Non-standard protocols as a vector for DDoS attacks
Webinar
Published in: Technology

Transcript

  • 1. Non-standard protocols as a vector for DDoS attacks. Prof. Jon Crowcroft (Cambridge University), Dr. Ian Brown (University College London). Photo: Robert Rybnikar / Flickr
  • 2. Monitoring data flows
    • Data flows using standardised protocols can be analysed and understood using basic flow analysis software and Intrusion Detection Systems.
    • Network managers who suspect DoS traffic is originating from their network must be able to inspect the flows and, if necessary, shut them down (and clean up the originating host).
  • 3. Obfuscated protocols
    • Skype is an example of software that uses non-standardised protocols which are in fact heavily obfuscated (as is the software itself) in an attempt to resist this type of analysis.
    • The same machinery also serves as a mechanism to traverse NATs and firewalls
    • http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf gives extensive detail
  • 4. Camouflaged Skype traffic
    • Uses HTTP(S) ports for TCP, random for UDP
    • Uses RC4 stream cipher purely for obfuscation
    • Data further fragmented and custom-compressed
    • Difficult even to block sessions:
      • iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP
      • Block incoming payloads starting 0x1703010000
  • 5. Skype supernodes
    • Skype clients with public IP addresses, no firewall and good CPU can become supernodes
    • Typically tunnelling 4-8 TCP connections and at least 1 UDP flow
      • http://www1.cs.columbia.edu/~salman/skype/index.html
    • How do security admins know what this traffic is doing?
  • 6. Camouflaged DDoS zombies
    • Zombies could disguise flood traffic as UDP media data, acting collectively to overwhelm specific hosts and networks
    • Bot controllers can disguise control channel traffic as TCP flows, avoiding firewalls and traversing NATs using a Skype-like supernode system
  • 7. Conclusion
    • Enterprises would in most situations be better off using applications whose protocols they can understand and control
    • Obfuscated protocols can be used as a covert channel and a vector for DoS attacks
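As an added example (not from the slides or from the Biondi paper they cite), the following Python emulates the iptables u32 match used in the rule on slide 4 and runs it against constructed IPv4/UDP packets, so a defender can see exactly which bytes that signature keys on: an 11-byte UDP payload whose third byte, masked with 0x8f, equals 7 and whose next four bytes are 52 7c 48 33. The packet builder, addresses and ports are constructed test data, not captured traffic.

```python
import socket
import struct

# Emulates the kernel's xt_u32 match for expressions of the form
# OFFSET[&MASK]=VALUE (the '@' and '>>' operators are not needed here).
RULE_LENGTH = 39                            # -m length --length 39 (IP total length)
RULE_U32 = ["27&0x8f=7", "31=0x527c4833"]   # the two --u32 tests from the slide

def u32_test(packet: bytes, expr: str) -> bool:
    """Load 4 bytes big-endian at OFFSET of the IP packet, AND with MASK,
    compare with VALUE. Like xt_u32, an offset past the packet never matches."""
    lhs, rhs = expr.split("=")
    off_s, mask_s = (lhs.split("&") + ["0xffffffff"])[:2]
    off = int(off_s, 0)
    if off + 4 > len(packet):
        return False
    (word,) = struct.unpack_from("!I", packet, off)
    return (word & int(mask_s, 0)) == int(rhs, 0)

def rule_matches(packet: bytes) -> bool:
    """True when the quoted DROP rule would fire: IPv4/UDP, total length 39,
    and both u32 tests succeed."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 17:
        return False
    if struct.unpack_from("!H", packet, 2)[0] != RULE_LENGTH:
        return False
    return all(u32_test(packet, e) for e in RULE_U32)

def build_udp(payload: bytes) -> bytes:
    """Build a minimal IPv4/UDP packet around PAYLOAD (checksums left zero).
    Constructed test data, not a capture."""
    total = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                         socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    udp_hdr = struct.pack("!HHHH", 40000, 33033, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload

# 11-byte payload satisfying both tests: payload[2] & 0x8f == 7 (offset 30 is the
# low byte of the 27..30 word) and payload[3:7] == 52 7c 48 33 (offsets 31..34).
SIG_PAYLOAD = b"\x00\x01\x07\x52\x7c\x48\x33\x00\x00\x00\x00"

if __name__ == "__main__":
    for label, p in [("signature", SIG_PAYLOAD),
                     ("masked bits set", b"\x00\x01\x77" + SIG_PAYLOAD[3:]),
                     ("one byte longer", SIG_PAYLOAD + b"\x00"),
                     ("wrong marker", SIG_PAYLOAD[:6] + b"\x34" + SIG_PAYLOAD[7:])]:
        print(f"{label:16s} -> {'DROP' if rule_matches(build_udp(p)) else 'pass'}")
```

The "masked bits set" case shows why the rule uses a mask: bits outside 0x8f in that byte vary between packets, so a plain byte comparison would miss them, while any change in packet length or in the four marker bytes lets the packet through.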