A Study on Amplification DRDoS Attacks and Defenses

A Study on DRDoS Amplification Attack Techniques and Defense Technologies

  • Choi, Hyunsang (Department of Computer Science and Engineering, Korea University)
  • Park, Hyundo (Department of Computer Science and Engineering, Korea University)
  • Lee, Heejo (Department of Computer Science and Engineering, Korea University)
  • Received : 2015.10.08
  • Accepted : 2015.10.15
  • Published : 2015.10.30

Abstract

DDoS attacks have been used to paralyze popular Internet services. In particular, amplification attacks have grown dramatically in recent years. Defending against amplification attacks is challenging, since the attacks usually generate an extremely huge amount of traffic and the attack traffic comes from legitimate servers, which makes it hard to differentiate from normal traffic. Moreover, some of the protocols used by amplification attacks are widely adopted in IoT devices, so the number of servers susceptible to amplification attacks will continue to increase. This paper analyzes amplification attack mechanisms in detail and proposes defense methodologies for scenarios where attackers, abused servers or victims are in a monitoring network.

DDoS attacks continue to be used as a means of cyber attack to paralyze the service systems and websites of major government agencies and enterprises. Recently, DDoS attacks using amplification techniques have been occurring continuously. Because of the nature of these attacks, the attack traffic originates from many normally operating servers, so it is hard to distinguish from normal traffic, and since they can generate large-scale attack traffic of hundreds of Gbps or more, defending against them is very difficult even when they are detected. Moreover, some of the protocols used in these attacks, such as SSDP and SNMP, are widely used in IoT devices, so the number of servers that could be exploited in attacks is expected to increase greatly in the future. This paper analyzes, protocol by protocol, the attack techniques of amplification-based DDoS attacks, which have recently become a major threat to the Internet. In addition, to respond effectively to these attacks, it divides the situations into cases where the attacker, the servers used in the attack, or the attack target is located in the defending network, and proposes countermeasures that can be taken in each situation.
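The abstract distinguishes three defender positions: the attacker, the abused reflector, or the victim sits inside the monitored network. The following Python is an added illustration, not code from the paper, of what each position lets a flow collector at the network edge check. The monitored prefix, the reflector port table, the thresholds and the NetFlow-style sample records are all constructed assumptions; addresses come from the RFC 5737 documentation ranges.

```python
"""Vantage-point checks for DRDoS amplification traffic over NetFlow-style records.

Added example (not code from the paper): one check per defender position named
in the abstract, run over constructed flow records.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Well-known UDP ports of services commonly abused as reflectors (assumed table).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Assumed prefix of the network we monitor (RFC 5737 documentation range).
LOCAL_PREFIX = "198.51.100.0/24"


@dataclass(frozen=True)
class Flow:
    """One unidirectional UDP flow record: endpoints, ports, packet and byte counts."""
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int


# Constructed sample records, not captured traffic.
SAMPLE_FLOWS = [
    # Normal NTP exchange: a local client asks, the remote server answers.
    Flow("198.51.100.10", 40000, "203.0.113.5", 123, 1, 90),
    Flow("203.0.113.5", 123, "198.51.100.10", 40000, 1, 90),
    # Attacker inside: requests leave our edge carrying a forged source (192.0.2.77).
    Flow("192.0.2.77", 54321, "203.0.113.9", 123, 500, 45000),
    # Abused NTP server inside: small requests in, much larger answers out.
    Flow("192.0.2.77", 54321, "198.51.100.53", 123, 500, 45000),
    Flow("198.51.100.53", 123, "192.0.2.77", 54321, 500, 234000),
    # Victim inside: SSDP replies from several remote reflectors it never queried.
    Flow("203.0.113.21", 1900, "198.51.100.200", 44444, 1000, 300000),
    Flow("203.0.113.22", 1900, "198.51.100.200", 44444, 1000, 300000),
    Flow("203.0.113.23", 1900, "198.51.100.200", 44444, 1000, 300000),
]


def spoofed_egress(flows, local_prefix=LOCAL_PREFIX):
    """Attacker in our network: at a stub network's edge every flow has a local
    endpoint, so a flow with neither end inside the prefix carries a forged
    source address (the condition RFC 2827 ingress/egress filtering blocks)."""
    net = ip_network(local_prefix)
    return [f for f in flows
            if ip_address(f.src) not in net and ip_address(f.dst) not in net]


def abused_reflectors(flows, local_prefix=LOCAL_PREFIX, min_ratio=3.0, min_out=100_000):
    """Reflector in our network: per local service, compare bytes answered with
    bytes asked. Amplification shows as a large out/in byte ratio on a service
    that is also sending a lot in absolute terms. Returns (server, service, ratio)."""
    net = ip_network(local_prefix)
    req = defaultdict(int)  # (server, port) -> request bytes received
    rsp = defaultdict(int)  # (server, port) -> response bytes sent
    for f in flows:
        if f.dport in REFLECTOR_PORTS and ip_address(f.dst) in net:
            req[(f.dst, f.dport)] += f.nbytes
        if f.sport in REFLECTOR_PORTS and ip_address(f.src) in net:
            rsp[(f.src, f.sport)] += f.nbytes
    found = []
    for (server, port), out in rsp.items():
        ratio = out / max(req[(server, port)], 1)
        if out >= min_out and ratio >= min_ratio:
            found.append((server, REFLECTOR_PORTS[port], round(ratio, 1)))
    return found


def unsolicited_floods(flows, local_prefix=LOCAL_PREFIX, min_sources=3, min_bytes=500_000):
    """Victim in our network: responses arrive on a reflector service port from
    many sources and no local request preceded them. Returns
    victim -> (distinct reflectors, bytes) for hosts over both thresholds."""
    net = ip_network(local_prefix)
    # Every (local client, remote server, service port) a local host actually asked.
    requested = {(f.src, f.dst, f.dport) for f in flows if ip_address(f.src) in net}
    sources = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        if f.sport not in REFLECTOR_PORTS or ip_address(f.dst) not in net:
            continue
        if (f.dst, f.src, f.sport) in requested:
            continue  # a local host queried this server; this is a normal reply
        sources[f.dst].add(f.src)
        volume[f.dst] += f.nbytes
    return {v: (len(sources[v]), volume[v]) for v in sources
            if len(sources[v]) >= min_sources and volume[v] >= min_bytes}


if __name__ == "__main__":
    print("spoofed egress   :", spoofed_egress(SAMPLE_FLOWS))
    print("abused reflectors:", abused_reflectors(SAMPLE_FLOWS))
    print("reflected floods :", unsolicited_floods(SAMPLE_FLOWS))
```

The first check needs no traffic baseline at all, which is why the abstract's attacker-in-network case is the cheapest to act on; the other two depend on thresholds that a real deployment would set from the site's own request/response volumes rather than the assumed constants above.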

Cited by

  1. Attack Scenarios and Countermeasures using CoAP in IoT Environment vol.7, pp.4, 2016, https://doi.org/10.15207/JKCS.2016.7.4.033
  2. Construction of IoT Environment for XMPP Protocol Based Medical Devices Using Powershell vol.2, pp.2, 2016, https://doi.org/10.20465/KIOTS.2016.2.2.015
  3. Countermeasures against SSDP Reflector Attacks in Home IoT vol.7, pp.2, 2015, https://doi.org/10.22156/cs4smb.2017.7.2.001
  4. A DRDoS Amplification Attack Response System vol.10, pp.12, 2015, https://doi.org/10.22156/cs4smb.2020.10.12.022