SANS Internet Storm Center (SANS ISC) InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Will 2015 be the year we finally do something about DDoS?

Among the events of the past few days during the holidays was a DDoS attack on Sony's PlayStation Network and on Xbox Live.  The attack was reportedly carried out by a group called Lizard Squad and, by all accounts, does not fit the profile of a highly sophisticated attack.  Such attacks have increased in both intensity and frequency in the past year but, to an extent, are not terribly new.

The question is: why are these low-skill attacks still happening, and what can be done to stop them?  This week I hope to put up a series of posts on some things every organization can do; this one is the first.

Many of these attacks rely on sending requests with a spoofed source IP to an open UDP service (e.g. NTP, DNS) that then answers the spoofed target with a response much larger than the request.  Since some protocols can respond with hundreds of times more data than was sent, someone with a gigabit connection to the internet can direct a large DDoS at a victim, assuming they know enough open services.
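As an added example (not part of the diary), a small Python check that applies the mechanism just described to flow records from your own server: it pairs request bytes arriving at the reflector ports with response bytes leaving them, per peer address, and flags peers that receive far more than they sent, which is what a spoofed victim looks like from the reflector's side. The flow line format, the server address 198.51.100.7 and the sample records are constructed for illustration.

```python
from collections import defaultdict

# UDP ports of the four reflector services the diary names.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Constructed flow records, not captured traffic. One UDP flow per line:
# "src_ip src_port dst_ip dst_port packets bytes". 198.51.100.7 plays our
# server; 203.0.113.9 is the (spoofed) victim address the reflector answers.
SAMPLE_FLOWS = """\
203.0.113.9 40000 198.51.100.7 123 40 3600
198.51.100.7 123 203.0.113.9 40000 4000 1920000
192.0.2.20 55123 198.51.100.7 53 3 210
198.51.100.7 53 192.0.2.20 55123 3 420
203.0.113.9 9999 198.51.100.7 161 50 3000
198.51.100.7 161 203.0.113.9 9999 50 90000
"""

def parse_flows(text):
    """Yield (src, sport, dst, dport, pkts, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6:
            continue
        yield f[0], int(f[1]), f[2], int(f[3]), int(f[4]), int(f[5])

def find_reflection_abuse(flow_text, our_ip, min_ratio=10.0, min_resp_bytes=50_000):
    """Return (service, peer_ip, req_bytes, resp_bytes, ratio) for each peer that
    pulls far more bytes out of our UDP services than it sends in."""
    req = defaultdict(int)   # (service, peer) -> request bytes toward our service
    resp = defaultdict(int)  # (service, peer) -> response bytes from our service
    for src, sport, dst, dport, _pkts, nbytes in parse_flows(flow_text):
        if dst == our_ip and dport in REFLECTOR_PORTS:
            req[(REFLECTOR_PORTS[dport], src)] += nbytes
        elif src == our_ip and sport in REFLECTOR_PORTS:
            resp[(REFLECTOR_PORTS[sport], dst)] += nbytes
    findings = []
    for key, out_bytes in resp.items():
        in_bytes = req.get(key, 0)
        # Responses with no matching requests (sampled export, lost flows) count
        # as unbounded amplification rather than dividing by zero.
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if out_bytes >= min_resp_bytes and ratio >= min_ratio:
            findings.append((key[0], key[1], in_bytes, out_bytes, ratio))
    findings.sort(key=lambda f: f[3], reverse=True)  # biggest sender first
    return findings

if __name__ == "__main__":
    for service, peer, in_b, out_b, ratio in find_reflection_abuse(SAMPLE_FLOWS, "198.51.100.7"):
        print(f"{service}: {out_b} bytes sent to {peer} for {in_b} bytes of requests (x{ratio:.0f})")
```

The DNS peer in the sample gets a 2x response and stays below both thresholds, while the NTP and SNMP rows show the hundreds-to-one and tens-to-one ratios that mark a reflector being abused.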

The first step in dealing with this problem is for organizations to stop running open UDP services without a really, really good reason (which you don't have).  Usually, this involves very minor configuration changes.  If you do need to run open services to the internet (you don't), then use rate-limiting to prevent the service from being abused.

Does your network run any open UDP services?  There are four websites that will help you find such services on your network:

openresolverproject.org
openntpproject.org
openssdpproject.org
opensnmpproject.org

These are the four biggest offenders in reflective DDoS attacks, and eliminating them would go a long way toward taking a bite out of the DDoS threat.  In all cases, there are good reasons to disable the services even if you are not a victim.  First, there is the potential for civil liability from a victim.  Second, there is the possibility of information leakage (e.g. SNMP).

Be sure to check your organization's IP space and, for fun, check your home network and your favorite WiFi hotspot as well.

If we all take some time to clean up our small corners of the net, we can start tamping down on DDoS and get back to our Xbox.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting

John

248 Posts
ISC Handler
When I try the first link, I get the following message:

"Your requested host "openresovlerproject.org" could not be resolved by DNS."
Anonymous
I think this year should be the push for BCP 38.
Anonymous
There is an inversion of 2 letters.

http://openresolverproject.org/
Daniel

7 Posts
BCP 38 is on deck for my diary tomorrow. :)
John

248 Posts
ISC Handler
Consider putting BCP 84 in your diary as well. BCP 38 is kind of tricky for multi-homed BGP-connected networks.
cicero

2 Posts
On January 6 (today), all four links point to the same place: puck.nether.net
jclarkv

1 Posts
