Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Measuring Global Denialof Service Attacks
Jose Nazario, Ph.D.
KAIST, Daejeon, KR 2009
Page 2
Attack Spectrum
August 12th, 2007, Via Giorgio Maone
Website defacements: Integrity
Targeted malware, e.g.Gh0stnet: Confidentiality
DDoS, e.g. Estonia2007: Availability
Page 3
Page 4
Internet Attack Scale - 2007
o Unique attacks exceeding indicated BPS threshold for single ISPo Average of three 1-Gbps or larger attacks per day over 485 days of collectiono Two ~25 Gbps attacks reported by a single ISP (on same day, about one hour apart,
duration of ~35 minutes)
Page 5
2008 Survey: Attack Sizes - Growing
March, 2009: 48 Gbps attack observed on Internet
Page 6
Data from March and April 2009
Page 7
o Rate alerts
o Botnet/malcodetracking
o BGP information
o Server logs
Page 8
Traffic Rate Alerts
o Flow or inline measurement
o Dynamic, against learned baselineo N standard deviations above normalo PPS, BPS, destination CIDR
o Static, basic misuse categorieso SYN floods, fragments, etco Hard PPS limits
o System summarizes, characterizes
Page 9
Time
Tra
ffic
Page 10
Time
Tra
ffic !
Page 11
Global aggregation in ATLAS from field systems
Page 12
Global DDoS Traffic Q2 2009
DDoS victims, measured traffic (Peakflow)
Page 13
Attacker mapping via attack flows
Page 14
Active Botnet Tracking
o Project Bladerunner
o Collect malware
o Dynamic analysis
o Characterize as DDoS bot
o Identify server
o Send in Bladerunner (Py) continuously
Page 15
http://bizus-kokovs.cc/cgi-bin/get.cgi
Page 16
FREQ 1800000DDOS 0 5999940000 www.president.gov.ge / 0 win+love+in+Rusia 80 7DDOS 3 5999940000 www.president.gov.ge 80 7DDOS 2 5999940000 www.president.gov.ge 80 7DDOS 1 5999940000 www.president.gov.ge 7DDOS 0 5999940000 www.president.gov.ge / 1 win+love+in+Rusia 80 7
http://bizus-kokovs.cc/cgi-bin/get.cgi
www.president.gov.ge | 62.168.168.9 | AS28751| GE
Page 17
Botnet DDoS Activity - Q2 2009
DDoS Botnet C&C DDoS Victims
Based on active botnet tracking, logging
Page 18
Backbone Routes (BGP)
o Routeviews, Peakflow sources
o Monitor destination address announcements
o Response to an attack
o (GE) Part of the attack?
o Related: DNS tracking of targets
Page 19
Page 20
Community Tracking
o Blogs
o Forums
o Twitter
o Alerts for important events
o Keyword triggers
o Screen for additional sites, chatter
Page 21
Cyberattack
DDoS
EstoniaBlack Energy
Botnet
Page 22
Page 23
Page 24
o Assemble all data
o Store in databases,query
o Join on targets
o Analyst melds together
o Nearly completepicture
Page 25
Value of Data
o Operational value– Which links are affected– Which C&Cs to target for shutdown– What kind of attacks, targets are being hit
o Investigative value (long term)– Who may be behind attacks
Page 26
DDoS Tools
Page 27
Page 28
Page 29
Page 30
Page 31
Page 32
Page 33
Attribution
Page 34
“Cyber warfare”?
o Attacks appear to follow diplomatic issues, notlead
o Attack damage not on par with loss of life (GE, etc)– Inconvenience only
o Therefore, in general …– We assume non-state actors– We assume “right wing” political motivations– We assume news reports stir public
Page 35
Page 36
Page 37
Page 38
Page 39
Page 40
58.65.237.49
79.135.167.22
83.229.186.70
190.183.60.83
194.67.33.81
203.131.211.244
207.10.234.244
bizus-kokovs.cc
turkeyonline.name
ad.yandexshit.com
supportonline.mcdir.ru
Killgay.com, incasher.net, prosto.pizdos.net, vse.ohueli.net, a-nahui-vse-zaebalo-v-pizdu.com,
googlecomaolcomyahoocomaboutcom.net
newsgeorgia.ru
mk.ru
os-inform.com
apsny.ge
news.ge
osmp.ge
www.president.gov.ge
hacking.ge
caucasus.net
Page 41
Motivation
Page 42
Elections - Intimidation
Page 43
Critics - Censorship
Page 44
Diplomatic Tensions - Support of One Nation
Page 45
“Sit In” Protest
o September, 2009
o “Anonymous” attempts DDoS on AU PM, ACMAwebsites– Protesting Internet filtering in AU– Effects were minimal
Page 46
Unknown Motivation - 77DDoS (KR, US)
o July 4-10, 2009, attacks on KR, US gov andcommercial targets
o Technical details known, actors and motivationsnot
o KR-centric botnet (96%+)o Early concerns of KP-state action
Page 47
Response
Page 48
Page 49
Page 50
Page 51
Announced Cyber Attack Programs
o Several countries openly said they are exploringoffensive tools in this arena
o DDoS may be a part of it
o Details unknown
o True state capabilities unknown
Page 52
Biggest Political Threats from Cyber Conflict
o Dissidents’ organizations
o Freedom of speech– Critics– Press– Opposition candidates
o Elections– Fairness
o Internet is a communications medium
o These attacks threaten growth of liberties
Page 53
Rising Popularity
o Few incidents in 1999-2002– Hainan Island– Israel-Palestinian clashes– NATO-Balkan conflict
o Massive growth since 2007– Estonia, Georgia best known– UA, RU domestic, RU-ex USSR, Belarus, Ingushetia,
Chechnya– PS-IL– US– CN, Burma– IR
o No region is immune in 2009
Page 54
Terima kesih
Dank uSpasibo Gracias
GrazieArigato
Merci
DankëKiitosThank you
Tänan
Kamsahamnida 감사합니다