political ddos
play

Political DDoS: Estonia and Beyond Jose Nazario, Ph.D. - PowerPoint PPT Presentation

Mar 18, 2024 •468 likes •1.22k views

Political DDoS: Estonia and Beyond Jose Nazario, Ph.D. jose@arbor.net USENIX Security, 2008 Jose Nazario, Ph.D. o Arbor 2002 - Present o ATLAS, ASERT, ATF o Research, analysis, engineering Page 2 DDoS Background Exhaust resources Overwhelm

  1. Political DDoS: Estonia and Beyond Jose Nazario, Ph.D. jose@arbor.net USENIX Security, 2008

  2. Jose Nazario, Ph.D. o Arbor 2002 - Present o ATLAS, ASERT, ATF o Research, analysis, engineering Page 2

  3. DDoS Background Exhaust resources Overwhelm target Dispersed origins Page 3

  4. Page 4

  5. DDoS Background Page 5

  6. DDoS Types o Bandwidth exhaustion – UDP floods – ICMP floods o Server resource exhaustion – HTTP GET request floods – SYN floods o Spoofed or not o Protocol abuse (ie DNS amplification) Page 6

  7. DDoS History 25 Gbps 200 Mbps 1998 2001 2004 2007 Primitive Worms Botnets Cyberwar TFN, etc Code Red IRC Dedicated Nimda Botnets Page 7

  8. Trivial Requires human coordination Page 8

  9. Power to the People Page 9

  10. More Sophisticated Page 10

  11. Measuring Global Attacks Page 11

  12. Internet Attack Scale o Unique attacks exceeding indicated BPS threshold for single ISP o Average of three 1-Gbps or larger attacks per day over 485 days of collection o Two ~25 Gbps attacks reported by a single ISP (on same day, about one hour apart, duration of ~35 minutes) Page 12

  13. 21 Days Y/Y o Significant Y/Y growth o Identify additional trends: Holiday Season typically slow time for attackers Page 13

  14. Attack Intensity 2-3% Backbone Traffic Page 14

  15. Attack Subtypes • 1 year of global measured attack data • 1128 attacks per day average • 30 attacks per deployment per day reporting Attack Subtype Percent of Total Attacks DNS 0.23% IP Fragment 14.41% Private IP Space 1.22% IP NULL Protocol 0.78% TCP NULL Flag 0.57% TCP Reset 6.45% TCP SYN 15.53 Page 15

  16. Attacks over Time Page 16

  17. By Protocol Page 17

  18. 24 Hours of DDoS Around the World Page 18

  19. 24 Hours of DDoS Targets AP designates Asia-Pacific region Page 19

  20. Attack Command Victims - June 2008 Page 20

  21. Attacking Botnet C&C Locations - June 2008 Page 21

  22. DNS Attacks - When & What? Akamai attacked Duration: 4 hours No mitigation possible G, L & M Root Servers, Other Port 53, UDP, valid queries TLDs Multi-millions queries per second Utilized large bogus DNS UDP Impact: Global Impact queries from many bots DDoS for hire (extortion) Aggregate attacks 10 Gbps+ The golden age for worms/trojans Root Server Attacked Mitigate: Special Hardware The perfect DNS DDoS in the wild Duration:1 hour Impact: 90% Traffic dropped No protocol based defense or mitigation Multi-modal: smurf, ICMP, port 53 localized user impact Attack on Bandwidth, not applications or “7” Root Servers appear servers - 11 Gbps+ unreachable Impact: Significant collateral damage Impact: No noticeable user effect OCT 2002 NOV 2002 JUN 2004 OCT 2004 NOV 2004 JAN-FEB 2006 NOV 2006 FEB 2007 Root & TLD Attacks Spoofed source IPs UUNet Attack - 2nd Level DNS Large Bogus Queries UltraDNS TLD Servers Attacked UDP/53, auth servers for bank.foo 10+ Gbps Duration: 24 hours + Spoofed source IPs - 800 Kpps January-February Regionalized User Impact ICMP 0,8 and then port Impact: End-user/customer gTLD targets Easily filtered -- uses pure volume Mitigated with Cisco Guard-XT of packets to disable Utilized open recursive servers Collateral damage: 2x .gov & 2 Results in 2-way traffic load 7206s in network path Average attack 7-10 Gbps Impact: No noticeable user effect TLD Operators have no successful defense Impact: Considerable user impact Page 22

  23. DDoS Motivations, Goals Political, religious Extortion, financial Retribution, competition Fun, personal Not to scale Page 23

  24. Political Attack Arenas o International o Regional o Domestic Page 24

  25. Political Attack Methodologies o Website defacement o E-mail bombing o Spam Popularity o Malcode o DDoS o Site hijacking (DNS) Page 25

  26. UN Site Hack - 2007 August 12th, 2007 Via Giorgio Maone Page 26

  27. Political Attack Motivations o Anger, frustration o Protest o Censorship o Strategic Page 27

  28. Political Attacks Defined o Target political visibility – Presidential website o Carry political message – URL arguments – Mailbomb messages o Attack national, critical infrastructure Usually inferred intent, purpose Based on attacks, “chatter” Page 28

  29. iWar is distinct from what the United States (US) calls ‘cyber war’ or from what China calls ‘informationalized war’… [Cyberwar] refers to attacks carried out over the internet that target the consumer internet infrastructure, such as the websites providing access to online services. … iWar exploits the ubiquitous, low security infrastructure. It refers to attacks carried out over the internet that target the consumer internet infrastructure, such as the websites providing access to online services. While nation states can engage in “cyber” and “informationalized” warfare, iWar can be waged by individuals, corporations, and communities . “iWar”: A new threat, its convenience – and our increasing vulnerability (NATO Review, Winter, 2007), Johnny Ryan Page 29

  30. Increasing Cyber Attack Capabilities o China o US o France France prepares to fight future cyber wars People's Daily Online, June 19, 2008 Page 30

  31. Cyber Attack Responses and Responsibilities o NATO o EU o US Page 31

  32. Pre-History o Kosovo, late 1990’s o Israeli-Palestinian hacking, Fall 2000 o China pilot “incident”, Spring 2001 o Korea, Winter Olympics, 2002 Page 32

  33. “In late April and early May 2001 Pro-Chinese hacktivists and cyber protesters began a cyber assault on US web sites. This resulted from an incident in early April where a Chinese fighter was lost at sea after colliding wide a US naval reconnaissance airplane. It also coincided with the two-year anniversary of the Chinese embassy bombing by the United States in Belgrade and the traditionally celebrated May Day and Youth Day in China. Led by the Honkers Union of China (HUC), Pro-Chinese hackers defaced or crashed over 100 seemingly random web sites, mainly .gov, and .com, through DoS attacks and similar exploits. Although some of the tools used were sophisticated, they were readily available to both sides on the Internet.” National Infrastructure Protection Center, Cyber Protests: The Threat to the U.S. Information Infrastructure, Oct ‘01 Page 33

  34. Recent Global Politically Motivated DDoS o Estonia - April-May 2007 o Delfi.EE (Estonia, January 2008) o CNN.com - April 2008 o Ukraine president’s site - Fall 2007 o Party of Regions (Ukraine) - Fall 2007 o Dissident politicians (Russia) - Fall, Winter 2007 o Radio Free Europe/Radio Liberty - April 2008 o Ukraine anti-NATO protests - June 2008 o Georgia President Website - July 2008 o Democratic Voice of Burma - July 2008 Page 34

  35. Measuring Specific Attacks o Internet statistics project o Botnet infiltration, command tracking o Flow data, if possible o News monitoring o Keyword triggers (ie ‘.gov’ in a command) Page 35

  36. Estonian DDoS Attacks Page 36

  37. The Statue Page 37

  38. Page 38

  39. Page 39

  40. 100 Mbps Page 40

  41. 100 % Page 41

  42. 10 hours Page 42

  43. Page 43

  44. Translated Comments Running and ... Estonian amateur server. So today in Moscow or 23.00 to 22.00 on Kiev hit on all servers. Just among friends, the more people the more likely hang them. Gov server. http://w8lk8dlaka.livejournal.com/52383.html Estonia and fascism So straight to the point. in the light of recent events ... shorter propose pomoch Ddos attack on government sites Estonia. Russian Belarus has blocked sites will soon rise but not desirable. http://rusisrael.com/forum/?forum_id=10425 Page 44

  45. Page 45

  46. Our Conclusions o Widely dispersed attacks Sources aggregate to 0.0.0/0 – Could be the result of spoofing BUT sources we – analyze are legitimate Botnets most likely – o ATLAS didn’t see all attacks Started before May 3, lasted beyond May 11 – o Attribution impossible to ANYONE with our data Page 46

  47. Why is Estonia So Interesting? o David and Goliath story o Estonia is a model o Estonia was vulnerable to such attacks Page 47

  48. Some security experts suspect that political protestors may have rented the services of cybercriminals, possibly a large network of infected PCs, called a “botnet,” to help disrupt the computer systems of the Estonian government. DOD officials have also indicated that similar cyberattacks from individuals and countries targeting economic, political, and military organizations may increase in the future. Clay Wilson, US State Dept Analyst, Jan 2008 Page 48

  49. What Worked in Estonia Collaboration Filtering traffic Outreach Research, investigations Page 49

  50. Roles in International Cyber Attacks o ISPs Defense o CERT teams Coordination – National, international o Law enforcement Domestic o State department International o Military Offensive Hat tip: Bill Woodcock, Estonia Lessons Page 50

  51. DDoS Remediation Cut traffic off here Not here Requires global outreach Page 51

  52. Remediation in Estonia o Cisco (formerly Riverhead) o Panoptis o Arbor Peakflow SP o Narus Insight Manager o Lancope Stealthwatch o Q1 Labs Q1 Radar o All flow-based, direct measurements tools o Source-based uRPF filtering o Arbor TMS trial installed Hat tip: Bill Woodcock, Estonia Lessons Page 52

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS A)ack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos A)acks Few Qmes

150 views • 13 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

1 DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology of work DDoS tactics in-the-wild and how to improve Ready, set, FACEPALM! Q&A ~$ whoami 3 Moshe Zioni, Head of Research,

656 views • 47 slides
Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim to DDoS mitigation service SOS "I am getting DoSd" 2 DDoS Transport Choice SOS : Requirements Emergency signal.

247 views • 5 slides
Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense

Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense

Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense e Quan Jia, Huangxin Wang, Dan Fleck, Fei Li, Angelos Stavrou, Walter Powell Presented by Surya Mani Content u Motivation u Related Work u

262 views • 23 slides
Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. Independent academic R&D division of Nexusguard building next

764 views • 44 slides
Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent the access to a computer system to it's legitimate users. DDoS: DoS attack on the network using a lot of different source IP Why:

327 views • 16 slides
DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How DDoS works UDP Data Client Server Response TCP DDoS Distributed denial-of-service attack Attacker targets a victim from a number of

356 views • 22 slides
A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon guillaume.valadon@ssi.gouv.fr RIPE 70 - May, 11 2015 ANSSI - http://www.ssi.gouv.fr/guide-ddos & https://goo.gl/UL8M1 1/12 ANSSI Created on July 7th 2009,

142 views • 12 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim fons.mijnen@os3.nl max.grim@os3.nl 2 DDoS attacks DDoS attacks are a problem internet users have faced for many years, and is still relevant today. 3 DDoS

531 views • 52 slides
Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Introduction: Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation Attacker signals slaves to launch an attack on a specific target address (victim). Slaves then respond by Comp290: Network

275 views • 9 slides
A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter Reiher Manu Shantharam & David Hadka What is DoS? DoS A type of attack wherein access to computer resource / service is denied or

380 views • 18 slides
DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service

DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service

DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service attacks are a fact of life on the Internet Service disruption Sometimes employed as a smoke screen What this talk is and

799 views • 23 slides
COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure

COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure

COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure Application Services CONFIDENTIAL | DO NOT DISTRIBUTE Company 1. CONFIDENTIAL | DO NOT DISTRIBUTE Attack Tools over Time - Evolved Binary

385 views • 12 slides
Synthesis and electrochemical redox properties of arylated p benzoquinones, naphthoquinones and

Synthesis and electrochemical redox properties of arylated p benzoquinones, naphthoquinones and

Synthesis and electrochemical redox properties of arylated p benzoquinones, naphthoquinones and alkylamidoalkyl p benzoquinones naphthoquinones and alkylamidoalkyl p benzoquinones Mariam al Azani, Mazen al Sulaibi, Thies Thiemann, Miguel

311 views • 5 slides
multi-functional nanodevices for bio- inspired computing Julie Grollier - CNRS/Thales lab,

multi-functional nanodevices for bio- inspired computing Julie Grollier - CNRS/Thales lab,

multi-functional nanodevices for bio- inspired computing Julie Grollier - CNRS/Thales lab, Palaiseau, France NanoBrain UM CNRS/Thales Condensed matter physics laboratory High Tc Superconductors Spintronics and Nanomagnetism

935 views • 46 slides
Unix Philosophy, Text Editors, IDEs Assignment In-Class Writing code Building / Running

Unix Philosophy, Text Editors, IDEs Assignment In-Class Writing code Building / Running

Unix Development Data Structures Lab: Comp Sci 1585 Unix Philosophy, Text Editors, IDEs Assignment In-Class Writing code Building / Running Code::Blocks Environments Integrated philosophy Kate Notepad++ Atom Emacs Vim nano Text

579 views • 38 slides
Lecture 10 Equality and Hashcode Zach Tatlock / Spring 2018 Object equality A simple idea??

Lecture 10 Equality and Hashcode Zach Tatlock / Spring 2018 Object equality A simple idea??

CSE 331 Software Design and Implementation Lecture 10 Equality and Hashcode Zach Tatlock / Spring 2018 Object equality A simple idea?? Two objects are equal if they have the same value A subtle idea: intuition can be misleading

595 views • 42 slides
vlkerrechtlicher Perspektive Janine Schmoldt, Universitt Erfurt Charta der Vereinten

vlkerrechtlicher Perspektive Janine Schmoldt, Universitt Erfurt Charta der Vereinten

Hacking-Back aus vlkerrechtlicher Perspektive Janine Schmoldt, Universitt Erfurt Charta der Vereinten Nationen Artikel 2 (4) Alle Mitglieder unterlassen in ihren internationalen Beziehungen jede gegen die territoriale

249 views • 21 slides
WELCOME Urban Greening CALIF IFORNIA C A CLIMATE I TE INVES ESTM TMEN ENTS Congrat atulat

WELCOME Urban Greening CALIF IFORNIA C A CLIMATE I TE INVES ESTM TMEN ENTS Congrat atulat

WELCOME Urban Greening CALIF IFORNIA C A CLIMATE I TE INVES ESTM TMEN ENTS Congrat atulat ation ons t to Round 1 1 Awardees Craig Brad Carol Jocelyn Stacey Diane Teresa Cristelle Julie Larelle Larelle Polly Melissa AGENDA

714 views • 40 slides
The Web-COSI project www.webcosi.eu Donatella Fazio, Istat Master QoLexity, 26 September2014

The Web-COSI project www.webcosi.eu Donatella Fazio, Istat Master QoLexity, 26 September2014

Communication and policy use of indicators The Web-COSI project www.webcosi.eu Donatella Fazio, Istat Master QoLexity, 26 September2014 Summary The presentation will focus on Communication issues on the new measurements beyond GDP in a wide

390 views • 28 slides
Superposition: Extensions Extensions and improvements: simplification techniques, selection

Superposition: Extensions Extensions and improvements: simplification techniques, selection

Superposition: Extensions Extensions and improvements: simplification techniques, selection functions (when, what), redundancy for inferences, constraint reasoning, decidable first-order fragments. 554 Theory Reasoning Superposition vs.

278 views • 17 slides

More recommend