exit from hell
play

Exit from Hell? Reducing the Impact of Amplifjcation DDoS Attacks - PowerPoint PPT Presentation

Nov 25, 2022 •295 likes •660 views

Exit from Hell? Reducing the Impact of Amplifjcation DDoS Attacks Marc Khrer, Thomas Hupperich, Christian Rossow, and Thorsten Holz Presented By : Richie Noble Distributed Denial-of-Service (DDoS) Attacks Known problem for many

  1. Exit from Hell? Reducing the Impact of Amplifjcation DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz Presented By : Richie Noble

  2. Distributed Denial-of-Service (DDoS) Attacks Known problem for many ● years – Diffjcult to distinguish between an attack and simple overloading (“Slashdot efgect”) – Many solutions proposed ● Simple DDoS attacks like SYN fmooding are well-understood http://upload.wikimedia.org/wikip edia/commons/3/3f/Stachledraht_ DDos_Attack.svg

  3. Evolving DDoS Attacks ● Many DDoS attacks now employ amplifjcation attacks – Abuse of UDP-based network protocols via refmection – Attacker sends spoofed packets to a large number of refmectors who send responses to the intended victim – Responses are often much larger than the requests, https://www.cert.be/fjles/dnsbad- leading to amplifjcation large.png

  4. Understanding the Problem ● As this type of attack is relatively new, the authors wish to learn more about it – Performed Internet-wide scans to identify potential amplifjers – Fingerprinted and categorized these systems – Peformed a global security notifjcation campaign – Analyzed potential for TCP amplifjcation attacks – Deploy remote scanning technique for identifying systems that allow IP spoofjng

  5. Outline ● Introduction ● Threat Model and Scanning ● NTP Case Study ● TCP-based Amplifjcation ● IP Address Spoofjng

  6. Threat Model ● Prior work has identifjed 14 vulnerable UDP- based protocols – Ofger severe amplifjcation rates, up to a factor of 4,670 ● Authors performed Internet-wide scan for systems using seven of these protocols – DNS, SNMP, SSDP, CharGen, QOTD, NTP, and NetBIOS – All run server-side, implying better connectivity and with less IP address churn

  7. Scanning Setup ● Authors developed an effjcient scanner to identify amplifjers, following practices suggested by Durumeric et al. ● Scans run on a weekly basis from Nov. 22, 2013 – Feb. 21, 2014 – Scans spread out over 48 hour periods to avoid being blacklisted ● Set up a reverse DNS record of the scanner pointing to a web server presenting the project and opt-out information

  8. Scanning Setup ● Sent a request for each protocol that can be used to amplify traffjc – NTP version , SSDP search , DNS A lookups, etc. ● During course of scans, received 90 emails from administrators – Excluded 91 IP prefjxes and 30 individual IP addresses (~3.7 million total) – Such addresses excluded from analysis, even if they were not blacklisted in the beginning ● Discovered nearly 46 million potential amplifjers

  9. Scanning Results

  10. Amplifjer Classifjcation

  11. Amplifjer Churn

  12. Amplifjer Churn

  13. Outline ● Introduction ● Threat Model and Scanning ● NTP Case Study ● TCP-based Amplifjcation ● IP Address Spoofjng

  14. NTP Case Study ● NTP promising for amplifjcation attack – monlist feature can be amplifjed by a factor of 4,670 – Very minimal IP address churn – Multiple amplifjcation vectors ● version feature can be amplifjed by a factor of 24 – Attackers have already used NTP ● A French hosting provider sufgered a 400 Gbps amplifjcation attack in February, 2014

  15. NTP Notifjcation Campaign ● Defjned two datasets of NTP amplifjers – NTP ver and NTP mon representing NTP servers vulnerable to version and monlist requests, respectively ● Collaborated with many security organizations – T echnical advisories from CERT-CC, MITRE, Cisco's PSIRT ● Describe how to disable monlist and version ● Distributed lists of IP addresses in NTP mon dataset among trusted institutions

  16. Analyzing Campaign Success ● At end of weekly scanning in February, 2014 – NTP ver dropped from 7,364,792 to 4,802,212 (33.9%) – NTP mon dropped from 1,651,199 to 126,080 (92.4%) ● Another scan performed in June, 2014 showed a further decrease in NTP mon by ~40,000

  17. Analyzing Campain Success

  18. Geographic Distribution

  19. Lessons Learned ● Such security notifjcation campaigns can be very efgective – Could potentially be applied to other security- critical issues (e.g., heartbleed ) ● CERT s not as well connected as they need to be

  20. Outline ● Introduction ● Threat Model and Scanning ● NTP Case Study ● TCP-based Amplifjcation ● IP Address Spoofjng

  21. TCP-based Amplifjcation Attacks ● Authors have shown it is potentially possible to stop UDP-based amplifjcation attacks ● Attackers have shown they are capable of evolving their attacks as this occurs ● Can TCP-based protocols be abused similarly? – UDP works well due to its connectionless nature – TCP is connection-oriented, making it less intuitively susceptible

  22. TCP Three-way-handshake ● General Process – Client sends SYN packet to server – Server responds with SYN/ACK packet – Client completes setup with fjnal ACK packet ● Does not seem to allow for amplifjcation – At most, one SYN/ACK packet will be sent to victim ● Traffjc not amplifjed

  23. Handshake Problems ● TCP will retransmit segments that are not acknowledged – Many popular TCP stacks will retransmit SYN/ACK packets until : (i) an ACK is received (ii) the connection times out (iii) The connection is closed via a RST packet

  24. Handshake Problems ● Victims may not be able to send a RST packet – Could be overloaded – Attacker could target an unassigned IP Address within a network

  25. TCP Scanning ● Performed two Internet-wide SYN scans – First without RST s and the second with RST s – Performed for HTTP, T elnet, and CUPS ● Reached 66,785,451 HTTP hosts, 23,519,493 T elnet hosts, and 1,845,346 CUPS hosts.

  26. TCP Results

  27. TCP Results

  28. Outline ● Introduction ● Threat Model and Scanning ● NTP Case Study ● TCP-based Amplifjcation ● IP Address Spoofjng

  29. IP Address Spoofjng ● IP address spoofjng is the root cause for amplifjcation attacks ● Up to now, only way to check if a system allows IP address spoofjng is for an admin to test it themselves ● Authors work to deploy a scanner that works remotely – Enables them to identify thousands of systems that support IP address spoofjng

  30. IP Spoofjng Scanner

  31. IP Spoofjng Scanner

  32. Finding Spoofjng-Enabled Networks ● Authors found 581,777 DNS proxies which had mismatched source IP addresses – Even with extremely conservative estimates, this implies there are thousands of systems out there that allow for spoofed IP addresses

  33. Finding Spoofjng-Enabled Networks ● Authors found 581,777 DNS proxies which had mismatched source IP addresses – Even with extremely conservative estimates, this implies there are thousands of systems out there that allow for spoofed IP addresses ● Only tells us which networks allow spoofjng, not if they actually are – Left as future work

  34. Conclusion ● Identifjed and organized UDP-based protocols that can be used for amplifjcation DDoS attacks ● Performed a successful campaign notifying the public of vulnerabilities within NTP ● Identifjed potential amplifjcation attacks from TCP-based protocols ● Deployed a scanner capable of identifying IP address spoofjng-enabled networks

  35. Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hell Defeated The Harrowing of Hell Figure: The harrowing of hell, s. xv (cc0: source) Biblical

Hell Defeated The Harrowing of Hell Figure: The harrowing of hell, s. xv (cc0: source) Biblical

Hell Defeated The Harrowing of Hell Figure: The harrowing of hell, s. xv (cc0: source) Biblical Basis signs, which God did by him, in the midst of you, as you also 2) hell, as it was impossible that he should be holden by it. (Acts have

824 views • 7 slides
THE REALITY OF HELL How We Sometimes See Hell As Something Not Real The Unbelieving and

THE REALITY OF HELL How We Sometimes See Hell As Something Not Real The Unbelieving and

THE REALITY OF HELL How We Sometimes See Hell As Something Not Real The Unbelieving and the Doubting sins are just natural human traits punishing unbelievers is unbelievable cruelty eternal punishment cannot be

217 views • 20 slides
I-293 EXIT 6 & 7 (PART B) Technical Advisory Committee (TAC) July 11, 2017 ITS DECISION

I-293 EXIT 6 & 7 (PART B) Technical Advisory Committee (TAC) July 11, 2017 ITS DECISION

I-293 EXIT 6 & 7 (PART B) Technical Advisory Committee (TAC) July 11, 2017 ITS DECISION TIME! WE NEED TO SETTLE ON A PROPOSED ACTION Follow-up from June 7 th Public Informational Meeting EXIT 7 Exit 7 Relocated Interchange EXIT 6

253 views • 23 slides
Exit of Business Need for Exit: Entrepreneurs make a lots of efforts to create a business and

Exit of Business Need for Exit: Entrepreneurs make a lots of efforts to create a business and

Exit of Business Need for Exit: Entrepreneurs make a lots of efforts to create a business and make it grow. But they often neglect the need for Exit Planning in their Business. In absence of Exit Strategy, they often forget that the decisions

247 views • 11 slides
Spreadsheet from hell preadsheet from hell What I learned in 18 months of tracking my health

Spreadsheet from hell preadsheet from hell What I learned in 18 months of tracking my health

Spreadsheet from hell preadsheet from hell What I learned in 18 months of tracking my health Katie McCurdy @katiemccurdy Ive got some autoimmune stuff Ive got some autoimmune stuff leading to symptom soup leading to

519 views • 30 slides
How can a loving god send people to hell? Let me say at the outset that I consider the concept

How can a loving god send people to hell? Let me say at the outset that I consider the concept

How can a loving god send people to hell? Let me say at the outset that I consider the concept of hell as endless torment in body and mind an outrageous doctrine, a theological and moral enormity, a bad doctrine of the tradition which needs to

258 views • 23 slides
Story Agenda Exit Planning Collaboration Financial Planners & TR Moore &

Story Agenda Exit Planning Collaboration Financial Planners & TR Moore &

The Exit Planning Executive Briefing Presented by Geoffrey S. Gallo, ChFC, CExP TR Moore & Company, PC Member of Business Enterprise Institutes Network Of Exit Planning Professionals Story Agenda Exit Planning Collaboration

590 views • 37 slides
Exit Hardware 376 Series - Push Bar Exit Hardware 376 Series - Push Bar Exit Hardware In distinct

Exit Hardware 376 Series - Push Bar Exit Hardware 376 Series - Push Bar Exit Hardware In distinct

Exit Hardware 376 Series - Push Bar Exit Hardware 376 Series - Push Bar Exit Hardware In distinct contrast to the modular nature of the Briton 560 - 570 Series, the Features & Benefits long established Briton 376 Series is supplied as a

182 views • 7 slides
Valuation Acceleration and Exit Planning January 23, 2020 The Value of Your Business Increases

Valuation Acceleration and Exit Planning January 23, 2020 The Value of Your Business Increases

Valuation Acceleration and Exit Planning January 23, 2020 The Value of Your Business Increases today! What is an Exit Plan? Exit Planning is business strategy. Exit Planning builds, harvests and Personal Goals preserves wealth while

598 views • 36 slides
J tIN i fJy I l f 1 x C r Green Springs Interchange Exit 14 North Ashland Interchange Exit 19

J tIN i fJy I l f 1 x C r Green Springs Interchange Exit 14 North Ashland Interchange Exit 19

f17 d b lJ t fJ fr u 9 J9r @ J J tIN i fJy I l f 1 x C r Green Springs Interchange Exit 14 North Ashland Interchange Exit 19 INTERCHANGE AREA MANAGEMENT PLANS lAMP ODors Mission Provide a safe efficient transportation system that

422 views • 10 slides
Senior Exit Project Senior Exit Project The written portion of the Senior Project will be a

Senior Exit Project Senior Exit Project The written portion of the Senior Project will be a

Senior Exit Project Senior Exit Project The written portion of the Senior Project will be a one-day writing event for seniors. The first round of writing events will occur during the winter Keystone testing period. Senior Exit Project

500 views • 12 slides
Background: Web Proxies HTTP/HTTPS /SOCKS Exit nodes Exit nodes Exit nodes are constrained

Background: Web Proxies HTTP/HTTPS /SOCKS Exit nodes Exit nodes Exit nodes are constrained

Resident Evil: Understanding Residential IP Proxy as a Dark Service Xianghang Mi , Xuan Feng, Xiaojing Liao Baojun Liu, XiaoFeng Wang, Feng Qian Zhou Li, Sumayah Alrwais, Limin Sun , Ying Liu Background: Web Proxies HTTP/HTTPS /SOCKS Exit nodes

629 views • 34 slides
From exit to set-does> A Story of Gforth Re-Implementation M. Anton Ertl, TU Wien Bernd

From exit to set-does> A Story of Gforth Re-Implementation M. Anton Ertl, TU Wien Bernd

From exit to set-does> A Story of Gforth Re-Implementation M. Anton Ertl, TU Wien Bernd Paysan, net2o [] exit execute Exit not tickable in Gforth 0.7 Standard-conforming, but Several complaints over the years Traditionally

594 views • 14 slides
EU Exit & Chemicals Regulation 5 December 2018 Preparations for EU Exit Joint Defra/HSE

EU Exit & Chemicals Regulation 5 December 2018 Preparations for EU Exit Joint Defra/HSE

EU Exit & Chemicals Regulation 5 December 2018 Preparations for EU Exit Joint Defra/HSE EU Exit Chemicals Programme Defra policy lead REACH, PPP, MRLs, Detergents, POPs, Mercury HSE policy lead CLP, PIC, BPR HSE is

629 views • 21 slides
Optimizing Portfolio Companies for Exit - A VC/PE Lifecycle Viewpoint - Copenhagen, Denmark 29

Optimizing Portfolio Companies for Exit - A VC/PE Lifecycle Viewpoint - Copenhagen, Denmark 29

Optimizing Portfolio Companies for Exit - A VC/PE Lifecycle Viewpoint - Copenhagen, Denmark 29 September, 2011 Issues When Optimizing for Exit A Lifecycle Approach 1. When investing - with a view to exit 2. When carrying and managing in

569 views • 28 slides
Maze exit finder (cont.) Maze exit finder (cont.) Solution must lead to smaller problems

Maze exit finder (cont.) Maze exit finder (cont.) Solution must lead to smaller problems

Maze exit finder (cont.) Maze exit finder (cont.) Solution must lead to smaller problems boolean find_exit(int x, int y) /* 2 nd try */ { if ( we have been here before ) return false; /* dont try same spot again */ if ( x,y is an exit )

611 views • 17 slides
IP Spoofing Detection Through Time to Live Header Analysis Final Talk BSc Informatics Arno Hilke

IP Spoofing Detection Through Time to Live Header Analysis Final Talk BSc Informatics Arno Hilke

Chair for Network Architectures and Services Technische Universitt Mnchen IP Spoofing Detection Through Time to Live Header Analysis Final Talk BSc Informatics Arno Hilke Supervisor : Prof. Dr.-Ing. Georg Carle Advisors : Quirin Scheitle,

663 views • 16 slides
ENUM Technical Aspects National Information Technology Center National Information Technology

ENUM Technical Aspects National Information Technology Center National Information Technology

3/9/2010 ENUM Technical Aspects National Information Technology Center National Information Technology Center ENUM Task Force History Voice transmitted over PABX All signals are analog Both ends are physical telephones Voice

590 views • 12 slides
IPv6, MPLS IPv6 History Next generation IP (AKA IPng) Intended to extend address space

IPv6, MPLS IPv6 History Next generation IP (AKA IPng) Intended to extend address space

IPv6, MPLS IPv6 History Next generation IP (AKA IPng) Intended to extend address space and routing limitations of IPv4 Requires header change Attempted to include everything new in one change IETF moderated Based

775 views • 46 slides
NOMAD - media professionals most versatile companion Ideal desktop analytics tool for the

NOMAD - media professionals most versatile companion Ideal desktop analytics tool for the

NOMAD - media professionals most versatile companion Ideal desktop analytics tool for the technician on the move In-depth analytics for IP, OTT and DVB signal behaviorisms Interfaces - WiFi zone, Ethernet, ASI, DVB-C, DVB-T/T2, DVB-S/S2 and

383 views • 9 slides
DDoS Jeff Chase Duke University Flood Attacks Direct a stream of packets toward a victim.

DDoS Jeff Chase Duke University Flood Attacks Direct a stream of packets toward a victim.

DDoS Jeff Chase Duke University Flood Attacks Direct a stream of packets toward a victim. Require the victim to do work per packet. Classic: TCP SYN floods (2000pps sufficient) ICMP floods Victim has insufficient

382 views • 6 slides
The Problem IP Spoofing CS 239 Existing Internet protocols and Advanced Topics in Network

The Problem IP Spoofing CS 239 Existing Internet protocols and Advanced Topics in Network

The Problem IP Spoofing CS 239 Existing Internet protocols and Advanced Topics in Network infrastructure allow forgery of some IP Security packet header fields Peter Reiher In particular, the source address field can often be

400 views • 3 slides
In Inferring the Deployment of f In Inbound Source Address Validation Using DNS Resolvers

In Inferring the Deployment of f In Inbound Source Address Validation Using DNS Resolvers

In Inferring the Deployment of f In Inbound Source Address Validation Using DNS Resolvers Maciej Korczyski*, Yevheniya Nosyk*, Qasim Lone , Marcin Skwarek*, Baptiste Jonglez*, and Andrzej Duda* *Universit Grenoble Alpes, CNRS, Grenoble

546 views • 16 slides
Decentralized publish-subscribe system to prevent coordinated attacks via alert correlation J.

Decentralized publish-subscribe system to prevent coordinated attacks via alert correlation J.

Decentralized publish-subscribe system to prevent coordinated attacks via alert correlation J. Garcia, F . Autrel, J. Borrell, S. Castillo, F . Cuppens, G. Navarro { jgarcia,jborrell,scastillo,gnavarro } @ccd.uab.es, {

291 views • 17 slides

More recommend