
Amplification DDoS Attacks – Defenses for Vulnerable Protocols

Amplification DDoS Attacks – Defenses for Vulnerable Protocols. Christian Rossow, VU University Amsterdam / Ruhr-University Bochum. RIPE 68, May 2014, Warsaw.


Presentation Transcript


  1. Amplification DDoS Attacks – Defenses for Vulnerable Protocols. Christian Rossow, VU University Amsterdam / Ruhr-University Bochum. RIPE 68, May 2014, Warsaw

  2. Amplification DDoS Attacks Attacker Amplifier Victim • C.Rossow – Amplification DDoS Attacks: Defenses for Vulnerable Protocols

  3. Amplification Attacks in Practice (figures: Cloudflare Blog post, February 2014; Cloudflare Blog post, March 2013)

  4. Attack

  5. 14 Network Protocols Vulnerable to Amplification (figure; year labels: ’87, ’90, ’83, 2001, ’99, ’88, ’87, ’99, ’83, 2003, 2002)

  6. Measuring Amplification Rates (1/2)
      • Bandwidth Amplification Factor (BAF) = (UDP payload bytes at victim) / (UDP payload bytes from attacker)
      • Packet Amplification Factor (PAF) = (# of IP packets at victim) / (# of IP packets from attacker)

  7. Measuring Amplification Rates (2/2) (chart labels: 4670x, 10x, 15x)

  8. Number of Amplifiers

  9. Defense

  10. Let’s Play Defense
      • Defensive Countermeasures
      • Attack Detection
      • Attack Filtering
      • Hardening Protocols
      • etc.

  11. Further Countermeasures
      • S.A.V.E. – Source Address Verification Everywhere
      • a.k.a. BCP38
      • Spoofing is the root cause of amplification attacks
      • Implement proper handshakes in protocols
      • Switch to TCP
      • Re-implement such a handshake in UDP
      • Rate limiting (with limited success)

  12. Attack Detection at the Amplifier / Victim

  13. Protocol Hardening: DNS
      • Secure your open recursive resolvers
      • Restrict resolver access to your customers
      • See: http://www.team-cymru.org/Services/Resolvers/instructions.html
      • Check your network(s) at http://openresolverproject.org/
      • Rate-limit at authoritative name servers
      • Response Rate Limiting (RRL) – now also in BIND. See: http://www.redbarn.org/dns/ratelimits

  14. Protocol Hardening: NTP
      • Disable monlist at your NTP servers
      • Add to your ntp.conf: restrict default noquery
      • monlist is optional and not necessary for time sync
      • Check your network(s) at http://openntpproject.org/
      • Filter monlist response packets
      • UDP source port 123 with IP packet length 468
      • Only very few legitimate (non-killer) monlist use cases

  15. Conclusion

  16. Conclusion
      • 14+ UDP-based protocols are vulnerable to amplification
      • We can mitigate individual amplification vectors
      • NTP: Down to 8% of vulnerable servers in 7 weeks
      • DNS: Still 25M open resolvers – let’s close them!

  17. Amplification DDoS Attacks – Defenses for Vulnerable Protocols. Christian Rossow, VU University Amsterdam / Ruhr-University Bochum. RIPE 68, May 2014, Warsaw

  18. More Slides

  19. Detailed BAF and PAF per Protocol

  20. Measuring Amplification Rates (2/2)
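
The monlist filter rule from slide 14 (UDP source port 123 with IP packet length 468), written out as a packet check. This is an added Python example, not part of the original slides; the function names and the constructed sample packets are assumptions for illustration. It goes beyond the slide by also handling IPv4 options, non-first fragments and truncated captures.

```python
import struct

NTP_PORT = 123        # UDP source port from slide 14
MONLIST_IP_LEN = 468  # IP packet length from slide 14

def is_monlist_response(pkt: bytes) -> bool:
    """Apply the slide's rule to one raw IPv4 packet (no link-layer header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False                       # truncated or not IPv4
    ihl = (pkt[0] & 0x0F) * 4              # IP options shift the UDP header
    total_len, _ident, frag = struct.unpack_from("!HHH", pkt, 2)
    if ihl < 20 or pkt[9] != 17:           # malformed header or not UDP
        return False
    if frag & 0x1FFF:                      # later fragments carry no UDP header
        return False
    if len(pkt) < ihl + 8:                 # capture cut off inside the UDP header
        return False
    (src_port,) = struct.unpack_from("!H", pkt, ihl)
    return src_port == NTP_PORT and total_len == MONLIST_IP_LEN

def build_packet(src_port, payload_len, options=b"", frag_off=0, proto=17):
    """Constructed test packet; addresses are documentation ranges, checksums zero."""
    ihl = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | (ihl // 4), 0, ihl + 8 + payload_len,
                     0, frag_off, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    udp = struct.pack("!HHHH", src_port, 40000, 8 + payload_len, 0)
    return ip + options + udp + bytes(payload_len)

# Constructed samples (not captured traffic): name -> packet
SAMPLES = {
    "monlist-sized reply": build_packet(123, 440),            # 20+8+440 = 468
    "ordinary NTP reply": build_packet(123, 48),              # 76 bytes total
    "468 bytes, other port": build_packet(53, 440),
    "with IP options": build_packet(123, 436, options=b"\x01" * 4),
    "non-first fragment": build_packet(123, 440, frag_off=55),
    "not UDP": build_packet(123, 440, proto=6),
}

def classify_samples():
    """Return name -> True when the packet matches the filter rule."""
    return {name: is_monlist_response(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{'DROP' if hit else 'pass'}  {name}")
```

The "with IP options" sample shows why the source port has to be read at the offset given by the header length field rather than at a fixed byte 20.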
