Submit Search
Upload
Spoofing and Denial of Service: A risk to the decentralized Internet
•
0 likes
•
253 views
APNIC
Follow
Presentation by Tom Paseka at APRICOT 2017 on Wednesday, 1 March 2017.
Read less
Read more
Internet
Report
Share
Report
Share
1 of 71
Recommended
The Anatomy of DDoS Attacks
The Anatomy of DDoS Attacks
Acquia
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacks
MyNOG
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
APNIC
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
ShortestPathFirst
Zombie DNS
Zombie DNS
APNIC
OARC 26: Who's asking
OARC 26: Who's asking
APNIC
Evolving HTTP and making things QUIC
Evolving HTTP and making things QUIC
Natasha Rooney
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long Period
APNIC
Recommended
The Anatomy of DDoS Attacks
The Anatomy of DDoS Attacks
Acquia
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacks
MyNOG
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
APNIC
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
ShortestPathFirst
Zombie DNS
Zombie DNS
APNIC
OARC 26: Who's asking
OARC 26: Who's asking
APNIC
Evolving HTTP and making things QUIC
Evolving HTTP and making things QUIC
Natasha Rooney
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long Period
APNIC
Anatomy of DDoS - Builderscon Tokyo 2017
Anatomy of DDoS - Builderscon Tokyo 2017
Suzanne Aldrich
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
nullowaspmumbai
Testing Rolling Roots
Testing Rolling Roots
APNIC
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
Tom Paseka
DDoS mitigation EPIC FAIL collection - 32C3
DDoS mitigation EPIC FAIL collection - 32C3
Moshe Zioni
(NET301) New Capabilities for Amazon Virtual Private Cloud
(NET301) New Capabilities for Amazon Virtual Private Cloud
Amazon Web Services
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73
APNIC
How to launch and defend against a DDoS
How to launch and defend against a DDoS
jgrahamc
DrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoS
Suzanne Aldrich
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
Tom Paseka
Protection and Visibitlity of Encrypted Traffic by F5
Protection and Visibitlity of Encrypted Traffic by F5
Bangladesh Network Operators Group
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
APNIC
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
APNIC
DNS DDoS Attack and Risk
DNS DDoS Attack and Risk
Sukbum Hong
IPv6 deployment at APNIC
IPv6 deployment at APNIC
APNIC
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment Update
APNIC
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
Security Session
More specific announcments in BGP
More specific announcments in BGP
APNIC
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security Analysis
Bangladesh Network Operators Group
Almdudler Case Study - Cindy Tran
Almdudler Case Study - Cindy Tran
Cindy Tran
De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...
De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...
Mike de Groot
Traumatismo Craneoencefálico
Traumatismo Craneoencefálico
Yaneth03
More Related Content
What's hot
Anatomy of DDoS - Builderscon Tokyo 2017
Anatomy of DDoS - Builderscon Tokyo 2017
Suzanne Aldrich
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
nullowaspmumbai
Testing Rolling Roots
Testing Rolling Roots
APNIC
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
Tom Paseka
DDoS mitigation EPIC FAIL collection - 32C3
DDoS mitigation EPIC FAIL collection - 32C3
Moshe Zioni
(NET301) New Capabilities for Amazon Virtual Private Cloud
(NET301) New Capabilities for Amazon Virtual Private Cloud
Amazon Web Services
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73
APNIC
How to launch and defend against a DDoS
How to launch and defend against a DDoS
jgrahamc
DrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoS
Suzanne Aldrich
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
Tom Paseka
Protection and Visibitlity of Encrypted Traffic by F5
Protection and Visibitlity of Encrypted Traffic by F5
Bangladesh Network Operators Group
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
APNIC
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
APNIC
DNS DDoS Attack and Risk
DNS DDoS Attack and Risk
Sukbum Hong
IPv6 deployment at APNIC
IPv6 deployment at APNIC
APNIC
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment Update
APNIC
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
Security Session
More specific announcments in BGP
More specific announcments in BGP
APNIC
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security Analysis
Bangladesh Network Operators Group
What's hot
(19)
Anatomy of DDoS - Builderscon Tokyo 2017
Anatomy of DDoS - Builderscon Tokyo 2017
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Null 11 june_Malware CNC: Advance Evasion techniques_by Avkash k and dhawal shah
Testing Rolling Roots
Testing Rolling Roots
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
DDoS mitigation EPIC FAIL collection - 32C3
DDoS mitigation EPIC FAIL collection - 32C3
(NET301) New Capabilities for Amazon Virtual Private Cloud
(NET301) New Capabilities for Amazon Virtual Private Cloud
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73
How to launch and defend against a DDoS
How to launch and defend against a DDoS
DrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoS
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
Protection and Visibitlity of Encrypted Traffic by F5
Protection and Visibitlity of Encrypted Traffic by F5
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
DNS DDoS Attack and Risk
DNS DDoS Attack and Risk
IPv6 deployment at APNIC
IPv6 deployment at APNIC
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment Update
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
More specific announcments in BGP
More specific announcments in BGP
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security Analysis
Viewers also liked
Almdudler Case Study - Cindy Tran
Almdudler Case Study - Cindy Tran
Cindy Tran
De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...
De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...
Mike de Groot
Traumatismo Craneoencefálico
Traumatismo Craneoencefálico
Yaneth03
Características que Requiere el Egresado del 2020
Características que Requiere el Egresado del 2020
Dr. Orville M. Disdier
Hipolipemiantes en prevención cardiovascular
Hipolipemiantes en prevención cardiovascular
Cadime Easp
Swap-space Management
Swap-space Management
Agnas Jasmine
apnic handling-network-abuse
apnic handling-network-abuse
APNIC
Supporting internet growth and evolution
Supporting internet growth and evolution
APNIC
IPv6 Tutorial RIPE 60
IPv6 Tutorial RIPE 60
RIPE Meetings
DNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6Lab
APNIC
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...
APNIC
IPv6 Deployment In Enterprise Networks
IPv6 Deployment In Enterprise Networks
Ivan Pepelnjak
Korea IPv6 Measurement
Korea IPv6 Measurement
APNIC
Case Studies: TakNet
Case Studies: TakNet
APNIC
Technical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC Deployment
APNIC
Japan IPv6 Measurement
Japan IPv6 Measurement
APNIC
APNIC Update - MMNOG 2017
APNIC Update - MMNOG 2017
APNIC
APIX Update
APIX Update
APNIC
Supporting Global Discussion: IANA Stewardship Transition
Supporting Global Discussion: IANA Stewardship Transition
ICANN
Evolving the network for 5G
Evolving the network for 5G
APNIC
Viewers also liked
(20)
Almdudler Case Study - Cindy Tran
Almdudler Case Study - Cindy Tran
De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...
De gevolgen van traumatisch hersenletsel, een onderschat probleem in de huisa...
Traumatismo Craneoencefálico
Traumatismo Craneoencefálico
Características que Requiere el Egresado del 2020
Características que Requiere el Egresado del 2020
Hipolipemiantes en prevención cardiovascular
Hipolipemiantes en prevención cardiovascular
Swap-space Management
Swap-space Management
apnic handling-network-abuse
apnic handling-network-abuse
Supporting internet growth and evolution
Supporting internet growth and evolution
IPv6 Tutorial RIPE 60
IPv6 Tutorial RIPE 60
DNSSEC/DANE/TLS Testing in Go6Lab
DNSSEC/DANE/TLS Testing in Go6Lab
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...
Community Networks: An Alternative Paradigm for Developing Network Infrastruc...
IPv6 Deployment In Enterprise Networks
IPv6 Deployment In Enterprise Networks
Korea IPv6 Measurement
Korea IPv6 Measurement
Case Studies: TakNet
Case Studies: TakNet
Technical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC Deployment
Japan IPv6 Measurement
Japan IPv6 Measurement
APNIC Update - MMNOG 2017
APNIC Update - MMNOG 2017
APIX Update
APIX Update
Supporting Global Discussion: IANA Stewardship Transition
Supporting Global Discussion: IANA Stewardship Transition
Evolving the network for 5G
Evolving the network for 5G
Similar to Spoofing and Denial of Service: A risk to the decentralized Internet
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
MyNOG
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
APNIC
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security tool
Jisc
DC/OS 1.8 Container Networking
DC/OS 1.8 Container Networking
Sargun Dhillon
DDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet Filtering
Qrator Labs
Erlang containers
Erlang containers
Sargun Dhillon
DDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring Project
APNIC
DNS Security Threats and Solutions
DNS Security Threats and Solutions
InnoTech
Hacking HTTP/2: New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2: New attacks on the Internet’s Next Generation Foundation
Imperva
nanog
nanog
Tom Paseka
Building the Glue for Service Discovery & Load Balancing Microservices
Building the Glue for Service Discovery & Load Balancing Microservices
Sargun Dhillon
Discover the Power of ThousandEyes on Your Meraki MX
Discover the Power of ThousandEyes on Your Meraki MX
ThousandEyes
Advance Malware CnC by Avkash k and dhawal shah
Advance Malware CnC by Avkash k and dhawal shah
Avkash Kathiriya
IoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat Landscape
APNIC
DNS and Infrastracture DDoS Protection
DNS and Infrastracture DDoS Protection
Imperva Incapsula
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
APNIC
Артем Гавриченков "The Dark Side of Things: Distributed Denial of Service Att...
Артем Гавриченков "The Dark Side of Things: Distributed Denial of Service Att...
Tanya Denisyuk
Dns security threats and solutions
Dns security threats and solutions
Frank Victory
Network Emulation in SOASTA 57 Spring Release
Network Emulation in SOASTA 57 Spring Release
Jennifer Finney
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
IKT-Norge
Similar to Spoofing and Denial of Service: A risk to the decentralized Internet
(20)
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security tool
DC/OS 1.8 Container Networking
DC/OS 1.8 Container Networking
DDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet Filtering
Erlang containers
Erlang containers
DDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring Project
DNS Security Threats and Solutions
DNS Security Threats and Solutions
Hacking HTTP/2: New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2: New attacks on the Internet’s Next Generation Foundation
nanog
nanog
Building the Glue for Service Discovery & Load Balancing Microservices
Building the Glue for Service Discovery & Load Balancing Microservices
Discover the Power of ThousandEyes on Your Meraki MX
Discover the Power of ThousandEyes on Your Meraki MX
Advance Malware CnC by Avkash k and dhawal shah
Advance Malware CnC by Avkash k and dhawal shah
IoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat Landscape
DNS and Infrastracture DDoS Protection
DNS and Infrastracture DDoS Protection
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Артем Гавриченков "The Dark Side of Things: Distributed Denial of Service Att...
Артем Гавриченков "The Dark Side of Things: Distributed Denial of Service Att...
Dns security threats and solutions
Dns security threats and solutions
Network Emulation in SOASTA 57 Spring Release
Network Emulation in SOASTA 57 Spring Release
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
More from APNIC
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
APNIC
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
APNIC
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
APNIC
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
APNIC
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
APNIC
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APNIC
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
APNIC
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
APNIC
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
APNIC
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
APNIC
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
APNIC
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
APNIC
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & Development
APNIC
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
APNIC
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
APNIC
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry System
APNIC
More from APNIC
(20)
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & Development
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry System
Recently uploaded
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
Paul Calvano
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
gdsc13
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Sonam Pathan
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
zdzoqco
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
LinaWolf1
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
Christopher H Felton
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
Dyna Gilbert
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
miss dipika
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Excelmac1
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
Fs
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
ys8omjxb
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
MartaLoveguard
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Dana Luther
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Sonam Pathan
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
Fs
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
Fs
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Lucknow
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
rehmti665
Recently uploaded
(20)
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Spoofing and Denial of Service: A risk to the decentralized Internet
1.
Spoofing and Denial
of Service: A risk to the decentralized Internet DDoS: The real story with BCP38 Tom Paseka APRICOT 2017
2.
Global Network © 2017
Cloudflare Inc. All rights reserved. 2
3.
Content Neutral © 2016
Cloudflare Inc. All rights reserved. 3
4.
Daily Attacks © 2016
Cloudflare Inc. All rights reserved. 4
5.
Daily Attacks • Because
we have such a broad view of the internet, we see a lot of attacks • This graph is showing count of different attacks • Sometimes, seeing more than 1,400 unique attacks daily © 2016 Cloudflare Inc. All rights reserved. 5
6.
We have to
solve attacks © 2016 Cloudflare Inc. All rights reserved. 6
7.
Record Breaking Attacks Nickname
Type Volume SNMP Amp SNMP Amplification/Reflection 80Gbps Spamhaus DNS Amplification/Reflection 300Gbps "Winter of Attacks" Direct 400Gbps IoT Direct 500Gbps+ © 2016 Cloudflare Inc. All rights reserved. 7
8.
Record Breaking Attacks •
Around 5 years ago we saw some SNMP reflection attacks • Cable modems from a very large Cable ISP in North America were reflecting SNMP walks towards us • We then saw the infamous “Spamhaus” attacks. Attacks which were directed at us and internet infrastructure, resulting in impact to hundreds of thousands of internet users • From September 2016, the “IoT” attacks, most famously the Mirai (未来) botnet with attacks breaking 500Gbps © 2016 Cloudflare Inc. All rights reserved. 8
9.
Most big attacks
have a few things in common © 2016 Cloudflare Inc. All rights reserved. 9
10.
Flood of IP
Packets © 2016 Cloudflare Inc. All rights reserved. 10
11.
© 2016 Cloudflare
Inc. All rights reserved. 11
12.
Spoofing Enables Impersonation ©
2016 Cloudflare Inc. All rights reserved. 12
13.
Spoofing? • Why is
spoofing an issue? • This is my good friend Walt Wollny • Let’s say, he was assaulted, but it was by masked assailant • Without removing the mask, there can’t be legal retribution © 2016 Cloudflare Inc. All rights reserved. 13
14.
May 2000: BCP38 ©
2016 Cloudflare Inc. All rights reserved. 14
15.
BCP38 • BCP, Best
Common Practice #38 was published in May 2000 • It gave guidance on how to configure your network to prefer spoofing • This document is nearly 17 years old, why it isn’t engrained yet? • Vendors Faults? Operators Fault? • Regardless, IT’S. JUST. NOT. THERE. © 2016 Cloudflare Inc. All rights reserved. 15
16.
Caida Spoofer Stats ©
2016 Cloudflare Inc. All rights reserved. 16 Updated: Feb 2017. Source: https://spoofer.caida.org
17.
Filter close to
the source © 2016 Cloudflare Inc. All rights reserved. 17
18.
Filter close to
the source • Filtering at the ingress from your customer is really how to stop filtering • You should also be filtering at the egress if your network for multiple layers, incase of some misconfiguration • Unicast Reverse Path Forwarding doesn’t scale well • What about simple ACLs? • Yet this still isn’t there! © 2016 Cloudflare Inc. All rights reserved. 18
19.
IP Spoofing: • Enables
Impersonation • Isn’t solved © 2016 Cloudflare Inc. All rights reserved. 19
20.
IP Spoofing 1. Tracing
back is impossible 2. Allows sophisticated attacks © 2016 Cloudflare Inc. All rights reserved. 20
21.
IP Spoofing 1. Tracing
back is impossible 2. Allows sophisticated attacks © 2016 Cloudflare Inc. All rights reserved. 21
22.
Where did the
attack come from? © 2016 Cloudflare Inc. All rights reserved. 22
23.
Where did the
attack come from? • The “Server” in this slide, gets attack traffic • It has one link out, to its router, so we know it came from the ‘router’ • But from there, where did it come from? • There are multiple input interfaces, which one could be sending the traffic? Which network? • We can trace this down a bad way, by looking at graphs © 2016 Cloudflare Inc. All rights reserved. 23
24.
Identifying interfaces © 2016
Cloudflare Inc. All rights reserved. 24
25.
Identifying interfaces © 2016
Cloudflare Inc. All rights reserved. 25
26.
What’s on the
other side of the Cable? © 2016 Cloudflare Inc. All rights reserved. 26
27.
What’s on the
other side of the Cable? • For most internet networks, there are several types of input sources: • Direct Peering: Where you have a single network and their customer cone on that interfaces • Internet Exchange: many networks connected to a single fabric. Possible hundreds of direct networks and thousands of in-direct networks • Internet Carrier / Transit Provider: The whole Internet © 2016 Cloudflare Inc. All rights reserved. 27
28.
1. Direct Peering ©
2016 Cloudflare Inc. All rights reserved. 28
29.
1. Direct Peering •
Where we have direct peering with another network, you have a pretty good idea of what’s on the other side • This is going to be limited to that network and their customers • In a case like this, it’s pretty easy to identify at least the ISP responsible for traffic © 2016 Cloudflare Inc. All rights reserved. 29
30.
2. IXP /
Internet Exchange Point © 2016 Cloudflare Inc. All rights reserved. 30 3. Transit Provider
31.
IXPs and Transit
Providers • Both of these represent an issue • There is any number of networks where traffic could be coming from • No easy way to identify the source over either of these • Let’s explore a little but more about IXPs © 2016 Cloudflare Inc. All rights reserved. 31
32.
2. IXP /
Internet Exchange Point © 2016 Cloudflare Inc. All rights reserved. 32
33.
2. IXP /
Internet Exchange Point © 2016 Cloudflare Inc. All rights reserved. 33 ?.?.?.?
34.
2. IXP /
Internet Exchange Point • When traffic enters the IXP, we have no idea where the source came from • Since you’re on one big fabric, anyone can inject it • Very hard to track back • Some ways to trace, but poorly implemented. I’ll touch on this later. © 2016 Cloudflare Inc. All rights reserved. 34
35.
3. Transit Provider ©
2016 Cloudflare Inc. All rights reserved. 35 Src ip = 8.8.8.8
36.
3. Transit Provider ©
2016 Cloudflare Inc. All rights reserved. 36 ??? Src ip = 8.8.8.8 ??? 8.8.8.0/24
37.
3. Transit Provider •
So, we see an attack coming from 8.8.8.8 • This is coming in over a transit provider • But we have direct peering with the network that represents this traffic • Why isn’t this traffic coming over the peering? • ….Because it’s spoofed. © 2016 Cloudflare Inc. All rights reserved. 37
38.
Lack of Attribution ©
2016 Cloudflare Inc. All rights reserved. 38
39.
IP Spoofing 1. Tracing
back is impossible 2. Allows sophisticated attacks © 2016 Cloudflare Inc. All rights reserved. 39
40.
Amplification © 2016 Cloudflare
Inc. All rights reserved. 40
41.
Amplification • We know
about amplification attacks, so I’m not going to go into technical detail • The premise: Send a small request and get a big response directed at your target • Amplification means you can knock off a service, much larger than you are, without using all your resources. © 2016 Cloudflare Inc. All rights reserved. 41
42.
March 2013: Spamhaus ©
2016 Cloudflare Inc. All rights reserved. 42
43.
March 2013: Spamhaus •
During the Spamhaus attacks, DNS amplification was used • Large DNS replies (eg. ANY isc.org ~4,000 byte reply to a very small query) • 37Gbps of attack traffic was able to be amplified to 300Gbps of attack traffic © 2016 Cloudflare Inc. All rights reserved. 43
44.
Amplification is relatively
easy to block…. • …If you have the bandwidth. (few networks can absorb hundreds of Gbps) • Block on firewall: • src UDP/53 > deny • Internet is fighting amplification sources: • openresolverproject.org • openntpproject.org © 2016 Cloudflare Inc. All rights reserved. 44
45.
Source IP Addresses ©
2016 Cloudflare Inc. All rights reserved. 45 ??? Src ip = 8.8.8.8 ??? 8.8.8.0/24
46.
Source IP Addresses •
So, what happens when we trace the source IP address in attacks. • Taking this lovely picture from xkcd, we see a map of what the internet is © 2016 Cloudflare Inc. All rights reserved. 46
47.
Source IP Addresses ©
2016 Cloudflare Inc. All rights reserved. 47 https://xkcd.com/195/
48.
Source IP Addresses •
What does this same map look like, when we see a large scale attack? © 2016 Cloudflare Inc. All rights reserved. 48
49.
Source IP Addresses ©
2016 Cloudflare Inc. All rights reserved. 49
50.
Source IP Addresses •
What about a different type of attack? • This attack is coming from a single network, the graph on the left is the view of what is routed by that network • The graph on the right is attack sources from that network • Is this network doing egress filtering? Is it spoofed or all direct from that network? © 2016 Cloudflare Inc. All rights reserved. 50
51.
Source IP Addresses ©
2016 Cloudflare Inc. All rights reserved. 51
52.
Dealing with Attacks ©
2016 Cloudflare Inc. All rights reserved. 52
53.
Null Routing © 2016
Cloudflare Inc. All rights reserved. 53
54.
Null Routing • Probably
the simplest way to deal with an attack • You instruct your ISP not to route traffic for a single host, or a series of hosts in your network • Except, you’ve just let the attacker win • If you null route your service, you’ve taken it offline. Perhaps you have an advanced system and can quickly renumber, but the attacker can update their attack too © 2016 Cloudflare Inc. All rights reserved. 54
55.
The only way
to stay online is to absorb the attack © 2016 Cloudflare Inc. All rights reserved. 55
56.
Receive and Process ©
2016 Cloudflare Inc. All rights reserved. 56
57.
Receive and Process •
To absorb the attack you need to receive and process it • This means you need to scale up infrastructure or develop advanced techniques to deal with attacks • Both of these need huge amounts of capacity, both physical and logical • Few networks are ready for it, so you outsource • But this breaks the model of de-centralization © 2016 Cloudflare Inc. All rights reserved. 57
58.
Centralization © 2016 Cloudflare
Inc. All rights reserved. 58
59.
Solution? © 2016 Cloudflare
Inc. All rights reserved. 59
60.
Technical solutions to
IP Spoofing have failed © 2016 Cloudflare Inc. All rights reserved. 60
61.
Don’t just solve
the IP Spoofing © 2016 Cloudflare Inc. All rights reserved. 61
62.
Don’t just solve
the IP Spoofing… © 2016 Cloudflare Inc. All rights reserved. 62 …solve the attribution!
63.
© 2016 Cloudflare
Inc. All rights reserved. 63
64.
Netflow • Opensource Toolsets
are great • Scales very well • Privacy Concerns? • This is very very simple data • Rotate (delete) logs every few days • Use a high sampling rate. 1/16,000 © 2016 Cloudflare Inc. All rights reserved. 64
65.
Netflow • H/W vendors
must get better • Netflow v9 supports src/dst MAC • Which vendor supports it? © 2016 Cloudflare Inc. All rights reserved. 65 Photo: The Simpsons/FOX
66.
NetFlow • It is
EMBARRASING that a transit provider doesn’t know where packets ingress their networks • It’s even more embarrassing that service providers who have NetFlow equipment, be it open sourced / in house or provided by a vendor don’t know how to use it • It’s also EMBARRASING that hardware vendors don’t support full NetFlow v9 • This needs to be resolved now © 2016 Cloudflare Inc. All rights reserved. 66
67.
This is the
first step © 2016 Cloudflare Inc. All rights reserved. 67
68.
Attribution allows informed
discussion © 2016 Cloudflare Inc. All rights reserved. 68
69.
DDoS Causes centralization ©
2016 Cloudflare Inc. All rights reserved. 69
70.
To fix DDoS
we need attribution © 2016 Cloudflare Inc. All rights reserved. 70
71.
To make the
internet better for everyone © 2016 Cloudflare Inc. All rights reserved. 71