
Page 1: Trends of DDoS and Protection Technologies
(source: en.hkie.org.hk/Upload/Doc/de81f091-f87a-456b-b5e8-6e3d3a171685...)

Trends of DDoS and Protection Technologies

Aldar Chan
Security & Data Sciences
ASTRI
10 Apr, 2015

ASTRI Proprietary

Page 2: What’s DDoS?

Page 3: What’s DDoS?

During a Distributed Denial of Service (DDoS) attack, compromised hosts (bots) or vigilante users from distributed sources overwhelm the target with illegitimate traffic so that the servers cannot respond to legitimate clients.

Page 4: Why DDoS?

• Ideologically-motivated ‘Hacktivism’ and on-line vandalism DDoS attacks are the most commonly identified attack motivations
• Other: competitors, financial market manipulation
• Nearly 15% seeing attacks motivated by extortion, competitive rivalry or as a cover for data exfiltration. DDoS is now a part of more complex cyber attack campaigns.

Source: Arbor Networks (2014)

Page 5: Who’s the Target?

Page 6: How Serious?

• Reported bandwidth of DDoS attacks
– 100 Gbps in 2010
– 300 Gbps in 2013 (against Spamhaus and Cloudflare)
– > 300 Gbps in 2014 (Hong Kong)

Page 7: The Real Case in Hong Kong

“suspension in trading of seven companies with a combined market value of HK$1.5 trillion. They include HSBC, Cathay Pacific Airways and HKEx itself.”

Page 8: Identified Key Trends

• Large flood-based Layer 3 DDoS attacks are the “New Normal”
– 300 Gbps (Spamhaus, 2013)
– > 300 Gbps (2014)
• Increased sophistication and complexity of application layer (Layer 7) DDoS attacks, and multi-vector DDoS attacks are becoming more common
– HTTP and DNS most common application layer targets
– Growth in attacks targeting HTTPS
• Stateful firewalls, IPS and load-balancer devices continue to fall short on DDoS
• Data centers increasingly becoming victimized
• Advanced Persistent Threats (APT) a top concern

Page 9: DDoS at Different Layers

From the application layer down to the physical layer:

• Application: GET and POST app layer attacks on HTTP and HTTPS (pure, Slowloris, authentication failure, …)
• Transport: TCP SYN flooding, TCP ACK forging (Coremelt), …
• Network: ICMP, Smurf, Reflector (DNS, NTP, …)
• Link: Immature backoff in WLAN
• Physical: Wireless jamming

Page 10: Historical DDoS (1990’s)

• As early as when the Internet became public
• Targeting the TCP/IP protocol
• Two main attacks
– Smurf/ICMP attack
– TCP SYN attack
• Has laid down the key principles/conditions for launching a DDoS attack today!

Page 11: Smurf/ICMP Attack

[Diagram: Attacker → gateway → Victim.
1. ICMP Echo Req, Src: Victim addr, Dest: broadcast addr
2. Each machine generates a ping reply to the victim.
3. ICMP Echo Reply, Dest: victim addr]

• Send “ping” request to broadcast address (ICMP Echo Req)
• Lots of responses:
– Every host on target network generates a ping reply (ICMP Echo Reply) to victim
– Key idea: Amplification

Prevention: reject external packets to broadcast address

Page 12: TCP Handshake

[Diagram: Client C and Server S.
C → S: SYN_C(SN_C)                 (S: Listening)
S → C: SYN_S(SN_S), ACK(SN_C)      (S: store data SN_C, SN_S)
C → S: ACK(SN_S)                   (S: Wait)
Connected]

Page 13: TCP SYN Flooding (Low Rate)

[Diagram: a single client C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5, … to server S; resources held up on S.]

Single Client Machine:
• Creates many SYN packets with random, spoofed source IP addresses
• Fills up the backlog queue on Server (victim)
– Server allocates resources (new thread, connection state maintained) for each request
– Server’s resources are held up until timeout
• Resources exhausted
– No further connections from legitimate users possible

Page 14: Defence 1: Random Deletion

[Diagram: SYN queue of half-open connections: 121.17.182.45, 231.202.1.16, 121.100.20.14, 5.17.95.155.]

• If SYN queue is full, delete random entry
– Legitimate connections have a chance to complete
– Fake addresses will be eventually deleted
• Easy to implement

Page 15: Defence 2: Anti-spoofing SYN Cookies [Bernstein, Schenk]

• Main idea: Remove SYN state from Server until Client has returned at least 2 messages
• Server responds to Client with SYN-ACK cookie:
– T = top 5 bits of a 32-bit counter incremented every 64 seconds.
– L = F_Key(SrcAddr, SrcPort, DestAddr, DestPort, T) + SN_C
• In practice, F_Key(X) = MD5(Key || X || Key)
• Key: picked at random during boot-up
– SN_S = (T || L)  (|L| = 24 bits)
– Normal TCP response but Server does not save state
• Honest Client responds with ACK(SN_S)
– Server allocates space for socket only if a valid SN_S is received.

Page 16: TCP Connection Establishment with SYN Cookies

[Diagram: Client C and Server S.
C → S: SYN_C(N_C)                          (S: Listening… does not store state)
S → C: SYN_S(N_S), ACK_C(N_C)              sequence # N_S = cookie = F_Key(source addr, source port, dest addr, dest port, coarse time)
C → S: ACK_S(cookie)                       (S: re-compute the cookie based on the received IP header, compare it with the one received, only establish connection if they match)]

Compatible with standard TCP specification; simply a “weird” sequence number scheme.

Cookie must be unforgeable and tamper-proof: Client should not be able to invert a cookie.

Used in IPSec key establishment, but only solves the spoofed address issue.
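The cookie recipe of pages 15 and 16, worked through as an added example (this is not code from the presentation or from ASTRI): a server-side generate/verify pair that follows the slide's construction, with T in the top 5 bits, L = F_Key(4-tuple, T) + SN_C truncated to 24 bits, and F_Key(X) = MD5(Key || X || Key) under a key chosen at boot. Reading "T" as the 64-second counter reduced modulo 32, leaving the three bits between T and L zero (Bernstein's scheme stores an MSS index there), and the one-slot age tolerance are my assumptions about the slide's notation; the key, addresses and clock values are constructed.

```python
import hashlib
import hmac

SLOT_SECONDS = 64            # the counter ticks once every 64 seconds (page 15)
T_BITS, L_BITS = 5, 24       # SN_S = (T || L), |L| = 24 bits; T occupies the top 5 bits
T_MASK = (1 << T_BITS) - 1
L_MASK = (1 << L_BITS) - 1


def counter_t(now: float) -> int:
    """T: the 64-second counter reduced to 5 bits (assumption: counter mod 32)."""
    return (int(now) // SLOT_SECONDS) & T_MASK


def f_key(key: bytes, src_addr: str, src_port: int,
          dst_addr: str, dst_port: int, t: int) -> int:
    """F_Key(X) = MD5(Key || X || Key), truncated to 24 bits (page 15)."""
    x = f"{src_addr}|{src_port}|{dst_addr}|{dst_port}|{t}".encode()
    digest = hashlib.md5(key + x + key).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(key: bytes, src_addr: str, src_port: int,
                    dst_addr: str, dst_port: int, sn_c: int, now: float) -> int:
    """Server side: the SN_S placed in the SYN-ACK. Nothing is stored for this SYN."""
    t = counter_t(now)
    l = (f_key(key, src_addr, src_port, dst_addr, dst_port, t) + sn_c) & L_MASK
    return (t << 27) | l     # bits 26..24 are left zero here (assumption)


def check_syn_cookie(key: bytes, src_addr: str, src_port: int,
                     dst_addr: str, dst_port: int,
                     ack_seq: int, ack_ack: int, now: float,
                     max_age_slots: int = 1) -> bool:
    """Server side, on the final ACK: recompute from the packet header and compare.
    Only a match allocates the socket; everything else is dropped statelessly."""
    sn_s = (ack_ack - 1) & 0xFFFFFFFF   # the client acknowledges SN_S + 1
    sn_c = (ack_seq - 1) & 0xFFFFFFFF   # the client's own SYN number, advanced by one
    t = sn_s >> 27
    l = sn_s & L_MASK
    age = (counter_t(now) - t) & T_MASK
    if age > max_age_slots:             # the counter has moved on: cookie too old
        return False
    expected = (f_key(key, src_addr, src_port, dst_addr, dst_port, t) + sn_c) & L_MASK
    return hmac.compare_digest(expected.to_bytes(3, "big"), l.to_bytes(3, "big"))


BOOT_KEY = b"constructed-random-key-from-boot"   # constructed; a real server draws it at boot


def demo():
    """Constructed handshake: an honest completion, a replay from another address, a stale ACK."""
    now = 1_000_000.0
    client, server = ("203.0.113.5", 40000), ("198.51.100.1", 80)
    sn_c = 0x12345678
    # SYN arrives; the server answers with the cookie as SN_S and forgets the SYN
    cookie = make_syn_cookie(BOOT_KEY, *client, *server, sn_c, now)
    # the honest client completes the handshake a few seconds later
    honest = check_syn_cookie(BOOT_KEY, *client, *server, sn_c + 1, cookie + 1, now + 5)
    # the same ACK numbers sent from a different address: the 4-tuple no longer matches
    replay = check_syn_cookie(BOOT_KEY, "192.0.2.9", 40000, *server,
                              sn_c + 1, cookie + 1, now + 5)
    # the honest ACK arriving five slots (320 s) late: rejected on age alone
    stale = check_syn_cookie(BOOT_KEY, *client, *server, sn_c + 1, cookie + 1,
                             now + 5 * SLOT_SECONDS)
    return honest, replay, stale


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Because the server keeps no per-SYN state, the flood on page 13 costs it one hash per SYN and nothing else; the price is that TCP options carried in the forgotten SYN are lost, which is why real implementations only switch to cookies once the backlog is full.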

Page 17: Core Principles behind DDoS

• No way for the victim to distinguish between legitimate and malicious requests.
• For each request, the attacker does a little, the victim does a lot more.
• The attacker gets helpers to amplify the attack traffic.
• The attacker uses “open connection” to eat up the victim’s resources.

Page 18: Other Attacks beyond these Principles

• Example:
– TCP Reset attack
– Forged TCP ACK attack (2005), Coremelt attack (2009)
• Less common since requiring more technical know-how to launch
• TCP Reset attack is still commonly used
– To target the infrastructure with long-lived connections, for example BGP.
– By some governments for content filtering

Page 19: DDoS Attacks Today

Page 20: TCP SYN Flooding (High Rate)

[Diagram: Attacker → Master machines (C&C) → Zombie machines → TCP SYN packets → Victim. “Get helpers!”]

Page 21: DDoS and Gaming

• Paid tools to kick Halo 3 players off the Xbox Live network using DDoS
– Need some tricks to discover victim’s IP address
• Botnets for rent
– $2 per bot
– Takes 40-60 bots to boot a player
• Video tutorials on YouTube

Page 22: TCP SYN Flooding (High Rate)

• Build or rent a botnet of zombies
• Multi-layered architecture: attacker uses some of the zombies as “masters” (Command & Control centres) to control other zombies
• Command zombies to stage a coordinated attack on the victim
– Could be L7 request, but L4 request is more direct
– E.g. BetCris.com 2003: 20,000 bots generated 2 Gbps of SYN packets
• No need to spoof source IP addresses of attack packets
• Even in the case of SYN flood, SYN cookies don’t help
• Overwhelm victim with traffic arriving from thousands of different sources
• No (real) systematic solution

Page 23: Victim’s View of botnet-based DDoS

[Diagram: attack nodes spread across several ISPs and the Internet backbone, all converging on the Victim.]

Page 24: A classic SYN flood example using botnets

• MS Blaster worm (2003)
– Infected machines at noon on Aug 16th, 2003:
• SYN flood on port 80 to windowsupdate.com
• 50 SYN packets every second.
• Each packet is 40 bytes.
• Spoofed source IP: w.x.Y.Z where Y, Z are random.
• MS solution:
– new name: windowsupdate.microsoft.com
– Windows update file delivered by Akamai

Page 25: The Estonian Attack (2007)

• Apr/May 2007: DDoS attacks on Estonia after government relocated Soviet-era war monument
– Lasted for two weeks
– 130 distinct ICMP and SYN floods originating from Russian IP addresses, 70-95 Mbps over 10 hrs
– Do-it-yourself flood scripts distributed by Russian websites, also some evidence of botnet participation
– Victims: two largest banks, government ministries, etc.
• Solution
– Found all attack traffic was coming from outside of Estonia
– Therefore ISPs blocked all foreign traffic until attacks stopped
– Limitations?

Page 26: Typical Mitigation Efforts

• Firewall
– Only allow packets from known hosts
– Ingress/egress filtering
– Check for reverse path: block packets from IP address X if there is no reverse connection going out to address X
– Limit rate of ICMP packets and/or SYN packets
– Protect server, not ISP
• IP Traceback
– Find source of attack, used to shut down attack
– Sometimes possible to find the culprit, but usually hard
– Source IP addresses in packets are not reliable, need to examine traffic at many points, modify traffic, or modify routers
• Overlay techniques
– Preserve service to authenticated clients

Page 27: Prolexic/Verisign

• Basic idea is to only forward established TCP connections to site
• Key principle: over-provisioning to pre-screen
• DDoS mitigation as a service: share resources among victims to gain statistical multiplexing

[Diagram: Lots of SYNs → Prolexic proxy → Lots of SYN/ACKs; Few ACKs → Forward to site → Website.]

Page 28: Attack Types

Attack Packet          | Victim Response        | Rate: attacks/day [ATLAS 2013]
TCP SYN to open port   | TCP SYN/ACK            | 773
TCP SYN to closed port | TCP RST                |
TCP ACK or TCP DATA    | TCP RST                |
TCP RST                | No response            |
TCP NULL               | TCP RST                |
ICMP ECHO Request      | ICMP ECHO Response     | 50
UDP to closed port     | ICMP Port unreachable  | 387

Page 29: Stronger Attacks: TCP Connection Flood

• Attacker commands bot army to:
– complete TCP connection to the victim web site
– send short HTTP HEAD request
– Repeat
• This attack will bypass SYN flood protection proxy
• Basis of some L7 attacks
• BUT
– Attacker can no longer use random source IP addresses.
• Reveals the locations of bot zombies
– Proxy can now block or rate-limit bots.

Page 30: Layer 7 Attacks

• Make use of the characteristics, features and implementations of the HTTP protocol, or
• Highly dependent on the applications (mostly web-based)
• Key principle: attacker does little and victim does a lot

Source: Arbor Networks

Page 31: HTTP Protocol

The rationale of the attack is to use a small request message to request a large response message. But that is not necessarily the best option: a large request message could be more destructive in some cases!

Page 32: HTTP GET attack

• Has to survey the web applications before launching the attack
– If vulnerabilities found in implementation, exploit it
– If no vulnerability found, use primitive methods
• Keep sending HTTP GET for large-sized items
• Put Cache-Control to “no-cache”
• Lots of variations, e.g. combined with SQL injection attack (for poorly written applications)
• In applications with search function:
site.com/?s=keyword1
site.com/?s=keyword2
site.com/?s=keyword3

Page 33: CAPTCHA

• To ensure the search or GET is not initiated by a bot

Page 34: Slowloris and POST variants

• A GET/POST request includes a message body in addition to a URL to specify information for the action being performed.
• The field “Content-Length” in the HTTP header tells the web server how large the message body is.
• Attacker sends a complete HTTP Header portion in full to the web server, thus bypassing server’s check
• Then the message body is sent at, say, 1 byte per 2 minutes

Page 35: Slowloris and POST variants

• The web server will obey the “Content-Length” field to wait for the remaining message body to be received.
• Very similar to TCP SYN but at Layer 7: based on open connection.
• If HTTP POST is used, the impact is far more devastating.
– Common uses of HTTP POST requests: login, uploading photos/videos, sending webmails with attachments ….
• Can randomize size, character sets and time intervals to foil recognition at Layer 7 defence mechanisms
• Difficult to differentiate from legitimate connections which are slow
• Mitigation: limiting size of message body, timeout, …

Page 36: Reflector Attack (the New Smurf)

[Diagram: DoS Source → NTP (Network Time Protocol) server → DoS Target.
Request: “Give me the addresses of the last 600 machines you talked to” (234 bytes), spoofed SrcIP: DoS target.
Response: 600 addresses (49,000 bytes), sent to the DoS target. x206 amplification.]

December 2013 – February 2014: 400 Gbps DDoS attacks involving 4,529 NTP servers

7 million unsecured NTP servers on the Internet (Arbor)

Page 37: Attack Amplification

[Diagram: Controlling Machine (x1, 10 Mbps) → Bots, compromised trigger machines (x10, 1 Gbps) → Amplifiers (AMP, x100; x10 for DNS) → Victim (1 Tbps).]

Page 38: Attack Amplification

• DNS multiplier is 8x (Request: 64B; Response: 512B)
• EDNS multiplier is 53x (Request: 64B; Response: 3,364B)
• SNMP multiplier is 650x (Request: 100B; Response: 65kB)

Page 39: Spamhaus DDoS

• 1 attacker’s laptop to control
– 10 compromised servers, on
– 3 networks that allowed spoofing, of
– 9 Gbps DNS request to
– 0.1% of open resolvers resulted in
• 300 Gbps+ of DDoS attack traffic

Page 40: What Makes L3 DDoS Easy?

• DDoS can be launched in multiple layers, but high bandwidth attacks are at layer 3
• Three components to make L3 attacks easy
– Shoot-and-run protocols
• Anything based on UDP
• DNS (request: 64B; response: 512B), NTP are good choices
– No source IP authentication
– Internet Amplifiers
• Open DNS resolvers (one querying to multitudes)

Page 41: >20% spoofable addresses

Page 42: 32 million open resolvers

Page 43: Potential Mitigation

• Close Open DNS Recursors
– But, attackers could find other network services.
– The NTP attack is one example.
– After all, openness is the inherent rationale of the Internet.
• Stop IP Spoofing
– For example, implement BCP38 (IETF RFC 2827, since year 2000) and BCP84 (IETF RFC 2704)
– Lack of incentive. “Others’ problem is not my problem!”

Page 44: Difficulty for Defence

[Diagram: 10 Gbps enters the Network Fabric but only 1 Gbps reaches the DDoS victim; legitimate traffic is mostly dropped out. The ossified fabric is not adaptable even to static attacks.]

Purely victim side defence is not a choice since, if the last mile link is jammed, the victim may only be able to recover 1% of legitimate traffic.

Page 45: New Attacks, Old Principles

• No way for the victim to distinguish between legitimate and malicious requests.
• For each request, the attacker does a little, the victim does a lot more.
– Botnet DDoS, HTTP GET/POST
• The attacker gets helpers to amplify the attack traffic.
– Reflector DDoS
• The attacker uses “open connection” to eat up victim’s resources.
– Slowloris

Page 46: Prolexic (Hidden IP address + Scrubbing)

[Diagram: the DNS resolver replies with a different IP address for www.victim.com. All traffic to www.victim.com is sent in anycast to the traffic scrubbing centres; cleansed traffic is forwarded on to www.victim.com (hidden IP address).]

Page 47: Defence against the DNS Amplification Attack using SDN (Software Defined Networks)

[Diagram: DNS requests with a spoofed source IP address go to many DNS resolvers, whose replies converge on the DDoS victim (IP = yy.yy.yy.yy).
1. The victim reports the DNS attack to the Agile DDoS Protection controller: “Use IP = xx.xx.xx.xx only”.
2. One designated DNS resolver (IP = xx.xx.xx.xx) is kept.
The controller installs the rule “Drop traffic to and from IP = yy.yy.yy.yy and UDP_port = 53, except …”; normal DNS traffic is unaffected.]

Page 48: Software Defined Networks

• The main initiative of the so-called “Clean-Slate” Internet architecture
– Advocated by Nick McKeown, Jennifer Rexford, et al.
– The idea/concept came much earlier in 2000’s from David Clark
– SDN is just one instantiation
• Ossification of the Internet
– Everything adapts to the TCP/IP
– A complex distributed system
– Even simple tasks could lead to instability or oscillation

Page 49: SDN Idea: An OS for Networks

[Diagram: today’s closed network devices, each a box of App / App / App on top of a proprietary Operating System on top of Specialized Packet Forwarding Hardware.]

OpenFlow/SDN tutorial, Srini Seetharaman, Deutsche Telekom, Silicon Valley Innovation Center

Page 50: SDN Idea: An OS for Networks

[Diagram: the same closed devices, with Control Programs and a Network Operating System layered above them.]

OpenFlow/SDN tutorial, Srini Seetharaman, Deutsche Telekom, Silicon Valley Innovation Center

Page 51: Idea: An OS for Networks

[Diagram: Control Programs on top of a Network Operating System on top of Simple Packet Forwarding Hardware.]

OpenFlow/SDN tutorial, Srini Seetharaman, Deutsche Telekom, Silicon Valley Innovation Center

Page 52: Idea: An OS for Networks

• Software Defined Networking

[Diagram: Control Programs → Global Network View → Network Operating System → Protocols; control via forwarding interface down to the switches.]

The Future of Networking, and the Past of Protocols, Scott Shenker, with Martin Casado, Teemu Koponen, Nick McKeown

Page 53: OpenFlow

[Diagram: Control Path (Software) on top of Data Path (Hardware).]

Page 54: OpenFlow

[Diagram: OpenFlow Controller ↔ OpenFlow Protocol (SSL/TCP) ↔ OpenFlow control path in the switch, on top of Data Path (Hardware).]

Page 55: OpenFlow Switching

[Diagram: a PC running the Controller; a switch with a Software Layer (OpenFlow Client) and a Hardware Layer holding the OpenFlow Table and ports 1 to 4; hosts 1.2.3.4 and 5.6.7.8.]

OpenFlow Table:
MAC src | MAC dst | IP Src  | IP Dst | TCP sport | TCP dport | Action
*       | *       | 5.6.7.8 | *      | *         | *         | port 1

The Stanford Clean Slate Program, http://cleanslate.stanford.edu

Page 56: OpenFlow Table Entry

Rule | Action | Stats

Rule: Switch Port, MAC src, MAC dst, Eth type, VLAN ID, IP Src, IP Dst, IP Prot, TCP sport, TCP dport (+ mask)
Action:
1. Forward packet to port(s)
2. Encapsulate and forward to controller
3. Drop packet
4. Send to normal processing pipeline
5. …
Stats: Packet + byte counters

The Stanford Clean Slate Program, http://cleanslate.stanford.edu
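The table entry of page 56 and the DNS-amplification rule set of page 47 together, as an added example (not code from the presentation, from ASTRI, or from any OpenFlow implementation): a flow table in the Rule / Action / Stats shape, matching on the ten header fields with prefix masks on the IP fields and falling back to a table-miss action, loaded with the page 47 policy "drop traffic to and from the victim on UDP port 53, except with the designated resolver". The field names, the action spellings, the port numbers and the five packets are constructed stand-ins; xx.xx.xx.xx and yy.yy.yy.yy become the two addresses in demo().

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# the ten header fields of page 56 (names are my spelling)
MATCH_FIELDS = ("in_port", "mac_src", "mac_dst", "eth_type", "vlan_id",
                "ip_src", "ip_dst", "ip_proto", "tp_src", "tp_dst")
UDP = 17


@dataclass
class FlowEntry:
    priority: int
    match: dict            # Rule: field -> value; ip_src/ip_dst may carry a prefix (the "+ mask")
    action: str            # Action: "forward:<port>", "controller", "drop" or "normal"
    packets: int = 0       # Stats: packet counter
    bytes: int = 0         # Stats: byte counter

    def matches(self, pkt: dict) -> bool:
        for field, want in self.match.items():
            have = pkt.get(field)
            if have is None:
                return False
            if field in ("ip_src", "ip_dst"):
                if ip_address(have) not in ip_network(want, strict=False):
                    return False
            elif have != want:
                return False
        return True


class FlowTable:
    def __init__(self, table_miss: str = "controller"):
        self.entries = []
        self.table_miss = table_miss   # what happens when no rule matches

    def add(self, priority: int, match: dict, action: str):
        unknown = set(match) - set(MATCH_FIELDS)
        if unknown:
            raise ValueError(f"unknown match fields: {sorted(unknown)}")
        self.entries.append(FlowEntry(priority, match, action))
        self.entries.sort(key=lambda e: -e.priority)   # highest priority wins, stable for ties
        return self

    def process(self, pkt: dict) -> str:
        """First matching rule in priority order decides; its counters are updated."""
        for e in self.entries:
            if e.matches(pkt):
                e.packets += 1
                e.bytes += pkt.get("len", 0)
                return e.action
        return self.table_miss


def dns_amplification_defence(victim_ip: str, designated_resolver: str, port_to_victim: int = 1):
    """Page 47 policy as four entries, independent of how many reflectors take part."""
    table = FlowTable(table_miss="normal")
    # exceptions carry the higher priority: the one resolver the victim agreed to keep using
    table.add(200, {"ip_src": designated_resolver, "ip_dst": victim_ip,
                    "ip_proto": UDP, "tp_src": 53}, f"forward:{port_to_victim}")
    table.add(200, {"ip_src": victim_ip, "ip_dst": designated_resolver,
                    "ip_proto": UDP, "tp_dst": 53}, f"forward:{port_to_victim}")
    # every other DNS packet to or from the victim is dropped in the data path
    table.add(100, {"ip_dst": victim_ip, "ip_proto": UDP, "tp_src": 53}, "drop")
    table.add(100, {"ip_src": victim_ip, "ip_proto": UDP, "tp_dst": 53}, "drop")
    return table


def demo():
    victim, resolver = "203.0.113.10", "198.51.100.53"   # stand-ins for yy.yy.yy.yy and xx.xx.xx.xx
    table = dns_amplification_defence(victim, resolver)
    packets = [   # constructed packets
        ("reflected reply from an open resolver",
         {"ip_src": "192.0.2.77", "ip_dst": victim, "ip_proto": UDP, "tp_src": 53, "tp_dst": 40000, "len": 3364}),
        ("reply from the designated resolver",
         {"ip_src": resolver, "ip_dst": victim, "ip_proto": UDP, "tp_src": 53, "tp_dst": 40001, "len": 512}),
        ("query the victim sends elsewhere",
         {"ip_src": victim, "ip_dst": "192.0.2.77", "ip_proto": UDP, "tp_src": 40002, "tp_dst": 53, "len": 64}),
        ("DNS between two other hosts",
         {"ip_src": "192.0.2.1", "ip_dst": "192.0.2.77", "ip_proto": UDP, "tp_src": 40003, "tp_dst": 53, "len": 64}),
        ("HTTPS to the victim",
         {"ip_src": "192.0.2.1", "ip_dst": victim, "ip_proto": 6, "tp_src": 40004, "tp_dst": 443, "len": 1500}),
    ]
    verdicts = {name: table.process(pkt) for name, pkt in packets}
    dropped = sum(e.packets for e in table.entries if e.action == "drop")
    return verdicts, dropped


if __name__ == "__main__":
    verdicts, dropped = demo()
    for name, action in verdicts.items():
        print(f"{name:40s} -> {action}")
    print("packets dropped:", dropped)
```

Four entries cover the whole attack regardless of how many open resolvers are reflecting, which is the point of matching on the victim's address rather than on each source; the TCAM constraint raised on page 57 is therefore less of a concern for this particular rule set than for per-source blocking.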

Page 57: SDN for DDoS

[Diagram: Enterprise apps; Security, load balancing, etc. services; APIs; Software-Defined Network (SDN) Platform, e.g. Openflow; Open protocols with enablement for proprietary extensions; Physical Network.]

• Open programmable networks and APIs
• A complete view and centralized control
• Fine grained definition of traffic
– for monitoring, and
– traffic management
• However,
1) TCAM memory sets a limit on the rule set
2) The Openflow controller could become the attack target to launch another type of DDoS

Page 58: Identified Key Trends

• Large flood-based Layer 3 DDoS attacks are the “New Normal”
– 300 Gbps (Spamhaus, 2013)
– > 300 Gbps (2014)
• Increased sophistication and complexity of application layer (Layer 7) DDoS attacks, and multi-vector DDoS attacks are becoming more common
– HTTP and DNS most common application layer targets
– Growth in attacks targeting HTTPS
• Stateful firewalls, IPS and load-balancer devices continue to fall short on DDoS
• Data centers increasingly becoming victimized
• Advanced Persistent Threats (APT) a top concern

Page 59: Take-Home Message

• Although seemingly new and advanced DDoS attacks keep appearing, the core principles behind them do not seem very different from those early attacks.
• Sophistication of L7 attacks lies in the vast combination of attack vectors.
• High volume attacks are mainly L3.
• Predictions:
– IoT devices will be used in DDoS, mainly L4 TCP SYN and L7 (bogus authentication message)
– SSO (Single Sign On) system is the new target
• SDN gives some hope to the problem, but has its limitations, like the constraints on ruleset size.

Page 60: End of Presentation

Thank you. Questions are welcome.

Our corporate website: www.astri.org