Post on 26-Sep-2020

Spoofing and Denial of Service: A risk to the decentralized Internet
DDoS: The real story with BCP38

Tom Paseka

GPF 2017

Global Network

© 2017 Cloudflare Inc. All rights reserved. 2

Content Neutral


Daily Attacks


We have to solve attacks


Record Breaking Attacks

Nickname              Type                            Volume
SNMP Amp              SNMP Amplification/Reflection   80Gbps
Spamhaus              DNS Amplification/Reflection    300Gbps
"Winter of Attacks"   Direct                          400Gbps
IoT                   Direct                          500Gbps+

Most big attacks have a few things in common


Flood of IP Packets


Spoofing Enables Impersonation


Spoofing?

• Why is spoofing an issue?

• This is my good friend Walt Wollny

• Let’s say he was assaulted, but it was by a masked assailant

• Without removing the mask, there can’t be legal retribution

May 2000: BCP38


Caida Spoofer Stats

Updated: Feb 2017. Source: https://spoofer.caida.org

Filter close to the source
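As an added illustration of BCP38 and the "filter close to the source" point (example code written for this page, not from the talk or from Cloudflare): a toy ingress filter at a customer edge that permits a packet only if its source address belongs to a prefix assigned to the interface it arrived on. The interface names, prefixes and sample packets are constructed; the 8.8.8.8 source mirrors the "Src ip = 8.8.8.8" packet the deck uses later.

```python
"""BCP38-style source address validation at a customer edge, as a toy.

Ingress filtering permits a packet only if its source address belongs to a
prefix the operator has assigned to the interface the packet came in on.
A looser check (the source is in *some* known prefix) is also shown, to
distinguish "customer address on the wrong port" from "address we never
assigned". Interface names, prefixes and packets are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]

# Constructed: prefixes assigned to each customer-facing interface.
INGRESS_PREFIXES: Dict[str, List[Network]] = {
    "ge-0/0/1": [ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ip_network("198.51.100.0/25"), ip_network("2001:db8:1::/48")],
}


@dataclass(frozen=True)
class Packet:
    ingress_if: str
    src: str
    dst: str


def bcp38_permit(pkt: Packet, table: Dict[str, List[Network]] = INGRESS_PREFIXES) -> bool:
    """Strict check: src must lie in a prefix assigned to the ingress interface."""
    src = ip_address(pkt.src)
    # 'in' between an IPv4 address and an IPv6 network is simply False, so mixed tables are fine.
    return any(src in prefix for prefix in table.get(pkt.ingress_if, []))


def known_source(pkt: Packet, table: Dict[str, List[Network]] = INGRESS_PREFIXES) -> bool:
    """Loose check: src lies in a prefix assigned to *any* interface."""
    src = ip_address(pkt.src)
    return any(src in prefix for prefixes in table.values() for prefix in prefixes)


def filter_packets(packets: List[Packet], table=INGRESS_PREFIXES) -> Tuple[List[Packet], List[Tuple[Packet, str]]]:
    """Apply the strict check; dropped packets are paired with a reason for the operator's logs."""
    permitted, dropped = [], []
    for pkt in packets:
        if bcp38_permit(pkt, table):
            permitted.append(pkt)
        elif known_source(pkt, table):
            dropped.append((pkt, "customer source on the wrong interface"))
        else:
            dropped.append((pkt, "source outside all assigned prefixes"))
    return permitted, dropped


# Constructed sample traffic; 8.8.8.8 mirrors the "Src ip = 8.8.8.8" packet on the slides.
SAMPLE_PACKETS = [
    Packet("ge-0/0/1", "203.0.113.7", "192.0.2.1"),            # legitimate
    Packet("ge-0/0/1", "8.8.8.8", "192.0.2.1"),                # not an assigned prefix: dropped
    Packet("ge-0/0/2", "203.0.113.7", "192.0.2.1"),            # assigned, but to ge-0/0/1: dropped
    Packet("ge-0/0/2", "2001:db8:1::10", "2001:db8:ffff::1"),  # legitimate IPv6
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    for pkt in ok:
        print("permit", pkt.ingress_if, pkt.src)
    for pkt, why in bad:
        print("drop  ", pkt.ingress_if, pkt.src, "-", why)
```

The strict form is what a customer edge can apply because it knows exactly which prefixes it handed out; the reason strings matter in practice because "wrong interface" usually means a misconfigured customer, whereas "outside all assigned prefixes" is the spoofed traffic BCP38 exists to stop.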


IP Spoofing:

• Enables Impersonation

• Isn’t solved

IP Spoofing

1. Tracing back is impossible

2. Allows sophisticated attacks


Where did the attack come from?


Identifying interfaces



What’s on the other side of the Cable?


1. Direct Peering

2. IXP / Internet Exchange Point

3. Transit Provider

[Diagram slides: a packet marked Src ip = 8.8.8.8 arrives via the IXP / transit provider; its origin is shown as ?.?.?.?, next to the prefix 8.8.8.0/24]

Lack of Attribution

IP Spoofing

1. Tracing back is impossible

2. Allows sophisticated attacks


Amplification


March 2013: Spamhaus


Amplification is relatively easy to block…

• …if you have the bandwidth (few networks can absorb hundreds of Gbps)

• Block on firewall:

  • src UDP/53 > deny

• Internet is fighting amplification sources:

  • openresolverproject.org

  • openntpproject.org

Source IP Addresses

[Diagram: the ???Src ip = 8.8.8.8??? packet and the 8.8.8.0/24 prefix again]

https://xkcd.com/195/

Dealing with Attacks


Null Routing


Null Routing

• Probably the simplest way to deal with an attack

• You instruct your ISP not to route traffic for a single host, or a series of hosts in your network

• Except, you’ve just let the attacker win

• If you null route your service, you’ve taken it offline. Perhaps you have an advanced system and can quickly renumber, but the attacker can update their attack too

The only way to stay online is to absorb the attack


Receive and Process


Centralization


Solution?


Technical solutions to IP Spoofing have failed


Don’t just solve the IP Spoofing… solve the attribution!

Netflow

• Open-source toolsets are great

• Scales very well

• Privacy concerns?

  • This is very, very simple data

  • Rotate (delete) logs every few days

  • Use a high sampling rate: 1 in 16,000

Netflow

• H/W vendors must get better

• Netflow v9 supports src/dst MAC

• Which vendor supports it?

Photo: The Simpsons/FOX

NetFlow

• It is EMBARRASSING that a transit provider doesn’t know where packets ingress their networks

• It’s even more embarrassing that service providers who have NetFlow equipment, be it open source / in house or provided by a vendor, don’t know how to use it

• It’s also EMBARRASSING that hardware vendors don’t support full NetFlow v9

• This needs to be resolved now
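As an added example that is not part of the talk (and not Cloudflare's tooling), tying together the "src UDP/53 > deny" firewall rule from the amplification slide and the NetFlow attribution point made here: a small Python pass over constructed NetFlow-style records that (a) summarises how much of the traffic carries a reflector source port, and (b) answers the question from the transit-provider diagram, namely on which ingress interface and behind which source MAC the packets claiming Src ip = 8.8.8.8 entered. The flat record format, interface names, MAC addresses and the 1-in-16,000 sampling scale-up are assumptions made for this example.

```python
"""Attribution from NetFlow-style records, as a toy.

The deck's point: a network can only act on a spoofed-source flood if it can
say which ingress interface, and which neighbour (src MAC), the packets
entered on. The flow records below are constructed sample data in a flat
text form (not real NetFlow v9 wire format); the parser, the reflection
summary and the attribution step are an added illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLING_RATE = 16_000  # 1-in-16,000 packet sampling, the ratio named on the slide

# Constructed records, one flow per line:
# ingress_if src_mac src_ip dst_ip proto src_port dst_port pkts bytes
SAMPLE_FLOWS = """\
xe-1/0/0 00:11:22:33:44:01 8.8.8.8       192.0.2.10 udp 53   40000 900 1200000
xe-1/0/0 00:11:22:33:44:01 8.8.8.8       192.0.2.10 udp 53   40001 850 1150000
xe-1/0/1 00:11:22:33:44:02 8.8.8.8       192.0.2.10 udp 53   40002 30  40000
xe-1/0/1 00:11:22:33:44:02 198.51.100.5  192.0.2.20 tcp 443  51000 20  18000
xe-1/0/0 00:11:22:33:44:01 203.0.113.9   192.0.2.10 udp 123  40003 400 190000
xe-1/0/1 00:11:22:33:44:03 203.0.113.77  192.0.2.30 tcp 80   52000 12  9000
"""


@dataclass(frozen=True)
class Flow:
    ingress_if: str
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    pkts: int
    bytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the flat constructed format; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        flows.append(Flow(f[0], f[1], f[2], f[3], f[4],
                          int(f[5]), int(f[6]), int(f[7]), int(f[8])))
    return flows


# UDP services the deck names as amplification/reflection sources (DNS, NTP, SNMP).
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 161: "snmp"}


def reflection_summary(flows: List[Flow], min_share: float = 0.10) -> Dict[int, Tuple[str, int, float]]:
    """Bytes arriving from each reflector source port, kept if above min_share of all bytes.

    This is the evidence behind a 'src UDP/53 > deny' style rule: it shows which
    service's replies make up the flood.
    """
    total = sum(f.bytes for f in flows)
    by_port: Dict[int, int] = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.src_port in REFLECTOR_PORTS:
            by_port[f.src_port] += f.bytes
    return {port: (REFLECTOR_PORTS[port], b, round(b / total, 3))
            for port, b in by_port.items() if b / total >= min_share}


def attribute_source(flows: List[Flow], src_ip: str, dst_ip: Optional[str] = None) -> List[Tuple[Tuple[str, str], int]]:
    """Where did packets claiming src_ip enter? Estimated packets per (ingress_if, src_mac), largest first.

    The src MAC is the NetFlow v9 field the slide asks vendors for: it names the
    neighbour on a shared segment (e.g. an IXP LAN), not just the port.
    """
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if f.src_ip == src_ip and (dst_ip is None or f.dst_ip == dst_ip):
            counts[(f.ingress_if, f.src_mac)] += f.pkts * SAMPLING_RATE
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for port, (name, nbytes, share) in reflection_summary(flows).items():
        print(f"reflector src port {port} ({name}): {nbytes} bytes, {share:.1%} of traffic")
    for (ifname, mac), est_pkts in attribute_source(flows, "8.8.8.8"):
        print(f"src 8.8.8.8 entered on {ifname} from {mac}: ~{est_pkts} packets")
```

With the constructed records, the DNS source port accounts for roughly 92% of bytes, and nearly all packets claiming 8.8.8.8 entered on xe-1/0/0 behind one MAC; that pair is exactly what the deck says a transit provider should be able to name before any conversation with the peer on the other side of the cable can start.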

This is the first step


Attribution allows informed discussion


DDoS Causes centralization


To fix DDoS we need attribution


To make the internet better for everyone
