
Artyom Gavrichenkov, "The Dark Side of Things: Distributed Denial of Service Attacks after Mirai"


Akamai: CDN vs DDoSM

aut-num: AS20940
as-name: AKAMAI-ASN1
org: ORG-AT1-RIPE
mnt-by: AKAM1-RIPE-MNT
mnt-routes: AKAM1-RIPE-MNT

ASNumber: 32787
ASName: PROLEXIC-TECHNOLOGIES-DDOS-MITIGATION-NETWORK
Ref: https://whois.arin.net/rest/asn/AS32787

https://www.peeringdb.com/asn/20940
https://www.peeringdb.com/asn/32787
https://radar.qrator.net/as20940/
https://radar.qrator.net/as32787/

(Diagram slides: CDN vs DDoS)

Amplification

• 300 Mbps -> 30 Gbps
• 5 Gbps -> 500 Gbps

Vulnerable protocols

• NTP
• DNS
• SNMP
• SSDP
• ICMP
• NetBIOS
• RIPv1
• PORTMAP
• CHARGEN
• QOTD

Amplification can be identified by source port

BGP Flow Spec


Wordpress Pingback

GET /whatever
User-Agent: WordPress/3.9.2; http://example.com/; verifying pingback from 192.0.2.150

• 150 000 – 170 000 vulnerable servers at once
• SSL/TLS-enabled

Amplification can be identified by source port?
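As an added example (not from the talk), here is how a defender could turn the two preceding slides into detection logic: flows are attributed to a reflection protocol by IP protocol and UDP source port, using the IANA well-known ports for the protocols listed, while WordPress pingback floods are matched on the User-Agent shown above, because they arrive as ordinary TCP sessions and no source port gives them away. The flow records and User-Agent strings are constructed sample data.

```python
import re
from collections import Counter

# UDP source ports of the reflectors listed on the slide (IANA well-known ports);
# ICMP has no ports, so it is matched on IP protocol number 1 instead.
AMP_SOURCE_PORTS = {
    123: "NTP", 53: "DNS", 161: "SNMP", 1900: "SSDP", 137: "NetBIOS",
    520: "RIPv1", 111: "PORTMAP", 19: "CHARGEN", 17: "QOTD",
}

# Pingback-verification User-Agent from the slide, e.g.
# "WordPress/3.9.2; http://example.com/; verifying pingback from 192.0.2.150"
PINGBACK_UA = re.compile(r"^WordPress/[\d.]+; \S+; verifying pingback from \S+$")

def classify_flow(proto, src_port):
    """Name the reflection protocol of a flow (IP protocol, source port), or None."""
    if proto == 1:          # ICMP
        return "ICMP"
    if proto == 17:         # UDP: the source port is the reflector's service port
        return AMP_SOURCE_PORTS.get(src_port)
    return None             # TCP from port 123/53/... is a normal reply, not reflection

def amplification_bytes(flows):
    """Sum inbound bytes per reflection protocol; flows = (proto, src_port, nbytes)."""
    totals = Counter()
    for proto, src_port, nbytes in flows:
        name = classify_flow(proto, src_port)
        if name:
            totals[name] += nbytes
    return dict(totals)

def is_pingback_request(user_agent):
    """True for WordPress pingback-verification requests. They come in as ordinary
    TCP sessions from ephemeral ports, so no source-port rule (and no Flow Spec
    route keyed on one) can single them out; the HTTP layer has to be inspected."""
    return PINGBACK_UA.match(user_agent) is not None

# Constructed sample data: (IP protocol, source port, bytes) and HTTP User-Agents.
SAMPLE_FLOWS = [
    (17, 123, 4680),   # NTP reply
    (17, 53, 3000),    # DNS reply
    (17, 1900, 1200),  # SSDP reply
    (1, 0, 1400),      # ICMP
    (6, 443, 800),     # TLS reply from a web server: not reflection
]
SAMPLE_UAS = [
    "WordPress/3.9.2; http://example.com/; verifying pingback from 192.0.2.150",
    "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/49.0",
]
```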

BGP Flow Spec


Wordpress Pingback

• Millions of vulnerable servers

Joomla? TinyCMS? Drupal? ModX? Sharepoint? Mediawiki?

Internet of Things

• Webcams, routers, smartphones, coffee makers
• Cheap hardware and software
• (Little to) NO software updates, including security fixes
• Default logins/passwords
• Full Internet access

Internet of Things

• Network scanners are now powerful enough to discover vulnerable IoT (good job, Flow Spec)

=>

The Void

• To survive TCP- and HTTPS-based attacks, one needs a session-capable and TLS-capable DPI
• To survive large botnets, one needs a behavioral analysis and correlation analysis built into that DPI
• On the 1 Tbps bandwidth

The Void

• Do not try to fix it yourself
• Reach out to your ISP ASAP

The Cure

• ISP initiatives
• Zero tolerance to vulnerable IoT
• IPv6?

Thank you, and good luck!

Artyom Gavrichenkov <[email protected]>