The document discusses methods to identify and mitigate Denial of Service (DoS) and Distributed Denial of Service (DDoS) volumetric attacks, specifically focusing on various attack types such as SYN flood, UDP flood, ICMP flood, and application-layer attacks like GET flood and slow POST. It details identification techniques using monitoring tools and resource utilization, as well as mitigation strategies including rate limiting, load balancing, and scaling resources. Overall, it emphasizes understanding attack vectors and implementing best security practices to protect against these threats.

1. So what?
You’ve been
(D)Dosed!

2. Agenda
DoS & DDoS
About DoS and DDoS
Volumetric Attack
<
<
>
>
Identify & Mitigate
How to identify and Mitigate
using tool
Security Best Practice

3. DoS and DDoS

4. Volumetric
Attack
Injection
Attack
Volumetric: name it self contain large
amount of volume of attack vector
Injection: Execute command or query
DDoS Attack
Type

5. Volumetric Attack

6. Volumetric DDoS Attack
Congest resources/network by flooding them with
more traffic than they are able to handle
e.g. SYN Flood, UDP Flood, ICMP Flood

7. Network Layer
Attack
Application
Layer Attack
Network Layer - Transport Layer
Application Layer - Layer 7
Volumetric
Attack

8. Volumetric: Network Layer Attack
> Goal
> Attack:
• SYN Flood
• UDP Flood
• ICMP Flood
> Vector
> Identify
> Mitigation

9. SYN Flood
 Attack Vector: High number of request rate (tcp half open)
 How to Identify ? – netstat
 Mitigate ? – SYN Cookies, RST Cookies

10. UDP Flood
 Vector: High Number of request rate, Reflection (spoofing)
 How to Identify ? – monitoringg tool, scripting
 Mitigate ? – Rate limit, Access-list, Source Port Block

11. Attack Vectors
Reflection (Attack)
UDP Flood
ICMP Flood
Amplification (Attack)
DNS Amplification
NTP Amplification

12. DNS Reflection

13. DNS Reflection

14. NTP Reflection

15. Application-layer DDoS Attack
Use well-formed but malicious request to circumvent
mitigation and consume application resources.
e.g. GET Flood, Slow POST

16. Volumetric: Application Layer Attack
> Goal
> Attack:
• GET Flood
• Slow POST
> Vector
> Identify
> Mitigation

17. GET Flood

18. GET Flood - Vector
 Attack Vector: -
 High number of request rate with GET method, URI, Query String
 How to Identify ?
 Access-log parsing, Resource Utilization (Memory, CPU, I/O)
 Method of Mitigation ?
 Header based blocking, Load Balancer, Scaling of resources, Decoupled
architecture, Rate limit
Request 1:
GET / HTTP/1.1 CRLF
Connection: keep-alive CRLFv019-09-18 at 10.27.58 PM
Request 2:
Referer: http://www.qualys.com/products/qg_suite/was/ CRLF

19. POST Flood | SLOW POST

20. Slow POST | HTTP POST Flood - Vector
 Attack Vector: -
 High number of request rate with POST method, URI, Content-Length
 How to Identify ?
 Header Checking, Access-log parsing, Resource Utilization (Memory, CPU, I/O)
 Method of Mitigation ?
 Scaling of resources, Decoupled architecture, Data-Transfer within specific time.
POST /url_that_accepts_post HTTP/1.1 CRLF
Host: host_to_test:port_if_not_default CRLF
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0;) CRLF
Connection: close CRLF
Referer: http://www.qualys.com/products/qg_suite/was/ CRLF
Content-Type: application/x-www-form-urlencoded CRLF
Content-Length: 512 CRLF
Accept: text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 CRLF
CRLF
foo=bar

21. Any question?
Thank You