DDoS attacks

Post on 14-Feb-2016


TRANSCRIPT

DDOS ATTACKS

Ali Kapucu July 29th 2013

Who is your Speaker?

• Ali Kapucu
• Network Design Engineer at KSU
• Penetration Tester
• Information Security Consultant
• CS Master Student

Agenda

• DDoS Definition
• DDoS Motivations
• DDoS Flavors
– Standard Attacks
– Botnets
– Sophisticated attacks
– DDoS Flavors - Future (now)
• How to defend

DDoS Definition?

DoS - DDoS Definition???

• Denial of Service attacks attempt to negate a service by
– exhausting resources on the victim side (such as network bandwidth, CPU, memory, etc.),
– forcing victim equipment into a non-operational state,
– hijacking victim equipment/resources for malicious goals.
• A Distributed Denial of Service (DDoS) attack is a special case of DoS in which multiple distributed network nodes (zombies) are used to multiply the DoS effect.

15 fat men trying to get through a revolving door at the same time

Basically DDoS Definition???

DDoS Motivations?

• DDoS is the act of taking down a service
• Political
– Groups like LulzSec and Anonymous have repeatedly brought down popular websites of corporations and governments
• Monetary - money talks
– Telephony DDoS is used frequently to hold corporations to ransom
• International "relations"
– Iran has targeted the US with DDoS attacks repeatedly
• No longer a kids' game

DDoS Flavors - "Classic" DDoS, a.k.a. Floods

• SYN Flooding, UDP Bombs, Fragment Flood, direct/indirect ARP Floods
• Still work great, however less savvy
• Countermeasures: built into network devices, rate limiting, proxy techniques (SYN cookies)
• Botnets

Slightly more advanced:
• Stateful TCP (three-way handshake only)
• DNS request flooding
• Fragments that add up to almost full packets, so the victim has to buffer them without ever being able to reassemble

DDoS Examples - SYN Flood

Attacker (unused address A) -> Server B:

A->B: SYN
B->A: SYN & ACK        (B creates a connection object)
A->B: SYN
B->A: SYN & ACK        (B creates a connection object)
...

Send a large number of SYN packets with a spoofed source address. Each one initiates the creation of a connection object on B. Because address A is unused, the SYN & ACK is never answered, so the half-open entries stay in B's backlog until they time out; once the backlog is full, SYNs from real clients are dropped.
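The exchange above as a runnable model, added here and not part of the original slides: server B first allocates a connection object per SYN and is exhausted by spoofed SYNs that never complete the handshake, then the same flood against a listener using SYN cookies (the "proxy technique" named on the previous slide), which stores nothing until the ACK arrives. The backlog size, the cookie secret and all addresses are assumptions constructed for the demo, and the cookie layout is simplified (a real stack also encodes the MSS and uses a time slot of about a minute).

```python
"""Added example (not from the slides): a toy model of server B under a
spoofed SYN flood, with and without SYN cookies.  BACKLOG, SECRET and the
addresses are assumed values constructed for the demo."""
import hashlib
import hmac
import random

BACKLOG = 128           # half-open connections the naive listener keeps (assumed)
SECRET = b"rotate-me"   # per-host cookie secret; hypothetical value
MASK32 = 0xFFFFFFFF


class NaiveListener:
    """Server B from the diagram: every SYN creates a connection object."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}            # (src_ip, src_port) -> server ISN

    def on_syn(self, src_ip, src_port, client_isn):
        if len(self.half_open) >= self.backlog:
            return None                # backlog full: the SYN is silently dropped
        isn = random.getrandbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn                     # SYN/ACK carries this ISN

    def on_ack(self, src_ip, src_port, seq, ack):
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack == (isn + 1) & MASK32


class CookieListener:
    """Stores nothing per SYN: the ISN is a keyed MAC over the connection
    tuple, the client's ISN and a coarse time counter, so the final ACK can be
    validated by recomputing it."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.counter = 0               # real stacks advance this every ~64 s

    def _mac(self, src_ip, src_port, client_isn, counter):
        msg = f"{src_ip}:{src_port}:{client_isn}:{counter}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]  # 24 bits

    def on_syn(self, src_ip, src_port, client_isn):
        # High 8 bits: counter; low 24 bits: MAC.  No state is written.
        mac = int.from_bytes(self._mac(src_ip, src_port, client_isn, self.counter), "big")
        return ((self.counter & 0xFF) << 24) | mac

    def on_ack(self, src_ip, src_port, seq, ack):
        isn = (ack - 1) & MASK32       # the ISN we would have sent
        counter = isn >> 24
        if (self.counter - counter) & 0xFF > 1:
            return False               # cookie from a stale time slot
        client_isn = (seq - 1) & MASK32
        expected = self._mac(src_ip, src_port, client_isn, counter)
        return hmac.compare_digest(expected, (isn & 0xFFFFFF).to_bytes(3, "big"))


def flood_then_connect(listener, spoofed=1000):
    """Send `spoofed` SYNs from unused addresses that never ACK, then attempt a
    legitimate handshake.  Returns True if the real client gets connected."""
    for i in range(spoofed):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # constructed spoofed sources
        listener.on_syn(src, 40000 + i, random.getrandbits(32))
    client_isn = random.getrandbits(32)
    isn = listener.on_syn("203.0.113.7", 51515, client_isn)        # constructed real client
    if isn is None:
        return False                   # no SYN/ACK: backlog exhausted
    return listener.on_ack("203.0.113.7", 51515,
                           (client_isn + 1) & MASK32, (isn + 1) & MASK32)


if __name__ == "__main__":
    print("naive listener, real client connects:", flood_then_connect(NaiveListener()))
    print("cookie listener, real client connects:", flood_then_connect(CookieListener()))
```

The cost of cookies is visible in `on_ack`: nothing but what the MAC covers survives the handshake, which is why TCP options cannot be carried and why Linux (`net.ipv4.tcp_syncookies=1`) only falls back to cookies once the real backlog overflows.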

Botnets

• The term bot is short for robot. Criminals distribute malicious software (also known as malware) that can turn your computer into a bot (also known as a zombie). When this occurs, your computer can perform automated tasks over the Internet without you knowing it.
• Criminals typically use bots to infect large numbers of computers. These computers form a network, or a botnet.
• Criminals use botnets to send out spam email messages, spread viruses, attack computers and servers, and commit other kinds of crime and fraud. If your computer becomes part of a botnet, your computer might slow down and you might inadvertently be helping criminals.
• They used to communicate through IRC channels
• Nowadays analyzing botnets is very difficult because their communication has moved to the HTTP level, where it blends in with ordinary web traffic.
• The Dutch police found a 1.5 million node botnet
• Telenor - Norwegian ISP - disbanded a 10,000 node botnet

Botnets

Volunteer soldiers

DDoS Flavors - Application Level DDoS

• Much more intelligent
• Target flaws in the upper layers of the OSI stack
• Typically less bandwidth intensive
• Slowloris
– Focused on design flaws in the HTTP spec: send request headers a few bytes at a time and never finish them, so the server holds each connection open indefinitely waiting for the request to complete, until its worker/connection pool is exhausted
• Selective URL attacks
– Hit the slowest responding URL/page on the website. Vary the URL for each request so that there is no discernible pattern.
• Reverse proxies
– Can be slowed down to 1/8th of their speed with repeated cache misses
• Multi-layer attacks
– Zero window + HTTP GET flooding in one session
• New rock star - DNS amplification
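The Slowloris defence that the bullet implies, as an added example that is not part of the original slides: a minimal asyncio HTTP listener gives every client a fixed deadline to deliver its complete header block (what nginx's `client_header_timeout` and Apache's `mod_reqtimeout` do), and a client that trickles header lines without ever sending the terminating blank line is cut off with a 408 instead of tying up the listener. The deadline, the header size cap and the header lines are constructed for the demo; the code talks only to itself over loopback.

```python
"""Added example (not from the slides): an HTTP listener with a header
deadline, tested against a Slowloris-style client over loopback.  The
deadline, size cap and request lines are assumed values for the demo."""
import asyncio

HEADER_DEADLINE = 0.3      # seconds a client gets to finish its headers (assumed)
MAX_HEADER_BYTES = 8192    # reject header blocks larger than this (assumed)


async def handle(reader, writer, deadline=HEADER_DEADLINE):
    """Serve one connection and return how it ended, so the demo can tally it."""
    try:
        await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), timeout=deadline)
        writer.write(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
        outcome = "served"
    except asyncio.TimeoutError:
        # Slowloris: headers still incomplete when the deadline expires.
        writer.write(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
        outcome = "timed out"
    except asyncio.LimitOverrunError:
        # Header block grew past the StreamReader limit without a blank line.
        writer.write(b"HTTP/1.1 431 Request Header Fields Too Large\r\nConnection: close\r\n\r\n")
        outcome = "too large"
    except asyncio.IncompleteReadError:
        outcome = "closed early"
    writer.close()
    try:
        await writer.wait_closed()
    except OSError:
        pass                           # peer may already have reset us
    return outcome


async def client(port, lines, gap):
    """Write header lines `gap` seconds apart, then return the status line seen."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    status = b""
    try:
        for line in lines:
            writer.write(line)
            await writer.drain()
            await asyncio.sleep(gap)
        status = await reader.readline()
    except OSError:
        pass                           # server dropped the connection mid-trickle
    finally:
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass
    return status


async def demo(deadline=HEADER_DEADLINE):
    results = asyncio.Queue()

    async def on_conn(reader, writer):
        await results.put(await handle(reader, writer, deadline))

    server = await asyncio.start_server(on_conn, "127.0.0.1", 0, limit=MAX_HEADER_BYTES)
    port = server.sockets[0].getsockname()[1]
    # Constructed requests: one honest client, one Slowloris client that sends
    # plausible headers slowly and never the blank line that ends the request.
    honest = [b"GET / HTTP/1.1\r\n", b"Host: example.test\r\n", b"\r\n"]
    slow = [b"GET / HTTP/1.1\r\n", b"Host: example.test\r\n"] + \
           [f"X-Pad-{i}: x\r\n".encode() for i in range(5)]
    async with server:
        await asyncio.gather(client(port, honest, 0), client(port, slow, deadline * 0.8))
        outcomes = [await results.get() for _ in range(2)]
    return sorted(outcomes)


def run_demo():
    """Run the demo and return the sorted per-connection outcomes."""
    return asyncio.run(demo())


if __name__ == "__main__":
    print(run_demo())
```

The deadline alone is not a complete answer: a botnet can still open enough connections within the deadline to fill the pool, so production servers pair it with a minimum receive rate and a per-source connection cap.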

During the DDoS

DDoS Flavors - Telephony DDoS

• Many different types
• Used for extortion of call centers
• SIP flooding
– Similar to DNS flooding
• IVR walking
– Call the 800 number, navigate the menu for days on end, never talk to a person
• Bounce attacks
– Use a misconfigured SBC to send spoofed INVITEs that cause RTP floods on the target

How to Defend

• Develop a checklist for standard operating procedures
• Be friendly with your ISP
• Identify and prioritize critical services
• Make sure critical systems have sufficient capacity
• You should/must/have to know: network map, diagrams, connection types, capacities
• Implement a bogus (bogon) IP address block list
• Service screening from the firewall to the edge router
• Separate your services. Do not keep all the services under "the server"
• Be smart
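One way to implement the bogus IP address block list item, added here as example code rather than anything from the slides: a source-address filter that drops packets from reserved or unroutable prefixes (the RFC 5735 / RFC 6598 bogons) and, in the BCP 38 spirit, also drops our own prefix when it arrives from the Internet and foreign sources when they try to leave our network, so the site neither accepts trivially spoofed SYNs nor becomes a spoofing source for someone else's flood. Interface names, the site prefix and the sample packets are assumptions; 203.0.113.0/24 and 198.51.100.0/24 are left off the bogon list here only so they can stand in for real public space.

```python
"""Added example (not from the slides): bogon and BCP 38 source filtering
over constructed packet records.  EXTERNAL, SITE and SAMPLE are assumed."""
import ipaddress

# Sources that should never arrive from the Internet (IPv4 only here).
# 203.0.113.0/24 and 198.51.100.0/24 (RFC 5737 TEST-NETs) are deliberately
# omitted so they can play the role of public space in the sample; in
# production they belong on the list.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

EXTERNAL = "wan0"                                   # Internet-facing interface (assumed)
SITE = [ipaddress.ip_network("203.0.113.0/24")]     # stands in for the site's own allocation


def verdict(src, iface, site=SITE, external=EXTERNAL):
    """Decide whether a packet with source `src` seen on `iface` may pass."""
    addr = ipaddress.ip_address(src)
    hit = next((n for n in BOGONS if addr in n), None)
    if hit is not None:
        return f"drop: bogon source {hit}"
    ours = any(addr in n for n in site)
    if iface == external and ours:
        return "drop: our own prefix arriving from the Internet (spoofed)"
    if iface != external and not ours:
        return "drop: egress with a source we do not own (BCP 38)"
    return "accept"


SAMPLE = [  # constructed (source, interface) records
    ("10.3.1.9", "wan0"),        # RFC 1918 source from the Internet
    ("203.0.113.7", "wan0"),     # our own address arriving from outside
    ("198.51.100.22", "wan0"),   # ordinary remote client
    ("203.0.113.40", "lan0"),    # our host going out
    ("172.20.0.5", "lan0"),      # internal host spoofing a bogon outbound
    ("198.51.100.9", "lan0"),    # internal host spoofing someone else's address
]


def filter_all(packets=SAMPLE):
    """Apply `verdict` to every record; returns (src, iface, verdict) triples."""
    return [(src, iface, verdict(src, iface)) for src, iface in packets]


if __name__ == "__main__":
    for src, iface, result in filter_all():
        print(f"{src:>15} on {iface}: {result}")
```

The same logic is what `iptables`/`nftables` rules or a router's unicast RPF check implement at line rate; the point of the egress half is that a host inside a botnet cannot use your uplink to send spoofed SYNs at somebody else.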

DDoS Flavors - Future

• The smartphone revolution puts us at roughly the 2001 security time frame
• 1000s of mobile malware apps available
• Mobile botnets are a real thing today already
• Carriers are struggling with basic visibility into core 3G and LTE networks
• The structure of 3G/LTE places trust in the handset
– The handset can dictate throughput, features, bearers, etc.
• The 3G/4G core is a ripe target for DDoS

Questions???

Thanks
