Recent DDoS

Transcript

1. Recent DDoS Marek Majkowski marek@cloudflare.com

2. Krebs timeline • 10th Sept - Krebs publishes VDoS database

   dump • 20th Sept - BackConnect BGP hijacks article • 21th Sept - 620 Gbps attack reported • Mostly GRE • 22nd Sept - Prolexic / Akamai kick Krebs out • 25th Sept - Onboarded on Google Project Shield • Struggling to keep the website up 2

3. Dyn timeline • Oct 21st - Doug Madory gives a

   talk on BackConnect • Oct 21st - Dyn attack starts • Non-spoofed, mostly Mirai-based botnets • 100k "endpoints" • Mostly DNS traffic 3

4. Mirai ! ! ! • Chinese security cameras with default

   Telnet pass • Some evidence for WD disks • Some evidence for customer modem/routers • Deutsche Telekom port 7547 TR-069 4

5. Mirai • Very short attacks, https://twitter.com/miraiattacks • HTTP • 5

   hardcoded user agents • SYN, ACK, UDP, DNS, Valve, GRE • 30k-75k devices 5

6. Cloudflare Point of view 6

7. Most common attacks • L3 - SYN • L3 -

   DNS • L7 - HTTP 7

8. SYN • Many of the big volumetric attacks • https://blog.cloudflare.com/the-daily-ddos-ten-days-of-massive-

   attacks/ • https://blog.cloudflare.com/a-winter-of-400gbps-weekend-ddos- attacks/ • Directly hitting the target IP (not amplified) • Often spoofed source IP 8

9. SYN - thanksgiving 9

10. SYN - thanksgiving 10

11. Mitigation: iptables and BPF • https://blog.cloudflare.com/introducing-the-p0f-bpf-compiler/ 11 ! iptables -A

    INPUT \! --dst 1.2.3.4 \! -p udp --dport 53 \! -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \! -j DROP!

12. Mitigation: scattering 12 dig example.com A 1.2.3.4 1.2.3.5 1.2.3.6 1.2.3.7

13. Why scattering works • L3 Attacks often have hardcoded destination

    IP's • Low DNS TTL allows to scatter 13

14. DNS - random prefix 14 • Miss the cache NXDOMAIN

    • Overload Auth DNS • Hard to defend

15. DNS - random prefix 15 ! 1.666 --ip=173.245.59.101/32 --port=53 "*.example.com"

    1.639 --ip=173.245.58.211/32 --port=53 "*.example.com" 0.297 --ip=2400:cb00:2049:1::adf5:3b61/128 --port=53 "*.example.com" 0.274 --ip=2400:cb00:2049:1::adf5:3ad1/128 --port=53 "*.example.com" • Random prefix queries ! ! ! • Bounced off real recursors mzcjgtofshadofgp.example.com. eleloletajgj.example.com. ovcpkpij.example.com

16. HTTP attacks • Most: dumb repetitive http requests • IP

    reputation generally works 16

17. HTTP - Mirai-like 17 GET /en HTTP/1.1 ! User-Agent: <some

    string> ! Cookie: <some cookie> ! Host: example.com ! Connection: close ! Content-Length: 800000! ! a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...!

18. HTTP - Mirai-like 18

19. HTTP - Mirai-like 19

20. HTTP - Mirai-like • Should it be received? • 52k

    source IP's • Mostly Ukraine - hacked customer routers/modems? 20

21. Takeaways 21

22. Takeaways • Direct volumetric SYN floods • Go up to

    450gbps and 100M pps per target • Use small DNS TTL to be able to "scatter" - retire IP's • Random-prefix DNS • Hard to defend • HTTP attacks • IP reputation works (iptables) • Dynamic WAF / "firewall alike" rules for blocking repetitive traffic 22

23. 23

24. 24

25. 25

26. 26

27. 27

28. 28

29. 29

30. 30

31. 31

32. Anycast 32

33. ECMP 33 ECMP router dst ip: 1.2.3.4 server #1 server

    #2 server #3 hash % 2 hash % 1 hash % 3

34. 34 Gatebot Automatic attack handling

35. Automatic attack handling 35 Mitigation Database sflow iptables Attack Detection

    Reactive Automation 35