A Cyberwarfare Weapon: SlowReq
Maurizio Aiello

maurizio.aiello@ieiit.cnr.it

Consiglio Nazionale delle Ricerche
Instituto di Elettronica e di Ingegneria dell’Informazione e delle Telecomunicazioni

via De Marini, 6
16149 – Genova
Italy

Genoa, Cpexpo meeting, Italy
30 October 2013
Cyberwarfare
"Politically motivated hacking to conduct military operations, such as sabotage or espionage, against an information system owned by the adversary"

Governments vs. Governments
¤ Titan Rain
¤ Moonlight Maze

Groups vs. Governments
¤ Hacktivist group operations
  ¤ Anonymous
  ¤ LulzSec
Attack Technologies
INTRUSIONS & MALWARE
¤ SQL injection
¤ Buffer overflow
¤ Trojan horses
¤ Backdoors

DENIAL OF SERVICE (DoS)
"An attempt to make a machine or network resource unavailable to its intended users"

DISTRIBUTED DENIAL OF SERVICE (DDoS)
Amplification of the attack resources through the enrollment of (willing or not) botnet agents
Denial of Service Attacks
¤ Attacks on the system
  ¤ ZIP bomb
  ¤ Fork bomb
¤ Attacks on the network
  ¤ Multipliers: DNS (amplification), Smurf attack, etc.
  ¤ Volumetric: flooding DoS attacks
  ¤ Application layer: Slow DoS attacks
"Old Style" Flooding DoS Attacks
¤ Large bandwidth usage
¤ SYN flood, UDP flood, ICMP flood, ...
Flooding based attacks are a LEVEL-4 (transport layer) denial of service.
The ISO/OSI Model
[Figure: the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical). Slow DoS attacks are placed at the Application layer; flooding DoS attacks at the Transport layer.]
Hacktivist Groups: Anonymous and LulzSec
[Figure: timeline of hacktivist operations]
¤ 2008: Project Chanology
¤ 2009: Iranian election protests
¤ 2010-2011: Operation Payback (Visa, Mastercard, PayPal)
¤ 2011: Operation Sony
¤ 2012: Interpol; Vatican
Slow DoS Attack (SDA)
"An attack which exhausts the resources of a victim using low bandwidth"
SDAs' Strategy
¤ They drive the victim into a saturation state
¤ Low bandwidth rate:
  ¤ Attack resources are minimized
  ¤ It is easier to bypass security systems
¤ ON-OFF nature
¤ Almost all the packets sent contribute to the success of the attack
Slow DoS Attacks
An Example: Slowloris
¤ A script written in the Perl programming language
¤ Used during the protests against the Iranian presidential elections in 2009
¤ It sends a large number of never-completed requests with the pattern below (\r\n is CRLF; the empty line that would terminate the header block is never sent, so the server keeps waiting):

    GET / HTTP/1.1\r\n
    Host: www.example.com\r\n
    User-Agent: Mozilla/4.0 [...]\r\n
    Content-Length: 42\r\n
    X-a: b\r\n
    X-a: b\r\n
    X-a: b\r\n
    X-a: b\r\n
    ...

Source: http://ha.ckers.org/slowloris/
Making Order Into the Slow DoS Field
[Figure: taxonomy of Slow DoS Attacks. Attacks are classified by the resource they exhaust (CPU/Memory/Disk, Network, Other) and by their mechanism: timeout exploitation (client or server side), pending requests, delayed requests, delayed or slow responses, server behavior alteration, resource occupation, planning attacks, unknown. Attacks placed in the taxonomy include Slowloris, the Quiet attack, Shrew, ReDoS, R-U-Dead-Yet, the Apache Range Header attack, HashDoS and THC-SSL-DoS.]
SlowReq Attack
¤ It opens a large number of never-completed connections with the victim
¤ It slowly sends data to the victim, one small chunk per chosen timeout, preventing a server-side connection closure

SLOWLORIS (one complete header line per interval):

    GET / HTTP/1.1\r\n
    Host: www.example.com\r\n
    User-Agent: Mozilla/4.0 [...]\r\n
    Content-Length: 42\r\n
    X-a: b\r\n
    X-a: b\r\n
    X-a: b\r\n
    X-a: b\r\n
    ...

SLOWREQ (one space character per interval, never a CRLF):

    [space]
    [space]
    [space]
    [space]
    [space]
    ...
SlowReq Attack
¤ No \r\n is ever sent, so the server never has a complete line to parse (stealthy and difficult to prevent)
¤ Very limited bandwidth
¤ Limited CPU and RAM requirements
¤ Tunable parameters (number of connections; wait timeout; time between characters; etc.)
Protocol Independence
¤ Attacks like Slowloris are bound to a specific protocol (HTTP in this case)
¤ SlowReq naturally affects multiple protocols
  ¤ The packet payload is a sequence of white spaces
  ¤ Tested against FTP, SMTP and SSH servers
  ¤ Bound to TCP-based protocols
Performance Results
[Figure: performance results]
DoS state reached after a few seconds
Signature Based Countermeasures
Apache Web Server software modules
¤ mod_security (ModSecurity) limits the number of simultaneous connections established from the same IP address
¤ mod_reqtimeout applies time limits to the reception of a request, refusing requests that take too long to arrive
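How the two modules are typically configured on an Apache httpd 2.4 front end, as an added example (not configuration from the slides). RequestReadTimeout is mod_reqtimeout's directive and SecConnReadStateLimit is ModSecurity 2.x's per-IP limit on connections in the read state; the numeric values are assumptions. The slides' own results apply: the per-IP limit only helps against a non-distributed attacker, and in the authors' tests mod_reqtimeout stopped Slowloris but not SlowReq.

```apache
# Assumed hardening for an Apache httpd 2.4 front end (added example).
# mod_reqtimeout: the request header block must be complete within 20 s,
# extended by 1 s for every 500 bytes received, never beyond 40 s; the body
# gets 20 s with the same minimum rate.
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

# ModSecurity 2.x: cap the number of connections one client IP may hold in the
# "busy read" state, which is where a Slowloris or SlowReq connection sits.
<IfModule security2_module>
    SecConnEngine On
    SecConnReadStateLimit 20
</IfModule>
```

A distributed attacker that holds fewer than 20 connections per source address stays under the ModSecurity limit, which is why the next slide's mitigation result is stated for a non-distributed attack only.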
Performance Results: mod_security
[Figure: performance results with mod_security]
A non-distributed attack is successfully mitigated
Performance Results: mod_reqtimeout
[Figure: performance results with mod_reqtimeout]
Unlike Slowloris, SlowReq is not mitigated
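A server-side model of the difference the SlowReq and mod_reqtimeout slides describe, written for this page as an added example (not the authors' code, and not a description of any specific mod_reqtimeout release). A CRLF line reader, the unit an HTTP header parser works on, is fed a constructed Slowloris stream, a constructed SlowReq stream and a normal request, and two header read-timeout policies are compared: one that re-evaluates its deadline only when a complete line is handed to the parser, and one that re-evaluates on every byte. The 20 s header budget, the 10 s send interval and the stream contents are assumptions.

```python
"""Why "no CRLF implies no parsing": a server-side model of the two streams.

Added example. A line-oriented header reader is fed a constructed Slowloris
stream (valid header lines forever, never the empty line that ends the header
block) and a constructed SlowReq stream (one space per interval, never a CRLF).
Two header read-timeout policies are compared. The 20 s budget and the 10 s
send interval are assumptions, not measurements from the slides.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

Stream = Sequence[Tuple[float, bytes]]   # (seconds since connect, bytes received)

HEADER_BUDGET_S = 20.0   # seconds allowed to finish the request header block (assumed)

# Constructed streams (not captures).
SLOWLORIS_STREAM: Stream = [
    (0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: Mozilla/4.0 [...]\r\nContent-Length: 42\r\n"),
] + [(10.0 * i, b"X-a: b\r\n") for i in range(1, 61)]       # one header line every 10 s
SLOWREQ_STREAM: Stream = [(10.0 * i, b" ") for i in range(1, 61)]  # one space every 10 s
NORMAL_STREAM: Stream = [(0.05, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")]


@dataclass
class LineReader:
    """Buffers bytes and yields complete CRLF-terminated lines; an empty line
    means the header block is finished."""
    buf: bytes = b""
    lines: List[bytes] = field(default_factory=list)

    def feed(self, data: bytes) -> List[bytes]:
        self.buf += data
        new: List[bytes] = []
        while b"\r\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\r\n")
            new.append(line)
        self.lines.extend(new)
        return new

    @property
    def header_complete(self) -> bool:
        return b"" in self.lines


def parsed_header_lines(stream: Stream) -> Tuple[int, int]:
    """(complete header lines the parser saw, bytes still sitting unparsed in the buffer)."""
    r = LineReader()
    for _, chunk in stream:
        r.feed(chunk)
    return len(r.lines), len(r.buf)


def line_boundary_policy(stream: Stream, budget: float = HEADER_BUDGET_S) -> Optional[float]:
    """Deadline checked only when a full line reaches the parser. Between lines the
    blocking read keeps the idle timeout fixed at the budget that remained when the
    line read began. Returns the close time in seconds, or None if the connection lives on."""
    r = LineReader()
    read_began, last_rx = 0.0, 0.0
    for t, chunk in stream:
        idle_allowed = budget - read_began
        if t - last_rx > idle_allowed:      # nothing arrived in time: the socket read times out
            return last_rx + idle_allowed
        last_rx = t
        if r.feed(chunk):                   # a full line came back: only now is the deadline checked
            if r.header_complete:
                return None                 # header finished, request handed to the handler
            if t >= budget:
                return t
            read_began = t
    return None


def byte_level_policy(stream: Stream, budget: float = HEADER_BUDGET_S) -> Optional[float]:
    """Deadline checked on every received byte: the header block must be complete
    by `budget` seconds whatever the client sends. Returns the close time, or None."""
    r = LineReader()
    for t, chunk in stream:
        if t >= budget:
            return budget
        r.feed(chunk)
        if r.header_complete:
            return None
    return budget                           # stream ended without a complete header block


if __name__ == "__main__":
    for name, s in (("normal", NORMAL_STREAM), ("slowloris", SLOWLORIS_STREAM), ("slowreq", SLOWREQ_STREAM)):
        seen, pending = parsed_header_lines(s)
        print(f"{name:9s} lines={seen:3d} unparsed_bytes={pending:3d} "
              f"line-boundary close={line_boundary_policy(s)} byte-level close={byte_level_policy(s)}")
```

Under the line-boundary policy Slowloris is closed at the deadline, because every `X-a: b\r\n` returns control to the timeout check, while the SlowReq connection never completes a line and outlives the budget for as long as the attacker keeps sending a byte inside the idle window. A policy that re-evaluates on every byte closes both at 20 s and leaves the normal request untouched. The same distinction explains why a per-request signature (header count, logged request line) has nothing to match on for SlowReq: the parser never receives a request at all.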
Statistical Based Countermeasures
Timing features of a connection (each Δ is the difference between consecutive timestamps):

    t_start_request
      Δrequest  = t_end_request - t_start_request
    t_end_request
      Δdelay    = t_start_response - t_end_request
    t_start_response
      Δresponse = t_end_response - t_start_response
    t_end_response
      Δnext     = time from t_end_response to the next request's t_start_request
Statistical Signature Based SDAs Detection
Comparison with standard traffic conditions: the standard-traffic distribution f of a timing feature is compared with the distribution g of the traffic under analysis through

    n(y) = \int_{-\infty}^{+\infty} \left( f(x) - g(x+y) \right)^2 \, dx

and the minimum over the shift y is taken as the comparison score:

    NCV = \min_{y} n(y)    (minimum value, NCV)
Statistical Signature Based SDAs Detection
[Figure: real traffic distribution (Δdelay example)]
Statistical Signature Based SDAs Detection
Protocol:
¤ Collect n representations (distributions) of standard traffic
¤ Compare them pairwise: m comparisons yielding m different NCV values
¤ Compute the mean μ and standard deviation σ of those NCV values
¤ Baseline (detection threshold): μ + 3σ
¤ Compare the traffic under analysis with f, the average of the standard distributions
¤ Compute the NCV of the analyzed traffic; it is flagged as anomalous when its NCV exceeds the baseline
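The detection protocol above, carried through in code as an added example (not the authors' framework). It discretizes n(y) over histogram bins of one timing feature, fits the μ + 3σ baseline from pairwise NCVs of reference windows, and scores a new window against the average reference distribution f. The feature used (per-connection request duration, the deck's Δrequest), the bin layout, the 3 s shift range and all traffic samples are constructed for the example; a SlowReq connection never finishes its request, so it lands in the overflow bin.

```python
"""Statistical Slow DoS detection along the lines of the deck's NCV method.

Added example, not the authors' code. Discretises
    n(y) = integral (f(x) - g(x+y))^2 dx,   NCV = min_y n(y)
over histogram bins of a constructed per-connection request duration
("Delta request"), fits the mu + 3*sigma baseline from pairwise comparisons of
reference windows, and flags a window whose NCV against the average reference
distribution f exceeds that baseline. All traffic below is synthetic.
"""
import itertools
import random
import statistics
from dataclasses import dataclass
from typing import List, Sequence

BIN_WIDTH_MS = 50.0
N_BINS = 40            # 0..2000 ms; anything longer lands in the last (overflow) bin


def histogram(samples_ms: Sequence[float]) -> List[float]:
    """Proportion of samples per bin; the last bin also collects values >= 2000 ms."""
    counts = [0] * N_BINS
    for v in samples_ms:
        counts[min(int(v // BIN_WIDTH_MS), N_BINS - 1)] += 1
    return [c / len(samples_ms) for c in counts]


def n_of_y(f: Sequence[float], g: Sequence[float], y: int) -> float:
    """Discrete n(y): sum over bins of (f(x) - g(x+y))^2 * dx, g taken as 0 outside its range."""
    total = 0.0
    for i, fi in enumerate(f):
        j = i + y
        gj = g[j] if 0 <= j < len(g) else 0.0
        total += (fi - gj) ** 2
    return total * BIN_WIDTH_MS


def ncv(f: Sequence[float], g: Sequence[float], max_shift: int = 5) -> float:
    """NCV = min over shifts y in [-max_shift, max_shift] of n(y)."""
    return min(n_of_y(f, g, y) for y in range(-max_shift, max_shift + 1))


@dataclass
class Baseline:
    f_avg: List[float]   # average reference distribution, the deck's "f"
    mu: float
    sigma: float

    @property
    def threshold(self) -> float:
        return self.mu + 3 * self.sigma


def fit_baseline(reference_hists: Sequence[Sequence[float]]) -> Baseline:
    """n reference windows -> m = n(n-1)/2 pairwise NCV values -> mu, sigma, f_avg."""
    values = [ncv(a, b) for a, b in itertools.combinations(reference_hists, 2)]
    n = len(reference_hists)
    f_avg = [sum(h[i] for h in reference_hists) / n for i in range(N_BINS)]
    return Baseline(f_avg, statistics.mean(values), statistics.stdev(values))


def is_anomalous(window_hist: Sequence[float], baseline: Baseline) -> bool:
    """Flag the window if its NCV against f_avg exceeds mu + 3*sigma."""
    return ncv(baseline.f_avg, window_hist) > baseline.threshold


# ---- constructed traffic (not measurements from the slides) ------------------
def normal_window(rng: random.Random, n: int = 2000) -> List[float]:
    """Ordinary clients: request durations exponentially distributed, mean 60 ms."""
    return [rng.expovariate(1 / 60.0) for _ in range(n)]


def slowreq_window(rng: random.Random, n: int = 2000, attack_share: float = 0.3) -> List[float]:
    """Same clients plus SlowReq connections trickling one space every few seconds:
    their request never finishes inside the observation window (tens of seconds
    to minutes), so they fall into the overflow bin."""
    n_attack = int(n * attack_share)
    return normal_window(rng, n - n_attack) + [rng.uniform(30_000, 300_000) for _ in range(n_attack)]


def demo():
    """Fit the baseline on six quiet windows, then score one quiet and one attacked window."""
    rng = random.Random(2013)
    baseline = fit_baseline([histogram(normal_window(rng)) for _ in range(6)])
    quiet_flagged = is_anomalous(histogram(normal_window(rng)), baseline)
    attack_flagged = is_anomalous(histogram(slowreq_window(rng)), baseline)
    return baseline, quiet_flagged, attack_flagged


if __name__ == "__main__":
    b, quiet, attacked = demo()
    print(f"baseline mu={b.mu:.4f} sigma={b.sigma:.4f} threshold={b.threshold:.4f}")
    print("quiet window flagged:", quiet, "| SlowReq window flagged:", attacked)
```

The shift y lets the method tolerate a uniform change in latency (a busier but healthy server moves the whole Δ distribution right) while still reacting to a change of shape, which is what a slow attack produces: a second mode of connections that never complete. Windows should be long enough that the attack connections actually fall into the overflow region; the same code works unchanged on Δdelay or Δnext histograms.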
Conclusions and Future Work
¤ Extensions of the algorithm are possible: we are releasing a framework for SDA detection
¤ Due to its low resource requirements, we are working on a mobile deployment of SlowReq
¤ Deployment of a (mobile and) distributed attack
Acknowledgements
Enrico Cambiaso
Gianluca Papaleo
Silvia Scaglione

The End
Thanks!!