So what?
The usual disclaimer   Opinions expressed in the presentation do not   necessary represent the stance of my employer.   Le...
Agenda1.   Business Side     1.   Motivation     2.   Considerations     3.   Insurance     4.   Preparedness     5.   Mon...
Audience poll Tell me who you are
What DDoS is not  it is not an act of G--  you can be prepared  you can have insurance…so don’t panic ;)…and no you don’t ...
Motivation Financial Gain   Competitions   Extortion   Divert attention   Proof of power Political statement   Hacktivism ...
Consider thisHow is a DDoS different from CNN pointing to your home page?How is that different from your primary Internet ...
Few words about insurance  Insurance is money you pay to be protected from  something bad if it is ever to happen  You can...
In peace time Have a Incident response plan You should have your monitoring ahead of time When do you need to escalate?   ...
Monitoring Impact The most neglected resource No matter how much traffic they throw at you there is no problem until your ...
In the heat of the moment  What is actually happening? Focus on the facts  Collect data (from LBs, systems, network graphs...
Enough business let’s get down to business
Attack Types Asymmetric    DNS queries    SYN flood Symetric    GET flood Reflected    Smurf/DNS (spoofed source) Brute fo...
Game of Resource Exhaustion Pick one:      Bandwidth      PPS      QPS      Storage      CPU      Application specific (ha...
Attack surface (classification by layer)
Layer 1/2 attacks   Think?
Layer 1/2 attacks   Cut cables                    Jamming                    Power surge                    EMP           ...
Layer 3 attacks                  • Think?
Layer 3 attacks                  • Floods (ICMP)                  • Teardrop                   (overlapping IP segments)
Layer 4 attacks   Think?
Layer 4 attacks   SYN Flood                  RST Flood                  FIN Flood                  You name it…           ...
Layer 5 attacks   Think?
Layer 5 attacks   Sloworis                  Just send data to a                  port with no NL in it                  Se...
Layer 6 attacks   Think?
Layer 6 attacks   Expensive queries                  (repeated many times)                  XML Attacks                  <...
Layer 7 attacks   Think?
Layer 7 attacks   SPAM?                  DNS queries                  Black fax
Intro to TCPRFC: 793 / September 1981TRANSMISSION CONTROL PROTOCOL
Simplified TCP state machine LISTEN – waiting for a connection request SYN_RECV – received request still negotiating ESTAB...
Life of a socket  Socket = TCP/UDP port + IP address   Normal connection[root@knight ghost]# netstat -nap | grep 12345tcp ...
Detection on the host Your best friend: netstat netstat -nap Your next best friend: tcpdump tcpdump –n –i <interface> –s 0...
Mitigation Depends on the layer of attack Depends on the resource affected Do it yourself   dedicated hardware   Tune (cha...
SYN Flood            What does it take:              Think 3-way handshake              Server has a number of            ...
How to recognize SYN flood?Active Internet connections (servers and established)Proto Recv-Q Send-Q Local Address         ...
SYN Mitigation SYN Cookies   Special hash   Enable by:   echo 1 > /proc/sys/net/ipv4/tcp_syncookies   Other timeouts to tw...
SYN mitigation (cont’d) SYN Proxy (TCP Intercept active)   Terminates at device/opens a second connection TCP Intercept pa...
What is a SYN Cookie Hiding information in ISN (initial seq no) SYN Cookie: Timestamp % 32 + MSS + 24-bit hash Components ...
How to recognize socketexhaustion?Active Internet connections (servers and established)Proto Recv-Q Send-Q Local Address  ...
Mitigation socket exhaustion/connect Enable socket reuse  echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle  echo 1 > /proc/sys/n...
Mitigation upper layers Architecture of applications   Apache – process based – In Linux kernel level threads   Nginx – ev...
How to DoS Click really, really fast the “retry” button Scale hierarchically => recruit your friends/kids to do so Scale h...
Botnet components C&C (Command and Control) Proxy layer (optional) – think NginX ☺ Bots/drones (any machine could be a dro...
Drones Usually malware   Multiple ways of infection Rarely Opt-In (Anonymous)   User needs to download software   User nee...
Commandthe drones Attack is issued                  and Control (C&C) read it and execute Scalability issues Inertia
You always have friends (find them!) Look around, who else might be suffering this? Build partnerships Build social contac...
Tools to remember netstat tcpdump / wireshark
What can I do about it? RFC 2827/BCP 38 – Paul Ferguson   If possible filter all outgoing traffic and use proxy Patch your...
Q&A
December 9-11   Mountain View, CAhttp://www.baythreat.org/
Upcoming SlideShare
Loading in...5
×

Layer one 2011-gh0stwood-d-dos-attacks

389

Published on

Published in: Technology, News & Politics
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
389
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Layer one 2011-gh0stwood-d-dos-attacks

  1. 1. So what?
  2. 2. The usual disclaimer Opinions expressed in the presentation do not necessary represent the stance of my employer. Let me know if I speak too fast and if it’s difficult to understand me
  3. 3. Agenda1. Business Side 1. Motivation 2. Considerations 3. Insurance 4. Preparedness 5. Monitoring2. Attack types 1. Classification type 2. Attack surface from OSI perspective 3. Intro to TCP 4. Life of a socket 5. Tools3. Recognition and mitigation
  4. 4. Audience poll Tell me who you are
  5. 5. What DDoS is not it is not an act of G-- you can be prepared you can have insurance…so don’t panic ;)…and no you don’t need magical powers to deal it …you justneed to proper training
  6. 6. Motivation Financial Gain Competitions Extortion Divert attention Proof of power Political statement Hacktivism “I’m a cooler kid than you” Attack types TCP data to a listening port Slowris Add your own to the list…
  7. 7. Consider thisHow is a DDoS different from CNN pointing to your home page?How is that different from your primary Internet connection goes down or servers crash?Reactive vs. nonreactive handling?DDoS absorption == being able to serve more users fasterChange your attitude!
  8. 8. Few words about insurance Insurance is money you pay to be protected from something bad if it is ever to happen You can be prepared: Incident response plan Tools Gear Partnerships …it may not be sufficient – you should have picked the higher premium policy…
  9. 9. In peace time Have a Incident response plan You should have your monitoring ahead of time When do you need to escalate? Why?!?
  10. 10. Monitoring Impact The most neglected resource No matter how much traffic they throw at you there is no problem until your users start seeing it Use internal monitoring Use external monitoring services
  11. 11. In the heat of the moment What is actually happening? Focus on the facts Collect data (from LBs, systems, network graphs, capture traffic) Create a response plan! EXECUTE IT! Observe! (have the metrics improved?)
  12. 12. Enough business let’s get down to business
  13. 13. Attack Types Asymmetric DNS queries SYN flood Symetric GET flood Reflected Smurf/DNS (spoofed source) Brute force or logicstate attacks Distributed Any of the above (and many more) ;) Based on the network layer Stateful/permanent Backscatter
  14. 14. Game of Resource Exhaustion Pick one: Bandwidth PPS QPS Storage CPU Application specific (hardest) – could be any …and only one is needed Another way to look is: Last but not least – patience – Who gets tired first?
  15. 15. Attack surface (classification by layer)
  16. 16. Layer 1/2 attacks Think?
  17. 17. Layer 1/2 attacks Cut cables Jamming Power surge EMP MAC Spoofing MAC flood
  18. 18. Layer 3 attacks • Think?
  19. 19. Layer 3 attacks • Floods (ICMP) • Teardrop (overlapping IP segments)
  20. 20. Layer 4 attacks Think?
  21. 21. Layer 4 attacks SYN Flood RST Flood FIN Flood You name it… Window size 0 (looks like Sloworis) Connect attack LAND (same IP as src/dst)
  22. 22. Layer 5 attacks Think?
  23. 23. Layer 5 attacks Sloworis Just send data to a port with no NL in it Send data to the server with no CR
  24. 24. Layer 6 attacks Think?
  25. 25. Layer 6 attacks Expensive queries (repeated many times) XML Attacks <!DOCTYPE lolz [ <!ENTITY lol1 "&lol2;"> <!ENTITY lol2 "&lol1;"> ]> <lolz>&lol1;</lolz>
  26. 26. Layer 7 attacks Think?
  27. 27. Layer 7 attacks SPAM? DNS queries Black fax
  28. 28. Intro to TCPRFC: 793 / September 1981TRANSMISSION CONTROL PROTOCOL
  29. 29. Simplified TCP state machine LISTEN – waiting for a connection request SYN_RECV – received request still negotiating ESTABLISHED – connection working OK FIN-WAIT1/2 – one side closed the connection TIME-WAIT – waiting for a while… - What is MSL?
  30. 30. Life of a socket Socket = TCP/UDP port + IP address Normal connection[root@knight ghost]# netstat -nap | grep 12345tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 2903/nc[root@knight ghost]# netstat -nap | grep 12345tcp 0 0 127.0.0.1:12345 127.0.0.1:49188 ESTABLISHED 2903/nc[root@knight ghost]# netstat -nap | grep 12345tcp 0 0 127.0.0.1:49188 127.0.0.1:12345 TIME_WAIT -[root@knight ghost]# netstat -nap | grep 12345[root@knight ghost]#
  31. 31. Detection on the host Your best friend: netstat netstat -nap Your next best friend: tcpdump tcpdump –n –i <interface> –s 0 –w <target_file.pcap> –c <packet_count> Dedicated IDS (snort/suricata)
  32. 32. Mitigation Depends on the layer of attack Depends on the resource affected Do it yourself dedicated hardware Tune (change) your software Scrubbing providers Firewalls and challenges Horizontally scaled server frontends “To the cloud!” ;)
  33. 33. SYN Flood What does it take: Think 3-way handshake Server has a number of slots for incoming connections When slots are full no more connections are accepted
  34. 34. How to recognize SYN flood?Active Internet connections (servers and established)Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program nametcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1339/rpcbindtcp 0 0 0.0.0.0:33586 0.0.0.0:* LISTEN 1395/rpc.statdtcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1962/dnsmasqtcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1586/cupsdtcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2703/sendmail: accetcp 0 0 127.0.0.1:25 127.0.0.1:49718 SYN_RECV -tcp 0 0 127.0.0.1:25 127.0.0.1:49717 SYN_RECV -tcp 0 0 127.0.0.1:25 127.0.0.1:49722 SYN_RECV -tcp 0 0 127.0.0.1:25 127.0.0.1:49720 SYN_RECV -tcp 0 0 127.0.0.1:25 127.0.0.1:49719 SYN_RECV -tcp 0 0 127.0.0.1:25 127.0.0.1:49721 SYN_RECV -tcp 0 0 127.0.0.1:25 127.0.0.1:49716 SYN_RECV -…
  35. 35. SYN Mitigation SYN Cookies Special hash Enable by: echo 1 > /proc/sys/net/ipv4/tcp_syncookies Other timeouts to tweak (in /proc/sys/net/ipv4/): tcp_max_syn_backlog tcp_synack_retries tcp_syn_retries
  36. 36. SYN mitigation (cont’d) SYN Proxy (TCP Intercept active) Terminates at device/opens a second connection TCP Intercept passive/watch – sends reset Resets the connection after a timeout Hybrid Dynamic white lists
  37. 37. What is a SYN Cookie Hiding information in ISN (initial seq no) SYN Cookie: Timestamp % 32 + MSS + 24-bit hash Components of 24-bit hash: server IP address server port number client IP address client port timestamp >> 6 (64 sec resolution) What’s bad about them?
  38. 38. How to recognize socketexhaustion?Active Internet connections (servers and established)Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program nametcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1339/rpcbindtcp 0 0 0.0.0.0:33586 0.0.0.0:* LISTEN 1395/rpc.statdtcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1962/dnsmasqtcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1586/cupsdtcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2703/sendmail: accetcp 0 0 0.0.0.0:1241 0.0.0.0:* LISTEN 1851/nessusd: waititcp 0 0 127.0.0.1:25 127.0.0.1:60365 TIME_WAIT -tcp 0 0 127.0.0.1:25 127.0.0.1:60240 TIME_WAIT -tcp 0 0 127.0.0.1:25 127.0.0.1:60861 TIME_WAIT -tcp 0 0 127.0.0.1:25 127.0.0.1:60483 TIME_WAIT -tcp 0 0 127.0.0.1:25 127.0.0.1:60265 TIME_WAIT -tcp 0 0 127.0.0.1:25 127.0.0.1:60618 TIME_WAIT -tcp 0 0 127.0.0.1:25 127.0.0.1:60407 TIME_WAIT -tcp 0 0 127.0.0.1:25 127.0.0.1:60423 TIME_WAIT -tcp 0 0 127.0.0.1:25 127.0.0.1:60211 TIME_WAIT -tcp 0 0 127.0.0.1:25 127.0.0.1:60467 TIME_WAIT -tcp 0 0 127.0.0.1:25 127.0.0.1:60213 TIME_WAIT -
  39. 39. Mitigation socket exhaustion/connect Enable socket reuse echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse Check learn about the value in /proc/sys/net/ipv4/tcp_* MSL decrease (on LBs) to a few seconds
  40. 40. Mitigation upper layers Architecture of applications Apache – process based – In Linux kernel level threads Nginx – event based Nginx (pronounced “engine x”) http://www.nginx.net/ Mitigation through challenges Nginx plugin – Roboo (ECL-LABS.ORG)
  41. 41. How to DoS Click really, really fast the “retry” button Scale hierarchically => recruit your friends/kids to do so Scale horizontally => get a botnet
  42. 42. Botnet components C&C (Command and Control) Proxy layer (optional) – think NginX ☺ Bots/drones (any machine could be a drone)
  43. 43. Drones Usually malware Multiple ways of infection Rarely Opt-In (Anonymous) User needs to download software User needs to point it to target Sometimes targeting can be automated
  44. 44. Commandthe drones Attack is issued and Control (C&C) read it and execute Scalability issues Inertia
  45. 45. You always have friends (find them!) Look around, who else might be suffering this? Build partnerships Build social contacts Prepare before it hits Be prepared so your ISP suffers before you
  46. 46. Tools to remember netstat tcpdump / wireshark
  47. 47. What can I do about it? RFC 2827/BCP 38 – Paul Ferguson If possible filter all outgoing traffic and use proxy Patch your systems Learn how to use tcpdump/wireshark netstat Check out the Arbor Networks Report http://www.arbornetworks.com/report
  48. 48. Q&A
  49. 49. December 9-11 Mountain View, CAhttp://www.baythreat.org/

×