DDoS: Undeniably A Global Internet Problem Looking For A Global Solution - RIPE 84

Transcription

DDoS: Undeniably a global Internet problem looking for a global solution
RIPE-41 EOF Tutorial, January 15, 2002, Amsterdam
Yehuda Afek and Hank Nussbacher, Wanwall Ltd.

Good morning ladies and gentlemen, it is nice to be back in Amsterdam!

Yehuda Afek: CTO & founder of Wanwall Inc. and Professor of Computer Science at Tel-Aviv University.
Hank Nussbacher: Internet and security consultant with over 20 years of experience.
Wanwall Inc.: a company providing systems to defeat and stop DDoS attacks - the DDOS Protection Company, www.wanwall.com

Outline
 2. DDoS: What & How
 3. Events, History and Today
 4. DDoS attacks, physics & mechanisms
 5. Measurements
 6./7. Standards & Academia
 8. Detection
 9. Protection and Defense
10. DDoS companies
11. Links

DDoS
[diagram: the hacker sends control traffic to masters, the masters to zombies; the zombies' attack traffic crosses the ISP edge, floods the router and the pipe into the customer's premises (server / FW / switch / router) and hits the victim web server - "drinking from the fire hose"]

Who cares?
- 2/2000: 1.2 billion cost to the US market; 100 million revenue loss
- 1/2001: tens of millions in damage due to the attack on Microsoft
- 5/2001: Whitehouse site down six hours
- 6/2001: CERT down twice for seven hours
- 6/2001: Weather.com
- 7/2001: Lufthansa.com
- 8/2001: White House ('Code Red')
- 9/2001: Deutsche Bank
- 10/2001: NY Times
- 11/2001: Attacks targeting routers (IDG News)
- 4,000 attacks per week (CAIDA)

Who cares? (2)
- Everybody is vulnerable: ISPs, hosting centers, ASPs, government, banks and financial institutions, e-commerce, DNS servers, email accounts
- Easy to mount: download, click and launch

Background: motives
- Showing off
- Terror
- Cyberspace demonstrations
- Ransom, blackmail
- Getting your aggression out in cyberspace
- Boredom
- Same as in real life


DDoS is NOT
- Information theft (passwords, credit cards)
- Financial fraud
- System penetration / obtaining root permission
- System crashing by buffer overflow / smashing the stack
- Breaking crypto

Problem on the rise
[chart, 1980 to 2002: attack volume and sophistication keep rising (password guessing, password cracking, self loops, ...) while system administrator skill and staff per number of networks decline]

3. Events, History and Today

Events - prehistory
- Shoch & Hupp, "The 'Worm' Programs - Early Experience with a Distributed Computation", Communications of the ACM, March 1982
- Meant to be a memory diagnostic program
- 100 Alto computers brought to a standstill on an Ethernet
- Used forced multicast since multicast didn't exist then!

Evolution of attacks
- Sep 1996: Panix under SYN attack
- Jan 1997: Romanian hacker SYN floods Undernet (IRC net). "We have some of the greatest minds in Internet technology here, and they couldn't do anything [to stop the attack]" - Wired, Jan 14, 1997
- Jan 1998: Tribe flooding tool appears for mIRC
- Jan 1998: Smurf attacks cripple ISPs
- March 1998: Smurf attack on University of Minnesota
- Aug 1999: Trinoo and TFN appear - a major attack not long in coming!

Evolution of attacks (2)
- 02-2000: Infamous DDoS attacks (Yahoo, eBay, CNN); TFN2K, Stacheldraht
- 03-2000: Shaft
- 04-2000: DNS amplification attacks, mstream
- 05-2000: VBS/Loveletter
- 07-2000: Hybris
- 08-2000: Trinity IRC-based DDoS tool (Unix)
- 11-2000: Multiple IRC-based DDoS tools (Windows), NAPHTA
Source: NANOG23, http://www.nanog.org/mtg-0110/ppt/houle

Mafiaboy timeline, Feb 7, 8, 9 2000

  Date   Target       Start time       Duration
  Feb 7  Yahoo        Mon 10:20 a.m.   3 hours
  Feb 8  Buy.com      Tues 10:50 a.m.  3 hours
  Feb 8  eBay         Tues 3:20 p.m.   90 minutes
  Feb 8  CNN.com      Tues 4:00 p.m.   110 minutes
  Feb 8  Amazon.com   Tues 5:00 p.m.   1 hour
  Feb 9  E*Trade      Wed 5:00 a.m.    90 minutes
  Feb 9  Datek        Wed 6:35 a.m.    30 minutes
  Feb 9  ZDNet        Wed 6:45 a.m.    3 hours

Tools evolution: 2001
- 01-2001: Ramen worm
- 02-2001: VBS/OnTheFly (Anna Kournikova), 1i0n worm
- 03-2001: Stick
- 04-2001: Adore/Red worm, carko DDoS tool
- 05-2001: cheese worm, w0rmkit worm, sadmind/IIS worm
- 06-2001: Maniac worm, Code Red worm
- 07-2001: W32/Sircam, Leaves, Code Red II, various telnetd worms, various IRC-based DDoS tools (knight, kaiten)
- 09-2001: Nimda worm, Code Blue
- 12-2001: Goner worm
Source: NANOG23, http://www.nanog.org/mtg-0110/ppt/houle/

Code Red spread
Over 350,000 IIS servers infected in less than 14 hours! (CAIDA stats)

4.1 DDoS attacks: ammunition

Ammunition: packet crafting
- Any field in any header (except DST)
- Any combination of fields
- Randomization
[diagram: IP header (DST, SRC, protocol, CRC), TCP header (ports, SYN, FIN), HTTP (SSL, GET, URL, CGI), all aimed at www.victim.com]

Standard ammunition
  TCP:  SYN, ACK, FIN, RST
  UDP:  different sizes
  ICMP: redirect, unreachable
  DNS:  requests, replies
  Plus: SRC spoofing, amplification, impossible flag combinations, illegal headers
Simple, effective - why change?

Additional types of ammunition: HTTP requests
  Legal:   heavy application requests; many connections
  Illegal: incomplete connections

Summary

  Attack                                    Protocol
  SYN                                       TCP
  Smurf                                     ICMP
  DNS reply / queries flood                 UDP
  IGMP flood                                IGMP
  Fraggle (UDP loop)                        UDP
  TCP flood                                 TCP NUL, TCP RST, TCP ACK
  UDP reflectors                            UDP
  TCP reflectors (SYN/ACK)                  TCP
  Client (URL) attacks, refresh and error   HTTP

Generic attacks
[the packet-field diagram again: DST, SRC, protocol, CRC, ports, SYN, FIN, SSL, GET, URL, CGI, www.victim.com]

  Name of attack       Flooding capabilities
  Land                 TCP SYN (SRC = DST)
  SYN                  TCP SYN (spoofed SRC)
  Smurf                ICMP via amplifiers
  ICMP redirect        ICMP
  IGMP flood           IGMP
  Fraggle (UDP loop)   UDP smurfing
  TCP flood            TCP NUL, TCP RST, TCP ACK
  UDP reflectors       UDP (ICMPs: unreachable, redirect)
  URL client attacks   HTTP over TCP
  VPN attacks          TCP, GRE or IPIP
  Teardrop             IP fragments (overlapping)
  Ping of death        oversized ICMP (more than 65535 bytes in total)
  Open/close           TCP, UDP (inetd)
  ICMP Unreachable     spoofed ICMP unreachable
  IRDP                 ICMP router discovery, mass routing tables
  ARP redirect         ARP

TCP SYN flood
[diagram: a normal client sends a syn request and the server answers synack; zombies send spoofed syn requests, the victim answers synack to the spoofed addresses and its waiting (half-open connection) buffer overflows]
One of the first CERT DDoS advisories issued - 9/1996: http://www.cert.org/advisories/CA-1996-21.html

Teardrop / Land attack
- Dec 1997
- Land: source and destination IP are the same, causing the response to loop
- Teardrop: send overlapping IP fragments
- http://www.cert.org/advisories/CA-1997-28.html

NAPHTA: TCP connections
- By repeatedly establishing a connection and then abandoning it, an attacker can tie up resources and fill up the TCP connections buffer
- http://people.internet2.edu/~shalunov/netkill

Smurf amplification
[diagram: the zombie sends ICMP echo requests (ping.rqst) with src = victim to the directed broadcast address of the amplifier network, amp.255 (amp/255.255.255.0); every host on that network (shown as 500 of them) replies to the victim; 1 Jan 1998]

ICMP Unreachable
[diagram: client and server complete the handshake (syn rqst, synack, connection established); the attacker then sends a spoofed ICMP unreachable for the client's address and the connection is RESET]
Causes all legitimate TCP connections to the spoofed IP addresses to be torn down.
Link (truncated in the source): 4/default.htm

Looping UDP
First known CERT DDoS advisory - Feb 1996: http://www.cert.org/advisories/CA-1996-01.html
http://www-arc.com/sara/cve/Possible DoS problem.html
[diagram: the attacker (zombie) sends one spoofed packet so that the echo service (7) on one server and the chargen service (19) on another keep answering each other]

DNS attack
- DNS requests: spoofing; random requests; reflectors
- DNS replies: spoofing; junk

Reflectors - bandwidth attack
- A reflector returns a packet if one is sent to it: web servers, DNS servers and routers
  - return SYN/ACK or RST in response to a SYN or another TCP packet with ACK
  - return a query reply in response to a query
  - return ICMP Time Exceeded or Host Unreachable in response to particular IP packets
- The attacker has the zombies spoof the victim's IP address as source, so the reflectors' replies go to the victim
- Vern Paxson, "An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks", ACM CCR 2001 (...ors.CCR.01.pdf)

Reflectors
[diagrams: the attacker reaches the zombies through a socks proxy and a chain of proxies; the zombies send spoofed requests to web servers, DNS servers and routers, which act as reflectors and answer towards the victim]

Client attack
- URL attacks: repeated requests; repeated REFRESH; random URLs (avoids the proxy cache, makes the server work hard, produces a large log file)
- cgi, long forms, heavy search requests
- http://all.net/journal/netsec/9512.html


4.2 DDoS attack tools

Probing stage
- Most DDoS attack tools run on compromised computers
- Attackers scan systems for non-secured services
- Many automated scanning tools around

Attack tools 1: FAPI
- Spoofs IP addresses
- UDP packets to random or specified ports
- Automatic termination at a specified time
- One of the first tools available, May 1998

Attack tools 2: Trinoo
- UDP attacks to random ports
- Defaults: 120 seconds (max 1999 seconds), packet size 1000 octets
- Master-slave communication in the clear over TCP and UDP
- Does not support IP spoofing
- Link: http://xforce.iss.net/alerts/advise40.php

Attack tools 3: TFN
- Spoofs IP addresses
- Master and zombie communicate by ICMP echo reply
- Flooding: ICMP echo, TCP SYN, UDP flood (trinoo emulation), Smurf
- Link: http://xforce.iss.net/alerts/advise43.php

TFN code (excerpt of td.c as shown on the slide)

    /* td.c - tribe flood network synflooder (c) 1999 by Mixter - PRIVATE */
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netinet/ip.h>
    #include <netinet/tcp.h>
    #include <stdlib.h>
    #include <time.h>

    char synb[8192];

    void
    syn (u_long victim, u_short port)
    {
      struct sockaddr_in sin;
      struct iphdr *ih = (struct iphdr *) synb;
      struct tcphdr *th = (struct tcphdr *) (synb + sizeof (struct iphdr));

      srandom ((time (NULL) + random ()));
      ih->version = 4;
      ih->ihl = 5;
      ih->tos = 0x00;
      ih->tot_len = sizeof (ih) + sizeof (th);   /* sizeof of the two pointers, not of the headers */
      ih->id = htons (random ());
      ih->frag_off = 0;
      ih->ttl = 255;
      ih->protocol = 6;                          /* TCP */
      /* ... the remainder of the function is not shown on the slide ... */
    }

TFN GUI

    sun17# tfn
    usage: tfn <options>
      [-P protocol]       Protocol for server communication. Can be ICMP, UDP or TCP.
                          Uses a random protocol as default
      [-D n]              Send out n bogus requests for each real one to decoy targets
      [-S host/ip]        Specify your source IP. Randomly spoofed by default, use your
                          real IP if you are behind spoof-filtering routers
      [-f hostlist]       Filename with list of hosts with TFN servers to contact
      [-p port]           A TCP destination port can be specified for SYN floods
      [-i target string]  Contains options/targets separated by '@', see below
      <-c command ID>
         0 - Halt all current floods on server(s) immediately
         1 - Change IP antispoof-level (evade rfc2267 filtering)
             usage: -i 0 (fully spoofed) to -i 3 (/24 host bytes spoofed)
         2 - Change Packet size, usage: -i <packet size in bytes>
         3 - Bind root shell to a port, usage: -i <remote port>
         4 - UDP flood, usage: -i victim@victim2@victim3@...
         5 - TCP/SYN flood, usage: -i victim@... [-p destination port]
         6 - ICMP/PING flood, usage: -i victim@...
         7 - ICMP/SMURF flood, usage: -i victim@broadcast@broadcast2@...
         8 - MIX flood (UDP/TCP/ICMP interchanged), usage: -i victim@...
         9 - TARGA3 flood (IP stack penetration), usage: -i victim@...
        10 - Blindly execute remote shell command, usage -i command

TFN GUI (2) - mixed attack

    sun18# tfn -r slaves -i victim-ip -c8
    Protocol      : random
    Source IP     : random
    Client input  : list
    Target(s)     : 192.168.252.5@192.168.252.5
    Command       : commence syn flood, port: random
    Sending out packets: ...

Other commands seen in the same session: bind shell(s) to port 192..., commence udp flood, commence icmp echo flood, commence icmp broadcast (smurf) flood, commence mix flood, commence targa3 attack

TFN: the result (tcpdump on the victim; the later lines are cut off on the slide)

    17:21:04.506166 eth0 > 194.49.187.0.46704 > 192.168.252.5.1896: S 5170376:5170396(20) win 2671 urg 12565
    17:21:04.516166 eth0 > 234.63.125.0.37201 > 192.168.252.5.30309: S 11047630:11047650(20) win 1997 urg 19011
    17:21:04.516166 eth0 > 39.213.139.0.7910 > 192.168.252.5.43813: S 2125087:2125107(20) win 14958 urg 60724
    17:21:04.516166 eth0 > 43.105.6.0.4744 > 192.168.252.5.3424: S 6254394:6254414(20) win 33694 urg 42255
    17:21:04.516166 eth0 > 66.217.70.0.22670 > 192.168.252.5.6337: S 13843234:13843254(20) win 11437 urg 24737
    17:21:04.516166 eth0 > 235.178.30.0.45851 > 192.168.252.5.30524:
    17:21:04.516166 eth0 > 90.254.119.0.25388 > 192.168.252.5.31123:
    17:21:04.516166 eth0 > 119.74.222.0.16422 > 192.168.252.5.6950:
    17:21:04.516166 eth0 > 97.62.6.0.42978 > 192.168.252.5.10888:
    17:21:04.516166 eth0 > 4.205.185.0.54120 > 192.168.252.5.6432:
    17:21:04.516166 eth0 > 217.96.68.0.59220 > 192.168.252.5.65030:
    17:21:04.516166 eth0 > 35.109.153.0.22810 > 192.168.252.5.15604:
    17:21:04.516166 eth0 > 37.200.46.0.32360 > 192.168.252.5.52882:
    17:21:04.516166 eth0 > 60.174.10.0.23938 > 192.168.252.5.3478:
    17:21:04.516166 eth0 > 245.117.36.0.34314 > 192.168.252.5.61235:
    17:21:04.516166 eth0 > 210.91.134.0.20053 > 192.168.252.5.12545:
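The capture above has the shape every SYN flood from a spoofing tool leaves: many bare SYNs to one host inside one second, a different source on every line, and (for TFN's default spoofing) a host byte of zero. The following is an added example, not code from the tutorial: a parser for that old-style Linux tcpdump format and a triage function that flags destinations by exactly those three properties. The five complete lines from the slide are used as input (with the direction arrows the transcription dropped restored); the two lines of ordinary traffic to 192.168.252.9 are constructed.

```python
"""SYN-flood triage over old-style Linux tcpdump lines (added example)."""
import re
from collections import defaultdict

# tcpdump 3.4-era Linux output, as on the slide:
#   HH:MM:SS.usec  iface  <|>  src.sport > dst.dport: FLAGS seq:seq(len) win N [ack N] ...
LINE_RE = re.compile(
    r"^(?P<sec>\d{2}:\d{2}:\d{2})\.\d+\s+\S+\s+[<>]\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>\S+)(?P<rest>.*)$"
)

# The five complete lines from the slide, then two constructed lines of normal traffic:
# one real client opening a connection to 192.168.252.9 and the SYN/ACK coming back.
SAMPLE_LINES = [
    "17:21:04.506166 eth0 > 194.49.187.0.46704 > 192.168.252.5.1896: S 5170376:5170396(20) win 2671 urg 12565",
    "17:21:04.516166 eth0 > 234.63.125.0.37201 > 192.168.252.5.30309: S 11047630:11047650(20) win 1997 urg 19011",
    "17:21:04.516166 eth0 > 39.213.139.0.7910 > 192.168.252.5.43813: S 2125087:2125107(20) win 14958 urg 60724",
    "17:21:04.516166 eth0 > 43.105.6.0.4744 > 192.168.252.5.3424: S 6254394:6254414(20) win 33694 urg 42255",
    "17:21:04.516166 eth0 > 66.217.70.0.22670 > 192.168.252.5.6337: S 13843234:13843254(20) win 11437 urg 24737",
    "17:21:04.600000 eth0 < 10.1.2.3.40000 > 192.168.252.9.80: S 77001:77001(0) win 8760 <mss 1460>",
    "17:21:04.600900 eth0 > 192.168.252.9.80 > 10.1.2.3.40000: S 99001:99001(0) ack 77002 win 5840 <mss 1460>",
]


def parse(lines):
    """Yield one dict per parseable line; truncated or non-IP lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def is_bare_syn(rec):
    """SYN set, ACK clear. Old tcpdump prints a SYN/ACK as 'S ... ack N', not as 'S.'."""
    return rec["flags"] == "S" and " ack " not in rec["rest"]


def syn_flood_report(lines, min_syn_per_sec=4):
    """Return {dst: stats} for each destination that saw >= min_syn_per_sec bare SYNs
    within one second. unique_sources equal to syns means no source repeated (spoofing);
    zero_host_octet is the share of sources ending in .0, TFN's pattern in the capture."""
    per_dst_sec = defaultdict(lambda: defaultdict(list))  # dst -> second -> [src, ...]
    for rec in parse(lines):
        if is_bare_syn(rec):
            per_dst_sec[rec["dst"]][rec["sec"]].append(rec["src"])

    report = {}
    for dst, per_sec in per_dst_sec.items():
        worst = max(per_sec, key=lambda s: len(per_sec[s]))
        srcs = per_sec[worst]
        if len(srcs) < min_syn_per_sec:
            continue
        report[dst] = {
            "second": worst,
            "syns": len(srcs),
            "unique_sources": len(set(srcs)),
            "zero_host_octet": sum(1 for s in srcs if s.endswith(".0")) / len(srcs),
        }
    return report


if __name__ == "__main__":
    for dst, stats in syn_flood_report(SAMPLE_LINES).items():
        print(dst, stats)
```

The SYN/ACK check matters: a busy server legitimately emits many SYN/ACKs per second, and counting them would flag every popular web server as a victim. The zero-host-octet ratio is specific to this tool's default and is only a hint; the source-uniqueness ratio is the durable signal.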

Attack tools 4: TFN2K
- Like TFN, but the zombie is almost always silent - difficult to spot
- Master sends each command 20x to the zombies in the hope that one copy will get through
- Master-to-zombie communication is encrypted
- Attack signatures:
  - TCP header length field is always 0
  - UDP packet length (as it appears in the UDP header) is 3 bytes longer than the actual length of the packet
  - UDP and TCP checksums do not include the 12-byte pseudo-header and therefore the checksums are always incorrect
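The three signatures above are all checkable from the bytes on the wire, given the IP addresses. The following added example (not code from the tutorial or from TFN2K) builds a UDP segment the way a correct stack does and the way the slide describes TFN2K doing it, then shows the two checks a sensor applies: the UDP length field against the bytes actually present, and the checksum recomputed with the RFC 768 pseudo-header. A TCP header with a zero data offset covers the third signature. Addresses, ports and payload are constructed.

```python
"""Checking UDP/TCP segments for the TFN2K packet-level signatures (added example)."""
import ipaddress
import struct

IPPROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, length: int, proto: int = IPPROTO_UDP) -> bytes:
    """The 12 bytes RFC 768/793 prepend to the segment when computing its checksum."""
    return (ipaddress.ip_address(src_ip).packed
            + ipaddress.ip_address(dst_ip).packed
            + struct.pack("!BBH", 0, proto, length))


def build_udp(src_ip, dst_ip, sport, dport, payload: bytes, tfn2k_style=False) -> bytes:
    """Return a UDP segment; tfn2k_style=True reproduces the two defects the slide lists."""
    real_len = 8 + len(payload)
    length_field = real_len + 3 if tfn2k_style else real_len
    seg = struct.pack("!HHHH", sport, dport, length_field, 0) + payload
    if tfn2k_style:
        cksum = inet_checksum(seg)                                   # pseudo-header omitted
    else:
        cksum = inet_checksum(pseudo_header(src_ip, dst_ip, real_len) + seg)
    cksum = cksum or 0xFFFF                                          # 0 means "no checksum" in UDP
    return seg[:6] + struct.pack("!H", cksum) + seg[8:]


def udp_indicators(src_ip, dst_ip, segment: bytes) -> dict:
    """What a sensor can verify from the IP addresses and the UDP bytes alone."""
    sport, dport, length_field, stored = struct.unpack("!HHHH", segment[:8])
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    expected = inet_checksum(pseudo_header(src_ip, dst_ip, length_field) + zeroed) or 0xFFFF
    return {
        "length_excess": length_field - len(segment),        # TFN2K: always 3
        "bad_checksum": stored != 0 and stored != expected,  # TFN2K: always True
    }


def build_tcp_header(sport, dport, flags, data_offset_words=5) -> bytes:
    """Minimal 20-byte TCP header; TFN2K leaves the data-offset (header length) field at 0."""
    off_flags = (data_offset_words << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", sport, dport, 0x1000, 0, off_flags, 8192, 0, 0)


def tcp_header_length_zero(segment: bytes) -> bool:
    return (segment[12] >> 4) == 0


# constructed sample traffic: one honest datagram, one TFN2K-style datagram, same for TCP
SRC, DST = "10.0.0.1", "192.168.252.5"
PAYLOAD = b"hello, world"
GOOD_UDP = build_udp(SRC, DST, 40000, 53, PAYLOAD)
TFN2K_UDP = build_udp(SRC, DST, 40000, 53, PAYLOAD, tfn2k_style=True)
GOOD_TCP = build_tcp_header(40000, 80, flags=0x02)                   # SYN, 20-byte header
TFN2K_TCP = build_tcp_header(40000, 80, flags=0x02, data_offset_words=0)

if __name__ == "__main__":
    print("good ", udp_indicators(SRC, DST, GOOD_UDP), tcp_header_length_zero(GOOD_TCP))
    print("tfn2k", udp_indicators(SRC, DST, TFN2K_UDP), tcp_header_length_zero(TFN2K_TCP))
```

Note the caveat built into the checksum test: a stored UDP checksum of 0 is legal in IPv4 and means "not computed", so it must not be counted as bad. The pseudo-header includes the addresses, which is why the check needs the IP header too and why a NAT in the path rewrites the checksum.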

Attack tools 5: Stacheldraht
- Stacheldraht (v4 and v2.666)
- Attacks: UDP, ICMP, TCP SYN, Smurf
- Uses encryption for communication, but not for the ICMP heartbeat packets the zombie sends to the master
- Auto-update feature via rcp
- Can test (via ICMP echo) whether it is able to use spoofed IP addresses
- v2.666 added TCP ACK and TCP NUL attacks
- Link: http://xforce.iss.net/alerts/advise61.php

Attack tools 6: Shaft
- Optional IP spoofing capabilities
- Ports: master to zombie 18753/udp; zombie to master 20433/udp
- An attack timer
- Provides statistics to the master
- Can set ICMP and UDP packet size
- Link: http://www.adelphi.edu/~spock/lisa2000-shaft.pdf

Attack tools 7: Mstream
- TCP port 12754
- Master to zombie via telnet; communication not encrypted
- Attack: TCP ACK flood. The target gets hit by ACK packets and sends TCP RST packets to the (spoofed) non-existent IP addresses; routers return ICMP unreachable, causing more bandwidth starvation
- Link: http://xforce.iss.net/alerts/advise48.php

Attack tools 8: Omega
- Spoofs IP addresses
- Zombies use "chat"
- Attacks: TCP ACK, UDP, ICMP
- Introduced the IGMP flood (multicast). The Internet Group Management Protocol provides a way for an Internet computer to report its multicast group membership to adjacent routers

Attack tools 9: Trinity
- Also known as Myserver and Plague
- Attacks: UDP, TCP fragments, TCP SYN, TCP RST, TCP random-flag, TCP ACK, TCP establish, TCP NUL
- Listens on TCP port 3370
- When the zombie is idle it connects to Undernet IRC on port 6667
- Link: http://xforce.iss.net/alerts/advise59.php

Attack tools 10: Ramen
- Self-propagating worm
- Scans /16s for port 21 (FTP)
- SYN scanning by ramen causes a DDoS on the IP multicast range
- Link: http://xforce.iss.net/alerts/advise71.php

Attack tools 11: Naphta
- Exploits weaknesses in TCP stacks with a large number of connections in states other than SYN_RECVD, including ESTABLISHED and FIN_WAIT_1
- Link (truncated in the source): es/adv 21.html

Attack tools 12: IRC bots
- Zombie systems controlled via a central IRC channel
- Uses the Sub7 trojan to maintain remote control of the zombies
- Links: http://grc.com/dos/grcdos.htm ; http://www.cert.org/advisories/CA-2001-20.html

Attack tools 13: Worms
- Code Red, Power Worm, Nimda, SQL Voyager
- All exploit Microsoft holes, turning systems into zombies
- Links: http://www.cert.org/advisories/CA-2001-19.html ; http://www.cert.org/advisories/CA-2001-23.html ; http://www.cert.org/advisories/CA-2001-11.html ; http://www.cert.org/advisories/CA-2001-26.html

Attack tools 14: Routers
- Routers are being scanned
- Password: cisco
- Using ICMP to packet a victim
- Haven't discovered ttcp, yet!
- Juniper is a FreeBSD derivative
- Use your imagination

Quoted post, Jan 3, 2002:
  "Hello y'all
   My name is Bubba, and down here in the south, we try some mighty fine things with these here Junipers. One day, I sat me down and thought long and hard about what to do with my router. Heck, you've got yourself a powerful FreeBSD system on dat dare routing engine, and it's a bitching thing to use. Here are some of my ideas of how to use all of them thar idle cpu cycles:"

Smurf tool
[screenshot: the Smurf attack tool, which came out in March 1999; packet size can be set from 10 to 1300 octets]

HTTP attack tool
[screenshot: "Where to attack" (www.victim.com, "Click to get latest victim"), "Control how fast to attack", proxy server www.proxyserver.com; first came out in January 1999]

Attack tools: others not covered
- Blitznet (3k.txt)
- Trank
- Carko
- ak88 k
- Stick
- http://xforce.iss.net/alerts/advise74.php

Summary of tools

  Tool                                    Attacks
  Trinoo                                  UDP random ports
  TFN / TFN-2K                            spoofed UDP, ICMP, TCP SYN, Smurf
  Stacheldraht v4 / v2.666                spoofed UDP, ICMP, TCP SYN, Smurf, TCP ACK, TCP NUL
  FAPI                                    UDP, TCP SYN, TCP ACK, ICMP
  Carko (Stacheldraht v1.666 anti-gl...)  UDP, ICMP, TCP SYN, Smurf, TCP ACK, TCP NUL
  (tool names cut off in the source)      ICMP
                                          UDP, ICMP, TCP SYN
                                          TCP ACK
                                          spoofed IP floods
                                          worm, multicast
                                          random ALL (TCP, UDP, long headers)
                                          multicast


5. Statistics

Statistics (CAIDA/UCSD)
- 4,000 attacks per week
- 40 - 200 concurrent attacks per hour
- Most last 10 minutes - 2 hours (average 1/2 hour)
- Top source countries: Romania (15%) and Brazil (7%)

Backscatter (CAIDA/UCSD; Moore, Voelker, Savage)
[diagram: the attacker floods the victim with spoofed sources; the victim's replies to those sources land all over the address space, and a monitored /8 captures 1/256 of each attack]

Attacks: bandwidth (from David Harmelin, DANTE)
[two pie charts: packet rate (100 - 500 pps, 500 - 1000 pps, > 1000 pps; highest seen 27,000 pps) and bandwidth (0.3 - 1 Mbps, > 1 Mbps; highest seen 32 Mbps). Approximate values only; low accuracy due to sampling.]

Attacks: duration (from David Harmelin, DANTE)
  < 15 min      58%
  15 - 30 min   19%
  30 - 60 min   11%
  > 60 min      12%


[chart] Notice some of the attacks above 10 Mb/sec!

Traffic history: signature [chart]


6. Standards

Standards
- itrace IETF working group, chaired by Steve Bellovin
- Two drafts: ICMP Traceback Messages [Bellovin]; Intention-Driven ICMP Trace-Back [Massey, Mankin]
- Link (truncated in the source): ...tml

7. Academia

Lots of academic/research work
- Traceback [Bellovin00, Savage et al.00, Burch & Cheswick99, Wu et al.00, Snoeren et al.01]
- CenterTrack [Stone]
- MULTOPS [Gil & Poletto]
- Pushback [Bellovin]

Tracing the attack
[diagram: router graph R0 ... R9, Ra, Rb, Rc, Ri, Rj with the victim behind R1]

Tracing the attack route
1. Hop by hop, router by router [Cisco, Juniper]
2. Effect on network [Burch & Cheswick99]
3. Auditing / probing the route: packet marking [Savage et al.00]; ICMP reports [Bellovin]; out of band [Stone, CenterTrack]
4. Logging [Snoeren et al.]

Hop by hop, router by router
[diagram: the same router graph, walking back from the victim one router at a time]

Effect on links
[diagram: the same router graph, inferring the attack path from the load it places on links]

Traceback (1): ICMP traceback (Bellovin)
- For very few packets (1 in 20,000) every router copies the packet content into a special ICMP traceback message containing information about the previous/next routers along the path
- The victim reconstructs the path to the attacker
- Problems: creates more traffic (about 0.1%); authentication; load on routers; some firewalls block ICMP traffic

Bellovin, Wu et al.: TraceBack
[diagram: the router graph; every 1000 packets a router sends an ICMP traceback message towards the victim]

Traceback - Savage et al.
- Savage, Wetherall, Karlin & Anderson
- A router marks the packet, with probability p, with the next hop the packet will flow through
- For a large flow of packets this method can determine the path and source
- Marking is done in the IP header ID field - problematic for fragmentation
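To make the marking and the reconstruction concrete, here is an added example (not code from the tutorial or from the paper) of the edge-sampling variant of probabilistic packet marking: each router, with probability p, overwrites the mark with its own address and a distance of zero; the next router fills in the far end of that edge and every router increments the distance. The victim chains the edges by distance. The triple is kept as three full fields so the algorithm is visible; the paper compresses it into the 16-bit IP ID field, which is why fragmentation is a problem. The router addresses are constructed, p = 1/6 is the value on the next slide's diagram, and the bound on packets needed is the one given in the paper.

```python
"""Probabilistic packet marking, edge-sampling variant (added example)."""
import math
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Marking:
    start: Optional[str] = None   # router that chose to mark
    end: Optional[str] = None     # its downstream neighbour, filled in by the next router
    distance: int = 0             # hops travelled since the mark was written


def mark(m: Marking, router: str, p: float, rng: random.Random) -> None:
    """Edge sampling as performed by one router on one packet."""
    if rng.random() < p:
        m.start, m.end, m.distance = router, None, 0
    else:
        if m.distance == 0:       # the previous hop just marked: record the edge's far end
            m.end = router
        m.distance += 1           # always incremented, so forged marks can only look farther away


def simulate(path: List[str], n_packets: int, p: float, seed: int = 1,
             forged: Optional[Marking] = None) -> List[Marking]:
    """Send n_packets along path (attacker side first, victim side last).
    If forged is given, the attacker pre-fills every packet's marking fields with it."""
    rng = random.Random(seed)
    received = []
    for _ in range(n_packets):
        m = Marking(forged.start, forged.end, forged.distance) if forged else Marking()
        for router in path:
            mark(m, router, p, rng)
        received.append(m)
    return received


def reconstruct(received: List[Marking]) -> List[str]:
    """Victim side: chain the sampled edges by distance, nearest router first.
    Stops at the first distance with no edge or with conflicting edges."""
    edges = {}
    for m in received:
        if m.start is not None:
            edges.setdefault(m.distance, set()).add((m.start, m.end))
    path, d = [], 0
    while d in edges:
        fits = [s for s, e in edges[d] if (e is None if d == 0 else (path and e == path[-1]))]
        if len(fits) != 1:
            break
        path.append(fits[0])
        d += 1
    return path


def expected_packets_bound(d: int, p: float) -> float:
    """Bound from the paper on the expected number of packets the victim needs for a
    path of d routers: ln(d) / (p (1-p)^(d-1))."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


# constructed 5-router path, attacker side first
ATTACK_PATH = ["10.0.0.1", "10.0.1.1", "10.0.2.1", "10.0.3.1", "10.0.4.1"]
P = 1 / 6

if __name__ == "__main__":
    print("nearest-first path:", reconstruct(simulate(ATTACK_PATH, 2000, P, seed=7)))
    forged = Marking("203.0.113.66", "203.0.113.67", 0)
    print("with forged marks: ", reconstruct(simulate(ATTACK_PATH, 2000, P, seed=7, forged=forged)))
    print("packets needed (bound):", round(expected_packets_bound(len(ATTACK_PATH), P), 1))
```

The forged-marking run shows the scheme's known limit: because every router increments the distance, an attacker's pre-filled edge arrives with a distance of at least the true path length, so it can only append a phantom hop beyond the real ingress router, never displace a genuine edge in front of it.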

Savage et al.
[diagram: the router graph with edge marking at probability p = 1/6]

Pushback - Bellovin, AT&T
- Issues: authentication; fairness to legitimate traffic; implementability

8. Detection

Detection: four approaches
- Tracing
- Netflow
- Optical splitters / port mirroring
- Remote monitoring

NOC
The #1 way to know there is an attack in progress is when a customer contacts your NOC!
[diagram: victim calling the NOC]

Backscatter Traceback
- Technique designed by Chris Morrow and Brian Gemberling of UUnet: http://www.secsup.org/Tracking/
- Concept: packets whose destination is unreachable cause an ICMP Unreachable to be sent back to the source. This "unreachable noise" is backscatter
- Requires a large "unused" block that is only routed internally

Backscatter Traceback: how it works (lots of setup!)
1. On every router, configure a static route for a tag next-hop address pointing to null0: 172.20.1.1 -> null0
2. Route the unused block 96.0.0.0/6 internally only, to the sinkhole router
3. The attack arrives at the victim, 191.1.1.1
4. Announce 191.1.1.1 with the special tag; the tag sets the next hop to 172.20.1.1, which every router sends to null0, so the attack packets are dropped at the routers where they enter the network
5. Each dropping router sends ICMP Unreachable back to the (spoofed) source addresses; the share of that backscatter addressed into 96/6 lands on the sinkhole router
6. The source addresses of those ICMP Unreachables are the ingress routers of the attack

Backscatter Traceback (2)
- Routers must generate ICMP Unreachables: interfaces must not be configured with "no ip unreachables"
- The sinkhole router advertises the prefix under attack (/32):
    ip route victimip 255.255.255.255 null0 tag 666
- Cons: complex method; time consuming; doesn't stop the attack, it only tells you where it is coming from; routers are meant to forward packets, not drop them
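The analysis step on the sinkhole is simple filtering and counting, and it is worth seeing what has to be filtered out. The following is an added example, not part of the tutorial or of the UUnet write-up: given the ICMP Unreachables collected on the sinkhole router, it keeps only those attracted by the dark block and quoting a packet aimed at the victim, and counts them per generating router. The prefixes follow the slide (96.0.0.0/6, victim 191.1.1.1); the router addresses and the captured records are constructed.

```python
"""Sinkhole-side analysis for backscatter traceback (added example)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

DARK_SPACE = ipaddress.ip_network("96.0.0.0/6")   # routed only inside the network, to the sinkhole


@dataclass(frozen=True)
class IcmpUnreachable:
    router: str       # outer IP source: the router that null-routed the packet and replied
    to: str           # outer IP destination: the spoofed source the attacker had used
    quoted_src: str   # inner (quoted) IP header: the spoofed source again
    quoted_dst: str   # inner (quoted) IP header: where the dropped packet was going


def ingress_routers(captures: Iterable[IcmpUnreachable], victim: str) -> Counter:
    """Backscatter count per generating router, restricted to messages the dark block
    attracted and that quote a packet aimed at the victim under attack."""
    counts = Counter()
    for c in captures:
        if ipaddress.ip_address(c.to) not in DARK_SPACE:
            continue                      # not attracted by our dark block
        if c.quoted_dst != victim:
            continue                      # unrelated drop elsewhere in the network
        counts[c.router] += 1
    return counts


def share_of_spoofed_sources_seen(dark: ipaddress.IPv4Network = DARK_SPACE) -> float:
    """If the attacker draws sources uniformly from the whole IPv4 space, this is the
    fraction of the backscatter the dark block attracts (a /6 sees 1/64 of it)."""
    return 1 / 2 ** dark.prefixlen


# constructed capture: the attack enters mostly at 10.255.0.2, a little at 10.255.0.3
SAMPLE_CAPTURE = [
    IcmpUnreachable("10.255.0.2", "96.12.0.7",  "96.12.0.7",  "191.1.1.1"),
    IcmpUnreachable("10.255.0.2", "97.200.4.4", "97.200.4.4", "191.1.1.1"),
    IcmpUnreachable("10.255.0.2", "99.1.1.9",   "99.1.1.9",   "191.1.1.1"),
    IcmpUnreachable("10.255.0.2", "98.77.6.5",  "98.77.6.5",  "191.1.1.1"),
    IcmpUnreachable("10.255.0.3", "96.0.0.1",   "96.0.0.1",   "191.1.1.1"),
    IcmpUnreachable("10.255.0.3", "100.0.0.1",  "100.0.0.1",  "191.1.1.1"),   # 100/8 is outside 96/6
    IcmpUnreachable("10.255.0.9", "97.3.3.3",   "97.3.3.3",   "191.1.1.2"),   # some other null-routed host
]

if __name__ == "__main__":
    print(ingress_routers(SAMPLE_CAPTURE, "191.1.1.1").most_common())
    print("share of backscatter seen:", share_of_spoofed_sources_seen())
```

The second check is what keeps the method honest: a large network null-routes many prefixes at any time, and without matching the quoted destination against the victim the count would attribute unrelated drops to the attack.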

Cisco Netflow - 1
- Operates in conjunction with CEF
- Enabled on a per-interface basis
- If CEF is not running, Netflow switching will be enabled instead

    interface FastEthernet0/0
     ip route-cache flow

- Shows the flows into the interface: number of flows, packet size, activity, etc.

Cisco Netflow - 2

    B2# sho ip cache flow
    IP packet size distribution (71156M total packets):
       1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
       .002 .581 .090 .024 .011 .010 .010 .006 .003 .004 .003 .003 .003 .003 .003

        512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
       .004 .003 .124 .011 .093 .000 .000 .000 .000 .000 .000

    IP Flow Switching Cache, 4456704 bytes
      17047 active, 48489 inactive, 4010292907 added
      2115225614 ager polls, 0 flow alloc failures
    Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
    --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
    (per-protocol rows not legible in the source)
    Total:      4010276236    933.7        17   275  16566.4       6.5      19.3

Callout: most packets are small (58% are 64 bytes).

Cisco Netflow - 3: spot all those that are black-holed

    B2# sho ip cache flow | incl Null
    SrcIf   SrcIPaddress      DstIf   DstIPaddress ...
    Fa2/0   192.111.74.153    Null    ...
    Fa2/0   192.111.95.253    Null    ...
    Fa2/0   0.0.0.0           Null    ...
    Fa1/1   0.0.0.0           Null    ...
    Fa2/0   192.111.152.200   Null    ...
    Fa2/0   192.111.152.200   Null    ...
    Fa2/0   192.111.152.200   Null    ...
    Fa2/0   129.92.253.117    Null    ...

(destination columns only partly legible in the source: 172.16.0.177, 172.16.1.4, 10.0.30.24; protocol TCP)

Cisco Netflow - 4
- Can use Unix to find attackers
- Capture the complete "sho ip cache flow" data
- Sorted by column 2 (source):

    awk '{print $2}' /tmp/data | sort | uniq -c | sort -rn | head
        842 123.1.1.1
        234 191.2.2.2
        212 192.4.4.4

  (the top sources could be proxy servers)

- Sorted by column 4 (destination):

    awk '{print $4}' /tmp/data | sort | uniq -c | sort -rn | head
       2341 192.111.2.2
       1563 192.110.1.1
       1211 125.2.3.1
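The two awk pipelines rank sources and destinations by flow count, which finds the victim but, as the "proxy servers" remark says, not the attackers. The following added example (not from the tutorial) parses "show ip cache flow" records and adds the checks an operator actually wants on top of the ranking: how many distinct sources hit each destination, how many of the flows are single-packet, and whether the destination is already black-holed (DstIf Null, as on the previous slide). The flow records are constructed in IOS format (protocol and ports in hex).

```python
"""Finding the victim and the flood pattern in 'show ip cache flow' output (added example)."""
import re
from collections import Counter, defaultdict

FLOW_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dstif>\S+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)

# constructed records: a spoofed SYN flood on 192.111.2.2 (already null-routed),
# a busy proxy-like host 123.1.1.1, and some ordinary traffic
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa2/0         10.44.1.7       Null          192.111.2.2     06 C3A1 0050     1
Fa2/0         172.19.8.3      Null          192.111.2.2     06 9B02 0050     1
Fa2/0         198.51.100.9    Null          192.111.2.2     06 0E41 0050     1
Fa2/0         203.0.113.55    Null          192.111.2.2     06 7F10 0050     1
Fa2/0         10.9.9.9        Null          192.111.2.2     06 1A2B 0050     1
Fa2/0         172.20.3.1      Null          192.111.2.2     06 5C5C 0050     1
Fa1/1         123.1.1.1       Fa2/0         192.110.1.1     06 04D2 0050   318
Fa1/1         123.1.1.1       Fa2/0         192.110.1.1     06 04D3 01BB   122
Fa1/1         123.1.1.1       Fa2/0         125.2.3.1       11 0035 A1B2     2
Fa1/1         10.0.30.24      Fa2/0         192.110.1.1     06 E001 0050    41
"""


def parse_flows(text):
    """One dict per flow record; header and summary lines do not match and are skipped."""
    recs = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        for k in ("proto", "sport", "dport"):
            r[k] = int(r[k], 16)
        r["pkts"] = int(r["pkts"])
        recs.append(r)
    return recs


def top_talkers(recs, field, n=3):
    """Same as: awk '{print $N}' | sort | uniq -c | sort -rn | head  (field 'src' or 'dst')."""
    return Counter(r[field] for r in recs).most_common(n)


def destination_summary(recs):
    by_dst = defaultdict(list)
    for r in recs:
        by_dst[r["dst"]].append(r)
    out = {}
    for dst, rs in by_dst.items():
        out[dst] = {
            "flows": len(rs),
            "unique_sources": len({r["src"] for r in rs}),
            "single_packet_flows": sum(1 for r in rs if r["pkts"] == 1),
            "blackholed": all(r["dstif"].startswith("Null") for r in rs),
            "protocols": sorted({r["proto"] for r in rs}),
        }
    return out


def likely_flood_targets(recs, min_flows=5, min_distinct_src_ratio=0.8):
    """Destinations with many flows, nearly every one from a different source: the shape a
    spoofed flood leaves in the cache. A busy proxy is the opposite pattern, one source with
    many flows, which is why ranking sources alone misleads."""
    summary = destination_summary(recs)
    return sorted(dst for dst, s in summary.items()
                  if s["flows"] >= min_flows
                  and s["unique_sources"] / s["flows"] >= min_distinct_src_ratio)


if __name__ == "__main__":
    recs = parse_flows(SAMPLE_FLOWS)
    print("by source:     ", top_talkers(recs, "src"))
    print("by destination:", top_talkers(recs, "dst"))
    print("flood targets: ", likely_flood_targets(recs))
```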

Inmon - 1: Traffic Server, a simplified Netflow processor

Inmon - 2: Who is being attacked? [screenshot]

Inmon - 3: Where is the attack coming from? [screenshot]

Inmon - 4: On which interface? [screenshot]

IDS
- Cisco Catalyst IDS
- Handles 47 Kpps

Optical splitter [figure]

Alert services
- Keynote Red Alert (...sitrunning.com): email or pager alerts if the site becomes unavailable
- NetMechanic Server Check: customized by the user, e.g. server too slow / response time went too high

9. Protection and Defense

At the routers
[diagram: peering routers R2 - R5 feed R1 in front of Server1 (the victim) and Server2; link figures 1000 / 1000 / 100]
- ACLs, CARs, null routes
- Drawbacks: random spoofing defeats them; R1 throws away good with bad; router degradation

Inline, at the edge
[diagram: the protection device sits inline between R1 and the servers]
- Drawbacks: chokepoint; single point of failure; not scalable

Inline, on the backbone
[diagram: the protection device sits inline on the backbone link]
- Drawbacks: throughput; point of failure; all suffer

Router-based protection

Cisco ACLs - 1
- Use an ACL to determine which interface is being attacked and the characteristics of the attack
- Initial ACL to determine what type of attack:

    access-list 101 permit icmp any any echo
    access-list 101 permit icmp any any echo-reply log-input
    access-list 101 permit udp any any
    access-list 101 permit tcp any any
    access-list 101 permit ip any any
    interface serial 1/1
     ip access-group 101 out

- Wait 10 seconds, then remove it:

    no ip access-group 101 out

Cisco ACLs - 2

    sh access-l 101
    Extended IP access list 101
        permit icmp any any echo (2 matches)
        permit icmp any any echo-reply (21374 matches)
        permit udp any any (18 matches)
        permit tcp any any (123 matches)
        permit ip any any (5 matches)

- Indications are that there is some sort of ICMP attack
- Need to place the ACL on each successive router in the upstream path

Cisco ACLs - 3
- Next use 'log-input' to determine from where - via 'sho logging':

    %SEC-6-IPACCESSLOGDP: list 101 permit icmp 192.168.1.1(Serial1/1) - 1
