Cloudflare, profile picture
Uploaded byCloudflare
PDF, PPTX1,533 views

Virus Bulletin 2012

This document discusses internet background radiation and DDoS attacks seen by CloudFlare between January and July 2012. Some key points: - CloudFlare sees 64 billion page views per month and the majority (95.5%) of DDoS attacks are layer 7. The largest attack was 65Gbps. - Layer 4 attacks mainly target port 80 (TCP) and DNS (UDP), while layer 7 attacks originate from many different IPs but mostly the US, China, Turkey, Brazil and Thailand. - Reflection and amplification attacks exploit protocols like DNS and SNMP to magnify small queries into large responses. Booter websites and botnets are also used to launch attacks. - Attacks are

Embed presentation

Download as PDF, PPTX
INTERNET BACKGROUND RADIATION John Graham-Cumming Virus Bulletin Conference 2012 www.cloudflare.com!
MALTRAFFIC www.cloudflare.com!
Quick CloudFlare Background www.cloudflare.com!
Overview •  64 billion page views per month •  40% of the time we see a layer 4 DDoS attack •  95.5% of the time we see a layer 7 DDoS attack •  Largest DDoS attack we’ve seen was 65Gbps •  Overall trend in layer 4 DDoS is slightly down •  Overall trend in layer 7 DDoS is up (overall 10%; large: 21%) •  Layer 7 attacks from from 0.05% of connecting IPs •  Data drawn from monitoring between January 2012 to July 2012 www.cloudflare.com!
Layer 4 DoS by UTC time www.cloudflare.com!
Layer 4 DoS by day of week www.cloudflare.com!
Layer 4 Protocol Breakdown www.cloudflare.com!
Layer 4 Port Data •  TCP •  92% against port 80 •  SYN flooding •  UDP •  97% against DNS •  Reflection/amplification attacks •  Other significant attack ports •  TCP port 53 (DNS) •  UDP port 514 (syslog) www.cloudflare.com!
Layer 4 Source Network Data •  Addresses are spoofed: •  23% from Martian addresses •  3.45% from China Telecom •  2.14% from China Unicom •  1.74% from Comcast •  1.45% from Dreamhost •  1.36% from WEBNX. •  37,284 different networks around the world. With a total of 41,838 networks, we've apparently been attacked during July by 89% of the networks. www.cloudflare.com!
Layer 7 Number of IPs by day of week www.cloudflare.com!
Layer 7 IPs by UTC Hour www.cloudflare.com!
Layer 7 IPs in large attacks by UTC Hour www.cloudflare.com!
Layer 7 IPs by day Mardi Gras Earth Day US Independence Memorial Day Vernal Equinox www.cloudflare.com!
Top countries performing Layer 7 attacks •  18.34% from US •  11.47% from China •  7.88% Turkey •  6.96% Brazil •  6.55% Thailand www.cloudflare.com!
Not just about botnets •  We don’t do a good job of tracking this (yet) •  Four types of attacking forces: •  Botnets •  Legitimate servers participating in reflection attack •  Supporters of campaigns using tools like LOIC •  Booter web sites www.cloudflare.com!
Reflection Attacks •  UDP-based protocol are prone to source IP spoofing •  Use genuine UDP servers on Internet to attack by reflection •  Send spoofed UDP query to legitimate server indicating source address as the target •  Legitimate server replies to the query hitting the target •  Works well for DNS and SNMP •  Saw a 25Gbps SNMP reflection attack from Comcast modems •  Has secondary effect •  The legitimate servers think the target is attacking them! www.cloudflare.com!
Amplification •  A corollary to reflection attacks •  Exploit asymmetry between query and response sizes •  Send small query to many servers that returns a large response •  Can turn small outbound bandwidth into a large attack •  Examples: •  DNS: Take 64 byte query and return 512 bytes response (8x increase in bandwidth) •  DNSSEC/EDNS0 makes situation worse because of large response sizes •  SNMP: Take 100 byte query and return up to the UDP datagram size (theoretically 65k bytes) www.cloudflare.com!
Booter Web Sites •  Originally used to ‘boot’ users off chat and online games •  Repurposed to knock web sites off line •  Buy access on hacker forums •  Usually simple PHP web sites •  The booter uses multiple VPS or other accounts to perform small DDoS attacks www.cloudflare.com!
Carpet Bombing •  Attacks come in waves •  TCP SYN flood against target web server’s IP addresses •  TCP SYN flood against the DNS server for the attacked site •  DNS reflection attack against the same DNS server •  Repeat for the rest of the /24 www.cloudflare.com!
Attack Reasons •  Political/Economic •  EuroVision Song Contest 2012 •  “Anonymous” •  Mexican and Russian Elections •  Government Web Sites •  Extortion •  Typically against ‘sinful’ business types •  Gambling Sites •  Prostitution •  Feuds www.cloudflare.com!
An Appeal •  We have lots of data •  We have smart people who can write filters to capture more data •  What should we be doing? •  We need your help jgc@cloudflare.com www.cloudflare.com!

More Related Content

PDF
Overview of SSL: choose the option that's right for you
byCloudflare
 
PDF
Sullivan heartbleed-defcon22 2014
byCloudflare
 
PPTX
Managing Traffic Spikes This Holiday Season
byCloudflare
 
PPTX
Botconf ppt
byCloudflare
 
PDF
Sullivan red october-oscon-2014
byCloudflare
 
PDF
Sullivan handshake proxying-ieee-sp_2014
byCloudflare
 
PPTX
Running a Robust DNS Infrastructure with CloudFlare Virtual DNS
byCloudflare
 
PDF
Running Secure Server Software on Insecure Hardware Without Parachute
byCloudflare
 
Overview of SSL: choose the option that's right for you
byCloudflare
 
Sullivan heartbleed-defcon22 2014
byCloudflare
 
Managing Traffic Spikes This Holiday Season
byCloudflare
 
Botconf ppt
byCloudflare
 
Sullivan red october-oscon-2014
byCloudflare
 
Sullivan handshake proxying-ieee-sp_2014
byCloudflare
 
Running a Robust DNS Infrastructure with CloudFlare Virtual DNS
byCloudflare
 
Running Secure Server Software on Insecure Hardware Without Parachute
byCloudflare
 

What's hot

PPTX
Surviving A DDoS Attack: Securing CDN Traffic at CloudFlare
byCloudflare
 
PPTX
MRA AMA Part 7: The Circuit Breaker Pattern
byNGINX, Inc.
 
PPTX
The 3 Models in the NGINX Microservices Reference Architecture
byNGINX, Inc.
 
PDF
Monitoring Highly Dynamic and Distributed Systems with NGINX Amplify
byNGINX, Inc.
 
PDF
Sullivan white boxcrypto-baythreat-2013
byCloudflare
 
PDF
Sullivan randomness-infiltrate 2014
byCloudflare
 
PDF
An analysis of TLS handshake proxying
byNick Sullivan
 
PDF
SSL for SaaS Providers
byCloudflare
 
PDF
DockerCon Live 2020 - Securing Your Containerized Application with NGINX
byKevin Jones
 
PDF
Bringing Elliptic Curve Cryptography into the Mainstream
byNick Sullivan
 
PPTX
Flawless Application Delivery with NGINX Plus
byPeter Guagenti
 
PDF
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
byNick Sullivan
 
PDF
What is Nginx and Why You Should to Use it with Wordpress Hosting
byWPSFO Meetup Group
 
PPTX
Benchmarking NGINX for Accuracy and Results
byNGINX, Inc.
 
PDF
What's New in Go Crypto - Gotham Go
byNick Sullivan
 
PDF
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
byNGINX, Inc.
 
PPTX
Secure Your Apps with NGINX Plus and the ModSecurity WAF
byNGINX, Inc.
 
PPTX
3 Ways to Automate App Deployments with NGINX
byNGINX, Inc.
 
PPTX
Delivering High Performance Websites with NGINX
byNGINX, Inc.
 
PDF
Inside election night at The New York Times | Altitude NYC
byFastly
 
Surviving A DDoS Attack: Securing CDN Traffic at CloudFlare
byCloudflare
 
MRA AMA Part 7: The Circuit Breaker Pattern
byNGINX, Inc.
 
The 3 Models in the NGINX Microservices Reference Architecture
byNGINX, Inc.
 
Monitoring Highly Dynamic and Distributed Systems with NGINX Amplify
byNGINX, Inc.
 
Sullivan white boxcrypto-baythreat-2013
byCloudflare
 
Sullivan randomness-infiltrate 2014
byCloudflare
 
An analysis of TLS handshake proxying
byNick Sullivan
 
SSL for SaaS Providers
byCloudflare
 
DockerCon Live 2020 - Securing Your Containerized Application with NGINX
byKevin Jones
 
Bringing Elliptic Curve Cryptography into the Mainstream
byNick Sullivan
 
Flawless Application Delivery with NGINX Plus
byPeter Guagenti
 
CFSSL 1.1: The Evolution of a PKI toolkit - DEF CON 23
byNick Sullivan
 
What is Nginx and Why You Should to Use it with Wordpress Hosting
byWPSFO Meetup Group
 
Benchmarking NGINX for Accuracy and Results
byNGINX, Inc.
 
What's New in Go Crypto - Gotham Go
byNick Sullivan
 
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
byNGINX, Inc.
 
Secure Your Apps with NGINX Plus and the ModSecurity WAF
byNGINX, Inc.
 
3 Ways to Automate App Deployments with NGINX
byNGINX, Inc.
 
Delivering High Performance Websites with NGINX
byNGINX, Inc.
 
Inside election night at The New York Times | Altitude NYC
byFastly
 

Viewers also liked

KEY
SortaSQL
byCloudflare
 
PDF
Secure 2013 Poland
byCloudflare
 
PDF
CloudFlare - The Heartbleed Bug - Webinar
byCloudflare
 
PDF
Go Containers
byCloudflare
 
PDF
WordPress London Meetup January 2012
byCloudflare
 
PDF
How to Meet FFIEC Regulations and Protect Your Bank from Cyber Attacks
byCloudflare
 
PDF
A Channel Compendium
byCloudflare
 
PDF
Go Profiling - John Graham-Cumming
byCloudflare
 
PDF
Hardening Microservices Security: Building a Layered Defense Strategy
byCloudflare
 
PPTX
Latest Trends in Web Application Security
byCloudflare
 
PDF
Bootkits: Past, Present & Future - Virus Bulletin
byESET
 
PDF
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
byAditya K Sood
 
PDF
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
bykimw001
 
PDF
Taking the Fear out of WAF
byBrian A. McHenry
 
PDF
Klein consulting prodej 2.0
byŠtěpán Klein
 
PPTX
CMC Teacher Education SIG Presentation; Tsouris
byCmcTchrEdSIG
 
SortaSQL
byCloudflare
 
Secure 2013 Poland
byCloudflare
 
CloudFlare - The Heartbleed Bug - Webinar
byCloudflare
 
Go Containers
byCloudflare
 
WordPress London Meetup January 2012
byCloudflare
 
How to Meet FFIEC Regulations and Protect Your Bank from Cyber Attacks
byCloudflare
 
A Channel Compendium
byCloudflare
 
Go Profiling - John Graham-Cumming
byCloudflare
 
Hardening Microservices Security: Building a Layered Defense Strategy
byCloudflare
 
Latest Trends in Web Application Security
byCloudflare
 
Bootkits: Past, Present & Future - Virus Bulletin
byESET
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
byAditya K Sood
 
F5 Networks - - OpenStack Summit 2016/Red Hat NFV Mini Summit
bykimw001
 
Taking the Fear out of WAF
byBrian A. McHenry
 
Klein consulting prodej 2.0
byŠtěpán Klein
 
CMC Teacher Education SIG Presentation; Tsouris
byCmcTchrEdSIG
 

Similar to Virus Bulletin 2012

PPTX
Cyber security fundamentals
byCloudflare
 
PPTX
Cyber security fundamentals (Cantonese)
byCloudflare
 
PPTX
Cyber Security 101
byCloudflare
 
PDF
Spoofing and Denial of Service: A risk to the decentralized Internet
byAPNIC
 
PDF
DDoS And Spoofing, a risk to the decentralized internet
byTom Paseka
 
PDF
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
byallanjude
 
PDF
A survey of trends in massive ddos attacks and cloud based mitigations
byIJNSA Journal
 
PDF
A survey of trends in massive ddos attacks and cloud based mitigations
byIJNSA Journal
 
PDF
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
byIJNSA Journal
 
PDF
A10 issa d do s 5-2014
byRaleigh ISSA
 
PDF
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
byAPNIC
 
PDF
What You Should Know Before The Next DDoS Attack
byCloudflare
 
PPTX
Helen Tabunshchyk "Handling large amounts of traffic on the Edge"
byFwdays
 
PDF
DDoS in India, presented at INNOG 8 by Dave Phelan
byAPNIC
 
PDF
World's Largest DDoS Attack
byBvs Narayana
 
PPTX
Cloudflare
byFadi Abdulwahab
 
PDF
How to launch and defend against a DDoS
byjgrahamc
 
PPTX
DDoS 101: Attack Types and Mitigation
byCloudflare
 
PPT
nanog
byTom Paseka
 
PDF
DDoS Attacks - Scenery, Evolution and Mitigation
byWilson Rogerio Lopes
 
Cyber security fundamentals
byCloudflare
 
Cyber security fundamentals (Cantonese)
byCloudflare
 
Cyber Security 101
byCloudflare
 
Spoofing and Denial of Service: A risk to the decentralized Internet
byAPNIC
 
DDoS And Spoofing, a risk to the decentralized internet
byTom Paseka
 
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
byallanjude
 
A survey of trends in massive ddos attacks and cloud based mitigations
byIJNSA Journal
 
A survey of trends in massive ddos attacks and cloud based mitigations
byIJNSA Journal
 
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
byIJNSA Journal
 
A10 issa d do s 5-2014
byRaleigh ISSA
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
byAPNIC
 
What You Should Know Before The Next DDoS Attack
byCloudflare
 
Helen Tabunshchyk "Handling large amounts of traffic on the Edge"
byFwdays
 
DDoS in India, presented at INNOG 8 by Dave Phelan
byAPNIC
 
World's Largest DDoS Attack
byBvs Narayana
 
Cloudflare
byFadi Abdulwahab
 
How to launch and defend against a DDoS
byjgrahamc
 
DDoS 101: Attack Types and Mitigation
byCloudflare
 
nanog
byTom Paseka
 
DDoS Attacks - Scenery, Evolution and Mitigation
byWilson Rogerio Lopes
 

More from Cloudflare

PDF
Succeeding with Secure Access Service Edge (SASE)
byCloudflare
 
PPTX
Close your security gaps and get 100% of your traffic protected with Cloudflare
byCloudflare
 
PPTX
Why you should replace your d do s hardware appliance
byCloudflare
 
PPTX
Don't Let Bots Ruin Your Holiday Business - Snackable Webinar
byCloudflare
 
PPTX
Why Zero Trust Architecture Will Become the New Normal in 2021
byCloudflare
 
PPTX
HARTMANN and Cloudflare Learn how healthcare providers can build resilient in...
byCloudflare
 
PPTX
Zero trust for everybody: 3 ways to get there fast
byCloudflare
 
PPTX
LendingTree and Cloudflare: Ensuring zero trade-off between security and cust...
byCloudflare
 
PPTX
Network Transformation: What it is, and how it’s helping companies stay secur...
byCloudflare
 
PPTX
Scaling service provider business with DDoS-mitigation-as-a-service
byCloudflare
 
PPTX
Application layer attack trends through the lens of Cloudflare data
byCloudflare
 
PPTX
Recent DDoS attack trends, and how you should respond
byCloudflare
 
PPTX
Cybersecurity 2020 threat landscape and its implications (AMER)
byCloudflare
 
PPTX
Strengthening security posture for modern-age SaaS providers
byCloudflare
 
PPTX
Kentik and Cloudflare Partner to Mitigate Advanced DDoS Attacks
byCloudflare
 
PDF
Stopping DDoS Attacks in North America
byCloudflare
 
PPTX
It’s 9AM... Do you know what’s happening on your network?
byCloudflare
 
PPTX
Cyber security fundamentals (simplified chinese)
byCloudflare
 
PPTX
Bring speed and security to the intranet with cloudflare for teams
byCloudflare
 
PPTX
Accelerate your digital transformation
byCloudflare
 
Succeeding with Secure Access Service Edge (SASE)
byCloudflare
 
Close your security gaps and get 100% of your traffic protected with Cloudflare
byCloudflare
 
Why you should replace your d do s hardware appliance
byCloudflare
 
Don't Let Bots Ruin Your Holiday Business - Snackable Webinar
byCloudflare
 
Why Zero Trust Architecture Will Become the New Normal in 2021
byCloudflare
 
HARTMANN and Cloudflare Learn how healthcare providers can build resilient in...
byCloudflare
 
Zero trust for everybody: 3 ways to get there fast
byCloudflare
 
LendingTree and Cloudflare: Ensuring zero trade-off between security and cust...
byCloudflare
 
Network Transformation: What it is, and how it’s helping companies stay secur...
byCloudflare
 
Scaling service provider business with DDoS-mitigation-as-a-service
byCloudflare
 
Application layer attack trends through the lens of Cloudflare data
byCloudflare
 
Recent DDoS attack trends, and how you should respond
byCloudflare
 
Cybersecurity 2020 threat landscape and its implications (AMER)
byCloudflare
 
Strengthening security posture for modern-age SaaS providers
byCloudflare
 
Kentik and Cloudflare Partner to Mitigate Advanced DDoS Attacks
byCloudflare
 
Stopping DDoS Attacks in North America
byCloudflare
 
It’s 9AM... Do you know what’s happening on your network?
byCloudflare
 
Cyber security fundamentals (simplified chinese)
byCloudflare
 
Bring speed and security to the intranet with cloudflare for teams
byCloudflare
 
Accelerate your digital transformation
byCloudflare
 

Recently uploaded

PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
AI TOOLS FOR PRODUCTIVITY IN MODERN TIMES.pdf
bySantunu
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
final.pdf
byomarbishtawi04
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
apidays Paris 2025 | API Layer7 Security: Real-World Use Cases (BBVA & Nexi)
byapidays
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
AI TOOLS FOR PRODUCTIVITY IN MODERN TIMES.pdf
bySantunu
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
final.pdf
byomarbishtawi04
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
apidays Paris 2025 | API Layer7 Security: Real-World Use Cases (BBVA & Nexi)
byapidays
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 

Virus Bulletin 2012

  • 1.
  • 2.
  • 3.
  • 4.
    Overview •  64 billionpage views per month •  40% of the time we see a layer 4 DDoS attack •  95.5% of the time we see a layer 7 DDoS attack •  Largest DDoS attack we’ve seen was 65Gbps •  Overall trend in layer 4 DDoS is slightly down •  Overall trend in layer 7 DDoS is up (overall 10%; large: 21%) •  Layer 7 attacks from from 0.05% of connecting IPs •  Data drawn from monitoring between January 2012 to July 2012 www.cloudflare.com!
  • 5.
    Layer 4 DoSby UTC time www.cloudflare.com!
  • 6.
    Layer 4 DoSby day of week www.cloudflare.com!
  • 7.
    Layer 4 ProtocolBreakdown www.cloudflare.com!
  • 8.
    Layer 4 PortData •  TCP •  92% against port 80 •  SYN flooding •  UDP •  97% against DNS •  Reflection/amplification attacks •  Other significant attack ports •  TCP port 53 (DNS) •  UDP port 514 (syslog) www.cloudflare.com!
  • 9.
    Layer 4 SourceNetwork Data •  Addresses are spoofed: •  23% from Martian addresses •  3.45% from China Telecom •  2.14% from China Unicom •  1.74% from Comcast •  1.45% from Dreamhost •  1.36% from WEBNX. •  37,284 different networks around the world. With a total of 41,838 networks, we've apparently been attacked during July by 89% of the networks. www.cloudflare.com!
  • 10.
    Layer 7 Numberof IPs by day of week www.cloudflare.com!
  • 11.
    Layer 7 IPsby UTC Hour www.cloudflare.com!
  • 12.
    Layer 7 IPsin large attacks by UTC Hour www.cloudflare.com!
  • 13.
    Layer 7 IPsby day Mardi Gras Earth Day US Independence Memorial Day Vernal Equinox www.cloudflare.com!
  • 14.
    Top countries performingLayer 7 attacks •  18.34% from US •  11.47% from China •  7.88% Turkey •  6.96% Brazil •  6.55% Thailand www.cloudflare.com!
  • 15.
    Not just aboutbotnets •  We don’t do a good job of tracking this (yet) •  Four types of attacking forces: •  Botnets •  Legitimate servers participating in reflection attack •  Supporters of campaigns using tools like LOIC •  Booter web sites www.cloudflare.com!
  • 16.
    Reflection Attacks •  UDP-basedprotocol are prone to source IP spoofing •  Use genuine UDP servers on Internet to attack by reflection •  Send spoofed UDP query to legitimate server indicating source address as the target •  Legitimate server replies to the query hitting the target •  Works well for DNS and SNMP •  Saw a 25Gbps SNMP reflection attack from Comcast modems •  Has secondary effect •  The legitimate servers think the target is attacking them! www.cloudflare.com!
  • 17.
    Amplification •  A corollaryto reflection attacks •  Exploit asymmetry between query and response sizes •  Send small query to many servers that returns a large response •  Can turn small outbound bandwidth into a large attack •  Examples: •  DNS: Take 64 byte query and return 512 bytes response (8x increase in bandwidth) •  DNSSEC/EDNS0 makes situation worse because of large response sizes •  SNMP: Take 100 byte query and return up to the UDP datagram size (theoretically 65k bytes) www.cloudflare.com!
  • 18.
    Booter Web Sites • Originally used to ‘boot’ users off chat and online games •  Repurposed to knock web sites off line •  Buy access on hacker forums •  Usually simple PHP web sites •  The booter uses multiple VPS or other accounts to perform small DDoS attacks www.cloudflare.com!
  • 19.
    Carpet Bombing • Attacks come in waves •  TCP SYN flood against target web server’s IP addresses •  TCP SYN flood against the DNS server for the attacked site •  DNS reflection attack against the same DNS server •  Repeat for the rest of the /24 www.cloudflare.com!
  • 20.
    Attack Reasons •  Political/Economic • EuroVision Song Contest 2012 •  “Anonymous” •  Mexican and Russian Elections •  Government Web Sites •  Extortion •  Typically against ‘sinful’ business types •  Gambling Sites •  Prostitution •  Feuds www.cloudflare.com!
  • 21.
    An Appeal •  Wehave lots of data •  We have smart people who can write filters to capture more data •  What should we be doing? •  We need your help jgc@cloudflare.com www.cloudflare.com!