Universal DDoS Mitigation Bypass
Transcription
Universal DDoS Mitigation Bypass
Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. DDoS Mitigation Lab Independent academic R&D division of Nexusguard building next generation DDoS mitigation knowledge and collaborate with the defense community. Outline • DDoS Attack Categories • DDoS Detection and Mitigation Techniques – How they work? – How to bypass / take advantage? • DDoS Mitigation Bypass – How to use our PoC tool? – PoC tool capability • Next-Generation Mitigation Financial Impact Source: NTT Communications, “Successfully Combating DDoS Attacks”, Aug 2012 Volumetric Attacks • Packet-Rate-Based • Bit-Rate-Based Semantic Attacks API attacks Hash DoS Apache Killer Teardrop (old textbook example) Slowloris / RUDY SYN Flood (old textbook example) Smurf (old textbook example) Blended Attacks Attack Quadrant Volume xxx Gbps+ xxx Mbps+ Simple Complexity Sophisticated DDoS Mitigations Volume xxx Gbps+ Black- / Whitelisting Traffic Policing Proactive Resource Release xxx Mbps+ Simple Complexity Sophisticated DDoS Mitigation: Traffic Policing Source: Cisco DDoS Mitigation: Proactive Resource Release 3. Detect idle / slow TCP connections RST 2. TCP connection pool starved 4. Close idle / slow TCP connections With RST Example: Slowloris Attack 1. Open lots of TCP connections DDoS Mitigation: Black- / Whitelisting Src: 1.2.3.4 1.2.3.4 5.6.7.8 Black List (dropped) B Src: 3.4.5.6 5.6.7.8 3.4.5.6 6.7.8.9 White List = free pass (for awhile / for x amount of volume) Backend DDoS Mitigation: Source Isolation AS AS AS Source: http://www.cs.duke.edu/nds/ddos/ DDoS Solution: Secure CDN Backend 3: return 2: redirect to nearest server 1: request End User 4: bypass distribution, attack backend! DDoS Detection xxx Gbps+ Rate Measurement (SNMP) Volume Baselining (Netflow) Big Data Analysis Protocol Sanity (PCAP) Protocol Behavior (PCAP) Application (SYSLOG) xxx Mbps+ Simple Complexity Sophisticated Rate- / Flow-Based Countermeasures Detection Mitigation Protocol-Based Countermeasures Detection Mitigation Blanket Countermeasures Detection Mitigation Traffic Statistics and Behavior Big Data Analysis Source Host Verification Source Host Verification • • • • • TCP SYN Auth HTTP Redirect Auth HTTP Cookie Auth JavaScript Auth CAPTCHA Auth PoC Tool PoC Tool Strengths • • • • • • True TCP/IP behavior (RST, resend, etc.) Believable HTTP headers (User-Agent strings, etc.) Embedded JavaScript engine CAPTCHA solving capability Randomized payload Tunable post-authentication traffic model PoC Tool: Authentication Bypass TCP SYN Auth (TCP Reset) SYN SYN ACK ACK RST SYN SYN ACK ACK TCP SYN Auth (TCP Out-of-Sequence) SYN SYN ACK RST SYN SYN ACK ACK HTTP Redirect Auth GET /index.html HTTP 302 redir to GET /foo/index.html /foo/index.html HTTP 302 redir to GET /index.html /index.html HTTP Cookie Auth GET HTTP 302 redir to GET HTTP 302 redir to GET /index.html /index.html /index.html /index.html /index.html HTTP Cookie Auth (Header Token) GET HTTP 302 redir to /index.html [X-Header: foo=bar] /index.html [X-Header: foo=bar] GET HTTP 302 redir to /index.html [X-Header: foo=bar] /index.html [X-Header: foo=bar] GET /index.html [X-Header: foo=bar] GET /index.html JavaScript Auth GET /index.html JS ans=16 POST /auth.php HTTP 302 redir to GET 7+nine=? /index.html /index.html CAPTCHA Auth GET POST /index.html /auth.php HTTP 302 redir to GET /index.html /index.html CAPTCHA Pwnage PoC Tool: TCP Traffic Model TCP Traffic Model Number of Connections Connection Hold Time Before 1st Request Connection Idle Timeout After Last Request TCP Connection TCP Connection TCP Connection Connections Interval Connections Interval PoC Tool: HTTP Traffic Model HTTP Traffic Model Number of Requests per Connection TCP Connection HTTP Connection HTTP Connection HTTP Connection HTTP Connection Requests Interval Requests Interval Requests Interval PoC Tool Design • 3 tries per authentication attempt (in practice more likely to success) • True TCP/IP behavior thru use of OS TCP/IP stack • Auth cookies persist during subsequent dialogues • JavaScript execution using embedded JS engine (lack of complete DOM an obstacle to full emulation) CAPTCHA Bypass Design 1. 2. 3. 4. 5. Converted to black-and-white for max contrast 3x3 median filter applied for denoising Word segmentation Boundary recognition Pixel difference computed against character map PoC Tool in Action Testing Environment Against Devices Against Services Measure Attack Traffic Measure Attack Traffic Mitigation Bypass (Protection Products) Auth Bypass Post-Auth Proactive Resource Release Testing results under specific conditions, valid as of Jul 13, 2013 Mitigation Bypass (Protection Services) Auth Bypass Post-Auth Proactive Resource Release Testing results under specific conditions, valid as of Jul 13, 2013 Next-Generation Mitigation • Client Puzzle – add cost to individual zombies. Conclusion • DDoS is expensive to business • Existing DDoS protection insufficient • Next-Generation solution should make attack expensive Thank You! [email protected] [email protected] [email protected] http://www.ntisac.org
Similar documents
Marc Lampo - Principal Security Consultant
DDOS what? “A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users.” (Source: wikipedia)
More informationShut the Front Door (and the Back Door too)
Cybercrime Trends – BGP Hijacking • This occurs when an unauthorized AS announces IP Prefixes that they do NOT own via BGP – Sometimes happens accidentally – Often happens on purpose • Turkey hija...
More information