Kazdy z nas w dobie obecnego Internetu i Pokemon Go ma swoja stronę internetowa, forum czy tez prowadzi sklep e-commerce. Z punktu widzenia klienta, rozwiązanie jest proste. Loguje się na swoje konto, uruchamia instalator CMS i zaczyna prowadzić swoje usługi bądź tez dostarczać treści. Będzie to pierwsze case study skutecznej obrony przed potężnymi atakami wolumetrycznymi mające na celu wyłącznie usług HTTP bądź HTTPS za pomocą wysyłania dużej ilości pakietów SYN na serwer który hostuje zainfekowana stronę www. Celem prezentacji jest pokazanie mechanizmu obrony przed szeroko znanego problemu jakim jestDDoS, metody mitygacji, blackholing oraz przykładowe scenariusze w raz z konfiguracja w oparciu o dystrybucje CentOS oraz modułu HAProxy.

1. DDOS MITYGACJA ORAZ OCHRONA
SIECI W ŚRODOWISKU SZEROKO
UWIELBIANEGO WORDPRESS'A :)
Patryk Wojtachnio

3. ABOUT ME
 Network Engineer at Fasthosts Internet Ltd (1&1 Group).
 Previously Network & Security Engineer at PGE, MF, AtoS
 IT Tech & Home Data Center blog owner (virtualolivia.com)
 Bike Trial Rider & Car Movie Producer (rufzor.com)
 Administrator of CCIE.PL board

4. ABOUT CCIE.PL
 The biggest Cisco community in Europe
 Over 8300 users
 Strong staff
 3 general admins
 1 board admin
 3 servers admins
 3 moderators
 Over 60 polish CCIEs as members
 over 20 of them actively posting!
 About 100 new topics per month
 About 800 posts per month
 English section available

6. AGENDA
 General overview
 DDoS categories
 Mitigation
 DDoS as a Service
 Why WordPress ?
 How to defend?
 UK vs Polish law
 Web hosting – case study 
 Network topology
 UDP mitigation
 TCP mitigation – Scrubbing Center

8. DDOS CATEGORIES
 Volumetric
 Flood-based attacks that can be at layer 3, 4, or 7
 Asymmetric
 Attacks designed to invoke timeouts or session-state changes
 Computational
 Attacks designed to consume CPU and memory
 Vulnerability-based
 Attacks that exploit software vulnerabilities
reference f5.com

9. MITIGATION
 Volumetric
 Cloud-Based Scrubbing Service, Web Application Firewall
 Asymmetric
 Web Application Firewall
 Computational
 Application Delivery Controller Network Firewall
 Vulnerability-based
 IP Reputation Database Intrusion Prevention/Detection Systems (IDS/IPS),
Application Delivery Controller
reference f5.com

10. MITIGATION
 Layer 1/2
 Cut cables, Jamming, EMP, MAC spoofing & flood
 Layer 3
 Floods (ICMP)
 IP fragments (TCP fragmentation)
 Layer 4
 SYN, RST, FIN flood
 Layer 5
 Slowris
 Layer 6
 XML
 Layer 7
 SPAM, DNS queries
reference f5.com

11. DDOS AS A SERVICE
(DDOS AAS)

12. DDOS AAS

13. DDOS AAS

14. DDOS AAS
reference digitalattackmap.com

15. WHY WORDPRESS ?

16. WHY WORDPRESS?
 Most popular content management system
 Require on-demand plugin update
 Free
 Vulnerability plugins

17. HOW TO DEFEND ?

18. THERE IS NO UNIVERSAL SOLUTIONS,
THE DEFENCE OF OUR OWN INFRASTRUCTURE
IS A WAY OF THINKING, BEING A GOOD STRATEGIST,
AWARE OF THE WEAKNESSES AND STRENGTHS

19. HOW WE WILL MEASURE THE IMPACT ON OUR
INFRASTRUCTURE, AND HOW DOES THAT RELATIONSHIP
WITH OUR CUSTOMERS?

20. MONEY
DECISION
KNOWLEDGE

21. I DO NOT NEED PROTECTION? WHY?
 Customer side
 Impact ?
 Am I ready to loose my customers ?
 Data corruption ?
 Reputation – Haters gona hate ?
 $$$
 Hosting provider
 More wider look at the issue - think global
 Business impact
 SLA / ETR ?
 Political - Hacktivism

22. WHY NOC IS SO IMPORTANT ?
 Incident management
 Tools (Network Anomalies, Time changes)
 24/7
 Processes & Escalation
 Standby Engineer always on call
 First point of contact

23. WHY NOC IS SO IMPORTANT ? - TOOLS
 Focus on real data
 Cacti
 Netstat
 Tcpdump
 Wireshark
 FlowViewer / Flow Grapher

24. UK VS POLISH LAW

25. UK VS POLISH LAW
reference
http://www.legislation.gov.uk/ukpga/2006/48
http://www.legislation.gov.uk/ukpga/1990/18/section/3
http://isap.sejm.gov.pl/DetailsServlet?id=WDU19970880553

26. CASE STUDY
 Network topology
 UDP mitigation
 TCP mitigation
 Blackholing

27. R1 R2
DIST1 DIST2
SC2
SC1
SW1
SCRUBBING CENTER
INTERFACE PORT-CHANNEL 4X40 GB
VPC

28. CASE STUDY – UDP MITIGATION – DNS
 DNS Amplification
 Small look-up query
 Asymmetrical
 Saturate network bandwidth capacity
 DNS Flood
 Saturate hardware side (Memory, RAM, CPU etc…
 Symmetrical
 Generated by script on compromised botnet machines

29. CASE STUDY – UDP MITIGATION – DNS REFLECTION

30. CASE STUDY – UDP MITIGATION – FRAGMENTS

31. R1 R2
DIST1 DIST2
SW1
ip access-list extended OUTSIDE-ACL

32. CASE STUDY – UDP MITIGATION – SAMPLE ACL
IP ACCESS-LIST EXTENDED OUTSIDE-ACL
1 DENY UDP ANY HOST X.X.X.X
2 DENY UDP ANY HOST X.X.X.X FRAGMENTS
3 DENY UDP ANY EQ 53 HOST X.X.X.X
4 DENY UDP ANY EQ 4444 HOST X.X.X.X

33. CASE STUDY – TCP MITIGATION

34. CASE STUDY – TCP THREE WAY HANDSHAKE

35. WWW.CCIE.PL
BACKBONE
DIST
SW
INTERFACE GI0/0
DESCRIPTION WAN
IP ADDRESS 1.1.1.1/24
INTERFACE ETH0
DESCRIPTION FRONTEND-INT
IP ADDRESS 1.1.1.2/24
INNCOMMING TCP SYN FLOOD ON
PORT 80
SIZE 100 GBPS

36. WWW.CCIE.PL
BACKBONE
DIST
SW
INTERFACE GI0/0
DESCRIPTION WAN
IP ADDRESS 1.1.1.1/24
INTERFACE ETH0
DESCRIPTION FRONTEND-INT
IP ADDRESS 1.1.1.2/24
INNCOMMING TCP SYN FLOOD ON
PORT 80
SIZE 100 GBPS
CUSTOMER IMPACT: 1000
CUSTOMER DOMAINS: 3000

37. SYN FLOOD
 How it works ?
 Think3-way handshake
 Host has a number of incoming free slots
 When slots are full no more connections are
accepted

38. SYN FLOOD

39. SYN FLOOD

40. WWW.CCIE.PL
WWW.RUFZOR.COM
WWW.COMPANY.PL

41. WWW.CCIE.PL
BACKBONE
DIST
SW
INTERFACE GI0/0
DESCRIPTION WAN
IP ADDRESS 1.1.1.1/24
INTERFACE ETH0
DESCRIPTION FRONTEND-INT
IP ADDRESS 1.1.1.2/24
INTERFACE ETH1
DESCRIPTION BACKEND-INT
IP ADDRESS 10.10.10.2/24

42. WWW.CCIE.PL
BACKBONE
DIST
SC
SW
RFC1918
INTERFACE GI0/0
DESCRIPTION WAN
IP ADDRESS 1.1.1.1/24
INTERFACE ETH0
DESCRIPTION FRONTEND-INT
IP ADDRESS 1.1.1.2/24
INTERFACE ETH1
DESCRIPTION BACKEND-INT
IP ADDRESS 10.10.10.1/24
INTERFACE ETH1
DESCRIPTION BACKEND-INT
IP ADDRESS 10.10.10.2/24

43. WWW.CCIE.PL
BACKBONE
DIST
SC
SW
RFC1918
INTERFACE GI0/0
DESCRIPTION WAN
IP ADDRESS 1.1.1.1/24
INTERFACE ETH0
DESCRIPTION FRONTEND-INT
IP ADDRESS 1.1.1.2/24
INTERFACE ETH1
DESCRIPTION BACKEND-INT
IP ADDRESS 10.10.10.1/24
INTERFACE ETH1
DESCRIPTION BACKEND-INT
IP ADDRESS 10.10.10.2/24

44. CASE STUDY – WORDPRESS VS HAPROXY
 ACL
 TCP SYN, Flood free
 XMLRPC Brute Force Amplification
 NGINX support
 GREP & AWK knowledge required

45. CASE STUDY – HAPROXY SAMPLE CONFIGURATION
defaults
log global
timeout http-request 5s
timeout queue 1m
timeout connect 10s
timeout client 30s
timeout server 10s
timeout check 10s
option httplog
timeout connect 5000
option httpchk
maxconn 30000
timeout http-request 5s
option httpclose
retries 2
listen live_http_nginx_nodes
bind 0.0.0.0:80
tcp-request inspect-delay 10s
tcp-request content accept if HTTP

46. CASE STUDY – HAPROXY SAMPLE CONFIGURATION - SLOWRIS
/etc/haproxy/haproxy.cfg
defaults
option http-server-close
mode http
timeout http-request 5s
timeout connect 5s
timeout server 10s
timeout client 30s
 Will send slowly requests (header by header)
 Will be waiting long time between each of them
 It tells HAproxy to let five seconds to a clients
to send its whole HTTP Request
 Otherwise HAproxy will close connection

47. CASE STUDY – HAPROXY CONFIGURATION - ACL
# acl host_ccie(host) -i ccie.pl
www.ccie.pl
# acl allowed hdr(host) -i www.ccie.pl
www.ccie.pl
acl wplogin path_beg /wp-login.php
acl xmlrpc_path path_end /xmlrpc.php
# acl wplogin_rewrite path_beg /wp-log-me-in
# http-request set-path /wp-login.php if wplogin_rewrite
# http-request deny if host_singeply
http-request deny if xmlrpc_path
# http-request deny if !allowed

48. CASE STUDY – HAPROXY

49. WWW.CCIE.PL
BACKBONE
DIST
SC
SW
RFC1918
INTERFACE GI0/0
DESCRIPTION WAN
IP ADDRESS 1.1.1.1/24
INTERFACE ETH0
DESCRIPTION FRONTEND-INT
IP ADDRESS 1.1.1.2/24
INTERFACE ETH1
DESCRIPTION BACKEND-INT
IP ADDRESS 10.10.10.1/24
INTERFACE ETH1
DESCRIPTION BACKEND-INT
IP ADDRESS 10.10.10.2/24

50. THIS IS NOT ALL…
 DNS Amplification
 DNS Flood
 HTTP Flood
 IP Fragmentation Attack
 NTP Amplification
 Ping of Death
 Ping Flood
 R-U-Dead-Yet
 Slowloris
 Smurf Attack
 SNMP Reflection
 SYN Flood
 UDP Flood
https://pl.wikipedia.org/wiki/Nycticebus
Nycticebus – rodzaj małpiatek z rodziny lorisowatych,
obejmujący gatunki występujące w południowej Azji.

51. CASE STUDY – BLACKHOLING
IP ACCESS-LIST EXTENDED OUTSIDE-ACL
1 DENY TCP HOST X.X.X.X EQ 80 ANY

52. SUMMARIZE IT…

53. QUESTIONS?

54. THANK YOU
/in/pwojtachnio