Everything You Need To Know About DDoS Attacks
Want to understand more about DDoS attacks? Check out these slides from Dyn Director of DNS Technology Andrew Sullivan & watch the accompanying webinar: http://dyn.com/dyn-webinar-everything-you-need-to-know-about-ddos-managed-dns/

Published in: Technology
1. Everything You Need To Know About DDoS Attacks
   Andrew Sullivan, Director of DNS Engineering, @DynInc
2. What We’ll Cover Today
   • What is a DDoS?
   • Why are there DDoSes?
   • What can happen?
     – Suppose you’re the target
     – Suppose you’re an amplifier
   • Can outsourcing things help?
   • Can anycast help?
   • Appliances?
   Focus primarily on DNS, since that’s where the pain is these days.
3. Denial Of Service
   • Just what the name implies
   • Lots of ways
     – Break code
     – Smash the stack
     – Lock out passwords
     – Request so much that nothing else can get served
     – Stuff the network pipe so full that nobody else can get in or out
4. Denial Of Service Target (image slide)
5. Just scale (image slide)
6. Moore’s Law (image slide)
7. Denial Of Service (Traffic) (image slide)
8. Distribute The Source (image slide)
9. No, Really Distribute It (image slide)
10. Not New
   • Morris worm (“the Great Worm”) was in 1988
   • Effective attacks were almost always “distributed” in some sense
   • Issue now is the type of attack, and the resources available
11. DDoS Attack Sources?
   • In the old days, always-on cable modems and a certain popular but vulnerable operating system
   • Now, cheap or compromised (often virtual) hosts with lots of bandwidth
   You’ll now run out of money for bandwidth before the bad guys run out of compromised servers.
12. Why Do They Do This? Money. Politics. Religion.
13. Why Do They Do This? Money. Politics. Religion. (image slide)
14. Traditional DDoS (image slide)
15. Traditional DDoS (image slide)
16. Kill The C&C, You Kill The Attack (image slide)
17. Wait. Spoofed Addresses?
   • Most modern effective attacks come over User Datagram Protocol (UDP)
   • Transmission Control Protocol (TCP) requires a handshake
     – You can tell who’s at the other end
   • UDP has no handshake
     – Could be anybody – even someone pretending to be someone else
18. Why Don’t We Fix That?
   • We tried
   • Best Current Practice (BCP) 38 says that, if you run a network, you should never send things that shouldn’t come from you
     – “egress filtering”
   • Some people don’t do it
   • There are no Internet Police
     – that cure is worse than the disease anyway
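BCP 38 egress filtering in code, as an added example that is not from the slides: a border filter that forwards a packet only when its source address belongs to the network's own prefixes, which is the property that makes forged-source reflection queries impossible to send from a network that does it (the point slide 48 returns to). The prefixes and sample traffic are constructed from RFC 5737 documentation ranges, standing in for a real allocation.

```python
import ipaddress

# Added example (not from the slides): a BCP 38 egress filter for a network's
# border. OUR_PREFIXES is a constructed placeholder for the address space the
# network was actually allocated (RFC 5737 documentation range).
OUR_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def egress_allowed(src: str, prefixes=OUR_PREFIXES) -> bool:
    """Forward a packet leaving the network only if its source address belongs to
    one of our own prefixes; any other source is spoofed or misrouted."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False                      # malformed source address: drop it
    return any(addr in net for net in prefixes)


def filter_egress(packets, prefixes=OUR_PREFIXES):
    """Split (src, dst, proto, length) tuples into forwarded and dropped lists and
    return a per-source tally of drops, which is what an operator would log to
    find the hosts inside the network that are emitting spoofed traffic."""
    forwarded, dropped, tally = [], [], {}
    for pkt in packets:
        if egress_allowed(pkt[0], prefixes):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            tally[pkt[0]] = tally.get(pkt[0], 0) + 1
    return forwarded, dropped, tally


# Constructed traffic: one DNS query from our own host to an outside
# authoritative server, and two queries whose source has been forged to
# 192.0.2.1, the address the reflected answers would land on if the border
# let them out.
SAMPLE = [
    ("198.51.100.7", "203.0.113.53", "udp/53", 25),
    ("192.0.2.1", "203.0.113.53", "udp/53", 25),
    ("192.0.2.1", "203.0.113.54", "udp/53", 25),
]

if __name__ == "__main__":
    fwd, drp, tally = filter_egress(SAMPLE)
    print(len(fwd), "forwarded,", len(drp), "dropped; spoofed sources:", tally)
```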
19. Traditional DDoS (image slide)
20. DNS DDoS: reflector (image slide)
21. Key Attributes
   • Uses DNS as an amplifier
     – Just a few octets for the query, big answers (usually TXT records or something from DNSSEC)
   • Relies on poor network security and UDP
     – Send query pretending to be the target
   • Tricky to defend against
     – Might cause collateral damage
22. Amplification
   • Small cost at traffic source (each member of the botnet)
   • Innocuous traffic (DNS queries)
     – except for the spoofed address
   • Query for a large Resource Record set
     – Big TXT record
     – RR type with lots of records
     – Some DNSSEC records
23. How Amplified?
   • A query for the TXT records at dyn.com takes 25 octets (bytes)
   • The answer for that is 442 octets (bytes)
   About 18 times bigger!
   • Lots of domains look like this
   • Easy to get bigger responses
   • Not hard to create bigger responses
   • 18 times amplification on millions of queries is a lot
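Where the 25 octets come from, as an added example that is not from the slides: the TXT query for dyn.com encoded in DNS wire format (RFC 1035) is exactly a 12-octet header plus the question, and the same arithmetic lets a zone operator rank their own records by how much amplification each hands a reflector. The 442-octet TXT response size is the one quoted on the slide; the A and MX response sizes in the sample are constructed placeholders.

```python
import struct

# Added example (not from the slides): encode a DNS query in wire format to see
# the 25-octet figure, and audit a zone for the amplification its records offer.
QTYPE = {"A": 1, "MX": 15, "TXT": 16, "ANY": 255}
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    r"""'dyn.com' -> b'\x03dyn\x03com\x00': length-prefixed labels, root terminator."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Minimal query: 12-octet header (ID, RD=1, QDCOUNT=1) + one question, no EDNS0."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], QCLASS_IN)
    return header + question


def amplification(query: bytes, response_len: int) -> float:
    """Octets the reflector emits toward the spoofed source per octet the sender spends."""
    return response_len / len(query)


def audit_zone(response_sizes: dict) -> list:
    """Rank (name, qtype) pairs by amplification so an operator can see which records
    in their own zone give a reflector the biggest payoff. response_sizes maps
    (name, qtype) -> response length in octets, as measured with dig or a capture."""
    rows = [(round(amplification(build_query(n, t), size), 2), n, t)
            for (n, t), size in response_sizes.items()]
    return sorted(rows, reverse=True)


# Constructed sample: the dyn.com TXT size is the slide's 442 octets; the A and
# MX sizes are made-up placeholders for illustration only.
SAMPLE_SIZES = {("dyn.com", "TXT"): 442, ("dyn.com", "A"): 57, ("dyn.com", "MX"): 96}

if __name__ == "__main__":
    q = build_query("dyn.com", "TXT")
    print(len(q), "octets in query;", amplification(q, 442), "x amplification")
    for ratio, name, qtype in audit_zone(SAMPLE_SIZES):
        print(f"{name} {qtype}: {ratio}x")
```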
24. What’s The Target?
   • Could be the DNS service itself
     – Fill the transit
   • Could be some other DNS service
     – Fill that service’s inbound transit
   • Could be any other service
     – Fill that service’s inbound transit
25. Aside: Open Resolvers
   • Open resolvers are indeed bad
     – For other kinds of attack, they’re critical
   • Not the only vector for reflection attacks
   • Source of problem packets need not be a resolver
   • Target need not be a resolver
26. Attack the DNS Service Itself (diagram; labels: Abuse Queries, Legitimate Queries, Responses to Abuse Queries, Responses to Legitimate Queries)
27. Attack Some Different Service (diagram; labels: Responses to Legitimate Queries, 192.0.2.1, Abuse Queries (forged source 192.2.1), Responses to Abuse Queries, Legitimate Queries)
28. Attack Some Different Service (diagram; labels: 192.0.2.1, Abuse Queries (forged source 192.2.1), Responses to Abuse Queries, http request, http responses)
29. What Happens: You Are Authoritative DNS Target
   • You can’t answer legitimate queries you should be able to answer
   • You may become a reflector
     – Depends on abuse source
     – Probably, since otherwise the abuse source would fall over too
30. What Happens: You Are DNS Amplifier
   • You get identified as amplifier
   • People start restricting you
     – completely
     – with Response Rate Limiting (RRL)*
31. What Happens: You Are Some Target Application
   • All your bandwidth goes to receiving answers you didn’t ask for
   • Your application is useless (or down) for your users
   • This might cost you real cash (bandwidth overage) without any legitimate increase in traffic
32. What To Do: Outsource?
   Can help in some ways
   • Large providers
   • Robust networks
   • Expert mitigation
   Presents a new risk
   • Large providers are themselves a target
   • Large providers can have other customers who are targets
33. How To Do: Outsource?
   • Most people already outsourced
     – Let the registrar run it
   • Research your options if you’re at risk
     – What are the vendor’s mitigation strategies?
     – Who will you be sharing your service with?
     – Does the vendor offer realistic promises?
     – What’s the vendor’s network profile?
34. What To Do: Anycast?
   • Anycast is a trick: one IP address actually identifies several physically different machines located at different places in the network
   • Relies on routing
   • It can help isolate attacks
     – attacks often all come from one or some small group of networks
     – so, they land in the same network data centre
35. What To Do: Anycast? Pro
   • Isolates attack traffic to particular anycast regions
   • Can use it to reroute attack traffic to a more robust network location
   • Harder to fill many 10G or 40G transit paths than one
36. What To Do: Anycast? Con
   • If you don’t know what an anycast is, you don’t want to do it yourself
   • Requires network experts, operations staff, and hardware
   • Not a solution to all victim scenarios
37. How To Do: Anycast?
   • Get relevant network experts
   • Bring (some) money
   • Pick the right protocol
     – long-lived http streams are very bad candidates
     – short messages (like DNS) are good candidates
   • If you want to do this, outsourcing is increasingly a good option
   • Research the provider’s history and participation in operator fora
38. What To Do: Appliances?
   • Basically two strategies
     – Identify bad guys in advance, and spot and quarantine
     – Use analysis to identify bad traffic
   • Generally perform rate limiting on identified bad traffic
   • Often quite good at identifying anomalies
   • If your pipe is full, it doesn’t matter
39. What Else To Do?
   • There is no magic, general-purpose “DDoS protection”
     – Like saying “We will protect you from crime”
       • Murder?
       • Fraud?
       • Traffic light violations?
   • Techniques need to be tailored
40. RRL
   • Response Rate Limiting is a technique in DNS servers
   • Identifies repeated queries for the same name, type, and class from the same source
     – Inside the Time To Live for the record
   • Infers that’s not a real resolver
   • Limits responses
41. RRL Pro
   • If you’re running your own server, Turn It On Now.
   • Evidence says it helps in the majority of cases
42. RRL Con
   • Some corner cases (very short TTLs and high-value, high-traffic sites) with some issues
   • Adds yet another tricky operational convention to DNS
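The RRL logic of slides 40 to 42 in miniature, as an added example that is not from the slides or from any DNS server's own code: a token bucket per (client /24, name, type, class) that sends while credit lasts, then drops most over-limit answers and "slips" every Nth one as a truncated reply so a genuine resolver behind the spoofed address can still retry over TCP. Rate, window and slip values are constructed defaults, and the query burst is constructed sample traffic, with the source forged to the reflection target.

```python
import ipaddress
from collections import Counter, defaultdict


class ResponseRateLimiter:
    """Added illustration of Response Rate Limiting (not BIND's, NSD's or Knot's code).
    rate   = responses per second allowed per bucket
    window = seconds of credit a bucket may bank, so short bursts still get answered
    slip   = send every Nth over-limit answer truncated (TC=1) instead of dropping it,
             so a real resolver at the spoofed source can retry over TCP"""

    def __init__(self, rate=5, window=2, slip=2):
        self.rate, self.window, self.slip = rate, window, slip
        self.buckets = {}                   # key -> (credits, last_seen)
        self.over_limit = defaultdict(int)  # key -> over-limit responses so far

    @staticmethod
    def key(src, qname, qtype, qclass="IN"):
        # Aggregate by /24: rotating the forged source inside the target's own
        # network must not hand the sender a fresh bucket each time.
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype, qclass)

    def decide(self, now, src, qname, qtype):
        """Return 'send', 'slip' or 'drop' for one query arriving at time `now`."""
        key = self.key(src, qname, qtype)
        cap = self.rate * self.window
        credits, last = self.buckets.get(key, (cap, now))
        credits = min(cap, credits + (now - last) * self.rate)   # refill since last query
        if credits >= 1:
            self.buckets[key] = (credits - 1, now)
            return "send"
        self.buckets[key] = (credits, now)
        self.over_limit[key] += 1
        return "slip" if self.slip and self.over_limit[key] % self.slip == 0 else "drop"


def run(queries, rrl=None):
    """Classify (time, src, qname, qtype) tuples; returns a Counter of outcomes."""
    rrl = rrl or ResponseRateLimiter()
    return Counter(rrl.decide(*q) for q in queries)


# Constructed sample: 20 identical TXT queries in the same instant with the source
# forged to 192.0.2.1 (no real resolver re-asks inside the TTL like that), plus
# three ordinary queries for different names from a resolver at 198.51.100.9.
BURST = [(0.0, "192.0.2.1", "dyn.com", "TXT") for _ in range(20)]
NORMAL = [(0.1, "198.51.100.9", "dyn.com", "A"),
          (0.2, "198.51.100.9", "www.dyn.com", "A"),
          (0.3, "198.51.100.9", "dyn.com", "MX")]

if __name__ == "__main__":
    print(run(BURST + NORMAL))   # Counter({'send': 13, 'slip': 5, 'drop': 5})
```

The corner case slide 42 warns about is visible in the `window` parameter: a high-traffic name with a very short TTL can legitimately be re-asked by the same resolver often enough to exhaust its bucket, which is why the limit is per name and type rather than per client.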
43. What Else To Do?
   • Press network operators to do BCP 38
     – Specify it in RFPs
     – Test for implementation
   • Resist dilutions of secure protocols
     – Special-access ports for law enforcement, government, and so on are also back doors for criminals
     – We have enough compromised systems on the Internet
     – Insecure protocols weaken security for all
44. Review
45. DDoS
   • Just a special Denial of Service
   • Made easier / “worse” by the network environment we have
   • Not a new problem
46. DNS DDoS
   • Mostly reflector attacks
   • Relies on issues with UDP
   • Even ordinary services (e.g. TXT records) offer big amplification
47. Reflectors
   • 2 victims
   • Target service can fail
   • Intermediate DNS servers get hit
48. Open Resolvers Not At Fault
   • You can do a reflector attack with only authoritative servers involved
   • You can’t do a reflector attack if you have good egress filtering everywhere
49. Solutions Depend On Your Use
   • Outsourcing can help, but not everyone
   • Anycast can help, but not in all cases
   • Appliances can do nothing if they’re inside your data centre behind the same plugged “pipe”
50. August 7-8 | Manchester, NH
   - Limited registrants!
   - Great keynotes!
   www.geeksummercamp.com
51. New whitepaper! Everything You Need To Know About A DDoS Attack
   Download at http://dyn.com/content-hub/
52. Email Webinar! Wednesday, July 24, 2 PM EST | 19:00 GMT
   Mike Veilleux, Director of Email Product; Steve Wheeler, Director of Deliverability
53. Thank You!
   Andrew Sullivan, Director of DNS Engineering, asullivan@dyn.com