SlideShare ist ein Scribd-Unternehmen logo

Layer one 2011-gh0stwood-d-dos-attacks

F
fangjiafu
TechnologieNews & Politik
1 von 49
So what?
The usual disclaimer Opinions expressed in the presentation do not necessary represent the stance of my employer. Let me know if I speak too fast and if it’s difficult to understand me
Agenda 1. Business Side 1. Motivation 2. Considerations 3. Insurance 4. Preparedness 5. Monitoring 2. Attack types 1. Classification type 2. Attack surface from OSI perspective 3. Intro to TCP 4. Life of a socket 5. Tools 3. Recognition and mitigation
Audience poll Tell me who you are
What DDoS is not it is not an act of G-- you can be prepared you can have insurance …so don’t panic ;) …and no you don’t need magical powers to deal it …you justneed to proper training
Motivation Financial Gain Competitions Extortion Divert attention Proof of power Political statement Hacktivism “I’m a cooler kid than you” Attack types TCP data to a listening port Slowris Add your own to the list…
Consider this How is a DDoS different from CNN pointing to your home page? How is that different from your primary Internet connection goes down or servers crash? Reactive vs. nonreactive handling? DDoS absorption == being able to serve more users faster Change your attitude!
Few words about insurance Insurance is money you pay to be protected from something bad if it is ever to happen You can be prepared: Incident response plan Tools Gear Partnerships …it may not be sufficient – you should have picked the higher premium policy…
In peace time Have a Incident response plan You should have your monitoring ahead of time When do you need to escalate? Why?!?
Monitoring Impact The most neglected resource No matter how much traffic they throw at you there is no problem until your users start seeing it Use internal monitoring Use external monitoring services
In the heat of the moment What is actually happening? Focus on the facts Collect data (from LBs, systems, network graphs, capture traffic) Create a response plan! EXECUTE IT! Observe! (have the metrics improved?)
Enough business let’s get down to business
Attack Types Asymmetric DNS queries SYN flood Symetric GET flood Reflected Smurf/DNS (spoofed source) Brute force or logicstate attacks Distributed Any of the above (and many more) ;) Based on the network layer Stateful/permanent Backscatter
Game of Resource Exhaustion Pick one: Bandwidth PPS QPS Storage CPU Application specific (hardest) – could be any …and only one is needed Another way to look is: Last but not least – patience – Who gets tired first?
Attack surface (classification by layer)
Layer 1/2 attacks Think?
Layer 1/2 attacks Cut cables Jamming Power surge EMP MAC Spoofing MAC flood
Layer 3 attacks • Think?
Layer 3 attacks • Floods (ICMP) • Teardrop (overlapping IP segments)
Layer 4 attacks Think?
Layer 4 attacks SYN Flood RST Flood FIN Flood You name it… Window size 0 (looks like Sloworis) Connect attack LAND (same IP as src/dst)
Layer 5 attacks Think?
Layer 5 attacks Sloworis Just send data to a port with no NL in it Send data to the server with no CR
Layer 6 attacks Think?
Layer 6 attacks Expensive queries (repeated many times) XML Attacks <!DOCTYPE lolz [ <!ENTITY lol1 "&lol2;"> <!ENTITY lol2 "&lol1;"> ]> <lolz>&lol1;</lolz>
Layer 7 attacks Think?
Layer 7 attacks SPAM? DNS queries Black fax
Intro to TCP RFC: 793 / September 1981 TRANSMISSION CONTROL PROTOCOL
Simplified TCP state machine LISTEN – waiting for a connection request SYN_RECV – received request still negotiating ESTABLISHED – connection working OK FIN-WAIT1/2 – one side closed the connection TIME-WAIT – waiting for a while… - What is MSL?
Life of a socket Socket = TCP/UDP port + IP address Normal connection [root@knight ghost]# netstat -nap | grep 12345 tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 2903/nc [root@knight ghost]# netstat -nap | grep 12345 tcp 0 0 127.0.0.1:12345 127.0.0.1:49188 ESTABLISHED 2903/nc [root@knight ghost]# netstat -nap | grep 12345 tcp 0 0 127.0.0.1:49188 127.0.0.1:12345 TIME_WAIT - [root@knight ghost]# netstat -nap | grep 12345 [root@knight ghost]#
Detection on the host Your best friend: netstat netstat -nap Your next best friend: tcpdump tcpdump –n –i <interface> –s 0 –w <target_file.pcap> –c <packet_count> Dedicated IDS (snort/suricata)
Mitigation Depends on the layer of attack Depends on the resource affected Do it yourself dedicated hardware Tune (change) your software Scrubbing providers Firewalls and challenges Horizontally scaled server frontends “To the cloud!” ;)
SYN Flood What does it take: Think 3-way handshake Server has a number of slots for incoming connections When slots are full no more connections are accepted
How to recognize SYN flood? Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1339/rpcbind tcp 0 0 0.0.0.0:33586 0.0.0.0:* LISTEN 1395/rpc.statd tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1962/dnsmasq tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1586/cupsd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2703/sendmail: acce tcp 0 0 127.0.0.1:25 127.0.0.1:49718 SYN_RECV - tcp 0 0 127.0.0.1:25 127.0.0.1:49717 SYN_RECV - tcp 0 0 127.0.0.1:25 127.0.0.1:49722 SYN_RECV - tcp 0 0 127.0.0.1:25 127.0.0.1:49720 SYN_RECV - tcp 0 0 127.0.0.1:25 127.0.0.1:49719 SYN_RECV - tcp 0 0 127.0.0.1:25 127.0.0.1:49721 SYN_RECV - tcp 0 0 127.0.0.1:25 127.0.0.1:49716 SYN_RECV - …
SYN Mitigation SYN Cookies Special hash Enable by: echo 1 > /proc/sys/net/ipv4/tcp_syncookies Other timeouts to tweak (in /proc/sys/net/ipv4/): tcp_max_syn_backlog tcp_synack_retries tcp_syn_retries
SYN mitigation (cont’d) SYN Proxy (TCP Intercept active) Terminates at device/opens a second connection TCP Intercept passive/watch – sends reset Resets the connection after a timeout Hybrid Dynamic white lists
What is a SYN Cookie Hiding information in ISN (initial seq no) SYN Cookie: Timestamp % 32 + MSS + 24-bit hash Components of 24-bit hash: server IP address server port number client IP address client port timestamp >> 6 (64 sec resolution) What’s bad about them?
How to recognize socket exhaustion? Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1339/rpcbind tcp 0 0 0.0.0.0:33586 0.0.0.0:* LISTEN 1395/rpc.statd tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1962/dnsmasq tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1586/cupsd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2703/sendmail: acce tcp 0 0 0.0.0.0:1241 0.0.0.0:* LISTEN 1851/nessusd: waiti tcp 0 0 127.0.0.1:25 127.0.0.1:60365 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60240 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60861 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60483 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60265 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60618 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60407 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60423 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60211 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60467 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60213 TIME_WAIT -
Mitigation socket exhaustion/connect Enable socket reuse echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse Check learn about the value in /proc/sys/net/ipv4/tcp_* MSL decrease (on LBs) to a few seconds
Mitigation upper layers Architecture of applications Apache – process based – In Linux kernel level threads Nginx – event based Nginx (pronounced “engine x”) http://www.nginx.net/ Mitigation through challenges Nginx plugin – Roboo (ECL-LABS.ORG)
How to DoS Click really, really fast the “retry” button Scale hierarchically => recruit your friends/kids to do so Scale horizontally => get a botnet
Botnet components C&C (Command and Control) Proxy layer (optional) – think NginX ☺ Bots/drones (any machine could be a drone)
Drones Usually malware Multiple ways of infection Rarely Opt-In (Anonymous) User needs to download software User needs to point it to target Sometimes targeting can be automated
Commandthe drones Attack is issued and Control (C&C) read it and execute Scalability issues Inertia
You always have friends (find them!) Look around, who else might be suffering this? Build partnerships Build social contacts Prepare before it hits Be prepared so your ISP suffers before you
Tools to remember netstat tcpdump / wireshark
What can I do about it? RFC 2827/BCP 38 – Paul Ferguson If possible filter all outgoing traffic and use proxy Patch your systems Learn how to use tcpdump/wireshark netstat Check out the Arbor Networks Report http://www.arbornetworks.com/report
Q&A
December 9-11 Mountain View, CA http://www.baythreat.org/

Empfohlen

Cyber-security
Cyber-securityCyber-security
Cyber-securityQasim Zaidi
 
From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)btpsec
 
Tomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNSTomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNSDefconRussia
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNChao Chen
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days
 
Stealth servers need Stealth Packets - Derbycon 3.0
Stealth servers need Stealth Packets - Derbycon 3.0Stealth servers need Stealth Packets - Derbycon 3.0
Stealth servers need Stealth Packets - Derbycon 3.0Jaime Sánchez
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 

Empfohlen

Cyber-security
Cyber-securityCyber-security
Cyber-securityQasim Zaidi
 
From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)btpsec
 
Tomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNSTomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNSDefconRussia
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNChao Chen
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days
 
Stealth servers need Stealth Packets - Derbycon 3.0
Stealth servers need Stealth Packets - Derbycon 3.0Stealth servers need Stealth Packets - Derbycon 3.0
Stealth servers need Stealth Packets - Derbycon 3.0Jaime Sánchez
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
Entropy based DDos Detection in SDN
Entropy based DDos Detection in SDNEntropy based DDos Detection in SDN
Entropy based DDos Detection in SDNVishal Vasudev
 
Отчет Csa report RAPID7
Отчет Csa report RAPID7Отчет Csa report RAPID7
Отчет Csa report RAPID7Sergey Yrievich
 
Cracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless NetworksCracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless Networksguestf2e41
 
Days of the Honeynet: Attacks, Tools, Incidents
Days of the Honeynet: Attacks, Tools, IncidentsDays of the Honeynet: Attacks, Tools, Incidents
Days of the Honeynet: Attacks, Tools, IncidentsAnton Chuvakin
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsNapier University
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationJerod Brennen
 
Report PAPID 7
Report PAPID 7Report PAPID 7
Report PAPID 7Sergey Yrievich
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modemCyber Security Alliance
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationPavel Odintsov
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Pavel Odintsov
 
How deep is your buffer – Demystifying buffers and application performance
How deep is your buffer – Demystifying buffers and application performanceHow deep is your buffer – Demystifying buffers and application performance
How deep is your buffer – Demystifying buffers and application performanceCumulus Networks
 
Отчет Executive penetration RAPID 7
Отчет Executive penetration RAPID 7Отчет Executive penetration RAPID 7
Отчет Executive penetration RAPID 7Sergey Yrievich
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
DDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT DevicesDDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT DevicesSeungjoo Kim
 
Linux System Troubleshooting
Linux System TroubleshootingLinux System Troubleshooting
Linux System TroubleshootingThomas Howard Uphill
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sightRob Gillen
 
Backtrack Manual Part10
Backtrack Manual Part10Backtrack Manual Part10
Backtrack Manual Part10Nutan Kumar Panda
 
9534715
95347159534715
9534715Pavel Odintsov
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksMartin Holovský
 
Stu t17 a
Stu t17 aStu t17 a
Stu t17 aSelectedPresentations
 
Net mcr 2021 05 handout
Net mcr 2021 05 handoutNet mcr 2021 05 handout
Net mcr 2021 05 handoutFaelix Ltd
 

Weitere ähnliche Inhalte

Was ist angesagt?

Entropy based DDos Detection in SDN
Entropy based DDos Detection in SDNEntropy based DDos Detection in SDN
Entropy based DDos Detection in SDNVishal Vasudev
 
Отчет Csa report RAPID7
Отчет Csa report RAPID7Отчет Csa report RAPID7
Отчет Csa report RAPID7Sergey Yrievich
 
Cracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless NetworksCracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless Networksguestf2e41
 
Days of the Honeynet: Attacks, Tools, Incidents
Days of the Honeynet: Attacks, Tools, IncidentsDays of the Honeynet: Attacks, Tools, Incidents
Days of the Honeynet: Attacks, Tools, IncidentsAnton Chuvakin
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsNapier University
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationJerod Brennen
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationPavel Odintsov
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Pavel Odintsov
 
How deep is your buffer – Demystifying buffers and application performance
How deep is your buffer – Demystifying buffers and application performanceHow deep is your buffer – Demystifying buffers and application performance
How deep is your buffer – Demystifying buffers and application performanceCumulus Networks
 
Отчет Executive penetration RAPID 7
Отчет Executive penetration RAPID 7Отчет Executive penetration RAPID 7
Отчет Executive penetration RAPID 7Sergey Yrievich
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
DDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT DevicesDDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT DevicesSeungjoo Kim
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sightRob Gillen
 

Was ist angesagt? (19)

Entropy based DDos Detection in SDN
Entropy based DDos Detection in SDNEntropy based DDos Detection in SDN
Entropy based DDos Detection in SDN
 
Отчет Csa report RAPID7
Отчет Csa report RAPID7Отчет Csa report RAPID7
Отчет Csa report RAPID7
 
Cracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless NetworksCracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless Networks
 
Days of the Honeynet: Attacks, Tools, Incidents
Days of the Honeynet: Attacks, Tools, IncidentsDays of the Honeynet: Attacks, Tools, Incidents
Days of the Honeynet: Attacks, Tools, Incidents
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network Forensics
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and Mitigation
 
Report PAPID 7
Report PAPID 7Report PAPID 7
Report PAPID 7
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigation
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
 
How deep is your buffer – Demystifying buffers and application performance
How deep is your buffer – Demystifying buffers and application performanceHow deep is your buffer – Demystifying buffers and application performance
How deep is your buffer – Demystifying buffers and application performance
 
Отчет Executive penetration RAPID 7
Отчет Executive penetration RAPID 7Отчет Executive penetration RAPID 7
Отчет Executive penetration RAPID 7
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
 
DDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT DevicesDDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT Devices
 
Linux System Troubleshooting
Linux System TroubleshootingLinux System Troubleshooting
Linux System Troubleshooting
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sight
 
Backtrack Manual Part10
Backtrack Manual Part10Backtrack Manual Part10
Backtrack Manual Part10
 
9534715
95347159534715
9534715
 

Ähnlich wie Layer one 2011-gh0stwood-d-dos-attacks

Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksMartin Holovský
 
Net mcr 2021 05 handout
Net mcr 2021 05 handoutNet mcr 2021 05 handout
Net mcr 2021 05 handoutFaelix Ltd
 
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)Igalia
 
Cisco Router Security
Cisco Router SecurityCisco Router Security
Cisco Router Securitykktamang
 
Отчет Audit report RAPID7
Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7Sergey Yrievich
 
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PROIDEA
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Finalmasoodnt10
 
Denial of services : limiting the threat
Denial of services : limiting the threatDenial of services : limiting the threat
Denial of services : limiting the threatSensePost
 
Honeypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat CommunityHoneypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat Communityamiable_indian
 
cloud computing final year project
cloud computing final year projectcloud computing final year project
cloud computing final year projectAmeya Vashishth
 
DDoS Threat Landscape - Ron Winward CHINOG16
DDoS Threat Landscape - Ron Winward CHINOG16DDoS Threat Landscape - Ron Winward CHINOG16
DDoS Threat Landscape - Ron Winward CHINOG16Radware
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptcemporku
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdftehkotak4
 
Stupid iptables tricks
Stupid iptables tricksStupid iptables tricks
Stupid iptables tricksJim MacLeod
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleHimani Singh
 
8 steps to protect your cisco router
8 steps to protect your cisco router8 steps to protect your cisco router
8 steps to protect your cisco routerIT Tech
 

Ähnlich wie Layer one 2011-gh0stwood-d-dos-attacks (20)

Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
Stu t17 a
Stu t17 aStu t17 a
Stu t17 a
 
Net mcr 2021 05 handout
Net mcr 2021 05 handoutNet mcr 2021 05 handout
Net mcr 2021 05 handout
 
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
Cisco Router Security
Cisco Router SecurityCisco Router Security
Cisco Router Security
 
Отчет Audit report RAPID7
Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7
 
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
 
Denial of services : limiting the threat
Denial of services : limiting the threatDenial of services : limiting the threat
Denial of services : limiting the threat
 
Honeypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat CommunityHoneypots - Tracking the Blackhat Community
Honeypots - Tracking the Blackhat Community
 
R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1
 
cloud computing final year project
cloud computing final year projectcloud computing final year project
cloud computing final year project
 
DDoS Threat Landscape - Ron Winward CHINOG16
DDoS Threat Landscape - Ron Winward CHINOG16DDoS Threat Landscape - Ron Winward CHINOG16
DDoS Threat Landscape - Ron Winward CHINOG16
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdf
 
Stupid iptables tricks
Stupid iptables tricksStupid iptables tricks
Stupid iptables tricks
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
 
8 steps to protect your cisco router
8 steps to protect your cisco router8 steps to protect your cisco router
8 steps to protect your cisco router
 

Mehr von fangjiafu

Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityfangjiafu
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101fangjiafu
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_finalfangjiafu
 
Wce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engWce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engfangjiafu
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizifangjiafu
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assertfangjiafu
 
Cursor injection
Cursor injectionCursor injection
Cursor injectionfangjiafu
 
Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdbafangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddosfangjiafu
 
Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02fangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashingfangjiafu
 
Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰fangjiafu
 
2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronizationfangjiafu
 

Mehr von fangjiafu (20)

Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurity
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_final
 
Wce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engWce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_eng
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizi
 
Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assert
 
Cursor injection
Cursor injectionCursor injection
Cursor injection
 
Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdba
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddos
 
Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02
 
Crypto hlug
Crypto hlugCrypto hlug
Crypto hlug
 
Fp
FpFp
Fp
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Rr 7944
Rr 7944Rr 7944
Rr 7944
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashing
 
Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰
 
Oech03
Oech03Oech03
Oech03
 
2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization
 
Unit07
Unit07Unit07
Unit07
 

Kürzlich hochgeladen

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 

Kürzlich hochgeladen (20)

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 

Layer one 2011-gh0stwood-d-dos-attacks

  • 2. The usual disclaimer Opinions expressed in the presentation do not necessary represent the stance of my employer. Let me know if I speak too fast and if it’s difficult to understand me
  • 3. Agenda 1. Business Side 1. Motivation 2. Considerations 3. Insurance 4. Preparedness 5. Monitoring 2. Attack types 1. Classification type 2. Attack surface from OSI perspective 3. Intro to TCP 4. Life of a socket 5. Tools 3. Recognition and mitigation
  • 4. Audience poll Tell me who you are
  • 5. What DDoS is not it is not an act of G-- you can be prepared you can have insurance …so don’t panic ;) …and no you don’t need magical powers to deal it …you justneed to proper training
  • 6. Motivation Financial Gain Competitions Extortion Divert attention Proof of power Political statement Hacktivism “I’m a cooler kid than you” Attack types TCP data to a listening port Slowris Add your own to the list…
  • 7. Consider this How is a DDoS different from CNN pointing to your home page? How is that different from your primary Internet connection goes down or servers crash? Reactive vs. nonreactive handling? DDoS absorption == being able to serve more users faster Change your attitude!
  • 8. Few words about insurance Insurance is money you pay to be protected from something bad if it is ever to happen You can be prepared: Incident response plan Tools Gear Partnerships …it may not be sufficient – you should have picked the higher premium policy…
  • 9. In peace time Have a Incident response plan You should have your monitoring ahead of time When do you need to escalate? Why?!?
  • 10. Monitoring Impact The most neglected resource No matter how much traffic they throw at you there is no problem until your users start seeing it Use internal monitoring Use external monitoring services
  • 11. In the heat of the moment What is actually happening? Focus on the facts Collect data (from LBs, systems, network graphs, capture traffic) Create a response plan! EXECUTE IT! Observe! (have the metrics improved?)
  • 12. Enough business let’s get down to business
  • 13. Attack Types Asymmetric DNS queries SYN flood Symetric GET flood Reflected Smurf/DNS (spoofed source) Brute force or logicstate attacks Distributed Any of the above (and many more) ;) Based on the network layer Stateful/permanent Backscatter
  • 14. Game of Resource Exhaustion Pick one: Bandwidth PPS QPS Storage CPU Application specific (hardest) – could be any …and only one is needed Another way to look is: Last but not least – patience – Who gets tired first?
  • 17. Layer 1/2 attacks Cut cables Jamming Power surge EMP MAC Spoofing MAC flood
  • 18. Layer 3 attacks • Think?
  • 19. Layer 3 attacks • Floods (ICMP) • Teardrop (overlapping IP segments)
  • 20. Layer 4 attacks Think?
  • 21. Layer 4 attacks SYN Flood RST Flood FIN Flood You name it… Window size 0 (looks like Sloworis) Connect attack LAND (same IP as src/dst)
  • 22. Layer 5 attacks Think?
  • 23. Layer 5 attacks Sloworis Just send data to a port with no NL in it Send data to the server with no CR
  • 24. Layer 6 attacks Think?
  • 25. Layer 6 attacks Expensive queries (repeated many times) XML Attacks <!DOCTYPE lolz [ <!ENTITY lol1 "&lol2;"> <!ENTITY lol2 "&lol1;"> ]> <lolz>&lol1;</lolz>
  • 26. Layer 7 attacks Think?
  • 27. Layer 7 attacks SPAM? DNS queries Black fax
  • 28. Intro to TCP RFC: 793 / September 1981 TRANSMISSION CONTROL PROTOCOL
  • 29. Simplified TCP state machine LISTEN – waiting for a connection request SYN_RECV – received request still negotiating ESTABLISHED – connection working OK FIN-WAIT1/2 – one side closed the connection TIME-WAIT – waiting for a while… - What is MSL?
  • 30. Life of a socket Socket = TCP/UDP port + IP address Normal connection [root@knight ghost]# netstat -nap | grep 12345 tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 2903/nc [root@knight ghost]# netstat -nap | grep 12345 tcp 0 0 127.0.0.1:12345 127.0.0.1:49188 ESTABLISHED 2903/nc [root@knight ghost]# netstat -nap | grep 12345 tcp 0 0 127.0.0.1:49188 127.0.0.1:12345 TIME_WAIT - [root@knight ghost]# netstat -nap | grep 12345 [root@knight ghost]#
  • 31. Detection on the host Your best friend: netstat netstat -nap Your next best friend: tcpdump tcpdump –n –i <interface> –s 0 –w <target_file.pcap> –c <packet_count> Dedicated IDS (snort/suricata)
  • 32. Mitigation Depends on the layer of attack Depends on the resource affected Do it yourself dedicated hardware Tune (change) your software Scrubbing providers Firewalls and challenges Horizontally scaled server frontends “To the cloud!” ;)
  • 33. SYN Flood What does it take: Think 3-way handshake Server has a number of slots for incoming connections When slots are full no more connections are accepted
  • 34. How to recognize SYN flood? Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1339/rpcbind tcp 0 0 0.0.0.0:33586 0.0.0.0:* LISTEN 1395/rpc.statd tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1962/dnsmasq tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1586/cupsd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2703/sendmail: acce tcp 0 0 127.0.0.1:25 127.0.0.1:49718 SYN_RECV - tcp 0 0 127.0.0.1:25 127.0.0.1:49717 SYN_RECV - tcp 0 0 127.0.0.1:25 127.0.0.1:49722 SYN_RECV - tcp 0 0 127.0.0.1:25 127.0.0.1:49720 SYN_RECV - tcp 0 0 127.0.0.1:25 127.0.0.1:49719 SYN_RECV - tcp 0 0 127.0.0.1:25 127.0.0.1:49721 SYN_RECV - tcp 0 0 127.0.0.1:25 127.0.0.1:49716 SYN_RECV - …
  • 35. SYN Mitigation SYN Cookies Special hash Enable by: echo 1 > /proc/sys/net/ipv4/tcp_syncookies Other timeouts to tweak (in /proc/sys/net/ipv4/): tcp_max_syn_backlog tcp_synack_retries tcp_syn_retries
  • 36. SYN mitigation (cont’d) SYN Proxy (TCP Intercept active) Terminates at device/opens a second connection TCP Intercept passive/watch – sends reset Resets the connection after a timeout Hybrid Dynamic white lists
  • 37. What is a SYN Cookie Hiding information in ISN (initial seq no) SYN Cookie: Timestamp % 32 + MSS + 24-bit hash Components of 24-bit hash: server IP address server port number client IP address client port timestamp >> 6 (64 sec resolution) What’s bad about them?
  • 38. How to recognize socket exhaustion? Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1339/rpcbind tcp 0 0 0.0.0.0:33586 0.0.0.0:* LISTEN 1395/rpc.statd tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1962/dnsmasq tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1586/cupsd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2703/sendmail: acce tcp 0 0 0.0.0.0:1241 0.0.0.0:* LISTEN 1851/nessusd: waiti tcp 0 0 127.0.0.1:25 127.0.0.1:60365 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60240 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60861 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60483 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60265 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60618 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60407 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60423 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60211 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60467 TIME_WAIT - tcp 0 0 127.0.0.1:25 127.0.0.1:60213 TIME_WAIT -
  • 39. Mitigation socket exhaustion/connect Enable socket reuse echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse Check learn about the value in /proc/sys/net/ipv4/tcp_* MSL decrease (on LBs) to a few seconds
  • 40. Mitigation upper layers Architecture of applications Apache – process based – In Linux kernel level threads Nginx – event based Nginx (pronounced “engine x”) http://www.nginx.net/ Mitigation through challenges Nginx plugin – Roboo (ECL-LABS.ORG)
  • 41. How to DoS Click really, really fast the “retry” button Scale hierarchically => recruit your friends/kids to do so Scale horizontally => get a botnet
  • 42. Botnet components C&C (Command and Control) Proxy layer (optional) – think NginX ☺ Bots/drones (any machine could be a drone)
  • 43. Drones Usually malware Multiple ways of infection Rarely Opt-In (Anonymous) User needs to download software User needs to point it to target Sometimes targeting can be automated
  • 44. Commandthe drones Attack is issued and Control (C&C) read it and execute Scalability issues Inertia
  • 45. You always have friends (find them!) Look around, who else might be suffering this? Build partnerships Build social contacts Prepare before it hits Be prepared so your ISP suffers before you
  • 46. Tools to remember netstat tcpdump / wireshark
  • 47. What can I do about it? RFC 2827/BCP 38 – Paul Ferguson If possible filter all outgoing traffic and use proxy Patch your systems Learn how to use tcpdump/wireshark netstat Check out the Arbor Networks Report http://www.arbornetworks.com/report
  • 48. Q&A
  • 49. December 9-11 Mountain View, CA http://www.baythreat.org/