cyber attack analysis

Cyber-Attacks Analysis Part I: DDoS

Kenny Huang, Ph.D. (黃勝雄), Executive Council Member, APNIC; Member, Board of Directors, TWNIC

Upload: codefortomorrow

Post on 23-Aug-2014








Page 2: Cyber Attack Analysis

Environmental Outlook: Compromised Networks Worldwide


NSA reportedly compromised more than 50,000 networks worldwide (NSA, 2013 Nov)

Page 3: Cyber Attack Analysis

Potential Motivation of Cyber Attacks

(Facet, description, references)

• Political Motivation
– Extension of politics in the 21st century
– Cyber-attacks are referred to as the fifth generation warfare
– References: 1. Mirkovic, 2004; 2. Arbor Networks web; 3. Jose Nazario, 2007

• Social Motivation
– Governments are common targets, as people who do not support them utilize cyber-attack tools against government websites
– References: 1. Don Jackson, 2009; 2. Steven Adair, 2008

• Business Motivation
– Cyber-attacked by competing companies
– Steal confidential information
– References: 1., 2008; 2. Eneken Tikk, 2008

• Personal Motivation
– Curiosity
– Get paid
– References: 1. Jeff Carr, 2009

• Risks / Benefits
– It is nearly impossible to find out who is conducting cyber attacks, but there are definitely reasons as to how the attacks would benefit them.

Page 4: Cyber Attack Analysis

Cyber War Case - Afghanistan

• Two-way cyber war measures
– Cyber offensive capability
– Cyber dependence: degree to which a nation relies upon cyber-controlled systems
– Cyber defensive capability

• “We have the most bandwidth running through our society and are more dependent on that bandwidth. We are the most vulnerable.” – former Admiral McConnell.

• Afghanistan 2001
– The US had conducted a cyber war plan, but there were no targets for its cyber warriors, which gave Afghanistan an advantage.
– If Afghanistan had had any offensive cyber capability, the cyber war would have shifted in a different way.

Page 5: Cyber Attack Analysis

Cyber War Case - China

• Offense vs. defense
– The US has the most sophisticated offensive capability, but that cannot make up for its weaknesses in defensive position. Cyber defense trainings are offense-focused.
– China's cyber warriors are tasked with both offense and defense in cyberspace.

• China's advantages in cyber war
– Ownership: the Internet in China is like the intranet of a company. The government is the only service provider.
– Censorship
  • The Great Firewall of China provides security advantages
  • The technology that the Chinese use to screen emails/messages provides the infrastructure to stop malware
  • Software installed on all computers to keep children from gaining access to pornography gives China control over every desktop in the country.
– Critical infra: for the electric power system, the US relies on automated control systems, but China requires a large degree of manual control.


Page 6: Cyber Attack Analysis

Cyber War Strength


US: Cyber Offense 8; Cyber Dependence 2; Cyber Defense 1; Total 11

Russia: Cyber Offense 7; Cyber Dependence 5; Cyber Defense 4; Total 16

China: Cyber Offense 5; Cyber Dependence 4; Cyber Defense 6; Total 15

Iran: Cyber Offense 4; Cyber Dependence 5; Cyber Defense 3; Total 12

North Korea: Cyber Offense 2; Cyber Dependence 9; Cyber Defense 7; Total 18

(Richard Clarke, 2010).

Page 7: Cyber Attack Analysis

Cyber Defense Award US Military Training for Cyber Warfare


YouTube. (2013 Apr 30). Cyber Defense - Military Training for Cyber Warfare

Page 8: Cyber Attack Analysis

DDoS: Recent Cases Highlight



Date/Location: 2014 June 14, Hong Kong

Event: Hong Kong Voting Site Suffers Massive DDoS Attack Before Civil Referendum

Date/Location: 2014 June 19, US

Event: Facebook under massive DDoS attack by China

Page 9: Cyber Attack Analysis

DDoS Cyber-Attack Scenarios


[Figure: two attack scenarios. Direct attack: ssh; ping; ftp; etc. Amplification attack: spoofed source IP; DNS; NTP; etc. (technical compliance protocols). Result at the target: Error 503 Service Unavailable.]

Page 10: Cyber Attack Analysis

False Assumptions

• Attackers use a specific pattern to attack
– No
– Attackers try all means to maximize the outcome
– Uniqueness of pattern is the principle of a cyber attack

• Severe cyber-attacks should be driven by cyber military (cyberwarfare)
– Yes and no.
– Massive traffic can be easily generated at an affordable price.

• Solutions are available against attacks
– Yes and no
– No ready-made solution for any cyber-attack

• Cyber-attacks happen occasionally in the global internet
– It happens all the time. Live with it


Page 11: Cyber Attack Analysis

DDoS vs. Cyber War


[Figure: the cyber war initiated country and the critical info infrastructure of the enemy country, with paths labelled DDoS and Cyber War.]

1. DDoS can only attack the DMZ. The DMZ was built for that purpose.

2. DDoS attacks are compelling. The targets can be easily identified. This gives the enemy the advantage of increasing its defensive capability, or relaxing its cyber dependence.

Page 12: Cyber Attack Analysis

ECO System


• Bot Makers: selling tools or giving them away

• BotNet Builders: system compromise and code distribution. Trade valuable private information.

• BotNet Operators: provide cloud services (non-exclusive ownership)

• BotNet Brokers: matching buyers and sellers

• BotNet Users: running code on the BotNet platform

• Legal Enforcement






Page 13: Cyber Attack Analysis



• 1000 Bots in Australia, 24 Hrs: $100
• 1000 Bots in Vietnam, 24 Hrs: $5
• 1000 Bots in China, 24 Hrs
– Mainland (Tier2 cities): $13
– LiaoNing: $80
– GuangDong: $160
• 1000 Bots in Taiwan, 24 Hrs: $484

Bot Applications
1. Sell private information
2. Advertisement
3. DDoS services

(PC Magazine, 2009 June)

Page 14: Cyber Attack Analysis

Math Exercise

• Infected PCs (Bot)
– Assume 10,000 PCs
– Sending 10,000 DNS queries/PC.sec, total 100M queries/sec
– Generating outbound traffic 640 KBytes/PC.sec
– Total cost: USD 130 (Bot@China) for 24 hrs

• Public DNS resolvers
– Assume 20,000 servers (open resolvers > 60K)
– Message amplification x 50 times => 3,000 bytes (6 packets)/msg
– Receiving 5,000 DNS queries/server.sec
– Generating outbound traffic 15 MBytes/server.sec (30,000 packets/server.sec)
– Total cost: Free (public goods)

• Target Victims
– Receiving inbound traffic 300 GBytes/sec (600M packets/sec)
– Total liability: considerably costly (priceless to actors, vice versa)


Page 15: Cyber Attack Analysis

Solution Zone


[Figure: direct attack (ssh; ping; ftp; etc.) arriving at the Firewall / Defense System. S1: rules/policing.]

Build filtering rules/policing on the fly
1. block sources
2. block protocols/ports

Challenges
1. capacity and performance
2. hard to identify dynamic sources
3. design new algorithm for new patterns instantly

Page 16: Cyber Attack Analysis



[Figure: amplification attack (spoofed source IP; DNS; NTP; etc.; technical compliance protocols) arriving at the Firewall/Defense System.]

Solutions
S1: BIND rate limit
S2: buy transit
S3: rules/policing

Challenges
S1: out of victim’s control
S2: port speed may not be upgradable accordingly
S3: 1. capacity and performance; 2. design new algorithm for new patterns instantly

(DNSSEC: destination validation)
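Added example, not from the slides: a simplified per-source-prefix response rate limiter of the kind S1 refers to, run on the resolver over one second of constructed traffic at the Math Exercise's 5,000 queries/server.sec. It illustrates the idea and is not BIND's implementation; the class name, the limits (5 responses/sec, burst 5, /24 prefixes) and all addresses are assumptions.

```python
import ipaddress
from collections import OrderedDict

RESPONSE_BYTES = 3000  # amplified response size from the Math Exercise slide

class ResponseRateLimiter:
    """Token bucket per source prefix; integer math (micro-tokens, microseconds)."""
    def __init__(self, per_second=5, burst=5, prefix_len=24, max_entries=100_000):
        self.per_second = per_second      # refill rate: micro-tokens per microsecond
        self.cap = burst * 1_000_000
        self.prefix_len = prefix_len
        self.max_entries = max_entries    # bounded table, so state cannot grow unchecked
        self.buckets = OrderedDict()      # prefix -> (micro_tokens, last_seen_us)

    def allow(self, src_ip, now_us):
        net = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        key = int(net.network_address)
        tokens, last = self.buckets.pop(key, (self.cap, now_us))
        tokens = min(self.cap, tokens + (now_us - last) * self.per_second)
        ok = tokens >= 1_000_000
        if ok:
            tokens -= 1_000_000           # one response costs one token
        self.buckets[key] = (tokens, now_us)  # re-insert as most recently used
        if len(self.buckets) > self.max_entries:
            self.buckets.popitem(last=False)  # evict the least recently used prefix
        return ok

def simulate_one_second(limiter):
    """Constructed traffic: 5,000 spoofed queries plus 20 real clients, 2 queries each."""
    victim = "192.0.2.10"                 # spoofed source address (documentation range)
    events = [(i * 200, victim) for i in range(5000)]
    for j in range(20):
        client = f"100.64.{j}.7"          # constructed clients, one per /24
        events += [(j * 10_000, client), (500_000 + j * 10_000, client)]
    answered = {"victim": 0, "clients": 0}
    for now_us, src in sorted(events):
        if limiter.allow(src, now_us):
            answered["victim" if src == victim else "clients"] += 1
    answered["victim_bytes"] = answered["victim"] * RESPONSE_BYTES
    return answered

if __name__ == "__main__":
    print(simulate_one_second(ResponseRateLimiter()))
```

With these assumed limits the resolver sends 27,000 bytes toward the spoofed address in that second instead of the slide's 15 MBytes, while every constructed client query is still answered.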

Page 17: Cyber Attack Analysis

Performance Impact for Increasing Rules


Firewall Performance Impact

Router Performance Impact

(TechGuard, 2012)

Page 18: Cyber Attack Analysis

Strengthen The Defensive System: Unique Algorithm for Unique Pattern

• Analyze attack pattern

• Design defensive algorithm

• Sizing engineering
– max number of sessions/connections
– fit in CPU cache
– risk of saturating a CPU at a given packet rate
– timeout adjustment

• Rapid coding and deployment

• Ongoing monitoring

Knowledge Intensive
