DDOS attacks in an IPv6 World Tom Paseka HKNOG 1.0 September 2014


Apr 02, 2015

Marquez Schade
Transcript
Slide 1
DDOS attacks in an IPv6 World. Tom Paseka, HKNOG 1.0, September 2014

Slide 2
Who are we?

Slide 3
How does CloudFlare work?
CloudFlare works at the network level. Once a website is part of the CloudFlare community, its web traffic is routed through CloudFlare's global network of 24 (and growing) data centers. At each edge node, CloudFlare manages DNS, caching, bot filtering, web content optimization and third party app installations.

Slide 4
IPv6 Gateway
With the Internet's explosive growth and the number of on-net devices closing in on IPv4's maximum capacity, CloudFlare now offers an automatic IPv6 gateway seamlessly bridging the IPv4 and IPv6 networks. For most businesses, upgrading to the IPv6 protocol is costly and time consuming. CloudFlare's solution requires NO hardware, software, or other infrastructure changes by the site owner or hosting provider. It is enabled via the flip of a switch on the site owner's CloudFlare dashboard. Users can choose two options: (FULL), which enables IPv6 on all subdomains that are CloudFlare enabled, or (SAFE), which automatically creates specific IPv6-only subdomains (e.g. www.ipv6.yoursite.com).

Slide 5
DDoS Overview

Slide 6
  • The purpose of a DDoS is to overwhelm an internet resource, to take it offline. This can be:
  • Volumetric (e.g. high Gbps, high PPS or SYN flooding), to overwhelm the infrastructure in front of the website / resource. SYN floods overwhelm the
  • Application based (e.g. excessive HTTP POST or search), to overwhelm the application or server.
  • A website suddenly becoming very popular can also look like a DDoS.

Slide 7
DDoS Overview: Growing Trend
  • Increasing in size all the time
  • Attacks greater than 400Gbps+ are now regular
Source: http://www.arbornetworks.com/images/PeakDDoSAttack_rev2.jpg

Slide 8
DDoS Overview
  • Large scale DDoS is a common occurrence.
  • Used for exploitation, even for relatively low amounts (US$500 and below).
  • Online services are available for purchase of DDoS, known as "Booters".
  • A large purpose is to kick competitors off online games so they forfeit the game.
  • Free trials are often available for Booters too!

Slide 9
So, what's this got to do with IPv6?

Slide 10
Nothing?

Slide 11
So, what's this got to do with IPv6? Or maybe a lot?

Slides 12-14
So, what's this got to do with IPv6?
Aged tools without IPv6 support:
  • NetFlow (v5): [image]
  • Interface (SNMP) graph: [image] ?

Slides 15-18
So, what's this got to do with IPv6?
Junos CLI output (the same text is built up across these four slides):
  [edit protocols bgp group ROUTESERVER neighbor]
  [email protected]# set family inet f?
  Possible completions:
  > flow    Include flow NLRI
  [edit protocols bgp group ROUTESERVER neighbor]
  [email protected]# set family inet6 f?
  No valid completions

Slide 19
So, what's this got to do with IPv6?
Without supporting systems, many things may be impeded:
  • Ability to identify attacks: No NetFlow data?
  • Ability to filter the attacks: IP Tables support? (ip6tables); IP ACL / access-lists; BGP FlowSpec; Remotely Triggered Black Holing

Slide 20
So, what's this got to do with IPv6?
So, is this IPv6's fault? Looking at the vendors in the room: why is any product released without FULL IPv6 support today?

Slide 21
So, what's this got to do with IPv6?
  • A lot of IPv6 deployments feel like "best effort".
  • Best effort doesn't cut it under big attacks and with security.
  • We all still have a long way to come.

Slide 22
IPv6 Attacks in the Wild

Slide 23
  • For the most part, in our experience, they're the same as IPv4 based attacks.
  • Typically, attack scope is smaller, due to the much smaller number of IPv6 hosts on the internet.
  • Not true for all attacks.

Slide 24
IPv6 Attacks in the Wild
  • DNS cache-busted query attacks.
  • Not only an IPv6 attack, but interesting because of how it came in over IPv6.
  • Botnet bots query through their normally configured recursors, using random strings which aren't cachable.

Slide 25
IPv6 Attacks in the Wild
Queries look like this:
  ebepexklyfaxmloh.www.popvote.hk
  ktylstudkr.www.popvote.hk
  ohunarajmbkrej.www.popvote.hk
  wwtdheilzcv.www.popvote.hk
  zktvvotoyrewaku.www.popvote.hk
  ...
  khyhavsnijslyb.www.popvote.hk
  gchjpexychflvfv.api-token.popvote.hk
  ruqnpvp.api-token.popvote.hk
  fapzefvgowzonss.api-token.popvote.hk
  mcvhothfketpgre.api-token.popvote.hk

Slide 26
IPv6 Attacks in the Wild
  • We see about an equal breakdown between normal DNS traffic and attack DNS traffic with IPv4 and IPv6.
  • Often in ISP networks, the first thing IPv6 is enabled on is their own infrastructure, e.g. DNS servers.
  • When infrastructure is dual stacked, the abuse will follow!
  $ host tom.ns.cloudflare.com
  tom.ns.cloudflare.com has address 173.245.59.147
  tom.ns.cloudflare.com has IPv6 address 2400:cb00:2049:1::adf5:3b93

Slide 27
IPv6 Attacks in the Wild
  • These attacks are very effective.
  • Attacks are growing past 100M PPS (packets per second).
  • With the prior ratio of IPv6 traffic, that's ~20M PPS of IPv6 traffic.

Slide 28
IPv6 Attacks in the Wild
About the same amount of IPv6 PPS going across the AMS-IX Internet exchange!

Slide 29
IPv6 Attacks in the Wild
IPv6 SYN floods (and other flooding based attacks)
  • Botnets send commands/attacks to direct traffic towards a hostname, e.g. example.com
  $ host example.com
  example.com has address 93.184.216.119
  example.com has IPv6 address 2606:2800:220:6d:26bf:1447:1097:aa7

Slide 30
IPv6 Attacks in the Wild
  • The botnet master may not intend to send traffic towards IPv6 hosts.
  • But bots inside the botnet see the AAAA record and send traffic that way: IPv6 preferred selection.

Slide 31
IPv6 Attacks in the Wild
Aged tools without IPv6 support:
  • NetFlow (v5): [image]
  • Interface (SNMP) graph: [image] ?

Slide 32
IPv6 Attacks in the Wild
Is all of this interesting?

Slide 33
IPv6 Attacks in the Wild
  • Shows IPv6 adoption is growing, not just in users' networks, but in other parts of the internet.
  • Expands the scope of where IPv6 attacks can come in.
  • Helps change the IPv4-only mindset.

Slide 34
Moving Forward

Slide 35
(no text)

Slide 36
We're making sure IPv6 is enabled for everyone. Previously, we had IPv6 as an option; now it's default on and enabled for all our customers.

Slide 37
Moving Forward

Slide 38
  • This is just the tip of the iceberg.
  • Nothing over IPv6 has been that unique yet.
  • Most attacks are still directed at an IP (IPv4) address.
  • The most sophisticated are still IPv4 only.
  • Who knows what is coming next?

Slide 39
Moving Forward
  • Unless we can see what's happening now, we can't know what to expect going forward.
  • Except that if you're not prepared with the same principles as in IPv4 security, IPv6 will byte you.
  • Once you've reached equality in IPv4 and IPv6, the issue of IPv4 v. IPv6 in attacks is moot.

Slide 40
Questions?

Slide 41
Thank You!

Slide 42
(no text)
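Slides 19-21 make a concrete operational point: the ability to filter an attack is only as good as its weakest address family, and "best effort" IPv6 deployments typically carry over the iptables rules but not the ip6tables ones. The script below is an example added to this transcript (it is not from the slides or from CloudFlare's tooling). It compares two firewall dumps in iptables-save / ip6tables-save format, normalises away the parts that are legitimately family-specific (source and destination addresses), and reports every IPv4 rule that has no IPv6 counterpart. Both dumps are constructed samples: the IPv6 side deliberately lacks the HTTPS SYN rate limit and the per-source DNS limit that exist on the IPv4 side.

```python
"""Audit an IPv4 firewall ruleset against its IPv6 counterpart.

Added example, not from the slides. Finds iptables rules (in iptables-save
format) that have no equivalent in the ip6tables ruleset, ignoring
address-family-specific arguments such as -s/-d so that the same intent
expressed with an IPv4 and an IPv6 prefix still matches.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed sample: what `iptables-save` might print for a small edge host.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 1000/s --limit-burst 2000 -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j DROP
-A INPUT -p udp --dport 53 -m hashlimit --hashlimit-above 500/s --hashlimit-mode srcip --hashlimit-name dns -j DROP
-A INPUT -p udp --dport 53 -j ACCEPT
COMMIT
"""

# Constructed sample: the "best effort" IPv6 side. ICMPv6 is (correctly)
# allowed, but the SYN rate limit and the DNS per-source limit were never
# carried across, so an IPv6 flood hits the host unthrottled.
IP6TABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 2001:db8:1::/48 -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
COMMIT
"""

# Options whose argument is an address or range and therefore differs per
# family; they are dropped before comparison.
ADDRESS_OPTS = {"-s", "--source", "-d", "--destination", "--src-range", "--dst-range"}


def normalise(rule: str) -> Tuple[str, ...]:
    """Turn one '-A CHAIN ...' line into a family-neutral, order-preserving key."""
    tokens = shlex.split(rule)
    key: List[str] = []
    i = 0
    while i < len(tokens):
        if tokens[i] in ADDRESS_OPTS:
            i += 2  # skip the option and its address argument
            continue
        key.append(tokens[i])
        i += 1
    return tuple(key)


def parse_rules(saved: str) -> Dict[Tuple[str, ...], str]:
    """Return {normalised key: original line} for every -A rule in a *-save dump."""
    rules: Dict[Tuple[str, ...], str] = {}
    for line in saved.splitlines():
        line = line.strip()
        if line.startswith("-A "):
            rules[normalise(line)] = line
    return rules


def missing_ipv6_rules(v4_dump: str, v6_dump: str) -> List[str]:
    """IPv4 rules (original text) that have no family-neutral equivalent on the IPv6 side."""
    v4 = parse_rules(v4_dump)
    v6 = parse_rules(v6_dump)
    return [text for key, text in v4.items() if key not in v6]


if __name__ == "__main__":
    for rule in missing_ipv6_rules(IPTABLES_SAVE, IP6TABLES_SAVE):
        print("no ip6tables counterpart:", rule)
```

Run against real hosts by feeding it the output of `iptables-save` and `ip6tables-save`; the comparison is deliberately literal (same chain, same matches, same target), so a rule rewritten with a different match module on the IPv6 side will be reported and has to be reviewed by hand. The same parity idea applies to the other items on slide 19: router ACLs, FlowSpec (inet vs inet6) and RTBH communities should each be checked family by family rather than assumed.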
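Slides 24-26 describe the cache-busting query attack: bots ask their normal recursors for random labels under the victim zone, so every query misses the cache and lands on the authoritative servers, over whichever family the recursor has. The detector below is an example added here, not code from the slides or from CloudFlare. Rather than trying to judge whether a single label "looks random" (the legitimate label api-token has as much character entropy as the attack labels), it uses the property the deck actually names, uncacheability: a client that sends many queries under one zone and almost never repeats a name is neither a user nor a cache. The log format, client addresses and timestamps are constructed; the query names are the ones shown on slide 25. The family breakdown at the end is the comparison slide 26 makes between IPv4 and IPv6 attack traffic.

```python
"""Spot cache-busting DNS query floods in a query log and break them down by IP family.

Added example, not from the slides. Flags clients whose queries under a watched
zone are almost all distinct names, then counts the flagged queries per IP
version so IPv4 and IPv6 attack volume can be compared.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

WATCHED_ZONE = "popvote.hk"

# Constructed query log in a simple "<timestamp> client=<address> q=<qname>" form.
# Recursors 192.0.2.10 and 2001:db8::53 relay a burst of random labels (the
# names from slide 25); 198.51.100.7 and 2001:db8:1::7 behave like ordinary clients.
QUERY_LOG = """\
2014-09-01T10:00:00Z client=192.0.2.10 q=ebepexklyfaxmloh.www.popvote.hk
2014-09-01T10:00:00Z client=2001:db8::53 q=ktylstudkr.www.popvote.hk
2014-09-01T10:00:01Z client=192.0.2.10 q=ohunarajmbkrej.www.popvote.hk
2014-09-01T10:00:01Z client=2001:db8::53 q=wwtdheilzcv.www.popvote.hk
2014-09-01T10:00:01Z client=198.51.100.7 q=www.popvote.hk
2014-09-01T10:00:02Z client=192.0.2.10 q=zktvvotoyrewaku.www.popvote.hk
2014-09-01T10:00:02Z client=2001:db8::53 q=khyhavsnijslyb.www.popvote.hk
2014-09-01T10:00:02Z client=2001:db8:1::7 q=www.popvote.hk
2014-09-01T10:00:03Z client=192.0.2.10 q=gchjpexychflvfv.api-token.popvote.hk
2014-09-01T10:00:03Z client=2001:db8::53 q=ruqnpvp.api-token.popvote.hk
2014-09-01T10:00:03Z client=198.51.100.7 q=api-token.popvote.hk
2014-09-01T10:00:04Z client=192.0.2.10 q=fapzefvgowzonss.api-token.popvote.hk
2014-09-01T10:00:04Z client=2001:db8::53 q=mcvhothfketpgre.api-token.popvote.hk
2014-09-01T10:00:04Z client=2001:db8:1::7 q=www.popvote.hk
2014-09-01T10:00:05Z client=198.51.100.7 q=www.popvote.hk
"""


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (client address, lowercase qname without trailing dot) pairs."""
    records = []
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        records.append((fields["client"], fields["q"].lower().rstrip(".")))
    return records


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or any name below it."""
    return qname == zone or qname.endswith("." + zone)


def flag_cache_busters(records: Iterable[Tuple[str, str]], zone: str = WATCHED_ZONE,
                       min_queries: int = 4, min_unique_ratio: float = 0.9) -> Dict[str, Tuple[int, int]]:
    """Return {client: (total, distinct)} for clients whose queries under `zone`
    are almost all distinct names, i.e. could not have been served from a cache.
    Thresholds are illustrative; tune them to the zone's normal query mix."""
    per_client: Dict[str, List[str]] = defaultdict(list)
    for client, qname in records:
        if in_zone(qname, zone):
            per_client[client].append(qname)
    flagged: Dict[str, Tuple[int, int]] = {}
    for client, names in per_client.items():
        total, distinct = len(names), len(set(names))
        if total >= min_queries and distinct / total >= min_unique_ratio:
            flagged[client] = (total, distinct)
    return flagged


def family_breakdown(flagged: Dict[str, Tuple[int, int]]) -> Dict[int, int]:
    """Count flagged queries per IP version (4 or 6), the comparison slide 26 makes."""
    counts = {4: 0, 6: 0}
    for client, (total, _) in flagged.items():
        counts[ipaddress.ip_address(client).version] += total
    return counts


if __name__ == "__main__":
    flagged = flag_cache_busters(parse_log(QUERY_LOG))
    for client, (total, distinct) in flagged.items():
        print(f"{client}: {total} queries, {distinct} distinct names")
    print("flagged queries by family:", family_breakdown(QUERY_LOG and flagged))
```

Two design points matter in practice. First, the flagged "clients" here are recursors, as on slide 24, so the right response is rate limiting or response-rate limiting per recursor and zone, not blocking the recursor outright, since it also serves legitimate users. Second, a large public recursor legitimately produces many distinct names, so this ratio should be computed per zone over a short window and compared with that zone's baseline rather than applied as a global rule. The `ipaddress` module handles both families, which is exactly the property the deck asks of every tool in the pipeline.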