
DDoS Landscape

majek04
June 06, 2018

Transcript

  1. DDoS attacks landscape
    Marek Majkowski
    @majek04

  3. Reverse proxy
    Eyeball → Reverse proxy → Origin server
    • Optimizations
    • Caching
    • Security
    • DDoS protection

  5. Denial of service

  8. Goal?

  16. Unavailability

  17. Break the internet

  18. Internet was built as a trusted environment

  19. https://www.fbi.gov/wanted/cyber

  21. Five case studies

  22. Amplification is largest

  24. Two things needed:
    - IP spoofing
    - vulnerable protocol

  25. IP Spoofing

  26. IP Spoofing (diagram: hosts 5.6.7.8 and 8.8.8.8)

  27. Enables impersonation
    (diagram: Real: 8.8.8.8, Destination 5.6.7.8; Spoofed: 8.8.8.8)

  28. Spoofed?
    (source: DaPuglet)

  29. Bulletproof hosting

  30. Find a protocol to abuse
    • DNS
    • NTP
    • SSDP

  31. (diagram: UDP Client sends a request, UDP Server returns a response)

  32. (diagram: Attacker sends a request to the UDP Server, the response goes to the Target)

  33. (diagram: as above; 10 bytes request, 100 bytes response)

  34. (diagram: Attacker sends requests to many UDP Servers, the responses go to the Target)

  36. Memcached (1.7 Tbps)
    February 2018

  37. Memcached does UDP?

  43. Cleanup was well underway
    • Digital Ocean
    • Linode
    • OVH
    • Amazon

  44. Memcached today

  46. Direct SYN flood

  47. Direct SYN flood (diagram: Attacker → Target server, 500 Gbps)

  59. Is it a day job?

  60. Direct attack today

  61. Imaginary attacks

  66. Application attacks are small

  67. We know who attacks us!
    (source: the internet)

  70. IoT - Cameras

  76. Sample HTTP request:
    GET /en HTTP/1.1
    User-Agent:
    Cookie:
    Host: example.com
    Connection: close
    Content-Length: 800000

    a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...

  79. Evolution of IoT botnets
    • Mirai - cameras
    • TR-069/TR-064 Deutsche Telefon - CPE
    • Reaper - D-Link, Netgear, and AVTech
    • VPNFilter - routers and NAS

  80. WireX - Android malware

  82. Observed User-Agent headers:
    User-Agent: jigpuzbcomkenhvladtwysqfxr
    User-Agent: yudjmikcvzoqwsbflghtxpanre
    User-Agent: mckvhaflwzbderiysoguxnqtpj
    User-Agent: deogjvtynmcxzwfsbahirukqpl
    User-Agent: fdmjczoeyarnuqkbgtlivsxhwp
    User-Agent: yczfxlrenuqtwmavhojpigkdsb
    User-Agent: dnlseufokcgvmajqzpbtrwyxih
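
    Slides 76 and 82 show two request-level signatures a defender can key on: a GET carrying a large body of empty array parameters (a[]=&b[]=&...), and User-Agent values that are simply the 26 lowercase letters shuffled. The Python below is an added example, not code from the deck or from Cloudflare; the sample requests are constructed, and the junk body is far shorter than the 800000 bytes on the slide.

```python
import re
import string

# Added example (not from the deck): flag the two L7 patterns on the slides, a GET whose
# body is a long run of empty array parameters and WireX User-Agents that are the
# lowercase alphabet shuffled. Sample requests below are constructed, not captured.
ALPHABET = frozenset(string.ascii_lowercase)
JUNK_BODY = re.compile(rb"^(?:[A-Za-z0-9_]+\[\]=&?)+$")   # a[]=&b[]=&... and nothing else

def parse_request(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Minimal HTTP/1.1 request split: method, lower-cased header map, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0], headers, body

def is_shuffled_alphabet_ua(ua: str) -> bool:
    """WireX-style User-Agent: exactly 26 lowercase letters, each used once."""
    return len(ua) == 26 and set(ua) == ALPHABET

def classify(raw: bytes, min_junk_fields: int = 20) -> list[str]:
    """Anomaly labels for one request; an empty list means nothing matched."""
    method, headers, body = parse_request(raw)
    findings = []
    if is_shuffled_alphabet_ua(headers.get("user-agent", "")):
        findings.append("shuffled-alphabet user-agent")
    for name in ("user-agent", "cookie"):           # header present but deliberately blank
        if name in headers and headers[name] == "":
            findings.append(f"empty {name} header")
    length = headers.get("content-length", "0")
    if method == "GET" and length.isdigit() and int(length) > 0:
        findings.append("GET with body")
    if body.count(b"[]=") >= min_junk_fields and JUNK_BODY.match(body):
        findings.append("junk array-parameter body")
    return findings

# The slide shows Content-Length: 800000; this constructed body is 500 bytes of the same shape.
JUNK_BODY_SAMPLE = b"a[]=&b[]=&" * 50
JUNK_GET = (b"GET /en HTTP/1.1\r\nUser-Agent:\r\nCookie:\r\nHost: example.com\r\n"
            b"Connection: close\r\nContent-Length: %d\r\n\r\n" % len(JUNK_BODY_SAMPLE)
            + JUNK_BODY_SAMPLE)
WIREX_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: jigpuzbcomkenhvladtwysqfxr\r\n\r\n"
NORMAL_GET = (b"GET /en HTTP/1.1\r\nHost: example.com\r\nCookie: sid=abc\r\n"
              b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0\r\n\r\n")
```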

  88. WireX attack function (pseudocode):
    function attack(String target, String userAgent, String referer) {
        HashMap WebViewHeaders = new HashMap();
        WebViewHeaders->put("Referer", referer);
        WebViewHeaders->put("X-Requested-With", "");
        WebView[] AttackerViews = new WebView[100];
        for (int i = 0; i < 100; i++) {
            AttackerViews[i] = new WebView();
            AttackerViews[i]->clearHistory();
            AttackerViews[i]->clearFormData();
            AttackerViews[i]->clearCache(true);
            WebViewSettings AWVS = AttackerViews[i]->getSettings();
            AWVS->setJavaScriptEnabled(true);
            AWVS->setUserAgentString(userAgent);
            AWVS->setCacheMode(LOAD_NO_CACHE);
            this->deleteDatabase("webview.db");
            this->deleteDatabase("webviewCache.db");
            AttackerViews[i]->loadUrl(target, WebViewHeaders);
        }
    }

  90. More...

  91. Mobile ads

  95. JavaScript request loop:
    function post_send() {
        var xmlHttp = c_xmlHttp();
        xmlHttp.open("POST", t_url8, true);
        xmlHttp.setRequestHeader("Content-Type", "");
        xmlHttp.send(t_postdata);
        r_send();
    }
    function r_send() {
        setTimeout("post_send()", 50);
    }

  96. Hard to mitigate

  97. Porcupine

  103. Porcupine: Profile
    • Junk payload L7 attacks
    • Pretty large - 1M rps, 200k IPs/h
    • Brazil, Algeria, Tunisia, Ukraine
    • Attacker: .
    • Infection: .

  105. Cloudflare

  106. Anycast Architecture

  107. (diagram: 192.0.2.0/24 announced to the Internet from Los Angeles, London, Amsterdam, Moscow, San Jose and New York)

  110. Divide and conquer
    • DNS: splits traffic across multiple IPs
    • Anycast: splits traffic globally
    • ECMP: splits traffic within a datacenter
    • Tuned network card: splits traffic across CPUs

  111. Automatic Mitigations

  112. iptables rule with BPF bytecode:
    iptables -A INPUT \
        --dst 1.2.3.4 \
        -p udp --dport 53 \
        -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
        -j DROP

  113. BPF assembly listing:
        ldx 4*([14]&0xf)
        ld #34
        add x
        tax
    lb_0:
        ldb [x + 0]
        add x
        add #1
        tax
        ld [x + 0]
        jneq #0x07657861, lb_1
        ld [x + 4]
        jneq #0x6d706c65, lb_1
        ld [x + 8]
        jneq #0x03636f6d, lb_1
        ldb [x + 12]
        jneq #0x00, lb_1
        ret #1
    lb_1:
        ret #0
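
    Slides 112 and 113 compare the DNS question name word by word against constants derived from example.com (0x07657861 is "\x07exa", 0x6d706c65 is "mple", 0x03636f6d is "\x03com"). The Python below is an added example, not from the deck or from Cloudflare: it replays that filter on a constructed IPv4/UDP/DNS packet and regenerates the decimal constants for any name. It assumes the packet starts at the IPv4 header as iptables -m bpf sees it; the assembly listing's `ld #34` instead assumes a 14-byte Ethernet header in front.

```python
import struct

# Added example (not from the deck): replay the classic-BPF DNS name filter in Python and
# regenerate its constants. Packets are constructed here, not captured.

def wire_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def qname_words(name: str) -> tuple[list[int], bytes]:
    """Big-endian 32-bit words compared by the `jneq #k` steps, plus the leftover bytes
    checked with `ldb`. For example.com the words are 124090465, 1836084325, 56848237,
    exactly the decimal constants inside the iptables --bytecode string."""
    wire = wire_name(name)
    n = len(wire) // 4
    return [struct.unpack_from("!I", wire, 4 * i)[0] for i in range(n)], wire[4 * n:]

def build_dns_query(name: str, ihl_words: int = 5) -> bytes:
    """Constructed IPv4 + UDP/53 + DNS query, starting at the IP header as iptables -m bpf
    sees it. Only the fields the filter reads are filled in."""
    ip = bytes([0x40 | ihl_words]) + b"\x00" * (4 * ihl_words - 1)   # version 4, IHL
    udp = struct.pack("!HHHH", 40000, 53, 0, 0)
    dns_hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)       # QDCOUNT = 1
    return ip + udp + dns_hdr + wire_name(name) + struct.pack("!HH", 1, 1)

def dns_qname_matches(pkt: bytes, name: str, skip_labels: int = 0) -> bool:
    """X = IP header length + 20 (UDP 8 + DNS header 12) points at the question name.
    The assembly listing uses `ld #34` because it assumes a 14-byte Ethernet header in
    front; its lb_0 block steps over one label, which skip_labels=1 reproduces, so
    `<label>.example.com` matches. Out-of-range loads make the kernel return 0, so
    this bounds-checks instead of raising."""
    if len(pkt) < 20:
        return False
    x = 4 * (pkt[0] & 0x0F) + 20                 # ldx 4*([0]&0xf); ld #20; add x; tax
    for _ in range(skip_labels):                 # lb_0: ldb [x+0]; add x; add #1; tax
        if x >= len(pkt):
            return False
        x += pkt[x] + 1
    words, tail = qname_words(name)
    if x + 4 * len(words) + len(tail) > len(pkt):
        return False
    for i, w in enumerate(words):                # ld [x+4i]; jneq #w, lb_1
        if struct.unpack_from("!I", pkt, x + 4 * i)[0] != w:
            return False
    off = x + 4 * len(words)                     # ldb [x+12]; jneq #0x00, lb_1
    return pkt[off:off + len(tail)] == tail      # ret #1 on match, ret #0 otherwise
```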

  114. Iptables for application attacks
    • Conntrack connlimit - limit concurrent connections
    • Hashlimits - limit rate of connections
      • Rate limit SYN packets per IP
    • Ipset - blacklisting of IP addresses
      • Manual blacklisting - feed IP blacklist from HTTP server logs
      • Supports subnets, timeouts
      • Automatic blacklisting via hashlimits

  115. (diagram: Internet → Router → NIC → Kernel → App, with iptables, fingerprints and XDP as filtering points)

  116. Thanks!
    • Architected for DDoS
    • Iptables are great
    • Reduce DNS TTL
    • Keep your IoT firmware in check
    • Don't install random APKs
    • Use 1.1.1.1 resolver :)
    [email protected]flare.com @majek04