Beyond 400 Gbps: Abusing NTP and Other Protocols for DDoS



SLIDE 1

Beyond 400 Gbps: Abusing NTP and Other Protocols for DDoS

Christian Rossow

VU University Amsterdam FIRST TC, April 2014, Amsterdam

SLIDE 2

About me: Christian Rossow

- PostDoc at VU Amsterdam
  - Syssec group of Herbert Bos
- PostDoc at Ruhr University Bochum
  - Syssec group of Thorsten Holz
- Other affiliations
  - 2006 – 2013: Institute for Internet Security
  - Internships at ICSI (Berkeley), TU Vienna, Symantec
  - Symantec fellowship award 2013

SLIDE 3

Amplification DDoS Attacks

[Figure: attack flow between attacker, amplifier and victim]

SLIDE 4

Amplification Attacks in Practice

[Figure: Cloudflare blog post, March 2013]
[Figure: Cloudflare blog post, February 2014]

SLIDE 5

Attack

SLIDE 6

14 Network Protocols Vulnerable to Amplification

[Figure: protocol years shown on the slide: '87, '90, '88, '87, '99, '83, '83, '99, 2003, 2001, 2002]

SLIDE 7

Measuring Amplification Rates (1/2)

- Bandwidth Amplification Factor (BAF)

  BAF = UDP payload bytes at victim / UDP payload bytes from attacker

- Packet Amplification Factor (PAF)

  PAF = # of IP packets at victim / # of IP packets from attacker

SLIDE 8

Measuring Amplification Rates (2/2)

[Chart: BAF per protocol on a log scale (1 to 10000) for SNMP, NTP, DNS-NS, DNS-OR, NetBios, SSDP, CharGen, QOTD, BitTorrent, Kad, Quake 3, Steam, ZAv2, Sality, Gameover; callouts on the chart read 4670x, 10x and 15x]

SLIDE 9

Number of Amplifiers

SLIDE 10

Defense

SLIDE 11

Let’s Play Defense

- Defensive Countermeasures
  - Attack Detection
  - Attack Filtering
  - Hardening Protocols
  - etc.

SLIDE 12

Attack Detection at the Victim

SLIDE 13

Attack Detection at the Amplifier

SLIDE 14

Attack traffic filtering

SLIDE 15

Protocol Hardening: DNS

- Secure your open recursive resolvers
  - Restrict resolver access to your customers
  - See: http://www.team-cymru.org/Services/Resolvers/instructions.html
  - Check your network(s) at http://openresolverproject.org/
- Rate-limit at authoritative name servers
  - Response Rate Limiting (RRL) – now also in BIND
  - See: http://www.redbarn.org/dns/ratelimits

SLIDE 16

Protocol Hardening: NTP

- Disable monlist at your NTP servers
  - Add to your ntp.conf: restrict default noquery
  - monlist is optional and not necessary for time sync
  - Check your network(s) at http://openntpproject.org/
- Filter monlist response packets
  - UDP source port 123 with IP packet length 468
  - Only very few (non-killer) legitimate monlist use cases
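
Added example, not from the slides: the BAF/PAF definitions of slide 7 and the monlist response filter signature of slide 16, implemented in Python over constructed packet records (the 8-byte monlist request size and the port numbers other than 123 and 53 are assumptions).

```python
from dataclasses import dataclass

IP_UDP_HEADERS = 20 + 8  # IPv4 header + UDP header, no IP options

@dataclass(frozen=True)
class Packet:
    """Minimal view of one UDP datagram (constructed records, not a capture)."""
    sport: int
    dport: int
    ip_len: int  # total IP packet length in bytes

    @property
    def udp_payload(self) -> int:
        return self.ip_len - IP_UDP_HEADERS

def amplification_factors(requests: list, responses: list) -> tuple:
    """BAF and PAF as defined on slide 7: UDP payload bytes (IP packets)
    arriving at the victim divided by those sent by the attacker."""
    if not requests:
        raise ValueError("need at least one request to compute a factor")
    baf = sum(p.udp_payload for p in responses) / sum(p.udp_payload for p in requests)
    paf = len(responses) / len(requests)
    return baf, paf

def is_monlist_response(p: Packet) -> bool:
    """Filter signature from slide 16: UDP source port 123, IP length 468."""
    return p.sport == 123 and p.ip_len == 468

def filter_monlist(packets) -> tuple:
    """Split traffic into (kept, dropped); ordinary 48-byte NTP replies pass."""
    kept, dropped = [], []
    for p in packets:
        (dropped if is_monlist_response(p) else kept).append(p)
    return kept, dropped

# Constructed sample (the 8-byte monlist request size is an assumption):
# one query to port 123 that names the victim as source, three 468-byte answers.
REQUESTS = [Packet(40000, 123, IP_UDP_HEADERS + 8)]
RESPONSES = [Packet(123, 40000, 468) for _ in range(3)]
LEGIT = [
    Packet(123, 40000, IP_UDP_HEADERS + 48),  # normal 48-byte NTP time reply
    Packet(53, 40000, 468),  # DNS reply of the same size from another port
]

if __name__ == "__main__":
    print("BAF=%.1f PAF=%.1f" % amplification_factors(REQUESTS, RESPONSES))
    kept, dropped = filter_monlist(RESPONSES + LEGIT)
    print(f"dropped {len(dropped)} monlist responses, kept {len(kept)}")
```

The filter keeps the 76-byte time reply and the equally sized DNS response, which is why the slide pairs the port with the exact length rather than matching on either alone.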

SLIDE 17

Further Countermeasures

- S.A.V.E. – Source Address Verification Everywhere
  - a.k.a. BCP38
  - Spoofing is the root cause of amplification attacks
- Implement proper handshakes in protocols
  - Switch to TCP
  - Re-implement such a handshake in UDP
- Rate limiting (with limited success)

SLIDE 18

Conclusion

SLIDE 19

Conclusion

- 14+ UDP-based protocols are vulnerable to amplification
- We can mitigate individual amplification vectors
  - NTP: down to 8% of vulnerable servers in 7 weeks
  - DNS: still 25M open resolvers – let's close them!
- S.A.V.E. would kill the problem at its root

SLIDE 20

Acknowledgements

- Thanks to
  - SURFnet, DFN-CERT, CERT/CC
  - John Kristoff (Team Cymru)
  - Jared Mauch (OpenXXXProject.org)
  - Harlan Stenn (NTF)
  - Alfred Reynolds (Valve Software)
  - Marc Kührer (Ruhr-University Bochum)
  - And many others.

SLIDE 21

Christian Rossow

VU University Amsterdam FIRST TC, April 2014, Amsterdam

Beyond 400 Gbps: Abusing NTP and Other Protocols for DDoS