
Authors – Johannes Krupp, Michael Backes, and Christian Rossow(2016)


1 Identifying the scan and attack infrastructures behind amplification DDoS attacks
Authors: Johannes Krupp, Michael Backes, and Christian Rossow (2016). Presented by Aditya Walanj.

2 Motivation
- Amplification DDoS attacks have become a serious threat to Internet users. Attack bandwidths can reach several hundreds of Gbit/s.
- Attackers can spoof the source IP of requests sent to open Internet services.
- Victims don't know whom to contact to prevent these attacks.
- The goal is to render a network unusable by flooding the target network with huge traffic.

3 Background
- All amplification attacks are UDP based, since UDP is a connection-less protocol.
- Four parties:
  - Attacker: sends requests with a spoofed source IP.
  - Amplifiers: servers which act as reflectors.
  - Victim: the source IP specified in the request.
  - Scanner: used to find amplifiers by sending requests and recording responses.
- The attacker leverages the amplification vectors in network protocols.

4 Problem
- Little is known about the origin of attacks.
- Revealing attack sources is a significant problem: the spoofed nature of the traffic makes it difficult. A false source address is provided to hide identity or to impersonate another system.
- Solution:
  - Attributing attacks to scan infrastructures using honeypot techniques.
  - Mapping scan infrastructures to attackers using TTL trilateration techniques.

5 Solution Background
- The method fulfils three important goals:
  - Works in real time, so we can attribute attacks on the fly.
  - Attribution does not require cooperation between ISPs.
  - Provides probabilistic guarantees showing confidence levels of attribution outcomes.
- A honeypot is a computer security mechanism that contains valuable data which is monitored to detect unauthorised use.
- AMPPOT emulates a server offering 7 different UDP protocols that are abused, e.g. NTP and DNS.
- Selective response scheme:
  - AMPPOT only selectively replies to requests.
  - Each scanner will see a different set of deployed honeypots → distinct attribution feature.
  - Implemented by fixing the fraction of the network that responds to a scan → fraction set to 0.5.

6 Solution Background (cont.)
- Three /28 networks → 48 honeypot IPs.
- Each scanner scans all 48 honeypot IPs and has a unique reply set of 24 IPs.
- In the real world, a scanner may not query with one source but with multiple sources.
- Confidence levels determine how robust attribution is under real-world conditions.
- Two sets: query set and reply set.
- Find the probability p of falsely accusing a scanner; confidence = 1 - p.

7 Methodology: Step 1
- Attack: a stream of at least 100 packets from the same source to the same port within 1 hour.
- The amplifier set depends greatly on the scan prior to the attack.
- For every honeypot IP, maintain all aware sources (scanners).
[Figure: "Potential scanner behind attack" vs. "In attack set"]

8 Results
- Three cases:
  - Zero candidates: no scanner was aware of the amplifiers → non-attributable (2.5 %).
  - Exactly one candidate: a single scanner was aware of the amplifiers → attributable (79.9 %).
  - More than one candidate: multiple scanners were aware of the amplifiers → non-unique (17.6 %).
- Most attributed attacks and scanners were from the US, the Netherlands, and Lithuania.
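Added example, not code from the paper or the slides: a small model of the selective-response scheme (slides 5 and 6) and of attribution step 1 with its three outcomes (slides 7 and 8). The honeypot addresses are hypothetical RFC 5737 documentation ranges, the hash-based way of picking each scanner's 24-IP reply set is an assumption (the slides do not give AmpPot's rule), and the confidence formula assumes an unrelated scanner's reply set is an independent uniform 24-subset of the 48 honeypots.

```python
import hashlib
from math import comb

# Constructed deployment modelled on the slides: three /28 networks, 48 honeypot
# IPs (hypothetical RFC 5737 documentation addresses), response fraction 0.5.
HONEYPOTS = ([f"192.0.2.{i}" for i in range(1, 17)]
             + [f"198.51.100.{i}" for i in range(1, 17)]
             + [f"203.0.113.{i}" for i in range(1, 17)])
FRACTION = 0.5

def reply_set(scanner_ip, honeypots=HONEYPOTS, fraction=FRACTION):
    """Selective response: each scanner receives replies from a fixed,
    scanner-specific half of the honeypots. The subset is chosen here by ranking
    honeypots with a hash of (scanner, honeypot); the real AmpPot selection
    rule is not on the slides, so this is an assumption."""
    ranked = sorted(honeypots,
                    key=lambda hp: hashlib.sha256(f"{scanner_ip}|{hp}".encode()).digest())
    return frozenset(ranked[:int(len(honeypots) * fraction)])

def attribute(attack_amplifiers, scanners):
    """Step 1: a scanner is a candidate if it was 'aware' of every honeypot IP
    abused in the attack, i.e. all of them are in its reply set."""
    candidates = [s for s in scanners if set(attack_amplifiers) <= reply_set(s)]
    if not candidates:
        label = "non-attributable"      # zero candidates
    elif len(candidates) == 1:
        label = "attributable"          # exactly one candidate
    else:
        label = "non-unique"            # more than one candidate
    return label, candidates

def false_accusation_prob(k, n=len(HONEYPOTS), m=None):
    """Probability p that an unrelated scanner, whose reply set is an
    independent uniform m-subset of the n honeypots (assumption), happens to
    contain all k amplifiers used in the attack. Confidence = 1 - p."""
    m = n // 2 if m is None else m
    if k > m:
        return 0.0
    return comb(n - k, m - k) / comb(n, m)
```

With one amplifier in the attack p is 0.5, so an attack abusing only one honeypot can never be attributed with confidence; the more of a scanner's reply set an attack reuses, the smaller p becomes.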

9 Methodology: Step 2
- Was the infrastructure used to perform scans also used to launch attacks?
- Distance(source, receiver) = TTL at source (attacker) - TTL at receiver (honeypot).
- Assumption: the initial TTL is fixed, and the hop distance from the same source to the same honeypot is equal.
- Compare hop distances to identify whether two packets originate from the same source.
- Validate the TTL metric using RIPE Atlas:
  - Select 200 random probes to send packets to the 11 most prominent honeypots.
  - Honeypots record TTL values.
  - Compute the minimal distance for every pair of sources using the recorded TTL values.
  - Derive thresholds from the distances.

10 Methodology: Step 2 (cont.)
- Measurements < threshold → same source; measurements > threshold → different sources.
- True positive: one probe had two measurements below the threshold.
- False positive: two different probes have two measurements below the threshold.
- Apply the methodology to the dataset of scanners by comparing the TTL vectors of the scan event and the attributed attacks.
- 34 out of 286 scanners were found malicious, i.e. also used to launch attacks, with 99.9 % confidence.

11 Criticism
Limitations:
- The amplifier set used in the attack was scanned with a single public IP.
- Attackers may identify AMPPOT by its behaviour.
- The initial TTL is fixed → randomization is possible.
- All networks are considered.
- The scanner doesn't spoof its source address during scanning.
Improvements:
- Increase the network size and decrease the response ratio.
- Run AMPPOT in "proxy" mode.
- Better approach → IP traceback (marking packets).
- Ignore networks provided by ISPs that prevent spoofing.
- Extend the method to further validate scan infrastructures before mapping.

12 Thank you for listening

