3. How does CloudFlare Work?
CloudFlare works at the network level.
• Once a website is part of the CloudFlare community, its web traffic is routed through CloudFlare’s global network
of 24 (and growing) data centers.
• At each edge node, CloudFlare manages DNS, caching, bot filtering, web content optimization and third party app
installations.
4. IPv6 Gateway
With the Internet's explosive growth and the number of on-net devices closing in on IPv4's maximum capacity, CloudFlare now offers an automatic IPv6 gateway seamlessly bridging the IPv4 and IPv6 networks.
• For most businesses, upgrading to the IPv6 protocol is costly and time consuming.
• CloudFlare's solution requires NO hardware, software, or other infrastructure changes by the site owner or hosting provider.
• Enabled via the flip of a switch on the site owner's CloudFlare dashboard.
• Users can choose two options: (FULL), which enables IPv6 on all subdomains that are CloudFlare Enabled, or (SAFE), which automatically creates specific IPv6-only subdomains (e.g. www.ipv6.yoursite.com).
6. DDoS Overview
• The purpose of a DDoS is to overwhelm an internet resource, to take it offline.
• This can be:
• Volumetric (e.g. high Gbps, high PPS or SYN flooding), to overwhelm the infrastructure behind the website / resource.
SYN floods overwhelm the
• Application based (e.g. excessive HTTP POST or search), to overwhelm the application or server.
• A website suddenly becoming very popular can also look like a DDoS.
7. DDoS Overview
• Growing trend
• Increasing in size all the time
• Attacks greater than 400Gbps+ are now a regular occurrence
• Source: http://www.arbornetworks.com/images/PeakDDoSAttack_rev2.jpg
8. DDoS Overview
• Large scale DDoS is a common occurrence.
• Used for extortion, even for relatively low amounts (US$500 and below).
• Online services are available for the purchase of DDoS attacks.
• Known as 'Booters'.
• A major use is to kick competitors off online games so they forfeit the game.
• Free trials are often available for 'Booters' too!
12. So, what’s this got to do with IPv6?
Aged tools without IPv6 support:
NetFlow (v5):
Interface (SNMP) Graph:
15. So, what’s this got to do with IPv6?
[edit protocols bgp group ROUTESERVER neighbor]
tom@edge01.syd01# set family inet f?
Possible completions:
> flow Include flow NLRI
[edit protocols bgp group ROUTESERVER neighbor]
tom@edge01.syd01# set family inet6 f?
No valid completions
19. So, what’s this got to do with IPv6?
• Without supporting systems, many things may be impeded:
• Ability to identify attacks: no NetFlow data?
• Ability to filter the attacks:
iptables support? (ip6tables)
IP ACLs / access-lists
BGP FlowSpec
Remotely Triggered Black Holing (RTBH)
20. So, what’s this got to do with IPv6?
• So, is this IPv6's fault?
• Looking at the vendors in the room.
• Why is any product released without FULL IPv6 support today?
21. So, what’s this got to do with IPv6?
• A lot of IPv6 deployments feel like "best effort".
• Best effort doesn't cut it under big attacks, and it doesn't cut it for security.
• We all still have a long way to go.
23. IPv6 Attacks in the Wild
• For the most part, in our experience, they're the same as IPv4 based attacks.
• Typically, attack scope is smaller, due to the much smaller number of IPv6 hosts on the internet.
• Not true for all attacks.
24. IPv6 Attacks in the Wild
• DNS cache-busted query attacks.
• Not only an IPv6 attack, but interesting because of how it came in over IPv6.
• Botnet bots query through their normally configured recursors, using random strings which aren't cacheable, so every query reaches the authoritative servers.
25. IPv6 Attacks in the Wild
Queries look like this:
ebepexklyfaxmloh.www.popvote.hk
ktylstudkr.www.popvote.hk
ohunarajmbkrej.www.popvote.hk
wwtdheilzcv.www.popvote.hk
zktvvotoyrewaku.www.popvote.hk
…….
khyhavsnijslyb.www.popvote.hk
gchjpexychflvfv.api-token.popvote.hk
ruqnpvp.api-token.popvote.hk
fapzefvgowzonss.api-token.popvote.hk
mcvhothfketpgre.api-token.popvote.hk
26. IPv6 Attacks in the Wild
• We see about an equal breakdown between normal DNS traffic and attack DNS traffic with IPv4 and IPv6.
• Often in ISP networks, the first thing IPv6 is enabled on is their own infrastructure, e.g. DNS servers.
• When infrastructure is dual stacked, the abuse will follow!
[figure: IPv6 vs. IPv4 share of DNS traffic]
$ host tom.ns.cloudflare.com
tom.ns.cloudflare.com has address 173.245.59.147
tom.ns.cloudflare.com has IPv6 address 2400:cb00:2049:1::adf5:3b93
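The cache-busting pattern on slides 24 to 26 (a fresh random leftmost label per query, arriving over both address families) is something an authoritative operator can spot in query logs. The following is an added example, not CloudFlare's code: it groups queries by parent name, flags parents whose leftmost labels are almost never repeated, and splits the hits by IPv4/IPv6 source. The log lines are constructed, with documentation-range source addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of (source address, queried name) pairs, modelled on the
# query pattern shown on slide 25. Sources are documentation ranges, not real bots.
SAMPLE_LOG = [
    ("192.0.2.10",   "ebepexklyfaxmloh.www.popvote.hk"),
    ("192.0.2.10",   "ktylstudkr.www.popvote.hk"),
    ("192.0.2.11",   "ohunarajmbkrej.www.popvote.hk"),
    ("2001:db8::1",  "wwtdheilzcv.www.popvote.hk"),
    ("2001:db8::1",  "zktvvotoyrewaku.www.popvote.hk"),
    ("2001:db8::9",  "khyhavsnijslyb.www.popvote.hk"),
    ("192.0.2.12",   "gchjpexychflvfv.api-token.popvote.hk"),
    ("2001:db8::2",  "ruqnpvp.api-token.popvote.hk"),
    ("2001:db8::2",  "fapzefvgowzonss.api-token.popvote.hk"),
    ("198.51.100.7", "www.popvote.hk"),   # ordinary, cacheable lookups
    ("2001:db8::77", "www.popvote.hk"),
]


def split_leftmost(qname):
    """Return (leftmost label, remainder) for a query name, normalised."""
    label, _, parent = qname.lower().rstrip(".").partition(".")
    return label, parent


def find_cache_busting(log, min_distinct=3, min_unique_ratio=0.9):
    """Flag parent names whose leftmost label is (almost) never repeated.
    A cache-busting flood uses a fresh label per query, so distinct labels
    approach the query count. Returns {parent: {4: hits, 6: hits}}."""
    labels = defaultdict(set)                      # parent -> distinct labels
    totals = defaultdict(int)                      # parent -> query count
    by_family = defaultdict(lambda: {4: 0, 6: 0})  # parent -> hits per IP version
    for src, qname in log:
        label, parent = split_leftmost(qname)
        if not parent:
            continue  # bare TLD query: nothing to group under
        labels[parent].add(label)
        totals[parent] += 1
        by_family[parent][ipaddress.ip_address(src).version] += 1
    flagged = {}
    for parent, seen in labels.items():
        distinct = len(seen)
        if distinct >= min_distinct and distinct / totals[parent] >= min_unique_ratio:
            flagged[parent] = dict(by_family[parent])
    return flagged
```

Run `find_cache_busting(SAMPLE_LOG)` to see that both `www.popvote.hk` and `api-token.popvote.hk` are flagged with their IPv4/IPv6 split, while the repeated `www` lookups under `popvote.hk` are not.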
27. IPv6 Attacks in the Wild
• These attacks are very effective
• Attacks growing past 100M PPS (packets per second)
• With the prior ratio of IPv6 traffic
• That’s ~20M PPS of IPv6 traffic
28. IPv6 Attacks in the Wild
• About the same amount of IPv6 PPS going across the AMS-IX Internet exchange!
29. IPv6 Attacks in the Wild
• IPv6 SYN Floods (and other flooding based attacks)
• The botnet sends commands/attacks to direct traffic towards a hostname, e.g. example.com
$ host example.com
example.com has address 93.184.216.119
example.com has IPv6 address 2606:2800:220:6d:26bf:1447:1097:aa7
30. IPv6 Attacks in the Wild
• The botnet master may not intend to send traffic towards IPv6 hosts.
• But bots inside the botnet see the AAAA record and send traffic that way.
• IPv6 is the preferred address selection on dual-stack bots.
31. IPv6 Attacks in the Wild
[figure: NetFlow (v5) and interface (SNMP) graphs from aged tools without IPv6 support]
33. IPv6 Attacks in the Wild
• Shows IPv6 adoption is growing, not just in users' networks, but in other parts of the internet.
• Expands the scope of where IPv6 attacks can come in.
• Helps change the IPv4-only mindset.
36. Moving Forward
• We're making sure IPv6 is enabled for everyone.
• Previously, we had IPv6 as an option; now it's default on and enabled for all our customers.
38. Moving Forward
• This is just the tip of the iceberg
• Nothing over IPv6 has been that unique yet
• Most attacks are still directed at an IP (IPv4) Address
• Most sophisticated are still IPv4 only
• Who knows what is coming next?
39. Moving Forward
• Unless we can see what's happening now, we can't know what to expect going forward.
• Except that if you're not prepared with the same principles as in IPv4 security, IPv6 will byte you.
• Once you've reached parity between IPv4 and IPv6, the issue of IPv4 v. IPv6 in attacks is moot.