Principles and Preventive Measures of Reflective DDoS Attacks

This article is published by NetEase Cloud.

 

Original address: Principles and preventive measures of reflective DDoS attacks - NetEase Cloud Blog

With the rise of botnets, and because DDoS attacks are simple to launch, have a large impact and are hard to trace, distributed denial of service (DDoS) attacks have grown rapidly and become increasingly widespread.

A botnet of thousands of hosts provides the bandwidth and machines a DDoS attack needs, producing massive attack traffic that does great harm to the targeted network. What is even more worrying is that DDoS has no complete solution; it can only be mitigated by a combination of measures at several layers of protection.

1 Background


In December 2015, a domestic cloud provider reported that a well-known game company hosted on its cloud platform suffered a DDoS attack with peak traffic of 453.8 Gbps.

In September 2016, the founder and CTO of OVH, a French company that provides web hosting services worldwide, posted a screenshot on Twitter showing multiple OVH servers being hit simultaneously by a DDoS attack peaking at nearly 1 Tbps. As shown in the figure below, a single attack in this campaign reached up to 93 million packets per second, or 799 Gbps.



In October 2016, attackers took control of a large number of Internet-connected webcams and DVR recorders in the United States and used these compromised hosts to attack many well-known US websites; Twitter, PayPal, Spotify and others were forced to interrupt service. The attack affected more than half of the US Internet.



It can be seen that DDoS attacks are becoming more and more serious: attacks of hundreds of Gbps are now common, and they will only grow larger. Moreover, as both the security community and black hats command ever more Internet resources, attacks are becoming more complex, and the DDoS challenges faced by businesses and applications are growing accordingly.

Therefore, traffic must be inspected and scrubbed before a DDoS threat reaches key services and applications, so that the network keeps running normally and stably and the business is not disrupted.

2 Reflection attacks


Generally speaking, DDoS attacks are divided into types such as SYN Flood, ACK Flood, UDP Flood, NTP Flood, SSDP Flood, DNS Flood, HTTP Flood, ICMP Flood, CC and so on.

Each attack type has its own characteristics, and the reflection DDoS attack is a newer variant. The attacker does not attack the target's IP directly. Instead, the attacker forges the victim's IP address as the source and sends constructed request packets to servers on the Internet that expose certain special services; those servers send their replies, twice as large as the request, to the victim's IP, indirectly forming a DDoS attack against it.

As shown in the figure below, the attacker (in practice, usually puppet machines under the attacker's control) does not send attack packets directly to the victim but, pretending to be the victim, sends packets to the amplifiers, which then reflect their responses back to the victim.



In a reflection attack, the attacker exploits flaws in network protocols to spoof the source IP, mainly because many protocols (such as ICMP and UDP) do not authenticate the source IP. At the same time, to make the attack more effective, attackers generally choose protocol services with an amplification effect. In short, IP spoofing is used for reflection and amplification, achieving a large effect with little effort.
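As an added example (not code from the NetEase article), the following Python sketch shows how a victim network can recognise exactly this pattern: reflected responses arrive from well-known reflector ports without any matching request ever having left the network. The local network, the threshold and the flow records are assumptions constructed for the example.

```python
"""Victim-side detection of reflected traffic (added example, not from the article).
A reflected packet is a response from a well-known reflector port (DNS 53, NTP 123,
SSDP 1900) that no host on our side requested: the detector remembers our outbound
requests and counts inbound responses with no matching request, per victim and per
protocol.  The flow records at the bottom are constructed for this example."""
import ipaddress
from collections import defaultdict

REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp"}


def detect_reflection(flows, local_cidr, min_reflectors=3):
    """flows: (src_ip, src_port, dst_ip, dst_port, nbytes) tuples in arrival order.
    Returns {victim_ip: {protocol: (distinct_reflectors, reflected_bytes)}} for every
    victim hit by at least min_reflectors distinct reflectors on one protocol."""
    local = ipaddress.ip_network(local_cidr)
    pending = set()                                   # (client, client_port, server, server_port)
    stats = defaultdict(lambda: defaultdict(lambda: [set(), 0]))
    for src, sport, dst, dport, nbytes in flows:
        if ipaddress.ip_address(src) in local and dport in REFLECTOR_PORTS:
            pending.add((src, sport, dst, dport))     # our own request: its reply is legitimate
        elif ipaddress.ip_address(dst) in local and sport in REFLECTOR_PORTS:
            key = (dst, dport, src, sport)
            if key in pending:
                pending.discard(key)                  # answers something we actually asked
                continue
            entry = stats[dst][REFLECTOR_PORTS[sport]]
            entry[0].add(src)                         # distinct reflectors seen for this victim
            entry[1] += nbytes                        # bytes of unsolicited response traffic
    report = {}
    for victim, per_proto in stats.items():
        hits = {p: (len(r), b) for p, (r, b) in per_proto.items() if len(r) >= min_reflectors}
        if hits:
            report[victim] = hits
    return report


# Constructed sample: 10.0.0.5 performs a real DNS lookup (request, then reply), while
# 10.0.0.9 receives NTP replies from five servers it never queried.
SAMPLE_FLOWS = [
    ("10.0.0.5", 40001, "198.51.100.1", 53, 60),
    ("198.51.100.1", 53, "10.0.0.5", 40001, 120),
] + [("203.0.113.%d" % i, 123, "10.0.0.9", 50000, 482) for i in range(1, 6)]

if __name__ == "__main__":
    print(detect_reflection(SAMPLE_FLOWS, "10.0.0.0/24"))   # {'10.0.0.9': {'ntp': (5, 2410)}}
```

Because the detector only consumes one pending entry per response, a legitimate multi-packet reply (such as a monlist answer) to a request of our own is counted as a single reflector and stays below the threshold.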

3 Smurf Attacks


The Smurf attack is a classic DDoS attack, named after the program Smurf that first launched it. It combines IP spoofing with ICMP echo replies to flood the target system with network traffic, causing it to deny service to legitimate systems.



The attack process is roughly as follows. The attacker sends a spoofed ping packet to the broadcast address of a network that has a large number of hosts and Internet connectivity; the source address of the spoofed ping packet is the victim the attacker wishes to attack (9.9.9.9). When the router receives the packet addressed to the IP broadcast address (1.1.1.255), it treats it as a broadcast packet and delivers it to all hosts on the local segment (1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5, 1.1.1.6). Since ICMP has no handshake to verify the source IP address, every host on the segment sends an echo reply to the spoofed source address. On a large Ethernet segment, hundreds of hosts may reply to the echo request, and the target system is quickly swamped by echo replies, which easily prevents it from processing any other network traffic, so that it denies service to legitimate systems.

This attack affects not only the target system but also the Internet connection of the target organization. So how can this type of attack be prevented?

a. Block the source of the Smurf attack. Smurf attacks rely on the attacker being able to send echo requests with spoofed source addresses. Users can use the router's access control to ensure that all traffic leaving the internal network carries a legitimate source address, which prevents such attacks from being launched from inside.

b. Block the Smurf bounce site. Users have two options for blocking bounce sites. The first is to block all inbound echo requests with an ACL, which stops these packets from reaching your network. If you cannot block all inbound echo requests, configure your router so that it does not turn packets sent to the network broadcast address into LAN broadcasts (that is, do not forward directed broadcasts).

4 DNS reflection attacks


DNS is a basic service of the entire Internet: when we access the Internet, domain names must be converted into IP addresses through DNS resolution. In theory an ISP's DNS server should answer DNS queries only from its own clients' IPs, but in fact a large number of DNS servers on the Internet are left in a default configuration that answers queries from any IP.

At the same time, DNS mostly uses UDP, which has no handshake that would let the server verify the source IP of a request. As shown in the figure below, the attacker (in fact a puppet machine controlled by the attacker) sends a large number of requests with the victim's spoofed IP to the DNS server, and the DNS server acts as an amplifier, sending the DNS responses to the victim.



Let's look at how DNS amplifies a request packet. Enter the following (xxxx is the DNS server's IP):

dig ANY @xxxx

and look at the result. To save space, most of the response is omitted. The response is far larger than the request packet, and that is the amplification effect.

; <<>> DiG 9.7.3 <<>> ANY @xxxx
;; global options: +cmd
;; Got answer:

;; ... (most of the response is omitted here) ...

isc.org.    484    IN    RRSIG    A 5 2 7200 20121125230752 20121026230752 4442 isc.org. ViS+qg95DibkkZ5kbL8vCBpRUqI2/M9UwthPVCXl8ciglLftiMC9WUzq Ul3FBbri5CKD/YNXqyvjxyvmZfkQLDUmffjDB+E+=.8ZGqBxSpG8j1fDwK6n1 hWbKf7QSe4LuJZyEgXFEkP16CmVyZCTITUh2TNDmRgsoxrvrOqOePWhp

Unfortunately, there are a large number of exploitable DNS servers on the Internet, and attackers can easily find them with network scanning tools. This calls for the following measures:

a. If you are a DNS administrator and need to harden the DNS server, you can disable recursion and limit the IP addresses allowed to query, using a configuration like the following (BIND named.conf):

options {
    recursion no;                          // do not resolve on behalf of arbitrary clients
    allow-query { 192.168.1.0/24; };       // answer queries only from the local network
};

b. If you are the victim, you can first defend with ACL rules at the network layer, or use an anti-DDoS system for traffic scrubbing. Most cloud service providers now offer such functions.

5 NTP reflection attack


NTP (Network Time Protocol) is a network protocol used to synchronize computer clocks. NTP includes a monlist function, also known as MON_GETLIST, which is mainly used for monitoring the NTP server. When an NTP server answers a monlist request, it returns the IPs of the last 600 clients that synchronized time with it, split across up to 100 response packets. We can use the ntpdc command to send monlist to an NTP server and capture packets to see the actual effect:

ntpdc -n -c monlist xxxx | wc -l
602

In the command line above, a single request containing monlist received 602 lines of data; apart from the first two lines, which are not data, that is exactly the list of 600 client IPs. From the Wireshark capture in the figure above we can also see 101 NTP packets: one request packet and exactly 100 response packets.

a. If you are an NTP administrator and need to harden the NTP service, upgrade the NTP server to version 4.2.7p26 or later. To turn off the monlist function of the current NTP service, add the following line to the ntp.conf configuration file:

disable monitor

b. If you are the victim, how do you defend against NTP reflection and amplification attacks? First, you can defend with ACL rules at the network layer, or use an anti-DDoS system for traffic scrubbing. Most cloud service providers now offer such functions.

6 SSDP reflection attack


Smart devices on the Internet, such as home routers, webcams, printers and smart home appliances, generally use UPnP (Universal Plug and Play) as their network communication protocol, and UPnP devices discover each other through SSDP (Simple Service Discovery Protocol) on port 1900.

The principle of a reflection attack using SSDP is similar to the ones using DNS and NTP: the attacker forges the victim's IP address as the source and sends SSDP requests to a large number of smart devices on the Internet, and each device that receives a request returns its response to that source address, i.e. to the victim. With the rapid development and spread of the Internet of Things and smart devices, DDoS attacks using smart devices will become more and more common. An example SSDP request is as follows:

M-SEARCH * HTTP/1.1
HOST: 1.2.2.3:1900
MAN: "ssdp:discover"
MX: 1
ST: urn:dial-multiscreen-org:service:dial:1

The returned message is as follows:

HTTP/1.1 200 OK
CACHE-CONTROL: max-age = 60
EXT:
LOCATION:
SERVER: Network Printer Server UPnP/1.0 OS 1.29.00.44 06-17-2009
ST: upnp:rootdevice
USN: uuid:Samsung-Printer-1_0-mrgutenberg::upnp:rootdevice

So how can SSDP attacks be prevented?

a. On devices that do not need plug-and-play, turn off the UPnP service.

b. When under an SSDP DDoS attack, filter traffic matching the SSDP fingerprint through ACL rules on network devices, or deploy a DDoS protection system.
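Sections 4, 5 and 6 all come down to three request types, so here is one added Python example (not from the original article) that fingerprints them from the raw UDP payload, the same logic an ACL or IDS rule at a reflector or an upstream filter would match on: DNS ANY queries (QTYPE 255), NTP mode-7 monlist requests, and SSDP M-SEARCH. The sample datagrams are constructed for the example; the NTP request codes 20 (MON_GETLIST) and 42 (MON_GETLIST_1) are the values from ntpd's ntp_request.h.

```python
"""Fingerprints for the requests that reflection attacks abuse (added example, not from the
article): DNS ANY queries, NTP mode-7 monlist requests and SSDP M-SEARCH discovery.  The
datagrams below are constructed; NTP request codes follow ntpd's ntp_request.h."""
import struct

DNS_QTYPE_ANY = 255
NTP_MODE_PRIVATE = 7                          # mode 7 is ntpd's private protocol; monlist lives there
NTP_MON_GETLIST, NTP_MON_GETLIST_1 = 20, 42


def dns_query_qtype(payload):
    """QTYPE of the first question of a DNS query, or None if this is not a parseable query."""
    # Reject: no header, QR=1 (a response, not a query), or QDCOUNT == 0 (no question).
    if len(payload) < 12 or payload[2] & 0x80 or payload[4:6] == b"\x00\x00":
        return None
    i = 12
    while i < len(payload) and payload[i] != 0:           # walk the QNAME labels
        if payload[i] & 0xC0:                             # pointers are not allowed in a question name
            return None
        i += payload[i] + 1
    if i + 5 > len(payload):                              # terminator + QTYPE + QCLASS must fit
        return None
    return struct.unpack("!H", payload[i + 1:i + 3])[0]


def ntp_is_monlist(payload):
    """True for an NTP mode-7 request carrying MON_GETLIST or MON_GETLIST_1."""
    if len(payload) < 4 or payload[0] & 0x80:             # bit 7 set marks a response
        return False
    return payload[0] & 0x07 == NTP_MODE_PRIVATE and payload[3] in (NTP_MON_GETLIST, NTP_MON_GETLIST_1)


def ssdp_is_msearch(payload):
    head = payload[:512].upper()
    return head.startswith(b"M-SEARCH * HTTP/1.1") and b"MAN:" in head and b"SSDP:DISCOVER" in head


def classify(dst_port, payload):
    """Label a UDP datagram by the amplifying request it carries, or None for anything else."""
    if dst_port == 53 and dns_query_qtype(payload) == DNS_QTYPE_ANY:
        return "dns-any"
    if dst_port == 123 and ntp_is_monlist(payload):
        return "ntp-monlist"
    if dst_port == 1900 and ssdp_is_msearch(payload):
        return "ssdp-msearch"
    return None


# Constructed samples: ANY and A queries for isc.org, a 48-byte monlist request, the M-SEARCH above.
DNS_QUESTION = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x03isc\x03org\x00"
SAMPLES = [
    (53, DNS_QUESTION + b"\x00\xff\x00\x01"),
    (53, DNS_QUESTION + b"\x00\x01\x00\x01"),
    (123, b"\x17\x00\x03\x2a" + b"\x00" * 44),
    (1900, b'M-SEARCH * HTTP/1.1\r\nHOST: 1.2.2.3:1900\r\nMAN: "ssdp:discover"\r\nMX: 1\r\nST: urn:dial-multiscreen-org:service:dial:1\r\n\r\n'),
]
```

Only the second DNS sample (an ordinary A query) and anything on another port come back unlabelled, which is what lets the filter drop amplifying requests without blocking normal DNS, NTP or UPnP use.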

7 Summary


Here we introduce an academic term, the Bandwidth Amplification Factor (BAF), which expresses the size ratio between request packets and response packets, i.e. how many times larger the response is than the request. For reflection amplification attacks on different protocols, the BAF of the same service varies because implementations differ between versions and because of the variety of request data they support. We compared the protocols experimentally; the experimental BAF values let you intuitively feel the power of each reflection attack and understand the amplification multiplier.



Reflective DDoS attacks are becoming more and more popular because they are hard to trace and do not require a large number of compromised hosts, and they are bound to pose a great threat to businesses. Besides all parties cooperating on the security management and configuration of devices and services on the Internet to eliminate reflection sites, defenses must also be prepared on the server side, such as ACL filtering rules and DDoS scrubbing services. Many cloud vendors now provide DDoS traffic scrubbing services that can be used directly.

 

 
