DDoS Attacks & Mitigation

Transcription

1 DDoS Attacks & Mitigation Sang Young Security Consultant 1

2 DoS Attack DoS & DDoS an attack render a target unusable by legitimate users DDoS Attack launch the DoS attacks from various source from Internet to a target 2

3 DDoS Attack Volume Source: Worldwide Infrastructure Security Report, Volume V by Arbot Networks 3

4 Twitter 4

5 GoDaddy Happened in Year 2009, 2007 and 2005 Affected the Hosting Servers 5

6 Wordpress 6

7 DNS Root Servers 7

8 Others hit by DDoS attacks BBC Possible unethical competition Worldpay Authorize Authorize-It Checkout StormPay AlertPay An Anti-fraud site: Bobbear.co.uk Norwegian BitTorrent tracker: norbits.net 8

9 Proof-of-Concept DoS Tools Network Based Targa Land LaTierra Nemesy UDP Flooder FSMax Crazy Pinger Other Application Based SomeTrouble: smtp, icq, net send ihateperl.pl: dns HTTP Based Blast DoSHTTP 9

10 Nemesy 10

11 UDP Flood 11

12 DoSHTTP 12

13 Crazy Pinger 13

14 My Collections 14

15 Botnet Botnet consists of multiple bots (machines) in the Internet They are multiple purposes Concept: A relatively small botnet with around 1,000 bots (computers) combined bandwidth that is higher than the Internet connection of most corporate systems 15

16 Agobot Phatbot Forbot XtremBot SDBot RBot UrBot UrXot GT-Bots Nuclear Bot PoC Bots H Attacker H H H Victim handlers (master) agents A A A A A A 16

17 Uses of Botnets Botnet Estimated Size Main Functions Conficker 9 to 15 Million Botnet Resilience BlackEnergy 20 to 200k DDoS Machbot 15 nets, 100,000k each DDoS Cutwail About 1 Million Spam, ID Theft Pushdo Torpig About 1.9 Million Financial and ID Theft Sinowal Hexzone 200k to 500k RansomWare Ghostnet ~1200 in 103 countries Cyber Espionage 17

18 BlackEnergy Attack vectors HTTP DNS Request Floods ICMP Spoofed IP s SynFloods UDP Floods Random Binary Packet Floods Capabilities 1 to 7 Gbps New BlackEnergy can be created over a few days to a size of 4,000 to 20,000 bots 18

19 DDoS Attack Taxonomy DDoS Attacks Bandwidth Depletion Resource Depletion Flood Attack Amplification Attack Protocol Exploit Malformed Packet TCP UDP ICMP Smurf Fraggle TCP Syn Push+Ack 19

20 Amplification Attack Attacker Agent(s) Generate a Packet: src: victim ip dst: amplifier net Victim Amplifier Networks Systems Reply: src: system ip dst: victim ip 20

21 Reflective DNS Attacks Send a large number of queries to open DNS servers These queries will be spoofed to look like they come from the victim Small queries (60 byte) can generate large UDP packets (512 byte) in response, an amplification factor of 8.5 By combining different response type (A, TXT, SOA), 122 byte query results in response of 4320 bytes. An amplification factor of 73 21

22 Observed Bots 22

23 Traditional Countermeasures Threshold Based Attack Detection and Mitigation Deep Packet Inspection & Protocol Validation Protocol Identification Network & Applications Identify and Disable Handler L7 Mitigation / WAF More Bandwidth 23

24 Mitigation Defense vs Attacker Countermeasure Mitigation Defense Threshold Based Attack Detection and Mitigation Deep Packet Inspection & Protocol Validation L7 Mitigation / WAF More Bandwidth Attacker Countermeasure Low and Slow Hit and Run Encryption Vary Requests More and More Traffic 24

25 defense Hit and Run Attacks rely on sampling traffic flows take time to react: seconds 25

26 Observed Attack Vectors 26

27 Trend Everything over IP Everything over HTTP 27

28 Application Layer Attacks (Layer-7) Low Packet Rate Packet - Bandwidth > Request - Layer 7 > Session - Behavior 28

29 DDoS and Infrastructure 29

30 Most Common HTTP Attacks Methods Effects ge POST action with huge amount of data Large Botnet, low IP rate, high delays Partial Requests Extra I/O from 404 s loggged Raises CPU on web servers Load on Load balancer due to -ve cache hits Loading on I/O to the db server High CPU via script pages Affect RAM Affect loads threads Bypassing DDoS equipment HTTP requests always get through Tie down all available threads 30

31 Damaging Queries ch&type=all&mode=search Produce most matches and cross-reference queries: e, t, a, o, n, i, r, s, d, h, l, c, u, f, p, m, w, y, b, g, v, k, x, j, q, z th, he, an, in, er, re, es, on, ti, at the, and, hat, ent, ion, for, tio, has, tis you, can, her, was, has, him, his Results: hit both CPU on web and database servers 31

32 New Mitigation Approach Protocol Validation Inspects the structure of information in packets at application layer HTTP anomaly detection: XYZ is not a valid command in HTTP header Signature/Fingerprint Search for pattern in network packet to determine if an attack exists Vendor specific Open source Adhoc Customization: Particular Custom Application Signatures Require human operational Statistical A.k.a Network Behavioral Analysis Adaptive and predictive models of network behavior Require human operational 32

33 New Mitigation Approach Reputational a database of good and bad IP address bad IP address includes bots, spammer etc. Honeypot can help to track these IPs Client Validation Determine if a source is a real person or an automated script Real Browser Detection: by sending a JavaScript and determine the response Transactional Inspection and validation of application transactions, e.g. HTTP Request, SIP request Look at the nature of groups of transactions 33

34 New Mitigation Approach Decryption to inspect the encrypted transactions and protocols decrypt https traffic Zero-Day Requires human operation Requires log consolidation from different network devices 34

35 Largest Anticipated Threat 35

36 Questions? Sang Young 36