CloudFlare DDoS

Upload: boolaaone

Post on 10-Oct-2015



TRANSCRIPT

  • Trey Guinn

    Solution Engineer, CloudFlare

    www.cloudflare.com

    DDoS 101

  • Distributed Denial of Service

    An attack coming from many locations which overwhelms your resources and prevents you from serving legitimate customers.

  • Fake Pizza Orders

  • Variety of Attacks

    Volumetric

    Protocol Attacks

    Application Attacks

  • Real Life Example

  • Wednesday, March 20 ~75Gbps attack

  • 100Gbps Magic ceiling in DDoS attacks

  • March 24 to March 25: peaks of the attack reached at least 309Gbps

  • dig ANY isc.org @63.217.84.76 +edns=0 +notcp +bufsize=4096

  • 64-byte query

  • $ dig ANY isc.org @63.217.84.76 +edns=0 +notcp +bufsize=4096


  • 3,363-byte response

  • Amplification

  • 50x Amplification factor

  • Attack Amplification

    DNS - 50 x

    NTP - 200x

    Coming: SNMP - 650x

  • UDP = no handshake

  • Problem Ingredients: networks that allow source IP spoofing + servers that reply to non-customers

  • Good networks don't let packets originate from IPs they don't own (BCP38)

  • Not all networks are good

  • How common are these ingredients?

  • 28 million open resolvers

  • 24.6% networks allow spoofing

  • 10s of millions of open NTP / DNS servers

  • 1 attacker's laptop controlling

    57 compromised servers on

    3 networks that allowed spoofing of

    9Gbps DNS requests to

    0.1% of open resolvers resulted in

    300Gbps+ of DDoS attack traffic.

  • How did we stop it?

  • Anycast

  • Inherently dilutes the attack

  • 300Gbps / 25 Anycasted PoPs = 12 Gbps/PoP
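As an added worked example (not part of the slides), the Python below builds the UDP payload that the deck's `dig ANY isc.org +edns=0 +bufsize=4096` query sends, to show where the 64-byte figure comes from, and then applies the amplification and anycast-dilution arithmetic from the slides above. It assumes IPv4 with no options, a query carrying no EDNS options (no cookie), and treats the slide's 3,363-byte response as the on-wire size; the function names are mine, not dig's or CloudFlare's.

```python
import struct

# Assumed fixed header sizes for the on-wire estimate (IPv4, no options)
IP_HEADER = 20
UDP_HEADER = 8

def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int = 255, bufsize: int = 4096, txid: int = 0x1234) -> bytes:
    """UDP DNS query payload: header + one question + an EDNS0 OPT pseudo-RR."""
    # Header: id, flags (only RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    # Question: QNAME, QTYPE=ANY (255), QCLASS=IN (1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR (RFC 6891): root name, TYPE=41, CLASS carries the advertised UDP
    # payload size (+bufsize=4096), TTL field holds ext-RCODE/version/flags
    # (all zero), RDLENGTH=0 because no EDNS options are attached.
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return header + question + opt

def on_wire_size(payload: bytes) -> int:
    """Bytes on the wire as the slide counts them: IP + UDP + DNS payload."""
    return IP_HEADER + UDP_HEADER + len(payload)

def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Response bytes returned per query byte sent (the deck's '50x')."""
    return response_bytes / query_bytes

def per_pop_load_gbps(attack_gbps: float, pops: int) -> float:
    """Anycast dilution: each PoP absorbs roughly attack / number of PoPs."""
    return attack_gbps / pops

if __name__ == "__main__":
    q = build_query("isc.org")
    print("DNS payload bytes:", len(q))                      # 36
    print("on-wire query bytes:", on_wire_size(q))           # 64, matching the slide
    # Response size taken from the slide (3,363 bytes, constructed input here)
    print("amplification:", round(amplification_factor(on_wire_size(q), 3363), 1))
    print("Gbps per PoP:", per_pop_load_gbps(300, 25))       # 12.0
```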

  • Make sure you're not part of the problem

  • Are you running open DNS resolvers?

  • Are you running open NTP servers?

  • Implement BCP38 (uRPF)

  • Trey Guinn

    Solution Engineer

    www.cloudflare.com