DDoS – Yesterday, Today and tomorrow
Frank Tse, William Guo Nexusguard
Agenda
1
DDoS Introduction
2
DDoS Attack Analysis
3
DDoS Detection and Mitigation
4
Fighting DDoS in Mobile Era
5
FAQ
Page§2
About us
Nexusguard, incorporated in 2008, is a premium provider of end-to-end, in-the-cloud Internet Security Solutions. Nexusguard delivers solutions over the internet to ensure that our clients enjoy uninterrupted web- service delivery to their users, by protecting them against the ever- increasing and evolving multitude of internet threats, particularly Denial- of-Service (DDoS) attacks, and other attacks directed at web application software.
Page§3
What is DDoS
§ A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system.
§ The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.
Page§4
What is DDoS
Zombies on innocent computers
Infrastructure-level DDoS attacks
Bandwidth-level DDoS attacks
Server-level DDoS attacks
(Protocol / Application)
5Page § 5
What is DDoS
Credit http://www.wired.com/politics/security/magazine/15-09/ff_estonia_bots
Page§6
DDoS in the news
Page§7
Motivation of Cyber Attack
Page§8
DDoS vs. Hacking Hacking
If (Availble){
try
{ SQLi, XSS, CSRF
MITM, Brute Force, Reverse Engineering, Buffer Overflow, RFI, Session Hijacking, Information Leakage, Defacement,
something cool
} catch (data) finally
{ DDoS }
while (Available){
try
{ DDoS()} finally
{ Give_up()}
DDoS
Page§9
Trend of DDoS attack
100+Gbps / 70Mpps
POC Organized
Collaborated
Volume Focus
0-day focus
2008 2009
DJB33X
Page § 10
DDoS Attack – Brief History
Packet Generator Packet Crafter Creative Attacks
Page § 11
DDoS – Yesterday
2002 root DNS attack
All thirteen (13) DNS root name servers were targeted simultaneously. Attack volume was approximately 50 to 100 Mbits/sec (100 to 200 Kpkts/ sec) per root name server, yielding a total attack volume was approximately 900 Mbits/sec (1.8 Mpkts/sec).
Attack traffic contained ICMP, TCP SYN, fragmented TCP, and UDP.
Some attack types you might heard of
ICMP flood, Ping flood, UDP flood, IP Fragment, SYN flood, Teardrop, ACK flood, RST flood, Land attack, smurf attack, Ping to death, Nuke, ARP Poison, Reflex attack, TCP NULL, XMAS, Malformed TCP flags, PUSH ACK flood, DNS query flood, GET flood, POST flood, authentication flood, de-authentication flood, SIP flood
Page § 12
DDoS – Yesterday
Tools (comes with your OS) Ping, telnet, wget
Tools ( can easily get from internet) hping, scapy, cURL,
Library:
Libpcap-dev, libthread, libnet-dev, netinet/*.h, string.h
Simple GET flood in 1 line
for ((i=0;i<100;i++)) do `wget target.com &`; done
Page § 13
DDoS - Today
• Opensource,
• Crossplatform,
• Moreinflowcontrol,
• Moreinapplicationlayer
Tools ( can be easily get from internet) apache-killer.pl, slowloris.pl, slowhttptest, LOIC, HOIC, via IRC channel
Library:
Libpcap-dev, libthread, libnet-dev, urllib, libpcap-dev, libdnet-dev, socket
Page § 14
DDoS - Today
apache-killer.pl
$p = "";
for ($k=0;$k<1300;$k++) {
$p .= ",5-$k";
}
$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r \nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n”;
Page § 15
DDoS - Today
Slowhttp ‘test’
-w bytes
start of the range advertised window size would be picked from.
Effective in slow read (-X) mode only, min: 1, default: 1
-y bytes,
end of the range advertised window size would be picked from. Effective in slow read (-X) mode only, min: 1, default: 512
-x bytes,
max length of each randomized name/value pair of follow up data
per tick, e.g. -x 2 generates X-xx: xx for header or &xx=xx for
body, where x is random character, default: 32
-z bytes
bytes to slow read from receive buffer with single read() call. Effective in slow read (-X) mode only, default: 5
Page § 16
DDoS – Tomorrow
• 0-dayfocused
• Standardized–partofwormsandbots • DDoSasaproject,inateam
• Focusontargetapplication
Tools:
HashDDoS – DJB33X, protocol fuzzer, iFrame
bot, js bot, Unicornscan (2007), plug-in for worms, mobile bots
DDoS as a Service:
DDoS attack repository, open DDoS ‘testing’ server, RFC for DDoS, “Like” this attack, DDoS ‘app’ market, auto CAPTCHA breaking
Page § 17
DDoS – Tomorrow
Internet is
designed for inter-connect,
goodwill in self-discipline Internet is NOT
designed for security. TCP is :
designed for state-ful,
connection-oriented connection, TCP is NOT:
temper proof
synchronized
source authenticate sensitive to intercept (MITM)
Page § 18
DDoS – Tomorrow
Unicronscan (http://www.unicornscan.org/ ) Unicrons are fast!
Asynchronous stateless TCP scanning with all variations of TCP Flags. Asynchronous stateless TCP banner grabbing
Asynchronous protocol specific UDP Scanning
Page § 19
DDoS – Tomorrow Web Shell
Credit http://ddos.arbornetworks.com/2012/02/ddos-tools/
Page § 20
DDoS Detection and mitigation– Brief History
Collect & Filter
Detect & Challenge
Learn
& Fight back
Page § 21
DDoS Detection and mitigation – Yesterday
• Blackhole
• Rate-limiting
• ACL
• iptables
• CoPP
• SYN-cookie
• IDS
• IPS
• Loadbalancing • Port-security
• Detection:SNMP,netflow Page § 22
DDoS Detection and mitigation – Today
• DNSpoisoning
• CDN
• WAF
• Hot-linkprotection • CAPTCHA
• Sourceauthentication
• Detection:SNMP,Netflow,PCAP
Page § 23
DDoS Detection and mitigation – Tomorrow
• Browserauthentication • Userbehaviorvalidation • Applicationlearning
• User-idcorrelation
• Differentiatemitigation • Bot/toolsidentification • (Friendly)Attackback
• Detection:SNMP,Netflow,PCAP,logs+bigdata
"Apparently the war is over and you are ordered to cease firing; so, if you see any Jap planes in the air, you will just have to shoot them down in a friendly manner.”
- Admiral Halsey, 1945
Page § 24
Next Generation Detection---Profiling and Data Mining
Page § 25
A HTTP Get Flood Attack Analysis
Page § 26
A HTTP Get Flood Attack Analysis
Page § 27
Next Generation Detection---With Google API ?
Page § 28
Mobile Internet & Web API
Page § 29
API Request Load
•
•
•
•
•
Make money
60% of all lis2ngs on eBay.com added via their APIs
Save money
SmugMug saves > $500K/year with Amazon S3 Storage
Build brand
Google Maps 300% growth vs 20% MapQuest
Move to the cloud
Over 50% of all transac2ons via their API, Force.com
Go anywhere
NeQlix now available on over 200 devices
Credit : ProgrammableWeb
30
Flipboard / Instgram Down?
Page § 31
Know it before you hack it
Page § 32
API Abused DDoS
§ API Security Threats
– API Key spoofing
– API Throttling bypass
– Quota System bypass
– API ACL (Private API accessed by Public)
§ API Request DDoS
– HTTP/HTTPS GET flood – HTTP/HTTPS POST flood – PUT/DELETE/HEAD ?
Page § 33
What if it’s not abuse?
100,000 Users Have Downloaded Malware From Google Play
Page § 34
Google/ Alternative Android Markets and the Audit Policy
Page § 35
Mobile Device Botnet—Existing Apps
Android DDoS Tool
Available in Google Play
1. Requires Internet access to send the http post data
2. Requires phone state to access the IMEI
Pretty common requirement for Apps.
Page § 36
Mobile Device Botnet— Free App Generator
Page § 37
Next Generation Detection—Profiling and Data Mining
§ Traffic Baseline
– HTTP Field Pattern
– HTTP Traffic Volume – TCP Connections
§ IP Ranking
– Geo IP
– 80/20
– Open API Data Comparison—e.g. Google Safe Browsing API
–
Seculert API(expensive!).
Page § 38
Do You Have Any Questions?
Contact us at: research@nexusguard.com
Page § 39