lightning talk proposal

•Als PPTX, PDF herunterladen•

0 gefällt mir•557 views

Alexander Lyamin

Technologie

Q1 2012
• Incidents: 365
• Daily max: 12
• Avg. botnet size: 2637
• Max botnet size: 37834

Daily
12
11
10
9
8
7
6 Jan
5
4 Feb
3
2 Mar
1
0

Weekday distribution
20.00%

18.00% 17.26%
16.71%
15.89%
16.00%
14.52% 14.25%
14.00%
11.78%
12.00%
9.59%
10.00%

8.00%

6.00%

4.00%

2.00%

0.00%
Monday Tuesday Wednesday Thursday Friday Saturday Sunday

High speed attacks

3.56% > 1 Gbps < 1Gbps
96.44%

Spoofed source attacks

22.74%

Spoofed Full connect

77.26%

Scary stuff

• DNS: NIC, Masterhost, FastVPS.
• DataCenters: CROK, WAhome.
• “Invisible” elections botnets.
• Minerbot.

New reality
• 1k botnet - 100-160 USD.
• Readily available botnet toolkits.
• Fall of prices - 20 USD/day.

Apache mod_evasive
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 8
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
DOSEmailNotify secure@adminmail.com
</IfModule>

Apache mod_evasive
Positive Negative
It works! Apache

Iptables --string
iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET / HTTP" --algo kmp --to
1024 -m recent --set --name httpddos --rsource

iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET / HTTP" --algo kmp --to
1024 -m recent --update --seconds 10 --hitcount 2 --name httpddos --rsource -j DROP

Iptables --string
Positive Negative

It works. Not always works. (fragmentet packets)

Its fast. Not always fast. (kmp matched packets)

Orphaned sockets + retransmit.

Requires conntrack(statefull is bad).

$NGINX testcookie_module testcookie_name BPC; testcookie_secret keepmescret; testcookie_session $remote_addr; testcookie_arg attempt; testcookie_max_attempts 3; testcookie_fallback /cookies.html?backurl=http://$host$request_uri; testcookie_get_only on; location / { testcookie on; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://127.0.0.1:8080; } More reading: http://habrahabr.ru/post/139931/$

NGINX testcookie_module
Positive Negative
It works. Doesn’t block traffic.*
NGINX. Alternates UX.
Its fast. Is not effective on FBS.
Predictable.
Expandable (Flash, QT checks).
* That’s what ipset is for.

Neuron network PyBrain
Request:
0.0.0.0 - - [20/Dec/2011:15:00:03 +0400] "GET /forum/rss.php?topic=347425 HTTP/1.0" 200 1685 "-" "Mozilla/5.0
(Windows; U; Windows NT 5.1; pl; rv:1.9) Gecko/2008052906 Firefox/3.0»

Dictionary:
['__UA___OS_U', '__UA_EMPTY', '__REQ___METHOD_POST', '__REQ___HTTP_VER_HTTP/1.0', '__REQ___URL_
__NETLOC_', '__REQ___URL___PATH_/forum/rss.php', '__REQ___URL___PATH_/forum/index.php', '__REQ___URL
___SCHEME_', '__REQ___HTTP_VER_HTTP/1.1', '__UA___VER_Firefox/3.0', '__REFER___NETLOC_www.mozilla-
europe.org', '__UA___OS_Windows', '__UA___BASE_Mozilla/5.0', '__CODE_503', '__UA___OS_pl', '__REFER___PA
TH_/', '__REFER___SCHEME_http', '__NO_REFER__', '__REQ___METHOD_GET', '__UA___OS_Windows NT
5.1', '__UA___OS_rv:1.9', '__REQ___URL___QS_topic', '__UA___VER_Gecko/2008052906’

Далее: http://habrahabr.ru/post/136237/

Neuron network PyBrain
Positive Negative
It works. May not work.
Nerd award! No historical analysis.

tcpdump
tcpdump -v -n -w attack.log dst port 80 -c 250
tcpdump -nr attack.log |awk '{print $3}' |grep -oE '[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-
9]{1,}' |sort |uniq -c |sort -rn

tcpdump
Positive Negative
It works. why tcpdump? Ask kernel!

Summary
• Every solution works.
• Not always.
• Not for everyone.
• UPTIME > DOWNTIME.

Definition of happiness
• Minimal FALSE POSITIVES.
• No vulnerabilities on lower levels.
• Up to challenge.

One last thing…
(protect your TCP stack)

22.74%

3.56%
Spoofed
96.44%
Full connect
> 1Gbps < 1Gbps 77.26%

Homework.
1. NGINX/ipset preinstalled.

2. No conntrack.

3. Dedicated IP per critical published service.

4. Blackhole communities present and tested.

Empfohlen

DDoS: practical survivalPositive Hack Days

DDoS: Practical Survival GuideHLL

Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaSSadique Puthen

Ripe71 FastNetMon open source DoS / DDoS mitigationPavel Odintsov

FastNetMonを試してみたYutaka Ishizaki

NGINX Can Do That? Test Drive Your Config File!Jeff Anderson

Dhcp security #netseckhHEM Sothon

Protect your edge BGP security made simplePavel Odintsov

Empfohlen

DDoS: practical survivalPositive Hack Days

DDoS: Practical Survival GuideHLL

Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaSSadique Puthen

Ripe71 FastNetMon open source DoS / DDoS mitigationPavel Odintsov

FastNetMonを試してみたYutaka Ishizaki

NGINX Can Do That? Test Drive Your Config File!Jeff Anderson

Dhcp security #netseckhHEM Sothon

Protect your edge BGP security made simplePavel Odintsov

Keeping your rack cool Pavel Odintsov

FastNetMon - ENOG9 speech about DDoS mitigationPavel Odintsov

9534715Pavel Odintsov

How to monitor NGINXServer Density

Distributed Denial of Service Attack - Detection And MitigationPavel Odintsov

Altitude SF 2017: QUIC - A low-latency secure transport for HTTPFastly

Eduardo Silva - monkey http-server everywhereStarTech Conference

Jon Nield FastNetMonPavel Odintsov

Be Mean to Your CodeJames Wickett

mod_perl 2.0 For Speed Freaks!Philippe M. Chiasson

Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Pavel Odintsov

What are your competitors doing seletskiy 10lsmichael

Nanog66 vicente de luca fast netmonPavel Odintsov

Mobile Api and CachingNew Relic

NATS: Simple, Secure and Scalable Messaging For the Cloud Native Erawallyqs

distributed tracing in 5 minutesDan Kuebrich

Primeiros Passos na API do Zabbix com Python - 2º ZABBIX MEETUP DO INTERIOR-SPZabbix BR

Testing Wi-Fi with OSS ToolsAll Things Open

AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...Amazon Web Services

Debugging Network IssuesApcera

Hl++2012 lyamin qrator ddos highload 2012Alexander Lyamin

Ritconf2011 Asimov "Russian Internet Core"Alexander Lyamin

Weitere ähnliche Inhalte

Was ist angesagt?

Keeping your rack cool Pavel Odintsov

FastNetMon - ENOG9 speech about DDoS mitigationPavel Odintsov

9534715Pavel Odintsov

How to monitor NGINXServer Density

Distributed Denial of Service Attack - Detection And MitigationPavel Odintsov

Altitude SF 2017: QUIC - A low-latency secure transport for HTTPFastly

Eduardo Silva - monkey http-server everywhereStarTech Conference

Jon Nield FastNetMonPavel Odintsov

Be Mean to Your CodeJames Wickett

mod_perl 2.0 For Speed Freaks!Philippe M. Chiasson

Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Pavel Odintsov

What are your competitors doing seletskiy 10lsmichael

Nanog66 vicente de luca fast netmonPavel Odintsov

Mobile Api and CachingNew Relic

NATS: Simple, Secure and Scalable Messaging For the Cloud Native Erawallyqs

distributed tracing in 5 minutesDan Kuebrich

Primeiros Passos na API do Zabbix com Python - 2º ZABBIX MEETUP DO INTERIOR-SPZabbix BR

Testing Wi-Fi with OSS ToolsAll Things Open

AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...Amazon Web Services

Debugging Network IssuesApcera

Was ist angesagt? (20)

Keeping your rack cool

FastNetMon - ENOG9 speech about DDoS mitigation

9534715

How to monitor NGINX

Distributed Denial of Service Attack - Detection And Mitigation

Altitude SF 2017: QUIC - A low-latency secure transport for HTTP

Eduardo Silva - monkey http-server everywhere

Jon Nield FastNetMon

Be Mean to Your Code

mod_perl 2.0 For Speed Freaks!

Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)

What are your competitors doing seletskiy 10

Nanog66 vicente de luca fast netmon

Mobile Api and Caching

NATS: Simple, Secure and Scalable Messaging For the Cloud Native Era

distributed tracing in 5 minutes

Primeiros Passos na API do Zabbix com Python - 2º ZABBIX MEETUP DO INTERIOR-SP

Testing Wi-Fi with OSS Tools

AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...

Debugging Network Issues

Andere mochten auch

Hl++2012 lyamin qrator ddos highload 2012Alexander Lyamin

Ritconf2011 Asimov "Russian Internet Core"Alexander Lyamin

Goods searchAlexander Lyamin

RITConf 2011 "DDoS Classification"Alexander Lyamin

How to secure your web applications with NGINXWallarm

Activism x TechnologyWebVisions

How to Battle Bad ReviewsGlassdoor

Andere mochten auch (7)

Hl++2012 lyamin qrator ddos highload 2012

Ritconf2011 Asimov "Russian Internet Core"

Goods search

RITConf 2011 "DDoS Classification"

How to secure your web applications with NGINX

Activism x Technology

How to Battle Bad Reviews

Ähnlich wie lightning talk proposal

Honeypots - November 8th Misec presentationTazdrumm3r

Aerospike & GCE (LSPE Talk)Sayyaparaju Sunil

Malware Analysis For The EnterpriseJason Ross

How to Troubleshoot OpenStack Without Losing SleepSadique Puthen

Keeping your rack cool with one "/IP route rule"Faelix Ltd

Velocity 2012 - Learning WebOps the Hard WayCosimo Streppone

Putting Rugged Into your DevOps ToolchainJames Wickett

Planning to Fail #phpne13Dave Gardner

Handy Networking Tools and How to Use ThemSneha Inguva

DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)Igalia

A Developer’s Guide to Kubernetes SecurityGene Gotimer

(NET404) Making Every Packet CountAmazon Web Services

5 issuesm0use

Extreme HTTP Performance Tuning: 1.2M API req/s on a 4 vCPU EC2 InstanceScyllaDB

AWS re:Invent 2016: Making Every Packet Count (NET404)Amazon Web Services

Non-blocking I/O, Event loops and node.jsMarcus Frödin

Multi-Layer DDoS Mitigation StrategiesSagi Brody

Velocity 2011 - Our first DDoS attackCosimo Streppone

Smit WiFi_2mutew

Ähnlich wie lightning talk proposal (20)

Honeypots - November 8th Misec presentation

Aerospike & GCE (LSPE Talk)

Malware Analysis For The Enterprise

How to Troubleshoot OpenStack Without Losing Sleep

Keeping your rack cool with one "/IP route rule"

Velocity 2012 - Learning WebOps the Hard Way

Putting Rugged Into your DevOps Toolchain

Planning to Fail #phpne13

Handy Networking Tools and How to Use Them

DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)

A Developer’s Guide to Kubernetes Security

(NET404) Making Every Packet Count

5 issues

Extreme HTTP Performance Tuning: 1.2M API req/s on a 4 vCPU EC2 Instance

AWS re:Invent 2016: Making Every Packet Count (NET404)

Non-blocking I/O, Event loops and node.js

Multi-Layer DDoS Mitigation Strategies

Velocity 2011 - Our first DDoS attack

Smit WiFi_2

Kürzlich hochgeladen

Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung

Automating Google Workspace (GWS) & more with Apps Scriptwesley chun

Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer

Apidays New York 2024 - The value of a flexible API Management solution for O...apidays

GenAI Risks & Security Meetup 01052024.pdflior mazor

MINDCTI Revenue Release Quarter One 2024MIND CTI

AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93

Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays

Corporate and higher education May webinar.pptxRustici Software

DBX First Quarter 2024 Investor PresentationDropbox

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra

Why Teams call analytics are critical to your entire businesspanagenda

FWD Group - Insurer Innovation Award 2024The Digital Insurer

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays

Kürzlich hochgeladen (20)

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Automating Google Workspace (GWS) & more with Apps Script

Axa Assurance Maroc - Insurer Innovation Award 2024

Apidays New York 2024 - The value of a flexible API Management solution for O...

GenAI Risks & Security Meetup 01052024.pdf

MINDCTI Revenue Release Quarter One 2024

AXA XL - Insurer Innovation Award Americas 2024

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Artificial Intelligence Chap.5 : Uncertainty

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

Corporate and higher education May webinar.pptx

DBX First Quarter 2024 Investor Presentation

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Why Teams call analytics are critical to your entire business

FWD Group - Insurer Innovation Award 2024

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

lightning talk proposal

1. DDoS: practical survival guide Alexander Lyamin <la@highloadlab.com>

2. Poor mans version.

3. Q1 2012 • Incidents: 365 • Daily max: 12 • Avg. botnet size: 2637 • Max botnet size: 37834

4. Daily 12 11 10 9 8 7 6 Jan 5 4 Feb 3 2 Mar 1 0

5. Weekday distribution 20.00% 18.00% 17.26% 16.71% 15.89% 16.00% 14.52% 14.25% 14.00% 11.78% 12.00% 9.59% 10.00% 8.00% 6.00% 4.00% 2.00% 0.00% Monday Tuesday Wednesday Thursday Friday Saturday Sunday

6. High speed attacks 3.56% > 1 Gbps < 1Gbps 96.44%

7. Spoofed source attacks 22.74% Spoofed Full connect 77.26%

8. Scary stuff • DNS: NIC, Masterhost, FastVPS. • DataCenters: CROK, WAhome. • “Invisible” elections botnets. • Minerbot.

9. New reality • 1k botnet - 100-160 USD. • Readily available botnet toolkits. • Fall of prices - 20 USD/day.

10. New competition

11. Apache mod_evasive

12. Apache mod_evasive <IfModule mod_evasive20.c> DOSHashTableSize 3097 DOSPageCount 8 DOSSiteCount 100 DOSPageInterval 2 DOSSiteInterval 2 DOSBlockingPeriod 600 DOSEmailNotify secure@adminmail.com </IfModule>

13. Apache mod_evasive Positive Negative It works! Apache

14. Iptables --string

15. Iptables --string iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET / HTTP" --algo kmp --to 1024 -m recent --set --name httpddos --rsource iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET / HTTP" --algo kmp --to 1024 -m recent --update --seconds 10 --hitcount 2 --name httpddos --rsource -j DROP

16. Iptables --string Positive Negative It works. Not always works. (fragmentet packets) Its fast. Not always fast. (kmp matched packets) Orphaned sockets + retransmit. Requires conntrack(statefull is bad).

17. NGINX testcookie_module

18. JS

19. Cookie/Redirect

20. NGINX testcookie_module testcookie_name BPC; testcookie_secret keepmescret; testcookie_session $remote_addr; testcookie_arg attempt; testcookie_max_attempts 3; testcookie_fallback /cookies.html?backurl=http://$host$request_uri; testcookie_get_only on; location / { testcookie on; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://127.0.0.1:8080; } More reading: http://habrahabr.ru/post/139931/

21. NGINX testcookie_module Positive Negative It works. Doesn’t block traffic.* NGINX. Alternates UX. Its fast. Is not effective on FBS. Predictable. Expandable (Flash, QT checks). * That’s what ipset is for.

22. Neuron network PyBrain

23. Neuron network PyBrain Request: 0.0.0.0 - - [20/Dec/2011:15:00:03 +0400] "GET /forum/rss.php?topic=347425 HTTP/1.0" 200 1685 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9) Gecko/2008052906 Firefox/3.0» Dictionary: ['__UA___OS_U', '__UA_EMPTY', '__REQ___METHOD_POST', '__REQ___HTTP_VER_HTTP/1.0', '__REQ___URL_ __NETLOC_', '__REQ___URL___PATH_/forum/rss.php', '__REQ___URL___PATH_/forum/index.php', '__REQ___URL ___SCHEME_', '__REQ___HTTP_VER_HTTP/1.1', '__UA___VER_Firefox/3.0', '__REFER___NETLOC_www.mozilla- europe.org', '__UA___OS_Windows', '__UA___BASE_Mozilla/5.0', '__CODE_503', '__UA___OS_pl', '__REFER___PA TH_/', '__REFER___SCHEME_http', '__NO_REFER__', '__REQ___METHOD_GET', '__UA___OS_Windows NT 5.1', '__UA___OS_rv:1.9', '__REQ___URL___QS_topic', '__UA___VER_Gecko/2008052906’ Далее: http://habrahabr.ru/post/136237/

24. Neuron network PyBrain Positive Negative It works. May not work. Nerd award! No historical analysis.

25. tcpdump

26. tcpdump tcpdump -v -n -w attack.log dst port 80 -c 250 tcpdump -nr attack.log |awk '{print $3}' |grep -oE '[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0- 9]{1,}' |sort |uniq -c |sort -rn

27. tcpdump Positive Negative It works. why tcpdump? Ask kernel!

28. Summary • Every solution works. • Not always. • Not for everyone. • UPTIME > DOWNTIME.

29. Definition of happiness • Minimal FALSE POSITIVES. • No vulnerabilities on lower levels. • Up to challenge.

30. NGINX testcookie_module

31. One last thing… (protect your TCP stack) 22.74% 3.56% Spoofed 96.44% Full connect > 1Gbps < 1Gbps 77.26%

32. Have a fun ride!

33. Homework. 1. NGINX/ipset preinstalled. 2. No conntrack. 3. Dedicated IP per critical published service. 4. Blackhole communities present and tested.