web targeted ddos attack: trends, tools and tactics

Web targeted DDoS attack: trends, tools and tactics. Christiaan Ehlers, Senior Service Consultant – Akamai Technologies


Post on 23-Feb-2016



Page 1: Web targeted  DDoS attack: trends, tools and tactics

Akamai Confidential

Web targeted DDoS attack: trends, tools and tactics. Christiaan Ehlers, Senior Service Consultant – Akamai Technologies

Page 2

Akamai Confidential ©2012 Akamai Faster Forward™

Anonymous Attack on the Home Office 7th April 2012

Page 3

DoS motivation

• Organized crime: profit
• Political hacktivism
• State sponsored
• Traditional hackers: glory hounds

Page 4

Let’s Hold up Somebody for Ransom (actual ransom note)

Your site www.#####.de will be subjected to DDoS attacks 100 Gbit/s.

Pay 100 btc(bitcoin) on the account

1ACFJHoB8Z3KDwDn6XdNTEJb6S7VsQiLZG

Do not reply to this email

Page 5

Over 40X Increase in Traffic

Page 6

A very brief introduction

• DoS attacks have moved up the stack: from IP floods and SYN floods to application-level attacks.

• Attacks on the network and transport layers targeted the operating system of the receiving machine.

• An attack on the application layer penetrates deeper into the infrastructure: the target is no longer just the firewall or proxy, since a valid-looking request can reach the backend database.

• Development and architecture effort is focused on securing against the classical hacking attacks, so DoS resilience takes a back seat.

Page 7

DoS Vulnerability

If the target system spends disproportionately more resources serving a response than the attacker spends producing the request, you potentially have a DoS vulnerability. The ratio between the two is what matters: the cheaper the request and the dearer the response, the fewer attackers (or bots) are needed.

Page 8

Target areas

Bandwidth
• Inbound (sometimes difficult to exploit, but also difficult to protect)
• Outbound

Data access and processing (CPU, memory and disk access)
• Database searches
• Formatting, regular expressions, encoding, etc.
• Cryptographic processing

System limits
• Registers, file handles, configured limits, etc. (slow attacks)

Algorithmic or architectural inefficiencies

Page 9

Brute Force Attacks

• Usually aimed at bandwidth and at data access and processing targets.

• Attempt to interfere with normal operation by consuming resources through sending large volumes of requests to the target.

• The traffic can look like normal browser traffic.

• The traffic volume required for an effective attack is determined by the capacity and overhead of the target system.

Page 10

Algorithmic or architectural inefficiencies

ApacheKiller
• Apache allocated a memory buffer for each byte range requested in the Range header.
• If enough (overlapping) ranges are requested in a single request, the server's memory can be exhausted.

Hash table collision
• A hash table collision attack turns inserting n elements into a hash table from an expected O(n) operation into an O(n^2) one: the attacker chooses keys that all land in the same bucket, so every insert walks the whole chain.

Exploitation requires "abnormal" requests, so these attacks are fairly easy to identify, block and fix.
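Both items on this slide, and the cost-asymmetry definition on page 7, are easier to reason about with numbers. The following is an added example written for this page, not code from the deck or from Apache: a toy chained hash table with Java's predictable String.hashCode() beside a keyed hash, counting how many comparisons n attacker-chosen keys cost the server, and a checker that flags the kind of Range header ApacheKiller sent. The bucket count, the 200-range limit (Apache's MaxRanges default, added with the fix for CVE-2011-3192) and the sample headers are this example's own choices.

```python
import hashlib
import os

# --- Hash-table collision: predictable hash vs. keyed hash -------------------

def java_string_hash(s: str) -> int:
    """Java's String.hashCode() (h = 31*h + c), kept to 32 bits. It is fixed and
    public, so an attacker can precompute keys that all land in one bucket."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


def colliding_keys(n: int) -> list:
    """'Aa' and 'BB' share the Java hash 2112, so every concatenation of k such
    pieces shares a hash too: 2**k colliding keys for almost no attacker effort."""
    keys = [""]
    while len(keys) < n:
        keys = [k + piece for k in keys for piece in ("Aa", "BB")]
    return keys[:n]


def insert_cost(keys, hashfn, buckets: int = 1024) -> int:
    """Insert keys into a chained hash table (with the duplicate check a
    request-parameter map performs) and return the number of key comparisons,
    i.e. the work the server did."""
    table = [[] for _ in range(buckets)]
    comparisons = 0
    for k in keys:
        chain = table[hashfn(k) % buckets]
        for existing in chain:
            comparisons += 1
            if existing == k:
                break
        else:
            chain.append(k)
    return comparisons


_HASH_KEY = os.urandom(16)  # per-process secret: bucket placement is no longer predictable


def keyed_hash(s: str) -> int:
    """Keyed hash (BLAKE2b under a secret key), the shape of the fix runtimes
    adopted as randomised string hashing: collisions cannot be precomputed."""
    digest = hashlib.blake2b(s.encode(), key=_HASH_KEY, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def collision_cost_ratio(n: int = 1024) -> tuple:
    """(comparisons with the predictable hash, comparisons with the keyed hash)
    for the same n attacker-chosen keys: n*(n-1)/2 versus roughly n*n/buckets."""
    keys = colliding_keys(n)
    return insert_cost(keys, java_string_hash), insert_cost(keys, keyed_hash)


# --- ApacheKiller: the request itself is abnormal ----------------------------

MAX_RANGES = 200  # Apache's MaxRanges default, introduced with the CVE-2011-3192 fix


def apachekiller_range_header(n: int) -> str:
    """Shape of the 2011 killapache request: one full range followed by n
    overlapping, mostly inverted ranges (constructed here, not captured traffic)."""
    return "bytes=0-," + ",".join(f"5-{i}" for i in range(n))


def range_header_is_abnormal(header: str, content_length: int,
                             max_ranges: int = MAX_RANGES) -> bool:
    """True for a Range header no ordinary client sends: more than max_ranges
    ranges, an unparsable spec, or a range overlapping an earlier one. The count
    check runs first so the O(n^2) overlap scan is itself bounded."""
    if not header.startswith("bytes="):
        return False
    specs = [s.strip() for s in header[len("bytes="):].split(",") if s.strip()]
    if len(specs) > max_ranges:
        return True
    seen = []
    for spec in specs:
        start, _, end = spec.partition("-")
        try:
            if start == "":  # suffix range: the last N bytes
                lo, hi = max(content_length - int(end), 0), content_length - 1
            else:
                lo = int(start)
                hi = int(end) if end else content_length - 1
        except ValueError:
            return True
        if any(lo <= h and s <= hi for s, h in seen):
            return True
        seen.append((lo, hi))
    return False
```

With 1024 keys and 1024 buckets the predictable hash costs 523,776 comparisons while the keyed hash costs a few hundred; the attacker's cost is the same 1024 short strings in both cases, which is exactly the asymmetry defined on page 7. The Range check is the "abnormal request" point: a browser or download manager never sends hundreds of overlapping ranges, so rejecting them loses nothing.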

Page 11

Attack distribution

• Single-origin DoS attack
  - Fewer resources available
  - Potentially easier to block
  - Attacker has no synchronization or management problem

• Distributed DoS
  - More resources available
  - Difficult to block
  - Attackers have a synchronization and management problem
    - Bot-net command and control centers
    - Opt-in networks (Thrall-Net)

Page 12

Attack Tools

Common opt-in attack tools
• LOIC – Low Orbit Ion Cannon
• HOIC – High Orbit Ion Cannon

Slow attack tools
• Slowloris
• RUDY – R U Dead Yet

Page 13

LOIC

- Browser-based (JavaScript) versions that can simply be browsed to, no need to install software.
- IRC interface for coordination
- Easy interface
- Multithreaded
- One type of request per session
- Not very configurable
- Easy to detect

Page 14

HOIC
- Easy to use interface
- Booster packs to randomise various HTTP headers and target URLs
- Multi-threaded
- Rate throttling

Page 15

HOIC booster pack

Dim useragents() as String
Dim referers() as String
dim randheaders() as string
Dim randURLs() as string
// populate rotating urls
// By Nathos, don't use too many threads or you may nuke yourself.
// IF YOU WANT TO IMPROVE THE ATTACK, ADD URLS BELONGING TO THIS DOMAIN OR RELATED SUBDOMAINS!!! PRO-TIP: You should create a new target and .HOIC file if u want to attack a different organization
randURLs.Append "http://www.formula1.com/default.html"
randURLs.Append "http://www.formula1.com/news/"
randURLs.Append "http://www.formula1.com/races/"
randURLs.Append "http://www.formula1.com/results/"
randURLs.Append "http://www.formula1.com/gallery/"
randURLs.Append "http://www.formula1.com/teams_and_drivers/"
randURLs.Append "http://www.formula1.com/inside_f1/"
randURLs.Append "http://www.formula1.com/live_timing/"
randURLs.Append "http://www.formula1.com/video/"
// rotate out url
URL = randURLs(RndNumber(0, randURLs.UBound))
// EDIT THE FOLLOWING STRINGS TO MAKE YOUR OWN BOOST UNIQUE AND THEREFORE MORE EVASIVE!
useragents.Append "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
useragents.Append "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
useragents.Append "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
useragents.Append "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"

Booster pack features:
• randURLs.Append – attack random URLs
• useragents.Append – randomly selected User-Agent
• referers.Append – randomly selected Referer header
• randheaders.Append – randomly selected header to append

- Makes it harder to separate attack traffic from legitimate traffic.
- Can be easily distributed since it is just a text file, usually posted on http://pastebin.com.
- Can be customised for a particular target.
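The randomisation that defeats a per-request signature leaves a per-client trace: a real browser keeps one User-Agent for a whole session, whereas a booster picks one at random for every request. The following detector is an added example written for this page (not Akamai's or HOIC's code); the log lines are constructed, the User-Agent strings are the four from the booster pack above, and the window and thresholds are illustrative values a practitioner would tune to their own traffic.

```python
import random
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; every line used here is constructed below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The rotating strings from the booster pack on the slide.
BOOSTER_AGENTS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)",
]
BOOSTER_URLS = ["/default.html", "/news/", "/races/", "/results/", "/gallery/"]


def log_line(ip, ts, path, ua, referer="-"):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 5120 "{referer}" "{ua}"'


def build_sample_log():
    """Constructed traffic (not a real capture): 10.0.0.5 runs a HOIC-style
    booster, 40 requests in six seconds with User-Agent and URL drawn at random
    per request; 192.0.2.10 is a browser loading five pages with one User-Agent."""
    base = datetime(2012, 4, 7, 14, 3, 0, tzinfo=timezone.utc)
    rng = random.Random(7)
    lines = [log_line("10.0.0.5", base + timedelta(milliseconds=150 * i),
                      rng.choice(BOOSTER_URLS), rng.choice(BOOSTER_AGENTS),
                      "http://www.example.com/") for i in range(40)]
    lines += [log_line("192.0.2.10", base + timedelta(seconds=3 * i),
                       BOOSTER_URLS[i], BOOSTER_AGENTS[1]) for i in range(5)]
    rng.shuffle(lines)  # logs from several workers are rarely in order
    return lines


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_hoic_like_clients(lines, window=timedelta(seconds=10),
                           min_requests=20, min_agents=3):
    """Flag client IPs that, inside one sliding window, exceed the request
    threshold AND present several distinct User-Agent strings. Rate alone would
    also catch a busy proxy; the User-Agent churn is what singles out a booster."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            agents = {r["ua"] for r in span}
            if len(span) >= min_requests and len(agents) >= min_agents:
                if best is None or len(span) > best["requests"]:
                    best = {"requests": len(span), "agents": len(agents)}
        if best:
            flagged[ip] = best
    return flagged
```

Run over the constructed log, the booster client is reported with 40 requests under four User-Agents while the browser is not flagged. The same idea extends to the other rotated fields: a Referer that never matches a page the client actually fetched, or User-Agent strings from 2007-era browsers, both of which the slide's booster pack produces.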

Page 16

Slow Attacks

Tie up web server resources by sending requests very slowly.

Examples:
- Slowloris (sends partial HTTP headers and never finishes them)
- R U Dead Yet (RUDY) (announces a large POST body and sends it a few bytes at a time)

A trickle feed of characters to the web server ensures that a connection is occupied for as long as possible. Is this an attack or just a client on dial-up? The Apache web server (prefork MPM) has a default limit of 256 concurrent connections (MaxClients), so a few hundred such connections are enough to exhaust it.

Page 17

Hardening against DoS – tactic 1

Avoid resource-intensive processing
• Optimize processing and data retrieval.
• Cache processing and data retrieval operations.
  - Cache the results of resource-intensive processing, moving them up the hierarchy: DB -> disk -> memory.
  - Use reverse web caches (caching proxies in front of the origin).

Page 18

Hardening against DoS – tactic 2

If you are going to work hard to generate the response, make sure the client works hard to generate the request!
• Protect resource-intensive operations behind authentication.
• User and user-agent validation: challenge-response tests to prove it is a human or a browser:
  - CAPTCHA to prove you are dealing with a human
  - JavaScript or Flash challenges to prove you are dealing with a browser
• Session management: issue and rotate session management cookies.
• URL tokens.
• The list goes on, but how appropriate are the mechanisms?
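Tactics 1 and 2 fit together in one request handler: cheap checks first, the cached answer second, the expensive backend last. The following is an added example written for this page, not Akamai's code or any framework's API. The catalogue, the client addresses and the "expensive" linear scan are constructed stand-ins for a database query; the token is an HMAC over client IP and expiry, and the step that earns it (a CAPTCHA or JavaScript challenge) is assumed to have happened and is not shown.

```python
import hashlib
import hmac
import os

# Constructed catalogue standing in for a database table; the scan counter
# shows how much backend work each request actually caused.
CATALOGUE = [f"item-{i:04d} {'race' if i % 7 == 0 else 'team'} report" for i in range(5000)]
SECRET_KEY = os.urandom(32)   # token signing key; rotating it invalidates every outstanding token
SCANS_PERFORMED = 0


def expensive_search(query: str) -> list:
    """Tactic 1 target: a full scan (think unindexed LIKE '%q%'), O(rows) per call."""
    global SCANS_PERFORMED
    SCANS_PERFORMED += 1
    return [row for row in CATALOGUE if query in row]


class ResultCache:
    """Tactic 1: keep the result of resource-intensive processing in memory for
    a short TTL, so identical requests stop reaching the backend."""

    def __init__(self, ttl: float = 60.0):
        self.ttl, self._store = ttl, {}

    def get_or_compute(self, key, compute, now):
        hit = self._store.get(key)
        if hit and now - hit[0] < self.ttl:
            return hit[1]
        value = compute()
        self._store[key] = (now, value)
        return value


# Tactic 2: the uncached path is only reachable with a token the client earned.
# Verifying it costs one HMAC, orders of magnitude less than the scan it guards,
# so an unauthenticated flood is turned away before it costs anything.

def issue_token(client_ip: str, now: float, ttl: int = 300) -> str:
    exp = int(now) + ttl
    mac = hmac.new(SECRET_KEY, f"{client_ip}|{exp}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{exp}.{mac}"


def token_is_valid(token: str, client_ip: str, now: float) -> bool:
    try:
        exp_s, mac = token.split(".", 1)
        exp = int(exp_s)
    except ValueError:
        return False
    if exp <= now:
        return False                      # expired: client must re-solve the challenge
    expected = hmac.new(SECRET_KEY, f"{client_ip}|{exp}".encode(), hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(mac, expected)


CACHE = ResultCache()


def handle_search(query: str, client_ip: str, token: str, now: float, cache=CACHE):
    """Cheap checks first, expensive work last. Returns (status, payload)."""
    if not token_is_valid(token, client_ip, now):
        return (403, "challenge required")          # no scan performed
    results = cache.get_or_compute(("search", query), lambda: expensive_search(query), now)
    return (200, results)


def demo_cache_saving(requests: int = 50) -> int:
    """Serve `requests` identical, authorised searches inside one TTL and report
    how many backend scans they cost (1 with the cache, `requests` without)."""
    global SCANS_PERFORMED
    SCANS_PERFORMED = 0
    cache = ResultCache(ttl=60.0)
    now = 1_700_000_000.0
    token = issue_token("198.51.100.7", now)
    for i in range(requests):
        status, _ = handle_search("race", "198.51.100.7", token, now + 0.5 * i, cache)
        if status != 200:
            raise RuntimeError("token rejected unexpectedly")
    return SCANS_PERFORMED
```

Binding the token to the client address and a short expiry is what makes "rotate" meaningful: a token lifted from a pastebin stops working for other addresses and after a few minutes, so an opt-in crowd cannot share one. The cache key is the normalised query, which is also why boosters randomise URLs and parameters: a cache only helps against requests that repeat.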

Page 19

Additional mitigation (is hardening enough?)

• Mitigation devices such as scrubbers or WAF devices
• How do we separate the good from the bad?
  - Signatures
  - Rate limiting
  - Anomaly detection

• Where does the mitigation go?
  - At the origin
  - In the cloud

• Which layer should be inspected to sort the good from the bad?
  - Transport (socket) and network layer
  - Application layer – what about SSL? (Inspecting the application layer means terminating TLS, so the mitigation device needs the site's certificate and private key.)

Page 20

Questions?