DDoS Attacks in 2017: Beyond Packet Filtering
Uploaded by qrator-labs. Category: Internet.
Transcript of DDoS Attacks in 2017: Beyond Packet Filtering
Page 1
qrator.net 2016
DDOS ATTACKS IN 2017: BEYOND PACKET FILTERING
Artyom Gavrichenkov, Qrator Labs, [email protected]
Page 2
PARENTAL ADVISORY
Page 3–5
[Chart over the years 2012, 2013, 2014, 2015 with the series Volumetric and TCP-based; values shown on the chart: 7861038, 1993, 477370, 845; annotation: HERE BE DRAGONS]
Page 6–13
Distributed Denial-of-Service attack
• An attempt to make a network resource unavailable by exhausting its resources:
• Bandwidth: ICMP flood, UDP flood, SYN flood…
  Amplification: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS, RIPv1, PORTMAP, CHARGEN, QOTD...
• TCP finite state machine implementation attacks: SYN flood, ACK flood, TCP connection flood…
• Application-specific bottlenecks (HTTP server, DBMS, caches, etc.)
Page 14–17
Packet-based DDoS
[Diagram: a growing number of Ping* packets converging on Target]
qrator.net 2016
L7 DDoS
Target
GET*
![Page 19: DDoS Attacks in 2017: Beyond Packet Filtering](https://reader034.fdocuments.in/reader034/viewer/2022042907/587d34941a28ab2a448b5b09/html5/thumbnails/19.jpg)
qrator.net 2016
L7 DDoS
Target
GET*
GET*
![Page 20: DDoS Attacks in 2017: Beyond Packet Filtering](https://reader034.fdocuments.in/reader034/viewer/2022042907/587d34941a28ab2a448b5b09/html5/thumbnails/20.jpg)
qrator.net 2016
L7 DDoS
Target
GET*
GET*GET*
GET*
![Page 21: DDoS Attacks in 2017: Beyond Packet Filtering](https://reader034.fdocuments.in/reader034/viewer/2022042907/587d34941a28ab2a448b5b09/html5/thumbnails/21.jpg)
qrator.net 2016
L7 DDoS
Target
GET*
GET*
GET*
GET*
GET*GET*
GET*
Page 22–24
Packet vs Request
• 3-way handshake => SYN cookies => IP Authentication
• IP Authentication not available in most* UDP-based protocols => Spoofing => UDP Amplification!
• Amp-vulnerable server may be identified by source port => Flow Spec solves problems!
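The first bullet compresses a whole mechanism into one arrow: a completed 3-way handshake proves the peer really is at the source address it claimed, and SYN cookies let a server keep that proof without storing per-SYN state during a flood. The following is an added example written for this transcript, not code from the talk or from Qrator; the cookie layout (5-bit counter, 3-bit MSS index, 24-bit keyed hash), the MSS table and the 64-second counter period are simplifying assumptions and not any particular kernel's format.

```python
"""Why a completed 3-way handshake authenticates the client's IP address, and
how SYN cookies keep that property under SYN flood. Added example; not from the
talk and not any particular kernel's cookie layout (assumed here).

Without cookies a server stores state for every SYN, so a spoofed SYN flood
fills the backlog. With cookies the SYN-ACK's initial sequence number (ISN)
*is* the state: it encodes the 4-tuple, a coarse time counter and an MSS index
under a server-side secret. Only a host that actually received the SYN-ACK at
the claimed source address can answer with ACK = ISN + 1, so an address that
completes the handshake cannot have been spoofed. A UDP service has no such
exchange, which is the spoofing gap the slide's next bullet is about.
"""
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)               # per-server key (rotated in real systems)
MSS_TABLE = (536, 1220, 1440, 1460)   # the only MSS values a 3-bit index can carry
COUNTER_PERIOD_S = 64                 # one counter tick (assumed value)
MAX_COUNTER_AGE = 1                   # accept this tick and the previous one


def _counter(now: float) -> int:
    """5-bit coarse timestamp; wraps every 32 ticks."""
    return int(now // COUNTER_PERIOD_S) & 0x1F


def _hash24(src_ip, src_port, dst_ip, dst_port, counter) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple and the tick."""
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now=None) -> int:
    """ISN to put in the SYN-ACK; the server keeps no per-connection state."""
    now = time.time() if now is None else now
    counter = _counter(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry <= client's MSS
        if mss <= client_mss:
            mss_idx = i
    h = _hash24(src_ip, src_port, dst_ip, dst_port, counter)
    return (counter << 27) | (mss_idx << 24) | h


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, now=None):
    """Validate the final ACK of the handshake.

    Returns the MSS to use, or None if the ACK does not prove receipt of our
    SYN-ACK (wrong 4-tuple, stale cookie, or a forged acknowledgement number).
    """
    now = time.time() if now is None else now
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if ((_counter(now) - counter) & 0x1F) > MAX_COUNTER_AGE:
        return None                       # too old (or from the future)
    expected = _hash24(src_ip, src_port, dst_ip, dst_port, counter)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                       # tuple mismatch or forged cookie
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    tuple4 = ("198.51.100.10", 50000, "203.0.113.1", 443)   # constructed addresses
    isn = make_syn_cookie(*tuple4, client_mss=1460, now=1000.0)
    print("genuine ACK  ->", check_syn_cookie(*tuple4, ack_number=isn + 1, now=1000.0))
    print("spoofed src  ->", check_syn_cookie("198.51.100.11", 50000, "203.0.113.1", 443,
                                              ack_number=isn + 1, now=1000.0))
    print("stale cookie ->", check_syn_cookie(*tuple4, ack_number=isn + 1, now=1300.0))
```

The design point is that validation needs only the packet in hand plus the secret: a spoofed SYN costs the server one hash and no memory, and a spoofed ACK fails the hash because the forger never saw the ISN. The price is the small MSS table and the loss of other SYN options, which is why real stacks switch cookies on only once the backlog is under pressure.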
Page 25
BGP Flow Spec?
Page 26
BGP Flow Spec!
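The slide's claim that an amplification source can be recognised by its source port and handled with BGP Flow Spec, worked through on sample data as an added example (not code from the talk or from Qrator): reflected UDP traffic arrives from the abused service's well-known port, so a rule matching IP protocol plus source port catches it regardless of which spoofed victim address triggered it. The flow records and the traffic window below are constructed; the amplifier port list follows the services named on the slide with their IANA port numbers; the rules are emitted as plain dictionaries using RFC 5575 component names, not any vendor's configuration syntax.

```python
"""Recognising reflected amplification by source port and expressing the
mitigation as Flow Spec-style rules. Added example, not from the talk.

RFC 5575 lets a router match on destination prefix, IP protocol and source
port and attach a traffic-rate action whose rate is in bytes per second, with
rate 0 meaning discard. The flow records are constructed for this example.
"""
from collections import defaultdict

# UDP services from the slide that get abused as reflectors, keyed by the
# IANA-assigned port that reflected traffic arrives *from*.
AMPLIFIER_PORTS = {
    123: "NTP", 53: "DNS", 161: "SNMP", 1900: "SSDP", 137: "NetBIOS",
    520: "RIPv1", 111: "PORTMAP", 19: "CHARGEN", 17: "QOTD",
}
UDP = 17  # IP protocol number

# Constructed flow records (what a NetFlow/sFlow collector would hand over)
# covering a 10-second window. 203.0.113.10 is the victim under attack.
WINDOW_S = 10
SAMPLE_FLOWS = [
    {"proto": "udp", "src_ip": "198.51.100.7", "src_port": 123,  "dst_ip": "203.0.113.10", "dst_port": 40123, "bytes": 75_000_000},
    {"proto": "udp", "src_ip": "198.51.100.8", "src_port": 123,  "dst_ip": "203.0.113.10", "dst_port": 40123, "bytes": 62_000_000},
    {"proto": "udp", "src_ip": "198.51.100.9", "src_port": 1900, "dst_ip": "203.0.113.10", "dst_port": 40123, "bytes": 9_000_000},
    {"proto": "udp", "src_ip": "192.0.2.53",   "src_port": 53,   "dst_ip": "203.0.113.10", "dst_port": 51512, "bytes": 1_200},       # ordinary DNS reply
    {"proto": "tcp", "src_ip": "192.0.2.77",   "src_port": 443,  "dst_ip": "203.0.113.10", "dst_port": 51600, "bytes": 4_000_000},   # ordinary HTTPS
    {"proto": "udp", "src_ip": "198.51.100.7", "src_port": 123,  "dst_ip": "203.0.113.11", "dst_port": 40124, "bytes": 2_000},       # NTP to another host
]


def amplification_bytes(flows):
    """Sum bytes per (victim, source port) over UDP flows from amplifier ports.

    TCP and UDP from non-service ports are ignored: they may be attack traffic
    too, but a source-port rule cannot single them out, which is exactly the
    limitation the rest of the talk is about.
    """
    totals = defaultdict(int)
    for f in flows:
        if f["proto"] == "udp" and f["src_port"] in AMPLIFIER_PORTS:
            totals[(f["dst_ip"], f["src_port"])] += f["bytes"]
    return dict(totals)


def build_flowspec_rules(flows, window_s, threshold_bps, rate_limit_bytes_per_s=0):
    """One rule per (victim, source port) whose rate exceeds the threshold."""
    rules = []
    for (dst_ip, sport), nbytes in sorted(amplification_bytes(flows).items()):
        bps = nbytes * 8 / window_s
        if bps < threshold_bps:
            continue
        rules.append({
            "destination-prefix": f"{dst_ip}/32",
            "ip-protocol": UDP,
            "source-port": sport,
            "traffic-rate": rate_limit_bytes_per_s,   # 0 == discard (RFC 5575 section 7)
            "comment": f"{AMPLIFIER_PORTS[sport]} reflection at {bps / 1e6:.1f} Mbps",
        })
    return rules


if __name__ == "__main__":
    for rule in build_flowspec_rules(SAMPLE_FLOWS, WINDOW_S, threshold_bps=50e6):
        print(rule)
```

Matching on source port is coarse: the same rule also drops the victim's legitimate replies from that service (real NTP or DNS answers), so a rate limit rather than a discard is the safer action when the victim depends on the service. It also shows the blind spot the talk moves on to: an attack built on completed TCP handshakes or plain HTTP requests offers no such port to match.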
qrator.net 2016
Wordpress PingbackGET /whateverUser-Agent: WordPress/3.9.2;http://example.com/;verifying pingbackfrom 192.0.2.150
• 150-170 vulnerable serversat once• SSL/TLS-enabled
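What makes this reflector visible on the victim's side is the request itself: every reflected fetch carries the User-Agent shown on the slide, naming the WordPress site doing the fetching and the address the pingback claims to come from. The following detector, an added example and not the talk's or Qrator's code, runs over access-log lines in the common combined format, counts how many distinct WordPress installations are fetching the same resource in a window and flags the pattern once that count passes a threshold. The log lines and the threshold are constructed for the example.

```python
"""Detecting WordPress pingback reflection in a web server's access log.
Added example, not from the talk; log lines below are constructed.

A single WordPress site verifying a pingback is normal. Dozens of unrelated
sites fetching the same URL within seconds, all "verifying pingback from" the
same address, is the reflection pattern from the slide.
"""
import re
from collections import Counter

# Combined log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The pingback verification User-Agent as shown on the slide.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<ver>[\d.]+); (?P<site>\S+); verifying pingback from (?P<origin>\S+)$'
)

# Constructed sample: four distinct WordPress sites hit /whatever within two
# seconds (one of them twice), plus a normal browser and an unparsable line.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2016:13:55:36 +0000] "GET /whatever HTTP/1.1" 200 51234 "-" "WordPress/3.9.2; http://blog-a.example/; verifying pingback from 192.0.2.150"
203.0.113.6 - - [10/Oct/2016:13:55:36 +0000] "GET /whatever HTTP/1.1" 200 51234 "-" "WordPress/4.5.3; http://blog-b.example/; verifying pingback from 192.0.2.150"
203.0.113.7 - - [10/Oct/2016:13:55:37 +0000] "GET /whatever?x=1 HTTP/1.1" 200 51234 "-" "WordPress/4.6; https://blog-c.example/; verifying pingback from 192.0.2.150"
203.0.113.5 - - [10/Oct/2016:13:55:37 +0000] "GET /whatever HTTP/1.1" 200 51234 "-" "WordPress/3.9.2; http://blog-a.example/; verifying pingback from 192.0.2.150"
203.0.113.8 - - [10/Oct/2016:13:55:37 +0000] "GET /whatever HTTP/1.1" 200 51234 "-" "WordPress/4.6; http://blog-d.example/; verifying pingback from 192.0.2.151"
198.51.100.20 - - [10/Oct/2016:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 8312 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0"
this line is not a valid access-log record
"""


def parse_line(line):
    """Return the combined-format fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def pingback_fields(user_agent):
    """Return version/site/origin if the UA is a WordPress pingback check, else None."""
    m = PINGBACK_UA_RE.match(user_agent)
    return m.groupdict() if m else None


def analyse(lines, min_distinct_sites=3):
    """Summarise pingback traffic in the given lines and flag reflection.

    min_distinct_sites is the number of different WordPress installations that
    must appear before the window is flagged (threshold assumed for the example).
    """
    requests, sites, paths, origins = 0, Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pb = pingback_fields(rec["ua"])
        if pb is None:
            continue
        requests += 1
        sites[pb["site"]] += 1
        origins[pb["origin"]] += 1
        parts = rec["req"].split()               # "GET /path HTTP/1.1"
        paths[parts[1] if len(parts) > 1 else rec["req"]] += 1
    return {
        "pingback_requests": requests,
        "distinct_sites": len(sites),
        "top_paths": paths.most_common(3),
        "claimed_origins": dict(origins),
        "flagged": len(sites) >= min_distinct_sites,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG.splitlines()))
```

The "verifying pingback from" address is whatever the attacker told the reflector, so it identifies the campaign rather than the attacker; the reflecting sites' own addresses are what a per-source rate limit or a User-Agent based 403 rule would act on. Because the reflector completes a full TCP (and, as the slide notes, TLS) handshake, none of the packet-level defences from the previous slide apply here; the request has to be inspected.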
Page 31–37
WordPress Pingback
• Millions of vulnerable servers
Joomla? Drupal? Mediawiki? Sharepoint? TinyCMS? ModX?
Page 40–44
Amplification
300 Mbps → 30 Gbps
2000 Mbps → 200 Gbps
? → 500 Gbps
Page 45
Pure TCP-based attack today
Page 46
The Void
• To survive TCP- and HTTPS-based attacks, one needs a session-capable and TLS-capable DPI
• To survive large botnets, one needs a behavioral analysis and correlation analysis built into that DPI
• That's extremely expensive for a large network
Page 47
The Void
• Any service offering SLA must do all of this
• A service lacking any of those features is best effort
• No one likes best effort services
Page 48
The Cure
• BCP 38 is no cure*
• IPv6 is no cure
• Time to fight for yourselves
• Care about other customers
• It's every man for himself now
Page 49
The Future