SlideShare a Scribd company logo

Secure 2013 Poland

Cloudflare
Cloudflare

This document discusses how to launch and defend against DDoS attacks. It explains that DDoS attacks are easy to conduct using tools that allow for spoofing of IP addresses. It also describes how protocols like UDP and DNS amplification attacks can be used to launch large attacks. The document then provides recommendations for how to defend against DDoS attacks, including using a global network with anycast, hiding your origin IP, separating protocols by IP, and working closely with your upstream provider.

Related slideshows

Sullivan heartbleed-defcon22 2014
Sullivan heartbleed-defcon22 2014Sullivan heartbleed-defcon22 2014
Sullivan heartbleed-defcon22 2014
 
CloudFlare - The Heartbleed Bug - Webinar
CloudFlare - The Heartbleed Bug - WebinarCloudFlare - The Heartbleed Bug - Webinar
CloudFlare - The Heartbleed Bug - Webinar
 
Running Secure Server Software on Insecure Hardware Without Parachute
Running Secure Server Software on Insecure Hardware Without ParachuteRunning Secure Server Software on Insecure Hardware Without Parachute
Running Secure Server Software on Insecure Hardware Without Parachute
 
1 of 29
Download to read offline
How to launch and defend against a DDoS John Graham-Cumming October 9, 2013 The simplest way to a safer, faster and smarter website
DDoSing web sites is... easy •  Motivated groups of non-technical individuals •  Followers of Anonymous etc. •  Simple tools like LOIC •  People with money to spend •  Botnets •  Online ‘booter’ services •  Anyone with a grudge 2
What gets attacked •  TCP •  92% against port 80 •  SYN flooding •  UDP •  97% against DNS •  Reflection/amplification attacks •  Other significant attack ports •  TCP port 53 (DNS) •  UDP port 514 (syslog) 3
And when... 4
Three things make DDoS easy •  Fire and forget protocols •  Anything based on UDP •  ICMP •  No source IP authentication •  Any machine can send a packet “from” any machine •  Internet Amplifiers •  Authoritative DNS servers that don’t rate limit •  Open DNS recursors •  Open SNMP devices 5
DDoS Situation is Worsening •  Size and Frequency Growing •  In 2012 the largest DDoS attack we saw was 65 Gbps •  In 2013 it was 309 Gbps (almost 5x size increase) •  DNS-based DDoS attacks grew in frequency by 200% in 2012 6
March 24, 2013 • 309 Gbps sustained for 28 minutes • 30,956 open DNS resolvers • Each outputting 10 Mbps • 3 networks that allowed spoofing 7
March 25, 2013 • 287 Gbps sustained for 72 minutes • 32,154 open DNS resolvers • Each outputting 9 Mbps • 3 networks that allowed spoofing 8
Controlling Machine Amplification Attacks Compromised Trigger Machine Compromised Trigger Machine 10Mbps Compromised Trigger Machine 1x 10x 1Gbps AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP 10000x 1Gbps Victim 9
DNS and SNMP Amplification •  Small request to DNS or SNMP server with spoofed source IP address •  DNS or SNMP server responds with large packet to ‘source’: the victim •  DNS multiplier is 8x (Req: 64B; Resp: 512B) •  EDNS multiplier is 53x (Req: 64B; Resp: 3,364B) •  SNMP multiplier is 650x (Req: 100B; Resp: 65kB) 10
HOWTO: 1 Tbps DDoS •  Get a list of 10,000 open DNS recursors •  Each machine will produce 1 Tbps / 10,000 = 100 Mbps •  Use more machines if that’s too high •  DNS amplification factor is 8x so need 1 Tbps / 8 = 125 Gbps trigger traffic •  So 100 compromised servers with 1Gbps connections will do •  If DNS recursors support EDNS then only need 1 Tbps / 50 = 20 Gbps trigger traffic 11
SNMP etc. •  We have seen a 25 Gbps DDoS attack using SNMP amplification •  Came from Comcast Broadband Modems •  NTP? 12
28 Million Open Resolvers 13
24.6% of networks allow spoofing 14
Spamhaus DDoS Was Easy •  1 attacker’s laptop controlling •  10 compromised servers on •  3 networks that allowed spoofing of •  9Gbps DNS requests to •  0.1% of open resolvers resulted in •  300Gbps+ of DDoS attack traffic. 15
Solving This Problem •  Close Open DNS Recursors •  Please do this! •  Stop IP Spoofing •  Implement BCP38 and BCP84 16
IP Spoofing •  Used to ICMP attacks, TCP SYN floods and amplification attacks •  Vast majority of attacks on CloudFlare are spoofed attacks Victim IP DNS Server IP 64 byte request 512 byte reply Victim IP DNS Server IP •  Dealing with IP spoofing stops amplification, hurts botnets 17
Mars Attacks! •  23% from Martian addresses •  3.45% from China Telecom •  2.14% from China Unicom •  1.74% from Comcast •  1.45% from Dreamhost •  1.36% from WEBNX •  Larger point: spoofed packets come from everywhere 18
Ingress Filtering: BCP38 and BCP84 •  BCP38 is RFC2827 •  Been around since 2000 •  http://www.bcp38.info/ •  https://en.wikipedia.org/wiki/Ingress_filtering •  BCP84 is RFC3704 •  Addresses problems with multi-homed networks 19
Why isn’t BCP38 implemented widely? •  Simple: economic incentives are against it •  IP-spoofing based DDoS attacks are an “externality”: like a polluting factory •  IP-spoofing based DDoS attacks are not launched by the networks themselves: a factory that only pollutes on someone else’s command •  Networks have a negative incentive to implement because of impact on their customers’ networks •  Externalities get fixed by regulation •  Better to fix this without government intervention •  Governments will intervene when they are threatened (and they are!) 20
We’ve been here before •  SMTP Open Relays •  Let’s not get to the point that BL are created •  Or that governments intervene 21
DDoS Defense 22
Start with a global network 23
Use Anycast 24
Anycast Attack Dilution 310 Gbps / 23 PoPs = 14 Gbps per PoP 25
Hide Your Origin •  If you use a DDoS service make sure your origin IP is hidden •  Change it when signing up •  Make sure no DNS records (e.g. MX) leak the IP •  and make sure that IP only accepts packets from the service 26
Separate Protocols By IP •  For example, have separate IPs for HTTP and DNS •  Filter by IP and protocol •  No UDP packets should be able to hit your HTTP server •  No HTTP packets should be able to hit your SMTP server 27
Protect your infrastructure •  Separate IPs for infrastructure •  Internal switches, routers •  Filters those IPs at the edge •  No external access to internal infrastructure •  Otherwise attackers will attack your infrastructure 28
Work closely with your upstream •  Get to know who to call when trouble strikes •  Enable them to perform filtering in their infrastructure •  Share you IP/Protocol architecture with them 29

More Related Content

Secure 2013 Poland

  • 1. How to launch and defend against a DDoS John Graham-Cumming October 9, 2013 The simplest way to a safer, faster and smarter website
  • 2. DDoSing web sites is... easy •  Motivated groups of non-technical individuals •  Followers of Anonymous etc. •  Simple tools like LOIC •  People with money to spend •  Botnets •  Online ‘booter’ services •  Anyone with a grudge 2
  • 3. What gets attacked •  TCP •  92% against port 80 •  SYN flooding •  UDP •  97% against DNS •  Reflection/amplification attacks •  Other significant attack ports •  TCP port 53 (DNS) •  UDP port 514 (syslog) 3
  • 5. Three things make DDoS easy •  Fire and forget protocols •  Anything based on UDP •  ICMP •  No source IP authentication •  Any machine can send a packet “from” any machine •  Internet Amplifiers •  Authoritative DNS servers that don’t rate limit •  Open DNS recursors •  Open SNMP devices 5
  • 6. DDoS Situation is Worsening •  Size and Frequency Growing •  In 2012 the largest DDoS attack we saw was 65 Gbps •  In 2013 it was 309 Gbps (almost 5x size increase) •  DNS-based DDoS attacks grew in frequency by 200% in 2012 6
  • 7. March 24, 2013 • 309 Gbps sustained for 28 minutes • 30,956 open DNS resolvers • Each outputting 10 Mbps • 3 networks that allowed spoofing 7
  • 8. March 25, 2013 • 287 Gbps sustained for 72 minutes • 32,154 open DNS resolvers • Each outputting 9 Mbps • 3 networks that allowed spoofing 8
  • 9. Controlling Machine Amplification Attacks Compromised Trigger Machine Compromised Trigger Machine 10Mbps Compromised Trigger Machine 1x 10x 1Gbps AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP 10000x 1Gbps Victim 9
  • 10. DNS and SNMP Amplification •  Small request to DNS or SNMP server with spoofed source IP address •  DNS or SNMP server responds with large packet to ‘source’: the victim •  DNS multiplier is 8x (Req: 64B; Resp: 512B) •  EDNS multiplier is 53x (Req: 64B; Resp: 3,364B) •  SNMP multiplier is 650x (Req: 100B; Resp: 65kB) 10
  • 11. HOWTO: 1 Tbps DDoS •  Get a list of 10,000 open DNS recursors •  Each machine will produce 1 Tbps / 10,000 = 100 Mbps •  Use more machines if that’s too high •  DNS amplification factor is 8x so need 1 Tbps / 8 = 125 Gbps trigger traffic •  So 100 compromised servers with 1Gbps connections will do •  If DNS recursors support EDNS then only need 1 Tbps / 50 = 20 Gbps trigger traffic 11
  • 12. SNMP etc. •  We have seen a 25 Gbps DDoS attack using SNMP amplification •  Came from Comcast Broadband Modems •  NTP? 12
  • 13. 28 Million Open Resolvers 13
  • 14. 24.6% of networks allow spoofing 14
  • 15. Spamhaus DDoS Was Easy •  1 attacker’s laptop controlling •  10 compromised servers on •  3 networks that allowed spoofing of •  9Gbps DNS requests to •  0.1% of open resolvers resulted in •  300Gbps+ of DDoS attack traffic. 15
  • 16. Solving This Problem •  Close Open DNS Recursors •  Please do this! •  Stop IP Spoofing •  Implement BCP38 and BCP84 16
  • 17. IP Spoofing •  Used to ICMP attacks, TCP SYN floods and amplification attacks •  Vast majority of attacks on CloudFlare are spoofed attacks Victim IP DNS Server IP 64 byte request 512 byte reply Victim IP DNS Server IP •  Dealing with IP spoofing stops amplification, hurts botnets 17
  • 18. Mars Attacks! •  23% from Martian addresses •  3.45% from China Telecom •  2.14% from China Unicom •  1.74% from Comcast •  1.45% from Dreamhost •  1.36% from WEBNX •  Larger point: spoofed packets come from everywhere 18
  • 19. Ingress Filtering: BCP38 and BCP84 •  BCP38 is RFC2827 •  Been around since 2000 •  http://www.bcp38.info/ •  https://en.wikipedia.org/wiki/Ingress_filtering •  BCP84 is RFC3704 •  Addresses problems with multi-homed networks 19
  • 20. Why isn’t BCP38 implemented widely? •  Simple: economic incentives are against it •  IP-spoofing based DDoS attacks are an “externality”: like a polluting factory •  IP-spoofing based DDoS attacks are not launched by the networks themselves: a factory that only pollutes on someone else’s command •  Networks have a negative incentive to implement because of impact on their customers’ networks •  Externalities get fixed by regulation •  Better to fix this without government intervention •  Governments will intervene when they are threatened (and they are!) 20
  • 21. We’ve been here before •  SMTP Open Relays •  Let’s not get to the point that BL are created •  Or that governments intervene 21
  • 23. Start with a global network 23
  • 25. Anycast Attack Dilution 310 Gbps / 23 PoPs = 14 Gbps per PoP 25
  • 26. Hide Your Origin •  If you use a DDoS service make sure your origin IP is hidden •  Change it when signing up •  Make sure no DNS records (e.g. MX) leak the IP •  and make sure that IP only accepts packets from the service 26
  • 27. Separate Protocols By IP •  For example, have separate IPs for HTTP and DNS •  Filter by IP and protocol •  No UDP packets should be able to hit your HTTP server •  No HTTP packets should be able to hit your SMTP server 27
  • 28. Protect your infrastructure •  Separate IPs for infrastructure •  Internal switches, routers •  Filters those IPs at the edge •  No external access to internal infrastructure •  Otherwise attackers will attack your infrastructure 28
  • 29. Work closely with your upstream •  Get to know who to call when trouble strikes •  Enable them to perform filtering in their infrastructure •  Share you IP/Protocol architecture with them 29