DDoS Landscape

majek04
June 06, 2018


Transcript

  1. DDoS attacks landscape Marek Majkowski @majek04

  2. 2

  3. Reverse proxy 3 Eyeball, Reverse proxy, Origin server • Optimizations • Caching • Security • DDoS protection
  4. 4

  5. 5 Denial of service

  6. 6

  7. 7

  8. Goal? 8

  9. 9

  10. 10

  11. 11

  12. 12

  13. 13

  14. 14

  15. 15

  16. Unavailability 16

  17. 17 Break the internet

  18. Internet was built as a trusted environment 18

  19. 19 https://www.fbi.gov/wanted/cyber

  20. 20

  21. Five case studies 21

  22. Amplification is largest 22

  23. 23

  24. 24 Two things needed: - IP spoofing - vulnerable protocol

  25. 25 IP Spoofing

  26. 26 5.6.7.8 8.8.8.8 IP Spoofing

  27. 27 Enables impersonation Real 8.8.8.8 Destination 5.6.7.8 Spoofed 8.8.8.8

  28. 28 Spoofed? (source: DaPuglet)

  29. bulletproof hosting 29

  30. 30 Find a protocol to abuse • DNS • NTP • SSDP
  31. 31 UDP Server UDP Client request response

  32. 32 Attacker Target UDP Server request response

  33. 33 Attacker Target UDP Server request response 10 bytes 100 bytes
  34. 34 Attacker Target UDP Servers requests responses

  35. 35

  36. Memcached (1.7 Tbps) February 2018 36

  37. Memcached does UDP? 37

  38. 38

  39. 39

  40. 40

  41. 41

  42. 42

  43. Cleanup was well underway • Digital Ocean • Linode • OVH • Amazon 43
  44. Memcached today 44

  45. 45

  46. Direct SYN flood 46

  47. 47 Target Server Attacker 500 Gbps Direct SYN flood

  48. 48

  49. 49

  50. 50

  51. 51

  52. 52

  53. 53

  54. 54

  55. 55

  56. 56

  57. 57

  58. 58

  59. Is it a day job? 59

  60. 60 Direct attack today

  61. Imaginary attacks 61

  62. 62

  63. 63

  64. 64

  65. 65

  66. Application attacks are small 66

  67. 67 We know who attacks us! (source: the internet)

  68. 68

  69. 69

  70. IoT - Cameras 70

  71. 71

  72. 72

  73. 73

  74. 74

  75. 75

  76. 76
    GET /en HTTP/1.1
    User-Agent: <some string>
    Cookie: <some cookie>
    Host: example.com
    Connection: close
    Content-Length: 800000

    a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...
  77. 77

  78. 78

  79. 79 Evolution of IoT botnets • Mirai - cameras • TR-069/TR-064 Deutsche Telekom CPE • Reaper - D-Link, Netgear, and AVTech • VPNFilter - routers and NAS
  80. WireX - Android malware 80

  81. 81

  82. 82
    User-Agent: jigpuzbcomkenhvladtwysqfxr
    User-Agent: yudjmikcvzoqwsbflghtxpanre
    User-Agent: mckvhaflwzbderiysoguxnqtpj
    User-Agent: deogjvtynmcxzwfsbahirukqpl
    User-Agent: fdmjczoeyarnuqkbgtlivsxhwp
    User-Agent: yczfxlrenuqtwmavhojpigkdsb
    User-Agent: dnlseufokcgvmajqzpbtrwyxih
  83. 83

  84. 84

  85. 85

  86. 86

  87. 87

  88. 88
    function attack(String target, String userAgent, String referer) {
      HashMap WebViewHeaders = new HashMap();
      WebViewHeaders->put("Referer", referer);
      WebViewHeaders->put("X-Requested-With", "");
      WebView[] AttackerViews = new WebView[100];
      for (int i=0; i<AttackerViews.length; i++) {
        AttackerViews[i] = new WebView();
        AttackerViews[i]->clearHistory();
        AttackerViews[i]->clearFormData();
        AttackerViews[i]->clearCache(true);
        WebViewSettings AWVS = AttackerViews[i]->getSettings()
        AttackWebViewSettings->setJavaScriptEnabled(true);
        AttackWebViewSettings->setUserAgentString(userAgent);
        AttackWebViewSettings->setCacheMode(LOAD_NO_CACHE);
        this->deleteDatabase("webview.db");
        this->deleteDatabase("webviewCache.db");
        AttackerViews[i]->loadUrl(target, WebViewHeaders);
      }
    }
  89. 89

  90. More.... 90

  91. Mobile ads 91

  92. 92

  93. 93

  94. 94

  95. 95
    function post_send() {
      var xmlHttp=c_xmlHttp();
      xmlHttp.open("POST",t_url8,true);
      xmlHttp.setRequestHeader("Content-Type", "");
      xmlHttp.send(t_postdata);
      r_send();
    }
    function r_send() {
      setTimeout("post_send()", 50);
    }
  96. Hard to mitigate 96

  97. Porcupine 97

  98. 98

  99. 99

  100. 100

  101. 101

  102. 102

  103. Porcupine: Profile • Junk payload L7 attacks • Pretty large - 1M rps, 200k IP's/h • Brazil, Algeria, Tunisia, Ukraine • Attacker: . • Infection: . 103
  104. 104

  105. Cloudflare 105

  106. 106 Anycast Architecture

  107. 107 192.0.2.0/24 Internet • Los Angeles 192.0.2.0/24 • London 192.0.2.0/24 • Amsterdam 192.0.2.0/24 • Moscow 192.0.2.0/24 • San Jose 192.0.2.0/24 • New York
  108. 108

  109. 109

  110. Divide and conquer • DNS - splits traffic against multiple IPs • Anycast - splits traffic globally • ECMP - splits traffic within datacenter • Tuned network card - splits traffic across CPUs 110
  111. 111 Automatic Mitigations

  112. 112
    iptables -A INPUT \
      --dst 1.2.3.4 \
      -p udp --dport 53 \
      -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
      -j DROP
  113. 113
    ldx 4*([14]&0xf)
    ld #34
    add x
    tax
    lb_0:
    ldb [x + 0]
    add x
    add #1
    tax
    ld [x + 0]
    jneq #0x07657861, lb_1
    ld [x + 4]
    jneq #0x6d706c65, lb_1
    ld [x + 8]
    jneq #0x03636f6d, lb_1
    ldb [x + 12]
    jneq #0x00, lb_1
    ret #1
    lb_1:
    ret #0
  114. Iptables for application attacks • Conntrack • Connlimit - limit concurrent connections • Hashlimits - limit rate of connections • Rate limit SYN packets per IP • Ipset - blacklisting of IP addresses • Manual blacklisting - feed IP blacklist from HTTP server logs • Supports subnets, timeouts • Automatic blacklisting - hashlimits 114
  115. 115 Internet Router NIC Kernel App iptables fingerprints XDP

  116. Thanks! • Architected for DDoS • Iptables are great • Reduce DNS TTL • Keep your IoT firmware in check • Don't install random APKs • Use 1.1.1.1 resolver :) 116 marek@cloudflare.com @majek04