ddos attacks in 2017: beyond packet filtering
TRANSCRIPT
qrator.net 2016
DDOS ATTACKS IN 2017: BEYOND PACKET FILTERING
Artyom GavrichenkovQrator [email protected]
qrator.net 2016
PARENTAL ADVISORY
qrator.net 2016
3
7861038
1993
477370
845
_2012_ _2013_ _2014_ _2015_
Volumetric
TCP-based
HERE BEDRAGONS
qrator.net 2016
4
7861038
1993
477370
845
_2012_ _2013_ _2014_ _2015_
Volumetric
TCP-based
HERE BEDRAGONS
qrator.net 2016
5
7861038
1993
477370
845
_2012_ _2013_ _2014_ _2015_
Volumetric
TCP-based
HERE BEDRAGONS
qrator.net 2016
Distributed Denial-of-Service attack• An attempt to make a network resource unavailable
by exhausting its resources
qrator.net 2016
Distributed Denial-of-Service attack• An attempt to make a network resource unavailable
by exhausting its resources:• Bandwidth
qrator.net 2016
Distributed Denial-of-Service attack• An attempt to make a network resource unavailable
by exhausting its resources:• Bandwidth:
ICMP flood, UDP flood, SYN flood…
qrator.net 2016
Distributed Denial-of-Service attack• An attempt to make a network resource unavailable
by exhausting its resources:• Bandwidth:
ICMP flood, UDP flood, SYN flood…Amplification: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS,
RIPv1, PORTMAP, CHARGEN, QOTD...
qrator.net 2016
Distributed Denial-of-Service attack• An attempt to make a network resource unavailable
by exhausting its resources:• Bandwidth:
ICMP flood, UDP flood, SYN flood…Amplification: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS,
RIPv1, PORTMAP, CHARGEN, QOTD...• TCP finite state machine implementation attacks
qrator.net 2016
Distributed Denial-of-Service attack• An attempt to make a network resource unavailable
by exhausting its resources:• Bandwidth:
ICMP flood, UDP flood, SYN flood…Amplification: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS,
RIPv1, PORTMAP, CHARGEN, QOTD...• TCP finite state machine implementation attacks:
SYN flood, ACK flood, TCP connection flood…
qrator.net 2016
Distributed Denial-of-Service attack• An attempt to make a network resource unavailable
by exhausting its resources:• Bandwidth:
ICMP flood, UDP flood, SYN flood…Amplification: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS,
RIPv1, PORTMAP, CHARGEN, QOTD...• TCP finite state machine implementation attacks:
SYN flood, ACK flood, TCP connection flood…
qrator.net 2016
Distributed Denial-of-Service attack• An attempt to make a network resource unavailable
by exhausting its resources:• Bandwidth:
ICMP flood, UDP flood, SYN flood…Amplification: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS,
RIPv1, PORTMAP, CHARGEN, QOTD...• TCP finite state machine implementation attacks:
SYN flood, ACK flood, TCP connection flood…• Application-specific bottlenecks (HTTP server, DBMS, caches, etc)
qrator.net 2016
Packet-based DDoS
Target
Ping*
qrator.net 2016
Packet-based DDoS
Target
Ping*
Ping*
qrator.net 2016
Packet-based DDoS
Target
Ping*
Ping*Ping*
Ping*
qrator.net 2016
Packet-based DDoS
Target
Ping*
Ping*
Ping*
Ping*
Ping*Ping*
Ping*
qrator.net 2016
L7 DDoS
Target
GET*
qrator.net 2016
L7 DDoS
Target
GET*
GET*
qrator.net 2016
L7 DDoS
Target
GET*
GET*GET*
GET*
qrator.net 2016
L7 DDoS
Target
GET*
GET*
GET*
GET*
GET*GET*
GET*
qrator.net 2016
Packet vs Request• 3-way handshake
=> SYN cookies=> IP Authentication
qrator.net 2016
Packet vs Request• 3-way handshake
=> SYN cookies=> IP Authentication
• IP Authentication not available in most* UDP-based protocols=> Spoofing=> UDP Amplification!
qrator.net 2016
Packet vs Request• 3-way handshake
=> SYN cookies=> IP Authentication
• IP Authentication not available in most* UDP-based protocols=> Spoofing=> UDP Amplification!
• Amp-vulnerable server may be identified by source port=> Flow Spec solves problems!
qrator.net 2016
BGP Flow Spec?
qrator.net 2016
BGP Flow Spec!
qrator.net 2016
Packet vs Request• 3-way handshake
=> SYN cookies=> IP Authentication
• IP Authentication not available in most* UDP-based protocols=> Spoofing=> UDP Amplification!
• Amp-vulnerable server may be identified by source port=> Flow Spec solves problems!
qrator.net 2016
Packet vs Request• 3-way handshake
=> SYN cookies=> IP Authentication
• IP Authentication not available in most* UDP-based protocols=> Spoofing=> UDP Amplification!
• Amp-vulnerable server may be identified by source port=> Flow Spec solves problems!
qrator.net 2016
Packet vs Request• 3-way handshake
=> SYN cookies=> IP Authentication
• IP Authentication not available in most* UDP-based protocols=> Spoofing=> UDP Amplification!
• Amp-vulnerable server may be identified by source port=> Flow Spec solves problems!
qrator.net 2016
Wordpress PingbackGET /whateverUser-Agent: WordPress/3.9.2;http://example.com/;verifying pingbackfrom 192.0.2.150
• 150-170 vulnerable serversat once• SSL/TLS-enabled
qrator.net 2016
Wordpress Pingback• Millions of vulnerable servers
qrator.net 2016
Wordpress Pingback• Millions of vulnerable servers
Drupal?
qrator.net 2016
Wordpress Pingback• Millions of vulnerable servers
Joomla?
Drupal?
qrator.net 2016
Wordpress Pingback• Millions of vulnerable servers
Joomla?
Drupal?
Mediawiki?
qrator.net 2016
Wordpress Pingback• Millions of vulnerable servers
Joomla?
Drupal?Sharepoint?
Mediawiki?
qrator.net 2016
Wordpress Pingback• Millions of vulnerable servers
Joomla?
TinyCMS?
Drupal?ModX? Sharepoint?
Mediawiki?
qrator.net 2016
Wordpress Pingback• Millions of vulnerable servers
Joomla?
TinyCMS?
Drupal?ModX? Sharepoint?
Mediawiki?
qrator.net 2016
Packet vs Request• 3-way handshake
=> SYN cookies=> IP Authentication
• IP Authentication not available in most* UDP-based protocols=> Spoofing=> UDP Amplification!
• Amp-vulnerable server may be identified by source port=> Flow Spec solves problems!
qrator.net 2016
Packet vs Request• 3-way handshake
=> SYN cookies=> IP Authentication
• IP Authentication not available in most* UDP-based protocols=> Spoofing=> UDP Amplification!
• Amp-vulnerable server may be identified by source port=> Flow Spec solves problems!
qrator.net 2016
40
300 Mbps
30 Gbps
Amplification
qrator.net 2016
41
2000 Mbps
200 Gbps
Amplification
qrator.net 2016
42
qrator.net 2016
43
2000 Mbps
200 Gbps
Amplification
qrator.net 2016
44
?
500 Gbps
Amplification
qrator.net 2016
Pure TCP-based attack today
qrator.net 2016
The Void
• To survive TCP- and HTTPS-based attacks,one needs a session-capable and TLS-capable DPI• To survive large botnets,
one needs a behavioral analysis andcorrelation analysis built into that DPI
• That’s extremely expensive for a large network
qrator.net 2016
The Void
• Any service offering SLA must do all of this• A service lacking any of those features is best effort• No one likes best effort services
qrator.net 2016
The Cure
• BCP 38 is no cure*• IPv6 is no cure• Time to fight for yourselves• Care about other customers• It’s every man for himself now
qrator.net 2016
The Future
qrator.net 2016
Thank you, and good luck!mailto: Artyom Gavrichenkov <[email protected]>