Web targeted DDoS attack: trends, tools and tactics. Christiaan Ehlers, Senior Service Consultant Akamai Technologies. Anonymous Attack on the Home Office 7 th April 2012. DoS motivation. State Sponsored. Traditional Hackers: Glory Hounds. Organized Crime - Profit. - PowerPoint PPT Presentation
Web targeted DDoS attack: trends, tools and tacticsChristiaan Ehlers, Senior Service Consultant Akamai TechnologiesAkamai ConfidentialAkamai Confidential2012 AkamaiFaster ForwardTMAnonymous Attack on the Home Office 7th April 2012
Akamai Confidential2012 AkamaiFaster ForwardTM2DoS motivationOrganized Crime - Profit
Traditional Hackers: Glory Hounds
Akamai Confidential2012 AkamaiFaster ForwardTM3Lets Hold up Somebody for Ransom (actual ransom note)Your site www.#####.de will be subjected to DDoS attacks 100 Gbit/s.
Pay 100 btc(bitcoin) on the account
Do not reply to this email
Akamai Confidential2012 AkamaiFaster ForwardTM4Over 40X Increase in Traffic
Akamai Confidential2012 AkamaiFaster ForwardTMA very brief introductionDoS attacks have moved up the stack, from IP floods, SYN floods and now to application level attacks.Attacks on the Network and Transport layers targeted the OS of the receiving machine.Attack on the application layer penetrates deeper into the infrastructure. Target not only the firewall or proxy, now we can reach the backend database.Development and architecture is focused on securing against more classical hacking attacks, DoS vulnerability gets a back seat.Akamai Confidential2012 AkamaiFaster ForwardTMDoS VulnerabilityIf the target system spends a disproportionately larger amount of resources in its attempt to serve a response when compared with the amount of resources spent by the attacker in serving the request, you potentially have a DoS vulnerability.
Akamai Confidential2012 AkamaiFaster ForwardTMTarget AreasBandwidthInbound (sometimes difficult to exploit, but also difficult to protect)Outbound
Data access and processing (CPU, Memory and disk access)Database searchesFormatting, regular expressions, encoding, etcCryptographic processing
System limitsRegisters, file handles, configured limits, etc (slow attacks)
Algorithmic or architectural inefficiencies
Akamai Confidential2012 AkamaiFaster ForwardTMBrute Force AttacksUsually aimed at bandwidth and data accessing and processing targets.Attempt to interfere with normal operation by consuming resources through the sending large volumes or requests to targets.Traffic could seem like normal browser traffic.The traffic volume required for an effective attack is determined by the capacity and overhead of the target system.
Akamai Confidential2012 AkamaiFaster ForwardTMAlgorithmic or architectural inefficienciesApacheKillerApache prepares an memory space for each requested range in the Range header.If enough ranges are requested, it could exhaust the servers memory
Hash Table collisionHash table collision attack turns the problem of adding elements to a hash table from a O(nlogn) problem to a O(n2) problem.
Exploitation requires abnormal requests, thus fairly easy to identify, block and fix.
Akamai Confidential2012 AkamaiFaster ForwardTMAttack distribution Single origin DoS attackLess resources availablePotentially easier to blockAttacker has no synchronization or management problemsDistributed DoSMore resources availableDifficult to blockAttackers have a synchronization and management problemBot-Net Command and Control centersOpt in networks (Thrall-Net)
Akamai Confidential2012 AkamaiFaster ForwardTMAttack ToolsCommon opt-in attack toolsLOIC Low Orbit Ion CannonHOIC High Orbit Ion Cannon
Slow attack toolSlow LorisRUDY R U Dead YetAkamai Confidential2012 AkamaiFaster ForwardTMLOIC
Java versions that can be browsed to, no need to install software.IRC interface for coordinationEasy interfaceMultithreaded One type of request per sessionNot very configurableEasy to detect
Akamai Confidential2012 AkamaiFaster ForwardTM13HOIC
Easy to use interfaceBooster packs to randomise various HTTP headers and target URLsMulti-threadedRate throttling
Akamai Confidential2012 AkamaiFaster ForwardTMHOIC booster pack Dim useragents() as String Dim referers() as String dim randheaders() as string Dim randURLs() as string# // populate rotating urls# // By Nathos, don't use to many threads or you may nuke yourself.# // IF YOU WANT TO IMPROVE THE ATTACK, ADD URLS BELONGING TO THIS DOMAIN OR RELATED SUBDOMAINS!!! PRO-TIP: You should create anew target and .HOIC file if u want to attack a different organization#randURLs.Append "http://www.formula1.com/default.html"#randURLs.Append "http://www.formula1.com/news/" #randURLs.Append "http://www.formula1.com/races/" #randURLs.Append "http://www.formula1.com/results/"#randURLs.Append "http://www.formula1.com/gallery/"#randURLs.Append "http://www.formula1.com/teams_and_drivers/"#randURLs.Append "http://www.formula1.com/inside_f1/"#randURLs.Append "http://www.formula1.com/live_timing/"#randURLs.Append http://www.formula1.com/video/ // rotate out url# URL = randURLs(RndNumber(0, randURLs.UBound))# // EDIT THE FOLLOWING STRINGS TO MAKE YOUR OWN BOOST UNIQUE AND THEREFORE MORE EVASIVE!## useragents.Append "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:126.96.36.199) Gecko/20070725 Firefox/188.8.131.52"# useragents.Append "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"# useragents.Append "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"# useragents.Append "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)Booster pack features:randURLs.Append Attack random URLsuseragents.Append Randomly selected User-Agentsreferers.Append Randomly selected Referer headersrandheaders.Append Randomly select header to append
Makes it harder to separate attack traffic from legitimate traffic.Can be easily distributed since it is just an text file. Usually posted on http://pastebin.comCan be customised for a particular targetAkamai Confidential2012 AkamaiFaster ForwardTMSlow AttacksTie up web server resources by sending requests very slowly
Examples:Slow LorisR U Dead Yet (RUDY)Trickle feed of characters to the web server ensures that a connection is occupied for as long as possible.Is this an attack or just a client on dial-up?Apache web server has a default of 256 concurrent connections.Akamai Confidential2012 AkamaiFaster ForwardTMHardening against DoS tactic 1Avoid resource intensive processingOptimize processing and data retrieval processes.Caching processing and data retrieval operations.Cache the results of resource intensive processing. DB -> Disk -> Memory.Use reverse web caches
Akamai Confidential2012 AkamaiFaster ForwardTMAdditional Mitigation (is hardening enough)Mitigation devices such as scrubbers or WAF devicesHow do we separate the good from the bad?SignaturesRate limitingAnomaly detectionWhere does the mitigation go?At the originIn the cloudWhich layer should be inspected to sort the good from the bad?Transport (socket) and Network layerApplication layer What about SSL?
Akamai Confidential2012 AkamaiFaster ForwardTMQuestions?Akamai Confidential2012 AkamaiFaster ForwardTM