DDoSs and What the Average Person Can Do About It
Tony Bemus
Penguicon 2019
bemushosting.com/security

What is it?
Who is doing it?
What do they use?
Why are they doing it?
How is it done?
Where do you fit in?
DDoS: What is it?
Distributed
- Describes the attacker or source computers.
Denial of Service
- Denies the resource to the users or customers
- Affects the Availability of the resource (website, internet access or other services)
State of the DDoS
Worldwide Infrastructure Security Report
1.7 Tbps attacks (increase of 273%)
Cloud and CDN services
Availability?
CIA Triad
Confidentiality: keeping things secret
Integrity: ensuring accurate or unchanged info
Availability: making sure the system is available when someone needs it.
Who is doing it?
- Nation States
- Protesters
- Criminal Organizations
- Disgruntled workers


What do they use?
- Botnets are hijacked connected devices
  Compromised devices, home routers, IoT, etc.
- Spoofed IP addresses
- Other servers on the internet (reflection/amplification attacks)
Why?
- Extortion
- Political Motivations
- Hacktivism
- Competition
- Vandalism
- Distraction

HOW is it done?
High Bandwidth Attacks
Traffic flood: ICMP/Ping, SYN
Reflection, Amplification: UDP (DNS, NTP)

HOW is it done?
Low Bandwidth Attacks
Application attacks (L7)
- Slowloris
- HTTP GET flood
- SIP INVITE flood

HOW is it done?
Connection Attacks
TCP flood attacks: TCP SYN, TCP FIN, TCP RST, TCP flags

(Figure) Wireshark example of good TCP connections
(Figure) Wireshark pcap example of a SYN attack
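What the two Wireshark screenshots show is visible in flow records too: a normal client finishes the three-way handshake, while a SYN flood leaves many half-open connections, and a reflection attack shows UDP responses from DNS or NTP servers that are far larger than (or have no) matching requests. The following is an added example, not part of the talk: a small Python detector that reads a constructed CSV sample in a tshark-style column layout (`proto,src,sport,dst,dport,flags,bytes`, a format assumed here for illustration) and reports listening ports with a poor handshake-completion ratio (the connection-attack slide) and client/server pairs with a high UDP amplification factor (the reflection/amplification slide). All addresses and thresholds are constructed.

```python
"""Added example (not from the talk): spot a SYN flood and DNS/NTP
amplification in constructed flow records.

Assumed input format (one record per line):
    proto,src,sport,dst,dport,flags,bytes
For TCP, `flags` is a string of flag letters such as "S", "SA", "A";
for UDP it is empty.  The sample below is constructed, not a real capture.
"""
from collections import defaultdict

SAMPLE = """\
tcp,203.0.113.5,40001,198.51.100.10,443,S,60
tcp,198.51.100.10,443,203.0.113.5,40001,SA,60
tcp,203.0.113.5,40001,198.51.100.10,443,A,52
tcp,203.0.113.6,40002,198.51.100.10,443,S,60
tcp,198.51.100.10,443,203.0.113.6,40002,SA,60
tcp,203.0.113.6,40002,198.51.100.10,443,A,52
tcp,198.18.0.1,1000,198.51.100.10,80,S,60
tcp,198.18.0.2,1000,198.51.100.10,80,S,60
tcp,198.18.0.3,1000,198.51.100.10,80,S,60
tcp,198.18.0.4,1000,198.51.100.10,80,S,60
tcp,198.18.0.5,1000,198.51.100.10,80,S,60
tcp,198.18.0.6,1000,198.51.100.10,80,S,60
tcp,198.51.100.10,80,198.18.0.1,1000,SA,60
tcp,198.51.100.10,80,198.18.0.2,1000,SA,60
udp,198.51.100.10,53000,192.0.2.53,53,,64
udp,192.0.2.53,53,198.51.100.10,53000,,120
udp,192.0.2.53,53,198.51.100.10,53000,,3200
udp,192.0.2.53,53,198.51.100.10,53000,,3200
udp,192.0.2.123,123,198.51.100.10,41000,,468
udp,192.0.2.123,123,198.51.100.10,41000,,468
"""

# Well-known reflector services; responses from these source ports are
# compared against the requests that should have preceded them.
REFLECTOR_PORTS = {53: "dns", 123: "ntp"}


def parse(text):
    """Parse the CSV text into a list of record dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport, flags, size = line.split(",")
        records.append({"proto": proto, "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "flags": flags,
                        "bytes": int(size)})
    return records


def syn_flood_candidates(records, min_syn=5, max_completion=0.5):
    """For each listening dst:port, compare SYNs received with handshakes
    completed.  A handshake counts as completed when a packet with flags
    exactly 'A' arrives on a 4-tuple that earlier sent a SYN.  Services with
    at least `min_syn` SYNs and a completion ratio below `max_completion`
    are returned with their statistics."""
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "sources": set()})
    pending = set()  # 4-tuples that sent a SYN and have not yet ACKed
    for r in records:
        if r["proto"] != "tcp":
            continue
        service = f'{r["dst"]}:{r["dport"]}'
        conn = (r["src"], r["sport"], r["dst"], r["dport"])
        if r["flags"] == "S":
            stats[service]["syn"] += 1
            stats[service]["sources"].add(r["src"])
            pending.add(conn)
        elif r["flags"] == "A" and conn in pending:
            stats[service]["completed"] += 1
            pending.discard(conn)
    suspicious = {}
    for service, s in stats.items():
        ratio = s["completed"] / s["syn"] if s["syn"] else 1.0
        if s["syn"] >= min_syn and ratio < max_completion:
            suspicious[service] = {"syn": s["syn"], "completed": s["completed"],
                                   "distinct_sources": len(s["sources"]),
                                   "completion_ratio": ratio}
    return suspicious


def amplification_candidates(records, min_factor=10.0):
    """For each (client, server) pair talking to a reflector port, compute
    response bytes / request bytes.  Responses with no request at all are
    reported with factor None: from the victim's side, unsolicited replies
    are the signature of a reflection attack using its spoofed address."""
    req_bytes, resp_bytes, service_of = defaultdict(int), defaultdict(int), {}
    for r in records:
        if r["proto"] != "udp":
            continue
        if r["dport"] in REFLECTOR_PORTS:          # request: client -> server
            req_bytes[(r["src"], r["dst"])] += r["bytes"]
        elif r["sport"] in REFLECTOR_PORTS:        # response: server -> client
            pair = (r["dst"], r["src"])
            resp_bytes[pair] += r["bytes"]
            service_of[pair] = REFLECTOR_PORTS[r["sport"]]
    suspicious = {}
    for pair, rb in resp_bytes.items():
        qb = req_bytes.get(pair, 0)
        factor = rb / qb if qb else None
        if factor is None or factor >= min_factor:
            suspicious[pair] = {"service": service_of[pair], "request_bytes": qb,
                                "response_bytes": rb, "factor": factor}
    return suspicious


if __name__ == "__main__":
    recs = parse(SAMPLE)
    print("SYN flood candidates:", syn_flood_candidates(recs))
    print("Amplification candidates:", amplification_candidates(recs))
```

On the constructed sample, port 443 completes both handshakes and is not reported, while port 80 sees six SYNs from six sources and no completion; the DNS pair shows 6520 response bytes against a single 64-byte request, and the NTP replies have no request at all. On a real export the thresholds should be tuned to the service's normal baseline.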
Defensive Countermeasures
When an attack hits:
- Proxy / cloud / redirection service
- More bandwidth
- Work with ISP to block the traffic
- Stateless packet filtering
Always on and automated:
- Hardware appliance (not a firewall or IPS)
- Proxy / cloud / redirection service
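The reason the slide separates a dedicated appliance from a firewall or IPS is state: a stateful firewall tracks every half-open connection, so a SYN flood exhausts its connection table, whereas a stateless filter decides on each packet alone (impossible flag combinations, source addresses that cannot legitimately appear on the internet, a per-source SYN rate). The following is an added illustration, not code from the talk or from any product: a Python model of those per-packet decisions, with a per-source token bucket instead of a connection table. The bogon list, the flag rules and the rate limits are illustrative assumptions, and the packet stream is constructed.

```python
"""Added example (not from the talk): the per-packet decisions of a stateless
filter.  Nothing here remembers connections; the only state is a small
token bucket per source address.  Thresholds are illustrative assumptions."""
import ipaddress
from collections import Counter

# Private, loopback and reserved ranges that should never be a source on the
# public internet; packets claiming them are spoofed and can be dropped.
# (Illustrative subset, not a complete bogon list.)
BOGON_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "240.0.0.0/4")]


class SynRateLimiter:
    """Token bucket per source: `rate` SYNs per second, burst of `burst`.
    Timestamps are integer seconds so the arithmetic stays exact."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # src -> (tokens, last_seen)

    def allow(self, src, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return True
        self.buckets[src] = (tokens, now)
        return False


def filter_packet(pkt, limiter, now):
    """Return 'accept' or a 'drop:<reason>' string for one packet dict with
    keys src, proto and flags (TCP flag letters, e.g. 'S', 'SA', 'A')."""
    src = ipaddress.ip_address(pkt["src"])
    if any(src in net for net in BOGON_NETWORKS):
        return "drop:bogon-source"
    if pkt["proto"] != "tcp":
        return "accept"
    flags = set(pkt["flags"])
    # No real stack sends a packet with no flags, or SYN together with FIN/RST.
    if not flags or {"S", "F"} <= flags or {"S", "R"} <= flags:
        return "drop:invalid-flags"
    # Only bare SYNs (new connection attempts) are rate limited per source.
    if flags == {"S"} and not limiter.allow(src, now):
        return "drop:syn-rate"
    return "accept"


def run_sample():
    """Constructed stream: one legitimate client, one RFC 1918 source, two
    malformed packets, and one source sending 10 SYNs in the same second
    followed by a single SYN 19 seconds later.  Returns decision counts."""
    limiter = SynRateLimiter(rate=2, burst=3)
    stream = [
        (0, {"src": "203.0.113.5", "proto": "tcp", "flags": "S"}),
        (0, {"src": "203.0.113.5", "proto": "tcp", "flags": "A"}),
        (0, {"src": "10.1.2.3", "proto": "tcp", "flags": "S"}),
        (0, {"src": "203.0.113.9", "proto": "tcp", "flags": ""}),
        (0, {"src": "203.0.113.9", "proto": "tcp", "flags": "SF"}),
    ]
    stream += [(1, {"src": "198.18.0.1", "proto": "tcp", "flags": "S"})] * 10
    stream.append((20, {"src": "198.18.0.1", "proto": "tcp", "flags": "S"}))
    decisions = Counter()
    for now, pkt in stream:
        decisions[filter_packet(pkt, limiter, now)] += 1
    return decisions


if __name__ == "__main__":
    for decision, count in sorted(run_sample().items()):
        print(f"{decision:22s} {count}")
```

With a burst of 3, the first three SYNs of the burst pass and the remaining seven are dropped by rate, yet the same source is accepted again once its bucket has refilled; at no point does the filter need a connection table, so a flood of spoofed sources cannot fill one.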


Proactive Countermeasures
Where do you fit in?
Take steps to not become part of a botnet:
- Patch your devices
- Enable firewalls
- Change default passwords
- Be vigilant against phishing attacks
- Update your anti-virus and anti-malware
Sources
A Cisco Guide to Defending Against Distributed Denial of Service Attacks
Arbor Networks and Silver Back communications
NetScout DDoS and Network Visibility
NetScout WISR
About me
Tony Bemus
Bemushosting
https://bemushosting.com
Sunday Morning Linux Review
https://smlr.us
NetScout Arbor Cloud SOC
https://www.netscout.com/arbor-ddos
This Presentation:
https://bemushosting.com/security