
How BGP FlowSpec Swats Away DDoS Attacks

  • Published 7 Aug 2024
  • Start learning cybersecurity with CBT Nuggets. courses.cbt.gg/security
    In this video, CBT Nuggets trainer Knox Hutchinson covers understanding FlowSpec's primary use case: thwarting a DDoS attack.
    When learning about FlowSpec and how it works, it's important to take a closer look at DDoS attacks. The days of run-of-the-mill DDoS attacks are gone; far more sophisticated attacks, such as amplification attacks, are now common. FlowSpec coordinates the implementation of firewall policies between a customer and a service provider so that DDoS attacks are stopped before they can even begin. Knox dives deep into a network topology to show you first-hand how FlowSpec operates and what a DDoS attack is actually doing.
    🔒 Download the Free Ultimate Security Cert Guide: blog.cbt.gg/dpyr
    ⬇️ 15-Week Study Plan: CCNP Security Core (350-701 SCOR): blog.cbt.gg/rlfd
    Start learning with CBT Nuggets:
    • Describe Network Switch Functions and How to Locate Network Devices | courses.cbt.gg/8s0

COMMENTS • 16

  • @nomayor1
    @nomayor1 2 years ago

    Thank you for taking the time to make this video.

  • @PouriyaJamshidi
    @PouriyaJamshidi 2 years ago +5

    The provided HTTP amplification attack example will not work. That API node has to first establish a TCP connection to the target to be able to send traffic to it. But in case of UDP, you're pretty much able to cause damage.

    • @kfelix2934
      @kfelix2934 2 years ago +2

      Correct, and 100% of the time amplification attacks are using UDP traffic and not TCP, but his example is what happens.

    • @nomayor1
      @nomayor1 2 years ago

      His dummy API server will apparently accept Port 80, protocol TCP, instead of the standard TCP.

    • @kfelix2934
      @kfelix2934 2 years ago

      @nomayor1 That makes no sense; TCP is TCP, regardless of what port # is being used.

    • @nomayor1
      @nomayor1 2 years ago

      @kfelix2934 TCP of course is TCP. And in either case, your application can be made to work with either protocol, TCP or UDP, and with any port. The fact that the hacker has his own server, and so can freely craft all those parameters, is the key.

  • @stephelton
    @stephelton 2 years ago +3

    If an attacker controls both a botnet and the API server (example around the 5:00 mark), and that API server is able to send large payloads to a host that didn't request anything, why is the botnet required? In other words, couldn't this API server just generate the response payloads as though they were properly spoofed by a botnet participant? (I expect I'm missing something...)

  • @afzalbugs
    @afzalbugs 2 months ago

    With QUIC (and http/3), we can no longer assume all https traffic is TCP-only.

  • @lung510
    @lung510 2 years ago

    What if that bad HTTP server sources from a range of ports instead of just 80?

    • @kfelix2934
      @kfelix2934 2 years ago

      HTTP is TCP; it's hard to spoof the victim, since the 3-way handshake will fail if a bot spoofs the SYN from the target.
      SYN
      SYN+ACK
      ACK
      One more thing: with Chrome and a few other browsers and the QUIC protocol, you could establish spoof attacks, but here's the main item: if we use QUIC and DTLS on the server only, this would squash most of this by just deploying an ACL filter for udp.port 80 or a FlowSpec rule for port 80 and UDP.
      So in his example, if the server and network supported QUIC, his example would be correct.

  • @Unimath22
    @Unimath22 2 years ago +1

    Knox sounds a little sick 😃

  • @cww2021
    @cww2021 2 years ago

    Hardware firewalls that support BGP FlowSpec are expensive. The network performance of software that supports BGP FlowSpec is inferior to that of hardware firewalls. Is it unlikely that BGP FlowSpec will be applied to high-traffic network nodes?

    • @johnnyblaze9217
      @johnnyblaze9217 2 years ago

      It isn't inferior. If I get hit by 400 gigs of traffic and my link is 100 gigs, BGP FlowSpec will stop it from saturating me, as it gets blocked by my ISP before it reaches me, using BGP FlowSpec.

  • @Rundik
    @Rundik 2 years ago

    If you're closing port 80/443, you might as well shut down your server.

    • @enriquegabriel7708
      @enriquegabriel7708 1 year ago

      Right, it is like I did DDoS to myself...

    • @afzalbugs
      @afzalbugs 2 months ago

      Presumably the bot IP address(es) will be included in the generated filter so you don't break http for everybody. From RFC 8955: “A Flow Specification is an n-tuple consisting of several matching criteria that can be applied to IP traffic.”
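Two of the comments above describe the same mechanism from different angles: kfelix2934's "FlowSpec rule for port 80 and UDP", and afzalbugs' point that the RFC 8955 n-tuple can include the bot source addresses so the filter does not break HTTP for everyone. The Python below is an added illustration, not code from the video, the commenters, or any router vendor. It models a reduced Flow Specification (destination prefix, source prefix, IP protocol, destination port; an omitted component matches anything, as in RFC 8955) and runs two candidate rules over constructed sample flows: a blunt rule that matches only on destination port 80 (the "DDoS to myself" case Rundik and enriquegabriel7708 describe) and a scoped rule that also pins the protocol and the attack source range. The victim address, the client and bot ranges, and the "first match wins" ordering are all constructed simplifications for the example.

```python
"""Simplified RFC 8955 FlowSpec n-tuple matching over sample flows.

Added illustration only; a real FlowSpec rule is carried in BGP NLRI and
installed by the router, and supports more components and actions than shown.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Flow:
    """One flow as a router would classify it (constructed sample data)."""
    src: str
    dst: str
    proto: int
    dport: int


@dataclass(frozen=True)
class FlowSpecRule:
    """Reduced RFC 8955 n-tuple; None or an empty set means 'any' for that
    component, like an absent component in a real Flow Specification."""
    dst_prefix: Optional[str] = None
    src_prefix: Optional[str] = None
    protocols: FrozenSet[int] = frozenset()
    dst_ports: FrozenSet[int] = frozenset()
    action: str = "discard"  # stand-in for the traffic-rate 0 action

    def matches(self, flow: Flow) -> bool:
        if self.dst_prefix and ip_address(flow.dst) not in ip_network(self.dst_prefix):
            return False
        if self.src_prefix and ip_address(flow.src) not in ip_network(self.src_prefix):
            return False
        if self.protocols and flow.proto not in self.protocols:
            return False
        if self.dst_ports and flow.dport not in self.dst_ports:
            return False
        return True


def apply_rules(rules: List[FlowSpecRule], flows: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Return (dropped, forwarded). First matching rule wins in this model;
    flows that match no rule are forwarded normally."""
    dropped, forwarded = [], []
    for flow in flows:
        rule = next((r for r in rules if r.matches(flow)), None)
        (dropped if rule is not None and rule.action == "discard" else forwarded).append(flow)
    return dropped, forwarded


# Constructed sample traffic: documentation ranges only (RFC 5737).
VICTIM = "203.0.113.10"
SAMPLE_FLOWS = [
    Flow("198.51.100.7", VICTIM, TCP, 80),   # legitimate HTTP client
    Flow("198.51.100.9", VICTIM, TCP, 443),  # legitimate HTTPS client
    Flow("192.0.2.21", VICTIM, UDP, 80),     # UDP flood from the bot range
    Flow("192.0.2.22", VICTIM, UDP, 80),
    Flow("192.0.2.23", VICTIM, UDP, 80),
]

# Blunt rule: "drop everything to port 80 on the victim" (hypothetical).
BLUNT_RULE = FlowSpecRule(dst_prefix=f"{VICTIM}/32", dst_ports=frozenset({80}))

# Scoped rule: same destination, but only UDP and only from the bot range.
SCOPED_RULE = FlowSpecRule(dst_prefix=f"{VICTIM}/32", src_prefix="192.0.2.0/24",
                           protocols=frozenset({UDP}), dst_ports=frozenset({80}))


def attack_traffic_dropped(rule: FlowSpecRule) -> bool:
    """True when every UDP flow from the bot range is discarded."""
    dropped, _ = apply_rules([rule], SAMPLE_FLOWS)
    return all(f in dropped for f in SAMPLE_FLOWS if f.proto == UDP)


def legit_traffic_survives(rule: FlowSpecRule) -> bool:
    """True when every TCP flow from the real client range is still forwarded."""
    _, forwarded = apply_rules([rule], SAMPLE_FLOWS)
    return all(f in forwarded for f in SAMPLE_FLOWS if f.proto == TCP)


if __name__ == "__main__":
    for name, rule in (("blunt", BLUNT_RULE), ("scoped", SCOPED_RULE)):
        print(f"{name}: attack dropped={attack_traffic_dropped(rule)}, "
              f"legit survives={legit_traffic_survives(rule)}")
```

Running the block shows the blunt rule stopping the flood but also discarding the real HTTP client, while the scoped rule drops the three bot flows and forwards both legitimate clients; in operation the source prefixes and protocol would come from whatever the provider's DDoS detection identified, not from a fixed list as here.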