![Page 1: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/1.jpg)
http://www.securitech-solutions.com
1
DDoS Attacks & Mitigation
Sang Young, Security Consultant
![Page 2: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/2.jpg)
DoS & DDoS
• DoS Attack – an attack that renders a target unusable by legitimate users
• DDoS Attack – DoS attacks launched from many sources across the Internet against a single target
![Page 3: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/3.jpg)
DDoS Attack Volume
Source: Worldwide Infrastructure Security Report, Volume V, by Arbor Networks
![Page 4: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/4.jpg)
http://status.twitter.com/post/157191978/ongoing-denial-of-service-attack
![Page 5: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/5.jpg)
• Happened in 2009, 2007 and 2005
• Affected the hosting servers
GoDaddy
http://www.zdnet.com/blog/security/godaddy-hit-by-a-ddos-attack/2391
![Page 6: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/6.jpg)
Wordpress
http://www.pcmag.com/article2/0,2817,2333361,00.asp
![Page 7: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/7.jpg)
DNS Root Servers
http://www.crn.com/security/197004065
![Page 8: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/8.jpg)
Others hit by DDoS attacks
• BBC
• Possible unethical competition:
  ▪ 2004 - Worldpay
  ▪ 2004 - Authorize
  ▪ 2004 - Authorize-It
  ▪ 2004 - 2Checkout
  ▪ 2006 - StormPay
  ▪ 2008 - AlertPay
• An anti-fraud site: Bobbear.co.uk
• Norwegian BitTorrent tracker: norbits.net
![Page 9: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/9.jpg)
Proof-of-Concept DoS Tools
• Network based
  – Targa
  – Land
  – LaTierra
  – Nemesy
  – UDP Flooder
  – FSMax
  – Crazy Pinger
• Other application based
  – SomeTrouble: smtp, icq, net send
  – ihateperl.pl: dns
• HTTP based
  – Blast
  – DoSHTTP
![Page 10: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/10.jpg)
Nemesy
![Page 11: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/11.jpg)
UDP Flood
![Page 12: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/12.jpg)
DoSHTTP
![Page 13: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/13.jpg)
Crazy Pinger
![Page 14: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/14.jpg)
My Collections
![Page 15: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/15.jpg)
Botnet
• A botnet consists of multiple bots (compromised machines) on the Internet
• Bots serve multiple purposes
• Concept:
  – A relatively small botnet of around 1,000 bots (computers) has a combined bandwidth higher than the Internet connection of most corporate systems
![Page 16: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/16.jpg)
PoC Bots
• Agobot
• Phatbot
• Forbot
• XtremBot
• SDBot
• RBot
• UrBot
• UrXot
• GT-Bots
• Nuclear Bot
[Diagram: attacker → handlers (master), H H H H → agents, A A A A A A → victim]
![Page 17: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/17.jpg)
Uses of Botnets
| Botnet | Estimated Size | Main Functions |
|---|---|---|
| Conficker | 9 to 15 Million | Botnet Resilience |
| BlackEnergy | 20 to 200k | DDoS |
| Machbot | 15 nets, 100,000k each | DDoS |
| Cutwail/Pushdo | About 1 Million | Spam, ID Theft |
| Torpig/Sinowal | About 1.9 Million | Financial and ID Theft |
| Hexzone | 200k to 500k | RansomWare |
| Ghostnet | ~1200 in 103 countries | Cyber Espionage |
![Page 18: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/18.jpg)
BlackEnergy
• Attack vectors
  – HTTP
  – DNS request floods
  – ICMP
  – Spoofed IPs
  – SYN floods
  – UDP floods
  – Random binary packet floods
• Capabilities
  – 1 to 7 Gbps
  – A new BlackEnergy botnet can be created over a few days to a size of 4,000 to 20,000 bots
![Page 19: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/19.jpg)
DDoS Attack Taxonomy
DDoS Attacks
• Bandwidth Depletion
  – Flood Attack: UDP, ICMP, TCP
  – Amplification Attack: Smurf, Fraggle
• Resource Depletion
  – Protocol Exploit: TCP SYN, PUSH+ACK
  – Malformed Packet
![Page 20: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/20.jpg)
Amplification Attack
[Diagram: attacker → agent(s) → amplifier networks → victim]
• Agent generates a packet: src = victim IP, dst = amplifier net
• Systems reply: src = system IP, dst = victim IP
![Page 21: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/21.jpg)
Reflective DNS Attacks
• Send a large number of queries to open DNS servers
• These queries are "spoofed" to look like they come from the victim
• Small queries (60 bytes) can generate large UDP packets (512 bytes) in response, an amplification factor of 8.5
• By combining different response types (A, TXT, SOA), a 122-byte query results in a response of 4,320 bytes, an amplification factor of 73
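The asymmetry the slide describes is also what makes reflection detectable from the resolver's or the victim's upstream side. The following is an added example, not code from the slides: it computes the slide's amplification factor and flags (resolver, claimed client) pairs whose UDP/53 response volume is large and far out of proportion to the queries. The flow records, thresholds and IP addresses are constructed.

```python
from collections import defaultdict

def amplification_factor(query_bytes, response_bytes):
    """Bytes received per byte sent, e.g. the slide's 512 / 60 ≈ 8.5."""
    return response_bytes / max(query_bytes, 1)

# Constructed flow records, not from the slides:
# (claimed_client_ip, server_ip, proto, dst_port, request_bytes, response_bytes)
FLOWS = [
    ("198.51.100.7", "203.0.113.53", "udp", 53, 60, 512),      # ordinary lookups
    ("198.51.100.7", "203.0.113.53", "udp", 53, 60, 512),
    ("192.0.2.10", "203.0.113.53", "udp", 53, 122, 4320),     # multi-record answers
    ("192.0.2.10", "203.0.113.53", "udp", 53, 122, 4320),
    ("192.0.2.10", "203.0.113.53", "udp", 53, 122, 4320),
    ("198.51.100.9", "203.0.113.80", "tcp", 443, 900, 1500),  # not DNS, skipped
]

def dns_amplification_report(flows, ratio_threshold=20.0, min_response_bytes=10_000):
    """Aggregate UDP/53 bytes per (resolver, claimed client) and flag pairs whose
    response volume is both large and far out of proportion to the queries.
    With source spoofing the 'client' is the victim that receives the replies,
    so this is the view of an open-resolver operator or the victim's upstream.
    Thresholds are assumptions and should be tuned per network."""
    req, resp = defaultdict(int), defaultdict(int)
    for client, server, proto, port, rb, sb in flows:
        if proto != "udp" or port != 53:
            continue
        req[(server, client)] += rb
        resp[(server, client)] += sb
    flagged = []
    for key in resp:
        ratio = amplification_factor(req[key], resp[key])
        if resp[key] >= min_response_bytes and ratio >= ratio_threshold:
            flagged.append({"resolver": key[0], "victim": key[1],
                            "response_bytes": resp[key], "ratio": round(ratio, 1)})
    return sorted(flagged, key=lambda f: f["response_bytes"], reverse=True)
```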
![Page 22: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/22.jpg)
Observed Bots
![Page 23: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/23.jpg)
Traditional Countermeasures
• Threshold Based Attack Detection and Mitigation
• Deep Packet Inspection & Protocol Validation
  – Protocol identification
  – Network & applications
  – Identify and disable handlers
• L7 Mitigation / WAF
• More Bandwidth
![Page 24: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/24.jpg)
Mitigation Defense vs Attacker Countermeasure
| Mitigation Defense | Attacker Countermeasure |
|---|---|
| Threshold Based Attack Detection and Mitigation | Low and Slow; Hit and Run |
| Deep Packet Inspection & Protocol Validation | Encryption |
| L7 Mitigation / WAF | Vary Requests |
| More Bandwidth | More and More Traffic |
![Page 25: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/25.jpg)
Hit and Run Attacks
• Defense
  – relies on sampling traffic flows
  – takes time to react: 15 – 60 seconds
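To size a threshold detector against the reaction times on this slide, the following added example (not from the slides) simulates a detector that samples packet rate per fixed window and needs a fixed reaction time before mitigation starts, and reports whether mitigation would begin before a short burst is already over. The traffic segments, rates and thresholds are constructed.

```python
def packet_rate_samples(events, window_s, horizon_s):
    """Average packets/s for each fixed sampling window of window_s seconds.
    events: (start_s, end_s, pps) traffic segments, constructed for this example."""
    samples = []
    for w_start in range(0, horizon_s, window_s):
        w_end = w_start + window_s
        packets = 0
        for start, end, pps in events:
            overlap = max(0, min(end, w_end) - max(start, w_start))
            packets += overlap * pps
        samples.append((w_end, packets / window_s))
    return samples

def first_alert_time(events, window_s, threshold_pps, react_s, horizon_s=120):
    """Time (s) at which mitigation would start for a detector that samples every
    window_s seconds and needs react_s to enforce, or None if it never fires."""
    for w_end, rate in packet_rate_samples(events, window_s, horizon_s):
        if rate >= threshold_pps:
            return w_end + react_s
    return None

# Constructed traffic: 100 pps background for two minutes plus a 10-second burst.
BACKGROUND = (0, 120, 100)
BURST = (30, 40, 2000)
TRAFFIC = [BACKGROUND, BURST]

def burst_is_mitigated(events, burst, window_s, threshold_pps, react_s):
    """True only if mitigation starts before the burst ends; a long sampling
    window averages the burst away, and a long reaction time arrives too late."""
    t = first_alert_time(events, window_s, threshold_pps, react_s)
    return t is not None and t < burst[1]
```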
![Page 26: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/26.jpg)
Observed Attack Vectors
![Page 27: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/27.jpg)
Trend
Everything over IP → Everything over HTTP
![Page 28: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/28.jpg)
Application Layer Attacks (Layer-7)
• Low packet rate
• Packet – Bandwidth > Request – Layer 7 > Session – Behavior
![Page 29: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/29.jpg)
DDoS and Infrastructure
![Page 30: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/30.jpg)
Most Common HTTP Attacks
| Methods | Effects |
|---|---|
| http://<target>/random_page | Extra I/O from 404s logged; raises CPU on web servers; load on load balancer due to negative cache hits |
| http://<target>/login.php, http://<target>/search.php | Load on I/O to the DB server; high CPU via script pages |
| POST action with huge amount of data | Affects RAM; affects thread load |
| Large botnet, low per-IP rate, high delays | Bypasses DDoS equipment; HTTP requests always get through |
| Partial requests | Tie down all available threads |
![Page 31: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/31.jpg)
Damaging Queries
• http://target/search.php?=query=e&Submit=Search&type=all&mode=search
• Produce the most matches and cross-reference queries:
  – e, t, a, o, n, i, r, s, d, h, l, c, u, f, p, m, w, y, b, g, v, k, x, j, q, z
  – th, he, an, in, er, re, es, on, ti, at
  – the, and, hat, ent, ion, for, tio, has, tis
  – you, can, her, was, has, him, his
• Results: hit both CPU on the web and database servers
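The random-page floods from the "Most Common HTTP Attacks" table and the short search queries above both leave a signature in ordinary web server logs. The following added example, not code from the slides, profiles each source IP from Combined Log Format lines by its share of 404 responses and by how many search.php hits carry a query of three characters or fewer. The log lines, IP addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed log lines (not from the slides): 203.0.113.5 requests random paths,
# 198.51.100.8 sends one- and two-letter search queries, 192.0.2.1 is a normal user.
LOG = """\
203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /a8f3k HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /zq91x HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2010:13:55:37 +0000] "GET /m2n7p HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2010:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2010:13:55:38 +0000] "GET /search.php?query=e&type=all&mode=search HTTP/1.1" 200 90000 "-" "curl/7.1"
198.51.100.8 - - [10/Oct/2010:13:55:38 +0000] "GET /search.php?query=t&type=all&mode=search HTTP/1.1" 200 88000 "-" "curl/7.1"
198.51.100.8 - - [10/Oct/2010:13:55:39 +0000] "GET /search.php?query=th&type=all&mode=search HTTP/1.1" 200 70000 "-" "curl/7.1"
192.0.2.1 - - [10/Oct/2010:13:55:40 +0000] "GET /search.php?query=firewall+rules HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.1 - - [10/Oct/2010:13:55:41 +0000] "GET /login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(log):
    """Yield (ip, method, target, status) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def profile_sources(log, min_requests=3, max_query_len=3):
    """Per source IP: request count, 404 count (random-page floods) and count of
    search.php hits whose 'query' is at most max_query_len chars (cross-reference
    load on web and DB servers). Returns {ip: [reasons]} for flagged sources."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "short_search": 0})
    for ip, method, target, status in parse(log):
        s = stats[ip]
        s["requests"] += 1
        if status == 404:
            s["not_found"] += 1
        url = urlsplit(target)
        if url.path.endswith("/search.php"):
            q = parse_qs(url.query).get("query", [""])[0]
            if len(q) <= max_query_len:
                s["short_search"] += 1
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["requests"] >= min_requests and s["not_found"] / s["requests"] >= 0.5:
            reasons.append("random_page_flood")
        if s["short_search"] >= min_requests:
            reasons.append("damaging_search_queries")
        if reasons:
            flagged[ip] = reasons
    return flagged
```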
![Page 32: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/32.jpg)
New Mitigation Approach
• Protocol Validation
  – Inspects the structure of information in packets at the application layer
  – HTTP anomaly detection, e.g. XYZ is not a valid command in an HTTP header
• Signature/Fingerprint
  – Search for a pattern in network packets to determine if an attack exists
  – Vendor specific
  – Open source
  – Ad hoc customization: signatures for particular custom applications
  – Requires human operation
• Statistical
  – a.k.a. Network Behavioral Analysis
  – Adaptive and predictive models of network behavior
  – Requires human operation
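Protocol validation, as in the "XYZ is not a valid command" bullet, means rejecting requests that are structurally wrong before they reach the application. The following added example (not code from the slides) validates the request line and header block of a raw HTTP/1.x request: unknown methods, bad versions, malformed header names, duplicate Content-Length, oversized header blocks and header blocks that never complete. The allowed-method set and size cap are assumptions.

```python
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}  # assumption
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 header-name token
REQUEST_LINE = re.compile(r"^([^ ]+) ([^ ]+) HTTP/(\d)\.(\d)$")

def validate_http_request(raw: bytes, max_header_bytes=8192):
    """Return (ok, reason). Only the origin-form request target ('/path' or '*')
    is accepted, which is what an origin server or reverse proxy sees."""
    if len(raw) > max_header_bytes:
        return False, "header block too large"
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        # No end of headers yet: either still arriving, or a partial request
        # that holds a worker thread; callers should bound how long they wait.
        return False, "incomplete header block"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in header"
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method, target, major, minor = m.groups()
    if method not in ALLOWED_METHODS:
        return False, f"{method} is not a valid method"
    if (major, minor) not in {("1", "0"), ("1", "1")}:
        return False, "unsupported HTTP version"
    if not (target.startswith("/") or target == "*"):
        return False, "bad request target"
    seen = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            return False, f"malformed header line: {line!r}"
        key = name.lower()
        if key == "content-length" and (key in seen or not value.strip().isdigit()):
            return False, "bad or duplicate Content-Length"
        seen[key] = value.strip()
    if (major, minor) == ("1", "1") and "host" not in seen:
        return False, "HTTP/1.1 request without Host"
    return True, "ok"
```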
![Page 33: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/33.jpg)
New Mitigation Approach
• Reputational
  – A database of good and bad IP addresses
  – Bad IP addresses include bots, spammers, etc.
  – Honeypots can help to track these IPs
• Client Validation
  – Determine if a source is a real person or an automated script
  – Real browser detection: send a piece of JavaScript and check the response
• Transactional
  – Inspection and validation of application transactions, e.g. HTTP requests, SIP requests
  – Look at the nature of groups of transactions
![Page 34: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/34.jpg)
New Mitigation Approach
• Decryption
  – To inspect encrypted transactions and protocols
  – Decrypt HTTPS traffic
• Zero-Day
  – Requires human operation
  – Requires log consolidation from different network devices
![Page 35: DDoS Attacks & Mitigation](https://reader030.vdocuments.net/reader030/viewer/2022021420/584c72951a28ab85738ecd59/html5/thumbnails/35.jpg)
Largest Anticipated Threat