Exit from Hell? Reducing the Impact of Amplification DDoS Attacks - PowerPoint PPT Presentation
Exit from Hell? Reducing the Impact of Amplification DDoS Attacks
Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz
Presented By: Richie Noble
Distributed Denial-of-Service (DDoS) Attacks
- Known problem for many years
– Difficult to distinguish between an attack and simple overloading (“Slashdot effect”)
– Many solutions proposed
- Simple DDoS attacks like SYN flooding are well-understood
http://upload.wikimedia.org/wikipedia/commons/3/3f/Stachledraht_DDos_Attack.svg
Evolving DDoS Attacks
- Many DDoS attacks now employ amplification attacks
– Abuse of UDP-based network protocols via reflection
– Attacker sends spoofed packets to a large number of reflectors who send responses to the intended victim
– Responses are often much larger than the requests, leading to amplification
https://www.cert.be/files/dnsbad-large.png
Understanding the Problem
- As this type of attack is relatively new, the authors wish to learn more about it
– Performed Internet-wide scans to identify potential amplifiers
– Fingerprinted and categorized these systems
– Performed a global security notification campaign
– Analyzed potential for TCP amplification attacks
– Deployed a remote scanning technique for identifying systems that allow IP spoofing
Outline
- Introduction
- Threat Model and Scanning
- NTP Case Study
- TCP-based Amplification
- IP Address Spoofing
Threat Model
- Prior work has identified 14 vulnerable UDP-based protocols
– Offer severe amplification rates, up to a factor of 4,670
- Authors performed Internet-wide scan for systems using seven of these protocols
– DNS, SNMP, SSDP, CharGen, QOTD, NTP, and NetBIOS
– All run server-side, implying better connectivity and less IP address churn
Scanning Setup
- Authors developed an efficient scanner to identify amplifiers, following practices suggested by Durumeric et al.
- Scans run on a weekly basis from Nov. 22, 2013 – Feb. 21, 2014
– Scans spread out over 48-hour periods to avoid being blacklisted
- Set up a reverse DNS record of the scanner pointing to a web server presenting the project and opt-out information
Scanning Setup
- Sent a request for each protocol that can be used to amplify traffic
– NTP version, SSDP search, DNS A lookups, etc.
- During the course of the scans, received 90 emails from administrators
– Excluded 91 IP prefixes and 30 individual IP addresses (~3.7 million total)
– Such addresses excluded from analysis, even if they were not blacklisted in the beginning
- Discovered nearly 46 million potential amplifiers
Scanning Results
Amplifier Classification
Amplifier Churn
Outline
- Introduction
- Threat Model and Scanning
- NTP Case Study
- TCP-based Amplification
- IP Address Spoofing
NTP Case Study
- NTP promising for amplification attack
– monlist feature can be amplified by a factor of 4,670
– Very minimal IP address churn
– Multiple amplification vectors
- version feature can be amplified by a factor of 24
– Attackers have already used NTP
- A French hosting provider suffered a 400 Gbps amplification attack in February, 2014
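Added example (not code from the paper or the presenter): detection logic for the reflection pattern described in the slides, run over constructed flow records. It flags servers whose response-to-request byte ratio is large and destinations that receive big responses from several servers they never queried; the addresses, services and byte counts are constructed sample data.

```python
# Added example (not from the paper): spotting amplification traffic in
# flow records. Each record is (service, reflector, destination,
# request_bytes, response_bytes); all values below are constructed.
from collections import defaultdict

FLOWS = [
    # Responses from servers the destination never queried: the spoofed
    # source address of the requests is the victim (203.0.113.5).
    ("ntp_monlist", "198.51.100.10", "203.0.113.5", 100, 45000),
    ("ntp_monlist", "198.51.100.11", "203.0.113.5", 100, 30000),
    ("ntp_version", "198.51.100.12", "203.0.113.5",  50,  1200),
    ("ssdp_search", "198.51.100.20", "203.0.113.5",  90,  2700),
    # A normal DNS A lookup: small response, one server, different host.
    ("dns_a",       "198.51.100.21", "192.0.2.77",   60,   120),
]


def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the destination per byte of request."""
    return response_bytes / request_bytes


def suspicious_reflectors(flows, threshold=10.0):
    """Map reflector -> worst amplification factor seen, above threshold."""
    worst = {}
    for _service, reflector, _dst, req, resp in flows:
        factor = amplification_factor(req, resp)
        worst[reflector] = max(worst.get(reflector, 0.0), factor)
    return {r: f for r, f in worst.items() if f >= threshold}


def destination_report(flows):
    """Map destination -> (distinct reflectors, total response bytes)."""
    reflectors = defaultdict(set)
    total = defaultdict(int)
    for _service, reflector, dst, _req, resp in flows:
        reflectors[dst].add(reflector)
        total[dst] += resp
    return {d: (len(reflectors[d]), total[d]) for d in total}


def likely_victims(flows, min_reflectors=3, min_bytes=10_000):
    """Destinations hit by many reflectors with a large total: the
    many-reflectors-to-one-target pattern of a reflection attack."""
    report = destination_report(flows)
    return sorted(d for d, (n, b) in report.items()
                  if n >= min_reflectors and b >= min_bytes)


if __name__ == "__main__":
    print(suspicious_reflectors(FLOWS))
    print(likely_victims(FLOWS))
```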
NTP Notification Campaign
- Defined two datasets of NTP amplifiers
– NTPver and NTPmon representing NTP servers vulnerable to version and monlist requests, respectively
- Collaborated with many security organizations
– Technical advisories from CERT-CC, MITRE, Cisco's PSIRT
- Describe how to disable monlist and version
- Distributed lists of IP addresses in NTPmon dataset among trusted institutions
Analyzing Campaign Success
- At end of weekly scanning in February, 2014
– NTPver dropped from 7,364,792 to 4,802,212 (33.9%)
– NTPmon dropped from 1,651,199 to 126,080 (92.4%)
- Another scan performed in June, 2014 showed a further decrease in NTPmon by ~40,000
Analyzing Campaign Success
Geographic Distribution
Lessons Learned
- Such security notification campaigns can be very effective
– Could potentially be applied to other security-critical issues (e.g., Heartbleed)
- CERTs not as well connected as they need to be
Outline
- Introduction
- Threat Model and Scanning
- NTP Case Study
- TCP-based Amplification
- IP Address Spoofing
TCP-based Amplification Attacks
- Authors have shown it is potentially possible to stop UDP-based amplification attacks
- Attackers have shown they are capable of evolving their attacks as this occurs
- Can TCP-based protocols be abused similarly?
– UDP works well due to its connectionless nature
– TCP is connection-oriented, making it less intuitively susceptible
TCP Three-way Handshake
- General Process
– Client sends SYN packet to server
– Server responds with SYN/ACK packet
– Client completes setup with final ACK packet
- Does not seem to allow for amplification
– At most, one SYN/ACK packet will be sent to victim
- Traffic not amplified
Handshake Problems
- TCP will retransmit segments that are not acknowledged
– Many popular TCP stacks will retransmit SYN/ACK packets until:
(i) an ACK is received, (ii) the connection times out, or (iii) the connection is closed via a RST packet
Handshake Problems
- Victims may not be able to send a RST packet
– Could be overloaded
– Attacker could target an unassigned IP address within a network
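Added example (not code from the paper or the presenter): victim-side detection of the SYN/ACK retransmission behaviour described on these two slides, run over constructed packet records. It counts SYN/ACKs that answer no SYN the victim actually sent, reports how many packets one server retransmitted for a single spoofed SYN, and lists the RSTs a victim that is still able to respond would send to close those half-open connections (case (iii) above). The victim address, peers, ports and timings are constructed.

```python
# Added example (not from the paper): victim-side detection of SYN/ACK
# retransmission floods. A packet record is (time, src, sport, dst, dport,
# flags) as seen at the victim's network edge; all values are constructed.
from collections import defaultdict

VICTIM = "203.0.113.5"

PACKETS = [
    # Legitimate connection: the victim sent the SYN, so one SYN/ACK is expected.
    (0.0, VICTIM, 40001, "192.0.2.80", 80, "S"),
    (0.1, "192.0.2.80", 80, VICTIM, 40001, "SA"),
]
# Unsolicited SYN/ACKs: spoofed SYNs carried the victim's address, and the
# servers retransmit until an ACK, a timeout, or a RST (five and three times here).
PACKETS += [(1.0 + 3 * i, "198.51.100.30", 80, VICTIM, 5555, "SA") for i in range(5)]
PACKETS += [(2.0 + 3 * i, "198.51.100.31", 23, VICTIM, 5556, "SA") for i in range(3)]


def unsolicited_synacks(packets, victim):
    """Count SYN/ACKs per (peer, peer_port, victim_port) that answer no SYN
    the victim sent; processed in time order so a SYN precedes its reply."""
    sent_syns = set()           # (victim_port, peer, peer_port)
    counts = defaultdict(int)
    for _t, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        if src == victim and flags == "S":
            sent_syns.add((sport, dst, dport))
        elif dst == victim and flags == "SA" and (dport, src, sport) not in sent_syns:
            counts[(src, sport, dport)] += 1
    return dict(counts)


def packets_per_reflector(counts):
    """Most SYN/ACKs one server sent for a single spoofed SYN: the
    per-reflector amplification that retransmission provides."""
    return max(counts.values(), default=0)


def rst_replies(counts, victim):
    """One RST per abusing connection as (src, sport, dst, dport); a RST
    closes the half-open connection and stops further retransmissions."""
    return sorted((victim, vport, peer, port) for (peer, port, vport) in counts)


if __name__ == "__main__":
    found = unsolicited_synacks(PACKETS, VICTIM)
    print(found, packets_per_reflector(found))
    print(rst_replies(found, VICTIM))
```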
TCP Scanning
- Performed two Internet-wide SYN scans
– First without RSTs and the second with RSTs
– Performed for HTTP, Telnet, and CUPS
- Reached 66,785,451 HTTP hosts, 23,519,493 Telnet hosts, and 1,845,346 CUPS hosts
TCP Results
Outline
- Introduction
- Threat Model and Scanning
- NTP Case Study
- TCP-based Amplification
- IP Address Spoofing
IP Address Spoofing
- IP address spoofing is the root cause for amplification attacks
- Up to now, the only way to check if a system allows IP address spoofing is for an admin to test it themselves
- Authors work to deploy a scanner that works remotely
– Enables them to identify thousands of systems that support IP address spoofing
IP Spoofing Scanner
Finding Spoofing-Enabled Networks
- Authors found 581,777 DNS proxies which had mismatched source IP addresses
– Even with extremely conservative estimates, this implies there are thousands of systems out there that allow for spoofed IP addresses
- Only tells us which networks allow spoofing, not if they actually are
– Left as future work
Conclusion
- Identified and organized UDP-based protocols that can be used for amplification DDoS attacks
- Performed a successful campaign notifying the public of vulnerabilities within NTP
- Identified potential amplification attacks from TCP-based protocols
- Deployed a scanner capable of identifying IP