Lyamin nanog63 lightning ddos amplifiers
•Download as PPTX, PDF•
0 likes•501 views
My lightning speech at nanog63@SanAntonio
Recommended
More Related Content
More from Alexander Lyamin
Lyamin nanog63 lightning ddos amplifiers
- 1. On the topic of Amplification Alexander Lyamin <la@qrator.net>
- 2. Usual suspects User Datagram Protocol • DNS • NTP • SSDP • SNMP • Chargen
- 3. Weighted • X – absolute number of amplifiers that fall in • Y - axis amplification multiplier
- 4. DNS 0 20000 40000 60000 80000 100000 120000 140000 160000 13 14 15 16 18 19 20 21 23 24 25 26 28 29 30 31 33 34 35 36 38 39 40 41 43 44 45 46 47 49 50 51 52 54 55 56 57 59 60
- 5. NTP 0 2000 4000 6000 8000 10000 12000 14000 35 90 145 200 255 310 365 420 475 530 585 640 695 750 805 860 915 970 1025 1080 1135 1190 1245 1300 1355
- 6. Chargen 0 50 100 150 200 250 300 350 400 12 23 34 45 56 67 78 89 100 111 122 133 144 155 166 177 188 200 211 222 233 244 255
- 7. SNMP 0 50000 100000 150000 200000 250000 300000 30 32 34 37 39 41 43 46 48 50 53 55 57 59 62 64 66 69 71 73 75 78 80
- 9. and measured • X integral multiplier in IPv4 on • Y timeline since 1 June to 5th October 2014
- 11. Bottom line Road notes: 1. 1.6B packets per one packet of a 1st stage – WOW! 2. SSDP is the king of a day. Hypothesis: We’re all not dead (yet) because SSDP amplifiers situated at periphery of the network. Its not about how much packets you can generate with 2nd stage – its about how many will reach the target.
- 13. Questions?
Editor's Notes
- My name is Alexander Lyamin, Qrator Labs 2 quick questions Who being hit by amplification attack last year ? Who observed amplifications originating from their own network ? (that’s where the problem comes from – lack of obserations)
- poor design (amplifiable) Lack of ability to establish client authenticity inherent by UDP
- So we decided to take a closer look whats up with all this trash flying around the network
- It used to be much worset a year ago, we’re (as community) doing a good job fixing our DNS servers.
- Also much of an improvement, but still thousands of servers which will amplify by 1300 times
- It’s a chargen… what would you expect.
- I have no slightest idea what this 3 peaks mean.
- Third of a million amplifiers with multiplier of 78, but 50 isn’t tpo shaky
- Intersting snapshot, but whats the big picture and is there are changes?
- 2 road notes 1.6 BILLION packets per one packet of a 1st stage – (even if purely theoretically) just WOW SSDP is a king 1 hyphotesis We’re not dead (yet) because SSDP amplifiers situated at periphery of the network Its not about how much packets you can generate with 2nd stage – its about how many will reach the target.
- Catch me up in hallway or email me to find out hows your ASN fares from our viewpoint. Lets stay vigilant and keep our networks clean.