The New DDoS Landscape

Partially re-posted from Cloudflare:

“News outlets and blogs will frequently compare DDoS attacks by the volume of traffic that a victim receives. Surely this makes some sense, right? The greater the volume of traffic a victim receives, the harder to mitigate an attack – right?

At least, this is how things used to work. An attacker would gain capacity and then use that capacity to launch an attack. With enough capacity, an attack would overwhelm the victim’s network hardware with junk traffic such that they can no longer serve legitimate requests. If your web traffic is served by a server with a 100 Gbps port and someone sends you 200 Gbps, your network will be saturated and the website will be unavailable.

Recently, this dynamic has shifted as attackers have gotten far more sophisticated. The practical realities of the modern Internet have increased the amount of effort required to clog up the network capacity of a DDoS victim – attackers have noticed this and are now choosing to perform attacks higher up the network stack.”

DDoS against VLC.

“Attackers can order their Botnets to perform attacks against websites using “Headless Browsers” which have no user interface. Such Headless Browsers work exactly like normal browsers, except that they are controlled programmatically instead of being controlled via a window on a user’s screen.

Botnets can use Headless Browsers to effectively make HTTP requests that load and behave just like ordinary web requests. As this can be done programmatically, they can order bots to repeat these HTTP requests rapidly – effectively taking up the entire capacity of a website, taking it offline for ordinary visitors.”

Advice for developers here!

“For applications to be resilient to DDoS attacks, it is no longer enough to use a large network. A large network must be complemented with tooling that is able to filter malicious Application Layer attack traffic, even when attackers are able to make such attacks look near-legitimate.”
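
Filtering application-layer floods means judging request behaviour rather than request appearance, because a headless browser sends well-formed HTTP with an ordinary User-Agent. The following is an added example, not Cloudflare's code or anything from the quoted posts: a per-client sliding-window request counter run over constructed access-log lines in the combined log format. The IP addresses, timestamps, the threshold (more than 10 requests in any 10-second window) and the `parse_line`/`find_floods` names are assumptions chosen for the illustration; the log lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def find_floods(lines, window_seconds=10, max_requests=10):
    """Per-client sliding-window request counter (assumed helper, not Cloudflare's).

    Lines must be in time order. Returns {ip: peak_requests_in_window} for every client
    that sent more than max_requests within any window_seconds span. Nothing about the
    request itself (UA, path, status) is consulted: a headless browser produces requests
    that pass those checks, so rate and behaviour are what remain to filter on.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # skip unparseable lines rather than fail on them
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_requests:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# --- Constructed sample traffic (not real logs) ---------------------------------
UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
      "Chrome/45.0.2454.85 Safari/537.36")
T0 = datetime(2015, 10, 10, 13, 55, 36, tzinfo=timezone.utc)


def make_line(ip, ts, path):
    """Build a combined-format line; both clients use the same ordinary browser UA on purpose."""
    return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" 200 5120 "-" "{UA}"'


_events = []
# A human visitor: three page loads spread over half a minute.
for offset in (0, 4, 30):
    ts = T0 + timedelta(seconds=offset)
    _events.append((ts, make_line("203.0.113.10", ts, "/index.html")))
# A bot-driven headless browser: fifteen full page loads in seven seconds.
for i in range(15):
    ts = T0 + timedelta(seconds=2, milliseconds=500 * i)
    _events.append((ts, make_line("198.51.100.7", ts, "/index.html")))
SAMPLE_LINES = [line for _, line in sorted(_events)]

if __name__ == "__main__":
    for ip, peak in find_floods(SAMPLE_LINES).items():
        print(f"{ip}: {peak} requests inside a 10 s window")
```

The two clients are indistinguishable by User-Agent, path or status code; only the request rate separates them, which is the point of the quoted advice that a large network must be paired with application-layer filtering.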


A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography – CloudFlare

This provides a really good explanation of Elliptic Curve Cryptography (ECC) and includes a fantastic real-world analogy:

“By this measure, breaking a 228-bit RSA key requires less energy than it takes to boil a teaspoon of water. Comparatively, breaking a 228-bit elliptic curve key requires enough energy to boil all the water on earth. For this level of security with RSA, you’d need a key with 2,380 bits.”

CloudFlare have also just blogged about their use of ECC when signing DNSSEC responses. The result is a very strong key with a significantly smaller response size (1181 bytes vs. 313 bytes).

Their engineer (Vlad Krasnov) even implemented the ECDSA signature algorithm in assembler, speeding up signing by 21x!

CloudFlare’s reason for doing this is to limit DNS reflection as a vector for DDoS attacks.

“By keeping our packet size small enough to fit in a 512 byte UDP packet, we keep the domains on us safe from being the amplification factor of a DDoS attack.”
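
To see why the signature algorithm decides whether a signed response fits in 512 bytes, the following added example (not Cloudflare's code and not from the quoted post) estimates the uncompressed wire size of a signed DNSKEY response from the RFC 4034 field layout for a 2048-bit RSA/SHA-256 key versus ECDSA P-256, and the resulting amplification factor relative to the query. The zone name, the two-key/one-RRSIG layout and the function names are assumptions; name compression is ignored, so real responses are somewhat smaller, and the figures produced are not the 1181/313-byte numbers quoted above.

```python
# Wire-format field sizes from RFC 4034 (RRSIG, DNSKEY), RFC 3110 (RSA key encoding),
# RFC 6605 (ECDSA P-256 key and signature encoding) and RFC 6891 (EDNS0 OPT record).
DNS_HEADER = 12
RR_FIXED = 2 + 2 + 4 + 2          # TYPE, CLASS, TTL, RDLENGTH (owner name counted separately)
OPT_RR = 1 + RR_FIXED             # EDNS0 OPT pseudo-RR: root owner name, no options
RRSIG_FIXED = 2 + 1 + 1 + 4 + 4 + 4 + 2  # type covered, algorithm, labels, orig TTL,
                                          # expiration, inception, key tag
DNSKEY_FIXED = 2 + 1 + 1          # flags, protocol, algorithm
UDP_LIMIT = 512                   # classic DNS-over-UDP payload limit the quote refers to

SIGNATURE_BYTES = {
    "RSASHA256-2048": 256,          # an RSA signature is as long as the modulus
    "ECDSAP256SHA256": 64,          # r || s, 32 bytes each
}
PUBLIC_KEY_BYTES = {
    "RSASHA256-2048": 1 + 3 + 256,  # exponent-length byte, exponent 65537, 2048-bit modulus
    "ECDSAP256SHA256": 64,          # x || y of the public point, no prefix byte
}


def name_wire_length(name):
    """Uncompressed wire length of a domain name: a length byte per label plus the root byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


def rrsig_rdata_length(algorithm, signer_name):
    """RDATA length of one RRSIG record signed with the given algorithm."""
    return RRSIG_FIXED + name_wire_length(signer_name) + SIGNATURE_BYTES[algorithm]


def query_size(qname, edns=True):
    """Size of the DNSKEY query itself: header, question section, optional OPT record."""
    return DNS_HEADER + name_wire_length(qname) + 4 + (OPT_RR if edns else 0)


def dnskey_response_size(zone, algorithm, n_keys=2, edns=True):
    """Estimated size of a signed DNSKEY response: n_keys DNSKEY records plus one RRSIG.

    Assumed layout (not taken from Cloudflare): the RRset is covered by a single RRSIG
    and names are not compressed, so this is an upper bound on a real server's answer.
    """
    owner = name_wire_length(zone)
    size = DNS_HEADER + owner + 4                       # header + question section
    size += n_keys * (owner + RR_FIXED + DNSKEY_FIXED + PUBLIC_KEY_BYTES[algorithm])
    size += owner + RR_FIXED + rrsig_rdata_length(algorithm, zone)
    if edns:
        size += OPT_RR
    return size


def fits_in_udp(size, limit=UDP_LIMIT):
    """True when the response stays within the classic UDP payload limit."""
    return size <= limit


def amplification_factor(zone, algorithm, n_keys=2):
    """Ratio of response bytes to query bytes: how much a reflecting resolver would amplify."""
    return round(dnskey_response_size(zone, algorithm, n_keys) / query_size(zone), 1)


if __name__ == "__main__":
    zone = "example.com."   # constructed zone name
    for alg in SIGNATURE_BYTES:
        size = dnskey_response_size(zone, alg)
        print(f"{alg:16} DNSKEY response ~{size} bytes, fits in {UDP_LIMIT}-byte UDP: "
              f"{fits_in_udp(size)}, amplification x{amplification_factor(zone, alg)}")
```

With two keys and one signature, the RSA response lands well over 512 bytes while the ECDSA one stays comfortably under it, and the response-to-query ratio drops by roughly a factor of three; that smaller ratio is what makes the zone an unattractive reflector.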


Source: A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography
