hashdays 2011: Sniping Slowloris - Taking out DDoS attackers with minimal harm to your users
Request delaying attacks like slowloris or RUDY made it clear that killing a webserver via HTTP is trivial. No, it is not trivial. It's even easier than that. One netbook, probably a smartphone, is enough to consume all the threads a big iron server has to offer. In this age of super-smart AJAX services with fat backend application servers exposed on the internet, this is bad news. When the anonymous network attacked, VISA, Mastercard and Swiss Post got a bloody nose out of it. This talk will teach you some basics and then fairly advanced defense methods. This is a hands-on guide on configuring the standard defense techniques on Apache including ModSecurity recipes. Furthermore, a custom script will be presented that helps you monitor your server's incoming connections and throw out the attackers. Some of the information is useful for other server types as well. Along the way you will also pick up useful information on the defense of medieval castles, but that is not the main focus of the talk. Really.
Bio: Christian Folini studied History and Computer Science at the Universities of Fribourg, Switzerland and Bern. His postgraduate studies took him to Bielefeld and Berlin. Christian Folini holds a PhD in Medieval History and has ten years of experience with Unix and webservers in particular.
Christian Folini works as a security consultant and webserver engineer for netnea.com, a contracting company based in Berne, Switzerland. His customers include Swiss Post, Federal Office of Information Technology (BIT), IBM, Novartis, Cornerbank and Swiss TV. He has several years of experience with ModSecurity installations and developed REMO, a graphical rule editor for ModSecurity. He gave ModSecurity classes at OWASP conferences and contributed to the latest editions of the Center for Internet Security (CIS) Apache Benchmark. Recently, he started to write a series of tutorials on secure enterprise-level Apache deployments with a purely Open Source approach. These tutorials are all in German. See http://www.netnea.com. Christian Folini started to do research on request delaying or slowloris-type DoS/DDoS in 2006, but never published his findings beyond the Apache/ModSecurity mailing lists until Slowloris was released by RSnake in June 2009. Christian Folini's analysis of Slowloris appeared in Linux Weekly News the day his first son was born (and I tell you, finishing the article in time was a tough race). http://lwn.net/Articles/338407/
Presentation Transcript

    • Slide 1: Sniping Slowloris and Friends - Taking out DDoS attackers with minimal harm to your users
        Security & Risk Conference, October 26th - 29th 2011, Lucerne, Switzerland
        Dr. Christian Folini - netnea AG - christian.folini@netnea.com
    • Slide 2: Christian Folini CV
        ● IT Consultant at netnea, Berne. Working for Swiss Post, one or two banks etc.
        ● Started to work on defense against Slowloris type DDoS in 2006
        ● Specialised in Webserver Security and Web Application Security on Unix Servers and System Administration in general
        ● Speaker at Security Conferences (OWASP, Swiss Cyberstorm etc.)
        ● Developer of a ModSecurity Rule Editor named "REMO"
        ● Studies in History and Computer Science in Fribourg, Berne, Bielefeld and Berlin
        ● PhD in Medieval History at Fribourg University, Switzerland
        (Slide footer on every slide: #days Security Conference – October 26th – 29th 2011 / Dr. Christian Folini: Sniping Slowloris and Friends)
    • Slide 3: ModSecurity Mailinglist 2006
    • Slide 4: RSnake Announcing Slowloris
    • Slide 5: Swiss Post Press Release Dec 06, 2010
    • Slide 6: Being Attacked By Anonymous
        "We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us."
    • Slide 7: Quotes from the Attackers' Chat-Room
        <machiavelli> again I think holding postfinance.ch down for several weeks would lead to cash in wikileaks hands. Postfinance would be forced to actually release the wikileaks funds they've stolen or go out of business.
        <biertrinker> paypal is wasting time. lets do postfinance.ch [...] to let them see that war is still not over
        <RemmiDemmi> postfinance.ch would be good
        <pride2> it would make a good statement
    • Slide 8: Incoming Internet IP Traffic During Attack
        Two weeks of Internet traffic on one of the links of Swiss Post (above the line are outgoing, below the line are incoming; PPS = IP packets per second).
        ● The attacks started within minutes after the press release.
        ● The attacks were very chaotic and heterogeneous. Literally dozens of attacks in parallel.
        ● The attackers were able to fill the complete network bandwidth for a certain time (even if 90% of the attack traffic was filtered by the ISP).
    • Slide 9: Request Delaying / Slowloris DDoS Explained
        Imagine somebody paying a big bill with small coins ... producing them ... slowly ... one ... by ... one ...
    • Slide 10: Blindness / Apache mod_status screenshot
        A standard webserver does not have a clue what is happening. The attack hits home before the server has finished initializing the request, hence the "..reading.." state in mod_status.
    • Slide 11: Defense: What Everybody Tells You
        ● Ivan Ristić: "With some exceptions, DoS are very difficult to defend against."
        ● Official response to bug report regarding Slowloris: "DoS attacks by tying up TCP connections are expected."
        ● Apache documentation: "All network servers can be subject to denial of service attacks that attempt to prevent responses to clients by tying up the resources of the server. It is not possible to prevent such attacks entirely."
    • Slide 12: Defense Strategy
        It boils down to a problem of strict differentiation: the defense is about telling good traffic from bad traffic when the bad traffic mimics good traffic and you are blind to start with.
    • Slide 13: What You Can Do: Build Up Knowledge
        ● Know your architecture, so you know your weak spots
        ● Know your protocols, so you know the options of the attackers
        ● Know your application, so you know its behaviour under normal load and under attack
        ● Know your customers, so you are aware of their habits and tolerance levels
        ● Know your allies and their phone number, so you are not alone when the attackers hit you
        ● Know your tools, because a combination of tools is your best defense
        ● Know your defense plan, so you are sure to react in a well-prepared manner
        ● Know your enemies, so you know their motivation, resources, location and knowledge level
    • Slide 14: What You Can Do: The Basics
        ● Think about using an "event based" webserver (but they have other limits...)
        ● Think about routing the traffic through an external specialist
        ● Understand HTTP Keepalive and decide if you really need it
        ● Lower your timeouts (3s sounds like a decent value in my eyes)
        ● Use mod_reqtimeout
        ● Look into mod_qos (by Pascal Buchbinder, Winterthur)
        ● Use GeoIP
        ● Use netstat
        ● Use tcpdump
        ● Use IP blacklisting
        ● Look into ModSecurity – there are a few useful directives
        ● Look into mod_backdoor
        ● Think about separating uploads / big POSTs from the rest of the application
        ● Forget mod_evasive
    • Slide 15: ModSecurity / mod_reqtimeout stuff
        You work with the following directives:
        ModSecurity: limit the number of connections per client in the read and write state:
            SecReadStateLimit 5
            SecWriteStateLimit 5
        mod_reqtimeout: limit the total timeout per request phase (seconds for the header and for the body):
            RequestReadTimeout header=1, body=30
    • Slide 16: What You Can Do: Combining the Tools
        ● Slowloris type DDoS tools don't ever finish a request -> comparing netstat output and the access log should be able to tell you more
        ● Other DDoS tools do full requests, but they do not fetch follow-up CSS, JavaScript and image files -> the access log has the details
        ● There is a typical median lifetime of a connection to your application -> observing netstat output should give you an idea
        And now the really advanced stuff: run an agent that supervises the connections and observes the access log and the login log (if that exists in your application):
        ● Look for clients accessing the wrong URLs
        ● Look for clients using the wrong method on the wrong URLs (i.e. doing a POST on a page where POST is not expected)
        ● Look for clients having an atypical order of requests
        ● Look for clients with atypical request structure
    • Slide 17: Introducing: flying-frog.rb
        Flying frog is a monitoring agent that hovers over the incoming traffic and the application log. It picks individual attackers, like a frog eats a mosquito.
        Features:
        ● Monitoring SYN requests as they come in (and adding the connections to its own connection table).
        ● Checking the connections in the connection table and calculating their age.
        ● Monitoring the authentication log and registering the auth state of client IPs (their ability to authenticate their session with the server).
        ● Reporting the median connection lifetime of all connections (this is the key variable that tells you if you are under an attack).
        ● Reporting client IPs with more connections than the limit allows.
        ● Reporting client IPs with a connection that is older than the limit allows.
        ● Limits can be configured based on GeoIP country field, port and authentication state: i.e. the maximum lifetime of a connection should be 10s, but authenticated customers from Switzerland on port 443 are allowed 60 seconds (so they can upload their files to the server).
    • Slide 18: Configuring flying-frog.rb
        Limit the individual number of connections:
            $params["basemaxconnection"] = 10
            $params["maxconnectionconditions"] = <<EOF
            country:CH 20
            auth:auth 100
            EOF
        Limit the individual timeouts:
            $params["basetimeout"] = 5
            $params["timeoutconditions"] = <<EOF
            port:443 10
            country:CH 20
            auth:auth 50
            country:CH auth:auth 100
            EOF
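To make the agent idea of slides 16 to 18 concrete, here is an added example (my own illustration, not the flying-frog.rb code from netnea): it parses limit tables in the slide's format, picks the limit that applies to a client by country, port and auth state, computes the median connection lifetime, and reports IPs that exceed their connection count or connection age. The connection table, client attributes and the rule-precedence policy (most specific rule wins, a later rule breaks ties) are assumptions of this example.

```ruby
# Added example, not the original flying-frog.rb: applies flying-frog style
# per-client limits to a connection table. Inputs and the rule-precedence
# policy (most specific rule wins, later rule breaks ties) are assumptions.

# Parse "cond cond ... limit" lines, each cond being key:value.
def parse_conditions(text)
  text.each_line.map(&:split).reject(&:empty?).map do |fields|
    [fields[0..-2].map { |c| c.split(':', 2) }.to_h, Integer(fields[-1])]
  end
end
# Limit for one client; base value when no rule matches all its conditions.
def effective_limit(base, rules, client)
  matching = rules.each_with_index.select do |(conds, _), _|
    conds.all? { |key, value| client[key] == value }
  end
  return base if matching.empty?
  matching.max_by { |(conds, _), idx| [conds.size, idx] }.first[1]
end
# Median connection lifetime: the key number that says whether you are under attack.
def median(values)
  s = values.sort
  s.empty? ? 0 : (s[(s.size - 1) / 2] + s[s.size / 2]) / 2.0
end

# Connections: {ip:, port:, age:} (seconds since the SYN was seen);
# clients: ip => {'country' => GeoIP country, 'auth' => state from the auth log}.
def report(connections, clients, params)
  max_rules = parse_conditions(params['maxconnectionconditions'])
  age_rules = parse_conditions(params['timeoutconditions'])
  flagged = []
  connections.group_by { |c| c[:ip] }.each do |ip, conns|
    conns.each do |c|
      client = clients.fetch(ip, {}).merge('port' => c[:port].to_s)
      flagged << [ip, :too_many] if conns.size > effective_limit(params['basemaxconnection'], max_rules, client)
      flagged << [ip, :too_old] if c[:age] > effective_limit(params['basetimeout'], age_rules, client)
    end
  end
  { median_age: median(connections.map { |c| c[:age] }), flagged: flagged.uniq }
end

# Constructed config in the slide's format and a constructed snapshot: an authenticated
# Swiss customer uploading on 443, a slowloris-style client holding twelve ever-older
# connections on port 80, and an ordinary visitor on 443.
PARAMS = { 'basemaxconnection' => 10, 'basetimeout' => 5,
           'maxconnectionconditions' => "country:CH 20\nauth:auth 100\n",
           'timeoutconditions' => "port:443 10\ncountry:CH 20\nauth:auth 50\ncountry:CH auth:auth 100\n" }
CLIENTS = { '203.0.113.5' => { 'country' => 'CH', 'auth' => 'auth' },
            '198.51.100.7' => { 'country' => 'DE', 'auth' => 'noauth' },
            '192.0.2.9' => { 'country' => 'US', 'auth' => 'noauth' } }
CONNECTIONS = [{ ip: '203.0.113.5', port: 443, age: 40 }] +
              (1..12).map { |age| { ip: '198.51.100.7', port: 80, age: age } } +
              [{ ip: '192.0.2.9', port: 443, age: 8 }]
```

With this snapshot only the port 80 client is reported, for both too many and too old connections, while the authenticated Swiss upload on 443 stays within its 100 second allowance.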
    • Slide 19: Downloading flying-frog.rb
        CAVEAT: flying-frog.rb is provided as is with no warranty attached. It has been tested, but please consider it alpha code quality.
        Download from https://www.netnea.com
    • Slide 20: Defense of Medieval Castles
        Just a thought which might be new to you: footpaths around castles and staircases within the towers are almost always in clockwise direction. Who knows why?