
Recent DDoS

majek04
December 06, 2016


Transcript

  1. Krebs timeline
     • 10th Sept - Krebs publishes VDoS database dump
     • 20th Sept - BackConnect BGP hijacks article
     • 21st Sept - 620 Gbps attack reported
       • Mostly GRE
     • 22nd Sept - Prolexic / Akamai kick Krebs out
     • 25th Sept - Onboarded on Google Project Shield
       • Struggling to keep the website up
  2. Dyn timeline
     • Oct 21st - Doug Madory gives a talk on BackConnect
     • Oct 21st - Dyn attack starts
       • Non-spoofed, mostly Mirai-based botnets
       • 100k "endpoints"
       • Mostly DNS traffic
  3. Mirai
     • Chinese security cameras with default Telnet pass
     • Some evidence for WD disks
     • Some evidence for customer modem/routers
       • Deutsche Telekom port 7547 TR-069
  4. Mirai
     • Very short attacks, https://twitter.com/miraiattacks
     • HTTP
       • 5 hardcoded user agents
     • SYN, ACK, UDP, DNS, Valve, GRE
     • 30k-75k devices
  5. SYN
     • Many of the big volumetric attacks
       • https://blog.cloudflare.com/the-daily-ddos-ten-days-of-massive-attacks/
       • https://blog.cloudflare.com/a-winter-of-400gbps-weekend-ddos-attacks/
     • Directly hitting the target IP (not amplified)
     • Often spoofed source IP
  6. Mitigation: iptables and BPF
     • https://blog.cloudflare.com/introducing-the-p0f-bpf-compiler/

     # Drop UDP/53 packets to 1.2.3.4 whose question name is exactly example.com:
     # the bytecode skips the IPv4 (IHL), UDP and DNS headers and compares
     # "\x07example\x03com\x00" one word at a time, returning 1 (match) or 0.
     iptables -A INPUT \
         --dst 1.2.3.4 \
         -p udp --dport 53 \
         -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
         -j DROP
  7. DNS - random prefix
     • Miss the cache
       • NXDOMAIN
     • Overload Auth DNS
     • Hard to defend
  8. DNS - random prefix
     1.666 --ip=173.245.59.101/32 --port=53 "*.example.com"
     1.639 --ip=173.245.58.211/32 --port=53 "*.example.com"
     0.297 --ip=2400:cb00:2049:1::adf5:3b61/128 --port=53 "*.example.com"
     0.274 --ip=2400:cb00:2049:1::adf5:3ad1/128 --port=53 "*.example.com"
     • Random prefix queries
       mzcjgtofshadofgp.example.com.
       eleloletajgj.example.com.
       ovcpkpij.example.com
     • Bounced off real recursors
  9. HTTP - Mirai-like
     GET /en HTTP/1.1
     User-Agent: <some string>
     Cookie: <some cookie>
     Host: example.com
     Connection: close
     Content-Length: 800000

     a[]=&b[]=&a[]=&b[]=&a[]=&b[]=&a[]=&b[]=...
  10. HTTP - Mirai-like
     • Should it be received?
     • 52k source IPs
     • Mostly Ukraine - hacked customer routers/modems?
  11. Takeaways
     • Direct volumetric SYN floods
       • Go up to 450 Gbps and 100M pps per target
       • Use small DNS TTL to be able to "scatter" - retire IPs
     • Random-prefix DNS
       • Hard to defend
     • HTTP attacks
       • IP reputation works (iptables)
       • Dynamic WAF / "firewall alike" rules for blocking repetitive traffic
  21. ECMP
     (diagram: an ECMP router receiving traffic for dst IP 1.2.3.4 and hashing each flow onto one of server #1, server #2, server #3)