Internet Facing VMs and the DDoS Problem, Wido den Hollander, Your.Online
ShapeBlue
23 slides
Oct 14, 2024
About This Presentation
When connected to the internet, it is probably just a matter of time before one of your VMs is under a DDoS attack. In this session, Wido covered how CloudStack handles this and what you can do about it.
--
The CloudStack European User Group 2024 took place on September 19th in Frankfurt, Germany. This year's event was another successful User Group for the community. The event drew a strong audience, highlighting the growth of the CloudStack community in the region.
Slide Content
Internet facing VMs and the DDoS problem
19.09.2024
Public
Who am I?
Wido den Hollander
• Wido den Hollander (1986)
• Born and live in the Netherlands
• Married, two sons (2020 and 2022)
• CTO @ Your.Online
• Started my own hosting company in 2003
• My company became part of Your.Online in 2018
• I’m a tech guy
  • Linux
  • Networking
  • Development
  • Architecture
• Open Source & Tech
  • Apache CloudStack developer and PMC member
  • Ceph evangelist
  • IPv6 fanatic
1) Don’t ask me, I’ll talk way too long! ;-)
Who is Your.Online?
Introduction to Your.Online
Your.Online is a team of pioneers from all over the world united by the passion of helping businesses succeed online. Our teams of local experts provide highly standardized managed services to high-intent customers to reach their full online potential. We cherish our successful track record in acquiring, developing, and empowering strong local brands to lead their markets.
[Infographic: market position and FTE counts of the Your.Online brands, with the markets they expand into]
Infrastructure at Your.Online
Apache CloudStack @ Your.Online
We love CloudStack!
• We run two large Apache CloudStack deployments
  • Yourhosting in the Netherlands
  • Axarnet in Spain
• More deployments coming!
Internet facing
Our services are public
These services all have public IPv4 and IPv6 addresses
• Webservers
• DNS servers
• E-Mail
• VPS
• These are DDoS magnets!
DDoS attacks
What kind of DDoS attacks?
• Layer 3: Bandwidth saturation
  • Just send 10s or 100s of Gigabits of data towards an IP
• Layer 4: TCP SYN-flood attacks
  • Send a massive amount of TCP SYN packets towards an IP
• Layer 7:
  • DNS amplification attacks
  • DNS random record attack
  • HTTP Slowloris
  • HTTP flooding
  • HTTP TLS attacks
  • Many, many, many more
Security
We have firewalls!
• Firewalls protect me against a DDoS! Nope
  • They can get saturated quickly
    • Bandwidth exhaustion
    • Concurrent sessions
    • Packets/s
Security
I will buy a bigger firewall!
• There is always somebody with a bigger gun
• Local firewalls aren’t sufficient
The person with this bigger gun can be a DDoS-er with just a bunch of machines and the hping3 tool. (And a network which doesn’t do outbound traffic filtering by implementing BCP38)
IP-Address spoofing
Best Current Practice 38: Prevent spoofed IP packets from leaving your network
“BCP38 is RFC2827: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing.”
Security Groups
CloudStack’s security groups
• Many networks do not check their outbound packets and allow IP spoofing
• CloudStack’s security groups do prevent source address spoofing
  • ip(6)tables uses an ipset to check the source of each packet
  • This doesn’t help you when you are the victim of the attack
  • Helps to prevent that your network takes part in a DDoS attack using spoofed packets
• Security Groups are ip(6)tables rules on the hypervisor
  • Shared Networks with KVM
  • They control which traffic is allowed for a VM
    • Ingress
    • Egress
  • They use stateful connection tracking
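What the ipset-based source check on the hypervisor looks like in practice, as an added example that is not CloudStack's own security_group.py: it generates the ipset and ip(6)tables commands that let packets out of one VM's interface only when their source address was assigned to that VM. It assumes a bridged KVM setup where the VM's tap device (vnet12 here) is a bridge port, so outbound packets traverse FORWARD and can be matched with physdev; set names and the hypervisor chain are illustrative.

```python
import ipaddress
from typing import Iterable, List

# Added example (not CloudStack code): BCP38-style egress filtering for one VM.
# Assumption: the VM's tap device is a bridge port, so its packets cross the
# FORWARD chain and can be selected with "-m physdev --physdev-in <vif>".
# ARP spoofing is not covered here; that needs ebtables/arptables in addition.

def antispoof_rules(vif: str, addresses: Iterable[str]) -> List[str]:
    """Return the shell commands that drop packets leaving `vif` whose source
    address is not one the VM was assigned. Raises ValueError on a bad address."""
    v4: List[str] = []
    v6: List[str] = []
    for a in addresses:
        ip = ipaddress.ip_address(a)  # reject garbage before it reaches a rule
        (v4 if ip.version == 4 else v6).append(str(ip))

    cmds: List[str] = []
    for family, ips, tool in (("inet", v4, "iptables"), ("inet6", v6, "ip6tables")):
        setname = f"{vif}-src-{family}"  # illustrative naming, one set per VM and family
        cmds.append(f"ipset create {setname} hash:ip family {family} -exist")
        for ip in ips:
            cmds.append(f"ipset add {setname} {ip} -exist")
        if family == "inet6":
            # Neighbour discovery is sent from link-local sources; never block it.
            cmds.append(f"{tool} -A FORWARD -m physdev --physdev-in {vif} "
                        f"-s fe80::/10 -p ipv6-icmp -j ACCEPT")
        # Everything else leaving the VM with a source outside the set is dropped,
        # so a compromised VM cannot contribute spoofed packets to a DDoS.
        cmds.append(f"{tool} -A FORWARD -m physdev --physdev-in {vif} "
                    f"-m set ! --match-set {setname} src -j DROP")
    return cmds
```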
Connection tracking
Stateful vs. Stateless Filtering
Stateless Filtering
Each packet is processed in isolation without regard to any other packets. Traditional firewalls only consider packet headers (source/destination IP, port, etc.) for filtering.
Stateful Filtering
The firewall keeps track of the state of network connections. It monitors the entire session (e.g., a TCP handshake) and applies rules based on the state of the connection.
Stateful connection tracking
What is the downside of Stateful connection tracking?
• State Table Limits: The state table that tracks connections has finite limits. On very high-traffic systems (like web servers or firewalls in large enterprise environments), this table can become full, leading to legitimate connections being dropped.
• State Table Exhaustion (DoS Attack): Attackers can exploit stateful connection tracking by initiating a large number of connections to fill up the state table, leading to a Denial of Service (DoS). Once the table is full, the firewall may start dropping legitimate connections.
Stateful connection tracking: hping3
Stateful connection tracking: hping3
Stateful connection tracking: State Table Exhaustion
Stateful connection tracking
State Table Exhaustion
• This affects all VMs running on the same hypervisor
  • Only if you are using Shared Networks
  • The HV then performs the filtering locally using ip(6)tables
• In VPC networks the SG runs on the VR
  • This suffers even more from this problem!
  • I have limited experience with VPCs
• It can affect connections from and to the hypervisor
  • NFS, Ceph & iSCSI
• You can’t just keep increasing the limit
  • With hundreds or thousands of connections per second you will run out of memory very quickly
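Because a full conntrack table silently drops legitimate connections, including the hypervisor's own storage sessions, the state described above is worth detecting before it bites. The following health check is an added example, not code from the talk: it reads the kernel's conntrack counters and turns them into a verdict. The sample stat text and the nf_conntrack_max value are constructed; on a real Linux hypervisor `read_live()` reads the same data from /proc.

```python
from dataclasses import dataclass

# Added example, not from the talk: conntrack table pressure for a hypervisor
# health check, from /proc/net/stat/nf_conntrack and nf_conntrack_max. The
# file's columns differ between kernels, so they are looked up by header name.

# Constructed sample of /proc/net/stat/nf_conntrack (one hex row per CPU).
SAMPLE_STAT = """\
entries  clashres found new invalid ignore delete chainlength insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete search_restart
0003e800 00000000 0000a8b1 00000000 00000031 00000000 00000000 00000000 00000000 00000048 00000000 00000017 00000003 00000000 00000000 00000000 0000011f
0003e800 00000000 00009f10 00000000 0000002c 00000000 00000000 00000000 00000000 0000003b 00000000 0000000f 00000001 00000000 00000000 00000000 000000f3
"""
SAMPLE_MAX = 262144  # constructed value of net.netfilter.nf_conntrack_max

@dataclass
class ConntrackPressure:
    entries: int        # live entries (a global count, repeated on every CPU row)
    max_entries: int    # nf_conntrack_max
    insert_failed: int  # lifetime count of new flows refused because the table was full
    early_drop: int     # lifetime count of entries evicted early to make room

    @property
    def utilisation(self) -> float:
        return self.entries / self.max_entries

    def verdict(self, warn: float = 0.8) -> str:
        # Both counters never reset: a periodic check should alert on their delta.
        if self.insert_failed or self.early_drop:
            return "exhausted"
        return "warning" if self.utilisation >= warn else "ok"

def parse_nf_conntrack_stat(text: str, max_entries: int) -> ConntrackPressure:
    lines = [l for l in text.splitlines() if l.strip()]
    cols = lines[0].split()
    rows = [dict(zip(cols, (int(v, 16) for v in l.split()))) for l in lines[1:]]
    if not rows:
        raise ValueError("no per-CPU rows in nf_conntrack stat")
    return ConntrackPressure(
        entries=rows[0]["entries"],
        max_entries=max_entries,
        insert_failed=sum(r.get("insert_failed", 0) for r in rows),
        early_drop=sum(r.get("early_drop", 0) for r in rows),
    )

def read_live() -> ConntrackPressure:
    # Real counters on a Linux hypervisor; needs the nf_conntrack module loaded.
    with open("/proc/net/stat/nf_conntrack") as f:
        stat = f.read()
    with open("/proc/sys/net/netfilter/nf_conntrack_max") as f:
        return parse_nf_conntrack_stat(stat, int(f.read()))
```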
Solutions
Improving CloudStack
• We can’t fix everything with CloudStack
  • Some DDoS attacks are just too big and will overwhelm your network
  • Many attacks can however be handled by your network
  • But it’s your Linux hypervisor which can’t keep up with the packets/second
• We could make the Security Groups modular in the KVM Agent
  • The default driver would use security_group.py as it does now
  • Additional drivers could use different methods to achieve the same end result
Security Groups
Driver options and capabilities
Tiered Filtering
• First line of defense is stateless
• We carefully select which packets to inspect stateful
• And thus track the connection
Hardware Packet Filtering
• Certain NICs support this
  • Mellanox
  • Intel
• Requires implementation per vendor/situation?
eBPF
• Extended Berkeley Packet Filter
• Built-in in Linux kernel since 3.18
• Run custom code in the kernel which can do packet filtering
• High-performance packet filtering
• Integration with iptables is available
• bpfilter is on its way (1)
Custom Solution
• Easy to plug your own solution on the hypervisor-level
• Implement a driver which suits your specific situation/needs
A driver might need to use a combination of the options mentioned here
1) https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/
Solutions
Is it that easy?
• I don’t think so
• This will need proper investigation
• Current implementation can be improved
• Modularity would however be very welcome
• Any volunteers?
Solutions
What does Your.Online do?
• I won’t make attackers smarter than needed
• We use a combination of things
1. Flow analysis on incoming packets
  • Juniper routers provide Flow data
  • FastNetMon analyzes the flows
  • We can filter a specific /32 (IPv4) or /128 (IPv6)
2. Hardware firewall machines optimized to filter specific, common, DDoS attacks
  • A single destination IP-address can be filtered by these machines
  • These machines are strategically placed in our network and have high capacity connections
3. In case it’s too much we offload to external carriers
  • They then do their magic
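The first step of that chain, flow analysis picking out a single /32 or /128 for the filtering tier, as an added example that is neither FastNetMon nor Your.Online code: it aggregates router flow exports per destination host over one window and returns the host prefixes whose packet or bit rate crosses a threshold. The flow records, thresholds, window length and sampling rate are all constructed.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List

# Added example (not FastNetMon or Your.Online code): per-destination rate
# check over sampled flow exports. All records and thresholds are constructed.

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    packets: int
    octets: int

def ddos_targets(flows: Iterable[Flow], window_s: float, sample_rate: int,
                 pps_limit: float, mbps_limit: float) -> List[str]:
    """Aggregate sampled flows per destination host over one export window and
    return the host prefixes (/32 or /128) whose rate exceeds either threshold."""
    pkts: dict = defaultdict(int)
    octs: dict = defaultdict(int)
    for f in flows:
        dst = ipaddress.ip_address(f.dst)       # ValueError on a malformed export
        pkts[dst] += f.packets * sample_rate    # undo 1:N flow sampling
        octs[dst] += f.octets * sample_rate
    targets = []
    for dst in pkts:
        pps = pkts[dst] / window_s
        mbps = octs[dst] * 8 / window_s / 1e6
        if pps > pps_limit or mbps > mbps_limit:
            # The filtering tier acts on a single host prefix, as the slides say.
            targets.append(f"{dst}/{dst.max_prefixlen}")
    return sorted(targets)

# Constructed 60-second window: one normal web flow, 40-byte packets from 200
# sources aimed at 203.0.113.7 (a SYN flood pattern), and a high-bandwidth
# flood aimed at an IPv6 DNS server.
SAMPLE_FLOWS = [Flow("198.51.100.4", "203.0.113.10", 1200, 1_500_000)]
SAMPLE_FLOWS += [Flow(f"192.0.2.{i}", "203.0.113.7", 5000, 200_000) for i in range(1, 201)]
SAMPLE_FLOWS += [Flow("2001:db8:1::1", "2001:db8::53", 80_000, 120_000_000)]
```

The packet-rate threshold is what catches small-packet floods that never saturate bandwidth, which is the case the hypervisor's conntrack table suffers from most.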