
Wrong, wrong, WRONG! methods of DDoS mitigation

Both in research papers and in practical guides on DDoS attack mitigation, there often appear some, as we prefer to put it, questionable approaches to that mitigation.

We honestly find it somewhat disturbing that such approaches still exist and, apparently, are implemented in production systems.

The talk presents a short outline of those approaches, or at least the ones usually deployed by ISPs, in a hopefully entertaining manner.

Artyom "Töma" Gavrichenkov

October 19, 2018


Transcript

  1. Wrong, wrong, WRONG!
    methods of DDoS mitigation
    Töma Gavrichenkov

  2. “On the wrong day
    of the wrong week
    I used the wrong method
    with the wrong technique.”
    — Depeche Mode.

  3. (image-only slide)

  4. (image-only slide)

  5. Blocking known attack sources
    • Also known as:
    “I’m not expecting Chinese customers,
    why don’t we just deny access to the Chinese IPs?”

  6. Network Redlining
    “...In the United States, redlining is the systematic denial
    of various services to residents of specific neighborhoods
    or communities, either directly or through the selective
    raising of prices.”
    — Wikipedia.

  7. Network Redlining
    Why is it a bad idea?
    • GeoIP databases are unofficial
    and have no mandatory policy on corrections
    • IP addresses get sold and bought
    • Some IP networks are being used
    far from the original RIR
    • Anycast

  8. Network Redlining
    (same list as slide 7)
    Some of the above might be better with IPv6.

  9. Amplification DDoS?
    A premise: 40 Gbps of unwanted DNS traffic coming from source port 53
    (Diagram: Attacker → amplifier: Src: victim (spoofed), Dst: amplifier, “ANY? com.”, 1 Gbps;
    amplifier → Victim: Src: amplifier, Dst: victim, “com. NS i.gtld-...”, 29 Gbps)

  10. Amplification DDoS?
    A premise: 40 Gbps of unwanted DNS traffic
    coming from source port 53
    • A solution here?
    Use blocklists/Flowspec/RTBH to drop traffic
    from known reflection sources!
    • Why is it a bad idea?

  11. A True Story
    • An enterprise got those 40 Gbps of DNS traffic
    • Decided to parse the source IP addresses of reflectors
    and populate a blocklist

  12. A True Story (continued)
    • 2 hours after, the attacker started enumerating IPv4 0/0
    within empty packets’ sources (with source UDP port 53)
    • Started with most popular ISP access prefixes

  13. A True Story (continued)
    • 8 hours later, nothing is working, ~1 bln IPv4 in blocklist

  14. Lesson 2
    • No blocklists without remote IP address authentication
    • Especially in the case of amplification/reflection

  15. But what if...
    ...we check that there’s actually an amplifier?

  16. But what if... (continued)
    Then such a check may fail due to a
    (..tada..)

  17. But what if... (continued)
    network redlining on the other side!

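To make slides 10 through 17 concrete, here is an added Python illustration that is not part of the talk. It contrasts the naive policy from slide 10 (block every source seen sending from UDP port 53) with the rule from slide 14 (block only sources that have been verified as amplifiers), and it treats a probe that gets no answer the way slides 15 to 17 demand: as unknown, not as proof either way, because the silence may be a spoofed host or a network that redlines the prober. The flow records, the customer prefix 203.0.113.0/24 and the probe results are constructed for the example; `probe_is_amplifier` is a stand-in for a real active check that would send a DNS query and wait for the reply.

```python
"""Blocklist policies for reflection traffic: naive vs. source-verified.

Added illustration, not code from the talk. The flow records, the
customer prefix and the probe results below are all constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed one-second sample of what the victim's flow collector reports:
# (source IP, source UDP port, UDP payload length in bytes).
SAMPLE_FLOWS: List[Tuple[str, int, int]] = [
    ("198.51.100.10", 53, 3200),  # real open resolver reflecting "ANY? com."
    ("198.51.100.11", 53, 3200),  # another real reflector
    ("203.0.113.7", 53, 0),       # empty packet, source spoofed to an ISP access prefix
    ("203.0.113.8", 53, 0),
    ("203.0.113.9", 53, 0),
    ("192.0.2.44", 443, 1400),    # ordinary HTTPS traffic, not part of the attack
]

# Constructed customer prefix: addresses here are people we must keep serving.
CUSTOMER_PREFIX = ip_network("203.0.113.0/24")

# Constructed stand-in for an active probe ("remote IP address authentication"):
# we send the candidate a DNS query from our own address and look at the answer.
#   True  -> it answered as an open resolver: it really is an amplifier
#   False -> it answered REFUSED / is not a resolver: the source was spoofed
#   None  -> no answer at all: spoofed host, OR a network that drops our probe
PROBE_RESULTS: Dict[str, Optional[bool]] = {
    "198.51.100.10": True,
    "198.51.100.11": None,   # real reflector, but its network redlines our probe
    "203.0.113.7": False,
    "203.0.113.8": None,     # host simply does not run DNS
    "203.0.113.9": False,
}

Flow = Tuple[str, int, int]


def probe_is_amplifier(src: str) -> Optional[bool]:
    """Constructed probe; a real one would send a DNS query and await the reply."""
    return PROBE_RESULTS.get(src)


def naive_blocklist(flows: List[Flow]) -> Set[str]:
    """Slide 10's 'solution': block every source that sent us traffic from port 53.

    Source addresses of UDP packets are unauthenticated, so every spoofed
    source the attacker chooses to use ends up in this set.
    """
    return {src for src, sport, _ in flows if sport == 53}


def verified_blocklist(
    flows: List[Flow],
    probe: Callable[[str], Optional[bool]] = probe_is_amplifier,
) -> Tuple[Set[str], Set[str]]:
    """Slide 14's rule: only block sources that answered our probe as amplifiers.

    Returns (blocked, unverified). Unverified sources are never blocked: a
    missing answer may be a spoofed host, but it may also be an amplifier
    whose network redlines us (slides 15-17), and we cannot tell them apart.
    """
    blocked: Set[str] = set()
    unverified: Set[str] = set()
    for src, sport, _ in flows:
        if sport != 53:
            continue
        verdict = probe(src)
        if verdict is True:
            blocked.add(src)
        elif verdict is None:
            unverified.add(src)
    return blocked, unverified


def collateral(blocklist: Set[str], prefix=CUSTOMER_PREFIX) -> Set[str]:
    """Addresses in the blocklist that fall inside a prefix we must keep serving."""
    return {src for src in blocklist if ip_address(src) in prefix}


if __name__ == "__main__":
    naive = naive_blocklist(SAMPLE_FLOWS)
    print("naive blocklist:", sorted(naive))
    print("  customers cut off:", sorted(collateral(naive)))
    blocked, unverified = verified_blocklist(SAMPLE_FLOWS)
    print("verified blocklist:", sorted(blocked))
    print("  left alone (no probe answer):", sorted(unverified))
```

On the sample, the naive policy blocks three customer addresses for the attacker's price of three empty packets, which is the mechanism behind slide 13's billion-entry blocklist; the verified policy blocks only the resolver that provably answered, and leaves 198.51.100.11 alone even though it is a real reflector, because its network drops the probe. That miss is the cost the talk points at in slides 15 to 17: a verification step is only as good as the other side's willingness to answer it, and an unanswered probe must be treated as unknown rather than as a reason to block.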

  18. Sound bytes
    • No blocklists without remote IP address authentication
    • Avoid network redlining
    • Stop breaking the Internet!
    mailto: Töma Gavrichenkov

  19. CC BY-SA credits
    • https://commons.wikimedia.org/wiki/File:DaveGahanbyNOA-HASSIN.JPG
    • https://commons.wikimedia.org/wiki/Atlas_of_Brazil
