DDoS Landscape - Speaker Deck

Slide 1

Slide 1 text

DDoS attacks landscape Marek Majkowski @majek04

Slide 2

Slide 2 text

Slide 3

Slide 3 text

Reverse proxy 3 Eyeball Reverse proxy Origin server • Optimizations • Caching • Security • DDoS protection

Slide 4

Slide 4 text

Slide 5

Slide 5 text

5 Denial of service

Slide 6

Slide 6 text

Slide 7

Slide 7 text

Slide 8

Slide 8 text

Goal? 8

Slide 9

Slide 9 text

Slide 10

Slide 10 text

Slide 11

Slide 11 text

Slide 12

Slide 12 text

Slide 13

Slide 13 text

Slide 14

Slide 14 text

Slide 15

Slide 15 text

Slide 16

Slide 16 text

Unavailability 16

Slide 17

Slide 17 text

17 Break the internet

Slide 18

Slide 18 text

Internet was built as a trusted environment 18

Slide 19

Slide 19 text

19 https://www.fbi.gov/wanted/cyber

Slide 20

Slide 20 text

Slide 21

Slide 21 text

Five case studies 21

Slide 22

Slide 22 text

Ampliﬁcation is largest 22

Slide 23

Slide 23 text

Slide 24

Slide 24 text

24 Two things needed: - IP spooﬁng - vulnerable protocol

Slide 25

Slide 25 text

25 IP Spooﬁng

Slide 26

Slide 26 text

26 5.6.7.8 8.8.8.8 IP Spooﬁng

Slide 27

Slide 27 text

27 Enables impersonation Real 8.8.8.8 Destination 5.6.7.8 Spoofed 8.8.8.8

Slide 28

Slide 28 text

28 Spoofed? (source: DaPuglet)

Slide 29

Slide 29 text

bulletproof hostig 29

Slide 30

Slide 30 text

30 Find a protocol to abuse • DNS • NTP • SSDP

Slide 31

Slide 31 text

31 UDP Server UDP Client request response

Slide 32

Slide 32 text

32 Attacker Target UDP Server request response

Slide 33

Slide 33 text

33 Attacker Target UDP Server request response 10 bytes 100 bytes

Slide 34

Slide 34 text

34 Attacker Target UDP Servers requests responses

Slide 35

Slide 35 text

Slide 36

Slide 36 text

Memcached (1.7 Tbps) February 2018 36

Slide 37

Slide 37 text

Memcached does UDP? 37

Slide 38

Slide 38 text

Slide 39

Slide 39 text

Slide 40

Slide 40 text

Slide 41

Slide 41 text

Slide 42

Slide 42 text

Slide 43

Slide 43 text

Cleanup was well underway • Digital Ocean • Linode • OVH • Amazon 43

Slide 44

Slide 44 text

Memcached today 44

Slide 45

Slide 45 text

Slide 46

Slide 46 text

Direct SYN ﬂood 46

Slide 47

Slide 47 text

47 Target Server Attacker 500 Gbps Direct SYN ﬂood

Slide 48

Slide 48 text

Slide 49

Slide 49 text

Slide 50

Slide 50 text

Slide 51

Slide 51 text

Slide 52

Slide 52 text

Slide 53

Slide 53 text

Slide 54

Slide 54 text

Slide 55

Slide 55 text

Slide 56

Slide 56 text

Slide 57

Slide 57 text

Slide 58

Slide 58 text

Slide 59

Slide 59 text

Is it a day job? 59

Slide 60

Slide 60 text

60 Direct attack today

Slide 61

Slide 61 text

Imaginary attacks 61

Slide 62

Slide 62 text

Slide 63

Slide 63 text

Slide 64

Slide 64 text

Slide 65

Slide 65 text

Slide 66

Slide 66 text

Application attacks are small 66

Slide 67

Slide 67 text

67 We know who attacks us! (source: the internet)

Slide 68

Slide 68 text

Slide 69

Slide 69 text

Slide 70

Slide 70 text

IoT - Cameras 70

Slide 71

Slide 71 text

Slide 72

Slide 72 text

Slide 73

Slide 73 text

Slide 74

Slide 74 text

Slide 75

Slide 75 text

Slide 76

Slide 76 text

76 GET /en HTTP/1.1 User-Agent: Cookie: Host: example.com Connection: close Content-Length: 800000 a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...

Slide 77

Slide 77 text

Slide 78

Slide 78 text

Slide 79

Slide 79 text

79 • Mirai - cameras • TR-069/TR-064 Deutsche Telefon - CPE • Reaper - D-Link, Netgear, and AVTech • VPNFilter - routers and NAS Evolution of IoT botnets

Slide 80

Slide 80 text

WireX - Android malware 80

Slide 81

Slide 81 text

Slide 82

Slide 82 text

82 User-Agent: jigpuzbcomkenhvladtwysqfxr User-Agent: yudjmikcvzoqwsbflghtxpanre User-Agent: mckvhaflwzbderiysoguxnqtpj User-Agent: deogjvtynmcxzwfsbahirukqpl User-Agent: fdmjczoeyarnuqkbgtlivsxhwp User-Agent: yczfxlrenuqtwmavhojpigkdsb User-Agent: dnlseufokcgvmajqzpbtrwyxih

Slide 83

Slide 83 text

Slide 84

Slide 84 text

Slide 85

Slide 85 text

Slide 86

Slide 86 text

Slide 87

Slide 87 text

Slide 88

Slide 88 text

88 function attack(String target, String userAgent, String referer) { HashMap WebViewHeaders = new HashMap(); WebViewHeaders->put(“Referer”,referer); WebViewHeaders->put(“X-Requested-With”,””); WebView[] AttackerViews = new WebView[100]; for (int i=0; iclearHistory(); AttackerViews[i]->clearFormData(); AttackerViews[i]->clearCache(true); WebViewSettings AWVS = AttackerViews[i]->getSettings() AttackWebViewSettings->setJavaScriptEnabled(true); AttackWebViewSettings->setUserAgentString(userAgent); AttackWebViewSettings->setCacheMode(LOAD_NO_CACHE); this->deleteDatabase(“webview.db”); this->deleteDatabase(“webviewCache.db”); AttackerViews[i]->loadUrl(target,WebViewHeaders); } } }

Slide 89

Slide 89 text

Slide 90

Slide 90 text

More.... 90

Slide 91

Slide 91 text

Mobile ads 91

Slide 92

Slide 92 text

Slide 93

Slide 93 text

Slide 94

Slide 94 text

Slide 95

Slide 95 text

95 function post_send() { var xmlHttp=c_xmlHttp(); xmlHttp.open("POST",t_url8,true); xmlHttp.setRequestHeader("Content-Type", ""); xmlHttp.send(t_postdata); r_send(); } function r_send() { setTimeout("post_send()", 50); }

Slide 96

Slide 96 text

Hard to mitigate 96

Slide 97

Slide 97 text

Porcupine 97

Slide 98

Slide 98 text

Slide 99

Slide 99 text

Slide 100

Slide 100 text

100

Slide 101

Slide 101 text

101

Slide 102

Slide 102 text

102

Slide 103

Slide 103 text

Porcupine: Proﬁle • Junk payload L7 attacks • Pretty large - 1M rps, 200k IP's/h • Brasil, Algeria, Tunisia, Ukraine • Attacker: . • Infection: . 103

Slide 104

Slide 104 text

104

Slide 105

Slide 105 text

Cloudﬂare 105

Slide 106

Slide 106 text

106 Anycast Architecture

Slide 107

Slide 107 text

107 192.0.2.0/24 Internet Los Angeles 192.0.2.0/24 London 192.0.2.0/24 Amsterdam 192.0.2.0/24 Moscow 192.0.2.0/24 San Jose 192.0.2.0/24 New York

Slide 108

Slide 108 text

108

Slide 109

Slide 109 text

109

Slide 110

Slide 110 text

Divide and conquer • DNS • splits traffic against multiple IPs • Anycast • splits traffic globally • ECMP • splits traffic within datacenter • Tuned network card • splits traffic across CPUs 110

Slide 111

Slide 111 text

111 Automatic Mitigations

Slide 112

Slide 112 text

112 iptables -A INPUT \ --dst 1.2.3.4 \ -p udp --dport 53 \ -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \ -j DROP

Slide 113

Slide 113 text

113 ldx 4*([14]&0xf) ld #34 add x tax lb_0: ldb [x + 0] add x add #1 tax ld [x + 0] jneq #0x07657861, lb_1 ld [x + 4] jneq #0x6d706c65, lb_1 ld [x + 8] jneq #0x03636f6d, lb_1 ldb [x + 12] jneq #0x00, lb_1 ret #1 lb_1: ret #0

Slide 114

Slide 114 text

Iptables for application attacks • Conntrack Connlimit - limit concurrent connections • Hashlimits - limit rate of connections • Rate limit SYN packets per IP • Ipset - blacklisting of IP addresses • Manual blacklisting - feed IP blacklist from HTTP server logs • Supports subnets, timeouts • Automatic blacklisting hashlimits 114

Slide 115

Slide 115 text

115 Internet Router NIC Kernel App iptables ﬁngerprints XDP

Slide 116

Slide 116 text

Thanks! • Architected for DDoS • Iptables are great • Reduce DNS TTL • Keep your IoT ﬁrmware in check • Don't install random APKs • Use 1.1.1.1 resolver :) 116 marek@cloudﬂare.com @majek04