IP Spoofing

majek04
September 17, 2016

Transcript

  1. Are DDoS attacks a threat to
    the decentralised internet?
    Marek Majkowski

  2. 2
    DDoS
    IP Spoofing
    Solution
    Untraceable, Sophisticated
    Centralisation

  3. 3
    Global network

  4. 4
    Content neutral

  5. 5
    Daily attacks

  6. 6
    We have to solve it

  7. 7
    Record breaking attacks at CF
    Nickname             Type               Volume
    Spamhaus             DNS amplification  300 Gbps
    “Winter of attacks”  Direct             400 Gbps
    New attack           Direct subnet      400 Gbps

  8. Two things in common
    8

  9. 9
    Flood of IP packets

  10. 10
    IP Spoofing
    (source: DaPuglet)

  11. 11
    IP Spoofing
    8.8.8.8
    5.6.7.8

  12. 12
    Enables impersonation
    (diagram: Real 8.8.8.8, Spoofed 8.8.8.8, Destination 5.6.7.8)

  13. 13
    May 2000: BCP38

  14. 14
    Measured Autonomous Systems (spoofer.caida.org):
    Inconsistent: 15.8%
    Spoofable: 27.8%
    Unspoofable: 56.4%

  15. 15
    Filter close to the source
    (diagram: Source, ISP 1, Internet Carrier A, Internet Carrier B, Destination, X)

  16. 16
    IP Spoofing:
    • Enables impersonation
    • Not a solved problem

  17. 17
    IP Spoofing
    1. Tracing back is impossible
    2. Allows sophisticated attacks

  18. 18
    Tracing the attack
    (chart: Received PPS over time, with the point where the attack starts marked)

  19. 19
    Tcpdump
    $ tcpdump -ni eth0 -c 100
    IP 94.242.250.109.47330 > 1.2.3.4:80: Flags [S], seq 1444613291, win 63243
    IP 188.138.1.240.61454 > 1.2.3.4:80: Flags [S], seq 1995637287, win 60551
    IP 207.244.90.205.17572 > 1.2.3.4:80: Flags [S], seq 1523683071, win 61607
    IP 94.242.250.224.65127 > 1.2.3.4:80: Flags [S], seq 928944042, win 61778
    IP 207.244.90.205.43074 > 1.2.3.4:80: Flags [S], seq 137074667, win 63891
    IP 64.22.81.44.23865 > 1.2.3.4:80: Flags [S], seq 838596928, win 63808
    IP 188.138.1.137.23373 > 1.2.3.4:80: Flags [S], seq 593106072, win 60272
    IP 207.244.90.205.39653 > 1.2.3.4:80: Flags [S], seq 47289666, win 63210
    IP 208.66.78.204.64197 > 1.2.3.4:80: Flags [S], seq 1850809890, win 62714
    IP 207.244.90.205.33108 > 1.2.3.4:80: Flags [S], seq 319707959, win 63351
    IP 207.244.90.205.6937 > 1.2.3.4:80: Flags [S], seq 1591500126, win 63902
    IP 213.152.180.151.60560 > 1.2.3.4:80: Flags [S], seq 1902119375, win 62511
    IP 64.22.79.127.11061 > 1.2.3.4:80: Flags [S], seq 1456438676, win 62148

  20. 20
    Which router iface is it from?
    Router Server

  21. 21
    Identifying interface
    Attacks

  22. 22
    Identifying the interface

  23. 23
    Other side of the cable
    (diagram: Server, Router, Direct Peering, Local Internet Exchange, Internet Carrier)

  24. 24
    1. Direct Peering
    Router
    Direct Peering

  25. 25
    2. Internet Exchange
    3. Internet Carrier
    (diagram: Router, Local Internet Exchange, Router, Internet Carrier)

  26. 26
    2. Internet Exchanges

  27. 27
    2. Internet Exchanges
    Router
    Internet Exchange
    L2 SWITCH
    Local ISP #1
    Local ISP #2
    Local ISP #3

  28. 28
    3. Internet Carriers
    (diagram: Target network, Router, Internet Carrier)

  29. 29
    “Winter of attacks”

  30. 30
    “Winter of attacks”
    (diagram: LAX router, Internet Carrier, src IP = Hurricane Electric)

  31. 31
    “Winter of attacks”
    (diagram: LAX router, Internet Carrier, Hurricane Electric ???, Hurricane Electric ???)

  32. Lack of attribution

  33. 33
    IP Spoofing
    1. Tracing back is impossible
    2. Allows sophisticated attacks

  34. 34
    Sophistication
    Spamhaus             DNS amplification
    “Winter of attacks”  Direct
    Direct subnet        Direct

  35. 1. UDP request-response
    35
    UDP Server
    UDP Client
    request response

  36. 1. Amplification
    36
    Attacker
    Target
    UDP Server
    request
    response

  37. 1. Amplification factor
    37
    Attacker
    Target
    UDP Server
    request
    response
    10 bytes
    100 bytes

  38. 1. Scale up!
    38
    Attacker
    Target
    UDP Servers
    requests
    responses

  39. March 2013: Spamhaus
    39
    300 Gbps of traffic
    27 Gbps of spoofing
    Exposed
    DNS Resolvers

  40. 40
    Amplification easy to block
    • Easy to block on firewall
      • udp and src port 53
    • The internet is fighting exposed DNS resolvers
      • openresolverproject.org
      • openntpproject.org
      • www.shodan.io

  41. 41
    Sophistication
    Spamhaus             DNS amplification
    “Winter of attacks”  Direct
    Direct subnet        Direct

  42. 42
    2. “Winter of attacks”
    Target
    Server
    Attacker
    400 Gbps

  43. 43

  44. 44
    2. Gigantic SYN flood
    Target
    Server
    Attacker
    400 Gbps
    Direct SYN flood

  45. 45
    Blocked with BPF
    iptables -A INPUT \
        --dst 1.2.3.4 \
        -p udp --dport 53 \
        -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
        -j DROP

  46. 46
    BPF bytecode
    ldx 4*([14]&0xf)
    ld #34
    add x
    tax
    lb_0:
    ldb [x + 0]
    add x
    add #1
    tax
    ld [x + 0]
    jneq #0x07657861, lb_1
    ld [x + 4]
    jneq #0x6d706c65, lb_1
    ld [x + 8]
    jneq #0x03636f6d, lb_1
    ldb [x + 12]
    jneq #0x00, lb_1
    ret #1
    lb_1:
    ret #0

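As an added example (not from the deck), the Python below regenerates the `--bytecode` string from slide 45 from a DNS name and runs it against a constructed packet: the constants 0x07657861 0x6d706c65 0x03636f6d 0x00 are the wire form of `example.com`, and the leading `ld #20; ldx 4*([0]&0xf)` reflects that xt_bpf sees the packet from the IP header (no Ethernet frame, unlike the assembly above). It assumes IPv4, UDP and an uncompressed QNAME at DNS offset 12; the interpreter and packet builder are written here for the demonstration.

```python
# Added example, not from the deck: rebuild the xt_bpf --bytecode string from a DNS name
# and test it on a constructed IPv4+UDP+DNS packet (QNAME uncompressed at DNS offset 12).

def dns_wire_name(name):
    """RFC 1035 labels: 'example.com' -> b'\\x07example\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def bpf_match_qname(name, payload_offset=20):
    """cBPF (code, jt, jf, k) tuples; 20 = 8 (UDP) + 12 (DNS header) past the IP
    header, whose variable length is added at runtime by ldx 4*([0]&0xf)."""
    wire, loads, off = dns_wire_name(name), [], 0
    while off < len(wire):            # compare 4, then 2, then 1 bytes at a time
        size = 4 if len(wire) - off >= 4 else 2 if len(wire) - off >= 2 else 1
        opcode = {4: 0x40, 2: 0x48, 1: 0x50}[size]     # ld / ldh / ldb [x + off]
        loads.append((opcode, off, int.from_bytes(wire[off:off + size], "big")))
        off += size
    prog = [(0x00, 0, 0, payload_offset),  # ld  #payload_offset
            (0xb1, 0, 0, 0),               # ldx 4*([0]&0xf)   (IHL in bytes)
            (0x0c, 0, 0, 0),               # add x
            (0x07, 0, 0, 0)]               # tax -> X = offset of QNAME
    for i, (opcode, off, k) in enumerate(loads):
        prog.append((opcode, 0, 0, off))
        prog.append((0x15, 0, 2 * (len(loads) - 1 - i) + 1, k))  # jeq, else ret #0
    return prog + [(0x06, 0, 0, 1), (0x06, 0, 0, 0)]   # ret #1 (match), ret #0

def to_iptables_bytecode(prog):
    """Serialise as the "N,code jt jf k,..." string that -m bpf --bytecode takes."""
    return f"{len(prog)}," + ",".join(f"{c} {jt} {jf} {k}" for c, jt, jf, k in prog)

def run_bpf(prog, pkt):
    """Minimal interpreter for the opcodes emitted above; pkt starts at the IP header."""
    a = x = pc = 0
    while True:
        code, jt, jf, k = prog[pc]; pc += 1
        if code == 0x00: a = k
        elif code == 0xb1: x = 4 * (pkt[k] & 0xf)
        elif code == 0x0c: a = (a + x) & 0xffffffff
        elif code == 0x07: x = a
        elif code in (0x40, 0x48, 0x50):
            size = {0x40: 4, 0x48: 2, 0x50: 1}[code]
            if x + k + size > len(pkt): return 0      # out-of-bounds load rejects
            a = int.from_bytes(pkt[x + k:x + k + size], "big")
        elif code == 0x15: pc += jt if a == k else jf
        elif code == 0x06: return k

def dns_query_packet(qname, ihl=5):
    """Constructed IPv4 header (ihl*4 bytes, other fields zero) + UDP + DNS A query."""
    return (bytes([0x40 | ihl]) + bytes(ihl * 4 - 1) + bytes(8) + bytes(12)
            + dns_wire_name(qname) + b"\x00\x01\x00\x01")
```

A filter built this way drops only queries for that exact name; a rule anchored on a different offset or on a name shorter than four bytes still works because the generator falls back to 16- and 8-bit compares.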
  47. 47

  48. 48
    Source IP addresses
    (diagram: LAX router, Internet Carrier, Hurricane Electric ???, Hurricane Electric ???)

  49. 49

  50. 50

  51. 51

  52. 52

  53. 53

  54. 54

  55. 55

  56. 56
    Sophistication
    Spamhaus             DNS amplification
    “Winter of attacks”  Direct
    Direct subnet        Direct

  57. 57
    Null routing
    (diagram: Attacker, four nodes labelled 1.2.3.4)

  58. 58
    Attacks against subnet
    (diagram: Attacker, four nodes labelled 1.2.3.4)

  59. The only way to keep online
    is to absorb the attack
    59

  60. 60
    Receive and process

  61. 61
    Centralisation

  62. 62
    Erosion of principles
    (diagram: five peers)

  63. Solution
    63

  64. 64
    Technical solutions to
    IP Spoofing failed

  65. 65
    Live with it!
    X.X.X.X
    5.6.7.8

  66. 66
    Don't solve the IP spoofing!
    Solve the attribution!

  67. 67
    Internet Exchanges
    (diagram: Router, Internet Exchange L2 SWITCH, Local ISP #1, Local ISP #2, Local ISP #3)

  68. 68
    Internet Carriers
    (diagram: Router, Internet Carrier, Customer #1, Customer #2, Customer #3)

  69. 69
    Proposal:
    • The next move belongs to Carriers and IX operators
    • They must help with attribution
      • Which of their clients is transmitting the traffic?
    • Given (TARGET_IP, location, timeframe, volume)
      • Tell which of the CUSTOMERS transmitted the data

  70. 70
    How?

  71. 71
    Netflow
    (diagram: three Routers, netflow, Collector)

  72. 72
    Netflow
    • Open source netflow toolchain is great
    • Scales well
    • To avoid privacy issues
      • Rotate logs often
      • Set high sampling rate - 1/64k connections

  73. 73
    Netflow
    (netops)# nfdump -M db/waw01:lhr01 -R . -n2 -t -300 -s dstip/packets "in if 731"
    Top 2 Dst IP Addr ordered by packets:
    Dst IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp
    173.245.58.40 1.0 M(77.0) 17.6 G(75.8) 1.1 T(22.6) 59.0 M 30.7 G 65
    173.245.59.15 54962( 4.0) 910.3 M( 3.9) 75.5 G( 1.5) 3.1 M 2.0 G 82

    Summary: total flows: 1361108, total bytes: 5087980650496, total packets: 23271079936, avg bps: 135599480319, avg pps: 77524526, avg bpp: 218
    Total flows processed: 2457140, Blocks skipped: 0, Bytes read: 177251772
    Sys: 0.210s flows/second: 11700666.7 Wall: 0.210s flows/second: 11654603.2

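As an added example (not from the deck), the Python below answers the attribution query proposed on slide 69 from sampled flow records: given a target address or prefix and a timeframe, it sums packets per router input interface and maps each interface to the customer behind it, the same pivot the `in if 731` filter makes in the nfdump command above. The flow records, the ifIndex-to-customer table and the 1/65536 sampling factor are all constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Flow:
    """One exported (already sampled) flow record, the fields nfdump also shows."""
    start: int    # unix seconds
    in_if: int    # router input ifIndex ("in if" in the nfdump filter)
    src: str      # may be spoofed, so never used for attribution
    dst: str
    packets: int

# Constructed: which customer port each ifIndex on the carrier router belongs to.
IFACE_TO_CUSTOMER = {731: "Customer #1", 732: "Customer #2", 733: "IX port"}

# Constructed flow records: spoofed sources, target 1.2.3.4, mostly via ifIndex 731.
FLOWS = [
    Flow(1000, 731, "94.242.250.109", "1.2.3.4", 275000),
    Flow(1001, 731, "188.138.1.240",  "1.2.3.4", 130000),
    Flow(1002, 732, "8.8.8.8",        "1.2.3.4", 2000),
    Flow(1003, 733, "207.244.90.205", "1.2.3.4", 800),
    Flow(1004, 731, "5.6.7.8",        "1.2.3.7", 50000),   # same /24, other host
    Flow(2000, 731, "64.22.81.44",    "1.2.3.4", 999999),  # outside the timeframe
    Flow(1005, 732, "10.0.0.1",       "9.9.9.9", 70000),   # unrelated destination
]

def attribute(flows, target, t0, t1, sampling=1):
    """(TARGET_IP or prefix, timeframe) -> [(customer, estimated packets), ...],
    largest first.  `sampling` (e.g. 65536 for 1/64k) scales sampled counts back up."""
    net = ip_network(target, strict=False)
    totals = defaultdict(int)
    for f in flows:
        if t0 <= f.start < t1 and ip_address(f.dst) in net:
            customer = IFACE_TO_CUSTOMER.get(f.in_if, f"ifIndex {f.in_if}")
            totals[customer] += f.packets * sampling
    return sorted(totals.items(), key=lambda kv: -kv[1])

def distinct_sources(flows, target, t0, t1):
    """Distinct source addresses seen towards the target: under spoofing this count
    is large and meaningless, which is why attribution goes by interface instead."""
    net = ip_network(target, strict=False)
    return len({f.src for f in flows if t0 <= f.start < t1 and ip_address(f.dst) in net})
```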
  74. 74
    It's the first step

  75. 75
    Attribution allows
    informed discussion

  76. 76
    DDoS causes centralisation
    To fix DDoS we need attribution

  77. 77
    The internet will be better for everyone.
    marek@cloudflare.com

  78. 78

  79. How to help?
    79

  80. 80
    Help: report IP spoofing
    • From spoofer.caida.org

  81. 81
    Help: close NTP and DNS
    • Scan your network for open NTP and DNS servers
      • http://openntpproject.org/
      • http://openresolverproject.org
      • http://www.team-cymru.org/Open-Resolver-Challenge.html
      • https://www.shodan.io/

  82. 82
    Help: press for attribution
    • When under attack
      • Collect evidence
      • Ask where the traffic came from!

  83. Is amplification in decline?
    83

  84. 84
    Is amplification in decline?
    • Very easy to block on firewall
      • udp and src port 123 == NTP attack
      • udp and src port 53 == DNS attack
    • DDoS mitigation vendors have FAT pipes
    • Amplification is bouncing off real servers
      • Therefore geographically distributed
      • Not effective against anycast

  85. Why IP Filtering must be on
    the edge
    85

  86. 86
    Filtering is hard
    (diagram: Internet Carrier A, Destination 5.6.7.8)

  87. 87
    Filtering is hard
    (diagram: Internet Carrier A, Source 1.2.3.4, Destination 5.6.7.8, ISP 1, 1.2.3.0/24)

  88. 88
    Filtering is hard
    (diagram: Internet Carrier A, Internet Carrier B, Source 1.2.3.4, Destination 5.6.7.8, ISP 1, 1.2.3.0/24 shown twice)

  89. 89
    Filtering is hard
    (diagram: Internet Carrier A, Internet Carrier B, ISP 1 with Source 1.2.3.4 and 1.2.3.0/24, ISP 2 with Source 4.3.2.1 and 4.3.2.0/24, Destination 5.6.7.8)

  90. 90
    Internet is asymmetric
    (diagram: Internet Carrier A, Internet Carrier B, Source 1.2.3.4, ISP 1, Destination 5.6.7.8)

  91. 91
    Filter close to the source
    (diagram: Source, ISP 1, Internet Carrier A, Internet Carrier B, Destination, X)
