DDoS Landscape

majek04
June 06, 2018


Transcript

  2. Reverse proxy

     Eyeball -> Reverse proxy -> Origin server
     • Optimizations
     • Caching
     • Security
     • DDoS protection
  44. GET /en HTTP/1.1
      User-Agent: <some string>
      Cookie: <some cookie>
      Host: example.com
      Connection: close
      Content-Length: 800000

      a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...
  47. Evolution of IoT botnets
     • Mirai - cameras
     • TR-069/TR-064 Deutsche Telekom - CPE
     • Reaper - D-Link, Netgear, and AVTech
     • VPNFilter - routers and NAS
  54. function attack(String target, String userAgent, String referer) {
        HashMap WebViewHeaders = new HashMap();
        WebViewHeaders->put("Referer", referer);
        WebViewHeaders->put("X-Requested-With", "");
        WebView[] AttackerViews = new WebView[100];
        for (int i = 0; i < AttackerViews.length; i++) {
          AttackerViews[i] = new WebView();
          AttackerViews[i]->clearHistory();
          AttackerViews[i]->clearFormData();
          AttackerViews[i]->clearCache(true);
          WebViewSettings AWVS = AttackerViews[i]->getSettings()
          AttackWebViewSettings->setJavaScriptEnabled(true);
          AttackWebViewSettings->setUserAgentString(userAgent);
          AttackWebViewSettings->setCacheMode(LOAD_NO_CACHE);
          this->deleteDatabase("webview.db");
          this->deleteDatabase("webviewCache.db");
          AttackerViews[i]->loadUrl(target, WebViewHeaders);
        }
      }
      }
  64. Porcupine: Profile
     • Junk payload L7 attacks
     • Pretty large - 1M rps, 200k IPs/h
     • Brazil, Algeria, Tunisia, Ukraine
     • Attacker: .
     • Infection: .
  68. Divide and conquer
     • DNS - splits traffic against multiple IPs
     • Anycast - splits traffic globally
     • ECMP - splits traffic within datacenter
     • Tuned network card - splits traffic across CPUs
  69. iptables -A INPUT \
          --dst 1.2.3.4 \
          -p udp \
          --dport 53 \
          -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
          -j DROP
  70. ldx 4*([14]&0xf)
      ld #34
      add x
      tax
      lb_0:
      ldb [x + 0]
      add x
      add #1
      tax
      ld [x + 0]
      jneq #0x07657861, lb_1
      ld [x + 4]
      jneq #0x6d706c65, lb_1
      ld [x + 8]
      jneq #0x03636f6d, lb_1
      ldb [x + 12]
      jneq #0x00, lb_1
      ret #1
      lb_1:
      ret #0
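The `--bytecode` string in the iptables rule above is an opaque blob unless you decode it. The following is an added example, written for this transcript and not part of the talk or any Cloudflare tool: a minimal classic-BPF interpreter that parses the xt_bpf bytecode form and runs it over constructed IPv4/UDP/DNS packets. Read that way, the 14 instructions compute 20 + IP header length (skipping the IP header, the 8-byte UDP header and the 12-byte DNS header), then compare the question name word by word against `\x07exa`, `mple`, `\x03com` and a terminating zero byte, so the rule drops queries for exactly `example.com` and nothing else. (The assembly listing with `ld #34` and the `lb_0` label is the variant for frames that still carry a 14-byte Ethernet header and which skips one leading label first.) The packet builder and the host addresses are constructed for the demo.

```python
import struct

# Bytecode string copied from the iptables -m bpf rule on the slide.
BYTECODE = ("14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,"
            "64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,"
            "21 0 1 0,6 0 0 1,6 0 0 0")


def parse_bytecode(text):
    """Parse the xt_bpf '<count>,<code> <jt> <jf> <k>,...' form into tuples."""
    fields = text.split(",")
    insns = [tuple(int(x) for x in f.split()) for f in fields[1:]]
    if len(insns) != int(fields[0]):
        raise ValueError("instruction count does not match program length")
    return insns


def run_bpf(insns, pkt):
    """Interpret the cBPF opcodes this program uses.  xt_bpf runs the filter
    with offset 0 at the IP header.  Returns the program's ret value; non-zero
    means the rule matches (here: -j DROP).  A load beyond the end of the
    packet makes classic BPF return 0, which the except clause mirrors."""
    A = X = pc = 0
    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        pc += 1
        try:
            if code == 0x00:    # ld #k            (BPF_LD|BPF_W|BPF_IMM)
                A = k
            elif code == 0xb1:  # ldx 4*([k]&0xf)  (BPF_LDX|BPF_B|BPF_MSH): IP header length
                X = 4 * (pkt[k] & 0x0f)
            elif code == 0x0c:  # add x            (BPF_ALU|BPF_ADD|BPF_X)
                A = (A + X) & 0xffffffff
            elif code == 0x07:  # tax              (BPF_MISC|BPF_TAX)
                X = A
            elif code == 0x40:  # ld [x+k]         (BPF_LD|BPF_W|BPF_IND), big-endian word
                A = struct.unpack_from("!I", pkt, X + k)[0]
            elif code == 0x50:  # ldb [x+k]        (BPF_LD|BPF_B|BPF_IND)
                A = pkt[X + k]
            elif code == 0x15:  # jeq #k, jt, jf   (BPF_JMP|BPF_JEQ|BPF_K), offsets relative to next insn
                pc += jt if A == k else jf
            elif code == 0x06:  # ret #k           (BPF_RET|BPF_K)
                return k
            else:
                raise NotImplementedError(f"opcode {code:#x} not handled")
        except (IndexError, struct.error):
            return 0
    return 0


def dns_name(name):
    """Encode 'example.com' as the wire-format label sequence."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def dns_query_packet(qname, ip_options=b""):
    """Constructed IPv4/UDP/DNS A query from 10.0.0.1 to 1.2.3.4:53 (checksums
    are left zero; the filter never looks at them).  ip_options lets the demo
    show that the IHL-based offset still lands on the question name."""
    dns = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
           + dns_name(qname) + struct.pack("!HH", 1, 1))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ihl = (20 + len(ip_options)) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(ip_options) + len(udp),
                     0, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([1, 2, 3, 4]))
    return ip + ip_options + udp


def rule_drops(qname, ip_options=b""):
    """True when the slide's rule would drop a query for qname."""
    return run_bpf(parse_bytecode(BYTECODE), dns_query_packet(qname, ip_options)) != 0


if __name__ == "__main__":
    for name in ("example.com", "www.example.com", "example.org", "example.com.evil"):
        print(f"{name:20s} -> {'DROP' if rule_drops(name) else 'pass'}")
```

Because the comparison is anchored at a fixed offset after the DNS header, a query for `www.example.com` or `example.com.evil` passes; that is the point of the label-skipping variant in the assembly listing, and of generating such filters from a description rather than writing bytecode by hand.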
  71. Iptables for application attacks
     • Conntrack / Connlimit - limit concurrent connections
     • Hashlimits - limit rate of connections
     • Rate limit SYN packets per IP
     • Ipset - blacklisting of IP addresses
       • Manual blacklisting - feed IP blacklist from HTTP server logs
       • Supports subnets, timeouts
       • Automatic blacklisting - hashlimits
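The "feed IP blacklist from HTTP server logs" item, with ipset's subnet and timeout support, as an added example that is not from the talk: it counts requests per client address in a slice of combined-format access log, collapses offenders that cluster in one /24 into a single subnet entry, and emits `ipset` commands whose entries expire on their own. The log lines, the set name `ddos_blacklist`, the request threshold and the `/24` aggregation rule are all constructed or assumed for the demo; the companion firewall rule would be `iptables -I INPUT -m set --match-set ddos_blacklist src -j DROP`.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Combined-log-format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def _constructed_lines(ip, n):
    """Constructed access-log lines for the demo (not real traffic)."""
    return [f'{ip} - - [06/Jun/2018:10:00:{i % 60:02d} +0000] "GET /en HTTP/1.1" 200 512'
            for i in range(n)]


# Three chatty hosts in one documentation /24, one elsewhere, one quiet host,
# and a line that does not parse at all.
SAMPLE_LOG = "\n".join(
    _constructed_lines("203.0.113.7", 6) + _constructed_lines("203.0.113.8", 5)
    + _constructed_lines("203.0.113.9", 5) + _constructed_lines("198.51.100.20", 5)
    + _constructed_lines("192.0.2.1", 1) + ["not a log line at all"])


def requests_per_ip(log_text):
    """Count parsed requests per client address; skip unparseable lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:          # garbage in the client field
            continue
        counts[ip] += 1
    return counts


def offenders(counts, threshold):
    """Addresses that sent more than `threshold` requests in the log slice."""
    return {ip for ip, n in counts.items() if n > threshold}


def aggregate(ips, prefix=24, min_hosts=3):
    """Collapse offenders into one /prefix entry when at least `min_hosts` of
    them share it; ipset hash:net accepts both hosts and subnets."""
    by_net = defaultdict(set)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net[net].add(ip)
    entries = []
    for net, hosts in by_net.items():
        entries.extend([str(net)] if len(hosts) >= min_hosts else sorted(hosts))
    return sorted(entries)


def ipset_commands(entries, set_name="ddos_blacklist", timeout=600):
    """Emit ipset commands; the per-entry timeout lets entries expire on their
    own, and -exist makes the feed safe to re-run."""
    cmds = [f"ipset create {set_name} hash:net timeout {timeout} -exist"]
    cmds += [f"ipset add {set_name} {e} timeout {timeout} -exist" for e in entries]
    return cmds


def blacklist_from_log(log_text, threshold=4):
    """Whole pipeline: log text in, ipset command lines out."""
    return ipset_commands(aggregate(offenders(requests_per_ip(log_text), threshold)))


if __name__ == "__main__":
    print("\n".join(blacklist_from_log(SAMPLE_LOG)))
```

Run this periodically over the last minute of logs (from cron, or tailing the log) and pipe the output to `ipset restore`-style batching; the timeout keeps the set from growing without bound, which matters when an attack such as the one profiled above cycles through 200k addresses an hour.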
  72. Thanks!
     • Architected for DDoS
     • Iptables are great
     • Reduce DNS TTL
     • Keep your IoT firmware in check
     • Don't install random APKs
     • Use 1.1.1.1 resolver :)

     marek@cloudflare.com  @majek04