CloudFlare DDoS
-
Trey Guinn
Solution Engineer, CloudFlare
www.cloudflare.com
DDoS 101
-
Distributed Denial of Service
An attack coming from many locations which overwhelms your resources and prevents you from serving legitimate customers.
-
Fake Pizza Orders
-
Variety of Attacks
Volumetric
Protocol Attacks
Application Attacks
-
Real Life Example
-
Wednesday, March 20 ~75Gbps attack
-
100Gbps Magic ceiling in DDoS attacks
-
March 24 / March 25: Peaks of the attack reached at least 309Gbps
-
dig ANY isc.org @63.217.84.76 +edns=0 +notcp +bufsize=4096
-
64-byte query
-
$ dig ANY isc.org @63.217.84.76 +edns=0 +notcp +bufsize=4096
-
3,363-byte response
-
Amplification
-
50x Amplification factor
-
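Where the two numbers on the previous slides come from, as an added example that is not part of the deck or CloudFlare's own tooling: the code below encodes the DNS message that the slide's `dig ANY isc.org +edns=0 +notcp +bufsize=4096` sends (RFC 1035 header and question, RFC 6891 OPT record) and adds the IPv4 and UDP headers, which gives exactly 64 bytes on the wire. It then divides the 3,363-byte response by that to get the amplification factor. The transaction ID, the 20-byte IPv4 header and the choice to count the response as one datagram are assumptions made for the example; nothing is sent anywhere.

```python
import struct
from typing import Optional

# Added example, not from the slides: encode the DNS query that the slide's
# `dig ANY isc.org +edns=0 +notcp +bufsize=4096` puts on the wire, to show
# where the 64-byte figure comes from and what the EDNS0 buffer size does.

IPV4_HEADER = 20      # bytes, IPv4 header without options (assumed)
UDP_HEADER = 8
QTYPE_ANY = 255
QCLASS_IN = 1
RRTYPE_OPT = 41       # EDNS0 pseudo-RR type (RFC 6891)


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: a length byte before each label, a zero byte at the end."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txn_id: int = 0x1234,
                edns_bufsize: Optional[int] = 4096) -> bytes:
    """Return the DNS message (the UDP payload) for a recursive query.
    With edns_bufsize set, an OPT record advertises that the client accepts
    UDP answers up to that size; without it the answer is capped at 512 bytes
    and anything larger comes back truncated (TC bit set)."""
    arcount = 1 if edns_bufsize is not None else 0
    # Header: ID, flags (RD=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    msg = header + question
    if edns_bufsize is not None:
        # OPT RR: root name, TYPE=41, CLASS field carries the advertised UDP
        # payload size, TTL field carries ext-RCODE/version/flags (zero), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, edns_bufsize, 0, 0)
    return msg


def wire_size(dns_payload: bytes) -> int:
    """Size of one unfragmented IPv4/UDP datagram carrying the payload."""
    return IPV4_HEADER + UDP_HEADER + len(dns_payload)


def amplification_factor(query_wire_bytes: int, response_payload_bytes: int) -> float:
    """Bytes the reflector emits per byte the sender spends. The response is
    counted as a single datagram; a 3,363-byte answer actually fragments at a
    1500-byte MTU, which adds one more IPv4 header per fragment."""
    return (IPV4_HEADER + UDP_HEADER + response_payload_bytes) / query_wire_bytes


if __name__ == "__main__":
    q = build_query("isc.org")
    print(len(q), wire_size(q))                                 # 36 bytes of DNS, 64 on the wire
    print(round(amplification_factor(wire_size(q), 3363)))      # 53, the slide's "50x"
    print(wire_size(build_query("isc.org", edns_bufsize=None)))  # 53 bytes without EDNS0
```

The breakdown is 12 bytes of header, 13 bytes of question (`isc.org` as labels plus type and class), 11 bytes of OPT record, and 28 bytes of IPv4/UDP headers. The OPT record is the part that matters: without `+edns=0 +bufsize=4096` the resolver would have to truncate the answer at 512 bytes, which is why a resolver that caps the EDNS buffer size it honours (or applies response rate limiting) is far less useful as a reflector.
-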
Attack Amplification
DNS - 50x
NTP - 200x
Coming: SNMP - 650x
-
UDP = no handshake
-
Problem Ingredients:
Networks that allow source IP spoofing
+
Servers that reply to non-customers
-
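Both ingredients leave a trace in flow data, and the script below, an added example that is not part of the deck or of CloudFlare's tooling, shows how to look for them. It runs over a handful of constructed NetFlow-style records (RFC 5737 documentation addresses; `192.0.2.0/24` is assumed to be "our" network and `198.51.100.0/24` the customer block we serve). The first check finds hosts that receive large answers from DNS/NTP/SNMP service ports from several sources while sending almost no queries to those ports: answers without questions, the signature of a reflection victim. The second finds our own servers that answer service-port queries for addresses outside the customer prefixes, which is the "replies to non-customers" ingredient. The port-to-service table and the thresholds are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Added example, not from the slides. Constructed NetFlow-style records, one
# per 5-tuple, byte counts summed over one export interval. RFC 5737 ranges:
# 192.0.2.0/24 is "our" network, 198.51.100.0/24 is our customer block.

REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}   # services from the slides


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


SAMPLE_FLOWS = [
    # A normal customer lookup: query out, answer back, similar sizes.
    Flow("198.51.100.10", 40512, "192.0.2.53", 53, 64),
    Flow("192.0.2.53", 53, "198.51.100.10", 40512, 210),
    # Our resolver and two other servers answering a host that never asked
    # anything: spoofed queries made 203.0.113.7 the victim, and each reflector
    # returned about 50 large responses in the interval (sizes constructed).
    Flow("192.0.2.53", 53, "203.0.113.7", 8080, 50 * 3363),
    Flow("192.0.2.54", 53, "203.0.113.7", 8080, 50 * 3363),
    Flow("192.0.2.55", 123, "203.0.113.7", 8080, 50 * 440),
]


def find_reflection_victims(flows: Iterable[Flow], min_sources: int = 3,
                            min_ratio: float = 10.0) -> List[dict]:
    """Hosts receiving many bytes *from* service ports while sending almost
    nothing *to* those ports. Legitimate clients ask before they are answered;
    a spoofed victim gets answers to questions it never sent."""
    inbound: Dict[str, dict] = defaultdict(
        lambda: {"nbytes": 0, "sources": set(), "services": set()})
    outbound: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.sport in REFLECTOR_PORTS:          # response leaving a service port
            rec = inbound[f.dst]
            rec["nbytes"] += f.nbytes
            rec["sources"].add(f.src)
            rec["services"].add(REFLECTOR_PORTS[f.sport])
        if f.dport in REFLECTOR_PORTS:          # query towards a service port
            outbound[f.src] += f.nbytes
    victims = []
    for host, rec in inbound.items():
        ratio = rec["nbytes"] / max(outbound[host], 1)   # avoid division by zero
        if len(rec["sources"]) >= min_sources and ratio >= min_ratio:
            victims.append({"host": host, "sources": len(rec["sources"]),
                            "ratio": round(ratio, 1),
                            "services": sorted(rec["services"])})
    return victims


def find_open_reflectors(flows: Iterable[Flow], our_net: str,
                         customer_nets: Iterable[str],
                         min_bytes: int = 10_000) -> List[dict]:
    """Our own servers answering service-port queries for addresses that are
    neither ours nor a customer's: the 'replies to non-customers' ingredient."""
    ours = ipaddress.ip_network(our_net)
    served = [ours] + [ipaddress.ip_network(n) for n in customer_nets]
    per_server: Dict[tuple, int] = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if src in ours and f.sport in REFLECTOR_PORTS and not any(dst in n for n in served):
            per_server[(f.src, REFLECTOR_PORTS[f.sport])] += f.nbytes
    return [{"server": s, "service": svc, "nbytes": b}
            for (s, svc), b in sorted(per_server.items()) if b >= min_bytes]


if __name__ == "__main__":
    for v in find_reflection_victims(SAMPLE_FLOWS):
        print("victim:", v)
    for r in find_open_reflectors(SAMPLE_FLOWS, "192.0.2.0/24", ["198.51.100.0/24"]):
        print("open reflector:", r)
```

On the sample data the customer host is not flagged (one source, ratio about 3), `203.0.113.7` is flagged as a victim of DNS and NTP reflection, and all three of our servers show up as answering a non-customer. On real exports the thresholds need tuning, and the second check is only as good as the list of prefixes the server is meant to serve.
-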
Good networks don't let packets originate from IPs they don't own (BCP38)
-
Not all networks are good
-
How common are these ingredients?
-
28 million open resolvers
-
24.6% of networks allow spoofing
-
10s of millions of open NTP/DNS servers
-
1 attacker's laptop controlling
57 compromised servers on
3 networks that allowed spoofing of
9Gbps DNS requests to
0.1% of open resolvers resulted in
300Gbps+ of DDoS attack traffic.
-
How did we stop it?
-
Anycast
-
Inherently dilutes the attack
-
300Gbps / 25 anycasted PoPs = 12 Gbps/PoP
-
Make sure you're not part of the problem
-
Are you running open DNS resolvers?
-
Are you running open NTP servers?
-
Implement BCP38 (uRPF)
-
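What BCP38 in strict uRPF mode actually decides, as an added example that is not part of the deck or of any vendor's implementation: a small model of a router's forwarding table and the check it applies on customer-facing ports. A packet passes only if the route back to its source address points out the interface the packet arrived on, so a customer can only source packets from the prefixes assigned to it. The interface names, the prefixes in the table and the sample packets are all constructed for the example; the default route to the upstream means anything not in a customer's block fails the check on that customer's port, and the upstream port is left unfiltered because strict mode would break there under asymmetric routing.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Added example, not from the slides: strict-mode uRPF (BCP38) as a router
# applies it. The table maps prefixes to the interface through which each
# prefix is reached; all values are constructed (RFC 5737 addresses).

FIB_TABLE = {
    "198.51.100.0/24": "cust1",     # customer 1's assigned block
    "203.0.113.0/25":  "cust2",     # customer 2's assigned block
    "0.0.0.0/0":       "upstream",  # default route towards the transit provider
}

Fib = List[Tuple[ipaddress.IPv4Network, str]]


def build_fib(table: Dict[str, str]) -> Fib:
    """Sort entries longest prefix first so the first hit is the longest match."""
    return sorted(((ipaddress.ip_network(p), iface) for p, iface in table.items()),
                  key=lambda e: e[0].prefixlen, reverse=True)


def lookup(fib: Fib, ip: str) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    for net, iface in fib:
        if addr in net:
            return iface
    return None


def urpf_strict_allows(fib: Fib, ingress_iface: str, src_ip: str) -> bool:
    """Strict mode: the packet is accepted only if the reverse path to its
    source address leaves through the very interface it arrived on."""
    return lookup(fib, src_ip) == ingress_iface


def filter_packets(fib: Fib, packets: Iterable[Tuple[str, str]],
                   protected_ifaces: Set[str]):
    """Apply the check to (ingress_iface, src_ip) pairs on the protected
    interfaces only; returns (accepted, dropped) in input order."""
    accepted, dropped = [], []
    for iface, src in packets:
        if iface in protected_ifaces and not urpf_strict_allows(fib, iface, src):
            dropped.append((iface, src))
        else:
            accepted.append((iface, src))
    return accepted, dropped


# Constructed sample packets: (interface the packet arrived on, claimed source)
SAMPLE_PACKETS = [
    ("cust1", "198.51.100.7"),     # customer 1 using its own address: pass
    ("cust1", "203.0.113.9"),      # customer 1 claiming customer 2's address: drop
    ("cust1", "192.0.2.1"),        # customer 1 claiming an address reached via upstream: drop
    ("cust2", "203.0.113.200"),    # outside customer 2's /25 (.128 and above): drop
    ("upstream", "192.0.2.1"),     # arriving from transit: not filtered on this port
]

if __name__ == "__main__":
    fib = build_fib(FIB_TABLE)
    accepted, dropped = filter_packets(fib, SAMPLE_PACKETS, {"cust1", "cust2"})
    print("accepted:", accepted)
    print("dropped: ", dropped)
```

Three of the five sample packets are dropped, all of them on customer ports with a source outside the customer's own block. That is the whole of BCP38: the filter has to sit at the edge where the assigned prefixes are known, which is why the slide asks each network to deploy it on its own customer-facing interfaces.
-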
Trey Guinn
Solution Engineer
www.cloudflare.com