DDoS Attacks, The worrying rise of cyber warfare

saracubillas

December 18, 2015

Transcript

  1. What is a DDoS Attack?
     A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. Such attacks target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information.
  2. • $150 can buy a week-long DDoS attack on the black market.
     • More than 2,000 daily DDoS attacks are observed worldwide.
     • 1/3 of all downtime incidents are attributed to DDoS attacks.
  3. Building Capacity
     • Attackers build networks of infected computers, known as 'botnets', by spreading malicious software through emails, websites and social media. Once infected, these machines can be controlled remotely, without their owners' knowledge, and used like an army to launch an attack against any target. Some botnets are millions of machines strong.
  4. Botnet
     • Robot and network.
     • The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based network protocols such as IRC and Hypertext Transfer Protocol (HTTP).
     • Botnets are increasingly rented out by cyber criminals as commodities for a variety of purposes.
     • Recruitment: computers can be co-opted into a botnet when they execute malicious software. This can be accomplished by luring users into making a drive-by download, exploiting web browser vulnerabilities, or by tricking the user into running a Trojan horse program, which may come from an email attachment.
     • The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping".
  5. Launching Attacks
     • Botnets can generate huge floods of traffic to overwhelm a target. These floods can be generated in multiple ways, such as sending more connection requests than a server can handle, or having computers send the victim huge amounts of random data to use up the target's bandwidth. Some attacks are so big they can max out a country's international cable capacity.
  6. Selling Silence
     • Specialized online marketplaces exist to buy and sell botnets or individual DDoS attacks. Using these underground markets, anyone can pay a nominal fee to silence websites they disagree with or disrupt an organization's online operations. A week-long DDoS attack, capable of taking a small organization offline, can cost as little as $150.
  7. Attack Techniques
     There are two general forms of DoS attacks:
     • those that crash services, and
     • those that flood services.
     • The most serious attacks are distributed and involve forging of IP sender addresses (IP address spoofing) so that the location of the attacking machines cannot easily be identified.
  8. Attack Categories
     • TCP Connection Attacks - Occupying connections. These attempt to use up all the available connections to infrastructure devices such as load-balancers, firewalls and application servers. Even devices capable of maintaining state on millions of connections can be taken down by these attacks.
     • Volumetric Attacks - Using up bandwidth. These attempt to consume the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet. These attacks are simply about causing congestion.
     • Fragmentation Attacks - Pieces of packets. These send a flood of TCP or UDP fragments to a victim, overwhelming the victim's ability to re-assemble the streams and severely reducing performance.
     • Application Attacks - Targeting applications. These attempt to overwhelm a specific aspect of an application or service and can be effective even with very few attacking machines generating a low traffic rate (making them difficult to detect and mitigate).
  9. Attack Tools
     A wide array of programs are used to launch DoS attacks.
     • Stacheldraht (German for "barbed wire"): written by Random for Linux and Solaris systems; it acts as a distributed denial of service (DDoS) agent. This tool detects and automatically enables source address forgery. Agents are compromised via the handlers by the attacker, using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents!
     • LOIC: in other cases a machine may become part of a DDoS attack with the owner's consent, for example in Operation Payback, organized by the group Anonymous.
     • The UK's GCHQ has tools built for DDoS, named PREDATORS FACE and ROLLING THUNDER.
  10. Amplification: two ways attacks can multiply the traffic they can send
     • DNS Reflection - Small request, big reply. By forging a victim's IP address, an attacker can send small requests to a DNS server and ask it to send the victim a large reply. This allows the attacker to have every request from its botnet amplified as much as 70x in size, making it much easier to overwhelm the target.
     • Chargen Reflection - Steady streams of text. Most computers and internet-connected printers support an outdated testing service called Chargen, which allows someone to ask a device to reply with a stream of random characters. Chargen can be used as a means for amplifying attacks, similar to the DNS attacks above.
  11. NTP Flood
     NTP is the Network Time Protocol that is used by machines connected to the Internet to set their clocks accurately. For example, the address time.euro.apple.com seen in the clock configuration on my Mac is actually the address of an NTP server run by Apple.
     Similar to DNS-based reflection and amplification attacks, the attacker sends a packet apparently from the intended victim to some server on the Internet that will reply immediately: the source of the attack is hidden, and the attack is also amplified because the server sends large replies to the victim.
     NTP servers have a command called monlist: it returns the addresses of up to the last 600 machines that the NTP server has interacted with.
  12. NTP Flood
     The request packet is 234 bytes long. The response is split across 10 packets totaling 4,460 bytes. That's an amplification factor of 19x, and because the response is sent in many packets, an attack using this would consume a large amount of bandwidth and have a high packet rate.
  13. SSDP Flood
     • Simple Service Discovery Protocol. It is often used for discovery of Plug & Play (UPnP) devices. It was introduced in 1999 and is used by many routers and network devices.
     • Attackers have found that Simple Object Access Protocol (SOAP) requests – used to deliver control messages to UPnP devices and pass information – "can be crafted to elicit a response that reflects and amplifies a packet, which can be redirected towards a target".
     • The most effective part of this tactic is the millions of possible reflectors (IoT) that could be used to launch DDoS attacks.
     • This particular type of DDoS attack was seen as the second most dominant threat, after NTP-based attacks.
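Slides 10 through 13 all describe the same pattern: a reflector answers a small spoofed request with a large reply that lands on a victim who never asked. From the defender's side the tell-tale sign is unsolicited traffic from well-known service ports (DNS/53, chargen/19, NTP/123, SSDP/1900) converging on one address from many sources. The following Python is an added example, not part of the deck or of any product it cites; it computes the bandwidth amplification factor from the slide 12 numbers and runs a simple unsolicited-response check over constructed NetFlow-style records (the record layout, the `REFLECTOR_PORTS` table and the documentation-range addresses are assumptions for the example).

```python
from collections import defaultdict

# Well-known UDP source ports of services the slides name as reflectors
# (DNS, chargen, NTP, SSDP). Constructed for this example.
REFLECTOR_PORTS = {53: "DNS", 19: "chargen", 123: "NTP", 1900: "SSDP"}


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification: bytes the reflector emits per byte the attacker sends.
    For the monlist numbers on slide 12 (234 in, 4,460 out) this is about 19x."""
    return response_bytes / request_bytes


def detect_reflection(flows, min_reflectors=3, min_bytes=1000):
    """Flag destinations receiving unsolicited traffic from reflector ports.

    `flows` are (src_ip, src_port, dst_ip, dst_port, packets, bytes) tuples, the
    shape of a NetFlow-style record. A response counts as solicited only if the
    same vantage point also saw the destination send a request to that server; in
    a reflection attack the request came from the spoofing attacker, so it is absent.
    """
    # Outbound requests we did observe: (client, server, service_port)
    requests = {(src, dst, dport) for src, _, dst, dport, _, _ in flows
                if dport in REFLECTOR_PORTS}

    per_victim = defaultdict(lambda: {"reflectors": set(), "services": set(),
                                      "packets": 0, "bytes": 0})
    for src, sport, dst, _, packets, nbytes in flows:
        if sport not in REFLECTOR_PORTS:
            continue
        if (dst, src, sport) in requests:
            continue  # a normal answer to a query the destination really sent
        entry = per_victim[dst]
        entry["reflectors"].add(src)
        entry["services"].add(REFLECTOR_PORTS[sport])
        entry["packets"] += packets
        entry["bytes"] += nbytes

    alerts = {}
    for dst, e in per_victim.items():
        if len(e["reflectors"]) >= min_reflectors and e["bytes"] >= min_bytes:
            alerts[dst] = {"reflectors": len(e["reflectors"]),
                           "services": sorted(e["services"]),
                           "packets": e["packets"], "bytes": e["bytes"]}
    return alerts


# Constructed flow records (documentation-range addresses, not real captures).
# 203.0.113.5 is the victim: three NTP servers and one SSDP device answer it
# although it never asked. 203.0.113.9 made a real DNS query and got one reply.
SAMPLE_FLOWS = [
    ("198.51.100.10", 123, "203.0.113.5", 40123, 10, 4460),
    ("198.51.100.11", 123, "203.0.113.5", 40123, 10, 4460),
    ("198.51.100.12", 123, "203.0.113.5", 40123, 10, 4460),
    ("198.51.100.20", 1900, "203.0.113.5", 40123, 8, 2400),
    ("203.0.113.9", 33555, "198.51.100.30", 53, 1, 60),
    ("198.51.100.30", 53, "203.0.113.9", 33555, 1, 120),
]

if __name__ == "__main__":
    print(f"monlist amplification: {amplification_factor(234, 4460):.1f}x")
    for victim, info in detect_reflection(SAMPLE_FLOWS).items():
        print(victim, info)
```

The solicited/unsolicited check is the part worth keeping: a single reflector answering a single query looks identical to legitimate traffic, so the detector keys on the absence of the matching outbound request plus the number of distinct reflectors converging on one destination.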
  14. Case Study: DD4BC Group
     What is the DD4BC Group, and how does it operate?
     • The DD4BC group has been responsible for a large number of Bitcoin extortion campaigns dating back to 2014.
     • In the past year, the group expanded its extortion and DDoS campaigns to target a wider array of business sectors – including financial services, media and entertainment, online gaming and retailers.
     • The group used multi-vector DDoS attacks including NTP floods, SSDP floods, UDP floods, SYN floods, UDP fragment floods, ICMP floods, DNS floods, GET floods, SNMP floods and CHARGEN floods.
     • Layer 7 DDoS attacks used the WordPress pingback vulnerability.
  15. Case Study: DD4BC Group
     What is the DD4BC Group, and how does it operate?
     • The group has used e-mail to inform its target that a low-level DDoS attack will be launched against the victim's website. The group would then demand a Bitcoin ransom to protect the company from a larger DDoS attack designed to make its website inaccessible.
     • The group threatened to expose targeted businesses via social media.
     • From June through July 2015, the attacks increased from low-level to more than 20 Gbps in some cases.
  16. Threat Components
     • Motivation: DDoS attacks for ransom.
     • Objective: obtain bitcoins as payment. Some of the bitcoin hash addresses are advertised for ransom payment on public forums as a means of transmitting payments.
     • Members: membership is unknown at this point. However, some of the statements are made using first-person expressions.
     • Resources: DD4BC is likely using anonymizing network services and anonymous digital crypto currency to evade trace. Matching sources of DDoS activity suggest use of DDoS-for-hire botnets.
     • Knowledge source: DD4BC is likely using publicly available tools to launch attacks. The initial assessment of source IPs suggests use of rented botnets from the DDoS-for-hire underground.
     • Victimology: the earlier targets were typically unregulated bitcoin exchanges and gaming sites, which are unlikely to reach out to law enforcement for help. More recent attacks now include reputable business operations.
     • Typology: based on available open source intelligence (OSINT), the attacks are only using publicly available DDoS toolkits, plus resources from rented botnets in the underground.
  17. Case Study: Summary of Operation DD4BC
     Attack timeline of bandwidth and packets per second for DD4BC events:
     • Total number of confirmed attacks: 141
     • Average peak bandwidth for all attacks: 13.34 Gbps
     • Average peak packets per second for all attacks: 3.13 Mpps
     • Largest DDoS attack recorded: 56.2 Gbps
  18. Payload samples for a UDP flood attack vector launched against Organization A
     Payload samples of the DDoS attack traffic.
  19. Defense techniques
     Defensive responses to denial-of-service attacks typically involve the use of a combination of attack detection, traffic classification and response tools, aiming to block traffic that they identify as illegitimate and allow traffic that they identify as legitimate.
     • Firewalls: in the case of a simple attack, a firewall could have a simple rule added to deny all incoming traffic from the attackers, based on protocols, ports or the originating IP addresses. More complex attacks will, however, be hard to block with simple rules.
     • Switches: most switches have some rate-limiting and ACL (access control list) capability. Some switches provide automatic schemes, and some DoS attacks can be prevented by using them. For example, a SYN flood can be prevented using delayed binding or TCP splicing. Similarly, content-based DoS may be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using filtering.
     • Routers: similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under a DoS attack. Cisco IOS has optional features that can reduce the impact of flooding.
     • Application front end hardware: intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors.
     • Application level Key Completion Indicators: application layer analysis to indicate whether an incoming traffic bulk is legitimate or not, and thus enable the triggering of elasticity decisions without the economic implications of a DDoS attack.
  20. Defense techniques
     • IPS based prevention: intrusion-prevention systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. Intrusion-prevention systems which work on content recognition cannot block behavior-based DoS attacks.
     • DDS based defense: more focused on the problem than IPS, a DoS Defense System (DDS) can block connection-based DoS attacks and those with legitimate content but bad intent. A DDS can also address both protocol attacks (such as Teardrop and Ping of death) and rate-based attacks (such as ICMP floods and SYN floods).
     • Blackholing and sinkholing: with blackholing, all the traffic to the attacked DNS or IP address is sent to a "black hole" (null interface or a non-existent server). To be more efficient and avoid affecting network connectivity, it can be managed by the ISP. Sinkholing routes traffic to a valid IP address which analyzes traffic and rejects bad packets. Sinkholing is not efficient for the most severe attacks.
     • Clean pipes: all traffic is passed through a "cleaning center" or a "scrubbing center" via various methods such as proxies, tunnels or even direct circuits, which separates "bad" traffic (DDoS and also other common internet attacks) and only sends good traffic beyond to the server.
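Slides 19 and 20 list rate-limiting on switches and routers and rate-based defenses in a DDS against SYN floods, but do not show what such a rule looks like in practice. The Python below is an added example, not code from the deck or from any vendor it names: a per-source sliding-window SYN rate limiter that promotes a source to a block list once it exceeds the threshold, which is exactly the "simple rule" a firewall ACL can then enforce. The event format, the threshold of 5 SYNs per second and the constructed traffic mix are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque


class SynRateLimiter:
    """Per-source sliding-window limit on TCP SYNs.

    A source that sends more than `max_syns` SYNs within any `window_seconds`
    interval is added to a block list, the kind of simple rule a firewall or
    router ACL can enforce once the offending addresses are known.
    """

    def __init__(self, max_syns, window_seconds):
        self.max_syns = max_syns
        self.window = window_seconds
        self.recent = defaultdict(deque)  # src -> timestamps of SYNs in the window
        self.blocked = set()

    def decide(self, timestamp, src):
        """Return 'accept' or 'drop' for one SYN (events must arrive in time order)."""
        if src in self.blocked:
            return "drop"
        window = self.recent[src]
        window.append(timestamp)
        # Expire timestamps that have fallen out of the sliding window.
        while window and timestamp - window[0] > self.window:
            window.popleft()
        if len(window) > self.max_syns:
            self.blocked.add(src)
            return "drop"
        return "accept"


def simulate(events, max_syns=5, window_seconds=1.0):
    """Run the limiter over (timestamp, src) events; return per-source counts and block list."""
    limiter = SynRateLimiter(max_syns, window_seconds)
    counts = defaultdict(lambda: {"accept": 0, "drop": 0})
    for timestamp, src in sorted(events):
        counts[src][limiter.decide(timestamp, src)] += 1
    return {src: dict(c) for src, c in counts.items()}, sorted(limiter.blocked)


def build_sample_events():
    """Constructed traffic: a normal client opening a connection every 0.5 s,
    interleaved with a host firing 50 SYNs in half a second (documentation-range addresses)."""
    normal = [(i * 0.5, "192.0.2.10") for i in range(6)]
    flood = [(i * 0.01, "198.51.100.77") for i in range(50)]
    return normal + flood


if __name__ == "__main__":
    counts, blocked = simulate(build_sample_events())
    for src, c in counts.items():
        print(f"{src}: {c}")
    print("blocked:", blocked)
```

Note what this rule cannot do, which is the point slide 20 makes about IPS: a distributed flood in which each bot stays under the per-source threshold, or one that spoofs a fresh source address per SYN, never trips it. Per-source limits belong at the edge as a first filter, with SYN cookies, delayed binding or a scrubbing service behind them for the distributed case.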
  21. Don't be part of the problem (NTP flood)
     If you're running an ntpd server that needs to be on the public Internet then it's vital that it's upgraded to at least version
     If you are running an ntpd server and still need something like monlist, there's the mrulist command, which now requires a nonce (a proof that the command came from the IP address in the UDP packet). Neither of these changes is recent: ntpd v4.2.7p26 was released on March 24, 2010, so upgrading doesn't require using bleeding-edge code.
     If you're running a network (or are a service provider) then it's vital that you implement BCP-38 (RFC 2827: Network Ingress Filtering). Implementation of it (and the related BCP-84) would eliminate source-IP-spoofed attacks of all kinds (DNS, NTP, SNMP, ...).
  22. Don't be part of the problem (SSDP flood)
     • As a home user, disable UPnP (Plug & Play) on your routers and public-facing devices that don't require it.
     • As a device manufacturer, push firmware updates that properly scope UPnP functionality to the LAN where it belongs.
     • One method would be to block incoming UDP traffic from port 1900 on public-facing services, if your organization can handle the overall bandwidth.
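Slides 21 and 22 give the two network-side controls: BCP-38 ingress filtering, which drops packets whose source address could not legitimately have arrived on the interface they came in on, and blocking inbound UDP from port 1900. The Python below is an added example written for this transcript, not code from the deck, an RFC or any router vendor; it models both decisions as a single ingress policy so the logic can be read and tested in one place. The interface names, the customer prefix assignments and the packet tuples are constructed assumptions; real deployments express the same rules as uRPF or ACLs on the router.

```python
import ipaddress

# Constructed topology for this example: the source prefixes legitimately reachable
# behind each customer-facing interface. Upstream traffic arrives on "internet".
INTERFACE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}

# UDP source ports whose unsolicited inbound traffic is reflection traffic for
# practically every site (SSDP/1900, the port slide 22 suggests blocking).
REFLECTION_SOURCE_PORTS = {1900: "SSDP"}


def ingress_decision(iface, src_ip, proto="udp", src_port=None):
    """Return ('accept' | 'drop', reason) for one packet.

    Customer interfaces get BCP-38 treatment: the source address must fall inside
    a prefix assigned to that customer, otherwise it is spoofed and dropped.
    The upstream interface drops inbound UDP sourced from known reflection ports.
    """
    src = ipaddress.ip_address(src_ip)
    if iface in INTERFACE_PREFIXES:
        # ipaddress returns False for an address/network version mismatch, so
        # mixing IPv4 and IPv6 prefixes on one interface is safe here.
        if any(src in net for net in INTERFACE_PREFIXES[iface]):
            return ("accept", "source inside assigned prefix")
        return ("drop", "BCP-38: spoofed source")
    if iface == "internet":
        if proto == "udp" and src_port in REFLECTION_SOURCE_PORTS:
            return ("drop", f"inbound {REFLECTION_SOURCE_PORTS[src_port]} reflection")
        return ("accept", "upstream traffic")
    return ("drop", "unknown interface")


def apply_policy(packets):
    """Evaluate a batch of (iface, src_ip, proto, src_port) packets; return counts per outcome."""
    counts = {}
    for iface, src_ip, proto, src_port in packets:
        action, reason = ingress_decision(iface, src_ip, proto, src_port)
        key = f"{action}: {reason}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample packets (documentation-range addresses).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.44", "udp", 40000),       # legitimate customer source
    ("cust-a", "203.0.113.5", "udp", 40000),      # spoofed: address belongs elsewhere
    ("cust-b", "2001:db8:b::1", "udp", 40000),    # legitimate IPv6 customer source
    ("cust-b", "198.51.100.200", "udp", 40000),   # spoofed: outside the /25
    ("internet", "198.51.100.20", "udp", 1900),   # SSDP reflection traffic
    ("internet", "198.51.100.30", "udp", 53),     # ordinary DNS answer
]

if __name__ == "__main__":
    for key, n in apply_policy(SAMPLE_PACKETS).items():
        print(f"{n:3d}  {key}")
```

The two rules protect different parties: the BCP-38 check stops the operator's own customers from sourcing spoofed requests toward reflectors, so it protects everyone else, while the port-1900 drop protects the operator's own hosts from being the reflection target. Only the first one removes the attack class, which is why slide 21 calls it vital.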
  23. References
     • www.stateoftheinternet.com/dd4bc-case
     • https://www.stateoftheinternet.com/resources-web-security-threat-advisories-2014-ssdp-reflection-ddos-attacks-cybersecurity.html
     • http://www.scmagazine.com/ssdp-reflection-ddos-attacks-on-the-rise-akamai-warns/article/377754/
     • http://blog.nexusguard.com/ssdp-ddos-attacks/
     • https://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks/
     • Digital Attack Map: http://goo.gl/yCxKbJ
     • CloudFlare DDoS attack: http://cnet.co/1OPLXVL
     • Inside DDoS attacks: http://ubm.io/1SNQb0F
     • Banks targeted by DDoS attacks: http://goo.gl/dQZb0Y
     • Wells Fargo attack: http://goo.gl/es3yPP
     • Wikipedia, Distributed Denial of Service attacks: https://goo.gl/VkSMuH
     • Average DDoS attack strength growing: http://goo.gl/EEFoZY