This document discusses strategies for conducting distributed denial-of-service (DDoS) attacks and bypassing mitigation tactics. It presents 10 attack strategies, including targeting backend systems like databases to cause amplification, using reflection techniques, and spoofing large ranges of IP addresses to overwhelm blocklisting defenses. The document also critiques common misconceptions that can leave systems vulnerable, such as not protecting HTTPS traffic or enabling dynamic cloud distribution without origin protection. The overall message is that comprehensive testing and planning is needed to effectively mitigate DDoS attacks.

1. DDoS Mitigation
collection
TL;DR: LEARN HOW TO DO (EFFICIENT) DDOS AND
(EASILY) BYPASS MITIGATION TACTICS
1

2. Agenda
 Intro to D/DoS
 Methodology of work
 DDoS tactics in-the-wild and how to improve
 10 ‘from-the-books’ strategies & how to
leverage your attack to fit them
 Q&A
2

3. ~$ whoami
 Hi! Moshe Zioni, I do security stuff
 3 years of designing & providing a full-blown on-demand DDoS
attack service.
 Mainly exp. in Ethical Hacking & Penetration Testing
 1st time speaker @ CCC, grateful to have this honor.
 .///. END OF SHAMELESS PROMOTION SLIDE .///.
3

4. DDoS for Everyone! 4

5. Method 5

6. Run-of-the-Mill DDoS attacks in-the-wild
Rely heavily on bandwidth consumption
53% of attacks are < 2Gbps (SANS)
Reflection combined with Amplification relies on
3rd party domains (DNS, NTP etc.)
Most attacks does not require brains
6

7. Strike Harder! (!=Larger botnet)
There is more to a web site then a front-end (!!)
Overload the backend by making the system
work for you
Keep it stealthy, they might be using the
‘magic of sniffing’
Think of amplification in a general way
7

8. Generalized Amplification - “4 Pillars”
Amplification factors
Network – The usual suspect
CPU – Very limited on some mediators
and web application servers,
Memory – Volatile, everything uses it,
multi-step operations is prime target.
Storage – Can be filled up or
exhausting I/O buffer
8

11. W

12. Ready?
Set.
12

13. FACEPALM
13

14. 14

15. “Limit the rate
of incoming
packets”
15

16.  The customer has been hit by a DDoS
attack that consumed ALL BANDWIDTH
 To rectify the situation the ISP suggested
limiting incoming packet rate to ensure
availability
 And so he did… believing that now he
upped the game significantly for us
16

17. Reflection to the rescue!
Consumption by reflection
Send in 1Kb
Consume
according to
file-length
17

19. 19

20. “It’s OK now,
monitoring shows
everything is
back to normal”
20

21.  MegaCommonPractive now went on to
buy a Anti-DDoS solution
 A known Anti-DDoS cloud-based
protection solution approached the client
and offered a very solid looking solution
including 24/7 third party monitoring
21

22. DID YOU
ACTUALLY TRY
TO ACCESS
THE WEB SITE!!!!
22

23. 23

24. 24

25. “Backend servers
are not important
to protect
against DDoS”
25

26. Mapping the backend for DDoS
 Databases are very susceptible to DDoS attacks and
provide good grounds for intra-amplification
 How can we find DBs?
You can always guess, pentersters do that
all the time…
Takes more time == more elaborate
operation, may involve BE !!!
PROFIT!!!
26

27. 27

28. 28

29. 29

30. Really??!?! ALL OF THE DOMAINS?!?
What is the strategy of
mitigation? Do you understand
it?
“Doesn’t matter, let’s do it!”
30

31. So, remember the booklet that you
didn’t read?
 Interesting strategy – the system is devising some
unknown algorithm to detect probable attacks.
 Defense mechanism is ‘draining’ out all traffic
first and do some magic.
 Mitigation is kicked in 20 seconds after detection
(supposedly to allow of building a model,
dunno)
31

32. 32

33. 33

34. “We don’t trust
the vendor, we
don’t give them
certificates”
34

35. Talk to me in layer 7…
Defense have chosen not to
monitor layer 7 – HTTPS attacks..
SSL re/negotiation
Plus –transmitting via HTTPS
GET/POST/… the vendor product
can’t learn and analyze traffic
35

36. 36

37. 37

38. “We need Big
Data, collect all
the logs”
38

39. Logs need to be handled
Storage Boom
Result in a complete lock-down,
including not be able to manage the
overflowed device
It was the IPS, so no traffic allowed to go
anywhere, no traffic in/out the system
SILO NEEDED!
39

40. 40

41. 41

42. “We are under
attack – enforce
the on-demand
Scrubbing Service”
42

43. Learning mode – did you do it?
All is learned
Attack considered legitimate traffic
RTFM
And… Vendor response was epic by
itself
43

44. 44

45. 45

46. “So what CDN is
not dynamic?
Let’s enable it”
46

47. NOT IN CACHE? ASK THE ORIGIN! 47

48. 48

49. 49

50. 50

51. 51

52. How to find an ‘invisible’ origin?
Find other known subdomain ->
translate to IP -> scan the /24 or /16 ->
good chance it’s there.
AND….. WHOIS never forgets
http://viewdns.info FTW!
52

53. 53

54. 54

55. “Block ‘em!, now
them, now them, now them, now
them, now them, now them, now
them, now them, now them, now
them, now them, now them, now
them, now them, now them. “
55

56. Total IPs (DE):
~116 M
56
* http://www.nirsoft.net/countryip/de.html

57. Roughly -1,800
class B ranges
57

58. We spoofed IPs from
those classes and deliver
a very detectable TCP
SYN flood attack from
each source
58

59. Now think of a monkey
blocking every incoming
alert.
15 MINUTES TO SELF
INFLICTED DDOS
59

60. 60

61. Collected misconceptions
 There is no magic pill or best cocktail mix of
technologies/appliances/services, never was
– prepare a plan, not just a mitigation.
 You can have all the toys and money in the
world – best mitigation – don’t do drugs
 TEST your infrastructure regularly.
 If you won’t do that – you can be evaluated
for this presentation in the future
61

62. Questions?
62

63. Thank you!
Moshe Zioni
zimoshe@gmail.com, @dalmoz_
63