Amplification DDoS Attacks – Defenses for Vulnerable Protocols
Christian Rossow VU University Amsterdam / Ruhr-University Bochum
RIPE 68, May 2014, Warsaw
Amplification DDoS Attacks
C.Rossow – Amplification DDoS Attacks: Defenses for Vulnerable Protocols
Figure: the three parties in an amplification attack: Attacker, Amplifier, Victim
Amplification Attacks in Practice
Cloudflare Blog post, March 2013
Cloudflare Blog post, February 2014
Attack
14 Network Protocols Vulnerable to Amplification
Figure: timeline of the vulnerable protocols, spanning 1983 to 2003
Measuring Amplification Rates (1/2)
- Bandwidth Amplification Factor (BAF) = UDP payload bytes at victim / UDP payload bytes from attacker
- Packet Amplification Factor (PAF) = # of IP packets at victim / # of IP packets from attacker
Measuring Amplification Rates (2/2)
Figure: amplification factor per protocol on a log scale (1 to 10000). Protocols shown: SNMP, NTP, DNS-NS, DNS-OR, NetBios, SSDP, CharGen, QOTD, BitTorrent, Kad, Quake 3, Steam, ZAv2, Sality, Gameover. Labelled values: 4670x, 15x, 10x.
Number of Amplifiers
Defense
Let's Play Defense
- Defensive Countermeasures
- Attack Detection
- Attack Filtering
- Hardening Protocols
- etc.
Further Countermeasures
- S.A.V.E. – Source Address Verification Everywhere
  - a.k.a. BCP38
  - Spoofing is the root cause for amplification attacks
- Implement proper handshakes in protocols
  - Switch to TCP
  - Re-implement such a handshake in UDP
- Rate limiting (with limited success)
Attack Detection at the Amplifier / Victim
Protocol Hardening: DNS
- Secure your open recursive resolvers
  - Restrict resolver access to your customers
  - See: http://www.team-cymru.org/Services/Resolvers/instructions.html
  - Check your network(s) at http://openresolverproject.org/
- Rate-limit at authoritative name servers
  - Response Rate Limiting (RRL) – now also in bind.
    See: http://www.redbarn.org/dns/ratelimits
Protocol Hardening: NTP
- Disable monlist at your NTP servers
  - Add to your ntp.conf: restrict default noquery
  - monlist is optional and not necessary for time sync
  - Check your network(s) at http://openntpproject.org/
- Filter monlist response packets
  - UDP source port 123 with IP packet length 468
  - Only very few (non-killer) legitimate monlist use cases
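Added example (not from the slides): it computes the BAF and PAF exactly as the "Measuring Amplification Rates (1/2)" slide defines them from a constructed set of packet records, and flags NTP monlist responses by the signature given above (UDP source port 123, IP length 468). The addresses, packet sizes and the Pkt record type are assumptions made for the example.

```python
"""Added example: BAF/PAF from packet records plus the monlist response filter."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Minimal packet record, as a flow exporter or pcap parser might yield it."""
    src: str          # IP source address (may be spoofed)
    dst: str          # IP destination address
    sport: int        # UDP source port
    dport: int        # UDP destination port
    ip_len: int       # total IP packet length in bytes
    udp_payload: int  # UDP payload length in bytes


# Constructed sample addresses (documentation ranges, not real hosts).
ATTACKER, AMPLIFIER, VICTIM = "198.51.100.7", "203.0.113.10", "192.0.2.5"

# Constructed traffic: one 50-byte monlist query carrying the victim's spoofed
# source address, answered by 100 responses of 468 bytes (440 bytes of payload).
SAMPLE = [Pkt(VICTIM, AMPLIFIER, 4000, 123, 78, 50)] + [
    Pkt(AMPLIFIER, VICTIM, 123, 4000, 468, 440) for _ in range(100)
]


def amplification_factors(packets, amplifier, victim):
    """Return (BAF, PAF) per the slide definitions, or None without requests.

    BAF = UDP payload bytes at victim / UDP payload bytes from attacker
    PAF = IP packets at victim / IP packets from attacker
    Packets 'from the attacker' are those arriving at the amplifier, whatever
    source address they claim, because that address is spoofed.
    """
    requests = [p for p in packets if p.dst == amplifier]
    responses = [p for p in packets if p.src == amplifier and p.dst == victim]
    request_bytes = sum(p.udp_payload for p in requests)
    if not requests or request_bytes == 0:
        return None
    baf = sum(p.udp_payload for p in responses) / request_bytes
    paf = len(responses) / len(requests)
    return baf, paf


def is_monlist_response(p):
    """Filter signature from the NTP slide: UDP source port 123, IP length 468."""
    return p.sport == 123 and p.ip_len == 468


def flagged_packets(packets):
    """Packets a border filter would drop under the monlist response rule."""
    return [p for p in packets if is_monlist_response(p)]
```

On the constructed sample this yields a BAF of 880 and a PAF of 100; the one legitimate-looking query is not flagged, the 100 responses are.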
Conclusion
- 14+ UDP-based protocols are vulnerable to amplification
- We can mitigate individual amplification vectors
  - NTP: down to 8% of vulnerable servers in 7 weeks
  - DNS: still 25M open resolvers – let's close them!
More Slides
Detailed BAF and PAF per Protocol