2. Agenda
Intro to D/DoS
Methodology of work
DDoS tactics in-the-wild and how to improve
10 ‘from-the-books’ strategies & how to leverage your attack to fit them
Q&A
3. ~$ whoami
Hi! Moshe Zioni, I do security stuff
3 years of designing & providing a full-blown on-demand DDoS attack service.
Mainly experienced in Ethical Hacking & Penetration Testing
1st time speaker @ CCC, grateful to have this honor.
.///. END OF SHAMELESS PROMOTION SLIDE .///.
6. Run-of-the-Mill DDoS attacks in-the-wild
Rely heavily on bandwidth consumption
53% of attacks are < 2Gbps (SANS)
Reflection combined with Amplification relies on 3rd party domains (DNS, NTP etc.)
Most attacks do not require brains
7. Strike Harder! (!=Larger botnet)
There is more to a web site than a front-end (!!)
Overload the backend by making the system work for you
Keep it stealthy, they might be using the ‘magic of sniffing’
Think of amplification in a general way
8. Generalized Amplification - “4 Pillars”
Amplification factors
Network – The usual suspect
CPU – Very limited on some mediators and web application servers
Memory – Volatile, everything uses it; multi-step operations are prime targets
Storage – Can be filled up, or its I/O buffers exhausted
16. The customer has been hit by a DDoS attack that consumed ALL BANDWIDTH
To rectify the situation the ISP suggested limiting incoming packet rate to ensure availability
And so he did… believing that now he upped the game significantly for us
17. Reflection to the rescue!
Consumption by reflection
Send in 1Kb, consume according to file-length
21. MegaCommonPractive now went on to buy an Anti-DDoS solution
A known cloud-based Anti-DDoS protection vendor approached the client and offered a very solid looking solution, including 24/7 third party monitoring
26. Mapping the backend for DDoS
Databases are very susceptible to DDoS attacks and provide good grounds for intra-amplification
How can we find DBs?
You can always guess, pentesters do that all the time…
Takes more time == more elaborate operation, may involve BE !!!
PROFIT!!!
30. Really??!?! ALL OF THE DOMAINS?!?
What is the strategy of mitigation? Do you understand it?
“Doesn’t matter, let’s do it!”
31. So, remember the booklet that you didn’t read?
Interesting strategy – the system is devising some unknown algorithm to detect probable attacks.
Defense mechanism is ‘draining’ out all traffic first and then does some magic.
Mitigation kicks in 20 seconds after detection (supposedly to allow building a model, dunno)
35. Talk to me in layer 7…
Defense has chosen not to monitor layer 7 – HTTPS attacks.
SSL re/negotiation
Plus – when transmitting via HTTPS (GET/POST/…), the vendor product can’t learn and analyze traffic
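The gap on this slide is visibility: a product that only sees the encrypted wire cannot count requests per client. The detector below is an added example, not code from the talk; it assumes the logs are written after TLS termination (the web server's own access log in the Apache/nginx "combined" format, in chronological order), and the window and threshold values are illustrative. The log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log lines in the "combined" format (not data from the talk).
# 203.0.113.10 hammers the site, 198.51.100.7 browses normally, one line is garbage.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2014:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2014:13:55:36 +0000] "POST /search HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:13:55:37 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2014:13:55:37 +0000] "POST /search HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2014:13:55:38 +0000] "POST /search HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not an access-log record
203.0.113.10 - - [10/Oct/2014:13:55:39 +0000] "POST /search HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:13:55:40 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2014:13:55:40 +0000] "POST /search HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:13:55:58 +0000] "GET /contact HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2014:13:55:58 +0000] "POST /search HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2014:13:56:00 +0000] "POST /search HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client, timestamp, request line, status and size of a "combined" log record.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

WINDOW_SECONDS = 10   # sliding window length (illustrative value)
MAX_REQUESTS = 5      # more than this many requests per source per window is flagged


def parse_line(line):
    """Parse one access-log line; return a dict, or None if the line is not a record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_floods(lines, window=WINDOW_SECONDS, limit=MAX_REQUESTS):
    """Return {source: peak request count inside any `window`-second span} for sources over `limit`.

    Requires the lines in chronological order. Because it runs on decrypted HTTP,
    it sees exactly the GET/POST stream the slide says the vendor product could not.
    """
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        # Evict timestamps that have fallen out of the window.
        while (q[-1] - q[0]).total_seconds() > window:
            q.popleft()
        peak[rec["src"]] = max(peak[rec["src"]], len(q))
    return {src: n for src, n in peak.items() if n > limit}


if __name__ == "__main__":
    print(detect_floods(SAMPLE_LOG.splitlines()))
```

The attacker peaks at 6 requests inside 10 seconds and is reported; the legitimate client never exceeds 2, and its later request at 13:55:58 drops the earlier ones out of its window. The same per-source bookkeeping can be extended with a weight per path so that expensive back-end operations count for more than static pages, which is the amplification angle of the earlier slides.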
39. Logs need to be handled
Storage Boom
Resulted in a complete lock-down, including not being able to manage the overflowed device
It was the IPS, so no traffic was allowed to go anywhere, no traffic in/out of the system
SILO NEEDED!
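The "silo" is a design choice: keep log storage on its own volume with a hard budget, so that when the attack makes logs the thing that overflows, what breaks is log retention rather than the appliance's ability to forward or be managed. The budget enforcer below is an added example, not the talk's or any vendor's code; the `ips.log.N` names and sizes are constructed, and the budget value is illustrative.

```python
import os
import tempfile


def select_for_removal(files, max_bytes):
    """Given [(name, size, mtime)], return the names to delete, oldest first,
    until the remaining total fits inside max_bytes. Pure function, easy to test."""
    total = sum(size for _, size, _ in files)
    doomed = []
    for name, size, _ in sorted(files, key=lambda f: f[2]):
        if total <= max_bytes:
            break
        doomed.append(name)
        total -= size
    return doomed


def enforce_log_budget(log_dir, max_bytes):
    """Apply select_for_removal to a real directory and delete the chosen files.
    Returns the deleted names so the caller can record what retention was lost."""
    files = []
    for name in os.listdir(log_dir):
        path = os.path.join(log_dir, name)
        if os.path.isfile(path):
            st = os.stat(path)
            files.append((name, st.st_size, st.st_mtime))
    doomed = select_for_removal(files, max_bytes)
    for name in doomed:
        os.remove(os.path.join(log_dir, name))
    return doomed


def demo():
    """Constructed scenario: three rotated logs (1000, 1200, 900 bytes) on a 2500-byte budget.
    Only the oldest file has to go for the rest to fit."""
    with tempfile.TemporaryDirectory() as d:
        for i, size in enumerate((1000, 1200, 900)):   # ips.log.2 oldest ... ips.log.0 newest
            p = os.path.join(d, f"ips.log.{2 - i}")
            with open(p, "wb") as fh:
                fh.write(b"x" * size)
            os.utime(p, (i, i))   # mtime 0, 1, 2 gives a deterministic age order
        return enforce_log_budget(d, 2500)


if __name__ == "__main__":
    print(demo())
```

Run periodically (or from the logger's rotation hook) against the dedicated log volume; with the volume separate from the root and state partitions, even a burst that outruns the enforcer cannot starve the device's own operation.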
52. How to find an ‘invisible’ origin?
Find other known subdomain -> translate to IP -> scan the /24 or /16 -> good chance it’s there.
AND….. WHOIS never forgets
http://viewdns.info FTW!
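The defender's answer to an origin that can be found is an origin that does not answer: if the web ports accept traffic only from the scrubbing provider's published ingress ranges, knowing the address buys nothing. The audit and rule generator below is an added example, not code from the talk or from any provider; the ranges are documentation prefixes standing in for a hypothetical provider's list, and the connection records are constructed.

```python
import ipaddress

# Constructed: ingress ranges a hypothetical scrubbing/CDN provider publishes for its nodes.
SCRUBBER_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "2001:db8:1::/48")]
WEB_PORTS = (80, 443)

# Constructed (source IP, destination port) records as a firewall or conntrack log would yield them.
SAMPLE_CONNECTIONS = [
    ("192.0.2.15", 443),      # arrives via the scrubber: fine
    ("203.0.113.77", 443),    # reaches the origin directly: the scrubber was bypassed
    ("198.51.100.9", 22),     # admin SSH, not a web port: out of scope for this check
    ("2001:db8:1::5", 443),   # scrubber's IPv6 node: fine
    ("203.0.113.78", 80),     # direct hit on plain HTTP
]


def from_scrubber(src, ranges=SCRUBBER_RANGES):
    """True if src falls inside one of the scrubber's published ranges.
    ipaddress returns False for a v4 address tested against a v6 network, and vice versa."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ranges)


def audit_connections(conns, ranges=SCRUBBER_RANGES, ports=WEB_PORTS):
    """Set of sources that reached a web port without passing through the scrubber.
    A non-empty result means the origin is reachable directly and the allowlist is missing."""
    return {src for src, port in conns if port in ports and not from_scrubber(src, ranges)}


def build_iptables_rules(ranges=SCRUBBER_RANGES, ports=WEB_PORTS):
    """iptables/ip6tables commands that accept web traffic only from the scrubber ranges
    and drop everything else on those ports; IPv4 and IPv6 ranges go to their own tool."""
    dports = ",".join(str(p) for p in ports)
    rules = []
    for net in ranges:
        tool = "ip6tables" if net.version == 6 else "iptables"
        rules.append(f"{tool} -A INPUT -p tcp -m multiport --dports {dports} -s {net} -j ACCEPT")
    for tool in ("iptables", "ip6tables"):
        rules.append(f"{tool} -A INPUT -p tcp -m multiport --dports {dports} -j DROP")
    return rules


if __name__ == "__main__":
    print("direct hits:", sorted(audit_connections(SAMPLE_CONNECTIONS)))
    print("\n".join(build_iptables_rules()))
```

Keep the range list in sync with the provider's published prefixes, and run the audit on the origin's own connection logs rather than on the scrubber's reports: the scrubber by definition never sees the traffic that bypassed it.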
55. “Block ‘em!, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them. “
61. Collected misconceptions
There is no magic pill or best cocktail mix of technologies/appliances/services, never was – prepare a plan, not just a mitigation.
You can have all the toys and money in the world – best mitigation – don’t do drugs
TEST your infrastructure regularly.
If you won’t do that – you can be evaluated for this presentation in the future