ABSTRACT
Distributed Denial of Service (DDoS) attacks cause significant disruption on critical networks within South Africa. Timely detection and mitigation are a key concern for the SANReN Cyber Security Incident Response Team (CSIRT). This paper presents an analysis of the Memcached reflection DDoS attack which occurred in February 2018. The attack was the largest DDoS attack to date. By analysing the attack and the impact it had on the SANReN network, this paper aims to show how network flow data can be used to detect network attacks and to perform post-attack analysis in order to prevent future network attacks. The attack timeline is divided into three main phases: the pre-attack period, the peak attack period and the post-attack residue.
Index Terms
- Using network flow data to analyse distributed reflection denial of service (DRDoS) attacks, as observed on the South African national research and education network (SANReN): a postmortem analysis of the memcached attack on the SANReN