DDoS Attacks In Action - SANS Institute

[Slide 1]
© 2016 Imperva, Inc. All rights reserved.
DDoS Attacks In Action
Ben Herzberg
@KernelXSS @Incapsula_com
[Slide 2]
about()

```js
> ben.childNodes.length
< 2
> ben.history
< ["PT", "Dev"]
> ben.employer
< "Imperva"
> ben.positionX
< "Research Manager"
> ben.social
< {"TWT": "@KernelXSS", "LNK": "Ben Herzberg"}
```
[Slide 3]
DDoS (quick recap)

[Slide 4]
WHAT’S DDOS (IN 6 SECONDS)
[Slide 5]

[Slide 6]

[Slide 7]
Volumetric Attacks
[Slide 8]

[Slide 9]
Layer 7 Attacks
[Slide 10]

[Slide 11]

[Slide 12]

[Slide 13]

[Slide 14]

[Slide 15]
Lately…
[Slide 16]
IoT DDoS through the (very recent) history
Timeline: Mirai, OVH Attack, Dyn DNS DDoS (20-SEP-2016, 21-OCT-2016, 5-DEC-2016)
Caption: INVESTIGATED IoT DDoS BEFORE IT WAS COOL
[Slide 17]
IoT DDoS through the (very recent) history
30-DEC-2014: SOHO Routers
21-OCT-2015: CCTV DDoS
20-SEP-2016: Mirai OVH Attack
21-OCT-2016: Dyn DNS DDoS
5-DEC-2016: …
[Slide 18]
Demo
[Slide 19]
OSI Model Quick Recap
[Slide 20]
Tools Introduction - Wireshark
[Slide 21]
Tools Introduction - Scapy @ Python
[Slide 22]
SYN Flood
SYN (to 1.1.1.1): "Hi 1.1.1.1, I am 2.2.2.2, let’s handshake!"
SYNACK (to 2.2.2.2): "Sure, 2.2.2.2, let’s handshake!"
??? (2.2.2.2): "WTF?"
[Slide 23]
ACK Flood - Spoofed
ACK (to 1.1.1.1): "Sure, 1.1.1.1, let’s handshake"
??? (1.1.1.1): "WTF?"
[Slide 24]
ACK Flood - Reflected
SYN (to x.x.x.x, many hosts): "Hi x.x.x.x, I am 2.2.2.2, let’s handshake!"
SYNACK (from each x.x.x.x to 2.2.2.2): "Sure, 2.2.2.2, let’s handshake!"
SYNACK, SYNACK, SYNACK, SYNACK, SYNACK, SYNACK, SYNACK, SYNACK
??? (2.2.2.2): "WTF?"
[Slide 25]
DNS Amplification
DNSQR (to 1.1.1.1): "Hi 1.1.1.1, I am 2.2.2.2, Please send any records on somedomain.com"
DNSRES (to 2.2.2.2): "Sure, 2.2.2.2, Here are all the details:"
    www   A   200.200.200.200
    www2  A   200.200.200.201
    …     …
??? (2.2.2.2): "WTF?"
[Slide 26]
Amplification Factors
Source: US-CERT
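The three diagrams above (SYN Flood, ACK Flood - Reflected, DNS Amplification) all share one victim-side signature: replies arriving for requests the victim never sent, or handshakes that are never completed. The following script is an added example, not code from the talk or its demo, showing how a defender would check a packet capture for those signatures. The packet summaries are constructed dicts embedded inline (field names `src`, `dst`, `proto`, `flags`, `qr`, `size` are our own assumption; the flag letters follow the Wireshark/Scapy convention S=SYN, SA=SYN-ACK, A=ACK), and the addresses are the slides' 1.1.1.1/2.2.2.2 plus documentation ranges. A real run would fill the list from a pcap, for instance with Scapy's `rdpcap()`.

```python
"""Victim-side detector for the three flood patterns on the slides.

Added example, not from the talk. Each packet is a constructed summary dict
(the field names are our own assumption, chosen to match Wireshark/Scapy
flag letters: S=SYN, SA=SYN-ACK, A=ACK). A real deployment would fill the
list from a pcap, e.g. Scapy's rdpcap(); here the traffic is embedded.
"""
from collections import Counter

VICTIM = "1.1.1.1"  # the host whose wire we are watching (from the slides)


def tcp(src, dst, flags):
    return {"src": src, "dst": dst, "proto": "tcp", "flags": flags}


def dns(src, dst, qr, size):
    return {"src": src, "dst": dst, "proto": "dns", "qr": qr, "size": size}


# Constructed sample traffic as seen at 1.1.1.1 (addresses are documentation
# ranges or the slide's 2.2.2.2; none of them are real hosts).
SAMPLE_PACKETS = (
    # one legitimate handshake from 3.3.3.3
    [tcp("3.3.3.3", VICTIM, "S"), tcp(VICTIM, "3.3.3.3", "SA"), tcp("3.3.3.3", VICTIM, "A")]
    # SYN flood: SYNs claiming to be 2.2.2.2, our SYN-ACKs go unanswered
    + [tcp("2.2.2.2", VICTIM, "S") for _ in range(50)]
    + [tcp(VICTIM, "2.2.2.2", "SA") for _ in range(50)]
    # reflected SYN-ACK flood: eight hosts answer a SYN we never sent
    + [tcp(f"203.0.113.{i}", VICTIM, "SA") for i in range(1, 9)]
    # DNS amplification: open resolvers answer a query we never sent
    + [dns(f"198.51.100.{i}", VICTIM, "response", 3000) for i in range(1, 4)]
    # one legitimate lookup for comparison
    + [dns(VICTIM, "192.0.2.53", "query", 64), dns("192.0.2.53", VICTIM, "response", 180)]
)


def syn_flood_sources(packets, victim, threshold=10):
    """Sources that sent >= threshold SYNs to victim and never completed a
    handshake with an ACK: the half-open pattern from the SYN Flood slide."""
    syns, acks = Counter(), Counter()
    for p in packets:
        if p["proto"] != "tcp" or p["dst"] != victim:
            continue
        if p["flags"] == "S":
            syns[p["src"]] += 1
        elif p["flags"] == "A":
            acks[p["src"]] += 1
    return sorted(src for src, n in syns.items() if n >= threshold and acks[src] == 0)


def unsolicited_synacks(packets, victim):
    """SYN-ACKs arriving from hosts victim never sent a SYN to: the
    backscatter a target sees in the ACK Flood - Reflected slide."""
    syn_sent_to = {p["dst"] for p in packets
                   if p["proto"] == "tcp" and p["src"] == victim and p["flags"] == "S"}
    return Counter(p["src"] for p in packets
                   if p["proto"] == "tcp" and p["dst"] == victim
                   and p["flags"] == "SA" and p["src"] not in syn_sent_to)


def unsolicited_dns_responses(packets, victim):
    """Resolvers that answered a query victim never made, and the bytes they
    delivered: the victim's view of the DNS Amplification slide."""
    queried = {p["dst"] for p in packets
               if p["proto"] == "dns" and p["src"] == victim and p["qr"] == "query"}
    hits = [p for p in packets
            if p["proto"] == "dns" and p["dst"] == victim
            and p["qr"] == "response" and p["src"] not in queried]
    return sorted({p["src"] for p in hits}), sum(p["size"] for p in hits)


def amplification_factor(query_bytes, response_bytes):
    """Bandwidth amplification factor in the US-CERT sense: bytes the
    reflector emits per byte the request it received carried."""
    return response_bytes / query_bytes


if __name__ == "__main__":
    print("SYN flood sources:", syn_flood_sources(SAMPLE_PACKETS, VICTIM))
    print("SYN-ACK reflectors:", dict(unsolicited_synacks(SAMPLE_PACKETS, VICTIM)))
    resolvers, nbytes = unsolicited_dns_responses(SAMPLE_PACKETS, VICTIM)
    print("DNS reflectors:", resolvers, "unsolicited bytes:", nbytes)
    print("Amplification of a 64-byte query answered with 3000 bytes:",
          amplification_factor(64, 3000))
```

The reflector lists are the useful output for response: they are the open resolvers and hosts whose operators should be notified, while the spoofed source in the SYN flood (2.2.2.2) is not the attacker and should not be blocked as if it were. The threshold and the sizes are constructed values; tune them against a baseline capture of normal traffic.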
[Slide 27]

[Slide 28]
What’s next…
[Slide 29]
Over 6,000,000,000 Smart-Phones By 2020
[Slide 30]
The growing prevalence of IoTs
Source: Ericsson Mobility Report, June 2016.
[Slide 31]

[Slide 32]
IoT botnets NG
• Improving the C2 functionality:
  • DGA
  • P2P
• Different spreading techniques
  • TR-069 vulnerabilities
  • Windows as a relay
• Non-DDoS botnets
  • Bitcoin mining
  • SPAM spreading
  • Bruteforcing
• IoT vigilantes - Hajime
Image credits: www.mobihealthnews.com
[Slide 33]
Are we doomed?
[Slide 34]
QUESTIONS?
Ben Herzberg
@KernelXSS, @incapsula_com