4. DoS Attacks
• Denial of Service
o Network resources
o Host resources
o Application resources
• Types
o ICMP Flood
• Smurf attack
• Ping flood
• Ping of death
o SYN Flood
• SYN – SYN/ACK… Wait. Where’s my ACK?
• Unending knock-knock joke
o Teardrop Attack
o Low and Slow
5. DDoS Attacks
• Distributed Denial of Service
o Simultaneous attacks from multiple sources
o Traditional countermeasures don’t work
• Examples
o Botnet downloads entire site, repeats ad nauseum
o Abuse SSL negotiation phase
6. Why Launch a DDoS Attack?
• Motive
o Extortion
o Revenge
o Hacktivism
o Unintentional (@feliciaday)
• Means
o Botnet
• Infected machines
• Voluntary (mobile devices?)
o Availability of tools
• Low Orbit Ion Cannon (LOIC) – TCP/UDP
• slowhttptest – HTTP
• Slowloris – HTTP
• Opportunity
o We’re talking about the INTERNET…
7. Preparation
• Technical: Defense-in-Depth
o Network
o Operating System
o Web/Application Server
o Application
• Procedural: Security Incident Response
o Policy
o Procedures
o Tabletop Exercises
8. Preparation – Network
Architecture
• Align with Cisco SAFE security reference
architecture
o Redundancy
• Deploy and tune tools
o Intrusion Prevention System (IPS)
o Security Information Event Management (SIEM)
o Bandwidth Monitoring and Management
o Anti-DDoS Hardware (*)
• Cisco Guard / PrevenTier (Rackspace)
• DOSarrest
• RioRey
• Evaluate IPv6 configurations
9. Preparation – Network
Router
• Enable Reverse Path Forwarding
o ip verify unicast reverse path
• Filter all RFC-1918 address spaces
o 10.0.0.0 - 10.255.255.255 (10/8 prefix)
o 169.254.0 – 169.254.255.255 (169.254/16 prefix)
o 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
o 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
• Network Ingress Filtering, per RFC-2827
o Drop forged packets
• Enforce rate limiting for ICMP and SYN packets
10. Preparation – Network
Firewall
• Deny private, illegal, and routable source IP’s
o 0.0.0.0
o 10.0.0.0-10.255.255.255
o 127.0.0.0
o 172.16.0.0-172.31.255.255
o 192.168.0.0-192.168.255.255
o 240.0.0.0
o 255.255.255.255
11. Preparation - Operating
System
• Harden the Host
o Center for Internet Security
o DISA STIG’s
• Defense Information Systems Agency Security Technical
Implementation Guides
o Vendor guides
• Patch
o Automate the process
o Trust, but verify
• Host Vulnerability Scans
o DoS vulnerabilities
12. Preparation – Apache on
Linux
• Advanced Policy Firewall (APF)
o iptables (netfilter)
• (D)DoS Deflate
o netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort
| uniq -c | sort –n
o Automatically block attacking IP’s
o Automatically unblock IP’s after x seconds
• Apache modules
o mod_evasive
o mod_security
13. Preparation – IIS on
Windows
• UrlScan
o Integrate with IIS
o Mitigate SQL injection attacks
o Restrict potentially malicious HTTP requests (web app firewall function)
• Dynamic IP Restrictions
o Requests over time
o Deny action
o Logging
14. Preparation - Application
• Third Party Services
o Akamai – Web Application Acceleration
o Prolexic – Pipe Cleaner
• Web App Firewall
o Hosted
o Cloud
• Load Balancers
o Take advantage of virtualization
• Baseline Your Performance
o Thresholds (Load Testing)
o Source IP reports
• Web Application Vulnerability Scan
o DoS vulnerabilities
o Vulnerable forms (CAPTCHA)
15. Mitigation - Network
• Log analysis
o Understand the attack
o netstat, awk, grep
• Contact your ISP
o Drop attacking traffic before it hits any of your resources
• Null route attackers
o Example: ip route 192.168.0.0 255.255.0.0 Null0
• Implement yourgeographic IP rules
o Deny all traffic from non-customer IP blocks
• Enable third party services/solutions
o Temporary
o Cost
16. Mitigation – Host and App
• Add additional servers
o Temporary (co$t)
o Again, take advantage of virtualization
• Tighten web app firewall rules
o Based on attack pattern
17. Contact Law Enforcement?
• Pros
o Prevent future attacks against your org
o Prevent future attacks against other orgs
• Cons
o Attack becomes public record
o Additional resources = time + money
• Decide in writing what action you will take before
an incident occurs.
18. Resources
• Denial of Service Attacks Explained
o CERT
• http://www.cert.org/tech_tips/denial_of_service.html
o Wikipedia
• http://en.wikipedia.org/wiki/Denial-of-service_attack
• RFC’s
o RFC-1918 – Address Allocation for Private Internets
• http://tools.ietf.org/html/rfc1918
o RFC-2827 – Network Ingress Filtering
• http://www.ietf.org/rfc/rfc2827.txt
• HardeningInformation
o Center for Internet Security
• http://www.cisecurity.org/
o Cisco SAFE
• http://www.cisco.com/en/US/netsol/ns954/index.html
o Country IP Blocks
• http://www.countryipblocks.net/
o DISA STIG’s
• http://iase.disa.mil/stigs/
o How to Protect Against Slow HTTP Attacks (via @Qualys)
• https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-
attacks
19. Resources (cont’d)
• Tools
o Low Orbit Ion Cannon
• http://sourceforge.net/projects/loic/
• Installed on your iPhone: http://www.youtube.com/watch?v=9VxA_DSflG0
o slowhttptest
• http://code.google.com/p/slowhttptest/
o Slowloris
• http://ha.ckers.org/slowloris/
o Advanced Policy Firewall (APF)
• http://www.rfxn.com/projects/advanced-policy-firewall/
o (D)DoS Deflate
• http://deflate.medialayer.com/
o UrlScan
• http://technet.microsoft.com/en-us/security/cc242650
o Dynamic IP Restrictions
• http://www.iis.net/download/DynamicIPRestrictions
• Apache Modules
o Mod_evasive
• http://www.topwebhosts.org/articles/mod_evasive.php
o Mod_security
• http://www.topwebhosts.org/articles/mod_security.php