Attacks and DDoS Mitigation
Jérôme Fleury
NetSecure Day
December 2015
NetSecure Day 2015 - CloudFlare - Jérôme Fleury
CloudFlare
What is CloudFlare?
CloudFlare makes websites faster and safer, using our globally distributed network to deliver essential services to any website:
● Performance
● Content
● Optimization
● Security
● 3rd party services
● Analytics
How does CloudFlare work?
CloudFlare works at the network level
● Once a website is part of the CloudFlare community, its web traffic is routed through CloudFlare’s global network of 60+ (and growing) data centers.
● At each edge node, CloudFlare manages DNS, caching, bot filtering, web content optimization and third party app installations.
CloudFlare works globally
CloudFlare protects globally
● DDoS attack traffic is localized, which lets other geographic areas continue to operate
CloudFlare has customers globally
more than 4 million websites
DDoS Mitigation
DoS attempts daily
(chart: DoS events per day)
The Evolving Landscape of DDoS Attacks
(chart: attack type trend, x-axis 2013 to 2015, y-axis sophistication)
• Volumetric Layer 3 / 4: DNS amplification up to 300 Gbps; NTP reflection up to 400+ Gbps (35% up from DNS amplification)
• DNS infrastructure: 100s Gbps
• HTTPS application: 100s Gbps
• Origin: 100s of countries
• Equally capable of being IPv4 and IPv6
More sophisticated DDoS mitigation and a larger surface area to block volumetric attacks have forced hackers to change tactics.
New DNS infrastructure attacks and HTTP layer 7 attack signatures that mimic human-like behavior are increasing in frequency.
DNS Infrastructure Attacks
Protecting DNS can be independent of IPv4 or IPv6 usage
DNSSEC and DNS attacks and open resolvers
$ dig ANY isc.org @63.21*.**.** +edns=0 +notcp +bufsize=4096
(64-byte query)
;; ANSWER SECTION:
isc.org. 7147 IN SOA ns-int.isc.org. hostmaster.isc.org. 2013073000 7200 3600 24796800 3600
isc.org. 7147 IN NS ns.isc.afilias-nst.info.
isc.org. 7147 IN NS ord.sns-pb.isc.org.
isc.org. 7147 IN NS ams.sns-pb.isc.org.
isc.org. 7147 IN NS sfba.sns-pb.isc.org.
isc.org. 7 IN A 149.20.64.69
isc.org. 7147 IN MX 10 mx.pao1.isc.org.
isc.org. 7147 IN TXT "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
isc.org. 7147 IN TXT "$Id: isc.org,v 1.1835 2013-07-24 00:15:22 dmahoney Exp $"
isc.org. 7 IN AAAA 2001:4f8:0:2::69
isc.org. 7147 IN NAPTR 20 0 "S" "SIP+D2U" "" _sip._udp.isc.org.
isc.org. 3547 IN NSEC _adsp._domainkey.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF
isc.org. 7147 IN DNSKEY 256 3 5 BQEAAAABwuHz9Cem0BJ0JQTO7C/a3McR6hMaufljs1dfG/inaJpYv7vH XTrAOm/MeKp+/x6eT4QLru0KoZkvZJnqTI8JyaFTw2OM/ItBfh/hL2lm Cft2O7n3MfeqYtvjPnY7dWghYW4sVfH7VVEGm958o9nfi79532Qeklxh x8pXWdeAaRU=
7147 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz
Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd
isc.org. 7147 IN SPF "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
7147 IN RRSIG SPF 5 2 7200 20130828233259 20130729233259 50012 isc.org. XDoOYzkTHEV1W1V4TT50SsqXn4cxNhPvEuz3iFjq/oskLY9UOaK4GYDO GqHAjwNT0B6pUakKTQ3GvBjUBufPcEauCOl7L7kb8/cC6zYifUCoW0pS moiQxmyqfrPDTzyVA894myUONGgMmB6QW68HGPVvc6HzGWx9bOmjvFyX uOs=
7147 IN RRSIG DNSKEY 5 2 7200 20130828230128 20130729230128 12892 isc.org. COfF8fU6a8TBUG97SI/X+u2eKv7/mw+ixD3IWBnr3d3cWZmzF1sV8bWT YbuJebwnJMgN5OfB9PLsN+4QT617OjBe1dUF2M9jZeBiWsSsvvrdHnHM P8KwX6eayByDUoFsYe9VAH6C94XmOVXTQ7h7Cr0ytaVSXUytqFZV+DGn
v3kqSi50V3YkFNPAJDqqs0treWjwV/SPlqWVqEAoU/KMZMtYpCEMbHVP 8nbRP3jj/10WLccPtjHhiw4Ka9Sk4o+b7BMYCgXGXlhaap21SUqkytHt 8RJdVxxd5Cj7Bi+O4LXODlS4bAZEDG7UoHR27MzXtvMZogsNyyNUKHSs FtUvBg==
7147 IN RRSIG DNSKEY 5 2 7200 20130828230128 20130729230128 50012 isc.org. Mbr/QqJPoIuf3K5jCuABUIG0/zSHQ8iWZpqvHx7olVBEmTxhi3/vW+IE DW6VCE1EpZclSIlMMRZUnbBnVSpe0rZ13BxoLlRQqvsbC3jD15Se41WB DscD0S63C0GLqI9IhSyVugtlpqhA3CaluSqtABHbAktPP05Rm00tST2Y A5Q=
3547 IN RRSIG NSEC 5 2 3600 20130828233259 20130729233259 50012 isc.org. V7G42xY7TY9wF1vsBlRFuJ2ror/QjftLoRrDCMfqFW6kb5ZswjKt5zho 4o2sIrylTqad68O+lMxrDcg+7c2D8Hdh84SC0DEkjunBXkGBtLtaJvO5 zMn+d/OgUY5O7wtkerybJwZeiHcFxIkMRIcvsPKJYZWKCdaaCWibne7c w1s=
7147 IN RRSIG NAPTR 5 2 7200 20130828233259 20130729233259 50012 isc.org. gWDvD0KACaYgsCgtRS4iKkHBBidfJfqS4drUf4kuPX2Etl9fj1YrqOQK QFB5kBrzJLKh1IF4YpV+KYVUF82l3AtpsohpUH5Uyc3yD3r1CUDVyVvc T9qUrIuRpZLInD2kBLmDaG76MRz4Fz+NAkdXmwxZJhgTrfMLy+Uw/Ktk H7w=
7 IN RRSIG AAAA 5 2 60 20130828233259 20130729233259 50012 isc.org. dfzIo0VGT0MptTaPoua3tFwDxSpeuOg127QedlqLGTxKGN1ppV/bd6R0 WktMagZY9rSqmjfXNPlF3Q+7YeTpMssQhHqjE/tDoj9q9r8RXuBLJ1+a VRq3+xMbxb5EXAyQVZw24LIuloqNprXePRUGCXNINSWd7VZEIDNqhu9C g7U=
7147 IN RRSIG TXT 5 2 7200 20130828233259 20130729233259 50012 isc.org. WtB3SYzcOKpNbOtBlnmtsI0DCbDB4Kiv/HBY24PTZyWF/3tI8l+wZ+/p MfJ/SblbAzT67DO5RfxlOhr8UlRKVa70oqinQp5+rqiS67lv1hGO6ArO k+J0jLTis9Uz32653dgAxlgjEdWDKAg4F12TaHirAXxyI8fos5WNl/h4 GLo=
7147 IN RRSIG MX 5 2 7200 20130828233259 20130729233259 50012 isc.org. BSXC42oV6MCF0dX2icyxnvyijhy569BJCoanm5VrIIuiNeTeo261FQJx 7ofFCWa4fKOoa+EZ0qloNPfDiczStr8MmK8Lznu6+8IRfdmcG/kURuSi JdvDa0swxjmCm9aYu2nhoyHs+jqbJ+9+fneI0iDUX1fiM+9G2K9BjLru NxU=
7 IN RRSIG A 5 2 60 20130828233259 20130729233259 50012 isc.org. Gmb8tt8d7kxx4HsA8L6IdFYGGSJCA8PTWexUP3CBLna39e4a6gVzjoNd dEI7B5mySAujZBEXNx3dSagpjiTJYfMML8AY0uO0tgyjqaTyzwPPV5lW xQKVC092BPJx9IeKw+DC57f3m9LOaHJlMIh7wYFn8jxqeg1lSwJN0e35 Qvc=
7147 IN RRSIG NS 5 2 7200 20130828233259 20130729233259 50012 isc.org. RBvXLeTH0726iKvElmBZYUE+AWG3s2YRxKxuCnrhg7o9qIQGKXvEXrb3 wJeC/74KY2FW+RRz4F0QxODnPm+frpWIPbCpRf0SUFDQ82opQDwAb2CM 0D9N95y1t9hYfSeHEsEEk2yWgLymd9/S24XCmwuVVZ7ZeYQmVEVkF7Jt V3A=
7147 IN RRSIG SOA 5 2 7200 20130828233259 20130729233259 50012 isc.org. iiDnH6tvmap0h2cdULI8Ihme+zbtQ2+D3ycKRqBc9TRfA0poNaaZ97aF 15EIKyIpjiVybkP2DNLm5nkpNsgA+Ur+YQ6pr0hZKzbDkBllBIW4C0LV DsjzPX3qLPH4G3x/20M+TeGe4uzPB5ImPuw0VxB8g8ZP5znvdiZG6qen jas=
;; AUTHORITY SECTION:
isc.org. 7147 IN NS ns.isc.afilias-nst.info.
isc.org. 7147 IN NS ord.sns-pb.isc.org.
isc.org. 7147 IN NS ams.sns-pb.isc.org.
isc.org. 7147 IN NS sfba.sns-pb.isc.org.
;; ADDITIONAL SECTION:
ns.isc.afilias-nst.info. 56648 IN A 199.254.63.254
ns.isc.afilias-nst.info. 56652 IN AAAA 2001:500:2c::254
ord.sns-pb.isc.org. 31018 IN AAAA 2001:500:71::30
ord.sns-pb.isc.org. 31018 IN A 199.6.0.30
ams.sns-pb.isc.org. 31018 IN AAAA 2001:500:60::30
ams.sns-pb.isc.org. 31018 IN A 199.6.1.30
sfba.sns-pb.isc.org. 31018 IN AAAA 2001:4f8:0:2::19
sfba.sns-pb.isc.org. 31018 IN A 149.20.64.3
mx.pao1.isc.org. 3547 IN AAAA 2001:4f8:0:2::2b
mx.pao1.isc.org. 3547 IN A 149.20.64.53
_sip._udp.isc.org. 7147 IN SRV 0 1 5060 asterisk.isc.org.
(3,363-byte response)
Hundreds of millions of packets per second
Let’s talk about the scale
(diagram: upstream, congestion is a capacity game; tiers at 10M pps, 6M pps, 1.2M pps and 0.1M pps)
(diagram, next step: upstream congestion addressed with more ports, null routes and topology, matching on IP; same tiers at 10M pps, 6M pps, 1.2M pps and 0.1M pps)
Topology: Anycast
Traditional traffic routing (diagram)
Routing with anycast reverse proxy (diagram)
Anycast CDN
(diagram: visitor, ISP DNS server, CloudFlare Amsterdam / Frankfurt / London)
How does it work?
● DNS query to the anycast DNS address
● DNS result returned with “Anycast” IP
● Client makes connection to closest server
● CloudFlare replies, session established
What happens in the event of an outage?
● Traffic re-routes to next closest DC
o TCP session resets at this point
Anycast CDN – equally IPv4 and IPv6
Anycast prefixes
● Same IP prefixes (IPv4 & IPv6) advertised in each of the 30+ sites around the world (and growing)
● Unicast (from separate site-specific prefixes) used to pull traffic from “origin” web source
Traffic Control
● Eyeball ISPs (should) route to closest node, resulting in a very low latency to our services from everywhere in the world
● If ISP A routes to CloudFlare in Germany then traffic will be served from Frankfurt or Düsseldorf
● If ISP B routes to CloudFlare in Texas then traffic will be served from Dallas
This results in a reasonable distribution of attack traffic between our sites
● Easier to mitigate 10 sites each receiving a ~50Gbit DDoS than 1 site receiving a 500Gbit DDoS
Peering vs Transit
Far more difficult to mitigate a DDoS coming in on an IX than a DDoS coming in via a transit provider.
● Can negotiate with transit provider for features such as RTBH, NOC implementing firewall filters for you, etc
● Peering exchanges generally don’t have these features.
Peering exchanges are also surprisingly expensive to scale up for DDoS. Generally it will be more expensive to order more 10Gbit ports at an IX vs additional handovers to a transit provider.
Often end up de-peering a network sourcing large amounts of attack traffic to force them onto a transit provider where you have more control.
This seems broken - surely there is a better way to ingest this traffic?
Mitigation - in the network
Regional enforcement
Under certain circumstances, it makes sense to enforce regionally
● Seeing 300Gbit of traffic targeted at AMS, LHR, FRA, CDG for a website with 99% of legitimate traffic being served into HKG and SIN
o Can implement strict flowspec enforcement in the targeted sites, while no enforcement is needed in the sites where the traffic is legitimately served.
o Take advantage of any opportunity presented
Regional null routing can also be worthwhile at times
● Want to move the site to new IPs and move on.
o Null route in only the regions that are being targeted.
Have your transit provider configure firewall filters in their network to filter certain packet types / lengths / src-IPs / dst-IPs / etc upstream in one region only, to help filter malicious traffic.
Null route and move on
When an attacker targets a website or a service, while they may want to take this website/service down, they target the IP address in order to do this.
First order of business can be to update the DNS A/AAAA record and move on.
If the attacker follows, keep doing this.
Easy to automate, requires an attacker to continually change the attack to follow.
Depends on rDNS service operators honouring our TTLs
Dealing with attacks on infrastructure IPs
Relatively easy to mitigate attacks on Anycast IP space.
● Multiple hundred gig attack on an anycast IP
o Distributed over 28 sites
o Multiple tens of gigs per site
Vs:
● Multiple hundred gig attack on an IP specific to a single router, link or DC
o Very hard to mitigate
o Multiple hundred gig attack traffic > 100Gbit link
How do we prevent this from happening?
What can we do about it? What gain do you get from exposing this?
Attacks on Infrastructure - obfuscation of IPs
Traceroutes that show you the full path are nice… but… at what expense?
● Reveals a lot of the IP addressing information of your infrastructure to the entire internet
o Becomes easy to figure out what to attack.
o Makes every linknet, loopback, and infrastructure IP a target
Worth at least considering obscuring some of your infrastructure
● Stop responding to ICMP and UDP TTL expired
● Avoid ICMP-Packet-Too-Big in IPv6
o Killing this can cause serious problems.
Attacks on Infrastructure - kill routability to IPs
Can take the next step and kill reachability entirely.
Make your linknet IPs non-routable:
● Take all your linknet IPs from a /24 that is not advertised on the internet
● Use RFC1918 space
● Blackhole all your linknets
o Don’t forget to blackhole the provider side also!
This can make debugging significantly harder!
A lot of work will need to be done in the pre-sales stage with transit providers to ensure that one of these options is possible.
Peering exchanges should not be reachable on the internet anyway
scale: router
(diagram: upstream congestion addressed with more ports, null routes and topology, matching on IP; router tier at 10M pps with flowspec and ECMP, matching on ip, proto, length; remaining tiers at 6M pps, 1.2M pps and 0.1M pps)
Topology: spread it out with ECMP
(diagram: server chosen by hash(proto, src ip, src port, dst ip, dst port) % 2)
ECMP to distribute traffic between servers
Allows us to ensure no one server bears the entire brunt (for traffic coming into a given site) of the attack load aimed at a single IP. 16 servers can more easily mitigate an attack than 1.
All our servers speak BGP to our routing infrastructure, so this is not particularly difficult to implement.
By default, ECMP hashes will be re-calculated every time there is a next-hop change.
● Causes flows to shift between servers
o TCP sessions reset
● Can solve this with consistent ECMP hashing
o Available in Junos from 13.3R3 for any trio based chipset
o Only works for up to 1k unicast prefixes, so struggles to scale
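To make that churn concrete, here is an added simulation (not code from the talk or from CloudFlare) that compares default modulo ECMP bucketing with a consistent-hash ring when one of 16 servers drops out of the next-hop set. The server names, the 5-tuple hash function and the sample flows are constructed for the example.

```python
import bisect
import hashlib
import random

# Added example, not code from the talk or from CloudFlare: how many flows
# move servers when one of 16 ECMP next hops disappears, with the default
# modulo bucketing versus a consistent-hash ring.


def flow_hash(proto, src_ip, src_port, dst_ip, dst_port):
    """Hash of the 5-tuple the talk names: (proto, src ip, src port, dst ip, dst port)."""
    key = f"{proto}|{src_ip}|{src_port}|{dst_ip}|{dst_port}".encode()
    return int.from_bytes(hashlib.sha1(key).digest()[:8], "big")


def modulo_pick(h, servers):
    """Default ECMP: bucket = hash % number of next hops, so every bucket is
    recomputed whenever the next-hop set changes."""
    return servers[h % len(servers)]


class ConsistentRing:
    """Consistent hashing: every server owns `vnodes` points on a ring and a flow
    goes to the first point at or after its hash. Removing a server leaves all
    other points where they are, so only that server's flows move."""

    def __init__(self, servers, vnodes=128):
        points = sorted(
            (int.from_bytes(hashlib.sha1(f"{s}#{v}".encode()).digest()[:8], "big"), s)
            for s in servers for v in range(vnodes))
        self.keys = [p for p, _ in points]
        self.owners = [s for _, s in points]

    def pick(self, h):
        return self.owners[bisect.bisect_right(self.keys, h) % len(self.keys)]


def random_flows(n, seed=1):
    """Constructed sample traffic: n random TCP flows towards one anycast /32."""
    rng = random.Random(seed)
    return [(6, f"198.51.100.{rng.randrange(256)}", rng.randrange(1024, 65536),
             "203.0.113.10", 443) for _ in range(n)]


def reassignment(flows, servers, removed, strategy):
    """Return (moved, collateral): flows that change server when `removed`
    drops out, and how many of those were not on the removed server at all,
    i.e. TCP sessions reset for no reason."""
    survivors = [s for s in servers if s != removed]
    if strategy == "modulo":
        before = lambda h: modulo_pick(h, servers)
        after = lambda h: modulo_pick(h, survivors)
    else:
        before, after = ConsistentRing(servers).pick, ConsistentRing(survivors).pick
    moved = collateral = 0
    for f in flows:
        h = flow_hash(*f)
        old, new = before(h), after(h)
        if old != new:
            moved += 1
            if old != removed:
                collateral += 1
    return moved, collateral


if __name__ == "__main__":
    servers = [f"srv{i}" for i in range(16)]
    flows = random_flows(4000)
    for strategy in ("modulo", "consistent"):
        moved, collateral = reassignment(flows, servers, "srv15", strategy)
        print(f"{strategy:10s}: {moved / len(flows):6.1%} of flows moved, "
              f"{collateral} of them from servers that stayed up")
```

With 16 next hops the modulo scheme moves roughly 15 out of 16 flows, almost all of them from servers that never went away, while the ring moves only the flows of the missing server.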
Where do the attacks come from?
Compromised (or not?) farms of servers from large hosting companies: 80%
These servers are well connected (1Gbps or 10Gbps), with no upload limitations, low latency, and not very well monitored. They’re the perfect tool for DDoS generation.
Detection
How do we even work out what to mitigate?
Detection - how do we do it?
If I asked you to tell me what was DDoSing you, without expensive vendor hardware, how would you do it?
● tcpdump(1)?
● Some other packet sniffer
Servers are under load during attacks (CPU, RAM, etc), despite great scale.
tcpdump attempts to find a large block of contiguous free RAM, then times out if this is not possible, often leaving it useless until the attack is over.
It is also very resource intensive to start sniffing all traffic on a server.
Detection - how do we do it?
So how do we do this?
● Taking the burden of detection away from the device being attacked can be very helpful
o Export NetFlow records from the edge routers
o Export sFlow from the switches in our datacenters
o Automating this process has helped considerably
● Reading data from the application
o NGINX logs tell you a lot that is useful.
● Sometimes calming the attack down to a manageable level with blunt rules (rate-limit all traffic from these 5x /16s to this single /32) can help to be able to then do deeper inspection and fine-tune the rules we implement to mitigate
Manual attack handling
(diagram: the switches export sFlow to an sFlow aggregation host; the operator reads the analytics and pushes iptables rules to the servers from the command line through iptables management)
Automatic attack handling
(diagram: the same pipeline, but Gatebot consumes the sFlow analytics and pushes iptables rules to the servers automatically through the API and iptables management)
Drop!
Packet characteristics
• Packet length
• Payload
• Goal: limit false positives
Spoofed?
(source: DaPuglet)
Matching on payload in iptables
Payload matching with BPF
● BPF (Berkeley Packet Filter) tools
o High performance pattern matching driven filtering
o Allows us to filter out DNS attack traffic using far less CPU resource
iptables -A INPUT \
  --dst 1.2.3.4 \
  -p udp --dport 53 \
  -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" \
  -j DROP
BPF bytecode
ldx 4*([14]&0xf)
ld #34
add x
tax
lb_0:
ldb [x + 0]
add x
add #1
tax
ld [x + 0]
jneq #0x07657861, lb_1
ld [x + 4]
jneq #0x6d706c65, lb_1
ld [x + 8]
jneq #0x03636f6d, lb_1
ldb [x + 12]
jneq #0x00, lb_1
ret #1
lb_1:
ret #0
TCPDump expressions
• Originally: tcpdump -n "udp and port 53"
• xt_bpf implemented in 2013 by Willem de Bruijn
• Tcpdump expressions are limited - no variables
• Benefits in hand-crafting BPF
BPF Tools
• Open source:
• https://github.com/cloudflare/bpftools
• http://blog.cloudflare.com/introducing-the-bpf-tools
• Can match various DNS patterns:
• *.example.com
• --case-insensitive *.example.com
• --invalid-dns
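As an added example (not code from the talk or from bpftools), the following builds the classic BPF program behind the iptables rule above for example.com, prints it in the --bytecode format, extends it to the one-label wildcard of the assembly listing, and runs it against constructed DNS query packets. The packet layout helper, the sample names and the interpreter are assumptions made for the demo, not part of the page.

```python
import struct

# Added example, not code from the talk or from bpftools: build the classic BPF
# program that matches a DNS query name, emit it in iptables --bytecode form
# and run it over constructed packets. Opcode values are from linux/filter.h.
LD_W_IMM = 0x00   # A = k
LDX_MSH = 0xb1    # X = 4 * (P[k] & 0x0f), the IPv4 header length
ALU_ADD_X = 0x0c  # A += X
ALU_ADD_K = 0x04  # A += k
TAX = 0x07        # X = A
LD_W_IND = 0x40   # A = big-endian word at P[X + k]
LD_B_IND = 0x50   # A = byte at P[X + k]
JEQ_K = 0x15      # pc += jt if A == k else jf
RET_K = 0x06      # return k (non-zero = match, 0 = no match)


def encode_qname(name):
    """Wire-format DNS name: length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def dns_qname_program(name, skip_labels=0, l3_offset=0):
    """Program accepting packets whose first DNS question name is `name` preceded
    by `skip_labels` arbitrary labels (1 gives the talk's *.example.com). l3_offset
    is 0 for xt_bpf (packet starts at the IPv4 header), 14 behind an Ethernet header."""
    wire = encode_qname(name)
    insns = [
        (LD_W_IMM, 0, 0, l3_offset + 8 + 12),  # A = UDP header + DNS header
        (LDX_MSH, 0, 0, l3_offset),            # X = IPv4 header length
        (ALU_ADD_X, 0, 0, 0),                  # A = offset of the question name
        (TAX, 0, 0, 0),                        # X = that offset
    ]
    for _ in range(skip_labels):               # hop over one label: X += len + 1
        insns += [(LD_B_IND, 0, 0, 0), (ALU_ADD_X, 0, 0, 0),
                  (ALU_ADD_K, 0, 0, 1), (TAX, 0, 0, 0)]
    compares = []                              # (opcode, offset, expected value)
    for off in range(0, len(wire), 4):
        chunk = wire[off:off + 4]
        if len(chunk) == 4:
            compares.append((LD_W_IND, off, struct.unpack(">I", chunk)[0]))
        else:                                  # tail bytes compared one by one
            compares += [(LD_B_IND, off + i, b) for i, b in enumerate(chunk)]
    n = len(compares)
    for i, (op, off, value) in enumerate(compares):
        insns.append((op, 0, 0, off))
        # on mismatch jump past the remaining compares and the "ret #1"
        insns.append((JEQ_K, 0, 2 * (n - 1 - i) + 1, value))
    insns += [(RET_K, 0, 0, 1), (RET_K, 0, 0, 0)]
    return insns


def to_iptables_bytecode(insns):
    """Format as "<count>,<code jt jf k>,..." for iptables -m bpf --bytecode."""
    return ",".join([str(len(insns))] + ["%d %d %d %d" % i for i in insns])


def run_bpf(insns, pkt):
    """Interpreter for the opcodes above; like the kernel it returns 0 (no match)
    when a load would read past the end of the packet."""
    a = x = pc = 0
    while True:
        op, jt, jf, k = insns[pc]
        pc += 1
        if op == LD_W_IMM:
            a = k
        elif op == LDX_MSH:
            if k >= len(pkt):
                return 0
            x = 4 * (pkt[k] & 0x0f)
        elif op == ALU_ADD_X:
            a = (a + x) & 0xffffffff
        elif op == ALU_ADD_K:
            a = (a + k) & 0xffffffff
        elif op == TAX:
            x = a
        elif op == LD_W_IND:
            if x + k + 4 > len(pkt):
                return 0
            a = struct.unpack(">I", pkt[x + k:x + k + 4])[0]
        elif op == LD_B_IND:
            if x + k >= len(pkt):
                return 0
            a = pkt[x + k]
        elif op == JEQ_K:
            pc += jt if a == k else jf
        elif op == RET_K:
            return k
        else:
            raise ValueError("unsupported opcode 0x%02x" % op)


def dns_query_packet(qname, ip_options=b""):
    """Constructed IPv4/UDP A query as xt_bpf sees it (no Ethernet header);
    checksums stay zero because the filter never reads them."""
    question = encode_qname(qname) + struct.pack(">HH", 1, 1)  # QTYPE A, IN
    dns = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question
    udp = struct.pack(">HHHH", 40000, 53, 8 + len(dns), 0)
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack(">BBHHHBBH4s4s", 0x40 | ihl, 0, 4 * ihl + len(udp), 0, 0,
                     64, 17, 0, bytes([192, 0, 2, 1]), bytes([1, 2, 3, 4]))
    return ip + ip_options + udp + dns
```

`to_iptables_bytecode(dns_qname_program("example.com"))` reproduces the 14-instruction string from the rule above byte for byte; because the program walks the IPv4 header length register rather than assuming a 20-byte header, it keeps matching when IP options are present, and a truncated packet is rejected instead of being read out of bounds.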
Hashlimits
Enforce “no more than X connection attempts per minute for this hash”, otherwise blacklist
Hash is made up from whatever criterion you want, but for our purposes a combo of src + dest IPs
Fairly effective method of easily detecting “ddos-like” traffic.
Trick is preventing false detections.
● Customer with many millions of users released an application update causing the application to regularly perform JSON queries against their application.
● Users behind a CG-NAT appeared as if they were coming from a single IP.
● Triggered enforcement on non-malicious traffic.
DDoS Mitigation: a matter of scale
layer        rate         tool                           matches on
upstream     congestion   more ports, null, topology     ip
router       10M pps      flowspec                       ip, proto, length
kernel       2M pps       iptables                       full payload
DNS server   0.3M pps     selective drops, just handle   full payload
Payload matching close to NIC
Solarflare cards and OpenOnload
In our latest generation of server hardware we:
● Made the move to 2x10Gbit per server (from 6x1Gbit LAGs)
● Did this with NICs from Solarflare.
SolarFlare NICs have very cool abilities to pre-process traffic on-board before handing it to the CPU (OpenOnload).
Can identify certain types of traffic and assign it to cores based on rules pushed to the cards.
Can handle certain requests in userspace without creating CPU interrupts.
Cloudflare have been helping SolarFlare develop this functionality for their cards.
http://blog.cloudflare.com/a-tour-inside-cloudflares-latest-generation-servers/
IPTables BPF offload
DDoS Mitigation: a matter of scale
layer          rate         tool                           matches on
upstream       congestion   more ports, null, topology     ip
router         10M pps      flowspec                       ip, proto, length
network card   6M pps       floodgate                      full payload
kernel         1.2M pps     iptables                       full payload
DNS server     0.3M pps     selective drops, just handle   full payload
Connections from a botnet (L7)
Real TCP/IP connections
Small volume
Symptoms
• Concurrent connection count going up
• Many sockets in "orphaned" state
• "Time waits" socket state indicates churn
IP reputation
(source: the internet)
Reputation in iptables
• Contract connlimit
• Hash limits
• Rate limit SYN packets per IP
• IPSet
• Manual blacklisting - feed IP blacklist from HTTP server logs
• Supports subnets, timeouts
Conclusions
• If you have sensitive content and/or customers, you WILL be DDoSed
• DDoS attacks are not an inevitability you simply have to accept
• Mitigating them requires investment in hardware, bandwidth, and most importantly, people.
Questions?
Jérôme Fleury, Network Engineering
jf@cloudflare.com
http://www.cloudflare.com/
AS13335
Thank you!
 
"How overlay networks can make public clouds your global WAN" by Ryan Koop o...
 "How overlay networks can make public clouds your global WAN" by Ryan Koop o... "How overlay networks can make public clouds your global WAN" by Ryan Koop o...
"How overlay networks can make public clouds your global WAN" by Ryan Koop o...
 
Combating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in AsiaCombating DDoS and why peering is important in Asia
Combating DDoS and why peering is important in Asia
 
Von Null auf Hundert mit Microservices
Von Null auf Hundert mit Microservices Von Null auf Hundert mit Microservices
Von Null auf Hundert mit Microservices
 
DDos, Peering, Automation and more
DDos, Peering, Automation and moreDDos, Peering, Automation and more
DDos, Peering, Automation and more
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization
 
"How overlay networks can make public clouds your global WAN" from LASCON 2013
"How overlay networks can make public clouds your global WAN" from LASCON 2013"How overlay networks can make public clouds your global WAN" from LASCON 2013
"How overlay networks can make public clouds your global WAN" from LASCON 2013
 
Engineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the CloudEngineering Challenges Doing Intrusion Detection in the Cloud
Engineering Challenges Doing Intrusion Detection in the Cloud
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
 
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and Mitigation
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Connect Everything with NATS - Cloud Expo Europe
Connect Everything with NATS - Cloud Expo EuropeConnect Everything with NATS - Cloud Expo Europe
Connect Everything with NATS - Cloud Expo Europe
 
Chicago Docker Meetup Presentation - Mediafly
Chicago Docker Meetup Presentation - MediaflyChicago Docker Meetup Presentation - Mediafly
Chicago Docker Meetup Presentation - Mediafly
 
65% Performance Gains at Cryptocurrency Platform CoinGecko: An Argo Smart Rou...
65% Performance Gains at Cryptocurrency Platform CoinGecko: An Argo Smart Rou...65% Performance Gains at Cryptocurrency Platform CoinGecko: An Argo Smart Rou...
65% Performance Gains at Cryptocurrency Platform CoinGecko: An Argo Smart Rou...
 
Nagios intro
Nagios intro Nagios intro
Nagios intro
 
Final ProjectFinal Project Details Description Given a spec.docx
Final ProjectFinal Project Details Description  Given a spec.docxFinal ProjectFinal Project Details Description  Given a spec.docx
Final ProjectFinal Project Details Description Given a spec.docx
 
Scaling service provider business with DDoS-mitigation-as-a-service
Scaling service provider business with DDoS-mitigation-as-a-serviceScaling service provider business with DDoS-mitigation-as-a-service
Scaling service provider business with DDoS-mitigation-as-a-service
 

Plus de NetSecure Day

#NSD16 - rex-audit coté startup - Youen Chéné
#NSD16 - rex-audit coté startup - Youen Chéné#NSD16 - rex-audit coté startup - Youen Chéné
#NSD16 - rex-audit coté startup - Youen ChénéNetSecure Day
 
#NSD16 - Comment assurer la scalabilité et la sécurité des api - Vincent Casse
#NSD16 - Comment assurer la scalabilité et la sécurité des api - Vincent Casse#NSD16 - Comment assurer la scalabilité et la sécurité des api - Vincent Casse
#NSD16 - Comment assurer la scalabilité et la sécurité des api - Vincent CasseNetSecure Day
 
#NSD16 - le test d’intrusion red team : digne successeur de l’audit de sécuri...
#NSD16 - le test d’intrusion red team : digne successeur de l’audit de sécuri...#NSD16 - le test d’intrusion red team : digne successeur de l’audit de sécuri...
#NSD16 - le test d’intrusion red team : digne successeur de l’audit de sécuri...NetSecure Day
 
#NSD16 - cybersecurite - comment se protéger d’un point de vue légal & assura...
#NSD16 - cybersecurite - comment se protéger d’un point de vue légal & assura...#NSD16 - cybersecurite - comment se protéger d’un point de vue légal & assura...
#NSD16 - cybersecurite - comment se protéger d’un point de vue légal & assura...NetSecure Day
 
#NSD16 - certicate transparency : des journaux publics en ajout seul pour séc...
#NSD16 - certicate transparency : des journaux publics en ajout seul pour séc...#NSD16 - certicate transparency : des journaux publics en ajout seul pour séc...
#NSD16 - certicate transparency : des journaux publics en ajout seul pour séc...NetSecure Day
 
#NSD16 - bug bounty as a service - Manuel Dorne (alias Korben)
#NSD16 - bug bounty as a service - Manuel Dorne (alias Korben)#NSD16 - bug bounty as a service - Manuel Dorne (alias Korben)
#NSD16 - bug bounty as a service - Manuel Dorne (alias Korben)NetSecure Day
 
#NSD16 - btle juice, un framework d’interception pour le bluetooth low energy...
#NSD16 - btle juice, un framework d’interception pour le bluetooth low energy...#NSD16 - btle juice, un framework d’interception pour le bluetooth low energy...
#NSD16 - btle juice, un framework d’interception pour le bluetooth low energy...NetSecure Day
 
#NSD16 - vos informations ont de la valeur prenez-en soin - Florence Feniou
#NSD16 - vos informations ont de la valeur  prenez-en soin - Florence Feniou#NSD16 - vos informations ont de la valeur  prenez-en soin - Florence Feniou
#NSD16 - vos informations ont de la valeur prenez-en soin - Florence FeniouNetSecure Day
 
#NSD16 - le suivi des bonnes pratiques tls dans l’écosystème https - Maxence ...
#NSD16 - le suivi des bonnes pratiques tls dans l’écosystème https - Maxence ...#NSD16 - le suivi des bonnes pratiques tls dans l’écosystème https - Maxence ...
#NSD16 - le suivi des bonnes pratiques tls dans l’écosystème https - Maxence ...NetSecure Day
 
#NSD16 - Et si on parlait d'authentification forte - Nicolas Glondu
#NSD16 - Et si on parlait d'authentification forte - Nicolas Glondu#NSD16 - Et si on parlait d'authentification forte - Nicolas Glondu
#NSD16 - Et si on parlait d'authentification forte - Nicolas GlonduNetSecure Day
 
#NSD15 - Threat intelligence et Deep/Dark web
#NSD15 - Threat intelligence et Deep/Dark web#NSD15 - Threat intelligence et Deep/Dark web
#NSD15 - Threat intelligence et Deep/Dark webNetSecure Day
 
#NSD15 - Intelligence juridique & systèmes d'informations
#NSD15 - Intelligence juridique & systèmes d'informations#NSD15 - Intelligence juridique & systèmes d'informations
#NSD15 - Intelligence juridique & systèmes d'informationsNetSecure Day
 
#NSD15 - Sécurité des plateformes voix
#NSD15 - Sécurité des plateformes voix#NSD15 - Sécurité des plateformes voix
#NSD15 - Sécurité des plateformes voixNetSecure Day
 
#NSD15 - Interactions entre sécurité physique et sécurité logique avec une do...
#NSD15 - Interactions entre sécurité physique et sécurité logique avec une do...#NSD15 - Interactions entre sécurité physique et sécurité logique avec une do...
#NSD15 - Interactions entre sécurité physique et sécurité logique avec une do...NetSecure Day
 
#NSD15 - Les défis de l'expert judiciaire
#NSD15 - Les défis de l'expert judiciaire#NSD15 - Les défis de l'expert judiciaire
#NSD15 - Les défis de l'expert judiciaireNetSecure Day
 
#NSD15 - Partage sécurisé en P2P entre cloud personnels
#NSD15 - Partage sécurisé en P2P entre cloud personnels#NSD15 - Partage sécurisé en P2P entre cloud personnels
#NSD15 - Partage sécurisé en P2P entre cloud personnelsNetSecure Day
 
#NSD15 - Sécurité : Sons & Lumières
#NSD15 - Sécurité : Sons & Lumières#NSD15 - Sécurité : Sons & Lumières
#NSD15 - Sécurité : Sons & LumièresNetSecure Day
 
#NSD14 - La sécurité et l'Internet des objets
#NSD14 - La sécurité et l'Internet des objets#NSD14 - La sécurité et l'Internet des objets
#NSD14 - La sécurité et l'Internet des objetsNetSecure Day
 
#NSD14 - Sécuriser l'infrastructure réseau des datacenters
#NSD14 - Sécuriser l'infrastructure réseau des datacenters#NSD14 - Sécuriser l'infrastructure réseau des datacenters
#NSD14 - Sécuriser l'infrastructure réseau des datacentersNetSecure Day
 
#NSD14 - Protection contre l'espionnage des données
#NSD14 - Protection contre l'espionnage des données#NSD14 - Protection contre l'espionnage des données
#NSD14 - Protection contre l'espionnage des donnéesNetSecure Day
 

Plus de NetSecure Day (20)

#NSD16 - rex-audit coté startup - Youen Chéné
#NSD16 - rex-audit coté startup - Youen Chéné#NSD16 - rex-audit coté startup - Youen Chéné
#NSD16 - rex-audit coté startup - Youen Chéné
 
#NSD16 - Comment assurer la scalabilité et la sécurité des api - Vincent Casse
#NSD16 - Comment assurer la scalabilité et la sécurité des api - Vincent Casse#NSD16 - Comment assurer la scalabilité et la sécurité des api - Vincent Casse
#NSD16 - Comment assurer la scalabilité et la sécurité des api - Vincent Casse
 
#NSD16 - le test d’intrusion red team : digne successeur de l’audit de sécuri...
#NSD16 - le test d’intrusion red team : digne successeur de l’audit de sécuri...#NSD16 - le test d’intrusion red team : digne successeur de l’audit de sécuri...
#NSD16 - le test d’intrusion red team : digne successeur de l’audit de sécuri...
 
#NSD16 - cybersecurite - comment se protéger d’un point de vue légal & assura...
#NSD16 - cybersecurite - comment se protéger d’un point de vue légal & assura...#NSD16 - cybersecurite - comment se protéger d’un point de vue légal & assura...
#NSD16 - cybersecurite - comment se protéger d’un point de vue légal & assura...
 
#NSD16 - certicate transparency : des journaux publics en ajout seul pour séc...
#NSD16 - certicate transparency : des journaux publics en ajout seul pour séc...#NSD16 - certicate transparency : des journaux publics en ajout seul pour séc...
#NSD16 - certicate transparency : des journaux publics en ajout seul pour séc...
 
#NSD16 - bug bounty as a service - Manuel Dorne (alias Korben)
#NSD16 - bug bounty as a service - Manuel Dorne (alias Korben)#NSD16 - bug bounty as a service - Manuel Dorne (alias Korben)
#NSD16 - bug bounty as a service - Manuel Dorne (alias Korben)
 
#NSD16 - btle juice, un framework d’interception pour le bluetooth low energy...
#NSD16 - btle juice, un framework d’interception pour le bluetooth low energy...#NSD16 - btle juice, un framework d’interception pour le bluetooth low energy...
#NSD16 - btle juice, un framework d’interception pour le bluetooth low energy...
 
#NSD16 - vos informations ont de la valeur prenez-en soin - Florence Feniou
#NSD16 - vos informations ont de la valeur  prenez-en soin - Florence Feniou#NSD16 - vos informations ont de la valeur  prenez-en soin - Florence Feniou
#NSD16 - vos informations ont de la valeur prenez-en soin - Florence Feniou
 
#NSD16 - le suivi des bonnes pratiques tls dans l’écosystème https - Maxence ...
#NSD16 - le suivi des bonnes pratiques tls dans l’écosystème https - Maxence ...#NSD16 - le suivi des bonnes pratiques tls dans l’écosystème https - Maxence ...
#NSD16 - le suivi des bonnes pratiques tls dans l’écosystème https - Maxence ...
 
#NSD16 - Et si on parlait d'authentification forte - Nicolas Glondu
#NSD16 - Et si on parlait d'authentification forte - Nicolas Glondu#NSD16 - Et si on parlait d'authentification forte - Nicolas Glondu
#NSD16 - Et si on parlait d'authentification forte - Nicolas Glondu
 
#NSD15 - Threat intelligence et Deep/Dark web
#NSD15 - Threat intelligence et Deep/Dark web#NSD15 - Threat intelligence et Deep/Dark web
#NSD15 - Threat intelligence et Deep/Dark web
 
#NSD15 - Intelligence juridique & systèmes d'informations
#NSD15 - Intelligence juridique & systèmes d'informations#NSD15 - Intelligence juridique & systèmes d'informations
#NSD15 - Intelligence juridique & systèmes d'informations
 
#NSD15 - Sécurité des plateformes voix
#NSD15 - Sécurité des plateformes voix#NSD15 - Sécurité des plateformes voix
#NSD15 - Sécurité des plateformes voix
 
#NSD15 - Interactions entre sécurité physique et sécurité logique avec une do...
#NSD15 - Interactions entre sécurité physique et sécurité logique avec une do...#NSD15 - Interactions entre sécurité physique et sécurité logique avec une do...
#NSD15 - Interactions entre sécurité physique et sécurité logique avec une do...
 
#NSD15 - Les défis de l'expert judiciaire
#NSD15 - Les défis de l'expert judiciaire#NSD15 - Les défis de l'expert judiciaire
#NSD15 - Les défis de l'expert judiciaire
 
#NSD15 - Partage sécurisé en P2P entre cloud personnels
#NSD15 - Partage sécurisé en P2P entre cloud personnels#NSD15 - Partage sécurisé en P2P entre cloud personnels
#NSD15 - Partage sécurisé en P2P entre cloud personnels
 
#NSD15 - Sécurité : Sons & Lumières
#NSD15 - Sécurité : Sons & Lumières#NSD15 - Sécurité : Sons & Lumières
#NSD15 - Sécurité : Sons & Lumières
 
#NSD14 - La sécurité et l'Internet des objets
#NSD14 - La sécurité et l'Internet des objets#NSD14 - La sécurité et l'Internet des objets
#NSD14 - La sécurité et l'Internet des objets
 
#NSD14 - Sécuriser l'infrastructure réseau des datacenters
#NSD14 - Sécuriser l'infrastructure réseau des datacenters#NSD14 - Sécuriser l'infrastructure réseau des datacenters
#NSD14 - Sécuriser l'infrastructure réseau des datacenters
 
#NSD14 - Protection contre l'espionnage des données
#NSD14 - Protection contre l'espionnage des données#NSD14 - Protection contre l'espionnage des données
#NSD14 - Protection contre l'espionnage des données
 

Dernier

Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...itnewsafrica
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 

Dernier (20)

Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 

#NSD15 - Internet DDoS attacks and how to stop them

• 11. NetSecure Day 2015 - CloudFlare - Jérôme Fleury
DNSSEC and DNS attacks and open resolvers

A 64-byte query to an open resolver:

```text
$ dig ANY isc.org @63.21*.**.** +edns=0 +notcp +bufsize=4096

;; ANSWER SECTION:
isc.org. 7147 IN SOA ns-int.isc.org. hostmaster.isc.org. 2013073000 7200 3600 24796800 3600
isc.org. 7147 IN NS ns.isc.afilias-nst.info.
isc.org. 7147 IN NS ord.sns-pb.isc.org.
isc.org. 7147 IN NS ams.sns-pb.isc.org.
isc.org. 7147 IN NS sfba.sns-pb.isc.org.
isc.org. 7 IN A 149.20.64.69
isc.org. 7147 IN MX 10 mx.pao1.isc.org.
isc.org. 7147 IN TXT "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
isc.org. 7147 IN TXT "$Id: isc.org,v 1.1835 2013-07-24 00:15:22 dmahoney Exp $"
isc.org. 7 IN AAAA 2001:4f8:0:2::69
isc.org. 7147 IN NAPTR 20 0 "S" "SIP+D2U" "" _sip._udp.isc.org.
isc.org. 3547 IN NSEC _adsp._domainkey.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF
isc.org. 7147 IN DNSKEY 256 3 5 BQEAAAABwuHz9Cem0BJ0JQTO7C/a3McR6hMaufljs1dfG/inaJpYv7vH XTrAOm/MeKp+/x6eT4QLru0KoZkvZJnqTI8JyaFTw2OM/ItBfh/hL2lm Cft2O7n3MfeqYtvjPnY7dWghYW4sVfH7VVEGm958o9nfi79532Qeklxh x8pXWdeAaRU=
isc.org. 7147 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd
isc.org. 7147 IN SPF "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
isc.org. 7147 IN RRSIG SPF 5 2 7200 20130828233259 20130729233259 50012 isc.org. XDoOYzkTHEV1W1V4TT50SsqXn4cxNhPvEuz3iFjq/oskLY9UOaK4GYDO GqHAjwNT0B6pUakKTQ3GvBjUBufPcEauCOl7L7kb8/cC6zYifUCoW0pS moiQxmyqfrPDTzyVA894myUONGgMmB6QW68HGPVvc6HzGWx9bOmjvFyX uOs=
isc.org. 7147 IN RRSIG DNSKEY 5 2 7200 20130828230128 20130729230128 12892 isc.org. COfF8fU6a8TBUG97SI/X+u2eKv7/mw+ixD3IWBnr3d3cWZmzF1sV8bWT YbuJebwnJMgN5OfB9PLsN+4QT617OjBe1dUF2M9jZeBiWsSsvvrdHnHM P8KwX6eayByDUoFsYe9VAH6C94XmOVXTQ7h7Cr0ytaVSXUytqFZV+DGn v3kqSi50V3YkFNPAJDqqs0treWjwV/SPlqWVqEAoU/KMZMtYpCEMbHVP 8nbRP3jj/10WLccPtjHhiw4Ka9Sk4o+b7BMYCgXGXlhaap21SUqkytHt 8RJdVxxd5Cj7Bi+O4LXODlS4bAZEDG7UoHR27MzXtvMZogsNyyNUKHSs FtUvBg==
isc.org. 7147 IN RRSIG DNSKEY 5 2 7200 20130828230128 20130729230128 50012 isc.org. Mbr/QqJPoIuf3K5jCuABUIG0/zSHQ8iWZpqvHx7olVBEmTxhi3/vW+IE DW6VCE1EpZclSIlMMRZUnbBnVSpe0rZ13BxoLlRQqvsbC3jD15Se41WB DscD0S63C0GLqI9IhSyVugtlpqhA3CaluSqtABHbAktPP05Rm00tST2Y A5Q=
isc.org. 3547 IN RRSIG NSEC 5 2 3600 20130828233259 20130729233259 50012 isc.org. V7G42xY7TY9wF1vsBlRFuJ2ror/QjftLoRrDCMfqFW6kb5ZswjKt5zho 4o2sIrylTqad68O+lMxrDcg+7c2D8Hdh84SC0DEkjunBXkGBtLtaJvO5 zMn+d/OgUY5O7wtkerybJwZeiHcFxIkMRIcvsPKJYZWKCdaaCWibne7c w1s=
isc.org. 7147 IN RRSIG NAPTR 5 2 7200 20130828233259 20130729233259 50012 isc.org. gWDvD0KACaYgsCgtRS4iKkHBBidfJfqS4drUf4kuPX2Etl9fj1YrqOQK QFB5kBrzJLKh1IF4YpV+KYVUF82l3AtpsohpUH5Uyc3yD3r1CUDVyVvc T9qUrIuRpZLInD2kBLmDaG76MRz4Fz+NAkdXmwxZJhgTrfMLy+Uw/Ktk H7w=
isc.org. 7 IN RRSIG AAAA 5 2 60 20130828233259 20130729233259 50012 isc.org. dfzIo0VGT0MptTaPoua3tFwDxSpeuOg127QedlqLGTxKGN1ppV/bd6R0 WktMagZY9rSqmjfXNPlF3Q+7YeTpMssQhHqjE/tDoj9q9r8RXuBLJ1+a VRq3+xMbxb5EXAyQVZw24LIuloqNprXePRUGCXNINSWd7VZEIDNqhu9C g7U=
isc.org. 7147 IN RRSIG TXT 5 2 7200 20130828233259 20130729233259 50012 isc.org. WtB3SYzcOKpNbOtBlnmtsI0DCbDB4Kiv/HBY24PTZyWF/3tI8l+wZ+/p MfJ/SblbAzT67DO5RfxlOhr8UlRKVa70oqinQp5+rqiS67lv1hGO6ArO k+J0jLTis9Uz32653dgAxlgjEdWDKAg4F12TaHirAXxyI8fos5WNl/h4 GLo=
isc.org. 7147 IN RRSIG MX 5 2 7200 20130828233259 20130729233259 50012 isc.org. BSXC42oV6MCF0dX2icyxnvyijhy569BJCoanm5VrIIuiNeTeo261FQJx 7ofFCWa4fKOoa+EZ0qloNPfDiczStr8MmK8Lznu6+8IRfdmcG/kURuSi JdvDa0swxjmCm9aYu2nhoyHs+jqbJ+9+fneI0iDUX1fiM+9G2K9BjLru NxU=
isc.org. 7 IN RRSIG A 5 2 60 20130828233259 20130729233259 50012 isc.org. Gmb8tt8d7kxx4HsA8L6IdFYGGSJCA8PTWexUP3CBLna39e4a6gVzjoNd dEI7B5mySAujZBEXNx3dSagpjiTJYfMML8AY0uO0tgyjqaTyzwPPV5lW xQKVC092BPJx9IeKw+DC57f3m9LOaHJlMIh7wYFn8jxqeg1lSwJN0e35 Qvc=
isc.org. 7147 IN RRSIG NS 5 2 7200 20130828233259 20130729233259 50012 isc.org. RBvXLeTH0726iKvElmBZYUE+AWG3s2YRxKxuCnrhg7o9qIQGKXvEXrb3 wJeC/74KY2FW+RRz4F0QxODnPm+frpWIPbCpRf0SUFDQ82opQDwAb2CM 0D9N95y1t9hYfSeHEsEEk2yWgLymd9/S24XCmwuVVZ7ZeYQmVEVkF7Jt V3A=
isc.org. 7147 IN RRSIG SOA 5 2 7200 20130828233259 20130729233259 50012 isc.org. iiDnH6tvmap0h2cdULI8Ihme+zbtQ2+D3ycKRqBc9TRfA0poNaaZ97aF 15EIKyIpjiVybkP2DNLm5nkpNsgA+Ur+YQ6pr0hZKzbDkBllBIW4C0LV DsjzPX3qLPH4G3x/20M+TeGe4uzPB5ImPuw0VxB8g8ZP5znvdiZG6qen jas=

;; AUTHORITY SECTION:
isc.org. 7147 IN NS ns.isc.afilias-nst.info.
isc.org. 7147 IN NS ord.sns-pb.isc.org.
isc.org. 7147 IN NS ams.sns-pb.isc.org.
isc.org. 7147 IN NS sfba.sns-pb.isc.org.

;; ADDITIONAL SECTION:
ns.isc.afilias-nst.info. 56648 IN A 199.254.63.254
ns.isc.afilias-nst.info. 56652 IN AAAA 2001:500:2c::254
ord.sns-pb.isc.org. 31018 IN AAAA 2001:500:71::30
ord.sns-pb.isc.org. 31018 IN A 199.6.0.30
ams.sns-pb.isc.org. 31018 IN AAAA 2001:500:60::30
ams.sns-pb.isc.org. 31018 IN A 199.6.1.30
sfba.sns-pb.isc.org. 31018 IN AAAA 2001:4f8:0:2::19
sfba.sns-pb.isc.org. 31018 IN A 149.20.64.3
mx.pao1.isc.org. 3547 IN AAAA 2001:4f8:0:2::2b
mx.pao1.isc.org. 3547 IN A 149.20.64.53
_sip._udp.isc.org. 7147 IN SRV 0 1 5060 asterisk.isc.org.
```

3,363-byte response. A 64-byte query yields a 3,363-byte answer, about 52x amplification: the DNSSEC material (DNSKEY and RRSIG records) is what makes the ANY answer this large. Sent to an open resolver with the victim's address forged as the source, every such query lands 3.3 KB on the victim.
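The query above, built from scratch and classified, as an added example that is not part of the talk (Python, no network I/O). build_query() encodes the DNS wire format with an EDNS0 OPT record, wire_size() adds the IPv4 and UDP headers and reproduces the 64-byte figure on the slide, and classify_query() is the check a resolver or authoritative operator wants: flag QTYPE ANY queries that advertise a large UDP payload size, which is what an attacker sends with a spoofed source. The 3,363-byte response size is taken from the slide; the 1232-byte threshold, the transaction ID and all function names are assumptions.

```python
"""The query behind DNS amplification, built and classified.

Added example; not from the talk. Encodes an RFC 1035 header and
question plus an RFC 6891 EDNS0 OPT record, measures the datagram, and
flags the ANY + large-buffer pattern that should be rate limited or
answered with TC=1 to force the client onto TCP.
"""
import struct

QTYPE_A, QTYPE_ANY, TYPE_OPT = 1, 255, 41
IPV4_UDP_HEADERS = 20 + 8        # IPv4 header without options + UDP header
DEFAULT_UDP_PAYLOAD = 512        # maximum UDP answer without EDNS0 (RFC 1035)


def encode_name(name):
    """Length-prefixed labels with a terminating zero byte (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, udp_payload=None, txid=0x1234):
    """Header (RD set) + one question + optional EDNS0 OPT pseudo-record."""
    arcount = 1 if udp_payload else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS IN
    if udp_payload:
        # OPT RR: root owner name, TYPE 41, CLASS = advertised UDP payload size,
        # TTL = extended RCODE / version 0 / flags (all zero), RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    return msg


def wire_size(dns_msg):
    """Bytes on the wire for an IPv4/UDP datagram carrying dns_msg."""
    return IPV4_UDP_HEADERS + len(dns_msg)


def amplification_factor(query_wire_bytes, response_wire_bytes):
    return response_wire_bytes / query_wire_bytes


def decode_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def classify_query(msg, payload_threshold=1232):
    """Return (qname, qtype, advertised_udp_payload, suspicious).

    suspicious is True for ANY queries advertising more than
    payload_threshold bytes (threshold is an assumption): the cheapest
    way to turn a 64-byte packet into a kilobytes-long response.
    """
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    udp_payload = DEFAULT_UDP_PAYLOAD
    for _ in range(ar):
        if msg[off] != 0:
            break                                   # only the OPT pseudo-RR is handled
        rtype, rclass = struct.unpack("!HH", msg[off + 1:off + 5])
        rdlen = struct.unpack("!H", msg[off + 9:off + 11])[0]
        if rtype == TYPE_OPT:
            udp_payload = rclass
        off += 11 + rdlen
    suspicious = qtype == QTYPE_ANY and udp_payload > payload_threshold
    return qname, qtype, udp_payload, suspicious


if __name__ == "__main__":
    q = build_query("isc.org", QTYPE_ANY, udp_payload=4096)
    print("DNS payload %d bytes, %d bytes on the wire" % (len(q), wire_size(q)))
    print("amplification %.1fx" % amplification_factor(wire_size(q), 3363))
    print(classify_query(q))
```

The 64 bytes break down as 20 (IPv4) + 8 (UDP) + 12 (DNS header) + 13 (question for isc.org) + 11 (OPT record); dropping the OPT record caps the answer at 512 bytes, which is why the attacker always sends it.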
• 12. Hundreds of millions of packets per second
• 13. Let's talk about the scale
(Diagram: packet rates at successive layers, from upstream down: congestion, 10M pps, 6M pps, 1.2M pps, 0.1M pps)
• 14. upstream: capacity game
Layer      Capacity     Mitigation tool                    Matches on
upstream   congestion   more ports, null routes, topology  IP
(remaining layers, not yet labelled on this slide: 10M pps, 6M pps, 1.2M pps, 0.1M pps)
• 17. Routing with anycast reverse proxy
• 18. Anycast CDN
How does it work?
● DNS query goes to an anycast DNS address
● DNS result comes back with an "anycast" IP
● Client connects to the closest server
● CloudFlare replies, session established
What happens in the event of an outage?
● Traffic re-routes to the next closest DC
  o TCP sessions reset at this point
(Diagram: Visitor, ISP DNS server, CloudFlare Amsterdam, CloudFlare Frankfurt, CloudFlare London)
• 19. Anycast CDN: equally IPv4 and IPv6
Anycast prefixes
● The same IP prefixes (IPv4 and IPv6) are advertised from each of the 30+ sites around the world (and growing)
● Unicast (from separate site-specific prefixes) is used to pull traffic from the "origin" web server
Traffic control
● Eyeball ISPs (should) route to the closest node, giving very low latency to our services from everywhere in the world
● If ISP A routes to CloudFlare in Germany, traffic is served from Frankfurt or Düsseldorf
● If ISP B routes to CloudFlare in Texas, traffic is served from Dallas
This gives a reasonable distribution of attack traffic between our sites
● It is easier to mitigate 10 sites each receiving a ~50 Gbit/s DDoS than 1 site receiving 500 Gbit/s
• 20. Peering vs transit
It is far more difficult to mitigate a DDoS arriving over an IX than one arriving via a transit provider.
● With a transit provider you can negotiate features such as RTBH (remotely triggered blackholing), or have their NOC implement firewall filters for you
● Peering exchanges generally do not offer these features
Peering exchanges are also surprisingly expensive to scale up for DDoS: ordering more 10 Gbit ports at an IX generally costs more than additional handovers to a transit provider.
We often end up de-peering a network sourcing large amounts of attack traffic, to force it onto a transit path where we have more control.
This seems broken: surely there is a better way to ingest this traffic?
• 21. Mitigation: in the network
• 22. Regional enforcement
Under certain circumstances it makes sense to enforce regionally
● Example: 300 Gbit/s of traffic targeted at AMS, LHR, FRA and CDG for a website whose legitimate traffic is 99% served from HKG and SIN
  o Strict BGP flowspec enforcement can be applied in the targeted sites only, with no enforcement in the sites where the traffic is legitimately needed
  o Take advantage of any opportunity the attacker presents
Regional null routing can also be worthwhile at times
● Move the site to new IPs and move on
  o Null route the old IPs only in the regions that are being targeted
Have your transit provider configure firewall filters in their network, in one region only, matching packet type / length / source IP / destination IP and so on, to drop malicious traffic upstream of you.
• 23. Null route and move on
An attacker who wants to take a website or service down targets its IP address in order to do so.
The first order of business can be to update the DNS A/AAAA record to a new address and move on. If the attacker follows, keep doing it.
Easy to automate; it forces the attacker to keep changing the attack to follow.
Caveat: this depends on recursive resolver operators honouring our TTLs; a resolver that caches beyond the TTL keeps sending legitimate users to the null-routed address.
• 24. Dealing with attacks on infrastructure IPs
Attacks on anycast IP space are relatively easy to mitigate:
● A multiple-hundred-gigabit attack on an anycast IP
  o is distributed over 28 sites
  o multiple tens of gigabits per site
Versus:
● A multiple-hundred-gigabit attack on an IP specific to a single router, link or DC
  o very hard to mitigate
  o multiple hundred gigabits of attack traffic > one 100 Gbit link
How do we prevent this from happening? What can we do about it? What do you gain from exposing these addresses?
• 25. Attacks on infrastructure: obfuscation of IPs
Traceroutes that show the full path are nice... but at what expense?
● They reveal a lot of the addressing information of your infrastructure to the entire internet
  o it becomes easy to figure out what to attack
  o every linknet, loopback and infrastructure IP becomes a target
Worth at least considering obscuring some of your infrastructure:
● Stop sending ICMP Time Exceeded for expired TTLs (the reply traceroute relies on, whether it probes with ICMP or UDP)
● Do not suppress ICMPv6 Packet Too Big: IPv6 routers do not fragment, so path MTU discovery depends on it and killing it causes serious problems
• 26. Attacks on infrastructure: kill routability to IPs
The next step is to kill reachability entirely. Make your linknet IPs non-routable:
● Take all linknet IPs from a /24 that is not advertised on the internet
● Use RFC 1918 space
● Blackhole all your linknets
  o Don't forget to blackhole the provider side too!
This can make debugging significantly harder. Caveat: unreachable or private linknet addresses are also the source addresses of the ICMP errors your routers emit (Time Exceeded, Fragmentation Needed), and where bogon or uRPF filters along the path drop them, path MTU discovery through your network fails.
A lot of work needs to be done at the pre-sales stage with transit providers to ensure one of these options is possible.
Peering exchange LANs should not be reachable from the internet anyway.
• 27. scale: router
Layer      Capacity     Mitigation tool                    Matches on
upstream   congestion   more ports, null routes, topology  IP
router     10M pps      flowspec, ECMP                     ip, proto, length
(remaining layers: 6M pps, 1.2M pps, 0.1M pps)
• 28. Topology: spread it out with ECMP
Flow key: hash(proto, src ip, src port, dst ip, dst port)
Next hop: hash % number of paths (here hash % 2)
• 29. ECMP to distribute traffic between servers
ECMP ensures no single server bears the entire brunt (for the traffic coming into a given site) of an attack aimed at a single IP: 16 servers can mitigate an attack more easily than 1.
All our servers speak BGP to our routing infrastructure, so this is not particularly difficult to implement.
By default, ECMP hashes are recalculated every time there is a next-hop change
● Flows shift between servers
  o TCP sessions reset
● Consistent ECMP hashing solves this
  o Available in Junos from 13.3R3 for any Trio-based chipset
  o Only works for up to 1k unicast prefixes, so it struggles to scale
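The flow-shift problem from the two slides above, reproduced numerically, as an added example that is not code from the talk. It places constructed flows on 16 servers with the router's default scheme, next hop = hash(5-tuple) % N, then withdraws one server and counts how many flows land elsewhere (and so reset). Rendezvous (highest random weight) hashing is used as one consistent alternative; whether that is what Junos implements is not claimed. Server names, client addresses and the BLAKE2b-based flow hash are assumptions.

```python
"""ECMP flow placement: plain modulo hashing vs. a consistent scheme.

Added example, not from the talk. With hash % N every flow is re-bucketed
when N changes; with rendezvous hashing only the flows that lived on the
withdrawn server move.
"""
import hashlib
import socket
import struct


def flow_hash(proto, src_ip, src_port, dst_ip, dst_port, salt=b""):
    """Deterministic 64-bit hash of the 5-tuple (BLAKE2b over the packed tuple + salt)."""
    key = struct.pack("!B4sH4sH", proto, socket.inet_aton(src_ip), src_port,
                      socket.inet_aton(dst_ip), dst_port)
    digest = hashlib.blake2b(key + salt, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def modulo_pick(flow, servers):
    """Default router behaviour: bucket = hash % number of next hops."""
    return servers[flow_hash(*flow) % len(servers)]


def rendezvous_pick(flow, servers):
    """Consistent choice: score each (flow, server) pair independently and take
    the highest. Removing server B cannot change A's score for this flow, so
    only flows whose winner was B move."""
    return max(servers, key=lambda s: flow_hash(*flow, salt=s.encode()))


def moved_flows(flows, before, after, pick):
    """Flows placed on a different server once `after` replaces `before`."""
    return [f for f in flows if pick(f, before) != pick(f, after)]


def make_flows(n, dst_ip="192.0.2.10", dst_port=443):
    """n constructed TCP flows from distinct client addresses and ports to one anycast /32."""
    return [(6, "198.51.100.%d" % (i % 250 + 1), 1024 + i, dst_ip, dst_port)
            for i in range(n)]


def compare(n_flows=2000, n_servers=16, removed="srv07"):
    """Withdraw one of n_servers next hops and count the flows that move under each scheme."""
    servers = ["srv%02d" % i for i in range(n_servers)]
    reduced = [s for s in servers if s != removed]
    flows = make_flows(n_flows)
    return {
        "flows": n_flows,
        "modulo_moved": len(moved_flows(flows, servers, reduced, modulo_pick)),
        "rendezvous_moved": len(moved_flows(flows, servers, reduced, rendezvous_pick)),
        "on_removed_server": sum(1 for f in flows
                                 if rendezvous_pick(f, servers) == removed),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print("%-18s %d" % (key, value))
```

Expect modulo hashing to move roughly 14 of every 15 flows (only flows whose bucket index happens to coincide under both moduli stay put), while the consistent scheme moves exactly the flows that were on the withdrawn server, about one sixteenth of them.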
• 30. Where do the attacks come from?
Compromised (or not?) farms of servers at large hosting companies: 80%.
These servers are well connected (1 Gbit/s or 10 Gbit/s), have no upload limits and low latency, and are not very well monitored. They are the perfect tool for generating DDoS traffic.
• 31. Detection: how do we even work out what to mitigate?
• 32. Detection: how do we do it?
If I asked you to tell me what was DDoSing you, without expensive vendor hardware, how would you do it?
● tcpdump(1)?
● Some other packet sniffer?
Servers are under load during attacks (CPU, RAM, etc.), despite our scale. tcpdump tries to allocate a large block of contiguous free RAM for its capture buffer and times out if it cannot get it, which often leaves it useless until the attack is over. Sniffing all traffic on a server is also very resource intensive in itself.
• 33. Detection: how do we do it?
So how do we do this?
● Taking the burden of detection away from the device being attacked helps a lot
  o Export NetFlow records from the edge routers
  o Export sFlow from the switches in our datacenters
  o Automating this process has helped considerably
● Read data from the application
  o NGINX logs tell you a lot that is useful
● Sometimes calming the attack down to a manageable level with blunt rules (rate-limit all traffic from these 5 /16s to this single /32) lets us do deeper inspection and then fine-tune the rules we use to mitigate
• 34. Manual attack handling
(Diagram: switches export sFlow to an sFlow aggregation service; an operator reads the analytics on the command line and pushes iptables rules to the servers through an iptables management service)
• 35. Automatic attack handling
(Diagram: the same pipeline, with Gatebot consuming the sFlow analytics and pushing iptables rules through the API instead of an operator)
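The pipeline in the two diagrams above, reduced to its decision logic, as an added example that is not Cloudflare's Gatebot or its sFlow tooling. It takes the kind of records an sFlow/NetFlow exporter produces, scales the sample counts back up by the sampling rate, finds destination /32s whose estimated packet rate is above a threshold, picks the source /16s carrying most of that traffic and the dominant (protocol, port, length) signature, and renders the blunt first rule the detection slide describes: rate-limit those source prefixes towards that one /32 so the box survives long enough for deeper inspection. The sample records, sampling rate, window, thresholds and rule names are constructed values.

```python
"""From sampled flow records to a mitigation rule.

Added example, not Cloudflare's code. Aggregates sampled flow records per
destination, finds the attacked /32, the source /16s behind it and the
dominant packet signature, and renders an iptables hashlimit rule.
"""
from collections import Counter, namedtuple
import ipaddress

SAMPLING_RATE = 2048       # exporter samples 1 in 2048 packets (assumed)
WINDOW_SECONDS = 10        # interval covered by SAMPLES (assumed)
PPS_THRESHOLD = 1_000_000  # estimated pps per destination that counts as an attack (assumed)
SOURCE_SHARE = 0.9         # add source /16s until they cover 90% of the packets (assumed)

# Constructed samples: (src_ip, dst_ip, proto, dst_port, pkt_len, sample_count)
SAMPLES = [
    ("185.0.1.10",   "192.0.2.10", 17, 53,  1500, 9000),  # large UDP/53 packets:
    ("185.0.2.11",   "192.0.2.10", 17, 53,  1500, 8000),  # a DNS flood towards
    ("185.1.9.3",    "192.0.2.10", 17, 53,  1500, 7000),  # one anycast /32
    ("203.0.113.7",  "192.0.2.10", 17, 53,  1500, 6000),
    ("198.51.100.5", "192.0.2.10", 6,  443, 120,  40),    # ordinary HTTPS clients
    ("198.51.100.9", "192.0.2.11", 6,  443, 120,  30),
]

Rule = namedtuple("Rule", "src_net dst proto dport length est_pps")
PROTO_NAME = {6: "tcp", 17: "udp"}


def estimated_pps(sample_count):
    return sample_count * SAMPLING_RATE / WINDOW_SECONDS


def targets_over_threshold(samples, threshold=PPS_THRESHOLD):
    """{dst_ip: estimated pps} for destinations above the threshold."""
    per_dst = Counter()
    for src, dst, proto, dport, plen,n in samples:
        per_dst[dst] += n
    return {dst: estimated_pps(n) for dst, n in per_dst.items()
            if estimated_pps(n) > threshold}


def top_source_prefixes(samples, dst, prefixlen=16, share=SOURCE_SHARE):
    """Largest source prefixes, in order, until they cover `share` of packets to dst."""
    per_net = Counter()
    for src, d, proto, dport, plen, n in samples:
        if d == dst:
            net = ipaddress.ip_network("%s/%d" % (src, prefixlen), strict=False)
            per_net[str(net)] += n
    total, covered, chosen = sum(per_net.values()), 0, []
    for net, n in per_net.most_common():
        chosen.append(net)
        covered += n
        if covered >= share * total:
            break
    return chosen


def dominant_signature(samples, dst):
    """The (proto, dst_port, pkt_len) triple carrying most packets to dst."""
    sig = Counter()
    for src, d, proto, dport, plen, n in samples:
        if d == dst:
            sig[(proto, dport, plen)] += n
    return sig.most_common(1)[0][0]


def propose_rules(samples):
    rules = []
    for dst, pps in targets_over_threshold(samples).items():
        proto, dport, plen = dominant_signature(samples, dst)
        for net in top_source_prefixes(samples, dst):
            rules.append(Rule(net, dst, proto, dport, plen, pps))
    return rules


def render_iptables(rule, limit="10000/s", burst=1000):
    """One hashlimit rule per source prefix, matching the dominant signature."""
    return ("iptables -A INPUT -s %s -d %s/32 -p %s --dport %d -m length --length %d "
            "-m hashlimit --hashlimit-above %s --hashlimit-burst %d "
            "--hashlimit-mode dstip --hashlimit-name ddos_%s -j DROP"
            % (rule.src_net, rule.dst, PROTO_NAME[rule.proto], rule.dport, rule.length,
               limit, burst, rule.dst.replace(".", "_")))


if __name__ == "__main__":
    for r in propose_rules(SAMPLES):
        print(render_iptables(r))
```

Only the destination that exceeds the threshold gets rules, the legitimate clients' /16 is left out because it carries a negligible share, and the signature (UDP/53, 1500-byte packets) narrows the rule so the blunt limit hurts as little real traffic as possible.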
• 37. Packet characteristics
● Packet length
● Payload
● Goal: limit false positives
• 39. Matching on payload in iptables
• 40. Payload matching with BPF
● BPF (Berkeley Packet Filter) tools
  o High-performance, pattern-driven filtering
  o Lets us drop DNS attack traffic using far less CPU than userspace inspection
The xt_bpf match runs a classic BPF program against each packet, starting at the IP header, and the -j target fires when the program returns non-zero:

```shell
iptables -A INPUT --dst 1.2.3.4 -p udp --dport 53 -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0" -j DROP
```

The bytecode is the instruction count followed by "code jt jf k" per instruction. This program locates the question name (IP header length + 8 bytes of UDP + 12 bytes of DNS header) and compares it word by word with 07 "exa", "mple", 03 "com", 00, i.e. it drops queries whose question name is exactly example.com.
• 41. BPF bytecode
The same technique in bpftools' assembly form. This listing is framed for an Ethernet capture (the name starts at 14 + IP header length + 8 + 12, hence ld #34 with ldx 4*([14]&0xf)), and the lb_0 block advances past one leading label before comparing, so it matches a single-label wildcard such as www.example.com rather than the bare name:

```text
        ldx 4*([14]&0xf)
        ld #34
        add x
        tax
lb_0:
        ldb [x + 0]
        add x
        add #1
        tax
        ld [x + 0]
        jneq #0x07657861, lb_1
        ld [x + 4]
        jneq #0x6d706c65, lb_1
        ld [x + 8]
        jneq #0x03636f6d, lb_1
        ldb [x + 12]
        jneq #0x00, lb_1
        ret #1
lb_1:
        ret #0
```
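The iptables bytecode from the previous slide and the assembly listing above, generated and executed in Python, as an added example that is not code from bpftools or from the talk. generate_qname_filter() emits the "count,code jt jf k,..." string that iptables -m bpf --bytecode takes, for an exact match on a DNS question name, and run_cbpf() is a small classic-BPF interpreter covering only the opcodes that filter uses, so the program can be checked against constructed packets without loading it into a kernel. It assumes what xt_bpf sees: the buffer starts at the IPv4 header. The packets, addresses and function names are constructed.

```python
"""Generate and execute xt_bpf bytecode that matches a DNS query name.

Added example; not from bpftools or the talk. The question name sits at
ihl + 8 (UDP header) + 12 (DNS header) when the program starts at the
IPv4 header, which is what the xt_bpf match hands to the filter.
"""
import struct

# Classic BPF opcodes used here (values from linux/filter.h)
LD_IMM, LDX_MSH, ADD_X, TAX = 0x00, 0xB1, 0x0C, 0x07
LD_IND_W, LD_IND_H, LD_IND_B = 0x40, 0x48, 0x50
JEQ_K, RET_K = 0x15, 0x06


def qname_wire(name):
    """Length-prefixed labels ending in a zero byte, e.g. 07 'example' 03 'com' 00."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def generate_qname_filter(name):
    """cBPF program returning 1 when the question name equals `name`, else 0."""
    wire = qname_wire(name)
    prog = [(LD_IMM, 0, 0, 20),   # A = 8 (UDP header) + 12 (DNS header)
            (LDX_MSH, 0, 0, 0),   # X = 4 * (ip[0] & 0xf), the IPv4 header length
            (ADD_X, 0, 0, 0),     # A = offset of the question name
            (TAX, 0, 0, 0)]       # X = that offset; every load below is [x + k]
    compares, off = [], 0
    while off < len(wire):
        chunk = wire[off:off + 4]
        op, n = (LD_IND_W, 4) if len(chunk) == 4 else (LD_IND_H, 2) if len(chunk) >= 2 else (LD_IND_B, 1)
        prog.append((op, 0, 0, off))
        compares.append(len(prog))
        prog.append((JEQ_K, 0, 0, int.from_bytes(chunk[:n], "big")))  # jf patched below
        off += n
    prog.append((RET_K, 0, 0, 1))     # every word matched
    prog.append((RET_K, 0, 0, 0))     # any mismatch jumps here
    last = len(prog) - 1
    prog = [(c, jt, last - i - 1 if i in compares else jf, k)
            for i, (c, jt, jf, k) in enumerate(prog)]
    return "%d,%s" % (len(prog), ",".join("%d %d %d %d" % p for p in prog))


def run_cbpf(bytecode, pkt):
    """Interpret the filter over pkt (bytes starting at the IP header)."""
    parts = bytecode.split(",")
    insns = [tuple(int(v) for v in p.split()) for p in parts[1:]]
    assert len(insns) == int(parts[0])

    def load(off, size):
        if off < 0 or off + size > len(pkt):
            raise IndexError(off)
        return int.from_bytes(pkt[off:off + size], "big")

    a = x = pc = 0
    try:
        while pc < len(insns):
            code, jt, jf, k = insns[pc]
            pc += 1
            if code == LD_IMM:
                a = k
            elif code == LDX_MSH:
                x = 4 * (load(k, 1) & 0xF)
            elif code == ADD_X:
                a = (a + x) & 0xFFFFFFFF
            elif code == TAX:
                x = a
            elif code == LD_IND_W:
                a = load(x + k, 4)
            elif code == LD_IND_H:
                a = load(x + k, 2)
            elif code == LD_IND_B:
                a = load(x + k, 1)
            elif code == JEQ_K:
                pc += jt if a == k else jf
            elif code == RET_K:
                return k
            else:
                raise ValueError("opcode 0x%02x not supported here" % code)
    except IndexError:
        return 0    # kernel semantics: an out-of-bounds load makes the filter reject
    return 0


def dns_query_packet(qname, ip_options=b""):
    """Constructed IPv4/UDP/DNS query (checksums left zero; irrelevant to the filter)."""
    dns = struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0) + qname_wire(qname) + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 4 * ihl + len(udp), 0, 0, 64, 17, 0,
                     bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10])) + ip_options
    return ip + udp


# The bytecode shown on the slide (exact match on "example.com")
SLIDE_BYTECODE = ("14,0 0 0 20,177 0 0 0,12 0 0 0,7 0 0 0,64 0 0 0,21 0 7 124090465,"
                  "64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,"
                  "21 0 1 0,6 0 0 1,6 0 0 0")

if __name__ == "__main__":
    print("regenerated == slide:", generate_qname_filter("example.com") == SLIDE_BYTECODE)
    for name in ("example.com", "www.example.com", "example.org"):
        print(name, run_cbpf(SLIDE_BYTECODE, dns_query_packet(name)))
```

Two details worth seeing in the interpreter: the ldx 4*([0]&0xf) instruction is what keeps the filter correct for packets carrying IP options (the name moves by the option length), and an out-of-bounds load, as with a truncated packet, makes the filter return 0 rather than matching on garbage.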
• 42. tcpdump expressions
● Originally: tcpdump -n "udp and port 53"
● xt_bpf was implemented in 2013 by Willem de Bruijn
● tcpdump expressions are limited: no variables
● Hence the benefit of hand-crafting BPF
• 43. BPF Tools
● Open source:
  o https://github.com/cloudflare/bpftools
  o http://blog.cloudflare.com/introducing-the-bpf-tools
● Can match various DNS patterns:
  o *.example.com
  o --case-insensitive *.example.com
  o --invalid-dns
• 44. Hashlimits
Enforce "no more than X connection attempts per minute for this hash", otherwise blacklist.
The hash is made up from whatever criteria you want; for our purposes it is the combination of source and destination IP.
A fairly effective way to detect "DDoS-like" traffic easily. The trick is preventing false detections:
● A customer with many millions of users released an application update that made the app regularly perform JSON queries against their application
● Users behind a CG-NAT all appeared to come from a single IP
● Enforcement triggered on non-malicious traffic
• 45. DDoS Mitigation: a matter of scale
Layer        Capacity     Mitigation tool                    Matches on
upstream     congestion   more ports, null routes, topology  ip
router       10M pps      flowspec                           ip, proto, length
kernel       2M pps       iptables                           full payload
DNS server   0.3M pps     selective drops, just handle it    full payload
• 46. Payload matching close to the NIC
• 47. Solarflare cards and OpenOnload
In our latest generation of server hardware we:
● Moved to 2x10 Gbit/s per server (from 6x1 Gbit/s LAGs)
● Did this with NICs from Solarflare
Solarflare NICs can pre-process traffic on the card before handing it to the CPU (OpenOnload): certain types of traffic can be identified and assigned to cores based on rules pushed to the card, and certain requests can be handled in userspace without generating CPU interrupts.
Cloudflare has been helping Solarflare develop this functionality for their cards.
http://blog.cloudflare.com/a-tour-inside-cloudflares-latest-generation-servers/
• 49. DDoS Mitigation: a matter of scale
Layer          Capacity     Mitigation tool                    Matches on
upstream       congestion   more ports, null routes, topology  ip
router         10M pps      flowspec                           ip, proto, length
network card   6M pps       floodgate                          full payload
kernel         1.2M pps     iptables                           full payload
DNS server     0.3M pps     selective drops, just handle it    full payload
• 50. Connections from a botnet (L7)
• 53. Symptoms
● Concurrent connection count going up
● Many sockets in "orphaned" state (no longer attached to any process)
● Sockets in TIME_WAIT indicate churn
• 55. Reputation in iptables
● connlimit: cap concurrent connections per source
● hashlimit
● Rate-limit SYN packets per IP
● ipset
  o Manual blacklisting: feed an IP blacklist from HTTP server logs
  o Supports subnets and timeouts
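The hashlimit and ipset mechanics from the Hashlimits slide and the list above, reimplemented on top of web server logs, as an added example that is not the talk's own tooling. HashLimit reproduces the semantics of iptables -m hashlimit with --hashlimit-mode srcip,dstip (one token bucket per (src, dst) pair, refilled at the --hashlimit-above rate, holding at most --hashlimit-burst tokens), offenders() runs it over constructed log lines and returns the sources that went over the limit, and ipset_commands() turns them into ipset entries that expire on a timeout. The constructed log includes a CG-NAT egress address shared by many users; the allowlist is one way to avoid the false positive the Hashlimits slide describes. Log format, addresses, rates and timeouts are all assumptions.

```python
"""Hashlimit-style detection fed from web server logs.

Added example, not from the talk. Token bucket per (src, dst) pair with
hashlimit's parameters, a log parser for a constructed nginx format, an
allowlist for shared egress addresses, and ipset commands with timeouts.
"""
from collections import namedtuple
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Constructed nginx log_format: '$server_addr $remote_addr [$time_local] "$request" $status'
LOG_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3})$')
Event = namedtuple("Event", "ts dst src request status")


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    dst, src, stamp, request, status = m.groups()
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return Event(ts, dst, src, request, int(status))


class HashLimit:
    """Per-key token bucket: refilled at rate_per_s, at most burst tokens at rest."""

    def __init__(self, rate_per_s, burst):
        self.rate, self.burst, self.buckets = rate_per_s, burst, {}

    def above(self, key, ts):
        """True when this event exceeds the limit (what --hashlimit-above matches)."""
        tokens, last = self.buckets.get(key, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, ts)
            return False
        self.buckets[key] = (tokens, ts)
        return True


def offenders(lines, rate_per_s=5.0, burst=20, timeout=600, allow=()):
    """{src_ip: timeout} for sources that pushed any (src, dst) pair over the limit."""
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    limiter, hits = HashLimit(rate_per_s, burst), {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if any(ipaddress.ip_address(ev.src) in net for net in allow_nets):
            continue   # shared egress (CG-NAT): one address is thousands of users
        if limiter.above((ev.src, ev.dst), ev.ts):
            hits[ev.src] = timeout
    return hits


def ipset_commands(hits, setname="blacklist"):
    """ipset entries that expire on their own; hash:net also accepts subnets."""
    cmds = ["ipset create %s hash:net timeout 0 -exist" % setname]
    cmds += ["ipset add %s %s timeout %d -exist" % (setname, ip, t)
             for ip, t in sorted(hits.items())]
    return cmds


def constructed_log():
    """Three clients of 192.0.2.10: a flood source, a normal user, a CG-NAT egress."""
    base = datetime(2015, 12, 10, 10, 0, 0, tzinfo=timezone.utc)

    def line(src, seconds):
        stamp = (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return '192.0.2.10 %s [%s] "GET /api/v1/state HTTP/1.1" 200' % (src, stamp)

    lines = [line("203.0.113.9", 0) for _ in range(200)]        # 200 requests in one second
    lines += [line("198.51.100.5", 6 * i) for i in range(10)]   # one request every 6 s
    lines += [line("203.0.113.200", 1) for _ in range(100)]     # CG-NAT: 100 users, 1 request each
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print("without allowlist:", sorted(offenders(log)))
    print("with allowlist:   ", sorted(offenders(log, allow=("203.0.113.200/32",))))
    for cmd in ipset_commands(offenders(log, allow=("203.0.113.200/32",))):
        print(cmd)
```

Without the allowlist the CG-NAT address is blacklisted alongside the real flood source, which is exactly the incident the Hashlimits slide describes; keying the limit on source and destination cannot tell one abusive client from a hundred well-behaved ones behind the same NAT, so known shared egress addresses need either an exception or a much higher threshold.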
• 56. Conclusions
● If you have sensitive content and/or customers, you WILL be DDoSed
● A DDoS is not a foregone conclusion: attacks can be mitigated
● Mitigating them requires investment in hardware, bandwidth and, most importantly, people
• 57. Questions?
Jérôme Fleury, Network Engineering
jf@cloudflare.com
http://www.cloudflare.com/
AS13335
Thank you!