DDo : eparating Friend from Foe

Transcription

1 DDo : eparating Friend from Foe Y A L X H N T H O R N - I W A N, V P M A R K T I N G N O V 2 3, Full tra c vi i ilit to diagno e tho e na t attack In man organization, network are at the core of the u ine, ena ling not onl internal function uch a HR, uppl chain, and nance ut al o the ervice and tran action on which the u ine depend for revenue. That make network availa ilit critical. An interruption of acce from the out ide world turn o the revenue pigot, impacting pro t and creating a ad u er experience that can damage cu tomer ati faction and re ult in permanent lo of patronage. The wor e the outage, the wor e the damage. That wh peed i o important in detecting, diagno ing, and re ponding to Denial of ervice (Do ) and Di tri uted Denial of ervice (DDo ) attack. One of the chief challenge in re ponding to an attack i to di tingui h friend from foe. Without a wa to drill down into tra c detail and examine ho t-level tra c ehavior, it can e di cult to tell the di erence. That wh it critical to have a network vi i ilit tool like Kentik Detect, which allow ou to quickl lter for ke attack metric. The ooner ou can determine where a tra c pike i coming from and going to, the ooner ou can decide on the appropriate re pon e. And even after an attack ha pa ed, examining full re olution tra c data from that attack can till reveal information that can e applied to etter prepare for future event. A out Do and DDo Ju t to e ure we re on the ame page, a Do attack i an attempt to make computing or network re ource unavaila le for normal u age, uch a interrupting a ho t acce to the Internet or u pending it ervice to the Internet. Do ecome DDo when the ource of the attack i di tri uted, meaning that the attack come from more than one unique IP addre. DDo attack are commonl launched from otnet of compromi ed ho t that can num er up into the thou and. KENTIK TECHNOLOGIES 733 FRONT ST, C1A SAN FRANCISCO, CA

2 It widel known that DDo attack are rapidl increa ing in frequenc and ize. DDo attack are While mega attack that la t for man hour and reach 200 G p or more make the rapidl increa ing in new, the va t majorit of attack la t under an hour and are le than 1 G p in oth frequenc and ize. volume. maller attack often happen without eing noticed, though the ma e har inger of larger attack to come. Mid- ized attack are more readil felt, ut di tingui hing etween a friendl urge in normal tra c and an attack i ke to timel re pon e. Large attack are fairl o viou, and in the e ca e diagno ing the tra c i important to under tand network entr point and ource. In all ca e, a clear a e ment i important to under tand the e t wa to mitigate the attack. The mo t common form of DDo i the volumetric attack, in which the intent i to conge t all of the target network andwidth. Roughl 90% of all DDo attack are volumetric, with application-la er attack making up the remaining 10%. According to Akamai Q tate of the Internet report, over 50% of volumetric attack are IP ood attack involving a high volume of poofed packet uch a TCP YN, UDP, or UDP fragment. A growing percentage of attack are re ection and ampli cation attack u ing mall, poofed NMP, DN, or NTP reque t to man di tri uted erver to om ard a target with the much more andwidth-heav re pon e to tho e reque t. In the la t few quarter, oth Akamai and other Internet ecurit o erver have noted rapid growth of re ection attack a ed on poofed imple ervice Di cover Protocol ( DP) reque t ent to IP-ena led home device with poorl protected Univer al Plug-n-Pla (UPnP) protocol tack. DP re ection now account over 20% of all volumetric DDo attack. DDo anal i ca e Depending on our organization t pe (e.g. I P, ho ting compan, content provider, or end-u er organization), ou ma e concerned onl with attack that directl a ect our re ource. Or ou might want to know a out an attack tra c that pa ed or i pa ing through our network. ither wa, there are two general ca e of DDo anal i : Diagno ing You ve alread detected that omething i ami, for example one of our re ource i experiencing ervice degradation, ou re eeing anomalou erver log entrie, or a circuit i unu uall full. In thi ca e, ou ll need to identif the tra c that cau ing the pro lem, and, if it not legitimate, to characterize the attack clearl enough to ena le peci c mitigating action. pelunking In thi ca e ou re not aware of an current attack ut ou want to explore our network tra c data to learn more a out previou attack (and ma e even nd an attack in progre ). We ll cover thi econd mode of DDo anal i in a eparate forthcoming po t. Metrics for Microservices - 2

3 Kentik Detect ig data data tore give ou man wa to anal ze volumetric tra c In oth of the e anal i ca e, the NetFlow and GP information in Kentik Detect ig data data tore give ou man wa to anal ze volumetric tra c. In the following example we ll look at how thi data can help ou eparate an attack from an innocent pike. Diagno i De tination IP For thi r t example, let a that ou re uddenl eing alerted e.g. erver overload alarm from our network management oftware, or alert noti cation from Kentik Detect that the IP addre (anon mized here to protect the innocent) i getting hammered anomalou tra c, indicating that it i po i l under attack. You ll want to rapidl drill down on ke characteri tic of the u pect tra c to determine if it actuall an attack, and if o to gather information that will help ou to mitigate the attack quickl. A a tarting point, we would go to the Data xplorer in the Kentik Detect portal. clicking All in the device election pane in the ide ar at left, and then the Appl utton, we can ee total network-wide tra c for all of the li ted device( ). ince we know the IP addre that we u pect i under attack, we ll can then u e the Filter pane in the left-hand ide ar to lter the total tra c for that addre : 1. Click Add Group. The Filter pane expand, howing the r t lter group (Group 1). 2. De ne a lter for tra c who e de tination IP i : From the drop-down metric menu, we choo e De t IP/CIDR. We leave the operator etting at = (default). In the value eld, we enter /32. The Filter pane then appear a hown at left. 3. Click the Appl utton at the upper right of the page. A graph i rendered (Fig. 2) and a corre ponding ta le i populated elow the graph (Fig. 3). Once we ve applied thi de tination IP addre lter, the re ulting graph how clearl that there i a igni cant, anomalou pike of tra c for over 20 minute and continuing. Metrics for Microservices - 3

4 Viewing ource IP Now we need to characterize thi tra c. An a normall large num er of ource IP addre e from at pical countrie i indicative of a otnet, o we ll look at tra c ource countr to unique ource IP addre e : 1. In the Group Metric drop-down a ove the graph, choo e ource» Countr. 2. In the Unit drop-down, choo e Unique rc Ip, then click Appl. We can now ee that there i a huge num er of unique ource IP from China, U.., Vietnam and other countrie that are generating nearl a million packet per econd in aggregate. ince thi IP happen to e the U.. and doe n t t picall get tra c from A ia, that clearl u piciou. China i the igge t contri utor to thi u pect tra c, o we ll i olate China and look at packet per econd per ource IP: 1. In the Group Metric drop-down, choo e ource» IP/CIDR. 2. In the Unit drop-down, choo e Packet /, then click Appl. Thi view validate that we re looking at a rather large num er of ource IP addre e that are ending equivalent packet per econd, which i indicative of a otnet. Additional attack characteri tic Now that we re prett ure we re under DDo attack, it would e helpful to know a it more a out the tra c we re eing hit with. o next we ll look at the protocol and de tination port # of the tra c. Fir t, in the Group Metric drop-down, choo e Full» Proto. We can ee that the tra c i primaril UDP: Next we ll et the Group Metric drop-down to De tination» Port to look at the de tination port num er. Metrics for Microservices - 4

5 A e ing mitigation option When we look at the de tination port # of the tra c, we can ee that there i remarka le con i tenc, in that the va t majorit of the UDP packet are going to port 3074, which i the X ox protocol. Now we can e prett certain that thi i a otnet attack. ince thi addre otherwi e doe n t receive tra c from A ia, we can mitigate the majorit of the attack dropping thi tra c from China and ome of the other A ian countrie. Remem er, though, that our look at ource countrie li ted the U.. right after China, with over a hundred thou and packet per econd. o to develop a complete mitigation plan we need to explore that i ue next. ince thi IP get tra c from the U.. under normal condition, impl dropping tra c from the U.. i n t a good idea. ut what we can do i to look at packet ource IP, ut thi time in tead of /32 ho t ource IP, we ll look at /24. We can ee that there i a good num er of /24 that are ending a fair amount of pp. o, one po i le mitigation approach would e to rate-limit the pp from each of the e /24. Another mitigation would e to redirect tra c from the e /24 to an internal or cloud- a ed cru ing center. Conclu ion There a large- cale dark market that trade in DDo, and that market continuou l innovate and evolve to meet new demand. With the nature of DDo attack con tantl changing, network-centric organization need an agile approach approach to DDo detection. o ering complete vi i ilit into network tra c anomalie, including oth alerting and full-re olution drill-down on raw ow record, Kentik Detect ena le operator to re pond rapidl and e ectivel to each DDo threat. Ready for more information? Please us at info@kentik.com or visit us at Reprinted from the Kentik blog at Kentik Technologies. All rights reserved.