Amplification DDoS Attacks – Defenses for Vulnerable Protocols - … · 2014-05-13 · Amplification DDoS Attacks – Defenses for Vulnerable Protocols Christian Rossow VU University

Amplification DDoS Attacks – Defenses for Vulnerable Protocols

Christian Rossow VU University Amsterdam / Ruhr-University Bochum

RIPE 68, May 2014, Warsaw

Amplifica)on DDoS A/acks

2 C.Rossow – Amplification DDoS Attacks: Defenses for Vulnerable Protocols

Victim Attacker Amplifier

Amplifica)on A/acks in Prac)ce

3

Cloudflare Blog post, March 2013

Cloudflare Blog post, February 2014

C.Rossow – Amplification DDoS Attacks: Defenses for Vulnerable Protocols

A/ack

14 Network Protocols Vulnerable to Amplifica)oon

5

‘87

’90

‘88

‘87

‘99 ‘83

‘83 ‘99

2003

2001

2002


Measuring Amplifica)on Rates (1/2)

6

}  Bandwidth AmplificaBon Factor (BAF)

UDP payload bytes at victim UDP payload bytes from attacker

}  Packet AmplificaBon Factor (PAF)

# of IP packets at victim # of IP packets from attacker



7

1 10 100 1000 10000

SNMP NTP

DNS-‐NS DNS-‐OR NetBios

SSDP CharGen

QOTD BitTorrent

Kad Quake 3 Steam ZAv2 Sality

Gameover

4670x

10x

15x


Number of Amplifiers


Defense

Let’s Play Defense

}  Defensive Countermeasures }  ATack DetecBon }  ATack Filtering }  Hardening Protocols }  etc.


Further Countermeasures

}  S.A.V.E. – Source Address VerificaBon Everywhere }  a.k.a. BCP38 }  Spoofing is the root cause for amplificaBon aTack

}  Implement proper handshakes in protocols }  Switch to TCP }  Re-‐implement such a handshake in UDP

}  Rate limiBng (with limited success)


A/ack Detec)on at the Amplifier / Vic)m


Protocol Hardening: DNS

13

}  Secure your open recursive resolvers

}  Restrict resolver access to your customers

}  See: hTp://www.team-‐cymru.org/Services/Resolvers/instrucBons.html

}  Check your network(s) at hTp://openresolverproject.org/

}  Rate-‐limit at authoritaBve name servers

}  Response Rate LimiBng (RRL) – now also in bind.

See: hTp://www.redbarn.org/dns/ratelimits


Protocol Hardening: NTP

14

}  Disable monlist at your NTP servers

}  Add to your ntp.conf: restrict default noquery

}  monlist is opBonal and not necessary for Bme sync

}  Check your network(s) at hTp://openntpproject.org/

}  Filter monlist response packets

}  UDP source port 123 with IP packet length 468

}  Only very few (non-‐killer) monlist legiBmate use cases


Conclusion

Conclusion

16

}  14+ UDP-‐based protocols are vulnerable to ampl.

} We can miBgate individual amplificaBon vectors

}  NTP: Down to 8% of vulnerable servers in 7 weeks

}  DNS: SBll 25M open resolvers – let’s close them!


Christian Rossow VU University Amsterdam / Ruhr-University Bochum

RIPE 68, May 2014, Warsaw

Amplification DDoS Attacks – Defenses for Vulnerable Protocols

More Slides

Detailed BAF and PAF per Protocol




Documents

Amplification DDoS Attacks – Defenses for Vulnerable Protocols - … · 2014-05-13 · Amplification DDoS Attacks – Defenses for Vulnerable Protocols Christian Rossow VU University