Non-standard protocols as a vector for DDoS attacks
    Presentation Transcript

    • Non-standard protocols as a vector for DDoS attacks. Prof. Jon Crowcroft (Cambridge University); Dr. Ian Brown (University College London). Photo: Robert Rybnikar / Flickr
    • Monitoring data flows
      • Data flows using standardised protocols can be analysed and understood using basic flow analysis software and Intrusion Detection Systems.
      • Network managers who suspect that DoS traffic is originating from their network must be able to check flows and, if necessary, shut them down (and clean up the originating host).
    • Obfuscated protocols
      • Skype is an example of software that uses non-standardised protocols which are in fact heavily obfuscated (as is the software itself), in an attempt to resist this type of analysis.
      • Also a mechanism to traverse NATs and firewalls
      • http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf gives extensive detail
    • Camouflaged Skype traffic
      • Uses HTTP(S) ports for TCP, random for UDP
      • Uses RC4 stream cipher purely for obfuscation
      • Data further fragmented and custom-compressed
      • Difficult even to block sessions:
        • iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP
        • Block incoming payloads starting with 0x1703010000
    • Skype supernodes
      • Skype clients with public IP addresses, no firewall and good CPU can become supernodes
      • Typically tunnelling 4-8 TCP connections and at least 1 UDP flow
        • http://www1.cs.columbia.edu/~salman/skype/index.html
      • How do security admins know what this traffic is doing?
    • Camouflaged DDoS zombies
      • Zombies could disguise flood traffic as UDP media data, acting collectively to overwhelm specific hosts and networks
      • Bot controllers can disguise control channel traffic as TCP flows, avoiding firewalls and traversing NATs using a Skype-like supernode system
    • Conclusion
      • Enterprises would in most situations be better off using applications whose protocols they can understand and control
      • Obfuscated protocols can be used as a covert channel and a vector for DoS attacks
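The two signatures on the "Camouflaged Skype traffic" slide (the u32 iptables rule and the 0x1703010000 payload prefix) are easier to reason about when written out as plain detection logic. The following is an added example, not code from the presentation or from the Biondi talk it cites; it emulates the iptables u32 match semantics (offsets counted from the first byte of the IPv4 header, each offset loading a big-endian 32-bit word, with `&mask` and `=value` applied to that word), assumes IPv4 without header options, and runs over packets constructed inline rather than captured traffic. The helper names (`u32_load`, `matches_skype_udp_rule`, `build_ipv4_udp`, `classify_samples`) are this example's own.

```python
"""Emulation of the slide's packet-level Skype signatures (added example, not the
presentation's code). u32 semantics as in the iptables u32 match: offset N loads
bytes N..N+3 of the IPv4 datagram as a big-endian 32-bit word."""
import ipaddress
import struct

IPPROTO_UDP = 17


def u32_load(packet: bytes, offset: int):
    """Load the 4-byte word at `offset`, or None if the read would run past the
    end of the datagram (the iptables u32 match simply fails in that case)."""
    if offset < 0 or offset + 4 > len(packet):
        return None
    return struct.unpack("!I", packet[offset:offset + 4])[0]


def matches_skype_udp_rule(packet: bytes) -> bool:
    """Emulates:
    -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833'
    `packet` is a complete IPv4 datagram (IP header + UDP header + payload)."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        return False
    if packet[9] != IPPROTO_UDP:            # -p udp
        return False
    if len(packet) != 39:                   # -m length --length 39 (total IP length)
        return False
    w27 = u32_load(packet, 27)              # bytes 27..30: UDP checksum low byte + payload[0..2]
    w31 = u32_load(packet, 31)              # bytes 31..34: payload[3..6]
    if w27 is None or w31 is None:
        return False
    return (w27 & 0x8F) == 7 and w31 == 0x527C4833


# The slide's second signature: a TCP payload beginning 17 03 01 00 00, i.e. a TLS
# record header claiming application data (0x17), version TLS 1.0 (0x0301) and a
# record length of zero, which genuine TLS stacks do not normally emit.
FLAGGED_TCP_PREFIX = bytes.fromhex("1703010000")


def matches_tcp_payload_prefix(tcp_payload: bytes) -> bool:
    return tcp_payload.startswith(FLAGGED_TCP_PREFIX)


def build_ipv4_udp(payload: bytes, src="192.0.2.10", dst="198.51.100.20",
                   sport=40000, dport=33033) -> bytes:
    """Build a minimal IPv4+UDP datagram around `payload`. Checksums are left
    zero and the addresses are documentation ranges: constructed for the example."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                         IPPROTO_UDP, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


# Constructed samples (not captured traffic): an 11-byte UDP payload shaped to
# satisfy both u32 tests (39-byte datagram, payload[2] & 0x8f == 7,
# payload[3..6] == 52 7c 48 33), plus near-misses that each differ in one respect.
HIT_PAYLOAD = bytes.fromhex("000007527c4833aabbccdd")
SAMPLES = {
    "hit": build_ipv4_udp(HIT_PAYLOAD),
    "wrong_length": build_ipv4_udp(HIT_PAYLOAD + b"\x00"),            # 40 bytes, not 39
    "wrong_word": build_ipv4_udp(HIT_PAYLOAD[:3] + bytes.fromhex("527c4834") + HIT_PAYLOAD[7:]),
    "tcp_flagged": bytes.fromhex("1703010000") + b"\x42" * 8,
    "tcp_real_tls": bytes.fromhex("1703030020") + b"\x42" * 32,       # TLS 1.2 app data, length 32
}


def classify_samples(samples=SAMPLES) -> dict:
    """Run the UDP rule over the datagrams and the prefix check over the TCP
    payloads; return {sample name: matched?}."""
    verdicts = {}
    for name, data in samples.items():
        if name.startswith("tcp_"):
            verdicts[name] = matches_tcp_payload_prefix(data)
        else:
            verdicts[name] = matches_skype_udp_rule(data)
    return verdicts


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:14s} -> {'MATCH' if hit else 'no match'}")
```

Reading the rule this way shows how narrow it is: it keys on one exact datagram length and seven payload bytes, so a client that pads or re-orders its obfuscated header stops matching, which is the practical reason the slides treat such signatures as a blocking aid rather than a substitute for the flow monitoring described on the "Monitoring data flows" slide.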