Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building an automated DDoS mitigation pipeline

majek04
January 23, 2016
Programming
5
1.2k

Building an automated DDoS mitigation pipeline

majek04

January 23, 2016
Tweet

More Decks by majek04

See All by majek04
BPF programmable socket lookup
majek04
0
470
Linux at Cloudflare
majek04
3
6k
DDoS Landscape
majek04
0
320
Inside Cloudbleed
majek04
3
2.1k
Golang sucks
majek04
21
50k
Gatelogic - Somewhat functional reactive framework in Python
majek04
1
3.9k
How Cloudflare deals with largest DDoS attacks?
majek04
2
2.5k
Why we chose Service Worker API
majek04
0
1.9k
IP Spoofing - DEFCON
majek04
1
670

Other Decks in Programming

See All in Programming
「ちょうどよい」フロントエンドアーキテクチャを求めて
ari_mharada
0
170
【PHPカンファレンス沖縄 2023】素朴で考慮漏れのある PHP コードをテストコードとともに補強していく(ライブコーディング補足資料) / #phpcon_okinawa 2023 livecoding supplementary material
okashoi
2
150
わかる!Hashicorp Waypoint | HashiTalks: Japan2023
kazue
0
310
第6回 AWSとGitHub勉強会 - AWS ECS Fargate環境の構築 -
ogiwarat
0
160
Migrating From Spring Boot 2 To Spring Boot 3 - What's Jakarta EE Got To Do with It?
ivargrimstad
0
640
ノーコードE2Eテストで実現する高速開発
nozomiito
0
220
VSCodeから一発でProxymanを起動する
kumamotone
0
110
アジャイルのライトウィングとレフトウィングはひとりで両方できなくてもいいんじゃない? - “ひとりでできるもん”から“みんなでできるもん”への道のり
psj59129
0
250
The impact of API Platform on Open-Source
loic425
0
120
PHP8.2にバージョンアップして もっと型表現を豊かにしよう
akitotsukahara
0
170
Jakarta EE 10 - Simplicity for Modern and Lightweight Cloud
ivargrimstad
0
660
KustoクエリのChatGPT Plugin!
tomokusaba
0
310

Featured

See All Featured
Clear Off the Table
cherdarchuk
81
300k
Fantastic passwords and where to find them - at NoRuKo
philnash
34
2.2k
Side Projects
sachag
450
39k
10 Git Anti Patterns You Should be Aware of
lemiorhan
644
56k
Testing 201, or: Great Expectations
jmmastey
26
6k
Designing Experiences People Love
moore
133
22k
Faster Mobile Websites
deanohume
296
29k
Git: the NoSQL Database
bkeepers
PRO
420
61k
Ruby is Unlike a Banana
tanoku
93
9.9k
How GitHub Uses GitHub to Build GitHub
holman
467
280k
Adopting Sorbet at Scale
ufuk
66
8.1k
The Invisible Side of Design
smashingmag
292
49k

Transcript

  1. Building an automated
    DDoS Mitigation Pipeline
    Marek Majkowski

    View Slide

  2. 2
    "Help Build a Better Internet"

    View Slide

  3. Content neutral
    3

    View Slide

  4. DDoS is a threat
    4

    View Slide

  5. 5
    Malicious
    Attacker
    Internet
    Provider
    Origin
    Server
    CloudFlare
    Server
    trust &
    safety
    team
    w
    orking
    w
    ith
    operators
    public outreach
    Big effort
    im
    proving
    our infrastructure

    View Slide

  6. 6
    Automated DDoS Mitigations
    Malicious
    Attacker
    Internet
    Provider
    Origin
    Server
    CloudFlare
    Server
    autom
    ating
    m
    itigations

    View Slide

  7. 7
    attack
    volume
    CloudFlare
    network capacity
    >

    View Slide

  8. BGP Nullroute and move on
    8
    !
    route 1.2.3.4/32 {!
    discard;!
    community [ 13335:666 13335:668 13335:36006 ];!
    }!

    View Slide

  9. attack
    volume
    CloudFlare
    network capacity
    <
    9

    View Slide

  10. 10
    BGP Nullrouting
    Router firewall
    Server firewall
    Application
    Less damage
    Reducing damage

    View Slide

  11. 11
    BGP Nullrouting IP
    Router firewall
    IP, port,
    packet length
    Server firewall
    all above +
    stateless DPI
    parameters
    Application
    all above +
    application logic
    More precision
    Reducing damage

    View Slide

  12. 12
    Operator
    Precision
    Speed

    View Slide

  13. 13

    View Slide

  14. 14
    Automation
    Precision
    Speed

    View Slide

  15. 15
    Gatebot
    Precision
    Speed
    Automatic attack handling

    View Slide

  16. Attack
    Detection
    Automatic attack handling
    16
    Mitigation
    Reactive
    Automation

    View Slide

  17. The attack
    17

    View Slide

  18. High volume packet floods
    18
    Packets per second

    View Slide

  19. DNS packet flood
    19
    !
    $ tcpdump -ni eth2 inbound and port 53 -c 100!
    !
    IP 202.194.181.95.15443 > 1.2.3.4:53: 63476% [1au] A? example.com. (50)!
    IP 221.12.236.115.6570 > 1.2.3.4:53: 11406% [1au] A? example.com. (50)!
    IP 203.94.134.43.18473 > 1.2.3.4:53: 8559% [1au] A? example.com. (50)!
    IP 203.196.66.75.32573 > 1.2.3.4:53: 47971% [1au] A? example.com. (50)!
    IP 124.240.198.136.2333 > 1.2.3.4:53: 61152% [1au] A? example.com. (50)!
    IP 218.247.70.185.11679 > 1.2.3.4:53: 16360% [1au] A? example.com. (50)!
    IP 202.109.218.98.27549 > 1.2.3.4:53: 17829% [1au] A? example.com. (50)!
    IP 203.148.240.82.21825 > 1.2.3.4:53: 22590% [1au] A? example.com. (50)!
    IP 211.167.108.67.25782 > 1.2.3.4:53: 17663% [1au] A? example.com. (50)!
    IP 203.209.60.18.20221 > 1.2.3.4:53: 38257% [1au] A? example.com. (50)!
    IP 203.81.181.168.12749 > 1.2.3.4:53: 53492% [1au] A? example.com. (50)!

    View Slide

  20. 1 in 10k packets is "real"
    20

    View Slide

  21. Finding attack parameters
    21
    !
    IP 202.194.181.95.15443 > 1.2.3.4:53: 63476% [1au] A? example.com. (50)!
    IP 221.12.236.115.6570 > 1.2.3.4:53: 11406% [1au] A? example.com. (50)!
    IP 203.94.134.43.18473 > 1.2.3.4:53: 8559% [1au] A? example.com. (50)!
    IP 203.196.66.75.32573 > 1.2.3.4:53: 47971% [1au] A? example.com. (50)!
    IP 124.240.198.136.2336 > 1.2.3.4:53: 61152% [1au] A? example.com. (50)!
    IP 218.247.70.185.11679 > 1.2.3.4:53: 16360% [1au] A? example.com. (50)!
    IP 202.109.218.98.27549 > 1.2.3.4:53: 17829% [1au] A? example.com. (50)!
    IP 203.148.240.82.21825 > 1.2.3.4:53: 22590% [1au] A? example.com. (50)!
    IP 211.167.108.67.25782 > 1.2.3.4:53: 17663% [1au] A? example.com. (50)!
    IP 203.209.60.18.20221 > 1.2.3.4:53: 38257% [1au] A? example.com. (50)!
    IP 203.81.181.168.12749 > 1.2.3.4:53: 53492% [1au] A? example.com. (50)!

    View Slide

  22. Mitigation
    22
    Mitigation Operator

    View Slide

  23. Where to DROP?
    23
    Application
    iptables
    Router

    View Slide

  24. Traffic matching with BPF
    24
    !
    iptables -A INPUT \!
    --dst 1.2.3.4 \!
    -p udp --dport 53 \!
    -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7
    0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5
    1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1
    0,6 0 0 1,6 0 0 0" \!
    -j DROP!

    View Slide

  25. 25
    !
    ldx 4*([14]&0xf)!
    ld #34!
    add x!
    tax!
    lb_0:!
    ldb [x + 0]!
    add x!
    add #1!
    tax!
    ld [x + 0]!
    jneq #0x07657861, lb_1!
    ld [x + 4]!
    jneq #0x6d706c65, lb_1!
    ld [x + 8]!
    jneq #0x03636f6d, lb_1!
    ldb [x + 12]!
    jneq #0x00, lb_1!
    ret #1!
    lb_1:!
    ret #0!
    BPF bytecode

    View Slide

  26. 26

    View Slide

  27. Deployment
    27
    iptables
    Mitigation
    Database

    View Slide

  28. Mitigation database
    28
    !
    $ gatekeeper dnsbpf list!
    --ip=1.2.3.4 *.example.com!
    --ip=4.3.2.1 www.test.de *.www.test.de!
    --ip=4.3.4.4 *.cloudflare.com --except=www.** --except=ns1.**!
    --ip=2.3.1.4 www.onedomain.com,wwww.seconddomain.com!
    --ip=1.2.3.0/24 test.com!
    !
    $ gatekeeper dnsbpf add -- --ip=4.3.2.1 *.newattack.com!

    View Slide

  29. Detection
    29
    Attack
    Detection

    View Slide

  30. Sflow
    30
    Sflow
    Central
    Aggregation

    View Slide

  31. What is an "attack"?
    31

    View Slide

  32. "Attack" is large
    32
    Large attacks
    Small attacks
    Packets per second

    View Slide

  33. 33
    Attacks
    Mitigation
    "Attack" can be mitigated
    Attack
    Detection
    Mitigation
    Database
    Attack Description
    =
    Mitigation
    33
    iptables
    Sflow

    View Slide

  34. 34
    !
    Mpps Descr!
    3.878 --ip=141.245.59.191/32!
    2.878 --ip=141.245.59.192/32!
    1.878 --ip=141.245.59.193/32!
    1.878 --ip=141.245.59.194/32!
    1.878 --ip=141.245.59.195/32!
    1.878 --ip=141.245.59.196/32!
    1.878 --ip=141.245.59.197/32!
    1.878 --ip=141.245.59.198/32!
    1.878 --ip=141.245.59.199/32!
    ...!
    !
    Mpps Descr!
    35.878 --ip=141.245.59.0/24!
    vs
    "Attacks" shall be aggregated

    View Slide

  35. 35
    An attack-finding algorithm

    View Slide

  36. Top N / Heavy hitters
    • Fixed memory size; Algorithm: Space Saving
    • https://github.com/cloudflare/golibs
    36
    pps IP
    12.2M 1.2.3.4
    2.4M 42.1.2.4
    0.01M 2.4.3.1
    0.01M 192.168.1.1

    View Slide

  37. Multiple dimensions
    37
    pps IP:port
    12.2M 1.2.3.4:53
    2.4M 42.1.2.4:80
    0.01M 2.4.3.1:80
    0.01M 192.168.1.1:443
    pps IP
    12.2M 1.2.3.4
    2.4M 42.1.2.4
    0.01M 2.4.3.1
    0.01M 192.168.1.1
    pps subnet
    12.2M 1.2.3.0/24
    2.4M 42.1.2.0/24
    0.01M 2.4.3.0/24
    0.01M 192.168.1.0/24

    View Slide

  38. Multiple dimensions
    38
    pps IP:port
    12.2M 1.2.3.4:53
    2.4M 42.1.2.4:80
    0.01M 2.4.3.1:80
    0.01M 192.168.1.1:443
    pps IP
    12.2M 1.2.3.4
    2.4M 42.1.2.4
    0.01M 2.4.3.1
    0.01M 192.168.1.1
    pps subnet
    12.2M 1.2.3.0/24
    2.4M 42.1.2.0/24
    0.01M 2.4.3.0/24
    0.01M 192.168.1.0/24
    incoming sample: 42.1.2.4:80

    View Slide

  39. Multiple dimensions
    39
    pps IP:port
    12.2M 1.2.3.4:53
    2.4M 42.1.2.4:80
    0.01M 2.4.3.1:80
    0.01M 192.168.1.1:443
    pps IP
    12.2M 1.2.3.4
    2.4M 42.1.2.4
    0.01M 2.4.3.1
    0.01M 192.168.1.1
    pps subnet
    12.2M 1.2.3.0/24
    2.4M 42.1.2.0/24
    0.01M 2.4.3.0/24
    0.01M 192.168.1.0/24
    reporting threshold: 1M

    View Slide

  40. Attack report
    40
    !
    Mpps Descr!
    12.2 --ip=1.2.3.4 --port=53!
    2.4 --ip=42.1.2.4 --port=80!
    12.2 --ip=1.2.3.4!
    2.4 --ip=42.1.2.4!
    12.2 --ip=1.2.3.0/24!
    2.4 --ip=42.1.2.0/24!

    View Slide

  41. Multiple dimensions
    41
    pps IP:port
    12.2M 1.2.3.4:53
    2.4M 42.1.2.4:80
    0.01M 2.4.3.1:80
    0.01M 192.168.1.1:443
    pps IP
    0.1M 1.2.3.4
    0M 42.1.2.4
    0.01M 2.4.3.1
    0.01M 192.168.1.1
    pps subnet
    0.1M 1.2.3.0/24
    0M 42.1.2.0/24
    0.01M 2.4.3.0/24
    0.01M 192.168.1.0/24
    incoming sample: 42.1.2.4:80

    View Slide

  42. Attack report
    42
    !
    Mpps Descr!
    12.2 --ip=1.2.3.4 --port=53!
    2.4 --ip=42.1.2.4 --port=80!

    View Slide

  43. Scales well
    43

    View Slide

  44. Reactive automation
    44
    Reactive
    Automation

    View Slide

  45. Connecting the pieces
    45
    sflow
    iptables
    Attack
    Detection
    Mitigation
    Database
    ?

    View Slide

  46. 46
    !
    --ip=1.2.3.4 example.com!
    !
    --ip=1.2.3.4 example.com --qps=100!
    Reactive
    Rule

    View Slide

  47. 47
    !
    --ip=1.2.3.4 example.com --qps=500!
    !
    example.com = FREE | PAID!
    Reactive
    Rule
    !
    --ip=1.2.3.4 example.com!

    View Slide

  48. 48
    !
    --ip=1.2.3.4 example.com --except www,n1,ns2 --qps=500!
    Reactive
    Rule
    !
    example.com subdomains:!
    (www, ns1, ns2)!
    !
    --ip=1.2.3.4 example.com!
    !
    example.com = FREE | PAID!

    View Slide

  49. 49
    Input Steam
    extra stream
    extra stream
    Output Stream
    Reactive
    Rule

    View Slide

  50. Chain of transformations
    50
    !
    def dns_mitigation(attack, plan, subdomains):!
    domain = attack['domain']!
    !
    qps = 100!
    if plan[domain] == 'business':!
    qps = 500!
    !
    mitigation =!
    attack['description'] + \!
    ' --qps=%s' % qps + \!
    ' --except=%s'.join(subdomains[domain])!
    !
    return mitigation!

    View Slide

  51. Fully composable
    51

    View Slide

  52. Putting it all together
    52

    View Slide

  53. Putting it all together
    53
    Mitigation
    Database
    sflow
    iptables
    Attack
    Detection
    Reactive
    Automation
    53

    View Slide

  54. Gatebot: frequency
    54
    Gatebot actions per day
    3 months

    View Slide

  55. Gatebot: volume
    55
    1 week

    View Slide

  56. Summary
    56

    View Slide

  57. The fight goes on
    57
    Malicious
    Attacker
    Internet
    Provider
    Origin
    Server
    CloudFlare
    Server
    trust &
    safety
    team
    w
    orking
    w
    ith
    operators
    public outreach
    im
    proving
    our infrastructure

    View Slide

  58. !
    !
    • https://blog.cloudflare.com
    • https://github.com/cloudflare
    58
    marek@cloudflare.com
    @majek04
    Thanks!
    and good luck!
    @cfgatebot

    View Slide