20150909_network_security_lecture
1 like203 views
The document discusses DDoS attacks, focusing on a systematic analysis of various attack methods, amplification factors, and the use of booters as service providers for these attacks. It outlines the technicalities of attack generation, measuring service capabilities, and includes specific examples of DDoS services with associated bandwidth and pricing. Additionally, the document emphasizes the importance of understanding traffic and response limitations in mitigating risks associated with DDoS threats.
![How much traffic can be generated using my
home connection and 100 BitTorrent servers?
[theoretically]
https://en.wikipedia.org/wiki/Denial-of-service_attack
http://www.speedtest.net/
20](https://image.slidesharecdn.com/20150909networksecuritycourse-160316140928/85/20150909_network_security_lecture-20-320.jpg)
![4,14 Mbps * [4 ; 54,3]
[16,56 ; 224,80] Mbps
**Special thanks to Jelmer Graat21](https://image.slidesharecdn.com/20150909networksecuritycourse-160316140928/85/20150909_network_security_lecture-21-320.jpg)
![# Booter URL
Offer
[Gbps]
1 boo ?
2 res 5
3 ano 5
4 des 25
5 fla ?
6 dej 10
7 reb Up to 3
8 gri 6
9 qua 1,5
10 oly Up to 3
11 ebo ?
12 vdo ?
13 resp 8
14 oni ?
Price [€]
10,90
1,95
3,12
3,89
3,89
3,89
3,00
3,90
8,00
4,90
free
3,11
3,90
3,90
€58,3533](https://image.slidesharecdn.com/20150909networksecuritycourse-160316140928/85/20150909_network_security_lecture-33-320.jpg)
![# Booter URL
Offer
[Gbps]
1 boo ?
2 res 5
3 ano 5
4 des 25
5 fla ?
6 dej 10
7 reb Up to 3
8 gri 6
9 qua 1,5
10 oly Up to 3
11 ebo ?
12 vdo ?
13 resp 8
14 oni ?
Price [€]
10,90
1,95
3,12
3,89
3,89
3,89
3,00
3,90
8,00
4,90
free
3,11
3,90
3,90
Protocol
*DNS
*DNS
*DNS
*DNS
*Chargen
*DNS
*Chargen
*DNS
*DNS
Request
ddostheinter.net
anonsc.com
anonsc.com
root-server.net
-
packetdevil.com
-
root-server.net
root-server.net
dig @8.8.8.8 -t ANY packetdevil.com
dig @8.8.8.8 -t ANY root-server.net
Santanna, J.J. et al. 2015. Booters - An Analysis of DDoS-as-a-Service Attacks. 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015).
40](https://image.slidesharecdn.com/20150909networksecuritycourse-160316140928/85/20150909_network_security_lecture-40-320.jpg)
![Santanna, J.J. et al. 2015. Booters - An Analysis of DDoS-as-a-Service Attacks. 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015).
# Booter URL
Offer
[Gbps]
1 boo ?
2 res 5
3 ano 5
4 des 25
5 fla ?
6 dej 10
7 reb Up to 3
8 gri 6
9 qua 1,5
10 oly Up to 3
11 ebo ?
12 vdo ?
13 resp 8
14 oni ?
Price [€]
10,90
1,95
3,12
3,89
3,89
3,89
3,00
3,90
8,00
4,90
free
3,11
3,90
3,90
Unique IPs
8281
7369
6075
4486
3779
2970
281
78
54
Protocol
*DNS
*DNS
*DNS
*DNS
*Chargen
*DNS
*Chargen
*DNS
*DNS
43](https://image.slidesharecdn.com/20150909networksecuritycourse-160316140928/85/20150909_network_security_lecture-43-320.jpg)
![# Booter URL
Offer
[Gbps]
1 http://booter.tw ?
2 http://restricted-stresser.info 5
3 http://anonymous-stresser.net 5
4 http://destressbooter.com 25
5 http://flashstresser.net ?
6 http://dejabooter.com 10
7 http://rebel-security.com Up to 3
8 http://grimboot.com 6
9 http://quantumbooter.net 1,5
10 http://olympusstresser.org Up to 3
11 http://ebooter.5gbfree.com ?
12 http://vdoss.net ?
13 http://respawn.ca 8
14 http://onionstresser.com ?
Price [€]
10,90
1,95
3,12
3,89
3,89
3,89
3,00
3,90
8,00
4,90
free
3,11
3,90
3,90
€58,35
Unique IPs
8281
7369
6075
4486
3779
2970
281
78
54
Protocol
*DNS
*DNS
*DNS
*DNS
*Chargen
*DNS
*Chargen
*DNS
*DNS
29x
45](https://image.slidesharecdn.com/20150909networksecuritycourse-160316140928/85/20150909_network_security_lecture-45-320.jpg)
![# Booter URL
Offer
[Gbps]
1 http://booter.tw ?
2 http://restricted-stresser.info 5
3 http://anonymous-stresser.net 5
4 http://destressbooter.com 25
5 http://flashstresser.net ?
6 http://dejabooter.com 10
7 http://rebel-security.com Up to 3
8 http://grimboot.com 6
9 http://quantumbooter.net 1,5
10 http://olympusstresser.org Up to 3
11 http://ebooter.5gbfree.com ?
12 http://vdoss.net ?
13 http://respawn.ca 8
14 http://onionstresser.com ?
Price [€]
10,90
1,95
3,12
3,89
3,89
3,89
3,00
3,90
8,00
4,90
free
3,11
3,90
3,90
€58,35
Unique IPs
8281
7369
6075
4486
3779
2970
281
78
54
Protocol
*DNS
*DNS
*DNS
*DNS
*Chargen
*DNS
*Chargen
*DNS
*DNS
9427x
46](https://image.slidesharecdn.com/20150909networksecuritycourse-160316140928/85/20150909_network_security_lecture-46-320.jpg)
![Looking Inside the
Matrix[if time]
61](https://image.slidesharecdn.com/20150909networksecuritycourse-160316140928/85/20150909_network_security_lecture-61-320.jpg)
![DDoS Attacks
&&
Booters
[Guest Lecture]
Jair Santanna
jairsantanna.com
j.j.santanna@utwente.nl
09/09/201563](https://image.slidesharecdn.com/20150909networksecuritycourse-160316140928/85/20150909_network_security_lecture-63-320.jpg)
20150909_network_security_lecture
- 1. DDoS Attacks into the Matrix Jair Santanna jairsantanna.com j.j.santanna@utwente.nl 09/09/2015
- 3. My Goal… 3
- 4. Requirement… What do you think is a Sniffer? 4
- 5. WIRESHARK 5
- 6. https://www.wireshark.org/download.html *sudo apt-get install tcpdump *sudo port install tcpdump 6
- 8. Steps: 1) Start sniffing 2) Open a website 3) Discover the IP address using a CMD or a terminal (host “website”) 4) Create a filter on Wireshark (ip.addr == “website_IP") Example… 8
- 10. 10
- 11. Distributed Denial of Service DDoS 11
- 12. 12
- 13. 13
- 18. ResponseServer Client J Request Spoofed Reflection and Amplification Client “J" 18
- 19. • Consider that your network can send (upload) spoofed requests at 10Mbps. • Consider Amplification factor AMP = ans/req For 1 Spoofer and 1 misused Server • Attack = 10Mbps *(ans/req) So Attack = 10Mbps*AMPserver For 1 Spoofer and 2 misused Servers • Attack = 5Mbps *AMPserver1+ 5Mbps *AMPserver2 if both servers have the same Amplification Then, Attack = (5Mbps+5Mbps)*AMP So, Attack = 10Mbps*AMP GENERALISING… For 1 Spoofer and N misused Server • Attack = (10Mbps/N)*AMPserver1+ … +(10Mbps/N) *AMPservern if ALL servers have the same Amplification Then, Attack = (10Mbps/N+…10Mbps/N)*AMP So, Attack = (N*10Mbps/N)*AMP = 10Mbps*AMP CONCLUSION: In theory, doesn’t matter the number of Amplifiers (if we consider the same Amplification factor). The bottleneck of this type of attack is the Spoofer capacity. Note that, in practice, the number of packets per second (pps) needs to be considered instead of the link size. Finally, note that Servers (able to amplify requests) have a limit of pps making the need (from attackers) for several server to amplify requests;19 Generic way to calculate how much can be generated: Attack = Spoofer_capacity*AMP
- 20. How much traffic can be generated using my home connection and 100 BitTorrent servers? [theoretically] https://en.wikipedia.org/wiki/Denial-of-service_attack http://www.speedtest.net/ 20
- 21. 4,14 Mbps * [4 ; 54,3] [16,56 ; 224,80] Mbps **Special thanks to Jelmer Graat21
- 22. Hacker Who? 22
- 23. 23
- 24. Anyone! 24
- 25. 25
- 26. 26
- 27. 27
- 28. How to Find Booters? 28
- 29. 29
- 30. 284 Booter domain names 111 online Booters 30
- 31. What is the easy way to measure their service? 31
- 32. 14 Booters Hired, Collected, and Analysed UDP-based 32
- 33. # Booter URL Offer [Gbps] 1 boo ? 2 res 5 3 ano 5 4 des 25 5 fla ? 6 dej 10 7 reb Up to 3 8 gri 6 9 qua 1,5 10 oly Up to 3 11 ebo ? 12 vdo ? 13 resp 8 14 oni ? Price [€] 10,90 1,95 3,12 3,89 3,89 3,89 3,00 3,90 8,00 4,90 free 3,11 3,90 3,90 €58,3533
- 34. 34
- 35. 3 reasons! 35
- 36. res oni 36
- 37. 3 1 oly vdo ebo 1 37
- 38. 38
- 39. Santanna, J.J. et al. 2015. Booters - An Analysis of DDoS-as-a-Service Attacks. 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015).39
- 40. # Booter URL Offer [Gbps] 1 boo ? 2 res 5 3 ano 5 4 des 25 5 fla ? 6 dej 10 7 reb Up to 3 8 gri 6 9 qua 1,5 10 oly Up to 3 11 ebo ? 12 vdo ? 13 resp 8 14 oni ? Price [€] 10,90 1,95 3,12 3,89 3,89 3,89 3,00 3,90 8,00 4,90 free 3,11 3,90 3,90 Protocol *DNS *DNS *DNS *DNS *Chargen *DNS *Chargen *DNS *DNS Request ddostheinter.net anonsc.com anonsc.com root-server.net - packetdevil.com - root-server.net root-server.net dig @8.8.8.8 -t ANY packetdevil.com dig @8.8.8.8 -t ANY root-server.net Santanna, J.J. et al. 2015. Booters - An Analysis of DDoS-as-a-Service Attacks. 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015). 40
- 41. DNS-based attacks root-server.net anonsc.com ddostheinter.net packetdevil.com Santanna, J.J. et al. 2015. Booters - An Analysis of DDoS-as-a-Service Attacks. 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015).41
- 42. CharGen-based attacks Santanna, J.J. et al. 2015. Booters - An Analysis of DDoS-as-a-Service Attacks. 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015).42
- 43. Santanna, J.J. et al. 2015. Booters - An Analysis of DDoS-as-a-Service Attacks. 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015). # Booter URL Offer [Gbps] 1 boo ? 2 res 5 3 ano 5 4 des 25 5 fla ? 6 dej 10 7 reb Up to 3 8 gri 6 9 qua 1,5 10 oly Up to 3 11 ebo ? 12 vdo ? 13 resp 8 14 oni ? Price [€] 10,90 1,95 3,12 3,89 3,89 3,89 3,00 3,90 8,00 4,90 free 3,11 3,90 3,90 Unique IPs 8281 7369 6075 4486 3779 2970 281 78 54 Protocol *DNS *DNS *DNS *DNS *Chargen *DNS *Chargen *DNS *DNS 43
- 44. 8280 http://booter.tw http://restricted-stresser.info 7369 http://anonymous-stresser.net 6075 http://destressbooter.com 4486 http://flashstresser.net 3779 http://dejabooter.com 2970 http://rebel-security.com 281 http://grimboot.com 78 http://quantumbooter.net *54 98% Santanna, J.J. et al. 2015. Booters - An Analysis of DDoS-as-a-Service Attacks. 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015). 44
- 45. # Booter URL Offer [Gbps] 1 http://booter.tw ? 2 http://restricted-stresser.info 5 3 http://anonymous-stresser.net 5 4 http://destressbooter.com 25 5 http://flashstresser.net ? 6 http://dejabooter.com 10 7 http://rebel-security.com Up to 3 8 http://grimboot.com 6 9 http://quantumbooter.net 1,5 10 http://olympusstresser.org Up to 3 11 http://ebooter.5gbfree.com ? 12 http://vdoss.net ? 13 http://respawn.ca 8 14 http://onionstresser.com ? Price [€] 10,90 1,95 3,12 3,89 3,89 3,89 3,00 3,90 8,00 4,90 free 3,11 3,90 3,90 €58,35 Unique IPs 8281 7369 6075 4486 3779 2970 281 78 54 Protocol *DNS *DNS *DNS *DNS *Chargen *DNS *Chargen *DNS *DNS 29x 45
- 46. # Booter URL Offer [Gbps] 1 http://booter.tw ? 2 http://restricted-stresser.info 5 3 http://anonymous-stresser.net 5 4 http://destressbooter.com 25 5 http://flashstresser.net ? 6 http://dejabooter.com 10 7 http://rebel-security.com Up to 3 8 http://grimboot.com 6 9 http://quantumbooter.net 1,5 10 http://olympusstresser.org Up to 3 11 http://ebooter.5gbfree.com ? 12 http://vdoss.net ? 13 http://respawn.ca 8 14 http://onionstresser.com ? Price [€] 10,90 1,95 3,12 3,89 3,89 3,89 3,00 3,90 8,00 4,90 free 3,11 3,90 3,90 €58,35 Unique IPs 8281 7369 6075 4486 3779 2970 281 78 54 Protocol *DNS *DNS *DNS *DNS *Chargen *DNS *Chargen *DNS *DNS 9427x 46
- 47. 47
- 50. 15 Databases 50
- 51. Trust??!!! 51
- 52. Timeline Domain Registration Domaintools DNSDB First attack Passive DNS Santanna, J.J. et al. 2015. Inside Booters: An Analysis on Operational Databases. 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015).52
- 54. User 54
- 55. Cu$tomer 55
- 56. Attacker 56
- 57. User Customer Attacker Santanna, J.J. et al. 2015. Inside Booters: An Analysis on Operational Databases. 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015).57
- 58. Santanna, J.J. et al. 2015. Inside Booters: An Analysis on Operational Databases. 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015).58
- 59. Santanna, J.J. et al. 2015. Inside Booters: An Analysis on Operational Databases. 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015).59
- 60. Santanna, J.J. et al. 2015. Inside Booters: An Analysis on Operational Databases. 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015).60
- 61. Looking Inside the Matrix[if time] 61
- 63. DDoS Attacks && Booters [Guest Lecture] Jair Santanna jairsantanna.com j.j.santanna@utwente.nl 09/09/201563