DDoS mitigation EPIC FAIL collection - 32C3
TL;DR: LEARN HOW TO DO (EFFICIENT) DDOS AND (EASILY) BYPASS MITIGATION TACTICS
Agenda
• Intro to D/DoS
• Methodology of work
• DDoS tactics in-the-wild and how to improve
• 10 ‘from-the-books’ strategies & how to leverage your attack to fit them
• Q&A
~$ whoami
• Hi! Moshe Zioni, I do security stuff
• 3 years of designing & providing a full-blown on-demand DDoS attack service.
• Mainly exp. in Ethical Hacking & Penetration Testing
• 1st time speaker @ CCC, grateful to have this honor.
• .///. END OF SHAMELESS PROMOTION SLIDE .///.
DDoS for Everyone!
Method
Run-of-the-Mill DDoS attacks in-the-wild
Rely heavily on bandwidth consumption
53% of attacks are < 2Gbps (SANS)
Reflection combined with Amplification relies on 3rd party domains (DNS, NTP etc.)
Most attacks do not require brains
Strike Harder! (!= Larger botnet)
There is more to a web site than a front-end (!!)
Overload the backend by making the system work for you
Keep it stealthy, they might be using the ‘magic of sniffing’
Think of amplification in a general way
Generalized Amplification - “4 Pillars”
Amplification factors
Network – The usual suspect
CPU – Very limited on some mediators and web application servers
Memory – Volatile, everything uses it; multi-step operations are a prime target
Storage – Can be filled up, or its I/O buffers exhausted
Ready? Set.
FACEPALM
“Limit the rate of incoming packets”
• The customer has been hit by a DDoS attack that consumed ALL BANDWIDTH
• To rectify the situation the ISP suggested limiting the incoming packet rate to ensure availability
• And so he did… believing that now he had upped the game significantly for us
Reflection to the rescue!
Consumption by reflection: send in 1Kb, the server consumes according to the file-length it sends back
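The rate limit in this story counted inbound packets, while the cost the attack imposed was outbound bytes per request. As an added example (not code from the slides), the Python below compares a token-bucket limiter charged one token per request with one charged by the bytes the server would have to send back; the burst of requests, the 5 MB file and the limits are constructed values.

```python
"""Per-request vs per-byte rate limiting (added example, not from the talk).

The ISP in the story capped the inbound packet rate. A request that is 1 KB on
the way in but makes the server send back a multi-megabyte file is cheap under
that cap and still fills the uplink. Charging the limiter by the bytes the
server would have to send closes the gap. Sample requests below are constructed.
"""


class TokenBucket:
    """Token bucket with `capacity` tokens, refilled at `rate` tokens per second."""

    def __init__(self, capacity: float, rate: float) -> None:
        self.capacity = capacity
        self.rate = rate
        self.tokens = capacity
        self.last = 0.0

    def allow(self, cost: float, now: float) -> bool:
        # Refill for the time elapsed since the last decision, never above capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if cost <= self.tokens:
            self.tokens -= cost
            return True
        return False


MB = 1024 * 1024

# Constructed burst: 20 requests from one client, 1 KB inbound each, spaced
# 1/16 s apart, each asking for a 5 MB file.
SAMPLE_REQUESTS = [
    {"t": i / 16, "in_bytes": 1024, "file_len": 5 * MB} for i in range(20)
]


def run_packet_limit(requests, max_packets_per_sec: int = 50) -> int:
    """Count-based limit as the ISP configured it; returns bytes the server sends."""
    bucket = TokenBucket(capacity=max_packets_per_sec, rate=max_packets_per_sec)
    egress = 0
    for r in requests:
        if bucket.allow(1, r["t"]):          # every request costs one token
            egress += r["file_len"]
    return egress


def run_byte_limit(requests, max_egress_per_sec: int = 10 * MB) -> int:
    """Egress-cost limit: each request is charged the bytes it would send back."""
    bucket = TokenBucket(capacity=max_egress_per_sec, rate=max_egress_per_sec)
    egress = 0
    for r in requests:
        if bucket.allow(r["file_len"], r["t"]):
            egress += r["file_len"]
    return egress


if __name__ == "__main__":
    print(f"packet-count limit: {run_packet_limit(SAMPLE_REQUESTS) // MB} MB sent")
    print(f"egress-byte limit:  {run_byte_limit(SAMPLE_REQUESTS) // MB} MB sent")
```

With these inputs the packet-count limit passes the whole burst (100 MB of egress for 20 KB of ingress), while the egress-charged bucket holds the server to its 10 MB/s budget and passes 20 MB. The byte cost is known before the response is sent whenever the object size is (static files, cache entries), which is exactly the case in the story.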
“It’s OK now, monitoring shows everything is back to normal”
• MegaCommonPractice now went on to buy an Anti-DDoS solution
• A known cloud-based Anti-DDoS protection vendor approached the client and offered a very solid-looking solution including 24/7 third-party monitoring
DID YOU ACTUALLY TRY TO ACCESS THE WEB SITE!!!!
“Backend servers are not important to protect against DDoS”
Mapping the backend for DDoS
• Databases are very susceptible to DDoS attacks and provide good grounds for intra-amplification
• How can we find DBs? You can always guess, pentesters do that all the time… Takes more time == a more elaborate operation, may involve BE !!!
PROFIT!!!
Really??!?! ALL OF THE DOMAINS?!?
What is the strategy of mitigation? Do you understand it?
“Doesn’t matter, let’s do it!”
So, remember the booklet that you didn’t read?
• Interesting strategy – the system is devising some unknown algorithm to detect probable attacks.
• The defense mechanism is ‘draining’ out all traffic first and then does some magic.
• Mitigation kicks in 20 seconds after detection (supposedly to allow building a model, dunno)
“We don’t trust the vendor, we don’t give them certificates”
Talk to me in layer 7…
The defense has chosen not to monitor layer 7 – HTTPS attacks..
SSL re/negotiation
Plus – transmitting via HTTPS GET/POST/… the vendor product can’t learn and analyze traffic
“We need Big Data, collect all the logs”
Logs need to be handled
Storage Boom
Results in a complete lock-down, including not being able to manage the overflowed device
It was the IPS, so no traffic was allowed to go anywhere, no traffic in/out of the system
SILO NEEDED!
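"SILO NEEDED" is the fix in one word: log storage must be bounded and separate so that filling it cannot wedge the device. As an added example (not code from the talk), the Python below is a log sink that writes into its own directory, checks free space before each write and degrades to counting dropped records rather than blocking; the free-space lookup is injectable, and the alert lines and disk sizes in the simulation are constructed.

```python
"""Bounded log sink with a storage silo (added example, not from the talk).

Slide 39's failure: the IPS logged everything onto its own storage, filled it,
and locked itself up, management plane included. The sink below keeps logs in
their own directory, checks free space before every write, and degrades to
counting dropped records instead of blocking. The free-space lookup is
injectable so the flood can be simulated without filling a real disk.
"""
import os
import shutil
import tempfile
from typing import Callable, Optional


def real_free_bytes(path: str) -> int:
    """Free bytes on the filesystem holding `path` (production lookup)."""
    return shutil.disk_usage(path).free


class SiloLogSink:
    def __init__(self, directory: str, min_free_bytes: int,
                 free_fn: Callable[[str], int] = real_free_bytes) -> None:
        os.makedirs(directory, exist_ok=True)
        self.path = os.path.join(directory, "events.log")
        self.min_free = min_free_bytes
        self.free_fn = free_fn
        self.written = 0
        self.dropped = 0

    def write(self, line: str) -> bool:
        """Append one record. Returns False (and counts it) instead of filling the disk."""
        record = line.rstrip("\n") + "\n"
        if self.free_fn(self.path) - len(record) < self.min_free:
            self.dropped += 1
            return False
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(record)
        self.written += 1
        return True


def simulate_flood(n_events: int, free_bytes_start: int, min_free_bytes: int,
                   directory: Optional[str] = None) -> dict:
    """Feed `n_events` constructed alert lines through a sink whose 'disk'
    starts at `free_bytes_start` bytes and shrinks by what is written."""
    fake_disk = {"free": free_bytes_start}

    def fake_free(_path: str) -> int:
        return fake_disk["free"]

    sink = SiloLogSink(directory or tempfile.mkdtemp(prefix="silo-"),
                       min_free_bytes, free_fn=fake_free)
    for i in range(n_events):
        # Constructed alert line, fixed width so every record is 47 bytes.
        line = f"alert id={i:04d} src=198.51.100.{i % 256:03d} msg=syn-flood"
        if sink.write(line):
            fake_disk["free"] -= len(line) + 1
    return {"written": sink.written, "dropped": sink.dropped,
            "free_left": fake_disk["free"]}
```

The reserve (`min_free_bytes`) is what keeps the management plane alive: whatever the flood does, the sink never takes the filesystem below it. In production the directory should be its own filesystem or quota group so that the reserve is real rather than shared with the device's working storage.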
“We are under attack – enforce the on-demand Scrubbing Service”
Learning mode – did you do it?
All is learned
Attack considered legitimate traffic
RTFM
And… the vendor response was epic by itself
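The scrubbing service learned its baseline while the attack was already running, so the attack became its definition of normal. As an added example (not code from the talk or the vendor), the Python below is a baseline learner that takes a capacity figure the operator already knows (the provisioned peak) and refuses to fold any window above it into the baseline, then flags windows far above what it learned; the traffic windows are constructed requests-per-second values.

```python
"""Guarded baseline learning (added example, not from the talk).

Slide 43: the scrubbing service went into learning mode while the attack was
already running, so the attack became its definition of normal. The learner
below takes a capacity figure the operator already knows (the provisioned
peak) and refuses to fold any window above it into the baseline; once it has
enough clean windows it also flags windows that sit far above what it learned.
Traffic windows below are constructed requests-per-second figures.
"""
from statistics import mean, pstdev


class BaselineLearner:
    def __init__(self, expected_peak_rps: float, min_windows: int = 5,
                 tolerance: float = 3.0) -> None:
        self.expected_peak_rps = expected_peak_rps  # from capacity planning, not from traffic
        self.min_windows = min_windows              # windows needed before the model is trusted
        self.tolerance = tolerance                  # sigmas above the mean still counted normal
        self.samples: list[float] = []
        self.rejected = 0

    def ready(self) -> bool:
        return len(self.samples) >= self.min_windows

    def observe(self, rps: float) -> str:
        """Feed one window. Returns 'learned', 'rejected' or 'anomalous'."""
        if rps > self.expected_peak_rps:
            self.rejected += 1          # above provisioned peak: can never be "normal"
            return "rejected"
        if self.ready():
            mu, sigma = mean(self.samples), pstdev(self.samples)
            ceiling = mu + self.tolerance * max(sigma, 0.05 * mu)  # sigma floor for flat traffic
            if rps > ceiling:
                return "anomalous"      # flagged, not absorbed into the baseline
        self.samples.append(rps)
        return "learned"


CLEAN_WINDOWS = [800, 850, 900, 820, 880, 860]                # constructed, quiet day
ATTACK_WINDOWS = [40000, 42000, 41000, 43000, 45000, 44000]   # constructed, under attack


def naive_learning_verdict() -> str:
    """No capacity sanity check and learning started mid-attack (the slide's failure)."""
    learner = BaselineLearner(expected_peak_rps=float("inf"))
    for rps in ATTACK_WINDOWS:
        learner.observe(rps)
    return learner.observe(44500)   # attack-sized window judged against an attack-sized baseline


def guarded_learning_verdicts() -> dict:
    """Baseline learned before the attack, with the provisioned peak as a ceiling."""
    learner = BaselineLearner(expected_peak_rps=2000)
    clean = [learner.observe(rps) for rps in CLEAN_WINDOWS]
    attack = [learner.observe(rps) for rps in ATTACK_WINDOWS]
    return {"clean": clean, "attack": attack, "moderate": learner.observe(1900)}
```

The naive learner reports an attack-sized window as "learned", which is the vendor's "all is learned" in code. The guarded learner never accepts the attack windows, and a window that is under the provisioned peak but far above the learned baseline (1900 rps here) comes back "anomalous" rather than being absorbed.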
“So what CDN is not dynamic? Let’s enable it”
NOT IN CACHE? ASK THE ORIGIN!
How to find an ‘invisible’ origin?
Find another known subdomain -> translate to IP -> scan the /24 or /16 -> good chance it’s there.
AND….. WHOIS never forgets
http://viewdns.info FTW!
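The defender's counterpart to an origin that can be found is an origin that answers only to its CDN. The primary control is a network-edge rule admitting only the CDN's published address ranges; as an added example (not code from the talk), the Python below is the application-layer backstop, a WSGI middleware that rejects peers outside those ranges and reads the forwarded client address only from a trusted CDN peer. The CDN ranges here are constructed placeholders for the provider's published list.

```python
"""Origin that answers only to its CDN (added example, not from the talk).

Slides 47-52: a CDN passes anything not in cache to the origin, and an origin
that can be found can be hit directly, CDN or no CDN. The network edge should
allow only the CDN's published ranges; this middleware is the backstop behind
that rule. The ranges below are constructed placeholders.
"""
import ipaddress

CDN_RANGES = [ipaddress.ip_network(r) for r in ("203.0.113.0/24", "2001:db8::/32")]


def is_cdn_peer(addr: str) -> bool:
    """True if the TCP peer address belongs to one of the CDN's ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in CDN_RANGES)


def cdn_only(app):
    """Wrap a WSGI app so that only CDN peers reach it."""
    def guarded(environ, start_response):
        peer = environ.get("REMOTE_ADDR", "")
        if not is_cdn_peer(peer):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"origin accepts traffic via the CDN only\n"]
        # X-Forwarded-For is only worth reading once the peer is the CDN, and
        # only its last element (the one the CDN appended) is trustworthy;
        # earlier elements are whatever the client chose to send.
        forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
        environ["app.client_ip"] = forwarded.split(",")[-1].strip() if forwarded else peer
        return app(environ, start_response)
    return guarded


def backend(environ, start_response):
    """Stand-in application that echoes the client address it was given."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ['app.client_ip']}\n".encode()]


ORIGIN = cdn_only(backend)


def call(app, remote_addr: str, forwarded_for: str = None):
    """Drive a WSGI app in-process; returns (status, body)."""
    environ = {"REMOTE_ADDR": remote_addr}
    if forwarded_for:
        environ["HTTP_X_FORWARDED_FOR"] = forwarded_for
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print(call(ORIGIN, "198.51.100.7", "203.0.113.5"))          # direct hit with a forged header
    print(call(ORIGIN, "203.0.113.5", "192.0.2.44, 198.51.100.7"))  # genuine CDN hop
```

A direct request that forges X-Forwarded-For is refused because the peer itself is not the CDN; a request arriving from a CDN address is served and the application sees the address the CDN appended, not the one the client put first.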
“Block ‘em!, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them, now them.“
Total IPs (DE): ~116 M *
* http://www.nirsoft.net/countryip/de.html
Roughly ~1,800 class B ranges
We spoofed IPs from those classes and delivered a very detectable TCP SYN flood attack from each source
Now think of a monkey blocking every incoming alert.
15 MINUTES TO SELF INFLICTED DDOS
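The self-inflicted DDoS above needs two things from the defender: that a forged-source SYN counts as a trustworthy sighting of that source, and that automation may block without limit. As an added example (not code from the talk), the Python below puts guardrails on an auto-blocker: an alert whose source never completed a TCP handshake is not acted on with an address block (SYN cookies are the fitting response to that traffic), and automatic rules may cover only a small fraction of the user address space before alerts are escalated to a person instead. The ranges and alerts are constructed; 198.18.0.0/15 stands in for the real customer-country allowlist.

```python
"""Guardrails for automatic blocking (added example, not from the talk).

Slides 55-59: every alert was answered with a block rule, and because a SYN
with a forged source address needs no reply, alerts could be made to name
address space belonging to the site's own users. Two guardrails below:
(1) a source that never completed a handshake is unauthenticated and is not
blocked by address; (2) automation may block only a capped share of the user
address space, after which alerts are escalated rather than acted on.
Ranges and alerts are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    src: str
    kind: str
    completed_handshakes: int   # 3-way handshakes the sensor saw from src


class AutoBlocker:
    def __init__(self, user_ranges, max_blocked_fraction: float = 0.001) -> None:
        self.user_space = [ipaddress.ip_network(r) for r in user_ranges]
        total = sum(net.num_addresses for net in self.user_space)
        self.cap = int(total * max_blocked_fraction)   # user addresses automation may block
        self.blocked: set[str] = set()
        self.blocked_in_user_space = 0
        self.escalated: list[str] = []
        self.ignored = 0

    def in_user_space(self, ip) -> bool:
        return any(ip in net for net in self.user_space)

    def decide(self, alert: Alert) -> str:
        """Returns 'blocked', 'ignored-unauthenticated' or 'escalated'."""
        ip = ipaddress.ip_address(alert.src)
        if alert.kind == "syn-flood" and alert.completed_handshakes == 0:
            self.ignored += 1           # source is unproven; SYN cookies, not a block rule
            return "ignored-unauthenticated"
        if self.in_user_space(ip):
            if self.blocked_in_user_space >= self.cap:
                self.escalated.append(alert.src)   # a human decides from here on
                return "escalated"
            self.blocked_in_user_space += 1
        self.blocked.add(alert.src)
        return "blocked"


USER_RANGES = ["198.18.0.0/16", "198.19.0.0/16"]   # constructed stand-in for the allowlist


def constructed_alerts() -> list:
    alerts = []
    for i in range(300):    # forged-source SYN flood: no handshake ever completes
        alerts.append(Alert(f"198.18.{i // 250}.{i % 250 + 1}", "syn-flood", 0))
    for i in range(200):    # real misbehaving clients that did complete handshakes
        alerts.append(Alert(f"198.19.{i // 250}.{i % 250 + 1}", "http-flood", 3))
    return alerts


def naive_block_count(alerts) -> int:
    """Block whatever the alert names (the 'monkey' on slide 59)."""
    return len({a.src for a in alerts})


def guarded_tally(alerts) -> dict:
    blocker = AutoBlocker(USER_RANGES)
    tally = {"blocked": 0, "ignored-unauthenticated": 0, "escalated": 0}
    for alert in alerts:
        tally[blocker.decide(alert)] += 1
    return tally


if __name__ == "__main__":
    alerts = constructed_alerts()
    print("naive:  ", naive_block_count(alerts), "addresses blocked")
    print("guarded:", guarded_tally(alerts))
```

The naive policy blocks all 500 named addresses, 300 of which were never more than forged SYN sources. The guarded policy ignores those 300, blocks the first 131 authenticated offenders (0.1% of the two /16s) and hands the remaining 69 to a person, so the blast radius of an alert flood is bounded by design rather than by how fast someone clicks.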
Collected misconceptions
• There is no magic pill or best cocktail mix of technologies/appliances/services, never was – prepare a plan, not just a mitigation.
• You can have all the toys and money in the world – best mitigation – don’t do drugs
• TEST your infrastructure regularly.
• If you won’t do that – you can be evaluated for this presentation in the future
Questions?
Thank you!
Moshe Zioni
zimoshe@gmail.com, @dalmoz_
