DDoS Attacks - Scenery, Evolution and Mitigation
0 likes448 views
Wilson Rogério Lopes presented on the evolution of DDoS attacks and mitigation options. He discussed how amplification attacks have grown in size using protocols like NTP and SSDP. IoT botnets using CCTV cameras conducted large DDoS attacks in 2016. Mitigation options discussed include using clean pipe providers, cloud DDoS services, BGP routing, and homemade tools like iptables and ModSecurity. The presentation recommended a hybrid mitigation strategy using both on-premise and cloud-based solutions.
DDoS Attacks - Scenery, Evolution and Mitigation
- 1. Wilson Rogério Lopes LACNIC 26 / LACNOG 2016 09/2016 DDoS Attacks Scenery, Evolution and Mitigation
- 2. Wilson Rogério Lopes • Network Engineer Specialist, with 12 years of experience in the internet industry • Postgraduate degree from University of Sao Paulo – USP • Frequent speaker at GTER and GTS – Network engineering and security groups of Brazil, talking about network engineering, DDoS mitigation, DNS and DNSSEC • Interests – Network architecture and network security, IaaS, SDN, DNS, DNSSEC Contacts – wilsonlopes00@gmail.com https://br.linkedin.com/in/wrlopes
- 3. Disclaimer All information and opinions contained in this presentation does not represent my employer. All information and stats presented is public, collected from blogs and specialized sites on the internet.
- 4. Agenda • DDoS – Scenery and Evolution • Mitigation – Options and Applicability • General Recomendations
- 5. “DDoS is a new spam…and it’s everyone’s problem now.”
- 6. Technical Details Behind a 400Gbps NTP Amplification DDoS Attack 13 Feb 2014 by Matthew Prince http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/ “To generate approximately 400Gbps of traffic, the attacker used 4,529 NTP servers running on 1,298 different networks. On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare's network. Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests.”
- 7. Source: Atlas Arbor Networks
- 8. SSDP - Simple Service Discovery Protocol • UDP port 1900 • “Search” Request • Amplification factor – 30x • 8 million of opened devices around the world Source: https://ssdpscan.shadowserver.org/
- 9. 2016 - IoT – CCTV Botnet • CCTV devices – telnet, admin with default passwd • At least 70 vendors running the same linux embedded • Lizard Squad – Bot LizardStresser • 400Gbps of volumetry – without amplification HTTP Request flood, tcp connections flood, udp flood Source: https://www.arbornetworks.com/blog/asert/lizard-brain-lizardstresser/
- 10. 2016 – Rio Olympic Games Start of IoT botnet activity • 540Gbps sustained • Targets – Sponsors, government sites, financial institutions • Use of GRE to bypass the mitigations Fonte: https://www.arbornetworks.com/blog/asert/lizard-brain-lizardstresser/
- 11. 2016 – 21/09 – Retaliation and Censorship • vDOS from Israel identified and owners were arrested • Reported by Brian Krebs - http://krebsonsecurity.com/about/ • 665Gbps – 143Mpps – Without amplification !
- 12. 2016 – 25/09 – Google Project Shield #dig krebsonsecurity.com. krebsonsecurity.com. 246 IN A 130.211.45.45 CIDR: 130.211.0.0/16 NetName: GOOGLE-CLOUD
- 13. DDoS Attacks – IPv6 Source: Arbor 2016 Worldwide Infrastructure Security Report • 354 Service Providers interviewed • 70% answered that have IPv6 deployed 2015 – 2% at least 1 DDoS attack 2016 – 9% Biggest volumetry - 6Gbps
- 14. Mitigation – Team Cymru UTRS BGP Peering x.x.x.x/32 announce • UTRS - Unwanted Traffic Removal Service • Destination RTBH multihop – BGP • AS victim annouces the ip under attack • Authenticity verified – whois and peering db • The attack is blocked in the source AS • Restricted to /32 prefixes • More participants, more efficacy Recommended • Internet service providers for home users One or more user will lost the connectivity, but the provider remains up Maybe recommended.... ISPs, Content Providers, Hosting Providers Client Services unavailable (news home, e-commerce basket, bakline page) UTRS AS 1234 Network Under Attack Destination: x.x.x.x/32 Upstream 1 Upstream 2 AS YYYY route x.x.x.x/32 null0 AS XXXX route x.x.x.x/32 null0 BGP update BGP update Attack Traffic
- 15. Mitigation – Clean Pipe IP Transit Providers PE Provider CPE Client Cleaning Center • Normal Traffic • Attack Traffic • Cleaned Traffic • Detection via Netflow • Start a more specific announce of ip/prefix under attack • The traffic will be “cleaned” using: - Syn cookies / Syn Auth - Static filters : drop proto udp and src port 1900 drop proto udp and src port 123 - Rate Limit per src/dst prefix and ports - Protocol Authentication - Payload regular expressions - TCP connection limit - Rate limit or drops using GeoIP
- 16. Mitigation – Cloud DDoS Mitigation Service Providers PE Provider CPE Client • Normal Traffic • Attack Traffic • Cleaned Traffic • GRE tunnel between client and provider • BGP session under gre tunnel • Detection via Netflow • Start a more specific announce of ip/prefix under attack • Cloud Provider annouce to your upstreams • All the input traffic will be via Cloud Provider Network • Block of layer 3 and 4 attacks • Additionaly, WAF services Cloud Provider Network BGP GRE GRE Pros • Capacity of mitigation – Tbps • Easy implementation, without changes in the client network Cons • Latency • GRE and MSS –MSS, TCP DF bit setted Inbound traffic Outbound traffic
- 17. Mitigation Layer 7 – Load Balancers • L7 HTTP/HTTPS Floods - Rate limit client IP, destination URL, destination URI - HTTP header analisys Check of User Agent Check of Referer Validation if client is a browser: - Cookie insertion - JS insertion Validation if client is a human: - Captcha insertion
- 18. Mitigation – Home Made • Iptables SynProxy Kernel 3.13, Red Hat 7 iptables -t raw -I PREROUTING -p tcp -m tcp --syn -j CT –notrack iptables -I INPUT -p tcp -m tcp -m conntrack –ctstate UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
- 19. Mitigation – Home Made • Mod Evasive Rate limit client IP, destination URL, destination URI DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 60 DOSEmailNotify admin@example.org
- 20. Mitigation – Home Made • Mod Security WAF – Monitoring, Log and Block OWASP Core rules - https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project Protocol violation RBL Block of floods e slow attacks Bot, crowler and scan detection
- 21. Mitigation – General Recomendations • Use Hybrid strategy Block l3/l4 attacks os the service provider Block l7 attacks using on-premisse solutions • Monitoring systems focused on DDoS detection • Configure Control Plane Policy. Use filters to block traffic to control plane of network devices • Don’t use the same prefixes to infrastructure and clients • Keep the mitigation easy – WEB Servers separated of DNS Servers, etc.... • Use anycast as possible – our old and good friend • Get away of statefull controls on the edge (Firewalls, IPS, etc). Use only where is necessary.
- 22. References • CERT.BR - Recomendações para Melhorar o Cenário de Ataques Distribuídos de Negação de Serviço (DDoS) http://www.cert.br/docs/whitepapers/ddos/ • Mod Evasive - http://www.zdziarski.com/blog/?page_id=442 • Mod Security - https://www.modsecurity.org/ • Iptables SynProxy - http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat- enterprise-linux-7-beta/ • UTRS - https://www.cymru.com/jtk/misc/utrs.html • Google Project Shield - https://projectshield.withgoogle.com/public