ddos attacks - scenery, evolution and mitigation
TRANSCRIPT
![Page 1: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/1.jpg)
Wilson Rogério Lopes
LACNIC 26 / LACNOG 2016
09/2016
DDoS AttacksScenery, Evolution and Mitigation
![Page 2: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/2.jpg)
Wilson Rogério Lopes
• Network Engineer Specialist, with 12 years of experience in the internetindustry
• Postgraduate degree from University of Sao Paulo – USP
• Frequent speaker at GTER and GTS – Network engineering and securitygroups of Brazil, talking about network engineering, DDoS mitigation, DNSand DNSSEC
• Interests – Network architecture and network security, IaaS, SDN, DNS,DNSSEC
Contacts – [email protected]://br.linkedin.com/in/wrlopes
![Page 3: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/3.jpg)
Disclaimer
All information and opinions contained in this presentation does not represent my employer. All information and stats presented is public, collected from blogs
and specialized sites on the internet.
![Page 4: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/4.jpg)
Agenda
• DDoS – Scenery and Evolution
• Mitigation – Options and Applicability
• General Recomendations
![Page 5: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/5.jpg)
“DDoS is a new spam…and it’severyone’s problem now.”
![Page 6: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/6.jpg)
Technical Details Behind a 400Gbps NTP Amplification DDoS Attack13 Feb 2014 by Matthew Prince
http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/
“To generate approximately 400Gbps of traffic, the attacker used4,529 NTP servers running on 1,298 different networks. Onaverage, each of these servers sent 87Mbps of traffic to theintended victim on CloudFlare's network. Remarkably, it ispossible that the attacker used only a single server running on anetwork that allowed source IP address spoofing to initiate therequests.”
![Page 7: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/7.jpg)
Source: Atlas Arbor Networks
![Page 8: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/8.jpg)
SSDP - Simple Service Discovery Protocol
• UDP port 1900• “Search” Request• Amplification factor – 30x• 8 million of opened devices around the world
Source: https://ssdpscan.shadowserver.org/
![Page 9: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/9.jpg)
2016 - IoT – CCTV Botnet
• CCTV devices – telnet, admin with default passwd• At least 70 vendors running the same linux embedded• Lizard Squad – Bot LizardStresser• 400Gbps of volumetry – without amplification
HTTP Request flood, tcp connections flood, udp flood
Source: https://www.arbornetworks.com/blog/asert/lizard-brain-lizardstresser/
![Page 10: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/10.jpg)
2016 – Rio Olympic Games
Start of IoT botnet activity
• 540Gbps sustained• Targets – Sponsors, government sites, financial
institutions• Use of GRE to bypass the mitigations
Fonte: https://www.arbornetworks.com/blog/asert/lizard-brain-lizardstresser/
![Page 11: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/11.jpg)
2016 – 21/09 – Retaliation and Censorship
• vDOS from Israel identified and owners were arrested• Reported by Brian Krebs - http://krebsonsecurity.com/about/• 665Gbps – 143Mpps – Without amplification !
![Page 12: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/12.jpg)
2016 – 25/09 – Google Project Shield
#dig krebsonsecurity.com. krebsonsecurity.com. 246 IN A 130.211.45.45
CIDR: 130.211.0.0/16NetName: GOOGLE-CLOUD
![Page 13: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/13.jpg)
DDoS Attacks – IPv6
Source: Arbor 2016 Worldwide Infrastructure Security Report
• 354 Service Providers interviewed• 70% answered that have IPv6 deployed
2015 – 2% at least 1 DDoS attack2016 – 9%
Biggest volumetry - 6Gbps
![Page 14: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/14.jpg)
Mitigation – Team Cymru UTRS
BGP Peeringx.x.x.x/32 announce
• UTRS - Unwanted Traffic Removal Service• Destination RTBH multihop – BGP• AS victim annouces the ip under attack• Authenticity verified – whois and peering db• The attack is blocked in the source AS• Restricted to /32 prefixes• More participants, more efficacy
Recommended• Internet service providers for home users
One or more user will lost the connectivity, but theprovider remains up
Maybe recommended....ISPs, Content Providers, Hosting ProvidersClient Services unavailable (news home, e-commerce basket, bakline page)
UTRS
AS 1234Network Under AttackDestination: x.x.x.x/32
Upstream 1 Upstream 2
AS YYYYroute x.x.x.x/32 null0
AS XXXXroute x.x.x.x/32 null0
BGP updateBGP update
Attack Traffic
![Page 15: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/15.jpg)
Mitigation – Clean Pipe IP Transit Providers
PE Provider
CPE Client
Cleaning Center
• Normal Traffic• Attack Traffic• Cleaned Traffic
• Detection via Netflow• Start a more specific announce of ip/prefix under attack• The traffic will be “cleaned” using:
- Syn cookies / Syn Auth- Static filters : drop proto udp and src port 1900
drop proto udp and src port 123- Rate Limit per src/dst prefix and ports- Protocol Authentication- Payload regular expressions- TCP connection limit- Rate limit or drops using GeoIP
![Page 16: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/16.jpg)
Mitigation – Cloud DDoS Mitigation Service Providers
PE Provider
CPE Client
• Normal Traffic• Attack Traffic• Cleaned Traffic
• GRE tunnel between client and provider• BGP session under gre tunnel• Detection via Netflow• Start a more specific announce of ip/prefix under attack• Cloud Provider annouce to your upstreams• All the input traffic will be via Cloud Provider Network• Block of layer 3 and 4 attacks• Additionaly, WAF services
Cloud Provider Network
BGP
GRE
GRE
Pros• Capacity of mitigation – Tbps• Easy implementation, without changes in the client network
Cons• Latency• GRE and MSS –MSS, TCP DF bit setted
Inbound traffic
Outbound traffic
![Page 17: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/17.jpg)
Mitigation Layer 7 – Load Balancers
• L7 HTTP/HTTPS Floods
- Rate limit client IP, destination URL, destination URI
- HTTP header analisys
Check of User AgentCheck of Referer
Validation if client is a browser:
- Cookie insertion
- JS insertion
Validation if client is a human:
- Captcha insertion
![Page 18: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/18.jpg)
Mitigation – Home Made
• Iptables SynProxy
Kernel 3.13, Red Hat 7
iptables -t raw -I PREROUTING -p tcp -m tcp --syn -j CT –notrack
iptables -I INPUT -p tcp -m tcp -m conntrack –ctstate UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
![Page 19: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/19.jpg)
Mitigation – Home Made
• Mod Evasive
Rate limit client IP, destination URL, destination URI
DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 60DOSEmailNotify [email protected]
![Page 20: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/20.jpg)
Mitigation – Home Made
• Mod Security
WAF – Monitoring, Log and Block
OWASP Core rules - https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Protocol violationRBLBlock of floods e slow attacksBot, crowler and scan detection
![Page 21: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/21.jpg)
Mitigation – General Recomendations
• Use Hybrid strategy
Block l3/l4 attacks os the service providerBlock l7 attacks using on-premisse solutions
• Monitoring systems focused on DDoS detection
• Configure Control Plane Policy. Use filters to block traffic to control plane of network devices
• Don’t use the same prefixes to infrastructure and clients
• Keep the mitigation easy – WEB Servers separated of DNS Servers, etc....
• Use anycast as possible – our old and good friend
• Get away of statefull controls on the edge (Firewalls, IPS, etc). Use only where is necessary.
![Page 22: DDoS Attacks - Scenery, Evolution and Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022020108/587d34cc1a28ab2a448b5bbd/html5/thumbnails/22.jpg)
References
• CERT.BR - Recomendações para Melhorar o Cenário de Ataques Distribuídos de Negação de Serviço (DDoS) http://www.cert.br/docs/whitepapers/ddos/
• Mod Evasive - http://www.zdziarski.com/blog/?page_id=442
• Mod Security - https://www.modsecurity.org/
• Iptables SynProxy - http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/
• UTRS - https://www.cymru.com/jtk/misc/utrs.html
• Google Project Shield - https://projectshield.withgoogle.com/public