Real Life Application DOS Attacks Ziv Gadot, Radware

Date post: 05-Jan-2016
Page 1: Real Life Application  DOS Attacks Ziv Gadot, Radware

Real Life Application DOS Attacks

Ziv Gadot, Radware

Page 2

Agenda

• Short Introduction to DOS Attacks

• Real Life DOS Attacks Review

• Q & A

Page 3

DOS Typology

                      Single Packet DOS         Multi-Packet DOS (Floods)
Based on              Software vulnerability    Saturation (network, service)
Attacker's resource   Single host               Computer network, botnet
Cure                  Patch                     Anti-DOS products/services

Page 4

DOS Typology (Cont)

Chart (layout not recoverable from the transcript): attacks plotted along two axes, few-packet attacks (on the order of 20 RPS) versus numerous-packet attacks (100-500K PPS), and application level versus design weakness. Attacks placed on the chart: SYN Flood, ICMP Flood, Slowloris, Sockstress, HTTP Floods, ReDoS.

Page 5

Lecture Scope

Multi Packet DOS Attacks

Web Attacks

Real life Attacks (seen by us)
• SYN Flood
• 3-Way-Handshake Flood
• Connection Saturation Attack
• GET Slash Flood
• Image Fetching
• Caching Bypass
• Web Reflection Attack
• Blended Attacks

Also listed on the slide:
• Sockstress
• Slowloris
• ReDoS
• SMTP Attacks
• DNS Attacks
• SIP Attacks

Page 6

Goals

• Knowing the enemy (as it actually is)

• Once an attack is fully identified and characterized, it becomes much easier to mitigate

Page 7

DOS ATTACKS

Page 8

SYN Attack

Diagram: client sends SYN, server answers SYN+ACK (no further packets shown).

Motivation
• Simple yet effective
• SRC IP is spoofed (the attacker's own IP is not exposed; difficult to block)
• Botnet power challenges the capacity of existing protections

Characterization
• From 1K PPS up to 1M PPS and more

Identification
• TCP flag distribution

Page 9

3-Way-Handshake Flood

Diagram: SYN, SYN+ACK, ACK, then FIN; the full handshake is completed at 27K PPS.

Motivation
• Evade SYN attack protections
• Attacks a different resource (the application)

Characterization
• 27K PPS

Identification
• TCP flag distribution
• SRC IP is not spoofed

Page 10

Slow Connection Saturation Flood

Diagram: SYN, SYN+ACK, ACK, then periodic keep-alives; the connection is never closed.

Motivation
• Exhaust the system's maximum number of sessions
• Evade classic protections

Characterization
• Very slow rate (of opening new connections)

Identification
• Numerous on-going connections from a single IP
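The identification cues on the SYN flood, 3-way-handshake flood and slow connection saturation slides (TCP flag distribution, whether a source ever completes the handshake, and how many sessions one IP holds open) turned into checks over a list of inbound packets. This is an added example, not code from the deck or from Radware; the packet samples, the flag strings and the thresholds in classify() are constructed assumptions for illustration.

```python
"""Classify inbound TCP traffic by the three indicators the slides name.
Each packet is a (source_ip, flags) pair; samples are constructed, not captures."""
from collections import Counter, defaultdict


def flag_distribution(packets):
    """Share of inbound packets per TCP flag combination (the 'TCP flag
    distribution' indicator)."""
    if not packets:
        return {}
    counts = Counter(flags for _, flags in packets)
    return {flags: round(n / len(packets), 3) for flags, n in counts.items()}


def handshake_completion_rate(packets):
    """Fraction of SYN-sending sources that also send an ACK, i.e. answered
    the server's SYN+ACK.  Spoofed SYN-flood sources never do, so the rate
    collapses; real hosts in a handshake flood complete almost every one."""
    flags_by_src = defaultdict(set)
    for src, flags in packets:
        flags_by_src[src].add(flags)
    syn_sources = [s for s, f in flags_by_src.items() if "SYN" in f]
    if not syn_sources:
        return 0.0
    completed = sum(1 for s in syn_sources if "ACK" in flags_by_src[s])
    return round(completed / len(syn_sources), 3)


def open_connections_per_source(packets):
    """Connections still open per source: SYNs seen minus FIN/RST seen.
    A slow connection-saturation attacker keeps many open from few IPs."""
    opened, closed = Counter(), Counter()
    for src, flags in packets:
        if flags == "SYN":
            opened[src] += 1
        elif flags in ("FIN", "RST"):
            closed[src] += 1
    return {src: opened[src] - closed[src] for src in opened}


def classify(packets, syn_share=0.5, completion=0.2, max_open=50):
    """Return the verdict tags that apply.  Thresholds are illustrative
    assumptions, not values taken from the deck."""
    dist = flag_distribution(packets)
    syn, fin = dist.get("SYN", 0.0), dist.get("FIN", 0.0)
    comp = handshake_completion_rate(packets)
    busiest = max(open_connections_per_source(packets).values(), default=0)
    verdicts = []
    if syn >= syn_share and comp <= completion:
        verdicts.append("syn_flood")            # SYN-heavy, sources never ACK: spoofed
    elif 0.2 <= syn < syn_share and comp >= 1 - completion and fin >= 0.2:
        verdicts.append("handshake_flood")      # real hosts open and close at high rate
    if busiest >= max_open:
        verdicts.append("connection_saturation")  # one IP holding many sessions open
    return verdicts


# Constructed samples (assumptions, not captured traffic) -------------------
# 1000 SYNs from 1000 distinct spoofed sources, nothing else.
SYN_FLOOD = [(f"10.0.{i // 256}.{i % 256}", "SYN") for i in range(1000)]
# 50 real hosts, each completing and closing 6 connections (SYN, ACK, FIN).
HANDSHAKE_FLOOD = [(f"192.0.2.{h}", f) for h in range(50)
                   for _ in range(6) for f in ("SYN", "ACK", "FIN")]
# One host opens 60 connections and keeps them alive with bare ACKs, never
# closing, on top of 20 ordinary clients doing a normal request and close.
SLOW_SATURATION = ([("198.51.100.7", "SYN")] * 60
                   + [("198.51.100.7", "ACK")] * 560
                   + [(f"203.0.113.{c}", f) for c in range(20)
                      for f in ("SYN", "ACK", "ACK", "FIN")])

if __name__ == "__main__":
    for name, sample in (("SYN_FLOOD", SYN_FLOOD),
                         ("HANDSHAKE_FLOOD", HANDSHAKE_FLOOD),
                         ("SLOW_SATURATION", SLOW_SATURATION)):
        print(name, flag_distribution(sample), classify(sample))
```

On a real capture the flags string would be derived from the TCP flag byte (a FIN usually arrives as FIN+ACK, so normalise before counting), and the per-source counters should be kept over a sliding window rather than the whole capture.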

Page 11

GET Slash Flood

Motivation
• Application level attack
• Very simple

Characterization
• Lower rate than L3-L4 attacks
• 2K RPS

Identification
• Increase in HTTP RPS
• Increase in users or in RPS per user
• The “GET /” is very noticeable

Page 12

Large Image/Data Fetching

Diagram: a request for /images/large-image.jpg triggers a large reply.

Motivation
• Small request generates a large reply (and labor)

Characterization
• Fetching a rich page that triggers the pulling of large data

Identification
• Change in the inbound:outbound traffic ratio (L2 bps). Normal: 1:5. Attack: 1:30

Page 13

Caching Bypass

Diagram: website fronted by a cache; the request shown is

GET …. HTTP/1.1
….
Cache-Control: no-store, must-revalidate
….

Motivation
• Force all impact onto the web server

Characterization
• Cache control directive to override the cache

Identification
• Inspect the ‘Cache-Control’ values on incoming requests

Page 14

Reflection Attack

Diagram: Attacker, Website A, Website B (Victim); visitors of Website A issue HTTP GETs to Website B.

Page 15

Diagram: an iframe (width=1, height=1) embedded in Website A, pointing at search.php on the victim.
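The web-attack indicators from the GET Slash Flood, Large Image/Data Fetching, Caching Bypass and Reflection Attack slides, computed over access-log lines. This is an added example, not code from the deck or from Radware. It assumes a constructed log format that records request size, reply size, Referer and the request's Cache-Control header (the default combined format lacks the last three), and the log lines, hostnames and thresholds in analyze() are constructed for illustration. Which request-side Cache-Control directives actually make a given cache skip itself is cache-specific; the list below is an assumption.

```python
"""Web DoS indicators over access-log lines.  Format (constructed):
ts src "METHOD path" status bytes_in bytes_out "referer" "cache-control"."""
import re
from collections import Counter
from urllib.parse import urlsplit

LINE = re.compile(
    r'^(?P<ts>\d+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'(?P<bytes_in>\d+) (?P<bytes_out>\d+) "(?P<referer>[^"]*)" "(?P<cache_control>[^"]*)"$')

# Request-side directives assumed to make the cache forward to the origin.
BYPASS_DIRECTIVES = ("no-store", "no-cache", "max-age=0")


def parse(lines):
    """Parse log lines into dicts with integer fields; malformed lines are skipped."""
    records = []
    for line in lines:
        m = LINE.match(line)
        if m:
            r = m.groupdict()
            for key in ("ts", "status", "bytes_in", "bytes_out"):
                r[key] = int(r[key])
            records.append(r)
    return records


def requests_per_second(records):
    if not records:
        return 0.0
    span = max(r["ts"] for r in records) - min(r["ts"] for r in records) + 1
    return round(len(records) / span, 3)


def get_slash_share(records):
    """Fraction of requests that are a bare 'GET /' (GET Slash Flood)."""
    if not records:
        return 0.0
    return round(sum(r["method"] == "GET" and r["path"] == "/" for r in records) / len(records), 3)


def outbound_ratio(records):
    """Reply bytes per request byte (deck: about 5 normally, about 30 under attack)."""
    bytes_in = sum(r["bytes_in"] for r in records)
    return round(sum(r["bytes_out"] for r in records) / bytes_in, 3) if bytes_in else 0.0


def cache_bypass_share(records):
    """Fraction of requests whose Cache-Control forces the origin to serve."""
    if not records:
        return 0.0
    hits = sum(any(d in r["cache_control"].lower() for d in BYPASS_DIRECTIVES) for r in records)
    return round(hits / len(records), 3)


def foreign_referers(records, path_prefix, own_host):
    """Referer hosts other than our own for requests to an expensive endpoint.
    A reflection attack shows up as one third-party host driving most hits."""
    hosts = Counter()
    for r in records:
        if r["path"].startswith(path_prefix):
            host = urlsplit(r["referer"]).hostname
            if host and host != own_host:
                hosts[host] += 1
    return hosts


def analyze(records, own_host, baseline_rps, expensive_path="/search.php"):
    """Findings keyed by indicator.  Thresholds are illustrative assumptions."""
    findings = {}
    rps = requests_per_second(records)
    if rps >= 5 * baseline_rps:
        findings["rps_spike"] = rps
    if get_slash_share(records) >= 0.5:
        findings["get_slash_flood"] = get_slash_share(records)
    if outbound_ratio(records) >= 20:
        findings["large_data_fetching"] = outbound_ratio(records)
    if cache_bypass_share(records) >= 0.5:
        findings["cache_bypass"] = cache_bypass_share(records)
    foreign = foreign_referers(records, expensive_path, own_host)
    if foreign and foreign.most_common(1)[0][1] >= 50:
        findings["reflection"] = foreign.most_common(1)[0]
    return findings


# Constructed samples (assumptions, not real traffic) -----------------------
def _line(ts, src, path, bytes_in, bytes_out, referer="", cache_control=""):
    return f'{ts} {src} "GET {path}" 200 {bytes_in} {bytes_out} "{referer}" "{cache_control}"'


NORMAL = [_line(1000 + i, f"203.0.113.{i % 10}", "/news", 400, 2000, "http://www.example.com/")
          for i in range(100)]                                   # 1 RPS, 1:5 ratio
GET_SLASH_FLOOD = [_line(2000 + i // 20, f"198.51.100.{i % 20}", "/", 400, 2000)
                   for i in range(200)]                          # 20 RPS of "GET /"
IMAGE_FETCH = [_line(3000 + i // 5, f"198.51.100.{i % 5}", "/images/large-image.jpg", 300, 9000)
               for i in range(50)]                               # 1:30 ratio
CACHE_BYPASS = [_line(4000 + i // 10, f"198.51.100.{i % 10}", "/news", 400, 2000, "",
                      "no-store, must-revalidate") for i in range(100)]
REFLECTION = [_line(5000 + i // 8, f"192.0.2.{i % 80}", "/search.php?q=expensive", 400, 2000,
                    "http://site-a.example/") for i in range(80)]  # 80 visitors of site A

if __name__ == "__main__":
    for name, lines in (("NORMAL", NORMAL), ("GET_SLASH_FLOOD", GET_SLASH_FLOOD),
                        ("IMAGE_FETCH", IMAGE_FETCH), ("CACHE_BYPASS", CACHE_BYPASS),
                        ("REFLECTION", REFLECTION)):
        print(name, analyze(parse(lines), "www.example.com", baseline_rps=1.0))
```

The baseline RPS and byte ratio should come from the site's own history (the deck's 1:5 figure is one site's normal), and the Referer check only works while the browsers sending the reflected requests still include one; a Referrer-Policy on site A, or an iframe source without a referrer, removes that signal and leaves only the concentration of hits on the expensive endpoint.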

Page 16

Blended Attacks

Observed mix:
• SYN Flood (16K PPS)
• PSH+ACK Flood (14.6K PPS)
• UDP Flood (18.4 Mbps)

Motivation
• “Shitat Matsliach” (Hebrew for “the method that works”: throw everything and see what sticks)
• Mitigation systems don’t handle several simultaneous attacks well

Characterization
• Several attack vectors at once

Identification
• Hard to identify; requires careful analysis

Page 17

SUMMARY

Page 18

Summary

• DOS attacks are becoming more application oriented

• Attackers constantly raise the bar

• When handling a DOS attack, careful identification and characterization of the attack is the key to successful mitigation

Page 19

Q & A