ddos attacks & mitigation
Post on 11-Dec-2016
http://www.securitech-solutions.com
1
DDoS Attacks & Mitigation
Sang Young, Security Consultant
ws.young@stshk.com
DoS & DDoS
• DoS attack: an attack that renders a target unusable by its legitimate users
• DDoS attack: DoS attacks launched from many sources across the Internet against a single target
DDoS Attack Volume
Source: Worldwide Infrastructure Security Report, Volume V, by Arbor Networks
Twitter
http://status.twitter.com/post/157191978/ongoing-denial-of-service-attack
• Happened in 2009, 2007 and 2005
• Affected the hosting servers
GoDaddy
http://www.zdnet.com/blog/security/godaddy-hit-by-a-ddos-attack/2391
WordPress
http://www.pcmag.com/article2/0,2817,2333361,00.asp
DNS Root Servers
http://www.crn.com/security/197004065
Others hit by DDoS attacks
• BBC
• Possible unethical competition
  ▪ 2004 - Worldpay
  ▪ 2004 - Authorize
  ▪ 2004 - Authorize-It
  ▪ 2004 - 2Checkout
  ▪ 2006 - StormPay
  ▪ 2008 - AlertPay
• An anti-fraud site: Bobbear.co.uk
• Norwegian BitTorrent tracker: norbits.net
Proof-of-Concept DoS Tools
• Network based
  – Targa
  – Land
  – LaTierra
  – Nemesy
  – UDP Flooder
  – FSMax
  – Crazy Pinger
• Other application based
  – SomeTrouble: SMTP, ICQ, net send
  – ihateperl.pl: DNS
• HTTP based
  – Blast
  – DoSHTTP
Nemesy
UDP Flood
DoSHTTP
Crazy Pinger
My Collections
Botnet
• A botnet consists of multiple bots (compromised machines) on the Internet
• They serve multiple purposes
• Concept:
  – A relatively small botnet of around 1,000 bots (computers) has a combined bandwidth higher than the Internet connection of most corporate systems
PoC Bots
• Agobot
• Phatbot
• Forbot
• XtremBot
• SDBot
• RBot
• UrBot
• UrXot
• GT-Bots
• Nuclear Bot
Diagram: Attacker -> handlers (masters, H) -> agents (A) -> Victim
Uses of Botnets
Botnet | Estimated Size | Main Functions
Conficker | 9 to 15 million | Botnet resilience
BlackEnergy | 20 to 200k | DDoS
Machbot | 15 nets, 100,000k each | DDoS
Cutwail/Pushdo | About 1 million | Spam, ID theft
Torpig/Sinowal | About 1.9 million | Financial and ID theft
Hexzone | 200k to 500k | Ransomware
Ghostnet | ~1200 in 103 countries | Cyber espionage
BlackEnergy
• Attack vectors
  – HTTP
  – DNS request floods
  – ICMP
  – Spoofed IPs
  – SYN floods
  – UDP floods
  – Random binary packet floods
• Capabilities
  – 1 to 7 Gbps
  – A new BlackEnergy botnet can be created over a few days to a size of 4,000 to 20,000 bots
DDoS Attack Taxonomy
DDoS attacks
• Bandwidth depletion
  – Flood attack: UDP, ICMP
  – Amplification attack: Smurf, Fraggle
• Resource depletion
  – Protocol exploit: TCP SYN, PUSH+ACK
  – Malformed packet
Amplification Attack
Diagram: Attacker -> Agent(s) -> Amplifier networks -> Victim
• Agent generates a packet: src = victim IP, dst = amplifier net
• Systems reply: src = system IP, dst = victim IP
Reflective DNS Attacks
• Send a large number of queries to open DNS servers
• These queries are "spoofed" to look like they come from the victim
• Small queries (60 bytes) can generate large UDP packets (512 bytes) in response, an amplification factor of 8.5
• By combining different response types (A, TXT, SOA), a 122-byte query results in a response of 4320 bytes, an amplification factor of 73
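From the victim's side, the tell-tale sign of the reflection described above is DNS responses arriving for queries the host never sent. The following is an added example (not from the slides) that flags such unsolicited responses in constructed flow records; the host and resolver addresses are made up.

```python
from collections import defaultdict

# Constructed flow records (not from the slides):
# (direction, src_ip, dst_ip, src_port, dst_port, bytes)
# "out" = left our network, "in" = entered it. 203.0.113.10 is our host.
FLOWS = [
    # a legitimate 60-byte query and its 512-byte answer
    ("out", "203.0.113.10", "198.51.100.1", 40001, 53, 60),
    ("in",  "198.51.100.1", "203.0.113.10", 53, 40001, 512),
    # answers for which we never sent a query: spoofed-source reflection
    ("in",  "198.51.100.2", "203.0.113.10", 53, 40002, 4320),
    ("in",  "198.51.100.3", "203.0.113.10", 53, 40002, 4320),
    ("in",  "198.51.100.4", "203.0.113.10", 53, 40002, 4320),
]

def amplification_factor(query_bytes, response_bytes):
    """Response/query size ratio, the figure the slide quotes (512/60 is about 8.5)."""
    return response_bytes / query_bytes

def unsolicited_dns_responses(flows):
    """Map each inside host to the bytes of DNS responses it received
    without a matching outbound query (same host, resolver and client port)."""
    queries = set()
    for direction, src, dst, sport, dport, _ in flows:
        if direction == "out" and dport == 53:
            queries.add((src, dst, sport))
    unsolicited = defaultdict(int)
    for direction, src, dst, sport, dport, nbytes in flows:
        if direction == "in" and sport == 53 and (dst, src, dport) not in queries:
            unsolicited[dst] += nbytes
    return dict(unsolicited)

def reflection_victims(flows, min_bytes=4096):
    """Hosts whose unsolicited DNS response volume reaches the alert threshold."""
    return {host: total for host, total in unsolicited_dns_responses(flows).items()
            if total >= min_bytes}
```

The same query/response pairing is what a stateful firewall or resolver-side rate limiter performs; here it is done over flow records so the check can run on exported NetFlow-style data.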
Observed Bots
Traditional Countermeasures
• Threshold-based attack detection and mitigation
• Deep packet inspection & protocol validation
  – Protocol identification
  – Network & applications
  – Identify and disable handler
• L7 mitigation / WAF
• More bandwidth
Mitigation Defense vs Attacker Countermeasure
Mitigation defense | Attacker countermeasure
Threshold-based attack detection and mitigation | Low and slow; hit and run
Deep packet inspection & protocol validation | Encryption
L7 mitigation / WAF | Vary requests
More bandwidth | More and more traffic
Hit and Run Attacks
• Defense
  – relies on sampling traffic flows
  – takes time to react: 15 – 60 seconds
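Why the sampling interval and the 15 – 60 second reaction time matter is easiest to see on a model. The following is an added example (not from the slides) with a constructed packet-rate timeline: a threshold detector that averages over 60-second windows never fires on 5-second bursts, and even when a shorter window fires, the seconds between alert and mitigation still reach the target.

```python
# Constructed traffic model (not from the slides): a 120-second timeline in
# packets per second with 5-second bursts every 30 seconds.
BASELINE_PPS, BURST_PPS = 1_000, 50_000

def hit_and_run_timeline(total=120, period=30, burst_len=5):
    """Per-second packet rates: short bursts every `period` seconds."""
    return [BURST_PPS if (t % period) < burst_len else BASELINE_PPS
            for t in range(total)]

def threshold_alerts(rates, window, threshold):
    """Threshold detector that samples in non-overlapping windows of
    `window` seconds; returns the second at which each alert fires."""
    alerts = []
    for start in range(0, len(rates), window):
        chunk = rates[start:start + window]
        if sum(chunk) / len(chunk) > threshold:
            alerts.append(start + len(chunk))
    return alerts

def unmitigated_burst_seconds(rates, alerts, react, threshold, hold=60):
    """Seconds of burst traffic that still reach the target when mitigation
    starts `react` seconds after each alert and stays on for `hold` seconds."""
    covered = set()
    for fired in alerts:
        covered.update(range(fired + react, fired + react + hold))
    return sum(1 for t, r in enumerate(rates) if r > threshold and t not in covered)
```

With a 60-second window the 20 burst seconds all pass undetected; with a 5-second window and a 15-second reaction only the first burst gets through, while a 60-second reaction lets three of the four bursts through.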
Observed Attack Vectors
Trend
• Everything over IP
• Everything over HTTP
Application Layer Attacks (Layer-7)
• Low packet rate
• Packet / bandwidth > Request / Layer 7 > Session / behavior
DDoS and Infrastructure
Most Common HTTP Attacks
Method | Effects
http://<target>/random_page | Extra I/O from logged 404s; raises CPU on web servers; load on the load balancer due to negative cache hits
http://<target>/login.php, http://<target>/search.php | Loads I/O on the database server; high CPU via script pages
POST action with a huge amount of data | Affects RAM; affects load/threads
Large botnet, low per-IP rate, high delays | Bypasses DDoS equipment; HTTP requests always get through
Partial requests | Tie down all available threads
Damaging Queries
• http://target/search.php?=query=e&Submit=Search&type=all&mode=search
• Produce the most matches and cross-reference queries:
  – e, t, a, o, n, i, r, s, d, h, l, c, u, f, p, m, w, y, b, g, v, k, x, j, q, z
  – th, he, an, in, er, re, es, on, ti, at
  – the, and, hat, ent, ion, for, tio, has, tis
  – you, can, her, was, has, him, his
• Results: hit both CPU on the web and database servers
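Each row of the HTTP attacks table and the damaging-query slide above leaves a footprint in the web server's access log. The following is an added example (not from the slides) that scores clients in a constructed log sample: a high 404 ratio, repeated search.php hits with one-to-three-character queries, and oversized POST bodies. The log format (with a request-body-size field) and all addresses are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed access-log sample (not from the slides). Fields: client IP,
# request line, status, response bytes, request body bytes.
LOG = """\
198.51.100.7 "GET /random_page HTTP/1.1" 404 512 0
198.51.100.7 "GET /x9f2 HTTP/1.1" 404 512 0
198.51.100.7 "GET /qq HTTP/1.1" 404 512 0
198.51.100.7 "GET /search.php?query=e&type=all&mode=search HTTP/1.1" 200 90000 0
198.51.100.7 "GET /search.php?query=th&type=all&mode=search HTTP/1.1" 200 85000 0
198.51.100.8 "POST /login.php HTTP/1.1" 200 300 5242880
203.0.113.5 "GET /search.php?query=firewall+policy&type=all HTTP/1.1" 200 2000 0
"""
LINE = re.compile(r'^(\S+) "(\S+) (\S+) \S+" (\d{3}) (\d+) (\d+)$')

def client_stats(log, cheap_query_len=3, max_body=1_000_000):
    """Per-client counters for the patterns in the slide's table."""
    stats = defaultdict(lambda: {"requests": 0, "404": 0, "cheap_search": 0, "huge_post": 0})
    for m in filter(None, map(LINE.match, log.splitlines())):  # skip unparsable lines
        ip, method, path, status, _, body = m.groups()
        s = stats[ip]
        s["requests"] += 1
        if status == "404":
            s["404"] += 1
        url = urlparse(path)
        if url.path.endswith("/search.php"):
            q = parse_qs(url.query).get("query", [""])[0]
            if len(q) <= cheap_query_len:  # 'e', 'th', 'the' match almost every row
                s["cheap_search"] += 1
        if method == "POST" and int(body) > max_body:
            s["huge_post"] += 1
    return dict(stats)

# One rule per pattern: many 404s, cheap cross-reference searches, huge POSTs
RULES = [
    ("404 scan", lambda s: s["requests"] >= 3 and s["404"] / s["requests"] > 0.5),
    ("damaging search queries", lambda s: s["cheap_search"] >= 2),
    ("oversized POST", lambda s: s["huge_post"] > 0),
]

def flag_clients(log):
    """Return {client_ip: [reasons]} for clients matching at least one rule."""
    flagged = {}
    for ip, s in client_stats(log).items():
        reasons = [name for name, rule in RULES if rule(s)]
        if reasons:
            flagged[ip] = reasons
    return flagged
```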
New Mitigation Approach
• Protocol validation
  – Inspects the structure of information in packets at the application layer
  – HTTP anomaly detection, e.g. XYZ is not a valid command in an HTTP header
• Signature/fingerprint
  – Searches for patterns in network packets to determine whether an attack exists
  – Vendor specific
  – Open source
  – Ad hoc customization: signatures for particular custom applications
  – Requires human operation
• Statistical
  – A.k.a. network behavioral analysis
  – Adaptive and predictive models of network behavior
  – Requires human operation
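A minimal form of the protocol validation bullet above, as an added example (not from the slides): one raw HTTP request is checked for a valid method (the "XYZ is not a valid command" case), a well-formed request line and header lines, a Host header on HTTP/1.1, and a terminated header block, so that the partial requests from the HTTP attacks table are also reported. The method list and the exact anomaly strings are assumptions.

```python
import re

# Methods accepted by this validator (assumption: the standard HTTP methods)
VALID_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*$")

def validate_request(raw):
    """Return the list of anomalies found in one raw request (empty = clean)."""
    problems = []
    if not raw.endswith(b"\r\n\r\n"):
        # header block never terminated: the partial-request pattern
        problems.append("incomplete headers (partial request)")
    head = raw.split(b"\r\n\r\n", 1)[0].rstrip(b"\r\n")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        problems.append("malformed request line")
    else:
        method = m.group(1).decode()
        if method not in VALID_METHODS:
            problems.append(f"{method} is not a valid HTTP method")
        if m.group(3, 4) not in {(b"1", b"0"), (b"1", b"1")}:
            problems.append("unsupported HTTP version")
    headers = {}
    for h in lines[1:]:
        if not HEADER_LINE.match(h):
            problems.append(f"malformed header line: {h[:24]!r}")
            continue
        name, _, value = h.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if m and m.group(3, 4) == (b"1", b"1") and b"host" not in headers:
        problems.append("HTTP/1.1 request without Host header")
    return problems
```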
New Mitigation Approach
• Reputational
  – A database of good and bad IP addresses
  – Bad IP addresses include bots, spammers, etc.
  – Honeypots can help to track these IPs
• Client validation
  – Determine whether a source is a real person or an automated script
  – Real browser detection: send JavaScript and check the response
• Transactional
  – Inspection and validation of application transactions, e.g. HTTP request, SIP request
  – Look at the nature of groups of transactions
New Mitigation Approach
• Decryption
  – To inspect encrypted transactions and protocols
  – Decrypt HTTPS traffic
• Zero-day
  – Requires human operation
  – Requires log consolidation from different network devices
Largest Anticipated Threat
Questions?
Sang Young
wsyoung@wsyoung.com