
Trey Guinn

Solution Engineer, CloudFlare
DDoS 101
Distributed Denial of Service

An attack coming from many locations
which overwhelms your resources and
prevents you from serving legitimate
Fake Pizza Orders
Variety of Attacks
Protocol Attacks
Application Attacks
Real Life Example
Wednesday, March 20
~75Gbps attack
Magic ceiling in DDoS attacks
March 24 March 25
Peaks of the attack reached at least 309Gbps
dig ANY @
+edns=0 +notcp +bufsize=4096
64-byte query
$ dig ANY @ +edns=0 +notcp +bufsize=4096

Amplification factor
Attack Amplification

DNS - 50x
NTP - 200x
Coming: SNMP - 650x
UDP = no handshake
Problem Ingredients:
Networks that allow
source IP spoofing
Servers that reply to
Good networks don't let
packets originate from IPs
they don't own (BCP38)
Not all networks are good
How common are
these ingredients?
28 million open resolvers
24.6% networks allow spoofing
10s of Millions
Open NTP DNS servers
1 attacker's laptop controlling
57 compromised servers on
3 networks that allowed spoofing of
9Gbps DNS requests to
0.1% of open resolvers resulted in
300Gbps+ of DDoS attack traffic.

How did we stop it?
Inherently dilutes
the attack
25 Anycasted PoPs
12 Gbps/PoP

Make sure you're not part

of the problem
Are you running open DNS resolvers?
Are you running open NTP servers?
Implement BCP38 (uRPF)