against
play

Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 - PowerPoint PPT Presentation

Jun 17, 2023 •792 likes •915 views

Best Practices for Using CDNs Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS Protection As your principle, CDNs distribute traffic around the world to the closest pop for client, using anycast

  1. Best Practices for Using CDNs Against DDoS Attacks Wilson Rogério Lopes LACNIC 28 / LACNOG 2017 09/2017

  2. CDNs for DDoS Protection • As your principle, CDNs distribute traffic around the world to the closest pop for client, using anycast • Excelent approach to cache content, reduce time-to-access and load of “ origin ” servers www1.cdn.com www1.cdn.com www1.cdn.com www1.cdn.com www1.cdn.com www1.cdn.com www1.cdn.com Origin Servers 200.200.200.10 www.example.com CNAME www1.cdn.com

  3. CDNs for DDoS Protection • By distributing the traffic, it’s reduce the power of a DDoS attack • Even in an attack of hundreds of Gbps, a small amount will reach each pop www1.cdn.com www1.cdn.com www1.cdn.com www1.cdn.com www1.cdn.com www1.cdn.com www1.cdn.com Origin Servers 200.200.200.10 www.example.com CNAME www1.cdn.com

  4. CDNs for DDoS Protection • But, if the origin ip is the target? www1.cdn.com www1.cdn.com www1.cdn.com www1.cdn.com www1.cdn.com www1.cdn.com www1.cdn.com Origin Servers 200.200.200.10 www.example.com CNAME www1.cdn.com

  5. CDNs for DDoS Protection • But, if the origin ip is the target? • It’s impossible, nobody knowns the origin ip, since the dns record pointing to cdn servers  www1.cdn.com www1.cdn.com www1.cdn.com www1.cdn.com www1.cdn.com www1.cdn.com www1.cdn.com Origin Servers 200.200.200.10 www.example.com CNAME www1.cdn.com

  6. Discovering the “origin ip ” • If the target is an Autonomous System • Whois will show the ip prefixes associated with ASN of victim aut-num: AS65000 owner: Example S.A. inetnum: 200.200.200.0/24 • Attacker can send requests to all ips of prefix to check for the same response of cdn servers $for i in `seq 1 254`; do curl 200.200.200.$i; done $curl http://www1.cdn.com <html> <html> Same content of cdn response..... Some content..... </html> </html> • Or simply send volumetric attack to any ip in the prefix to saturate the bandwidth of origin network !

  7. Discovering the “origin ip ” • Using related hosts • www.example.com CNAME www1.cdn.com • static.example.com A 200.200.200.100 • webmail.example.com A 200.200.200.10 • ns1.example.com A 200.200.200.20 Guess the victim are hosted at 200.200.200.x • As in the previous example, use curl to check the ips that answers are identical of cdn servers to have the origin ip

  8. Discovering the “origin ip ” • Outbound connections Im some situations, the origin server establish outbound connections, directly to destination Example: • Pages “ Forgot my password ” send email messages directly from application servers The email header will show the origin ip • Server Leaking ip address • HTTP error messages (like 404), can reveal the server ip address

  9. Best Practices • If you are an Autonomous System: Prefer to use BGP mitigation systems, to effective protection of entire network • GRE tunnels between client and anti-DDoS provider • BGP sessions under gre tunnels • Provider announce the client prefixes and mitigate attacks • Cleaned traffic delivered in gre tunnels ASN65000 200.200.200.0/24 Attack Traffic Cleaned Traffic via gre GRE tunnel Announce 200.200.200.0/24

  10. Best Practices • If you aren’t an Autonomous System, and choose for CDN protection It can be safer if you follow some checklist: • Remove all DNS records pointing to the origin • As possible, host the protected systems in na exclusive infrastructure • Use DNS servers in the CDN also • Check all applications for outbound connections • Check error messages for ip leakages • Ask you service provider to put ACLs in the edge to protect your ips – generally not acceptable, complex maintanance • Change the origin ip always that it was leaked • Hide and seek

  11. References • DDoS Protection Bypass Techniques - Allison Nixon and Christopher Camejo https://media.blackhat.com/us-13/US-13-Nixon-Denying-Service-to-DDOS-Protection-Services-WP.pdf https://www.youtube.com/watch?v=bmzHIB18XT8 • DDoS Attacks - Overview, Mitigation and Evolution – Wilson Lopes https://www.dropbox.com/s/odd4k3mdfi8ntxi/22%20-%20Wilson%20Rogerio%20Lopes%20%20Ataques%20DDoS%20- %20Panorama%2C%20Mitiga%C3%A7%C3%A3o%20e%20Evolu%C3%A7%C3%A3o%20-%20LACNOG.pdf?dl=0

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

du Chtelets ontology: element, corpuscle, body Aim and method To pinpoint her metaphysics

du Chtelets ontology: element, corpuscle, body Aim and method To pinpoint her metaphysics

du Chtelets ontology: element, corpuscle, body Aim and method To pinpoint her metaphysics on the map of early-modern positions. Specifically, her doctrine of substance and body. Approach: strongly internalist. I seek to reconstruct

201 views • 18 slides
Using Contextual Security Policies for Threat Response Yohann THOMAS - Herv DEBAR France

Using Contextual Security Policies for Threat Response Yohann THOMAS - Herv DEBAR France

Using Contextual Security Policies for Threat Response Yohann THOMAS - Herv DEBAR France Tlcom R&amp;D - Caen, France Frdric CUPPENS - Nora CUPPENS-BOULAHIA ENST Bretagne - Rennes, France Research &amp; Development DIMVA06 - July

570 views • 27 slides
Resurgence out of the (literal) box Aleksey Cherman INT, University of Washington work in

Resurgence out of the (literal) box Aleksey Cherman INT, University of Washington work in

Resurgence out of the (literal) box Aleksey Cherman INT, University of Washington work in progress with M. Unsal and D. Dorigoni Resurgence for QFT Belief: QFT observables are transseries in the couplings Generically, all series are separately

585 views • 35 slides
Derivatives of Exponential and Logarithmic Functions Michael Freeze MAT 151 UNC Wilmington

Derivatives of Exponential and Logarithmic Functions Michael Freeze MAT 151 UNC Wilmington

Derivatives of Exponential and Logarithmic Functions Michael Freeze MAT 151 UNC Wilmington Summer 2013 1 / 23 Section 4.4 :: Derivatives of Exponential Functions 2 / 23 Derivative of e x d dx ( e x ) = e x Example Find the derivative of y

586 views • 23 slides
CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Email System Components User agents / Webmail: Composing, editing, and reading mail messages. Mail

687 views • 49 slides
The Crusades What are the Crusades Crusades ? military expeditions initiated by the Church

The Crusades What are the Crusades Crusades ? military expeditions initiated by the Church

The Crusades What are the Crusades Crusades ? military expeditions initiated by the Church to recover the Holy Lands from the Moslems The Crusades What are the Crusades Crusades ? they occurred across several centuries called the

1.2k views • 91 slides
Information Extraction with GATE Angus Roberts University of Sheffield, NLP Recap Installed

Information Extraction with GATE Angus Roberts University of Sheffield, NLP Recap Installed

University of Sheffield, NLP Information Extraction with GATE Angus Roberts University of Sheffield, NLP Recap Installed and run GATE Language Resources - LRs documents corpora Looked at annotations Processing resources -

737 views • 58 slides
$17 Billion for NYC $375 billion total for counties and localities $34 Billion for NY State $500

$17 Billion for NYC $375 billion total for counties and localities $34 Billion for NY State $500

HOUSE HOUSE FEDERAL FEDERAL ST STIMULUS IMULUS BILL BILL Direct State and Local Aid $17 Billion for NYC $375 billion total for counties and localities $34 Billion for NY State $500 billion for states HOUSE HOUSE FEDERAL FEDERAL ST

527 views • 18 slides
Why data mining? The world is awash with digital data; trillions of gigabytes and growing

Why data mining? The world is awash with digital data; trillions of gigabytes and growing

Why data mining? The world is awash with digital data; trillions of gigabytes and growing A trillion gigabytes is a zettabyte , or 1 000 000 000 000 000 000 000 bytes Computational Thinking ct.cs.ubc.ca Why data mining? More and more,

1.26k views • 60 slides
The Beauty and Joy of The Beauty and Joy of Computing Computing Lectur Lecture #25 e #25

The Beauty and Joy of The Beauty and Joy of Computing Computing Lectur Lecture #25 e #25

The Beauty and Joy of The Beauty and Joy of Computing Computing Lectur Lecture #25 e #25 Summary &amp; Far Summary &amp; Farewell ewell UC Berkeley EECS UC Berkeley EECS Sr Lectur Sr Lecturer SOE er SOE Dan Garcia Dan Gar cia

61 views • 4 slides
You Forgot it in the Genotype M ODELING TOWARDS ADAPTATION OF FOOD CROPS UNDER CLIMATE CHANGE

You Forgot it in the Genotype M ODELING TOWARDS ADAPTATION OF FOOD CROPS UNDER CLIMATE CHANGE

You Forgot it in the Genotype M ODELING TOWARDS ADAPTATION OF FOOD CROPS UNDER CLIMATE CHANGE THREAT Olivia Mendivil Ramos (CSHL - NY) &amp; Linda Petrini (Google Brain - Montreal) 4/26/2020 Why modeling in agriculture? Global warming history

581 views • 7 slides
15-381: Artificial Intelligence Introduction and Overview Course data All up-to-date info is

15-381: Artificial Intelligence Introduction and Overview Course data All up-to-date info is

15-381: Artificial Intelligence Introduction and Overview Course data All up-to-date info is on the course web page: - http://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15381-s07/www/ Instructors: - Martial Hebert - Mike Lewicki TAs:

435 views • 25 slides
FPD-M-net: Fingerprint Image Denoising and Inpainting Using M-Net Based Convolutional Neural

FPD-M-net: Fingerprint Image Denoising and Inpainting Using M-Net Based Convolutional Neural

FPD-M-net: Fingerprint Image Denoising and Inpainting Using M-Net Based Convolutional Neural Networks Sukesh Adiga V and Jayanthi Sivaswamy Center for Visual Information Technology, IIIT, Hyderabad 09-09-2018 Hyderaba IIIT d Problems to be

457 views • 14 slides
Fuzzy Logic Interval Clustering for Drug Discovery PREDICTION ACCURACY FOR DRUG DISCOVERY

Fuzzy Logic Interval Clustering for Drug Discovery PREDICTION ACCURACY FOR DRUG DISCOVERY

Fuzzy Logic Interval Clustering for Drug Discovery PREDICTION ACCURACY FOR DRUG DISCOVERY PROBLEM Hundreds of Test EACH thousands of compoundon High throughput screening compoundsare the desired (HTS) is expensive and time-

554 views • 5 slides
Probability and Informa0on 270C Defini0on of Probability

Probability and Informa0on 270C Defini0on of Probability

Probability and Informa0on 270C Defini0on of Probability Experiment : toss a coin twice Sample space : possible outcomes of an experiment S = {HH,

1.09k views • 51 slides
Essentjals for a Cryo-EM lab What do you need? What can you borrow? How do you assess a new

Essentjals for a Cryo-EM lab What do you need? What can you borrow? How do you assess a new

Essentjals for a Cryo-EM lab What do you need? What can you borrow? How do you assess a new specimen? General Advice Be reasonable, BUT this is the appropriate time to ask for and buy exactly what you need Decide what is essential and what

485 views • 13 slides
Transportation Asset Management Webinar Series Webinar 44 TAMP and STIP Integration Sponsored

Transportation Asset Management Webinar Series Webinar 44 TAMP and STIP Integration Sponsored

Transportation Asset Management Webinar Series Webinar 44 TAMP and STIP Integration Sponsored by FHWA and AASHTO Webinar 44 June 17, 2020 FHWA-AASHTO Asset Management Webinar Series This is the 44th in a webinar series that has been

935 views • 69 slides
Network-based reasoning COMPSCI 276, Spring 2011 Set 1: Introduction and Background Rina Dechter

Network-based reasoning COMPSCI 276, Spring 2011 Set 1: Introduction and Background Rina Dechter

Probabilistic Reasoning; Network-based reasoning COMPSCI 276, Spring 2011 Set 1: Introduction and Background Rina Dechter (Reading: Pearl chapter 1-2, Darwiche chapters 1,3) 1 Class Description Instructor: Rina Dechter Days: Tuesday

712 views • 56 slides
Graphical Models Model Estimation and Validation Marco Scutari m.scutari@ucl.ac.uk Genetics

Graphical Models Model Estimation and Validation Marco Scutari m.scutari@ucl.ac.uk Genetics

Graphical Models Model Estimation and Validation Marco Scutari m.scutari@ucl.ac.uk Genetics Institute University College London September 27, 2011 Marco Scutari University College London Graphical Models Marco Scutari University College

1.04k views • 71 slides
Probabilistic Graphical Models Part I: Bayesian Belief Networks Selim Aksoy Department of

Probabilistic Graphical Models Part I: Bayesian Belief Networks Selim Aksoy Department of

Probabilistic Graphical Models Part I: Bayesian Belief Networks Selim Aksoy Department of Computer Engineering Bilkent University saksoy@cs.bilkent.edu.tr CS 551, Fall 2015 CS 551, Fall 2015 2015, Selim Aksoy (Bilkent University) c 1 /

540 views • 27 slides
COVID-19 Essen entia ial F l Family ily C Caregiv iver Prec ecauti tion ons a and I

COVID-19 Essen entia ial F l Family ily C Caregiv iver Prec ecauti tion ons a and I

COVID-19 Essen entia ial F l Family ily C Caregiv iver Prec ecauti tion ons a and I Infec ecti tion on C Contr trol ol Training Updated July 22, 2020 What at is C COVID-19? 9? A new coronavirus is a virus (type of germ)

337 views • 17 slides
Data Preprocessing Why Data Preprocessing? Chris Williams, School of Informatics University of

Data Preprocessing Why Data Preprocessing? Chris Williams, School of Informatics University of

Data Preprocessing Why Data Preprocessing? Chris Williams, School of Informatics University of Edinburgh Data in the real world is dirty. It is: Data preparation is a big issue for data mining. Cabena et al (1998) extimate that data

410 views • 8 slides
Non-invasive Lung IMPEDANCE-Guided Preemptive Treatment in Chronic Heart Failure Patients: a

Non-invasive Lung IMPEDANCE-Guided Preemptive Treatment in Chronic Heart Failure Patients: a

Non-invasive Lung IMPEDANCE-Guided Preemptive Treatment in Chronic Heart Failure Patients: a Randomized Controlled Trial (IMPEDANCE-HF trial) M Kleiner Shochat, MD, BSc, PhD a , A Shotan, MD a , DS Blondheim, MD a , M Kazatsker, MD a , I Dahan,

343 views • 11 slides
Distribution channel of Distribution channel of Tropical Fruits in Thailand Tropical Fruits in

Distribution channel of Distribution channel of Tropical Fruits in Thailand Tropical Fruits in

Distribution channel of Distribution channel of Tropical Fruits in Thailand Tropical Fruits in Thailand I mport Wholesale Local Market Retail Consumer Grower Market/ Market (Talaad Collector Thai) Contact farm/ Agreement Export

758 views • 49 slides

More recommend