Date post: | 17-Jan-2017 |
Category: |
Internet |
Upload: | wilson-rogerio-lopes |
View: | 88 times |
Download: | 1 times |
Wilson Rogério Lopes
LACNIC 26 / LACNOG 2016
09/2016
DDoS AttacksScenery, Evolution and Mitigation
Wilson Rogério Lopes
• Network Engineer Specialist, with 12 years of experience in the internetindustry
• Postgraduate degree from University of Sao Paulo – USP
• Frequent speaker at GTER and GTS – Network engineering and securitygroups of Brazil, talking about network engineering, DDoS mitigation, DNSand DNSSEC
• Interests – Network architecture and network security, IaaS, SDN, DNS,DNSSEC
Contacts – [email protected]://br.linkedin.com/in/wrlopes
Disclaimer
All information and opinions contained in this presentation does not represent my employer. All information and stats presented is public, collected from blogs
and specialized sites on the internet.
Agenda
• DDoS – Scenery and Evolution
• Mitigation – Options and Applicability
• General Recomendations
“DDoS is a new spam…and it’severyone’s problem now.”
Technical Details Behind a 400Gbps NTP Amplification DDoS Attack13 Feb 2014 by Matthew Prince
http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/
“To generate approximately 400Gbps of traffic, the attacker used4,529 NTP servers running on 1,298 different networks. Onaverage, each of these servers sent 87Mbps of traffic to theintended victim on CloudFlare's network. Remarkably, it ispossible that the attacker used only a single server running on anetwork that allowed source IP address spoofing to initiate therequests.”
Source: Atlas Arbor Networks
SSDP - Simple Service Discovery Protocol
• UDP port 1900• “Search” Request• Amplification factor – 30x• 8 million of opened devices around the world
Source: https://ssdpscan.shadowserver.org/
2016 - IoT – CCTV Botnet
• CCTV devices – telnet, admin with default passwd• At least 70 vendors running the same linux embedded• Lizard Squad – Bot LizardStresser• 400Gbps of volumetry – without amplification
HTTP Request flood, tcp connections flood, udp flood
Source: https://www.arbornetworks.com/blog/asert/lizard-brain-lizardstresser/
2016 – Rio Olympic Games
Start of IoT botnet activity
• 540Gbps sustained• Targets – Sponsors, government sites, financial
institutions• Use of GRE to bypass the mitigations
Fonte: https://www.arbornetworks.com/blog/asert/lizard-brain-lizardstresser/
2016 – 21/09 – Retaliation and Censorship
• vDOS from Israel identified and owners were arrested• Reported by Brian Krebs - http://krebsonsecurity.com/about/• 665Gbps – 143Mpps – Without amplification !
2016 – 25/09 – Google Project Shield
#dig krebsonsecurity.com. krebsonsecurity.com. 246 IN A 130.211.45.45
CIDR: 130.211.0.0/16NetName: GOOGLE-CLOUD
DDoS Attacks – IPv6
Source: Arbor 2016 Worldwide Infrastructure Security Report
• 354 Service Providers interviewed• 70% answered that have IPv6 deployed
2015 – 2% at least 1 DDoS attack2016 – 9%
Biggest volumetry - 6Gbps
Mitigation – Team Cymru UTRS
BGP Peeringx.x.x.x/32 announce
• UTRS - Unwanted Traffic Removal Service• Destination RTBH multihop – BGP• AS victim annouces the ip under attack• Authenticity verified – whois and peering db• The attack is blocked in the source AS• Restricted to /32 prefixes• More participants, more efficacy
Recommended• Internet service providers for home users
One or more user will lost the connectivity, but theprovider remains up
Maybe recommended....ISPs, Content Providers, Hosting ProvidersClient Services unavailable (news home, e-commerce basket, bakline page)
UTRS
AS 1234Network Under AttackDestination: x.x.x.x/32
Upstream 1 Upstream 2
AS YYYYroute x.x.x.x/32 null0
AS XXXXroute x.x.x.x/32 null0
BGP updateBGP update
Attack Traffic
Mitigation – Clean Pipe IP Transit Providers
PE Provider
CPE Client
Cleaning Center
• Normal Traffic• Attack Traffic• Cleaned Traffic
• Detection via Netflow• Start a more specific announce of ip/prefix under attack• The traffic will be “cleaned” using:
- Syn cookies / Syn Auth- Static filters : drop proto udp and src port 1900
drop proto udp and src port 123- Rate Limit per src/dst prefix and ports- Protocol Authentication- Payload regular expressions- TCP connection limit- Rate limit or drops using GeoIP
Mitigation – Cloud DDoS Mitigation Service Providers
PE Provider
CPE Client
• Normal Traffic• Attack Traffic• Cleaned Traffic
• GRE tunnel between client and provider• BGP session under gre tunnel• Detection via Netflow• Start a more specific announce of ip/prefix under attack• Cloud Provider annouce to your upstreams• All the input traffic will be via Cloud Provider Network• Block of layer 3 and 4 attacks• Additionaly, WAF services
Cloud Provider Network
BGP
GRE
GRE
Pros• Capacity of mitigation – Tbps• Easy implementation, without changes in the client network
Cons• Latency• GRE and MSS –MSS, TCP DF bit setted
Inbound traffic
Outbound traffic
Mitigation Layer 7 – Load Balancers
• L7 HTTP/HTTPS Floods
- Rate limit client IP, destination URL, destination URI
- HTTP header analisys
Check of User AgentCheck of Referer
Validation if client is a browser:
- Cookie insertion
- JS insertion
Validation if client is a human:
- Captcha insertion
Mitigation – Home Made
• Iptables SynProxy
Kernel 3.13, Red Hat 7
iptables -t raw -I PREROUTING -p tcp -m tcp --syn -j CT –notrack
iptables -I INPUT -p tcp -m tcp -m conntrack –ctstate UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
Mitigation – Home Made
• Mod Evasive
Rate limit client IP, destination URL, destination URI
DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 60DOSEmailNotify [email protected]
Mitigation – Home Made
• Mod Security
WAF – Monitoring, Log and Block
OWASP Core rules - https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Protocol violationRBLBlock of floods e slow attacksBot, crowler and scan detection
Mitigation – General Recomendations
• Use Hybrid strategy
Block l3/l4 attacks os the service providerBlock l7 attacks using on-premisse solutions
• Monitoring systems focused on DDoS detection
• Configure Control Plane Policy. Use filters to block traffic to control plane of network devices
• Don’t use the same prefixes to infrastructure and clients
• Keep the mitigation easy – WEB Servers separated of DNS Servers, etc....
• Use anycast as possible – our old and good friend
• Get away of statefull controls on the edge (Firewalls, IPS, etc). Use only where is necessary.
References
• CERT.BR - Recomendações para Melhorar o Cenário de Ataques Distribuídos de Negação de Serviço (DDoS) http://www.cert.br/docs/whitepapers/ddos/
• Mod Evasive - http://www.zdziarski.com/blog/?page_id=442
• Mod Security - https://www.modsecurity.org/
• Iptables SynProxy - http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/
• UTRS - https://www.cymru.com/jtk/misc/utrs.html
• Google Project Shield - https://projectshield.withgoogle.com/public