This document describes a simulated DDoS attack scenario. It introduces Widgets LLC, the victim company, which relies on its website for business. It also introduces Thomas Scriptkid, the attacker, who has a small botnet capable of DDoS attacks. After port scanning reveals open services, various attack vectors are identified, including SYN floods, reflection floods, and application layer attacks. A SYN flood is launched, severely degrading the website's performance. Finally, various mitigation options are discussed, each with deficiencies for fully addressing DDoS attacks.
1. STORM SURGE: A DDoS Attack and Defend Scenario
Background photo courtesy of Ben Salter https://creativecommons.org/licenses/by/2.0/legalcode
2. ANDY SHOEMAKER - NimbusDDOS Founder
Contact:
andy@nimbusddos.com
781.591.2575
www.nimbusddos.com
Bio:
Over 15 years of operations experience in massive-scale consumer websites
Past Gigs
TripAdvisor.com - Massive online travel website
Harmonix Music Corp / MTV Games - Video game studio
Cambridge Interactive Development Corp - Online poker and casinos
WorldWinner.com / GSN - Online gaming destination
4. Why Perform DDoS Simulations?
Assess environment susceptibility to DDoS
Am I susceptible to DDoS?
What are the DDoS risk areas in my organization?
Evaluate various mitigation solutions prior to purchase
DDoS mitigation vendors are a partner in your infrastructure, so you better like them!
Validate DDoS mitigation hardware and services once installed
Don't wait for the next DDoS to find out whether your mitigation strategy works!
Train IT staff in identification and mitigation of DDoS
Preparedness drills can be invaluable in creating strategies that can be used during a crisis.
Compliance
Vendors and suppliers are increasingly being asked whether they have a DDoS strategy.
5. The Victim: Introducing Widgets LLC
Overview
A major manufacturer of custom Widgets
Mid-sized company with 200 employees and a 3 person IT team
The website is the primary marketing/sales/support channel for the organization
http://widgetsllc.nimbusddos.com/
Technology Stack
Amazon Web Services (AWS) hosted infrastructure
Wordpress CMS
Quad core, 7.5GB RAM, SSD storage (c3.xlarge)
Approximately 500Mbps of network capacity
Security Preparedness
Has defined procedures for software updates to ensure prompt patching of vulnerabilities
Periodic vulnerability scans with Nessus or similar
Was told by an AWS account representative that DDoS will not affect them due to Amazon's size
8. The Attacker: Introducing Thomas Scriptkid
Overview
Uses DDoS to extort money (via Bitcoin) from companies
Sometimes performs DDoS for hire using “darknet” marketplaces
Botnet Capabilities
A very small botnet of 50 compromised hosts
Capable of 5Gbps of traffic for bandwidth DDoS
Capable of 5 million packets per second SYN floods
Capable of 50,000 requests per second layer7 HTTP
Sense of Scale
BredoLab botnet initiated a DDoS using 220,000 hosts in 2010
In Q1 2015 there were 25 attacks in excess of 100Gbps globally
9. Let's See that Website Again... this time as our attacker
Search likely hits the DB; search tends to use lots of CPU
Log-in likely hits the DB; log-in tends to use lots of CPU
Large media is a juicy target (122K)
10. The facts:
Port scanners allow an attacker to see what services are accessible from the Internet
Multiple applications are freely available, just a mouse click away
https://nmap.org/
Most scanners support a variety of cloaking modes
Scanners are very quick, with only a single packet sent/received being necessary to scan a port
- A modest Linux server capable of processing 200k packets/sec scanning all ports:
Single host: <1 second
Class C (254 hosts): <3 minutes
Class B (65,534 hosts): 12 hours
Class A (16,777,214 hosts): 127 days
- MASSCAN can reportedly scan the entire Internet in under 6 minutes given sufficient resources: https://github.com/robertdavidgraham/masscan
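The slide's timings only work out if each port costs two packets (one sent, one received) at 200k packets/sec across all 65,535 TCP ports. The following Python is an added example, not from the slides, that makes that assumption explicit and reproduces the table so a defender can re-run it for their own address space and scanner rate.

```python
# Added example (not from the slides): reproduce the scan-time table.
# Assumptions: 65,535 TCP ports per host, one packet sent plus one received
# per port (2 packets total, which is what makes the slide's numbers match),
# and a scanner that sustains 200,000 packets per second.

PORTS_PER_HOST = 65535
PACKETS_PER_PORT = 2          # one SYN out, one SYN/ACK or RST back
SCANNER_PPS = 200_000         # "a modest Linux server" on the slide

# Usable host counts quoted on the slide (network and broadcast excluded)
NETWORK_SIZES = {
    "Single host": 1,
    "Class C": 254,
    "Class B": 65_534,
    "Class A": 16_777_214,
}


def scan_seconds(hosts, ports=PORTS_PER_HOST,
                 packets_per_port=PACKETS_PER_PORT, pps=SCANNER_PPS):
    """Seconds needed to touch every port on every host at the given packet rate."""
    return hosts * ports * packets_per_port / pps


def human(seconds):
    """Format a duration the way the slide does (seconds, minutes, hours or days)."""
    if seconds < 60:
        return f"{seconds:.2f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    return f"{seconds / 86400:.1f} days"


def scan_table():
    """Return {label: seconds} for the slide's four network sizes."""
    return {label: scan_seconds(n) for label, n in NETWORK_SIZES.items()}


if __name__ == "__main__":
    for label, secs in scan_table().items():
        print(f"{label:12s} {human(secs):>10s}")
```

Counting only one packet per port halves every figure, which is why a naive estimate for a class B comes out near 6 hours instead of the 12 on the slide.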
Port Scanners: the primary tool of all attackers
16. Mitigation Options (and their deficiencies)
Block via firewall
SYN floods are often spoofed from random IPs making them difficult to block
Substantial administrative overhead
Blocking must occur upstream of the bottleneck, which may not be possible
Auto-scale resources in the cloud
May not be possible with older applications, or those with monolithic databases
Now becomes a DDoS on your wallet as you need to pay for the cloud resources
Dedicated on-premise DDoS mitigation hardware
Requires time and resources to setup
Requires in-house DDoS expertise which can be challenging even for large IT teams
Blocking must occur upstream of the bottleneck, which may not be possible
Hide behind a content distribution network (CDN)
Will not protect against layer7 DDoS as these will pass through the CDN to the origin
DDoS “clean pipe” vendor (proxy solutions)
Will not prevent attacks directly targeting the origin
DDoS “clean pipe” vendor (BGP routed solutions)
Only available to organizations that talk BGP