DoS, DDoS, DrDoS attacks

Posted on 18-Jan-2017


TRANSCRIPT

DoS, DDoS, DrDoS

Presentation by: Wasim Halani (@washalsec)

./about_me
• Infosec professional for 7+ years
• Chapter lead for NULL Mumbai (washal [at] null.co.in)
• SME at Network Intelligence India (https://www.niiconsulting.com)
• Blog at http://securitythoughts.wordpress.com
• Tweet at http://twitter.com/washalsec

./about_topic
• Denial of Service
• Distributed DoS (DDoS)
• Distributed Reflection DoS (DrDoS)
• Mitigation Approaches

What is DoS?
• Any activity or event which denies availability of a resource (any resource) to an entity with a legitimate requirement can be considered a Denial of Service
  • Power outage
  • Heavy CPU utilization (due to bad code)
  • Consuming full bandwidth during downloads
  • Disk storage filled up
• !Availability = DoS

…contd.
• Traditionally
  • Crashing a service at the target (Metasploit exploits)
  • Consuming the bandwidth available while hosting a website
  • Deleting records/files (SONY anyone?)

Motives behind DoS Attacks
• Fun!
• Hacktivism – Anonymous
• Extortion – Ransomware
• Vandalism – Lizard Squad Xbox Christmas DoS
• Personal/Commercial rivalry
• Political motives (cyber warfare) – e.g. Ukraine/Russia, Iran/Israel

Old/New DoS Attacks
• Teardrop
  • Mangled IP fragments (overlapping or oversized payloads)
  • Older systems were unable to handle the bad packet structure and would crash – Windows 3.1, 95 and NT
• ICMP Attacks
  • Smurf: Send ping to a broadcast address with spoofed source
  • Ping Flood: Send direct ping requests with spoofed source
  • Ping-of-Death: Send malformed (oversized) ping request
• State-Exhaustion
  • SYN Flood (and variants)
    • Large number of SYN requests with spoofed source; the state table is exhausted
  • LAND (Local Area Denial)
    • Spoofed source + same source and destination port
• …and many more

DoS Vectors – Focus Area
• Layer 7 Attacks
  • Large number of requests consuming resources on the victim side
  • Slow requests (I’m sending you 1 MB of data… but at 1 byte per second)
  • Bugs in application or server code
  • Consume excess compute power -> higher billing
• Volumetric Attacks
  • Send a large volume of data
  • Primarily UDP based
  • Attacker bandwidth > Victim bandwidth
• Most DoS vectors can be made deadly by using DDoS/DrDoS

Layer 7 Attacks
• GET Flood
  • Large number of GET requests – something like ‘slashdotting’
• Brute-force
• ReDoS (Regular Expression DoS)
  • https://dzone.com/articles/regular-expressions-denial
• XML Bomb (XML Billion Laughs)
  • < 1 KB input => 3 GB memory use
  • https://en.wikipedia.org/wiki/Billion_laughs
• WordPress Pingbacks
• JavaScript Injection (ref: GitHub)
• Account Lockouts

UDP Flood
• UDP = connection- and session-less protocol
• Traffic can be sent to the victim without ‘handshakes’
• Symmetrical attack (Many:1)
• Works very well with ‘Reflection/Amplification’ attacks
  • Requires ability to spoof source IP address
  • Asymmetrical attack (1:Many -> Many:1)
• https://www.incapsula.com/blog/massive-dns-ddos-flood.html

More about DrDoS
• Popular DDoS attack vector
• Abuses UDP protocols that send larger responses for small requests
  • 1 KB (request) --------> 300 KB (response)
• Known vulnerable protocols
  • NTP (monlist)
  • DNS (Query for DNS records for a domain)
  • SSDP
  • SNMP (getBulkRequest)

Protocol               | Bandwidth Amplification Factor | Vulnerable Command
NTP                    | 556.9                          | Monlist request
CharGEN                | 358.8                          | Character generation request
QOTD                   | 140.3                          | Quote request
RIPv1                  | 131.24                         | Malformed request
Quake Network Protocol | 63.9                           | Server info exchange
DNS                    | 28 to 54                       | Open resolution
SSDP                   | 30.8                           | SEARCH request
Portmap (RPCbind)      | 7 to 28                        | Malformed request
Kad                    | 16.3                           | Peer list exchange
Multicast DNS (mDNS)   | 2 to 10                        | Unicast query
SNMPv2                 | 6.3                            | GetBulk request
Steam Protocol         | 5.5                            | Server info exchange
NetBIOS                | 3.8                            | Name resolution
BitTorrent             | 3.8                            | File search

Source: https://www.us-cert.gov/ncas/alerts/TA14-017A
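As an added example (not part of the talk), a small detector for the receiving end of a DrDoS: it reads aggregated UDP flow records and flags destinations that get reply traffic from many distinct servers on the reflector ports of the services in the table above. The port-to-service map, the thresholds and the sample flows are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

# UDP source ports of services the TA14-017A table lists as reflectors
# (assumed mapping; a real deployment would take this from its own inventory).
REFLECTOR_PORTS = {123: "NTP", 19: "CharGEN", 17: "QOTD", 53: "DNS",
                   1900: "SSDP", 111: "Portmap", 161: "SNMP"}

@dataclass(frozen=True)
class Flow:
    """One aggregated UDP flow as a NetFlow/IPFIX exporter would report it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    octets: int

def find_reflection_victims(flows: Iterable[Flow], min_sources: int = 3,
                            min_octets: int = 100_000) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Return {dst_ip: {service: (distinct_reflectors, total_octets)}}.
    A normal client exchanges small replies with a handful of NTP or DNS
    servers; a DrDoS victim receives large replies from many servers it
    never queried, so fan-in from a reflector port is the signal."""
    per_dst: Dict[str, Dict[str, Tuple[Set[str], int]]] = defaultdict(dict)
    for f in flows:
        service = REFLECTOR_PORTS.get(f.src_port)
        if service is None:
            continue
        sources, total = per_dst[f.dst_ip].get(service, (set(), 0))
        sources.add(f.src_ip)
        per_dst[f.dst_ip][service] = (sources, total + f.octets)
    victims = {}
    for dst, services in per_dst.items():
        hits = {svc: (len(srcs), total) for svc, (srcs, total) in services.items()
                if len(srcs) >= min_sources and total >= min_octets}
        if hits:
            victims[dst] = hits
    return victims

# Constructed sample (documentation address ranges): 192.0.2.10 receives
# NTP replies from 50 different servers, 192.0.2.20 is an ordinary NTP client.
SAMPLE_FLOWS = [Flow(f"198.51.100.{i}", 123, "192.0.2.10", 40000 + i, 4400)
                for i in range(1, 51)]
SAMPLE_FLOWS += [Flow("203.0.113.5", 123, "192.0.2.20", 50123, 90),
                 Flow("203.0.113.6", 123, "192.0.2.20", 50124, 90)]

if __name__ == "__main__":
    for victim, hits in find_reflection_victims(SAMPLE_FLOWS).items():
        for svc, (n, total) in hits.items():
            print(f"{victim}: {n} distinct {svc} reflectors, {total} octets")
```

Tune the thresholds to the site: a busy recursive resolver legitimately receives DNS replies from thousands of authoritative servers, so exclude known resolvers or raise the thresholds for port 53.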

Attack Mitigation
• Potential targets
  • Purchase scrubbing services from an ISP or 3rd party
  • Ensure all internet-facing services are fully patched
  • Secure coding practices
• ISPs and Service Providers
  • Secure network device configurations
  • Disable network IP spoofing – BCP38 (https://tools.ietf.org/html/bcp38)
  • Implement RFC6959 (Source Address Validation Improvement)
  • Disallow insecure amplifier services on the network
• Other users
  • Avoid getting caught up in hacker tools (e.g. LOIC)
  • Don’t become a zombie (bot) – install an AV

Thank you! Queries? Reach me at @washalsec