1. A Cyberwarfare Weapon: SlowReq
Maurizio Aiello
maurizio.aiello@ieiit.cnr.it
Consiglio Nazionale delle Ricerche
Istituto di Elettronica e di Ingegneria dell'Informazione e delle Telecomunicazioni
via De Marini, 6
16149 – Genova
Italy
Cpexpo meeting, Genoa, Italy, 30 October 2013
2. Cyberwarfare
"Politically motivated hacking to conduct military operations, such as sabotage or espionage, against an information system owned by the adversary"
Governments vs. Governments
¤ Titan Rain
¤ Moonlight Maze
Groups vs. Governments
¤ Hacktivist group operations
¤ Anonymous
¤ LulzSec
Maurizio Aiello
3. Attack Technologies
[Word cloud: intrusions & malware (buffer overflows, SQL injection, backdoors, Trojan horses)]
DENIAL OF SERVICE (DoS)
"An attempt to make a machine or network resource unavailable to its intended users"
DISTRIBUTED DENIAL OF SERVICE (DDoS)
Amplification of the attack resources through the enrolment of (willing or not) botnet agents
4. Denial of Service Attacks
¤ Attacks to the system
¤ ZIP Bomb
¤ Fork Bomb
¤ Attacks to the network
¤ Multipliers: DNS, Smurf attack, etc…
¤ Volumetric: flooding DoS attacks
¤ Application Layer: Slow DoS Attacks
5. "Old Style" Flooding DoS Attacks
¤ Large bandwidth usage
¤ SYN flood, UDP flood, ICMP flood, …
Flooding-based attacks: Level-4 Denial of Service
9. Slow DoS Attack (SDA)
"An attack which exhausts the resources of a victim using low bandwidth"
10. SDAs' Strategy
¤ They drive the victim into the saturation state
¤ Low bandwidth rate:
¤ Attack resources are minimized
¤ It is easier to bypass security systems
¤ ON-OFF nature
¤ Almost all the packets sent contribute to the success of the attack
11. Slow DoS Attacks
An Example: Slowloris
¤ A script written in the Perl programming language
¤ Used during the protests against the Iranian presidential elections in 2009
¤ It opens many connections and sends on each one an endless request with the pattern (\r\n is CRLF):
    GET / HTTP/1.1\r\n
    Host: www.example.com\r\n
    User-Agent: Mozilla/4.0 [...]\r\n
    Content-Length: 42\r\n
    X-a: b\r\n
    X-a: b\r\n
    X-a: b\r\n
    X-a: b\r\n
  A further "X-a: b\r\n" line is sent at each timeout; the empty line that would terminate the header block is never sent, so the server keeps waiting for the rest of the request.
Source: http://ha.ckers.org/slowloris/
12. Making Order Into the Slow DoS Field
[Figure: taxonomy of Slow DoS Attacks. Classification axes: resource exhausted (CPU/memory/disk, network, other resources, unknown), timeout exploited (client timeout, server timeout), and effect on the server (request/response behaviour alteration, pending requests, delayed responses, slow responses, resource occupation, planning attacks). Attacks placed in the taxonomy include Slowloris, the Quiet attack, Shrew, ReDoS, Apache Range Header, HashDoS, THC-SSL-DoS, Slow Read and LoRDAS.]
13. SlowReq Attack
¤ It opens a large number of endless connections with the victim
¤ It slowly sends data to the victim, one character at a time and paced by a specific timeout, preventing a server-side connection closure
SLOWLORIS payload:
    GET / HTTP/1.1\r\n
    Host: www.example.com\r\n
    User-Agent: Mozilla/4.0 [...]\r\n
    Content-Length: 42\r\n
    X-a: b\r\n
    X-a: b\r\n
    X-a: b\r\n
    X-a: b\r\n
SLOWREQ payload:
    [space]
    [space]
    [space]
    [space]
    [space]
14. SlowReq Attack
¤ No \r\n implies no parsing: no request line is ever completed, so nothing reaches the HTTP parser (stealthy and difficult to prevent)
¤ Very limited bandwidth
¤ Limited CPU and RAM required
¤ Tunable parameters (number of connections; wait timeout; time between characters, etc.)
15. Protocol Independence
¤ Attacks like Slowloris are bound to a specific protocol (HTTP in this case)
¤ SlowReq naturally affects multiple protocols
¤ The packet payload is a sequence of white spaces
¤ Tested against FTP, SMTP and SSH servers
¤ Limited to TCP-based protocols
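The pending-connection behaviour described on slides 13 to 15 can be made concrete with a small simulation. The following Python is an added example written for this page, not code from the talk or from the SlowReq tool: it models a server-side request-header reader driven by a virtual clock and feeds it constructed client streams (a SlowReq-style stream of single spaces, a Slowloris-style stream of bogus header lines, and a normal request). The two timeout policies compared, a 10 s idle timeout that restarts on every byte and the same timeout plus a 40 s bound on the whole header phase, are assumed values chosen for illustration; which policy a given server or module actually applies must be checked against its documentation and tested, as the deck does on the following slides.

```python
"""Model of why SlowReq's slow whitespace stream keeps a server connection open.
A simulated request-header reader (virtual clock, no sockets) is driven by
constructed client streams and two timeout policies are compared.
Added example; not code from the talk or from SlowReq."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Event = Tuple[float, bytes]  # (arrival time in seconds since accept, bytes delivered)


@dataclass
class Policy:
    idle_timeout: float                      # close if no data arrives for this long
    header_deadline: Optional[float] = None  # absolute bound on the whole header phase


def slowreq_stream(interval: float = 9.0, count: int = 20) -> List[Event]:
    """Constructed SlowReq-style client: one space per interval, never a CRLF."""
    return [(interval * (i + 1), b" ") for i in range(count)]


def slowloris_stream(interval: float = 9.0, count: int = 20) -> List[Event]:
    """Constructed Slowloris-style client: partial headers, then one bogus header line
    per interval; the terminating empty line is never sent."""
    head = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 42\r\n"
    return [(0.1, head)] + [(interval * (i + 1), b"X-a: b\r\n") for i in range(count)]


def normal_stream() -> List[Event]:
    """Constructed well-behaved client: a complete request in one segment."""
    return [(0.1, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")]


def serve(events: List[Event], policy: Policy) -> dict:
    """Read request headers under `policy`; the connection is accepted at t = 0.
    outcome: 'parsed' (CRLF CRLF seen), 'idle_timeout' or 'deadline' (server closed),
    'pending' (stream ended with the connection still open).
    lines_for_parser counts the complete CRLF-terminated lines the HTTP parser
    would ever get to look at: zero for a whitespace-only SlowReq stream."""
    buf = b""
    last = 0.0
    outcome, closed_at = "pending", None
    for t, data in events:
        if t - last > policy.idle_timeout:          # timer restarted on every byte
            outcome, closed_at = "idle_timeout", last + policy.idle_timeout
            break
        if policy.header_deadline is not None and t > policy.header_deadline:
            outcome, closed_at = "deadline", policy.header_deadline
            break
        buf += data
        last = t
        if b"\r\n\r\n" in buf:                      # header block complete
            outcome, closed_at = "parsed", t
            break
    held_open = closed_at if closed_at is not None else last
    return {"outcome": outcome, "held_open_s": held_open,
            "bytes_received": len(buf), "lines_for_parser": buf.count(b"\r\n")}


def demo() -> dict:
    """Run the three streams against both policies (assumed timeout values)."""
    reset_per_byte = Policy(idle_timeout=10.0)
    bounded = Policy(idle_timeout=10.0, header_deadline=40.0)
    return {
        "normal": serve(normal_stream(), reset_per_byte)["outcome"],
        "slowreq_reset": serve(slowreq_stream(), reset_per_byte),
        "slowreq_bounded": serve(slowreq_stream(), bounded),
        "slowloris_reset": serve(slowloris_stream(), reset_per_byte),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the per-byte idle timer, twenty spaces paced every 9 s hold the connection for 180 s while delivering 20 bytes and zero parseable lines; the same stream against a server that also bounds the header phase is cut off at 40 s. Slowloris holds the connection just as long, but its bytes are complete header lines that a parser-level check can see, which is the stealth difference slide 14 points at.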
17. Signature Based Countermeasures
Apache Web Server software modules
¤ mod_security (ModSecurity) limits the number of simultaneous connections established from the same IP address
¤ mod_reqtimeout applies time limits to the reception of requests, refusing requests that take too long to arrive
18. Performance Results – mod_security
A non-distributed attack is successfully mitigated
19. Performance Results – mod_reqtimeout
Unlike Slowloris, SlowReq is not mitigated
22. Statistical Signature Based SDAs Detection
Comparison with standard traffic conditions: given a representation $f(x)$ of standard traffic and a representation $g(x)$ of the traffic under analysis,
$$n(y) = \int_{-\infty}^{+\infty} \big(f(x) - g(x+y)\big)^2 \, dx$$
Minimum value (NCV):
$$NCV = \min_{y} n(y)$$
24. Statistical Signature Based SDAs Detection
Protocol:
¤ n representations of standard traffic
¤ m comparisons between them, extracting m different NCV values
¤ Retrieval of the μ and σ values of the NCV distribution
¤ Baseline: μ + 3σ
¤ Comparison of the traffic under analysis with f, the average standard distribution
¤ NCV value retrieval for the analyzed traffic, and result (anomalous if its NCV exceeds the baseline)
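The detection protocol above, carried through end to end in Python as an added example (not the authors' detection framework): traffic samples are represented as normalised histograms of packet inter-arrival times, n(y) is computed in its discrete form over the whole axis with both functions zero outside their support, NCV = min_y n(y), the baseline μ + 3σ is learned from pairwise comparisons of standard samples, and a new sample is flagged when its NCV against the average standard distribution f exceeds the baseline. The traffic is synthetic: the representation (inter-arrival histograms with 16 one-second bins), the two sample generators, the number of standard samples and the seed are all assumptions of this example, not values from the talk.

```python
"""Statistical-signature detection of Slow DoS Attacks, after the scheme on the slides:
n(y) = sum_x (f(x) - g(x+y))^2, NCV = min_y n(y), baseline mu + 3*sigma learned from
standard-vs-standard comparisons. Added example; all traffic here is constructed."""
import random
from itertools import combinations
from statistics import mean, pstdev

BINS = 16  # assumed representation: bin i covers inter-arrival times in [i, i+1) seconds


def histogram(inter_arrivals, bins=BINS):
    """Representation f(x) of one traffic sample: normalised histogram of the
    inter-arrival times between consecutive packets of a connection."""
    h = [0.0] * bins
    for t in inter_arrivals:
        h[min(int(t), bins - 1)] += 1.0
    total = sum(h) or 1.0
    return [v / total for v in h]


def n_shift(f, g, y):
    """Discrete form of n(y) = integral (f(x) - g(x+y))^2 dx over the whole axis;
    f and g have the same length and are zero outside their support, so mass of g
    shifted out of range is still counted."""
    L = len(f)
    lo, hi = min(0, -y), max(L, L - y)  # every x where f(x) or g(x+y) can be non-zero

    def at(h, i):
        return h[i] if 0 <= i < L else 0.0

    return sum((at(f, x) - at(g, x + y)) ** 2 for x in range(lo, hi))


def ncv(f, g):
    """NCV = min over the shift y of n(y): tolerant of an offset of g along x."""
    L = len(f)
    return min(n_shift(f, g, y) for y in range(-(L - 1), L))


def learn_baseline(standard):
    """From n standard representations: m = n(n-1)/2 pairwise NCV values, their
    mu and sigma, the threshold mu + 3*sigma, and the average distribution f."""
    values = [ncv(a, b) for a, b in combinations(standard, 2)]
    threshold = mean(values) + 3 * pstdev(values)
    length = len(standard[0])
    f_avg = [sum(h[x] for h in standard) / len(standard) for x in range(length)]
    return threshold, f_avg


def is_anomalous(inter_arrivals, f_avg, threshold):
    """Classification: NCV of the analysed traffic against f_avg, compared with the baseline."""
    return ncv(f_avg, histogram(inter_arrivals)) > threshold


# ---- constructed traffic (synthetic and seeded; for the demonstration only) ----
def standard_sample(rng, packets=400):
    # assumed browsing-like traffic: bursts of packets, inter-arrival mostly below 2 s
    return [rng.expovariate(1.5) for _ in range(packets)]


def slowreq_sample(rng, packets=400, interval=10.0):
    # assumed SlowReq pacing: one character per connection just before a ~10 s timeout
    return [rng.gauss(interval, 0.5) for _ in range(packets)]


def run_demo(seed=7, n_standard=8):
    """Learn the baseline from n_standard standard samples, then classify one fresh
    standard sample and one SlowReq sample."""
    rng = random.Random(seed)
    standard = [histogram(standard_sample(rng)) for _ in range(n_standard)]
    threshold, f_avg = learn_baseline(standard)
    return {
        "threshold": threshold,
        "standard_flagged": is_anomalous(standard_sample(rng), f_avg, threshold),
        "slowreq_flagged": is_anomalous(slowreq_sample(rng), f_avg, threshold),
    }


if __name__ == "__main__":
    print(run_demo())
```

The min over the shift y makes the comparison insensitive to where along the axis the mass of g sits, so a single spike is not penalised for its position; the slow sample is still caught because its shape (one narrow spike) cannot be shifted onto the standard profile. With real captures the representation, the window and the number of standard samples n are the parameters to tune, and μ + 3σ should be re-learned whenever the standard traffic profile changes.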
25. Conclusions and Future Work
¤ Extensions of the algorithm are possible: we are releasing a framework for SDA detection
¤ Due to its low resource requirements, we are working on a mobile deployment of SlowReq
¤ Deployment of a (mobile and) distributed attack