DDoS Attack Preparation and Mitigation

Layered controls to help you prepare for and defend yourself from a distributed denial of service (DDoS) attack.

Published in: Technology

  1. DDoS Attack Preparation and Mitigation
     Presented by Jerod Brennen, CISSP
     CTO & Principal Security Consultant, Jacadis
  2. Overview
     • What is a DDoS attack?
     • Why are these attacks launched?
     • How do we prepare?
     • How do we respond?
     • Resources
  3. In the News…
     http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/
  4. DoS Attacks
     • Denial of Service
       o Network resources
       o Host resources
       o Application resources
     • Types
       o ICMP Flood
         • Smurf attack
         • Ping flood
         • Ping of death
       o SYN Flood
         • SYN – SYN/ACK… Wait. Where’s my ACK?
         • Unending knock-knock joke
       o Teardrop Attack
       o Low and Slow
  5. DDoS Attacks
     • Distributed Denial of Service
       o Simultaneous attacks from multiple sources
       o Traditional countermeasures don’t work
     • Examples
       o Botnet downloads entire site, repeats ad nauseam
       o Abuse SSL negotiation phase
  6. Why Launch a DDoS Attack?
     • Motive
       o Extortion
       o Revenge
       o Hacktivism
       o Unintentional (@feliciaday)
     • Means
       o Botnet
         • Infected machines
         • Voluntary (mobile devices?)
       o Availability of tools
         • Low Orbit Ion Cannon (LOIC) – TCP/UDP
         • slowhttptest – HTTP
         • Slowloris – HTTP
     • Opportunity
       o We’re talking about the INTERNET…
  7. Preparation
     • Technical: Defense-in-Depth
       o Network
       o Operating System
       o Web/Application Server
       o Application
     • Procedural: Security Incident Response
       o Policy
       o Procedures
       o Tabletop Exercises
  8. Preparation – Network Architecture
     • Align with Cisco SAFE security reference architecture
       o Redundancy
     • Deploy and tune tools
       o Intrusion Prevention System (IPS)
       o Security Information Event Management (SIEM)
       o Bandwidth Monitoring and Management
       o Anti-DDoS Hardware (*)
         • Cisco Guard / PrevenTier (Rackspace)
         • DOSarrest
         • RioRey
     • Evaluate IPv6 configurations
  9. Preparation – Network Router
     • Enable Reverse Path Forwarding
       o ip verify unicast reverse-path
     • Filter all RFC-1918 address spaces
       o 10.0.0.0 - 10.255.255.255 (10/8 prefix)
       o 169.254.0.0 - 169.254.255.255 (169.254/16 prefix)
       o 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
       o 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
     • Network Ingress Filtering, per RFC-2827
       o Drop forged packets
     • Enforce rate limiting for ICMP and SYN packets
  10. Preparation – Network Firewall
     • Deny private, illegal, and routable source IP’s
       o 0.0.0.0
       o 10.0.0.0-10.255.255.255
       o 127.0.0.0
       o 172.16.0.0-172.31.255.255
       o 192.168.0.0-192.168.255.255
       o 240.0.0.0
       o 255.255.255.255
  11. Preparation - Operating System
     • Harden the Host
       o Center for Internet Security
       o DISA STIG’s
         • Defense Information Systems Agency Security Technical Implementation Guides
       o Vendor guides
     • Patch
       o Automate the process
       o Trust, but verify
     • Host Vulnerability Scans
       o DoS vulnerabilities
  12. Preparation – Apache on Linux
     • Advanced Policy Firewall (APF)
       o iptables (netfilter)
     • (D)DoS Deflate
       o netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
       o Automatically block attacking IP’s
       o Automatically unblock IP’s after x seconds
     • Apache modules
       o mod_evasive
       o mod_security
  13. Preparation – IIS on Windows
     • UrlScan
       o Integrate with IIS
       o Mitigate SQL injection attacks
       o Restrict potentially malicious HTTP requests (web app firewall function)
     • Dynamic IP Restrictions
       o Requests over time
       o Deny action
       o Logging
  14. Preparation - Application
     • Third Party Services
       o Akamai – Web Application Acceleration
       o Prolexic – Pipe Cleaner
     • Web App Firewall
       o Hosted
       o Cloud
     • Load Balancers
       o Take advantage of virtualization
     • Baseline Your Performance
       o Thresholds (Load Testing)
       o Source IP reports
     • Web Application Vulnerability Scan
       o DoS vulnerabilities
       o Vulnerable forms (CAPTCHA)
  15. Mitigation - Network
     • Log analysis
       o Understand the attack
       o netstat, awk, grep
     • Contact your ISP
       o Drop attacking traffic before it hits any of your resources
     • Null route attackers
       o Example: ip route 192.168.0.0 255.255.0.0 Null0
     • Implement your geographic IP rules
       o Deny all traffic from non-customer IP blocks
     • Enable third party services/solutions
       o Temporary
       o Cost
  16. Mitigation – Host and App
     • Add additional servers
       o Temporary (co$t)
       o Again, take advantage of virtualization
     • Tighten web app firewall rules
       o Based on attack pattern
  17. Contact Law Enforcement?
     • Pros
       o Prevent future attacks against your org
       o Prevent future attacks against other orgs
     • Cons
       o Attack becomes public record
       o Additional resources = time + money
     • Decide in writing what action you will take before an incident occurs.
  18. Resources
     • Denial of Service Attacks Explained
       o CERT
         • http://www.cert.org/tech_tips/denial_of_service.html
       o Wikipedia
         • http://en.wikipedia.org/wiki/Denial-of-service_attack
     • RFC’s
       o RFC-1918 – Address Allocation for Private Internets
         • http://tools.ietf.org/html/rfc1918
       o RFC-2827 – Network Ingress Filtering
         • http://www.ietf.org/rfc/rfc2827.txt
     • Hardening Information
       o Center for Internet Security
         • http://www.cisecurity.org/
       o Cisco SAFE
         • http://www.cisco.com/en/US/netsol/ns954/index.html
       o Country IP Blocks
         • http://www.countryipblocks.net/
       o DISA STIG’s
         • http://iase.disa.mil/stigs/
       o How to Protect Against Slow HTTP Attacks (via @Qualys)
         • https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
  19. Resources (cont’d)
     • Tools
       o Low Orbit Ion Cannon
         • http://sourceforge.net/projects/loic/
         • Installed on your iPhone: http://www.youtube.com/watch?v=9VxA_DSflG0
       o slowhttptest
         • http://code.google.com/p/slowhttptest/
       o Slowloris
         • http://ha.ckers.org/slowloris/
       o Advanced Policy Firewall (APF)
         • http://www.rfxn.com/projects/advanced-policy-firewall/
       o (D)DoS Deflate
         • http://deflate.medialayer.com/
       o UrlScan
         • http://technet.microsoft.com/en-us/security/cc242650
       o Dynamic IP Restrictions
         • http://www.iis.net/download/DynamicIPRestrictions
     • Apache Modules
       o Mod_evasive
         • http://www.topwebhosts.org/articles/mod_evasive.php
       o Mod_security
         • http://www.topwebhosts.org/articles/mod_security.php
  20. Questions / Contact Info
     Jerod Brennen, CISSP
     http://www.linkedin.com/in/slandail
     http://twitter.com/#!/slandail
     http://www.jacadis.com/
     contact@jacadis.com
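
The (D)DoS Deflate one-liner on slide 12 also counts netstat's two header rows and cuts IPv6 peers at their first colon. The script below is an added example, not code from the slides or from the (D)DoS Deflate project: it does the same per-source count with those cases handled. The function names and the sample rows (documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-source connection counts from `netstat -ntu` output.
# sample_netstat, count_peers and flag_peers are hypothetical names.

# Constructed `netstat -ntu` output using documentation address ranges.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51514      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51515      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51516      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40100        ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::bad:40022     ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::bad:40023     TIME_WAIT
tcp6       0      0 ::ffff:203.0.113.10:80  ::ffff:198.51.100.7:51999 ESTABLISHED
EOF
}

# Read netstat -ntu output on stdin; print "<count> <address>", busiest first.
count_peers() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {            # socket rows only; skips both header lines
            peer = $5                     # Foreign Address column
            sub(/:[^:]*$/, "", peer)      # drop only the trailing :port, keeping IPv6 whole
            sub(/^::ffff:/, "", peer)     # fold IPv4-mapped IPv6 onto the IPv4 address
            n[peer]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# flag_peers THRESHOLD: print addresses holding at least THRESHOLD connections.
flag_peers() {
    count_peers | awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}

# Demo on the constructed sample. On a live host: netstat -ntu | flag_peers <threshold>
sample_netstat | count_peers
```

The threshold is site-specific; the baseline and source IP reports from slide 14 are the place to derive it.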
