DDoS Attacks & Mitigation

Posted on 11-Dec-2016

TRANSCRIPT

Page 1: DDoS Attacks & Mitigation

http://www.securitech-solutions.com

1

DDoS Attacks & Mitigation

Sang Young, Security Consultant

[email protected]

Page 2: DoS & DDoS

• DoS Attack: an attack that renders a target unusable by legitimate users

• DDoS Attack: DoS attacks launched against a single target from many sources across the Internet

Page 3: DDoS Attack Volume

Source: Worldwide Infrastructure Security Report, Volume V, by Arbor Networks

Page 4: Twitter

http://status.twitter.com/post/157191978/ongoing-denial-of-service-attack

Page 5: GoDaddy

• Happened in 2009, 2007 and 2005

• Affected the hosting servers

http://www.zdnet.com/blog/security/godaddy-hit-by-a-ddos-attack/2391

Page 6: Wordpress

http://www.pcmag.com/article2/0,2817,2333361,00.asp

Page 7: DNS Root Servers

http://www.crn.com/security/197004065

Page 8: Others hit by DDoS attacks

• BBC

• Possible unethical competition:
  ▪ 2004 - Worldpay
  ▪ 2004 - Authorize
  ▪ 2004 - Authorize-It
  ▪ 2004 - 2Checkout
  ▪ 2006 - StormPay
  ▪ 2008 - AlertPay

• An anti-fraud site: Bobbear.co.uk

• Norwegian BitTorrent tracker: norbits.net

Page 9: Proof-of-Concept DoS Tools

• Network based
  – Targa
  – Land
  – LaTierra
  – Nemesy
  – UDP Flooder
  – FSMax
  – Crazy Pinger

• Other application based
  – SomeTrouble: smtp, icq, net send
  – ihateperl.pl: dns

• HTTP based
  – Blast
  – DoSHTTP

Page 10: Nemesy

Page 11: UDP Flood

Page 12: DoSHTTP

Page 13: Crazy Pinger

Page 14: My Collections

Page 15: Botnet

• A botnet consists of multiple bots (compromised machines) on the Internet

• They serve multiple purposes

• Concept:
  – A relatively small botnet of around 1,000 bots (computers) has a combined bandwidth higher than the Internet connection of most corporate systems

Page 16: PoC Bots

• Agobot
• Phatbot
• Forbot
• XtremBot
• SDBot
• RBot
• UrBot
• UrXot
• GT-Bots
• Nuclear Bot

[Diagram: Attacker → handlers (masters, H) → agents (A) → Victim]

Page 17: Uses of Botnets

Botnet            Estimated Size              Main Functions
Conficker         9 to 15 million             Botnet resilience
BlackEnergy       20 to 200k                  DDoS
Machbot           15 nets, 100,000k each      DDoS
Cutwail/Pushdo    About 1 million             Spam, ID theft
Torpig/Sinowal    About 1.9 million           Financial and ID theft
Hexzone           200k to 500k                Ransomware
Ghostnet          ~1,200 in 103 countries     Cyber espionage

Page 18: BlackEnergy

• Attack vectors
  – HTTP
  – DNS request floods
  – ICMP
  – Spoofed IPs
  – SYN floods
  – UDP floods
  – Random binary packet floods

• Capabilities
  – 1 to 7 Gbps
  – A new BlackEnergy botnet can be built over a few days to a size of 4,000 to 20,000 bots

Page 19: DDoS Attack Taxonomy

DDoS Attacks

• Bandwidth Depletion
  – Flood Attack: UDP, ICMP, TCP
  – Amplification Attack: Smurf, Fraggle

• Resource Depletion
  – Protocol Exploit: TCP SYN, PUSH+ACK
  – Malformed Packet

Page 20: Amplification Attack

[Diagram: Attacker → Agent(s) → Amplifier Networks → Victim]

• Agent(s) generate a packet: src = victim IP, dst = amplifier network

• Systems in the amplifier network reply: src = system IP, dst = victim IP

Page 21: Reflective DNS Attacks

• Send a large number of queries to open DNS servers

• These queries are "spoofed" to look like they come from the victim

• Small queries (60 bytes) can generate large UDP packets (512 bytes) in response, an amplification factor of 8.5

• By combining different response types (A, TXT, SOA), a 122-byte query results in a response of 4320 bytes, an amplification factor of 73
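The detection side of the reflective DNS attack described above, as an added example that is not part of the slide deck: from the victim network's viewpoint, reflected responses arrive from resolvers the victim never queried. The flow-record format, the 5-second matching window and the byte threshold are assumptions for illustration.

```python
# Added example, not from the slide deck: spot reflected DNS responses from the
# victim's side. Assumes flow records (time, src_ip, src_port, dst_ip, dst_port, bytes)
# and that a genuine response follows an outbound query to the same resolver.
from collections import defaultdict

def amplification_factor(query_bytes, response_bytes):
    """Response bytes the victim receives per byte the attacker sent (512/60 = 8.5)."""
    return response_bytes / query_bytes

def unsolicited_dns_responses(records, window=5.0):
    """Total bytes of inbound DNS responses per local IP that were not preceded
    by an outbound query from that IP to the same resolver within `window` seconds."""
    last_query = {}                 # (local_ip, resolver_ip) -> time of last query
    unsolicited = defaultdict(int)
    for t, src, sport, dst, dport, nbytes in sorted(records):
        if dport == 53:             # outbound query: remember who we asked, and when
            last_query[(src, dst)] = t
        elif sport == 53:           # inbound response: was it asked for?
            asked = last_query.get((dst, src))
            if asked is None or t - asked > window:
                unsolicited[dst] += nbytes
    return dict(unsolicited)

def flag_reflection_targets(records, window=5.0, byte_threshold=100_000):
    """Local IPs receiving at least `byte_threshold` bytes of unsolicited responses."""
    totals = unsolicited_dns_responses(records, window)
    return sorted(ip for ip, b in totals.items() if b >= byte_threshold)

# Constructed sample: one legitimate lookup by 192.0.2.10, then 40 reflected
# 4320-byte responses from 40 open resolvers aimed at 192.0.2.20.
SAMPLE_RECORDS = [
    (0.0, "192.0.2.10", 40000, "198.51.100.1", 53, 60),
    (0.1, "198.51.100.1", 53, "192.0.2.10", 40000, 512),
]
SAMPLE_RECORDS += [
    (1.0 + i * 0.001, f"198.51.100.{2 + i % 50}", 53, "192.0.2.20", 33333, 4320)
    for i in range(40)
]

if __name__ == "__main__":
    print(flag_reflection_targets(SAMPLE_RECORDS))   # ['192.0.2.20']
```

In production the same logic is usually expressed as a NetFlow/IPFIX query or a firewall rule that only admits UDP/53 responses matching a recent outbound query.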

Page 22: Observed Bots

Page 23: Traditional Countermeasures

• Threshold based attack detection and mitigation

• Deep packet inspection & protocol validation
  – Protocol identification
  – Network & applications
  – Identify and disable handler

• L7 mitigation / WAF

• More bandwidth

Page 24: Mitigation Defense vs Attacker Countermeasure

Mitigation Defense                                  Attacker Countermeasure
Threshold Based Attack Detection and Mitigation     Low and Slow; Hit and Run
Deep Packet Inspection & Protocol Validation        Encryption
L7 Mitigation / WAF                                 Vary Requests
More Bandwidth                                      More and More Traffic

Page 25: Hit and Run Attacks

• Defense
  – relies on sampling traffic flows
  – takes time to react: 15 – 60 seconds
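To make the reaction-time weakness on the last two slides concrete, here is an added example (not from the slide deck) of a toy sampled threshold detector that must see a run of over-threshold samples before it mitigates; the traffic series, the 1,000 pps threshold and the 15-second reaction time are constructed for illustration.

```python
# Added example, not from the slide deck: a toy sampled threshold detector that
# needs `react_seconds` consecutive over-threshold samples (the slides' 15-60 s)
# before it mitigates, run against a sustained flood and a hit-and-run pattern.
# Traffic series and thresholds are constructed for illustration.

def threshold_detector(pps_series, threshold, react_seconds):
    """pps_series: one packets-per-second sample per second.
    Returns (leaked, blocked): attack seconds that got through before mitigation
    engaged, and attack seconds that were mitigated."""
    over_run = 0          # consecutive seconds above threshold
    mitigating = False
    leaked = blocked = 0
    for pps in pps_series:
        if pps > threshold:
            over_run += 1
            if not mitigating and over_run >= react_seconds:
                mitigating = True
            if mitigating:
                blocked += 1
            else:
                leaked += 1
        else:                     # traffic back to normal: detector resets
            over_run = 0
            mitigating = False
    return leaked, blocked

def sustained_flood(seconds, pps):
    return [pps] * seconds

def hit_and_run(bursts, burst_len, gap_len, pps, baseline=100):
    """Short bursts separated by quiet gaps, each burst shorter than the reaction time."""
    series = []
    for _ in range(bursts):
        series += [pps] * burst_len + [baseline] * gap_len
    return series

if __name__ == "__main__":
    # 120 s flood: 14 s leak, the rest is mitigated
    print(threshold_detector(sustained_flood(120, 50_000), 1_000, 15))      # (14, 106)
    # ten 10 s bursts: every attack second leaks, nothing is ever mitigated
    print(threshold_detector(hit_and_run(10, 10, 50, 50_000), 1_000, 15))   # (100, 0)
```

The hit-and-run series delivers the same 100 attack seconds as the first 100 seconds of the flood, but never trips the detector, which is why the slides pair this countermeasure with threshold-based mitigation.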

Page 26: Observed Attack Vectors

Page 27: Trend

Everything over IP → Everything over HTTP

Page 28: Application Layer Attacks (Layer-7)

• Low packet rate

• Packet - Bandwidth > Request - Layer 7 > Session - Behavior

Page 29: DDoS and Infrastructure

Page 30: Most Common HTTP Attacks

Methods and their effects:

http://<target>/random_page
  • Extra I/O from 404s logged
  • Raises CPU on web servers
  • Load on load balancer due to negative cache hits

http://<target>/login.php, http://<target>/search.php
  • Load on I/O to the DB server
  • High CPU via script pages

POST action with a huge amount of data
  • Affects RAM
  • Affects load on threads

Large botnet, low per-IP rate, high delays
  • Bypasses DDoS equipment
  • HTTP requests always get through

Partial requests
  • Tie down all available threads

Page 31: Damaging Queries

• http://target/search.php?=query=e&Submit=Search&type=all&mode=search

• Produce the most matches and cross-reference queries:
  – e, t, a, o, n, i, r, s, d, h, l, c, u, f, p, m, w, y, b, g, v, k, x, j, q, z
  – th, he, an, in, er, re, es, on, ti, at
  – the, and, hat, ent, ion, for, tio, has, tis
  – you, can, her, was, has, him, his

• Result: hits CPU on both the web and database servers
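A defender's view of the last two slides, as an added example that is not part of the slide deck: a scan of web-server access logs (combined log format) that flags, per client IP, the random-page 404 pattern and the short-term search.php queries. The thresholds, the field names and the sample log lines are constructed for illustration.

```python
# Added example, not from the slide deck: per-client detection of two of the
# slides' HTTP attack patterns in combined-format access logs. Thresholds and
# sample lines are constructed.
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_damaging_search(path, min_len=3):
    """True for /search.php requests whose 'query' term is shorter than min_len."""
    u = urlsplit(path)
    if not u.path.endswith("/search.php"):
        return False
    term = parse_qs(u.query).get("query", [""])[0]
    return len(term) < min_len

def suspicious_clients(lines, min_requests=20, max_404_ratio=0.5, max_short_search=10):
    """Map client IP -> reasons, for clients matching either pattern."""
    stats = defaultdict(lambda: {"req": 0, "404": 0, "short_search": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["req"] += 1
        s["404"] += int(rec["status"] == 404)
        s["short_search"] += int(is_damaging_search(rec["path"]))
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["req"] >= min_requests and s["404"] / s["req"] > max_404_ratio:
            reasons.append("random-page 404 flood")
        if s["short_search"] >= max_short_search:
            reasons.append("damaging search queries")
        if reasons:
            flagged[ip] = reasons
    return flagged

# Constructed sample: 15 random-page 404s and 12 one-letter searches from one client, one normal request from another.
SAMPLE_LOG = [f'203.0.113.7 - - [10/Oct/2016:13:55:{i:02d} +0000] "GET /page_{i} HTTP/1.1" 404 512 "-" "Mozilla/5.0"'
              for i in range(15)]
SAMPLE_LOG += [f'203.0.113.7 - - [10/Oct/2016:13:56:{i:02d} +0000] "GET /search.php?query={c}&Submit=Search'
               f'&type=all&mode=search HTTP/1.1" 200 51200 "-" "Mozilla/5.0"' for i, c in enumerate("etaonirsdhlc")]
SAMPLE_LOG += ['192.0.2.1 - - [10/Oct/2016:13:57:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"']
```

The large-POST and partial-request patterns from page 30 need request-body size and connection-duration fields that the combined format does not record, so they are left out here.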

Page 32: New Mitigation Approach

• Protocol Validation
  – Inspects the structure of information in packets at the application layer
  – HTTP anomaly detection: XYZ is not a valid command in HTTP header

• Signature/Fingerprint
  – Search for patterns in network packets to determine if an attack exists
  – Vendor specific
  – Open source
  – Ad hoc customization: signatures for particular custom applications
  – Requires human operation

• Statistical
  – A.k.a. Network Behavioral Analysis
  – Adaptive and predictive models of network behavior
  – Requires human operation
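The protocol-validation bullet above, as an added example that is not part of the slide deck: a small checker for the HTTP request head that reports structural anomalies such as the slide's "XYZ is not a valid command". The method list and the individual checks are assumptions for illustration, not any vendor's rule set.

```python
# Added example, not from the slide deck: application-layer protocol validation
# for the HTTP request head. The set of valid methods and the checks applied are
# assumptions chosen for illustration.
import re

VALID_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}
REQ_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.0|1\.1)$")
HEADER = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")

def validate_request(raw):
    """Return a list of anomaly descriptions; an empty list means the head is well-formed."""
    anomalies = []
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQ_LINE.match(lines[0])
    if not m:
        return [f"malformed request line: {lines[0]!r}"]
    method, _target, version = m.groups()
    if method not in VALID_METHODS:
        anomalies.append(f"{method} is not a valid command in HTTP header")
    headers = {}
    for h in lines[1:]:
        hm = HEADER.match(h)
        if not hm:
            anomalies.append(f"malformed header: {h!r}")
            continue
        headers[hm.group(1).lower()] = hm.group(2)
    if version == "1.1" and "host" not in headers:
        anomalies.append("HTTP/1.1 request without Host header")
    content_length = headers.get("content-length")
    if content_length is not None and not content_length.isdigit():
        anomalies.append("non-numeric Content-Length")
    return anomalies

if __name__ == "__main__":
    print(validate_request("XYZ / HTTP/1.1\r\nHost: example.com\r\n\r\n"))
    # ['XYZ is not a valid command in HTTP header']
```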

Page 33: New Mitigation Approach

• Reputational
  – A database of good and bad IP addresses
  – Bad IP addresses include bots, spammers, etc.
  – Honeypots can help to track these IPs

• Client Validation
  – Determine whether a source is a real person or an automated script
  – Real Browser Detection: send JavaScript and check the response

• Transactional
  – Inspection and validation of application transactions, e.g. HTTP requests, SIP requests
  – Look at the nature of groups of transactions

Page 34: New Mitigation Approach

• Decryption
  – To inspect encrypted transactions and protocols
  – Decrypt HTTPS traffic

• Zero-Day
  – Requires human operation
  – Requires log consolidation from different network devices

Page 35: Largest Anticipated Threat

Page 36: Questions?

Sang Young

[email protected]