Universal DDoS Mitigation Bypass


Published on

We demonstrated how commercial DDoS mitigation solutions can be bypassed and why the approaches adopted are heading in the wrong direction. An economics-based countermeasure is then proposed as the next-gen solution.

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Universal DDoS Mitigation Bypass

  1. 1. Universal DDoS Mitigation Bypass DDoS Mitigation Lab
  2. 2. About Us DDoS Mitigation Lab Independent academic R&D division of Nexusguard building next generation DDoS mitigation knowledge and collaborate with the defense community. Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge.
  3. 3. • DDoS Attack Categories • DDoS Detection and Mitigation Techniques – How they work? – How to bypass / take advantage? • DDoS Mitigation Bypass – How to use our PoC tool? – PoC tool capability • Next-Generation Mitigation Outline
  4. 4. Financial Impact Source: NTT Communications, “Successfully Combating DDoS Attacks”, Aug 2012
  5. 5. Volumetric Attacks • Packet-Rate-Based • Bit-Rate-Based
  6. 6. Semantic Attacks API attacks Hash DoS Apache Killer Teardrop (old textbook example) Slowloris / RUDY SYN Flood (old textbook example) Smurf (old textbook example)
  7. 7. Blended Attacks
  8. 8. Attack Quadrant Complexity Simple Sophisticated Volume xxx Gbps+ xxx Mbps+
  9. 9. DDoS Mitigations Traffic Policing Proactive Resource Release Black- / Whitelisting xxx Gbps+ xxx Mbps+ Complexity Simple Sophisticated Volume
  10. 10. DDoS Mitigation: Traffic Policing Source: Cisco
  11. 11. DDoS Mitigation: Proactive Resource Release RST 1. Open lots of TCP connections 2. TCP connection pool starved3. Detect idle / slow TCP connections 4. Close idle / slow TCP connections With RST Example: Slowloris Attack
  12. 12. B Backend (dropped) DDoS Mitigation: Black- / Whitelisting Black List White List = free pass (for awhile / for x amount of volume) Src: Src:
  13. 13. DDoS Mitigation: Source Isolation Source: http://www.cs.duke.edu/nds/ddos/ AS AS AS
  14. 14. DDoS Solution: Secure CDN Backend End User 3: return 1: request 2: redirect to nearest server 4: bypass distribution, attack backend!
  15. 15. DDoS Detection Rate Measurement (SNMP) Baselining (Netflow) Protocol Sanity (PCAP) Application (SYSLOG) Protocol Behavior (PCAP) Big Data Analysis Complexity Simple Sophisticated Volume xxx Gbps+ xxx Mbps+
  16. 16. Rate- / Flow-Based Countermeasures Detection Mitigation
  17. 17. Protocol-Based Countermeasures Detection Mitigation
  18. 18. Blanket Countermeasures Traffic Statistics and Behavior Big Data Analysis Detection Mitigation Source Host Verification
  19. 19. Source Host Verification • TCP SYN Auth • HTTP Redirect Auth • HTTP Cookie Auth • JavaScript Auth • CAPTCHA Auth
  20. 20. PoC Tool
  21. 21. • True TCP/IP behavior (RST, resend, etc.) • Believable HTTP headers (User-Agent strings, etc.) • Embedded JavaScript engine • CAPTCHA solving capability • Randomized payload • Tunable post-authentication traffic model PoC Tool Strengths
  22. 22. PoC Tool: Authentication Bypass
  24. 24. TCP SYN Auth (TCP Out-of-Sequence) RST SYN SYN SYN ACK ACK  SYN ACK
  25. 25. HTTP Redirect Auth GET /index.html HTTP 302 redir to /foo/index.html GET /foo/index.html HTTP 302 redir to /index.html GET /index.html 
  26. 26. HTTP Cookie Auth GET /index.html HTTP 302 redir to /index.html HTTP 302 redir to /index.html GET /index.html GET /index.html 
  27. 27. HTTP Cookie Auth (Header Token) GET /index.html HTTP 302 redir to /index.html [X-Header: foo=bar] GET /index.html [X-Header: foo=bar] GET /index.html [X-Header: foo=bar] HTTP 302 redir to /index.html [X-Header: foo=bar] GET /index.html [X-Header: foo=bar]
  28. 28. JavaScript Auth GET /index.html HTTP 302 redir to /index.html GET /index.html POST /auth.phpans=16 JS 7+nine=? 
  29. 29. CAPTCHA Auth GET /index.html HTTP 302 redir to /index.html GET /index.html POST /auth.php 
  30. 30. CAPTCHA Pwnage
  31. 31. PoC Tool: TCP Traffic Model
  32. 32. TCP Traffic Model NumberofConnections Connection Hold Time Before 1st Request Connection Idle Timeout After Last Request Connections Interval Connections Interval TCP Connection TCP Connection TCP Connection
  33. 33. PoC Tool: HTTP Traffic Model
  34. 34. HTTP Traffic ModelNumberofRequests perConnection Requests Interval Requests Interval Requests Interval TCP Connection HTTP Connection HTTP Connection HTTP Connection HTTP Connection
  35. 35. • 3 tries per authentication attempt (in practice more likely to success) • True TCP/IP behavior thru use of OS TCP/IP stack • Auth cookies persist during subsequent dialogues • JavaScript execution using embedded JS engine (lack of complete DOM an obstacle to full emulation) PoC Tool Design
  36. 36. 1. Converted to black-and-white for max contrast 2. 3x3 median filter applied for denoising 3. Word segmentation 4. Boundary recognition 5. Pixel difference computed against character map CAPTCHA Bypass Design
  37. 37. PoC Tool in Action
  38. 38. Testing Environment Against Devices Against Services Measure Attack Traffic Measure Attack Traffic
  39. 39. Mitigation Bypass (Protection Products) Auth Bypass Post-Auth Testing results under specific conditions, valid as of Jul 13, 2013 Proactive Resource Release
  40. 40. Mitigation Bypass (Protection Services) Auth Bypass Post-Auth Testing results under specific conditions, valid as of Jul 13, 2013 Proactive Resource Release
  41. 41. • Client Puzzle – add cost to individual zombies. Next-Generation Mitigation
  42. 42. • DDoS is expensive to business • Existing DDoS protection insufficient • Next-Generation solution should make attack expensive Conclusion
  43. 43. tony.miu@nexusguard.com albert.hui@ntisac.org waileng.lee@ntisac.org Thank You! http://www.ntisac.org