DDoS attacks in 2016-2017: A Breakthrough

Transcript

1. Очень длинное название презентации DDoS attacks in 2016– 2017: a

   breakthrough • Artyom Gavrichenkov

2. 2011 Tohoku earthquake

3. 2011 Tohoku earthquake

4. 2011 Tohoku earthquake

5. 2011 Tohoku earthquake

6. 2011 Tohoku earthquake

7. 2011 Tohoku earthquake 38.322°N 142.369°E

8. 2011 Tohoku earthquake

9. 2011 Tohoku earthquake

10. 2011 Tohoku earthquake

11. 2011 Tohoku earthquake

12. 2011 Tohoku earthquake 3 m

13. 2011 Tohoku earthquake 3 m 12 m

14. 2011 Tohoku earthquake 3 m 12 m 14 m

15. 2011 Tohoku earthquake 3 m 12 m 14 m 13

    m
16. None
17. None

18. 18

19. 19 300 Mbps 30 Gbps Amplification

20. 20 5 Gbps 500 Gbps Amplification

21. • NTP • DNS • SNMP • SSDP • ICMP

    • NetBIOS • LDAP • RIPv1 • PORTMAP • CHARGEN • QOTD • Quake • Steam • … Vulnerable protocols

22. • NTP • DNS • SNMP • SSDP • ICMP

    • NetBIOS • LDAP • RIPv1 • PORTMAP • CHARGEN • QOTD • Quake • Steam • … Vulnerable protocols Amplification can be identified by source port!*

23. BGP Flow Spec

24. Amplification threat decreases

25. Wordpress Pingback GET /whatever User-Agent: WordPress/3.9.2; http://example.com/; verifying pingback from

    192.0.2.150 • 150 000 – 170 000 vulnerable servers at once • SSL/TLS-enabled

26. Pingback: HTTP/HTTPS <methodCall> <methodName>pingback.ping</methodName> <params> <param> <value><string>https://victim.com/</string></value> </param> <param> <value>

    <string> http://reflector.blog/2016/12/01/blog_post </string> </value> </param> </params> </methodCall>

27. Wordpress Pingback GET /whatever User-Agent: WordPress/3.9.2; http://example.com/; verifying pingback from

    192.0.2.150 • 150 000 – 170 000 vulnerable servers at once • SSL/TLS-enabled • Millions of vulnerable servers available in the Internet

28. Internet of Things • Webcams, routers, smartphones, coffee makers •

    Cheap hardware and software • (Little to) NO software updates

29. Internet of Things • Webcams, routers, smartphones, coffee makers •

    Cheap hardware and software • (Little to) NO software updates, including security fixes

30. Internet of Things • Webcams, routers, smartphones, coffee makers •

    Cheap hardware and software • (Little to) NO software updates, including security fixes •Default logins/passwords

31. Internet of Things • Webcams, routers, smartphones, coffee makers •

    Cheap hardware and software • (Little to) NO software updates, including security fixes •Default logins/passwords •Full Internet access

32. Internet of Things • Webcams, routers, smartphones, coffee makers •

    Cheap hardware and software • (Little to) NO software updates, including security fixes •Default logins/passwords •Full Internet access •And all it takes – a crawler.
33. None

34. 21:30:01.226868 IP 94.251.116.51 > 178.248.233.141: GREv0, length 544: IP 184.224.242.144.65323

    > 167.42.221.164.80: UDP, length 512 21:30:01.226873 IP 46.227.212.111 > 178.248.233.141: GREv0, length 544: IP 90.185.119.106.50021 > 179.57.238.88.80: UDP, length 512 21:30:01.226881 IP 46.39.29.150 > 178.248.233.141: GREv0, length 544: IP 31.173.79.118.42580 > 115.108.7.79.80: UDP, length 512

35. 21:30:01.226868 IP 94.251.116.51 > 178.248.233.141: GREv0, length 544: IP 184.224.242.144.65323

    > 167.42.221.164.80: UDP, length 512 21:30:01.226873 IP 46.227.212.111 > 178.248.233.141: GREv0, length 544: IP 90.185.119.106.50021 > 179.57.238.88.80: UDP, length 512 21:30:01.226881 IP 46.39.29.150 > 178.248.233.141: GREv0, length 544: IP 31.173.79.118.42580 > 115.108.7.79.80: UDP, length 512

36. IoT • Mirai • Hajime • Persirai • …

37. Joomla RCE: CVE-2016-8870 • 28.10.2016: patchset released • First attempts

    to exploit: within 24 hours • After 36 hours: automated scans & pwn Source: Wallarm honeypots, https://wallarm.com/

38. IoT? • Android! • Windows! • Whatever!

39. None
40. None

41. CDN/DDoSM User ISP 1 Tier-1 ISP ISP 2 Target site

    Tier-1 ISP 1

42. CDN/DDoSM User ISP 1 Tier-1 ISP ISP 2 Target site

    Tier-1 ISP 1

43. CDN/DDoSM User ISP 1 CDN Tier-1 ISP ISP 2 Target

    site Tier-1 ISP 1

44. CDN/DDoSM User ISP 1 Tier-1 ISP DDoSM ISP 2 Target

    site Tier-1 ISP 1

45. Akamai: CDN vs DDoSM aut-num: AS20940 as-name: AKAMAI-ASN1 org: ORG-AT1-RIPE

    mnt-by: AKAM1-RIPE-MNT mnt-routes: AKAM1-RIPE-MNT

46. Akamai: CDN vs DDoSM aut-num: AS20940 as-name: AKAMAI-ASN1 org: ORG-AT1-RIPE

    mnt-by: AKAM1-RIPE-MNT mnt-routes: AKAM1-RIPE-MNT ASNumber: 32787 ASName: PROLEXIC- TECHNOLOGIES-DDOS- MITIGATION-NETWORK Ref: https://whois.arin.net/ rest/asn/AS32787

47. Akamai: CDN vs DDoSM aut-num: AS20940 as-name: AKAMAI-ASN1 org: ORG-AT1-RIPE

    mnt-by: AKAM1-RIPE-MNT mnt-routes: AKAM1-RIPE-MNT ASNumber: 32787 ASName: PROLEXIC- TECHNOLOGIES-DDOS- MITIGATION-NETWORK Ref: https://whois.arin.net/ rest/asn/AS32787 https://www.peeringdb.com/asn/20940

48. Akamai: CDN vs DDoSM aut-num: AS20940 as-name: AKAMAI-ASN1 org: ORG-AT1-RIPE

    mnt-by: AKAM1-RIPE-MNT mnt-routes: AKAM1-RIPE-MNT ASNumber: 32787 ASName: PROLEXIC- TECHNOLOGIES-DDOS- MITIGATION-NETWORK Ref: https://whois.arin.net/ rest/asn/AS32787 https://www.peeringdb.com/asn/20940

49. Akamai: CDN vs DDoSM https://www.peeringdb.com/ asn/20940

50. Akamai: CDN vs DDoSM https://www.peeringdb.com/ asn/20940

51. Akamai: CDN vs DDoSM https://www.peeringdb.com/ asn/20940 https://www.peeringdb.com/ asn/32787

52. Akamai: CDN vs DDoSM https://www.peeringdb.com/ asn/20940 https://www.peeringdb.com/ asn/32787

53. Akamai: CDN vs DDoSM https://www.peeringdb.com/ asn/20940 https://www.peeringdb.com/ asn/32787

54. Akamai: CDN vs DDoSM https://radar.qrator.net/ as20940/

55. Akamai: CDN vs DDoSM https://radar.qrator.net/ as20940/ https://radar.qrator.net/ as32787/

56. Akamai: CDN vs DDoSM https://radar.qrator.net/ as20940/ https://radar.qrator.net/ as32787/

57. None

58. TBD? • The pressure will grow • Vulnerable architectures will

    be gone • The changes are on the way

59. СПАСИБО! mailto: [email protected] fb: ximaera