2. Wilson Rogério Lopes
• Network Engineer Specialist, with 12 years of experience in the internet
industry
• Postgraduate degree from University of Sao Paulo – USP
• Frequent speaker at GTER and GTS – Network engineering and security
groups of Brazil, talking about network engineering, DDoS mitigation, DNS
and DNSSEC
• Interests – Network architecture and network security, IaaS, SDN, DNS,
DNSSEC
Contacts – wilsonlopes00@gmail.com
https://br.linkedin.com/in/wrlopes
3. Disclaimer
All information and opinions contained in this presentation does not represent
my employer. All information and stats presented is public, collected from blogs
and specialized sites on the internet.
4. Agenda
• DDoS – Scenery and Evolution
• Mitigation – Options and Applicability
• General Recomendations
5. “DDoS is a new spam…and it’s
everyone’s problem now.”
6. Technical Details Behind a 400Gbps NTP Amplification
DDoS Attack
13 Feb 2014 by Matthew Prince
http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/
“To generate approximately 400Gbps of traffic, the attacker used
4,529 NTP servers running on 1,298 different networks. On
average, each of these servers sent 87Mbps of traffic to the
intended victim on CloudFlare's network. Remarkably, it is
possible that the attacker used only a single server running on a
network that allowed source IP address spoofing to initiate the
requests.”
8. SSDP - Simple Service Discovery Protocol
• UDP port 1900
• “Search” Request
• Amplification factor – 30x
• 8 million of opened devices around the world
Source: https://ssdpscan.shadowserver.org/
9. 2016 - IoT – CCTV Botnet
• CCTV devices – telnet, admin with default passwd
• At least 70 vendors running the same linux embedded
• Lizard Squad – Bot LizardStresser
• 400Gbps of volumetry – without amplification
HTTP Request flood, tcp connections flood, udp flood
Source: https://www.arbornetworks.com/blog/asert/lizard-brain-lizardstresser/
10. 2016 – Rio Olympic Games
Start of IoT botnet activity
• 540Gbps sustained
• Targets – Sponsors, government sites, financial
institutions
• Use of GRE to bypass the mitigations
Fonte: https://www.arbornetworks.com/blog/asert/lizard-brain-lizardstresser/
11. 2016 – 21/09 – Retaliation and Censorship
• vDOS from Israel identified and owners were arrested
• Reported by Brian Krebs - http://krebsonsecurity.com/about/
• 665Gbps – 143Mpps – Without amplification !
12. 2016 – 25/09 – Google Project Shield
#dig krebsonsecurity.com.
krebsonsecurity.com. 246 IN A 130.211.45.45
CIDR: 130.211.0.0/16
NetName: GOOGLE-CLOUD
13. DDoS Attacks – IPv6
Source: Arbor 2016 Worldwide Infrastructure Security Report
• 354 Service Providers interviewed
• 70% answered that have IPv6 deployed
2015 – 2% at least 1 DDoS attack
2016 – 9%
Biggest volumetry - 6Gbps
14. Mitigation – Team Cymru UTRS
BGP Peering
x.x.x.x/32 announce
• UTRS - Unwanted Traffic Removal Service
• Destination RTBH multihop – BGP
• AS victim annouces the ip under attack
• Authenticity verified – whois and peering db
• The attack is blocked in the source AS
• Restricted to /32 prefixes
• More participants, more efficacy
Recommended
• Internet service providers for home users
One or more user will lost the connectivity, but the
provider remains up
Maybe recommended....
ISPs, Content Providers, Hosting Providers
Client Services unavailable (news home, e-commerce basket, bakline page)
UTRS
AS 1234
Network Under Attack
Destination: x.x.x.x/32
Upstream 1 Upstream 2
AS YYYY
route x.x.x.x/32 null0
AS XXXX
route x.x.x.x/32 null0
BGP update
BGP update
Attack Traffic
15. Mitigation – Clean Pipe IP Transit Providers
PE Provider
CPE Client
Cleaning Center
• Normal Traffic
• Attack Traffic
• Cleaned Traffic
• Detection via Netflow
• Start a more specific announce of ip/prefix under attack
• The traffic will be “cleaned” using:
- Syn cookies / Syn Auth
- Static filters : drop proto udp and src port 1900
drop proto udp and src port 123
- Rate Limit per src/dst prefix and ports
- Protocol Authentication
- Payload regular expressions
- TCP connection limit
- Rate limit or drops using GeoIP
16. Mitigation – Cloud DDoS Mitigation Service Providers
PE Provider
CPE Client
• Normal Traffic
• Attack Traffic
• Cleaned Traffic
• GRE tunnel between client and provider
• BGP session under gre tunnel
• Detection via Netflow
• Start a more specific announce of ip/prefix under attack
• Cloud Provider annouce to your upstreams
• All the input traffic will be via Cloud Provider Network
• Block of layer 3 and 4 attacks
• Additionaly, WAF services
Cloud Provider Network
BGP
GRE
GRE
Pros
• Capacity of mitigation – Tbps
• Easy implementation, without changes in the client network
Cons
• Latency
• GRE and MSS –MSS, TCP DF bit setted
Inbound traffic
Outbound traffic
17. Mitigation Layer 7 – Load Balancers
• L7 HTTP/HTTPS Floods
- Rate limit client IP, destination URL, destination URI
- HTTP header analisys
Check of User Agent
Check of Referer
Validation if client is a browser:
- Cookie insertion
- JS insertion
Validation if client is a human:
- Captcha insertion
18. Mitigation – Home Made
• Iptables SynProxy
Kernel 3.13, Red Hat 7
iptables -t raw -I PREROUTING -p tcp -m tcp --syn -j CT –notrack
iptables -I INPUT -p tcp -m tcp -m conntrack –ctstate UNTRACKED
-j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
19. Mitigation – Home Made
• Mod Evasive
Rate limit client IP, destination URL, destination URI
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
DOSEmailNotify admin@example.org
20. Mitigation – Home Made
• Mod Security
WAF – Monitoring, Log and Block
OWASP Core rules - https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Protocol violation
RBL
Block of floods e slow attacks
Bot, crowler and scan detection
21. Mitigation – General Recomendations
• Use Hybrid strategy
Block l3/l4 attacks os the service provider
Block l7 attacks using on-premisse solutions
• Monitoring systems focused on DDoS detection
• Configure Control Plane Policy. Use filters to block traffic to control plane of network devices
• Don’t use the same prefixes to infrastructure and clients
• Keep the mitigation easy – WEB Servers separated of DNS Servers, etc....
• Use anycast as possible – our old and good friend
• Get away of statefull controls on the edge (Firewalls, IPS, etc). Use only where is necessary.
22. References
• CERT.BR - Recomendações para Melhorar o Cenário de Ataques Distribuídos de Negação de Serviço (DDoS)
http://www.cert.br/docs/whitepapers/ddos/
• Mod Evasive - http://www.zdziarski.com/blog/?page_id=442
• Mod Security - https://www.modsecurity.org/
• Iptables SynProxy - http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-
enterprise-linux-7-beta/
• UTRS - https://www.cymru.com/jtk/misc/utrs.html
• Google Project Shield - https://projectshield.withgoogle.com/public