backbone network drdos attack monitoring and analysis
play

Backbone Network DRDoS Attack Monitoring and Analysis YANG XU, - PowerPoint PPT Presentation

Sep 13, 2022 •18 likes •238 views

Backbone Network DRDoS Attack Monitoring and Analysis YANG XU, QITIAN SU Twitter: @xuy1202 @suqitian Network Security Research Lab, Qihoo 360 http://netlab.360.com/ FloCon 2017 Backbone Network DRDoS Attack Monitoring and Analysis Thread

  1. Backbone Network DRDoS Attack Monitoring and Analysis YANG XU, QITIAN SU Twitter: @xuy1202 @suqitian Network Security Research Lab, Qihoo 360 http://netlab.360.com/ FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  2. Thread Research, Security Basic Data, See More: Our Team, Our Goal - DDoS monitoring - Scanner tracking - Bot-Net tracking - DGA cracking - Fast-flux - Phishing - ⋯⋯ FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  3. WHY DRDoS Most Popular DDoS Method Un-control Side Effects Hard To Trace Lasting Damage FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  4. Corporate Network Exported Corporate Network Corporate Network Analyser NetFlow Collector NetFlow NetFlow NetFlow Collecting Corporate Network Data Center Data Center Large Tier-1 ISP Internet Backbone Network FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  5. PDNS Collecting 1: small data; clean data 2: with client info; know query to me, NO know query to others; src port; query transaction id 3: client focused perspective, richer info Recursive Server Authoritative Server More Details See: https://blog.opendns.com/2014/07/16/difference-authoritative-recursive-dns-nameservers/ FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  6. BIIIIG Data NetFlow - 30B/day on average, 3M/second at peak PDNS - 300B/day on average, 5M/second at peak 200 M IP’s Activities / per day 1/10 of Chinese DNS data, 99% coverage of Chinese Domain IPv6 only accounts less than 5% of all traffic in China, now we don't take it into consideration. FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  7. Case in Netflow https://ddosmon.net/explore/35.161.1.80 FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  8. Case in DNS https://ddosmon.net/explore/171.13.38.152 FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  9. cpsc.gor\013 Attack Fail Case ICMP Unreachable (0x0300 - 0x030f) FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  10. Daily Average DDoS Events 37w+, for 5w+ victim IPs Attack Events Statistic Daily Average DRDoS Events 25w+, for 3w+ victim IPs DRDoS accounted for 65%+ of all DDoS attacks FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  11. Cross Validation DDoS in Netflow DRDoS in Netflow DNS Reflection in DNS DNS Reflection in Netflow DDoS in Netflow DRDoS in Netflow DNS Reflection in Netflow DNS Reflection in DNS FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  12. 0% NTP 15.00% 29.92% 32.60% 8.13% 14.35% DNS CharGEN 100.0% 2.99% Others SSDP Others 32.60% 62.52% 77.52% 85.65% 100% DETAILS 97.01% 0.53% LDAP DRDoS Attack Vector 87.69% 2.04% NTP + DNS Big Head / Stable Proportion Detection of New Vector, like TFTP / LDAP 32.60% 32.60% DNS 62.52% 29.92% NTP 77.52% 15.00% CharGEN 85.65% 8.13% SSDP 89.65% 1.96% BitTorrent 96.48% 0.54% SSDP + CharGEN 91.18% 1.53% L2TP 92.17% 0.99% NTP + SSDP 93.14% 0.97% NTP + SNMP 93.99% 0.85% NTP + TFTP + SNMP 94.74% 0.75% L2TP + DNS 95.40% 0.66% SNMP 95.94% 0.54% NTP + SNMP FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  13. 0% 96.58% 0.24% leth.cc 17.97% Others defcon.org 100% 80.22% 62.52% cpsc.gov 19.78% 62.25% DETAILS 100.0% 3.03% Others 96.97% 0.16% defcongroups.org 96.81% 0.23% d51.ru 96.34% 0.27% activum.nu DNS Reflection Attack Vector 96.07% 0.30% doc.gov 95.77% 0.34% hoffmeister.be 95.43% 0.42% wapa.gov 95.01% 0.59% isc.org 94.42% 1.21% commerce.gov 93.21% 1.83% nih.gov 91.38% 2.42% kth.se 88.96% 3.98% 1x1.cz 84.98% 4.76% aids.gov 80.22% 17.97% defcon.org 65.25% 65.25% cpsc.gov Some new domain will appear from time to time: hrsa.gov Big Big Head FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  14. DNS Reflection Attack Vector FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  15. Change DNS Records? Block Domain Query? Normal Query vs. Spoofed Attack Query? Block “ANY Query”? FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  16. 6444 1804 Others Events Unique IPs Service 97265531 4111887 ALL 89749356 3928766 SSDP 4860920 58404 NTP 1345522 85237 DNS 517370 9970 Portmap 679896 8330 CharGEN 52162 8858 SNMP 22206 10013 Kad 19067 505 TFTP 12588 4100 mDNS ALL Amplifier In Netflow DETAILS Occurs LifeTime count == 1 count == 2 time == 0 count == 3 3 < count < 10 0 < time <= 1 hour count >= 10 1 hour < time <= 12 hours 12 hours < time <= 24 hours time > 1 day FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  17. DNS Amplifier In Netflow In Last 6 Months:1345522 DNS Amplifier Events ,85237 Unique Amplifier IPs 39.68% 61.53% 22.53% Unique IPs Attack Events TOP1000 1.2% 303088 22.53% TOP3000 3.5% 533893 39.68% TOP9000 10.5% 827821 61.53% FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  18. 78.25% DNS Amplifier In DNS 88.11% 62.17% In Last 30 days:143491 DNS Amplifier Events ,6175 Unique Amplifier IPs Unique IPs Attack Events TOP100 1.6% 89205 62.17% TOP200 3.2% 112283 78.25% TOP500 8.1% 126434 88.11% FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  19. DNS Amplifier validated in PDNS data All DNS Amplifier dig scan All Unknown statistic of 30 days data “Live”Open Resolver “Live” Open Resolver Authority Server Attack Queries Only Dead UnKnown Combined Queries Unknown Authority Server FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  20. Near Source vs. Near Target? Block Amplifier? Block or “Partial Block”? Self Block? FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  21. https://ddosmon.net/ // realtime DDoS attcks Further Work http://data.netlab.360.com/ // all kinds of open data Share ideas, share data, hands together, for better cyber. FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

  22. Thanks FloCon 2017 | Backbone Network DRDoS Attack Monitoring and Analysis

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Analysis of link failures in an Analysis of link failures in an IP backbone network IP backbone

Analysis of link failures in an Analysis of link failures in an IP backbone network IP backbone

Analysis of link failures in an Analysis of link failures in an IP backbone network IP backbone network Gianluca Iannaccone Gianluca Iannaccone Sprint ATL Sprint ATL joint work with: Chen-Nee Chuah, UC Davis Richard Mortier, Microsoft

231 views • 10 slides
Introduction Attack Graphs Model Creation Analysis of Attack Graphs

Introduction Attack Graphs Model Creation Analysis of Attack Graphs

EVA Evolutionary Vulnerability Analyzer A Framework for Network Analysis and Risk Assessment Dr. Melissa Danforth Department of Computer Science California State University, Bakersfield Introduction Attack Graphs Model Creation

684 views • 50 slides
INFINIBAND NETWORK ANALYSIS AND MONITORING USING OPENSM N. Dandapanthula 1 , H. Subramoni 1 , J.

INFINIBAND NETWORK ANALYSIS AND MONITORING USING OPENSM N. Dandapanthula 1 , H. Subramoni 1 , J.

INFINIBAND NETWORK ANALYSIS AND MONITORING USING OPENSM N. Dandapanthula 1 , H. Subramoni 1 , J. Vienne 1 , K. Kandalla 1 , S. Sur 1 , D. K. Panda 1 , and R. Brightwell 2 Presented By Xavier Besseron 1 Date: 08/30/2011 1 Network-Based Computing

878 views • 26 slides
Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka Savola Introduction Describes a view of ISP backbone network attacks Lots of folks in IETF and elsewhere had quite different ideas whats out

529 views • 9 slides
Network Threats &amp; Attacks 1 Internet Structure backbone ISP local network Internet

Network Threats &amp; Attacks 1 Internet Structure backbone ISP local network Internet

CS 134 Winter 2018 Lecture 16 Network Threats &amp; Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) collection of IP networks under control local network of a single

769 views • 54 slides
How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and

How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and

MonNet a project for network and traffic monitoring How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University of Technology

760 views • 21 slides
Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Lecture 17 CS 134 Spring 2019 Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) local network collection of IP networks under control of a

643 views • 25 slides
A Network Black Box with Splunk for Forensic Analysis of Attack Patterns Clive Blackwell Oxford

A Network Black Box with Splunk for Forensic Analysis of Attack Patterns Clive Blackwell Oxford

A Network Black Box with Splunk for Forensic Analysis of Attack Patterns Clive Blackwell Oxford Brookes University Oxford, United Kingdom CBlackwell@brookes.ac.uk Roadmap Three layer architectural security model Influenced by OSI

782 views • 37 slides
Network Telescope Data Analysis: IBR Monitoring telescope/darknets/darkspace, 22 Mar 11 Nevil

Network Telescope Data Analysis: IBR Monitoring telescope/darknets/darkspace, 22 Mar 11 Nevil

Network Telescope Data Analysis: IBR Monitoring telescope/darknets/darkspace, 22 Mar 11 Nevil Brownlee IBR Monitoring CAIDA, 2011 p.1/17 Background, Earlier Work Moore, Shannon et al, CAIDA/UCSD, 2000..2006 telescope gives a whole-world

321 views • 17 slides
Collective Impact Network 2016 PAN Fall Conference Presented By: J. Evin Jones Backbone Support

Collective Impact Network 2016 PAN Fall Conference Presented By: J. Evin Jones Backbone Support

Provincial HIV and HCV Collective Impact Network 2016 PAN Fall Conference Presented By: J. Evin Jones Backbone Support for Collective Impact Network PAN has signed a contract with the PHSA to provide backbone support in developing a

311 views • 9 slides
Analysis, and Monitoring Developed by the SEEP Network Financial Services Working Group and

Analysis, and Monitoring Developed by the SEEP Network Financial Services Working Group and

Measuring Performance of Microfinance Institutions: A Framework for Reporting, Analysis, and Monitoring Developed by the SEEP Network Financial Services Working Group and Alternative Credit Technologies, LLC OVERVIEW Presentation

794 views • 48 slides
Attacks on the global financial network SWIFT: A case analysis and Detection of Payment Fraud

Attacks on the global financial network SWIFT: A case analysis and Detection of Payment Fraud

Attacks on the global financial network SWIFT: A case analysis and Detection of Payment Fraud Global Readiness Hiscox Cyber Readiness Report 2017 57% Experienced an attack in the past year The incidence of cyber-attack is 42% have to

738 views • 15 slides
Metadata Management of Terabyte Datasets from an IP Backbone Network: Experience and Challenges

Metadata Management of Terabyte Datasets from an IP Backbone Network: Experience and Challenges

Metadata Management of Terabyte Datasets from an IP Backbone Network: Experience and Challenges Sue B. Moon and Timothy Roscoe Sprint Advanced Technology Laboratories 1 Adrian Court Burlingame, CA 94010 { sbmoon,troscoe } @sprintlabs.com

60 views • 5 slides
Monitoring backbone networks Manuel ubredu , Valeriu Vraciu RoEduNet Chiinu , September

Monitoring backbone networks Manuel ubredu , Valeriu Vraciu RoEduNet Chiinu , September

R O E N M A N I A N D U C A T I O N E T W O R K Ro Net Edu Monitoring backbone networks Manuel ubredu , Valeriu Vraciu RoEduNet Chiinu , September 9, 2014 Agenda Why ? What ? How ? Tools ? Facts !

423 views • 20 slides
Enterprise-Level Network Traffic Analysis and Security Monitoring Martin Arlitt and Carey

Enterprise-Level Network Traffic Analysis and Security Monitoring Martin Arlitt and Carey

Enterprise-Level Network Traffic Analysis and Security Monitoring Martin Arlitt and Carey Williamson Department of Computer Science University of Calgary Outline Introduction (Carey: 20 minutes) Internet TCP/IP protocol stack

959 views • 48 slides
Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche , C

Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche , C

List decoding of RM(1,m) and Multi-linear cryptanalysis Application to Power Analysis attacks : MLPA Conclusion and Open persp Yet another side-channel attack: Multi-linear Power Analysis attack (MLPA) Thomas Roche , C edric Tavernier

625 views • 29 slides
Design and Construction of a Variable Gain Amplifier for Tunable Diode Laser Spectroscopy Robert

Design and Construction of a Variable Gain Amplifier for Tunable Diode Laser Spectroscopy Robert

Design and Construction of a Variable Gain Amplifier for Tunable Diode Laser Spectroscopy Robert Moffatt Thomas Jefferson High School for Science and Technology Laboratory:NRL Mentor: Dr. James W. Fleming Introduction My project

338 views • 15 slides
Investor Relations Update As of May 1, 2019 Safe Harbor Statement Except for historical

Investor Relations Update As of May 1, 2019 Safe Harbor Statement Except for historical

Investor Relations Update As of May 1, 2019 Safe Harbor Statement Except for historical information contained herein, the matters set forth in this presentation contain forward- looking statements, including industry market projections; our

674 views • 28 slides
A CASE STUDY TO APPREHEND A CASE STUDY TO APPREHEND RF SUSCEPTIBILITY OF RF SUSCEPTIBILITY OF

A CASE STUDY TO APPREHEND A CASE STUDY TO APPREHEND RF SUSCEPTIBILITY OF RF SUSCEPTIBILITY OF

A CASE STUDY TO APPREHEND A CASE STUDY TO APPREHEND RF SUSCEPTIBILITY OF RF SUSCEPTIBILITY OF OPERATIONAL AMPLIFIERS OPERATIONAL AMPLIFIERS A. Boyer 1,2 , Etienne Sicard 1 1 INSA Toulouse, University of Toulouse, 31077 Toulouse, France 2

379 views • 22 slides
Remaining useful life prediction of IGBTs Date: 2018-06-14 in MRI gradient amplifiers

Remaining useful life prediction of IGBTs Date: 2018-06-14 in MRI gradient amplifiers

Reference: P1806141249 Remaining useful life prediction of IGBTs Date: 2018-06-14 in MRI gradient amplifiers Author(s): Martijn Patelski Distribution: PE Event 2018 attendees Reference: P1806141249R01 Template PN: 6001-1246-5511 a

487 views • 22 slides
Suren Singh Lead Application Engineer Millimeter and THz Solutions Agilent Technologies Agenda

Suren Singh Lead Application Engineer Millimeter and THz Solutions Agilent Technologies Agenda

Active Device Characterization At Millimeter Wave Frequencies Suren Singh Lead Application Engineer Millimeter and THz Solutions Agilent Technologies Agenda Millimeter wave and THz applications Measurement Solution Basic system

653 views • 52 slides
All-Optical Wavelength Conversion for NRZ-OOK Signal based on Four-Wave Mixing in a Silicon

All-Optical Wavelength Conversion for NRZ-OOK Signal based on Four-Wave Mixing in a Silicon

All-Optical Wavelength Conversion for NRZ-OOK Signal based on Four-Wave Mixing in a Silicon Waveguide Simon Lindsthl &amp; Elias Riedel Grding Supervisors: Prof. Gao Shiming and Yang Xiong, Laser group Centre for Optical and Electromagnetic

137 views • 13 slides
Build your own RTL tools ! E2v Satcom product range acquired in April 14 Located in Hook

Build your own RTL tools ! E2v Satcom product range acquired in April 14 Located in Hook

Satellite Uplink Amplifier Specialists EUROPES DEDICATED SATELLITE AMPLIFIER MANUFACTURER Build your own RTL tools ! E2v Satcom product range acquired in April 14 Located in Hook (45mins LHR Airport) Private, British Company, run by

624 views • 35 slides
Ultrasound Brain Imaging, Drive Circuitry Team Information Client and Faculty Adviser Info

Ultrasound Brain Imaging, Drive Circuitry Team Information Client and Faculty Adviser Info

Ultrasound Brain Imaging, Drive Circuitry Team Information Client and Faculty Adviser Info Dr. Timothy Bigelow DEC1619 Team Members Miguel Mondragon, Team Leader and Communications Zechariah Pettit, Webmaster

579 views • 41 slides

More recommend