Will 2015 be the year we finally do something about DDoS?

Published: 2014-12-29
Last Updated: 2014-12-30 04:33:09 UTC
by John Bambenek (Version: 1)
6 comment(s)

Among the events of the past few days during the holidays was a DDoS attack on Sony's PlayStation Network and on Xbox Live.  The attack was reportedly carried out by a group called Lizard Squad and, by all measures, does not fit the profile of a highly sophisticated attack.  Such attacks have increased in both intensity and frequency in the past year but, to an extent, are not terribly new.

The question is: why are these low-skill attacks still happening, and what can be done to stop them?  This week I hope to put up a series of posts on some things every organization can do; this one is the first.

Many of these attacks rely on spoofing the source IP of requests sent to an open UDP service (e.g. NTP, DNS) so that the service sends its reply, which is much larger than the request, to the spoofed target.  Since some protocols can respond with hundreds of times more data than the request contained, someone with a single gigabit connection to the internet can direct a very large DDoS at a victim, assuming they know enough open services.
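To make the reflection pattern concrete from the defender's side, here is an added example (not part of the original diary) that scans flow records for hosts on your own address space behaving as UDP amplifiers for the four services named in this post: DNS, NTP, SSDP and SNMP.  It assumes a simple whitespace-separated flow format and the TEST-NET-3 range 203.0.113.0/24 as "our" network; the flow lines are constructed sample data, not real traffic.

```python
"""
Flag hosts in our address space that appear to be acting as UDP reflectors.
Added example: the flow format, network range and sample records below are
assumptions constructed for illustration, not data from the diary.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# UDP services commonly abused for reflection (the four named in the diary)
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 161: "SNMP"}

# Assumption: this is the address space we are responsible for (TEST-NET-3)
OUR_NETS = [ip_network("203.0.113.0/24")]

# Constructed sample flows: src sport dst dport proto bytes packets
SAMPLE_FLOWS = """
# spoofed "client" 198.51.100.7 is really the victim; our NTP server answers with ~48x more data
198.51.100.7 40000 203.0.113.10 123 UDP 300 6
203.0.113.10 123 198.51.100.7 40000 UDP 14400 30
# same victim hitting our open DNS resolver with ANY-style queries, ~50x amplification
198.51.100.7 41000 203.0.113.53 53 UDP 240 4
203.0.113.53 53 198.51.100.7 41000 UDP 12000 8
# a normal NTP client: request and reply are the same size
192.0.2.9 50000 203.0.113.10 123 UDP 480 10
203.0.113.10 123 192.0.2.9 50000 UDP 480 10
# a single ordinary DNS lookup: too few requests to judge
192.0.2.5 51000 203.0.113.53 53 UDP 80 1
203.0.113.53 53 192.0.2.5 51000 UDP 120 1
# internal client talking to our resolver: not an external reflection path
203.0.113.40 52000 203.0.113.53 53 UDP 80 1
203.0.113.53 53 203.0.113.40 52000 UDP 120 1
"""


def is_ours(ip: str) -> bool:
    """True if the address falls inside one of our networks."""
    addr = ip_address(ip)
    return any(addr in net for net in OUR_NETS)


def parse_flows(text: str) -> list:
    """Parse the simple flow format into dicts, skipping blank and comment lines."""
    flows = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, nbytes, pkts = line.split()
        flows.append({"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes), "pkts": int(pkts)})
    return flows


def find_reflectors(flows: list, min_ratio: float = 5.0, min_requests: int = 3) -> list:
    """
    Pair inbound requests from external sources with the replies our servers
    send back, per (server, service port, external address).  A high
    bytes-out / bytes-in ratio over several requests is the reflection signature.
    """
    requests = defaultdict(lambda: [0, 0])   # key -> [bytes, packets]
    responses = defaultdict(lambda: [0, 0])
    for f in flows:
        if f["proto"] != "UDP":
            continue
        if f["dport"] in REFLECTOR_PORTS and is_ours(f["dst"]) and not is_ours(f["src"]):
            key = (f["dst"], f["dport"], f["src"])
            requests[key][0] += f["bytes"]
            requests[key][1] += f["pkts"]
        elif f["sport"] in REFLECTOR_PORTS and is_ours(f["src"]) and not is_ours(f["dst"]):
            key = (f["src"], f["sport"], f["dst"])
            responses[key][0] += f["bytes"]
            responses[key][1] += f["pkts"]

    findings = []
    for key, (resp_bytes, _resp_pkts) in responses.items():
        req_bytes, req_pkts = requests.get(key, (0, 0))
        if req_pkts < min_requests or req_bytes == 0:
            continue
        ratio = resp_bytes / req_bytes
        if ratio >= min_ratio:
            server, port, client = key
            findings.append({"server": server, "service": REFLECTOR_PORTS[port],
                             "client": client, "requests": req_pkts,
                             "amplification": round(ratio, 1),
                             "response_bytes": resp_bytes})
    # Largest outbound volume first: that is the host to fix today
    return sorted(findings, key=lambda x: -x["response_bytes"])


if __name__ == "__main__":
    for hit in find_reflectors(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['server']} ({hit['service']}) reflected {hit['response_bytes']} bytes "
              f"to {hit['client']} at {hit['amplification']}x amplification")
```

Run against the sample, the script reports the NTP server and the open resolver and ignores the normal client, the single lookup and the internal traffic.  On a real network you would feed it NetFlow or sFlow exports and treat any hit as confirmation that the service needs to be closed to the internet or rate limited; the thresholds (ratio of 5, three requests) are starting points, not tuned values.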

The first step to deal with this problem is for organizations to stop running open UDP services without a really, really good reason (which you don't have).  Usually, this involves very minor configuration changes.  If you do need to run open services to the internet (you don't), then use rate limiting to prevent the service from being abused.
Does your network run any open UDP services?  There are four websites that will help you find such services on your network.

openresolverproject.org
openntpproject.org
openssdpproject.org
opensnmpproject.org

These are the four biggest offenders in reflective DDoS attacks, and eliminating them would go a long way toward taking a bite out of the DDoS threat.  In all cases, there are good reasons to disable the services even if you are not a victim.  First, there is the potential of civil liability to a victim.  Second, there is the possibility of information leakage (e.g. via SNMP).
Be sure to check your organization's IP space and, for fun, check your home network as well and/or your favorite WiFi hotspot.

If we all take some time to clean up our small corners of the net, we can start tamping down on DDoS and get back to our Xbox.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting
