Wilson Rogério Lopes

LACNIC 26 / LACNOG 2016

09/2016

DDoS AttacksScenery, Evolution and Mitigation

Wilson Rogério Lopes

• Network Engineer Specialist, with 12 years of experience in the internetindustry

• Postgraduate degree from University of Sao Paulo – USP

• Frequent speaker at GTER and GTS – Network engineering and securitygroups of Brazil, talking about network engineering, DDoS mitigation, DNSand DNSSEC

• Interests – Network architecture and network security, IaaS, SDN, DNS,DNSSEC

Contacts – wilsonlopes00@gmail.comhttps://br.linkedin.com/in/wrlopes

Disclaimer

All information and opinions contained in this presentation does not represent my employer. All information and stats presented is public, collected from blogs

and specialized sites on the internet.

Agenda

• DDoS – Scenery and Evolution

• Mitigation – Options and Applicability

• General Recomendations

“DDoS is a new spam…and it’severyone’s problem now.”

Technical Details Behind a 400Gbps NTP Amplification DDoS Attack13 Feb 2014 by Matthew Prince

http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/

“To generate approximately 400Gbps of traffic, the attacker used4,529 NTP servers running on 1,298 different networks. Onaverage, each of these servers sent 87Mbps of traffic to theintended victim on CloudFlare's network. Remarkably, it ispossible that the attacker used only a single server running on anetwork that allowed source IP address spoofing to initiate therequests.”

Source: Atlas Arbor Networks

SSDP - Simple Service Discovery Protocol

• UDP port 1900• “Search” Request• Amplification factor – 30x• 8 million of opened devices around the world

Source: https://ssdpscan.shadowserver.org/

2016 - IoT – CCTV Botnet

• CCTV devices – telnet, admin with default passwd• At least 70 vendors running the same linux embedded• Lizard Squad – Bot LizardStresser• 400Gbps of volumetry – without amplification

HTTP Request flood, tcp connections flood, udp flood

Source: https://www.arbornetworks.com/blog/asert/lizard-brain-lizardstresser/

2016 – Rio Olympic Games

Start of IoT botnet activity

• 540Gbps sustained• Targets – Sponsors, government sites, financial

institutions• Use of GRE to bypass the mitigations

Fonte: https://www.arbornetworks.com/blog/asert/lizard-brain-lizardstresser/

2016 – 21/09 – Retaliation and Censorship

• vDOS from Israel identified and owners were arrested• Reported by Brian Krebs - http://krebsonsecurity.com/about/• 665Gbps – 143Mpps – Without amplification !

2016 – 25/09 – Google Project Shield

#dig krebsonsecurity.com. krebsonsecurity.com. 246 IN A 130.211.45.45

CIDR: 130.211.0.0/16NetName: GOOGLE-CLOUD

DDoS Attacks – IPv6

Source: Arbor 2016 Worldwide Infrastructure Security Report

• 354 Service Providers interviewed• 70% answered that have IPv6 deployed

2015 – 2% at least 1 DDoS attack2016 – 9%

Biggest volumetry - 6Gbps

Mitigation – Team Cymru UTRS

BGP Peeringx.x.x.x/32 announce

• UTRS - Unwanted Traffic Removal Service• Destination RTBH multihop – BGP• AS victim annouces the ip under attack• Authenticity verified – whois and peering db• The attack is blocked in the source AS• Restricted to /32 prefixes• More participants, more efficacy

Recommended• Internet service providers for home users

One or more user will lost the connectivity, but theprovider remains up

Maybe recommended....ISPs, Content Providers, Hosting ProvidersClient Services unavailable (news home, e-commerce basket, bakline page)

UTRS

AS 1234Network Under AttackDestination: x.x.x.x/32

Upstream 1 Upstream 2

AS YYYYroute x.x.x.x/32 null0

AS XXXXroute x.x.x.x/32 null0

BGP updateBGP update

Attack Traffic

Mitigation – Clean Pipe IP Transit Providers

PE Provider

CPE Client

Cleaning Center

• Normal Traffic• Attack Traffic• Cleaned Traffic

• Detection via Netflow• Start a more specific announce of ip/prefix under attack• The traffic will be “cleaned” using:

- Syn cookies / Syn Auth- Static filters : drop proto udp and src port 1900

drop proto udp and src port 123- Rate Limit per src/dst prefix and ports- Protocol Authentication- Payload regular expressions- TCP connection limit- Rate limit or drops using GeoIP

Mitigation – Cloud DDoS Mitigation Service Providers

PE Provider

CPE Client

• Normal Traffic• Attack Traffic• Cleaned Traffic

• GRE tunnel between client and provider• BGP session under gre tunnel• Detection via Netflow• Start a more specific announce of ip/prefix under attack• Cloud Provider annouce to your upstreams• All the input traffic will be via Cloud Provider Network• Block of layer 3 and 4 attacks• Additionaly, WAF services

Cloud Provider Network

BGP

GRE

GRE

Pros• Capacity of mitigation – Tbps• Easy implementation, without changes in the client network

Cons• Latency• GRE and MSS –MSS, TCP DF bit setted

Inbound traffic

Outbound traffic

Mitigation Layer 7 – Load Balancers

• L7 HTTP/HTTPS Floods

- Rate limit client IP, destination URL, destination URI

- HTTP header analisys

Check of User AgentCheck of Referer

Validation if client is a browser:

- Cookie insertion

- JS insertion

Validation if client is a human:

- Captcha insertion

Mitigation – Home Made

• Iptables SynProxy

Kernel 3.13, Red Hat 7

iptables -t raw -I PREROUTING -p tcp -m tcp --syn -j CT –notrack

iptables -I INPUT -p tcp -m tcp -m conntrack –ctstate UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460

Mitigation – Home Made

• Mod Evasive

Rate limit client IP, destination URL, destination URI

DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 60DOSEmailNotify admin@example.org

Mitigation – Home Made

• Mod Security

WAF – Monitoring, Log and Block

OWASP Core rules - https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Protocol violationRBLBlock of floods e slow attacksBot, crowler and scan detection

Mitigation – General Recomendations

• Use Hybrid strategy

Block l3/l4 attacks os the service providerBlock l7 attacks using on-premisse solutions

• Monitoring systems focused on DDoS detection

• Configure Control Plane Policy. Use filters to block traffic to control plane of network devices

• Don’t use the same prefixes to infrastructure and clients

• Keep the mitigation easy – WEB Servers separated of DNS Servers, etc....

• Use anycast as possible – our old and good friend

• Get away of statefull controls on the edge (Firewalls, IPS, etc). Use only where is necessary.

References

• CERT.BR - Recomendações para Melhorar o Cenário de Ataques Distribuídos de Negação de Serviço (DDoS) http://www.cert.br/docs/whitepapers/ddos/

• Mod Evasive - http://www.zdziarski.com/blog/?page_id=442

• Mod Security - https://www.modsecurity.org/

• Iptables SynProxy - http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/

• UTRS - https://www.cymru.com/jtk/misc/utrs.html

• Google Project Shield - https://projectshield.withgoogle.com/public