Trey Guinn Solution Engineer, CloudFlare

www.cloudflare.com

DDoS 101

Distributed Denial of Service

!

An attack coming from all many locations which overwhelms your resources and prevents you from serving legitimate

customers.

Fake Pizza Orders

Variety of Attacks

Volumetric

Protocol Attacks

Application Attacks

Real Life Example

Wednesday, March 20 ~75Gbps attack

100Gbps Magic ceiling in DDoS attacks

March 24 – March 25 Peaks of the attack reached at least 309Gbps

dig ANY isc.org @63.217.84.76 +edns=0 +notcp +bufsize=4096

64-byte query

$ dig ANY isc.org @63.217.84.76 +edns=0 +notcp +bufsize=4096 !

3,363-byte response

Amplification

50x Amplification factor

Attack Amplification !

DNS - 50 x NTP - 200x

Coming: SNMP - 650x

UDP = no handshake

Problem Ingredients: Networks that allows

source IP spoofing +

Servers that reply to “non-customers”

Good networks don’t let packets originate from IPs they don’t own (BCP38)

Not all networks are good

How common are these ingredients?

28 million open resolvers

24.6% networks allow spoofing

10s of Millions Open NTP DNS servers

1 attacker’s laptop controlling 5–7 compromised servers on 3 networks that allowed spoofing of 9Gbps DNS requests to 0.1% of open resolvers resulted in 300Gbps+ of DDoS attack traffic.

+ + + +

How did we stop it?

Anycast

Inherently “dilutes” the attack

300Gbps 25 Anycasted PoPs 12 Gbps/PoP

÷

Make sure you’re not part of the problem…

Are you running open DNS resolvers?

Are you running open NTP servers?

Implement BCP38 (uRPF)

Trey Guinn Solution Engineer

www.cloudflare.com