add: batch 4
* add intro and section text * correct typos * wrap long lines * add labels to section titles * add references * add circular arrows graph (tikz) * add overlapping sets graph (tikz)
This commit is contained in:
parent
ef40e1da6b
commit
64304a851e
329
tex/text.tex
329
tex/text.tex
@ -1,21 +1,74 @@
|
|||||||
% ============================================================================ %
|
% ============================================================================ %
|
||||||
\nn{Introduction}
|
\nn{Introduction}
|
||||||
What we have commonly seen being used in the wild in recent years may be
|
In this day and age, there has probably been nothing else considered as
|
||||||
called "professionalizing", by which I mean that what would typically be available 10
|
inevitable and impactful on one's personal or professional life, media,
|
||||||
years ago cannot match to practically anything you can get ready in minutes to
|
politics, culture or science as reliable Internet connection, allowing seemless
|
||||||
cause real harm today.
|
interaction and access to information.
|
||||||
|
Networking infrastructure powering the Internet has been the target of various
|
||||||
|
attacks almost since day one. While the early network interconnections had
|
||||||
|
been based on mutual trust and strong sharing spirit for advancement of humanity, with
|
||||||
|
increasing amount of participants from different backgrounds (essentially
|
||||||
|
democratization) and proliferating deeds of mischief, trust could no longer be
|
||||||
|
taken for granted.
|
||||||
|
Although trolling has always been an integral part of the Internet culture, it
|
||||||
|
had not taken long until criminals found their way into the online world with
|
||||||
|
the intention of taking advantage of lacking legislation and collecting easy
|
||||||
|
(though huge) economic profit. Furthermore, another popular activity has become
|
||||||
|
causing real harm to anybody on the way with the sense of lawlessness.
|
||||||
|
|
||||||
|
It is this willful damage in its many shapes and forms brought upon the
|
||||||
|
Internet service providers and users that our thesis deals with. What we have
|
||||||
|
commonly observed as being used in the wild in recent years may be called
|
||||||
|
attack 'professionalizing', by which we mean that the tools typically available
|
||||||
|
10 years ago cannot match to practically anything you can get ready in minutes
|
||||||
|
to cause real harm today. Since the networks compose the medium of
|
||||||
|
communication, it is essential they remained secured and protected, which in
|
||||||
|
fact poses a challenging task for us of coming up with new solutions to rapidly
|
||||||
|
evolving problem.
|
||||||
|
|
||||||
|
On the side of the user, unavailability of the service often means inability to
|
||||||
|
proceed with fulfilling their tasks. For the provider, an attack that cripples
|
||||||
|
the network or its resources means inability to provide the promised service.
|
||||||
|
|
||||||
|
We would like to take a look on some of the conventional methods and tools
|
||||||
|
which attackers resort to as well as methods and tools both users and network
|
||||||
|
operators may (and should) utilise to protect the network. The main objectives
|
||||||
|
of our thesis aim at researching key ways of DoS attack mitigations and
|
||||||
|
performing a DoS attack and a BGP blackhole reaction simulation.
|
||||||
|
|
||||||
|
Our thesis comprises two main parts - theoretical and practical. The
|
||||||
|
theoretical part discusses relevant context, different types of attack methods
|
||||||
|
and tools, mitigation attack methods and tools. The practical part describes a
|
||||||
|
simulated simple topology and an attack in lab conditions.
|
||||||
|
In the first section of the theoretical part, we were focused on attack
|
||||||
|
definition. Section \ref{sec:attack-methods} attempts to categorise attack
|
||||||
|
methods based on several metrics and explain some of the mentioned. The third
|
||||||
|
section presents a list of some of the popular DoS tools that are available.
|
||||||
|
Next on, the \autoref{sec:mitigation-methods} traces various ways to mitigate
|
||||||
|
attacks, both on the user and provider level and the final section of the
|
||||||
|
theoretical part, \autoref{sec:mitigation-tools}, marks out some of the tools
|
||||||
|
that can be used to mitigate an attack.
|
||||||
|
First of the practical part, \autoref{sec:infrastructure-set-up-description} gives an
|
||||||
|
overview of the tools used to construct the lab infrastructure and configure
|
||||||
|
the systems, as well as specifics of the configuration. It also focuses on
|
||||||
|
setting up the infrastructure and the tools and processes to achieve a
|
||||||
|
reproducible outcome. In \autoref{sec:mitigation-tools-set-up}, we set up
|
||||||
|
mitigation tools in preparation of an attack. In
|
||||||
|
\autoref{sec:attack-tools-set-up} we go through the process of preparing attack
|
||||||
|
tools. Section \ref{sec:performing-an-attack} describes performing the attack
|
||||||
|
itself. The final section \ref{sec:monitoring} observes the monitoring feeds.
|
||||||
|
|
||||||
|
|
||||||
% ============================================================================ %
|
% ============================================================================ %
|
||||||
\part{Theoretical part}
|
\part{Theoretical part}
|
||||||
|
|
||||||
|
|
||||||
|
\n{1}{Definition} \label{sec:definition}
|
||||||
While denial of service can be caused in a multitude of different ways and
|
While denial of service can be caused in a multitude of different ways and
|
||||||
impact any part of the stack, we are predominantly going to look at the ones
|
impact any part of the stack, we are predominantly going to look at the ones
|
||||||
pertaining internet networks.
|
pertaining Internet networks. First, we shall define what a denial of service
|
||||||
|
(\it{DoS}) attack in fact \it{is} and we can achieve it by understanding what
|
||||||
\n{1}{Definition}
|
it does.
|
||||||
First we shall define what a denial of service (\it{DoS}) attack \it{is} and that
|
|
||||||
can be achieved by looking at what it does.
|
|
||||||
|
|
||||||
A DoS attack is an action that harms a \it{service} in such a way that it can
|
A DoS attack is an action that harms a \it{service} in such a way that it can
|
||||||
no longer serve legitimate requests as a result of being occupied by bogus or
|
no longer serve legitimate requests as a result of being occupied by bogus or
|
||||||
@ -24,6 +77,17 @@ excessive requests from the attacker.
|
|||||||
A DDoS is a DoS that is distributed among many participant devices (and
|
A DDoS is a DoS that is distributed among many participant devices (and
|
||||||
operators).
|
operators).
|
||||||
|
|
||||||
|
\begin{figure}
|
||||||
|
\centering
|
||||||
|
\begin{tikzpicture}
|
||||||
|
\draw (1,1)[color=red!60,thick,fill=red!15] circle (2.2cm);
|
||||||
|
\draw (0.4,0.2pt) node[below left] {$DoS$};
|
||||||
|
\draw (1,1)[dashed,fill=purple!25] circle (1.2cm);
|
||||||
|
\draw (1,5pt) node[above] {$DDoS$};
|
||||||
|
\end{tikzpicture}
|
||||||
|
\caption{Illustration of relationship between DoS and DDoS attacks.}
|
||||||
|
\end{figure}
|
||||||
|
|
||||||
The devices participating are generally also victims in this, most of the
|
The devices participating are generally also victims in this, most of the
|
||||||
attacks are performed with open DNS resolvers, home routers left to rot by
|
attacks are performed with open DNS resolvers, home routers left to rot by
|
||||||
vendors, misconfigured web services or IoT devices as involuntary
|
vendors, misconfigured web services or IoT devices as involuntary
|
||||||
@ -33,34 +97,37 @@ start probing and then reap the easy harvest. A quick search for devices
|
|||||||
running with port 123 (NTP) open is certain to return a mind-blowing number
|
running with port 123 (NTP) open is certain to return a mind-blowing number
|
||||||
\cite{ShodanNTPd}.
|
\cite{ShodanNTPd}.
|
||||||
|
|
||||||
\n{1}{Context}
|
\n{1}{Context} \label{sec:context}
|
||||||
Only in the past decade we have witnessed many large DoS/DDoS attacks, some of them
|
In the last decade only we have witnessed many large DoS/DDoS attacks, some of
|
||||||
against critical infrastructure services like cloud hosting, DNS, git hosting
|
them against critical infrastructure services like cloud hosting, DNS, git
|
||||||
services or CCTV cameras. All of the attacks weaponized poorly managed
|
hosting services or even CCTV cameras. All of the attacks weaponized poorly
|
||||||
endpoints, unpatched IoT devices or
|
managed endpoints, unpatched IoT devices or
|
||||||
malware-infected-hosts-turned-botnet-zombies. The intensity and frequency has
|
malware-infected-hosts-turned-botnet-zombies. The intensity and frequency have
|
||||||
also been sharply increasing, with the latest of attacks passing over the Tbps
|
also been sharply increasing with the latest of attacks passing over the Tbps
|
||||||
threshold (Akamai mitigated a 1.44Tbps DDoS in 2020
|
threshold (Akamai mitigated a 1.44Tbps DDoS in 2020
|
||||||
\cite{akamai2020ddosretrospect}), data from Cisco noting that overall, there
|
\cite{akamai2020ddosretrospect}), with data from Cisco Annual Internet Report
|
||||||
was a \textbf{776\%} growth in attacks between 100 Gbps and 400 Gbps from 2018 to 2019
|
showing that overall there was a \textbf{776\%} growth in attacks between 100
|
||||||
and predictions for the total number of DDoS attacks to double from 7.9 million
|
Gbps and 400 Gbps from 2018 to 2019, and with predictions for the total number
|
||||||
in 2018 to 15.4 million by 2023 \cite{cisco2020report}. The question is: why?
|
of DDoS attacks to double from 7.9 million in 2018 to 15.4 million by 2023
|
||||||
|
\cite{cisco2020report}. The question is: why?
|
||||||
|
|
||||||
There motifs will probably more often than not stay a mystery, however, a
|
The motifs will probably more often than not stay a mystery; however, a
|
||||||
proliferation of DDoS-for-hire websites \cite{Santanna2018BooterLG} even on
|
proliferation of DDoS-for-hire websites \cite{Santanna2018BooterLG}, even on
|
||||||
\emph{clearnet} points us to a plausible answer.
|
\emph{clearnet}\footnotemark, points us to a plausible answer.
|
||||||
|
|
||||||
|
\footnotetext{the surface web; i.e.\ not even attempting to hide}
|
||||||
|
|
||||||
Somebody is making money selling abusive services that are being used for
|
Somebody is making money selling abusive services that are being used for
|
||||||
putting competitors out of business or just plain extortion. According to
|
putting competitors out of business or just plain extortion. According to
|
||||||
Akamai, extortion attacks have seen a widespread return, with a new wave launching in mid-August
|
Akamai, extortion attacks have seen a widespread return, with a new wave
|
||||||
2020 \cite{akamai2021ddos}.
|
launching in mid-August 2020 \cite{akamai2021ddos}.
|
||||||
|
|
||||||
Akamai went on to note that DDoS attackers are expanding their reach across
|
Akamai went on to note that DDoS attackers are expanding their reach across
|
||||||
geographies and industries, with the number targeted entities now being 57\%
|
geographies and industries, with the number of targeted entities now being 57\%
|
||||||
higher than the year before that.
|
higher than the year before that.
|
||||||
|
|
||||||
|
|
||||||
\n{1}{Attack methods}
|
\n{1}{Attack methods} \label{sec:attack-methods}
|
||||||
There are generally several different ways to categorise a method of
|
There are generally several different ways to categorise a method of
|
||||||
attack:
|
attack:
|
||||||
\begin{description}
|
\begin{description}
|
||||||
@ -109,11 +176,12 @@ attack:
|
|||||||
\item IP fragmentation
|
\item IP fragmentation
|
||||||
\item SYN flood - a rapid sequence of TCP protocol SYN messages
|
\item SYN flood - a rapid sequence of TCP protocol SYN messages
|
||||||
\item volumetric DDoS attack
|
\item volumetric DDoS attack
|
||||||
\item amplification attack (also called "reflection attack")
|
\item amplification attack (also called 'reflection attack')
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item memcached exploit (1:51200)
|
\item memcached (up to 1:51200)
|
||||||
\item DNS (\textasciitilde1:50), with a formula \cite{akamaidnsampl} \[R = answer size / query size\]
|
\item DNS with a formula \cite{akamaidnsampl}
|
||||||
\item SNMP
|
\rov[DNSamplificationformula]{R = answer size / query size}
|
||||||
|
\item SNMP (theoretically 1:650)
|
||||||
\item NTP
|
\item NTP
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\item exploits
|
\item exploits
|
||||||
@ -142,9 +210,10 @@ packets, ideally even accompanied by a buffer overflow that the attacker can
|
|||||||
exploit further. Fragmenting TCP segments, on the other hand, targets the TCP
|
exploit further. Fragmenting TCP segments, on the other hand, targets the TCP
|
||||||
mechanism for reassembly. Reasonably recent Linux kernel implements protection
|
mechanism for reassembly. Reasonably recent Linux kernel implements protection
|
||||||
against this \cite{linuxretransmission}.
|
against this \cite{linuxretransmission}.
|
||||||
In either case, this is a network layer attack, since it targets the way the Internet Protocol requires data to be transmitted and processed.
|
In either case, this is a network layer attack, since it targets the way the
|
||||||
|
Internet Protocol requires data to be transmitted and processed.
|
||||||
|
|
||||||
\n{2}{SYN flood}\label{synfloodattack}
|
\n{2}{SYN flood} \label{synfloodattack}
|
||||||
To establish a TCP connection, a \emph{three way handshake} must be
|
To establish a TCP connection, a \emph{three way handshake} must be
|
||||||
performed.\\
|
performed.\\
|
||||||
That is the opening sequence of a TCP connection that any two machines -
|
That is the opening sequence of a TCP connection that any two machines -
|
||||||
@ -163,7 +232,7 @@ A malicious actor is able to misuse the handshake mechanism by posing as a
|
|||||||
legitimate \emph{client} (or rather many legitimate clients) and sending large
|
legitimate \emph{client} (or rather many legitimate clients) and sending large
|
||||||
number of SYN segments to a \emph{server} willing to establish a connection
|
number of SYN segments to a \emph{server} willing to establish a connection
|
||||||
(\it{LISTEN} state). The server replies with a [SYN, ACK], which is a combined
|
(\it{LISTEN} state). The server replies with a [SYN, ACK], which is a combined
|
||||||
acknowledgement of the clients request \it{and} a synchronization request of
|
acknowledgement of the client's request \it{and} a synchronization request of
|
||||||
its own. The client responds back with an ACK and then the connection reaches
|
its own. The client responds back with an ACK and then the connection reaches
|
||||||
the \it{ESTABLISHED} state.
|
the \it{ESTABLISHED} state.
|
||||||
|
|
||||||
@ -194,7 +263,8 @@ the transit provider/ISP) and does not aggregate on a single host's interface.
|
|||||||
For this to be a reality the adoption rate of the subject RFC recommendations
|
For this to be a reality the adoption rate of the subject RFC recommendations
|
||||||
would need to see an proper increase.
|
would need to see an proper increase.
|
||||||
|
|
||||||
As is true for anything, if countermeasures are set up improperly, legitimate traffic could end up being blocked as a result.
|
As is true for anything, if countermeasures are set up improperly, legitimate
|
||||||
|
traffic could end up being blocked as a result.
|
||||||
|
|
||||||
\n{2}{Amplified Reflection Attack}
|
\n{2}{Amplified Reflection Attack}
|
||||||
The name suggests this type of attack is based on two concepts: amplification and
|
The name suggests this type of attack is based on two concepts: amplification and
|
||||||
@ -215,8 +285,9 @@ request with (either a bogus but more commonly) a victim IP address as the
|
|||||||
source address instead of our own that's present there by default.
|
source address instead of our own that's present there by default.
|
||||||
The response is then returned \it{back} - not to the actual sender, but simply
|
The response is then returned \it{back} - not to the actual sender, but simply
|
||||||
according to the source address.\\
|
according to the source address.\\
|
||||||
Since UDP has no concept of a \it{connection} or any verification mechanism, the response arrives at the door of the victim that has never asked for
|
Since UDP has no concept of a \it{connection} or any verification mechanism,
|
||||||
it - in the worst case an unsolicited pile of them.
|
the response arrives at the door of the victim that has never asked for it - in
|
||||||
|
the worst case an unsolicited pile of them.
|
||||||
|
|
||||||
This is why the three-way handshake is used with TCP, which was developed later
|
This is why the three-way handshake is used with TCP, which was developed later
|
||||||
than UDP, as it reduces the possibility of false connections.
|
than UDP, as it reduces the possibility of false connections.
|
||||||
@ -243,7 +314,7 @@ recommendations of RFC 3704 gained greater adoption among ISPs.
|
|||||||
Until then, brace yourselves for the next assault.
|
Until then, brace yourselves for the next assault.
|
||||||
|
|
||||||
|
|
||||||
\n{2}{Slowloris}\label{slowloris}
|
\n{2}{Slowloris} \label{slowloris}
|
||||||
The principle of this attack is to first open as many connections as
|
The principle of this attack is to first open as many connections as
|
||||||
possible, aiming to fill the capacity of the server, and then keep them
|
possible, aiming to fill the capacity of the server, and then keep them
|
||||||
open for as long as possible by sending periodic keep-alive packets.\\
|
open for as long as possible by sending periodic keep-alive packets.\\
|
||||||
@ -282,7 +353,7 @@ remotely from end hosts without access to routers or the ability to send
|
|||||||
traffic directly to them.
|
traffic directly to them.
|
||||||
|
|
||||||
|
|
||||||
\n{1}{Attack tools}
|
\n{1}{Attack tools} \label{sec:attack-tools}
|
||||||
Believe it or not there actually exists a DDoS attack tools topic on
|
Believe it or not there actually exists a DDoS attack tools topic on
|
||||||
GitHub
|
GitHub
|
||||||
\url{https://github.com/topics/ddos-attack-tools?o=desc\&s=stars}.
|
\url{https://github.com/topics/ddos-attack-tools?o=desc\&s=stars}.
|
||||||
@ -311,7 +382,8 @@ server to facilitate them until resources bound by bogus requests are freed,
|
|||||||
i.e. the attack ceases to be.
|
i.e. the attack ceases to be.
|
||||||
|
|
||||||
\n{2}{iperf3}
|
\n{2}{iperf3}
|
||||||
Massive load producing tool sending a packet flood of protocol of choice towards the target.
|
Massive load producing tool sending a packet flood of protocol of choice
|
||||||
|
towards the target.
|
||||||
|
|
||||||
\n{2}{ddosim}
|
\n{2}{ddosim}
|
||||||
DDoS simulator methods of flooding:
|
DDoS simulator methods of flooding:
|
||||||
@ -323,13 +395,13 @@ DDoS simulator methods of flooding:
|
|||||||
|
|
||||||
\n{2}{Metasploit Framework}
|
\n{2}{Metasploit Framework}
|
||||||
Metasploit is a penetration testing framework with an open source community
|
Metasploit is a penetration testing framework with an open source community
|
||||||
version and a commercial version (Metasploit Unleashed) available. It enables security
|
version and a commercial version (Metasploit Unleashed) available. It enables
|
||||||
researchers to automate workflows of probing vulnerable services or devices via
|
security researchers to automate workflows of probing vulnerable services or
|
||||||
use of so called modules - smaller programs with definable inputs that perform
|
devices via use of so called modules - smaller programs with definable inputs
|
||||||
prefined actions. Modules are often community-contributed and one can even
|
that perform prefined actions. Modules are often community-contributed and one
|
||||||
write a module ourselves.a The SYN-flooding funtionality has been implemented -
|
can even write a module ourselves.a The SYN-flooding funtionality has been
|
||||||
\texttt{aux/synflood} an auxiliary module. Auxiliary modules do not execute
|
implemented - \texttt{aux/synflood} an auxiliary module. Auxiliary modules do
|
||||||
payloads and perform arbitrary actions that may not be related to
|
not execute payloads and perform arbitrary actions that may not be related to
|
||||||
exploitation, such as scanning, fuzzing and denial of service attacks
|
exploitation, such as scanning, fuzzing and denial of service attacks
|
||||||
\cite{metasploit}.
|
\cite{metasploit}.
|
||||||
|
|
||||||
@ -345,15 +417,15 @@ thing as discussed above, the only difference is the malicious intent,
|
|||||||
imperceivable to a machine.
|
imperceivable to a machine.
|
||||||
|
|
||||||
|
|
||||||
\n{1}{Mitigation methods}
|
\n{1}{Mitigation methods} \label{sec:mitigation-methods}
|
||||||
Drastic times require drastic measures and since a DDoS attacks coming
|
Drastic times require drastic measures and since a DDoS attacks coming
|
||||||
at us practically every other month classify as
|
at us practically every other month classify as
|
||||||
\it{drastic} quite easily, we're forced to act accordingly
|
\it{drastic} quite easily, we're forced to act accordingly
|
||||||
\cite{akamai2021ddos}.
|
\cite{akamai2021ddos}.
|
||||||
|
|
||||||
Still, it is more reasonable to prepare than to improvise, therefore the
|
Still, it is more reasonable to prepare than to improvise, therefore the
|
||||||
following write-up mentions of commonly used mitigation methods at different levels,
|
following write-up mentions of commonly used mitigation methods at different
|
||||||
from a hobbyist server to an e-commerce service to an ISP. The list is
|
levels, from a hobbyist server to an e-commerce service to an ISP. The list is
|
||||||
inconclusive and of course if reading this at a later date, always cross-check
|
inconclusive and of course if reading this at a later date, always cross-check
|
||||||
with the current best practices at the time.
|
with the current best practices at the time.
|
||||||
|
|
||||||
@ -380,8 +452,9 @@ For the entire time we're announcing it, the victim host stays unreachable.
|
|||||||
|
|
||||||
We should make sure to announce the smallest possible prefix to minimise the
|
We should make sure to announce the smallest possible prefix to minimise the
|
||||||
collateral damage. Generally, a /21 or /22 prefix is assigned to an AS (the
|
collateral damage. Generally, a /21 or /22 prefix is assigned to an AS (the
|
||||||
average prefix per AS being 22.7866 as of 11 May 2021 \cite{prefixavgsize}) announcing a black hole
|
average prefix per AS being 22.7866 as of 11 May 2021 \cite{prefixavgsize})
|
||||||
for such a large space would likely cause more damage than the attack itself.
|
announcing a black hole for such a large space would likely cause more damage
|
||||||
|
than the attack itself.
|
||||||
|
|
||||||
To reduce BGP overhead, prefixes are usually announced aggregated, with the
|
To reduce BGP overhead, prefixes are usually announced aggregated, with the
|
||||||
exception of "a~situation", such as when we wish to only stop receiving traffic
|
exception of "a~situation", such as when we wish to only stop receiving traffic
|
||||||
@ -413,10 +486,12 @@ flowing\footnotemark!
|
|||||||
|
|
||||||
Behold, this is what \it{selective black-holing} actually is. Some upstream
|
Behold, this is what \it{selective black-holing} actually is. Some upstream
|
||||||
providers define multiple different blackhole communities each followed by a
|
providers define multiple different blackhole communities each followed by a
|
||||||
predefined action on the upstream. One is able to announce to these communities as needed.
|
predefined action on the upstream. One is able to announce to these communities
|
||||||
|
as needed.
|
||||||
Assume we would announce to a community that would in response announce the
|
Assume we would announce to a community that would in response announce the
|
||||||
blackhole to internet exchanges in, say, North America and Asia and but allow
|
blackhole to internet exchanges in, say, North America and Asia and but allow
|
||||||
traffic coming from Europe, would be a perfect example of selective black-holing.
|
traffic coming from Europe, would be a perfect example of selective
|
||||||
|
black-holing.
|
||||||
This causes two things to happen. First, our customer's IP is still reachable
|
This causes two things to happen. First, our customer's IP is still reachable
|
||||||
from our local area (e.g. Europe) and since our fictitious customer mostly
|
from our local area (e.g. Europe) and since our fictitious customer mostly
|
||||||
serves European customers that's fine. Second, outside of the prefedined radius
|
serves European customers that's fine. Second, outside of the prefedined radius
|
||||||
@ -429,11 +504,12 @@ it is reasonably automated and quick to respond, in combination with other
|
|||||||
mitigation methods it can provide a viable protection for the network.
|
mitigation methods it can provide a viable protection for the network.
|
||||||
|
|
||||||
\n{2}{Sinkholing}
|
\n{2}{Sinkholing}
|
||||||
Moving on, this method works by diverting only malicious traffic away from its target,
|
Moving on, this method works by diverting only malicious traffic away from its
|
||||||
usually using a predefined list of IP addresses known to be part of malicious
|
target, usually using a predefined list of IP addresses known to be part of
|
||||||
activities to identify DDoS traffic. False positives can occur more rarely and
|
malicious activities to identify DDoS traffic. False positives can occur more
|
||||||
collateral damage is lesser than with black-holing but since botnet IPs can be
|
rarely and collateral damage is lesser than with black-holing but since botnet
|
||||||
also used by legitimate users this is still prone to false positives.
|
IPs can be also used by legitimate users this is still prone to false
|
||||||
|
positives.
|
||||||
Additionally, sinkholing as such is ineffective against IP
|
Additionally, sinkholing as such is ineffective against IP
|
||||||
spoofing, which is a common feature in network layer attacks.
|
spoofing, which is a common feature in network layer attacks.
|
||||||
|
|
||||||
@ -447,8 +523,8 @@ scrubbing at an inline rate without impacting legitimate users.
|
|||||||
|
|
||||||
If outsourced, the scrubber service has the bandwidth capacity (either
|
If outsourced, the scrubber service has the bandwidth capacity (either
|
||||||
on-demand or permanently) to take the hit that we do not have. There are at
|
on-demand or permanently) to take the hit that we do not have. There are at
|
||||||
least two ways to go about this - the BGP and the DNS way, we will cover the BGP
|
least two ways to go about this - the BGP and the DNS way, we will cover the
|
||||||
one. Once an attack is identified, we stop announcing the prefix that is
|
BGP one. Once an attack is identified, we stop announcing the prefix that is
|
||||||
currently being hit, contact our scrubbing provider (usually
|
currently being hit, contact our scrubbing provider (usually
|
||||||
automatically/programatically) to start announcing the subject prefix,
|
automatically/programatically) to start announcing the subject prefix,
|
||||||
receiving all its traffic (including the attack traffic), the scrubbing service
|
receiving all its traffic (including the attack traffic), the scrubbing service
|
||||||
@ -459,10 +535,10 @@ appliance that has to have sufficient bandwidth (usually on par with upstream).
|
|||||||
|
|
||||||
A poor man's scrubber:
|
A poor man's scrubber:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item hardware accelerated ACLs on switches,
|
\item utilizing hardware accelerated ACLs on switches,
|
||||||
\item switches do simple filtering at \it{inline rate} (ASICs)
|
\item switches can do simple filtering at \it{inline rate} (ASICs)
|
||||||
\item can be effective when attack protocol is easily distinguishable from real
|
\item this can be effective when attack protocol is easily distinguishable from
|
||||||
traffic
|
real traffic
|
||||||
\item hit by NTP/DNS/SNMP/SSDP amplification attack
|
\item hit by NTP/DNS/SNMP/SSDP amplification attack
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
@ -472,8 +548,12 @@ our network (such as 123 or 53), we start signalling to our upstream
|
|||||||
providers, since they can probably handle it better than us and have as much
|
providers, since they can probably handle it better than us and have as much
|
||||||
interest in doing so as us (or should).
|
interest in doing so as us (or should).
|
||||||
|
|
||||||
One thing we should do no matter whether we are currently suffering an attack (and
|
Volumetric attacks sending traffic in smaller packet sizes will, however,
|
||||||
scrubbing it ourselves) is to rule out and drop and never receive traffic
|
still result in higher CPU utilization, especially on non-dedicated networking
|
||||||
|
equipment.
|
||||||
|
|
||||||
|
One thing we should do no matter whether we are currently suffering an attack
|
||||||
|
(and scrubbing it ourselves) is to rule out and drop and never receive traffic
|
||||||
appearing to come from \it{our own network}, since such traffic could not exist
|
appearing to come from \it{our own network}, since such traffic could not exist
|
||||||
naturally and is obviously spoofed.
|
naturally and is obviously spoofed.
|
||||||
|
|
||||||
@ -493,13 +573,11 @@ Team Cymru \cite{teamcymru}.
|
|||||||
|
|
||||||
In case we have our own ASN, are connected directly at an IXP, have no
|
In case we have our own ASN, are connected directly at an IXP, have no
|
||||||
RTBH support upstream and basically have no other choice, we just need
|
RTBH support upstream and basically have no other choice, we just need
|
||||||
to find out who is sending the malicious traffic, drop the session and receive
|
to find out who is sending the malicious traffic and, if possible, drop the
|
||||||
traffic from other peers.
|
session and receive traffic from other peers.
|
||||||
|
|
||||||
64B packet size --> lower throughput, high cpu utilization
|
|
||||||
|
|
||||||
|
|
||||||
\n{2}{IP masking}\label{ipmasking}
|
\n{2}{IP masking} \label{ipmasking}
|
||||||
This is technique is widely used (e.g. CloudFlare flagship service), relying
|
This is technique is widely used (e.g. CloudFlare flagship service), relying
|
||||||
solely on not divulging sensitive information - in this case server IP - to
|
solely on not divulging sensitive information - in this case server IP - to
|
||||||
attackers and the capacity of the \it{fronting} service to withstand the attack
|
attackers and the capacity of the \it{fronting} service to withstand the attack
|
||||||
@ -511,7 +589,7 @@ other service performs TLS termination in our behalf and \textbf{sees
|
|||||||
everything} (that was encrypted only \emph{in transit} and is not additionally
|
everything} (that was encrypted only \emph{in transit} and is not additionally
|
||||||
encrypted) that \emph{anyone} sends us, before finally forwarding it back.
|
encrypted) that \emph{anyone} sends us, before finally forwarding it back.
|
||||||
|
|
||||||
\n{2}{WAF}\label{waf}
|
\n{2}{WAF} \label{waf}
|
||||||
WAF - \it{Web Application Firewall} - is an appliance used to protect
|
WAF - \it{Web Application Firewall} - is an appliance used to protect
|
||||||
(as name suggests) web applications. In this day and age, this is
|
(as name suggests) web applications. In this day and age, this is
|
||||||
especially necessary and enables system administrators to craft protection
|
especially necessary and enables system administrators to craft protection
|
||||||
@ -541,7 +619,8 @@ open simultaneously, which can even prevent Slowloris (see \ref{slowloris}).
|
|||||||
Rate-limiting is usually set either on a proxy or a WAF, but some form of
|
Rate-limiting is usually set either on a proxy or a WAF, but some form of
|
||||||
rate-limiting can even be built into an app.
|
rate-limiting can even be built into an app.
|
||||||
|
|
||||||
A well known rate-limiting pluggable solution that can be used with SSHd, HTTP or multitude of other endpoints is \texttt{Fail2Ban}.
|
A well known rate-limiting pluggable solution that can be used with SSHd, HTTP
|
||||||
|
or multitude of other endpoints is \texttt{Fail2Ban}.
|
||||||
|
|
||||||
|
|
||||||
\n{2}{Decreased-TIME\_WAIT connection closing}
|
\n{2}{Decreased-TIME\_WAIT connection closing}
|
||||||
@ -569,7 +648,7 @@ prevent such a situation from occurring easily. In Nginx this is set with a
|
|||||||
single line: \texttt{reset\_timedout\_connection on;}
|
single line: \texttt{reset\_timedout\_connection on;}
|
||||||
|
|
||||||
|
|
||||||
\n{1}{Mitigation tools}
|
\n{1}{Mitigation tools} \label{sec:mitigation-tools}
|
||||||
No tools are going to remedy for a bad design decision and that applies
|
No tools are going to remedy for a bad design decision and that applies
|
||||||
equally to physical and internet engineering.
|
equally to physical and internet engineering.
|
||||||
|
|
||||||
@ -584,10 +663,10 @@ There are two main types of firewalls:
|
|||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
A software firewall is just another program running on the operating
|
A software firewall is just another program running on the operating
|
||||||
system, apart from the fact that it is typically running with
|
system, apart from the fact that it is typically running with system-level
|
||||||
system-level privileges. It can be run on a general-purpose computer. In fact
|
privileges. It can be run on a general-purpose computer. In fact most of the
|
||||||
most of the consumer-grade operating systems nowadays incorporate or by default
|
consumer-grade operating systems nowadays incorporate or by default enable a
|
||||||
enable a firewall solution.
|
firewall solution.
|
||||||
|
|
||||||
In contrast, an appliance firewall is a dedicated piece of hardware
|
In contrast, an appliance firewall is a dedicated piece of hardware
|
||||||
purpose-build specifically for the sole role of behaving as a firewall and
|
purpose-build specifically for the sole role of behaving as a firewall and
|
||||||
@ -611,7 +690,7 @@ and is replacing (in modern distributions has replaced, although
|
|||||||
backward compatibility has been preserved) the former two - the
|
backward compatibility has been preserved) the former two - the
|
||||||
\texttt{nftables} tool.
|
\texttt{nftables} tool.
|
||||||
|
|
||||||
\n{3}{Netfilter}\label{netfilter}
|
\n{3}{Netfilter} \label{netfilter}
|
||||||
The Linux kernel subsystem named \texttt{Netfilter} is part of the internet
|
The Linux kernel subsystem named \texttt{Netfilter} is part of the internet
|
||||||
protocol stack of the kernel and is responsible for packet manipulation and
|
protocol stack of the kernel and is responsible for packet manipulation and
|
||||||
filtering \cite{Boye2012NetfilterCT}. The packet filtering and classification
|
filtering \cite{Boye2012NetfilterCT}. The packet filtering and classification
|
||||||
@ -630,44 +709,42 @@ modules}.
|
|||||||
Part of the \texttt{Netfilter} framework responsible for connection tracking is
|
Part of the \texttt{Netfilter} framework responsible for connection tracking is
|
||||||
fittingly named Conntrack. Connection, or a \it{flow} is a tuple defined by a
|
fittingly named Conntrack. Connection, or a \it{flow} is a tuple defined by a
|
||||||
unique combination of source address, destination address, source port,
|
unique combination of source address, destination address, source port,
|
||||||
destination port a and the transport protocol used [refneeded flow].
|
destination port a and the transport protocol used.
|
||||||
|
|
||||||
Conntrack keeps track of the flows in a special fixed-size
|
Conntrack keeps track of the flows in a special fixed-size
|
||||||
(tunable\footnotemark) in-kernel
|
(tunable\footnotemark) in-kernel
|
||||||
hash table structure with a fixed upper limit.
|
hash table structure with a fixed upper limit.
|
||||||
|
|
||||||
\footnotetext{via \texttt{net.netfilter.nf\_conntrack\_buckets}}
|
\footnotetext{via \texttt{net.netfilter.nf\_conntrack\_buckets}}
|
||||||
|
|
||||||
On Linux devices functioning as router devices a common issue is the depletion
|
On Linux devices functioning as router devices (especially when you add NAT to
|
||||||
of space in the conntrack table. Once the maximum number of connection is
|
the mix) a common issue is the depletion of space in the conntrack table. Once
|
||||||
reached, Linux simply logs an error message "\texttt{nf\_conntrack: table full,
|
the maximum number of connection is reached, Linux simply logs an error message
|
||||||
dropping packet}" to the kernel log and "all further new connection requests
|
\texttt{nf\_conntrack: table full, dropping packet} to the kernel log and
|
||||||
are dropped until the table is below the maximum limit again."
|
"all further new connection requests are dropped until the table is below the
|
||||||
\cite{Westphal2017CT}. That, Westphal further notes, is indeed very
|
maximum limit again." \cite{Westphal2017CT}. That, as Westphal further notes,
|
||||||
unfortunate, especially in DoS scenarios.
|
is indeed very unfortunate, especially in DoS scenarios.
|
||||||
|
|
||||||
Unless the router also functions as a NAT, this can be remedied in two ways:
|
Unless the router also functions as a NAT, this can be remedied in two ways:
|
||||||
decreasing the timeout until an established connection is closed and decreasing
|
decreasing the timeout until an established connection is closed and decreasing
|
||||||
the timeout until an inactive connection in the TIME\_WAIT state is evicted from
|
the timeout until an inactive connection in the TIME\_WAIT state is evicted from
|
||||||
the conntrack table. By default, the TIME\_WAIT timeout is several hours long
|
the conntrack table. By default, the TIME\_WAIT timeout is several hours long
|
||||||
and leaves the router vulnerable to a UDP flood.
|
and leaves the router vulnerable to packet floods or Slowloris.
|
||||||
|
|
||||||
Netfilter is here to help again with conntrack treating entries that have not
|
Netfilter is here to help again with conntrack treating entries that have not
|
||||||
(yet) seen two-way communication specially – they can be evicted early if
|
(yet) seen two-way communication specially – they can be evicted early if
|
||||||
the connection tracking table is full. In case insertion of a new entry fails
|
the connection tracking table is full. In case insertion of a new entry fails
|
||||||
because the table is full, "...the kernel searches the next
|
because the table is full, "...the kernel searches the next 8 adjacent buckets
|
||||||
8 adjacent buckets of the hash slot where the new connection
|
of the hash slot where the new connection was supposed to be inserted at for an
|
||||||
was supposed to be inserted at for an entry that has not seen a
|
entry that has not seen a reply. If one is found, it is discarded and the new
|
||||||
reply. If one is found, it is discarded and the new connection
|
connection entry is allocated."\cite{Westphal2017CT}. Randomised source address
|
||||||
entry is allocated."\cite{Westphal2017CT}. Randomised source address in TCP SYN
|
in TCP SYN floods becomes a non-issue because now most entries can be
|
||||||
floods becomes a non-issue because now most entries can be early-evicted
|
early-evicted because the TCP connection tracker sets the "assured" flag only
|
||||||
because the TCP connection tracker sets the "assured" flag only once the three-way
|
once the three-way handshake has completed.
|
||||||
handshake has completed.
|
|
||||||
|
|
||||||
In case of UDP, the assured flag is set once a packet arrives
|
In case of UDP, the assured flag is set once a packet arrives after the
|
||||||
after the connection has already seen at least one packet in
|
connection has already seen at least one packet in the reply direction, that is
|
||||||
the reply direction, that is the request/response traffic
|
the request/response traffic does not have the assured bit set and can
|
||||||
does not have the assured bit set and can therefore be early-dropped at any time.
|
therefore be early-dropped at any time.
|
||||||
|
|
||||||
|
|
||||||
\n{2}{FastNetMon DDoS Mitigation toolkit}
|
\n{2}{FastNetMon DDoS Mitigation toolkit}
|
||||||
@ -691,8 +768,26 @@ mitigation reactions.
|
|||||||
|
|
||||||
% ============================================================================ %
|
% ============================================================================ %
|
||||||
\part{Practical part}
|
\part{Practical part}
|
||||||
|
The plan:
|
||||||
|
\begin{figure}
|
||||||
|
\centering
|
||||||
|
\begin{tikzpicture}
|
||||||
|
\fill[even odd rule,gray!30] circle (2.3) circle (2.2);
|
||||||
|
\arcarrow{2}{2.25}{2.5}{165}{200}{5}{red!50,
|
||||||
|
draw = red!50!black, very thick}{attack}
|
||||||
|
\arcarrow{2}{2.25}{2.5}{210}{260}{5}{blue!50,
|
||||||
|
draw = blue!50!black, very thick}{detection}
|
||||||
|
\arcarrow{2}{2.25}{2.5}{270}{320}{5}{green!50,
|
||||||
|
draw = green!50!black, very thick}{blackhole}
|
||||||
|
\arcarrow{2}{2.25}{2.5}{330}{460}{5}{blue!50,
|
||||||
|
draw = blue!50!black, very thick}{wait {\&} withdraw blackhole}
|
||||||
|
\arcarrow{2}{2.25}{2.5}{470}{515}{5}{blue!50,
|
||||||
|
draw = blue!50!black, very thick}{analysis}
|
||||||
|
\end{tikzpicture}
|
||||||
|
\caption{cunning plan} \label{fig:cunning-plan}
|
||||||
|
\end{figure}
|
||||||
|
|
||||||
\n{1}{Infrastructure description}
|
\n{1}{Infrastructure Set-Up Description} \label{sec:infrastructure-set-up-description}
|
||||||
% TODO
|
% TODO
|
||||||
Broader infrastructure description HERE.
|
Broader infrastructure description HERE.
|
||||||
|
|
||||||
@ -738,8 +833,8 @@ defender machines.
|
|||||||
\hline
|
\hline
|
||||||
}
|
}
|
||||||
The inner (our edge) and the upstream (our transit provider) routers are
|
The inner (our edge) and the upstream (our transit provider) routers are
|
||||||
each part of different \it{AS}. They are directly connected and communicate using BGP.
|
each part of different \it{AS}. They are directly connected and communicate
|
||||||
The outer router and the inner router are BGP peers.
|
using BGP. The outer router and the inner router are BGP peers.
|
||||||
|
|
||||||
We assume our upstream provider supports RTBH signalling.
|
We assume our upstream provider supports RTBH signalling.
|
||||||
In this scenario the attacker is directly connected to our UPSTREAM router,
|
In this scenario the attacker is directly connected to our UPSTREAM router,
|
||||||
@ -760,8 +855,6 @@ all that with ansible roles
|
|||||||
BIRD for bgp, static routes for a poor man's router
|
BIRD for bgp, static routes for a poor man's router
|
||||||
|
|
||||||
|
|
||||||
\n{1}{Infrastructure set-up}
|
|
||||||
|
|
||||||
\nns{approach 0}
|
\nns{approach 0}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item KVM
|
\item KVM
|
||||||
@ -819,12 +912,19 @@ Notably, the system has also been using the \texttt{nftables} backend of
|
|||||||
\texttt{firewalld}, for which, luckily, \texttt{libvirt} was already
|
\texttt{firewalld}, for which, luckily, \texttt{libvirt} was already
|
||||||
prepared.
|
prepared.
|
||||||
|
|
||||||
\n{1}{Mitigation tools set-up}
|
\n{1}{Mitigation tools set-up} \label{sec:mitigation-tools-set-up}
|
||||||
An open-source DDOS mitigation toolkit named \texttt{fastnetmon} was
|
An open-source DDOS mitigation toolkit named \texttt{fastnetmon} was
|
||||||
picked to serve as an attack detection tool. It supports analysing traffic from
|
picked to serve as an attack detection tool. It supports analysing traffic from
|
||||||
multiple different exporter types, including Netflow (v5 adn v9), sFlow and port
|
multiple different exporter types, including Netflow (v5 and v9), sFlow and port
|
||||||
mirrors.
|
mirrors.
|
||||||
|
|
||||||
|
terraform multi-NIC VMs (or use virsh)\\
|
||||||
|
ansible-gobgp role on fedora routers to set up bgpd\\
|
||||||
|
Netflow exporter to report to fastnetmon\\
|
||||||
|
use iperf3 to attack\\
|
||||||
|
announce to a specified community to shut down the attack (black hole)
|
||||||
|
|
||||||
|
|
||||||
BGP black-holing upsides:
|
BGP black-holing upsides:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item quick and surgically precise way
|
\item quick and surgically precise way
|
||||||
@ -832,10 +932,11 @@ BGP black-holing upsides:
|
|||||||
|
|
||||||
BGP black-holing weak spots:
|
BGP black-holing weak spots:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item requires for our BGP peers to be available and willing to help/cooperate to advertise smaller subnets
|
\item requires for our BGP peers to be available and willing to
|
||||||
|
help/cooperate to advertise smaller subnets
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
\n{1}{Attack tools set-up}
|
\n{1}{Attack tools set-up} \label{sec:attack-tools-set-up}
|
||||||
When considering the way to simulate an attack locally, we weren't
|
When considering the way to simulate an attack locally, we weren't
|
||||||
primarily looking for a tool, which would enable a decentralised (the
|
primarily looking for a tool, which would enable a decentralised (the
|
||||||
first "D" of DDOS) attack, instead the objective was mainly to congest
|
first "D" of DDOS) attack, instead the objective was mainly to congest
|
||||||
@ -848,16 +949,18 @@ why we're concerned in the first place).
|
|||||||
|
|
||||||
\n{2}{Metasploit \texttt{aux/synflood module}}
|
\n{2}{Metasploit \texttt{aux/synflood module}}
|
||||||
|
|
||||||
\n{1}{Performing an attack}
|
\n{1}{Performing an attack} \label{sec:performing-an-attack}
|
||||||
run the tools
|
run the tools
|
||||||
|
|
||||||
\n{1}{Monitoring}
|
\n{1}{Monitoring} \label{sec:monitoring}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item fastnetmon metrics
|
\item fastnetmon metrics
|
||||||
\item packet capture on the router interfaces
|
\item packet capture on the router interfaces
|
||||||
\item Netflow signalling
|
\item Netflow signalling
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
|
juju4/ansible-fprobe netflow role
|
||||||
|
|
||||||
% ============================================================================ %
|
% ============================================================================ %
|
||||||
\nn{Conclusion}
|
\nn{Conclusion}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user