![Page 1: DDOS. Methods – Syn flood – Icmp flood – udp Common amplification vectors – NTP 557 – CharGen 359 – DNS 179 – QOTD 140 – Quake 64 – SSDP 31 – Portmap28](https://reader035.vdocuments.us/reader035/viewer/2022062517/56649efd5503460f94c10fee/html5/thumbnails/1.jpg)
DDOS
• Methods
– SYN flood
– ICMP flood
– UDP flood
• Common amplification vectors (bandwidth amplification factor)
– NTP 557
– CharGen 359
– DNS 179
– QOTD 140
– Quake 64
– SSDP 31
– Portmap 28
– mDNS 10
– SNMPv2 6
Volumetric vs. Overwhelming a service
Infrastructure vulnerable to Volumetric Attack
• Campus Network “last mile”
• Firewalls, other traffic-impeding middleboxes
• Monitoring
• uwsys.net upstream transit
• Etc.
Don’t be a participant
• Filter
– Block or rate-limit known vectors
– Deprecate open recursive resolvers
– Anti-spoofing: uRPF, ACLs
• Monitor. Can you detect DDoS in your traffic?
• UWSys has some monitoring and aggressive filters where plausible. (more from Michael later)
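The anti-spoofing bullet above names uRPF and ACLs without saying how they decide. The following is an added example, not part of the deck, that models both checks in Python so the difference between strict and loose uRPF (and what each one misses) can be seen on concrete packets. The routing table, interface names (`campus-a`, `campus-b`, `upstream`) and the `10.0.0.0/8` campus space are constructed for the illustration; the default-route handling is a simplified model of common router behaviour, not any vendor's exact implementation.

```python
import ipaddress

# Constructed forwarding table for the illustration: prefix -> interface that
# the best route to that prefix points out of (the "reverse path").
# 10.1/16 and 10.2/16 stand in for two campus subnets; everything else is
# reached through the upstream transit interface.
ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): "campus-a",
    ipaddress.ip_network("10.2.0.0/16"): "campus-b",
    ipaddress.ip_network("0.0.0.0/0"): "upstream",
}
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Constructed: all address space the campus legitimately sources traffic from.
OUR_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]


def reverse_path(src_ip, allow_default=False):
    """Longest-prefix match on the *source* address.

    Returns the interface the router would use to reach src_ip, or None when
    only the default route matches and allow_default is False (simplified model
    of routers ignoring the default route in uRPF unless told otherwise).
    """
    addr = ipaddress.ip_address(src_ip)
    matches = [(net, ifc) for net, ifc in ROUTES.items() if addr in net]
    if not matches:
        return None
    net, ifc = max(matches, key=lambda m: m[0].prefixlen)
    if net == DEFAULT and not allow_default:
        return None
    return ifc


def urpf_permits(src_ip, ingress_ifc, mode="strict", allow_default=False):
    """Simplified unicast reverse-path forwarding check.

    strict: the best route back to the source must point out the interface
            the packet arrived on.
    loose : any route back to the source is enough; this only catches
            unrouted/bogon sources, so it tolerates asymmetric routing.
    """
    ifc = reverse_path(src_ip, allow_default)
    if ifc is None:
        return False  # no usable route back to the source: spoofed or bogon
    if mode == "loose":
        return True
    if mode == "strict":
        return ifc == ingress_ifc
    raise ValueError(f"unknown uRPF mode {mode!r}")


def ingress_acl_permits(src_ip, ingress_ifc, our_prefixes):
    """Static anti-spoofing ACL in the BCP 38 style, complementing uRPF.

    On campus-facing interfaces only our own address space may appear as a
    source; on the upstream interface our own space must never appear as a
    source (someone outside is spoofing us).
    """
    addr = ipaddress.ip_address(src_ip)
    is_ours = any(addr in p for p in our_prefixes)
    if ingress_ifc == "upstream":
        return not is_ours
    return is_ours


if __name__ == "__main__":
    cases = [
        ("10.1.5.5", "campus-a"),       # legitimate campus host
        ("198.51.100.7", "campus-a"),   # campus host spoofing an outside address
        ("10.2.3.4", "campus-a"),       # asymmetric: 10.2/16 source seen on campus-a
        ("10.1.9.9", "upstream"),       # outside party spoofing our own space
    ]
    for src, ifc in cases:
        print(f"{src:>14} on {ifc:<9} strict={urpf_permits(src, ifc)!s:<5} "
              f"loose={urpf_permits(src, ifc, 'loose')!s:<5} "
              f"acl={ingress_acl_permits(src, ifc, OUR_PREFIXES)}")
```

The third and fourth cases are the ones worth noticing: strict uRPF drops a legitimate but asymmetrically routed source, which is why it is usually deployed only on single-homed edge interfaces, while loose uRPF lets an outsider spoof campus space straight through, which is what the upstream-facing ACL is for. Allowing the default route to satisfy the check (`allow_default=True`) makes loose mode accept almost any source, so it should be a deliberate choice.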
Example (volumetric) Motivations
• On-line gaming / forums
– Take a specific user offline
– Revenge
• Avoid exams
– Disrupt online services
• Create a distraction
– Then hack machines while monitoring/staff is overwhelmed
• Wreak havoc
– Happened to Rutgers
Economics
But, I have a DR plan
• Example: Resilient web hosting
• Oh, so you want to make a change to DNS?
– Where is your SOA?
– Where are the authoritative servers?
• Of the 15 major UW domains,
– 3 do not have any NS records off-site at all. Really.
– 9 still share fate with uwsys network
– Only 3 have off-site (non uw-system) resiliency
– Zero have SOA off-site.
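The three categories in the survey above (no off-site NS, shares fate with the transit network, genuinely off-site) plus the SOA question are a check anyone can run on their own zones. The following is an added example, not from the deck, that classifies a zone's nameservers by where they sit and grades it the same way. The prefixes and zones are constructed from documentation address space; `CAMPUS_PREFIXES` stands in for the campus's own space and `TRANSIT_PREFIXES` for the shared upstream network (the role uwsys.net plays in the slide). In practice the `ns` and `soa_mname` inputs would come from `dig NS` and `dig SOA` against the zone, resolving each NS name to its addresses.

```python
import ipaddress

# Constructed address space (documentation prefixes, not real UW networks):
#   CAMPUS_PREFIXES  - the campus's own space ("on-site")
#   TRANSIT_PREFIXES - the shared upstream network's space; servers here are
#                      off-campus but still share fate with the campus's transit
CAMPUS_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
TRANSIT_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def locate(ip):
    """Classify where a nameserver lives relative to our infrastructure."""
    addr = ipaddress.ip_address(ip)
    if any(addr in p for p in CAMPUS_PREFIXES):
        return "campus"
    if any(addr in p for p in TRANSIT_PREFIXES):
        return "shared-transit"
    return "off-site"


def assess_zone(zone):
    """Grade a zone's DNS resiliency the way the slide does.

    zone = {"name": ..., "ns": {hostname: ip, ...}, "soa_mname": hostname}
    (what `dig NS` / `dig SOA` would return; constructed by hand here).
    Returns per-class NS counts, a verdict string, and whether the SOA MNAME
    (the primary you would have to edit during an outage) is off-site.
    """
    places = {host: locate(ip) for host, ip in zone["ns"].items()}
    counts = {"campus": 0, "shared-transit": 0, "off-site": 0}
    for place in places.values():
        counts[place] += 1

    if counts["off-site"] > 0:
        verdict = "off-site resiliency"
    elif counts["shared-transit"] > 0:
        verdict = "shares fate with transit network"
    else:
        verdict = "no off-site NS at all"

    mname = zone["soa_mname"]
    soa_place = places.get(mname, "unknown")  # MNAME need not be a listed NS
    return {
        "zone": zone["name"],
        "ns_counts": counts,
        "verdict": verdict,
        "soa_mname": mname,
        "soa_location": soa_place,
        "soa_off_site": soa_place == "off-site",
    }


def summarize(zones):
    """Tally zones per verdict and count off-site SOAs, like the slide's numbers."""
    tally = {"no off-site NS at all": 0, "shares fate with transit network": 0,
             "off-site resiliency": 0, "soa_off_site": 0}
    for z in zones:
        r = assess_zone(z)
        tally[r["verdict"]] += 1
        if r["soa_off_site"]:
            tally["soa_off_site"] += 1
    return tally


# Constructed zones, one per category on the slide.
ZONES = [
    {"name": "alpha.example.edu",
     "ns": {"ns1.alpha.example.edu": "192.0.2.10",
            "ns2.alpha.example.edu": "192.0.2.11"},
     "soa_mname": "ns1.alpha.example.edu"},
    {"name": "beta.example.edu",
     "ns": {"ns1.beta.example.edu": "192.0.2.20",
            "ns.transit.example.net": "198.51.100.53"},
     "soa_mname": "ns1.beta.example.edu"},
    {"name": "gamma.example.edu",
     "ns": {"ns1.gamma.example.edu": "192.0.2.30",
            "ns.transit.example.net": "198.51.100.53",
            "dns1.provider.example": "203.0.113.53"},
     "soa_mname": "ns1.gamma.example.edu"},
]

if __name__ == "__main__":
    for z in ZONES:
        r = assess_zone(z)
        print(f"{r['zone']:<20} {r['verdict']:<34} SOA at {r['soa_location']}")
    print(summarize(ZONES))
```

Two caveats the verdict does not capture: an off-site secondary only helps if the parent zone's delegation actually lists it, and if it cannot reach the primary it keeps answering only until the SOA expire timer runs out, so an on-site MNAME during a long outage means both "cannot change the zone" and, eventually, "secondaries stop answering".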
DDOS Solution Space
Needed: a holistic approach
• Cloud (me)
• Network (Dan D., Michael H.)
• Appliance (Greg P., Scott B.)
Pat
• People
• Processes
• Technology
DDOS Detection
The Movies
Reality
Cloud Mitigation
• CDN hosting
– Typically a DNS redirect
• DR Load balancing
• “web application firewall” (Reverse proxy)
• Scrubbing
Recall, two types of DDOS:
– Application / overwhelm a service
– Volumetric attack
Scrubbing
• Contract in place with a provider
• Pre-configured GRE tunnel to scrubbing provider
• Process netflow, alert a human to look at it
• Tell provider to scrub for a prefix (via BGP)
• Scrubber announces more-specific prefixes (up to /24) to Internet, processes traffic, sends legitimate traffic back via GRE
• Pricing models vary
– amount of scrubbing capacity under contract
– What the data rate of the clean traffic should be
– Incidental overage vs long-duration
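The "Process netflow, alert a human" step above, and the earlier "Monitor. Can you detect DDoS in your traffic?" question, both need a concrete detection rule. The following is an added example, not the deck's or UWSys's tooling, that runs a reflection check over a window of NetFlow-style records: it flags a campus host receiving from many outside sources on the amplification-vector ports the deck lists (we are the victim, the case you would hand to the human deciding on scrubbing), and a campus host sending from one of those ports to many outside hosts (we are a participant). The flow records, the `192.0.2.0/24` campus prefix, the port-to-vector table (well-known service ports; Quake's 27960) and the thresholds are constructed for the illustration.

```python
import ipaddress
from collections import defaultdict

# UDP source ports of the amplification vectors named on the slides.
REFLECTOR_PORTS = {
    123: "NTP", 19: "CharGen", 53: "DNS", 17: "QOTD", 27960: "Quake",
    1900: "SSDP", 111: "Portmap", 5353: "mDNS", 161: "SNMP",
}

OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]  # constructed campus space


def is_ours(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in p for p in OUR_PREFIXES)


# Constructed flow records for one 60-second export window:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    # 1) NTP reflection aimed at a campus host: five outside "servers" answering
    #    from 123/udp toward a host that never asked, with large byte counts.
    *[(f"203.0.113.{i}", 123, "192.0.2.10", 40000 + i, "udp", 15000, 20_000_000)
      for i in range(1, 6)],
    # 2) A campus resolver being used as a reflector: answers from 53/udp to
    #    four outside "victims" at a rate far above anything normal.
    *[("192.0.2.53", 53, f"198.51.100.{i}", 53, "udp", 25000, 30_000_000)
      for i in range(1, 5)],
    # 3) Benign: a campus client's DNS query and its small answer.
    ("192.0.2.20", 51515, "203.0.113.222", 53, "udp", 1, 80),
    ("203.0.113.222", 53, "192.0.2.20", 51515, "udp", 1, 512),
    # 4) Benign TCP web traffic, ignored by the UDP reflection logic.
    ("192.0.2.20", 44444, "203.0.113.200", 443, "tcp", 400, 300_000),
]


def detect_reflection(flows, window_s=60, min_peers=3, min_mbps=1.0):
    """Flag amplification traffic in one NetFlow window, in both directions.

    inbound : many outside sources sending from a reflector service port to
              one campus host  -> we are the victim
    outbound: one campus host sending from a reflector service port to many
              outside hosts    -> we are a participant
    A (host, vector) pair is reported when it has at least min_peers distinct
    peers and its aggregate rate over the window meets min_mbps.
    """
    inbound = defaultdict(lambda: [set(), 0])   # (campus dst, port) -> [peers, bytes]
    outbound = defaultdict(lambda: [set(), 0])  # (campus src, port) -> [peers, bytes]
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if is_ours(dst) and not is_ours(src):
            agg = inbound[(dst, sport)]
            agg[0].add(src)
        elif is_ours(src) and not is_ours(dst):
            agg = outbound[(src, sport)]
            agg[0].add(dst)
        else:
            continue
        agg[1] += nbytes

    alerts = []
    for direction, table in (("inbound", inbound), ("outbound", outbound)):
        for (host, port), (peers, nbytes) in table.items():
            mbps = nbytes * 8 / window_s / 1e6
            if len(peers) >= min_peers and mbps >= min_mbps:
                alerts.append({
                    "direction": direction,
                    "host": host,
                    "vector": REFLECTOR_PORTS[port],
                    "peers": len(peers),
                    "mbps": round(mbps, 1),
                })
    return sorted(alerts, key=lambda a: a["mbps"], reverse=True)


if __name__ == "__main__":
    for a in detect_reflection(FLOWS):
        print(f"{a['direction']:<8} {a['host']:<14} {a['vector']:<7} "
              f"peers={a['peers']} rate={a['mbps']} Mbps")
```

Two practical points: exported NetFlow is usually sampled, so byte counts must be multiplied by the sampling rate before comparing with a rate threshold, and the thresholds should come from a per-host baseline rather than fixed numbers, since a busy authoritative resolver legitimately answers many outside peers from port 53. The inbound alert is the input to the "tell the provider to scrub this prefix" step; the outbound alert means the fix is local (close or rate-limit the service, per the "Don't be a participant" slide).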
The era of unsolicited packets is over...
• Can’t we just turn off / rate limit UDP?
• QUIC
– Google’s experiment to replace TCP+TLS+SPDY