SlideShare uma empresa Scribd logo

How to launch and defend against a DDoS

J
jgrahamc
Tecnologia
1 de 29
Baixar para ler offline
How to launch and defend against a DDoS John Graham-Cumming October 9, 2013 The simplest way to a safer, faster and smarter website
DDoSing web sites is... easy •  Motivated groups of non-technical individuals •  Followers of Anonymous etc. •  Simple tools like LOIC •  People with money to spend •  Botnets •  Online ‘booter’ services •  Anyone with a grudge 2
What gets attacked •  TCP •  92% against port 80 •  SYN flooding •  UDP •  97% against DNS •  Reflection/amplification attacks •  Other significant attack ports •  TCP port 53 (DNS) •  UDP port 514 (syslog) 3
And when... 4
Three things make DDoS easy •  Fire and forget protocols •  Anything based on UDP •  ICMP •  No source IP authentication •  Any machine can send a packet “from” any machine •  Internet Amplifiers •  Authoritative DNS servers that don’t rate limit •  Open DNS recursors •  Open SNMP devices 5
DDoS Situation is Worsening •  Size and Frequency Growing •  In 2012 the largest DDoS attack we saw was 65 Gbps •  In 2013 it was 309 Gbps (almost 5x size increase) •  DNS-based DDoS attacks grew in frequency by 200% in 2012 6
March 24, 2013 • 309 Gbps sustained for 28 minutes • 30,956 open DNS resolvers • Each outputting 10 Mbps • 3 networks that allowed spoofing 7
March 25, 2013 • 287 Gbps sustained for 72 minutes • 32,154 open DNS resolvers • Each outputting 9 Mbps • 3 networks that allowed spoofing 8
Controlling Machine Amplification Attacks Compromised Trigger Machine Compromised Trigger Machine 10Mbps Compromised Trigger Machine 1x 10x 1Gbps AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP 10000x 1Gbps Victim 9
DNS and SNMP Amplification •  Small request to DNS or SNMP server with spoofed source IP address •  DNS or SNMP server responds with large packet to ‘source’: the victim •  DNS multiplier is 8x (Req: 64B; Resp: 512B) •  EDNS multiplier is 53x (Req: 64B; Resp: 3,364B) •  SNMP multiplier is 650x (Req: 100B; Resp: 65kB) 10
HOWTO: 1 Tbps DDoS •  Get a list of 10,000 open DNS recursors •  Each machine will produce 1 Tbps / 10,000 = 100 Mbps •  Use more machines if that’s too high •  DNS amplification factor is 8x so need 1 Tbps / 8 = 125 Gbps trigger traffic •  So 100 compromised servers with 1Gbps connections will do •  If DNS recursors support EDNS then only need 1 Tbps / 50 = 20 Gbps trigger traffic 11
SNMP etc. •  We have seen a 25 Gbps DDoS attack using SNMP amplification •  Came from Comcast Broadband Modems •  NTP? 12
28 Million Open Resolvers 13
24.6% of networks allow spoofing 14
Spamhaus DDoS Was Easy •  1 attacker’s laptop controlling •  10 compromised servers on •  3 networks that allowed spoofing of •  9Gbps DNS requests to •  0.1% of open resolvers resulted in •  300Gbps+ of DDoS attack traffic. 15
Solving This Problem •  Close Open DNS Recursors •  Please do this! •  Stop IP Spoofing •  Implement BCP38 and BCP84 16
IP Spoofing •  Used to ICMP attacks, TCP SYN floods and amplification attacks •  Vast majority of attacks on CloudFlare are spoofed attacks Victim IP DNS Server IP 64 byte request 512 byte reply Victim IP DNS Server IP •  Dealing with IP spoofing stops amplification, hurts botnets 17
Mars Attacks! •  23% from Martian addresses •  3.45% from China Telecom •  2.14% from China Unicom •  1.74% from Comcast •  1.45% from Dreamhost •  1.36% from WEBNX •  Larger point: spoofed packets come from everywhere 18
Ingress Filtering: BCP38 and BCP84 •  BCP38 is RFC2827 •  Been around since 2000 •  http://www.bcp38.info/ •  https://en.wikipedia.org/wiki/Ingress_filtering •  BCP84 is RFC3704 •  Addresses problems with multi-homed networks 19
Why isn’t BCP38 implemented widely? •  Simple: economic incentives are against it •  IP-spoofing based DDoS attacks are an “externality”: like a polluting factory •  IP-spoofing based DDoS attacks are not launched by the networks themselves: a factory that only pollutes on someone else’s command •  Networks have a negative incentive to implement because of impact on their customers’ networks •  Externalities get fixed by regulation •  Better to fix this without government intervention •  Governments will intervene when they are threatened (and they are!) 20
We’ve been here before •  SMTP Open Relays •  Let’s not get to the point that BL are created •  Or that governments intervene 21
DDoS Defense 22
Start with a global network 23
Use Anycast 24
Anycast Attack Dilution 310 Gbps / 23 PoPs = 14 Gbps per PoP 25
Hide Your Origin •  If you use a DDoS service make sure your origin IP is hidden •  Change it when signing up •  Make sure no DNS records (e.g. MX) leak the IP •  and make sure that IP only accepts packets from the service 26
Separate Protocols By IP •  For example, have separate IPs for HTTP and DNS •  Filter by IP and protocol •  No UDP packets should be able to hit your HTTP server •  No HTTP packets should be able to hit your SMTP server 27
Protect your infrastructure •  Separate IPs for infrastructure •  Internal switches, routers •  Filters those IPs at the edge •  No external access to internal infrastructure •  Otherwise attackers will attack your infrastructure 28
Work closely with your upstream •  Get to know who to call when trouble strikes •  Enable them to perform filtering in their infrastructure •  Share you IP/Protocol architecture with them 29

Recomendados

12 types of DDoS attacks
12 types of DDoS attacks12 types of DDoS attacks
12 types of DDoS attacksHaltdos
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationJerod Brennen
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackKaustubh Padwad
 
VietTel AntiDDoS Volume Based
VietTel AntiDDoS Volume BasedVietTel AntiDDoS Volume Based
VietTel AntiDDoS Volume BasedPavel Odintsov
 
Dos n d dos
Dos n d dosDos n d dos
Dos n d dossadhana21297
 
Dos attack
Dos attackDos attack
Dos attackManjushree Mashal
 
Packet sniffing
Packet sniffingPacket sniffing
Packet sniffingShyama Bhuvanendran
 
What is botnet?
What is botnet?What is botnet?
What is botnet?Milan Petrásek
 

Recomendados

12 types of DDoS attacks
12 types of DDoS attacks12 types of DDoS attacks
12 types of DDoS attacksHaltdos
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationJerod Brennen
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackKaustubh Padwad
 
VietTel AntiDDoS Volume Based
VietTel AntiDDoS Volume BasedVietTel AntiDDoS Volume Based
VietTel AntiDDoS Volume BasedPavel Odintsov
 
Dos n d dos
Dos n d dosDos n d dos
Dos n d dossadhana21297
 
Dos attack
Dos attackDos attack
Dos attackManjushree Mashal
 
Packet sniffing
Packet sniffingPacket sniffing
Packet sniffingShyama Bhuvanendran
 
What is botnet?
What is botnet?What is botnet?
What is botnet?Milan Petrásek
 
Denial of service
Denial of serviceDenial of service
Denial of servicegarishma bhatia
 
Ddos attacks
Ddos attacksDdos attacks
Ddos attackscommunication-eg
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksMyNOG
 
Destributed denial of service attack ppt
Destributed denial of service attack pptDestributed denial of service attack ppt
Destributed denial of service attack pptOECLIB Odisha Electronics Control Library
 
Snort IDS/IPS Basics
Snort IDS/IPS BasicsSnort IDS/IPS Basics
Snort IDS/IPS BasicsMahendra Pratap Singh
 
DDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and MitigationDDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and MitigationCloudflare
 
Iptables in linux
Iptables in linuxIptables in linux
Iptables in linuxMandeep Singh
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionUmesh Dhital
 
Firewall
FirewallFirewall
FirewallMudasser Afzal
 
Can SFUs and MCUs be friends @ IIT-RTC 2020
Can SFUs and MCUs be friends @ IIT-RTC 2020Can SFUs and MCUs be friends @ IIT-RTC 2020
Can SFUs and MCUs be friends @ IIT-RTC 2020Lorenzo Miniero
 
Introduction to Malwares
Introduction to MalwaresIntroduction to Malwares
Introduction to MalwaresAbdelhamid Limami
 
Packet Sniffer
Packet Sniffer Packet Sniffer
Packet Sniffer vilss
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Ciscoguestd05b31
 
Network security (syed azam)
Network security (syed azam)Network security (syed azam)
Network security (syed azam)sayyed azam
 
Wireshark Tutorial
Wireshark TutorialWireshark Tutorial
Wireshark TutorialCoursenvy.com
 
Best Practices for Monitoring DNS
Best Practices for Monitoring DNSBest Practices for Monitoring DNS
Best Practices for Monitoring DNSThousandEyes
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 
01- intro to firewall concepts
01- intro to firewall concepts01- intro to firewall concepts
01- intro to firewall conceptsMostafa El Lathy
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS AttacksAmazon Web Services
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)btpsec
 

Mais conteúdo relacionado

Mais procurados

Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksMyNOG
 
DDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and MitigationDDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and MitigationCloudflare
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionUmesh Dhital
 
Can SFUs and MCUs be friends @ IIT-RTC 2020
Can SFUs and MCUs be friends @ IIT-RTC 2020Can SFUs and MCUs be friends @ IIT-RTC 2020
Can SFUs and MCUs be friends @ IIT-RTC 2020Lorenzo Miniero
 
Packet Sniffer
Packet Sniffer Packet Sniffer
Packet Sniffer vilss
 
Network security (syed azam)
Network security (syed azam)Network security (syed azam)
Network security (syed azam)sayyed azam
 
Best Practices for Monitoring DNS
Best Practices for Monitoring DNSBest Practices for Monitoring DNS
Best Practices for Monitoring DNSThousandEyes
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 
01- intro to firewall concepts
01- intro to firewall concepts01- intro to firewall concepts
01- intro to firewall conceptsMostafa El Lathy
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 

Mais procurados (20)

Denial of service
Denial of serviceDenial of service
Denial of service
 
Ddos attacks
Ddos attacksDdos attacks
Ddos attacks
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacks
 
Destributed denial of service attack ppt
Destributed denial of service attack pptDestributed denial of service attack ppt
Destributed denial of service attack ppt
 
Snort IDS/IPS Basics
Snort IDS/IPS BasicsSnort IDS/IPS Basics
Snort IDS/IPS Basics
 
DDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and MitigationDDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and Mitigation
 
Iptables in linux
Iptables in linuxIptables in linux
Iptables in linux
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Firewall
FirewallFirewall
Firewall
 
Can SFUs and MCUs be friends @ IIT-RTC 2020
Can SFUs and MCUs be friends @ IIT-RTC 2020Can SFUs and MCUs be friends @ IIT-RTC 2020
Can SFUs and MCUs be friends @ IIT-RTC 2020
 
Introduction to Malwares
Introduction to MalwaresIntroduction to Malwares
Introduction to Malwares
 
Packet Sniffer
Packet Sniffer Packet Sniffer
Packet Sniffer
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
Network security (syed azam)
Network security (syed azam)Network security (syed azam)
Network security (syed azam)
 
Wireshark Tutorial
Wireshark TutorialWireshark Tutorial
Wireshark Tutorial
 
Best Practices for Monitoring DNS
Best Practices for Monitoring DNSBest Practices for Monitoring DNS
Best Practices for Monitoring DNS
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and Defense
 
01- intro to firewall concepts
01- intro to firewall concepts01- intro to firewall concepts
01- intro to firewall concepts
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 

Destaque

(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS AttacksAmazon Web Services
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)btpsec
 
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...ShortestPathFirst
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques10 DDoS Mitigation Techniques
10 DDoS Mitigation TechniquesIntruGuard
 
NetScout nGeniusONE overview
NetScout nGeniusONE overviewNetScout nGeniusONE overview
NetScout nGeniusONE overviewBAKOTECH
 
DDoS mitigation EPIC FAIL collection - 32C3
DDoS mitigation EPIC FAIL collection - 32C3DDoS mitigation EPIC FAIL collection - 32C3
DDoS mitigation EPIC FAIL collection - 32C3Moshe Zioni
 
Top 10 DDoS Trends for 2013 Infographic
Top 10 DDoS Trends for 2013 InfographicTop 10 DDoS Trends for 2013 Infographic
Top 10 DDoS Trends for 2013 InfographicState of the Internet
 

Destaque (10)

(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
 
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service Attacks
 
10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques
 
NetScout nGeniusONE overview
NetScout nGeniusONE overviewNetScout nGeniusONE overview
NetScout nGeniusONE overview
 
DDoS mitigation EPIC FAIL collection - 32C3
DDoS mitigation EPIC FAIL collection - 32C3DDoS mitigation EPIC FAIL collection - 32C3
DDoS mitigation EPIC FAIL collection - 32C3
 
Top 10 DDoS Trends for 2013 Infographic
Top 10 DDoS Trends for 2013 InfographicTop 10 DDoS Trends for 2013 Infographic
Top 10 DDoS Trends for 2013 Infographic
 

Semelhante a How to launch and defend against a DDoS

Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!PriyadharshiniHemaku
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionAPNIC
 
DDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectDDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectAPNIC
 
Session for InfoSecGirls - New age threat management vol 1
Session for InfoSecGirls - New age threat management vol 1Session for InfoSecGirls - New age threat management vol 1
Session for InfoSecGirls - New age threat management vol 1InfoSec Girls
 
World's Largest DDoS Attack
World's Largest DDoS AttackWorld's Largest DDoS Attack
World's Largest DDoS AttackBvs Narayana
 
Network security basics
Network security basicsNetwork security basics
Network security basicsSkillspire LLC
 
Drilling Down Into DNS DDoS
Drilling Down Into DNS DDoSDrilling Down Into DNS DDoS
Drilling Down Into DNS DDoSAPNIC
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecuritySam Bowne
 
A Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryA Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryDan Kaminsky
 
DrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSDrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSSuzanne Aldrich
 
Virus Bulletin 2012
Virus Bulletin 2012Virus Bulletin 2012
Virus Bulletin 2012Cloudflare
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeMyNOG
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolJisc
 
denialofservice.pdfdos attacck basic details with interactive design
denialofservice.pdfdos attacck basic details with interactive designdenialofservice.pdfdos attacck basic details with interactive design
denialofservice.pdfdos attacck basic details with interactive designperfetbyedshareen
 
Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Nick Sullivan
 
DMMS presentation25
DMMS presentation25DMMS presentation25
DMMS presentation25Yuri Alimov
 
AWS re:Invent 2016: Mitigating DDoS Attacks on AWS: Five Vectors and Four Use...
AWS re:Invent 2016: Mitigating DDoS Attacks on AWS: Five Vectors and Four Use...AWS re:Invent 2016: Mitigating DDoS Attacks on AWS: Five Vectors and Four Use...
AWS re:Invent 2016: Mitigating DDoS Attacks on AWS: Five Vectors and Four Use...Amazon Web Services
 

Semelhante a How to launch and defend against a DDoS (20)

DoS or DDoS attack
DoS or DDoS attackDoS or DDoS attack
DoS or DDoS attack
 
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
 
DDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectDDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring Project
 
Session for InfoSecGirls - New age threat management vol 1
Session for InfoSecGirls - New age threat management vol 1Session for InfoSecGirls - New age threat management vol 1
Session for InfoSecGirls - New age threat management vol 1
 
World's Largest DDoS Attack
World's Largest DDoS AttackWorld's Largest DDoS Attack
World's Largest DDoS Attack
 
Network security basics
Network security basicsNetwork security basics
Network security basics
 
What is DDoS ?
What is DDoS ?What is DDoS ?
What is DDoS ?
 
Drilling Down Into DNS DDoS
Drilling Down Into DNS DDoSDrilling Down Into DNS DDoS
Drilling Down Into DNS DDoS
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS Security
 
A Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryA Technical Dive into Defensive Trickery
A Technical Dive into Defensive Trickery
 
DrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSDrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoS
 
Virus Bulletin 2012
Virus Bulletin 2012Virus Bulletin 2012
Virus Bulletin 2012
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security tool
 
denialofservice.pdfdos attacck basic details with interactive design
denialofservice.pdfdos attacck basic details with interactive designdenialofservice.pdfdos attacck basic details with interactive design
denialofservice.pdfdos attacck basic details with interactive design
 
Security attacks
Security attacksSecurity attacks
Security attacks
 
Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3
 
DMMS presentation25
DMMS presentation25DMMS presentation25
DMMS presentation25
 
AWS re:Invent 2016: Mitigating DDoS Attacks on AWS: Five Vectors and Four Use...
AWS re:Invent 2016: Mitigating DDoS Attacks on AWS: Five Vectors and Four Use...AWS re:Invent 2016: Mitigating DDoS Attacks on AWS: Five Vectors and Four Use...
AWS re:Invent 2016: Mitigating DDoS Attacks on AWS: Five Vectors and Four Use...
 

Mais de jgrahamc

Better living through microcontrollers
Better living through microcontrollersBetter living through microcontrollers
Better living through microcontrollersjgrahamc
 
Big O London Meetup April 2015
Big O London Meetup April 2015Big O London Meetup April 2015
Big O London Meetup April 2015jgrahamc
 
Go Containers
Go ContainersGo Containers
Go Containersjgrahamc
 
Lua: the world's most infuriating language
Lua: the world's most infuriating languageLua: the world's most infuriating language
Lua: the world's most infuriating languagejgrahamc
 
Software Debugging for High-altitude Balloons
Software Debugging for High-altitude BalloonsSoftware Debugging for High-altitude Balloons
Software Debugging for High-altitude Balloonsjgrahamc
 
Highlights of Go 1.1
Highlights of Go 1.1Highlights of Go 1.1
Highlights of Go 1.1jgrahamc
 
Go Concurrency
Go ConcurrencyGo Concurrency
Go Concurrencyjgrahamc
 
That'll never work!
That'll never work!That'll never work!
That'll never work!jgrahamc
 
HAB Software Woes
HAB Software WoesHAB Software Woes
HAB Software Woesjgrahamc
 
Javascript Security
Javascript SecurityJavascript Security
Javascript Securityjgrahamc
 

Mais de jgrahamc (11)

Better living through microcontrollers
Better living through microcontrollersBetter living through microcontrollers
Better living through microcontrollers
 
Big O London Meetup April 2015
Big O London Meetup April 2015Big O London Meetup April 2015
Big O London Meetup April 2015
 
Go Containers
Go ContainersGo Containers
Go Containers
 
Lua: the world's most infuriating language
Lua: the world's most infuriating languageLua: the world's most infuriating language
Lua: the world's most infuriating language
 
Software Debugging for High-altitude Balloons
Software Debugging for High-altitude BalloonsSoftware Debugging for High-altitude Balloons
Software Debugging for High-altitude Balloons
 
Go memory
Go memoryGo memory
Go memory
 
Highlights of Go 1.1
Highlights of Go 1.1Highlights of Go 1.1
Highlights of Go 1.1
 
Go Concurrency
Go ConcurrencyGo Concurrency
Go Concurrency
 
That'll never work!
That'll never work!That'll never work!
That'll never work!
 
HAB Software Woes
HAB Software WoesHAB Software Woes
HAB Software Woes
 
Javascript Security
Javascript SecurityJavascript Security
Javascript Security
 

Último

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

How to launch and defend against a DDoS

  • 1. How to launch and defend against a DDoS John Graham-Cumming October 9, 2013 The simplest way to a safer, faster and smarter website
  • 2. DDoSing web sites is... easy •  Motivated groups of non-technical individuals •  Followers of Anonymous etc. •  Simple tools like LOIC •  People with money to spend •  Botnets •  Online ‘booter’ services •  Anyone with a grudge 2
  • 3. What gets attacked •  TCP •  92% against port 80 •  SYN flooding •  UDP •  97% against DNS •  Reflection/amplification attacks •  Other significant attack ports •  TCP port 53 (DNS) •  UDP port 514 (syslog) 3
  • 5. Three things make DDoS easy •  Fire and forget protocols •  Anything based on UDP •  ICMP •  No source IP authentication •  Any machine can send a packet “from” any machine •  Internet Amplifiers •  Authoritative DNS servers that don’t rate limit •  Open DNS recursors •  Open SNMP devices 5
  • 6. DDoS Situation is Worsening •  Size and Frequency Growing •  In 2012 the largest DDoS attack we saw was 65 Gbps •  In 2013 it was 309 Gbps (almost 5x size increase) •  DNS-based DDoS attacks grew in frequency by 200% in 2012 6
  • 7. March 24, 2013 • 309 Gbps sustained for 28 minutes • 30,956 open DNS resolvers • Each outputting 10 Mbps • 3 networks that allowed spoofing 7
  • 8. March 25, 2013 • 287 Gbps sustained for 72 minutes • 32,154 open DNS resolvers • Each outputting 9 Mbps • 3 networks that allowed spoofing 8
  • 9. Controlling Machine Amplification Attacks Compromised Trigger Machine Compromised Trigger Machine 10Mbps Compromised Trigger Machine 1x 10x 1Gbps AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP AMP 10000x 1Gbps Victim 9
  • 10. DNS and SNMP Amplification •  Small request to DNS or SNMP server with spoofed source IP address •  DNS or SNMP server responds with large packet to ‘source’: the victim •  DNS multiplier is 8x (Req: 64B; Resp: 512B) •  EDNS multiplier is 53x (Req: 64B; Resp: 3,364B) •  SNMP multiplier is 650x (Req: 100B; Resp: 65kB) 10
  • 11. HOWTO: 1 Tbps DDoS •  Get a list of 10,000 open DNS recursors •  Each machine will produce 1 Tbps / 10,000 = 100 Mbps •  Use more machines if that’s too high •  DNS amplification factor is 8x so need 1 Tbps / 8 = 125 Gbps trigger traffic •  So 100 compromised servers with 1Gbps connections will do •  If DNS recursors support EDNS then only need 1 Tbps / 50 = 20 Gbps trigger traffic 11
  • 12. SNMP etc. •  We have seen a 25 Gbps DDoS attack using SNMP amplification •  Came from Comcast Broadband Modems •  NTP? 12
  • 13. 28 Million Open Resolvers 13
  • 14. 24.6% of networks allow spoofing 14
  • 15. Spamhaus DDoS Was Easy •  1 attacker’s laptop controlling •  10 compromised servers on •  3 networks that allowed spoofing of •  9Gbps DNS requests to •  0.1% of open resolvers resulted in •  300Gbps+ of DDoS attack traffic. 15
  • 16. Solving This Problem •  Close Open DNS Recursors •  Please do this! •  Stop IP Spoofing •  Implement BCP38 and BCP84 16
  • 17. IP Spoofing •  Used to ICMP attacks, TCP SYN floods and amplification attacks •  Vast majority of attacks on CloudFlare are spoofed attacks Victim IP DNS Server IP 64 byte request 512 byte reply Victim IP DNS Server IP •  Dealing with IP spoofing stops amplification, hurts botnets 17
  • 18. Mars Attacks! •  23% from Martian addresses •  3.45% from China Telecom •  2.14% from China Unicom •  1.74% from Comcast •  1.45% from Dreamhost •  1.36% from WEBNX •  Larger point: spoofed packets come from everywhere 18
  • 19. Ingress Filtering: BCP38 and BCP84 •  BCP38 is RFC2827 •  Been around since 2000 •  http://www.bcp38.info/ •  https://en.wikipedia.org/wiki/Ingress_filtering •  BCP84 is RFC3704 •  Addresses problems with multi-homed networks 19
  • 20. Why isn’t BCP38 implemented widely? •  Simple: economic incentives are against it •  IP-spoofing based DDoS attacks are an “externality”: like a polluting factory •  IP-spoofing based DDoS attacks are not launched by the networks themselves: a factory that only pollutes on someone else’s command •  Networks have a negative incentive to implement because of impact on their customers’ networks •  Externalities get fixed by regulation •  Better to fix this without government intervention •  Governments will intervene when they are threatened (and they are!) 20
  • 21. We’ve been here before •  SMTP Open Relays •  Let’s not get to the point that BL are created •  Or that governments intervene 21
  • 23. Start with a global network 23
  • 25. Anycast Attack Dilution 310 Gbps / 23 PoPs = 14 Gbps per PoP 25
  • 26. Hide Your Origin •  If you use a DDoS service make sure your origin IP is hidden •  Change it when signing up •  Make sure no DNS records (e.g. MX) leak the IP •  and make sure that IP only accepts packets from the service 26
  • 27. Separate Protocols By IP •  For example, have separate IPs for HTTP and DNS •  Filter by IP and protocol •  No UDP packets should be able to hit your HTTP server •  No HTTP packets should be able to hit your SMTP server 27
  • 28. Protect your infrastructure •  Separate IPs for infrastructure •  Internal switches, routers •  Filters those IPs at the edge •  No external access to internal infrastructure •  Otherwise attackers will attack your infrastructure 28
  • 29. Work closely with your upstream •  Get to know who to call when trouble strikes •  Enable them to perform filtering in their infrastructure •  Share you IP/Protocol architecture with them 29