TO ANALYZE DDOS ATTACKS
TECH BRIEF
Table of Contents
DDOS attacks
Summary Benefits
DDOS attacks
Distributed Denial-of-Service (DDOS) attacks continue to be the most frequent attacks seen on the Internet. More than 65% of the attacks are currently distributed volumetric attacks.
SSDP is the basis for the Universal Plug and Play (UPnP) functionality. Typically, it is used in residential homes and small office environments, and uses UDP port 1900. It is formally described in a now-expired Internet Draft, but it was included in the final standards documents for UPnP, which made the protocol popular in embedded systems and modern operating systems.
Figure 2. Amplification Factors (Source: US-CERT)
Currently, there are about ten million publicly reachable SSDP devices that potentially can be exploited for use in DDOS attacks. Many of these devices are residential CPE routers/small office routers where the public-facing interface responds to SSDP requests.
In SSDP attacks, the initiating packet is amplified about 30 times, well below the amplification of NTP attacks, which amplify approximately 500 times (see Figure 2). However, since NTP is becoming more and more difficult to exploit for attacks, a protocol like SSDP will likely remain vulnerable for quite a long time, especially since typical users of CPE routers upgrade their home or office routers infrequently.
The Traffic Explorer module uses NetFlow v5/v9 or IPFIX to monitor, analyze and simulate traffic utilizations and paths in IP networks. Traffic matrices can be created for aggregated traffic demands, CoS-based demands or per-service-based demands, such as Layer 3 MPLS VPN or Layer 2 VPN services. Highly customized matrices can also be created using easy-to-create Traffic Groups. Traffic Groups can be based on router-to-router traffic within regions of the network, AS peerings, IP prefix grouping, application ports or a combination of these.
By defining an SSDP Traffic Group in Traffic Explorer ("TestPorts" in Figure 3), then viewing its associated traffic report and drilling down to a history graph, it is possible to examine SSDP traffic over any specified time range (one week in the example below). Hovering over the spike shows the time it occurred. This time (2016-06-04 23:45:00 in the example) can then be entered in the lower left corner of the screen to produce a more granular, five-minute view. All drill-down views will now reflect this five-minute traffic report, allowing the SSDP traffic to be further examined.
Figure 4 shows the drill-down to the FlowRecords reports, which reveal the source and destination IP addresses of the attack. The path of the attack is also displayed in a mini-map.
Figure 4. FlowRecords drill-down view showing the hop-by-hop path for the attack
Another useful report is the FlowRecords browser. It shows conversations between end-point IP
addresses and source and destination AS information for the attack traffic. See Figure 5.
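The port-based Traffic Group and the five-minute drill-down described above can be reproduced outside the product. The following is an added example, not Packet Design's code and not the Explorer Suite's API: it runs over a handful of constructed NetFlow-style records (addresses from the RFC 5737 documentation ranges, byte counts invented), defines an SSDP group on UDP port 1900, bins the group's bytes into five-minute buckets to locate the spike, and then lists the conversations behind that bucket with their bytes-per-packet ratio, which is what separates the large UDP/1900 responses of an amplification flood from the small requests that trigger them.

```python
"""Added example (not Packet Design's code): an SSDP Traffic Group and
five-minute drill-down over constructed NetFlow-style records."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed flow records (not real traffic):
# (first_seen UTC, src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    ("2016-06-04 23:40:10", "198.51.100.7", 51000, "203.0.113.9", 443, 6, 120, 90_000),        # background HTTPS
    ("2016-06-04 23:45:02", "192.0.2.10", 1900, "203.0.113.5", 4321, 17, 4000, 1_200_000),     # large SSDP replies
    ("2016-06-04 23:45:05", "192.0.2.11", 1900, "203.0.113.5", 4321, 17, 3800, 1_150_000),
    ("2016-06-04 23:46:30", "192.0.2.12", 1900, "203.0.113.5", 4321, 17, 4200, 1_260_000),
    ("2016-06-04 23:47:00", "203.0.113.5", 4321, "192.0.2.10", 1900, 17, 30, 3_000),           # small requests
    ("2016-06-04 23:50:20", "192.0.2.10", 1900, "203.0.113.77", 1900, 17, 2, 600),             # ordinary SSDP chatter
]

SSDP_PORT = 1900
BUCKET = timedelta(minutes=5)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def in_ssdp_group(flow):
    """Traffic Group membership: UDP with port 1900 on either side."""
    _, _, sport, _, dport, proto, _, _ = flow
    return proto == 17 and SSDP_PORT in (sport, dport)


def bucket_start(ts):
    """Align a timestamp to the start of its five-minute bucket."""
    return ts - timedelta(minutes=ts.minute % 5, seconds=ts.second, microseconds=ts.microsecond)


def ssdp_history(flows):
    """Bytes per five-minute bucket for the SSDP group (the history graph)."""
    hist = defaultdict(int)
    for f in flows:
        if in_ssdp_group(f):
            hist[bucket_start(parse_ts(f[0]))] += f[7]
    return dict(hist)


def spike_bucket(flows):
    """Bucket with the most SSDP bytes (the spike hovered over in the graph)."""
    hist = ssdp_history(flows)
    return max(hist, key=hist.get)


def drill_down(flows, start):
    """The FlowRecords view for one bucket: conversations, bytes, bytes/packet.

    Responses from UDP/1900 carrying far more bytes per packet than the
    requests sent to it are the amplification signature; the requests'
    destinations are the reflectors, the responses' destination the victim.
    """
    end = start + BUCKET
    rows = []
    for flow in flows:
        ts, src, sport, dst, dport, _, pkts, byts = flow
        if start <= parse_ts(ts) < end and in_ssdp_group(flow):
            rows.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                         "packets": pkts, "bytes": byts, "bytes_per_pkt": byts / pkts})
    rows.sort(key=lambda r: r["bytes"], reverse=True)
    return rows


def likely_victim(rows):
    """Destination receiving the most bytes from UDP/1900 sources in the bucket."""
    by_dst = defaultdict(int)
    for r in rows:
        if r["sport"] == SSDP_PORT:
            by_dst[r["dst"]] += r["bytes"]
    return max(by_dst, key=by_dst.get) if by_dst else None


if __name__ == "__main__":
    start = spike_bucket(FLOWS)
    print("spike bucket:", start.strftime("%Y-%m-%d %H:%M:%S"))
    rows = drill_down(FLOWS, start)
    for r in rows:
        print(r)
    print("likely victim:", likely_victim(rows))
```

On the constructed records the spike lands in the 23:45:00 bucket, the three UDP/1900 sources each show about 300 bytes per packet against 100 for the requests, and 203.0.113.5 receives nearly all of the group's bytes. On real flow data the same grouping works with any reflector port, and the AS information shown in the FlowRecords browser would come from the exporter's source/destination AS fields rather than from anything computed here.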
Summary Benefits
Using Route Explorer and Traffic Explorer before, during, and after DDOS attacks will enable you to:
To learn more about Packet Design and the Explorer Suite, please visit
www.packetdesign.com