hknog 1.0 - ddos attacks in an ipv6 world

DDOS attacks in an IPv6 World Tom Paseka HKNOG 1.0 September 2014

Upload: tom-paseka

Post on 25-May-2015


DESCRIPTION

How DDoS attacks are different in an IPv6 world

TRANSCRIPT

Page 1: HKNOG 1.0 -  DDoS attacks in an IPv6 World

DDOS attacks in an IPv6 World Tom Paseka HKNOG 1.0 September 2014

Page 2: HKNOG 1.0 -  DDoS attacks in an IPv6 World

Who are we?


Page 3: HKNOG 1.0 -  DDoS attacks in an IPv6 World

How does CloudFlare Work?


CloudFlare works at the network level.

•  Once a website is part of the CloudFlare community, its web traffic is routed through CloudFlare’s global network of 24 (and growing) data centers.

•  At each edge node, CloudFlare manages DNS, caching, bot filtering, web content optimization and third party app installations.

Page 4: HKNOG 1.0 -  DDoS attacks in an IPv6 World

IPv6 Gateway

With the Internet's explosive growth and the number of on-net devices closing in on IPv4's maximum capacity, CloudFlare now offers an automatic IPv6 gateway, seamlessly bridging the IPv4 and IPv6 networks.

•  For most businesses, upgrading to the IPv6 protocol is costly and time consuming.

•  CloudFlare’s solution requires NO hardware, software, or other infrastructure changes by the site owner or hosting provider.

•  Enabled via the flip of a switch on the site owner’s CloudFlare dashboard.

•  Users can choose two options: (FULL) which will enable IPv6 on all subdomains that are CloudFlare Enabled, or (SAFE) which will automatically create specific IPv6-only subdomains (e.g. www.ipv6.yoursite.com).


Page 5: HKNOG 1.0 -  DDoS attacks in an IPv6 World

DDoS Overview

Page 6: HKNOG 1.0 -  DDoS attacks in an IPv6 World

DDoS Overview

•  The purpose of a DDoS is to overwhelm an internet resource, to take it offline

•  This can be:

•  Volumetric (eg. high Gbps, high PPS or SYN flooding), to overwhelm the infrastructure serving the website / resource. SYN floods overwhelm the

•  Application based (eg. excessive HTTP POST or search), to overwhelm the application or server.

•  A website suddenly becoming very popular can also look like a DDoS

Page 7: HKNOG 1.0 -  DDoS attacks in an IPv6 World

DDoS Overview

•  Growing trend

•  Increasing in size all the time

•  Attacks greater than 400 Gbps are now regular

•  Source: http://www.arbornetworks.com/images/PeakDDoSAttack_rev2.jpg

Page 8: HKNOG 1.0 -  DDoS attacks in an IPv6 World

DDoS Overview

•  Large scale DDoS is a common occurrence.

•  Used for exploitation, even for relatively low amounts (US$500 and below).

•  Online services are available for purchasing DDoS attacks

•  Known as ‘Booters’

•  A large purpose is to kick competitors off online games so they forfeit the game

•  Free trials are often available for ‘Booters’ too!

Page 9: HKNOG 1.0 -  DDoS attacks in an IPv6 World

So, what’s this got to do with IPv6?

Page 10: HKNOG 1.0 -  DDoS attacks in an IPv6 World

So, what’s this got to do with IPv6?

Nothing?

Page 11: HKNOG 1.0 -  DDoS attacks in an IPv6 World

So, what’s this got to do with IPv6?

Or maybe a lot?


Page 14: HKNOG 1.0 -  DDoS attacks in an IPv6 World

So, what’s this got to do with IPv6?

Aged tools without IPv6 support:

NetFlow (v5):

Interface (SNMP) Graph:

?

Page 15: HKNOG 1.0 -  DDoS attacks in an IPv6 World

So, what’s this got to do with IPv6?

[edit protocols bgp group ROUTESERVER neighbor]

[email protected]# set family inet f?

Possible completions:

> flow Include flow NLRI

[edit protocols bgp group ROUTESERVER neighbor]

[email protected]# set family inet6 f?

No valid completions


Page 19: HKNOG 1.0 -  DDoS attacks in an IPv6 World

So, what’s this got to do with IPv6?

•  Without supporting systems, many things may be impeded:

•  Ability to identify attacks: no NetFlow data?

•  Ability to filter the attacks:

•  IP Tables support? (ip6tables)

•  IP ACL / access-lists

•  BGP FlowSpec

•  Remotely Triggered Black Holing
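As an added example, not from the slides, here is a minimal NetFlow v5 encoder/decoder with a SYN-flood check over its records. It makes the "no NetFlow data" point concrete: the v5 record's source and destination fields are 4 bytes wide, so an IPv6 flow cannot be exported at all (NetFlow v9 or IPFIX templates are needed to carry 16-byte addresses). The sample datagram and the 10,000 pps threshold are constructed.

```python
import socket
import struct
# NetFlow v5 layout (Cisco-defined): a 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def v5_can_export(addr):
    """True only for IPv4 literals: a v5 record's address fields are 32 bits wide."""
    try:
        socket.inet_pton(socket.AF_INET, addr)
        return True
    except OSError:
        return False

def build_v5(records):
    """Encode (src, dst, pkts, octets, first_ms, last_ms, sport, dport, tcp_flags, proto)
    tuples as a v5 datagram; raises OSError if src or dst is not an IPv4 literal."""
    ip4 = lambda a: socket.inet_pton(socket.AF_INET, a)
    body = b"".join(
        V5_RECORD.pack(ip4(s), ip4(d), b"\0\0\0\0", 1, 2, pk, oc, fi, la, sp, dp,
                       0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, pk, oc, fi, la, sp, dp, fl, pr in records)
    return V5_HEADER.pack(5, len(records), 0, 1410000000, 0, 0, 0, 0, 0) + body

def parse_v5(datagram):
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntop(socket.AF_INET, r[0]),
                      "dst": socket.inet_ntop(socket.AF_INET, r[1]),
                      "pkts": r[5], "first": r[7], "last": r[8],
                      "dport": r[10], "tcp_flags": r[12], "proto": r[13]})
    return flows

def syn_flood_suspects(flows, min_pps=10000):
    """Return (src, dst, dport, pps) for SYN-only TCP flows at or above min_pps."""
    out = []
    for f in flows:
        pps = f["pkts"] / (max(f["last"] - f["first"], 1) / 1000.0)
        if f["proto"] == 6 and f["tcp_flags"] == 0x02 and pps >= min_pps:
            out.append((f["src"], f["dst"], f["dport"], pps))
    return out

# Constructed export: one SYN flood toward port 80 plus one ordinary HTTPS flow.
SAMPLE = build_v5([("198.51.100.7", "203.0.113.10", 600000, 24000000, 0, 30000, 40000, 80, 0x02, 6),
                   ("198.51.100.8", "203.0.113.10", 300, 45000, 0, 30000, 51000, 443, 0x18, 6)])
```

The same flood arriving on the AAAA address of the target never reaches this code path, because `build_v5` (like a real v5 exporter) has nowhere to put the address.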

Page 20: HKNOG 1.0 -  DDoS attacks in an IPv6 World

So, what’s this got to do with IPv6?

•  So, is this IPv6’s fault?

•  Looking at the vendors in the room.

•  Why is any product released without FULL IPv6 support today?

Page 21: HKNOG 1.0 -  DDoS attacks in an IPv6 World

So, what’s this got to do with IPv6?

• A lot of IPv6 deployments feel like “best effort”

• Best effort doesn’t cut it under big attacks and with security

• We all still have a long way to go.

Page 22: HKNOG 1.0 -  DDoS attacks in an IPv6 World

IPv6 Attacks in the Wild

Page 23: HKNOG 1.0 -  DDoS attacks in an IPv6 World

IPv6 Attacks in the Wild

•  For the most part, in our experience, they’re the same as IPv4 based attacks.

• Typically, attack scope is smaller, due to the much smaller number of IPv6 hosts on the internet

• This is not true for all attacks

Page 24: HKNOG 1.0 -  DDoS attacks in an IPv6 World

IPv6 Attacks in the Wild

• DNS cache-busting query attacks.

• Not only an IPv6 attack, but interesting because of how it came in over IPv6.

• Botnet bots query through their normally configured recursors, using random strings which aren’t cacheable

Page 25: HKNOG 1.0 -  DDoS attacks in an IPv6 World

IPv6 Attacks in the Wild

Queries look like this:

ebepexklyfaxmloh.www.popvote.hk
ktylstudkr.www.popvote.hk
ohunarajmbkrej.www.popvote.hk
wwtdheilzcv.www.popvote.hk
zktvvotoyrewaku.www.popvote.hk
…….
khyhavsnijslyb.www.popvote.hk
gchjpexychflvfv.api-token.popvote.hk
ruqnpvp.api-token.popvote.hk
fapzefvgowzonss.api-token.popvote.hk
mcvhothfketpgre.api-token.popvote.hk

Page 26: HKNOG 1.0 -  DDoS attacks in an IPv6 World

IPv6 Attacks in the Wild

•  We see about an equal breakdown between normal DNS traffic and attack DNS traffic with IPv4 and IPv6

•  Often in ISP networks, the first thing IPv6 is enabled on is their own infrastructure, eg: DNS servers

•  When infrastructure is dual stacked, the abuse will follow!


$ host tom.ns.cloudflare.com
tom.ns.cloudflare.com has address 173.245.59.147
tom.ns.cloudflare.com has IPv6 address 2400:cb00:2049:1::adf5:3b93
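As an added example, not from the slides, the detection logic below runs over a constructed query log that reuses the random-label pattern shown on the previous page. It flags the cache-busting signature the slides describe (a parent name under which nearly every leftmost label is seen exactly once, so the recursor can cache nothing and every query lands on the authoritative) and reports the IPv4/IPv6 split of the recursors sending it, which is the breakdown referred to above. The client addresses are documentation ranges and the thresholds are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed query log as (client address, queried name). The random labels reuse the
# pattern from the slide; client addresses are documentation ranges, not real recursors.
LOG = [
    ("2001:db8:a::53", "ebepexklyfaxmloh.www.popvote.hk"),
    ("2001:db8:a::53", "ktylstudkr.www.popvote.hk"),
    ("2001:db8:b::53", "ohunarajmbkrej.www.popvote.hk"),
    ("192.0.2.53", "wwtdheilzcv.www.popvote.hk"),
    ("192.0.2.54", "zktvvotoyrewaku.www.popvote.hk"),
    ("2001:db8:c::53", "khyhavsnijslyb.www.popvote.hk"),
    ("2001:db8:a::53", "gchjpexychflvfv.api-token.popvote.hk"),
    ("192.0.2.53", "ruqnpvp.api-token.popvote.hk"),
    # Ordinary, cacheable traffic for the same zone: the same name asked repeatedly.
    ("192.0.2.55", "www.popvote.hk"),
    ("192.0.2.55", "www.popvote.hk"),
    ("2001:db8:d::53", "www.popvote.hk"),
    ("2001:db8:d::53", "www.popvote.hk"),
    ("192.0.2.56", "www.popvote.hk"),
]

def cache_busting_report(log, min_queries=5, min_singleton_ratio=0.9):
    """Group queries by parent name (everything after the first label). A parent where
    almost every leftmost label is seen exactly once is being cache-busted: the recursor
    can answer none of it from cache, so every query reaches the authoritative server.
    Returns {parent: {queries, unique_labels, v4_clients, v6_clients}} for flagged parents."""
    labels = defaultdict(Counter)
    clients = defaultdict(lambda: {4: set(), 6: set()})
    for client, qname in log:
        first, _, parent = qname.lower().rstrip(".").partition(".")
        labels[parent][first] += 1
        clients[parent][ipaddress.ip_address(client).version].add(client)
    report = {}
    for parent, counts in labels.items():
        total = sum(counts.values())
        singletons = sum(1 for n in counts.values() if n == 1)
        if total >= min_queries and singletons / total >= min_singleton_ratio:
            report[parent] = {
                "queries": total,
                "unique_labels": len(counts),
                "v4_clients": len(clients[parent][4]),
                "v6_clients": len(clients[parent][6]),
            }
    return report
```

Because the sources are the bots' own recursors rather than the bots, a dual-stacked recursor shows up in the IPv6 column the moment it is enabled, which is the "abuse will follow" effect described above.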

Page 27: HKNOG 1.0 -  DDoS attacks in an IPv6 World

IPv6 Attacks in the Wild

• These attacks are very effective

• Attacks growing past 100M PPS (packets per second)

• With the prior ratio of IPv6 traffic

• That’s ~20M PPS of IPv6 traffic

Page 28: HKNOG 1.0 -  DDoS attacks in an IPv6 World

IPv6 Attacks in the Wild

• About the same amount of IPv6 PPS going across AMS-IX Internet exchange!

Page 29: HKNOG 1.0 -  DDoS attacks in an IPv6 World

IPv6 Attacks in the Wild

•  IPv6 SYN Floods (and other flooding based attacks)

• Botnets send commands/attacks to direct traffic towards a hostname, eg: example.com

$ host example.com
example.com has address 93.184.216.119
example.com has IPv6 address 2606:2800:220:6d:26bf:1447:1097:aa7

Page 30: HKNOG 1.0 -  DDoS attacks in an IPv6 World

IPv6 Attacks in the Wild

• The botnet master may not intend to send traffic towards IPv6 hosts

• But bots inside the botnet see the AAAA record and send traffic that way

•  IPv6 is the preferred selection.

Page 31: HKNOG 1.0 -  DDoS attacks in an IPv6 World

IPv6 Attacks in the Wild

Aged tools without IPv6 support:

NetFlow (v5):

Interface (SNMP) Graph:

?

Page 32: HKNOG 1.0 -  DDoS attacks in an IPv6 World

IPv6 Attacks in the Wild

Is all of this interesting?

Page 33: HKNOG 1.0 -  DDoS attacks in an IPv6 World

IPv6 Attacks in the Wild

• Shows IPv6 adoption is growing, not just in users’ networks, but in other parts of the internet.

• Expands the scope of where IPv6 attacks can come in

• Helps change the IPv4-only mindset

Page 34: HKNOG 1.0 -  DDoS attacks in an IPv6 World

Moving Forward

Page 35: HKNOG 1.0 -  DDoS attacks in an IPv6 World

Moving Forward

Page 36: HKNOG 1.0 -  DDoS attacks in an IPv6 World

Moving Forward

•  We’re making sure IPv6 is enabled for everyone

•  Previously, we had IPv6 as an option; now it’s default on and enabled for all our customers

Page 37: HKNOG 1.0 -  DDoS attacks in an IPv6 World

Moving Forward

Page 38: HKNOG 1.0 -  DDoS attacks in an IPv6 World

Moving Forward

• This is just the tip of the iceberg

• Nothing over IPv6 has been that unique yet

• Most attacks are still directed at an IP (IPv4) Address

• Most sophisticated are still IPv4 only

• Who knows what is coming next?

Page 39: HKNOG 1.0 -  DDoS attacks in an IPv6 World

Moving Forward

• Unless we can see what’s happening now

• We can’t know what to expect going forward

• Except that if you’re not prepared with the same principles as in IPv4 security, IPv6 will byte you.

•  Once you’ve reached equality in IPv4 and IPv6, the issue of IPv4 v. IPv6 in attacks is moot.

Page 40: HKNOG 1.0 -  DDoS attacks in an IPv6 World

Questions?

Page 41: HKNOG 1.0 -  DDoS attacks in an IPv6 World

Thank You!
