SlideShare ist ein Scribd-Unternehmen logo

Layer 7 ddos

F
fangjiafu
Technologie
1 von 31
Downloaden Sie, um offline zu lesen
H.....t.....t....p....p....o....s....t Wong Onn Chee OWASP Singapore Lead ocwong@usa.net Tom Brennan OWASP Foundation OWASP AppSec tomb@owasp.org DC 2010 Copyright © The OWASP Foundation 11 Nov 2010 Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
Agenda Introduction to Layer 7 DDOS attacks Different types of Layer 7 DDOS web attacks Analysis of HTTP POST DDOS attack Demo OWASP 2
First, there was Layer 4 DDOS...... Past DDOS attacks were mainly Layer 4 (TCP) attacks. OWASP 3
Layer 4 DDOS attacks Reach bandwidth or connection limits of hosts or networking equipment. Fortunately, current anti-DDOS solutions are effective in handling Layer 4 DDOS attacks. OWASP 4
Then, there were Layer 7 DDOS attacks Operates at the application protocol level (OSI Layer 7). Eg. HTTP(S), SMTP, FTP and etc. OWASP 5
Effectiveness of Layer 7 DDOS attacks Legitimate TCP or UDP connections. Difficult to differentiate from legitimate users => higher obscurity. Requires lesser number of connections => higher efficiency. Reach resource limits of services. Can deny services regardless of hardware capabilities of host => higher lethality. OWASP 6
Agenda Introduction to Layer 7 DDOS attacks Different types of Layer 7 DDOS web attacks Analysis of HTTP POST DDOS attack Demo OWASP 7
Types of Layer 7 DDOS web attacks Excludes causes related to stupid or inefficient codes. (Yes! You can DOS yourself) We will focus on protocol weaknesses of HTTP or HTTPS. HTTP GET => Michal Zalewski, Adrian Ilarion Ciobanu, RSnake (Slowloris) HTTP POST => Wong Onn Chee OWASP 8
HTTP GET DDOS attack First highlighted by Michal Zalewski and Adrian Ilarion Ciobanu in 2007 http://www.securityfocus.com/archive/1/456339/30/0/threaded Popularized in 2009 by Rsnake with the free tool, Slowloris. Slowloris used time-delayed HTTP headers to hold on to HTTP connections and exhaust web server threads or resources. Can evade Layer 4 DDOS protection systems. More info can be found at http://ha.ckers.org/blog/20090617/slowloris-http-dos/ OWASP 9
HTTP GET DDOS attack Apache Foundation disagreed this is a bug and had no plans to “fix it”. To AF, waiting for the HTTP headers to complete sending is a basic and inherent behavior of web servers. Microsoft IIS imposes a timeout for HTTP headers to be sent. Any HTTP connection which exceeds the headers timeout will be closed, hence rendering HTTP GET attacks ineffective against IIS web servers. OWASP 1 0
Limitations of HTTP GET DDOS attack Does not work on IIS web servers or web servers with timeout limits for HTTP headers. Easily defensible using popular load balancers, such as F5 and Cisco, reverse proxies and certain Apache modules, such as mod_antiloris. Anti-DDOS systems may use “delayed binding”/“TCP Splicing” to defend against HTTP GET attacks. OWASP 11
Agenda Introduction to Layer 7 DDOS attacks Different types of Layer 7 DDOS web attacks Analysis of HTTP POST DDOS attack Demo OWASP 1 2
HTTP POST DDOS attack First discovered in Sep 2009 by Wong Onn Chee and his team. Escalated to Microsoft and AF in Q1 2010. Both interpreted this to be a protocol bug. Apache: “What you described is a known attribute (read: flaw) of the HTTP protocol over TCP/IP. The Apache HTTP project declines to treat this expected use-case as a vulnerability in the software.” MS: “While we recognize this is an issue, this issue does not meet our bar for the release of a security update. We will continue to track this issue and the changes I mentioned above for release in a future service pack.” OWASP 1 3
How HTTP POST DDOS attack works (HTTP/1.0) Uses HTTP POST requests, instead of HTTP GET which is used by Slowloris. “A POST request includes a message body in addition to a URL used to specify information for the action being performed. This body can use any encoding, but when webpages send POST requests from an HTML form element the Internet media type is "application/x-www-form- urlencoded". (source: Wikipedia - “POST (HTTP)”)” OWASP 1 4
How HTTP POST DDOS attack works (HTTP/1.0) (cont'd) The field “Content-Length” in the HTTP Header tells the web server how large the message body is, for e.g., “Content-Length = 1000” The HTTP Header portion is complete and sent in full to the web server, hence bypassing IIS inherent protection. OWASP 1 5
How HTTP POST DDOS attack works (HTTP/1.0) (cont'd) For e.g., Content-Length = 1000 (bytes) The HTTP message body is properly URL- encoded, but ...... .....is sent at, again for e.g., 1 byte per 110 seconds. Multiply such connections by 20,000 and your IIS web server will be DDOS. Most web servers can accept up to 2GB worth of content in a single HTTP POST request. OWASP 1 6
Sample code to simulate HTTP POST DDOS attack (HTTP/1.0) private String getRequestHeader() { String requestHeader = ""; requestHeader += param.getMethod() + " " + param.getUrl() + " HTTP/1.1rn"; requestHeader += Construction of legitimate "Host: " + param.getHost() + "rn" headers + "User-Agent: " + httpUserAgent + "rn" + "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn" + "Accept-Language: en-us,en;q=0.5rn" + "Accept-Encoding: gzip,deflatern" + "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7rn" if (param.getContentLength() > 0) { Random values for requestHeader += "Connection: keep-alivern"; Content-Length header requestHeader += "Keep-Alive: 900rn"; requestHeader += "Content-Length: " + param.getContentLength() + "rn"; requestHeader += "rn"; } return requestHeader; } OWASP 1 7
Sample code to simulate HTTP POST DDOS attack (HTTP/1.0) Get random data --> public static byte getRandomByte() { Byte randomness int character = gen.nextInt(); return (byte) character; } Send random data --> public void sendXHeader() throws IOException { StringBuffer header1 = new StringBuffer(); StringBuffer header2 = new StringBuffer(); Time interval randomness int lengthOfXA = param.getRandomLengthOfXA(); int lengthOfXB = param.getRandomLengthOfXB(); for (int i=0 ; i<lengthOfXA ; i++) { header1.append(Misc.getRandomByte()); } OWASP 1 8
Sample code to simulate HTTP POST DDOS attack (HTTP/1.0) for (int i=0 ; i<lengthOfXB ; i++) { header2.append(Misc.getRandomByte()); } socket.getOutputStream().write(("X-" + header1.toString() + ": " + header2.toString() + "rn").getBytes()); socket.getOutputStream().flush(); } Sends the payload public void sendPOSTBodyRandomByte() throws IOException { socket.getOutputStream().write(Misc.getRandomByte()); socket.getOutputStream().flush(); } OWASP 1 9
Why HTTP POST DDOS attack works Being “kind” folks (like all of you), web servers will “obey” the “Content-Length” field to wait for the remaining message body to be sent. By waiting for the complete message body to be sent, web servers can support users with slow or intermittent connections. Hence, any website which has forms, i.e. accepts HTTP POST requests, is susceptible to such attacks. Common uses of HTTP POST requests: login, uploading photo/video, sending webmail / attachments, submitting feedback and etc. OWASP 2 0
Why HTTP POST DDOS attack works This attack can evade Layer 4 detection techniques as there is no malformed TCP, just like Slowloris. Unlike Slowloris, there is no delay in sending HTTP Header, hence nullifying IIS built-in defense, making IIS vulnerable too. Size, character sets and time intervals can be randomised to foil any recognition of Layer 7 traffic patterns by DDOS protection systems. Difficult to differentiate from legit connections which are slow. OWASP 2 1
Interesting findings IIS 6.0 (W2K3) web server is vulnerable to this attack even when there is no form. Apache, IIS 7 or later require presence of forms for this attack to work. Apache requires lesser number of connections due to mandatory client or thread limit in httpd.conf. Besides its “unlimited connections” settings, a default IIS configuration will go down with 20,000 HTTP POST DDOS connections, regardless of hardware capabilities. This is due to the rapid fail protection sandbox feature in IIS. OWASP 2 2
Interesting findings IIS with 8 cores and 16GB RAM = IIS with 2 cores and 2GB RAM Only 20k HTTP POST connections to DDOS either IIS! In HTTP/1.1 where chunked encoding is supported and there is no “Content-Length” HTTP header, the lethality is amplified. The web server does not even know up front from the headers how large is the POST request! OWASP 2 3
Interesting findings Botnet operators had begun their “3G upgrade” to include Layer 7 DDOS techniques. Some may have completed their upgrade to include HTTP POST. We believe Layer 7 attacks may supersede Layer 4 attacks as the modus operandi of DDOS botnets in this new decade. OWASP 2 4
Potential countermeasures Apache (experimental) mod_reqtimeout LimitRequestBody directive IIS No reply from Microsoft on the availability of the proposed controls in the latest service pack for IIS. OWASP 2 5
Potential countermeasures General Limit the size of the request to each form's requirements. For e.g. a login form with a 20-char username field and a 20-char password field should not accept a 1KB POST message body Identify the 95% or 99% percentile of normal access speed range to your website. Establish a speed floor for the outliers. With the speed floor and maximum allowable body size for each form, establish a request timeout for each form (= Tedious! Good news for infosec folks?) OWASP 2 6
Weaknesses of countermeasures Hackers can “sense” the speed floor and execute attacks just above the speed floor. Most (broadband) home users have uplink speed of at least 256 kbps. But we cannot set speed floors at 256 kbps. Speed floors = not friendly to overseas customers/visitors or local ones using mobile devices. HTTPS will be a challenge for front appliance- based defensive systems. OWASP 2 7
Future “exploits”? - WebSockets WebSockets in HTML5 (draft expires February 17, 2011) http://www.whatwg.org/specs/web-socket-protocol/ “Conceptually, WebSocket is really just a layer on top of TCP that adds a Web "origin"-based security model for browsers; adds an addressing and subprotocol naming mechanism to support multiple services on one port and multiple host names on one IP address; layers a framing mechanism on top of TCP to get back to the IP packet mechanism that TCP is built on, but without length limits; and reimplements the closing handshake in-band....” OWASP 2 8
Future “exploits”? - WebSockets 6.3. Data framing The server must run through the following steps to process the bytes sent by the client. If at any point during these steps a read is attempted but fails because the WebSocket connection is closed, then abort. 1. Try to read a byte from the client. Let /frame type/ be that byte. 2. Try to read eight more bytes from the client. Let /frame length/ be the result of interpreting those eight bytes as a big-endian 64 bit unsigned integer. (e.g. 99,999,999) …….  99,999,999 / 1 byte per 110 secs = 10,999,999,890 secs = 127,315 days = 349 years OWASP 2 9
Agenda Introduction to Layer 7 DDOS attacks Different types of Layer 7 DDOS web attacks Analysis of HTTP POST DDOS attack Demo OWASP 3 0
Demo Old = you may already know about the components. New = New trend of “weaponized” online games which are web-based or client-based. Desktop firewalls do not block outgoing Port 80 connections once the process is whitelisted. (Need to be whitelisted, else game will not run) The one we are showing is a simple game using a self-signed Java applet. (good old Java sandbox bypass) OWASP 3 1

Empfohlen

Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesConviso Application Security
 
Rust Hack
Rust HackRust Hack
Rust HackViral Parmar
 
支撐英雄聯盟戰績網的那條巨蟒
支撐英雄聯盟戰績網的那條巨蟒支撐英雄聯盟戰績網的那條巨蟒
支撐英雄聯盟戰績網的那條巨蟒Toki Kanno
 
Php File Upload
Php File UploadPhp File Upload
Php File Uploadsaeel005
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
Http requesting smuggling
Http requesting smugglingHttp requesting smuggling
Http requesting smugglingApijay Kumar
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł MaziarzPROIDEA
 
OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)Shteryana Shopova
 

Empfohlen

Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesConviso Application Security
 
Rust Hack
Rust HackRust Hack
Rust HackViral Parmar
 
支撐英雄聯盟戰績網的那條巨蟒
支撐英雄聯盟戰績網的那條巨蟒支撐英雄聯盟戰績網的那條巨蟒
支撐英雄聯盟戰績網的那條巨蟒Toki Kanno
 
Php File Upload
Php File UploadPhp File Upload
Php File Uploadsaeel005
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
Http requesting smuggling
Http requesting smugglingHttp requesting smuggling
Http requesting smugglingApijay Kumar
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł MaziarzPROIDEA
 
OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)OpenSSL programming (still somewhat initial version)
OpenSSL programming (still somewhat initial version)Shteryana Shopova
 
Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017Alexis Von Glasow
 
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the YearJeremiah Grossman
 
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowWilliam Lee
 
Cache poisoning
Cache poisoningCache poisoning
Cache poisoningAlexandraLacatus
 
Openssl
OpensslOpenssl
Opensslpsychesnet Hsieh
 
List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers한익 주
 
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...PROIDEA
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5DefconRussia
 
Web Cache Poisoning
Web Cache PoisoningWeb Cache Poisoning
Web Cache PoisoningKuldeepPandya5
 
VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012Martin Kobetic
 
Cors kung fu
Cors kung fuCors kung fu
Cors kung fuAditya Balapure
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
 
Burp suite
Burp suiteBurp suite
Burp suiteYashar Shahinzadeh
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Plone 5 and machine learning
Plone 5 and machine learningPlone 5 and machine learning
Plone 5 and machine learningRamon Navarro
 
Juglouvain http revisited
Juglouvain http revisitedJuglouvain http revisited
Juglouvain http revisitedmarctritschler
 
How containers helped a SaaS startup be developed and go live
How containers helped a SaaS startup be developed and go liveHow containers helped a SaaS startup be developed and go live
How containers helped a SaaS startup be developed and go liveRamon Navarro
 
2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_securityDavid Blevins
 
Native or External?
Native or External?Native or External?
Native or External?ESUG
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacksRoberto Suggi Liverani
 
Defending against application level DoS attacks
Defending against application level DoS attacksDefending against application level DoS attacks
Defending against application level DoS attacksChu Xu
 

Weitere ähnliche Inhalte

Was ist angesagt?

Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017Alexis Von Glasow
 
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the YearJeremiah Grossman
 
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowWilliam Lee
 
List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers한익 주
 
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...PROIDEA
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5DefconRussia
 
VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012Martin Kobetic
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Plone 5 and machine learning
Plone 5 and machine learningPlone 5 and machine learning
Plone 5 and machine learningRamon Navarro
 
Juglouvain http revisited
Juglouvain http revisitedJuglouvain http revisited
Juglouvain http revisitedmarctritschler
 
How containers helped a SaaS startup be developed and go live
How containers helped a SaaS startup be developed and go liveHow containers helped a SaaS startup be developed and go live
How containers helped a SaaS startup be developed and go liveRamon Navarro
 
2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_securityDavid Blevins
 
Native or External?
Native or External?Native or External?
Native or External?ESUG
 

Was ist angesagt? (20)

Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017Meetup mini conférences AFUP Paris Deezer Janvier 2017
Meetup mini conférences AFUP Paris Deezer Janvier 2017
 
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
 
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call Flow
 
Cache poisoning
Cache poisoningCache poisoning
Cache poisoning
 
Openssl
OpensslOpenssl
Openssl
 
List of useful security related http headers
List of useful security related http headersList of useful security related http headers
List of useful security related http headers
 
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
 
Web Cache Poisoning
Web Cache PoisoningWeb Cache Poisoning
Web Cache Poisoning
 
VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012
 
Cors kung fu
Cors kung fuCors kung fu
Cors kung fu
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
 
Burp suite
Burp suiteBurp suite
Burp suite
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Plone 5 and machine learning
Plone 5 and machine learningPlone 5 and machine learning
Plone 5 and machine learning
 
Juglouvain http revisited
Juglouvain http revisitedJuglouvain http revisited
Juglouvain http revisited
 
How containers helped a SaaS startup be developed and go live
How containers helped a SaaS startup be developed and go liveHow containers helped a SaaS startup be developed and go live
How containers helped a SaaS startup be developed and go live
 
2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security2017 dev nexus_deconstructing_rest_security
2017 dev nexus_deconstructing_rest_security
 
Native or External?
Native or External?Native or External?
Native or External?
 

Ähnlich wie Layer 7 ddos

Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacksRoberto Suggi Liverani
 
Defending against application level DoS attacks
Defending against application level DoS attacksDefending against application level DoS attacks
Defending against application level DoS attacksChu Xu
 
Browser security
Browser securityBrowser security
Browser securityUday Anand
 
Nodejs a-practical-introduction-oredev
Nodejs a-practical-introduction-oredevNodejs a-practical-introduction-oredev
Nodejs a-practical-introduction-oredevFelix Geisendörfer
 
Web Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWeb Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWebsecurify
 
Implementation Of real testbed of DDOS
Implementation Of real testbed of DDOSImplementation Of real testbed of DDOS
Implementation Of real testbed of DDOSJatin Singh
 
2 secure systems design
2 secure systems design2 secure systems design
2 secure systems designdrewz lin
 
Rpi python web
Rpi python webRpi python web
Rpi python websewoo lee
 
Presentation (PowerPoint File)
Presentation (PowerPoint File)Presentation (PowerPoint File)
Presentation (PowerPoint File)webhostingguy
 
Presentation (PowerPoint File)
Presentation (PowerPoint File)Presentation (PowerPoint File)
Presentation (PowerPoint File)webhostingguy
 
Node.js: The What, The How and The When
Node.js: The What, The How and The WhenNode.js: The What, The How and The When
Node.js: The What, The How and The WhenFITC
 
Node.js - A practical introduction (v2)
Node.js - A practical introduction (v2)Node.js - A practical introduction (v2)
Node.js - A practical introduction (v2)Felix Geisendörfer
 
XST - Cross Site Tracing
XST - Cross Site TracingXST - Cross Site Tracing
XST - Cross Site TracingMagno Logan
 
node.js: Javascript's in your backend
node.js: Javascript's in your backendnode.js: Javascript's in your backend
node.js: Javascript's in your backendDavid Padbury
 
Scalable network applications, event-driven - Node JS
Scalable network applications, event-driven - Node JSScalable network applications, event-driven - Node JS
Scalable network applications, event-driven - Node JSCosmin Mereuta
 
Web Server and how we can design app in C#
Web Server and how we can design app in C#Web Server and how we can design app in C#
Web Server and how we can design app in C#caohansnnuedu
 
Consuming RESTful Web services in PHP
Consuming RESTful Web services in PHPConsuming RESTful Web services in PHP
Consuming RESTful Web services in PHPZoran Jeremic
 

Ähnlich wie Layer 7 ddos (20)

Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacks
 
Defending against application level DoS attacks
Defending against application level DoS attacksDefending against application level DoS attacks
Defending against application level DoS attacks
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
Browser security
Browser securityBrowser security
Browser security
 
Nodejs a-practical-introduction-oredev
Nodejs a-practical-introduction-oredevNodejs a-practical-introduction-oredev
Nodejs a-practical-introduction-oredev
 
Web Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The BasicsWeb Application Security 101 - 02 The Basics
Web Application Security 101 - 02 The Basics
 
Spider Course Day 1
Spider Course Day 1Spider Course Day 1
Spider Course Day 1
 
Implementation Of real testbed of DDOS
Implementation Of real testbed of DDOSImplementation Of real testbed of DDOS
Implementation Of real testbed of DDOS
 
2 secure systems design
2 secure systems design2 secure systems design
2 secure systems design
 
Rpi python web
Rpi python webRpi python web
Rpi python web
 
Presentation (PowerPoint File)
Presentation (PowerPoint File)Presentation (PowerPoint File)
Presentation (PowerPoint File)
 
Presentation (PowerPoint File)
Presentation (PowerPoint File)Presentation (PowerPoint File)
Presentation (PowerPoint File)
 
Node.js: The What, The How and The When
Node.js: The What, The How and The WhenNode.js: The What, The How and The When
Node.js: The What, The How and The When
 
Node.js - A practical introduction (v2)
Node.js - A practical introduction (v2)Node.js - A practical introduction (v2)
Node.js - A practical introduction (v2)
 
XST - Cross Site Tracing
XST - Cross Site TracingXST - Cross Site Tracing
XST - Cross Site Tracing
 
Null HYD VRTDOS
Null HYD VRTDOSNull HYD VRTDOS
Null HYD VRTDOS
 
node.js: Javascript's in your backend
node.js: Javascript's in your backendnode.js: Javascript's in your backend
node.js: Javascript's in your backend
 
Scalable network applications, event-driven - Node JS
Scalable network applications, event-driven - Node JSScalable network applications, event-driven - Node JS
Scalable network applications, event-driven - Node JS
 
Web Server and how we can design app in C#
Web Server and how we can design app in C#Web Server and how we can design app in C#
Web Server and how we can design app in C#
 
Consuming RESTful Web services in PHP
Consuming RESTful Web services in PHPConsuming RESTful Web services in PHP
Consuming RESTful Web services in PHP
 

Mehr von fangjiafu

Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityfangjiafu
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101fangjiafu
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_finalfangjiafu
 
Wce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engWce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engfangjiafu
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizifangjiafu
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assertfangjiafu
 
Cursor injection
Cursor injectionCursor injection
Cursor injectionfangjiafu
 
Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdbafangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02fangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashingfangjiafu
 
Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰fangjiafu
 
2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronizationfangjiafu
 

Mehr von fangjiafu (20)

Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurity
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_final
 
Wce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engWce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_eng
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizi
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assert
 
Cursor injection
Cursor injectionCursor injection
Cursor injection
 
Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdba
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02
 
Crypto hlug
Crypto hlugCrypto hlug
Crypto hlug
 
Fp
FpFp
Fp
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Rr 7944
Rr 7944Rr 7944
Rr 7944
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashing
 
Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰
 
Oech03
Oech03Oech03
Oech03
 
2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization
 
Unit07
Unit07Unit07
Unit07
 
Unit05
Unit05Unit05
Unit05
 

Kürzlich hochgeladen

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 

Kürzlich hochgeladen (20)

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 

Layer 7 ddos

  • 1. H.....t.....t....p....p....o....s....t Wong Onn Chee OWASP Singapore Lead ocwong@usa.net Tom Brennan OWASP Foundation OWASP AppSec tomb@owasp.org DC 2010 Copyright © The OWASP Foundation 11 Nov 2010 Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. Agenda Introduction to Layer 7 DDOS attacks Different types of Layer 7 DDOS web attacks Analysis of HTTP POST DDOS attack Demo OWASP 2
  • 3. First, there was Layer 4 DDOS...... Past DDOS attacks were mainly Layer 4 (TCP) attacks. OWASP 3
  • 4. Layer 4 DDOS attacks Reach bandwidth or connection limits of hosts or networking equipment. Fortunately, current anti-DDOS solutions are effective in handling Layer 4 DDOS attacks. OWASP 4
  • 5. Then, there were Layer 7 DDOS attacks Operates at the application protocol level (OSI Layer 7). Eg. HTTP(S), SMTP, FTP and etc. OWASP 5
  • 6. Effectiveness of Layer 7 DDOS attacks Legitimate TCP or UDP connections. Difficult to differentiate from legitimate users => higher obscurity. Requires lesser number of connections => higher efficiency. Reach resource limits of services. Can deny services regardless of hardware capabilities of host => higher lethality. OWASP 6
  • 7. Agenda Introduction to Layer 7 DDOS attacks Different types of Layer 7 DDOS web attacks Analysis of HTTP POST DDOS attack Demo OWASP 7
  • 8. Types of Layer 7 DDOS web attacks Excludes causes related to stupid or inefficient codes. (Yes! You can DOS yourself) We will focus on protocol weaknesses of HTTP or HTTPS. HTTP GET => Michal Zalewski, Adrian Ilarion Ciobanu, RSnake (Slowloris) HTTP POST => Wong Onn Chee OWASP 8
  • 9. HTTP GET DDOS attack First highlighted by Michal Zalewski and Adrian Ilarion Ciobanu in 2007 http://www.securityfocus.com/archive/1/456339/30/0/threaded Popularized in 2009 by Rsnake with the free tool, Slowloris. Slowloris used time-delayed HTTP headers to hold on to HTTP connections and exhaust web server threads or resources. Can evade Layer 4 DDOS protection systems. More info can be found at http://ha.ckers.org/blog/20090617/slowloris-http-dos/ OWASP 9
  • 10. HTTP GET DDOS attack Apache Foundation disagreed this is a bug and had no plans to “fix it”. To AF, waiting for the HTTP headers to complete sending is a basic and inherent behavior of web servers. Microsoft IIS imposes a timeout for HTTP headers to be sent. Any HTTP connection which exceeds the headers timeout will be closed, hence rendering HTTP GET attacks ineffective against IIS web servers. OWASP 1 0
  • 11. Limitations of HTTP GET DDOS attack Does not work on IIS web servers or web servers with timeout limits for HTTP headers. Easily defensible using popular load balancers, such as F5 and Cisco, reverse proxies and certain Apache modules, such as mod_antiloris. Anti-DDOS systems may use “delayed binding”/“TCP Splicing” to defend against HTTP GET attacks. OWASP 11
  • 12. Agenda Introduction to Layer 7 DDOS attacks Different types of Layer 7 DDOS web attacks Analysis of HTTP POST DDOS attack Demo OWASP 1 2
  • 13. HTTP POST DDOS attack First discovered in Sep 2009 by Wong Onn Chee and his team. Escalated to Microsoft and AF in Q1 2010. Both interpreted this to be a protocol bug. Apache: “What you described is a known attribute (read: flaw) of the HTTP protocol over TCP/IP. The Apache HTTP project declines to treat this expected use-case as a vulnerability in the software.” MS: “While we recognize this is an issue, this issue does not meet our bar for the release of a security update. We will continue to track this issue and the changes I mentioned above for release in a future service pack.” OWASP 1 3
  • 14. How HTTP POST DDOS attack works (HTTP/1.0) Uses HTTP POST requests, instead of HTTP GET which is used by Slowloris. “A POST request includes a message body in addition to a URL used to specify information for the action being performed. This body can use any encoding, but when webpages send POST requests from an HTML form element the Internet media type is "application/x-www-form- urlencoded". (source: Wikipedia - “POST (HTTP)”)” OWASP 1 4
  • 15. How HTTP POST DDOS attack works (HTTP/1.0) (cont'd) The field “Content-Length” in the HTTP Header tells the web server how large the message body is, for e.g., “Content-Length = 1000” The HTTP Header portion is complete and sent in full to the web server, hence bypassing IIS inherent protection. OWASP 1 5
  • 16. How HTTP POST DDOS attack works (HTTP/1.0) (cont'd) For e.g., Content-Length = 1000 (bytes) The HTTP message body is properly URL- encoded, but ...... .....is sent at, again for e.g., 1 byte per 110 seconds. Multiply such connections by 20,000 and your IIS web server will be DDOS. Most web servers can accept up to 2GB worth of content in a single HTTP POST request. OWASP 1 6
  • 17. Sample code to simulate HTTP POST DDOS attack (HTTP/1.0) private String getRequestHeader() { String requestHeader = ""; requestHeader += param.getMethod() + " " + param.getUrl() + " HTTP/1.1rn"; requestHeader += Construction of legitimate "Host: " + param.getHost() + "rn" headers + "User-Agent: " + httpUserAgent + "rn" + "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn" + "Accept-Language: en-us,en;q=0.5rn" + "Accept-Encoding: gzip,deflatern" + "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7rn" if (param.getContentLength() > 0) { Random values for requestHeader += "Connection: keep-alivern"; Content-Length header requestHeader += "Keep-Alive: 900rn"; requestHeader += "Content-Length: " + param.getContentLength() + "rn"; requestHeader += "rn"; } return requestHeader; } OWASP 1 7
  • 18. Sample code to simulate HTTP POST DDOS attack (HTTP/1.0) Get random data --> public static byte getRandomByte() { Byte randomness int character = gen.nextInt(); return (byte) character; } Send random data --> public void sendXHeader() throws IOException { StringBuffer header1 = new StringBuffer(); StringBuffer header2 = new StringBuffer(); Time interval randomness int lengthOfXA = param.getRandomLengthOfXA(); int lengthOfXB = param.getRandomLengthOfXB(); for (int i=0 ; i<lengthOfXA ; i++) { header1.append(Misc.getRandomByte()); } OWASP 1 8
  • 19. Sample code to simulate HTTP POST DDOS attack (HTTP/1.0) for (int i=0 ; i<lengthOfXB ; i++) { header2.append(Misc.getRandomByte()); } socket.getOutputStream().write(("X-" + header1.toString() + ": " + header2.toString() + "rn").getBytes()); socket.getOutputStream().flush(); } Sends the payload public void sendPOSTBodyRandomByte() throws IOException { socket.getOutputStream().write(Misc.getRandomByte()); socket.getOutputStream().flush(); } OWASP 1 9
  • 20. Why HTTP POST DDOS attack works Being “kind” folks (like all of you), web servers will “obey” the “Content-Length” field to wait for the remaining message body to be sent. By waiting for the complete message body to be sent, web servers can support users with slow or intermittent connections. Hence, any website which has forms, i.e. accepts HTTP POST requests, is susceptible to such attacks. Common uses of HTTP POST requests: login, uploading photo/video, sending webmail / attachments, submitting feedback and etc. OWASP 2 0
  • 21. Why HTTP POST DDOS attack works This attack can evade Layer 4 detection techniques as there is no malformed TCP, just like Slowloris. Unlike Slowloris, there is no delay in sending HTTP Header, hence nullifying IIS built-in defense, making IIS vulnerable too. Size, character sets and time intervals can be randomised to foil any recognition of Layer 7 traffic patterns by DDOS protection systems. Difficult to differentiate from legit connections which are slow. OWASP 2 1
  • 22. Interesting findings IIS 6.0 (W2K3) web server is vulnerable to this attack even when there is no form. Apache, IIS 7 or later require presence of forms for this attack to work. Apache requires lesser number of connections due to mandatory client or thread limit in httpd.conf. Besides its “unlimited connections” settings, a default IIS configuration will go down with 20,000 HTTP POST DDOS connections, regardless of hardware capabilities. This is due to the rapid fail protection sandbox feature in IIS. OWASP 2 2
  • 23. Interesting findings IIS with 8 cores and 16GB RAM = IIS with 2 cores and 2GB RAM Only 20k HTTP POST connections to DDOS either IIS! In HTTP/1.1 where chunked encoding is supported and there is no “Content-Length” HTTP header, the lethality is amplified. The web server does not even know up front from the headers how large is the POST request! OWASP 2 3
  • 24. Interesting findings Botnet operators had begun their “3G upgrade” to include Layer 7 DDOS techniques. Some may have completed their upgrade to include HTTP POST. We believe Layer 7 attacks may supersede Layer 4 attacks as the modus operandi of DDOS botnets in this new decade. OWASP 2 4
  • 25. Potential countermeasures Apache (experimental) mod_reqtimeout LimitRequestBody directive IIS No reply from Microsoft on the availability of the proposed controls in the latest service pack for IIS. OWASP 2 5
  • 26. Potential countermeasures General Limit the size of the request to each form's requirements. For e.g. a login form with a 20-char username field and a 20-char password field should not accept a 1KB POST message body Identify the 95% or 99% percentile of normal access speed range to your website. Establish a speed floor for the outliers. With the speed floor and maximum allowable body size for each form, establish a request timeout for each form (= Tedious! Good news for infosec folks?) OWASP 2 6
  • 27. Weaknesses of countermeasures Hackers can “sense” the speed floor and execute attacks just above the speed floor. Most (broadband) home users have uplink speed of at least 256 kbps. But we cannot set speed floors at 256 kbps. Speed floors = not friendly to overseas customers/visitors or local ones using mobile devices. HTTPS will be a challenge for front appliance- based defensive systems. OWASP 2 7
  • 28. Future “exploits”? - WebSockets WebSockets in HTML5 (draft expires February 17, 2011) http://www.whatwg.org/specs/web-socket-protocol/ “Conceptually, WebSocket is really just a layer on top of TCP that adds a Web "origin"-based security model for browsers; adds an addressing and subprotocol naming mechanism to support multiple services on one port and multiple host names on one IP address; layers a framing mechanism on top of TCP to get back to the IP packet mechanism that TCP is built on, but without length limits; and reimplements the closing handshake in-band....” OWASP 2 8
  • 29. Future “exploits”? - WebSockets 6.3. Data framing The server must run through the following steps to process the bytes sent by the client. If at any point during these steps a read is attempted but fails because the WebSocket connection is closed, then abort. 1. Try to read a byte from the client. Let /frame type/ be that byte. 2. Try to read eight more bytes from the client. Let /frame length/ be the result of interpreting those eight bytes as a big-endian 64 bit unsigned integer. (e.g. 99,999,999) …….  99,999,999 / 1 byte per 110 secs = 10,999,999,890 secs = 127,315 days = 349 years OWASP 2 9
  • 30. Agenda Introduction to Layer 7 DDOS attacks Different types of Layer 7 DDOS web attacks Analysis of HTTP POST DDOS attack Demo OWASP 3 0
  • 31. Demo Old = you may already know about the components. New = New trend of “weaponized” online games which are web-based or client-based. Desktop firewalls do not block outgoing Port 80 connections once the process is whitelisted. (Need to be whitelisted, else game will not run) The one we are showing is a simple game using a self-signed Java applet. (good old Java sandbox bypass) OWASP 3 1