Security Bootcamp 2013 - Mitigate DDoS attack with effective cost - Nguyễn Chấn Việt


  1. Mitigate DDoS attack with effective cost
     Nguyễn Chấn Việt
  2. Organised by: / Sponsored by:
  3. The Growth of DDoS Attacks
     • Malware
     • Exploit
     10/29/2013 11:16 AM www.securitybootcamp.vn
  4. Classification
     • Volume Based Attacks – The attacker tries to saturate the bandwidth of the target’s website by flooding it with a huge quantity of data. This category includes ICMP floods, UDP floods and other spoofed-packet floods. The magnitude of Volume Based Attacks is measured in bits per second (bps).
     • Protocol Attacks – The attacker’s goal is to saturate the target’s server resources or those of intermediate communication equipment (e.g., load balancers) by exploiting network protocol flaws. This category includes SYN floods, Ping of Death, fragmented packet attacks, Smurf DDoS and more. The magnitude of Protocol Attacks is measured in packets per second.
     • Application Layer (Layer 7) Attacks – Designed to exhaust the resource limits of Web services, application layer attacks target specific web applications, flooding them with a huge quantity of HTTP requests that saturate a target’s resources. Examples of application layer DDoS attacks include Slowloris, as well as DDoS attacks that target Apache, Windows, or OpenBSD vulnerabilities. The magnitude of application layer attacks is measured in requests per second.
  5. What do we care about?
     • Exhausting resources like:
       – CPU
       – Memory/Buffers
       – I/O operations
       – Disk space
       – Network bandwidth
  6. Where to start?
     • Go through all devices on the network, from L2 switches to backend servers, and identify possible leaks, bottlenecks, attack vectors, applicable DoS attacks, vulnerabilities ... and mitigate or (rate-)limit them
  7. Infrastructure
     • Hosting and VMs are not a good idea
  8. [1]
  9. Architecture
     • Rule: Defence in depth (multi-layer)
  10. OS Tuning
     • *nix is a good choice
     • Rule: If not used, turn it off
  11. /etc/sysctl.conf tuning
     • net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 2
       net.ipv4.tcp_syn_retries = 3
       net.ipv4.tcp_synack_retries = 1
       net.ipv4.tcp_syncookies = 1
       net.ipv4.tcp_max_syn_backlog = 8192
       net.ipv4.tcp_mem = 786432 1048576 1572864
       net.ipv4.tcp_rmem = 4096 87380 1048576
       net.ipv4.tcp_wmem = 4096 16384 1048576
       net.ipv4.tcp_max_orphans = 2048
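An added example, not from the slides: a small Python audit that parses `sysctl -a` style output, reports which of the values listed on this slide a host has not applied, and emits the `sysctl -w` commands to bring it into line. The sample output is constructed, and the function names are my own.

```python
import re
# Added example: audit a host against the SYN-flood sysctl baseline on the slide.
# Values exactly as listed on the slide (expected sysctl settings).
BASELINE = {
    "net.netfilter.nf_conntrack_tcp_timeout_syn_recv": "2",
    "net.ipv4.tcp_syn_retries": "3",
    "net.ipv4.tcp_synack_retries": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.tcp_max_syn_backlog": "8192",
    "net.ipv4.tcp_mem": "786432 1048576 1572864",
    "net.ipv4.tcp_rmem": "4096 87380 1048576",
    "net.ipv4.tcp_wmem": "4096 16384 1048576",
    "net.ipv4.tcp_max_orphans": "2048",
}

def parse_sysctl(text):
    """Parse `sysctl -a` output ("key = value"); the kernel prints tuple values
    tab-separated, so whitespace is normalised to single spaces for comparison."""
    current = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.\-/]+)\s*=\s*(.*)$", line)
        if m:
            current[m.group(1)] = " ".join(m.group(2).split())
    return current

def audit(current, baseline=BASELINE):
    """Return (drifted, missing): drifted maps key -> (current, expected); missing lists
    keys the host does not expose, e.g. net.netfilter.* when nf_conntrack is not loaded."""
    drifted, missing = {}, []
    for key, expected in baseline.items():
        if key not in current:
            missing.append(key)
        elif current[key] != expected:
            drifted[key] = (current[key], expected)
    return drifted, missing

def remediation(drifted):
    """sysctl -w commands for drifted keys; tuples are quoted so the shell passes them whole."""
    return ['sysctl -w "%s=%s"' % (k, exp) for k, (_, exp) in sorted(drifted.items())]

# Constructed sample of a stock host's values (not captured from a real system).
SAMPLE = """\
net.ipv4.tcp_syn_retries = 6
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_mem = 786432\t1048576\t1572864
net.ipv4.tcp_rmem = 4096\t131072\t6291456
net.ipv4.tcp_wmem = 4096\t16384\t4194304
net.ipv4.tcp_max_orphans = 65536
"""
```

Feed it the real output of `sysctl -a` instead of `SAMPLE` to check a host; a missing conntrack key means the module is not loaded, so that timeout cannot be set yet.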
  12. Layer 3-4
     • Stateful Firewall
       – Iptables
       – Tuning connection tracking
     • Rule: Deny all, allow selectively
  13. Layer 7
     • WAF: to filter what the firewall missed at the IP layer
       – Mod_security
     • Why not Snort?
  14. Layer 7
     • Choosing a webserver
       – Nginx is the best
     • Tuning the webserver
       – Improve Apache with mod_reqtimeout
     • Caching is very important
       – Static cache
       – memcached
  15. Patching
     • Keep your system up to date
     • Examples:
       – Slowloris: based on a missing CRLF
       – Slow Read attack: based on a TCP persist timer exploit
       – Apache Range Header attack
  16. Proactive with NSM
     • Logs are very important
     • My suggestion: Syslog-ng + Splunk
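An added example, not part of the deck, of the kind of check a log pipeline like the one suggested here can run: it parses Apache access log lines and flags clients that flood the server with requests, and clients repeatedly answered 408 Request Timeout, which is how Apache with mod_reqtimeout (slide 14) surfaces the Slowloris-style slow-header clients of slide 15. The log lines, IP addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined/common log: client IP, [timestamp], "request line", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, int(m.group(3))

def find_suspects(lines, rate_limit=20, window=10, timeout_limit=5):
    """Return {ip: reason}: a per-IP sliding window catches request floods, and
    a count of 408 Request Timeout responses (what mod_reqtimeout returns when a
    client never finishes its headers) catches Slowloris-style slow clients."""
    recent = defaultdict(deque)   # ip -> request timestamps inside the window
    timeouts = defaultdict(int)   # ip -> number of 408 responses seen
    suspects = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # malformed line: skip it, do not abort the run
        ip, ts, status = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > rate_limit:
            suspects.setdefault(ip, "flood: more than %d requests in %ds" % (rate_limit, window))
        if status == 408:
            timeouts[ip] += 1
            if timeouts[ip] >= timeout_limit:
                suspects.setdefault(ip, "slow client: %d x 408 Request Timeout" % timeouts[ip])
    return suspects

def sample_log():
    """Constructed log lines (documentation IPs, not real clients): one normal
    visitor, one client sending 30 requests in 8 seconds, one slow-header client."""
    fmt = '%s - - [29/Oct/2013:11:16:%02d +0700] "GET /%s HTTP/1.1" %d 512 "-" "Mozilla"'
    lines = [fmt % ("198.51.100.7", i, "index.html", 200) for i in range(3)]
    lines += [fmt % ("203.0.113.9", i // 4, "search?q=a", 200) for i in range(30)]
    lines += [fmt % ("192.0.2.5", 5, "", 408) for _ in range(5)]
    return lines
```

The flagged addresses are candidates for review and for the selective deny rules of slide 12, not an automatic block list; tune the thresholds to your own baseline traffic first.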
  17. Proactive with NSM
  18. Proactive with NSM
  19. Proactive with NSM
     • Alternative:
       Logstash is a free tool for managing events and logs. It has three primary components, an Input module for collecting logs from various sources
       ElasticSearch is this awesome distributable, RESTful, free Lucene-powered search engine/server. Unlike SOLR, ES is very simple to use and maintain and, similar to SOLR, indexing is near real time.
       Kibana is a presentation layer that sits on top of Elasticsearch to analyze and make sense of logs that Logstash throws into Elasticsearch; Kibana is a highly scalable interface for Logstash and ElasticSearch that allows you to efficiently search, graph, analyze and otherwise make sense of a mountain of logs.
  20. Proactive with NSM
  21. [2] Case Study
  22. Our suggestion
     • Diagram
  23. Our suggestion
     • Router with high throughput
     • Reverse proxy servers:
       – 32Gb RAM, 10Gb NIC, Quad Core i7, SSD disk (for better internal I/O)
       – Linux OS, running IPTables + Apache (worker MPM) + mod_security
  24. Our suggestion
     • Cache servers:
       – Using SSD disk
       – Application cache (e.g. xcache/APC for PHP, …)
       – Generic cache: Apache Traffic Server
  25. Cloud-based Solutions
     • For a large DDoS attack (e.g. Spamhaus was DDoSed with 300Gb/s of traffic), we need a third party:
       – Incapsula
       – CloudFlare
  26. Cloud-based Solutions
  27. Simple but effective
     • If you can determine the C&C servers, just null route them
  28. Testing
     • Test your network and devices by simulating a real DoS attack (LOIC/HOIC, hping, slowhttptest, thc-ssl-dos, pktgen, ...)
  29. Conclusion
     • This approach is not a “silver bullet” for preventing DDoS attacks
     • There isn’t “a technique” for mitigating DDoS
       – DDoS Mitigation = Hardened System + Money
  30. Thank you!