ddos attacks in 2017: beyond packet filtering

qrator.net 2016

DDOS ATTACKS IN 2017: BEYOND PACKET FILTERING

Artyom GavrichenkovQrator Labsag@qrator.net

qrator.net 2016

PARENTAL ADVISORY

qrator.net 2016

3

7861038

1993

477370

845

_2012_ _2013_ _2014_ _2015_

Volumetric

TCP-based

HERE BEDRAGONS

qrator.net 2016

4

7861038

1993

477370

845

_2012_ _2013_ _2014_ _2015_

Volumetric

TCP-based

HERE BEDRAGONS

qrator.net 2016

5

7861038

1993

477370

845

_2012_ _2013_ _2014_ _2015_

Volumetric

TCP-based

HERE BEDRAGONS

qrator.net 2016

Distributed Denial-of-Service attack• An attempt to make a network resource unavailable

by exhausting its resources

qrator.net 2016

Distributed Denial-of-Service attack• An attempt to make a network resource unavailable

by exhausting its resources:• Bandwidth

qrator.net 2016

Distributed Denial-of-Service attack• An attempt to make a network resource unavailable

by exhausting its resources:• Bandwidth:

ICMP flood, UDP flood, SYN flood…

qrator.net 2016

Distributed Denial-of-Service attack• An attempt to make a network resource unavailable

by exhausting its resources:• Bandwidth:

ICMP flood, UDP flood, SYN flood…Amplification: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS,

RIPv1, PORTMAP, CHARGEN, QOTD...

qrator.net 2016

Distributed Denial-of-Service attack• An attempt to make a network resource unavailable

by exhausting its resources:• Bandwidth:

ICMP flood, UDP flood, SYN flood…Amplification: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS,

RIPv1, PORTMAP, CHARGEN, QOTD...• TCP finite state machine implementation attacks

qrator.net 2016

Distributed Denial-of-Service attack• An attempt to make a network resource unavailable

by exhausting its resources:• Bandwidth:

ICMP flood, UDP flood, SYN flood…Amplification: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS,

RIPv1, PORTMAP, CHARGEN, QOTD...• TCP finite state machine implementation attacks:

SYN flood, ACK flood, TCP connection flood…

qrator.net 2016

Distributed Denial-of-Service attack• An attempt to make a network resource unavailable

by exhausting its resources:• Bandwidth:

ICMP flood, UDP flood, SYN flood…Amplification: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS,

RIPv1, PORTMAP, CHARGEN, QOTD...• TCP finite state machine implementation attacks:

SYN flood, ACK flood, TCP connection flood…

qrator.net 2016

Distributed Denial-of-Service attack• An attempt to make a network resource unavailable

by exhausting its resources:• Bandwidth:

ICMP flood, UDP flood, SYN flood…Amplification: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS,

RIPv1, PORTMAP, CHARGEN, QOTD...• TCP finite state machine implementation attacks:

SYN flood, ACK flood, TCP connection flood…• Application-specific bottlenecks (HTTP server, DBMS, caches, etc)

qrator.net 2016

Packet-based DDoS

Target

Ping*

qrator.net 2016

Packet-based DDoS

Target

Ping*

Ping*

qrator.net 2016

Packet-based DDoS

Target

Ping*

Ping*Ping*

Ping*

qrator.net 2016

Packet-based DDoS

Target

Ping*

Ping*

Ping*

Ping*

Ping*Ping*

Ping*

qrator.net 2016

L7 DDoS

Target

GET*

qrator.net 2016

L7 DDoS

Target

GET*

GET*

qrator.net 2016

L7 DDoS

Target

GET*

GET*GET*

GET*

qrator.net 2016

L7 DDoS

Target

GET*

GET*

GET*

GET*

GET*GET*

GET*

qrator.net 2016

Packet vs Request• 3-way handshake

=> SYN cookies=> IP Authentication

qrator.net 2016

Packet vs Request• 3-way handshake

=> SYN cookies=> IP Authentication

• IP Authentication not available in most* UDP-based protocols=> Spoofing=> UDP Amplification!

qrator.net 2016

Packet vs Request• 3-way handshake

=> SYN cookies=> IP Authentication

• IP Authentication not available in most* UDP-based protocols=> Spoofing=> UDP Amplification!

• Amp-vulnerable server may be identified by source port=> Flow Spec solves problems!

qrator.net 2016

BGP Flow Spec?

qrator.net 2016

BGP Flow Spec!

qrator.net 2016

Packet vs Request• 3-way handshake

=> SYN cookies=> IP Authentication

• IP Authentication not available in most* UDP-based protocols=> Spoofing=> UDP Amplification!

• Amp-vulnerable server may be identified by source port=> Flow Spec solves problems!

qrator.net 2016

Packet vs Request• 3-way handshake

=> SYN cookies=> IP Authentication

• IP Authentication not available in most* UDP-based protocols=> Spoofing=> UDP Amplification!

• Amp-vulnerable server may be identified by source port=> Flow Spec solves problems!

qrator.net 2016

Packet vs Request• 3-way handshake

=> SYN cookies=> IP Authentication

• IP Authentication not available in most* UDP-based protocols=> Spoofing=> UDP Amplification!

• Amp-vulnerable server may be identified by source port=> Flow Spec solves problems!

qrator.net 2016

Wordpress PingbackGET /whateverUser-Agent: WordPress/3.9.2;http://example.com/;verifying pingbackfrom 192.0.2.150

• 150-170 vulnerable serversat once• SSL/TLS-enabled

qrator.net 2016

Wordpress Pingback• Millions of vulnerable servers

qrator.net 2016

Wordpress Pingback• Millions of vulnerable servers

Drupal?

qrator.net 2016

Wordpress Pingback• Millions of vulnerable servers

Joomla?

Drupal?

qrator.net 2016

Wordpress Pingback• Millions of vulnerable servers

Joomla?

Drupal?

Mediawiki?

qrator.net 2016

Wordpress Pingback• Millions of vulnerable servers

Joomla?

Drupal?Sharepoint?

Mediawiki?

qrator.net 2016

Wordpress Pingback• Millions of vulnerable servers

Joomla?

TinyCMS?

Drupal?ModX? Sharepoint?

Mediawiki?

qrator.net 2016

Wordpress Pingback• Millions of vulnerable servers

Joomla?

TinyCMS?

Drupal?ModX? Sharepoint?

Mediawiki?

qrator.net 2016

Packet vs Request• 3-way handshake

=> SYN cookies=> IP Authentication

• IP Authentication not available in most* UDP-based protocols=> Spoofing=> UDP Amplification!

• Amp-vulnerable server may be identified by source port=> Flow Spec solves problems!

qrator.net 2016

Packet vs Request• 3-way handshake

=> SYN cookies=> IP Authentication

• IP Authentication not available in most* UDP-based protocols=> Spoofing=> UDP Amplification!

• Amp-vulnerable server may be identified by source port=> Flow Spec solves problems!

qrator.net 2016

40

300 Mbps

30 Gbps

Amplification

qrator.net 2016

41

2000 Mbps

200 Gbps

Amplification

qrator.net 2016

42

qrator.net 2016

43

2000 Mbps

200 Gbps

Amplification

qrator.net 2016

44

?

500 Gbps

Amplification

qrator.net 2016

Pure TCP-based attack today

qrator.net 2016

The Void

• To survive TCP- and HTTPS-based attacks,one needs a session-capable and TLS-capable DPI• To survive large botnets,

one needs a behavioral analysis andcorrelation analysis built into that DPI

• That’s extremely expensive for a large network

qrator.net 2016

The Void

• Any service offering SLA must do all of this• A service lacking any of those features is best effort• No one likes best effort services

qrator.net 2016

The Cure

• BCP 38 is no cure*• IPv6 is no cure• Time to fight for yourselves• Care about other customers• It’s every man for himself now

qrator.net 2016

The Future

qrator.net 2016

Thank you, and good luck!mailto: Artyom Gavrichenkov <ag@qrator.net>