The Dark Side of Things: DDoS attacks after Mirai

Transcript

1. qrator.net 2016

2. qrator.net 2016

3. qrator.net 2016 Akamai: CDN vs DDoSM aut-num: AS20940 as-name: AKAMAI-ASN1

   org: ORG-AT1-RIPE mnt-by: AKAM1-RIPE-MNT mnt-routes: AKAM1-RIPE-MNT

4. qrator.net 2016 Akamai: CDN vs DDoSM aut-num: AS20940 as-name: AKAMAI-ASN1

   org: ORG-AT1-RIPE mnt-by: AKAM1-RIPE-MNT mnt-routes: AKAM1-RIPE-MNT ASNumber: 32787 ASName: PROLEXIC- TECHNOLOGIES-DDOS- MITIGATION-NETWORK Ref: https://whois.arin.net/ rest/asn/AS32787

5. qrator.net 2016 Akamai: CDN vs DDoSM aut-num: AS20940 as-name: AKAMAI-ASN1

   org: ORG-AT1-RIPE mnt-by: AKAM1-RIPE-MNT mnt-routes: AKAM1-RIPE-MNT ASNumber: 32787 ASName: PROLEXIC- TECHNOLOGIES-DDOS- MITIGATION-NETWORK Ref: https://whois.arin.net/ rest/asn/AS32787 https://www.peeringdb.com/asn/20940

6. qrator.net 2016 Akamai: CDN vs DDoSM aut-num: AS20940 as-name: AKAMAI-ASN1

   org: ORG-AT1-RIPE mnt-by: AKAM1-RIPE-MNT mnt-routes: AKAM1-RIPE-MNT ASNumber: 32787 ASName: PROLEXIC- TECHNOLOGIES-DDOS- MITIGATION-NETWORK Ref: https://whois.arin.net/ rest/asn/AS32787 https://www.peeringdb.com/asn/20940

7. qrator.net 2016 Akamai: CDN vs DDoSM https://www.peeringdb.com/ asn/20940

8. qrator.net 2016 Akamai: CDN vs DDoSM https://www.peeringdb.com/ asn/20940

9. qrator.net 2016 Akamai: CDN vs DDoSM https://www.peeringdb.com/ asn/20940 https://www.peeringdb.com/ asn/32787

10. qrator.net 2016 Akamai: CDN vs DDoSM https://www.peeringdb.com/ asn/20940 https://www.peeringdb.com/ asn/32787

11. qrator.net 2016 Akamai: CDN vs DDoSM https://www.peeringdb.com/ asn/20940 https://www.peeringdb.com/ asn/32787

12. qrator.net 2016 Akamai: CDN vs DDoSM https://radar.qrator.net/ as20940/

13. qrator.net 2016 Akamai: CDN vs DDoSM https://radar.qrator.net/ as20940/ https://radar.qrator.net/ as32787/

14. qrator.net 2016 Akamai: CDN vs DDoSM https://radar.qrator.net/ as20940/ https://radar.qrator.net/ as32787/

15. qrator.net 2016 15 CDN

16. qrator.net 2016 16 CDN DDoS DDoS

17. qrator.net 2016 17 CDN DDoS DDoS

18. qrator.net 2016 18 CDN DDoS DDoS

19. qrator.net 2016 19 DDoS

20. qrator.net 2016 20

21. qrator.net 2016 21 300 Mbps 30 Gbps Amplification

22. qrator.net 2016 22 5 Gbps 500 Gbps Amplification

23. qrator.net 2016 23

24. qrator.net 2016 • NTP • DNS • SNMP • SSDP

    • ICMP 24 • NetBIOS • RIPv1 • PORTMAP • CHARGEN • QOTD Vulnerable protocols

25. qrator.net 2016 • NTP • DNS • SNMP • SSDP

    • ICMP 25 • NetBIOS • RIPv1 • PORTMAP • CHARGEN • QOTD Amplification can be identified by source port Vulnerable protocols

26. qrator.net 2016 BGP Flow Spec

27. qrator.net 2016 Wordpress Pingback GET /whatever User-Agent: WordPress/3.9.2; http://example.com/; verifying

    pingback from 192.0.2.150 • 150 000 – 170 000 vulnerable servers at once • SSL/TLS-enabled

28. qrator.net 2016 Wordpress Pingback GET /whatever User-Agent: WordPress/3.9.2; http://example.com/; verifying

    pingback from 192.0.2.150 • 150 000 – 170 000 vulnerable servers at once • SSL/TLS-enabled Amplification can be identified by source port?

29. qrator.net 2016 Wordpress Pingback GET /whatever User-Agent: WordPress/3.9.2; http://example.com/; verifying

    pingback from 192.0.2.150 • 150 000 – 170 000 vulnerable servers at once • SSL/TLS-enabled Amplification can be identified by source port?

30. qrator.net 2016 BGP Flow Spec

31. qrator.net 2016 BGP Flow Spec

32. qrator.net 2016 Wordpress Pingback • Millions of vulnerable servers

33. qrator.net 2016 Wordpress Pingback • Millions of vulnerable servers Drupal?

34. qrator.net 2016 Wordpress Pingback • Millions of vulnerable servers Joomla?

    Drupal?

35. qrator.net 2016 Wordpress Pingback • Millions of vulnerable servers Joomla?

    Drupal? Mediawiki?

36. qrator.net 2016 Wordpress Pingback • Millions of vulnerable servers Joomla?

    Drupal? Sharepoint? Mediawiki?

37. qrator.net 2016 Wordpress Pingback • Millions of vulnerable servers Joomla?

    TinyCMS? Drupal? ModX? Sharepoint? Mediawiki?

38. qrator.net 2016 Wordpress Pingback • Millions of vulnerable servers Joomla?

    TinyCMS? Drupal? ModX? Sharepoint? Mediawiki?

39. qrator.net 2016 Internet of Things • Webcams, routers, smartphones, coffee

    makers

40. qrator.net 2016 Internet of Things • Webcams, routers, smartphones, coffee

    makers • Cheap hardware and software

41. qrator.net 2016 Internet of Things • Webcams, routers, smartphones, coffee

    makers • Cheap hardware and software • (Little to) NO software updates

42. qrator.net 2016 Internet of Things • Webcams, routers, smartphones, coffee

    makers • Cheap hardware and software • (Little to) NO software updates, including security fixes

43. qrator.net 2016 Internet of Things • Webcams, routers, smartphones, coffee

    makers • Cheap hardware and software • (Little to) NO software updates, •Default logins/passwords including security fixes

44. qrator.net 2016 Internet of Things • Webcams, routers, smartphones, coffee

    makers • Cheap hardware and software • (Little to) NO software updates, •Default logins/passwords •Full Internet access including security fixes

45. qrator.net 2016 Internet of Things • Webcams, routers, smartphones, coffee

    makers • Cheap hardware and software • (Little to) NO software updates, •Default logins/passwords •Full Internet access including security fixes

46. qrator.net 2016 Internet of Things • Network scanners are now

    powerful enough to discover vulnerable IoT (good job, Flow Spec)

47. qrator.net 2016 Internet of Things • Network scanners are now

    powerful enough to discover vulnerable IoT (good job, Flow Spec) =>

48. qrator.net 2016 Internet of Things • Network scanners are now

    powerful enough to discover vulnerable IoT (good job, Flow Spec) =>

49. qrator.net 2016 Internet of Things • Network scanners are now

    powerful enough to discover vulnerable IoT (good job, Flow Spec) =>

50. qrator.net 2016 Internet of Things • Network scanners are now

    powerful enough to discover vulnerable IoT (good job, Flow Spec) =>

51. qrator.net 2016

52. qrator.net 2016 The Void • To survive TCP- and HTTPS-based

    attacks, one needs a session-capable and TLS-capable DPI • To survive large botnets, one needs a behavioral analysis and correlation analysis built into that DPI

53. qrator.net 2016 The Void • To survive TCP- and HTTPS-based

    attacks, one needs a session-capable and TLS-capable DPI • To survive large botnets, one needs a behavioral analysis and correlation analysis built into that DPI • On the 1 Tbps bandwidth

54. qrator.net 2016 The Void • Do not try to fix

    it yourself • Reach out to your ISP ASAP

55. qrator.net 2016 The Cure • ISP initiatives

56. qrator.net 2016 The Cure • ISP initiatives • Zero tolerance

    to vulnerable IoT

57. qrator.net 2016 The Cure • ISP initiatives • Zero tolerance

    to vulnerable IoT • IPv6?

58. qrator.net 2016 Thank you, and good luck! mailto: Artyom Gavrichenkov

    <[email protected]>