What's in a Denial of Service (DoS) Attack?

<attack id="122002" start="2006-10-14 02:21:47" stop="2006-10-14 03:36:11">   # About an hour and 15 minutes duration
  <severity importance="1" lrm="0.9077" red_rate="1e+06" unit="pps"/>
  <type class="3" subclass="5"/>                                                 # Misuse: Null TCP
  <direction type="Incoming" name="anonymous" gid="756"/>
  <protocols>6</protocols>                                                       # IP protocol 6, TCP
  <tcpflags></tcpflags>                                                          # No flags: Null TCP
  <source>
    <ips>0.0.0.0/0</ips>                                                         # Very well distributed or source-spoofed IPs
    <ports>0-65535</ports>                                                       # Very well distributed source ports
  </source>
  <dst>
    <ips>xx.xx.X.X/32</ips>                                                      # Surprise, undernet IRC server...
    <ports>6667</ports>                                                          # 6667: IRC
  </dst>
  <infrastructure num_routers="19" num_interfaces="52" sum_bps="622878440000" sum_pps="15571961000" max_bps="1980325333" max_pps="6188517"/>
</attack>
Source: ISC
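The record above can be read mechanically. The following is an added example (not code from the presentation or from any Peakflow product) that parses a copy of the slide's record, reconstructed here as a constructed XML string with the redacted target kept as-is, and derives the points an analyst checks first: duration, average packet size from the peak counters, whether it is a flag-less TCP flood, and how far the peak exceeded the red_rate threshold. The element names and the meaning of max_bps/max_pps as simultaneous peaks are assumptions.

```python
"""Summarize a DoS attack record of the form shown on the slide."""
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed copy of the slide's record; xx.xx.X.X is the slide's redaction.
ATTACK_XML = """<attack id="122002" start="2006-10-14 02:21:47" stop="2006-10-14 03:36:11">
  <severity importance="1" lrm="0.9077" red_rate="1e+06" unit="pps"/>
  <type class="3" subclass="5"/>
  <direction type="Incoming" name="anonymous" gid="756"/>
  <protocols>6</protocols>
  <tcpflags></tcpflags>
  <source><ips>0.0.0.0/0</ips><ports>0-65535</ports></source>
  <dst><ips>xx.xx.X.X/32</ips><ports>6667</ports></dst>
  <infrastructure num_routers="19" num_interfaces="52"
    sum_bps="622878440000" sum_pps="15571961000"
    max_bps="1980325333" max_pps="6188517"/>
</attack>"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def summarize(xml_text):
    """Return the derived facts a SOC analyst wants from the record."""
    attack = ET.fromstring(xml_text)
    start = datetime.strptime(attack.get("start"), TIME_FMT)
    stop = datetime.strptime(attack.get("stop"), TIME_FMT)
    infra = attack.find("infrastructure")
    max_bps = int(infra.get("max_bps"))
    max_pps = int(infra.get("max_pps"))
    red_rate = float(attack.find("severity").get("red_rate"))  # "1e+06"
    proto = (attack.findtext("protocols") or "").strip()
    flags = (attack.findtext("tcpflags") or "").strip()
    src_net = attack.find("source/ips").text.strip()
    return {
        "duration_min": (stop - start).total_seconds() / 60,
        # bits per packet / 8: ~40 bytes means header-only TCP, no payload
        "avg_pkt_bytes": max_bps / max_pps / 8,
        "null_tcp": proto == "6" and flags == "",
        "spoofed_or_distributed": src_net == "0.0.0.0/0",
        "peak_over_threshold": max_pps / red_rate,
        "dst_port": int(attack.find("dst/ports").text),
    }


if __name__ == "__main__":
    for key, value in summarize(ATTACK_XML).items():
        print(f"{key}: {value}")
```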
Threat Time Line: NBA is Another Layer of Defense (timeline figure). Milestones along the time axis, as labelled: Discover Vulnerability, Advisory, AV/IDS Available, Patch, New Version; on the attacker side: zero-day, Exploit, Variant Released, Reverse Engineer / new exploit. Defensive layers shown: Patch Management, Network Admission, Network Behavioral Analysis with Peakflow X.
A bot is a servant process on a compromised system (unbeknownst to the owner), usually installed by a Trojan or worm.
Communicates with a handler or controller via public IRC servers or other compromised systems.
A botmaster or botherder commands bots to perform any of a number of different functions.
System of bots and controller(s) is referred to as a botnet or zombie network.
Anatomy of a DDoS Attack (diagram): the Internet backbone links UK Broadband, US Corp, US Broadband, JP Corp., Provider B and "The Peaceful Village", with bots (B) scattered across them. Sequence: systems become infected; bots connect to a C&C to create an overlay network (botnet); the controller connects; the botnet master (BM) issues the attack command; the bots attack; "Bye Bye!"
Reflective Amplification Attacks (Attacker a, Victim v, Resolver r). A botnet with as few as 20 DSL-connected homes (1 Mbps upstream each) can generate 1.5 Gbps of attack traffic with DNS reflective amplification attack vectors such as those employed for the root server attacks in early 2006 (1:76 amplification factor). Most enterprises have little more than 155 Mbps Internet connectivity. The source IP of the victim (v) is spoofed when the query is sent to the resolver; the resolver receives it and responds to v. A 55-byte query elicits a 4200-byte response.
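Two things follow from the slide's numbers: the amplification arithmetic, and the asymmetry a victim's flow records show (large UDP/53 responses arriving at a host that sent no queries). The block below is an added example, not the presentation's own code: it works the 20-bot/1:76 case and flags reflection victims in constructed flow records. The flow tuple layout, the documentation-range IPs and the ratio/byte thresholds are assumptions.

```python
"""Size a DNS reflective amplification attack and detect its victims from flows."""
from collections import defaultdict


def amplification_factor(query_bytes, response_bytes):
    """Bytes the reflector sends to v per byte the attacker spent (55 -> 4200)."""
    return response_bytes / query_bytes


def attack_bps(bots, upstream_bps, factor):
    """Aggregate traffic at v when every bot saturates its upstream link."""
    return bots * upstream_bps * factor


# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = []
for i in range(100):  # busy but legitimate client: each query gets one response
    FLOWS.append(("192.0.2.10", 40000 + i, "198.51.100.53", 53, "udp", 55))
    FLOWS.append(("198.51.100.53", 53, "192.0.2.10", 40000 + i, "udp", 512))
for resolver in ("198.51.100.53", "198.51.100.54", "198.51.100.55"):
    # victim v: 4200-byte answers from several resolvers, no queries sent
    FLOWS.append((resolver, 53, "203.0.113.7", 1234, "udp", 4200))


def reflection_suspects(flows, min_ratio=10.0, min_resp_bytes=10000):
    """Hosts whose inbound UDP/53 response bytes dwarf their own outbound
    query bytes. A spoofing victim sends no queries, so its ratio is huge."""
    q_bytes, r_bytes = defaultdict(int), defaultdict(int)
    reflectors = defaultdict(set)
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue
        if dport == 53:
            q_bytes[src] += size          # queries this host sent
        elif sport == 53:
            r_bytes[dst] += size          # responses this host received
            reflectors[dst].add(src)
    suspects = {}
    for host, rb in r_bytes.items():
        ratio = rb / max(q_bytes[host], 1)  # no queries -> divide by 1
        if rb >= min_resp_bytes and ratio >= min_ratio:
            suspects[host] = {"resp_bytes": rb, "ratio": ratio,
                              "reflectors": len(reflectors[host])}
    return suspects


if __name__ == "__main__":
    print("1:%.0f amplification" % amplification_factor(55, 4200))
    print("%.2f Gbps from 20 DSL bots" % (attack_bps(20, 1e6, 76) / 1e9))
    print(reflection_suspects(FLOWS))
```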
'01-'03 data are projections based on public and private information regarding prominent attacks
Largest attacks (22 & 24 Gbps) reported by a large content provider and hosting providers
Both >20 Gbps attacks reported to have been DNS reflective amplification attacks
Most backbone links have a 10G maximum capacity today
DDoS Attacks: Taking Advantage of Our Broadband
Botnets take advantage of “our” unlimited broadband pipes and PCs for amplification attacks and brute-force flooding attacks
ISPs are taken offline in the process of trying to mitigate these attacks.
Collateral Damage (diagram): ISP A reaches its Transit ISP over a T1 from an aggregation router, and the target sits behind a 512k link. A 3 Mbps DDoS, a teeny tiny attack to the Transit ISP's GE links but not to ISP A, fills the T1: the target is gone and ISP A's other customers suffer collateral damage. ISP n, meanwhile, faces a much BIGGER attack.
DNS Attacks - When & What?
OCT 2002: Root servers attacked. Duration: 1 hour. Multi-modal: smurf, ICMP, port 53. "7" root servers appear unreachable. Impact: no noticeable user effect.
NOV 2002: UltraDNS TLD servers attacked. Duration: 24 hours+. ICMP 0,8 and then port. Easily filtered; uses pure volume of packets to disable. Results in 2-way traffic load. Impact: no noticeable user effect.
JUN 2004: Akamai attacked. Duration: 4 hours. No mitigation possible. Port 53, UDP, valid queries; multi-millions of queries per second. Impact: global impact.
OCT 2004: DDoS for hire (extortion). The golden age for worms/trojans.
NOV 2004: The perfect DNS DDoS in the wild. No protocol-based defense or mitigation. Attack on bandwidth, not applications or servers: 11 Gbps+. Impact: significant collateral damage.
JAN-FEB 2006: .com, .net (Verisign), .org (UltraDNS). Utilized open recursive servers. Average attack 7-10 Gbps. TLD operators have no successful defense. Impact: considerable user impact.
NOV 2006: UUNet attack, 2nd-level DNS. UDP/53, auth servers for bank.foo. Spoofed source IPs, 800 Kpps. Impact: end-user/customer. Mitigated with Cisco Guard-XT. Collateral damage: 2x .gov & 2 7206s in network path.
FEB 2007: G, L & M root servers, other TLDs (UltraDNS)? Utilized large bogus DNS UDP queries from many bots. Aggregate attacks 10 Gbps+. Mitigate: special hardware. Impact: 90% of traffic dropped, localized user impact.
Root & TLD attacks in summary: spoofed source IPs, large bogus queries, 10+ Gbps, regionalized user impact.
"investigators say they found some 37,000 stolen credit card numbers. Alongside each credit card record was other information on the ID theft victims, such as the account holder's address, date of birth, credit balances and limits."
"...jihadists might need for their battle against the American and allied forces in Iraq, including global positioning satellite (GPS) devices, night-vision goggles, sleeping bags, telephones, survival knives and tents."
On Friday, Dec. 15, 2006, shares in Apparel Manufacturing Associates, Inc. (APPM) closed at $.06, with a trading volume of 3,500 shares. After a weekend spam campaign distributed emails proclaiming, "Huge news expected out on APPM, get in before the wire, We're taking it all the way to $1.00," trading volume on Monday, Dec. 18, 2006, hit 484,568 shares with the price spiking to over 19 cents a share. Two days later the price climbed to $.45. By Dec. 27, 2006, the price was back down to $.10 on trading volume of 65,350 shares.
On Dec. 19, 2006, Goldmark Industries, Inc. (GDKI) closed at $.17 on trading volume of 126,286 shares. On Dec. 20, 2006, the spam campaign started, with e-mail proclaiming "GDKI IS MAKING EVERYONE BANK!," and setting a 5-day price target of $2. By Dec. 28, 2006, spam emails boasted of the price spike that had already been achieved -- "$.28 (Up 152% in 2 days!!!)" -- and promised a 5-day price target of $1. That same day, GDKI closed at $.35 on a volume of more than 5 million shares. By January 9, 2007, the closing share price was back down to $.15.
Intelligent Mitigation (Peakflow SP with Peakflow SP TMS): flows are sent to the collector system; the system detects the attack; a BGP route is injected (off-ramping) to divert the target's traffic; the system talks to the scrubber to clean the traffic; the mitigation process is started; the scrubber inspects each packet against its rules and the learned network behavior.
N packets/bytes, subsequent to TCP/135 activity, from vulnerable
Single stage threats much simpler (e.g., SYN to known botnet C&C)
Think of the Possibilities (diagram): the same botnet as before, now aimed at Anti-Bot/Spam.com. Systems become infected; bots connect to a C&C to create an overlay network (botnet); the controller connects; the botnet master (BM) issues the attack command; the bots attack; "Bye Bye!" Other roles the bots fill: phishing site, drop site, C&C, spam relay, open proxy. Data harvested: phishing data, CD keys, keylogger output, personal ID, video, email, CC & PW, financial data.
Miscreant Feuding - Bot on Bot Attacks http://asert.arbor.net
Mpack & Storm (Trojan.Srizbi)
Upon compromise by MPack, malware is downloaded that checks for other rootkits and uninstalls them.
The Storm folks get perturbed and attack the MPack malware distribution sites.