Lessons from defending the indefensible

D4e1d473a995ef37b3e03e9e6006c3e3?s=47 majek04
November 12, 2015
5
2k

Lessons from defending the indefensible

D4e1d473a995ef37b3e03e9e6006c3e3?s=128

majek04

November 12, 2015
Tweet

Want more?

D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
0
280
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
3
1.9k
D4e1d473a995ef37b3e03e9e6006c3e3?s=48 majek04
0
230
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
12
630
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
3
330
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
220
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
8
420
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
8
250
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
3
320
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
4
650
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
190
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
4
260

Transcript

  1. 1.

    Lessons from defending the indefensible Marek Majkowski marek@cloudflare.com @majek04

  2. 2.

    2 Denial of service (DoS) (source: the internet)

  3. 3.

    Unique view 3

  4. 4.

    DoS attempts daily 4 DoS events per day

  5. 5.

    Defending from DoS is hard 5 X Attacker Visitor example.com

  6. 6.

    Attack surface 6 Internet Router NIC Kernel App ~2Mpps 0.3Mpps

    0.1Mpps >20M pps
  7. 7.

    Attack surface 7 Internet Router NIC Kernel App this presentation

  8. 8.

    Agenda 1. Network congestion 2. L3 - High volume packet

    floods 3. L4 - Packet floods against TCP stack 4. L7 - Botnets 5. L7+ - Very large botnets 8
  9. 9.

    Network congestion 9

  10. 10.

    BGP null routing 10 ! route 1.2.3.4/32 {! discard;! community

    [ 13335:666 13335:668 13335:36006 ];! }!
  11. 11.

    Application integration 11 1.2.3.4 1.2.3.5 1.2.3.6 ! dig A example.com!

    1.2.3.7 X
  12. 12.

    High volume packet floods (L3) 12

  13. 13.

    13 Let it flow (source: Yogendra Joshi)

  14. 14.

    High volume packet flood 14 Packets per second

  15. 15.

    UDP DNS flood 15 ! IP 202.194.181.95.15443 > 1.2.3.4:53: 63476%

    [1au] A? example.com. (50)! IP 221.12.236.115.6570 > 1.2.3.4:53: 11406% [1au] A? example.com. (50)! IP 203.94.134.43.18473 > 1.2.3.4:53: 8559% [1au] A? example.com. (50)! IP 203.196.66.75.32573 > 1.2.3.4:53: 47971% [1au] A? example.com. (50)! IP 124.240.198.136.23336 > 1.2.3.4:53: 61152% [1au] A? example.com. (50)! IP 218.247.70.185.11679 > 1.2.3.4:53: 16360% [1au] A? example.com. (50)! IP 202.109.218.98.27549 > 1.2.3.4:53: 17829% [1au] A? example.com. (50)! IP 203.148.240.82.21825 > 1.2.3.4:53: 22590% [1au] A? example.com. (50)! IP 211.167.108.67.25782 > 1.2.3.4:53: 17663% [1au] A? example.com. (50)! IP 203.209.60.18.20221 > 1.2.3.4:53: 38257% [1au] A? example.com. (50)! IP 203.81.181.168.12749 > 1.2.3.4:53: 53492% [1au] A? example.com. (50)!
  16. 16.

    Sad DNS server 16

  17. 17.

    17 Spoofed? (source: DaPuglet)

  18. 18.

    18 Drop!

  19. 19.

    19 1 in 10K packets

  20. 20.

    Packet characteristics 20 ! • Packet length • Payload •

    Goal: limit false positives
  21. 21.

    Matching on payload in iptables 21

  22. 22.

    Payload matching with BPF 22 ! iptables -A INPUT \!

    --dst 1.2.3.4 \! -p udp --dport 53 \! -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \! -j DROP!
  23. 23.

    BPF bytecode 23 ! ldx 4*([14]&0xf)! ld #34! add x!

    tax! lb_0:! ldb [x + 0]! add x! add #1! tax! ld [x + 0]! jneq #0x07657861, lb_1! ld [x + 4]! jneq #0x6d706c65, lb_1! ld [x + 8]! jneq #0x03636f6d, lb_1! ldb [x + 12]! jneq #0x00, lb_1! ret #1! lb_1:! ret #0!
  24. 24.

    Tcpdump expressions • Originally: • xt_bpf implemented in 2013 by

    Willem de Bruijn ! • Tcpdump expressions are limited - no variables • Benefits in hand-crafting BPF 24 tcpdump -n “udp and port 53”
  25. 25.

    BPF tools 25 • Open source: • https://github.com/cloudflare/bpftools • Can

    match various DNS patterns: • *.example.com! • --case-insensitive *.example.com! • --invalid-dns
  26. 26.

    26 ~2M pps

  27. 27.

    27 Happy DNS server

  28. 28.

    Sad OS - interrupt storms 28

  29. 29.

    Payload matching close to NIC 29

  30. 30.

    Modern NIC's 30 Network card RX Queue #1 RX Queue

    #2 RX Queue #3 RX Queue #N Ethernet CPU #1 CPU #2 CPU #3 CPU #N
  31. 31.

    Traditional kernel bypass 31 Network card User space RX Queue

    #1 RX Queue #2 RX Queue #3 RX Queue #N Ethernet
  32. 32.

    Partial kernel bypass 32 Network card RX Queue #1 RX

    Queue #2 RX Queue #N RX Queue #? user space Kernel Ethernet aka bifurcated driver
  33. 33.

    Partial kernel bypass ! • Or EFVI for SolarFlares: •

    http://www.openonload.org/ • Open sourced netmap patch, tested on Intel: • https://github.com/luigirizzo/netmap/pull/87 33
  34. 34.

    Iptables offload 34 Network card RX Queue #1 RX Queue

    #2 RX Queue #N RX Queue #? ! userspace offload Ethernet Kernel
  35. 35.

    35 >3M pps It works really well

  36. 36.

    36 It works really well

  37. 37.

    No characteristics: Attacks against TCP/IP network stack (L4) 37

  38. 38.

    ACK floods 38 ! IP 48.60.32.50.15244 > 1.2.3.4.80: Flags [.],

    ack 1754729313, win 16153! IP 31.102.214.103.13396 > 1.2.3.4.80: Flags [.], ack 1569851274, win 15707! IP 112.36.216.55.56515 > 1.2.3.4.80: Flags [.], ack 2051477187, win 16102! IP 65.130.63.30.10341 > 1.2.3.4.80: Flags [.], ack 2108282782, win 16112! IP 16.18.205.115.15962 > 1.2.3.4.80: Flags [.], ack 1359019408, win 16119! IP 128.177.247.54.13752 > 1.2.3.4.80: Flags [.], ack 1416531343, win 16102! IP 204.59.118.78.61528 > 1.2.3.4.80: Flags [.], ack 348671255, win 16101! IP 119.195.142.20.3344 > 1.2.3.4.80: Flags [.], ack 1917538144, win 16161! IP 70.197.6.24.39340 > 1.2.3.4.80: Flags [.], ack 1920842431, win 16124!
  39. 39.

    39 ~0.3M pps

  40. 40.

    Statefull firewall - conntrack 40 ! iptables -A INPUT \!

    --dst 1.2.3.4 \! -m conntrack --ctstate INVALID \! -j DROP! ! sysctl -w net/netfilter/nf_conntrack_tcp_loose=0!
  41. 41.

    41 ~2M pps

  42. 42.

    Effective against TCP attacks • Works well against: • ACK

    • FIN • RST • X-mas • What about SYN floods? 42
  43. 43.

    SYN floods 43 ! IP 94.242.250.109.47330 > 1.2.3.4:80: Flags [S],

    seq 1444613291, win 63243! IP 188.138.1.240.61454 > 1.2.3.4:80: Flags [S], seq 1995637287, win 60551! IP 207.244.90.205.17572 > 1.2.3.4:80: Flags [S], seq 1523683071, win 61607! IP 94.242.250.224.65127 > 1.2.3.4:80: Flags [S], seq 928944042, win 61778! IP 207.244.90.205.43074 > 1.2.3.4:80: Flags [S], seq 137074667, win 63891! IP 64.22.81.44.23865 > 1.2.3.4:80: Flags [S], seq 838596928, win 63808! IP 188.138.1.137.23373 > 1.2.3.4:80: Flags [S], seq 593106072, win 60272! IP 207.244.90.205.39653 > 1.2.3.4:80: Flags [S], seq 47289666, win 63210! IP 208.66.78.204.64197 > 1.2.3.4:80: Flags [S], seq 1850809890, win 62714! IP 207.244.90.205.33108 > 1.2.3.4:80: Flags [S], seq 319707959, win 63351! IP 207.244.90.205.6937 > 1.2.3.4:80: Flags [S], seq 1591500126, win 63902! IP 213.152.180.151.60560 > 1.2.3.4:80: Flags [S], seq 1902119375, win 62511! IP 64.22.79.127.11061 > 1.2.3.4:80: Flags [S], seq 1456438676, win 62148!
  44. 44.

    44 0M pps

  45. 45.

    SYN in Linux 45 SYN backlog SYN_RECV Listen backlog ESTABLISHED

    SYN ACK accept() App SYN+ACK
  46. 46.

    SYN Cookies 46 5 bits t mod 32 3 bits

    MSS 24 bits hash(ip, port, t) sequence number: 26 bits timestamp 1 bit ECN 1 bit SACK 4 bits wscale timestamp: ! sysctl -w net.ipv4.tcp_syncookies = 1! sysctl -w net.ipv4.tcp_timestamps = 1!
  47. 47.

    47 ~0.3M pps

  48. 48.

    Recent changes • The idea is to remove the LISTEN

    lock • Heavy refactoring of the SYN queue • Submitted by Eric Dumazet in early October 2015 • Merged to net-next, will land in 4.4 48
  49. 49.

    Connections from a botnet (L7) 49

  50. 50.

    50 Real TCP/IP connections

  51. 51.

    Small volume 51 Packets per second

  52. 52.

    Symptoms 52 • Concurrent connection count going up • Many

    sockets in "orphaned" state • "Time waits" socket state indicates churn
  53. 53.

    Sad HTTP server 53

  54. 54.

    54 IP reputation (source: the internet)

  55. 55.

    Reputation in iptables 1. Conntrack Connlimit 2. Hashlimits • Rate

    limit SYN packets per IP 3. Ipset • Manual blacklisting - feed IP blacklist from HTTP server logs • Supports subnets, timeouts • Automatic blacklisting hashlimits 55
  56. 56.

    Make it a SYN flood ! ! ! ! !

    • Disable HTTP keep-alives • Make it a SYN flood 56 ! GET / HTTP/1.1! Host: www.example.com! ! GET / HTTP/1.1! Host: www.example.com! ! GET / HTTP/1.1! Host: www.example.com! ...!
  57. 57.

    Very large botnets (L7+) 57

  58. 58.

    Very large botnets • Blacklist IP's based on payload •

    "BPF" or "string" module for match + ipsets auto expiry 58 ! GET /forum.php HTTP/1.1! Accept: */*! Accept-Language: zh-cn! Accept-Encoding: gzip, deflate! User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0;... ! Host: www.example.com:80! Connection: Keep-Alive!
  59. 59.

    300k RPS, 650k uniques 59 (source: CloudFlare blog)

  60. 60.

    Detection 60

  61. 61.

    Sflow for real time analytics 61 sflow central aggregation switch

    switch switch
  62. 62.

    Centralized Sflow 62 ! $ tailsflow -i sflow | tcpdump

    -n -r - -c 10 'vlan and ip'! reading from file -, link-type EN10MB (Ethernet)! IP 10.11.8.17.8070 > 10.11.8.82.24982:! IP 10.16.8.95.8070 > 10.16.10.139.33176: 18:55:22.345369! IP 70.215.131.237.3232 > 104.16.19.35.80: 18:55:22.345371! IP 162.222.178.71.35563 > 173.245.58.146.53:! IP 199.71.213.20.40150 > 173.245.58.146.53: 18:55:22.345430 IP 195.175.255.138.62803 > 173.245.58.221.53:! IP 220.213.193.137.52163 > 104.31.188.8.80: ! IP 10.40.8.97.8070 > 10.40.8.59.46943:! IP 115.231.91.118.35120 > 173.245.58.146.53:! IP 10.12.11.5.8070 > 10.12.8.106.24514:!
  63. 63.

    Host-sflowd 63 iptables -I INPUT \! -m statistic \! --mode

    random --probability 0.00048828125 \! -j NFLOG --nflog-group 33! ! hsflowd -d -f hsflowd.conf -o /var/run/hsflowd.auto - p /var/run/hsflowd.pid sflow {! DNSSD = off! collector {! ip = 4.3.2.1! udpport = 6343! }! nflogProbability = 0.00048828125! nflogGroup = 33! polling = 300! }
  64. 64.

    • You WILL BGP null-route • Prepare your application for

    that • DROP all the packets! (only 1 in 10k could be valid!) • With BPF • Partial kernel bypass for better speed • Iptables are powerful • Connlimit, hashlimits, ipsets (please fill the attendee excitement form!) marek@cloudflare.com @majek04 Thanks!
  65. 65.

    65

  66. 66.

    Exciting system tweaks 66 Appendix A

  67. 67.

    ! ethtool -N eth3 flow-type udp4 \! dst-ip 192.168.254.30 \!

    dst-port 53 action -1! NIC: discard with flow steering 67
  68. 68.

    Tip: Flow steering for priority 68 ! ethtool -X eth3

    weight 0 1 1 1 1 1 1 1 1 1 1! ethtool -N eth3 flow-type tcp4 \! dst-port 22 action 0!
  69. 69.

    SYN backlog size 1. Listen backlog size ! 2. Capped

    by somaxconn ! 3. SYN backlog capped with ! 4. Rounded to next power of two 69 sysctl -w net.ipv4.tcp_max_syn_backlog = 65535 listen(int sockfd, int backlog) sysctl -w net.core.somaxconn = 65535 127 --> 128 128 -->256
  70. 70.

    SYN backlog decay 70 ! sysctl -w net.ipv4.tcp_synack_retries=1!

  71. 71.

    L7 connection count 71 ! sysctl -w net.ipv4.tcp_max_orphans=262144! sysctl -w

    net.ipv4.tcp_orphan_retries=1! ! sysctl -w net.ipv4.tcp_max_tw_buckets=360000! sysctl -w net.ipv4.tcp_tw_reuse=1! sysctl -w net.ipv4.tcp_fin_timeout=5!
  72. 72.

    Iptables examples 72 Appendix B

  73. 73.

    L3: u32 73 ! iptables -A INPUT \! --dst 1.2.3.4

    \! -p udp -m udp --dport 53 \! -m u32 --u32 "6&0xFF=0x6 && 4&0x1FFF=0 && 0>>22&0x3C@4=0x29"\! -j DROP!
  74. 74.

    L4: Conntrack 74 ! iptables -t raw -A PREROUTING \!

    -i eth2 \! --dst 1.2.3.4 \! -j ACCEPT! ! iptables -t raw -A PREROUTING \! -i eth2 \! -j NOTRACK! ! ! iptables -A INPUT \! --dst 1.2.3.4 \! -m conntrack --ctstate INVALID \! -j DROP!
  75. 75.

    Tuning conntrack 75 ! sysctl -w net.netfilter.nf_conntrack_helper=0! ! sysctl -w

    net.nf_conntrack_max=2000000! echo 2500000 > /sys/module/nf_conntrack/parameters/hashsize! ! sysctl -w net/netfilter/nf_conntrack_tcp_loose=0!
  76. 76.

    L7: Connlimit 76 ! iptables -t raw -A PREROUTING \!

    -i eth2 \! --dst 1.2.3.4 \! -j ACCEPT! ! iptables -A INPUT \! --dst 1.2.3.4 \! -p tcp -m tcp --dport 80 \! -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN \! -m connlimit \! --connlimit-above 10 \! --connlimit-mask 32 \! --connlimit-saddr \! -j DROP!
  77. 77.

    L7: ipset for blacklisting 77 ! ipset -exist create ta_d335c5

    hash:net family inet! ! ipset add ta_d335c5 192.168.0.0/16! ipset add ta_d335c5 10.0.0/8! ! iptables -A INPUT \! -m set --match-set ta_d335c5 src \! -j DROP!
  78. 78.

    L7: being evil - TARPIT 78 ! iptables -A INPUT

    \! -m set --match-set ta_d335c5 src \! -j TARPIT!
  79. 79.

    L7: hashlimit for rate limiting 79 ! iptables -A INPUT

    \! --dst 1.2.3.4 -p tcp -m tcp --dport 80\! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN \! -m hashlimit \! --hashlimit-above 123/sec \! --hashlimit-burst 5 \! --hashlimit-mode srcip \! --hashlimit-srcmask 24 \! --hashlimit-name 341654b1d4af9bf \! -j DROP!
  80. 80.

    L7: auto-blacklisting 80 ! ipset -exist create blacklist hash:net timeout

    60! ! iptables -A INPUT \! --dst 1.2.3.4 \! -m set --match-set blacklist src \! -j DROP! ! iptables -A INPUT \! --dst 1.2.3.4 -p tcp -m tcp --dport 80\! --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN \! -m hashlimit \! --hashlimit-above 100/sec \! --hashlimit-mode srcip \! --hashlimit-srcmask 24 \! --hashlimit-name hl_blacklist \! -j SET --add-set blacklist src!
  81. 81.

    L7+: payload in TCP - string 81 ! iptables -A

    INPUT \! ! --dst 1.2.3.4 \! ! -p tcp --dport 80 \! ! -m string \! ! --hex-string 486f73743a207777772e787878787878782e... \! --from 231 --to 300 \! -j DROP!
  82. 82.

    L7+: payload in TCP - BPF 82 ! $ ./fixed_offset.py

    'Host: www.xxxxxxx.com:80\r\n' 231! ! ip[231:4] == 0x486f7374 and ip[235:4] == 0x3a207777 and ip[239:4] == 0x772e7878 and ip[243:4] == 0x78787878 and ip[247:4] == 0x782e636f and ip[251:4] == 0x6d3a3830 and ip[255:2] == 0x0d0a! (source: fixed_offset.py)