td fdds dpttitrends of ddos and protection...

T d f DD S d P t tiTrends of DDoS and Protection Technologies

Aldar ChanSecurity & Data SciencesASTRI10 Apr, 2015

ASTRI Proprietary

What’s DDoS?

ASTRI Proprietary

What’s DDoS?

During a Distributed Denial of Service (DDoS) attack, compromised hosts (bots) or vigilante users from distributed

sources overwhelm the target with illegitimate traffic so that the

ASTRI Proprietary3

sources overwhelm the target with illegitimate traffic so that the servers can not respond to legitimate clients.

Why DDoS?• Ideologically-motivated ‘Hacktivism’ and on-line vandalism DDoS attacks

are the most commonly identified attack motivations• Other: competitors, financial market manipulation• Nearly 15% seeing attacks motivated by extortion, competitive rivalry or as

a cover for data exfiltration. DDoS is now a part of more complex cyber p p yattack campaigns.

ASTRI Proprietary

Source: Arbor Networks (2014)

Who’s the Target?

ASTRI Proprietary

How Serious?

• Reported bandwidth of DDoS attacks100Gbps in 2010– 100Gbps in 2010

– 300Gbps in 2013 (against Spamhaus and Cloudflare)– > 300Gbps in 2014 (Hong Kong)> 300Gbps in 2014 (Hong Kong)

ASTRI Proprietary

The Real Case in Hong Kong

“suspension in trading of sevencompanies with a combined marketvalue of HK$1 5 trillion They includevalue of HK$1.5 trillion. They includeHSBC, Cathay Pacific Airways andHKEx itself.”

ASTRI Proprietary

Identified Key Trends

• Large flood-based Layer 3 DDoS attacks are the “New Normal”Normal– 300 Gbps (Spamhaus, 2013)– > 300 Gbps (2014)

• Increased sophistication and complexity of application layer (Layer 7) DDoS attacks and multi-vector DDoS tt k b iattacks are becoming more common– HTTP and DNS most common application layer targets– Growth in attacks targeting HTTPS– Growth in attacks targeting HTTPS

• Stateful Firewalls, IPS and Load-Balancers Devices continue to Fall Short on DDoScontinue to Fall Short on DDoS

• Data Centers Increasingly Becoming Victimized

Ad d P i t t Th t (APT) tASTRI Proprietary

• Advanced Persistent Threats (APT) a top concern

DDoS at Different Layers

GET and POST app layer attacks on HTTP and HTTPS (pure, Slowloris, authentication failure,

)…)

TCP SYN flooding, TCP ACK forging (Coremelt), …..

ICMP, Smurf,R fl t (DNS NTP )Reflector (DNS, NTP, ….)

Imature backoff in WLAN

Wireless jammingWireless jamming

ASTRI Proprietary

Historical DDoS (1990’s)

• As early as when the Internet became public

• Targeting at the TCP/IP protocol

• Two main attacks– Smurf/ICMP attack– TCP SYN attach

• Has laid down the key principles/conditions for launching a DDoS attack today!g y

ASTRI Proprietary

Smurf/ICMP Attack

1. ICMP Echo ReqSrc: Victim addr

3. ICMP Echo ReplyDest: victim addr

gateway Victim

Src: Victim addrDest: broadcast addr

Attacker g yAttacker

2. Each machine generates a ping reply to the victima ping reply to the victim.

• Send “ping” request to broadcast address (ICMP Echo Req)

• Lots of responses:– Every host on target network generates a ping reply (ICMP Echo

Reply) to victim– Key idea: Amplification

ASTRI Proprietary11

y pPrevention: reject external packets to broadcast address

TCP Handshake

C S

Client Server

C S

SYNC(SNC) Listening

SYN (SN ) ACK(SN )

g

Store data SNC, SNSSYNS(SNS), ACK(SNC)C, S

ACK(SNS)Wait

Connected

ASTRI Proprietary

TCP SYN Flooding (Low Rate)

C SSingle Client Machine:

C t SYN k t ithC S

SYNC1

• Creates many SYN packets with random, spoofed source IP addresses

C1

SYNC2

• Fills up the backlog queue on Server (victim)– Server allocates resources (new

SYNC3

SYN

Server allocates resources (new thread, connection state maintained) for each requestServer’s resources are held upSYNC4

SYNC5

– Server s resources are held up until timeout

• Resources exhausted C5

No further connections from legitimate users possible

ASTRI Proprietary

Resources held up

Defence 1: Random Deletion

121 17 182 45

SYNChalf-open connections

121.17.182.45

231.202.1.16

121.100.20.14

5.17.95.155

• If SYN queue is full, delete random entryq , y– Legitimate connections have a chance to complete– Fake addresses will be eventually deletedy

• Easy to implement

ASTRI Proprietary

Defence 2: Anti-spoofing SYN Cookies[Bernstein, Schenk]

• Main idea: Remove SYN state from Server until Clienthas returned at least 2 messages

• Server responds to Client with SYN-ACK cookie:– T = top 5 bits of a 32-bit counter incremented every 64T top 5 bits of a 32 bit counter incremented every 64

seconds.– L = FKey (SrcAddr, SrcPort, DestAddr, DestPort, T) + SNC

• In practice, FKey (X) = MD5( Key || X || Key )• Key: picked at random during boot-up

– SNS = ( T || L) ( |L| = 24 bits )– Normal TCP response but Server does not save state

• Honest Client responds with ACK(SNS)– Server allocates space for socket only if a valid SNS

is received

ASTRI Proprietary

15

is received.

TCP Connection Establishment with SYN Cookies

C S

SYNC(NC) Listening…

Does not store stateCompatible with standard TCP specification;simply a “weird” sequence number scheme

SYNS(NS), ACKC(NC)sequence # NS = cookie

Cookie must be unforgeable

FKey(source addr, source port, dest addr, dest port, coarse time)

gand tamper-proof

Client should not be ableto invert a cookie

Re-compute the cookie based on the received IP

ACKS(cookie)

header, compare it with the one received, only establish connection if they match

Used in IPSec key establishmentASTRI Proprietary

16

Used in IPSec key establishment,But only solve the spoofed address issue

Core Principles behind DDoS

• No way for the victim to distinguish between legitimate and malicious requestslegitimate and malicious requests.

• For each request, the attacker does a little, the i ti d l tvictim does a lot more.

• The attacker gets helpers to amplify the attack traffic.

• The attacker uses “open connection” to eat up theThe attacker uses open connection to eat up the victim’s resources.

ASTRI Proprietary

Other Attacks beyond these Principles

• Example:TCP Reset attack– TCP Reset attack

– Forged TCP ACK attack (2005), Coremelt attack (2009)

• Less common since requiring more technical know• Less common since requiring more technical know-hows to launch

• TCP Reset attack is still commonly used• TCP Reset attack is still commonly used – To target the infrastructure with long-lived connections,

example, BGP.– By some governments for content filtering

ASTRI Proprietary

DDoS Attacks TodayDDoS Attacks Today

ASTRI Proprietary

TCP SYN Flooding (High Rate)

AttackerAttacker

M t hi (C&C)Get helpers!

Master machines (C&C)

Zombie machines

Victim

TCP SYN packets

ASTRI Proprietary

Victim

DDoS and Gaming

• Paid tools to kick Halo 3 players off the Xbox Live network usingoff the Xbox Live network using DDoS– Need some tricks to discover

victim’s IP address• Botnets for rent

$2 b t– $2 per bot– Takes 40-60 bots

to boot a playerto boot a player

• Video tutorials on YouTube

ASTRI Proprietary

TCP SYN Flooding (High Rate)

• Build or rent a botnet of zombies• Multi layered architecture: attacker uses some of the• Multi-layered architecture: attacker uses some of the

zombies as “masters” (Command & Control centres) to control other zombies

• Command zombies to stage a coordinated attack on the victim– Could be L7 request, but L4 request is more direct – E.g. BetCris.com 2003: 20,000 bots generated 2Gbps of

SYN packetsSYN packets• No need to spoof source IP addresses of attack packets • Even in the case of SYN flood SYN cookies don’t help• Even in the case of SYN flood, SYN cookies don t help• Overwhelm victim with traffic arriving from thousands of

different sources

ASTRI Proprietary

• No (real) systematic solution

Victim’s View of botnet-based DDoSISP

Internet Backbone

ISP

Victim : attack nodes

ASTRI Proprietary

A classic SYN flood example using botnets

• MS Blaster worm (2003)Infected machines at noon on Aug 16th 2003:– Infected machines at noon on Aug 16th, 2003:• SYN flood on port 80 to windowsupdate.com

50 SYN k t d• 50 SYN packets every second. • each packet is 40 bytes.

• Spoofed source IP: w x Y Z where Y Z are random• Spoofed source IP: w.x.Y.Z where Y, Z are random.

• MS solution: – new name: windowsupdate.microsoft.com e a e do supdate c oso t co– Windows update file delivered by Akamai

ASTRI Proprietary24

The Estonian Attack (2007)

• Apr/May 2007: DDoS attacks on Estonia after government relocated Soviet-era war monumentgovernment relocated Soviet era war monument– Lasted for two weeks– 130 distinct ICMP and SYN floods originating g g

from Russian IP addresses, 70-95 Mbps over 10 hrs– Do-it-yourself flood scripts distributed by Russian

b it l id f b t t ti i tiwebsites, also some evidence of botnet participation– Victims: two largest banks, government ministries, etc.

• Solution• Solution– Found all attack traffic was coming from outside of

EstoniaEstonia– Therefore ISPs blocked all foreign traffic until attacks

stopped

ASTRI Proprietary

– Limitations?

Typical Mitigation Efforts

• Firewall– Only allow packets from known hostsOnly allow packets from known hosts– Ingress/egress filtering– Check for reverse path: block packets from IP address X if

there is no reverse connection going out to address X– Limit rate of ICMP packets and/or SYN packets

Protect server not ISP– Protect server, not ISP• IP Traceback

– Find source of attack, used to shut down attack– Sometimes possible to find the culprit , but usually hard– Source IP addresses in packets are not reliable, need to

examine traffic at many points modify traffic or modify routersexamine traffic at many points, modify traffic, or modify routers• Overlay techniques

– Preserve service to authenticated clients

ASTRI Proprietary

Preserve service to authenticated clients

Prolexic/Verisign

• Basic idea is to only forward established TCP connections to siteconnections to site

• Key principle: over-provisioning to pre-screen• DDoS mitigation as a service: share resources among g g

victims to gain statistical multiplexing

l

Lots-of-SYNs

Prolexicproxy

Lots-of-SYN/ACKs

Fe ACKs F d WebsiteFew ACKs Forwardto site

ASTRI Proprietary

Attack Types

Attack Packet Victim Response Rate: attk/dayp y[ATLAS 2013]

TCP SYN to open port TCP SYN/ACK 773

TCP SYN to closed port TCP RST

TCP ACK or TCP DATA TCP RST

TCP RST No response

TCP NULL TCP RSTTCP NULL TCP RST

ICMP ECHO Request ICMP ECHO Response 50

UDP t l d t ICMP P t h bl 387UDP to closed port ICMP Port unreachable 387

ASTRI Proprietary

Stronger Attacks: TCP Connection Flood

• Attacker commands bot army to:

– complete TCP connection to the victim web site– send short HTTP HEAD request

R t– Repeat

• This attack will bypass SYN flood protection proxy

• Basis of some L7 attacks

• BUT– Attacker can no longer use random source IP addresses.

• Reveals the locations of bot zombies

– Proxy can now block or rate-limit bots.

ASTRI Proprietary29

y

Layer 7 Attacks

• Make use of the characteristic, features and implementations of the HTTP protocol, orimplementations of the HTTP protocol, or

• Highly dependent on the applications (mostly web-based)

• Key principle: attacker does little and victim does a lot

ASTRI Proprietary Source: Arbor Networks

HTTP Protocol

Rational to attack using a small request message to request a large response messges. But it is not necessarily true. A large request message could be more destructive in some cases!

ASTRI Proprietary

HTTP GET attack

• Has to survey the web applications before launching the attackattack– If vulnerabilities found in implementation, exploit it– If no vulnerability found, use primitive methodsy , p

• Keep sending HTTP GET for large-sized items• Put Cache-Control to “no-cache”• Lots of variations, e.g. combined with SQL injection

attack (for poorly written applications)I li ti ith h f ti• In applications with search function:

site.com/?s=keyword1site.com/?s=keyword2site.com/?s=keyword3

ASTRI Proprietary

CAPTCHA

• To ensure the search or GET is not initiated by a bot

ASTRI Proprietary

Slowloris and POST variants

• A GET/POST request includes a message body in addition to a URL to specify information for the action being performed.

• The field “Content Length” in the HTTP header tells the• The field “Content-Length” in the HTTP header tells the web server how large the message body is.

• Attacker sends a complete HTTP Header portion in fullAttacker sends a complete HTTP Header portion in full to the web server, thus bypassing server’s check

• Then the message body is sent at, says, 1 byte per 2

ASTRI Proprietary

minutes

Slowloris and POST variants

• The web server will obey the “Content-Length” field to wait for the remaining message body to be received.wait for the remaining message body to be received.

• Very similar to TCP SYN but at Layer 7: based on open connection.

• If HTTP POST is used, the impact is far more devastating.

C f HTTP POST t l i l di– Common uses of HTTP POST requests: login, uploading photos/videos, sending webmails with attachments ….

• Can randomize size character sets and time intervals toCan randomize size, character sets and time intervals to foil recognition at Layer 7 defence mechanisms

• Difficult to differentiate from legitimate connections gwhich are slow

• Mitigation: limiting size of message body, timeout, …

ASTRI Proprietary

Reflector Attack (the New Smurf)

x206 amplification“Give me the addresses of the

last 600 machines you talked to”Spoofed SrcIP: DoS target

600 addresses

(49 000 bytes)(234 bytes) (49,000 bytes)

DoSSource

DoSTarget

NTP(Network Time Protocol)

server

December 2013 – February 2014: 400 Gbps DDoS attacks involving 4 529 NTP servers400 Gbps DDoS attacks involving 4,529 NTP servers

7 million unsecured NTP servers on the Internet (Arbor)

ASTRI Proprietary

( )

Attack Amplification

Controlling x1gMachine

10 Mbps

Bot – Compromised Trigger Machines



x10

AMP AMPAMP

AMP

1 Gbps

x100AMP

AMP AMPAMP AMP

AMPAMP

AMPx10 (DNS)

AMP

Victim1 Tbps

ASTRI Proprietary

Attack Amplification

• DNS multiplier is 8x (Request: 64B; Response 512B)• EDNS multiplier is 53x (Request: 64B; Response:• EDNS multiplier is 53x (Request: 64B; Response:

3,364B)• SNMP multiplier is 650x (Request: 100B; Response p ( q ; p

65kB)

ASTRI Proprietary

Spamhaus DDoS

• 1 attacker’s laptop to control10 compromised servers on– 10 compromised servers, on

– 3 networks that allowed spoofing, of– 9 Gbps DNS request to9 Gbps DNS request to– 0.1% of open resolvers resulted in

• 300 Gbps+ of DDoS attack trafficp

ASTRI Proprietary

What Makes L3 DDoS Easy?

• DDoS can be launched in multiple layers, but high bandwidth attacks are at layer 3bandwidth attacks are at layer 3

• Three components to make L3 attacks easy– Shot and run protocolsp

• Anything based on UDP• DNS (request: 64B; response: 512B), NTP are good

choices– No source IP authentication

I A lifi– Internet Amplifiers• Open DNS resolvers (one querying to multitudes)

ASTRI Proprietary

>20% spoofable addresses

ASTRI Proprietary

32 millions open resolvers

ASTRI Proprietary

Potential Mitigation

• Close Open DNS RecursorsBut attackers could find other network services– But, attackers could find other network services.

– The NTP attack is one example.– After all openness is the inherent rationale of theAfter all, openness is the inherent rationale of the

Internet.• Stop IP Spoofing

– For example, implement BCP38 (IETF RFC 2827, since year 2000) and BCP84 (IETF RFC 2704)L k f i i “O h ’ bl i bl !”– Lack of incentive. “Others’ problem is not my problem!”

ASTRI Proprietary

Difficulty for Defence

Ossified fabric not 10 Gbps Legitimate

traffic mostly

Network Fabric

adaptable even to static attacks

ydropped out

Network Fabric

1 Gbps

DDoS victim

P l i ti id d f i t h i i if th l t il li k i

ASTRI Proprietary

Purely victim side defence is not a choice since, if the last mile link is jammed, the victim may only be able to recover 1% of legitimate traffic.

New Attacks, Old Principles

• No way for the victim to distinguish between legitimate and malicious requestslegitimate and malicious requests.

• For each request, the attacker does a little, the victim does a lot morevictim does a lot more. – Botnet DDoS, HTTP GET/POST

• The attacker gets helper to amplify the attack traffic.– Reflector DDoS

• The attacker use “open connection” to eat up p pvictim’s resources.– Slowloris

ASTRI Proprietary

Prolexic (Hidden IP address + Scrubbing) DNS resolver replies with different IP address for www.victim.com

All traffic to www.victim.comis sent in anycast to the scrubbing centres

Traffic scrubbing centre

Traffic scrubbingTraffic scrubbing centre


Clensed trafficcentre


ASTRI Proprietarywww.victim.com

(hidden IP address)

Defence against the DNS Amplification Attack using SDN (Software Defined Networks)

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS Resolver

DNS requests with spoofed IP address

xDrop traffic to and from IP = yy.yy.yy.yy, andUDP_port = 53, except …

2. DesignatedDNS

Resolver

IP = xx xx xx xx

Normal DNS traffic unaffected…

Agile DDoS Protection

IP = xx.xx.xx.xx

ASTRI Proprietary

DDoS victimIP = yy.yy.yy.yyReport DNS attack;

Use IP=xx.xx.xx.xx only1.

Software Defined Networks

• The main initiative of the so-called “Clean-Slate” Internet architectureInternet architecture– Advocated by Nick McKeown, Jennifer Rexford, et. al.– The idea/concept came much earlier in 2000’s from p

David Clark– SDN is just one instantiation

• Ossification of the Internet– Everything adapts to the TCP/IP– A complex distributed system– Even simple tasks could lead to

i t bilit ill tiinstability or oscillation

ASTRI Proprietary

SDN Idea: An OS for Networks

Closed

Specialized Packet

App App App

App App App

OperatingSystem

App App App

Specialized Packet Forwarding Hardware


Operating

OperatingSystem


OperatingSystem

OperatingSystem

App App App

App App App


OperatingSystem 49

ASTRI Proprietary


OpenFlow/SDN tutorial, Srini Seetharaman, Deutsche Telekom, Silicon Valley Innovation Center

SDN Idea: An OS for Networks

Control Programs

Network Operating System

og a s

Specialized Packet

App App App

App App App

OperatingSystem

App App App



Operating

OperatingSystem


OperatingSystem

OperatingSystem

App App App

App App App


OperatingSystem 50

ASTRI Proprietary



Idea: An OS for Networks

Control Programs


og a s

Simple Packet Forwarding Hardware Simple Packet

Forwarding Hardware

Simple Packet

Simple Packet Forwarding Hardware


Simple Packet51

ASTRI Proprietary



Idea: An OS for Networks

• Software Defined Networking• Software Defined Networking

Global Network View

Control Programs

Global Network View

C t l i


Protocols Protocols

Control via forwarding interface

52

ASTRI ProprietaryThe Future of Networking, and the Past of Protocols, Scott Shenker, with Martin Casado, Teemu Koponen, Nick McKeown

OpenFlow

Control Path (Software)Control Path (Software)Control Path (Software)Control Path (Software)

53Data Path (Hardware)Data Path (Hardware)ASTRI Proprietary

ata at ( a d a e)ata at ( a d a e)

OpenFlow

OpenFlowOpenFlow ControllerControllerOpenFlowOpenFlow ControllerController

OpenFlow Protocol (SSL/TCP)

Control PathControl Path OpenFlowOpenFlowControl PathControl Path OpenFlowOpenFlow

54Data Path (Hardware)Data Path (Hardware)ASTRI Proprietary

ata at ( a d a e)ata at ( a d a e)

OpenFlow Switching

PC

Controller

PCSoftwareLayer OpenFlow Client

Controller

H d

OpenFlow Table

MACsrc

MACdst

IPSrc

IPDst

TCPsport

TCPdport Action

HardwareLayer **5.6.7.8*** port 1

port 4port 3port 2port 1

ASTRI Proprietary

The Stanford Clean Slate Program, http://cleanslate.stanford.edu

1.2.3.45.6.7.8 55

OpenFlow Table Entry

Rule Action Stats

Packet + byte counters

1.Forward packet to port(s)2.Encapsulate and forward to controller3.Drop packetp p4.Send to normal processing pipeline5.…

56

SwitchPort

MACsrc

MACdst

Ethtype

VLANID

IPSrc

IPDst

IPProt

TCPsport

TCPdport

+ mask

ASTRI Proprietary

The Stanford Clean Slate Program, http://cleanslate.stanford.edu

SDN for DDoS

• Open programmableprogrammable Networks and APIs

• A complete view Enterprise apps

Security, load balancing, etc. services

and centralized control

• Fine grainedSoftware-Defined Network (SDN)

Platform , e.g. Openflow

APIs

Open protocols with enablement for proprietary extensions• Fine grained definition of traffic– for monitoring, and

Open protocols with enablement for proprietary extensions

g,– traffic management

• However, Physical Network Physical Network

1) TCAM memory set limit on the rule set2) The Openflow controller could become the attack target to

ASTRI Proprietary

2) The Openflow controller could become the attack target to launch another type of DDoS

Identified Key Trends

• Large flood-based Layer 3 DDoS attacks are the “New Normal”Normal– 300 Gbps (Spamhaus, 2013)– > 300 Gbps (2014)

• Increased sophistication and complexity of application layer (Layer 7) DDoS attacks and multi-vector DDoS tt k b iattacks are becoming more common– HTTP and DNS most common application layer targets– Growth in attacks targeting HTTPS– Growth in attacks targeting HTTPS

• Stateful Firewalls, IPS and Load-Balancers Devices continue to Fall Short on DDoScontinue to Fall Short on DDoS

• Data Centers Increasingly Becoming Victimized

Ad d P i t t Th t (APT) tASTRI Proprietary

• Advanced Persistent Threats (APT) a top concern

Take-Home Message

• Although seemingly new and advanced DDoS attacks keep appearing, the core principles behind do not seemkeep appearing, the core principles behind do not seem very different from those early attacks.

• Sophistication of L7 attacks lie in the vast combination of attack vectors.

• High volume attacks are mainly L3. P di ti• Predictions:– IoT devices will be used in DDoS, mainly L4 TCP SYN

and L7 (bogus authentication message)and L7 (bogus authentication message) – SSO (Single Sign On) system is the new target

• SDN gives some hope to the problem, but has itsSDN gives some hope to the problem, but has its limitation like the constraints on ruleset size.

ASTRI Proprietary

End of PresentationThank you Questions are welcomeThank you. Questions are welcome.

Our corporate website: www.astri.orgp g

ASTRI Proprietary

td fdds dpttitrends of ddos and protection...

Documents