Recent DDoS Marek Majkowski marek@cloudflare.com

Krebs timeline • 10th Sept - Krebs publishes VDoS database dump • 20th Sept - BackConnect BGP hijacks article • 21th Sept - 620 Gbps attack reported • Mostly GRE • 22nd Sept - Prolexic / Akamai kick Krebs out • 25th Sept - Onboarded on Google Project Shield • Struggling to keep the website up 2

Dyn timeline • Oct 21st - Doug Madory gives a talk on BackConnect • Oct 21st - Dyn attack starts • Non-spoofed, mostly Mirai-based botnets • 100k "endpoints" • Mostly DNS traffic 3

Mirai ! ! ! • Chinese security cameras with default Telnet pass • Some evidence for WD disks • Some evidence for customer modem/routers • Deutsche Telekom port 7547 TR-069 4

Mirai • Very short attacks, https://twitter.com/miraiattacks • HTTP • 5 hardcoded user agents • SYN, ACK, UDP, DNS, Valve, GRE • 30k-75k devices 5

Cloudflare Point of view 6

Most common attacks • L3 - SYN • L3 - DNS • L7 - HTTP 7

SYN • Many of the big volumetric attacks • https://blog.cloudflare.com/the-daily-ddos-ten-days-of-massive- attacks/ • https://blog.cloudflare.com/a-winter-of-400gbps-weekend-ddos- attacks/ • Directly hitting the target IP (not amplified) • Often spoofed source IP 8

SYN - thanksgiving 9

SYN - thanksgiving 10

Mitigation: iptables and BPF • https://blog.cloudflare.com/introducing-the-p0f-bpf-compiler/ 11 ! iptables -A INPUT \! --dst 1.2.3.4 \! -p udp --dport 53 \! -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \! -j DROP!

Mitigation: scattering 12 dig example.com A 1.2.3.4 1.2.3.5 1.2.3.6 1.2.3.7

Why scattering works • L3 Attacks often have hardcoded destination IP's • Low DNS TTL allows to scatter 13

DNS - random prefix 14 • Miss the cache NXDOMAIN • Overload Auth DNS • Hard to defend

DNS - random prefix 15 ! 1.666 --ip=173.245.59.101/32 --port=53 "*.example.com" 1.639 --ip=173.245.58.211/32 --port=53 "*.example.com" 0.297 --ip=2400:cb00:2049:1::adf5:3b61/128 --port=53 "*.example.com" 0.274 --ip=2400:cb00:2049:1::adf5:3ad1/128 --port=53 "*.example.com" • Random prefix queries ! ! ! • Bounced off real recursors mzcjgtofshadofgp.example.com. eleloletajgj.example.com. ovcpkpij.example.com

HTTP attacks • Most: dumb repetitive http requests • IP reputation generally works 16

HTTP - Mirai-like 17 GET /en HTTP/1.1 ! User-Agent: ! Cookie: ! Host: example.com ! Connection: close ! Content-Length: 800000! ! a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...!

HTTP - Mirai-like 18

HTTP - Mirai-like 19

HTTP - Mirai-like • Should it be received? • 52k source IP's • Mostly Ukraine - hacked customer routers/modems? 20

Takeaways 21

Takeaways • Direct volumetric SYN floods • Go up to 450gbps and 100M pps per target • Use small DNS TTL to be able to "scatter" - retire IP's • Random-prefix DNS • Hard to defend • HTTP attacks • IP reputation works (iptables) • Dynamic WAF / "firewall alike" rules for blocking repetitive traffic 22

23

24

25

26

27

28

29

30

31

Anycast 32

ECMP 33 ECMP router dst ip: 1.2.3.4 server #1 server #2 server #3 hash % 2 hash % 1 hash % 3

34 Gatebot Automatic attack handling

Automatic attack handling 35 Mitigation Database sflow iptables Attack Detection Reactive Automation 35