Last month, the largest distributed denial of service (DDoS) attack recorded to date, peaking at 1.35 Tbps, hit GitHub and raised the stakes for every commercial website. These ever larger and more distributed attacks challenge security practitioners to better anticipate attacks on their own applications and infrastructure. In this live webinar, Cloudflare security experts discuss the new DDoS landscape and mitigation techniques.
1. What You Should Know Before The Next DDoS Attack
Junade Ali (@IcyApril)
Tim Fong (@timfong888)
2. Agenda
● The new DDoS landscape
● Analysis of major recent attacks
● DDoS mitigation techniques: what we tried, what worked, what didn’t, and why some of the technically sound ideas turned out to be totally impractical
3. Primary Customer Use Cases
SECURITY
● DDoS Attacks: attack traffic degrades availability or performance and creates unpredictable surges in infrastructure costs
● Data Theft: attackers compromise customer data, such as user credentials, credit card information, and other PII
● Malicious Bots: malicious bots abuse customer applications through content scraping, account takeovers, and fraudulent checkouts
PERFORMANCE
● Unavailable Applications: overloaded or unavailable infrastructure stops users from accessing applications
● Slow Internet Applications and APIs: heavy pages and long distances from the origin slow down webpages, applications, and APIs
● Slow Mobile Sites and Apps: mobile clients introduce performance and content delivery constraints that hurt user experience
6. Poll Question
Which Layer 7 Attacks other than HTTP would impact you?
● None -- only care about HTTP/S
● SMTP
● (S)FTP
● None -- but care about other TCP protocols
9. Network Layer Attacks Sometimes Get Big
➔ From time to time, network layer attacks get big
➔ Example: a SYN flood from April 2018
➔ Automatically mitigated using GateBot
10. Recent Network Layer Direct Attacks
➔ Direct network layer attacks are usually SYN floods
➔ Usually ~300 Gbps
➔ Graph showing the number of mitigations over the past 6 months
11. Recent Application Layer Attacks
➔ Chart showing number of Layer 7 Attacks mitigated over 6 months
➔ Only shows large attack events
➔ Does not include attacks mitigated by user-configurable settings
◆ E.g. Rate Limiting or the Web Application Firewall
13. A Big Anycast Network Helps
● > 15 Tbps capacity
● Close to users
○ Peering with local ISPs
● Absorbing DDoS traffic across the whole network
● Easy rate limiting
● “Argo”
○ Tiered caching
○ Smart routing
○ “Argo Tunnel”
Local peering example: Italian traffic shifted from Frankfurt to Milan
15. DNS Resolution
● dig A www.google.com
● dig A www.junade.com
● Compare the answers returned from different locations using whatsmydns.net
16. Network Architectures (HTTP Traffic)
● Unicast
○ Geo-routing done using DNS (different answers for clients in different regions)
○ Allows for traffic control, but can be bypassed by a client that connects to an IP directly
○ Handover/failover needs the DNS cache to expire: from seconds to hours, depending on the TTL
● Anycast
○ Geo-routing done by BGP: every PoP announces the same IP, and each client reaches the one on the shortest path (generally the geographically closest PoP, but the intermediate network operators’ routing policies decide)
○ Immediate failover
○ DDoS traffic is automatically spread across the whole network
18. Poll Question
Do you believe Anycast (versus Unicast) stops DDoS
attacks better?
➔ Yes
➔ No
19. Attack Data Analysis
● Edge produces log lines
● Sent to large scale data centres
● Aggregate and analyse
○ Too many log lines to store raw, so aggregate first
● Asynchronous queues
○ Guarantee scalability and stability
● Parallel processing by Go microservices
20. Attack Mitigation Pipeline
● Data processing services analyse attack patterns
○ Finding correlations across requests
○ Bad bot detection
○ HTTP headers / IP data
● Services create rules
● Rules deployed to the Cloudflare edge network
● Effect of each change measured
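The aggregate-then-rule step of such a pipeline, as an added example in Go (not Cloudflare's code): it parses edge log lines, buckets them into time windows, and emits rules for two patterns, a single noisy client and a user agent shared by many IPs against one path. The log format, the thresholds, the rule syntax and the traffic are all constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Rule is what the analysis stage hands to the edge for deployment. The
// Match syntax is an assumption made for this example.
type Rule struct {
	Match  string // predicate on request fields
	Action string // "block" or "challenge"
	Reason string
}

// Analyze parses tab-separated lines of the constructed form
// "<RFC3339 ts>\t<client ip>\t<path>\t<user-agent>" (not Cloudflare's real
// log schema), buckets requests into fixed windows and emits a rule for two
// patterns: one client sending more than perClient requests in a window, and
// one user agent that at least botnetMinIPs distinct IPs use against the same
// path in a window (the correlation a distributed flood leaves behind when no
// single IP is noisy enough to trip a per-client limit).
func Analyze(lines []string, window time.Duration, perClient, botnetMinIPs int) ([]Rule, error) {
	type key struct {
		win  time.Time
		a, b string
	}
	perIP := map[key]int{}
	uaPathIPs := map[key]map[string]bool{}
	for _, ln := range lines {
		f := strings.Split(ln, "\t")
		if len(f) != 4 {
			return nil, fmt.Errorf("want 4 fields, got %d: %q", len(f), ln)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		ip, path, ua := f[1], f[2], f[3]
		w := ts.Truncate(window)
		perIP[key{w, ip, ""}]++
		k := key{w, ua, path}
		if uaPathIPs[k] == nil {
			uaPathIPs[k] = map[string]bool{}
		}
		uaPathIPs[k][ip] = true
	}
	emitted := map[string]bool{} // one rule per match even if several windows trip it
	var rules []Rule
	for k, n := range perIP {
		if m := "ip=" + k.a; n > perClient && !emitted[m] {
			emitted[m] = true
			rules = append(rules, Rule{m, "block", fmt.Sprintf("%d requests in %s", n, window)})
		}
	}
	for k, ips := range uaPathIPs {
		if m := fmt.Sprintf("ua=%q path=%s", k.a, k.b); len(ips) >= botnetMinIPs && !emitted[m] {
			emitted[m] = true
			rules = append(rules, Rule{m, "challenge", fmt.Sprintf("%d distinct IPs in %s", len(ips), window)})
		}
	}
	sort.Slice(rules, func(i, j int) bool { return rules[i].Match < rules[j].Match })
	return rules, nil
}

// sampleLines is constructed traffic for one minute: four browsers, one IP
// hammering /search, and six IPs sharing a scripted user agent against
// /login while each of them sends only three requests.
func sampleLines() []string {
	t0 := time.Date(2018, 4, 1, 12, 0, 0, 0, time.UTC)
	line := func(sec int, ip, path, ua string) string {
		ts := t0.Add(time.Duration(sec) * time.Second).Format(time.RFC3339)
		return fmt.Sprintf("%s\t%s\t%s\t%s", ts, ip, path, ua)
	}
	var out []string
	for i := 0; i < 4; i++ {
		out = append(out, line(i, fmt.Sprintf("192.0.2.%d", i+1), "/", "Mozilla/5.0"))
	}
	for i := 0; i < 30; i++ {
		out = append(out, line(i, "203.0.113.9", "/search", "Mozilla/5.0"))
	}
	for ip := 1; ip <= 6; ip++ {
		for i := 0; i < 3; i++ {
			out = append(out, line(10+i, fmt.Sprintf("198.51.100.%d", ip), "/login", "python-requests/2.18"))
		}
	}
	return out
}

func main() {
	rules, _ := Analyze(sampleLines(), time.Minute, 20, 5) // constructed input is well-formed
	for _, r := range rules {
		fmt.Printf("%-9s %-40s %s\n", r.Action, r.Match, r.Reason)
	}
}
```

Run stand-alone it prints one block rule for 203.0.113.9 and one challenge rule for the shared scripted user agent on /login. The second pattern is the one worth noticing: each bot sends only three requests, well under any per-client limit, and only the cross-IP aggregation exposes it. A shared user agent is a weak signal on its own (a common browser string would trip it too, which is why the action is a challenge rather than a block), and a real pipeline combines it with the other header and IP features the slide lists.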
22. The New Landscape: Application Layer Attacks
➔ It’s cheaper than ever to run a DDoS attack
◆ Using botnets of machines on fast household internet connections
◆ Using breached IoT devices (e.g. security cameras)
23. The New Landscape: Application Layer Attacks
➔ Application (Layer 7) attacks are efficient
◆ Serving a page costs the web app far more resources than sending the request costs the attacker
24. The New Landscape: Application Layer Attacks
➔ Presentation (Layer 6) attacks can complement them
◆ Forcing the server through slow cryptographic operations (such as TLS handshakes) increases the damage per request
25. Why Application Layer?
➔ Works against almost any Layer 7 application
➔ Small websites are easier to attack than big networks
◆ Attackers are more likely to choose them
◆ Most apps can only handle a few hundred concurrent clients
➔ Easy to launch an attack
◆ Typically harder to process a request than to receive one
◆ Harder to tell apart from legitimate traffic than network-layer “junk traffic” is
➔ Fake DDoS threats are used to blackmail site owners
27. Responding to Layer 7 Attacks
➔ Protecting the origin
◆ Cloudflare “Spectrum” allows proxying of any TCP traffic
◆ Cloudflare “Argo Tunnel” hides the IP of your web server, so attackers cannot bypass the proxy by hitting the origin directly
➔ Cache aggressively
◆ Using Cloudflare to cache dynamic content
◆ Fine-grained control with Workers
◆ E.g. cache all HTML, but bypass the cache when the request carries a cookie
➔ Introduction of variadic Rate Limiting
◆ Use Rate Limiting to prevent excess requests
◆ Ban clients that make excessive HTTP requests
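Rate limiting with a ban for repeat offenders, as an added example in Go (not Cloudflare's Rate Limiting implementation): a fixed-window counter per client that answers 429 above a request limit and 403 for a configurable period once a client passes a higher ban threshold, wrapped as a net/http middleware. The thresholds, the status codes and the choice of the connecting IP as the client key are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strconv"
	"sync"
	"time"
)

// Limiter counts requests per client in fixed windows, answers 429 above
// Limit, and bans a client for BanFor once it passes BanAfter in one window.
// Now is injectable so window rollover and ban expiry can be tested without
// sleeping.
type Limiter struct {
	Window   time.Duration
	Limit    int
	BanAfter int
	BanFor   time.Duration
	Now      func() time.Time

	mu     sync.Mutex
	counts map[string]*counter
	banned map[string]time.Time // client -> ban expiry
}

type counter struct {
	start time.Time
	n     int
}

func NewLimiter(window time.Duration, limit, banAfter int, banFor time.Duration) *Limiter {
	return &Limiter{Window: window, Limit: limit, BanAfter: banAfter, BanFor: banFor,
		Now: time.Now, counts: map[string]*counter{}, banned: map[string]time.Time{}}
}

// Check records one request from client and returns the status the edge
// should answer with: 0 (pass), 429 (over limit) or 403 (banned).
func (l *Limiter) Check(client string) int {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.Now()
	if until, ok := l.banned[client]; ok {
		if now.Before(until) {
			return http.StatusForbidden // rejected before any further work
		}
		delete(l.banned, client) // ban expired; the client starts clean
	}
	c := l.counts[client]
	if c == nil || now.Sub(c.start) >= l.Window {
		c = &counter{start: now}
		l.counts[client] = c
	}
	c.n++
	switch {
	case c.n > l.BanAfter:
		l.banned[client] = now.Add(l.BanFor)
		return http.StatusForbidden
	case c.n > l.Limit:
		return http.StatusTooManyRequests
	}
	return 0
}

// Middleware applies Check keyed on the connecting IP. At an edge the key
// can be anything the request carries (IP, session cookie, API key);
// RemoteAddr is used here because this example runs with no proxy in front.
func (l *Limiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		client, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			client = r.RemoteAddr
		}
		switch code := l.Check(client); code {
		case 0:
			next.ServeHTTP(w, r)
		case http.StatusTooManyRequests:
			w.Header().Set("Retry-After", strconv.Itoa(int(l.Window/time.Second)))
			http.Error(w, "rate limit exceeded", code)
		default:
			http.Error(w, "banned for excessive requests", code)
		}
	})
}

func main() {
	// Three requests per 10 s pass, the next three get 429, the seventh bans.
	l := NewLimiter(10*time.Second, 3, 6, time.Minute)
	for i := 1; i <= 7; i++ {
		fmt.Printf("request %d -> %d\n", i, l.Check("203.0.113.9"))
	}
}
```

Run stand-alone it prints the status returned for seven rapid requests from one client. The ban map is what makes banning cheaper than throttling alone: a banned client is rejected at the first map lookup, before any counting or origin work, which is the resource asymmetry the attacker was relying on turned back on them. Fixed windows are simple but allow a short burst of up to twice the limit across a window boundary; a sliding window or token bucket is the usual refinement.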