Hell of a Handshake –
Abusing TCP for Amplification DDoS
Marc Kührer1
Thomas Hupperich1
Christian Rossow2
Thorsten Holz1
1 Ruhr-University Bochum, 2 Saarland University
USENIX WOOT, August 2014
Amplification DDoS Attacks
Hell of a Handshake: Abusing TCP for Amplification DDoS Attacks
(Diagram: Attacker → Amplifiers → Victim)
TCP and Reflection
TCP 3-Way Handshake
• Reflection
• No amplification
(Diagram: C sends SYN, S answers with one SYN/ACK, C sends ACK)
TCP and Reflection
SYN/ACK Amplifiers
• Keep repeating SYN/ACK until an ACK arrives
• Default behaviour, e.g., in *nix
• Intended as protection against packet loss
(Diagram: S retransmits SYN/ACK to C until it receives an ACK)
TCP and Reflection
PSH Amplifiers
• Send data before the handshake finishes
• e.g., FTP server banner info
(Diagram: S sends SYN/ACK and then PSH data segments to C before C's ACK)
TCP and Reflection
TCP Closed Port
• Reflection
• No amplification
(Diagram: C sends SYN, S answers with a single RST)
TCP and Reflection
RST Amplification
• Hosts persist in sending RST segments
• No rationale?
(Diagram: S keeps sending RST segments to C)
Methodology
• Scan: IPv4 address range, TCP SYN packets
• Filter: amplification >20, prevalent protocols
• Stats: amplifier classification, evaluate countermeasures
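The scan-and-filter step, as an added example that is not the paper's own scanner: it takes the packets one spoofed SYN drew from each host, classifies the host by the rules on the preceding slides (a single SYN/ACK or RST is plain reflection; repeated SYN/ACKs, PSH data before the handshake completes, and repeated RSTs amplify) and keeps only hosts above the 20× threshold. The probe size of 40 bytes, the `Response` record and the five sample responders are assumptions constructed for the example.

```python
"""Classify what each host sent back to a single spoofed SYN.

Added example, not the paper's scanner. The records below are constructed:
each is one packet that arrived at the spoofed source address after one
40-byte SYN (assumption: IPv4 + TCP header without options).
"""
from collections import defaultdict
from dataclasses import dataclass

SYN_PROBE_BYTES = 40           # size of the probe we sent (assumption)
AMPLIFICATION_THRESHOLD = 20   # "Amplification >20" filter from the methodology slide


@dataclass(frozen=True)
class Response:
    src: str       # responding host
    t: float       # seconds after the probe was sent
    flags: str     # TCP flag letters: S=SYN, A=ACK, P=PSH, R=RST
    length: int    # IP datagram length in bytes


def classify(responses):
    """Map responder -> (kind, packets per probe, bytes per probe byte)."""
    by_src = defaultdict(list)
    for r in responses:
        by_src[r.src].append(r)
    result = {}
    for src, pkts in by_src.items():
        n = len(pkts)
        byte_factor = sum(p.length for p in pkts) / SYN_PROBE_BYTES
        flagsets = {p.flags for p in pkts}
        if any("P" in f for f in flagsets):
            kind = "psh"                                    # payload before the handshake finished
        elif flagsets == {"SA"}:
            kind = "syn_ack" if n > 1 else "reflector"      # retransmitted SYN/ACKs amplify
        elif all("R" in f for f in flagsets):
            kind = "rst" if n > 1 else "reflector_closed"   # closed port: one RST is mere reflection
        else:
            kind = "other"
        result[src] = (kind, n, byte_factor)
    return result


def amplifiers(responses, threshold=AMPLIFICATION_THRESHOLD):
    """Keep only responders whose packet or byte factor exceeds the threshold."""
    return {src: v for src, v in classify(responses).items()
            if v[1] > threshold or v[2] > threshold}


def packets_per_window(responses, src, window):
    """Response packets per `window` seconds for one host (the 'attack frequency' view)."""
    counts = defaultdict(int)
    for r in responses:
        if r.src == src:
            counts[int(r.t // window)] += 1
    return dict(sorted(counts.items()))


# Constructed sample: five responders to the same spoofed SYN.
SAMPLE = [Response("198.51.100.10", 0.02, "SA", 44)]                                  # one SYN/ACK, then silence
SAMPLE += [Response("198.51.100.20", 0.02 + 1.5 * i, "SA", 44) for i in range(25)]    # SYN/ACK retransmitted 25 times
SAMPLE += [Response("198.51.100.30", 0.03, "SA", 44)]
SAMPLE += [Response("198.51.100.30", 0.05 + 2.0 * i, "PA", 120) for i in range(10)]   # banner data, retransmitted
SAMPLE += [Response("198.51.100.40", 0.01, "R", 40)]                                  # closed port, single RST
SAMPLE += [Response("198.51.100.50", 0.01 + 0.5 * i, "R", 40) for i in range(30)]     # RST storm

if __name__ == "__main__":
    for src, (kind, pf, bf) in sorted(amplifiers(SAMPLE).items()):
        print(f"{src:15} {kind:10} packets x{pf:<4} bytes x{bf:.1f}")
```

Both factors are computed because a PSH amplifier may send few packets but many bytes, while a RST storm sends many small packets; the threshold applies to either.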
Amplification Statistics
Attack Frequency
(Chart: response packets per X seconds)
Amplifier Classification
• Device type: networking equipment, misc. embedded, unknown
• OS: Linux, ZyNOS, unknown
(Charts: share of amplifiers by device type and by OS)
Active Defense
• SYN/ACK storms: send RST segments. Stops about 99.9% of the SYN/ACK streams
• RST storms: send ICMP port unreachable messages. Stops about 80% of the RST streams
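The two replies above, built as raw IPv4 packets in an added example (not the paper's code). It assumes the RST must carry the SYN/ACK's acknowledgement number as its own sequence number, since the amplifier sits in SYN-RECEIVED and accepts only a RST in its receive window (RFC 793), and that the ICMP port unreachable (type 3, code 3) quotes the IP header plus the first 8 bytes of the offending RST (RFC 792). The addresses and ports are made up; actually sending the packets needs a raw socket (CAP_NET_RAW), which is left out.

```python
"""Active-defense replies from the slides, built as raw IPv4 bytes.

Added example, not code from the paper. A victim hit by a SYN/ACK storm
answers each SYN/ACK with a RST; a victim hit by a RST storm answers with
ICMP port unreachable. Only packet construction is shown (sending needs a
raw socket); the sample addresses are constructed.
"""
import socket
import struct

TCP, ICMP = 6, 1
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(src, sport, dst, dport, seq, ack, flags, window=0) -> bytes:
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def parse_ipv4_tcp(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != TCP:
        raise ValueError("not a TCP datagram")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F}


def rst_for_synack(synack: bytes) -> bytes:
    """RST that tears down the half-open connection behind a SYN/ACK.

    The amplifier is in SYN-RECEIVED expecting our next sequence number to be
    the ACK it sent, so the RST is only accepted if SEQ == that ACK (RFC 793).
    """
    f = parse_ipv4_tcp(synack)
    if f["flags"] & (SYN | ACK) != (SYN | ACK):
        raise ValueError("not a SYN/ACK")
    seg = tcp_segment(f["dst"], f["dport"], f["src"], f["sport"], seq=f["ack"], ack=0, flags=RST)
    return ipv4_header(f["dst"], f["src"], TCP, len(seg)) + seg


def icmp_port_unreachable(offending: bytes) -> bytes:
    """ICMP type 3 / code 3 quoting the IP header plus 8 bytes of the RST (RFC 792)."""
    ihl = (offending[0] & 0x0F) * 4
    src = socket.inet_ntoa(offending[12:16])
    dst = socket.inet_ntoa(offending[16:20])
    body = struct.pack("!BBHI", 3, 3, 0, 0) + offending[:ihl + 8]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(dst, src, ICMP, len(body)) + body


def checksums_ok(pkt: bytes) -> bool:
    """True if the IPv4 header and the TCP or ICMP body both verify to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        return False
    body = pkt[ihl:]
    if pkt[9] == TCP:
        pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, TCP, len(body))
        return checksum(pseudo + body) == 0
    return checksum(body) == 0


# Constructed inputs: an amplifier at 198.51.100.20:80 answering a spoofed
# SYN that claimed to come from the victim 203.0.113.5:40000.
VICTIM, AMP = "203.0.113.5", "198.51.100.20"
SAMPLE_SYNACK = ipv4_header(AMP, VICTIM, TCP, 20) + tcp_segment(AMP, 80, VICTIM, 40000, 1000, 5001, SYN | ACK, 65535)
SAMPLE_RST = ipv4_header(AMP, VICTIM, TCP, 20) + tcp_segment(AMP, 80, VICTIM, 40000, 5001, 0, RST)

if __name__ == "__main__":
    print(rst_for_synack(SAMPLE_SYNACK).hex())
    print(icmp_port_unreachable(SAMPLE_RST).hex())
```

The RST is what a normal stack already sends for an unsolicited SYN/ACK; the point of sending it deliberately is that a victim under attack may be rate-limiting or firewalling its own RSTs, which keeps the amplifier's half-open connection, and its retransmissions, alive.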
Conclusion
• TCP also suffers from amplification vulnerabilities: RST, PSH and SYN/ACK storms
• We notified vendors, but fixes will take time
• Use active countermeasures to mitigate attacks