A Cyberwarfare Weapon: SlowReq
Maurizio Aiello, [email protected]
Consiglio Nazionale delle Ricerche, Istituto di Elettronica e di Ingegneria dell’Informazione e delle Telecomunicazioni
via De Marini, 6, 16149 Genova, Italy
Cpexpo meeting, Genoa, Italy, 30 October 2013
Cyberwarfare
“Politically motivated hacking to conduct military operations, such as sabotage or espionage, against an informative system owned by the adversary”
Governments vs. Governments
Groups vs. Governments
¤ Titan Rain
¤ Moonlight Maze
¤ Hacktivistic Groups Operations
¤ Anonymous
¤ LulzSec
Attack Technologies
DENIAL OF SERVICE (DoS)
DISTRIBUTED DENIAL OF SERVICE (DDoS)
INTRUSIONS & MALWARE
SQL INJECTION, BUFFER OVERFLOW, TROJAN HORSES, BACKDOOR
“An attempt to make a machine or network resource unavailable to its intended users”
Amplification of the attack resources through the enrollment of (willing or not) botnet agents
Denial of Service Attacks
¤ Attacks to the system
  ¤ ZIP Bomb
  ¤ Fork Bomb
¤ Attacks to the network
  ¤ Multipliers: DNS, Smurf attack, etc.
  ¤ Volumetric: flooding DoS attacks
  ¤ Application Layer: Slow DoS Attacks
“Old Style” Flooding DoS Attacks
¤ Large bandwidth usage
¤ SYN flood, UDP flood, ICMP flood, …
Flooding based attacks
LEVEL-4 Denial of Service
The ISO/OSI Model
Layers (top to bottom): Application, Presentation, Session, Transport, Network, Data Link, Physical
Flooding DoS Attacks: Transport layer and below
Slow DoS Attacks: Application layer
Hacktivist Groups: Anonymous and LulzSec
[Timeline figure, 2008–2012, of hacktivist operations attributed to Anonymous and LulzSec: Project Chanology, Iranian election protests, Operation Payback, Operation Payback against Visa, Mastercard and PayPal, Operation Sony, Interpol, Vatican.]
Slow DoS Attack (SDA)
“An attack which exhausts the resources of a victim using low bandwidth”
SDAs’ Strategy
¤ They move the victim to the saturation state
¤ Low bandwidth rate:
  ¤ Attack resources are minimized
  ¤ It’s easier to bypass security systems
¤ ON-OFF nature
¤ Almost all the packets contribute to the success of the attack
Slow DoS Attacks. An Example: Slowloris
¤ A script written in the Perl programming language
¤ Used during the protests against the Iranian presidential elections in 2009
¤ It sends a lot of endless requests with the pattern:
GET / HTTP/1.1\r\n
Host: www.example.com\r\n
User-Agent: Mozilla/4.0 [...]\r\n
Content-Length: 42\r\n
X-a: b\r\n
X-a: b\r\n
X-a: b\r\n
Source: http://ha.ckers.org/slowloris/
Making Order Into the Slow DoS Field
[Taxonomy figure: Slow DoS Attacks are classified by the resource they exhaust (CPU/Memory/Disk vs. Network), by the side of the request/response exchange they act on (Client, Server, Timeout) and by category: Delayed Responses, Slow Requests, Pending Requests, Resources Occupation, Planning, Server Behavior Alteration, Other Unknown Attacks. Attacks placed in the taxonomy: Slowloris, R-U-Dead-Yet, Apache Range Header, #HashDoS, ReDoS, Quiet attack, Shrew, Induced Shrew, THC-SSL-DoS, LoRDAS.]
SlowReq Attack
¤ It opens a large amount of endless connections with the victim
¤ It slowly sends data to the victim at a specific interval, preventing a server-side connection closure
SLOWLORIS vs. SLOWREQ (payload sent at each interval after the request shown below):
GET / HTTP/1.1\r\n
Host: www.example.com\r\n
User-Agent: Mozilla/4.0 [...]\r\n
Content-Length: 42\r\n
SLOWLORIS: X-a: b\r\n  X-a: b\r\n  X-a: b\r\n  …
SLOWREQ:   [space]  [space]  [space]  …
SlowReq Attack
¤ No \r\n implies no parsing (stealthy and difficult to prevent)
¤ Very limited bandwidth
¤ Limited CPU and RAM required
¤ Tunable parameters (number of connections, wait timeout, time between characters, etc.)
Protocol Independence
¤ Attacks like Slowloris are bound to a specific protocol (HTTP in this case)
¤ SlowReq is able to naturally affect multiple protocols
  ¤ Packet payload is a sequence of white spaces
  ¤ Tested against FTP, SMTP and SSH servers
  ¤ Bound to TCP-based protocols
Performance Results
DoS state reached after a few seconds
Signature Based Countermeasures
Apache Web Server software modules
¤ mod-security module limits the number of simultaneous connections established from the same IP address
¤ reqtimeout module applies time limits to the reception of requests, rejecting requests that take too long to arrive
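As an added example (this is my own sketch, not the slides' material and not the code of the Apache modules just named), the following Python guard applies the two policies this slide describes, a cap on simultaneous connections per source address and a time budget for delivering a complete request line, to a constructed trace of connection events. The class and function names (SlowRequestGuard, make_sample_events, simulate), the sample addresses and the timings are hypothetical. The guard renews a connection's budget only when a full \r\n-terminated line arrives, so a connection that only drips spaces, the payload described on the SlowReq slides, runs out of time no matter how many bytes it sends.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical server-side guard (not Apache's mod_security/mod_reqtimeout code)
# combining a per-source connection cap with a budget for completing a request line.


@dataclass
class ConnState:
    ip: str
    last_line: float        # time of the last complete \r\n line (or of the open)
    buf: bytes = b""
    complete: bool = False  # empty line seen: headers fully received
    alive: bool = True


class SlowRequestGuard:
    def __init__(self, max_conns_per_ip=10, line_timeout=20.0):
        self.max_conns_per_ip = max_conns_per_ip
        self.line_timeout = line_timeout
        self.conns = {}
        self.per_ip = defaultdict(int)
        self.drops = []  # (time, connection id, reason)

    def _drop(self, t, cid, reason):
        st = self.conns[cid]
        st.alive = False
        self.per_ip[st.ip] -= 1
        self.drops.append((round(t, 3), cid, reason))

    def sweep(self, now):
        """Close every live, still-incomplete connection whose line budget expired before `now`."""
        for cid, st in self.conns.items():
            deadline = st.last_line + self.line_timeout
            if st.alive and not st.complete and now > deadline:
                self._drop(deadline, cid, "line-timeout")

    def open(self, t, cid, ip):
        self.sweep(t)
        if self.per_ip[ip] >= self.max_conns_per_ip:
            self.drops.append((round(t, 3), cid, "per-ip-limit"))
            return False
        self.conns[cid] = ConnState(ip, t)
        self.per_ip[ip] += 1
        return True

    def data(self, t, cid, chunk):
        self.sweep(t)
        st = self.conns.get(cid)
        if st is None or not st.alive:
            return False
        st.buf += chunk
        # Only a complete line renews the budget; bare spaces never do.
        while b"\r\n" in st.buf:
            line, _, st.buf = st.buf.partition(b"\r\n")
            st.last_line = t
            if line == b"":
                st.complete = True
        return True


def make_sample_events():
    """Constructed trace: (time in s, kind, connection id, ip or payload)."""
    events = [
        (0.0, "open", "c1", "10.0.0.5"),  # a legitimate client ...
        (0.1, "data", "c1", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        (0.0, "open", "s1", "10.0.0.9"),  # ... and a slow one that drips a space every 5 s
    ]
    events += [(5.0 * k, "data", "s1", b" ") for k in range(1, 7)]
    # eleven more connections from the same source, sending nothing at all
    events += [(1.0, "open", f"s{k}", "10.0.0.9") for k in range(2, 13)]
    return events


def simulate(events, end_time, **cfg):
    """Replay events in time order and return the guard's drop decisions."""
    guard = SlowRequestGuard(**cfg)
    for t, kind, cid, arg in sorted(events, key=lambda e: e[0]):
        if kind == "open":
            guard.open(t, cid, arg)
        elif kind == "data":
            guard.data(t, cid, arg)
    guard.sweep(end_time)
    return guard.drops


if __name__ == "__main__":
    for entry in simulate(make_sample_events(), end_time=40.0,
                          max_conns_per_ip=10, line_timeout=20.0):
        print(entry)
```

With the sample trace the legitimate client is never touched, the 11th and 12th connections from 10.0.0.9 are refused at open time, and the ten accepted ones (including the one dripping spaces) are closed when their 20 s line budget expires.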
Performance Results – mod-security
A non-distributed attack is successfully mitigated
Performance Results – reqtimeout
Unlike Slowloris, SlowReq is not mitigated
Statistical Based Countermeasures
[Timing figure: each request/response exchange is marked by the timestamps t_start_request, t_end_request, t_start_response and t_end_response, from which the intervals Δrequest (request duration), Δdelay (end of request to start of response), Δresponse (response duration) and Δnext (end of response to the next request) are derived.]
Statistical Signature Based SDAs Detection
Statistical Signature Based SDAs Detection
Comparison with standard traffic conditions
MINIMUM VALUE (NCV)
$$n(y) = \int_{-\infty}^{\infty} \left( f(x) - g(x+y) \right)^2 \, dx$$
$$NCV = \min_{y} n(y)$$
Statistical Signature Based SDAs Detection
Real traffic distribution (Δdelay example)
Statistical Signature Based SDAs Detection
Protocol:
¤ n representations of standard traffic
¤ m comparisons, extracting m different NCV values
¤ Retrieval of the μ and σ values from the NCV set
¤ Baseline: μ + 3σ
¤ Comparison of the anomalous traffic with f (the average standard distribution)
¤ NCV value retrieval for the analyzed traffic and result
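As an added example (my own code, not the authors' detection framework), the following Python script ties together the timing figure from the Statistical Based Countermeasures slide, the NCV formula and the six protocol steps above: it derives the four intervals from per-exchange timestamps, builds the μ + 3σ baseline from n windows of standard traffic, and classifies a held-out window of standard traffic and a window whose request phase is stretched the way a slow request stretches it. Everything not on the slides is an assumption: the interval definitions (Δrequest = t_end_request − t_start_request, Δdelay = t_start_response − t_end_request, Δresponse = t_end_response − t_start_response, Δnext = next t_start_request − t_end_response), the bin edges, the shift range, the seeded synthetic timestamps, and the function names. The slides' own plot uses Δdelay; the request duration is used here because that is the interval a slow request inflates.

```python
import random
import statistics
from typing import Dict, List, Sequence, Tuple

# Constructed example, not the authors' framework. One exchange is the tuple
# (t_start_request, t_end_request, t_start_response, t_end_response).
Exchange = Tuple[float, float, float, float]


def intervals(exchanges: Sequence[Exchange]) -> List[Dict[str, float]]:
    """Derive the four intervals of the timing figure (definitions assumed, see lead-in)."""
    rows = []
    for i, (ts_req, te_req, ts_res, te_res) in enumerate(exchanges):
        row = {"request": te_req - ts_req,
               "delay": ts_res - te_req,
               "response": te_res - ts_res}
        if i + 1 < len(exchanges):
            row["next"] = exchanges[i + 1][0] - te_res
        rows.append(row)
    return rows


# Assumed bin edges in seconds, roughly logarithmic so both sub-second and
# minute-long intervals land in meaningful bins.
EDGES = [0, 0.02, 0.05, 0.1, 0.2, 0.5, 1, 2, 5, 10, 30, 60, 120, float("inf")]


def density(values, edges=EDGES) -> List[float]:
    """Normalised histogram: the discrete stand-in for the densities f and g."""
    counts = [0] * (len(edges) - 1)
    for v in values:
        for i in range(len(counts)):
            if edges[i] <= v < edges[i + 1]:
                counts[i] += 1
                break
    total = sum(counts) or 1
    return [c / total for c in counts]


def _at(h, i):
    return h[i] if 0 <= i < len(h) else 0.0  # zero outside the histogram


def n_shift(f, g, y) -> float:
    """Discrete n(y) = sum over bins of (f(x) - g(x+y))^2, covering every bin of either side."""
    lo, hi = min(0, -y), max(len(f), len(g) - y)
    return sum((_at(f, x) - _at(g, x + y)) ** 2 for x in range(lo, hi))


def ncv(f, g, max_shift=2) -> float:
    """NCV = min over shifts y of n(y); shifts are whole bins here."""
    return min(n_shift(f, g, y) for y in range(-max_shift, max_shift + 1))


def build_baseline(normal_dists, max_shift=2):
    """Protocol steps 1-4: m pairwise NCVs among the n standard windows, then mu + 3 sigma.
    Also returns the average standard distribution f used in step 5."""
    pairs = [ncv(a, b, max_shift) for i, a in enumerate(normal_dists) for b in normal_dists[i + 1:]]
    mu, sigma = statistics.fmean(pairs), statistics.pstdev(pairs)
    f_avg = [sum(col) / len(normal_dists) for col in zip(*normal_dists)]
    return f_avg, mu + 3 * sigma


def classify(test_dist, f_avg, threshold, max_shift=2):
    """Protocol steps 5-6: NCV of the analysed traffic against f; anomalous if above the baseline."""
    value = ncv(f_avg, test_dist, max_shift)
    return value > threshold, value


def synthetic_window(rng, n_exchanges=1000, slow=False) -> List[Exchange]:
    """Constructed timestamps on one connection; slow=True stretches the request phase."""
    t, out = 0.0, []
    for _ in range(n_exchanges):
        req = rng.uniform(30, 120) if slow else rng.uniform(0.01, 0.2)
        ts_req, te_req = t, t + req
        ts_res = te_req + rng.uniform(0.05, 0.3)
        te_res = ts_res + rng.uniform(0.02, 0.4)
        out.append((ts_req, te_req, ts_res, te_res))
        t = te_res + rng.uniform(0.1, 1.0)
    return out


def demo(metric="request"):
    rng = random.Random(2013)  # fixed seed: the run is reproducible
    normal = [density(r[metric] for r in intervals(synthetic_window(rng))) for _ in range(6)]
    f_avg, threshold = build_baseline(normal)
    held_out = density(r[metric] for r in intervals(synthetic_window(rng)))
    attack = density(r[metric] for r in intervals(synthetic_window(rng, slow=True)))
    return {"threshold": threshold,
            "held_out": classify(held_out, f_avg, threshold),
            "attack": classify(attack, f_avg, threshold)}


if __name__ == "__main__":
    print(demo())
```

Because n(y) is evaluated on histograms, the integral becomes a sum over bins and the shift y is a whole number of bins; the baseline from six standard windows stays in the thousandths, while the stretched-request window lands ten bins away from the standard mass and its NCV is close to 1, so it is flagged regardless of the small shifts tried.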
Conclusions and Future Work
¤ Extensions of the algorithm are possible: we are releasing a framework for SDA detection
¤ Given its limited resource requirements, we are working on a mobile deployment of SlowReq
¤ Deployment of a (mobile and) distributed attack
Acknowledgements
Enrico Cambiaso
Gianluca Papaleo
Silvia Scaglione
The End
Thanks!!