Slide 1

Recent DDoS
Marek Majkowski <marek@cloudflare.com>

Slide 2

Krebs timeline
• 10th Sept - Krebs publishes VDoS database dump
• 20th Sept - BackConnect BGP hijacks article
• 21st Sept - 620 Gbps attack reported
  • Mostly GRE
• 22nd Sept - Prolexic / Akamai kick Krebs out
• 25th Sept - Onboarded on Google Project Shield
  • Struggling to keep the website up

Slide 3

Dyn timeline
• Oct 21st - Doug Madory gives a talk on BackConnect
• Oct 21st - Dyn attack starts
  • Non-spoofed, mostly Mirai-based botnets
  • 100k "endpoints"
  • Mostly DNS traffic

Slide 4

Mirai
• Chinese security cameras with default Telnet pass
• Some evidence for WD disks
• Some evidence for customer modem/routers
  • Deutsche Telekom port 7547 TR-069

Slide 5

Mirai
• Very short attacks, https://twitter.com/miraiattacks
• HTTP
  • 5 hardcoded user agents
• SYN, ACK, UDP, DNS, Valve, GRE
• 30k-75k devices

Slide 6

Cloudflare point of view

Slide 7

Most common attacks
• L3 - SYN
• L3 - DNS
• L7 - HTTP

Slide 8

SYN
• Many of the big volumetric attacks
  • https://blog.cloudflare.com/the-daily-ddos-ten-days-of-massive-attacks/
  • https://blog.cloudflare.com/a-winter-of-400gbps-weekend-ddos-attacks/
• Directly hitting the target IP (not amplified)
• Often spoofed source IP

Slide 9

SYN - thanksgiving

Slide 10

SYN - thanksgiving

Slide 11

Mitigation: iptables and BPF
• https://blog.cloudflare.com/introducing-the-p0f-bpf-compiler/

  iptables -A INPUT \
    --dst 1.2.3.4 \
    -p udp --dport 53 \
    -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
    -j DROP

Slide 12

Mitigation: scattering

  dig example.com A
    1.2.3.4
    1.2.3.5
    1.2.3.6
    1.2.3.7

Slide 13

Why scattering works
• L3 attacks often have hardcoded destination IPs
• Low DNS TTL allows scattering

Slide 14

DNS - random prefix
• Miss the cache (NXDOMAIN)
• Overload Auth DNS
• Hard to defend

Slide 15

DNS - random prefix

  1.666 --ip=173.245.59.101/32 --port=53 "*.example.com"
  1.639 --ip=173.245.58.211/32 --port=53 "*.example.com"
  0.297 --ip=2400:cb00:2049:1::adf5:3b61/128 --port=53 "*.example.com"
  0.274 --ip=2400:cb00:2049:1::adf5:3ad1/128 --port=53 "*.example.com"

• Random prefix queries
• Bounced off real recursors

  mzcjgtofshadofgp.example.com.
  eleloletajgj.example.com.
  ovcpkpij.example.com

Slide 16

HTTP attacks
• Most: dumb repetitive HTTP requests
• IP reputation generally works

Slide 17

HTTP - Mirai-like

  GET /en HTTP/1.1
  User-Agent:
  Cookie:
  Host: example.com
  Connection: close
  Content-Length: 800000

  a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...

Slide 18

HTTP - Mirai-like

Slide 19

HTTP - Mirai-like

Slide 20

HTTP - Mirai-like
• Should it be received?
• 52k source IPs
• Mostly Ukraine - hacked customer routers/modems?

Slide 21

Takeaways

Slide 22

Takeaways
• Direct volumetric SYN floods
  • Go up to 450 Gbps and 100M pps per target
  • Use small DNS TTL to be able to "scatter" - retire IPs
• Random-prefix DNS
  • Hard to defend
• HTTP attacks
  • IP reputation works (iptables)
  • Dynamic WAF / "firewall-like" rules for blocking repetitive traffic

Slide 32

Anycast

Slide 33

ECMP
(Diagram: ECMP router, dst ip: 1.2.3.4, flows hashed to server #1, server #2, server #3)

Slide 34

Gatebot
Automatic attack handling

Slide 35

Automatic attack handling
(Diagram components: sflow, Attack Detection, Reactive Automation, Mitigation Database, iptables)