Layer 7 Denial of Service Attack Mitigation
RISTEK - IT lesehan 12 nov 2011
Uploaded as Adobe PDF

Usage Rights: CC Attribution-NonCommercial License
  • Why .pdf? Because I created it using Keynote (.key), and it isn't wise to push people into using Keynote as well. I will not export it to .ppt (because it would be the same or worse) or to .odp. PDF is widely supported, also in SlideShare, and has free readers; that's all I can think of. Any other format to suggest?
  • Why PDF?
  • Cool!!!

Layer 7 Denial of Service Attack Mitigation: Presentation Transcript

  • 1. Layer 7 Denial Of Service Attack Mitigation. IT LESEHAN - y3dips. Saturday, November 12, 11
  • 2. Agenda: Introduction; Denial Of Service; Layer 7 Denial Of Service; Case Stories; Demo; Discussion
  • 3. Introduction: freelance IT security consultant; more than 9 years in IT security; founder of "ECHO", one of the Indonesian hacker communities, established 2003; founder of IDSECCONF - Indonesia Security Conference, in cooperation with DEPKOMINFO. More info: me@ammar.web.id, @y3dips
  • 4. Denial of Service: any activity whose aim is to stop a system from doing its work, as completely as possible, either in part or in whole.
  • 5. DoS: a stupid act; it exhausts your own resources as well. An old story: moby wrote on DDoS in 2003 *, I wrote an Apache DoS in 2003 **; well handled by now. *http://ezine.echo.or.id/ezine2/ddos%7EMoby.txt **http://ezine.echo.or.id/ezine2/dos_buat_apache%7Ey3dips.txt
  • 6. Types of network DoS - Layer 4: attacks on layer 4 protocols: TCP (SYN, FIN, ACK); smurf, TRINOO, Stacheldraht, teardrop
  • 7. Types of network DoS - Layer 7: attacks on layer 7 protocols: HTTP, FTP, DNS; HTTP slow POST, HTTP GET flood
  • 8. Real Life Stories: when this all began
  • 9. DoS against ECHO: 7-8 November 2011; unknown motives; Echo web access down
  • 10. Attack Detection
  • 11. Look at the scene (TKP) :)
  • 12. Check that the DoS is real: down only for you, or for everyone? :D http://downforeveryoneorjustme.com/
  • 13. Analyze :|
  • 14. Analyze: is the whole server down, or only a specific service?
  • 15. In this case, port 80 is down
  • 16. Layer 7 DoS: let's dig around on port 80!
  • 17. See the stats :)
  • 18. AWStats summary for echo.or.id (report period Nov 2011, last updated 08 Nov 2011 - 14:20; first visit 01 Nov 2011 - 00:00, last visit 08 Nov 2011 - 11:35): 10,021 unique visitors, 14,357 visits, 102,822 pages, 417,078 hits, 1.45 GB bandwidth (1.43 visits/visitor, 7.16 pages/visit, 29.05 hits/visit, 105.69 KB/visit). Traffic not viewed (robots, worms, replies with special HTTP status codes): 88,111 pages, 145,915 hits, 395.12 MB. Seems all legit (11/9/11).
  • 19-20. 7, 8 November?
  • 21. Ask the logs :)
  • 22. Logs: HTTP/S logs - http-access, http-error
  • 23. A valid one
  • 24. A valid one, but also an HTTP GET flood
  • 25. Conclusion: it's an HTTP GET flood; the connection needs to be established; the IP needs to be valid? (Yes: a GET is only logged after the TCP handshake completes, so the source address cannot be spoofed the way it can in a SYN flood, which is what makes per-IP blocking practical.)
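The detection step on slides 21-25 (read the access log, separate the valid visitors from the GET flood) can be scripted. The following is an added example, not code from the slides: it parses Apache "combined" log lines, buckets GET requests per source IP per minute, and flags any IP whose peak rate exceeds a threshold. The log lines are constructed for the example; the flooding address 203.0.113.7, the legitimate visitor 198.51.100.9 and the 60 GETs/minute threshold are assumptions chosen for illustration.

```python
"""HTTP GET flood detection over Apache access-log lines.

Added example, not code from the slides. The log lines are constructed;
the offending IP and the per-minute threshold are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def requests_per_minute(lines, method="GET"):
    """Map each source IP to a Counter of requests per clock minute."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != method:
            continue
        minute = rec["ts"].replace(second=0, microsecond=0)
        buckets[rec["ip"]][minute] += 1
    return buckets


def flood_sources(lines, max_per_minute=60):
    """Return {ip: peak GETs in one minute} for IPs over the threshold.

    A GET only reaches the log after the TCP handshake completed, so
    (unlike a SYN flood) the source address here is real and blockable.
    """
    flagged = {}
    for ip, per_minute in requests_per_minute(lines).items():
        peak = max(per_minute.values())
        if peak > max_per_minute:
            flagged[ip] = peak
    return flagged


def _line(ip, minute, second, path="/"):
    # Constructed combined-format line for the sample below.
    return (f'{ip} - - [07/Nov/2011:10:{minute:02d}:{second:02d} +0700] '
            f'"GET {path} HTTP/1.1" 200 4096 "-" "Mozilla/5.0"')


# Constructed sample: 203.0.113.7 fires 120 GETs inside the minute 10:15,
# 198.51.100.9 visits three pages over ten minutes, one line is garbage.
SAMPLE_LOG = (
    [_line("203.0.113.7", 15, i % 60) for i in range(120)]
    + [_line("198.51.100.9", m, 5, "/page%d" % m) for m in (11, 15, 21)]
    + ["this line is garbage and is skipped"]
)

if __name__ == "__main__":
    for ip, peak in flood_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} GET/min -> iptables -A INPUT -s {ip} -p tcp -j DROP")
```

Run it against a real log with `flood_sources(open("/var/log/apache2/access.log"))`; tune `max_per_minute` from the per-IP rates AWStats reports for normal days (slide 18), since a busy legitimate proxy or crawler can exceed a naive limit.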
  • 26. Learn from the code :)
  • 27. *Credit to Google for the code, just dug and found it
  • 28. Attack Mitigation
  • 29. Mitigation: always have your backup; no privileged access to the server? REPORT IT
  • 30. Mitigation, if you have the privileges: check with netstat -n | grep 80 | wc -l; block with iptables -A INPUT -s x.x.x.x -p tcp -j TARPIT or iptables -A INPUT -s x.x.x.x -p tcp -j DROP
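The slide's one-liner counts every netstat line containing "80" (so it also counts port 8080, port 180, or any address with "80" in it, and connections in TIME_WAIT). The following is an added example, not from the slides: it compares the local port exactly, counts only ESTABLISHED connections per remote address, and emits the iptables rules from slide 30 for addresses above a limit instead of running them. The netstat output is constructed; 203.0.113.7 as the offender and the connection limit are assumptions.

```python
"""Per-source connection count on port 80 and the matching iptables rules.

Added example, not from the slides. The netstat lines are constructed;
the offender and the limit are assumptions. Nothing here executes
iptables; the commands are returned as strings for review.
"""
from collections import Counter

# Constructed Linux `netstat -n` output. Note the 8080 and :22 lines and the
# address 192.0.2.80, all of which a plain `grep 80` would count.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:8080           192.0.2.80:40002        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.80:40003        ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       TIME_WAIT
""".splitlines()


def connections_to_port(netstat_lines, port=80, state="ESTABLISHED"):
    """Count connections per remote IP whose local port equals `port`."""
    counts = Counter()
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        local, remote, conn_state = parts[3], parts[4], parts[5]
        if conn_state != state:
            continue
        if local.rsplit(":", 1)[1] != str(port):
            continue
        counts[remote.rsplit(":", 1)[0]] += 1
    return counts


def block_rules(counts, limit=20, target="DROP"):
    """iptables commands (as on slide 30) for sources above `limit`.

    TARPIT (from xtables-addons, not stock netfilter) keeps the attacker's
    connections open with a zero window instead of dropping them; DROP is
    always available.
    """
    return [f"iptables -A INPUT -s {ip} -p tcp -j {target}"
            for ip, n in sorted(counts.items()) if n > limit]


if __name__ == "__main__":
    counts = connections_to_port(SAMPLE_NETSTAT)
    for ip, n in counts.most_common():
        print(f"{n:4d} {ip}")
    for rule in block_rules(counts, limit=2, target="TARPIT"):
        print(rule)
```

On a live box feed it real output, for example `connections_to_port(subprocess.run(["netstat", "-nt"], capture_output=True, text=True).stdout.splitlines())`, and review the printed rules before applying them as root; a `-s` rule is per source address, so a distributed flood needs a different control than a single flooding IP.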
  • 31. TARPITING: care to send and double the packets :) ? http://www.secureworks.com/research/threats/ddos/
  • 32. Hardening Apache: Timeout, default 300 seconds (5 minutes), recommended 10 seconds. Timeout protects the server from a large number of requests that the attacker never closes: if no transaction happens within that time (10 seconds), Apache drops the connection.
  • 33. Hardening Apache: KeepAlive On. KeepAlive allows several HTTP requests to be made over one connection. KeepAliveTimeout 15 seconds (the slide writes this as "KeepAlive = 15 detik"; the directive that takes the seconds value is KeepAliveTimeout). This setting protects the server from keepalive connections that carry no transaction.
  • 34. Hardening Apache: AcceptFilter http data and AcceptFilter https data. Protects against the kind of attack where the attacker opens a socket connection and leaves it idle with no data transfer. Requiring data on http and https minimizes this kind of attack.
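The three hardening slides as one httpd.conf fragment, added here as an example rather than copied from the slides. The values follow the slides except where noted in the comments: KeepAliveTimeout is shown at the Apache 2.2+ default of 5 seconds instead of the slide's 15, and the RequestReadTimeout block goes beyond the slides (mod_reqtimeout, Apache 2.2.15 and later) to cover the slow-POST variant listed on slide 7. The numeric limits are starting points, not measured values.

```apache
# Timeout: Apache default is 300 s. This bounds how long the server waits
# for the client to send data (the request line, the next header, or the
# next chunk of the body) before dropping the connection.
Timeout 10

# KeepAlive lets one TCP connection carry several requests; keep it On so
# legitimate browsers stay fast, but cap how long an idle keep-alive
# connection is held. Slide 33 uses 15 s; 5 s is the Apache 2.2+ default
# and lower is tighter under attack.
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100

# AcceptFilter: on Linux the "data" filter sets TCP_DEFER_ACCEPT, so a
# connection is not handed to a worker until the client has actually
# sent something. An attacker who only opens sockets and idles is held
# in the kernel instead of occupying a worker.
AcceptFilter http data
AcceptFilter https data

# Beyond the slides: mod_reqtimeout bounds how long a client may take to
# send the request headers and body and enforces a minimum rate, which is
# what stops the slow-POST variant (Timeout alone resets on every byte).
<IfModule reqtimeout_module>
    RequestReadTimeout header=10-20,MinRate=500 body=20,MinRate=500
</IfModule>
```

Check the result with `apachectl configtest` before reloading, and confirm the module is loaded with `apachectl -M | grep reqtimeout`; on distributions that split the config, KeepAlive and Timeout are usually already set once in the main file and must be changed there rather than duplicated.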
  • 35. Demo
  • 37. Closing slide: Layer 7 Denial Of Service Attack Mitigation. IT LESEHAN - y3dips