Upgrade to Pro — share decks privately, control downloads, hide ads and more …

All you ever wanted to know about DDoS

D4e1d473a995ef37b3e03e9e6006c3e3?s=47 majek04
February 24, 2016
Technology
1
230

All you ever wanted to know about DDoS

D4e1d473a995ef37b3e03e9e6006c3e3?s=128

majek04

February 24, 2016
Tweet

More Decks by majek04

See All by majek04
BPF programmable socket lookup
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
0
390
Linux at Cloudflare
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
3
4.5k
DDoS Landscape
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
0
280
Inside Cloudbleed
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
3
1.5k
Golang sucks
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
21
49k
Gatelogic - Somewhat functional reactive framework in Python
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
1
3.3k
How Cloudflare deals with largest DDoS attacks?
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
2
1.9k
Why we chose Service Worker API
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
0
1.4k
IP Spoofing - DEFCON
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
1
610

Other Decks in Technology

See All in Technology
サイバー攻撃を想定したクラウドネイティブセキュリティガイドラインとCNAPP及びSecurity Observabilityの未来
D9130a0952480278c7f44527c6989da7?s=48 syoshie
1
880
A3-1 IBM Championが本音で語る「IBM Cloud」
49844569246a6d183a5551bb74895e2a?s=48 kolinz
0
300
Simplify Cloud Native Security with Trivy
3f2e97dc4e6a5daaf1cb8a406c533176?s=48 knqyf263
0
490
Djangoで組織とユーザーの権限管理をやってみよう #devio2022
Fe8025d56f2bf17204e3aa7598a96fe2?s=48 seiichi1101
0
370
塩漬けにしているMySQL 8.0.xxをバージョンアップしたくなる、ここ数年でのMySQL 8.0の改善点 / MySQL Update 202208
7fb060398b26ed622d34921bd64e4f5d?s=48 yoshiakiyamasaki
1
570
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
3115a782126be714b5f94d24073c957d?s=48 oracle4engineer
PRO
10
19k
AWSで実現する「好き」の感情 / Develop Suki by AWS #devio2022
1e72c797afb9bab65655a1eb7d183460?s=48 syobochim
1
240
Power Automate for desktopで 配信環境を改善してみた話
C97407daeb9ad3a654e6a0ad8701b972?s=48 akiika
0
210
増田亨さんによる 「設計の考え方とやり方」勉強会オープニング
8ccb6288c8b9f34d6917a14d42e66cbe?s=48 tsuyok
0
190
ログ集約基盤をCloudWatchからOpenSearchに変えてみた
098ad475722e3697ec2fba28c8654f9f?s=48 yuhta28
0
130
私のAWS愛を聞け! ~ここが好きだよStep Functions~ #devio2022
808ce3d41280c085f8bdc27dce7ea8fb?s=48 kongmingstrap
0
270
Settlement simulation testing to ensure correct settlement processing
23e9a5be8e46efd1cf6a07694a047237?s=48 applepine1125
2
900

Featured

See All Featured
What's in a price? How to price your products and services
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
229
9.4k
Music & Morning Musume
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
35
4.3k
Designing on Purpose - Digital PM Summit 2013
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
106
5.7k
5 minutes of I Can Smell Your CMS
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
196
18k
A Philosophy of Restraint
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
192
15k
How New CSS Is Changing Everything About Graphic Design on the Web
D83926c323d4f9289f947b4b4e76b939?s=48 jensimmons
213
11k
Learning to Love Humans: Emotional Interface Design
5f50f94346fbcb23706f0707169317a4?s=48 aarron
261
37k
Building Better People: How to give real-time feedback that sticks.
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
344
17k
It's Worth the Effort
Ba530e786553390f3fb271848485681c?s=48 3n
172
26k
What the flash - Photography Introduction
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
62
10k
Helping Users Find Their Own Way: Creating Modern Search Experiences
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
7
1.1k
A designer walks into a library…
15f2b8221f247985a27a627d2ece72f0?s=48 pauljervisheath
196
16k

Transcript

  1. All you ever wanted to know about DDoS Marek Majkowski

    marek@cloudflare.com @majek04

  2. Content neutral 2

  3. DoS attempts daily 3 DoS events per day

  4. Defending from DoS is hard 4 X Attacker Visitor example.com

  5. Where the attacks come from? ! • L3 - Spoofed

    IP packets • L7 - Real connections from botnets 5

  6. • Internet economics • Deniability L3 - Spoofed IP packets

    6 Tier 1 provider Attacking network Target network $ $

  7. L7 - Botnet traffic • Unpatched virtual machines - VPS,

    EC2 • bugs in application software like wordpress • Infected end-user computers • windows XP? • Malicious javascript injected into browsers • javascript from advertisement networks 7 $ Easy! Easy!

  8. 8

  9. 9 attack volume network capacity >

  10. Network congestion 10 Internet Router NIC Kernel App

  11. BGP null routing 11 ! route 1.2.3.4/32 {! discard;! community

    [ 13335:666 13335:668 13335:36006 ];! }!

  12. Application integration 12 1.2.3.4 1.2.3.5 1.2.3.6 ! dig A example.com!

    1.2.3.7 X

  13. 13 attack volume network capacity <

  14. High volume packet floods (L3) 14 Internet Router NIC Kernel

    App

  15. 15 Let it flow (source: Yogendra Joshi)

  16. High volume packet flood 16 Packets per second

  17. UDP DNS flood 17 ! IP 202.194.181.95.15443 > 1.2.3.4:53: 63476%

    [1au] A? example.com. (50)! IP 221.12.236.115.6570 > 1.2.3.4:53: 11406% [1au] A? example.com. (50)! IP 203.94.134.43.18473 > 1.2.3.4:53: 8559% [1au] A? example.com. (50)! IP 203.196.66.75.32573 > 1.2.3.4:53: 47971% [1au] A? example.com. (50)! IP 124.240.198.136.23336 > 1.2.3.4:53: 61152% [1au] A? example.com. (50)! IP 218.247.70.185.11679 > 1.2.3.4:53: 16360% [1au] A? example.com. (50)! IP 202.109.218.98.27549 > 1.2.3.4:53: 17829% [1au] A? example.com. (50)! IP 203.148.240.82.21825 > 1.2.3.4:53: 22590% [1au] A? example.com. (50)! IP 211.167.108.67.25782 > 1.2.3.4:53: 17663% [1au] A? example.com. (50)! IP 203.209.60.18.20221 > 1.2.3.4:53: 38257% [1au] A? example.com. (50)! IP 203.81.181.168.12749 > 1.2.3.4:53: 53492% [1au] A? example.com. (50)!

  18. Sad DNS server 18

  19. 19 Spoofed? (source: DaPuglet)

  20. 20 Drop!

  21. 21 1 in 10K packets

  22. Packet characteristics 22 ! • Packet length • Payload •

    Goal: limit false positives

  23. Matching on payload in iptables 23

  24. Payload matching with BPF 24 ! iptables -A INPUT \!

    --dst 1.2.3.4 \! -p udp --dport 53 \! -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \! -j DROP!

  25. BPF bytecode 25 ! ldx 4*([14]&0xf)! ld #34! add x!

    tax! lb_0:! ldb [x + 0]! add x! add #1! tax! ld [x + 0]! jneq #0x07657861, lb_1! ld [x + 4]! jneq #0x6d706c65, lb_1! ld [x + 8]! jneq #0x03636f6d, lb_1! ldb [x + 12]! jneq #0x00, lb_1! ret #1! lb_1:! ret #0!

  26. Tcpdump expressions • Originally: • xt_bpf implemented in 2013 by

    Willem de Bruijn ! • Tcpdump expressions are limited - no variables • Benefits in hand-crafting BPF 26 tcpdump -n “udp and port 53”

  27. BPF tools 27 • Open source: • https://github.com/cloudflare/bpftools • Can

    match various DNS patterns: • *.example.com! • --case-insensitive *.example.com! • --invalid-dns

  28. 28 ~2M pps

  29. 29 Happy DNS server

  30. 30 Internet Router NIC Kernel App Overloaded operating system

  31. Interrupt storms 31

  32. Payload matching close to NIC 32

  33. Partial kernel bypass ! • Or EFVI for SolarFlares: •

    http://www.openonload.org/ • Open sourced netmap patch, tested on Intel: • https://github.com/luigirizzo/netmap/pull/87 33

  34. Iptables BPF offload 34 Network card RX Queue #1 RX

    Queue #2 RX Queue #N RX Queue #? ! userspace offload Ethernet Kernel

  35. 35 >3M pps It works really well

  36. 36 It works really well

  37. No characteristics: Attacks against TCP/IP network stack (L4) 37

  38. ACK floods 38 ! IP 48.60.32.50.15244 > 1.2.3.4.80: Flags [.],

    ack 1754729313, win 16153! IP 31.102.214.103.13396 > 1.2.3.4.80: Flags [.], ack 1569851274, win 15707! IP 112.36.216.55.56515 > 1.2.3.4.80: Flags [.], ack 2051477187, win 16102! IP 65.130.63.30.10341 > 1.2.3.4.80: Flags [.], ack 2108282782, win 16112! IP 16.18.205.115.15962 > 1.2.3.4.80: Flags [.], ack 1359019408, win 16119! IP 128.177.247.54.13752 > 1.2.3.4.80: Flags [.], ack 1416531343, win 16102! IP 204.59.118.78.61528 > 1.2.3.4.80: Flags [.], ack 348671255, win 16101! IP 119.195.142.20.3344 > 1.2.3.4.80: Flags [.], ack 1917538144, win 16161! IP 70.197.6.24.39340 > 1.2.3.4.80: Flags [.], ack 1920842431, win 16124!

  39. 39 ~0.3M pps

  40. Statefull firewall - conntrack 40 ! iptables -A INPUT \!

    --dst 1.2.3.4 \! -m conntrack --ctstate INVALID \! -j DROP! ! sysctl -w net/netfilter/nf_conntrack_tcp_loose=0! !

  41. 41 ~2M pps

  42. Effective against TCP attacks • Works well against: • ACK

    • FIN • RST • X-mas • What about SYN floods? 42

  43. SYN floods 43 ! IP 94.242.250.109.47330 > 1.2.3.4:80: Flags [S],

    seq 1444613291, win 63243! IP 188.138.1.240.61454 > 1.2.3.4:80: Flags [S], seq 1995637287, win 60551! IP 207.244.90.205.17572 > 1.2.3.4:80: Flags [S], seq 1523683071, win 61607! IP 94.242.250.224.65127 > 1.2.3.4:80: Flags [S], seq 928944042, win 61778! IP 207.244.90.205.43074 > 1.2.3.4:80: Flags [S], seq 137074667, win 63891! IP 64.22.81.44.23865 > 1.2.3.4:80: Flags [S], seq 838596928, win 63808! IP 188.138.1.137.23373 > 1.2.3.4:80: Flags [S], seq 593106072, win 60272! IP 207.244.90.205.39653 > 1.2.3.4:80: Flags [S], seq 47289666, win 63210! IP 208.66.78.204.64197 > 1.2.3.4:80: Flags [S], seq 1850809890, win 62714! IP 207.244.90.205.33108 > 1.2.3.4:80: Flags [S], seq 319707959, win 63351! IP 207.244.90.205.6937 > 1.2.3.4:80: Flags [S], seq 1591500126, win 63902! IP 213.152.180.151.60560 > 1.2.3.4:80: Flags [S], seq 1902119375, win 62511! IP 64.22.79.127.11061 > 1.2.3.4:80: Flags [S], seq 1456438676, win 62148!

  44. 44 0M pps

  45. SYN in Linux 45 SYN backlog SYN_RECV Listen backlog ESTABLISHED

    SYN ACK accept() App SYN+ACK

  46. SYN Cookies 46 5 bits t mod 32 3 bits

    MSS 24 bits hash(ip, port, t) sequence number: 26 bits timestamp 1 bit ECN 1 bit SACK 4 bits wscale timestamp: ! sysctl -w net.ipv4.tcp_syncookies = 1! ! ! sysctl -w net.ipv4.tcp_timestamps = 1!

  47. 47 ~0.3M pps

  48. Recent changes • The idea is to remove the LISTEN

    lock • Heavy refactoring of the SYN queue • Submitted by Eric Dumazet in early October 2015 • Kernel 4.4 48

  49. Connections from a botnet (L7) 49

  50. 50 Real TCP/IP connections

  51. Small volume 51 Packets per second

  52. Symptoms 52 • Concurrent connection count going up • Many

    sockets in "orphaned" state • "Time waits" socket state indicates churn

  53. 53 Internet Router NIC Kernel App Overloaded application

  54. Sad HTTP server 54

  55. 55 IP reputation (source: the internet)

  56. Reputation in iptables 1. Conntrack Connlimit - limit concurrent connections

    2. Hashlimits - limit rate of connections • Rate limit SYN packets per IP 3. Ipset - blacklisting of IP addresses • Manual blacklisting - feed IP blacklist from HTTP server logs • Supports subnets, timeouts • Automatic blacklisting hashlimits 56

  57. Make it a SYN flood ! ! ! ! !

    • Disable HTTP keep-alives • Make it a SYN flood 57 ! GET / HTTP/1.1! Host: www.example.com! ! GET / HTTP/1.1! Host: www.example.com! ! GET / HTTP/1.1! Host: www.example.com! ...!

  58. Very large botnets (L7+) 58

  59. Very large botnets • Blacklist IP's based on payload •

    "BPF" or "string" module for match + ipsets auto expiry 59 ! GET /forum.php HTTP/1.1! Accept: */*! Accept-Language: zh-cn! Accept-Encoding: gzip, deflate! User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0;... ! Host: www.example.com:80! Connection: Keep-Alive!

  60. 300k RPS, 650k uniques 60 (source: CloudFlare blog)

  61. 61 Congestion L2 Remove IP address BGP Nullrouting High volume

    packet flood L3 DROP bad packets Match on BPF High volume packet flood L4 DROP bad packets Conntrack Botnet L7 Limit damage for each bot Connlimit Hashlimit Ipsets Very large botnet L7+ DROP bad requests Match HTTP request in TCP packets

  62. • You WILL BGP null-route • Prepare your application for

    that • DROP all the packets! (only 1 in 10k could be valid!) • With BPF • Partial kernel bypass for better speed • Iptables are powerful • Connlimit, hashlimits, ipsets marek@cloudflare.com @majek04 Thanks!

  63. 63

  64. Exciting system tweaks 64 Appendix A

  65. ! ethtool -N eth3 flow-type udp4 \! dst-ip 192.168.254.30 \!

    dst-port 53 action -1! NIC: discard with flow steering 65

  66. Tip: Flow steering for priority 66 ! ethtool -X eth3

    weight 0 1 1 1 1 1 1 1 1 1 1! ethtool -N eth3 flow-type tcp4 \! dst-port 22 action 0!

  67. SYN backlog size 1. Listen backlog size ! 2. Listen

    backlog capped to ! 3. SYN backlog capped to ! 4. Rounded to next power of two 67 sysctl -w net.ipv4.tcp_max_syn_backlog = 65535 listen(int sockfd, int backlog) sysctl -w net.core.somaxconn = 65535 127 --> 128 128 -->256

  68. SYN backlog decay 68 ! sysctl -w net.ipv4.tcp_synack_retries=1!

  69. L7 connection count 69 ! sysctl -w net.ipv4.tcp_max_orphans=262144! sysctl -w

    net.ipv4.tcp_orphan_retries=1! ! sysctl -w net.ipv4.tcp_max_tw_buckets=360000! sysctl -w net.ipv4.tcp_tw_reuse=1! sysctl -w net.ipv4.tcp_fin_timeout=5!

  70. Iptables examples 70 Appendix B

  71. L3: u32 71 ! iptables -A INPUT \! --dst 1.2.3.4

    \! -p udp -m udp --dport 53 \! -m u32 --u32 "6&0xFF=0x6 && 4&0x1FFF=0 && 0>>22&0x3C@4=0x29"\! -j DROP!

  72. L4: Conntrack 72 ! iptables -t raw -A PREROUTING \!

    -i eth2 \! --dst 1.2.3.4 \! -j ACCEPT! ! iptables -t raw -A PREROUTING \! -i eth2 \! -j NOTRACK! ! ! iptables -A INPUT \! --dst 1.2.3.4 \! -m conntrack --ctstate INVALID \! -j DROP!

  73. Tuning conntrack 73 ! sysctl -w net.netfilter.nf_conntrack_helper=0! ! sysctl -w

    net.nf_conntrack_max=2000000! echo 2500000 > /sys/module/nf_conntrack/parameters/hashsize! ! sysctl -w net/netfilter/nf_conntrack_tcp_loose=0!

  74. L7: Connlimit 74 ! iptables -t raw -A PREROUTING \!

    -i eth2 \! --dst 1.2.3.4 \! -j ACCEPT! ! iptables -A INPUT \! --dst 1.2.3.4 \! -p tcp -m tcp --dport 80 \! -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN \! -m connlimit \! --connlimit-above 10 \! --connlimit-mask 32 \! --connlimit-saddr \! -j DROP!

  75. L7: ipset for blacklisting 75 ! ipset -exist create ta_d335c5

    hash:net family inet! ! ipset add ta_d335c5 192.168.0.0/16! ipset add ta_d335c5 10.0.0/8! ! iptables -A INPUT \! -m set --match-set ta_d335c5 src \! -j DROP!

  76. L7: being evil - TARPIT 76 ! iptables -A INPUT

    \! -m set --match-set ta_d335c5 src \! -j TARPIT!

  77. L7: hashlimit for rate limiting 77 ! iptables -A INPUT

    \! --dst 1.2.3.4 -p tcp -m tcp --dport 80 \! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN \! -m hashlimit \! --hashlimit-above 100/sec \! --hashlimit-burst 5 \! --hashlimit-mode srcip \! --hashlimit-srcmask 24 \! --hashlimit-name 341654b1d4af9bf \! -j DROP!

  78. L7: auto-blacklisting 78 ! ipset -exist create blacklist hash:net timeout

    60! ! iptables -A INPUT \! --dst 1.2.3.4 \! -m set --match-set blacklist src \! -j DROP! ! iptables -A INPUT \! --dst 1.2.3.4 -p tcp -m tcp --dport 80\! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN \! -m hashlimit \! --hashlimit-above 100/sec \! --hashlimit-mode srcip \! --hashlimit-srcmask 24 \! --hashlimit-name hl_blacklist \! -j SET --add-set blacklist src!

  79. L7+: payload in TCP - string 79 ! iptables -A

    INPUT \! ! --dst 1.2.3.4 \! ! -p tcp --dport 80 \! ! -m string \! ! --hex-string 486f73743a207777772e787878787878782e... \! --from 231 --to 300 \! -j DROP!

  80. L7+: payload in TCP - BPF 80 ! $ ./fixed_offset.py

    'Host: www.xxxxxxx.com:80\r\n' 231! ! ip[231:4] == 0x486f7374 and ip[235:4] == 0x3a207777 and ip[239:4] == 0x772e7878 and ip[243:4] == 0x78787878 and ip[247:4] == 0x782e636f and ip[251:4] == 0x6d3a3830 and ip[255:2] == 0x0d0a! (source: fixed_offset.py)