BSidesDetroit2012                  Tweaking to get away from SlowDOS                             Sergey Shekyan, Senior So...
BSIDES DETROIT 2012                            22Thursday, December 13, 12
Denial of Service Attacks                                       BSIDES DETROIT 2012                                  22Thu...
Denial of Service Attacks                                       BSIDES DETROIT 2012                                  22Thu...
Types of attack    There is a variety of forms aiming at a variety of services:              − Traffic consuming attacks (D...
Network Layer attacks                                   BSIDES DETROIT 2012                              44Thursday, Decem...
Network Layer attacks                                   BSIDES DETROIT 2012                              44Thursday, Decem...
Application Layer attacks                                       BSIDES DETROIT 2012                                  55Thu...
Application Layer attacks                                       BSIDES DETROIT 2012                                  55Thu...
What is low-bandwidth attack?                                      Slowloris                  GET Flood                   ...
DDoS economics     § DDoS attacks are affordable (from $5/hour)     § DDoS attack is a great way to promote your start-u...
Actual page from a forum offering DDoS services     § We take projects with anti-DDoS     § Wholesale discounts     § We...
Same botnet operator offering menu:     § HTTP GET flood     § HTTP POST flood     § Download flood     § UDP flood     § ...
Application Layer DoS attacks    § Slow HTTP headers attack (a.k.a. Slowloris)    § Slow HTTP message body attack (a.k.a...
Demo time                                             BSIDES DETROIT 2012                                        11Thursda...
What is common?     § All mentioned attacks aim at draining the pool of concurrent        connections (usually relatively...
HyperText Transfer Protocol (HTTP) Message syntax                            Per RFC 2616       generic-message = start-li...
HyperText Transfer Protocol (HTTP) Message example        GET /page.htm HTTP/1.1CRLF        Host: www.example.com:8080CRLF...
Slowloris    §Low bandwidth attack that sends HTTP requests with incomplete headers.    Continues to send headers at regu...
How slowloris works              Client                   Server                                 BSIDES DETROIT 2012      ...
How slowloris works                            GET	  /	  HTTP/1.1rn                            Host:	  vulnerable-­‐server...
How slowloris works                            GET	  /	  HTTP/1.1rn                            Host:	  vulnerable-­‐server...
How slowloris works                            GET	  /	  HTTP/1.1rn                            Host:	  vulnerable-­‐server...
How slowloris works                            GET	  /	  HTTP/1.1rn                            Host:	  vulnerable-­‐server...
How slowloris works                             GET	  /	  HTTP/1.1rn                             Host:	  vulnerable-­‐serv...
How slowloris works                             GET	  /	  HTTP/1.1rn                             Host:	  vulnerable-­‐serv...
How slowloris works                             GET	  /	  HTTP/1.1rn                             Host:	  vulnerable-­‐serv...
How slowloris works                             GET	  /	  HTTP/1.1rn                             Host:	  vulnerable-­‐serv...
Slow POST     § Attack that sends HTTP requests with complete headers but incomplete        message body. Continues to se...
How Slow POST works             Client                          Server                                 BSIDES DETROIT 2012...
How Slow POST works                            POST	  /	  HTTP/1.1rnHost:	  vulnerable-­‐server.com:80rn                  ...
How Slow POST works                            POST	  /	  HTTP/1.1rnHost:	  vulnerable-­‐server.com:80rn                  ...
How Slow POST works                            POST	  /	  HTTP/1.1rnHost:	  vulnerable-­‐server.com:80rn                  ...
How Slow POST works                            POST	  /	  HTTP/1.1rnHost:	  vulnerable-­‐server.com:80rn                  ...
How Slow POST works                            POST	  /	  HTTP/1.1rnHost:	  vulnerable-­‐server.com:80rn                  ...
How Slow POST works                            POST	  /	  HTTP/1.1rnHost:	  vulnerable-­‐server.com:80rn                  ...
How Slow POST works                            POST	  /	  HTTP/1.1rnHost:	  vulnerable-­‐server.com:80rn                  ...
How Slow POST works                            POST	  /	  HTTP/1.1rnHost:	  vulnerable-­‐server.com:80rn                  ...
How Slow POST works                            POST	  /	  HTTP/1.1rnHost:	  vulnerable-­‐server.com:80rn                  ...
Slow Read     § Attack that keeps server sockets busy by maliciously throttling down the receipt of large        HTTP res...
Related TCP details	         §“Window size (16 bits) – the size of the receive window, which specifies the number of    by...
How Slow Read works                    Client                               Server                                        ...
How Slow Read works                    Client                                                                          Ser...
How Slow Read works                    Client                                                                             ...
How Slow Read works                    Client                                                                             ...
How Slow Read works                    Client                                                                             ...
How Slow Read works                    Client                                                                             ...
How Slow Read works                    Client                                                                             ...
How Slow Read works                    Client                                                                             ...
How Slow Read works                    Client                                                                             ...
How Slow Read works                    Client                                                                             ...
How Slow Read works                    Client                                                                             ...
Prerequisites for successful Slow Read attack    The larger server response is - increasing the chances of prolonging the ...
Prerequisites for successful Slow Read attack    The larger server response is - increasing the chances of prolonging the ...
Why is Slow Read is different?      Traditional (slowloris/slowpost) DoS     § Customer stuck deciding        what he want...
Why is Slow Read is different?      Traditional (slowloris/slowpost) DoS     § Customer stuck deciding        what he want...
Why Slow Read is different?      Slow Read DoS                               § Makes an order for party                   ...
Why Slow Read is different?      Slow Read DoS                                                                             ...
Why is Slow Read is different?       § Customer stuck deciding     § Makes an order for party          what he wants Make...
Why is Slow Read is different? (continued)     § Defense mechanisms expect the crushing fist of malice to appear in the req...
Am I vulnerable?     § There is a good chance that you are. Default configurations of nginx, lighttpd, IIS, Apache,       ...
What should I do?     § Use available tools to simulate attacks. SlowHTTPTest covers all mentioned attacks and        som...
Detection and Mitigation     § Drop connections with abnormally small TCP advertised window(s)     § Set an absolute con...
Detection and Mitigation continued     § Qualys Web Application Scanner passively detects the slow attack vulnerabilities...
Example of misconfiguration     § Even if the server is configured to handle tens of thousands of concurrent connections, t...
Are anti-DoS solutions going to help?     § Have no idea, test yourself!                                                 ...
Who reacted first?	                                 BSIDES DETROIT 2012                            33Thursday, December 13,...
Who reacted first?	                                 BSIDES DETROIT 2012                            33Thursday, December 13,...
Who reacted first?	     Those who really care - gamers!     Open Transport Tycoon Deluxe found that by using a slow read ty...
Summary	     § Even though the simpliest distributed DoS attacks are enough to knock down        most web sites today, th...
References    ModSecurity Advanced Topic of the Week: Mitigation of Slow Read" Denial of Service Attack    http://blog.spi...
Thank you!                            sshekyan@qualys.com                                 @sshekyanThursday, December 13, 12
Upcoming SlideShare
Loading in …5
×

Tweaking to get away from Application Layer DoS attacks

1,426 views

Published on

Slides I presented at BSides Detroit 2012

0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,426
On SlideShare
0
From Embeds
0
Number of Embeds
26
Actions
Shares
0
Downloads
16
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Tweaking to get away from Application Layer DoS attacks

  1. 1. BSidesDetroit2012 Tweaking to get away from SlowDOS Sergey Shekyan, Senior Software Engineer June 2nd, 2012Thursday, December 13, 12
  2. 2. BSIDES DETROIT 2012 22Thursday, December 13, 12
  3. 3. Denial of Service Attacks BSIDES DETROIT 2012 22Thursday, December 13, 12
  4. 4. Denial of Service Attacks BSIDES DETROIT 2012 22Thursday, December 13, 12
  5. 5. Types of attack There is a variety of forms aiming at a variety of services: − Traffic consuming attacks (DNS, firewall, router, load balancer, OS, etc.) − Application Layer attacks (web server, media server, mail server) BSIDES DETROIT 2012 33Thursday, December 13, 12
  6. 6. Network Layer attacks BSIDES DETROIT 2012 44Thursday, December 13, 12
  7. 7. Network Layer attacks BSIDES DETROIT 2012 44Thursday, December 13, 12
  8. 8. Application Layer attacks BSIDES DETROIT 2012 55Thursday, December 13, 12
  9. 9. Application Layer attacks BSIDES DETROIT 2012 55Thursday, December 13, 12
  10. 10. What is low-bandwidth attack? Slowloris GET Flood 400 300 Mbps/sec 200 100 0 0 10 20 30 40 Seconds BSIDES DETROIT 2012 66Thursday, December 13, 12
  11. 11. DDoS economics § DDoS attacks are affordable (from $5/hour) § DDoS attack is a great way to promote your start-up (attacks on Russian travel agencies are 5 times as frequent in high season) § Longest attack detected by Kaspersky DDos Prevention System in the second half of 2011 targeted a travel agency website and lasted 80 days 19 hours 13 minutes 05 seconds § Akamai reports DDoS attack incidents soar 2,000 percent in the past three years BSIDES DETROIT 2012 77Thursday, December 13, 12
  12. 12. Actual page from a forum offering DDoS services § We take projects with anti-DDoS § Wholesale discounts § We are clear against the law § Best quality-to-dollar ratio § $5/hour, $40/day, $260/week, $900/month BSIDES DETROIT 2012 88Thursday, December 13, 12
  13. 13. Same botnet operator offering menu: § HTTP GET flood § HTTP POST flood § Download flood § UDP flood § SYN flood BSIDES DETROIT 2012 99Thursday, December 13, 12
  14. 14. Application Layer DoS attacks § Slow HTTP headers attack (a.k.a. Slowloris) § Slow HTTP message body attack (a.k.a Slow Post) § Slow read HTTP attack (a.k.a. TCP Persist Timer exploit) BSIDES DETROIT 2012 10Thursday, December 13, 12
  15. 15. Demo time BSIDES DETROIT 2012 11Thursday, December 13, 12
  16. 16. What is common? § All mentioned attacks aim at draining the pool of concurrent connections (usually relatively small) BSIDES DETROIT 2012 12Thursday, December 13, 12
  17. 17. HyperText Transfer Protocol (HTTP) Message syntax Per RFC 2616 generic-message = start-line *(message-header CRLF) CRLF [ message-body ] start-line = Request-Line | Status-Line BSIDES DETROIT 2012 13Thursday, December 13, 12
  18. 18. HyperText Transfer Protocol (HTTP) Message example GET /page.htm HTTP/1.1CRLF Host: www.example.com:8080CRLF Content-Length: 25CRLF CRLF Optional Message Body BSIDES DETROIT 2012 14Thursday, December 13, 12
  19. 19. Slowloris §Low bandwidth attack that sends HTTP requests with incomplete headers. Continues to send headers at regular intervals to keep the sockets active §First mentioned by Adrian Ilarion Ciobanu in 2007 and implemeted by Robert Hansen in 2009 BSIDES DETROIT 2012 15Thursday, December 13, 12
  20. 20. How slowloris works Client Server BSIDES DETROIT 2012 16Thursday, December 13, 12
  21. 21. How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn Client Server BSIDES DETROIT 2012 16Thursday, December 13, 12
  22. 22. How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client Server BSIDES DETROIT 2012 16Thursday, December 13, 12
  23. 23. How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server BSIDES DETROIT 2012 16Thursday, December 13, 12
  24. 24. How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server 59  seconds  later BSIDES DETROIT 2012 16Thursday, December 13, 12
  25. 25. How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server 59  seconds  later X-­‐4rete:  fdsgvryrn BSIDES DETROIT 2012 16Thursday, December 13, 12
  26. 26. How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server 59  seconds  later X-­‐4rete:  fdsgvryrn 59  seconds  later BSIDES DETROIT 2012 16Thursday, December 13, 12
  27. 27. How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server 59  seconds  later X-­‐4rete:  fdsgvryrn 59  seconds  later X-­‐egyr7j:  8ihrn BSIDES DETROIT 2012 16Thursday, December 13, 12
  28. 28. How slowloris works GET  /  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rn X-­‐sadwqeq:  dfg4t3rn 59  seconds  later Client X-­‐4rete:  fdsgvryrn Server 59  seconds  later X-­‐4rete:  fdsgvryrn 59  seconds  later X-­‐egyr7j:  8ihrn ... BSIDES DETROIT 2012 16Thursday, December 13, 12
  29. 29. Slow POST § Attack that sends HTTP requests with complete headers but incomplete message body. Continues to send data at regular intervals to keep the sockets active § Discovered by Wong Onn Chee and popularized by Tom Brennan in 2009 BSIDES DETROIT 2012 17Thursday, December 13, 12
  30. 30. How Slow POST works Client Server BSIDES DETROIT 2012 18Thursday, December 13, 12
  31. 31. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn Client Server BSIDES DETROIT 2012 18Thursday, December 13, 12
  32. 32. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn Client Server BSIDES DETROIT 2012 18Thursday, December 13, 12
  33. 33. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server BSIDES DETROIT 2012 18Thursday, December 13, 12
  34. 34. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn BSIDES DETROIT 2012 18Thursday, December 13, 12
  35. 35. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn 59  seconds  later BSIDES DETROIT 2012 18Thursday, December 13, 12
  36. 36. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn 59  seconds  later &Owkuvj5=POaLLIrn BSIDES DETROIT 2012 18Thursday, December 13, 12
  37. 37. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn 59  seconds  later &Owkuvj5=POaLLIrn 59  seconds  later BSIDES DETROIT 2012 18Thursday, December 13, 12
  38. 38. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn 59  seconds  later &Owkuvj5=POaLLIrn 59  seconds  later &uWat9wGqrP4SxV=SN3qrn BSIDES DETROIT 2012 18Thursday, December 13, 12
  39. 39. How Slow POST works POST  /  HTTP/1.1rnHost:  vulnerable-­‐server.com:80rn Content-­‐Length:  4096rn Content-­‐Type:  applicaRon/x-­‐www-­‐form-­‐urlencodedrn rn 59  seconds  later Client Server foo=barrn 59  seconds  later &Owkuvj5=POaLLIrn 59  seconds  later &uWat9wGqrP4SxV=SN3qrn ... BSIDES DETROIT 2012 18Thursday, December 13, 12
  40. 40. Slow Read § Attack that keeps server sockets busy by maliciously throttling down the receipt of large HTTP responses § Uses known Network Layer flaws to aim Application Layer § First mentioned by Outpost24 in sockstress. Implemented as part of nkiller2 by Fotis Hantzis, a.k.a. ithilgore in 2009 BSIDES DETROIT 2012 19Thursday, December 13, 12
  41. 41. Related TCP details   §“Window size (16 bits) – the size of the receive window, which specifies the number of bytes (beyond the sequence number in the acknowledgment field) that the sender of this segment is currently willing to receive” – Wikipedia BSIDES DETROIT 2012 20Thursday, December 13, 12
  42. 42. How Slow Read works Client Server Send  buffer Recv  buffer BSIDES DETROIT 2012 21Thursday, December 13, 12
  43. 43. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn Send  buffer Recv  buffer BSIDES DETROIT 2012 21Thursday, December 13, 12
  44. 44. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes Send  buffer Recv  buffer BSIDES DETROIT 2012 21Thursday, December 13, 12
  45. 45. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes bigpage.html Send  buffer Recv  buffer BSIDES DETROIT 2012 21Thursday, December 13, 12
  46. 46. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Send  buffer Recv  buffer BSIDES DETROIT 2012 21Thursday, December 13, 12
  47. 47. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Send  buffer Recv  buffer BSIDES DETROIT 2012 21Thursday, December 13, 12
  48. 48. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Send  buffer Recv  buffer m bi e. p h a g g t l BSIDES DETROIT 2012 21Thursday, December 13, 12
  49. 49. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Got  it,  wait  for  now  (ACK  window  0) Send  buffer Recv  buffer m bi e. p h a g g t l BSIDES DETROIT 2012 21Thursday, December 13, 12
  50. 50. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Got  it,  wait  for  now  (ACK  window  0) Send  buffer Recv  buffer 90 Are  you  ready  to  receive  more  bytes? m bi e. p h a g g t l BSIDES DETROIT 2012 21Thursday, December 13, 12
  51. 51. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Got  it,  wait  for  now  (ACK  window  0) Send  buffer Recv  buffer 90 Are  you  ready  to  receive  more  bytes? m bi e. p h a g g t l OK,  give  me  another  32  bytes BSIDES DETROIT 2012 21Thursday, December 13, 12
  52. 52. How Slow Read works Client Server GET  bigpage.html  HTTP/1.1rn Host:  vulnerable-­‐server.com:80rnrn BTW,  my  recv  window  is  only  32  bytes HTTP/1.1  200  OKrn Content-­‐Length:  131072rn bigpage.html Content-­‐type:  text/htmlrnrn  message Kernel  to  app:  I  can  send  only  32  bytes  now Got  it,  wait  for  now  (ACK  window  0) Send  buffer Recv  buffer 90 Are  you  ready  to  receive  more  bytes? m bi e. p h a g g t l OK,  give  me  another  32  bytes ... BSIDES DETROIT 2012 21Thursday, December 13, 12
  53. 53. Prerequisites for successful Slow Read attack The larger server response is - increasing the chances of prolonging the connection §make server generate a data stream that doesnt fully fit into sockets send buffer (65536 bytes is default on most Linux systems /proc/sys/net/ipv4/tcp_wmem, if server doesnt set its own value) §Request large resource by naturally finding it and/or amplifying the response size by using HTTP pipelining. Dynamic resources are welcome. BSIDES DETROIT 2012 22Thursday, December 13, 12
  54. 54. Prerequisites for successful Slow Read attack The larger server response is - increasing the chances of prolonging the connection §make server generate a data stream that doesnt fully fit into sockets send buffer (65536 bytes is default on most Linux systems /proc/sys/net/ipv4/tcp_wmem, if server doesnt set its own value) §Request large resource by naturally finding it and/or amplifying the response size by using HTTP pipelining. Dynamic resources are welcome. Rme BSIDES DETROIT 2012 22Thursday, December 13, 12
  55. 55. Why is Slow Read is different? Traditional (slowloris/slowpost) DoS § Customer stuck deciding what he wants § Makes an order § Pays § Takes the order § Next! BSIDES DETROIT 2012 23Thursday, December 13, 12
  56. 56. Why is Slow Read is different? Traditional (slowloris/slowpost) DoS § Customer stuck deciding what he wants § Makes an order It  is  possible  to  idenRfy  and  isolate   slow  client  in  his  request  state § Pays § Takes the order § Next! BSIDES DETROIT 2012 23Thursday, December 13, 12
  57. 57. Why Slow Read is different? Slow Read DoS § Makes an order for party of 50 § Pays § Cannot take the entire order with him, makes several trips to the car. § Next! BSIDES DETROIT 2012 24Thursday, December 13, 12
  58. 58. Why Slow Read is different? Slow Read DoS § Makes an order for party it  is  quite  late  to  do  anything,  as   of 50 the  request  was  already  accepted   and  processed § Pays § Cannot take the entire order with him, makes several trips to the car. § Next! BSIDES DETROIT 2012 24Thursday, December 13, 12
  59. 59. Why is Slow Read is different? § Customer stuck deciding § Makes an order for party what he wants Makes an of 50 orderPays Takes the order § Pays Next! § Cannot take the entire order with him, makes several trips to the car § Next! BSIDES DETROIT 2012 25Thursday, December 13, 12
  60. 60. Why is Slow Read is different? (continued) § Defense mechanisms expect the crushing fist of malice to appear in the request § Instead, the entire transaction should be monitored BSIDES DETROIT 2012 26Thursday, December 13, 12
  61. 61. Am I vulnerable? § There is a good chance that you are. Default configurations of nginx, lighttpd, IIS, Apache, Varnish cache proxy, Shoutcast streaming server - are vulnerable to at least one of the mentioned attacks BSIDES DETROIT 2012 27Thursday, December 13, 12
  62. 62. What should I do? § Use available tools to simulate attacks. SlowHTTPTest covers all mentioned attacks and some more at http://slowhttptest.googlecode.com § Check out http://slowhammer.me soon to get access to your own whitehat botnet in the cloud § Use Qualys WAF or other firewalls that are supposed to protect, but test before you pay! BSIDES DETROIT 2012 28Thursday, December 13, 12
  63. 63. Detection and Mitigation § Drop connections with abnormally small TCP advertised window(s) § Set an absolute connection timeout, if possible § Limit length, number of headers to accept § Limit max size of message body to accept § Drop connections with HTTP methods (verbs) not supported by the URL § Limit accepted header and message body to a minimal reasonable length § Define the minimum data rate, and drop connections that are slower than that rate BSIDES DETROIT 2012 29Thursday, December 13, 12
  64. 64. Detection and Mitigation continued § Qualys Web Application Scanner passively detects the slow attack vulnerabilities § ModSecurity v2.6 introduced a directive called SecWriteStateLimit that places a time limit on the concurrent number of threads (per IP address) § Snort is working on detecting connections with small TCP advertised window(s) § Christian Folini introduced Flying Frog script at https://www.netnea.com BSIDES DETROIT 2012 30Thursday, December 13, 12
  65. 65. Example of misconfiguration § Even if the server is configured to handle tens of thousands of concurrent connections, the OS might still create a bottleneck by limiting the server by the number of open file descriptors BSIDES DETROIT 2012 31Thursday, December 13, 12
  66. 66. Are anti-DoS solutions going to help? § Have no idea, test yourself! BSIDES DETROIT 2012 32Thursday, December 13, 12
  67. 67. Who reacted first? BSIDES DETROIT 2012 33Thursday, December 13, 12
  68. 68. Who reacted first? BSIDES DETROIT 2012 33Thursday, December 13, 12
  69. 69. Who reacted first? Those who really care - gamers! Open Transport Tycoon Deluxe found that by using a slow read type attack, it is possible to prevent anyone from joining a game server with virtually no resources. Patches for all affected version where released within a week! BSIDES DETROIT 2012 33Thursday, December 13, 12
  70. 70. Summary § Even though the simpliest distributed DoS attacks are enough to knock down most web sites today, the nature of the attack will be sure to improve, and it’s better to be ready or, at least be aware of upcoming problems. BSIDES DETROIT 2012 34Thursday, December 13, 12
  71. 71. References ModSecurity Advanced Topic of the Week: Mitigation of Slow Read" Denial of Service Attack http://blog.spiderlabs.com/2012/01/modsecurity-advanced-topic-of-the-week-mitigation-of- slow-read-denial-of-service-attack.html DDoS attacks in H2 2011 http://www.securelist.com/en/analysis/204792221/DDoS_attacks_in_H2_2011 The State of the Internet http://www.akamai.com/stateoftheinternet/ Evaluation of slowhttptest against servers protected by CloudFlare http://samsclass.info/123/proj10/slow-read.html Blog posts on hardening web servers https://community.qualys.com/blogs/securitylabs/ BSIDES DETROIT 2012 35Thursday, December 13, 12
  72. 72. Thank you! sshekyan@qualys.com @sshekyanThursday, December 13, 12

×