DDoS Landscape

majek04
June 06, 2018


Transcript

  2. 3.

    Reverse proxy

    Eyeball → Reverse proxy → Origin server

    • Optimizations
    • Caching
    • Security
    • DDoS protection
  45. 76.

    GET /en HTTP/1.1
    User-Agent: <some string>
    Cookie: <some cookie>
    Host: example.com
    Connection: close
    Content-Length: 800000

    a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...
  48. 79.

    Evolution of IoT botnets

    • Mirai - cameras
    • TR-069/TR-064 Deutsche Telekom - CPE
    • Reaper - D-Link, Netgear, and AVTech
    • VPNFilter - routers and NAS
  55. 88.

    function attack(String target, String userAgent, String referer) {
        HashMap WebViewHeaders = new HashMap();
        WebViewHeaders->put("Referer", referer);
        WebViewHeaders->put("X-Requested-With", "");
        WebView[] AttackerViews = new WebView[100];
        for (int i = 0; i < AttackerViews.length; i++) {
            AttackerViews[i] = new WebView();
            AttackerViews[i]->clearHistory();
            AttackerViews[i]->clearFormData();
            AttackerViews[i]->clearCache(true);
            WebViewSettings AWVS = AttackerViews[i]->getSettings()
            AttackWebViewSettings->setJavaScriptEnabled(true);
            AttackWebViewSettings->setUserAgentString(userAgent);
            AttackWebViewSettings->setCacheMode(LOAD_NO_CACHE);
            this->deleteDatabase("webview.db");
            this->deleteDatabase("webviewCache.db");
            AttackerViews[i]->loadUrl(target, WebViewHeaders);
        }
    }
    }

    Porcupine: Profile • Junk payload L7 attacks • Pretty large

    - 1M rps, 200k IP's/h • Brasil, Algeria, Tunisia, Ukraine • Attacker: . • Infection: . 103
  69. 110.

    Divide and conquer

    • DNS
      • splits traffic against multiple IPs
    • Anycast
      • splits traffic globally
    • ECMP
      • splits traffic within datacenter
    • Tuned network card
      • splits traffic across CPUs
  70. 112.

    # drops UDP/53 packets to 1.2.3.4 whose DNS question name is exactly "example.com"
    iptables -A INPUT \
        --dst 1.2.3.4 \
        -p udp --dport 53 \
        -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
        -j DROP
  71. 113.

    ldx 4*([14]&0xf)
    ld #34
    add x
    tax
    lb_0:
    ldb [x + 0]
    add x
    add #1
    tax
    ld [x + 0]
    jneq #0x07657861, lb_1
    ld [x + 4]
    jneq #0x6d706c65, lb_1
    ld [x + 8]
    jneq #0x03636f6d, lb_1
    ldb [x + 12]
    jneq #0x00, lb_1
    ret #1
    lb_1:
    ret #0

    The same kind of check in assembler form, written for an Ethernet-framed packet (hence the offsets 14 and 34); the lb_0 block skips one leading label before the comparison, so this variant matches queries of the form <label>.example.com.
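The bytecode on slide 112 is hard to read by eye, so here is an added example (my code, not part of the deck) that decodes that exact bytecode string into instructions, runs it through a minimal classic-BPF interpreter, and feeds it constructed IPv4/UDP/DNS queries laid out the way the iptables bpf match sees them (the packet starts at the IP header, no Ethernet frame). Only the bytecode string comes from the slide; the packet builder, the interpreter, the `would_drop` helper and the sample addresses are assumptions of this example. Running it confirms that the rule drops queries whose question name is exactly example.com, whatever the IP header length, and passes www.example.com, example.org and example.com.au.

```python
import struct

# Bytecode string copied from the deck's iptables rule (the argument to -m bpf --bytecode).
DNS_EXAMPLE_COM_BYTECODE = (
    "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,"
    "64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,"
    "21 0 1 0,6 0 0 1,6 0 0 0"
)


def parse_bytecode(text):
    """Split the 'N,code jt jf k,...' string into (code, jt, jf, k) tuples."""
    parts = text.split(",")
    insns = [tuple(int(f) for f in p.split()) for p in parts[1:]]
    if len(insns) != int(parts[0]):
        raise ValueError("instruction count does not match header")
    return insns


def run_cbpf(insns, pkt):
    """Tiny classic-BPF interpreter covering only the opcodes the filter above uses.

    Returns the program's return value (non-zero means "match"). An out-of-bounds
    load returns 0, as the kernel does, so truncated packets never match.
    """
    a = x = 0
    pc = 0
    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        pc += 1
        if code == 0x00:            # ld #k            BPF_LD|BPF_W|BPF_IMM
            a = k
        elif code == 0xB1:          # ldx 4*([k]&0xf)  BPF_LDX|BPF_B|BPF_MSH (IP header length)
            if k >= len(pkt):
                return 0
            x = 4 * (pkt[k] & 0xF)
        elif code == 0x0C:          # add x            BPF_ALU|BPF_ADD|BPF_X
            a = (a + x) & 0xFFFFFFFF
        elif code == 0x07:          # tax              BPF_MISC|BPF_TAX
            x = a
        elif code == 0x40:          # ld [x+k]         BPF_LD|BPF_W|BPF_IND, big-endian word
            if x + k + 4 > len(pkt):
                return 0
            a = struct.unpack_from("!I", pkt, x + k)[0]
        elif code == 0x50:          # ldb [x+k]        BPF_LD|BPF_B|BPF_IND
            if x + k + 1 > len(pkt):
                return 0
            a = pkt[x + k]
        elif code == 0x15:          # jeq #k, jt, jf   BPF_JMP|BPF_JEQ|BPF_K (jneq in asm swaps jt/jf)
            pc += jt if a == k else jf
        elif code == 0x06:          # ret #k           BPF_RET|BPF_K
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#04x}")
    return 0


def build_dns_query(qname, ihl_words=5):
    """Constructed IPv4/UDP/DNS query (sample data, not captured traffic), starting at the
    IP header as iptables' bpf match sees it. ihl_words > 5 appends zeroed IP options so
    the IHL arithmetic at the top of the filter is exercised."""
    labels = b"".join(bytes([len(part)]) + part.encode() for part in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)         # QTYPE A, QCLASS IN
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns   # UDP checksum left zero
    header_len = ihl_words * 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, header_len + len(udp),
                     0, 0, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([1, 2, 3, 4]))
    ip += b"\x00" * (header_len - 20)                                # IP options padding
    return ip + udp


def would_drop(qname, ihl_words=5):
    """True if the rule on the slide would DROP a query for qname."""
    pkt = build_dns_query(qname, ihl_words)
    return run_cbpf(parse_bytecode(DNS_EXAMPLE_COM_BYTECODE), pkt) != 0


if __name__ == "__main__":
    for name in ("example.com", "www.example.com", "example.org", "example.com.au"):
        print(f"{name:20s} -> {'DROP' if would_drop(name) else 'pass'}")
```

The assembler listing on slide 113 is not byte-for-byte the same program (it assumes an Ethernet header and skips one leading label), so checking it the same way needs its own bytecode from bpf_asm and a packet builder that prepends a 14-byte Ethernet frame; the interpreter above needs no change for that.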
  72. 114.

    Iptables for application attacks

    • Conntrack
    • Connlimit - limit concurrent connections
    • Hashlimits - limit rate of connections
    • Rate limit SYN packets per IP
    • Ipset - blacklisting of IP addresses
      • Manual blacklisting - feed IP blacklist from HTTP server logs
      • Supports subnets, timeouts
      • Automatic blacklisting - hashlimits
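To make the "manual blacklisting from HTTP server logs" and "supports subnets, timeouts" points concrete, here is an added Python example (mine, not from the deck or from Cloudflare) that parses constructed combined-format access log lines, flags client IPs that exceed a per-window request count, collapses offenders that share a /24 into a single network entry, and emits the ipset commands that load them with a timeout so entries expire on their own. The thresholds, the set name ddos_blocklist, the log lines and the sample addresses are all assumptions of this example.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined-log-format prefix: client IP, ident, user, [timestamp], "request", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})\b')


def constructed_access_log():
    """Constructed sample, not real traffic: three hosts in 203.0.113.0/24 each send 12 POSTs
    within one minute; one more host in that /24 and one in 198.51.100.0/24 look normal."""
    line = '{ip} - - [06/Jun/2018:10:00:{sec:02d} +0000] "POST /en HTTP/1.1" 200 512'
    lines = []
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        lines += [line.format(ip=ip, sec=s) for s in range(12)]
    lines.append(line.format(ip="203.0.113.99", sec=5))
    lines += [line.format(ip="198.51.100.7", sec=s) for s in range(2)]
    lines.append("garbage line that does not parse")      # log corruption must not crash the feed
    return lines


def parse_line(line):
    """Return (client_ip, timestamp) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts


def offending_ips(lines, window_seconds=60, max_requests=10):
    """IPs that exceed max_requests in any fixed window of window_seconds (assumed thresholds)."""
    per_ip = defaultdict(Counter)       # ip -> window index -> request count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        per_ip[ip][int(ts.timestamp()) // window_seconds] += 1
    return sorted(ip for ip, windows in per_ip.items() if max(windows.values()) > max_requests)


def aggregate_to_subnets(ips, prefix=24, min_hosts=3):
    """Collapse offenders into one /prefix entry once min_hosts of them share it; keep the rest as hosts."""
    by_net = defaultdict(list)
    for ip in ips:
        by_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].append(ip)
    entries = []
    for net, hosts in by_net.items():
        entries.extend([str(net)] if len(hosts) >= min_hosts else hosts)
    return sorted(entries)


def ipset_commands(entries, setname="ddos_blocklist", timeout=600):
    """Shell lines that load the entries into a hash:net set whose members expire after
    timeout seconds. The rule consuming the set would be:
    iptables -A INPUT -m set --match-set ddos_blocklist src -j DROP"""
    cmds = [f"ipset create {setname} hash:net timeout {timeout} -exist"]
    cmds += [f"ipset add {setname} {entry} timeout {timeout} -exist" for entry in entries]
    return cmds


if __name__ == "__main__":
    offenders = offending_ips(constructed_access_log())
    for cmd in ipset_commands(aggregate_to_subnets(offenders)):
        print(cmd)
```

Because every entry carries a timeout, the set cleans itself up when an attack source goes quiet, which is the property the slide calls out; re-running the script on fresh logs simply refreshes the timers of sources that are still active (ipset's -exist flag makes the re-add idempotent).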
  73. 116.

    Thanks!

    • Architected for DDoS
    • Iptables are great
    • Reduce DNS TTL
    • Keep your IoT firmware in check
    • Don't install random APKs
    • Use 1.1.1.1 resolver :)

    marek@cloudflare.com @majek04