Non-standard protocols as a vector for DDoS attacks

Webinar

Published in Technology

Transcript
  • 1. Non-standard protocols as a vector for DDoS attacks
    Prof. Jon Crowcroft (Cambridge University)
    Dr. Ian Brown (University College London)
    Robert Rybnikar / Flickr
  • 2. Monitoring data flows
    • Data flows that use standardised protocols can be analysed and understood with basic flow-analysis software and Intrusion Detection Systems.
    • Network managers who suspect that DoS traffic is originating from their network must be able to inspect those flows and, if necessary, shut them down (and clean up the originating host).
  • 3. Obfuscated protocols
    • Skype is an example of software that uses a non-standardised protocol which is heavily obfuscated (as is the client software itself) in an attempt to resist exactly this type of analysis.
    • The same design also serves as a mechanism to traverse NATs and firewalls.
    • http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf gives extensive detail.
  • 4. Camouflaged Skype traffic
    • Uses the HTTP(S) ports (80/443) for TCP and random ports for UDP
    • Uses the RC4 stream cipher purely for obfuscation, not for confidentiality
    • Data is further fragmented and custom-compressed
    • Even blocking sessions is difficult and requires byte-level pattern matching, e.g.:
      • iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP
      • Block incoming TCP payloads starting 0x1703010000 (a prefix shaped like the header of a TLS 1.0 application-data record)
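The two blocking heuristics on this slide, re-implemented as offline packet classifiers so the same tests can be run over a saved capture rather than only in a firewall. This is an added example for this page, not code from the talk or from the Black Hat paper. It assumes the iptables u32 semantics (offsets counted from the start of the IPv4 header, 4-byte big-endian loads, a load that runs off the packet fails the match) and that `-m length` matches the IP total length; the packets it builds are constructed test vectors, not captured Skype traffic.

```python
"""Reproduce the slide's UDP iptables rule and TCP-prefix rule in pure Python.

Added example for this page, not code from the talk or the Black Hat paper.
All packets below are constructed test vectors, not real Skype captures.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17

# Rule 1, UDP:
#   iptables -I FORWARD -p udp -m length --length 39 \
#     -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP
# '-m length --length 39' matches the IP total length.  A u32 test
# 'OFF&MASK=VAL' loads bytes OFF..OFF+3 (from the start of the IP header)
# as a big-endian 32-bit word, ANDs with MASK and compares with VAL;
# a test without a mask means MASK = 0xffffffff.
UDP_RULE_LENGTH = 39
UDP_RULE_U32 = [(27, 0x8F, 0x7), (31, 0xFFFFFFFF, 0x527C4833)]

# Rule 2, TCP: drop incoming payloads starting 0x1703010000.
TCP_PREFIX = bytes.fromhex("1703010000")


def parse_ipv4(pkt: bytes):
    """Return (proto, total_len, header_len), or None for an implausible header."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20 or total_len < header_len or len(pkt) < total_len:
        return None
    return proto, total_len, header_len


def u32_test(pkt: bytes, offset: int, mask: int, value: int) -> bool:
    """Evaluate one iptables u32 test 'offset&mask=value' against a raw IPv4 packet."""
    if offset + 4 > len(pkt):
        return False  # the 4-byte load would run off the packet: no match
    word = struct.unpack_from("!I", pkt, offset)[0]
    return (word & mask) == value


def matches_skype_udp(pkt: bytes) -> bool:
    """Rule 1: UDP, IP total length exactly 39, and both u32 tests true."""
    hdr = parse_ipv4(pkt)
    if hdr is None or hdr[0] != IPPROTO_UDP or hdr[1] != UDP_RULE_LENGTH:
        return False
    return all(u32_test(pkt, off, mask, val) for off, mask, val in UDP_RULE_U32)


def matches_skype_tcp(pkt: bytes) -> bool:
    """Rule 2: TCP payload begins with the fake TLS record prefix 17 03 01 00 00."""
    hdr = parse_ipv4(pkt)
    if hdr is None or hdr[0] != IPPROTO_TCP:
        return False
    _, total_len, ip_hlen = hdr
    if len(pkt) < ip_hlen + 20:
        return False
    tcp_hlen = (pkt[ip_hlen + 12] >> 4) * 4  # TCP data offset field, in bytes
    return pkt[ip_hlen + tcp_hlen:total_len].startswith(TCP_PREFIX)


def classify(pkt: bytes):
    """Label a raw IPv4 packet, or return None when neither heuristic fires."""
    if matches_skype_udp(pkt):
        return "skype-udp"
    if matches_skype_tcp(pkt):
        return "skype-tcp"
    return None


# --- constructed test vectors (hypothetical addresses/ports, no real captures) ---
def _ipv4(proto: int, l4: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + l4


def _udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def _tcp(sport: int, dport: int, data: bytes) -> bytes:
    # 20-byte header: data offset 5, flags PSH|ACK, checksum left zero
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data


# 11-byte UDP payload: 2-byte ID, func byte 0x07, then 52 7c 48 33, then padding.
# After a 20-byte IP and 8-byte UDP header, 0x07 sits at offset 30 and
# 0x527c4833 at offsets 31..34, which is exactly what the two u32 tests read.
SKYPE_LIKE_UDP = _ipv4(IPPROTO_UDP, _udp(40000, 40001, bytes.fromhex("abcd07527c4833") + b"\0" * 4))
# Same layout but func byte 0x02: 0x02 & 0x8f != 0x07, so the rule must not fire.
OTHER_UDP = _ipv4(IPPROTO_UDP, _udp(40000, 40001, bytes.fromhex("abcd02527c4833") + b"\0" * 4))
# Same bytes plus one byte of padding: total length 40, so '--length 39' must not fire.
LONGER_UDP = _ipv4(IPPROTO_UDP, _udp(40000, 40001, bytes.fromhex("abcd07527c4833") + b"\0" * 5))
# TCP to 443 whose payload starts with the fake application-data prefix.
SKYPE_LIKE_TCP = _ipv4(IPPROTO_TCP, _tcp(50000, 443, TCP_PREFIX + b"\x2a" * 16))
# A TLS handshake record (16 03 01 ...) must not match the prefix rule.
REAL_TLS_TCP = _ipv4(IPPROTO_TCP, _tcp(50000, 443, bytes.fromhex("1603010010") + b"\x01" * 16))

if __name__ == "__main__":
    for name, pkt in [("skype-like udp", SKYPE_LIKE_UDP), ("other udp", OTHER_UDP),
                      ("longer udp", LONGER_UDP), ("skype-like tcp", SKYPE_LIKE_TCP),
                      ("tls handshake", REAL_TLS_TCP)]:
        print(f"{name:15s} -> {classify(pkt)}")
```

The point the slide makes shows up in the vectors: the match depends on exact length and on a handful of bytes, so a one-byte change in the func field or a single byte of extra padding makes the rule miss, and an obfuscated client can change either at will.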
  • 5. Skype supernodes
    • Skype clients with a public IP address, no firewall and spare CPU can be promoted to supernodes
    • A supernode typically tunnels 4-8 TCP connections and at least 1 UDP flow on behalf of other clients
      • http://www1.cs.columbia.edu/~salman/skype/index.html
    • How do security admins know what this traffic is doing?
  • 6. Camouflaged DDoS zombies
    • Zombies could disguise flood traffic as UDP media data, acting collectively to overwhelm specific hosts and networks
    • Bot controllers could disguise control-channel traffic as ordinary TCP flows, avoiding firewalls and traversing NATs using a Skype-like supernode system
  • 7. Conclusion
    • In most situations enterprises would be better off using applications whose protocols they can understand and control
    • Obfuscated protocols can serve both as a covert channel and as a vector for DoS attacks