Worldwide Infrastructure Security Report - PowerPoint Presentation

Uploaded by SnuggleBug (@SnuggleBug) on 2022-08-02


Large Scale DDoS Attacks Update. CF Chui, Solutions Architect, Arbor Networks, Sept 2014. Contents: Worldwide Infrastructure Security Report (WISR) Q2 2014 Update; The Arbor ATLAS Initiative: Internet Trends. ID: 932161


Presentation Transcript

Slide1

Worldwide Infrastructure Security Report

Large Scale DDoS Attacks Update

CF Chui – Solutions Architect, Arbor Networks

Sept 2014

Slide2

Worldwide Infrastructure Security Report (WISR) Q2 2014 Update

Slide3

The Arbor ATLAS Initiative: Internet Trends

290+ ISPs sharing real-time data -> ATLAS Internet Trends
- Automated hourly export of XML file to Arbor server (HTTPS)
- File is anonymous, only tagged with: User Specified Region (e.g. Europe); Provider Type (self categorized), e.g. Tier 1
- Data derived from Flow / BGP / SNMP correlation

Arbor Peakflow SP product
- Correlates Sampled Flow / BGP in real-time
- Distributed in nature
- Network / Router / Interface etc. Traffic Reporting
- Threat Detection (DDoS / infected sub): multiple detection mechanisms

ATLAS is currently monitoring a peak of around 90Tbps of IPv4 traffic across all respondents, a significant proportion of Internet traffic.

Slide4

ATLAS Global Threat Analysis System

The ATLAS Global Threat Analysis and Monitoring System is actively monitoring more than 90 Tbps, or 1/3 of all internet traffic, 24/7.

Slide5

The Arbor ATLAS Initiative: Internet Trends 2014

Key Findings :

Q1 2014 saw probably the most concentrated burst of large volumetric DDoS attacks ever, things have calmed down again in Q2.

NTP reflection attacks still significant, but reduced numbers / size compared to Q1. NTP traffic volumes falling globally, but still not back to ‘normal’.

Largest attack in Q2 is NTP reflection, but ‘ONLY’ 154Gbps, target in Spain.

Already seen more than 2x the number of events over 20Gbps compared to 2013. Already seen more than 100 events over 100Gb/sec this year. Non Initial Fragment attacks still the most common, but big increase in proportion of attacks targeting DNS (53) in Q2.

Slide6

Second quarter of new ATLAS data-set; focus on providing baseline data for future comparisons; comparisons to Q1 2014.

2014 Q2 Summary: 2014 ATLAS: World-Wide

2014 Q2 Average: 759.83 Mb/sec (-47% from Q1); 199.85 Kpps (-36% from Q1)

2014 Q2 Peak: 154.69 Gb/sec (-101% from Q1); 80 Mpps (-18% from Q1)

Slide7

2014 Q2 Summary: 2014 ATLAS: Hong Kong

2014 Q2 Average: 713.26 Mb/sec (+20.4% from Q1); 232.46 Kpps (+40.5% from Q1)

2014 Q2 Peak: 47.24 Gb/sec (+67% from Q1); 8.52 Mpps (+32% from Q1)

Slide8

2014 ATLAS: World-Wide NTP Reflection / Amplification

NTP attacks clearly shown in ATLAS traffic data.
- Average of 1.29 Gbps NTP traffic globally in November 2013
- Average of 351.64 Gbps in February 2014
- Average of 32.3 Gbps in June 2014

NTP cooling off through the end of March and into Q2; still significantly above 2013 levels.
- 6% of events overall (down from 14% in Q1)
- 34% of events over 10Gbps (down from 56%)
- 48.7% of events over 100Gbps (down 84.7%)

[Chart: Proportion of Events with Source Port 123]

Slide9

2014 ATLAS: Hong Kong

Majority of the attacks seen were NOT NTP reflection attacks

Most attacks were TCP SYN to port 80

Slide10

2014 ATLAS: World-Wide Other Protocols for Amplification

Given the huge storm of NTP reflection activity, there has been some focus (in the media) on other protocols that can be used in this way.

Only two protocols show any significant activity; virtually nothing on QOTD, SSDP, Quake3.

NOTE: Some of these attacks make use of non-initial-fragments which are not accounted for below.

| Protocol | UDP Port | Percentage of Attacks in Q2 | Max Size | Average Size |
| --- | --- | --- | --- | --- |
| SNMP | 161 | 0.1% | 18.61Gbps | 765.6Mbps |
| Chargen | 19 | 1.4% | 54.4Gbps | 1.18Gbps |

Slide11

2014 ATLAS: World-Wide Largest Monitored Attack Sizes Year on Year

| Year | BPS | PPS |
| --- | --- | --- |
| 2012 | 100.84Gb/sec, destination unknown; lasted 20 mins | 82.36Mpps, destination unknown; lasted 24 mins |
| 2013 | 245Gb/sec (TCP SYN); lasted 16 mins | 202Mpps (UDP/9656); lasted 8 mins |
| 2014 (so far) | 325Gb/sec (NTP), France; lasted 4 h 22 mins | 94.42Mpps, port 80, US; lasted 7 mins |

Slide12

DDoS Amplification Attacks

Slide13

What are Reflection/Amplification Attacks?

Amplification DDoS Attack: an attacker makes a relatively small request that generates a larger response/reply.

Reflection DDoS Attack: a DDoS attack in which forged requests are sent to a very large number of devices that reply to the requests. Using IP address spoofing, the ‘source’ address is set to the actual target of the attack, where all replies are sent.

A Reflection/Amplification DDoS Attack combines both techniques to create a DDoS attack which is both high-volume and difficult to trace back to its point(s) of origin.

Slide14

| Abbreviation | Protocol | Ports | Amplification Factor | # Abusable Servers |
| --- | --- | --- | --- | --- |
| CHARGEN | Character Generation Protocol | UDP / 19 | ~17.75x | Tens of thousands (~90K) |
| DNS | Domain Name System | UDP / 53 | ~160x | Millions (~30M) |
| NTP | Network Time Protocol | UDP / 123 | ~1000x | Over One Hundred Thousand (~128K) |
| SNMP | Simple Network Management Protocol | UDP / 161 | ~880x | Millions (~5M) |

Why NTP for These Attacks?

Slide15

Danger of NTP Reflection/Amplification Attacks
- Implemented in all major operating systems, network infrastructure, and embedded devices
- Availability of over a hundred thousand abusable NTP servers with admin functions incorrectly open to the general Internet
- Gaps in anti-spoofing deployment at network edges
- High amplification ratio
- Low difficulty of execution
- Readily-available attack tools
- High impact = Significant risk for any potential targets

Slide16

Sharp Rise in Popularity & Size of NTP Reflection/Amplification Attacks
- ~128K insecurely-configured NTP servers on the Internet
- Observed NTP Reflection/Amplification attacks exceeding 300 Gbps in Q1 2014
- Attacks often mimic others’ techniques, especially when popularized by news

[Charts: NTP traffic from Dec 2013-Jan 2014; % NTP Attacks vs. All Attacks (% of All)]

ASERT’s Recent NTP Observations

Slide17

Attack Detection, Classification, Traceback, and Mitigation for Amplified DDoS attacks

Slide18

Characteristics of an NTP Reflection/Amplification Attack
- The attacker spoofs the IP address of the target of the attack, sends monlist, showpeers, or other NTP level-6/-7 administrative queries to multiple misconfigured, abusable NTP services running on servers, routers, home CPE devices, etc.
- The attacker chooses the UDP port which he’d like to target – typically, UDP/80 or UDP/123, but it can be any port of the attacker’s choice – and uses that as the source port. The destination port is UDP/123.
- The NTP services ‘reply’ to the attack target with streams of ~468-byte packets sourced from UDP/123 to the target; the destination port is the source port the attacker chose while generating the NTP queries.

Slide19

The Two Factors Which Make These Attacks Possible
- Failure to deploy anti-spoofing mechanisms such as Unicast Reverse-Path Forwarding (uRPF), ACLs, DHCP Snooping & IP Source Guard, Cable IP Source Verify, etc. on the edges of ISP and enterprise networks.
- Misconfigured, abusable NTP services running on servers, routers, switches, home CPE devices, etc.

Slide20

Additional Contributing Factors
- Failure of some ISPs to utilize flow telemetry (e.g., NetFlow, cflowd/jflow, et al.) collection and analysis for attack detection/classification/traceback.
- Failure of some ISPs to proactively scan for and remediate abusable NTP services on their networks and to scan for and alert customers running abusable NTP services – blocking abusable services until they are remediated, if necessary.
- Failure of some ISPs to deploy and effectively utilize DDoS reaction/mitigation tools such as Source-Based Remotely-Triggered Blackholing (S/RTBH), flowspec, and Intelligent DDoS Mitigation Systems (IDMSes).
- Failure of many enterprises/ASPs/etc. to fund and prioritize availability to the degree that they do confidentiality and integrity in the security sphere.
- Failure of many enterprises/ASPs/etc. to utilize flow telemetry and deploy DDoS reaction/mitigation tools.
- Failure of many enterprises/ASPs/etc. to subscribe to ‘Clean Pipes’ DDoS mitigation services offered by ISPs/MSSPs.

Slide21

How Can ISPs Defend Against These Attacks?

Deploy antispoofing at all network edges:
- uRPF Loose-Mode at the peering edge
- uRPF Strict Mode at the customer aggregation edge
- ACLs at the customer aggregation edge
- uRPF Strict-Mode and/or ACLs at the Internet Data Center (IDC) aggregation edge
- DHCP Snooping (works for static addresses, too) and IP Source Verify at the IDC LAN access edge
- PACLs & VACLs at the IDC LAN access edge
- Cable IP Source Verify, etc. at the CMTS
- Other DOCSIS & DSL mechanisms

Utilize flow telemetry (NetFlow, cflowd/jflow, etc.) exported from all network edges for attack detection/classification/traceback:
- Open-source flow telemetry collection/analysis tools allow basic visibility; can be sufficient for high-volume attacks, once impact is evident
- Arbor Peakflow SP, which provides automated detection/classification/traceback and alerting of DDoS attacks via anomaly-detection technology

Slide22

How Can ISPs Defend Against These Attacks? (cont.)

Deploy network infrastructure-based reaction/mitigation techniques such as S/RTBH and flowspec at all network edges to mitigate attacks.

Deploy IDMSes such as Arbor Peakflow TMS in mitigation centers located at topologically-appropriate points within the ISP network to mitigate attacks.

Deploy Quality-of-Service (QoS) mechanisms at all network edges to police non-timesync NTP traffic down to an appropriate level (i.e., 1mb/sec).
- NTP timesync packets are 76 bytes in length (all sizes are minus layer-2 framing)
- NTP monlist replies are ~468 bytes in length
- Observed NTP monlist requests utilized in these attacks are 50, 60, and 234 bytes in length
- Option 1 – police all non-76-byte UDP/123 traffic (source, destination, or both) down to 1mb/sec. This will police both attack source to reflector/amplifier traffic as well as reflector/amplifier to target traffic
- Option 2 – police all 400-byte or larger UDP/123 traffic (source) down to 1mb/sec. This will police only reflector/amplifier to target traffic
- NTP timesync traffic will be unaffected
- Additional administrative (rarely-used) NTP functions such as ntptrace will only be affected during an attack
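The packet-size heuristics from the attack-characteristics slide (76-byte timesync, ~468-byte monlist replies, 50/60/234-byte requests) and the two QoS policing options above, run over constructed flow records. This is an added example, not material from the deck; the flow records, addresses and the 100,000-packet heavy-hitter threshold are constructed assumptions.

```python
# Added example (not from the Arbor deck): classify constructed NetFlow-style
# records using the deck's packet-size heuristics, aggregate amplified replies
# per destination, and show which flows each QoS policing option would hit.
from collections import defaultdict

NTP_PORT = 123
TIMESYNC_LEN = 76                  # timesync packet size, layer-2 framing excluded
MONLIST_REQ_LENS = {50, 60, 234}   # monlist request sizes the deck reports
REPLY_MIN_LEN = 400                # Option 2 threshold (~468-byte monlist replies)

# Constructed UDP flow records: (src, sport, dst, dport, packets, bytes)
FLOWS = [
    ("203.0.113.10", 123, "198.51.100.5", 80, 200000, 93600000),  # reflector -> target
    ("203.0.113.11", 123, "198.51.100.5", 80, 150000, 70200000),  # reflector -> target
    ("198.51.100.5", 80, "203.0.113.10", 123, 4000, 240000),      # spoofed monlist queries
    ("192.0.2.20", 123, "192.0.2.21", 123, 60, 4560),             # normal timesync
    ("192.0.2.22", 123, "192.0.2.23", 123, 2, 600),               # ntptrace-style admin
]

def avg_len(flow):
    return flow[5] / flow[4]

def classify(flow):
    """Label a flow by where UDP/123 sits and by average packet size."""
    src, sport, dst, dport, pkts, byts = flow
    if NTP_PORT not in (sport, dport):
        return "non-ntp"
    size = avg_len(flow)
    if sport == dport == NTP_PORT and round(size) == TIMESYNC_LEN:
        return "timesync"
    if dport == NTP_PORT and round(size) in MONLIST_REQ_LENS:
        return "admin-query"        # attack source -> reflector (spoofed source)
    if sport == NTP_PORT and size >= REPLY_MIN_LEN:
        return "amplified-reply"    # reflector -> target
    return "ntp-other"

def attack_targets(flows, min_packets=100000):
    """Sum amplified-reply packets per destination and return the heavy hitters."""
    per_dst = defaultdict(int)
    for flow in flows:
        if classify(flow) == "amplified-reply":
            per_dst[flow[2]] += flow[4]
    return {dst: n for dst, n in per_dst.items() if n >= min_packets}

def policed(flow, option):
    """Option 1: any non-76-byte UDP/123 (src or dst); Option 2: >=400-byte, src UDP/123."""
    src, sport, dst, dport, pkts, byts = flow
    size = avg_len(flow)
    if option == 1:
        return NTP_PORT in (sport, dport) and round(size) != TIMESYNC_LEN
    return sport == NTP_PORT and size >= REPLY_MIN_LEN
```

Note that Option 1 also rate-limits the ntptrace-style flow and the spoofed queries toward reflectors, while Option 2 only touches the reflector-to-target replies, which is the trade-off the slide describes.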

Slide23

How Can ISPs Defend Against These Attacks? (cont.)
- Proactively scan for and remediate abusable NTP services on the ISP network.
- Proactively scan for and remediate abusable NTP services on customer networks, including blocking traffic to/from abusable services if necessary in order to attain compliance.
- Check http://www.openntpproject.org to see if abusable NTP services have been identified on ISP and/or customer networks.

Slide24

Detection/Classification/Traceback

[Slide24 to Slide37: diagram built up across animation steps; no further transcript text]

Slide38 to Slide44

Mitigation – S/RTBH or Flowspec

[Diagram built up across animation steps. Labels: Peer A, Peer B, Upstream A, Upstream B, NOC, IXP-W, IXP-E, Mobile Infrastructure, Arbor CP, Video, Music, Gaming etc.]

Step 1: NTP reflection/amplification attack traffic ingresses network, saturating core links.

Step 2: Peakflow SP advertises list of blackholed prefixes based on source or destination addresses, or layer-4 flowspec classifier.

Step 3: Edge routers drop attack traffic packets based on source or destination address, or layer-4 classifier (flowspec).
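To make the layer-4 classifier (flowspec) step concrete, an added example that is not from the deck: it encodes a BGP flowspec NLRI in RFC 5575 wire format matching UDP packets sourced from port 123 of 400 bytes or more toward the target prefix, i.e. the deck's Option 2 filter expressed as a flowspec rule an edge router could act on. The 198.51.100.0/24 target prefix is a constructed documentation address.

```python
# Added example (not from the Arbor deck): build the RFC 5575 flowspec NLRI
# bytes for "dst = target prefix, proto = UDP, src port = 123, length >= 400".
import ipaddress
import struct

T_DST_PREFIX, T_IP_PROTO, T_SRC_PORT, T_PKT_LEN = 1, 3, 6, 10
EQ, GT, LT = 0x01, 0x02, 0x04
END = 0x80                         # end-of-list bit in the numeric operator byte

def _operator(value, flags, end=True):
    """One operator+value pair; the value length is encoded as 1 << len (bits 5-4)."""
    if value < 0x100:
        ln, fmt = 0, ">B"
    elif value < 0x10000:
        ln, fmt = 1, ">H"
    else:
        ln, fmt = 2, ">I"
    op = (END if end else 0) | (ln << 4) | flags
    return bytes([op]) + struct.pack(fmt, value)

def prefix_component(ctype, cidr):
    """Type 1/2 component: type, prefix length in bits, then minimal prefix bytes."""
    net = ipaddress.ip_network(cidr, strict=True)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def numeric_component(ctype, value, flags=EQ):
    """Numeric component with a single operator/value pair."""
    return bytes([ctype]) + _operator(value, flags)

def ntp_reply_classifier(target_cidr, min_len=400):
    """NLRI matching dst = target, proto 17 (UDP), src port 123, packet-length >= min_len."""
    body = (prefix_component(T_DST_PREFIX, target_cidr)
            + numeric_component(T_IP_PROTO, 17)
            + numeric_component(T_SRC_PORT, 123)
            + numeric_component(T_PKT_LEN, min_len, GT | EQ))
    # RFC 5575: an NLRI shorter than 240 bytes carries a one-byte length prefix
    assert len(body) < 240
    return bytes([len(body)]) + body

if __name__ == "__main__":
    print(ntp_reply_classifier("198.51.100.0/24").hex())
```

The resulting NLRI would be advertised with a traffic-rate or discard extended community; the rule targets only reflector-to-target replies, so legitimate 76-byte timesync traffic is untouched.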

Slide45

ASERT Threat Intelligence

Slide46

Global Intelligence. Local Protection.

We see things others can’t

Slide47

Arbor Networks’ Product Portfolio

Slide48

Arbor Cloud DDoS Protection

Arbor Cloud DDoS Service
- Arbor supported (Arbor’s SOC)
- Integrates with Pravail APS
- Accepts cloud signals
- Pricing based on volume of peace-time (clean) traffic
- Global cloud scrubbing capacity with 4 centers
- BGP and/or DNS diversion options
- SSL decryption option

Pravail APS (Enterprise)
- Cloud Signaling
- Cloud Signaling capable Cloud DDoS service
- Cloud Portal available for under-attack reporting

Slide49

Thank You