DRDoS Attacks Jacob Wood

Information for this presentation is from Christian Rossow's paper "Amplification Hell: Revisiting Network Protocols for DDoS Abuse" (NDSS 2014).

Background Info for DRDoS Attacks

DoS Attack
A Denial of Service (DoS) attack floods a server with requests to drown out legitimate traffic. The key is being able to send enough packets to overwhelm the target. The many subcategories of DoS attacks are different ways of accomplishing this efficiently.

DDoS Attacks
A Distributed Denial of Service (DDoS) attack uses a botnet of compromised machines to send packets to the target. The number of packets a single attacker can send is limited by the upload bandwidth of the attacking party, and on typical access links the upload bandwidth is much smaller than the download bandwidth. Distributing the attack over a botnet combines the upload capacity of many networks.

DRDoS Attacks
A Distributed Reflective Denial of Service (DRDoS) attack takes this a step further. Instead of sending traffic directly from the botnet to the target, each bot sends requests to third-party services while pretending to be the target, that is, with the target's IP address as the spoofed source. The services' perfectly valid responses are delivered to the victim and consume its bandwidth. The key is finding services that respond with packets far larger than the requests. Such services are called reflectors, or amplifiers when their responses are larger than the requests that trigger them.

Mailbox Example
Pretend you are trying to flood a target's mailbox with junk mail. A DoS attack is like you sending the target as much junk mail as possible in the hope of making it harder to sort through the mail. A DDoS attack is like enlisting or tricking a crowd of other people into also sending the target as much junk mail as possible.

Mailbox cont.
A DRDoS attack is like getting each of those people to subscribe to magazines in the target's name. The key is that subscribing to a magazine takes no more than one page of paper, but the magazines sent to fulfil the subscription are 30 to 100 times larger. The magazine publishers act as unknowing reflectors.

Introduction

Introduction
UDP-based network protocols perform no handshake, so they validate nothing about a requester beyond its source IP address, and the attacker only needs to be able to spoof the target's IP. This gives the attacker several desirable features: the attacker's identity is disguised, because the traffic reaching the target comes from the reflectors; a highly distributed DoS attack can be launched from a single uplink by abusing many amplifiers; and the traffic delivered to the target is significantly larger than the traffic the attacker must send.

14 Protocols
The paper evaluates 14 UDP-based network protocols:
Network services: SNMP v2, NTP, DNS, NetBIOS, SSDP
Legacy: CharGen, QOTD
Peer-to-peer: BitTorrent, Kad
Gaming: Quake 3, Steam
Bots: ZAv2, Sality, Gameover

Threat Model

Basic Threat Model
The attacker sends small requests to multiple amplifiers while pretending to be the victim, so every request carries the victim's IP as its source address. The amplifiers try to fulfil the requests and send the victim responses that are significantly larger than the requests, and the victim's link becomes congested. This is figure 1 from the paper.

Amplification Vulnerabilities

Key features of abusable protocols
Small requests create large responses. Reflection of traffic with a spoofed source IP is possible, normally because the protocol has no proper handshake. This excludes all TCP-based protocols: TCP can be used for reflection, but not for bandwidth amplification, because the SYN-ACK sent back to the spoofed address is no larger than the SYN, and since the spoofed handshake never completes no application data is ever sent.

More Detail on the 14 Protocols
This table gives more detail on the 14 protocols examined in the paper. It excludes protocols that can be used as reflectors but do not work as amplifiers, such as ECHO and ISAKMP. This is table I in the paper.

Finding amplifiers
Amplifiers in this publication were found through three processes. Scanning: it is possible to scan the advertised IPv4 address space to find amplifiers; a complete /0 IPv4 scan for one protocol takes less than two hours with a 1 Gb/s uplink and an efficient scanner implementation. Crawling: for the P2P protocols, an iterative search through peer list exchanges, in which each peer found is asked for its own list of peers. Crawling only finds Internet-facing peers, but those are the only ones relevant to this type of attack. Querying the master server: for the game server protocols it is possible to query the master server list. Registering with the master list is not mandatory, but it is very typical.

Results for Search
The results show the number of amplifiers found per protocol. They also show how long it took to find 1,000 and 100,000 amplifiers. Notice that finding amplifiers does not take long: for most protocols 1,000 amplifiers can be found in less than one minute. This is table II in the paper.

Amplification Factors
We now know how many amplifiers are available for each protocol; next we need to find which ones are the most effective. The paper defines the bandwidth amplification factor (BAF) as the bandwidth multiplier: the number of UDP payload bytes an amplifier sends in response to a request, divided by the number of UDP payload bytes in the request. The Ethernet, IP and UDP headers are excluded so that the results stay valid regardless of the IP version, including after a migration from IPv4 to IPv6.

Amplification Factors cont.
The publication also measures the packet amplification factor (PAF) as the packet multiplier: the number of IP packets an amplifier sends to answer a request, divided by the number of IP packets in the request.

Results
This table shows how much each protocol can amplify a request. It gives the amplification averaged over all amplifiers found, then over the top 50% of amplifiers, and finally over the top 10%. Notice that the worst NTP offenders amplify close to 5,000 times the request. This is table III in the paper.

NTP Amplification
NTP servers support a "monlist" command. On a monlist request the server shares its list of recent clients in up to 100 UDP datagrams of 440 bytes each, while the request itself is only 8 bytes.
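As an added example (not code from the paper or from the slides), the BAF and PAF definitions above applied to the monlist case just described, plus the aggregation used by table III (mean over all amplifiers, over the 50% most efficient ones, and over the top 10%) run over a constructed set of per-amplifier measurements. The sample BAF list is made up for illustration and is not the paper's data; the monlist sizes are the ones stated above.

```python
from statistics import mean


def baf(request_payload_len, response_payload_lens):
    """Bandwidth amplification factor: UDP payload bytes the amplifier sends
    back, divided by the UDP payload bytes of the request.  Ethernet, IP and
    UDP headers are deliberately not counted, as in the paper."""
    return sum(response_payload_lens) / request_payload_len


def paf(response_payload_lens, request_packets=1):
    """Packet amplification factor: IP packets sent by the amplifier per
    request packet."""
    return len(response_payload_lens) / request_packets


def ntp_monlist_worst_case():
    """An 8-byte monlist request answered with 100 datagrams of 440 bytes."""
    request_len = 8
    responses = [440] * 100
    return baf(request_len, responses), paf(responses)   # (5500.0, 100.0)


def summarize(bafs):
    """Aggregate per-amplifier BAFs the way table III does: mean over all
    amplifiers, over the 50% most efficient ones, and over the top 10%."""
    ranked = sorted(bafs, reverse=True)

    def top(fraction):
        return ranked[: max(1, int(len(ranked) * fraction))]

    return {"all": mean(ranked), "top50": mean(top(0.5)), "top10": mean(top(0.1))}


# Constructed measurements for ten hypothetical amplifiers of one protocol
# (not the paper's data).  A handful of very efficient amplifiers dominate
# the top-10% figure, which is why that column matters to an attacker.
SAMPLE_BAFS = [1.2, 1.5, 2, 3, 4, 6, 10, 30, 100, 400]

if __name__ == "__main__":
    print("NTP monlist worst case (BAF, PAF):", ntp_monlist_worst_case())
    print("sample protocol:", summarize(SAMPLE_BAFS))
```

The worst-case monlist figure (5,500) is an upper bound; table III's top-10% NTP value is lower because most servers have fewer than 600 recent clients to report and so send fewer than 100 datagrams.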

Real-World Observations

Real-World Observations
The publication then tries to observe real-world attacks in three ways: NetFlow data, darknet traffic and published amplification baits.

NetFlow data
NetFlow data was obtained from an unnamed European ISP with about 1 million end users. The ISP was found to host multiple servers that can be abused as amplifiers. The data was sampled and processed to find instances of incoming DRDoS attacks and of abuse of the ISP's own amplifiers.

Darknet traffic
Darknets are unused IP address ranges. Because nothing is located at these addresses, any traffic sent to them can be considered Internet background traffic such as scans, so monitoring these ranges detects scanning activity, including attackers searching for amplifiers. The author had access to two darknet ranges and monitored all traffic to them for a few weeks.

Amplifier baits
Bait services that would work as excellent amplifiers were published and made public to appear attractive to attackers. They all operated on public IPv4 addresses, free of firewalls or NAT gateways. It should be noted that there was no way to observe attacks without also participating in them; to minimize the potential damage the uplink of each bait service was limited to 1 Mb/s, and the author hopes that the insight gained compensates for any harm caused by this experiment.

Finding Real-world Victims
This figure shows how DRDoS attacks were classified and found in the NetFlow data. Nodes a and b are considered legitimate, because for them the ratio of incoming to outgoing traffic is close to 1. For the M nodes the ratio is heavily skewed: they send far more traffic towards the victim than they receive from it, which is the signature of hosts being abused as amplifiers against that victim. This is figure 2 in the paper.

Results of Finding Victims
This table shows the attacks found in the NetFlow data. The victims' IP addresses are excluded for privacy and instead represented by a single letter in the V column. |M| is the number of amplifiers used in the attack, Volume is the total MB of the attack, and BW is the average attack bandwidth in Mbit/s. This is table V in the paper.
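The classification described on the two slides above, as an added example that is not the paper's code: run over a handful of constructed NetFlow-style records from the vantage point of an ISP that hosts the amplifiers, it picks out an external address that receives far more traffic from the ISP's hosts than it sends back, and reports the |M|, Volume and BW columns of table V for it. The ISP prefix, the amplifier port list, the thresholds and the flow records are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for the example: the ISP's own address space, and the UDP ports
# of the amplifier services the paper looks at (CharGen, DNS, NTP, SNMP, SSDP).
ISP_NET = ip_network("198.51.100.0/24")
AMPLIFIER_PORTS = {19, 53, 123, 161, 1900}

# Constructed NetFlow-style records (not real data):
# (start_s, end_s, src, dst, src_port, dst_port, bytes)
FLOWS = [
    # Spoofed 8-byte monlist requests "from" the victim reach three NTP servers...
    (0, 10, "203.0.113.5", "198.51.100.1", 40000, 123, 800),
    (0, 10, "203.0.113.5", "198.51.100.2", 40001, 123, 800),
    (0, 10, "203.0.113.5", "198.51.100.3", 40002, 123, 800),
    # ...which each answer with 100 x 44,000 bytes of monlist data.
    (0, 10, "198.51.100.1", "203.0.113.5", 123, 40000, 4_400_000),
    (0, 10, "198.51.100.2", "203.0.113.5", 123, 40001, 4_400_000),
    (0, 10, "198.51.100.3", "203.0.113.5", 123, 40002, 4_400_000),
    # A legitimate resolver talking to the ISP's DNS server: ratio near 1.
    (2, 8, "192.0.2.10", "198.51.100.53", 5353, 53, 6_000),
    (2, 8, "198.51.100.53", "192.0.2.10", 53, 5353, 12_000),
]


def find_victims(flows, isp_net=ISP_NET, min_ratio=10.0, min_amplifiers=2):
    """Return external addresses that look like DRDoS victims of this ISP's hosts.

    For every external address we total the bytes the ISP's amplifier services
    sent to it and the bytes it sent to them.  A ratio near 1 (nodes a and b in
    figure 2) is normal client/server traffic; a ratio far above 1 fed by
    several distinct ISP hosts (the M nodes) is a reflection attack."""
    to_ext = defaultdict(int)
    from_ext = defaultdict(int)
    amplifiers = defaultdict(set)
    first, last = {}, {}
    for start, end, src, dst, sport, dport, nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        if s in isp_net and d not in isp_net and sport in AMPLIFIER_PORTS:
            to_ext[d] += nbytes
            amplifiers[d].add(s)
            first[d] = min(first.get(d, start), start)
            last[d] = max(last.get(d, end), end)
        elif d in isp_net and s not in isp_net and dport in AMPLIFIER_PORTS:
            from_ext[s] += nbytes

    victims = {}
    for ext, volume in to_ext.items():
        ratio = volume / max(from_ext.get(ext, 0), 1)
        if ratio >= min_ratio and len(amplifiers[ext]) >= min_amplifiers:
            duration = max(last[ext] - first[ext], 1)          # seconds
            victims[str(ext)] = {
                "M": len(amplifiers[ext]),                    # |M| column
                "volume_mb": volume / 1e6,                    # Volume column
                "bw_mbps": volume * 8 / duration / 1e6,       # BW column
                "ratio": ratio,
            }
    return victims


if __name__ == "__main__":
    for victim, info in find_victims(FLOWS).items():
        print(victim, info)
```

Real NetFlow is sampled, so the byte counts have to be scaled by the sampling rate before the volume and bandwidth columns mean anything; the thresholds here are deliberately loose and would need tuning against the ISP's baseline.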

Results of Finding Victims cont.
The ISP that provided the NetFlow data was contacted with the results. Most of the attacks were already known to the ISP through its own basic alerting system; however, some of the smaller attacks had not been found. These results were mostly about getting an idea of how often these types of attacks occur.

Results of Bait Services
The CharGen bait server was used as an amplifier within 15 minutes of being discovered. The Quake 3 server was abused 7 times. None of the P2P baits were abused.

Countermeasures

Preventing IP Spoofing
IP spoofing is the key technique that makes reflection possible, so preventing IP spoofing would prevent DRDoS attacks. The common technique is ingress filtering at the network edge (BCP 38): a router drops any packet whose source address does not belong to the network the packet arrived from. Unfortunately not all providers filter spoofed packets, and as long as any provider allows spoofing, DRDoS attacks remain possible, albeit harder to launch.
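The edge-router check just described, as an added example (not code from the paper or the slides). The router, its interfaces and the customer prefixes are assumptions; the constructed packets include the spoofed amplifier request that a DRDoS bot would send, carrying the victim's address 203.0.113.5 as source.

```python
from ipaddress import ip_address, ip_network

# Assumed edge router: two customer-facing interfaces with the prefixes
# assigned to those customers, and one interface towards the upstream provider.
CUSTOMER_PREFIXES = {
    "cust0": [ip_network("192.0.2.0/24")],
    "cust1": [ip_network("198.51.100.0/25")],
}
UPSTREAM_IFACE = "up0"


def ingress_allowed(iface, src):
    """BCP 38 style decision for a packet arriving on `iface` with source `src`.

    From a customer interface only that customer's own prefixes are acceptable
    sources.  From upstream, nothing claiming one of our own prefixes is
    acceptable (that would be spoofing aimed at our customers)."""
    s = ip_address(src)
    if iface == UPSTREAM_IFACE:
        return not any(s in net for nets in CUSTOMER_PREFIXES.values() for net in nets)
    return any(s in net for net in CUSTOMER_PREFIXES.get(iface, []))


def filter_packets(packets):
    """packets: iterable of (iface, src, dst).  Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        (forwarded if ingress_allowed(iface, src) else dropped).append((iface, src, dst))
    return forwarded, dropped


# Constructed packets: one genuine customer packet, two spoofed amplifier
# requests from bots on customer networks (source is the victim's address),
# and a packet from upstream that claims one of our own customer addresses.
PACKETS = [
    ("cust0", "192.0.2.7", "203.0.113.123"),
    ("cust0", "203.0.113.5", "203.0.113.123"),
    ("cust1", "203.0.113.5", "203.0.113.123"),
    ("up0", "192.0.2.9", "192.0.2.7"),
]

if __name__ == "__main__":
    ok, bad = filter_packets(PACKETS)
    print("forwarded:", ok)
    print("dropped:", bad)
```

The check is only effective where the bot actually sits: a provider that deploys it protects everyone else from its own customers, which is exactly why deployment has to be universal to stop reflection.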

Protocol Hardening
Another approach is to harden the UDP-based protocols themselves. Recall that TCP services cannot be abused as amplifiers, because the three-way handshake must complete before any data is sent and the SYN-ACK reflected to a spoofed address is no larger than the SYN. Adding a similar handshake to UDP-based protocols would prevent reflection of large responses. Alternatively the amplification, rather than the reflection, can be prevented by requiring that the response to a request be similar in size to the request: instead of always sending the entire response, the service sends only a portion no larger than the request and requires some kind of "next" command to continue.
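Both hardening ideas from this slide in one simulated request/response protocol, as an added example that is not from the paper: a naive service that answers any 16-byte request with a whole 4,400-byte client list beside a hardened one that first hands out an 8-byte cookie bound to the requester's address and then pages the data out in chunks no larger than the request. Everything here (message format, cookie construction, payload, secret, addresses) is an assumption for the example, not a real protocol.

```python
import hashlib
import hmac
import struct

REQUEST_LEN = 16   # "GET " (4) + cookie (8) + offset (4): every request is 16 bytes
COOKIE_LEN = 8

# Constructed data: a client list about ten monlist datagrams long, and a
# server secret that a real deployment would generate and rotate.
PAYLOAD = bytes(range(256)) * 17 + b"\0" * 48        # 4,400 bytes
SECRET = b"example-server-secret"


def make_request(cookie=b"\0" * COOKIE_LEN, offset=0):
    return b"GET " + cookie + struct.pack("!I", offset)


class NaiveService:
    """Unhardened: any well-formed request is answered with the whole payload."""
    def __init__(self, payload):
        self.payload = payload

    def handle(self, client_ip, request):
        return [self.payload] if request[:4] == b"GET " else []


class HardenedService:
    """Cookie handshake plus responses bounded by the request size."""
    def __init__(self, payload, secret):
        self.payload, self.secret = payload, secret

    def cookie_for(self, client_ip):
        # Bound to the source address, so only the real owner of that address
        # ever receives (and can present) a valid cookie.
        return hmac.new(self.secret, client_ip.encode(), hashlib.sha256).digest()[:COOKIE_LEN]

    def handle(self, client_ip, request):
        if len(request) != REQUEST_LEN or request[:4] != b"GET ":
            return []
        cookie, (offset,) = request[4:12], struct.unpack("!I", request[12:16])
        if not hmac.compare_digest(cookie, self.cookie_for(client_ip)):
            return [self.cookie_for(client_ip)]            # 8 bytes, BAF 0.5
        return [self.payload[offset:offset + REQUEST_LEN]]  # never larger than the request


def spoofed_attack(service, victim_ip, n_requests):
    """Attacker sends n requests 'from' the victim; returns (bytes sent, bytes the victim receives)."""
    sent = received = 0
    for _ in range(n_requests):
        req = make_request()                 # attacker never learns the victim's cookie
        sent += len(req)
        received += sum(len(r) for r in service.handle(victim_ip, req))
    return sent, received


def legit_download(service, client_ip):
    """A real client completes the handshake and pages through the payload.
    Returns (data, bytes sent, bytes received)."""
    req = make_request()
    sent, received = len(req), 0
    cookie = service.handle(client_ip, req)[0]
    received += len(cookie)
    data, offset = b"", 0
    while True:
        req = make_request(cookie, offset)
        sent += len(req)
        chunk = service.handle(client_ip, req)[0]
        received += len(chunk)
        if not chunk:
            break
        data += chunk
        offset += len(chunk)
    return data, sent, received


if __name__ == "__main__":
    for name, svc in [("naive", NaiveService(PAYLOAD)), ("hardened", HardenedService(PAYLOAD, SECRET))]:
        s, r = spoofed_attack(svc, "203.0.113.5", 10)
        print(f"{name}: attacker sent {s} bytes, victim received {r} bytes, BAF {r / s:.1f}")
    data, s, r = legit_download(HardenedService(PAYLOAD, SECRET), "192.0.2.10")
    print("legit client got payload back:", data == PAYLOAD, "BAF", round(r / s, 2))
```

The cookie round trip costs the legitimate client one extra request, and the paging costs one request per 16 bytes; real designs (DNS cookies, QUIC's retry token) keep the cookie idea but allow much larger chunks once the client has proven it can receive at that address.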

Rate Limiting
A service can limit the size of its responses or the number of responses it will send to a single client. This does not prevent amplification outright; it only limits how much amplification can happen, and it can be bypassed by spoofing many different source IPs that all belong to the victim's network.
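The limit and its bypass from this slide, simulated as an added example (not from the paper): a per-source byte budget stops an attacker who spoofs a single victim address, an attacker who spreads the spoofed sources over the victim's whole /24 gets the full amplification again, and keying the budget by prefix instead of by address closes that particular hole. The budget, the 44,000-byte response and the /24 grouping are assumptions for the example; a single time window is modelled.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

RESPONSE_BYTES = 44_000        # what one monlist request yields (100 x 440 bytes)


class ResponseLimiter:
    """Caps the response bytes sent per bucket within one window.
    key_fn maps a requesting IP to the bucket it is charged to."""
    def __init__(self, budget_bytes, key_fn):
        self.budget, self.key_fn = budget_bytes, key_fn
        self.used = defaultdict(int)

    def serve(self, client_ip, response_bytes):
        """Return the bytes actually sent: 0 once the bucket is exhausted."""
        bucket = self.key_fn(client_ip)
        if self.used[bucket] + response_bytes > self.budget:
            return 0
        self.used[bucket] += response_bytes
        return response_bytes


def per_source(ip):
    return ip_address(ip)


def per_slash24(ip):
    return ip_network(f"{ip}/24", strict=False)


def attack(limiter, spoofed_sources, requests_per_source):
    """Bytes delivered into the victim network when the attacker sends
    requests_per_source requests with each spoofed source in turn."""
    return sum(limiter.serve(src, RESPONSE_BYTES)
               for src in spoofed_sources
               for _ in range(requests_per_source))


VICTIM_NET = ip_network("203.0.113.0/24")
ONE_VICTIM = ["203.0.113.5"]
WHOLE_NET = [str(h) for h in VICTIM_NET.hosts()]     # 254 usable addresses


def compare(requests_per_source=100):
    return {
        "per-source limit, one spoofed IP":
            attack(ResponseLimiter(RESPONSE_BYTES, per_source), ONE_VICTIM, requests_per_source),
        "per-source limit, whole /24 spoofed":
            attack(ResponseLimiter(RESPONSE_BYTES, per_source), WHOLE_NET, requests_per_source),
        "per-/24 limit, whole /24 spoofed":
            attack(ResponseLimiter(RESPONSE_BYTES, per_slash24), WHOLE_NET, requests_per_source),
    }


if __name__ == "__main__":
    for scenario, delivered in compare().items():
        print(f"{scenario}: {delivered:,} bytes reach the victim network")
```

Keying by prefix only moves the problem: the attacker can spoof addresses from several of the victim's prefixes, and every legitimate client in a throttled prefix shares its budget with the attack, which is why the slide presents rate limiting as a cap rather than a fix.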

Packet Based Filtering
It is also possible to reactively begin filtering out packets that are detected as part of an attack: once an attack is recognised, signal an upstream router to begin dropping packets from the attack sources, which for a DRDoS attack are the abused amplifiers.