Measuring Global Denialof Service Attacks

Jose Nazario, Ph.D.

jose@arbor.net

KAIST, Daejeon, KR 2009

Page 2

Attack Spectrum

August 12th, 2007, Via Giorgio Maone

Website defacements: Integrity

Targeted malware, e.g.Gh0stnet: Confidentiality

DDoS, e.g. Estonia2007: Availability

Page 3

Page 4

Internet Attack Scale - 2007

o Unique attacks exceeding indicated BPS threshold for single ISPo Average of three 1-Gbps or larger attacks per day over 485 days of collectiono Two ~25 Gbps attacks reported by a single ISP (on same day, about one hour apart,

duration of ~35 minutes)

Page 5

2008 Survey: Attack Sizes - Growing

March, 2009: 48 Gbps attack observed on Internet

Page 6

Data from March and April 2009

Page 7

o Rate alerts

o Botnet/malcodetracking

o BGP information

o Server logs

Page 8

Traffic Rate Alerts

o Flow or inline measurement

o Dynamic, against learned baselineo N standard deviations above normalo PPS, BPS, destination CIDR

o Static, basic misuse categorieso SYN floods, fragments, etco Hard PPS limits

o System summarizes, characterizes

Page 9

Time

Tra

ffic

Page 10

Time

Tra

ffic !

Page 11

Global aggregation in ATLAS from field systems

Page 12

Global DDoS Traffic Q2 2009

DDoS victims, measured traffic (Peakflow)

Page 13

Attacker mapping via attack flows

Page 14

Active Botnet Tracking

o Project Bladerunner

o Collect malware

o Dynamic analysis

o Characterize as DDoS bot

o Identify server

o Send in Bladerunner (Py) continuously

Page 15

http://bizus-kokovs.cc/cgi-bin/get.cgi

Page 16

FREQ 1800000DDOS 0 5999940000 www.president.gov.ge / 0 win+love+in+Rusia 80 7DDOS 3 5999940000 www.president.gov.ge 80 7DDOS 2 5999940000 www.president.gov.ge 80 7DDOS 1 5999940000 www.president.gov.ge 7DDOS 0 5999940000 www.president.gov.ge / 1 win+love+in+Rusia 80 7

http://bizus-kokovs.cc/cgi-bin/get.cgi

www.president.gov.ge | 62.168.168.9 | AS28751| GE

Page 17

Botnet DDoS Activity - Q2 2009

DDoS Botnet C&C DDoS Victims

Based on active botnet tracking, logging

Page 18

Backbone Routes (BGP)

o Routeviews, Peakflow sources

o Monitor destination address announcements

o Response to an attack

o (GE) Part of the attack?

o Related: DNS tracking of targets

Page 19

Page 20

Community Tracking

o Blogs

o Forums

o Twitter

o Alerts for important events

o Keyword triggers

o Screen for additional sites, chatter

Page 21

Cyberattack

DDoS

EstoniaBlack Energy

Botnet

Page 22

Page 23

Page 24

o Assemble all data

o Store in databases,query

o Join on targets

o Analyst melds together

o Nearly completepicture

Page 25

Value of Data

o Operational value– Which links are affected– Which C&Cs to target for shutdown– What kind of attacks, targets are being hit

o Investigative value (long term)– Who may be behind attacks

Page 26

DDoS Tools

Page 27

Page 28

Page 29

Page 30

Page 31

Page 32

Page 33

Attribution

Page 34

“Cyber warfare”?

o Attacks appear to follow diplomatic issues, notlead

o Attack damage not on par with loss of life (GE, etc)– Inconvenience only

o Therefore, in general …– We assume non-state actors– We assume “right wing” political motivations– We assume news reports stir public

Page 35

Page 36

Page 37

Page 38

Page 39

Page 40

58.65.237.49

79.135.167.22

83.229.186.70

190.183.60.83

194.67.33.81

203.131.211.244

207.10.234.244

bizus-kokovs.cc

turkeyonline.name

ad.yandexshit.com

supportonline.mcdir.ru

Killgay.com, incasher.net, prosto.pizdos.net, vse.ohueli.net, a-nahui-vse-zaebalo-v-pizdu.com,

googlecomaolcomyahoocomaboutcom.net

newsgeorgia.ru

mk.ru

os-inform.com

apsny.ge

news.ge

osmp.ge

www.president.gov.ge

hacking.ge

caucasus.net

Page 41

Motivation

Page 42

Elections - Intimidation

Page 43

Critics - Censorship

Page 44

Diplomatic Tensions - Support of One Nation

Page 45

“Sit In” Protest

o September, 2009

o “Anonymous” attempts DDoS on AU PM, ACMAwebsites– Protesting Internet filtering in AU– Effects were minimal

Page 46

Unknown Motivation - 77DDoS (KR, US)

o July 4-10, 2009, attacks on KR, US gov andcommercial targets

o Technical details known, actors and motivationsnot

o KR-centric botnet (96%+)o Early concerns of KP-state action

Page 47

Response

Page 48

Page 49

Page 50

Page 51

Announced Cyber Attack Programs

o Several countries openly said they are exploringoffensive tools in this arena

o DDoS may be a part of it

o Details unknown

o True state capabilities unknown

Page 52

Biggest Political Threats from Cyber Conflict

o Dissidents’ organizations

o Freedom of speech– Critics– Press– Opposition candidates

o Elections– Fairness

o Internet is a communications medium

o These attacks threaten growth of liberties

Page 53

Rising Popularity

o Few incidents in 1999-2002– Hainan Island– Israel-Palestinian clashes– NATO-Balkan conflict

o Massive growth since 2007– Estonia, Georgia best known– UA, RU domestic, RU-ex USSR, Belarus, Ingushetia,

Chechnya– PS-IL– US– CN, Burma– IR

o No region is immune in 2009

Page 54

Terima kesih

Dank uSpasibo Gracias

GrazieArigato

Merci

DankëKiitosThank you

Tänan

Kamsahamnida 감사합니다