
Recent DDoS

majek04
December 06, 2016


Transcript

  1. Recent DDoS
    Marek Majkowski, Cloudflare

  2. Krebs timeline
    • 10th Sept - Krebs publishes VDoS database dump
    • 20th Sept - BackConnect BGP hijacks article
    • 21st Sept - 620 Gbps attack reported
      • Mostly GRE
    • 22nd Sept - Prolexic / Akamai kick Krebs out
    • 25th Sept - Onboarded on Google Project Shield
    • Struggling to keep the website up

  3. Dyn timeline
    • Oct 21st - Doug Madory gives a talk on BackConnect
    • Oct 21st - Dyn attack starts
      • Non-spoofed, mostly Mirai-based botnets
      • 100k "endpoints"
      • Mostly DNS traffic

  4. Mirai
    • Chinese security cameras with default Telnet password
    • Some evidence for WD disks
    • Some evidence for customer modems/routers
      • Deutsche Telekom port 7547 TR-069

  5. Mirai
    • Very short attacks, https://twitter.com/miraiattacks
    • HTTP
      • 5 hardcoded user agents
    • SYN, ACK, UDP, DNS, Valve, GRE
    • 30k-75k devices

  6. Cloudflare Point of view

  7. Most common attacks
    • L3 - SYN
    • L3 - DNS
    • L7 - HTTP

  8. SYN
    • Many of the big volumetric attacks
    • https://blog.cloudflare.com/the-daily-ddos-ten-days-of-massive-attacks/
    • https://blog.cloudflare.com/a-winter-of-400gbps-weekend-ddos-attacks/
    • Directly hitting the target IP (not amplified)
    • Often spoofed source IP

  9. SYN - thanksgiving (image only)

  10. SYN - thanksgiving (image only)

  11. Mitigation: iptables and BPF
    • https://blog.cloudflare.com/introducing-the-p0f-bpf-compiler/

    # Drops UDP/53 packets to 1.2.3.4 whose DNS question name is exactly
    # example.com: the bytecode skips the IPv4, UDP and DNS headers and then
    # compares the QNAME bytes \x07example\x03com\x00 a word at a time.
    iptables -A INPUT \
      --dst 1.2.3.4 \
      -p udp --dport 53 \
      -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
      -j DROP
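
The bytecode on the slide decodes to a comparison of the DNS question name against \x07example\x03com\x00, four bytes at a time, after using the IPv4 header length to find the start of the question. As an added example (not Cloudflare's bpftools and not code from the deck), the Python below generates that same xt_bpf string for any name, supports a leading "*" label as in the "*.example.com" filters on the random-prefix slide, and checks the program with a small classic-BPF interpreter on a constructed IPv4/UDP/DNS packet. The packet contents, the 1.2.3.4 target and the wildcard handling are constructions for this example.

```python
# Added example (not Cloudflare's bpftools, not code from the deck): build the
# "count,code jt jf k,..." string that `iptables -m bpf --bytecode` accepts for a
# classic-BPF filter matching a DNS query whose first question name equals a given
# name, then check it with a tiny cBPF interpreter on a constructed packet.
import struct

# classic BPF opcodes (values from linux/filter.h)
LD_IMM, LD_W_IND, LD_H_IND, LD_B_IND = 0x00, 0x40, 0x48, 0x50
LDX_MSH, ADD_K, ADD_X, TAX, JEQ_K, RET_K = 0xb1, 0x04, 0x0c, 0x07, 0x15, 0x06
UDP_HDR, DNS_HDR = 8, 12


def wire_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (DNS wire format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dns_qname_filter(name):
    """cBPF program returning 1 when the first question name equals `name`.
    A leading '*' label matches any one label (the random-prefix case)."""
    labels = name.rstrip(".").split(".")
    insns = [(LD_IMM, 0, 0, UDP_HDR + DNS_HDR),  # A = 20
             (LDX_MSH, 0, 0, 0),                 # X = 4 * (pkt[0] & 0xf), the IPv4 header length
             (ADD_X, 0, 0, 0),                   # A = offset of the first QNAME byte
             (TAX, 0, 0, 0)]                     # X = that offset
    if labels[0] == "*":
        insns += [(LD_B_IND, 0, 0, 0),  # A = length of the unknown first label
                  (ADD_K, 0, 0, 1),     # A = len + 1 (count the length byte too)
                  (ADD_X, 0, 0, 0),     # A = X + len + 1
                  (TAX, 0, 0, 0)]       # X now points at the next label
        labels = labels[1:]
    data = wire_name(".".join(labels))
    chunks, off = [], 0
    while off < len(data):  # compare 4, then 2, then 1 byte at a time
        n = 4 if len(data) - off >= 4 else 2 if len(data) - off >= 2 else 1
        chunks.append((off, data[off:off + n]))
        off += n
    for i, (off, chunk) in enumerate(chunks):
        code = {4: LD_W_IND, 2: LD_H_IND, 1: LD_B_IND}[len(chunk)]
        jf = 2 * (len(chunks) - i - 1) + 1  # on mismatch jump to the final "ret 0"
        insns.append((code, 0, 0, off))
        insns.append((JEQ_K, 0, jf, int.from_bytes(chunk, "big")))
    return insns + [(RET_K, 0, 0, 1), (RET_K, 0, 0, 0)]


def to_xt_bpf(insns):
    """Encode for `iptables -m bpf --bytecode "..."`."""
    return ",".join([str(len(insns))] + [" ".join(map(str, i)) for i in insns])


def run_cbpf(insns, pkt):
    """Interpreter for the opcodes used above.  As with xt_bpf on INPUT, the packet
    starts at the IPv4 header; an out-of-bounds load makes the program return 0."""
    A = X = pc = 0
    width = {LD_W_IND: 4, LD_H_IND: 2, LD_B_IND: 1}

    def load(off, n):
        if off < 0 or off + n > len(pkt):
            raise IndexError
        return int.from_bytes(pkt[off:off + n], "big")

    try:
        while True:
            code, jt, jf, k = insns[pc]
            pc += 1
            if code == LD_IMM:
                A = k
            elif code in width:
                A = load(X + k, width[code])
            elif code == LDX_MSH:
                X = 4 * (load(k, 1) & 0xf)
            elif code == ADD_K:
                A = (A + k) & 0xffffffff
            elif code == ADD_X:
                A = (A + X) & 0xffffffff
            elif code == TAX:
                X = A
            elif code == JEQ_K:
                pc += jt if A == k else jf
            elif code == RET_K:
                return k
            else:
                raise ValueError("unsupported opcode %#x" % code)
    except IndexError:
        return 0


def dns_query_packet(qname, ip_options=b""):
    """Constructed IPv4/UDP/DNS A query (checksums left at zero; the filter ignores them)."""
    dns = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
           + wire_name(qname) + struct.pack("!HH", 1, 1))       # QTYPE A, QCLASS IN
    udp = struct.pack("!HHHH", 40000, 53, UDP_HDR + len(dns), 0) + dns
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 4 * ihl + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([1, 2, 3, 4]))
    return ip + ip_options + udp


if __name__ == "__main__":
    prog = dns_qname_filter("example.com")
    print('iptables -A INPUT --dst 1.2.3.4 -p udp --dport 53 -m bpf --bytecode "%s" -j DROP'
          % to_xt_bpf(prog))
    print(run_cbpf(prog, dns_query_packet("example.com")),   # 1: matches
          run_cbpf(prog, dns_query_packet("example.org")))   # 0: does not
```

Running it prints the exact rule from the slide. The LDX_MSH prologue is what makes the program survive IPv4 options (IHL > 5); a filter with a fixed offset 40 would silently miss those packets. The wildcard variant only skips one leading label, which is enough for the single random label the flood on the next slides uses; a name with two random labels would not match.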

  12. Mitigation: scattering
    dig example.com A
    1.2.3.4
    1.2.3.5
    1.2.3.6
    1.2.3.7

  13. Why scattering works
    • L3 attacks often have hardcoded destination IPs
    • A low DNS TTL allows scattering
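
As an added example (not code from the deck), a small simulation of the scattering argument with constructed addresses and timings: the attacker resolves once and hard-codes the address, clients honour the TTL, and the operator retires the attacked address. With a 60 s TTL every client has moved on within a minute; with a 3600 s TTL some clients keep sending to the retired address for up to an hour, which is why a low TTL is a precondition for retiring IPs.

```python
# Added example (not code from the deck): the scattering argument as a simulation.
# A zone hands out several addresses, an L3 flood hard-codes the one it resolved
# at launch, the operator retires that address, and clients that honour the TTL
# move on within at most TTL seconds.  Addresses and timings are constructed.
import itertools

TTL_LOW, TTL_HIGH = 60, 3600


class Zone:
    """Authoritative side: the live address set and the TTL it advertises."""
    def __init__(self, addresses, ttl):
        self.live, self.ttl = list(addresses), ttl
        self._rr = itertools.cycle(self.live)

    def resolve(self, now):
        """One A record, round-robin, with the time the answer expires."""
        return next(self._rr), now + self.ttl

    def retire(self, address):
        """Stop announcing `address`; the edge drops everything sent to it."""
        self.live.remove(address)
        self._rr = itertools.cycle(self.live)

    def delivers(self, address):
        return address in self.live


class Client:
    """Honours the TTL: re-resolves only once the cached answer has expired."""
    def __init__(self, zone):
        self.zone, self.addr, self.expires = zone, None, -1

    def target(self, now):
        if now >= self.expires:
            self.addr, self.expires = self.zone.resolve(now)
        return self.addr


class Attacker:
    """Resolves once when the attack starts and hard-codes that address."""
    def __init__(self, zone, now):
        self.addr, _ = zone.resolve(now)

    def target(self, now):
        return self.addr


def simulate(ttl, check_at):
    """Everyone resolves at t=0, the attacked address is retired, and at
    `check_at` we count who still sends traffic to the retired address."""
    zone = Zone(["1.2.3.4", "1.2.3.5", "1.2.3.6", "1.2.3.7"], ttl)
    clients = [Client(zone) for _ in range(8)]
    for c in clients:
        c.target(0)
    attacker = Attacker(zone, 0)
    zone.retire(attacker.addr)
    return {"attacker_reaches": zone.delivers(attacker.target(check_at)),
            "clients_stranded": sum(not zone.delivers(c.target(check_at)) for c in clients)}


if __name__ == "__main__":
    for ttl in (TTL_LOW, TTL_HIGH):
        print("TTL %4d, 160 s after retiring:" % ttl, simulate(ttl, 160))
```

The worst case for legitimate users is exactly one TTL: that is the budget the operator has to decide whether retiring an address costs less than absorbing the flood on it.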

  14. DNS - random prefix
    • Misses the cache: every query is a fresh NXDOMAIN
    • Overloads the auth DNS
    • Hard to defend

  15. DNS - random prefix
    • Random prefix queries
    1.666 --ip=173.245.59.101/32 --port=53 "*.example.com"
    1.639 --ip=173.245.58.211/32 --port=53 "*.example.com"
    0.297 --ip=2400:cb00:2049:1::adf5:3b61/128 --port=53 "*.example.com"
    0.274 --ip=2400:cb00:2049:1::adf5:3ad1/128 --port=53 "*.example.com"
    • Bounced off real recursors
    mzcjgtofshadofgp.example.com.
    eleloletajgj.example.com.
    ovcpkpij.example.com
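
Because the queries arrive from real recursors, source-based blocking is off the table and detection has to come from the query names and answers themselves. As an added example (not Cloudflare's tooling), the Python below scores authoritative query logs per zone on three signals: the share of first labels that are distinct, the NXDOMAIN share, and the mean Shannon entropy of the first label. The log format and lines are constructed for the example (three of the names are the ones on the slide), and the rule "zone = last two labels" is an assumption that a public-suffix list would replace.

```python
# Added example (not Cloudflare's tooling): flag zones under a random-prefix flood
# from authoritative query logs.  The log format is constructed for this example:
# "<client> <qname> <rcode>" per line.  "Zone" is assumed to be the last two
# labels, which is wrong for e.g. co.uk; a public-suffix list fixes that.
import math
from collections import defaultdict

SAMPLE_LOG = """\
198.51.100.7 mzcjgtofshadofgp.example.com. NXDOMAIN
198.51.100.9 eleloletajgj.example.com. NXDOMAIN
203.0.113.4 ovcpkpij.example.com. NXDOMAIN
198.51.100.7 qwzmxnrtbv.example.com. NXDOMAIN
203.0.113.8 ghtyuokdfls.example.com. NXDOMAIN
198.51.100.12 plmkoijnbh.example.com. NXDOMAIN
203.0.113.4 xcvbnmasdf.example.com. NXDOMAIN
198.51.100.9 www.example.com. NOERROR
203.0.113.2 www.example.org. NOERROR
203.0.113.2 www.example.org. NOERROR
198.51.100.3 mail.example.org. NOERROR
203.0.113.5 www.example.org. NOERROR
198.51.100.3 ftp.example.org. NXDOMAIN
203.0.113.7 www.example.org. NOERROR
"""


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label; random strings score high."""
    counts = defaultdict(int)
    for c in label:
        counts[c] += 1
    n = len(label)
    return -sum(v / n * math.log2(v / n) for v in counts.values()) if n else 0.0


def detect_random_prefix(log_text, min_queries=5, distinct_ratio=0.8, nx_ratio=0.8):
    """Per zone: query count, share of distinct first labels, NXDOMAIN share,
    mean first-label entropy and a verdict.  Returns {zone: metrics}."""
    per_zone = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "labels": set(), "entropy": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _client, qname, rcode = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # apex queries carry no prefix
        zone, first = ".".join(labels[-2:]), labels[0]
        z = per_zone[zone]
        z["queries"] += 1
        z["nxdomain"] += rcode == "NXDOMAIN"
        z["labels"].add(first)
        z["entropy"] += label_entropy(first)
    report = {}
    for zone, z in per_zone.items():
        q = z["queries"]
        m = {"queries": q,
             "distinct_ratio": len(z["labels"]) / q,
             "nxdomain_ratio": z["nxdomain"] / q,
             "mean_entropy": z["entropy"] / q}
        # A cache-missing flood shows many never-repeated prefixes that all NXDOMAIN;
        # a legitimate zone repeats a few names and mostly answers NOERROR.
        m["flagged"] = (q >= min_queries and m["distinct_ratio"] >= distinct_ratio
                        and m["nxdomain_ratio"] >= nx_ratio)
        report[zone] = m
    return report


if __name__ == "__main__":
    for zone, m in sorted(detect_random_prefix(SAMPLE_LOG).items()):
        print("%-12s q=%2d distinct=%.2f nxdomain=%.2f entropy=%.2f %s" % (
            zone, m["queries"], m["distinct_ratio"], m["nxdomain_ratio"],
            m["mean_entropy"], "FLOOD" if m["flagged"] else "ok"))
```

Entropy alone is a weak signal for short labels (ovcpkpij scores under 3 bits), which is why the verdict is driven by the distinct-prefix and NXDOMAIN ratios; the entropy is reported so an analyst can tell a random-prefix flood from a burst of typo traffic.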

  16. HTTP attacks
    • Most: dumb, repetitive HTTP requests
    • IP reputation generally works

  17. HTTP - Mirai-like
    GET /en HTTP/1.1
    User-Agent:
    Cookie:
    Host: example.com
    Connection: close
    Content-Length: 800000

    a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...

  18. HTTP - Mirai-like (image only)

  19. HTTP - Mirai-like (image only)

  20. HTTP - Mirai-like
    • Should it be received at all?
    • 52k source IPs
    • Mostly Ukraine - hacked customer routers/modems?
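
Whether a request like the one on slide 17 should be received at all can be decided from the request head, before 800000 bytes of body are read off the socket. As an added example (not Cloudflare's WAF), the Python below parses the head, peeks at the first bytes of the body, and drops on a combination of signals: a GET carrying a large Content-Length, User-Agent and Cookie headers that are sent but empty, and a body that is nothing but empty array parameters. The sample requests, the signature and the thresholds are constructed assumptions for this example.

```python
# Added example (not Cloudflare's WAF): classify an HTTP request from its head and
# a short peek at the body, so a Mirai-like request is refused before its body is
# consumed.  Requests, signature and thresholds are constructed for the example.
import re

# Constructed request modelled on slide 17 (the real body was 800000 bytes long).
MIRAI_LIKE = (b"GET /en HTTP/1.1\r\nUser-Agent: \r\nCookie: \r\nHost: example.com\r\n"
              b"Connection: close\r\nContent-Length: 800000\r\n\r\n" + b"a[]=&b[]=&" * 5)
NORMAL = (b"GET /en HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n"
          b"Accept: text/html\r\n\r\n")
POST_FORM = (b"POST /login HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
             b"user=alice&password=secret1")

MAX_GET_BODY = 0        # a GET announcing any body is already suspicious (assumed)
MAX_BODY_PREFIX = 64    # bytes of body we are willing to look at before deciding
EMPTY_ARRAY_PARAMS = re.compile(rb"^(?:[A-Za-z0-9_]+\[\]=&?)+$")


def parse_head(raw):
    """Split request line and headers; returns (method, path, headers, body_prefix).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body[:MAX_BODY_PREFIX]


def classify(raw):
    """Return ('drop', reasons) or ('allow', []) using only the head and a body peek."""
    method, _path, h, body = parse_head(raw)
    reasons = []
    try:
        length = int(h.get("content-length", "0"))
    except ValueError:
        return "drop", ["unparseable Content-Length"]
    if method == "GET" and length > MAX_GET_BODY:
        reasons.append("GET with Content-Length %d" % length)
    # The bot sends the headers but leaves them empty; browsers omit absent ones.
    for name in ("user-agent", "cookie"):
        if name in h and h[name] == "":
            reasons.append("empty %s header" % name)
    if body and EMPTY_ARRAY_PARAMS.match(body):
        reasons.append("body is a run of empty array parameters")
    return ("drop", reasons) if reasons else ("allow", [])


if __name__ == "__main__":
    for label, req in (("mirai-like", MIRAI_LIKE), ("browser", NORMAL), ("form post", POST_FORM)):
        print(label, classify(req))
```

The decision is made on at most the head plus 64 body bytes, so the expensive part of the attack, making the server receive and buffer 800 KB per connection from 52k sources, never happens; the 64-byte peek can cut a parameter in half, which only makes the body signal miss, never fire wrongly.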

  21. Takeaways

  22. Takeaways
    • Direct volumetric SYN floods
      • Go up to 450 Gbps and 100M pps per target
      • Use a small DNS TTL to be able to "scatter" - retire IPs
    • Random-prefix DNS
      • Hard to defend
    • HTTP attacks
      • IP reputation works (iptables)
      • Dynamic WAF / firewall-like rules for blocking repetitive traffic

  23.-31. (image-only slides)

  32. Anycast

  33. ECMP
    (diagram) An ECMP router receives packets for dst ip 1.2.3.4 and spreads them over server #1, server #2 and server #3 by a hash of the packet headers (slide labels: hash % 1, hash % 2, hash % 3)
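
As an added example (not the deck's code), the Python below models the ECMP step: the router hashes the 5-tuple and takes it modulo the number of servers, here with CRC32 standing in for the router's hash (an assumption; hardware uses its own function). It shows the property the slide relies on, that a SYN flood with random spoofed sources is spread evenly over all servers while a single non-spoofing source pins to one, and goes beyond the slide by measuring how many established flows move when a server is added to the group.

```python
# Added example (not the deck's code): ECMP picks a next hop by hashing packet
# headers and taking the result modulo the number of servers.  CRC32 over the
# 5-tuple stands in for the router's hash (an assumption; hardware uses its own).
import random
import struct
import zlib
from collections import Counter

SERVERS = ["server #1", "server #2", "server #3"]


def ip(s):
    return bytes(int(o) for o in s.split("."))


def ecmp_pick(servers, src, dst, sport, dport, proto=6):
    """Next hop for one packet: hash(5-tuple) % len(servers).  Every packet of a
    connection has the same 5-tuple, so the whole flow stays on one server."""
    key = struct.pack("!4s4sHHB", src, dst, sport, dport, proto)
    return servers[zlib.crc32(key) % len(servers)]


def random_flows(n, seed):
    """Constructed flows towards 1.2.3.4:80 with random (spoofed) source IP and port."""
    rng = random.Random(seed)
    dst = ip("1.2.3.4")
    return [(bytes(rng.randrange(256) for _ in range(4)), dst, rng.randrange(1024, 65536), 80)
            for _ in range(n)]


def syn_flood_distribution(servers, n, spoofed=True, seed=1):
    """How many of n SYNs land on each server.  spoofed=True: a random source per
    packet, as in an L3 SYN flood; spoofed=False: one real source, as from a single
    non-spoofing bot, which the hash pins to a single server."""
    flows = random_flows(n, seed) if spoofed else [(ip("198.51.100.7"), ip("1.2.3.4"), 40000, 80)] * n
    return Counter(ecmp_pick(servers, *f) for f in flows)


def remap_fraction(old_servers, new_servers, n=30000, seed=2):
    """Share of established flows that land on a different server after the server
    set changes.  With plain hash % N most flows move (about 3/4 when going from 3
    to 4 servers), which is why membership changes in an ECMP group are disruptive."""
    flows = random_flows(n, seed)
    moved = sum(ecmp_pick(old_servers, *f) != ecmp_pick(new_servers, *f) for f in flows)
    return moved / n


if __name__ == "__main__":
    print(syn_flood_distribution(SERVERS, 30000))
    print(syn_flood_distribution(SERVERS, 30000, spoofed=False))
    print("%.3f of flows move when server #4 joins" % remap_fraction(SERVERS, SERVERS + ["server #4"]))
```

The even spread is what lets a spoofed flood be absorbed by the whole pool behind one address, but the same hash puts a non-spoofed attack from few sources on few servers, and changing the pool mid-attack re-homes most live connections.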

  34. Gatebot: Automatic attack handling

  35. Automatic attack handling
    (diagram) components: sflow, Attack Detection, Mitigation Database, Reactive Automation, iptables
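
As an added example (not Gatebot itself), the Python below wires the boxes on the slide into one loop: sflow-style samples go into attack detection, detections are recorded in a mitigation database with an expiry, and reactive automation turns them into iptables commands and withdraws them when the attack stops. The sample records, the sampling rate, the thresholds and the rate-limit rule template are constructed assumptions; the commands are returned as strings rather than executed.

```python
# Added example (not Gatebot itself): the loop the slide sketches, sflow samples ->
# attack detection -> mitigation database -> reactive automation -> iptables.
# Sample records, sampling rate, thresholds and the rule template are constructed
# for this example; the iptables syntax is real, but the commands are returned as
# strings, not executed.
from collections import defaultdict

SAMPLING_RATE = 1000           # one sflow sample per 1000 packets (assumed)
WINDOW = 10                    # seconds per detection window
SYN_PPS_THRESHOLD = 1_000_000  # SYN/s per destination that counts as an attack (assumed)
RULE_TTL = 300                 # seconds a mitigation lives unless the attack is seen again

# Constructed sflow-like records: (timestamp, dst_ip, proto, tcp_flags), 'S' = SYN.
# 15000 SYN samples in a 10 s window * 1000 = 1.5 Mpps of SYNs towards 1.2.3.4;
# 1.2.3.5 sees only 2000 SYN/s plus ordinary ACK traffic.
SAMPLES = ([(t % WINDOW, "1.2.3.4", "tcp", "S") for t in range(15000)]
           + [(t % WINDOW, "1.2.3.5", "tcp", "S") for t in range(20)]
           + [(t % WINDOW, "1.2.3.5", "tcp", "A") for t in range(300)])


def detect(samples, window_start):
    """Attack detection: estimate SYN pps per destination from the samples in one
    window and return {dst: pps} for destinations over threshold."""
    syns = defaultdict(int)
    for ts, dst, proto, flags in samples:
        if window_start <= ts < window_start + WINDOW and proto == "tcp" and flags == "S":
            syns[dst] += 1
    rates = {dst: n * SAMPLING_RATE / WINDOW for dst, n in syns.items()}
    return {dst: pps for dst, pps in rates.items() if pps >= SYN_PPS_THRESHOLD}


def syn_rule_spec(dst, limit="1000/s"):
    """Rule specs (without the chain verb) for one target: let a bounded rate of
    SYNs through so real handshakes survive, drop the rest.  The limit is an
    assumption; a real deployment matches the attack's signature instead (see the
    BPF rule on slide 11)."""
    return ["--dst %s -p tcp --syn -m limit --limit %s --limit-burst 1000 -j ACCEPT" % (dst, limit),
            "--dst %s -p tcp --syn -j DROP" % dst]


class MitigationDB:
    """Mitigation database: what is deployed for which target, with an expiry so
    rules are withdrawn when the attack stops (a forgotten DROP is an outage)."""
    def __init__(self):
        self.rules = {}   # dst -> (spec list, expires_at)

    def upsert(self, dst, spec, now):
        self.rules[dst] = (spec, now + RULE_TTL)

    def expired(self, now):
        return [dst for dst, (_, exp) in self.rules.items() if exp <= now]


def reactive_loop(samples, db, now):
    """Reactive automation, one tick: detect, update the database, and return the
    iptables commands to run.  -A appends in order, keeping the ACCEPT-limit rule
    ahead of the DROP."""
    commands = []
    for dst in detect(samples, now):
        spec = syn_rule_spec(dst)
        if dst not in db.rules:                       # new attack: install
            commands += ["iptables -A INPUT " + s for s in spec]
        db.upsert(dst, spec, now)                     # seen again: extend expiry
    for dst in db.expired(now):                       # attack over: withdraw
        spec, _ = db.rules.pop(dst)
        commands += ["iptables -D INPUT " + s for s in spec]
    return commands


if __name__ == "__main__":
    db = MitigationDB()
    for now in (0, 100, 300):
        for cmd in reactive_loop(SAMPLES if now == 0 else [], db, now):
            print("t=%3d %s" % (now, cmd))
```

The expiry is the part that makes this reactive rather than merely automatic: every tick re-confirms rules for attacks still visible in the samples and deletes the rest with the exact spec that was installed, so the database stays the single source of truth for what is on each server.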