BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer


  1. Layer 7 DoS attack. By: Oussama Elhamer Abdelkhalek.
  2. Summary
     • The history of DoS attacks.
     • Layer 4 DDoS: overview.
     • Layer 7 DoS: one attacker brings down one site.
     • Link-local DoS: the IPv6 RA attack.
  3. The DoS history
  5. Layer 4 DDoS attack:
     • Primitive DDoS attack, controlled via IRC.
     • Sends thousands of packets per second from the attacker directly to the target.
     • Needs thousands of participants to bring down a large site.
     • Took down MasterCard for more than a day (3,000 to 30,000).
     • Nothing more than pressing F5 (the Low Orbit Ion Cannon does that for you :p).
  6. Layer 7 DoS
     • Operates at the application protocol level (OSI layer 7), e.g. HTTP(S), SMTP, FTP, etc.
     • Can be routed through proxies.
     • More dangerous.
     • Low bandwidth.
     • Can be very difficult to distinguish from normal traffic.
  7. Some examples of layer 7 DoS attacks. We will focus on the weaknesses of the HTTP protocol.
  8. HTTP GET
  9. HTTP GET attack:
     - Don't send a complete request to the web server (incomplete headers). Send something that will hold the web server, and continue to send headers at regular intervals to keep the sockets active!
     - So if you open one thousand connections on a server that can only handle five hundred, it will be rejecting requests.
     Example message syntax:
       GET /indexPage.html HTTP/1.1 CRLF   <- request line
       Host: CRLF
       Content-Length: 25 CRLF
       CRLF
       <optional message body>
     - The server stops reading when it sees two CRLFs, then starts generating the response and sending feedback.
  10. Example
     • The server will drop the connection if there is no data for 60 seconds!
     • Client -> Server:
       GET / HTTP/1.1 \r\n
       Host: Server \r\n
       X-skdvbk: sdjvj \r\n
       ---- 59 sec later
       X-skdvbk: sdjvj \r\n
       ---- 59 sec later
       X-skdvbk: sdjvj \r\n
       ---- 59 sec later
       X-skdvbk: sdjvj \r\n
       ---- 59 sec later
     • This attack doesn't work against IIS because it uses a timeout.
     • No reliable configuration is universal to protect your web server,
     • but there are some recommendations that minimize the damage.
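The slow-header exchange on the slide above, and the point that a 60-second idle timer alone does not end it, as an added example that is not part of the talk: two header-read policies written in Python and run over constructed client timelines. The first drops a connection only after a period of silence; the second gives the whole header block an absolute deadline that grows only in proportion to bytes actually received, which is the shape of Apache's mod_reqtimeout directive `RequestReadTimeout header=20-40,MinRate=500`. The timelines, source addresses, header names and threshold values are all constructed for the example.

```python
"""Added example (not from the talk): two header-read policies applied to
constructed client timelines, plus a per-source count of connections that
never finish their headers."""
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"  # the two CRLFs that terminate the header block

# Constructed timelines: (seconds since connect, bytes received in that chunk).
NORMAL_CLIENT = [(0.0, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n")]
# Request line and Host, then one bogus header every 59 s, never the final CRLF.
SLOW_CLIENT = [(0.0, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n")] + [
    (59.0 * i, b"X-skdvbk: sdjvj\r\n") for i in range(1, 5)
]
# A legitimate but chunky client (slow link) that does finish within seconds.
CHUNKED_CLIENT = [(0.0, b"GET / HTTP/1.1\r\n"),
                  (4.0, b"Host: www.example.test\r\n"),
                  (7.0, b"\r\n")]


def idle_only_read_headers(events, idle_timeout=60.0):
    """Policy 1: drop the connection only after idle_timeout seconds of silence.
    Returns 'complete', 'timeout', or 'still_open' when the headers never end but
    the client always spoke before the idle timer expired."""
    buf, last_seen = b"", 0.0
    for t, chunk in events:
        if t - last_seen > idle_timeout:
            return "timeout"
        buf += chunk
        last_seen = t
        if HEADER_END in buf:
            return "complete"
    return "still_open"


@dataclass
class DeadlinePolicy:
    header_timeout: float = 20.0  # seconds granted for the whole header block
    max_timeout: float = 40.0     # hard cap, however much data trickles in
    min_rate: float = 500.0       # bytes per second that earn extra time


def deadline_read_headers(events, policy=None):
    """Policy 2: the header block must be complete before an absolute deadline
    that is extended only by len(chunk) / min_rate seconds per chunk received."""
    policy = policy or DeadlinePolicy()
    buf, deadline = b"", policy.header_timeout
    for t, chunk in events:
        if t > deadline:
            return "timeout"
        buf += chunk
        if HEADER_END in buf:
            return "complete"
        deadline = min(policy.max_timeout, deadline + len(chunk) / policy.min_rate)
    return "timeout"  # went silent without ever finishing the headers


def count_incomplete_by_source(connections, policy=None):
    """connections: (source_ip, events) pairs. Returns {source_ip: n} for sources
    whose header reads timed out; one source with many such connections is the
    signal worth alerting on, since a normal client rarely produces even one."""
    counts = {}
    for src, events in connections:
        if deadline_read_headers(events, policy) == "timeout":
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for name, events in [("normal", NORMAL_CLIENT), ("slow", SLOW_CLIENT),
                         ("chunked", CHUNKED_CLIENT)]:
        print(f"{name:8s} idle-only: {idle_only_read_headers(events):10s} "
              f"deadline: {deadline_read_headers(events)}")
```

Under the idle-only policy the slow client is never dropped, because each bogus header arrives one second inside the timer; under the deadline policy it is cut off once the 20-second header budget is spent, while the chunked-but-honest client still completes. The minimum-rate term is what keeps the second policy from punishing genuinely slow links.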
  11. Slowloris
     • Sends incomplete GET requests.
     • Freezes Apache with one packet per second.
     • Keeps sessions at a halt using never-ending GET transmissions.
  12. HTTP POST
     • Similar to HTTP GET.
     • The connections with the server stay open.
     • Instead of prolonging the header section of the HTTP request, it prolongs the message body section.
  13. R-U-Dead-Yet:
     • Incomplete HTTP POSTs.
     • Implements the generic HTTP DoS attack via long form field submissions.
     • Stops IIS, but requires thousands of packets per second.
  14. More variations
     • Keep-Alive DoS: a variation of the incomplete HTTP GET request, but less powerful.
     • XerXes: a tool developed by Th3j35t3r.
       - Can be imported to a 3G cell phone.
       - Can be run through a VPN.
  15. Link-local DoS
     • IPv6 router advertisements.
     • In IPv4:
       - The client requests an IP.
       - The router provides one.
     • In IPv6:
       - The router announces its presence.
       - Every client on the LAN creates an address and joins the network.
  16. • The problem is that you can send a lot of router advertisements.
     • The LAN machines will join all those networks.
     • And Windows is inefficient in doing that.
     • You can take down all the LAN.
  17. Demo:
     • Slowloris.
     • R-U-Dead-Yet.
     • RA IPv6 attack.
  18. Thanks