Building a DDoS Mitigation Pipeline (USENIX talk slides, transcript)
Marek Majkowski

Slide 1: Building a DDoS Mitigation Pipeline

Slide 2: "Help Build a Better Internet"

Slide 3: Content neutral

Slide 4: DDoS is a threat

Slide 5: (diagram) Malicious Attacker, Internet Provider, Origin Server, CloudFlare Server
Big effort:
• trust & safety team working with operators
• public outreach
• improving our infrastructure

Slide 6: Automated DDoS Mitigations
(diagram) Malicious Attacker, Internet Provider, Origin Server, CloudFlare Server
• automating mitigations

Slide 7: attack volume > CloudFlare network capacity

Slide 8: BGP Nullroute and move on
```
route 1.2.3.4/32 {
    discard;
    community [ 13335:666 13335:668 13335:36006 ];
}
```

Slide 9: attack volume < CloudFlare network capacity

Slide 10: Reducing damage
Layers shown along an arrow labelled "Less damage": BGP Nullrouting, Router firewall, Server firewall, Application

Slide 11: Reducing damage (arrow labelled "More precision")
• BGP Nullrouting: IP
• Router firewall: IP, port, packet length
• Server firewall: all above + stateless DPI parameters
• Application: all above + application logic

Slide 12: Operator: Precision vs Speed

Slide 13: (image only)

Slide 14: Automation: Precision vs Speed

Slide 15: Gatebot: Precision vs Speed. Automatic attack handling

Slide 16: Automatic attack handling: Attack Detection, Mitigation, Reactive Automation

Slide 17: The attack

Slide 18: High volume packet floods (chart, y-axis: packets per second)

Slide 19: DNS packet flood
```
$ tcpdump -ni eth2 inbound and port 53 -c 100

IP 202.194.181.95.15443 > 1.2.3.4:53: 63476% [1au] A? example.com. (50)
IP 221.12.236.115.6570 > 1.2.3.4:53: 11406% [1au] A? example.com. (50)
IP 203.94.134.43.18473 > 1.2.3.4:53: 8559% [1au] A? example.com. (50)
IP 203.196.66.75.32573 > 1.2.3.4:53: 47971% [1au] A? example.com. (50)
IP 124.240.198.136.2333 > 1.2.3.4:53: 61152% [1au] A? example.com. (50)
IP 218.247.70.185.11679 > 1.2.3.4:53: 16360% [1au] A? example.com. (50)
IP 202.109.218.98.27549 > 1.2.3.4:53: 17829% [1au] A? example.com. (50)
IP 203.148.240.82.21825 > 1.2.3.4:53: 22590% [1au] A? example.com. (50)
IP 211.167.108.67.25782 > 1.2.3.4:53: 17663% [1au] A? example.com. (50)
IP 203.209.60.18.20221 > 1.2.3.4:53: 38257% [1au] A? example.com. (50)
IP 203.81.181.168.12749 > 1.2.3.4:53: 53492% [1au] A? example.com. (50)
```

Slide 20: 1 in 10k packets is "real"

Slide 21: Finding attack parameters (the tcpdump capture from slide 19 again: every packet is an A? query for example.com to 1.2.3.4:53, each from a different source address)

Slide 22: Mitigation (Mitigation Operator)

Slide 23: Where to DROP? Application / iptables / Router

Slide 24: Traffic matching with BPF
```
iptables -A INPUT \
    --dst 1.2.3.4 \
    -p udp --dport 53 \
    -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
    -j DROP
```

Slide 25: BPF bytecode
```
    ldx 4*([14]&0xf)
    ld #34
    add x
    tax
lb_0:
    ldb [x + 0]
    add x
    add #1
    tax
    ld [x + 0]
    jneq #0x07657861, lb_1
    ld [x + 4]
    jneq #0x6d706c65, lb_1
    ld [x + 8]
    jneq #0x03636f6d, lb_1
    ldb [x + 12]
    jneq #0x00, lb_1
    ret #1
lb_1:
    ret #0
```
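As an added example (not code from the slides, nor from Cloudflare's own tooling), here is a Python generator for the classic-BPF query-name matcher that the `iptables -m bpf --bytecode` rule on slide 24 carries, with a small interpreter for the handful of opcodes it uses, so the program can be checked against a constructed IPv4/UDP/DNS packet offline. It assumes, as the iptables bpf match does, that the program sees the packet from the IP header onward (no Ethernet header), which is why the prologue is `ld #20; ldx 4*([0]&0xf)` rather than the `ld #34; ldx 4*([14]&0xf)` of the Ethernet-framed listing on slide 25. With `wildcard=True` it also emits the skip-first-label prologue of slide 25 (`ldb [x+0]; add x; add #1; tax`), which is what turns the exact matcher into a `*.example.com` one; that generalisation and all packet contents below are mine. For `example.com` the generated string is byte-for-byte the bytecode on slide 24.

```python
import struct

# Classic BPF opcodes, values as in <linux/filter.h>
LD_IMM   = 0x00   # A = k
ADD_K    = 0x04   # A += k
RET_K    = 0x06   # return k
TAX      = 0x07   # X = A
ADD_X    = 0x0c   # A += X
JEQ_K    = 0x15   # pc += (A == k) ? jt : jf
LD_W_IND = 0x40   # A = 32-bit word at pkt[X + k]
LDH_IND  = 0x48   # A = 16-bit half-word at pkt[X + k]
LDB_IND  = 0x50   # A = byte at pkt[X + k]
LDX_MSH  = 0xb1   # X = 4 * (pkt[k] & 0xf), i.e. the IPv4 header length

def encode_qname(name):
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b''
    for label in name.strip('.').split('.'):
        out += bytes([len(label)]) + label.encode('ascii')
    return out + b'\x00'

def qname_bpf(name, wildcard=False):
    """Instructions [(code, jt, jf, k), ...] returning 1 when the DNS question name
    equals `name` (or `*.name` with wildcard=True), else 0.  Assumes the program
    starts at the IPv4 header, as iptables -m bpf does, so the qname sits at
    IHL + 8 (UDP header) + 12 (DNS header) = IHL + 20."""
    prog = [(LD_IMM, 0, 0, 20), (LDX_MSH, 0, 0, 0), (ADD_X, 0, 0, 0), (TAX, 0, 0, 0)]
    if wildcard:   # skip the first label: X += pkt[X] + 1 (slide 25's lb_0 block)
        prog += [(LDB_IND, 0, 0, 0), (ADD_X, 0, 0, 0), (ADD_K, 0, 0, 1), (TAX, 0, 0, 0)]
    wire, loads, off = encode_qname(name), [], 0
    while off < len(wire):            # compare 4, 2 or 1 bytes at a time
        rem = len(wire) - off
        if rem >= 4:
            loads.append((LD_W_IND, off, struct.unpack('!I', wire[off:off + 4])[0])); off += 4
        elif rem >= 2:
            loads.append((LDH_IND, off, struct.unpack('!H', wire[off:off + 2])[0])); off += 2
        else:
            loads.append((LDB_IND, off, wire[off])); off += 1
    for i, (code, off, k) in enumerate(loads):
        jf = 2 * (len(loads) - i - 1) + 1   # on mismatch jump straight to 'ret #0'
        prog += [(code, 0, 0, off), (JEQ_K, 0, jf, k)]
    return prog + [(RET_K, 0, 0, 1), (RET_K, 0, 0, 0)]

def to_iptables_bytecode(prog):
    """The 'N,code jt jf k,...' text form that iptables -m bpf --bytecode accepts."""
    return ','.join([str(len(prog))] + ['%d %d %d %d' % insn for insn in prog])

def run_bpf(prog, pkt):
    """Interpreter for the opcodes emitted above.  As in the kernel, a load past
    the end of the packet aborts the program with return value 0 (no match)."""
    A = X = pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        try:
            if code == LD_IMM:     A = k
            elif code == LDX_MSH:  X = 4 * (pkt[k] & 0xf)
            elif code == ADD_X:    A = (A + X) & 0xffffffff
            elif code == ADD_K:    A = (A + k) & 0xffffffff
            elif code == TAX:      X = A
            elif code == LD_W_IND: A = struct.unpack('!I', pkt[X + k:X + k + 4])[0]
            elif code == LDH_IND:  A = struct.unpack('!H', pkt[X + k:X + k + 2])[0]
            elif code == LDB_IND:  A = pkt[X + k]
            elif code == JEQ_K:    pc += jt if A == k else jf
            elif code == RET_K:    return k
            else: raise ValueError('unsupported opcode 0x%02x' % code)
        except (struct.error, IndexError):
            return 0
    return 0

def dns_query_packet(name):
    """Constructed sample: IPv4 (20 bytes, IHL=5) + UDP (8) + DNS query header (12)
    + question for `name`.  Addresses and ports are made-up test values."""
    question = encode_qname(name) + struct.pack('!HH', 1, 1)          # QTYPE A, QCLASS IN
    dns = struct.pack('!HHHHHH', 0x1234, 0x0100, 1, 0, 0, 0) + question
    udp = struct.pack('!HHHH', 15443, 53, 8 + len(dns), 0) + dns
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp

if __name__ == '__main__':
    exact, wild = qname_bpf('example.com'), qname_bpf('example.com', wildcard=True)
    print(to_iptables_bytecode(exact))
    for q in ('example.com', 'www.example.com', 'example.org'):
        pkt = dns_query_packet(q)
        print('%-16s exact=%d wildcard=%d' % (q, run_bpf(exact, pkt), run_bpf(wild, pkt)))
```

The jump offsets are the part worth checking when hand-editing such programs: each `jeq` must skip exactly to the final `ret #0`, so a program that is one instruction longer or shorter than its leading count silently matches nothing, which is why the interpreter run against a known-good packet belongs in the deployment path alongside the generator.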

Slide 26: (image only)

Slide 27: Deployment: iptables, Mitigation Database

Slide 28: Mitigation database
```
$ gatekeeper dnsbpf list
--ip=1.2.3.4 *.example.com
--ip=4.3.2.1 www.test.de *.www.test.de
--ip=4.3.4.4 *.cloudflare.com --except=www.** --except=ns1.**
--ip=2.3.1.4 www.onedomain.com,wwww.seconddomain.com
--ip=1.2.3.0/24 test.com

$ gatekeeper dnsbpf add -- --ip=4.3.2.1 *.newattack.com
```

Slide 29: Detection (Attack Detection)

Slide 30: Sflow: Sflow samples go to Central Aggregation

Slide 31: What is an "attack"?

Slide 32: "Attack" is large (chart: large attacks vs small attacks, y-axis: packets per second)

Slide 33: "Attack" can be mitigated. Attack Description = Mitigation
(diagram) Attack Detection (Sflow) and Mitigation Database (iptables); Attacks feed Mitigation

Slide 34: "Attacks" shall be aggregated
```
Mpps   Descr
3.878  --ip=141.245.59.191/32
2.878  --ip=141.245.59.192/32
1.878  --ip=141.245.59.193/32
1.878  --ip=141.245.59.194/32
1.878  --ip=141.245.59.195/32
1.878  --ip=141.245.59.196/32
1.878  --ip=141.245.59.197/32
1.878  --ip=141.245.59.198/32
1.878  --ip=141.245.59.199/32
...
```
vs
```
Mpps    Descr
35.878  --ip=141.245.59.0/24
```

Slide 35: An attack-finding algorithm

Slide 36: Top N / Heavy hitters
• Fixed memory size; Algorithm: Space Saving
• https://github.com/cloudflare/golibs
```
pps     IP
12.2M   1.2.3.4
2.4M    42.1.2.4
0.01M   2.4.3.1
0.01M   192.168.1.1
```

Slide 37: Multiple dimensions
```
pps     IP:port             pps     IP              pps     subnet
12.2M   1.2.3.4:53          12.2M   1.2.3.4         12.2M   1.2.3.0/24
2.4M    42.1.2.4:80         2.4M    42.1.2.4        2.4M    42.1.2.0/24
0.01M   2.4.3.1:80          0.01M   2.4.3.1         0.01M   2.4.3.0/24
0.01M   192.168.1.1:443     0.01M   192.168.1.1     0.01M   192.168.1.0/24
```

Slide 38: Multiple dimensions (the same three tables as slide 37)
incoming sample: 42.1.2.4:80

Slide 39: Multiple dimensions (the same three tables as slide 37)
reporting threshold: 1M

Slide 40: Attack report
```
Mpps   Descr
12.2   --ip=1.2.3.4 --port=53
2.4    --ip=42.1.2.4 --port=80
12.2   --ip=1.2.3.4
2.4    --ip=42.1.2.4
12.2   --ip=1.2.3.0/24
2.4    --ip=42.1.2.0/24
```

Slide 41: Multiple dimensions
```
pps     IP:port             pps     IP              pps     subnet
12.2M   1.2.3.4:53          0.1M    1.2.3.4         0.1M    1.2.3.0/24
2.4M    42.1.2.4:80         0M      42.1.2.4        0M      42.1.2.0/24
0.01M   2.4.3.1:80          0.01M   2.4.3.1         0.01M   2.4.3.0/24
0.01M   192.168.1.1:443     0.01M   192.168.1.1     0.01M   192.168.1.0/24
```
incoming sample: 42.1.2.4:80

Slide 42: Attack report
```
Mpps   Descr
12.2   --ip=1.2.3.4 --port=53
2.4    --ip=42.1.2.4 --port=80
```
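Added example, not the slides' own code and not the Space Saving implementation in cloudflare/golibs: a fixed-memory Space Saving counter fed with each sample in the three dimensions of slides 37 to 39 (ip:port, ip, /24 subnet), plus the reporting step that slides 40 to 42 illustrate: walk the dimensions from most to least specific, emit every key above the reporting threshold as one attack line, and subtract its volume from the coarser keys it rolls up into, so the 12.2M flood at 1.2.3.4:53 is reported once rather than three times. The sample stream, the threshold and the capacity in `demo()` are constructed; the `--ip=... --port=...` description strings follow the attack reports on the slides. The last traffic group in `demo()` also shows the slide 34 case, where hosts that are each below threshold add up to one reportable /24.

```python
import ipaddress

class SpaceSaving:
    """Space Saving top-N counter (Metwally, Agrawal, El Abbadi): at most `capacity`
    counters exist at once; a new key takes over the smallest counter and inherits
    its count, which is recorded as that key's maximum possible over-estimate."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.counts = {}    # key -> estimated count
        self.errors = {}    # key -> over-estimate inherited on insertion

    def add(self, key, n=1):
        if key in self.counts:
            self.counts[key] += n
        elif len(self.counts) < self.capacity:
            self.counts[key], self.errors[key] = n, 0
        else:
            victim = min(self.counts, key=self.counts.get)
            base = self.counts.pop(victim)
            del self.errors[victim]
            self.counts[key], self.errors[key] = base + n, base

    def subtract(self, key, n):
        """Take away volume already attributed to a more specific key (slides 41-42)."""
        if key in self.counts:
            self.counts[key] = max(0, self.counts[key] - n)

    def top(self):
        """Keys by estimated count, largest first."""
        return sorted(self.counts.items(), key=lambda kv: -kv[1])

def subnet24(ip):
    return str(ipaddress.ip_network(ip + '/24', strict=False))

# Dimensions from most to least specific.  `parent` maps a key to the key it
# rolls up into in the next dimension; `describe` renders the attack report line.
DIMENSIONS = [
    dict(name='ip:port', describe=lambda k: '--ip=%s --port=%d' % k, parent=lambda k: k[0]),
    dict(name='ip',      describe=lambda k: '--ip=%s' % k,           parent=subnet24),
    dict(name='subnet',  describe=lambda k: '--ip=%s' % k,           parent=None),
]

class AttackFinder:
    def __init__(self, capacity, threshold):
        self.threshold = threshold                        # reporting threshold in pps
        self.tables = [SpaceSaving(capacity) for _ in DIMENSIONS]

    def sample(self, ip, port, pps=1):
        """One sflow sample, counted in every dimension (slide 38)."""
        key = (ip, port)
        for dim, table in zip(DIMENSIONS, self.tables):
            table.add(key, pps)
            if dim['parent'] is not None:
                key = dim['parent'](key)

    def report(self):
        """[(pps, description), ...], most specific dimension first.  Each reported
        key's volume is subtracted from its parents so one flood gives one line."""
        lines = []
        for i, (dim, table) in enumerate(zip(DIMENSIONS, self.tables)):
            for key, count in table.top():
                if count < self.threshold:
                    break
                lines.append((count, dim['describe'](key)))
                k, j = key, i
                while DIMENSIONS[j]['parent'] is not None:
                    k = DIMENSIONS[j]['parent'](k)
                    j += 1
                    self.tables[j].subtract(k, count)
        return lines

def demo():
    """Constructed traffic mix: the slide 37 flows, a small second port on 1.2.3.4,
    and a /24 whose hosts are each below threshold but add up above it (slide 34)."""
    finder = AttackFinder(capacity=64, threshold=1000)
    for ip, port, pps in [('1.2.3.4', 53, 12200), ('1.2.3.4', 123, 100),
                          ('42.1.2.4', 80, 2400), ('2.4.3.1', 80, 10),
                          ('192.168.1.1', 443, 10)]:
        finder.sample(ip, port, pps)
    for host in range(191, 200):
        finder.sample('141.245.59.%d' % host, 53, 900)
    return finder.report()

if __name__ == '__main__':
    for pps, descr in demo():
        print('%6d  %s' % (pps, descr))
```

Because the tables are bounded, a burst of new keys evicts the smallest counters and the evicted volume reappears as the `errors` value of whichever key replaced them; a report line whose count is within `errors[key]` of the threshold should be treated as uncertain rather than acted on automatically.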

Slide 43: Scales well

Slide 44: Reactive automation

Slide 45: Connecting the pieces
(diagram) sflow, Attack Detection, ?, Mitigation Database, iptables

Slide 46: Reactive Rule
```
--ip=1.2.3.4 example.com
--ip=1.2.3.4 example.com --qps=100
```

Slide 47: Reactive Rule
```
input:  --ip=1.2.3.4 example.com
extra:  example.com = FREE | PAID
output: --ip=1.2.3.4 example.com --qps=500
```

Slide 48: Reactive Rule
```
input:  --ip=1.2.3.4 example.com
extra:  example.com = FREE | PAID
extra:  example.com subdomains: (www, ns1, ns2)
output: --ip=1.2.3.4 example.com --except www,ns1,ns2 --qps=500
```

Slide 49: Reactive Rule: Input Stream, extra stream, extra stream, Output Stream

Slide 50: Chain of transformations
```python
def dns_mitigation(attack, plan, subdomains):
    domain = attack['domain']

    # rate limit depends on the customer's plan
    qps = 100
    if plan[domain] == 'business':
        qps = 500

    # one --except per known subdomain of the attacked domain
    mitigation = attack['description'] + \
        ' --qps=%s' % qps + \
        ''.join(' --except=%s' % s for s in subdomains[domain])

    return mitigation
```

Slide 51: Fully composable

Slide 52: Putting it all together

Slide 53: Putting it all together
(diagram) Mitigation Database, sflow, iptables, Attack Detection, Reactive Automation

Slide 54: Gatebot: frequency (chart: Gatebot actions per day, over 3 months)

Slide 55: Gatebot: volume (chart, 1 week)

Slide 56: Summary

Slide 57: The fight goes on
(diagram) Malicious Attacker, Internet Provider, Origin Server, CloudFlare Server
• trust & safety team working with operators
• public outreach
• improving our infrastructure

Slide 58: Thanks! and good luck!
• https://blog.cloudflare.com
• https://github.com/cloudflare
[email protected] @majek04 @cfgatebot