DDOS Notes

In this post I’m going to jot down some notes I have sitting around for DDOS. I’ll list some things that anyone can do without getting a service like Akamai. This is just a high-level post and it won’t go into details.

#WHAT IS IT
-Today DDOS attacks are mostly launched with spoofed source IPs
-Over 50% are amplification attacks (UDP-based services: NTP, DNS, SSDP)
-The spoofed packets are coming from residential networks (thank you, IoT devices)
-Open, compromised IoT devices (botnets) = major problem

#TYPES OF ATTACKS
-TCP SYN / SYN+ACK floods
-TCP fragment floods
-UDP floods
-Slowloris (slow HTTP, holds connections open)
-Spoofed-source floods
-ICMP floods
-IGMP floods
-HTTP floods
-Brute force (application login floods)
-Connection floods
-DNS floods
-NXDOMAIN floods (random subdomain queries that miss every cache and land on the authoritative server)
-Ping of Death (oversized/malformed ICMP)
-Smurf (ICMP echo to a broadcast address with the victim as the spoofed source)
-Reflected ICMP & UDP

reflection = the attacker sends requests to third-party servers with the victim’s address forged as the source, so the replies go to the victim; the attacker “reflects” off and hides behind those third parties
amplification = builds on reflection: a small query draws a much larger response, so each reflector multiplies the attacker’s bandwidth / amplification attacks are always reflection attacks
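To make the two definitions concrete, here is an added example (mine, not from the original notes) that builds the actual bytes of the query an attacker sends to an open DNS resolver and works out the bandwidth amplification factor. The attacker forges the victim’s address as the source, so the resolver’s answer goes to the victim (reflection), and a 40-byte query for ANY with EDNS0 can draw an answer of several kilobytes (amplification). The 3000-byte response size is an assumption for illustration, not a measurement, and example.com is a placeholder name.

```python
import struct
from typing import Optional


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS label wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("DNS label longer than 63 bytes: " + label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name: str, qtype: int = 255, edns_payload: Optional[int] = 4096,
                    txid: int = 0x1234) -> bytes:
    """Build the kind of query an amplification attacker sends to an open resolver:
    QTYPE ANY (255) by default, plus an EDNS0 OPT record advertising a 4096-byte UDP
    payload so the reflector is willing to send a large answer in one datagram."""
    arcount = 1 if edns_payload else 0
    # Header: ID, flags (RD set: a plain recursive query), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    opt = b""
    if edns_payload:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0 (no flags), RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_payload, 0, 0)
    return header + question + opt


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: bytes the victim receives per byte the attacker sends."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


if __name__ == "__main__":
    q = build_dns_query("example.com")
    # Assumed response size, not a measurement: a large ANY answer with DNSSEC records
    # can run to a few kilobytes; 3000 bytes is used here only to illustrate the ratio.
    assumed_response = 3000
    print(f"query: {len(q)} bytes, assumed response: {assumed_response} bytes, "
          f"BAF = {amplification_factor(len(q), assumed_response):.0f}x")
```

Without the OPT record the same query is 29 bytes, but most resolvers then cap the answer at 512 bytes and truncate, which is exactly why attackers add EDNS0: the advertised payload size is what lets the reflector send the whole multi-kilobyte answer in a single UDP datagram.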

#WHAT YOU CAN DO TODAY TO “HELP” MITIGATE ATTACKS
-Routers – Use BOGON list filtering (see below)
-Firewalls – Block ALL countries NOT needed (caveat: the source address on a spoofed packet can be from any country, so this only helps against non-spoofed traffic such as HTTP and connection floods)
-Multiple DNS – Use more than one authoritative DNS provider for your external names, so a flood against one provider doesn’t take your names offline
-Unicast Reverse Path Forwarding (uRPF) – drop packets whose source address isn’t reachable back through the interface they arrived on; this is what keeps your own network from emitting spoofed packets (BCP 38)

#HOW TO VERIFY YOU’RE GETTING ATTACKED
-Major jump in packets per second (compare against your normal baseline)
-Lots and lots of new connections per second
-Connection attempts to hosts and ports that normally see none
-High number of unique sources
-Mostly UDP, since that is what floods and amplification attacks use
-Pure SYN attacks are less common nowadays
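Added example (mine, not from the original notes): the checks above written as code over NetFlow-style records. The flow lines are constructed, not a capture; the baseline window is ten quiet seconds and the attack window is one second of a spoofed-source UDP flood generated by constructed_flood(). The thresholds (10x baseline pps, 100 unique sources, 80% UDP) are assumptions to tune against your own traffic. One check the list above does not name is included: a source address in bogon space is proof of spoofing, because no legitimate packet from the internet carries one.

```python
import ipaddress
from collections import Counter

# IPv4 bogon ranges (RFC 1918, RFC 6890 special-purpose, multicast, reserved). No legitimate
# packet arriving from the internet carries one of these as its source address.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]

REFLECTOR_PORTS = {53, 123, 1900}  # DNS, NTP, SSDP: the source ports seen in reflected floods


def is_bogon(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGONS)


def parse_flows(text: str) -> list:
    """Parse CSV flow records: ts,proto,src,dst,sport,dport,packets,bytes (one flow per line)."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, sport, dport, packets, nbytes = line.split(",")
        flows.append({"ts": int(ts), "proto": proto, "src": src, "dst": dst,
                      "sport": int(sport), "dport": int(dport),
                      "packets": int(packets), "bytes": int(nbytes)})
    return flows


def window_stats(flows: list, start: int, end: int) -> dict:
    """Reduce the flows with start <= ts < end to the indicators in the checklist."""
    packets, sources, by_proto = 0, set(), Counter()
    bogon_packets = reflect_packets = 0
    for f in flows:
        if not start <= f["ts"] < end:
            continue
        packets += f["packets"]
        sources.add(f["src"])
        by_proto[f["proto"]] += f["packets"]
        if is_bogon(f["src"]):
            bogon_packets += f["packets"]
        if f["proto"] == "udp" and f["sport"] in REFLECTOR_PORTS:
            reflect_packets += f["packets"]

    def share(n: int) -> float:
        return n / packets if packets else 0.0

    return {"pps": packets / max(1, end - start), "unique_sources": len(sources),
            "udp_share": share(by_proto["udp"]), "bogon_share": share(bogon_packets),
            "reflect_share": share(reflect_packets)}


def assess(baseline: dict, current: dict, pps_factor: float = 10.0,
           min_sources: int = 100, udp_threshold: float = 0.8) -> list:
    """Return the names of the indicators that fire for `current` relative to `baseline`."""
    fired = []
    if current["pps"] >= baseline["pps"] * pps_factor:
        fired.append("pps")
    if current["unique_sources"] >= min_sources:
        fired.append("unique_sources")
    if current["udp_share"] >= udp_threshold:
        fired.append("udp_flood")
    if current["bogon_share"] > 0:  # any bogon source at all means someone is spoofing
        fired.append("bogon_sources")
    if current["reflect_share"] >= 0.5:
        fired.append("reflection")
    return fired


# Constructed flow records (not a real capture). The victim is 198.51.100.10; the quiet
# ten-second baseline has four real clients and 120 packets in total.
BASELINE_FLOWS = """\
1700000000,tcp,51.15.20.3,198.51.100.10,51515,443,20,18000
1700000002,tcp,77.88.1.9,198.51.100.10,40123,443,35,31000
1700000004,udp,145.3.2.1,198.51.100.10,5353,53,4,320
1700000005,tcp,51.15.20.3,198.51.100.10,51516,443,25,22000
1700000007,tcp,92.40.8.8,198.51.100.10,60000,80,30,27000
1700000009,tcp,77.88.1.9,198.51.100.10,40124,443,6,5000
"""


def constructed_flood(ts: int, n: int = 300, packets: int = 50) -> str:
    """Synthesize one second of a spoofed-source UDP flood: n flows, one per forged source.
    Sources are generated deterministically; as with real random spoofing, a few of them
    (here 10.x and 127.x) land in bogon space, which is the giveaway the checks look for."""
    lines = []
    for i in range(n):
        src = f"{1 + i % 223}.{(i * 13) % 256}.{(i * 3) % 256}.{i % 256}"
        lines.append(f"{ts},udp,{src},198.51.100.10,{1024 + i},80,{packets},{packets * 1400}")
    return "\n".join(lines)


# The attack second: one legitimate client plus the flood.
ATTACK_FLOWS = ("1700000100,tcp,51.15.20.3,198.51.100.10,51520,443,20,18000\n"
                + constructed_flood(1700000100))


def run_demo() -> tuple:
    baseline = window_stats(parse_flows(BASELINE_FLOWS), 1700000000, 1700000010)
    current = window_stats(parse_flows(ATTACK_FLOWS), 1700000100, 1700000101)
    return baseline, current, assess(baseline, current)


if __name__ == "__main__":
    baseline, current, fired = run_demo()
    print("baseline:", baseline)
    print("current: ", current)
    print("fired:   ", fired)
```

In the constructed attack second the pps, unique-source, UDP-share and bogon-source checks all fire while the reflection check stays quiet, which is the right reading: a direct spoofed flood, not a reflected one. In production you would feed the same window_stats() from your collector (nfdump, sFlow, router telemetry) and alert on assess() returning anything, with the baseline taken from the same hour on a quiet day rather than a fixed number.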

#PREVENTION:
-Use a cloud provider like Akamai / probably the best solution, since you want this mitigated upstream before it reaches your links!
-Block upstream / get help from your ISP / use a cloud provider
-Filter BOGONS
-Multiple DNS providers
-TCP handshake proxy (completes the three-way handshake on the server’s behalf, typically with SYN cookies, and only passes connections that finish it; spoofed SYNs never complete)
-Anycast / Akamai uses this to spread the attack across many sites
-Don’t use external DNS names with make/models in them; attackers tailor the attack to the endpoint (for instance, if the name says it’s a Juniper or Cisco router, they go looking for vulnerabilities in that platform)
-It’s impossible to tell which sources are spoofed from the packets alone, so don’t try to build block lists from the source addresses of a flood
-Block countries / it’s easy to find the top dangerous countries; if anything start with the US trade embargo list (same caveat as above: useless against spoofed sources)
-Lots of bandwidth
-Appliances – filter out bad traffic
-Inline appliances give greater visibility because all traffic passes through them
-NetFlow/sFlow – detect the flood, then insert a blackhole route (RTBH) for the victim address; this finishes the attacker’s job for that one address, so use it to save the rest of the network
-Block at the ISP level or at my edge / the edge link is already taking the hit, but you’re protecting the service behind it
-DDOS scrubbing service
-DDOS is infrastructure WIDE
-BGP Flowspec (push a match/drop or rate-limit rule for the attack traffic to your routers, or to your upstream, over BGP)
-IPS – false positives, so people shoot for IDS
-IDS – reactive and not proactive
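The TCP handshake proxy item deserves a worked example, since it is the one thing on this list you can implement yourself in front of a service. Added example (mine, not from the original notes): a stateless handshake proxy using SYN cookies, with the cookie layout modeled on the Linux one (keyed hash of the 4-tuple + client ISN + 8 bits of a 64-second counter + 24 bits carrying a hashed MSS index). The proxy stores nothing on a SYN; the server ISN in the SYN-ACK is the cookie, and only an ACK that echoes a valid cookie for the same 4-tuple gets a connection. A SYN flood from spoofed sources therefore costs one HMAC per packet and no memory. The secret, addresses, ports and timestamps are placeholders. Real SYN cookies also lose TCP options other than MSS (window scale, SACK) unless the timestamp option carries them; this example ignores that.

```python
import hashlib
import hmac
import struct

COOKIE_BITS = 24
COOKIE_MASK = (1 << COOKIE_BITS) - 1
COUNTER_PERIOD = 64  # seconds per counter tick; a cookie is valid for the current and previous tick
MSS_TABLE = (536, 1300, 1440, 1460)  # the only MSS values a cookie can carry (index goes in the low bits)


def _h(secret: bytes, saddr: bytes, daddr: bytes, sport: int, dport: int, count: int) -> int:
    """Keyed 32-bit hash over the connection 4-tuple and a counter value."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, count)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def make_syn_cookie(secret: bytes, saddr: bytes, daddr: bytes, sport: int, dport: int,
                    client_isn: int, mss: int, now: int) -> int:
    """Server ISN for the SYN-ACK. Layout (Linux-style): h1 + client_isn + (count << 24)
    + ((h2 + mss_index) & 0xFFFFFF), all mod 2^32, so no per-connection state is needed."""
    count = now // COUNTER_PERIOD
    mss_index = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
    h1 = _h(secret, saddr, daddr, sport, dport, 0)
    h2 = _h(secret, saddr, daddr, sport, dport, count)
    return (h1 + client_isn + (count << COOKIE_BITS) + ((h2 + mss_index) & COOKIE_MASK)) & 0xFFFFFFFF


def check_syn_cookie(secret: bytes, saddr: bytes, daddr: bytes, sport: int, dport: int,
                     client_isn: int, cookie: int, now: int):
    """Validate the cookie echoed in the client's final ACK. Returns the negotiated MSS,
    or None if the cookie is stale, forged, or was issued for a different 4-tuple/ISN."""
    h1 = _h(secret, saddr, daddr, sport, dport, 0)
    diff = (cookie - h1 - client_isn) & 0xFFFFFFFF
    cookie_count_low = diff >> COOKIE_BITS  # only the low 8 bits of the counter survive
    now_count = now // COUNTER_PERIOD
    for candidate in (now_count, now_count - 1):
        if candidate >= 0 and (candidate & 0xFF) == cookie_count_low:
            h2 = _h(secret, saddr, daddr, sport, dport, candidate)
            mss_index = ((diff & COOKIE_MASK) - h2) & COOKIE_MASK
            # Only 4 of 2^24 low-bit values decode to a real MSS index: that is the forgery check.
            return MSS_TABLE[mss_index] if mss_index < len(MSS_TABLE) else None
    return None


def on_syn(secret: bytes, saddr: bytes, daddr: bytes, sport: int, dport: int,
           client_isn: int, mss: int, now: int) -> dict:
    """Proxy side of step 2: answer a SYN with a SYN-ACK whose sequence number is the cookie.
    Nothing is stored; a spoofed SYN that never gets an ACK costs only this one hash."""
    cookie = make_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now)
    return {"seq": cookie, "ack": (client_isn + 1) & 0xFFFFFFFF}


def on_ack(secret: bytes, saddr: bytes, daddr: bytes, sport: int, dport: int,
           seq: int, ack: int, now: int):
    """Proxy side of step 3: the ACK carries seq = client_isn + 1 and ack = cookie + 1.
    A non-None result means the handshake is genuine and the proxy may open the
    backend connection (with the returned MSS) and splice the two sides together."""
    return check_syn_cookie(secret, saddr, daddr, sport, dport,
                            (seq - 1) & 0xFFFFFFFF, (ack - 1) & 0xFFFFFFFF, now)


if __name__ == "__main__":
    secret = b"rotate-me-regularly"  # placeholder; derive from a CSPRNG and rotate in production
    sa, da = bytes([51, 15, 20, 3]), bytes([198, 51, 100, 10])
    synack = on_syn(secret, sa, da, 51515, 443, 123456789, 1460, 1700000000)
    mss = on_ack(secret, sa, da, 51515, 443, 123456790, synack["seq"] + 1, 1700000000)
    print("genuine client: MSS", mss)
    print("spoofed source:", on_ack(secret, bytes([10, 0, 0, 1]), da, 51515, 443,
                                    123456790, synack["seq"] + 1, 1700000000))
```

The design trade-off is the same one the kernel makes: validity is a 24-bit check with only four acceptable decodings, so a blind guess succeeds with probability about 2^-22 per ACK, and the 64-second counter bounds replay. Put the proxy on the Linux box itself and you get this behaviour from net.ipv4.tcp_syncookies; the point of writing it out is to see why the SYN flood no longer fills a backlog.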

#BOGON CONFIG EXAMPLE (Cisco IOS-XR RPL, IPv4):

This filters bogon prefixes out of the BGP updates you accept from a neighbor. It does not drop packets that carry a bogon source address; for that you need an ingress ACL (or uRPF) on the edge interfaces. In IOS-XR a route that is not explicitly passed by a route-policy is dropped, so the else/pass branch is required; without it the policy would throw away every route the neighbor sends.

prefix-set BOGON_IP_BLOCKS
  0.0.0.0/8 le 32,
  10.0.0.0/8 le 32,
  100.64.0.0/10 le 32,
  127.0.0.0/8 le 32,
  169.254.0.0/16 le 32,
  172.16.0.0/12 le 32,
  192.0.0.0/24 le 32,
  192.0.2.0/24 le 32,
  192.88.99.0/24 le 32,
  192.168.0.0/16 le 32,
  198.18.0.0/15 le 32,
  198.51.100.0/24 le 32,
  203.0.113.0/24 le 32,
  224.0.0.0/4 le 32,
  240.0.0.0/4 le 32
end-set
!
route-policy BGP_FILTER_IN
  if destination in BOGON_IP_BLOCKS then
    drop
  else
    pass
  endif
end-policy

Apply it inbound under each eBGP neighbor’s address-family with “route-policy BGP_FILTER_IN in”. The prefix-set is IPv4 only; IPv6 needs its own set. Bogon space changes as new allocations are made, so refresh the list from a maintained source (Team Cymru publishes one) rather than hand-editing it.

#CLOUD SOLUTIONS
Azure = Azure DDoS Protection (Sentinel is Azure’s SIEM, not a DDoS product)
AWS = Shield