DDoS: practical survival
Published in: Technology

1 Comment
0 Likes
Statistics
Notes
  • Be the first to like this

No Downloads
Views
Total Views
1,449
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
48
Comments
1
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. DDoS: practical survival guide. Alexander Lyamin <la@highloadlab.com>
  • 2. Q1 2012
      • Incidents: 365
      • Daily max: 12
      • Avg. botnet size: 2637
      • Max botnet size: 37834
  • 3. 2012: 1 Jan – 30 May
      • Incidents: 728
      • Daily max: 51
      • Avg. botnet size: 3288
      • Max botnet size: 116265
  • 4. Daily (chart: daily incident count, January through May 2012; y-axis 0 to 55)
  • 5. Weekday distribution (chart: share of incidents per weekday, Monday through Sunday; bar values range from 10.85% to 18.82%)
  • 6. High speed attacks: >=1Gbps 3.16%, <1Gbps 96.84%.
  • 7. Spoofed source attacks: spoofed 29.67%, full connect 70.33%.
  • 8. Scary stuff
      • DNS: NIC, Masterhost, FastVPS.
      • DataCenters: CROC, WAhome.
      • “Invisible” Russian elections botnets.
      • Minerbot.
  • 9. New reality
      • 1k botnet - 100-160 USD.
      • Readily available botnet toolkits.
      • Fall of prices - 20 USD/day.
  • 10. New competition
  • 11. Apache mod_evasive
  • 12. Apache mod_evasive
        <IfModule mod_evasive20.c>
            DOSHashTableSize 3097
            DOSPageCount 8
            DOSSiteCount 100
            DOSPageInterval 2
            DOSSiteInterval 2
            DOSBlockingPeriod 600
            DOSEmailNotify secure@adminmail.com
        </IfModule>
  • 13. Apache mod_evasive. Positive: It works! Negative: Apache.
  • 14. Iptables --string
  • 15. Iptables --string (first rule records the source of every "GET / HTTP" on port 80 in the "httpddos" recent-list; second rule drops a source seen twice within 10 seconds; --to takes a space-separated byte offset)
        iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET / HTTP" --algo kmp --to 1024 -m recent --set --name httpddos --rsource
        iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET / HTTP" --algo kmp --to 1024 -m recent --update --seconds 10 --hitcount 2 --name httpddos --rsource -j DROP
  • 16. Iptables --string. Positive: It works. It's fast. Negative: Doesn't always work (fragmented packets). Not always fast (kmp-matched packets). Orphaned sockets + retransmit. Requires conntrack (stateful is bad).
  • 17. NGINX testcookie_module
  • 18. JS
  • 19. Cookie/Redirect
  • 20. NGINX testcookie_module
        testcookie_name BPC;
        testcookie_secret keepmescret;
        testcookie_session $remote_addr;
        testcookie_arg attempt;
        testcookie_max_attempts 3;
        testcookie_fallback /cookies.html?backurl=http://$host$request_uri;
        testcookie_get_only on;
        location / {
            testcookie on;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://127.0.0.1:8080;
        }
        Further reading: http://habrahabr.ru/post/139931/
  • 21. NGINX testcookie_module. Positive: It works. It's fast. Predictable. Expandable (Flash, QT checks). Negative: Doesn't block traffic* (NGINX). Alters UX. Is not effective on FBS. *That's what ipset is for.
  • 22. Neuron network PyBrain
  • 23. Neuron network PyBrain
        Request:
        0.0.0.0 - - [20/Dec/2011:15:00:03 +0400] "GET /forum/rss.php?topic=347425 HTTP/1.0" 200 1685 "-" "Mozilla/5.0(Windows; U; Windows NT 5.1; pl; rv:1.9) Gecko/2008052906 Firefox/3.0"
        Dictionary:
        [__UA___OS_U, __UA_EMPTY, __REQ___METHOD_POST, __REQ___HTTP_VER_HTTP/1.0, __REQ___URL___NETLOC_, __REQ___URL___PATH_/forum/rss.php, __REQ___URL___PATH_/forum/index.php, __REQ___URL___SCHEME_, __REQ___HTTP_VER_HTTP/1.1, __UA___VER_Firefox/3.0, __REFER___NETLOC_www.mozilla-europe.org, __UA___OS_Windows, __UA___BASE_Mozilla/5.0, __CODE_503, __UA___OS_pl, __REFER___PATH_/, __REFER___SCHEME_http, __NO_REFER__, __REQ___METHOD_GET, __UA___OS_Windows NT5.1, __UA___OS_rv:1.9, __REQ___URL___QS_topic, __UA___VER_Gecko/2008052906]
        Further reading: http://habrahabr.ru/post/136237/
  • 24. Neuron network PyBrain. Positive: It works. Nerd award! Negative: May not work. No historical analysis.
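The dictionary on slide 23 is the input layer of the network: each access-log line is broken into __REQ__/__UA__/__REFER__/__CODE_ tokens and mapped to a binary vector in dictionary order. The tokenizer below reproduces that feature extraction; it is an added example written for this transcript, not the talk's PyBrain code, and the log line is a constructed copy of the slide's request (the UA parsing rules are an assumption about how the slide's tokens were derived).

```python
import re
from urllib.parse import urlsplit

# Constructed sample in combined-log format, mirroring the slide's request.
SAMPLE_LINE = ('0.0.0.0 - - [20/Dec/2011:15:00:03 +0400] "GET /forum/rss.php?topic=347425 HTTP/1.0" '
               '200 1685 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9) Gecko/2008052906 Firefox/3.0"')

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"')
# UA = product token, optional "(os; fields)" block, remaining version tokens (assumed split).
UA_RE = re.compile(r'([^\s(]+)\s*(?:\(([^)]*)\))?\s*(.*)')

def tokenize(line):
    """Turn one access-log line into the slide's categorical feature tokens."""
    m = LOG_RE.match(line)
    if not m:
        return set()                      # unparsable line contributes no features
    _ip, request, code, referer, ua = m.groups()
    toks = {"__CODE_" + code}
    parts = request.split(" ")
    if len(parts) == 3:
        method, url, ver = parts
        u = urlsplit(url)
        toks |= {"__REQ___METHOD_" + method, "__REQ___HTTP_VER_" + ver,
                 "__REQ___URL___SCHEME_" + u.scheme, "__REQ___URL___NETLOC_" + u.netloc,
                 "__REQ___URL___PATH_" + u.path}
        toks |= {"__REQ___URL___QS_" + k for k in re.findall(r'([^&=]+)=', u.query)}
    if referer == "-":
        toks.add("__NO_REFER__")
    else:
        r = urlsplit(referer)
        toks |= {"__REFER___SCHEME_" + r.scheme, "__REFER___NETLOC_" + r.netloc,
                 "__REFER___PATH_" + r.path}
    if not ua or ua == "-":
        toks.add("__UA_EMPTY")            # bots frequently send no User-Agent at all
    else:
        base, osinfo, rest = UA_RE.match(ua).groups()
        toks.add("__UA___BASE_" + base)
        toks |= {"__UA___OS_" + f.strip() for f in (osinfo or "").split(";") if f.strip()}
        toks |= {"__UA___VER_" + v for v in rest.split()}
    return toks

def vectorize(toks, dictionary):
    """Binary feature vector in dictionary order: what the network is fed."""
    return [1 if d in toks else 0 for d in dictionary]
```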
  • 25. tcpdump
  • 26. tcpdump (capture 250 packets to port 80, then count packets per source address)
        tcpdump -v -n -w attack.log dst port 80 -c 250
        tcpdump -nr attack.log | awk '{print $3}' | grep -oE '[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}' | sort | uniq -c | sort -rn
  • 27. tcpdump. Positive: It works. Negative: Why tcpdump? Ask kernel (nicely)!
  • 28. Cisco ASA
  • 29. Cisco ASA
  • 30. Cisco ASA. Positive: It works. Expen$ive High Performance $olution. Negative: Performance is theoretical. Fun is real.
  • 31. More recipes
  • 32. Recipes VS LOIC/HOIC
      • HTTP1.0 + Host header
      • Header order signatures
      • Leading space character signature
      • Mod_security
      • Snort
        More reading: http://blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html
  • 33. Results?
      • Every solution works.
      • Not always.
      • Not for everyone.
      • UPTIME > DOWNTIME.
  • 34. Definition of happiness
      • Minimal FALSE POSITIVES.
      • No vulnerabilities on lower levels.
      • Up to challenge.
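The three request-level signatures on slide 32 (an HTTP/1.0 request that carries a Host header, a fixed header order, a header line led by whitespace) are the kind of check a mod_security or Snort rule encodes. The detector below applies them to raw request bytes; it is an added example for this transcript, not code from the talk, the two requests are constructed, the header-order list is a placeholder you would fill from your own captures, and reading "leading space" as a whitespace-led header line is an assumption.

```python
# Constructed sample requests (not captured traffic).
SUSPECT = (b"GET / HTTP/1.0\r\n"
           b" Accept: */*\r\n"              # whitespace-led header line
           b"Host: www.example.com\r\n"     # Host on an HTTP/1.0 request
           b"User-Agent: Mozilla/4.0\r\n\r\n")
NORMAL = (b"GET / HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"User-Agent: Mozilla/5.0\r\n"
          b"Accept: text/html\r\n\r\n")

# Header-order fingerprints you have decided to flag: PLACEHOLDER values, not from the slides.
KNOWN_BAD_ORDERS = {("accept", "host", "user-agent")}

def parse_request(raw):
    """Split a raw request into its request line and (raw name, value) header pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name, value.strip()))   # raw name kept so leading whitespace is visible
    return lines[0], headers

def signatures(raw):
    """Return the names of the slide-32 signatures this request matches (empty list = clean)."""
    request_line, headers = parse_request(raw)
    hits = []
    version = request_line.rsplit(" ", 1)[-1]
    names = [n.strip().lower() for n, _ in headers]
    if version == "HTTP/1.0" and "host" in names:
        hits.append("http10_with_host")
    if any(n != n.lstrip() for n, _ in headers):
        hits.append("leading_space_header")
    if tuple(names) in KNOWN_BAD_ORDERS:
        hits.append("header_order")
    return hits
```

Score, don't block, on a single hit: HTTP/1.0 plus Host is also what some proxies and monitoring probes send, so combine with rate data before acting.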
  • 35. NGINX testcookie_module
  • 36. One last thing… (protect your TCP stack): spoofed 29.67% / full connect 70.33%; >=1Gbps 3.16% / <1Gbps 96.84%.
  • 37. Have a fun ride!
  • 38. Homework.
      1. NGINX/ipset pre-installed.
      2. No stateful firewalls.
      3. Fortified TCP stack.
      4. Dedicated IP per critical published service.
      5. Blackhole communities present and tested.