DDoS-атаки в 2016–2017: переворот

By the beginning of 2016 many had come to believe that the problem of DDoS attacks had exhausted itself: both the attacks themselves and the measures to defend against them looked that trivial. A year later the situation has changed radically. We discuss these changes, their causes, preconditions and consequences, and how they relate to the development of IoT.


Slide 1. DDoS attacks in 2016–2017: a breakthrough • Artyom Gavrichenkov
Slides 2–15. 2011 Tohoku earthquake (38.322°N 142.369°E); labels added on successive builds of the map: 3 m, 12 m, 14 m, 13 m
Slides 16–18. Amplification (chart): 300 Mbps → 30 Gbps; 5 Gbps → 500 Gbps
Slides 19–20. Vulnerable protocols: NTP, DNS, SNMP, SSDP, ICMP, NetBIOS, LDAP, RIPv1, PORTMAP, CHARGEN, QOTD, Quake, Steam, … Amplification can be identified by source port!*
Slide 21. BGP Flow Spec
Slide 22. Amplification threat decreases
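The slides above list the reflector protocols, note that amplification traffic can be recognised by its UDP source port, and point at BGP Flow Spec as the response. The following is an added example, not code from the deck: it classifies constructed tcpdump-style lines by amplifier source port and emits the Flow Spec match components (RFC 5575: destination prefix, protocol, source port) a mitigation rule would carry. The port table holds the well-known service ports for the protocols named on the slide (not taken from the slides); ICMP has no port and Quake/Steam use game-specific ranges, so they are left out.

```python
import re
from collections import defaultdict

# Well-known UDP ports of the reflector services listed on the slide.
# A reply *from* one of these ports towards a host that never asked is the signature.
AMPLIFIER_PORTS = {
    123: "NTP", 53: "DNS", 161: "SNMP", 1900: "SSDP", 137: "NetBIOS",
    389: "LDAP", 520: "RIPv1", 111: "PORTMAP", 19: "CHARGEN", 17: "QOTD",
}

# tcpdump-style "IP src.sport > dst.dport: UDP, length N" records.
FLOW_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)")

# Constructed sample (not from the deck): two NTP and one SSDP reply flood
# 203.0.113.10, one ordinary DNS answer, one plain UDP packet.
SAMPLE = """\
12:00:00.000001 IP 198.51.100.7.123 > 203.0.113.10.44321: UDP, length 468
12:00:00.000002 IP 198.51.100.8.123 > 203.0.113.10.44321: UDP, length 468
12:00:00.000003 IP 198.51.100.9.1900 > 203.0.113.10.44321: UDP, length 320
12:00:00.000004 IP 192.0.2.5.53 > 203.0.113.10.5353: UDP, length 80
12:00:00.000005 IP 192.0.2.6.40000 > 203.0.113.10.80: UDP, length 512
"""

def classify(lines):
    """Return {(victim, service): bytes} for UDP packets whose *source* port
    belongs to a known amplifier service."""
    totals = defaultdict(int)
    for line in lines.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, length = m.groups()
        svc = AMPLIFIER_PORTS.get(int(sport))
        if svc:
            totals[(dst, svc)] += int(length)
    return dict(totals)

def flowspec_rules(totals, threshold_bytes, rate_bps=0):
    """Build Flow Spec rules for (victim, service) pairs above the byte threshold.
    Components follow RFC 5575; traffic-rate 0 means discard. The dict is a
    vendor-neutral description, not any router's configuration syntax."""
    port_of = {name: port for port, name in AMPLIFIER_PORTS.items()}
    rules = []
    for (dst, svc), nbytes in sorted(totals.items()):
        if nbytes >= threshold_bytes:
            rules.append({"destination": f"{dst}/32", "protocol": "udp",
                          "source-port": port_of[svc], "action": f"traffic-rate {rate_bps}"})
    return rules
```

The threshold keeps legitimate low-volume replies (the DNS answer in the sample) out of the rule set; in practice it would be a rate over a window rather than a byte count.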
Slides 23 and 25. Wordpress Pingback
  GET /whatever
  User-Agent: WordPress/3.9.2; http://example.com/; verifying pingback from 192.0.2.150
  • 150 000 – 170 000 vulnerable servers at once
  • SSL/TLS-enabled
  • Millions of vulnerable servers available in the Internet
Slide 24. Pingback: HTTP/HTTPS
  <methodCall>
    <methodName>pingback.ping</methodName>
    <params>
      <param><value><string>https://victim.com/</string></value></param>
      <param><value><string>http://reflector.blog/2016/12/01/blog_post</string></value></param>
    </params>
  </methodCall>
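Added example, not from the deck: on the victim side it recognises reflected pingback verification requests in access logs by the User-Agent format shown on the slide (the log lines are constructed), and on the reflector side it parses the pingback.ping body from the slide and caps how many times one sourceURI host is fetched. The limit is an assumed parameter.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Victim side: the reflecting WordPress announces itself in the User-Agent while
# "verifying" the pingback, so reflected GETs stand out in the access log.
UA_RE = re.compile(r"WordPress/[\d.]+; (?P<blog>\S+); verifying pingback from (?P<claimed>[\d.]+)")

# Constructed access-log lines (not from the deck); UA strings follow the slide's format.
ACCESS_LOG = """\
203.0.113.5 - - [01/Dec/2016:21:30:01 +0000] "GET /whatever HTTP/1.1" 200 9231 "-" "WordPress/3.9.2; http://reflector.blog/; verifying pingback from 192.0.2.150"
203.0.113.6 - - [01/Dec/2016:21:30:01 +0000] "GET /whatever HTTP/1.1" 200 9231 "-" "WordPress/4.6.1; http://other.example/; verifying pingback from 192.0.2.150"
198.51.100.9 - - [01/Dec/2016:21:30:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def pingback_hits(log):
    """Count reflected verification requests per reflector blog URL."""
    hits = Counter()
    for line in log.splitlines():
        m = UA_RE.search(line)
        if m:
            hits[m.group("blog")] += 1
    return hits

# Reflector side: the XML-RPC body from the slide. The first param is the sourceURI
# the server will fetch to verify the link, i.e. the address that receives the reflected traffic.
PINGBACK_XML = """<methodCall><methodName>pingback.ping</methodName><params>
<param><value><string>https://victim.com/</string></value></param>
<param><value><string>http://reflector.blog/2016/12/01/blog_post</string></value></param>
</params></methodCall>"""

def pingback_source(xml_body):
    """Return (sourceURI, targetURI) of a pingback.ping call, else None.
    For untrusted input use defusedxml instead of the stdlib parser."""
    root = ET.fromstring(xml_body)
    if root.findtext("methodName") != "pingback.ping":
        return None
    strings = [s.text for s in root.iter("string")]
    return (strings[0], strings[1]) if len(strings) == 2 else None

class PingbackLimiter:
    """Reflector-side guard (assumed policy): fetch the same sourceURI host at most
    `limit` times, which caps the traffic one blog can reflect towards a victim."""
    def __init__(self, limit=5):
        self.limit, self.seen = limit, Counter()
    def allow(self, xml_body):
        parsed = pingback_source(xml_body)
        if parsed is None:
            return False
        host = re.sub(r"^https?://([^/]+).*$", r"\1", parsed[0])
        self.seen[host] += 1
        return self.seen[host] <= self.limit
```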
Slides 26–30. Internet of Things
  • Webcams, routers, smartphones, coffee makers
  • Cheap hardware and software
  • (Little to) NO software updates, including security fixes
  • Default logins/passwords
  • Full Internet access
  • And all it takes – a crawler.
Slides 31–32. tcpdump capture:
  21:30:01.226868 IP 94.251.116.51 > 178.248.233.141: GREv0, length 544: IP 184.224.242.144.65323 > 167.42.221.164.80: UDP, length 512
  21:30:01.226873 IP 46.227.212.111 > 178.248.233.141: GREv0, length 544: IP 90.185.119.106.50021 > 179.57.238.88.80: UDP, length 512
  21:30:01.226881 IP 46.39.29.150 > 178.248.233.141: GREv0, length 544: IP 31.173.79.118.42580 > 115.108.7.79.80: UDP, length 512
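Added example, not part of the deck: a parser for the GRE-encapsulated tcpdump lines shown on the slide, plus a check that flags a GRE flood from many distinct sources whose tunnelled UDP carries ever-changing (spoofed) inner addresses but a fixed payload length. The source-count threshold is an assumed value.

```python
import re
from collections import defaultdict

# The three GRE-encapsulated packets from the slide (tcpdump output).
SAMPLE = """\
21:30:01.226868 IP 94.251.116.51 > 178.248.233.141: GREv0, length 544: IP 184.224.242.144.65323 > 167.42.221.164.80: UDP, length 512
21:30:01.226873 IP 46.227.212.111 > 178.248.233.141: GREv0, length 544: IP 90.185.119.106.50021 > 179.57.238.88.80: UDP, length 512
21:30:01.226881 IP 46.39.29.150 > 178.248.233.141: GREv0, length 544: IP 31.173.79.118.42580 > 115.108.7.79.80: UDP, length 512
"""

# Outer IP header > GREv0 > inner IP > UDP. Outer length 544 = 4 (GRE) + 20 (IP) + 8 (UDP) + 512.
GRE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<osrc>[\d.]+) > (?P<odst>[\d.]+): GREv0, length (?P<olen>\d+): "
    r"IP (?P<isrc>[\d.]+)\.(?P<isport>\d+) > (?P<idst>[\d.]+)\.(?P<idport>\d+): UDP, length (?P<ilen>\d+)$"
)

def parse_gre(lines):
    """Parse tcpdump lines into dicts; lines that are not GRE-over-IP/UDP are skipped."""
    pkts = []
    for line in lines.splitlines():
        m = GRE_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("olen", "isport", "idport", "ilen"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts

def gre_flood_report(pkts, min_sources=3):
    """Group by outer destination (the GRE endpoint being hit). A flood is suspected
    when at least `min_sources` distinct outer sources deliver tunnelled UDP whose
    inner destination differs on every packet and whose inner length never varies."""
    by_target = defaultdict(list)
    for p in pkts:
        by_target[p["odst"]].append(p)
    report = {}
    for target, ps in by_target.items():
        sources = {p["osrc"] for p in ps}
        inner_dsts = {p["idst"] for p in ps}
        lengths = {p["ilen"] for p in ps}
        report[target] = {
            "packets": len(ps),
            "sources": len(sources),
            "inner_len_fixed": len(lengths) == 1,
            "suspected": len(sources) >= min_sources and len(lengths) == 1
                         and len(inner_dsts) == len(ps),
        }
    return report
```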
Slide 33. IoT: Mirai, Hajime, Persirai, …
Slide 34. Joomla RCE: CVE-2016-8870
  • 28.10.2016: patchset released
  • First attempts to exploit: within 24 hours
  • After 36 hours: automated scans & pwn
  Source: Wallarm honeypots, https://wallarm.com/
Slide 35. IoT? • Android! • Windows! • Whatever!
Slides 36–39. CDN/DDoSM (diagram; nodes: User, ISP 1, Tier-1 ISP, ISP 2, Target site, CDN, DDoSM)
Slides 40–43. Akamai: CDN vs DDoSM
  aut-num: AS20940
  as-name: AKAMAI-ASN1
  org: ORG-AT1-RIPE
  mnt-by: AKAM1-RIPE-MNT
  mnt-routes: AKAM1-RIPE-MNT

  ASNumber: 32787
  ASName: PROLEXIC-TECHNOLOGIES-DDOS-MITIGATION-NETWORK
  Ref: https://whois.arin.net/rest/asn/AS32787
  https://www.peeringdb.com/asn/20940
Slides 44–48. Akamai: CDN vs DDoSM (figures): https://www.peeringdb.com/asn/20940, https://www.peeringdb.com/asn/32787
Slides 49–51. Akamai: CDN vs DDoSM (figures): https://radar.qrator.net/as20940/, https://radar.qrator.net/as32787/
Slide 52. TBD?
  • The pressure will grow
  • Vulnerable architectures will be gone
  • The changes are on the way
Slide 53. THANK YOU! mailto: ag@qrator.net fb: ximaera