A Cyberwarfare Weapon: Slowreq
A Cyberwarfare Weapon: Slowreq

by Maurizio Aiello

CNR - Istituto di Elettronica e di Ingegneria dell'Informazione e delle Telecomunicazioni

mail: maurizio.aiello@ieiit.cnr.it

Presentation Transcript

  • A Cyberwarfare Weapon: SlowReq
    Maurizio Aiello, maurizio.aiello@ieiit.cnr.it
    Consiglio Nazionale delle Ricerche, Istituto di Elettronica e di Ingegneria dell'Informazione e delle Telecomunicazioni, via De Marini, 6, 16149 Genova, Italy
    Cpexpo meeting, Genoa, Italy, 30 October 2013
  • Cyberwarfare
    "Politically motivated hacking to conduct military operations, such as sabotage or espionage, against an information system owned by the adversary"
    ¤ Governments vs. Governments: Titan Rain, Moonlight Maze
    ¤ Groups vs. Governments: hacktivist group operations (Anonymous, LulzSec)
  • Attack Technologies
    ¤ Intrusions & malware (figure: word cloud including SQL injection, buffer overflow, backdoors, trojan horses)
    ¤ Denial of Service (DoS): "An attempt to make a machine or network resource unavailable to its intended users"
    ¤ Distributed Denial of Service (DDoS): amplification of the attack resources through the enrollment of (willing or not) botnet agents
  • Denial of Service Attacks
    ¤ Attacks to the system: ZIP bomb, fork bomb
    ¤ Attacks to the network
      ¤ Multipliers: DNS, Smurf attack, etc.
      ¤ Volumetric: flooding DoS attacks
      ¤ Application layer: Slow DoS Attacks
  • "Old Style" Flooding DoS Attacks
    ¤ Large bandwidth usage
    ¤ SYN flood, UDP flood, ICMP flood, ...
    Flooding-based attacks: level-4 Denial of Service
  • The ISO/OSI Model (figure)
    Layers: Application, Presentation, Session, Transport, Network, Data Link, Physical. Slow DoS attacks are placed at the application layer, flooding DoS attacks at the lower layers.
  • Hacktivist Groups: Anonymous and LulzSec
  • Hacktivist Groups (timeline figure: Anonymous and LulzSec)
    ¤ 2008: Project Chanology
    ¤ 2009: Iranian election protests
    ¤ 2010: Operation Payback (Visa, Mastercard, PayPal)
    ¤ 2011: Operation Sony
    ¤ 2012: Interpol, Vatican
  • Slow DoS Attack (SDA)
    "An attack which exhausts the resources of a victim using low bandwidth"
  • SDAs' Strategy
    ¤ They move the victim to the saturation state
    ¤ Low bandwidth rate:
      ¤ Attack resources are minimized
      ¤ It is easier to bypass security systems
    ¤ ON-OFF nature
    ¤ Almost all the packets contribute to the success of the attack
  • Slow DoS Attacks, An Example: Slowloris
    ¤ A script written in the Perl programming language
    ¤ Used during the protests against the Iranian presidential elections in 2009
    ¤ It sends a lot of endless requests with the following pattern (\r\n is CRLF; the empty line that would terminate the header block is never sent, so the request never completes):
        GET / HTTP/1.1\r\n
        Host: www.example.com\r\n
        User-Agent: Mozilla/4.0 [...]\r\n
        Content-Length: 42\r\n
        X-a: b\r\n
        X-a: b\r\n
        X-a: b\r\n
        X-a: b\r\n
    Source: http://ha.ckers.org/slowloris/
  • Making Order Into the Slow DoS Field (taxonomy figure, only partly recoverable)
    Slow DoS attacks are grouped by the resource they exhaust (CPU/memory/disk vs. network) and by strategy: pending requests, delayed responses, slow requests/responses, resource occupation, server behavior alteration, and other/unknown (planning attacks). Attacks placed in the taxonomy include Slowloris, the Shrew attack, the Quiet attack, ReDoS, the Apache Range Header attack, HashDoS and THC-SSL-DoS. Other labels on the figure: Request/Response, Client Timeout.
  • SlowReq Attack ¤  It opens a large amount of endless connections with the victim ¤  It slowly send data to the victim, through a specific timeout, preventing a server-side connection closure SLOWLORIS SLOWREQ GET / HTTP/1.1rn" Host: www.example.comrn" User-Agent: Mozilla/4.0 [...]rn" Content -Length: 42rn [space] X-a: brn [space] X-a: brn [space] X-a: brn [space] X-a: brn [space] Maurizio Aiello
  • SlowReq Attack ¤ No rn implies no parsing (stealth and difficult to prevent) ¤ Bandwidth very limited ¤ Cpu and ram requested limited ¤ Tunable in parameters (number of connections; wait timeout; time between characters etc) Maurizio Aiello
  • Protocol Independence
    ¤ Attacks like Slowloris are bound to a specific protocol (HTTP in this case)
    ¤ SlowReq is able to naturally affect multiple protocols
      ¤ The packet payload is a sequence of white spaces
      ¤ Tested against FTP, SMTP and SSH servers
      ¤ Bound to TCP-based protocols
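As an added example (not code from the slides or from the SlowReq tool), the following Python classifier applies the two signatures described in the preceding slides to the reassembled payload of one TCP connection: Slowloris keeps delivering well-formed header lines but never the empty line that ends the header block, while SlowReq delivers nothing but whitespace and never a CRLF, so no line is ever handed to the protocol parser. Because the whitespace rule does not look at the application protocol at all, the same check covers the FTP, SMTP and SSH cases. It also computes the dwell pattern that keeps such a connection open: every pause shorter than the server's idle timeout while the request as a whole outlives it. The server timeout, timestamps and captured chunks below are constructed for illustration.

```python
"""Classify per-connection application payload streams as complete,
Slowloris-like or SlowReq-like. Added example, not code from the slides or
from the SlowReq tool: thresholds, timestamps and captures are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Chunk = Tuple[float, bytes]   # (seconds since the TCP handshake, payload)


@dataclass
class Verdict:
    label: str        # "complete", "slowloris-like", "slowreq-like" or "incomplete"
    duration: float   # seconds between the first and the last payload chunk
    max_gap: float    # longest pause between two consecutive chunks
    bytes_total: int


def classify(chunks: List[Chunk]) -> Verdict:
    """Signature check on the reassembled payload of one TCP connection."""
    times = [t for t, _ in chunks]
    payload = b"".join(p for _, p in chunks)
    duration = times[-1] - times[0] if chunks else 0.0
    max_gap = max((b - a for a, b in zip(times, times[1:])), default=0.0)

    if b"\r\n\r\n" in payload:
        label = "complete"        # header block terminated: the parser has run
    elif payload and payload.strip(b" \t") == b"":
        # SlowReq: nothing but whitespace and never a CRLF, so no line is ever
        # handed to the protocol parser. The rule is independent of whether the
        # socket belongs to HTTP, FTP, SMTP or SSH.
        label = "slowreq-like"
    elif payload.startswith((b"GET ", b"POST ", b"HEAD ")) and payload.count(b"\r\n") >= 2:
        # Slowloris: a valid request line and header lines keep arriving, but
        # the empty line that would end the header block never does.
        label = "slowloris-like"
    else:
        label = "incomplete"
    return Verdict(label, duration, max_gap, len(payload))


def dwells_past_timeout(v: Verdict, server_timeout: float) -> bool:
    """The slow-DoS dwell pattern: every pause stays under the server's idle
    timeout (so the connection is never closed) while the request as a whole
    outlives that timeout."""
    return v.label != "complete" and v.max_gap < server_timeout and v.duration > server_timeout


# Constructed captures (not traffic from the slides). Timestamps are seconds
# since the handshake; SERVER_TIMEOUT is an assumed idle timeout.
SERVER_TIMEOUT = 30.0

NORMAL: List[Chunk] = [
    (0.00, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"),
    (0.01, b"User-Agent: Mozilla/4.0\r\n\r\n"),
]

SLOWLORIS: List[Chunk] = [
    (0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: Mozilla/4.0 [...]\r\nContent-Length: 42\r\n"),
] + [(15.0 * i, b"X-a: b\r\n") for i in range(1, 9)]      # one header line every 15 s

SLOWREQ: List[Chunk] = [(25.0 * i, b" ") for i in range(6)]  # one space every 25 s


def report(captures: Dict[str, List[Chunk]],
           server_timeout: float = SERVER_TIMEOUT) -> Dict[str, Tuple[str, bool]]:
    """Label each connection and say whether it shows the dwell pattern."""
    out = {}
    for name, chunks in captures.items():
        v = classify(chunks)
        out[name] = (v.label, dwells_past_timeout(v, server_timeout))
    return out


if __name__ == "__main__":
    samples = {"normal": NORMAL, "slowloris": SLOWLORIS, "slowreq": SLOWREQ}
    for name, (label, dwelling) in report(samples).items():
        print(f"{name:10s} {label:15s} dwelling past timeout: {dwelling}")
```

Note that the whitespace rule on its own would also match a client that is merely idle after sending a stray space; in practice the verdict is combined with the dwell pattern, which is what distinguishes a connection deliberately kept alive across the idle timeout from one that simply stalled.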
  • Performance Results (figure)
    DoS state reached after a few seconds
  • Signature Based Countermeasures: Apache Web Server modules
    ¤ mod_security limits the number of simultaneous connections established from the same IP address
    ¤ mod_reqtimeout applies time limits to the reception of requests, avoiding the acceptance of long-lasting requests
  • Performance Results, mod_security (figure)
    A non-distributed attack is successfully mitigated
  • Performance Results, mod_reqtimeout (figure)
    Unlike Slowloris, SlowReq is not mitigated
  • Statistical Based Countermeasures (figure: timeline of one request/response exchange)
    t_start_request → request → t_end_request → delay → t_start_response → response → t_end_response → next
  • Statistical Signature Based SDAs Detection (figure)
  • Statistical Signature Based SDAs Detection
    Comparison with standard traffic conditions (f: standard traffic distribution, g: analyzed traffic distribution):
      n(y) = \int_{-\infty}^{+\infty} \big( f(x) - g(x + y) \big)^2 \, dx
    Minimum value (NCV):
      NCV = \min_{y} n(y)
  • Statistical Signature Based SDAs Detection (figure)
    Real traffic distribution (Δdelay example)
  • Statistical Signature Based SDAs Detection: Protocol
    ¤ n representations of standard traffic
    ¤ m comparisons, extracting m different NCV values
    ¤ Retrieval of the μ and σ values from the NCV values
    ¤ Baseline: μ + 3σ
    ¤ Comparison of the anomalous traffic with f, the average standard distribution
    ¤ NCV value retrieval for the analyzed traffic and result
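The detection protocol above, worked through in Python as an added example (not the authors' framework): n(y) and NCV are computed on discretised Δdelay distributions, the baseline μ + 3σ is derived from the pairwise NCVs of n standard-traffic windows, and an analyzed window is scored against the average standard distribution f. Bin width, shift range, window sizes and the synthetic traffic are assumptions. Since NCV minimises n(y) over the shift y, it responds to a change in the shape of the distribution rather than to a pure displacement; the constructed attack window is detected because the mix of legitimate connections and SlowReq connections (one byte roughly every 25 s) makes Δdelay bimodal.

```python
"""Statistical slow-DoS detection with the NCV metric from the slides.
Added example, not the authors' framework: bin width, shift range, window
sizes and the synthetic Δdelay traffic below are constructed."""
import random
import statistics
from typing import List, Sequence

BIN_WIDTH = 0.1   # seconds per histogram bin (assumed)
N_BINS = 350      # covers Δdelay from 0 s to 35 s (assumed)


def density(samples: Sequence[float]) -> List[float]:
    """Discrete stand-in for the continuous distribution in the slides: a
    histogram of a timing metric (here Δdelay) normalised to unit area."""
    hist = [0.0] * N_BINS
    for s in samples:
        i = min(max(int(s / BIN_WIDTH), 0), N_BINS - 1)
        hist[i] += 1.0
    area = len(samples) * BIN_WIDTH
    return [h / area for h in hist]


def n_of_y(f: List[float], g: List[float], y: int) -> float:
    """n(y) = ∫ (f(x) - g(x + y))^2 dx, with g shifted by y bins and taken
    as zero outside the histogram support."""
    total = 0.0
    for x in range(N_BINS):
        gx = g[x + y] if 0 <= x + y < N_BINS else 0.0
        total += (f[x] - gx) ** 2
    return total * BIN_WIDTH


def ncv(f: List[float], g: List[float]) -> float:
    """NCV = min_y n(y): the best alignment of g against f, so the metric
    reacts to a change of shape rather than to a plain shift."""
    return min(n_of_y(f, g, y) for y in range(-(N_BINS - 1), N_BINS))


class NCVDetector:
    """Baseline μ + 3σ from the m pairwise NCVs of n standard-traffic
    windows; new traffic is scored against the average standard distribution."""

    def __init__(self, standard_windows: List[List[float]]):
        ds = [density(w) for w in standard_windows]
        pairwise = [ncv(ds[i], ds[j])
                    for i in range(len(ds)) for j in range(i + 1, len(ds))]
        self.mu = statistics.mean(pairwise)
        self.sigma = statistics.pstdev(pairwise)
        self.baseline = self.mu + 3 * self.sigma
        self.f_avg = [sum(col) / len(ds) for col in zip(*ds)]   # f (average)

    def score(self, window: List[float]) -> float:
        return ncv(self.f_avg, density(window))

    def is_anomalous(self, window: List[float]) -> bool:
        return self.score(window) > self.baseline


# Constructed traffic (assumed figures, not measurements from the slides).
def normal_delays(rng: random.Random, n: int = 1000) -> List[float]:
    """Legitimate clients: Δdelay of a few hundred milliseconds."""
    return [max(0.0, rng.gauss(0.3, 0.1)) for _ in range(n)]


def attacked_delays(rng: random.Random, n_legit: int = 1000, n_attack: int = 500) -> List[float]:
    """Window observed during a SlowReq run: legitimate delays plus
    connections that deliver one byte roughly every 25 s."""
    return normal_delays(rng, n_legit) + [rng.gauss(25.0, 2.0) for _ in range(n_attack)]


def demo(seed: int = 7):
    """Train on 6 standard windows, then score one quiet and one attacked window."""
    rng = random.Random(seed)
    detector = NCVDetector([normal_delays(rng) for _ in range(6)])
    quiet = detector.is_anomalous(normal_delays(rng))
    under_attack = detector.is_anomalous(attacked_delays(rng))
    return detector.baseline, quiet, under_attack


if __name__ == "__main__":
    baseline, quiet, under_attack = demo()
    print(f"baseline mu + 3 sigma    = {baseline:.6f}")
    print(f"quiet window anomalous:  {quiet}")
    print(f"attack window anomalous: {under_attack}")
```

The shift search is deliberately exhaustive over all bin offsets, which is what makes NCV zero for two identical shapes regardless of position; a deployment would bound the search to the range of delays the metric can plausibly take and compute the same baseline per metric (request duration, delay, response duration, time to next).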
  • Conclusions and Future Work
    ¤ Extensions of the algorithm are possible: we are releasing a framework for SDAs detection
    ¤ Due to its low resource requirements, we are working on a mobile deployment of SlowReq
    ¤ Deployment of a (mobile and) distributed attack
  • Acknowledgements: Enrico Cambiaso, Gianluca Papaleo, Silvia Scaglione
  • The End. Thanks!!