DDoS Attacks & Countermeasures Duong Ngoc Thai <thaidn AT gmail DOT com> http://vnhacker.blogspot.com

Duong Ngoc Thai

<thaidn AT gmail DOT com>

Hello!

Overview DDoS Attacks What's new? DDoS Countermeasures What NOT to do? What to do? Q & A

DDoS Attacks

What's new?

DDoS Countermeasures

What NOT to do?

What to do?

Q & A

Part I DDoS Attacks – What's new? Botnet Attacks DRDoS Distributed Reflected DNS Attacks xFlash Attacks HTTP-based applications Welcome to the brave new world of Flash 9 Socket

DDoS Attacks – What's new?

Botnet Attacks

DRDoS

Distributed Reflected DNS Attacks

xFlash Attacks

HTTP-based applications

Welcome to the brave new world of Flash 9 Socket

What is botnet?

DDoS Attacks through Botnet Traditional DDoS Attacks DRDoS

Traditional DDoS Attacks

DRDoS

DDoS Attacks through Botnet Distributed Reflected DNS Attacks

Distributed Reflected DNS Attacks

Okay, botnet is scary . But wait, there's no botnet in VN, YET!

Bad news: building a botnet is easy! bot source code is available for free! some even released under GPL !

bot source code is available for free! some even released under GPL !

Bad news: building a botnet is easy! Gái đẹp online đây bà con ơi!!!! Remember gaixinh or xRobot ?

Gái đẹp online đây bà con ơi!!!! Remember

gaixinh or xRobot ?

Bad news: building a botnet is easy! I don't want to pay for software! ever wonder what those keygen.exe or crack.exe actually do? no license --> no update --> hack me please! (hint: use Linux )

I don't want to pay for software!

ever wonder what those keygen.exe or crack.exe

actually do?

no license --> no update --> hack me please!

(hint: use Linux )

Bad news: building a botnet is easy! can't build yourself? buy one online!

can't build yourself? buy one online!

Vietnam Botnet Factbook

What's xFlash? ActionScript in Flash can send HTTP requests to 3rd party sites through the browser which invoked it.

ActionScript in Flash can send HTTP requests to 3rd party sites through the browser which invoked it.

What's xFlash? The main DDoS attack mechanism used to attack many websites in VN: hvaonline.net, vietco.com, ddth.com , <insert your sites here>, etc...

The main DDoS attack mechanism used to attack many websites in VN: hvaonline.net, vietco.com, ddth.com , <insert your sites here>, etc...

xFlash to attack HTTP-based applications <insert x-flash source code here>

<insert x-flash source code here>

xFlash to attack HTTP-based applications forging HTTP request headers var req:LoadVars=new LoadVars(); req.addRequestHeader(&quot;Foo&quot;,&quot;Bar&quot;); req.send(&quot;http://www.site.com/index.php&quot;,&quot;_blank&quot;,&quot; GET &quot;);

forging HTTP request headers

var req:LoadVars=new LoadVars();

req.addRequestHeader(&quot;Foo&quot;,&quot;Bar&quot;);

req.send(&quot;http://www.site.com/index.php&quot;,&quot;_blank&quot;,&quot; GET &quot;);

xFlash to attack HTTP-based applications forging HTTP request headers var req:LoadVars=new LoadVars(); req.addRequestHeader(&quot;Foo&quot;,&quot;Bar&quot;); req.decode(&quot;a=b&c=d&quot;); req.send(&quot;http://www.site.com/index.php&quot;,&quot;_blank&quot;,&quot; POST &quot;);

forging HTTP request headers

var req:LoadVars=new LoadVars();

req.addRequestHeader(&quot;Foo&quot;,&quot;Bar&quot;);

req.decode(&quot;a=b&c=d&quot;);

req.send(&quot;http://www.site.com/index.php&quot;,&quot;_blank&quot;,&quot; POST &quot;);

Welcome to The Brave New World of Flash 9 Socket Quote from Flash 9 documentation “ The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols.”

Quote from Flash 9 documentation

“ The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols.”

Welcome to The Brave New World of Flash 9 Socket Quote from Flash 9 documentation “ The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols.” Let's port nmap to ActionScript !

Quote from Flash 9 documentation

“ The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols.”

Welcome to The Brave New World of Flash 9 Socket Quote from Flash 9 documentation “ The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols.” Let's port nmap to ActionScript ! Err wait, how about same origin policy ?

Quote from Flash 9 documentation

“ The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols.”

Let's port nmap to ActionScript !

Err wait, how about same origin policy ?

Part II DDoS Countermeasures DON'T .htaccess referer checking PHP anti-DDoS script DOs performance tuning - killing the bottlenecks start small, think big defense in depth

DDoS Countermeasures

DON'T

.htaccess

referer checking

PHP anti-DDoS script

DOs

performance tuning - killing the bottlenecks

start small, think big

defense in depth

First thing first: SHOW ME THE MONEY

Security is always a trade-off

The Art Of Performance Tuning What is performance?

What is performance?

The Art Of Performance Tuning What is performance? rps = requests per second cu = concurrent users

What is performance?

rps = requests per second

cu = concurrent users

Howto Find The Bottlenecks code profiling – xdebug system profiling – oprofile database query profiling

code profiling – xdebug

system profiling – oprofile

database query profiling

Caching's Your Good Friend, Always opcode caching – APC, Zend Platform object caching – memcached http request caching - squid

opcode caching – APC, Zend Platform

object caching – memcached

http request caching - squid

Start Small Think BIG what is scalability?

what is scalability?

Start Small Think BIG what is scalability? readily enlarged what is scalable system? able to accommodate increased usage able to accommodate an increased dataset maintainable

what is scalability?

readily enlarged

what is scalable system?

able to accommodate increased usage

able to accommodate an increased dataset

maintainable

Hello, world! Is Very Scalable <?php sleep(1); echo “Hello, world!”; ?>

<?php

sleep(1);

echo “Hello, world!”;

?>

Verizontal vs Horizontal Scaling

Share Nothing Architecture

Scaling The Database With SNA

Scaling The Storage Amazon S3 anybody?

Amazon S3 anybody?

Wikipedia: a scalable system

The Blueprint of Defense In Depth

The case for the reverse proxy

Recommend Reading Building scalable web sites Kí sự các vụ DDoS vào HVAOnline.net

Building scalable web sites

Kí sự các vụ DDoS vào HVAOnline.net

DDoS Attacks & Countermeasures Thank you! Questions/Comments? Duong Ngoc Thai

Thank you!

Questions/Comments?