This repository has been archived by the owner on Jul 23, 2021. It is now read-only.
DDoS Attack Research
Sándor Héman edited this page Aug 10, 2015 · 1 revision
- Flow Monitoring Explained, Hofstede et al., 2014 - Tutorial describing the ins and outs of setting up a flow monitoring pipeline.
- Traffic characteristics of common DoS tools, Bukac, 2014 - An overview of relevant flow properties and how to use them to detect DDoS attacks.
- Volume-based / Flood DDoS attacks
- Amplification Attacks
- Application DDoS attacks
- Protocol vulnerability Exploitation
- Low-rate DoS (LDoS) - doesn't require high numbers of packets
- Zero-Day DDoS Attacks - take advantage of new vulnerabilities
- Malformed packets
- HTTP Flood (39% in 2012)
  - Slow Attacks
    - tool Slowloris - slowly writes perpetually partial HTTP requests
    - Slow Read attacks
  - Encrypted SSL DDoS Attacks (tool THC-SSL-DoS)
- SYN Flood (19% in 2012) - spoofed SYN packets
- UDP Flood (15% in 2012)
  - spoofed UDP messages to random ports, which provoke ICMP replies
  - NTP reflection
  - Snork Attack Flows - from port 7, 19 or 135 to port 135 (Windows NT RPC Service)
  - Echo Request Broadcasts - UDP packet to port 7 (echo) on a broadcast IP
  - UDP Echo-Chargen - UDP flows between port 7/Echo and port 19/Chargen, in either direction
  - fragmented UDP messages
- ICMP Flood (13% in 2012) - spoofed echo requests
  - ICMP Request Broadcasts - Echo Request, Timestamp, Info Request or Address Mask Request to a broadcast IP
  - ICMP Protocol Unreachables - 770/Protocol Unreachable, causes active TCP connections to be dropped
  - ICMP Source Quench Flows - 1024/Source Quench; outdated, could limit the bandwidth of a router or host
  - Smurf Attacks - spoof the victim's source IP and send ICMP echo requests to third parties
- DNS (3% in 2012)
  - DNS Open Resolver Amplification - spoof the target's source IP
  - DNS attacks with large EDNS replies (LDoS)
- SMTP (2% in 2012)
- SIP INVITE Flood (0.5% in 2012)
- BGP (detected by Cisco's TAD)
- Teardrop Attacks - TCP packets with overlapping, over-sized payloads that exploit deficiencies in old TCP stacks to crash them
- Land Attack Flows - flows with the same Src IP & Dst IP, causing the target machine to reply to itself continuously
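Several of the entries above are pure flow-level signatures (Snork, UDP Echo-Chargen, echo and ICMP request broadcasts, the nfdump-encoded ICMP values 770 and 1024, Land flows) that can be checked mechanically against exported flow records. The following is an added example, not code from this wiki or from nfdump/NfSen; the `Flow` field names, the `local_nets` parameter and the sample addresses are assumptions constructed for the example.

```python
# Added example (not from this wiki, nfdump or NfSen): match the flow-level DDoS signatures listed above against flow records. Field names are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ICMP_REQUEST_TYPES = {8, 13, 15, 17}  # Echo, Timestamp, Info, Address Mask requests
ICMP_PROTO_UNREACH = 770    # nfdump reports ICMP as type*256+code: 3*256+2
ICMP_SOURCE_QUENCH = 1024   # 4*256+0

@dataclass
class Flow:
    proto: str      # "TCP", "UDP" or "ICMP"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int   # for ICMP flows this field carries type*256+code

def is_broadcast(ip, local_nets):
    addr = ip_address(ip)   # limited broadcast or a local directed broadcast
    return addr == ip_address("255.255.255.255") or any(
        addr == ip_network(net).broadcast_address for net in local_nets)

def classify(flow, local_nets=()):
    """Return the names of the signatures a single flow record matches."""
    hits = []
    if flow.src_ip == flow.dst_ip:                      # Land attack flow
        hits.append("land")
    if flow.proto == "UDP":
        if flow.src_port in (7, 19, 135) and flow.dst_port == 135:
            hits.append("snork")
        if {flow.src_port, flow.dst_port} == {7, 19}:   # either direction
            hits.append("echo-chargen")
        if flow.dst_port == 7 and is_broadcast(flow.dst_ip, local_nets):
            hits.append("udp-echo-broadcast")
    elif flow.proto == "ICMP":
        if flow.dst_port == ICMP_PROTO_UNREACH:
            hits.append("icmp-protocol-unreachable")
        elif flow.dst_port == ICMP_SOURCE_QUENCH:
            hits.append("icmp-source-quench")
        elif (flow.dst_port // 256 in ICMP_REQUEST_TYPES
              and is_broadcast(flow.dst_ip, local_nets)):
            hits.append("icmp-request-broadcast")
    return hits

# Constructed sample records (documentation addresses, not captured traffic)
SAMPLE = [Flow("UDP", "198.51.100.7", "192.0.2.20", 19, 135),
          Flow("UDP", "192.0.2.5", "192.0.2.6", 19, 7),
          Flow("ICMP", "203.0.113.9", "192.0.2.255", 0, 8 * 256),
          Flow("TCP", "192.0.2.10", "192.0.2.10", 139, 139)]
def scan(flows, local_nets=("192.0.2.0/24",)):
    """Map flow index -> matched signatures, for flows that match anything."""
    return {i: h for i, f in enumerate(flows) if (h := classify(f, local_nets))}
```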
- Metasploit Framework (MSF)
- Low Orbit Ion Cannon (LOIC)
  - many connections in a short time on UDP port 80 from many IPs
  - TCP with ACK & packets of size 1448
  - specific malformed GET requests
  - un-spoofed source IPs
- High Orbit Ion Cannon (HOIC)
- Net Flood: ICMP (reply/request/any), UDP, TCP
- manual ACLs
- anomalous bandwidth usage
- anomalous CPU utilization
- anomalous traffic types
- Intrusion Detection System (IDS) devices
- Intrusion Prevention System (IPS) devices
- Unicast Reverse Path Forwarding (uRPF) - drops traffic with invalid source addresses
- Reputation-Based Blocking
  - WatchGuard Reputation Authority
  - WebSEO Analytics
  - Imperva ThreatRadar
- unmatched ACKs (TCP reflection attacks)
- Snort rules
- Apache's mod_evasive - request thresholds
- HTTP server 503 errors or slow responses
- D-WARD (source-based detection, considered unfeasible)
- statistical methods, for example maintaining the latest rates and exponential moving averages (baselines) of bytes and packets
- soft computing methods (neural networks, radial basis functions, genetic algorithms)
- Remotely Triggered Black Hole (RTBH) filtering
- resetting invalid TCP connections
- tightening connection limits and timeouts
- blocking C&C traffic to compromised internal hosts
- redirecting traffic (via upstream BGP) to a scrubbing center
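The statistical approach listed above (latest rates plus exponential moving averages of bytes and packets as baselines) can be implemented on top of the per-timeslot counts an NfSen plugin receives for each 5-minute slot. The following is an added example, not code from this wiki, NfSen or any vendor; the smoothing weight, the bps/pps thresholds and floors, the minimum attack duration and the sample slot counts are assumptions.

```python
# Added example (not from this wiki or NfSen): statistical baseline detection
# over per-timeslot byte and packet counts, as an NfSen plugin's run() hook
# would see them. Thresholds, smoothing weight and sample data are assumptions.
from dataclasses import dataclass

@dataclass
class Baseline:
    alpha: float = 0.2        # EMA weight given to the newest normal slot
    factor: float = 4.0       # alert when the rate exceeds factor * baseline
    floor_bps: float = 50e6   # absolute floors: ignore spikes on quiet links
    floor_pps: float = 50e3
    min_slots: int = 2        # consecutive anomalous slots before alerting
    ema_bps: float = None     # baselines, seeded from the first slot
    ema_pps: float = None
    streak: int = 0

    def update(self, nbytes, npackets, slot_seconds=300):
        """Feed one timeslot; return True when an alert should be raised."""
        bps, pps = nbytes * 8 / slot_seconds, npackets / slot_seconds
        if self.ema_bps is None:
            self.ema_bps, self.ema_pps = bps, pps
            return False
        anomalous = ((bps > self.floor_bps and bps > self.factor * self.ema_bps)
                     or (pps > self.floor_pps and pps > self.factor * self.ema_pps))
        if anomalous:
            self.streak += 1   # anomalous slots do not feed the baseline
        else:
            self.streak = 0
            self.ema_bps += self.alpha * (bps - self.ema_bps)
            self.ema_pps += self.alpha * (pps - self.ema_pps)
        return self.streak >= self.min_slots

def detect(slots, **params):
    """Return the indices of the (bytes, packets) timeslots that raise an alert."""
    baseline = Baseline(**params)
    return [i for i, (b, p) in enumerate(slots) if baseline.update(b, p)]

# Constructed 5-minute slots: ~30 Mbit/s and 3 kpps of normal traffic, then
# three slots of a ~200 Mbit/s, 200 kpps flood of small packets, then recovery.
NORMAL, FLOOD = (1.125e9, 9e5), (7.5e9, 6e7)
SAMPLE_SLOTS = [NORMAL] * 5 + [FLOOD] * 3 + [NORMAL] * 2
```

The flood is reported from its second slot on, and because anomalous slots are excluded from the averages the baseline still reads 30 Mbit/s after the attack, so recovery is recognised immediately.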
- Cisco DDoS Guide
- LOIC (Low Orbit Ion Cannon) DDoS/DoS Analysis
- Cisco's Cyber Threat Defense Design Guide (Lancope StealthWatch configuration)
  - attack types
- Detecting Distributed Denial of Service Attacks: Methods, Tools and Future Directions, 2013 paper
- DDoS Detection and Alerting, 2013 master's thesis from UvA using NfSen
- The Network Data Handling War: MySQL vs. NfDump
- NetFlow cookbook
- Prolexic Technologies: DoS and DDoS Protection
- AT&T Internet Protect: Distributed Denial of Service Defense
- Verizon: DoS Defense Services
- Arbor Networks: Pravail Availability Protection System (APS)
- Arbor Peakflow SP, [User Guide](http://www.techtronicssolution.com/blog/?p=1086)
  - uses per-network attack duration with bps & pps thresholds
  - or auto-rate calculation with floors, percentiles and scaling parameters
  - or complex fingerprints, both FCAP and Arbor's Active Threat Feed (ATF)
- Cisco Cyber Threat Defense Solution
- ManageEngine NetFlow Analyzer
- Cisco Traffic Anomaly Detector (TAD)
- OpenDaylight Defense4All (FOSS)
- A list of tools, mostly commercial
- Free tools, many of them obsolete: http://www.networkuptime.com/tools/netflow/
- SiLK - comprehensive analysis of flow data
- NFQL http://nfql.vaibhavbajpai.com
- flowd flow collector https://code.google.com/p/flowd/
- ntop: GPL and commercial NetFlow collectors and appliances, http://www.ntop.org
- NetFlow record generators
  - fprobe http://fprobe.sourceforge.net
  - softflowd
  - pfflowd
See the NfSen plugin guide at http://nfsen.sourceforge.net/PluginGuide/plugin-guide.html.
List of plugins:
- http://sourceforge.net/projects/nfsight/ (2014)
- http://sourceforge.net/projects/surfmap/ (2014, can run standalone)
- https://github.com/SSHCure/SSHCure (2014)
- http://sourceforge.net/projects/hoststats/ (2014)
- http://sourceforge.net/projects/flowdoh/ (2013)
- http://www.muni.cz/ics/services/csirt/tools/rdpmonitor (2013)
- http://www.muni.cz/ics/services/csirt/tools/sshmonitor (2013)
- http://www.muni.cz/ics/services/csirt/tools/honeyscan (2012)
- http://www.ccieflyer.com/2010-01-JasonRowley.php (2010, DDoS Detector)
- http://sourceforge.net/projects/nfsen-plugins/files/ (2008) events, events-mail, botnet
Backend Perl API Summary
- init
- run: profile / profilegroup / timeslot
- NfProfile API: ProfilePath / ReadProfile
- NfConf API: Pluginconf
- reads nfdump files itself
- condition: alert / alert file (flows) / timeslot
- alert: alert / timeslot
- Nfcomm API
Frontend PHP API Summary
- ParseInput($id)
- Run($id)
- SetMessage, $_SESSION, ParseForm
- nfsenutil API (backend channel)