BSidesDetroit2012 Tweaking to get away from SlowDOS Sergey Shekyan, Senior Software Engineer June 2nd, 2012.

Slides:



Advertisements
Similar presentations
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
Advertisements

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
CCNA – Network Fundamentals
Transmission Control Protocol (TCP)
1 Reading Log Files. 2 Segment Format
BZUPAGES.COM 1 User Datagram Protocol - UDP RFC 768, Protocol 17 Provides unreliable, connectionless on top of IP Minimal overhead, high performance –No.
Copyright 1999, S.D. Personick. All Rights Reserved. Telecommunications Networking II Lecture 32 Transmission Control Protocol (TCP) Ref: Tanenbaum pp:
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Hypertext Transfer Protocol Kyle Roth Mark Hoover.
1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
Lecture 15 Denial of Service Attacks
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Process-to-Process Delivery:
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
TRANSPORT LAYER T.Najah Al-Subaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.
1 Chapter Internetworking Part 4 (Transport Protocols, UDP and TCP, Protocol Port Numbers)
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as .
1 Transport Layer Computer Networks. 2 Where are we?
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
Chapter 6: Packet Filtering
Universal HTTP Denial-of-Service. About Hybrid Creating web-business-logic security Doing cool stuff in AI research Optimizing acceptance rate for Web-bound.
1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen
© Janice Regan, CMPT 128, Jan 2007 CMPT 371 Data Communications and Networking Introducing the Application Layer 0.
HTTP HTTP stands for Hypertext Transfer Protocol. It is an TCP/IP based communication protocol which is used to deliver virtually all files and other.
--Harish Reddy Vemula Distributed Denial of Service.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
TCP : Transmission Control Protocol Computer Network System Sirak Kaewjamnong.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 2.5 Internetworking Chapter 25 (Transport Protocols, UDP and TCP, Protocol Port Numbers)
Transmission Control Protocol TCP. Transport layer function.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
Copyright 2002, S.D. Personick. All Rights Reserved.1 Telecommunications Networking II Topic 20 Transmission Control Protocol (TCP) Ref: Tanenbaum pp:
TCP1 Transmission Control Protocol (TCP). TCP2 Outline Transmission Control Protocol.
1 TCP: Reliable Transport Service. 2 Transmission Control Protocol (TCP) Major transport protocol used in Internet Heavily used Completely reliable transfer.
Denial of Service Sharmistha Roy Adversarial challenges in Web Based Services.
Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.
Networking Basics CCNA 1 Chapter 11.
Denial of Service DoS attacks try to deny legimate users access to services, networks, systems or to other resources. There are DoS tools available, thus.
2: Application Layer 1 Chapter 2: Application layer r 2.1 Principles of network applications  app architectures  app requirements r 2.2 Web and HTTP.
CITA 310 Section 2 HTTP (Selected Topics from Textbook Chapter 6)
Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF
DoS/DDoS attack and defense
TCP continued. Discussion – TCP Throughput TCP will most likely generate the saw tooth type of traffic. – A rough estimate is that the congestion window.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
Data Communications and Computer Networks Chapter 2 CS 3830 Lecture 7 Omar Meqdadi Department of Computer Science and Software Engineering University of.
Computer Network Architecture Lecture 6: OSI Model Layers Examples 1 20/12/2012.
© 2002, Cisco Systems, Inc. All rights reserved..
1 Computer Communication & Networks Lecture 23 & 24 Transport Layer: UDP and TCP Waleed Ejaz
McGraw-Hill Chapter 23 Process-to-Process Delivery: UDP, TCP Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Week 11: Application Layer 1 Web and HTTP r Web page consists of objects r Object can be HTML file, JPEG image, Java applet, audio file,… r Web page consists.
TCP/IP1 Address Resolution Protocol Internet uses IP address to recognize a computer. But IP address needs to be translated to physical address (NIC).
Denial of Service A comparison of DoS schemes Kevin LaMantia COSC 316.
Computer Networks 1000-Transport layer, TCP Gergely Windisch v spring.
1 Chapter 24 Internetworking Part 4 (Transport Protocols, UDP and TCP, Protocol Port Numbers)
Tiny http client and server
DDoS Attacks on Financial Institutions Presentation
WWW and HTTP King Fahd University of Petroleum & Minerals
Internet transport protocols services
06- Transport Layer Transport Layer.
Introduction to Networking
TCP Transport layer Er. Vikram Dhiman LPU.
Process-to-Process Delivery:
Process-to-Process Delivery: UDP, TCP
Transport Layer 9/22/2019.
Presentation transcript:

BSidesDetroit2012 Tweaking to get away from SlowDOS Sergey Shekyan, Senior Software Engineer June 2nd, 2012

2 BSIDES DETROIT 2012 Denial of Service Attacks 2

3 BSIDES DETROIT 2012 Types of attack  There is a variety of forms aiming at a variety of services: −Traffic consuming attacks (DNS, firewall, router, load balancer, OS, etc.) −Application Layer attacks (web server, media server, mail server) 3

4 BSIDES DETROIT 2012 Network Layer attacks 4

5 BSIDES DETROIT 2012 Application Layer attacks 5

6 BSIDES DETROIT 2012 What is low-bandwidth attack? 6 Mbps/sec Seconds

7 BSIDES DETROIT 2012  DDoS attacks are affordable (from $5/hour)  DDoS attack is a great way to promote your start-up (attacks on Russian travel agencies are 5 times as frequent in high season)  Longest attack detected by Kaspersky DDos Prevention System in the second half of 2011 targeted a travel agency website and lasted 80 days 19 hours 13 minutes 05 seconds  Akamai reports DDoS attack incidents soar 2,000 percent in the past three years2,000 percent DDoS economics 7

8 BSIDES DETROIT 2012 Actual page from a forum offering DDoS services  We take projects with anti-DDoS  Wholesale discounts  We are clear against the law  Best quality-to-dollar ratio  $5/hour, $40/day, $260/week, $900/month 8

9 BSIDES DETROIT 2012 Same botnet operator offering menu:  HTTP GET flood  HTTP POST flood  Download flood  UDP flood  SYN flood 9

10 BSIDES DETROIT 2012 Application Layer DoS attacks  Slow HTTP headers attack (a.k.a. Slowloris)  Slow HTTP message body attack (a.k.a Slow Post)  Slow read HTTP attack (a.k.a. TCP Persist Timer exploit) 10

11 BSIDES DETROIT 2012 Demo time 11

12 BSIDES DETROIT 2012 What is common?  All mentioned attacks aim at draining the pool of concurrent connections (usually relatively small) 12

13 BSIDES DETROIT 2012 HyperText Transfer Protocol (HTTP) Message syntax −Per RFC 2616 − generic-message = start-line  *(message-header CRLF)  CRLF  [ message-body ]  start-line = Request-Line | Status-Line 13

14 BSIDES DETROIT 2012 HyperText Transfer Protocol (HTTP) Message example  GET /page.htm HTTP/1.1CRLF  Host:  Content-Length: 25CRLF  CRLF  Optional Message Body 14

15 BSIDES DETROIT 2012 Slowloris  Low bandwidth attack that sends HTTP requests with incomplete headers. Continues to send headers at regular intervals to keep the sockets active  First mentioned by Adrian Ilarion Ciobanu in 2007 and implemeted by Robert Hansen in 2009Adrian Ilarion Ciobanu 15

16 BSIDES DETROIT 2012 How slowloris works 16 GET / HTTP/1.1\r\n Host: vulnerable-server.com:80\r\n X-sadwqeq: dfg4t3\r\n X-4rete: fdsgvry\r\n X-egyr7j: 8ih\r\n 59 seconds later 59 seconds later 59 seconds later... ClientServer

17 BSIDES DETROIT 2012 Slow POST  Attack that sends HTTP requests with complete headers but incomplete message body. Continues to send data at regular intervals to keep the sockets active  Discovered by Wong Onn Chee and popularized by Tom Brennan in

18 BSIDES DETROIT 2012 How Slow POST works 18 POST / HTTP/1.1\r\nHost: vulnerable-server.com:80\r\n Content-Length: 4096\r\n Content-Type: application/x-www-form-urlencoded\r\n foo=bar\r\n &Owkuvj5=POaLLI\r\n &uWat9wGqrP4SxV=SN3q\r\n 59 seconds later 59 seconds later 59 seconds later... \r\n ClientServer

19 BSIDES DETROIT 2012 Slow Read  Attack that keeps server sockets busy by maliciously throttling down the receipt of large HTTP responses  Uses known Network Layer flaws to aim Application Layer  First mentioned by Outpost24 in sockstress. Implemented as part of nkiller2 by Fotis Hantzis, a.k.a. ithilgore in

20 BSIDES DETROIT 2012 Related TCP details   “Window size (16 bits) – the size of the receive window, which specifies the number of bytes (beyond the sequence number in the acknowledgment field) that the sender of this segment is currently willing to receive” – Wikipedia 20

21 BSIDES DETROIT 2012 How Slow Read works 21 Recv buffer Send buffer bigpage.html ClientServer GET bigpage.html HTTP/1.1\r\n Host: vulnerable-server.com:80\r\n\r\n BTW, my recv window is only 32 bytes HTTP/ OK\r\n Content-Length: \r\n Content-type: text/html\r\n\r\n message Kernel to app: I can send only 32 bytes now Got it, wait for now (ACK window 0) 90 Are you ready to receive more bytes? OK, give me another 32 bytes... b ig p a g e. h t m l

22 BSIDES DETROIT 2012 Prerequisites for successful Slow Read attack  The larger server response is - increasing the chances of prolonging the connection  make server generate a data stream that doesn't fully fit into socket's send buffer (65536 bytes is default on most Linux systems /proc/sys/net/ipv4/tcp_wmem, if server doesn't set its own value)  Request large resource by naturally finding it and/or amplifying the response size by using HTTP pipelining. Dynamic resources are welcome. 22 time

23 BSIDES DETROIT 2012 Why is Slow Read is different? Traditional (slowloris/slowpost) DoS  Customer stuck deciding what he wants  Makes an order  Pays  Takes the order  Next! 23 It is possible to identify and isolate slow client in his request state

24 BSIDES DETROIT 2012 Why Slow Read is different? Slow Read DoS  Makes an order for party of 50  Pays  Cannot take the entire order with him, makes several trips to the car.  Next! 24 it is quite late to do anything, as the request was already accepted and processed

25 BSIDES DETROIT 2012 Why is Slow Read is different?  Makes an order for party of 50  Pays  Cannot take the entire order with him, makes several trips to the car  Next! 25  Customer stuck deciding what he wants Makes an orderPays Takes the order Next!

26 BSIDES DETROIT 2012 Why is Slow Read is different? (continued)  Defense mechanisms expect the crushing fist of malice to appear in the request  Instead, the entire transaction should be monitored 26

27 BSIDES DETROIT 2012  There is a good chance that you are. Default configurations of nginx, lighttpd, IIS, Apache, Varnish cache proxy, Shoutcast streaming server - are vulnerable to at least one of the mentioned attacks Am I vulnerable? 27

28 BSIDES DETROIT 2012  Use available tools to simulate attacks. SlowHTTPTest covers all mentioned attacks and some more at  Check out soon to get access to your own whitehat botnet in the cloud  Use Qualys WAF or other firewalls that are supposed to protect, but test before you pay! What should I do? 28

29 BSIDES DETROIT 2012 Detection and Mitigation  Drop connections with abnormally small TCP advertised window(s)  Set an absolute connection timeout, if possible  Limit length, number of headers to accept  Limit max size of message body to accept  Drop connections with HTTP methods (verbs) not supported by the URL  Limit accepted header and message body to a minimal reasonable length  Define the minimum data rate, and drop connections that are slower than that rate 29

30 BSIDES DETROIT 2012 Detection and Mitigation continued  Qualys Web Application Scanner passively detects the slow attack vulnerabilities  ModSecurity v2.6 introduced a directive called SecWriteStateLimit that places a time limit on the concurrent number of threads (per IP address)SecWriteStateLimit  Snort is working on detecting connections with small TCP advertised window(s)  Christian Folini introduced Flying Frog script at 30

31 BSIDES DETROIT 2012 Example of misconfiguration  Even if the server is configured to handle tens of thousands of concurrent connections, the OS might still create a bottleneck by limiting the server by the number of open file descriptors 31

32 BSIDES DETROIT 2012 Are anti-DoS solutions going to help?  Have no idea, test yourself! 32

33 BSIDES DETROIT 2012 Who reacted first? TThose who really care - gamers! OOpen Transport Tycoon Deluxe found that by using a slow read type attack, it is possible to prevent anyone from joining a game server with virtually no resources. PPatches for all affected version where released within a week! 33

34 BSIDES DETROIT 2012 Summary  Even though the simpliest distributed DoS attacks are enough to knock down most web sites today, the nature of the attack will be sure to improve, and it’s better to be ready or, at least be aware of upcoming problems. 34

35 BSIDES DETROIT 2012 References  ModSecurity Advanced Topic of the Week: Mitigation of 'Slow Read" Denial of Service Attack  of-slow-read-denial-of-service-attack.html of-slow-read-denial-of-service-attack.html  DDoS attacks in H   The State of the Internet   Evaluation of slowhttptest against servers protected by CloudFlare   Blog posts on hardening web servers  35

Thank

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.