
A First Joint Look at DoS Attacks and BGP Blackholing in the Wild - PowerPoint PPT Presentation



  1. A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras (UTwente) Alberto Dainotti (CAIDA / UC San Diego) Anna Sperotto (UTwente)

  2. Denial-of-Service attacks
     ● A conceptually simple, yet effective class of attacks
       – … that have gained a lot in popularity over the last years
       – … are also offered “as-a-Service” (Booters)
     ● Some well-known incidents illustrate the threat/risks
       – e.g., attacks on Dyn & GitHub (memcached)
     ● DoS has become one of the biggest threats to Internet stability & reliability

  3. BGP blackholing
     ● Is a technique that can be used to mitigate DoS attacks
     ● Leverages the BGP control plane to drop network traffic
     ● BGP communities are used to signal blackholing requests
       – by “tagging” prefix announcements with <asn:value>
       – 666 is a common value for blackholing
     ● Is very “coarse-grained”, meaning all network traffic destined to a prefix is indiscriminately dropped

  4. A missing piece of the puzzle
     ● Given its coarse-grained nature, we wonder if blackholing is used only in extreme cases
     ● A clear understanding of how blackholing is used in practice when DoS attacks occur is missing
     ● We use large-scale, longitudinal (3y) data sets on DoS attacks and blackholing to get more insights into operational practices

  5. Part 1: Blackholed Attacks

  6. UCSD Network Telescope [data set 1/3]
     ● A large, /8 network telescope operated by UC San Diego
     ● Captures backscatter from DoS activity in which source IP addresses are randomly and uniformly spoofed
     ● We use the classification methodology by Moore et al. to infer DoS attacks [1]
     [1] Moore et al., “Inferring Internet Denial-of-service Activity”, in ACM TOCS 2006

  7. Amplification Honeypots [data set 2/3]
     ● Honeypots
       – … mimic reflectors abused in reflection attacks (e.g., NTP)
       – … try to be appealing to attackers by offering large amplification
       – … capture attempts at reflection
     ● We use logs from 24 honeypot instances that are geographically & logically distributed
       – From the AmpPot project (Christian Rossow, CISPA) [1]
     [1] Krämer et al., “AmpPot: Monitoring and Defending Against Amplification DDoS Attacks”, in RAID 2015

  8. Inferred blackholing events [data set 3/3]
     ● Scan BGP collector data for blackholing activity, using public BGP data: RIPE RIS and UO Route Views
     ● Use BGPStream framework for BGP data analysis [1]
     ● Match BGP updates against dictionary of known BH communities [2]
     [1] Orsini et al., “BGPStream: A Software Framework for Live and Historical BGP Data Analysis”, in IMC 2016
     [2] Giotsas et al., “Inferring BGP blackholing activity in the internet”, in IMC 2017
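As an added example (not the authors' BGPStream pipeline), the matching step of slide 8 replayed over constructed bgpdump-style update lines: an announcement carrying a community from the dictionary of known blackholing communities opens a BH event for that prefix and peer, and a withdrawal or a re-announcement without such a community closes it (the activation/deactivation semantics of slide 20). The ASNs, community values other than 666, prefixes and timestamps are all constructed.

```python
from dataclasses import dataclass

# Constructed dictionary of known blackholing communities (asn:value).
# 64500 and 64501 are documentation ASNs; 666 is the conventional BH value.
BH_COMMUNITIES = {"64500:666", "64501:9999"}

# Constructed update lines in a simplified bgpdump -m layout:
# type|ts|A or W|peer_ip|peer_asn|prefix|as_path|origin|next_hop|lp|med|communities
SAMPLE_UPDATES = [
    "BGP4MP|1000|A|10.0.0.1|64500|192.0.2.7/32|64500 64496|IGP|10.0.0.1|0|0|64500:666",
    "BGP4MP|1005|A|10.0.0.1|64500|192.0.2.0/24|64500 64496|IGP|10.0.0.1|0|0|64500:100",
    "BGP4MP|4600|W|10.0.0.1|64500|192.0.2.7/32",
    "BGP4MP|5000|A|10.0.0.2|64501|198.51.100.9/32|64501 64497|IGP|10.0.0.2|0|0|64501:9999 64501:1",
    "BGP4MP|6000|A|10.0.0.2|64501|198.51.100.9/32|64501 64497|IGP|10.0.0.2|0|0|64501:1",
]

@dataclass
class BHEvent:
    ts: int
    prefix: str
    peer_asn: int
    kind: str  # "activation" or "deactivation"

def infer_bh_events(lines, bh_communities=BH_COMMUNITIES):
    """Replay updates in time order and emit BH activations/deactivations
    per (prefix, peer) pair."""
    active = {}      # (prefix, peer_asn) -> activation timestamp
    events = []
    for line in lines:
        f = line.strip().split("|")
        ts, kind, peer_asn, prefix = int(f[1]), f[2], int(f[4]), f[5]
        key = (prefix, peer_asn)
        if kind == "A":
            comms = set(f[11].split()) if len(f) > 11 else set()
            tagged = bool(comms & bh_communities)
            if tagged and key not in active:
                active[key] = ts
                events.append(BHEvent(ts, prefix, peer_asn, "activation"))
            elif not tagged and key in active:
                # re-announcement without the BH community ends the event
                del active[key]
                events.append(BHEvent(ts, prefix, peer_asn, "deactivation"))
        elif kind == "W" and key in active:
            del active[key]
            events.append(BHEvent(ts, prefix, peer_asn, "deactivation"))
    return events

if __name__ == "__main__":
    for e in infer_bh_events(SAMPLE_UPDATES):
        print(e)
```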

  9.–13. Measurement systems placement (one figure, built up over five slides)
     Figure: attacking host(s) (e.g., a botnet) send traffic over an interconnecting link towards the victim AS (Victim IP: victim-addr), which sits behind a provider AS.
     ● Randomly spoofed SYN flood: SYN with Src: 123.4.5.6 (randomly spoofed), Dst: victim-addr; the victim's SYN|ACK backscatter (Src: victim-addr, Dst: 123.4.5.6) lands in the UCSD-NT network telescope (123.0.0.0/8).
     ● Reflection & amplification: DNS query with Src: victim-addr, Dst: reflector-addr; DNS answer with Src: reflector-addr, Dst: victim-addr; the abused amplifiers include the AmpPot honeypots.
     ● Blackholing request from the victim AS to the provider AS for prefix: victim-addr/32, observed at a BGP collector.

  14. Attacks are mitigated within minutes
     ● More than half of attacks mitigated within minutes
       – 84.2% within ten minutes
       – takes longer than six hours for only 0.02%
     ● Suggests use of automated, rapid detection and mitigation

  15. Blackholing endures after attacks end
     ● Deactivated within three hours following 74.8% of BH’d attacks
     ● For 3.9% it takes more than 24 hours
       – Suggests lack of automation in recovery
     ● Side effects of coarse-grained technique extend well beyond duration of attack

  16. Less intense attacks are also BH’d
     ● ~2/3rd of BH’d attacks (against ~9/10th of all attacks) have an intensity of up to ~300Mbps (100pps)
     ● 13.1% see at most 3Mbps (1pps), showing that operators take drastic measures for less intense attacks
     ● Similar findings for reflection attacks (see paper)
     ● Results confirm Moore et al. methodology at scale (USENIX ‘01)
     ● Corroborates our previous finding of ~30k attacks/day (IMC ‘17) [1]
     [1] Jonker et al., “Millions of Targets Under Attack: a Macroscopic Characterization of the DoS Ecosystem”, in IMC 2017

  17. Attacks we do not see
     ● Match blackholing events with preceding attacks

       source             | #BH events            | #BH’d prefixes
       -------------------|-----------------------|-----------------------
       UCSD-NT ⋃ AmpPot   | 363.0k / 1.3M (27.8%) | 45.2k / 146.2k (30.9%)

     ● We match 27.8% of BH events with DoS attacks
     ● Results do not allow us to infer the fraction of other types of attacks (e.g., direct and unspoofed)
     ● However, highlights that reflection and randomly spoofed DoS represent a significant share of DoS that operators had to deal with
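The matching of slides 14, 15 and 17 on constructed data, as an added example that is not the authors' code: each BH event is paired with the latest preceding attack on an IP inside the blackholed prefix, which yields the time-to-mitigation (activation minus attack start, slide 14), the time blackholing lingers after the attack ends (slide 15) and the matched fraction (slide 17). The 6-hour matching window `max_gap` is an assumption of this example, not a value from the slides; all IPs, prefixes and timestamps are constructed.

```python
import ipaddress

# Constructed DoS attacks as they would be inferred from the telescope/honeypot
# data: (target IP, start, end) in Unix seconds.
ATTACKS = [
    ("192.0.2.7", 1000, 4000),
    ("198.51.100.9", 5000, 9000),
    ("203.0.113.5", 100, 200),
]
# Constructed BH events: (prefix, activation, deactivation).
BH_EVENTS = [
    ("192.0.2.7/32", 1120, 4600),        # BH'd 2 min after start, lingers 10 min
    ("198.51.100.9/32", 5900, 100000),   # lingers > 24 h after the attack ends
    ("203.0.113.0/24", 50000, 60000),    # attack far too old to be the trigger
    ("192.0.2.8/32", 7000, 8000),        # no attack observed at all
]

def match_bh_to_attacks(bh_events, attacks, max_gap=6 * 3600):
    """Pair each BH event with the latest attack on an IP inside the blackholed
    prefix that started at most max_gap seconds before activation
    (max_gap is an assumed window, not a value from the slides)."""
    matched = []
    for prefix, act, deact in bh_events:
        net = ipaddress.ip_network(prefix)
        cands = [a for a in attacks
                 if ipaddress.ip_address(a[0]) in net and 0 <= act - a[1] <= max_gap]
        if not cands:
            continue
        target, start, end = max(cands, key=lambda a: a[1])
        matched.append({"prefix": prefix, "target": target,
                        "time_to_mitigation": act - start,   # slide 14
                        "overhang": deact - end})            # slide 15
    return matched

def bucket(seconds):
    """Coarse duration bins corresponding to those quoted on slides 14 and 15."""
    for limit, label in ((600, "<=10min"), (3 * 3600, "<=3h"),
                         (6 * 3600, "<=6h"), (24 * 3600, "<=24h")):
        if seconds <= limit:
            return label
    return ">24h"

def matched_fraction(bh_events, attacks):
    """Share of BH events that can be attributed to an observed attack (slide 17)."""
    return len(match_bh_to_attacks(bh_events, attacks)) / len(bh_events)

if __name__ == "__main__":
    for m in match_bh_to_attacks(BH_EVENTS, ATTACKS):
        print(m, bucket(m["time_to_mitigation"]), bucket(m["overhang"]))
    print("matched fraction:", matched_fraction(BH_EVENTS, ATTACKS))
```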

  18. Part 2: Service Collateral

  19. DNS Measurements [data set 1/2]
     ● Large dataset of active DNS measurements
     ● Provides mappings from IPv4 to:
       – Websites (www. → A RR)
       – Mail exchangers (MX → A)
       – Authoritative nameservers (NS → A)
     ● We use .com, .net & .org (~50% of global namespace)

       type | #prefixes    | #names associated (overall) | #names associated (no-alt) | ratio
       -----|--------------|-----------------------------|----------------------------|------
       Web  | 13.7k (9.3%) | 782k                        | 670k                       | 0.86
       Mail | 2247 (1.5%)  | 180k                        | 177k                       | 0.98
       NS   | 1176 (0.8%)  | 10k                         | 10k                        | 0.99

  20. Reactive measurements [data set 2/2]
     ● Reactively measure blackholed /32s
       – Upon BH activation (i.e., announcement) and deactivation (i.e., withdrawal/re-announcement)
       – Subject to various heuristics (max 4 in /24, spacing, ...)
     ● Use RIPE Atlas to send traceroutes
       – From probes in peer, customer & provider networks
     ● Scan a handful of IANA-assigned ports
       – For Web, mail and DNS
       – From a single VP

  21. Inferring blackhole (in)efficacy
     Port probes
     ● Exclusively open state on deactivation → infer efficacy
     ● Open on activation → infer inefficacy
     ● Other cases → inconclusive
     Traceroutes
     ● Exclusively last_hop_is_destination on deactivation → infer efficacy
     ● last_hop_is_destination on activation → infer inefficacy

  22. Port probe inferences (a: open on activation, d: open on deactivation)

       service response | Web    | Mail   | DNS
       -----------------|--------|--------|-------
       a ⋃ d (#)        | 2886   | 464    | 528
       a ⋂ d            | 6.98%  | 8.41%  | 11.36%
       a \ d            | 0.38%  | 0.43%  | 0.76%
       d \ a            | 92.64% | 91.16% | 87.88%

     ● Jointly, we infer efficacy in 95.25% of “coverable” cases
     ● The a \ d category is near-zero, which supports the chosen methodology

  23. Traceroute inferences

       Probe network | #groups | Efficacy | Inefficacy | ⋂
       --------------|---------|----------|------------|------
       peer          | 5.0k    | 29%      | 8%         | 1.0%
       provider      | 5.4k    | 29%      | 6%         | 0.8%
       customer      | 2.0k    | 17%      | 8%         | 2.1%

     ● Jointly, we infer efficacy significantly more often than inefficacy
     ● But our “coverage” is limited (i.e., last hops never respond)
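The inference rules of slide 21 applied to constructed measurements, as an added example that is not the authors' tooling, producing the a ⋃ d / a ⋂ d / a \ d / d \ a tabulation of slides 22 and 23 for both port probes and traceroutes. The port-to-service mapping, the target address, the port states and the last hops are all constructed assumptions.

```python
from collections import Counter

SERVICE_PORTS = {"web": (80, 443), "mail": (25,), "dns": (53,)}   # assumed mapping

# Constructed observations for one blackholed /32 (192.0.2.7): port states seen
# from a single vantage point and the last hop of a traceroute, each taken on
# BH activation ("a") and deactivation ("d").
OBSERVATIONS = {
    "e1": {"a": {"ports": {80: "filtered", 443: "filtered"}, "last_hop": "10.0.0.9"},
           "d": {"ports": {80: "open", 443: "open"}, "last_hop": "192.0.2.7"}},
    "e2": {"a": {"ports": {80: "open"}, "last_hop": "192.0.2.7"},
           "d": {"ports": {80: "open"}, "last_hop": "192.0.2.7"}},
    "e3": {"a": {"ports": {80: "closed"}, "last_hop": None},
           "d": {"ports": {80: "closed"}, "last_hop": None}},
    "e4": {"a": {"ports": {443: "open"}, "last_hop": "192.0.2.7"},
           "d": {"ports": {443: "filtered"}, "last_hop": "10.0.0.9"}},
}

def classify(a, d):
    """Slide 21 rules on two booleans: reachable on activation / on deactivation."""
    if a and d:
        return "a∩d", "inefficacy"
    if a:
        return "a\\d", "inefficacy"
    if d:
        return "d\\a", "efficacy"
    return None, "inconclusive"          # outside a∪d, i.e. not coverable

def port_reachable(obs, service):
    """Port-probe view: any of the service's ports in open state."""
    return any(obs["ports"].get(p) == "open" for p in SERVICE_PORTS[service])

def trace_reachable(obs, target):
    """Traceroute view: last_hop_is_destination."""
    return obs["last_hop"] == target

def summarize(observations, reachable):
    """Tabulate categories (as on slides 22/23) relative to the coverable set a∪d."""
    cats, verdicts = Counter(), Counter()
    for ev in observations.values():
        cat, verdict = classify(reachable(ev["a"]), reachable(ev["d"]))
        verdicts[verdict] += 1
        if cat:
            cats[cat] += 1
    coverable = sum(cats.values())
    pct = {c: round(100.0 * n / coverable, 2) for c, n in cats.items()} if coverable else {}
    return {"a∪d": coverable, "pct": pct, "verdicts": dict(verdicts)}

if __name__ == "__main__":
    print(summarize(OBSERVATIONS, lambda o: port_reachable(o, "web")))
    print(summarize(OBSERVATIONS, lambda o: trace_reachable(o, "192.0.2.7")))
```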
