Spoofing and Denial of Service: A risk to the decentralized InternetDDoS: The real story with BCP38
Tom Paseka
GPF 2017
Global Network
© 2017 Cloudflare Inc. All rights reserved. 2
Content Neutral
© 2016 Cloudflare Inc. All rights reserved. 3
Daily Attacks
© 2016 Cloudflare Inc. All rights reserved. 4
We have to solve attacks
© 2016 Cloudflare Inc. All rights reserved. 5
Record Breaking Attacks
Nickname Type Volume
SNMP Amp SNMP Amplification/Reflection 80Gbps
Spamhaus DNS Amplification/Reflection 300Gbps
"Winter of Attacks" Direct 400Gbps
IoT Direct 500Gbps+
© 2016 Cloudflare Inc. All rights reserved. 6
Most big attacks have a few things in common
© 2016 Cloudflare Inc. All rights reserved. 7
Flood of IP Packets
© 2016 Cloudflare Inc. All rights reserved. 8
© 2016 Cloudflare Inc. All rights reserved. 9
Spoofing Enables Impersonation
© 2016 Cloudflare Inc. All rights reserved. 10
Spoofing? • Why is spoofing an
issue?
• This is my good friend Walt Wollny
• Let’s say, he was assaulted, but it was by masked assailant
• Without removing the mask, there can’t be legal retribution
© 2016 Cloudflare Inc. All rights reserved. 11
May 2000: BCP38
© 2016 Cloudflare Inc. All rights reserved. 12
Caida Spoofer Stats
© 2016 Cloudflare Inc. All rights reserved. 13
Updated: Feb 2017. Source: https://spoofer.caida.org
Filter close to the source
© 2016 Cloudflare Inc. All rights reserved. 14
IP Spoofing:
•Enables Impersonation
• Isn’t solved
© 2016 Cloudflare Inc. All rights reserved. 15
IP Spoofing
1. Tracing back is impossible
2. Allows sophisticated attacks
© 2016 Cloudflare Inc. All rights reserved. 16
IP Spoofing
1. Tracing back is impossible
2. Allows sophisticated attacks
© 2016 Cloudflare Inc. All rights reserved. 17
Where did the attack come from?
© 2016 Cloudflare Inc. All rights reserved. 18
Identifying interfaces
© 2016 Cloudflare Inc. All rights reserved. 19
Identifying interfaces
© 2016 Cloudflare Inc. All rights reserved. 20
What’s on the other side of the Cable?
© 2016 Cloudflare Inc. All rights reserved. 21
1. Direct Peering
© 2016 Cloudflare Inc. All rights reserved. 22
2. IXP / Internet Exchange Point
© 2016 Cloudflare Inc. All rights reserved. 23
3. Transit Provider
2. IXP / Internet Exchange Point
© 2016 Cloudflare Inc. All rights reserved. 24
2. IXP / Internet Exchange Point
© 2016 Cloudflare Inc. All rights reserved. 25
?.?.?.?
3. Transit Provider
© 2016 Cloudflare Inc. All rights reserved. 26
Src ip = 8.8.8.8
3. Transit Provider
© 2016 Cloudflare Inc. All rights reserved. 27
???Src ip = 8.8.8.8???
8.8.8.0/24
Lack of Attribution
© 2016 Cloudflare Inc. All rights reserved. 28
IP Spoofing
1. Tracing back is impossible
2. Allows sophisticated attacks
© 2016 Cloudflare Inc. All rights reserved. 29
Amplification
© 2016 Cloudflare Inc. All rights reserved. 30
March 2013: Spamhaus
© 2016 Cloudflare Inc. All rights reserved. 31
Amplification is relatively easy to block….• …If you have the bandwidth. (few networks can absorb hundreds of Gbps)
• Block on firewall:
• src UDP/53 > deny
• Internet is fighting amplification sources:
• openresolverproject.org
• openntpproject.org
© 2016 Cloudflare Inc. All rights reserved. 32
Source IP Addresses
© 2016 Cloudflare Inc. All rights reserved. 33
???Src ip = 8.8.8.8???
8.8.8.0/24
Source IP Addresses
© 2016 Cloudflare Inc. All rights reserved. 34
https://xkcd.com/195/
Source IP Addresses
© 2016 Cloudflare Inc. All rights reserved. 35
Source IP Addresses
© 2016 Cloudflare Inc. All rights reserved. 36
Dealing with Attacks
© 2016 Cloudflare Inc. All rights reserved. 37
Null Routing
© 2016 Cloudflare Inc. All rights reserved. 38
Null Routing• Probably the simplest way to deal with an attack
• You instruct your ISP not to route traffic for a single host, or a series of hosts in your network
• Except, you’ve just let the attacker win
• If you null route your service, you’ve taken it offline. Perhaps you have an advanced system and can quickly renumber, but the attacker can update their attack too
© 2016 Cloudflare Inc. All rights reserved. 39
The only way to stay online is to absorb the attack
© 2016 Cloudflare Inc. All rights reserved. 40
Receive and Process
© 2016 Cloudflare Inc. All rights reserved. 41
Centralization
© 2016 Cloudflare Inc. All rights reserved. 42
Solution?
© 2016 Cloudflare Inc. All rights reserved. 43
Technical solutions to IP Spoofing have failed
© 2016 Cloudflare Inc. All rights reserved. 44
Don’t just solve the IP Spoofing
© 2016 Cloudflare Inc. All rights reserved. 45
Don’t just solve the IP Spoofing…
© 2016 Cloudflare Inc. All rights reserved. 46
…solve the attribution!
© 2016 Cloudflare Inc. All rights reserved. 47
Netflow• Opensource Toolsets are great
• Scales very well
• Privacy Concerns?
• This is very very simple data
• Rotate (delete) logs every few days
• Use a high sampling rate. 1/16,000
© 2016 Cloudflare Inc. All rights reserved. 48
Netflow• H/W vendors must get better
• Netflow v9 supports src/dst MAC
• Which vendor supports it?
© 2016 Cloudflare Inc. All rights reserved. 49
Photo: The Simpsons/FOX
NetFlow• It is EMBARRASING that a transit provider doesn’t know where packets ingress their
networks
• It’s even more embarrassing that service providers who have NetFlow equipment, be it open sourced / in house or provided by a vendor don’t know how to use it
• It’s also EMBARRASING that hardware vendors don’t support full NetFlow v9
• This needs to be resolved now
© 2016 Cloudflare Inc. All rights reserved. 50
This is the first step
© 2016 Cloudflare Inc. All rights reserved. 51
Attribution allows informed discussion
© 2016 Cloudflare Inc. All rights reserved. 52
DDoS Causes centralization
© 2016 Cloudflare Inc. All rights reserved. 53
To fix DDoS we need attribution
© 2016 Cloudflare Inc. All rights reserved. 54
To make the internet better for everyone
© 2016 Cloudflare Inc. All rights reserved. 55