Amplification DDoS Attacks – Defenses for Vulnerable Protocols
Transcript of Amplification DDoS Attacks – Defenses for Vulnerable Protocols
Christian Rossow, VU University Amsterdam / Ruhr-University Bochum
RIPE 68, May 2014, Warsaw
Amplification DDoS Attacks
C.Rossow – Amplification DDoS Attacks: Defenses for Vulnerable Protocols
[Figure: attack setup with the labels Attacker, Amplifier and Victim]
Amplification Attacks in Practice
Cloudflare Blog post, March 2013
Cloudflare Blog post, February 2014
Attack
14 Network Protocols Vulnerable to Amplification
Network Services: DNS, SNMP, NTP, NetBios, SSDP
Legacy Protocols: CharGen, QOTD
P2P Networks: BitTorrent, Kad
Game Servers: Quake 3, Steam
Botnets: ZeroXS, Sality, Zeus
[Timeline years shown next to the protocols on the slide: ’83, ’83, ’87, ’87, ’88, ’90, ’99, ’99, 2001, 2002, 2003]
Measuring Amplification Rates (1/2)
Bandwidth Amplification Factor (BAF)
BAF = UDP payload bytes at victim / UDP payload bytes from attacker
Packet Amplification Factor (PAF)
PAF = number of IP packets at victim / number of IP packets from attacker
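The two ratios above are what a measurement scanner computes per amplifier: send one probe, capture everything that comes back, divide bytes for BAF and packet counts for PAF. The following Python is an added example, not code from the talk or from the author's scanner; the packet records, the prober address 192.0.2.10, the amplifier addresses and all sizes are constructed sample values, and the `UdpPacket` type and function names are this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    payload_len: int      # UDP payload bytes, as in the slide's BAF definition


def amplification_by_amplifier(packets, prober_ip):
    """Attribute every packet to a probe flow keyed by the amplifier's
    (ip, port) and return {amplifier: (BAF, PAF)}.
    Packets sent by prober_ip are requests; packets delivered to prober_ip
    are responses. BAF divides payload bytes, PAF divides packet counts."""
    req_bytes, req_pkts = defaultdict(int), defaultdict(int)
    resp_bytes, resp_pkts = defaultdict(int), defaultdict(int)
    for p in packets:
        if p.src == prober_ip:
            key = (p.dst, p.dport)
            req_bytes[key] += p.payload_len
            req_pkts[key] += 1
        elif p.dst == prober_ip:
            key = (p.src, p.sport)
            resp_bytes[key] += p.payload_len
            resp_pkts[key] += 1
    # Only flows we actually probed count; unsolicited traffic is ignored.
    return {k: (resp_bytes[k] / req_bytes[k], resp_pkts[k] / req_pkts[k])
            for k in req_pkts}


def top_amplifiers(rates, min_baf):
    """Amplifiers whose BAF reaches min_baf, highest BAF first."""
    return sorted((k for k, (baf, _) in rates.items() if baf >= min_baf),
                  key=lambda k: rates[k][0], reverse=True)


PROBER = "192.0.2.10"
# Constructed capture: one probe per amplifier, every value invented for the example.
CAPTURE = (
    [UdpPacket(PROBER, 40000, "198.51.100.1", 123, 8)]
    + [UdpPacket("198.51.100.1", 123, PROBER, 40000, 440)] * 100   # many reply packets
    + [UdpPacket(PROBER, 40001, "198.51.100.2", 53, 64),
       UdpPacket("198.51.100.2", 53, PROBER, 40001, 3000)]         # one large reply
    + [UdpPacket(PROBER, 40002, "198.51.100.3", 7, 64),
       UdpPacket("198.51.100.3", 7, PROBER, 40002, 64)]            # echo: no gain
    + [UdpPacket(PROBER, 40003, "198.51.100.4", 19, 64)]           # no reply at all
    + [UdpPacket("203.0.113.7", 53, PROBER, 40009, 1200)]          # unsolicited, ignored
)

if __name__ == "__main__":
    for amp, (baf, paf) in amplification_by_amplifier(CAPTURE, PROBER).items():
        print(f"{amp[0]}:{amp[1]}  BAF={baf:.1f}  PAF={paf:.1f}")
```

The first constructed flow shows why both factors matter: a single small request answered by a hundred medium-sized packets has a modest per-packet size but a very high BAF and a PAF of 100, which stresses packet-per-second capacity at the victim as much as bandwidth.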
Measuring Amplification Rates (2/2)
[Chart: bandwidth amplification factor per protocol on a logarithmic scale from 1x to 10000x. Protocols plotted: SNMP, NTP, DNS-NS, DNS-OR, NetBios, SSDP, CharGen, QOTD, BitTorrent, Kad, Quake 3, Steam, ZAv2, Sality, Gameover. Values called out on the chart: 4670x, 10x, 15x.]
Number of Amplifiers
Defense
Let’s Play Defense
Defensive countermeasures: attack detection, attack filtering, hardening protocols, etc.
Further Countermeasures
S.A.V.E. – Source Address Verification Everywhere, a.k.a. BCP38
Spoofing is the root cause of amplification attacks
Implement proper handshakes in protocols: switch to TCP, or re-implement such a handshake in UDP
Rate limiting (with limited success)
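"Re-implement such a handshake in UDP" usually means a stateless cookie exchange: a request from an address that has not yet proven it can receive packets gets only a small challenge, and the full response is sent only once that challenge is echoed back. The following Python is an added example of that design and is not code from the talk or from any real protocol: the wire format (`REQ`, `CH`, `DATA` prefixes), the 16-byte HMAC cookie, the 30-second epoch and the 4000-byte response are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed wire format for this example (not any real protocol):
#   request                : b"REQ" + 16-byte cookie (all zeros on first contact)  = 19 bytes
#   challenge (unverified) : b"CH"  + 16-byte cookie                               = 18 bytes
#   data (verified)        : b"DATA" + payload                                     = large
COOKIE_LEN = 16
REQUEST_LEN = 3 + COOKIE_LEN
EPOCH_SECONDS = 30                 # cookie lifetime; the previous epoch is still accepted
SERVER_SECRET = os.urandom(32)     # per-server key; rotate it in a real deployment


def make_cookie(client, epoch, secret):
    """Stateless cookie: HMAC over the client's address and a time epoch.
    The server stores nothing per client; it can recompute the cookie on return."""
    ip, port = client
    msg = f"{ip}:{port}:{epoch}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def handle_request(client, payload, now, secret=SERVER_SECRET):
    """One server step. `client` is the (ip, port) the datagram claims to come from."""
    epoch = int(now // EPOCH_SECONDS)
    if len(payload) != REQUEST_LEN or not payload.startswith(b"REQ"):
        return b"ERR"                              # malformed: tiny reply, no amplification
    presented = payload[3:]
    for e in (epoch, epoch - 1):
        if hmac.compare_digest(presented, make_cookie(client, e, secret)):
            return b"DATA" + bytes(4000)           # address verified: full response
    # Unverified source: answer with a challenge that is no larger than the request,
    # so a spoofed request cannot push more bytes at a third party than it cost to send.
    return b"CH" + make_cookie(client, epoch, secret)


def run_client(client, now, secret=SERVER_SECRET):
    """Legitimate client: first contact yields a challenge, echoing it yields data."""
    first = handle_request(client, b"REQ" + bytes(COOKIE_LEN), now, secret)
    assert first.startswith(b"CH")
    return handle_request(client, b"REQ" + first[2:], now, secret)


def unverified_baf(client, now, secret=SERVER_SECRET):
    """Bytes sent to an address that never proved ownership, per request byte."""
    reply = handle_request(client, b"REQ" + bytes(COOKIE_LEN), now, secret)
    return len(reply) / REQUEST_LEN


if __name__ == "__main__":
    who = ("203.0.113.5", 4000)
    print("unverified BAF:", unverified_baf(who, 1000.0))
    print("verified reply bytes:", len(run_client(who, 1000.0)))
```

The property worth checking is the last function: whatever a request claims as its source, the reply to an unverified address is 18 bytes for a 19-byte request, so the server's unauthenticated path has a BAF below 1 and is useless as an amplifier. Binding the cookie to the address and to a short epoch means a cookie obtained by a real client cannot be reused for a different address or after it has expired.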
Attack Detection at the Amplifier / Victim
Protocol Hardening: DNS
Secure your open recursive resolvers: restrict resolver access to your customers
See: http://www.team-cymru.org/Services/Resolvers/instructions.html
Check your network(s) at http://openresolverproject.org/
Rate-limit at authoritative name servers: Response Rate Limiting (RRL), now also in BIND
See: http://www.redbarn.org/dns/ratelimits
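Both DNS items above map onto a few lines of BIND configuration. The fragment below is an added example, not configuration from the talk or from the linked pages; it assumes BIND 9.9.4 or later (the first release with RRL built in), and the prefix 192.0.2.0/24 stands in for your customers' networks.

```conf
// Weak: a resolver that recurses for anyone on the Internet is an open resolver
// and can be used as a DNS amplifier.
options {
    recursion yes;
    allow-recursion { any; };
};

// Hardened resolver: recursion only for your own networks (placeholder prefix).
options {
    recursion yes;
    allow-recursion { localnets; 192.0.2.0/24; };
};

// Hardened authoritative server: no recursion at all, plus RRL so that identical
// responses to one client prefix are limited to a few per second.
options {
    recursion no;
    rate-limit {
        responses-per-second 5;
        window 5;
    };
};
```

After changing a resolver, check the network from outside with the Open Resolver Project link above rather than trusting the config alone: an ACL typo or a second, forgotten resolver shows up only in an external scan.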
Protocol Hardening: NTP
Disable monlist at your NTP servers: add to your ntp.conf: restrict default noquery
monlist is optional and not necessary for time sync
Check your network(s) at http://openntpproject.org/
Filter monlist response packets: UDP source port 123 with IP packet length 468
Only very few legitimate monlist use cases, none of them critical
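The filter rule on the slide is simple enough to apply to a packet capture and, as a side effect, to see which destination an NTP server is being used against. The following Python is an added example, not code from the talk: it implements the rule literally (UDP, source port 123, IP total length 468) over a constructed egress capture from a server at 198.51.100.1; the `IpPacket` type, the addresses and the counts are all invented for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class IpPacket:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    ip_len: int     # IP total length in bytes (header + payload)


def is_monlist_response(p):
    """Signature from the slide: UDP, source port 123, IP packet length 468."""
    return p.proto == "udp" and p.sport == 123 and p.ip_len == 468


def filter_monlist(packets):
    """Drop matching packets. Return the kept packets and, per destination,
    how many were dropped; a destination that collects many dropped packets
    is the address being flooded through this server."""
    kept, dropped_per_dst = [], Counter()
    for p in packets:
        if is_monlist_response(p):
            dropped_per_dst[p.dst] += 1
        else:
            kept.append(p)
    return kept, dropped_per_dst


def flooded_destinations(dropped_per_dst, threshold):
    """Destinations that received at least `threshold` dropped packets, busiest first."""
    return [dst for dst, n in dropped_per_dst.most_common() if n >= threshold]


SERVER = "198.51.100.1"
# Constructed egress capture from the NTP server; all addresses are documentation ranges.
EGRESS = (
    [IpPacket("udp", SERVER, 123, "203.0.113.9", 50000, 468)] * 5
    + [IpPacket("udp", SERVER, 123, "203.0.113.10", 50001, 468)]
    + [IpPacket("udp", SERVER, 123, "203.0.113.20", 123, 76),     # ordinary time reply
       IpPacket("udp", SERVER, 53, "203.0.113.21", 40000, 468),   # not from port 123
       IpPacket("tcp", SERVER, 123, "203.0.113.22", 40001, 468)]  # not UDP
)

if __name__ == "__main__":
    kept, dropped = filter_monlist(EGRESS)
    print(f"kept {len(kept)} packets, dropped {sum(dropped.values())}")
    print("flooded destinations:", flooded_destinations(dropped, 3))
```

Disabling monlist with `restrict default noquery` is the fix; the length filter is the stop-gap for servers you cannot reconfigure yet, and the per-destination counter turns the same rule into a detection signal for the victim being targeted through your server.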
Conclusion
14+ UDP-based protocols are vulnerable to amplification
We can mitigate individual amplification vectors
NTP: down to 8% of vulnerable servers in 7 weeks
DNS: still 25M open resolvers – let’s close them!
More Slides
Detailed BAF and PAF per Protocol