Dyn Road Show: Andrew Sullivan Talks DDoS

Distributed Denial of Service Attacks, 2013-08-29, Andrew Sullivan, Principal Architect

Uploaded by dyn, posted 16-Apr-2017

TRANSCRIPT

Pg. 1
Distributed Denial of Service Attacks
2013-08-29
Andrew Sullivan, Principal Architect

Pg. 2
To Cover Today
• What is a DDoS?
• What do they do?
• How do they work?
• Who does them?
• Why?

Pg. 3
To Cover Today
• How does DNS play in?
• What is reflection?
• What is amplification?
• What if you are being attacked?
• What if you’re used in an attack?

Pg. 4
To Cover Today
• Things you can do
• Does outsourcing help?
• Does anycast help?
• What about appliances?
• What about mitigation services?

Pg. 5
DDoS: what?
Just what the name says
Denial of Service prevents users from being able to use the target service.
• Break code
  • “Smash the stack”
  • Lock out passwords
  • Viruses &c.
• Request lots and block legitimate requests
• Stuff the network so nobody can communicate

Pg. 6
Respond to DoS
DoS Target

Pg. 7
Respond to DoS
First Defense: more boxes!

Pg. 8
Respond to DoS
Or even not quite so many

Pg. 9
DoS by Network
Send a lot of traffic

Pg. 10
DoS by Network
Send a lot of traffic

Pg. 11
Why talk about this now? What’s new?
• Not new: Morris, 1988
• New: “better” profiles
• New: “better” tools
• New: better-provisioned sources

Pg. 12
DDoS: what?
The sources have changed
You will run out of money for bandwidth before attackers run out of compromised servers.
Then / Now

Pg. 13
How DDoS works
Really distributed attacks
Big attackers: attack networks are now well-connected, very widely distributed.
• 18 data centers
• Global presence
• Used to see attacks in some sites
• Now see them everywhere

Pg. 14
Explaining DoS
Why?
Money, Politics, Religion. Mostly money.
Andrew Sullivan: need a better money sign.

Pg. 15
How DDoS works
Flood from many sites
Something bad from spoofed address (smurf attack, DNS query for big record, ping of death, etc.)

Pg. 16
How DDoS works
Need control

Pg. 17
How DDoS works
Block control, end the attack

Pg. 18
How DDoS works
Wait a minute! Spoofed addresses?
User Datagram Protocol (UDP), not Transmission Control Protocol (TCP, handshake)

Pg. 19
How DDoS works
Why not fix that?
• We tried in Best Current Practice (BCP) 38
• Some networks don’t do that
• There are no Internet Police
• Internet Police would also be bad

Pg. 20
How DDoS works: DNS
Don’t attack directly

Pg. 21
How DDoS works: DNS
Reflection: use someone else to mount attack
Since you can spoof addresses, you query pretending to be someone else. They get the responses.

Pg. 22
How DDoS works: DNS
Key attributes of reflection
• Relies on UDP to permit spoofing
• Relies on servers trying to answer every query
• Server refusing to answer might cause collateral damage

Pg. 23
How DDoS works: DNS
Amplification

Pg. 24
How DDoS works: DNS
Key attributes of amplification
• Queries are small
• Answers can be large
• Target need not be a DNS server
• Makes DNS a very useful attack vector

Pg. 25
How DDoS works: DNS
How effective is DNS amplification?
Good amplifier: the cost of the attack stays the same; different queries provide different amplification.

Pg. 26
How DDoS works: DNS
Not just DNS targets
Any service: this is mostly a network DoS; the attacker just fills the network.

Pg. 27
How DDoS works: DNS
Attack the DNS server
Direct attack: the abuse queries and the amplified responses block legitimate traffic.

Pg. 28
How DDoS works: DNS
Attack the DNS server
Indirect attack: the abuse queries and the amplified responses block legitimate traffic at some other server.

Pg. 29
How DDoS works: DNS
Attack another service
Indirect attack: the abuse queries and the amplified responses block legitimate traffic at some other service.

Pg. 30
Attack on your authoritative DNS server
Scenario: your DNS service is the target of attack query traffic.
What happens:
• You receive a lot of queries
• You send a lot of responses
• You can’t answer real queries
• Probably, you’re a reflector

Pg. 31
Attack on your recursive DNS server
Scenario: your DNS service is the target of attack answer traffic.
What happens:
• You receive a lot of answers
• The traffic fills your bandwidth
• You can’t answer real queries

Pg. 32
You are a reflector or amplifier
Scenario: your DNS service is the target of attack query traffic, sending a lot of answers.
What happens:
• You receive a lot of queries
• You send a lot of responses to someone
• You get identified
• People start blocking you
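Worked example added to this transcript (not from the deck or from Dyn): detection logic for the Pg. 30 and Pg. 32 scenarios, run over a few constructed query-log lines. A reflector sees queries that appear to come from the victim, repeat one question, and favour question types with large answers, because the "client" is really a spoofed address. The BIND-style log layout, the thresholds and the /24 (IPv4) and /56 (IPv6) aggregation are assumptions; the addresses are documentation prefixes.

```python
"""Spot signs that this DNS server is being used as a reflector: a burst of
identical queries from one apparent source, preferring large-answer types.

Added example. The log format is a constructed BIND-style query-log layout,
not any particular server's real output; thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) client "
    r"(?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)
# Query types whose answers are typically far larger than the query.
LARGE_ANSWER_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse_line(line):
    """Return a dict for one query-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        "client": m["client"],
        "qname": m["qname"].lower(),
        "qtype": m["qtype"].upper(),
    }


def client_prefix(client):
    """Aggregate by /24 (IPv4) or /56 (IPv6): a spoofer varies low bits freely."""
    addr = ip_address(client)
    return ip_network(f"{addr}/{24 if addr.version == 4 else 56}", strict=False)


def find_suspect_sources(log_text, min_burst=5, min_repeat_fraction=0.6):
    """Flag prefixes whose peak one-second query count reaches min_burst and
    whose queries are dominated by a single repeated (qname, qtype)."""
    per_prefix = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_prefix[client_prefix(rec["client"])].append(rec)

    suspects = {}
    for prefix, recs in per_prefix.items():
        peak = max(Counter(r["ts"].replace(microsecond=0) for r in recs).values())
        question, repeats = Counter(
            (r["qname"], r["qtype"]) for r in recs
        ).most_common(1)[0]
        repeat_fraction = repeats / len(recs)
        if peak >= min_burst and repeat_fraction >= min_repeat_fraction:
            suspects[str(prefix)] = {
                "peak_qps": peak,
                "top_question": question,
                "repeat_fraction": round(repeat_fraction, 2),
                # True means the reflected traffic is also amplified.
                "large_answer": question[1] in LARGE_ANSWER_TYPES,
            }
    return suspects


# Constructed sample: one spoofed "client" repeating an ANY query in a burst,
# and an ordinary resolver asking varied questions at a normal rate.
SAMPLE_LOG = """\
29-Aug-2013 10:00:00.101 client 198.51.100.7#53: query: example.com IN ANY
29-Aug-2013 10:00:00.118 client 198.51.100.7#53: query: example.com IN ANY
29-Aug-2013 10:00:00.133 client 198.51.100.7#53: query: example.com IN ANY
29-Aug-2013 10:00:00.150 client 198.51.100.7#53: query: example.com IN ANY
29-Aug-2013 10:00:00.166 client 198.51.100.7#53: query: example.com IN ANY
29-Aug-2013 10:00:00.181 client 198.51.100.7#53: query: example.com IN ANY
29-Aug-2013 10:00:00.210 client 192.0.2.10#41234: query: www.example.com IN A
29-Aug-2013 10:00:00.412 client 192.0.2.10#52022: query: mail.example.com IN MX
29-Aug-2013 10:00:01.007 client 192.0.2.33#39871: query: example.com IN AAAA
29-Aug-2013 10:00:01.322 client 192.0.2.10#60110: query: ns1.example.com IN A
"""

if __name__ == "__main__":
    for prefix, report in find_suspect_sources(SAMPLE_LOG).items():
        print(prefix, report)
```

Rate alone is a weak signal, since a busy legitimate resolver also sends many queries; the repetition of one question and the large-answer flag are what distinguish reflection abuse, and the flagged prefix is the victim, not the attacker, so the right response is rate limiting or contacting that network, not blocking it outright.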

Pg. 33
Your application is a target
Scenario: your non-DNS service is the target of attack answers.
What happens:
• Your bandwidth goes to receiving (useless) data
• Your application is broken
• Might cost you money (bandwidth fees)

Pg. 34
Responding
What can you do? Outsourcing
Letting someone else run your systems for you can help.
• Large systems
• Robust networks
• Expert operators
• Skilled mitigation

Pg. 35
Responding
What can you do? Outsourcing
Letting someone else run your systems for you can bring new risk.
• Large providers are themselves targets
• Large providers have other customers who might be targets
• You give up some control

Pg. 36
Responding
How do you do it? Outsourcing
Not all providers are equal.
You may be already!
• Your registrar?
Research your options:
• What’s the network like?
• Mitigation strategies?
• Other customers?

Pg. 37
Responding
What can you do? Anycast
Nifty trick of serving the same IP address from different machines.

Pg. 38
Responding
What can you do? Anycast

Pg. 39
Responding
What can you do? Anycast
Can help localize attacks on the Internet.
• Usually isolates attack to one or two network locations
• Can reroute traffic to “bigger” node
• Harder to fill many transit paths

Pg. 40
Responding
What can you do? Anycast
No magic bullet.
• If you don’t know what anycast is, you don’t want to do it
• Requires money: staff, machines, sites
• Won’t actually stop attack

Pg. 41
Responding
How do you do it? Anycast
Bring money, and pick the right use cases.
You will need:
• Experts
• Network
Not good for all cases:
• “Short” protocols (e.g. DNS) ok
• Long-lived streams (like http) bad

Pg. 42
Responding
What can you do? Appliances
There are lots of these with different strategies.
• Some identify by analysis
• Some identify by known bad actors
• Usually rate limit traffic
• Ineffective if your pipe is full

Pg. 43
Responding
What can you do? Services
Pay people for their mitigation strategies.
• Large services will “scrub” your traffic
• Reasonably effective for http
• Almost useless for DNS
• Often difficult for bespoke protocols

Pg. 44
Responding
What can you do? Scepticism
There’s a lot of security snake oil. Test. Then test again.
I doubt it.

Pg. 45
Responding
What can you do? RRL
Response Rate Limiting

Pg. 46
Responding
What can you do? RRL (Response Rate Limiting)
• Reduces the rate at which a server responds to apparent attacks
• Changes assumptions about DNS
• If you’re running your own servers, get the patch and turn it on

Pg. 47
Responding
What can you do? RRL
Some corner cases:
• Standard patch poor fit for very busy zones with very short TTLs
• Adds yet another operational convention to DNS
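Added example, not the patch the slides refer to: a teaching implementation of the Response Rate Limiting idea from Pg. 46 and Pg. 47, modelled on the public RRL design. Identical answers going to one client prefix share a token bucket; once the bucket is exhausted, responses are dropped, except that every Nth limited response is "slipped" as a truncated reply (TC=1) so a real client behind a spoofed address can retry over TCP. The parameter names, defaults, /24 and /56 bucketing and the constructed traffic are assumptions.

```python
"""Response Rate Limiting (RRL) in miniature: limit how fast an authoritative
server repeats the same answer to one client prefix, so it stops being a
useful reflector while legitimate resolvers still get through.

Added example modelled on the public RRL design; not any server's real code.
Defaults (5 responses/s, 15 s window, slip 2) are illustrative assumptions."""
from collections import Counter
from ipaddress import ip_address, ip_network


def client_prefix(client):
    """Bucket by /24 (IPv4) or /56 (IPv6): a spoofer varies low bits freely."""
    addr = ip_address(client)
    return ip_network(f"{addr}/{24 if addr.version == 4 else 56}", strict=False)


class ResponseRateLimiter:
    ANSWER, SLIP, DROP = "ANSWER", "SLIP", "DROP"

    def __init__(self, responses_per_second=5, window=15, slip=2):
        self.rps = responses_per_second
        self.window = window   # seconds of credit (and debt) a bucket remembers
        self.slip = slip       # every slip-th limited reply is truncated, not dropped
        self.state = {}        # bucket key -> [balance, last_refill_time, limited_count]

    def _key(self, client, qname, qtype, rcode):
        # Successful answers bucket by (prefix, name, type); errors bucket by
        # (prefix, rcode) so a flood of NXDOMAINs shares one bucket.
        prefix = client_prefix(client)
        if rcode != "NOERROR":
            return (prefix, rcode)
        return (prefix, qname.lower(), qtype.upper())

    def decide(self, now, client, qname, qtype, rcode="NOERROR"):
        """Return ANSWER, SLIP (send truncated reply) or DROP for one response."""
        key = self._key(client, qname, qtype, rcode)
        balance, last, limited = self.state.get(key, [self.rps, now, 0])
        elapsed = int(now - last)
        if elapsed > 0:  # refill once per whole second, capped at window * rps
            balance = min(balance + elapsed * self.rps, self.rps * self.window)
            last = now
        balance -= 1
        if balance >= 0:
            decision = self.ANSWER
        else:
            balance = max(balance, -self.rps * self.window)  # cap the debt
            limited += 1
            if self.slip and limited % self.slip == 0:
                decision = self.SLIP
            else:
                decision = self.DROP
        self.state[key] = [balance, last, limited]
        return decision


def simulate(limiter, events):
    """events: iterable of (time, client, qname, qtype). Returns decision counts."""
    return Counter(limiter.decide(t, c, n, q) for t, c, n, q in events)


def demo():
    """Constructed traffic: 20 identical ANY queries in one second that appear to
    come from one address, plus two ordinary lookups from another network."""
    rl = ResponseRateLimiter(responses_per_second=5, window=15, slip=2)
    burst = [(i * 0.01, "198.51.100.7", "example.com", "ANY") for i in range(20)]
    legit = [(0.5, "192.0.2.10", "www.example.com", "A"),
             (0.6, "192.0.2.33", "example.com", "MX")]
    return simulate(rl, burst), simulate(rl, legit)


if __name__ == "__main__":
    burst, legit = demo()
    print("burst from spoofed prefix:", dict(burst))
    print("unrelated legitimate clients:", dict(legit))
```

The Pg. 47 corner case shows up directly in the parameters: a busy zone with very short TTLs has legitimate resolvers re-asking the same question many times a second from one address, so the per-second limit has to be set above that rate or those resolvers will be slipped to TCP.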

Pg. 48
Responding
What can you do? BCP 38 (Best Current Practice 38)
• Says you should only send traffic that ought to come from your network
• Will clean up the network you’re on
• Insist on this from your ISP
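Added example, not part of the deck: the BCP 38 rule from Pg. 19 and Pg. 48 expressed as a filter decision in Python over constructed packet records. A border router forwards a packet from a customer interface only if its source address belongs to prefixes that customer holds, which is what stops spoofed queries, and so reflection, at the first hop. The interface names, prefix assignments and sample packets are made up (documentation prefixes); real deployments express this as router ACLs or unicast reverse-path forwarding.

```python
"""BCP 38 source-address validation: forward a packet from a customer network
only if its source address is one that network legitimately holds.

Added example; the assignment table and packets are constructed, and the
"loose" mode is an approximation of loose-mode uRPF (RFC 3704), which checks
for any route to the source rather than a per-interface match."""
from ipaddress import ip_address, ip_network

# Constructed: which prefixes each customer-facing interface may source from.
ASSIGNED_PREFIXES = {
    "cust-a": [ip_network("192.0.2.0/24"), ip_network("2001:db8:a::/48")],
    "cust-b": [ip_network("198.51.100.0/26")],
}


def source_is_valid(interface, src, mode="strict"):
    """strict: src must lie in a prefix assigned to the arrival interface.
    loose: src need only lie in some prefix the network knows about."""
    addr = ip_address(src)
    if mode == "strict":
        allowed = ASSIGNED_PREFIXES.get(interface, ())
    elif mode == "loose":
        allowed = [net for nets in ASSIGNED_PREFIXES.values() for net in nets]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return any(addr.version == net.version and addr in net for net in allowed)


def apply_bcp38(packets, mode="strict"):
    """packets: iterable of (interface, src, dst). Returns the forwarded
    sources and, for drops, (interface, src, reason) so the event can be logged."""
    forwarded, dropped = [], []
    for interface, src, dst in packets:
        if source_is_valid(interface, src, mode):
            forwarded.append(src)
        else:
            dropped.append((interface, src, f"source not valid for {interface} ({mode})"))
    return {"forwarded": forwarded, "dropped": dropped}


# Constructed traffic sample. 203.0.113.0/24 belongs to no customer here.
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.45", "203.0.113.5"),           # legitimate
    ("cust-a", "203.0.113.9", "198.51.100.2"),         # spoofed third-party source
    ("cust-b", "192.0.2.8", "203.0.113.5"),            # cust-a address on cust-b's port
    ("cust-a", "2001:db8:a::10", "2001:db8:ffff::1"),  # legitimate IPv6
    ("cust-b", "198.51.100.200", "203.0.113.5"),       # outside cust-b's /26
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        result = apply_bcp38(SAMPLE_PACKETS, mode)
        print(mode, "forwarded:", result["forwarded"])
        for iface, src, reason in result["dropped"]:
            print(mode, "dropped:", src, "on", iface, "-", reason)
```

Strict mode is what the slide asks for at the customer edge; loose mode only catches sources no one on the network holds at all, so it lets one customer spoof another but is the usual compromise on multihomed or asymmetric links where strict checks would drop real traffic.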

Pg. 49
Responding
What can you do? Insecure systems
A back door can be used for good or for evil.
• Lots of agencies want special treatment
• Any “special access” is also a vulnerability
• We need more secure systems, not less

Pg. 51
Review
DDoS
• Denial of Service
• Distributed
• Made easier by facts of network
• Not new

Pg. 52
Review
DDoS using DNS
• Usually reflector attack
• Depends on DNS use of UDP
• Ordinary services can offer big amplifiers

Pg. 53
Review
Reflector and amplifier
• 2 victims
• Target can be hurt
• Amplifier can hurt

Pg. 54
Review
No perfect solution
• Tailor the solution to your application
• Outsourcing different parts (maybe diversify) can help
• No magic solution