DDoS Attacks In Action - SANS Institute
TRANSCRIPT
© 2016 Imperva, Inc. All rights reserved.
DDoS Attacks In Action
Ben Herzberg
@KernelXSS @Incapsula_com
© 2017 Imperva, Inc. All rights reserved. - @KernelXSS -
about()
> ben.childNodes.length
< 2
> ben.history
< ["PT", "Dev"]
> ben.employer
< "Imperva"
> ben.positionX
< "Research Manager"
> ben.social
< {"TWT": "@KernelXSS", "LNK": "Ben Herzberg"}
DDoS (quick recap)
WHAT'S DDOS (IN 6 SECONDS)
Volumetric Attacks
Layer 7 Attacks
Lately…
IoT DDoS through the (very recent) history
20-SEP-2016  Mirai OVH Attack
21-OCT-2016  Dyn DNS DDoS
5-DEC-2016
INVESTIGATED IoT DDoS BEFORE IT WAS COOL
IoT DDoS through the (very recent) history
30-DEC-2014  SOHO Routers
21-OCT-2015  CCTV DDoS
20-SEP-2016  Mirai OVH Attack
21-OCT-2016  Dyn DNS DDoS
5-DEC-2016   …
Demo
OSI Model Quick Recap
Tools Introduction - WireShark
Tools Introduction - Scapy @ Python
SYN Flood
SYN      2.2.2.2 (spoofed) -> 1.1.1.1: "Hi 1.1.1.1, I am 2.2.2.2, let's handshake!"
SYN/ACK  1.1.1.1 -> 2.2.2.2: "Sure, 2.2.2.2, let's handshake!"
???      the final ACK never arrives, so 1.1.1.1 is left holding a half-open connection: "WTF?"
ACK Flood - Spoofed
ACK   spoofed source -> 1.1.1.1: "Sure, 1.1.1.1, let's handshake"
???   no SYN or SYN/ACK ever preceded this ACK, so 1.1.1.1 has no connection to match it to: "WTF?"
ACK Flood - Reflected
SYN      spoofed source 2.2.2.2 -> x.x.x.x (many reflectors): "Hi x.x.x.x, I am 2.2.2.2, let's handshake!"
SYN/ACK  x.x.x.x -> 2.2.2.2: "Sure, 2.2.2.2, let's handshake!"
???      2.2.2.2 never sent a SYN: "WTF?"
SYN/ACK  SYN/ACK  SYN/ACK  SYN/ACK  SYN/ACK  SYN/ACK  SYN/ACK  SYN/ACK  (every reflector's reply lands on 2.2.2.2)
DNS Amplification
DNSQR   2.2.2.2 (spoofed) -> 1.1.1.1: "Hi 1.1.1.1, I am 2.2.2.2, please send any records on somedomain.com"
DNSRES  1.1.1.1 -> 2.2.2.2: "Sure, 2.2.2.2, here are all the details:"
        www   A  200.200.200.200
        www2  A  200.200.200.201
        …     …
???     2.2.2.2 asked for nothing and receives the much larger answer: "WTF?"
Amplification Factors
Source: US-CERT
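Added example, not part of the talk: a small Python detector that applies the two patterns from the SYN Flood and DNS Amplification slides above to constructed packet summaries (the kind of fields Wireshark or Scapy would show), counting half-open handshakes per target and comparing DNS answer bytes to query bytes per receiving host. All addresses, sizes and thresholds are constructed for this example.

```python
from collections import defaultdict

def pkt(src, dst, proto, size, flags="", sport=0, dport=0):
    """One constructed packet summary; flags use Wireshark/Scapy letters (S, SA, A)."""
    return dict(src=src, dst=dst, proto=proto, size=size, flags=flags, sport=sport, dport=dport)
# Constructed sample traffic (not a real capture), mirroring the slides: one honest
# client, five spoofed SYN sources aimed at 1.1.1.1, and a DNS reflector aimed at 2.2.2.2.
PACKETS = [
    pkt("10.0.0.5", "1.1.1.1", "tcp", 60, flags="S", dport=80),
    pkt("1.1.1.1", "10.0.0.5", "tcp", 60, flags="SA", sport=80),
    pkt("10.0.0.5", "1.1.1.1", "tcp", 52, flags="A", dport=80),
]
for i in range(1, 6):  # spoofed 2.2.2.x sources never answer the SYN/ACK
    PACKETS.append(pkt(f"2.2.2.{i}", "1.1.1.1", "tcp", 60, flags="S", dport=80))
    PACKETS.append(pkt("1.1.1.1", f"2.2.2.{i}", "tcp", 60, flags="SA", sport=80))
PACKETS.append(pkt("2.2.2.2", "198.51.100.53", "udp", 75, dport=53))  # small query, source spoofed as 2.2.2.2
for _ in range(3):
    PACKETS.append(pkt("198.51.100.53", "2.2.2.2", "udp", 3000, sport=53))  # large answers land on 2.2.2.2
def half_open_by_target(packets):
    """Per server: number of (client, server) pairs whose SYN was never followed by that client's ACK."""
    syn, acked = set(), set()
    for p in packets:
        if p["proto"] == "tcp" and p["flags"] == "S":
            syn.add((p["src"], p["dst"]))
        elif p["proto"] == "tcp" and p["flags"] == "A":
            acked.add((p["src"], p["dst"]))
    counts = defaultdict(int)
    for _client, server in syn - acked:
        counts[server] += 1
    return dict(counts)
def dns_amplification_by_victim(packets):
    """Per host: DNS answer bytes received / DNS query bytes sent; inf when it sent no query at all."""
    sent, received = defaultdict(int), defaultdict(int)
    for p in packets:
        if p["proto"] == "udp" and p["dport"] == 53:
            sent[p["src"]] += p["size"]
        elif p["proto"] == "udp" and p["sport"] == 53:
            received[p["dst"]] += p["size"]
    return {h: (received[h] / sent[h] if sent[h] else float("inf")) for h in received}

def alerts(packets, max_half_open=3, max_amp=10.0):
    """Flag servers with too many half-open handshakes and hosts receiving amplified DNS answers."""
    out = []
    for server, n in half_open_by_target(packets).items():
        if n > max_half_open:
            out.append(f"possible SYN flood against {server}: {n} half-open connections")
    for host, factor in dns_amplification_by_victim(packets).items():
        if factor > max_amp:
            out.append(f"possible DNS amplification against {host}: {factor:.0f}x")
    return out
```

A host that receives DNS answers without ever sending a query (the pure reflection case on the victim's own network) gets an infinite factor and is flagged as well.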
What's next…
Over 6,000,000,000 Smart-Phones By 2020
The growing prevalence of IoTs
Source: Ericsson Mobility Report; June 2016.
IoT botnets NG
• Improving the C2 functionality:
  • DGA
  • P2P
• Different spreading techniques
  • TR-069 vulnerabilities
  • Windows as a relay
• Non-DDoS botnets
  • Bitcoin mining
  • SPAM spreading
  • Bruteforcing
• IoT vigilantes - Hajime
Image credits: www.mobihealthnews.com
Are we doomed?
@KernelXSS, @incapsula_com
QUESTIONS?
Ben Herzberg