Slide 1

Slide 1 text

Are DDoS attacks a threat to the decentralised internet?
Marek Majkowski

Slide 2

Slide 2 text

2 DDoS IP Spoofing Solution Untraceable, Sophisticated Centralisation

Slide 3

Slide 3 text

3 Global network

Slide 4

Slide 4 text

4 Content neutral

Slide 5

Slide 5 text

Daily attacks

Slide 6

Slide 6 text

6 We have to solve it

Slide 7

Slide 7 text

Record breaking attacks at CF

  Nickname              Type                Volume
  Spamhaus              DNS amplification   300 Gbps
  “Winter of attacks”   Direct              400 Gbps
  New attack            Direct subnet       400 Gbps

Slide 8

Slide 8 text

Two things in common 8

Slide 9

Slide 9 text

9 Flood of IP packets

Slide 10

Slide 10 text

10 IP Spoofing (source: DaPuglet)

Slide 11

Slide 11 text

11 IP Spoofing 8.8.8.8 5.6.7.8

Slide 12

Slide 12 text

12 Enables impersonation Real 8.8.8.8 Destination 5.6.7.8 Spoofed 8.8.8.8

Slide 13

Slide 13 text

13 May 2000: BCP38

Slide 14

Slide 14 text

Measured Autonomous Systems (spoofer.caida.org):
  UnSpoofable   56.4%
  Spoofable     27.8%
  Inconsistent  15.8%

Slide 15

Slide 15 text

Filter close to the source (diagram: Source, ISP 1, Internet Carrier A, Internet Carrier B, Destination; X marks the filter point)

Slide 16

Slide 16 text

IP Spoofing:
• Enables impersonation
• Not a solved problem

Slide 17

Slide 17 text

IP Spoofing
1. Tracing back is impossible
2. Allows sophisticated attacks

Slide 18

Slide 18 text

Tracing the attack (graph: received PPS over time, with the point where the attack starts marked)

Slide 19

Slide 19 text

Tcpdump

  $ tcpdump -ni eth0 -c 100

  IP 94.242.250.109.47330 > 1.2.3.4:80: Flags [S], seq 1444613291, win 63243
  IP 188.138.1.240.61454 > 1.2.3.4:80: Flags [S], seq 1995637287, win 60551
  IP 207.244.90.205.17572 > 1.2.3.4:80: Flags [S], seq 1523683071, win 61607
  IP 94.242.250.224.65127 > 1.2.3.4:80: Flags [S], seq 928944042, win 61778
  IP 207.244.90.205.43074 > 1.2.3.4:80: Flags [S], seq 137074667, win 63891
  IP 64.22.81.44.23865 > 1.2.3.4:80: Flags [S], seq 838596928, win 63808
  IP 188.138.1.137.23373 > 1.2.3.4:80: Flags [S], seq 593106072, win 60272
  IP 207.244.90.205.39653 > 1.2.3.4:80: Flags [S], seq 47289666, win 63210
  IP 208.66.78.204.64197 > 1.2.3.4:80: Flags [S], seq 1850809890, win 62714
  IP 207.244.90.205.33108 > 1.2.3.4:80: Flags [S], seq 319707959, win 63351
  IP 207.244.90.205.6937 > 1.2.3.4:80: Flags [S], seq 1591500126, win 63902
  IP 213.152.180.151.60560 > 1.2.3.4:80: Flags [S], seq 1902119375, win 62511
  IP 64.22.79.127.11061 > 1.2.3.4:80: Flags [S], seq 1456438676, win 62148

Slide 20

Slide 20 text

20 Which router iface is it from? Router Server

Slide 21

Slide 21 text

21 Identifying interface Attacks

Slide 22

Slide 22 text

22 Identifying the interface

Slide 23

Slide 23 text

Other side of the cable (diagram: the Server's Router has links to an Internet Carrier, a Direct Peering partner and a Local Internet Exchange)

Slide 24

Slide 24 text

1. Direct Peering (diagram: Router connected directly to the peering partner)

Slide 25

Slide 25 text

2. Internet Exchange
3. Internet Carrier
(diagram: Router connected to a Local Internet Exchange, and Router connected to an Internet Carrier)

Slide 26

Slide 26 text

26 2. Internet Exchanges

Slide 27

Slide 27 text

2. Internet Exchanges (diagram: Router connected to the Internet Exchange L2 SWITCH, which also connects Local ISP #1, Local ISP #2 and Local ISP #3)

Slide 28

Slide 28 text

3. Internet Carriers (diagram: Internet Carrier, Router, Target network)

Slide 29

Slide 29 text

29 “Winter of attacks”

Slide 30

Slide 30 text

“Winter of attacks” (diagram: LAX router receiving traffic from an Internet Carrier with src IP = Hurricane Electric)

Slide 31

Slide 31 text

“Winter of attacks” (diagram: LAX router, Internet Carrier, Hurricane Electric ???, Hurricane Electric ???)

Slide 32

Slide 32 text

Lack of attribution

Slide 33

Slide 33 text

IP Spoofing
1. Tracing back is impossible
2. Allows sophisticated attacks

Slide 34

Slide 34 text

Sophistication:
  Spamhaus: DNS amplification
  “Winter of attacks”: Direct
  Direct subnet

Slide 35

Slide 35 text

1. UDP request-response (diagram: UDP Client sends a request, UDP Server sends the response)

Slide 36

Slide 36 text

1. Amplification (diagram: Attacker sends the request to the UDP Server, the response goes to the Target)

Slide 37

Slide 37 text

1. Amplification factor (diagram: a 10 bytes request from the Attacker to the UDP Server, a 100 bytes response to the Target)

Slide 38

Slide 38 text

1. Scale up! (diagram: Attacker sends requests to many UDP Servers, all responses go to the Target)

Slide 39

Slide 39 text

March 2013: Spamhaus
  300 Gbps of traffic
  27 Gbps of spoofing
  Exposed DNS Resolvers

Slide 40

Slide 40 text

Amplification easy to block
• Easy to block on firewall
  • udp and src port 53
• The internet is fighting exposed DNS resolvers
  • openresolverproject.org
  • openntpproject.org
  • www.shodan.io

Slide 41

Slide 41 text

Sophistication:
  Spamhaus: DNS amplification
  “Winter of attacks”: Direct
  Direct subnet

Slide 42

Slide 42 text

2. “Winter of attacks” (diagram: Attacker sending 400 Gbps at the Target Server)

Slide 43

Slide 43 text

43

Slide 44

Slide 44 text

2. Gigantic SYN flood (diagram: Attacker sending a 400 Gbps direct SYN flood at the Target Server)

Slide 45

Slide 45 text

Blocked with BPF

  iptables -A INPUT \
      --dst 1.2.3.4 \
      -p udp --dport 53 \
      -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
      -j DROP

Slide 46

Slide 46 text

BPF bytecode

  ldx 4*([14]&0xf)
  ld #34
  add x
  tax
  lb_0:
  ldb [x + 0]
  add x
  add #1
  tax
  ld [x + 0]
  jneq #0x07657861, lb_1
  ld [x + 4]
  jneq #0x6d706c65, lb_1
  ld [x + 8]
  jneq #0x03636f6d, lb_1
  ldb [x + 12]
  jneq #0x00, lb_1
  ret #1
  lb_1:
  ret #0

Reading the listing: starting from the Ethernet header, X is set to the offset of the DNS question name (14 bytes Ethernet + IP header length + 8 bytes UDP + 12 bytes DNS header), the block at lb_0 advances X past the first label, and the remaining bytes must equal 0x07 "example" 0x03 "com" 0x00, so the filter returns 1 (match) only for queries of the form <label>.example.com and 0 for everything else.

Slide 47

Slide 47 text

47

Slide 48

Slide 48 text

Source IP addresses (diagram: LAX router, Internet Carrier, Hurricane Electric ???, Hurricane Electric ???)

Slide 49

Slide 49 text

49

Slide 50

Slide 50 text

50

Slide 51

Slide 51 text

51

Slide 52

Slide 52 text

52

Slide 53

Slide 53 text

53

Slide 54

Slide 54 text

54

Slide 55

Slide 55 text

55

Slide 56

Slide 56 text

Sophistication:
  Spamhaus: DNS amplification
  “Winter of attacks”: Direct
  Direct subnet

Slide 57

Slide 57 text

Null routing 1.2.3.4 (diagram: Attacker, 1.2.3.4 present at several locations)

Slide 58

Slide 58 text

Attacks against subnet (diagram: Attacker, 1.2.3.4 present at several locations)

Slide 59

Slide 59 text

The only way to keep online is to absorb the attack 59

Slide 60

Slide 60 text

60 Receive and process

Slide 61

Slide 61 text

61 Centralisation

Slide 62

Slide 62 text

Erosion of principles (diagram: peer, peer, peer, peer, peer)

Slide 63

Slide 63 text

Solution 63

Slide 64

Slide 64 text

64 Technical solutions to IP Spoofing failed

Slide 65

Slide 65 text

Live with it! (diagram: spoofed source X.X.X.X, destination 5.6.7.8)

Slide 66

Slide 66 text

Don't solve the IP spoofing!

Solve the attribution!

Slide 67

Slide 67 text

Internet Exchanges (diagram: Router connected to the Internet Exchange L2 SWITCH, which also connects Local ISP #1, Local ISP #2 and Local ISP #3)

Slide 68

Slide 68 text

Internet Carriers (diagram: Router connected to an Internet Carrier, which also connects Customer #1, Customer #2 and Customer #3)

Slide 69

Slide 69 text

Proposal:
• The next move belongs to Carriers and IX operators
• They must help with attribution
• Which of their clients is transmitting the traffic?

• Given (TARGET_IP, location, timeframe, volume)
• Tell which of the CUSTOMERS transmitted the data

Slide 70

Slide 70 text

70 How?

Slide 71

Slide 71 text

71 Netflow netflow Collector Router Router Router

Slide 72

Slide 72 text

Netflow
• Open source netflow toolchain is great
• Scales well
• To avoid privacy issues
  • Rotate logs often
  • Set high sampling rate - 1/64k connections

Slide 73

Slide 73 text

Netflow

  (netops)# nfdump -M db/waw01:lhr01 -R . -n2 -t -300 -s dstip/packets "in if 731"
  Top 2 Dst IP Addr ordered by packets:
  Dst IP Addr      Flows(%)        Packets(%)      Bytes(%)      pps     bps     bpp
  173.245.58.40    1.0 M(77.0)     17.6 G(75.8)    1.1 T(22.6)   59.0 M  30.7 G  65
  173.245.59.15    54962( 4.0)     910.3 M( 3.9)   75.5 G( 1.5)  3.1 M   2.0 G   82

  Summary: total flows: 1361108, total bytes: 5087980650496, total packets: 23271079936, avg bps: 135599480319, avg pps: 77524526, avg bpp: 218
  Total flows processed: 2457140, Blocks skipped: 0, Bytes read: 177251772
  Sys: 0.210s flows/second: 11700666.7 Wall: 0.210s flows/second: 11654603.2
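The proposal on slide 69 asks carriers and IX operators to answer one question: given (TARGET_IP, location, timeframe, volume), which customer transmitted the traffic? As an added example (not from the talk and not nfdump), the following Python does that bookkeeping over constructed sampled flow records, keying on the router input interface rather than on the spoofed source address; the 1/64k sampling factor, the interface-to-customer mapping and the flow records are assumptions made for the example.

```python
from collections import defaultdict

# Slide 72 suggests a 1/64k sampling rate; assume the exporter reports raw sampled
# counts, so each record is scaled up by this factor (assumption, not from the talk).
SAMPLING_INTERVAL = 65536

# Which router interface belongs to which customer: only the carrier or IX operator
# knows this, which is why attribution has to happen there (constructed mapping).
IFACE_TO_CUSTOMER = {731: "Customer #1", 732: "Customer #2", 733: "Customer #3"}

# Constructed sampled flow records: (start_time, in_iface, src_ip, dst_ip, packets, bytes).
# The source addresses are spoofed and deliberately tell us nothing; in_iface does.
SAMPLE_FLOWS = [
    (1000, 731, "94.242.250.109", "1.2.3.4", 300, 18000),
    (1005, 731, "207.244.90.205", "1.2.3.4", 250, 15000),
    (1010, 732, "8.8.8.8",        "1.2.3.4",  40,  2400),
    (1012, 733, "10.9.8.7",       "5.6.7.8", 900, 54000),   # other destination
    (2000, 731, "64.22.81.44",    "1.2.3.4", 500, 30000),   # outside the timeframe
]

def attribute(flows, target_ip, t_start, t_end, sampling=SAMPLING_INTERVAL):
    """Given (TARGET_IP, timeframe), estimate packets and bytes sent toward the target
    per customer-facing interface, i.e. answer the question the slide asks carriers.
    Returns rows (customer, est_packets, est_bytes, share_of_packets), largest first."""
    pkts = defaultdict(int)
    byts = defaultdict(int)
    for start, iface, _src, dst, p, b in flows:
        if dst != target_ip or not (t_start <= start < t_end):
            continue
        pkts[iface] += p * sampling
        byts[iface] += b * sampling
    total = sum(pkts.values()) or 1
    rows = [(IFACE_TO_CUSTOMER.get(i, "if %d" % i), pkts[i], byts[i], pkts[i] / total)
            for i in pkts]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def likely_source(flows, target_ip, t_start, t_end, min_share=0.5):
    """Name the customer carrying at least min_share of the traffic to the target, or None."""
    rows = attribute(flows, target_ip, t_start, t_end)
    if rows and rows[0][3] >= min_share:
        return rows[0][0]
    return None
```

The location in the slide's tuple corresponds here to which router's flows are fed in; the filter "in if 731" on slide 73 is the same idea applied at the receiving end.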

Slide 74

Slide 74 text

74 It's the first step

Slide 75

Slide 75 text

75 Attribution allows informed discussion

Slide 76

Slide 76 text

DDoS causes centralisation

To fix DDoS we need attribution

Slide 77

Slide 77 text

The internet will be better for everyone.
marek@cloudflare.com

Slide 78

Slide 78 text

78

Slide 79

Slide 79 text

How to help? 79

Slide 80

Slide 80 text

Help: report IP spoofing
• From spoofer.caida.org

Slide 81

Slide 81 text

Help: close NTP and DNS
• Scan your network for open NTP and DNS servers
  • http://openntpproject.org/
  • http://openresolverproject.org
  • http://www.team-cymru.org/Open-Resolver-Challenge.html
  • https://www.shodan.io/

Slide 82

Slide 82 text

Help: press for attribution
• When under attack
  • Collect evidence
  • Ask where the traffic came from!

Slide 83

Slide 83 text

Is amplification in decline? 83

Slide 84

Slide 84 text

Is amplification in decline?
• Very easy to block on firewall
  • udp and src port 123 == NTP attack
  • udp and src port 53 == DNS attack
• DDoS mitigation vendors have FAT pipes
• Amplification is bouncing off real servers
  • Therefore geographically distributed
  • Not effective against anycast

Slide 85

Slide 85 text

Why IP Filtering must be on the edge 85

Slide 86

Slide 86 text

Filtering is hard (diagram: Internet Carrier A, Destination 5.6.7.8)

Slide 87

Slide 87 text

Filtering is hard (diagram: Source 1.2.3.4 behind ISP 1, which announces 1.2.3.0/24; Internet Carrier A; Destination 5.6.7.8)

Slide 88

Slide 88 text

Filtering is hard (diagram: ISP 1 announces 1.2.3.0/24 to both Internet Carrier A and Internet Carrier B; Source 1.2.3.4; Destination 5.6.7.8)

Slide 89

Slide 89 text

Filtering is hard (diagram: ISP 1 with 1.2.3.0/24 and Source 1.2.3.4, ISP 2 with 4.3.2.0/24 and Source 4.3.2.1, Internet Carrier A, Internet Carrier B, Destination 5.6.7.8)

Slide 90

Slide 90 text

Internet is asymmetric (diagram: Source 1.2.3.4, ISP 1, Internet Carrier A, Internet Carrier B, Destination 5.6.7.8)

Slide 91

Slide 91 text

Filter close to the source (diagram: Source, ISP 1, Internet Carrier A, Internet Carrier B, Destination; X marks the filter point)