DDOS — Nuisance or Threat? Harold Teunissen & Roland van Rijswijk-Deij TECHEX14, Indianapolis, October 2014 © Norse

DDOS – a Nuisance or Threat?


The last several years have seen a dramatic surge in the effective use of Distributed Denial of Service (DDoS) as a weapon of cyber attack. These attacks have grown from humble beginnings as an occasional nuisance to one of the biggest threats to network stability and security. No longer only the domain of elite attackers, today’s DDoS attacks can be easily launched by those with limited technical skills, and the results can seriously impair the operations of the victim.



Page 2: DDOS – a Nuisance or Threat?

DDOS Nuisance or Threat — TECHEX14— Indianapolis, IN — October 2014

Serving Dutch research & education


Page 3: DDOS – a Nuisance or Threat?

SURF as umbrella

• All ICT activities for Higher Education and Research in the Netherlands are under the SURF umbrella

Scientific Computing & Big Data

Commercial ICT Products & Services

National Research & Education Network

eScience Collaboration and Tools

Page 4: DDOS – a Nuisance or Threat?

Absolute awareness

Page 5: DDOS – a Nuisance or Threat?

We take security seriously

Page 6: DDOS – a Nuisance or Threat?

Vision

Page 7: DDOS – a Nuisance or Threat?

Immunity

Page 8: DDOS – a Nuisance or Threat?

Level of protection

Page 9: DDOS – a Nuisance or Threat?

Security & Privacy Program

AWARENESS

COMMUNITIES SERVICES

STANDARDS

FREE INTERNET

SAFE AND SECURE ENVIRONMENT

Page 10: DDOS – a Nuisance or Threat?

What do we see?

Attacks: Universities

Attacks: Vocational Education

Attacks: High Schools

FAIR SHARE?

Page 11: DDOS – a Nuisance or Threat?

Regular user

DUTCH PUBLIC BROADCASTER

Page 12: DDOS – a Nuisance or Threat?

Regular user

DUTCH PUBLIC BROADCASTER

Winter Olympics

World Cup Soccer

Page 13: DDOS – a Nuisance or Threat?

Regular user

DUTCH PUBLIC BROADCASTER

MH17

Page 14: DDOS – a Nuisance or Threat?

A Large University

Not every spike is an attack

DDOS Astronomers

Page 15: DDOS – a Nuisance or Threat?

What do we see?

• DDoS attacks mostly directed against schools
• Majority are Bandwidth Denial-of-Service attacks
  - Usually some form of amplification, mostly NTP, DNS, CharGen; we also now see some UPnP based stuff
• Not every traffic spike is an attack
  - Monitor for anomalous events (e.g. excess UDP/ICMP traffic)
  - Manual analysis by our CSIRT
• Attacks in Tens-of-Gigabits order of magnitude
• Many attacks rely on “DDoS-for-Hire” a.k.a. Booters and are often inside jobs
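A sketch of the triage this slide describes, as an added example that is not the presenters' tooling: it flags destinations whose traffic exceeds a baseline and separates spikes dominated by the reflector protocols named above (plus ICMP) from spikes that still need manual review. The flow tuple layout, thresholds, baselines and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# UDP source ports of the reflector protocols named on the slide
# (SSDP on port 1900 is the UPnP discovery protocol).
AMPLIFIER_PORTS = {123: "NTP", 53: "DNS", 19: "CharGen", 1900: "UPnP/SSDP"}

def triage_spikes(flows, baseline_bps, window_s=60, spike_factor=5.0, suspect_share=0.6):
    """Triage one time window of flow summaries: (dst_ip, proto, src_port, bytes).

    Returns {dst_ip: (verdict, dominant_protocol)} for every destination whose
    rate exceeds spike_factor x its baseline. Thresholds are illustrative.
    """
    total = defaultdict(int)
    suspect = defaultdict(lambda: defaultdict(int))
    for dst, proto, sport, nbytes in flows:
        total[dst] += nbytes
        if proto == "udp" and sport in AMPLIFIER_PORTS:
            suspect[dst][AMPLIFIER_PORTS[sport]] += nbytes
        elif proto == "icmp":
            suspect[dst]["ICMP"] += nbytes

    verdicts = {}
    for dst, nbytes in total.items():
        bps = nbytes * 8 / window_s
        if nbytes == 0 or dst not in baseline_bps or bps < spike_factor * baseline_bps[dst]:
            continue  # no baseline or no spike: nothing to triage here
        by_proto = suspect[dst]
        if sum(by_proto.values()) / nbytes >= suspect_share:
            verdicts[dst] = ("likely-amplification", max(by_proto, key=by_proto.get))
        else:
            # Large but mostly ordinary traffic: hand over for manual analysis.
            verdicts[dst] = ("spike-needs-csirt-review", None)
    return verdicts

# Constructed sample window (documentation address ranges, made-up volumes).
SAMPLE_FLOWS = [
    ("192.0.2.10", "udp", 123, 600_000_000),      # school: NTP reflection
    ("192.0.2.10", "udp", 53, 250_000_000),
    ("192.0.2.10", "tcp", 443, 50_000_000),
    ("198.51.100.20", "tcp", 443, 2_000_000_000),  # broadcaster: popular event
    ("198.51.100.20", "udp", 53, 1_000_000),
    ("203.0.113.5", "tcp", 443, 10_000_000),       # ordinary day
]
SAMPLE_BASELINE = {"192.0.2.10": 10e6, "198.51.100.20": 20e6, "203.0.113.5": 5e6}

if __name__ == "__main__":
    for dst, verdict in triage_spikes(SAMPLE_FLOWS, SAMPLE_BASELINE).items():
        print(dst, verdict)
```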

Page 16: DDOS – a Nuisance or Threat?

Keep your friends close...

• We were monitoring for a particular attack (because it abused some of our infrastructure)
• One of our customers appeared in a list of spoofed IP addresses for this particular attack
• And was the victim of a number of DDoS attacks
• The timing of the attacks was rather suggestive...

Always during school hours!

• Let’s have a look at what the school found

Page 17: DDOS – a Nuisance or Threat?

Let’s see what happens if...

• The external NAT IP address is changed
  – Will the attack follow?
• We look at the time lines
  – Comparing attack times against class schedule
• We ask teachers about suspicious behaviour
  – Are there signs that the culprit is among the students?
• Policy-Based Routing (PBR)
  – Giving a suspected class a different external IP address
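The timeline comparison from this slide, as an added example that is not code from the school or the presenters: it ranks class groups by how many attacks began while the group was in session and by the share of total attack time that fell inside its lessons. The group names, dates, timetable and attack intervals are constructed, and lessons of one group are assumed not to overlap each other.

```python
from datetime import datetime, timedelta

def overlap(a_start, a_end, b_start, b_end):
    """Length of the intersection of two intervals (zero if disjoint)."""
    return max(min(a_end, b_end) - max(a_start, b_start), timedelta(0))

def rank_classes(attacks, timetable):
    """Return [(group, attacks_started_in_session, share_of_attack_time)], best match first.

    attacks:   list of (start, end) datetimes taken from monitoring data.
    timetable: dict mapping a class group to its list of (start, end) lessons.
    """
    total = sum((end - start for start, end in attacks), timedelta(0))
    if not total:
        return []
    ranking = []
    for group, lessons in timetable.items():
        started = sum(any(ls <= a_s < le for ls, le in lessons) for a_s, _ in attacks)
        covered = sum((overlap(a_s, a_e, ls, le)
                       for a_s, a_e in attacks for ls, le in lessons), timedelta(0))
        ranking.append((group, started, round(covered / total, 2)))
    return sorted(ranking, key=lambda r: (-r[1], -r[2]))

def t(day, hhmm):
    """Helper for the constructed sample data below."""
    return datetime.fromisoformat(f"2014-03-{day:02d}T{hhmm}")

# Constructed attack log and timetable (hypothetical groups class-A..C).
ATTACKS = [(t(10, "09:05"), t(10, "09:35")),
           (t(11, "13:10"), t(11, "13:40")),
           (t(12, "10:20"), t(12, "10:50"))]
TIMETABLE = {
    "class-A": [(t(10, "08:30"), t(10, "10:00")), (t(11, "13:00"), t(11, "14:30")),
                (t(12, "10:15"), t(12, "11:45"))],
    "class-B": [(t(10, "08:30"), t(10, "10:00")), (t(11, "08:30"), t(11, "10:00")),
                (t(12, "13:00"), t(12, "14:30"))],
    "class-C": [(t(10, "10:15"), t(10, "11:45")), (t(11, "08:30"), t(11, "10:00")),
                (t(12, "08:30"), t(12, "10:00"))],
}

if __name__ == "__main__":
    for row in rank_classes(ATTACKS, TIMETABLE):
        print(row)
```

A group that tops this ranking is only a candidate for the next steps on the slide, such as giving that class its own external IP address and seeing whether the attack follows.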

Page 18: DDOS – a Nuisance or Threat?

Caught after bragging

Courtesy: Graafschap College

Page 19: DDOS – a Nuisance or Threat?

Is this a problem?

• If an attack originates from our network that is very bad — we have big pipes…

• The example inside job caused 1000s of students and 100s of staff to go home because they could no longer work

• Students need to learn that they are committing a criminal offense


Page 20: DDOS – a Nuisance or Threat?

What do we do?

• Our CSIRT keeps vigil 24x7
• We constantly monitor our and our constituency’s infrastructure for abuse
  - Concerted efforts to combat e.g. open DNS resolvers and vulnerable NTP servers
• We report criminal offenses to the authorities and encourage our constituency to do so too
  - We collaborate with law enforcement and the public prosecutor’s office
• We (pre-)wash traffic
  - using rate limiting, filters, …

Page 21: DDOS – a Nuisance or Threat?

Cybersave Yourself

Page 22: DDOS – a Nuisance or Threat?

Research

• We actively collaborate with academic groups and non-profit organisations on DDoS research
• Study on “DDoS-for-Hire” services
• Support DDoS Defense research
• Legal expert opinions on e.g. botnet take-downs
• Share operational network data with researchers and develop policy for ethical data sharing
• Software Defined Security

Page 23: DDOS – a Nuisance or Threat?

Upcoming Services

• Protection as a Service a.k.a. DIY Cyber Laundry
• Centralised firewall
• Pentesting
• Maturity scans and auditing (ISO2700x)
• Security games