
How Cloudflare deals with largest DDoS attacks?

majek04
November 25, 2017



Transcript

  2. Reverse proxy
     Eyeball → Reverse proxy → Origin server
     • Optimizations
     • Caching
     • DDoS protection
     • Security

  5. 3. Get a cool name
     • Anonymous
     • Lizard Squad
     • WireX
     • Syrian Electronic Army
     • vDOS

  6. 4. Choose attack type
     • L3 Amplification (requires IP Spoofing)
     • L3 Direct
     • L7 - repetitive
     • L7 - smart

  7. Attack types
     • Amplification, SYN, DNS: OSI L3 (source IP irrelevant)
     • HTTP, HTTPS: OSI L7 (established TCP/IP)

  8. Attack types

                        IP Spoofing   Large   Easy to block   Easy to implement
     L3 Amplification   required      YES     yes             yes
     L3 Direct          desired       no      depends         depends
     L7 repetitive      no            yes     yes
     L7 smart           no            no      no

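The distinction the table draws (for L3 traffic the source IP tells you nothing, for L7 the source completed a TCP handshake and is therefore real) is the first thing a detection pipeline has to establish. The following Python is an added example, not code from the deck or from Cloudflare: it bins constructed flow-style records into the slide's attack types, using the reflector source ports (SSDP 1900, DNS 53, NTP 123 and so on), SYN-only TCP flows, and established TCP flows as the discriminators. The record format, the port list and the `min_sources` threshold are assumptions of this example.

```python
"""Added example: classify constructed flow records into the slide's attack types."""
from collections import defaultdict

# Well-known UDP amplifier/reflector source ports (the deck's SSDP example is sport=1900).
AMPLIFIER_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}

# Constructed sample records, not real traffic:
# (proto, src, sport, dst, dport, tcp_flags, packets)
SAMPLE_FLOWS = [
    ("udp", "203.0.113.10", 1900, "198.51.100.1", 80, "", 4000),
    ("udp", "203.0.113.11", 1900, "198.51.100.1", 80, "", 3900),
    ("udp", "203.0.113.12", 1900, "198.51.100.1", 80, "", 4100),
    ("tcp", "192.0.2.50", 40001, "198.51.100.2", 443, "S", 9000),
    ("tcp", "192.0.2.51", 40002, "198.51.100.2", 443, "S", 9100),
    ("tcp", "192.0.2.52", 40003, "198.51.100.2", 443, "S", 8800),
    ("tcp", "192.0.2.53", 40004, "198.51.100.2", 443, "S", 9300),
    ("tcp", "192.0.2.200", 51000, "198.51.100.3", 80, "PA", 120),
    ("tcp", "192.0.2.201", 51001, "198.51.100.3", 80, "PA", 118),
    ("tcp", "192.0.2.202", 51002, "198.51.100.3", 80, "PA", 125),
    ("udp", "192.0.2.7", 5353, "198.51.100.4", 53, "", 3),   # an ordinary DNS query
]


def flow_kind(flow):
    """Map one record to the slide's categories."""
    proto, _src, sport, _dst, _dport, flags, _pkts = flow
    if proto == "udp" and sport in AMPLIFIER_PORTS:
        # Reflected traffic: the source IPs are the reflectors, not the attacker.
        # The spoofed request that triggered it came from somewhere else entirely.
        return "L3 amplification (%s)" % AMPLIFIER_PORTS[sport]
    if proto == "tcp" and flags == "S":
        # SYN only, handshake never completes: the source address is spoofable.
        return "L3 direct (SYN flood)"
    if proto == "tcp" and "A" in flags:
        # Data on an established connection: this source did the handshake, so it is real.
        return "L7 (established TCP)"
    return "other"


def profile(flows, min_sources=3):
    """Aggregate per (destination, kind); report kinds seen from at least `min_sources` sources.

    `source_ip_meaningful` records the slide's point: only for L7 can the source IP be acted on.
    """
    sources = defaultdict(set)
    packets = defaultdict(int)
    for flow in flows:
        key = (flow[3], flow_kind(flow))
        sources[key].add(flow[1])
        packets[key] += flow[6]
    return {
        key: {
            "sources": len(sources[key]),
            "packets": packets[key],
            "source_ip_meaningful": key[1].startswith("L7"),
        }
        for key in sources
        if key[1] != "other" and len(sources[key]) >= min_sources
    }


if __name__ == "__main__":
    for (dst, kind), info in sorted(profile(SAMPLE_FLOWS).items()):
        print(dst, kind, info)
```

The threshold on distinct sources keeps a single chatty client out of the report; in practice it would be a rate over a sampling window rather than a count.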
  9. 5. Choose infection vector
     • Ask users - hacktivism
     • Windows XP zombies
     • VPS Servers - Shellshock
     • CPE routers - Mirai
     • Android phones - WireX

  10. Infection vectors

                        IP Spoofing               Plenty?             Infection software
      Windows XP        maybe, hard to maintain   acquire?            Zeus
      VPS Servers       sometimes                 internet scan       ?
      CPE Routers       sometimes                 new vulnerability   custom
      Android phones    yes                       phishing            custom

  22. Asia direct: Profile
      • Direct SYN floods
      • VERY big - 510Gbps, 300Mpps
      • Hitting small number of PoPs
      • Capable of IP Spoofing
      • Attacker: ????
      • Infection: Servers

  23. Asia: mitigation

      iptables -A INPUT \
          --dst 1.2.3.4 \
          -p udp --dport 53 \
          -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
          -j DROP

  24. BPF Bytecode

      ldx 4*([14]&0xf)
      ld #34
      add x
      tax
      lb_0:
      ldb [x + 0]
      add x
      add #1
      tax
      ld [x + 0]
      jneq #0x07657861, lb_1
      ld [x + 4]
      jneq #0x6d706c65, lb_1
      ld [x + 8]
      jneq #0x03636f6d, lb_1
      ldb [x + 12]
      jneq #0x00, lb_1
      ret #1
      lb_1:
      ret #0

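The bytecode on the mitigation slide is opaque unless you know what each number means: it is a classic BPF program, one instruction per "code jt jf k" group, that locates the DNS question name behind the IP and UDP headers and compares it, four bytes at a time, against the wire encoding of example.com (0x07657861 is "\x07exa", 0x6d706c65 is "mple", 0x03636f6d is "\x03com", and the final byte compare is the terminating 0x00). The Python below is an added example, not code from the deck or from Cloudflare's own tooling. It generates that exact-match program for any query name (so it generalises the slide's single instance to longer or shorter names), serialises it in the iptables `-m bpf --bytecode` format, and dry-runs it with a minimal cBPF interpreter over a constructed IPv4/UDP/DNS packet. The opcode numbers follow linux/filter.h; the packet builder, the interpreter and the sample packets are assumptions of this example. Note that it matches the exact name only, whereas the assembly listing above advances past the first label before comparing.

```python
"""Added example: build and dry-run an iptables '-m bpf --bytecode' DNS qname filter."""
import struct

# Classic BPF opcode numbers (linux/filter.h); only the ones this program needs.
LD_IMM, LDX_MSH, ALU_ADD_X, TAX = 0x00, 0xB1, 0x0C, 0x07
LD_IND_W, LD_IND_H, LD_IND_B = 0x40, 0x48, 0x50
JEQ_K, RET_K = 0x15, 0x06
IND_WIDTH = {LD_IND_W: 4, LD_IND_H: 2, LD_IND_B: 1}


def qname_wire(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (DNS wire-format name)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def qname_filter(name):
    """cBPF program (code, jt, jf, k) accepting a DNS packet whose question name is exactly `name`.

    iptables hands the program the packet from the IP header on, so the question name sits at
    ip_header_len + 8 (UDP header) + 12 (DNS header). Longer names just add compare steps.
    """
    wire = qname_wire(name)
    chunks, pos = [], 0                       # (load opcode, offset, expected value)
    while pos < len(wire):
        rem = len(wire) - pos
        width = 4 if rem >= 4 else 2 if rem >= 2 else 1
        op = {4: LD_IND_W, 2: LD_IND_H, 1: LD_IND_B}[width]
        chunks.append((op, pos, int.from_bytes(wire[pos:pos + width], "big")))
        pos += width
    prog = [
        (LD_IMM, 0, 0, 20),    # A = 8 (UDP header) + 12 (DNS header)
        (LDX_MSH, 0, 0, 0),    # X = 4 * (ip[0] & 0xf), the IP header length
        (ALU_ADD_X, 0, 0, 0),  # A = offset of the question name
        (TAX, 0, 0, 0),        # X = that offset, so the loads below are [x + off]
    ]
    m = len(chunks)
    for i, (op, off, value) in enumerate(chunks):
        prog.append((op, 0, 0, off))
        # On mismatch jump forward to the final 'ret #0'; jt=0 falls through to the next compare.
        prog.append((JEQ_K, 0, 2 * m - 2 * i - 1, value))
    prog += [(RET_K, 0, 0, 1), (RET_K, 0, 0, 0)]
    return prog


def to_iptables_bytecode(prog):
    """Serialise as 'N,code jt jf k,...' for iptables -m bpf --bytecode."""
    return ",".join([str(len(prog))] + ["%d %d %d %d" % insn for insn in prog])


def run_filter(prog, pkt):
    """Minimal cBPF interpreter for the opcodes above. Out-of-range loads reject the packet (0)."""
    a = x = pc = 0
    while True:
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == RET_K:
            return k
        if code == LD_IMM:
            a = k
        elif code == LDX_MSH:
            if k >= len(pkt):
                return 0
            x = 4 * (pkt[k] & 0xF)
        elif code == ALU_ADD_X:
            a = (a + x) & 0xFFFFFFFF
        elif code == TAX:
            x = a
        elif code in IND_WIDTH:
            off, width = x + k, IND_WIDTH[code]
            if off + width > len(pkt):
                return 0
            a = int.from_bytes(pkt[off:off + width], "big")
        elif code == JEQ_K:
            pc += jt if a == k else jf
        else:
            raise ValueError("unsupported opcode 0x%02x" % code)


def dns_query_packet(name, ip_options=b""):
    """Constructed sample packet: IPv4 + UDP + DNS 'A?' query (checksums left at zero)."""
    question = qname_wire(name) + struct.pack("!HH", 1, 1)
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(ip_options) + len(udp),
                     0, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([1, 2, 3, 4]))
    return ip + ip_options + udp


if __name__ == "__main__":
    prog = qname_filter("example.com")
    print(to_iptables_bytecode(prog))        # reproduces the string from the slide
    for q in ("example.com", "example.org", "www.example.com"):
        print("%-16s -> %d" % (q, run_filter(prog, dns_query_packet(q))))
```

Running the block prints the slide's bytecode string verbatim, then 1 for the example.com query and 0 for the other two. The interpreter deliberately returns 0 on any load past the end of the packet, which is the kernel's behaviour and the reason a truncated or non-DNS packet can never match by accident.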
  29. March 2013: Spamhaus
      • 300 Gbps of traffic
      • 27 Gbps of spoofing
      • Exposed DNS Resolvers

  31. Mbps - AMP sport=1900  min:406 avg:22608 med=4663 max:186124 dev:35565 count:1319

      Mbps - AMP sport=1900:
         value |-------------------------------------------------- count
           134 |                                                    0
           268 |***************************************             145
           536 |**************************************************  182
          1073 |********************************************        163
          2147 |*******************************************         157
          4294 |***********************************                 131
          8589 |************************                            88
         17179 |************************************************    176
         34359 |************************************                133
         68719 |********************************                    117
        137438 |*******                                             27

  32. Asia SSDP: Profile
      • Amplification SSDP attacks
      • Pretty large - 186Gbps
      • Hitting LARGE number of PoPs
      • (we know) source is in Asia, interesting targets
      • Requires IP Spoofing
      • Attacker: ????
      • Infection: Servers

  40.
      GET /en HTTP/1.1
      User-Agent: <some string>
      Cookie: <some cookie>
      Host: example.com
      Connection: close
      Content-Length: 800000

      a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...

  41. IoT: Profile
      • Repetitive L7 attacks
      • Pretty large - 700k rps, 400Gbps
      • 128k source IP's
      • Ukraine, Vietnam
      • Attacker: ????
      • Infection: CCTV Botnet

  47. Porcupine: Profile
      • Junk payload L7 attacks
      • Pretty large - 1M rps, 200k IP's/h
      • Brazil, Algeria, Tunisia, Ukraine
      • Attacker: .
      • Infection: .

  53.
      function attack(String target, String userAgent, String referer) {
          HashMap WebViewHeaders = new HashMap();
          WebViewHeaders->put("Referer", referer);
          WebViewHeaders->put("X-Requested-With", "");
          WebView[] AttackerViews = new WebView[100];
          for (int i = 0; i < AttackerViews.length; i++) {
              AttackerViews[i] = new WebView();
              AttackerViews[i]->clearHistory();
              AttackerViews[i]->clearFormData();
              AttackerViews[i]->clearCache(true);
              WebViewSettings AWVS = AttackerViews[i]->getSettings()
              AttackWebViewSettings->setJavaScriptEnabled(true);
              AttackWebViewSettings->setUserAgentString(userAgent);
              AttackWebViewSettings->setCacheMode(LOAD_NO_CACHE);
              this->deleteDatabase("webview.db");
              this->deleteDatabase("webviewCache.db");
              AttackerViews[i]->loadUrl(target, WebViewHeaders);
          }
      }

  54. WireX: Profile
      • Real-looking L7 requests
      • Mid-size - 80k rps, 120k IP's/h
      • Location: Everywhere
      • Targets: interesting
      • Attacker: .
      • Infection: 300+ Android apps

  56. Attack data
      • trump.com: ~54,000 attacks per day
      • donaldjtrump.com: ~501,000 attacks per day
      • trump.com: Attacked on 100% of days
      • donaldjtrump.com: Attacked on 94.4% of days

  57. Attack data
      • trump.com: 25 Apr 2016, ~3.4M requests (39 rps)
      • donaldjtrump.com: 10 Dec 2015, ~15M requests (173 rps)

  61. Infected website?
      • Compromised JS
      • Competition case
      • China great firewall
      • L3 injection to scripts
      • Rogue AD

  62. Thanks!
      • Architected for DDoS
      • Iptables + BPF great for L3
      • Kernel bypass
      • XDP
      • Iptables + Conntrack great for L7
      • Also: connlimit, hashlimits, ipset

      marek@cloudflare.com  @majek04