Layer 7 Denial Of Service
                            Attack Mitigation




                                                IT LESEHAN - y3dips
Saturday, November 12, 11
Agenda

             • Introduction
             • Denial Of Service
                            • Layer 7 Denial Of Service

             • Case Stories
             • Demo
             • Discussion


Introduction
             • Freelance IT Security Consultant
             • More than 9 years in IT Security
             • Founder of “ECHO”, one of the Indonesian hacker
                     communities, established in 2003

             • Founder of IDSECCONF - Indonesia Security
                     Conference, in cooperation with DEPKOMINFO

             • More Info:
                  • me@ammar.web.id

                  • @y3dips

Denial of Service
                 An activity whose aim is to disrupt the operation of a
                            system as much as possible, either partially or entirely.




DoS
             • A stupid act
             • Exhausts your own resources too
             • An old story:
                  • Moby wrote about DDoS in 2003 *
                  • I wrote an Apache DoS in 2003 **
             • Well handled by now
              *http://ezine.echo.or.id/ezine2/ddos%7EMoby.txt
              **http://ezine.echo.or.id/ezine2/dos_buat_apache%7Ey3dips.txt


Types of Network DoS
             • Layer 4
                  • Attacks the layer 4 protocol
                  • TCP
                  • SYN, FIN, ACK
                  • smurf, TRINOO, Stacheldraht, teardrop



Types of Network DoS

             • Layer 7
                  • Attacks a layer 7 protocol
                  • HTTP, FTP, DNS
                  • HTTP slow POST, HTTP GET



Real Life Stories
                               When it all began




DoS against ECHO


             • 7 - 8 November 2011
             • Unknown motives
             • Echo web access down



Attack Detection



See the TKP (the scene of the incident) :)



Check that the DoS is real


             • Down only for you?
             • Or for everyone :D
             • http://downforeveryoneorjustme.com/



Analyze :|



Analyze


             • Is the whole server down?
             • Or only a specific service?




In this case, port 80 was down



Layer 7 DoS
                            Let's dig around on port 80!




See Stats :)



Web statistics for: echo.or.id
Last updated:       08 Nov 2011 - 14:20
Report period:      November 2011

                                                          Summary
Report period            November 2011
First visit              01 Nov 2011 - 00:00
Last visit               08 Nov 2011 - 11:35

                          Unique visitors    Visits    Pages      Hits      Bandwidth
Traffic viewed *          10021              14357     102822     417078    1.45 GB
                          (1.43 visits/visitor) (7.16 pages/visit) (29.05 hits/visit) (105.69 KB/visit)
Traffic not viewed *                                   88111      145915    395.12 MB

* Not viewed traffic includes traffic generated by robots, worms, or replies with special HTTP status codes.

[Monthly history chart, Jan - Dec 2011: month / unique visitors / visits / pages / hits / bandwidth]

                                                          Seems all legit (11/9/11)

7, 8 November?
Ask the Logs :)



Logs

             • HTTP/S logs
                  • http-access
                  • http-error




A valid one
A valid one, but also an HTTP GET flood
Conclusion
             • It's an HTTP GET flood
             • The connection needs to be established
             • So the source IP needs to be valid?
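The two log slides and the conclusion above amount to one check: count GET requests per client per minute in the Apache access log and see who stands out. The script below is an added example, not code from the slides or from ECHO; the log lines are constructed, and 203.0.113.5 / 198.51.100.x are documentation addresses standing in for the flooding client and normal visitors. The 50-per-minute threshold is an assumption to tune against your own traffic.

```shell
#!/bin/sh
# Added example (not from the slides): spot an HTTP GET flood in an
# Apache combined-format access log by counting GETs per client per
# minute, then list the busiest clients overall.

# Write a constructed access log to the file named in $1: a few normal
# visits plus one client sending 60 GETs inside a single minute.
make_sample_log() {
    out="$1"
    : > "$out"
    printf '%s\n' \
      '198.51.100.7 - - [07/Nov/2011:22:14:30 +0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' \
      '198.51.100.7 - - [07/Nov/2011:22:14:32 +0700] "GET /style.css HTTP/1.1" 200 880 "http://echo.or.id/" "Mozilla/5.0"' \
      '198.51.100.9 - - [07/Nov/2011:22:15:10 +0700] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"' \
      >> "$out"
    i=0
    while [ "$i" -lt 60 ]; do
        printf '203.0.113.5 - - [07/Nov/2011:22:15:%02d +0700] "GET / HTTP/1.1" 200 5120 "-" "-"\n' "$i" >> "$out"
        i=$((i + 1))
    done
}

# Print "client minute count" for each client that sent at least $2 GET
# requests (default 50) within one minute. Field 4 of a combined log line
# is "[dd/Mon/yyyy:HH:MM:SS", so the 17 characters after "[" identify the
# minute; field 6 is the quoted method, i.e. "GET with its opening quote.
flood_suspects() {
    awk -v thr="${2:-50}" '
        $6 == "\"GET" { n[$1 " " substr($4, 2, 17)]++ }
        END { for (k in n) if (n[k] >= thr) print k, n[k] }
    ' "$1" | sort
}

# Total requests per client, busiest first: the quick first look before
# checking per-minute rates.
top_clients() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn
}

# Run against the constructed log (temporary file, removed afterwards).
log=$(mktemp)
make_sample_log "$log"
flood_suspects "$log" 50
top_clients "$log" | head -n 3
rm -f "$log"
```

On a real server, point `flood_suspects` at the live access log (for example `/var/log/apache2/access.log`) and raise or lower the threshold until normal visitors and search engine crawlers drop out of the list; a client that only shows up in `top_clients` but never in `flood_suspects` is busy, not necessarily flooding.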




Learn from Code :)



*Credit to Google for the code; I just dug around and found it
Attack Mitigation



Mitigation

             • Always have your backup
             • No privileged access to the server? REPORT IT (LAPORKAN)




Mitigation
             • If you have the privilege
                  • check: netstat -n | grep 80 | wc -l
                  • block:
                            • iptables -A INPUT -s x.x.x.x -p tcp -j TARPIT
                            • iptables -A INPUT -s x.x.x.x -p tcp -j DROP
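The check and block steps above, worked through as an added example (not code from the slides). The `netstat` snapshot is constructed; 203.0.113.5 plays the flooding client. Two details differ from the slide by choice: the count looks only at ESTABLISHED connections whose local port is 80 (a plain `grep 80` also matches port 8080 and any address containing "80"), and the iptables rule adds `--dport 80` so it blocks the web traffic rather than everything from that source. TARPIT is the xtables-addons target the slides use; DRY_RUN=1 prints the rule instead of applying it, so the script runs without root.

```shell
#!/bin/sh
# Added example (not from the slides): per-client count of established
# connections to port 80 from `netstat -n` output, and the iptables rule
# for the chosen response (DROP or TARPIT).

# Constructed snapshot of `netstat -nt` on the web server (192.0.2.10).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51235       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51236       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      ESTABLISHED
tcp        0      0 192.0.2.10:8080         198.51.100.8:40002      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51237       TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.80:2222       ESTABLISHED
EOF
}

# Read netstat output on stdin; print "count client_ip" for ESTABLISHED
# connections to local port 80, busiest client first. The TIME_WAIT, port
# 8080 and port 22 lines in the sample are deliberately excluded.
port80_by_client() {
    awk '$1 == "tcp" && $4 ~ /:80$/ && $6 == "ESTABLISHED" {
             ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Build the slide's iptables rule for one source. $2 is DROP (default) or
# TARPIT (needs the xtables-addons TARPIT module loaded). With DRY_RUN
# unset or 1 the rule is printed; set DRY_RUN=0 to apply it as root.
block_source() {
    ip="$1"; action="${2:-DROP}"
    rule="iptables -A INPUT -s $ip -p tcp --dport 80 -j $action"
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$rule"
    else
        $rule
    fi
}

# Usage: tarpit any client holding more than THRESHOLD connections.
THRESHOLD=2
sample_netstat | port80_by_client | while read -r count ip; do
    if [ "$count" -gt "$THRESHOLD" ]; then
        block_source "$ip" TARPIT
    fi
done
```

On a live host replace `sample_netstat` with `netstat -nt` (or `ss -nt`, whose columns differ slightly) and pick THRESHOLD from what a normal browser opens, typically a handful of connections; one client holding dozens of established connections to port 80 is the pattern the slides describe.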

TARPITING




                Care to send and double the packets :) ?

 http://www.secureworks.com/research/threats/ddos/

Hardening Apache

             • Timeout = default 300 seconds, or 5
                     minutes; 10 seconds is recommended
                            • Timeout protects the server against a large number of
                               requests that the attacker never closes: with Timeout set,
                               if no transaction happens within that time (10 seconds),
                               Apache drops the connection




Hardening Apache

             • KeepAlive = On
                            • KeepAlive allows several HTTP requests to be
                               made over a single connection.


             • KeepAlive = 15 seconds
                            • This setting protects the server from keep-alive
                               connections that carry no transaction




Hardening Apache


             • AcceptFilter = http/https data
                            • Protects against the kind of attack where the attacker opens
                               a socket connection and leaves it idle with no data
                               transaction. Defining the data filter on http and https
                               minimises this kind of attack.
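The three Apache hardening slides above, put together as an added example (not from the slides or from ECHO's configuration): a small audit script that reads an httpd.conf and reports any of the three settings that is missing or weaker than the recommended value. The "weak" and "hardened" fragments are constructed. The directive names are Apache's own: the 15-second keep-alive value on the slide is set with `KeepAliveTimeout`, and on Linux `AcceptFilter http data` enables `TCP_DEFER_ACCEPT`, so a worker is not handed a connection until the client has actually sent data.

```shell
#!/bin/sh
# Added example (not from the slides): audit an Apache config for the
# Timeout, KeepAlive/KeepAliveTimeout and AcceptFilter settings.

# Constructed "before" fragment: the long stock timeout, a generous
# keep-alive timeout, and no accept filter at all.
weak_conf() {
cat <<'EOF'
# stock-looking values
Timeout 300
KeepAlive On
KeepAliveTimeout 60
EOF
}

# Constructed "after" fragment with the values recommended on the slides.
hardened_conf() {
cat <<'EOF'
Timeout 10
KeepAlive On
KeepAliveTimeout 15
MaxKeepAliveRequests 100
AcceptFilter http data
AcceptFilter https data
EOF
}

# Read a config on stdin; print one line per finding, then "FINDINGS=<n>".
# Apache directive names are case-insensitive, so they are compared
# lower-cased; comment and blank lines are skipped. An unset Timeout is
# flagged because Apache's default is 300 seconds; an unset KeepAlive is
# not, because the default is On.
audit_apache_conf() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { d = tolower($1) }
        d == "timeout"          { timeout = $2 }
        d == "keepalive"        { keepalive = tolower($2) }
        d == "keepalivetimeout" { kat = $2 }
        d == "acceptfilter"     { af[tolower($2)] = tolower($3) }
        END {
            n = 0
            if (timeout == "" || timeout + 0 > 10) {
                t = (timeout == "") ? "unset" : timeout
                print "Timeout " t ": recommended 10"; n++
            }
            if (keepalive != "" && keepalive != "on") {
                print "KeepAlive " keepalive ": recommended On"; n++
            }
            if (kat == "" || kat + 0 > 15) {
                k = (kat == "") ? "unset" : kat
                print "KeepAliveTimeout " k ": recommended 15"; n++
            }
            if (af["http"] != "data")  { print "AcceptFilter http: recommended data"; n++ }
            if (af["https"] != "data") { print "AcceptFilter https: recommended data"; n++ }
            print "FINDINGS=" n
        }'
}

# Usage: audit both constructed fragments.
echo "--- weak";     weak_conf     | audit_apache_conf
echo "--- hardened"; hardened_conf | audit_apache_conf
```

To audit a real server, run `audit_apache_conf < /etc/apache2/apache2.conf` (path varies by distribution), apply the hardened values, and confirm the syntax with `apachectl configtest` before reloading; AcceptFilter and the timeouts only take effect after Apache re-reads its configuration.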




Demo


