Non-standard protocols as a vector for DDoS attacks
Presentation Transcript

  • Non-standard protocols as a vector for DDoS attacks. Prof. Jon Crowcroft (Cambridge University), Dr. Ian Brown (University College London). Image credit: Robert Rybnikar / Flickr
  • Monitoring data flows
    • Data flows using standardised protocols can be analysed and understood using basic flow analysis software and Intrusion Detection Systems.
    • Network managers that suspect DoS traffic is originating from their network must be able to check flows and if necessary shut them down (and clean up the originating host).
  • Obfuscated protocols
    • Skype is an example of software that uses non-standardised protocols which are in fact heavily obfuscated (as is the software itself) in an attempt to resist this type of analysis.
    • The same obfuscation also serves as a mechanism to traverse NATs and firewalls
    • http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf gives extensive detail
  • Camouflaged Skype traffic
    • Uses HTTP(S) ports for TCP, random for UDP
    • Uses RC4 stream cipher purely for obfuscation
    • Data further fragmented and custom-compressed
    • Difficult even to block sessions:
      • iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP
      • Block incoming payloads starting with 0x1703010000
  • Skype supernodes
    • Skype clients with public IP addresses, no firewall and good CPU can become supernodes
    • Typically tunnelling 4-8 TCP connections and at least 1 UDP flow
      • http://www1.cs.columbia.edu/~salman/skype/index.html
    • How do security admins know what this traffic is doing?
  • Camouflaged DDoS zombies
    • Zombies could disguise flood traffic as UDP media data, acting collectively to overwhelm specific hosts and networks
    • Bot controllers can disguise control channel traffic as TCP flows, avoiding firewalls and traversing NATs using a Skype-like supernode system
  • Conclusion
    • Enterprises would in most situations be better off using applications whose protocols they can understand and control
    • Obfuscated protocols can be used as a covert channel and a vector for DoS attacks
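The iptables rule on the "Camouflaged Skype traffic" slide is compact but opaque. As an added example (not part of the presentation), the following Python reproduces its matching logic in software so an analyst can run it over raw IPv4 packets from a capture and see which bytes the rule actually tests. It assumes, from the iptables man pages, that u32 offsets count from the start of the IPv4 header and load four big-endian bytes, and that -m length compares the IPv4 total length; the sample packets and RFC 5737 addresses are constructed here.

```python
import struct

def u32_load(pkt: bytes, offset: int) -> int:
    """Load 4 bytes at `offset` as a big-endian word, as the u32 match does.
    u32 fails the match if the read runs past the packet; we raise and catch."""
    if offset + 4 > len(pkt):
        raise ValueError("u32 read past end of packet")
    return struct.unpack("!I", pkt[offset:offset + 4])[0]

def matches_skype_udp_rule(pkt: bytes) -> bool:
    """Software equivalent of the slide's rule:
    -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833'
    `pkt` is a raw IPv4 packet starting at the IP header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    if pkt[9] != 17:                                   # -p udp (IPv4 protocol 17)
        return False
    if struct.unpack("!H", pkt[2:4])[0] != 39 or len(pkt) != 39:
        return False                                   # -m length --length 39
    try:
        # '27&0x8f=7': word at bytes 27..30; mask 0x8f keeps only byte 30,
        # which is payload byte 2 (20 B IP + 8 B UDP header = payload at 28).
        # '31=0x527c4833': payload bytes 3..6 must equal the constant.
        return (u32_load(pkt, 27) & 0x8f) == 7 and u32_load(pkt, 31) == 0x527c4833
    except ValueError:
        return False

def build_ipv4_udp(payload: bytes, sport: int = 40000, dport: int = 33033) -> bytes:
    """Construct a minimal IPv4/UDP packet (checksums zeroed; test data only)."""
    total = 20 + 8 + len(payload)
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])  # RFC 5737 test addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0, src, dst)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + udp + payload

# Constructed samples: an 11-byte payload shaped to satisfy the rule
# (0x37 & 0x8f == 0x07) and a same-length payload that does not.
MATCHING = build_ipv4_udp(b"\x12\x34\x37" + bytes.fromhex("527c4833") + b"\x00\x01\x02\x03")
BENIGN = build_ipv4_udp(b"\x12\x34\x01" + bytes.fromhex("00000000") + b"\x00\x01\x02\x03")

def count_matches(pkts) -> int:
    """Number of packets the rule would DROP; handy for checking a capture."""
    return sum(matches_skype_udp_rule(p) for p in pkts)

if __name__ == "__main__":
    # The third packet is one byte too long, so only the first one matches.
    print(count_matches([MATCHING, BENIGN, MATCHING + b"\x00"]))  # 1
```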