IP Spoofing - DEFCON
majek04
July 26, 2017
Transcript
Slide 1: IP Spoofing (what is it, how it allows largest attacks and how to fix it). Marek Majkowski
Slide 2: What is it?
Slide 3: IP Spoofing (image; source: DaPuglet)
Slide 4: IP Spoofing (diagram: 8.8.8.8, 5.6.7.8)
Slide 5: Enables impersonation (diagram: Real 8.8.8.8, Destination 5.6.7.8, Spoofed 8.8.8.8)
Slide 6: (no text)
Slide 7: IP Spoofing is still a problem
• 1995 - Mitnick pwned Shimomura with TCP seq
• 1996 - SYN flooding
• 1998 - idle scanning (ipid)
• 1998 - BGP connection reset - RFC 2385
• 2008 - Dan Kaminsky's DNS bug
• 2013+ - Multiple amplification DDoS
Slide 8: IP Spoofing fight
• 1998 - Reverse Path Forwarding, RFC 2267
• 2000 - BCP38 / RFC 2827
• 2004 - BCP84 / RFC 3704 / Unicast RPF
• 2009 - IETF SAVI, https://tools.ietf.org/wg/savi/
• 2014 - MANRS, https://routingmanifesto.org/manrs/
• 2015 - http://spoofer.caida.org
Slide 9: Measured Autonomous Systems (spoofer.caida.org): Inconsistent 15.8%, Spoofable 27.8%, Unspoofable 56.4%
Slide 10: bulletproof hosting
Slide 11: IP Spoofing enables largest attacks
Slide 12: (no text)
Slide 13: Global network
Slide 14: Daily attacks
Slide 15: Some are super large
Slide 16: Two types: 1. Direct, 2. Amplification
Slide 17: 1. Direct attacks: a) keep us online, b) identify the source
Slide 18: Direct: "Winter of attacks" (diagram: Attacker, Target, Server, 400 Gbps)
Slide 19: Direct: SYN Flood, "winter of attacks"
Slide 20: Direct attacks
Slide 21: 1. Direct attacks: a) keep us online, b) identify the source
Slide 22: Tcpdump
    $ tcpdump -ni eth0 -c 100
    IP 94.242.250.109.47330 > 1.2.3.4:80: Flags [S], seq 1444613291, win 63243
    IP 188.138.1.240.61454 > 1.2.3.4:80: Flags [S], seq 1995637287, win 60551
    IP 207.244.90.205.17572 > 1.2.3.4:80: Flags [S], seq 1523683071, win 61607
    IP 94.242.250.224.65127 > 1.2.3.4:80: Flags [S], seq 928944042, win 61778
    IP 207.244.90.205.43074 > 1.2.3.4:80: Flags [S], seq 137074667, win 63891
    IP 64.22.81.44.23865 > 1.2.3.4:80: Flags [S], seq 838596928, win 63808
    IP 188.138.1.137.23373 > 1.2.3.4:80: Flags [S], seq 593106072, win 60272
    IP 207.244.90.205.39653 > 1.2.3.4:80: Flags [S], seq 47289666, win 63210
    IP 208.66.78.204.64197 > 1.2.3.4:80: Flags [S], seq 1850809890, win 62714
    IP 207.244.90.205.33108 > 1.2.3.4:80: Flags [S], seq 319707959, win 63351
    IP 207.244.90.205.6937 > 1.2.3.4:80: Flags [S], seq 1591500126, win 63902
    IP 213.152.180.151.60560 > 1.2.3.4:80: Flags [S], seq 1902119375, win 62511
    IP 64.22.79.127.11061 > 1.2.3.4:80: Flags [S], seq 1456438676, win 62148
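As an added example (mine, not from the talk), the Python below parses the thirteen tcpdump lines on this slide and counts SYNs per source address and per /24, and records the spread of advertised window sizes. It illustrates the "identify the source" problem of the next slides: 13 SYNs come from 9 addresses in 7 prefixes, one address repeating, and since every one of them may be spoofed, none of the counts attributes the flood to anyone. The line format and the 1.2.3.4 destination are taken from the slide; the parser and the summary fields are assumptions of the example.

```python
"""Summarise SYN sources in tcpdump output like slide 22 (editor's example,
not from the talk). SAMPLE holds the thirteen lines printed on the slide;
1.2.3.4 is the slide's placeholder for the attacked address."""
import re
from collections import Counter

SAMPLE = """\
IP 94.242.250.109.47330 > 1.2.3.4:80: Flags [S], seq 1444613291, win 63243
IP 188.138.1.240.61454 > 1.2.3.4:80: Flags [S], seq 1995637287, win 60551
IP 207.244.90.205.17572 > 1.2.3.4:80: Flags [S], seq 1523683071, win 61607
IP 94.242.250.224.65127 > 1.2.3.4:80: Flags [S], seq 928944042, win 61778
IP 207.244.90.205.43074 > 1.2.3.4:80: Flags [S], seq 137074667, win 63891
IP 64.22.81.44.23865 > 1.2.3.4:80: Flags [S], seq 838596928, win 63808
IP 188.138.1.137.23373 > 1.2.3.4:80: Flags [S], seq 593106072, win 60272
IP 207.244.90.205.39653 > 1.2.3.4:80: Flags [S], seq 47289666, win 63210
IP 208.66.78.204.64197 > 1.2.3.4:80: Flags [S], seq 1850809890, win 62714
IP 207.244.90.205.33108 > 1.2.3.4:80: Flags [S], seq 319707959, win 63351
IP 207.244.90.205.6937 > 1.2.3.4:80: Flags [S], seq 1591500126, win 63902
IP 213.152.180.151.60560 > 1.2.3.4:80: Flags [S], seq 1902119375, win 62511
IP 64.22.79.127.11061 > 1.2.3.4:80: Flags [S], seq 1456438676, win 62148
"""

# tcpdump -n prints "IP src.sport > dst.dport: Flags [S], seq N, win W"; the
# slide shows the destination as 1.2.3.4:80, so either separator is accepted.
LINE = re.compile(
    r"^IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})[.:](?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+))?(?:, win (?P<win>\d+))?")


def parse(text):
    """Yield one dict per line that matches the tcpdump format; others are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            yield {"src": d["src"], "dst": d["dst"], "flags": d["flags"],
                   "sport": int(d["sport"]), "dport": int(d["dport"]),
                   "seq": int(d["seq"]) if d["seq"] else None,
                   "win": int(d["win"]) if d["win"] else None}


def summarize(text, dport=80):
    """Count pure SYNs to dport per source address and per /24, and record the
    span of advertised windows (a cheap per-flood fingerprint for a filter)."""
    syns = [p for p in parse(text) if p["flags"] == "S" and p["dport"] == dport]
    per_ip = Counter(p["src"] for p in syns)
    per_24 = Counter(p["src"].rsplit(".", 1)[0] + ".0/24" for p in syns)
    wins = [p["win"] for p in syns if p["win"] is not None]
    top = per_ip.most_common(1)[0] if per_ip else (None, 0)
    return {"syn_packets": len(syns), "distinct_sources": len(per_ip),
            "distinct_prefixes": len(per_24), "top_source": top[0], "top_count": top[1],
            "win_range": (min(wins), max(wins)) if wins else None}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Running it prints 13 SYN packets from 9 sources in 7 prefixes, with 207.244.90.205 the most frequent at 5; the window sizes all sit between 60272 and 63902. Per-source rate limits and per-source counts are fine for keeping the server up, but the addresses themselves carry no attribution value in a spoofed flood, which is why the rule on the next slide keys on packet content instead.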
Slide 23: Blocked with BPF
    iptables -A INPUT \
        --dst 1.2.3.4 \
        -p tcp --dport 80 \
        --syn \
        -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
        -j DROP
Slide 24: BPF bytecode
    ldx 4*([14]&0xf)
    ld #34
    add x
    tax
    lb_0:
    ldb [x + 0]
    add x
    add #1
    tax
    ld [x + 0]
    jneq #0x07657861, lb_1
    ld [x + 4]
    jneq #0x6d706c65, lb_1
    ld [x + 8]
    jneq #0x03636f6d, lb_1
    ldb [x + 12]
    jneq #0x00, lb_1
    ret #1
    lb_1:
    ret #0
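As an added example (mine, not the talk's code), the Python below parses the 14-instruction --bytecode string from slide 23 into the same kind of mnemonics as the slide 24 listing and then interprets it over constructed packets. Decoding shows the deployed string differs a little from the listing: it reads the IP header length at offset 0 and adds 20 rather than 34, because the iptables bpf match sees the packet from the IP header rather than from the Ethernet frame, and it has no label-skipping prologue. Either way the rule drops a SYN to port 80 whose payload starts with the DNS-encoded name example.com (07 "exa", "mple", 03 "com", 00). The opcode tables follow the classic BPF encoding in linux/filter.h; the packet builder and its IHL/flag values are assumptions of the example.

```python
"""Decode and run the classic-BPF filter from the iptables rule on slide 23.
Editor's example, not the talk's code: the bytecode is the string the slide passes
to `-m bpf --bytecode` ("N,code jt jf k,..." as `tcpdump -ddd` prints it)."""

SLIDE23_BYTECODE = ("14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,"
                    "21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,"
                    "21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0")

# Opcode layout from <linux/filter.h>: class in bits 0-2, size in bits 3-4,
# addressing mode in bits 5-7; ALU/JMP keep their op in bits 4-7 and pick the
# source operand (K immediate or X register) with bit 3.
SIZE = {0x00: ("", 4), 0x08: ("h", 2), 0x10: ("b", 1)}
MODE = {0x00: "imm", 0x20: "abs", 0x40: "ind", 0x60: "mem", 0x80: "len", 0xa0: "msh"}
ALU = {0x00: ("add", lambda a, b: a + b), 0x10: ("sub", lambda a, b: a - b), 0x20: ("mul", lambda a, b: a * b),
       0x30: ("div", lambda a, b: a // b), 0x40: ("or", lambda a, b: a | b), 0x50: ("and", lambda a, b: a & b),
       0x60: ("lsh", lambda a, b: a << b), 0x70: ("rsh", lambda a, b: a >> b), 0x80: ("neg", lambda a, b: -a),
       0x90: ("mod", lambda a, b: a % b), 0xa0: ("xor", lambda a, b: a ^ b)}
JMP = {0x00: ("ja", None), 0x10: ("jeq", lambda a, b: a == b), 0x20: ("jgt", lambda a, b: a > b),
       0x30: ("jge", lambda a, b: a >= b), 0x40: ("jset", lambda a, b: (a & b) != 0)}


def parse_bytecode(text):
    """Turn "N,code jt jf k,..." into a list of (code, jt, jf, k) tuples."""
    count, *fields = text.split(",")
    insns = [tuple(int(v) for v in f.split()) for f in fields]
    if len(insns) != int(count) or any(len(i) != 4 for i in insns):
        raise ValueError("malformed bytecode string")
    return insns


def disassemble(text):
    """Render each instruction in bpf_asm style; jump targets are written L<index>."""
    out = []
    for pc, (code, jt, jf, k) in enumerate(parse_bytecode(text)):
        cls, op = code & 0x07, code & 0xf0
        if cls in (0, 1):                                   # ld / ldx
            mnem, suffix = ("ld", "ldx")[cls], SIZE[code & 0x18][0]
            out.append({"imm": f"{mnem} #{k}", "abs": f"{mnem}{suffix} [{k}]",
                        "ind": f"{mnem}{suffix} [x + {k}]", "mem": f"{mnem} M[{k}]",
                        "len": f"{mnem} #len", "msh": f"ldx 4*([{k}]&0xf)"}[MODE[code & 0xe0]])
        elif cls in (2, 3):                                 # st / stx: scratch memory
            out.append(f"{('st', 'stx')[cls - 2]} M[{k}]")
        elif cls == 4:                                      # alu
            out.append(ALU[op][0] + ("" if op == 0x80 else (" x" if code & 0x08 else f" #{k}")))
        elif cls == 5:                                      # jmp
            src = "x" if code & 0x08 else f"#0x{k:08x}"
            if op == 0x00:
                out.append(f"ja L{pc + 1 + k}")
            elif op == 0x10 and jt == 0:                    # only the not-equal branch jumps
                out.append(f"jneq {src}, L{pc + 1 + jf}")
            else:
                out.append(f"{JMP[op][0]} {src}, L{pc + 1 + jt}, L{pc + 1 + jf}")
        elif cls == 6:                                      # ret
            out.append("ret a" if code & 0x10 else f"ret #{k}")
        else:                                               # misc: tax / txa
            out.append("txa" if code & 0xf8 == 0x80 else "tax")
    return out


def run(text, pkt):
    """Interpret the filter over pkt, bytes from the IPv4 header on (what the iptables
    bpf match sees). Returns the ret value, 0 = no match; bad loads and division by zero end with 0."""
    insns, a, x, pc, mem = parse_bytecode(text), 0, 0, 0, [0] * 16

    def load(off, n):
        return int.from_bytes(pkt[off:off + n], "big") if 0 <= off and off + n <= len(pkt) else None

    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        cls, op, mode, size = code & 0x07, code & 0xf0, code & 0xe0, SIZE.get(code & 0x18, ("", 4))[1]
        pc += 1
        if cls in (0, 1):                                   # ld / ldx
            first = load(k, 1)                              # msh = 4 * (pkt[k] & 0xf): IPv4 header length
            val = {0x00: k, 0x20: load(k, size), 0x40: load(x + k, size),
                   0x60: mem[k] if mode == 0x60 else None, 0x80: len(pkt),
                   0xa0: None if first is None else 4 * (first & 0x0f)}[mode]
            if val is None:
                return 0
            a, x = (val, x) if cls == 0 else (a, val)
        elif cls in (2, 3):                                 # st / stx
            mem[k] = a if cls == 2 else x
        elif cls == 4:                                      # alu
            src = x if code & 0x08 else k
            if op in (0x30, 0x90) and src == 0:
                return 0
            a = ALU[op][1](a, src) & 0xffffffff
        elif cls == 5:                                      # jmp
            src = x if code & 0x08 else k
            pc += k if op == 0x00 else (jt if JMP[op][1](a, src) else jf)
        elif cls == 6:                                      # ret
            return a if code & 0x10 else k
        else:                                               # misc: txa / tax
            a, x = (x, x) if code & 0xf8 == 0x80 else (a, a)
    return 0


def build_packet(payload, ihl=5):
    """Constructed IPv4/TCP SYN: ihl*4-byte IP header, 20-byte TCP header (SYN only), payload."""
    ip = bytes([0x40 | ihl, 0x00]) + (ihl * 4 + 20 + len(payload)).to_bytes(2, "big") + bytes(ihl * 4 - 4)
    tcp = bytes(13) + bytes([0x02]) + bytes(6)
    return ip + tcp + payload
```

print("\n".join(disassemble(SLIDE23_BYTECODE))) gives ld #20, ldx 4*([0]&0xf), add x, tax, then the four compare-and-branch pairs, and run(SLIDE23_BYTECODE, build_packet(b"\x07example\x03com\x00")) returns 1 (match, so the rule drops the packet) while the same payload ending in "org" returns 0. One caveat visible from the code: both the bytecode and the listing assume a 20-byte TCP header, so a SYN carrying TCP options would not be matched.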
Slide 25: (no text)
Slide 26: Extreme Data Path - XDP
• Feature of kernels 4.9+
• Super fast
• Tomorrow, Saturday 2pm, Packet Hacking Village!
Slide 27: 1. Direct attacks: a) keep us online, b) identify the source
Slide 28: Which router iface is it from? (diagram: Router, Server)
Slide 29: Identifying interface (diagram: Attacks)
Slide 30: Identifying the interface
Slide 31: Other side of the cable (diagram: Internet Carrier, Direct Peering, Local Internet Exchange, Router, Server)
Slide 32: 1. Direct Peering (diagram: Router, Direct Peering)
Slide 33: (no text)
Slide 34: 2. Internet Exchange, 3. Internet Carrier (diagram: Internet Carrier, Local Internet Exchange, Router, Router)
Slide 35: 2. Internet Exchanges
Slide 36: 2. Internet Exchanges (diagram: L3 Router, Internet Exchange L2 switch, Local ISP #1, Local ISP #2, Local ISP #3)
Slide 37: 3. Internet Carriers (diagram: Router, Internet Carrier)
Slide 38: 3. Internet Carriers (diagram: Router, Internet Carrier, Customer #1, Customer #2, Customer #3)
Slide 39: Tracing back is impossible
Slide 40: Direct: SYN Flood, "winter of attacks"
Slide 41: "Winter of attacks" (diagram: src IP = Hurricane Electric, LAX router, Internet Carrier)
Slide 42: "Winter of attacks" (diagram: LAX router, Internet Carrier, Hurricane Electric ???, Hurricane Electric ???)
Slide 43: Other examples
Slides 44-50: (no text)
Slide 51: 2. Amplification attacks: a) keep us online, b) identify the source
Slide 52: SSDP: Amplification
Slide 53: UDP request-response (diagram: UDP Client, UDP Server, request, response)
Slide 54: Amplification (diagram: Attacker, Target, UDP Server, request, response)
Slide 55: Amplification factor (diagram: Attacker, Target, UDP Server; request 10 bytes, response 100 bytes)
Slide 56: Scale up! (diagram: Attacker, Target, UDP Servers, requests, responses)
Slide 57: June 2017: SSDP. 112 Gbps of traffic, 5 Gbps of spoofing, 940k exposed SSDP devices
Slide 58: 2. Amplification attacks: a) keep us online, b) identify the source
Slide 59: Dispersed geographically
Slide 60: (diagram: Internet; 1.2.3.0/24 in Los Angeles, London, Amsterdam, Moscow, San Jose, New York)
Slide 61: Trivial to block
    iptables -A INPUT \
        --dst 1.2.3.4 \
        -p udp --sport 1900 \
        -j DROP
Slide 62: 2. Amplification attacks: a) keep us online, b) identify the source
Slide 63: Tracing back is impossible (diagram: Attacker, Reflector #1, Reflector #2, Reflector #3, Router)
Slide 64: Other amplifications
    Count  Proto  Src port  Service
     3774  udp         123  NTP
     1692  udp        1900  SSDP
      438  udp           0  IP fragmentation (*)
      253  udp          53  DNS
       42  udp       27015  SRCDS
       20  udp          19  Chargen
       19  udp       20800  Call Of Duty
       16  udp         161  SNMP
       12  udp         389  CLDAP
       11  udp         111  Sunrpc
       10  udp         137  Netbios
        6  tcp          80  HTTP
        5  udp       27005  SRCDS
        2  udp         520  RIP
Slide 65: Amplification sizes
    $ cat all-gbps | cut -d " " -f 1 | ~/bin/mmhistogram
    Gbps min:0.04 avg:7.07 max:78.03 dev:9.06 count:6353
    Gbps:
     value |-------------------------------------------------- count
         0 |****************                                   658
         1 |*************************                          1012
         2 |************************************************** 1947
         4 |******************************                     1176
         8 |****************                                   641
        16 |*******************                                748
        32 |****                                               157
        64 |                                                   14
Slide 66:
• IP spoofing is bad
• You need network capacity
• Tracing back is impossible
Slide 67: How to fix it?
Slide 68:
• IP spoofing is bad
• You need network capacity
• Tracing back is impossible
Slide 69: IP spoofing is the root of all evil
Slide 70: Promote BCP38
Slide 71: Report IP spoofing
• From spoofer.caida.org
Slide 72: Vendor defaults
Slide 73: Filtering is hard (diagram: Source, ISP 1, Internet Carrier A, Internet Carrier B, Destination, X)
Slide 74: We're left with the incompetent
Slide 75:
• IP spoofing is bad
• You need network capacity
• Tracing back is impossible
Slide 76: BGP Flowspec to the rescue!
Slide 77: Router under attack (diagram: BGP Flowspec; Flowspec, Flowspec, Flowspec)
Slide 78: (no text)
Slide 79:
• https://conference.apnic.net/data/41/apricot-ddos-mitigation-using-flowspec_1456208439.pdf
Slide 80: Adoption = nil
Slide 81: BGP Flowspec success story
• RASCOM AS20764
• https://www.slideshare.net/pavel_odintsov/implementing-bgp-flowspec-at-ip-transit-network
Slide 82:
• IP spoofing is bad
• You need network capacity
• Tracing back is impossible
Slide 83: Netflow / IPFIX!
Slide 84: How?
Slide 85: Netflow within one AS (diagram: Netflow collector; Netflow samples, Netflow samples, Netflow samples)
Slide 86: Internet Carriers (diagram: Router, Internet Carrier, Customer #1, Customer #2, Customer #3)
Slide 87: (no text)
Slide 88: Netflow
    (netops)# nfdump -M db/waw01:lhr01 -R . -n2 -t -300 -s dstip/packets "in if 731"
    Top 2 Dst IP Addr ordered by packets:
    Dst IP Addr      Flows(%)      Packets(%)      Bytes(%)     pps     bps  bpp
    173.245.58.40     1.0 M(77.0)   17.6 G(75.8)   1.1 T(22.6)  59.0 M  30.7 G   65
    173.245.59.15    54962( 4.0)   910.3 M( 3.9)  75.5 G( 1.5)   3.1 M   2.0 G   82
    Summary: total flows: 1361108, total bytes: 5087980650496, total packets: 23271079936, avg bps: 135599480319, avg pps: 77524526, avg bpp: 218
    Total flows processed: 2457140, Blocks skipped: 0, Bytes read: 177251772
    Sys: 0.210s flows/second: 11700666.7 Wall: 0.210s flows/second: 11654603.2
Slide 89: Netflow
• Open source toolchain is great
• Scales well
• Set high sampling rate - 1/64k flows
• Rotate logs every 72h
Slide 90: Internet exchanges
Slide 91: Internet Exchanges (diagram: L3 Router, Internet Exchange L2 switch, Local ISP #1, Local ISP #2, Local ISP #3)
Slide 92: Internet Exchanges
• SFlow
• IX charts
• mac-accounting
• IPFIX support for MAC addresses
Slide 93: Recap
• Prevent IP spoofing - BCP38. The root of all evil, unfixable in short time
• BGP flowspec firewall. A stop gap for capacity
• Netflow/IPFIX sampling. Gives visibility into your network. Solves attack attribution.
Slide 94: DDoS is fixable!
• https://blog.cloudflare.com
• https://github.com/cloudflare
marek@cloudflare.com, @majek04
Slide 95: (no text)
Slide 96: Mirai was different
Slide 97: (no text)
Slide 98: Why IP Filtering must be on the edge
Slide 99: Filtering is hard (diagram: Internet Carrier A, Destination 5.6.7.8)
Slide 100: Filtering is hard (diagram: Source 1.2.3.4 at ISP 1, 1.2.3.0/24; Internet Carrier A; Destination 5.6.7.8)
Slide 101: Filtering is hard (diagram: Source 1.2.3.4 at ISP 1, 1.2.3.0/24; Internet Carrier A; Internet Carrier B, 1.2.3.0/24; Destination 5.6.7.8)
Slide 102: Filtering is hard (diagram: Source 1.2.3.4 at ISP 1, 1.2.3.0/24; Source 4.3.2.1 at ISP 2, 4.3.2.0/24; Internet Carrier A; Internet Carrier B; Destination 5.6.7.8)
Slide 103: Internet is asymmetric (diagram: Source 1.2.3.4, ISP 1, Internet Carrier A, Internet Carrier B, Destination 5.6.7.8)
Slide 104: Filter close to the source (diagram: Source, ISP 1, Internet Carrier A, Internet Carrier B, Destination, X)
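As an added example (mine, not the talk's code), the Python below models strict and loose unicast RPF, the BCP38/BCP84-style source filtering the talk asks for, on a toy version of the topology in slides 99-104. The interface names and FIB contents are made up; the addresses and prefixes are the slides' own. It shows why the filter belongs at the edge: strict mode at ISP 1's customer port accepts 1.2.3.4 and drops a spoofed 4.3.2.1, while at carrier A strict mode would also drop legitimate 1.2.3.4 packets arriving over carrier B (the asymmetry of slide 103), and loose mode lets a spoofed 1.2.3.4 from ISP 2 straight through.

```python
"""Strict vs loose unicast RPF (the BCP38/BCP84 source filtering the talk
recommends) on the toy topology of slides 99-104. Editor's example, not the
talk's code: interface names and FIB contents below are made up."""
import ipaddress


def build_fib(routes):
    """{"prefix": {"iface", ...}} -> {IPv4Network: set of next-hop interfaces}."""
    return {ipaddress.ip_network(p): set(ifaces) for p, ifaces in routes.items()}


def urpf_accept(fib, src, in_iface, mode="strict"):
    """True if a packet with source `src` arriving on `in_iface` passes uRPF.
    strict: the longest-prefix route for src must point back out in_iface.
    loose:  any route for src at all suffices (RFC 3704 loose mode).
    A source with no route fails in both modes."""
    ip = ipaddress.ip_address(src)
    matches = [net for net in fib if ip in net]
    if not matches:
        return False
    if mode == "loose":
        return True
    best = max(matches, key=lambda n: n.prefixlen)
    return in_iface in fib[best]


# ISP 1's access edge knows exactly which prefix sits behind each customer
# port, so strict mode is safe there (slide 104, "filter close to the source").
ISP1_EDGE = build_fib({"1.2.3.0/24": {"cust1"},
                       "4.3.2.0/24": {"upstream"}, "5.6.7.0/24": {"upstream"}})

# Carrier A's view: its best path to 1.2.3.0/24 is its customer ISP 1, but ISP 1
# also announces the prefix to carrier B (slide 101), so legitimate packets from
# 1.2.3.4 can arrive over the carrier B peering as well (slide 103).
CARRIER_A = build_fib({"1.2.3.0/24": {"isp1"}, "4.3.2.0/24": {"isp2"},
                       "5.6.7.0/24": {"carrierB"}})


def scenarios():
    """The cases the slides walk through, as {description: accepted?}."""
    return {
        "edge strict, real source": urpf_accept(ISP1_EDGE, "1.2.3.4", "cust1"),
        "edge strict, spoofed source": urpf_accept(ISP1_EDGE, "4.3.2.1", "cust1"),
        "carrier strict, legit over asymmetric path": urpf_accept(CARRIER_A, "1.2.3.4", "carrierB"),
        "carrier loose, spoofed via ISP 2": urpf_accept(CARRIER_A, "1.2.3.4", "isp2", "loose"),
        "carrier loose, unrouted source": urpf_accept(CARRIER_A, "10.0.0.1", "isp2", "loose"),
    }


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{'forward' if ok else 'drop   '}  {case}")
```

The two carrier cases are the dilemma of slides 99-103: strict mode produces a false positive on legitimate asymmetric traffic, loose mode stops only sources that are not routed at all and passes any spoofed address that exists somewhere in the table. Only the access edge, where the set of valid source prefixes per port is known, can apply the strict check without collateral damage.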