Seeking Feedback on Mitigation of New BGP-driven Attack

2019-05-10 Thread Jared Smith
Hello,

Our research lab at the University of Tennessee (volsec.org) has recently
completed a study on channeling link-flooding attack (transit link DDoS) flows
via BGP poisoning: the Maestro attack. We are seeking feedback on mitigation
(see below). A brief summary from the abstract:

"Executed from a compromised or malicious Autonomous System (AS),
Maestro advertises specific-prefix routes poisoned for selected ASes
to collapse inbound traffic paths onto a single target link. A greedy
heuristic fed by publicly available AS relationship data iteratively
builds the set of ASes to poison. Given a compromised BGP speaker with
advantageous positioning relative to the target link in the Internet
topology, an adversary can expect to enhance flow density by more than 30%.
For a large botnet (e.g., Mirai), the bottom line result is augmenting a
DDoS by more than a million additional infected hosts. Interestingly, the
size of the adversary-controlled AS plays little role in this
amplification effect. Devastating attacks on core links can be executed by
small, resource-limited ASes."

We are seeking feedback from operators on the attack and the proposed
mitigations we have identified. While we have worked with our campus BGP
operators, we are reaching out to the broader community for additional insights.

Other than general notes/comments, we have two specific questions that we would
like to include feedback for in the final paper soon to be submitted:

1) Do you already filter poisoned/path prepend advertisements? This would
mitigate the attack.

2) After seeing this attack, would you consider adding poison filtering or some 
other Day mitigation?

The preprint is available at: tiny.utk.edu/maestro. See Section 7 on defenses.

Please reply with any thoughts. Thank you in advance for comments, insight, and 
general feedback.

Best,
Tyler McDaniel, Jared Smith, and Max Schuchard
UT Computer Security Lab
volsec.org
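An added example of what the "poison filtering" asked about in question 1 could check on the receiving side (this is not code from the post or from the Maestro paper): a Python classifier for AS_PATH strings that separates legitimate contiguous prepending from the non-contiguous ASN recurrence a poisoned path carries, names the ASes such a path would cause to drop the route, and shows the loop-detection rule that poisoning relies on. The ASNs, log wording and thresholds are constructed for illustration, not operator-recommended values.

```python
"""Classify BGP AS_PATH attributes for poisoning and prepending signatures.

Added example, not from the post or the Maestro paper. It assumes AS_PATH is
the plain space-separated ASN list printed by most looking glasses and MRT
dump tools (AS_SET segments in braces are not handled). Thresholds and ASNs
are constructed for illustration.
"""
from itertools import groupby
from typing import Dict, List, Tuple

MAX_PREPEND = 5     # constructed: longest contiguous repeat of one ASN tolerated
MAX_HOPS = 30       # constructed: most distinct hops tolerated


def parse_as_path(path: str) -> List[int]:
    """'64496 64496 64497' -> [64496, 64496, 64497]; the first ASN is the
    nearest neighbour, the last ASN is the origin."""
    return [int(tok) for tok in path.split()]


def runs(path: List[int]) -> List[Tuple[int, int]]:
    """Collapse the path into (asn, run_length) per contiguous run."""
    return [(asn, len(list(grp))) for asn, grp in groupby(path)]


def is_loop_for(path: List[int], local_asn: int) -> bool:
    """Standard BGP loop detection: a speaker rejects a path that already
    contains its own ASN. Poisoning relies on exactly this rule: an ASN
    inserted into the path makes that AS drop the route."""
    return local_asn in path


def repeated_asns(path: List[int]) -> List[int]:
    """ASNs that occur in more than one contiguous run.

    Legitimate prepending repeats an ASN contiguously (A A A B). A poisoned
    path re-inserts an ASN after other hops (A B C A), so non-contiguous
    recurrence is the signature a filter can key on.
    """
    count: Dict[int, int] = {}
    for asn, _ in runs(path):
        count[asn] = count.get(asn, 0) + 1
    return sorted(asn for asn, n in count.items() if n > 1)


def poisoned_asns(path: List[int]) -> List[int]:
    """ASNs sandwiched between two non-contiguous occurrences of the same ASN:
    the ASes whose loop detection would discard this route."""
    out = set()
    for asn in repeated_asns(path):
        first = path.index(asn)
        last = len(path) - 1 - path[::-1].index(asn)
        out.update(a for a in path[first + 1:last] if a != asn)
    return sorted(out)


def max_prepend(path: List[int]) -> int:
    """Length of the longest contiguous run of one ASN."""
    return max((length for _, length in runs(path)), default=0)


def classify_path(path_str: str) -> dict:
    """Accept/reject verdict with the reasons a filter would log."""
    path = parse_as_path(path_str)
    repeated = repeated_asns(path)
    prepend = max_prepend(path)
    hops = len(runs(path))
    reasons = []
    if repeated:
        reasons.append(f"non-contiguous ASN repeat (poisoning pattern): {repeated}")
    if prepend > MAX_PREPEND:
        reasons.append(f"prepend run of {prepend} exceeds {MAX_PREPEND}")
    if hops > MAX_HOPS:
        reasons.append(f"{hops} distinct hops exceeds {MAX_HOPS}")
    return {"path": path, "repeated_asns": repeated,
            "poisoned_asns": poisoned_asns(path), "max_prepend": prepend,
            "hops": hops, "accept": not reasons, "reasons": reasons}


# Constructed sample paths using documentation/private-range ASNs.
SAMPLE_PATHS = [
    "64496 64497 64498",                 # ordinary path
    "64496 64496 64496 64497",           # contiguous prepend, accepted
    "64496 64500 64501 64496",           # origin 64496 poisons 64500 and 64501
    " ".join(["64496"] * 7) + " 64497",  # prepending beyond the threshold
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        verdict = classify_path(p)
        print("ACCEPT" if verdict["accept"] else "REJECT", p, verdict["reasons"])
```

The check is deliberately independent of the local ASN: a transit AS that is not itself poisoned still sees the A B C A pattern in paths it accepts and forwards, which is where a filter would have to sit to blunt the attack described above. Run the module directly to see the verdict for each constructed path.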


Re: syn flood attacks from NL-based netblocks

2019-08-16 Thread Jared Smith
I would think Shodan/Zmap/pick your multi-IP-block-scanning-tool would portray 
similar behavior.

Echoing Matt’s “probably shouldn’t worry” sentiment, this could just be someone 
running an incantation of such tools for research or recreational purposes.

Best,
Jared
On Aug 16, 2019, 18:21 -0400, Matt Harris wrote:
> On Fri, Aug 16, 2019 at 5:05 PM Jim Shankland wrote:
> > > 1. Rate seems too slow to do any actual damage (is anybody really
> > > bothered by a few bad SYN packets per second per service, at this
> > > point?); but
> >
> > Common technique used by port scanners to evade detection as a DoS attack 
> > by fw/ids/etc.
> >
> > > 2. IPs/port combinations with actual open services are being targeted
> > > (I'm seeing ports 22, 443, and 53, just at a glance, to specific IPs
> > > with those services running), implying somebody checked for open
> > > services first;
> >
> > Or they're just checking if certain common ports are open with the 
> > intention of later trying known exploits against those which are reachable 
> > in order to attempt to compromise the hosts. Build the DB of reachable 
> > hosts/ports now, come back with exploits later.
> >
> > > 3. I'm seeing this in at least 2 locations, to addresses in different,
> > > completely unrelated ASes, implying it may be pretty widespread.
> >
> > Sounds like a relatively common pattern though.
> >
> > > Is anybody else seeing the same thing? Any thoughts on what's going on?
> > > Or should I just be ignoring this and getting on with the weekend?
> >
> > I wouldn't worry too much about it unless you have reason to believe some 
> > of the likely-forthcoming exploits may actually work. Of course, if that's 
> > the case, you should fix them anyhow.
> >
> > Have a good weekend!
> >
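The point Jared and Matt make above is that a few SYNs per second spread over many hosts and ports looks like a scanner building an inventory rather than a flood, and that rate-based DoS detection will not see it. An added example, not from the thread: a Python aggregator over constructed iptables-style LOG lines that counts bare SYNs per source across the whole window and separates slow horizontal scans from single-target SYN floods. The log format, the IP addresses and the thresholds are assumptions.

```python
"""Flag slow horizontal SYN scans in firewall logs.

Added example, not from the thread. It assumes iptables-style LOG lines
(constructed below, with documentation addresses) and illustrative
thresholds; a real deployment would tune both against its own traffic.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, Optional

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?"
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) (?P<flags>.*)$"
)


def parse_syn(line: str, year: int = 2019) -> Optional[dict]:
    """Fields of a bare SYN (no ACK) line, or None for any other line.
    syslog timestamps carry no year, so one is supplied (assumed 2019)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    flags = m.group("flags").split()
    if "SYN" not in flags or "ACK" in flags:   # SYN-ACK replies are not attempts
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m.group("src"), "dst": m.group("dst"),
            "dpt": int(m.group("dpt"))}


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per-source SYN count, distinct (dst, port) targets and average rate."""
    per_src: Dict[str, dict] = {}
    for line in lines:
        rec = parse_syn(line)
        if rec is None:
            continue
        s = per_src.setdefault(rec["src"], {"syns": 0, "targets": set(),
                                            "first": rec["ts"], "last": rec["ts"]})
        s["syns"] += 1
        s["targets"].add((rec["dst"], rec["dpt"]))
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    for s in per_src.values():
        span = (s["last"] - s["first"]).total_seconds()
        s["rate"] = s["syns"] / max(span, 1.0)   # SYN/s; 1 s floor for syslog resolution
    return per_src


def classify(stats: dict, min_targets: int = 5, flood_rate: float = 20.0) -> str:
    """Many targets at a low rate is the slow-scan pattern the thread describes;
    a high rate against few targets is a flood. Thresholds are constructed."""
    many = len(stats["targets"]) >= min_targets
    fast = stats["rate"] >= flood_rate
    if many and not fast:
        return "slow-scan"
    if many and fast:
        return "fast-scan"
    if fast:
        return "syn-flood"
    return "low-volume"


def report(lines: Iterable[str]) -> Dict[str, str]:
    return {src: classify(s) for src, s in summarize(lines).items()}


_TPL = ("Aug 16 {t} fw1 kernel: IN=eth0 OUT= SRC={src} DST={dst} "
        "PROTO=TCP SPT={spt} DPT={dpt} {flags}")

# Constructed log: one slow scanner touching six host/port pairs over ~3 minutes,
# one 40-SYN burst at a single service, one ordinary client, a SYN-ACK reply
# and an unrelated syslog line.
SAMPLE_LOG = [
    _TPL.format(t="17:01:02", src="198.51.100.7", dst="203.0.113.10", spt=40211, dpt=22, flags="SYN URGP=0"),
    _TPL.format(t="17:01:40", src="198.51.100.7", dst="203.0.113.10", spt=40212, dpt=443, flags="SYN URGP=0"),
    _TPL.format(t="17:02:15", src="198.51.100.7", dst="203.0.113.11", spt=40213, dpt=53, flags="SYN URGP=0"),
    _TPL.format(t="17:02:58", src="198.51.100.7", dst="203.0.113.12", spt=40214, dpt=22, flags="SYN URGP=0"),
    _TPL.format(t="17:03:33", src="198.51.100.7", dst="203.0.113.12", spt=40215, dpt=443, flags="SYN URGP=0"),
    _TPL.format(t="17:04:15", src="198.51.100.7", dst="203.0.113.13", spt=40216, dpt=53, flags="SYN URGP=0"),
    _TPL.format(t="17:03:00", src="192.0.2.5", dst="203.0.113.10", spt=51000, dpt=443, flags="SYN URGP=0"),
    _TPL.format(t="17:03:00", src="203.0.113.10", dst="192.0.2.5", spt=443, dpt=51000, flags="ACK SYN URGP=0"),
    "Aug 16 17:03:01 fw1 sshd[4242]: Accepted publickey for ops from 192.0.2.5 port 51001",
] + [
    _TPL.format(t=f"17:05:0{i % 2}", src="203.0.113.99", dst="203.0.113.10",
                spt=20000 + i, dpt=443, flags="SYN URGP=0")
    for i in range(40)
]

if __name__ == "__main__":
    for src, verdict in report(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```

The scanner in the sample averages about one SYN every 30 seconds, well under any per-second flood threshold, and is only visible because targets are counted over the whole window rather than per second; widening that window across sites is what makes the pattern Jim reports in two locations show up as one source.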