Recent DDoS

Recent DDoS
Marek Majkowski
[email protected]ﬂare.com

View Slide

Krebs timeline
• 10th Sept - Krebs publishes VDoS database dump
• 20th Sept - BackConnect BGP hijacks article
• 21th Sept - 620 Gbps attack reported
• Mostly GRE
• 22nd Sept - Prolexic / Akamai kick Krebs out
• 25th Sept - Onboarded on Google Project Shield
• Struggling to keep the website up
2

View Slide

Dyn timeline
• Oct 21st - Doug Madory gives a talk on BackConnect
• Oct 21st - Dyn attack starts
• Non-spoofed, mostly Mirai-based botnets
• 100k "endpoints"
• Mostly DNS traﬃc
3

View Slide

Mirai
!
!
!
• Chinese security cameras with default Telnet pass
• Some evidence for WD disks
• Some evidence for customer modem/routers
• Deutsche Telekom port 7547 TR-069
4

View Slide

Mirai
• Very short attacks, https://twitter.com/miraiattacks
• HTTP
• 5 hardcoded user agents
• SYN, ACK, UDP, DNS, Valve, GRE
• 30k-75k devices
5

View Slide

Cloudﬂare Point of view
6

View Slide

Most common attacks
• L3 - SYN
• L3 - DNS
• L7 - HTTP
7

View Slide

SYN
• Many of the big volumetric attacks
• https://blog.cloudflare.com/the-daily-ddos-ten-days-of-massive-
attacks/
• https://blog.cloudflare.com/a-winter-of-400gbps-weekend-ddos-
attacks/
• Directly hitting the target IP (not amplified)
• Often spoofed source IP
8

View Slide

SYN - thanksgiving
9

View Slide

SYN - thanksgiving
10

View Slide

Mitigation: iptables and BPF
• https://blog.cloudﬂare.com/introducing-the-p0f-bpf-compiler/
11
!
iptables -A INPUT \!
--dst 1.2.3.4 \!
-p udp --dport 53 \!
-m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7
0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5
1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1
0,6 0 0 1,6 0 0 0" \!
-j DROP!

View Slide

Mitigation: scattering
12
dig example.com A
1.2.3.4
1.2.3.5
1.2.3.6
1.2.3.7

View Slide

Why scattering works
• L3 Attacks often have hardcoded destination IP's
• Low DNS TTL allows to scatter
13

View Slide

DNS - random preﬁx
14
• Miss the cache NXDOMAIN
• Overload Auth DNS
• Hard to defend

View Slide

DNS - random prefix
15
!
1.666 --ip=173.245.59.101/32 --port=53 "*.example.com"
1.639 --ip=173.245.58.211/32 --port=53 "*.example.com"
0.297 --ip=2400:cb00:2049:1::adf5:3b61/128 --port=53 "*.example.com"
0.274 --ip=2400:cb00:2049:1::adf5:3ad1/128 --port=53 "*.example.com"
• Random prefix queries
!
!
!
• Bounced off real recursors
mzcjgtofshadofgp.example.com.
eleloletajgj.example.com.
ovcpkpij.example.com

View Slide

HTTP attacks
• Most: dumb repetitive http requests
• IP reputation generally works
16

View Slide

HTTP - Mirai-like
17
GET /en HTTP/1.1 !
User-Agent: !
Cookie: !
Host: example.com !
Connection: close !
Content-Length: 800000!
!
a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...!

View Slide

HTTP - Mirai-like
18

View Slide

HTTP - Mirai-like
19

View Slide

HTTP - Mirai-like
• Should it be received?
• 52k source IP's
• Mostly Ukraine - hacked customer routers/modems?
20

View Slide

Takeaways
21

View Slide

Takeaways
• Direct volumetric SYN floods
• Go up to 450gbps and 100M pps per target
• Use small DNS TTL to be able to "scatter" - retire IP's
• Random-prefix DNS
• Hard to defend
• HTTP attacks
• IP reputation works (iptables)
• Dynamic WAF / "firewall alike" rules for blocking repetitive traffic
22

View Slide

23

View Slide

24

View Slide

25

View Slide

26

View Slide

27

View Slide

28

View Slide

29

View Slide

30

View Slide

31

View Slide

Anycast
32

View Slide

ECMP
33
ECMP router
dst ip: 1.2.3.4
server #1
server #2
server #3
hash % 2
hash % 1
hash % 3

View Slide

34
Gatebot
Automatic attack handling

View Slide

Automatic attack handling
35
Mitigation
Database
sﬂow
iptables
Attack
Detection
Reactive
Automation
35

View Slide

Recent DDoS

Recent DDoS

majek04

More Decks by majek04

Other Decks in Programming

Featured

Transcript