H...t...t...p...p...o...s...t. OWASP AppSec DC 2010. The OWASP Foundation http://www.owasp.org. Wong Onn Chee OWASP Singapore Lead ocwong@usa.

Similar documents
Web Hacking Incidents Revealed: Trends, Stats and How to Defend. Ryan Barnett Senior Security Researcher SpiderLabs Research

Solution of Exercise Sheet 5

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Chapter 8 Security Pt 2

Playing with Web Application Firewalls

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Research of Web Real-Time Communication Based on Web Socket

HTTP Response Splitting

Lecture 23: Firewalls

Cyber Security Workshop Ethical Web Hacking

TCP/IP Networking An Example

Application Denial of Service Is it Really That Easy?

Background (

Acquia Cloud Edge Protect Powered by CloudFlare

CloudFlare advanced DDoS protection

Proxies. Chapter 4. Network & Security Gildas Avoine

DDoS Black and White Kungfu Revealed (DEF CON 20 Edition)

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

Firewall VPN Router. Quick Installation Guide M73-APO09-380

DC++ and DDoS Attacks

Multi-Homing Dual WAN Firewall Router

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

DoS: Attack and Defense

Configuration Guide BES12. Version 12.3

1. When will an IP process drop a datagram? 2. When will an IP process fragment a datagram? 3. When will a TCP process drop a segment?

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Networking for Caribbean Development

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Configuration Guide BES12. Version 12.1

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Configuration Guide BES12. Version 12.2

DDoS Protection on the Security Gateway

Cyber Security Scan Report

NSFOCUS Web Application Firewall White Paper

Configuring Health Monitoring

Locking down a Hitachi ID Suite server

HTTP. Internet Engineering. Fall Bahador Bakhshi CE & IT Department, Amirkabir University of Technology

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Criteria for web application security check. Version

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Firewalls and Software Updates

Alteon Browser-Smart Load Balancing

Domain Name System WWW. Application Layer. Mahalingam Ramkumar Mississippi State University, MS. September 15, 2014.

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Firewalls and Intrusion Detection

Playing with Web Application Firewalls

Analysis of Slow Read DoS Attack and Countermeasures

Grandstream Networks, Inc. UCM6100 Security Manual

Introduction to Computer Security Benoit Donnet Academic Year

About Firewall Protection

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

A Decision Maker s Guide to Securing an IT Infrastructure

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Steelcape Product Overview and Functional Description

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Configuring and Monitoring the Client Desktop Component

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Implementation of Web Application Firewall

How To Test The Bandwidth Meter For Hyperv On Windows V (Windows) On A Hyperv Server (Windows V2) On An Uniden V2 (Amd64) Or V2A (Windows 2

BlackBerry Enterprise Service 10. Version: Configuration Guide

SECURING APACHE : DOS & DDOS ATTACKS - II

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

What is Web Security? Motivation

CS5008: Internet Computing

THE PROXY SERVER 1 1 PURPOSE 3 2 USAGE EXAMPLES 4 3 STARTING THE PROXY SERVER 5 4 READING THE LOG 6

Lecture (02) Networking Model (TCP/IP) Networking Standard (OSI) (I)

State of Web Application Security. Ralph Durkee Durkee Consulting, Inc. Rochester ISSA & OWASP Chapters rd@rd1.net

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy

Network Configuration Settings

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

April 23, 2015 ACME Company. Security Assessment Report

Docufide Client Installation Guide for Windows

All You Can Eat Realtime

MEASURING WORKLOAD PERFORMANCE IS THE INFRASTRUCTURE A PROBLEM?

Firewall Firewall August, 2003

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Computer Security - Tutorial Sheet 3: Network & Programming Security

BASIC ANALYSIS OF TCP/IP NETWORKS

6WRUP:DWFK. Policies for Dedicated IIS Web Servers Group. V2.1 policy module to restrict ALL network access

DOSarrest Security Services (DSS) Version 4.0

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

Kaseya Server Instal ation User Guide June 6, 2008

White Paper How to Remotely Access Ethernet I/O Over the Internet

Stress Testing and Distributed Denial of Service Testing of Network Infrastructures

Chapter 4 Firewall Protection and Content Filtering

How To Attack A Website With An Asymmetric Attack

Security-Assessment.com White Paper Leveraging XSRF with Apache Web Server Compatibility with older browser feature and Java Applet

Active Defense and Prevention

Revised: 14-Nov-07. Inmarsat Fleet from Stratos MPDS Firewall Service Version 1.0

Risks with web programming technologies. Steve Branigan Lucent Technologies

Protecting the Home Network (Firewall)

PrintFleet Enterprise Security Overview

Transcription:

H...t...t...p...p...o...s...t Wong Onn Chee OWASP Singapore Lead ocwong@usa.net OWASP AppSec DC 2010 11 Nov 2010 Tom Brennan OWASP Foundation tomb@owasp.org Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org

Agenda Introduction to Layer 7 DDOS attacks Different types of Layer 7 DDOS web attacks Analysis of HTTP POST DDOS attack Demo OWASP 2

First, there was Layer 4 DDOS... Past DDOS attacks were mainly Layer 4 (TCP) attacks. OWASP 3

Layer 4 DDOS attacks Reach bandwidth or connection limits of hosts or networking equipment. Fortunately, current anti-ddos solutions are effective in handling Layer 4 DDOS attacks. OWASP 4

Then, there were Layer 7 DDOS attacks Operates at the application protocol level (OSI Layer 7). Eg. HTTP(S), SMTP, FTP and etc. OWASP 5

Effectiveness of Layer 7 DDOS attacks Legitimate TCP or UDP connections. Difficult to differentiate from legitimate users => higher obscurity. Requires lesser number of connections => higher efficiency. Reach resource limits of services. Can deny services regardless of hardware capabilities of host => higher lethality. OWASP 6

Agenda Introduction to Layer 7 DDOS attacks Different types of Layer 7 DDOS web attacks Analysis of HTTP POST DDOS attack Demo OWASP 7

Types of Layer 7 DDOS web attacks Excludes causes related to stupid or inefficient codes. (Yes! You can DOS yourself) We will focus on protocol weaknesses of HTTP or HTTPS. HTTP GET => Michal Zalewski, Adrian Ilarion Ciobanu, RSnake (Slowloris) HTTP POST => Wong Onn Chee OWASP 8

HTTP GET DDOS attack First highlighted by Michal Zalewski and Adrian Ilarion Ciobanu in 2007 http://www.securityfocus.com/archive/1/456339/30/0/threaded Popularized in 2009 by Rsnake with the free tool, Slowloris. Slowloris used time-delayed HTTP headers to hold on to HTTP connections and exhaust web server threads or resources. Can evade Layer 4 DDOS protection systems. More info can be found at http://ha.ckers.org/blog/20090617/slowloris-http-dos/ OWASP 9

1 0 HTTP GET DDOS attack Apache Foundation disagreed this is a bug and had no plans to fix it. To AF, waiting for the HTTP headers to complete sending is a basic and inherent behavior of web servers. Microsoft IIS imposes a timeout for HTTP headers to be sent. Any HTTP connection which exceeds the headers timeout will be closed, hence rendering HTTP GET attacks ineffective against IIS web servers.

Limitations of HTTP GET DDOS attack Does not work on IIS web servers or web servers with timeout limits for HTTP headers. Easily defensible using popular load balancers, such as F5 and Cisco, reverse proxies and certain Apache modules, such as mod_antiloris. Anti-DDOS systems may use delayed binding / TCP Splicing to defend against HTTP GET attacks. OWASP 11

1 2 Agenda Introduction to Layer 7 DDOS attacks Different types of Layer 7 DDOS web attacks Analysis of HTTP POST DDOS attack Demo

1 3 HTTP POST DDOS attack First discovered in Sep 2009 by Wong Onn Chee and his team. Escalated to Microsoft and AF in Q1 2010. Both interpreted this to be a protocol bug. Apache: What you described is a known attribute (read: flaw) of the HTTP protocol over TCP/IP. The Apache HTTP project declines to treat this expected use-case as a vulnerability in the software. MS: While we recognize this is an issue, this issue does not meet our bar for the release of a security update. We will continue to track this issue and the changes I mentioned above for release in a future service pack.

1 4 How HTTP POST DDOS attack works (HTTP/1.0) Uses HTTP POST requests, instead of HTTP GET which is used by Slowloris. A POST request includes a message body in addition to a URL used to specify information for the action being performed. This body can use any encoding, but when webpages send POST requests from an HTML form element the Internet media type is "application/x-www-formurlencoded". (source: Wikipedia - POST (HTTP) )

1 5 How HTTP POST DDOS attack works (HTTP/1.0) (cont'd) The field Content-Length in the HTTP Header tells the web server how large the message body is, for e.g., Content-Length = 1000 The HTTP Header portion is complete and sent in full to the web server, hence bypassing IIS inherent protection.

How HTTP POST DDOS attack works (HTTP/1.0) (cont'd) For e.g., Content-Length = 1000 (bytes) The HTTP message body is properly URLencoded, but......is sent at, again for e.g., 1 byte per 110 seconds. Multiply such connections by 20,000 and your IIS web server will be DDOS. Most web servers can accept up to 2GB worth of content in a single HTTP POST request. OWASP 1 6

Sample code to simulate HTTP POST DDOS attack (HTTP/1.0) private String getrequestheader() { String requestheader = ""; requestheader += param.getmethod() + " " + param.geturl() + " HTTP/1.1\r\n"; requestheader += "Host: " + param.gethost() + "\r\n" + "User-Agent: " + httpuseragent + "\r\n" + "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" + "Accept-Language: en-us,en;q=0.5\r\n" + "Accept-Encoding: gzip,deflate\r\n" + "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" Construction of legitimate headers if (param.getcontentlength() > 0) { requestheader += "Connection: keep-alive\r\n"; requestheader += "Keep-Alive: 900\r\n"; requestheader += "Content-Length: " + param.getcontentlength() + "\r\n"; requestheader += "\r\n"; } return requestheader; } Random values for Content-Length header OWASP 1 7

1 8 Sample code to simulate HTTP POST DDOS attack (HTTP/1.0) Get random data --> public static byte getrandombyte() { int character = gen.nextint(); return (byte) character; } Byte randomness Send random data --> public void sendxheader() throws IOException { StringBuffer header1 = new StringBuffer(); StringBuffer header2 = new StringBuffer(); int lengthofxa = param.getrandomlengthofxa(); int lengthofxb = param.getrandomlengthofxb(); for (int i=0 ; i<lengthofxa ; i++) { header1.append(misc.getrandombyte()); } Time interval randomness

1 9 Sample code to simulate HTTP POST DDOS attack (HTTP/1.0) for (int i=0 ; i<lengthofxb ; i++) { header2.append(misc.getrandombyte()); } socket.getoutputstream().write(("x-" + header1.tostring() + ": " + header2.tostring() + "\r\n").getbytes()); socket.getoutputstream().flush(); } public void sendpostbodyrandombyte() throws IOException { socket.getoutputstream().write(misc.getrandombyte()); socket.getoutputstream().flush(); } Sends the payload

2 0 Why HTTP POST DDOS attack works Being kind folks (like all of you), web servers will obey the Content-Length field to wait for the remaining message body to be sent. By waiting for the complete message body to be sent, web servers can support users with slow or intermittent connections. Hence, any website which has forms, i.e. accepts HTTP POST requests, is susceptible to such attacks. Common uses of HTTP POST requests: login, uploading photo/video, sending webmail / attachments, submitting feedback and etc.

2 1 Why HTTP POST DDOS attack works This attack can evade Layer 4 detection techniques as there is no malformed TCP, just like Slowloris. Unlike Slowloris, there is no delay in sending HTTP Header, hence nullifying IIS built-in defense, making IIS vulnerable too. Size, character sets and time intervals can be randomised to foil any recognition of Layer 7 traffic patterns by DDOS protection systems. Difficult to differentiate from legit connections which are slow.

2 2 Interesting findings IIS 6.0 (W2K3) web server is vulnerable to this attack even when there is no form. Apache, IIS 7 or later require presence of forms for this attack to work. Apache requires lesser number of connections due to mandatory client or thread limit in httpd.conf. Besides its unlimited connections settings, a default IIS configuration will go down with 20,000 HTTP POST DDOS connections, regardless of hardware capabilities. This is due to the rapid fail protection sandbox feature in IIS.

2 3 Interesting findings IIS with 8 cores and 16GB RAM = IIS with 2 cores and 2GB RAM Only 20k HTTP POST connections to DDOS either IIS! In HTTP/1.1 where chunked encoding is supported and there is no Content-Length HTTP header, the lethality is amplified. The web server does not even know up front from the headers how large is the POST request!

2 4 Interesting findings Botnet operators had begun their 3G upgrade to include Layer 7 DDOS techniques. Some may have completed their upgrade to include HTTP POST. We believe Layer 7 attacks may supersede Layer 4 attacks as the modus operandi of DDOS botnets in this new decade.

2 5 Potential countermeasures Apache (experimental) mod_reqtimeout LimitRequestBody directive IIS No reply from Microsoft on the availability of the proposed controls in the latest service pack for IIS.

2 6 Potential countermeasures General Limit the size of the request to each form's requirements. For e.g. a login form with a 20-char username field and a 20-char password field should not accept a 1KB POST message body Identify the 95% or 99% percentile of normal access speed range to your website. Establish a speed floor for the outliers. With the speed floor and maximum allowable body size for each form, establish a request timeout for each form (= Tedious! Good news for infosec folks?)

2 7 Weaknesses of countermeasures Hackers can sense the speed floor and execute attacks just above the speed floor. Most (broadband) home users have uplink speed of at least 256 kbps. But we cannot set speed floors at 256 kbps. Speed floors = not friendly to overseas customers/visitors or local ones using mobile devices. HTTPS will be a challenge for front appliancebased defensive systems.

Future exploits? - WebSockets WebSockets in HTML5 (draft expires February 17, 2011) http://www.whatwg.org/specs/web-socket-protocol/ Conceptually, WebSocket is really just a layer on top of TCP that adds a Web "origin"-based security model for browsers; adds an addressing and subprotocol naming mechanism to support multiple services on one port and multiple host names on one IP address; layers a framing mechanism on top of TCP to get back to the IP packet mechanism that TCP is built on, but without length limits; and reimplements the closing handshake in-band... OWASP 2 8

2 9 Future exploits? - WebSockets 6.3. Data framing The server must run through the following steps to process the bytes sent by the client. If at any point during these steps a read is attempted but fails because the WebSocket connection is closed, then abort. 1. Try to read a byte from the client. Let /frame type/ be that byte. 2. Try to read eight more bytes from the client. Let /frame length/ be the result of interpreting those eight bytes as a big-endian 64 bit unsigned integer. (e.g. 99,999,999). 99,999,999 / 1 byte per 110 secs = 10,999,999,890 secs = 127,315 days = 349 years

3 0 Agenda Introduction to Layer 7 DDOS attacks Different types of Layer 7 DDOS web attacks Analysis of HTTP POST DDOS attack Demo

3 1 Demo Old = you may already know about the components. New = New trend of weaponized online games which are web-based or client-based. Desktop firewalls do not block outgoing Port 80 connections once the process is whitelisted. (Need to be whitelisted, else game will not run) The one we are showing is a simple game using a self-signed Java applet. (good old Java sandbox bypass)

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information