This post is the second in a three-part series surveying recent DDoS attack trends, and detection and mitigation techniques.
Exploitable port filters
Many of the attack vectors used for DDoS attacks abuse services that should normally never be exposed across the Internet. Among those are SSDP, memcached, chargen and others. In addition, protocols like NTP, which are commonly used across the Internet, legitimately generate very little traffic and should not be allowed at high volumes.
One approach that has been adopted by the industry is ‘exploitable port filters’. This means that the network operator pre-deploys access lists that match these well-known attack vectors (by UDP source port) and uses them to rate-limit or block the matching traffic. These access lists are always active, resulting in a dramatic reduction in the impact of these kinds of attacks.
An example of this was published by Job Snijders on the NANOG mailing lists:
ipv4 access-list exploitable-ports
 permit udp any eq ntp any
 permit udp any eq 1900 any
 permit udp any eq 19 any
 permit udp any eq 11211 any
!
ipv6 access-list exploitable-ports-v6
 permit udp any eq ntp any
 permit udp any eq 1900 any
 permit udp any eq 19 any
 permit udp any eq 11211 any
!
class-map match-any exploitable-ports
 match access-group ipv4 exploitable-ports
 match access-group ipv6 exploitable-ports-v6

policy-map ntt-external-in
 class exploitable-ports
  police rate percent 1
   conform-action transmit
   exceed-action drop
  set precedence 0
  set mpls experimental topmost 0
 class class-default
  set mpls experimental imposition 0
  set precedence 0
!
interface Bundle-Ether19
 description Customer: the best customer
 service-policy input ntt-external-in
!
interface Bundle-Ether20
 service-policy input ntt-external-in
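Before such a policy is deployed, its effect can be dry-run against NetFlow-style records. The following Python script is an added example, not part of the original post or of Job Snijders’ configuration: it mirrors the class-map’s UDP source-port match and approximates ‘police rate percent 1’ as a per-interval byte budget (a real policer is a token bucket with a burst allowance, so this is a conservative estimate), using constructed sample flows.

```python
"""Dry-run an 'exploitable port filter' against flow records (constructed example)."""
from dataclasses import dataclass

# Source ports matched by the access lists above: NTP, SSDP, chargen, memcached.
EXPLOITABLE_UDP_SRC_PORTS = {123, 1900, 19, 11211}


@dataclass
class Flow:
    proto: str      # "udp" or "tcp"
    src_port: int   # source port as seen on the ingress interface
    bytes: int      # bytes observed in the sampling interval


def is_exploitable(flow: Flow) -> bool:
    """Mirror 'permit udp any eq <port> any': UDP arriving from a reflector port."""
    return flow.proto == "udp" and flow.src_port in EXPLOITABLE_UDP_SRC_PORTS


def police(flows, link_bps: int, interval_s: float, percent: float = 1.0) -> dict:
    """Approximate a single-rate policer: matching traffic above `percent` of
    link capacity for the interval is dropped; non-matching traffic is untouched.
    Real hardware policers use a token bucket with burst, so this is a rough model."""
    budget = int(link_bps / 8 * interval_s * percent / 100)  # bytes allowed
    matched = sum(f.bytes for f in flows if is_exploitable(f))
    other = sum(f.bytes for f in flows if not is_exploitable(f))
    transmitted = min(matched, budget)
    return {"budget": budget, "matched": matched,
            "dropped": matched - transmitted, "passed": transmitted + other}


# Constructed sample for a 10 Gbit/s link over a 1 s interval: a memcached
# reflection burst next to legitimate NTP, DNS and HTTPS traffic. Note that the
# small amount of real NTP shares the 1% budget with the attack traffic; that is
# the accepted trade-off of an always-on filter.
SAMPLE = [
    Flow("udp", 11211, 900_000_000),  # memcached reflection (matched)
    Flow("udp", 123, 2_000),          # genuine NTP answers (matched)
    Flow("udp", 53, 50_000_000),      # DNS, not in the filter
    Flow("tcp", 443, 600_000_000),    # HTTPS, not in the filter
]

if __name__ == "__main__":
    print(police(SAMPLE, link_bps=10_000_000_000, interval_s=1.0))
```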
In addition to this, a number of other approaches can be used. More information can be found on Barry Greene’s website at: http://www.senki.org.
The need for increased visibility
As the situation is today, any organization can expect to be hit with a devastating DDoS attack at any time. The attack can use a single vector or, as is more common, multiple vectors, mixing reflected and direct attacks.
In many ways, this can be compared to living in a castle surrounded by ever-lasting fog, with no visibility of who is out there and their goals or intentions.
Figure 1 — Increased visibility can increase operators’ awareness of attackers’ goals and intentions. Source: Jens Ottoson/Shutterstock.com
In order to see through the fog, work has started on a number of initiatives, which might help to gain a better understanding of the attackers, the attack tools they use, and when and how those tools are used.
Among those initiatives are:
- Detecting attacks and attack parameters as they happen, in real time, by using botnet infiltration and reflector honeypots. This provides the defender with the exact details of the attack tools and their parameters as the attack unfolds.
- Scanning for potential DDoS reflectors and correlating their attack activity. This will allow the defenders to block known DDoS reflectors, potentially dramatically reducing the attack volume.
- Using IoT honeypots to capture information on how attackers scan for and infect vulnerable IoT devices. During the infection process, the attackers will inject the malware into the IoT honeypots, allowing DDoS researchers to inspect and reverse-engineer the attack tools.
- Using DNS sinkholes to masquerade as Command and Control (C&C) servers, making it possible to gather information on infected devices.
These initiatives are in their early stages but have the potential to provide real-time information on DDoS attacks, giving defenders the detailed information they need to defeat them.
Steinthor Bjarnason is Principal Engineer in Arbor’s Security Engineering & Response Team (ASERT) at Netscout.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.