INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Transcription

1 INTRODUCTION: DDOS ATTACKS 1

2 DDOS ATTACKS Though Denial of Service (DoS) and Distributed Denial of Service (DDoS) have been common attack techniques used by malicious actors for some time now, organizations still struggle to properly mitigate these threats. Such attacks can have a significant impact on a victimized organization. For years now, NTT Group has been helping prepare clients for such attacks. Every year, new capabilities to mitigate DoS and DDoS threats enter the security marketplace. From application layer appliances to the capabilities of content distribution networks, there has been a great focus on managing the impact of these attacks. The following sections present analyses of DDoS attacks, and a case study of a DDoS attack which used a legitimate application feature against the targeted organization. Read more at the Global Threat Intelligence Report Online at: 2

3 DDOS ATTACKS: DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS 1

4 DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS NTT is one of the largest Internet providers in the world, with a significant share of the world s Internet traffic passing through the global public NTT network. As a provider with world-wide coverage managing this much bandwidth, one of NTT s important tasks is to mitigate large distributed denial of service attacks (DDoS). These attacks historically have focused on flooding a victim s networks with so much data or activity that legitimate services are rendered unavailable. These volume-based attacks are very different from application DDoS attacks (such as that described in the Web Application DDoS Attack case study in Section F.4 of this report), which consume application processing resources. The distribution of DDoS attacks (by type of attack) observed by NTT in 2014 is presented in the following chart. DDOS BY TYPE NTP Amplification Multi-vector TCP SYN SSDP Amplification DNS Amplification Other 0% 7% 14% 21% 28% 35% Caption: NTP amplification leads the number of attacks by type of attack. 2

5 63 percent of all DDoS attacks observed were related to UDP based protocols and services (NTP, SSDP and DNS). Discussions of different DDoS attack types observed in 2014 are presented below. NTP Amplification Attacks With 32 percent of all DDoS attacks during 2014, the most common type of attack we observed was the Network Time Protocol (NTP) amplification attack. In this attack, an attacker changes the source address of an NTP query to the intended victim s address, then sends the maliciously spoofed query to one or more NTP servers. The NTP servers respond to the IP address of the victim (the spoofed source address). The amplification components of the attack are what make it interesting. A very small query to an NTP server can produce a very large response if using particular NTP options. TCP SYN Flood Attacks Another of the largest types of DDoS attacks, with 16 percent of the total, is also one of the oldest and most consistently observed over the years. The TCP SYN flood attack is performed by flooding the target network with a large number of TCP SYN requests which results in the exhaustion of available resources. If mitigating controls are not put in place, a malicious attacker can use this tactic to create a large number of partially-open connections to a server. This can exhaust all available sessions, preventing users from connecting to ports which would normally be accessible for legitimate services. Attackers can further ensure the success of SYN floods by employing different techniques to exhaust resources. This may include spoofing the source IP addresses, targeting multiple ports, attacking from multiple distributed sources, and the use of botnets. 3

6 SSDP Amplification Attacks Another type of DDoS traffic observed in 2014 was Simple Service Discovery Protocol (SSDP) amplification, which made up 9 percent of all DDoS attacks observed. SSDP was created to help devices discover and connect to each other, and is part of the Universal Plug and Play (UPnP) protocol. The protocol was first introduced in 1999 and by default uses UDP port 1900 for communication. Similar to other attacks such as DNS and NTP amplification, attackers send specially crafted requests to an SSDP enabled device and direct the response to the targeted system. Although the service defaults to UDP/1900 it can be directed to send responses to other ports and services. Since there is no shortage of SSDP enabled devices it is a good candidate for attackers to use during reflection and amplification based attacks. Several tools allow attackers to identify SSDP enabled devices and launch attacks. Botnets capable of performing SSDP DDoS attacks may use compromised home computing, network and residential applications to conduct attacks. Due to the wide use of SSDP, especially in residential applications such as network modem/ router bundles, wireless access points, and many home entertainment appliances and gaming systems, it is likely that SSDP DDoS attacks will continue. Unfortunately, most devices which implement SSDP enable this feature by default and it is unlikely that residential users will patch or disable these services. Multi-Vector Attacks In multi-vector attacks, combinations of different DDoS attack types are used during a single incident. Attackers will often initiate attacks using one method but may adapt their approach during the attack if the primary method of attack is not as effective as anticipated. 4

7 Alternatively, attackers may elect to use multiple methods of attack simultaneously to ensure their success. For example, attackers may start with NTP amplification but then use methods such as SYN flood, SSDP, application specific or other methods to amplify the effect of the attack. Multi-vector attacks can be a powerful tactic since this increases the chances of success. These attacks are also designed to overwhelm defenses and organizational staff. It can be a challenge for organizations to respond to multivector attacks since different attack techniques require different mitigation and defensive approaches. DDoS Mitigation Recommendations DDoS attacks have been around for some time. Preventive measures have had a chance to mature, and some measures have proven to be more reliable than others. While they must be evaluated in each organization s unique environment, NTT Group offers the following recommendations: Technical Recommendations: Organizations should look at implementing a layered approach to DDoS mitigation controls leveraging multiple technologies. Implement onsite application DoS mitigation services such as a web application firewall. Filter traffic at multiple points of ingress including the upstream ISP and via content distribution networks or scrubbing services. Third-party traffic scrubbing and filtering services can be valuable because they often anticipate the need to address multiple types of DDoS attacks. Implement dynamic bandwidth services which can scale bandwidth as an attack unfolds. This is not optimal as a long term solution but can help absorb some of the initial impact of an attack. 5

8 Many network firewalls, load balancers and servers support rate limiting or session timeouts. Ensure organizational staff understands the environment and tools which are already available. Understand the capabilities of the organizations and the ISP to handle TCP SYN flood attacks. Many ISPs implement detection for spoofed IP addresses and filter these by default. Keep in mind that ISPs often do a great job at filtering high-volume attacks, but smaller attacks may go unnoticed and not be filtered. Depending on the focus of the attack, host or application-based controls can help mitigate session or connection exhaustion. Ensure the organization follows system and service hardening guidelines to reduce misconfiguration issues and limit services running. Non-technical Recommendations: Ensure the organization understands not only its ability to detect a DDoS attack, but its ability to respond. Account for DDoS attacks in the organization s business continuity and disaster recovery plans. Evaluate the financial impact a DDoS attack would have on organizational operations and services. DDoS attacks are often used to mask other criminal activities. In the event of a DDoS attack, ensure the organization is remaining alert for other malicious activities which may be occurring (fraudulent wire transfers, other breaches, and data exfiltration from other network segments). Know who to call for support during a DDoS attack (SOC, vendors, ISPs, incident response teams). Read more at the Global Threat Intelligence Report Online at: 6

9 DDOS ATTACKS: CALENDAR VIEW OF THE DDOS ATTACK TYPES 1

10 CALENDAR VIEW OF THE DISTRIBUTION OF DDOS ATTACK TYPES NTT Group analyzed DDoS attack data for the most common attack methods witnessed during UDP protocol based attacks (NTP, DNS, SSDP and others) were observed throughout the year. The most notable and impactful attack methods observed during 2014 were NTP and SSDP amplification attacks. During the first quarter of 2014 DDoS mitigation providers and the general media recognized significant spikes in NTP based DDoS activity. NTT Group saw the same result in the data we collected. As depicted in the following chart, the majority of NTP amplification activity for the year was observed from January through April 2014, with only a small reoccurrence of similar attacks in the fourth quarter. One of the primary reasons for this dramatic increase in NTP related attacks was the availability of toolkits allowing attackers to initiate powerful attacks without requiring extensive skills. One of the toolkits providing this capability is NTP-AMP. PERCENTAGE OF DDOS ATTACK TYPES BY MONTH 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% DNS Amplification SSDP Amplification Multi-Vector TCP SYN Other NTP Amplification Month Caption: Percentage of attack types by month. 2

11 Not quite as high volume, NTT Group observed SSDP amplification attacks growing in July and continuing to gain momentum during the fourth quarter, peaking in December The rise of SSDP based attacks in the last quarter of 2014 was rapid and widespread. This jump in observed attacks is likely due to the increased visibility of reflectionbased DDoS capability awareness and the availability of tools supporting these attack methods. With the global availability of UPnP and SSDP enabled devices it is likely we will continue to observe SSDP based attacks for the near future. For specific recommendations and more information on the DDoS attack types covered in this section, please also read the Distributed Denial of Service Observation section of the report. Read more at the Global Threat Intelligence Report Online at: 3