Prevention, Protection and Mitigation of DDoS Attacks
DESCRIPTION
Prevention, Protection and Mitigation of DDoS Attacks
TRANSCRIPT
-
Security Tools: Prevention, Protection and Mitigation of DDoS Attacks
Alex, [email protected], +34 676 99 5439
Ferran, [email protected], +34 616 472 433
-
Arbor - a Trusted & Proven Vendor Securing the World's Largest and Most Demanding Networks
90%: percentage of the world's Tier 1 service providers who are Arbor customers
115: number of countries with Arbor products deployed
35.7 Tbps: amount of global traffic monitored by the ATLAS security intelligence initiative right now, 25% of global Internet traffic!
#1: Arbor market position in the Carrier, Enterprise and Mobile DDoS equipment market segments, 61% of the total market [Infonetics Research, Dec 2013]
14: number of years Arbor has been delivering innovative security and network visibility technologies & products
$16B: 2011 GAAP revenues [USD] of Danaher, Arbor's parent company, providing deep financial backing
-
Agenda
Smart. Secure. Available.
War Games
What is DDoS?
Attack Techniques
Defense Techniques
-
Agenda
What is DDoS? What is a DDoS attack? How does DDoS work? Who launches DDoS, and why? What types of attacks exist? Am I already protected?
War Games
Attack Techniques
Defense Techniques
-
DDoS?
-
What do I need to defend against?
1. State-sponsored espionage
2. DDoS
3. Cloud security
4. Password management
5. Sabotage
6. Botnets
7. Insider threat
8. Mobility
9. Internet
10. Privacy laws
-
Today's enterprise security pains
Service availability / DDoS / Botnets / Cloud services protection / Defacement / Big Data
Data loss / Data breach / Injections / APT / Zero-days / Malicious insiders / Account hijacking / Malware / Espionage / Phishing / Mobility / BYOD
-
What is DoS and DDoS?
In computing, a denial-of-service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
A distributed denial of service attack (DDoS) occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems are compromised by attackers using a variety of methods.
-
How does a DDoS attack work?
During a Distributed Denial of Service (DDoS) attack, compromised hosts or bots coming from distributed sources overwhelm the target with illegitimate traffic so that the servers cannot respond to legitimate clients.
-
The art of DDoS
-
Arbor + Google = www.digitalattackmap.com
-
Why are these attacks happening?
-
Is it difficult/expensive to launch an attack?
http://www.youtube.com/watch?v=c9MuuW0HfSA
-
How does a botnet work?
Volunteer botnets are much worse than zombie botnets, as the hosts' resources are fully focused on the attack. There are botnets reported of up to 30 million computers (BredoLab). In Spain, Mariposa, created by DDP, managed to have as many as 12 million infected computers.
-
Is it a crime to launch a DDoS attack in Spain?
In relation to this, recall the entry into force last 23 December of the new Penal Code (Código Penal), one of whose articles describes as a crime the conduct that can be identified as a DoS attack, Article 264:
1. Whoever, by any means, without authorisation and in a serious manner, erases, damages, deteriorates, alters, suppresses or renders inaccessible data, computer programs or electronic documents belonging to another, when the result produced is serious, shall be punished with a prison sentence of six months to two years.
2. Whoever, by any means, without being authorised and in a serious manner, obstructs or interrupts the operation of another's computer system by introducing, transmitting, damaging, erasing, deteriorating, altering, suppressing or rendering inaccessible computer data, when the result produced is serious, shall be punished with a prison sentence of six months to three years.
The Data Retention Law (Ley de Conservación de Datos) 25/2007 says in its Article 1: 1. The purpose of this Law is to regulate the obligation of operators to retain the data generated or processed in the course of providing electronic communications services or public communications networks, as well as the duty to hand over such data to the authorised agents whenever required through the corresponding judicial authorisation for the purposes of detection, investigation and prosecution of the serious crimes contemplated in the Penal Code or in special criminal laws. 2. This Law applies to traffic and location data on natural and legal persons and to the related data needed to identify the subscriber or registered user.
According to the Penal Code, Article 13, serious crimes are those punished with a serious penalty. And serious penalties, Article 33.2: serious penalties are: imprisonment exceeding five years.
In summary: launching a DDoS attack is a crime, but not a serious one; therefore the service provider won't resolve the IP address, and therefore it cannot be prosecuted!!
-
Spanish Law for the Protection of Critical Infrastructures
Consequently, and given the complexity of the matter, its impact on the safety of persons and on the functioning of basic national and international structures, and in compliance with what is stipulated by Directive 2008/114/EC, it is necessary to draw up a rule whose purpose is, on the one hand, to regulate the protection of critical infrastructures against deliberate attacks of all kinds (both physical and cyber) and, on the other, to define an organisational system for the protection of such infrastructures that brings together the affected Public Administrations and private entities. As a basic component of this system, the Law creates the National Centre for the Protection of Critical Infrastructures (Centro Nacional para la Protección de las Infraestructuras Críticas) as a body assisting the Secretary of State for Security in carrying out the functions entrusted to it, as well as the body responsible for the system.
-
DDoS Attack Types: Volumetric
Volumetric DDoS attacks are designed to saturate and overwhelm network resources, circuits, etc. by brute force.
Diagram: attack traffic and good traffic from ISP 1, ISP 2 ... ISP n converge on the ISP link, which reaches SATURATION in front of the data center (firewall, IPS, load balancer, target applications & services).
Common attacks: TCP Flood, UDP Flood, Packet Flood, DNS Reflection, DNSSEC Amplification
-
DDoS Attack Types: State-Exhausting
State-exhausting DDoS attacks target stateful security devices. They lead to exhaustion of state, which renders those devices useless.
Diagram: attack traffic and good traffic from ISP 1, ISP 2 ... ISP n pass the ISP link unsaturated; the EXHAUSTION OF STATE happens at the data center's firewall, IPS and load balancer in front of the target applications & services.
Common attacks: SYN Flood, RST Flood, FIN Flood, Sockstress
-
Does my FW/IDS/WAF protect me from DDoS?
Information Security Triangle: confidentiality, integrity, availability.
Firewalls, including WAFs, help enforce confidentiality: that information and functions can be accessed only by properly authorized parties.
Intrusion Prevention Systems (IPS) help enforce integrity: that information can be added, altered, or removed only by authorized persons.
Existing perimeter security devices focus on integrity and confidentiality, but not on availability.
Firewalls and IPS are stateful devices, and stateful devices are exactly what state-based DoS attacks from botnets target!
-
DDoS Attack Types: Application Layer
Application-layer DDoS attacks target specific applications (HTTP, SSL, DNS, SMTP, SIP, etc.).
Diagram: attack traffic and good traffic from ISP 1, ISP 2 ... ISP n pass the ISP link, firewall, IPS and load balancer; the EXHAUSTION OF SERVICE happens at the target applications & services inside the data center.
Common attacks: URL Floods, R-U-Dead-Yet (RUDY), Slowloris, Pyloris, LOIC, HOIC, DNS dictionary attacks
-
The Increases in DDoS Attacks
Increased Attack Tools: more and more tools are available to perform the attacks (LOIC, HOIC, Slowloris, SlowPost).
Increased Complexity: over a quarter of attacks are now application-based DDoS, mostly targeting HTTP, DNS and SMTP.
Increased Frequency: more than 50% of data center operators are seeing more than 10 attacks per month.
The increased complexity and frequency is driving demand in midsize enterprises.
-
Data Center DDoS Attack and Impact
83.3% of respondents now see between 1 and 50 attacks per month. The proportion of respondents seeing 0 attacks per month drops from 30% to 5.6%.
Big rise in the proportion of respondents seeing attacks targeting infrastructure and infrastructure services.
Operational costs are the main expense for data center operators in dealing with attacks. However, nearly a third experience customer churn or revenue loss due to attacks.
-
DNS Visibility
81% of respondents operate DNS infrastructure. 19% have NO security team responsible for it: an improvement from 23% last year, but still not good given the criticality of this service.
Nearly three quarters have good visibility at layers 3/4, but only just over a quarter have layer 7 visibility, which is needed to detect some types of attacks.
-
Attack Size Historic Report & Duration
-
Worldwide Infrastructure Security Report
Check it out at www.arbornetworks.com/thearbornetworks7thannualworldwideinfrastructuresecurityreport.html
-
What impact has DDoS on my business?
Source: Gartner Report "Making the case for DDoS protection"
-
... and attacks are unlikely to stop
-
Agenda
War Games
What is DDoS?
Defense Techniques
Attack Techniques: How can I perform a DDoS attack? How difficult is it? Are there tools I can use? Explanations of attacks and tools.
-
Detailed attack description
Traditional DDoS Attacks
  Volumetric Attacks: UDP Flood; ICMP Flood; DNS Attacks (DNS dictionary, DNS Reflection); NTP Attacks
  Connection Attacks: SYN Flood; Fragmentation Attack
Application Layer Attacks
  Exhaustion of Bandwidth: LOIC
  Exhaustion of Concurrent Sessions: Slowloris; RUDY
  Exhaustion of Memory: Apache Killer; RefRef
  Exhaustion of CPU: THC attack
-
Update on Traditional DDoS Attacks
-
High Bandwidth Volumetric DDoS
Description: Large volume of traffic in bps and/or pps. Traffic could be spoofed or not spoofed.
Effect on Network: Network links become saturated. Software-based routers, switches, firewalls and ISPs get overwhelmed.
Effect on Services: Legitimate users can't get to services.
Common Names: Packet flood, UDP flood, TCP flood
-
UDP Floods
UDP is stateless, making it good for floods of traffic.
Generation of UDP packets is easy. Stateless implies spoofing source IP addresses is possible. Packet sizes may range from 60 to 1500 bytes.
A high volume of small packets can cause forwarding issues for routers, firewalls and other inline devices.
1 Mpps @ 60 bytes = 480 Mbps; 1 Mpps @ 1400 bytes = 11.2 Gbps (packet payload bits only; link-layer framing adds more on the wire, which matters most for the small packets).
-
What are Reflection/Amplification Attacks?
Amplification DDoS attack: an attacker makes a relatively small request that generates a larger response/reply. This is true of most (not all) server responses.
Reflection DDoS attack: a DDoS attack in which forged requests are sent to a very large number of Internet-connected devices that reply to the requests. Using IP address spoofing, the source address is set to the actual target of the attack, where all replies are sent. Many services can be exploited to act as reflectors.
A reflection/amplification DDoS attack combines both techniques to create a DDoS attack which is both high-volume and difficult to trace back to its point(s) of origin.
-
Why NTP?
Abbreviation | Protocol | Port | Amplification factor | # abusable servers
CHARGEN | Character Generation Protocol | UDP/19 | ~17.75x | tens of thousands (~90K)
DNS | Domain Name System | UDP/53 | ~160x | millions (~30M)
NTP | Network Time Protocol | UDP/123 | ~1000x | over one hundred thousand (~128K)
SNMP | Simple Network Management Protocol | UDP/161 | ~880x | millions (~5M)
-
UDP Floods
UDP floods can cause jitter and latency, impacting other services like VoIP.
UDP floods do not generally impact the server (unless it is DNS), but do impact the infrastructure, causing collateral damage.
DNS is the primary attack target with UDP. Some attacks use UDP toward typically TCP-based services such as HTTP.
DNS amplification floods can generate a high rate of large UDP packets.
-
ICMP Flood
ICMP floods attempt to overwhelm the victim: sources continuously send ICMP packets, and the victim (server) must process all packets and attempt to respond to all of them.
An ICMP reflection attack sends an echo request to a broadcast IP address with the source of the request spoofed to that of the victim.
-
DNS Threats
Multiple threat vectors against DNS, whose impacts include loss of service availability, reduced customer satisfaction, and hurt profitability.
Diagram: client-side attacks and server-side reflective attacks (DNS servers answering toward the attack target); a DNS cache poisoning attack (DNS resolvers redirected to phishing servers); and DNS application-layer attacks against the DNS servers: "Root Queries", "Random Queries", "Multiple Queries per Packet", "NXDomain Reflective".
-
DNS Dictionary Attack
Attacker requests entries that do not exist in the DNS cache:
Query: abcd.somedomain.com
Query: efgh.somedomain.com
Query: ijkl.somedomain.com
...
Every miss is forwarded to the authoritative (DB) server, which is overwhelmed with lookups and answers each one with NXDomain:
NXDomain: abcd.somedomain.com
NXDomain: efgh.somedomain.com
NXDomain: ijkl.somedomain.com
...
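Added example, not from the slides and not Arbor's code: a detector for the NXDomain dictionary walk described above, run over constructed resolver query-log lines. The log format ("client qname rcode"), the thresholds, and every address and name in it are assumptions for the demonstration. The two signals that separate a dictionary walk from a user with a typo are the share of NXDOMAIN answers and the share of names that are never repeated.

```python
from collections import defaultdict

# Assumed thresholds for this illustration.
MIN_QUERIES = 10      # ignore clients that sent fewer queries in the window
NX_RATIO = 0.8        # share of NXDOMAIN answers that marks a client as suspicious
UNIQUE_RATIO = 0.9    # share of never-repeated names (a dictionary walk repeats nothing)

# Constructed resolver log, one query per line: "<client-ip> <qname> <rcode>".
# 198.51.100.7 is a normal user with one typo; 203.0.113.9 walks a dictionary of
# names under somedomain.com, every one of which misses the cache and comes back NXDOMAIN.
SAMPLE_LOG = """\
198.51.100.7 www.somedomain.com NOERROR
198.51.100.7 mail.somedomain.com NOERROR
198.51.100.7 wwww.somedomain.com NXDOMAIN
203.0.113.9 abcd.somedomain.com NXDOMAIN
203.0.113.9 efgh.somedomain.com NXDOMAIN
203.0.113.9 ijkl.somedomain.com NXDOMAIN
203.0.113.9 mnop.somedomain.com NXDOMAIN
203.0.113.9 qrst.somedomain.com NXDOMAIN
203.0.113.9 uvwx.somedomain.com NXDOMAIN
203.0.113.9 yzab.somedomain.com NXDOMAIN
203.0.113.9 cdef.somedomain.com NXDOMAIN
203.0.113.9 ghij.somedomain.com NXDOMAIN
203.0.113.9 klmn.somedomain.com NXDOMAIN
"""


def parse_line(line):
    """Split one log line into (client, normalised qname, rcode)."""
    client, qname, rcode = line.split()
    return client, qname.lower().rstrip("."), rcode.upper()


def zone_of(qname, labels=2):
    """Registered zone the query falls under, e.g. abcd.somedomain.com -> somedomain.com."""
    return ".".join(qname.split(".")[-labels:])


def analyse(log_text, min_queries=MIN_QUERIES, nx_ratio=NX_RATIO, unique_ratio=UNIQUE_RATIO):
    """Return one alert per client whose queries look like an NXDomain dictionary walk."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "names": set(), "zones": defaultdict(int)})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, rcode = parse_line(line)
        s = stats[client]
        s["total"] += 1
        s["names"].add(qname)
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["zones"][zone_of(qname)] += 1

    alerts = []
    for client, s in stats.items():
        if s["total"] < min_queries:
            continue                      # too little data to judge
        nx_share = s["nx"] / s["total"]
        unique_share = len(s["names"]) / s["total"]
        if nx_share >= nx_ratio and unique_share >= unique_ratio:
            zone = max(s["zones"], key=s["zones"].get)   # zone taking the brunt of the misses
            alerts.append({
                "client": client,
                "queries": s["total"],
                "nxdomain_share": round(nx_share, 2),
                "target_zone": zone,
            })
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The alert names the client and the zone under attack, which is what a per-client rate limit or a response-rate-limiting rule on the resolver needs; the same aggregation works per source network when the attacker spreads the dictionary over a botnet, by keying on a prefix instead of the client address.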
-
DNS Amplification Attack
Roles: Attacker (a), Victim (v), Resolver (r).
The source IP of the victim (v) is spoofed when the query is sent to the resolver; the resolver receives it and responds to v. A 55-byte query elicits a 4200-byte response.
A botnet with as few as 20 DSL-connected homes (1 Mbps upstream each) can generate 1.5 Gbps of attack traffic with DNS reflective amplification attack vectors such as those employed for the root server attacks in early 2006 (1:76 amplification factor). Most enterprises have little more than 155 Mbps of Internet connectivity.
-
What is NTP?
NTP = Network Time Protocol, used for clock synchronization between networked devices. One of the oldest protocols, in operation since the mid-1980s. Runs over the User Datagram Protocol (UDP) on port number 123. The current version is NTPv4 (RFC 5905).
A hierarchical, semi-layered system of time sources called strata, where the stratum number represents the distance from the reference clock.
NTP is the mechanism that synchronizes the clock on your laptop, smartphone, tablet, and network infrastructure devices.
-
NTP Reflection Attack
The attacker sends monlist, showpeers, or other NTP level 6/7 administrative queries to abusable NTP servers, with the chosen target port and the spoofed IP address of the target.
Target port: UDP/80 or UDP/123.
The NTP services reply to the attack target with streams of ~468-byte packets sourced from UDP/123; the destination port is the source port the attacker chose while generating the NTP queries.
-
Connection Based Attacks
Description: Attackers create many connections to the service, sending no traffic or infrequent traffic. Sometimes the attacker may send incomplete requests to the service.
Effect on Network: Available connections to the service are exhausted. State tables of firewalls, IPS and load balancers could also get overwhelmed.
Effect on Services: Legitimate users can't get to services.
Common Names: Sockstress
-
Connection Attacks
Description: Attacks that maintain a large number of either open TCP connections or fully open idle connections, impeding new connections from forming on the victim.
Common names: TCP Idle attack
-
SYN Flood
A SYN flood attempts to exhaust the server-side resources for TCP connections.
Source(s) continuously send packets with just the SYN bit set. The victim (server) must allocate a half-open connection and send a SYN-ACK back to the source.
In a normal handshake the connection is kept open, the source ACKs, data is exchanged and the source terminates the connection; in the flood the final ACK never arrives (the source address is usually spoofed), so the server holds each half-open entry until it times out.
SYN packets are typically small in size.
-
TCP Stack Attack: SYN Attack
-
Fragmentation Attacks
Description: A flood of TCP or UDP fragments is sent to a victim, overwhelming the victim's ability to re-assemble the streams and severely reducing performance. Fragments may also be malformed in some way. Fragmentation may also be the result of a network misconfiguration.
Common names: Teardrop, Targa3, Jolt2, Nestea
-
Update on Application Layer Attacks
-
Application Layer Attacks
Application-layer attacks focus on exhausting resources of the target in order to collapse it and take it down.
We can classify the attacks in groups:
Exhaustion of bandwidth: HTTP flood attacks, HTTP POST attacks, LOIC and variants.
Exhaustion of concurrent sessions: Slowloris, SlowPost, nkiller2, recoil.
Exhaustion of memory: ApacheKiller.
Exhaustion of CPU: SSL renegotiation, RefRef.
-
Exhaustion of Bandwidth
These attacks correctly follow the TCP and HTTP protocols (handshake, packet distribution).
The attack volume per source is not very large, and therefore they need multiple attackers at the same time.
Since HTTP responses are much bigger than requests, a minimal amount of upload bandwidth consumes a lot of download bandwidth on the target side.
Depending on the volume of the attack, these attacks can be easily detected by network-based DDoS solutions.
-
Exhaustion of Bandwidth: LOIC
Waits for answers and responds to digests. Can use GZIP. Can add payloads to the packets. Can randomly change the request to hide itself.
Used by Anonymous.
Modes: Manual; IRC with botnets.
Attacks: TCP Flood, UDP Flood, HTTP Flood.
-
Exhaustion of Concurrent Sessions
Also known as Low and Slow attacks. They allow a single machine to take down a web server with minimal bandwidth and minimal side effects on unrelated services and ports.
Designed to hold open as many connections as possible to the HTTP server and abuse them by handling the HTTP request headers very slowly.
Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.
Low & slow attacks have a high impact and relatively low bandwidth usage.
It is pretty hard to detect these low-rate attacks with a solution based on traffic baselines and NetFlow.
-
Exhaustion of Concurrent Sessions: Examples
Slowloris: uses HTTP GET requests, but the HTTP header portion is never completed. The Slowloris process opens several connections to the target web server and sends a partial request: one that never ends with the blank line that terminates the headers. This tells the web server to hold on: the rest of the GET request is on its way.
RUDY: uses HTTP POST requests, and the HTTP header portion is complete and sent in full to the web server. It abuses HTTP web form fields by iteratively injecting one custom byte into a web application POST field and then going to sleep. Application threads become zombies awaiting the ends of the posts until death lurks upon the website.
-
Exhaustion of Concurrent Sessions: Slowloris
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
Connection: keep-alive
User-Agent: Mozilla/5.0
Content-Length: 42
X-a: b
X-a: b
X-a: b
X-a: b
X-a: b
X-a: b
X-a: b
-
Exhaustion of Concurrent Sessions: R.U.D.Y.
POST http://victim.com/ HTTP/1.1
Host: victim.com
Connection: keep-alive
Content-Length: 1000000
User-Agent: Mozilla/5.0
Cookie: __utmz=181569312.1294666144.1.1

Username=A AAAAAAAAAAA
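Added example, not from the slides and not from the Slowloris or RUDY tools: the server-side counterpart to the two requests shown above. A request reader that enforces one deadline on the whole header block and another on the whole body, tried over a socketpair against three constructed clients: a normal one, one that trickles "X-a: b" headers forever, and one that announces a million-byte form body and sends it a byte at a time. The deadlines and byte limits are assumed values chosen to keep the demonstration short; production servers set them in their own configuration (Apache's mod_reqtimeout is the equivalent knob for headers and body).

```python
import socket
import threading
import time

# Assumed server-side limits for the demonstration (far shorter than production values).
HEADER_DEADLINE = 0.5    # seconds to receive the complete request-header block
BODY_DEADLINE = 0.5      # seconds to receive the complete body
MAX_HEADER_BYTES = 8192


def recv_until(conn, done, deadline, max_bytes, initial=b""):
    """Read from conn until done(buf) holds, the deadline passes, or the peer closes.

    Returns (status, buf), status in {"complete", "timeout", "too_large", "closed"}.
    The deadline covers the whole transfer, so a peer that trickles a few bytes just
    before every per-read timeout (the Slowloris/RUDY trick) still gets cut off.
    """
    buf = initial
    end = time.monotonic() + deadline
    while not done(buf):
        remaining = end - time.monotonic()
        if remaining <= 0:
            return "timeout", buf
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return "timeout", buf
        if not chunk:
            return "closed", buf
        buf += chunk
        if len(buf) > max_bytes:
            return "too_large", buf
    return "complete", buf


def serve_one(conn):
    """Read one request the way a hardened server would; return the outcome it acts on."""
    status, data = recv_until(conn, lambda b: b"\r\n\r\n" in b, HEADER_DEADLINE, MAX_HEADER_BYTES)
    if status != "complete":
        conn.close()                      # Slowloris never gets past here: the slot is freed
        return "head:"+status
    head, leftover = data.split(b"\r\n\r\n", 1)
    length = 0
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            length = int(value.strip())
    if length:
        status, _ = recv_until(conn, lambda b: len(b) >= length, BODY_DEADLINE, length, leftover)
        if status != "complete":
            conn.close()                  # RUDY never gets past here either
            return "body:"+status
    conn.close()
    return "ok"


def run_client(behaviour):
    """Run serve_one() against behaviour(sock), a client running in a thread on a socketpair."""
    server_side, client_side = socket.socketpair()

    def client():
        try:
            behaviour(client_side)
        except OSError:
            pass                          # the server hung up on us, which is the point
        finally:
            client_side.close()

    t = threading.Thread(target=client, daemon=True)
    t.start()
    result = serve_one(server_side)
    t.join(timeout=5)
    return result


# Three constructed clients: a normal one and the two attack patterns from the slides.
def normal_client(s):
    s.sendall(b"GET / HTTP/1.1\r\nHost: victim.example\r\n\r\n")


def slowloris_client(s):
    # Headers that never end: no blank line, just "X-a: b" trickled forever.
    s.sendall(b"GET / HTTP/1.1\r\nHost: victim.example\r\nContent-Length: 42\r\n")
    while True:
        time.sleep(0.2)
        s.sendall(b"X-a: b\r\n")


def rudy_client(s):
    # Complete headers announcing a huge form body, then one byte at a time.
    s.sendall(b"POST / HTTP/1.1\r\nHost: victim.example\r\nContent-Length: 1000000\r\n\r\nUsername=A")
    while True:
        time.sleep(0.2)
        s.sendall(b"A")


if __name__ == "__main__":
    for name, client in (("normal", normal_client), ("slowloris", slowloris_client), ("rudy", rudy_client)):
        print(name, "->", run_client(client))
```

The point of the design is that the budget is per request phase, not per read: a per-read idle timeout is exactly what both tools are built to stay under. The header byte cap closes the other door, a client that keeps the connection busy by sending headers fast but without ever finishing them.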
-
Exhaustion of Memory Attacks
The goal of the attack is to overwhelm the server by making it use lots of memory, so that it crashes.
These kinds of attacks focus on particular web application servers/solutions and abuse specific vulnerabilities.
Many botnets already include these kinds of attacks, multiplying their effect.
These attacks are oriented to applications such as Apache, WordPress and Joomla servers.
The server normally goes down in less than 2 minutes.
-
Exhaustion of Memory Attacks: Examples
ApacheKiller: the vulnerability was originally discovered by Michal Zalewski of Google. The attack exploits a vulnerability in the way Apache handles requests based on "Range": byte-range requests containing many overlapping ranges, sent to servers running Apache 1.3 and 2.x, can consume all of their memory.
RefRef: RefRef is the new Anonymous tool that replaces LOIC. The attack exploits a vulnerability in servers that use a database and GET variables. It is a flood attack that sends: select benchmark(99999999999,0x70726f62616e646f70726f62616e646f70726f62616e646f)
-
Exhaustion of Memory Attacks: ApacheKiller
HEAD / HTTP/1.1
Host: 208.109.47.175
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12
(the slide lists the full header: one "5-k" range for every k from 0 to 1299, 1301 ranges in a single Range header; the dashes were lost in extraction)
Accept-Encoding: gzip
Connection: close
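Added example, not from the slides and not Apache's code: a byte-range parser with the policy that takes the sting out of the request above. It rebuilds the killapache Range value (0- followed by 5-0 through 5-1299), counts the ranges before parsing any of them, and ignores the header (answer 200 with the whole resource, which RFC 2616 permits for an invalid or unreasonable Range) when there are too many ranges, an inverted range such as 5-0, or ranges that overlap. MAX_RANGES is an assumption; the mod_headers workaround published for this bug unset Range when it contained five or more commas, and later Apache releases added a MaxRanges directive.

```python
import re

MAX_RANGES = 5     # assumed policy limit; legitimate clients rarely ask for more than a handful

_BYTE_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def killapache_range(count=1300):
    """Range value sent by the killapache request above: 0- plus 5-0, 5-1, ... 5-(count-1)."""
    return "bytes=0-" + "".join(f",5-{k}" for k in range(count))


def parse_byte_ranges(items):
    """Parse each byte-range-spec into (first, last); None marks an open end.

    Raises ValueError for syntax RFC 2616 calls invalid (empty spec, last < first),
    in which case the caller ignores the whole header.
    """
    ranges = []
    for item in items:
        m = _BYTE_RANGE_SPEC.match(item.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError(f"bad byte-range-spec {item!r}")
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            raise ValueError(f"inverted byte-range-spec {item!r}")   # killapache's 5-0, 5-1, ...
        ranges.append((first, last))
    return ranges


def resolve(ranges, resource_len):
    """Turn (first, last) with open ends into concrete offsets, dropping unsatisfiable ones."""
    out = []
    for first, last in ranges:
        if first is None:                       # suffix range: the last `last` bytes
            if last == 0:
                continue
            first, last = max(0, resource_len - last), resource_len - 1
        else:
            if first >= resource_len:
                continue                        # starts past the end: unsatisfiable
            if last is None or last >= resource_len:
                last = resource_len - 1
        out.append((first, last))
    return out


def has_overlap(resolved):
    """True if any two resolved ranges share a byte (the memory multiplier in the attack)."""
    prev_end = -1
    for first, last in sorted(resolved):
        if first <= prev_end:
            return True
        prev_end = max(prev_end, last)
    return False


def range_policy(header_value, resource_len, max_ranges=MAX_RANGES):
    """Decide the response to a Range header: 'serve' (206), 'ignore' (200, whole body)
    or 'unsatisfiable' (416)."""
    unit, sep, spec = header_value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return "ignore"                         # unknown range unit: ignore per RFC 2616
    items = spec.split(",")
    if len(items) > max_ranges:
        return "ignore"                         # counted before parsing: cheap, and no 1301-part reply
    try:
        ranges = parse_byte_ranges(items)
    except ValueError:
        return "ignore"
    resolved = resolve(ranges, resource_len)
    if not resolved:
        return "unsatisfiable"
    if has_overlap(resolved):
        return "ignore"
    return "serve"


if __name__ == "__main__":
    print(range_policy(killapache_range(), 100_000))        # ignore
    print(range_policy("bytes=0-499,500-999", 100_000))     # serve
```

Counting commas before parsing matters: the attack header is about 9 KB, and a server that first builds 1301 range objects and then decides has already done most of the work the attacker wanted.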
-
Exhaustion of Memory Attacks: RefRef
GET /viewNews.php?id=53%20and%20(select+benchmark(99999999999,0x70726f62616e646f70726f62616e646f70726f62616e646f)) HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: www.eudragene.local
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12

perl refref.pl http://www.telefonica.com/viewNews.php?id=53
== #RefRef http://hackingalert.blogspot.com ==
[+] Target: http://www.telefonica.com/viewNews.php?id=53
[+] Starting the attack
[+] Info: control+c for stop attack
[+] Web Off
== RefRef http://hackingalert.blogspot.com ==
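Added example, not from the slides and not the RefRef tool itself: the viewNews.php?id= pattern above as a vulnerable query builder beside its parameterised form, run against an in-memory SQLite database. SQLite has no BENCHMARK(), so the example registers a stand-in that records being reached and caps the CPU burn, and the hex string is shortened to 8 bytes ("probando") because SQLite hex literals are limited to 64 bits. The table, column and names are assumptions.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the news site's database, plus a BENCHMARK() emulation."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)", [(53, "Quarterly results"), (54, "New office")])
    reached = []                      # every call lands here so we can prove the injection ran

    def benchmark(count, expr):
        # MySQL's BENCHMARK(count, expr) evaluates expr count times and returns 0; RefRef asks
        # for 10^11 iterations per request. The emulation caps the loop so the example terminates.
        reached.append(count)
        acc = 0
        for _ in range(min(count, 10_000)):
            acc ^= hash(expr)
        return 0

    db.create_function("benchmark", 2, benchmark)
    return db, reached


# The id= value RefRef appends (the slide's hex literal shortened to 8 bytes for SQLite).
PAYLOAD = "53 and (select benchmark(99999999999,0x70726f62616e646f))"


def view_news_vulnerable(db, user_id):
    """What viewNews.php does: the GET variable is pasted into the SQL text."""
    sql = f"SELECT title FROM news WHERE id = {user_id}"
    return db.execute(sql).fetchall()


def view_news_safe(db, user_id):
    """Validate the type, then bind the value; SQL structure can no longer come from the client."""
    try:
        id_num = int(user_id)
    except ValueError:
        return None                   # 400 Bad Request territory, not a database round trip
    return db.execute("SELECT title FROM news WHERE id = ?", (id_num,)).fetchall()


if __name__ == "__main__":
    db, reached = make_db()
    print(view_news_vulnerable(db, PAYLOAD), reached)   # [] [99999999999]: benchmark() ran
    reached.clear()
    print(view_news_safe(db, PAYLOAD), reached)         # None []: the request never reached SQL
    print(view_news_safe(db, "53"))                      # [('Quarterly results',)]
```

The vulnerable path returns nothing useful to the attacker, which is the point of RefRef: the injected expression is evaluated for its cost, not its result, and one request ties up a database worker for as long as the server lets the query run. The safe path never sends the expression to the database at all.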
-
Exhaustion of CPU
The easy way to overwhelm a server is to attack an HTTPS server, since the SSL handshake uses lots of CPU for the cryptography.
Many DDoS tools and botnets are able to perform HTTPS attacks.
Network-based solutions can stop HTTPS attacks that work by protocol or resource exhaustion.
Low & slow attacks against HTTPS servers must be stopped by decrypting the traffic.
Enterprises manage their own SSL certificates and will not let the ISP open those tunnels.
The only way to stop these attacks is to decrypt, analyse and re-encrypt these connections.
The latest versions of Slowloris and Siege already support HTTPS. In 2012 we saw the first botnet that supports it too.
-
Exhaustion of CPU: Two Handshakes
Diagram: the TCP handshake followed by the SSL handshake.
-
Exhaustion of CPU: HTTPS renegotiation
thc-ssl-dos -l 1 192.168.127.1 8443 --accept
(THC ASCII-art banner)
http://www.thc.org
Twitter @hackerschoice
Greetingz: the french underground
Waiting for script kiddies to piss off................
The force is with those who read the source...
Handshakes 0 [0.00 h/s], 1 Conn, 0 Err
Handshakes 128 [136.44 h/s], 1 Conn, 0 Err
Handshakes 260 [132.65 h/s], 1 Conn, 0 Err
Handshakes 400 [136.49 h/s], 1 Conn, 0 Err
Handshakes 550 [145.47 h/s], 1 Conn, 0 Err
Handshakes 694 [152.00 h/s], 1 Conn, 0 Err
Handshakes 834 [140.42 h/s], 1 Conn, 0 Err
Handshakes 973 [139.26 h/s], 1 Conn, 0 Err
-
Agenda
War Games
What is DDoS?
Attack Techniques
Defense Techniques: How can I protect clients connected to my network? ISP DDoS solution deployment, how does it work? Defense in layers.
-
Stopping Attacks in the Right Place
-
Arbor's Key Technologies
Visibility
Flow Intelligence: Arbor's products are the premier analyzers of full network flow data, providing holistic traffic & security visibility.
Application Intelligence: Arbor's products offer deep insight into applications and services as more services move to standard ports.
Global Intelligence: Arbor's products leverage the real-time Internet-wide visibility of the ATLAS initiative to detect and stop active threats.
Protection
Availability Engine: Arbor's core packet analysis & blocking engine can stop, and is also immune to, all threats against availability.
Botnets & Malware: Arbor's Security & Emergency Response Team (ASERT) conducts unique research into botnets and malware.
Cloud Signaling: Arbor's proprietary protocol enables signaling from the enterprise edge to the cloud for complete protection.
-
Peakflow Products
Visibility: Peakflow SP
Models: CP-6000, PI-6000, BI-6000, FS-6000
The Peakflow Service Provider (SP) solution collects and analyzes Flow, BGP, and SNMP data; conducts network anomaly detection for security visibility; provides a user interface for managed services; and offers massive scale to meet the needs of the world's largest service providers and cloud operators.
Protection: Peakflow TMS
Models: TMS-2300 & TMS-4000 Series
The Peakflow Threat Management System (TMS) is built for high-performance, carrier-class networks and is used for surgical mitigation of DDoS attack traffic with no additional latency for legitimate traffic; it also serves as the protection platform for in-cloud managed security services.
-
Pravail Products
Visibility: Pravail NSI
Models: Collectors 5003, 5004, 5005, 5006, 5007; Controllers 5110, 5120, 5130, 5220, 5230
The Pravail Network Security Intelligence (NSI) solution (formerly known as Peakflow X) collects and analyzes Flow and raw packet data; performs behavioral anomaly detection; and provides application-level and pervasive security intelligence across the enterprise network.
Protection: Pravail APS
Models: APS 2202, APS-2203, APS 2004, APS-2104, APS-2105, APS-2107, APS-2108
The Pravail Availability Protection System (APS) provides out-of-the-box protection from attacks while being immune to state-exhausting attacks; blocks complex application-layer DDoS; uses a dynamic threat feed from ATLAS to stop botnets; supports inline deployment models; and is able to send cloud signals upstream.
-
The ATLAS Initiative
The ATLAS initiative is the world's most comprehensive Internet monitoring & security intelligence system. Services: ATLAS Intelligence Feed (AIF), Active Threat Feed (ATF), Fingerprint Sharing, Global Threat Analysis Portal.
ATLAS intelligence is seamlessly integrated into Arbor's products and services, including real-time services, global threat intelligence, and insight into key Internet trends.
ASERT, Arbor's Security Engineering and Research Team, also leverages ATLAS to provide expert commentary on security trends and to address significant Internet research questions.
-
ASERT Threat Detection/Classification
Diagram: malware samples arrive from honeypots & spam traps, ATLAS and the security community (over 2 dozen malware sources; 20-50K malware samples/day; 2.2M+ samples). A sandbox of virtual machines runs the malware (looking for botnet C&C, files, network behavior); the report and PCAP are stored in a database. Samples are auto-classified into DDoS families and analyzed every 24 hrs; the resulting fingerprints feed the DDoS attack tracker.
-
Peakflow SP / TMS - Solution Overview
A Central Console for Visibility & Security
Collector Platform (CP) collects and analyzes IP Flow, BGP, and SNMP data; conducts network anomaly detection; provides traffic & service reporting; provides the user interface; manages other SP devices (i.e. TMS).
Threat Management System (TMS) is built for carrier-class networks and used for surgical mitigation of attack traffic; conducts service performance monitoring; serves as a platform for in-cloud managed security services.
Diagram: Peakflow SP CP and TMS deployed network-wide at the peering edge towards cloud providers A, B and C, covering visibility, detection and mitigation; the legend marks the Pravail APS.
-
DDoS - Mitigation
1. Detect (network wide: CP using Flow)
2. Activate TMS (manual or automatic)
3. Divert traffic (network wide: BGP off-ramp announcement)
4. Clean the traffic and forward the legitimate traffic (network wide: using an on-ramp technique [e.g. MPLS, GRE, VLAN, ...])
5. Protected
Diagram: CP and TMS in the provider network, built up step by step across the slides.
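The detect-and-divert steps above, as an added example that is not Peakflow code and not Arbor's data model: a collector aggregates constructed flow records per destination for one window, compares the rate against a constructed baseline, and for an attacked host produces the more-specific BGP route (a /32 with the TMS as next hop, tagged NO_EXPORT) that off-ramps its traffic. The TMS address, LOCAL_PREF value and on-ramp label are assumptions; the on-ramp itself (returning clean traffic, e.g. over GRE) is only named in the returned record.

```python
"""Flow-based detection and BGP off-ramp decision (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    """Subset of the fields a NetFlow v5 style record carries."""
    src: str
    dst: str
    proto: int        # 6 = TCP, 17 = UDP
    dst_port: int
    packets: int
    bytes: int


# Learned "normal" bps per protected host (constructed numbers).
BASELINE_BPS = {"198.51.100.10": 50_000_000, "198.51.100.20": 5_000_000}
FACTOR = 5.0                # alert when the rate exceeds 5x baseline ...
FLOOR_BPS = 100_000_000     # ... and is at least 100 Mbps (no noise alerts on idle hosts)


def aggregate(flows, window_s):
    """Sum bytes, packets and distinct sources per destination over one window."""
    total_bytes = defaultdict(int)
    total_pkts = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        total_bytes[f.dst] += f.bytes
        total_pkts[f.dst] += f.packets
        sources[f.dst].add(f.src)
    return {
        dst: {"bps": total_bytes[dst] * 8 / window_s,
              "pps": total_pkts[dst] / window_s,
              "sources": len(sources[dst])}
        for dst in total_bytes
    }


def detect(flows, window_s=60):
    """Step 1: network-wide detection from Flow. One alert per attacked destination."""
    alerts = []
    for dst, stats in aggregate(flows, window_s).items():
        threshold = max(BASELINE_BPS.get(dst, 0) * FACTOR, FLOOR_BPS)
        if stats["bps"] > threshold:
            alerts.append({"dst": dst, "threshold_bps": threshold, **stats})
    return alerts


def offramp_announcement(victim, tms_next_hop, onramp="gre-to-customer"):
    """Step 3: BGP off-ramp. A /32 host route is more specific than the customer's
    aggregate, so every router in the AS forwards the victim's traffic to the TMS.
    Community 65535:65281 is the well-known NO_EXPORT, keeping the diversion inside
    the provider. LOCAL_PREF and the on-ramp name are assumptions of this example."""
    return {
        "prefix": str(ip_network(f"{victim}/32")),
        "next_hop": tms_next_hop,
        "communities": ["65535:65281"],
        "local_pref": 200,
        "onramp": onramp,     # how the TMS returns cleaned traffic (step 4)
    }


def build_sample_flows():
    """Constructed 60 s window: a UDP flood on .10 from 300 sources, normal traffic on .20."""
    flood = [Flow(f"203.0.113.{i}", "198.51.100.10", 17, 53, 7_000, 10_000_000)
             for i in range(150)]
    flood += [Flow(f"192.0.2.{i}", "198.51.100.10", 17, 53, 7_000, 10_000_000)
              for i in range(150)]
    normal = [Flow(f"198.18.0.{i}", "198.51.100.20", 6, 443, 800, 1_000_000)
              for i in range(5)]
    return flood + normal


def run_demo(tms_next_hop="10.255.0.1"):
    """Steps 1-3 end to end: detect, (activate TMS,) divert. TMS address is constructed."""
    alerts = detect(build_sample_flows())
    announcements = [offramp_announcement(a["dst"], tms_next_hop) for a in alerts]
    return alerts, announcements


if __name__ == "__main__":
    for alert, ann in zip(*run_demo()):
        print(f"ALERT {alert['dst']}: {alert['bps'] / 1e6:.0f} Mbps from "
              f"{alert['sources']} sources (threshold {alert['threshold_bps'] / 1e6:.0f} Mbps)")
        print("  announce", ann)
```

The threshold combines a multiple of the learned baseline with an absolute floor; without the floor, a host whose baseline is near zero would alert on every small burst, which is the usual source of false positives in flow-based detection. The flood on .10 (300 sources, 400 Mbps) crosses its 250 Mbps threshold, the 0.7 Mbps on .20 does not.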
-
Specialized Multi-Layer-Countermeasures to Block Complex DDoS Attacks
Each source is evaluated by the multi-layer countermeasures. The diagram aligns each countermeasure layer with the attack class it addresses:
Stateless static & dynamic packet preventions: flooding attacks
Invalid packets & behavioral preventions: protocol attacks
Malformed & client challenge/response preventions: session attacks
HTTP(s), DNS, SIP application layer & behavioral preventions: application, slow & low attacks
Dynamic attack preventions (e.g. AIF signatures): dynamic botnet & tool attacks
-
DDoS Multi-Layer-Countermeasure (Overview)
Zombie Detection
Invalid Packets
SYN Flood Prevention
Flexible Rate-based Blocking
IP Location Blocking
IP Location Policing
TCP Connection Verification
IP Black/White Listing
SYN Authentication
Fragmentation Prevention
Large IP/FCAP & DNS & HTTP Filter Lists
Payload Filter
ATLAS Intelligence Feed (AIF) Prevention
SSL/TLS Protocol Multi-Attack Prevention
URL Blocking
HTTP Malformed Prevention
HTTP Authentication
HTTP Flood Prevention
HTTP Basic Botnet Prevention
HTTP Regular Expression Filter
DNS Authentication
DNS Request Limiting
DNS NXDOMAIN Rate Limiting
DNS Malformed Prevention
DNS Domain Blacklisting
DNS Regular Expression Filter
Multiple SIP Preventions
ICMP Flood Prevention
Traffic Shaping
+ many others ... growing
-
Multilayer Protection / Countermeasures by groups
Filter List: PCAPs, Static Blacklist, Static Whitelist, Dynamic Blacklist, Countries, Multicast, Private Address
Challengers: TCP Authentication, DNS Authentication, HTTP Authentication
Traffic Limiting/Shaping: Rate-based TCP Connection, DNS Rate, DNS NXDomain Rate, HTTP Rate, ICMP Rate, UDP Rate, TCP Connections Reset, Web Crawler Support, CDN and Proxy Support
Heuristics: TLS Attacks, TCP SYN Flood, Fragment Detection, Application Misbehavior
Signatures: Regular Expressions, DNS Regular Expressions, HTTP Regular Expressions, Botnet Prevention
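How the groups above fit together when every source is evaluated layer by layer, as an added example that is not Pravail or TMS code and uses no product configuration syntax: constructed events from constructed sources pass a filter list (whitelist, static blacklist, private addresses), then a challenger (TCP SYN authentication), then traffic limiting (per-source rate and DNS NXDOMAIN rate), then a signature (HTTP header regular expression). The first layer that reaches a verdict decides. The regular expression is the one quoted in the bank case study on this page; the addresses, limits and the one-second window are assumptions.

```python
"""Multi-layer countermeasure pipeline (added example, constructed data)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Event:
    src: str
    ts: float          # seconds
    kind: str          # "syn", "ack", "dns", "http"
    payload: str = ""  # DNS rcode, or one HTTP header line


class Countermeasures:
    def __init__(self, whitelist, blacklist, pps_limit, nxdomain_limit, http_patterns):
        self.whitelist = [ip_network(n) for n in whitelist]
        self.blacklist = [ip_network(n) for n in blacklist]   # static + private ranges
        self.pps_limit = pps_limit
        self.nxdomain_limit = nxdomain_limit
        self.http_re = [re.compile(p) for p in http_patterns]
        self.challenged = set()               # sources that were sent a SYN challenge
        self.authenticated = set()            # sources that answered it correctly
        self.pkt_window = defaultdict(deque)  # per-source timestamps in the last 1 s
        self.nx_window = defaultdict(deque)
        self.log = []                         # (src, kind, verdict, layer)

    @staticmethod
    def _rate(window, ts):
        """Sliding 1 s window; returns the events seen in it, including this one."""
        window.append(ts)
        while ts - window[0] >= 1.0:
            window.popleft()
        return len(window)

    def evaluate(self, ev):
        verdict, layer = self._decide(ev)
        self.log.append((ev.src, ev.kind, verdict, layer))
        return verdict

    def _decide(self, ev):
        ip = ip_address(ev.src)
        # Layer 1: filter lists. Whitelist wins; blacklisted and private (bogon)
        # source addresses are dropped before anything else is spent on them.
        if any(ip in net for net in self.whitelist):
            return "pass", "whitelist"
        if any(ip in net for net in self.blacklist):
            return "drop", "blacklist"
        # Layer 2: challenger. A first SYN gets a challenge instead of being
        # forwarded; only a real TCP stack completes the exchange, so spoofed SYN
        # floods never reach the server. (HTTP/DNS events are assumed to arrive on
        # connections that were already accepted.)
        if ev.kind == "syn" and ev.src not in self.authenticated:
            self.challenged.add(ev.src)
            return "challenge", "syn-auth"
        if ev.kind == "ack":
            if ev.src in self.challenged:
                self.authenticated.add(ev.src)
                return "pass", "syn-auth"
            return "drop", "syn-auth"       # ACK without a prior challenge: spoofed
        # Layer 3: traffic limiting per source (overall pps, then DNS NXDOMAIN rate).
        if self._rate(self.pkt_window[ev.src], ev.ts) > self.pps_limit:
            return "drop", "rate-limit"
        if ev.kind == "dns" and ev.payload == "NXDOMAIN":
            if self._rate(self.nx_window[ev.src], ev.ts) > self.nxdomain_limit:
                return "drop", "nxdomain-rate"
        # Layer 4: signatures (HTTP header regular expression from the case study).
        if ev.kind == "http" and any(r.search(ev.payload) for r in self.http_re):
            return "drop", "http-regex"
        return "pass", "default"


def run_demo():
    """Constructed scenario exercising every layer once; returns verdicts and the log."""
    cm = Countermeasures(
        whitelist=["192.0.2.0/24"],
        blacklist=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24"],
        pps_limit=5, nxdomain_limit=3,
        http_patterns=[r"^Accept-Language: ru$"],
    )
    events = [
        Event("203.0.113.7", 0.0, "syn"),                            # static blacklist
        Event("10.1.2.3", 0.05, "syn"),                              # private source address
        Event("198.51.100.10", 0.1, "syn"),                          # real client: challenged
        Event("198.51.100.10", 0.2, "ack"),                          # answers: authenticated
        Event("198.51.100.10", 0.3, "http", "Accept-Language: en"),  # normal request
        Event("198.51.100.20", 0.4, "ack"),                          # never challenged: spoofed
        Event("198.51.100.30", 0.5, "http", "Accept-Language: ru"),  # matches the signature
    ]
    events += [Event("198.51.100.40", 1.0 + i / 100, "dns", "NXDOMAIN") for i in range(5)]
    events += [Event("192.0.2.5", 2.0 + i / 100, "dns", "NXDOMAIN") for i in range(10)]
    events += [Event("198.51.100.50", 3.0 + i / 100, "http", "Accept-Language: en")
               for i in range(8)]
    verdicts = [cm.evaluate(e) for e in events]
    return verdicts, cm.log


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(*entry)
```

Two points the run makes visible: a whitelisted source is never rate-limited even when it sends ten NXDOMAIN answers in a second, so whitelists need to be as narrow as the static blacklist is broad; and the challenger distinguishes a spoofed ACK from a real client without keeping any per-connection state on the protected server, which is what lets the device stay immune to state-exhausting attacks.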
-
OpAbabil (AlQaeda): Attack on US Banks
Cloud (Peakflow) mitigation combined with on-site (Pravail) mitigation
~67 Gbps attack traffic
~14 Gbps leaked traffic
-
Multi-Vector HTTP Attack on a Large Bank
HTTP Regular Expression: ^Accept-Language: ru$
Standard countermeasures not working
Low & Slow countermeasures: Slowloris
-
Attack on a Large Carrier
8 Gbps stopped by IP filter list
1 Mpps of malformed DNS traffic
Real-time packet capture
-
Agenda
What is DDoS?
Attack Techniques
Defense Techniques
War Games
-
Thank You