Akamai Confidential Web targeted DDoS attack: trends, tools and tactics Christiaan Ehlers, Senior Service Consultant – Akamai Technologies.

Presentation transcript:


Akamai Confidential ©2012 Akamai Faster Forward™
Anonymous Attack on the Home Office, 7th April 2012

DoS motivation
- Organized crime: profit
- Political hacktivism
- State sponsored
- Traditional hackers: glory hounds

Let's Hold up Somebody for Ransom (actual ransom note)
"Your site will be subjected to DDoS attacks 100 Gbit/s. Pay 100 btc (bitcoin) on the account 1ACFJHoB8Z3KDwDn6XdNTEJb6S7VsQiLZG. Do not reply to this."

Over 40X Increase in Traffic

A very brief introduction
DoS attacks have moved up the stack: from IP floods and SYN floods to application-level attacks. Attacks on the network and transport layers targeted the OS of the receiving machine. An attack on the application layer penetrates deeper into the infrastructure: the target is no longer just the firewall or proxy; the backend database can now be reached. Development and architecture are focused on securing against more classical hacking attacks, so DoS vulnerability takes a back seat.

DoS Vulnerability
If the target system spends a disproportionately larger amount of resources serving a response than the attacker spends sending the request, you potentially have a DoS vulnerability.

Target Areas
- Bandwidth
  - Inbound (sometimes difficult to exploit, but also difficult to protect)
  - Outbound
- Data access and processing (CPU, memory and disk access)
  - Database searches
  - Formatting, regular expressions, encoding, etc.
  - Cryptographic processing
- System limits
  - Registers, file handles, configured limits, etc. (slow attacks)
- Algorithmic or architectural inefficiencies

Brute Force Attacks
Usually aimed at bandwidth and data access and processing targets. They attempt to interfere with normal operation by consuming resources through sending large volumes of requests to the target. The traffic can look like normal browser traffic. The traffic volume required for an effective attack is determined by the capacity and overhead of the target system.

Algorithmic or architectural inefficiencies
ApacheKiller
- Apache prepares a memory space for each requested range in the "Range" header. If enough ranges are requested, it can exhaust the server's memory.
Hash table collision
- A hash table collision attack turns the problem of adding elements to a hash table from an O(n log n) problem into an O(n²) problem.
- Exploitation requires "abnormal" requests, so it is fairly easy to identify, block and fix.
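The "abnormal request" point above applied to the Range header, as an added example that is not from the slides or from Apache: a check that refuses requests asking for an abusive number of byte ranges, or for the same bytes twice. MAX_RANGES is an assumed policy value.

```python
import re

# Added example (not from the slides): refuse Range headers that ask for an
# abusive number of byte ranges, the same idea as the fix Apache shipped for
# the ApacheKiller issue. MAX_RANGES is an assumed policy value.
MAX_RANGES = 5

RANGE_RE = re.compile(r"^bytes=(.*)$")


def parse_ranges(header):
    """Return a list of (start, end) tuples; None marks an open end.
    Raises ValueError on a malformed header."""
    m = RANGE_RE.match(header.strip())
    if not m:
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if not spec:
            continue
        start, sep, end = spec.partition("-")
        if not sep:
            raise ValueError("bad range spec: %r" % spec)
        ranges.append((int(start) if start else None, int(end) if end else None))
    return ranges


def range_header_ok(header, max_ranges=MAX_RANGES):
    """Decide whether a Range header should be honoured; returns (ok, reason).
    A rejected request is served whole or refused, never expanded into ranges."""
    if header is None:
        return True, "no range header"
    try:
        ranges = parse_ranges(header)
    except ValueError as exc:
        return False, "malformed: %s" % exc
    if len(ranges) > max_ranges:
        return False, "%d ranges exceeds limit of %d" % (len(ranges), max_ranges)
    # A client resuming a download never asks for the same bytes twice, so a
    # duplicate range is a second sign of abuse even below the count limit.
    if len(set(ranges)) != len(ranges):
        return False, "duplicate range"
    return True, "%d ranges" % len(ranges)


# Constructed sample headers: a normal download resume and a 1000-range request.
NORMAL = "bytes=0-1023"
ABUSIVE = "bytes=" + ",".join("%d-%d" % (i, i + 1) for i in range(0, 2000, 2))
```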

Attack distribution
Single origin DoS attack
- Fewer resources available
- Potentially easier to block
- Attacker has no synchronization or management problems
Distributed DoS
- More resources available
- Difficult to block
- Attackers have a synchronization and management problem
- Bot-net command and control centers
- Opt-in networks (Thrall-Net)

Attack Tools
Common opt-in attack tools
- LOIC: Low Orbit Ion Cannon
- HOIC: High Orbit Ion Cannon
Slow attack tools
- Slowloris
- RUDY: R U Dead Yet

LOIC
- Java versions that can be browsed to, no need to install software
- IRC interface for coordination
- Easy interface
- Multithreaded
- One type of request per session
- Not very configurable
- Easy to detect

HOIC
- Easy to use interface
- Booster packs to randomise various HTTP headers and target URLs
- Multi-threaded
- Rate throttling

HOIC booster pack

Dim useragents() as String
Dim referers() as String
dim randheaders() as string
Dim randURLs() as string
// populate rotating urls
// By Nathos, don't use to many threads or you may nuke yourself.
// IF YOU WANT TO IMPROVE THE ATTACK, ADD URLS BELONGING TO THIS DOMAIN OR RELATED SUBDOMAINS!!! PRO-TIP: You should create a new target and .HOIC file if u want to attack a different organization
randURLs.Append "
randURLs.Append "
randURLs.Append "
randURLs.Append "
randURLs.Append "
randURLs.Append "
randURLs.Append "
randURLs.Append "
randURLs.Append
// rotate out url
URL = randURLs(RndNumber(0, randURLs.UBound))
// EDIT THE FOLLOWING STRINGS TO MAKE YOUR OWN BOOST UNIQUE AND THEREFORE MORE EVASIVE!
useragents.Append "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv: ) Gecko/ Firefox/ "
useragents.Append "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
useragents.Append "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR ; .NET CLR ; .NET CLR )"
useragents.Append "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR )"

Booster pack features:
- randURLs.Append: attack random URLs
- useragents.Append: randomly selected User-Agents
- referers.Append: randomly selected Referer headers
- randheaders.Append: randomly selected header to append
- Makes it harder to separate attack traffic from legitimate traffic.
- Can be easily distributed since it is just a text file. Usually posted on
- Can be customised for a particular target

Slow Attacks
Tie up web server resources by sending requests very slowly.
Examples:
- Slowloris
- R U Dead Yet (RUDY)
A trickle feed of characters to the web server ensures that a connection is occupied for as long as possible. Is this an attack or just a client on dial-up? The Apache web server has a default of 256 concurrent connections.
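The "attack or dial-up client?" question above turned into a connection-table sweep, as an added example that is not from the slides: a header that never completes (Slowloris) and a body that trickles in (RUDY) are flagged, while a slow but genuine upload gets a grace period and a rate floor well below dial-up speed. The Conn record, thresholds and sample table are assumptions of this example.

```python
from dataclasses import dataclass

# Added example, not from the slides: sweep a server's connection table for
# connections behaving like Slowloris/RUDY clients. The thresholds are assumed
# policy values; a real server would apply them in its accept loop.
HEADER_TIMEOUT = 20.0   # seconds a client gets to finish request line + headers
MIN_BODY_RATE = 500.0   # bytes/second expected from an announced upload body
GRACE = 10.0            # seconds before a body rate is judged at all


@dataclass
class Conn:
    client: str
    opened_at: float
    last_byte_at: float
    header_done: bool
    body_bytes: int
    content_length: int   # 0 when the request announced no body


def should_drop(c, now):
    """Return a reason string if the connection should be closed, else None."""
    if not c.header_done:
        if now - c.opened_at > HEADER_TIMEOUT:
            return "headers incomplete after %.0fs" % (now - c.opened_at)
        return None
    if c.content_length and c.body_bytes < c.content_length:
        elapsed = now - c.opened_at
        rate = c.body_bytes / elapsed if elapsed > 0 else 0.0
        if elapsed > GRACE and rate < MIN_BODY_RATE:
            return "body trickling at %.0f B/s" % rate
    return None


def sweep(conns, now):
    """Map client -> reason for every connection the sweep would close."""
    verdicts = {}
    for c in conns:
        reason = should_drop(c, now)
        if reason:
            verdicts[c.client] = reason
    return verdicts


# Constructed sample connection table, evaluated at now = 60.0 seconds.
SAMPLE = [
    Conn("10.0.0.1", 58.0, 59.5, False, 0, 0),               # just arrived, fine
    Conn("10.0.0.2", 5.0, 59.0, False, 0, 0),                # Slowloris: headers never end
    Conn("10.0.0.3", 0.0, 59.8, True, 300, 1_000_000),       # RUDY: 1 MB POST at 5 B/s
    Conn("10.0.0.4", 30.0, 59.9, True, 900_000, 1_000_000),  # genuine upload, healthy rate
    Conn("10.0.0.5", 55.0, 56.0, True, 0, 0),                # GET, no body, nothing to judge
]
```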

Hardening against DoS – tactic 1
Avoid resource-intensive processing:
- Optimize processing and data retrieval processes.
- Cache processing and data retrieval operations.
  - Cache the results of resource-intensive processing: DB -> disk -> memory.
  - Use reverse web caches.

Hardening against DoS – tactic 2
If you are going to work hard to generate the response, make sure the client works hard to generate the request!
- Protect resource-intensive operations behind authentication.
- User and user agent validation: challenge-response tests to prove it's a human or a browser:
  - CAPTCHA to prove you are dealing with a human
  - JavaScript or Flash challenges to prove that you are dealing with a browser
- Session management
  - Issue and rotate session management cookies
- URL tokens
The list goes on, but how appropriate are the mechanisms?
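The "issue and rotate a token" mechanism above, as an added example that is not from the slides: an HMAC-signed token the client receives after passing a cheap challenge (the CAPTCHA or JavaScript test itself is outside this snippet) and must present before the expensive operation runs. The secret, the 300-second rotation interval and the binding to the User-Agent are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Added example, not from the slides: a signed challenge token gating an
# expensive operation. SECRET, TTL and the User-Agent binding are assumptions.
SECRET = secrets.token_bytes(32)   # per-deployment secret in practice
TTL = 300                          # seconds before a token must be rotated
TAG_LEN = 16


def _ua_hash(user_agent):
    return hashlib.sha256(user_agent.encode()).hexdigest()[:16]


def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()[:TAG_LEN]


def issue_token(user_agent, now=None):
    """Issued only after the client passed the cheap challenge."""
    now = int(now if now is not None else time.time())
    payload = ("%d:%s:%s" % (now, secrets.token_hex(8), _ua_hash(user_agent))).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def check_token(token, user_agent, now=None):
    """Return (ok, reason); constant-time tag compare, then binding and age."""
    now = int(now if now is not None else time.time())
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception:
        return False, "undecodable"
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _sign(payload)):
        return False, "bad signature"
    issued, _nonce, ua_hash = payload.decode().split(":")
    if ua_hash != _ua_hash(user_agent):
        return False, "user agent mismatch"
    if now - int(issued) > TTL:
        return False, "expired, rotate"
    return True, "ok"


def expensive_search(query, token, user_agent, now=None):
    """No valid token means the client gets a cheap challenge, not a search."""
    ok, reason = check_token(token or "", user_agent, now)
    if not ok:
        return {"challenge": True, "reason": reason}
    return {"challenge": False, "results": "results for %r" % query}
```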

Additional Mitigation (is hardening enough?)
Mitigation devices such as scrubbers or WAF devices.
How do we separate the good from the bad?
- Signatures
- Rate limiting
- Anomaly detection
Where does the mitigation go?
- At the origin
- In the cloud
Which layer should be inspected to sort the good from the bad?
- Transport (socket) and network layer
- Application layer: what about SSL?
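Two of the "good from bad" separators above, a signature and a sliding-window rate limit, run over access-log lines at the application layer, as an added example that is not from the slides or from any WAF product. The log format, window, limit and the constructed log lines are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not from the slides: per-client sliding-window rate limiting
# plus a simple signature check over combined-format access-log lines.
# WINDOW, LIMIT and the sample lines are assumptions of this example.
WINDOW = timedelta(seconds=10)
LIMIT = 5   # requests per client per window before it is flagged

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" \d+ \d+ "[^"]*" "([^"]*)"$')


def parse_line(line):
    """Return (ip, timestamp, request, user_agent) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, ua = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), request, ua


def classify(lines, window=WINDOW, limit=LIMIT):
    """Return {ip: reason} for clients that should be rate limited or blocked."""
    recent = defaultdict(deque)   # per-client timestamps inside the window
    verdicts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t, _request, ua = rec
        if not ua:   # signature: a real browser always sends a User-Agent
            verdicts.setdefault(ip, "signature: empty User-Agent")
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) > limit:
            verdicts.setdefault(ip, "rate: %d requests in %ds" % (len(q), window.seconds))
    return verdicts


def log_line(ip, sec, path, ua="Mozilla/5.0"):
    """Build a constructed combined-format log line (sample data, not real traffic)."""
    return '%s - - [07/Apr/2012:10:00:%02d +0000] "GET %s HTTP/1.1" 200 512 "-" "%s"' % (
        ip, sec, path, ua)


SAMPLE_LOG = (
    [log_line("203.0.113.5", s, "/") for s in (1, 15, 30)]                  # normal browsing
    + [log_line("198.51.100.7", s, "/search?q=x") for s in (2, 2, 3, 3, 4, 5, 5)]  # flood
    + [log_line("192.0.2.9", 8, "/", ua="")]                                 # scripted client
)
```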

Questions?