  1. How to Mitigate a 300G DDoS
     Tom Paseka, Network
  2. Background…
  3. Background…
  4. The Beginning
     • Scrubbing…
  5. The Start
     • Spamhaus were under attack
     • They didn’t have the resources to keep their website online
     • Spamhaus moved to CloudFlare
     • Attack was approximately 75Gbps
     • Website back online!
     • Attack vector was very simple to mitigate
     • DNS amplification / reflection
     • Easy to filter… if you have the capacity
  6. The Start
     After a bit of this
  7. The Start
     I was feeling a bit like this
  8. Then…. It happened
  9. Increased Volume
     • The attackers realised the volume and method of attack wouldn’t bring the website offline
     • They went after CloudFlare’s infrastructure directly
     • They would traceroute to
     • Direct the attack to the last routable IP
     • This was our upstream point-to-point interfaces and other infrastructure
     • Volume reached >300Gbps
  10. Increased Volume
     • Ouch.
     • But, it can be mitigated.
     • After some time speaking to the NOCs of our upstreams they gave us some
     • Re-numbered and/or filtered the IP space
     • Some point-to-points were renumbered to RFC 1918 address space
     • Others placed filters at their edges
     • Others blackholed the P2P IPs
  11. Change of Tactic
     • Attackers saw this was no longer effective
     • The attackers’ traceroutes showed they could reach us via AMS-IX, DE-CIX, LINX, Equinix SG and HKIX
     • Their attacks were directed towards our IPs on the exchange fabric
     • Ouch.
     • We can’t renumber these interfaces [easily]
     • We can’t filter these interfaces upstream
     • Only mitigation tactic for us was to disable the ports
  12. Ongoing attacks
     • After leaving the port out of action for a few hours, the attack would stop
     • Attackers were monitoring our routing; if they saw we activated peers on the exchange, they’d begin attacking again
     • We reached out to peers and exchange point operators to see what could be done
     • Some exchange points were originating/announcing the fabric IP space to the default-free zone, attracting the attack traffic
     • Other peers on the fabric were also originating/announcing exchange IP space
  13. What you should do?
  14. What you should do?
     • Consider the numbering of your infrastructure
     • If it’s non-routable, it’s more difficult to attack
     • Proper infrastructure ACLs
     • Have good upstream providers
     • They should all support BGP signaling for black-holing
     • Ability to push firewall rules quickly
     • We use and love flowspec (even if we hit bugs)
     • Don’t announce Internet Exchange IP space to the internet
     • Don’t even carry it in your backbone if you can! (set next-hop self)
  15. What you should do?
     BCP-38
     If your network allows spoofing, you should fix it right now. Then, hang your head in shame.
     Check if the network you’re attached to allows spoofing by installing the test from:
  16. What you should do?
  17. Questions?
  18. Thank You
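As an added example (not code from the talk or from CloudFlare), the two addressing checks the slides recommend turned into an audit script: it flags upstream point-to-point links still numbered from routable space, and export prefixes that cover an exchange fabric (including a covering aggregate, which still attracts the fabric's traffic). Interface names, prefixes and the IX fabric ranges are constructed sample data.

```python
"""Audit edge addressing and BGP exports against the talk's advice.
Added example, not CloudFlare's code; every inventory below is constructed."""
import ipaddress
from dataclasses import dataclass

# Space not routed on the Internet (RFC 1918 and IPv6 ULA): an attacker who
# traceroutes to our edge cannot direct traffic at links numbered from it.
NON_ROUTABLE = [ipaddress.ip_network(p) for p in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass
class Interface:
    name: str
    address: str   # address/prefix-length as configured on the router
    role: str      # "p2p" (upstream point-to-point), "ix" (exchange fabric), "loopback"


# Constructed sample inventory; the documentation ranges stand in for public space.
INTERFACES = [
    Interface("et-0/0/0", "10.200.1.1/31", "p2p"),        # renumbered: fine
    Interface("et-0/0/1", "198.51.100.9/30", "p2p"),      # still routable: exposed
    Interface("et-0/1/0", "203.0.113.25/24", "ix"),       # exchange fabric address
    Interface("lo0", "192.0.2.1/32", "loopback"),
]
# Fabric prefixes of the exchanges we peer at (constructed placeholders).
IX_FABRIC = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:100::/64")]
# Prefixes our export policy sends to transit providers (constructed sample).
EXPORTED = ["192.0.2.0/24", "203.0.113.0/24", "2001:db8::/32"]


def is_non_routable(address):
    addr = ipaddress.ip_interface(address).ip
    return any(addr in net for net in NON_ROUTABLE)


def exposed_p2p_links(interfaces):
    """P2P links still numbered from routable space: renumber them, or have the
    upstream filter or blackhole them, as the talk describes."""
    return [i.name for i in interfaces if i.role == "p2p" and not is_non_routable(i.address)]


def leaked_ix_prefixes(exported, ix_fabric):
    """Exports overlapping an exchange fabric: announcing them (even as part of a
    covering aggregate) draws attack traffic for the fabric into our network."""
    leaks = []
    for prefix in exported:
        net = ipaddress.ip_network(prefix)
        if any(net.version == f.version and net.overlaps(f) for f in ix_fabric):
            leaks.append(prefix)
    return leaks


if __name__ == "__main__":
    print("exposed p2p links:", exposed_p2p_links(INTERFACES))             # ['et-0/0/1']
    print("leaked IX prefixes:", leaked_ix_prefixes(EXPORTED, IX_FABRIC))  # ['203.0.113.0/24', '2001:db8::/32']
```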