»So you think IoT DDoS botnets are dangerous - Bypassing ISP and Enterprise Anti-DDoS with 90's technology«
2018-10-16, 17:45–18:05, Europe

Stresser/booter services provide "DDoS as a Service" and are getting more and more powerful, measured in the amount of traffic. But the resources they currently use could be improved and optimised to perform much more dangerous and advanced attack patterns, ones that can bypass large Anti-DDoS solutions through pre-analysis and data-mining, using big-data analysis and OSINT information as the source.

The research will show a framework for how attackers can optimise attacks based on a combination of big-data analysis and pre-attack analysis. It will show that terabit attacks are not necessarily needed, and why 90's technology can be preferred over IoT worms and other fancy gadgets.

DISCLAIMER: THIS IS NOT A TALK TO RECOMMEND DDoS ATTACKS, OR SHOW HOW THEY ARE PERFORMED

Since the start of 2016 I have collected data on UDP services as the base for the research, and I will discuss the pros and cons of the different protocols from an attacker's perspective, as well as why using these well-known UDP services is an advantage from an attacker's perspective. The same core problem can, however, also be exploited from infected machines and IoT devices. The services and request types covered (service name, followed by the request label used in the data set):

- TFTP: tftp - RRQ
- Steam: STEAM A2S_INFO request
- SSDP: ssdp - M-SEARCH * HTTP/1.1
- SNMP: snmp - v2c public - getBulkRequest
- SIP: SIP OPTIONS Request
- Sentinel: sentinel license
- RIP: rip - RIPv1 request
- Quake: QUAKE3 getstatus
- QOTD: qotd - Single carriage return/newline
- Portmap: portmap - V2 DUMP Call
- NTP: ntp - readvar
- NTP: ntp - monlist
- Netbios: netbios - Name query NBSTAT
- MSSQL: MSSQL CLNT_BCAST_EX message
- MDNS: mdns - List all currently registered services
- LDAP: LDAP objectClass= with 0 attributes
- Citrix: Citrix Requesting Published Applications list
- DNS: dns - Standard query ANY
- CHARGEN: chargen - Single byte
- CoAP: CoAP Resource Discovery - /.well-known/core

My research included recording the responses sent back from the list of services after I sent each of them a collection of well-known attack patterns. My analysis combines this with the geo-distribution of these vulnerable services, anywhere from VPSs to ISPs with misconfigured CPE (customer provided equipment). The data collection described here is only a subset of my research, in this case the collection of amplifiers; other attack platforms ("Mirai"-infected equipment, botnet infections) could just as well have been added.

The reason for collecting service amplifiers is that all recent reports underestimate them; as the research will show, they are quite potent.

Related research:

There has been a lot of research on UDP-based amplification DDoS, but the main focus has usually been specific services and the statistics behind amplification, or the stressers/booters using the protocols for attacks. My talk will use the UDP amplification data approach, but there has been no public research on the threats identified and shown in my research.

Christian Rossow has previously done a lot of research on the protocols themselves: http://www.christian-rossow.de/publications/amplification-ndss2014.pdf

There has also been a lot of research on individual protocols, but none with as large a data set as the one collected in this research: https://scholar.google.dk/scholar?q=ddos+amplification+and+reflection&hl=en&as_sdt=0&as_vis=1&oi=scholart&sa=X&ved=0ahUKEwjmmOSprrPRAhVDPBQKHQ-oB1YQgQMIGjAA

This research will focus on how, based on big-data analysis, it is possible to optimise attacks through pre-evaluation of the attack scenario, showing that volumetric attacks do not necessarily need to be that volumetric. The pre-evaluation is:

- Geo-based
- ASN-based
- Service-based

Previous research has also not analysed how much pre-analysis the people behind stressers/booters do on the services they use in attacks.

Takeaway:

The audience will understand that the internet community has an old "legacy" protocol problem and will see several ways in which a large variety of Anti-DDoS solutions on the market can be bypassed. It will also be clear that new solutions will need to be invented, in combination with more drastic measures towards servers that provide vulnerable services.

The audience will also take away that we as a community need to take more action towards ISPs or service providers that do not do the "takedown" they could.

A raw data set of the collected data will be made freely available for anyone to perform additional research into the topic. The data has been collected continuously since the start of 2016.

----------------------------------------------------- Output Example --------------------------------
{
  "base": {
    "attack_type": "dns - Standard query ANY",
    "victim": "<redacted>",
    "port": 53,
    "protocol": "dns",
    "domain": "cpsc.gov",
    "runtime_start": 1477250347773,
    "runtime_stop": 1477262324373,
    "data_entries": 735929
  },
  "data": [
    {
      "start_time": 1477250357847,
      "stop_time": 1477250358040,
      "soldier": "192.254.143.164",
      "sent": 37,
      "recieved": 820,
      "amp_factor": 22,
      "sent_data": "HjABAAABAAAAAAABBGNwc2MDZ292AAD/AP8AACkQAAAAAAAAAA==",
      "recvd_data": "<omitted>"
    },
    {
      "start_time": 1477250358023,
      "stop_time": 1477250358077,
      "soldier": "85.235.131.89",
      "sent": 37,
      "recieved": 248,
      "amp_factor": 6,
      "sent_data": "QvABAAABAAAAAAABBGNwc2MDZ292AAD/AP8AACkQAAAAAAAAAA==",
      "recvd_data": "QvCBAAABAAAADQABBGNwc2MDZ292AAD/AP8AAAIAAQA27oAAFAFDDFJPT1QtU0VSVkVSUwNORVQAAAACAAEANu6AAAQBRMAnAAACAAEANu6AAAQBRcAnAAACAAEANu6AAAQBRsAnAAACAAEANu6AAAQBR8AnAAACAAEANu6AAAQBSMAnAAACAAEANu6AAAQBScAnAAACAAEANu6AAAQBSsAnAAACAAEANu6AAAQBS8AnAAACAAEANu6AAAQBTMAnAAACAAEANu6AAAQBTcAnAAACAAEANu6AAAQBQcAnAAACAAEANu6AAAQBQsAnAAApEAAAAAAAAAA="
    },
    {
      "start_time": 1477250357971,
      "stop_time": 1477250358109,
      "soldier": "204.58.246.159",
      "sent": 37,
      "recieved": 660,
      "amp_factor": 17,
      "sent_data": "A3EBAAABAAAAAAABBGNwc2MDZ292AAD/AP8AACkQAAAAAAAAAA==",
      "recvd_data": "<omitted>"
    }
  ]
}
----------------------------------------------------- Output Example --------------------------------
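As an added example (not the author's code and not one of the tools the talk releases), the following Python reads a record in the output format above, decodes the recorded sent_data to confirm it is a DNS ANY query for the listed domain carrying an EDNS OPT record, and recomputes amp_factor from the recieved/sent byte counts. The sample record is a constructed, trimmed copy of the page's example; the helper names are assumptions, and the "<omitted>" responses are not needed for the checks.

```python
import base64
import json
import struct

# Constructed sample in the talk's output format: a trimmed copy of the page's example record.
SAMPLE = json.loads("""{
  "base": {"attack_type": "dns - Standard query ANY", "victim": "<redacted>", "port": 53,
           "protocol": "dns", "domain": "cpsc.gov", "data_entries": 2},
  "data": [
    {"soldier": "192.254.143.164", "sent": 37, "recieved": 820, "amp_factor": 22,
     "sent_data": "HjABAAABAAAAAAABBGNwc2MDZ292AAD/AP8AACkQAAAAAAAAAA=="},
    {"soldier": "85.235.131.89", "sent": 37, "recieved": 248, "amp_factor": 6,
     "sent_data": "QvABAAABAAAAAAABBGNwc2MDZ292AAD/AP8AACkQAAAAAAAAAA=="}
  ]}""")

QTYPE_ANY, TYPE_OPT = 255, 41   # "Standard query ANY"; EDNS OPT pseudo-record type
def parse_dns_query(raw: bytes) -> dict:
    """Decode header, first question and the EDNS OPT record (if any) of a DNS query."""
    txid, flags, qdcount, _an, _ns, arcount = struct.unpack("!6H", raw[:12])
    labels, pos = [], 12
    while raw[pos] != 0:                      # uncompressed labels only, fine for a query
        n = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", raw[pos + 1:pos + 5])
    pos += 5                                  # past the root byte, QTYPE and QCLASS
    udp_size = None                           # EDNS advertised UDP payload size, if present
    if arcount and raw[pos] == 0 and struct.unpack("!H", raw[pos + 1:pos + 3])[0] == TYPE_OPT:
        udp_size = struct.unpack("!H", raw[pos + 3:pos + 5])[0]
    return {"id": txid, "flags": flags, "qdcount": qdcount, "qname": ".".join(labels),
            "qtype": qtype, "qclass": qclass, "edns_udp_size": udp_size, "length": len(raw)}

def decode_sent(entry: dict) -> dict:
    return parse_dns_query(base64.b64decode(entry["sent_data"]))

def check_record(base: dict, entry: dict) -> dict:
    """Recompute the stored fields so a consumer of the data set can trust them."""
    q = decode_sent(entry)
    return {
        "soldier": entry["soldier"],
        "is_any_query": q["qtype"] == QTYPE_ANY and q["qname"] == base["domain"],
        "advertises_large_udp": (q["edns_udp_size"] or 0) >= 4096,  # lets a big reply through
        "sent_matches": q["length"] == entry["sent"],
        # amp_factor in the page's data is the integer part of recieved / sent bytes
        "amp_factor_matches": entry["recieved"] // entry["sent"] == entry["amp_factor"],
    }

def check_dataset(doc: dict) -> list:
    return [check_record(doc["base"], e) for e in doc["data"]]
```

Running check_dataset(SAMPLE) confirms both page records: a 37-byte ANY query for cpsc.gov, QCLASS 255, EDNS UDP size 4096, and amp_factor equal to floor(recieved / sent).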

Several tools will be released as part of the presentation of the research:

- A Json2PCAP converter, for people who eat pcaps rather than JSON files for breakfast.
- A core setup of Elasticsearch and Logstash, so that the collected data can be consumed swiftly.