
How to beat application DDoS attacks with CrowdSec & Cloudflare

BSides Barcelona · 25:47 · 575 views · Published 2022-01
Category: Technical
Style: Talk

About this talk
BSidesBCN21 - Day 1 - Park Güell Track

How to beat application DDoS attacks with CrowdSec & Cloudflare (Klaus Agnoletti)

Distributed Denial-of-service (DDoS) attacks have been targeting all types of businesses over the past few years. They have been used by hackers for quite some time and are some of the most common attacks but remain extremely efficient and harmful. The concept is simple: hackers hammer a given target from many different locations to take it down (and usually ask for money afterward as a condition to stop the attack). E-commerce sites are one of the usual victims: an e-commerce site down is a site that isn't making money. There are many ways and tools to perform this kind of attack and many layers of defense, but today we will focus on application (layer 7) distributed denial of service, L7 DDoS in short.

In this talk we will discover how CrowdSec can be leveraged to provide an effective countermeasure against L7 DDoS attacks on websites protected by Cloudflare. This is done by combining the powers of CrowdSec with the Cloudflare API to filter away malicious connections in an effective (and free!) manner.

About Klaus Agnoletti

Klaus has been working professionally in infosec since 2004. In the later years of his infosec career he worked primarily as a security advisor in various shapes and forms. After many years of actively engaging with the local infosec community in Copenhagen, Denmark, he decided to go all in on the infosec community and started at CrowdSec, where one of his roles is to spread the word on CrowdSec and help draft more users. Speaking at BSides Barcelona is a great way to do just that!

hopefully you can see my screen yep seeing you it's light so take it away [Applause] okay yes as question said i'm klaus i'm a the community community manager at the at CrowdSec um and i've been an infosec professional for for close to 20 years um right yes um this is what i'm going to talk about today um i first want to say something about how we've been looking at at cyber security up until now that it's really not complicated as such that we've been doing it wrong basically and then then i'll talk to you about why why we think a crowd approach is the right way to do this better then i'll tell you then we'll tell you a

little bit about how um how the tool that the CrowdSec open source tool works and then in the end i will uh go into a case study uh where you can use CrowdSec to beat DDoS with uh yeah with with CrowdSec and Cloudflare yeah sorry cyber security is as some may some may think um it's not a complicated problem because complicated problems those those are the one that that needs a genius to solve and this is the einstein's design science theory of of relativity and that is complicated and instead cyber security is complex and complex problems that's a completely different ballgame those can be solved if you're working as a team and what is hard especially in cyber

security and and definitely also when you're sending people to the moon is there so many things you have to make sure to remember and to have confidence for and that's hard both in terms of mastering each and every one of the steps but also to be do to be able to do the right every single time so this is the summer complicated problem they get back into solved by one smart person for complex problems you need a couple like you need a book to collaborate so we tried our powering that field we found out smarting the criminals that also failed so instead we try another approach which is outnumbering them so instead of trying to be rambo and

fight against a thousand enemies and that only works in films anyway with a risk guy this is just a hype approach so nobody wants to say wants to fight an entire beehive so anybody in the right mind they would just run away instead and that's what we were basically what we want the hackers to do these all example of companies that has has had so many so much money for cyber security and and yet and yet they messed up um all of these has big budgets last team and extraordinary people to help them defend themselves and yet they were hacked one of these i gave him morgan they have they had a security budget of 800

million us dollars per annual and and that's almost 1 billion u.s dollars and and i don't know about you guys but i can't i can't imagine that much money so it's really not a matter of resources because yeah bottom line is the approach is wrong and yeah there's a reason why it's not solved because defending is hard really hard because time to patch that's way too long uh maybe that's too much to patch too few people to do it maybe your perimeter is really large maybe it's maybe it's all maybe it's even larger than it has to be who knows um and that's money money don't grow on trees and many companies still don't take the risk of ransomware

seriously will they ever who knows so the thing with attacking is that that that is so much cheaper and it takes a lot a lot less resources so and unbeknowingly many people makes these easy to hack them by having you know an unsecured device on the perimeter and then they're hacked or they don't have anything installed on endpoints to protect them sorry um yeah oops so like the castle strategy that we use as the 80s we have a big castle we have we have a big wave around it uh that doesn't work anymore because the perimeter is all over the place so um because the reality nowadays is that everybody every company even those who doesn't

know it they have some resources somewhere in the cloud um so it's practically it's not practically possible to protect everything from a single from a central point since that all resources all resources have to have has to defend themselves autonomous autonomously for this to this work for this to work properly so and the way threat data should be shared across the means using http because that's that's a light protocol and every device knows it so we want to leverage ip reputation in the cloud to build the biggest most accurate real-time ip reputation database so you can think of us our fingers and zoom of course as uh as the Waze of cyber security and that's what what we are doing building

with this project it is already the the biggest crowdsource hr network in the world our founders they all have a background in security in a secure hosting company all developers and our cto they all have a background as pen testers so we know how to build a secure infrastructure the way CrowdSec works is that first it collects the data on your on your host it parses the log and whenever there is something that looked like that looks like an attack it's a it's being sent to our to our um hive mind if you want to say that um the the big inspiration here is is fail2ban we wanted we wanted to build a modern version of fail2ban but then it ended

up to be end up being way more versatile than in fail2ban i'll talk a little bit about that later after logs are added then threats are detected in the by the agent and then logs from either locally or from the communities analyzed to detect if there are cinnamon level and behavior by our background based on the unfriend intelligence bouncers that's the second part of the software they will they will remediate either they will block on every on the on the firewall layer layer 3 or orient or run the application layers which is layer 7. so whenever bad traffic is detected those findings are shared back with the community so every other CrowdSec user CrowdSec agent can can use that

for intelligence theoretically um the tool can handle any any scenarios that fail2ban can handle but but not yet uh in practice because fail2ban has is 20 years old and has had a supportive community for a very long time so so eventually whenever we go big and it's more known all those scenarios will come but in theory we can handle everything that can this can be described by YAML and parsed by a parser so our inference engine can handle so it's had to handle some some like some scenarios at a much more complex standard than what fail2ban can we will handle an in an entire ddos scenario which will which we will talk

about later we can also handle resource abuse like we plug in the tires access to a website if they're trying to exhaust that website by mass rolling also we we can ban an entire ip class if some and that's why they fall five they have already been banned then the whole ip class will just be banned just like that and of course much much more are just examples and also what you'll see on the screen are also examples of of scenarios where where CrowdSec can be used to some to zombies we think that cyber criminals they've had it's too easy for too long so what we're trying to do here with with CrowdSec is to to shift the

balance of power we want them we want people to be able to work together by by sharing and collecting all the threat intelligence for the benefit of the entire of the entire crowd so ultimately we want to force the hackers to change their tactics or go somewhere else the potential threat insulting the spirit generated by CrowdSec that is more more real than any than others because it's not simulated from honeypots it's from real production servers all around the world that just has the uh crowd segregated insult because as we say you you can't dodge the crowd and as a bonus the CrowdSec software is free no matter what happens to CrowdSec because like the company

worst case is that the code is forked and then the community will simply move away so the code alone that's useless it's only in combination with the community that it gets that it gets its value the back end is not yet uh open source but but that's mostly because it's it's not fully developed and and the code is really not that stable it's not good to it's stable but it's not we don't want to show it up it's just show it show it to anyone yet but but we will eventually because we really want to make it very very visible how this decision present process is working and how our decision-making is working behind kind

yeah behind the scene every ip that's in the database that's uh they are thrown out after 72 hours i'll talk a little bit more about the decision process which we call the consensus engine on the next slide every agent that sends rogue broke the ips to what we first call the smoke database then then based on this we are we will determine which which ips are bad and over time we also want to integrate this consensus engine and and the ips outcome that comes out of it then into an in the enterprise in incident response uh process so that ioc is thinking the thinkery part of the trading process that normally take place in you know in a tool life like

frenchman's mist project contingency and that this that base is a decision on various criteria that all combine one of them is the regularity of the watcher that's what we call a contributor or an agent internally also the consistency compared to all the users data and CrowdSec's and consolidated statistics that we correlate with CrowdSec's own honeypots and high reputation watches i know i said before that data is from honeypot we but we do have our own so that we can we can control every both ends of the system so to speak so we know which system generate which log just to make sure that everything is working is going right but but there are a very

small part of of the entire ip reputation database then we're crosstaking this with third party sources and we're enriching the consensus process with information from other sources if if that's possible and usually when i talk about CrowdSec people always want to ask if it's possible to to poison our database and yes it's possible but but it's hard because you really have to have an army of of uh false agents so to speak that would feed that would consistently feed a visa our database first with a lot of real real data and then you would have you would have to like inject those bad or those fake fake attacker ips into our data stream and and that's pretty hard because you

wouldn't even be sure if they would be selected anyway or be remarked bad and also there are ips that that you will never be able to to ban because we are we are whitelisting them permanently those are like SEO bots and and the CDN partners like for instance Cloudflare we take GDPR and privacy very seriously because obviously that's always always uh people's concern if they can if they can remain anonymous and the only thing that we send back is um is as little as we can to to do a reliable consensus so we only tie ip information to a random generator uid to immediately identify the crowd the CrowdSec agent that has submitted

those ips [Music] and right now yeah we're around the 20 000 installs worldwide across six continents and 110 countries since as far as i remember and we have over time we've we have detected and verified or at least chosen that the seven hundred thousand ips are malicious across a lot of different industries and then our goal is to be one million users in 2024 and that's a long way to go um now i want to talk specifically about about the how to how to do a level do layer seven uh anti-DDoS with uh with CrowdSec and Cloudflare there is a anti-DDoS built into into cloudflare but but this is uh as you would see in a short while this is a

more effective um when we talk about anti-DDoS there is at least two examples and one of them is happening on layer three uh it does that's not what we're talking about we're talking about layer seven the application layer um where yeah where this attack is is going on [Music] um this is our setup is uh it's basically a wordpress a wordpress server with commerce that we set up on a vps in aws with two cpu cores and four gigs of ram then we found a DDoS as a service and basically hammered that on our side for 20 minutes and this is what happened you can see that on the it screen it went down of course

and after 20 minutes um it had received 70 000 http requests and from 1150 unique ip addresses and um our approach to to fixing this is is described here and those country facts they're completely arbitrary and they don't reflect any particular opinion towards that particular country just saying um we assume that for for each each human visitor there will be like one to two http requests per visitor and that's the norm so basically we want to say that everything that's not a normal a request will be filtered away um and also we want to be able to take decisions on either a country level or an as number level this is this is where cloudflare comes into the into the

picture and this is what they can do when via their api so the api allows based on as country and just not ips and ranges and also the api allows us to remediate a captcha or just challenge that's similar arithmetic arithmetic challenges as only humans suppose you can do so what happens here in the agent doing this uh during this attack or doing the simulation is that CrowdSec agent will reach the log from read log from apache 2 then it will identify what is what is attack and then they will send those directly to the bouncer the bouncer will then activate cloud cloudflare api and then firewall rules within cloudflare will block those connections and

yeah this is a diagram of of what happened you can see around the 30 the attack starts and network goes up cpu utilization goes up and then approximately how we look at it five six seven minutes later everything is back to normal and the two of those minutes that's delayed internally in cloudflare from when you order a firewall rule in the api it takes it takes two minutes before that rule is into effect um yeah i want to talk a little bit about how the internal decision is is made within front within CrowdSec as the attack goes on we the elastic oh sorry the CrowdSec agent uh groups all http requests by source

country and then and we and we only allow requests from 50 distinct ips per 30 seconds and this is where the bucket come in comes in because this is this is this is what we call the leaky bucket approach so once that bucket overflows then the scenario is triggered first CrowdSec will block country a whole country if if if the if the entire country is deemed bad then it will block by as number and then it will block every single ip that's malicious until all the malicious traffic is gone firewall rules i said before they are created they are created in cloudflare via cloudflare api and what's really interesting about about this is that i said before it

it it doesn't necessarily block all traffic from the country by forcing the users to go through a captcha that's what we call a fixed rule that's that that's really what what we're going to use here also also because it's uh somewhat less risky because the user is never blocked a real user has never blocked them that is a really really strong point here so the risk of of false positive so to speak is a lot is a lot less so yeah let's see how it looks

first uh first off we'll start the the ddos attack the numbers on the top that's simply the tail of the apache 2 log and on the downright there is the uh CrowdSec cli and as the attack goes by you'll see how how how the agents start to identify something going wrong with india something somewhere around russia and you will see there's a lot of different ips right now and and that's a lot going on so it so basically stated that that for those three countries and that as number it will force the captcha and it's starting to um to order those in Cloudflare and save little time i said before then gradually you will see

traffic start to slow down you also see that the traffic will come from fewer fewer ips and then eventually that only be really yeah few ips and deaths and over time those will be really banned as well

yeah just follow on the on the cli more countries are being banned more ips are being banned

and and that's as they they individually generate more traffic than we allow then we'll block them

and eventually it will go away

you can see that this is an ip from hong kong this china this amazon also impressive yeah or bristle the ddos is now fully mitigated but the attack still goes on but we just can't can see that that is that looks more like a normal user yep sorry so basically um that was it we um yeah as i said before we we we have to ride being a or our founders has tried being a secure hosting company so so we hope or at least think that we can build a secure security as well and also we also think that this is a really great idea that we really hope and the community will catch on catch on to

one of my um my task will be to to facilitate building that that community and facilitate talking to the community about which features people want and what makes sense and of course also encourage people to to contribute because you can basically contribute anything you can go to our github to try it out um you can see the link on my slides uh and if you have any questions uh feel free to send me a mail i'll be more than happy to to answer all the questions all your questions yeah so that's it yeah if you have any questions thanks thank you very much klaus i hope i hope it wasn't i hope i wasn't stuttering

as if as i feel myself no worries about this so uh we're going to have like a a long break here before the next talk so in the meantime like you mentioned that the the tool is not yet open source right the tool is not yet open source no everything is not open source the the back end is not open source yet but but we we want to make it real transparent how the process is is made so that you can see that it's really being done in the way we say it is and does not and not something else and also and also that that will also illustrate how how hard it is to to poison the database

right so you're going to open source that right like uh like more or less like what is the timeline more or less we're not sure yet i haven't heard any specific details and i'm not sure that it's going to be the same open source license because that is uh it it is it is this strange mix that we want to hold it happens a little bit closer but we also want it to be transparent yeah so i don't i don't really know what we're gonna do but but we're we'll we'll think of something that that will sort of satisfy both needs i'm sure awesome well thank you very much i appreciate you your time with us here

today uh if anyone has any questions so feel free to ask on this live channel or ask claus said send him an email i'm sure he will be happy answer them i'll also i'll also stay the slack channel uh for the rest of the conference so yeah send me an email or sorry send me a message there or if there's anything you want you want to ask people ask about and and and if you think that CrowdSec sounds just a little bit interesting please try it out because the more users the more agents the better threat intelligence and the better we are able to defend ourselves and that's the point here awesome thank you very much so we're

going to have the next talk in around 17 minutes more or less yeah have a great conference guys
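
The detection step described in the talk (requests grouped by source country, a leaky bucket that allows 50 distinct IPs per 30 seconds, and a captcha decision once it overflows), as an added Python example that is not CrowdSec's code and not part of the talk. The even drain rate, the `country_of` lookup, the placeholder country codes XA/XB/XC and the log lines are constructed assumptions; the later AS-number and per-IP stages are not modelled.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

CAPACITY = 50                      # from the talk: 50 distinct IPs ...
WINDOW_S = 30.0                    # ... per 30 seconds, per source country
LEAK_PER_S = CAPACITY / WINDOW_S   # assumption: the bucket drains evenly over the window
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3}')

class DistinctLeakyBucket:
    """Leaky bucket that only fills when an IP it has not counted yet shows up."""
    def __init__(self):
        self.level, self.last, self.seen = 0.0, None, set()

    def pour(self, ip, now):
        """Account for one request; return True when the bucket overflows."""
        if self.last is not None:
            self.level = max(0.0, self.level - (now - self.last) * LEAK_PER_S)
        self.last = now
        if self.level == 0.0:
            self.seen.clear()      # fully drained: earlier IPs no longer count
        if ip in self.seen:
            return False           # repeat requests from one IP add nothing here
        self.seen.add(ip)
        self.level += 1
        return self.level > CAPACITY

def parse(line):
    """Return (ip, epoch_seconds) from an Apache access-log line, or None."""
    m = LOG_RE.match(line)
    return (m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()) if m else None

def detect(lines, country_of):
    """Group requests by source country; emit one captcha decision per overflow."""
    buckets, decided, decisions = defaultdict(DistinctLeakyBucket), set(), []
    for ip, ts in filter(None, map(parse, lines)):
        country = country_of(ip)
        if country is None or country in decided:
            continue
        if buckets[country].pour(ip, ts):
            decided.add(country)
            decisions.append({"scope": "country", "value": country,
                              "remediation": "captcha", "at": ts})
    return decisions

# Constructed sample data: documentation IP ranges and placeholder country codes.
GEO = {"198.51.100.": "XA", "203.0.113.": "XB", "192.0.2.": "XC"}
T0 = datetime(2021, 10, 1, 12, 0, 0, tzinfo=timezone.utc)

def country_of(ip):
    return next((c for prefix, c in GEO.items() if ip.startswith(prefix)), None)

def log_line(ip, offset_s):
    ts = T0 + timedelta(seconds=offset_s)
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET / HTTP/1.1" 200 512'

def sample_log():
    flood = [log_line(f"198.51.100.{i}", i // 10) for i in range(120)]    # 10 new IPs/s
    visitors = [log_line(f"203.0.113.{i}", 3 * i) for i in range(5)] * 2  # 2 requests each
    hammer = [log_line("192.0.2.7", i // 50) for i in range(500)]         # one noisy IP
    return sorted(flood + visitors + hammer, key=lambda l: parse(l)[1])

if __name__ == "__main__":
    print(detect(sample_log(), country_of))
```

Only the flood from XA overflows its bucket; the single noisy IP in XC never does, because this bucket counts distinct sources rather than requests.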