
USING THE EXPLORER SUITE TO ANALYZE DDOS ATTACKS

TECH BRIEF
Table of Contents

DDOS attacks 3

SSDP increasingly used for attacks 3

DDOS analytics with the Explorer products 4

Analyzing an SSDP attack 4

Benefits of using the Explorer products to analyze DDOS attacks 7

Summary Benefits 7

Copyright © 2016, Packet Design, LLC


Page 2 of 8
Using the Explorer Suite to Analyze DDOS Attacks

DDOS attacks
Distributed Denial-of-Service (DDOS) attacks continue to be the most frequent attacks seen on the
Internet. More than 65% of the attacks are currently distributed volumetric attacks.

One class of DDOS attack is the reflection and amplification attack. Reflection refers to an attacker
using a third-party device to bounce traffic off of and towards a target, typically spoofing the
target's (the victim's) IP address. Amplification refers to the fact that the response to the spoofed
request is larger, up to 800 times, than the original spoofed request. See Figure 1.

Figure 1. An Amplification Attack (Source: Cloudflare blog)

SSDP increasingly used for attacks
Open and recursive DNS resolvers available on the
public Internet used to be, and continue to be, popular
sources of reflection and amplification attacks. Publicly
available, open Network Time Protocol (NTP) servers
are also frequently used to craft these attacks. However,
as awareness of the deficiencies of these protocols
increases, these servers are becoming better protected,
making it more difficult to use them for DDOS attacks.

Attackers are constantly looking for new ways to craft attacks, and the Simple Service Discovery
Protocol (SSDP) is becoming popular for crafting amplification and reflection attacks.

SSDP is the basis for the Universal Plug and Play (UPnP)
functionality. Typically, it is used in residential homes
and small office environments, and uses UDP port 1900.
It is formally described in a now-expired Internet Draft,
but it was included in the final standards documents for
UPnP which made the protocol popular in embedded
systems and modern operating systems.

Currently, there are about ten million publicly reachable SSDP devices that potentially can be
exploited for use in DDOS attacks. Many of these devices are residential CPE routers/small office
routers where the public-facing interface responds to SSDP requests.

Figure 2. Amplification Factors (Source: US-CERT)

In SSDP attacks, the initiating packet is amplified about 30 times, well below the amplification of
NTP attacks, which amplify approximately 500 times (see Figure 2). However, since NTP is becoming
more and more difficult to exploit for attacks, a protocol like SSDP will likely remain exploitable for
quite a long time, especially since typical users of CPE routers upgrade their home or office routers
infrequently.

DDOS analytics with the Explorer products

Traditional DDOS detection and mitigation devices do not know the IP/MPLS path that attack traffic
takes through the internal network. Nor do they help network operators to simulate attacks by
modeling incoming traffic from other ingress points and seeing the impact on links. It is also hard to
determine the impact of an attack whose volume is multiplied by some factor. Augmenting the existing
mitigation devices with the DDOS analytics and simulation capabilities in Packet Design's Explorer
Suite can greatly help in preventing and solving DDOS problems.

The Traffic Explorer module uses NetFlow v5/v9 or IPFIX to monitor, analyze and simulate traffic
utilizations and paths in IP networks. Traffic matrices can be created for aggregated traffic demands,
CoS-based demands or per-service-based demands, such as Layer3 MPLS VPN or Layer2 VPN
services. Highly customized matrices can also be created using easy-to-create Traffic Groups. Traffic
Groups can be based on router-to-router traffic within regions of the network, AS Peerings, IP prefix
grouping, application ports or a combination of these.

Analyzing an SSDP attack
The example below highlights how Traffic Explorer can aid in the analysis of DDOS traffic. Specifically,
the use case shows how to analyze SSDP traffic. It also serves as an example that can easily be
copied and used for other traffic types, capturing any port number or combination of port numbers,
and other traffic grouping functionality, such as IP prefixes.

By defining an SSDP Traffic Group in Traffic Explorer ("TestPorts" in Figure 3), then viewing its
associated traffic report and drilling down to a history graph, it is possible to examine SSDP traffic
over any specified time range (one week in the example below). Hovering over the spike shows the
time it occurred. This time (2016-06-04 23:45:00 in the example) can then be entered in the lower left
corner of the screen to produce a more granular, five-minute view. All drill-down views will then reflect
this five-minute traffic report, allowing the SSDP traffic to be further examined.

Figure 4 shows the drill-down to the FlowRecords report, which reveals the source and destination IP
addresses of the attack. The path of the attack is also displayed in a mini-map.

Figure 3. SSDP traffic spike over a one-week monitoring period

Figure 4. FlowRecords drill-down view showing the hop-by-hop path for the attack


Figure 5. FlowRecords Browser, showing IP conversations and AS Source/Destination information

Another useful report is the FlowRecords Browser. It shows conversations between end-point IP
addresses and the source and destination AS information for the attack traffic. See Figure 5.
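To make the port-based workflow above concrete, here is an added Python example (not code from the brief or from Packet Design) that replays it offline on constructed NetFlow-style records: a UDP port 1900 Traffic Group, a five-minute history, the spike bucket, the conversations inside it, and the amplification-factor what-if listed under Summary Benefits. The flow records and RFC 5737 addresses are constructed; the response direction (source port 1900 towards the spoofed victim) is an assumption about how the reflected traffic appears in flow data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SSDP_PORT = 1900  # SSDP runs over UDP port 1900
UDP, TCP = 17, 6

# Constructed NetFlow-style records (documentation addresses, not real traffic):
# (start time, src ip, src port, dst ip, dst port, ip proto, bytes)
# 198.51.100.7 plays the victim; 203.0.113.x are reflecting CPE routers answering from port 1900.
SAMPLE_FLOWS = [
    ("2016-06-04 23:30:12", "203.0.113.10", 1900, "198.51.100.7", 40001, UDP, 40_000),
    ("2016-06-04 23:35:40", "198.51.100.7", 40001, "203.0.113.10", 1900, UDP, 1_200),
    ("2016-06-04 23:44:59", "192.0.2.25", 443, "198.51.100.7", 50001, TCP, 80_000_000),
    ("2016-06-04 23:45:03", "203.0.113.10", 1900, "198.51.100.7", 40001, UDP, 9_000_000),
    ("2016-06-04 23:47:30", "203.0.113.11", 1900, "198.51.100.7", 40001, UDP, 7_500_000),
    ("2016-06-04 23:49:10", "203.0.113.12", 1900, "198.51.100.7", 40001, UDP, 3_000_000),
    ("2016-06-04 23:52:01", "203.0.113.10", 1900, "198.51.100.7", 40001, UDP, 30_000),
]

def parse(flows):
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), *rest) for t, *rest in flows]

def ssdp_traffic_group(flows):
    """Port-based Traffic Group: keep UDP flows with port 1900 on either side (drops the TCP flow)."""
    return [f for f in flows if f[5] == UDP and SSDP_PORT in (f[2], f[4])]

def bucket_start(ts, minutes=5):
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)

def history(flows, minutes=5):
    """History graph: bytes per five-minute bucket, keyed by bucket start time."""
    totals = defaultdict(int)
    for f in flows:
        totals[bucket_start(f[0], minutes)] += f[6]
    return dict(totals)

def find_spike(hist):
    """Hovering over the spike: the bucket carrying the most bytes."""
    return max(hist, key=hist.get)

def flow_records(flows, start, minutes=5):
    """FlowRecords drill-down: (src, dst) conversations in the chosen window, largest first."""
    end = start + timedelta(minutes=minutes)
    conv = defaultdict(int)
    for f in flows:
        if start <= f[0] < end:
            conv[(f[1], f[3])] += f[6]
    return sorted(conv.items(), key=lambda kv: -kv[1])

def simulate_factor(observed_bytes, observed_factor, new_factor):
    """What-if: reflected volume if the amplification factor rose from observed_factor to new_factor."""
    return observed_bytes * new_factor / observed_factor
```

Running the traffic group, history and spike functions over the sample flows lands on the 23:45 bucket, and the drill-down lists the three reflector-to-victim conversations that make it up.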

Benefits of using the Explorer products to analyze DDOS attacks
The Packet Design Route Explorer and Traffic Explorer products are widely used in IP networks for
real-time monitoring, troubleshooting and planning. IP networks are dynamic in nature and, therefore,
it is very hard to determine the exact paths and traffic matrices for various traffic types. The Packet
Design products can be invaluable for mitigating the risk from DDOS attacks by enabling network
teams to go back in time for forensic analysis, monitor in real time the path and volumetric size of an
attack, and simulate future events to enhance preparedness.

Summary Benefits
Using Route Explorer and Traffic Explorer before, during, and after DDOS attacks will enable you to:

- Determine the volumetric size of the attack
- Determine when the attack happened
- Determine how long the attack lasted
- See the hop-by-hop path of the attack
- View the Source AS of the attack
- View the Destination AS of the target under attack
- View the IP conversation end-points of the attack
- Simulate the impact to your network of a similar size attack, using another entry point in your
  network
- Simulate the impact when increasing the attack amplification factor
- Simulate other attacks
- Create reports of the above for use by operations, security, and other functional areas


To learn more about Packet Design and the Explorer Suite, please visit
www.packetdesign.com
