Post on 25-Sep-2020
Trends of DDoS and Protection Technologies
Aldar Chan, Security & Data Sciences, ASTRI, 10 Apr 2015
ASTRI Proprietary
What’s DDoS?
During a Distributed Denial of Service (DDoS) attack, compromised hosts (bots) or vigilante users from distributed sources overwhelm the target with illegitimate traffic so that the servers cannot respond to legitimate clients.
Why DDoS?
• Ideologically-motivated ‘Hacktivism’ and on-line vandalism DDoS attacks are the most commonly identified attack motivations
• Other: competitors, financial market manipulation
• Nearly 15% seeing attacks motivated by extortion, competitive rivalry or as a cover for data exfiltration. DDoS is now a part of more complex cyber attack campaigns.
Source: Arbor Networks (2014)
Who’s the Target?
How Serious?
• Reported bandwidth of DDoS attacks
– 100Gbps in 2010
– 300Gbps in 2013 (against Spamhaus and Cloudflare)
– > 300Gbps in 2014 (Hong Kong)
The Real Case in Hong Kong
“suspension in trading of seven companies with a combined market value of HK$1.5 trillion. They include HSBC, Cathay Pacific Airways and HKEx itself.”
Identified Key Trends
• Large flood-based Layer 3 DDoS attacks are the “New Normal”
– 300 Gbps (Spamhaus, 2013)
– > 300 Gbps (2014)
• Increased sophistication and complexity of application layer (Layer 7) DDoS attacks; multi-vector DDoS attacks are becoming more common
– HTTP and DNS most common application layer targets
– Growth in attacks targeting HTTPS
• Stateful Firewalls, IPS and Load-Balancer Devices continue to Fall Short on DDoS
• Data Centers Increasingly Becoming Victimized
• Advanced Persistent Threats (APT) a top concern
DDoS at Different Layers
GET and POST app layer attacks on HTTP and HTTPS (pure, Slowloris, authentication failure, …)
TCP SYN flooding, TCP ACK forging (Coremelt), …
ICMP, Smurf, Reflector (DNS, NTP, …)
Immature backoff in WLAN
Wireless jamming
Historical DDoS (1990’s)
• As early as when the Internet became public
• Targeting the TCP/IP protocol
• Two main attacks
– Smurf/ICMP attack
– TCP SYN attack
• Has laid down the key principles/conditions for launching a DDoS attack today!
Smurf/ICMP Attack
1. Attacker → gateway: ICMP Echo Req, Src: Victim addr, Dest: broadcast addr
2. Each machine generates a ping reply to the victim.
3. ICMP Echo Reply, Dest: victim addr
• Send “ping” request to broadcast address (ICMP Echo Req)
• Lots of responses:
– Every host on target network generates a ping reply (ICMP Echo Reply) to victim
– Key idea: Amplification
Prevention: reject external packets to broadcast address
TCP Handshake
Client C → Server S: SYN_C(SN_C) (Server is listening)
Server S → Client C: SYN_S(SN_S), ACK(SN_C) (Server stores data SN_C, SN_S and waits)
Client C → Server S: ACK(SN_S)
Connected
TCP SYN Flooding (Low Rate)
Single Client Machine C → Server S: SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5, … (Server’s resources held up)
• Creates many SYN packets with random, spoofed source IP addresses
• Fills up the backlog queue on Server (victim)
– Server allocates resources (new thread, connection state maintained) for each request
– Server’s resources are held up until timeout
• Resources exhausted: no further connections from legitimate users possible
Defence 1: Random Deletion
SYN queue (half-open connections):
121.17.182.45
231.202.1.16
121.100.20.14
5.17.95.155
• If SYN queue is full, delete random entry
– Legitimate connections have a chance to complete
– Fake addresses will eventually be deleted
• Easy to implement
Defence 2: Anti-spoofing SYN Cookies [Bernstein, Schenk]
• Main idea: Remove SYN state from Server until Client has returned at least 2 messages
• Server responds to Client with SYN-ACK cookie:
– T = top 5 bits of a 32-bit counter incremented every 64 seconds.
– L = F_Key(SrcAddr, SrcPort, DestAddr, DestPort, T) + SN_C
• In practice, F_Key(X) = MD5(Key || X || Key)
• Key: picked at random during boot-up
– SN_S = (T || L) (|L| = 24 bits)
– Normal TCP response but Server does not save state
• Honest Client responds with ACK(SN_S)
– Server allocates space for socket only if a valid SN_S is received.
TCP Connection Establishment with SYN Cookies
C → S: SYN_C(N_C) (S listening; does not store state)
S → C: SYN_S(N_S), ACK_C(N_C), sequence # N_S = cookie
– Compatible with standard TCP specification; simply a “weird” sequence number scheme
– Cookie must be unforgeable and tamper-proof: F_Key(source addr, source port, dest addr, dest port, coarse time)
– Client should not be able to invert a cookie
C → S: ACK_S(cookie)
– Re-compute the cookie based on the received IP header, compare it with the one received, only establish connection if they match
Used in IPSec key establishment, but only solves the spoofed address issue
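Added example (not from the slides): the cookie scheme above in working form, SN_S = T || L with L = F_Key(...) + SN_C truncated to 24 bits and F_Key(X) = MD5(Key || X || Key), plus the server-side check that recomputes the cookie from the received headers. Assumption: T is the 64-second counter taken mod 32 (Bernstein’s design), which is the 5-bit value placed at the top of SN_S; the hosts and ports in the demo are constructed.

```python
import hashlib
import os
import struct

TICK = 64          # seconds per counter increment
MAX_AGE_TICKS = 1  # accept the current tick and the previous one


def coarse_time(now):
    """T: 5-bit value of a counter incremented every 64 seconds (assumed: counter mod 32)."""
    return (int(now) // TICK) & 0x1F


def f_key(key, src_ip, src_port, dst_ip, dst_port, t):
    """F_Key(SrcAddr, SrcPort, DestAddr, DestPort, T) = MD5(Key || X || Key), truncated to 24 bits."""
    x = struct.pack("!4sH4sHB", src_ip, src_port, dst_ip, dst_port, t)
    return int.from_bytes(hashlib.md5(key + x + key).digest()[:3], "big")


def make_cookie(key, src_ip, src_port, dst_ip, dst_port, sn_c, now):
    """Server's SYN-ACK sequence number SN_S = T || L; nothing about the SYN is stored."""
    t = coarse_time(now)
    l = (f_key(key, src_ip, src_port, dst_ip, dst_port, t) + sn_c) & 0xFFFFFF
    return (t << 24) | l


def check_cookie(key, src_ip, src_port, dst_ip, dst_port, client_seq, ack, now):
    """Verify the client's final ACK. The ACK acknowledges SN_S + 1 and carries
    seq = SN_C + 1, so both halves of the cookie are recomputed from the received
    headers alone. True only if the recomputed L matches and T is recent, i.e. the
    source address really received the SYN-ACK (a spoofer could not have)."""
    sn_s = (ack - 1) & 0xFFFFFFFF
    sn_c = (client_seq - 1) & 0xFFFFFFFF
    t, l = sn_s >> 24, sn_s & 0xFFFFFF
    if t >> 5:
        return False      # more than 5 bits of T: not one of our cookies
    if (coarse_time(now) - t) % 32 > MAX_AGE_TICKS:
        return False      # stale cookie: SYN-ACK was sent too long ago
    expected = (f_key(key, src_ip, src_port, dst_ip, dst_port, t) + sn_c) & 0xFFFFFF
    return expected == l


if __name__ == "__main__":
    key = os.urandom(16)                                   # picked at random at boot-up
    c, s = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10])    # constructed client/server
    sn_c, now = 0x12345678, 1_700_000_000.0
    sn_s = make_cookie(key, c, 40000, s, 80, sn_c, now)
    print(check_cookie(key, c, 40000, s, 80, sn_c + 1, sn_s + 1, now + 10))   # genuine ACK
    print(check_cookie(key, c, 40000, s, 80, sn_c + 1, sn_s + 1, now + 500))  # too old
```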
Core Principles behind DDoS
• No way for the victim to distinguish between legitimate and malicious requests.
• For each request, the attacker does a little, the victim does a lot more.
• The attacker gets helpers to amplify the attack traffic.
• The attacker uses “open connection” to eat up the victim’s resources.
Other Attacks beyond these Principles
• Example:
– TCP Reset attack
– Forged TCP ACK attack (2005), Coremelt attack (2009)
• Less common since requiring more technical know-how to launch
• TCP Reset attack is still commonly used
– To target the infrastructure with long-lived connections, example, BGP.
– By some governments for content filtering
DDoS Attacks Today
TCP SYN Flooding (High Rate)
Get helpers!
Attacker → Master machines (C&C) → Zombie machines → Victim (TCP SYN packets)
DDoS and Gaming
• Paid tools to kick Halo 3 players off the Xbox Live network using DDoS
– Need some tricks to discover victim’s IP address
• Botnets for rent
– $2 per bot
– Takes 40-60 bots to boot a player
• Video tutorials on YouTube
TCP SYN Flooding (High Rate)
• Build or rent a botnet of zombies
• Multi-layered architecture: attacker uses some of the zombies as “masters” (Command & Control centres) to control other zombies
• Command zombies to stage a coordinated attack on the victim
– Could be L7 request, but L4 request is more direct
– E.g. BetCris.com 2003: 20,000 bots generated 2Gbps of SYN packets
• No need to spoof source IP addresses of attack packets
• Even in the case of SYN flood, SYN cookies don’t help
• Overwhelm victim with traffic arriving from thousands of different sources
• No (real) systematic solution
Victim’s View of botnet-based DDoS
Diagram: attack nodes spread across many ISPs send traffic over the Internet Backbone and through the victim’s ISP to the Victim.
A classic SYN flood example using botnets
• MS Blaster worm (2003)
– Infected machines at noon on Aug 16th, 2003:
• SYN flood on port 80 to windowsupdate.com
• 50 SYN packets every second.
• each packet is 40 bytes.
• Spoofed source IP: w.x.Y.Z where Y, Z are random.
• MS solution:
– new name: windowsupdate.microsoft.com
– Windows update file delivered by Akamai
The Estonian Attack (2007)
• Apr/May 2007: DDoS attacks on Estonia after government relocated Soviet-era war monument
– Lasted for two weeks
– 130 distinct ICMP and SYN floods originating from Russian IP addresses, 70-95 Mbps over 10 hrs
– Do-it-yourself flood scripts distributed by Russian websites, also some evidence of botnet participation
– Victims: two largest banks, government ministries, etc.
• Solution
– Found all attack traffic was coming from outside of Estonia
– Therefore ISPs blocked all foreign traffic until attacks stopped
– Limitations?
Typical Mitigation Efforts
• Firewall
– Only allow packets from known hosts
– Ingress/egress filtering
– Check for reverse path: block packets from IP address X if there is no reverse connection going out to address X
– Limit rate of ICMP packets and/or SYN packets
– Protect server, not ISP
• IP Traceback
– Find source of attack, used to shut down attack
– Sometimes possible to find the culprit, but usually hard
– Source IP addresses in packets are not reliable, need to examine traffic at many points, modify traffic, or modify routers
• Overlay techniques
– Preserve service to authenticated clients
Prolexic/Verisign
• Basic idea is to only forward established TCP connections to site
• Key principle: over-provisioning to pre-screen
• DDoS mitigation as a service: share resources among victims to gain statistical multiplexing
Diagram: Lots-of-SYNs → Prolexic proxy → Lots-of-SYN/ACKs; Few ACKs → Forward to site (Website)
Attack Types
Attack Packet            Victim Response          Rate: attk/day [ATLAS 2013]
TCP SYN to open port     TCP SYN/ACK              773
TCP SYN to closed port   TCP RST
TCP ACK or TCP DATA      TCP RST
TCP RST                  No response
TCP NULL                 TCP RST
ICMP ECHO Request        ICMP ECHO Response       50
UDP to closed port       ICMP Port unreachable    387
Stronger Attacks: TCP Connection Flood
• Attacker commands bot army to:
– complete TCP connection to the victim web site
– send short HTTP HEAD request
– Repeat
• This attack will bypass SYN flood protection proxy
• Basis of some L7 attacks
• BUT
– Attacker can no longer use random source IP addresses.
• Reveals the locations of bot zombies
– Proxy can now block or rate-limit bots.
Layer 7 Attacks
• Make use of the characteristics, features and implementations of the HTTP protocol, or
• Highly dependent on the applications (mostly web-based)
• Key principle: attacker does little and victim does a lot
Source: Arbor Networks
HTTP Protocol
Rationale: attack using a small request message to request a large response message. But this is not necessarily true. A large request message could be more destructive in some cases!
HTTP GET attack
• Has to survey the web applications before launching the attack
– If vulnerabilities found in implementation, exploit it
– If no vulnerability found, use primitive methods
• Keep sending HTTP GET for large-sized items
• Put Cache-Control to “no-cache”
• Lots of variations, e.g. combined with SQL injection attack (for poorly written applications)
• In applications with search function:
site.com/?s=keyword1
site.com/?s=keyword2
site.com/?s=keyword3
CAPTCHA
• To ensure the search or GET is not initiated by a bot
Slowloris and POST variants
• A GET/POST request includes a message body in addition to a URL to specify information for the action being performed.
• The field “Content-Length” in the HTTP header tells the web server how large the message body is.
• Attacker sends a complete HTTP Header portion in full to the web server, thus bypassing server’s check
• Then the message body is sent at, say, 1 byte per 2 minutes
• The web server will obey the “Content-Length” field to wait for the remaining message body to be received.
• Very similar to TCP SYN but at Layer 7: based on open connection.
• If HTTP POST is used, the impact is far more devastating.
– Common uses of HTTP POST requests: login, uploading photos/videos, sending webmails with attachments ….
• Can randomize size, character sets and time intervals to foil recognition at Layer 7 defence mechanisms
• Difficult to differentiate from legitimate connections which are slow
• Mitigation: limiting size of message body, timeout, …
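Added example (not from the slides): a server-side guard that applies the two mitigations listed above, a cap on the declared message body size and timeouts on body delivery (idle timeout plus a minimum-rate check after a grace period, so a body trickling in at 1 byte per 2 minutes is closed while a slow but genuine upload is not). The thresholds, connection ids and traffic in demo() are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class BodyProgress:
    content_length: int   # declared Content-Length
    started_at: float     # time the complete header block arrived
    last_byte_at: float   # time of the most recent body byte
    received: int = 0


class SlowBodyGuard:
    def __init__(self, max_body=1_000_000, idle_timeout=30.0, min_rate=50.0, grace=10.0):
        self.max_body = max_body          # reject bodies declared larger than this
        self.idle_timeout = idle_timeout  # seconds without body bytes before closing
        self.min_rate = min_rate          # bytes/s required once the grace period passed
        self.grace = grace                # seconds before the rate check applies
        self.conns = {}

    def on_headers(self, conn_id, content_length, now):
        """Called once the full header block (incl. Content-Length) is in."""
        if content_length > self.max_body:
            return "reject"               # 413-style refusal, no state kept at all
        self.conns[conn_id] = BodyProgress(content_length, now, now)
        return "accept"

    def on_body_bytes(self, conn_id, n, now):
        st = self.conns[conn_id]
        st.received += n
        st.last_byte_at = now
        if st.received >= st.content_length:
            del self.conns[conn_id]
            return "complete"
        return "ok"

    def sweep(self, now):
        """Return ids of connections to close: idle too long, or too slow after grace."""
        to_close = []
        for cid, st in self.conns.items():
            idle = now - st.last_byte_at
            elapsed = now - st.started_at
            rate = st.received / elapsed if elapsed > 0 else float("inf")
            if idle > self.idle_timeout or (elapsed > self.grace and rate < self.min_rate):
                to_close.append(cid)
        for cid in to_close:
            del self.conns[cid]
        return to_close


def demo():
    """Constructed traffic: one normal 4 kB upload, one Slowloris-style POST, one oversized body."""
    g = SlowBodyGuard()
    g.on_headers("legit", 4000, 0.0)
    g.on_headers("slow", 4000, 0.0)
    last = None
    for t in range(1, 5):                       # legit: 1000 B/s, done at t = 4
        last = g.on_body_bytes("legit", 1000, float(t))
    g.on_body_bytes("slow", 1, 1.0)             # slow: a single byte, then silence
    closed = g.sweep(12.0)                      # 1 B in 12 s is far below min_rate
    return last, closed, g.on_headers("huge", 5_000_000, 12.0)


if __name__ == "__main__":
    print(demo())   # ('complete', ['slow'], 'reject')
```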
Reflector Attack (the New Smurf)
x206 amplification
DoS Source → NTP (Network Time Protocol) server: “Give me the addresses of the last 600 machines you talked to” (234 bytes), spoofed SrcIP: DoS target
NTP server → DoS Target: 600 addresses (49,000 bytes)
December 2013 – February 2014: 400 Gbps DDoS attacks involving 4,529 NTP servers
7 million unsecured NTP servers on the Internet (Arbor)
Attack Amplification
Diagram:
Controlling Machine (x1): 10 Mbps
→ Bots – Compromised Trigger Machines (x10): 1 Gbps
→ Amplifiers (AMP) (x100; x10 for DNS)
→ Victim: 1 Tbps
Attack Amplification
• DNS multiplier is 8x (Request: 64B; Response: 512B)
• EDNS multiplier is 53x (Request: 64B; Response: 3,364B)
• SNMP multiplier is 650x (Request: 100B; Response: 65kB)
Spamhaus DDoS
• 1 attacker’s laptop to control
– 10 compromised servers, on
– 3 networks that allowed spoofing, of
– 9 Gbps DNS request to
– 0.1% of open resolvers resulted in
• 300 Gbps+ of DDoS attack traffic
What Makes L3 DDoS Easy?
• DDoS can be launched in multiple layers, but high bandwidth attacks are at layer 3
• Three components to make L3 attacks easy
– Shoot-and-run protocols
• Anything based on UDP
• DNS (request: 64B; response: 512B), NTP are good choices
– No source IP authentication
– Internet Amplifiers
• Open DNS resolvers (one querying to multitudes)
>20% spoofable addresses
32 million open resolvers
Potential Mitigation
• Close Open DNS Recursors
– But, attackers could find other network services.
– The NTP attack is one example.
– After all, openness is the inherent rationale of the Internet.
• Stop IP Spoofing
– For example, implement BCP38 (IETF RFC 2827, since year 2000) and BCP84 (IETF RFC 2704)
– Lack of incentive. “Others’ problem is not my problem!”
Difficulty for Defence
Diagram: 10 Gbps of traffic, mostly legitimate, enters the Network Fabric; the last-mile link to the DDoS victim is 1 Gbps, so legitimate traffic is mostly dropped. Ossified fabric: not adaptable even to static attacks.
Purely victim-side defence is not a choice since, if the last mile link is jammed, the victim may only be able to recover 1% of legitimate traffic.
New Attacks, Old Principles
• No way for the victim to distinguish between legitimate and malicious requests.
• For each request, the attacker does a little, the victim does a lot more.
– Botnet DDoS, HTTP GET/POST
• The attacker gets helpers to amplify the attack traffic.
– Reflector DDoS
• The attacker uses “open connection” to eat up victim’s resources.
– Slowloris
Prolexic (Hidden IP address + Scrubbing)
• DNS resolver replies with different IP address for www.victim.com
• All traffic to www.victim.com is sent in anycast to the scrubbing centres
• Several traffic scrubbing centres forward cleansed traffic to www.victim.com (hidden IP address)
Defence against the DNS Amplification Attack using SDN (Software Defined Networks)
Diagram: many DNS Resolvers answer DNS requests with spoofed IP address, sending the responses toward the DDoS victim (IP = yy.yy.yy.yy).
1. Victim reports DNS attack to the Agile DDoS Protection controller: use IP = xx.xx.xx.xx only.
2. Designated DNS Resolver (IP = xx.xx.xx.xx).
Controller installs rule: Drop traffic to and from IP = yy.yy.yy.yy and UDP_port = 53, except … (the designated resolver)
Normal DNS traffic unaffected…
Software Defined Networks
• The main initiative of the so-called “Clean-Slate” Internet architecture
– Advocated by Nick McKeown, Jennifer Rexford, et al.
– The idea/concept came much earlier, in the 2000’s, from David Clark
– SDN is just one instantiation
• Ossification of the Internet
– Everything adapts to the TCP/IP
– A complex distributed system
– Even simple tasks could lead to instability or oscillation
SDN Idea: An OS for Networks
Diagram: today’s network is many closed boxes, each with its own Operating System and Apps on top of Specialized Packet Forwarding Hardware.
Diagram: Control Programs run on a Network Operating System that sits above the Specialized Packet Forwarding Hardware of every box.
Diagram: with the Network Operating System in place, the boxes reduce to Simple Packet Forwarding Hardware.
Source: OpenFlow/SDN tutorial, Srini Seetharaman, Deutsche Telekom, Silicon Valley Innovation Center
• Software Defined Networking
Diagram: Control Programs work on a Global Network View provided by the Network Operating System, which controls the forwarding hardware via a forwarding interface, replacing the per-box protocols.
Source: The Future of Networking, and the Past of Protocols, Scott Shenker, with Martin Casado, Teemu Koponen, Nick McKeown
OpenFlow
Diagram: a conventional switch has a Control Path (Software) above a Data Path (Hardware). With OpenFlow, an OpenFlow Controller speaks the OpenFlow Protocol (SSL/TCP) to the OpenFlow agent in each switch’s Control Path, which programs the Data Path (Hardware).
OpenFlow Switching
Diagram: a PC runs the Controller; the switch’s Software Layer runs the OpenFlow Client; the Hardware Layer holds the OpenFlow Table with columns MAC src, MAC dst, IP Src, IP Dst, TCP sport, TCP dport, Action. Example entry: * * 5.6.7.8 * * * → port 1 (switch ports 1–4; hosts 1.2.3.4 and 5.6.7.8).
Source: The Stanford Clean Slate Program, http://cleanslate.stanford.edu
OpenFlow Table Entry
Rule | Action | Stats
Rule: Switch Port, MAC src, MAC dst, Eth type, VLAN ID, IP Src, IP Dst, IP Prot, TCP sport, TCP dport (+ mask)
Action:
1. Forward packet to port(s)
2. Encapsulate and forward to controller
3. Drop packet
4. Send to normal processing pipeline
5. …
Stats: Packet + byte counters
Source: The Stanford Clean Slate Program, http://cleanslate.stanford.edu
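Added example (not from the slides or any controller’s code) serving both the SDN defence against DNS amplification and the OpenFlow table entry above: a small model of a flow table (rule with wildcards, action, packet/byte stats, priority ordering) loaded with the rules a controller would push after the victim’s report, i.e. keep UDP/53 between the victim and its designated resolver, drop every other UDP/53 flow to or from the victim, and leave all other traffic on the normal pipeline. The slide’s xx.xx.xx.xx and yy.yy.yy.yy placeholders are stood in for by constructed documentation-range addresses.

```python
from dataclasses import dataclass
from typing import Optional

VICTIM = "203.0.113.10"                 # constructed; stands in for yy.yy.yy.yy
DESIGNATED_RESOLVER = "198.51.100.53"   # constructed; stands in for xx.xx.xx.xx
UDP, TCP = 17, 6


@dataclass(frozen=True)
class Packet:
    ip_src: str
    ip_dst: str
    ip_proto: int
    sport: int
    dport: int


@dataclass
class FlowEntry:
    priority: int
    action: str                      # "normal", "drop", "controller", "forward:<port>"
    ip_src: Optional[str] = None     # None = wildcard (the "+ mask" of the rule)
    ip_dst: Optional[str] = None
    ip_proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    packets: int = 0                 # Stats: packet + byte counters
    bytes: int = 0

    def matches(self, p):
        fields = ((self.ip_src, p.ip_src), (self.ip_dst, p.ip_dst), (self.ip_proto, p.ip_proto),
                  (self.sport, p.sport), (self.dport, p.dport))
        return all(want is None or want == got for want, got in fields)


class FlowTable:
    def __init__(self):
        self.entries = []

    def add(self, entry):
        self.entries.append(entry)
        self.entries.sort(key=lambda e: -e.priority)   # highest priority matched first

    def apply(self, p, size=64):
        for e in self.entries:
            if e.matches(p):
                e.packets += 1
                e.bytes += size
                return e.action
        return "controller"   # table miss: encapsulate and forward to controller


def dns_attack_rules(victim, resolver):
    """Rules installed after the victim reports a DNS attack and names its resolver."""
    return [
        FlowEntry(300, "normal", ip_src=resolver, ip_dst=victim, ip_proto=UDP, sport=53),
        FlowEntry(300, "normal", ip_src=victim, ip_dst=resolver, ip_proto=UDP, dport=53),
        FlowEntry(200, "drop", ip_dst=victim, ip_proto=UDP, sport=53),   # reflected answers
        FlowEntry(200, "drop", ip_src=victim, ip_proto=UDP, dport=53),   # queries elsewhere
        FlowEntry(0, "normal"),                                          # everything else
    ]


def build_table(victim=VICTIM, resolver=DESIGNATED_RESOLVER):
    table = FlowTable()
    for entry in dns_attack_rules(victim, resolver):
        table.add(entry)
    return table
```

Five entries suffice here, which is why the slide’s caveat about TCAM limits on the rule set matters: per-resolver drop rules would not scale, while matching on the victim address and port does.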
SDN for DDoS
• Open programmable Networks and APIs
• A complete view and centralized control
• Fine grained definition of traffic
– for monitoring, and
– traffic management
• However,
1) TCAM memory set limit on the rule set
2) The Openflow controller could become the attack target to launch another type of DDoS
Diagram: Enterprise apps (Security, load balancing, etc. services) → APIs → Software-Defined Network (SDN) Platform, e.g. Openflow (open protocols with enablement for proprietary extensions) → Physical Network
Take-Home Message
• Although seemingly new and advanced DDoS attacks keep appearing, the core principles behind them do not seem very different from those of the early attacks.
• Sophistication of L7 attacks lies in the vast combination of attack vectors.
• High volume attacks are mainly L3.
• Predictions:
– IoT devices will be used in DDoS, mainly L4 TCP SYN and L7 (bogus authentication message)
– SSO (Single Sign On) system is the new target
• SDN gives some hope to the problem, but has its limitations like the constraints on ruleset size.
End of Presentation
Thank you. Questions are welcome.
Our corporate website: www.astri.org