Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How Cloudflare deals with largest DDoS attacks?

majek04
November 25, 2017
Programming
2
3.1k

How Cloudflare deals with largest DDoS attacks?

majek04

November 25, 2017
Tweet

More Decks by majek04

See All by majek04
BPF programmable socket lookup
majek04
0
560
Linux at Cloudflare
majek04
3
7k
DDoS Landscape
majek04
0
360
Inside Cloudbleed
majek04
3
2.5k
Golang sucks
majek04
21
52k
Gatelogic - Somewhat functional reactive framework in Python
majek04
1
4.6k
Why we chose Service Worker API
majek04
0
2.4k
IP Spoofing - DEFCON
majek04
1
800
Recent DDoS
majek04
0
290

Other Decks in Programming

See All in Programming
GitHub Actionsのキャッシュと手を挙げることの大切さとそれに必要なこと
satoshi256kbyte
5
430
役立つログに取り組もう
irof
28
9.6k
TypeScriptでライブラリとの依存を限定的にする方法
tutinoko
3
690
Pinia Colada が実現するスマートな非同期処理
naokihaba
4
230
flutterkaigi_2024.pdf
kyoheig3
0
150
OSSで起業してもうすぐ10年 / Open Source Conference 2024 Shimane
furukawayasuto
0
110
Laravel や Symfony で手っ取り早く
OpenAPI のドキュメントを作成する
azuki
2
120
「今のプロジェクトいろいろ大変なんですよ、app/services とかもあって……」/After Kaigi on Rails 2024 LT Night
junk0612
5
2.2k
TypeScript Graph でコードレビューの心理的障壁を乗り越える
ysk8hori
2
1.1k
Remix on Hono on Cloudflare Workers
yusukebe
1
300
ヤプリ新卒SREの オンボーディング
masaki12
0
130
A Journey of Contribution and Collaboration in Open Source
ivargrimstad
0
970

Featured

See All Featured
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
The Cost Of JavaScript in 2023
addyosmani
45
6.8k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Adopting Sorbet at Scale
ufuk
73
9.1k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
KATA
mclloyd
29
14k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k

Transcript

  1. How Cloudflare deals with largest DDoS attacks Marek Majkowski @majek04

  2. 2

  3. Reverse proxy 3 Eyeball Reverse proxy Origin server • Optimizations

    • Caching • DDoS protection • Security

  4. 4

  5. 5

  6. How to perform an attack? 6

  7. 7 X Attacker Visitor Target Bots

  8. 1. Get a cool costume 8

  9. 9 2. Fix your keyboard

  10. 3. Get a cool name 10 • Anonymous • Lizard

    Squad • WireX • Syrian Electronic Army • vDOS

  11. 4. Choose attack type • L3 Amplification (requires IP Spoofing)

    • L3 Direct • L7 - repetitive • L7 - smart 11

  12. Attack types • Amplification • SYN • DNS • HTTP

    • HTTPS 12 ⟯ ⟯ OSI L3 (source IP irrelevant) OSI L7 (established TCP/IP)

  13. Attack types 13 IP Spoofing Large Easy to block Easy

    to implement L3 Amplification required YES yes yes L3 Direct desired no depends depends L7 repetitive no yes yes L7 smart no no no

  14. 14 more bots == better

  15. 5. Choose infection vector • Ask users - hacktivism •

    Windows XP zombies • VPS Servers - Shellshock • CPE routers - Mirai • Android phones - WireX 15

  16. Infection vectors 16 IP Spoofing Plenty? Infection software Windows XP

    maybe, hard to maintain acquire? Zeus VPS Servers sometimes internet scan ? CPE Routers sometimes new vulnerability custom Android phones yes phishing custom

  17. 17 https://www.fbi.gov/wanted/cyber

  18. 18

  19. Five case studies 19

  20. 1. Asia direct 20

  21. 21

  22. 22 Target Server Attacker 510 Gbps Direct SYN flood

  23. 23

  24. 24 1 in 10000 packets

  25. Internet economics 25 Tier 1 provider Attacking network Target network

    $ $

  26. 26 Spoofed? (source: DaPuglet)

  27. 27 5.6.7.8 8.8.8.8 IP Spoofing

  28. 28 Enables impersonation Real 8.8.8.8 Destination 5.6.7.8 Spoofed 8.8.8.8

  29. 29

  30. 30

  31. 31

  32. 32

  33. 33

  34. 34

  35. 35

  36. 36

  37. Asia direct: Profile • Direct SYN floods • VERY big

    - 510Gbps, 300Mpps • Hitting small number of pops • Capable of IP Spoofing • Attacker: ???? • Infection: Servers 37

  38. Is it a day job? 38

  39. Asia: mitigation 39 iptables -A INPUT \ --dst 1.2.3.4 \

    -p udp --dport 53 \ -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \ -j DROP

  40. BPF Bytecode 40 ldx 4*([14]&0xf) ld #34 add x tax

    lb_0: ldb [x + 0] add x add #1 tax ld [x + 0] jneq #0x07657861, lb_1 ld [x + 4] jneq #0x6d706c65, lb_1 ld [x + 8] jneq #0x03636f6d, lb_1 ldb [x + 12] jneq #0x00, lb_1 ret #1 lb_1: ret #0

  41. 41

  42. 42 Internet Router NIC Kernel App XDP Iptables

  43. Application integration 43 1.2.3.4 1.2.3.5 1.2.3.6 dig A example.com 1.2.3.7

    X

  44. 2. Asia amplification 44

  45. 45

  46. 46 UDP Server UDP Client request response

  47. 47 Attacker Target UDP Server request response

  48. 48 Attacker Target UDP Server request response 10 bytes 100

    bytes

  49. 49 Attacker Target UDP Servers requests responses

  50. 50

  51. 51 192.0.2.0/24 Internet Los Angeles 192.0.2.0/24 London 192.0.2.0/24 Amsterdam 192.0.2.0/24

    Moscow 192.0.2.0/24 San Jose 192.0.2.0/24 New York

  52. 52

  53. March 2013: Spamhaus 53 300 Gbps of traffic 27 Gbps

    of spoofing Exposed DNS Resolvers

  54. 54

  55. 55 Mbps - AMP sport=1900 min:406 avg:22608 med=4663 max:186124 dev:35565

    count:1319 Mbps - AMP sport=1900: value |-------------------------------------------------- count 134 | 0 268 | *************************************** 145 536 |************************************************** 182 1073 | ******************************************** 163 2147 | ******************************************* 157 4294 | *********************************** 131 8589 | ************************ 88 17179 | ************************************************ 176 34359 | ************************************ 133 68719 | ******************************** 117 137438 | ******* 27

  56. Asia SSDP: Profile • Amplification SSDP attakcs • Pretty large

    - 186Gbps • Hitting LARGE number of pops • (we know) source is in Asia, Interesting targets • Requires IP Spoofing • Attacker: ???? • Infection: Servers 56

  57. 57

  58. 58

  59. 59 https://badupnp.benjojo.co.uk/

  60. 3. IoT - connected cameras 60

  61. 61

  62. 62

  63. 63

  64. 64 IP reputation (source: the internet)

  65. 65

  66. 66

  67. 67 GET /en HTTP/1.1 User-Agent: <some string> Cookie: <some cookie>

    Host: example.com Connection: close Content-Length: 800000 a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...

  68. IoT: Profile • Repetitive L7 attacks • Pretty large -

    700k rps, 400Gbps, • 128k source IP's • Ukraine, Vietnam • Attacker: ???? • Infection: CCTV Botnet 68

  69. 69 Internet Router NIC Kernel App conntrack iptables fingerprints

  70. 4. Porcupine 70

  71. 71

  72. 72

  73. 73

  74. 74

  75. 75

  76. Porcupine: Profile • Junk payload L7 attacks • Pretty large

    - 1M rps, 200k IP's/h • Brasil, Algeria, Tunisia, Ukraine • Attacker: . • Infection: . 76

  77. 77

  78. 5. WireX 78

  79. 79

  80. 80 User-Agent: jigpuzbcomkenhvladtwysqfxr User-Agent: yudjmikcvzoqwsbflghtxpanre User-Agent: mckvhaflwzbderiysoguxnqtpj User-Agent: deogjvtynmcxzwfsbahirukqpl User-Agent:

    fdmjczoeyarnuqkbgtlivsxhwp User-Agent: yczfxlrenuqtwmavhojpigkdsb User-Agent: dnlseufokcgvmajqzpbtrwyxih

  81. 81

  82. 82

  83. 83

  84. 84 function attack(String target, String userAgent, String referer) { HashMap

    WebViewHeaders = new HashMap(); WebViewHeaders->put(“Referer”,referer); WebViewHeaders->put(“X-Requested-With”,””); WebView[] AttackerViews = new WebView[100]; for (int i=0; i<AttackerViews.length; i++) { AttackerViews[i] = new WebView(); AttackerViews[i]->clearHistory(); AttackerViews[i]->clearFormData(); AttackerViews[i]->clearCache(true); WebViewSettings AWVS = AttackerViews[i]->getSettings() AttackWebViewSettings->setJavaScriptEnabled(true); AttackWebViewSettings->setUserAgentString(userAgent); AttackWebViewSettings->setCacheMode(LOAD_NO_CACHE); this->deleteDatabase(“webview.db”); this->deleteDatabase(“webviewCache.db”); AttackerViews[i]->loadUrl(target,WebViewHeaders); } } }

  85. WireX: Profile • Real-looking L7 requests • Mid-size - 80k

    rps, 120k IP's/h • Location: Everywhere • Targets: interesting • Attacker: . • Infection: 300+ Android apps 85

  86. 6. Elections 86

  87. 87

  88. Attack data • trump.com: ~54,000 attacks per day • donaldjtrump.com:

    ~501,000 attacks per day • trump.com: Attacked on 100% of days • donaldjtrump.com: Attacked on 94.4% of days 88

  89. Attack data • trump.com: • 25 Apr 2016 ~3,4M requests

    (39 rps) • donaldjtrump.com: • 10 Dec 2015 ~15M requests (173 rps) 89

  90. 90

  91. 91

  92. 7. The great cannon 92

  93. 93 Eyeball Target Infected website

  94. 94

  95. Infected website? • Compromised JS • Competition case • China

    great firewall • L3 injection to scripts • Rogue AD 95

  96. Cloudflare 96

  97. 97 1. Architecture

  98. 98 2. Mitigation in software

  99. 99 Attack Detection Mitigation Automation

  100. Thanks! • Architected for DDoS • Iptables + BPF great

    for L3 • Kernel bypass • XDP • Iptables + Conntrack great for L7 • Also: connlimit, hashlimits, ipset 100 marek@cloudflare.com @majek04