
Web targeted DDoS attack: trends, tools and tactics


Presentation Transcript


  1. Web targeted DDoS attack: trends, tools and tactics
     Christiaan Ehlers, Senior Service Consultant – Akamai Technologies

  2. Anonymous Attack on the Home Office 7th April 2012

  3. DoS motivation
     • State Sponsored
     • Traditional Hackers: Glory Hounds
     • Organized Crime - Profit
     • Political Hacktivism

  4. Let’s Hold up Somebody for Ransom (actual ransom note)
     • Your site www.#####.de will be subjected to DDoS attacks 100 Gbit/s.
     • Pay 100 btc (bitcoin) on the account
     • 1ACFJHoB8Z3KDwDn6XdNTEJb6S7VsQiLZG
     • Do not reply to this email

  5. Over 40X Increase in Traffic

  6. A very brief introduction
     • DoS attacks have moved up the stack: from IP floods and SYN floods to application-level attacks.
     • Attacks on the network and transport layers targeted the OS of the receiving machine.
     • Attacks on the application layer penetrate deeper into the infrastructure: the target is no longer just the firewall or proxy, the attacker can now reach the backend database.
     • Development and architecture are focused on securing against more classical hacking attacks, so DoS vulnerability takes a back seat.

  7. DoS Vulnerability
     • If the target system spends disproportionately more resources serving a response than the attacker spends generating the request, you potentially have a DoS vulnerability.

  8. Target Areas
     • Bandwidth
        • Inbound (sometimes difficult to exploit, but also difficult to protect)
        • Outbound
     • Data access and processing (CPU, memory and disk access)
        • Database searches
        • Formatting, regular expressions, encoding, etc.
        • Cryptographic processing
     • System limits
        • Registers, file handles, configured limits, etc. (slow attacks)
     • Algorithmic or architectural inefficiencies

  9. Brute Force Attacks
     • Usually aimed at bandwidth and at data access and processing targets.
     • Attempt to interfere with normal operation by consuming resources through sending large volumes of requests to the target.
     • The traffic can look like normal browser traffic.
     • The traffic volume required for an effective attack is determined by the capacity and overhead of the target system.

  10. Algorithmic or architectural inefficiencies
     • ApacheKiller
        • Apache prepares a memory buffer for each range requested in the “Range” header.
        • If enough ranges are requested, it can exhaust the server’s memory.
     • Hash table collision
        • A hash table collision attack turns the problem of adding elements to a hash table from an O(n log n) problem into an O(n²) problem.
     • Exploitation requires “abnormal” requests, so such attacks are fairly easy to identify, block and fix.
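Both inefficiencies above are triggered by requests that look abnormal, which is what makes them cheap to block. As an added example (not code from the talk or from Apache), this Python check parses a Range header and refuses to honour it when it asks for more ranges than an assumed cap or for overlapping ranges, falling back to a plain whole-body response instead of allocating one buffer per range; the cap value is an illustrative assumption.

```python
import re
from typing import List, Optional, Tuple

# Cap on honoured ranges: an assumed illustrative value, not one from the talk.
MAX_RANGES = 5
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_ranges(header: str, size: int) -> Optional[List[Tuple[int, int]]]:
    """Parse a 'bytes=' Range header into (start, end) pairs for a body of `size` bytes.
    Returns None for anything malformed or unsatisfiable."""
    if not header.startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":                       # suffix range "-N": the last N bytes
            start, end = max(size - int(last), 0), size - 1
        else:                                 # "A-B" or open-ended "A-"
            start = int(first)
            end = size - 1 if last == "" else min(int(last), size - 1)
        if start > end:
            return None
        ranges.append((start, end))
    return ranges


def should_ignore_range(header: str, size: int) -> bool:
    """True when the server should fall back to a plain 200 with the whole body
    instead of allocating one buffer per range: the header is malformed, lists
    more than MAX_RANGES ranges, or contains overlapping/duplicate ranges."""
    ranges = parse_ranges(header, size)
    if ranges is None or len(ranges) > MAX_RANGES:
        return True
    ordered = sorted(ranges)
    for (_, prev_end), (start, _) in zip(ordered, ordered[1:]):
        if start <= prev_end:                 # overlapping or repeated region
            return True
    return False
```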

  11. Attack distribution
     • Single origin DoS attack
        • Fewer resources available
        • Potentially easier to block
        • Attacker has no synchronization or management problems
     • Distributed DoS
        • More resources available
        • Difficult to block
        • Attackers have a synchronization and management problem
        • Bot-Net Command and Control centers
        • Opt-in networks (Thrall-Net)

  12. Attack Tools
     • Common opt-in attack tools
        • LOIC – Low Orbit Ion Cannon
        • HOIC – High Orbit Ion Cannon
     • Slow attack tools
        • Slow Loris
        • RUDY – R U Dead Yet

  13. LOIC
     • Java versions that can be browsed to, no need to install software.
     • IRC interface for coordination
     • Easy interface
     • Multithreaded
     • One type of request per session
     • Not very configurable
     • Easy to detect

  14. HOIC
     • Easy to use interface
     • Booster packs to randomise various HTTP headers and target URLs
     • Multi-threaded
     • Rate throttling

  15. HOIC booster pack
     Dim useragents() as String
     Dim referers() as String
     dim randheaders() as string
     Dim randURLs() as string
     // populate rotating urls
     // By Nathos, don't use too many threads or you may nuke yourself.
     // IF YOU WANT TO IMPROVE THE ATTACK, ADD URLS BELONGING TO THIS DOMAIN OR RELATED SUBDOMAINS!!! PRO-TIP: You should create a new target and .HOIC file if u want to attack a different organization
     randURLs.Append "http://www.formula1.com/default.html"
     randURLs.Append "http://www.formula1.com/news/"
     randURLs.Append "http://www.formula1.com/races/"
     randURLs.Append "http://www.formula1.com/results/"
     randURLs.Append "http://www.formula1.com/gallery/"
     randURLs.Append "http://www.formula1.com/teams_and_drivers/"
     randURLs.Append "http://www.formula1.com/inside_f1/"
     randURLs.Append "http://www.formula1.com/live_timing/"
     randURLs.Append "http://www.formula1.com/video/"
     // rotate out url
     URL = randURLs(RndNumber(0, randURLs.UBound))
     // EDIT THE FOLLOWING STRINGS TO MAKE YOUR OWN BOOST UNIQUE AND THEREFORE MORE EVASIVE!
     useragents.Append "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
     useragents.Append "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
     useragents.Append "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
     useragents.Append "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"

     • Booster pack features:
        • randURLs.Append – attack random URLs
        • useragents.Append – randomly selected User-Agents
        • referers.Append – randomly selected Referer headers
        • randheaders.Append – randomly selected headers to append
     • Makes it harder to separate attack traffic from legitimate traffic.
     • Can be easily distributed since it is just a text file. Usually posted on http://pastebin.com
     • Can be customised for a particular target

  16. Slow Attacks
     • Tie up web server resources by sending requests very slowly.
     • Examples:
        • Slow Loris
        • R U Dead Yet (RUDY)
     • A trickle feed of characters to the web server ensures that a connection is occupied for as long as possible.
     • Is this an attack or just a client on dial-up?
     • The Apache web server has a default of 256 concurrent connections.
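The "attack or dial-up?" question is answered by looking at two things at once: how slowly a single unfinished request is arriving, and how many such requests one source holds open in parallel. As an added example (not code from the talk), this Python snippet applies both tests to a constructed snapshot of a server's connection table; the grace period, minimum rate and per-source limit are illustrative assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Thresholds are illustrative assumptions, not values from the talk.
GRACE_SECONDS = 10        # do not judge a request until it has had this long
MIN_BYTES_PER_SEC = 100   # below this an unfinished request is a trickle feed
PER_SOURCE_LIMIT = 3      # this many stalled requests from one IP is not dial-up


@dataclass
class Conn:
    src_ip: str
    opened_at: float        # seconds on a monotonic clock
    bytes_received: int
    request_complete: bool  # end of headers (or body) already received?


def is_stalled(c: Conn, now: float) -> bool:
    """Unfinished after the grace period and trickling below the minimum rate."""
    if c.request_complete:
        return False
    age = now - c.opened_at
    if age < GRACE_SECONDS:
        return False
    return c.bytes_received / age < MIN_BYTES_PER_SEC


def slow_attack_sources(conns: List[Conn], now: float) -> Dict[str, int]:
    """Sources holding at least PER_SOURCE_LIMIT stalled connections at once.
    One slow client is plausibly a bad link; many parallel trickling
    connections from one address is the Slowloris / RUDY pattern."""
    stalled: Dict[str, int] = defaultdict(int)
    for c in conns:
        if is_stalled(c, now):
            stalled[c.src_ip] += 1
    return {ip: n for ip, n in stalled.items() if n >= PER_SOURCE_LIMIT}


# Constructed snapshot of a server's connection table, inspected at t = 60 s.
SAMPLE = (
    [Conn("198.51.100.7", 0.0, 120, False)]                    # one genuinely slow client
    + [Conn("203.0.113.5", 5.0, 40, False) for _ in range(6)]  # six half-sent requests
    + [Conn("192.0.2.9", 55.0, 10, False), Conn("192.0.2.9", 20.0, 8000, True)]
)
```

A single slow source is left alone (it may well be dial-up), while the source holding six trickling requests is reported; in a real server the reported sources would be given a shorter header timeout or have their connections closed.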

  17. Hardening against DoS – tactic 1
     • Avoid resource intensive processing.
     • Optimize processing and data retrieval processes.
     • Cache processing and data retrieval operations.
     • Cache the results of resource intensive processing: DB -> Disk -> Memory.
     • Use reverse web caches.

  18. Hardening against DoS – tactic 2
     • If you are going to work hard to generate the response, make sure the client works hard to generate the request!
     • Protect resource intensive operations behind authentication.
     • User and User-Agent validation: challenge-response tests to prove it’s a human or a browser:
        • CAPTCHA to prove you are dealing with a human.
        • JavaScript or Flash challenges to prove that you are dealing with a browser.
     • Session management:
        • Issue and rotate session management cookies.
        • URL tokens.
     • The list goes on, but how appropriate are the mechanisms?
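One concrete way to make the client work harder than the server is a proof-of-work challenge delivered through the JavaScript challenge the slide mentions: the server issues a cheap, HMAC-bound challenge, the client must brute-force a counter, and the server verifies with a single hash. This is an added example (not the talk's code); the secret, difficulty and lifetime are illustrative assumptions, and client ids are assumed not to contain ":".

```python
import hashlib
import hmac
import os
import time

# Illustrative assumptions: rotate the secret server-side, tune the difficulty to load.
SECRET = b"placeholder-server-secret"   # placeholder, never hard-code in real code
DIFFICULTY_BITS = 16                    # client: ~2^16 hashes; server: 1 HMAC + 1 hash
CHALLENGE_TTL = 120                     # seconds a challenge stays valid


def issue_challenge(client_id: str, now: float = None) -> str:
    """Server side: a self-describing challenge bound to the client and issue time."""
    issued = int(now if now is not None else time.time())
    body = f"{client_id}:{issued}:{os.urandom(8).hex()}"
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{body}:{tag}"


def _has_leading_zeros(challenge: str, counter: int) -> bool:
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - DIFFICULTY_BITS) == 0


def solve_challenge(challenge: str) -> int:
    """Client side (what the JavaScript challenge would do): search for a counter
    such that sha256(challenge:counter) starts with DIFFICULTY_BITS zero bits."""
    counter = 0
    while not _has_leading_zeros(challenge, counter):
        counter += 1
    return counter


def verify_solution(challenge: str, counter: int, client_id: str, now: float = None) -> bool:
    """Server side: constant, tiny cost regardless of how much work the client did."""
    try:
        cid, issued, nonce, tag = challenge.split(":")
    except ValueError:
        return False                      # malformed challenge
    body = f"{cid}:{issued}:{nonce}"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:16]
    if cid != client_id or not hmac.compare_digest(tag, expected):
        return False                      # forged, or replayed for another client
    current = now if now is not None else time.time()
    if current - int(issued) > CHALLENGE_TTL:
        return False                      # expired: forces the client to work again
    return _has_leading_zeros(challenge, counter)
```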

  19. Additional Mitigation (is hardening enough?)
     • Mitigation devices such as scrubbers or WAF devices.
     • How do we separate the good from the bad?
        • Signatures
        • Rate limiting
        • Anomaly detection
     • Where does the mitigation go?
        • At the origin
        • In the cloud
     • Which layer should be inspected to sort the good from the bad?
        • Transport (socket) and network layer
        • Application layer – what about SSL?
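Rate limiting and anomaly detection can be illustrated on the booster-pack traffic from slide 15: the pack rotates User-Agents per request, so one source presenting several different browsers in the same second is exactly the kind of anomaly a WAF or scrubber can key on. As an added example (not code from the talk), this Python snippet runs both checks over constructed Apache combined-log lines; the thresholds and the non-booster Chrome User-Agent are illustrative assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample in Apache combined-log format; the rotating User-Agents are
# the ones the booster pack on the page appends, the client IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Apr/2012:10:00:01 +0000] "GET /default.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
203.0.113.5 - - [07/Apr/2012:10:00:01 +0000] "GET /news/ HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.5 - - [07/Apr/2012:10:00:01 +0000] "GET /races/ HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
203.0.113.5 - - [07/Apr/2012:10:00:01 +0000] "GET /results/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
198.51.100.7 - - [07/Apr/2012:10:00:03 +0000] "GET /news/ HTTP/1.1" 200 512 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 Chrome/18.0.1025.162"
198.51.100.7 - - [07/Apr/2012:10:00:04 +0000] "GET /style.css HTTP/1.1" 200 512 "http://www.example.com/news/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 Chrome/18.0.1025.162"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')

# Thresholds are illustrative assumptions, not figures from the talk.
MAX_UAS_PER_SOURCE = 2   # a real browser presents one User-Agent per client
MAX_REQ_PER_SECOND = 3


def analyse(log_text: str) -> Dict[str, List[str]]:
    """Return, per source IP, the anomaly signals found in the log text."""
    uas = defaultdict(set)                                  # ip -> distinct UAs
    per_second = defaultdict(lambda: defaultdict(int))      # ip -> timestamp -> hits
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                                        # skip unparsable lines
        ip, ts, _request, _status, _referer, ua = m.groups()
        uas[ip].add(ua)
        per_second[ip][ts] += 1
    findings: Dict[str, List[str]] = defaultdict(list)
    for ip, seen in uas.items():
        if len(seen) > MAX_UAS_PER_SOURCE:
            findings[ip].append(f"{len(seen)} distinct User-Agents (booster-pack rotation)")
    for ip, buckets in per_second.items():
        peak = max(buckets.values())
        if peak > MAX_REQ_PER_SECOND:
            findings[ip].append(f"{peak} requests in one second")
    return dict(findings)
```

Note that both signals are only visible at the application layer; if the traffic is inside SSL, the inspection point (origin or cloud) has to terminate it to see them, which is the slide's closing question.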

  20. Questions?
