This document discusses practical steps to mitigate distributed denial of service (DDoS) attacks and provides recommendations for Juniper firewalls. It describes common types of DDoS attacks and factors that improve them. It then lists recommendations for identifying risks and testing networks, and provides examples of configuration settings for Juniper firewalls to limit sessions, age connections, blacklist traffic, prioritize critical traffic, and protect against SYN floods, ICMP floods and other attack types. It also discusses techniques like SYN cookies and hardware acceleration that can help mitigate the impact of DDoS attacks.
The presentation covers information about basic and advanced ddos attacks; the tools, techniques and methods to perform them and how to prevent them using the methods present in TCP/IP. Given the different network and application protocols for tcp/ip; we tried to describe where ddos attacks are made possible in the communication process . Each attack is seperately analyzed and described and defense technique is described using the same analogy. Our motto: If there is a ddos case, there was a way to defend it.
Praktické postupy ochrany před DDoS útoky - Přednáška se bude zabývat postupy jak se chránit před DoS/DDoS útoky a to od nejnižší po nejvyšší vrstvu, od malých webů po korporátní sítě.
www.security-session.cz
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...ShortestPathFirst
Presentation given by Roland Dobbins covering our recent draft of use case scenarios for use in DDoS Open Threat Signaling. This presentation was given on Nov. 3rd, 2015 at IETF 94 in Yokohama, Japan.
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
FROM KERNEL SPACE TO USER HEAVEN at NUIT DU HACK 2013 by JAIME SANCHEZ
More information at:
Twitter: @segofensiva
Website: http://www.seguridadofensiva.com
What if you could enqueue from kernel space to user space all your incoming and outgoing network connections? Maybe you could develop some offensive/defensive applications to modify headers and payloads in real time, to detect unauthorized traffic like dns tunneling connections or to fool some well known network tools. This will be showed in Linux-powered devices. It will be explained too some remote OS fingerprinting techniques, both active and passive, implemented in tools like nmap, p0f, or vendor appliances, and a how to defeat them. This technique doesn't need virtual machines or kernel patches, and is highly portable to other platforms.
Remote-access VPNs allow secure access to corporate resources by establishing an encrypted tunnel
across the Internet. The ubiquity of the Internet, combined with today's VPN technologies, allows
organizations to cost-effectively and securely extend the reach of their networks to anyone, anyplace,
anytime.
Stealth servers need Stealth Packets - Derbycon 3.0Jaime Sánchez
Sun Tzu once said "Know your enemy and know yourself, and in a hundred battles you will never be defeated". Cyberwar is upon us, and APT is too common nowadays and we need to think about new tricks to avoid it, being one step ahead to keep your systems secure.
You can give that step in order defend your servers against the first phase in all APT operations: Fingerprinting. This is done by intercepting all traffic that your box is sending in order to camouflage and modify in real time the flags in TCP/IP packets that discover your system.
This presentation will discuss the current techniques used for OS fingerprinting and how to frustrate them:
- Active remote OS fingerprinting: like Nmap or Xprobe (with Live Demo: Laptop and Mobile)
- Passive remote OS fingeprinting: like p0f or pfsense (with Live Demo: Mobile)
- Commercial engines like Sourcefire’s FireSiGHT OS fingerprinting (with Live Demo: Laptop)
There will be a many live demos, and will release OSfoller, that have some interesting features:
- No need for kernel modification or patches
- Highly portable and configurable
- Will emulate any OS
- Capable of handling nmap and p0f fingerprint database (beta phase)
- Transparent for the user
- Undetectable for the attacker
- Available for your Linux laptop, server and mobile device
Sorry guys, remote OS fingerprinting is over…
The presentation covers information about basic and advanced ddos attacks; the tools, techniques and methods to perform them and how to prevent them using the methods present in TCP/IP. Given the different network and application protocols for tcp/ip; we tried to describe where ddos attacks are made possible in the communication process . Each attack is seperately analyzed and described and defense technique is described using the same analogy. Our motto: If there is a ddos case, there was a way to defend it.
Praktické postupy ochrany před DDoS útoky - Přednáška se bude zabývat postupy jak se chránit před DoS/DDoS útoky a to od nejnižší po nejvyšší vrstvu, od malých webů po korporátní sítě.
www.security-session.cz
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...ShortestPathFirst
Presentation given by Roland Dobbins covering our recent draft of use case scenarios for use in DDoS Open Threat Signaling. This presentation was given on Nov. 3rd, 2015 at IETF 94 in Yokohama, Japan.
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
FROM KERNEL SPACE TO USER HEAVEN at NUIT DU HACK 2013 by JAIME SANCHEZ
More information at:
Twitter: @segofensiva
Website: http://www.seguridadofensiva.com
What if you could enqueue from kernel space to user space all your incoming and outgoing network connections? Maybe you could develop some offensive/defensive applications to modify headers and payloads in real time, to detect unauthorized traffic like dns tunneling connections or to fool some well known network tools. This will be showed in Linux-powered devices. It will be explained too some remote OS fingerprinting techniques, both active and passive, implemented in tools like nmap, p0f, or vendor appliances, and a how to defeat them. This technique doesn't need virtual machines or kernel patches, and is highly portable to other platforms.
Remote-access VPNs allow secure access to corporate resources by establishing an encrypted tunnel
across the Internet. The ubiquity of the Internet, combined with today's VPN technologies, allows
organizations to cost-effectively and securely extend the reach of their networks to anyone, anyplace,
anytime.
Stealth servers need Stealth Packets - Derbycon 3.0Jaime Sánchez
Sun Tzu once said "Know your enemy and know yourself, and in a hundred battles you will never be defeated". Cyberwar is upon us, and APT is too common nowadays and we need to think about new tricks to avoid it, being one step ahead to keep your systems secure.
You can give that step in order defend your servers against the first phase in all APT operations: Fingerprinting. This is done by intercepting all traffic that your box is sending in order to camouflage and modify in real time the flags in TCP/IP packets that discover your system.
This presentation will discuss the current techniques used for OS fingerprinting and how to frustrate them:
- Active remote OS fingerprinting: like Nmap or Xprobe (with Live Demo: Laptop and Mobile)
- Passive remote OS fingeprinting: like p0f or pfsense (with Live Demo: Mobile)
- Commercial engines like Sourcefire’s FireSiGHT OS fingerprinting (with Live Demo: Laptop)
There will be a many live demos, and will release OSfoller, that have some interesting features:
- No need for kernel modification or patches
- Highly portable and configurable
- Will emulate any OS
- Capable of handling nmap and p0f fingerprint database (beta phase)
- Transparent for the user
- Undetectable for the attacker
- Available for your Linux laptop, server and mobile device
Sorry guys, remote OS fingerprinting is over…
The TCP/IP protocol suite has a number of vulnerability and security flaws inherent in the protocols. Those vulnerabilities are often used by crackers for Denial of Service (DOS) attacks, connection hijacking and other attacks. The following are the major TCP/IP security problems:
TCP SYN attacks (or SYN Flooding) ¡§CThe TCP uses sequence numbers to ensure data is given to the user in the correct order. The sequence numbers are initially established during the opening phase of a TCP connection in the three-way handshake. TCP SYN attacks take advantage of a flaw in how most hosts implement TCP three-way handshake. When Host B receives the SYN request from A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds and a host can only keep track of a very limited number of connections. A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN&ACK the other host sends back. By doing so, the other host's listen queue is quickly filled up, and it will stop accepting new connections, until a partially opened connection in the queue is completed or times out. This ability to effectively remove a host from the network for at least 75 seconds can be used as a denial-of-service attack, or it can be used to implement other attacks, like IP Spoofing.
IP Spoofing - IP spoofing is an attack used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forging IP address indicating that the message is coming from a trusted host. The IP layer assumes that the source address on any IP packet it receives is the same IP address as the system that actually sent the packet -- it does no authentication. Many higher level protocols and applications also make this assumption, so it seems that anyone able to forge the source address of an IP packet could get unauthorized privileges. There are few variations of IP Spoofing such as Blind and Non-blind spoofing, man-in-the-middle- attack (connection hijacking), etc. For details, please read the IP Spoofing section.
Routing attacks ¡§C This attack takes advantage of Routing Information Protocol (RIP), which is often an essential component in a TCP/IP network. RIP is used to distribute routing information within networks, such as shortest-paths, and advertising routes out from the local network. Like TCP/IP, RIP has no built in authentication, and the information provided
in a RIP packet is often used without verifying it. Attacks on RIP change where data goes to, not where it came from. For example, an attacker could forge a RIP packet, claiming his host "X" has the fastest path out of the network. All packets sent out from that network would then be routed through X, where they could be modified or examined. An attacker could also use RIP to effectively impersonate any host, by causing all traffic sent to that host to be sent to the attacker's machine
Derevolutionizing OS Fingerprinting: The cat and mouse gameJaime Sánchez
With the explosive growth and distributed nature of computer networks, it has become progressively more difficult to manage, secure, and identify Internet devices. An outsider has the capability to discover general information, such as which operating system a host is running, by searching for default stack parameters, ambiguities in IETF RFCs or non-compliant TCP/IP implementations in responses to malformed requests. By pinpointing the exact OS of a host, an attacker can launch an educated and precise attack against a target machine.
There are lot of reasons to hide your OS to the entire world:
Revealing your OS makes things easier to find and successfully run an exploit against any of your devices.
Having and unpatched or antique OS version is not very convenient for your company prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won't trust you any longer! In addition, these kind of 'bad' news are always sent to the public opinion.
Knowing your OS can also become more dangerous, because people can guess which applications are you running in that OS (data inference). For example if your system is a MS Windows, and you are running a database, it's highly likely that you are running MS-SQL.
It could be convenient for other software companies, to offer you a new OS environment (because they know which you are running).
And finally, privacy; nobody needs to know the systems you've got running.
This talk aims to present well-known methods that perform classification using application-layer traffic (TCP/IP/UDP headers, ICMP packets, or some combination thereof), old style approaches to defeat remote OS fingerprinting (like tweaking Windows registry or implement patches to the Linux kernel) and why this doesn't work with nowadays and could affect TCP/IP stack performance. We'll also present a new approach to detect and defeat both active/passive OS fingerprint with OSfooler-NG, a completely rewritten tool, highly portable, completely undetectable for the attackers and capable of detecting and defeating famous tools like nmap, p0f, Xprobe, pfsense and many commercial engines.
Sorry guys, OS fingerprinting is over...
Ведущий: Терренс Гаро
В докладе рассказывается о том, как создать ханипот (ловушку) и организовать сервис с обновляемыми данными о попавшихся DDoS-ботах с помощью Kibana, Elasticsearch, Logstash и AMQP. Докладчик откроет исходный код системы мониторинга и сбора внешней статистики DDoS-атак, над которой он работал со своей командой последние два года.
The TCP/IP protocol suite has a number of vulnerability and security flaws inherent in the protocols. Those vulnerabilities are often used by crackers for Denial of Service (DOS) attacks, connection hijacking and other attacks. The following are the major TCP/IP security problems:
TCP SYN attacks (or SYN Flooding) ¡§CThe TCP uses sequence numbers to ensure data is given to the user in the correct order. The sequence numbers are initially established during the opening phase of a TCP connection in the three-way handshake. TCP SYN attacks take advantage of a flaw in how most hosts implement TCP three-way handshake. When Host B receives the SYN request from A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds and a host can only keep track of a very limited number of connections. A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN&ACK the other host sends back. By doing so, the other host's listen queue is quickly filled up, and it will stop accepting new connections, until a partially opened connection in the queue is completed or times out. This ability to effectively remove a host from the network for at least 75 seconds can be used as a denial-of-service attack, or it can be used to implement other attacks, like IP Spoofing.
IP Spoofing - IP spoofing is an attack used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forging IP address indicating that the message is coming from a trusted host. The IP layer assumes that the source address on any IP packet it receives is the same IP address as the system that actually sent the packet -- it does no authentication. Many higher level protocols and applications also make this assumption, so it seems that anyone able to forge the source address of an IP packet could get unauthorized privileges. There are few variations of IP Spoofing such as Blind and Non-blind spoofing, man-in-the-middle- attack (connection hijacking), etc. For details, please read the IP Spoofing section.
Routing attacks ¡§C This attack takes advantage of Routing Information Protocol (RIP), which is often an essential component in a TCP/IP network. RIP is used to distribute routing information within networks, such as shortest-paths, and advertising routes out from the local network. Like TCP/IP, RIP has no built in authentication, and the information provided
in a RIP packet is often used without verifying it. Attacks on RIP change where data goes to, not where it came from. For example, an attacker could forge a RIP packet, claiming his host "X" has the fastest path out of the network. All packets sent out from that network would then be routed through X, where they could be modified or examined. An attacker could also use RIP to effectively impersonate any host, by causing all traffic sent to that host to be sent to the attacker's machine
Derevolutionizing OS Fingerprinting: The cat and mouse gameJaime Sánchez
With the explosive growth and distributed nature of computer networks, it has become progressively more difficult to manage, secure, and identify Internet devices. An outsider has the capability to discover general information, such as which operating system a host is running, by searching for default stack parameters, ambiguities in IETF RFCs or non-compliant TCP/IP implementations in responses to malformed requests. By pinpointing the exact OS of a host, an attacker can launch an educated and precise attack against a target machine.
There are lot of reasons to hide your OS to the entire world:
Revealing your OS makes things easier to find and successfully run an exploit against any of your devices.
Having and unpatched or antique OS version is not very convenient for your company prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won't trust you any longer! In addition, these kind of 'bad' news are always sent to the public opinion.
Knowing your OS can also become more dangerous, because people can guess which applications are you running in that OS (data inference). For example if your system is a MS Windows, and you are running a database, it's highly likely that you are running MS-SQL.
It could be convenient for other software companies, to offer you a new OS environment (because they know which you are running).
And finally, privacy; nobody needs to know the systems you've got running.
This talk aims to present well-known methods that perform classification using application-layer traffic (TCP/IP/UDP headers, ICMP packets, or some combination thereof), old style approaches to defeat remote OS fingerprinting (like tweaking Windows registry or implement patches to the Linux kernel) and why this doesn't work with nowadays and could affect TCP/IP stack performance. We'll also present a new approach to detect and defeat both active/passive OS fingerprint with OSfooler-NG, a completely rewritten tool, highly portable, completely undetectable for the attackers and capable of detecting and defeating famous tools like nmap, p0f, Xprobe, pfsense and many commercial engines.
Sorry guys, OS fingerprinting is over...
Ведущий: Терренс Гаро
В докладе рассказывается о том, как создать ханипот (ловушку) и организовать сервис с обновляемыми данными о попавшихся DDoS-ботах с помощью Kibana, Elasticsearch, Logstash и AMQP. Докладчик откроет исходный код системы мониторинга и сбора внешней статистики DDoS-атак, над которой он работал со своей командой последние два года.
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PROIDEA
Kazdy z nas w dobie obecnego Internetu i Pokemon Go ma swoja stronę internetowa, forum czy tez prowadzi sklep e-commerce. Z punktu widzenia klienta, rozwiązanie jest proste. Loguje się na swoje konto, uruchamia instalator CMS i zaczyna prowadzić swoje usługi bądź
tez dostarczać treści. Będzie to pierwsze case study skutecznej obrony przed potężnymi atakami
wolumetrycznymi mające na celu wyłącznie usług HTTP bądź HTTPS za pomocą wysyłania dużej ilości pakietów SYN na serwer który hostuje zainfekowana stronę www. Celem prezentacji jest pokazanie mechanizmu obrony przed szeroko znanego problemu jakim jestDDoS, metody mitygacji, blackholing oraz przykładowe scenariusze w raz z konfiguracja w oparciu o dystrybucje CentOS oraz modułu HAProxy.
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua CiscoTran Thanh Song
Nếu bạn cho rằng một máy tính cài phần mềm chống virus bản quyền được update liên tục bởi công nghệ đám mây gì đó là an toàn thì vẫn chưa đủ bởi Antivirus chỉ tìm và diệt được khi nó đã có mẫu. Điều gì xảy ra khi một sâu máy tính mới hoặc Attacker/Hacker xâm nhập vào máy tính của bạn rồi lặng lẽ nhân bản sang toàn bộ máy trong mạng LAN của công ty ??? Tài liệu này nhằm dành cho kỹ thuật để so sánh thiết bị switch bảo mật của HDN và thiết bị switch của Cisco từ đó có quyết định lựa chọn thiết bị nào vừa kinh tế vừa hiệu quả trong việc đảm bảo độ tin cậy và an toàn thông tin.
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)Igalia
By Andy Wingo.
Refreshing your Twitter feed is such a drag over 3G, taking forever to connect and fetch those precious kilobytes. The reasons for this go deep into the architecture of the internet: making an HTTPS connection simply has terrible latency.
So let’s fix the internet! MinimaLT is an exciting new network protocol that connects faster than TCP, is more secure than TLS (crypto by DJ Bernstein), and allows mobile devices to keep connections open as they change IP addresses. This talk presents the MinimaLT protocol and a Node library that allows JS hackers to experimentally build a new Internet.
NetFlow Monitoring for Cyber Threat DefenseCisco Canada
Recent trends have led to the erosion of the security perimeter and increasingly attackers are gaining operational footprints on the network interior. For more information, please visit our website: http://www.cisco.com/web/CA/index.html
Solve the colocation conundrum: Performance and density at scale with KubernetesNiklas Quarfot Nielsen
As we move from monolithic applications to microservices, the ability to colocate workloads offers a tremendous opportunity to realize greater development velocity, robustness, and resource utilization. But workload colocation can also introduce performance variability and affect service levels. Google describes the problem as the “tail at scale”—the amplification of negative results observed at the tail of the latency curve when many systems are involved.
With its latest tooling capabilities, Intel has an experiments framework to calculate the trade-offs between low latency and higher density. Niklas Nielsen discusses the challenges and complexities of workload colocation, why solving these challenges matters to your business no matter the size, and how Intel intends to help smarter resource allocations with its latest tooling capabilities and Kubernetes.
DDoS Mitigation Solution
360° Protection for Your IT Network Resources
Distributed denial of service attacks continues to evolve in scale, complexity, and sophistication: more distributed, high volumetric traffic, and intruding on the application layer.
A successful attack can potentially enhance unwanted costs on your IT setup and infrastructure. More significantly, it can lead to revenue & brand loss and can hurt customer satisfaction.
To combat these attacks from reaching the enterprise network, you need a resilient, scalable, and secure solution.
HaltDos DDoS Mitigation Solution is an artificial intelligence-based IT security solution that automatically detects and accurately mitigates cyber-attacks on websites and IT Networks in real-time. It provides round the clock multi-layered security with combined network behavioral analysis (NBA), heuristic and reputation techniques to automatically detect and accurately mitigate a wide range of network and application layer DDoS attacks without any human intervention with minimal latency.
Similar to Practical steps to mitigate DDoS attacks (20)
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...JeyaPerumal1
A cellular network, frequently referred to as a mobile network, is a type of communication system that enables wireless communication between mobile devices. The final stage of connectivity is achieved by segmenting the comprehensive service area into several compact zones, each called a cell.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Italy Agriculture Equipment Market Outlook to 2027harveenkaur52
Agriculture and Animal Care
Ken Research has an expertise in Agriculture and Animal Care sector and offer vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemical, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in agriculture sector provide better insights to companies dealing with related product and services, government and agriculture associations, researchers and students to well understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
Italy Agriculture Equipment Market Outlook to 2027
Practical steps to mitigate DDoS attacks
1. Practical steps to mitigate
DDoS attacks
Martin Čmelík
www.security-portal.cz
Security Session 2013, Brno, Czech Republic
2. What DoeS it mean?
Exhausting resources like:
CPU
Memory/Buffers
I/O operations
Disk space
Network bandwidth
Reach HW/SW or user defined limits (max. number of ...)
Disruption of configuration or service crash
3. Attack motivation
Financial gain
Self-realization and social credit
Revenge
Political / Demonstration
Cyber Terrorism
Selling Anti-DDoS protection products
To hide secondary attack
4. Factors improving DoS attacks
Vulnerable systems
Spoofing
Existence of reflectors and amplifiers
Data randomization (no signature)
Bugs in applications
Low bandwidth
Lack of planning/testing/monitoring and risk management
10. Common recommendations
Go through all devices on network, from L2 switches to backend
servers and identify possible leaks, bottlenecks, attack vectors,
applicable DoS attacks, vulnerabilities ... and mitigate or (rate)limit
them
Take our mind map and identify all applicable DoS attacks based
on network layer where device operating
In case of applications: identify time and resource consuming
functions, make stress/fuzz testing and source code analysis
Test your network and devices by simulating real DoS attack
(LOIC/HOIC, hping, slowhttptest, thc-ssl-dos, pktgen, ... )
12. Juniper DoS protection
“In general, NetScreen offers DoS attack mitigation, hostile packet signature
detection and blocking, and protection against port scans, address sweeps,
and various flood attacks. In all current releases, NetScreen also offers a
limited form of Malicious URL protection.”
// Source and Destination based session limits
# destination based limits can prevent amplification attack from internal DNS servers
set zone untrust screen limit-session destination-ip-based 4000
set zone untrust screen limit-session destination-ip-based
# source based can help against attempts to fill session table, or limit access
set zone dmz screen limit-session source-ip-based 1
set zone dmz screen limit-session source-ip-based
13. // Aggressive aging
Decrease timeouts for 3-way handshake (20s), TCP (30min), HTTP
(5min), UDP (1min), ... when reached high-watermark threshold (for
example 80%) and begins aggressively aging out the oldest
sessions, until the number of sessions is under low-watermark. In
this example timeouts will be decreased - 40 seconds from default.
set flow aging low-watermark 70
set flow aging high-watermark 80
set flow aging early-timeout 4
// CPU Protection with Blacklisting DoS attack traffic
Can create blacklists (up to 30) of IP addresses from which malicious
traffic reach device and drop it without other processing inside
device itself. This saves processing load on CPU during DoS
set cpu-protection blacklist id 1 1.1.1.0/24 2.2.2.0/24 protocol 17 src-port
5 dst-port 7
timeout 0
14. // Prioritizing critical Traffic
Security device allows critical traffic (during high-utilization) such as
management/routing/VPN/NSM traffic pass with priority and drops
noncritical traffic. In this example activated when CPU is above 80%
set cpu-protection threshold 80
// SYN-ACK-ACK Proxy Flood
Prevent the SYN-ACK-ACK attack, which occurs when the attacker
establishes multiple telnet sessions without allowing each session to
terminate. This behavior consumes all open slots, generating a
denial-of-service condition.
set zone untrust screen syn-ack-ack-proxy threshold 512
15. // SYN Flood protection
Limit the number of SYN pps based on source or destination IP address. When
traffic exceeds threshold device will start proxying SYN packets. Same applies
to Cisco embryonic connection protection and OpenBSD pf synproxy.
16. // SYN Flood protection - setup
# enable syn flood protection
set zone untrust screen syn-flood
set zone untrust screen syn-flood attack-threshold 1000
# alarm threshold here become effective when 3001 pps occur
set zone untrust screen syn-flood alarm-threshold 2000
set zone untrust screen syn-flood source-threshold 250
set zone untrust screen syn-flood destination-threshold 1000
# time until half-open connections are droped in queue (5s)
set zone untrust screen syn-flood timeout 5
# number of proxied connections before device starts rejecting new
connection requests
set zone zone screen syn-flood queue-size 20000
17. // SYN cookies
Because SYN cookie is stateless, it does not set up a session or do
policy and route lookups upon receipt of a SYN segment. This
dramatically reduces CPU and memory usage and is main advantage
instead of SYN proxying.
SYN cookie itself is computed ISN from first SYN packet: time,
source IP and port, destination IP and port and MSS. When final
ACK arrives (ISN+1) server knows to which cookie is that related.
In high-end devices, the PPU ASIC chip in the security device
performs the SYN cookie mechanism instead of the security device
CPU.
set zone untrust screen syn-flood
set zone untrust screen syn-flood attack-threshold 1000
set flow syn-proxy syn-cookie
18. // ICMP and UDP Flood protection
PING and UDP floods can have dramatic effect on firewall. In this
example we will limit ICMP to 1000 pps and UDP to 10000 pps.
# enable ICMP flood protection
set zone untrust screen icmp-flood
set zone untrust screen icmp-flood threshold 1000
# block large ICMP
set zone untrust screen icmp-large
# enable UDP flood
set zone untrust screen udp-flood
set zone untrust screen udp-flood threshold 10000
// Land attack
Land attack occurs when an attacker sends spoofed SYN packets
containing the IP address of the victim as both the destination and
source IP address.
set zone untrust screen land
19. // Old types of DoS attacks
# Ping of Death (oversized ICMP packet)
set zone untrust screen ping-death
# Teardrop attack (reassembly of fragmented IP packets)
set zone untrust screen tear-drop
# WinNuke (NetBIOS packet with URG flag set -> BSOD)
set zone untrust screen winnuke
20. DoS mitigation
Applicable same improvements as for Linux
SecureXL (traffic acceleration)
CoreXL (balance rulebase processing across CPU cores)
SIM Affinity (NICs IRQs balances across CPU cores)
Global connection limit (by default only 25.000)
Most of DoS attacks can be mitigated only by IPS
module or DDoS Protector (upcoming)
21. SecureXL
SecureXL is the security performance architecture which offloads
many intensive security operations to optimized hardware or
network processor. Offloaded security operations include TCP
state negotiation, packet forwarding, Network Address Translation,
VPN cryptography, anti-spoofing, routing and accounting.
# enable firewall acceleration
[Expert@internet-fw]# fwaccel on
# view statistics
[Expert@internet-fw]# fwaccel stats -s
Accelerated conns/Total conns : 68520/68706 (99%)
Accelerated pkts/Total pkts : 8731331828/9006544387 (96%)
F2Fed pkts/Total pkts : 275212333/9006544387 (3%)
PXL pkts/Total pkts : 226/9006544387 (0%)
22. CoreXL
This feature provides scalability of performance, according to the
number of processor cores on a single machine. No change to
network topology or management is required. CoreXL joins
ClusterXL Load Sharing and SecureXL as part of the Check Point
traffic acceleration technologies. The firewall kernel is replicated a
number of times in a CoreXL gateway. Each instance or replicated
copy of the firewall kernel runs on one processor core. These
instances handle traffic concurrently, and each instance is a
complete and independent inspection kernel.
Enable via cpconfig option menu
23. CoreXL
When running CoreXL on four or more processing cores, the number of kernel
instances in the CoreXL post-setup configuration is one less than the number of
processing cores. The remaining processing core is responsible for processing
incoming traffic from the network interfaces, securely accelerating authorized packets
(if Performance Pack is running) and distributing non-accelerated packets among
kernel instances.
#As you can see connections are balanced across CPU cores
[Expert@internet-fw]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
-------------------------------------------
0 | Yes | 7 | 11592 | 24596
1 | Yes | 6 | 13077 | 23970
2 | Yes | 5 | 10749 | 21975
3 | Yes | 4 | 10466 | 20683
4 | Yes | 3 | 12060 | 22448
5 | Yes | 2 | 12013 | 21772
24. SIM Affinity
This feature balances NICs IRQs across CPU cores. In ideal case
each NIC will be assigned to unique CPU core. If it is not possible
balance at least most utilized interfaces.
# Set automatic affinity
[Expert@internet-fw]# sim affinity -a
# Check that SIM affinity works
[Expert@internet-fw]# fw ctl affinity -l -v # or # sim affinity -l
Interface Exp1-1 (irq 123): CPU 6
Interface Exp1-2 (irq 147): CPU 2
Interface Sync (irq 194): CPU 0
Interface Exp2-1 (irq 218): CPU 1
Interface Exp2-2 (irq 51): CPU 7
Interface Lan8 (irq 219): CPU 1
26. Maximum concurrent connections
Please be sure that you have increased maximum
connections limit, which is by default 25.000 only and
can be biggest bottleneck on your firewall.
27. DoS mitigation
Tune kernel parameters
Increase NIC TX/RX buffers
(D)DoS Deflate
...and you're safe :] (just kidding)
28. /etc/sysctl.conf tuning
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Enable tcp_window_scaling
net.ipv4.tcp_window_scaling = 1
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
# This removes an odd behavior in the 2.6 kernels, whereby the
kernel stores the slow start threshold for a client between TCP
sessions.
net.ipv4.tcp_no_metrics_save = 1
29. /etc/sysctl.conf tuning
# Prevent SYN attack
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2
# Buffer size autotuning - buffer size (and tcp window size) is dynamically updated for
each connection. This option is not present in kernels older then 2.4.27 or 2.6.7 -
(update your kernel). In that case tuning options net.ipv4.tcp_wmem and
net.ipv4.tcp_rmem isnt recommended
net.ipv4.tcp_moderate_rcvbuf = 1
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Increase allowed local port range
net.ipv4.ip_local_port_range = 1024 64000
30. Increase TX/RX buffer size
If you have server under heavy (soft interrupts) load and interfaces aren't able to
handle all incoming traffic, then RX-DRP occur, which in fact means: dropped, needs
to be resend. If it is re-occurring issue client can recognize slowness of connection
and intermittent disruption of service. In that case you have to check maximum
allowed buffer size and increase it.
Linux ~ $ netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR
eth0 1500 0 1742981407 0 2607898 0 1176287425 0 0
lo 16436 0 126382 0 0 0 126382 0 0
# check current setup
Linux ~ $ ethtool -g eth0
Pre-set maximums:
RX: 4096
TX: 4096
Current hardware settings:
RX: 256
TX: 256
# set maximum values (put into rc scripts, settings will be lost after restart)
ethtool -G eth0 rx 4096 tx 4096
31. Simple connection limiting -
(D)DoS Deflate
(D)DoS Deflate is a lightweight bash shell script designed to assist in
the process of blocking a denial of service attack. It utilizes the
command below to create a list of IP addresses connected to the
server, along with their total number of connections. It is one of the
simplest and easiest to install solutions at the software level.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
IP addresses with over a pre-configured number of connections are
automatically blocked in the server's firewall, which can be direct
iptables or Advanced Policy Firewall (APF).
http://deflate.medialayer.com/
32. Apache DoS mitigation - mod_evasive
Module mainly utilized for rate-limiting. Can mitigate common HTTP flood attacks.
<IfModule mod_evasive20.c>
# size of hash table
DOSHashTableSize 4096
# requests for the _same_ page per interval and client
DOSPageCount 20
# requests for any object by same client
DOSSiteCount 300
# threshold in second intervals
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 30
#DOSCloseSocket On
#DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"
DOSWhitelist 127.0.0.1
DOSEmailNotify your@email.com
DOSLogDir /var/log/httpd/evasive.log
</IfModule>
33. Web Application DoS mitigation - mod_security
ModSecurity is open source web application firewall (WAF) operating as Apache/
Nginx/IIS module. WAFs are deployed to establish an external security layer that
increases security, detects and prevents attacks (SQLi, XSS, LFI/RFI, ...) before
they reach web applications. It provides protection from a range of attacks against
web applications and allows for HTTP traffic monitoring and real-time analysis with
little or no changes to existing infrastructure.
// OWASP Core rules
In order to provide generic web applications protection, the OWASP Core Rules
use the following techniques:
HTTP Protection (protocol violations)
Real-time Blacklist Lookups (3rd IP reputation)
Web-based Malware Detection (Google Safe Browsing API)
HTTP Denial of Service Protections (flooding, slow attacks)
Automation Detection (bots, crawlers, scanners)
Integration with AV Scanning for File Uploads
Tracking Sensitive Data (credit cards)
Trojan Protection
Identification of Application Defects
Error Detection and Hiding
https://www.owasp.org/index.pCategory:OWASP_ModSecurity_Core_Rule_Set_Project#Home
34. F5 BigIP Application Security
Manager
“F5 BIG-IP® Application Security Manager™ (ASM) is a flexible
web application firewall that secures web applications in
traditional, virtual, and private cloud environments. BIG-IP ASM
provides unmatched web application and website protection,
helps secure deployed applications against unknown
vulnerabilities, and enables compliance for key regulatory
mandates—all on a platform that consolidates application delivery
with a data center firewall solution, and network and application
access control.”
36. BigIP ASM DoS Attack Prevention
Latency increased by
Specifies that the system considers traffic to be an attack if the latency has increased by this percentage.
Latency reached
Specifies that the system considers traffic to be an attack if the latency is equal to or greater than this value.
Source IP-Based Client-Side Integrity Defense
Checks whether a client is a legal browser or an illegal script by injecting JavaScript into responses when
suspicious IP addresses are requested.
URL-Based Client-Side Integrity Defense
Checks whether a client is a legal browser or an illegal script by injecting JavaScript into responses when
suspicious URLs are requested.
Source IP-Based Rate Limiting
Check to drop requests from suspicious IP addresses. Application Security Manager drops connections to limit
the rate of requests to the average rate prior to the attack, or lower than the absolute threshold specified by the
IP detection TPS reached setting.
URL-Based Rate Limiting
Check to indicate that when the system detects a URL under attack, Application Security Manager drops
connections to limit the rate of requests to the URL to the average rate prior to the attack.
Effective Challenge/Response authentication mechanism to differentiate attackers
from normal users during DoS attack is usually JavaScript
37. BigIP LTM DoS attack prevention
System -> Configuration -> Local Traffic -> General
38. BigIP LTM DoS attack prevention
Reaper High-water Mark
Specifies, in percent, the memory usage at which the system stops establishing
new connections.
Reaper Low-water Mark
Specifies, in percent, the memory usage at which the system silently purges stale
connections, without sending reset packets (RST) to the client.
SYN Check Activation Threshold
Specifies the number of new or untrusted TCP connections that can be established
before the system activates the SYN Cookies.
Please read following documentation for LTM DoS mitigation in detail (if needed)
http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7301.html
39. DNS Reflection and Amplification DoS
prevention
Don't setup DNS server as open resolver. A DNS resolver is open
if it provides recursive name resolution for clients outside of its
administrative domain.
DNS RRL is an experimental feature for domain name servers
including CZ-NIC Knot DNS, NLNetLabs NSD, and ISC BIND9.
BIND example:
rate-limit {
responses-per-second 5;
window 5;
};
Knot example:
system {
rate-limit 200; # Each flow is allowed to 200 resp. per second
rate-limit-slip 2; # Every other response is slipped (default)
}
Why not utilizing TTL related limitation in combination with source IP
based limit?
40. based DoS protection
Highly recommended to websites hosted on shared webhosting or
VPS, but can be used on enterprise level as well. Relatively cheap
and effective solution for most known DoS attacks.
Take those risks on mind:
not all services can be protected, in most cases used for HTTP/S only
If you want HTTPS protection, SSL key pair will be sent to cloud provider and in
fact they see unencrypted traffic (if not, your site can be subject of THC SSL
DoS attack)
you must limit access to website only from cloud IP addresses, otherwise
attacker can bypass cloud protection and access website directly
42. based DoS protection
Largest known DDoS attack peaking at 300Gb/s of traffic (Spamhaus).
You're simply unable to block this amount of traffic on your Internet pipe.
This is the biggest benefit of cloud based DoS protection. Cloud services
can also protect you against application based attacks (XSS, SQLi, CSRF,
Flooding, Slow attacks, protocol violations, ...) as described before in
mode_security and thus looking like best choice. Don't forget that they can’t
limit all of them on your perimeter, that they have some limitations (often
crucial) and can’t protect your internal network or devices.
Ask your ISP what he can do for you. What protections can offer (hopefully
at least traffic blackholing - RTHB) and how to cooperate in case of DoS
attack.
43. At the and I would like to recommend some providers
Dedicated DDoS mitigation equipment: Arbor Networks, Cisco (CicoGuard),
Toplayer, RioRey
Cloud protection for websites/small companies: Incapsula, CloudFlare,
Rivalhost, Imperva
Enterprise level cloud protection: Akamai (DDoS Defender), Verisign,
Prolexic, Gigenet, Staminus
Security of your company is in your hands. DoS/DDoS is only one
of many (often more dangerous) attacks.