Spoofing and Denial of Service: A risk to the decentralized Internet
DDoS: The real story with BCP38
Tom Paseka
APRICOT 2017
Global Network
© 2017 Cloudflare Inc. All rights reserved. 2
Content Neutral
Daily Attacks
• Because we have such a broad view of the internet, we see a lot of attacks
• This graph shows the count of different attacks
• Sometimes we see more than 1,400 unique attacks daily
We have to solve attacks
Record Breaking Attacks
| Nickname | Type | Volume |
| --- | --- | --- |
| SNMP Amp | SNMP Amplification/Reflection | 80Gbps |
| Spamhaus | DNS Amplification/Reflection | 300Gbps |
| "Winter of Attacks" | Direct | 400Gbps |
| IoT | Direct | 500Gbps+ |
• Around 5 years ago we saw some SNMP reflection attacks
• Cable modems from a very large Cable ISP in North America were reflecting SNMP walks towards us
• We then saw the infamous “Spamhaus” attacks. Attacks which were directed at us and internet infrastructure, resulting in impact to hundreds of thousands of internet users
• From September 2016, the “IoT” attacks, most famously the Mirai (未来) botnet with attacks breaking 500Gbps
Most big attacks have a few things in common
Flood of IP Packets
Spoofing Enables Impersonation
Spoofing?
• Why is spoofing an issue?
• This is my good friend Walt Wollny
• Let’s say he was assaulted, but by a masked assailant
• Without removing the mask, there can’t be legal retribution
May 2000: BCP38
BCP38
• BCP, Best Common Practice #38 was published in May 2000
• It gave guidance on how to configure your network to prevent spoofing
• This document is nearly 17 years old, so why isn’t it ingrained yet?
• Vendors’ fault? Operators’ fault?
• Regardless, IT’S. JUST. NOT. THERE.
CAIDA Spoofer Stats
Updated: Feb 2017. Source: https://spoofer.caida.org
Filter close to the source
• Filtering at the ingress from your customer is really how to stop spoofing
• You should also be filtering at the egress of your network, for multiple layers, in case of some misconfiguration
• Unicast Reverse Path Forwarding doesn’t scale well
• What about simple ACLs?
• Yet this still isn’t there!
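The "simple ACL" form of BCP38 ingress filtering, as an added example (not from the original slides): a per-customer permit list is built from the prefixes assigned to that customer, and any packet whose source falls outside it is dropped at the customer-facing port. The customer names and prefixes are constructed for illustration.

```python
import ipaddress

# Constructed customer assignments using documentation prefixes; the customer
# names are hypothetical. 8.8.8.8 is the spoofed source used later in the slides.
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}


def build_ingress_acl(prefixes):
    """Collapse a customer's assigned prefixes into the shortest permit list."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    acl = []
    for version in (4, 6):
        # collapse_addresses() cannot mix address families, so do each in turn.
        same_family = [n for n in nets if n.version == version]
        acl.extend(ipaddress.collapse_addresses(same_family))
    return acl


def permitted(acl, src):
    """BCP38 check: forward only if the source is inside an assigned prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net for net in acl)


def filter_customer_port(customer, sources):
    """Split source addresses seen on one customer port into (forwarded, dropped)."""
    acl = build_ingress_acl(CUSTOMER_PREFIXES[customer])
    forwarded = [s for s in sources if permitted(acl, s)]
    dropped = [s for s in sources if not permitted(acl, s)]
    return forwarded, dropped


# Constructed sources observed on cust-a's port. Another customer's address
# (198.51.100.7) is just as invalid here as an arbitrary Internet address.
SEEN_ON_CUST_A = [
    "192.0.2.10",
    "8.8.8.8",
    "192.0.2.200",
    "198.51.100.7",
    "2001:db8:a::1",
]

if __name__ == "__main__":
    acl = build_ingress_acl(CUSTOMER_PREFIXES["cust-a"])
    print("permit list:", [str(n) for n in acl])
    fwd, drop = filter_customer_port("cust-a", SEEN_ON_CUST_A)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```

The permit list stays as short as the customer's allocation, which is why a static ACL at the customer edge remains practical where uRPF is not.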
IP Spoofing:
• Enables Impersonation
• Isn’t solved
IP Spoofing
1. Tracing back is impossible
2. Allows sophisticated attacks
Where did the attack come from?
• The “Server” in this slide gets attack traffic
• It has one link out, to its router, so we know it came from the ‘router’
• But from there, where did it come from?
• There are multiple input interfaces, which one could be sending the traffic? Which network?
• We can trace this down in a bad way, by looking at graphs
Identifying interfaces
What’s on the other side of the Cable?
• For most internet networks, there are several types of input sources:
• Direct Peering: Where you have a single network and their customer cone on that interface
• Internet Exchange: many networks connected to a single fabric. Possibly hundreds of direct networks and thousands of indirect networks
• Internet Carrier / Transit Provider: The whole Internet
1. Direct Peering
• Where we have direct peering with another network, you have a pretty good idea of what’s on the other side
• This is going to be limited to that network and their customers
• In a case like this, it’s pretty easy to identify at least the ISP responsible for traffic
2. IXP / Internet Exchange Point
3. Transit Provider
IXPs and Transit Providers
• Both of these represent an issue
• There is any number of networks where traffic could be coming from
• No easy way to identify the source over either of these
• Let’s explore a little bit more about IXPs
2. IXP / Internet Exchange Point
• When traffic enters the IXP, we have no idea where the source came from
• Since you’re on one big fabric, anyone can inject it
• Very hard to track back
• Some ways to trace, but poorly implemented. I’ll touch on this later.
3. Transit Provider
[Diagram labels: Src ip = 8.8.8.8; 8.8.8.0/24]
• So, we see an attack coming from 8.8.8.8
• This is coming in over a transit provider
• But we have direct peering with the network that represents this traffic
• Why isn’t this traffic coming over the peering?
• …Because it’s spoofed.
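The reasoning on this slide written as detection logic over flow records, as an added example (not from the original slides): a source address covered by a prefix learned over direct peering is expected on that peering interface, so the same source arriving over transit or an exchange is flagged. Interface names, AS numbers and flow values are constructed; the check assumes the peer sends all traffic for its prefixes over the peering link, so a hit is a lead to investigate rather than proof.

```python
import ipaddress

# Constructed inputs. Interface names and AS numbers are hypothetical; the
# 8.8.8.0/24 prefix and the 8.8.8.8 source are the ones shown on the slide.
PEERING_ROUTES = {
    "peer-as64500": ["8.8.8.0/24"],
    "peer-as64501": ["203.0.113.0/24"],
    "peer-as64502": ["203.0.113.128/25"],
}

# Constructed flow records: source address, ingress interface, byte count.
FLOWS = [
    {"src": "8.8.8.8", "in_if": "transit-1", "bytes": 900_000},
    {"src": "8.8.8.8", "in_if": "peer-as64500", "bytes": 1_200},
    {"src": "203.0.113.9", "in_if": "ixp-1", "bytes": 40_000},
    {"src": "198.51.100.20", "in_if": "transit-1", "bytes": 5_000},
    {"src": "203.0.113.200", "in_if": "peer-as64502", "bytes": 700},
]


def expected_interface(src):
    """Return the peering interface whose most specific prefix covers src."""
    addr = ipaddress.ip_address(src)
    best_net, best_if = None, None
    for iface, prefixes in PEERING_ROUTES.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr.version != net.version or addr not in net:
                continue
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_if = net, iface
    return best_if


def classify(flow):
    """Compare where a flow arrived with where its source should arrive."""
    expected = expected_interface(flow["src"])
    if expected is None:
        # No peering route covers the source, so this check says nothing.
        return "unverifiable"
    if flow["in_if"] == expected:
        return "consistent"
    # The source belongs to a direct peer but arrived somewhere else.
    return "suspect-spoofed"


def bytes_by_verdict(flows):
    """Total bytes per verdict, to size the spoofed share of an attack."""
    totals = {}
    for flow in flows:
        verdict = classify(flow)
        totals[verdict] = totals.get(verdict, 0) + flow["bytes"]
    return totals


if __name__ == "__main__":
    for flow in FLOWS:
        print(f'{flow["src"]:>15} via {flow["in_if"]:<13} {classify(flow)}')
    print(bytes_by_verdict(FLOWS))
```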
Lack of Attribution
IP Spoofing
1. Tracing back is impossible
2. Allows sophisticated attacks
Amplification
• We know about amplification attacks, so I’m not going to go into technical detail
• The premise: Send a small request and get a big response directed at your target
• Amplification means you can knock off a service, much larger than you are, without using all your resources.
March 2013: Spamhaus
• During the Spamhaus attacks, DNS amplification was used
• Large DNS replies (e.g. ANY isc.org: ~4,000 byte reply to a very small query)
• 37Gbps of attack traffic was able to be amplified to 300Gbps of attack traffic
Amplification is relatively easy to block…
• …If you have the bandwidth (few networks can absorb hundreds of Gbps)
• Block on firewall:
  • src UDP/53 > deny
• Internet is fighting amplification sources:
  • openresolverproject.org
  • openntpproject.org
Source IP Addresses
• So, what happens when we trace the source IP address in attacks?
• Taking this lovely picture from xkcd, we see a map of what the internet is
https://xkcd.com/195/
• What does this same map look like, when we see a large scale attack?
• What about a different type of attack?
• This attack is coming from a single network, the graph on the left is the view of what is routed by that network
• The graph on the right is attack sources from that network
• Is this network doing egress filtering? Is it spoofed or all direct from that network?
Dealing with Attacks
Null Routing
• Probably the simplest way to deal with an attack
• You instruct your ISP not to route traffic for a single host, or a series of hosts in your network
• Except, you’ve just let the attacker win
• If you null route your service, you’ve taken it offline. Perhaps you have an advanced system and can quickly renumber, but the attacker can update their attack too
The only way to stay online is to absorb the attack
Receive and Process
• To absorb the attack you need to receive and process it
• This means you need to scale up infrastructure or develop advanced techniques to deal with attacks
• Both of these need huge amounts of capacity, both physical and logical
• Few networks are ready for it, so you outsource
• But this breaks the model of de-centralization
Centralization
Solution?
Technical solutions to IP Spoofing have failed
Don’t just solve the IP Spoofing…
…solve the attribution!
NetFlow
• Opensource Toolsets are great
• Scales very well
• Privacy Concerns?
• This is very very simple data
• Rotate (delete) logs every few days
• Use a high sampling rate. 1/16,000
• H/W vendors must get better
• Netflow v9 supports src/dst MAC
• Which vendor supports it?
• It is EMBARRASSING that a transit provider doesn’t know where packets ingress their networks
• It’s even more embarrassing that service providers who have NetFlow equipment, be it open sourced / in house or provided by a vendor, don’t know how to use it
• It’s also EMBARRASSING that hardware vendors don’t support full NetFlow v9
• This needs to be resolved now
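What the sampled NetFlow data and the source MAC field from the NetFlow slides buy you on an exchange fabric, as an added example (not from the original slides): the spoofed source IPs are ignored, each sampled record is attributed to the IXP member whose port MAC sent the frame, and the byte counts are scaled by the 1/16,000 sampling rate to estimate each member's share. The member table, MAC addresses, victim address and records are constructed.

```python
from collections import defaultdict

SAMPLING_RATE = 16_000  # 1-in-16,000 packet sampling, the rate given on the slide

# Constructed IXP member table (port MAC -> member). MACs and AS numbers are
# hypothetical; in practice this comes from the exchange's member list.
IXP_MEMBER_BY_MAC = {
    "02:00:00:00:00:0a": "AS64500",
    "02:00:00:00:00:0b": "AS64501",
}

# Constructed sampled flow records for one 60-second window on the IXP-facing
# interface. The source IPs are spoofed and useless for attribution; the
# source MAC identifies the member port that put the frame on the fabric.
RECORDS = [
    {"src_ip": "8.8.8.8", "dst_ip": "192.0.2.80", "src_mac": "02:00:00:00:00:0A", "bytes": 1500},
    {"src_ip": "198.51.100.3", "dst_ip": "192.0.2.80", "src_mac": "02:00:00:00:00:0a", "bytes": 1500},
    {"src_ip": "203.0.113.77", "dst_ip": "192.0.2.80", "src_mac": "02:00:00:00:00:0a", "bytes": 1500},
    {"src_ip": "198.51.100.9", "dst_ip": "192.0.2.80", "src_mac": "02:00:00:00:00:0b", "bytes": 1500},
    {"src_ip": "203.0.113.5", "dst_ip": "192.0.2.80", "src_mac": "02-00-00-00-00-FF", "bytes": 600},
    {"src_ip": "198.51.100.1", "dst_ip": "192.0.2.81", "src_mac": "02:00:00:00:00:0b", "bytes": 1500},
]


def normalize_mac(mac):
    """Lower-case, colon-separated form so exporter variants compare equal."""
    return mac.lower().replace("-", ":")


def attribute_by_mac(records, victim, window_s):
    """Estimate bits/second sent towards victim by each IXP member.

    Each sampled record stands for SAMPLING_RATE packets of the same size, so
    the estimate is coarse when only a handful of samples back it.
    """
    est_bytes = defaultdict(int)
    for rec in records:
        if rec["dst_ip"] != victim:
            continue
        mac = normalize_mac(rec["src_mac"])
        member = IXP_MEMBER_BY_MAC.get(mac, "unknown " + mac)
        est_bytes[member] += rec["bytes"] * SAMPLING_RATE
    ranked = [(member, total * 8 / window_s) for member, total in est_bytes.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for member, bps in attribute_by_mac(RECORDS, "192.0.2.80", 60):
        print(f"{member:<28} ~{bps / 1e6:.2f} Mbps")
```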
This is the first step
Attribution allows informed discussion
DDoS Causes centralization
To fix DDoS we need attribution
To make the internet better for everyone