The Joys of DDoS - Global Peering Forum
Transcription
The Joys of DDoS
Barrett Lyon, Prolexic Technologies
Jay Adelson, Digg

Network Terrorist Motivations
• Extortionists: many based in Asia / Eastern Europe
  - Most common motivation for DDoS attacks; ransom sites for thousands, and sometimes hundreds of thousands, of dollars
  - Once the operator agrees to pay, the attacker simply redirects the DDoS at another site (usually in the same industry sector)
• Competitive Sabotage
  - Rival businesses employ attackers to eliminate competition
  - Harm to brand
• Hackers' Pride
  - To gain notoriety, often target high-profile sites
  - Censorship
• Network Warfare
  - Recent attacks on the National Security Agency in the United States show that the Internet can be used to attack government interests.
© Prolexic Technologies, 2006

Recap: Extortion
• Anonymous EMAIL systems
• Rude, use poor English
• Attempt to establish communication with the president/principals of the company

Recap: Extortion
(no transcribed content)

Competitive Sabotage
• DVD sales during Christmas
• Rx sales due to Ad-Words competition
• Shutting down payment processing: HYIP / Stormpay.com

The attack: Mixed GET/SYN Flood to port 80
(no transcribed content)

The attack: PPS rates
(no transcribed content)

Hackers' Pride
• Digg.com: bad guy (Fred Ghosn of Canada) vs. Kevin Rose

Digg and IRC
<A> digg.com / revision3.com.
<A> tonight.
<A> :<.
<B> we wull see.
<A> fucking kevin rose.
<A> i miss.
<A> my old bots.
<A> from like.
<A> 2 years.
<A> i had.
<A> 1.8 million.
<A> :<.
<A> my biggest.
<A> channel.
<A> was.
<A> 980k.

Digg and IRC
Why isn't his attack succeeding? He claims:
<A> now i got shit.
<B> lol.
He has some help, which would explain the changing nature of the attack.
<C> gimme the ips you need nulled/fucked with.
<A> lets just wait.
<A> till later.
<A> nothing big is happenin now.
<C> ok.
<A> well.
<A> www.digg.com.
<A> if u want.
<C> kk np.
<C> kk done.

Digg and IRC
<B> stop doss
<B> so i can read a bit
<B> lol
<A> rofl.
<A> no.

Most Corporate Networks break
• "Black-holing" completes the attackers' objective by taking the site offline
• Router / firewall filtering does not scale and is useless when the sources are spoofed
• IDS simply detects, but does not protect
• IPS devices present a static solution to a dynamic problem and cannot help when the attack consumes all available bandwidth
Failure chain shown on the slide:
• Overcommitted ISP router fails at a high PPS rate. Bandwidth is saturated, taking the ISP offline
• Edge router fails: high PPS and ACLs consume CPU. No bandwidth
• Firewall fails: client table filled and CPU maxed. DMZ and office off-line
• Web farm hit: memory and resource limits of the kernels reached. Not serving web pages

Tracking x3m1st/Ivan/eXe
Diagram labels:
• Attacker computer
• Hacked computer masks the attacker's location
• 3rd computer to hide the real source IP
• IRC server at a co-lo facility. Zombies connect here; the attacker has control
• Zombie machines, mixed in with the general Internet, make up part of the botnet
• ISP router overloaded. Severe packet loss to all customers
• Target of attack. Infrastructure saturated and fails

Tracking x3m1st/Ivan/eXe
• Attacker uses a 2nd hacked computer to hide identity

Tracking Pkeglhema
Map locations: Japan, Utah, California, Japan, Japan, China

DNS Reflective Attacks
• NS record from a cancer research domain points off to ns1.321blowjob.com over at EV1.
• The x.p.ctrc.cc TXT RR came back as a truncated response with a 3-day TTL, letting it sit in caches for a while.
• The botnet queried x.p.ctrc.cc TXT/ANY with the target's address as the spoofed source, resulting in massive volumes of UDP sourced from port 53, plus fragmented UDP, hitting the target.

The Query
13:40:20.333131 IP 207.65.135.138.53 > 216.69.163.150.53: 5976+[1au] ANY ANY?
x.p.ctrc.cc. (40)
0x0000: 4500 0044 6f40 4000 ed11 4bc0 cf41 878a  E..Do@@...K..A..
0x0010: d845 a396 0035 0035 0030 0000 1758 0100  .E...5.5.0...X..
0x0020: 0001 0000 0000 0001 0178 0170 0463 7472  .........x.p.ctr
0x0030: 6302 6363 0000 ff00 ff00 0029 2710 0000  c.cc.......)'...
0x0040: 0000 0000                                ....

The Reply
13:40:20.636943 IP 216.69.178.147 > 207.65.135.138: udp
(packet hex dump omitted)

The Reply
(no transcribed content)

Tracking these attacks
• DDoS tracking software
  - We were able to create software, based on assumptions, that could track and locate the source of a DDoS attack.
• Law enforcement and research affiliations
• A long game of cat and mouse
  - We follow their every move until they make a mistake!
  - Painstaking reports and research

Dealing with 5-10 Gbps and keeping the destination up!
• Get the traffic in without latency
  - Spread the attack out over as many transit providers as possible.
  - Spread the attack out over as many peers as possible.
  - Use networks that do not overlap with important customers.
• Give notice and prepare
  - Warn upstream and peers about possible attacks on router interfaces.
  - Groom the customer onto specific portable prefixes.
  - Have the customer lower the TTL on DNS.
  - Monitor authoritative DNS servers.

Dealing with 5-10 Gbps and keeping the destination up!
• Get a feel for the traffic
  - Set up and monitor discard ports to get pcaps.
  - Send small levels of traffic to scrubbing hardware to test performance.
• Create a compact ACL and push the traffic away.
  - Have the routers do as much work as possible.
  - Involve providers.

Dealing with 5-10 Gbps and keeping the destination up!
• Get the community involved: NANOG
  - Feed as much information as possible to the public.
  - Get on the phone and alert law enforcement: be descriptive!
  - Correctly formatted prefix lists are best: Team Cymru.
  - Get on the phone and call the worst offenders.

When everything goes right…
(no transcribed content)

Where is DDoS evolving?
• Attacks are emulating true traffic flow
• Command & Control is utilizing protocols that are less obvious, such as DNS.
• Botnets are using Linux and Unix systems for a larger bandwidth impact.
• Bot code is becoming polymorphic
• New "reflection" attacks are making things more difficult to filter. More attack vectors.

Where is DDoS mitigation heading?
**Shutting the customer down is no longer an option**
• DDoS mitigation must be integrated into the wire
• DDoS mitigation is a 24/7 network operation, not a hardware solution
• Large scale collaboration and attack processing
• Mitigation must be done in the 10+ gig range.

Thank You For Your Time
www.prolexic.com
Contact me at: blyon@prolexic.com
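The DNS reflection query from "The Query" slide, decoded by an added example that is not Prolexic's tooling or part of the original deck: it parses the raw IPv4/UDP/DNS bytes exactly as printed, flags the properties a resolver operator or edge monitor would key on (QTYPE ANY, an oversized EDNS0 buffer, port 53 to port 53), and reports the amplification ratio against the reply whose total-length field reads 0x0436 (1078 bytes). The 4096-byte EDNS threshold is an assumption.

```python
import struct

# Query packet exactly as printed on the slide (tcpdump -X output, IP header included).
QUERY_HEX = ("4500 0044 6f40 4000 ed11 4bc0 cf41 878a d845 a396 0035 0035 0030 0000 1758 0100"
             "0001 0000 0000 0001 0178 0170 0463 7472 6302 6363 0000 ff00 ff00 0029 2710 0000"
             "0000 0000")
REPLY_IP_LENGTH = 0x0436  # total-length field of the reply packet on the next slide (1078 bytes)
QTYPE_ANY, OPT_TYPE = 255, 41

def read_name(buf, off):
    """Decode an uncompressed DNS name at off; return (dotted name, offset after it)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        if n & 0xC0:  # compression pointer: never valid in a query name
            raise ValueError("compressed label in query")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def parse_dns_query(pkt):
    """Extract the fields a reflection-abuse check needs from a raw IPv4/UDP/DNS packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    d = ihl + 8  # DNS message starts after the 8-byte UDP header
    txid, _flags, _qd, _an, _ns, arcount = struct.unpack_from("!6H", pkt, d)
    qname, off = read_name(pkt, d + 12)
    qtype, qclass = struct.unpack_from("!HH", pkt, off)
    off += 4
    edns_size = None
    for _ in range(arcount):  # the OPT pseudo-RR sits in the additional section
        _, off = read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            edns_size = rclass  # for OPT, the class field carries the UDP payload size
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "total_len": total_len,
            "id": txid, "qname": qname, "qtype": qtype, "qclass": qclass, "edns_size": edns_size}

def reflection_indicators(q, reply_len):
    """Return (amplification ratio, reasons this query looks like reflection abuse)."""
    reasons = []
    if q["qtype"] == QTYPE_ANY:
        reasons.append("QTYPE ANY")
    if q["edns_size"] and q["edns_size"] > 4096:  # 4096 is an assumed sane maximum
        reasons.append("EDNS0 buffer %d exceeds 4096" % q["edns_size"])
    if q["sport"] == 53 and q["dport"] == 53:
        reasons.append("port 53 to port 53: the reply lands on the spoofed victim's DNS port")
    return reply_len / q["total_len"], reasons
```

Run against the slide's bytes it reports a ~15.9x amplification at the IP layer with all three indicators set; the same checks apply unchanged to live captures from the discard ports the mitigation slides describe.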