SlideShare a Scribd company logo

Defending Against Application DoS attacks

Roberto Suggi Liverani
Roberto Suggi Liverani

Abstract: Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks. These attacks often result in significant damage against unprepared and vulnerable organisations. The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.

Technology
1 of 51
Download to read offline
Defending Against Application Level DoS Attacks Roberto Suggi Liverani Security-Assessment.com OWASP New Zealand Day 2010 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org
Who am I?  Roberto Suggi Liverani  Senior Security Consultant - Security-Assessment.com  roberto.suggi@security-assessment.com  http://www.security-assessment.com  OWASP New Zealand Chapter Leader  robertosl@owasp.org  http://owasp.org/index.php/owasp_new_zealand  Previous research:  Black SEO  Firefox Extensions  Personal site:  http://malerisch.net OWASP 2
Agenda  Layer 7 DoS Overview  Implications  Root Causes  Attacks and Defenses  Web Application  Web Server  Web Services  Database  Dealing with DDoS HTTP Attack  Before  During  Post - attack  Conclusion OWASP 3
Introduction  Definition: ... an attack designed to render a computer or network incapable of providing normal services.  Traditional DoS attack – layer 3 and 4  Target computer/network bandwidth  Consume all network resources  Deny resources to legitimate clients  Sold as a service...  Cost: ~ 80$ USD per day OWASP 4
L7 DoS Attacks  Not easily detectable  Legitimate application traffic  HTTP, HTTPS  SOAP, XML  More efficient, less resources  Target a bug, insecure feature  Botnet is not required  DoS single request  Harder to trace  Chain-proxy  Tor  No Source IP address spoofing  HTTP requires complete TCP handshake OWASP 5
Layer 7 DoS – Targets  3-tier  Web tier  Web application  Web server  Application tier  App framework – JBoss – SAP  Data tier  Database – Oracle – MS SQL – MySQL OWASP 6
L7 DoS - Implications  Memory  Invalid memory allocation/access/leak  Starvation  CPU  Starvation  Processes/Thread  Fork bomb  Resource starvation  Thread starvation  Deadlock  Race Condition  Disk  Disk overflow  Synptoms: crash, reboot, freeze, CPU runtime 100% OWASP 7
Layer 7 DoS – Root Causes  Insecure feature/reasonable use expectation  Trusted input / action sequence  Human actions expected  Bug/implementation flaw  Poor input filtering and validation  Failing to supply required element/object  Application logic/environment  Application logic open to abuse  Time degrading application actions  Bottlenecks in application framework/environment  Session management  Limited connection pool  Expensive session generation/login process OWASP 8
L7 DoS Attacks And Defenses Web Application OWASP 9
User Specified Object Allocation  Vulnerable PHP code  Attacker controls $num to generate a lot of items in $stack array OWASP 10
Failure To Release Resources  Vulnerable Database Connection Routine  catch() statement fails to close thisConnection OWASP 11
Session Related DoS  Storing lot of session objects for caching/performance instead of re-querying data from other sources (e.g. database)  Consuming session token/login process  Examples  Web tracking, multiple session parameters in use  Large database records are stored in user session for later use  Session created even if user did not register  Session created following user login but registration open to everyone OWASP 12
User Input As A Loop Counter  Vulnerable Loop Counter  Attacker can tamper with $loop, which is used in a loop counter involving fopen() operation OWASP 13
RegEx DoS or ReDoS  Exponential RegEx algorithm  2003, Crosby/Wallach - 2009, Alex Roichman / Adar Weidman  Deterministic algorithm will try all paths before returning a match or no match result  Regex in this case: ^(a+)+$  Payload: aaaaX -> will go through 16 paths OWASP 14
Web Application DoS Amplifiers  XSS  HTML element pointing to a site/page/request  XSRF  Force a resource consuming login process  Performing a resource consuming POST request  SQLi  Generate exception, leave database connection open  SQL Wildcard attacks  LFI  Request a large file in the internal host  Point to drives such as PRN: CON:  RFI  Request large size resource from a remote host  Request a resource which result in network timeout OWASP 15
Recommendations  Input strict validation and filtering  Handle exceptions and properly release resources  Set limits for:  Session related objects and memory allocated  Token expiration  Object allocation  Loop counters  User registration – captcha  Concurrent session tokens per IP address  Testing your web app  Test RegEx, database queries  DoS and Stress testing  Security testing OWASP 16
L7 DoS Attacks And Defenses Web Services OWASP 17
XML Parser DoS  XML Parser DOM loads entire XML stream into memory  Nesting and recursive capability with no defined limits  Reiterated elements  Recursive elements OWASP 18
XML Attribute Blowup  Large number of attributes  10000 attributes ~= 90K XML payload ~= 5.000.000 XML parser operations  Results in non-linear runtime OWASP 19
XML Entity DoS Attacks  XML Exponential Entity Expansion  Forced recursive entity expansion  Many laughs   Quadratic blowup OWASP 20
XML External Entity Injection  www.attacker.com may point to:  Nonexistent resource  Network timeout during parsing, might block the process  Large size resource OWASP 21
SOAP Header  Large payload  Large binary attachment OWASP 22
SOAP Other attacks  SOAP Body  Valid, but very large SOAP body request matching web service schema  SOAP Attachment  Over sized SOAP attachment referred from the SOAP body  SOAP request resulting in heavy database query  Amplifiers  HTTP/1.1 pipeline  Multiple fragmented SOAP requests OWASP 23
Schema With No Restrictions  No restrictions on the maximum size of the data that can be embedded in any of the elements OWASP 24
Recommendations  No customised XML parser  Define input type restrictions on web service schema  Validation and filtering (XML FW):  XML “well-formatted” checks  SOAP header/body/attachment checks  Buffer overrun checks  XML schema validation  XML filtering  Limit size of:  XML message  Expanded entities  Attributes  Do not process inline and external DTD references OWASP 25
L7 DoS Attacks And Defenses Web Server OWASP 26
Low bandwidth DoS Attacks  Slowloris – RSnake (tool)  Technique from Adrian Ilarion Ciobanu – apkill tool http://www.securityfocus.com/archive/1/455833/100/0/threaded  Fingerprint web server timeout  Change http headers to simulate multiple connections/browsers  Exhaust all threads available  HTTP POST DoS – Wong Onn Chee (identified in honeypot)  No delay in sending HTTP Headers (!= Slowloris)  Content-Length = 1000 bytes  HTTP message body is sent 1 byte each 110 seconds till the last byte  Require a good number of threads per each machine – <10k connections to bring down Apache – ~60k connections for IIS (if rapid fail protection is on) OWASP 27
HTTP POST DoS  A simple bash script  Sleep 110 seconds before sending next byte  y determines number of threads OWASP 28
HTTP Flooders/DDoS Attack  Most common L7 attack  Typically launched from botnets  Black Energy botnet C&C interface  Frequencies, thread and command option OWASP 29
Apache - Recommendations  Key Directives  Maxclients, Timeout, KeepAlive and KeepAlive Timeout  Traffic Shaping  mod_throttle - limit the frequency of requests allowed from a single client within a window of time  mod_bwshare - bandwidth throttling by HTTP client IP address  mod_limitipconn - limit the number of simultaneous downloads permitted from a single IP address  mod_dosevasive - detects too many connections and temporaribly block offending IP address  mod_security – WAF, filtering, monitoring, logging  Load/Stressing testing  http_load  Jmeter  Slowloris + DoS tools OWASP 30
IIS - Recommendations  IIS Extensions:  URLScan or Webknight  MaxAllowedContentLength, MaxUrl and MaxQueryString attributes  Dynamic IP Restrictions  Dynamically blocking of requests from IP address based on: – The number of concurrent requests – The number of requests over a period of time  ISA Server Network Protection  Act as load balancer and WAF at the same time  Multiple options for HTTP DoS attacks  HTTP requests per minute, per IP address  Check Application pool health monitoring  IIS worker threads status OWASP 31
L7 DoS Attacks And Defenses Database OWASP 32
SQL Wildcard Attacks  Ferruh Mavituna – 2008  Affect MS SQL and other databases (MySQL, PostsgreSQL, Access)  Query should return few or no results – it must go through the entire data on the database  OR combinations should be different otherwise db performance algorithms may optimise query  Longer query, longer time to execute  Avoids caching in the database, so every query would be different OWASP 33
Recommendations  Perform input validation and filtering based on whitelist  Discard wildcards and other potential characters  Limit number of characters on the query  Input type strict validation (e.g. number must be a number)  Implement CAPTCHA for advanced searches/queries  Search/Query Limits  Set limit of searches/queries per user per day  Only authenticated users can run consuming search/queries  Limit SQL query execution time  Limit number of records/rows returned by database  Memcached  High performance, memory object caching system OWASP 34
Dealing with an HTTP DDoS Attack Part I - Before the Attack OWASP 35
Generic Principles  Business continuity planning  Business impact analysis  Classify critical assets based on MTD (Max Tolerable Downtime)  Develop a 3 phases plan  Protection  ISP agreements, insurance and trade off strategy  Systems, devices and application hardening  Design network for attacks  Detection  Monitoring and analysing  Reaction  Incident Plan OWASP 36
Protection And Prevention  ISP agreements  DoS protection included in agreements  Insurance policy  Establish trade-off strategies/tactics  Absorbe attack  Degrade service  Shut down service  Systems Hardening  Perform regular host reviews against CIS and NIST standards  Perform application reviews  Network Hardening  Load and stress testing network OWASP 37
Segmentation And Overprovision  Segmentation  Redundancy for critical services  Critical services with dedicated server  Overprovision  Hardware and network  Monitoring  Host and Network Intrusion Detection System  Centralised log system  Incident planning  What to do during in incident  Escalation line  Action items  Test your incident plan regularly! OWASP 38
Dealing with an HTTP DDoS Attack Part II – During the attack OWASP 39
Under attack or not?  Establish if it is a real attack  Check unusual spikes/anomalies compared to baseline traffic  Multiple IP addresses requesting a large number of connections in a relative short time  In case of attack, what is the target?  IP address, domain, multiple services  Is target critical? How much can you lose ?  Communication  Everyone on the same page  Internal staff may know the reason why they are attacked  Document everything  Logs, graphs and reports  Correlation and timeline OWASP 40
External collaboration  Contact ISPs  Provide detailed information  Triangulation software helps identifying botnet C&C server  Uncooperative hosting providers can be declared to press  Security Community/Botnet Researcher  Attack fingerprint may help in detecting type of botnet and C&C  Contact Law Enforcement – CCIP, NZCERT  Set a “we are down” web page OWASP 41
Reacting  Slowing the attack  Tarpitting  Delays incoming connections for as long as possible  Deflection  IP Hopping: IP address changed at “random” intervals within a specified set of IP addresses range  Dropping  Dropping connections for a determined time  Escalation (law/legal implications)  Identify C&C and track down botnet C&C server  Report C&C to authorities  …  Look at the botnet  … OWASP 42
Dealing with an HTTP DDoS Attack Part III – The day after OWASP 43
Recovering  Lesson learnt analysis  Meet the day after (everything still fresh)  Go over what worked and what didn’t  Update incident plan  Root causes  Was attack targeting a specific and vulnerable system?  Was just a standard flooding attack?  What if it happens again?  Business Recovery  Recover services as soon as possible  Provide incident data to law enforcement agencies OWASP 44
Conclusions  No generic anti-DoS solution  Each organisation = different environment  Harden systems, applications and networks  Perform regular DoS testing and audits  Continuous monitoring and alerting  Don’t trust anti-DDoS vendors  Carefully evaluate anti-DDoS related products/services  Networking and cooperation  Good relationships with security community, ISP and law enforcement agencies OWASP 45
Questions?  Thanks! ;-) OWASP 46
References  Slowloris - http://ha.ckers.org/slowloris/  Apache HTTP DoS tool mitigation - http://isc.sans.edu/diary.html?storyid=6613  Mitigating the Slowloris HTTP DoS Attack - http://threatpost.com/en_us/blogs/mitigating-slowloris-http- dos-attack-062209  Regular Expression DoS - http://www.owasp.org/index.php/Regular_expression_Denial_of _Service_-_ReDoS  Testing for Storing too much data in session - http://www.owasp.org/index.php/Testing_for_Storing_too_Muc h_Data_in_Session_(OWASP-DS-008)  Testing for writing user provided data to disk - http://www.owasp.org/index.php/Testing_for_Writing_User_Pro vided_Data_to_Disk_(OWASP-DS-006) OWASP 47
References  Testing for user input as loop counter - http://www.owasp.org/index.php/Testing_for_User_Input_as_a_ Loop_Counter_(OWASP-DS-005)  Testing for DoS User Specified Object allocation - http://www.owasp.org/index.php/Testing_for_DoS_User_Specifi ed_Object_Allocation_(OWASP-DS-004)  Testing for Denial of Service - http://www.owasp.org/index.php/Testing_for_Denial_of_Service  HTTP DDoS Attack mitigation using tarpitting - http://www.secureworks.com/research/threats/ddos/  Guest Blog: Defending against DDoS - http://www.sectechno.com/2009/12/06/guest-blog-defending- against-ddos/  A cheesy Apache / IIS DoS vul (+a question) - http://www.securityfocus.com/archive/1/456339/30/0/threaded OWASP 48
References  The top 10 things to do while under ddos attack - http://www.blyon.com/blog/index.php/2010/01/24/ddos_top_10/  Apache httpd server denial of service attack example - http://pub.mud.ro/~cia/computing/apache-httpd-denial-of- service-example.html  Distributed Denial of Service (DDoS) attack tools - http://staff.washington.edu/dittrich/misc/ddos/  Help defeat distributed denial of service attacks: steps by steps - http://www.sans.org/dosstep/  Intentando detener un DDoS - http://foro.elhacker.net/tutoriales_documentacion/intentando_d etener_un_ddos-t137442.0.html  Using squid to fight ddos - http://www.blyon.com/blog/index.php/2009/07/24/using-squid- proxy-to-fight-ddos/ OWASP 49
References  Surviving DDoS Attacks - http://research.corsaire.com/whitepapers/040211-surviving- ddos-attacks.pdf  Application Denial of Service attacks - http://research.corsaire.com/whitepapers/040405-application- level-dos-attacks.pdf  Denial of service attack – wikipedia - http://en.wikipedia.org/wiki/Denial-of-service_attack  DDoS A&D International Workshop on DDoS Attacks and Defenses - http://caislab.kaist.ac.kr/77ddos/Program.html  DDoS Self Defense - http://caislab.kaist.ac.kr/77ddos/DDoS%20Self-Defense.pdf  DDoS Traceback and Beyond - http://caislab.kaist.ac.kr/77ddos/DDoS%20Attack%20Traceback %20and%20Beyond.pdf OWASP 50
References  DoS Attacks Using Sql Wildcards - http://www.portcullis- security.com/uplds/wildcard_attacks.pdf  Anyone interested in the details of latest HTTP POST DDOS attack technique? - https://lists.owasp.org/pipermail/owasp- leaders/attachments/20100308/bc2a1777/attachment-0001.pdf  CERT – Managing the threat of denial-of-service attacks - http://www.cert.org/archive/pdf/Managing_DoS.pdf  O’Reilly, 2005 - Apache SecurityBy Ivan Ristic  OWASP Guide 2.0, denial of service attacks  RESPONDING TO A DISTRIBUTED DENIAL OF SERVICE ATTACK WITH A SELECTIVE TARPIT http://psifertex.com/download/Jordan_Wiens_GCIH.pdf  Attacking Web Services - http://www.owasp.org/index.php/File:AppSec2005DC- Alex_Stamos-Attacking_Web_Services.ppt OWASP 51

Recommended

Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
Roberto Suggi Liverani
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
Roberto Suggi Liverani
 
Exploiting Firefox Extensions
Exploiting Firefox ExtensionsExploiting Firefox Extensions
Exploiting Firefox Extensions
Roberto Suggi Liverani
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Augmented reality in your web proxy
Augmented reality in your web proxyAugmented reality in your web proxy
Augmented reality in your web proxy
Roberto Suggi Liverani
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
Krzysztof Kotowicz
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 

Recommended

Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
Roberto Suggi Liverani
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
Roberto Suggi Liverani
 
Exploiting Firefox Extensions
Exploiting Firefox ExtensionsExploiting Firefox Extensions
Exploiting Firefox Extensions
Roberto Suggi Liverani
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
Michele Orru
 
Augmented reality in your web proxy
Augmented reality in your web proxyAugmented reality in your web proxy
Augmented reality in your web proxy
Roberto Suggi Liverani
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
Krzysztof Kotowicz
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
Soroush Dalili
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP Shells
Vedran Krivokuca
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchor
Michele Orru
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014
n|u - The Open Security Community
 
Flashack
FlashackFlashack
Flashack
n|u - The Open Security Community
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
Bart Leppens
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege Escalation
Sunny Neo
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
Csaba Fitzl
 
Serverless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsServerless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark Arts
Yan Cui
 
TriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingToolsTriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingToolsYury Chemerkin
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRob Fuller
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Michele Orru
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-Pillage
VeilFramework
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Abraham Aranguren
 
Nikto
NiktoNikto
Nikto
Sorina Chirilă
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Rob Fuller
 
I'm the butcher would you like some BeEF
I'm the butcher would you like some BeEFI'm the butcher would you like some BeEF
I'm the butcher would you like some BeEF
Michele Orru
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 
Defending against application level DoS attacks
Defending against application level DoS attacksDefending against application level DoS attacks
Defending against application level DoS attacks
Chu Xu
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddosfangjiafu
 

More Related Content

What's hot

Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
Soroush Dalili
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP Shells
Vedran Krivokuca
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchor
Michele Orru
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014
n|u - The Open Security Community
 
Flashack
FlashackFlashack
Flashack
n|u - The Open Security Community
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
Bart Leppens
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege Escalation
Sunny Neo
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
Csaba Fitzl
 
Serverless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsServerless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark Arts
Yan Cui
 
TriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingToolsTriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingToolsYury Chemerkin
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRob Fuller
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Michele Orru
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-Pillage
VeilFramework
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Abraham Aranguren
 
Nikto
NiktoNikto
Nikto
Sorina Chirilă
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
Rob Fuller
 
I'm the butcher would you like some BeEF
I'm the butcher would you like some BeEFI'm the butcher would you like some BeEF
I'm the butcher would you like some BeEF
Michele Orru
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 

What's hot (20)

Flash it baby!
Flash it baby!Flash it baby!
Flash it baby!
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP Shells
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchor
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014
 
Flashack
FlashackFlashack
Flashack
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege Escalation
 
How to convince a malware to avoid us
How to convince a malware to avoid usHow to convince a malware to avoid us
How to convince a malware to avoid us
 
Serverless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsServerless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark Arts
 
TriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingToolsTriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingTools
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual Pwnership
 
Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012Advances in BeEF - AthCon2012
Advances in BeEF - AthCon2012
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-Pillage
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
 
Nikto
NiktoNikto
Nikto
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
I'm the butcher would you like some BeEF
I'm the butcher would you like some BeEFI'm the butcher would you like some BeEF
I'm the butcher would you like some BeEF
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 

Similar to Defending Against Application DoS attacks

Defending against application level DoS attacks
Defending against application level DoS attacksDefending against application level DoS attacks
Defending against application level DoS attacks
Chu Xu
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddosfangjiafu
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
gofortution
gofortutiongofortution
gofortution
gofortution
 
No sql but even less security
No sql but even less securityNo sql but even less security
No sql but even less security
iammutex
 
Introduction to REST and Jersey
Introduction to REST and JerseyIntroduction to REST and Jersey
Introduction to REST and JerseyChris Winters
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Jeremiah Grossman
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
OmprakashVerma56
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?Gavin Holt
 
Implementation Of real testbed of DDOS
Implementation Of real testbed of DDOSImplementation Of real testbed of DDOS
Implementation Of real testbed of DDOS
Jatin Singh
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
Aditya K Sood
 
Document Databases & RavenDB
Document Databases & RavenDBDocument Databases & RavenDB
Document Databases & RavenDB
Brian Ritchie
 
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.pptOWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
jangomanso
 
Asec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedAsec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwned
Dinis Cruz
 
Full Web Stack Security
Full Web Stack SecurityFull Web Stack Security
Full Web Stack Security
Drupal Portugal
 
Ajp notes-chapter-06
Ajp notes-chapter-06Ajp notes-chapter-06
Ajp notes-chapter-06
Ankit Dubey
 
HTTP FIngerprinting - The next generation (OWASP AppSec APAC 2012)
HTTP FIngerprinting - The next generation (OWASP AppSec APAC 2012)HTTP FIngerprinting - The next generation (OWASP AppSec APAC 2012)
HTTP FIngerprinting - The next generation (OWASP AppSec APAC 2012)
Eldar Marcussen
 
The RESTful Soa Datagrid with Oracle
The RESTful Soa Datagrid with OracleThe RESTful Soa Datagrid with Oracle
The RESTful Soa Datagrid with Oracle
Emiliano Pecis
 
Squid
SquidSquid
Squid
Syeda Javeria
 
Web technologies lesson 1
Web technologies lesson 1Web technologies lesson 1
Web technologies lesson 1nhepner
 

Similar to Defending Against Application DoS attacks (20)

Defending against application level DoS attacks
Defending against application level DoS attacksDefending against application level DoS attacks
Defending against application level DoS attacks
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddos
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
gofortution
gofortutiongofortution
gofortution
 
No sql but even less security
No sql but even less securityNo sql but even less security
No sql but even less security
 
Introduction to REST and Jersey
Introduction to REST and JerseyIntroduction to REST and Jersey
Introduction to REST and Jersey
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?
 
Implementation Of real testbed of DDOS
Implementation Of real testbed of DDOSImplementation Of real testbed of DDOS
Implementation Of real testbed of DDOS
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
 
Document Databases & RavenDB
Document Databases & RavenDBDocument Databases & RavenDB
Document Databases & RavenDB
 
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.pptOWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
 
Asec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedAsec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwned
 
Full Web Stack Security
Full Web Stack SecurityFull Web Stack Security
Full Web Stack Security
 
Ajp notes-chapter-06
Ajp notes-chapter-06Ajp notes-chapter-06
Ajp notes-chapter-06
 
HTTP FIngerprinting - The next generation (OWASP AppSec APAC 2012)
HTTP FIngerprinting - The next generation (OWASP AppSec APAC 2012)HTTP FIngerprinting - The next generation (OWASP AppSec APAC 2012)
HTTP FIngerprinting - The next generation (OWASP AppSec APAC 2012)
 
The RESTful Soa Datagrid with Oracle
The RESTful Soa Datagrid with OracleThe RESTful Soa Datagrid with Oracle
The RESTful Soa Datagrid with Oracle
 
Squid
SquidSquid
Squid
 
Web technologies lesson 1
Web technologies lesson 1Web technologies lesson 1
Web technologies lesson 1
 

More from Roberto Suggi Liverani

None More Black - the Dark Side of SEO
None More Black - the Dark Side of SEONone More Black - the Dark Side of SEO
None More Black - the Dark Side of SEO
Roberto Suggi Liverani
 
Bridging the gap - Security and Software Testing
Bridging the gap - Security and Software TestingBridging the gap - Security and Software Testing
Bridging the gap - Security and Software Testing
Roberto Suggi Liverani
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysis
Roberto Suggi Liverani
 
XPath Injection
XPath InjectionXPath Injection
XPath Injection
Roberto Suggi Liverani
 
Web Spam Techniques
Web Spam TechniquesWeb Spam Techniques
Web Spam Techniques
Roberto Suggi Liverani
 
Reversing JavaScript
Reversing JavaScriptReversing JavaScript
Reversing JavaScript
Roberto Suggi Liverani
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
Roberto Suggi Liverani
 
Browser Security
Browser SecurityBrowser Security
Browser Security
Roberto Suggi Liverani
 

More from Roberto Suggi Liverani (8)

None More Black - the Dark Side of SEO
None More Black - the Dark Side of SEONone More Black - the Dark Side of SEO
None More Black - the Dark Side of SEO
 
Bridging the gap - Security and Software Testing
Bridging the gap - Security and Software TestingBridging the gap - Security and Software Testing
Bridging the gap - Security and Software Testing
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysis
 
XPath Injection
XPath InjectionXPath Injection
XPath Injection
 
Web Spam Techniques
Web Spam TechniquesWeb Spam Techniques
Web Spam Techniques
 
Reversing JavaScript
Reversing JavaScriptReversing JavaScript
Reversing JavaScript
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 

Recently uploaded

State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 

Recently uploaded (20)

State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 

Defending Against Application DoS attacks

  • 1. Defending Against Application Level DoS Attacks Roberto Suggi Liverani Security-Assessment.com OWASP New Zealand Day 2010 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org
  • 2. Who am I?  Roberto Suggi Liverani  Senior Security Consultant - Security-Assessment.com  roberto.suggi@security-assessment.com  http://www.security-assessment.com  OWASP New Zealand Chapter Leader  robertosl@owasp.org  http://owasp.org/index.php/owasp_new_zealand  Previous research:  Black SEO  Firefox Extensions  Personal site:  http://malerisch.net OWASP 2
  • 3. Agenda  Layer 7 DoS Overview  Implications  Root Causes  Attacks and Defenses  Web Application  Web Server  Web Services  Database  Dealing with DDoS HTTP Attack  Before  During  Post - attack  Conclusion OWASP 3
  • 4. Introduction  Definition: ... an attack designed to render a computer or network incapable of providing normal services.  Traditional DoS attack – layer 3 and 4  Target computer/network bandwidth  Consume all network resources  Deny resources to legitimate clients  Sold as a service...  Cost: ~ 80$ USD per day OWASP 4
  • 5. L7 DoS Attacks  Not easily detectable  Legitimate application traffic  HTTP, HTTPS  SOAP, XML  More efficient, less resources  Target a bug, insecure feature  Botnet is not required  DoS single request  Harder to trace  Chain-proxy  Tor  No Source IP address spoofing  HTTP requires complete TCP handshake OWASP 5
  • 6. Layer 7 DoS – Targets  3-tier  Web tier  Web application  Web server  Application tier  App framework – JBoss – SAP  Data tier  Database – Oracle – MS SQL – MySQL OWASP 6
  • 7. L7 DoS - Implications  Memory  Invalid memory allocation/access/leak  Starvation  CPU  Starvation  Processes/Thread  Fork bomb  Resource starvation  Thread starvation  Deadlock  Race Condition  Disk  Disk overflow  Synptoms: crash, reboot, freeze, CPU runtime 100% OWASP 7
  • 8. Layer 7 DoS – Root Causes  Insecure feature/reasonable use expectation  Trusted input / action sequence  Human actions expected  Bug/implementation flaw  Poor input filtering and validation  Failing to supply required element/object  Application logic/environment  Application logic open to abuse  Time degrading application actions  Bottlenecks in application framework/environment  Session management  Limited connection pool  Expensive session generation/login process OWASP 8
  • 9. L7 DoS Attacks And Defenses Web Application OWASP 9
  • 10. User Specified Object Allocation  Vulnerable PHP code  Attacker controls $num to generate a lot of items in $stack array OWASP 10
  • 11. Failure To Release Resources  Vulnerable Database Connection Routine  catch() statement fails to close thisConnection OWASP 11
  • 12. Session Related DoS  Storing lot of session objects for caching/performance instead of re-querying data from other sources (e.g. database)  Consuming session token/login process  Examples  Web tracking, multiple session parameters in use  Large database records are stored in user session for later use  Session created even if user did not register  Session created following user login but registration open to everyone OWASP 12
  • 13. User Input As A Loop Counter  Vulnerable Loop Counter  Attacker can tamper with $loop, which is used in a loop counter involving fopen() operation OWASP 13
  • 14. RegEx DoS or ReDoS  Exponential RegEx algorithm  2003, Crosby/Wallach - 2009, Alex Roichman / Adar Weidman  Deterministic algorithm will try all paths before returning a match or no match result  Regex in this case: ^(a+)+$  Payload: aaaaX -> will go through 16 paths OWASP 14
  • 15. Web Application DoS Amplifiers  XSS  HTML element pointing to a site/page/request  XSRF  Force a resource consuming login process  Performing a resource consuming POST request  SQLi  Generate exception, leave database connection open  SQL Wildcard attacks  LFI  Request a large file in the internal host  Point to drives such as PRN: CON:  RFI  Request large size resource from a remote host  Request a resource which result in network timeout OWASP 15
  • 16. Recommendations  Input strict validation and filtering  Handle exceptions and properly release resources  Set limits for:  Session related objects and memory allocated  Token expiration  Object allocation  Loop counters  User registration – captcha  Concurrent session tokens per IP address  Testing your web app  Test RegEx, database queries  DoS and Stress testing  Security testing OWASP 16
  • 17. L7 DoS Attacks And Defenses Web Services OWASP 17
  • 18. XML Parser DoS  XML Parser DOM loads entire XML stream into memory  Nesting and recursive capability with no defined limits  Reiterated elements  Recursive elements OWASP 18
  • 19. XML Attribute Blowup  Large number of attributes  10000 attributes ~= 90K XML payload ~= 5.000.000 XML parser operations  Results in non-linear runtime OWASP 19
  • 20. XML Entity DoS Attacks  XML Exponential Entity Expansion  Forced recursive entity expansion  Many laughs   Quadratic blowup OWASP 20
  • 21. XML External Entity Injection  www.attacker.com may point to:  Nonexistent resource  Network timeout during parsing, might block the process  Large size resource OWASP 21
  • 22. SOAP Header  Large payload  Large binary attachment OWASP 22
  • 23. SOAP Other attacks  SOAP Body  Valid, but very large SOAP body request matching web service schema  SOAP Attachment  Over sized SOAP attachment referred from the SOAP body  SOAP request resulting in heavy database query  Amplifiers  HTTP/1.1 pipeline  Multiple fragmented SOAP requests OWASP 23
  • 24. Schema With No Restrictions  No restrictions on the maximum size of the data that can be embedded in any of the elements OWASP 24
  • 25. Recommendations  No customised XML parser  Define input type restrictions on web service schema  Validation and filtering (XML FW):  XML “well-formatted” checks  SOAP header/body/attachment checks  Buffer overrun checks  XML schema validation  XML filtering  Limit size of:  XML message  Expanded entities  Attributes  Do not process inline and external DTD references OWASP 25
  • 26. L7 DoS Attacks And Defenses Web Server OWASP 26
  • 27. Low bandwidth DoS Attacks  Slowloris – RSnake (tool)  Technique from Adrian Ilarion Ciobanu – apkill tool http://www.securityfocus.com/archive/1/455833/100/0/threaded  Fingerprint web server timeout  Change http headers to simulate multiple connections/browsers  Exhaust all threads available  HTTP POST DoS – Wong Onn Chee (identified in honeypot)  No delay in sending HTTP Headers (!= Slowloris)  Content-Length = 1000 bytes  HTTP message body is sent 1 byte each 110 seconds till the last byte  Require a good number of threads per each machine – <10k connections to bring down Apache – ~60k connections for IIS (if rapid fail protection is on) OWASP 27
  • 28. HTTP POST DoS  A simple bash script  Sleep 110 seconds before sending next byte  y determines number of threads OWASP 28
  • 29. HTTP Flooders/DDoS Attack  Most common L7 attack  Typically launched from botnets  Black Energy botnet C&C interface  Frequencies, thread and command option OWASP 29
  • 30. Apache - Recommendations  Key Directives  Maxclients, Timeout, KeepAlive and KeepAlive Timeout  Traffic Shaping  mod_throttle - limit the frequency of requests allowed from a single client within a window of time  mod_bwshare - bandwidth throttling by HTTP client IP address  mod_limitipconn - limit the number of simultaneous downloads permitted from a single IP address  mod_dosevasive - detects too many connections and temporaribly block offending IP address  mod_security – WAF, filtering, monitoring, logging  Load/Stressing testing  http_load  Jmeter  Slowloris + DoS tools OWASP 30
  • 31. IIS - Recommendations  IIS Extensions:  URLScan or Webknight  MaxAllowedContentLength, MaxUrl and MaxQueryString attributes  Dynamic IP Restrictions  Dynamically blocking of requests from IP address based on: – The number of concurrent requests – The number of requests over a period of time  ISA Server Network Protection  Act as load balancer and WAF at the same time  Multiple options for HTTP DoS attacks  HTTP requests per minute, per IP address  Check Application pool health monitoring  IIS worker threads status OWASP 31
  • 32. L7 DoS Attacks And Defenses Database OWASP 32
  • 33. SQL Wildcard Attacks  Ferruh Mavituna – 2008  Affect MS SQL and other databases (MySQL, PostsgreSQL, Access)  Query should return few or no results – it must go through the entire data on the database  OR combinations should be different otherwise db performance algorithms may optimise query  Longer query, longer time to execute  Avoids caching in the database, so every query would be different OWASP 33
  • 34. Recommendations  Perform input validation and filtering based on whitelist  Discard wildcards and other potential characters  Limit number of characters on the query  Input type strict validation (e.g. number must be a number)  Implement CAPTCHA for advanced searches/queries  Search/Query Limits  Set limit of searches/queries per user per day  Only authenticated users can run consuming search/queries  Limit SQL query execution time  Limit number of records/rows returned by database  Memcached  High performance, memory object caching system OWASP 34
  • 35. Dealing with an HTTP DDoS Attack Part I - Before the Attack OWASP 35
  • 36. Generic Principles  Business continuity planning  Business impact analysis  Classify critical assets based on MTD (Max Tolerable Downtime)  Develop a 3 phases plan  Protection  ISP agreements, insurance and trade off strategy  Systems, devices and application hardening  Design network for attacks  Detection  Monitoring and analysing  Reaction  Incident Plan OWASP 36
  • 37. Protection And Prevention  ISP agreements  DoS protection included in agreements  Insurance policy  Establish trade-off strategies/tactics  Absorbe attack  Degrade service  Shut down service  Systems Hardening  Perform regular host reviews against CIS and NIST standards  Perform application reviews  Network Hardening  Load and stress testing network OWASP 37
  • 38. Segmentation And Overprovision  Segmentation  Redundancy for critical services  Critical services with dedicated server  Overprovision  Hardware and network  Monitoring  Host and Network Intrusion Detection System  Centralised log system  Incident planning  What to do during in incident  Escalation line  Action items  Test your incident plan regularly! OWASP 38
  • 39. Dealing with an HTTP DDoS Attack Part II – During the attack OWASP 39
  • 40. Under attack or not?  Establish if it is a real attack  Check unusual spikes/anomalies compared to baseline traffic  Multiple IP addresses requesting a large number of connections in a relative short time  In case of attack, what is the target?  IP address, domain, multiple services  Is target critical? How much can you lose ?  Communication  Everyone on the same page  Internal staff may know the reason why they are attacked  Document everything  Logs, graphs and reports  Correlation and timeline OWASP 40
  • 41. External collaboration  Contact ISPs  Provide detailed information  Triangulation software helps identifying botnet C&C server  Uncooperative hosting providers can be declared to press  Security Community/Botnet Researcher  Attack fingerprint may help in detecting type of botnet and C&C  Contact Law Enforcement – CCIP, NZCERT  Set a “we are down” web page OWASP 41
  • 42. Reacting  Slowing the attack  Tarpitting  Delays incoming connections for as long as possible  Deflection  IP Hopping: IP address changed at “random” intervals within a specified set of IP addresses range  Dropping  Dropping connections for a determined time  Escalation (law/legal implications)  Identify C&C and track down botnet C&C server  Report C&C to authorities  …  Look at the botnet  … OWASP 42
  • 43. Dealing with an HTTP DDoS Attack Part III – The day after OWASP 43
  • 44. Recovering  Lesson learnt analysis  Meet the day after (everything still fresh)  Go over what worked and what didn’t  Update incident plan  Root causes  Was attack targeting a specific and vulnerable system?  Was just a standard flooding attack?  What if it happens again?  Business Recovery  Recover services as soon as possible  Provide incident data to law enforcement agencies OWASP 44
  • 45. Conclusions  No generic anti-DoS solution  Each organisation = different environment  Harden systems, applications and networks  Perform regular DoS testing and audits  Continuous monitoring and alerting  Don’t trust anti-DDoS vendors  Carefully evaluate anti-DDoS related products/services  Networking and cooperation  Good relationships with security community, ISP and law enforcement agencies OWASP 45
  • 47. References  Slowloris - http://ha.ckers.org/slowloris/  Apache HTTP DoS tool mitigation - http://isc.sans.edu/diary.html?storyid=6613  Mitigating the Slowloris HTTP DoS Attack - http://threatpost.com/en_us/blogs/mitigating-slowloris-http- dos-attack-062209  Regular Expression DoS - http://www.owasp.org/index.php/Regular_expression_Denial_of _Service_-_ReDoS  Testing for Storing too much data in session - http://www.owasp.org/index.php/Testing_for_Storing_too_Muc h_Data_in_Session_(OWASP-DS-008)  Testing for writing user provided data to disk - http://www.owasp.org/index.php/Testing_for_Writing_User_Pro vided_Data_to_Disk_(OWASP-DS-006) OWASP 47
  • 48. References  Testing for user input as loop counter - http://www.owasp.org/index.php/Testing_for_User_Input_as_a_ Loop_Counter_(OWASP-DS-005)  Testing for DoS User Specified Object allocation - http://www.owasp.org/index.php/Testing_for_DoS_User_Specifi ed_Object_Allocation_(OWASP-DS-004)  Testing for Denial of Service - http://www.owasp.org/index.php/Testing_for_Denial_of_Service  HTTP DDoS Attack mitigation using tarpitting - http://www.secureworks.com/research/threats/ddos/  Guest Blog: Defending against DDoS - http://www.sectechno.com/2009/12/06/guest-blog-defending- against-ddos/  A cheesy Apache / IIS DoS vul (+a question) - http://www.securityfocus.com/archive/1/456339/30/0/threaded OWASP 48
  • 49. References  The top 10 things to do while under ddos attack - http://www.blyon.com/blog/index.php/2010/01/24/ddos_top_10/  Apache httpd server denial of service attack example - http://pub.mud.ro/~cia/computing/apache-httpd-denial-of- service-example.html  Distributed Denial of Service (DDoS) attack tools - http://staff.washington.edu/dittrich/misc/ddos/  Help defeat distributed denial of service attacks: steps by steps - http://www.sans.org/dosstep/  Intentando detener un DDoS - http://foro.elhacker.net/tutoriales_documentacion/intentando_d etener_un_ddos-t137442.0.html  Using squid to fight ddos - http://www.blyon.com/blog/index.php/2009/07/24/using-squid- proxy-to-fight-ddos/ OWASP 49
  • 50. References  Surviving DDoS Attacks - http://research.corsaire.com/whitepapers/040211-surviving- ddos-attacks.pdf  Application Denial of Service attacks - http://research.corsaire.com/whitepapers/040405-application- level-dos-attacks.pdf  Denial of service attack – wikipedia - http://en.wikipedia.org/wiki/Denial-of-service_attack  DDoS A&D International Workshop on DDoS Attacks and Defenses - http://caislab.kaist.ac.kr/77ddos/Program.html  DDoS Self Defense - http://caislab.kaist.ac.kr/77ddos/DDoS%20Self-Defense.pdf  DDoS Traceback and Beyond - http://caislab.kaist.ac.kr/77ddos/DDoS%20Attack%20Traceback %20and%20Beyond.pdf OWASP 50
  • 51. References  DoS Attacks Using Sql Wildcards - http://www.portcullis- security.com/uplds/wildcard_attacks.pdf  Anyone interested in the details of latest HTTP POST DDOS attack technique? - https://lists.owasp.org/pipermail/owasp- leaders/attachments/20100308/bc2a1777/attachment-0001.pdf  CERT – Managing the threat of denial-of-service attacks - http://www.cert.org/archive/pdf/Managing_DoS.pdf  O’Reilly, 2005 - Apache SecurityBy Ivan Ristic  OWASP Guide 2.0, denial of service attacks  RESPONDING TO A DISTRIBUTED DENIAL OF SERVICE ATTACK WITH A SELECTIVE TARPIT http://psifertex.com/download/Jordan_Wiens_GCIH.pdf  Attacking Web Services - http://www.owasp.org/index.php/File:AppSec2005DC- Alex_Stamos-Attacking_Web_Services.ppt OWASP 51