Recent DDoS

majek04
December 06, 2016

Transcript

  1. Recent DDoS - Marek Majkowski, marek@cloudflare.com

  2. Krebs timeline
     • 10th Sept - Krebs publishes VDoS database dump
     • 20th Sept - BackConnect BGP hijacks article
     • 21st Sept - 620 Gbps attack reported
       • Mostly GRE
     • 22nd Sept - Prolexic / Akamai kick Krebs out
     • 25th Sept - Onboarded on Google Project Shield
     • Struggling to keep the website up
  3. Dyn timeline
     • Oct 21st - Doug Madory gives a talk on BackConnect
     • Oct 21st - Dyn attack starts
       • Non-spoofed, mostly Mirai-based botnets
       • 100k "endpoints"
       • Mostly DNS traffic
  4. Mirai
     • Chinese security cameras with default Telnet password
     • Some evidence for WD disks
     • Some evidence for customer modems/routers
       • Deutsche Telekom port 7547 TR-069
  5. Mirai
     • Very short attacks, https://twitter.com/miraiattacks
     • HTTP
       • 5 hardcoded user agents
     • SYN, ACK, UDP, DNS, Valve, GRE
     • 30k-75k devices
  6. Cloudflare point of view

  7. Most common attacks
     • L3 - SYN
     • L3 - DNS
     • L7 - HTTP
  8. SYN
     • Many of the big volumetric attacks
       • https://blog.cloudflare.com/the-daily-ddos-ten-days-of-massive-attacks/
       • https://blog.cloudflare.com/a-winter-of-400gbps-weekend-ddos-attacks/
     • Directly hitting the target IP (not amplified)
     • Often spoofed source IP
  9. SYN - thanksgiving 9

  10. SYN - thanksgiving 10

  11. Mitigation: iptables and BPF
     • https://blog.cloudflare.com/introducing-the-p0f-bpf-compiler/

     iptables -A INPUT \
       --dst 1.2.3.4 \
       -p udp --dport 53 \
       -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
       -j DROP
  12. Mitigation: scattering

     dig example.com A
     1.2.3.4
     1.2.3.5
     1.2.3.6
     1.2.3.7

  13. Why scattering works
     • L3 attacks often have hardcoded destination IPs
     • A low DNS TTL allows the target to scatter across addresses
  14. DNS - random prefix
     • Miss the cache, NXDOMAIN
     • Overload the authoritative DNS
     • Hard to defend
  15. DNS - random prefix

     1.666 --ip=173.245.59.101/32 --port=53 "*.example.com"
     1.639 --ip=173.245.58.211/32 --port=53 "*.example.com"
     0.297 --ip=2400:cb00:2049:1::adf5:3b61/128 --port=53 "*.example.com"
     0.274 --ip=2400:cb00:2049:1::adf5:3ad1/128 --port=53 "*.example.com"

     • Random prefix queries
     • Bounced off real recursors

     mzcjgtofshadofgp.example.com.
     eleloletajgj.example.com.
     ovcpkpij.example.com.
  16. HTTP attacks
     • Most: dumb repetitive HTTP requests
     • IP reputation generally works
  17. HTTP - Mirai-like

     GET /en HTTP/1.1
     User-Agent: <some string>
     Cookie: <some cookie>
     Host: example.com
     Connection: close
     Content-Length: 800000

     a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...
  18. HTTP - Mirai-like 18

  19. HTTP - Mirai-like 19

  20. HTTP - Mirai-like
     • Should it be received?
     • 52k source IPs
     • Mostly Ukraine - hacked customer routers/modems?
  21. Takeaways 21

  22. Takeaways
     • Direct volumetric SYN floods
       • Go up to 450 Gbps and 100M pps per target
       • Use a small DNS TTL to be able to "scatter" - retire IPs
     • Random-prefix DNS
       • Hard to defend
     • HTTP attacks
       • IP reputation works (iptables)
       • Dynamic WAF / "firewall-like" rules for blocking repetitive traffic

  32. Anycast 32

  33. ECMP
     (diagram: ECMP router, dst ip 1.2.3.4, traffic hashed across server #1, server #2, server #3; hash % 1, hash % 2, hash % 3)
  34. Gatebot - Automatic attack handling

  35. Automatic attack handling
     (diagram: sflow, Attack Detection, Mitigation Database, Reactive Automation, iptables)
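Added example, not part of the deck or of Cloudflare's tooling: a minimal interpreter for the decimal classic-BPF format that `iptables -m bpf --bytecode` accepts, run over constructed DNS packets so the rule on slide 11 can be inspected offline. Decoding the constants shows that 124090465, 1836084325 and 56848237 are the bytes "\x07exa", "mple" and "\x03com", i.e. the program drops only queries whose QNAME is exactly example.com, while random-prefix queries like those on slide 15 fall through to ret #0. Assumptions: IPv4 without options, checksums zeroed, and only the opcodes this one program uses are implemented.

```python
import struct

# Program from slide 11, in the form iptables -m bpf --bytecode accepts:
# "<count>,<code> <jt> <jf> <k>,..." with one "code jt jf k" tuple per instruction.
BYTECODE = ("14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,"
            "64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,"
            "21 0 1 0,6 0 0 1,6 0 0 0")

def parse_bytecode(text):
    parts = text.split(",")
    insns = [tuple(int(f) for f in p.split()) for p in parts[1:]]
    assert len(insns) == int(parts[0])
    return insns

def run_cbpf(insns, pkt):
    """Tiny classic-BPF interpreter covering only the opcodes in this program.
    With iptables -m bpf the packet buffer starts at the IP header."""
    a = x = pc = 0
    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        pc += 1
        if code == 0x00:    a = k                       # ld #k
        elif code == 0xb1:  x = 4 * (pkt[k] & 0x0f)     # ldx 4*([k]&0xf): IP header length
        elif code == 0x0c:  a = (a + x) & 0xffffffff    # add x -> 20 + IHL = offset of QNAME
        elif code == 0x07:  x = a                       # tax
        elif code == 0x40:                              # ld [x+k], 32-bit big-endian
            if x + k + 4 > len(pkt): return 0           # out-of-bounds load: no match
            a = struct.unpack_from("!I", pkt, x + k)[0]
        elif code == 0x50:                              # ldb [x+k]
            if x + k >= len(pkt): return 0
            a = pkt[x + k]
        elif code == 0x15:  pc += jt if a == k else jf  # jeq #k, jt, jf
        elif code == 0x06:  return k                    # ret #k: non-zero = match (-j DROP)
        else: raise ValueError("unsupported opcode 0x%02x" % code)
    return 0

def dns_query_packet(qname):
    """Constructed IPv4/UDP/DNS A query (checksums zeroed, no IP options) for testing."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!2H", 1, 1)
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([198, 51, 100, 7]), bytes([1, 2, 3, 4]))
    return ip + udp

def rule_matches(qname):
    """True when the slide's filter would drop a query for this name."""
    return run_cbpf(parse_bytecode(BYTECODE), dns_query_packet(qname)) != 0
```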