Distributed denial of service (DDoS) attacks have scaled up in size and frequency over the past year. Attackers constantly adopt new methods to flood your website and network with malicious traffic. What exactly are DDoS attacks and how do they work? More importantly, how can you ensure that your website stays protected? CloudFlare solutions engineer Trey Guinn discusses the nature of DDoS attacks, with a focus on amplification attacks. He explains how CloudFlare is able to stop such attacks and also what you can do to ensure you are not part of the problem by running open NTP servers or DNS resolvers.
Distributed Denial of Service
An attack coming from many locations which overwhelms your resources and prevents you from serving legitimate customers.
Fake Pizza Orders
Variety of Attacks
Volumetric
Protocol Attacks
Application Attacks
Real Life Example
Wednesday, March 20: ~75Gbps attack
100Gbps: the "magic ceiling" in DDoS attacks
March 24 – March 25: peaks of the attack reached at least 309Gbps
$ dig ANY isc.org @63.217.84.76 +edns=0 +notcp +bufsize=4096
64-byte query
3,363-byte response
Amplification
50x Amplification factor
Attack Amplification
DNS: 50x
NTP: 200x
Coming: SNMP: 650x
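Worked example of the numbers above, added here and not taken from the slides: the script builds, byte for byte, the query that `dig ANY isc.org +edns=0 +notcp +bufsize=4096` puts on the wire, shows why it is 64 bytes (36 bytes of DNS plus 20 bytes of IPv4 and 8 bytes of UDP header; that the slide counted the headers is my assumption), and divides the 3,363-byte response by it to get the roughly 50x factor. It also decodes the header of a reply, which is the check behind the "are you running open DNS resolvers?" question at the end of the deck: a reply to a recursive query sent from outside your network that has RA set and carries answers means the server recurses for anyone. The two reply headers are constructed, not captured, and nothing is sent.

```python
"""
Added example, not part of the original CloudFlare slides.

Builds on the wire the same DNS query that
    dig ANY isc.org +edns=0 +notcp +bufsize=4096
sends, accounts for its size, and computes the amplification factor against
a response of a given size.  Runs entirely offline; nothing is transmitted.
"""
import struct

QTYPE_ANY = 255
QCLASS_IN = 1
TYPE_OPT = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
IPV4_HEADER = 20       # bytes, assuming no IP options
UDP_HEADER = 8


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY,
                edns_bufsize: int = 4096, txid: int = 0x1234) -> bytes:
    """Header + one question + an OPT record advertising a large UDP buffer.

    The OPT record is what lets the server answer with thousands of bytes in
    a single UDP datagram instead of truncating at 512 bytes.
    """
    # Flags 0x0100: QR=0 (query), opcode 0, RD=1 (recursion desired).
    # Counts: 1 question, 0 answers, 0 authority, 1 additional (the OPT RR).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT RR: root name (0x00), TYPE=41, CLASS=requestor's UDP payload size,
    # TTL field = extended RCODE/version/flags (all zero), RDLENGTH=0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt


def on_wire_size(dns_payload: bytes) -> int:
    """Size of the datagram as the network carries it (IPv4 + UDP + DNS)."""
    return IPV4_HEADER + UDP_HEADER + len(dns_payload)


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bandwidth multiplier one spoofed query buys the attacker."""
    return response_bytes / query_bytes


def parse_header(response: bytes) -> dict:
    """Decode the 12-byte DNS header of a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # 1 = response
        "rd": bool(flags & 0x0100),      # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),      # recursion available
        "rcode": flags & 0x000F,         # 0 = NOERROR, 5 = REFUSED
        "ancount": an,
    }


def is_open_resolver(response: bytes) -> bool:
    """True if a recursive query for a name the server is not authoritative
    for came back answered with RA set: the server recurses for strangers."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0


# Constructed sample reply headers (12 bytes each), not captured traffic:
#   flags 0x8180 = QR, RD, RA, NOERROR, 5 answer records  -> open resolver
#   flags 0x8105 = QR, RD, RCODE=5 (REFUSED), no RA, none -> closed resolver
OPEN_REPLY_HEADER = bytes.fromhex("1234 8180 0001 0005 0000 0001")
REFUSED_REPLY_HEADER = bytes.fromhex("1234 8105 0001 0000 0000 0001")


if __name__ == "__main__":
    q = build_query("isc.org")
    print("DNS payload:", len(q), "bytes; on the wire:", on_wire_size(q), "bytes")
    print("amplification vs 3,363-byte reply: %.1fx"
          % amplification_factor(on_wire_size(q), 3363))
    print("open resolver?", is_open_resolver(OPEN_REPLY_HEADER),
          is_open_resolver(REFUSED_REPLY_HEADER))
```

Run as-is it only prints the sizes; sending the bytes from `build_query` over UDP to port 53 is exactly what dig does, and the source address on that datagram is the one thing the amplifying server never verifies.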
UDP = no handshake
Problem Ingredients: Networks that allow source IP spoofing + servers that reply to "non-customers"
Good networks don’t let packets originate from IPs they don’t own (BCP38)
Not all networks are good
How common are these ingredients?
28 million open resolvers
24.6% of networks allow spoofing
10s of millions of open NTP and DNS servers
1 attacker's laptop controlling 5–7 compromised servers on 3 networks that allowed spoofing, sending 9Gbps of DNS requests to 0.1% of open resolvers, resulted in 300Gbps+ of DDoS attack traffic.
How did we stop it?
Anycast
Inherently “dilutes” the attack
300Gbps ÷ 25 Anycasted PoPs = 12 Gbps/PoP
Make sure you’re not part of the problem…
Are you running open DNS resolvers?
Are you running open NTP servers?
Implement BCP38 (uRPF)
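What "Implement BCP38 (uRPF)" means in the forwarding plane, as an added example that is not from the slides: a strict uRPF check accepts a packet only if the best route back to its source address points out the interface the packet arrived on, so a customer port cannot emit packets claiming a victim's address. Loose mode, which only requires that some route to the source exist, is the fallback for asymmetric transit links where strict mode would drop legitimate traffic. The routing table, interface names, per-port policy and sample packets are all constructed for illustration; the `allow_default` switch mirrors the common router behaviour of not counting the default route unless told to.

```python
"""
Added example, not part of the original slides.

The forwarding decision behind BCP38 ingress filtering as routers implement
it with unicast reverse-path forwarding (uRPF).  The FIB and the packets are
constructed for illustration; interface names are arbitrary.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed FIB of a small edge router: transit uplink on eth0, two
# customer ports on eth1 and eth2.
FIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0"),        # default, toward transit
    Route(ipaddress.ip_network("198.51.100.0/24"), "eth1"),  # customer A
    Route(ipaddress.ip_network("203.0.113.0/25"), "eth2"),   # customer B
]


def longest_match(fib, src_ip):
    """Best (most specific) route covering src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    hits = [r for r in fib if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def urpf_permits(fib, src_ip, ingress_if, mode="strict", allow_default=False):
    """uRPF verdict for a packet with source src_ip arriving on ingress_if.

    strict: the best route back to the source must leave via ingress_if,
            i.e. the packet must come in where a reply would go out.
            Right for customer-facing ports; this is BCP38 in practice.
    loose:  any route to the source suffices; it only stops bogon sources,
            but it is what an asymmetric transit link can tolerate.
    A match on the default route does not count unless allow_default is set
    (the usual router default), otherwise a default route would make loose
    mode pass every address.
    """
    route = longest_match(fib, src_ip)
    if route is None or (route.prefix.prefixlen == 0 and not allow_default):
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return route.interface == ingress_if
    raise ValueError("mode must be 'strict' or 'loose'")


# Per-interface policy: strict on customer ports, loose on the uplink.
POLICY = {"eth0": "loose", "eth1": "strict", "eth2": "strict"}


def filter_packets(fib, packets, policy=POLICY):
    """Return (src_ip, ingress_if, verdict) for each (src_ip, ingress_if)."""
    return [(src, ifn,
             "permit" if urpf_permits(fib, src, ifn, policy[ifn]) else "drop")
            for src, ifn in packets]


# Constructed traffic on customer A's port: A's own address, then two spoofed
# sources (the DDoS victim's address, and customer B's block), and finally
# B's address arriving on the uplink as ordinary return traffic.
SAMPLE_PACKETS = [
    ("198.51.100.7", "eth1"),   # legitimate
    ("192.0.2.10", "eth1"),     # spoofed: victim's address as source
    ("203.0.113.9", "eth1"),    # spoofed: customer B's address on A's port
    ("203.0.113.9", "eth0"),    # asymmetric return traffic; loose passes it
]


if __name__ == "__main__":
    for src, ifn, verdict in filter_packets(FIB, SAMPLE_PACKETS):
        print(f"{src:>14} in {ifn}: {verdict}")
```

The strict check on eth1 is the one that would have kept the 9Gbps of spoofed DNS requests in the attack above from ever leaving the three networks it was sent from; the resolvers they reached never had a chance to tell the forged source from a real one.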