Lehrstuhl für Systemsicherheit
Amplification DDoS Attacks
Marc Kührer
SPRING 9, Bochum, 31 July 2014
2 AMPLIFICATION DDOS ATTACKS | HORST GÖRTZ INSTITUT FÜR IT-SICHERHEIT | BOCHUM | 31.07.2014
Outline
- Background
- UDP-based Amplification
- TCP-based Amplification
- Comparison UDP- / TCP-based Amplification
Background
Publications
[1] Christian Rossow. "Amplification Hell: Revisiting Network Protocols for DDoS Abuse". 2014 Network and Distributed System Security Symposium, NDSS 2014, San Diego, CA, USA.
[2] Marc Kührer, Thomas Hupperich, Christian Rossow, Thorsten Holz. "Exit from Hell? Reducing the Impact of Amplification DDoS Attacks". 23rd USENIX Security Symposium, USENIX Sec '14, San Diego, CA, USA.
[3] Marc Kührer, Thomas Hupperich, Christian Rossow, Thorsten Holz. "Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks". 8th USENIX Workshop on Offensive Technologies, WOOT '14, San Diego, CA, USA.
Background
Amplification Attack
(figure: Attacker → Amplifier → Victim)
Background
Scanning in IPv4
- Internet-wide scans (4,294,967,296 IP addresses)
- No aggressive scanning – distributed scans over time
- Linear feedback shift register to compute order of IP addresses
- Reverse DNS record + web server for project information
- Explanation of how to opt out of repeated scans
Outline
- Background
- UDP-based Amplification
- TCP-based Amplification
- Comparison UDP- / TCP-based Amplification
UDP-based Amplification
Vulnerable Protocols
- 14 UDP-based protocols vulnerable to amplification [1]
- Highest amplification found for the NTP monlist feature: 4,670x
- Selected the five most severe protocols: DNS, NetBIOS, NTP, SNMP, and SSDP
- Performed scans to enumerate hosts vulnerable to amplification
UDP-based Amplification
Amplifier Magnitude
- Scans performed for three months
- Observed more than 5 million amplifiers for 4 of the 5 protocols
UDP-based Amplification
IP Churn (1 / 3)
- How fast does a set of amplifiers change?
- Enumerated amplifiers based on IP address on Nov 22, 2013
- Checked if amplifiers were still reachable the following weeks
UDP-based Amplification
IP Churn (2 / 3)
- For most protocols the churn is high (~50% after a week)
- Amplifiers outdated within a week: mostly routing devices, validated via device fingerprinting and reverse DNS (82.8% include "dyn", "dialup", "pool")
- Amplifiers reachable after 13 weeks: located in countries with longer IP-lease times (Korea, United States, Canada)
UDP-based Amplification
IP Churn (3 / 3)
- 90% of the NTP amplifiers are still reachable after four weeks
- Hosts still available after 13 weeks:
  - 40% run Cisco IOS
  - 53% are located in United States, South Korea, and Japan
UDP-based Amplification
NTP monlist Campaign
- Collaborated with organizations to create technical advisories
- Published lists of hosts vulnerable to monlist amplification to security organizations (ShadowServer / NTP Pool Project)
Outline
- Background
- UDP-based Amplification
- TCP-based Amplification
- Comparison UDP- / TCP-based Amplification
TCP-based Amplification
Amplifier Magnitude (1 / 2)
- Send a single SYN to a target host and record the traffic (no ACK / RST is sent back)
TCP-based Amplification
Amplifier Magnitude (2 / 2)
- Consider hosts that amplify our SYN by a factor > 20x (including Ethernet, IP, TCP headers)
- Almost 2 % of responsive FTP / Telnet hosts amplify a single SYN by factor > 20x
- In total 4.8 million amplifiers
TCP-based Amplification
Amplification Type
- Distribution of TCP flags shows three main amplification types
- Traffic volume
  - NetBIOS
    - 8,863 SYN/ACK amplifiers: 25 MB of traffic
    - 3,087 RST amplifiers: 12 GB of traffic
  - FTP
    - 2,907,279 SYN/ACK amplifiers: 3.2 GB of traffic
    - 5,577 RST amplifiers: 15.1 GB of traffic
TCP-based Amplification
Packet Frequency
- A high number of packets that reach the target simultaneously is important for a high impact
- We measured the number of packets that reach the target within 10, 30, and 60 seconds after observing the first response of a host
- Besides a high amplification factor, RST amplifiers also cause a high packet frequency
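Added example, not code from the deck or the authors' tooling: the per-host analysis that slides 15 to 17 describe (amplification factor of a single SYN with headers included, classification by dominant TCP flags, packet counts within 10/30/60 seconds), run offline over constructed response records so an operator can check from a capture of their own host whether it would behave as a TCP amplifier. The 54-byte probe frame (Ethernet + IPv4 + TCP headers) and the sample records are assumptions.

```python
from collections import Counter

# One SYN probe frame on the wire: 14-byte Ethernet + 20-byte IPv4 + 20-byte TCP header (assumption)
PROBE_FRAME_BYTES = 14 + 20 + 20
AMPLIFIER_THRESHOLD = 20.0      # slide 15: hosts amplifying a single SYN by > 20x
WINDOWS = (10, 30, 60)          # slide 17: packets arriving within 10, 30, 60 seconds

# Constructed samples, not real captures: (seconds after first response, TCP flags, frame bytes).
# A host that answers a lone SYN with a stream of 60-byte RSTs every two seconds for a minute:
RST_SAMPLE = [(2.0 * i, "R", 60) for i in range(30)]
# A host that merely retransmits its 74-byte SYN/ACK with exponential backoff:
SYNACK_SAMPLE = [(t, "SA", 74) for t in (0.0, 1.0, 3.0, 7.0, 15.0, 31.0)]

# Dominant flag combination -> amplifier type named on slide 16 / 18
FLAG_TYPES = {"SA": "SYN/ACK", "R": "RST", "RA": "RST", "P": "PSH", "PA": "PSH"}


def amplification_factor(responses, probe_bytes=PROBE_FRAME_BYTES):
    """Bytes received divided by bytes sent, headers included on both sides."""
    return sum(size for _, _, size in responses) / probe_bytes


def amplifier_type(responses):
    """Classify the host by the most frequent flag combination in its responses."""
    if not responses:
        return None
    flags, _ = Counter(f for _, f, _ in responses).most_common(1)[0]
    return FLAG_TYPES.get(flags, flags)


def packets_within(responses, windows=WINDOWS):
    """Packets that arrived within each window after the first response."""
    return {w: sum(1 for t, _, _ in responses if t <= w) for w in windows}


def analyse(responses):
    """Full per-host verdict: factor, threshold check, type, packet frequency."""
    factor = amplification_factor(responses)
    return {
        "factor": factor,
        "is_amplifier": factor > AMPLIFIER_THRESHOLD,
        "type": amplifier_type(responses),
        "packets": packets_within(responses),
    }


if __name__ == "__main__":
    for name, sample in (("RST host", RST_SAMPLE), ("SYN/ACK host", SYNACK_SAMPLE)):
        print(name, analyse(sample))
```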
TCP-based Amplification
Real-World Attacks
- Can TCP-based amplifiers be used in real-world attacks, in which an attacker would repeatedly send spoofed SYN packets to the amplifiers to flood the victim's network?
- We forwarded 1, 5, and 10 SYN packets to different types of amplifiers and measured the traffic that arrived up to 60 seconds after sending the last SYN segment:
  - SYN/ACK amplifiers:
    - 1x SYN - 34.2 MB
    - 5x SYN - 55.1 MB
    - 10x SYN - 76.0 MB (increase of factor 2.2x)
  - PSH amplifiers:
    - 1x SYN - 11.2 MB
    - 10x SYN - 110.8 MB (increase of factor 10x)
  - RST amplifiers:
    - 1x SYN - 89.6 MB
    - 5x SYN - 392.4 MB (increase of factor 4.4x)
    - 10x SYN - 789.2 MB (increase of factor 8.8x)
Outline
- Background
- UDP-based Amplification
- TCP-based Amplification
- Comparison UDP- / TCP-based Amplification
Comparison
UDP-based vs. TCP-based Amplification (1 / 2)
- Amplification factor
  - UDP-based protocols:
    - 3.8x (NetBIOS)
    - 98.3x (DNS)
    - 4,670x (NTP monlist)
    - Actual bandwidth amplification much lower (<1,000 for NTP)
  - TCP-based protocols:
    - Allow much higher bandwidth amplification
    - Up to 80,000x for RST amplifiers
Comparison
UDP-based vs. TCP-based Amplification (2 / 2)
- Number of amplifiers
  - UDP-based protocols:
    - 2.8 million (NetBIOS)
    - 30.5 million (DNS)
    - 87,463 (NTP monlist)
  - TCP-based protocols:
    - Low number of amplifiers (particularly for RST)
- DNS amplifiers can cause higher impact (about 10x compared to an attack using FTP)
- Attackers currently stick to UDP-based attacks
- TCP attacks presumably much harder to block, though
Contact:
Marc Kührer marc.kuehrer@rub.de
More Information:
http://syssec.rub.de
Questions?
Background
Reflection Attack
(figure: Attacker → Reflector → Victim)
UDP-based Amplification
Intersection of Amplifiers
- Largest overlap between SNMP and DNS
- Almost 46 million amplifiers for all scanned protocols
UDP-based Amplification
Device Fingerprinting
- Device fingerprinting based on 1,873 manually compiled regular expressions, applied to the returned UDP payload data (+ performed TCP scans)
- Majority of vulnerable hosts are routing devices (NTP: 40.8% Cisco IOS)
- 1,267,008 amplifiers (17.4%) running Linux on MIPS and 357,076 devices (4.9%) running Linux on PowerPC
- Smaller clusters: 695 devices running Miele Logic, 51,351 DVRs, 20,927 NAS
UDP-based Amplification
NTP monlist Campaign (2 / 2)
- On Feb 24, 2014, the number of monlist amplifiers reached 126,080 (a decrease of 92.4%)
- As of Jun 2014, 87,463 amplifiers still reachable (a decrease of almost 40,000 hosts since Feb 2014)