DRDoS Attacks
Jacob Wood
The information in this presentation is from Christian Rossow's paper Amplification Hell: Revisiting Network Protocols for DDoS Abuse (NDSS 2014).
Background Info for DRDoS Attacks
DoS Attack
Denial of Service (DoS) attacks flood a server with requests to drown out legitimate traffic. The key is being able to send enough packets to overwhelm the target. There are many subcategories of DoS attack that try to accomplish this efficiently.
DDoS Attacks
Distributed Denial of Service (DDoS) attacks use a botnet of compromised computers to send packets to the target. The number of packets that can be sent to a target is limited by the upload bandwidth of the attacking party, and upload bandwidth is normally much smaller than download bandwidth. Distributing the attack over a botnet lets the attacker combine the upload capacity of many networks.
DRDoS Attacks
A Distributed Reflective Denial of Service (DRDoS) attack takes this a step further. Instead of sending traffic directly from the botnet to the target, each bot sends requests to other services while pretending to be the target, i.e. with the target's address as the spoofed source IP. The valid responses of these services are delivered to the target and flood its bandwidth. The key is finding services that respond with packets far larger than the requests. These services are called reflectors (or amplifiers, when the response is larger than the request).
Mailbox Example
Pretend you are trying to flood a target's mailbox with junk mail. A DoS attack would be like you sending as much junk mail to the target as possible, in the hope of making it harder to sort through the mail. A DDoS attack would be like you enlisting or tricking a bunch of other people into also sending as much junk mail as possible to the target.
Mailbox cont.
A DRDoS attack would be like getting each of these people to subscribe to magazines in the target's name. The key here is that subscribing to a magazine takes no more than one page of paper, but the magazines sent to fulfil the subscription are 30 to 100 times larger. The magazine publishers act as unknowing reflectors.
Introduction
UDP-based network protocols do not validate the identity of a client beyond its source IP address, and UDP has no handshake that would verify that address. The attacker therefore only needs to be able to spoof the target's IP. This gives the attacker several desirable features:
- It disguises the attacker's identity, because the traffic reaching the target comes from the reflectors.
- A highly distributed DoS attack can be conducted from a single uplink by abusing multiple amplifiers.
- The traffic arriving at the target is significantly larger than the traffic the attacker must send.
14 Protocols
The paper evaluates 14 UDP-based network protocols:
- Network services: SNMP v2, NTP, DNS, NetBIOS, SSDP
- Legacy: CharGen, QOTD
- Peer-to-peer: BitTorrent, Kad
- Gaming: Quake 3, Steam
- Bots: ZAv2, Sality, Gameover
Threat Model
Basic Threat Model
The attacker sends small requests to multiple amplifiers while pretending to be the victim. The amplifiers try to fulfil the requests and send the victim responses that are significantly larger than the requests. This causes the victim to experience bandwidth congestion. This is figure 1 in the paper.
Amplification Vulnerabilities
Key features of abusable protocols
- Small requests create large responses.
- Reflection of traffic with a spoofed source IP is possible, normally because there is no proper handshake.
This excludes all TCP-based protocols: TCP can reflect (a spoofed SYN elicits a SYN/ACK to the victim), but it cannot be used for amplification, because the SYN/ACK is no larger than the SYN and no application data is sent before the handshake completes.
More Detail on the 14 Protocols
This table gives more detail on the 14 protocols examined in the paper. It excludes protocols that can be used as reflectors but do not work as amplifiers, such as ECHO and ISAKMP. This is table I in the paper.
Finding amplifiers
Amplifiers in this publication were found through three processes:
- Scanning: it is possible to scan the advertised IPv4 address space to find amplifiers. A complete /0 IPv4 scan for one protocol takes less than two hours using a 1 Gb/s uplink and an efficient scanner implementation.
- Crawling: for the P2P protocols, an iterative search through peer-list exchanges is used. Crawling can only find Internet-facing peers, but those are the only ones relevant for this type of attack.
- Querying the master server: for the game server protocols it is possible to query the master server list. Registering with this master list is not mandatory, but it is very typical.
Results of the Search
The results show the number of amplifiers found per protocol. They also show how long it took to find 1,000 and 100,000 amplifiers. Notice that finding amplifiers does not take very long: for most protocols, 1,000 amplifiers can be found in less than one minute. This is table II in the paper.
Amplification Factors
We now know how many amplifiers are available for each protocol; next we need to find which ones are the best. The paper defines the bandwidth amplification factor (BAF) as the bandwidth multiplier: the number of UDP payload bytes an amplifier sends in response to a request, divided by the number of UDP payload bytes of the request. The Ethernet, IP and UDP headers are excluded so that the results stay valid even after a migration from IPv4 to IPv6.
Amplification Factors cont.
The paper also measures the packet amplification factor (PAF): the packet multiplier, i.e. the number of IP packets the amplifier sends to answer a single request.
Results
This table shows how much each protocol can amplify a request. It gives the amplification averaged over all amplifiers, then over the top 50% of amplifiers, and finally over the top 10%. Notice that the worst NTP offenders amplify the request by a factor in the thousands (see the monlist numbers on the next slide). This is table III in the paper.
NTP Amplification
Many NTP servers support a "monlist" command (a mode 7, private-mode request). On a monlist request the server returns its list of recent clients in up to 100 UDP datagrams of 440 bytes each, while the request itself is only 8 bytes.
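The BAF and PAF definitions above, together with the per-amplifier averages of table III, can be reproduced in a few lines. The code below is an added example, not part of the presentation or the paper; the ten "NTP servers" are constructed measurements (a full monlist of 100 x 440 bytes for an 8-byte request, and servers with shorter client lists), not data from the study, and the "all / top 50% / top 10%" summary generalizes the table's columns to any list of measurements.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Measurement:
    """One amplifier's reply to one probe. Lengths are UDP payload bytes only
    (Ethernet/IP/UDP headers excluded, as in the paper's BAF definition)."""
    protocol: str
    amplifier: str
    request_bytes: int          # UDP payload length of the single request
    response_bytes: List[int]   # UDP payload length of each response datagram

    def baf(self) -> float:
        """Bandwidth amplification factor: response payload bytes / request payload bytes."""
        return sum(self.response_bytes) / self.request_bytes

    def paf(self) -> int:
        """Packet amplification factor: number of IP packets sent in reply to one request."""
        return len(self.response_bytes)


def summarize(measurements: List[Measurement],
              factor: Callable[[Measurement], float]) -> Dict[str, float]:
    """Average a factor over all amplifiers, over the top 50 % and over the top 10 %,
    mirroring the columns of the paper's table III (an attacker would pick the top ones)."""
    values = sorted((factor(m) for m in measurements), reverse=True)
    n = len(values)
    top50 = values[: max(1, n // 2)]
    top10 = values[: max(1, n // 10)]
    return {
        "all": sum(values) / n,
        "top50": sum(top50) / len(top50),
        "top10": sum(top10) / len(top10),
    }


# Constructed sample (not measured data): ten NTP servers answering an 8-byte monlist
# request. A full client list gives 100 datagrams of 440 bytes; servers with fewer
# recent clients return fewer datagrams, which is why the factors vary by amplifier.
NTP_SAMPLE = [
    Measurement("NTP", f"ntp-{i}", request_bytes=8, response_bytes=[440] * k)
    for i, k in enumerate([100, 100, 60, 40, 20, 10, 5, 3, 2, 1])
]

if __name__ == "__main__":
    print("BAF:", summarize(NTP_SAMPLE, Measurement.baf))   # top10 -> 5500.0
    print("PAF:", summarize(NTP_SAMPLE, Measurement.paf))   # top10 -> 100.0
```

The spread between the "all" and "top 10%" columns is the practical point: an attacker who has scanned the whole address space does not use the average amplifier, only the best ones.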
Real-World Observations
The paper goes on to try to catch real-world examples of these attacks, in three ways: NetFlow data, darknet traffic, and published amplification bait.
NetFlow data
NetFlow data was obtained from an unnamed European ISP with about 1 million end users. The ISP was found to host multiple servers that are vulnerable to abuse as amplifiers. The data was sampled and processed to find instances of incoming DRDoS attacks and of abuse of the ISP's own amplifiers.
Darknet traffic
Darknets are unused IP address ranges. Because nothing is located at these addresses, any activity there can be considered background Internet traffic, such as scans, so monitoring these ranges is a way to detect scanning for amplifiers. The author had access to two darknet ranges and monitored all traffic to them for a few weeks to gather data.
Amplifier baits
Bait services that would work as very good amplifiers were deployed and made public so as to appear attractive to attackers. They all operated on public IPv4 addresses free of firewalls or NAT gateways. Note that there was no way to detect attacks without also participating in them, so the uplink of each bait service was limited to 1 Mb/s to minimize potential damage; the author hopes that the insight gained compensates for any harm caused by this experiment.
Finding Real-world Victims
This figure shows how DRDoS attacks were identified in the NetFlow data. Nodes a and b are considered legitimate traffic because the ratio of incoming to outgoing bytes is close to 1. The M nodes are considered attacking amplifiers because their ratio is heavily in favor of incoming traffic: the victim receives large responses from them but sends them (almost) nothing, since the requests were spoofed by someone else. This is figure 2 in the paper.
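The classification sketched in figure 2 can be run over flow records as detection logic. The code below is an added example (not the paper's analysis pipeline) and works on a constructed, simplified NetFlow-like record; the ratio threshold of 10 and the requirement of at least 3 sources on the same remote port are illustrative assumptions, not the paper's parameters. Flows between the victim and a peer are keyed on the remote host and remote port, so all responses from one amplifier service group together; a lone asymmetric flow (a bulk download) is deliberately not flagged.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    """One (already sampled and aggregated) flow record. Constructed format, not the ISP's."""
    src: str
    dst: str
    sport: int
    dport: int
    octets: int


def pair_stats(flows: Iterable[Flow], local_hosts: Set[str]) -> Dict[Tuple[str, str, int], List[int]]:
    """Bytes in and bytes out between each local host and each (remote host, remote port).
    Keying on the remote port groups all traffic from one amplifier service together."""
    stats: Dict[Tuple[str, str, int], List[int]] = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.dst in local_hosts:
            stats[(f.dst, f.src, f.sport)][0] += f.octets   # inbound to the local host
        elif f.src in local_hosts:
            stats[(f.src, f.dst, f.dport)][1] += f.octets   # outbound from the local host
    return stats


def find_drdos_victims(flows: Iterable[Flow], local_hosts: Set[str],
                       ratio_threshold: float = 10.0, min_sources: int = 3):
    """Flag a local host as a DRDoS victim when at least `min_sources` remote hosts on the
    same remote port each send it `ratio_threshold` times more bytes than it sends back.
    A host whose traffic with a peer is roughly symmetric (ratio near 1) is left alone."""
    suspects: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for (local, remote, rport), (b_in, b_out) in pair_stats(flows, local_hosts).items():
        # Spoofed requests never leave the victim's network, so b_out is often exactly zero.
        ratio = b_in / b_out if b_out else float("inf")
        if ratio >= ratio_threshold:
            suspects[(local, rport)].append(remote)
    return {k: sorted(v) for k, v in suspects.items() if len(v) >= min_sources}


VICTIM = "203.0.113.7"
# Constructed sample flows (documentation address ranges), not real ISP data.
SAMPLE_FLOWS = [
    # Nodes a and b: ordinary DNS traffic, bytes in and out are about equal.
    Flow("198.51.100.10", VICTIM, 53, 40001, 1100), Flow(VICTIM, "198.51.100.10", 40001, 53, 1200),
    Flow("198.51.100.11", VICTIM, 53, 40002, 950),  Flow(VICTIM, "198.51.100.11", 40002, 53, 1000),
    # A bulk download from one host: asymmetric, but a single source, so not an attack.
    Flow("198.51.100.20", VICTIM, 443, 40003, 900_000), Flow(VICTIM, "198.51.100.20", 40003, 443, 50_000),
    # Nodes M1..M5: NTP amplifiers answering requests the victim never sent (no outbound flow).
    *[Flow(f"192.0.2.{i}", VICTIM, 123, 54321, 44_000) for i in range(1, 6)],
]

if __name__ == "__main__":
    print(find_drdos_victims(SAMPLE_FLOWS, {VICTIM}))
    # {('203.0.113.7', 123): ['192.0.2.1', '192.0.2.2', '192.0.2.3', '192.0.2.4', '192.0.2.5']}
```

On sampled NetFlow the byte counts are estimates, so in practice the ratio threshold should be set well above 1 and the source count should be checked over a window of several minutes; the paper's results table also reports the number of amplifiers |M| per attack, which is the same count this code thresholds on.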
Results of Finding Victims
This table shows the attacks found in the NetFlow data. The victims' IP addresses are withheld for privacy and each victim is represented by a single letter in the V column. |M| is the number of amplifiers in the attack, Volume is the total size of the attack in MB, and BW is the average attack bandwidth in Mbit/s. This is table V in the paper.
Results of Finding Victims cont.
The ISP that provided the NetFlow data was contacted with the results. Most of the attacks were already known to the ISP through its own basic alerting system; however, some of the smaller attacks had not been detected. The main purpose of these results was to get an idea of how often these types of attacks occur.
Results of Bait Services
The CharGen bait server was used as an amplifier within 15 minutes of being discovered. The Quake server was abused 7 times. None of the P2P bait nodes were abused.
Countermeasures
Preventing IP Spoofing
IP spoofing is the key technique that enables reflection, so preventing IP spoofing would prevent DRDoS attacks. The common technique is ingress filtering (BCP 38): an edge router drops any packet whose source IP is not one the router is responsible for. Unfortunately, not all providers implement it, and as long as any provider allows IP spoofing, DRDoS attacks remain possible, albeit harder to launch.
Protocol Hardening
Another approach is to harden the UDP-based protocols themselves. Recall that TCP is not susceptible to reflection because of its three-way handshake; adding a similar handshake (for example a cookie that the client must echo before the real response is sent) to UDP protocols would prevent reflection. Alternatively, one can prevent the amplification rather than the reflection: require that incoming and outgoing traffic be of similar size, i.e. instead of sending the entire response at once, send only a portion close to the request size and require the client to send a follow-up command for the rest.
Rate Limiting
A server can limit the size of its responses or the number of responses a single client may receive per unit of time. This does not outright prevent amplification; it limits how much amplification can happen. It can also be bypassed by spoofing many different source IPs that all belong to the victim's network, so that each one stays under the per-client limit.
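The bypass described above, and the usual answer to it, can be shown with a small response-rate-limiter model. This is an added example, not code from the paper or from any real server; the limit of 5 responses per second, the attacker's burst of 256 spoofed addresses in the victim's /24 and the single legitimate client are constructed inputs. The same limiter is run keyed on the individual source address and then keyed on the /24 the source belongs to, which is the aggregation BIND's response rate limiting uses by default for IPv4.

```python
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class ResponseRateLimiter:
    """Allow at most `limit` responses per `window` seconds to each client key.
    With prefix_len=32 the key is the individual source address; with prefix_len=24
    every address in the same /24 shares one budget. Timestamps are supplied by the
    caller so the model is deterministic and runs offline."""

    def __init__(self, limit: int, window: float, prefix_len: int = 32) -> None:
        self.limit = limit
        self.window = window
        self.prefix_len = prefix_len
        self._sent: Dict[ipaddress.IPv4Network, Deque[float]] = defaultdict(deque)

    def key(self, src_ip: str) -> ipaddress.IPv4Network:
        # strict=False lets a host address be rounded down to its covering prefix.
        return ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)

    def allow(self, src_ip: str, now: float) -> bool:
        """Return True if a response to src_ip may be sent at time `now`."""
        q = self._sent[self.key(src_ip)]
        while q and now - q[0] >= self.window:   # expire responses older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def responses_sent(limiter: ResponseRateLimiter, requests: List[Tuple[float, str]]) -> int:
    """Number of requests the server would answer; each answer is one amplified response."""
    return sum(limiter.allow(src, t) for t, src in requests)


# Constructed attack: 256 spoofed requests within one second, each claiming a different
# address in the victim's 203.0.113.0/24, so a per-address limit sees 256 distinct clients.
SPOOFED_BURST = [(i / 256, f"203.0.113.{i}") for i in range(256)]
# Constructed legitimate client: three requests from a single address.
LEGIT_CLIENT = [(0.0, "198.51.100.5"), (0.3, "198.51.100.5"), (0.6, "198.51.100.5")]

if __name__ == "__main__":
    print(responses_sent(ResponseRateLimiter(5, 1.0), SPOOFED_BURST))                  # 256
    print(responses_sent(ResponseRateLimiter(5, 1.0, prefix_len=24), SPOOFED_BURST))   # 5
    print(responses_sent(ResponseRateLimiter(5, 1.0, prefix_len=24), LEGIT_CLIENT))    # 3
```

Aggregating by prefix closes the spoofing loophole but turns the limiter into a collateral-damage tool: every real client behind the same /24 shares the victim's budget, which is why production rate limiters pair it with a small truncated-response ("slip") that lets legitimate TCP-capable clients retry while the amplified UDP response is withheld.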
Packet-Based Filtering
It is also possible to reactively filter out packets that are detected as part of an attack: once you realize an attack is under way, signal an upstream router to begin dropping packets from the attack sources (in a DRDoS attack, the abused amplifiers, typically identifiable by their source port).