Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DDoS Landscape

majek04
June 06, 2018
Technology
0
300

DDoS Landscape

majek04

June 06, 2018
Tweet

More Decks by majek04

See All by majek04
BPF programmable socket lookup
majek04
0
450
Linux at Cloudflare
majek04
3
5.8k
Inside Cloudbleed
majek04
3
1.9k
Golang sucks
majek04
21
50k
Gatelogic - Somewhat functional reactive framework in Python
majek04
1
3.7k
How Cloudflare deals with largest DDoS attacks?
majek04
2
2.3k
Why we chose Service Worker API
majek04
0
1.8k
IP Spoofing - DEFCON
majek04
1
650
Recent DDoS
majek04
0
240

Other Decks in Technology

See All in Technology
全世界のユーザー体験の改善にNew Relic Mobileをどのように活用したか/How New Relic Mobile was used to improve the global user experience
isaoshimizu
2
370
AI in Action
charmichokshi
0
170
モノリスからの脱却に向けた 物流システムリプレイスの概要紹介 / Towards Decentralized Logistics System Replacement from Monolithic Structure
yumayabe
0
210
ローコードでできる! アクセシビリティテスト自動化入門!
odasho
0
100
データマイニングと機械学習-SVM
trycycle
0
140
KEDAによるイベント駆動ジョブスケール / Event-driven job scale by KEDA
kohbis
2
150
ハンズオンで学ぶ! Instana基礎
daihiraoka
1
120
Turbinando Microsserviços com Distributed Cache
jordihofc
1
300
How to Write Robust Python Code
hayaosuzuki
5
990
AI完全初心者でも最新の生成AIの仕組がわかった気になれるプレゼン
shimap_sampo
5
1.5k
NestJS をかじってみた / MIERUNE BBQ #01 / #mierune
tacck
0
170
LLMの普及による機械学習の民主化とMLPdMの重要性 / democratization-of-ml-and-importance-of-mlpdm-by-llm
yuya4
2
2.2k

Featured

See All Featured
The Power of CSS Pseudo Elements
geoffreycrofte
54
4.5k
Rebuilding a faster, lazier Slack
samanthasiow
70
7.7k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
176
9.4k
What's in a price? How to price your products and services
michaelherold
234
10k
In The Pink: A Labor of Love
frogandcode
133
21k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
33
21k
Fireside Chat
paigeccino
18
2.1k
Art, The Web, and Tiny UX
lynnandtonic
285
18k
RailsConf 2023
tenderlove
0
93
KATA
mclloyd
13
10k
Gamification - CAS2011
davidbonilla
75
4.2k
Why Our Code Smells
bkeepers
PRO
327
55k

Transcript

  1. DDoS attacks landscape
    Marek Majkowski
    @majek04

    View Slide

  2. 2

    View Slide

  3. Reverse proxy
    3
    Eyeball Reverse proxy Origin server
    • Optimizations
    • Caching
    • Security
    • DDoS protection

    View Slide

  4. 4

    View Slide

  5. 5
    Denial of service

    View Slide

  6. 6

    View Slide

  7. 7

    View Slide

  8. Goal?
    8

    View Slide

  9. 9

    View Slide

  10. 10

    View Slide

  11. 11

    View Slide

  12. 12

    View Slide

  13. 13

    View Slide

  14. 14

    View Slide

  15. 15

    View Slide

  16. Unavailability
    16

    View Slide

  17. 17
    Break the internet

    View Slide

  18. Internet was built
    as a trusted environment
    18

    View Slide

  19. 19
    https://www.fbi.gov/wanted/cyber

    View Slide

  20. 20

    View Slide

  21. Five case studies
    21

    View Slide

  22. Amplification is largest
    22

    View Slide

  23. 23

    View Slide

  24. 24
    Two things needed:
    - IP spoofing
    - vulnerable protocol

    View Slide

  25. 25
    IP Spoofing

    View Slide

  26. 26
    5.6.7.8
    8.8.8.8
    IP Spoofing

    View Slide

  27. 27
    Enables impersonation
    Real
    8.8.8.8 Destination
    5.6.7.8
    Spoofed
    8.8.8.8

    View Slide

  28. 28
    Spoofed?
    (source: DaPuglet)

    View Slide

  29. bulletproof hostig
    29

    View Slide

  30. 30
    Find a protocol to abuse
    • DNS
    • NTP
    • SSDP

    View Slide

  31. 31
    UDP Server
    UDP Client
    request response

    View Slide

  32. 32
    Attacker
    Target
    UDP Server
    request
    response

    View Slide

  33. 33
    Attacker
    Target
    UDP Server
    request
    response
    10 bytes
    100 bytes

    View Slide

  34. 34
    Attacker
    Target
    UDP Servers
    requests
    responses

    View Slide

  35. 35

    View Slide

  36. Memcached (1.7 Tbps)
    February 2018
    36

    View Slide

  37. Memcached does UDP?
    37

    View Slide

  38. 38

    View Slide

  39. 39

    View Slide

  40. 40

    View Slide

  41. 41

    View Slide

  42. 42

    View Slide

  43. Cleanup was well underway
    • Digital Ocean
    • Linode
    • OVH
    • Amazon
    43

    View Slide

  44. Memcached today
    44

    View Slide

  45. 45

    View Slide

  46. Direct SYN flood
    46

    View Slide

  47. 47
    Target
    Server
    Attacker
    500 Gbps
    Direct SYN flood

    View Slide

  48. 48

    View Slide

  49. 49

    View Slide

  50. 50

    View Slide

  51. 51

    View Slide

  52. 52

    View Slide

  53. 53

    View Slide

  54. 54

    View Slide

  55. 55

    View Slide

  56. 56

    View Slide

  57. 57

    View Slide

  58. 58

    View Slide

  59. Is it a day job?
    59

    View Slide

  60. 60
    Direct attack today

    View Slide

  61. Imaginary attacks
    61

    View Slide

  62. 62

    View Slide

  63. 63

    View Slide

  64. 64

    View Slide

  65. 65

    View Slide

  66. Application attacks are small
    66

    View Slide

  67. 67
    We know who attacks us!
    (source: the internet)

    View Slide

  68. 68

    View Slide

  69. 69

    View Slide

  70. IoT - Cameras
    70

    View Slide

  71. 71

    View Slide

  72. 72

    View Slide

  73. 73

    View Slide

  74. 74

    View Slide

  75. 75

    View Slide

  76. 76
    GET /en HTTP/1.1
    User-Agent:
    Cookie:
    Host: example.com
    Connection: close
    Content-Length: 800000
    a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...

    View Slide

  77. 77

    View Slide

  78. 78

    View Slide

  79. 79
    • Mirai - cameras
    • TR-069/TR-064 Deutsche Telefon - CPE
    • Reaper - D-Link, Netgear, and AVTech
    • VPNFilter - routers and NAS
    Evolution of IoT botnets

    View Slide

  80. WireX - Android malware
    80

    View Slide

  81. 81

    View Slide

  82. 82
    User-Agent: jigpuzbcomkenhvladtwysqfxr
    User-Agent: yudjmikcvzoqwsbflghtxpanre
    User-Agent: mckvhaflwzbderiysoguxnqtpj
    User-Agent: deogjvtynmcxzwfsbahirukqpl
    User-Agent: fdmjczoeyarnuqkbgtlivsxhwp
    User-Agent: yczfxlrenuqtwmavhojpigkdsb
    User-Agent: dnlseufokcgvmajqzpbtrwyxih

    View Slide

  83. 83

    View Slide

  84. 84

    View Slide

  85. 85

    View Slide

  86. 86

    View Slide

  87. 87

    View Slide

  88. 88
    function attack(String target, String userAgent, String referer) {
    HashMap WebViewHeaders = new HashMap();
    WebViewHeaders->put(“Referer”,referer);
    WebViewHeaders->put(“X-Requested-With”,””);
    WebView[] AttackerViews = new WebView[100];
    for (int i=0; iAttackerViews[i] = new WebView();
    AttackerViews[i]->clearHistory();
    AttackerViews[i]->clearFormData();
    AttackerViews[i]->clearCache(true);
    WebViewSettings AWVS = AttackerViews[i]->getSettings()
    AttackWebViewSettings->setJavaScriptEnabled(true);
    AttackWebViewSettings->setUserAgentString(userAgent);
    AttackWebViewSettings->setCacheMode(LOAD_NO_CACHE);
    this->deleteDatabase(“webview.db”);
    this->deleteDatabase(“webviewCache.db”);
    AttackerViews[i]->loadUrl(target,WebViewHeaders);
    }
    }
    }

    View Slide

  89. 89

    View Slide

  90. More....
    90

    View Slide

  91. Mobile ads
    91

    View Slide

  92. 92

    View Slide

  93. 93

    View Slide

  94. 94

    View Slide

  95. 95
    function post_send() {
    var xmlHttp=c_xmlHttp();
    xmlHttp.open("POST",t_url8,true);
    xmlHttp.setRequestHeader("Content-Type", "");
    xmlHttp.send(t_postdata);
    r_send();
    }
    function r_send() {
    setTimeout("post_send()", 50);
    }

    View Slide

  96. Hard to mitigate
    96

    View Slide

  97. Porcupine
    97

    View Slide

  98. 98

    View Slide

  99. 99

    View Slide

  100. 100

    View Slide

  101. 101

    View Slide

  102. 102

    View Slide

  103. Porcupine: Profile
    • Junk payload L7 attacks
    • Pretty large - 1M rps, 200k IP's/h
    • Brasil, Algeria, Tunisia, Ukraine
    • Attacker: .
    • Infection: .
    103

    View Slide

  104. 104

    View Slide

  105. Cloudflare
    105

    View Slide

  106. 106
    Anycast Architecture

    View Slide

  107. 107
    192.0.2.0/24
    Internet
    Los Angeles
    192.0.2.0/24
    London
    192.0.2.0/24
    Amsterdam
    192.0.2.0/24
    Moscow
    192.0.2.0/24
    San Jose
    192.0.2.0/24
    New York

    View Slide

  108. 108

    View Slide

  109. 109

    View Slide

  110. Divide and conquer
    • DNS
    • splits traffic against multiple IPs
    • Anycast
    • splits traffic globally
    • ECMP
    • splits traffic within datacenter
    • Tuned network card
    • splits traffic across CPUs
    110

    View Slide

  111. 111
    Automatic Mitigations

    View Slide

  112. 112
    iptables -A INPUT \
    --dst 1.2.3.4 \
    -p udp --dport 53 \
    -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7
    0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5
    1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1
    0,6 0 0 1,6 0 0 0" \
    -j DROP

    View Slide

  113. 113
    ldx 4*([14]&0xf)
    ld #34
    add x
    tax
    lb_0:
    ldb [x + 0]
    add x
    add #1
    tax
    ld [x + 0]
    jneq #0x07657861, lb_1
    ld [x + 4]
    jneq #0x6d706c65, lb_1
    ld [x + 8]
    jneq #0x03636f6d, lb_1
    ldb [x + 12]
    jneq #0x00, lb_1
    ret #1
    lb_1:
    ret #0

    View Slide

  114. Iptables for application attacks
    • Conntrack Connlimit - limit concurrent connections
    • Hashlimits - limit rate of connections
    • Rate limit SYN packets per IP
    • Ipset - blacklisting of IP addresses
    • Manual blacklisting - feed IP blacklist from HTTP server logs
    • Supports subnets, timeouts
    • Automatic blacklisting hashlimits
    114

    View Slide

  115. 115
    Internet Router
    NIC Kernel App
    iptables fingerprints
    XDP

    View Slide

  116. Thanks!
    • Architected for DDoS
    • Iptables are great
    • Reduce DNS TTL
    • Keep your IoT firmware in check
    • Don't install random APKs
    • Use 1.1.1.1 resolver :)
    116
    [email protected]flare.com @majek04

    View Slide