Hell of a Handshake –
Abusing TCP for Amplification DDoS
Marc Kührer [1]
Thomas Hupperich [1]
Christian Rossow [2]
Thorsten Holz [1]
[1] Ruhr-University Bochum, [2] Saarland University
USENIX WOOT, August 2014
Amplification DDoS Attacks
Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks
[Figure: attacker, amplifiers, victim]
TCP and Reflection
TCP 3-Way Handshake
• Reflection
• No amplification
[Figure: handshake between client C and server S]
TCP and Reflection
SYN/ACK Amplifiers
• Keep repeating SYN/ACK until ACK
• Default, e.g., in *nix
• Against packet loss
[Figure: server S repeatedly sends SYN/ACK to client C]
TCP and Reflection
PSH Amplifiers
• Send data before handshake finishes
• e.g., FTP server banner info
[Figure: server S pushes data to client C before the handshake completes]
TCP and Reflection
TCP Closed Port
• Reflection
• No amplification
[Figure: exchange between client C and server S]
TCP and Reflection
RST Amplification
• Hosts persist sending RST
• No rationale?
[Figure: server S repeatedly sends RST to client C]
Methodology
• Scan: IPv4 address range with TCP SYN packets
• Filter: amplification > 20; prevalent protocols
• Stats: amplifier classification; evaluate countermeasures
Amplification Statistics
Attack Frequency
Response packets per X seconds
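The scan, filter and classification steps of the methodology slide and the response-rate measure of the attack-frequency slide, as an added example that is not code from the slides or the authors' scanner. It assumes one 40-byte TCP SYN probe was sent to each candidate host and that every response was recorded as (source, timestamp, flags, length); the responder records are constructed sample data.

```python
"""Measurement-side analysis of TCP reflection responses.

Added example; it is not code from the WOOT 2014 slides or the authors'
scanner. It assumes one 40-byte TCP SYN probe was sent to every candidate
host and that the responses were recorded as (source, timestamp, flags,
length). It applies the filter (amplification > 20) and classification
steps from the methodology slide and computes the response rate from the
attack-frequency slide. All records below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

PROBE_BYTES = 40               # assumption: minimal TCP SYN probe size
AMPLIFICATION_THRESHOLD = 20   # filter threshold from the methodology slide


@dataclass(frozen=True)
class Response:
    src: str      # responding host
    ts: float     # seconds after the probe was sent
    flags: str    # TCP flags, e.g. "SA" (SYN/ACK), "PA" (PSH/ACK), "R" (RST)
    length: int   # bytes on the wire


# Constructed sample: four responders, one probe each.
SAMPLE = [
    # 10.0.0.1 retransmits SYN/ACK 25 times, 60 bytes each (SYN/ACK storm)
    *[Response("10.0.0.1", 1.0 + 3.0 * i, "SA", 60) for i in range(25)],
    # 10.0.0.2 sends a 1200-byte banner before the handshake completes (PSH)
    Response("10.0.0.2", 0.1, "SA", 60),
    Response("10.0.0.2", 0.2, "PA", 1200),
    # 10.0.0.3 behaves normally: a single SYN/ACK
    Response("10.0.0.3", 0.05, "SA", 60),
    # 10.0.0.4 keeps sending RST, 40 bytes each, every 0.5 s (RST storm)
    *[Response("10.0.0.4", 0.5 * i, "R", 40) for i in range(30)],
]


def group_by_source(responses):
    """Group response records by responding host."""
    streams = defaultdict(list)
    for r in responses:
        streams[r.src].append(r)
    return streams


def amplification_factor(stream, probe_bytes=PROBE_BYTES):
    """Bandwidth amplification: bytes received divided by bytes sent in the probe."""
    return sum(r.length for r in stream) / probe_bytes


def classify_stream(stream):
    """Name the behaviour of one responder's stream after the three slide categories."""
    flags = [r.flags for r in stream]
    if any("P" in f for f in flags):
        return "PSH"               # data pushed before the handshake finished
    if all(f == "R" for f in flags):
        return "RST"               # host persists sending RST
    if flags.count("SA") > 1:
        return "SYN/ACK"           # SYN/ACK retransmitted without an ACK
    return "normal"


def peak_response_rate(stream, window=10.0):
    """Attack frequency: the largest number of response packets in any `window` seconds."""
    buckets = defaultdict(int)
    for r in stream:
        buckets[int(r.ts // window)] += 1
    return max(buckets.values(), default=0)


def find_amplifiers(responses, threshold=AMPLIFICATION_THRESHOLD):
    """Return {host: (factor, kind, peak_rate)} for responders above the threshold."""
    found = {}
    for host, stream in group_by_source(responses).items():
        factor = amplification_factor(stream)
        if factor > threshold:
            found[host] = (factor, classify_stream(stream), peak_response_rate(stream))
    return found


if __name__ == "__main__":
    for host, (factor, kind, rate) in sorted(find_amplifiers(SAMPLE).items()):
        print(f"{host}: {kind} stream, amplification {factor:.1f}x, peak {rate} pkts/10s")
```

The factor is bandwidth amplification per probe, so a host that answers a single 60-byte SYN/ACK scores 1.5 and is dropped by the filter, while a SYN/ACK retransmission storm, a pre-handshake banner push and a persistent RST sender all pass it and are reported with their category and peak packet rate.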
Amplifier Classification
Device type: Networking Equipment, Misc embedded, Unknown
OS: Linux, ZyNOS, Unknown
Active Defense
• SYN/ACK storms: send RST segments; stops about 99.9% of the SYN/ACK streams
• RST storms: send ICMP port unreachable messages; stops about 80% of the RST streams
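Victim-side detection of the reflected streams the active-defense slide targets, as an added example that is not code from the slides. It assumes the victim's edge records TCP packets as (direction, remote host, flags) in arrival order; an inbound SYN/ACK or RST from a host the victim never sent a SYN to is unsolicited and treated as reflected output of a spoofed probe. For each such stream above a packet threshold (the threshold of 5 is an assumption) the block selects the countermeasure the slide names; actually emitting the RST or ICMP packets is left to the operator. The events are constructed sample data.

```python
"""Victim-side detection of reflected TCP streams and countermeasure choice.

Added example, not code from the slides. It assumes the victim's edge records
TCP packets as (direction, remote_host, flags) in arrival order. An inbound
SYN/ACK or RST from a host the victim never sent a SYN to is unsolicited and
treated as reflected output of a spoofed probe; for each such stream of at
least min_packets (an assumed threshold) the countermeasure from the Active
Defense slide is chosen. The events below are constructed sample data.
"""
from collections import Counter

# Constructed events: ("out" | "in", remote host, TCP flags)
EVENTS = [
    ("out", "203.0.113.5", "S"),            # victim legitimately opens a connection
    ("in", "203.0.113.5", "SA"),            # expected reply, not unsolicited
    ("out", "203.0.113.5", "A"),
    *[("in", "198.51.100.7", "SA")] * 12,   # unsolicited SYN/ACK stream
    *[("in", "198.51.100.9", "R")] * 8,     # unsolicited RST stream
    ("in", "198.51.100.11", "SA"),          # single stray SYN/ACK, below threshold
]

# Inbound flags -> countermeasure, as given on the Active Defense slide
COUNTERMEASURE = {
    "SA": "send RST segments",
    "R": "send ICMP port unreachable",
}


def unsolicited_streams(events):
    """Count inbound SYN/ACK and RST packets per remote that the victim never contacted.

    Returns a Counter keyed by (remote, flags).
    """
    contacted = set()
    counts = Counter()
    for direction, remote, flags in events:
        if direction == "out" and "S" in flags:
            # we sent a SYN or SYN/ACK to this host, so its replies are solicited
            contacted.add(remote)
        elif direction == "in" and flags in COUNTERMEASURE and remote not in contacted:
            counts[(remote, flags)] += 1
    return counts


def plan_countermeasures(events, min_packets=5):
    """Pick the slide's countermeasure for every unsolicited stream of at least min_packets."""
    return {
        remote: COUNTERMEASURE[flags]
        for (remote, flags), n in unsolicited_streams(events).items()
        if n >= min_packets
    }


if __name__ == "__main__":
    for remote, action in sorted(plan_countermeasures(EVENTS).items()):
        print(f"{remote}: {action}")
```

Tracking outbound SYNs is what separates a reflected stream from the normal SYN/ACK a victim receives for its own connection attempts; a single stray packet stays below the threshold and is not acted on.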
Conclusion
• TCP also suffers from amplification vulnerabilities: RST, PSH and SYN/ACK storms
• We notified vendors, but fixes will take time
• Use active countermeasures to mitigate attacks