Non-standard protocols as a vector for DDoS attacks

Prof. Jon Crowcroft (Cambridge University)

Dr. Ian Brown (University College London)

Robert Rybnikar / Flickr

Webinar

Transcript of Non-standard protocols as a vector for DDoS attacks

Page 1: Non-standard protocols as a vector for DDoS attacks

Non-standard protocols as a vector for DDoS attacks

Prof. Jon Crowcroft (Cambridge University)

Dr. Ian Brown (University College London)

Robert Rybnikar / Flickr

Page 2: Non-standard protocols as a vector for DDoS attacks

Monitoring data flows

• Data flows using standardised protocols can be analysed and understood using basic flow analysis software and Intrusion Detection Systems.

• Network managers who suspect DoS traffic is originating from their network must be able to check flows and, if necessary, shut them down (and clean up the originating host).

Page 3: Non-standard protocols as a vector for DDoS attacks

Obfuscated protocols

• Skype is an example of software that uses non-standardised protocols which are in fact heavily obfuscated (as is the software itself) in an attempt to resist this type of analysis.

• Also a mechanism to traverse NATs, firewalls

• http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf gives extensive detail

Page 4: Non-standard protocols as a vector for DDoS attacks

Camouflaged Skype traffic

• Uses HTTP(S) ports for TCP, random ports for UDP

• Uses the RC4 stream cipher purely for obfuscation

• Data further fragmented and custom-compressed

• Difficult even to block sessions:

– iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP

– Block incoming payloads starting with 0x1703010000
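As an added illustration (not code from the slides), the following Python re-implements the two block rules on this slide as a plain packet classifier that could be run over a capture: the u32 byte tests assume iptables' documented semantics (big-endian 32-bit words at offsets counted from byte 0 of the IPv4 header), and every packet in it is constructed test data.

```python
import struct
import ipaddress
from typing import Optional

# Constants come from the iptables rule and the prefix on the slide above;
# every packet built below is constructed test data, not captured Skype traffic.
SKYPE_PROBE_TOTAL_LEN = 39                          # -m length --length 39
TLS_LOOKALIKE_PREFIX = bytes.fromhex("1703010000")  # "payloads starting 0x1703010000"


def u32_at(packet: bytes, offset: int) -> Optional[int]:
    """Big-endian 32-bit word at `offset`, counted from byte 0 of the IPv4
    header (iptables u32 semantics, assumed). None if it runs past the end."""
    if offset < 0 or offset + 4 > len(packet):
        return None
    return struct.unpack("!I", packet[offset:offset + 4])[0]


def matches_skype_udp_probe(packet: bytes) -> bool:
    """Evaluates '-p udp -m length --length 39 -m u32 --u32 27&0x8f=7
    --u32 31=0x527c4833' against one raw IPv4 packet (IP hdr + UDP hdr + data)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 17 or total_len != SKYPE_PROBE_TOTAL_LEN or len(packet) != total_len:
        return False
    w27, w31 = u32_at(packet, 27), u32_at(packet, 31)
    if w27 is None or w31 is None:
        return False
    # Offsets 27..30 end on UDP payload byte 2; offsets 31..34 are payload bytes 3..6.
    return (w27 & 0x8F) == 7 and w31 == 0x527C4833


def starts_with_tls_lookalike(payload: bytes) -> bool:
    """Second block rule on the slide: payload begins with 0x1703010000."""
    return payload.startswith(TLS_LOOKALIKE_PREFIX)


def build_udp_packet(payload: bytes, src="10.0.0.5", dst="192.0.2.10",
                     sport=40000, dport=33033) -> bytes:
    """Constructed helper: minimal IPv4+UDP frame, checksums left at zero."""
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + udp + payload


if __name__ == "__main__":
    probe = build_udp_packet(bytes.fromhex("010207527c4833aabbccdd"))   # 11-byte payload
    benign = build_udp_packet(bytes.fromhex("010207537c4833aabbccdd"))  # one byte differs
    print(matches_skype_udp_probe(probe), matches_skype_udp_probe(benign))  # prints True False
```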

Page 5: Non-standard protocols as a vector for DDoS attacks

Skype supernodes

• Skype clients with public IP addresses, no firewall and good CPU can become supernodes

• Typically tunnelling 4-8 TCP connections and at least 1 UDP flow

– http://www1.cs.columbia.edu/~salman/skype/index.html

• How do security admins know what this traffic is doing?

Page 6: Non-standard protocols as a vector for DDoS attacks

Camouflaged DDoS zombies

• Zombies could disguise flood traffic as UDP media data, acting collectively to overwhelm specific hosts and networks

• Bot controllers can disguise control channel traffic as TCP flows, avoiding firewalls and traversing NATs using a Skype-like supernode system

Page 7: Non-standard protocols as a vector for DDoS attacks

Conclusion

• Enterprises would in most situations be better off using applications whose protocols they can understand and control

• Obfuscated protocols can be used as a covert channel and a vector for DoS attacks