defending the indefensible

Recommendations

Info

BPF bytecode ! ldx 4*([14]&0xf)! ld #34! add x! tax! lb_0:! ldb [x + 0]! add x! add #1! tax! ld [x + 0]! jneq #0x07657861, lb_1! ld [x + 4]! jneq #0x6d706c65, lb_1! ld [x + 8]! jneq #0x03636f6d, lb_1! ldb [x + 12]! jneq #0x00, lb_1! ret #1! lb_1:! ret #0! 22
Tcpdump expressions • Originally: tcpdump -n “udp and port 53” • xt_bpf implemented in 2013 by Willem de Bruijn • Need to deal with BPF byte code • Tools around it are scarce (tcpdump expressions) • Tcpdump expressions are limited - for example matching valid DNS packets case insensitive • Need to hand-craft BPF 23
Page 1 and 2: Lessons from defending the indefens
Page 3 and 4: DoS is a hard problem Attacker Visi
Page 5 and 6: Congestion Network stack Slow respo
Page 7 and 8: Your Linux needs your help 7
Page 9 and 10: Congestion ! $ netstat -s! Tcp:! ..
Page 11 and 12: BGP null routing ! route 198.41.222
Page 13 and 14: High volume packet floods 13
Page 15 and 16: Looks like this Packets per second
Page 17 and 18: Drop! 17
Page 19 and 20: Packet characteristics ! • packet
Page 21: Payload matching with BPF ! iptable
Page 25 and 26: 25
Page 27 and 28: Modern NIC's RX Queue #1 Ethernet N
Page 29 and 30: Partial kernel bypas RX Queue #1 Et
Page 31 and 32: Iptables offload RX Queue #1 Ethern
Page 33 and 34: ACK floods ! IP 48.60.32.50.15244 >
Page 35 and 36: Fight for the lock CPU #1 ! Etherne
Page 37 and 38: ~1.2M pps 37
Page 39 and 40: SYN floods ! IP 94.242.250.109.4733
Page 41 and 42: SYN in Linux SYN+ACK SYN SYN backlo
Page 43 and 44: SYN backlog churn ! sysctl -w net.i
Page 45 and 46: SYN cookies ACK SYN+ACK SYN Listen
Page 47 and 48: 0.3M pps 47
Page 49 and 50: Recent changes • The idea is to r
Page 51 and 52: Real TCP/IP connections 51
Page 53 and 54: Symptoms • Connection count grows
Page 55 and 56: Iptables to the rescue • Ipset
Page 57 and 58: Note on large botnets ! GET /forum.
Page 59 and 60: Tip: sflow switch sflow switch serv
Page 61: Takeaways • You WILL null-route

defending the indefensible

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?