Examining DDoS Attack Preparations: Reconnaissance Techniques
Study reveals how attackers estimate network function capacities before launching DDoS attacks.
Attackers often gather information about their targets before launching Distributed Denial of Service (DDoS) attacks. This gathering of information is known as reconnaissance. One important part of this process is figuring out how much capacity the target's network functions (such as firewalls and network address translators) have. By knowing the capacity, attackers can plan their attacks to cause the most damage.
To prevent these reconnaissance attacks, it is crucial to understand how they work and how feasible they are. However, the details of how attackers can learn the capacities of network functions without being detected are not well understood. This study investigates these reconnaissance techniques, focusing on how attackers can estimate the processing capacity of network functions while remaining unnoticed.
The Problem
The first step in this study is to define the problem of network function capacity reconnaissance. We want to find out if an attacker can learn the processing capacity of a network function remotely and without getting caught. This is done without sending too much data, which could alert the target.
Current methods for determining network capacity are not very effective in this context. Traditional approaches usually involve sending large amounts of data to see how fast the target can respond. However, this can easily be detected and may cause the target to increase its defenses.
Several factors make this form of reconnaissance difficult. The attacker must consider how many packets (units of data) they send since sending too many increases the chance of detection. Additionally, the way network functions operate may vary based on their settings and load, which can complicate the estimation process.
Key Insights
To achieve the goal of accurately estimating capacity, we developed a tool called NFTY. This tool is designed to send a limited number of packets in a way that minimizes the risk of detection while still gathering useful information.
In our approach, we evaluate two practical NFTY configurations, each of which sends packets in a different way to learn about network functions. Each configuration has its own strengths and weaknesses when it comes to balancing stealthiness and accuracy. Using these configurations, an attacker can glean valuable data from a target without drawing much attention.
How NFTY Works
The NFTY tool performs capacity reconnaissance by sending packets in bursts. The idea is to send a few packets quickly to "stress" the network function just enough to reveal its capacity. By measuring the time it takes for packets to be processed, NFTY can estimate how much capacity the network function has.
For example, if an attacker sends a burst of packets through a target and measures the spacing between the packets that come back, they can infer how many packets the network function can handle per unit of time. This method relies on measuring the spacing of received packets to gauge processing speed, rather than overwhelming the network function with traffic.
Controlled Experiments
In controlled settings, NFTY demonstrated a high level of accuracy. By testing various configurations in a lab environment, we showed that NFTY could successfully estimate the processing capacity of network functions with minimal error.
We compared NFTY to existing link-bandwidth estimation techniques, which do not provide the same level of accuracy in this setting. The results indicated that with NFTY, attackers could gain insights into network function capacities while remaining below the detection threshold.
Real-World Testing
In addition to lab tests, we also evaluated NFTY under real-world Internet conditions. Measurements were conducted in different settings, including commercial network functions deployed in cloud services. Despite the additional noise and challenges present in these environments, NFTY consistently provided accurate capacity estimates.
One notable test involved tracking the performance of network functions such as firewalls. The results showed that NFTY could yield processing capacity estimates within a small error margin, even in the noisy and unpredictable setting of the Internet.
Countermeasures
While understanding these reconnaissance techniques is essential for improving defenses, it is equally important to explore countermeasures to deter attackers. We identified several strategies that could be employed to reduce the effectiveness of capacity reconnaissance attempts.
Random Delays: Adding random delays to outgoing packets can confuse attackers and distort the measurements they rely on to infer processing capacity.
Batch Processing: Instead of processing packets as they arrive, network functions could delay and release them in batches. This change would make it harder for attackers to determine capacity accurately.
Packet Reordering: By utilizing multiple queues for processing packets, network functions can reorder packets before they reach the attacker. This strategy disrupts the sequence of packets and complicates the attacker's calculations.
Rate-Limiting: Limiting the rate at which packets from the same source are processed can obfuscate the true capacity of the network function, deterring attackers from accurately estimating its performance.
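As an added illustration (not code from the paper or from the NFTY tool), the toy queue model below shows why a probe burst must exceed the network function's capacity for the packet spacing to reveal it, and how batching, random delays and per-source rate-limiting from the list above distort the estimate. The single-FIFO-server model, the rates and the delay pattern are all assumptions constructed for this example.

```python
from statistics import median
import random

# Toy model: the NF is one FIFO server with a fixed per-packet service time.
# All times are integer microseconds so the examples are exact.

def burst(n, probe_pps):
    """Send times of an n-packet probe burst emitted at probe_pps (constructed input)."""
    gap = 1_000_000 // probe_pps
    return [i * gap for i in range(n)]

def nf_process(send_times, capacity_pps, batch=1, delay_fn=None, src_limit_pps=None):
    """Return the time at which the NF releases each packet of the burst.
    capacity_pps   : true processing capacity of the NF (assumed model).
    batch          : release packets in groups of this size (batching countermeasure).
    delay_fn       : extra delay per packet index, random in a real deployment
                     (random-delay countermeasure).
    src_limit_pps  : per-source rate limit, applied when lower than capacity."""
    service = 1_000_000 // capacity_pps
    if src_limit_pps:
        service = max(service, 1_000_000 // src_limit_pps)
    out, free_at = [], 0
    for t in send_times:
        free_at = max(t, free_at) + service      # wait for the server, then get served
        out.append(free_at)
    if batch > 1:                                # hold each group until its last member is done
        for i in range(0, len(out), batch):
            group = out[i:i + batch]
            out[i:i + batch] = [group[-1]] * len(group)
    if delay_fn:
        out = [t + delay_fn(i) for i, t in enumerate(out)]
    return out

def estimate_capacity_pps(arrivals):
    """Probe-side inference: packets are seen in time order, and the median
    positive inter-arrival gap is taken as the NF's per-packet service time."""
    a = sorted(arrivals)
    gaps = [y - x for x, y in zip(a, a[1:]) if y > x]
    return 1_000_000 / median(gaps) if gaps else float("inf")

if __name__ == "__main__":
    probe = burst(20, 10_000)                    # 20 packets at 10x the NF's capacity
    print("no countermeasure :", estimate_capacity_pps(nf_process(probe, 1000)))            # 1000.0
    print("probe below cap   :", estimate_capacity_pps(nf_process(burst(20, 500), 1000)))  # 500.0
    print("batching (4)      :", estimate_capacity_pps(nf_process(probe, 1000, batch=4)))  # 250.0
    rng = random.Random(7)
    jitter = lambda i: rng.randint(0, 3000)      # random delay up to 3x the service time
    print("random delays     :", estimate_capacity_pps(nf_process(probe, 1000, delay_fn=jitter)))
    print("per-source limit  :", estimate_capacity_pps(nf_process(probe, 1000, src_limit_pps=200)))  # 200.0
```

With batching the estimate collapses to capacity/batch, with a per-source limit it reveals only the limit, and a probe slower than the NF just measures its own send rate.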
Challenges and Future Work
Despite the effectiveness of the proposed countermeasures, attackers are always developing new methods to circumvent them. Future research must explore how to enhance the security of network functions against these reconnaissance attacks.
Additionally, as network functions become more complex and dynamic, understanding how variations in deployment settings affect capacity determination will be crucial for developing resilient defensive strategies.
Conclusion
The ability for attackers to gather intelligence about network function capacities poses a significant threat to network security. Tools like NFTY highlight the potential risks and the need for robust countermeasures. By comprehensively understanding both reconnaissance techniques and defensive measures, organizations can better protect themselves from the ongoing threat of DDoS attacks and similar cyber threats.
In summary, this study provides not only a definition and understanding of network function capacity reconnaissance but also practical insights into counteracting such tactics. It serves as a call to action for organizations to enhance their security posture and be vigilant against evolving threats in the cyber landscape.
Title: Network Function Capacity Reconnaissance by Remote Adversaries
Abstract: There is anecdotal evidence that attackers use reconnaissance to learn the capacity of their victims before DDoS attacks to maximize their impact. The first step to mitigate capacity reconnaissance attacks is to understand their feasibility. However, the feasibility of capacity reconnaissance in network functions (NFs) (e.g., firewalls, NATs) is unknown. To this end, we formulate the problem of network function capacity reconnaissance (NFCR) and explore the feasibility of inferring the processing capacity of an NF while avoiding detection. We identify key factors that make NFCR challenging and analyze how these factors affect accuracy (measured as a divergence from ground truth) and stealthiness (measured in packets sent). We propose a flexible tool, NFTY, that performs NFCR and we evaluate two practical NFTY configurations to showcase the stealthiness vs. accuracy tradeoffs. We evaluate these strategies in controlled, Internet and/or cloud settings with commercial NFs. NFTY can accurately estimate the capacity of different NF deployments within 10% error in the controlled experiments and the Internet, and within 7% error for a commercial NF deployed in the cloud (AWS). Moreover, NFTY outperforms link-bandwidth estimation baselines by up to 30x.
Authors: Aqsa Kashaf, Aidan Walsh, Maria Apostolaki, Vyas Sekar, Yuvraj Agarwal
Last Update: 2024-05-15 00:00:00
Language: English
Source URL: https://arxiv.org/abs/2405.09442
Source PDF: https://arxiv.org/pdf/2405.09442
Licence: https://creativecommons.org/licenses/by/4.0/
Changes: This summary was created with assistance from AI and may have inaccuracies. For accurate information, please refer to the original source documents linked here.