How Cloudflare deals with largest DDoS attacks?

majek04
November 25, 2017


Transcript

  1. How Cloudflare deals with largest DDoS attacks, Marek Majkowski (@majek04)

  3. Reverse proxy (diagram): Eyeball → Reverse proxy → Origin server
     • Optimizations
     • Caching
     • DDoS protection
     • Security
  6. How to perform an attack?

  7. (diagram) Attacker → Bots → Target; Visitor (X)

  8. 1. Get a cool costume

  9. 2. Fix your keyboard

  10. 3. Get a cool name
      • Anonymous
      • Lizard Squad
      • WireX
      • Syrian Electronic Army
      • vDOS
  11. 4. Choose attack type
      • L3 Amplification (requires IP spoofing)
      • L3 Direct
      • L7 - repetitive
      • L7 - smart
  12. Attack types
      • Amplification, SYN, DNS: OSI L3 (source IP irrelevant)
      • HTTP, HTTPS: OSI L7 (established TCP/IP)
  13. Attack types

                         IP Spoofing   Large   Easy to block   Easy to implement
      L3 Amplification   required      YES     yes             yes
      L3 Direct          desired       no      depends         depends
      L7 repetitive      no            yes     yes             yes
      L7 smart           no            no      no              no
  14. more bots == better

  15. 5. Choose infection vector
      • Ask users - hacktivism
      • Windows XP zombies
      • VPS servers - Shellshock
      • CPE routers - Mirai
      • Android phones - WireX
  16. Infection vectors

                       IP Spoofing               Plenty?             Infection software
      Windows XP       maybe, hard to maintain   acquire?            Zeus
      VPS servers      sometimes                 internet scan       ?
      CPE routers      sometimes                 new vulnerability   custom
      Android phones   yes                       phishing            custom
  17. https://www.fbi.gov/wanted/cyber

  19. Five case studies

  20. 1. Asia direct

  22. (diagram) Attacker → Target server: 510 Gbps direct SYN flood

  24. 1 in 10000 packets

  25. Internet economics (diagram): Tier 1 provider; Attacking network ($); Target network ($)
  26. Spoofed? (image source: DaPuglet)

  27. IP spoofing (diagram): 5.6.7.8, 8.8.8.8

  28. Enables impersonation: Real 8.8.8.8; Destination 5.6.7.8; Spoofed 8.8.8.8

  37. Asia direct: Profile
      • Direct SYN floods
      • VERY big: 510 Gbps, 300 Mpps
      • Hitting a small number of PoPs
      • Capable of IP spoofing
      • Attacker: ????
      • Infection: Servers
  38. Is it a day job?

  39. Asia: mitigation

      iptables -A INPUT \
        --dst 1.2.3.4 \
        -p udp --dport 53 \
        -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
        -j DROP

      The rule drops UDP/53 packets to 1.2.3.4 whose DNS question name is exactly example.com. The cBPF program loads the IPv4 header length (177 = ldxb 4*([0]&0xf)), adds 20 (8-byte UDP header + 12-byte DNS header) to reach the QNAME, and compares it in place: 124090465 = 0x07657861 = "\x07exa", 1836084325 = 0x6d706c65 = "mple", 56848237 = 0x03636f6d = "\x03com", then a single 0x00 terminator byte. Any mismatch jumps to the final ret #0 (no match).
  40. BPF Bytecode (bpf_asm syntax)

        ldx 4*([14]&0xf)
        ld #34
        add x
        tax
      lb_0:
        ldb [x + 0]
        add x
        add #1
        tax
        ld [x + 0]
        jneq #0x07657861, lb_1
        ld [x + 4]
        jneq #0x6d706c65, lb_1
        ld [x + 8]
        jneq #0x03636f6d, lb_1
        ldb [x + 12]
        jneq #0x00, lb_1
        ret #1
      lb_1:
        ret #0

      The three 32-bit constants and the final byte spell "\x07example\x03com\x00", the wire-format QNAME. This listing is written against a frame with a 14-byte Ethernet header ([14] is the first byte of the IP header, #34 = 14 + 8 UDP + 12 DNS header), whereas the iptables bytecode on the previous slide starts at the IP header ([0] and #20). It also steps over one leading label (ldb [x + 0], add x, add #1, tax) before comparing, so it matches "<label>.example.com" rather than the bare name.
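The same filter, worked through in code. This is an added example, not the deck's or Cloudflare's code: it builds the cBPF program for any query name (the slide shows the one instance, example.com), serialises it in the `--bytecode "N,code jt jf k,..."` form that xt_bpf accepts, and runs it through a small interpreter over constructed IPv4/UDP/DNS packets so the offset arithmetic can be checked offline. The packet builder, the interpreter and the choice of opcode subset are this example's own assumptions; the opcode numbers are those of the Linux classic BPF instruction set.

```python
"""
Classic BPF (cBPF) DNS-name filter of the kind loaded with `iptables -m bpf
--bytecode`. Added example: regenerates the slide's bytecode for any name and
runs it through a tiny cBPF interpreter on constructed packets.
"""
import struct

# cBPF opcodes used by the filter (numeric values as in <linux/filter.h>).
LD_IMM  = 0x00   # ld #k             A = k
LD_IND  = 0x40   # ld [x+k]          A = 32-bit word at X+k (network order)
LDH_IND = 0x48   # ldh [x+k]         A = 16-bit half-word at X+k
LDB_IND = 0x50   # ldb [x+k]         A = byte at X+k
LDX_MSH = 0xb1   # ldxb 4*([k]&0xf)  X = IPv4 header length (IHL*4)
ADD_X   = 0x0c   # add x             A += X
TAX     = 0x07   # tax               X = A
JEQ_K   = 0x15   # jeq #k, jt, jf
RET_K   = 0x06   # ret #k

def encode_qname(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (DNS wire format)."""
    labels = [l.encode() for l in name.rstrip('.').split('.')]
    return b''.join(bytes([len(l)]) + l for l in labels) + b'\x00'

def qname_filter(name):
    """Instructions (code, jt, jf, k) returning 1 iff the DNS QNAME equals
    `name`. xt_bpf hands the filter the packet starting at the IPv4 header,
    so QNAME begins at IHL*4 + 8 (UDP) + 12 (DNS header) = IHL*4 + 20."""
    wire = encode_qname(name)
    prog = [(LD_IMM, 0, 0, 20), (LDX_MSH, 0, 0, 0), (ADD_X, 0, 0, 0), (TAX, 0, 0, 0)]
    checks, off = [], 0                      # (load opcode, offset, expected value)
    while len(wire) - off >= 4:
        checks.append((LD_IND, off, struct.unpack('!I', wire[off:off + 4])[0]))
        off += 4
    if len(wire) - off >= 2:
        checks.append((LDH_IND, off, struct.unpack('!H', wire[off:off + 2])[0]))
        off += 2
    if len(wire) - off == 1:
        checks.append((LDB_IND, off, wire[off]))
    n = len(checks)
    for i, (code, off, k) in enumerate(checks):
        prog.append((code, 0, 0, off))
        prog.append((JEQ_K, 0, 2 * (n - i) - 1, k))   # mismatch: skip to final ret #0
    prog.append((RET_K, 0, 0, 1))   # match -> the iptables rule fires (-j DROP)
    prog.append((RET_K, 0, 0, 0))   # no match
    return prog

def to_iptables_bytecode(prog):
    """Serialise as the '--bytecode "N,code jt jf k,..."' string xt_bpf takes."""
    return ','.join([str(len(prog))] + ['%d %d %d %d' % ins for ins in prog])

def run_cbpf(prog, pkt):
    """Interpreter for the opcodes above. A load past the end of the packet
    returns 0 (no match), as the kernel's filter does."""
    A = X = pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        try:
            if code == LD_IMM:    A = k
            elif code == LD_IND:  A = struct.unpack('!I', pkt[X + k:X + k + 4])[0]
            elif code == LDH_IND: A = struct.unpack('!H', pkt[X + k:X + k + 2])[0]
            elif code == LDB_IND: A = pkt[X + k]
            elif code == LDX_MSH: X = 4 * (pkt[k] & 0x0f)
            elif code == ADD_X:   A = (A + X) & 0xffffffff
            elif code == TAX:     X = A
            elif code == JEQ_K:   pc += jt if A == k else jf
            elif code == RET_K:   return k
            else: raise ValueError('opcode 0x%02x not supported' % code)
        except (struct.error, IndexError):
            return 0
    return 0

def dns_query_packet(name, ip_options=b''):
    """Constructed IPv4/UDP/DNS query (no Ethernet header, checksums zero).
    `ip_options` (a multiple of 4 bytes) widens the IP header so that the
    IHL-based offset calculation is exercised."""
    dns = struct.pack('!6H', 0x1234, 0x0100, 1, 0, 0, 0) + encode_qname(name) + struct.pack('!HH', 1, 1)
    udp = struct.pack('!4H', 40000, 53, 8 + len(dns), 0)
    ihl = 5 + len(ip_options) // 4
    total = 20 + len(ip_options) + len(udp) + len(dns)
    ip = struct.pack('!BBHHHBBH4s4s', 0x40 | ihl, 0, total, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([1, 2, 3, 4])) + ip_options
    return ip + udp + dns

if __name__ == '__main__':
    prog = qname_filter('example.com')
    print(to_iptables_bytecode(prog))          # identical to the slide's string
    for q in ('example.com', 'www.example.com', 'example.org'):
        print(q, '->', run_cbpf(prog, dns_query_packet(q)))
```

Two points the slide cannot show: the comparison is byte-exact, so a client that randomises query-name case (0x20 encoding) or asks for a subdomain slips past this filter, and the program must be regenerated per name because the jump offsets depend on how many 4-, 2- and 1-byte chunks the wire-format name needs. Loading a filter that checks only fixed offsets is also what keeps it cheap enough to run per packet in iptables.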
  42. (diagram) Internet → Router → NIC → Kernel → App; XDP, iptables

  43. Application integration (diagram): 1.2.3.4, 1.2.3.5, 1.2.3.6, 1.2.3.7; dig A example.com; X
  44. 2. Asia amplification

  46. (diagram) UDP client → request → UDP server → response

  47. (diagram) Attacker → request → UDP server → response → Target

  48. (diagram) Attacker → request (10 bytes) → UDP server → response (100 bytes) → Target
  49. (diagram) Attacker → requests → many UDP servers → responses → Target

  51. (diagram) 192.0.2.0/24 announced from Los Angeles, London, Amsterdam, Moscow, San Jose and New York (anycast)
  53. March 2013: Spamhaus
      • 300 Gbps of traffic
      • 27 Gbps of spoofing
      • Exposed DNS resolvers
  55. Mbps - AMP sport=1900   min:406 avg:22608 med:4663 max:186124 dev:35565 count:1319

      Mbps - AMP sport=1900:
        value  |--------------------------------------------------  count
          134  |                                                        0
          268  | ***************************************               145
          536  |**************************************************     182
         1073  | ********************************************          163
         2147  | *******************************************           157
         4294  | ***********************************                   131
         8589  | ************************                               88
        17179  | ************************************************      176
        34359  | ************************************                  133
        68719  | ********************************                      117
       137438  | *******                                                27
  56. Asia SSDP: Profile
      • Amplification (SSDP) attacks
      • Pretty large: 186 Gbps
      • Hitting a LARGE number of PoPs
      • (We know) the source is in Asia; interesting targets
      • Requires IP spoofing
      • Attacker: ????
      • Infection: Servers
  59. https://badupnp.benjojo.co.uk/

  60. 3. IoT - connected cameras

  64. IP reputation (image source: the internet)

  67. GET /en HTTP/1.1
      User-Agent: <some string>
      Cookie: <some cookie>
      Host: example.com
      Connection: close
      Content-Length: 800000

      a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...
  68. IoT: Profile
      • Repetitive L7 attacks
      • Pretty large: 700k rps, 400 Gbps
      • 128k source IPs
      • Ukraine, Vietnam
      • Attacker: ????
      • Infection: CCTV botnet
  69. (diagram) Internet → Router → NIC → Kernel → App; conntrack, iptables, fingerprints

  70. 4. Porcupine

  76. Porcupine: Profile
      • Junk-payload L7 attacks
      • Pretty large: 1M rps, 200k IPs/h
      • Brazil, Algeria, Tunisia, Ukraine
      • Attacker: .
      • Infection: .
  78. 5. WireX

  80. User-Agent: jigpuzbcomkenhvladtwysqfxr
      User-Agent: yudjmikcvzoqwsbflghtxpanre
      User-Agent: mckvhaflwzbderiysoguxnqtpj
      User-Agent: deogjvtynmcxzwfsbahirukqpl
      User-Agent: fdmjczoeyarnuqkbgtlivsxhwp
      User-Agent: yczfxlrenuqtwmavhojpigkdsb
      User-Agent: dnlseufokcgvmajqzpbtrwyxih
  84. (decompiled WireX attack routine)

      // One call spins up 100 WebViews, each loading the target with the
      // attacker-chosen User-Agent and Referer, caches cleared so every
      // request reaches the origin.
      void attack(String target, String userAgent, String referer) {
          HashMap<String, String> webViewHeaders = new HashMap<>();
          webViewHeaders.put("Referer", referer);
          webViewHeaders.put("X-Requested-With", "");
          WebView[] attackerViews = new WebView[100];
          for (int i = 0; i < attackerViews.length; i++) {
              attackerViews[i] = new WebView(this);
              attackerViews[i].clearHistory();
              attackerViews[i].clearFormData();
              attackerViews[i].clearCache(true);
              WebSettings settings = attackerViews[i].getSettings();
              settings.setJavaScriptEnabled(true);
              settings.setUserAgentString(userAgent);
              settings.setCacheMode(WebSettings.LOAD_NO_CACHE);
              this.deleteDatabase("webview.db");
              this.deleteDatabase("webviewCache.db");
              attackerViews[i].loadUrl(target, webViewHeaders);
          }
      }
  85. WireX: Profile
      • Real-looking L7 requests
      • Mid-size: 80k rps, 120k IPs/h
      • Location: everywhere
      • Targets: interesting
      • Attacker: .
      • Infection: 300+ Android apps
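Request fingerprints for the two L7 floods shown earlier, the CCTV botnet's request on slide 67 and the WireX User-Agents on slide 80, as an added example. This is not Cloudflare's code: the rules are read off what the slides show (a GET declaring an 800000-byte Content-Length with a body of repeated empty a[]/b[] parameters; User-Agents that are a shuffled a-z alphabet) and are run over constructed sample requests, not captured traffic. The 100000-byte threshold and the class names are this example's assumptions.

```python
"""
Request fingerprints for two L7 floods from the deck. Added example: rules
derived from the slides, exercised on constructed (not captured) requests.
"""
import re
from collections import Counter

# Body shape from slide 67: "a[]=&b[]=&a[]=&b[]=&..." repeated.
CCTV_JUNK_BODY = re.compile(rb'^(?:a\[\]=&b\[\]=&){3,}')
# Assumed threshold: a GET declaring more than this much body is suspect.
MAX_SANE_GET_CONTENT_LENGTH = 100_000
ALPHABET = set('abcdefghijklmnopqrstuvwxyz')

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, headers dict, body prefix)."""
    head, _, body = raw.partition(b'\r\n\r\n')
    lines = head.split(b'\r\n')
    method = lines[0].split(b' ', 1)[0].decode('ascii', 'replace')
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b':')
        headers[name.strip().lower().decode('ascii', 'replace')] = value.strip().decode('latin-1')
    return method, headers, body

def is_wirex_user_agent(ua):
    """Every WireX UA on slide 80 is 26 lowercase letters with no repeats,
    i.e. a random permutation of a-z. No browser UA has that shape."""
    return len(ua) == 26 and set(ua) == ALPHABET

def is_cctv_junk_get(method, headers, body):
    """GET carrying a huge declared body made of empty a[]/b[] parameters."""
    try:
        declared = int(headers.get('content-length', '0'))
    except ValueError:
        return False
    return (method == 'GET' and declared > MAX_SANE_GET_CONTENT_LENGTH
            and CCTV_JUNK_BODY.match(body) is not None)

def classify(raw):
    """Return 'wirex', 'cctv-junk' or 'clean' for one raw request."""
    method, headers, body = parse_request(raw)
    if is_wirex_user_agent(headers.get('user-agent', '')):
        return 'wirex'
    if is_cctv_junk_get(method, headers, body):
        return 'cctv-junk'
    return 'clean'

def summarize(requests):
    """Counts per class over a batch, e.g. one sampling window."""
    return Counter(classify(r) for r in requests)

# Constructed samples (not captured data), shaped like slides 67 and 80.
SAMPLE_CCTV = (b'GET /en HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nCookie: s=1\r\n'
               b'Host: example.com\r\nConnection: close\r\nContent-Length: 800000\r\n\r\n'
               + b'a[]=&b[]=&' * 20)
SAMPLE_WIREX = (b'GET / HTTP/1.1\r\nHost: example.com\r\n'
                b'User-Agent: jigpuzbcomkenhvladtwysqfxr\r\n'
                b'Referer: http://example.com/\r\nX-Requested-With: \r\n\r\n')
SAMPLE_CLEAN = (b'GET /en HTTP/1.1\r\nHost: example.com\r\n'
                b'User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/57.0\r\n\r\n')

if __name__ == '__main__':
    print(summarize([SAMPLE_CCTV, SAMPLE_WIREX, SAMPLE_WIREX, SAMPLE_CLEAN]))
```

Both rules key on the shape of the request rather than exact bytes, because an operator can change a literal string in the next app update; a shuffled-alphabet User-Agent is still a brittle signature, so in practice a hit like this feeds a rate limit or a challenge rather than a permanent block of the source IP.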
  86. 6. Elections

  88. Attack data
      • trump.com: ~54,000 attacks per day
      • donaldjtrump.com: ~501,000 attacks per day
      • trump.com: attacked on 100% of days
      • donaldjtrump.com: attacked on 94.4% of days
  89. Attack data
      • trump.com: 25 Apr 2016, ~3.4M requests (39 rps)
      • donaldjtrump.com: 10 Dec 2015, ~15M requests (173 rps)
  92. 7. The great cannon

  93. (diagram) Eyeball, Infected website, Target

  95. Infected website?
      • Compromised JS
      • Competition case
      • China's Great Firewall
      • L3 injection into scripts
      • Rogue ad
  96. Cloudflare

  97. 1. Architecture

  98. 2. Mitigation in software

  99. Attack → Detection → Mitigation → Automation

  100. Thanks!
       • Architected for DDoS
       • iptables + BPF: great for L3
       • Kernel bypass
       • XDP
       • iptables + conntrack: great for L7
       • Also: connlimit, hashlimit, ipset
       marek@cloudflare.com  @majek04