Worldwide Infrastructure Security Report: Large Scale DDoS Attacks Update. CF Chui, Solutions Architect, Arbor Networks, Sept 2014. The deck covers the WISR Q2 2014 update and the Arbor ATLAS Initiative: Internet Trends.
Slide 1: Worldwide Infrastructure Security Report – Large Scale DDoS Attacks Update
CF Chui – Solutions Architect, Arbor Networks
Sept 2014
Slide 2: Worldwide Infrastructure Security Report (WISR) Q2 2014 Update
Slide 3: The Arbor ATLAS Initiative: Internet Trends
290+ ISPs sharing real-time data -> ATLAS Internet Trends
- Automated hourly export of an XML file to an Arbor server (HTTPS)
- File is anonymous, only tagged with: User Specified Region (e.g. Europe); Provider Type (self categorized, e.g. Tier 1)
- Data derived from Flow / BGP / SNMP correlation
Arbor Peakflow SP product
- Correlates Sampled Flow / BGP in real-time
- Distributed in nature
- Network / Router / Interface etc. Traffic Reporting
- Threat Detection (DDoS / infected sub), multiple detection mechanisms
ATLAS is currently monitoring a peak of around 90Tbps of IPv4 traffic across all respondents, a significant proportion of Internet traffic.
Slide 4: ATLAS Global Threat Analysis System
The ATLAS Global Threat Analysis and Monitoring System is actively monitoring more than 90 Tbps, or 1/3 of all internet traffic, 24/7.
Slide 5: The Arbor ATLAS Initiative: Internet Trends 2014
Key Findings:
- Q1 2014 saw probably the most concentrated burst of large volumetric DDoS attacks ever; things have calmed down again in Q2.
- NTP reflection attacks still significant, but reduced numbers / size compared to Q1. NTP traffic volumes falling globally, but still not back to 'normal'.
- Largest attack in Q2 is NTP reflection, but 'ONLY' 154Gbps, target in Spain.
- Already seen more than 2x the number of events over 20Gbps compared to 2013. Already seen more than 100 events over 100Gb/sec this year.
- Non Initial Fragment attacks still the most common, but big increase in the proportion of attacks targeting DNS (53) in Q2.
Slide 6: Second quarter of new ATLAS data-set
- Focus on providing baseline data for future comparisons
- Comparisons to Q1 2014
2014 Q2 Summary: 2014 ATLAS: World-Wide
- 2014 Q2 Average: 759.83 Mb/sec (-47% from Q1); 199.85 Kpps (-36% from Q1)
- 2014 Q2 Peak: 154.69 Gb/sec (-101% from Q1); 80 Mpps (-18% from Q1)
Slide 7: 2014 Q2 Summary: 2014 ATLAS: Hong Kong
- 2014 Q2 Average: 713.26 Mb/sec (+20.4% from Q1); 232.46 Kpps (+40.5% from Q1)
- 2014 Q2 Peak: 47.24 Gb/sec (+67% from Q1); 8.52 Mpps (+32% from Q1)
Slide 8: 2014 ATLAS: World-Wide – NTP Reflection / Amplification
NTP attacks clearly shown in ATLAS traffic data.
- Average of 1.29 Gbps NTP traffic globally in November 2013
- Average of 351.64 Gbps in February 2014
- Average of 32.3 Gbps in June 2014
NTP cooling off through the end of March and into Q2; still significantly above 2013 levels.
- 6% of events overall (down from 14% in Q1)
- 34% of events over 10Gbps (down from 56%)
- 48.7% of events over 100Gbps (down 84.7%)
(Chart: Proportion of Events with Source Port 123)
Slide 9: 2014 ATLAS: Hong Kong
- Majority of the attacks seen were NOT NTP reflection attacks
- Most attacks were TCP SYN to port 80
Slide 10: 2014 ATLAS: World-Wide – Other Protocols for Amplification
Given the huge storm of NTP reflection activity, there has been some focus (in the media) on other protocols that can be used in this way.
- Only two protocols show any significant activity
- Virtually nothing on QOTD, SSDP, Quake3.
NOTE: Some of these attacks make use of non-initial-fragments which are not accounted for below.

Protocol | UDP Port | Percentage of Attacks in Q2 | Max Size  | Average Size
SNMP     | 161      | 0.1%                        | 18.61Gbps | 765.6Mbps
Chargen  | 19       | 1.4%                        | 54.4Gbps  | 1.18Gbps
Slide 11: 2014 ATLAS: World-Wide – Largest Monitored Attack Sizes Year on Year

Year          | BPS                                               | PPS
2012          | 100.84Gb/sec, destination unknown, lasted 20 mins | 82.36Mpps, destination unknown, lasted 24 mins
2013          | 245Gb/sec (TCP SYN), lasted 16 mins               | 202Mpps (UDP/9656), lasted 8 mins
2014 (so far) | 325Gb/sec (NTP), France, lasted 4 h 22 mins       | 94.42Mpps, port 80, US, lasted 7 mins
Slide 12: DDoS Amplification Attacks
Slide 13: What are Reflection/Amplification Attacks?
- Amplification DDoS Attack: an attacker makes a relatively small request that generates a larger response/reply.
- Reflection DDoS Attack: a DDoS attack in which forged requests are sent to a very large number of devices that reply to the requests. Using IP address spoofing, the 'source' address is set to the actual target of the attack, where all replies are sent.
- A Reflection/Amplification DDoS Attack combines both techniques to create a DDoS attack which is both high-volume and difficult to trace back to its point(s) of origin.
Slide 14: Amplification protocols

Abbreviation | Protocol                           | Ports     | Amplification Factor | # Abusable Servers
CHARGEN      | Character Generation Protocol      | UDP / 19  | ~17.75x              | Tens of thousands (~90K)
DNS          | Domain Name System                 | UDP / 53  | ~160x                | Millions (~30M)
NTP          | Network Time Protocol              | UDP / 123 | ~1000x               | Over One Hundred Thousand (~128K)
SNMP         | Simple Network Management Protocol | UDP / 161 | ~880x                | Millions (~5M)

Why NTP for These Attacks?
Slide 15: Danger of NTP Reflection/Amplification Attacks
- Implemented in all major operating systems, network infrastructure, and embedded devices
- Availability of over a hundred thousand abusable NTP servers with admin functions incorrectly open to the general Internet
- Gaps in anti-spoofing deployment at network edges
- High amplification ratio
- Low difficulty of execution
- Readily-available attack tools
- High impact = Significant risk for any potential targets
Slide 16: Sharp Rise in Popularity & Size of NTP Reflection/Amplification Attacks
- ~128K insecurely-configured NTP servers on the Internet
- Observed NTP Reflection/Amplification attacks exceeding 300 Gbps in Q1 2014
- Attacks often mimic others' techniques, especially when popularized by news
(Charts: NTP traffic from Dec 2013-Jan 2014; % NTP Attacks vs. All Attacks (% of All); ASERT's Recent NTP Observations)
Slide 17: Attack Detection, Classification, Traceback, and Mitigation for Amplified DDoS attacks
Slide 18: Characteristics of an NTP Reflection/Amplification Attack
- The attacker spoofs the IP address of the target of the attack, sends monlist, showpeers, or other NTP level-6/-7 administrative queries to multiple misconfigured, abusable NTP services running on servers, routers, home CPE devices, etc.
- The attacker chooses the UDP port which he'd like to target (typically UDP/80 or UDP/123, but it can be any port of the attacker's choice) and uses that as the source port. The destination port is UDP/123.
- The NTP services 'reply' to the attack target with streams of ~468-byte packets sourced from UDP/123 to the target; the destination port is the source port the attacker chose while generating the NTP queries.
Slide 19: The Two Factors Which Make These Attacks Possible
- Failure to deploy anti-spoofing mechanisms such as Unicast Reverse-Path Forwarding (uRPF), ACLs, DHCP Snooping & IP Source Guard, Cable IP Source Verify, etc. on the edges of ISP and enterprise networks.
- Misconfigured, abusable NTP services running on servers, routers, switches, home CPE devices, etc.
Slide 20: Additional Contributing Factors
- Failure of some ISPs to utilize flow telemetry (e.g., NetFlow, cflowd/jflow, et al.) collection and analysis for attack detection/classification/traceback.
- Failure of some ISPs to proactively scan for and remediate abusable NTP services on their networks and to scan for and alert customers running abusable NTP services, blocking abusable services until they are remediated, if necessary.
- Failure of some ISPs to deploy and effectively utilize DDoS reaction/mitigation tools such as Source-Based Remotely-Triggered Blackholing (S/RTBH), flowspec, and Intelligent DDoS Mitigation Systems (IDMSes).
- Failure of many enterprises/ASPs/etc. to fund and prioritize availability to the degree that they do confidentiality and integrity in the security sphere.
- Failure of many enterprises/ASPs/etc. to utilize flow telemetry and deploy DDoS reaction/mitigation tools.
- Failure of many enterprises/ASPs/etc. to subscribe to 'Clean Pipes' DDoS mitigation services offered by ISPs/MSSPs.
Slide 21: How Can ISPs Defend Against These Attacks?
- Deploy antispoofing at all network edges:
  - uRPF Loose-Mode at the peering edge
  - uRPF Strict-Mode at the customer aggregation edge
  - ACLs at the customer aggregation edge
  - uRPF Strict-Mode and/or ACLs at the Internet Data Center (IDC) aggregation edge
  - DHCP Snooping (works for static addresses, too) and IP Source Verify at the IDC LAN access edge
  - PACLs & VACLs at the IDC LAN access edge
  - Cable IP Source Verify, etc. at the CMTS
  - Other DOCSIS & DSL mechanisms
- Utilize flow telemetry (NetFlow, cflowd/jflow, etc.) exported from all network edges for attack detection/classification/traceback:
  - Open-source flow telemetry collection/analysis tools allow basic visibility; can be sufficient for high-volume attacks, once impact is evident
  - Arbor Peakflow SP, which provides automated detection/classification/traceback and alerting of DDoS attacks via anomaly-detection technology
Slide 22: How Can ISPs Defend Against These Attacks? (cont.)
- Deploy network infrastructure-based reaction/mitigation techniques such as S/RTBH and flowspec at all network edges to mitigate attacks.
- Deploy IDMSes such as Arbor Peakflow TMS in mitigation centers located at topologically-appropriate points within the ISP network to mitigate attacks.
- Deploy Quality-of-Service (QoS) mechanisms at all network edges to police non-timesync NTP traffic down to an appropriate level (i.e., 1mb/sec).
  - NTP timesync packets are 76 bytes in length (all sizes are minus layer-2 framing).
  - NTP monlist replies are ~468 bytes in length.
  - Observed NTP monlist requests utilized in these attacks are 50, 60, and 234 bytes in length.
  - Option 1: police all non-76-byte UDP/123 traffic (source, destination, or both) down to 1mb/sec. This will police both attack source -> reflector/amplifier traffic as well as reflector/amplifier -> target traffic.
  - Option 2: police all 400-byte or larger UDP/123 traffic (source) down to 1mb/sec. This will police only reflector/amplifier -> target traffic.
  - NTP timesync traffic will be unaffected.
  - Additional administrative (rarely-used) NTP functions such as ntptrace will only be affected during an attack.
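Worked example, added here and not Arbor Peakflow SP code or any Arbor tool, of the flow-telemetry detection/classification/traceback step from Slide 21 together with the two UDP/123 policing options above, run over constructed flow records. The Flow fields, the router:interface names and the one-second export window are assumptions; the 76-byte timesync size, the ~468-byte monlist reply size and the 400-byte Option 2 threshold are the values stated on the slides. The report shows why Option 1 also catches the 234-byte query traffic heading toward a reflector while Option 2 only catches reflector-to-target traffic, and confirms that neither touches a 76-byte timesync flow.

```python
# Added example (not Arbor/Peakflow SP code): classify NTP reflection/amplification
# traffic from flow telemetry and evaluate the two UDP/123 policing options from the
# slides. All flow records below are constructed; interface names are assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One exported flow record (NetFlow/cflowd/jflow style), constructed for this example."""
    src: str
    dst: str
    proto: int      # 17 = UDP, 6 = TCP
    sport: int
    dport: int
    packets: int
    octets: int
    ingress: str    # router:interface the record was exported from (traceback hint)


# Packet sizes quoted on the slides (layer-2 framing excluded).
NTP_TIMESYNC_LEN = 76   # normal client/server timesync packets
NTP_LARGE_LEN = 400     # Option 2 threshold; monlist replies are ~468 bytes
WINDOW_SECONDS = 1      # assumption: each record covers one second of export


def avg_len(f: Flow) -> float:
    return f.octets / f.packets


def mbps(octets: int) -> float:
    return octets * 8 / 1e6 / WINDOW_SECONDS


def is_amplified_ntp_reply(f: Flow) -> bool:
    """Reflector -> target traffic: UDP sourced from port 123 carrying large packets."""
    return f.proto == 17 and f.sport == 123 and avg_len(f) >= NTP_LARGE_LEN


def classify(flows, min_mbps=100.0, min_reflectors=3):
    """Aggregate amplified NTP replies per destination and return an alert per target
    whose reflected rate exceeds min_mbps from at least min_reflectors sources.
    top_ingress is the interface carrying most of it: the starting point for traceback."""
    per_dst = defaultdict(lambda: {"octets": 0, "reflectors": set(),
                                   "ingress": defaultdict(int), "dports": set()})
    for f in flows:
        if not is_amplified_ntp_reply(f):
            continue
        agg = per_dst[f.dst]
        agg["octets"] += f.octets
        agg["reflectors"].add(f.src)
        agg["ingress"][f.ingress] += f.octets
        agg["dports"].add(f.dport)
    alerts = {}
    for dst, agg in per_dst.items():
        rate = mbps(agg["octets"])
        if rate >= min_mbps and len(agg["reflectors"]) >= min_reflectors:
            alerts[dst] = {"mbps": round(rate, 2),
                           "reflectors": len(agg["reflectors"]),
                           "dports": sorted(agg["dports"]),
                           "top_ingress": max(agg["ingress"], key=agg["ingress"].get)}
    return alerts


def option1_policed(f: Flow) -> bool:
    """Option 1: police all non-76-byte UDP/123 traffic (source or destination port)."""
    return f.proto == 17 and 123 in (f.sport, f.dport) and round(avg_len(f)) != NTP_TIMESYNC_LEN


def option2_policed(f: Flow) -> bool:
    """Option 2: police all 400-byte-or-larger UDP traffic sourced from port 123."""
    return f.proto == 17 and f.sport == 123 and avg_len(f) >= NTP_LARGE_LEN


def policing_report(flows):
    """Per option: flows and Mbps under the policer, and whether any 76-byte timesync
    flow would be caught (the slides require that it is not)."""
    report = {}
    for name, rule in (("option1", option1_policed), ("option2", option2_policed)):
        hit = [f for f in flows if rule(f)]
        report[name] = {"policed_flows": len(hit),
                        "policed_mbps": round(mbps(sum(f.octets for f in hit)), 2),
                        "timesync_affected": any(round(avg_len(f)) == NTP_TIMESYNC_LEN for f in hit)}
    return report


# Constructed one-second sample (RFC 5737 documentation addresses). Target 203.0.113.10
# is hit on UDP/80 by five reflectors sending ~468-byte replies, three of them via edge1.
SAMPLE_FLOWS = [
    Flow(f"198.51.100.{i}", "203.0.113.10", 17, 123, 80, 50_000, 50_000 * 468,
         "edge1:ge-0/0/1" if i <= 13 else "edge2:ge-0/0/1")
    for i in range(11, 16)
] + [
    # 234-byte queries carrying the target's address, seen heading toward a reflector
    Flow("203.0.113.10", "198.51.100.11", 17, 80, 123, 1_000, 234_000, "edge3:ge-0/0/2"),
    # ordinary NTP timesync exchange, 76-byte packets both ways
    Flow("192.0.2.5", "198.51.100.1", 17, 123, 123, 10, 760, "edge3:ge-0/0/1"),
    Flow("198.51.100.1", "192.0.2.5", 17, 123, 123, 10, 760, "edge1:ge-0/0/1"),
    # unrelated web traffic to the same target
    Flow("192.0.2.50", "203.0.113.10", 6, 51000, 80, 400, 60_000, "edge2:ge-0/0/1"),
]

if __name__ == "__main__":
    print(classify(SAMPLE_FLOWS))
    print(policing_report(SAMPLE_FLOWS))
```

On the sample, classify() raises one alert for 203.0.113.10 (936 Mbps from five reflectors, mostly via edge1) and policing_report() shows Option 1 catching six flows (the five reply flows plus the query flow) against Option 2's five, with the timesync flows untouched by both.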
Slide 23: How Can ISPs Defend Against These Attacks? (cont.)
- Proactively scan for and remediate abusable NTP services on the ISP network.
- Proactively scan for and remediate abusable NTP services on customer networks, including blocking traffic to/from abusable services if necessary in order to attain compliance.
- Check http://www.openntpproject.org to see if abusable NTP services have been identified on ISP and/or customer networks.
Slides 24–37: Detection/Classification/Traceback (a sequence of screenshot slides; the only slide text is the title)
Slides 38–44: Mitigation – S/RTBH or Flowspec
(Network diagram, repeated across slides 38–44: Peer A, Peer B, Upstream A, Upstream B, IXP-W, IXP-E, NOC, Arbor CP, Mobile Infrastructure, and content (Video, Music, Gaming etc.).)
Animation steps:
1. NTP reflection/amplification attack traffic ingresses the network, saturating core links.
2. Peakflow SP advertises a list of blackholed prefixes based on source or destination addresses, or a layer-4 flowspec classifier.
3. Edge routers drop attack traffic packets based on source or destination address, or layer-4 classifier (flowspec).
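Worked example, added here and not Peakflow SP or router code, modelling the edge-router drop decision in step 3 of the diagram sequence under the three policies step 2 can advertise: destination-based RTBH, source-based RTBH, and a flowspec layer-4 classifier. The FlowspecRule fields are a subset of the RFC 5575 match components, and the packets and addresses are constructed. Running all three over the same packets shows the collateral each one carries alongside the attack it stops.

```python
# Added example (not Arbor/Peakflow SP code): compare destination-based RTBH,
# source-based RTBH and a flowspec layer-4 classifier at the network edge.
# Packets and addresses below are constructed (RFC 5737 documentation ranges).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    length: int
    kind: str   # ground-truth label used only for scoring: "attack" or "legit"


@dataclass(frozen=True)
class FlowspecRule:
    """Subset of the RFC 5575 match components (destination prefix, IP protocol,
    source port, minimum packet length); a real flowspec NLRI carries more."""
    dst_prefix: str
    proto: int = 17
    sport: int = 123
    min_length: int = 400   # monlist replies are ~468 bytes, timesync packets 76

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.dst) in ip_network(self.dst_prefix)
                and p.proto == self.proto and p.sport == self.sport
                and p.length >= self.min_length)


def host_routes(addrs):
    """/32 host routes as the NOC would advertise them for RTBH."""
    return {ip_network(a + "/32") for a in addrs}


def edge_decision(p, d_rtbh=(), s_rtbh=(), flowspec=()):
    """What an edge router does with one packet under the advertised policy."""
    if any(ip_address(p.dst) in n for n in d_rtbh):
        return "drop:d-rtbh"       # destination blackhole: everything to the target dies
    if any(ip_address(p.src) in n for n in s_rtbh):
        return "drop:s-rtbh"       # source blackhole: everything from the reflector dies
    if any(r.matches(p) for r in flowspec):
        return "drop:flowspec"     # layer-4 match: only the described packets die
    return "forward"


def evaluate(packets, **policy):
    """Attack packets dropped, legitimate packets dropped (collateral) and attack
    packets still forwarded under one policy."""
    out = {"attack_dropped": 0, "legit_dropped": 0, "attack_forwarded": 0}
    for p in packets:
        dropped = edge_decision(p, **policy) != "forward"
        if p.kind == "attack":
            out["attack_dropped" if dropped else "attack_forwarded"] += 1
        elif dropped:
            out["legit_dropped"] += 1
    return out


TARGET = "203.0.113.10"
REFLECTORS = [f"198.51.100.{i}" for i in range(11, 16)]

SAMPLE_PACKETS = [Packet(r, TARGET, 17, 123, 80, 468, "attack") for r in REFLECTORS] + [
    Packet("192.0.2.50", TARGET, 6, 51000, 80, 60, "legit"),          # web client to target
    Packet("198.51.100.20", TARGET, 17, 123, 123, 76, "legit"),       # target's own timesync
    Packet("198.51.100.11", "192.0.2.5", 17, 123, 123, 76, "legit"),  # reflector serving a real client
]

POLICIES = {
    "d-rtbh": {"d_rtbh": host_routes([TARGET])},
    "s-rtbh": {"s_rtbh": host_routes(REFLECTORS)},
    "flowspec": {"flowspec": [FlowspecRule(TARGET + "/32")]},
}


def compare_mitigations(packets=None):
    packets = SAMPLE_PACKETS if packets is None else packets
    return {name: evaluate(packets, **policy) for name, policy in POLICIES.items()}


if __name__ == "__main__":
    for name, result in compare_mitigations().items():
        print(name, result)
```

All three policies drop every attack packet, but destination-based RTBH also drops the web client and the target's own timesync traffic (the target is taken fully offline), source-based RTBH drops the reflector's replies to a genuine NTP client, and only the flowspec rule, matching large UDP packets from port 123 toward the target, drops nothing legitimate. That is the trade-off behind advertising a layer-4 classifier instead of a plain blackhole where the edge routers support it.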
Slide 45: ASERT Threat Intelligence
Slide 46: Global Intelligence. Local Protection.
We see things others can't.
Slide 47: Arbor Networks' Product Portfolio
Slide 48: Arbor Cloud DDoS Protection
Arbor Cloud DDoS Service:
- Arbor supported (Arbor's SOC)
- Integrates with Pravail APS
- Accepts cloud signals
- Pricing based on volume of peace-time (clean) traffic
- Global cloud scrubbing capacity with 4 centers
- BGP and/or DNS diversion options
- SSL decryption option
(Diagram: Pravail APS at the Enterprise sends Cloud Signaling to a Cloud Signaling capable Cloud DDoS service; a Cloud Portal is available for under-attack reporting.)
Slide 49: Thank You