
Trey Guinn

Solution Engineer, CloudFlare


www.cloudflare.com
DDoS 101
Distributed Denial of Service

An attack coming from many locations
which overwhelms your resources and
prevents you from serving legitimate
customers.
Fake Pizza Orders
Variety of Attacks
Volumetric
Protocol Attacks
Application Attacks
Real Life Example
Wednesday, March 20
~75Gbps attack
100Gbps
Magic ceiling in DDoS attacks
March 24 March 25
Peaks of the attack reached at least 309Gbps
dig ANY isc.org @63.217.84.76 +edns=0 +notcp +bufsize=4096
64-byte query
$ dig ANY isc.org @63.217.84.76 +edns=0 +notcp +bufsize=4096

3,363-byte response
Amplification
50x
Amplification factor
Attack Amplification

DNS - 50x
NTP - 200x
Coming: SNMP - 650x
UDP = no handshake
Problem Ingredients:
Networks that allow
source IP spoofing
+
Servers that reply to
non-customers
Good networks don't let
packets originate from IPs
they don't own (BCP38)
Not all networks are good
How common are
these ingredients?
28 million open resolvers
24.6% of networks allow spoofing
10s of Millions
Open NTP DNS servers
1 attacker's laptop controlling
57 compromised servers on
3 networks that allowed spoofing of
9Gbps DNS requests to
0.1% of open resolvers resulted in
300Gbps+ of DDoS attack traffic.

How did we stop it?
Anycast
Inherently dilutes
the attack
300Gbps
25 Anycasted PoPs
12 Gbps/PoP

Make sure you're not part of the problem
Are you running open DNS resolvers?
Are you running open NTP servers?
Implement BCP38 (uRPF)
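
One way to answer the "open DNS resolver" question for a server you operate, as an added example that is not part of the original slides. It sends one recursive query and reads the reply header; the function names, the `example.com` test name and the two sample replies are assumptions constructed for illustration.

```python
import socket
import struct

RA = 0x0080        # "recursion available" flag in the DNS header
REFUSED = 5        # RCODE a closed resolver returns to non-customers

def build_query(name, txid=0x1234):
    """Minimal A/IN query with RD=1 (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify_response(reply, query):
    """Decide from the reply header whether the server recursed for us."""
    if len(reply) < 12 or reply[:2] != query[:2]:
        return {"verdict": "malformed"}
    flags, _qd, answers = struct.unpack("!HHH", reply[2:8])
    rcode = flags & 0x000F
    if rcode == REFUSED or not flags & RA:
        verdict = "closed"          # refuses, or does not offer recursion
    elif rcode == 0 and answers > 0:
        verdict = "open"            # resolved a name for a non-customer
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "rcode": rcode, "answers": answers,
            "amplification": round(len(reply) / len(query), 1)}

def probe(server, name="example.com", timeout=3.0):
    """Query a resolver you operate, from an address outside its customer ranges."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"verdict": "no reply"}
    return classify_response(reply, query)

# Constructed replies (not captured traffic): header plus zero padding.
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + bytes(46)
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + bytes(17)

if __name__ == "__main__":
    query = build_query("example.com")
    print(classify_response(OPEN_REPLY, query))
    print(classify_response(REFUSED_REPLY, query))
```

A verdict of "open" from outside your customer ranges means the server replies to non-customers, the second of the two problem ingredients above.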
Trey Guinn
Solution Engineer
www.cloudflare.com