
Prolexic Technologies

Prolexic Distributed Denial of Service Attack Alert

May 14, 2007

P2P DDoS Attacks

In recent weeks, Prolexic Technologies has observed an increase in the number and frequency of peer-to-peer (P2P) based Distributed Denial of Service (DDoS) attacks. These attacks can cause a major local network disruption.

Overview

Peer to peer file sharing network popularity is at an all time high, with hundreds of thousands of computers connected to a single P2P network at a given time. In fact, some reports indicate that peer-to-peer may actually exceed web traffic. The popularity of peer-to-peer networks has now gained the interest of cyber criminals who see these networks as a huge potential for distributing malware and launching DDoS attacks by convincing 100k+ computers to attack on their behalf. Recently, attackers have found a way to pull off this type of attack anonymously, and with ease, flooding victims with far more connections than they can handle.

Description

Using a P2P network to launch a DDoS attack has been a topic of discussion in the technical community for a while now; in fact, some such attacks have occurred, albeit on a small scale. Recently, however, attackers have found a way to exploit a number of bugs in P2P servers to create chaos for many companies. The most aggressive of these P2P-DDoS attacks is termed a dc++ attack, and according to our monitoring it has been spreading over the last few months.

P2P attacks differ from regular botnet attacks. There is no botnet, and the attacker doesn't have to communicate with the clients it subverts. Instead, the attacker acts as a puppet master, instructing the clients of large P2P file sharing hubs to disconnect from their P2P network and connect to the victim's website instead. As a result, 25k computers may aggressively try to connect to a target website.

But 25k computers is only the start of a dc++ attack, and it grows from there. While a typical web server can handle a few hundred connections/sec before performance begins to degrade, most web servers fail almost instantly under five or six thousand connections/sec. If the attackers are feeling spiteful, they will instruct another 25k users of a different hub to attack. At a certain point, not only the web server is at risk, but also routers, firewalls, and even DDoS defenses.

Impact

With a moderately big dc++ attack of 150,000 computers each opening 4 or 5 connections, a site could potentially be hit with up to 750,000 connections in short order. The web server will be plugged up and confused because the incoming connections, while on port 80, are not HTTP at all (they use a P2P-specific protocol). Let's say for the sake of argument that a web server can service 10,000 simultaneous HTTP connections. Under a dc++ attack, a web server will easily receive 50k to 60k non-HTTP connections before it starts rejecting connections, and each of the 10k connections the web server can actually service will be held until a web-server timeout (often 30 seconds) drops the bogus connection.

Solution

Plugging up web servers isn't anything new, but the need to block 150k+ attacking IP addresses is. While dc++ attacks are easy to identify with signatures, the large number of IP addresses that need to be blocked (often over 250k over the course of a big attack) means that this type of attack can overwhelm even functioning intrusion prevention systems (IPS). While many IPS systems work well with small block lists, the rate at which they can block new attacking IP addresses degrades as the block list grows. Even most Linux firewalling (with IPTables, for instance) becomes very slow with relatively small blocklists (say, 20k or so). Even if a mitigation device can keep blocking IP addresses, there are other problems to consider. For instance, there is a brief moment when the connection is opened on the server side before the signature itself arrives. Only once the connection to the server is open can the identifying signature be sent and detected and the connection torn down. Even tearing down connections rapidly takes server resources and can harm the server.
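As an added illustration (not Prolexic's code or any product's), the following Python sketch shows the detection side of what this section describes: classify each new port-80 connection by whether its first bytes form an HTTP request line, tally the sources that send something else, and keep the resulting block set in a hash-based container whose lookup cost does not grow with the size of the list. Every connection record in it is a constructed sample, and the `min_hits` threshold is an assumption, not a figure from the alert.

```python
"""Detection sketch: separate HTTP from non-HTTP connections on port 80,
tally the sources sending non-HTTP traffic, and keep the block set in a
hash-based container so membership checks stay O(1) as the list grows.
All connection records below are constructed samples."""
import re
from collections import Counter
from typing import Iterable

# RFC 2616 request line: METHOD SP Request-URI SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")


def looks_like_http(first_bytes: bytes) -> bool:
    """True when the first bytes a client sent form a plausible HTTP request line."""
    return HTTP_REQUEST_LINE.match(first_bytes) is not None


def non_http_sources(connections: Iterable[tuple[str, bytes]]) -> Counter:
    """Count, per source IP, port-80 connections whose first bytes are not HTTP.
    A client that connected but sent nothing before the server timeout also counts."""
    tally: Counter = Counter()
    for src_ip, first_bytes in connections:
        if not looks_like_http(first_bytes):
            tally[src_ip] += 1
    return tally


def build_block_set(tally: Counter, min_hits: int = 2) -> frozenset:
    """Sources with at least min_hits non-HTTP connections enter the block set.
    min_hits=2 (an assumed threshold) tolerates one stray connection; the alert
    notes subverted clients open 4 or 5 each. frozenset lookups stay O(1)
    no matter how many addresses are listed, unlike a linear rule chain."""
    return frozenset(ip for ip, hits in tally.items() if hits >= min_hits)


def is_blocked(block_set: frozenset, src_ip: str) -> bool:
    """Per-connection check a front-end filter would run before accepting."""
    return src_ip in block_set


# Constructed sample records: (source IP, first bytes received on port 80)
SAMPLE_CONNECTIONS = [
    ("198.51.100.7", b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("198.51.100.7", b"POST /login HTTP/1.0\r\nContent-Length: 0\r\n\r\n"),
    ("203.0.113.5", b""),                    # connected, sent nothing, timed out
    ("203.0.113.5", b""),
    ("203.0.113.9", b"\x00\x01peer-hello"),  # one stray non-HTTP connection
    ("203.0.113.22", b"peer-hello|"),
    ("203.0.113.22", b"peer-hello|"),
    ("203.0.113.22", b"peer-hello|"),
]

if __name__ == "__main__":
    blocked = build_block_set(non_http_sources(SAMPLE_CONNECTIONS))
    print(sorted(blocked))  # ['203.0.113.22', '203.0.113.5']
```

In production the tally would be fed from the accept path of the front-end filter rather than from a static list, and the block set would need an expiry so legitimate clients are not held indefinitely.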

Mitigating P2P attacks with on-site gear, while possible, can be a frustrating, labor-intensive, expensive and, perhaps in the end, futile exercise for all the reasons just described. ISPs and internet security service providers may also be able to stop P2P attacks that exceed the technical or financial resources of a firm.

At Prolexic, we have seen some very large dc++ attacks -- over 300k IP addresses. To block these attacks we recently have invested in new technology and developed our own in-house pattern detection and filtering algorithms optimized for these new aggressive attacks.

Prolexic Technologies Inc.
1930 Harrison St, Suite 403, Hollywood, FL 33020
www.prolexic.com