Date post: 12-Apr-2017
Category: Technology
Upload: moshe-zioni
DDoS Mitigation
TL;DR: LEARN HOW TO DO (EFFICIENT) DDOS AND (EASILY) BYPASS MITIGATION TACTICS
Agenda
Intro to D/DoS
Methodology of work
DDoS tactics in-the-wild and how to improve
10 ‘from-the-books’ strategies & how to leverage your attack to fit them
Q&A
~$ whoami
Hi! Moshe Zioni, I do security stuff
3 years of designing & providing a full-blown on-demand DDoS attack service.
Mainly exp. in Ethical Hacking & Penetration Testing
1st time speaker @ CCC, grateful to have this honor.
.///. END OF SHAMELESS PROMOTION SLIDE .///.
DDoS for Everyone!
Method
Run-of-the-Mill DDoS attacks in-the-wild
Rely heavily on bandwidth consumption
53% of attacks are < 2Gbps (SANS)
Reflection combined with Amplification relies on 3rd party domains (DNS, NTP etc.)
Most attacks do not require brains
Strike Harder! (!=Larger botnet)
There is more to a web site than a front-end (!!)
Overload the backend by making the system work for you
Keep it stealthy, they might be using the ‘magic of sniffing’
Think of amplification in a general way
Generalized Amplification - “4 Pillars”
Amplification factors
Network – The usual suspect
CPU – Very limited on some mediators and web application servers
Memory – Volatile, everything uses it; multi-step operations are a prime target.
Storage – Can be filled up, or its I/O buffers exhausted
Ready?
Set.
FACEPALM
“Limit the rate of incoming packets”
The customer has been hit by a DDoS attack that consumed ALL BANDWIDTH
To rectify the situation the ISP suggested limiting incoming packet rate to ensure availability
And so he did… believing that now he upped the game significantly for us
Reflection to the rescue!
Consumption by reflection
Send in 1Kb, consume according to file-length
“It’s OK now, monitoring shows everything is back to normal”
MegaCommonPractive now went on to buy an Anti-DDoS solution
A known Anti-DDoS cloud-based protection solution approached the client and offered a very solid looking solution, including 24/7 third party monitoring
DID YOU ACTUALLY TRY TO ACCESS THE WEB SITE!!!!
“Backend servers are not important to protect against DDoS”
Mapping the backend for DDoS
Databases are very susceptible to DDoS attacks and provide good grounds for intra-amplification
How can we find DBs?
You can always guess, pentesters do that all the time…
Takes more time == more elaborate operation, may involve BE !!!
PROFIT!!!
Really??!?! ALL OF THE DOMAINS?!?
What is the strategy of mitigation? Do you understand it?
“Doesn’t matter, let’s do it!”
So, remember the booklet that you didn’t read?
Interesting strategy – the system is devising some unknown algorithm to detect probable attacks.
The defense mechanism ‘drains’ out all traffic first and then does some magic.
Mitigation kicks in 20 seconds after detection (supposedly to allow building a model, dunno)
“We don’t trust the vendor, we don’t give them certificates”
Talk to me in layer 7…
Defense has chosen not to monitor layer 7 (HTTPS) attacks.
SSL re/negotiation
Plus, when transmitting via HTTPS GET/POST/… the vendor product can’t learn and analyze the traffic
“We need Big Data, collect all the logs”
Logs need to be handled
Storage Boom
Resulted in a complete lock-down, including not being able to manage the overflowed device
It was the IPS, so no traffic was allowed to go anywhere: no traffic in/out of the system
SILO NEEDED!
“We are under attack – enforce the on-demand Scrubbing Service”
Learning mode – did you do it?
All is learned
Attack considered legitimate traffic
RTFM
And… Vendor response was epic by itself
“So what CDN is not dynamic? Let’s enable it”
NOT IN CACHE? ASK THE ORIGIN!
How to find an ‘invisible’ origin?
Find other known subdomain -> translate to IP -> scan the /24 or /16 -> good chance it’s there.
AND….. WHOIS never forgets
http://viewdns.info FTW!
“Block ‘em!, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them.“
Total IPs (DE): ~116 M
* http://www.nirsoft.net/countryip/de.html
Roughly ~1,800 class B ranges
We spoofed IPs from those classes and delivered a very detectable TCP SYN flood attack from each source
Now think of a monkey blocking every incoming alert.
15 MINUTES TO SELF INFLICTED DDOS
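The self-inflicted lock-out above is a property of the blocking policy, not of the attack, and it can be measured before such an auto-response is switched on. The following is an added example, not code from the talk: it replays constructed alert lines through a naive policy that blocks the /16 of every alert source and a careful policy that blocks only single addresses backed by a completed TCP handshake, and reports how much of a constructed set of legitimate customer ranges each policy cuts off. The alert format, the addresses and the customer ranges are all constructed for the example.

```python
"""Added example (not from the talk): collateral damage of auto-blocking on alerts whose
source may be spoofed. Alert lines, addresses and 'customer' ranges are constructed."""
import ipaddress
import re

# Constructed alert lines: spoofed SYN sources spread over several /16s, plus one
# real HTTP flooder whose TCP handshake did complete.
ALERTS = [
    "2017-04-12T10:00:01 SYN_FLOOD src=5.10.17.4 handshake=no",
    "2017-04-12T10:00:02 SYN_FLOOD src=5.11.200.9 handshake=no",
    "2017-04-12T10:00:03 SYN_FLOOD src=46.4.3.77 handshake=no",
    "2017-04-12T10:00:04 HTTP_FLOOD src=203.0.113.9 handshake=yes",
]
# Constructed: address ranges the site's paying customers come from.
CUSTOMER_RANGES = [ipaddress.ip_network(n) for n in ("5.10.0.0/15", "46.4.0.0/16")]
ALERT_RE = re.compile(r"src=(?P<src>\d+(?:\.\d+){3}) handshake=(?P<hs>yes|no)")

def parse_alerts(lines):
    """Return (source address, handshake completed?) for each parsable line."""
    parsed = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            parsed.append((ipaddress.ip_address(m["src"]), m["hs"] == "yes"))
    return parsed

def naive_policy(alerts):
    """The 'block 'em!' reflex: drop the whole /16 of every alert source."""
    return {ipaddress.ip_network(f"{src}/16", strict=False) for src, _ in alerts}

def careful_policy(alerts):
    """Block single addresses only, and only when a completed handshake shows the
    source is real; the source address of a bare SYN can be forged by anyone."""
    return {ipaddress.ip_network(f"{src}/32") for src, handshake in alerts if handshake}

def collateral(blocked, customer_ranges):
    """Fraction of customer address space the blocklist also cuts off (0.0 to 1.0)."""
    total = sum(n.num_addresses for n in customer_ranges)
    hit = 0
    for cust in customer_ranges:
        for b in blocked:  # prefixes either nest or are disjoint, so min() is the overlap
            if b.overlaps(cust):
                hit += min(b.num_addresses, cust.num_addresses)
    return hit / total

def simulate(lines=ALERTS):
    """Collateral fraction per policy; 1.0 means every customer range is locked out."""
    alerts = parse_alerts(lines)
    return {"naive": collateral(naive_policy(alerts), CUSTOMER_RANGES),
            "careful": collateral(careful_policy(alerts), CUSTOMER_RANGES)}

print(simulate())  # {'naive': 1.0, 'careful': 0.0}
```

With the constructed input, four spoofed SYN alerts are enough for the naive policy to block 100% of the customer space, while the careful policy blocks only the one address that proved it was real.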
Collected misconceptions
There is no magic pill or best cocktail mix of technologies/appliances/services, never was – prepare a plan, not just a mitigation.
You can have all the toys and money in the world – best mitigation – don’t do drugs
TEST your infrastructure regularly.
If you won’t do that – you can be evaluated for this presentation in the future
Questions?