DDoS attacks in 2016–2017: a breakthrough
Artyom Gavrichenkov
2011 Tohoku earthquake
[Slide graphic: epicentre 38.322°N 142.369°E; values shown on the map: 3 m, 12 m, 14 m, 13 m]
Amplification: 300 Mbps → 30 Gbps
Amplification: 5 Gbps → 500 Gbps
Vulnerable protocols
• NTP
• DNS
• SNMP
• SSDP
• ICMP
• NetBIOS
• LDAP
• RIPv1
• PORTMAP
• CHARGEN
• QOTD
• Quake
• Steam
• …
Amplification can be identified by source port!*
→ filter it with BGP Flow Spec
→ the amplification threat decreases
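Added example (not from the original slides): classify UDP traffic by source port against the amplification protocols listed above and emit RFC 5575-style FlowSpec match rules for the worst offenders. The port table is an assumption mapping each listed protocol to its usual UDP port; the flow records and threshold are constructed sample data.

```python
# Added example, not from the original slides. Flow records, threshold and
# the protocol->port table below are assumptions / constructed sample data.
from collections import defaultdict

# ICMP is on the slide too but has no port, so a source-port rule cannot
# cover it: one limit of the "identify amplification by source port" idea.
AMPLIFIER_PORTS = {
    123: "NTP", 53: "DNS", 161: "SNMP", 1900: "SSDP", 137: "NetBIOS",
    389: "LDAP", 520: "RIPv1", 111: "PORTMAP", 19: "CHARGEN", 17: "QOTD",
    27960: "Quake", 27015: "Steam",
}

def flowspec_rules(flows, victim_prefix, threshold_bytes):
    """flows: iterable of (src_ip, src_port, dst_ip, dst_port, proto, nbytes).
    Returns one FlowSpec-style rule per amplifier source port whose reflected
    volume towards the victim reaches threshold_bytes, lowest port first."""
    volume = defaultdict(int)
    for _src_ip, src_port, _dst_ip, _dst_port, proto, nbytes in flows:
        # Reflected traffic arrives from the amplifier's service port;
        # the destination port is whatever the attacker spoofed.
        if proto == "udp" and src_port in AMPLIFIER_PORTS:
            volume[src_port] += nbytes
    rules = []
    for port in sorted(volume):
        if volume[port] < threshold_bytes:
            continue
        # Real DNS answers also come from port 53, so rate-limit rather than
        # discard; the other services are rarely needed from the Internet.
        action = "rate-limit" if port == 53 else "discard"
        rules.append({"destination": victim_prefix, "protocol": "udp",
                      "source-port": port, "action": action,
                      "label": AMPLIFIER_PORTS[port]})
    return rules

# Constructed sample: 500 reflected NTP responses, 100 Steam responses and a
# single legitimate DNS answer, all aimed at the victim 192.0.2.10.
SAMPLE_FLOWS = (
    [("198.51.100.%d" % (i % 200 + 1), 123, "192.0.2.10", 40000 + i, "udp", 468)
     for i in range(500)]
    + [("203.0.113.%d" % (i + 1), 27015, "192.0.2.10", 41000 + i, "udp", 1400)
       for i in range(100)]
    + [("203.0.113.253", 53, "192.0.2.10", 51000, "udp", 120)]
)

if __name__ == "__main__":
    for rule in flowspec_rules(SAMPLE_FLOWS, "192.0.2.10/32", 100_000):
        print(rule)
```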
Wordpress Pingback
GET /whatever
User-Agent: WordPress/3.9.2; http://example.com/; verifying pingback from 192.0.2.150
• 150 000 – 170 000 vulnerable servers at once
• SSL/TLS-enabled
Pingback: HTTP/HTTPS
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param>
      <value><string>https://victim.com/</string></value>
    </param>
    <param>
      <value><string>http://reflector.blog/2016/12/01/blog_post</string></value>
    </param>
  </params>
</methodCall>
Wordpress Pingback
• Millions of vulnerable servers available on the Internet
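Added example (not from the original slides): detect a WordPress pingback reflection flood in the victim's access log, using the User-Agent shape quoted on the slide. The combined-format log lines are constructed and the reflector threshold is an assumption.

```python
# Added example, not from the original slides. Log lines are constructed;
# the User-Agent layout is the one shown on the slide.
import re
from collections import Counter

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
                    r'\d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$')
# WordPress/<version>; <reflector blog URL>; verifying pingback from <sender IP>
PINGBACK_UA = re.compile(r'^WordPress/(?P<ver>[\d.]+); (?P<blog>\S+); '
                         r'verifying pingback from (?P<sender>\S+)$')

def pingback_requests(lines):
    """Yield (reflector_ip, blog_url, sender_ip, request) for every request
    made by a WordPress instance that is verifying a pingback."""
    for line in lines:
        m = LOG_RE.match(line)
        ua = PINGBACK_UA.match(m.group("ua")) if m else None
        if ua:
            yield m.group("ip"), ua.group("blog"), ua.group("sender"), m.group("req")

def pingback_flood_summary(lines, min_reflectors):
    """Count distinct reflecting WordPress servers and the hosts that submitted
    the pingbacks (the 'from' address in the UA). flood=True once at least
    min_reflectors distinct servers hit us: a genuine pingback never needs that."""
    reflectors = Counter()
    senders = Counter()
    for ip, _blog, sender, _req in pingback_requests(lines):
        reflectors[ip] += 1
        senders[sender] += 1
    return {"reflectors": len(reflectors), "requests": sum(reflectors.values()),
            "senders": dict(senders),
            "flood": len(reflectors) >= min_reflectors}

# Constructed sample log: four distinct WordPress reflectors plus one browser.
SAMPLE_LOG = [
    '203.0.113.%d - - [01/Dec/2016:21:30:0%d +0000] "GET /whatever HTTP/1.1" '
    '200 5123 "-" "WordPress/3.9.2; http://blog%d.example/; '
    'verifying pingback from 192.0.2.150"' % (i, i, i) for i in range(1, 5)
] + ['198.51.100.7 - - [01/Dec/2016:21:30:05 +0000] "GET / HTTP/1.1" 200 812 '
     '"-" "Mozilla/5.0"']

if __name__ == "__main__":
    print(pingback_flood_summary(SAMPLE_LOG, min_reflectors=3))
```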
Internet of Things
• Webcams, routers, smartphones, coffee makers
• Cheap hardware and software
• (Little to) NO software updates, including security fixes
• Default logins/passwords
• Full Internet access
• And all it takes is a crawler.
21:30:01.226868 IP 94.251.116.51 > 178.248.233.141: GREv0, length 544: IP 184.224.242.144.65323 > 167.42.221.164.80: UDP, length 512
21:30:01.226873 IP 46.227.212.111 > 178.248.233.141: GREv0, length 544: IP 90.185.119.106.50021 > 179.57.238.88.80: UDP, length 512
21:30:01.226881 IP 46.39.29.150 > 178.248.233.141: GREv0, length 544: IP 31.173.79.118.42580 > 115.108.7.79.80: UDP, length 512
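Added example (not from the original slides): parse GRE-encapsulated tcpdump lines of the shape shown above and flag the flood pattern, in which one tunnel endpoint receives GRE packets whose inner destinations are addresses the receiving network does not even own. The sample lines and the local prefix are constructed with RFC 5737 addresses, not the slide's real capture.

```python
# Added example, not from the original slides. Sample capture lines and the
# local prefix are constructed (RFC 5737 addresses).
import re
import ipaddress
from collections import Counter

GRE_LINE = re.compile(
    r'^(?P<ts>\S+) IP (?P<outer_src>[\d.]+) > (?P<outer_dst>[\d.]+): '
    r'GREv0, length (?P<outer_len>\d+): '
    r'IP (?P<inner_src>[\d.]+)\.(?P<inner_sport>\d+) > '
    r'(?P<inner_dst>[\d.]+)\.(?P<inner_dport>\d+): '
    r'(?P<inner_proto>\w+), length (?P<inner_len>\d+)$')

def parse_gre_line(line):
    """Return the outer/inner header fields as a dict, or None if the line is
    not a GREv0 packet carrying an IP payload with ports."""
    m = GRE_LINE.match(line)
    return m.groupdict() if m else None

def gre_flood_endpoints(lines, local_prefixes, min_packets):
    """Map outer_dst -> number of GRE packets whose inner destination lies
    outside local_prefixes; only endpoints reaching min_packets are returned.
    A real tunnel delivers packets for our own networks; a Mirai-style GRE
    flood carries random inner addresses we could never deliver."""
    nets = [ipaddress.ip_network(p) for p in local_prefixes]
    bogus = Counter()
    for line in lines:
        pkt = parse_gre_line(line)
        if pkt is None:
            continue
        inner_dst = ipaddress.ip_address(pkt["inner_dst"])
        if not any(inner_dst in net for net in nets):
            bogus[pkt["outer_dst"]] += 1
    return {dst: n for dst, n in bogus.items() if n >= min_packets}

# Constructed capture: three flood packets plus one legitimate tunnel packet.
SAMPLE_LINES = [
    "21:30:01.226868 IP 198.51.100.51 > 192.0.2.141: GREv0, length 544: "
    "IP 203.0.113.144.65323 > 198.51.100.164.80: UDP, length 512",
    "21:30:01.226873 IP 198.51.100.111 > 192.0.2.141: GREv0, length 544: "
    "IP 203.0.113.106.50021 > 198.51.100.88.80: UDP, length 512",
    "21:30:01.226881 IP 198.51.100.150 > 192.0.2.141: GREv0, length 544: "
    "IP 203.0.113.118.42580 > 198.51.100.79.80: UDP, length 512",
    "21:30:01.226890 IP 198.51.100.200 > 192.0.2.1: GREv0, length 84: "
    "IP 10.0.0.5.4242 > 192.0.2.55.443: UDP, length 52",
]

if __name__ == "__main__":
    print(gre_flood_endpoints(SAMPLE_LINES, ["192.0.2.0/24"], min_packets=3))
```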
IoT
• Mirai
• Hajime
• Persirai
• …
Joomla RCE: CVE-2016-8870
• 28.10.2016: patchset released
• First attempts to exploit: within 24 hours
• After 36 hours: automated scans & pwn
Source: Wallarm honeypots, https://wallarm.com/
IoT?
• Android!
• Windows!
• Whatever!
CDN/DDoSM
[Diagram: User – ISP 1 – Tier-1 ISP – Tier-1 ISP 1 – ISP 2 – Target site. The CDN node is drawn next to ISP 1, on the user side; the DDoSM node is drawn next to ISP 2, in front of the target site.]
Akamai: CDN vs DDoSM
aut-num: AS20940
as-name: AKAMAI-ASN1
org: ORG-AT1-RIPE
mnt-by: AKAM1-RIPE-MNT
mnt-routes: AKAM1-RIPE-MNT
ASNumber: 32787
ASName: PROLEXIC-TECHNOLOGIES-DDOS-MITIGATION-NETWORK
Ref: https://whois.arin.net/rest/asn/AS32787
https://www.peeringdb.com/asn/20940
https://www.peeringdb.com/asn/32787
https://radar.qrator.net/as20940/
https://radar.qrator.net/as32787/
TBD?
• The pressure will grow
• Vulnerable architectures will be gone
• The changes are on the way
THANK YOU!
mailto: ag@qrator.net
fb: ximaera

DDoS attacks in 2016–2017: a breakthrough