SlideShare ist ein Scribd-Unternehmen logo

44CON London 2015 - DDoS mitigation EPIC FAIL collection

44CON
44CON

DDoS mitigation EPIC FAIL collection by Moshe Zioni

Technologie
1 von 49
Downloaden Sie, um offline zu lesen
DDoS Mitigation collection TL;DR: LEARN HOW TO DO DDOS PROPERLY AND (EASILY) BYPASS MITIGATION TACTICS 1
Agenda  Intro to D/DoS  Methodology of work  DDoS tactics in-the-wild and how to improve  Common strategies and how to counter them  Q&A 2
~$ whoami  Moshe Zioni, Head of Research, Comsec  3 years (and counting) of designing & providing full-blown an on-demand DDoS attack service.  1st time in 44con  Thank you for  .///. END OF SHAMELESS PROMOTION SLIDE .///. 3
Method 4
DDoS for Everyone! 5
Run-of-the-Mill DDoS attacks nowadays Rely heavily on bandwidth consumption 53% of attacks are < 2Gbps (SANS) Most attacks does not require brains Amplification and Reflection relies on 3rd party domains (DNS, NTP etc.) 6
Strike Harder! (!=Larger botnet) There is more to a web site then a front-end (!!) Overload the backend by making the system work for you Keep it stealthy, they might be sniffing Generalized term for Amplification 7
Generalized Amplification - “4 Pillars” Amplification factors Network – The usual suspect CPU – Very limited on some mediators and web application servers Memory – Volatile, everything uses it Storage – Can be filled up or exhausting I/O buffer 8
Just before we start  NO SHAMING POLICY - Client identity will remain anonymous  Meet - “SuperBank”  10 common-practices and the appropriate bypass/attack 9
Ready? Set. FACEPALM! 10
11
“Limit the rate of incoming packets” 12
 The bank has been hit by a DDoS attack that consumed ALL BANDWIDTH  To rectify the situation the ISP suggested limiting incoming packet rate to ensure availability 13
Reflection to the rescue! Consumption by reflection Send in 1Kb Consume according to file-length 14
15
“It’s OK now, monitoring shows everything is back to normal” 16
 MegaCommonPractive now went on to buy a Anti-DDoS solution  A known Anti-DDoS cloud-based protection solution approached the client and offered a very solid looking solution including 24/7 third party monitoring 17
ACTUALLY TRY TO ACCESS THE WEB SITE!!!! 18
19
“Backend servers are not important to protect against DDoS” 20
Mapping the backend for DDoS  Databases are very susceptible to DDoS attacks and provide good grounds for intra-amplification  How can we find DBs? You can always guess, pentersters do that all the time… Takes more time == talk more with BE !!! PROFIT!!! 21
22
23
Really??!?! ALL OF THE DOMAINS?!? What is the strategy of mitigation? Do you understand it? 24
25
“We don’t trust the vendor, we don’t give them certificates” 26
Talk to me in layer 7… Defense have chosen not to monitor layer 7 – HTTPS attacks.. SSL re/negotiation Full blown HTTPS GET/POST/… no one can see you now 27
28
“We need Big Data, collect all the logs” 29
Logs need to be handled Storage Boom Result in a complete lock-down, including not be able to manage the overflowed device It was the IPS, so no traffic allowed to anything SILO NEEDED! 30
31
“We are under attack – enforce the on-demand Scrubbing Service” 32
Learning mode – did you do it? All is learned Attack considered legitimate traffic 33
34
“So what CDN is not dynamic? Let’s enable it” 35
NOT IN CACHE? ASK THE ORIGIN! 36
37
38
39
How to find an ‘invisible’ origin? Find other known subdomain -> translate to IP -> scan the /24 or /16 -> good chance it’s there. AND….. WHOIS never forgets http://viewdns.info FTW! 40
41
“Block ‘em!, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them. “ 42
Total IPs (UK): ~119 M 43
About 1,800 class B ranges 44
We spoof IPs from those classes and deliver a very detectable TCP SYN flood attack from each source 45
Now think of a monkey blocking every incoming alert. 15 MINUTES TO SELF INFLICTED DDOS 46
Collected misconceptions  There is no magic pill or best cocktail mix of technologies/appliances/services, never was  DDoS is a subset of DoS, not the other way around  You can have all the toys and money in the world – best mitigation – don’t do drugs  DDoS is easy, try before you buy!  If you won’t do that – you can be evaluated for this presentation in the future 48
Questions? 49
Thank you! Moshe Zioni zimoshe@gmail.com, @dalmoz_ corp:moshez@comsecglobal.com 50

Empfohlen

44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN
44CON
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON
 
DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?
Rob Gillen
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie
Zoltan Balazs
 
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
RootedCON
 
MIPS-X
MIPS-XMIPS-X
MIPS-X
Zoltan Balazs
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritz
Deepanshu Gajbhiye
 

Empfohlen

44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN
44CON
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON
 
DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?
Rob Gillen
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie
Zoltan Balazs
 
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
RootedCON
 
MIPS-X
MIPS-XMIPS-X
MIPS-X
Zoltan Balazs
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritz
Deepanshu Gajbhiye
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012
Andrew Morris
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3
Zoltan Balazs
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik
 
MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017)
MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017)MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017)
MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017)
Moshe Zioni
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
Leonardo Nve Egea
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
Zoltan Balazs
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
PacSecJP
 
Man in the NFC by Haoqi Shan and Qing Yang
Man in the NFC by Haoqi Shan and Qing YangMan in the NFC by Haoqi Shan and Qing Yang
Man in the NFC by Haoqi Shan and Qing Yang
CODE BLUE
 
The Honeynet Project Introduction
The Honeynet Project IntroductionThe Honeynet Project Introduction
The Honeynet Project Introduction
Julia Yu-Chin Cheng
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
Andrew Morris
 
Practical White Hat Hacker Training - Exploitation
Practical White Hat Hacker Training - ExploitationPractical White Hat Hacker Training - Exploitation
Practical White Hat Hacker Training - Exploitation
PRISMA CSI
 
Уязвимости программного обеспечения телекоммуникационного оборудования Yota
Уязвимости программного обеспечения телекоммуникационного оборудования YotaУязвимости программного обеспечения телекоммуникационного оборудования Yota
Уязвимости программного обеспечения телекоммуникационного оборудования Yota
HeadLightSecurity
 
Uncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsUncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditions
HeadLightSecurity
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
Bangladesh Network Operators Group
 
A tale of a rouge router firmware
A tale of a rouge router firmwareA tale of a rouge router firmware
A tale of a rouge router firmware
Bijay Senihang
 
Attacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network SelectionAttacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network Selection
amiable_indian
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
Cyber Security Alliance
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
B.A.
 
How to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laosHow to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laos
Outhai SAIOUDOM
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON
 

Weitere ähnliche Inhalte

Was ist angesagt?

Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012
Andrew Morris
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik
 
MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017)
MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017)MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017)
MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017)
Moshe Zioni
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
PacSecJP
 
Man in the NFC by Haoqi Shan and Qing Yang
Man in the NFC by Haoqi Shan and Qing YangMan in the NFC by Haoqi Shan and Qing Yang
Man in the NFC by Haoqi Shan and Qing Yang
CODE BLUE
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
Andrew Morris
 
Уязвимости программного обеспечения телекоммуникационного оборудования Yota
Уязвимости программного обеспечения телекоммуникационного оборудования YotaУязвимости программного обеспечения телекоммуникационного оборудования Yota
Уязвимости программного обеспечения телекоммуникационного оборудования Yota
HeadLightSecurity
 

Was ist angesagt? (20)

Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
 
MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017)
MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017)MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017)
MQTT - IoT - explore & exploit - BSidesTLV 2017 (June 2017)
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
 
Man in the NFC by Haoqi Shan and Qing Yang
Man in the NFC by Haoqi Shan and Qing YangMan in the NFC by Haoqi Shan and Qing Yang
Man in the NFC by Haoqi Shan and Qing Yang
 
The Honeynet Project Introduction
The Honeynet Project IntroductionThe Honeynet Project Introduction
The Honeynet Project Introduction
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
 
Practical White Hat Hacker Training - Exploitation
Practical White Hat Hacker Training - ExploitationPractical White Hat Hacker Training - Exploitation
Practical White Hat Hacker Training - Exploitation
 
Уязвимости программного обеспечения телекоммуникационного оборудования Yota
Уязвимости программного обеспечения телекоммуникационного оборудования YotaУязвимости программного обеспечения телекоммуникационного оборудования Yota
Уязвимости программного обеспечения телекоммуникационного оборудования Yota
 
Uncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsUncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditions
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
 
A tale of a rouge router firmware
A tale of a rouge router firmwareA tale of a rouge router firmware
A tale of a rouge router firmware
 
Attacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network SelectionAttacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network Selection
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
How to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laosHow to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laos
 

Andere mochten auch

Andere mochten auch (6)

44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 

Ähnlich wie 44CON London 2015 - DDoS mitigation EPIC FAIL collection

Ähnlich wie 44CON London 2015 - DDoS mitigation EPIC FAIL collection (20)

DDoS mitigation EPIC FAIL collection - 32C3
DDoS mitigation EPIC FAIL collection - 32C3DDoS mitigation EPIC FAIL collection - 32C3
DDoS mitigation EPIC FAIL collection - 32C3
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptx
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)
 
DDoS mitigation in the real world
DDoS mitigation in the real worldDDoS mitigation in the real world
DDoS mitigation in the real world
 
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
 
Denial of services : limiting the threat
Denial of services : limiting the threatDenial of services : limiting the threat
Denial of services : limiting the threat
 
Dos attack
Dos attackDos attack
Dos attack
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and Risk
 
DoS or DDoS attack
DoS or DDoS attackDoS or DDoS attack
DoS or DDoS attack
 
Recent DDoS attack trends, and how you should respond
Recent DDoS attack trends, and how you should respondRecent DDoS attack trends, and how you should respond
Recent DDoS attack trends, and how you should respond
 
Distributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationDistributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And Mitigation
 
DDoS Threat Landscape - Ron Winward CHINOG16
DDoS Threat Landscape - Ron Winward CHINOG16DDoS Threat Landscape - Ron Winward CHINOG16
DDoS Threat Landscape - Ron Winward CHINOG16
 
Securing your web infrastructure
Securing your web infrastructureSecuring your web infrastructure
Securing your web infrastructure
 
Attacks on the cyber world
Attacks on the cyber worldAttacks on the cyber world
Attacks on the cyber world
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
 
DrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSDrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoS
 
DDoS Hurts Everyone
DDoS Hurts EveryoneDDoS Hurts Everyone
DDoS Hurts Everyone
 
Ddos
DdosDdos
Ddos
 
DoS.ppt
DoS.pptDoS.ppt
DoS.ppt
 
DoS.ppt
DoS.pptDoS.ppt
DoS.ppt
 

Mehr von 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
44CON
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
44CON
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON
 

Mehr von 44CON (20)

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
 

Kürzlich hochgeladen

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Kürzlich hochgeladen (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

44CON London 2015 - DDoS mitigation EPIC FAIL collection

  • 1. DDoS Mitigation collection TL;DR: LEARN HOW TO DO DDOS PROPERLY AND (EASILY) BYPASS MITIGATION TACTICS 1
  • 2. Agenda  Intro to D/DoS  Methodology of work  DDoS tactics in-the-wild and how to improve  Common strategies and how to counter them  Q&A 2
  • 3. ~$ whoami  Moshe Zioni, Head of Research, Comsec  3 years (and counting) of designing & providing full-blown an on-demand DDoS attack service.  1st time in 44con  Thank you for  .///. END OF SHAMELESS PROMOTION SLIDE .///. 3
  • 6. Run-of-the-Mill DDoS attacks nowadays Rely heavily on bandwidth consumption 53% of attacks are < 2Gbps (SANS) Most attacks does not require brains Amplification and Reflection relies on 3rd party domains (DNS, NTP etc.) 6
  • 7. Strike Harder! (!=Larger botnet) There is more to a web site then a front-end (!!) Overload the backend by making the system work for you Keep it stealthy, they might be sniffing Generalized term for Amplification 7
  • 8. Generalized Amplification - “4 Pillars” Amplification factors Network – The usual suspect CPU – Very limited on some mediators and web application servers Memory – Volatile, everything uses it Storage – Can be filled up or exhausting I/O buffer 8
  • 9. Just before we start  NO SHAMING POLICY - Client identity will remain anonymous  Meet - “SuperBank”  10 common-practices and the appropriate bypass/attack 9
  • 11. 11
  • 12. “Limit the rate of incoming packets” 12
  • 13.  The bank has been hit by a DDoS attack that consumed ALL BANDWIDTH  To rectify the situation the ISP suggested limiting incoming packet rate to ensure availability 13
  • 14. Reflection to the rescue! Consumption by reflection Send in 1Kb Consume according to file-length 14
  • 15. 15
  • 16. “It’s OK now, monitoring shows everything is back to normal” 16
  • 17.  MegaCommonPractive now went on to buy a Anti-DDoS solution  A known Anti-DDoS cloud-based protection solution approached the client and offered a very solid looking solution including 24/7 third party monitoring 17
  • 18. ACTUALLY TRY TO ACCESS THE WEB SITE!!!! 18
  • 19. 19
  • 20. “Backend servers are not important to protect against DDoS” 20
  • 21. Mapping the backend for DDoS  Databases are very susceptible to DDoS attacks and provide good grounds for intra-amplification  How can we find DBs? You can always guess, pentersters do that all the time… Takes more time == talk more with BE !!! PROFIT!!! 21
  • 22. 22
  • 23. 23
  • 24. Really??!?! ALL OF THE DOMAINS?!? What is the strategy of mitigation? Do you understand it? 24
  • 25. 25
  • 26. “We don’t trust the vendor, we don’t give them certificates” 26
  • 27. Talk to me in layer 7… Defense have chosen not to monitor layer 7 – HTTPS attacks.. SSL re/negotiation Full blown HTTPS GET/POST/… no one can see you now 27
  • 28. 28
  • 29. “We need Big Data, collect all the logs” 29
  • 30. Logs need to be handled Storage Boom Result in a complete lock-down, including not be able to manage the overflowed device It was the IPS, so no traffic allowed to anything SILO NEEDED! 30
  • 31. 31
  • 32. “We are under attack – enforce the on-demand Scrubbing Service” 32
  • 33. Learning mode – did you do it? All is learned Attack considered legitimate traffic 33
  • 34. 34
  • 35. “So what CDN is not dynamic? Let’s enable it” 35
  • 36. NOT IN CACHE? ASK THE ORIGIN! 36
  • 37. 37
  • 38. 38
  • 39. 39
  • 40. How to find an ‘invisible’ origin? Find other known subdomain -> translate to IP -> scan the /24 or /16 -> good chance it’s there. AND….. WHOIS never forgets http://viewdns.info FTW! 40
  • 41. 41
  • 42. “Block ‘em!, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them. “ 42
  • 44. About 1,800 class B ranges 44
  • 45. We spoof IPs from those classes and deliver a very detectable TCP SYN flood attack from each source 45
  • 46. Now think of a monkey blocking every incoming alert. 15 MINUTES TO SELF INFLICTED DDOS 46
  • 47. Collected misconceptions  There is no magic pill or best cocktail mix of technologies/appliances/services, never was  DDoS is a subset of DoS, not the other way around  You can have all the toys and money in the world – best mitigation – don’t do drugs  DDoS is easy, try before you buy!  If you won’t do that – you can be evaluated for this presentation in the future 48
  • 49. Thank you! Moshe Zioni zimoshe@gmail.com, @dalmoz_ corp:moshez@comsecglobal.com 50