DDoS Attacks & Mitigation
Sang Young, Security Consultant, ws.young@stshk.com
DoS & DDoS
DoS attack: an attack that renders a target unusable by its legitimate users.
DDoS attack: the same DoS attack launched against one target from many sources across the Internet at the same time.
DDoS Attack Volume (chart)
Source: Worldwide Infrastructure Security Report, Volume V, Arbor Networks
Twitter
http://status.twitter.com/post/157191978/ongoing-denial-of-service-attack

GoDaddy
Hit in 2005, 2007 and 2009; the hosting servers were affected.
http://www.zdnet.com/blog/security/godaddy-hit-by-a-ddos-attack/2391

Wordpress
http://www.pcmag.com/article2/0,2817,2333361,00.asp

DNS Root Servers
http://www.crn.com/security/197004065
Others hit by DDoS attacks
- BBC
- Possible unethical competition among payment processors: 2004 Worldpay, 2004 Authorize, 2004 Authorize-It, 2004 2Checkout, 2006 StormPay, 2008 AlertPay
- An anti-fraud site: Bobbear.co.uk
- A Norwegian BitTorrent tracker: norbits.net
Proof-of-Concept DoS Tools
Network based: Targa, Land, LaTierra, Nemesy, UDP Flooder, FSMax, Crazy Pinger
Other (application based): SomeTrouble (smtp, icq, net send), ihateperl.pl (dns)
HTTP based: Blast, DoSHTTP
Screenshots: Nemesy, UDP Flood, DoSHTTP, Crazy Pinger, My Collections
Botnet
A botnet consists of many bots (compromised machines) on the Internet and is used for multiple purposes.
Concept: even a relatively small botnet of around 1,000 bots (computers) has a combined bandwidth higher than the Internet connection of most corporate systems.
PoC bots: Agobot, Phatbot, Forbot, XtremBot, SDBot, RBot, UrBot, UrXBot, GT-Bots, Nuclear Bot
Structure (diagram): Attacker -> handlers (masters) -> agents -> Victim. The attacker talks only to a few handlers; each handler controls many agents, and the agents generate the attack traffic.
Uses of Botnets
Botnet              | Estimated size                | Main functions
Conficker           | 9 to 15 million               | Botnet resilience
BlackEnergy         | 20k to 200k                   | DDoS
Machbot             | 15 nets, 100,000k each        | DDoS
Cutwail (Pushdo)    | About 1 million               | Spam, ID theft
Torpig (Sinowal)    | About 1.9 million             | Financial and ID theft
Hexzone             | 200k to 500k                  | Ransomware
Ghostnet            | ~1,200 hosts in 103 countries | Cyber espionage
BlackEnergy
Attack vectors: HTTP and DNS request floods, ICMP, spoofed IPs, SYN floods, UDP floods, random binary packet floods
Capabilities: 1 to 7 Gbps; a new BlackEnergy botnet can be built over a few days to a size of 4,000 to 20,000 bots
DDoS Attack Taxonomy
DDoS attacks
  Bandwidth depletion
    Flood attack: TCP, UDP, ICMP
    Amplification attack: Smurf, Fraggle
  Resource depletion
    Protocol exploit: TCP SYN, PUSH+ACK
    Malformed packet
Amplification Attack (diagram)
Attacker -> agent(s) generate a packet with src: victim IP, dst: amplifier network.
Amplifier network systems reply with src: system IP, dst: victim IP, so every system on the amplifier network answers the victim.
Reflective DNS Attacks
Send a large number of queries to open DNS servers; the queries are spoofed to look like they come from the victim.
Small queries (60 bytes) can generate large UDP packets (512 bytes) in response: an amplification factor of 8.5.
By combining different response types (A, TXT, SOA), a 122 byte query results in a 4,320 byte response, quoted as an amplification factor of 73 (note: 4320/122 is about 35; a factor of 73 corresponds to the 60 byte query).
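To make the amplification arithmetic concrete, here is an added example (not code from the original slides) that builds a DNS query in wire format, constructs the kind of large TXT response a reflector would send back, and computes the bytes-received-per-byte-sent ratio including IP/UDP overhead. The EDNS0 OPT record is included because a stock resolver truncates at 512 bytes without it; the name example.com, the transaction ID and the record sizes are assumptions chosen for the illustration, and the response is constructed, not captured.

```python
import struct

IP_UDP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte UDP header per datagram on the wire
QTYPE_TXT = 16
QTYPE_OPT = 41
QTYPE_ANY = 255


def encode_name(name):
    """Encode a domain name in DNS wire format: length-prefixed labels, zero terminator."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234, edns_bufsize=None):
    """Build a DNS query. With edns_bufsize an OPT pseudo-RR advertises a UDP payload size
    above the classic 512-byte limit, which is what lets a reflector return a large answer."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # class IN
    pkt = header + question
    if edns_bufsize:
        # OPT RR: root name, type 41, "class" carries the UDP payload size, TTL 0, empty RDATA
        pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_bufsize, 0, 0)
    return pkt


def build_txt_response(query, records):
    """Construct a response to `query` carrying one TXT RR per entry of `records`.
    Constructed reflector answer for the size calculation, not captured traffic."""
    txid = struct.unpack("!H", query[:2])[0]
    qname_end = query.index(b"\x00", 12) + 1
    question = query[12:qname_end + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)  # QR, RD, RA set
    answers = b""
    for txt in records:
        data = txt.encode("ascii")
        assert len(data) <= 255  # one TXT character-string is at most 255 bytes
        rdata = bytes([len(data)]) + data
        # owner name is a compression pointer (0xC00C) back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 300, len(rdata)) + rdata
    return header + question + answers


def parse_header(pkt):
    """Return the six DNS header fields of a packet as a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker sends, counting IP/UDP headers."""
    return (len(response) + IP_UDP_OVERHEAD) / (len(query) + IP_UDP_OVERHEAD)


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_ANY, edns_bufsize=4096)
    r = build_txt_response(q, ["x" * 255] * 16)
    print("query on the wire:", len(q) + IP_UDP_OVERHEAD, "bytes")
    print("response on the wire:", len(r) + IP_UDP_OVERHEAD, "bytes")
    print("amplification factor:", round(amplification_factor(q, r), 1))
```

The 40-byte query (68 bytes on the wire) draws a 4,317-byte answer here, a factor of roughly 64; the attacker only ever sends the small datagram, and the reflector pays for the large one.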
Observed Bots (chart)
Traditional Countermeasures
- Threshold-based attack detection and mitigation
- Deep packet inspection and protocol validation
- Protocol identification (network and applications)
- Identify and disable the handler
- L7 mitigation / WAF
- More bandwidth
Mitigation Defense vs Attacker Countermeasure
Defense                                         | Attacker countermeasure
Threshold-based attack detection and mitigation | Low and slow; hit and run
Deep packet inspection and protocol validation  | Encryption
L7 mitigation / WAF                             | Vary requests
More bandwidth                                  | More and more traffic
Hit-and-run attacks: defenses that rely on sampling traffic flows take time to react (15 to 60 seconds), so an attacker who bursts for less than that and then stops is never mitigated for long, while the defense may keep dropping legitimate traffic after the burst ends.
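An added simulation (not from the original slides) of exactly this mismatch: a threshold detector that averages over a trailing 15-second window is run against constructed per-second packet counts with 10-second bursts every 60 seconds. The window length, threshold, burst shape and rates are assumptions chosen to illustrate the point; the output shows how many attack seconds were actually mitigated and how many seconds of legitimate traffic were blocked after each burst.

```python
from collections import deque


def hit_and_run_profile(duration, period, burst_len, attack_pps, baseline_pps):
    """Per-second packet counts: a burst of `burst_len` seconds at the end of every `period`
    seconds, baseline traffic otherwise. Constructed traffic, not a capture."""
    return [attack_pps if t % period >= period - burst_len else baseline_pps
            for t in range(duration)]


def threshold_detector(counts, window, threshold):
    """Sampling, threshold-based detector: mitigation is on while the mean packet rate over
    the trailing `window` seconds exceeds `threshold`. Returns one flag per second."""
    buf = deque(maxlen=window)
    flags = []
    for c in counts:
        buf.append(c)
        flags.append(sum(buf) / len(buf) > threshold)
    return flags


def evaluate(counts, flags, attack_pps):
    """Score the detector: attack seconds actually mitigated, legitimate seconds blocked
    after the burst (collateral), and the delay before the first burst was caught."""
    attack = [t for t, c in enumerate(counts) if c == attack_pps]
    first_flag = next((t for t in attack if flags[t]), None)
    return {
        "attack_seconds": len(attack),
        "mitigated_seconds": sum(1 for t in attack if flags[t]),
        "collateral_seconds": sum(1 for t, f in enumerate(flags)
                                  if f and counts[t] != attack_pps),
        "detection_delay": None if first_flag is None else first_flag - attack[0],
    }


def run(duration=180, period=60, burst_len=10, window=15, threshold=500,
        attack_pps=1000, baseline_pps=10):
    """Run one scenario end to end and return the evaluation dict."""
    counts = hit_and_run_profile(duration, period, burst_len, attack_pps, baseline_pps)
    flags = threshold_detector(counts, window, threshold)
    return evaluate(counts, flags, attack_pps)


if __name__ == "__main__":
    print("10 s bursts vs 15 s window:", run())
    print("40 s bursts vs 15 s window:", run(burst_len=40))
```

With a 15-second window and a 1,000 pps burst over a 10 pps baseline the mean only crosses the threshold once eight attack seconds are in the window, so each burst runs seven seconds before anything is dropped, only the last three seconds of it are mitigated, and the detector then keeps blocking for seven seconds of normal traffic after the burst stops. Longer bursts (the second run) are caught for most of their duration, which is why the attacker keeps them short.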
Observed Attack Vectors (chart)
Trend
Everything over IP; everything over HTTP.
Application Layer Attacks (Layer 7)
Low packet rate. The unit of attack, and of defense, moves up the stack: packet (bandwidth) > request (Layer 7) > session (behaviour).
DDoS and Infrastructure (chart)
Most Common HTTP Attacks
Methods:
- Requesting http://<target>/random_page (pages that do not exist)
- Requesting http://<target>/login.php
- Requesting http://<target>/search.php
- POST actions with a huge amount of data
- A large botnet at a low per-IP request rate with high delays
- Partial requests (the header block is never completed)
Effects:
- Extra I/O from the 404s being logged
- Raised CPU on the web servers
- Load on the load balancer from negative cache hits
- I/O load on the database server
- High CPU from script pages
- RAM consumed and all available worker threads tied down
- Bypasses DDoS equipment: well-formed HTTP requests always get through
Damaging Queries
http://target/search.php?query=e&submit=search&type=all&mode=search
Pick the terms that produce the most matches and force the most cross-referencing:
- single letters, in English frequency order: e, t, a, o, n, i, r, s, d, h, l, c, u, f, p, m, w, y, b, g, v, k, x, j, q, z
- bigrams: th, he, an, in, er, re, es, on, ti, at
- trigrams: the, and, hat, ent, ion, for, tio, has, tis
- words: you, can, her, was, has, him, his
Result: hits CPU on both the web and the database servers.
New Mitigation Approach
Protocol validation: inspects the structure of the information in packets at the application layer. HTTP anomaly detection, e.g. "XYZ" is not a valid method in an HTTP request line.
Signature / fingerprint: searches for a pattern in network packets to determine whether an attack is present. Vendor-specific, open source, or ad hoc customisation (signatures for a particular custom application); requires human operation.
Statistical (a.k.a. network behavioural analysis): adaptive and predictive models of network behaviour; requires human operation.
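The following is an added example (not from the original slides) of the protocol-validation and damaging-query checks described above, run over a few constructed HTTP requests: it rejects an invalid method such as XYZ, a request whose header block never terminates, a POST whose declared body exceeds a cap, a search for a single-letter or very common term, and a source that hammers the expensive script pages. The allowed methods, size cap, minimum term length, stop list, expensive paths and per-source limit are assumed policy values, and the sample requests are constructed.

```python
import re
from collections import defaultdict

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed policy
MAX_BODY_BYTES = 64 * 1024                  # assumed cap on a POST body
MIN_SEARCH_TERM = 3                         # assumed minimum search term length
COMMON_TERMS = {"the", "and", "for", "you", "can", "her", "was", "has", "him", "his"}
EXPENSIVE_PATHS = {"/search.php", "/login.php"}
EXPENSIVE_LIMIT = 5                         # assumed requests per source per window

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def validate_request(raw, src_ip, counters):
    """Classify one raw HTTP request. Returns the list of reasons to reject it; an empty
    list means it passed. `counters` tracks expensive-path requests per source."""
    if b"\r\n\r\n" not in raw:
        # Header block never terminated: a partial request holding a worker thread open
        return ["partial-request"]
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["malformed-request-line"]
    method, target = m.group(1), m.group(2)
    reasons = []
    if method not in ALLOWED_METHODS:
        reasons.append("invalid-method:" + method)   # e.g. XYZ is not a valid method
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            reasons.append("malformed-header")
            continue
        headers[name.strip().lower()] = value.strip()
    if method == "POST":
        try:
            length = int(headers.get("content-length", "0"))
        except ValueError:
            length = -1
        if length < 0 or length > MAX_BODY_BYTES:
            reasons.append("oversized-or-invalid-body")
    path, _, query = target.partition("?")
    if path == "/search.php":
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        term = params.get("query", "")
        if len(term) < MIN_SEARCH_TERM or term.lower() in COMMON_TERMS:
            reasons.append("damaging-search-term")
    if path in EXPENSIVE_PATHS:
        counters[src_ip] += 1
        if counters[src_ip] > EXPENSIVE_LIMIT:
            reasons.append("expensive-path-rate")
    return reasons


# Constructed sample requests, not captured traffic
SAMPLE_REQUESTS = [
    ("203.0.113.5", b"GET /index.html HTTP/1.1\r\nHost: target\r\n\r\n"),
    ("203.0.113.5", b"XYZ /index.html HTTP/1.1\r\nHost: target\r\n\r\n"),
    ("203.0.113.5", b"GET /index.html HTTP/1.1\r\nHost: target\r\nX-A: b\r\n"),
    ("203.0.113.5", b"POST /login.php HTTP/1.1\r\nHost: target\r\nContent-Length: 10000000\r\n\r\n"),
    ("203.0.113.5", b"GET /search.php?query=e&submit=search&type=all&mode=search HTTP/1.1\r\n"
                    b"Host: target\r\n\r\n"),
]


def classify_all(samples):
    """Run every sample through the validator with a fresh per-source counter table."""
    counters = defaultdict(int)
    return [validate_request(raw, ip, counters) for ip, raw in samples]


def search_flood(src_ip, n):
    """Send n well-formed searches from one source; returns how many tripped the rate check."""
    counters = defaultdict(int)
    req = b"GET /search.php?query=firewall HTTP/1.1\r\nHost: target\r\n\r\n"
    return sum("expensive-path-rate" in validate_request(req, src_ip, counters) for _ in range(n))


if __name__ == "__main__":
    for (ip, raw), verdict in zip(SAMPLE_REQUESTS, classify_all(SAMPLE_REQUESTS)):
        print(raw.split(b"\r\n")[0].decode(), "->", verdict or "ok")
    print("rate-limited searches out of 8:", search_flood("203.0.113.5", 8))
```

Only the first sample passes; the others are each caught by a different check. Note that the rate counter is per source, so it does nothing against the "large botnet, low per-IP rate" method from the previous slide, which is exactly why that method is listed as bypassing DDoS equipment.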
New Mitigation Approach (continued)
Reputational: a database of good and bad IP addresses; bad addresses include bots, spammers etc. A honeypot can help track these IPs.
Client validation: determine whether a source is a real person or an automated script. Real-browser detection sends a piece of JavaScript and checks the response.
Transactional: inspection and validation of application transactions, e.g. an HTTP request or a SIP request; look at the nature of groups of transactions.
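An added example (not from the original slides) of the reputational and client-validation steps combined into one admission decision: a source on the bad-IP list is blocked outright; a source without a valid cookie is served a small page whose JavaScript sets an HMAC-bound cookie and reloads, so only a client that executes script gets through; a source presenting a valid, unexpired cookie for its own IP is allowed. The secret, the cookie lifetime and the reputation entries are assumptions, and the bad-IP set stands in for a honeypot-fed database.

```python
import hashlib
import hmac

SECRET = b"rotate-me-per-deployment"   # assumed per-deployment key
CHALLENGE_TTL = 300                    # assumed seconds a solved challenge stays valid
BAD_IPS = {"198.51.100.7", "198.51.100.8"}   # constructed reputation data (e.g. honeypot hits)


def challenge_token(src_ip, issued):
    """Token bound to the source IP and issue time so it cannot be replayed from elsewhere."""
    msg = f"{src_ip}|{issued}".encode()
    return f"{issued}." + hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def challenge_page(src_ip, now):
    """HTML served instead of the requested page: a client that runs the script sets the
    cookie and retries; a script that just replays GETs never gets past this page."""
    token = challenge_token(src_ip, now)
    return ('<html><body><script>document.cookie="ddos_ok=' + token +
            '; path=/";location.reload();</script></body></html>')


def cookie_valid(src_ip, cookie, now):
    """Check the cookie's HMAC against this source and reject expired or malformed ones."""
    try:
        issued_s, mac = cookie.split(".", 1)
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return False
    if not 0 <= now - issued <= CHALLENGE_TTL:
        return False
    return hmac.compare_digest(challenge_token(src_ip, issued), f"{issued}.{mac}")


def admit(src_ip, cookie, now, bad_ips=BAD_IPS):
    """Admission decision: 'block' (bad reputation), 'allow' (validated client) or 'challenge'."""
    if src_ip in bad_ips:
        return "block"
    if cookie_valid(src_ip, cookie, now):
        return "allow"
    return "challenge"


if __name__ == "__main__":
    print(admit("198.51.100.7", None, 1000))
    print(admit("203.0.113.9", None, 1000))
    tok = challenge_token("203.0.113.9", 1000)
    print(admit("203.0.113.9", tok, 1100))
    print(admit("203.0.113.9", tok, 2000))
```

The check raises the cost of an attack rather than ending it: a bot built on a real browser engine solves the challenge too, which is why the slides pair client validation with reputation and transactional analysis rather than relying on it alone.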
New Mitigation Approach (continued)
Decryption: to inspect encrypted transactions and protocols, decrypt the HTTPS traffic before applying the checks above.
Zero-day: requires human operation and consolidation of logs from the different network devices.
Largest Anticipated Threat (chart)
Questions?
Sang Young, wsyoung@wsyoung.com