
Recent DDoS

majek04
December 06, 2016

Transcript

  1. Recent DDoS
    Marek Majkowski
    marek@cloudflare.com

  2. Krebs timeline
    • 10th Sept - Krebs publishes VDoS database dump
    • 20th Sept - BackConnect BGP hijacks article
    • 21st Sept - 620 Gbps attack reported
      • Mostly GRE
    • 22nd Sept - Prolexic / Akamai kick Krebs out
    • 25th Sept - Onboarded on Google Project Shield
    • Struggling to keep the website up

  3. Dyn timeline
    • Oct 21st - Doug Madory gives a talk on BackConnect
    • Oct 21st - Dyn attack starts
      • Non-spoofed, mostly Mirai-based botnets
      • 100k "endpoints"
      • Mostly DNS traffic

  4. Mirai
    • Chinese security cameras with default Telnet password
    • Some evidence for WD disks
    • Some evidence for customer modems/routers
      • Deutsche Telekom port 7547 TR-069

  5. Mirai
    • Very short attacks, https://twitter.com/miraiattacks
    • HTTP
      • 5 hardcoded user agents
    • SYN, ACK, UDP, DNS, Valve, GRE
    • 30k-75k devices

  6. Cloudflare Point of view

  7. Most common attacks
    • L3 - SYN
    • L3 - DNS
    • L7 - HTTP

  8. SYN
    • Many of the big volumetric attacks
      • https://blog.cloudflare.com/the-daily-ddos-ten-days-of-massive-attacks/
      • https://blog.cloudflare.com/a-winter-of-400gbps-weekend-ddos-attacks/
    • Directly hitting the target IP (not amplified)
    • Often spoofed source IP

  9. SYN - thanksgiving

  10. SYN - thanksgiving

  11. Mitigation: iptables and BPF
    • https://blog.cloudflare.com/introducing-the-p0f-bpf-compiler/
    • Match on packet contents with -m bpf: the bytecode below compares the DNS question name, byte for byte, against the wire form of example.com (\x07example\x03com\x00), which starts IHL + 20 bytes into the packet

    iptables -A INPUT \
        --dst 1.2.3.4 \
        -p udp --dport 53 \
        -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
        -j DROP
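The following is an added example, not code from the slides and not Cloudflare's BPF tooling. It shows where a bytecode string of this shape comes from and what it does: a generator that emits the classic-BPF program matching an arbitrary DNS question name, a minimal interpreter for the handful of opcodes it uses, and a constructed IPv4/UDP/DNS query (not a real capture) to run the filter against. Generating the filter for example.com reproduces the string on the slide exactly. The function and constant names, the 4/2/1-byte load split and the sample packet layout are all choices made here.

```python
import struct

# Classic BPF opcodes (from linux/filter.h) for the subset this generator emits.
LD_IMM   = 0x00  # A = k
LDX_MSH  = 0xb1  # X = 4 * (P[k] & 0x0f), i.e. the IPv4 header length
ADD_X    = 0x0c  # A = A + X
TAX      = 0x07  # X = A
LD_IND_W = 0x40  # A = P[X+k : X+k+4]  (big-endian)
LD_IND_H = 0x48  # A = P[X+k : X+k+2]
LD_IND_B = 0x50  # A = P[X+k]
JEQ_K    = 0x15  # pc += jt if A == k else jf
RET_K    = 0x06  # return k (non-zero means "match")


def dns_wire_name(name):
    """Encode a domain name in DNS wire format: "example.com" -> \\x07example\\x03com\\x00."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    for label in labels:
        if len(label) > 63:
            raise ValueError("label too long: %r" % label)
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def qname_filter(name):
    """Build a cBPF program, as (op, jt, jf, k) tuples, that returns 1 for an
    IPv4/UDP packet whose first DNS question name is exactly `name`.
    Offsets start at the IPv4 header, which is what iptables' xt_bpf feeds in."""
    wire = dns_wire_name(name)
    # Compare the wire name with 4-byte loads, then a 2-byte and/or 1-byte tail.
    loads, off = [], 0
    while off < len(wire):
        for width, op in ((4, LD_IND_W), (2, LD_IND_H), (1, LD_IND_B)):
            if len(wire) - off >= width:
                loads.append((op, off, int.from_bytes(wire[off:off + width], "big")))
                off += width
                break
    prog = [
        (LD_IMM,  0, 0, 20),  # A = UDP header (8) + DNS header (12)
        (LDX_MSH, 0, 0, 0),   # X = IPv4 header length (so IP options do not break the offset)
        (ADD_X,   0, 0, 0),   # A = IHL + 20
        (TAX,     0, 0, 0),   # X = offset of the question section
    ]
    fail = len(prog) + 2 * len(loads) + 1  # index of the final "ret #0"
    for op, off, k in loads:
        prog.append((op, 0, 0, off))
        prog.append((JEQ_K, 0, fail - len(prog) - 1, k))  # any mismatch jumps to ret #0
    prog.append((RET_K, 0, 0, 1))
    prog.append((RET_K, 0, 0, 0))
    return prog


def to_bytecode(prog):
    """Render the program the way `iptables -m bpf --bytecode` expects it."""
    return ",".join([str(len(prog))] + ["%d %d %d %d" % insn for insn in prog])


def run_filter(prog, pkt):
    """Tiny cBPF interpreter for the opcodes above; returns the program's ret value."""
    a = x = pc = 0
    widths = {LD_IND_W: 4, LD_IND_H: 2, LD_IND_B: 1}
    while True:
        op, jt, jf, k = prog[pc]
        pc += 1
        if op == LD_IMM:
            a = k
        elif op == LDX_MSH:
            x = 4 * (pkt[k] & 0x0f)
        elif op == ADD_X:
            a = (a + x) & 0xffffffff
        elif op == TAX:
            x = a
        elif op in widths:
            chunk = pkt[x + k:x + k + widths[op]]
            if len(chunk) < widths[op]:
                return 0  # load past the end of the packet: no match, as in the kernel
            a = int.from_bytes(chunk, "big")
        elif op == JEQ_K:
            pc += jt if a == k else jf
        elif op == RET_K:
            return k
        else:
            raise ValueError("unsupported opcode 0x%02x" % op)


def dns_query_packet(name, ihl_words=5):
    """Constructed IPv4 + UDP + DNS query (not a real capture) carrying only the
    fields the filter reads; ihl_words > 5 simulates IP options."""
    ip_hdr = bytes([0x40 | ihl_words]) + b"\x00" * (ihl_words * 4 - 1)
    udp_hdr = struct.pack("!HHHH", 40000, 53, 0, 0)
    dns_hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # one question, RD set
    return ip_hdr + udp_hdr + dns_hdr + dns_wire_name(name) + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    prog = qname_filter("example.com")
    print("-m bpf --bytecode \"%s\"" % to_bytecode(prog))
    for q in ("example.com", "www.example.com", "examples.com"):
        print("%-20s -> %d" % (q, run_filter(prog, dns_query_packet(q))))
```

Two caveats a practitioner will hit. The comparison is byte-exact, so a query for `ExAmPlE.com` (DNS names are case-insensitive, and some resolvers randomise case) slips past this program; folding case in cBPF means OR-ing each loaded word with 0x20202020 before the compare and applying the same transform to the constant. And a filter this precise also drops every legitimate query for that name on the matched destination, so it is normally combined with source, rate or zone conditions rather than used as a bare DROP.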

  12. Mitigation: scattering
    dig +short example.com A
    1.2.3.4
    1.2.3.5
    1.2.3.6
    1.2.3.7

  13. Why scattering works
    • L3 attacks often have hardcoded destination IPs
    • A low DNS TTL makes it possible to scatter: add addresses, retire the ones under attack

  14. DNS - random prefix
    • Random names miss every cache and end in NXDOMAIN
    • Overloads the authoritative DNS
    • Hard to defend

  15. DNS - random prefix
    1.666 --ip=173.245.59.101/32 --port=53 "*.example.com"
    1.639 --ip=173.245.58.211/32 --port=53 "*.example.com"
    0.297 --ip=2400:cb00:2049:1::adf5:3b61/128 --port=53 "*.example.com"
    0.274 --ip=2400:cb00:2049:1::adf5:3ad1/128 --port=53 "*.example.com"
    • Random prefix queries
      mzcjgtofshadofgp.example.com.
      eleloletajgj.example.com.
      ovcpkpij.example.com
    • Bounced off real recursors
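An added example, not from the slides or from Cloudflare, of the detection side of the random-prefix problem described on the last two slides: an authoritative-server query log is summarised per zone, and a zone is flagged when almost every query is for a name nobody asked for before and almost every answer is NXDOMAIN. The log format ("client qname qtype rcode"), the sample lines (the first three random labels are the ones on the slide, the rest are made up), the thresholds and the assumption that a zone is the last two labels are all constructed here.

```python
from collections import Counter, defaultdict

# Constructed authoritative-server query log, one "client qname qtype rcode" per line.
# Not real data: the first three random labels are the ones on the slide, the rest are invented.
SAMPLE_LOG = """\
198.51.100.10 mzcjgtofshadofgp.example.com. A NXDOMAIN
198.51.100.11 eleloletajgj.example.com. A NXDOMAIN
198.51.100.12 ovcpkpij.example.com. A NXDOMAIN
198.51.100.10 qwzpdkrlvbaxtv.example.com. A NXDOMAIN
198.51.100.13 hjzqxvpnodk.example.com. A NXDOMAIN
198.51.100.11 trbvzuqlmxe.example.com. A NXDOMAIN
198.51.100.14 zkxqwvjpt.example.com. A NXDOMAIN
198.51.100.12 pdjwqxfcvblrz.example.com. A NXDOMAIN
198.51.100.10 www.example.com. A NOERROR
198.51.100.20 www.example.org. A NOERROR
198.51.100.21 www.example.org. A NOERROR
198.51.100.20 mail.example.org. MX NOERROR
198.51.100.22 www.example.org. AAAA NOERROR
198.51.100.23 www.example.org. A NOERROR
198.51.100.21 api.example.org. A NOERROR
198.51.100.24 typo.example.org. A NXDOMAIN
"""


def zone_of(qname, depth=2):
    """Assumption: the zone is the last `depth` labels (no public-suffix handling)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def summarize(log_text, depth=2):
    """Per zone: query count, share of never-seen-before names, NXDOMAIN share,
    and the busiest clients (on the slide these are real recursors, not bots)."""
    zones = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "names": set(), "clients": Counter()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, _qtype, rcode = line.split()
        z = zones[zone_of(qname, depth)]
        z["queries"] += 1
        z["nxdomain"] += rcode == "NXDOMAIN"
        z["names"].add(qname.rstrip(".").lower())
        z["clients"][client] += 1
    return {
        zone: {
            "queries": z["queries"],
            "distinct_ratio": len(z["names"]) / z["queries"],   # ~1.0 means every query is a cache miss
            "nxdomain_ratio": z["nxdomain"] / z["queries"],
            "top_clients": z["clients"].most_common(3),
        }
        for zone, z in zones.items()
    }


def flag_random_prefix(summary, min_queries=8, min_distinct_ratio=0.8, min_nxdomain_ratio=0.8):
    """Zones whose traffic looks like a random-prefix flood. Thresholds are illustrative;
    in production they apply per time window, not to a whole log."""
    return sorted(
        zone for zone, s in summary.items()
        if s["queries"] >= min_queries
        and s["distinct_ratio"] >= min_distinct_ratio
        and s["nxdomain_ratio"] >= min_nxdomain_ratio
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for zone in flag_random_prefix(summary):
        s = summary[zone]
        print("%s: %d queries, %.0f%% new names, %.0f%% NXDOMAIN, top clients %s"
              % (zone, s["queries"], 100 * s["distinct_ratio"],
                 100 * s["nxdomain_ratio"], s["top_clients"]))
```

The output deliberately reports the top clients rather than feeding them to a blocklist: because the queries are bounced off real recursors, blocking by source IP would cut off legitimate resolvers, so the response has to be per zone (absorbing or rate-limiting NXDOMAIN answers, or giving that zone more authoritative capacity), which is why the slide calls this one hard to defend.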

  16. HTTP attacks
    • Most are dumb, repetitive HTTP requests
    • IP reputation generally works

  17. HTTP - Mirai-like
    GET /en HTTP/1.1
    User-Agent:
    Cookie:
    Host: example.com
    Connection: close
    Content-Length: 800000

    a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...

  18. HTTP - Mirai-like

  19. HTTP - Mirai-like

  20. HTTP - Mirai-like
    • Should it be received?
    • 52k source IPs
    • Mostly Ukraine - hacked customer routers/modems?
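An added example, not from the slides or from any Cloudflare code, that answers the slide's "should it be received?" from the headers alone, before buffering 800000 bytes per connection, and pairs it with the kind of "firewall-like" repetition rule the takeaways mention for feeding an IP blocklist. The parser, the trait names, the body-size limit, the two-trait rejection rule and the per-source window are all choices made here; the sample request is rebuilt from the slide with the elided body filled in with the same repeated `a[]=&b[]=` pattern.

```python
import re
from collections import defaultdict, deque

MAX_BODY_BYTES = 64 * 1024   # assumed: largest body we are willing to buffer on this route
BODY_PROBE_BYTES = 256       # assumed: how much already-received body we inspect
ARRAY_PARAM_RE = re.compile(rb"(?:[A-Za-z0-9_]+\[\]=&?)+")  # a[]=&b[]=&a[]=... as on the slide


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line, headers and whatever body
    bytes arrived with it. Header names are lower-cased; blank values stay ''."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def mirai_like_traits(req):
    """Traits shared with the request on the slide, judged from the headers plus
    the body bytes that are already in the socket buffer (nothing more is read)."""
    h, traits = req["headers"], []
    if h.get("user-agent") == "":
        traits.append("empty-user-agent")       # header present, value empty
    if h.get("cookie") == "":
        traits.append("empty-cookie")
    try:
        declared = int(h.get("content-length", "0"))
    except ValueError:
        declared = -1
    if declared < 0:
        traits.append("bad-content-length")
    if req["method"] == "GET" and declared > 0:
        traits.append("get-with-body")
    if declared > MAX_BODY_BYTES:
        traits.append("oversized-body")
    probe = req["body"][:BODY_PROBE_BYTES]
    m = ARRAY_PARAM_RE.match(probe) if probe else None
    if m and m.end() * 10 >= len(probe) * 9:    # tolerate a token cut off at the probe edge
        traits.append("repeated-array-params")
    return traits


def decide(req, min_traits=2):
    """'reject' means close the connection without reading the declared body;
    a single odd trait on its own is not enough to refuse a request."""
    return "reject" if len(mirai_like_traits(req)) >= min_traits else "accept"


class RepetitionTracker:
    """Count identical request shapes per source IP in a sliding window and
    collect sources that should go to the IP blocklist (the iptables step)."""

    def __init__(self, threshold=20, window_s=10.0):
        self.threshold, self.window_s = threshold, window_s
        self.seen = defaultdict(deque)   # (ip, shape) -> timestamps inside the window
        self.blocked = set()

    @staticmethod
    def shape(req):
        h = req["headers"]
        return (req["method"], req["target"], h.get("user-agent"), h.get("content-length"))

    def observe(self, ip, req, now):
        """Record one request; returns True once `ip` is on the blocklist."""
        q = self.seen[(ip, self.shape(req))]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(ip)
        return ip in self.blocked


# The slide's request, with the elided body filled in (constructed, not captured).
SLIDE_REQUEST = (b"GET /en HTTP/1.1\r\nUser-Agent: \r\nCookie: \r\nHost: example.com\r\n"
                 b"Connection: close\r\nContent-Length: 800000\r\n\r\n" + b"a[]=&b[]=" * 50)

if __name__ == "__main__":
    req = parse_request(SLIDE_REQUEST)
    print(mirai_like_traits(req), "->", decide(req))
    tracker = RepetitionTracker(threshold=3)
    for t in (0.0, 0.5, 1.0):
        print("203.0.113.7 blocked:", tracker.observe("203.0.113.7", req, t))
```

A reject decision here means answering early (for example 413 or 403) and closing, so the 800 kB body is never read or forwarded. Keying the blocklist on source IP is only sound because this is completed-handshake L7 traffic, where the address cannot be spoofed; the same rule applied to the SYN floods earlier in the deck would block whoever the attacker chose to impersonate.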

  21. Takeaways
    • Direct volumetric SYN floods
      • Reach up to 450 Gbps and 100M pps per target
      • Use a small DNS TTL to be able to "scatter": retire attacked IPs
    • Random-prefix DNS
      • Hard to defend
    • HTTP attacks
      • IP reputation works (iptables)
      • Dynamic WAF / firewall-like rules for blocking repetitive traffic

  22. ECMP
    [Diagram: an ECMP router receives packets for dst ip 1.2.3.4, hashes each flow and forwards it to one of server #1, server #2 or server #3 (hash modulo the number of servers)]

  23. Gatebot
    Automatic attack handling

  24. Automatic attack handling
    [Diagram: the automatic attack handling loop, built from sflow, Attack Detection, Reactive Automation, a Mitigation Database and iptables]