fighting the cyber threats
Qasim Zaidi
We were DDoS'ed
We must be doing something right!
Denial of Service
Legitimate users are denied service.
Types
Volumetric (UDP floods)
State exhaustion (TCP SYN attacks)
Application layer attacks (HTTP, DNS query flood)
Share by type (chart on slide): Volumetric 65%, State Exhaustion 20%, Application 15%
Reflection Attacks
Do not directly attack the target.
Forge the reply-to address: send requests to normal servers and trick them into replying to the target.
Makes the attack distributed and harder to deal with.
Amplification
A new class of reflection attack.
Amplification attacks work because a small question can have a big answer.
Why? How?
; <<>> DiG 9.8.3-P1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64739
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;dig. IN ANY
;; AUTHORITY SECTION:
. 73193 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2016041601 1800 900 604800 86400
;; Query time: 80 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 17 10:19:42 2016
;; MSG SIZE rcvd: 96
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39944
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 10
;; QUESTION SECTION:
;yahoo.com. IN A
;; ANSWER SECTION:
yahoo.com. 1762 IN A 98.139.183.24
yahoo.com. 1762 IN A 206.190.36.45
yahoo.com. 1762 IN A 98.138.253.109
;; AUTHORITY SECTION:
yahoo.com. 17439 IN NS ns3.yahoo.com.
yahoo.com. 17439 IN NS ns5.yahoo.com.
yahoo.com. 17439 IN NS ns2.yahoo.com.
yahoo.com. 17439 IN NS ns1.yahoo.com.
yahoo.com. 17439 IN NS ns6.yahoo.com.
yahoo.com. 17439 IN NS ns4.yahoo.com.
;; ADDITIONAL SECTION:
ns1.yahoo.com. 1197500 IN A 68.180.131.16
ns1.yahoo.com. 66008 IN AAAA 2001:4998:130::1001
ns2.yahoo.com. 1197500 IN A 68.142.255.16
ns2.yahoo.com. 85955 IN AAAA 2001:4998:140::1002
ns3.yahoo.com. 1197585 IN A 203.84.221.53
ns3.yahoo.com. 73296 IN AAAA 2406:8600:b8:fe03::1003
ns4.yahoo.com. 1198687 IN A 98.138.11.157
ns5.yahoo.com. 1197585 IN A 119.160.247.124
ns6.yahoo.com. 160785 IN A 121.101.144.139
ns6.yahoo.com. 1762 IN AAAA 2406:2000:108:4::1006
;; Query time: 27 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 17 10:19:42 2016
;; MSG SIZE rcvd: 391
dig ANY yahoo.com @8.8.8.8: query 64 bytes, answer 391 bytes: 6x amplification
The D in DDoS
SSDP
Simple Service Discovery Protocol (UPnP)
Example: used to discover printers on your network.
SSDP Discovery: HTTP over UDP sent to a multicast address.
1. Recruiting zombies
2. Flooding the victim
First Attack
Happened at 6 PM on a Monday.
Website seemed slow; SSH to the servers even slower.
[Diagram: public IPs / private IPs]
dmesg output
UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 318
UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 318
UDP: bad checksum. From 190.129.30.190:1900 to 182.253.224.184:80 ulen 347
UDP: bad checksum. From 190.129.169.3:1900 to 182.253.224.184:80 ulen 291
UDP: bad checksum. From 190.129.169.3:1900 to 182.253.224.184:80 ulen 291
UDP: bad checksum. From 200.87.245.44:1900 to 182.253.224.184:80 ulen 311
UDP: bad checksum. From 190.129.81.203:1900 to 182.253.224.184:80 ulen 281
UDP: bad checksum. From 190.129.6.33:1900 to 182.253.224.184:80 ulen 301
UDP: bad checksum. From 73.201.211.248:1900 to 182.253.224.184:80 ulen 253
UDP: bad checksum. From 190.129.199.12:1900 to 182.253.224.184:80 ulen 347
UDP: bad checksum. From 200.87.155.100:1900 to 182.253.224.184:80 ulen 285
UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 300
UDP: bad checksum. From 190.129.182.57:1900 to 182.253.224.184:80 ulen 280
UDP: bad checksum. From 190.129.165.180:1900 to 182.253.224.184:80 ulen 237
UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 306
UDP: bad checksum. From 190.129.81.26:1900 to 182.253.224.184:80 ulen 283
UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 300
UDP: bad checksum. From 172.97.240.102:1900 to 182.253.224.184:80 ulen 343
UDP: bad checksum. From 190.129.195.29:1900 to 182.253.224.184:80 ulen 246
UDP: bad checksum. From 172.97.240.102:1900 to 182.253.224.184:80 ulen 237
UDP: bad checksum. From 190.129.165.171:1900 to 182.253.224.184:80 ulen 301
UDP: bad checksum. From 172.97.240.102:1900 to 182.253.224.184:80 ulen 237
UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 302
UDP: bad checksum. From 190.129.30.176:1900 to 182.253.224.184:80 ulen 289
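The kernel lines above are the raw material for triage: every entry names a reflector (source port 1900 is SSDP) and the payload size it delivered. As an added example that is not part of the deck, the shell functions below summarise such lines by source address and measure what share of the flood comes from one source port; the lines in SAMPLE_DMESG are constructed to resemble the slide's dmesg output. Because the sources are ordinary SSDP devices being reflected off, the per-source list is input for the per-IP iptables drops and for the abuse report to the upstream ISP, not a list of attackers.

```shell
#!/bin/sh
# Added example (not from the deck): triage of "UDP: bad checksum" kernel messages.
# SAMPLE_DMESG is constructed to resemble the slide's dmesg output; on a live host
# feed real lines with: dmesg | summarize_udp_floods
SAMPLE_DMESG='UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 318
UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 318
UDP: bad checksum. From 190.129.30.190:1900 to 182.253.224.184:80 ulen 347
UDP: bad checksum. From 190.129.169.3:1900 to 182.253.224.184:80 ulen 291
UDP: bad checksum. From 190.129.169.3:1900 to 182.253.224.184:80 ulen 291
UDP: bad checksum. From 200.87.245.44:1900 to 182.253.224.184:80 ulen 311
UDP: bad checksum. From 182.215.214.137:1900 to 182.253.224.184:80 ulen 300'

# summarize_udp_floods: stdin = kernel log lines; stdout = "packets bytes source_ip",
# busiest source first. match() locates the "From ip:port" token, so a dmesg
# timestamp prefix ("[1234.5678] UDP: ...") does not shift the fields.
summarize_udp_floods() {
    awk '
        /UDP: bad checksum\. From / && match($0, /From [0-9.]+:[0-9]+/) {
            split(substr($0, RSTART + 5, RLENGTH - 5), src, ":")
            pkts[src[1]]++
            bytes[src[1]] += $NF        # ulen: UDP payload length, last field
        }
        END { for (ip in pkts) printf "%d %d %s\n", pkts[ip], bytes[ip], ip }
    ' | sort -k1,1nr -k3,3
}

# port_share PORT: stdin = kernel log lines; stdout = integer percentage of flagged
# packets whose source port is PORT. Near 100 for 1900 means one reflector class
# (SSDP) dominates, so a single --sport 1900 drop rule is a reasonable first filter.
port_share() {
    awk -v port="$1" '
        /UDP: bad checksum\. From / && match($0, /From [0-9.]+:[0-9]+/) {
            split(substr($0, RSTART + 5, RLENGTH - 5), src, ":")
            total++
            if (src[2] == port) hit++
        }
        END { printf "%d\n", (total ? 100 * hit / total : 0) }
    '
}

# top_source: the single busiest source in the sample, the address you would hand
# to "iptables -I INPUT -s <ip> -j DROP" or to the upstream ISP's abuse desk.
top_source() {
    printf '%s\n' "$SAMPLE_DMESG" | summarize_udp_floods | head -n 1 | awk '{ print $3 }'
}

# Stand-alone run: per-source summary, then the share coming from SSDP's port.
printf '%s\n' "$SAMPLE_DMESG" | summarize_udp_floods
printf 'share from source port 1900: %s%%\n' "$(printf '%s\n' "$SAMPLE_DMESG" | port_share 1900)"
```

The summary is the same shape as the deck's `netstat -ntu | awk | sort | uniq -c` pipeline, applied to the kernel log instead of the connection table, which matters for UDP floods because they never show up as established connections.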
First Response
sudo iptables -A INPUT -p udp --sport 1900 -j DROP
Drops all incoming packets with source port 1900.
Saves some resources, but remember that the packets still have to be processed by the NIC, and the pipe is still clogged.
The dmesg output goes away, but recovery isn't complete.
GEO IP Lookup
But we knew we haven’t yet
"During Q4 (2015), repeat DDoS attacks were the norm, with an average of 24 attacks per targeted customer in Q4. Three targets were subject to more than 100 attacks each and one customer suffered 188 attacks – an average of more than two per day."
Source: Akamai
Attackers persist, especially if they don't get what they wanted.
Attack 2
The very next day, at 2 PM.
Same attack vector, but more distributed.
Lots of Indonesian IP addresses.
Attacked all of our public IPs, not DNS based.
Identify
Tools: netstat, dmesg, iptraf
netstat -i
Kernel Interface table
Iface   MTU Met        RX-OK RX-ERR RX-DRP RX-OVR        TX-OK TX-ERR TX-DRP TX-OVR Flg
em1    1500   0 266063410705      0 327198      0 269121217381      0      2
em2    1500   0  19266620548      0    197      0  20700650229      0      0      0
lo    16436   0     79744956      0      0      0     79744956      0      0      0 LRU
iptables / netfilter / tuning
Kernel parameter tuning
NIC TX/RX buffer tuning
sudo iptables -A INPUT -p udp --sport 1900 -j DROP
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
iptables -I INPUT -s <ipaddress> -j DROP
tcpkill / cutter
synproxy (against SYN flood attacks)
sudo ethtool -g em1
Ring parameters for em1:
Pre-set maximums:
RX: 2047
RX Mini: 0
RX Jumbo: 0
TX: 511
Current hardware settings:
RX: 200
RX Mini: 0
RX Jumbo: 0
TX: 511
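The ethtool output above shows em1 running with an RX ring of 200 descriptors against a hardware maximum of 2047, which is one reason the RX-DRP counter in `netstat -i` climbs under a flood. As an added example that is not part of the deck, the shell functions below parse `ethtool -g` text, compare current against maximum and print the `ethtool -G` command that would raise the ring; SAMPLE_RING is constructed from the em1 values on the slide, and the script itself never touches the NIC.

```shell
#!/bin/sh
# Added example (not from the deck): check NIC RX ring size from `ethtool -g` output.
# SAMPLE_RING is constructed from the em1 values shown on the slide.
SAMPLE_RING='Ring parameters for em1:
Pre-set maximums:
RX:             2047
RX Mini:        0
RX Jumbo:       0
TX:             511
Current hardware settings:
RX:             200
RX Mini:        0
RX Jumbo:       0
TX:             511'

# ring_value SECTION KEY: stdin = ethtool -g text. SECTION is "Pre-set" or
# "Current", KEY is RX or TX. Prints the number for that key in that section.
# "RX Mini:" and "RX Jumbo:" split into two fields, so $1 == "RX:" matches only
# the plain RX line.
ring_value() {
    awk -v section="$1" -v key="$2" '
        /^Pre-set maximums:/          { active = (section == "Pre-set") }
        /^Current hardware settings:/ { active = (section == "Current") }
        active && $1 == (key ":")     { print $2; exit }
    '
}

# ring_advice IFACE: stdin = ethtool -g text. Prints the ethtool command that
# raises the RX ring to its hardware maximum, or "ok" if it is already there.
ring_advice() {
    iface="$1"
    text=$(cat)
    max=$(printf '%s\n' "$text" | ring_value Pre-set RX)
    cur=$(printf '%s\n' "$text" | ring_value Current RX)
    if [ -z "$max" ] || [ -z "$cur" ]; then
        printf 'could not parse ring parameters for %s\n' "$iface" >&2
        return 1
    fi
    if [ "$cur" -lt "$max" ]; then
        printf 'ethtool -G %s rx %s\n' "$iface" "$max"
    else
        printf 'ok\n'
    fi
}

# Stand-alone run on the constructed sample. On a live host:
#   sudo ethtool -g em1 | ring_advice em1
# then run the printed command as root and re-check RX-DRP with netstat -i.
printf '%s\n' "$SAMPLE_RING" | ring_advice em1
```

A larger ring only buys time for the kernel to drain packets during bursts; it does not widen the pipe, so it belongs with the iptables drops and the call to the ISP rather than in place of them.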
Know who to call @ ISP
tc / firehol
Ensure you can SSH to the server when your network is congested.
Limit bandwidth (firehol/FireQOS classes):
class ssh commit 2Mbit
  server ssh
  client ssh
class rsync commit 2Mbit max 10Mbit
  server rsync
  client rsync
Minimize Attack Surface
[Diagram: private net, under attack vs. normal]
whois tokopedia.com
[Diagram]
Use a WAF / hide origin