(Distributed) Denial-of-Service in theory and in practice
About SURFnet
- National Research and Education Network (NREN)
- Founded in 1986, incorporated 1988
- > 11,000 km dark-fibre network
- Shared ICT innovation centre
- ~200 connected institutions, over 1 million end users
Who am I?
- M.Sc. in Computer Science from the UT
- Worked in security for the past 15 years
- Ph.D. student (part-time) in the DACS group
- Love scuba diving ;-)
In the news
The scale of DDoS attacks (source: http://www.digitalattackmap.com/)
The scale of DDoS attacks
- Primary effect: service disruption for the victim, e.g. e-banking services unavailable
- Secondary effect: disruption for dependent organisations, e.g. iDEAL or credit card transaction processing not available means missed e-commerce transactions
- Tertiary effect: service degradation for carriers: ISPs, Internet Exchanges, ...
Definition of Denial-of-Service
- Goal: disrupt a service to the point of starvation
- Two types: attacks that flood services, and attacks that crash services
- Means:
  - Resource starvation (CPU, disk, network, ...)
  - Disruption of configuration (e.g. routing)
  - Disruption of state (e.g. TCP connections)
  - Disruption of physical components (cutting the cable)
(image source: toronto.ctvnews.ca)
Common theme
- To perform a successful attack, you need to have more resources than the other guy
- Either a bigger gun, e.g. more bandwidth
- Or more guns, e.g. access to a botnet with thousands of machines; this is called distributed denial-of-service
Two network-based approaches
Network-based denial-of-service can be done two ways:
- By flooding the application, e.g. TCP SYN flood
- By flooding the pipe to the application, e.g. reflection/amplification attacks: DNS, SNMP, chargen amplification; Smurf attack (ping flooding)
TCP SYN flood (1) [diagram: the normal three-way handshake; Client -> Server: SYN, Server -> Client: SYN/ACK, Client -> Server: ACK]
TCP SYN flood (2) [diagram: the attacker sends SYN after SYN to the server, impersonating the client, and the handshake is never completed]
Reflection attack [diagram: the attacker sends requests with a spoofed sender IP (the victim's IP) to reflectors, whose replies go to the victim]
Reflection and amplification
- Reflection attacks leverage connectionless protocols (e.g. based on UDP): DNS, SNMP, chargen
- Reflection is more effective when amplification is also achieved: send a small request -> get a big response
Amplification attack [diagram: as above, but the reflectors are amplifiers: each spoofed request to an amplifier yields a much larger reply to the victim]
Example: DNS amplification
$ tcpdump -n -v -i en0 host xxxx...
11:00:19.411981 IP (... proto UDP (17), length 68) yyyy.55023 > xxxx.53: 36075+ [1au] MX? comcast.net....
11:00:19.430637 IP (... proto UDP (17), length 1500) xxxx.53 > yyyy.55023: 36075$ 3/6/29 comcast.net. MX...
11:00:19.430640 IP (... length 1500) xxxx > yyyy: udp
11:00:19.430641 IP (... length 297) xxxx > yyyy: udp
(One 68-byte query with an EDNS0 OPT record ([1au] = one additional record); the reply has 3 answer, 6 authority and 29 additional records and arrives as three IP fragments.)
Sent: 68 bytes, received: 1500 + 1500 + 297 = 3297 bytes, amplification 48.5x!
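Computing the amplification factor from a capture like the one above, as an added example that is not part of the original slides: the script parses `tcpdump -n -v` lines (the `-v` output prints the IP total length, which is what counts on the wire apart from the link-layer header) and sums bytes per direction. The slide elides the addresses, so the sample capture below is constructed with RFC 5737 documentation addresses (198.51.100.53 plays the open resolver xxxx, 192.0.2.10 the querying host yyyy); the tos/ttl/id/flags fields are likewise made up to give the lines their real shape.

```python
"""Amplification factor from a tcpdump -n -v capture (added example, not from the slides)."""
import re

# Constructed capture: the four packets from the slide with placeholder (RFC 5737) addresses.
CAPTURE = """\
11:00:19.411981 IP (tos 0x0, ttl 64, id 4711, offset 0, flags [none], proto UDP (17), length 68) 192.0.2.10.55023 > 198.51.100.53.53: 36075+ [1au] MX? comcast.net.
11:00:19.430637 IP (tos 0x0, ttl 56, id 2201, offset 0, flags [+], proto UDP (17), length 1500) 198.51.100.53.53 > 192.0.2.10.55023: 36075$ 3/6/29 comcast.net. MX ...
11:00:19.430640 IP (tos 0x0, ttl 56, id 2201, offset 1480, flags [+], proto UDP (17), length 1500) 198.51.100.53 > 192.0.2.10: udp
11:00:19.430641 IP (tos 0x0, ttl 56, id 2201, offset 2960, flags [none], proto UDP (17), length 297) 198.51.100.53 > 192.0.2.10: udp
"""

# "length <n>) <src> > <dst>:" is the only part of the line we need; the IP total length
# in <n> already includes the IP and UDP headers, and fragments have no port suffix.
LINE_RE = re.compile(r"length (?P<length>\d+)\)\s+(?P<src>\S+) > (?P<dst>\S+):")


def host(endpoint):
    """Strip the trailing port tcpdump appends to IPv4 endpoints ("a.b.c.d.port")."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else endpoint


def amplification(capture, reflector):
    """Return (bytes sent to the reflector, bytes received from it, amplification factor)."""
    sent = received = 0
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        length = int(m.group("length"))
        if host(m.group("dst")) == reflector:
            sent += length
        elif host(m.group("src")) == reflector:
            received += length
    return sent, received, (received / sent) if sent else float("inf")


if __name__ == "__main__":
    s, r, f = amplification(CAPTURE, "198.51.100.53")
    print(f"sent {s} bytes, received {r} bytes, amplification {f:.1f}x")
```

Counting IP total length rather than DNS payload is deliberate: the victim's pipe is filled by whole packets, fragments included, so the 1500-byte fragments count fully even though only the first carries a DNS header.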
Interlude: DNSSEC in 1 slide
- DNS Security Extensions (DNSSEC): development started in the 90s, large-scale roll-out since the Kaminsky vulnerability in 2008
- Goal: add authenticity and integrity to the DNS
- Solution: add digital signatures to DNS
- Problem: makes DNS responses much bigger
- To quote a critic (Daniel Bernstein): "DNSSEC is a remote-controlled double-barreled shotgun, the worst DDoS amplifier on the Internet"
Research results [figure: histogram of the percentage of domains (y-axis, 0-30%) per amplification factor (x-axis, 0-80, bin = 0.1) for domains with and without DNSSEC, in the combined .com/.net/.org zones and in .uk/.se/.nl, with the theoretical maximum amplification of regular DNS marked]
Blast from the past: chargen
Recently, we have seen a revival of a positively ancient vector for DDoS attacks: chargen. To quote RFC 864 (from May 1983):
  "UDP Based Character Generator Service
  Another character generator service is defined as a datagram based application on UDP. A server listens for UDP datagrams on UDP port 19. When a datagram is received, an answering datagram is sent containing a random number (between 0 and 512) of characters (the data in the received datagram is ignored)."
The perfect drive-by malware!
- Step 1: enable a default Windows component
- Step 2: start the chargen service
- Step 3: ET phone home ("My IP address is 192.87")
Holy face palm #FAIL
Man man man
Case study
- In May 2012 we saw a large increase in the number of queries to SURFnet's infrastructure
- 3 out of 4 name servers were getting large numbers of ANY queries for gigaport.nl (DNSSEC signed!)
- Not the server in Switzerland (neutral?) (we still don't know why, 4 years later!)
Quite visible in our statistics
- Attempt #1: attack not very effective
- Tweak some bits in the DNS query, and boom!
Profiling the attack
- Queries use EDNS0, with a very exotic maximum response size of 9000 bytes
- And we are not the only ones being abused: 3 name servers of SURFnet customers, also in the UK and across the globe
- Common denominators: queries for DNSSEC-signed zones, all with EDNS0, buffer size 9000, DNSSEC OK (DO) bit = 0 (!), fixed query ID, 25 subsequent queries, spoofed sender IP
- Takeaway: we can filter this traffic!
But where is it coming from?
- IP packets contain a time-to-live (TTL) field
- Maximum value is 255; every router lowers it by one (and by one for every second a packet is held)
- If you know the starting value, it is a good measure of distance
- All query packets in the attack arrived with a TTL of 250
- That almost certainly means the sender set the initial value to 255, so at most 5 routers decremented the packets: at most 6 hops as traceroute counts them (traceroute also counts the destination)
- That is very close in network terms; e.g. the route from ns1.surfnet.nl to www.xs4all.nl has 6 hops
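The attack profile from the previous slide and the TTL reasoning above, turned into working detection logic as an added example (this is not SURFnet's filter and not code from the slides). The block builds DNS queries carrying an EDNS0 OPT record so the fields the profile rests on (query ID, QTYPE, UDP buffer size, DO bit) are visible in wire format, parses them back out, flags sources whose queries all fit the profile and reuse one query ID, and converts the observed IP TTL into a router count. Assumptions: the signed-zone list, the constructed traffic (RFC 5737 addresses), the threshold of 25 queries taken from the slide, and the set of initial TTL values (64, 128, 255) used for the hop estimate.

```python
"""Profiling amplification queries on the wire (added example, not from the slides)."""
import struct

TYPE_OPT, TYPE_ANY, CLASS_IN = 41, 255, 1
DO_FLAG = 0x8000                 # DNSSEC OK bit, in the flags half of the OPT RR's TTL field (RFC 6891)
INITIAL_TTLS = (64, 128, 255)    # assumption: initial TTLs that common operating systems use


def encode_name(name):
    """Owner name as length-prefixed labels ending in a zero byte (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(qid, qname, qtype=TYPE_ANY, bufsize=None, do=False):
    """Standard query with RD set; an OPT pseudo-RR is appended when bufsize is given."""
    arcount = 0 if bufsize is None else 1
    pkt = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    pkt += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if bufsize is not None:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
        pkt += b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, bufsize, 0, 0, DO_FLAG if do else 0, 0)
    return pkt


def decode_name(pkt, off):
    labels = []
    while pkt[off] != 0:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def parse_query(pkt):
    """Extract the fields the attack profile is built on."""
    qid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    info = {"id": qid, "qname": qname, "qtype": qtype, "edns": False, "bufsize": None, "do": None}
    for _ in range(ar):
        if pkt[off] != 0:            # only the root-named OPT pseudo-RR is interpreted here
            break
        rtype, rclass, _ext, _ver, rflags, rdlen = struct.unpack("!HHBBHH", pkt[off + 1:off + 11])
        off += 11 + rdlen
        if rtype == TYPE_OPT:
            info.update(edns=True, bufsize=rclass, do=bool(rflags & DO_FLAG))
    return info


def estimate_hops(observed_ttl):
    """Routers that decremented the TTL, assuming the sender started at the smallest
    common initial value >= the observed one. traceroute shows one hop more (the destination)."""
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl


def matches_profile(info, signed_zones, bufsize=9000):
    """ANY query for a signed zone, EDNS0 with the exotic buffer size, DO bit clear."""
    in_signed_zone = any(info["qname"].endswith(zone) for zone in signed_zones)
    return (in_signed_zone and info["qtype"] == TYPE_ANY and info["edns"]
            and info["bufsize"] == bufsize and info["do"] is False)


def flag_sources(records, signed_zones, min_queries=25):
    """records: iterable of (source IP, IP TTL on arrival, DNS payload). Returns, for each
    source whose queries all fit the profile, all reuse one query ID and number at least
    min_queries, the query count, that ID and the router-distance estimate."""
    per_src = {}
    for src, ttl, pkt in records:
        info = parse_query(pkt)
        s = per_src.setdefault(src, {"n": 0, "ids": set(), "ttls": set(), "fits": True})
        s["n"] += 1
        s["ids"].add(info["id"])
        s["ttls"].add(ttl)
        s["fits"] = s["fits"] and matches_profile(info, signed_zones)
    return {src: {"queries": s["n"], "query_id": next(iter(s["ids"])),
                  "routers": max(estimate_hops(t) for t in s["ttls"])}
            for src, s in per_src.items()
            if s["fits"] and len(s["ids"]) == 1 and s["n"] >= min_queries}


SIGNED_ZONES = ("gigaport.nl.",)     # assumption: the DNSSEC-signed zones we serve

# Constructed traffic: 25 identical ANY queries "from" the spoofed victim arriving with
# TTL 250, plus a normal validating resolver asking for an A record with DO set and
# fresh query IDs (the kind of traffic the filter must leave alone).
SAMPLE = [("203.0.113.7", 250, build_query(0x1234, "gigaport.nl.", bufsize=9000))
          for _ in range(25)]
SAMPLE += [("198.51.100.9", 57, build_query(0x4000 + i, "www.gigaport.nl.", qtype=1,
                                            bufsize=4096, do=True)) for i in range(3)]

if __name__ == "__main__":
    for src, summary in flag_sources(SAMPLE, SIGNED_ZONES).items():
        print(src, summary)
```

The filter keys on the whole combination rather than any single field: a 9000-byte buffer alone, or an ANY query alone, also occurs in legitimate traffic, while 25 queries with one fixed ID, DO clear and the exotic buffer size do not. The router estimate is only as good as the initial-TTL guess; a source with TTL 250 could in principle be 5 routers away from a 255 start or misreported, which is why the slide treats it as strong evidence rather than proof.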
Let's look at AMS-IX graphs
Let's drop a peering on AMS-IX... Bingo :-)
There's another twist to the story
- We see this attack being used against our customers
- One of our customers appeared in a list of spoofed IP addresses for this particular attack, and was the victim of a number of DDoS attacks
- The timing of the attacks was rather suggestive... always during school hours!
- Let's have a look at what the school found
What if...
- ... the external NAT IP address is changed? Will the attack follow?
- We look at the time lines, comparing attack times against the class schedule
- We ask teachers about suspicious behaviour: are there signs that the culprit is among the students?
- We use Policy-Based Routing (PBR), giving a suspected class a different external IP address
(with thanks to Graafschap College!)
Ladies & gentlemen: we got him! Time to have a sit-down with someone CENSORED
Booters
How do you stop a DDoS?
- Firewall: usually not a good solution; the traffic is already on your network, so it does not help against pipe flooding; partially effective against things like SYN flooding (rate limiting)
- Upstream on the network (SURFnet!): use a washing machine to filter traffic (more in part 2 of the lecture); block or rate limit attack traffic on core routers
- Using a DDoS Protection Service (commercial)
Prevention
- DDoS research: SURFnet works with a number of research groups to analyse traffic, to better separate attacks from real traffic
- Show that we take this seriously! Collaborate with THTC, NCSC and the public prosecution service (OM) to collect relevant evidence
- Chase down attackers in our own network
Research at DACS
- Detection of attacks, so we can better filter them
- Improving DNSSEC so it's not such a bad amplifier
- Learn how Booters work, and what their infrastructure is, so we can stop them
- Crawl the Internet for Booter websites to create blacklists
- Study and improve DDoS Protection Services
Thank you for your attention! Questions?
LinkedIn: nl.linkedin.com/in/rolandvanrijswijk
Twitter: @reseauxsansfil
roland.vanrijswijk@surfnet.nl
r.m.vanrijswijk@utwente.nl