Brazil vs World: A Comparative Analysis of Reflection DDoS Attacks
Abstract
Distributed reflection denial-of-service (DRDoS) attacks are widespread on the Internet. In a reflection attack the attacker sends requests carrying the victim's spoofed source address to publicly reachable services (typically UDP-based, such as DNS or NTP), which then send their replies, often many times larger than the request, to the victim. These attacks offer several advantages to attackers and are highly effective at making individual hosts, or even entire subnets, unavailable. Detecting, mitigating and preventing DRDoS attacks requires understanding how they work and what their traffic looks like. This paper presents a comparative analysis of DRDoS attacks against victims in Brazil and in the rest of the world. We analyse 190 days of traffic collected with a honeypot, covering more than 204,000 DRDoS attacks. Several characteristics of DRDoS traffic are described and compared, including an in-depth analysis of carpet bombing attacks. We conclude that attacks against Brazilian victims are less intense and less sophisticated than attacks against the rest of the world, which may indicate that the local scenario could worsen as attackers refine their tactics and tools.
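As an added example (not code from the paper or from the authors' honeypot), the following Python script shows how honeypot records of the kind analysed above can be grouped into attacks per victim, summarised per victim country, and screened for carpet bombing, where the reflected traffic is spread over many hosts of one subnet rather than a single host. The log format, the idle-gap and window thresholds, the sample log lines and the prefix-to-country table are all constructed for illustration and are not taken from the paper.

```python
"""Group amplification-honeypot requests into attacks and flag carpet bombing.

Added example, not code from the paper. Assumes a simplified honeypot log in
which each line records one request whose (spoofed) source address is the
DDoS victim:
    <unix_ts> <victim_ip> <protocol>
The attack-grouping rule (same victim, idle gap below a threshold) and the
carpet-bombing rule (many distinct victims in one /24 within a time window)
are assumptions of this example, as is the tiny prefix-to-country table.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log: a DNS reflection attack against one host in
# 203.0.113.0/24 (two bursts), then an NTP burst that spreads across eight
# different hosts of 198.51.100.0/24 within a few seconds.
SAMPLE_LOG = """\
1000 203.0.113.10 dns
1001 203.0.113.10 dns
1002 203.0.113.10 dns
1200 203.0.113.10 dns
1201 203.0.113.10 dns
1300 198.51.100.1 ntp
1300 198.51.100.2 ntp
1301 198.51.100.3 ntp
1301 198.51.100.4 ntp
1302 198.51.100.5 ntp
1302 198.51.100.6 ntp
1303 198.51.100.7 ntp
1303 198.51.100.8 ntp
"""

# Constructed prefix-to-country table (stand-in for a real GeoIP lookup).
PREFIX_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "BR",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}

IDLE_GAP = 60        # seconds without requests that closes an attack on a victim
CB_WINDOW = 10       # seconds in which distinct victims are counted per /24
CB_MIN_VICTIMS = 5   # distinct hosts in one /24 needed to call it carpet bombing


def parse_log(text):
    """Return a list of (ts, victim_ip, proto) tuples sorted by timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, proto = line.split()
        rows.append((int(ts), ipaddress.ip_address(ip), proto))
    return sorted(rows, key=lambda r: r[0])


def country_of(ip):
    """Map a victim address to a country code using the constructed table."""
    for net, cc in PREFIX_COUNTRY.items():
        if ip in net:
            return cc
    return "??"


def group_attacks(rows, idle_gap=IDLE_GAP):
    """Split the per-victim request stream into attacks.

    A new attack starts when the gap since the victim's previous request
    exceeds idle_gap. Each attack is a dict with victim, country, protocol,
    start, end and request count.
    """
    attacks = []
    current = {}  # victim_ip -> currently open attack
    for ts, ip, proto in rows:
        a = current.get(ip)
        if a is None or ts - a["end"] > idle_gap:
            a = {"victim": str(ip), "country": country_of(ip), "proto": proto,
                 "start": ts, "end": ts, "requests": 0}
            attacks.append(a)
            current[ip] = a
        a["end"] = ts
        a["requests"] += 1
    return attacks


def carpet_bombing_prefixes(rows, window=CB_WINDOW, min_victims=CB_MIN_VICTIMS):
    """Return {prefix: max distinct victims} for /24s hit on many hosts within `window`.

    Carpet bombing spreads reflected traffic over a whole subnet, so a
    per-victim request threshold sees only small attacks; counting distinct
    victims per /24 in a sliding window exposes it.
    """
    by_prefix = defaultdict(list)  # /24 -> [(ts, ip)] in timestamp order
    for ts, ip, _ in rows:
        by_prefix[ipaddress.ip_network(f"{ip}/24", strict=False)].append((ts, ip))
    flagged = {}
    for net, hits in by_prefix.items():
        best = 0
        for i, (t0, _) in enumerate(hits):
            seen = {ip for ts, ip in hits[i:] if ts - t0 <= window}
            best = max(best, len(seen))
        if best >= min_victims:
            flagged[str(net)] = best
    return flagged


def per_country_summary(attacks):
    """Count attacks and requests per victim country (Brazil vs the rest)."""
    summary = defaultdict(lambda: {"attacks": 0, "requests": 0})
    for a in attacks:
        summary[a["country"]]["attacks"] += 1
        summary[a["country"]]["requests"] += a["requests"]
    return dict(summary)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    attacks = group_attacks(rows)
    for a in attacks:
        print(a)
    print("carpet bombing:", carpet_bombing_prefixes(rows))
    print("per country:", per_country_summary(attacks))
```

On the sample log, the single-host victim yields two attacks (the 198-second pause exceeds the idle gap), while the eight NTP victims each produce a one-request "attack" that a per-victim view would dismiss as noise; only the per-/24 count flags 198.51.100.0/24 as carpet bombing. The thresholds are illustrative and would need tuning against real honeypot data.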
Published: 2 September 2019
How to cite
HEINRICH, Tiago; OBELHEIRO, Rafael. Brasil vs Mundo: Uma Análise Comparativa de Ataques DDoS por Reflexão. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 19., 2019, São Paulo. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2019. p. 239-252. DOI: https://doi.org/10.5753/sbseg.2019.13975.