[PPT] - 1000 days of UDP amplification DDoS attacks Daniel R. Thomas , PowerPoint Presentation

SLIDE 1

1000 days of UDP amplification DDoS attacks

Daniel R. Thomas, Richard Clayton, Alastair R. Beresford

Firstname.Lastname@cl.cam.ac.uk

Daniel: 5017 A1EC 0B29 08E3 CF64 7CCD 5514 35D5 D749 33D9 Richard: 899A 94CE BFCE CCE2 5744 5ACE 3BBC CF52 A8B9 ECFB Alastair: 9217 482D D647 8641 44BA 10D8 83F4 9FBF 1144 D9B3

SLIDE 2

UDP scanning

Refmector 8.8.8.8 Attacker 192.168.25.4

big.gov IN TXT src: 192.168.25.4 dst: 8.8.8.8

big.gov IN TXT " Extremely long response.............. ........................... ........................... .........................." src: 8.8.8.8 dst: 192.168.25.4

(1) (2)

2

SLIDE 3

UDP refmectjon DDoS atuacks

Refmector 8.8.8.8 Attacker 192.168.25.4 Victim 172.16.6.2

big.gov IN TXT src: dst: 8.8.8.8

big.gov IN TXT " Extremely long response.............. ........................... ........................... .........................." src: 8.8.8.8 dst: 172.16.6.2

3

SLIDE 4

4

We run lots of UDP honeypots

Median 65 nodes since 2014
Hopscotch emulates abused protocols

– QOTD, CHARGEN, DNS, NTP, SSDP, SQLMon, Portmap,

mDNS, LDAP

Snifger records all resultjng UDP traffjc
(try to) Only reply to black hat scanners

SLIDE 5

Estjmatjng total atuacks using capture-recapture

A=160 B=200

Estimated population: 400 ± 62 80 80

5

SLIDE 6

10 100 1000 10000 100000 2014-07 2014-10 2015-01 2015-04 2015-07 2015-10 2016-01 2016-04 2016-07 2016-10 2017-01 2017-04 2017-07 Estimated number of attacks per day (log) CHARGEN DNS NTP SSDP

6

SLIDE 7

0.2 0.4 0.6 0.8 1 2 1 4

7

2 1 4

1

2 1 5

1

2 1 5

4

2 1 5

7

2 1 5

1

2 1 6

1

2 1 6

4

2 1 6

7

2 1 6

1

2 1 7

1

2 1 7

4

2 1 7

7

10 20 30 40 50 60 70 80 90 Proportion of all attacks that we observe CHARGEN DNS NTP SSDP

7

SLIDE 8

0.2 0.4 0.6 0.8 1 2 1 4

7

2 1 4

1

2 1 5

1

2 1 5

4

2 1 5

7

2 1 5

1

2 1 6

1

2 1 6

4

2 1 6

7

2 1 6

1

2 1 7

1

2 1 7

4

2 1 7

7

10 20 30 40 50 60 70 80 90 Number of honeypots in operation # A+B # A

8

SLIDE 9

0.2 0.4 0.6 0.8 1 2 1 4

7

2 1 4

1

2 1 5

1

2 1 5

4

2 1 5

7

2 1 5

1

2 1 6

1

2 1 6

4

2 1 6

7

2 1 6

1

2 1 7

1

2 1 7

4

2 1 7

7

10 20 30 40 50 60 70 80 90 Proportion of all attacks that we observe Number of honeypots in operation # A+B # A CHARGEN DNS NTP SSDP

9

SLIDE 10

NTP

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 60 120 Frequency of attacks (millions) Duration of attack (minutes)

10

SLIDE 11

NTP

0.1 0.2 0.3 0.4 0.5 0.6 60 120 P(attack ends in <5min | duration) Duration of attack (minutes)

11

SLIDE 12

200 400 600 800 1000 1200 1400 2015-09 2015-11 2016-01 2016-03 2016-05 2016-07 2016-09 Number of attacks Seen Missing

Vdos coverage NTP

12

SLIDE 13

Vdos coverage SSDP

100 200 300 400 500 600 700 800 900 2 1 5

9

2 1 5

1

1 2 1 6

1

2 1 6

3

2 1 6

5

2 1 6

7

2 1 6

9

Number of attacks Seen Missing

13

SLIDE 14

14

This was ethical

We reduce harm by absorbing atuack traffjc
We don’t reply to white hat scanners (no

tjmewastjng)

We used leaked data for validatjon, this was

necessary and did not increase harm.

We have a paper under submission on the

ethics of using leaked data for research.

SLIDE 15

15

Running a honeypot network is cheap (but we do it for you)

Median of 65 nodes.
200GB/month inbound per node.
Hostjng costs of $170/month (+stafg costs)
Need 10 to 100 sensors depending on

protocol.

Our collectjon is ongoing and you can use our
data. You can also contribute.

SLIDE 16

16

This is a solvable problem

BCP38/SAVE
Follow the money
Enforce the law
Warn customers it is illegal

SLIDE 17

17

Ongoing work

Selectjve reply (like Krupp et al. 2016)
More cross validatjon
Estjmate atuack volume
Collaboratjon

– What do you want to do with this data? – You can run our code. – Do you have ground truth for atuack volumes?

SLIDE 18

Daniel: 5017 A1EC 0B29 08E3 CF64 7CCD 5514 35D5 D749 33D9 Richard: 899A 94CE BFCE CCE2 5744 5ACE 3BBC CF52 A8B9 ECFB Alastair: 9217 482D D647 8641 44BA 10D8 83F4 9FBF 1144 D9B3

1000 days of UDP amplification DDoS attacks Daniel R. Thomas , - - PowerPoint PPT Presentation

1000 days of UDP amplification DDoS attacks

Daniel R. Thomas, Richard Clayton, Alastair R. Beresford

UDP scanning

Refmector 8.8.8.8 Attacker 192.168.25.4

big.gov IN TXT src: 192.168.25.4 dst: 8.8.8.8

(1) (2)

UDP refmectjon DDoS atuacks

Refmector 8.8.8.8 Attacker 192.168.25.4 Victim 172.16.6.2

big.gov IN TXT src: dst: 8.8.8.8

We run lots of UDP honeypots

mDNS, LDAP

Estjmatjng total atuacks using capture-recapture

A=160 B=200

Estimated population: 400 ± 62 80 80

NTP

NTP

Vdos coverage NTP

Vdos coverage SSDP

This was ethical

tjmewastjng)

necessary and did not increase harm.

ethics of using leaked data for research.

Running a honeypot network is cheap (but we do it for you)

protocol.

This is a solvable problem

Ongoing work

Daniel R. Thomas Richard Clayton Alastair R. Beresford

Firstname.Lastname@cl.cam.ac.uk

Data is available through the Cambridge Cybercrime Centre

https://cambridgecybercrime.uk/