Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz

Transcription

1 Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz Presented By : Richie Noble

2 Distributed Denial-of-Service (DDoS) Attacks Known problem for many years Difficult to distinguish between an attack and simple overloading ( Slashdot effect ) Many solutions proposed Simple DDoS attacks like SYN flooding are well-understood edia/commons/3/3f/stachledraht_ DDos_Attack.svg

3 Evolving DDoS Attacks Many DDoS attacks now employ amplification attacks Abuse of UDP-based network protocols via reflection Attacker sends spoofed packets to a large number of reflectors who send responses to the intended victim Responses are often much larger than the requests, leading to amplification

4 Understanding the Problem As this type of attack is relatively new, the authors wish to learn more about it Performed Internet-wide scans to identify potential amplifiers Fingerprinted and categorized these systems Peformed a global security notification campaign Analyzed potential for TCP amplification attacks Deploy remote scanning technique for identifying systems that allow IP spoofing

5 Outline Introduction Threat Model and Scanning NTP Case Study TCP-based Amplification IP Address Spoofing

6 Threat Model Prior work has identified 14 vulnerable UDPbased protocols Offer severe amplification rates, up to a factor of 4,670 Authors performed Internet-wide scan for systems using seven of these protocols DNS, SNMP, SSDP, CharGen, QOTD, NTP, and NetBIOS All run server-side, implying better connectivity and with less IP address churn

7 Scanning Setup Authors developed an efficient scanner to identify amplifiers, following practices suggested by Durumeric et al. Scans run on a weekly basis from Nov. 22, 2013 Feb. 21, 2014 Scans spread out over 48 hour periods to avoid being blacklisted Set up a reverse DNS record of the scanner pointing to a web server presenting the project and opt-out information

8 Scanning Setup Sent a request for each protocol that can be used to amplify traffic NTP version, SSDP search, DNS A lookups, etc. During course of scans, received 90 s from administrators Excluded 91 IP prefixes and 30 individual IP addresses (~3.7 million total) Such addresses excluded from analysis, even if they were not blacklisted in the beginning Discovered nearly 46 million potential amplifiers

9 Scanning Results

10 Amplifier Classification

11 Amplifier Churn

12 Amplifier Churn

13 Outline Introduction Threat Model and Scanning NTP Case Study TCP-based Amplification IP Address Spoofing

14 NTP Case Study NTP promising for amplification attack monlist feature can be amplified by a factor of 4,670 Very minimal IP address churn Multiple amplification vectors version feature can be amplified by a factor of 24 Attackers have already used NTP A French hosting provider suffered a 400 Gbps amplification attack in February, 2014

15 NTP Notification Campaign Defined two datasets of NTP amplifiers NTPver and NTPmon representing NTP servers vulnerable to version and monlist requests, respectively Collaborated with many security organizations Technical advisories from CERT-CC, MITRE, Cisco's PSIRT Describe how to disable monlist and version Distributed lists of IP addresses in NTPmon dataset among trusted institutions

16 Analyzing Campaign Success At end of weekly scanning in February, 2014 NTPver dropped from 7,364,792 to 4,802,212 (33.9%) NTPmon dropped from 1,651,199 to 126,080 (92.4%) Another scan performed in June, 2014 showed a further decrease in NTPmon by ~40,000

17 Analyzing Campain Success

18 Geographic Distribution

19 Lessons Learned Such security notification campaigns can be very effective Could potentially be applied to other securitycritical issues (e.g., heartbleed) CERTs not as well connected as they need to be

20 Outline Introduction Threat Model and Scanning NTP Case Study TCP-based Amplification IP Address Spoofing

21 TCP-based Amplification Attacks Authors have shown it is potentially possible to stop UDP-based amplification attacks Attackers have shown they are capable of evolving their attacks as this occurs Can TCP-based protocols be abused similarly? UDP works well due to its connectionless nature TCP is connection-oriented, making it less intuitively susceptible

22 TCP Three-way-handshake General Process Client sends SYN packet to server Server responds with SYN/ACK packet Client completes setup with final ACK packet Does not seem to allow for amplification At most, one SYN/ACK packet will be sent to victim Traffic not amplified

23 Handshake Problems TCP will retransmit segments that are not acknowledged Many popular TCP stacks will retransmit SYN/ACK packets until : (i) an ACK is received (ii) the connection times out (iii) The connection is closed via a RST packet

24 Handshake Problems Victims may not be able to send a RST packet Could be overloaded Attacker could target an unassigned IP Address within a network

25 TCP Scanning Performed two Internet-wide SYN scans First without RSTs and the second with RSTs Performed for HTTP, Telnet, and CUPS Reached 66,785,451 HTTP hosts, 23,519,493 Telnet hosts, and 1,845,346 CUPS hosts.

26 TCP Results

27 TCP Results

28 Outline Introduction Threat Model and Scanning NTP Case Study TCP-based Amplification IP Address Spoofing

29 IP Address Spoofing IP address spoofing is the root cause for amplification attacks Up to now, only way to check if a system allows IP address spoofing is for an admin to test it themselves Authors work to deploy a scanner that works remotely Enables them to identify thousands of systems that support IP address spoofing

30 IP Spoofing Scanner

31 IP Spoofing Scanner

32 Finding Spoofing-Enabled Networks Authors found 581,777 DNS proxies which had mismatched source IP addresses Even with extremely conservative estimates, this implies there are thousands of systems out there that allow for spoofed IP addresses

33 Finding Spoofing-Enabled Networks Authors found 581,777 DNS proxies which had mismatched source IP addresses Even with extremely conservative estimates, this implies there are thousands of systems out there that allow for spoofed IP addresses Only tells us which networks allow spoofing, not if they actually are Left as future work

34 Conclusion Identified and organized UDP-based protocols that can be used for amplification DDoS attacks Performed a successful campaign notifying the public of vulnerabilities within NTP Identified potential amplification attacks from TCP-based protocols Deployed a scanner capable of identifying IP address spoofing-enabled networks

35 Questions?