Real Life Application DOS Attacks
Ziv Gadot,Radware
Slide 2
Agenda
• Short Introduction to DOS Attacks
• Real Life DOS Attacks Review
• Q & A
DOS Typology
                       Single Packet DOS           Multi-Packet DOS (Floods)
Based on               Software vulnerability      Saturation (network, service)
Attacker's resource    Single host                 Computer network, botnet
Cure                   Patch                       Anti-DOS products/services
Slide 3
DOS Typology (Cont)
Slide 4
[Chart: attacks placed along an axis from "Few Packets Attacks" (about 20 RPS: Slowloris, Sockstress, ReDoS) to "Numerous Packets Attacks" (100-500 K PPS: SYN Flood, ICMP Flood, HTTP Floods); further labels on the chart: "Application Level", "Design Weakness", "Lecture Scope"]
Slide 5
Multi Packet DOS Attacks
Web Attacks
Real life Attacks (seen by us)
• SYN Flood
• 3-Way-Handshake Flood
• Connection Saturation Attack
• GET Slash Flood
• Image Fetching
• Caching Bypass
• Web Reflection Attack
• Blended Attacks
• Sockstress
• Slowloris
• ReDoS
• SMTP Attacks
• DNS Attacks
• SIP Attacks
Goals
• Knowing the enemy (as it actually is)
• Once an attack is fully identified and characterized it becomes much easier to mitigate
Slide 6
DOS ATTACKS
SYN Attack
Slide 8
[Diagram: SYN sent to the server, SYN+ACK returned]
Motivation
• Simple yet effective
• SRC IP is spoofed (Attacker’s IP is not compromised, difficult to block)
• Botnet power challenges the capacity of existing protections
Characterization
• From 1K PPS up to 1M PPS and more
Identification
• TCP Flag Distribution
3-Way-Handshake Flood
Slide 9
Motivation
• Evade SYN attack protections
• Attacks a different resource (application)
Characterization
• 27K PPS
Identification
• TCP Flag distribution
• SRC IP is not spoofed
[Diagram: full handshake SYN, SYN+ACK, ACK followed by FIN, repeated at 27K PPS]
Slow Connection Saturation Flood
Slide 10
[Diagram: SYN, SYN+ACK, ACK, then repeated Keep alive messages holding the connection open]
Motivation
• Exhausting the maximum number of sessions a system can hold
• Evade classic protections
Characterization
• Very slow rate (of opening new connections)
Identification
• Numerous on-going connections from a single IP
GET Slash Flood
Slide 11
Motivation
• Application level attack
• Very simple
Characterization
• Lower rate than L3-L4 attacks
• 2K RPS
Identification
• Increase in HTTP RPS
• Increase in users or in RPS per user
• The “GET /” is very noticeable
Large Image/Data Fetching
Slide 12
Motivation
• Small request generates a large reply (and labor)
Characterization
• Fetching a rich page which triggers the pulling of large data
Identification
• Change in inbound/outbound traffic rate (L2 bps)
  Normal: 1:5
  Attack: 1:30
[Diagram: request for /images/large-image.jpg, large reply, cache]
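The two identification cues above (TCP flag distribution for the SYN attack on slide 8, and the inbound:outbound byte ratio with the normal 1:5 / attack 1:30 figures on slide 12) can be computed from packet records. The following is an added example, not code from the presentation or from Radware; the packet records are constructed, and the 0.6 SYN-share threshold is an assumption, as the deck gives no number for it.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    direction: str   # "in" = toward the protected server, "out" = sent by it
    flags: str       # TCP flags as letters: S=SYN, A=ACK, P=PSH, F=FIN
    length: int      # bytes on the wire


def flag_distribution(packets):
    """Share of each inbound TCP flag combination (the deck's 'TCP flag distribution')."""
    inbound = [p.flags for p in packets if p.direction == "in"]
    return {f: n / len(inbound) for f, n in Counter(inbound).items()}


def out_per_in_bytes(packets):
    """Outbound bytes per inbound byte: the N in the deck's 1:N inbound:outbound ratio."""
    in_bytes = sum(p.length for p in packets if p.direction == "in")
    out_bytes = sum(p.length for p in packets if p.direction == "out")
    return out_bytes / in_bytes if in_bytes else float("inf")


def classify(packets, syn_share=0.6, ratio=30.0):
    """Apply both cues. 30.0 is the deck's 'attack 1:30'; 0.6 is an assumed SYN share."""
    verdicts = []
    if flag_distribution(packets).get("S", 0.0) >= syn_share:
        verdicts.append("syn-flood")
    if out_per_in_bytes(packets) >= ratio:
        verdicts.append("large-data-fetch")
    return verdicts or ["normal"]


def _session(reply_bytes):
    """Constructed sample: handshake, one GET, a reply of reply_bytes, FIN exchange."""
    return [Packet("in", "S", 60), Packet("out", "SA", 60), Packet("in", "A", 52),
            Packet("in", "PA", 300), Packet("out", "PA", reply_bytes),
            Packet("in", "FA", 52), Packet("out", "FA", 52)]


# Constructed traffic samples (not real captures)
NORMAL = [p for _ in range(10) for p in _session(1500)]          # about 1:3.5 in:out
SYN_FLOOD = NORMAL + [Packet("in", "S", 60) for _ in range(500)]  # bare SYNs, no handshakes
IMAGE_FETCH = [p for _ in range(10) for p in _session(20000)]     # small GET, about 1:43 reply

if __name__ == "__main__":
    for name, sample in [("normal", NORMAL), ("syn flood", SYN_FLOOD), ("image fetch", IMAGE_FETCH)]:
        print(f"{name:12s} S-share={flag_distribution(sample).get('S', 0):.2f} "
              f"out/in={out_per_in_bytes(sample):.1f} -> {classify(sample)}")
```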
Caching Bypass
Slide 13
[Diagram: Website, Cache; the request carries "GET …. HTTP/1.1 …. Cache-Control: no-store, must-revalidate …."]
Motivation
• Force all impact onto the web server
Characterization
• Cache-Control directive used to override caching
Identification
• Appropriate ‘Cache-Control’ values
Reflection Attack
Slide 14
[Diagram: Attacker, Website A, Website B (Victim), HTTP GET]
Slide 15
[Diagram: iframe, width=1, height=1, pointing at search.php]
Blended Attacks
Slide 16
• SYN Flood (16K PPS)
• PSH+ACK Flood (14.6K PPS)
• UDP Flood (18.4 Mbps)
Motivation
• “Shitat Matsliach” (Hebrew slang for the “try everything and see what works” approach)
• Mitigation systems don’t handle several attacks at once well
Characterization
• Blended attacks
Identification
• Hard to identify, requires careful analysis
SUMMARY
Summary
• DOS attacks are becoming more application oriented
• Attackers constantly raise the bar
• When handling a DOS attack, its careful identification and characterization is the key to successful mitigation
Slide 18
Q & A