Distributed Denial of Service Attacks
2013-08-29
Andrew Sullivan, Principal Architect
Pg. 2 (To Cover Today)
• What is a DDoS?
• What do they do?
• How do they work?
• Who does them?
• Why?
Pg. 3 (To Cover Today)
• How does DNS play in?
• What is reflection?
• What is amplification?
• What if you are being attacked?
• What if you're used in an attack?
Pg. 4 (To Cover Today)
• Things you can do
• Does outsourcing help?
• Does anycast help?
• What about appliances?
• What about mitigation services?
Pg. 5 (DDoS: what?): Just what the name says
Denial of Service prevents users from being able to use the target service. It can be done by breaking the software or by overwhelming it:
• Break code ("smash the stack")
• Lock out passwords
• Viruses &c.
• Request lots and block legitimate requests
• Stuff the network so nobody can communicate
Pg. 6 (Respond to DoS): DoS Target (diagram)
Pg. 7 (Respond to DoS): First defense: more boxes! (diagram)
Pg. 8 (Respond to DoS): Or even not quite so many (diagram)
Pg. 9-10 (DoS by Network): Send a lot of traffic (diagram, built up over two slides)
Pg. 11: Why talk about this now? What's new?
• Not new: Morris, 1988
• New: "better" profiles
• New: "better" tools
• New: better-provisioned sources
Pg. 12 (DDoS: what?): The sources have changed
You will run out of money for bandwidth before attackers run out of compromised servers.
(diagram: Then vs. Now)
Pg. 13 (How DDoS works): Really distributed attacks
Big attackers: attack networks are now well-connected and very widely distributed.
• 18 data centers
• Global presence
• Used to see attacks in some sites
• Now see them everywhere
Pg. 14 (Explaining DoS): Why?
Money, politics, religion. Mostly money.
Pg. 15 (How DDoS works): Flood from many sites
(diagram caption: something bad from a spoofed address, e.g. smurf attack, DNS query for a big record, ping of death)
Pg. 16 (How DDoS works): Need control (diagram)
Pg. 17 (How DDoS works): Block control, end the attack (diagram)
Pg. 18 (How DDoS works): Wait a minute! Spoofed addresses?
User Datagram Protocol (UDP), not Transmission Control Protocol (TCP, handshake): a UDP datagram is answered on the strength of its source address alone, whereas TCP's three-way handshake means a forged source never completes the connection, because the SYN-ACK goes to the forged address rather than to the attacker.
Pg. 19 (How DDoS works): Why not fix that?
• We tried in Best Current Practice (BCP) 38
• Some networks don't do that
• There are no Internet Police
• Internet Police would also be bad
Pg. 20 (How DDoS works: DNS): Don't attack directly (diagram)
Pg. 21 (How DDoS works: DNS): Use someone else to mount the attack
Reflection: since you can spoof addresses, you query pretending to be someone else. They get the responses.
Pg. 22 (How DDoS works: DNS): Key attributes of reflection
• Relies on UDP to permit spoofing
• Relies on servers trying to answer every query
• A server refusing to answer might cause collateral damage
Pg. 23 (How DDoS works: DNS): Amplification (diagram)
Pg. 24 (How DDoS works: DNS): Key attributes of amplification
• Queries are small
• Answers can be large
• Target need not be a DNS server
• Makes DNS a very useful attack vector
Pg. 25 (How DDoS works: DNS): How effective is DNS amplification?
Good amplifier: the cost of the attack stays the same; different queries provide different amplification. (chart)
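The following is an added example, not code from the talk. It puts numbers on slides 18, 21, 24 and 25: it builds a real RFC 1035 query on the wire (optionally with an EDNS0 OPT record advertising a 4096-byte UDP buffer), models a reflector that answers to whatever source address the datagram carries, and computes the bandwidth amplification the spoofed "source" (the victim) receives. The zone contents (example.test with eight fat TXT records) and the addresses are constructed for the illustration; the truncation rule models a server that will not exceed the client's advertised UDP size.

```python
"""Added example: DNS reflection and amplification arithmetic (constructed data)."""
import struct
from typing import List, Optional, Tuple

IP_UDP_OVERHEAD = 28  # IPv4 header (20) + UDP header (8) on every datagram

# RR type codes (RFC 1035, RFC 3596, RFC 6891)
A, NS, TXT, AAAA, OPT, ANY = 1, 2, 16, 28, 41, 255


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234, edns_bufsize: Optional[int] = 4096) -> bytes:
    """A query as an attacker sends it: tiny, with EDNS0 inviting a big answer."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if edns_bufsize:
        # OPT RR: root owner, TYPE 41, CLASS carries the UDP payload size, TTL 0, empty RDATA
        opt = b"\x00" + struct.pack("!HHIH", OPT, edns_bufsize, 0, 0)
    return header + question + opt


def parse_question(query: bytes) -> Tuple[str, int]:
    """Recover (qname, qtype) from the question section."""
    labels, pos = [], 12
    while query[pos]:
        n = query[pos]
        labels.append(query[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", query[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype


def advertised_bufsize(query: bytes) -> int:
    """UDP payload the client accepts: 512 without EDNS0 (RFC 1035), else the OPT CLASS field.
    Assumes the OPT RR is the trailing record, as build_query emits it."""
    if struct.unpack("!H", query[10:12])[0] == 0:
        return 512
    rr_type, bufsize = struct.unpack("!HH", query[-10:-6])
    return bufsize if rr_type == OPT else 512


def build_response(query: bytes, answers: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Authoritative answer echoing the question. If it would exceed the client's UDP buffer,
    send only header+question with TC=1 so a real client retries over TCP: no amplification."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = query.index(b"\x00", 12) + 1 + 4  # name terminator, then QTYPE and QCLASS
    question = query[12:qend]
    rrs = b"".join(encode_name(n) + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd
                   for n, t, ttl, rd in answers)
    full = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answers), 0, 0) + question + rrs  # QR, AA
    if len(full) <= advertised_bufsize(query):
        return full
    return struct.pack("!HHHHHH", txid, 0x8600, 1, 0, 0, 0) + question  # QR, AA, TC


# Constructed zone: a few ordinary records plus eight 200-byte TXT records (SPF/DKIM-style bulk).
_TXT_BLOB = b"x" * 200
ZONE = {
    "example.test": [
        ("example.test", A, 3600, bytes([192, 0, 2, 1])),
        ("example.test", AAAA, 3600, bytes.fromhex("20010db8") + bytes(11) + b"\x01"),
        ("example.test", NS, 3600, encode_name("ns1.example.test")),
        ("example.test", NS, 3600, encode_name("ns2.example.test")),
    ] + [("example.test", TXT, 3600, bytes([len(_TXT_BLOB)]) + _TXT_BLOB) for _ in range(8)],
}


def reflect(src_ip: str, query: bytes, zone=ZONE) -> Tuple[str, bytes]:
    """The reflector cannot tell a spoofed source from a real one: the answer goes to
    whatever src_ip the attacker wrote into the datagram."""
    name, qtype = parse_question(query)
    records = zone.get(name, [])
    if qtype != ANY:
        records = [r for r in records if r[1] == qtype]
    return src_ip, build_response(query, records)


def amplification(query: bytes, response: bytes) -> float:
    """Bytes delivered to the victim per byte the attacker spent, IP/UDP headers included."""
    return (len(response) + IP_UDP_OVERHEAD) / (len(query) + IP_UDP_OVERHEAD)


if __name__ == "__main__":
    victim = "198.51.100.7"  # spoofed source; the attacker never sees the answers
    for label, q in [("A, no EDNS", build_query("example.test", A, edns_bufsize=None)),
                     ("ANY, no EDNS", build_query("example.test", ANY, edns_bufsize=None)),
                     ("ANY, EDNS 4096", build_query("example.test", ANY))]:
        dst, resp = reflect(victim, q)
        print(f"{label:15s} query={len(q):3d}B response={len(resp):4d}B -> {dst} x{amplification(q, resp):.1f}")
```

The point the three runs make: the same 41-byte query costs the attacker the same whether it asks for A or ANY, but the reflector's answer to ANY with EDNS0 is about 29 times larger than what was sent, while without EDNS0 the 512-byte limit forces a truncated reply and the amplification collapses to 1.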
Pg. 26 (How DDoS works: DNS): Not just DNS targets
Any service: this is mostly a network DoS; the attacker just fills the network.
Pg. 27 (How DDoS works: DNS): Attack the DNS server
Direct attack: the abuse queries and the amplified responses block legitimate traffic.
Pg. 28 (How DDoS works: DNS): Attack the DNS server
Indirect attack: the abuse queries and the amplified responses block legitimate traffic at some other server.
Pg. 29 (How DDoS works: DNS): Attack another service
Indirect attack: the abuse queries and the amplified responses block legitimate traffic at some other service.
Pg. 30: Attack on your authoritative DNS server
Scenario: your DNS service is the target of attack query traffic.
What happens:
• You receive a lot of queries
• You send a lot of responses
• You can't answer real queries
• Probably, you're a reflector
Pg. 31: Attack on your recursive DNS server
Scenario: your DNS service is the target of attack answer traffic.
What happens:
• You receive a lot of answers
• The traffic fills your bandwidth
• You can't answer real queries
Pg. 32: You are a reflector or amplifier
Scenario: your DNS service is the target of attack query traffic and is sending a lot of answers.
What happens:
• You receive a lot of queries
• You send a lot of responses to someone
• You get identified
• People start blocking you
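An added example of the check an operator would run to notice the scenario on this slide before someone else identifies them; it is not from the talk. From the server's side, spoofed reflection traffic looks like one client netblock (really the victim) sending a high rate of queries for "fat" record types with EDNS0 enabled. The log lines are constructed here in a BIND-style query-log layout; the "+E" flag convention, the 20-query threshold and the 80% fat-type share are illustrative choices for the example, not a standard.

```python
"""Added example: spotting that your DNS server is being used as a reflector (constructed log)."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

# Constructed lines: "<timestamp> client <ip>#<port>: query: <qname> IN <qtype> <flags> (<server-ip>)"
# "+E" in the flags column marks an EDNS0 query (convention adopted for this example).
_LINE = ("29-Aug-2013 10:15:{sec:02d}.{ms:03d} client {ip}#{port}: query: "
         "{name} IN {qtype} {flags} (192.0.2.53)")

SAMPLE_LOG = "\n".join(
    # 60 queries in one second, all ANY with EDNS, "from" the victim's address (spoofed)
    [_LINE.format(sec=1, ms=i * 15 % 1000, ip="198.51.100.7", port=1024 + i,
                  name="example.test", qtype="ANY", flags="+E") for i in range(60)]
    # ordinary traffic: a few resolvers asking for A/AAAA/MX records
    + [_LINE.format(sec=1, ms=i * 100, ip=f"203.0.113.{i + 1}", port=40000 + i,
                    name="www.example.test", qtype=("A", "AAAA", "MX")[i % 3],
                    flags="-" if i % 2 else "+E") for i in range(9)]
)

LOG_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")
FAT_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}  # record types that produce large answers


def parse_log(text: str) -> List[dict]:
    """Pull (ip, name, qtype, flags) out of each line that matches the query-log layout."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            out.append(m.groupdict())
    return out


def suspicious_sources(text: str, min_queries: int = 20, fat_share: float = 0.8,
                       prefix_len: int = 24) -> Dict[str, dict]:
    """Aggregate per client /24 and return the netblocks that look like spoofed victims:
    many queries, nearly all for fat record types."""
    stats = defaultdict(lambda: {"queries": 0, "fat": 0, "edns": 0})
    for rec in parse_log(text):
        net = str(ipaddress.ip_network(f"{rec['ip']}/{prefix_len}", strict=False))
        s = stats[net]
        s["queries"] += 1
        s["fat"] += rec["qtype"] in FAT_TYPES
        s["edns"] += "E" in rec["flags"]
    flagged = {}
    for net, s in stats.items():
        if s["queries"] >= min_queries and s["fat"] / s["queries"] >= fat_share:
            flagged[net] = {**s, "fat_share": s["fat"] / s["queries"]}
    return flagged


if __name__ == "__main__":
    for net, s in suspicious_sources(SAMPLE_LOG).items():
        print(f"{net}: {s['queries']} queries, {s['fat_share']:.0%} fat types, "
              f"{s['edns']} with EDNS -> likely a spoofed victim; you are the reflector")
```

Aggregating by /24 rather than by exact address matters because attackers scatter spoofed sources across the victim's whole block; the ordinary resolvers in 203.0.113.0/24 are not flagged even at a threshold of one query, because their record types are not the fat ones.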
Pg. 33: Your application is a target
Scenario: your non-DNS service is the target of attack answers.
What happens:
• Your bandwidth goes to receiving (useless) data
• Your application is broken
• Might cost you money (bandwidth fees)
Pg. 34 (Responding): What can you do? Outsourcing
Letting someone else run your systems for you can help:
• Large systems
• Robust networks
• Expert operators
• Skilled mitigation
Pg. 35 (Responding): What can you do? Outsourcing
Letting someone else run your systems for you can bring new risk:
• Large providers are themselves targets
• Large providers have other customers who might be targets
• You give up some control
Pg. 36 (Responding): How do you do it? Outsourcing
Not all providers are equal. You may be outsourcing already (your registrar?).
Research your options:
• What's the network like?
• Mitigation strategies?
• Other customers?
Pg. 37-38 (Responding): What can you do? Anycast
Nifty trick of serving the same IP address from different machines. (diagram, built up over two slides)
Pg. 39 (Responding): What can you do? Anycast
Can help localize attacks on the Internet:
• Usually isolates the attack to one or two network locations
• Can reroute traffic to a "bigger" node
• Harder to fill many transit paths
Pg. 40 (Responding): What can you do? Anycast
No magic bullet:
• If you don't know what anycast is, you don't want to do it
• Requires money: staff, machines, sites
• Won't actually stop the attack
Pg. 41 (Responding): How do you do it? Anycast
Bring money, and pick the right use cases.
You will need:
• Experts
• Network
Not good for all cases:
• "Short" protocols (e.g. DNS) ok
• Long-lived streams (like http) bad: a route change mid-connection delivers packets to a node that holds no state for that connection
Pg. 42 (Responding): What can you do? Appliances
There are lots of these with different strategies:
• Some identify by analysis
• Some identify by known bad actors
• Usually rate limit traffic
• Ineffective if your pipe is full
Pg. 43 (Responding): What can you do? Services
Pay people for their mitigation strategies:
• Large services will "scrub" your traffic
• Reasonably effective for http
• Almost useless for DNS
• Often difficult for bespoke protocols
Pg. 44 (Responding): What can you do? Scepticism
There's a lot of security snake oil. Test. Then test again.
(image caption: "I doubt it.")
Pg. 45 (Responding): What can you do? RRL (Response Rate Limiting)
Pg. 46 (Responding): What can you do? RRL (Response Rate Limiting)
• Reduces the rate at which a server responds to apparent attacks
• Changes assumptions about DNS
• If you're running your own servers, get the patch and turn it on (at the time of this talk RRL was a patch to BIND; it has since been built into BIND, NSD and Knot DNS)
Pg. 47 (Responding): What can you do? RRL
Some corner cases:
• The standard patch is a poor fit for very busy zones with very short TTLs
• Adds yet another operational convention to DNS
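A simplified model of what RRL does, added here as an example and not the BIND RRL patch itself. It keeps one token bucket per (client netblock, qname, qtype, rcode), answers while credit remains, and once the bucket is empty alternates between dropping and "slipping": every slip-th limited response is a short truncated (TC=1) reply, so a real client retries over TCP while a spoofed victim receives almost nothing. The parameter names loosely mirror BIND's responses-per-second and slip options; the bucket arithmetic (burst capped at one second's worth, deterministic clock passed in) is a simplification chosen for this example.

```python
"""Added example: a simplified Response Rate Limiting (RRL) decision engine (not BIND's code)."""
import ipaddress
from collections import Counter
from typing import Dict, Tuple


class ResponseRateLimiter:
    def __init__(self, responses_per_second: int = 5, slip: int = 2,
                 ipv4_prefix: int = 24, ipv6_prefix: int = 56):
        self.rps = responses_per_second
        self.slip = slip
        self.v4, self.v6 = ipv4_prefix, ipv6_prefix
        # key -> (tokens, last_refill_time, consecutive_limited)
        self.buckets: Dict[Tuple[str, str, str, str], Tuple[float, float, int]] = {}

    def _key(self, client_ip: str, qname: str, qtype: str, rcode: str):
        # Aggregate by netblock: spoofed queries scatter source addresses across the victim's prefix.
        ip = ipaddress.ip_address(client_ip)
        plen = self.v4 if ip.version == 4 else self.v6
        net = ipaddress.ip_network(f"{client_ip}/{plen}", strict=False)
        return (str(net), qname.lower(), qtype, rcode)

    def decide(self, client_ip: str, qname: str, qtype: str, rcode: str, now: float) -> str:
        """Return 'answer', 'slip' (send a TC=1 stub) or 'drop' for one would-be response."""
        key = self._key(client_ip, qname, qtype, rcode)
        tokens, last, limited = self.buckets.get(key, (float(self.rps), now, 0))
        # Refill at rps tokens per second; burst capacity is one second's worth.
        tokens = min(float(self.rps), tokens + (now - last) * self.rps)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now, 0)
            return "answer"
        limited += 1
        self.buckets[key] = (tokens, now, limited)
        if self.slip and limited % self.slip == 0:
            return "slip"  # truncated reply: tells a real client to retry over TCP, costs the victim little
        return "drop"


def simulate(rrl: ResponseRateLimiter, client_ip: str, n: int, now: float,
             qname: str = "example.test", qtype: str = "ANY", rcode: str = "NOERROR") -> Counter:
    """Feed n identical would-be responses for one client at the same instant; count the verdicts."""
    return Counter(rrl.decide(client_ip, qname, qtype, rcode, now) for _ in range(n))


if __name__ == "__main__":
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    # Constructed flood: 30 identical ANY queries "from" the victim 198.51.100.7 within one second
    print("flood:", dict(simulate(rrl, "198.51.100.7", 30, now=100.0)))
    # An unrelated resolver in another /24 is unaffected
    print("other client:", rrl.decide("203.0.113.9", "example.test", "ANY", "NOERROR", now=100.0))
    # One second later the victim's bucket has refilled
    print("after 1s:", rrl.decide("198.51.100.7", "example.test", "ANY", "NOERROR", now=101.0))
```

The corner case on this slide shows up in the same model: a large resolver farm behind one /24 that legitimately re-asks for a short-TTL name more than responses-per-second times a second is indistinguishable from the flood above, and only the slip replies (and the TCP retries they trigger) keep it answered.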
Pg. 48 (Responding): What can you do? BCP 38
Best Current Practice 38 (RFC 2827, network ingress filtering):
• Says you should only send traffic that ought to come from your network
• Will clean up the network you're on
• Insist on this from your ISP
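An added model of the BCP 38 filtering described on slides 19 and 48, not from the talk or any vendor. A provider edge knows which prefixes each customer interface is allowed to source; a datagram whose source address lies outside that set is dropped before it reaches the Internet, so spoofed queries bound for a reflector never leave the provider. The interface names, prefixes (RFC 5737 and RFC 3849 documentation ranges) and packets are constructed for the example, and the default-deny for an unknown interface is a policy choice made here. The last sample packet shows the limitation: a source forged inside the customer's own block still passes, because BCP 38 stops the spoofing of other people's addresses, not of addresses the customer legitimately holds.

```python
"""Added example: BCP 38 / RFC 2827 ingress filtering at a provider edge (constructed data)."""
import ipaddress
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Packet(NamedTuple):
    ingress_iface: str
    src: str
    dst: str
    note: str = ""


class IngressFilter:
    def __init__(self, assignments: Dict[str, Iterable[str]]):
        # interface -> prefixes assigned to the customer behind it
        self.allowed = {iface: [ipaddress.ip_network(p) for p in prefixes]
                        for iface, prefixes in assignments.items()}

    def permits(self, pkt: Packet) -> bool:
        """True if the source address is one the ingress interface may legitimately originate."""
        nets = self.allowed.get(pkt.ingress_iface)
        if nets is None:
            return False  # unknown interface: deny (policy choice for this example)
        src = ipaddress.ip_address(pkt.src)
        return any(src in n for n in nets)  # mixed v4/v6 comparisons are simply False

    def apply(self, packets: Iterable[Packet]) -> Tuple[List[Packet], List[Packet]]:
        forwarded, dropped = [], []
        for p in packets:
            (forwarded if self.permits(p) else dropped).append(p)
        return forwarded, dropped


# Constructed assignments: customer A holds 203.0.113.0/25, customer B the upper /25 plus a v6 /48
EDGE = IngressFilter({
    "cust-a": ["203.0.113.0/25"],
    "cust-b": ["203.0.113.128/25", "2001:db8:b::/48"],
})

REFLECTOR, VICTIM = "192.0.2.53", "198.51.100.7"
SAMPLE = [
    Packet("cust-a", "203.0.113.10", REFLECTOR, "legitimate query from customer A"),
    Packet("cust-a", VICTIM, REFLECTOR, "spoofed: victim's address, sent from customer A"),
    Packet("cust-a", "203.0.113.200", REFLECTOR, "spoofed: customer B's address, sent from customer A"),
    Packet("cust-b", "2001:db8:b::10", "2001:db8:53::1", "legitimate v6 query from customer B"),
    Packet("cust-b", "2001:db8:ffff::1", "2001:db8:53::1", "spoofed v6 source from customer B"),
    Packet("cust-a", "203.0.113.99", REFLECTOR, "spoofed within customer A's own block: passes"),
]

if __name__ == "__main__":
    forwarded, dropped = EDGE.apply(SAMPLE)
    for p in forwarded:
        print(f"FORWARD {p.ingress_iface} {p.src} -> {p.dst}  ({p.note})")
    for p in dropped:
        print(f"DROP    {p.ingress_iface} {p.src} -> {p.dst}  ({p.note})")
```

The same check is what a router's unicast reverse-path forwarding or a per-interface source-address ACL performs in hardware; the value of insisting on it from your ISP is that it runs at the edge closest to the spoofer, where the set of legitimate sources is smallest.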
Pg. 49 (Responding): What can you do? Insecure systems
A back door can be used for good or for evil:
• Lots of agencies want special treatment
• Any "special access" is also a vulnerability
• We need more secure systems, not less
Pg. 50: Review
Pg. 51 (Review): DDoS
• Denial of Service
• Distributed
• Made easier by facts of the network
• Not new
Pg. 52 (Review): DDoS using DNS
• Usually a reflector attack
• Depends on DNS use of UDP
• Ordinary services can offer big amplifiers
Pg. 53 (Review): Reflector and amplifier
• 2 victims
• Target can be hurt
• Amplifier can hurt
Pg. 54 (Review): No perfect solution
• Tailor the solution to your application
• Outsourcing different parts (maybe diversify) can help
• No magic solution