Universal DDoS Mitigation Bypass. DDoS Mitigation Lab

Transcription

1 Universal DDoS Mitigation Bypass DDoS Mitigation Lab

2 About Us Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. DDoS Mitigation Lab Independent academic R&D division of Nexusguard building next generation DDoS mitigation knowledge and collaborate with the defense community.

3 Outline DDoS Attack Categories DDoS Detection and Mitigation Techniques How they work? How to bypass / take advantage? DDoS Mitigation Bypass How to use our PoC tool? PoC tool capability Next-Generation Mitigation

4 Financial Impact Source: NTT Communications, Successfully Combating DDoS Attacks, Aug 2012

5 Volumetric Attacks Packet-Rate-Based Bit-Rate-Based

6 Semantic Attacks API attacks Hash DoS Apache Killer Teardrop (old textbook example) Slowloris / RUDY SYN Flood (old textbook example) Smurf (old textbook example)

7 Blended Attacks

8 Attack Quadrant xxx Gbps+ Volume xxx Mbps+ Simple Complexity Sophisticated

9 DDoS Mitigations xxx Gbps+ Volume Traffic Policing Black- / Whitelisting Proactive Resource Release xxx Mbps+ Simple Complexity Sophisticated

10 DDoS Mitigation: Traffic Policing Source: Cisco

11 DDoS Mitigation: Proactive Resource Release 3. Detect idle / slow TCP connections RST 2. TCP connection pool starved 4. Close idle / slow TCP connections With RST Example: Slowloris Attack 1. Open lots of TCP connections

12 DDoS Mitigation: Black- / Whitelisting Src: Black List B (dropped) Src: White List = free pass (for awhile / for x amount of volume) Backend

13 DDoS Mitigation: Source Isolation AS AS AS Source:

14 DDoS Solution: Secure CDN Backend 3: return 2: redirect to nearest server End User 1: request 4: bypass distribution, attack backend!

15 DDoS Detection xxx Gbps+ Rate Measurement (SNMP) Baselining (Netflow) Volume Big Data Analysis Protocol Sanity (PCAP) Protocol Behavior (PCAP) Application (SYSLOG) xxx Mbps+ Simple Complexity Sophisticated

16 Rate- / Flow-Based Countermeasures Detection Mitigation

17 Protocol-Based Countermeasures Detection Mitigation

18 Blanket Countermeasures Detection Mitigation Traffic Statistics and Behavior Big Data Analysis Source Host Verification

19 Source Host Verification TCP SYN Auth HTTP Redirect Auth HTTP Cookie Auth JavaScript Auth CAPTCHA Auth

20 PoC Tool

21 PoC Tool Strengths True TCP/IP behavior (RST, resend, etc.) Believable HTTP headers (User-Agent strings, etc.) Embedded JavaScript engine CAPTCHA solving capability Randomized payload Tunable post-authentication traffic model

22 PoC Tool: Authentication Bypass

23 TCP SYN Auth (TCP Reset) SYN SYN ACK ACK RST SYN SYN ACK ACK

24 TCP SYN Auth (TCP Out-of-Sequence) SYN SYN ACK RST SYN SYN ACK ACK

25 HTTP Redirect Auth GET HTTP 302 redir to /index.html /foo/index.html GET /foo/index.html HTTP 302 redir to /index.html GET /index.html

26 HTTP Cookie Auth GET HTTP 302 redir to GET HTTP 302 redir to GET /index.html /index.html /index.html /index.html /index.html

27 HTTP Cookie Auth (Header Token) GET HTTP 302 redir to [X-Header: foo=bar] GET HTTP 302 redir to [X-Header: foo=bar] [X-Header: foo=bar] GET GET /index.html [X-Header: foo=bar] /index.html /index.html [X-Header: foo=bar] /index.html /index.html /index.html

28 JavaScript Auth GET /index.html JS 7+nine=? ans=16 POST /auth.php HTTP 302 redir to /index.html GET /index.html

29 CAPTCHA Auth GET /index.html POST /auth.php HTTP 302 redir to /index.html GET /index.html

30 CAPTCHA Pwnage

31 PoC Tool: TCP Traffic Model

32 TCP Traffic Model Connection Hold Time Before 1 st Request Connection Idle Timeout After Last Request Number of Connections TCP Connection TCP Connection TCP Connection Connections Interval Connections Interval

33 PoC Tool: HTTP Traffic Model

34 HTTP Traffic Model TCP Connection Number of Requests per Connection HTTP Connection HTTP Connection HTTP Connection HTTP Connection Requests Interval Requests Interval Requests Interval

35 PoC Tool Design 3 tries per authentication attempt (in practice more likely to success) True TCP/IP behavior thru use of OS TCP/IP stack Auth cookies persist during subsequent dialogues JavaScript execution using embedded JS engine (lack of complete DOM an obstacle to full emulation)

36 CAPTCHA Bypass Design 1. Converted to black-and-white for max contrast 2. 3x3 median filter applied for denoising 3. Word segmentation 4. Boundary recognition 5. Pixel difference computed against character map

37 PoC Tool in Action

38 Testing Environment Against Devices Against Services Measure Attack Traffic Measure Attack Traffic

39 Mitigation Bypass (Protection Products) Auth Bypass Post-Auth Proactive Resource Release Testing results under specific conditions, valid as of Jul 13, 2013

40 Mitigation Bypass (Protection Services) Auth Bypass Post-Auth Proactive Resource Release Testing results under specific conditions, valid as of Jul 13, 2013

41 Next-Generation Mitigation Client Puzzle add cost to individual zombies.

42 Conclusion DDoS is expensive to business Existing DDoS protection insufficient Next-Generation solution should make attack expensive

43 Thank You!

44