sign in sign up
<<
Home , Ruhr University Bochum

Hell of a Handshake – Abusing TCP for Amplification DDoS

Marc Kührer1 Thomas Hupperich1 Christian Rossow2 Thorsten Holz1

1 -University 2 University

USENIX WOOT, August 2014 Amplification DDoS Attacks

Attacker Amplifiers Victim

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 2 TCP and Reflection

C S TCP 3-Way Handshake • Reflection • No amplification

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 3 TCP and Reflection

C S SYN/ACK Amplifiers • Keep repeating SYN/ACK until ACK • Default, e.g., in *nix • Against packet loss

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 4 TCP and Reflection

C S PSH Amplifiers • Send data before handshake finishes • e.g., FTP server banner info

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 5 TCP and Reflection

C S TCP Closed Port • Reflection • No amplification

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 6 TCP and Reflection

C S RST Amplification • Hosts persist sending RST • No rationale?

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 7 Methodology

• IPv4 Address Range Scan • TCP SYN Packets

• Amplification >20 Filter • Prevalent Protocols

• Amplifier Classification Stats • Evaluate Countermeasures

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 8 Amplification Statistics

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 9 Attack Frequency

 Response packets per X seconds

10 Amplifier Classification

DEVICE TYPE OS Unknown Unknown Linux Misc embedded

Networking Equipment ZyNOS

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 11 Active Defense

 SYN/ACK storms: send RST segments  Stops about 99.9% of the SYN/ACK streams

 RST storm: send ICMP port unreachable messages  Stops about 80% of the RST streams

Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 12 Conclusion

 Also TCP suffers from amplification vulnerabilities  RST, PSH and SYN/ACK storms

 We notified vendors, but fixes will take time

 Use active countermeasures to mitigate attacks

13 Hell of a Handshake – Abusing TCP for Amplification DDoS

Marc Kührer1 Thomas Hupperich1 Christian Rossow2 Thorsten Holz1

1 Ruhr-University Bochum 2

USENIX WOOT, August 2014