Distributed Denial
of Service Attacks
2013-08-29
Andrew Sullivan
Principal Architect
Dyn Road Show: Andrew Sullivan talks DDoS
Dyn Director of DNS Engineering Andrew Sullivan went to Harvard and talked about DDoS to an invite-only group. Take a look at these slides and check out his webinar on DDoS for more: http://dyn.com/dyn-webinar-everything-you-need-to-know-about-ddos-managed-dns/

Published in: Technology, News & Politics
Pg. 1 Distributed Denial of Service Attacks. 2013-08-29. Andrew Sullivan, Principal Architect.

Pg. 2 To Cover Today: What is a DDoS?
• What do they do?
• How do they work?
• Who does them?
• Why?

Pg. 3 To Cover Today: How does DNS play in?
• What is reflection?
• What is amplification?
• What if you are being attacked?
• What if you’re used in an attack?

Pg. 4 To Cover Today: Things you can do
• Does outsourcing help?
• Does anycast help?
• What about appliances?
• What about mitigation services?

Pg. 5 DDoS: what? Just what the name says
Denial of Service prevents users from being able to use the target service.
• Break code: “Smash the stack”, lock out passwords, viruses &c.
• Request lots and block legitimate requests
• Stuff the network so nobody can communicate

Pg. 6 Respond to DoS: DoS Target

Pg. 7 Respond to DoS: First Defense: more boxes!

Pg. 8 Respond to DoS: Or even not quite so many

Pg. 9 DoS by Network: Send a lot of traffic

Pg. 10 DoS by Network: Send a lot of traffic

Pg. 11 Why talk about this now? What’s new?
• Not new: Morris, 1988
• New: “better” profiles
• New: “better” tools
• New: better-provisioned sources

Pg. 13 How DDoS works: Really distributed attacks
Big attackers: attack networks are now well-connected, very widely distributed.
• 18 data centers
• Global presence
• Used to see attacks in some sites
• Now see them everywhere

Pg. 14 Explaining DoS: Why?
Money, Politics, Religion. Mostly money.

Pg. 15 How DDoS works: Flood from many sites
Something bad from spoofed address (smurf attack, DNS query for big record, ping of death, etc.)

Pg. 16 How DDoS works: Need control
Something bad from spoofed address (smurf attack, DNS query for big record, ping of death, etc.)

Pg. 17 How DDoS works: Block control, end the attack
Something bad from spoofed address (smurf attack, DNS query for big record, ping of death, etc.)

Pg. 18 How DDoS works: Wait a minute! Spoofed addresses?
User Datagram Protocol (UDP), not Transmission Control Protocol (TCP, handshake).
Something bad from spoofed address (smurf attack, DNS query for big record, ping of death, etc.)

Pg. 19 How DDoS works: Why not fix that?
• We tried in Best Current Practice (BCP) 38
• Some networks don’t do that
• There are no Internet Police
• Internet Police would also be bad

Pg. 20 How DDoS works: DNS. Don’t attack directly.

Pg. 21 How DDoS works: DNS. Reflection: use someone else to mount attack
Since you can spoof addresses, you query pretending to be someone else. They get the responses.

Pg. 22 How DDoS works: DNS. Key attributes of reflection
• Relies on UDP to permit spoofing
• Relies on servers trying to answer every query
• Server refusing to answer might cause collateral damage

Pg. 23 How DDoS works: DNS. Amplification

Pg. 24 How DDoS works: DNS. Key attributes of amplification
• Queries are small
• Answers can be large
• Target need not be a DNS server
• Makes DNS a very useful attack vector

Pg. 25 How DDoS works: DNS. How effective is DNS amplification? Good amplifier
The cost of the attack stays the same; different queries provide different amplification.

Pg. 26 How DDoS works: DNS. Not just DNS targets: any service
This is mostly a network DoS: the attacker just fills the network.

Pg. 27 How DDoS works: DNS. Attack the DNS server (direct attack)
The abuse queries and the amplified responses block legitimate traffic.

Pg. 28 How DDoS works: DNS. Attack the DNS server (indirect attack)
The abuse queries and the amplified responses block legitimate traffic at some other server.

Pg. 29 How DDoS works: DNS. Attack another service (indirect attack)
The abuse queries and the amplified responses block legitimate traffic at some other service.

Pg. 30 Scenario: Attack on your authoritative DNS server
Your DNS service is the target of attack query traffic. What happens:
• You receive a lot of queries
• You send a lot of responses
• You can’t answer real queries
• Probably, you’re a reflector

Pg. 31 Scenario: Attack on your recursive DNS server
Your DNS service is the target of attack answer traffic. What happens:
• You receive a lot of answers
• The traffic fills your bandwidth
• You can’t answer real queries

Pg. 32 Scenario: You are a reflector or amplifier
Your DNS service is the target of attack query traffic, sending a lot of answers. What happens:
• You receive a lot of queries
• You send a lot of responses to someone
• You get identified
• People start blocking you

Pg. 33 Scenario: Your application is a target
Your non-DNS service is the target of attack answers. What happens:
• Your bandwidth goes to receiving (useless) data
• Your application is broken
• Might cost you money (bandwidth fees)

Pg. 34 Responding: What can you do? Outsourcing
Letting someone else run your systems for you can help.
• Large systems
• Robust networks
• Expert operators
• Skilled mitigation

Pg. 35 Responding: What can you do? Outsourcing
Letting someone else run your systems for you can bring new risk.
• Large providers are themselves targets
• Large providers have other customers who might be targets
• You give up some control

Pg. 36 Responding: How do you do it? Outsourcing
Not all providers are equal. You may be already!
• Your registrar?
Research your options:
• What’s the network like?
• Mitigation strategies?
• Other customers?

Pg. 37 Responding: What can you do? Anycast
Nifty trick of serving the same IP address from different machines.

Pg. 38 Responding: What can you do? Anycast
Nifty trick of serving the same IP address from different machines.

Pg. 39 Responding: What can you do? Anycast
Can help localize attacks on the Internet.
• Usually isolates attack to one or two network locations
• Can reroute traffic to “bigger” node
• Harder to fill many transit paths

Pg. 40 Responding: What can you do? Anycast
No magic bullet.
• If you don’t know what anycast is, you don’t want to do it
• Requires money: staff, machines, sites
• Won’t actually stop attack

Pg. 41 Responding: How do you do it? Anycast
Bring money, and pick the right use cases.
You will need:
• Experts
• Network
Not good for all cases:
• “Short” protocols (e.g. DNS) ok
• Long-lived streams (like http) bad

Pg. 42 Responding: What can you do? Appliances
There are lots of these with different strategies.
• Some identify by analysis
• Some identify by known bad actors
• Usually rate limit traffic
• Ineffective if your pipe is full

Pg. 43 Responding: What can you do? Services
Pay people for their mitigation strategies.
• Large services will “scrub” your traffic
• Reasonably effective for http
• Almost useless for DNS
• Often difficult for bespoke protocols

Pg. 44 Responding: What can you do? Scepticism
There’s a lot of security snake oil. Test. Then test again.

Pg. 45 Responding: What can you do? RRL (Response Rate Limiting)

Pg. 46 Responding: What can you do? RRL (Response Rate Limiting)
• Reduces the rate at which a server responds to apparent attacks
• Changes assumptions about DNS
• If you’re running your own servers, get the patch and turn it on

Pg. 47 Responding: What can you do? RRL: some corner cases
• Standard patch poor fit for very busy zones with very short TTLs
• Adds yet another operational convention to DNS
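The RRL slides above describe the idea only; the following Python is an added illustration of it, not code from the talk and not the BIND RRL patch. It keeps a credit bucket per (client /24, query name, query type), "slips" every second over-limit reply as a truncated answer so a real resolver can retry over TCP, and drops the rest. The class and function names, the rate parameters (5 replies per second, 15 seconds of banked credit, slip every 2nd) and the two scenarios, including the short-TTL busy-resolver corner case from the last slide, are all constructed for the example; the addresses are documentation ranges.

```python
import ipaddress


class ResponseRateLimiter:
    """Credit bucket per (client /24, qname, rtype), in the spirit of the BIND RRL patch."""

    def __init__(self, per_second=5, window=15, slip=2):
        self.per_second = per_second            # steady-state replies per key per second
        self.max_credit = per_second * window   # burst a quiet key may bank (constructed defaults)
        self.slip = slip                        # every slip-th over-limit reply is truncated
        self.buckets = {}                       # key -> [credit, last_ts, over_count]

    @staticmethod
    def key(client_ip, qname, rtype):
        # Spoofed sources tend to come from one block, so bucket by /24 like RRL (IPv4 only here).
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), qname.rstrip(".").lower(), rtype.upper())

    def decide(self, ts, client_ip, qname, rtype):
        """ts is an integer second. Returns 'send', 'slip' (TC=1 reply) or 'drop'."""
        k = self.key(client_ip, qname, rtype)
        credit, last, over = self.buckets.get(k, (self.max_credit, ts, 0))
        credit = min(self.max_credit, credit + (ts - last) * self.per_second)
        if credit > 0:
            self.buckets[k] = [credit - 1, ts, 0]
            return "send"
        over += 1
        self.buckets[k] = [0, ts, over]
        # A slipped reply carries TC=1, so a genuine resolver retries over TCP (which a
        # spoofed source cannot complete); the remaining over-limit replies are dropped.
        return "slip" if over % self.slip == 0 else "drop"


def tally(limiter, events):
    """events: iterable of (ts, client_ip, qname, rtype); returns counts per decision."""
    counts = {"send": 0, "slip": 0, "drop": 0}
    for ev in events:
        counts[limiter.decide(*ev)] += 1
    return counts


# Constructed scenario 1: a reflection burst, 200 identical ANY queries within one
# second carrying a spoofed victim source. 75 answers get out, the rest do not.
REFLECTION_BURST = [(0, "198.51.100.7", "example.com.", "ANY")] * 200

# Constructed scenario 2, the corner case on the slide: one real resolver re-asking a
# short-TTL name 8 times a second for 40 seconds; from second 23 it loses answers too.
BUSY_RESOLVER = [(s, "203.0.113.9", "www.example.com.", "A")
                 for s in range(40) for _ in range(8)]

if __name__ == "__main__":
    print("reflection burst:", tally(ResponseRateLimiter(), REFLECTION_BURST))
    print("busy resolver:   ", tally(ResponseRateLimiter(), BUSY_RESOLVER))
```

The second scenario is why the slide warns about busy zones with short TTLs: a legitimate resolver that genuinely needs more than the steady-state rate for one name looks, to this logic, just like a reflection source.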
Pg. 48 Responding: What can you do? BCP 38 (Best Current Practice 38)
• Says you should only send traffic that ought to come from your network
• Will clean up the network you’re on
• Insist on this from your ISP
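Unicast reverse-path forwarding (uRPF) is the usual way a router enforces the BCP 38 rule on the slide above. The Python below is an added example, not code from the talk or from any router: it looks up the route back to a packet's source address and, in strict mode, accepts the packet only if that route points out the interface it arrived on; loose mode accepts any real (non-default) route. The class name, the routing table and the packet sample are constructed, using documentation address ranges.

```python
import ipaddress


class UrpfFilter:
    """Unicast reverse-path check against a routing table given as {prefix: interface}."""

    def __init__(self, routes, allow_default=False):
        # Longest prefix first, so lookups behave like a FIB match.
        self.fib = sorted(((ipaddress.ip_network(p), ifc) for p, ifc in routes.items()),
                          key=lambda entry: entry[0].prefixlen, reverse=True)
        self.allow_default = allow_default

    def route_for(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, ifc in self.fib:
            if addr in net:
                return net, ifc
        return None, None

    def accept(self, src_ip, in_ifc, mode="strict"):
        """True if a packet with source src_ip arriving on in_ifc may be forwarded."""
        net, via = self.route_for(src_ip)
        if via is None:
            return False                 # unroutable source: no one could answer it anyway
        if net.prefixlen == 0 and not self.allow_default:
            return False                 # the default route says nothing about who owns it
        if mode == "loose":
            return True                  # any real route suffices (tolerates asymmetric paths)
        return via == in_ifc             # strict: the reply would leave where the packet came in


def spoofed(filter_, packets, mode="strict"):
    """Return the (source, interface) pairs that the reverse-path check would discard."""
    return [(ip, ifc) for ip, ifc in packets if not filter_.accept(ip, ifc, mode)]


# Constructed routing table: two customer ports, one peering port, an upstream default.
ROUTES = {"192.0.2.0/24": "cust-a", "198.51.100.0/24": "cust-b",
          "203.0.113.0/24": "peer", "0.0.0.0/0": "upstream"}

# Constructed packet sample: (source address, interface it arrived on). Only the
# customer and peer edges are checked; that is where BCP 38 filtering belongs.
PACKETS = [("192.0.2.10", "cust-a"),      # legitimate: cust-a owns 192.0.2.0/24
           ("198.51.100.7", "cust-a"),    # spoofed: that block belongs to cust-b
           ("203.0.113.9", "cust-a"),     # spoofed: that block is reached via the peer
           ("10.9.8.7", "cust-a"),        # spoofed: only the default route matches
           ("203.0.113.9", "peer")]       # legitimate: arrives on the peer port

if __name__ == "__main__":
    print("strict:", spoofed(UrpfFilter(ROUTES), PACKETS))
    print("loose: ", spoofed(UrpfFilter(ROUTES), PACKETS, "loose"))
```

Strict mode is what "only send traffic that ought to come from your network" means at a customer port; loose mode is the weaker check operators fall back to where routing is asymmetric, and it catches only sources with no route at all.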
Pg. 49 Responding: What can you do? Insecure systems
A back door can be used for good or for evil.
• Lots of agencies want special treatment
• Any “special access” is also a vulnerability
• We need more secure systems, not less

Pg. 50 Review

Pg. 51 Review: DDoS
• Denial of Service
• Distributed
• Made easier by facts of network
• Not new

Pg. 52 Review: DDoS using DNS
• Usually reflector attack
• Depends on DNS use of UDP
• Ordinary services can offer big amplifiers

Pg. 53 Review: Reflector and amplifier
• 2 victims
• Target can be hurt
• Amplifier can hurt

Pg. 54 Review: No perfect solution
• Tailor the solution to your application
• Outsourcing different parts (maybe diversify) can help
• No magic solution
