SlideShare a Scribd company logo

Spoofing and Denial of Service: A risk to the decentralized Internet

APNIC
APNIC

Presentation by Tom Paseka at APRICOT 2017 on Wednesday, 1 March 2017.

Internet
1 of 71
Spoofing and Denial of Service: A risk to the decentralized Internet DDoS: The real story with BCP38 Tom Paseka APRICOT 2017
Global Network © 2017 Cloudflare Inc. All rights reserved. 2
Content Neutral © 2016 Cloudflare Inc. All rights reserved. 3
Daily Attacks © 2016 Cloudflare Inc. All rights reserved. 4
Daily Attacks • Because we have such a broad view of the internet, we see a lot of attacks • This graph is showing count of different attacks • Sometimes, seeing more than 1,400 unique attacks daily © 2016 Cloudflare Inc. All rights reserved. 5
We have to solve attacks © 2016 Cloudflare Inc. All rights reserved. 6
Record Breaking Attacks Nickname Type Volume SNMP  Amp SNMP  Amplification/Reflection 80Gbps Spamhaus DNS  Amplification/Reflection 300Gbps "Winter  of  Attacks" Direct 400Gbps IoT Direct 500Gbps+ © 2016 Cloudflare Inc. All rights reserved. 7
Record Breaking Attacks • Around 5 years ago we saw some SNMP reflection attacks • Cable modems from a very large Cable ISP in North America were reflecting SNMP walks towards us • We then saw the infamous “Spamhaus” attacks. Attacks which were directed at us and internet infrastructure, resulting in impact to hundreds of thousands of internet users • From September 2016, the “IoT” attacks, most famously the Mirai (未来) botnet with attacks breaking 500Gbps © 2016 Cloudflare Inc. All rights reserved. 8
Most big attacks have a few things in common © 2016 Cloudflare Inc. All rights reserved. 9
Flood of IP Packets © 2016 Cloudflare Inc. All rights reserved. 10
© 2016 Cloudflare Inc. All rights reserved. 11
Spoofing Enables Impersonation © 2016 Cloudflare Inc. All rights reserved. 12
Spoofing? • Why is spoofing an issue? • This is my good friend Walt Wollny • Let’s say, he was assaulted, but it was by masked assailant • Without removing the mask, there can’t be legal retribution © 2016 Cloudflare Inc. All rights reserved. 13
May 2000: BCP38 © 2016 Cloudflare Inc. All rights reserved. 14
BCP38 • BCP, Best Common Practice #38 was published in May 2000 • It gave guidance on how to configure your network to prefer spoofing • This document is nearly 17 years old, why it isn’t engrained yet? • Vendors Faults? Operators Fault? • Regardless, IT’S. JUST. NOT. THERE. © 2016 Cloudflare Inc. All rights reserved. 15
Caida Spoofer Stats © 2016 Cloudflare Inc. All rights reserved. 16 Updated: Feb 2017. Source: https://spoofer.caida.org
Filter close to the source © 2016 Cloudflare Inc. All rights reserved. 17
Filter close to the source • Filtering at the ingress from your customer is really how to stop filtering • You should also be filtering at the egress if your network for multiple layers, incase of some misconfiguration • Unicast Reverse Path Forwarding doesn’t scale well • What about simple ACLs? • Yet this still isn’t there! © 2016 Cloudflare Inc. All rights reserved. 18
IP Spoofing: • Enables Impersonation • Isn’t solved © 2016 Cloudflare Inc. All rights reserved. 19
IP Spoofing 1. Tracing back is impossible 2. Allows sophisticated attacks © 2016 Cloudflare Inc. All rights reserved. 20
IP Spoofing 1. Tracing back is impossible 2. Allows sophisticated attacks © 2016 Cloudflare Inc. All rights reserved. 21
Where did the attack come from? © 2016 Cloudflare Inc. All rights reserved. 22
Where did the attack come from? • The “Server” in this slide, gets attack traffic • It has one link out, to its router, so we know it came from the ‘router’ • But from there, where did it come from? • There are multiple input interfaces, which one could be sending the traffic? Which network? • We can trace this down a bad way, by looking at graphs © 2016 Cloudflare Inc. All rights reserved. 23
Identifying interfaces © 2016 Cloudflare Inc. All rights reserved. 24
Identifying interfaces © 2016 Cloudflare Inc. All rights reserved. 25
What’s on the other side of the Cable? © 2016 Cloudflare Inc. All rights reserved. 26
What’s on the other side of the Cable? • For most internet networks, there are several types of input sources: • Direct Peering: Where you have a single network and their customer cone on that interfaces • Internet Exchange: many networks connected to a single fabric. Possible hundreds of direct networks and thousands of in-direct networks • Internet Carrier / Transit Provider: The whole Internet © 2016 Cloudflare Inc. All rights reserved. 27
1. Direct Peering © 2016 Cloudflare Inc. All rights reserved. 28
1. Direct Peering • Where we have direct peering with another network, you have a pretty good idea of what’s on the other side • This is going to be limited to that network and their customers • In a case like this, it’s pretty easy to identify at least the ISP responsible for traffic © 2016 Cloudflare Inc. All rights reserved. 29
2. IXP / Internet Exchange Point © 2016 Cloudflare Inc. All rights reserved. 30 3. Transit Provider
IXPs and Transit Providers • Both of these represent an issue • There is any number of networks where traffic could be coming from • No easy way to identify the source over either of these • Let’s explore a little but more about IXPs © 2016 Cloudflare Inc. All rights reserved. 31
2. IXP / Internet Exchange Point © 2016 Cloudflare Inc. All rights reserved. 32
2. IXP / Internet Exchange Point © 2016 Cloudflare Inc. All rights reserved. 33 ?.?.?.?
2. IXP / Internet Exchange Point • When traffic enters the IXP, we have no idea where the source came from • Since you’re on one big fabric, anyone can inject it • Very hard to track back • Some ways to trace, but poorly implemented. I’ll touch on this later. © 2016 Cloudflare Inc. All rights reserved. 34
3. Transit Provider © 2016 Cloudflare Inc. All rights reserved. 35 Src ip = 8.8.8.8
3. Transit Provider © 2016 Cloudflare Inc. All rights reserved. 36 ??? Src ip = 8.8.8.8 ??? 8.8.8.0/24
3. Transit Provider • So, we see an attack coming from 8.8.8.8 • This is coming in over a transit provider • But we have direct peering with the network that represents this traffic • Why isn’t this traffic coming over the peering? • ….Because it’s spoofed. © 2016 Cloudflare Inc. All rights reserved. 37
Lack of Attribution © 2016 Cloudflare Inc. All rights reserved. 38
IP Spoofing 1. Tracing back is impossible 2. Allows sophisticated attacks © 2016 Cloudflare Inc. All rights reserved. 39
Amplification © 2016 Cloudflare Inc. All rights reserved. 40
Amplification • We know about amplification attacks, so I’m not going to go into technical detail • The premise: Send a small request and get a big response directed at your target • Amplification means you can knock off a service, much larger than you are, without using all your resources. © 2016 Cloudflare Inc. All rights reserved. 41
March 2013: Spamhaus © 2016 Cloudflare Inc. All rights reserved. 42
March 2013: Spamhaus • During the Spamhaus attacks, DNS amplification was used • Large DNS replies (eg. ANY isc.org ~4,000 byte reply to a very small query) • 37Gbps of attack traffic was able to be amplified to 300Gbps of attack traffic © 2016 Cloudflare Inc. All rights reserved. 43
Amplification is relatively easy to block…. • …If you have the bandwidth. (few networks can absorb hundreds of Gbps) • Block on firewall: • src UDP/53 > deny • Internet is fighting amplification sources: • openresolverproject.org • openntpproject.org © 2016 Cloudflare Inc. All rights reserved. 44
Source IP Addresses © 2016 Cloudflare Inc. All rights reserved. 45 ??? Src ip = 8.8.8.8 ??? 8.8.8.0/24
Source IP Addresses • So, what happens when we trace the source IP address in attacks. • Taking this lovely picture from xkcd, we see a map of what the internet is © 2016 Cloudflare Inc. All rights reserved. 46
Source IP Addresses © 2016 Cloudflare Inc. All rights reserved. 47 https://xkcd.com/195/
Source IP Addresses • What does this same map look like, when we see a large scale attack? © 2016 Cloudflare Inc. All rights reserved. 48
Source IP Addresses © 2016 Cloudflare Inc. All rights reserved. 49
Source IP Addresses • What about a different type of attack? • This attack is coming from a single network, the graph on the left is the view of what is routed by that network • The graph on the right is attack sources from that network • Is this network doing egress filtering? Is it spoofed or all direct from that network? © 2016 Cloudflare Inc. All rights reserved. 50
Source IP Addresses © 2016 Cloudflare Inc. All rights reserved. 51
Dealing with Attacks © 2016 Cloudflare Inc. All rights reserved. 52
Null Routing © 2016 Cloudflare Inc. All rights reserved. 53
Null Routing • Probably the simplest way to deal with an attack • You instruct your ISP not to route traffic for a single host, or a series of hosts in your network • Except, you’ve just let the attacker win • If you null route your service, you’ve taken it offline. Perhaps you have an advanced system and can quickly renumber, but the attacker can update their attack too © 2016 Cloudflare Inc. All rights reserved. 54
The only way to stay online is to absorb the attack © 2016 Cloudflare Inc. All rights reserved. 55
Receive and Process © 2016 Cloudflare Inc. All rights reserved. 56
Receive and Process • To absorb the attack you need to receive and process it • This means you need to scale up infrastructure or develop advanced techniques to deal with attacks • Both of these need huge amounts of capacity, both physical and logical • Few networks are ready for it, so you outsource • But this breaks the model of de-centralization © 2016 Cloudflare Inc. All rights reserved. 57
Centralization © 2016 Cloudflare Inc. All rights reserved. 58
Solution? © 2016 Cloudflare Inc. All rights reserved. 59
Technical solutions to IP Spoofing have failed © 2016 Cloudflare Inc. All rights reserved. 60
Don’t just solve the IP Spoofing © 2016 Cloudflare Inc. All rights reserved. 61
Don’t just solve the IP Spoofing… © 2016 Cloudflare Inc. All rights reserved. 62 …solve the attribution!
© 2016 Cloudflare Inc. All rights reserved. 63
Netflow • Opensource Toolsets are great • Scales very well • Privacy Concerns? • This is very very simple data • Rotate (delete) logs every few days • Use a high sampling rate. 1/16,000 © 2016 Cloudflare Inc. All rights reserved. 64
Netflow • H/W vendors must get better • Netflow v9 supports src/dst MAC • Which vendor supports it? © 2016 Cloudflare Inc. All rights reserved. 65 Photo:  The  Simpsons/FOX
NetFlow • It is EMBARRASING that a transit provider doesn’t know where packets ingress their networks • It’s even more embarrassing that service providers who have NetFlow equipment, be it open sourced / in house or provided by a vendor don’t know how to use it • It’s also EMBARRASING that hardware vendors don’t support full NetFlow v9 • This needs to be resolved now © 2016 Cloudflare Inc. All rights reserved. 66
This is the first step © 2016 Cloudflare Inc. All rights reserved. 67
Attribution allows informed discussion © 2016 Cloudflare Inc. All rights reserved. 68
DDoS Causes centralization © 2016 Cloudflare Inc. All rights reserved. 69
To fix DDoS we need attribution © 2016 Cloudflare Inc. All rights reserved. 70
To make the internet better for everyone © 2016 Cloudflare Inc. All rights reserved. 71

Recommended

The Anatomy of DDoS Attacks
The Anatomy of DDoS AttacksThe Anatomy of DDoS Attacks
The Anatomy of DDoS AttacksAcquia
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksMyNOG
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionAPNIC
 
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...ShortestPathFirst
 
Zombie DNS
Zombie DNSZombie DNS
Zombie DNSAPNIC
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's askingAPNIC
 
Evolving HTTP and making things QUIC
Evolving HTTP and making things QUICEvolving HTTP and making things QUIC
Evolving HTTP and making things QUICNatasha Rooney
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 

Recommended

The Anatomy of DDoS Attacks
The Anatomy of DDoS AttacksThe Anatomy of DDoS Attacks
The Anatomy of DDoS AttacksAcquia
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksMyNOG
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionAPNIC
 
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...ShortestPathFirst
 
Zombie DNS
Zombie DNSZombie DNS
Zombie DNSAPNIC
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's askingAPNIC
 
Evolving HTTP and making things QUIC
Evolving HTTP and making things QUICEvolving HTTP and making things QUIC
Evolving HTTP and making things QUICNatasha Rooney
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
 
Anatomy of DDoS - Builderscon Tokyo 2017
Anatomy of DDoS - Builderscon Tokyo 2017Anatomy of DDoS - Builderscon Tokyo 2017
Anatomy of DDoS - Builderscon Tokyo 2017Suzanne Aldrich
 
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shahNull 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shahnullowaspmumbai
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling RootsAPNIC
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldTom Paseka
 
DDoS mitigation EPIC FAIL collection - 32C3
DDoS mitigation EPIC FAIL collection - 32C3DDoS mitigation EPIC FAIL collection - 32C3
DDoS mitigation EPIC FAIL collection - 32C3Moshe Zioni
 
(NET301) New Capabilities for Amazon Virtual Private Cloud
(NET301) New Capabilities for Amazon Virtual Private Cloud(NET301) New Capabilities for Amazon Virtual Private Cloud
(NET301) New Capabilities for Amazon Virtual Private CloudAmazon Web Services
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73APNIC
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoSjgrahamc
 
DrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSDrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSSuzanne Aldrich
 
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gapCloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gapTom Paseka
 
Protection and Visibitlity of Encrypted Traffic by F5
Protection and Visibitlity of Encrypted Traffic by F5Protection and Visibitlity of Encrypted Traffic by F5
Protection and Visibitlity of Encrypted Traffic by F5Bangladesh Network Operators Group
 
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSDINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSAPNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and RiskSukbum Hong
 
IPv6 deployment at APNIC
IPv6 deployment at APNICIPv6 deployment at APNIC
IPv6 deployment at APNICAPNIC
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateAPNIC
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
More specific announcments in BGP
More specific announcments in BGPMore specific announcments in BGP
More specific announcments in BGPAPNIC
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisBangladesh Network Operators Group
 
Almdudler Case Study - Cindy Tran
Almdudler Case Study - Cindy TranAlmdudler Case Study - Cindy Tran
Almdudler Case Study - Cindy TranCindy Tran
 
De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...
De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...
De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...Mike de Groot
 
Traumatismo Craneoencefálico
Traumatismo CraneoencefálicoTraumatismo Craneoencefálico
Traumatismo CraneoencefálicoYaneth03
 

More Related Content

What's hot

Anatomy of DDoS - Builderscon Tokyo 2017
Anatomy of DDoS - Builderscon Tokyo 2017Anatomy of DDoS - Builderscon Tokyo 2017
Anatomy of DDoS - Builderscon Tokyo 2017Suzanne Aldrich
 
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shahNull 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shahnullowaspmumbai
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling RootsAPNIC
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldTom Paseka
 
DDoS mitigation EPIC FAIL collection - 32C3
DDoS mitigation EPIC FAIL collection - 32C3DDoS mitigation EPIC FAIL collection - 32C3
DDoS mitigation EPIC FAIL collection - 32C3Moshe Zioni
 
(NET301) New Capabilities for Amazon Virtual Private Cloud
(NET301) New Capabilities for Amazon Virtual Private Cloud(NET301) New Capabilities for Amazon Virtual Private Cloud
(NET301) New Capabilities for Amazon Virtual Private CloudAmazon Web Services
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73APNIC
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoSjgrahamc
 
DrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSDrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSSuzanne Aldrich
 
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gapCloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gapTom Paseka
 
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSDINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSAPNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and RiskSukbum Hong
 
IPv6 deployment at APNIC
IPv6 deployment at APNICIPv6 deployment at APNIC
IPv6 deployment at APNICAPNIC
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateAPNIC
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
More specific announcments in BGP
More specific announcments in BGPMore specific announcments in BGP
More specific announcments in BGPAPNIC
 

What's hot (19)

Anatomy of DDoS - Builderscon Tokyo 2017
Anatomy of DDoS - Builderscon Tokyo 2017Anatomy of DDoS - Builderscon Tokyo 2017
Anatomy of DDoS - Builderscon Tokyo 2017
 
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shahNull 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
 
DDoS mitigation EPIC FAIL collection - 32C3
DDoS mitigation EPIC FAIL collection - 32C3DDoS mitigation EPIC FAIL collection - 32C3
DDoS mitigation EPIC FAIL collection - 32C3
 
(NET301) New Capabilities for Amazon Virtual Private Cloud
(NET301) New Capabilities for Amazon Virtual Private Cloud(NET301) New Capabilities for Amazon Virtual Private Cloud
(NET301) New Capabilities for Amazon Virtual Private Cloud
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoS
 
DrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSDrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoS
 
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gapCloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
 
Protection and Visibitlity of Encrypted Traffic by F5
Protection and Visibitlity of Encrypted Traffic by F5Protection and Visibitlity of Encrypted Traffic by F5
Protection and Visibitlity of Encrypted Traffic by F5
 
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSDINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and Risk
 
IPv6 deployment at APNIC
IPv6 deployment at APNICIPv6 deployment at APNIC
IPv6 deployment at APNIC
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment Update
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
More specific announcments in BGP
More specific announcments in BGPMore specific announcments in BGP
More specific announcments in BGP
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security Analysis
 

Viewers also liked

Almdudler Case Study - Cindy Tran
Almdudler Case Study - Cindy TranAlmdudler Case Study - Cindy Tran
Almdudler Case Study - Cindy TranCindy Tran
 
De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...
De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...
De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...Mike de Groot
 
Traumatismo Craneoencefálico
Traumatismo CraneoencefálicoTraumatismo Craneoencefálico
Traumatismo CraneoencefálicoYaneth03
 
Características que Requiere el Egresado del 2020
Características que Requiere el Egresado del 2020Características que Requiere el Egresado del 2020
Características que Requiere el Egresado del 2020Dr. Orville M. Disdier
 
Hipolipemiantes en prevención cardiovascular
Hipolipemiantes en prevención cardiovascularHipolipemiantes en prevención cardiovascular
Hipolipemiantes en prevención cardiovascularCadime Easp
 
Swap-space Management
Swap-space ManagementSwap-space Management
Swap-space ManagementAgnas Jasmine
 
apnic handling-network-abuse
apnic handling-network-abuseapnic handling-network-abuse
apnic handling-network-abuseAPNIC
 
Supporting internet growth and evolution
Supporting internet growth and evolutionSupporting internet growth and evolution
Supporting internet growth and evolutionAPNIC
 
IPv6 Tutorial RIPE 60
IPv6 Tutorial RIPE 60IPv6 Tutorial RIPE 60
IPv6 Tutorial RIPE 60RIPE Meetings
 
DNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6LabDNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6LabAPNIC
 
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...Community Networks: An Alternative Paradigm for Developing Network Infrastruc...
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...APNIC
 
IPv6 Deployment In Enterprise Networks
IPv6 Deployment In Enterprise NetworksIPv6 Deployment In Enterprise Networks
IPv6 Deployment In Enterprise NetworksIvan Pepelnjak
 
Korea IPv6 Measurement
Korea IPv6 MeasurementKorea IPv6 Measurement
Korea IPv6 MeasurementAPNIC
 
Case Studies: TakNet
Case Studies: TakNetCase Studies: TakNet
Case Studies: TakNetAPNIC
 
Technical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC DeploymentTechnical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC DeploymentAPNIC
 
Japan IPv6 Measurement
Japan IPv6 MeasurementJapan IPv6 Measurement
Japan IPv6 MeasurementAPNIC
 
APNIC Update - MMNOG 2017
APNIC Update - MMNOG 2017APNIC Update - MMNOG 2017
APNIC Update - MMNOG 2017APNIC
 
APIX Update
APIX UpdateAPIX Update
APIX UpdateAPNIC
 
Supporting Global Discussion: IANA Stewardship Transition
Supporting Global Discussion: IANA Stewardship TransitionSupporting Global Discussion: IANA Stewardship Transition
Supporting Global Discussion: IANA Stewardship TransitionICANN
 
Evolving the network for 5G
Evolving the network for 5GEvolving the network for 5G
Evolving the network for 5GAPNIC
 

Viewers also liked (20)

Almdudler Case Study - Cindy Tran
Almdudler Case Study - Cindy TranAlmdudler Case Study - Cindy Tran
Almdudler Case Study - Cindy Tran
 
De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...
De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...
De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...
 
Traumatismo Craneoencefálico
Traumatismo CraneoencefálicoTraumatismo Craneoencefálico
Traumatismo Craneoencefálico
 
Características que Requiere el Egresado del 2020
Características que Requiere el Egresado del 2020Características que Requiere el Egresado del 2020
Características que Requiere el Egresado del 2020
 
Hipolipemiantes en prevención cardiovascular
Hipolipemiantes en prevención cardiovascularHipolipemiantes en prevención cardiovascular
Hipolipemiantes en prevención cardiovascular
 
Swap-space Management
Swap-space ManagementSwap-space Management
Swap-space Management
 
apnic handling-network-abuse
apnic handling-network-abuseapnic handling-network-abuse
apnic handling-network-abuse
 
Supporting internet growth and evolution
Supporting internet growth and evolutionSupporting internet growth and evolution
Supporting internet growth and evolution
 
IPv6 Tutorial RIPE 60
IPv6 Tutorial RIPE 60IPv6 Tutorial RIPE 60
IPv6 Tutorial RIPE 60
 
DNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6LabDNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6Lab
 
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...Community Networks: An Alternative Paradigm for Developing Network Infrastruc...
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...
 
IPv6 Deployment In Enterprise Networks
IPv6 Deployment In Enterprise NetworksIPv6 Deployment In Enterprise Networks
IPv6 Deployment In Enterprise Networks
 
Korea IPv6 Measurement
Korea IPv6 MeasurementKorea IPv6 Measurement
Korea IPv6 Measurement
 
Case Studies: TakNet
Case Studies: TakNetCase Studies: TakNet
Case Studies: TakNet
 
Technical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC DeploymentTechnical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC Deployment
 
Japan IPv6 Measurement
Japan IPv6 MeasurementJapan IPv6 Measurement
Japan IPv6 Measurement
 
APNIC Update - MMNOG 2017
APNIC Update - MMNOG 2017APNIC Update - MMNOG 2017
APNIC Update - MMNOG 2017
 
APIX Update
APIX UpdateAPIX Update
APIX Update
 
Supporting Global Discussion: IANA Stewardship Transition
Supporting Global Discussion: IANA Stewardship TransitionSupporting Global Discussion: IANA Stewardship Transition
Supporting Global Discussion: IANA Stewardship Transition
 
Evolving the network for 5G
Evolving the network for 5GEvolving the network for 5G
Evolving the network for 5G
 

Similar to Spoofing and Denial of Service: A risk to the decentralized Internet

DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeMyNOG
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec APNIC
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolJisc
 
DC/OS 1.8 Container Networking
DC/OS 1.8 Container NetworkingDC/OS 1.8 Container Networking
DC/OS 1.8 Container NetworkingSargun Dhillon
 
DDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet FilteringDDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet FilteringQrator Labs
 
DDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectDDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectAPNIC
 
DNS Security Threats and Solutions
DNS Security Threats and SolutionsDNS Security Threats and Solutions
DNS Security Threats and SolutionsInnoTech
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationHacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationImperva
 
Building the Glue for Service Discovery & Load Balancing Microservices
Building the Glue for Service Discovery & Load Balancing MicroservicesBuilding the Glue for Service Discovery & Load Balancing Microservices
Building the Glue for Service Discovery & Load Balancing MicroservicesSargun Dhillon
 
Discover the Power of ThousandEyes on Your Meraki MX
Discover the Power of ThousandEyes on Your Meraki MXDiscover the Power of ThousandEyes on Your Meraki MX
Discover the Power of ThousandEyes on Your Meraki MXThousandEyes
 
Advance Malware CnC by Avkash k and dhawal shah
Advance Malware CnC by Avkash k and dhawal shahAdvance Malware CnC by Avkash k and dhawal shah
Advance Malware CnC by Avkash k and dhawal shahAvkash Kathiriya
 
IoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeIoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeAPNIC
 
DNS and Infrastracture DDoS Protection
DNS and Infrastracture DDoS ProtectionDNS and Infrastracture DDoS Protection
DNS and Infrastracture DDoS ProtectionImperva Incapsula
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesAPNIC
 
Артем Гавриченков "The Dark Side of Things: Distributed Denial of Service Att...
Артем Гавриченков "The Dark Side of Things: Distributed Denial of Service Att...Артем Гавриченков "The Dark Side of Things: Distributed Denial of Service Att...
Артем Гавриченков "The Dark Side of Things: Distributed Denial of Service Att...Tanya Denisyuk
 
Dns security threats and solutions
Dns security threats and solutionsDns security threats and solutions
Dns security threats and solutionsFrank Victory
 
Network Emulation in SOASTA 57 Spring Release
Network Emulation in SOASTA 57 Spring ReleaseNetwork Emulation in SOASTA 57 Spring Release
Network Emulation in SOASTA 57 Spring ReleaseJennifer Finney
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 

Similar to Spoofing and Denial of Service: A risk to the decentralized Internet (20)

DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security tool
 
DC/OS 1.8 Container Networking
DC/OS 1.8 Container NetworkingDC/OS 1.8 Container Networking
DC/OS 1.8 Container Networking
 
DDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet FilteringDDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet Filtering
 
Erlang containers
Erlang containersErlang containers
Erlang containers
 
DDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectDDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring Project
 
DNS Security Threats and Solutions
DNS Security Threats and SolutionsDNS Security Threats and Solutions
DNS Security Threats and Solutions
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationHacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
 
nanog
nanognanog
nanog
 
Building the Glue for Service Discovery & Load Balancing Microservices
Building the Glue for Service Discovery & Load Balancing MicroservicesBuilding the Glue for Service Discovery & Load Balancing Microservices
Building the Glue for Service Discovery & Load Balancing Microservices
 
Discover the Power of ThousandEyes on Your Meraki MX
Discover the Power of ThousandEyes on Your Meraki MXDiscover the Power of ThousandEyes on Your Meraki MX
Discover the Power of ThousandEyes on Your Meraki MX
 
Advance Malware CnC by Avkash k and dhawal shah
Advance Malware CnC by Avkash k and dhawal shahAdvance Malware CnC by Avkash k and dhawal shah
Advance Malware CnC by Avkash k and dhawal shah
 
IoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeIoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat Landscape
 
DNS and Infrastracture DDoS Protection
DNS and Infrastracture DDoS ProtectionDNS and Infrastracture DDoS Protection
DNS and Infrastracture DDoS Protection
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
 
Артем Гавриченков "The Dark Side of Things: Distributed Denial of Service Att...
Артем Гавриченков "The Dark Side of Things: Distributed Denial of Service Att...Артем Гавриченков "The Dark Side of Things: Distributed Denial of Service Att...
Артем Гавриченков "The Dark Side of Things: Distributed Denial of Service Att...
 
Dns security threats and solutions
Dns security threats and solutionsDns security threats and solutions
Dns security threats and solutions
 
Network Emulation in SOASTA 57 Spring Release
Network Emulation in SOASTA 57 Spring ReleaseNetwork Emulation in SOASTA 57 Spring Release
Network Emulation in SOASTA 57 Spring Release
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
 

More from APNIC

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAPNIC
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAPNIC
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsAPNIC
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemAPNIC
 

More from APNIC (20)

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & Development
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry System
 

Recently uploaded

Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 

Recently uploaded (20)

Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 

Spoofing and Denial of Service: A risk to the decentralized Internet

  • 1. Spoofing and Denial of Service: A risk to the decentralized Internet DDoS: The real story with BCP38 Tom Paseka APRICOT 2017
  • 2. Global Network © 2017 Cloudflare Inc. All rights reserved. 2
  • 3. Content Neutral © 2016 Cloudflare Inc. All rights reserved. 3
  • 4. Daily Attacks © 2016 Cloudflare Inc. All rights reserved. 4
  • 5. Daily Attacks • Because we have such a broad view of the internet, we see a lot of attacks • This graph is showing count of different attacks • Sometimes, seeing more than 1,400 unique attacks daily © 2016 Cloudflare Inc. All rights reserved. 5
  • 6. We have to solve attacks © 2016 Cloudflare Inc. All rights reserved. 6
  • 7. Record Breaking Attacks Nickname Type Volume SNMP  Amp SNMP  Amplification/Reflection 80Gbps Spamhaus DNS  Amplification/Reflection 300Gbps "Winter  of  Attacks" Direct 400Gbps IoT Direct 500Gbps+ © 2016 Cloudflare Inc. All rights reserved. 7
  • 8. Record Breaking Attacks • Around 5 years ago we saw some SNMP reflection attacks • Cable modems from a very large Cable ISP in North America were reflecting SNMP walks towards us • We then saw the infamous “Spamhaus” attacks. Attacks which were directed at us and internet infrastructure, resulting in impact to hundreds of thousands of internet users • From September 2016, the “IoT” attacks, most famously the Mirai (未来) botnet with attacks breaking 500Gbps © 2016 Cloudflare Inc. All rights reserved. 8
  • 9. Most big attacks have a few things in common © 2016 Cloudflare Inc. All rights reserved. 9
  • 10. Flood of IP Packets © 2016 Cloudflare Inc. All rights reserved. 10
  • 11. © 2016 Cloudflare Inc. All rights reserved. 11
  • 12. Spoofing Enables Impersonation © 2016 Cloudflare Inc. All rights reserved. 12
  • 13. Spoofing? • Why is spoofing an issue? • This is my good friend Walt Wollny • Let’s say, he was assaulted, but it was by masked assailant • Without removing the mask, there can’t be legal retribution © 2016 Cloudflare Inc. All rights reserved. 13
  • 14. May 2000: BCP38 © 2016 Cloudflare Inc. All rights reserved. 14
  • 15. BCP38 • BCP, Best Common Practice #38 was published in May 2000 • It gave guidance on how to configure your network to prefer spoofing • This document is nearly 17 years old, why it isn’t engrained yet? • Vendors Faults? Operators Fault? • Regardless, IT’S. JUST. NOT. THERE. © 2016 Cloudflare Inc. All rights reserved. 15
  • 16. Caida Spoofer Stats © 2016 Cloudflare Inc. All rights reserved. 16 Updated: Feb 2017. Source: https://spoofer.caida.org
  • 17. Filter close to the source © 2016 Cloudflare Inc. All rights reserved. 17
  • 18. Filter close to the source • Filtering at the ingress from your customer is really how to stop filtering • You should also be filtering at the egress if your network for multiple layers, incase of some misconfiguration • Unicast Reverse Path Forwarding doesn’t scale well • What about simple ACLs? • Yet this still isn’t there! © 2016 Cloudflare Inc. All rights reserved. 18
  • 19. IP Spoofing: • Enables Impersonation • Isn’t solved © 2016 Cloudflare Inc. All rights reserved. 19
  • 20. IP Spoofing 1. Tracing back is impossible 2. Allows sophisticated attacks © 2016 Cloudflare Inc. All rights reserved. 20
  • 21. IP Spoofing 1. Tracing back is impossible 2. Allows sophisticated attacks © 2016 Cloudflare Inc. All rights reserved. 21
  • 22. Where did the attack come from? © 2016 Cloudflare Inc. All rights reserved. 22
  • 23. Where did the attack come from? • The “Server” in this slide, gets attack traffic • It has one link out, to its router, so we know it came from the ‘router’ • But from there, where did it come from? • There are multiple input interfaces, which one could be sending the traffic? Which network? • We can trace this down a bad way, by looking at graphs © 2016 Cloudflare Inc. All rights reserved. 23
  • 24. Identifying interfaces © 2016 Cloudflare Inc. All rights reserved. 24
  • 25. Identifying interfaces © 2016 Cloudflare Inc. All rights reserved. 25
  • 26. What’s on the other side of the Cable? © 2016 Cloudflare Inc. All rights reserved. 26
  • 27. What’s on the other side of the Cable? • For most internet networks, there are several types of input sources: • Direct Peering: Where you have a single network and their customer cone on that interfaces • Internet Exchange: many networks connected to a single fabric. Possible hundreds of direct networks and thousands of in-direct networks • Internet Carrier / Transit Provider: The whole Internet © 2016 Cloudflare Inc. All rights reserved. 27
  • 28. 1. Direct Peering © 2016 Cloudflare Inc. All rights reserved. 28
  • 29. 1. Direct Peering • Where we have direct peering with another network, you have a pretty good idea of what’s on the other side • This is going to be limited to that network and their customers • In a case like this, it’s pretty easy to identify at least the ISP responsible for traffic © 2016 Cloudflare Inc. All rights reserved. 29
  • 30. 2. IXP / Internet Exchange Point © 2016 Cloudflare Inc. All rights reserved. 30 3. Transit Provider
  • 31. IXPs and Transit Providers • Both of these represent an issue • There is any number of networks where traffic could be coming from • No easy way to identify the source over either of these • Let’s explore a little but more about IXPs © 2016 Cloudflare Inc. All rights reserved. 31
  • 32. 2. IXP / Internet Exchange Point © 2016 Cloudflare Inc. All rights reserved. 32
  • 33. 2. IXP / Internet Exchange Point © 2016 Cloudflare Inc. All rights reserved. 33 ?.?.?.?
  • 34. 2. IXP / Internet Exchange Point • When traffic enters the IXP, we have no idea where the source came from • Since you’re on one big fabric, anyone can inject it • Very hard to track back • Some ways to trace, but poorly implemented. I’ll touch on this later. © 2016 Cloudflare Inc. All rights reserved. 34
  • 35. 3. Transit Provider © 2016 Cloudflare Inc. All rights reserved. 35 Src ip = 8.8.8.8
  • 36. 3. Transit Provider © 2016 Cloudflare Inc. All rights reserved. 36 ??? Src ip = 8.8.8.8 ??? 8.8.8.0/24
  • 37. 3. Transit Provider • So, we see an attack coming from 8.8.8.8 • This is coming in over a transit provider • But we have direct peering with the network that represents this traffic • Why isn’t this traffic coming over the peering? • ….Because it’s spoofed. © 2016 Cloudflare Inc. All rights reserved. 37
  • 38. Lack of Attribution © 2016 Cloudflare Inc. All rights reserved. 38
  • 39. IP Spoofing 1. Tracing back is impossible 2. Allows sophisticated attacks © 2016 Cloudflare Inc. All rights reserved. 39
  • 40. Amplification © 2016 Cloudflare Inc. All rights reserved. 40
  • 41. Amplification • We know about amplification attacks, so I’m not going to go into technical detail • The premise: Send a small request and get a big response directed at your target • Amplification means you can knock off a service, much larger than you are, without using all your resources. © 2016 Cloudflare Inc. All rights reserved. 41
  • 42. March 2013: Spamhaus © 2016 Cloudflare Inc. All rights reserved. 42
  • 43. March 2013: Spamhaus • During the Spamhaus attacks, DNS amplification was used • Large DNS replies (eg. ANY isc.org ~4,000 byte reply to a very small query) • 37Gbps of attack traffic was able to be amplified to 300Gbps of attack traffic © 2016 Cloudflare Inc. All rights reserved. 43
  • 44. Amplification is relatively easy to block…. • …If you have the bandwidth. (few networks can absorb hundreds of Gbps) • Block on firewall: • src UDP/53 > deny • Internet is fighting amplification sources: • openresolverproject.org • openntpproject.org © 2016 Cloudflare Inc. All rights reserved. 44
  • 45. Source IP Addresses © 2016 Cloudflare Inc. All rights reserved. 45 ??? Src ip = 8.8.8.8 ??? 8.8.8.0/24
  • 46. Source IP Addresses • So, what happens when we trace the source IP address in attacks. • Taking this lovely picture from xkcd, we see a map of what the internet is © 2016 Cloudflare Inc. All rights reserved. 46
  • 47. Source IP Addresses © 2016 Cloudflare Inc. All rights reserved. 47 https://xkcd.com/195/
  • 48. Source IP Addresses • What does this same map look like, when we see a large scale attack? © 2016 Cloudflare Inc. All rights reserved. 48
  • 49. Source IP Addresses © 2016 Cloudflare Inc. All rights reserved. 49
  • 50. Source IP Addresses • What about a different type of attack? • This attack is coming from a single network, the graph on the left is the view of what is routed by that network • The graph on the right is attack sources from that network • Is this network doing egress filtering? Is it spoofed or all direct from that network? © 2016 Cloudflare Inc. All rights reserved. 50
  • 51. Source IP Addresses © 2016 Cloudflare Inc. All rights reserved. 51
  • 52. Dealing with Attacks © 2016 Cloudflare Inc. All rights reserved. 52
  • 53. Null Routing © 2016 Cloudflare Inc. All rights reserved. 53
  • 54. Null Routing • Probably the simplest way to deal with an attack • You instruct your ISP not to route traffic for a single host, or a series of hosts in your network • Except, you’ve just let the attacker win • If you null route your service, you’ve taken it offline. Perhaps you have an advanced system and can quickly renumber, but the attacker can update their attack too © 2016 Cloudflare Inc. All rights reserved. 54
  • 55. The only way to stay online is to absorb the attack © 2016 Cloudflare Inc. All rights reserved. 55
  • 56. Receive and Process © 2016 Cloudflare Inc. All rights reserved. 56
  • 57. Receive and Process • To absorb the attack you need to receive and process it • This means you need to scale up infrastructure or develop advanced techniques to deal with attacks • Both of these need huge amounts of capacity, both physical and logical • Few networks are ready for it, so you outsource • But this breaks the model of de-centralization © 2016 Cloudflare Inc. All rights reserved. 57
  • 58. Centralization © 2016 Cloudflare Inc. All rights reserved. 58
  • 59. Solution? © 2016 Cloudflare Inc. All rights reserved. 59
  • 60. Technical solutions to IP Spoofing have failed © 2016 Cloudflare Inc. All rights reserved. 60
  • 61. Don’t just solve the IP Spoofing © 2016 Cloudflare Inc. All rights reserved. 61
  • 62. Don’t just solve the IP Spoofing… © 2016 Cloudflare Inc. All rights reserved. 62 …solve the attribution!
  • 63. © 2016 Cloudflare Inc. All rights reserved. 63
  • 64. Netflow • Opensource Toolsets are great • Scales very well • Privacy Concerns? • This is very very simple data • Rotate (delete) logs every few days • Use a high sampling rate. 1/16,000 © 2016 Cloudflare Inc. All rights reserved. 64
  • 65. Netflow • H/W vendors must get better • Netflow v9 supports src/dst MAC • Which vendor supports it? © 2016 Cloudflare Inc. All rights reserved. 65 Photo:  The  Simpsons/FOX
  • 66. NetFlow • It is EMBARRASING that a transit provider doesn’t know where packets ingress their networks • It’s even more embarrassing that service providers who have NetFlow equipment, be it open sourced / in house or provided by a vendor don’t know how to use it • It’s also EMBARRASING that hardware vendors don’t support full NetFlow v9 • This needs to be resolved now © 2016 Cloudflare Inc. All rights reserved. 66
  • 67. This is the first step © 2016 Cloudflare Inc. All rights reserved. 67
  • 68. Attribution allows informed discussion © 2016 Cloudflare Inc. All rights reserved. 68
  • 69. DDoS Causes centralization © 2016 Cloudflare Inc. All rights reserved. 69
  • 70. To fix DDoS we need attribution © 2016 Cloudflare Inc. All rights reserved. 70
  • 71. To make the internet better for everyone © 2016 Cloudflare Inc. All rights reserved. 71