DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024

1
DDoS In Oceania and the Pacific
A lesson on introspection
Dave Phelan - APNIC

2
Who Am I?
• Dave Phelan
– Network and Infrastructure engineer for a LONG time
– Trainer at APNIC
– Parent to 2 Human children and 3 Fur Children
– Likes Cat memes

3
3
What are we going to talk about?
• What is a DDoS
• Look at some stats around DDoS Globally and Per Sub
Region
• What do we need to fix?
• How can we mitigate and not contribute to the problem?

4
4
What is DoS and DDoS?
• In general, a denial of service is an attack against
availability of a service
– A service can be a network, or a specific service such as a web site
• DoS - Denial of Service
– Usually from only one source
• DDoS - Distributed Denial of Service
– Attack originates from multiple sources
– This is caused through resource exhaustion
4

5
5
Network
Access
Application
Transport
Internet
Application
Presentation
Session
Transport
Network
Data Link
Physical
WiFi, Ethernet,
Fiber, Copper
HTTP, FTP,
DHCP, NTP,
TFTP, DNS
TCP, UDP
IP, ICMP, RIP
SYN Flood
ICMP Flood
Wi-Fi De-auth & Jamming
Electrical Interference
Construction Equipment
Reflection and
Amplification
(DNS, NTP, SSDP, etc),
Slowloris, SIP Flood,
Complex DB Queries
DoS by Layers
5
TCP/IP Model
OSI Model
Protocols and
Services Attacks
* Colour animated slide

6
Anatomy of a Plain DoS Attack
Attacker Victim
Attacker sends any valid or
invalid traffic to the victim
1
Simple DoS

7
Anatomy of a Plain DDoS
Attack
Botnet
Attacker
Victim
Attacker directs
bots to begin attack
1
All bots send any valid or
invalid traffic to the victim
2
BOT
BOT BOT
BOT
BOT
Simple DDoS

8
Anatomy of a Reflected
Amplification Attack
Open recursive
DNS servers
Botnet
Attacker directs bots
to begin attack
1
All bots send DNS queries for the TXT record in domain “evil.com”
to open recursive DNS servers and fake "my IP is 10.10.1.1"
2
Open
resolvers
ask the
authoritative
name server
for the TXT
record
“evil.com”
3
4
evil.com name
server responds
with 4000 byte
TXT records
Open resolvers
cache the
response and
send a stream
of 4000 byte
DNS responses
to the victim
5
Victim
(10.10.1.1)
BOT
BOT BOT
BOT
evil.com
authoritative
name server
Attacker
BOT
Reflected and Amplified DDoS

9
9
Reflection and Amplification
• What makes for good reflection?
– UDP
• Spoofable / forged source IP addresses
• Connectionless (no 3-way handshake)
• What makes for good amplification?
– Small command results in a larger reply
• This creates a Bandwidth Amplification Factor (BAF)
• Reply Length / Request Length = BAF
– Example: 3223 bytes / 64 bytes = BAF of 50.4
• Chart on next slide created with data from
https://www.us-cert.gov/ncas/alerts/TA14-017A
9

10
10
Amplification Factors
Protocol
Bandwidth
Amplification
Factor
Multicast DNS (mDNS) 2-10
BitTorrent 3.8
NetBIOS 3.8
Steam Protocol 5.5
SNMPv2 6.3
Portmap (RPCbind) 7 to 28
DNS 28 to 54
SSDP 30.8
10
Protocol
Bandwidth
Amplification
Factor
LDAP 46 to 55
TFTP 60
Quake Network Protocol 63.9
RIPv1 131.24
QOTD 140.3
CHARGEN 358.8
NTP 556.9
Memcached up to 51,000

11
So why are you telling me this?
• Operators Complain about DoS/DDoS
• Do the minimum to ensure they are not contributing
• But How bad is it really?
– (Hint: It’s not good….)

12
Global Numbers
• Most data sourced from
– Cloudflare Radar
– Shodan.io
• Top 5 Countries DDoS Sources
https://radar.cloudflare.com/security-and-attacks
OCTOBER 2023 APRIL 2024
USA - 31%
India – 9.2%
Germany – 5.4%
Brazil – 5.2%
China – 3.3%
USA – 22.6%
Germany – 6.5%
China - 5.5%
Indonesia – 4.7%
Brazil – 4.3%

13
Global Numbers
Attack Types
https://radar.cloudflare.com/security-and-attacks

14
Australia
Top Source Networks:
https://radar.cloudflare.com/security-and-attacks/in?dateRange=12w
# ASN Perentage
1 20473 - AS-CHOOPA 27.70%
2 1221 - ASN-TELSTRA Telstra Corporation Ltd 6.70%
3 7545 - TPG-INTERNET-AP TPG Telecom Limited 5.80%
4 8075 - MICROSOFT-CORP-MSN-AS-BLOCK 4.60%
5 16276 - OVH 4.30%

15
Australia
Attack Types

16
Australia
• Open Ports
https://www.shodan.io/search?query=country%3Aau
DNS 12,376
NTP 57,079
SSDP 866
MemcacheD 64
Telnet 11,810
SNMP 7,711
Winbox 4,055

17
Australia
• Targets

18
Fiji
# ASN Perentage
1 38442 - VODAFONEFIJI-AS-FJ Vodafone Fiji Limited 47.90%
2 45355 - DIGICELPACIFIC-1-AP Digicel Fiji Limited 29.30%
3 4638 - IS-FJ-AS Telecom Fiji Limited 21.50%
4 9241 - FINTEL-FJ Fiji International Telecomunications Ltd 0.20%
5 136921 - FNU-AS-AP Fiji National University 0.20%

19
Fiji
Attack Types

20
Fiji
• Open Ports
DNS 14
NTP 2,057
SSDP 1
MemcacheD 0
Telnet 84
SNMP 24
Winbox 11

21
Fiji
• Targets
https://www.shodan.io/search?query=country%3Afj

22
New Caledonia
# ASN Perentage
1 56089 - OFFRATEL-AS-AP OFFRATEL 39.00%
2 17480 - CANL CANL 20.30%
3 56055 - MLS-NC Micro Logic Systems 20.00%
4 18200 - OPT-NC-AS-AP Office des Postes et Telecommunications New-Caledonia 10.50%
5 45345 - NAUTILE-NC-AS-AP Nautile 8.00%

23
New Caledonia
Attack Types

24
New Caledonia
• Open Ports
DNS 400
NTP 582
SSDP 5
MemcacheD 1
Telnet 60
SNMP 84
Winbox 665

25
New Caledonia
• Targets
https://www.shodan.io/search?query=country%3Anc

26
New Zealand
# ASN Perentage
1 4771 - SPARKNZ Spark New Zealand Trading Ltd. 23.40%
2 9790 - TWO-DEGREES-AS-AP Two Degrees Networks Limited 19.10%
3 4648 - SPARK-NZ Global-Gateway Internet 12.50%
4 45177 - DEVOLI-AS-AP Devoli 9.30%
5 24324 - KORDIA-TRANSIT-AS-AP Kordia Limited 7.50%

27
New Zealand
Attack Types

28
New Zealand
• Open Ports
https://www.shodan.io/search?query=country%3Anz
DNS 2,922
NTP 6,304
SSDP 94
MemcacheD 4
Telnet 887
SNMP 2,018(BUT)
Winbox 1,659

29
New Zealand
• Targets
https://www.shodan.io/search?query=country%3Anz

30
30
Mitigation Strategies
• Protect your services from attack
– Anycast
– IPS / DDoS protection
– Overall network architecture
• Protect your services from attacking others
– Rate-limiting
– BCP38 (outbound filtering) source address validation
– Securely configured DNS, NTP and SNMP servers
– No open resolvers!
Only allow owned or authorised IP addresses to connect
30

31
31
• Remote Triggered Black Hole (RTBH) filtering
– With your ISP
31
Attack traffic
Signalling

32
32
• Remote Triggered Black Hole (RTBH) filtering
– With your ISP
32
Attack traffic
Signalling

33
33
33
• uRPF
– Strict: verifies both
source address and
incoming interface
with entries in the
forwarding table
– Loose: verifies
existence of route to
source address
pos0/0
ge0/0
Src = 2406:6400:100::1
Src = 2406:6400:200::1
Forwarding Table:
2406:6400:100::/48 ge0/0
2406:6400:200::/48 fa0/0
pos0/0
ge0/0
Src = 2406:6400:100::1
Src = 2406:6400:200::1

34
34
• Source Remote Triggered Black Hole (sRTBH) filtering
– RTBH with uRPF (Unicast Reverse Path Forwarding)
• RFC5635
– Basic Operation
• Setup a RTBH Sinkhole (routing to a Null Interface)
• Enable uRPF in loose mode
• Create an appropriate community to NH traffic to your Sinkhole
• When a source is identified
– Tag with appropriate community to send to the Sink
– uRPF check will fail (as it is routed to a Null)
– Traffic Dropped
34
http://www.cisco.com/web/about/security/intelligence/blackhole.pdf

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024

Recommended

Recommended

More Related Content

Similar to DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024

Similar to DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024 (20)

More from APNIC

More from APNIC (20)

Recently uploaded

Recently uploaded (20)

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024