  1. Amplification DDoS Attacks. Marc Kührer, Lehrstuhl für Systemsicherheit (Chair for Systems Security). SPRING 9, Bochum, 31 July 2014

  2. Outline • Background • UDP-based Amplification • TCP-based Amplification • Comparison of UDP- and TCP-based Amplification (slide footer, repeated on every slide: AMPLIFICATION DDOS ATTACKS | HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | BOCHUM | 31.07.2014)

  3. Background: Publications
  [1] Christian Rossow. "Amplification Hell: Revisiting Network Protocols for DDoS Abuse". Network and Distributed System Security Symposium (NDSS 2014), San Diego, CA, USA.
  [2] Marc Kührer, Thomas Hupperich, Christian Rossow, Thorsten Holz. "Exit from Hell? Reducing the Impact of Amplification DDoS Attacks". 23rd USENIX Security Symposium (USENIX Security '14), San Diego, CA, USA.
  [3] Marc Kührer, Thomas Hupperich, Christian Rossow, Thorsten Holz. "Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks". 8th USENIX Workshop on Offensive Technologies (WOOT '14), San Diego, CA, USA.

  4. Background: Amplification Attack (diagram: Attacker → Amplifier → Victim; the attacker sends small requests carrying the victim's spoofed source address to the amplifier, which delivers its much larger responses to the victim)

  5. Background: Scanning in IPv4 • Internet-wide scans (4,294,967,296 IP addresses) • No aggressive scanning: the scans are distributed over time • A linear feedback shift register computes the pseudo-random order in which IP addresses are probed, so consecutive probes do not hit the same network • Reverse DNS record and a web server on the scanning hosts provide project information • Explanation of how to opt out from repeated scans
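The address-ordering step above, as an added example that is not part of the slides or the authors' scanner: a Galois LFSR with a primitive 32-bit feedback polynomial visits every non-zero IPv4 address exactly once in a pseudo-random order, and a 16-bit register with the same structure is included only so the full-period property can be checked exhaustively. The exclusion list and the seed are assumptions, not the authors' configuration.

```python
import ipaddress

# Galois-form LFSR feedback masks. Both polynomials are primitive, so the register
# cycles through every non-zero state exactly once before repeating.
MASK_32 = 0x80200003   # x^32 + x^22 + x^2 + x + 1 -> period 2^32 - 1 (all of IPv4 except 0.0.0.0)
MASK_16 = 0xB400       # x^16 + x^14 + x^13 + x^11 + 1 -> period 2^16 - 1 (small enough to check)

# Ranges a scan should never touch (assumption: a typical exclusion list, not the authors' one).
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def lfsr_states(mask, width, seed=1):
    """Yield the states of a Galois LFSR starting at `seed`, stopping after one full period."""
    if not 0 < seed < (1 << width):
        raise ValueError("seed must be a non-zero state of the register")
    state = seed
    while True:
        yield state
        lsb = state & 1
        state >>= 1
        if lsb:
            state ^= mask
        if state == seed:          # period complete: the next state would restart the cycle
            return


def scan_order(seed=1, limit=None):
    """Yield IPv4 addresses in LFSR order, skipping excluded ranges.

    Consecutive states differ in their high bits, so successive probes land in
    different /8 networks instead of sweeping one network from start to end.
    """
    produced = 0
    for state in lfsr_states(MASK_32, 32, seed):
        addr = ipaddress.IPv4Address(state)
        if any(addr in net for net in EXCLUDED):
            continue
        yield str(addr)
        produced += 1
        if limit is not None and produced >= limit:
            return


if __name__ == "__main__":
    for ip in scan_order(seed=1, limit=8):
        print(ip)
```

Because the next state depends only on the current one, the single 32-bit register value is all that has to be persisted to pause, resume, or hand the scan to another machine, which is what makes spreading a scan over time cheap.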


  7. UDP-based Amplification: Vulnerable Protocols • 14 UDP-based protocols vulnerable to amplification [1] • Highest amplification found for the NTP monlist feature: 4,670x • Selected the five most severe protocols: DNS, NetBIOS, NTP, SNMP, and SSDP • Performed scans to enumerate hosts vulnerable to amplification

  8. UDP-based Amplification: Amplifier Magnitude • Scans performed for three months • Observed more than 5 million amplifiers for 4 of the 5 protocols

  9. UDP-based Amplification: IP Churn (1 / 3) • How fast does a set of amplifiers change? • Enumerated amplifiers by IP address on Nov 22, 2013 • Checked whether these amplifiers were still reachable in the following weeks

  10. UDP-based Amplification: IP Churn (2 / 3) • For most protocols the churn is high (about 50% of the amplifiers are gone after a week) • Amplifiers that disappear within a week are mostly routing devices on dynamically assigned addresses, validated via device fingerprinting and reverse DNS (82.8% of their reverse DNS names contain "dyn", "dialup" or "pool") • Amplifiers still reachable after 13 weeks are located in countries with longer IP lease times (Korea, United States, Canada)

  11. UDP-based Amplification: IP Churn (3 / 3) • 90% of the NTP amplifiers are still reachable after four weeks • Of the hosts still reachable after 13 weeks: • 40% run Cisco IOS • 53% are located in the United States, South Korea, and Japan

  12. UDP-based Amplification: NTP monlist Campaign (1 / 2) • Collaborated with organizations to create technical advisories • Published lists of hosts vulnerable to monlist amplification to security organizations (Shadowserver / NTP Pool Project)
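The configuration change such an advisory asks an operator to make, as an added example that is not taken from the slides or from the authors' advisory text; it applies to ntpd, the reference implementation, and the version boundary is stated as a known fact about ntpd, not as something the slides report.

```conf
# /etc/ntp.conf -- added example, not from the slides or the authors' advisories.
#
# Weak: ntpd releases before 4.2.7p26 keep mode 7 monitoring enabled by default,
# so an unauthenticated 8-byte monlist request is answered with up to 600
# recent-client entries spread over many packets.
#
# Hardened: switch the monitoring facility off and refuse mode 6/7 queries from
# everyone except the local host. Serving time to clients is unaffected.
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
```

After restarting ntpd, `ntpdc -n -c monlist <host>` run from an external vantage point should time out instead of returning a client list; upgrading to a release without mode 7 support removes the feature entirely.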


  14. TCP-based Amplification: Amplifier Magnitude (1 / 2) • Send a single SYN to a target host and record all traffic it sends back; the scanner neither completes nor aborts the handshake (no ACK / RST is sent back), which is exactly what a victim that never sent the SYN would do

  15. TCP-based Amplification: Amplifier Magnitude (2 / 2) • Consider hosts that amplify our SYN by a factor > 20x (measured including Ethernet, IP, and TCP headers) • Almost 2% of responsive FTP / Telnet hosts amplify a single SYN by a factor > 20x • In total 4.8 million amplifiers

  16. TCP-based Amplification: Amplification Type
  • Distribution of TCP flags shows three main amplification types (SYN/ACK, RST, PSH)
  • Traffic volume per type:
    • NetBIOS
      • 8,863 SYN/ACK amplifiers: 25 MB of traffic
      • 3,087 RST amplifiers: 12 GB of traffic
    • FTP
      • 2,907,279 SYN/ACK amplifiers: 3.2 GB of traffic
      • 5,577 RST amplifiers: 15.1 GB of traffic

  17. TCP-based Amplification: Packet Frequency • A high number of packets reaching the target simultaneously is important for a high impact • We measured the number of packets that reach the target within 10, 30, and 60 seconds after observing the first response of a host • Besides a high amplification factor, RST amplifiers also cause a high packet frequency
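What the measurement described in slides 14 to 17 looks like over a capture, as an added example that is not the authors' tooling: it parses raw Ethernet/IPv4/TCP frames seen at the spoofed victim address, classifies each responder by its dominant TCP flags, computes the amplification factor with Ethernet, IP and TCP headers included on both sides, applies the > 20x threshold, and counts the packets that arrive within 10, 30 and 60 seconds of a host's first response. The 54-byte probe size, the addresses and the capture itself are constructed assumptions.

```python
import struct
from collections import defaultdict

# Assumptions (not taken from the slides): the probe is a bare SYN without TCP options,
# i.e. 14 B Ethernet + 20 B IPv4 + 20 B TCP = 54 B on the wire, and the capture is a list of
# (seconds since the probe, raw Ethernet frame) pairs recorded at the spoofed victim address.
PROBE_SYN_WIRE_BYTES = 54
TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x02, 0x04, 0x08, 0x10
WINDOWS = (10, 30, 60)           # seconds after the first response, as on slide 17
VICTIM = "198.51.100.7"          # constructed address (RFC 5737 documentation range)


def build_frame(src, dst, flags, payload=b""):
    """Construct a minimal Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 21, 40000, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src_ip, dst_ip, tcp_flags, wire_length) or None for anything but IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:          # protocol 6 = TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    return src, dst, ip[ihl + 13], len(frame)      # flags live in byte 13 of the TCP header


def amplifier_type(flags):
    """Map the flags of one response segment to the three amplification types on slide 16."""
    if flags & TCP_RST:
        return "RST"
    if flags & TCP_PSH:
        return "PSH"
    if flags & TCP_SYN and flags & TCP_ACK:
        return "SYN/ACK"
    return "other"


def classify(capture, victim_ip, min_factor=20):
    """Per responding host: dominant type, bytes, wire-level amplification factor, packet frequency."""
    per_src = defaultdict(lambda: {"packets": 0, "bytes": 0, "types": defaultdict(int), "times": []})
    for t, frame in capture:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, flags, size = parsed
        if dst != victim_ip:                       # only traffic aimed at the spoofed address counts
            continue
        s = per_src[src]
        s["packets"] += 1
        s["bytes"] += size
        s["types"][amplifier_type(flags)] += 1
        s["times"].append(t)
    report = {}
    for src, s in per_src.items():
        baf = s["bytes"] / PROBE_SYN_WIRE_BYTES   # headers included on both sides, as on slide 15
        if baf <= min_factor:
            continue
        first = min(s["times"])
        report[src] = {
            "type": max(s["types"], key=s["types"].get),
            "packets": s["packets"],
            "bytes": s["bytes"],
            "baf": baf,
            "within": {w: sum(1 for t in s["times"] if t - first <= w) for w in WINDOWS},
        }
    return report


def sample_capture():
    """Constructed responses to one spoofed SYN: three amplifier behaviours plus unrelated noise."""
    cap = []
    # 203.0.113.10 retransmits its SYN/ACK with exponential backoff: 6 x 54 B = 6.0x (below threshold)
    for t in (0, 1, 3, 7, 15, 31):
        cap.append((t, build_frame("203.0.113.10", VICTIM, TCP_SYN | TCP_ACK)))
    # 203.0.113.20 keeps sending RSTs: 40 x 54 B = 40.0x, most of it within the first 10 s
    for i in range(40):
        cap.append((i * 0.5, build_frame("203.0.113.20", VICTIM, TCP_RST | TCP_ACK)))
    # 203.0.113.30 answers SYN/ACK, then pushes a 1000 B banner three times: 3216 B = 59.6x
    cap.append((0, build_frame("203.0.113.30", VICTIM, TCP_SYN | TCP_ACK)))
    for t in (0.5, 5.5, 35.5):
        cap.append((t, build_frame("203.0.113.30", VICTIM, TCP_PSH | TCP_ACK, b"A" * 1000)))
    # Traffic to some other host is not a response to our probe and is ignored
    cap.append((0.5, build_frame("203.0.113.40", "198.51.100.8", TCP_RST)))
    return cap


if __name__ == "__main__":
    for src, info in sorted(classify(sample_capture(), VICTIM).items()):
        print(src, info["type"], f"{info['baf']:.1f}x", info["within"])
```

The constructed capture reproduces the qualitative picture on the slides: the SYN/ACK retransmitter stays below the threshold, the RST host combines a high factor with a high packet rate in the first 10 seconds, and the PSH host reaches a high factor from few but large segments.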

  18. TCP-based Amplification: Real-World Attacks
  • Can TCP-based amplifiers be used in real-world attacks, in which an attacker repeatedly sends spoofed SYN packets to the amplifiers to flood the victim's network?
  • We forwarded 1, 5, and 10 SYN packets to different types of amplifiers and measured the traffic that arrived up to 60 seconds after sending the last SYN segment:
    • SYN/ACK amplifiers:
      • 1x SYN: 34.2 MB
      • 5x SYN: 55.1 MB
      • 10x SYN: 76.0 MB (increase by a factor of 2.2x)
    • PSH amplifiers:
      • 1x SYN: 11.2 MB
      • 10x SYN: 110.8 MB (increase by a factor of 10x)
    • RST amplifiers:
      • 1x SYN: 89.6 MB
      • 5x SYN: 392.4 MB (increase by a factor of 4.4x)
      • 10x SYN: 789.2 MB (increase by a factor of 8.8x)


  20. Comparison UDP-based vs. TCP-based Amplification (1 / 2)
  • Amplification factor
    • UDP-based protocols:
      • 3.8x (NetBIOS)
      • 98.3x (DNS)
      • 4,670x (NTP monlist)
      • These factors count UDP payload bytes [1]; the bandwidth amplification actually seen on the wire is much lower (<1,000x for NTP)
    • TCP-based protocols:
      • Allow much higher bandwidth amplification
      • Up to 80,000x for RST amplifiers
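Why the payload-level factor and the wire-level factor differ, as an added example that is not from the slides: every response packet carries its own Ethernet, IP and UDP headers, while the small request pays that overhead only once, so a factor computed over payload bytes overstates what the victim's link has to absorb. The 42-byte overhead and the packet sizes below are constructed assumptions, not measurements from [1] or [2].

```python
# Per-packet header overhead on the wire (assumption: Ethernet II + IPv4 without options + UDP).
ETH_IP_UDP_OVERHEAD = 14 + 20 + 8


def payload_baf(request_payload, response_payloads):
    """Bandwidth amplification factor over UDP payload bytes only, the definition used in [1]."""
    return sum(response_payloads) / request_payload


def wire_baf(request_payload, response_payloads, overhead=ETH_IP_UDP_OVERHEAD):
    """Amplification as the victim's link sees it: request and every response carry headers."""
    return sum(p + overhead for p in response_payloads) / (request_payload + overhead)


def paf(response_payloads):
    """Packet amplification factor: response packets per request packet."""
    return len(response_payloads)


def compare(request_payload, response_payloads):
    """Both views of the same exchange side by side."""
    return {
        "payload_baf": round(payload_baf(request_payload, response_payloads), 1),
        "wire_baf": round(wire_baf(request_payload, response_payloads), 1),
        "paf": paf(response_payloads),
    }


if __name__ == "__main__":
    # Constructed numbers chosen to land near the slide's 4,670x: an 8-byte request
    # answered by 85 response packets of 440 payload bytes each.
    print(compare(8, [440] * 85))
```

With these constructed sizes the payload view gives about 4,675x while the wire view gives about 819x: the 8-byte request grows to 50 bytes once headers are counted, which alone divides the ratio by six, while the large responses grow only by a tenth. Pass a TCP overhead of 54 bytes to `wire_baf` to get the convention the TCP slides use.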

  21. Comparison UDP-based vs. TCP-based Amplification (2 / 2)
  • Number of amplifiers
    • UDP-based protocols:
      • 2.8 million (NetBIOS)
      • 30.5 million (DNS)
      • 87,463 (NTP monlist)
    • TCP-based protocols:
      • Low number of amplifiers (particularly for RST)
  • DNS amplifiers can cause a higher impact (about 10x compared to an attack using FTP)
  • Attackers currently stick to UDP-based attacks
  • TCP-based attacks are presumably much harder to block, though

  22. Questions? Contact: Marc Kührer, marc.kuehrer@rub.de. More information: http://syssec.rub.de

  23. Background: Reflection Attack (diagram: Attacker → Reflector → Victim; the attacker's requests carry the victim's spoofed source address, so the reflector's answers go to the victim, which sees only the reflector as their source)

  24. UDP-based Amplification: Intersection of Amplifiers • Largest overlap between SNMP and DNS • Almost 46 million amplifiers in total across all scanned protocols

  25. UDP-based Amplification: Device Fingerprinting • Device fingerprinting based on 1,873 manually compiled regular expressions, applied to the returned UDP payload data (plus additional TCP scans) • The majority of vulnerable hosts are routing devices (NTP: 40.8% Cisco IOS) • 1,267,008 amplifiers (17.4%) run Linux on MIPS and 357,076 devices (4.9%) run Linux on PowerPC • Smaller clusters: 695 devices running Miele Logic, 51,351 DVRs, 20,927 NAS

  26. UDP-based Amplification: NTP monlist Campaign (2 / 2) • On Feb 24, 2014, the number of monlist amplifiers had dropped to 126,080 (a decrease of 92.4%) • As of Jun 2014, 87,463 amplifiers were still reachable (a decrease of almost 40,000 hosts since Feb 2014)
