Non-standard protocols as a vector for DDoS attacks

  1. Non-standard protocols as a vector for DDoS attacks
     Prof. Jon Crowcroft (Cambridge University), Dr. Ian Brown (University College London)
     Image: Robert Rybnikar / Flickr
  2. Monitoring data flows
     • Data flows using standardised protocols can be analysed and understood using basic flow analysis software and Intrusion Detection Systems.
     • Network managers that suspect DoS traffic is originating from their network must be able to check flows and, if necessary, shut them down (and clean up the originating host).
  3. Obfuscated protocols
     • Skype is an example of software that uses non-standardised protocols that are in fact heavily obfuscated (as is the software itself) in an attempt to resist this type of analysis.
     • The obfuscation also serves as a mechanism to traverse NATs and firewalls.
     • http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf gives extensive detail.
  4. Camouflaged Skype traffic
     • Uses HTTP(S) ports for TCP, random ports for UDP
     • Uses the RC4 stream cipher purely for obfuscation
     • Data is further fragmented and custom-compressed
     • Difficult even to block sessions:
        • iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP
        • Block incoming payloads starting 0x1703010000
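To make the two blocking heuristics on this slide concrete, here is an added example (not part of the original deck) that models how the iptables u32 clauses and the payload-prefix check are evaluated against a raw IPv4/UDP packet. It assumes the u32 offsets count from the start of the IP header, as the kernel u32 match does, and the sample packets are constructed here solely for illustration.

```python
import struct

def build_ipv4_udp(payload: bytes, src="10.0.0.1", dst="10.0.0.2",
                   sport=40000, dport=33033) -> bytes:
    """Constructed IPv4 + UDP packet (checksums left zero; sample data only)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload

def u32_test(pkt: bytes, offset: int, mask: int, value: int) -> bool:
    """One u32 clause 'offset&mask=value': read the big-endian 32-bit word at
    the byte offset (from the IP header start), AND with mask, compare.
    A read past the end of the packet never matches."""
    if offset + 4 > len(pkt):
        return False
    word = struct.unpack_from("!I", pkt, offset)[0]
    return (word & mask) == value

def matches_skype_udp_rule(pkt: bytes) -> bool:
    """Model of: -p udp -m length --length 39
                 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833'
    With a 20-byte IP and 8-byte UDP header, byte 30 is payload byte 2 and
    bytes 31..34 are payload bytes 3..6."""
    if len(pkt) < 20 or pkt[9] != 17:   # protocol field must be UDP
        return False
    if len(pkt) != 39:                  # -m length matches the whole IP packet
        return False
    return (u32_test(pkt, 27, 0x8f, 7)
            and u32_test(pkt, 31, 0xFFFFFFFF, 0x527C4833))

def tcp_payload_blocked(payload: bytes) -> bool:
    """Second bullet: drop incoming payloads starting 0x1703010000 (this looks
    like a TLS 1.0 application-data record header with a zero length)."""
    return payload.startswith(bytes.fromhex("1703010000"))

# Constructed 11-byte payload: 2-byte id, 0x37 (0x37 & 0x8f == 7), the
# constant 0x527c4833, then 4 filler bytes -> 39-byte packet in total.
SKYPE_LIKE_PAYLOAD = bytes([0x12, 0x34, 0x37]) + bytes.fromhex("527c4833deadbeef")
SAMPLE_MATCH = build_ipv4_udp(SKYPE_LIKE_PAYLOAD)
# Same packet with payload byte 2 changed so the first u32 clause fails.
SAMPLE_NOMATCH = build_ipv4_udp(bytes([0x12, 0x34, 0x08]) + SKYPE_LIKE_PAYLOAD[3:])

if __name__ == "__main__":
    print(matches_skype_udp_rule(SAMPLE_MATCH), matches_skype_udp_rule(SAMPLE_NOMATCH))
```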
  5. Skype supernodes
     • Skype clients with public IP addresses, no firewall and a good CPU can become supernodes
     • Typically tunnelling 4-8 TCP connections and at least 1 UDP flow
        • http://www1.cs.columbia.edu/~salman/skype/index.html
     • How do security admins know what this traffic is doing?
  6. Camouflaged DDoS zombies
     • Zombies could disguise flood traffic as UDP media data, acting collectively to overwhelm specific hosts and networks
     • Bot controllers can disguise control-channel traffic as TCP flows, avoiding firewalls and traversing NATs using a Skype-like supernode system
  7. Conclusion
     • Enterprises would in most situations be better off using applications whose protocols they can understand and control
     • Obfuscated protocols can be used as a covert channel and as a vector for DoS attacks