At Cloudflare, we protect 9 million domains against DDoS attacks with our global network. This puts us in a unique position to learn from the myriad of attacks on the network and use that knowledge to strengthen our DDoS mitigation capabilities, whether an attack is small, large, or unusual.
The new DDoS landscape
Cloudflare's unmetered, always-on DDoS protection service
Cloudflare Rate Limiting - a new solution for Layer 7 DDoS attacks
Cloudflare Spectrum - a new solution for non-web DDoS attacks
3. Topics
1. Current DDoS Threat Landscape
2. Cloudflare DDoS Mitigation Solutions
3. Cloudflare Rate Limiting
- a new solution for layer 7 DDoS attacks
4. Cloudflare Spectrum
- a new solution for non-web DDoS attacks
4. Poll #1
Are you a current Cloudflare user?
Options:
● No
● Yes, I'm on Cloudflare Free Plan
● Yes, I'm on Cloudflare Pro Plan
● Yes, I'm on Cloudflare Business Plan
● Yes, I'm on Cloudflare Enterprise Plan
Link: Plan definitions
6. Types of DDoS Attack Traffic
[Diagram: bots sending three numbered kinds of attack traffic: (1) DNS flood against the DNS server; (2) IP/TCP/UDP ("Layer 3 & 4"); (3) HTTP/HTTPS ("Layer 7") against the application/login page. Degrades availability and performance of applications, websites, and APIs.]
7. DDoS 2018 and Beyond
[Chart: attack categories plotted by frequency (less frequent to more frequent) against difficulty to mitigate, with bubble sizes of 40 Gbps, 100 Gbps, 200 Gbps and 500 Gbps; categories shown: DNS, SSL CPU exhaustion (Layer 6), HTTP (Layer 7), Layer 3/4.]
Smaller, targeted L7 attacks are proving to be more difficult for the industry than L3/4.
8. L3/4: More spaced out with unmetered mitigation by Cloudflare
[Chart of L3/4 attack sizes over time, annotated at the point where Unmetered Mitigation was introduced by Cloudflare.]
9. L7: Attackers Moving Up The Stack
[Chart of L7 attack volume over time, annotated at the point where Unmetered Mitigation was introduced by Cloudflare.]
14. Cloudflare DDoS Solutions
Stay Online: Global Anycast network with 150+ data centers absorbs highly distributed attack traffic so customers stay online.
Protect origin infrastructure: Detect and drop volumetric attacks (layer 3/4, DNS and layer 7) at the edge.
Identify anomalous traffic: Fingerprint HTTP requests to protect sites against known and emerging botnets with automatic mitigation rules.
Protect applications with control: Rate Limiting gives more granular control to block harder-to-detect application-layer attacks.
Anticipate attacks: Shared intelligence across 8M websites proactively blocks known bad signatures.
[Diagram: DDoS attack traffic passes through a Cloudflare Data Center before reaching the Origin Server.]
Gives customers unlimited and unmetered distributed denial-of-service (DDoS) attack protection regardless of the size of attack.
*Business and Enterprise customers will continue to benefit from additional advanced mitigation services including better reporting, productivity enhancements, fine-grained controls, business and enterprise-grade service level agreements (SLAs), and customer support options to fit their individual needs.
16. Cloudflare Rate Limiting: L7 throttling
Precise DDoS Mitigation
• High precision denial-of-service protection through robust configuration options
Protect Customer Data
• Protect sensitive customer information against brute force login attacks
Ensure Availability
• Avoid service disruptions by setting usage limits on HTTP requests
[Diagram: requests per IP address matching the traffic pattern.]
18. Cloudflare Spectrum: protects all TCP ports (and UDP soon)
Mitigate DDoS for TCP Protocols and Ports
Cloudflare Spectrum proxies all non-HTTPS TCP traffic through the same 150+ Cloudflare data centers, ensuring protection against DDoS attacks targeting layers 3 and 4 across open ports.
Encrypt Non-HTTP/S TCP Traffic
Cloudflare Spectrum encrypts non-HTTP/S TCP traffic with Universal SSL to protect against snooping of data in transit.
Block Traffic by IP or IP Range
Spectrum integrates with Cloudflare’s IP Firewall so that traffic from specific IPs or IP ranges can be dropped at the edge.
[Diagram with three numbered flows: (1) client sends encrypted TCP traffic (SSH, SMTP, SFTP) to Cloudflare; (2) SSH, SMTP and SFTP are proxied on to the origin; (3) client traffic is matched by IP (10.0.0.1) against the IP Firewall.]
https://developers.cloudflare.com/spectrum/
19. Questions?
Follow our blog at https://blog.cloudflare.com/
Interested in Our Enterprise Solution? Visit https://www.cloudflare.com/plans/enterprise/contact/
21. Cloudflare DDoS Differentiation
Leverage Data
● Broad, heterogeneous traffic across 8M websites to more proactively drop attacks
● Develop heuristics to automatically (versus manually) block
Architecture
● Anycast scales DDoS surface area across all data centers (versus just a subset)
● Unified view of attacks across integrated stack of network, DNS, application
● Kernel bypass reduces CPU usage
● Innovation on hardware, routers, network increases capacity and lowers costs
Cost Structure
● No OEM of third-party hardware
● Settlement-free peering reduces costs of traffic over peering points
● Easily absorb inbound attack traffic spikes at no extra cost
22. Benefit of Cloudflare’s Always-on DDoS
[Chart of load over time. Before Cloudflare: attack starts, DDoS config, mitigation starts, mitigation complete; next attack, DDoS config, mitigation. After turning on Cloudflare: each next attack arrives together with its mitigation.]
23. Cloudflare Bot Mitigation
ATTACKS
1. Account Takeover
2. Content Scraping
3. Checkout Fraud
CLOUDFLARE SOLUTIONS
Classification
By leveraging visibility into a large volume of both good and bad traffic, intelligently classifying risk based on attributes like:
● IP reputation intelligence
● User Agent strings
● Other HTTP fingerprints
● Behavioral analysis
Mitigation Techniques
Different levels of severity and sophistication to block attacks. These can include: block, throttle, image substitution, data obfuscation.
Rules Customization
Customers can tune their security posture by defining rules to support both positive and negative security models.
Client Validation
To reduce false positives, provide progressive levels of client validation to distinguish between legitimate visitors and malicious bots based on clients validating themselves:
● Browser Integrity
● Captcha
● JS Validations
● Client Classifications
● Machine Learning
24. Cloudflare Security Summary
Cloudflare continues to out-innovate the market, driving growth in security-only deals.
The threat landscape is exploding with the growth in new platforms and devices; security solution use cases are expanding to meet them.
Cloud-based solutions reduce complexity, improve time to response and combine performance and security in a single, integrated offering.
Data-driven threat intelligence dynamically adapts our platform to meet the ever-changing threat landscape.
Thanks for the introduction, Erfi.
Today's topic is
I'm a Cloudflare Solutions Engineer based in the APAC region.
First, a quick poll: how many of you are currently using Cloudflare?
https://www.cloudflare.com/plans/#compare-features
With new vulnerabilities appearing now and then, the attack types themselves haven't changed that much.
Typical DDoS attack types that can target web applications:
DNS Flood:
By flooding the DNS service, one can bring down the entire web infrastructure relying on it.
e.g. October 2016 Dyn attack by the Mirai botnet, TCP/UDP port 53
L3/4:
Exhaustion of network resources. Typical techniques are reflection and amplification: using NTP/DNS servers to amplify requests and overload your server via third-party services.
e.g. February 2018 Memcached, UDP port 11211: amplification factors of up to 51,200x: for a 1 byte request, a 51 kB response can be sent.
L7:
Exhaustion of system and application resources: a volumetric HTTP attack to bring down the application.
e.g. HTTP POST flood against one's WordPress login page
They can be used together, with a ransom demand as the financial incentive.
Same samples this year.
Horizontal axis: frequency; vertical axis: difficulty.
DNS & SSL: less common. These used to be a challenge, but with the adoption of large-scale DNS and SSL services like Cloudflare they have become less frequent.
L3/4: the bulk of traffic; the industry is getting better at handling it.
L7: more frequent and more difficult to mitigate.
https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/
Cloudflare introduced unmetered DDoS mitigation in September 2017.
A SYN flood is an L4 attack.
Things to note:
1. Since the introduction of Unmetered Mitigation large attacks continue but you can see they are more spaced out.
https://blog.cloudflare.com/the-new-ddos-landscape/
2. Cloudflare very frequently gets attacks greater than 300 Gbps and 400 Gbps; the large attacks still remain.
The L7 volume in HTTP requests per second by day.
This doesn't show a slowdown, which seems to confirm what we've long suspected: as protection services like Cloudflare have got really good at handling L3/L4 attacks, attackers have moved up the stack to focus on L7.
https://blog.cloudflare.com/the-new-ddos-landscape/
This final chart shows the volume of DNS-based attacks in Mbps.
It's notable that these are never very big, but the one big spike is the day after we announced Unmetered Mitigation. Almost as if someone had a go to see if they could cause us harm :-) They did not succeed, of course.
https://blog.cloudflare.com/the-new-ddos-landscape/
Scrubbing centers: a few (<10) data centers with huge bandwidth and powerful hardware.
The architecture gives rise to some disadvantages:
Performance: longer distances for ‘clean’ traffic to travel, since scrubbers are centralized or separate from the cache
On-demand: manually changing DNS introduces latency in time-to-migration
Reliability: a single location can easily get flooded, and either exceed capacity or result in high overage charges during an attack
Cloudflare's DDoS mitigation infrastructure lives in 152 data centers globally, instead of 10.
The architecture advantages:
Performance: improvement instead of degradation
Always on: no monitoring required
Reliability:
https://blog.cloudflare.com/unmetered-mitigation/
Cloudflare takes a multi-layered approach.
Step 1:
Global Anycast means we’re highly resilient and absorb attack traffic as close to the source of the attack as possible.
This means we do not have to transport traffic or add latency by diverting it to scrubbing centers.
Step 2:
The origin is key, and usually the weakest point.
Cloudflare hides the origin’s IP address, so we will always take the brunt of any attack.
Step 3:
Attack vectors are never the same.
Dynamic fingerprinting on the fly lowers false positives and also decreases “leakage”, which is where some attack traffic gets through. (NOTE: AKAM in their ENT SLA say they will leak up to x%)
Step 4:
Proactive protections for DDoS attacks seen at other customers mean we can track attribution, meaning faster detection and more accurate mitigations.
Step 5:
Low and slow attacks are difficult to track, especially at the scale Cloudflare is at today. We put the power back into our customers’ hands by providing solutions like Rate Limiting, allowing them to define what they know to be a good level of traffic, and for Cloudflare to block everything else.
Rate-Limiting can be applied to APIs with JSON responses as well
Talking Points:
Rate Limiting complements Cloudflare’s DDoS and Web Application Firewall (WAF) services.
Rate Limiting protects against layer 7 denial-of-service attacks, brute-force password attempts, and other types of abusive behavior targeting the application layer.
It provides the ability to configure thresholds and define responses by IP. If traffic from a specific IP exceeds the threshold, then those requests get blocked and timed out for a defined period.
Rate Limiting also lets customers gain analytical insights into the endpoints of their website, application, or API, so they can monitor their good and bad traffic.
Demo
Disconnect from VPN
Open UI
Check: https://cecilsflorist.cf/wp-login.php
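As an added illustration (not Cloudflare's own code or configuration), the per-IP threshold, block response and timeout period described in the talking points above, modelled as a sliding-window limiter in Python and replayed over a constructed log of requests to the wp-login.php page used in the demo. The threshold, window, block period and IP addresses are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed sample access log: (seconds since start, client IP, method, path).
# 203.0.113.7 hammers the login page; 198.51.100.9 is an ordinary visitor.
SAMPLE_LOG = [
    (0, "203.0.113.7", "POST", "/wp-login.php"),
    (1, "198.51.100.9", "GET", "/"),
    (1, "203.0.113.7", "POST", "/wp-login.php"),
    (2, "203.0.113.7", "POST", "/wp-login.php"),
    (3, "203.0.113.7", "POST", "/wp-login.php"),
    (3, "198.51.100.9", "POST", "/wp-login.php"),
    (4, "203.0.113.7", "POST", "/wp-login.php"),  # 5th hit in 10 s: over threshold
    (5, "203.0.113.7", "GET", "/"),                # timeout applies to every request
    (30, "203.0.113.7", "POST", "/wp-login.php"),  # timeout expired, counted afresh
]

class RateLimiter:
    """Sliding-window limiter: more than `threshold` matching requests from one IP
    within `window` seconds blocks that IP for `block_period` seconds."""

    def __init__(self, threshold, window, block_period,
                 method="POST", path="/wp-login.php"):
        self.threshold, self.window, self.block_period = threshold, window, block_period
        self.method, self.path = method, path
        self.hits = defaultdict(deque)  # ip -> timestamps of matching requests
        self.blocked_until = {}         # ip -> time at which its block expires

    def check(self, ts, ip, method, path):
        """Return "allow" or "blocked" for one request, updating per-IP state."""
        if ip in self.blocked_until:
            if ts < self.blocked_until[ip]:
                return "blocked"         # still inside the timeout period
            del self.blocked_until[ip]   # timeout over: start counting again
            self.hits[ip].clear()
        if (method, path) != (self.method, self.path):
            return "allow"               # only the configured pattern is counted
        q = self.hits[ip]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()                  # discard hits that left the window
        if len(q) > self.threshold:
            self.blocked_until[ip] = ts + self.block_period
            return "blocked"
        return "allow"

def replay(log, threshold=4, window=10, block_period=20):
    """Replay a log through a fresh limiter and return one decision per entry."""
    limiter = RateLimiter(threshold, window, block_period)
    return [limiter.check(*entry) for entry in log]
```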
Talk Track
Historically, Cloudflare proxies web traffic only.
With Spectrum, Cloudflare now provides the same level of layer 3 and 4 volumetric DDoS mitigation customers expect, across all TCP protocols, including proprietary ones.
In addition, it protects those protocols from data snooping and theft by encrypting traffic with Universal SSL / TLS.
Demo:
Open UI
dig ssh.cecilsflorist.cf
ssh root@ssh.cecilsflorist.cf
The link to the Sheets form with the graph data is in the notes (also here: https://docs.google.com/spreadsheets/d/11NffR-jEWaSEi8CUUTk6IiWKoX3luOr-e1vQKwOYJMc/edit?zx=ochdtwfluz0u#gid=0). Everything is mutable if you'd like to update the wording!
Cloudflare mitigates DDoS attacks, including those that target UDP and ICMP protocols, SYN/ACK, DNS and NTP amplification and Layer 7 attacks. Our global network has defended against sustained attacks over 400 Gbps. If you're under DDoS attack, we can get your site back online within minutes.
Slide that discusses the fact that our customers never see attacks.
Which is why it is hard for us to find references showing the process of how we mitigated an attack: our customers don’t even know we did it.
Which is why we don’t have many numbers on the largest attack seen.
And then tell the story of why this is:
Customers set it and forget it!
Because of the wide surface area CF has today, we are able to build sustainable behavioral analysis of clients, allowing us to identify a baseline of what is considered normal activity across the entire Cloudflare network.
I'm not sure the current design captures and punches up the 3 ways we are attacking this problem. We dive right down to the features. Instead, I think we need to frame our approach: AI, client challenge, finer-grain controls. Also, we are missing our current capabilities (see notes).
When we asked this group, the #1 desire was bot mitigation.
Bots make up more than 50% of the world’s internet traffic today; that’s huge.
The challenge is determining what’s a good bot and what’s a bad bot.
Today we challenge bots through our Browser Integrity Checks, JavaScript challenge, and Captchas.
Our current Bot Management provisions blocked over 144m requests.
But we know you need more specific protections.
In the next year, we’re going to be launching aggressive protection against Account Takeover and Web Scraping, all powered through our new Machine Learning and Client Identification platforms, which have been delivering some amazing preliminary results.
Address growing threats on new platforms and devices, which calls for a broader breadth of services to meet demand (Access, Bot Mitigation, custom rules on the edge).
What is driving the exponential growth in traffic here? Insecure devices, increased connectivity and an increasing number of connected devices.
If you return to attack sizes over time:
Have 10 Gbps, a fast connection to the internet.
In 2007, 24 Gbps would have overwhelmed it.
See peak sizes growing.
Huge attacks, easily.
Can’t fight these on your own.
- Animate from smallest to largest, one circle at a time
Side bar info = home internet connection
https://www.youtube.com/watch?v=Sp6bnvbrJb8&t=364s
9.45 min