentation

Jan 10, 2024 •240 likes •434 views

1000 days of UDP amplification DDoS attacks Daniel R. Thomas , Richard Clayton, Alastair R. Beresford Firstname.Lastname@cl.cam.ac.uk Daniel: 5017 A1EC 0B29 08E3 CF64 7CCD 5514 35D5 D749 33D9 Richard: 899A 94CE BFCE CCE2 5744 5ACE 3BBC CF52

  1. 1000 days of UDP amplification DDoS attacks Daniel R. Thomas , Richard Clayton, Alastair R. Beresford Firstname.Lastname@cl.cam.ac.uk Daniel: 5017 A1EC 0B29 08E3 CF64 7CCD 5514 35D5 D749 33D9 Richard: 899A 94CE BFCE CCE2 5744 5ACE 3BBC CF52 A8B9 ECFB Alastair: 9217 482D D647 8641 44BA 10D8 83F4 9FBF 1144 D9B3

  2. UDP scanning Refmector 8.8.8.8 big.gov IN TXT big.gov IN TXT " src: 192.168.25.4 Extremely long dst: 8.8.8.8 response.............. (2) (1) ........................... ........................... Attacker .........................." 192.168.25.4 src: 8.8.8.8 dst: 192.168.25.4 2

  3. UDP refmectjon DDoS atuacks big.gov IN TXT " Refmector Extremely long response.............. 8.8.8.8 ........................... big.gov IN TXT ........................... .........................." src: src: 8.8.8.8 dst: 8.8.8.8 dst: 172.16.6.2 Victim Attacker 172.16.6.2 192.168.25.4 3

  4. We run lots of UDP honeypots ● Median 65 nodes since 2014 ● Hopscotch emulates abused protocols – QOTD, CHARGEN, DNS, NTP, SSDP, SQLMon, Portmap, mDNS, LDAP ● Snifger records all resultjng UDP traffjc ● (try to) Only reply to black hat scanners 4

  5. Estjmatjng total atuacks using capture-recapture B=200 A=160 80 80 Estimated population: 400 ± 62 5

  6. 100000 Estimated number of attacks per day (log) CHARGEN DNS NTP SSDP 10000 1000 100 10 2014-07 2014-10 2015-01 2015-04 2015-07 2015-10 2016-01 2016-04 2016-07 2016-10 2017-01 2017-04 2017-07 6

  7. 1 90 Proportion of all attacks that we observe 80 0.8 70 60 0.6 50 40 0.4 30 20 CHARGEN 0.2 DNS 10 NTP SSDP 0 0 2 2 2 2 2 2 2 2 2 2 2 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 4 4 5 5 5 5 6 6 6 6 7 7 7 - - - - - - - - - - - - - 0 1 0 0 0 1 0 0 0 1 0 0 0 7 0 1 4 7 0 1 4 7 0 1 4 7 7

  8. 1 90 80 Number of honeypots in operation 0.8 70 60 0.6 50 40 0.4 30 20 0.2 10 # A+B # A 0 0 2 2 2 2 2 2 2 2 2 2 2 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 4 4 5 5 5 5 6 6 6 6 7 7 7 - - - - - - - - - - - - - 0 1 0 0 0 1 0 0 0 1 0 0 0 7 0 1 4 7 0 1 4 7 0 1 4 7 8

  9. 1 90 Proportion of all attacks that we observe 80 Number of honeypots in operation 0.8 70 60 0.6 50 40 0.4 30 # A+B # A 20 CHARGEN 0.2 DNS 10 NTP SSDP 0 0 2 2 2 2 2 2 2 2 2 2 2 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 4 4 5 5 5 5 6 6 6 6 7 7 7 - - - - - - - - - - - - - 0 1 0 0 0 1 0 0 0 1 0 0 0 7 0 1 4 7 0 1 4 7 0 1 4 7 9

  10. NTP 1 Frequency of attacks (millions) 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 0 60 120 Duration of attack (minutes) 10

  11. NTP P(attack ends in <5min | duration) 0.6 0.5 0.4 0.3 0.2 0.1 0 60 120 Duration of attack (minutes) 11

  12. Vdos coverage NTP 1400 Seen Missing Number of attacks 1200 1000 800 600 400 200 0 2015-09 2015-11 2016-01 2016-03 2016-05 2016-07 2016-09 12

  13. Vdos coverage SSDP 900 Seen 800 Missing Number of attacks 700 600 500 400 300 200 100 0 2 2 2 2 2 2 2 0 0 0 0 0 0 0 1 1 1 1 1 1 1 5 5 6 6 6 6 6 - - - - - - - 0 1 0 0 0 0 0 9 1 3 7 1 5 9 13

  14. This was ethical ● We reduce harm by absorbing atuack traffjc ● We don’t reply to white hat scanners (no tjmewastjng) ● We used leaked data for validatjon, this was necessary and did not increase harm. ● We have a paper under submission on the ethics of using leaked data for research. 14

  15. Running a honeypot network is cheap (but we do it for you) ● Median of 65 nodes. ● 200GB/month inbound per node. ● Hostjng costs of $170/month (+stafg costs) ● Need 10 to 100 sensors depending on protocol. ● Our collectjon is ongoing and you can use our data. You can also contribute. 15

  16. This is a solvable problem ● BCP38/SAVE ● Follow the money ● Enforce the law ● Warn customers it is illegal 16

  17. Ongoing work ● Selectjve reply (like Krupp et al. 2016) ● More cross validatjon ● Estjmate atuack volume ● Collaboratjon – What do you want to do with this data? – You can run our code. – Do you have ground truth for atuack volumes? 17

  18. Data is available through the Cambridge Cybercrime Centre https://cambridgecybercrime.uk/ Daniel R. Thomas Richard Clayton Alastair R. Beresford Firstname.Lastname@cl.cam.ac.uk Daniel: 5017 A1EC 0B29 08E3 CF64 7CCD 5514 35D5 D749 33D9 Richard: 899A 94CE BFCE CCE2 5744 5ACE 3BBC CF52 A8B9 ECFB Alastair: 9217 482D D647 8641 44BA 10D8 83F4 9FBF 1144 D9B3

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31.

Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31.

Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31. Juli 2014 Outline Background UDP-based Amplification TCP-based Amplification Comparison UDP- / TCP-based Amplification 2 AMPLIFICATION

731 views • 27 slides
DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Identifying Patterns in DNS Traffic Pieter Lexis System and Network Engineering Thu, Jul 4 2013

Identifying Patterns in DNS Traffic Pieter Lexis System and Network Engineering Thu, Jul 4 2013

Identifying Patterns in DNS Traffic Pieter Lexis System and Network Engineering Thu, Jul 4 2013 Reflection and Amplification Attacks DNS abused as DDoS Tool Spamhaus hit with 300 Gigabit/second DDoS Reflected Amplification Attack

429 views • 23 slides
SENSS Against Volumetric DDoS Attacks Sivaram Ramanathan 1 , Jelena Mirkovic 1 , Minlan Yu 2 and

SENSS Against Volumetric DDoS Attacks Sivaram Ramanathan 1 , Jelena Mirkovic 1 , Minlan Yu 2 and

SENSS Against Volumetric DDoS Attacks Sivaram Ramanathan 1 , Jelena Mirkovic 1 , Minlan Yu 2 and Ying Zhang 3 1 University of Southern California/Information Sciences Institute 2 Harvard University 3 Facebook 1 DDoS attacks Volumetric DDoS

604 views • 56 slides
Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent the access to a computer system to it's legitimate users. DDoS: DoS attack on the network using a lot of different source IP Why:

327 views • 16 slides
Combating DNS amplification attacks using Cookies Supervisor: Roland van Rijswijk SURFnet By:

Combating DNS amplification attacks using Cookies Supervisor: Roland van Rijswijk SURFnet By:

Combating DNS amplification attacks using Cookies Supervisor: Roland van Rijswijk SURFnet By: Sean Rijs Agenda I am going to do my presentation DNS amplification attacks 2 1 Stub resolver Recursive server Authoritative server

1.42k views • 21 slides
A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon guillaume.valadon@ssi.gouv.fr RIPE 70 - May, 11 2015 ANSSI - http://www.ssi.gouv.fr/guide-ddos &amp; https://goo.gl/UL8M1 1/12 ANSSI Created on July 7th 2009,

142 views • 12 slides
Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Introduction: Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation Attacker signals slaves to launch an attack on a specific target address (victim). Slaves then respond by Comp290: Network

275 views • 9 slides
A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin &amp; Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin &amp; Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin &amp; Peter Reiher Manu Shantharam &amp; David Hadka What is DoS? DoS A type of attack wherein access to computer resource / service is denied or

380 views • 18 slides
Exit from Hell? Reducing the Impact of Amplifjcation DDoS Attacks Marc Khrer, Thomas

Exit from Hell? Reducing the Impact of Amplifjcation DDoS Attacks Marc Khrer, Thomas

Exit from Hell? Reducing the Impact of Amplifjcation DDoS Attacks Marc Khrer, Thomas Hupperich, Christian Rossow, and Thorsten Holz Presented By : Richie Noble Distributed Denial-of-Service (DDoS) Attacks Known problem for many

660 views • 35 slides
Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback http://www.betterhostreview.com/wp-content/uploads/2013/08/ddos-attack.gif 2 DDoS Attacks http://blog.rivalhost.com/wp- http://en.wikipedia.org/wiki/Low

800 views • 36 slides
COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure

COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure

COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure Application Services CONFIDENTIAL | DO NOT DISTRIBUTE Company 1. CONFIDENTIAL | DO NOT DISTRIBUTE Attack Tools over Time - Evolved Binary

385 views • 12 slides
Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches Menghao Zhang 1 , Guanyu

Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches Menghao Zhang 1 , Guanyu

Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches Menghao Zhang 1 , Guanyu Li 1 , Shicheng Wang 1 , Chang Liu 1 , Ang Chen 2 , Hongxin Hu 3 , Guofei Gu 4 , Qi Li 1 , Mingwei Xu 1 , Jianping Wu 1 1 4 2 3 DDoS Attacks are

480 views • 23 slides
Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim fons.mijnen@os3.nl max.grim@os3.nl 2 DDoS attacks DDoS attacks are a problem internet users have faced for many years, and is still relevant today. 3 DDoS

531 views • 52 slides
Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS

Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS

Best Practices for Using CDNs Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS Protection As your principle, CDNs distribute traffic around the world to the closest pop for client, using anycast

915 views • 11 slides
Enhancing Multimedia QoE via More Effective Time Synchronisation over 802.11 Networks Jonathan

Enhancing Multimedia QoE via More Effective Time Synchronisation over 802.11 Networks Jonathan

Enhancing Multimedia QoE via More Effective Time Synchronisation over 802.11 Networks Jonathan Shannon Padraig OFlaithearta Yusaf Cinar Hugh Melvin Disc. of Information Technology, National University of Ireland, Galway. 1 Outline

427 views • 28 slides
Install and run chef-solo in minutes benjaminrtz@gmail.com Install chef ============ curl -L

Install and run chef-solo in minutes benjaminrtz@gmail.com Install chef ============ curl -L

Install and run chef-solo in minutes benjaminrtz@gmail.com Install chef ============ curl -L https://www.opscode.com/chef/install.sh | bash Check ===== # chef-solo -v Chef: 11.6.2 Setup chef repository ===================== #wget

571 views • 4 slides
One-way Delay Measurement Using NTP Synchronization Vladimir Smotlacha TNC-2003 One-way Delay

One-way Delay Measurement Using NTP Synchronization Vladimir Smotlacha TNC-2003 One-way Delay

One-way Delay Measurement Using NTP Synchronization Vladimir Smotlacha TNC-2003 One-way Delay theory (RFC 2679): difference between time of last bit of packet on-wire at receiver and first bit of packet on-wire at sender

642 views • 18 slides
Zones - Containers Server Consolidation Run multiple workloads on system Improve utilization of

Zones - Containers Server Consolidation Run multiple workloads on system Improve utilization of

Zones - Containers Server Consolidation Run multiple workloads on system Improve utilization of resources Reduce costs Run workloads in isolation Cannot observe others Security Isolation Running apps as different user not enough - privilege

274 views • 15 slides
An Evaluation of Distributed Concurrency Control Harding, Aken, Pavlo and Stonebraker Presented

An Evaluation of Distributed Concurrency Control Harding, Aken, Pavlo and Stonebraker Presented

An Evaluation of Distributed Concurrency Control Harding, Aken, Pavlo and Stonebraker Presented by: Thamir Qadah For CS590-BDS 1 Outline Motivation System Architecture Implemented Distributed CC protocols 2PL TO

684 views • 56 slides
Some remarks on ! 2 e 00 E ! 2 e 00 E w equivalence of graph-to-graph

Some remarks on ! 2 e 00 E ! 2 e 00 E w equivalence of graph-to-graph

E e E e 0 E Some remarks on ! 2 e 00 E ! 2 e 00 E w equivalence of graph-to-graph transducers inc( w, e 0 ) inc( w, e 00 ) Schmude, J. Boja czyk, M. University of Warsaw Highlights of Logic,

692 views • 22 slides
Physics Analysis Concepts with PandaRoot (4) PANDA Computing Week 2017 Nakhon Ratchasima,

Physics Analysis Concepts with PandaRoot (4) PANDA Computing Week 2017 Nakhon Ratchasima,

Physics Analysis Concepts with PandaRoot (4) PANDA Computing Week 2017 Nakhon Ratchasima, Thailand, July 3 - 7, 2017 Klaus Gtzen GSI Darmstadt Topics Event Filtering ( FairFilteredPrimaryGenerator ) Useful Event and Kinematic Variables (

2.26k views • 44 slides
Design and Evaluation of a 2048 Introduction Core Cluster System The CHiC Project Benchmarks

Design and Evaluation of a 2048 Introduction Core Cluster System The CHiC Project Benchmarks

CHiC 2007 Frank Mietke Design and Evaluation of a 2048 Introduction Core Cluster System The CHiC Project Benchmarks Summary Frank Mietke , Torsten Hfler, Torsten Mehlan and Wolfgang Rehm Computer Architecture Group Department of Computer

594 views • 20 slides

More recommend