Your SlideShare is downloading. ×
0
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Universal DDoS Mitigation Bypass

1,224

Published on

We demonstrated how commercial DDoS mitigation solutions can be bypassed and why the approaches adopted are heading in the wrong direction. An economics-based countermeasure is then proposed as the …

We demonstrated how commercial DDoS mitigation solutions can be bypassed and why the approaches adopted are heading in the wrong direction. An economics-based countermeasure is then proposed as the next-gen solution.

Published in: Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,224
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
0
Likes
4
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Universal DDoS Mitigation Bypass DDoS Mitigation Lab
  • 2. About Us DDoS Mitigation Lab Independent academic R&D division of Nexusguard building next generation DDoS mitigation knowledge and collaborate with the defense community. Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge.
  • 3. • DDoS Attack Categories • DDoS Detection and Mitigation Techniques – How they work? – How to bypass / take advantage? • DDoS Mitigation Bypass – How to use our PoC tool? – PoC tool capability • Next-Generation Mitigation Outline
  • 4. Financial Impact Source: NTT Communications, “Successfully Combating DDoS Attacks”, Aug 2012
  • 5. Volumetric Attacks • Packet-Rate-Based • Bit-Rate-Based
  • 6. Semantic Attacks API attacks Hash DoS Apache Killer Teardrop (old textbook example) Slowloris / RUDY SYN Flood (old textbook example) Smurf (old textbook example)
  • 7. Blended Attacks
  • 8. Attack Quadrant Complexity Simple Sophisticated Volume xxx Gbps+ xxx Mbps+
  • 9. DDoS Mitigations Traffic Policing Proactive Resource Release Black- / Whitelisting xxx Gbps+ xxx Mbps+ Complexity Simple Sophisticated Volume
  • 10. DDoS Mitigation: Traffic Policing Source: Cisco
  • 11. DDoS Mitigation: Proactive Resource Release RST 1. Open lots of TCP connections 2. TCP connection pool starved3. Detect idle / slow TCP connections 4. Close idle / slow TCP connections With RST Example: Slowloris Attack
  • 12. B Backend (dropped) DDoS Mitigation: Black- / Whitelisting Black List White List 1.2.3.4 5.6.7.8 5.6.7.8 3.4.5.6 6.7.8.9 = free pass (for awhile / for x amount of volume) Src: 1.2.3.4 Src: 3.4.5.6
  • 13. DDoS Mitigation: Source Isolation Source: http://www.cs.duke.edu/nds/ddos/ AS AS AS
  • 14. DDoS Solution: Secure CDN Backend End User 3: return 1: request 2: redirect to nearest server 4: bypass distribution, attack backend!
  • 15. DDoS Detection Rate Measurement (SNMP) Baselining (Netflow) Protocol Sanity (PCAP) Application (SYSLOG) Protocol Behavior (PCAP) Big Data Analysis Complexity Simple Sophisticated Volume xxx Gbps+ xxx Mbps+
  • 16. Rate- / Flow-Based Countermeasures Detection Mitigation
  • 17. Protocol-Based Countermeasures Detection Mitigation
  • 18. Blanket Countermeasures Traffic Statistics and Behavior Big Data Analysis Detection Mitigation Source Host Verification
  • 19. Source Host Verification • TCP SYN Auth • HTTP Redirect Auth • HTTP Cookie Auth • JavaScript Auth • CAPTCHA Auth
  • 20. PoC Tool
  • 21. • True TCP/IP behavior (RST, resend, etc.) • Believable HTTP headers (User-Agent strings, etc.) • Embedded JavaScript engine • CAPTCHA solving capability • Randomized payload • Tunable post-authentication traffic model PoC Tool Strengths
  • 22. PoC Tool: Authentication Bypass
  • 23. TCP SYN Auth (TCP Reset) SYN ACK SYN ACK RST SYN SYN ACK ACK 
  • 24. TCP SYN Auth (TCP Out-of-Sequence) RST SYN SYN SYN ACK ACK  SYN ACK
  • 25. HTTP Redirect Auth GET /index.html HTTP 302 redir to /foo/index.html GET /foo/index.html HTTP 302 redir to /index.html GET /index.html 
  • 26. HTTP Cookie Auth GET /index.html HTTP 302 redir to /index.html HTTP 302 redir to /index.html GET /index.html GET /index.html 
  • 27. HTTP Cookie Auth (Header Token) GET /index.html HTTP 302 redir to /index.html [X-Header: foo=bar] GET /index.html [X-Header: foo=bar] GET /index.html [X-Header: foo=bar] HTTP 302 redir to /index.html [X-Header: foo=bar] GET /index.html [X-Header: foo=bar]
  • 28. JavaScript Auth GET /index.html HTTP 302 redir to /index.html GET /index.html POST /auth.phpans=16 JS 7+nine=? 
  • 29. CAPTCHA Auth GET /index.html HTTP 302 redir to /index.html GET /index.html POST /auth.php 
  • 30. CAPTCHA Pwnage
  • 31. PoC Tool: TCP Traffic Model
  • 32. TCP Traffic Model NumberofConnections Connection Hold Time Before 1st Request Connection Idle Timeout After Last Request Connections Interval Connections Interval TCP Connection TCP Connection TCP Connection
  • 33. PoC Tool: HTTP Traffic Model
  • 34. HTTP Traffic ModelNumberofRequests perConnection Requests Interval Requests Interval Requests Interval TCP Connection HTTP Connection HTTP Connection HTTP Connection HTTP Connection
  • 35. • 3 tries per authentication attempt (in practice more likely to success) • True TCP/IP behavior thru use of OS TCP/IP stack • Auth cookies persist during subsequent dialogues • JavaScript execution using embedded JS engine (lack of complete DOM an obstacle to full emulation) PoC Tool Design
  • 36. 1. Converted to black-and-white for max contrast 2. 3x3 median filter applied for denoising 3. Word segmentation 4. Boundary recognition 5. Pixel difference computed against character map CAPTCHA Bypass Design
  • 37. PoC Tool in Action
  • 38. Testing Environment Against Devices Against Services Measure Attack Traffic Measure Attack Traffic
  • 39. Mitigation Bypass (Protection Products) Auth Bypass Post-Auth Testing results under specific conditions, valid as of Jul 13, 2013 Proactive Resource Release
  • 40. Mitigation Bypass (Protection Services) Auth Bypass Post-Auth Testing results under specific conditions, valid as of Jul 13, 2013 Proactive Resource Release
  • 41. • Client Puzzle – add cost to individual zombies. Next-Generation Mitigation
  • 42. • DDoS is expensive to business • Existing DDoS protection insufficient • Next-Generation solution should make attack expensive Conclusion
  • 43. tony.miu@nexusguard.com albert.hui@ntisac.org waileng.lee@ntisac.org Thank You! http://www.ntisac.org

×