lightning talk proposal

1. DDoS: practical survival guide
   Alexander Lyamin <la@highloadlab.com>

2. Poor man's version.

3. Q1 2012
   • Incidents: 365
   • Daily max: 12
   • Avg. botnet size: 2637
   • Max botnet size: 37834

4. Daily
   [chart: incidents per day, January to March; y-axis 0 to 12]

5. Weekday distribution
   [bar chart, Monday to Sunday; y-axis 0.00% to 20.00%; bar values 17.26%, 16.71%, 15.89%, 14.52%, 14.25%, 11.78%, 9.59%]

6. High speed attacks
   • > 1 Gbps: 3.56%
   • < 1 Gbps: 96.44%

7. Spoofed source attacks
   • Spoofed: 22.74%
   • Full connect: 77.26%

8. Scary stuff
   • DNS: NIC, Masterhost, FastVPS.
   • DataCenters: CROK, WAhome.
   • "Invisible" elections botnets.
   • Minerbot.

9. New reality
   • 1k botnet - 100-160 USD.
   • Readily available botnet toolkits.
   • Fall of prices - 20 USD/day.

10. New competition

11. Apache mod_evasive

12. Apache mod_evasive
    <IfModule mod_evasive20.c>
        DOSHashTableSize 3097
        DOSPageCount 8
        DOSSiteCount 100
        DOSPageInterval 2
        DOSSiteInterval 2
        DOSBlockingPeriod 600
        DOSEmailNotify secure@adminmail.com
    </IfModule>

13. Apache mod_evasive
    Positive: It works!
    Negative: Apache.

14. Iptables --string

15. Iptables --string
    iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET / HTTP" --algo kmp --to 1024 -m recent --set --name httpddos --rsource
    iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET / HTTP" --algo kmp --to 1024 -m recent --update --seconds 10 --hitcount 2 --name httpddos --rsource -j DROP

16. Iptables --string
    Positive: It works. It's fast.
    Negative: Not always works (fragmented packets). Not always fast (kmp-matched packets). Orphaned sockets + retransmit. Requires conntrack (stateful is bad).
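As an added illustration (not from the slides), a small Python model of the two iptables rules above: the `-m recent --set` rule records every matching GET per source, and the `--update --seconds 10 --hitcount 2` rule drops a source's second match inside the window. The packet trace is constructed; it reproduces the retransmit false positive listed under Negative, and the `RecentTable` class is a simplified stand-in for the kernel's xt_recent list, not its real code.

```python
from collections import defaultdict

class RecentTable:
    """Toy model of the kernel xt_recent list behind '-m recent'. Per source
    address it keeps hit timestamps (unbounded here; the real list is a ring)."""

    def __init__(self):
        self.hits = defaultdict(list)

    def set(self, src, now):
        # '--set': add the source to the list, or record another hit for it.
        self.hits[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # '--update --seconds S --hitcount N': match only if the source is listed
        # with at least N hits in the last S seconds; a match also refreshes it.
        if src not in self.hits:
            return False
        in_window = sum(1 for t in self.hits[src] if now - t <= seconds)
        if in_window < hitcount:
            return False
        self.hits[src].append(now)
        return True

def filter_packets(packets, seconds=10, hitcount=2):
    """Apply the slide's two rules, in order, to (time, src, payload) tuples
    and return one verdict per packet: 'ACCEPT' or 'DROP'."""
    table = RecentTable()
    verdicts = []
    for when, src, payload in packets:
        # '-m string --string "GET / HTTP" --algo kmp --to 1024': only the first
        # 1024 payload bytes are searched, and only requests for exactly "/".
        if "GET / HTTP" in payload[:1024]:
            table.set(src, when)                            # rule 1
            if table.update(src, when, seconds, hitcount):  # rule 2
                verdicts.append("DROP")
                continue
        verdicts.append("ACCEPT")
    return verdicts

# Constructed trace: a client's request, its TCP retransmission 3 s later (ACK
# lost), another client asking for a different path, and a fresh request at 20 s.
TRACE = [
    (0, "192.0.2.10", "GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    (3, "192.0.2.10", "GET / HTTP/1.1\r\nHost: example\r\n\r\n"),  # retransmit
    (4, "192.0.2.20", "GET /index.html HTTP/1.1\r\n\r\n"),
    (20, "192.0.2.10", "GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
]
VERDICTS = filter_packets(TRACE)   # ['ACCEPT', 'DROP', 'ACCEPT', 'ACCEPT']
```

The retransmitted segment is indistinguishable from a second request to the rule, which is why the legitimate client ends up with a dropped packet and an orphaned socket.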
17. NGINX testcookie_module

18. JS

19. Cookie/Redirect

20. NGINX testcookie_module
    testcookie_name BPC;
    testcookie_secret keepmescret;
    testcookie_session $remote_addr;
    testcookie_arg attempt;
    testcookie_max_attempts 3;
    testcookie_fallback /cookies.html?backurl=http://$host$request_uri;
    testcookie_get_only on;

    location / {
        testcookie on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:8080;
    }

    More reading: http://habrahabr.ru/post/139931/

21. NGINX testcookie_module
    Positive: It works. NGINX. It's fast. Predictable. Expandable (Flash, QT checks).
    Negative: Doesn't block traffic.* Alters UX. Is not effective on FBS.
    * That's what ipset is for.

22. Neural network (PyBrain)

23. Neural network (PyBrain)
    Request:
    0.0.0.0 - - [20/Dec/2011:15:00:03 +0400] "GET /forum/rss.php?topic=347425 HTTP/1.0" 200 1685 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9) Gecko/2008052906 Firefox/3.0"
    Dictionary:
    [__UA___OS_U, __UA_EMPTY, __REQ___METHOD_POST, __REQ___HTTP_VER_HTTP/1.0, __REQ___URL___NETLOC_, __REQ___URL___PATH_/forum/rss.php, __REQ___URL___PATH_/forum/index.php, __REQ___URL___SCHEME_, __REQ___HTTP_VER_HTTP/1.1, __UA___VER_Firefox/3.0, __REFER___NETLOC_www.mozilla-europe.org, __UA___OS_Windows, __UA___BASE_Mozilla/5.0, __CODE_503, __UA___OS_pl, __REFER___PATH_/, __REFER___SCHEME_http, __NO_REFER__, __REQ___METHOD_GET, __UA___OS_Windows NT 5.1, __UA___OS_rv:1.9, __REQ___URL___QS_topic, __UA___VER_Gecko/2008052906]
    More reading: http://habrahabr.ru/post/136237/

24. Neural network (PyBrain)
    Positive: It works. Nerd award!
    Negative: May not work. No historical analysis.
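An added example, not from the talk or the PyBrain project: a Python tokenizer that turns a combined-format access-log line into feature tokens named like the dictionary on slide 23, plus the 0/1 vector a network input layer would consume. The log regex and the way the user agent is split into BASE/OS/VER tokens are my own assumptions about how the author produced those features; the sample line is the one from the slide.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [time] "method url version" code size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<ver>[^"]+)" (?P<code>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def request_features(line):
    """Map one access-log line to the set of tokens used on the slide."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparseable log line: " + line)
    f = {"__REQ___METHOD_" + m["method"], "__REQ___HTTP_VER_" + m["ver"],
         "__CODE_" + m["code"]}
    u = urlsplit(m["url"])
    f |= {"__REQ___URL___SCHEME_" + u.scheme, "__REQ___URL___NETLOC_" + u.netloc,
          "__REQ___URL___PATH_" + u.path}
    f |= {"__REQ___URL___QS_" + k for k in parse_qs(u.query, keep_blank_values=True)}
    ref = m["referer"]
    if ref in ("", "-"):
        f.add("__NO_REFER__")
    else:
        r = urlsplit(ref)
        f |= {"__REFER___SCHEME_" + r.scheme, "__REFER___NETLOC_" + r.netloc,
              "__REFER___PATH_" + r.path}
    ua = m["ua"]
    if ua in ("", "-"):
        f.add("__UA_EMPTY")
    else:
        # "Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9) Gecko/2008052906 Firefox/3.0"
        # -> one BASE token, one OS token per ';' field, one VER token per trailing word.
        base, _, rest = ua.partition("(")
        f.add("__UA___BASE_" + base.strip())
        inside, _, tail = rest.partition(")")
        f |= {"__UA___OS_" + part.strip() for part in inside.split(";") if part.strip()}
        f |= {"__UA___VER_" + word for word in tail.split()}
    return f

def vectorize(features, dictionary):
    """0/1 input vector for the network: one slot per dictionary token."""
    return [1 if tok in features else 0 for tok in dictionary]

# The request shown on the slide (quotes around the user agent restored).
SLIDE_LINE = ('0.0.0.0 - - [20/Dec/2011:15:00:03 +0400] '
              '"GET /forum/rss.php?topic=347425 HTTP/1.0" 200 1685 "-" '
              '"Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9) '
              'Gecko/2008052906 Firefox/3.0"')
```

Running `vectorize(request_features(line), dictionary)` over a labelled log sample gives the fixed-width inputs PyBrain's feed-forward network needs; the slide's "No historical analysis" negative follows directly from this per-request design, since nothing in the vector depends on earlier requests from the same source.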
25. tcpdump

26. tcpdump
    tcpdump -v -n -c 250 -w attack.log dst port 80
    tcpdump -nr attack.log | awk '{print $3}' | grep -oE '[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}' | sort | uniq -c | sort -rn

27. tcpdump
    Positive: It works.
    Negative: why tcpdump? Ask kernel!

28. Summary
    • Every solution works.
    • Not always.
    • Not for everyone.
    • UPTIME > DOWNTIME.

29. Definition of happiness
    • Minimal FALSE POSITIVES.
    • No vulnerabilities on lower levels.
    • Up to challenge.

30. NGINX testcookie_module

31. One last thing… (protect your TCP stack)
    [pie charts repeated from slides 6 and 7: Spoofed 22.74% / Full connect 77.26%; > 1 Gbps 3.56% / < 1 Gbps 96.44%]

32. Have a fun ride!

33. Homework.
    1. NGINX/ipset preinstalled.
    2. No conntrack.
    3. Dedicated IP per critical published service.
    4. Blackhole communities present and tested.