Amplification DDoS Attacks – Defenses for Vulnerable Protocols
Christian Rossow
VU University Amsterdam / Ruhr-University Bochum
RIPE 68, May 2014, Warsaw

Amplification DDoS Attacks
[Figure: the three parties of an amplification attack – Attacker, Amplifier, Victim]
C.Rossow – Amplification DDoS Attacks: Defenses for Vulnerable Protocols

Amplification Attacks in Practice
[Figure: two Cloudflare blog posts, February 2014 and March 2013]

Attack
14 Network Protocols Vulnerable to Amplification
[Figure: timeline of when the vulnerable protocols were introduced; years as extracted: '87, '90, '83, 2001, '99, '83, 2002, 2003, '88, '87, '99]

Measuring Amplification Rates (1/2)
- Bandwidth Amplification Factor (BAF)
    BAF = UDP payload bytes at victim / UDP payload bytes from attacker
- Packet Amplification Factor (PAF)
    PAF = # of IP packets at victim / # of IP packets from attacker

Measuring Amplification Rates (2/2)
[Chart: BAF per protocol on a log scale (1, 10, 100, 1000, 10000) for SNMP, NTP, DNS-NS, DNS-OR, NetBios, SSDP, CharGen, QOTD, BitTorrent, Kad, Quake 3, Steam, ZAv2, Sality, Gameover; annotated values: 4670x, 10x, 15x]

Number of Amplifiers
[Figure]

Defense
Let's Play Defense
- Defensive Countermeasures
  - Attack Detection
  - Attack Filtering
  - Hardening Protocols
  - etc.

Further Countermeasures
- S.A.V.E. – Source Address Verification Everywhere
  - a.k.a. BCP38
  - Spoofing is the root cause for amplification attacks
- Implement proper handshakes in protocols
  - Switch to TCP
  - Re-implement such a handshake in UDP
- Rate limiting (with limited success)

Attack Detection at the Amplifier / Victim
[Figure]

Protocol Hardening: DNS
- Secure your open recursive resolvers
  - Restrict resolver access to your customers
  - See: http://www.team-cymru.org/Services/Resolvers/instructions.html
  - Check your network(s) at http://openresolverproject.org/
- Rate-limit at authoritative name servers
  - Response Rate Limiting (RRL) – now also in bind. See: http://www.redbarn.org/dns/ratelimits

Protocol Hardening: NTP
- Disable monlist at your NTP servers
  - Add to your ntp.conf: restrict default noquery
  - monlist is optional and not necessary for time sync
  - Check your network(s) at http://openntpproject.org/
- Filter monlist response packets
  - UDP source port 123 with IP packet length 468
  - Only very few (non-killer) legitimate monlist use cases

Conclusion
- 14+ UDP-based protocols are vulnerable to amplification
- We can mitigate individual amplification vectors
  - NTP: Down to 8% of vulnerable servers in 7 weeks
  - DNS: Still 25M open resolvers – let's close them!

More Slides
- Detailed BAF and PAF per Protocol
- Measuring Amplification Rates (2/2)
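The BAF and PAF definitions from "Measuring Amplification Rates (1/2)" and the "Attack Detection at the Amplifier / Victim" slide can be turned into a small detector that works on packet records, for example from a flow export or a capture summary. The following is an added example, not code from the talk: it pairs requests to a known amplifier with the responses the amplifier sends back, derives UDP payload lengths from IP total lengths (assuming an IPv4 header without options plus the 8-byte UDP header), computes BAF and PAF per (amplifier, client) pair, and flags pairs above a chosen BAF threshold. The packet records, IP addresses and the threshold of 10x are constructed for illustration.

```python
"""Amplification detection over packet records (added example).

BAF = UDP payload bytes at victim / UDP payload bytes from attacker
PAF = IP packets at victim      / IP packets from attacker

A spoofed request carries the victim's address as source, so at the amplifier
the "client" of a request is the (future) victim; the factors are computed per
(amplifier, client) pair.
"""
from collections import defaultdict

# 20-byte IPv4 header without options + 8-byte UDP header (assumption for this example)
IP_UDP_HEADERS = 28


def udp_payload(ip_len: int) -> int:
    """UDP payload bytes for an IPv4/UDP packet of the given total length."""
    return max(ip_len - IP_UDP_HEADERS, 0)


def amplification_factors(records, servers, service_port):
    """Return {(amplifier_ip, client_ip): (BAF, PAF)}.

    records:      iterable of (src_ip, src_port, dst_ip, dst_port, ip_len)
    servers:      set of IPs known to run the service (the amplifiers we watch)
    service_port: UDP port of the service (123 for NTP, 53 for DNS, ...)

    A request is a packet to a server on service_port; a response is a packet
    from a server on service_port. Using the server set avoids misclassifying
    symmetric traffic (e.g. NTP client port 123 <-> server port 123).
    """
    req_bytes, req_pkts = defaultdict(int), defaultdict(int)
    resp_bytes, resp_pkts = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, ip_len in records:
        if dst in servers and dport == service_port:
            key = (dst, src)
            req_bytes[key] += udp_payload(ip_len)
            req_pkts[key] += 1
        elif src in servers and sport == service_port:
            key = (src, dst)
            resp_bytes[key] += udp_payload(ip_len)
            resp_pkts[key] += 1
    factors = {}
    for key in set(req_pkts) | set(resp_pkts):
        # Responses without any observed request (or zero-byte requests) give no factor.
        if req_pkts[key] == 0 or req_bytes[key] == 0:
            continue
        factors[key] = (resp_bytes[key] / req_bytes[key], resp_pkts[key] / req_pkts[key])
    return factors


def suspicious_pairs(records, servers, service_port, baf_threshold=10.0):
    """(amplifier, client) pairs whose BAF reaches the threshold, sorted."""
    factors = amplification_factors(records, servers, service_port)
    return sorted(k for k, (baf, _paf) in factors.items() if baf >= baf_threshold)


def sample_records():
    """Constructed packet records (not measurements from the talk).

    One 22-byte-payload request "from" 198.51.100.7 (spoofed victim) to the
    NTP server 203.0.113.10 is answered with 100 packets of IP length 468,
    while a normal client 192.0.2.5 gets a single 48-byte reply to a 48-byte query.
    """
    records = [("198.51.100.7", 40000, "203.0.113.10", 123, 50)]
    records += [("203.0.113.10", 123, "198.51.100.7", 40000, 468)] * 100
    records += [("192.0.2.5", 50000, "203.0.113.10", 123, 76),
                ("203.0.113.10", 123, "192.0.2.5", 50000, 76)]
    return records


if __name__ == "__main__":
    servers = {"203.0.113.10"}
    for pair, (baf, paf) in amplification_factors(sample_records(), servers, 123).items():
        print(f"{pair[0]} -> {pair[1]}: BAF={baf:.1f} PAF={paf:.1f}")
    print("suspicious:", suspicious_pairs(sample_records(), servers, 123))
```

Run on the constructed sample, the spoofed pair comes out at BAF 2000 and PAF 100, the benign client at 1.0 and 1.0; only the former is reported. On real data the same aggregation is cheap enough to run over flow records at the amplifier side or at the victim's upstream.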
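Response Rate Limiting, referenced under "Protocol Hardening: DNS", limits how often an authoritative server repeats the same answer to the same client network, so that a spoofed victim does not receive an unbounded stream of identical large responses. The following is an added example of the core policy, not BIND's implementation and not code from the talk: responses are bucketed by (client prefix, response identity) per one-second window; responses within the budget are sent, excess responses are dropped, except that every "slip"-th excess response is sent as a truncated reply so that a genuine client can retry over TCP. The /24 and /56 prefix lengths, the budget of 5 responses per second, slip 2 and the sample addresses are constructed for illustration.

```python
"""Simplified Response Rate Limiting (RRL) model (added example, not BIND's code).

decide() returns one of:
  "send" - response within the per-window budget
  "slip" - budget exceeded; send a truncated (TC=1) reply so real clients retry via TCP
  "drop" - budget exceeded; send nothing
"""
import ipaddress
from collections import Counter


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2, v4_prefix=24, v6_prefix=56):
        self.rps = responses_per_second
        self.slip = slip          # every slip-th excess response is truncated instead of dropped
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self._state = {}          # bucket key -> [window, count]

    def bucket_key(self, client_ip, response_id):
        """Clients are aggregated per prefix; responses per identity (e.g. name, type)."""
        addr = ipaddress.ip_address(client_ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        return (str(net), response_id)

    def decide(self, now, client_ip, response_id):
        key = self.bucket_key(client_ip, response_id)
        window = int(now)         # one-second windows
        state = self._state.get(key)
        if state is None or state[0] != window:
            state = [window, 0]   # new window: budget resets
            self._state[key] = state
        state[1] += 1
        if state[1] <= self.rps:
            return "send"
        excess = state[1] - self.rps
        if self.slip and excess % self.slip == 0:
            return "slip"
        return "drop"


def simulate_flood(n=20, now=10.2, client="198.51.100.7",
                   response_id=("example.com.", "ANY"), limiter=None):
    """Feed n identical responses for one client into the limiter; count decisions.

    The client address and query are constructed sample values.
    """
    limiter = limiter or ResponseRateLimiter()
    return Counter(limiter.decide(now, client, response_id) for _ in range(n))


if __name__ == "__main__":
    print(dict(simulate_flood()))
```

With the default settings, 20 identical responses requested within one second toward the same /24 yield 5 sent, 7 truncated and 8 dropped; a different response identity or a client in another prefix has its own budget, and the next second starts afresh. The truncated replies are what keeps legitimate resolvers working: they fall back to TCP, which a spoofing attacker cannot complete.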
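The two NTP hardening measures on "Protocol Hardening: NTP" are both mechanical checks: a packet filter rule for monlist responses (UDP source port 123, IP packet length 468) and a configuration line (restrict default noquery). The following is an added example, not code from the talk: it implements the packet signature as a filter over packet records and audits an ntp.conf for restrict default lines that carry noquery (or ignore, which also denies queries). The sample packet records and the two sample ntp.conf fragments are constructed; the handling of the -4/-6 address-family variants of restrict default follows ntpd's configuration syntax.

```python
"""NTP monlist hardening checks (added example, not from the talk).

1. Packet filter signature: monlist responses are UDP with source port 123
   and an IP packet length of 468 (the signature given on the slide).
2. ntp.conf audit: monlist is a mode 7 query, which 'restrict default noquery'
   denies; 'ignore' denies everything and therefore also suffices.
"""
import re

NTP_PORT = 123
MONLIST_RESPONSE_LEN = 468   # IP packet length of a monlist response packet


def is_monlist_response(proto: str, src_port: int, ip_len: int) -> bool:
    return proto.lower() == "udp" and src_port == NTP_PORT and ip_len == MONLIST_RESPONSE_LEN


def filter_monlist(records):
    """Split (proto, src_ip, src_port, dst_ip, dst_port, ip_len) records into (kept, dropped)."""
    kept, dropped = [], []
    for rec in records:
        proto, _src, sport, _dst, _dport, ip_len = rec
        (dropped if is_monlist_response(proto, sport, ip_len) else kept).append(rec)
    return kept, dropped


# 'restrict default ...', optionally with an address family: 'restrict -4 default', 'restrict -6 default'
RESTRICT_DEFAULT_RE = re.compile(r"^\s*restrict\s+(?:-[46]\s+)?default\b(.*)$")


def default_restrict_flags(ntp_conf: str):
    """Flag sets of every 'restrict default' line (comments stripped)."""
    flag_sets = []
    for line in ntp_conf.splitlines():
        line = line.split("#", 1)[0]
        m = RESTRICT_DEFAULT_RE.match(line)
        if m:
            flag_sets.append(set(m.group(1).split()))
    return flag_sets


def monlist_blocked(ntp_conf: str) -> bool:
    """True only if every 'restrict default' line denies queries.

    No 'restrict default' line at all means the default policy allows queries,
    so monlist is reachable; a v4 line with noquery and a v6 line without it
    leaves monlist reachable over IPv6.
    """
    flag_sets = default_restrict_flags(ntp_conf)
    return bool(flag_sets) and all(("noquery" in f) or ("ignore" in f) for f in flag_sets)


# Constructed sample configurations (not from the talk).
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap   # queries, and thus monlist, still allowed
restrict 127.0.0.1
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict -4 default kod nomodify notrap noquery
restrict -6 default kod nomodify notrap noquery
restrict 127.0.0.1
"""

# Constructed packet records: one monlist response, one normal 48-byte NTP reply.
SAMPLE_PACKETS = [
    ("udp", "203.0.113.10", 123, "198.51.100.7", 40000, 468),
    ("udp", "203.0.113.10", 123, "192.0.2.5", 50000, 76),
]

if __name__ == "__main__":
    print("weak config blocks monlist:", monlist_blocked(WEAK_CONF))
    print("hardened config blocks monlist:", monlist_blocked(HARDENED_CONF))
    kept, dropped = filter_monlist(SAMPLE_PACKETS)
    print(f"kept {len(kept)}, dropped {len(dropped)} monlist response(s)")
```

The length-based filter is a stopgap for networks that cannot reconfigure every server immediately; the configuration change removes the vector altogether, and the audit makes it easy to verify that both address families are covered.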