DDOS

29 October 2013 at 11:06am

Reflected DDoS attacks

James Davis
CSIRT
security
DDOS
DNS
chargen
Following on from our messages and briefing at the start of the year, DDOS attacks are continuing to occur at a greater frequency than they have in previous years. We have been working to assist affected customers when they happen. Many of the attacks make use of unauthenticated UDP based services to reflect and amplify traffic against the chosen target. Open DNS resolvers (53/udp) and increasingly CHARGEN (19/udp) are the two most abused services. It's not unusual to see attacks in the order of 10Gb/s.
Read more
11 June 2013 at 9:12am

Detecting DNS configuration errors

Andrew Cormack
Domain Names
#tnc2013
DDOS
The Domain Name Service (DNS) which translates names to IP addresses (among many other things) is critical for humans using the Internet. Research by Slavko Gajin and Petar Bojovic presented at the TERENA Networking Conference indicates that mis-configurations are more common than we might hope. Getting DNS right often requires different organisations to have matching configurations: if my name server says that part of the name space is delegated to your name server then your name server needs to agree!
Read more
12 February 2013 at 10:04am

Denial of service attacks

James Davis
security
DoS
DDOS
denial of service
infosec
Denial of service (DOS) attacks are comparatively rare amongst the types of security incidents that are reported to Janet. The majority of DOS attacks are unsophisticated and subsequently short-lived, causing only minor issues for us due to our network capacity.
Read more

References

Anonymous
Sunday, February 19, 2012 - 17:58
security
CSIRT
DDOS
denial of service
technical guide
[1] Wikipedia - IP address spoofing: https://en.wikipedia.org/wiki/IP_address_spoofing [2] ZoneAlarm: http://www.zonelabs.com/ [3] Snort - the Lightweight Network Intrusion Detection System: http://www.snort.org/
Read more

Aftermath

Anonymous
Sunday, February 19, 2012 - 17:58
security
CSIRT
DDOS
denial of service
investigating
technical guide
In this particular incident, the initial tip-off led directly to the departmental network containing the compromised hosts. This information is not always so readily available, since IP spoofing can also be used to simulate traffic from machines on many different networks. Such a situation could be handled by repositioning the network monitor on the backbone (at M’ in the diagram, for example), and again examining the source MAC addresses of attack packets (but note that performance is likely to be a concern, with monitors dropping traffic at gigabit speeds).
Read more

What we saw

Anonymous
Sunday, February 19, 2012 - 17:57
security
CSIRT
DDOS
denial of service
investigation
technical guide
We left the monitor in place for two days, until our log fi le began to grow rapidly indicating a new attack in progress. The following entries are typical of what was observed: [**] IDS253 - DDoS shaft synflood outgoing [**] 06/12-14:30:46.599036 8:0:20:1B:22:A9 -> 0:D0:D3:56:D1:30 type:0x800 len:0x3C 98.76.54.111:1008 -> 12.34.56.78:6666 TCP TTL:30 TOS:0x0 ID:59926 DF
Read more

The network monitor

Anonymous
Sunday, February 19, 2012 - 17:57
security
CSIRT
DDOS
denial of service
investigating
technical guide
Our monitor is a Linux system running the Snort lightweight intrusion detection system [3]. Demands on hardware are not very high: we use a redundant Pentium 133-based system with two 10/100Mbit/s network interface cards, 128MB memory and 4GB disk space. This allows us to use one interface to access the console, while the other is dedicated to the RSPAN traffic. It is configured with a minimum number of services running and no user accounts [4].
Read more

Network infrastructure

Anonymous
Sunday, February 19, 2012 - 17:57
security
CSIRT
DDOS
denial of service
investigating
technical guide
The university network is based on a Gigabit Ethernet backbone, linking together departmental Local Area Networks (LANs) which typically deliver switched 10/100Mbit/s to the desktop. The network is shown diagrammatically in Figure 1. Figure 1: Schematic of the university network
Read more

Investigating a Denial of Service attack

Anonymous
Friday, February 17, 2012 - 15:29
DDOS
denial of service
investigation
security
technical guide
GD/NOTE/001 (01/01) This paper has been contributed by a Janet customer site, and records their experiences in investigating a denial-of-service attack committed using hosts at their site. We are very grateful to them for allowing us to publish this information and hope that it will be useful to others.
Read more

Reporting Denial of Service attacks

Anonymous
Monday, February 13, 2012 - 19:49
CSIRT
DDOS
abuse
denial of service
incident response
reporting
security
Typical Denial of Service abuse (DoS) involves a very large number of connections or packets being directed to the target computer, either from a single source IP address or (Distributed Denial of Service, DDoS) from a number of addresses, possibly a large number and probably in several different networks. Sometimes the effect is to stop the data network working or make it so slow as to interfere with its normal use; sometimes the target is a single machine which also may cease to work or run very slowly.
Read more
Subscribe to DDOS