Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How Cloudflare deals with largest DDoS attacks?

majek04
November 25, 2017
Programming
2
2.8k

How Cloudflare deals with largest DDoS attacks?

majek04

November 25, 2017
Tweet

More Decks by majek04

See All by majek04
BPF programmable socket lookup
majek04
0
520
Linux at Cloudflare
majek04
3
6.6k
DDoS Landscape
majek04
0
340
Inside Cloudbleed
majek04
3
2.4k
Golang sucks
majek04
21
51k
Gatelogic - Somewhat functional reactive framework in Python
majek04
1
4.3k
Why we chose Service Worker API
majek04
0
2.2k
IP Spoofing - DEFCON
majek04
1
720
Recent DDoS
majek04
0
260

Other Decks in Programming

See All in Programming
if constexpr文はテンプレート世界のラムダ式である
faithandbrave
3
670
使ってみよう Azure AI Document Intelligence
kosmosebi
2
360
MicrosoftのPlatform Engineeringガイドを読んで実際になにかやってみた
ymd65536
1
490
Azure OpenAI Serviceのプロンプトエンジニアリング入門
tomokusaba
3
860
AWS CDKコントリビュートTIPS / aws-cdk-contribution-tips
gotok365
4
320
Going beyond Apache Parquet's default settings
xhochy
0
120
ゆるい個人開発のススメ
kuroppe1819
10
1k
GitHub Copilotのススメ
marcy731
1
220
Code Reviews
bkuhlmann
4
890
サイコロで理解する統計的仮説検定の考え方
tatamiya
4
1k
Behind VS Code Extensions for JavaScript / TypeScript Linnting and Formatting
unvalley
5
1.1k
Ruby GitHub Packages
bkuhlmann
0
640

Featured

See All Featured
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
21
1.4k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Creatively Recalculating Your Daily Design Routine
revolveconf
211
11k
Debugging Ruby Performance
tmm1
70
11k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
Building an army of robots
kneath
300
41k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
20
1.7k
Designing for humans not robots
tammielis
248
25k
Learning to Love Humans: Emotional Interface Design
aarron
267
39k
A Philosophy of Restraint
colly
197
16k

Transcript

  1. How Cloudflare deals with largest DDoS attacks Marek Majkowski @majek04

  2. 2

  3. Reverse proxy 3 Eyeball Reverse proxy Origin server • Optimizations

    • Caching • DDoS protection • Security

  4. 4

  5. 5

  6. How to perform an attack? 6

  7. 7 X Attacker Visitor Target Bots

  8. 1. Get a cool costume 8

  9. 9 2. Fix your keyboard

  10. 3. Get a cool name 10 • Anonymous • Lizard

    Squad • WireX • Syrian Electronic Army • vDOS

  11. 4. Choose attack type • L3 Amplification (requires IP Spoofing)

    • L3 Direct • L7 - repetitive • L7 - smart 11

  12. Attack types • Amplification • SYN • DNS • HTTP

    • HTTPS 12 ⟯ ⟯ OSI L3 (source IP irrelevant) OSI L7 (established TCP/IP)

  13. Attack types 13 IP Spoofing Large Easy to block Easy

    to implement L3 Amplification required YES yes yes L3 Direct desired no depends depends L7 repetitive no yes yes L7 smart no no no

  14. 14 more bots == better

  15. 5. Choose infection vector • Ask users - hacktivism •

    Windows XP zombies • VPS Servers - Shellshock • CPE routers - Mirai • Android phones - WireX 15

  16. Infection vectors 16 IP Spoofing Plenty? Infection software Windows XP

    maybe, hard to maintain acquire? Zeus VPS Servers sometimes internet scan ? CPE Routers sometimes new vulnerability custom Android phones yes phishing custom

  17. 17 https://www.fbi.gov/wanted/cyber

  18. 18

  19. Five case studies 19

  20. 1. Asia direct 20

  21. 21

  22. 22 Target Server Attacker 510 Gbps Direct SYN flood

  23. 23

  24. 24 1 in 10000 packets

  25. Internet economics 25 Tier 1 provider Attacking network Target network

    $ $

  26. 26 Spoofed? (source: DaPuglet)

  27. 27 5.6.7.8 8.8.8.8 IP Spoofing

  28. 28 Enables impersonation Real 8.8.8.8 Destination 5.6.7.8 Spoofed 8.8.8.8

  29. 29

  30. 30

  31. 31

  32. 32

  33. 33

  34. 34

  35. 35

  36. 36

  37. Asia direct: Profile • Direct SYN floods • VERY big

    - 510Gbps, 300Mpps • Hitting small number of pops • Capable of IP Spoofing • Attacker: ???? • Infection: Servers 37

  38. Is it a day job? 38

  39. Asia: mitigation 39 iptables -A INPUT \ --dst 1.2.3.4 \

    -p udp --dport 53 \ -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \ -j DROP

  40. BPF Bytecode 40 ldx 4*([14]&0xf) ld #34 add x tax

    lb_0: ldb [x + 0] add x add #1 tax ld [x + 0] jneq #0x07657861, lb_1 ld [x + 4] jneq #0x6d706c65, lb_1 ld [x + 8] jneq #0x03636f6d, lb_1 ldb [x + 12] jneq #0x00, lb_1 ret #1 lb_1: ret #0

  41. 41

  42. 42 Internet Router NIC Kernel App XDP Iptables

  43. Application integration 43 1.2.3.4 1.2.3.5 1.2.3.6 dig A example.com 1.2.3.7

    X

  44. 2. Asia amplification 44

  45. 45

  46. 46 UDP Server UDP Client request response

  47. 47 Attacker Target UDP Server request response

  48. 48 Attacker Target UDP Server request response 10 bytes 100

    bytes

  49. 49 Attacker Target UDP Servers requests responses

  50. 50

  51. 51 192.0.2.0/24 Internet Los Angeles 192.0.2.0/24 London 192.0.2.0/24 Amsterdam 192.0.2.0/24

    Moscow 192.0.2.0/24 San Jose 192.0.2.0/24 New York

  52. 52

  53. March 2013: Spamhaus 53 300 Gbps of traffic 27 Gbps

    of spoofing Exposed DNS Resolvers

  54. 54

  55. 55 Mbps - AMP sport=1900 min:406 avg:22608 med=4663 max:186124 dev:35565

    count:1319 Mbps - AMP sport=1900: value |-------------------------------------------------- count 134 | 0 268 | *************************************** 145 536 |************************************************** 182 1073 | ******************************************** 163 2147 | ******************************************* 157 4294 | *********************************** 131 8589 | ************************ 88 17179 | ************************************************ 176 34359 | ************************************ 133 68719 | ******************************** 117 137438 | ******* 27

  56. Asia SSDP: Profile • Amplification SSDP attakcs • Pretty large

    - 186Gbps • Hitting LARGE number of pops • (we know) source is in Asia, Interesting targets • Requires IP Spoofing • Attacker: ???? • Infection: Servers 56

  57. 57

  58. 58

  59. 59 https://badupnp.benjojo.co.uk/

  60. 3. IoT - connected cameras 60

  61. 61

  62. 62

  63. 63

  64. 64 IP reputation (source: the internet)

  65. 65

  66. 66

  67. 67 GET /en HTTP/1.1 User-Agent: <some string> Cookie: <some cookie>

    Host: example.com Connection: close Content-Length: 800000 a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...

  68. IoT: Profile • Repetitive L7 attacks • Pretty large -

    700k rps, 400Gbps, • 128k source IP's • Ukraine, Vietnam • Attacker: ???? • Infection: CCTV Botnet 68

  69. 69 Internet Router NIC Kernel App conntrack iptables fingerprints

  70. 4. Porcupine 70

  71. 71

  72. 72

  73. 73

  74. 74

  75. 75

  76. Porcupine: Profile • Junk payload L7 attacks • Pretty large

    - 1M rps, 200k IP's/h • Brasil, Algeria, Tunisia, Ukraine • Attacker: . • Infection: . 76

  77. 77

  78. 5. WireX 78

  79. 79

  80. 80 User-Agent: jigpuzbcomkenhvladtwysqfxr User-Agent: yudjmikcvzoqwsbflghtxpanre User-Agent: mckvhaflwzbderiysoguxnqtpj User-Agent: deogjvtynmcxzwfsbahirukqpl User-Agent:

    fdmjczoeyarnuqkbgtlivsxhwp User-Agent: yczfxlrenuqtwmavhojpigkdsb User-Agent: dnlseufokcgvmajqzpbtrwyxih

  81. 81

  82. 82

  83. 83

  84. 84 function attack(String target, String userAgent, String referer) { HashMap

    WebViewHeaders = new HashMap(); WebViewHeaders->put(“Referer”,referer); WebViewHeaders->put(“X-Requested-With”,””); WebView[] AttackerViews = new WebView[100]; for (int i=0; i<AttackerViews.length; i++) { AttackerViews[i] = new WebView(); AttackerViews[i]->clearHistory(); AttackerViews[i]->clearFormData(); AttackerViews[i]->clearCache(true); WebViewSettings AWVS = AttackerViews[i]->getSettings() AttackWebViewSettings->setJavaScriptEnabled(true); AttackWebViewSettings->setUserAgentString(userAgent); AttackWebViewSettings->setCacheMode(LOAD_NO_CACHE); this->deleteDatabase(“webview.db”); this->deleteDatabase(“webviewCache.db”); AttackerViews[i]->loadUrl(target,WebViewHeaders); } } }

  85. WireX: Profile • Real-looking L7 requests • Mid-size - 80k

    rps, 120k IP's/h • Location: Everywhere • Targets: interesting • Attacker: . • Infection: 300+ Android apps 85

  86. 6. Elections 86

  87. 87

  88. Attack data • trump.com: ~54,000 attacks per day • donaldjtrump.com:

    ~501,000 attacks per day • trump.com: Attacked on 100% of days • donaldjtrump.com: Attacked on 94.4% of days 88

  89. Attack data • trump.com: • 25 Apr 2016 ~3,4M requests

    (39 rps) • donaldjtrump.com: • 10 Dec 2015 ~15M requests (173 rps) 89

  90. 90

  91. 91

  92. 7. The great cannon 92

  93. 93 Eyeball Target Infected website

  94. 94

  95. Infected website? • Compromised JS • Competition case • China

    great firewall • L3 injection to scripts • Rogue AD 95

  96. Cloudflare 96

  97. 97 1. Architecture

  98. 98 2. Mitigation in software

  99. 99 Attack Detection Mitigation Automation

  100. Thanks! • Architected for DDoS • Iptables + BPF great

    for L3 • Kernel bypass • XDP • Iptables + Conntrack great for L7 • Also: connlimit, hashlimits, ipset 100 marek@cloudflare.com @majek04