Re: Over a decade of DDOS--any progress yet?
On 8 Dec 2010, at 13:12, nanog-request@nanog.org wrote:
Date: Wed, 8 Dec 2010 12:53:51 +0000
From: "Dobbins, Roland" <rdobbins@arbor.net>
Subject: Re: Over a decade of DDOS--any progress yet?
To: North American Operators' Group <nanog@nanog.org>
Message-ID: <BF571AD7-1122-407B-B7FA-77B9BBAC48F7@arbor.net>
Content-Type: text/plain; charset="us-ascii"
On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
One big problem (IMHO) of DDoS is that sources (the host of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those.
The technology exists to detect and classify this attack traffic, and is deployed in production networks today.
Yes, they do exist. But are people really filtering out attacks, or just watching the attacks going out?
And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes.
On the other hand, the target of a DDoS cannot do anything to stop the attack besides adding more BW or contacting, one by one, the whole path of providers to try to minimize the effect.
Actually, there're lots of things they can do.
Yes, but all of them rely on your upstreams or on mirroring your content. If 100 Mbps are reaching your input interface of 10 Mbps, there is not much that you can do.
I know that this has many security concerns, but would a signalling protocol between ISPs be good, to inform the sources of a DDoS attack so that semi-automatic actions can be taken to rate-limit the traffic as close to the source as possible? Of course this is more complex than these two or three lines, but I wonder if this has been considered in the past.
It already exists.
If you have a URL, that would be good. I only found a few research papers on the topic and RSVP documents, but nothing really concrete.
Regards,
-as
On Dec 8, 2010, at 10:33 PM, Arturo Servin wrote:
If you have a URL, that would be good.
You may wish to do a bit more research on the topic of DDoS in general, as the state of the art in detection/classification/traceback/mitigation is considerably advanced beyond what you've described.
<https://files.me.com/roland.dobbins/y4ykq0>
<https://files.me.com/roland.dobbins/k54qkv>
<https://files.me.com/roland.dobbins/dweagy>
<https://files.me.com/roland.dobbins/prguob>
<https://files.me.com/roland.dobbins/k4zw3x>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Sell your computer and buy a guitar.
We have seen a recent trend of attackers "legitimately" purchasing servers to use for attacks. They'll set up a front company, attempt to make the traffic look legitimate, and then launch attacks from their "legitimate" botnet.
Jeff
--
Jeffrey Lyon, Leadership Team
jeffrey.lyon@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications - AS32421
First and Leading in DDoS Protection Solutions
And those are much more complex to detect than SYN attacks or simple flood attacks with ICMP. But even for simple flood attacks, I still think that the target has very few defence mechanisms, and those that exist require a complex coordination with upstreams.
Cheers,
.as
On 8 Dec 2010, at 13:39, Jeffrey Lyon wrote:
We have seen a recent trend of attackers "legitimately" purchasing servers to use for attacks. They'll set up a front company, attempt to make the traffic look legitimate, and then launch attacks from their "legitimate" botnet.
On Dec 8, 2010, at 10:47 PM, Arturo Servin wrote:
But even for simple flood attacks, I still think that the target has very few defence mechanisms, and those that exist require a complex coordination with upstreams.
This is demonstrably incorrect.
On 12/8/2010 9:52 AM, Dobbins, Roland wrote:
On Dec 8, 2010, at 10:47 PM, Arturo Servin wrote:
But even for simple flood attacks, I still think that the target has very few defence mechanisms, and those that exist require a complex coordination with upstreams.
This is demonstrably incorrect.
+1
For IPs that don't matter, automated /32 blackholes are usually supported by most providers. For critical infrastructure, I've not had a problem with the security/abuse/noc departments working with me to resolve the issue.
The first step to DOS mitigation is being able to shut down the attack vector. If they hit an IP, shut it down, let the 50 other distributed systems take care of it. It's all a matter of perspective, and it has to be handled on a case by case basis.
I had a dialup modem bank IP get DOS'd due to a customer off it. Well, the modem bank itself doesn't need to talk to the outside world (outside of traceroutes), so a quick blackhole of it stopped the DDOS (which was a small 300mb/s).
I've talked with several providers who will gladly redirect a subset of IPs through their high end filters, so in the event of a DOS, I can drop that /24 down to 1 transit peer, have them redirect it through their filter servers, and get clean traffic back to my network.
Jack
The most common attacks that I have seen over the last 12 months, and let's say I have seen a fair share, have been easily detectable by the source network.
It is either protocol 17 (UDP) dst port 80 or UDP Fragments (dst port 0..)
What valid application actually uses UDP 80?
You could literally wipe out a large amount of these attacks by simply filtering this.
-Drew
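As an added example (not code from the thread or from any of its participants), here is a small Python classifier for the two signatures Drew describes, UDP to destination port 80 and UDP fragments reported with destination port 0, run over constructed NetFlow-style records in a format invented here and aggregated per source host, which is the view a source network needs to decide which of its own hosts to rate-limit or investigate. The record format, the sample values and the packet threshold are assumptions.

```python
from collections import defaultdict, namedtuple

# Constructed sample flow records (format invented here, not that of the linked flows.txt):
# src_ip src_port dst_ip dst_port proto packets bytes
SAMPLE_FLOWS = """\
192.0.2.10 53211 203.0.113.5 80 17 120000 96000000
192.0.2.10 0 203.0.113.5 0 17 80000 64000000
192.0.2.77 44123 203.0.113.5 80 17 30000 24000000
198.51.100.3 54321 203.0.113.5 443 6 400 120000
198.51.100.9 33333 203.0.113.5 53 17 10 1200
192.0.2.10 41000 203.0.113.5 80 6 200 30000
"""

PROTO_UDP = 17
Flow = namedtuple("Flow", "src sport dst dport proto packets bytes")

def parse_flows(text):
    """Parse the constructed format above; malformed records raise."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if len(f) != 7:
            raise ValueError(f"malformed flow record: {line!r}")
        flows.append(Flow(f[0], int(f[1]), f[2], int(f[3]), int(f[4]),
                          int(f[5]), int(f[6])))
    return flows

def classify(flow):
    """Return the matching signature label from the thread, or None."""
    if flow.proto != PROTO_UDP:
        return None  # TCP/80 is ordinary web traffic and is not flagged
    if flow.dport == 80:
        return "udp-80"
    if flow.dport == 0:
        # Non-initial fragments carry no UDP header, so exporters report port 0.
        return "udp-frag"
    return None

def aggregate_by_source(flows):
    """Sum flagged packets per source host: the view the source network needs."""
    totals = defaultdict(lambda: {"packets": 0, "signatures": set()})
    for fl in flows:
        sig = classify(fl)
        if sig is not None:
            totals[fl.src]["packets"] += fl.packets
            totals[fl.src]["signatures"].add(sig)
    return dict(totals)

def candidates(flows, min_packets=1000):
    """Sources whose flagged traffic crosses the threshold, busiest first."""
    agg = aggregate_by_source(flows)
    ranked = sorted((s for s in agg if agg[s]["packets"] >= min_packets),
                    key=lambda s: agg[s]["packets"], reverse=True)
    return [(s, agg[s]["packets"], sorted(agg[s]["signatures"])) for s in ranked]

if __name__ == "__main__":
    for src, pkts, sigs in candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{src:16} {pkts:>8} pkts  {','.join(sigs)}")
```

The threshold keeps a single stray UDP/80 probe from landing a host on the list; whether a listed host is rate-limited or merely investigated remains the operator's call.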
On 12/8/2010 10:13 AM, Drew Weaver wrote:
The most common attacks that I have seen over the last 12 months, and let's say I have seen a fair share, have been easily detectable by the source network.
It is either protocol 17 (UDP) dst port 80 or UDP Fragments (dst port 0..)
What valid application actually uses UDP 80?
You could literally wipe out a large amount of these attacks by simply filtering this.
-Drew
You mean silly things like:
Warning, it is an 87160 line flow capture.
http://www.brightok.net/~abuse/ddos/flows.txt
Jack
We see a lot of the UDP dest 0. Depending on what you're hosting/protecting you can ACL a lot of the unneeded ports and protocols (easy), then focus on using appliances (commercially available or home grown if you're so inclined) to identify and scrub out the ambiguous traffic (a lot more difficult).
Jeff
On Wed, 8 Dec 2010 11:13:01 -0500 Drew Weaver <drew.weaver@thenap.com> wrote:
What valid application actually uses UDP 80?
The Cisco NAC client for Macs, for the purpose of "VLAN change detection", sends UDP/80 packets to the host's reversed default gateway (i.e., if the actual gateway is 1.2.3.4, it sends the packets to 4.3.2.1) once every five seconds.
mc
I should've "qualified" my question by saying "What valid application which traverses the Internet and could be seen at the edge of a network actually uses UDP 80?"
I can't imagine there is too much Cisco NAC client for Macs carrying on over the Internet, although I have been wrong in the past.
-Drew
On Fri, 10 Dec 2010 15:32:10 -0500 Drew Weaver <drew.weaver@thenap.com> wrote:
I should've "qualified" my question by saying "What valid application which traverses the Internet and could be seen at the edge of a network actually uses UDP 80?"
I'll grant that my response was a bit pedantic: there is no legitimate reason for such traffic to leave a network.
I can't imagine there is too much Cisco NAC client for Macs carrying on over the Internet, although I have been wrong in the past.
I imagine you're right, and that any network that detects any significant amount would be one whose first octet is a common fourth-octet-of-a-gateway (1, 65, 129, etc.).
mc
On Dec 8, 2010, at 9:33 AM, Arturo Servin wrote:
Yes, but all of them rely on your upstreams or in mirroring your content. If 100 Mbps are reaching your input interface of 10Mbps there is not much that you can do.
Hmm. What would be really cool is if you could use Snort, NetFlow/NBAR, or some other sort of DPI tech to find specifically the IP addresses of the DDoS bots, and then pass that information back upstream via BGP communities that tell your peer router to drop traffic from those addresses. That way the target of the traffic can continue to function if the DDoS traffic doesn't closely mimic the normal traffic.
Your BGP peer router would need to have lots of memory for /32 or /64 routes though.
Anyone heard of such a beast? Or is this how the stuff from places like Arbor Networks do their thing?
--Chris
On Dec 9, 2010, at 2:19 AM, Chris Boyd wrote:
Your BGP peer router would need to have lots of memory for /32 or /64 routes though.
Any modern router can handle this.
Anyone heard of such a beast? Or is this how the stuff from places like Arbor Networks do their thing?
This can be done with open-source tools or with some commercial tools. [Full disclosure - I work for a vendor which produces commercial tools in this category.]
Upstream providers generally have a hard time allowing you to write routes that you don't own into their table(s).
thanks,
-Drew