A Cyberwarfare Weapon: SlowReq
Maurizio Aiello

maurizio.aiello@ieiit.cnr.it

Consiglio Nazionale delle Ricerche
Instituto...
CNR - Instituto di Elettronica e di Ingegneria dell’Informazione e delle Telecomunicazioni

mail: maurizio.aiello@ieiit.cnr.it

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,013
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
9
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

A Cyberwarfare Weapon: Slowreq

1. A Cyberwarfare Weapon: SlowReq
Maurizio Aiello
maurizio.aiello@ieiit.cnr.it
Consiglio Nazionale delle Ricerche
Instituto di Elettronica e di Ingegneria dell’Informazione e delle Telecomunicazioni
via De Marini, 6, 16149 Genova, Italy
Cpexpo meeting, Genoa, Italy, 30 October 2013
2. Cyberwarfare
“Politically motivated hacking to conduct military operations, such as sabotage or espionage, against an informative system owned by the adversary”
Governments vs. Governments
¤ Titan Rain
¤ Moonlight Maze
Groups vs. Governments
¤ Hacktivist groups’ operations
¤ Anonymous
¤ LulzSec
3. Attack Technologies
Intrusions & Malware (word cloud on the slide: SQL injection, buffer overflow, Trojan horses, backdoor)
Denial of Service (DoS): “An attempt to make a machine or network resource unavailable to its intended users”
Distributed Denial of Service (DDoS): amplification of the attack resources through the enrollment of (willing or not) botnet agents
4. Denial of Service Attacks
¤ Attacks to the system
¤  ZIP Bomb
¤  Fork Bomb
¤ Attacks to the network
¤  Multipliers: DNS, Smurf attack, etc.
¤  Volumetric: flooding DoS attacks
¤  Application Layer: Slow DoS Attacks
5. “Old Style” Flooding DoS Attacks
¤ Large bandwidth usage
¤ SYN flood, UDP flood, ICMP flood, …
Flooding based attacks: level-4 Denial of Service
6. The ISO/OSI Model
Application, Presentation, Session, Transport, Network, Data Link, Physical
Diagram labels: Slow DoS Attacks (application layer), Flooding DoS Attacks (lower layers)
7. Hacktivist Groups: Anonymous and LulzSec
8. Hacktivist Groups (timeline: Anonymous, LulzSec)
¤ 2008: Project Chanology
¤ 2009: Iranian election protests
¤ 2010: Operation Payback
¤ 2011, 2012: Visa, Mastercard, Paypal (Operation Payback); Operation Sony; Interpol; Vatican
9. Slow DoS Attack (SDA)
“An attack which exhausts the resources of a victim using low bandwidth”
10. SDAs’ Strategy
¤ They move the victim to the saturation state
¤ Low bandwidth rate:
¤  Attack resources are minimized
¤  It’s easier to bypass security systems
¤ ON-OFF nature
¤ Almost all the packets contribute to the success of the attack
11. Slow DoS Attacks. An Example: Slowloris
¤  A script written in the Perl programming language
¤  Used during the protests against the Iranian presidential elections in 2009
¤  It sends a lot of endless requests with the pattern:
    GET / HTTP/1.1\r\n
    Host: www.example.com\r\n
    User-Agent: Mozilla/4.0 [...]\r\n
    Content-Length: 42\r\n
    X-a: b\r\n
    X-a: b\r\n
    X-a: b\r\n
    X-a: b\r\n
Source: http://ha.ckers.org/slowloris/
12. Making Order Into the Slow DoS Field
[Taxonomy diagram of Slow DoS attacks; labels recoverable from the slide: targeted resource (CPU/Memory/Disk, Network); attack classes (Pending Requests, Delayed Responses, Slow Responses, Other Resources Occupation, Server Behavior Alteration, Unknown); attacks placed in the diagram: Slowloris, Quiet Attack, Shrew, ReDoS, Apache Range Header, R-U-Dead-Yet, Hash DoS, THC-SSL-DoS; further axes: Client Timeout / Server Timeout, Request / Response]
13. SlowReq Attack
¤  It opens a large amount of endless connections with the victim
¤  It slowly sends data to the victim, through a specific timeout, preventing a server-side connection closure
Slowloris vs. SlowReq payloads:
    SLOWLORIS                              SLOWREQ
    GET / HTTP/1.1\r\n                     [space]
    Host: www.example.com\r\n              [space]
    User-Agent: Mozilla/4.0 [...]\r\n      [space]
    Content-Length: 42\r\n                 [space]
    X-a: b\r\n                             [space]
    X-a: b\r\n
    X-a: b\r\n
    X-a: b\r\n
14. SlowReq Attack
¤ No \r\n implies no parsing (stealth and difficult to prevent)
¤ Bandwidth very limited
¤ CPU and RAM requirements limited
¤ Tunable in parameters (number of connections; wait timeout; time between characters, etc.)
15. Protocol Independence
¤ Attacks like Slowloris are bound to a specific protocol (HTTP in this case)
¤ SlowReq is able to naturally affect multiple protocols
¤  Packet payload is a sequence of white spaces
¤  Tested against FTP, SMTP, SSH servers
¤  Bound to TCP based protocols
16. Performance Results
DoS state reached after a few seconds
17. Signature Based Countermeasures
Apache Web Server software modules
¤ mod-security module limits the number of simultaneous connections established from the same IP address
¤ reqtimeout module applies temporal limits to the received requests, avoiding the acceptance of long requests
18. Performance Results – mod-security
A non distributed attack is successfully mitigated
19. Performance Results – reqtimeout
Unlike Slowloris, SlowReq is not mitigated
20. Statistical Based Countermeasures
Timing features measured on each connection (diagram on the slide):
¤ t_start_request
¤ Δrequest
¤ t_end_request
¤ Δdelay
¤ t_start_response
¤ Δresponse
¤ t_end_response
¤ Δnext
21. Statistical Signature Based SDAs Detection
22. Statistical Signature Based SDAs Detection
Comparison with standard traffic conditions:
$n(y) = \int_{-\infty}^{+\infty} \left( f(x) - g(x+y) \right)^2 \, dx$
Minimum value (NCV): $NCV = \min_{y} n(y)$
23. Statistical Signature Based SDAs Detection
[Figure: real traffic distribution (Δdelay example)]
24. Statistical Signature Based SDAs Detection
Protocol:
¤  n representations of standard traffic
¤  m comparisons extracting m different NCV values
¤  Retrieval of μ and σ values from the NCV values
¤  Baseline: μ + 3σ
¤  Comparison of anomalous traffic with f (average) standard distributions
¤  NCV value retrieval for the analyzed traffic and result
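Added example, not code from the talk or from the author's framework: a Python sketch of the detection protocol of slides 20, 22 and 24 (per-connection timing feature, discrete n(y) and NCV, μ + 3σ baseline) run over constructed timing data; the numbers, bin range and the use of a single Δ feature are assumptions.

```python
import random
import statistics

def histogram(samples, bins=20, lo=0.0, hi=1.0):
    """Discretise per-connection timing values (e.g. Δdelay, in seconds) into a
    normalised histogram over [lo, hi): the f(x) / g(x) of slide 22."""
    width = (hi - lo) / bins
    counts = [0] * bins
    for s in samples:
        counts[min(bins - 1, max(0, int((s - lo) / width)))] += 1
    total = len(samples) or 1
    return [c / total for c in counts]

def n_of_y(f, g, y):
    """Discrete n(y) = sum_x (f(x) - g(x+y))^2; bins shifted off the edge count as 0."""
    bins = len(f)
    return sum((f[x] - (g[x + y] if 0 <= x + y < bins else 0.0)) ** 2
               for x in range(bins))

def ncv(f, g):
    """Minimum of n(y) over every shift y: the NCV of slide 22 (tolerates offsets)."""
    bins = len(f)
    return min(n_of_y(f, g, y) for y in range(1 - bins, bins))

def baseline(standard):
    """Slide 24: m pairwise NCVs among the n standard-traffic histograms,
    then mu + 3*sigma as the anomaly threshold."""
    values = [ncv(a, b) for i, a in enumerate(standard) for b in standard[i + 1:]]
    return statistics.mean(values) + 3 * statistics.pstdev(values)

def is_anomalous(observed, standard, threshold):
    """Compare the observed histogram with the average standard distribution."""
    average = [statistics.mean(column) for column in zip(*standard)]
    return ncv(observed, average) > threshold

def demo():
    """Constructed data (assumption, not measurements from the talk): ordinary
    clients cluster around ~50 ms; the anomalous set holds many connections whose
    timings pile up near the 1 s edge of the window, as slowly fed requests would."""
    rng = random.Random(7)
    normal = lambda n: [abs(rng.gauss(0.05, 0.01)) for _ in range(n)]
    standard = [histogram(normal(200)) for _ in range(10)]
    threshold = baseline(standard)
    fresh_legit = histogram(normal(200))
    slow = histogram(normal(50) + [rng.uniform(0.8, 1.0) for _ in range(200)])
    return (is_anomalous(fresh_legit, standard, threshold),
            is_anomalous(slow, standard, threshold))

if __name__ == "__main__":
    print(demo())  # (False, True): legitimate traffic passes, slow traffic is flagged
```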
25. Conclusions and Future Work
¤ Extensions of the algorithm are possible: we are releasing a framework for SDAs detection
¤ Due to its requirements, we are working on a mobile deployment of SlowReq
¤ Deployment of a (mobile and) distributed attack
26. Acknowledgements
Enrico Cambiaso
Gianluca Papaleo
Silvia Scaglione
27. The End
Thanks!!