CloudFlare DDoS attacks 101: what are they and how to protect your site?

Distributed denial of service (DDoS) attacks have scaled up in size and frequency over the past year. Attackers constantly adopt new methods to flood your website and network with malicious traffic. What exactly are DDoS attacks and how do they work? More importantly, how can you ensure that your website stays protected? CloudFlare solutions engineer Trey Guinn discusses the nature of DDoS attacks, with a focus on amplification attacks. He explains how CloudFlare is able to stop such attacks, and what you can do to ensure you are not part of the problem by running open NTP servers or open DNS resolvers.

Published in: Technology, News & Politics

  1. Trey Guinn, Solution Engineer, CloudFlare (www.cloudflare.com): DDoS 101
  2. Distributed Denial of Service: an attack coming from many locations at once that overwhelms your resources and prevents you from serving legitimate customers.
  3. Fake Pizza Orders
  4. Variety of attacks: volumetric, protocol attacks, application attacks
  5. Real-life example
  6. Wednesday, March 20: ~75 Gbps attack
  7. 100 Gbps: the "magic ceiling" in DDoS attacks
  8. March 24 – March 25: peaks of the attack reached at least 309 Gbps
  9. `dig ANY isc.org @63.217.84.76 +edns=0 +notcp +bufsize=4096` (ANY asks for every record at the name; +edns=0 and +bufsize=4096 advertise a 4,096-byte UDP payload so the reply is not truncated to 512 bytes; +notcp keeps it on UDP)
  10. 64-byte query
  11. `$ dig ANY isc.org @63.217.84.76 +edns=0 +notcp +bufsize=4096`
  12. 3,363-byte response
  13. Amplification
  14. ~50x amplification factor (3,363 bytes returned for 64 bytes sent)
  15. Attack amplification: DNS ~50x, NTP ~200x; coming: SNMP ~650x
  16. UDP = no handshake: the server never verifies the source address, so a request with a forged source gets its (much larger) reply delivered to the victim
  17. Problem ingredients: networks that allow source IP spoofing + servers that reply to "non-customers"
  18. Good networks don't let packets originate from IPs they don't own (BCP38)
  19. Not all networks are good
  20. How common are these ingredients?
  21. 28 million open resolvers
  22. 24.6% of networks allow spoofing
  23. Tens of millions of open NTP and DNS servers
  24. One attacker's laptop controlling 5–7 compromised servers on 3 networks that allowed spoofing, sending 9 Gbps of DNS requests to 0.1% of the open resolvers, resulted in 300 Gbps+ of DDoS attack traffic.
  25. How did we stop it?
  26. Anycast
  27. Inherently "dilutes" the attack
  28. 300 Gbps ÷ 25 anycasted PoPs = 12 Gbps per PoP
  29. Make sure you're not part of the problem…
  30. Are you running open DNS resolvers?
  31. Are you running open NTP servers?
  32. Implement BCP38 (uRPF)
  33. Trey Guinn, Solution Engineer, www.cloudflare.com
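The following is an added example, not code from the CloudFlare deck. It reproduces the numbers on slides 9 through 14 by building, byte for byte, the DNS message that `dig ANY isc.org +edns=0 +notcp +bufsize=4096` sends, showing where the 64 bytes come from (36 bytes of DNS plus 20 bytes of IPv4 header and 8 bytes of UDP header; an IPv4 header without options is assumed) and computing the amplification factor against the 3,363-byte response reported on the slides (that size is taken from the deck, not re-measured). It also adds a `classify_reply` helper for the question on slide 30: send a recursive query for a name the target is not authoritative for, and a reply with the RA flag set and an answer means the resolver is open. `send_query` and the resolver address are placeholders for a host you operate; nothing is sent on import.

```python
"""Rebuild the 64-byte DNS ANY query from the deck, compute its amplification
factor, and classify a resolver's reply as open/refused/closed.

Added example for this page, not CloudFlare's code. Assumes IPv4 without
options (20-byte header) and an 8-byte UDP header. The 3,363-byte response
size is the figure from the slides, not a measurement made here.
"""
import socket
import struct

IPV4_HEADER = 20        # bytes, no IP options (assumption)
UDP_HEADER = 8          # bytes
EDNS0_BUFSIZE = 4096    # dig +bufsize=4096: advertise a 4 KiB UDP payload
QTYPE_ANY = 255
QTYPE_OPT = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
QCLASS_IN = 1
RESPONSE_BYTES_FROM_SLIDES = 3363


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ended by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_any_query(name: str, txid: int = 0x1234, bufsize: int = EDNS0_BUFSIZE) -> bytes:
    """DNS payload equivalent to: dig ANY <name> +edns=0 +notcp +bufsize=<bufsize>."""
    # Header: ID, flags (RD=1 only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size,
    # TTL field carries extended RCODE/version/flags (all zero), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, bufsize, 0, 0)
    return header + question + opt


def wire_size(dns_payload: bytes) -> int:
    """Bytes on the wire for one IPv4/UDP datagram carrying this payload."""
    return IPV4_HEADER + UDP_HEADER + len(dns_payload)


def amplification_factor(request_wire_bytes: int, response_wire_bytes: int) -> float:
    """Bytes the victim receives per byte the attacker (spoofing the victim) sends."""
    return response_wire_bytes / request_wire_bytes


def classify_reply(reply: bytes) -> str:
    """Classify a reply to a recursive query for a name the server is NOT
    authoritative for. 'open': recursion available and an answer was returned;
    'refused': RCODE 5; 'closed': no recursion offered / nothing answered."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    rcode = flags & 0x000F
    recursion_available = bool(flags & 0x0080)
    if rcode == 5:
        return "refused"
    if recursion_available and rcode == 0 and ancount > 0:
        return "open"
    return "closed"


def send_query(query: bytes, resolver_ip: str, timeout: float = 3.0) -> bytes:
    """Send over plain UDP (no handshake, which is why the source can be forged)
    and return the raw reply. Only point this at resolvers you are authorised to test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        data, _ = s.recvfrom(65535)
    return data


if __name__ == "__main__":
    q = build_any_query("isc.org")
    print(f"DNS payload {len(q)} bytes, {wire_size(q)} bytes on the wire")
    print(f"amplification vs. the deck's {RESPONSE_BYTES_FROM_SLIDES}-byte reply: "
          f"{amplification_factor(wire_size(q), RESPONSE_BYTES_FROM_SLIDES):.1f}x")
    # To probe one of your own resolvers (placeholder address, assumption):
    # print(classify_reply(send_query(q, "192.0.2.53")))
```

The 36-byte payload plus 28 bytes of headers gives exactly the 64 bytes on slide 10, and 3,363 / 64 is about 52.5, which the deck rounds to 50x. Without the OPT record the server would cap the UDP reply at 512 bytes and set TC, which is why the attacker includes EDNS0.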

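The three fixes on slides 30 to 32, as an added configuration example that is not from the deck: the weak setting beside the corrected one for a BIND 9 recursive resolver, for ntpd (the mode-7 `monlist` query is the ~200x NTP vector; ntpd releases from 4.2.7p26 ship with it disabled, but older installs need the lines below), and for BCP38 ingress filtering via unicast RPF. The ACL prefixes, interface name and sysctl line are placeholders for your own network and are assumptions, not values from the slides.

```text
# --- BIND 9 named.conf: open resolver vs. restricted recursion (use one options block) ---
# Weak: anyone on the Internet can use this server for recursion.
options {
    recursion yes;
    allow-recursion { any; };
};
# Corrected: recursion only for the networks you serve (example prefixes, substitute your own).
# A server that only hosts your zones should instead set "recursion no;".
acl trusted { 127.0.0.0/8; 10.0.0.0/8; };
options {
    recursion yes;
    allow-recursion { trusted; };
};

# --- ntp.conf: open NTP server vs. hardened ---
# Weak: no "noquery", so anyone can send mode-6/mode-7 queries such as monlist.
restrict default nomodify notrap
# Corrected: refuse control and monitoring queries from non-peers and
# turn off the monitor list that monlist reads.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
disable monitor

# --- BCP38 / uRPF on a customer- or host-facing router interface (Cisco IOS syntax) ---
# Strict mode: drop packets whose source address would not be routed back out
# the interface they arrived on, i.e. packets spoofing addresses you don't own.
interface GigabitEthernet0/1
 ip verify unicast source reachable-via rx
# Linux host or router equivalent (strict reverse-path filtering):
# sysctl -w net.ipv4.conf.all.rp_filter=1
```

Check the result from outside your network: a resolver that still answers recursive queries from arbitrary sources, or an NTP daemon that still replies to `ntpdc -c monlist`, is still part of the problem. Strict uRPF belongs on single-homed edge interfaces; on asymmetrically routed links use loose mode (`reachable-via any`) so legitimate traffic is not dropped.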