For the last year, we've been working hard to optimize CloudFlare's infrastructure to survive different types of denial of service attacks. If you have plenty of servers the usual advice of "buy more bandwidth" may be sufficient, but it certainly wasn't useful to us. At some point you need to do _something_ with the incoming traffic, and the servers have only so many CPU cycles.
In this talk, we'll share our experiences in defending our services. We'll go through many layers, from flowspec and sflow, to ethtool tweaks, kernel bypass techniques, iptables examples to useful sysctls. We'll touch on details such as: why increasing backlog queue size may hurt you, why your servers can't send more than 200k syn cookies per second, how to stop a botnet with iptables ipsets and hashlimits, when enabling conntrack makes sense or how to process 10M pps on a single commodity server. Our favorite defense techniques are using BPF, so we will spent a fair bit of time discussing this.
We'll discuss what we tried, what worked, what didn't, and why some of the technically sound ideas turned up to be totally impractical.
Our experience is in defending HTTP/S and DNS services, on which this talk will focus, but our techniques are applicable to the usual variety of DDoS'es like Chargen, SSDP, NTP or DNS reflection.
Lessons From Defending The Indefensible blackhat 2015
53 Likes
53 Dislikes
3,216 views views
117K followers
People & Blogs
Upload TimePublished on 5 Mar 2016
Related keywords
infosec news
information security manager
blackhat asia 2019
blackhat 2019
infosec twitter
blackhat 2018
black hat seo technique
blackhat europe
blackhat badger sekiro
black hat x reader
black hat cartoon
black hat x dr flug
cyber securityとは
blackhat conference 2019
cyber security cloud
black hat full movie
blackhat badger
blackhat forum
information security foundation 勉強
infosec rotkreuz
cyber security framework
information security policy template
infosecurity utrecht
infosec ups system
cyber security news
cyber security act
infosecurity
blackhat full movie
infosec blog
black hat badger
information security foundation 参考書
information security management system
cyber security conference
black hat seo
cyber security pro
black hat movie
blackhat imdb
infosec podcast
black hat cast
cyber security pro 新しいネットワークが検出されました
cyber security cloud managed rules
cyber security measures
information security governance
infosec global
infosecurity europe 2020
infosec health
infosec magazine
information security 日本語
infosec 19
black hat anime
information security foundation
infosecurity magazine
cyber security tokyo
black hat meaning
black hatch
information security definition
information security pdf
infosec europe 2019
cyber security market
infosec institute
infosec 2019 london
information security foundation 難易度
black hatch gamefowl
cyber security management system
information security certifications
blackhat film
cyber security pro アンインストール
information security specialist
cyber security 意味
cyber security analyst
information security policy
black hat usa 2019
information security forum
information security news
infosec conferences
information security officer
infosekta
cyber security japan
blackhat trailer
information security analyst
cyber security university
black hat hacker
black hat forum
cyber security company
black hat hacking
black hat villainous
blackhat conference
information security foundation based on iso/iec 27001
by Marek Majkowski
Không có nhận xét nào:
Đăng nhận xét