How to launch and defend against a DDoS

Similar documents

How To Attack Isc.Org.Org With A Dnet On A Network With A Pnet On The Same Day As A Dbus On A Pc Or Ipnet On An Ipnet.Org On A 2.5Th Gen.Net

Acquia Cloud Edge Protect Powered by CloudFlare

CloudFlare advanced DDoS protection

NETNOD Autumn 2014 October 2, 2014

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

DDoS attacks in CESNET2

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

How To Protect A Dns Authority Server From A Flood Attack

Denial of Service Attacks

How To Understand A Network Attack

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies DENOG 5 14 th November 2013

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

The curse of the Open Recursor. Tom Paseka Network Engineer

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Strategies to Protect Against Distributed Denial of Service (DD

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

Analysis of a DDoS Attack

Don t get DDoSed and Confused. Patrick Sullivan, CISSP, GSLC, GWAPT, GCIH Managed, Security Services

DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

Firewalls and Intrusion Detection

DDoS Mitigation Solutions

2014 Foley & Lardner LLP Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative

Firewall Firewall August, 2003

DDoS attacks on electronic payment systems. Sean Rijs and Joris Claassen Supervisor: Stefan Dusée

DDoS Protection Technology White Paper

/ Staminus Communications

How To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address

First Line of Defense

DDoS Attacks Can Take Down Your Online Services

Yahoo Attack. Is DDoS a Real Problem?

CS 356 Lecture 16 Denial of Service. Spring 2013

A Very Incomplete Diagram of Network Attacks

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies APNIC th August 2013

Cloud Security In Your Contingency Plans

How To Mitigate A Ddos Attack

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

DDoS Mitigation Techniques

Characterization and Analysis of NTP Amplification Based DDoS Attacks

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Mitigating Denial of Service Attacks. Why Crossing Fingers is Not a Strategy

DDoS Attacks & Mitigation

Attack and Defense Techniques

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Reducing the Impact of Amplification DDoS Attack

How To Block A Ddos Attack On A Network With A Firewall

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

Linux MDS Firewall Supplement

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Firewalls. Chapter 3

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

DNS amplification attacks

DoS/DDoS Attacks and Protection on VoIP/UC

Distributed Denial of Service Attacks

Real Life DoS/DDOS Threats and Benefits of Deep DDOS Inspection. Oğuz YILMAZ CTO Labris Networks

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

2010 Carnegie Mellon University. Malware and Malicious Traffic

GregSowell.com. Mikrotik Security

19. DDoS Mechanisms ENEE 757 CMSC 818V. Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park

Abstract. Introduction. Section I. What is Denial of Service Attack?

Security Technology White Paper

SECURING APACHE : DOS & DDOS ATTACKS - I

co Characterizing and Tracing Packet Floods Using Cisco R

DNS Best Practices. Mike Jager Network Startup Resource Center

DNSSEC and DNS Proxying

VALIDATING DDoS THREAT PROTECTION

How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks

Chapter 15. Firewalls, IDS and IPS

Multi-Homing Dual WAN Firewall Router

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

Arbor s Solution for ISP

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Campus LAN at NKN Member Institutions

NTP Reflection DDoS Attack Explanatory Document

DDoS DETECTING. DDoS ATTACKS WITH INFRASTRUCTURE MONITORING. [ Executive Brief ] Your data isn t safe. And neither is your website or your business.

DOMAIN NAME SECURITY EXTENSIONS

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Firewalls, IDS and IPS

(U) Financial Sector Cyber Security

DNS, DNSSEC and DDOS. Geoff Huston APNIC February 2014

Application Firewalls

Automated Mitigation of the Largest and Smartest DDoS Attacks

CIT 480: Securing Computer Systems. Firewalls

SSAC Advisory SAC008 DNS Distributed Denial of Service (DDoS) Attacks

Basic Networking Concepts. 1. Introduction 2. Protocols 3. Protocol Layers 4. Network Interconnection/Internet

Content Distribution Networks (CDN)

Overview. Firewall Security. Perimeter Security Devices. Routers

Theoretical Analysis and Experimental Evaluation of Bandwidth Amplification Attacks to Legitimate Websites

Security vulnerabilities in the Internet and possible solutions

Total solution for your network security. Provide policy-based firewall on scheduled time. Prevent many known DoS and DDoS attack

Transcription:

How to launch and defend against a DDoS John Graham-Cumming October 9, 2013 The simplest way to a safer, faster and smarter website

DDoSing web sites is... easy Motivated groups of non-technical individuals Followers of Anonymous etc. Simple tools like LOIC People with money to spend Botnets Online booter services Anyone with a grudge 2

What gets attacked TCP 92% against port 80 SYN flooding UDP 97% against DNS Reflection/amplification attacks Other significant attack ports TCP port 53 (DNS) UDP port 514 (syslog) 3

And when... 4

Three things make DDoS easy Fire and forget protocols Anything based on UDP ICMP No source IP authentication Any machine can send a packet from any machine Internet Amplifiers Authoritative DNS servers that don t rate limit Open DNS recursors Open SNMP devices 5

DDoS Situation is Worsening Size and Frequency Growing In 2012 the largest DDoS attack we saw was 65 Gbps In 2013 it was 309 Gbps (almost 5x size increase) DNS-based DDoS attacks grew in frequency by 200% in 2012 6

March 24, 2013 309 Gbps sustained for 28 minutes 30,956 open DNS resolvers Each outputting 10 Mbps 3 networks that allowed spoofing 7

March 25, 2013 287 Gbps sustained for 72 minutes 32,154 open DNS resolvers Each outputting 9 Mbps 3 networks that allowed spoofing 8

Amplification Attacks Controlling Machine 10Mbps 1x Compromised Trigger Machine Compromised Trigger Machine Compromised Trigger Machine 10x 1Gbps 10000x 1Gbps Victim 9

DNS and SNMP Amplification Small request to DNS or SNMP server with spoofed source IP address DNS or SNMP server responds with large packet to source : the victim DNS multiplier is 8x (Req: 64B; Resp: 512B) EDNS multiplier is 53x (Req: 64B; Resp: 3,364B) SNMP multiplier is 650x (Req: 100B; Resp: 65kB) 10

HOWTO: 1 Tbps DDoS Get a list of 10,000 open DNS recursors Each machine will produce 1 Tbps / 10,000 = 100 Mbps Use more machines if that s too high DNS amplification factor is 8x so need 1 Tbps / 8 = 125 Gbps trigger traffic So 100 compromised servers with 1Gbps connections will do If DNS recursors support EDNS then only need 1 Tbps / 50 = 20 Gbps trigger traffic 11

SNMP etc. We have seen a 25 Gbps DDoS attack using SNMP amplification Came from Comcast Broadband Modems NTP? 12

28 Million Open Resolvers 13

24.6% of networks allow spoofing 14

Spamhaus DDoS Was Easy 1 attacker s laptop controlling 10 compromised servers on 3 networks that allowed spoofing of 9Gbps DNS requests to 0.1% of open resolvers resulted in 300Gbps+ of DDoS attack traffic. 15

Solving This Problem Close Open DNS Recursors Please do this! Stop IP Spoofing Implement BCP38 and BCP84 16

IP Spoofing Used to ICMP attacks, TCP SYN floods and amplification attacks Vast majority of attacks on CloudFlare are spoofed attacks Victim IP DNS Server IP 64 byte request 512 byte reply Victim IP DNS Server IP Dealing with IP spoofing stops amplification, hurts botnets 17

Mars Attacks! 23% from Martian addresses 3.45% from China Telecom 2.14% from China Unicom 1.74% from Comcast 1.45% from Dreamhost 1.36% from WEBNX Larger point: spoofed packets come from everywhere 18

Ingress Filtering: BCP38 and BCP84 BCP38 is RFC2827 Been around since 2000 http://www.bcp38.info/ https://en.wikipedia.org/wiki/ingress_filtering BCP84 is RFC3704 Addresses problems with multi-homed networks 19

Why isn t BCP38 implemented widely? Simple: economic incentives are against it IP-spoofing based DDoS attacks are an externality : like a polluting factory IP-spoofing based DDoS attacks are not launched by the networks themselves: a factory that only pollutes on someone else s command Networks have a negative incentive to implement because of impact on their customers networks Externalities get fixed by regulation Better to fix this without government intervention Governments will intervene when they are threatened (and they are!) 20

We ve been here before SMTP Open Relays Let s not get to the point that BL are created Or that governments intervene 21

DDoS Defense 22

Start with a global network 23

Use Anycast 24

Anycast Attack Dilution 310 Gbps / 23 PoPs = 14 Gbps per PoP 25

Hide Your Origin If you use a DDoS service make sure your origin IP is hidden Change it when signing up Make sure no DNS records (e.g. MX) leak the IP and make sure that IP only accepts packets from the service 26

Separate Protocols By IP For example, have separate IPs for HTTP and DNS Filter by IP and protocol No UDP packets should be able to hit your HTTP server No HTTP packets should be able to hit your SMTP server 27

Protect your infrastructure Separate IPs for infrastructure Internal switches, routers Filters those IPs at the edge No external access to internal infrastructure Otherwise attackers will attack your infrastructure 28

Work closely with your upstream Get to know who to call when trouble strikes Enable them to perform filtering in their infrastructure Share you IP/Protocol architecture with them 29