DDoS defences in the terabit era: Pre-deployed filters, future initiatives

By on 6 Dec 2018

Category: Tech matters

Tags: , ,

Blog home

DDoS defenses in the Terabit era: exploitable port filters, the need for increased visibility

This post is the second in a three-part series surveying recent DDoS attack trends, and detection and mitigation techniques.

Exploitable port filters

Many of the attack vectors that are used for DDoS attacks use services that are usually not sent across the Internet. Among those are SSDP, memcached, chargen and others. In addition, protocols like NTP, which are commonly used across the Internet, generate very little traffic and should not be allowed at high volumes.

One approach that has been adopted by the industry is ‘exploitable port filters’. This means that the network operator pre-deploys access lists, which are used to rate-limit (or block) these well-known attack vectors. These access lists are always active, resulting in a dramatic reduction in the impact of these kinds of attacks.

An example of this was published by Job Snijders on the NANOG mailing lists:

ipv4 access-list exploitable-ports
   permit udp any eq ntp any
   permit udp any eq 1900 any
   permit udp any eq 19 any
   permit udp any eq 11211 any
ipv6 access-list exploitable-ports-v6
   permit udp any eq ntp any
   permit udp any eq 1900 any
   permit udp any eq 19 any
   permit udp any eq 11211 any
class-map match-any exploitable-ports
   match access-group ipv4 exploitable-ports
   match access-group ipv6 exploitable-ports-v6
policy-map ntt-external-in    
  class exploitable-ports     
    police rate percent 1      
      conform-action transmit      
      exceed-action drop          
    set precedence 0     
    set mpls experimental topmost 0       
  class class-default     
    set mpls experimental imposition 0     
    set precedence 0    
interface Bundle-Ether19    
  description Customer: the best customer    
  service-policy input ntt-external-in
interface Bundle-Ether20
  service-policy input ntt-external-in

In addition to this, a number of other approaches can be used. More information can be found at Barry Green’s website at: http://www.senki.org.

The need for increased visibility

As the situation is today, any organization can expect to be hit with a devastating DDoS attack at any time. The attack can be a single vector or as is more common, multi-vectored and being a mix of reflected and directed attacks.

In many ways, this can be compared to living in a castle surrounded by ever-lasting fog, with no visibility of who is out there and their goals or intentions.

increased visibility
Figure 1 — Increased visibility can increase operators awareness of attackers’ goals and intentions. Source:  Jens Ottoson/Shutterstock.com

In order to see through the fog, work has started on a number of initiatives, which might help to gain a better understanding of the attackers, the attack tools they use, and when and how those tools are used.

Among those initiatives are:

  • Detecting attacks and attack parameters as they happen in realtime by using botnet infiltration and reflector honeypots. This will provide the defender with the exact details of the attack tools and their parameters in realtime.
  • Scanning for potential DDoS reflectors and correlating their attack activity. This will allow the defenders to block known DDoS reflectors, potentially dramatically reducing the attack volume.
  • Using IoT honeypots to capture information on how attackers scan for and infect vulnerable IoT devices. During the infection process, the attackers will inject the malware into the IoT honeypots, allowing DDoS researchers to inspect and reverse-engineer the attack tools.
  • Using DNS sinkholes to masquerade as Command and Control (C&C) servers, making it possible to gather information on infected devices.

These initiatives are in their early stages but have the potential to gain realtime information on DDoS attacks, providing defenders with detailed information on how to defeat the attacks.

Steinthor Bjarnason is Principal Engineer in Arbor’s Security Engineering & Response Team (ASERT) at Netscout.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *