The Joys of DDoS - Global Peering Forum

The Joys of DDoS
Barrett Lyon
Prolexic Technologies
Jay Adelson
Digg
Network Terrorist Motivations
• Extortionists: Many Based in Asia / Eastern Europe
  - Most common motivation for DDoS attacks; ransom sites for thousands, and sometimes hundreds of thousands, of dollars
  - Once the operator agrees to pay, the attacker simply redirects the DDoS at another site (usually in the same industry sector)
• Competitive Sabotage
  - Rival businesses employ attackers to eliminate competition
  - Harm to brand
• Hackers Pride
  - To gain notoriety, often target high-profile sites
  - Censorship
• Network Warfare
  - Recent attacks on the National Security Agency in the United States show that the Internet can be used to attack government interests.
© Prolexic Technologies, 2006
Recap: Extortion
• Anonymous EMAIL systems
• Rude, use poor English
• Attempt to establish communication with president/principals of the Company
Recap: Extortion
Competitive Sabotage
• DVD Sales during Christmas
• Rx Sales due to Ad-Words competition
• Shutting down payment processing: HYIP / Stormpay.com
The attack: Mixed GET/SYN Flood to port 80
The attack: PPS rates
Hackers Pride
• Digg.com: Bad guy (Fred Ghosn of Canada) vs. Kevin Rose
Digg and IRC
<A> digg.com / revision3.com.
<A> tonight.
<A> :<.
<B> we wull see.
<A> fucking kevin rose.
<A> i miss.
<A> my old bots.
<A> from like.
<A> 2 years.
<A> i had.
<A> 1.8 million.
<A> :<.
<A> my biggest.
<A> channel.
<A> was.
<A> 980k.
Digg and IRC
Why isn't his attack succeeding? He claims:
<A> now i got shit.
<B> lol.
He has some help, which would explain the changing nature of the attack.
<C> gimme the ips you need nulled/fucked with.
<A> lets just wait.
<A> till later.
<A> nothing big is happenin now.
<C> ok.
<A> well.
<A> www.digg.com.
<A> if u want.
<C> kk np.
<C> kk done.
Digg and IRC
<B> stop doss
<B> so i can read a bit
<B> lol
<A> rofl.
<A> no.
Most Corporate Networks break
• “Black-holing” completes the attackers’ objective by taking the site offline
• Router / firewall filtering does not scale and is useless when spoofed
• IDS simply detects, but does not protect
• IPS devices present a static solution to a dynamic problem and cannot help when attack consumes all available bandwidth

[Diagram: failure points along the network path]
• Overcommitted ISP router fails with high PPS rate. Bandwidth is saturated, taking ISP offline
• Edge router fails: high PPS and ACLs consume CPU. No bandwidth
• Firewall fails. Filled client table and CPU max. DMZ and office off-line
• Web farm hit. Memory and resource limits of kernels hit. Not serving web pages
Tracking x3m1st/Ivan/eXe
[Diagram: numbered attack path (1-8) across the Internet, with these labels]
• Attacker Computer
• Hacked Computer masks Attacker’s location
• Attacker uses 2nd Hacked Computer to hide identity
• 3rd Computer to hide real source IP
• IRC Server at co-lo facility. Zombies connect here. Attacker has control
• Zombie machines, mixed in general internet, make up part of botnet
• ISP Router overloaded. Severe packet loss to all customers
• Target of attack. Infrastructure saturated and fails.
Tracking x3m1st/Ivan/eXe
Tracking Pkeglhema
Japan
Utah
California
Japan
Japan
China
DNS Reflective Attacks
• NS record from a cancer research from points off to ns1.321blowjob.com over at EV1.
• The x.p.ctrc.cc TXT RR responded with a truncated response with a 3 day TTL allowing cache to stick around for a while.
• The botnet queried x.p.ctrc.cc TXT any with the spoofed source of the target resulting in massive sourced UDP 53 and fragmented UDP to hit the target.
The Query
13:40:20.333131 IP 207.65.135.138.53 > 216.69.163.150.53: 5976+[1au] ANY ANY? x.p.ctrc.cc. (40)
        0x0000:  4500 0044 6f40 4000 ed11 4bc0 cf41 878a  E..Do@@...K..A..
        0x0010:  d845 a396 0035 0035 0030 0000 1758 0100  .E...5.5.0...X..
        0x0020:  0001 0000 0000 0001 0178 0170 0463 7472  .........x.p.ctr
        0x0030:  6302 6363 0000 ff00 ff00 0029 2710 0000  c.cc.......)'...
        0x0040:  0000 0000                                ....
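Added example, not from the original slides: the DNS payload of the query above decoded in Python, with a check for the three traits that mark it as reflection traffic on a resolver or at a border. The function names and the 4096-byte EDNS_LIMIT are assumptions of this example.

```python
import struct

# DNS payload of the query above: the 40 bytes after the 20-byte IP header
# and 8-byte UDP header, copied from the slide's hex dump.
QUERY = bytes.fromhex(
    "175801000001000000000001"    # ID 0x1758 (5976), RD set, 1 question, 1 additional
    "01780170046374726302636300"  # QNAME x.p.ctrc.cc.
    "00ff00ff"                    # QTYPE ANY, QCLASS ANY
    "0000292710000000000000"      # OPT pseudo-RR (type 41), UDP size 0x2710
)
EDNS_LIMIT = 4096  # assumed policy ceiling, not a value from the slides

def read_name(msg, off):
    """Decode an uncompressed name; return (dotted name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0 or off + n > len(msg):
            raise ValueError("compressed or truncated name")
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n

def parse_query(msg):
    """Return the question and the EDNS0 UDP size advertised by a DNS query."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    if flags & 0x8000 or qd != 1 or an or ns:
        raise ValueError("not a plain single-question query")
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack_from("!2H", msg, off)
    off += 4
    edns_size = None
    for _ in range(ar):  # walk the additional section looking for OPT
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == 41:  # OPT: the CLASS field carries the requester's UDP size
            edns_size = rclass
    return {"id": ident, "qname": qname, "qtype": qtype,
            "qclass": qclass, "edns_size": edns_size}

def reflection_signals(q):
    """List the traits of a query that match the reflection pattern above."""
    checks = [("QTYPE ANY", q["qtype"] == 255),
              ("QCLASS ANY", q["qclass"] == 255),
              ("oversized EDNS0 UDP size", (q["edns_size"] or 0) > EDNS_LIMIT)]
    return [name for name, hit in checks if hit]
```

The advertised UDP size of 10000 bytes is what lets a 40-byte question draw a multi-fragment answer toward the spoofed source.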
The Reply
13:40:20.636943 IP 216.69.178.147 > 207.65.135.138: udp
The Reply
Tracking these attacks
• DDoS tracking software
  - We were able to create software, based on assumptions, that could track and locate the source of a DDoS attack.
• Law enforcement and research affiliations
• A long game of Cat and Mouse
  - We follow their every move until they make a mistake!
  - Painstaking reports and research
Dealing with 5-10Gbps
And keeping the destination up!
• Get the traffic in without latency
  - Spread the attack out over as many transit providers as possible.
  - Spread the attack out over as many peers as possible.
  - Use networks that are not overlapping with important customers.
• Give notice and prepare
  - Warn upstream and peers about possible attacks to router interfaces.
  - Groom customer to specific portable prefixes
  - Have customer lower TTL on DNS
  - Monitor authoritative DNS servers
Dealing with 5-10Gbps
And keeping the destination up!
• Get a feel for the traffic
  - Set up and monitor discard ports to get pcaps.
  - Send small levels of traffic to scrubbing hardware to test performance.
• Create a compact ACL and push the traffic away.
  - Have the routers do as much work as possible.
  - Involve providers
Dealing with 5-10Gbps
And keeping the destination up!
• Get the community involved: NANOG
  - Feed as much information as possible to the public
  - Get on the phone and alert law enforcement: Be descriptive!
  - Correctly formatted prefix lists are best: Team Cymru
  - Get on the phone and call the worst offenders
When everything goes right…
Where is DDoS evolving?
• Attacks are emulating true traffic flow
• Command & Control is utilizing protocols that are less obvious such as DNS.
• Botnets are using Linux and Unix systems to have larger bandwidth impact.
• Bot code is becoming polymorphic
• New “reflection” attacks are making things more difficult to filter. More attack vectors.
Where is DDoS mitigation heading?
**Shutting the customer down is no longer an option**
• DDoS mitigation must be integrated into the wire
• DDoS mitigation is a 24/7 network operation not hardware solution
• Large scale collaboration and attack processing
• Mitigation must be done in the 10+ gig range.
Thank You For Your Time
www.prolexic.com
Contact me at:
blyon@prolexic.com