As the web application security landscape evolves, companies face increased pressure to strengthen their security posture. Recently, the largest distributed denial of service (DDoS) attack ever recorded hit GitHub at 1.35 Tbps. While the big attacks get all the headlines, at Cloudflare we have learned about other forms of attack that can unexpectedly bring your site down. Join this webinar to learn how small DDoS attacks can still bring your site down, a little-known way attackers can bypass traditional DDoS protections, why TCP services may make you vulnerable to a DDoS attack, and how to augment Cloudflare’s unmetered DDoS solution with Spectrum, Rate Limiting, and Argo Tunnel.
3. Agenda
● The new DDoS landscape
● A little known way attackers can bypass traditional DDoS protections
● Why TCP services may make you vulnerable to a DDoS attack
● Pros and cons of multiple solutions: BGP, MPLS, and building your own
● How to augment Cloudflare’s unmetered DDoS solution with Spectrum, Rate Limiting, and Argo Tunnel
4. Poll #1
Have you experienced a DDoS attack in the past year?
● No, but I want DDoS protection
● No, and I already have enough DDoS protection for my site
● Yes, and I want to take my DDoS protection to the next level
● Yes, but I don’t think it will happen to my site again
6. Types of DDoS Attack Traffic
[Diagram: three attack paths]
1. Volumetric DNS Flood: Bots → DNS Server
2. Amplification (Layer 3 & 4): Bots → DNS Server → Server
3. HTTP Flood (Layer 7): Bots → HTTP Application/Login
Degrades availability and performance of applications, websites, and APIs
9. DDoS 2018 and Beyond
[Chart: attack types plotted from less frequent to more frequent against how difficult they are to mitigate; labels: DNS (Layer 7), SSL CPU Exhaustion (Layer 6), HTTP (Layer 7), Layer 3/4; attack sizes shown: 500 Gbps, 200 Gbps, 100 Gbps, 40 Gbps]
Smaller, targeted L7 attacks are proving to be more difficult for the industry than L3/4
11. IoT DDoS / Attack Case Study
Say Cheese: a snapshot of the massive DDoS attacks coming from IoT cameras: 128,000+ unique IPs, 220k rps, 360 Gbps
CHALLENGES
• DDoS mitigation systems are tuned to handle volumetric L3/4 attacks; in this instance attackers switched to L7 attacks in an attempt to knock web applications offline
• Unlike volumetric L3/4 attacks, HTTP-based attacks eat up resources by making actual HTTP requests to the attacked server.
• These attacks came from the Internet-of-Things (IoT) category of devices
CLOUDFLARE SOLUTION
• Seeing the move towards L7 DDoS attacks we put in place a new system that recognizes and blocks these attacks as they happen. The L7 mitigator recognizes attacks against a single host and distributes a fingerprint that protects all Cloudflare customers.
Attacks
The First Attack: The attack lasted 15 minutes with over 1 million HTTP RPS (Requests Per Second).
The Second Attack: This attack had 128,833 unique IP addresses. It generated only 220k RPS, but topped out at a high 360 Gbps bandwidth.
Blog Post: https://blog.cloudflare.com/say-cheese-a-snapshot-of-the-massive-ddos-attacks-coming-from-iot-cameras/
12. Poll #2
Do you run services (SSH, FTP, SharePoint, SMTP, etc.) other than HTTP/S traffic on your origin?
● Yes
● No
18. Volumetric attacks on TCP-based services
Customer Challenges
DDoS Attack: Attackers send direct volumetric attack traffic to TCP-based services like email or remote access, impacting performance and availability.
[Diagram: non-HTTP/S TCP attack traffic aimed at SSH, SMTP and SFTP services]
Data Theft: Snooping Attempt on clear-text TCP. Attackers snoop non-web, unencrypted traffic to gain access to sensitive data, such as user credentials.
[Diagram: snooping of unencrypted data in transit to SSH, SMTP and SFTP services]
19. Cloudflare Spectrum
Proxy non-HTTP/S TCP traffic through Cloudflare
Mitigate DDoS for TCP Protocols and Ports
Cloudflare Spectrum proxies all non-HTTPS TCP traffic through the same 120+ Cloudflare data centers, ensuring protection against DDoS attacks targeting layers 3 and 4 across open ports.
Encrypt Non-HTTP/S TCP Traffic
Cloudflare Spectrum encrypts non-HTTP/S TCP traffic with Universal SSL to protect against snooping of data in transit.
Block Traffic by IP or IP Range
Spectrum integrates with Cloudflare’s IP Firewall so that traffic from specific IPs or IP ranges can be dropped at the edge.
[Diagram: (1) a client sends encrypted TCP traffic for SSH, SMTP and SFTP through Cloudflare; (2) the traffic reaches the origin services; (3) a client with IP 10.0.0.1 is matched against the IP Firewall]
https://developers.cloudflare.com/spectrum/
21. Direct Attack against Origin IP
DDoS: Attackers directly attack the origin IP address.
Data Theft: Intrusion Attempt Directly on Origin. Applications exposed to the public Internet through the IP address can be brute-forced to access sensitive data.
[Diagram, shown for both the DDoS and the brute-force case: an attack stopped by the Cloudflare proxy versus an attack that bypasses the proxy to hit the origin IP address (206.221.179.46) directly]
22. Cloudflare Argo Tunnel
Stop Direct Attacks Against the Web Server’s Origin with a Secure Agent
Protect web servers from DDoS attacks directly against their origin’s public IP address
When connected directly to Cloudflare, web servers can no longer be directly attacked through open ports on public IP addresses with DDoS or data theft attempts, keeping applications and APIs online and performant.
Safely and easily expose development environments to the Internet
Developers can expose the localhost on their laptop directly to the public Internet for testing code and speeding up development, while also being protected from attacks.
Accelerate Origin Traffic
Argo Tunnel not only protects web servers from direct attacks, but also accelerates origin requests through a persistent HTTP/2 connection.
With Argo Smart Routing, origin requests bypass congested networks and are routed on the shortest network distance to ensure fast
[Diagram: (1) localhost, (2) persistent HTTP/2 connection to Cloudflare, (3) origin IP 206.221.179.46]
24. The Long Tail of “Layer 7” Attacks
[Chart: capacity (HTTP requests per second) plotted against site rank]
25. Cloudflare Rate Limiting
Precise DDoS Mitigation
• High precision denial-of-service protection through robust configuration options
Protect Customer Data
• Protect sensitive customer information against brute force login attacks
Ensure Availability
• Avoid service disruptions by setting usage limits on HTTP requests
[Diagram: requests per IP address matching the traffic pattern]
Talk Track:
This slide gives examples of the types of DDoS attack. We could dive deeper with the rest of your team and our security team, as well.
The important take-away is that these attacks are layered.
In other words, a DDoS can attack different parts of your infrastructure.
Volumetric DNS Flood: volumetric DNS queries against your DNS servers to make the DNS server unavailable
Amplification: using DNS to amplify requests and overload your server over UDP
HTTP Flood: volumetric HTTP attack to bring down the application
All of those attacks impact the availability and performance of websites, applications and APIs.
Questions:
This is often a good, in-depth slide to share with a broader audience, for example if you have a security or infrastructure team. Would you be interested in that?
Which have you experienced in the past, if any? How did you respond to them if you did?
This final chart shows the volume of DNS-based attacks in Mbps. It's notable that these are never very big, but the one big spike is the day after we announced Unmetered Mitigation. Almost as if someone had a go to see if they could cause us harm :-)
What is driving the exponential growth in traffic here? Insecure devices, increased connectivity, and a growing number of connected devices.
If you return to attack sizes over time
Have 10 Gbps - fast connection to the internet
2007 - 24 Gbps would have overwhelmed
See peak sizes growing
Huge attacks, easily
Can’t fight these on your own
- Animate from smallest to largest – one circle at a time
Side bar info = home internet connection
https://www.youtube.com/watch?v=Sp6bnvbrJb8&t=364s
9.45 min
1
Measuring Gigabytes is not an effective way of measuring DDoS
Across enterprises, L3 + L4 handled with existing solutions. Attackers moving to L7.
Today the most damaging attacks are more frequent and not the size of the attacks
Targeted frequency greater than size….
Most damaging… less damage…
Request per second…
You still need layer 3/4
Hitting the application layer it is more effective
Rough Notes
Size of attacks vs effectiveness of attacks....
Application attacks are much more complex
Quadrant - frequency and effectiveness -small L7 and effective,,,
Resource exhaustion....
reason this is happening is that we have gotten good at layer 3 layer 4
Differentiator.... data, what you get for free
DDoS 2017
Customers automatically get DDOS updates... does not require human interaction
Freemium and world’s largest QA.
New fingerprinting
Free unmitigated DDoS exists and why it is better because the more people using service the
Speak re issue with dine
Frankfurt is top
CHALLENGES
DDoS mitigation systems are tuned to handle volumetric L3/4 attacks; in this instance attackers switched to L7 attacks in an attempt to knock web applications offline
Unlike volumetric L3/4 attacks, HTTP-based attacks eat up resources by making actual HTTP requests to the attacked server.
These attacks came from Internet-of-Things (IoT) category of devices
These attacks featured unique, long payloads that allowed the attackers to generate substantial traffic
CLOUDFLARE SOLUTION
Seeing the move towards L7 DDoS attacks we put in place a new system that recognizes and blocks these attacks as they happen. The L7 mitigator recognizes attacks against a single host and distributes a fingerprint that protects all Cloudflare customers.
Manually changing DNS introduces latency in time-to-migration
Single location can easily get flooded, and either exceed capacity or result in high overage charges during attack
These scrubbers have exotic and extensive dedicated hardware which is expensive to maintain and operate!
Versus Cloudflare commodity hardware that leverages the network
Longer distances for ‘clean’ traffic to travel since Scrubbers are centralized or different from cache
DDoS integrated
Trey Comments
We should show:
1. What is normal traffic not under attack
2. What happens when an attack starts
3. What happens when mitigations are now in place (with Cloudflare)
Continuous Performance Benefit
Real-Time Detection and automated mitigation
Non Impact Mitigation
Talk Track
DDoS Attack
Internet application and API owners expose pieces of origin infrastructure to the public Internet when hosting non-HTTP/S services, such as: gaming networks, remote access servers, file transfer services, email, and more. Exposing pieces of origin infrastructure increases the likelihood of unmasking origin IPs, potentially resulting in volumetric DDoS attack.
Data Theft
Talk Track
Spectrum ensures the same level of layer 3 and 4 volumetric DDoS mitigation expected from Cloudflare, across all TCP protocols, including those which are proprietary. In addition, it protects said protocols from data snooping and theft by encrypting traffic with Universal SSL / TLS.
Talk Track
Securing internal applications using a VPN is complex, lacks granular control, and doesn’t meet the performance needs of mobile users. Cloudflare created Cloudflare Access to solve these problems.
Cloudflare Access protects internal resources without having to setup a VPN. With Cloudflare Access, only authenticated users with the required permissions are able to access specific resources behind the Cloudflare edge. Support for existing identity providers such as Google, GSuite, Github, Okta, and more ensures the right users have easy and instant access regardless of physical location.
Talking Points:
Rate Limiting complements Cloudflare’s DDoS and Web Application Firewall (WAF) Services.
Rate Limiting protects against layer 7 denial-of-service attacks, brute-force password attempts, and other types of abusive behavior targeting the application layer.
It provides the ability to configure thresholds and define responses by IP. If traffic from a specific IP exceeds the threshold, then those requests get blocked and timed out for a defined period.
Rate Limiting also lets customers gain analytical insights into the endpoints of their website, application, or API, so they can monitor their good and bad traffic.
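The threshold-and-timeout behaviour described in these talking points, as an added simulation that is not Cloudflare's code: a per-IP counter over a sliding window for requests that match a traffic pattern (here a hypothetical rule of more than 5 POST /login per 10 seconds from one IP, blocking that IP for 60 seconds), run over constructed sample traffic.

```python
from collections import defaultdict, deque

class RateLimiter:
    def __init__(self, threshold, window_s, timeout_s, match):
        self.threshold = threshold        # max matching requests per window
        self.window_s = window_s          # sliding window length in seconds
        self.timeout_s = timeout_s        # how long an offending IP stays blocked
        self.match = match                # predicate selecting the "traffic pattern"
        self.hits = defaultdict(deque)    # ip -> timestamps of recent matching requests
        self.blocked_until = {}           # ip -> time at which its block expires

    def check(self, ip, ts, method, path):
        """Return 'allow', 'block' (threshold just exceeded) or 'blocked' (in timeout)."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if ts < until:
                return "blocked"          # timeout applies to all requests from that IP
            del self.blocked_until[ip]    # timeout expired: start counting afresh
        if not self.match(method, path):
            return "allow"                # non-matching traffic is never counted
        q = self.hits[ip]
        q.append(ts)
        while q and q[0] <= ts - self.window_s:
            q.popleft()                   # drop hits that fell out of the window
        if len(q) > self.threshold:
            self.blocked_until[ip] = ts + self.timeout_s
            q.clear()
            return "block"
        return "allow"

# Constructed sample traffic (hypothetical values): (timestamp in seconds, client IP, method, path).
SAMPLE_LOG = [
    (0, "203.0.113.7", "POST", "/login"),
    (1, "203.0.113.7", "POST", "/login"),
    (2, "198.51.100.4", "GET", "/"),
    (2, "203.0.113.7", "POST", "/login"),
    (3, "203.0.113.7", "POST", "/login"),
    (4, "203.0.113.7", "POST", "/login"),
    (4, "198.51.100.4", "POST", "/login"),   # one login attempt from a normal user
    (5, "203.0.113.7", "POST", "/login"),    # sixth POST /login in 10 s: over threshold
    (6, "203.0.113.7", "GET", "/"),          # in timeout, so blocked regardless of path
    (30, "203.0.113.7", "POST", "/login"),   # still in timeout
    (70, "203.0.113.7", "POST", "/login"),   # 60 s timeout expired at t=65: allowed again
]

def run(log, threshold=5, window_s=10, timeout_s=60):
    # Rule: more than `threshold` POST /login per `window_s` from one IP -> block for `timeout_s`.
    rl = RateLimiter(threshold, window_s, timeout_s,
                     lambda m, p: m == "POST" and p == "/login")
    return [(ip, rl.check(ip, ts, m, p)) for ts, ip, m, p in log]
```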