
Artem Gavrichenkov "The Dark Side of Things: Distributed Denial of Service Attacks after Mirai"

By the standards of the IT industry, an entire eternity (a month) has passed since the attacks on Brian Krebs' blog, and it is high time to examine the situation and draw useful conclusions from it. On 22 October at HighLoad Dev Conf we will analyze and discuss:
- What changed in the DDoS attack market in 2016;
- The circumstances of the attack that brought down Akamai and Google, what led to it, and how to defend against it;
- How the situation will develop further.

Published in: Education

  1–2. qrator.net 2016
  3–6. Akamai: CDN vs DDoSM
       aut-num: AS20940
       as-name: AKAMAI-ASN1
       org: ORG-AT1-RIPE
       mnt-by: AKAM1-RIPE-MNT
       mnt-routes: AKAM1-RIPE-MNT
       ASNumber: 32787
       ASName: PROLEXIC-TECHNOLOGIES-DDOS-MITIGATION-NETWORK
       Ref: https://whois.arin.net/rest/asn/AS32787
       https://www.peeringdb.com/asn/20940
  7–11. Akamai: CDN vs DDoSM
       https://www.peeringdb.com/asn/20940
       https://www.peeringdb.com/asn/32787
  12–14. Akamai: CDN vs DDoSM
       https://radar.qrator.net/as20940/
       https://radar.qrator.net/as32787/
  15–19. CDN / DDoS (diagram labels only)
  21–22. Amplification: 300 Mbps → 30 Gbps; 5 Gbps → 500 Gbps
  24–25. Vulnerable protocols
       • NTP
       • DNS
       • SNMP
       • SSDP
       • ICMP
       • NetBIOS
       • RIPv1
       • PORTMAP
       • CHARGEN
       • QOTD
       Amplification can be identified by source port
  26. BGP Flow Spec
  27–29. Wordpress Pingback
       GET /whatever
       User-Agent: WordPress/3.9.2; http://example.com/; verifying pingback from 192.0.2.150
       • 150 000 – 170 000 vulnerable servers at once
       • SSL/TLS-enabled
       Amplification can be identified by source port?
  30–31. BGP Flow Spec
  32–38. Wordpress Pingback
       • Millions of vulnerable servers
       Joomla? TinyCMS? Drupal? ModX? Sharepoint? Mediawiki?
  39–45. Internet of Things
       • Webcams, routers, smartphones, coffee makers
       • Cheap hardware and software
       • (Little to) NO software updates, including security fixes
       • Default logins/passwords
       • Full Internet access
  46–50. Internet of Things
       • Network scanners are now powerful enough to discover vulnerable IoT (good job, Flow Spec) =>
  52–53. The Void
       • To survive TCP- and HTTPS-based attacks, one needs a session-capable and TLS-capable DPI
       • To survive large botnets, one needs a behavioral analysis and correlation analysis built into that DPI
       • On the 1 Tbps bandwidth
  54. The Void
       • Do not try to fix it yourself
       • Reach out to your ISP ASAP
  55–57. The Cure
       • ISP initiatives
       • Zero tolerance to vulnerable IoT
       • IPv6?
  58. Thank you, and good luck! mailto: Artyom Gavrichenkov <ag@qrator.net>
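As an added example (not part of the deck or of Qrator's tooling), the two detection points the slides contrast in Python: reflected UDP amplification is recognisable from the source port of the abused service, while a WordPress pingback flood is ordinary HTTP(S) and can only be recognised from the request itself. The `Flow` record and the sample flows are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# UDP services from the "Vulnerable protocols" slide, keyed by the well-known
# port the reflected replies arrive FROM (ICMP has no port, so it is omitted).
AMPLIFIER_PORTS = {
    123: "NTP", 53: "DNS", 161: "SNMP", 1900: "SSDP", 137: "NetBIOS",
    520: "RIPv1", 111: "PORTMAP", 19: "CHARGEN", 17: "QOTD",
}
# Marker the deck quotes from the User-Agent of pingback verification requests.
PINGBACK_UA_MARKER = "verifying pingback from"

@dataclass
class Flow:  # assumed flow record: one packet/request seen from the victim side
    proto: str                        # "udp" or "tcp"
    src_port: int
    dst_port: int
    user_agent: Optional[str] = None  # set only when the HTTP request was decoded

def classify(flow: Flow) -> str:
    """Label a flow 'amplification:<service>', 'pingback' or 'unknown'."""
    if flow.proto == "udp" and flow.src_port in AMPLIFIER_PORTS:
        # Replies arriving from a well-known UDP port are the signature of a
        # reflected/amplified flood, so the source port alone identifies it.
        return "amplification:" + AMPLIFIER_PORTS[flow.src_port]
    if flow.proto == "tcp" and flow.user_agent and PINGBACK_UA_MARKER in flow.user_agent:
        # Pingback floods are plain HTTP(S) from ephemeral source ports: no port
        # tells them apart, only the request does, which is why TLS-enabled
        # pingbacks need a TLS-capable DPI to be recognised at all.
        return "pingback"
    return "unknown"

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("udp", 123, 41237),
    Flow("udp", 1900, 52011),
    Flow("tcp", 55210, 443,
         "WordPress/3.9.2; http://example.com/; verifying pingback from 192.0.2.150"),
    Flow("tcp", 55211, 80, "Mozilla/5.0"),
    Flow("udp", 40000, 53),  # a DNS query sent TO port 53: not a reflection
]

def summarize(flows) -> dict:
    """Count flows per label; per-service counts show which source ports to
    filter upstream (e.g. with BGP Flow Spec, as the deck suggests)."""
    counts: dict = {}
    for f in flows:
        label = classify(f)
        counts[label] = counts.get(label, 0) + 1
    return counts
```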
