super effective denial of service attacks


Upload: jan-seidl

Post on 18-May-2015


DESCRIPTION

Talk given on October 16th at Latinoware 2013, Foz do Iguaçu, Brazil. The talk gave an introduction to denial-of-service attacks, going through attacks from layer 3 to layer 7, introduced the concept of using load-balancing software for attacks from multiple IPs (the Jericho Attack), introduced the GoldenEye tool written in Python and for Android (Java), and closed with a brief introduction to mitigating layer 7 denial-of-service attacks on the most popular web servers. Presentation video (pt_BR) @ FISL 2014: https://www.youtube.com/watch?v=ozk0HiMjVNY

TRANSCRIPT

1. super effective denial of service attacks
   Jan Seidl

2. $ whoami
   Full Name: Jan Seidl
   Origin: Rio de Janeiro, RJ, Brazil
   Work: Technical Coordinator @ TI Safe
   OpenSource contributor for: PEV, Logstash
   Codes and snippets @ github.com/jseidl
   Features: UNIX Evangelist/Addict/Freak (but no fanboy!), Python and C lover, Coffee dependent, Hates printers and social networks, Proud DC Labs Member
   Super Effective Denial-of-Service Attacks. SEIDL, Jan. Latinoware/2013, Foz do Iguaçu, Brazil (slide footer, repeated on every slide)

3. agenda
   0x0 Introduction to Denial-of-Service
   0x1 Background: Layer 3 attacks
   0x2 Attacking Layer 7: Fundamentals
   0x3 Attacking Layer 7: Vectors & Tools
   0x4 WebServer DoS Mitigation 101
   0x5 Proxies (SOCKS/TOR) and Layer 7 attacks
   0x6 Jericho Attack Technique: Load-balancing attacks
   0x7 XSS D/DoS
   0x8 Size doesn't matter: Mobile-launched Denial-of-Service
   0x9 Demo/Video: GoldenEye MdoS Android Tool
   0xA Questions?

4. Introduction to Denial-of-Service: What is denial of service?

5. Introduction to Denial-of-Service: What is denial of service?
   "A denial-of-service attack (...), is an attempt to make a machine or network resource unavailable to its intended users." Source: Wikipedia/en_US

6. Introduction to Denial-of-Service

7-8. Introduction to Denial-of-Service: Result?

9. Introduction to Denial-of-Service

10. Introduction to Denial-of-Service: Symptoms
   - Oddly low performance
   - Unavailability of a given resource
   - Unavailability of all resources

11. Introduction to Denial-of-Service: Recent Cases

12. Introduction to Denial-of-Service
   http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/index.html

13. Introduction to Denial-of-Service

14. Introduction to Denial-of-Service
   http://www.datacenterknowledge.com/archives/2009/08/06/twitter-is-latest-victim-in-series-of-attacks/

15. Introduction to Denial-of-Service
   http://nakedsecurity.sophos.com/2012/04/07/anonymous-attacks-home-office/

16. Introduction to Denial-of-Service
   http://usatoday30.usatoday.com/tech/news/story/2012-07-19/hactivism-anonymous-attacks/56464792/1

17. Introduction to Denial-of-Service
   http://olhardigital.uol.com.br/negocios/digital_news/noticias/ataques-ddos-cresceram-70-em-2012,-dizpesquisa

18. Introduction to Denial-of-Service: Targets (OSI layer)
   - Network (Layer 3): bandwidth consumption
   - Application (Layer 7): application or operating system resource consumption

19. Introduction to Denial-of-Service: Network (Layer 3): bandwidth consumption

20. Background: Layer 3 attacks. Popular Attacks: Ping Flood
   "(...) is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP Echo Request (ping) packets (...) The attacker hopes that the victim will respond with ICMP Echo Reply packets, thus consuming both outgoing bandwidth as well as incoming bandwidth." Source: Wikipedia/en_US

21-23. Background: Layer 3 attacks. Popular Attacks: Smurf Attack

24-25. Background: Layer 3 attacks. Popular Attacks: SYN Flood

26. Background: Layer 3 attacks. Popular Attacks: Teardrop Attack
   "When the sum of the offset and size of one fragmented packet differ from that of the next fragmented packet, the packets overlap, and the server attempting to reassemble the packet can crash, especially if it is running an older operating system that has this vulnerability."
   http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfigsecurity/understanding-teardrop-attacks.html

27-30. Background: Layer 3 attacks. Popular Attacks: Teardrop Attack

31. Attacking Layer 7: Fundamentals. Application (Layer 7): application or operating system resource consumption

32. Attacking Layer 7: Fundamentals. Focus
   - Layer 3: exhaust bandwidth
   - Layer 7: exhaust application or operating system key resources

33. Attacking Layer 7: Fundamentals. Stealthiness
   - Layer 3: high network noise (noisy attack)
   - Layer 7: low network noise, might emulate legit requests

34. Attacking Layer 7: Fundamentals. Efficiency
   - Layer 3: requires lots of participants for a significant outage. May be blocked by sparring
   - Layer 7: sometimes only one machine can cause damage. Difficult to block

35. Attacking Layer 7: Fundamentals. Mitigation (Layer 3 / Layer 7)
   Large link, connection limiting, rate-limiting, sparring?

36. Attacking Layer 7: Fundamentals. Layer 7 attack targets
   - Intense CPU, disk I/O & swapping operations, long/slow/complex queries
   - Finite application resources: maximum sockets limits, maximum memory limits, disk space etc.

37. Attacking Layer 7: Vectors & Tools

38. Attacking Layer 7: Vectors & Tools. Intense CPU usage: SSL Renegotiation / SSL Handshake Attack
   - 15% more processing power needed on the server than on the client to establish the handshake
   - In the wild since 2003. Still affects most implementations
   - Found by the THC group (www.thc.org) in 2011

39. Attacking Layer 7: Vectors & Tools. Intense CPU usage: SSL Renegotiation / SSL Handshake Attack
   Tool: THC-SSL-DOS, or:

       thc-ssl-dosit() { while :; do (while :; do echo R; done) | openssl s_client -connect 127.0.0.1:443 2>/dev/null; done }
       for x in `seq 1 100`; do thc-ssl-dosit & done

40. Attacking Layer 7: Vectors & Tools. Intense CPU usage: SSL Renegotiation / SSL Handshake Attack
   Affects any TLS/SSL secured protocol: HTTPS, SMTPS, POP3S, database secure ports etc.
   Mitigation?
   - Turning off SSL renegotiation might help, but does not solve it
   - SSL accelerators might help, but also don't 100% solve it
   - IPTables mitigation: http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html

41. Attacking Layer 7: Vectors & Tools. Intense CPU usage: Apache Range Header Attack
   - Parallel requests of small GZIP'ed content parts
   - Forces the webserver to perform several parallel compression operations = high load
   - Discovered in 2011 (CVE-2011-3192)

42. Attacking Layer 7: Vectors & Tools. Intense CPU usage: Apache Range Header Attack
   Tools: killapache.pl <http://seclists.org/fulldisclosure/2011/Aug/175>, slowhttptest

43. Attacking Layer 7: Vectors & Tools. Intense CPU usage: Apache Range Header Attack
   Mitigation:
   - SetEnvIf or mod_rewrite (ref: http://httpd.apache.org/security/CVE-2011-3192.txt)
   - Use a WAF (Web Application Firewall)
   - Update Apache to version 2.2.21 or greater

44. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP Slow Attacks
   Slow Headers, Slow Post, Slow Read: read or send data in small chunks, with an interval between reads / writes. Waiting for the full request is part of the web server's nature.

45. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP Slow Attacks
   - Slow Headers: send request headers 'slowly'
   - Slow Post: send request post body (post data) 'slowly'
   - Slow Read: small TCP window size to force slow response reading

46. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP Slow Attacks
   Slow Headers: send request headers 'slowly'

       GET / HTTP/1.1\r\n
       /* sleep(1) */
       Connection: keep-alive\r\n
       /* sleep(1) */
       ...

47. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP Slow Attacks
   Slow Post: send request post body (post data) 'slowly'

       Content-Type: application/x-www-form-urlencoded
       Content-Length: 512
       Accept: text/html;q=0.9,text/plain;q=0.8

       foo=bar /* sleep(1) */
       bar=baz /* sleep(1) */
       baz=foo /* sleep(1) */
       ...

48. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP Slow Attacks
   Slow Read: small TCP window size to force slow response reading

       /* pseudocode */
       int len = 1;
       while (data = read(sock, buffer, len)) { sleep(5); }

49. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP Slow Attacks
   Tools:
   - Slow Headers: Slowloris, slowhttptest, OWASP HTTP Post Tool
   - Slow Post: RUDY, slowhttptest, OWASP HTTP Post Tool
   - Slow Read: slowhttptest

50. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP Slow Attacks. Mitigation:
   - Slow Headers: request timeout (Apache's mod_reqtimeout), WAF
   - Slow Post: request timeout, WAF
   - Slow Read: disable pipelining and oddly slow window sizes, limit maximum request time, WAF
   Good article on slow attack mitigation: https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
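The request read timeout that slide 50 recommends against slow-header attacks can be seen in miniature below. This is an added example, not code from the talk: a toy asyncio HTTP listener gives each connection a fixed budget (HEADER_TIMEOUT, an assumed value) to finish its header block, answers 408 and frees the slot when the budget is exceeded, and is then exercised by one client that dribbles headers and one that sends them at once. The request lines and port handling are constructed for the demo.

```python
import asyncio

HEADER_TIMEOUT = 1.0   # seconds a client gets to finish its header block (assumed value)

# A minimal request, constructed for the demo; the blank line ends the headers.
REQUEST_LINES = [
    b"GET / HTTP/1.1\r\n",
    b"Host: example.test\r\n",
    b"Connection: keep-alive\r\n",
    b"\r\n",
]


async def handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Server side: wait for the end of the header block, but only HEADER_TIMEOUT
    seconds in total. A client that dribbles headers gets 408 and loses the slot
    instead of holding it for as long as it likes."""
    try:
        try:
            await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), timeout=HEADER_TIMEOUT)
        except asyncio.TimeoutError:
            writer.write(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
        except asyncio.IncompleteReadError:
            return                      # client went away first; nothing to answer
        else:
            writer.write(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
        await writer.drain()
    except (ConnectionError, OSError):
        pass                            # peer reset the connection; slot is freed anyway
    finally:
        writer.close()


async def send_with_gaps(port: int, delay: float) -> str:
    """Client side: send REQUEST_LINES with `delay` seconds between lines (the
    'slow headers' pattern when delay > 0) and return the server's status line."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    reply = asyncio.create_task(reader.readline())   # listen while still sending
    try:
        for line in REQUEST_LINES:
            writer.write(line)
            await writer.drain()
            await asyncio.sleep(delay)
    except (ConnectionError, OSError):
        pass                            # server already dropped us mid-request
    status = (await reply).decode(errors="replace").strip()
    writer.close()
    try:
        await writer.wait_closed()
    except (ConnectionError, OSError):
        pass
    return status


async def _run() -> dict:
    server = await asyncio.start_server(handle, "127.0.0.1", 0)   # ephemeral port
    port = server.sockets[0].getsockname()[1]
    try:
        return {
            "slow": await send_with_gaps(port, delay=0.7),   # three 0.7s gaps exceed the 1.0s budget
            "normal": await send_with_gaps(port, delay=0.0),
        }
    finally:
        server.close()


def simulate() -> dict:
    """Run a slow and a well-behaved client against the toy server; returns
    {'slow': status_line, 'normal': status_line}."""
    return asyncio.run(_run())


if __name__ == "__main__":
    for client, status in simulate().items():
        print(f"{client:7s} -> {status}")
```

Apache expresses the same budget with the mod_reqtimeout directive listed on slide 58, for example RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500, which also covers the slow-POST case by demanding a minimum body rate.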
51. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP KeepAlive + NoCache
   Keep connections open and force cache regeneration.
   First POC: HULK (HTTP Unbearable Load King), created in May 2012 by Barry Shteiman.

52. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP KeepAlive + NoCache: HULK
   - Highly effective against IIS, Apache & reverse proxies
   - Caveat: Python's urllib2 always sends headers in the same order
   - Spiderlabs: modsecurity rule to mitigate urllib attacks (HULK) (http://blog.spiderlabs.com/2012/05/hulk-vs-thor-applicationdos-smackdown.html)

53. Attacking Layer 7: Vectors & Tools. Randomization FTW!

54. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP KeepAlive + NoCache + Randomness: GoldenEye
   - Author: Me! :)
   - Initially born as a HULK fork due to its fingerprinting weakness
   - Transformed further into a new independent HTTP DoS tool
   - Born to test WAF blocking abilities under random and semi-natural payloads
   - Available at https://github.com/jseidl/GoldenEye

55. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP KeepAlive + NoCache + Randomness: GoldenEye
   Main features:
   - GET, POST or random HTTP methods
   - Random headers quantity
   - Random headers content with legit values as per RFC
   - Better random block function to avoid fingerprinting
   (footer on this slide: Super Effective Denial-of-Service Attacks. SEIDL, Jan. Hackers to Hackers Conference 2012, São Paulo, Brazil)

56. Attacking Layer 7: Vectors & Tools. Mitigation
   - Granular page permissions: filter POST where not needed; filter querystring parameters where not needed
   - ProxyCache: use caching proxies (ex: Varnish) and disable cache reload
   - KeepAlive & TimeOuts: tune KeepAlive, TimeOut & KeepAliveTimeOut (Apache) and the equivalent in other webservers

57. WebServer DoS Mitigation 101

58. WebServer DoS Mitigation 101: Apache
   LimitRequestFields, LimitRequestFieldSize, LimitRequestBody, LimitRequestLine, LimitXMLRequestBody, TimeOut, KeepAliveTimeOut, ListenBackLog, MaxRequestWorkers [core]
   RequestReadTimeout [mod_reqtimeout]
   Source: https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
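Slide 56's ProxyCache advice (cache in front of the origin, and disable cache reload) is the direct answer to the KeepAlive + NoCache technique of slides 51-55, where every request carries a random query string and a client-side no-cache header so the origin re-renders each time. As an added example, not code from the talk or the GoldenEye project, the toy caching proxy below compares a naive cache with a hardened one that (1) builds its key only from an allow-listed set of query parameters per path (ALLOWED_PARAMS, an assumed policy) and (2) ignores the client's Cache-Control/Pragma: no-cache. The flood traffic is constructed; header names are assumed to be lowercased by the front end.

```python
import random
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed per-path allow-list: any other query parameter is dropped from the key.
ALLOWED_PARAMS = {"/index.php": {"page", "lang"}}


def cache_key(method: str, url: str) -> tuple:
    """Normalised key: method, path and the sorted allow-listed parameters only,
    so random junk parameters collapse onto the same cached object."""
    parts = urlsplit(url)
    allowed = ALLOWED_PARAMS.get(parts.path, set())
    kept = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if k in allowed)
    return (method.upper(), parts.path, urlencode(kept))


def client_forces_reload(headers: dict) -> bool:
    """True when the client asks the cache to bypass itself (HULK/GoldenEye style)."""
    return ("no-cache" in headers.get("cache-control", "").lower()
            or "no-cache" in headers.get("pragma", "").lower())


class CachingProxy:
    """Toy cache that counts how often the origin has to render a page."""

    def __init__(self, honour_client_reload: bool, normalise_query: bool):
        self.honour_client_reload = honour_client_reload   # naive: True, hardened: False
        self.normalise_query = normalise_query             # naive: False, hardened: True
        self.store = {}
        self.origin_hits = 0

    def handle(self, method: str, url: str, headers: dict) -> str:
        if method.upper() != "GET":
            self.origin_hits += 1        # state-changing methods are never served from cache
            return "origin"
        key = cache_key(method, url) if self.normalise_query else (method.upper(), url)
        if key in self.store and not (self.honour_client_reload and client_forces_reload(headers)):
            return "cache"
        self.origin_hits += 1            # miss, or client-forced reload: origin renders again
        self.store[key] = True
        return "origin"


def flood(n: int, seed: int = 1) -> list:
    """Constructed cache-busting traffic: same page, a random extra query
    parameter per request, and client no-cache headers on every request."""
    rng = random.Random(seed)
    requests = []
    for _ in range(n):
        junk = f"{rng.randrange(10**6)}={rng.randrange(10**6)}"
        url = f"http://example.test/index.php?page=home&{junk}"
        requests.append(("GET", url, {"cache-control": "no-cache", "pragma": "no-cache"}))
    return requests


def compare(n: int = 200) -> dict:
    """Origin hits taken by the naive proxy vs the hardened one on the same flood."""
    results = {}
    for name, proxy in (("naive", CachingProxy(honour_client_reload=True, normalise_query=False)),
                        ("hardened", CachingProxy(honour_client_reload=False, normalise_query=True))):
        for method, url, headers in flood(n):
            proxy.handle(method, url, headers)
        results[name] = proxy.origin_hits
    return results


if __name__ == "__main__":
    print(compare())   # naive: one origin render per request; hardened: a single render
```

In Varnish the same two steps are done in vcl_recv by rewriting req.url to the normalised form and unsetting the client's Cache-Control and Pragma headers before the cache lookup.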
59. WebServer DoS Mitigation 101: Nginx
   client_max_body_size, client_body_buffer_size, client_header_buffer_size, large_client_header_buffers, client_body_timeout, client_header_timeout [core]
   Modules: HttpLimitReqModule, HttpLimitZoneModule
   Source: https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks

60. WebServer DoS Mitigation 101: IIS 6 & 7
   - IIS 6: connectionTimeout, HeaderWaitTimeout, MaxConnections
   - IIS 7: maxAllowedContentLength, maxQueryString, maxUrl / connectionTimeout, headerWaitTimeout, minBytesPerSecond
   Source: https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks

61. WebServer DoS Mitigation 101: USE A WEB APPLICATION FIREWALL (WAF)
   - ModSecurity (Apache / Nginx): http://www.modsecurity.org/
   - NAXSI (Nginx): http://code.google.com/p/naxsi/

62. Proxies and Layer 7 attacks

63. Proxies and Layer 7 attacks
   - Layer 3: bad to attack through proxies, as they usually have low bandwidth and you might get banned from them
   - Layer 7: requires low bandwidth; low network noise; not degraded by low output

64. Proxies and Layer 7 attacks: Why use proxies in HTTP attacks?
   Simple answer:
   - Geographic location at your will
   - Different source IPs
   - Can provide high anonymity
   - Largely available on the internet

65. Proxies and Layer 7 attacks: Attack pivoting by proxies
   Tool: socat, Multipurpose Relay, http://www.dest-unreach.org/socat/
   Also with SSL support: HTTPS, IMAPS, POPS, LDAPS

66. Proxies and Layer 7 attacks: Attack pivoting by proxies: Regular proxies

       # socat TCP4-LISTEN:80 PROXY:::80,proxyport=
       # echo 127.0.0.1 >> /etc/hosts
       # ./goldeneye.py http:///index.php -t 1000 -m get

67. Proxies and Layer 7 attacks: Attack pivoting by proxies: TOR

       # socat TCP4-LISTEN:80,fork SOCKS4A:localhost::80,socksport=9052
       # echo 127.0.0.1 >> /etc/hosts
       # ./goldeneye.py http:///index.php -t 1000 -m get

68. Proxies and Layer 7 attacks: Bonus: Multi-TOR
   The TOR client supports spawning as many instances and opening as many circuits as necessary.
   tor configuration:

       RunAsDaemon 1
       CookieAuthentication 0
       HashedControlPassword "pwd"
       ControlPort 4444
       PidFile torN.pid
       SocksPort 5090
       DataDirectory data/torN

   Tool: Multi-TOR, https://github.com/jseidl/Multi-TOR/
   Ex: ./multi-tor.sh 5 # Opens 5 TOR instances

69. Proxies and Layer 7 attacks: Mitigating TOR with TORBlock
   Blocking TOR-sourced access. TORBlock: IPTables-based blocking.
   Tool: https://github.com/jseidl/torblock

70. Load Balancing Attacks: Meet Jericho

71. Load Balancing Attacks. Starring: HAProxy, The Reliable, High Performance TCP/HTTP Load Balancer
   REQUEST -> HAPROXY -> { SERVER A, SERVER B, SERVER C }

72. Load Balancing Attacks: 'Load-balanced' attacks anatomy
   Attacker:
   1. Open lots of socat tunnels to the victim, each one from a different proxy (regular, TOR or both)
   2. Put the local port addresses (the socat'ed ones) on HAProxy
   3. Place the victim's domain on /etc/hosts
   4. Attack normally from your favorite tool

73. Load Balancing Attacks: 'Load-balanced' attacks anatomy

       listen ddos 0.0.0.0:80
           mode tcp
           balance roundrobin
           server inst1 localhost:8080
           server inst2 localhost:8081
           server inst3 localhost:8082
           server inst4 localhost:8083

74. Load Balancing Attacks: 'Load-balanced' attacks anatomy

75. Load Balancing Attacks: 'Load-balanced' attacks anatomy
   Attacker -> HAProxy -> Proxy 1, Proxy 2, Proxy 3, Proxy 4, Proxy 5, Proxy 6, Proxy 7 -> Victim

76. Load Balancing Attacks: 'Load-balanced' attacks anatomy

77. Load Balancing Attacks: Dangers of 'load-balanced' attacks?
   - Bypass connection-limiting
   - DoS becomes DDoS
   - Multiple origin IPs
   - Origins can be from multiple countries

78. Load Balancing Attacks: Dangers of 'load-balanced' attacks?

79. Load Balancing Attacks: More about the Jericho Attack Technique
   http://www.slideshare.net/jseidl/slides-the-jerichoattackperspective

80. XSS D/DoS: What if an XSS flaw could turn your visitors into D/DoS clients?

81. Mobile-launched Denial-of-Service. PoC Tool: GoldenEye Mobile

82. Mobile-launched Denial-of-Service: Objective
   - Test if mobile devices alone could conduct a successful DoS attack.
   - Test if equipment and configurations are able to deter DoS attacks from mobile platforms.

83. Mobile-launched Denial-of-Service: Android: Limitations
   - Max 128 threads (Android 2.1)
   - Maximum number of concurrent sockets per thread: 30 (>30: too many open files)
   - Can we get better results if the device is 'rooted' (sysctl)?

84. Mobile-launched Denial-of-Service: Firepower
   5 min test on an Apache webserver, default configuration, in a Debian 6 virtual machine, also with default configuration.
   CPU Usage: u5.85 s4.52 cu0 cs0, 2.37% CPU load. Low CPU fingerprint. Server overloaded (a.k.a. down).
   https://github.com/jseidl/GoldenEye-Mobile

85. Mobile-launched Denial-of-Service: GoldenEye Mobile: Mitigation
   GoldenEye Mobile uses the HEAD method for maximum speed. Easily blocked (module: mod_rewrite):

       RewriteEngine on
       RewriteCond %{THE_REQUEST} !^(GET|POST) /.* HTTP/1.1$
       RewriteRule .* - [F]

   mod_security:

       SecFilterSelective REQUEST_METHOD "!^(GET|POST)$" "deny,auditlog,status:405"

86. Demo: DoS Fun. GoldenEye Mobile DoS Android Tool Demo! http://bit.ly/GoldenEyeMDOS

87. Questions?

88. Thanks! To Peace!

89. Thanks! Thanks for your time!
   [email protected] / http://wroot.org
   https://github.com/jseidl
   http://www.slideshare.net/jseidl
   @jseidl