DDoS Protecion Total AnnihilationD. DDoS Mitigation Lab

Transcription

1 DDoS Protecion Total AnnihilationD A

2 Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. Independent academic R&D division of Nexusguard building next generation DDoS mitigation knowledge and collaborate with defense community.

3 DDoS Relevance, Attack Categories, Detection & Mitigation Source Host Verification: Authentication Methods TCP SYN Auth HTTP Redirect Auth HTTP Cookie Auth JavaScript Auth CAPTCHA Auth PoC Tool TCP Traffic Model HTTP Traffic Model

4 Source: NTT Communications, Successfully Combating DDoS Attacks, Aug 2012

5 Volumetric Semantic Blended

6 xxx Gbps+ Volume xxx Mbps+ Simple Complexity Sophisticated

7 xxx Gbps+ Volume Traffic Policing Black- / Whitelisting Proactive Resource Release xxx Mbps+ Simple Complexity Sophisticated

8 xxx Gbps+ Rate Measurement (SNMP) Baselining (Netflow) Volume Big Data Analysis Protocol Sanity (PCAP) Protocol Behavior (PCAP) Application (SYSLOG) xxx Mbps+ Simple Complexity Sophisticated

9 c

10 Traffic Pattern simulation, e.g. Like traffic behind Proxy HTTP Header Simulation Simulate Normal traffic Pattern and Behavior!!!!!

11 Conn B and User-agent B Attack Traffic Proxy

12 HTTP header will change during the attack For example, first HTTP request for HTTP Header Accept First Request Second Request Accept: */* Accept: image/gif, image/jpeg, imag,..

13 TCP option against Detection Empower attack Power

14 Connection Hold Time SYN SYN ACK ACK Push ACK (HTTP Request e.g. GET, POST) ACK Push ACK Full Control every TCP State!!!!

15 OLD-FASHIONED GET Flood SYN SYN ACK ACK High CPU and constant no. of conns But Still ALIVE!!! Push ACK (HTTP GET) ACK Fin ACK Conns closed

16 Kill EM ALL!!!!!! SYN SYN ACK ACK Push ACK (HTTP Request) High Memory, High CPU and no. of conns increasing HTTP 503 Service unavailable ACK Push ACK (HTTP Request) ACK

17 TCP SYN Auth HTTP Redirect Auth HTTP Cookie Auth JavaScript Auth CAPTCHA Auth

18 SYN SYN ACK ACK RST SYN SYN ACK ACK

19 SYN SYN ACK RST SYN SYN ACK ACK

20 SYN SYN ACK Spoofed Src IP RST (May be from Real host) TCP REST and TCP Out of Seq are SAME!!!!!!

21 Handling a Real User access: TCP REST TCP out of Seq TCP Flag Total Length TCP Flag Total Length SYN 60 SYN 60 SYN ACK 40 SYN ACK 40 ACK 40 RST 40 RST 40 Total 180 Bytes Total 140 Bytes P.S. TCP SYN Packet size = Header length + Total Length

22 SYN SYN ACK RST SYN 33% Attack traffic Bypassed Same Spoofed a real Host IP as Src IP

23 The traditional SYN Flood is 40 bytes, missing TCP Option How to simulate a real SYN traffic: In IP layer: Randomize TTL In TCP layer: Randomize Window size, Correct Option added, e.g. Maximum Segment Size, etc bytes TCP SYN Flood attack is nightmare

24 GET HTTP 302 redir to /index.html /foo/index.html GET /foo/index.html HTTP 302 redir to /index.html GET /index.html

25 HTTP / Found\r\n Location: http: a.c.com\r\n Loop the script, until HTTP / ok

26 GET HTTP 302 redir to GET HTTP 302 redir to GET /index.html /index.html /index.html /index.html /index.html

27 Set-Cookie: AuthCode=d8e; expires=mon, 23-Dec :50:00 GMT;., etc If Date and time of Expire is between hour or minutes, it is the our REAUTH threshold!!!!!!!! If you saw this in third HTTP redirect request Set-Cookie:AuthCode=deleted;.bad luck

28 GET HTTP 302 redir to [X-Header: foo=bar] GET HTTP 302 redir to [X-Header: foo=bar] [X-Header: foo=bar] GET GET /index.html [X-Header: foo=bar] /index.html /index.html [X-Header: foo=bar] /index.html /index.html /index.html

29 API, AJAX or XHR2 is used to deploy header token Not all browser compatibility those Techniques Existing Mitigation devices can not fully using those Techniques Simulation the Traffic Flow BYPASS it!!!!

30 GET /index.html JS 7+nine=? ans=16 POST /auth.php HTTP 302 redir to /index.html GET /index.html

31 JavaScript is client-side-program Find the path download and analyze it. Challenge to embedded JavaScript in Botnet, guys using: Simulate the traffic flow Client Deployment Model Server Deployment Model Kill Em All is below 1M bytes!!!!!!

32 Cmd: Attack!!! ATTACK!!! Bot with JS Engine C&C Server Bot with JS Engine Victim Bot with JS Engine..

33 Cmd: Attack!!! ATTACK!!! Tell me the ANS, plz~ C&C Server Tell me the ANS, plz~ Victim Tell me the ASN, plz~ Server Resolve auth.js e.g. Application Bundle..

34 GET /index.html POST /auth.php HTTP 302 redir to /index.html GET /index.html

35 JavaScript is client-side-program Find the path download and analyze it. Challenge to embedded CAPTCHA Engine in Botnet, guys using: Simulate the traffic flow Client Deployment Model Server Deployment Model DEFCON have FXXKING many CATPCHA engine!!!!

36

37 3 tries per authentication attempt (in practice more likely to success) True TCP/IP behavior thru use of OS TCP/IP stack Auth cookies persist during subsequent dialogues JavaScript execution using embedded JS engine (lack of complete DOM an obstacle to full emulation)

38 c

39

40 1. Converted to black-and-white for max contrast 2. 3x3 median filter applied for denoising 3. Word segmentation 4. Boundary recognition 5. Pixel difference computed against character map

41 c

42 Connection Hold Time Before 1 st Request Connection Idle Timeout After Last Request Number of Connections TCP Connection TCP Connection TCP Connection Connections Interval Connections Interval

43 c

44 TCP Connection Number of Requests per Connection HTTP Connection HTTP Connection HTTP Connection HTTP Connection Requests Interval Requests Interval Requests Interval

45

46 True TCP/IP behavior (RST, resend, etc.) thru use of true OS TCP/IP stack Believable HTTP headers (User-Agent strings, etc.) Embedded JavaScript engine CAPTCHA solving capability Randomized payload Tunable post-authentication traffic model

47 44 Page views 44 regular traffic

48 Against Devices Against Services Measure Attack Traffic Measure Attack Traffic

49 Post-Auth Auth Bypass Proactive Resource Release Testing results under specific conditions, valid as of Jul 13, 2013

50 Auth Bypass Post-Auth Proactive Resource Release Testing results under specific conditions, valid as of Jul 13, 2013

51