Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How Cloudflare deals with largest DDoS attacks?

majek04
November 25, 2017
Programming
2
3k

How Cloudflare deals with largest DDoS attacks?

majek04

November 25, 2017
Tweet

More Decks by majek04

See All by majek04
BPF programmable socket lookup
majek04
0
560
Linux at Cloudflare
majek04
3
7k
DDoS Landscape
majek04
0
360
Inside Cloudbleed
majek04
3
2.5k
Golang sucks
majek04
21
52k
Gatelogic - Somewhat functional reactive framework in Python
majek04
1
4.6k
Why we chose Service Worker API
majek04
0
2.4k
IP Spoofing - DEFCON
majek04
1
790
Recent DDoS
majek04
0
290

Other Decks in Programming

See All in Programming
プロジェクト新規参入者のリードタイム短縮の観点から見る、品質の高いコードとアーキテクチャを保つメリット
d_endo
1
1k
Generative AI Use Cases JP (略称:GenU)奮闘記
hideg
0
150
Honoの来た道とこれから
yusukebe
19
3k
Synchronizationを支える技術
s_shimotori
1
150
GitHub Actionsのキャッシュと手を挙げることの大切さとそれに必要なこと
satoshi256kbyte
5
390
JaSST 24 九州:ワークショップ(は除く) 実践!マインドマップを活用したソフトウェアテスト+活用事例
satohiroyuki
0
260
Realtime API 入門
riofujimon
0
110
リリース8年目のサービスの1800個のERBファイルをViewComponentに移行した方法とその結果
katty0324
5
3.6k
Pinia Colada が実現するスマートな非同期処理
naokihaba
2
160
go.mod、DockerfileやCI設定に分散しがちなGoのバージョンをまとめて管理する / Go Connect #3
arthur1
10
2.4k
LLM生成文章の精度評価自動化とプロンプトチューニングの効率化について
layerx
PRO
2
130
Outline View in SwiftUI
1024jp
1
110

Featured

See All Featured
Building Better People: How to give real-time feedback that sticks.
wjessup
363
19k
Imperfection Machines: The Place of Print at Facebook
scottboms
264
13k
GraphQLとの向き合い方2022年版
quramy
43
13k
Designing for humans not robots
tammielis
249
25k
We Have a Design System, Now What?
morganepeng
50
7.2k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Become a Pro
speakerdeck
PRO
24
5k
Facilitating Awesome Meetings
lara
49
6k
Producing Creativity
orderedlist
PRO
341
39k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
22k
The Invisible Side of Design
smashingmag
297
50k
A Modern Web Designer's Workflow
chriscoyier
692
190k

Transcript

  1. How Cloudflare deals with largest DDoS attacks Marek Majkowski @majek04

  2. 2

  3. Reverse proxy 3 Eyeball Reverse proxy Origin server • Optimizations

    • Caching • DDoS protection • Security

  4. 4

  5. 5

  6. How to perform an attack? 6

  7. 7 X Attacker Visitor Target Bots

  8. 1. Get a cool costume 8

  9. 9 2. Fix your keyboard

  10. 3. Get a cool name 10 • Anonymous • Lizard

    Squad • WireX • Syrian Electronic Army • vDOS

  11. 4. Choose attack type • L3 Amplification (requires IP Spoofing)

    • L3 Direct • L7 - repetitive • L7 - smart 11

  12. Attack types • Amplification • SYN • DNS • HTTP

    • HTTPS 12 ⟯ ⟯ OSI L3 (source IP irrelevant) OSI L7 (established TCP/IP)

  13. Attack types 13 IP Spoofing Large Easy to block Easy

    to implement L3 Amplification required YES yes yes L3 Direct desired no depends depends L7 repetitive no yes yes L7 smart no no no

  14. 14 more bots == better

  15. 5. Choose infection vector • Ask users - hacktivism •

    Windows XP zombies • VPS Servers - Shellshock • CPE routers - Mirai • Android phones - WireX 15

  16. Infection vectors 16 IP Spoofing Plenty? Infection software Windows XP

    maybe, hard to maintain acquire? Zeus VPS Servers sometimes internet scan ? CPE Routers sometimes new vulnerability custom Android phones yes phishing custom

  17. 17 https://www.fbi.gov/wanted/cyber

  18. 18

  19. Five case studies 19

  20. 1. Asia direct 20

  21. 21

  22. 22 Target Server Attacker 510 Gbps Direct SYN flood

  23. 23

  24. 24 1 in 10000 packets

  25. Internet economics 25 Tier 1 provider Attacking network Target network

    $ $

  26. 26 Spoofed? (source: DaPuglet)

  27. 27 5.6.7.8 8.8.8.8 IP Spoofing

  28. 28 Enables impersonation Real 8.8.8.8 Destination 5.6.7.8 Spoofed 8.8.8.8

  29. 29

  30. 30

  31. 31

  32. 32

  33. 33

  34. 34

  35. 35

  36. 36

  37. Asia direct: Profile • Direct SYN floods • VERY big

    - 510Gbps, 300Mpps • Hitting small number of pops • Capable of IP Spoofing • Attacker: ???? • Infection: Servers 37

  38. Is it a day job? 38

  39. Asia: mitigation 39 iptables -A INPUT \ --dst 1.2.3.4 \

    -p udp --dport 53 \ -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \ -j DROP

  40. BPF Bytecode 40 ldx 4*([14]&0xf) ld #34 add x tax

    lb_0: ldb [x + 0] add x add #1 tax ld [x + 0] jneq #0x07657861, lb_1 ld [x + 4] jneq #0x6d706c65, lb_1 ld [x + 8] jneq #0x03636f6d, lb_1 ldb [x + 12] jneq #0x00, lb_1 ret #1 lb_1: ret #0

  41. 41

  42. 42 Internet Router NIC Kernel App XDP Iptables

  43. Application integration 43 1.2.3.4 1.2.3.5 1.2.3.6 dig A example.com 1.2.3.7

    X

  44. 2. Asia amplification 44

  45. 45

  46. 46 UDP Server UDP Client request response

  47. 47 Attacker Target UDP Server request response

  48. 48 Attacker Target UDP Server request response 10 bytes 100

    bytes

  49. 49 Attacker Target UDP Servers requests responses

  50. 50

  51. 51 192.0.2.0/24 Internet Los Angeles 192.0.2.0/24 London 192.0.2.0/24 Amsterdam 192.0.2.0/24

    Moscow 192.0.2.0/24 San Jose 192.0.2.0/24 New York

  52. 52

  53. March 2013: Spamhaus 53 300 Gbps of traffic 27 Gbps

    of spoofing Exposed DNS Resolvers

  54. 54

  55. 55 Mbps - AMP sport=1900 min:406 avg:22608 med=4663 max:186124 dev:35565

    count:1319 Mbps - AMP sport=1900: value |-------------------------------------------------- count 134 | 0 268 | *************************************** 145 536 |************************************************** 182 1073 | ******************************************** 163 2147 | ******************************************* 157 4294 | *********************************** 131 8589 | ************************ 88 17179 | ************************************************ 176 34359 | ************************************ 133 68719 | ******************************** 117 137438 | ******* 27

  56. Asia SSDP: Profile • Amplification SSDP attakcs • Pretty large

    - 186Gbps • Hitting LARGE number of pops • (we know) source is in Asia, Interesting targets • Requires IP Spoofing • Attacker: ???? • Infection: Servers 56

  57. 57

  58. 58

  59. 59 https://badupnp.benjojo.co.uk/

  60. 3. IoT - connected cameras 60

  61. 61

  62. 62

  63. 63

  64. 64 IP reputation (source: the internet)

  65. 65

  66. 66

  67. 67 GET /en HTTP/1.1 User-Agent: <some string> Cookie: <some cookie>

    Host: example.com Connection: close Content-Length: 800000 a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...

  68. IoT: Profile • Repetitive L7 attacks • Pretty large -

    700k rps, 400Gbps, • 128k source IP's • Ukraine, Vietnam • Attacker: ???? • Infection: CCTV Botnet 68

  69. 69 Internet Router NIC Kernel App conntrack iptables fingerprints

  70. 4. Porcupine 70

  71. 71

  72. 72

  73. 73

  74. 74

  75. 75

  76. Porcupine: Profile • Junk payload L7 attacks • Pretty large

    - 1M rps, 200k IP's/h • Brasil, Algeria, Tunisia, Ukraine • Attacker: . • Infection: . 76

  77. 77

  78. 5. WireX 78

  79. 79

  80. 80 User-Agent: jigpuzbcomkenhvladtwysqfxr User-Agent: yudjmikcvzoqwsbflghtxpanre User-Agent: mckvhaflwzbderiysoguxnqtpj User-Agent: deogjvtynmcxzwfsbahirukqpl User-Agent:

    fdmjczoeyarnuqkbgtlivsxhwp User-Agent: yczfxlrenuqtwmavhojpigkdsb User-Agent: dnlseufokcgvmajqzpbtrwyxih

  81. 81

  82. 82

  83. 83

  84. 84 function attack(String target, String userAgent, String referer) { HashMap

    WebViewHeaders = new HashMap(); WebViewHeaders->put(“Referer”,referer); WebViewHeaders->put(“X-Requested-With”,””); WebView[] AttackerViews = new WebView[100]; for (int i=0; i<AttackerViews.length; i++) { AttackerViews[i] = new WebView(); AttackerViews[i]->clearHistory(); AttackerViews[i]->clearFormData(); AttackerViews[i]->clearCache(true); WebViewSettings AWVS = AttackerViews[i]->getSettings() AttackWebViewSettings->setJavaScriptEnabled(true); AttackWebViewSettings->setUserAgentString(userAgent); AttackWebViewSettings->setCacheMode(LOAD_NO_CACHE); this->deleteDatabase(“webview.db”); this->deleteDatabase(“webviewCache.db”); AttackerViews[i]->loadUrl(target,WebViewHeaders); } } }

  85. WireX: Profile • Real-looking L7 requests • Mid-size - 80k

    rps, 120k IP's/h • Location: Everywhere • Targets: interesting • Attacker: . • Infection: 300+ Android apps 85

  86. 6. Elections 86

  87. 87

  88. Attack data • trump.com: ~54,000 attacks per day • donaldjtrump.com:

    ~501,000 attacks per day • trump.com: Attacked on 100% of days • donaldjtrump.com: Attacked on 94.4% of days 88

  89. Attack data • trump.com: • 25 Apr 2016 ~3,4M requests

    (39 rps) • donaldjtrump.com: • 10 Dec 2015 ~15M requests (173 rps) 89

  90. 90

  91. 91

  92. 7. The great cannon 92

  93. 93 Eyeball Target Infected website

  94. 94

  95. Infected website? • Compromised JS • Competition case • China

    great firewall • L3 injection to scripts • Rogue AD 95

  96. Cloudflare 96

  97. 97 1. Architecture

  98. 98 2. Mitigation in software

  99. 99 Attack Detection Mitigation Automation

  100. Thanks! • Architected for DDoS • Iptables + BPF great

    for L3 • Kernel bypass • XDP • Iptables + Conntrack great for L7 • Also: connlimit, hashlimits, ipset 100 marek@cloudflare.com @majek04