discriminating reflective ddos attack tools at the
play

Discriminating reflective DDoS attack tools at the reflector Fons - PowerPoint PPT Presentation

Feb 24, 2024 •11 likes •531 views

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim fons.mijnen@os3.nl max.grim@os3.nl 2 DDoS attacks DDoS attacks are a problem internet users have faced for many years, and is still relevant today. 3 DDoS

  1. Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim fons.mijnen@os3.nl max.grim@os3.nl

  2. 2 DDoS attacks DDoS attacks are a problem internet users have faced for many years, and is still relevant today.

  3. 3 DDoS attacks DDoS attacks are a problem internet users have faced for many years, and is still relevant today. IoT and booter services have increased the bandwidth of DDoS attacks

  4. 4 DoS One attacker ▹ One DoS machine ▹ Bandwidth depletion ▹

  5. 5 DDoS One attacker ▹ Multiple DoS machines ▹ (zombies) Often includes a CnC ▹ machine

  6. 6 Reflective DDoS One attacker ▹ Multiple DoS machines ▹ (zombies) Often includes a CnC ▹ machine One or more reflectors ▹ Can amplify the output ▹

  7. 7 Amplified Reflective DDoS attack

  8. 8 The question Can we discriminate attack tools used in RDDoS attacks at the reflector Analyse network traffic ▹ Extract features ▹ Perform machine ▹ learning

  9. 9 Research question Can RDDoS tools be identified by looking at the network traffic send to a reflector? Do RDDoS attacks leave distinctive traces? ▹ Can a fingerprint be build using these traces? ▹ Can RDDoS attacks be correlated to the same attacker? ▹ Is it possible to identify the tool used in a RDDoS attack? ▹ Can machine learning be utilised to automate the identification process? ▹

  10. Introduction Background Methodology Results 1/2 Results 2/2 Conclusion Methodology Automating attack and collecting data 10

  11. 11 Data Fox-IT data Lab generated data Unlabeled ▹ Labeled ▹ Collected from honeypots ▹ Collected from own server ▹ Unknown number of attack ▹ Known number of attack scripts ▹ scripts Supervised learning ▹ Unsupervised learning ▹

  12. 12 DNS DDoS scripts Flooder Saddam Pastebin.com, written in C, multi-threaded, random UDP GitHub.com, written in Python, multi-threaded, random source port UDP source port Ethan Tsunami GitHub.com, written in C, single-threaded, fixed UDP Infosec-Ninjas, written in C, single-threaded, fixed UDP source port source port

  13. 13 Multiclass classification

  14. 14 Multiclass classification

  15. 15 Multiclass classification

  16. 16 Data collection Fully automated attacks ▹ PCAP’s collected at the resolver ▹

  17. 17 Data collection cont’d

  18. 18 Machine learning Randomly split into 90% train- and 10% test data ▹ 10-fold cross validation ▹

  19. 19 Azure Machine Learning SaaS ▹ Fast prototyping ▹ Visualisations ▹ Data import from HTTP server ▹

  20. Introduction Background Methodology Results 1/2 Results 2/2 Conclusion Results 1/2 Fox-IT data 20

  21. 21 Fox-IT dataset 1 25 packets per PCAP Observations: All packets almost identical ▹ DNS request in particular identical only changing the hostname ▹ Some field frequently change: ▹ DNS ID ▸ IP ID ▸ UDP Source Port ▸ Also the IP Total length and header checksum change ▹

  22. 22 Fox-IT dataset 1 (cont’d) Ignoring the frequently changing data types we find 1 difference: IP DS Field set to No other differences means we need to recognize patterns

  23. Capatalised domains VS non 23 capatalised 4 domains found: 'ARCTIC.GOV', 'NRC.GOV', 'hoffmeister.be', 'leth.cc'

  24. 24 Fox-IT dataset 1 Conclusion: Confident we found at least 2 different tools Need more packets / PCAP to perform pattern analysis

  25. 25 Fox-IT dataset 2 Contains 250 packets per PCAP 1868 PCAPs

  26. 26 Dataset 2: DS-Field PCAPs with at least one packet with a DS field set to 0x40 change DNS ID very little on average

  27. 27 Dataset 2: Malformed packets PCAPs containing 1 DNS ID never have malformed packets or have their DS field set

  28. 28 There is more Large group of PCAPs have not had their DS field set but have a ▹ significantly different DNS ID counts Some packets change the DNS ID, IP ID, and UDP sourceport together, ▹ some do not 3 PCAPs found with static DNS ID, IP ID and UDP sourceport ▹

  29. 29 How many tools did we find? ▹ Tool A: ~2 Unique DNS id's / 250 packets and DS Field set to 0x40 ▹ Tool B: Static DNS ID, UDP source port and IP ID ▹ Tool C: ~1 Unique DNS ID with changing UDP source port and IP ID, no DS Field / malformed packets ▹ Tool D: ~10-13 unique DNS ID's / 250 packets and no DS field set

  30. Introduction Background Methodology Results 1/2 Results 2/2 Conclusion Results 2/2 Lab generated data 30

  31. 31 Accuracy results Multiclass Logistic Multiclass Neural # captures Regression Network accuracy accuracy 100% 100% 1.000.000 100% 100% 10.000 100% 100% 1.000

  32. 32 Training with fewer features Trained with 71 features ▹ Can we work with less? ▹

  33. 33 MLR: Feature weighting flooder ethan saddam tsunami 0.622728 2.57913 -1.90491 -1.29728 dns.qry.class_unique -0.79392 0 1.90643 0 dns.id_unique_len -0.761273 0 1.87811 0 dns.qry.type_unique -0.122946 0 0 1.79175 ip.dsfield.dscp_unique -0.117052 0 1.53162 0 udp.srcport_unique_len -1.4457 0 0.421945 0.0336367 ip.id_longest_cons 0 1.07789 0 -0.249253 udp.checksum_used ... ... ... ... ... 0 0 0 0 dns.flags.z_unique

  34. 34 Training with fewer features Leaves 21 features ▹ Still 100% accuracy ▹

  35. 35 Principal Component Analysis

  36. 36 Multiclass Decision Jungle Builds multiple trees ▹ Downside: probability score ▹ always 100% One tree is enough for 100% accuracy

  37. 37 Decision tree code

  38. Introduction Background Methodology Results 1/2 Results 2/2 Conclusion Conclusion 38

  39. 39 Conclusion Do RDDoS attacks leave distinctive traces? Likely, though not necessarily true In practice, tools appear to be very similar ▹ Individual packets are practically identical ▸ Groups of packets show distinctive patterns ▸ Doable to create a 100% similar behaving tool ▹ Real possibility that one attacker uses multiple tools ▹

  40. 40 Conclusion (cont’d) Can machine learning be utilised to automate the identification process? In practice , clustering algorithms successfully used to identify ▹ different clusters of attacks Recognitions may be incomplete ▸ May be used to detect presence of new attacks ▸ In a lab environment , supervised learning looks promising ▹ May be tools out there that show identical behaviour ▸ Needs trained dataset in order to work ▸

  41. 41 Future work Training more tools Other protocols Combining victim side data Add more attack scripts Test if it’s possible to to the dataset discriminate attacks on Can captures at the other protocols: victim side help to identify more attacks? NTP ▹ SNMP ▹ SSDP ▹ CharGen ▹ etc. ▹

  42. 42 Special thanks Lennart Haagsma from Fox-IT

  43. 43 Thank you Any questions? For more details, drop by or: fons.mijnen@os3.nl ▹ max.grim@os3.nl ▹ This template is free to use under Creative Commons Attribution license and provided by SlidesCarnival.

  44. Extra 44

  45. 45 Distinct IP addresses appear to be openly recursive - The Shadowserver Foundation

  46. DBSCAN cluster of Fox-IT 46 dataset 2 By setting a high ε we ▹ can create clusters

  47. DBSCAN cluster of Fox-IT 47 dataset 2 By setting a high ε we ▹ can create clusters Adding flooder

  48. DBSCAN cluster of Fox-IT 48 dataset 2 By setting a high ε we ▹ can create clusters Adding sadam

  49. DBSCAN cluster of Fox-IT 49 dataset 2 Clustered based on: dns.id_longest_repeat ▹ dns.id_unique_len ▹ dns.rr.udp_payload_size_min ▹ ip.id_longest_repeat ▹ ip.id_unique_len ▹ ip.dsfield_unique_len ▹ udp.srcport_longest_repeat ▹ udp.srcport_unique_len ▹

  50. DBSCAN cluster of self 50 generated dataset 4 clusters for 4 tools ▹

  51. DBSCAN cluster of merged 51 dataset with sadam Shows new cluster for new ▹ attack tool

  52. DBSCAN cluster of merged 52 dataset with dns flooder Does not show new cluster ▹

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense Prevention DOS/DDoS Types Vulnerability attack Flooding attack DoS vs DDoS DoS: Attack is launched from single host Less

614 views • 26 slides
DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service

DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service

DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service attacks are a fact of life on the Internet Service disruption Sometimes employed as a smoke screen What this talk is and

799 views • 23 slides
COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure

COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure

COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure Application Services CONFIDENTIAL | DO NOT DISTRIBUTE Company 1. CONFIDENTIAL | DO NOT DISTRIBUTE Attack Tools over Time - Evolved Binary

385 views • 12 slides
Optical-Aware DDoS Defense Matt Hall, Ramakrishnan Durairajan, Guyue (Grace) Liu, Vyas Sekar

Optical-Aware DDoS Defense Matt Hall, Ramakrishnan Durairajan, Guyue (Grace) Liu, Vyas Sekar

Optical-Aware DDoS Defense Matt Hall, Ramakrishnan Durairajan, Guyue (Grace) Liu, Vyas Sekar DDoS Attacks A persistent threat on the global Internet Working from home new online tools for collaboration New tools new attack

405 views • 9 slides
On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao,

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao,

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang May 2019 | San Francisco, CA Transit-link DDoS attack: a powerful type of volumetric DDoS attack

438 views • 25 slides
DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How DDoS works UDP Data Client Server Response TCP DDoS Distributed denial-of-service attack Attacker targets a victim from a number of

356 views • 22 slides
Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent the access to a computer system to it's legitimate users. DDoS: DoS attack on the network using a lot of different source IP Why:

327 views • 16 slides
Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Introduction: Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation Attacker signals slaves to launch an attack on a specific target address (victim). Slaves then respond by Comp290: Network

275 views • 9 slides
A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter Reiher Manu Shantharam & David Hadka What is DoS? DoS A type of attack wherein access to computer resource / service is denied or

380 views • 18 slides
Our My first DDoS attack Velocity Europe 2011 Berlin Cosimo Streppone Operations Lead

Our My first DDoS attack Velocity Europe 2011 Berlin Cosimo Streppone Operations Lead

Our My first DDoS attack Velocity Europe 2011 Berlin Cosimo Streppone Operations Lead <video of Mr. Wolf going to Jimmy's house in Pulp Fiction> this couldn't fit in the PDF... sorry. http://www.youtube.com/watch?v=hsKv5d0sIlU

702 views • 44 slides
Design of a DDoS Attack-Resistant Distributed Spam Blocklist Jem E. Berkes Dept. Electrical and

Design of a DDoS Attack-Resistant Distributed Spam Blocklist Jem E. Berkes Dept. Electrical and

Design of a DDoS Attack-Resistant Distributed Spam Blocklist Jem E. Berkes Dept. Electrical and Computer Engineering University of Manitoba Winnipeg, Canada Introduction Anti-spam blocklists are vital for the Internet Blocklists are

381 views • 16 slides
Robot Attack! Repelling Bots, DDOS, and other Fiends Stanford Drupal Camp 2015 MEET YOUR GUIDES

Robot Attack! Repelling Bots, DDOS, and other Fiends Stanford Drupal Camp 2015 MEET YOUR GUIDES

Robot Attack! Repelling Bots, DDOS, and other Fiends Stanford Drupal Camp 2015 MEET YOUR GUIDES Suzanne Aldrich Martijn Gonlag Senior Customer Success Engineer - Pantheon Technical Support Engineer - CloudFlare AGENDA Surveying Robots

247 views • 13 slides
Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback http://www.betterhostreview.com/wp-content/uploads/2013/08/ddos-attack.gif 2 DDoS Attacks http://blog.rivalhost.com/wp- http://en.wikipedia.org/wiki/Low

800 views • 36 slides
.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS A)ack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos A)acks Few Qmes

150 views • 13 slides
GEOX GROUP 1Q19 SALES PRESENTATION MAY 10, 2019 1Q19 SALES | HIGHLIGHTS TOTAL SALES:EURO

GEOX GROUP 1Q19 SALES PRESENTATION MAY 10, 2019 1Q19 SALES | HIGHLIGHTS TOTAL SALES:EURO

GEOX GROUP 1Q19 SALES PRESENTATION MAY 10, 2019 1Q19 SALES | HIGHLIGHTS TOTAL SALES:EURO 260.9 MILLION, -1.3% (-1.6% AT COSTANT FOREX) MAINLY EXPLAINED BY: SLIGHT DECREASE FOR WHOLESALE (-1.9%) WITH AN IMPROVING TREND COMPARED TO THE

550 views • 11 slides
THE COLLEGE FAIR What is a college fair? When should I attend a fair? Why should I go

THE COLLEGE FAIR What is a college fair? When should I attend a fair? Why should I go

StreamableU Presentation THE COLLEGE FAIR What is a college fair? When should I attend a fair? Why should I go to one? 1 2 COLLEGE FAIR DOS AND DONTS HOW TO FIND A COLLEGE FAIR DONT DO NACAC - https://www.nacacfairs.org/

551 views • 5 slides
2018 Q3 sales October 30 th , 2018 Daniel Lalonde, CEO Philippe Gautier, CFO & Operations

2018 Q3 sales October 30 th , 2018 Daniel Lalonde, CEO Philippe Gautier, CFO & Operations

2018 Q3 sales October 30 th , 2018 Daniel Lalonde, CEO Philippe Gautier, CFO & Operations Director Disclaimer Certain information contained in this document may include projections and forecasts. These projections and forecasts are based on

607 views • 22 slides
Community Committee Woodfibre Liquefied Natural Gas (WLNG) Project Update February 25, 2015

Community Committee Woodfibre Liquefied Natural Gas (WLNG) Project Update February 25, 2015

Community Committee Woodfibre Liquefied Natural Gas (WLNG) Project Update February 25, 2015 WLNG Committee Process Overview June 7 Fortis Tour Tilbury LNG storage facility & Eagle Mountain Compressor Station June 26

404 views • 38 slides
Strategic Cyber Cost- Effectiveness Analysis Robin Smith Brief Introduction Arke Cost

Strategic Cyber Cost- Effectiveness Analysis Robin Smith Brief Introduction Arke Cost

Strategic Cyber Cost- Effectiveness Analysis Robin Smith Brief Introduction Arke Cost analysis, cost effectiveness and cost benefit Aim to present our thinking Cost-Effectiveness/Cost-Benefit analysis of Cyber security

300 views • 28 slides
Denial of Service Attacks Types, Causes, Motives & Remedies By M. Raza ur Rehman NUST

Denial of Service Attacks Types, Causes, Motives & Remedies By M. Raza ur Rehman NUST

Denial of Service Attacks Types, Causes, Motives & Remedies By M. Raza ur Rehman NUST PAKCON 2004 Denial of Service Attacks Attempts to prevent or disturb legitimate access to co mputer resources Resources like bandwidth, services

557 views • 18 slides
Linux Chapter 8: Wireless Networks Joseph Livesay Julian Richen Wireless networks have

Linux Chapter 8: Wireless Networks Joseph Livesay Julian Richen Wireless networks have

Linux Chapter 8: Wireless Networks Joseph Livesay Julian Richen Wireless networks have become prevalent in almost every aspect of our everyday lives However as the amount of wireless communication Introduction increases, the

817 views • 65 slides
Eclipse Attacks on Bitcoins Peer-to-Peer Netw ork Ethan Heilman, Alison Kendler Aviv Zohar,

Eclipse Attacks on Bitcoins Peer-to-Peer Netw ork Ethan Heilman, Alison Kendler Aviv Zohar,

Eclipse Attacks on Bitcoins Peer-to-Peer Netw ork Ethan Heilman, Alison Kendler Aviv Zohar, Sharon Goldberg Presented by Joonhyuk Lee ( slides adapted from Heilman ) CONTENTS 01. Introduction 02. Eclipse Attacks & Implications 03. How

759 views • 65 slides

More recommend