The document discusses the differences between Content Delivery Networks (CDNs) and DDoS mitigation services, highlighting Akamai and Prolexic's roles. It outlines the various vulnerable protocols that can lead to amplification attacks and emphasizes the importance of proper security measures for IoT devices. Additionally, it touches upon the necessity for ISPs to adopt stringent policies against vulnerable IoT devices and to support their customers during cyber attacks.

1. qrator.net 2016

2. qrator.net 2016

3. qrator.net 2016
Akamai: CDN vs DDoSM
aut-num: AS20940
as-name: AKAMAI-ASN1
org: ORG-AT1-RIPE
mnt-by: AKAM1-RIPE-MNT
mnt-routes: AKAM1-RIPE-MNT

4. qrator.net 2016
Akamai: CDN vs DDoSM
aut-num: AS20940
as-name: AKAMAI-ASN1
org: ORG-AT1-RIPE
mnt-by: AKAM1-RIPE-MNT
mnt-routes: AKAM1-RIPE-MNT
ASNumber: 32787
ASName: PROLEXIC-
TECHNOLOGIES-DDOS-
MITIGATION-NETWORK
Ref: https://whois.arin.net/
rest/asn/AS32787

5. qrator.net 2016
Akamai: CDN vs DDoSM
aut-num: AS20940
as-name: AKAMAI-ASN1
org: ORG-AT1-RIPE
mnt-by: AKAM1-RIPE-MNT
mnt-routes: AKAM1-RIPE-MNT
ASNumber: 32787
ASName: PROLEXIC-
TECHNOLOGIES-DDOS-
MITIGATION-NETWORK
Ref: https://whois.arin.net/
rest/asn/AS32787
https://www.peeringdb.com/asn/20940

6. qrator.net 2016
Akamai: CDN vs DDoSM
aut-num: AS20940
as-name: AKAMAI-ASN1
org: ORG-AT1-RIPE
mnt-by: AKAM1-RIPE-MNT
mnt-routes: AKAM1-RIPE-MNT
ASNumber: 32787
ASName: PROLEXIC-
TECHNOLOGIES-DDOS-
MITIGATION-NETWORK
Ref: https://whois.arin.net/
rest/asn/AS32787
https://www.peeringdb.com/asn/20940

7. qrator.net 2016
Akamai: CDN vs DDoSM
https://www.peeringdb.com/
asn/20940

8. qrator.net 2016
Akamai: CDN vs DDoSM
https://www.peeringdb.com/
asn/20940

9. qrator.net 2016
Akamai: CDN vs DDoSM
https://www.peeringdb.com/
asn/20940
https://www.peeringdb.com/
asn/32787

10. qrator.net 2016
Akamai: CDN vs DDoSM
https://www.peeringdb.com/
asn/20940
https://www.peeringdb.com/
asn/32787

11. qrator.net 2016
Akamai: CDN vs DDoSM
https://www.peeringdb.com/
asn/20940
https://www.peeringdb.com/
asn/32787

12. qrator.net 2016
Akamai: CDN vs DDoSM
https://radar.qrator.net/
as20940/

13. qrator.net 2016
Akamai: CDN vs DDoSM
https://radar.qrator.net/
as20940/
https://radar.qrator.net/
as32787/

14. qrator.net 2016
Akamai: CDN vs DDoSM
https://radar.qrator.net/
as20940/
https://radar.qrator.net/
as32787/

15. qrator.net 2016
15
CDN

16. qrator.net 2016
16
CDN
DDoS
DDoS

17. qrator.net 2016
17
CDN
DDoS
DDoS

18. qrator.net 2016
18
CDN
DDoS
DDoS

19. qrator.net 2016
19
DDoS

20. qrator.net 2016
20

21. qrator.net 2016
21
300 Mbps
30 Gbps
Amplification

22. qrator.net 2016
22
5 Gbps
500 Gbps
Amplification

23. qrator.net 2016
23

24. qrator.net 2016
• NTP
• DNS
• SNMP
• SSDP
• ICMP
24
• NetBIOS
• RIPv1
• PORTMAP
• CHARGEN
• QOTD
Vulnerable protocols

25. qrator.net 2016
• NTP
• DNS
• SNMP
• SSDP
• ICMP
25
• NetBIOS
• RIPv1
• PORTMAP
• CHARGEN
• QOTD
Amplification can be identified by source port
Vulnerable protocols

26. qrator.net 2016
BGP Flow Spec

27. qrator.net 2016
Wordpress Pingback
GET /whatever
User-Agent: WordPress/3.9.2;
http://example.com/;
verifying pingback
from 192.0.2.150
• 150 000 – 170 000
vulnerable servers
at once
• SSL/TLS-enabled

28. qrator.net 2016
Wordpress Pingback
GET /whatever
User-Agent: WordPress/3.9.2;
http://example.com/;
verifying pingback
from 192.0.2.150
• 150 000 – 170 000
vulnerable servers
at once
• SSL/TLS-enabled
Amplification can be identified by source port?

29. qrator.net 2016
Wordpress Pingback
GET /whatever
User-Agent: WordPress/3.9.2;
http://example.com/;
verifying pingback
from 192.0.2.150
• 150 000 – 170 000
vulnerable servers
at once
• SSL/TLS-enabled
Amplification can be identified by source port?

30. qrator.net 2016
BGP Flow Spec

31. qrator.net 2016
BGP Flow Spec

32. qrator.net 2016
Wordpress Pingback
• Millions of vulnerable servers

33. qrator.net 2016
Wordpress Pingback
• Millions of vulnerable servers
Drupal?

34. qrator.net 2016
Wordpress Pingback
• Millions of vulnerable servers
Joomla?
Drupal?

35. qrator.net 2016
Wordpress Pingback
• Millions of vulnerable servers
Joomla?
Drupal?
Mediawiki?

36. qrator.net 2016
Wordpress Pingback
• Millions of vulnerable servers
Joomla?
Drupal?
Sharepoint?
Mediawiki?

37. qrator.net 2016
Wordpress Pingback
• Millions of vulnerable servers
Joomla?
TinyCMS?
Drupal?
ModX?
Sharepoint?
Mediawiki?

38. qrator.net 2016
Wordpress Pingback
• Millions of vulnerable servers
Joomla?
TinyCMS?
Drupal?
ModX?
Sharepoint?
Mediawiki?

39. qrator.net 2016
Internet of Things
• Webcams, routers, smartphones, coffee makers

40. qrator.net 2016
Internet of Things
• Webcams, routers, smartphones, coffee makers
• Cheap hardware and software

41. qrator.net 2016
Internet of Things
• Webcams, routers, smartphones, coffee makers
• Cheap hardware and software
• (Little to) NO software updates

42. qrator.net 2016
Internet of Things
• Webcams, routers, smartphones, coffee makers
• Cheap hardware and software
• (Little to) NO software updates, including security fixes

43. qrator.net 2016
Internet of Things
• Webcams, routers, smartphones, coffee makers
• Cheap hardware and software
• (Little to) NO software updates,
•Default logins/passwords
including security fixes

44. qrator.net 2016
Internet of Things
• Webcams, routers, smartphones, coffee makers
• Cheap hardware and software
• (Little to) NO software updates,
•Default logins/passwords
•Full Internet access
including security fixes

45. qrator.net 2016
Internet of Things
• Webcams, routers, smartphones, coffee makers
• Cheap hardware and software
• (Little to) NO software updates,
•Default logins/passwords
•Full Internet access
including security fixes

46. qrator.net 2016
Internet of Things
• Network scanners are now powerful enough
to discover vulnerable IoT (good job, Flow Spec)

47. qrator.net 2016
Internet of Things
• Network scanners are now powerful enough
to discover vulnerable IoT (good job, Flow Spec)
=>

48. qrator.net 2016
Internet of Things
• Network scanners are now powerful enough
to discover vulnerable IoT (good job, Flow Spec)
=>

49. qrator.net 2016
Internet of Things
• Network scanners are now powerful enough
to discover vulnerable IoT (good job, Flow Spec)
=>

50. qrator.net 2016
Internet of Things
• Network scanners are now powerful enough
to discover vulnerable IoT (good job, Flow Spec)
=>

51. qrator.net 2016

52. qrator.net 2016
The Void
• To survive TCP- and HTTPS-based attacks,
one needs a session-capable and TLS-capable DPI
• To survive large botnets,
one needs a behavioral analysis and
correlation analysis built into that DPI

53. qrator.net 2016
The Void
• To survive TCP- and HTTPS-based attacks,
one needs a session-capable and TLS-capable DPI
• To survive large botnets,
one needs a behavioral analysis and
correlation analysis built into that DPI
• On the 1 Tbps bandwidth

54. qrator.net 2016
The Void
• Do not try to fix it yourself
• Reach out to your ISP ASAP

55. qrator.net 2016
The Cure
• ISP initiatives

56. qrator.net 2016
The Cure
• ISP initiatives
• Zero tolerance to vulnerable IoT

57. qrator.net 2016
The Cure
• ISP initiatives
• Zero tolerance to vulnerable IoT
• IPv6?

58. qrator.net 2016
Thank you, and good luck!
mailto: Artyom Gavrichenkov <ag@qrator.net>