in the netherlands, europe, and beyond(snort, suricata, bro, iptables, ebpf, bgp flowspec, …)...

SOLVING DDOS ATTACKS FACILITATING BRIDGING SOLUTIONS AND STAKEHOLDERS

DDOS CLEARING HOUSEIN THE NETHERLANDS

2019-05-21

, EUROPE, AND BEYOND

SOLVING DDOS ATTACKSKoen van Hove

Researcher at the University of Twente

THE PROBLEM AND OUR IDEA

https://www.bus

iness.c

om/categ

ories/be

st-ddo

s-protec

tion-services/

https://scho

oogle.nl/sch

olar?h

&as_sdt=0

ck&btnG

WHY DOES DDOS STILL

EXIST?

??? ? ?? ?

SOLVING DDOS

ATTACKS

SOLVING DDOS

ATTACKS

ACADEMIADDOS

PROTECTIONPROVIDERS

DDOSPROTECTIONPROVIDERS

VICTIMSNETWORK

OPERATORS+

CERT/CSIRTACADEMIA

LAWENFORCEMENT

AGENCIES

DDOS CLEARING HOUSE

NETWORK MEASUREMENT (PCAP, NET FLOW, IPFIX, SFLOW, LOGS, …)DDOS_DISSECTORINPUT: NETWORK MEASUREMENTOUTPUT: DDOS FINGERPRINT (+*NOTES)

FILTERED & ANONYMIZED NETWORK MEASUREMENTSDDOS_FINGERPRINT_CONVERTERSINPUT: DDOS FINGERPRINTOUTPUT: RULE/SIGNATURE FOR SPECIFIC HW/SW SOLUTION(S)(SNORT, SURICATA, BRO, IPTABLES, EBPF, BGP FLOWSPEC, …)DDOSDBSTORE, ENRICH, AND DISTRIBUTE DDOS ATTACK RELATED INFO

VICTIMSNETWORK

OPERATORS+

CERT/CSIRTACADEMIA

LAWENFORCEMENT

AGENCIES

VICTIMSNETWORK

OPERATORS+

CERT/CSIRTACADEMIA

LAWENFORCEMENT

AGENCIES

VICTIMSNETWORK

OPERATORS+

CERT/CSIRTACADEMIA

LAWENFORCEMENT

AGENCIES

VICTIMSNETWORK

OPERATORS+

CERT/CSIRTACADEMIA

LAWENFORCEMENT

AGENCIES

VICTIMSNETWORK

OPERATORS+

CERT/CSIRTACADEMIA

LAWENFORCEMENT

AGENCIES

ONE EXTRA ELEMENT…

DDOS OPEN THREAT SIGNALING (DOTS) [IETF]

DEMO:USING THE DDOS DISSECTOR

DEMO:QUERYING DDOSDB

[THE CURRENT]DEPLOYMENT & GOVERNANCE

TIMELIME

https://github.com/ddos-clearing-house https://ddosdb.ORG https://ddosdb.NL

CHALLENGES & FUTURE DIRECTIONS

.org .nl

.org.nl.it

QUESTIONS?

SOLVING DDOS ATTACKSKoen van Hove

Researcher at the University of Twentekoen@ddosdb.org

BACKUP SLIDES

NETWORK MEASUREMENT (PCAP, NET FLOW, IPFIX, SFLOW, LOGS, …)DDOS_DISSECTORINPUT: NETWORK MEASUREMENTOUTPUT: DDOS FINGERPRINT (+*NOTES)

FILTERED AND ANONYMIZED NETW. MEASU.DDOS_FINGERPRINT_CONVERTERSINPUT: DDOS FINGERPRINTOUTPUT: RULE/SIGNATURE FOR SPECIFIC HW/SW SOLUTION(S)(SNORT, SURICATA, BRO, IPTABLES, EBPF, BGP FLOWSPEC, …)DDOSDBSTORE, ENRICH, AND DISTRIBUTE DDOS ATTACK RELATED INFO

SOLVING DDOS ATTACKS FACILITATING BRIDGING SOLUTIONS AND STAKEHOLDERS

DDOS CLEARING HOUSEIN THE NETHERLANDS, EUROPE, AND BEYOND

3/03/2019

https://www.zdn

et.com

/article/the-av

os-atta

ck-cos

t-for-bus

inesses-ris

WHAT IS THE AVERAGE ECONOMIC LOSS PER DDOS ATTACK?A. $25.000 C. $2.500.000

D. $25.000.000B. $250.000

in the netherlands, europe, and beyond(snort, suricata, bro, iptables, ebpf, bgp flowspec, …)...

Documents

fingerprint-based automated rule generation for ddos...

bgp flowspec design, configuration and troubleshooting in...

traffic diversion techniques for ddos mitigation using bgp...

gobpf - utilizing ebpf from go

bgp flowspec design, configuration and...

ebpf trace from kernel to userspace

bgp flowspec atnog

automation of ddos attack mitigation€¦ · •fastnetmon,...

flowspec -...

meet cute-between-ebpf-and-tracing

attacks using bgp flowspec adaptive mitigation of ddos ·...

bringing the power of ebpf to open vswitch - linux...

the use of bgp flowspec in the protection against ddos...

ddos mitigation using bgp flowspec(pdf) - meet us in ... ·...

security monitoring with ebpf - brendan gregg

ebpf offload getting started guide - netronome

bgp flowspec (rfc5575) case study and discussion

a.i.s.e. & ebpf survey bpr impact on biocidal products...

ebpf ovsconf-2016

using ebpf for linux performance analyses