A Cyberwarfare Weapon: Slowreq


by Maurizio Aiello

CNR - Istituto di Elettronica e di Ingegneria dell’Informazione e delle Telecomunicazioni


Published in: Technology


  • 1. A Cyberwarfare Weapon: SlowReq. Maurizio Aiello, Consiglio Nazionale delle Ricerche, Istituto di Elettronica e di Ingegneria dell’Informazione e delle Telecomunicazioni, via De Marini, 6, 16149 – Genova, Italy. Genoa, Cpexpo meeting, Italy, 30 October 2013
  • 2. Cyberwarfare: “Politically motivated hacking to conduct military operations, such as sabotage or espionage, against an informative system owned by the adversary”
      ◦ Governments vs. Governments: Titan Rain, Moonlight Maze
      ◦ Groups vs. Governments: Hacktivistic Groups Operations (Anonymous, LulzSec)
  • 3. Attack Technologies
      ◦ INTRUSIONS & MALWARE: SQL INJECTION, BUFFER OVERFLOW, TROJAN HORSES, BACKDOOR
      ◦ DENIAL OF SERVICE (DoS): “An attempt to make a machine or network resource unavailable to its intended users”
      ◦ DISTRIBUTED DENIAL OF SERVICE (DDoS): Amplification of the attack resources through the enrollment of (willing or not) botnet agents
  • 4. Denial of Service Attacks
      ◦ Attacks to the system: ZIP Bomb, Fork Bomb
      ◦ Attacks to the network:
          ▪ Multipliers: DNS, Smurf attack, etc.
          ▪ Volumetric: flooding DoS attacks
          ▪ Application Layer: Slow DoS Attacks
  • 5. “Old Style” Flooding DoS Attacks
      ◦ Large bandwidth usage
      ◦ SYN flood, UDP flood, ICMP flood, …
      ◦ Flooding based attacks: LEVEL-4 Denial of Service
  • 6. The ISO/OSI Model
      ◦ Layers: Application, Presentation, Session, Transport, Network, Data Link, Physical
      ◦ Labels placed against the layer stack: Slow DoS Attacks, Flooding DoS Attacks
  • 7. Hacktivist Groups: Anonymous and LulzSec
  • 8. Hacktivist Groups (Anonymous, LulzSec). [Figure: timeline 2008–2012. 2008: Project Chanology; 2009: Iranian election protests; 2010: Operation Payback; 2011; 2012. Other labels on the timeline: Visa, Mastercard, Paypal; Operation Payback; Operation Sony; Interpol; Vatican]
  • 9. Slow DoS Attack (SDA) “An attack which exhausts the resources of a victim using low bandwidth”
  • 10. SDAs’ Strategy
      ◦ They move the victim to the saturation state
      ◦ Low bandwidth rate:
          ▪ Attack resources are minimized
          ▪ It’s easier to bypass security systems
      ◦ ON-OFF Nature
      ◦ Almost all the packets contribute to the success of the attack
  • 11. Slow DoS Attacks, An Example: Slowloris
      ◦ A script written in Perl programming language
      ◦ Used during the protests against Iranian presidential elections in 2009
      ◦ It sends a lot of endless requests with the pattern:
            GET / HTTP/1.1\r\n
            Host: www.example.com\r\n
            User-Agent: Mozilla/4.0 [...]\r\n
            Content-Length: 42\r\n
            X-a: b\r\n
            X-a: b\r\n
            X-a: b\r\n
            X-a: b\r\n
      ◦ Source:
  • 12. Making Order Into the Slow DoS Field. [Figure: taxonomy tree of Slow DoS Attacks. Category labels: CPU/Memory/Disk, Network, Client, Timeout, Server, Request, Response, Server Behavior Alteration, Resources Occupation, Planning Attacks, Other, Unknown, plus labels for delayed, slow and pending requests and responses. Attack names placed in the tree: Slowloris, Quiet Attack, Shrew, Induced Shrew, ReDoS, Apache Range Header, R-U-Dead-Yet, HashDoS, THC-SSL-DOS, LoRDAS]
  • 13. SlowReq Attack
      ◦ It opens a large amount of endless connections with the victim
      ◦ It slowly sends data to the victim, through a specific timeout, preventing a server-side connection closure
      ◦ SLOWLORIS:
            GET / HTTP/1.1\r\n
            Host: www.example.com\r\n
            User-Agent: Mozilla/4.0 [...]\r\n
            Content-Length: 42\r\n
            X-a: b\r\n
            X-a: b\r\n
            X-a: b\r\n
            X-a: b\r\n
      ◦ SLOWREQ:
            [space]
            [space]
            [space]
            [space]
            [space]
  • 14. SlowReq Attack
      ◦ No \r\n implies no parsing (stealthy and difficult to prevent)
      ◦ Very limited bandwidth
      ◦ Limited CPU and RAM requirements
      ◦ Tunable parameters (number of connections, wait timeout, time between characters, etc.)
  • 15. Protocol Independence
      ◦ Attacks like Slowloris are bound to a specific protocol (HTTP in this case)
      ◦ SlowReq is able to naturally affect multiple protocols
          ▪ Packet payload is a sequence of white spaces
          ▪ Tested against FTP, SMTP, SSH servers
          ▪ Bound to TCP based protocols
  • 16. Performance Results DoS state reached after a few seconds
  • 17. Signature Based Countermeasures: Apache Web Server software modules
      ◦ mod-security module limits the number of simultaneous connections established from the same IP address
      ◦ reqtimeout module applies temporal limits to the received requests, avoiding the acceptance of long requests
  • 18. Performance Results – mod-security: A non-distributed attack is successfully mitigated
  • 19. Performance Results – reqtimeout: Unlike Slowloris, SlowReq is not mitigated
  • 20. Statistical Based Countermeasures. Quantities marked on the figure, in order: $t_{start\_request}$, $\Delta_{request}$, $t_{end\_request}$, $\Delta_{delay}$, $t_{start\_response}$, $\Delta_{response}$, $t_{end\_response}$, $\Delta_{next}$
  • 21. Statistical Signature Based SDAs Detection
  • 22. Statistical Signature Based SDAs Detection: Comparison with standard traffic conditions
      $n(y) = \int_{-\infty}^{\infty} \left( f(x) - g(x + y) \right)^2 \, dx$
      MINIMUM VALUE (NCV): $NCV = \min(n(y))$
  • 23. Statistical Signature Based SDAs Detection: Real traffic distribution ($\Delta_{delay}$ example)
  • 24. Statistical Signature Based SDAs Detection. Protocol:
      ◦ n representations of standard traffic
      ◦ m comparisons extracting m different NCV values
      ◦ Retrieval of μ and σ values from NCV
      ◦ Baseline: μ + 3σ
      ◦ Comparison of anomalous traffic with f (average) standard distributions
      ◦ NCV value retrieval for analyzed traffic and result
  • 25. Conclusions and Future Work
      ◦ Extensions of the algorithm are possible: we are releasing a framework for SDAs detection
      ◦ Due to its requirements, we are working on a mobile deployment of SlowReq
      ◦ Deployment of a (mobile and) distributed attack
  • 26. Acknowledgements: Enrico Cambiaso, Gianluca Papaleo, Silvia Scaglione
  • 27. The End Thanks!!
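
The detection procedure on slides 22 to 24, as an added Python example that is not part of the original deck or the authors' framework. It assumes a discrete histogram of Δdelay (20 bins of 0.1 s), takes the m comparisons to be pairwise comparisons of the n standard captures, and runs on constructed data rather than measured traffic.

```python
import itertools
import random
import statistics

BINS, WIDTH = 20, 0.1  # assumed resolution: 20 bins of 0.1 s over Δdelay

def histogram(samples):
    """Normalised distribution of Δdelay samples (f or g on slide 22)."""
    counts = [0] * BINS
    for s in samples:
        counts[min(max(int(s / WIDTH), 0), BINS - 1)] += 1
    return [c / len(samples) for c in counts]

def ncv(f, g):
    """Discrete form of slide 22: NCV = min_y sum_x (f(x) - g(x + y))^2."""
    def g_at(i):  # g is taken as zero outside the observed range
        return g[i] if 0 <= i < BINS else 0.0
    return min(sum((f[x] - g_at(x + y)) ** 2 for x in range(BINS))
               for y in range(-BINS + 1, BINS))

def build_baseline(standard):
    """Slide 24: m pairwise comparisons of the n standard captures give
    mu and sigma; returns the average distribution f and mu + 3*sigma."""
    values = [ncv(a, b) for a, b in itertools.combinations(standard, 2)]
    baseline = statistics.mean(values) + 3 * statistics.pstdev(values)
    f = [sum(col) / len(standard) for col in zip(*standard)]
    return f, baseline

def is_anomalous(f, baseline, samples):
    return ncv(f, histogram(samples)) > baseline

def demo(seed=7):
    rng = random.Random(seed)  # constructed data, not measurements
    def normal(k):             # constructed "standard" Δdelay values
        return [rng.gauss(0.35, 0.05) for _ in range(k)]
    standard = [histogram(normal(500)) for _ in range(8)]  # n = 8, m = 28
    f, baseline = build_baseline(standard)
    spread = [rng.uniform(0.0, 2.0) for _ in range(3000)]  # constructed anomaly
    return is_anomalous(f, baseline, normal(3000)), is_anomalous(f, baseline, spread)

if __name__ == "__main__":
    print(demo())
```

Because NCV is minimised over the shift y, a capture whose distribution is only translated along the time axis still scores near zero; the shape of the distribution has to differ for the baseline to be exceeded.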