This document discusses the problems caused by IP spoofing and denial of service (DDoS) attacks on the decentralized internet. It notes that technical solutions to IP spoofing have failed to fully address the problem. Without the ability to accurately trace attack traffic back to its source, attacks allow impersonation and amplification to occur anonymously. This lack of attribution forces networks to either absorb large attacks or route attack traffic elsewhere, undermining the decentralized structure of the internet. The document argues that implementing better netflow monitoring and supporting full netflow standards would allow accurate tracing of traffic and proper attribution of attacks. With attribution in place, a more informed discussion can occur to ultimately solve DDoS attacks and preserve the decentralized internet.

1. Spoofing and Denial of Service: A risk to the
decentralized Internet
DDoS: The real story with BCP38
Tom Paseka
APRICOT 2017

2. Global Network
© 2017 Cloudflare Inc. All rights reserved. 2

3. Content Neutral
© 2016 Cloudflare Inc. All rights reserved. 3

4. Daily Attacks
© 2016 Cloudflare Inc. All rights reserved. 4

5. Daily Attacks
• Because we have such a broad view of the internet, we see a lot of
attacks
• This graph is showing count of different attacks
• Sometimes, seeing more than 1,400 unique attacks daily
© 2016 Cloudflare Inc. All rights reserved. 5

6. We have to solve attacks
© 2016 Cloudflare Inc. All rights reserved. 6

7. Record Breaking Attacks
Nickname Type Volume
SNMP Amp SNMP Amplification/Reflection 80Gbps
Spamhaus DNS Amplification/Reflection 300Gbps
"Winter of Attacks" Direct 400Gbps
IoT Direct 500Gbps+
© 2016 Cloudflare Inc. All rights reserved. 7

8. Record Breaking Attacks
• Around 5 years ago we saw some SNMP reflection attacks
• Cable modems from a very large Cable ISP in North America were reflecting SNMP
walks towards us
• We then saw the infamous “Spamhaus” attacks. Attacks which were directed at us and
internet infrastructure, resulting in impact to hundreds of thousands of internet users
• From September 2016, the “IoT” attacks, most famously the Mirai (未来) botnet with
attacks breaking 500Gbps
© 2016 Cloudflare Inc. All rights reserved. 8

9. Most big attacks have a few things in common
© 2016 Cloudflare Inc. All rights reserved. 9

10. Flood of IP Packets
© 2016 Cloudflare Inc. All rights reserved. 10

11. © 2016 Cloudflare Inc. All rights reserved. 11

12. Spoofing Enables Impersonation
© 2016 Cloudflare Inc. All rights reserved. 12

13. Spoofing?
• Why is spoofing an
issue?
• This is my good friend
Walt Wollny
• Let’s say, he was
assaulted, but it was by
masked assailant
• Without removing the
mask, there can’t be
legal retribution
© 2016 Cloudflare Inc. All rights reserved. 13

14. May 2000: BCP38
© 2016 Cloudflare Inc. All rights reserved. 14

15. BCP38
• BCP, Best Common Practice #38 was published in May 2000
• It gave guidance on how to configure your network to prefer spoofing
• This document is nearly 17 years old, why it isn’t engrained yet?
• Vendors Faults? Operators Fault?
• Regardless, IT’S. JUST. NOT. THERE.
© 2016 Cloudflare Inc. All rights reserved. 15

16. Caida Spoofer Stats
© 2016 Cloudflare Inc. All rights reserved. 16
Updated: Feb 2017. Source: https://spoofer.caida.org

17. Filter close to the source
© 2016 Cloudflare Inc. All rights reserved. 17

18. Filter close to the source
• Filtering at the ingress from your customer is really how to stop filtering
• You should also be filtering at the egress if your network for multiple layers, incase of
some misconfiguration
• Unicast Reverse Path Forwarding doesn’t scale well
• What about simple ACLs?
• Yet this still isn’t there!
© 2016 Cloudflare Inc. All rights reserved. 18

19. IP Spoofing:
• Enables Impersonation
• Isn’t solved
© 2016 Cloudflare Inc. All rights reserved. 19

20. IP Spoofing
1. Tracing back is impossible
2. Allows sophisticated attacks
© 2016 Cloudflare Inc. All rights reserved. 20

21. IP Spoofing
1. Tracing back is impossible
2. Allows sophisticated attacks
© 2016 Cloudflare Inc. All rights reserved. 21

22. Where did the attack come from?
© 2016 Cloudflare Inc. All rights reserved. 22

23. Where did the attack come from?
• The “Server” in this slide, gets attack traffic
• It has one link out, to its router, so we know it came from the ‘router’
• But from there, where did it come from?
• There are multiple input interfaces, which one could be sending the traffic? Which
network?
• We can trace this down a bad way, by looking at graphs
© 2016 Cloudflare Inc. All rights reserved. 23

24. Identifying interfaces
© 2016 Cloudflare Inc. All rights reserved. 24

25. Identifying interfaces
© 2016 Cloudflare Inc. All rights reserved. 25

26. What’s on the other side of the Cable?
© 2016 Cloudflare Inc. All rights reserved. 26

27. What’s on the other side of the Cable?
• For most internet networks, there are several types of input sources:
• Direct Peering: Where you have a single network and their customer cone
on that interfaces
• Internet Exchange: many networks connected to a single fabric. Possible
hundreds of direct networks and thousands of in-direct networks
• Internet Carrier / Transit Provider: The whole Internet
© 2016 Cloudflare Inc. All rights reserved. 27

28. 1. Direct Peering
© 2016 Cloudflare Inc. All rights reserved. 28

29. 1. Direct Peering
• Where we have direct peering with another network, you have a pretty good idea of
what’s on the other side
• This is going to be limited to that network and their customers
• In a case like this, it’s pretty easy to identify at least the ISP responsible for traffic
© 2016 Cloudflare Inc. All rights reserved. 29

30. 2. IXP / Internet Exchange Point
© 2016 Cloudflare Inc. All rights reserved. 30
3. Transit Provider

31. IXPs and Transit Providers
• Both of these represent an issue
• There is any number of networks where traffic could be coming from
• No easy way to identify the source over either of these
• Let’s explore a little but more about IXPs
© 2016 Cloudflare Inc. All rights reserved. 31

32. 2. IXP / Internet Exchange Point
© 2016 Cloudflare Inc. All rights reserved. 32

33. 2. IXP / Internet Exchange Point
© 2016 Cloudflare Inc. All rights reserved. 33
?.?.?.?

34. 2. IXP / Internet Exchange Point
• When traffic enters the IXP, we have no idea where the source came from
• Since you’re on one big fabric, anyone can inject it
• Very hard to track back
• Some ways to trace, but poorly implemented. I’ll touch on this later.
© 2016 Cloudflare Inc. All rights reserved. 34

35. 3. Transit Provider
© 2016 Cloudflare Inc. All rights reserved. 35
Src ip = 8.8.8.8

36. 3. Transit Provider
© 2016 Cloudflare Inc. All rights reserved. 36
???
Src ip = 8.8.8.8
???
8.8.8.0/24

37. 3. Transit Provider
• So, we see an attack coming from 8.8.8.8
• This is coming in over a transit provider
• But we have direct peering with the network that represents this traffic
• Why isn’t this traffic coming over the peering?
• ….Because it’s spoofed.
© 2016 Cloudflare Inc. All rights reserved. 37

38. Lack of Attribution
© 2016 Cloudflare Inc. All rights reserved. 38

39. IP Spoofing
1. Tracing back is impossible
2. Allows sophisticated attacks
© 2016 Cloudflare Inc. All rights reserved. 39

40. Amplification
© 2016 Cloudflare Inc. All rights reserved. 40

41. Amplification
• We know about amplification attacks, so I’m not going to go into technical detail
• The premise: Send a small request and get a big response directed at your target
• Amplification means you can knock off a service, much larger than you are, without
using all your resources.
© 2016 Cloudflare Inc. All rights reserved. 41

42. March 2013: Spamhaus
© 2016 Cloudflare Inc. All rights reserved. 42

43. March 2013: Spamhaus
• During the Spamhaus attacks, DNS amplification was used
• Large DNS replies (eg. ANY isc.org ~4,000 byte reply to a very small query)
• 37Gbps of attack traffic was able to be amplified to 300Gbps of attack traffic
© 2016 Cloudflare Inc. All rights reserved. 43

44. Amplification is relatively easy to block….
• …If you have the bandwidth. (few networks can absorb hundreds of Gbps)
• Block on firewall:
• src UDP/53 > deny
• Internet is fighting amplification sources:
• openresolverproject.org
• openntpproject.org
© 2016 Cloudflare Inc. All rights reserved. 44

45. Source IP Addresses
© 2016 Cloudflare Inc. All rights reserved. 45
???
Src ip = 8.8.8.8
???
8.8.8.0/24

46. Source IP Addresses
• So, what happens when we trace the source IP address in attacks.
• Taking this lovely picture from xkcd, we see a map of what the internet is
© 2016 Cloudflare Inc. All rights reserved. 46

47. Source IP Addresses
© 2016 Cloudflare Inc. All rights reserved. 47
https://xkcd.com/195/

48. Source IP Addresses
• What does this same map look like, when we see a large scale attack?
© 2016 Cloudflare Inc. All rights reserved. 48

49. Source IP Addresses
© 2016 Cloudflare Inc. All rights reserved. 49

50. Source IP Addresses
• What about a different type of attack?
• This attack is coming from a single network, the graph on the left is the view of what is
routed by that network
• The graph on the right is attack sources from that network
• Is this network doing egress filtering? Is it spoofed or all direct from that network?
© 2016 Cloudflare Inc. All rights reserved. 50

51. Source IP Addresses
© 2016 Cloudflare Inc. All rights reserved. 51

52. Dealing with Attacks
© 2016 Cloudflare Inc. All rights reserved. 52

53. Null Routing
© 2016 Cloudflare Inc. All rights reserved. 53

54. Null Routing
• Probably the simplest way to deal with an attack
• You instruct your ISP not to route traffic for a single host, or a series of hosts in your
network
• Except, you’ve just let the attacker win
• If you null route your service, you’ve taken it offline. Perhaps you have an advanced
system and can quickly renumber, but the attacker can update their attack too
© 2016 Cloudflare Inc. All rights reserved. 54

55. The only way to stay online is to absorb the attack
© 2016 Cloudflare Inc. All rights reserved. 55

56. Receive and Process
© 2016 Cloudflare Inc. All rights reserved. 56

57. Receive and Process
• To absorb the attack you need to receive and process it
• This means you need to scale up infrastructure or develop advanced techniques to
deal with attacks
• Both of these need huge amounts of capacity, both physical and logical
• Few networks are ready for it, so you outsource
• But this breaks the model of de-centralization
© 2016 Cloudflare Inc. All rights reserved. 57

58. Centralization
© 2016 Cloudflare Inc. All rights reserved. 58

59. Solution?
© 2016 Cloudflare Inc. All rights reserved. 59

60. Technical solutions to IP Spoofing have failed
© 2016 Cloudflare Inc. All rights reserved. 60

61. Don’t just solve the IP Spoofing
© 2016 Cloudflare Inc. All rights reserved. 61

62. Don’t just solve the IP Spoofing…
© 2016 Cloudflare Inc. All rights reserved. 62
…solve the attribution!

63. © 2016 Cloudflare Inc. All rights reserved. 63

64. Netflow
• Opensource Toolsets are great
• Scales very well
• Privacy Concerns?
• This is very very simple data
• Rotate (delete) logs every few days
• Use a high sampling rate. 1/16,000
© 2016 Cloudflare Inc. All rights reserved. 64

65. Netflow
• H/W vendors must get better
• Netflow v9 supports src/dst MAC
• Which vendor supports it?
© 2016 Cloudflare Inc. All rights reserved. 65
Photo: The Simpsons/FOX

66. NetFlow
• It is EMBARRASING that a transit provider doesn’t know where packets ingress their
networks
• It’s even more embarrassing that service providers who have NetFlow equipment, be it
open sourced / in house or provided by a vendor don’t know how to use it
• It’s also EMBARRASING that hardware vendors don’t support full NetFlow v9
• This needs to be resolved now
© 2016 Cloudflare Inc. All rights reserved. 66

67. This is the first step
© 2016 Cloudflare Inc. All rights reserved. 67

68. Attribution allows informed discussion
© 2016 Cloudflare Inc. All rights reserved. 68

69. DDoS Causes centralization
© 2016 Cloudflare Inc. All rights reserved. 69

70. To fix DDoS we need attribution
© 2016 Cloudflare Inc. All rights reserved. 70

71. To make the internet better for everyone
© 2016 Cloudflare Inc. All rights reserved. 71