Hell of a Handshake – Abusing TCP for Amplification DDoS
Marc Kührer1 Thomas Hupperich1 Christian Rossow2 Thorsten Holz1
1 Ruhr-University Bochum 2 Saarland University
USENIX WOOT, August 2014 Amplification DDoS Attacks
Attacker Amplifiers Victim
Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 2 TCP and Reflection
C S TCP 3-Way Handshake • Reflection • No amplification
Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 3 TCP and Reflection
C S SYN/ACK Amplifiers • Keep repeating SYN/ACK until ACK • Default, e.g., in *nix • Against packet loss
…
Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 4 TCP and Reflection
C S PSH Amplifiers • Send data before handshake finishes • e.g., FTP server banner info
…
Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 5 TCP and Reflection
C S TCP Closed Port • Reflection • No amplification
Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 6 TCP and Reflection
C S RST Amplification • Hosts persist sending RST • No rationale?
…
Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 7 Methodology
• IPv4 Address Range Scan • TCP SYN Packets
• Amplification >20 Filter • Prevalent Protocols
• Amplifier Classification Stats • Evaluate Countermeasures
Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 8 Amplification Statistics
Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 9 Attack Frequency
Response packets per X seconds
10 Amplifier Classification
DEVICE TYPE OS Unknown Unknown Linux Misc embedded
Networking Equipment ZyNOS
Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 11 Active Defense
SYN/ACK storms: send RST segments Stops about 99.9% of the SYN/ACK streams
RST storm: send ICMP port unreachable messages Stops about 80% of the RST streams
Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks 12 Conclusion
Also TCP suffers from amplification vulnerabilities RST, PSH and SYN/ACK storms
We notified vendors, but fixes will take time
Use active countermeasures to mitigate attacks
13 Hell of a Handshake – Abusing TCP for Amplification DDoS
Marc Kührer1 Thomas Hupperich1 Christian Rossow2 Thorsten Holz1
1 Ruhr-University Bochum 2 Saarland University
USENIX WOOT, August 2014