[Slide 1]
Know Your Enemy Introduction to DDoS Threat
Red Button
[Slide 2]
Agenda
• What is DDoS?
• DDoS Attack Types
• Best Practice Mitigation Methods
[Slide 3]
What is DDoS?
[Slide 4]
Motivation
• Hacktivism
• Business competitors
• Cyber Warfare
• Ransom
• Angry Users
Technical Motivation
• Denial of service
• Smoke screen (the DDoS masks another attack)
• Impacting security devices (FW, IPS)
[Slide 5]
DDoS Attack Types

| | Few Packets Attacks (20 RPS) | Numerous Packets Attacks (1M PPS and much more) |
| --- | --- | --- |
| Design Weakness | Slowloris, Sockstress | SYN Flood, ICMP Flood |
| Application Level | ReDoS | HTTP Floods |
[Slide 6]
DDoS Attack Vector

| Type | Example |
| --- | --- |
| Volumetric | SYN Flood, UDP Flood, ICMP Flood, DNS Reflection, NTP Flood, CHARGEN Flood |
| Application | HTTP Flood, HTTPS Flood, DNS Query Flood, DNS Recursive Flood |
| Low-and-slow | Slowloris, R.U.D.Y, Large File Download |

Each year more attack vectors are seen in each campaign.
[Slide 7]
DDoS Points of Failure
Source: Radware Global Application & Network Security Report 2014-2015
[Slide 8]
DDoS Attack Types
[Slide 9]
DDoS Attack Types
1) SYN Flood
2) UDP Flood
3) HTTP Flood
4) HTTPS Flood
5) Slowloris
6) R.U.D.Y
7) SSL-Renegotiation
8) DNS Recursive Flood
9) DNS Reflective Flood
10) NTP Reflective Flood
[Slide 10]
SYN Flood
A stream of SYN packets hits every stateful device in the path: FW, IPS, Web Server.
State tables are saturated, causing denial-of-service.
[Slide 11]
SYN Cookies (legitimate)
Real User ↔ Mitigation ↔ Public Web Server
1) Real User → Mitigation: SYN
2) Mitigation → Real User: SYN-ACK <cookie>
3) Real User → Mitigation: ACK <cookie>
   Cookie is validated; now the connection can be established with the server.
4) Mitigation → Public Web Server: SYN
5) Public Web Server → Mitigation: SYN-ACK
6) Mitigation → Public Web Server: ACK
7) Data
Delayed binding: the mitigation device needs to fix the SEQ numbers between the client-side and server-side legs.
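The slide's two mechanisms, a stateless SYN cookie check and the sequence-number fix-up that delayed binding requires, as an added Python example (not code from the presentation or from any vendor's product). The secret key, the 64-second time slot, and the 5-bit/27-bit split of the cookie are assumptions chosen for the example; the point is that no state is stored until a client proves it received the SYN-ACK.

```python
import hashlib
import hmac
import struct
import time

# Constructed secret for the example; a real mitigation device keeps its own,
# regularly rotated key (assumption, not from the slides).
SECRET = b"example-syn-cookie-secret"
SLOT_SECONDS = 64          # cookies are accepted for this slot and the previous one
MASK32 = 0xFFFFFFFF


def _slot(now):
    return int((time.time() if now is None else now) // SLOT_SECONDS)


def _mac(client_ip, client_port, server_port, slot):
    """32-bit keyed hash over the connection tuple plus the time slot."""
    msg = f"{client_ip}|{client_port}|{server_port}|{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


def make_cookie(client_ip, client_port, server_port, now=None):
    """SEQ number placed in the SYN-ACK. The top 5 bits carry the time slot,
    the remaining 27 bits the MAC; no per-connection state is stored."""
    slot = _slot(now)
    return ((slot & 0x1F) << 27) | (_mac(client_ip, client_port, server_port, slot) & 0x07FFFFFF)


def check_ack(ack_number, client_ip, client_port, server_port, now=None):
    """Validate the final ACK of the handshake: the client must acknowledge
    cookie + 1. Only a client that really received the SYN-ACK can do this,
    so a SYN with a spoofed source never gets past this point."""
    cookie = (ack_number - 1) & MASK32
    for slot in (_slot(now), _slot(now) - 1):
        if (slot & 0x1F) != (cookie >> 27):
            continue
        if (_mac(client_ip, client_port, server_port, slot) & 0x07FFFFFF) == (cookie & 0x07FFFFFF):
            return True
    return False


class SeqTranslator:
    """Delayed binding: once the cookie checks out, the device opens a real
    handshake to the server and learns the server's ISN. The client already
    accepted the cookie as the server's ISN, so SEQ/ACK numbers must be
    shifted by the difference on every segment that crosses the device."""

    def __init__(self, cookie, server_isn):
        self.delta = (server_isn - cookie) & MASK32

    def to_client(self, server_seq):
        """Rewrite SEQ on segments flowing server -> client."""
        return (server_seq - self.delta) & MASK32

    def to_server(self, client_ack):
        """Rewrite ACK on segments flowing client -> server."""
        return (client_ack + self.delta) & MASK32
```

Accepting the previous time slot as well as the current one keeps a slow but genuine client from being rejected at a slot boundary; anything older than two slots is refused, which bounds how long a captured cookie stays useful.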
[Slide 12]
SYN Cookies (attacker)
Attacker ↔ Mitigation ↔ Public Web Server
Attacker → Mitigation: SYN, SYN, SYN, ...
The SYN-ACKs are going nowhere since the source IPs are spoofed, so no ACK <cookie> ever comes back and nothing reaches the server.
[Slide 13]
UDP Flood
Internet pipe: 300 Mbps → Organization
UDP, UDP, UDP, UDP, UDP, ... at 500 Mbps
500 Mbps of UDP traffic is directed at an organization whose Internet pipe carries only 300 Mbps.
[Slide 14]
HTTP Flood
HTTP GET / ("GET slash") at 20K TPS → Web Server
Web Server capacity = 10K TPS
[Slide 15]
HTTPS Flood
HTTPS GET / ("GET slash") at 20K TPS → Mitigation (no certificate) → Web Server
Web Server capacity = 10K TPS
[Slide 16]
Web Challenge: CAPTCHA
Real User → GET / → Mitigation → Public Web Server
Attacker → GET / → Mitigation ✘ (blocked)
[Slide 17]
Web Challenge, Legitimate (302 Redirect)
Real User ↔ Mitigation ↔ Public Web Server
1) Real User → Mitigation: GET /
2) Mitigation → Real User: 302 Redirect / + Cookie
3) Real User → Mitigation: GET / + Cookie
   Cookie is validated; now the connection can be established with the server.
4) Mitigation → Public Web Server: GET /
[Slide 18]
Web Challenge, Attacker (302 Redirect)
Attacker ↔ Mitigation ↔ Public Web Server
1) Attacker → Mitigation: GET /
2) Mitigation → Attacker: 302 Redirect / + Cookie
3) Attacker → Mitigation: GET / (no cookie)
   No response.
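The 302-redirect challenge from the two preceding slides (legitimate user and attacker), as an added Python example that is not code from the presentation or from any product. The cookie name `wc`, the HMAC construction binding the cookie to the client IP, the 300-second lifetime, and the sample addresses are all assumptions made for the example; `run_flow` replays both slides, a browser that follows the redirect and a flood tool that keeps sending bare `GET /`.

```python
import hashlib
import hmac
import time

# Constructed values for the example; a real device uses its own rotated key
# and tuning (assumptions, not from the slides).
SECRET = b"example-web-challenge-secret"
COOKIE_NAME = "wc"
TTL_SECONDS = 300


def _tag(client_ip, issued_at):
    return hmac.new(SECRET, f"{client_ip}|{issued_at}".encode(), hashlib.sha256).hexdigest()[:32]


def mint_cookie(client_ip, now=None):
    """Cookie handed out with the 302: bound to the client IP and a timestamp."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_tag(client_ip, issued_at)}"


def verify_cookie(value, client_ip, now=None):
    """True only for an unexpired cookie minted for this client IP."""
    try:
        issued_str, tag = value.split(".", 1)
        issued_at = int(issued_str)
    except (AttributeError, ValueError):
        return False
    age = int(time.time() if now is None else now) - issued_at
    if not 0 <= age <= TTL_SECONDS:
        return False
    return hmac.compare_digest(tag, _tag(client_ip, issued_at))


def _cookies(headers):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in headers.get("Cookie", "").split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            out[key] = val
    return out


def handle(path, headers, client_ip, now=None):
    """Mitigation-device logic for one request.
    Returns ("forward", {}) when the request may go on to the real server, or
    ("challenge", response_headers) when a 302 Redirect + Cookie is sent back."""
    cookie = _cookies(headers).get(COOKIE_NAME)
    if cookie and verify_cookie(cookie, client_ip, now):
        return "forward", {}
    set_cookie = f"{COOKIE_NAME}={mint_cookie(client_ip, now)}; Path=/; HttpOnly"
    return "challenge", {"Status": "302", "Location": path, "Set-Cookie": set_cookie}


def run_flow(follows_redirects, client_ip="198.51.100.7", now=1_700_000_000):
    """Replay the two slides. A browser follows the 302 and resends GET / with
    the cookie; a flood tool ignores the 302 and never gets forwarded."""
    actions = []
    action, resp = handle("/", {}, client_ip, now)
    actions.append(action)
    headers = {}
    if follows_redirects:
        cookie_value = resp["Set-Cookie"].split(";", 1)[0]   # "wc=<value>"
        headers = {"Cookie": cookie_value}
    action, _ = handle("/", headers, client_ip, now + 1)
    actions.append(action)
    return actions
```

Binding the cookie to the client IP means a cookie obtained by one machine cannot be handed to a botnet; the short lifetime limits how long any single cookie stays valid. Both checks are cheap compared with the work the real server would do per request, which is the whole point of answering the first request with a 302 instead of content.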
[Slide 19]
Slowloris
GET ... GET ... (incomplete requests held open) at only 200 RPS
[Slide 20]
R.U.D.Y (Are You Dead Yet)
100000
20K RPS
[Slide 21]
Signature
LOIC (Low Orbit Ion Cannon) sends the payload string "A CAT IS FINE TOO".
IPS can block known DDoS patterns with a signature.
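An IPS-style signature check for the LOIC payload string shown on the slide, as an added Python example (not code from the presentation or from any IPS product). The rule format, the "block a source after three hits" threshold, and the sample packets are constructed for the example; only the pattern string itself comes from the slide.

```python
import re
from collections import Counter

# Constructed signature set. The LOIC payload string is from the slide; the
# rule format and the sample packets below are made up for this example.
SIGNATURES = [
    {"name": "LOIC default payload", "proto": {"TCP", "UDP"},
     "pattern": re.compile(rb"A CAT IS FINE TOO", re.IGNORECASE)},
]

# Block a source after this many signature hits (tunable; an assumption).
BLOCK_AFTER = 3


def match_signatures(packet):
    """Return the names of all signatures whose protocol and pattern match."""
    hits = []
    for sig in SIGNATURES:
        if packet["proto"] in sig["proto"] and sig["pattern"].search(packet["payload"]):
            hits.append(sig["name"])
    return hits


def inspect(packets, block_after=BLOCK_AFTER):
    """IPS-style pass over packets: count signature hits per source and
    decide which sources to block. Returns (hits_per_src, blocked_set, verdicts),
    where verdicts is the per-packet 'pass' / 'drop' decision in input order."""
    hits = Counter()
    blocked = set()
    verdicts = []
    for pkt in packets:
        if match_signatures(pkt):
            hits[pkt["src"]] += 1
            if hits[pkt["src"]] >= block_after:
                blocked.add(pkt["src"])
        verdicts.append("drop" if pkt["src"] in blocked else "pass")
    return hits, blocked, verdicts


# Constructed sample traffic: one host replaying the LOIC string, one normal client.
SAMPLE_PACKETS = [
    {"src": "203.0.113.10", "proto": "TCP", "payload": b"A cat is fine too. A cat is fine too."},
    {"src": "198.51.100.5", "proto": "TCP", "payload": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"src": "203.0.113.10", "proto": "UDP", "payload": b"A CAT IS FINE TOO"},
    {"src": "203.0.113.10", "proto": "TCP", "payload": b"A cat is fine too."},
    {"src": "203.0.113.10", "proto": "TCP", "payload": b"A cat is fine too."},
    {"src": "198.51.100.5", "proto": "TCP", "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
]

if __name__ == "__main__":
    hits, blocked, verdicts = inspect(SAMPLE_PACKETS)
    print(dict(hits), blocked, verdicts)
```

A signature only catches tools whose payload is known and unchanged, which is why the slide presents it as one mitigation among several rather than a complete answer; the rate-based and challenge-based methods on the other slides cover traffic that carries no recognisable pattern.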
[Slide 22]
SSL Renegotiation
• The attacker renegotiates the SSL keys again and again.
• Each renegotiation costs the server about 15x more resources than it costs the client.
[Slide 23]
DNS Floods
• DNS Query Flood
• DNS Reflective Flood
• DNS Recursive Flood
• DNS Garbage Flood
[Slide 24]
NTP Reflective Flood
Attacker → NTP Server (5.6.7.8) → Victim (1.2.3.4)
The attacker's requests carry the victim's address (1.2.3.4) as their source, so the NTP server's replies are delivered to the victim instead of the attacker.
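A defender-side check for the reflection pattern on this slide, as an added Python example (not code from the presentation). It walks flow records seen at the victim's edge and flags NTP replies (source port 123) arriving at 1.2.3.4 that were never preceded by a request from 1.2.3.4 to that server. The flow-record format, the 5-second matching window, and the sample records (including the 440-byte reply size) are constructed for the example; the two IP addresses come from the slide.

```python
from collections import defaultdict

VICTIM = "1.2.3.4"         # from the slide
NTP_SERVER = "5.6.7.8"     # from the slide
NTP_PORT = 123


def find_unsolicited_ntp(flows, protected_ip=VICTIM, window=5.0):
    """Detect reflection hitting protected_ip: NTP replies (source port 123)
    with no NTP request from protected_ip to that server within `window`
    seconds beforehand. Returns (unsolicited_flows, bytes_per_reflector)."""
    recent_requests = defaultdict(list)     # server ip -> times we queried it
    unsolicited = []
    bytes_by_reflector = defaultdict(int)
    for f in sorted(flows, key=lambda x: x["t"]):
        if f["src"] == protected_ip and f["dport"] == NTP_PORT:
            recent_requests[f["dst"]].append(f["t"])     # our own outbound query
            continue
        if f["dst"] == protected_ip and f["sport"] == NTP_PORT:
            asked = [t for t in recent_requests[f["src"]] if 0 <= f["t"] - t <= window]
            if asked:
                recent_requests[f["src"]].remove(asked[0])   # one reply per request
            else:
                unsolicited.append(f)
                bytes_by_reflector[f["src"]] += f["bytes"]
    return unsolicited, dict(bytes_by_reflector)


# Constructed flow records: time, src, sport, dst, dport, bytes.
SAMPLE_FLOWS = [
    # legitimate: the victim's own clock sync, request followed by reply
    {"t": 0.0, "src": VICTIM, "sport": 50000, "dst": "9.9.9.9", "dport": 123, "bytes": 48},
    {"t": 0.1, "src": "9.9.9.9", "sport": 123, "dst": VICTIM, "dport": 50000, "bytes": 48},
    # reflected: replies from 5.6.7.8 that the victim never asked for
    {"t": 1.0, "src": NTP_SERVER, "sport": 123, "dst": VICTIM, "dport": 80, "bytes": 440},
    {"t": 1.0, "src": NTP_SERVER, "sport": 123, "dst": VICTIM, "dport": 80, "bytes": 440},
    {"t": 1.1, "src": NTP_SERVER, "sport": 123, "dst": VICTIM, "dport": 443, "bytes": 440},
]

if __name__ == "__main__":
    unsolicited, by_reflector = find_unsolicited_ntp(SAMPLE_FLOWS)
    print(len(unsolicited), "unsolicited NTP replies;", by_reflector)
```

Pairing each reply with a preceding request is what separates the victim's genuine time synchronisation from reflected traffic; the per-reflector byte count is the figure to hand to the upstream provider or the reflector's operator, since the victim itself cannot stop packets that are already on its pipe.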