ASK ME WHY
I DON'T LIKE DDOSERS
AND I’LL TELL YOU WHY
YOU SHOULD NEVER PAY THE RANSOM
https://faelix.link/netmcr59
About Marek
Stuff I do:
CTO @FAELIX – https://faelix.net/
PC @uknof – https://uknof.uk/
Crew @net_mcr – https://www.netmcr.uk/
Trail of SSIDs in my wake: "AS41495 Faelix Limited"
Me — @maznu – @NetworkMoose
These Slides are
Not all slides are included in this public deck
Is this “security through obscurity”?
Not giving opportunists ideas to up their game
Customer Received This…
To stop these attacks, please deposit in bitcoin
to $address before
<RECORD SCRATCH>
WHAT ABOUT LAST WEEK?
Symptoms
Call from occasional-consultancy client saying:
Connectivity problems
Difficulty logging onto the routers at each site
Struggling to diagnose
Please help!?
External observations:
BGP sessions on LON1 were down/flapping
One of their customers also alerted us to problems
Traffic graphs: bad stuff, and more bad stuff
UDP 53 + 389 (DNS and CLDAP, the classic reflection/amplification ports); some ICMP
Sudden Start, Sudden Stop
Initial Thoughts
Looks like a DDoS
Feels like a DDoS
Was not preceded by a ransom note…?
One-off attack?
Are any access customers gamers?
Did a ransom email go missing?
What was targeted?
DDoS Traffic from IX
Customer’s ASN peers with LINX route-servers
And some networks who sent peering requests
Not every peering request is worth your time
If control plane is weak, decide with netflow stats
Also consider whether a peer might be a path for e.g. compromised eyeballs to send you 1Mpps
Weak Control Plane
DDoS pegged your CPU? BGP is going to hurt:
Router in attack path cannot keep up BGP hellos
eBGP sessions (with shorter timers) drop
Huge route churn to iBGP sessions
Even more CPU load, might drop iBGP
Cascades across entire iBGP mesh
Vicious cycle of instability
Targets
Initial Steps
Accept default + full tables from upstreams
Filter full tables and only accept “golden networks”
Filter IXs (especially LINX RS) for “golden networks”
Pare down from approx 2x 860k and 2x 200k routes to just ~210k total (~105k active)
Convergence reduced to ~1 minute (from 10+)
Next Steps
Still no ransom note!
Is this attacking a specific customer(s)?
Implement some quick fixes:
Inject /32 route to BGP P+T (peering and transit) routers
Blackhole traffic on entry to network
Strengths / Luck
Very obvious pattern of the attacks now
Challenges / Suck
Lots of UDP with no specific ports
Attacks Move
Next attack targets
Why is this happening? Still no ransom note!
Evolve defences:
Send flow data to a VPS
Run fastnetmon to detect badness and inject /32
Builds on the manual approach we had in place
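A worked example of the "detect badness and inject a /32" glue, added for this handout rather than taken from the talk or from Faelix: a fastnetmon notify script that turns a ban/unban into one ExaBGP API line carrying the RFC 7999 BLACKHOLE community (65535:666) and, optionally, an upstream's selective RTBH community. The prefixes, next-hops, never-blackhole list and the 64500:666 "selective" community are placeholders; how the line reaches ExaBGP (exabgpcli, or a FIFO drained by an ExaBGP process) is wiring left to the reader.

```python
#!/usr/bin/env python3
"""fastnetmon -> RTBH glue (added example; not code from the talk or from Faelix).

fastnetmon runs its notify script as
    notify_script <ip> <incoming|outgoing> <pps> <ban|unban|attack_details>
This turns a ban/unban into one ExaBGP API line that announces or withdraws
a host route carrying the RFC 7999 BLACKHOLE community (65535:666), plus any
upstream-specific selective-RTBH communities you pass in.
"""
import ipaddress
import sys

BLACKHOLE = "65535:666"  # RFC 7999 well-known BLACKHOLE community

# Assumptions (constructed for this example): next-hops that resolve to a
# discard route on your edge, the prefixes you are allowed to blackhole, and
# addresses that must never be blackholed even if fastnetmon fires on them.
NEXT_HOP = {4: "192.0.2.1", 6: "2001:db8::1"}
OUR_PREFIXES = ["203.0.113.0/24", "2001:db8:100::/48"]
NEVER_BLACKHOLE = ["203.0.113.0/29"]  # e.g. router loopbacks, resolvers
# Placeholder for an upstream's "drop only from region X" community; real
# values come from your upstream's community guide, not from this example.
SELECTIVE = ["64500:666"]


def parse_notify_args(argv):
    """Validate fastnetmon's four positional args; returns (ip, direction, pps, action)."""
    if len(argv) != 4:
        raise ValueError(f"expected 4 args, got {len(argv)}: {argv}")
    ip = ipaddress.ip_address(argv[0])
    direction, pps, action = argv[1], int(argv[2]), argv[3]
    if direction not in ("incoming", "outgoing"):
        raise ValueError(f"unknown direction {direction!r}")
    if action not in ("ban", "unban", "attack_details"):
        raise ValueError(f"unknown action {action!r}")
    return ip, direction, pps, action


def rtbh_command(ip, direction, action, our_prefixes=OUR_PREFIXES,
                 never_blackhole=NEVER_BLACKHOLE, extra_communities=()):
    """Return the ExaBGP line for this event, or None when nothing should be sent.

    Only *incoming* attacks are blackholed: RTBH makes every upstream that
    honours the community drop traffic *to* the announced address, which
    stops an inbound flood at the cost of that one IP. For an outgoing
    attack it would cut off a customer host without stopping its traffic.
    """
    if action == "attack_details" or direction != "incoming":
        return None
    ip = ipaddress.ip_address(ip)
    if not any(ip in ipaddress.ip_network(p) for p in our_prefixes):
        # Upstreams reject RTBH for space you do not announce anyway; failing
        # loudly here catches a misconfigured fastnetmon networks_list.
        raise ValueError(f"{ip} is not within our announced prefixes")
    if any(ip in ipaddress.ip_network(p) for p in never_blackhole):
        return None  # a false positive here would take down infrastructure
    plen = 32 if ip.version == 4 else 128
    route = f"{ip}/{plen} next-hop {NEXT_HOP[ip.version]}"
    if action == "ban":
        communities = " ".join([BLACKHOLE, *extra_communities])
        return f"announce route {route} community [{communities}]"
    return f"withdraw route {route}"


if __name__ == "__main__":
    ip, direction, pps, action = parse_notify_args(sys.argv[1:])
    line = rtbh_command(ip, direction, action, extra_communities=SELECTIVE)
    if line:
        # Deliver this to ExaBGP however you have wired it (exabgpcli, or a
        # FIFO read by an ExaBGP 'process'); printed here for illustration.
        print(line, flush=True)
```

The never-blackhole list is the guard rail the "false-positives block customers" slide is about: whatever fastnetmon decides, the actuator should refuse to blackhole the addresses you cannot afford to lose.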
fastnetmon Difficulties
Attacks are bit/sec at each of IPs
Number of PPS? Mbit/sec? Flows?
From experience: false-positives block customers
We needed several iterations of tuning fastnetmon
Most recent was ~4 weeks after implementation!
Balancing Act
Easy for a human to spot an attack
Not so easy for a “simple” tool like fastnetmon
Absolutely need to tune the config!
Initial “manual approach” doesn’t react quickly
But “manual approach” less likely to false positive
Once we understood more about the attacks, we moved to auto-blocking
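To make the "PPS? Mbit/sec? Flows?" tuning question concrete, an added example (not fastnetmon's code and not the talk's configuration): a small per-destination aggregator over constructed flow records with a multi-signal ban rule. The thresholds, prefixes and flow volumes are assumptions, chosen so that a single-threshold bit/s rule blocks a busy customer while the two-signal rule bans only the reflection flood.

```python
"""Flow-based DDoS detection with tunable thresholds.

Added example for this deck; it is not fastnetmon's code and not from the
talk. It aggregates NetFlow-style records per destination over one window
and bans a destination only when several independent thresholds trip, to
show why a bit/s-only rule blocks a busy customer while a reflection flood
has a different shape (many sources, all UDP, fixed-size packets).
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_S = 10  # seconds of flow data per evaluation

# The knobs you end up tuning; these values are assumptions, not the talk's.
DEFAULT_THRESHOLDS = {"mbps": 800, "pps": 150_000, "flows": 5_000, "sources": 500}


@dataclass(frozen=True)
class Flow:
    """One exported flow record (constructed; NetFlow-v5-like fields)."""
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    octets: int
    packets: int


def aggregate(flows, window_s=WINDOW_S):
    """Per-destination rates and shape metrics for one window."""
    raw = defaultdict(lambda: {"octets": 0, "packets": 0, "flows": 0,
                               "srcs": set(), "udp_pkts": 0})
    for f in flows:
        a = raw[f.dst]
        a["octets"] += f.octets
        a["packets"] += f.packets
        a["flows"] += 1
        a["srcs"].add(f.src)
        if f.proto == 17:
            a["udp_pkts"] += f.packets
    stats = {}
    for dst, a in raw.items():
        stats[dst] = {
            "mbps": a["octets"] * 8 / window_s / 1e6,
            "pps": a["packets"] / window_s,
            "flows": a["flows"],
            "sources": len(a["srcs"]),
            "udp_share": a["udp_pkts"] / a["packets"],
            "avg_pkt_bytes": a["octets"] / a["packets"],
        }
    return stats


def signals(stats, thresholds=DEFAULT_THRESHOLDS):
    """Which thresholds each destination exceeds; this is what you log while tuning."""
    return {dst: [k for k, limit in thresholds.items() if s[k] > limit]
            for dst, s in stats.items()}


def classify(stats, thresholds=DEFAULT_THRESHOLDS, min_signals=2):
    """Destinations to ban: those tripping at least `min_signals` thresholds.
    Requiring two signals is what keeps one fat legitimate transfer
    (high mbps, a handful of sources, few flows) from being blackholed."""
    return sorted(dst for dst, hits in signals(stats, thresholds).items()
                  if len(hits) >= min_signals)


def sample_flows():
    """Constructed window: a legit bulk download and a DNS/CLDAP reflection flood."""
    flows = []
    # Customer 203.0.113.10 pulling ~1.2 Gbit/s over TCP/443 from three CDN nodes.
    for i in range(3):
        flows.append(Flow(f"198.51.100.{i + 1}", "203.0.113.10", 6, 443,
                          50_000 + i, octets=500_000_000, packets=357_000))
    # 203.0.113.77 hit by amplified replies (source port 53 or 389) from 1,500 reflectors.
    for i in range(1500):
        flows.append(Flow(f"198.18.{i // 250}.{i % 250}", "203.0.113.77", 17,
                          53 if i % 2 else 389, 40_000 + i % 1000,
                          octets=2_000_000, packets=2_000))
    return flows


if __name__ == "__main__":
    stats = aggregate(sample_flows())
    for dst, hits in signals(stats).items():
        print(dst, {k: round(v, 1) for k, v in stats[dst].items()}, "trips:", hits)
    print("ban (2 signals):", classify(stats))
    print("ban (mbps only):", classify(stats, {"mbps": 800}, min_signals=1))
```

Run it and the bit/s-only rule bans both destinations, the customer included; the two-signal rule bans only the flood, whose source count and packet rate are what a human would have spotted at a glance.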
fastnetmon_cli
Ransom Note Arrives
My Thoughts on Ransoms
Badness will continue until BTC account improves
Increasingly “cyber insurance” is paying ransoms
Is there honour among thieves?
Or are you now known to be a soft target?
Gives the crooks more resources to spend on stresser or DDoS tools for hire
Extends the pain to other networks
Crime should not pay!
Get a Scrubber
AS41495 has Voxility as an upstream transit
We buy DDoS mitigation with that service
We can apply that to downstream networks
Add Victim ISP to AS-FAELIX
Order (and expedite) XC
Establish direct peering over LINX
Propagate their routes to AS3223
<WOBBLY DISSOLVE
TRAVEL BACK IN TIME>
UKNOF September 2020
Whoops!
AS41495 applies BCP38 to peering and transit ports
Will drop packets trying to go out a P/T port if source address is not within AS-FAELIX
This will drop packets that have come from outside AS-FAELIX destined for Victim ISP
We need to provide Victim ISP transit over LON1
Therefore we will need to emit packets from 0.0.0.0/0 out of AS41495’s LON1 port
Sorry, Caida!
Sorry, EveryoneJISC!
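The BCP38 clash above as an added model (not Faelix's filter config; documentation prefixes stand in for AS-FAELIX, Victim ISP and the rest of the Internet): a per-port egress check that shows why strict "source must be ours" drops Internet-to-victim traffic leaving LON1, what opening the port to 0.0.0.0/0 also lets out, and a tighter alternative the talk does not describe, scoping the exception by destination rather than by source.

```python
"""BCP38 egress-filter model for an IX port that also delivers transit.

Added example; it is not Faelix's filter config. Prefixes are constructed
stand-ins: 203.0.113.0/24 for AS-FAELIX, 198.51.100.0/24 for Victim ISP,
192.0.2.0/24 for "the rest of the Internet" (including a LINX peer).
"""
import ipaddress
from dataclasses import dataclass, field


def nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def covered(addr, prefixes):
    return any(addr in n for n in prefixes)


@dataclass
class PortPolicy:
    name: str
    allowed_sources: list  # the BCP38 set for this port
    # downstream prefixes reached *via* this port (empty on a plain peering port)
    transit_destinations: list = field(default_factory=list)


def egress_permitted(policy, src, dst):
    """Would this packet be allowed out of the port?

    Plain BCP38 asks only "is the source ours?". Delivering transit across
    the IX means traffic *from anywhere* must leave this port, but only when
    it is *going to* the downstream; scoping the exception by destination
    keeps the port closed to spoofed sources heading for other IX peers.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if covered(src, policy.allowed_sources):
        return True
    return covered(dst, policy.transit_destinations)


AS_FAELIX = nets(["203.0.113.0/24"])
VICTIM = nets(["198.51.100.0/24"])

# The two LON1 states from the talk, plus the scoped alternative (this example's).
LON1_STRICT = PortPolicy("LON1, strict BCP38", AS_FAELIX)
LON1_OPEN = PortPolicy("LON1, emit 0.0.0.0/0", nets(["0.0.0.0/0"]))
LON1_SCOPED = PortPolicy("LON1, transit scoped by destination", AS_FAELIX, VICTIM)
# A normal transit port after Victim ISP has been added to AS-FAELIX.
TRANSIT_AFTER_ASSET = PortPolicy("transit, AS-FAELIX incl. victim", AS_FAELIX + VICTIM)

INTERNET_HOST = "192.0.2.55"    # a source somewhere on the Internet (arriving via transit)
VICTIM_HOST = "198.51.100.9"
LINX_PEER_HOST = "192.0.2.200"  # a host behind another LINX peer


def audit(policy):
    """Three packets a practitioner would test a port policy against."""
    return {
        "internet->victim": egress_permitted(policy, INTERNET_HOST, VICTIM_HOST),
        "spoofed->linx_peer": egress_permitted(policy, INTERNET_HOST, LINX_PEER_HOST),
        "ours->victim": egress_permitted(policy, "203.0.113.7", VICTIM_HOST),
    }


if __name__ == "__main__":
    for p in (LON1_STRICT, LON1_OPEN, LON1_SCOPED):
        print(p.name, audit(p))
```

The last policy also shows why the victim had to be added to AS-FAELIX: on the ordinary transit port, packets *from* the victim's own space are only allowed out once those prefixes are in the source set.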
LINX LON1
Nearing the Deadline
Another attack happens
fastnetmon does its thing
Voxility does their thing
AS41495’s LON1 port was warm for a minute
Was still a bit of pain (still tweaking knobs) but feels like we’re getting a hold of the situation
Finally: Cross-Connect!
Add Victim ISP as a “traditional” downstream
Adjust BGP session on LON1 to be normal peering
Victim is still protected… deadline is hours away!
AS41495 will re-apply BCP38 filtering on LON1 port a few days later
The Deadline
…?
…?
Seriously…?
Oh! There It Is!
???
Even Scrubbers Overblock
Contact from Ransomers
Ransom:
Follow-up:
But Wait! There’s More!
“We will not go away
until you pay.”
– paraphrased from ransom note
NARRATOR:
THEY DID GO AWAY
Why Did Attacks Stop?
Combination of mitigations were effective:
Their ASN is no longer a soft target
Attackers moved on to other low-hanging fruit
Anecdata
Help your upstreams by using their RTBH
Some tier-1s have selective RTBH communities
e.g. drop only from country/region/ASN
What Does It Feel Like?
For Victim ISP: pain, “some of the most stressful days” their head of network has ever had
For Victim ISP’s customers: unpredictable pain
For Incident Responders: try to remain cool and methodical, analyse and iterate, learn and improve defences, plan for next time
What We Learned
Don’t be complacent just because no ransom note
Even with expedite, XCs can take (what feels like) forever to get installed
Transit over LINX LON1 vs BCP38
DDoS mitigation is expensive, at least till you need it
Traffic engineering BGP communities are cool
RECOMMENDATIONS
Some Ideas
Be able to blackhole routes across entire network
Be ready to drop ingress traffic
But don’t you dare block all ICMP!
Next Steps
Get a real out-of-band network to all your POPs
Get RTBH from the upstreams that support it
Understand your flows from customers
Understand traffic patterns with peers/upstreams
Deploy tooling, start tuning it before you need it
Join Team Cymru’s UTRS (Unwanted Traffic Removal Service)
“Who ya gonna call?” when it gets too big
ASK ME HOW
MANY MORE
GRAY HAIRS
E: marek @ faelix . net
T: @maznu
T: @faelix
W: https://faelix.net/
https://faelix.link/netmcr59

Net mcr 2021 05 handout

  • 1. ASK ME WHY I DON'T LIKE DDOSERS AND I’LL TELL YOU WHY YOU SHOULD NEVER PAY THE RANSOM
      https://faelix.link/netmcr59
  • 2. About Marek
      Stuff I do:
      CTO @FAELIX – https://faelix.net/
      PC @uknof – https://uknof.uk/
      Crew @net_mcr – https://www.netmcr.uk/
      Trail of SSIDs in my wake: "AS41495 Faelix Limited"
      Me — @maznu – @NetworkMoose
  • 3. These Slides are
      Not all slides are included in this public deck
      Is this “security through obscurity”?
      Not giving opportunists ideas to up their game
  • 4. Customer Received This…
      To stop these attacks, please deposit in bitcoin to $address before
  • 6. Symptoms
      Call from occasional-consultancy client saying:
      Connectivity problems
      Difficulty logging onto the routers at each site
      Struggling to diagnose
      Please help!?
      External observations:
      BGP sessions on LON1 were down/flapping
      One of their customers also alerted us to problems
  • 10. Initial Thoughts
      Looks like a DDoS
      Feels like a DDoS
      Was not preceded by a ransom note…?
      One-off attack?
      Are any access customers gamers?
      Did a ransom email go missing?
      What was targeted?
  • 11. (image-only slide, no text)
  • 12. DDoS Traffic from IX
      Customer’s ASN peers with LINX route-servers
      And some networks who sent peering requests
      Not every peering request is worth your time
      If control plane is weak, decide with netflow stats
      Also consider whether a peer might be a path for e.g. compromised eyeballs to send you 1Mpps
  • 13. Weak Control Plane
      DDoS pegged your CPU? BGP is going to hurt:
      Router in attack path cannot keep up BGP hellos
      eBGP sessions (with shorter timers) drop
      Huge route churn to iBGP sessions
      Even more CPU load, might drop iBGP
      Cascades across entire iBGP mesh
      Vicious cycle of instability
  • 15. Initial Steps
      Accept default + full tables from upstreams
      Filter full tables and only accept “golden networks”
      Filter IXs (especially LINX RS) for “golden networks”
      Pare down from approx 2x 860k and 2x 200k routes
      To just ~210k total (~105k active)
      Convergence reduced to ~1 minute (from 10+)
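The "golden networks" step on slide 15 is, in policy terms, a prefix filter: keep the default route from each upstream, keep any prefix that falls inside a short list of networks the customer must always reach, and drop the rest so the RIB shrinks and a CPU-starved control plane converges in minutes rather than tens of minutes. The following is an added illustration, not the talk's or Faelix's own router configuration; the golden list, the received table and the routes in it are constructed from documentation ranges.

```python
import ipaddress

# Constructed "golden networks": the handful of prefixes the customer must
# always be able to reach (own space, key peers/upstreams). Documentation
# ranges only; this is not the talk's real list.
GOLDEN_NETWORKS = [ipaddress.ip_network(p) for p in (
    "192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32",
)]

# Constructed sample of what an upstream or route-server session might send.
RECEIVED_TABLE = [
    "0.0.0.0/0",            # default from upstream: keep, it covers everything else
    "192.0.2.0/25",         # more-specific inside a golden /24: keep
    "203.0.113.0/24",       # unrelated prefix: drop, default covers it
    "198.51.100.128/25",    # inside golden 198.51.100.0/24: keep
    "10.0.0.0/8",           # should never arrive anyway: drop
    "2001:db8:1::/48",      # inside golden 2001:db8::/32: keep
    "::/0",                 # IPv6 default: keep
    "2606:4700::/32",       # unrelated IPv6: drop
    "192.0.0.0/8",          # supernet of a golden network, not inside one: drop
]


def is_golden(net, golden=GOLDEN_NETWORKS):
    """True when net is a default route or lies inside some golden network."""
    if net.prefixlen == 0:
        return True
    # subnet_of() raises TypeError across address families, so match family first.
    return any(net.version == g.version and net.subnet_of(g) for g in golden)


def golden_filter(received, golden=GOLDEN_NETWORKS):
    """Split received prefixes into (accepted, rejected) lists of strings.

    accepted = defaults + prefixes covered by a golden network; everything
    else is rejected so the table stays small while control-plane CPU is
    scarce. Ordering is preserved so the result is easy to diff against
    the input.
    """
    accepted, rejected = [], []
    for pfx in received:
        net = ipaddress.ip_network(pfx, strict=False)
        (accepted if is_golden(net, golden) else rejected).append(str(net))
    return accepted, rejected


def table_reduction(received, golden=GOLDEN_NETWORKS):
    """Return (kept, dropped) counts, the number a NOC would want to report."""
    accepted, rejected = golden_filter(received, golden)
    return len(accepted), len(rejected)


if __name__ == "__main__":
    acc, rej = golden_filter(RECEIVED_TABLE)
    print("accepted:", acc)
    print("rejected:", rej)
```

On a production router the same policy is expressed as a prefix-list or route-filter chain; the ordering matters in both cases, because the default route has to be admitted before the catch-all reject.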
  • 16. Next Steps
      Still no ransom note!
      Is this attacking a specific customer(s)?
      Implement some quick fixes:
      Inject /32 route to BGP P+T routers
      Blackhole traffic on entry to network
  • 17. Strengths / Luck
      Very obvious pattern of the attacks now
  • 18. Challenges / Suck
      Lots of UDP with no specific ports
  • 19. Attacks Move
      Next attack targets
      Why is this happening? Still no ransom note!
      Evolve defences:
      Send flow data to a VPS
      Run fastnetmon to detect badness and inject /32
      Builds on the manual approach we had in place
  • 20. fastnetmon Difficulties
      Attacks are bit/sec at each of IPs
      Number of PPS? Mbit/sec? Flows?
      From experience: false-positives block customers
      We needed several iterations of tuning fastnetmon
      Most recent was ~4 weeks after implementation!
  • 21. Balancing Act
      Easy for a human to spot an attack
      Not so easy for a “simple” tool like fastnetmon
      Absolutely need to tune the config!
      Initial “manual approach” doesn’t react quickly
      But “manual approach” less likely to false positive
      Once we understood more about the attacks, we moved to auto-blocking
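Slides 16 to 21 describe the loop that tooling such as fastnetmon automates: aggregate flow records per destination, compare the per-IP pps and Mbit/s against thresholds, and inject a /32 blackhole route when a customer address is under attack, while tuning the thresholds so a legitimate burst does not get a customer blackholed. The example below is an added illustration of that loop, not fastnetmon's code or the configuration used in the talk. It generalises the slide's point about false positives with a "sustain" parameter (the threshold must be exceeded in several consecutive windows before action is taken). The flow records, windows, thresholds and addresses are constructed; the announcement line follows ExaBGP's API syntax and the RFC 7999 BLACKHOLE community (65535:666), both assumptions about how the /32 would be injected rather than anything the talk states.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the customer's space that the detector is allowed to act on.
CUSTOMER_PREFIXES = [ip_network("203.0.113.0/24")]

# Constructed flow records as a collector might summarise them, one per
# (window_seconds, src, dst, proto, dport, bytes, packets). Windows are 1 s.
# 203.0.113.10 takes a sustained UDP/53+389 and ICMP flood for four windows;
# 203.0.113.20 sees one legitimate large-download burst in window 2 only.
SAMPLE_FLOWS = [
    (1, "198.51.100.5", "203.0.113.10", "udp", 53, 30_720_000, 60_000),
    (1, "198.51.100.6", "203.0.113.10", "udp", 389, 30_720_000, 60_000),
    (1, "198.51.100.7", "203.0.113.10", "icmp", 0, 30_720_000, 60_000),
    (2, "198.51.100.5", "203.0.113.10", "udp", 53, 30_720_000, 60_000),
    (2, "198.51.100.6", "203.0.113.10", "udp", 389, 30_720_000, 60_000),
    (2, "198.51.100.7", "203.0.113.10", "icmp", 0, 30_720_000, 60_000),
    (3, "198.51.100.5", "203.0.113.10", "udp", 53, 30_720_000, 60_000),
    (3, "198.51.100.6", "203.0.113.10", "udp", 389, 30_720_000, 60_000),
    (3, "198.51.100.7", "203.0.113.10", "icmp", 0, 30_720_000, 60_000),
    (4, "198.51.100.5", "203.0.113.10", "udp", 53, 30_720_000, 60_000),
    (4, "198.51.100.6", "203.0.113.10", "udp", 389, 30_720_000, 60_000),
    (4, "198.51.100.7", "203.0.113.10", "icmp", 0, 30_720_000, 60_000),
    (1, "192.0.2.40", "203.0.113.20", "tcp", 443, 7_500_000, 5_000),
    (2, "192.0.2.40", "203.0.113.20", "tcp", 443, 120_000_000, 80_000),
    (3, "192.0.2.40", "203.0.113.20", "tcp", 443, 7_500_000, 5_000),
    (1, "198.51.100.9", "192.0.2.99", "udp", 53, 100_000_000, 200_000),  # not ours: ignored
]

# Constructed thresholds; the talk's point is that these need iterative tuning.
THRESHOLDS = {"pps": 100_000, "mbps": 800}
BLACKHOLE_COMMUNITY = "65535:666"   # RFC 7999 BLACKHOLE


def per_window_rates(flows):
    """Aggregate flows into {window: {dst: (packets_per_s, mbit_per_s)}}."""
    agg = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for window, _src, dst, _proto, _dport, nbytes, pkts in flows:
        agg[window][dst][0] += pkts
        agg[window][dst][1] += nbytes
    return {w: {dst: (pkts, nbytes * 8 / 1e6) for dst, (pkts, nbytes) in per_dst.items()}
            for w, per_dst in agg.items()}


def detect(flows, thresholds=THRESHOLDS, sustain=3, protected=CUSTOMER_PREFIXES):
    """Return [(window, dst)] at which a /32 blackhole would be injected.

    A destination is "hot" in a window when pps or Mbit/s reaches a threshold.
    It is blackholed only after `sustain` consecutive hot windows, which is
    what keeps a one-window legitimate burst from blocking a customer.
    """
    rates = per_window_rates(flows)
    streak = defaultdict(int)
    blackholed, actions = set(), []
    for window in sorted(rates):
        hot = {dst for dst, (pps, mbps) in rates[window].items()
               if any(ip_address(dst) in p for p in protected)
               and (pps >= thresholds["pps"] or mbps >= thresholds["mbps"])}
        for dst in list(streak):            # a quiet window resets the streak
            if dst not in hot:
                streak[dst] = 0
        for dst in sorted(hot):
            streak[dst] += 1
            if streak[dst] >= sustain and dst not in blackholed:
                blackholed.add(dst)
                actions.append((window, dst))
    return actions


def rtbh_announcement(dst, next_hop="192.0.2.1"):
    """ExaBGP-style announce line for the /32 (assumed syntax; next-hop is a
    constructed discard address the P+T routers route to Null0)."""
    return f"announce route {dst}/32 next-hop {next_hop} community [{BLACKHOLE_COMMUNITY}]"


if __name__ == "__main__":
    for window, dst in detect(SAMPLE_FLOWS):
        print(f"t={window}s  {rtbh_announcement(dst)}")
```

Running it with the default `sustain=3` blackholes only 203.0.113.10 at window 3; with `sustain=1` (the "react instantly" setting) the download burst on 203.0.113.20 is also blackholed, which is exactly the false positive slide 20 warns about. The same trade-off applies to the pps and Mbit/s knobs: an attack that is modest per IP but spread across many customer addresses will not clear a per-IP threshold at all, which is why the talk notes that per-IP bit/s alone was a poor fit and tuning took several iterations.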
  • 24. My Thoughts on Ransoms
      Badness will continue until BTC account improves
      Increasingly “cyber insurance” is paying ransoms
      Is there honour among thieves? Or are you now known to be a soft target?
      Gives the crooks more resources to spend on stresser or DDoS tools for hire
      Extends the pain to other networks
      Crime should not pay!
  • 25. Get a Scrubber
      AS41495 has Voxility as an upstream transit
      We buy DDoS mitigation with that service
      We can apply that to downstream networks
      Add Victim ISP to AS-FAELIX
      Order (and expedite) XC
      Establish direct peering over LINX
      Propagate their routes to AS3223
  • 28. Whoops!
      AS41495 applies BCP38 to peering and transit ports
      Will drop packets trying to go out a P/T port if source address is not within AS-FAELIX
      This will drop packets that have come from outside AS-FAELIX destined for Victim ISP
      We need to provide Victim ISP transit over LON1
      Therefore we will need to emit packets from 0.0.0.0/0 out of AS41495’s LON1 port
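Slide 28 is worth modelling because the failure is easy to reproduce on paper: an egress BCP38 filter that permits only AS-FAELIX sources on the LON1 port is correct for a peering port, but the moment that port also carries transit for Victim ISP, every scrubbed packet arriving from the wider Internet for Victim ISP has a foreign source and is dropped. The snippet below is an added illustration, not AS41495's filter configuration; the prefixes and packets are constructed. It also goes one step beyond the slide by showing a destination-scoped relaxation alongside the talk's "emit 0.0.0.0/0" fix, so the anti-spoofing cost of the fully open port (which is why slide 32 notes BCP38 was re-applied afterwards) is visible.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan (documentation ranges, not AS41495's real prefixes).
AS_FAELIX = [ip_network("192.0.2.0/24")]        # own space + existing downstream cone
VICTIM_ISP = [ip_network("203.0.113.0/24")]     # the new emergency downstream
ANY = [ip_network("0.0.0.0/0")]


def in_any(addr, nets):
    return any(ip_address(addr) in n for n in nets)


def egress_permitted(src, dst, allowed_sources, transit_for=()):
    """Egress BCP38 decision for one peering/transit port.

    allowed_sources: prefixes that may appear as *source* leaving this port.
    transit_for: downstream prefixes this port carries transit towards;
    packets *to* them are forwarded whatever their source, because they
    originated outside our cone by definition.
    """
    if in_any(src, allowed_sources):
        return True
    return in_any(dst, transit_for)


# Constructed packets seen leaving the LON1 port, as (src, dst).
PACKETS = {
    "transit_to_victim": ("198.51.100.9", "203.0.113.5"),  # Internet -> Victim ISP via us
    "own_traffic":       ("192.0.2.7", "198.51.100.1"),    # our source, normal peering
    "spoofed":           ("10.9.9.9", "198.51.100.1"),     # bogus source trying to exit
}

# Three LON1 port policies: the one that caused the "whoops", the talk's
# emergency fix, and a narrower relaxation that keeps spoofing protection.
POLICIES = {
    "strict_bcp38":  dict(allowed_sources=AS_FAELIX),
    "open_0_0_0_0":  dict(allowed_sources=ANY),
    "scoped_transit": dict(allowed_sources=AS_FAELIX, transit_for=VICTIM_ISP),
}


def evaluate_policies(packets=PACKETS, policies=POLICIES):
    """Return {policy: {packet_name: permitted}} for every combination."""
    return {name: {pname: egress_permitted(src, dst, **policy)
                   for pname, (src, dst) in packets.items()}
            for name, policy in policies.items()}


if __name__ == "__main__":
    for policy, results in evaluate_policies().items():
        print(policy, results)
```

The `strict_bcp38` row drops the scrubbed transit traffic (the whoops); `open_0_0_0_0` forwards it but also lets the spoofed packet out, which is the price paid until the cross-connect landed; `scoped_transit` forwards transit for Victim ISP while still rejecting the spoofed packet. On real hardware the same idea is an ACL or firewall rule with a destination match placed ahead of the source check.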
  • 31. Nearing the Deadline
      Another attack happens
      fastnetmon does its thing
      Voxility does their thing
      AS41495’s LON1 port was warm for a minute
      Was still a bit of pain (still tweaking knobs) but feels like we’re getting a hold of the situation
  • 32. Finally: Cross-Connect!
      Add Victim ISP as a “traditional” downstream
      Adjust BGP session on LON1 to be normal peering
      Victim is still protected… deadline is hours away!
      AS41495 will re-apply BCP38 filtering on LON1 port a few days later
  • 35. Oh! There It Is!
      ???
  • 39. “We will not go away until you pay.” – paraphrased from ransom note
  • 41. Why Did Attacks Stop?
      Combination of mitigations were effective:
      Their ASN is no longer a soft target
      Attackers moved on to other low-hanging fruit
  • 43. Anecdata
      Help your upstreams by using their RTBH
      Some tier-1s have selective RTBH communities
      e.g. drop only from country/region/ASN
  • 44. What Does It Feel Like?
      For Victim ISP: pain, “some of the most stressful days” their head of network has ever had
      For Victim ISP’s customers: unpredictable pain
      For Incident Responders: try to remain cool and methodical, analyse and iterate, learn and improve defences, plan for next time
  • 45. What We Learned
      Don’t be complacent just because no ransom note
      Even with expedite, XCs can take (what feels like) forever to get installed
      Transit over LINX LON1 vs BCP38
      DDoS mitigation is expensive, at least till you need it
      Traffic engineering BGP communities are cool
  • 47. Some Ideas
      Be able to blackhole routes across entire network
      Be ready to drop ingress traffic
      But don’t you dare block all ICMP!
  • 48. Next Steps
      Get a real out-of-band network to all your POPs
      Get RTBH from the upstreams that support it
      Understand your flows from customers
      Understand traffic patterns with peers/upstreams
      Deploy tooling, start tuning it before you need it
      Join Team Cymru’s UTRS
      “Who ya gonna call?” when it gets too big
  • 49. ASK ME HOW MANY MORE GRAY HAIRS
      E: marek @ faelix . net
      T: @maznu
      T: @faelix
      W: https://faelix.net/
      https://faelix.link/netmcr59