DDoS Attacks in 2017: Beyond Packet Filtering

Transcript

1. qrator.net 2016 DDOS ATTACKS IN 2017: BEYOND PACKET FILTERING Artyom

   Gavrichenkov Qrator Labs [email protected]

2. qrator.net 2016 PARENTAL ADVISORY

3. qrator.net 2016 3 786 1038 1993 477 370 845 _2012_

   _2013_ _2014_ _2015_ Volumetric TCP-based HERE BE DRAGONS

4. qrator.net 2016 4 786 1038 1993 477 370 845 _2012_

   _2013_ _2014_ _2015_ Volumetric TCP-based HERE BE DRAGONS

5. qrator.net 2016 5 786 1038 1993 477 370 845 _2012_

   _2013_ _2014_ _2015_ Volumetric TCP-based HERE BE DRAGONS

6. qrator.net 2016 Distributed Denial-of-Service attack • An attempt to make

   a network resource unavailable by exhausting its resources

7. qrator.net 2016 Distributed Denial-of-Service attack • An attempt to make

   a network resource unavailable by exhausting its resources: • Bandwidth

8. qrator.net 2016 Distributed Denial-of-Service attack • An attempt to make

   a network resource unavailable by exhausting its resources: • Bandwidth: ICMP flood, UDP flood, SYN flood…

9. qrator.net 2016 Distributed Denial-of-Service attack • An attempt to make

   a network resource unavailable by exhausting its resources: • Bandwidth: ICMP flood, UDP flood, SYN flood… Amplification: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS, RIPv1, PORTMAP, CHARGEN, QOTD...

10. qrator.net 2016 Distributed Denial-of-Service attack • An attempt to make

    a network resource unavailable by exhausting its resources: • Bandwidth: ICMP flood, UDP flood, SYN flood… Amplification: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS, RIPv1, PORTMAP, CHARGEN, QOTD... • TCP finite state machine implementation attacks

11. qrator.net 2016 Distributed Denial-of-Service attack • An attempt to make

    a network resource unavailable by exhausting its resources: • Bandwidth: ICMP flood, UDP flood, SYN flood… Amplification: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS, RIPv1, PORTMAP, CHARGEN, QOTD... • TCP finite state machine implementation attacks: SYN flood, ACK flood, TCP connection flood…

12. qrator.net 2016 Distributed Denial-of-Service attack • An attempt to make

    a network resource unavailable by exhausting its resources: • Bandwidth: ICMP flood, UDP flood, SYN flood… Amplification: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS, RIPv1, PORTMAP, CHARGEN, QOTD... • TCP finite state machine implementation attacks: SYN flood, ACK flood, TCP connection flood…

13. qrator.net 2016 Distributed Denial-of-Service attack • An attempt to make

    a network resource unavailable by exhausting its resources: • Bandwidth: ICMP flood, UDP flood, SYN flood… Amplification: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS, RIPv1, PORTMAP, CHARGEN, QOTD... • TCP finite state machine implementation attacks: SYN flood, ACK flood, TCP connection flood… • Application-specific bottlenecks (HTTP server, DBMS, caches, etc)

14. qrator.net 2016 Packet-based DDoS Target Ping*

15. qrator.net 2016 Packet-based DDoS Target Ping* Ping*

16. qrator.net 2016 Packet-based DDoS Target Ping* Ping* Ping* Ping*

17. qrator.net 2016 Packet-based DDoS Target Ping* Ping* Ping* Ping* Ping*

    Ping* Ping*

18. qrator.net 2016 L7 DDoS Target GET*

19. qrator.net 2016 L7 DDoS Target GET* GET*

20. qrator.net 2016 L7 DDoS Target GET* GET* GET* GET*

21. qrator.net 2016 L7 DDoS Target GET* GET* GET* GET* GET*

    GET* GET*

22. qrator.net 2016 Packet vs Request • 3-way handshake => SYN

    cookies => IP Authentication

23. qrator.net 2016 Packet vs Request • 3-way handshake => SYN

    cookies => IP Authentication • IP Authentication not available in most* UDP-based protocols => Spoofing => UDP Amplification!

24. qrator.net 2016 Packet vs Request • 3-way handshake => SYN

    cookies => IP Authentication • IP Authentication not available in most* UDP-based protocols => Spoofing => UDP Amplification! • Amp-vulnerable server may be identified by source port => Flow Spec solves problems!

25. qrator.net 2016 BGP Flow Spec?

26. qrator.net 2016 BGP Flow Spec!

27. qrator.net 2016 Packet vs Request • 3-way handshake => SYN

    cookies => IP Authentication • IP Authentication not available in most* UDP-based protocols => Spoofing => UDP Amplification! • Amp-vulnerable server may be identified by source port => Flow Spec solves problems!

28. qrator.net 2016 Packet vs Request • 3-way handshake => SYN

    cookies => IP Authentication • IP Authentication not available in most* UDP-based protocols => Spoofing => UDP Amplification! • Amp-vulnerable server may be identified by source port => Flow Spec solves problems!

29. qrator.net 2016 Packet vs Request • 3-way handshake => SYN

    cookies => IP Authentication • IP Authentication not available in most* UDP-based protocols => Spoofing => UDP Amplification! • Amp-vulnerable server may be identified by source port => Flow Spec solves problems!

30. qrator.net 2016 Wordpress Pingback GET /whatever User-Agent: WordPress/3.9.2; http://example.com/; verifying

    pingback from 192.0.2.150 • 150-170 vulnerable servers at once • SSL/TLS-enabled

31. qrator.net 2016 Wordpress Pingback • Millions of vulnerable servers

32. qrator.net 2016 Wordpress Pingback • Millions of vulnerable servers Drupal?

33. qrator.net 2016 Wordpress Pingback • Millions of vulnerable servers Joomla?

    Drupal?

34. qrator.net 2016 Wordpress Pingback • Millions of vulnerable servers Joomla?

    Drupal? Mediawiki?

35. qrator.net 2016 Wordpress Pingback • Millions of vulnerable servers Joomla?

    Drupal? Sharepoint? Mediawiki?

36. qrator.net 2016 Wordpress Pingback • Millions of vulnerable servers Joomla?

    TinyCMS? Drupal? ModX? Sharepoint? Mediawiki?

37. qrator.net 2016 Wordpress Pingback • Millions of vulnerable servers Joomla?

    TinyCMS? Drupal? ModX? Sharepoint? Mediawiki?

38. qrator.net 2016 Packet vs Request • 3-way handshake => SYN

    cookies => IP Authentication • IP Authentication not available in most* UDP-based protocols => Spoofing => UDP Amplification! • Amp-vulnerable server may be identified by source port => Flow Spec solves problems!

39. qrator.net 2016 Packet vs Request • 3-way handshake => SYN

    cookies => IP Authentication • IP Authentication not available in most* UDP-based protocols => Spoofing => UDP Amplification! • Amp-vulnerable server may be identified by source port => Flow Spec solves problems!

40. qrator.net 2016 40 300 Mbps 30 Gbps Amplification

41. qrator.net 2016 41 2000 Mbps 200 Gbps Amplification

42. qrator.net 2016 42

43. qrator.net 2016 43 2000 Mbps 200 Gbps Amplification

44. qrator.net 2016 44 ? 500 Gbps Amplification

45. qrator.net 2016 Pure TCP-based attack today

46. qrator.net 2016 The Void • To survive TCP- and HTTPS-based

    attacks, one needs a session-capable and TLS-capable DPI • To survive large botnets, one needs a behavioral analysis and correlation analysis built into that DPI • That’s extremely expensive for a large network

47. qrator.net 2016 The Void • Any service offering SLA must

    do all of this • A service lacking any of those features is best effort • No one likes best effort services

48. qrator.net 2016 The Cure • BCP 38 is no cure*

    • IPv6 is no cure • Time to fight for yourselves • Care about other customers • It’s every man for himself now

49. qrator.net 2016 The Future

50. qrator.net 2016 Thank you, and good luck! mailto: Artyom Gavrichenkov

    <[email protected]>