DDoS Mitigation

collectionTL;DR: LEARN HOW TO DO (EFFICIENT) DDOS AND (EASILY) BYPASS MITIGATION TACTICS

1

Agenda

Intro to D/DoS

Methodology of work

DDoS tactics in-the-wild and how to improve

10 ‘from-the-books’ strategies & how to leverage your attack to fit them

Q&A

2

~$ whoami Hi! Moshe Zioni, I do security stuff

3 years of designing & providing a full-blown on-demand DDoS

attack service.

Mainly exp. in Ethical Hacking & Penetration Testing

1st time speaker @ CCC, grateful to have this honor.

.///. END OF SHAMELESS PROMOTION SLIDE .///.

3

DDoS for Everyone! 4

Method 5

Run-of-the-Mill DDoS attacks in-the-wild

Rely heavily on bandwidth consumption

53% of attacks are < 2Gbps (SANS)

Reflection combined with Amplification relies on 3rd party domains (DNS, NTP etc.)

Most attacks does not require brains

6

Strike Harder! (!=Larger botnet)

There is more to a web site then a front-end (!!)

Overload the backend by making the system work for you

Keep it stealthy, they might be using the ‘magic of sniffing’

Think of amplification in a general way

7

Generalized Amplification - “4 Pillars”

Amplification factors

Network – The usual suspect

CPU – Very limited on some mediators

and web application servers,

Memory – Volatile, everything uses it, multi-step operations is prime target.

Storage – Can be filled up or

exhausting I/O buffer

8

W

Ready?

Set.

12

FACEPALM

13

14

“Limit the rate

of incoming

packets”

15

The customer has been hit by a DDoSattack that consumed ALL BANDWIDTH

To rectify the situation the ISP suggested limiting incoming packet rate to ensure availability

And so he did… believing that now he upped the game significantly for us

16

Reflection to the rescue!

Consumption by reflection

Send in 1Kb

Consume

according to

file-length

17

19

“It’s OK now,

monitoring shows

everything is

back to normal”

20

MegaCommonPractive now went on to

buy a Anti-DDoS solution

A known Anti-DDoS cloud-based

protection solution approached the client

and offered a very solid looking solution

including 24/7 third party monitoring

21

DID YOU

ACTUALLY TRY

TO ACCESS

THE WEB SITE!!!!

22

23

24

“Backend servers

are not important

to protect

against DDoS”

25

Mapping the backend for DDoS

Databases are very susceptible to DDoS attacks and provide good grounds for intra-amplification

How can we find DBs?

You can always guess, pentersters do that all the time…

Takes more time == more elaborate operation, may involve BE !!!

PROFIT!!!

26

27

28

29

Really??!?! ALL OF THE DOMAINS?!?

What is the strategy of

mitigation? Do you understand

it?

“Doesn’t matter, let’s do it!”

30

So, remember the booklet that you

didn’t read?

Interesting strategy – the system is devising some unknown algorithm to detect probable attacks.

Defense mechanism is ‘draining’ out all traffic first and do some magic.

Mitigation is kicked in 20 seconds after detection (supposedly to allow of building a model, dunno)

31

32

33

“We don’t trust

the vendor, we

don’t give them

certificates”

34

Talk to me in layer 7…

Defense have chosen not to monitor layer 7 – HTTPS attacks..

SSL re/negotiation

Plus –transmitting via HTTPS GET/POST/… the vendor product can’t learn and analyze traffic

35

36

37

“We need Big

Data, collect all

the logs”

38

Logs need to be handled

Storage Boom

Result in a complete lock-down, including not be able to manage the overflowed device

It was the IPS, so no traffic allowed to go anywhere, no traffic in/out the system

SILO NEEDED!

39

40

41

“We are under

attack – enforce

the on-demand

Scrubbing Service”

42

Learning mode – did you do it?

All is learned

Attack considered legitimate traffic

RTFM

And… Vendor response was epic by itself

43

44

45

“So what CDN is

not dynamic?

Let’s enable it”

46

NOT IN CACHE? ASK THE ORIGIN! 47

48

49

50

51

How to find an ‘invisible’ origin?

Find other known subdomain ->

translate to IP -> scan the /24 or /16 ->

good chance it’s there.

AND….. WHOIS never forgets

http://viewdns.info FTW!

52

53

54

“Block ‘em!, now

them, now them, now them, now

them, now them, now them, now

them, now them, now them, now

them, now them, now them, now

them, now them, now them. “

55

Total IPs (DE):

~116 M

56

* http://www.nirsoft.net/countryip/de.html

Roughly -1,800

class B ranges

57

We spoofed IPs from

those classes and deliver

a very detectable TCP

SYN flood attack from

each source

58

Now think of a monkey

blocking every incoming

alert.

15 MINUTES TO SELF

INFLICTED DDOS

59

60

Collected misconceptions

There is no magic pill or best cocktail mix of

technologies/appliances/services, never was

– prepare a plan, not just a mitigation.

You can have all the toys and money in the

world – best mitigation – don’t do drugs

TEST your infrastructure regularly.

If you won’t do that – you can be evaluated

for this presentation in the future

61

Questions?

62

Thank you!

Moshe Zionizimoshe@gmail.com, @dalmoz_

63