Upgrade to Pro — share decks privately, control downloads, hide ads and more …

IP Spoofing

D4e1d473a995ef37b3e03e9e6006c3e3?s=47 majek04
September 17, 2016
Technology
4
1.2k

IP Spoofing

D4e1d473a995ef37b3e03e9e6006c3e3?s=128

majek04

September 17, 2016
Tweet

More Decks by majek04

See All by majek04
BPF programmable socket lookup
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
0
390
Linux at Cloudflare
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
3
4.3k
DDoS Landscape
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
0
280
Inside Cloudbleed
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
3
1.5k
Golang sucks
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
21
49k
Gatelogic - Somewhat functional reactive framework in Python
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
1
3.2k
How Cloudflare deals with largest DDoS attacks?
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
2
1.9k
Why we chose Service Worker API
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
0
1.4k
IP Spoofing - DEFCON
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
1
610

Other Decks in Technology

See All in Technology
現状のFedCMの動作解説と OIDCとの親和性について- OpenID TechNight vol.19
658c29959d8a9fd352afa440a5813137?s=48 ritou
2
450
History of the ML system in KARTE
290d6f09d5a1df2c2ecb6601011fe5c1?s=48 kargo113
1
650
Meet passkeys
53e2d354b3299d64a54af680865516d5?s=48 satotakeshi
1
120
Design for Humans: How to make better modernization decisions
4d71670118785e492d724ba8c0ae54ad?s=48 indualagarsamy
2
120
覗いてみよう!現場のスクラムチーム
1f0222f7251c3c48f4a8e5103cc64346?s=48 tkredman
0
1.1k
プログラマがオブジェクト指向しても幸せになれない理由
Bf7fe621f4fe1615c228ef8a79b87282?s=48 shirayanagiryuji
0
140
ROS再入門​-はじめてのSLAM-
4b2f3a64637b51e81813accbe8a98083?s=48 miura55
0
410
【Pythonデータ分析勉強会#33】「DearPyGuiに入門しました」の続き~Image-Processing-Node-Editor~
26afa82334d1037f0ba602272b950c90?s=48 kazuhitotakahashi
0
150
RDRA + JavaによるレジャーSaaSプロダクトの要件定義と実装のシームレスな接続
050b8cdbe92809580ed71d0d0d327e36?s=48 jjebejj
PRO
3
700
FoodTechにおける商流・金流・物流の進化/Evolution of Commercial, Financial, and Logistics in FoodTech
Ff655584d57df8448153fa618cc86db3?s=48 dskst
0
400
セキュリティ 開運研修2022 / security 2022
A97eee01397705443a72a48ce29d3e19?s=48 cybozuinsideout
PRO
3
3.8k
さいきんのRaspberry Pi。 / osc22do-rpi
74476e142a767a018d68c5e72e34ee2f?s=48 akkiesoft
6
5.2k

Featured

See All Featured
Embracing the Ebb and Flow
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
73
3.4k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
5b9fe87ec1faa67a4599782930f45ec9?s=48 sstephenson
151
13k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
E425fe9f170efa0dfaf8ab69d7107418?s=48 aki_i
23
15k
How STYLIGHT went responsive
F716e5f737fcfb03f2cf8d1a184f1dbe?s=48 nonsquared
85
3.9k
How To Stay Up To Date on Web Technology
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
780
250k
Creatively Recalculating Your Daily Design Routine
48c098b6579220a67a6ba949be6e4b5a?s=48 revolveconf
207
10k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
237
19k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
F383c6a4dc55e331bbe2987b622cee6b?s=48 stephaniewalter
269
11k
Helping Users Find Their Own Way: Creating Modern Search Experiences
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
7
1.1k
Rails Girls Zürich Keynote
24fc194843a71f10949be18d5a692682?s=48 gr2m
86
12k
Three Pipe Problems
11c84dff30266b907714802088852677?s=48 jasonvnalue
89
8.7k
Art Directing for the Web. Five minutes with CSS Template Areas
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
196
9.4k

Transcript

  1. Are DDoS attacks a threat to the decentralised internet? Marek

    Majkowski

  2. 2 DDoS IP Spoofing Solution Untraceable, Sophisticated Centralisation

  3. 3 Global network

  4. 4 Content neutral

  5. 5 Daily attacks Daily Attacks

  6. 6 We have to solve it

  7. 7 Record breaking attacks at CF Nickname Type Volume Spamhaus

    DNS amplification 300 Gbps “Winter of attacks” Direct 400 Gbps New attack Direct subnet 400 Gbps

  8. Two things in common 8

  9. 9 Flood of IP packets

  10. 10 IP Spoofing (source: DaPuglet)

  11. 11 IP Spoofing 8.8.8.8 5.6.7.8

  12. 12 Enables impersonation Real 8.8.8.8 Destination 5.6.7.8 Spoofed 8.8.8.8

  13. 13 May 2000: BCP38

  14. 14 Inconsistent 15.8% Spoofable 27.8% UnSpoofable 56.4% Measured Autonomic Systems

    spoofer.caida.org

  15. 15 Filter close to the source Internet Carrier A Source

    Destination ISP 1 Internet Carrier B X

  16. IP Spoofing: ! • Enables impersonation • Not a solved

    problem 16

  17. IP Spoofing ! 1. Tracing back is impossible 2. Allows

    sophisticated attacks ! 17

  18. 18 Tracing the attack Attack starts Received PPS

  19. 19 Tcpdump ! $ tcpdump -ni eth0 -c 100! !

    IP 94.242.250.109.47330 > 1.2.3.4:80: Flags [S], seq 1444613291, win 63243! IP 188.138.1.240.61454 > 1.2.3.4:80: Flags [S], seq 1995637287, win 60551! IP 207.244.90.205.17572 > 1.2.3.4:80: Flags [S], seq 1523683071, win 61607! IP 94.242.250.224.65127 > 1.2.3.4:80: Flags [S], seq 928944042, win 61778! IP 207.244.90.205.43074 > 1.2.3.4:80: Flags [S], seq 137074667, win 63891! IP 64.22.81.44.23865 > 1.2.3.4:80: Flags [S], seq 838596928, win 63808! IP 188.138.1.137.23373 > 1.2.3.4:80: Flags [S], seq 593106072, win 60272! IP 207.244.90.205.39653 > 1.2.3.4:80: Flags [S], seq 47289666, win 63210! IP 208.66.78.204.64197 > 1.2.3.4:80: Flags [S], seq 1850809890, win 62714! IP 207.244.90.205.33108 > 1.2.3.4:80: Flags [S], seq 319707959, win 63351! IP 207.244.90.205.6937 > 1.2.3.4:80: Flags [S], seq 1591500126, win 63902! IP 213.152.180.151.60560 > 1.2.3.4:80: Flags [S], seq 1902119375, win 62511! IP 64.22.79.127.11061 > 1.2.3.4:80: Flags [S], seq 1456438676, win 62148!

  20. 20 Which router iface is it from? Router Server

  21. 21 Identifying interface Attacks

  22. 22 Identifying the interface

  23. 23 Other side of the cable ! Internet Carrier Direct

    Peering Router Local Internet Exchange Server

  24. 24 1. Direct Peering Router Direct Peering

  25. 2. Internet Exchange ! ! 3. Internet Carrier 25 !

    Internet Carrier Local Internet Exchange Router Router

  26. 26 2. Internet Exchanges

  27. 27 2. Internet Exchanges Router Internet Exchange L2 SWITCH Local

    ISP #1 Local ISP #2 Local ISP #3

  28. 28 3. Internet Carriers Target network ! Internet Carrier Router

  29. 29 “Winter of attacks”

  30. 30 “Winter of attacks” src IP= Hurricane Electric LAX router

    ! Internet Carrier

  31. 31 “Winter of attacks” LAX router ! Internet Carrier Hurricane

    Electric ??? Hurricane Electric ???

  32. Lack of attribution

  33. IP Spoofing ! 1. Tracing back is impossible 2. Allows

    sophisticated attacks 33

  34. 34 Sophistication Spamhaus DNS amplification “Winter of attacks” Direct Direct

    subnet Direct

  35. 1. UDP request-response 35 UDP Server UDP Client request response

  36. 1. Amplification 36 Attacker Target UDP Server request response

  37. 1. Amplification factor 37 Attacker Target UDP Server request response

    10 bytes 100 bytes

  38. 1. Scale up! 38 Attacker Target UDP Servers requests responses

  39. March 2013: Spamhaus 39 300 Gbps of traffic 27 Gbps

    of spoofing Exposed DNS Resolvers

  40. • Easy to block on firewall • udp and src

    port 53 ! • The internet is fighting exposed DNS resolvers • openresolverproject.org • openntpproject.org • www.shodan.io 40 Amplification easy to block

  41. 41 Sophistication Spamhaus DNS amplification “Winter of attacks” Direct Direct

    subnet Direct

  42. 42 2. “Winter of attacks” Target Server Attacker 400 Gbps

  43. 43

  44. 44 2. Gigantic SYN flood Target Server Attacker 400 Gbps

    Direct SYN flood

  45. Blocked with BPF 45 ! iptables -A INPUT \! --dst

    1.2.3.4 \! -p udp --dport 53 \! -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \! -j DROP!

  46. 46 ! ldx 4*([14]&0xf)! ld #34! add x! tax! lb_0:!

    ldb [x + 0]! add x! add #1! tax! ld [x + 0]! jneq #0x07657861, lb_1! ld [x + 4]! jneq #0x6d706c65, lb_1! ld [x + 8]! jneq #0x03636f6d, lb_1! ldb [x + 12]! jneq #0x00, lb_1! ret #1! lb_1:! ret #0! BPF bytecode

  47. 47

  48. 48 Source IP addresses LAX router ! Internet Carrier Hurricane

    Electric ??? Hurricane Electric ???

  49. 49

  50. 50

  51. 51

  52. 52

  53. 53

  54. 54

  55. 55

  56. 56 Sophistication Spamhaus DNS amplification “Winter of attacks” Direct Direct

    subnet Direct

  57. 57 Null routing 1.2.3.4 Attacker 1.2.3.4 1.2.3.4 1.2.3.4

  58. 58 Attacks against subnet Attacker 1.2.3.4 1.2.3.4 1.2.3.4 1.2.3.4

  59. The only way to keep online is to absorb the

    attack 59

  60. 60 Receive and process

  61. 61 Centralisation

  62. 62 Erosion of principles peer peer peer peer peer

  63. Solution 63

  64. 64 Technical solutions to IP Spoofing failed

  65. 65 Live with it! X.X.X.X 5.6.7.8

  66. 66 Don't solve the IP spoofing! ! Solve the attribution!

  67. 67 Router Internet Exchange L2 SWITCH Local ISP #1 Local

    ISP #2 Local ISP #3 Internet Exchanges

  68. 68 Router ! Internet Carrier Customer #1 Customer #2 Customer

    #3 Internet Carriers

  69. • The next move belongs to Carriers and IX operators

    • They must help with attribution • Which of their clients is transmitting the traffic? ! • Given (TARGET_IP, location, timeframe, volume) • Tell which of the CUSTOMERS transmitted the data 69 Proposal:

  70. 70 How?

  71. 71 Netflow netflow Collector Router Router Router

  72. • Open source netflow toolchain is great • Scales well

    • To avoid privacy issues • Rotate logs often • Set high sampling rate - 1/64k connections 72 Netflow

  73. 73 Netflow ! (netops)# nfdump -M db/waw01:lhr01 -R . -n2

    -t -300 -s dstip/packets "in if 731"! Top 2 Dst IP Addr ordered by packets:! Dst IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp! 173.245.58.40 1.0 M(77.0) 17.6 G(75.8) 1.1 T(22.6) 59.0 M 30.7 G 65! 173.245.59.15 54962( 4.0) 910.3 M( 3.9) 75.5 G( 1.5) 3.1 M 2.0 G 82! ! Summary: total flows: 1361108, total bytes: 5087980650496, total packets: 23271079936, avg bps: 135599480319, avg pps: 77524526, avg bpp: 218! Total flows processed: 2457140, Blocks skipped: 0, Bytes read: 177251772! Sys: 0.210s flows/second: 11700666.7 Wall: 0.210s flows/second: 11654603.2!

  74. 74 It's the first step

  75. 75 Attribution allows informed discussion

  76. 76 DDoS causes centralisation ! ! To fix DDoS we

    need attribution

  77. 77 The internet will be better for everyone. marek@cloudflare.com

  78. 78

  79. How to help? 79

  80. • From spoofer.caida.org 80 Help: report IP spoofing

  81. • Scan your network for open NTP and DNS servers

    • http://openntpproject.org/ • http://openresolverproject.org • http://www.team-cymru.org/Open-Resolver- Challenge.html • https://www.shodan.io/ 81 Help: close NTP and DNS

  82. • When under attack • Collect evidence • Ask where

    the traffic came from! 82 Help: press for attribution

  83. Is amplification in decline? 83

  84. • Very easy to block on firewall • udp and

    src port 123 == NTP attack • udp and src port 53 == DNS attack • DDoS mitigation vendors have FAT pipes • Amplification is bouncing off real servers • Therefore geographically distributed • Not effective against anycast 84 Is amplification in decline?

  85. Why IP Filtering must be on the edge 85

  86. 86 Filtering is hard Internet Carrier A Destination 5.6.7.8

  87. 87 Filtering is hard Internet Carrier A Source 1.2.3.4 Destination

    5.6.7.8 ISP 1 1.2.3.0/24

  88. 88 Filtering is hard Internet Carrier A Source 1.2.3.4 Destination

    5.6.7.8 ISP 1 Internet Carrier B 1.2.3.0/24 1.2.3.0/24

  89. 89 Internet Carrier A Source 1.2.3.4 Destination 5.6.7.8 ISP 1

    Filtering is hard Internet Carrier B ISP 2 Source 4.3.2.1 1.2.3.0/24 4.3.2.0/24

  90. 90 Internet is asymmetric Internet Carrier A Source 1.2.3.4 Destination

    5.6.7.8 ISP 1 Internet Carrier B

  91. 91 Filter close to the source Internet Carrier A Source

    Destination ISP 1 Internet Carrier B X